def disable(self): remoteOps = RemoteOperations(self.smbconnection, self.doKerb) remoteOps.enableRegistry() self.rrp = remoteOps._RemoteOperations__rrp if self.rrp is not None: ans = rrp.hOpenLocalMachine(self.rrp) regHandle = ans['phKey'] ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest') keyHandle = ans['phkResult'] try: rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00') except: self.logger.success('UseLogonCredential registry key not present') try: remoteOps.finish() except: pass return try: #Check to make sure the reg key is actually deleted rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00') except DCERPCException: self.logger.success('UseLogonCredential registry key deleted successfully') try: remoteOps.finish() except: pass
def disable(self): remoteOps = RemoteOperations(self.smbconnection, self.doKerb) remoteOps.enableRegistry() self.rrp = remoteOps._RemoteOperations__rrp if self.rrp is not None: ans = rrp.hOpenLocalMachine(self.rrp) regHandle = ans['phKey'] ans = rrp.hBaseRegOpenKey( self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest' ) keyHandle = ans['phkResult'] rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00') try: #Check to make sure the reg key is actually deleted rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00') except DCERPCException: self.logger.success( 'UseLogonCredential registry key deleted successfully') try: remoteOps.finish() except: pass
def start(remoteName, remoteHost, username, password, dllPath): winreg_bind = r'ncacn_np:445[\pipe\winreg]' hRootKey = None subkey = None rrpclient = None print("[*] Connecting to remote registry") try: rpctransport = transport.SMBTransport(remoteHost, 445, r'\winreg', username, password, "", "", "", "") except (Exception) as e: print("[x] Error establishing SMB connection: %s" % e) return try: # Set up winreg RPC rrpclient = rpctransport.get_dce_rpc() rrpclient.connect() rrpclient.bind(rrp.MSRPC_UUID_RRP) except (Exception) as e: print("[x] Error binding to remote registry: %s" % e) return print("[*] Connection established") print( "[*] Adding new value to SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPtr" ) try: # Add a new registry key ans = rrp.hOpenLocalMachine(rrpclient) hRootKey = ans['phKey'] subkey = rrp.hBaseRegOpenKey( rrpclient, hRootKey, "SYSTEM\\CurrentControlSet\\Services\\NTDS") rrp.hBaseRegSetValue(rrpclient, subkey["phkResult"], "DirectoryServiceExtPt", 1, dllPath) except (Exception) as e: print("[x] Error communicating with remote registry: %s" % e) return print("[*] Registry value created, DLL will be loaded from %s" % (dllPath)) trigger_samr(remoteHost, username, password) print("[*] Removing registry entry") try: rrp.hBaseRegDeleteValue(rrpclient, subkey["phkResult"], "DirectoryServiceExtPt") except (Exception) as e: print("[x] Error deleting from remote registry: %s" % e) return print("[*] All done")
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self): dce, rpctransport, phKey = self.connect() resp = rrp.hOpenClassesRoot(dce) resp.dump() regHandle = resp['phKey'] resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00') resp.dump() phKey = resp['phkResult'] try: resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00') resp.dump() except Exception as e: print(e) type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00') #print data resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00') resp.dump() resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00') resp.dump() self.assertTrue('HOLA COMO TE VA\x00' == data)
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self): dce, rpctransport, phKey = self.connect() resp = rrp.hOpenClassesRoot(dce) resp.dump() regHandle = resp['phKey'] resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00') resp.dump() phKey = resp['phkResult'] try: resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00') resp.dump() except Exception as e: print e type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00') #print data resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00') resp.dump() resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00') resp.dump() self.assertTrue( 'HOLA COMO TE VA\x00' == data )
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self): dce, rpctransport = self.connect() resp = rrp.hOpenClassesRoot(dce) resp.dump() regHandle = resp['phKey'] resp = rrp.hBaseRegCreateKey(dce, regHandle, self.test_key) resp.dump() phKey = resp['phkResult'] try: resp = rrp.hBaseRegSetValue(dce, phKey, self.test_value_name, rrp.REG_SZ, self.test_value_data) resp.dump() except Exception as e: print(e) type, data = rrp.hBaseRegQueryValue(dce, phKey, self.test_value_name) resp = rrp.hBaseRegDeleteValue(dce, phKey, self.test_value_name) resp.dump() resp = rrp.hBaseRegDeleteKey(dce, regHandle, self.test_key) resp.dump() self.assertEqual(self.test_value_data, data)
def wdigest_disable(self, context, smbconnection): remoteOps = RemoteOperations(smbconnection, False) remoteOps.enableRegistry() if remoteOps._RemoteOperations__rrp: ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp) regHandle = ans['phKey'] ans = rrp.hBaseRegOpenKey( remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest' ) keyHandle = ans['phkResult'] try: rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00') except: context.log.success( 'UseLogonCredential registry key not present') try: remoteOps.finish() except: pass return try: #Check to make sure the reg key is actually deleted rtype, data = rrp.hBaseRegQueryValue( remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00') except DCERPCException: context.log.success( 'UseLogonCredential registry key deleted successfully') try: remoteOps.finish() except: pass
class RRPTests(unittest.TestCase): def connect(self): rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts) resp = rrp.hOpenLocalMachine( dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS) return dce, rpctransport, resp['phKey'] def test_OpenClassesRoot(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenClassesRoot() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenCurrentUser(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenCurrentUser() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenLocalMachine(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenLocalMachine() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenPerformanceData(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenPerformanceData() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenUsers(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenUsers() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_BaseRegCloseKey(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegCloseKey() request['hKey'] = phKey resp = dce.request(request) resp.dump() def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self): dce, rpctransport, phKey = self.connect() resp = rrp.hOpenClassesRoot(dce) resp.dump() regHandle = resp['phKey'] resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00') resp.dump() phKey = resp['phkResult'] try: resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00') resp.dump() except Exception, e: print e type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00') #print data resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00') resp.dump() resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00') resp.dump() self.assertTrue('HOLA COMO TE VA\x00' == data)
