コード例 #1
0
    def get_sd(self):
        if self.sd is None:
            sd = None
            try:
                sd = win32api.RegGetKeySecurity(self.get_keyh(), win32security.DACL_SECURITY_INFORMATION | win32security.OWNER_SECURITY_INFORMATION)
                self.sd = wpc.conf.cache.sd('regkey', sd)
                #print "[D]: Got security descriptor for " + self.get_name()
            except:
                # print "WARNING: Can't get security descriptor for regkey: " + self.get_name()
                self.sd = None

        return self.sd
コード例 #2
0
    def get_registry_key_acl_procmon(self, path_dict):
        try:
            '''
            cmd = {
                "proc_name" : proc_name, 
                "orig_cmd"  : orig_cmd, 
                "clean_cmd" : clean_cmd,
                "operation" : operation,
                "integrity" : integrity
                }
            '''
            registry_dict = dict(
                path_dict
            )  # A dictionary object containing all information regarding a single key
            r_path = registry_dict[
                "clean_cmd"]  # The cleaned registry key path - ready for DACL enumeration

            # HKLM support
            if "hklm" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hklm\\")[1]
                key = win32api.RegOpenKey(
                    con.HKEY_LOCAL_MACHINE,
                    path,
                    0,
                    con.KEY_ENUMERATE_SUB_KEYS
                    | con.KEY_QUERY_VALUE
                    | con.KEY_READ,
                )

            # HKCU Support
            if "hkcu" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hkcu\\")[1]
                key = win32api.RegOpenKey(
                    con.HKEY_CURRENT_USER,
                    path,
                    0,
                    con.KEY_ENUMERATE_SUB_KEYS
                    | con.KEY_QUERY_VALUE
                    | con.KEY_READ,
                )

            # HKCR Support
            if "hkcr" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hkcr\\")[1]
                key = win32api.RegOpenKey(
                    con.HKEY_CLASSES_ROOT,
                    path,
                    0,
                    con.KEY_ENUMERATE_SUB_KEYS
                    | con.KEY_QUERY_VALUE
                    | con.KEY_READ,
                )

            sd = win32api.RegGetKeySecurity(  # Obtain a Registry Security Object
                key, win32security.DACL_SECURITY_INFORMATION
                | win32security.OWNER_SECURITY_INFORMATION)
            dacl = sd.GetSecurityDescriptorDacl()  # Registry Security DACL
            owner_sid = sd.GetSecurityDescriptorOwner(
            )  # Registry Security Owner
            sddl_string = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
                sd, win32security.SDDL_REVISION_1,
                win32security.DACL_SECURITY_INFORMATION
            )  # Gives us an SDDL String we can now parse.

            all_permissions = dict(self.__sddl_dacl_parse(sddl_string))
            keys = all_permissions.keys()
            acls = ""

            # Enumerate all the keys (registry paths) and ACLS
            for key in keys:
                acls += f"{key}: {all_permissions[key]}\n"

            acl_dict = {
                "process_name": path_dict["proc_name"],
                "integrity": path_dict["integrity"],
                "operation": path_dict["operation"],
                "original_cmd": path_dict["orig_cmd"],
                "path": r_path,
                "acls": acls
            }
            return acl_dict

        except Exception as e:
            error = str(e).lower()
            if ("find the path specified" in error
                    or "find the file specified" in error
                    or "access is denied" in error or "ace type 9" in error):
                final_dict = {
                    "key_path": r_path,
                    "acls": "ERROR",
                    "error": error
                }
                return final_dict

            elif "no mapping" in error:
                note = """Possibly VULNERABLE: No mapping between account names and SID's
        Account used to set GPO may have been removed
        Account name may be typed incorrectly
        INFO: https://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/"""
                final_dict = {"key_path": r_path, "acls": note, "error": error}
                return final_dict

            else:
                self.__write_error(r_path + "\n" + all_permissions)
                self.__print_exception()
                exit(0)
コード例 #3
0
    def get_registry_key_acl(self, root_key):
        try:

            r_path = root_key.lower()
            all_permissions = ""

            # HKLM support
            if "hklm" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hklm\\")[1]
                key = win32api.RegOpenKey(
                    con.HKEY_LOCAL_MACHINE,
                    path,
                    0,
                    con.KEY_ENUMERATE_SUB_KEYS
                    | con.KEY_QUERY_VALUE
                    | con.KEY_READ,
                )

