WIP - cmedb update

cme/crackmapexec.py

@@ -31,7 +31,7 @@ import random
 import os
 import sys
 import logging
-from sqlalchemy import create_engine, MetaData, text
+from sqlalchemy import create_engine, MetaData
 
 from sqlalchemy.ext.declarative import DeferredReflection
 from sqlalchemy.orm import declarative_base, sessionmaker

cme/modules/spooler.py

@@ -8,6 +8,7 @@ from impacket.dcerpc.v5 import transport, epm
 from impacket.dcerpc.v5.rpch import RPC_PROXY_INVALID_RPC_PORT_ERR, \
     RPC_PROXY_CONN_A1_0X6BA_ERR, RPC_PROXY_CONN_A1_404_ERR, \
     RPC_PROXY_RPC_OUT_DATA_404_ERR
+from cme.protocols.smb.database import database
 
 KNOWN_PROTOCOLS = {
     135: {'bindstr': r'ncacn_ip_tcp:%s[135]'},
@@ -89,6 +90,8 @@ class CMEModule:
                     logging.debug("          %s" % binding)
                 logging.debug("")
                 context.log.highlight('Spooler service enabled')
+                host_id = context.db.get_computers(connection.host)[0][0]
+                database.update_computer(context.db, host_id, spooler=True)
                 break
 
         if entries:

cme/protocols/smb/database.py

@@ -114,7 +114,7 @@ class database:
         #    )''')
 
     def add_share(self, computerid, userid, name, remark, read, write):
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute("INSERT OR IGNORE INTO shares (computerid, userid, name, remark, read, write) VALUES (?,?,?,?,?,?)", [computerid, userid, name, remark, read, write])
         cur.close()
 
@@ -123,7 +123,7 @@ class database:
         Check if this share ID is valid.
         """
 
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute('SELECT * FROM shares WHERE id=? LIMIT 1', [shareID])
         results = cur.fetchall()
         cur.close()
@@ -132,7 +132,7 @@ class database:
         return len(results) > 0
     
     def get_shares(self, filterTerm = None):
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if self.is_share_valid(filterTerm):
             cur.execute("SELECT * FROM shares WHERE id=?", [filterTerm])
@@ -145,7 +145,7 @@ class database:
         return results
 
     def get_shares_by_access(self, permissions, shareID=None):
-        cur = self.conn.cursor()
+        cur = self.conn
         permissions = permissions.lower()
 
         if shareID:
@@ -167,7 +167,7 @@ class database:
         return results
 
     def get_users_with_share_access(self, computerID, share_name, permissions):
-        cur = self.conn.cursor()
+        cur = self.conn
         permissions = permissions.lower()
 
         if permissions == "r":
@@ -189,7 +189,19 @@ class database:
         # cur = self.conn.cursor()
         sess = self.conn
 
-        results = sess.query(self.computers_table).all()
+        results = sess.query(self.computers_table).filter(self.computers_table.c.ip == ip).all()
+        host = {
+            "ip": ip,
+            "hostname": hostname,
+            "domain": domain,
+            "os": os,
+            "dc": dc,
+            "smbv1": smbv1,
+            "signing": signing,
+            "spooler": spooler,
+            "zerologon": zerologon,
+            "petitpotam": petitpotam
+        }
         print(f"RESULTS: {results}")
         print(f"IP: {ip}")
         print(f"Hostname: {hostname}")
@@ -199,6 +211,10 @@ class database:
         print(f"Signing: {signing}")
         print(f"DC: {dc}")
 
+        if not results:
+            # host doesn't exist in the DB
+            pass
+
         if not len(results):
             try:
                 sess.execute("INSERT INTO computers (ip, hostname, domain, os, dc, smbv1, signing) VALUES (?,?,?,?,?,?,?,?,?,?)", [ip, hostname, domain, os, dc, smbv1, signing, spooler, zerologon, petitpotam])
@@ -228,7 +244,7 @@ class database:
             "id": host_id,
             "spooler": spooler
         }
-        cur = self.conn.cursor()
+        cur = self.conn
         Computers.Update(data)
         cur.execute(Computers.Update(data))
 
