Fix issue with DCE and kerberos

2023-04-07 10:49:39 -04:00 · 2023-04-07 10:49:39 -04:00 · 34cc0290a4
parent 82bf27f8b1
commit 34cc0290a4
5 changed files with 12 additions and 7 deletions
--- a/cme/modules/dfscoerce.py
+++ b/cme/modules/dfscoerce.py
@ -24,7 +24,7 @@ class CMEModule:

    def on_login(self, context, connection):
        trigger = TriggerAuth()
-        dce = trigger.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, doKerberos=connection.kerberos, dcHost=connection.kdcHost)
+        dce = trigger.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain, doKerberos=connection.kerberos, dcHost=connection.kdcHost)

        if dce is not None: 
            logging.debug("Target is vulnerable to DFSCoerce")
--- a/cme/modules/enum_av.py
+++ b/cme/modules/enum_av.py
@ -32,9 +32,11 @@ class CMEModule:

        success = 0
        results = {}
-        context.log.debug("Detecting installed services on {} using LsarLookupNames()...".format(connection.host))
+        target = connection.host if not connection.kerberos else connection.hostname + "." + connection.domain
+        context.log.debug("Detecting installed services on {} using LsarLookupNames()...".format(target))
+
        try:
-            lsa = LsaLookupNames(connection.domain, connection.username, connection.password, connection.hostname if connection.kerberos else connection.host, connection.kerberos, connection.domain, connection.lmhash, connection.nthash)
+            lsa = LsaLookupNames(connection.domain, connection.username, connection.password, target, connection.kerberos, connection.domain, connection.lmhash, connection.nthash)
            dce, rpctransport = lsa.connect()
            policyHandle = lsa.open_policy(dce)

--- a/cme/modules/petitpotam.py
+++ b/cme/modules/petitpotam.py
@ -42,7 +42,7 @@ class CMEModule:
            domain=connection.domain,
            lmhash=connection.lmhash,
            nthash=connection.nthash,
-            target=connection.host,
+            target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain,
            pipe=self.pipe,
            do_kerberos=connection.kerberos,
            dc_host=connection.kdcHost,
--- a/cme/modules/shadowcoerce.py
+++ b/cme/modules/shadowcoerce.py
@ -36,14 +36,14 @@ class CMEModule:

    def on_login(self, context, connection):
        c = CoerceAuth()
-        dce = c.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe="FssagentRpc", doKerberos=connection.kerberos, dcHost=connection.kdcHost)
+        dce = c.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain , pipe="FssagentRpc", doKerberos=connection.kerberos, dcHost=connection.kdcHost)

        # If pipe not available, try again. "TL;DR: run the command twice if it doesn't work." - @Shutdown
        if dce == 1:
            logging.debug("First try failed. Creating another dce connection...")
            # Sleeping mandatory for second try
            time.sleep(2)
-            dce = c.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe="FssagentRpc")
+            dce = c.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host if not connection.kerberos else connection.hostname + "." + connection.domain, pipe="FssagentRpc")
        
        if self.ipsc: 
            logging.debug("ipsc = %s", self.ipsc)
--- a/cme/modules/spooler.py
+++ b/cme/modules/spooler.py
@ -44,9 +44,12 @@ class CMEModule:
        logging.debug('StringBinding %s' % self.__stringbinding)
        rpctransport = transport.DCERPCTransportFactory(self.__stringbinding)
        rpctransport.set_credentials(connection.username, connection.password, connection.domain, lmhash, nthash)
-        rpctransport.setRemoteHost(connection.host)
+        rpctransport.setRemoteHost(connection.host if not connection.kerberos else connection.hostname + "." + connection.domain)
        rpctransport.set_dport(self.port)

+        if connection.kerberos:
+            rpctransport.set_kerberos(connection.kerberos, connection.kdcHost)
+
        try:
            entries = self.__fetchList(rpctransport)
        except Exception as e: