    def plaintext_login(self, username, password):
        """Authenticate to the current host with a cleartext password.

        With ``self.args.mssql`` set, ``self.conn.login`` is called with
        Windows authentication and any result other than ``True`` is a
        failure (the server replies are printed and ``False`` returned);
        otherwise the SMB-style ``login(username, password, domain)`` is used
        and a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'plaintext' via ``self.db`` and, when
        ``check_if_admin`` has set ``self.admin_privs``, links it to
        ``self.host``.

        NOTE: the cleartext password is written to the logger on both the
        success and the error path and persisted unhashed in the database,
        so log sinks and the DB file contain live credentials.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        try:
            if self.args.mssql:
                ok = self.conn.login(None, username, password, self.domain, None, True)
                if ok is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, password, self.domain)

            self.username = username
            self.password = password
            self.check_if_admin()
            self.db.add_credential('plaintext', self.domain, username, password)
            if self.admin_privs:
                self.db.link_cred_to_host('plaintext', self.domain, username, password, self.host)

            domain_s = self.domain.decode('utf-8')
            user_s = username.decode('utf-8')
            pass_s = password.decode('utf-8')
            tag = highlight('(Pwn3d!)') if self.admin_privs else ''
            self.logger.success(u'{}\\{}:{} {}'.format(domain_s, user_s, pass_s, tag))
            return True
        except SessionError as e:
            error, desc = e.getErrorString()
            # the error description is only appended when self.args.verbose is set
            detail = '({})'.format(desc) if self.args.verbose else ''
            self.logger.error(u'{}\\{}:{} {} {}'.format(self.domain.decode('utf-8'),
                                                        username.decode('utf-8'),
                                                        password.decode('utf-8'),
                                                        error, detail))
            return False
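    def plaintext_login(self, username, password):
        """Authenticate to the current host with a cleartext password.

        With ``self.args.mssql`` set, ``self.conn.login`` is called with
        Windows authentication and any result other than ``True`` is a
        failure (the server replies are printed and ``False`` returned);
        otherwise the SMB-style ``login(username, password, domain)`` is used
        and a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'plaintext' via ``self.db``.

        NOTE: the cleartext password is written to the logger on both the
        success and the error path and persisted unhashed in the database,
        so log sinks and the DB file contain live credentials.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        try:
            if self.args.mssql:
                res = self.conn.login(None, username, password, self.domain, None, True)
                if res is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, password, self.domain)

            self.password = password
            self.username = username
            self.check_if_admin()
            self.db.add_credential('plaintext', self.domain, username, password)

            out = u'{}\\{}:{} {}'.format(self.domain,
                                         username,
                                         password,
                                         highlight('(Pwn3d!)') if self.admin_privs else '')

            self.logger.success(out)
            return True
        except SessionError as e:
            # str(e) is normally '<prefix>: <detail>'; fall back to the whole
            # message instead of raising IndexError when no ':' is present,
            # which would otherwise abort the login attempt with a traceback.
            parts = str(e).split(':')
            detail = parts[1] if len(parts) > 1 else parts[0]
            self.logger.error(u'{}\\{}:{} {}'.format(self.domain, username, password, detail))
            return False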
    def plaintext_login(self, username, password):
        """Authenticate to the current host with a cleartext password.

        With ``self.args.mssql`` set, ``self.conn.login`` is called with
        Windows authentication and any result other than ``True`` is a
        failure (the server replies are printed and ``False`` returned);
        otherwise the SMB-style ``login(username, password, domain)`` is used
        and a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'plaintext' via ``self.db`` and, when
        ``check_if_admin`` has set ``self.admin_privs``, links it to
        ``self.host``.

        NOTE: the cleartext password is written to the logger on both the
        success and the error path and persisted unhashed in the database,
        so log sinks and the DB file contain live credentials.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        try:
            if self.args.mssql:
                ok = self.conn.login(None, username, password, self.domain, None, True)
                if ok is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, password, self.domain)

            self.username = username
            self.password = password
            self.check_if_admin()
            self.db.add_credential('plaintext', self.domain, username, password)
            if self.admin_privs:
                self.db.link_cred_to_host('plaintext', self.domain, username, password, self.host)

            domain_s = self.domain.decode('utf-8')
            user_s = username.decode('utf-8')
            pass_s = password.decode('utf-8')
            tag = highlight('(Pwn3d!)') if self.admin_privs else ''
            self.logger.success(u'{}\\{}:{} {}'.format(domain_s, user_s, pass_s, tag))
            return True
        except SessionError as e:
            error, desc = e.getErrorString()
            # the error description is only appended when self.args.verbose is set
            detail = '({})'.format(desc) if self.args.verbose else ''
            self.logger.error(u'{}\\{}:{} {} {}'.format(self.domain.decode('utf-8'),
                                                        username.decode('utf-8'),
                                                        password.decode('utf-8'),
                                                        error, detail))
            return False
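    def hash_login(self, username, ntlm_hash):
        """Authenticate to the current host with an NTLM hash.

        ``ntlm_hash`` may be given as 'LM:NT' or as a bare NT hash. With
        ``self.args.mssql`` set, ``self.conn.login`` is called with Windows
        authentication and any result other than ``True`` is a failure (the
        server replies are printed and ``False`` returned); otherwise the
        SMB-style ``login(username, '', domain, lmhash, nthash)`` is used and
        a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'hash' via ``self.db``.

        NOTE: the hash is a password-equivalent credential for NTLM
        authentication; it is written to the logger on both paths and
        persisted in the database.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        # Accept a bare NT hash as well as 'LM:NT'; previously an input
        # without ':' raised ValueError from the tuple unpack. An empty LM
        # half is passed through to the connection unchanged.
        if ':' in ntlm_hash:
            lmhash, nthash = ntlm_hash.split(':', 1)
        else:
            lmhash, nthash = '', ntlm_hash
        try:
            if self.args.mssql:
                # impacket's MSSQL login splits its hashes argument on ':', so
                # always hand it the normalized 'LM:NT' form
                res = self.conn.login(None, username, '', self.domain,
                                      '{}:{}'.format(lmhash, nthash), True)
                if res is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, '', self.domain, lmhash, nthash)

            self.hash = ntlm_hash
            self.username = username
            self.check_if_admin()
            self.db.add_credential('hash', self.domain, username, ntlm_hash)

            out = u'{}\\{} {} {}'.format(self.domain,
                                         username,
                                         ntlm_hash,
                                         highlight('(Pwn3d!)') if self.admin_privs else '')

            self.logger.success(out)
            return True
        except SessionError as e:
            # str(e) is normally '<prefix>: <detail>'; fall back to the whole
            # message instead of raising IndexError when no ':' is present.
            parts = str(e).split(':')
            detail = parts[1] if len(parts) > 1 else parts[0]
            self.logger.error(u'{}\\{} {} {}'.format(self.domain, username, ntlm_hash, detail))
            return False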
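    def hash_login(self, username, ntlm_hash):
        """Authenticate to the current host with an NTLM hash.

        ``ntlm_hash`` may be given as 'LM:NT' or as a bare NT hash. With
        ``self.args.mssql`` set, ``self.conn.login`` is called with Windows
        authentication and any result other than ``True`` is a failure (the
        server replies are printed and ``False`` returned); otherwise the
        SMB-style ``login(username, '', domain, lmhash, nthash)`` is used and
        a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'hash' via ``self.db`` and, when
        ``check_if_admin`` has set ``self.admin_privs``, links it to
        ``self.host``.

        NOTE: the hash is a password-equivalent credential for NTLM
        authentication; it is written to the logger on both paths and
        persisted in the database.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        # Accept a bare NT hash as well as 'LM:NT'; previously an input
        # without ':' raised ValueError from the tuple unpack. An empty LM
        # half is passed through to the connection unchanged.
        if ':' in ntlm_hash:
            lmhash, nthash = ntlm_hash.split(':', 1)
        else:
            lmhash, nthash = '', ntlm_hash
        try:
            if self.args.mssql:
                # impacket's MSSQL login splits its hashes argument on ':', so
                # always hand it the normalized 'LM:NT' form
                res = self.conn.login(None, username, '', self.domain,
                                      '{}:{}'.format(lmhash, nthash), True)
                if res is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, '', self.domain, lmhash, nthash)

            self.hash = ntlm_hash
            self.username = username
            self.check_if_admin()
            self.db.add_credential('hash', self.domain, username, ntlm_hash)

            if self.admin_privs:
                self.db.link_cred_to_host('hash', self.domain, username, ntlm_hash, self.host)

            out = u'{}\\{} {} {}'.format(self.domain.decode('utf-8'),
                                         username.decode('utf-8'),
                                         ntlm_hash,
                                         highlight('(Pwn3d!)') if self.admin_privs else '')

            self.logger.success(out)
            return True
        except SessionError as e:
            error, desc = e.getErrorString()
            # the error description is only appended when self.args.verbose is set
            self.logger.error(u'{}\\{} {} {} {}'.format(self.domain.decode('utf-8'),
                                                        username.decode('utf-8'),
                                                        ntlm_hash,
                                                        error,
                                                        '({})'.format(desc) if self.args.verbose else ''))
            return False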
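    def plaintext_login(self, username, password):
        """Authenticate to the current host with a cleartext password.

        With ``self.args.mssql`` set, ``self.conn.login`` is called with
        Windows authentication and any result other than ``True`` is a
        failure (the server replies are printed and ``False`` returned);
        otherwise the SMB-style ``login(username, password, domain)`` is used
        and a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'plaintext' via ``self.db``.

        NOTE: the cleartext password is written to the logger on both the
        success and the error path and persisted unhashed in the database,
        so log sinks and the DB file contain live credentials.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        try:
            if self.args.mssql:
                res = self.conn.login(None, username, password, self.domain,
                                      None, True)
                if res is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, password, self.domain)

            self.password = password
            self.username = username
            self.check_if_admin()
            self.db.add_credential('plaintext', self.domain, username,
                                   password)

            out = u'{}\\{}:{} {}'.format(
                self.domain, username, password,
                highlight('(Pwn3d!)') if self.admin_privs else '')

            self.logger.success(out)
            return True
        except SessionError as e:
            # str(e) is normally '<prefix>: <detail>'; fall back to the whole
            # message instead of raising IndexError when no ':' is present,
            # which would otherwise abort the login attempt with a traceback.
            parts = str(e).split(':')
            detail = parts[1] if len(parts) > 1 else parts[0]
            self.logger.error(u'{}\\{}:{} {}'.format(self.domain, username,
                                                     password, detail))
            return False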
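    def hash_login(self, username, ntlm_hash):
        """Authenticate to the current host with an NTLM hash.

        ``ntlm_hash`` may be given as 'LM:NT' or as a bare NT hash. With
        ``self.args.mssql`` set, ``self.conn.login`` is called with Windows
        authentication and any result other than ``True`` is a failure (the
        server replies are printed and ``False`` returned); otherwise the
        SMB-style ``login(username, '', domain, lmhash, nthash)`` is used and
        a failed logon surfaces as ``SessionError``. A successful logon
        records the credential as 'hash' via ``self.db``.

        NOTE: the hash is a password-equivalent credential for NTLM
        authentication; it is written to the logger on both paths and
        persisted in the database.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        # Accept a bare NT hash as well as 'LM:NT'; previously an input
        # without ':' raised ValueError from the tuple unpack. An empty LM
        # half is passed through to the connection unchanged.
        if ':' in ntlm_hash:
            lmhash, nthash = ntlm_hash.split(':', 1)
        else:
            lmhash, nthash = '', ntlm_hash
        try:
            if self.args.mssql:
                # impacket's MSSQL login splits its hashes argument on ':', so
                # always hand it the normalized 'LM:NT' form
                res = self.conn.login(None, username, '', self.domain,
                                      '{}:{}'.format(lmhash, nthash), True)
                if res is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, '', self.domain, lmhash, nthash)

            self.hash = ntlm_hash
            self.username = username
            self.check_if_admin()
            self.db.add_credential('hash', self.domain, username, ntlm_hash)

            out = u'{}\\{} {} {}'.format(
                self.domain, username, ntlm_hash,
                highlight('(Pwn3d!)') if self.admin_privs else '')

            self.logger.success(out)
            return True
        except SessionError as e:
            # str(e) is normally '<prefix>: <detail>'; fall back to the whole
            # message instead of raising IndexError when no ':' is present.
            parts = str(e).split(':')
            detail = parts[1] if len(parts) > 1 else parts[0]
            self.logger.error(u'{}\\{} {} {}'.format(self.domain, username,
                                                     ntlm_hash, detail))
            return False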
    def hash_login(self, username, ntlm_hash):
        """Authenticate to the current host with an NTLM hash.

        ``ntlm_hash`` is either 'LM:NT' or a bare NT hash (the LM half is then
        left empty). With ``self.args.mssql`` set, ``self.conn.login`` is
        called with Windows authentication and the raw ``ntlm_hash`` string,
        and any result other than ``True`` is a failure (the server replies
        are printed and ``False`` returned); otherwise the SMB-style
        ``login(username, '', domain, lmhash, nthash)`` is used and a failed
        logon surfaces as ``SessionError``. A successful logon records the
        credential as 'hash' via ``self.db`` and, when ``check_if_admin`` has
        set ``self.admin_privs``, links it to ``self.host``.

        NOTE: the hash is a password-equivalent credential for NTLM
        authentication; it is written to the logger on both paths and
        persisted in the database.

        Returns:
            True when the logon succeeded, False otherwise.
        """
        # a bare NT hash has no LM half; keep it empty rather than failing
        if ':' in ntlm_hash:
            lmhash, nthash = ntlm_hash.split(':')
        else:
            lmhash, nthash = '', ntlm_hash

        try:
            if self.args.mssql:
                ok = self.conn.login(None, username, '', self.domain,
                                     ntlm_hash, True)
                if ok is not True:
                    # MSSQL signals failure through its reply stream, not an exception
                    self.conn.printReplies()
                    return False
            else:
                self.conn.login(username, '', self.domain, lmhash, nthash)

            self.username = username
            self.hash = ntlm_hash
            self.check_if_admin()
            self.db.add_credential('hash', self.domain, username, ntlm_hash)
            if self.admin_privs:
                self.db.link_cred_to_host('hash', self.domain, username,
                                          ntlm_hash, self.host)

            domain_s = self.domain.decode('utf-8')
            user_s = username.decode('utf-8')
            tag = highlight('(Pwn3d!)') if self.admin_privs else ''
            self.logger.success(u'{}\\{} {} {}'.format(domain_s, user_s, ntlm_hash, tag))
            return True
        except SessionError as e:
            error, desc = e.getErrorString()
            # the error description is only appended when self.args.verbose is set
            detail = '({})'.format(desc) if self.args.verbose else ''
            self.logger.error(u'{}\\{} {} {} {}'.format(
                self.domain.decode('utf-8'), username.decode('utf-8'),
                ntlm_hash, error, detail))
            return False
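    def shutdown(self):
        """Wait for in-flight hosts to finish, then tear the server down.

        Polls ``self.server.hosts`` every 15 s until it is empty; a
        KeyboardInterrupt cuts the wait short and proceeds straight to the
        teardown. The server and its socket are then closed and this thread
        plus every other live thread is force-stopped via the private
        CPython 2 ``_Thread__stop`` (not available on Python 3), on a
        best-effort basis.
        """
        try:
            while self.server.hosts:
                self.server.log.info('Waiting on {} host(s)'.format(highlight(len(self.server.hosts))))
                sleep(15)
        except KeyboardInterrupt:
            # Ctrl-C skips the wait but still performs the teardown below
            pass

        # shut down the server/socket
        self.server.shutdown()
        self.server.socket.close()
        self.server.server_close()
        self._Thread__stop()

        # make sure all the threads are killed; _Thread__stop is a private
        # CPython 2 API, so failures here are ignored rather than propagated
        for thread in threading.enumerate():
            if thread.isAlive():
                try:
                    thread._Thread__stop()
                except Exception:
                    # narrowed from a bare except so KeyboardInterrupt and
                    # SystemExit are no longer swallowed during teardown
                    pass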
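    def shutdown(self):
        """Wait for in-flight hosts to finish, then tear the server down.

        Polls ``self.server.hosts`` every 15 s until it is empty; a
        KeyboardInterrupt cuts the wait short and proceeds straight to the
        teardown. The server and its socket are then closed and this thread
        plus every other live thread is force-stopped via the private
        CPython 2 ``_Thread__stop`` (not available on Python 3), on a
        best-effort basis.
        """
        try:
            while self.server.hosts:
                self.server.log.info('Waiting on {} host(s)'.format(highlight(len(self.server.hosts))))
                sleep(15)
        except KeyboardInterrupt:
            # Ctrl-C skips the wait but still performs the teardown below
            pass

        # shut down the server/socket
        self.server.shutdown()
        self.server.socket.close()
        self.server.server_close()
        self._Thread__stop()

        # make sure all the threads are killed; _Thread__stop is a private
        # CPython 2 API, so failures here are ignored rather than propagated
        for thread in threading.enumerate():
            if thread.isAlive():
                try:
                    thread._Thread__stop()
                except Exception:
                    # narrowed from a bare except so KeyboardInterrupt and
                    # SystemExit are no longer swallowed during teardown
                    pass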
|  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
 \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|


                 Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

                       Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

                                                   Inspired by:
                            @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
                            @gojhonny's CredCrack https://github.com/gojhonny/CredCrack
                            @pentestgeek's smbexec https://github.com/pentestgeek/smbexec
                                                     
                                                  {}: {}
                                        {}: {}
""".format(highlight('Version', 'red'), highlight(VERSION),
           highlight('Codename', 'red'), highlight(CODENAME)),
                                 formatter_class=RawTextHelpFormatter,
                                 version='{} - {}'.format(VERSION, CODENAME),
                                 epilog='HA! Made you look!')

parser.add_argument(
    "target",
    nargs='*',
    type=str,
    help=
    "The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets"
)
parser.add_argument(
    "-t",
    type=int,
|  `----.|  |\  \----. /  _____  \  |  `----.|  .  \  |  |  |  |  /  _____  \  |  |      |  |____  /  .  \  |  |____ |  `----.
 \______|| _| `._____|/__/     \__\  \______||__|\__\ |__|  |__| /__/     \__\ | _|      |_______|/__/ \__\ |_______| \______|


                 Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r

                       Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino)

                                                   Inspired by:
                            @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap
                            @gojhonny's CredCrack https://github.com/gojhonny/CredCrack
                            @pentestgeek's smbexec https://github.com/pentestgeek/smbexec
                                                     
                                                  {}: {}
                                        {}: {}
""".format(highlight('Version', 'red'),
           highlight(VERSION),
           highlight('Codename', 'red'),
           highlight(CODENAME)),

                                formatter_class=RawTextHelpFormatter,
                                version='{} - {}'.format(VERSION, CODENAME),
                                epilog='HA! Made you look!')

parser.add_argument("target", nargs='*', type=str, help="The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets")
parser.add_argument("-t", type=int, dest="threads", default=100, help="Set how many concurrent threads to use (defaults to 100)")
parser.add_argument('-id', metavar="CRED_ID", type=int, dest='cred_id', help='Database credential ID to use for authentication')
parser.add_argument("-u", metavar="USERNAME", dest='username', nargs='*', default=[], help="Username(s) or file(s) containing usernames")
parser.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, help="Domain name")
msgroup = parser.add_mutually_exclusive_group()
msgroup.add_argument("-p", metavar="PASSWORD", dest='password', nargs= '*', default=[], help="Password(s) or file(s) containing passwords")