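def get_lsa_key(bootkey):
    """Return the LSA secrets key derived from *bootkey*, or None.

    The XP-era ``PolSecretEncryptionKey`` value is tried first and
    ``PolEKList`` second; the module-level ``xp`` flag is set to 1 or 0
    accordingly so that ``get_secrets``/``get_secret_by_name`` pick the
    matching blob layout.  Returns None when neither key is present or the
    stored value is empty.
    """
    global xp
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolSecretEncryptionKey")

    if r.is_present():
        xp = 1
    else:
        r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolEKList")
        # is_present is a method (it is called as one just above); the bare
        # attribute was always truthy, so an absent PolEKList was never
        # reported via the None return.
        if r.is_present():
            xp = 0
        else:
            return None

    obf_lsa_key = r.get_value("")
    if not obf_lsa_key:
        return None

    if xp:
        md5 = MD5.new()
        md5.update(bootkey)
        # The same 16-byte slice is fed into the hash 1000 times.
        for _ in range(1000):
            md5.update(obf_lsa_key[60:76])
        rc4key = md5.digest()

        rc4 = ARC4.new(rc4key)
        lsa_key = rc4.decrypt(obf_lsa_key[12:60])
        return lsa_key[0x10:0x20]

    lsa_key = decrypt_lsa(obf_lsa_key, bootkey)
    return lsa_key[68:100]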
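def get_secrets():
    """Return a dict mapping each LSA secret name to its decrypted current value.

    Returns None when the ``Secrets`` key is not accessible or the LSA key
    cannot be derived.  Subkeys whose ``CurrVal`` is empty are skipped.  The
    module-level ``xp`` flag set by ``get_lsa_key`` selects between the XP-era
    length-prefixed blob and ``decrypt_lsa2``.
    """
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # is_present is a method (see get_lsa_key); the bare attribute was always
    # truthy, so the "not accessible" branch could never be taken.
    if not r.is_present():
        print(
            "[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets"
        )
        return None
    if not lsakey:
        # Every decrypt below would fail on a None key; report it instead.
        print("[E] Unable to derive the LSA key; cannot decrypt secrets")
        return None

    secrets = {}
    for service_key in r.get_subkeys():
        service_name = service_key.get_name().split("\\")[-1]
        skey = regkey(service_key.get_name() + "\\CurrVal")
        enc_secret = skey.get_value("")
        if not enc_secret:
            continue

        if xp:
            # The leading dword holds the ciphertext length; the ciphertext
            # occupies the tail of the blob.
            enc_size = unpack('<I', enc_secret[:4])[0]
            offset = len(enc_secret) - enc_size
            secret = decrypt_secret(enc_secret[offset:], lsakey)
        else:
            secret = decrypt_lsa2(enc_secret, lsakey)
        secrets[service_name] = secret

    return secrets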
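def get_lsa_key(bootkey):
    """Return the LSA secrets key derived from *bootkey*, or None.

    The XP-era ``PolSecretEncryptionKey`` value is tried first and
    ``PolEKList`` second; the module-level ``xp`` flag is set to 1 or 0
    accordingly so that ``get_secrets``/``get_secret_by_name`` pick the
    matching blob layout.  Returns None when neither key is present or the
    stored value is empty.
    """
    global xp
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolSecretEncryptionKey")

    if r.is_present():
        xp = 1
    else:
        r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolEKList")
        # is_present is a method (it is called as one just above); the bare
        # attribute was always truthy, so an absent PolEKList was never
        # reported via the None return.
        if r.is_present():
            xp = 0
        else:
            return None

    obf_lsa_key = r.get_value("")
    if not obf_lsa_key:
        return None

    if xp:
        md5 = MD5.new()
        md5.update(bootkey)
        # The same 16-byte slice is fed into the hash 1000 times.
        for _ in range(1000):
            md5.update(obf_lsa_key[60:76])
        rc4key = md5.digest()

        rc4 = ARC4.new(rc4key)
        lsa_key = rc4.decrypt(obf_lsa_key[12:60])
        return lsa_key[0x10:0x20]

    lsa_key = decrypt_lsa(obf_lsa_key, bootkey)
    return lsa_key[68:100]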
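    def dumptab_installed_software(self):
        """Print one ``installed_software`` tab line per Uninstall entry.

        Reads the native-view Uninstall key and, when the current process is
        running under WoW64, the 64-bit view (``view=64``) as well.  Entries
        without a ``DisplayName`` are skipped.
        """
        uninstall = regkey(
            'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
        )
        if uninstall.is_present():
            self._dumptab_uninstall_entries(uninstall)

            if process(os.getpid()).is_wow64():
                print '[+] Checking installed software (WoW64 enabled)'
                uninstall = regkey(
                    'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall',
                    view=64)
                if uninstall.is_present():
                    self._dumptab_uninstall_entries(uninstall)

    def _dumptab_uninstall_entries(self, uninstall):
        """Print a tab line for every subkey of *uninstall* that has a DisplayName."""
        for subkey in uninstall.get_subkeys():
            name = subkey.get_value("DisplayName")
            publisher = subkey.get_value("Publisher")
            version = subkey.get_value("DisplayVersion")
            date = subkey.get_value("InstallDate")
            if name:
                print wpc.utils.tab_line("info", "installed_software",
                                         name, publisher, version, date)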
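def get_secrets():
    """Return a dict mapping each LSA secret name to its decrypted current value.

    Returns None when the ``Secrets`` key is not accessible or the LSA key
    cannot be derived.  Subkeys whose ``CurrVal`` is empty are skipped.  The
    module-level ``xp`` flag set by ``get_lsa_key`` selects between the XP-era
    length-prefixed blob and ``decrypt_lsa2``.
    """
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # is_present is a method (see get_lsa_key); the bare attribute was always
    # truthy, so the "not accessible" branch could never be taken.
    if not r.is_present():
        print "[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets"
        return None
    if not lsakey:
        # Every decrypt below would fail on a None key; report it instead.
        print "[E] Unable to derive the LSA key; cannot decrypt secrets"
        return None

    secrets = {}
    for service_key in r.get_subkeys():
        service_name = service_key.get_name().split("\\")[-1]
        skey = regkey(service_key.get_name() + "\\CurrVal")
        enc_secret = skey.get_value("")
        if not enc_secret:
            continue

        if xp:
            # The leading dword holds the ciphertext length; the ciphertext
            # occupies the tail of the blob.
            enc_size = unpack("<I", enc_secret[:4])[0]
            offset = len(enc_secret) - enc_size
            secret = decrypt_secret(enc_secret[offset:], lsakey)
        else:
            secret = decrypt_lsa2(enc_secret, lsakey)
        secrets[service_name] = secret

    return secrets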
    def get_installed_packages(self):
        """Populate ``self.packages`` from the Uninstall registry key and return it.

        On 64-bit Windows (``wpc.conf.on64bitwindows``) the 64-bit registry
        view is read as well and its entries are appended.
        """
        print '[+] Checking installed software'
        uninstall_path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
        self.packages = self._get_packages_from_key(regkey(uninstall_path))

        if wpc.conf.on64bitwindows:
            print '[+] Checking installed software (WoW64 enabled)'
            wow64_key = regkey(uninstall_path, view=64)
            self.packages = self.packages + self._get_packages_from_key(wow64_key)

        return self.packages
    def get_installed_packages(self):
        """Populate ``self.packages`` from the Uninstall registry key and return it.

        On 64-bit Windows (``wpc.conf.on64bitwindows``) the 64-bit registry
        view is read as well and its entries are appended.
        """
        print '[+] Checking installed software'
        uninstall_path = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
        self.packages = self._get_packages_from_key(regkey(uninstall_path))

        if wpc.conf.on64bitwindows:
            print '[+] Checking installed software (WoW64 enabled)'
            wow64_key = regkey(uninstall_path, view=64)
            self.packages = self.packages + self._get_packages_from_key(wow64_key)

        return self.packages
def get_user_name(user_key):
    """Return the account name stored in the SAM ``V`` value of subkey *user_key*.

    The name's offset (adjusted by 0xCC) and length are read from the head
    of the ``V`` blob and the slice is decoded as UTF-16-LE.  No bounds
    check is done: a missing or truncated ``V`` raises from ``unpack``.
    """
    users_root = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\"
    v_blob = regkey(users_root + user_key).get_value("V")

    start = unpack("<L", v_blob[0x0c:0x10])[0] + 0xCC
    end = start + unpack("<L", v_blob[0x10:0x14])[0]

    return v_blob[start:end].decode('utf-16-le')
def get_user_name(user_key):
    """Return the account name stored in the SAM ``V`` value of subkey *user_key*.

    The name's offset (adjusted by 0xCC) and length are read from the head
    of the ``V`` blob and the slice is decoded as UTF-16-LE.  No bounds
    check is done: a missing or truncated ``V`` raises from ``unpack``.
    """
    users_root = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\"
    v_blob = regkey(users_root + user_key).get_value("V")

    start = unpack("<L", v_blob[0x0c:0x10])[0] + 0xCC
    end = start + unpack("<L", v_blob[0x10:0x14])[0]

    return v_blob[start:end].decode('utf-16-le')
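 def dump_reg_keys(self):
     """Print the data of every registry value listed in ``wpc.conf.reg_keys``.

     Each entry maps a check name to a full ``key\\value`` path: the last
     backslash-separated component is the value name, the rest is the key.
     """
     for check, key in wpc.conf.reg_keys.items():
         key_a = key.split('\\')
         value = key_a.pop()
         key_s = '\\'.join(key_a)
         rk = regkey(key_s)
         # is_present is a method elsewhere in this file; the bare attribute
         # was always truthy, so absent keys were queried anyway.
         if rk.is_present():
             v = rk.get_value(value)  # an empty value name appears as "(Default)" in regedit
             print "Check: \"%s\", Key: %s, Value: %s, Data: %s" % (check, key_s, value, v)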
def get_secret_by_name(name, lsakey):
    """Decrypt and return the current value of LSA secret *name*, or None.

    Returns None when the secret's ``CurrVal`` key is absent.  The
    module-level ``xp`` flag (set by ``get_lsa_key``) selects the XP-era
    layout, where the ciphertext starts at offset 0xC, versus the
    ``decrypt_lsa2`` path.  *name* is interpolated into the key path as-is.
    """
    currval = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" % name)
    if not currval.is_present():
        return None

    enc_secret = currval.get_value("")
    if xp:
        return decrypt_secret(enc_secret[0xC:], lsakey)
    return decrypt_lsa2(enc_secret, lsakey)
def get_secret_by_name(name, lsakey):
    """Decrypt and return the current value of LSA secret *name*, or None.

    Returns None when the secret's ``CurrVal`` key is absent.  The
    module-level ``xp`` flag (set by ``get_lsa_key``) selects the XP-era
    layout, where the ciphertext starts at offset 0xC, versus the
    ``decrypt_lsa2`` path.  *name* is interpolated into the key path as-is.
    """
    currval = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" % name)
    if not currval.is_present():
        return None

    enc_secret = currval.get_value("")
    if xp:
        return decrypt_secret(enc_secret[0xC:], lsakey)
    return decrypt_lsa2(enc_secret, lsakey)
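 def dumptab_installed_software(self):
     """Print one ``installed_software`` tab line per Uninstall entry.

     Reads the native-view Uninstall key and, when the current process is
     running under WoW64, the 64-bit view (``view=64``) as well.  Entries
     without a ``DisplayName`` are skipped.
     """
     uninstall = regkey('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall')
     if uninstall.is_present():
         self._dumptab_uninstall_entries(uninstall)

         if process(os.getpid()).is_wow64():
             print '[+] Checking installed software (WoW64 enabled)'
             uninstall = regkey('HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall', view=64)
             if uninstall.is_present():
                 self._dumptab_uninstall_entries(uninstall)

 def _dumptab_uninstall_entries(self, uninstall):
     """Print a tab line for every subkey of *uninstall* that has a DisplayName."""
     for subkey in uninstall.get_subkeys():
         name = subkey.get_value("DisplayName")
         publisher = subkey.get_value("Publisher")
         version = subkey.get_value("DisplayVersion")
         date = subkey.get_value("InstallDate")
         if name:
             print wpc.utils.tab_line("info", "installed_software", name, publisher, version, date)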
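def get_bootkey():
    """Return the boot key assembled from the four Lsa class-name values.

    The class data of ``JD``, ``Skew1``, ``GBG`` and ``Data`` under the
    current ControlSet (hex text) is decoded, concatenated and then
    reordered with the module-level permutation table ``p``.
    """
    cs = find_control_set()

    # Python 2 str: .decode('hex') turns the hex class data into raw bytes.
    bootkey = "".join(
        get_hklm_class("SYSTEM\\ControlSet%03d\\Control\\Lsa\\%s" % (cs, lk)).decode('hex')
        for lk in ("JD", "Skew1", "GBG", "Data"))

    # p[i] gives the source index for output byte i; p must cover len(bootkey).
    return "".join(bootkey[p[i]] for i in range(len(bootkey)))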
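def get_bootkey():
    """Return the boot key assembled from the four Lsa class-name values.

    The class data of ``JD``, ``Skew1``, ``GBG`` and ``Data`` under the
    current ControlSet (hex text) is decoded, concatenated and then
    reordered with the module-level permutation table ``p``.
    """
    cs = find_control_set()

    # Python 2 str: .decode('hex') turns the hex class data into raw bytes.
    bootkey = "".join(
        get_hklm_class("SYSTEM\\ControlSet%03d\\Control\\Lsa\\%s" % (cs, lk)).decode('hex')
        for lk in ("JD", "Skew1", "GBG", "Data"))

    # p[i] gives the source index for output byte i; p must cover len(bootkey).
    return "".join(bootkey[p[i]] for i in range(len(bootkey)))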
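def get_secret_by_name(name, lsakey):
    """Decrypt and return the current value of LSA secret *name*, or None.

    Returns None when the secret's ``CurrVal`` key is absent or empty.  The
    module-level ``xp`` flag (set by ``get_lsa_key``) selects the XP-era
    layout versus the ``decrypt_lsa2`` path.  *name* is interpolated into
    the key path as-is.
    """
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" % name)
    if not r.is_present():
        return None

    enc_secret = r.get_value("")
    if not enc_secret:
        # Slicing None below would raise; treat an empty value like an absent key.
        return None

    if xp:
        # NOTE(review): get_secrets() locates the ciphertext from the length
        # dword at the start of the blob (offset = len - size), whereas this
        # function slices from 0xC; the two agree only when the blob is exactly
        # 12 header bytes plus the ciphertext.  The length-based result used to
        # be computed here and then discarded, so the 0xC slice is what callers
        # have always received -- confirm which layout is correct.
        return decrypt_secret(enc_secret[0xC:], lsakey)
    return decrypt_lsa2(enc_secret, lsakey)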
def get_hbootkey(bootkey):
    """Return the hashed boot key derived from the SAM ``F`` value, or None.

    None is returned when the Account domain's ``F`` value is missing.  The
    RC4 key is the MD5 of a slice of F joined with the module-level
    constants ``aqwerty`` and ``anum`` and with *bootkey*.
    """
    account = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account")
    f_value = account.get_value("F")
    if not f_value:
        return None

    digest = MD5.new()
    digest.update(f_value[0x70:0x80] + aqwerty + bootkey + anum)
    cipher = ARC4.new(digest.digest())
    return cipher.encrypt(f_value[0x80:0xA0])
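def get_user_hashes(user_key, hbootkey):
    """Return the decrypted LM/NT hashes for the SAM user subkey *user_key*.

    *user_key* is the hex RID used as the subkey name.  The header of the
    ``V`` blob gives the hash area offset (adjusted by 0xCC); a length field
    of 20 is taken to mean the LM or NT hash is present.  An absent hash is
    passed to ``decrypt_hashes`` as "".  A missing or truncated ``V`` raises
    from ``unpack``.
    """
    rid = int(user_key, 16)
    r = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\" + user_key)
    V = r.get_value("V")

    hash_offset = unpack("<L", V[0x9c:0x9c + 4])[0] + 0xCC

    lm_exists = unpack("<L", V[0x9c + 4:0x9c + 8])[0] == 20
    nt_exists = unpack("<L", V[0x9c + 16:0x9c + 20])[0] == 20

    enc_lm_hash = V[hash_offset + 4:hash_offset + 20] if lm_exists else ""
    # The NT hash sits after the LM hash when one is present, else closer to the start.
    nt_start = hash_offset + (24 if lm_exists else 8)
    enc_nt_hash = V[nt_start:nt_start + 16] if nt_exists else ""

    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)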
def get_hbootkey(bootkey):
    """Return the hashed boot key derived from the SAM ``F`` value, or None.

    None is returned when the Account domain's ``F`` value is missing.  The
    RC4 key is the MD5 of a slice of F joined with the module-level
    constants ``aqwerty`` and ``anum`` and with *bootkey*.
    """
    account = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account")
    f_value = account.get_value("F")
    if not f_value:
        return None

    digest = MD5.new()
    digest.update(f_value[0x70:0x80] + aqwerty + bootkey + anum)
    cipher = ARC4.new(digest.digest())
    return cipher.encrypt(f_value[0x80:0xA0])
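def get_secret_by_name(name, lsakey):
    """Decrypt and return the current value of LSA secret *name*, or None.

    Returns None when the secret's ``CurrVal`` key is absent or empty.  The
    module-level ``xp`` flag (set by ``get_lsa_key``) selects the XP-era
    layout versus the ``decrypt_lsa2`` path.  *name* is interpolated into
    the key path as-is.
    """
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" %
               name)
    if not r.is_present():
        return None

    enc_secret = r.get_value("")
    if not enc_secret:
        # Slicing None below would raise; treat an empty value like an absent key.
        return None

    if xp:
        # NOTE(review): get_secrets() locates the ciphertext from the length
        # dword at the start of the blob (offset = len - size), whereas this
        # function slices from 0xC; the two agree only when the blob is exactly
        # 12 header bytes plus the ciphertext.  The length-based result used to
        # be computed here and then discarded, so the 0xC slice is what callers
        # have always received -- confirm which layout is correct.
        return decrypt_secret(enc_secret[0xC:], lsakey)
    return decrypt_lsa2(enc_secret, lsakey)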
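def lookup_files_for_clsid(clsid):
    """Return ``[regkey, subkey_name, File]`` triples for the servers registered under *clsid*.

    Checks the InprocServer/InprocServer32/LocalServer/LocalServer32 subkeys
    of HKLM\\SOFTWARE\\Classes\\CLSID\\<clsid>; the "(Default)" value of each
    present subkey is environment-expanded and wrapped in ``File``.  Subkeys
    that are absent or have an empty default value contribute nothing.
    """
    results = []
    # Potentially interesting subkeys of clsids are listed here:
    # http://msdn.microsoft.com/en-us/library/windows/desktop/ms691424(v=vs.85).aspx

    for v in ("InprocServer", "InprocServer32", "LocalServer", "LocalServer32"):
        r = regkey("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + clsid + "\\" + v)
        # is_present is a method (see get_lsa_key); the bare attribute was
        # always truthy, so absent subkeys were queried for a default value.
        if r.is_present():
            d = r.get_value("")  # "(Default)" value
            if d:
                results.append([r, v, File(env_expand(d))])

    return results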
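def dump_hashes():
    """Return ``(username, domain, domain_name, hash)`` tuples from HKLM\\SECURITY\\Cache.

    Returns [] as soon as a prerequisite is unavailable: the boot key, the
    LSA key, the NL$KM key or the Cache key itself.  The ``NL$Control`` value
    and entries whose username length is zero are skipped.
    """
    bootkey = get_bootkey()
    if not bootkey:
        return []

    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        return []

    nlkm = get_nlkm(lsakey)
    if not nlkm:
        return []

    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not r.is_present():
        return []

    # The OS generation does not change between entries, so probe it once
    # instead of once per cache value.
    global xp
    xp = isXp()
    decrypt = decrypt_hash if xp else decrypt_hash_vista

    hashes = []
    for v in r.get_values():
        if v == "NL$Control":
            continue

        data = r.get_value(v)
        (uname_len, domain_len, domain_name_len,
         enc_data, ch) = parse_cache_entry(data)

        # Skip if nothing in this cache entry
        if uname_len == 0:
            continue

        dec_data = decrypt(enc_data, nlkm, ch)

        # hash_value rather than hash: avoid shadowing the builtin.
        (username, domain, domain_name,
         hash_value) = parse_decrypted_cache(dec_data, uname_len,
                                             domain_len, domain_name_len)

        hashes.append((username, domain, domain_name, hash_value))

    return hashes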
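def get_user_hashes(user_key, hbootkey):
    """Return the decrypted LM/NT hashes for the SAM user subkey *user_key*.

    *user_key* is the hex RID used as the subkey name.  The header of the
    ``V`` blob gives the hash area offset (adjusted by 0xCC); a length field
    of 20 is taken to mean the LM or NT hash is present.  An absent hash is
    passed to ``decrypt_hashes`` as "".  A missing or truncated ``V`` raises
    from ``unpack``.
    """
    rid = int(user_key, 16)
    r = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\" +
               user_key)
    V = r.get_value("V")

    hash_offset = unpack("<L", V[0x9c:0x9c + 4])[0] + 0xCC

    lm_exists = unpack("<L", V[0x9c + 4:0x9c + 8])[0] == 20
    nt_exists = unpack("<L", V[0x9c + 16:0x9c + 20])[0] == 20

    enc_lm_hash = V[hash_offset + 4:hash_offset + 20] if lm_exists else ""
    # The NT hash sits after the LM hash when one is present, else closer to the start.
    nt_start = hash_offset + (24 if lm_exists else 8)
    enc_nt_hash = V[nt_start:nt_start + 16] if nt_exists else ""

    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)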
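def lookup_files_for_clsid(clsid):
    """Return ``[regkey, subkey_name, File]`` triples for the servers registered under *clsid*.

    Checks the InprocServer/InprocServer32/LocalServer/LocalServer32 subkeys
    of HKLM\\SOFTWARE\\Classes\\CLSID\\<clsid>; the "(Default)" value of each
    present subkey is environment-expanded and wrapped in ``File``.  Subkeys
    that are absent or have an empty default value contribute nothing.
    """
    results = []
    # Potentially interesting subkeys of clsids are listed here:
    # http://msdn.microsoft.com/en-us/library/windows/desktop/ms691424(v=vs.85).aspx

    for v in ("InprocServer", "InprocServer32", "LocalServer",
              "LocalServer32"):
        r = regkey("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + clsid +
                   "\\" + v)
        # is_present is a method (see get_lsa_key); the bare attribute was
        # always truthy, so absent subkeys were queried for a default value.
        if r.is_present():
            d = r.get_value("")  # "(Default)" value
            if d:
                results.append([r, v, File(env_expand(d))])

    return results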
def dump_hashes():
    """Return ``(username, domain, domain_name, hash)`` tuples from HKLM\\SECURITY\\Cache.

    Returns [] as soon as a prerequisite is unavailable: the boot key, the
    LSA key, the NL$KM key or the Cache key itself.  The ``NL$Control`` value
    and entries whose username length is zero are skipped.
    """
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey) if bootkey else None
    nlkm = get_nlkm(lsakey) if lsakey else None
    if not nlkm:
        return []

    cache = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not cache.is_present():
        return []

    results = []
    for value_name in cache.get_values():
        if value_name == "NL$Control":
            continue

        entry = parse_cache_entry(cache.get_value(value_name))
        uname_len, domain_len, domain_name_len, enc_data, ch = entry
        # An entry with no username carries nothing worth decrypting.
        if uname_len == 0:
            continue

        decrypted = decrypt_hash(enc_data, nlkm, ch)
        username, domain, domain_name, hash_value = parse_decrypted_cache(
            decrypted, uname_len, domain_len, domain_name_len)
        results.append((username, domain, domain_name, hash_value))

    return results
def dump_hashes():
    """Return ``(username, domain, domain_name, hash)`` tuples from HKLM\\SECURITY\\Cache.

    Returns [] as soon as a prerequisite is unavailable: the boot key, the
    LSA key, the NL$KM key or the Cache key itself.  The ``NL$Control`` value
    and entries whose username length is zero are skipped.
    """
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey) if bootkey else None
    nlkm = get_nlkm(lsakey) if lsakey else None
    if not nlkm:
        return []

    cache = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not cache.is_present():
        return []

    results = []
    for value_name in cache.get_values():
        if value_name == "NL$Control":
            continue

        entry = parse_cache_entry(cache.get_value(value_name))
        uname_len, domain_len, domain_name_len, enc_data, ch = entry
        # An entry with no username carries nothing worth decrypting.
        if uname_len == 0:
            continue

        decrypted = decrypt_hash(enc_data, nlkm, ch)
        username, domain, domain_name, hash_value = parse_decrypted_cache(
            decrypted, uname_len, domain_len, domain_name_len)
        results.append((username, domain, domain_name, hash_value))

    return results
 def get_reg_key(self):
     """Return the Services registry key for this service, creating it on first use.

     The ``regkey`` object is cached in ``self.reg_key`` and reused afterwards.
     """
     if self.reg_key:
         return self.reg_key
     services_root = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
     self.reg_key = regkey(services_root + self.get_name())
     return self.reg_key
def find_control_set():
    """Return the ``Current`` value of HKLM\\SYSTEM\\Select, i.e. the active ControlSet number."""
    select_key = regkey("HKEY_LOCAL_MACHINE\\SYSTEM\\Select")
    return select_key.get_value("Current")
 def dump_registry(self):
     """Print every subkey under HKLM as text, one per line."""
     hklm = regkey('HKLM')
     for subkey in hklm.get_all_subkeys():
         print subkey.as_text()
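def define_trusted_principals(options):
    """Populate the privilege-escalation trust settings in ``wpc.conf`` from *options*.

    Selects one of two modes:

    * ``exploitable_by`` -- when ``options.exploitable_by_list``,
      ``options.exploitable_by_file`` or ``options.exploitable_by_me`` name
      any principals, those are resolved into ``wpc.conf.exploitable_by``
      and the function returns early.
    * ``report_untrusted`` -- otherwise ``wpc.conf.trusted_principals`` is
      built from ``wpc.conf.trusted_principals_fq``, extended either by the
      explicit ``ignore_principal_list``/``ignore_principal_file`` entries
      or, when none are given, by the TERMINAL SERVER USER / Power Users
      heuristics below.

    Calls ``sys.exit()`` when a list file cannot be read or the current
    process token cannot be examined.
    """
    exploitable_by_fq = []
    ignore_principals = []
    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_name_list(options.exploitable_by_file)
        except Exception:
            # Same attribute as the guard above; the message used to read
            # options.exploitablebyfile, which raised while reporting the error.
            print "[E] Error reading from file %s" % options.exploitable_by_file
            sys.exit()
    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # Same attribute as the guard above: the old spelling
            # (ignoreprincipalfile) raised AttributeError, which the bare
            # except then reported as a file read error.
            ignore_principals = ignore_principals + _read_name_list(options.ignore_principal_file)
        except Exception:
            print "[E] Error reading from file %s" % options.ignore_principal_file
            sys.exit()

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            p = process(os.getpid())
            wpc.conf.exploitable_by.append(p.get_token().get_token_owner())
            for g in p.get_token().get_token_groups():
                # Deny-only group SIDs cannot grant access, so they are not
                # counted as "exploitable by".
                if "|".join(g[1]).find("USE_FOR_DENY_ONLY") == -1:
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print "[E] Problem examining access token of current process"
            sys.exit()

    # check each of the supplied users in exploitable_by and exploitable_by resolve
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        _append_resolved_principals(exploitable_by_fq, wpc.conf.exploitable_by)

        print "Only reporting privesc issues for these users/groups:"
        for p in wpc.conf.exploitable_by:
            print "* " + p.get_fq_name()
        return
    else:
        wpc.conf.privesc_mode = "report_untrusted"

    # if user has specified list of trusted users, use only their list
    if ignore_principals:
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # otherwise the user has not specified a list of trusted users.  we intelligently tweak the list.
        # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
        # See http://support.microsoft.com/kb/238965 for details
        r = regkey(
            r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server"
        )

        if r.is_present():
            v = r.get_value("TSUserEnabled")
            if v is None:
                print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
            elif v != 0:
                print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
                wpc.conf.trusted_principals_fq.append(
                    "NT AUTHORITY\TERMINAL SERVER USER")
            else:
                print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
        else:
            print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
        print

        # TODO we only want to ignore this if it doesn't resolve
        # Server Operators group (S-1-5-32-549)
        try:
            Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
        except Exception:
            # NOTE(review): when the SID does not resolve there is no Group
            # object to add; the old handler appended `p`, which is unbound
            # on this code path and raised NameError.
            pass

        # TODO this always ignored power users.  not what we want.
        # only want to ignore when group doesn't exist.
        try:
            p = Group(win32security.ConvertStringSidToSid("S-1-5-32-547"))
            wpc.conf.trusted_principals.append(p)
        except Exception:
            pass

    # populate wpc.conf.trusted_principals with the objects corresponding to trusted_principals_fq
    _append_resolved_principals(wpc.conf.trusted_principals_fq, wpc.conf.trusted_principals)

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print


def _read_name_list(path):
    """Return the stripped lines of the text file *path*; the handle is closed on return."""
    with open(path) as f:
        return [line.strip() for line in f]


def _append_resolved_principals(names, target):
    """Resolve each account name in *names* and append the Group/user object to *target*.

    A name whose SID comes back empty is reported with "[E] can't look up
    sid"; any lookup or construction error skips that name (best effort).
    """
    for t in names:
        try:
            sid, _, _ = win32security.LookupAccountName(
                wpc.conf.remote_server, t)
            if sid:
                p = principal(sid)
                # Wrap the generic principal in its concrete Group/user type.
                if p.is_group_type():
                    p = Group(p.get_sid())
                else:
                    p = user(p.get_sid())
                target.append(p)
            else:
                print "[E] can't look up sid for " + t
        except Exception:
            pass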
def get_user_keys():
    """Yield the leaf name of each SAM user subkey, skipping the ``Names`` subkey."""
    users = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users")
    for subkey in users.get_subkeys():
        leaf = subkey.get_name().split("\\")[-1]
        if leaf != "Names":
            yield leaf
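def isXp():
    """Return True when the XP-era ``PolSecretEncryptionKey`` value exists under SECURITY\\Policy."""
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolSecretEncryptionKey")
    # bool() keeps the True/False contract whatever is_present() returns.
    return bool(r.is_present())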
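def define_trusted_principals():
    """Resolve ``wpc.conf.trusted_principals_fq`` into objects in ``wpc.conf.trusted_principals``.

    "NT AUTHORITY\\TERMINAL SERVER USER" is added to the fully-qualified list
    only when the Terminal Server ``TSUserEnabled`` value exists and is
    non-zero (see http://support.microsoft.com/kb/238965).  Names that cannot
    be looked up are reported and skipped.  The Power Users group
    (S-1-5-32-547) is appended whenever it resolves; see the TODO below.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
    # See http://support.microsoft.com/kb/238965 for details
    r = regkey(
        r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")

    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append(
                "NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    else:
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    print

    for t in wpc.conf.trusted_principals_fq:
        try:
            sid, _, _ = win32security.LookupAccountName(
                wpc.conf.remote_server, t)
            if sid:
                p = principal(sid)
                # Wrap the generic principal in its concrete Group/user type.
                if p.is_group_type():
                    p = Group(p.get_sid())
                else:
                    p = user(p.get_sid())

                wpc.conf.trusted_principals.append(p)

            else:
                print "[E] can't look up sid for " + t
        except Exception:
            # Lookup or construction errors skip the name (best effort).
            pass

    # TODO we only want to ignore this if it doesn't resolve
    # Server Operators group (S-1-5-32-549)
    try:
        Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
    except Exception:
        # NOTE(review): when the SID does not resolve there is no Group
        # object to add; the old handler appended `p`, which here was either
        # unbound or the last principal of the loop above (a duplicate).
        pass

    # TODO this always ignored power users.  not what we want.
    # only want to ignore when group doesn't exist.
    try:
        p = Group(win32security.ConvertStringSidToSid("S-1-5-32-547"))
        wpc.conf.trusted_principals.append(p)
    except Exception:
        pass

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print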
 def get_reg_key(self):
     """Return the Services registry key for this service, creating it on first use.

     The ``regkey`` object is cached in ``self.reg_key`` and reused afterwards.
     """
     if self.reg_key:
         return self.reg_key
     services_root = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
     self.reg_key = regkey(services_root + self.get_name())
     return self.reg_key
def get_user_keys():
    """Yield the leaf name of each SAM user subkey, skipping the ``Names`` subkey."""
    users = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users")
    for subkey in users.get_subkeys():
        leaf = subkey.get_name().split("\\")[-1]
        if leaf != "Names":
            yield leaf
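def define_trusted_principals():
    """Resolve ``wpc.conf.trusted_principals_fq`` into objects in ``wpc.conf.trusted_principals``.

    "NT AUTHORITY\\TERMINAL SERVER USER" is added to the fully-qualified list
    only when the Terminal Server ``TSUserEnabled`` value exists and is
    non-zero (see http://support.microsoft.com/kb/238965).  Names that cannot
    be looked up are reported and skipped.  The Power Users group
    (S-1-5-32-547) is appended whenever it resolves; see the TODO below.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0 or doesn't exist
    # See http://support.microsoft.com/kb/238965 for details
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")

    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print "[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER"
        elif v != 0:
            print "[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v
            wpc.conf.trusted_principals_fq.append("NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print "[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER"
    else:
        print "[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER"
    print

    for t in wpc.conf.trusted_principals_fq:
        try:
            sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, t)
            if sid:
                p = principal(sid)
                # Wrap the generic principal in its concrete Group/user type.
                if p.is_group_type():
                    p = Group(p.get_sid())
                else:
                    p = user(p.get_sid())

                wpc.conf.trusted_principals.append(p)

            else:
                print "[E] can't look up sid for " + t
        except Exception:
            # Lookup or construction errors skip the name (best effort).
            pass

    # TODO we only want to ignore this if it doesn't resolve
    # Server Operators group (S-1-5-32-549)
    try:
        Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
    except Exception:
        # NOTE(review): when the SID does not resolve there is no Group
        # object to add; the old handler appended `p`, which here was either
        # unbound or the last principal of the loop above (a duplicate).
        pass

    # TODO this always ignored power users.  not what we want.
    # only want to ignore when group doesn't exist.
    try:
        p = Group(win32security.ConvertStringSidToSid("S-1-5-32-547"))
        wpc.conf.trusted_principals.append(p)
    except Exception:
        pass

    print "Considering these users to be trusted:"
    for p in wpc.conf.trusted_principals:
        print "* " + p.get_fq_name()
    print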
def find_control_set():
    """Return the ``Current`` value of HKLM\\SYSTEM\\Select, i.e. the active ControlSet number."""
    select_key = regkey("HKEY_LOCAL_MACHINE\\SYSTEM\\Select")
    return select_key.get_value("Current")
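def _read_principal_list(path):
    """Return the non-blank, stripped lines of *path* as a list of names.

    Each line is one fully-qualified principal name, in the same form the
    command-line list options accept. Blank lines are dropped since they
    could never resolve. IOError/OSError from opening the file propagates;
    the caller reports it.
    """
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def _resolve_principal(name):
    """Resolve *name* to a Group or user object, or return None.

    The lookup goes through win32security.LookupAccountName against
    wpc.conf.remote_server. An unknown name, an empty SID, or any failure
    while constructing the principal object prints an [E] line and yields
    None so a single bad entry never aborts the whole configuration step
    (the inline loops this replaces swallowed such errors silently).
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print("[E] can't look up sid for " + name)
            return None
        p = principal(sid)
        # Group and user expose the same get_fq_name() the callers print.
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception:
        print("[E] can't resolve principal " + name)
        return None


def _apply_default_trust_heuristics():
    """Extend wpc.conf's trusted lists with the built-in defaults.

    Used only when the user supplied no ignore list. Adds
    "NT AUTHORITY\\TERMINAL SERVER USER" to trusted_principals_fq when the
    TSUserEnabled value is present and non-zero (see
    http://support.microsoft.com/kb/238965), the Server Operators group
    (S-1-5-32-549) to trusted_principals when it resolves on this host, and
    the Power Users group (S-1-5-32-547) likewise.
    """
    r = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")

    if r.is_present():
        v = r.get_value("TSUserEnabled")
        if v is None:
            print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
        elif v != 0:
            print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
    else:
        print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
    print("")

    # Server Operators only exists on some hosts. The earlier version
    # appended inside the *except* branch, which both inverted the intent
    # stated in its TODO ("only ignore when it resolves") and could raise
    # NameError on an unbound 'p'; the append now sits on the success path.
    try:
        wpc.conf.trusted_principals.append(Group(win32security.ConvertStringSidToSid("S-1-5-32-549")))
    except Exception:
        pass

    # TODO this always treats Power Users as trusted; the original author
    # wanted that only when the group does not exist. Behaviour kept as-is.
    try:
        wpc.conf.trusted_principals.append(Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass


def define_trusted_principals(options):
    """Populate wpc.conf's trust settings from the parsed command-line *options*.

    One of two mutually exclusive modes is selected:

    * ``exploitable_by``: when principals were named via
      ``options.exploitable_by_list`` / ``options.exploitable_by_file``, or
      ``options.exploitable_by_me`` asked for the current process token,
      wpc.conf.exploitable_by is filled, wpc.conf.privesc_mode is set to
      "exploitable_by" and the function returns early.
    * ``report_untrusted``: otherwise wpc.conf.trusted_principals_fq is
      extended with the user's ignore list (``options.ignore_principal_list``
      / ``options.ignore_principal_file``; ``options.ignorenoone`` first
      clears the built-in list) or, when none was given, with the default
      heuristics, and every name is resolved into wpc.conf.trusted_principals.

    Note that every principal on the trusted list suppresses findings, so an
    over-broad ignore list hides real privilege-escalation paths.

    Calls sys.exit() when a supplied file cannot be read or the current
    token cannot be examined, as before.
    """
    exploitable_by_fq = []
    ignore_principals = []
    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_principal_list(options.exploitable_by_file)
        except (IOError, OSError):
            # The error message previously read options.exploitablebyfile,
            # a different attribute from the one tested above.
            print("[E] Error reading from file %s" % options.exploitable_by_file)
            sys.exit()
    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # Previously read options.ignoreprincipalfile here although the
            # guard tests options.ignore_principal_file; use one spelling.
            ignore_principals = ignore_principals + _read_principal_list(options.ignore_principal_file)
        except (IOError, OSError):
            print("[E] Error reading from file %s" % options.ignore_principal_file)
            sys.exit()

    # examine token, populate exploitable_by
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # Deny-only group SIDs never grant access, so they are not
                # an identity this process can act as.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print("[E] Problem examining access token of current process")
            sys.exit()

    # check each of the supplied users in exploitable_by and exploitable_by resolve
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for name in exploitable_by_fq:
            p = _resolve_principal(name)
            if p is not None:
                wpc.conf.exploitable_by.append(p)

        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"

    # if user has specified list of trusted users, use only their list
    if ignore_principals:
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # otherwise the user has not specified a list of trusted users.  we intelligently tweak the list.
        _apply_default_trust_heuristics()

    # populate wpc.conf.trusted_principals with the objects corresponding to trusted_principals_fq
    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")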