def run(self, target, args, smb_con, loggers, config_obj):
logger = loggers['console']
try:
x = LdapCon(args.user, args.passwd, args.hash, args.domain,
args.ldap_srv, args.timeout)
x.create_ldap_con()
dc_data = x.custom_query(
'(userAccountControl:1.2.840.113556.1.4.803:=8192)',
ATTRIBUTES['cpu'])
x.close()
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
if x.data:
for srv, data in dc_data.items():
logger.success([
smb_con.host, smb_con.ip,
self.name.upper(),
"{:<20} OS: {}".format(srv, data['operatingSystem'])
])
else:
logger.fail([
smb_con.host, smb_con.ip,
self.name.upper(), "No data returned".format(self.name)
])
class LDAPHandler():
"""
Small class to handle ldap connection. Otherwise we receive a timeout
error when attempting multiple queries on the same connection.
"""
def __init__(self, args, loggers, db_obj):
self.con = False
self.count = 0
self.args = args
self.loggers = loggers
self.db = db_obj
def create_ldap_con(self):
try:
if self.con:
self.con.close()
self.con = LdapCon(self.args, self.loggers, self.args.ldap_srv,
self.db)
self.con.create_ldap_con()
self.count += 1
if self.count == 1:
# Output formatting indicating a successful connection
self.loggers['console'].success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
self.con.host, self.con.ldaps)
])
except Exception as e:
raise Exception(e)
def close(self):
if self.con:
self.con.close()
def main(args, config_obj, db_obj, loggers):
logger = loggers['console']
try:
query = LdapCon(args.user, args.passwd, args.hash, args.domain,
args.srv, args.timeout)
query.create_ldap_con()
logger.success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
query.host, query.ldaps)
])
# Users
if args.lookup_type in ['user', 'users']:
resp = query.user_query(args.query, args.attrs)
# Groups
elif args.lookup_type in ['group', 'groups']:
if args.query:
resp = query.group_membership(args.query, args.attrs)
else:
resp = query.group_query(args.attrs)
# Computers
elif args.lookup_type in ['computer', 'computers']:
resp = query.computer_query(args.query, args.attrs)
# Domain
elif args.lookup_type == 'domain':
resp = query.domain_query(args.attrs)
# Trust
elif args.lookup_type == 'trust':
resp = query.trust_query(args.attrs)
# Custom
elif args.lookup_type == 'custom':
resp = query.custom_query(args.query, args.attrs)
else:
logger.fail(
"Invalid query operation:\n\t"
"activereign query {user|group|computer|domain|trust|custom} -u {user} -p {password} -d {domain} -s {server}\n\t"
"activereign query {user|group|computer|domain|trust|custom} -q {lookup value} -a {attributes} -id {credID}"
)
# Display results
if args.lookup_type and resp:
format_data(logger, resp, args.lookup_type, args.query, args.attrs,
args.resolve, args.debug)
query.close()
except Exception as e:
if "invalidCredentials" in str(e):
logger.fail(["LDAP Error", "Authentication failed"])
else:
logger.fail(["LDAP Error", str(e)])
def spray(auth_args, loggers, db_obj, config_obj, target, user, passwd):
if auth_args.user_as_pass: passwd = user
elif auth_args.hash: passwd = ''
try:
if auth_args.method.lower() == "ldap":
con = LdapCon(auth_args, loggers, target, db_obj)
con.create_ldap_con()
elif auth_args.method.lower() == 'smb':
con = SmbCon(auth_args, loggers, target, db_obj)
con.create_smb_con()
if auth_args.hash: passwd = auth_args.hash
if hasattr(con, 'admin')and con.admin == True:
loggers['console'].success([con.host, con.ip, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(con.domain, user, passwd, highlight(config_obj.PWN3D_MSG, 'yellow'))])
else:
loggers['console'].success([con.host, con.ip, auth_args.method.upper(),'{}\\{:<20} {:<15} {}'.format(con.domain, user, passwd, highlight("SUCCESS", "green"))])
loggers[auth_args.mode].info("Spray\t{}\t{}\\{}\t{}\tSuccess".format(target, auth_args.domain, user, passwd))
con.close()
except KeyboardInterrupt:
print("\n[!] Key Event Detected, Closing...")
