• Stars
    star
    683
  • Rank 66,158 (Top 2 %)
  • Language
    C#
  • License
    GNU General Publi...
  • Created about 4 years ago
  • Updated over 3 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Self-developed tools for Lateral Movement/Code Execution

CheeseTools

This repository has been made basing onto the already existing MiscTool, so big shout-out to rasta-mouse for releasing them and for giving me the right motivation to work on them.

CheeseExec

Command Exec / Lateral movement via PsExec-like functionality. Must be running in the context of a privileged user. The tool is based on rasta-mouse CsExec, but is designed to allow additional control over the service creation, specifically:

  • Create (Search if the service exists, if not, tries to create it)
  • Start (Search if the service exists and is stopped, if that's the case attempts to start it; if not, tries to create it and start it)
  • Stop (Search if the service exists and is running, if that's the case attempts to stop it)
  • Delete (Search if the service exists and is running, if that's the case attempts to stop it than delete it, otherwise it deletes it)
CheeseExec.exe <targetMachine> <serviceName> <binPath> <action>

Also see TikiService.

CheesePS

Cheese PS is Command Exec / Lateral Movement framework. It relies on System.Management.Automation.PowerShell to load and run arbitrary code via PowerShell. The tool is natively capable of bypassing common restrictions creating and using PowerShell runspaces on local or remote targets. Must be running in the context of a privileged user (if using PowerShell Remoting).

The tool has been originally made as an enhancement of rasta_mouse CsPosh, but grew enough to become a framework on its own, and can now be used as a general PowerShell injector.

The idea behind this tool has been summarised in the following article:

The main functionalities implemented are:

  • BuiltIn CLM Bypass using REGINI
  • BuiltIn AmsiBypass that patches Amsi before executing any other command
    • Permits to specify an alternate PowerShell script for AMSI bypass
  • BuiltIn WldpBypass that patches WLDP before executing assemblies
    • Permits to specify an alternate PowerShell script for WLDP bypass
  • Import modules and script before execution
    • Against a local target: modules are imported via filesystem, smb, or http[s]
    • Against a remote target: modules are loaded directly from the local machine using WS-Management
  • Download binary and execute
    • Standard: Transfer -> Write to disk -> Execute
    • Reflective: Transfer -> Execute from memory
  • Supports AES Encryption of PS modules, C# assemblies and other executables to evade detection
    • All imported Modules/Assemblies can be encrypted in transit or at rest, and are decrypted just before usage

The following screenshot is a decently accurate schema to describe the tool's workflow:

CheesePS Workflow

Usage:
  -t, --target=VALUE         Target machine
  -c, --code=VALUE           Code to execute
  -e, --encoded              Indicates that provided code is base64 encoded
  -a, --am-si-bypass=VALUE   Uses the given PowerShell script to bypass A-M-S-
                               I (fs, smb o http[s])
      --aX, --encrypted-am-si
                             Indicates that provided A.M.S.I. bypass is
                               encrypted
  -i, --import=VALUE         Imports additional PowerShell modules (fs, smb o
                               http[s])
      --iX, --encrypted-imports
                             Indicates that provided PowerShell modules are
                               encrypted
  -o, --outstring            Append Out-String to code
  -r, --redirect             Redirect stderr to stdout
  -d, --domain=VALUE         Domain for alternate credentials
  -u, --username=VALUE       Username for alternate credentials
  -p, --password=VALUE       Password for alternate credentials
  -X, --encrypt=VALUE        Encrypt a script with an hardcoded key
  -D, --decrypt=VALUE        Test decryption of a script with an hardcoded key
  -n, --skip-bypass=VALUE    Skip A.M.S.I (A), WLDP (W) or ALL (*) Bypass
                               techniques
  -l, --lockdown-escape      Try to enable PowerShell FullLanguage mode using
                               REGINI
  -w, --wldp-bypass=VALUE    Uses the given PowerShell script to bypass WLDP
                               (fs, smb o http[s])
      --wX, --encrypted-wldp Indicates that provided WLDP bypass is encrypted
  -x, --executable=VALUE     [Download and] Execute given executable
      --xX, --encrypted-executable
                             Indicates that provided Exe/DLL is encrypted
      --xCS, --executable-csharp
                             Indicates that the executable provided is C# -
                               (.NET)
  -R, --reflective-injection Uses Invoke-ReflectivePEInjection to load the
                               assmebly from memory (requires Invoke-
                               ReflectivePEInjection to be imported!)
  -P, --powershell-decrypt   Force use of PowerShell-based decryption
  -k, --encryption-key=VALUE Uses the provided key for encryption/decryption
      --ssl                  Force use of SSL
  -h, -?, --help             Show Help

