release/0.2.13

[grisuno]

Full Changelog: release/0.2.12...release/0.2.13

pykerbrute

Command pykerbrute: Automates the installation and execution of PyKerbrute for bruteforcing Active Directory accounts using Kerberos pre-authentication.

This function performs the following tasks:

1. Clones and installs PyKerbrute if not already installed.
2. Allows the user to choose between the EnumADUser.py and ADPwdSpray.py scripts.
3. Executes the selected script with user-defined parameters, including domain, mode (TCP/UDP), and selected hash or password.

Args:
line (str): Optional argument for specifying additional parameters for execution, such as domain controller, domain, and attack mode.

Returns:
None

reg_py

Run reg.py with specified parameters to query the registry.

:param line: Line input for any additional parameters.

:returns: None

Manual execution:
To manually run reg.py, use the following command:

reg.py -hashes :<hash> <domain>/<username>@<target> query -keyName <registry_key>

This function prompts the user for the hash, domain, username, and registry key if they are not already provided.

name_the_hash

Identify hash type using nth after retrieving it with get_hash().

:param line: Line input for any additional parameters.

:returns: None

Manual execution:
To manually identify the hash, use the following command:

nth -t "{hash}"

This function fetches the hash using get_hash() and identifies its type. If nth is not installed, it is automatically installed.

refill_password

Generate a list of possible passwords by filling each asterisk in the input with user-specified characters.

:param line: A string containing asterisks (e.g., WebAO***7) for generating variations.

:returns: None

Process:
Prompts the user to enter characters to replace each asterisk, creates all possible combinations,
and saves them to 'sessions/passwords_refilled.txt'. If this file exists, the previous version is
renamed with a timestamp suffix.

sudo

Checks if the script is running with superuser (sudo) privileges, and if not,
restarts the script with sudo privileges.

This function verifies if the script is being executed with root privileges
by checking the effective user ID. If the script is not running as root,
it prints a warning message and restarts the script using sudo.

:return: None

netview

Executes the Impacket netview tool to list network shares on a specified target.

This function performs the following actions:

1. Checks if the target host is valid.
2. If the line argument is "pass", it searches for credential files with the pattern credentials*.txt
   and allows the user to select which file to use for executing the command.
3. If line is "hash", it searches for a hash file and prompts the user for a username, then constructs
   and executes the command with the hash.
4. If line does not match "pass" or "hash", it displays an error message with usage instructions.

Parameters:
line (str): A command argument to determine the authentication mode.
If "pass", the function searches for credential files and authenticates using the selected file.
If "hash", it uses a hash file for authentication.
If neither, it prints an error message with usage instructions.

Returns:
None

wmiexec

Executes the Impacket WMIExec tool to run commands on a target system using WMI.

This function performs the following actions:

1. Checks if the target IP is valid.
2. If the line argument is "pass", it searches for credential files with the pattern credentials*.txt
   and allows the user to select which file to use for executing the command.
3. If line is "hash", it searches for a hash file and prompts the user for a username, then constructs
   and executes the command with the hash.
4. If line does not match "pass" or "hash", it displays an error message with usage instructions.

Parameters:
line (str): A command argument to determine the authentication mode.
If "pass", the function searches for credential files and authenticates using the selected file.
If "hash", it uses a hash file for authentication.
If neither, it prints an error message with usage instructions.

Returns:
None

extract_ports

Extracts open ports and IP address information from a specified file.

This function performs the following actions:

1. Reads the specified file to find open ports.
2. If not port pass as an argument, Extracts the first unique IP address found in the file.
3. Prints the extracted information to the console.

Parameters:
line (str): The port to get information.

Returns:
None

cron

Schedules a command to run at a specified time.

This function allows users to schedule a command to execute at a specific hour and minute.
If the specified time has already passed for the current day, the command will be scheduled
to run the following day.

Usage:
cron HH:MM command [args]

Parameters:
line (str): The input string containing the scheduled time in 'HH:MM' format followed by the command and arguments.

Returns:
None

pezorsh

Executes the PEzor tool to pack executables or shellcode with custom configurations.

This function enables the user to construct commands for PEzor with various options.
By default, parameters are prompted to ensure successful execution without failure due to
missing values. It supports both executable and shellcode packing with the ability to
select from a range of PEzor flags to create the desired payload.