try:
con.close()
except:
pass
_exit(0)
except Exception as e:
# Overwrite pwd value for output
if auth_args.hash: passwd = auth_args.hash
if "password has expired" in str(e).lower():
loggers['console'].success2([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("PASSWORD EXPIRED", color='yellow'))])
loggers[auth_args.mode].info("Spray\t{}\t{}\\{}\t{}\tPassword Expired".format(target, auth_args.domain, user, passwd))
elif "account_locked_out" in str(e).lower():
loggers['console'].warning([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("ACCOUNT LOCKED", color='red'))])
loggers[auth_args.mode].info("Spray\t{}\t{}\\{}\t{}\tAccount Locked".format(target, auth_args.domain, user, passwd))
exit(1)
elif str(e) == "Connection to Server Failed":
loggers['console'].verbose([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("CONNECTION ERROR", color='red'))])
loggers[auth_args.mode].info("Spray\t{}\t{}\\{}\t{}\tConnection Error".format(target, auth_args.domain, user, passwd))
elif "status_logon_failure" in str(e).lower() or "invalidCredentials" in str(e).lower():
loggers['console'].verbose([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("FAILED", color='red'))])
loggers[auth_args.mode].info("Spray\t{}\t{}\\{}\t{}\tLogin Failed".format(target, auth_args.domain, user, passwd))
else:
loggers['console'].debug([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight(str(e), color='red'))])
loggers[auth_args.mode].info("Spray\t{}\t{}\\{}\t{}\t{}".format(target, auth_args.domain, user, passwd, str(e)))
sleep(auth_args.jitter)
del auth_args
def enum_arg_mods(args, db_obj, logger):
# Collect creds if not provided
if not args.passwd and args.user and not args.hash:
args.passwd = getpass("Enter password, or continue with null-value: ")
elif args.cred_id and not args.user:
enum_user = db_obj.extract_user(args.cred_id)
args.user = enum_user[0][0]
args.passwd = enum_user[0][1]
args.hash = enum_user[0][2]
args.domain = enum_user[0][3]
# Gather target systems
if args.target[0].startswith("{"):
if args.cred_id:
ldap_user = db_obj.extract_user(args.cred_id)
username = ldap_user[0][0]
password = ldap_user[0][1]
hashes = ldap_user[0][2]
domain = ldap_user[0][3]
elif args.domain:
username = args.user
password = args.passwd
hashes = args.hash
domain = args.domain
else:
logger.warning(
"To use the LDAP feature, please select a valid credential ID or enter domain credentials"
)
logger.warning(
"Insert credentials:\n\tactivereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
if hashes:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(domain, username)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False])'.format(
domain, username, password[:1])
])
try:
l = LdapCon(username, password, hashes, domain, args.ldap_srv,
args.timeout)
l.create_ldap_con()
if not l:
logger.status_fail(
['LDAP Connection', 'Unable to create LDAP connection'])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
l.host, l.ldaps)
])
if args.target[0] == '{ldap}':
args.target = list(l.computer_query(False, False).keys())
elif args.target[0] == "{eol}":
args.target = list(l.computer_query('eol', False).keys())
logger.status_success([
'LDAP Connection',
'{} computers collected'.format(len(args.target))
])
except Exception as e:
if "invalidCredentials" in str(e):
logger.fail(["LDAP Error", "Authentication failed"])
else:
logger.fail(["LDAP Error", str(e)])
exit(1)
else:
args.target = ipparser(args.target[0])
if "--threshold" not in argv:
tmp = db_obj.extract_lockout(args.domain)
if tmp:
args.lockout_threshold = tmp
logger.status([
"Lockout Tracker",
"Threshold Extracted from database: {}".format(str(tmp))
])
else:
logger.status([
"Lockout Tracker",
"Using default lockout threshold: {}".format(
str(args.lockout_threshold))
])
else:
db_obj.update_domain(args.domain, args.lockout_threshold)
logger.status([
"Lockout Tracker",
"Updating {} threshold in database to: {}".format(
args.domain, str(args.lockout_threshold))
])
if args.hash:
logger.status([
'Enum Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
args.domain, args.user)
])
else:
logger.status([
'Enum Authentication',
'{}\{} (Password: {}****) (Hash: False)'.format(
args.domain, args.user, args.passwd[:1])
])
if 'l' in locals():
l.close()
return args
def enum_arg_mods(args, db_obj, loggers):
