swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
NetExec/cme/protocols/mssql.py

419 lines
20 KiB
Python
Raw Normal View History

Adding shebang and encoding utf-8 for all python files
2022-07-18 23:59:14 +00:00
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
import socket
import logging
from cme.logger import CMEAdapter
start python3 migration
2019-11-10 21:42:04 +00:00
from io import StringIO
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
from cme.protocols.mssql.mssqlexec import MSSQLEXEC
from cme.connection import *
from cme.helpers.logger import highlight
Add bloodhound core feature
2021-11-20 21:37:14 +00:00
from cme.helpers.bloodhound import add_user_bh
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
from cme.helpers.powershell import create_ps_command
from impacket import tds
start python3 migration
2019-11-10 21:42:04 +00:00
import configparser
mssql - Retrieve username when using Kerberos Auth This change allows the program to return the name of the user being authenticated when using Kerberos with the protocol mssql.
2022-11-16 20:39:44 +00:00
from impacket.krb5.ccache import CCache
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
from impacket.smbconnection import SMBConnection, SessionError
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
from impacket.tds import SQLErrorException, TDS_LOGINACK_TOKEN, TDS_ERROR_TOKEN, TDS_ENVCHANGE_TOKEN, TDS_INFO_TOKEN, \
TDS_ENVCHANGE_VARCHAR, TDS_ENVCHANGE_DATABASE, TDS_ENVCHANGE_LANGUAGE, TDS_ENVCHANGE_CHARSET, TDS_ENVCHANGE_PACKETSIZE
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
class mssql(connection):
def __init__(self, args, db, host):
self.mssql_instances = None
self.domain = None
Fix uninitialized variable #363
2020-05-01 18:33:18 +00:00
self.server_os = None
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
self.hash = None
Improve MSSQL login
2020-09-06 13:21:38 +00:00
self.os_arch = None
update a little bit
2022-10-31 12:33:41 +00:00
self.nthash = ''
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
connection.__init__(self, args, db, host)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
@staticmethod
def proto_args(parser, std_parser, module_parser):
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
mssql_parser = parser.add_parser('mssql', help="own stuff using MSSQL", parents=[std_parser, module_parser])
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
dgroup = mssql_parser.add_mutually_exclusive_group()
Initial 4.0 pre-release
2017-03-27 21:09:36 +00:00
dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, help="domain name")
dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target')
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
mssql_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
mssql_parser.add_argument("--port", default=1433, type=int, metavar='PORT', help='MSSQL port (default: 1433)')
Fixes #187
2017-10-25 03:52:41 +00:00
mssql_parser.add_argument("-q", "--query", dest='mssql_query', metavar='QUERY', type=str, help='execute the specified query against the MSSQL DB')
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2
2020-04-30 14:06:57 +00:00
mssql_parser.add_argument("--no-bruteforce", action='store_true', help='No spray when using file for username and password (user1 => password1, user2 => password2')
mssql_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes")
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Re-wrote the HTTP protocol to use splinter and phantomjs - All http connections are now concurrent - Added a flag to take screenshots of webpages - Minor Code cleanup
2017-04-30 18:54:35 +00:00
cgroup = mssql_parser.add_argument_group("Command Execution", "options for executing commands")
Initial 4.0 pre-release
2017-03-27 21:09:36 +00:00
cgroup.add_argument('--force-ps32', action='store_true', help='force the PowerShell command to run in a 32-bit process')
cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
xgroup = cgroup.add_mutually_exclusive_group()
Initial 4.0 pre-release
2017-03-27 21:09:36 +00:00
xgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
xgroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command')
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Plugged in the Powershell obfuscation functionality - Two new flags can be added to protocols that use powershell that can clear cached obfuscated powershell scripts and obfuscate them if powershell is installed
2017-06-26 09:49:04 +00:00
psgroup = mssql_parser.add_argument_group('Powershell Obfuscation', "Options for PowerShell script obfuscation")
psgroup.add_argument('--obfs', action='store_true', help='Obfuscate PowerShell scripts')
