def get_sd(self):
if self.sd is None:
sd = None
try:
sd = win32api.RegGetKeySecurity(self.get_keyh(), win32security.DACL_SECURITY_INFORMATION | win32security.OWNER_SECURITY_INFORMATION)
self.sd = wpc.conf.cache.sd('regkey', sd)
#print "[D]: Got security descriptor for " + self.get_name()
except:
# print "WARNING: Can't get security descriptor for regkey: " + self.get_name()
self.sd = None
return self.sd
def get_registry_key_acl_procmon(self, path_dict):
try:
'''
cmd = {
"proc_name" : proc_name,
"orig_cmd" : orig_cmd,
"clean_cmd" : clean_cmd,
"operation" : operation,
"integrity" : integrity
}
'''
registry_dict = dict(
path_dict
) # A dictionary object containing all information regarding a single key
r_path = registry_dict[
"clean_cmd"] # The cleaned registry key path - ready for DACL enumeration
# HKLM support
if "hklm" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hklm\\")[1]
key = win32api.RegOpenKey(
con.HKEY_LOCAL_MACHINE,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS
| con.KEY_QUERY_VALUE
| con.KEY_READ,
)
# HKCU Support
if "hkcu" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hkcu\\")[1]
key = win32api.RegOpenKey(
con.HKEY_CURRENT_USER,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS
| con.KEY_QUERY_VALUE
| con.KEY_READ,
)
# HKCR Support
if "hkcr" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hkcr\\")[1]
key = win32api.RegOpenKey(
con.HKEY_CLASSES_ROOT,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS
| con.KEY_QUERY_VALUE
| con.KEY_READ,
)
sd = win32api.RegGetKeySecurity( # Obtain a Registry Security Object
key, win32security.DACL_SECURITY_INFORMATION
| win32security.OWNER_SECURITY_INFORMATION)
dacl = sd.GetSecurityDescriptorDacl() # Registry Security DACL
owner_sid = sd.GetSecurityDescriptorOwner(
) # Registry Security Owner
sddl_string = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
sd, win32security.SDDL_REVISION_1,
win32security.DACL_SECURITY_INFORMATION
) # Gives us an SDDL String we can now parse.
all_permissions = dict(self.__sddl_dacl_parse(sddl_string))
keys = all_permissions.keys()
acls = ""
# Enumerate all the keys (registry paths) and ACLS
for key in keys:
acls += f"{key}: {all_permissions[key]}\n"
acl_dict = {
"process_name": path_dict["proc_name"],
"integrity": path_dict["integrity"],
"operation": path_dict["operation"],
"original_cmd": path_dict["orig_cmd"],
"path": r_path,
"acls": acls
}
return acl_dict
except Exception as e:
error = str(e).lower()
if ("find the path specified" in error
or "find the file specified" in error
or "access is denied" in error or "ace type 9" in error):
final_dict = {
"key_path": r_path,
"acls": "ERROR",
"error": error
}
return final_dict
elif "no mapping" in error:
note = """Possibly VULNERABLE: No mapping between account names and SID's
Account used to set GPO may have been removed
Account name may be typed incorrectly
INFO: https://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/"""
final_dict = {"key_path": r_path, "acls": note, "error": error}
return final_dict
else:
self.__write_error(r_path + "\n" + all_permissions)
self.__print_exception()
exit(0)
def get_registry_key_acl(self, root_key):
try:
r_path = root_key.lower()
all_permissions = ""
# HKLM support
if "hklm" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hklm\\")[1]
key = win32api.RegOpenKey(
con.HKEY_LOCAL_MACHINE,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS
| con.KEY_QUERY_VALUE
| con.KEY_READ,
)
# HKCU Support
if "hkcu" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hkcu\\")[1]
key = win32api.RegOpenKey(
con.HKEY_CURRENT_USER,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS
