fix(ntlmv1): fix error handling when remote registry cannot be accessed or registry entry doesnt exist
parent
a6463c60ff
commit
91bbc1101f
|
@ -1,48 +1,54 @@
|
||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
# -*- coding: utf-8 -*-
|
# -*- coding: utf-8 -*-
|
||||||
|
import logging
|
||||||
|
|
||||||
from impacket.dcerpc.v5 import rrp
|
from impacket.dcerpc.v5 import rrp
|
||||||
from impacket.examples.secretsdump import RemoteOperations
|
from impacket.examples.secretsdump import RemoteOperations
|
||||||
from impacket.dcerpc.v5.rrp import DCERPCSessionError
|
from impacket.dcerpc.v5.rrp import DCERPCSessionError
|
||||||
|
|
||||||
|
|
||||||
class CMEModule:
|
class CMEModule:
|
||||||
'''
|
"""
|
||||||
Detect if the targets's LmCompatibilityLevel will allow NTLMv1 authentication
|
Detect if the target's LmCompatibilityLevel will allow NTLMv1 authentication
|
||||||
Module by @Tw1sm
|
Module by @Tw1sm
|
||||||
'''
|
"""
|
||||||
name = 'ntlmv1'
|
name = "ntlmv1"
|
||||||
description = 'Detect if lmcompatibilitylevel on the target is set to 0 or 1'
|
description = "Detect if lmcompatibilitylevel on the target is set to 0 or 1"
|
||||||
supported_protocols = ['smb']
|
supported_protocols = ["smb"]
|
||||||
opsec_safe= True
|
opsec_safe = True
|
||||||
multiple_hosts = True
|
multiple_hosts = True
|
||||||
|
|
||||||
def options(self, context, module_options):
|
def options(self, context, module_options):
|
||||||
self.output = 'NTLMv1 allowed on: {} - LmCompatibilityLevel = {}'
|
self.output = "NTLMv1 allowed on: {} - LmCompatibilityLevel = {}"
|
||||||
|
|
||||||
def on_admin_login(self, context, connection):
|
def on_admin_login(self, context, connection):
|
||||||
try:
|
try:
|
||||||
remoteOps = RemoteOperations(connection.conn, False)
|
remote_ops = RemoteOperations(connection.conn, False)
|
||||||
remoteOps.enableRegistry()
|
remote_ops.enableRegistry()
|
||||||
|
|
||||||
if remoteOps._RemoteOperations__rrp:
|
if remote_ops._RemoteOperations__rrp:
|
||||||
ans = rrp.hOpenLocalMachine(remoteOps._RemoteOperations__rrp)
|
ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
|
||||||
regHandle = ans['phKey']
|
reg_handle = ans["phKey"]
|
||||||
|
ans = rrp.hBaseRegOpenKey(
|
||||||
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
reg_handle,
|
||||||
|
"SYSTEM\\CurrentControlSet\\Control\\Lsa"
|
||||||
|
)
|
||||||
|
key_handle = ans['phkResult']
|
||||||
|
rtype = None
|
||||||
|
data = None
|
||||||
|
try:
|
||||||
|
rtype, data = rrp.hBaseRegQueryValue(
|
||||||
|
remote_ops._RemoteOperations__rrp,
|
||||||
|
key_handle,
|
||||||
|
"lmcompatibilitylevel\x00"
|
||||||
|
)
|
||||||
|
except rrp.DCERPCSessionError as e:
|
||||||
|
logging.debug(f"Unable to reference lmcompatabilitylevel, which probably means ntlmv1 is not set")
|
||||||
|
|
||||||
ans = rrp.hBaseRegOpenKey(remoteOps._RemoteOperations__rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\Lsa')
|
if rtype and data and int(data) in [0, 1, 2]:
|
||||||
keyHandle = ans['phkResult']
|
|
||||||
|
|
||||||
rtype, data = rrp.hBaseRegQueryValue(remoteOps._RemoteOperations__rrp, keyHandle, 'lmcompatibilitylevel\x00')
|
|
||||||
|
|
||||||
if int(data) in [0, 1, 2]:
|
|
||||||
context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))
|
context.log.highlight(self.output.format(connection.conn.getRemoteHost(), data))
|
||||||
|
|
||||||
try:
|
|
||||||
remoteOps.finish()
|
|
||||||
except:
|
|
||||||
pass
|
|
||||||
|
|
||||||
except DCERPCSessionError as e:
|
except DCERPCSessionError as e:
|
||||||
try:
|
logging.debug(f"Error connecting to RemoteRegistry: {e}")
|
||||||
remoteOps.finish()
|
finally:
|
||||||
except:
|
remote_ops.finish()
|
||||||
pass
|
|
||||||
|
|
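Review bot: The new guard `if rtype and data and int(data) in [0, 1, 2]:` skips the report when the value is 0, because a zero `data` is falsy; level 0 is the most permissive LmCompatibilityLevel, so the host this check most needs to flag would be silently missed (this assumes `hBaseRegQueryValue` returns the DWORD as an integer, which the `int(data)` call suggests). Test for the unset case explicitly instead: `if data is not None and int(data) in [0, 1, 2]:`. Separately, the `finally:` branch calls `remote_ops.finish()` without the `try`/`except` the old code wrapped around it, and if `RemoteOperations(...)` itself raises, `remote_ops` is unbound at that point; setting `remote_ops = None` before the `try` and checking it in `finally` would avoid a secondary exception masking the real one. Indentation is lost in this rendering, so which `try` the `finally:` belongs to is inferred.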