psgroup.add_argument('--clear-obfscripts', action='store_true', help='Clear all cached obfuscated PowerShell scripts')
Add upload/download function to mssql
2022-06-29 11:44:41 +00:00
tgroup = mssql_parser.add_argument_group("Files", "Options for put and get remote files")
tgroup.add_argument("--put-file", nargs=2, metavar="FILE", help='Put a local file into remote target, ex: whoami.txt C:\\Windows\\Temp\\whoami.txt')
tgroup.add_argument("--get-file", nargs=2, metavar="FILE", help='Get a remote file, ex: C:\\Windows\\Temp\\whoami.txt whoami.txt')
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
return parser
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
def proto_flow(self):
self.proto_logger()
if self.create_conn_obj():
self.enum_host_info()
self.print_host_info()
self.login()
if hasattr(self.args, 'module') and self.args.module:
self.call_modules()
else:
self.call_cmd_args()
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
def proto_logger(self):
self.logger = CMEAdapter(extra={
'protocol': 'MSSQL',
'host': self.host,
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
'port': self.args.port,
'hostname': 'None'
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
})
def enum_host_info(self):
Add try catch for issue #363
2020-05-01 18:20:55 +00:00
# this try pass breaks module http server, more info https://github.com/byt3bl33d3r/CrackMapExec/issues/363
try:
# Probably a better way of doing this, grab our IP from the socket
self.local_ip = str(self.conn.socket).split()[2].split('=')[1].split(':')[0]
except:
pass
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
Improve MSSQL login
2020-09-06 13:21:38 +00:00
if self.args.domain:
self.domain = self.args.domain
else:
try:
smb_conn = SMBConnection(self.host, self.host, None)
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
try:
Improve MSSQL login
2020-09-06 13:21:38 +00:00
smb_conn.login('', '')
except SessionError as e:
Fix mssql enum host info error
2020-10-01 14:46:13 +00:00
if "STATUS_ACCESS_DENIED" in e.getErrorString():
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
pass
Improve MSSQL login
2020-09-06 13:21:38 +00:00
self.domain = smb_conn.getServerDNSDomainName()
self.hostname = smb_conn.getServerName()
self.server_os = smb_conn.getServerOS()
self.logger.extra['hostname'] = self.hostname
try:
smb_conn.logoff()
except:
pass
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Improve MSSQL login
2020-09-06 13:21:38 +00:00
if self.args.domain:
self.domain = self.args.domain
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Improve MSSQL login
2020-09-06 13:21:38 +00:00
if self.args.local_auth:
self.domain = self.hostname
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
Improve MSSQL login
2020-09-06 13:21:38 +00:00
except Exception as e:
self.logger.error("Error retrieving host domain: {} specify one manually with the '-d' flag".format(e))
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Improve MSSQL login
2020-09-06 13:21:38 +00:00
self.mssql_instances = self.conn.getInstances(0)
refactor: standardize nomenclature to uses 'hosts' instead of 'computers'
2023-03-12 02:25:23 +00:00
self.db.add_host(self.host, self.hostname, self.domain, self.server_os, len(self.mssql_instances))
Refactored Database Menu code - Fixed some MSSQL DB interaction bugs - Made MSSQL DB schema more consistent - cmedb output now gets formatted using terminaltables (so perty) - Made everything a bit more PEP8 compliant
2017-11-02 09:43:08 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
try:
self.conn.disconnect()
except:
pass
def print_host_info(self):
Improve MSSQL login
2020-09-06 13:21:38 +00:00
self.logger.info(u"{} (name:{}) (domain:{})".format(self.server_os,
self.hostname,
self.domain))
# if len(self.mssql_instances) > 0:
# self.logger.info("MSSQL DB Instances: {}".format(len(self.mssql_instances)))
# for i, instance in enumerate(self.mssql_instances):
# self.logger.debug("Instance {}".format(i))
# for key in instance.keys():
# self.logger.debug(key + ":" + instance[key])
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
def create_conn_obj(self):
try:
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
self.conn = tds.MSSQL(self.host, self.args.port, rowsPrinter=self.logger)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
self.conn.connect()
except socket.error:
return False
return True
Fix mssql check_if_admin function The check_if_admin function from mssql.py takes an additional auth parameter, that is actually not used. Other parts of the code are calling the function without the parameter, which leads to an error when enumerating mssql endpoints. By simply removing the parameter and fixing the locations that use it, the issue gets resolved.