| con.KEY_QUERY_VALUE
| con.KEY_READ,
)
# HKCR Support
if "hkcr" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hkcr\\")[1]
key = win32api.RegOpenKey(
con.HKEY_CLASSES_ROOT,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS
| con.KEY_QUERY_VALUE
| con.KEY_READ,
)
sd = win32api.RegGetKeySecurity(
key,
win32security.DACL_SECURITY_INFORMATION
| win32security.OWNER_SECURITY_INFORMATION,
)
dacl = sd.GetSecurityDescriptorDacl()
owner_sid = sd.GetSecurityDescriptorOwner()
sddl_string = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
sd,
win32security.SDDL_REVISION_1,
win32security.DACL_SECURITY_INFORMATION,
)
all_permissions = dict(self.__sddl_dacl_parse(sddl_string))
keys = all_permissions.keys()
acls = ""
for key in keys:
acls += f"{key}: {all_permissions[key]}\n"
final_dict = {"key_path": r_path, "acls": acls, "error": None}
return final_dict
except Exception as e:
error = str(e).lower()
if ("find the path specified" in error
or "find the file specified" in error
or "access is denied" in error or "ace type 9" in error):
final_dict = {"key_path": r_path, "acls": None, "error": error}
return final_dict
elif "no mapping" in error:
note = """Possibly VULNERABLE: No mapping between account names and SID's
Account used to set GPO may have been removed
Account name may be typed incorrectly
INFO: https://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/"""
final_dict = {"key_path": r_path, "acls": note, "error": error}
return final_dict
else:
self.__write_error(r_path + "\n" + all_permissions)
self.__print_exception()
exit(0)
def get_acl_list_procmon(self, path_dict):
try:
'''
cmd = {
"proc_name" : proc_name,
"orig_cmd" : orig_cmd,
"clean_cmd" : clean_cmd,
"operation" : operation,
"integrity" : integrity
}
'''
path_dict = dict(path_dict)
r_path = path_dict["clean_cmd"]
# Support of HKLM Keys
if "hklm" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hklm\\")[1]
# Support for HKCU Keys
if "hkcu" in r_path:
try:
path = r_path.split(":\\")[1]
except:
path = r_path.split("hkcu\\")[1]
key = win32api.RegOpenKey(
con.HKEY_LOCAL_MACHINE,
path,
0,
con.KEY_ENUMERATE_SUB_KEYS | con.KEY_QUERY_VALUE
| con.KEY_READ,
)
sd = win32api.RegGetKeySecurity(
key,
win32security.DACL_SECURITY_INFORMATION
| win32security.OWNER_SECURITY_INFORMATION,
)
dacl = sd.GetSecurityDescriptorDacl()
owner_sid = sd.GetSecurityDescriptorOwner()
sddl_string = win32security.ConvertSecurityDescriptorToStringSecurityDescriptor(
sd,
win32security.SDDL_REVISION_1,
win32security.DACL_SECURITY_INFORMATION,
)
all_permissions = dict(self.sddl_dacl_parse(sddl_string))
keys = all_permissions.keys()
acls = ""
for key in keys:
acls += f"{key}: {all_permissions[key]}\n"
data = f"""
Process_Name: {path_dict["proc_name"]}
Integrity: {path_dict["integrity"]}
Operation: {path_dict["operation"]}
Original_Cmd: {path_dict["orig_cmd"]}
Path: {r_path}
Access: {acls}
"""
self.__write_acl(data)
except Exception as e:
error = str(e).lower()
if ("find the path specified" in error
or "find the file specified" in error
or "access is denied" in error or "ace type 9" in error):
data = f"\nPath: {r_path}\n{str(e)}\n"
self.__write_acl(data)
pass
elif "no mapping" in error:
note = """Possibly VULNERABLE: No mapping between account names and SID's
Account used to set GPO may have been removed
Account name may be typed incorrectly
INFO: https://www.rebeladmin.com/2016/01/how-to-fix-error-no-mapping-between-account-names-and-security-ids-in-active-directory/"""
data = f"\nPath: {r_path}\n{note}\n"
self.__write_acl(data)
pass
else:
print(r_path)
self.__write_error(r_path + "\n" + all_permissions)
self.__print_exception()
exit(0)