NetExec/nxc/modules/spooler.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py
from impacket import uuid
from impacket.dcerpc.v5 import transport, epm
from impacket.dcerpc.v5.rpch import (
    RPC_PROXY_INVALID_RPC_PORT_ERR,
    RPC_PROXY_CONN_A1_0X6BA_ERR,
    RPC_PROXY_CONN_A1_404_ERR,
    RPC_PROXY_RPC_OUT_DATA_404_ERR,
)

KNOWN_PROTOCOLS = {
    135: {"bindstr": r"ncacn_ip_tcp:%s[135]"},
    445: {"bindstr": r"ncacn_np:%s[\pipe\epmapper]"},
}


class NXCModule:
    """
    For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy
    Module by @mpgn_x64
    """

    name = "spooler"
    description = "Detect if print spooler is enabled or not"
    supported_protocols = ["smb", "wmi"]
    opsec_safe = True
    multiple_hosts = True

    def __init__(self, context=None, module_options=None):
        self.context = context
        self.module_options = module_options
        self.__string_binding = None
        self.port = None

    def options(self, context, module_options):
        """
        PORT    Port to check (defaults to 135)
        """
        self.port = 135
        if "PORT" in module_options:
            self.port = int(module_options["PORT"])

    def on_login(self, context, connection):
        entries = []
        lmhash = getattr(connection, "lmhash", "")
        nthash = getattr(connection, "nthash", "")

        self.__stringbinding = KNOWN_PROTOCOLS[self.port]["bindstr"] % connection.host
        context.log.debug("StringBinding %s" % self.__stringbinding)
        rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)
        rpctransport.set_credentials(connection.username, connection.password, connection.domain, lmhash, nthash)
        rpctransport.setRemoteHost(connection.host if not connection.kerberos else connection.hostname + "." + connection.domain)
        rpctransport.set_dport(self.port)

        if connection.kerberos:
            rpctransport.set_kerberos(connection.kerberos, connection.kdcHost)

        try:
            entries = self.__fetch_list(rpctransport)
        except Exception as e:
            error_text = "Protocol failed: %s" % e
            context.log.critical(error_text)

            if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or RPC_PROXY_CONN_A1_404_ERR in error_text or RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:
                context.log.critical("This usually means the target does not allow " "to connect to its epmapper using RpcProxy.")
                return

        # Display results.
        endpoints = {}
        # Let's group the UUIDS
        for entry in entries:
            binding = epm.PrintStringBinding(entry["tower"]["Floors"])
            tmp_uuid = str(entry["tower"]["Floors"][0])
            if (tmp_uuid in endpoints) is not True:
                endpoints[tmp_uuid] = {}
                endpoints[tmp_uuid]["Bindings"] = list()
            if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmp_uuid))[:18] in epm.KNOWN_UUIDS:
                endpoints[tmp_uuid]["EXE"] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmp_uuid))[:18]]
            else:
                endpoints[tmp_uuid]["EXE"] = "N/A"
            endpoints[tmp_uuid]["annotation"] = entry["annotation"][:-1].decode("utf-8")
            endpoints[tmp_uuid]["Bindings"].append(binding)

            if tmp_uuid[:36] in epm.KNOWN_PROTOCOLS:
                endpoints[tmp_uuid]["Protocol"] = epm.KNOWN_PROTOCOLS[tmp_uuid[:36]]
            else:
                endpoints[tmp_uuid]["Protocol"] = "N/A"

        for endpoint in list(endpoints.keys()):
            if "MS-RPRN" in endpoints[endpoint]["Protocol"]:
                context.log.debug("Protocol: %s " % endpoints[endpoint]["Protocol"])
                context.log.debug("Provider: %s " % endpoints[endpoint]["EXE"])
                context.log.debug("UUID    : %s %s" % (endpoint, endpoints[endpoint]["annotation"]))
                context.log.debug("Bindings: ")
                for binding in endpoints[endpoint]["Bindings"]:
                    context.log.debug("          %s" % binding)
                context.log.debug("")
                context.log.highlight("Spooler service enabled")
                try:
                    host = context.db.get_hosts(connection.host)[0]
                    context.db.add_host(
                        host.ip,
                        host.hostname,
                        host.domain,
                        host.os,
                        host.smbv1,
                        host.signing,
                        spooler=True,
                    )
                except Exception as e:
                    context.log.debug(f"Error updating spooler status in database")
                break

        if entries:
            num = len(entries)
            if 1 == num:
                context.log.debug(f"[Spooler] Received one endpoint")
            else:
                context.log.debug(f"[Spooler] Received {num} endpoints")
        else:
            context.log.debug(f"[Spooler] No endpoints found")

    def __fetch_list(self, rpctransport):
        dce = rpctransport.get_dce_rpc()
        dce.connect()
        resp = epm.hept_lookup(None, dce=dce)
        dce.disconnect()
        return resp
Adding shebang and encoding utf-8 for all python files 2022-07-18 23:59:14 +00:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`

Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`# https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py`
fix(logging): update logging to use cme_logger and fix some formatting 2023-03-30 20:36:58 +00:00			`from impacket import uuid`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`from impacket.dcerpc.v5 import transport, epm`
black formating 2023-05-02 15:17:59 +00:00			`from impacket.dcerpc.v5.rpch import (`
			`RPC_PROXY_INVALID_RPC_PORT_ERR,`
			`RPC_PROXY_CONN_A1_0X6BA_ERR,`
			`RPC_PROXY_CONN_A1_404_ERR,`
			`RPC_PROXY_RPC_OUT_DATA_404_ERR,`
			`)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
			`KNOWN_PROTOCOLS = {`
black formating 2023-05-02 15:17:59 +00:00			`135: {"bindstr": r"ncacn_ip_tcp:%s[135]"},`
			`445: {"bindstr": r"ncacn_np:%s[\pipe\epmapper]"},`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`}`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
feat(spooler): update spooler module to update database if spooler service is enabled 2023-03-09 23:31:32 +00:00
Rename Module Classname to match python convention 2023-09-17 20:20:40 +00:00			`class NXCModule:`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`"""`
fix(logging): update logging to use cme_logger and fix some formatting 2023-03-30 20:36:58 +00:00			`For printnightmare: detect if print spooler is enabled or not. Then use @cube0x0's project https://github.com/cube0x0/CVE-2021-1675 or Mimikatz from Benjamin Delpy`
			`Module by @mpgn_x64`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`"""`
black formating 2023-05-02 15:17:59 +00:00
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`name = "spooler"`
			`description = "Detect if print spooler is enabled or not"`
[wmi] Bring up more modules for wmi Signed-off-by: XiaoliChan <2209553467@qq.com> 2023-08-30 04:20:21 +00:00			`supported_protocols = ["smb", "wmi"]`
feat(spooler): update spooler module to update database if spooler service is enabled 2023-03-09 23:31:32 +00:00			`opsec_safe = True`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`multiple_hosts = True`

fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`def __init__(self, context=None, module_options=None):`
			`self.context = context`
			`self.module_options = module_options`
			`self.__string_binding = None`
			`self.port = None`

Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`def options(self, context, module_options):`
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`"""`
			`PORT Port to check (defaults to 135)`
			`"""`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`self.port = 135`
black formating 2023-05-02 15:17:59 +00:00			`if "PORT" in module_options:`
			`self.port = int(module_options["PORT"])`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
			`def on_login(self, context, connection):`
			`entries = []`
			`lmhash = getattr(connection, "lmhash", "")`
			`nthash = getattr(connection, "nthash", "")`

black formating 2023-05-02 15:17:59 +00:00			`self.__stringbinding = KNOWN_PROTOCOLS[self.port]["bindstr"] % connection.host`
			`context.log.debug("StringBinding %s" % self.__stringbinding)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)`
black v2 formating 2023-05-08 18:39:36 +00:00			`rpctransport.set_credentials(connection.username, connection.password, connection.domain, lmhash, nthash)`
			`rpctransport.setRemoteHost(connection.host if not connection.kerberos else connection.hostname + "." + connection.domain)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`rpctransport.set_dport(self.port)`

Fix issue with DCE and kerberos 2023-04-07 14:49:39 +00:00			`if connection.kerberos:`
			`rpctransport.set_kerberos(connection.kerberos, connection.kdcHost)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
			`try:`
fix rpctransport name that I broke 2023-04-07 16:37:18 +00:00			`entries = self.__fetch_list(rpctransport)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`except Exception as e:`
black formating 2023-05-02 15:17:59 +00:00			`error_text = "Protocol failed: %s" % e`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.critical(error_text)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
black v2 formating 2023-05-08 18:39:36 +00:00			`if RPC_PROXY_INVALID_RPC_PORT_ERR in error_text or RPC_PROXY_RPC_OUT_DATA_404_ERR in error_text or RPC_PROXY_CONN_A1_404_ERR in error_text or RPC_PROXY_CONN_A1_0X6BA_ERR in error_text:`
			`context.log.critical("This usually means the target does not allow " "to connect to its epmapper using RpcProxy.")`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`return`