2022-03-03 20:25:03 +00:00
def check_if_admin(self):
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
try:
Update mssql check_if_admin
2020-10-01 08:12:16 +00:00
self.conn.sql_query("SELECT IS_SRVROLEMEMBER('sysadmin')")
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
self.conn.printRows()
query_output = self.conn._MSSQL__rowsPrinter.getMessage()
Update mssql check_if_admin
2020-10-01 08:12:16 +00:00
query_output = query_output.strip("\n-")
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
Update mssql check_if_admin
2020-10-01 08:12:16 +00:00
if int(query_output):
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
self.admin_privs = True
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
else:
return False
except Exception as e:
Fix check_if_admin() function for mssql
2020-09-06 13:30:03 +00:00
self.logger.error('Error calling check_if_admin(): {}'.format(e))
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
return False
return True
starting to add mssql kerberos login
2022-10-24 08:10:44 +00:00
def kerberos_login(self, domain, username, password = '', ntlm_hash = '', aesKey = '', kdcHost = '', useCache = False):
try:
add mssql kerberos login
2022-10-24 08:24:21 +00:00
self.conn.disconnect()
except:
pass
self.create_conn_obj()
logging.getLogger("impacket").disabled = True
enhance kerberos auth to mssql
2022-10-24 11:30:07 +00:00
update a little bit
2022-10-31 12:33:41 +00:00
nthash = ''
hashes = None
if ntlm_hash != '':
if ntlm_hash.find(':') != -1:
hashes = ntlm_hash
nthash = ntlm_hash.split(':')[1]
else:
# only nt hash
hashes = ':%s' % ntlm_hash
nthash = ntlm_hash
if not all('' == s for s in [self.nthash, password, aesKey]):
kerb_pass = next(s for s in [self.nthash, password, aesKey] if s)
else:
kerb_pass = ''
try:
enhance kerberos auth to mssql
2022-10-24 11:30:07 +00:00
res = self.conn.kerberosLogin(None, username, password, domain, hashes, aesKey, kdcHost=kdcHost, useCache=useCache)
starting to add mssql kerberos login
2022-10-24 08:10:44 +00:00
if res is not True:
self.conn.printReplies()
return False
self.password = password
mssql - Retrieve username when using Kerberos Auth This change allows the program to return the name of the user being authenticated when using Kerberos with the protocol mssql.
2022-11-16 20:39:44 +00:00
if username == '' and useCache:
ccache = CCache.loadFile(os.getenv('KRB5CCNAME'))
principal = ccache.principal.toPrincipal()
self.username = principal.components[0]
username = principal.components[0]
else:
self.username = username
starting to add mssql kerberos login
2022-10-24 08:10:44 +00:00
self.domain = domain
self.check_if_admin()
adapt outputed creds
2022-10-24 12:12:32 +00:00
out = u'{}{}{} {}'.format('{}\\'.format(domain) if not self.args.local_auth else '',
starting to add mssql kerberos login
2022-10-24 08:10:44 +00:00
username,
adapt outputed creds
2022-10-24 12:12:32 +00:00
# Show what was used between cleartext, nthash, aesKey and ccache
" from ccache" if useCache
update a little bit
2022-10-31 12:33:41 +00:00
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
starting to add mssql kerberos login
2022-10-24 08:10:44 +00:00
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
self.logger.success(out)
if not self.args.local_auth:
add_user_bh(self.username, self.domain, self.logger, self.config)
if not self.args.continue_on_success:
return True
except Exception as e:
adapt outputed creds
2022-10-24 12:12:32 +00:00
self.logger.error(u'{}\\{}{} {}'.format('{}\\'.format(domain) if not self.args.local_auth else '',
username,
# Show what was used between cleartext, nthash, aesKey and ccache
" from ccache" if useCache
update a little bit
2022-10-31 12:33:41 +00:00
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
adapt outputed creds
2022-10-24 12:12:32 +00:00
e))
starting to add mssql kerberos login
2022-10-24 08:10:44 +00:00
return False
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
def plaintext_login(self, domain, username, password):
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
try:
self.conn.disconnect()
except:
pass
self.create_conn_obj()
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
try:
Fix regression for mssql with local_auth thx @juliourena
2022-10-24 19:20:14 +00:00
res = self.conn.login(None, username, password, domain, None, not self.args.local_auth)
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
if res is not True:
Add local-auth flag for MSSQL proto
2020-09-06 19:38:29 +00:00
self.conn.printReplies()
return False
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
self.password = password
self.username = username
Add local-auth flag for MSSQL proto
2020-09-06 19:38:29 +00:00
self.domain = domain
Fix mssql check_if_admin function The check_if_admin function from mssql.py takes an additional auth parameter, that is actually not used. Other parts of the code are calling the function without the parameter, which leads to an error when enumerating mssql endpoints. By simply removing the parameter and fixing the locations that use it, the issue gets resolved.
