Merge branch 'master' of github.com:zblurx/CrackMapExec

2022-11-18 18:36:42 +01:00 · 2022-11-18 18:36:42 +01:00 · 5d60eb0d10
parent 92575a9530 3df3978cb0
commit 5d60eb0d10
3 changed files with 17 additions and 5 deletions
--- a/cme/protocols/mssql.py
+++ b/cme/protocols/mssql.py
@ -12,6 +12,7 @@ from cme.helpers.bloodhound import add_user_bh
 from cme.helpers.powershell import create_ps_command
 from impacket import tds
 import configparser
+from impacket.krb5.ccache import CCache
 from impacket.smbconnection import SMBConnection, SessionError
 from impacket.tds import SQLErrorException, TDS_LOGINACK_TOKEN, TDS_ERROR_TOKEN, TDS_ENVCHANGE_TOKEN, TDS_INFO_TOKEN, \
    TDS_ENVCHANGE_VARCHAR, TDS_ENVCHANGE_DATABASE, TDS_ENVCHANGE_LANGUAGE, TDS_ENVCHANGE_CHARSET, TDS_ENVCHANGE_PACKETSIZE
@ -189,7 +190,13 @@ class mssql(connection):
                return False

            self.password = password
-            self.username = username
+            if username == '' and useCache:
+                ccache = CCache.loadFile(os.getenv('KRB5CCNAME'))
+                principal = ccache.principal.toPrincipal()
+                self.username = principal.components[0]
+                username = principal.components[0]
+            else:
+                self.username = username
            self.domain = domain
            self.check_if_admin()

--- a/cme/protocols/mssql/db_navigator.py
+++ b/cme/protocols/mssql/db_navigator.py
@ -14,10 +14,10 @@ class navigator(DatabaseNavigator):
        for cred in creds:

            credID = cred[0]
-            domain = cred[1]
-            username = cred[2]
-            password = cred[3]
-            credtype = cred[4]
+            credtype = cred[1]
+            domain = cred[2]
+            username = cred[3]
+            password = cred[4]
            # pillaged_from = cred[5]

            links = self.db.get_admin_relations(userID=credID)
--- a/cme/protocols/smb.py
+++ b/cme/protocols/smb.py
@ -369,6 +369,11 @@ class smb(connection):
            if nthash: self.nthash = nthash
            self.conn.kerberosLogin(username, password, domain, lmhash, nthash, aesKey, kdcHost, useCache=useCache)
            self.check_if_admin()
+            
+            if username == '':
+                self.username = self.conn.getCredentials()[0]
+            else:
+                self.username = username

            out = u'{}\\{}{} {}'.format(self.domain,
                                    self.username,