swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

WIP - cmedb update

main
Marshall Hallenbeck 2023-03-03 17:28:46 -05:00
parent e120efd347
commit 388f520103
3 changed files with 46 additions and 27 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cme/crackmapexec.py
View File

@ -31,7 +31,7 @@ import random
import os
import sys
import logging
from sqlalchemy import create_engine, MetaData, text
from sqlalchemy import create_engine, MetaData
from sqlalchemy.ext.declarative import DeferredReflection
from sqlalchemy.orm import declarative_base, sessionmaker

3
cme/modules/spooler.py
View File

@ -8,6 +8,7 @@ from impacket.dcerpc.v5 import transport, epm
from impacket.dcerpc.v5.rpch import RPC_PROXY_INVALID_RPC_PORT_ERR, \
RPC_PROXY_CONN_A1_0X6BA_ERR, RPC_PROXY_CONN_A1_404_ERR, \
RPC_PROXY_RPC_OUT_DATA_404_ERR
from cme.protocols.smb.database import database
KNOWN_PROTOCOLS = {
135: {'bindstr': r'ncacn_ip_tcp:%s[135]'},
@ -89,6 +90,8 @@ class CMEModule:
logging.debug(" %s" % binding)
logging.debug("")
context.log.highlight('Spooler service enabled')
host_id = context.db.get_computers(connection.host)[0][0]
database.update_computer(context.db, host_id, spooler=True)
break
if entries:

68
cme/protocols/smb/database.py
View File

@ -114,7 +114,7 @@ class database:
# )''')
def add_share(self, computerid, userid, name, remark, read, write):
cur = self.conn.cursor()
cur = self.conn
cur.execute("INSERT OR IGNORE INTO shares (computerid, userid, name, remark, read, write) VALUES (?,?,?,?,?,?)", [computerid, userid, name, remark, read, write])
cur.close()
@ -123,7 +123,7 @@ class database:
Check if this share ID is valid.
"""
cur = self.conn.cursor()
cur = self.conn
cur.execute('SELECT * FROM shares WHERE id=? LIMIT 1', [shareID])
results = cur.fetchall()
cur.close()
@ -132,7 +132,7 @@ class database:
return len(results) > 0
def get_shares(self, filterTerm = None):
cur = self.conn.cursor()
cur = self.conn
if self.is_share_valid(filterTerm):
cur.execute("SELECT * FROM shares WHERE id=?", [filterTerm])
@ -145,7 +145,7 @@ class database:
return results
def get_shares_by_access(self, permissions, shareID=None):
cur = self.conn.cursor()
cur = self.conn
permissions = permissions.lower()
if shareID:
@ -167,7 +167,7 @@ class database:
return results
def get_users_with_share_access(self, computerID, share_name, permissions):
cur = self.conn.cursor()
cur = self.conn
permissions = permissions.lower()
if permissions == "r":
@ -189,7 +189,19 @@ class database:
# cur = self.conn.cursor()
sess = self.conn
results = sess.query(self.computers_table).all()
results = sess.query(self.computers_table).filter(self.computers_table.c.ip == ip).all()
host = {
"ip": ip,
"hostname": hostname,
"domain": domain,
"os": os,
"dc": dc,
"smbv1": smbv1,
"signing": signing,
"spooler": spooler,
"zerologon": zerologon,
"petitpotam": petitpotam
}
print(f"RESULTS: {results}")
print(f"IP: {ip}")
print(f"Hostname: {hostname}")
@ -199,6 +211,10 @@ class database:
print(f"Signing: {signing}")
print(f"DC: {dc}")
if not results:
# host doesn't exist in the DB
pass
if not len(results):
try:
sess.execute("INSERT INTO computers (ip, hostname, domain, os, dc, smbv1, signing) VALUES (?,?,?,?,?,?,?,?,?,?)", [ip, hostname, domain, os, dc, smbv1, signing, spooler, zerologon, petitpotam])
@ -228,7 +244,7 @@ class database:
"id": host_id,
"spooler": spooler
}
cur = self.conn.cursor()
cur = self.conn
Computers.Update(data)
cur.execute(Computers.Update(data))
@ -239,7 +255,7 @@ class database:
domain = domain.split('.')[0].upper()
user_rowid = None
cur = self.conn.cursor()
cur = self.conn
if groupid and not self.is_group_valid(groupid):
cur.close()
@ -278,7 +294,7 @@ class database:
domain = domain.split('.')[0].upper()
user_rowid = None
cur = self.conn.cursor()
cur = self.conn
cur.execute("SELECT * FROM users WHERE LOWER(domain)=LOWER(?) AND LOWER(username)=LOWER(?)", [domain, username])
results = cur.fetchall()
@ -307,7 +323,7 @@ class database:
def add_group(self, domain, name):
domain = domain.split('.')[0].upper()
cur = self.conn.cursor()
cur = self.conn
cur.execute("SELECT * FROM groups WHERE LOWER(domain)=LOWER(?) AND LOWER(name)=LOWER(?)", [domain, name])
results = cur.fetchall()
@ -326,14 +342,14 @@ class database:
Removes a credential ID from the database
"""
for credID in credIDs:
cur = self.conn.cursor()
cur = self.conn
cur.execute("DELETE FROM users WHERE id=?", [credID])
cur.close()
def add_admin_user(self, credtype, domain, username, password, host, userid=None):
domain = domain.split('.')[0].upper()
cur = self.conn.cursor()
cur = self.conn
if userid:
cur.execute("SELECT * FROM users WHERE id=?", [userid])
@ -361,7 +377,7 @@ class database:
def get_admin_relations(self, userID=None, hostID=None):
cur = self.conn.cursor()
cur = self.conn
if userID:
cur.execute("SELECT * FROM admin_relations WHERE userid=?", [userID])
@ -379,7 +395,7 @@ class database:
def get_group_relations(self, userID=None, groupID=None):
cur = self.conn.cursor()
cur = self.conn
if userID and groupID:
cur.execute("SELECT * FROM group_relations WHERE userid=? and groupid=?", [userID, groupID])
@ -397,7 +413,7 @@ class database:
def remove_admin_relation(self, userIDs=None, hostIDs=None):
cur = self.conn.cursor()
cur = self.conn
if userIDs:
for userID in userIDs:
@ -411,7 +427,7 @@ class database:
def remove_group_relations(self, userID=None, groupID=None):
cur = self.conn.cursor()
cur = self.conn
if userID:
cur.execute("DELETE FROM group_relations WHERE userid=?", [userID])
@ -428,14 +444,14 @@ class database:
"""
Check if this credential ID is valid.
"""
cur = self.conn.cursor()
cur = self.conn
cur.execute('SELECT * FROM users WHERE id=? AND password IS NOT NULL LIMIT 1', [credentialID])
results = cur.fetchall()
cur.close()
return len(results) > 0
def is_credential_local(self, credentialID):
cur = self.conn.cursor()
cur = self.conn
cur.execute('SELECT domain FROM users WHERE id=?', [credentialID])
user_domain = cur.fetchall()
@ -450,7 +466,7 @@ class database:
Return credentials from the database.
"""
cur = self.conn.cursor()
cur = self.conn
# if we're returning a single credential by ID
if self.is_credential_valid(filterTerm):
@ -475,7 +491,7 @@ class database:
"""
Check if this User ID is valid.
"""
cur = self.conn.cursor()
cur = self.conn
cur.execute('SELECT * FROM users WHERE id=? LIMIT 1', [userID])
results = cur.fetchall()
cur.close()
@ -483,7 +499,7 @@ class database:
def get_users(self, filterTerm=None):
cur = self.conn.cursor()
cur = self.conn
if self.is_user_valid(filterTerm):
cur.execute("SELECT * FROM users WHERE id=? LIMIT 1", [filterTerm])
@ -500,7 +516,7 @@ class database:
return results
def get_user(self, domain, username):
cur = self.conn.cursor()
cur = self.conn
cur.execute("SELECT * FROM users WHERE LOWER(domain)=LOWER(?) AND LOWER(username)=LOWER(?)", [domain, username])
results = cur.fetchall()
cur.close()
@ -510,7 +526,7 @@ class database:
"""
Check if this host ID is valid.
"""
cur = self.conn.cursor()
cur = self.conn
cur.execute('SELECT * FROM computers WHERE id=? LIMIT 1', [hostID])
results = cur.fetchall()
cur.close()
@ -521,7 +537,7 @@ class database:
Return hosts from the database.
"""
cur = self.conn.cursor()
cur = self.conn
# if we're returning a single host by ID
if self.is_computer_valid(filterTerm):
@ -553,7 +569,7 @@ class database:
"""
Check if this group ID is valid.
"""
cur = self.conn.cursor()
cur = self.conn
cur.execute('SELECT * FROM groups WHERE id=? LIMIT 1', [groupID])
results = cur.fetchall()
cur.close()
@ -568,7 +584,7 @@ class database:
if groupDomain:
groupDomain = groupDomain.split('.')[0].upper()
cur = self.conn.cursor()
cur = self.conn
if self.is_group_valid(filterTerm):
cur.execute("SELECT * FROM groups WHERE id=? LIMIT 1", [filterTerm])