Functionalities of the function include:

1. Prompting the user to specify if they want to pack an executable or shellcode.
2. Gathering parameters for different PEzor flags based on user choices.
3. Building the command dynamically to execute PEzor.sh with the configured options.

Example commands the function can build:

• Pack an executable with 64-bit, debug, and anti-debug options.
• Pack shellcode with self-injection and sleep options.

Usage:
- Run 'PEzor [donut args...]' to pack an executable with donut options.
- Run 'PEzor ' to pack shellcode.

:param line: String containing initial command-line arguments or options.

mimikatzpy

Executes the Impacket Mimikatz tool to interact with a target system for credential-related operations.

This function performs the following actions:

1. Validates the target IP (rhost).
2. If the line argument is "pass", it searches for credential files matching the pattern credentials*.txt
   and prompts the user to select a file for executing Mimikatz.
3. If line is "hash", it searches for a hash file, prompts for a username, and constructs the command using
   the hash for authentication.
4. If line does not match "pass" or "hash", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the authentication mode.
If "pass", the function authenticates using credentials from a selected file.
If "hash", it uses a hash file for authentication.
If neither, it displays an error message with usage instructions.

Returns:
None

rdp_check_py

Executes the RDP check tool to verify credentials or hash-based authentication on a target system.

This function performs the following actions:

1. Validates the target IP (rhost).
2. If the line argument is "pass", it searches for credential files with the pattern credentials*.txt
   and prompts the user to select one to execute the RDP check.
3. If line is "hash", it searches for a hash file, prompts the user for a username, and constructs the command
   using the hash for authentication.
4. If line does not match "pass" or "hash", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the authentication mode.
If "pass", the function authenticates using credentials from a selected file.
If "hash", it uses a hash file for authentication.
If neither, it displays an error message with usage instructions.

Returns:
None

mqtt_check_py

Executes the MQTT check tool to verify credentials on a target system with optional SSL.

This function performs the following actions:

1. Validates the target IP (rhost).
2. If the line argument is "pass", it searches for credential files matching the pattern credentials*.txt
   and prompts the user to select one to execute the MQTT check.
3. If line is "ssl", it performs the MQTT check with SSL enabled using the selected credentials.
4. If line does not match "pass" or "ssl", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the authentication mode.
If "pass", the function authenticates using credentials from a selected file.
If "ssl", it authenticates using SSL.
If neither, it displays an error message with usage instructions.

Returns:
None

lookupsid_py

Executes the LookupSID tool to perform SID enumeration on a target system.

This function performs the following actions:

1. Validates the target IP (rhost).
2. If the line argument is "basic", it searches for credential files with the pattern credentials*.txt
   and prompts the user to select one to execute the SID lookup.
3. If line is "dc-target", it performs the SID lookup specifying domain controller and target IPs,
   using the selected credentials.
4. If line does not match "basic" or "dc-target", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the lookup mode.
If "basic", the function performs a standard SID lookup.
If "dc-target", it includes -dc-ip and -target-ip arguments.
If neither, it displays an error message with usage instructions.

Returns:
None

scavenger

Executes the Scavenger tool for multi-threaded post-exploitation scanning on target systems with SMB credentials.

This function performs the following actions:

1. Checks if Scavenger is installed; if not, it clones the repository and installs dependencies.
2. If the line argument is "pass", it searches for credential files matching credentials*.txt,
   prompts the user to select one, and executes Scavenger using the chosen credentials on a single target IP.
3. If the line argument is "targets", it prompts for an IP list file (iplist) and uses Scavenger with
   credentials from a selected file on multiple target IPs with the --overwrite option.
4. If line does not match "pass" or "targets", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the authentication mode.
- If "pass", authenticates with credentials from a selected file on a single target IP.
- If "targets", authenticates on multiple targets from a provided IP list file.
- If neither, displays an error message with usage instructions.

Returns:
None

binarycheck

Performs various checks on a selected binary to gather information and protections.

This function executes the following checks:

1. Checks program protections using checksec.
2. Displays information about the ELF binary using readelf.
3. Retrieves the address of the system() function using objdump.
4. Searches for a known string within the binary using objdump.
5. Generates a cyclic pattern for padding using pwntools.
6. Lists gadgets in the binary using ROPgadget.

