From 4808970e8c124d5eb6686cd10f1272076de2b8f5 Mon Sep 17 00:00:00 2001
From: salu90
Date: Tue, 22 Sep 2020 23:51:33 +0200
Subject: [PATCH 1/6] Add InternalMonologue submodule
---
 .gitmodules | 3 +++
 Covenant/Data/ReferenceSourceLibraries/InternalMonologue | 1 +
 2 files changed, 4 insertions(+)
 create mode 160000 Covenant/Data/ReferenceSourceLibraries/InternalMonologue
diff --git a/.gitmodules b/.gitmodules
index 6debcc64..aac7aa0c 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -30,3 +30,6 @@
 path = Covenant/Data/ReferenceSourceLibraries/SharpSC
 url = https://github.com/djhohnstein/SharpSC
 ignore = dirty
+[submodule "Covenant/Data/ReferenceSourceLibraries/InternalMonologue"]
+ path = Covenant/Data/ReferenceSourceLibraries/InternalMonologue
+ url = https://github.com/eladshamir/Internal-Monologue
diff --git a/Covenant/Data/ReferenceSourceLibraries/InternalMonologue b/Covenant/Data/ReferenceSourceLibraries/InternalMonologue
new file mode 160000
index 00000000..4694611f
--- /dev/null
+++ b/Covenant/Data/ReferenceSourceLibraries/InternalMonologue
@@ -0,0 +1 @@
+Subproject commit 4694611f78f211ca4a0381cd3daca1310ced4293
From 3d9dcfcccacc65b9f4fcbdba278ffe8c882c521f Mon Sep 17 00:00:00 2001
From: salu90
Date: Tue, 22 Sep 2020 23:53:10 +0200
Subject: [PATCH 2/6] Add InternalMonologue task and reference libraries
---
 Covenant/Core/DbInitializer.cs | 28 ++++-
 Covenant/Data/Tasks/InternalMonologue.yaml | 121 +++++++++++++++++++++
 2 files changed, 146 insertions(+), 3 deletions(-)
 create mode 100644 Covenant/Data/Tasks/InternalMonologue.yaml
diff --git a/Covenant/Core/DbInitializer.cs b/Covenant/Core/DbInitializer.cs
index 95cccf18..0a154249 100644
--- a/Covenant/Core/DbInitializer.cs
+++ b/Covenant/Core/DbInitializer.cs
@@ -259,7 +259,13 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte Name = "SharpSC", Description = "SharpSC is a .NET assembly to perform basic operations with services.", Location= "SharpSC" + Path.DirectorySeparatorChar, CompatibleDotNetVersions = new List { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 } - } + }, + new ReferenceSourceLibrary + { + Name = "InternalMonologue", Description = "Internal Monologue repository.", + Location= "InternalMonologue" + Path.DirectorySeparatorChar, + CompatibleDotNetVersions = new List { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 } + } }; await service.CreateReferenceSourceLibraries(ReferenceSourceLibraries); @@ -272,6 +278,7 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte var su = await service.GetReferenceSourceLibraryByName("SharpUp"); var sw = await service.GetReferenceSourceLibraryByName("SharpWMI"); var sc = await service.GetReferenceSourceLibraryByName("SharpSC"); + var im = await service.GetReferenceSourceLibraryByName("InternalMonologue"); await service.CreateEntities( new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) }, new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) }, 
@@ -391,8 +398,23 @@ await service.CreateEntities( new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35) }, new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) }, new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net35) }, - new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) } - ); + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) }, + + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { 
ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.XML.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.XML.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Security.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Security.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.DataSetExtensions.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.DataSetExtensions.dll", Common.DotNetVersion.Net40) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.dll", Common.DotNetVersion.Net35) }, + new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.dll", Common.DotNetVersion.Net40) } + ); } #endregion diff --git a/Covenant/Data/Tasks/InternalMonologue.yaml b/Covenant/Data/Tasks/InternalMonologue.yaml new file mode 100644 index 00000000..167ec875 --- /dev/null +++ b/Covenant/Data/Tasks/InternalMonologue.yaml 
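Review bot: The fourteen `im` reference-assembly rows added in this hunk duplicate the `ReferenceAssemblies` list that the same commit writes into `Covenant/Data/Tasks/InternalMonologue.yaml`, and nothing in either place records that the two must agree, so a later edit to one will silently drift from the other. A comment on the first `im` row such as `// Keep in sync with ReferenceAssemblies in Data/Tasks/InternalMonologue.yaml` would at least point the next editor at the twin. The same applies to the `ReferenceSourceLibrary` entry added in the `@@ -259,7 +259,13 @@` hunk, whose Name, Location and CompatibleDotNetVersions are repeated in the YAML's `ReferenceSourceLibraries` block. `im` is used without a null check after `GetReferenceSourceLibraryByName`, though whether that helper can return null is not visible from the hunk, and the sibling `ss`/`sc` rows follow the same pattern. InitializeTasks begins before this hunk and continues after it.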
@@ -0,0 +1,121 @@ +- Name: InternalMonologue + Aliases: [] + Author: + Name: '' + Handle: '' + Link: '' + Description: Execute Internal Monologue attack + Help: + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + Code: | + using System; + using System.IO; + using InternalMonologue; + using InternalMonologue.StringExtensions; + + public static class Task + { + public static Stream OutputStream { get; set; } + public static string Execute(string Command) + { + string output = ""; + try + { + TextWriter realStdOut = Console.Out; + TextWriter realStdErr = Console.Error; + TextWriter stdOutWriter = new StreamWriter(OutputStream); + TextWriter stdErrWriter = new StreamWriter(OutputStream); + Console.SetOut(stdOutWriter); + Console.SetError(stdErrWriter); + + String[] args = Command.Split(' '); + + try + { + Program.Main(args); + } + catch (Exception e) + { + Console.WriteLine("\r\n[!] Unhandled InternalMonlogue exception:\r\n"); + Console.WriteLine(e); + } + + Console.Out.Flush(); + Console.Error.Flush(); + Console.SetOut(realStdOut); + Console.SetError(realStdErr); + OutputStream.Close(); + } + catch (Exception e) { output += e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; } + return output; + } + } + TaskingType: Assembly + UnsafeCompile: false + TokenTask: false + Options: + - Name: Parameters + Value: '' + DefaultValue: -Downgrade True -Restore True -Impersonate True -Thread False -Verbose False -Challenge 1122334455667788 + Description: Internal Monologue custom parameters + SuggestedValues: [] + Optional: true + DisplayInCommand: true + FileOption: false + ReferenceSourceLibraries: + - Name: InternalMonologue + Description: Internal Monologue description. 
+ Location: InternalMonologue\ + Language: CSharp + CompatibleDotNetVersions: + - Net35 + - Net40 + ReferenceAssemblies: + - Name: System.Core.dll + Location: net40\System.Core.dll + DotNetVersion: Net40 + - Name: System.Data.DataSetExtensions.dll + Location: net40\System.Data.DataSetExtensions.dll + DotNetVersion: Net40 + - Name: System.Data.dll + Location: net40\System.Data.dll + DotNetVersion: Net40 + - Name: System.dll + Location: net40\System.dll + DotNetVersion: Net40 + - Name: System.Security.dll + Location: net40\System.Security.dll + DotNetVersion: Net40 + - Name: mscorlib.dll + Location: net40\mscorlib.dll + DotNetVersion: Net40 + - Name: System.XML.dll + Location: net35\System.XML.dll + DotNetVersion: Net35 + - Name: System.dll + Location: net35\System.dll + DotNetVersion: Net35 + - Name: System.Data.dll + Location: net35\System.Data.dll + DotNetVersion: Net35 + - Name: System.Data.DataSetExtensions.dll + Location: net35\System.Data.DataSetExtensions.dll + DotNetVersion: Net35 + - Name: System.Core.dll + Location: net35\System.Core.dll + DotNetVersion: Net35 + - Name: mscorlib.dll + Location: net35\mscorlib.dll + DotNetVersion: Net35 + - Name: System.Security.dll + Location: net35\System.Security.dll + DotNetVersion: Net35 + - Name: System.XML.dll + Location: net40\System.XML.dll + DotNetVersion: Net40 + EmbeddedResources: [] + ReferenceAssemblies: [] + EmbeddedResources: [] \ No newline at end of file From 7ce1efa1cc94a84e25056c07813d9cfcd4828cdf Mon Sep 17 00:00:00 2001 From: salu90 Date: Mon, 28 Sep 2020 22:32:50 +0200 Subject: [PATCH 3/6] Minor fixes --- Covenant/Core/DbInitializer.cs | 2 +- Covenant/Data/Tasks/InternalMonologue.yaml | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Covenant/Core/DbInitializer.cs b/Covenant/Core/DbInitializer.cs index 0a154249..33079ec8 100644 --- a/Covenant/Core/DbInitializer.cs +++ b/Covenant/Core/DbInitializer.cs 
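Review bot: `Command.Split(' ')` in the task's `Execute` turns an empty `Parameters` value, which `Optional: true` permits, into a single empty-string argument for `Program.Main`, and it also splits inside any quoted value; `String[] args = Command.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);` fixes at least the empty case (PATCH 3/6 renames the parameter to `Parameters` but keeps the same split, so this applies there too). The `Console.SetOut`/`Console.SetError` swap is only undone on the success path: if `Console.Out.Flush()` or `Console.Error.Flush()` throws, the outer catch records the exception but the console stays redirected to a writer over `OutputStream`, which is then never closed, so the restore and `OutputStream.Close()` belong in a `finally` block. The message `"\r\n[!] Unhandled InternalMonlogue exception:\r\n"` misspells the tool name. The `Help:` field is left empty while `Description` is a single phrase; one sentence stating what `Parameters` accepts would document the option the task exposes.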
@@ -262,7 +262,7 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte }, new ReferenceSourceLibrary { - Name = "InternalMonologue", Description = "Internal Monologue repository.", + Name = "InternalMonologue", Description = "Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS.", Location= "InternalMonologue" + Path.DirectorySeparatorChar, CompatibleDotNetVersions = new List { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 } } diff --git a/Covenant/Data/Tasks/InternalMonologue.yaml b/Covenant/Data/Tasks/InternalMonologue.yaml index 167ec875..4200593a 100644 --- a/Covenant/Data/Tasks/InternalMonologue.yaml +++ b/Covenant/Data/Tasks/InternalMonologue.yaml @@ -1,8 +1,8 @@ - Name: InternalMonologue Aliases: [] Author: - Name: '' - Handle: '' + Name: 'Simone Salucci & Daniel López' + Handle: '@saim1z, @attl4s' Link: '' Description: Execute Internal Monologue attack Help: @@ -19,7 +19,7 @@ public static class Task { public static Stream OutputStream { get; set; } - public static string Execute(string Command) + public static string Execute(string Parameters) { string output = ""; try @@ -31,7 +31,7 @@ Console.SetOut(stdOutWriter); Console.SetError(stdErrWriter); - String[] args = Command.Split(' '); + String[] args = Parameters.Split(' '); try { @@ -60,14 +60,14 @@ - Name: Parameters Value: '' DefaultValue: -Downgrade True -Restore True -Impersonate True -Thread False -Verbose False -Challenge 1122334455667788 - Description: Internal Monologue custom parameters + Description: The command-line parameters to pass to the tool. SuggestedValues: [] Optional: true DisplayInCommand: true FileOption: false ReferenceSourceLibraries: - Name: InternalMonologue - Description: Internal Monologue description. + Description: Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS. Location: InternalMonologue\ Language: CSharp CompatibleDotNetVersions: 
From f3273c6a965d4c4eaee96aecc69e3de39844093b Mon Sep 17 00:00:00 2001
From: salu90
Date: Mon, 28 Sep 2020 23:25:12 +0200
Subject: [PATCH 4/6] Update InternalMonologue.yaml
---
 Covenant/Data/Tasks/InternalMonologue.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Covenant/Data/Tasks/InternalMonologue.yaml b/Covenant/Data/Tasks/InternalMonologue.yaml
index 4200593a..f5109004 100644
--- a/Covenant/Data/Tasks/InternalMonologue.yaml
+++ b/Covenant/Data/Tasks/InternalMonologue.yaml
@@ -4,7 +4,7 @@
 Name: 'Simone Salucci & Daniel López'
 Handle: '@saim1z, @attl4s'
 Link: ''
- Description: Execute Internal Monologue attack
+ Description: Internal Monologue downgrades NetNTLM and invokes a local procedure call to the NTLM authentication package (MSV1_0) with a specific challenge. The responses obtained can be cracked using rainbow tables.
 Help:
 Language: CSharp
 CompatibleDotNetVersions:
@@ -118,4 +118,4 @@
 DotNetVersion: Net40
 EmbeddedResources: []
 ReferenceAssemblies: []
- EmbeddedResources: []
\ No newline at end of file
+ EmbeddedResources: []
From b7ed60a2eaddb822f4dad1b1faa35ff21119b10b Mon Sep 17 00:00:00 2001
From: salu90
Date: Mon, 28 Sep 2020 23:27:27 +0200
Subject: [PATCH 5/6] Update DbInitializer.cs
---
 Covenant/Core/DbInitializer.cs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Covenant/Core/DbInitializer.cs b/Covenant/Core/DbInitializer.cs
index 33079ec8..c85c1806 100644
--- a/Covenant/Core/DbInitializer.cs
+++ b/Covenant/Core/DbInitializer.cs
@@ -278,7 +278,7 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte var su = await service.GetReferenceSourceLibraryByName("SharpUp"); var sw = await service.GetReferenceSourceLibraryByName("SharpWMI"); var sc = await service.GetReferenceSourceLibraryByName("SharpSC"); - var im = await service.GetReferenceSourceLibraryByName("InternalMonologue"); + var im = await service.GetReferenceSourceLibraryByName("InternalMonologue"); await service.CreateEntities( new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) }, new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) }, @@ -528,4 +528,4 @@ public async static Task InitializeThemes(CovenantContext context) } } } -} \ No newline at end of file +} From e38621460e852aec61fa1e74986474a0e6d4cb4e Mon Sep 17 00:00:00 2001 From: salu90 Date: Tue, 29 Sep 2020 10:13:57 +0200 Subject: [PATCH 6/6] Update InternalMonologue.yaml --- Covenant/Data/Tasks/InternalMonologue.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Covenant/Data/Tasks/InternalMonologue.yaml b/Covenant/Data/Tasks/InternalMonologue.yaml index f5109004..1eef0783 100644 --- a/Covenant/Data/Tasks/InternalMonologue.yaml +++ b/Covenant/Data/Tasks/InternalMonologue.yaml @@ -1,8 +1,8 @@ - Name: InternalMonologue Aliases: [] Author: - Name: 'Simone Salucci & Daniel López' - Handle: '@saim1z, @attl4s' + Name: 'Simone Salucci, Daniel López & Sergio Lázaro' + Handle: '@saim1z, @attl4s, @Slazar0' Link: '' Description: Internal Monologue downgrades NetNTLM and invokes a local procedure call to the NTLM authentication package (MSV1_0) with a specific challenge. The responses obtained can be cracked using rainbow tables. Help: