-
Notifications
You must be signed in to change notification settings - Fork 201
/
Copy pathStage1-OC2TC-bof.py
393 lines (289 loc) · 12.5 KB
/
Stage1-OC2TC-bof.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
#!/usr/bin/python3
"""
Stage1-BOF.py
This script provides a supporting wrapper for the Stage1 C2 Server for easy BOF usage.
It can give context about;
- location and parameters of the BOF,
- help and description texts,
- desired GUI (file)inputs / elements,
- parameter splitting, validation, processing and defaults,
- automated execution of a series of commands.
Usage: clone the entire repo to the `stage1c2server/shared/bofs/` folder.
The additional commands are automatically loaded and ready for action.
Development: The integration of this bof.py script is facilitated by overloading from a base BOFModuleClass.
All BOF / BOT related code of Stage1 C2 server is open source and database credentials/access is available, allowing for very powerful modules.
Stage1 C2 is part of our commercial Outflank Security Tooling (OST) product. For more information:
Outflank Security Tooling
https://outflank.nl/services/outflank-security-tooling/
"""
import sys, inspect
sys.path.append("../..")
sys.path.append("/code/shared/bofs/")
sys.path.append("/shared/bofs/")
from boflibrary import *
CURRENT_PATH = os.path.abspath(os.path.dirname(__file__))
def bof_path64(name, arch): # arch is either 64 or 32
return "{}/{}.o".format(name, name) if arch == 64 else ""
def bof_path(name, arch): # arch is either 64 or 32
return "{}/{}.x{}.o".format(name, name, 64 if arch == 64 else 86)
class OTCBOFBaseClass(
BOFModuleClass
): # ExampleLibBaseClass is the commandline command name
def __init__(self):
super().__init__(
CURRENT_PATH,
bof_path(self.__class__.__name__, 64),
bof_path(self.__class__.__name__, 32),
)
class OTCBOF64BaseClass(
BOFModuleClass
): # ExampleLibBaseClass is the commandline command name
def __init__(self):
super().__init__(CURRENT_PATH, bof_path64(self.__class__.__name__, 64), "")
################################################
class AddMachineAccount(BOFModuleClass):
"""Outflank C2 Tool Collection AddMachineAccount BOF Module"""
def __init__(self):
super().__init__(
CURRENT_PATH,
"AddMachineAccount/AddMachineAccount.x64.o",
"AddMachineAccount/AddMachineAccount.x86.o",
)
self.args = "ZZ" # required, optional
def description(self): # Short
return "Add a computer account to the Active Directory domain."
def help(self): # Long
return (
"Synopsis: AddMachineAccount [Computername] [Password <Optional>]\n\n"
+ "Use Active Directory Service Interfaces (ADSI) to add a computer account to AD."
)
def split_arguments(self, arguments):
return arguments.strip().split(None, 1) # Only split on the first space
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) == 0:
raise ValueError("[!] Error: Please specify a computeraccount name.")
return argumentList
class DelMachineAccount(BOFModuleClass):
"""Outflank C2 Tool Collection DelMachineAccount BOF Module"""
def __init__(self):
super().__init__(
CURRENT_PATH,
"AddMachineAccount/DelMachineAccount.x64.o",
"AddMachineAccount/DelMachineAccount.x86.o",
)
self.args = "Z" # required
def description(self): # Short
return "Remove a computer account from the Active Directory domain."
def help(self): # Long
return (
"Synopsis: DelMachineAccount [Computername]\n\n"
+ "Use Active Directory Service Interfaces (ADSI) to delete a computer account from AD."
)
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) == 0:
raise ValueError("[!] Error: Please specify a computeraccount name.")
return argumentList
class GetMachineAccountQuota(BOFModuleClass):
"""Outflank C2 Tool Collection GetMachineAccountQuota BOF Module"""
def __init__(self):
super().__init__(
CURRENT_PATH,
"AddMachineAccount/GetMachineAccountQuota.x64.o",
"AddMachineAccount/GetMachineAccountQuota.x86.o",
)
def description(self): # Short
return "Read the MachineAccountQuota value from the Active Directory domain."
def help(self): # Long
return (
"Synopsis: GetMachineAccountQuota\n\n"
+ "Use Active Directory Service Interfaces (ADSI) to read the ms-DS-MachineAccountQuota value from AD."
)
class CVE202226923(BOFModuleClass):
"""Outflank C2 Tool Collection CVE-20222-6923 BOF Module"""
def __init__(self):
super().__init__(
CURRENT_PATH,
"CVE-2022-26923/CVE-2022-26923.x64.o",
"CVE-2022-26923/CVE-2022-26923.x86.o",
)
self.args = "ZZ"
def description(self): # Short
return "Active Directory Domain Privilege Escalation exploit."
def help(self): # Long
return (
"Synopsis: CVE-2022-26923 [Computername] [Password <Optional>]\n"
+ "Use Active Directory Service Interfaces (ADSI) to add a computer account with dNSHostName attribute set to the DC fqdn."
)
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) == 0:
raise ValueError("[!] Error: Specify a computeraccount name!")
return argumentList
class Askcreds(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Askcreds BOF Module"""
def __init__(self):
super().__init__()
self.args = "Z" # optional
def description(self): # Short
return "Collect passwords using CredUIPromptForWindowsCredentialsName."
def help(self): # Long
return (
"Synopsis: Askcreds [optional reason]\n"
+ "Collect passwords by simply asking."