logger = loggers['console']
context = argparse.Namespace(
mode=args.mode,
timeout=args.timeout,
local_auth=False,
debug=args.debug,
user=False,
passwd=False,
hash=False,
domain=False,
)
# Ask user for creds if user present and no password
if not args.passwd and args.user and not args.hash:
args.passwd = getpass("Enter password, or continue with null-value: ")
# Cred ID present & no user/pass provided, for us in enumeration
elif args.cred_id and not args.user:
enum_user = db_obj.extract_user(args.cred_id)
args.user = enum_user[0][0]
args.passwd = enum_user[0][1]
args.hash = enum_user[0][2]
args.domain = enum_user[0][3]
# Gather target systems using ldap
if args.ldap or args.eol:
if args.cred_id:
ldap_user = db_obj.extract_user(args.cred_id)
context.user = ldap_user[0][0]
context.passwd = ldap_user[0][1]
context.hash = ldap_user[0][2]
context.domain = ldap_user[0][3]
elif args.domain and args.user:
context.user = args.user
context.passwd = args.passwd
context.hash = args.hash
context.domain = args.domain
else:
logger.warning(
"To use the LDAP feature, please select a valid credential ID or enter domain credentials"
)
logger.warning(
"Insert credentials:\n\tactivereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
if context.hash:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
context.domain, context.user)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False)'.format(
context.domain, context.user, context.passwd[:1])
])
try:
l = LdapCon(context, loggers, args.ldap_srv, db_obj)
l.create_ldap_con()
if not l:
logger.status_fail(
['LDAP Connection', 'Unable to create LDAP connection'])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.format(
l.host, l.ldaps)
])
if args.ldap:
args.target = list(l.computer_query(False, []).keys())
elif args.eol:
args.target = list(l.computer_query('eol', []).keys())
logger.status_success([
'LDAP Connection',
'{} computers collected'.format(len(args.target))
])
except Exception as e:
if "invalidCredentials" in str(e):
logger.fail(["LDAP Error", "Authentication failed"])
else:
logger.fail(["LDAP Error", str(e)])
exit(1)
else:
args.target = ipparser(args.target)
if "--threshold" not in argv:
tmp = db_obj.extract_lockout(args.domain)
if tmp:
args.lockout_threshold = tmp
logger.status([
"Lockout Tracker",
"Threshold extracted from database: {}".format(str(tmp))
])
else:
logger.status([
"Lockout Tracker",
"Using default lockout threshold: {}".format(
str(args.lockout_threshold))
])
else:
db_obj.update_domain(args.domain, args.lockout_threshold)
logger.status([
"Lockout Tracker",
"Updating {} threshold in database to: {}".format(
args.domain, str(args.lockout_threshold))
])
if args.hash:
logger.status([
'Enum Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
args.domain, args.user)
])
else:
logger.status([
'Enum Authentication',
'{}\{} (Password: {}****) (Hash: False)'.format(
args.domain, args.user, args.passwd[:1])
])
if 'l' in locals():
l.close()
return args
def spray_arg_mods(args, db_obj, loggers):
logger = loggers['console']
if not args.passwd:
args.passwd = ['']
if args.method.lower() == 'ldap' and args.local_auth:
logger.warning(
'Cannot use LDAP spray method with local authentication')
exit(0)
if not args.ldap:
args.target = ipparser(args.target)
if args.ldap or args.domain_users:
if not args.cred_id:
logger.warning(
"To use this feature, please choose a cred id from the database"
)
logger.warning(
"Insert credentials:\r\n activereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
# Extract creds from db for Ldap query
ldap_user = db_obj.extract_user(args.cred_id)
if ldap_user:
context = Namespace(
mode=args.mode,
timeout=args.timeout,
local_auth=False,
debug=args.debug,
user=ldap_user[0][0],
passwd=ldap_user[0][1],
hash=ldap_user[0][2],
domain=ldap_user[0][3],
)
if context.hash:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
context.domain, context.user)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False)'.format(
context.domain, context.user, context.passwd[:1])
])
try:
# Define LDAP server to use for query
l = LdapCon(context, loggers, args.ldap_srv, db_obj)
l.create_ldap_con()
if not l:
logger.status_fail([
'LDAP Connection', 'Unable to create LDAP connection'
])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.
