def plaintext_login(self, username, password):
    """Authenticate to the current host with a username/password pair.

    With ``self.args.mssql`` set, the MSSQL ``login`` call is used; it
    returns a boolean and the server replies are printed when it fails.
    Otherwise the SMB-style ``login(username, password, domain)`` is
    called and a failure surfaces as a ``SessionError``.  On success the
    credential is stored in the database, linked to this host when the
    account has admin rights, and a success line is logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the plaintext password is written to the credential database
    and to the success/error log lines; those artifacts hold live
    secrets and need the same handling as the credentials themselves.
    """
    def _decoded():
        # Byte values are turned into unicode only for the log lines.
        return (self.domain.decode('utf-8'),
                username.decode('utf-8'),
                password.decode('utf-8'))

    try:
        if self.args.mssql:
            login_ok = self.conn.login(None, username, password,
                                       self.domain, None, True)
            if login_ok is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        else:
            self.conn.login(username, password, self.domain)

        self.password = password
        self.username = username
        self.check_if_admin()
        self.db.add_credential('plaintext', self.domain, username, password)
        if self.admin_privs:
            self.db.link_cred_to_host('plaintext', self.domain, username,
                                      password, self.host)

        dom, user, pwd = _decoded()
        marker = highlight('(Pwn3d!)') if self.admin_privs else ''
        self.logger.success(u'{}\\{}:{} {}'.format(dom, user, pwd, marker))
        return True
    except SessionError as e:
        error, desc = e.getErrorString()
        dom, user, pwd = _decoded()
        # The long description is only shown in verbose mode.
        detail = '({})'.format(desc) if self.args.verbose else ''
        self.logger.error(u'{}\\{}:{} {} {}'.format(dom, user, pwd,
                                                     error, detail))
        return False
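def plaintext_login(self, username, password):
    """Authenticate to the current host with a username/password pair.

    With ``self.args.mssql`` set, the MSSQL ``login`` call is used; it
    returns a boolean and the server replies are printed when it fails.
    Otherwise the SMB-style ``login(username, password, domain)`` is
    called and a failure surfaces as a ``SessionError``.  On success the
    credential is stored in the database and a success line is logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the plaintext password is written to the credential database
    and to the success/error log lines; those artifacts hold live
    secrets and need the same handling as the credentials themselves.
    """
    try:
        if self.args.mssql:
            res = self.conn.login(None, username, password, self.domain, None, True)
            if res is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        elif not self.args.mssql:
            self.conn.login(username, password, self.domain)
        self.password = password
        self.username = username
        self.check_if_admin()
        self.db.add_credential('plaintext', self.domain, username, password)
        out = u'{}\\{}:{} {}'.format(self.domain, username, password,
                                     highlight('(Pwn3d!)') if self.admin_privs else '')
        self.logger.success(out)
        return True
    except SessionError as e:
        # The message is expected to contain a ':' with the reason after it;
        # a message without one used to raise IndexError out of this handler,
        # so fall back to the whole message in that case.
        parts = str(e).split(':')
        reason = parts[1] if len(parts) > 1 else str(e)
        self.logger.error(u'{}\\{}:{} {}'.format(self.domain, username, password, reason))
        return False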
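def hash_login(self, username, ntlm_hash):
    """Authenticate to the current host with an NTLM hash.

    ``ntlm_hash`` may be ``LMHASH:NTHASH`` or a bare NT hash; in the
    latter case the LM half is passed as an empty string.  The MSSQL path
    (``self.args.mssql``) receives the hash string unchanged and prints
    the server replies on a failed login; the SMB-style path passes the
    split halves.  On success the hash is stored in the database and a
    success line is logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the hash is written to the credential database and to the log
    lines; an NT hash is a reusable credential and those artifacts need
    the same protection as a password.
    """
    # Accept a bare NT hash as well as "LM:NT": unpacking a colon-less
    # string into two names raised ValueError before any login was tried.
    if ':' in ntlm_hash:
        lmhash, nthash = ntlm_hash.split(':')
    else:
        lmhash, nthash = '', ntlm_hash
    try:
        if self.args.mssql:
            res = self.conn.login(None, username, '', self.domain, ntlm_hash, True)
            if res is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        elif not self.args.mssql:
            self.conn.login(username, '', self.domain, lmhash, nthash)
        self.hash = ntlm_hash
        self.username = username
        self.check_if_admin()
        self.db.add_credential('hash', self.domain, username, ntlm_hash)
        out = u'{}\\{} {} {}'.format(self.domain, username, ntlm_hash,
                                     highlight('(Pwn3d!)') if self.admin_privs else '')
        self.logger.success(out)
        return True
    except SessionError as e:
        # The message is expected to contain a ':' with the reason after it;
        # a message without one used to raise IndexError out of this handler,
        # so fall back to the whole message in that case.
        parts = str(e).split(':')
        reason = parts[1] if len(parts) > 1 else str(e)
        self.logger.error(u'{}\\{} {} {}'.format(self.domain, username, ntlm_hash, reason))
        return False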
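def hash_login(self, username, ntlm_hash):
    """Authenticate to the current host with an NTLM hash.

    ``ntlm_hash`` may be ``LMHASH:NTHASH`` or a bare NT hash; in the
    latter case the LM half is passed as an empty string.  The MSSQL path
    (``self.args.mssql``) receives the hash string unchanged and prints
    the server replies on a failed login; the SMB-style path passes the
    split halves.  On success the hash is stored in the database, linked
    to this host when the account has admin rights, and a success line is
    logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the hash is written to the credential database and to the log
    lines; an NT hash is a reusable credential and those artifacts need
    the same protection as a password.
    """
    # Accept a bare NT hash as well as "LM:NT": unpacking a colon-less
    # string into two names raised ValueError before any login was tried.
    if ':' in ntlm_hash:
        lmhash, nthash = ntlm_hash.split(':')
    else:
        lmhash, nthash = '', ntlm_hash
    try:
        if self.args.mssql:
            res = self.conn.login(None, username, '', self.domain, ntlm_hash, True)
            if res is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        elif not self.args.mssql:
            self.conn.login(username, '', self.domain, lmhash, nthash)
        self.hash = ntlm_hash
        self.username = username
        self.check_if_admin()
        self.db.add_credential('hash', self.domain, username, ntlm_hash)
        if self.admin_privs:
            self.db.link_cred_to_host('hash', self.domain, username, ntlm_hash, self.host)
        out = u'{}\\{} {} {}'.format(self.domain.decode('utf-8'), username.decode('utf-8'), ntlm_hash,
                                     highlight('(Pwn3d!)') if self.admin_privs else '')
        self.logger.success(out)
        return True
    except SessionError as e:
        error, desc = e.getErrorString()
        # The long description is only shown in verbose mode.
        self.logger.error(u'{}\\{} {} {} {}'.format(self.domain.decode('utf-8'), username.decode('utf-8'), ntlm_hash,
                                                    error, '({})'.format(desc) if self.args.verbose else ''))
        return False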
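def plaintext_login(self, username, password):
    """Authenticate to the current host with a username/password pair.

    With ``self.args.mssql`` set, the MSSQL ``login`` call is used; it
    returns a boolean and the server replies are printed when it fails.
    Otherwise the SMB-style ``login(username, password, domain)`` is
    called and a failure surfaces as a ``SessionError``.  On success the
    credential is stored in the database and a success line is logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the plaintext password is written to the credential database
    and to the success/error log lines; those artifacts hold live
    secrets and need the same handling as the credentials themselves.
    """
    try:
        if self.args.mssql:
            res = self.conn.login(None, username, password, self.domain, None, True)
            if res is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        elif not self.args.mssql:
            self.conn.login(username, password, self.domain)
        self.password = password
        self.username = username
        self.check_if_admin()
        self.db.add_credential('plaintext', self.domain, username, password)
        out = u'{}\\{}:{} {}'.format(
            self.domain, username, password,
            highlight('(Pwn3d!)') if self.admin_privs else '')
        self.logger.success(out)
        return True
    except SessionError as e:
        # The message is expected to contain a ':' with the reason after it;
        # a message without one used to raise IndexError out of this handler,
        # so fall back to the whole message in that case.
        parts = str(e).split(':')
        reason = parts[1] if len(parts) > 1 else str(e)
        self.logger.error(u'{}\\{}:{} {}'.format(self.domain, username, password, reason))
        return False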
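def hash_login(self, username, ntlm_hash):
    """Authenticate to the current host with an NTLM hash.

    ``ntlm_hash`` may be ``LMHASH:NTHASH`` or a bare NT hash; in the
    latter case the LM half is passed as an empty string.  The MSSQL path
    (``self.args.mssql``) receives the hash string unchanged and prints
    the server replies on a failed login; the SMB-style path passes the
    split halves.  On success the hash is stored in the database and a
    success line is logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the hash is written to the credential database and to the log
    lines; an NT hash is a reusable credential and those artifacts need
    the same protection as a password.
    """
    # Accept a bare NT hash as well as "LM:NT": unpacking a colon-less
    # string into two names raised ValueError before any login was tried.
    if ':' in ntlm_hash:
        lmhash, nthash = ntlm_hash.split(':')
    else:
        lmhash, nthash = '', ntlm_hash
    try:
        if self.args.mssql:
            res = self.conn.login(None, username, '', self.domain, ntlm_hash, True)
            if res is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        elif not self.args.mssql:
            self.conn.login(username, '', self.domain, lmhash, nthash)
        self.hash = ntlm_hash
        self.username = username
        self.check_if_admin()
        self.db.add_credential('hash', self.domain, username, ntlm_hash)
        out = u'{}\\{} {} {}'.format(
            self.domain, username, ntlm_hash,
            highlight('(Pwn3d!)') if self.admin_privs else '')
        self.logger.success(out)
        return True
    except SessionError as e:
        # The message is expected to contain a ':' with the reason after it;
        # a message without one used to raise IndexError out of this handler,
        # so fall back to the whole message in that case.
        parts = str(e).split(':')
        reason = parts[1] if len(parts) > 1 else str(e)
        self.logger.error(u'{}\\{} {} {}'.format(self.domain, username, ntlm_hash, reason))
        return False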
def hash_login(self, username, ntlm_hash):
    """Authenticate to the current host with an NTLM hash.

    ``ntlm_hash`` is either ``LMHASH:NTHASH`` or a bare NT hash, in which
    case the LM half is sent as an empty string.  The MSSQL path
    (``self.args.mssql``) gets the hash string unchanged and prints the
    server replies when it reports a failed login; the SMB-style path
    gets the two halves.  On success the hash is stored in the database,
    linked to this host when the account has admin rights, and a success
    line is logged.

    Returns True when authentication succeeded, False otherwise.

    NOTE: the hash is written to the credential database and to the log
    lines; an NT hash is a reusable credential and those artifacts need
    the same protection as a password.
    """
    # Only the NT half is mandatory; a missing LM half is sent empty.
    if ':' in ntlm_hash:
        lmhash, nthash = ntlm_hash.split(':')
    else:
        lmhash, nthash = '', ntlm_hash

    def _decoded():
        # Byte values are turned into unicode only for the log lines.
        return self.domain.decode('utf-8'), username.decode('utf-8')

    try:
        if self.args.mssql:
            login_ok = self.conn.login(None, username, '', self.domain,
                                       ntlm_hash, True)
            if login_ok is not True:
                # The MSSQL client carries the failure reason in its replies.
                self.conn.printReplies()
                return False
        else:
            self.conn.login(username, '', self.domain, lmhash, nthash)

        self.hash = ntlm_hash
        self.username = username
        self.check_if_admin()
        self.db.add_credential('hash', self.domain, username, ntlm_hash)
        if self.admin_privs:
            self.db.link_cred_to_host('hash', self.domain, username,
                                      ntlm_hash, self.host)

        dom, user = _decoded()
        marker = highlight('(Pwn3d!)') if self.admin_privs else ''
        self.logger.success(u'{}\\{} {} {}'.format(dom, user, ntlm_hash, marker))
        return True
    except SessionError as e:
        error, desc = e.getErrorString()
        dom, user = _decoded()
        # The long description is only shown in verbose mode.
        detail = '({})'.format(desc) if self.args.verbose else ''
        self.logger.error(u'{}\\{} {} {} {}'.format(dom, user, ntlm_hash,
                                                    error, detail))
        return False
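def shutdown(self):
    """Wait for outstanding hosts, then tear down the server and its threads.

    Polls ``self.server.hosts`` every 15 seconds until it is empty, logging
    the remaining count; a KeyboardInterrupt skips the wait and proceeds
    straight to teardown.  The server socket is then closed and every live
    thread is stopped on a best-effort basis.

    NOTE(review): ``_Thread__stop`` is the name-mangled private stop method
    of Python 2's ``threading.Thread``; it has no Python 3 counterpart, so
    on Python 3 the per-thread stop attempts below simply fall into the
    swallowed-exception path.
    """
    try:
        while len(self.server.hosts) > 0:
            self.server.log.info('Waiting on {} host(s)'.format(highlight(len(self.server.hosts))))
            sleep(15)
    except KeyboardInterrupt:
        # Ctrl-C during the wait means "stop now": fall through to teardown.
        pass

    # shut down the server/socket
    self.server.shutdown()
    self.server.socket.close()
    self.server.server_close()
    self._Thread__stop()

    # make sure all the threads are killed
    for thread in threading.enumerate():
        # is_alive() is the spelling available on both Python 2.6+ and 3
        # (isAlive() was removed in Python 3.9).
        if thread.is_alive():
            try:
                thread._Thread__stop()
            except Exception:
                # Best-effort: a thread that cannot be stopped this way
                # (or a missing private API) must not abort the shutdown,
                # but a bare except would also hide SystemExit/KeyboardInterrupt.
                pass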
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----. \______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______| Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino) Inspired by: @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap @gojhonny's CredCrack https://github.com/gojhonny/CredCrack @pentestgeek's smbexec https://github.com/pentestgeek/smbexec {}: {} {}: {} """.format(highlight('Version', 'red'), highlight(VERSION), highlight('Codename', 'red'), highlight(CODENAME)), formatter_class=RawTextHelpFormatter, version='{} - {}'.format(VERSION, CODENAME), epilog='HA! Made you look!') parser.add_argument( "target", nargs='*', type=str, help= "The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets" ) parser.add_argument( "-t", type=int,
| `----.| |\ \----. / _____ \ | `----.| . \ | | | | / _____ \ | | | |____ / . \ | |____ | `----. \______|| _| `._____|/__/ \__\ \______||__|\__\ |__| |__| /__/ \__\ | _| |_______|/__/ \__\ |_______| \______| Swiss army knife for pentesting Windows/Active Directory environments | @byt3bl33d3r Powered by Impacket https://github.com/CoreSecurity/impacket (@agsolino) Inspired by: @ShawnDEvans's smbmap https://github.com/ShawnDEvans/smbmap @gojhonny's CredCrack https://github.com/gojhonny/CredCrack @pentestgeek's smbexec https://github.com/pentestgeek/smbexec {}: {} {}: {} """.format(highlight('Version', 'red'), highlight(VERSION), highlight('Codename', 'red'), highlight(CODENAME)), formatter_class=RawTextHelpFormatter, version='{} - {}'.format(VERSION, CODENAME), epilog='HA! Made you look!') parser.add_argument("target", nargs='*', type=str, help="The target IP(s), range(s), CIDR(s), hostname(s), FQDN(s) or file(s) containg a list of targets") parser.add_argument("-t", type=int, dest="threads", default=100, help="Set how many concurrent threads to use (defaults to 100)") parser.add_argument('-id', metavar="CRED_ID", type=int, dest='cred_id', help='Database credential ID to use for authentication') parser.add_argument("-u", metavar="USERNAME", dest='username', nargs='*', default=[], help="Username(s) or file(s) containing usernames") parser.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, help="Domain name") msgroup = parser.add_mutually_exclusive_group() msgroup.add_argument("-p", metavar="PASSWORD", dest='password', nargs= '*', default=[], help="Password(s) or file(s) containing passwords")