Note: If executed without a target, the script will execute against the local machine

Advantages of using the tool against raw PowerShell:

  • Cleaner, more intuitive command line
  • Automatic bypasses (CLM, AMSI, WLDP)
  • Avoids to perform outbound connections from the remote target (everything is transfered through WS-Management)
  • Supports full encryption in transit

Also see AmsiBypass.

CheeseDCOM

Command Exec / Lateral Movement via DCOM. Must be running in the context of a privileged user. This tool is based on rasta-mouse CsDCOM, but it's been improved to add additional methods, adapting to the new research made by Philip Tsukerman. There is also an experimental method to "fix" eventual attempts to disable affected DCOM objects via dcomcfg, but it requires some preconditions in order to work properly.

The idea behind this tool has been summarised in the following article:

Current Methods: MMC20.Application, ShellWindows, ShellBrowserWindow, ExcelDDE, VisioAddonEx, OutlookShellEx, ExcelXLL, VisioExecLine, OfficeMacro.

Usage:
  -t, --target=VALUE         Target Machine
  -b, --binary=VALUE         Binary: powershell.exe
  -a, --args=VALUE           Arguments: -enc <blah>
  -m, --method=VALUE         Methods: MMC20Application, ShellWindows,
                               ShellBrowserWindow, ExcelDDE, VisioAddonEx,
                               OutlookShellEx, ExcelXLL, VisioExecLine, 
                               OfficeMacro
  -r, --reg, --registry      Enable registry manipulation
  -h, -?, --help             Show Help

Note: If executed with -t ., the script will execute against the local machine

Also see Lateral Movement Using DCOM Objects and C#

CheeseRDP

RDP credentials stealer via RDI (reflective DLL injection). Must be running in the context of a privileged user, or a user with SeImpersonatePrivilege. This tool is built on top of RdpThief by MDSec, but it's been fully wrapped in a single C# to enable it to be run via .NET Reflection (Assembly.Load and similar). In this way, it's possible to run it via Covenant, without the struggle of uploading a DLL on the target system.

Usage:
    CheeseRDP [actions]
Actions:
    wait: keep listening for any new mstsc.exe process indefinitely (stop with ctrl-C)
    clean: delete the credentials dump file if present
    dump: dump the content of the file if present, parsing the credentials in a compact format

Note: If executed without options, the program will try to inject in an active mstsc.exe process (the default wait time is 10 seconds)

CheeseSQL

Command Exec / Lateral Movement via MSSQL Trust. This tool has been developed to overcome some of the limitations given by already existing tools like esc, mostly regarding MSSQL impersonation. Moreover, CheeseSQL has been specifically modified to run from Covenant (via reflective loading), and to automate the most important phases of MSSQL trust abuse. Particuarly funny is the implementation of the CLR abuse, which allow a user to compile and upload a MSSQL extension on the fly with Roslyn to achieve command execution. A very little demo is shown below, the command executed is an encoded PowerShell Covenant downloader):

CheeseSQL CLR Attack

Following my rule of "always give credit when credit is due", this tool has been developed starting from an already existing project by Jb05s, called SharpSQL, so big shout out to Jeremy for his work.