format(l.host, l.ldaps)
])
########################################
# Get users via LDAP
########################################
if args.domain_users:
tmp_users = l.user_query('active', False)
if args.force_all:
# Force spray on all users in domain - not recommended
args.user = tmp_users.keys()
try:
args.user.remove(context.user)
logger.status_success2(
"Removed User: {} (Query User)".format(
context.user))
except:
pass
logger.status_success('{0}/{0} users collected'.format(
len(args.user)))
else:
users = []
# Check BadPwd Limit vs Lockout Threshold
try:
tmp = l.domain_query(False)
lockout_threshold = int(tmp[list(
tmp.keys())[0]]['lockoutThreshold'])
logger.status_success(
"Domain lockout threshold detected: {}\t Logon_Server: {}"
.format(lockout_threshold, l.host))
except:
logger.status_fail(
'Lockout threshold failed, using default threshold of {}'
.format(args.default_threshold))
lockout_threshold = args.default_threshold
# Compare and create user list
for user, data in tmp_users.items():
try:
# Remove query user from list
if user.lower() == context.user.lower():
logger.status_success2(
"Removed User: {} (Query User)".format(
context.user))
# Compare badpwd count + create new list
if int(data['badPwdCount']) < (
lockout_threshold - 1):
users.append(user)
else:
logger.status_success2(
"Removed User: {} (BadPwd: {})".format(
user, data['badPwdCount']))
except:
# no badPwdCount value exists
users.append(user)
args.user = users
logger.status_success('{}/{} users collected'.format(
len(args.user), len(tmp_users)))
########################################
# get targets via ldap
########################################
if args.ldap:
args.target = list(l.computer_query(False, False).keys())
logger.status_success('{} computers collected'.format(
len(args.target)))
l.close()
except Exception as e:
logger.fail("Ldap Connection Error: {}".format(str(e)))
exit(1)
else:
logger.fail("Unable to gather creds from db, try again")
exit(0)
return args
def create_con(args, loggers, db_obj):
query = LdapCon(args, loggers, args.ldap_srv, db_obj)
query.create_ldap_con()
def run(self, target, args, smb_con, loggers, config_obj):
logger = loggers['console']
users = {}
domain = {}
try:
# Create LDAP Con
x = LdapCon(args.user, args.passwd, args.hash, args.domain,
self.args['SERVER']['Value'], args.timeout)
x.create_ldap_con()
if not x:
logger.fail([
smb_con.host, smb_con.ip,
self.name.upper(), 'Unable to create LDAP connection'
])
return
logger.success([
smb_con.host, smb_con.ip,
self.name.upper(),
'Connection established (server: {}) (LDAPS: {})'.format(
x.host, x.ldaps)
])
# Get Domain Lockout Threshold
domain = x.domain_query(False)
try:
lockout_threshold = int(domain[list(
domain.keys())[0]]['lockoutThreshold'])
logger.info([
smb_con.host, smb_con.ip,
self.name.upper(),
"Domain Lockout Threshold Detected: {}".format(
lockout_threshold), "Logon_Server: {}".format(x.host)
])
except:
lockout_threshold = self.args['Lockout']['Value']
logger.info([
smb_con.host, smb_con.ip,
self.name.upper(),
"Lockout threshold detection failed, using default: {}".
