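 def loadKeysFromKeytab(self, filename):
     """Load the Kerberos key for ``options.spn`` from a keytab into ``options``.

     The keytab at ``filename`` is read with ``Keytab.loadFile`` and searched for
     the principal ``<options.spn>@<self.__domain>``. Depending on the enctype of
     the key found, its hex value is stored in ``options.aesKey`` (AES128/AES256)
     or ``options.nthash`` (RC4). A missing or unusable key only produces a
     warning; nothing is raised and ``options`` is left untouched in that case.

     Args:
         filename: path of the keytab file to read.

     Returns:
         None. Results are communicated through ``options``.
     """
     # NOTE(review): ``options`` is not a parameter here; it is presumably the
     # module-level argparse namespace of the calling script - confirm.
     keytab = Keytab.loadFile(filename)
     principal = "%s@%s" % (options.spn, self.__domain)
     keyblock = keytab.getKey(principal)
     if not keyblock:
         logging.warning("No matching key for SPN '%s' in given keytab found!", options.spn)
         return

     keytype = keyblock["keytype"]
     if keytype in (Enctype.AES256, Enctype.AES128):
         options.aesKey = keyblock.hexlifiedValue()
     elif keytype == Enctype.RC4:
         options.nthash = keyblock.hexlifiedValue()
     else:
         # Previously a silent no-op: the caller then proceeded without any
         # credential and failed later with an unrelated-looking error.
         logging.warning("Key for SPN '%s' in keytab has unsupported enctype %s; ignoring it", options.spn, keytype)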
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        logging.getLogger().setLevel(logging.INFO)

    rpcdomain, rpcuser, rpcpass = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::(.*))?)?').match(options.auth_rpc).groups('')
    proxydomain, proxyuser, proxypass = re.compile('(?:(?:([^/:]*)/)?([^:]*)(?::(.*))?)?').match(options.auth_rpcproxy).groups('')
        
    if rpcdomain is None:
        rpcdomain = ''

    if proxydomain is None:
        proxydomain = ''

    if options.keytab is not None:
        Keytab.loadKeysFromKeytab (options.keytab, rpcuser, rpcdomain, options)
        options.k = True

    if options.aesKey is not None:
        options.k = True

    if rpcpass == '' and rpcuser != '' and options.hashes_rpc is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass
        rpcpass = getpass("Password for DCE/RPC communication:")

    if proxypass == '' and proxyuser != '' and options.hashes_rpcproxy is None:
        from getpass import getpass
        proxypass = getpass("Password for RPC proxy:")

    if options.uuid is not None:
        uuids = [uuid.string_to_uuidtup(options.uuid)]
        sys.exit(1)

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        logging.getLogger().setLevel(logging.INFO)

    domain, username, password, address = parse_target(options.target)

    if domain is None:
        domain = ''

    if options.keytab is not None:
        Keytab.loadKeysFromKeytab(options.keytab, username, domain, options)
        options.k = True

    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass

        password = getpass("Password:")

    if options.aesKey is not None:
        options.k = True

    atsvc_exec = TSCH_EXEC(username, password, domain, options.hashes,
                           options.aesKey, options.k, options.dc_ip,
                           ' '.join(options.command), options.session_id)
    atsvc_exec.play(address)
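def main():
    """Command-line entry point for the TSCH-based remote command runner.

    Parses the positional ``target``/``port``/``command`` arguments and the
    authentication options, configures logging, works out which credential to
    use (keytab, AES key, NTLM hashes, Kerberos ccache, or an interactively
    prompted password) and then runs the command on the target via
    ``TSCH_EXEC``.

    Side effects:
        Rebinds the module-level ``CODEC`` (from ``-codec`` or the ``'utf-8'``
        fallback) and exits with status 1 on usage errors: no arguments, no
        command, or a port outside 1-65535.
    """
    global CODEC
    print(version.BANNER)

    parser = argparse.ArgumentParser()

    parser.add_argument('target', action='store', help='[[domain/]username[:password]@]<targetName or address>')
    parser.add_argument('port', action='store', type=int, help='TSCH RPC endpoint port number (usually 49154)')
    parser.add_argument('command', action='store', nargs='*', default=' ', help='command to execute at the target ')

    parser.add_argument('-session-id', action='store', type=int, help='an existed logon session to use (no output, no cmd.exe)')
    parser.add_argument('-ts', action='store_true', help='adds timestamp to every logging output')
    parser.add_argument('-debug', action='store_true', help='Turn DEBUG output ON')
    parser.add_argument('-codec', action='store', help='Sets encoding used (codec) from the target\'s output (default "%s"). If errors are detected, run chcp.com at the target, map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec ' % CODEC)
    group = parser.add_argument_group('authentication')
    group.add_argument('-hashes', action="store", metavar="LMHASH:NTHASH", help='NTLM hashes, format is LMHASH:NTHASH')
    group.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
    group.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line')
    group.add_argument('-aesKey', action="store", metavar="hex key", help='AES key to use for Kerberos Authentication (128 or 256 bits)')
    group.add_argument('-dc-ip', action='store', metavar="ip address", help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter')
    group.add_argument('-keytab', action="store", help='Read keys for SPN from keytab file')

    if len(sys.argv) == 1:
        parser.print_help()
        sys.exit(1)

    options = parser.parse_args()

    # Init the example's logger theme
    logger.init(options.ts)

    # An explicit -codec wins; otherwise only fill in utf-8 if the module left CODEC unset.
    if options.codec is not None:
        CODEC = options.codec
    elif CODEC is None:
        CODEC = 'utf-8'

    logging.warning("This will work ONLY on Windows >= Vista")

    # With nargs='*' and default=' ', an omitted command leaves the literal ' '
    # (a str, not a list), so the joined value is exactly one space.
    if ''.join(options.command) == ' ':
        logging.error('You need to specify a command to execute!')
        sys.exit(1)

    if options.debug is True:
        logging.getLogger().setLevel(logging.DEBUG)
        # Print the Library's installation path
        logging.debug(version.getInstallationPath())
    else:
        logging.getLogger().setLevel(logging.INFO)

    import re

    # [[domain/]username[:password]@]address. The pattern always matches and
    # groups('') turns every unmatched optional part into ''. Raw string so the
    # '\/' escape is not flagged by newer interpreters (the regex is unchanged).
    domain, username, password, address = re.compile(r'(?:(?:([^\/@:]*)\/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(options.target).groups('')

    # In case the password contains '@': everything before the last '@' still
    # belongs to the password; only the tail is the real address.
    if '@' in address:
        password = password + '@' + address.rpartition('@')[0]
        address = address.rpartition('@')[2]

    # Usage error: exit non-zero like the other argument checks above (this
    # used to `return`, i.e. report success to the shell).
    if options.port <= 0 or options.port >= 65536:
        logging.error("Invalid port number: %i", options.port)
        sys.exit(1)

    # No `domain is None` check is needed: groups('') already yields '' for a missing domain.

    if options.keytab is not None:
        Keytab.loadKeysFromKeytab(options.keytab, username, domain, options)
        options.k = True

    # Prompt only when nothing else can authenticate: no password in the target,
    # no hashes, no AES key, and -no-pass not given.
    if password == '' and username != '' and options.hashes is None and options.no_pass is False and options.aesKey is None:
        from getpass import getpass

        password = getpass("Password:")

    # An AES key implies Kerberos.
    if options.aesKey is not None:
        options.k = True

    atsvc_exec = TSCH_EXEC(username, password, domain, options.hashes, options.aesKey, options.k, options.dc_ip,
                           ' '.join(options.command), options.session_id)
    atsvc_exec.play(address, options.port)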