2022-03-03 20:25:03 +00:00
self.check_if_admin()
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
self.db.add_credential('plaintext', domain, username, password)
if self.admin_privs:
self.db.add_admin_user('plaintext', domain, username, password, self.host)
Add local-auth flag for MSSQL proto
2020-09-06 19:38:29 +00:00
out = u'{}{}:{} {}'.format('{}\\'.format(domain) if not self.args.local_auth else '',
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
username,
Add audit mode #523
2022-02-06 22:56:41 +00:00
password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
self.logger.success(out)
Fix issue when local account is used with bh #533
2022-02-06 12:33:49 +00:00
if not self.args.local_auth:
add_user_bh(self.username, self.domain, self.logger, self.config)
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
if not self.args.continue_on_success:
return True
fix: catch BrokenPipeErrors when connecting via SMB
2023-03-10 06:12:59 +00:00
except BrokenPipeError as e:
self.logger.error(f"Broken Pipe Error while attempting to login")
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
except Exception as e:
self.logger.error(u'{}\\{}:{} {}'.format(domain,
username,
Add check for audit mode #523
2022-02-07 21:19:46 +00:00
password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 21:11:54 +00:00
e))
return False
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2
2020-04-30 14:06:57 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
def hash_login(self, domain, username, ntlm_hash):
lmhash = ''
nthash = ''
Fixes #187
2017-10-25 03:52:41 +00:00
# This checks to see if we didn't provide the LM Hash
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
else:
nthash = ntlm_hash
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
try:
self.conn.disconnect()
except:
pass
self.create_conn_obj()
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
try:
Fix regression for mssql with local_auth thx @juliourena
2022-10-24 19:20:14 +00:00
res = self.conn.login(None, username, '', domain, ':' + nthash if not lmhash else ntlm_hash, not self.args.local_auth)
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
if res is not True:
self.conn.printReplies()
return False
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
self.hash = ntlm_hash
self.username = username
self.domain = domain
self.check_if_admin()
self.db.add_credential('hash', domain, username, ntlm_hash)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
if self.admin_privs:
self.db.add_admin_user('hash', domain, username, ntlm_hash, self.host)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
out = u'{}\\{} {} {}'.format(domain,
username,
Add audit mode #523
2022-02-06 22:56:41 +00:00
ntlm_hash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
self.logger.success(out)
Fix issue when local account is used with bh #533
2022-02-06 12:33:49 +00:00
if not self.args.local_auth:
add_user_bh(self.username, self.domain, self.logger, self.config)
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
if not self.args.continue_on_success:
return True
fix: catch BrokenPipeErrors when connecting via SMB
2023-03-10 06:12:59 +00:00
except BrokenPipeError as e:
self.logger.error(f"Broken Pipe Error while attempting to login")
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
except Exception as e:
self.logger.error(u'{}\\{}:{} {}'.format(domain,
username,
Add check for audit mode #523
2022-02-07 21:19:46 +00:00
ntlm_hash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
Add better logic to MSSQL connection #364
2020-05-01 21:18:16 +00:00
e))
return False
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
def mssql_query(self):
self.conn.sql_query(self.args.mssql_query)
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
self.conn.printRows()
Fixes #187
2017-10-25 03:52:41 +00:00
for line in StringIO(self.conn._MSSQL__rowsPrinter.getMessage()).readlines():
Update MSSQL protocol for windows authentication #306 If you want to use windows auth for MSSQL without SMB, add the flag -d DOMAIN
2020-04-29 09:56:11 +00:00
if line.strip() != '':
self.logger.highlight(line.strip())
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
return self.conn._MSSQL__rowsPrinter.getMessage()
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
@requires_admin
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
def execute(self, payload=None, get_output=False, methods=None):
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
if not payload and self.args.execute:
payload = self.args.execute
if not self.args.no_output: get_output = True
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
logging.debug('Command to execute:\n{}'.format(payload))
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
exec_method = MSSQLEXEC(self.conn)
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
raw_output = exec_method.execute(payload, get_output)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
logging.debug('Executed command via mssqlexec')
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
