diff --git a/.gitmodules b/.gitmodules index 6debcc64..aac7aa0c 100644 --- a/.gitmodules +++ b/.gitmodules @@ -30,3 +30,6 @@ path = Covenant/Data/ReferenceSourceLibraries/SharpSC url = https://github.com/djhohnstein/SharpSC ignore = dirty +[submodule "Covenant/Data/ReferenceSourceLibraries/InternalMonologue"] + path = Covenant/Data/ReferenceSourceLibraries/InternalMonologue + url = https://github.com/eladshamir/Internal-Monologue diff --git a/Covenant/Core/DbInitializer.cs b/Covenant/Core/DbInitializer.cs index 95cccf18..c85c1806 100644 --- a/Covenant/Core/DbInitializer.cs +++ b/Covenant/Core/DbInitializer.cs @@ -259,7 +259,13 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte Name = "SharpSC", Description = "SharpSC is a .NET assembly to perform basic operations with services.", Location= "SharpSC" + Path.DirectorySeparatorChar, CompatibleDotNetVersions = new List { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 } - } + }, + new ReferenceSourceLibrary + { + Name = "InternalMonologue", Description = "Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS.", + Location= "InternalMonologue" + Path.DirectorySeparatorChar, + CompatibleDotNetVersions = new List { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 } + } }; await service.CreateReferenceSourceLibraries(ReferenceSourceLibraries); 
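Review bot: The new `InternalMonologue` entry in `.gitmodules` omits `ignore = dirty`, which the SharpSC entry directly above it carries. Without it, files generated inside the submodule working tree make the superproject show as modified. If that setting is the convention for the reference libraries here (only the SharpSC entry is visible in this hunk), add `ignore = dirty` as a third line of the new entry. The URL points at a third-party repository, so the pinned gitlink commit is the only thing that fixes which code gets compiled into tasks; bumps to it deserve the same review as a code change.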
@@ -272,6 +278,7 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte
 var su = await service.GetReferenceSourceLibraryByName("SharpUp");
 var sw = await service.GetReferenceSourceLibraryByName("SharpWMI");
 var sc = await service.GetReferenceSourceLibraryByName("SharpSC");
+ var im = await service.GetReferenceSourceLibraryByName("InternalMonologue");
 await service.CreateEntities(
 new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) },
 new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) },
@@ -391,8 +398,23 @@ await service.CreateEntities( new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35) }, new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) }, new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net35) }, - new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) } - ); + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) }, + + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { 
ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.XML.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.XML.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Security.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Security.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.DataSetExtensions.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.DataSetExtensions.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.dll", Common.DotNetVersion.Net40) } + ); } #endregion @@ -506,4 +528,4 @@ public async static Task InitializeThemes(CovenantContext context) } } } -} \ No newline at end of file +} 
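Review bot: The fourteen `im` rows attach `System.Data.dll`, `System.Data.DataSetExtensions.dll` and `System.XML.dll` to InternalMonologue, which looks like the default reference set of a Visual Studio project rather than what the library needs. The submodule source is not visible from this diff, so please confirm, and drop the ones it does not use from both this list and the `ReferenceAssemblies` block of `Covenant/Data/Tasks/InternalMonologue.yaml`. The same name/version pairs are maintained by hand in both files, so a comment such as `// Keep in sync with Data/Tasks/InternalMonologue.yaml` above the first `im` row would help the next editor. The `CreateEntities` call these rows extend starts outside the hunk.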
diff --git a/Covenant/Data/ReferenceSourceLibraries/InternalMonologue b/Covenant/Data/ReferenceSourceLibraries/InternalMonologue
new file mode 160000
index 00000000..4694611f
--- /dev/null
+++ b/Covenant/Data/ReferenceSourceLibraries/InternalMonologue
@@ -0,0 +1 @@
+Subproject commit 4694611f78f211ca4a0381cd3daca1310ced4293
diff --git a/Covenant/Data/Tasks/InternalMonologue.yaml b/Covenant/Data/Tasks/InternalMonologue.yaml
new file mode 100644
index 00000000..1eef0783
--- /dev/null
+++ b/Covenant/Data/Tasks/InternalMonologue.yaml
@@ -0,0 +1,121 @@
+- Name: InternalMonologue
+ Aliases: []
+ Author:
+ Name: 'Simone Salucci, Daniel López & Sergio Lázaro'
+ Handle: '@saim1z, @attl4s, @Slazar0'
+ Link: ''
+ Description: Internal Monologue downgrades NetNTLM and invokes a local procedure call to the NTLM authentication package (MSV1_0) with a specific challenge. The responses obtained can be cracked using rainbow tables.
+ Help:
+ Language: CSharp
+ CompatibleDotNetVersions:
+ - Net35
+ - Net40
+ Code: |
+ using System;
+ using System.IO;
+ using InternalMonologue;
+ using InternalMonologue.StringExtensions;
+
+ public static class Task
+ {
+ public static Stream OutputStream { get; set; }
+ public static string Execute(string Parameters)
+ {
+ string output = "";
+ try
+ {
+ TextWriter realStdOut = Console.Out;
+ TextWriter realStdErr = Console.Error;
+ TextWriter stdOutWriter = new StreamWriter(OutputStream);
+ TextWriter stdErrWriter = new StreamWriter(OutputStream);
+ Console.SetOut(stdOutWriter);
+ Console.SetError(stdErrWriter);
+
+ String[] args = Parameters.Split(' ');
+
+ try
+ {
+ Program.Main(args);
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine("\r\n[!] Unhandled InternalMonlogue exception:\r\n");
+ Console.WriteLine(e);
+ }
+
+ Console.Out.Flush();
+ Console.Error.Flush();
+ Console.SetOut(realStdOut);
+ Console.SetError(realStdErr);
+ OutputStream.Close();
+ }
+ catch (Exception e) { output += e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; }
+ return output;
+ }
+ }
+ TaskingType: Assembly
+ UnsafeCompile: false
+ TokenTask: false
+ Options:
+ - Name: Parameters
+ Value: ''
+ DefaultValue: -Downgrade True -Restore True -Impersonate True -Thread False -Verbose False -Challenge 1122334455667788
+ Description: The command-line parameters to pass to the tool.
+ SuggestedValues: []
+ Optional: true
+ DisplayInCommand: true
+ FileOption: false
+ ReferenceSourceLibraries:
+ - Name: InternalMonologue
+ Description: Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS.
+ Location: InternalMonologue\
+ Language: CSharp
+ CompatibleDotNetVersions:
+ - Net35
+ - Net40
+ ReferenceAssemblies:
+ - Name: System.Core.dll
+ Location: net40\System.Core.dll
+ DotNetVersion: Net40
+ - Name: System.Data.DataSetExtensions.dll
+ Location: net40\System.Data.DataSetExtensions.dll
+ DotNetVersion: Net40
+ - Name: System.Data.dll
+ Location: net40\System.Data.dll
+ DotNetVersion: Net40
+ - Name: System.dll
+ Location: net40\System.dll
+ DotNetVersion: Net40
+ - Name: System.Security.dll
+ Location: net40\System.Security.dll
+ DotNetVersion: Net40
+ - Name: mscorlib.dll
+ Location: net40\mscorlib.dll
+ DotNetVersion: Net40
+ - Name: System.XML.dll
+ Location: net35\System.XML.dll
+ DotNetVersion: Net35
+ - Name: System.dll
+ Location: net35\System.dll
+ DotNetVersion: Net35
+ - Name: System.Data.dll
+ Location: net35\System.Data.dll
+ DotNetVersion: Net35
+ - Name: System.Data.DataSetExtensions.dll
+ Location: net35\System.Data.DataSetExtensions.dll
+ DotNetVersion: Net35
+ - Name: System.Core.dll
+ Location: net35\System.Core.dll
+ DotNetVersion: Net35
+ - Name: mscorlib.dll
+ Location: net35\mscorlib.dll
+ DotNetVersion: Net35
+ - Name: System.Security.dll
+ Location: net35\System.Security.dll
+ DotNetVersion: Net35
+ - Name: System.XML.dll
+ Location: net40\System.XML.dll
+ DotNetVersion: Net40
+ EmbeddedResources: []
+ ReferenceAssemblies: []
+ EmbeddedResources: []
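Review bot: The console redirection in the embedded `Execute` is undone only on the success path: if `Console.Out.Flush()` or any other statement after `Console.SetOut(stdOutWriter)` throws outside the inner `try`, the outer `catch` returns with `Console.Out` and `Console.Error` still pointing at the task's stream. Declare `realStdOut`/`realStdErr` before the outer `try` and restore them in a `finally`, e.g. `finally { Console.SetOut(realStdOut); Console.SetError(realStdErr); }`. The message `"\r\n[!] Unhandled InternalMonlogue exception:\r\n"` misspells the tool name and should read `InternalMonologue`. `Parameters.Split(' ')` passes empty strings to `Program.Main` for an empty value or doubled spaces; `Parameters.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)` avoids that, assuming the tool's argument parser does not depend on them.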