def delete(self, dce, keyName): hRootKey, subKey = self.__strip_root_key(dce, keyName) # READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006) if self.__options.v is None and not self.__options.va and not self.__options.ve: # Try to delete subkey subKeyDelete = subKey subKey = '\\'.join(subKey.split('\\')[:-1]) ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY) # Should I use ans2? try: ans3 = rrp.hBaseRegDeleteKey( dce, hRootKey, subKeyDelete, ) except rpcrt.DCERPCException as e: if e.error_code == 5: #TODO: Check if DCERPCException appears only because of existing subkeys print( 'Cannot delete key %s. Possibly it contains subkeys or insufficient privileges' % keyName) return else: raise except Exception as e: logging.error('Unhandled exception while hBaseRegDeleteKey') return if ans3['ErrorCode'] == 0: print('Successfully deleted subkey %s' % (keyName)) else: print('Error 0x%08x while deleting subkey %s' % (ans3['ErrorCode'], keyName)) elif self.__options.v: # Delete single value ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY) ans3 = rrp.hBaseRegDeleteValue(dce, ans2['phkResult'], self.__options.v) if ans3['ErrorCode'] == 0: print('Successfully deleted key %s\\%s' % (keyName, self.__options.v)) else: print('Error 0x%08x while deleting key %s\\%s' % (ans3['ErrorCode'], keyName, self.__options.v)) elif self.__options.ve: ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY) ans3 = rrp.hBaseRegDeleteValue(dce, ans2['phkResult'], '') if ans3['ErrorCode'] == 0: print('Successfully deleted value %s\\%s' % (keyName, 'Default')) else: print('Error 0x%08x while deleting value %s\\%s' % (ans3['ErrorCode'], keyName, self.__options.v)) elif self.__options.va: ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS) i = 0 allSubKeys = [] while True: try: ans3 = rrp.hBaseRegEnumValue(dce, ans2['phkResult'], i) lp_value_name = ans3['lpValueNameOut'][:-1] allSubKeys.append(lp_value_name) i += 1 except rrp.DCERPCSessionError as e: if e.get_error_code() == ERROR_NO_MORE_ITEMS: break ans4 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS) for subKey in allSubKeys: try: ans5 = rrp.hBaseRegDeleteValue(dce, ans4['phkResult'], subKey) if ans5['ErrorCode'] == 0: print('Successfully deleted value %s\\%s' % (keyName, subKey)) else: print('Error 0x%08x in deletion of value %s\\%s' % (ans5['ErrorCode'], keyName, subKey)) except Exception as e: print('Unhandled error %s in deletion of value %s\\%s' % (str(e), keyName, subKey))
class RRPTests(unittest.TestCase): def connect_scmr(self): rpctransport = transport.DCERPCTransportFactory( r'ncacn_np:%s[\pipe\svcctl]' % self.machine) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() # dce.set_max_fragment_size(32) dce.connect() dce.bind(scmr.MSRPC_UUID_SCMR) lpMachineName = 'DUMMY\x00' lpDatabaseName = 'ServicesActive\x00' desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \ scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | \ scmr.SERVICE_ENUMERATE_DEPENDENTS | scmr.SC_MANAGER_ENUMERATE_SERVICE resp = scmr.hROpenSCManagerW(dce, lpMachineName, lpDatabaseName, desiredAccess) scHandle = resp['lpScHandle'] return dce, rpctransport, scHandle def connect(self): if self.rrpStarted is not True: dce, rpctransport, scHandle = self.connect_scmr() desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \ scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess) resp.dump() serviceHandle = resp['lpServiceHandle'] try: resp = scmr.hRStartServiceW(dce, serviceHandle) except Exception as e: if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0: pass else: raise resp = scmr.hRCloseServiceHandle(dce, scHandle) self.rrpStarted = True rpctransport = transport.DCERPCTransportFactory(self.stringBinding) if len(self.hashes) > 0: lmhash, nthash = self.hashes.split(':') else: lmhash = '' nthash = '' if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash) dce = rpctransport.get_dce_rpc() #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY) dce.connect() dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts) resp = rrp.hOpenLocalMachine( dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS) return dce, rpctransport, resp['phKey'] def test_OpenClassesRoot(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenClassesRoot() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenCurrentUser(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenCurrentUser() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenLocalMachine(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenLocalMachine() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenPerformanceData(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenPerformanceData() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_OpenUsers(self): dce, rpctransport, phKey = self.connect() request = rrp.OpenUsers() request['ServerName'] = NULL request['samDesired'] = MAXIMUM_ALLOWED resp = dce.request(request) resp.dump() def test_BaseRegCloseKey(self): dce, rpctransport, phKey = self.connect() request = rrp.BaseRegCloseKey() request['hKey'] = phKey resp = dce.request(request) resp.dump() def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self): dce, rpctransport, phKey = self.connect() resp = rrp.hOpenClassesRoot(dce) resp.dump() regHandle = resp['phKey'] resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00') resp.dump() phKey = resp['phkResult'] try: resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00') resp.dump() except Exception, e: print e type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00') #print data resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00') resp.dump() resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00') resp.dump() self.assertTrue('HOLA COMO TE VA\x00' == data)