            # HKCU Support
            if "hkcu" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hkcu\\")[1]
                key = win32api.RegOpenKey(
                    con.HKEY_CURRENT_USER,
                    path,
                    0,
                    con.KEY_ENUMERATE_SUB_KEYS
                    | con.KEY_QUERY_VALUE
                    | con.KEY_READ,
                )

            # HKCR Support
            if "hkcr" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hkcr\\")[1]
                key = win32api.RegOpenKey(
                    con.HKEY_CLASSES_ROOT,
                    path,
                    0,
                    con.KEY_ENUMERATE_SUB_KEYS
                    | con.KEY_QUERY_VALUE
                    | con.KEY_READ,
                )

            sd = win32api.RegGetKeySecurity(
                key,
                win32security.DACL_SECURITY_INFORMATION
                | win32security.OWNER_SECURITY_INFORMATION,
            )
            dacl = sd.GetSecurityDescriptorDacl()
            owner_sid = sd.GetSecurityDescriptorOwner()
            sddl_string = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
                sd,
                win32security.SDDL_REVISION_1,
                win32security.DACL_SECURITY_INFORMATION,
            )

            all_permissions = dict(self.__sddl_dacl_parse(sddl_string))
            keys = all_permissions.keys()
            acls = ""

            for key in keys:
                acls += f"{key}: {all_permissions[key]}\n"

            final_dict = {"key_path": r_path, "acls": acls, "error": None}

            return final_dict

        except Exception as e:
            error = str(e).lower()
            if ("find the path specified" in error
                    or "find the file specified" in error
                    or "access is denied" in error or "ace type 9" in error):

                final_dict = {"key_path": r_path, "acls": None, "error": error}
                return final_dict

            elif "no mapping" in error:
                note = """Possibly VULNERABLE: No mapping between account names and SID's
        Account used to set GPO may have been removed
        Account name may be typed incorrectly
        INFO: https://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/"""
                final_dict = {"key_path": r_path, "acls": note, "error": error}
                return final_dict

            else:
                self.__write_error(r_path + "\n" + all_permissions)
                self.__print_exception()
                exit(0)
コード例 #4
0
    def get_acl_list_procmon(self, path_dict):
        try:
            '''
            cmd = {
                "proc_name" : proc_name, 
                "orig_cmd"  : orig_cmd, 
                "clean_cmd" : clean_cmd,
                "operation" : operation,
                "integrity" : integrity
                }
            '''

            path_dict = dict(path_dict)
            r_path = path_dict["clean_cmd"]

            # Support of HKLM Keys
            if "hklm" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hklm\\")[1]

            # Support for HKCU Keys
            if "hkcu" in r_path:
                try:
                    path = r_path.split(":\\")[1]
                except:
                    path = r_path.split("hkcu\\")[1]

            key = win32api.RegOpenKey(
                con.HKEY_LOCAL_MACHINE,
                path,
                0,
                con.KEY_ENUMERATE_SUB_KEYS | con.KEY_QUERY_VALUE
                | con.KEY_READ,
            )

            sd = win32api.RegGetKeySecurity(
                key,
                win32security.DACL_SECURITY_INFORMATION
                | win32security.OWNER_SECURITY_INFORMATION,
            )

            dacl = sd.GetSecurityDescriptorDacl()
            owner_sid = sd.GetSecurityDescriptorOwner()

            sddl_string = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
                sd,
                win32security.SDDL_REVISION_1,
                win32security.DACL_SECURITY_INFORMATION,
            )
            all_permissions = dict(self.sddl_dacl_parse(sddl_string))

            keys = all_permissions.keys()
            acls = ""
            for key in keys:
                acls += f"{key}: {all_permissions[key]}\n"

            data = f"""
Process_Name: {path_dict["proc_name"]}
Integrity: {path_dict["integrity"]}
Operation: {path_dict["operation"]}
Original_Cmd: {path_dict["orig_cmd"]}
Path: {r_path}
Access: {acls}
            """

            self.__write_acl(data)

        except Exception as e:
            error = str(e).lower()
            if ("find the path specified" in error
                    or "find the file specified" in error
                    or "access is denied" in error or "ace type 9" in error):
                data = f"\nPath: {r_path}\n{str(e)}\n"
                self.__write_acl(data)
                pass
            elif "no mapping" in error:
                note = """Possibly VULNERABLE: No mapping between account names and SID's
        Account used to set GPO may have been removed
        Account name may be typed incorrectly
        INFO: https://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/"""
                data = f"\nPath: {r_path}\n{note}\n"
                self.__write_acl(data)
                pass
            else:
                print(r_path)
                self.__write_error(r_path + "\n" + all_permissions)
                self.__print_exception()
                exit(0)