Parameters:
line (str): Command argument not used in this function.

Returns:
None

lookupsid

Executes the Impacket lookupsid tool to enumerate SIDs on a target system.

This function performs the following actions:

1. Validates the target IP (or hostname) specified in the line argument.
2. If the line argument is "pass", it searches for credential files with the pattern credentials*.txt
   and prompts the user to select one to execute the lookupsid command.
3. If line is "hash", it prompts the user for a username and constructs the command using the hash for authentication.
4. If line does not match "pass" or "hash", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the authentication mode.
If "pass", the function authenticates using credentials from a selected file.
If "hash", it uses a hash file for authentication.
If neither, it displays an error message with usage instructions.

Returns:
None

certipy

Executes the Certipy tool to interact with Active Directory Certificate Services.

This function performs the following actions:

1. Validates the target IP or hostname specified in the line argument.
2. If line is "find", it executes the certipy find command to enumerate AD CS.
3. If line is "shadow", it prompts for an account and executes the certipy shadow command.
4. If line does not match "pass", "hash", "find", or "shadow", it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the action mode.
If "find", it enumerates AD CS.
If "shadow", it abuses shadow credentials for account takeover.
If neither, it displays an error message with usage instructions.

Returns:
None

follina

Executes the MSDT Follina exploit tool to create malicious documents for exploitation.

This function performs the following actions:

1. Checks if follina.py is available; if not, it clones the repository and installs dependencies.
2. If the line argument is "default", it runs the tool with default parameters to pop calc.exe.
3. If the line argument is "notepad", it runs the tool to pop notepad.exe.
4. If the line argument is "reverse", it prompts for a port and runs the tool to get a reverse shell.
5. If the line does not match any valid options, it displays an error message with usage instructions.

Parameters:
line (str): Command argument specifying the action mode.
- If "default", executes with default parameters.
- If "notepad", executes to pop notepad.exe.
- If "reverse", prompts for a port and executes for a reverse shell.
- If neither, displays an error message with usage instructions.

Returns:
None

sawks

Executes the Swaks (Swiss Army Knife for SMTP) tool to send test emails for phishing simulations.

This function performs the following actions:

1. Checks if Swaks is available; if not, it clones the repository to the appropriate directory.
2. Constructs the Swaks command with the specified 'to' and 'from' emails, server, and message body.
3. Runs the command using Swaks to simulate email delivery.

Parameters:
line (str): Command argument specifying additional options or the message body.
- If not provided, defaults to a basic test message.

Returns:
None

ad_ldap_enum

Executes ad-ldap-enum to enumerate Active Directory objects (users, groups, computers)
through LDAP, collecting extended information on group memberships and additional AD details.

This function enables the enumeration of Active Directory users, groups, and computers
by executing LDAP queries on a specified domain controller. The command constructed allows
password or Pass-the-Hash authentication, supports SSL/TLS, and IPv4/IPv6 connections,
and outputs data into CSV files detailing domain group memberships and extended user/computer
information.

Functionalities include:

1. Checking for credential availability and prompting for them if not found.
2. Constructing an LDAP enumeration command with customizable authentication and server details.
3. Executing ad-ldap-enum.py to output detailed information in CSV format.

The output files are saved in the current working directory with a prepend if specified.

Example command the function can build:

• python3 ad-ldap-enum.py -d scrm.local -l 10.10.11.168 -u ksimpson -p ksimpson -v

Usage:
- Run dp_ad_ldap_enum to initiate AD object enumeration using ad-ldap-enum.

:param line: String containing initial command-line arguments or options.

unzip

Unzips a specified file from the sessions directory.

This function attempts to locate and unzip a file in the sessions directory.
If a filename is provided as line, it will use that; otherwise, it will attempt
to retrieve a zip file name based on existing zip files in the user's dictionary.
If the zip file is not found or does not exist in the sessions path, it prints
an error message.

Steps of execution:

1. Determines the zip file name from line or user dictionary.
2. Checks if the zip file exists within the sessions path.
3. Builds the unzip command and executes it to extract the contents of the zip file.

Usage example:
unzip filename.zip

:param line: The zip filename to be extracted. If empty, a zip file will be selected
automatically if available.
:return: None

---

This discussion was created from the release release/0.2.13.