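def get_lsa_key(bootkey):
    """Derive the LSA key from *bootkey* and record which policy layout is in use.

    Sets the module flag ``xp`` (read by get_secrets/get_secret_by_name): 1 when
    SECURITY\\Policy\\PolSecretEncryptionKey exists, 0 when PolEKList exists.
    Returns None when neither key is present or the obfuscated key value is
    empty.  The xp path is MD5(bootkey || 1000 x blob[60:76]) as an RC4 key over
    blob[12:60]; the newer path delegates to decrypt_lsa.
    """
    global xp
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolSecretEncryptionKey")
    if r.is_present():
        xp = 1
    else:
        r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolEKList")
        # Was `r.is_present` without the call: a bound method is always truthy,
        # so the `return None` branch below could never be reached.
        if r.is_present():
            xp = 0
        else:
            return None
    obf_lsa_key = r.get_value("")
    if not obf_lsa_key:
        return None
    if xp:
        md5 = MD5.new()
        md5.update(bootkey)
        for _ in range(1000):
            md5.update(obf_lsa_key[60:76])
        rc4 = ARC4.new(md5.digest())
        lsa_key = rc4.decrypt(obf_lsa_key[12:60])
        return lsa_key[0x10:0x20]
    lsa_key = decrypt_lsa(obf_lsa_key, bootkey)
    return lsa_key[68:100]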
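def get_secrets():
    """Collect every LSA secret under SECURITY\\Policy\\Secrets.

    Returns a dict mapping each secret's leaf key name to its decrypted
    CurrVal, or None when the LSA key cannot be derived or the Secrets key is
    not accessible.  The module flag ``xp`` (set by get_lsa_key) chooses the
    decryption routine; entries with an empty CurrVal are skipped.
    """
    global xp
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        # Without an LSA key nothing below can be decrypted, and `xp` may not
        # have been set at all.
        return None
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # Was `not r.is_present` (no call): a bound method is always truthy, so the
    # error path below was unreachable.
    if not r.is_present():
        print("[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
        return None
    secrets = {}
    for service_key in r.get_subkeys():
        service_name = service_key.get_name().split("\\")[-1]
        skey = regkey(service_key.get_name() + "\\CurrVal")
        enc_secret = skey.get_value("")
        if not enc_secret:
            continue
        if xp:
            # Leading DWORD gives the size of the encrypted blob at the tail.
            encrypted_secret_size = unpack('<I', enc_secret[:4])[0]
            offset = len(enc_secret) - encrypted_secret_size
            secret = decrypt_secret(enc_secret[offset:], lsakey)
        else:
            secret = decrypt_lsa2(enc_secret, lsakey)
        secrets[service_name] = secret
    return secrets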
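def dumptab_installed_software(self):
    """Print one tab-separated "installed_software" line per Uninstall entry.

    Walks HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall and, when
    the current process is WoW64, the 64-bit view of the same key.  Entries
    without a DisplayName are skipped; output goes through wpc.utils.tab_line.
    """
    # Raw string: the original non-raw literal relied on "\S", "\U" etc. being
    # passed through unchanged, which Python 3 no longer guarantees.
    uninstall_path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'

    def dump_uninstall_key(uninstall):
        # Shared by both views; the original duplicated this loop verbatim.
        if not uninstall.is_present():
            return
        for subkey in uninstall.get_subkeys():
            name = subkey.get_value("DisplayName")
            publisher = subkey.get_value("Publisher")
            version = subkey.get_value("DisplayVersion")
            date = subkey.get_value("InstallDate")
            if name:
                print(wpc.utils.tab_line("info", "installed_software", name, publisher, version, date))

    dump_uninstall_key(regkey(uninstall_path))
    if process(os.getpid()).is_wow64():
        print('[+] Checking installed software (WoW64 enabled)')
        dump_uninstall_key(regkey(uninstall_path, view=64))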
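def get_secrets():
    """Collect every LSA secret under SECURITY\\Policy\\Secrets.

    Returns a dict mapping each secret's leaf key name to its decrypted
    CurrVal, or None when the LSA key cannot be derived or the Secrets key is
    not accessible.  The module flag ``xp`` (set by get_lsa_key) chooses the
    decryption routine; entries with an empty CurrVal are skipped.
    """
    global xp
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        # Without an LSA key nothing below can be decrypted, and `xp` may not
        # have been set at all.
        return None
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
    # Was `not r.is_present` (no call): a bound method is always truthy, so the
    # error path below was unreachable.
    if not r.is_present():
        print("[E] Secrets key not accessible: HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets")
        return None
    secrets = {}
    for service_key in r.get_subkeys():
        service_name = service_key.get_name().split("\\")[-1]
        skey = regkey(service_key.get_name() + "\\CurrVal")
        enc_secret = skey.get_value("")
        if not enc_secret:
            continue
        if xp:
            # Leading DWORD gives the size of the encrypted blob at the tail.
            encrypted_secret_size = unpack("<I", enc_secret[:4])[0]
            offset = len(enc_secret) - encrypted_secret_size
            secret = decrypt_secret(enc_secret[offset:], lsakey)
        else:
            secret = decrypt_lsa2(enc_secret, lsakey)
        secrets[service_name] = secret
    return secrets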
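def get_installed_packages(self):
    """Populate and return self.packages from the Uninstall registry key.

    Reads the native view of HKLM\\...\\CurrentVersion\\Uninstall and, when
    wpc.conf.on64bitwindows is set, the 64-bit view too, concatenating the
    lists returned by self._get_packages_from_key.  self.packages is rebuilt
    on every call rather than cached.
    """
    # Raw string: the original non-raw literal relied on "\S", "\U" etc. being
    # passed through unchanged, which Python 3 no longer guarantees.
    uninstall_path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'
    print('[+] Checking installed software')
    self.packages = self._get_packages_from_key(regkey(uninstall_path))
    if wpc.conf.on64bitwindows:
        print('[+] Checking installed software (WoW64 enabled)')
        wow64_key = regkey(uninstall_path, view=64)
        self.packages = self.packages + self._get_packages_from_key(wow64_key)
    return self.packages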
def get_user_name(user_key):
    """Return the account name stored in the SAM "V" value of *user_key*.

    *user_key* is the RID subkey name under SAM\\Domains\\Account\\Users.  The
    name's offset and length are the two DWORDs at V[0x0c:0x14]; the offset is
    shifted by 0xCC (presumably the fixed header size) and the name is
    UTF-16-LE.
    """
    users_path = "HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\"
    v_blob = regkey(users_path + user_key).get_value("V")
    rel_offset, name_len = unpack("<LL", v_blob[0x0c:0x14])
    start = rel_offset + 0xCC
    return v_blob[start:start + name_len].decode('utf-16-le')
def get_user_name(user_key):
    """Return the account name stored in the SAM "V" value of *user_key*.

    *user_key* is the RID subkey name under SAM\\Domains\\Account\\Users.  The
    DWORD at V[0x0c] is the name offset (shifted by 0xCC, presumably the fixed
    header size) and the DWORD at V[0x10] its length; the name is UTF-16-LE.
    """
    account = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\" + user_key)
    V = account.get_value("V")

    def dword_at(off):
        return unpack("<L", V[off:off + 4])[0]

    start = dword_at(0x0c) + 0xCC
    end = start + dword_at(0x10)
    return V[start:end].decode('utf-16-le')
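def dump_reg_keys(self):
    """Print the data of every registry value listed in wpc.conf.reg_keys.

    Each entry maps a check name to a full "HIVE\\path\\value" string; the part
    after the last backslash is the value name, the rest the key path.  Keys
    that are not present are skipped.
    """
    for check, key in wpc.conf.reg_keys.items():
        key_s, _, value = key.rpartition('\\')
        rk = regkey(key_s)
        # Was `rk.is_present` without the call: a bound method is always
        # truthy, so absent keys were queried anyway.
        if rk.is_present():
            v = rk.get_value(value)  # This value appears as "(Default)" in regedit
            print("Check: \"%s\", Key: %s, Value: %s, Data: %s" % (check, key_s, value, v))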
def get_secret_by_name(name, lsakey):
    """Return the decrypted CurrVal of LSA secret *name*, or None if absent.

    The module flag ``xp`` (set by get_lsa_key) picks the routine: decrypt_secret
    on the blob past its 0xC-byte prefix for the older layout, decrypt_lsa2 on
    the whole blob otherwise.
    """
    global xp
    curr_val = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" % name)
    if not curr_val.is_present():
        return None
    blob = curr_val.get_value("")
    return decrypt_secret(blob[0xC:], lsakey) if xp else decrypt_lsa2(blob, lsakey)
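def dumptab_installed_software(self):
    """Print one tab-separated "installed_software" line per Uninstall entry.

    Walks HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall and, when
    the current process is WoW64, the 64-bit view of the same key.  Entries
    without a DisplayName are skipped; output goes through wpc.utils.tab_line.
    """
    # Raw string: the original non-raw literal relied on "\S", "\U" etc. being
    # passed through unchanged, which Python 3 no longer guarantees.
    uninstall_path = r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall'

    def dump_uninstall_key(uninstall):
        # Shared by both views; the original duplicated this loop verbatim.
        if not uninstall.is_present():
            return
        for subkey in uninstall.get_subkeys():
            name = subkey.get_value("DisplayName")
            publisher = subkey.get_value("Publisher")
            version = subkey.get_value("DisplayVersion")
            date = subkey.get_value("InstallDate")
            if name:
                print(wpc.utils.tab_line("info", "installed_software", name, publisher, version, date))

    dump_uninstall_key(regkey(uninstall_path))
    if process(os.getpid()).is_wow64():
        print('[+] Checking installed software (WoW64 enabled)')
        dump_uninstall_key(regkey(uninstall_path, view=64))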
def get_bootkey():
    """Build the permuted boot key from the Lsa subkey class strings.

    The class data of JD, Skew1, GBG and Data under the current control set is
    hex; it is decoded and concatenated in that order, then reordered through
    the module-level permutation table ``p``.
    """
    cs = find_control_set()
    lsa_path = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet%03d\\Control\\Lsa" % cs
    # Never read afterwards; kept because regkey() may have side effects that
    # are not visible here.
    r = regkey(lsa_path)
    parts = []
    for subkey_name in ("JD", "Skew1", "GBG", "Data"):
        class_data = get_hklm_class("SYSTEM\\ControlSet%03d\\Control\\Lsa\\%s" % (cs, subkey_name))
        parts.append(class_data.decode('hex'))
    unscrambled = "".join(parts)
    return "".join(unscrambled[p[i]] for i in range(len(unscrambled)))
def get_bootkey():
    """Build the permuted boot key from the Lsa subkey class strings.

    Hex class data of JD, Skew1, GBG and Data (current control set) is decoded
    and concatenated, then each output byte is picked through the module-level
    permutation table ``p``.
    """
    cs = find_control_set()
    # Never read afterwards; kept because regkey() may have side effects that
    # are not visible here.
    r = regkey(r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d\Control\Lsa" % cs)
    lsa_subkeys = ["JD", "Skew1", "GBG", "Data"]

    def class_bytes(subkey_name):
        hex_class = get_hklm_class("SYSTEM\\ControlSet%03d\\Control\\Lsa\\%s" % (cs, subkey_name))
        return hex_class.decode('hex')

    raw_key = "".join(map(class_bytes, lsa_subkeys))
    scrambled = [raw_key[p[i]] for i in range(len(raw_key))]
    return "".join(scrambled)
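def get_secret_by_name(name, lsakey):
    """Return the decrypted CurrVal of LSA secret *name*, or None if absent.

    The module flag ``xp`` (set by get_lsa_key) selects the older path, which
    skips a 0xC-byte prefix before calling decrypt_secret, or decrypt_lsa2.

    NOTE(review): the removed dead code computed a slice from the size DWORD in
    the first four bytes (the way get_secrets does) and then ignored it, so
    this function and get_secrets disagree on the blob layout for the xp path
    -- confirm which one is right before relying on it.
    """
    global xp
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" % name)
    if not r.is_present():
        return None
    enc_secret = r.get_value("")
    if xp:
        return decrypt_secret(enc_secret[0xC:], lsakey)
    return decrypt_lsa2(enc_secret, lsakey)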
def get_hbootkey(bootkey):
    """Derive the hashed boot key from the SAM Account "F" value.

    Returns None when F cannot be read.  The RC4 key is
    MD5(F[0x70:0x80] || aqwerty || bootkey || anum), with the module-level
    constants aqwerty and anum; the result is RC4 applied to F[0x80:0xA0].
    """
    account = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account")
    f_value = account.get_value("F")
    if not f_value:
        return None
    digest = MD5.new()
    digest.update(f_value[0x70:0x80] + aqwerty + bootkey + anum)
    cipher = ARC4.new(digest.digest())
    return cipher.encrypt(f_value[0x80:0xA0])
def get_user_hashes(user_key, hbootkey):
    """Return decrypt_hashes() for the SAM account whose RID subkey is *user_key*.

    *user_key* is the hexadecimal RID subkey name under
    SAM\\Domains\\Account\\Users; *hbootkey* is the value from get_hbootkey.
    The encrypted LM and NT hashes are sliced out of the account's "V" value
    and an absent hash is passed on as "".
    """
    rid = int(user_key, 16)
    V = None
    r = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\" + user_key)
    V = r.get_value("V")
    # Hash block offset; the stored offset is shifted by 0xCC (presumably the
    # fixed header size), as in get_user_name.
    hash_offset = unpack("<L", V[0x9c:0x9c + 4])[0] + 0xCC
    # A stored length of exactly 20 is taken to mean "hash present": LM length
    # at +4, NT length at +16.
    lm_exists = True if unpack("<L", V[0x9c + 4:0x9c + 8])[0] == 20 else False
    nt_exists = True if unpack("<L", V[0x9c + 16:0x9c + 20])[0] == 20 else False
    # 16 hash bytes follow a 4-byte prefix.
    enc_lm_hash = V[hash_offset + 4:hash_offset + 20] if lm_exists else ""
    # The NT hash starts at +24 when an LM hash precedes it, otherwise at +8.
    enc_nt_hash = V[hash_offset + (24 if lm_exists else 8):hash_offset + (24 if lm_exists else 8) + 16] if nt_exists else ""
    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)
def get_hbootkey(bootkey):
    """Derive the hashed boot key from the SAM Account "F" value.

    Returns None when F cannot be read.  Key material is
    F[0x70:0x80] || aqwerty || bootkey || anum (aqwerty and anum are
    module-level constants); its MD5 digest keys an RC4 pass over
    F[0x80:0xA0].
    """
    F = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account").get_value("F")
    if not F:
        return None
    key_material = F[0x70:0x80] + aqwerty + bootkey + anum
    rc4_key = MD5.new(key_material).digest()
    return ARC4.new(rc4_key).encrypt(F[0x80:0xA0])
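def get_secret_by_name(name, lsakey):
    """Return the decrypted CurrVal of LSA secret *name*, or None if absent.

    The module flag ``xp`` (set by get_lsa_key) selects the older path, which
    skips a 0xC-byte prefix before calling decrypt_secret, or decrypt_lsa2.

    NOTE(review): the removed dead code computed a slice from the size DWORD in
    the first four bytes (the way get_secrets does) and then ignored it, so
    this function and get_secrets disagree on the blob layout for the xp path
    -- confirm which one is right before relying on it.
    """
    global xp
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\Secrets\\%s\\CurrVal" % name)
    if not r.is_present():
        return None
    enc_secret = r.get_value("")
    if xp:
        return decrypt_secret(enc_secret[0xC:], lsakey)
    return decrypt_lsa2(enc_secret, lsakey)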
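def lookup_files_for_clsid(clsid):
    """Return [regkey, subkey_name, File] triples for the server entries of *clsid*.

    Checks the InprocServer, InprocServer32, LocalServer and LocalServer32
    subkeys under HKLM\\SOFTWARE\\Classes\\CLSID\\<clsid>.  Each present subkey's
    (Default) value is environment-expanded and wrapped in File; absent subkeys
    and empty defaults are skipped.
    """
    results = []
    # Potentially interesting subkeys of clsids are listed here:
    # http://msdn.microsoft.com/en-us/library/windows/desktop/ms691424(v=vs.85).aspx
    for v in ("InprocServer", "InprocServer32", "LocalServer", "LocalServer32"):
        r = regkey("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + clsid + "\\" + v)
        # Was `r.is_present` without the call: a bound method is always
        # truthy, so absent subkeys were queried anyway.
        if not r.is_present():
            continue
        d = r.get_value("")  # "(Default)" value
        if d:
            results.append([r, v, File(env_expand(d))])
    return results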
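def dump_hashes():
    """Return the cached domain logon entries stored under SECURITY\\Cache.

    Each entry is a (username, domain, domain_name, hash) tuple as produced by
    parse_decrypted_cache.  Returns [] as soon as a prerequisite is missing:
    boot key, LSA key, NL$KM key, or the Cache key itself.  The NL$Control
    value and slots with a zero username length are skipped.  Sets the module
    flag ``xp`` from isXp(), which picks decrypt_hash or decrypt_hash_vista.
    """
    global xp
    bootkey = get_bootkey()
    if not bootkey:
        return []
    lsakey = get_lsa_key(bootkey)
    if not lsakey:
        return []
    nlkm = get_nlkm(lsakey)
    if not nlkm:
        return []
    r = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not r.is_present():
        return []
    # The OS generation does not change per entry; the original re-probed the
    # registry via isXp() on every loop iteration.
    xp = isXp()
    hashes = []
    for v in r.get_values():
        if v == "NL$Control":
            continue
        data = r.get_value(v)
        (uname_len, domain_len, domain_name_len, enc_data, ch) = parse_cache_entry(data)
        if uname_len == 0:
            continue  # empty cache slot
        if xp:
            dec_data = decrypt_hash(enc_data, nlkm, ch)
        else:
            dec_data = decrypt_hash_vista(enc_data, nlkm, ch)
        (username, domain, domain_name, hash_value) = parse_decrypted_cache(
            dec_data, uname_len, domain_len, domain_name_len)
        hashes.append((username, domain, domain_name, hash_value))
    return hashes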
def get_user_hashes(user_key, hbootkey):
    """Return decrypt_hashes() for the SAM account whose RID subkey is *user_key*.

    *user_key* is the hexadecimal RID subkey name under
    SAM\\Domains\\Account\\Users; *hbootkey* is the value from get_hbootkey.
    The encrypted LM and NT hashes are sliced out of the account's "V" value
    and an absent hash is passed on as "".
    """
    rid = int(user_key, 16)
    V = None
    r = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users\\" + user_key)
    V = r.get_value("V")
    # Hash block offset; the stored offset is shifted by 0xCC (presumably the
    # fixed header size), as in get_user_name.
    hash_offset = unpack("<L", V[0x9c:0x9c + 4])[0] + 0xCC
    # A stored length of exactly 20 is taken to mean "hash present": LM length
    # at +4, NT length at +16.
    lm_exists = True if unpack("<L", V[0x9c + 4:0x9c + 8])[0] == 20 else False
    nt_exists = True if unpack("<L", V[0x9c + 16:0x9c + 20])[0] == 20 else False
    # 16 hash bytes follow a 4-byte prefix.
    enc_lm_hash = V[hash_offset + 4:hash_offset + 20] if lm_exists else ""
    # The NT hash starts at +24 when an LM hash precedes it, otherwise at +8.
    enc_nt_hash = V[hash_offset + (24 if lm_exists else 8):hash_offset + (24 if lm_exists else 8) + 16] if nt_exists else ""
    return decrypt_hashes(rid, enc_lm_hash, enc_nt_hash, hbootkey)
def dump_hashes():
    """Return the cached domain logon entries stored under SECURITY\\Cache.

    Yields [] unless the boot key, LSA key, NL$KM key and the Cache key are all
    available.  Every value except NL$Control is parsed with parse_cache_entry;
    slots with a zero username length are skipped, the rest are decrypted with
    decrypt_hash and split by parse_decrypted_cache into
    (username, domain, domain_name, hash) tuples.
    """
    bootkey = get_bootkey()
    lsakey = get_lsa_key(bootkey) if bootkey else None
    nlkm = get_nlkm(lsakey) if lsakey else None
    if not nlkm:
        return []
    cache = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Cache")
    if not cache.is_present():
        return []
    entries = []
    for value_name in cache.get_values():
        if value_name == "NL$Control":
            continue
        uname_len, domain_len, domain_name_len, enc_data, ch = parse_cache_entry(cache.get_value(value_name))
        if uname_len == 0:
            continue  # nothing stored in this slot
        decrypted = decrypt_hash(enc_data, nlkm, ch)
        username, domain, domain_name, cached_hash = parse_decrypted_cache(
            decrypted, uname_len, domain_len, domain_name_len)
        entries.append((username, domain, domain_name, cached_hash))
    return entries
def get_reg_key(self):
    """Return the service's registry key wrapper, creating it on first use.

    The wrapper is cached on self.reg_key; the path is
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service name>.
    """
    if self.reg_key:
        return self.reg_key
    services_path = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
    self.reg_key = regkey(services_path + self.get_name())
    return self.reg_key
def find_control_set():
    """Return the "Current" value of HKLM\\SYSTEM\\Select, the active ControlSet number."""
    return regkey("HKEY_LOCAL_MACHINE\\SYSTEM\\Select").get_value("Current")
def dump_registry(self):
    """Print the as_text() rendering of every key below HKLM."""
    root = regkey('HKLM')
    for subkey in root.get_all_subkeys():
        print(subkey.as_text())
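def _read_principal_names(path):
    """Return the stripped lines of the text file at *path* (blank lines included)."""
    with open(path) as fh:
        return [line.strip() for line in fh]


def _resolve_principal(name):
    """Resolve an account *name* to a Group or user object, or None.

    Looks the name up with win32security.LookupAccountName against
    wpc.conf.remote_server.  Prints an error and returns None when no SID comes
    back; returns None silently when the lookup or wrapping raises, keeping
    the original best-effort behaviour.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print("[E] can't look up sid for " + name)
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception:
        return None


def define_trusted_principals(options):
    """Configure wpc.conf's privilege-escalation audience from *options*.

    Two modes are selected here:

    * "exploitable_by": when principals were named via
      options.exploitable_by_list / options.exploitable_by_file, or the current
      token was requested (options.exploitable_by_me), wpc.conf.exploitable_by
      receives the resolved Group/user objects and the function returns early.
    * "report_untrusted": otherwise wpc.conf.trusted_principals is built from
      wpc.conf.trusted_principals_fq, which is first extended either by the
      user's ignore list (options.ignore_principal_list /
      options.ignore_principal_file; options.ignorenoone drops the defaults)
      or, when no list was given, by heuristics: TERMINAL SERVER USER is
      trusted only when TSUserEnabled is non-zero
      (http://support.microsoft.com/kb/238965) and Power Users (S-1-5-32-547)
      is appended when it resolves.

    Exits the process when a list file cannot be read or the current token
    cannot be examined.
    """
    exploitable_by_fq = []
    ignore_principals = []
    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_principal_names(options.exploitable_by_file)
        except (IOError, OSError):
            # The original formatted this message with options.exploitablebyfile,
            # an attribute name that differs from the one tested above.
            print("[E] Error reading from file %s" % options.exploitable_by_file)
            sys.exit()
    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # The original opened options.ignoreprincipalfile here; the attribute
            # tested on the line above is the one that is known to exist.
            # Assumes both names meant the same option -- TODO confirm against
            # the option parser.
            ignore_principals = ignore_principals + _read_principal_names(options.ignore_principal_file)
        except (IOError, OSError):
            print("[E] Error reading from file %s" % options.ignore_principal_file)
            sys.exit()

    # Examine the current process token and populate exploitable_by from it.
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # g[1] is the group's attribute list; deny-only groups are skipped.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print("[E] Problem examining access token of current process")
            sys.exit()

    # Resolve each supplied exploitable_by name; that mode wins when anything
    # was supplied.
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for name in exploitable_by_fq:
            p = _resolve_principal(name)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"
    if ignore_principals:
        # The user supplied a list of trusted users; with --ignorenoone it
        # replaces the defaults instead of extending them.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # No list supplied: tweak the defaults.  (Indentation of this branch was
        # reconstructed from a whitespace-mangled source.)
        # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
        # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0
        # or doesn't exist.  See http://support.microsoft.com/kb/238965.
        ts_key = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
        if ts_key.is_present():
            v = ts_key.get_value("TSUserEnabled")
            if v is None:
                print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
            elif v != 0:
                print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
                wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
            else:
                print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
        print("")

        # Server Operators (S-1-5-32-549).  The original, when this lookup
        # raised, appended the loop variable `p` -- unbound at this point, so
        # that path crashed.  The success path did nothing, which is kept;
        # the author's TODO ("only want to ignore this if it doesn't resolve")
        # still stands.
        try:
            Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
        except Exception:
            print("[i] Server Operators group (S-1-5-32-549) did not resolve")

        # TODO (original): this always trusts Power Users; the author only
        # wanted to trust it when the group does not exist.  Behaviour kept.
        try:
            wpc.conf.trusted_principals.append(Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
        except Exception:
            pass

    # Populate wpc.conf.trusted_principals with the objects for trusted_principals_fq.
    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)
    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")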
def get_user_keys():
    """Yield the leaf name of every SAM user subkey except "Names".

    The leaf names under SAM\\Domains\\Account\\Users are the hexadecimal RIDs
    consumed by get_user_name and get_user_hashes.
    """
    users = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users")
    for subkey in users.get_subkeys():
        leaf = subkey.get_name().split("\\")[-1]
        if leaf != "Names":
            yield leaf
def isXp():
    """Report whether the LSA policy store uses the pre-Vista layout.

    Presence of SECURITY\\Policy\\PolSecretEncryptionKey is the marker, the
    same test get_lsa_key applies.
    """
    marker = regkey("HKEY_LOCAL_MACHINE\\SECURITY\\Policy\\PolSecretEncryptionKey")
    return bool(marker.is_present())
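def _resolve_principal(name):
    """Resolve an account *name* to a Group or user object, or None.

    Looks the name up with win32security.LookupAccountName against
    wpc.conf.remote_server.  Prints an error and returns None when no SID comes
    back; returns None silently when the lookup or wrapping raises, keeping
    the original best-effort behaviour.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print("[E] can't look up sid for " + name)
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception:
        return None


def define_trusted_principals():
    """Populate wpc.conf.trusted_principals from wpc.conf.trusted_principals_fq.

    "NT AUTHORITY\\TERMINAL SERVER USER" is added to the name list only when
    the TSUserEnabled value exists and is non-zero
    (http://support.microsoft.com/kb/238965).  Every name is then resolved to a
    Group/user and appended; names that fail to resolve are skipped.  Power
    Users (S-1-5-32-547) is appended when it resolves.  Prints the result.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
    # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0
    # or doesn't exist.
    ts_key = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if ts_key.is_present():
        v = ts_key.get_value("TSUserEnabled")
        if v is None:
            print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
        elif v != 0:
            print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
    else:
        print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
    print("")

    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    # Server Operators (S-1-5-32-549).  The original, when this lookup raised,
    # appended the previous loop variable `p` (or crashed when the list above
    # was empty).  The success path did nothing, which is kept; the author's
    # TODO ("only want to ignore this if it doesn't resolve") still stands.
    try:
        Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
    except Exception:
        print("[i] Server Operators group (S-1-5-32-549) did not resolve")

    # TODO (original): this always trusts Power Users; the author only wanted
    # to trust it when the group does not exist.  Behaviour kept.
    try:
        wpc.conf.trusted_principals.append(Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")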
def get_reg_key(self):
    """Return the service's registry key wrapper, creating it on first use.

    Cached on self.reg_key; the path is
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<service name>.
    """
    cached = self.reg_key
    if not cached:
        cached = self.reg_key = regkey(
            "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\" + self.get_name())
    return cached
def get_user_keys():
    """Yield the leaf name of every SAM user subkey except "Names".

    The leaf names under SAM\\Domains\\Account\\Users are the hexadecimal RIDs
    consumed by get_user_name and get_user_hashes.
    """
    users = regkey("HKEY_LOCAL_MACHINE\\SAM\\SAM\\Domains\\Account\\Users")
    leaves = (s.get_name().rsplit("\\", 1)[-1] for s in users.get_subkeys())
    for leaf in leaves:
        if leaf == "Names":
            continue
        yield leaf
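def _resolve_principal(name):
    """Resolve an account *name* to a Group or user object, or None.

    Looks the name up with win32security.LookupAccountName against
    wpc.conf.remote_server.  Prints an error and returns None when no SID comes
    back; returns None silently when the lookup or wrapping raises, keeping
    the original best-effort behaviour.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print("[E] can't look up sid for " + name)
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception:
        return None


def define_trusted_principals():
    """Populate wpc.conf.trusted_principals from wpc.conf.trusted_principals_fq.

    "NT AUTHORITY\\TERMINAL SERVER USER" is added to the name list only when
    the TSUserEnabled value exists and is non-zero
    (http://support.microsoft.com/kb/238965).  Every name is then resolved to a
    Group/user and appended; names that fail to resolve are skipped.  Power
    Users (S-1-5-32-547) is appended when it resolves.  Prints the result.
    """
    # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
    # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0
    # or doesn't exist.
    ts_key = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
    if ts_key.is_present():
        v = ts_key.get_value("TSUserEnabled")
        if v is None:
            print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
        elif v != 0:
            print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
            wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
    else:
        print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
    print("")

    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)

    # Server Operators (S-1-5-32-549).  The original, when this lookup raised,
    # appended the previous loop variable `p` (or crashed when the list above
    # was empty).  The success path did nothing, which is kept; the author's
    # TODO ("only want to ignore this if it doesn't resolve") still stands.
    try:
        Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
    except Exception:
        print("[i] Server Operators group (S-1-5-32-549) did not resolve")

    # TODO (original): this always trusts Power Users; the author only wanted
    # to trust it when the group does not exist.  Behaviour kept.
    try:
        wpc.conf.trusted_principals.append(Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
    except Exception:
        pass

    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")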
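def _read_principal_names(path):
    """Return the stripped lines of the text file at *path* (blank lines included)."""
    with open(path) as fh:
        return [line.strip() for line in fh]


def _resolve_principal(name):
    """Resolve an account *name* to a Group or user object, or None.

    Looks the name up with win32security.LookupAccountName against
    wpc.conf.remote_server.  Prints an error and returns None when no SID comes
    back; returns None silently when the lookup or wrapping raises, keeping
    the original best-effort behaviour.
    """
    try:
        sid, _, _ = win32security.LookupAccountName(wpc.conf.remote_server, name)
        if not sid:
            print("[E] can't look up sid for " + name)
            return None
        p = principal(sid)
        if p.is_group_type():
            return Group(p.get_sid())
        return user(p.get_sid())
    except Exception:
        return None


def define_trusted_principals(options):
    """Configure wpc.conf's privilege-escalation audience from *options*.

    Two modes are selected here:

    * "exploitable_by": when principals were named via
      options.exploitable_by_list / options.exploitable_by_file, or the current
      token was requested (options.exploitable_by_me), wpc.conf.exploitable_by
      receives the resolved Group/user objects and the function returns early.
    * "report_untrusted": otherwise wpc.conf.trusted_principals is built from
      wpc.conf.trusted_principals_fq, which is first extended either by the
      user's ignore list (options.ignore_principal_list /
      options.ignore_principal_file; options.ignorenoone drops the defaults)
      or, when no list was given, by heuristics: TERMINAL SERVER USER is
      trusted only when TSUserEnabled is non-zero
      (http://support.microsoft.com/kb/238965) and Power Users (S-1-5-32-547)
      is appended when it resolves.

    Exits the process when a list file cannot be read or the current token
    cannot be examined.
    """
    exploitable_by_fq = []
    ignore_principals = []
    if options.exploitable_by_list:
        exploitable_by_fq = options.exploitable_by_list
    if options.exploitable_by_file:
        try:
            exploitable_by_fq = exploitable_by_fq + _read_principal_names(options.exploitable_by_file)
        except (IOError, OSError):
            # The original formatted this message with options.exploitablebyfile,
            # an attribute name that differs from the one tested above.
            print("[E] Error reading from file %s" % options.exploitable_by_file)
            sys.exit()
    if options.ignore_principal_list:
        ignore_principals = options.ignore_principal_list
    if options.ignore_principal_file:
        try:
            # The original opened options.ignoreprincipalfile here; the attribute
            # tested on the line above is the one that is known to exist.
            # Assumes both names meant the same option -- TODO confirm against
            # the option parser.
            ignore_principals = ignore_principals + _read_principal_names(options.ignore_principal_file)
        except (IOError, OSError):
            print("[E] Error reading from file %s" % options.ignore_principal_file)
            sys.exit()

    # Examine the current process token and populate exploitable_by from it.
    if options.exploitable_by_me:
        try:
            token = process(os.getpid()).get_token()
            wpc.conf.exploitable_by.append(token.get_token_owner())
            for g in token.get_token_groups():
                # g[1] is the group's attribute list; deny-only groups are skipped.
                if "USE_FOR_DENY_ONLY" not in "|".join(g[1]):
                    wpc.conf.exploitable_by.append(g[0])
        except Exception:
            print("[E] Problem examining access token of current process")
            sys.exit()

    # Resolve each supplied exploitable_by name; that mode wins when anything
    # was supplied.
    if exploitable_by_fq or wpc.conf.exploitable_by:
        wpc.conf.privesc_mode = "exploitable_by"
        for name in exploitable_by_fq:
            p = _resolve_principal(name)
            if p is not None:
                wpc.conf.exploitable_by.append(p)
        print("Only reporting privesc issues for these users/groups:")
        for p in wpc.conf.exploitable_by:
            print("* " + p.get_fq_name())
        return

    wpc.conf.privesc_mode = "report_untrusted"
    if ignore_principals:
        # The user supplied a list of trusted users; with --ignorenoone it
        # replaces the defaults instead of extending them.
        if options.ignorenoone:
            wpc.conf.trusted_principals_fq = []
        wpc.conf.trusted_principals_fq = wpc.conf.trusted_principals_fq + ignore_principals
    else:
        # No list supplied: tweak the defaults.  (Indentation of this branch was
        # reconstructed from a whitespace-mangled source.)
        # Ignore "NT AUTHORITY\TERMINAL SERVER USER" if
        # HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled = 0
        # or doesn't exist.  See http://support.microsoft.com/kb/238965.
        ts_key = regkey(r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server")
        if ts_key.is_present():
            v = ts_key.get_value("TSUserEnabled")
            if v is None:
                print("[i] TSUserEnabled registry value is absent. Excluding TERMINAL SERVER USER")
            elif v != 0:
                print("[i] TSUserEnabled registry value is %s. Including TERMINAL SERVER USER" % v)
                wpc.conf.trusted_principals_fq.append(r"NT AUTHORITY\TERMINAL SERVER USER")
            else:
                print("[i] TSUserEnabled registry value is 0. Excluding TERMINAL SERVER USER")
        else:
            print("[i] TSUserEnabled registry key is absent. Excluding TERMINAL SERVER USER")
        print("")

        # Server Operators (S-1-5-32-549).  The original, when this lookup
        # raised, appended the loop variable `p` -- unbound at this point, so
        # that path crashed.  The success path did nothing, which is kept;
        # the author's TODO ("only want to ignore this if it doesn't resolve")
        # still stands.
        try:
            Group(win32security.ConvertStringSidToSid("S-1-5-32-549"))
        except Exception:
            print("[i] Server Operators group (S-1-5-32-549) did not resolve")

        # TODO (original): this always trusts Power Users; the author only
        # wanted to trust it when the group does not exist.  Behaviour kept.
        try:
            wpc.conf.trusted_principals.append(Group(win32security.ConvertStringSidToSid("S-1-5-32-547")))
        except Exception:
            pass

    # Populate wpc.conf.trusted_principals with the objects for trusted_principals_fq.
    for name in wpc.conf.trusted_principals_fq:
        p = _resolve_principal(name)
        if p is not None:
            wpc.conf.trusted_principals.append(p)
    print("Considering these users to be trusted:")
    for p in wpc.conf.trusted_principals:
        print("* " + p.get_fq_name())
    print("")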