diff --git a/changelog b/changelog index 2fc51d2..55c1ede 100644 --- a/changelog +++ b/changelog @@ -1,3 +1,11 @@ +8/24/2015 +--------- +-Added credentials/mimikatz/dcsync for remote DC credential extraction +-Added situational_awareness/network/get_domaintrusts +-Added /sids argument for credentials/mimikatz/golden_ticket +-Added credential parsing for dcsync output +-updated links for PowerTools + 8/20/2015 --------- -Continued porting native shell commands to WMI replacents in agent core diff --git a/lib/common/helpers.py b/lib/common/helpers.py index 6d297b0..8635d08 100644 --- a/lib/common/helpers.py +++ b/lib/common/helpers.py 
@@ -271,32 +271,56 @@ def parse_mimikatz(data): if not (credType == "plaintext" and username.endswith("$")): creds.append((credType, domain, username, password, hostName, sid)) - # check if we have lsadump output to check for krbtgt - # happens on domain controller hashdumps - for x in xrange(8,13): - if lines[x].startswith("Domain :"): + if len(creds) == 0: + # check if we have lsadump output to check for krbtgt + # happens on domain controller hashdumps + for x in xrange(8,13): + if lines[x].startswith("Domain :"): - domain, sid, krbtgtHash = "", "", "" + domain, sid, krbtgtHash = "", "", "" - try: - domainParts = lines[x].split(":")[1] - domain = domainParts.split("/")[0].strip() - sid = domainParts.split("/")[1].strip() + try: + domainParts = lines[x].split(":")[1] + domain = domainParts.split("/")[0].strip() + sid = domainParts.split("/")[1].strip() - # substitute the FQDN in if it matches - if hostDomain.startswith(domain.lower()): - domain = hostDomain - sid = domainSid + # substitute the FQDN in if it matches + if hostDomain.startswith(domain.lower()): + domain = hostDomain + sid = domainSid - for x in xrange(0, len(lines)): - if lines[x].startswith("User : krbtgt"): - krbtgtHash = lines[x+2].split(":")[1].strip() - break + for x in xrange(0, len(lines)): + if lines[x].startswith("User : krbtgt"): + krbtgtHash = lines[x+2].split(":")[1].strip() + break - if krbtgtHash != "": - creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid)) - except Exception as e: - pass + if krbtgtHash != "": + creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid)) + except Exception as e: + pass + + if len(creds) == 0: + # check if we get lsadump::dcsync output + if '** SAM ACCOUNT **' in lines: + domain, user, userHash, dcName, sid = "", "", "", "", "" + for line in lines: + try: + if line.strip().endswith("will be the domain"): + domain = line.split("'")[1] + elif line.strip().endswith("will be the DC server"): + dcName = 
line.split("'")[1].split(".")[0] + elif line.strip().startswith("SAM Username"): + user = line.split(":")[1].strip() + elif line.strip().startswith("Object Security ID"): + parts = line.split(":")[1].strip().split("-") + sid = "-".join(parts[0:-1]) + elif line.strip().startswith("Hash NTLM:"): + userHash = line.split(":")[1].strip() + except: + pass + + if domain != "" and userHash != "": + creds.append(("hash", domain, user, userHash, dcName, sid)) return uniquify_tuples(creds) diff --git a/lib/modules/collection/filefinder.py b/lib/modules/collection/filefinder.py index a5fa9c2..0f7a543 100644 --- a/lib/modules/collection/filefinder.py +++ b/lib/modules/collection/filefinder.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/collection/filesearch.py b/lib/modules/collection/filesearch.py index 91d6829..9f7cc21 100644 --- a/lib/modules/collection/filesearch.py +++ b/lib/modules/collection/filesearch.py @@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/credentials/mimikatz/dcsync.py b/lib/modules/credentials/mimikatz/dcsync.py index 2d40fc4..74ff76f 100644 --- a/lib/modules/credentials/mimikatz/dcsync.py +++ b/lib/modules/credentials/mimikatz/dcsync.py @@ -19,7 +19,7 @@ class Module: 'OutputExtension' : None, - 'NeedsAdmin' : True, + 'NeedsAdmin' : False, 'OpsecSafe' : True, diff --git a/lib/modules/credentials/mimikatz/golden_ticket.py b/lib/modules/credentials/mimikatz/golden_ticket.py index 36464fc..4cd4413 100644 --- a/lib/modules/credentials/mimikatz/golden_ticket.py +++ b/lib/modules/credentials/mimikatz/golden_ticket.py 
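Review bot: The dcsync detection `if '** SAM ACCOUNT **' in lines:` requires an exact line match, while every field check that follows uses `line.strip()`, so a trailing space or carriage return on that banner skips the whole block even though the fields would have parsed; `if any(l.strip() == '** SAM ACCOUNT **' for l in lines):` matches the rest of the parser. The bare `except: pass` inside the loop hides every parse failure; `except (IndexError, ValueError): pass` covers the `split(...)[1]` lookups without masking everything else. Because the five fields are plain variables overwritten on each matching line, output containing more than one `SAM Username` block yields only the last account, so a comment such as `# assumes a single account per dcsync run` would record the limitation. parse_mimikatz begins before this hunk, and `hostDomain`/`domainSid` used in the re-indented krbtgt block are defined there.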
@@ -58,6 +58,11 @@ class Module: 'Required' : False, 'Value' : '' }, + 'sids' : { + 'Description' : 'External SIDs to add as sidhistory to the ticket.', + 'Required' : False, + 'Value' : '' + }, 'id' : { 'Description' : 'id to impersonate, defaults to 500.', 'Required' : False, diff --git a/lib/modules/privesc/powerup/allchecks.py b/lib/modules/privesc/powerup/allchecks.py index 4069284..2c21823 100644 --- a/lib/modules/privesc/powerup/allchecks.py +++ b/lib/modules/privesc/powerup/allchecks.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/privesc/powerup/find_dllhijack.py b/lib/modules/privesc/powerup/find_dllhijack.py index 4221356..e384d17 100644 --- a/lib/modules/privesc/powerup/find_dllhijack.py +++ b/lib/modules/privesc/powerup/find_dllhijack.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/privesc/powerup/service_exe_stager.py b/lib/modules/privesc/powerup/service_exe_stager.py index 6bf16f2..a2e3cee 100644 --- a/lib/modules/privesc/powerup/service_exe_stager.py +++ b/lib/modules/privesc/powerup/service_exe_stager.py @@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/privesc/powerup/service_exe_useradd.py b/lib/modules/privesc/powerup/service_exe_useradd.py index 68c348c..75b8ec3 100644 --- a/lib/modules/privesc/powerup/service_exe_useradd.py +++ b/lib/modules/privesc/powerup/service_exe_useradd.py 
@@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/privesc/powerup/service_stager.py b/lib/modules/privesc/powerup/service_stager.py index 3bb82d3..7777c5f 100644 --- a/lib/modules/privesc/powerup/service_stager.py +++ b/lib/modules/privesc/powerup/service_stager.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/privesc/powerup/service_useradd.py b/lib/modules/privesc/powerup/service_useradd.py index 6cd6c68..70deb73 100644 --- a/lib/modules/privesc/powerup/service_useradd.py +++ b/lib/modules/privesc/powerup/service_useradd.py @@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/privesc/powerup/write_dllhijacker.py b/lib/modules/privesc/powerup/write_dllhijacker.py index 2b2f0f9..172d425 100644 --- a/lib/modules/privesc/powerup/write_dllhijacker.py +++ b/lib/modules/privesc/powerup/write_dllhijacker.py @@ -25,7 +25,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp' ] } diff --git a/lib/modules/situational_awareness/network/find_localadmin_access.py b/lib/modules/situational_awareness/network/find_localadmin_access.py index 07f47d4..b92f578 100644 --- a/lib/modules/situational_awareness/network/find_localadmin_access.py +++ b/lib/modules/situational_awareness/network/find_localadmin_access.py 
@@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/get_computer.py b/lib/modules/situational_awareness/network/get_computer.py index 1c179c1..466efa1 100644 --- a/lib/modules/situational_awareness/network/get_computer.py +++ b/lib/modules/situational_awareness/network/get_computer.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/get_domaincontroller.py b/lib/modules/situational_awareness/network/get_domaincontroller.py index 7efb37a..66745ac 100644 --- a/lib/modules/situational_awareness/network/get_domaincontroller.py +++ b/lib/modules/situational_awareness/network/get_domaincontroller.py @@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/get_domaintrusts.py b/lib/modules/situational_awareness/network/get_domaintrusts.py new file mode 100644 index 0000000..2c9ba36 --- /dev/null +++ b/lib/modules/situational_awareness/network/get_domaintrusts.py 
@@ -0,0 +1,83 @@
+from lib.common import helpers
+
+class Module:
+
+ def __init__(self, mainMenu, params=[]):
+
+ self.info = {
+ 'Name': 'Get-NetDomainTrusts',
+
+ 'Author': ['@harmj0y'],
+
+ 'Description': ('Return all domain trusts for the current domain or '
+ 'a specified domain. Part of PowerView.'),
+
+ 'Background' : True,
+
+ 'OutputExtension' : None,
+
+ 'NeedsAdmin' : False,
+
+ 'OpsecSafe' : True,
+
+ 'MinPSVersion' : '2',
+
+ 'Comments': [
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
+ ]
+ }
+
+ # any options needed by the module, settable during runtime
+ self.options = {
+ # format:
+ # value_name : {description, required, default_value}
+ 'Agent' : {
+ 'Description' : 'Agent to run module on.',
+ 'Required' : True,
+ 'Value' : ''
+ },
+ 'Domain' : {
+ 'Description' : 'Specific domain to query for trusts, defaults to current.',
+ 'Required' : False,
+ 'Value' : ''
+ },
+ 'LDAP' : {
+ 'Description' : 'Switch. Use LDAP for domain queries (less accurate).',
+ 'Required' : False,
+ 'Value' : ''
+ }
+ }
+
+ # save off a copy of the mainMenu object to access external functionality
+ # like listeners/agent handlers/etc.
+ self.mainMenu = mainMenu
+
+ for param in params:
+ # parameter format is [Name, Value]
+ option, value = param
+ if option in self.options:
+ self.options[option]['Value'] = value
+
+
+ def generate(self):
+
+ # read in the common module source code
+ moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-MapDomainTrusts.ps1"
+
+ try:
+ f = open(moduleSource, 'r')
+ except:
+ print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
+ return ""
+
+ moduleCode = f.read()
+ f.close()
+
+ script = moduleCode
+
+ if self.options['LDAP']['Value'].lower() == "true":
+ script += "Get-NetDomainTrustsLDAP | Out-String | %{$_ + \"`n\"};"
+ else:
+ script += "Get-NetDomainTrusts | Out-String | %{$_ + \"`n\"};"
+
+ return script
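Review bot: In generate() the bare `except:` around `open()` also swallows KeyboardInterrupt and SystemExit, and `f.read()` runs outside the handler, so a failure while reading leaks the handle and escapes without the module's error message; narrow the handler to `IOError` and read inside a `with` block as below. `params=[]` in `__init__` is a mutable default argument — harmless here since it is only iterated, but `params=None` followed by `params = params or []` avoids the trap. The appended `Get-NetDomainTrusts`/`Get-NetDomainTrustsLDAP` calls are presumably defined in Invoke-MapDomainTrusts.ps1, which this diff does not show, so a one-line comment naming that dependency above the `script +=` lines would help the next maintainer.
```python
    def generate(self):
        # … unchanged: moduleSource path construction …

        try:
            # 'with' closes the handle even if read() raises; IOError is the
            # only failure that means "source missing/unreadable" and should
            # be reported as such
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
            return ""

        # … unchanged: script assembly and LDAP switch …
```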
diff --git a/lib/modules/situational_awareness/network/get_user.py b/lib/modules/situational_awareness/network/get_user.py index 9db3847..15fe8dd 100644 --- a/lib/modules/situational_awareness/network/get_user.py +++ b/lib/modules/situational_awareness/network/get_user.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/mapdomaintrusts.py b/lib/modules/situational_awareness/network/mapdomaintrusts.py index 4a750d8..ff97a28 100644 --- a/lib/modules/situational_awareness/network/mapdomaintrusts.py +++ b/lib/modules/situational_awareness/network/mapdomaintrusts.py @@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/netview.py b/lib/modules/situational_awareness/network/netview.py index d053a12..14ddcfe 100644 --- a/lib/modules/situational_awareness/network/netview.py +++ b/lib/modules/situational_awareness/network/netview.py @@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView', + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView', 'https://github.com/mubix/netview' ] } diff --git a/lib/modules/situational_awareness/network/sharefinder.py b/lib/modules/situational_awareness/network/sharefinder.py index f4dc226..cafe83e 100644 --- a/lib/modules/situational_awareness/network/sharefinder.py +++ b/lib/modules/situational_awareness/network/sharefinder.py 
@@ -22,7 +22,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/stealth_userhunter.py b/lib/modules/situational_awareness/network/stealth_userhunter.py index 63c2447..40e9498 100644 --- a/lib/modules/situational_awareness/network/stealth_userhunter.py +++ b/lib/modules/situational_awareness/network/stealth_userhunter.py @@ -24,7 +24,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] } diff --git a/lib/modules/situational_awareness/network/userhunter.py b/lib/modules/situational_awareness/network/userhunter.py index e1d8c5f..760e30b 100644 --- a/lib/modules/situational_awareness/network/userhunter.py +++ b/lib/modules/situational_awareness/network/userhunter.py @@ -23,7 +23,7 @@ class Module: 'MinPSVersion' : '2', 'Comments': [ - 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView' + 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView' ] }