			`# Display results.`
			`endpoints = {}`
feat(spooler): update spooler module to update database if spooler service is enabled 2023-03-09 23:31:32 +00:00			`# Let's group the UUIDS`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`for entry in entries:`
black formating 2023-05-02 15:17:59 +00:00			`binding = epm.PrintStringBinding(entry["tower"]["Floors"])`
			`tmp_uuid = str(entry["tower"]["Floors"][0])`
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`if (tmp_uuid in endpoints) is not True:`
			`endpoints[tmp_uuid] = {}`
black formating 2023-05-02 15:17:59 +00:00			`endpoints[tmp_uuid]["Bindings"] = list()`
black v2 formating 2023-05-08 18:39:36 +00:00			`if uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmp_uuid))[:18] in epm.KNOWN_UUIDS:`
			`endpoints[tmp_uuid]["EXE"] = epm.KNOWN_UUIDS[uuid.uuidtup_to_bin(uuid.string_to_uuidtup(tmp_uuid))[:18]]`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`else:`
black formating 2023-05-02 15:17:59 +00:00			`endpoints[tmp_uuid]["EXE"] = "N/A"`
			`endpoints[tmp_uuid]["annotation"] = entry["annotation"][:-1].decode("utf-8")`
			`endpoints[tmp_uuid]["Bindings"].append(binding)`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`if tmp_uuid[:36] in epm.KNOWN_PROTOCOLS:`
black formating 2023-05-02 15:17:59 +00:00			`endpoints[tmp_uuid]["Protocol"] = epm.KNOWN_PROTOCOLS[tmp_uuid[:36]]`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`else:`
black formating 2023-05-02 15:17:59 +00:00			`endpoints[tmp_uuid]["Protocol"] = "N/A"`

Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`for endpoint in list(endpoints.keys()):`
black formating 2023-05-02 15:17:59 +00:00			`if "MS-RPRN" in endpoints[endpoint]["Protocol"]:`
			`context.log.debug("Protocol: %s " % endpoints[endpoint]["Protocol"])`
			`context.log.debug("Provider: %s " % endpoints[endpoint]["EXE"])`
black v2 formating 2023-05-08 18:39:36 +00:00			`context.log.debug("UUID : %s %s" % (endpoint, endpoints[endpoint]["annotation"]))`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.debug("Bindings: ")`
black formating 2023-05-02 15:17:59 +00:00			`for binding in endpoints[endpoint]["Bindings"]:`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.debug(" %s" % binding)`
			`context.log.debug("")`
black formating 2023-05-02 15:17:59 +00:00			`context.log.highlight("Spooler service enabled")`
fix: try/except updating the database on spoolers and zerologon modules 2023-03-09 23:38:42 +00:00			`try:`
refactor: standardize nomenclature to uses 'hosts' instead of 'computers' 2023-03-12 02:25:23 +00:00			`host = context.db.get_hosts(connection.host)[0]`
black formating 2023-05-02 15:17:59 +00:00			`context.db.add_host(`
			`host.ip,`
			`host.hostname,`
			`host.domain,`
			`host.os,`
			`host.smbv1,`
			`host.signing,`
			`spooler=True,`
			`)`
fix: try/except updating the database on spoolers and zerologon modules 2023-03-09 23:38:42 +00:00			`except Exception as e:`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.debug(f"Error updating spooler status in database")`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`break`

			`if entries:`
			`num = len(entries)`
			`if 1 == num:`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.debug(f"[Spooler] Received one endpoint")`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`else:`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.debug(f"[Spooler] Received {num} endpoints")`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`else:`
feat(console): progress on dropping in console logging while keeping everything else the same 2023-03-29 18:19:31 +00:00			`context.log.debug(f"[Spooler] No endpoints found")`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00
fix(modules): refactor how modules are loaded, not initializing all objects before loading 2023-04-04 13:39:54 +00:00			`def __fetch_list(self, rpctransport):`
Add spooler service module Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py 2021-07-05 19:02:15 +00:00			`dce = rpctransport.get_dce_rpc()`
			`dce.connect()`
			`resp = epm.hept_lookup(None, dce=dce)`
			`dce.disconnect()`
			`return resp`