Also, I really recommend to see all the tools from NetSPI regarding MSSQL auditing and exploitation, as they are really amazing:

  • esc: interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features
  • DAFT: database auditing and assessment toolkit written in C#
  • PowerUpSQL: PowerSHell module for SQL Server discovery, auditing, and exploitation
[*] List of available commands:
  - findspn             : Find MSSQL Instances, using Domain SPNs
  - listdb              : List available Databases on the server
  - gethash             : Send Service Account Net-NTLM Hash to an Arbitrary IP
  - getlogin            : Retrieve SQL Logins Available for Impersonation
  - getdbuser           : Retrieve Information on the SQL Login, Currently Mapped User, and Available User Roles
  - getlinked           : Retrieve Information about Linked Servers
  - getserverinfo       : Retrieve current values of 'xp_cmdshell', 'ole automation procedures' and 'clr enabled'
  - xp                  : Execute Encoded PowerShell Command via 'xp_cmdshell'
  - ole                 : Execute Encoded PowerShell Command via 'sp_OACreate' and 'sp_OAMethod'
  - clr                 : Execute Encoded PowerShell Command via custom .NET assemblies
  - rpc                 : Configure Linked SQL Server to Allow RPC connections
  - linkedquery         : Execute Encoded PowerShell Command on Linked SQL Server via 'OPENQUERY'
  - openquery           : Execute an arbitrary query using 'OPENQUERY'

[*] For detailed usage, type:
  - CheeseSQL <command> /help

Credits

More Repositories

1

inceptor

Template-Driven AV/EDR Evasion Framework
Assembly
1,561
star
2

SysWhispers3

SysWhispers on Steroids - AV/EDR evasion via direct system calls.
Python
1,256
star
3

CVE-2021-40444

CVE-2021-40444 - Fully Weaponized Microsoft Office Word RCE Exploit
HTML
795
star
4

SilentMoonwalk

PoC Implementation of a fully dynamic call stack spoofer
C++
665
star
5

chameleon

PowerShell Script Obfuscator
Python
485
star
6

vortex

VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit
Python
419
star
7

CandyPotato

Pure C++, weaponized, fully automated implementation of RottenPotatoNG
C++
298
star
8

DriverJack

Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths
C++
246
star
9

SharpSelfDelete

C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
C#
147
star
10

NimlineWhispers3

A tool for converting SysWhispers3 syscalls for use with Nim projects
Nim
137
star
11

RpcProxyInvoke

Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar
C++
100
star
12

klezVirus.github.io

CyberSec Blog
JavaScript
96
star
13

SharpLdapRelayScan

C# Port of LdapRelayScan
C#
77
star
14

koppeling-p

Adaptive DLL hijacking / dynamic export forwarding - EAT preserve
Python
66
star
15

DCKFinder

Dangling COM Keys Finder
C++
14
star
16

deser-node

NodeJS Deserialization Payload Generator
JavaScript
9
star
17

codegrepper

Pure python, self-contained, silly implementation of a SAST tool
Python
8
star
18

mapt-run

Simple script to setup a local hosted network for Mobile Application Penetration Testing
Shell
8
star
19

faceless

Faceless - Simple Tool for Text-File Anonymization
Python
7
star
20

msf-revhttp-gen

Little utility to facilitate Metasploit Reverse HTTP Payloads
Shell
7
star
21

nmap-report

A simple tool that can be use to extract usful information from a nmap scan
Shell
7
star
22

CryptoCheck

NIST-CAVS Extended - Encryption Auto Testing Toolkit
Python
4
star
23

deser-py

Python Deserialization Payload Generator
Python
4
star
24

deser-ruby

Ruby Deserialization Payload Generator
Ruby
4
star
25

nx_reporter

Rapid7 Nexpose template-based report generator
Python
4
star
26

muts-opt-encoder

Independent implementation of the optimized SUB-Encoder
Python
4
star
27

klezVirus

Temporary unavailable...
3
star
28

php-ipfinder

A simple tool to enumerate various info on a set of IP addresses
PHP
2
star
29

cves

Public Advisories Redirector
1
star
30

cors-security-remove

JavaScript
1
star
31

Posts

Offensive Security Certifications Reviews
1
star
32

oldrivrs

some old drivers and misc crap from a while ago
C
1
star