@@ -239,7 +255,7 @@ class database:
 
         domain = domain.split('.')[0].upper()
         user_rowid = None
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if groupid and not self.is_group_valid(groupid):
             cur.close()
@@ -278,7 +294,7 @@ class database:
 
         domain = domain.split('.')[0].upper()
         user_rowid = None
-        cur = self.conn.cursor()
+        cur = self.conn
 
         cur.execute("SELECT * FROM users WHERE LOWER(domain)=LOWER(?) AND LOWER(username)=LOWER(?)", [domain, username])
         results = cur.fetchall()
@@ -307,7 +323,7 @@ class database:
     def add_group(self, domain, name):
 
         domain = domain.split('.')[0].upper()
-        cur = self.conn.cursor()
+        cur = self.conn
 
         cur.execute("SELECT * FROM groups WHERE LOWER(domain)=LOWER(?) AND LOWER(name)=LOWER(?)", [domain, name])
         results = cur.fetchall()
@@ -326,14 +342,14 @@ class database:
         Removes a credential ID from the database
         """
         for credID in credIDs:
-            cur = self.conn.cursor()
+            cur = self.conn
             cur.execute("DELETE FROM users WHERE id=?", [credID])
             cur.close()
             
     def add_admin_user(self, credtype, domain, username, password, host, userid=None):
 
         domain = domain.split('.')[0].upper()
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if userid:
             cur.execute("SELECT * FROM users WHERE id=?", [userid])
@@ -361,7 +377,7 @@ class database:
 
     def get_admin_relations(self, userID=None, hostID=None):
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if userID:
             cur.execute("SELECT * FROM admin_relations WHERE userid=?", [userID])
@@ -379,7 +395,7 @@ class database:
 
     def get_group_relations(self, userID=None, groupID=None):
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if userID and groupID:
             cur.execute("SELECT * FROM group_relations WHERE userid=? and groupid=?", [userID, groupID])
@@ -397,7 +413,7 @@ class database:
 
     def remove_admin_relation(self, userIDs=None, hostIDs=None):
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if userIDs:
             for userID in userIDs:
@@ -411,7 +427,7 @@ class database:
 
     def remove_group_relations(self, userID=None, groupID=None):
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if userID:
             cur.execute("DELETE FROM group_relations WHERE userid=?", [userID])
@@ -428,14 +444,14 @@ class database:
         """
         Check if this credential ID is valid.
         """
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute('SELECT * FROM users WHERE id=? AND password IS NOT NULL LIMIT 1', [credentialID])
         results = cur.fetchall()
         cur.close()
         return len(results) > 0
 
     def is_credential_local(self, credentialID):
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute('SELECT domain FROM users WHERE id=?', [credentialID])
         user_domain = cur.fetchall()
 
@@ -450,7 +466,7 @@ class database:
         Return credentials from the database.
         """
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         # if we're returning a single credential by ID
         if self.is_credential_valid(filterTerm):
@@ -475,7 +491,7 @@ class database:
         """
         Check if this User ID is valid.
         """
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute('SELECT * FROM users WHERE id=? LIMIT 1', [userID])
         results = cur.fetchall()
         cur.close()
@@ -483,7 +499,7 @@ class database:
 
     def get_users(self, filterTerm=None):
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if self.is_user_valid(filterTerm):
             cur.execute("SELECT * FROM users WHERE id=? LIMIT 1", [filterTerm])
@@ -500,7 +516,7 @@ class database:
         return results
 
     def get_user(self, domain, username):
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute("SELECT * FROM users WHERE LOWER(domain)=LOWER(?) AND LOWER(username)=LOWER(?)", [domain, username])
         results = cur.fetchall()
         cur.close()
@@ -510,7 +526,7 @@ class database:
         """
         Check if this host ID is valid.
         """
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute('SELECT * FROM computers WHERE id=? LIMIT 1', [hostID])
         results = cur.fetchall()
         cur.close()
@@ -521,7 +537,7 @@ class database:
         Return hosts from the database.
         """
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         # if we're returning a single host by ID
         if self.is_computer_valid(filterTerm):
@@ -553,7 +569,7 @@ class database:
         """
         Check if this group ID is valid.
         """
-        cur = self.conn.cursor()
+        cur = self.conn
         cur.execute('SELECT * FROM groups WHERE id=? LIMIT 1', [groupID])
         results = cur.fetchall()
         cur.close()
@@ -568,7 +584,7 @@ class database:
         if groupDomain:
             groupDomain = groupDomain.split('.')[0].upper()
 
-        cur = self.conn.cursor()
+        cur = self.conn
 
         if self.is_group_valid(filterTerm):
             cur.execute("SELECT * FROM groups WHERE id=? LIMIT 1", [filterTerm])