if hasattr(self, 'server'): self.server.track_host(self.host)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
update python3
2019-11-10 23:12:35 +00:00
output = u'{}'.format(raw_output)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
if self.args.execute or self.args.ps_execute:
Fixed MSSQL protocol, refactored HTTP Protocol - Fixed error in MSSQL protocol which would cause it to error out when executing commands - Fixed logic to deal with standard MSSQL auth instead of windows auth - Refactored the HTTP protocol
2017-05-03 00:52:16 +00:00
#self.logger.success('Executed command {}'.format('via {}'.format(self.args.exec_method) if self.args.exec_method else ''))
self.logger.success('Executed command via mssqlexec')
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
buf = StringIO(output).readlines()
for line in buf:
Update MSSQL protocol for windows authentication #306 If you want to use windows auth for MSSQL without SMB, add the flag -d DOMAIN
2020-04-29 09:56:11 +00:00
if line.strip() != '':
self.logger.highlight(line.strip())
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
return output
@requires_admin
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=False, dont_obfs=True):
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
if not payload and self.args.ps_execute:
payload = self.args.ps_execute
if not self.args.no_output: get_output = True
Fixed Powershell execution using MSSQL
2017-10-25 06:45:58 +00:00
# We're disabling PS obfuscation by default as it breaks the MSSQLEXEC execution method (probably an escaping issue)
ps_command = create_ps_command(payload, force_ps32=force_ps32, dont_obfs=dont_obfs)
return self.execute(ps_command, get_output)
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
Add upload/download function to mssql
2022-06-29 11:44:41 +00:00
@requires_admin
def put_file(self):
self.logger.info('Copy {} to {}'.format(self.args.put_file[0], self.args.put_file[1]))
with open(self.args.put_file[0], 'rb') as f:
try:
data = f.read()
self.logger.info('Size is {} bytes'.format(len(data)))
exec_method = MSSQLEXEC(self.conn)
exec_method.put_file(data, self.args.put_file[1])
if exec_method.file_exists(self.args.put_file[1]):
self.logger.success('File has been uploaded on the remote machine')
else:
self.logger.error('File does not exist on the remote system.. erorr during upload')
except Exception as e:
self.logger.error('Error during upload : {}'.format(e))
@requires_admin
def get_file(self):
self.logger.info('Copy {} to {}'.format(self.args.get_file[0], self.args.get_file[1]))
try:
exec_method = MSSQLEXEC(self.conn)
exec_method.get_file(self.args.get_file[0], self.args.get_file[1])
self.logger.success('File {} was transferred to {}'.format(self.args.get_file[0], self.args.get_file[1]))
except Exception as e:
self.logger.error('Error reading file {}: {}'.format(self.args.get_file[0], e))
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
# We hook these functions in the tds library to use CME's logger instead of printing the output to stdout
# The whole tds library in impacket needs a good overhaul to preserve my sanity
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished
2016-12-15 07:28:00 +00:00
def printRepliesCME(self):
for keys in self.replies.keys():
for i, key in enumerate(self.replies[keys]):
if key['TokenType'] == TDS_ERROR_TOKEN:
error = "ERROR(%s): Line %d: %s" % (key['ServerName'].decode('utf-16le'), key['LineNumber'], key['MsgText'].decode('utf-16le'))
self.lastError = SQLErrorException("ERROR: Line %d: %s" % (key['LineNumber'], key['MsgText'].decode('utf-16le')))
self._MSSQL__rowsPrinter.error(error)
elif key['TokenType'] == TDS_INFO_TOKEN:
self._MSSQL__rowsPrinter.info("INFO(%s): Line %d: %s" % (key['ServerName'].decode('utf-16le'), key['LineNumber'], key['MsgText'].decode('utf-16le')))
elif key['TokenType'] == TDS_LOGINACK_TOKEN:
self._MSSQL__rowsPrinter.info("ACK: Result: %s - %s (%d%d %d%d) " % (key['Interface'], key['ProgName'].decode('utf-16le'), key['MajorVer'], key['MinorVer'], key['BuildNumHi'], key['BuildNumLow']))
elif key['TokenType'] == TDS_ENVCHANGE_TOKEN:
if key['Type'] in (TDS_ENVCHANGE_DATABASE, TDS_ENVCHANGE_LANGUAGE, TDS_ENVCHANGE_CHARSET, TDS_ENVCHANGE_PACKETSIZE):
record = TDS_ENVCHANGE_VARCHAR(key['Data'])
if record['OldValue'] == '':
record['OldValue'] = 'None'.encode('utf-16le')
elif record['NewValue'] == '':
record['NewValue'] = 'None'.encode('utf-16le')
if key['Type'] == TDS_ENVCHANGE_DATABASE:
_type = 'DATABASE'
elif key['Type'] == TDS_ENVCHANGE_LANGUAGE:
_type = 'LANGUAGE'
elif key['Type'] == TDS_ENVCHANGE_CHARSET:
_type = 'CHARSET'
elif key['Type'] == TDS_ENVCHANGE_PACKETSIZE:
_type = 'PACKETSIZE'
else:
_type = "%d" % key['Type']
self._MSSQL__rowsPrinter.info("ENVCHANGE(%s): Old Value: %s, New Value: %s" % (_type,record['OldValue'].decode('utf-16le'), record['NewValue'].decode('utf-16le')))
Re-wrote the HTTP protocol to use splinter and phantomjs - All http connections are now concurrent - Added a flag to take screenshots of webpages - Minor Code cleanup
2017-04-30 18:54:35 +00:00
tds.MSSQL.printReplies = printRepliesCME