NetExec/cme/modules/nopac.py

54 lines
2.1 KiB
Python

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Credit to https://exploit.ph/cve-2021-42287-cve-2021-42278-weaponisation.html
# @exploitph @Evi1cg
# module by @mpgn_x64
from binascii import unhexlify
from impacket.krb5.kerberosv5 import getKerberosTGT
from impacket.krb5 import constants
from impacket.krb5.types import Principal
class CMEModule:
name = "nopac"
description = "Check if the DC is vulnerable to CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user"
supported_protocols = ["smb"]
opsec_safe = True
multiple_hosts = True
def options(self, context, module_options):
""" """
def on_login(self, context, connection):
user_name = Principal(connection.username, type=constants.PrincipalNameType.NT_PRINCIPAL.value)
try:
tgt_with_pac, cipher, old_session_key, session_key = getKerberosTGT(
user_name,
connection.password,
connection.domain,
unhexlify(connection.lmhash),
unhexlify(connection.nthash),
connection.aesKey,
connection.host,
requestPAC=True,
)
context.log.highlight("TGT with PAC size " + str(len(tgt_with_pac)))
tgt_no_pac, cipher, old_session_key, session_key = getKerberosTGT(
user_name,
connection.password,
connection.domain,
unhexlify(connection.lmhash),
unhexlify(connection.nthash),
connection.aesKey,
connection.host,
requestPAC=False,
)
context.log.highlight("TGT without PAC size " + str(len(tgt_no_pac)))
if len(tgt_no_pac) < len(tgt_with_pac):
context.log.highlight("")
context.log.highlight("VULNERABLE")
context.log.highlight("Next step: https://github.com/Ridter/noPac")
except OSError as e:
context.log.debug(f"Error connecting to Kerberos (port 88) on {connection.host}")