)
def split_arguments(self, arguments):
return [
arguments
] # All further text (including spaces) is seen as one argument
class Domaininfo(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Domaininfo BOF Module"""
def description(self): # Short
return "Using Active Directory Domain Services to enumerate domain information."
def help(self): # Long
return (
"Using Active Directory Domain Services to enumerate domain information.\n\n"
+ "Synopsis: Domaininfo"
)
class Kerberoast(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Kerberoast BOF Module"""
def __init__(self):
super().__init__()
self.args = "ZZ"
def description(self): # Short
return "Perform Kerberoasting against all (or specified) SPN enabled accounts."
def help(self): # Long
return (
"List all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat.\n\n"
+ "Synopsis: Kerberoast [list, list-no-aes, roast or roast-no-aes] [account <optional sAMAccountName filter (default all)>]\n\n"
)
def split_arguments(self, arguments):
return arguments.strip().split(None, 1) # Only split on the first space
def validate_arguments(self, argumentList):
if (
not argumentList
or len(argumentList) == 0
or argumentList[0] not in ["list", "list-no-aes", "roast", "roast-no-aes"]
):
raise ValueError(
"[!] Error: Please specify an action (list, list-no-aes, roast or roast-no-aes)."
)
return argumentList
class Lapsdump(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Lapsdump BOF Module"""
def __init__(self):
super().__init__()
self.args = "Z"
def description(self): # Short
return "Dump LAPS passwords from specified computers within Active Directory."
def help(self): # Long
return (
"Synopsis: Lapsdump [target]\n\n"
+ "Use Active Directory Service Interfaces (ADSI) to extract LAPS passwords from AD."
)
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) == 0:
raise ValueError("[!] Error: Please specify a Target: IP or Hostname.")
return argumentList
class PetitPotam(OTCBOF64BaseClass):
"""Outflank C2 Tool Collection PetitPotam BOF Module"""
def __init__(self):
super().__init__()
self.args = "ZZ"
def description(self): # Short
return "Coerce Windows hosts to authenticate to other machines via MS-EFSRPC."
def help(self): # Long
return (
"Synopsis: PetitPotam <capture server ip or hostname> <target server ip or hostname>\n"
+ "Bof implementation of the PetitPotam exploit."
)
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) < 1:
raise ValueError("[!] Error: Please specify a capture server!")
if len(argumentList) == 1:
raise ValueError("[!] Error: Please specify a target server!")
return argumentList
class Psc(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Psc BOF Module"""
def description(self): # Short
return "Show detailed information from processes with established TCP and RDP connections."
def help(self): # Long
return (
"Synopsis: psc\n\n"
+ "Shows a detailed list of all processes with established TCP and RDP connections."
)
class Psw(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Psw BOF Module"""
def description(self): # Short
return "Show Window titles from processes with active Windows."
def help(self): # Long
return (
"Synopsis: Psw\n\n"
+ "Show Window titles from processes with active Windows."
)
# Psx not included because Stage1 supports it natively
class Smbinfo(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Smbinfo BOF Module"""
def __init__(self):
super().__init__()
self.args = "Z"
def description(self): # Short
return "Gather remote system version info."
def help(self): # Long
return (
"Synopsis: Smbinfo [target]\n\n"
+ "Use NetWkstaGetInfo API to gather remote system version info."
)
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) == 0:
raise ValueError("[!] Error: Specify an ip or hostname!")
return argumentList
class SprayAD(OTCBOFBaseClass):
"""Outflank C2 Tool Collection SprayAD BOF Module"""
def __init__(self):
super().__init__()
self.args = "ZZZ"
def description(self): # Short
return "Perform a Kerberos or ldap password spraying attack against Active Directory."
def help(self): # Long
return (
"Test all enabled Active Directory useraccounts for valid passwords.\n\n"
+ "Synopsis: SprayAD [password] [filter <optional> <example: admin*>] [ldap <optional>]"
)
def validate_arguments(self, argumentList):
if not argumentList or len(argumentList) == 0:
raise ValueError("[!] Error: Please specify a password to test!")
if len(argumentList) == 1:
argumentList.append("*")
return argumentList
class StartWebClient(OTCBOFBaseClass):
"""Outflank C2 Tool Collection StartWebClient BOF Module"""
def description(self): # Short
return "Starting WebClient Service Programmatically."
def help(self): # Long
return (
"Synopsis: StartWebClient\n\n"
+ "Starting WebClient Service Programmatically"
)
class Winver(OTCBOFBaseClass):
"""Outflank C2 Tool Collection Winver BOF Module"""
def description(self): # Short
return "Display the version of Windows that is running, the build number and patch release (Update Build Revision)."
def help(self): # Long
return "Synopsis: Winver\n\n" + "Display Windows version info."
# Main entry point of the file
if __name__ == "__main__":
for name, obj in inspect.getmembers(sys.modules[__name__]):
if (
inspect.isclass(obj)
and issubclass(obj, BOFModuleClass)
and name != "BOFModuleClass"
and name.find("BaseClass") == -1
):
try:
instance_of_obj = obj()
instance_of_obj.test()
except Exception as error:
print(
"[!] Error during test {}: {}".format(
type(error).__name__, name, str(error)
)
)