NetExec/nxc/modules/install_elevated.py

75 lines
3.1 KiB
Python
Raw Normal View History

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from impacket.dcerpc.v5 import rrp
2023-04-07 17:12:56 +00:00
from impacket.dcerpc.v5 import scmr
from impacket.examples.secretsdump import RemoteOperations
class NXCModule:
name = "install_elevated"
description = "Checks for AlwaysInstallElevated"
supported_protocols = ["smb"]
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
2023-05-02 15:17:59 +00:00
""" """
def on_admin_login(self, context, connection):
try:
remote_ops = RemoteOperations(connection.conn, False)
remote_ops.enableRegistry()
try:
ans_machine = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
2023-05-02 15:17:59 +00:00
reg_handle = ans_machine["phKey"]
ans_machine = rrp.hBaseRegOpenKey(
remote_ops._RemoteOperations__rrp,
reg_handle,
"SOFTWARE\\Policies\\Microsoft\\Windows\\Installer",
)
key_handle = ans_machine["phkResult"]
data_type, aie_machine_value = rrp.hBaseRegQueryValue(
remote_ops._RemoteOperations__rrp,
key_handle,
"AlwaysInstallElevated",
)
rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
if aie_machine_value == 0:
2023-05-02 15:17:59 +00:00
context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")
return
except rrp.DCERPCSessionError:
2023-05-02 15:17:59 +00:00
context.log.highlight("AlwaysInstallElevated Status: 0 (Disabled)")
return
try:
ans_user = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
2023-05-02 15:17:59 +00:00
reg_handle = ans_user["phKey"]
ans_user = rrp.hBaseRegOpenKey(
remote_ops._RemoteOperations__rrp,
reg_handle,
"SOFTWARE\\Policies\\Microsoft\\Windows\\Installer",
)
key_handle = ans_user["phkResult"]
data_type, aie_user_value = rrp.hBaseRegQueryValue(
remote_ops._RemoteOperations__rrp,
key_handle,
"AlwaysInstallElevated",
)
rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
except rrp.DCERPCSessionError:
2023-05-08 18:39:36 +00:00
context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")
return
if aie_user_value == 0:
2023-05-08 18:39:36 +00:00
context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled: Computer Only)")
else:
2023-05-02 15:17:59 +00:00
context.log.highlight("AlwaysInstallElevated Status: 1 (Enabled)")
finally:
try:
remote_ops.finish()
except scmr.DCERPCSessionError as e:
2023-05-08 18:39:36 +00:00
context.log.debug(f"Received SessionError while attempting to clean up logins: {e}")
except Exception as e:
2023-05-08 18:39:36 +00:00
context.log.debug(f"Received general exception while attempting to clean up logins: {e}")