format(lockout_threshold)
])
#Collect users
users = x.user_query('active', False)
logger.debug("{}: Identified {} domain users".format(
self.name,
str(len(users.keys())),
))
if users:
# Compare
for user, data in users.items():
try:
if int(data['badPwdCount']) >= lockout_threshold:
logger.success([
smb_con.host, smb_con.ip,
self.name.upper(), user,
"BadPwd: \033[1;31m{:<5}\033[1;m".format(
data['badPwdCount']),
"Logon_Server: {}".format(x.host)
])
elif int(data['badPwdCount']) >= (lockout_threshold -
1):
logger.success([
smb_con.host, smb_con.ip,
self.name.upper(), user,
"BadPwd: \033[1;33m{:<5}\033[1;m".format(
data['badPwdCount']),
"Logon_Server: {}".format(x.host)
])
except:
pass
else:
logger.fail("{}: No users returned from query".format(
self.name))
x.close()
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
def spray_arg_mods(args, db_obj, logger):
if args.user_as_pass:
args.passwd.append(0)
if args.hash:
args.passwd = ['']
if args.method.lower() == 'ldap' and args.local_auth:
logger.warning(
'Cannot use LDAP spray method with local authentication')
exit(0)
if args.target[0] != "{ldap}":
args.target = ipparser(args.target[0])
if "{ldap}" in argv:
if not args.cred_id:
logger.warning(
"To use this feature, please choose a cred id from the database"
)
logger.warning(
"Insert credentials:\r\n activereign db insert -u username -p Password123 -d domain.local"
)
exit(0)
# Extract creds from db for Ldap query
ldap_user = db_obj.extract_user(args.cred_id)
if ldap_user:
username = ldap_user[0][0]
password = ldap_user[0][1]
hashes = ldap_user[0][2]
domain = ldap_user[0][3]
logger.debug('Using {}\{}:{} to perform ldap queries'.format(
domain, username, password))
if hashes:
logger.status([
'LDAP Authentication',
'{}\{} (Password: None) (Hash: True)'.format(
domain, username)
])
else:
logger.status([
'LDAP Authentication',
'{}\{} (Password: {}*******) (Hash: False])'.format(
domain, username, password[:1])
])
try:
# Define ldap server to not deal with lockout/replication issues
if args.ldap_srv:
l = LdapCon(username, password, hashes, domain,
args.ldap_srv, args.timeout)
elif args.user[0] == 'ldap' and args.target[0] not in [
'ldap', 'eol'
]:
l = LdapCon(username, password, hashes, domain,
args.target[0], args.timeout)
else:
l = LdapCon(username, password, hashes, domain, '',
args.timeout)
l.create_ldap_con()
if not l:
logger.status_fail([
'LDAP Connection', 'Unable to create LDAP connection'
])
exit(1)
logger.status_success([
'LDAP Connection',
'Connection established (server: {}) (LDAPS: {})'.
format(l.host, l.ldaps)
])
########################################
# Get users via LDAP
########################################
if args.user[0] == '{ldap}':
tmp_users = l.user_query('active', False)
if args.force_all:
# Force spray on all users in domain - not recommended
args.user = tmp_users.keys()
try:
args.user.remove(username)
logger.status_success2([
"Users",
"Removed: {} (Query User)".format(username)
])
except:
pass
logger.status_success(
['Users', '{} users'.format(len(args.user))])
else:
users = []
# Check BadPwd Limit vs Lockout Threshold
try:
tmp = l.domain_query(False)
lockout_threshold = int(tmp[list(
tmp.keys())[0]]['lockoutThreshold'])
logger.status_success(
"Domain lockout threshold detected: {}\t Logon_Server: {}"
.format(lockout_threshold, l.host))
except:
logger.status_fail(
'Lockout threshold failed, using default threshold of {}'
.format(args.default_threshold))
lockout_threshold = args.default_threshold
# Compare and create user list
for user, data in tmp_users.items():
try:
# Remove query user from list
if user.lower() == username.lower():
logger.status_success2(
"Removed User: {} (Query User)".format(
username))
# Compare badpwd count + create new list
if int(data['badPwdCount']) < (
lockout_threshold - 1):
users.append(user)
else:
logger.status_success2(
"Removed User: {} (BadPwd: {})".format(
user, data['badPwdCount']))
except:
# no badPwdCount value exists
users.append(user)
args.user = users
logger.status_success('{}/{} users collected'.format(
len(args.user), len(tmp_users)))
########################################
# get targets via ldap
########################################
if args.target[0] == '{ldap}':
args.target = list(l.computer_query(False, False).keys())
logger.status_success('{} computers collected'.format(
len(args.target)))
l.close()
except Exception as e:
logger.fail("Ldap Connection Error: {}".format(str(e)))
exit(1)
else:
logger.fail("Unable to gather creds from db, try again")
exit(0)
return args