diff --git a/changelog b/changelog
index 2fc51d278..13f190a06 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,12 @@
+8/24/2015
+---------
+-Added credentials/mimikatz/dcsync for remote DC credential extraction
+-Added situational_awareness/network/get_domaintrusts
+-Added /sids argument for credentials/mimikatz/golden_ticket
+-Added credential parsing for dcsync output
+-updated links for PowerTools
+-Fixed bug in credential parsing with ":" inside of the password,username, or domain
+
 8/20/2015
 ---------
 -Continued porting native shell commands to WMI replacents in agent core
diff --git a/lib/common/helpers.py b/lib/common/helpers.py
index 6d297b0df..ce906c65b 100644
--- a/lib/common/helpers.py
+++ b/lib/common/helpers.py
@@ -244,11 +244,12 @@ def parse_mimikatz(data):
 for line in lines2:
 try:
 if "Username" in line:
- username = line.split(":")[1].strip()
+ username = line.split(":",1)[1].strip()
 elif "Domain" in line:
- domain = line.split(":")[1].strip()
+ domain = line.split(":",1)[1].strip()
 elif "NTLM" in line or "Password" in line:
- password = line.split(":")[1].strip()
+ print line.split(":")
+ password = line.split(":",1)[1].strip()
 except:
 pass
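Review bot: The new `print line.split(":")` on the NTLM/Password branch is a leftover debug statement that writes the raw credential line to stdout (and to anything capturing the console) every time a password or hash is parsed; drop it and keep only `password = line.split(":",1)[1].strip()`. The `except: pass` directly below still swallows every error from the three branches, so a malformed line fails silently; `except IndexError: pass` would preserve the best-effort behaviour without hiding unrelated bugs. parse_mimikatz starts before this hunk and continues after it.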
@@ -271,32 +272,56 @@ def parse_mimikatz(data):
 if not (credType == "plaintext" and username.endswith("$")):
 creds.append((credType, domain, username, password, hostName, sid))
- # check if we have lsadump output to check for krbtgt
- # happens on domain controller hashdumps
- for x in xrange(8,13):
- if lines[x].startswith("Domain :"):
+ if len(creds) == 0:
+ # check if we have lsadump output to check for krbtgt
+ # happens on domain controller hashdumps
+ for x in xrange(8,13):
+ if lines[x].startswith("Domain :"):
- domain, sid, krbtgtHash = "", "", ""
+ domain, sid, krbtgtHash = "", "", ""
- try:
- domainParts = lines[x].split(":")[1]
- domain = domainParts.split("/")[0].strip()
- sid = domainParts.split("/")[1].strip()
-
- # substitute the FQDN in if it matches
- if hostDomain.startswith(domain.lower()):
- domain = hostDomain
- sid = domainSid
+ try:
+ domainParts = lines[x].split(":")[1]
+ domain = domainParts.split("/")[0].strip()
+ sid = domainParts.split("/")[1].strip()
+
+ # substitute the FQDN in if it matches
+ if hostDomain.startswith(domain.lower()):
+ domain = hostDomain
+ sid = domainSid
+
+ for x in xrange(0, len(lines)):
+ if lines[x].startswith("User : krbtgt"):
+ krbtgtHash = lines[x+2].split(":")[1].strip()
+ break
+
+ if krbtgtHash != "":
+ creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))
+ except Exception as e:
+ pass
- for x in xrange(0, len(lines)):
- if lines[x].startswith("User : krbtgt"):
- krbtgtHash = lines[x+2].split(":")[1].strip()
- break
+ if len(creds) == 0:
+ # check if we get lsadump::dcsync output
+ if '** SAM ACCOUNT **' in lines:
+ domain, user, userHash, dcName, sid = "", "", "", "", ""
+ for line in lines:
+ try:
+ if line.strip().endswith("will be the domain"):
+ domain = line.split("'")[1]
+ elif line.strip().endswith("will be the DC server"):
+ dcName = line.split("'")[1].split(".")[0]
+ elif line.strip().startswith("SAM Username"):
+ user = line.split(":")[1].strip()
+ elif line.strip().startswith("Object Security ID"):
+ parts = line.split(":")[1].strip().split("-")
+ sid = "-".join(parts[0:-1])
+ elif line.strip().startswith("Hash NTLM:"):
+ userHash = line.split(":")[1].strip()
+ except:
+ pass
- if krbtgtHash != "":
- creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))
- except Exception as e:
- pass
+ if domain != "" and userHash != "":
+ creds.append(("hash", domain, user, userHash, dcName, sid))
 return uniquify_tuples(creds)
diff --git a/lib/modules/collection/filefinder.py b/lib/modules/collection/filefinder.py
index a5fa9c2ff..0f7a543d9 100644
--- a/lib/modules/collection/filefinder.py
+++ b/lib/modules/collection/filefinder.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/collection/filesearch.py b/lib/modules/collection/filesearch.py
index 91d68297a..9f7cc2156 100644
--- a/lib/modules/collection/filesearch.py
+++ b/lib/modules/collection/filesearch.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/credentials/mimikatz/dcsync.py b/lib/modules/credentials/mimikatz/dcsync.py
index 2d40fc472..74ff76fb0 100644
--- a/lib/modules/credentials/mimikatz/dcsync.py
+++ b/lib/modules/credentials/mimikatz/dcsync.py
@@ -19,7 +19,7 @@ def __init__(self, mainMenu, params=[]):
 'OutputExtension' : None,
- 'NeedsAdmin' : True,
+ 'NeedsAdmin' : False,
 'OpsecSafe' : True,
diff --git a/lib/modules/credentials/mimikatz/golden_ticket.py b/lib/modules/credentials/mimikatz/golden_ticket.py
index 36464fc7b..4cd441323 100644
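Review bot: The lsadump check `for x in xrange(8,13): if lines[x].startswith("Domain :")` indexes `lines` outside the `try`, so output shorter than 13 lines raises IndexError out of parse_mimikatz instead of falling through to the new dcsync branch; bound it with `for x in xrange(8, min(13, len(lines))):`. In the dcsync block, `user = line.split(":")[1].strip()` for `SAM Username` reuses the unbounded split that the earlier hunk in this file replaced with `split(":",1)` for exactly this class of value, and `'** SAM ACCOUNT **' in lines` is an exact whole-line match that would miss the marker if the line carries surrounding whitespace, where `any('** SAM ACCOUNT **' in l for l in lines)` would not. The unused `e` in `except Exception as e` and the bare `except: pass` in the new loop hide malformed lines the same way the old code did. The function header is outside this hunk.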
--- a/lib/modules/credentials/mimikatz/golden_ticket.py
+++ b/lib/modules/credentials/mimikatz/golden_ticket.py
@@ -58,6 +58,11 @@ def __init__(self, mainMenu, params=[]):
 'Required' : False,
 'Value' : ''
 },
+ 'sids' : {
+ 'Description' : 'External SIDs to add as sidhistory to the ticket.',
+ 'Required' : False,
+ 'Value' : ''
+ },
 'id' : {
 'Description' : 'id to impersonate, defaults to 500.',
 'Required' : False,
diff --git a/lib/modules/privesc/powerup/allchecks.py b/lib/modules/privesc/powerup/allchecks.py
index 4069284ea..2c218237a 100644
--- a/lib/modules/privesc/powerup/allchecks.py
+++ b/lib/modules/privesc/powerup/allchecks.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/privesc/powerup/find_dllhijack.py b/lib/modules/privesc/powerup/find_dllhijack.py
index 422135692..e384d17e7 100644
--- a/lib/modules/privesc/powerup/find_dllhijack.py
+++ b/lib/modules/privesc/powerup/find_dllhijack.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/privesc/powerup/service_exe_stager.py b/lib/modules/privesc/powerup/service_exe_stager.py
index 6bf16f268..a2e3cee41 100644
--- a/lib/modules/privesc/powerup/service_exe_stager.py
+++ b/lib/modules/privesc/powerup/service_exe_stager.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/privesc/powerup/service_exe_useradd.py b/lib/modules/privesc/powerup/service_exe_useradd.py
index 68c348ca0..75b8ec35b 100644
--- a/lib/modules/privesc/powerup/service_exe_useradd.py
+++ b/lib/modules/privesc/powerup/service_exe_useradd.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/privesc/powerup/service_stager.py b/lib/modules/privesc/powerup/service_stager.py
index 3bb82d384..7777c5f5a 100644
--- a/lib/modules/privesc/powerup/service_stager.py
+++ b/lib/modules/privesc/powerup/service_stager.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/privesc/powerup/service_useradd.py b/lib/modules/privesc/powerup/service_useradd.py
index 6cd6c686f..70deb73a5 100644
--- a/lib/modules/privesc/powerup/service_useradd.py
+++ b/lib/modules/privesc/powerup/service_useradd.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/privesc/powerup/write_dllhijacker.py b/lib/modules/privesc/powerup/write_dllhijacker.py
index 2b2f0f968..172d42505 100644
--- a/lib/modules/privesc/powerup/write_dllhijacker.py
+++ b/lib/modules/privesc/powerup/write_dllhijacker.py
@@ -25,7 +25,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/find_localadmin_access.py b/lib/modules/situational_awareness/network/find_localadmin_access.py
index 07f47d4fa..b92f57806 100644
--- a/lib/modules/situational_awareness/network/find_localadmin_access.py
+++ b/lib/modules/situational_awareness/network/find_localadmin_access.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/get_computer.py b/lib/modules/situational_awareness/network/get_computer.py
index 1c179c130..466efa1ce 100644
--- a/lib/modules/situational_awareness/network/get_computer.py
+++ b/lib/modules/situational_awareness/network/get_computer.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/get_domaincontroller.py b/lib/modules/situational_awareness/network/get_domaincontroller.py
index 7efb37a94..66745acdb 100644
--- a/lib/modules/situational_awareness/network/get_domaincontroller.py
+++ b/lib/modules/situational_awareness/network/get_domaincontroller.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/get_domaintrusts.py b/lib/modules/situational_awareness/network/get_domaintrusts.py
new file mode 100644
index 000000000..2c9ba36a2
--- /dev/null
+++ b/lib/modules/situational_awareness/network/get_domaintrusts.py
@@ -0,0 +1,83 @@
+from lib.common import helpers
+
+class Module:
+
+ def __init__(self, mainMenu, params=[]):
+
+ self.info = {
+ 'Name': 'Get-NetDomainTrusts',
+
+ 'Author': ['@harmj0y'],
+
+ 'Description': ('Return all domain trusts for the current domain or '
+ 'a specified domain. Part of PowerView.'),
+
+ 'Background' : True,
+
+ 'OutputExtension' : None,
+
+ 'NeedsAdmin' : False,
+
+ 'OpsecSafe' : True,
+
+ 'MinPSVersion' : '2',
+
+ 'Comments': [
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
+ ]
+ }
+
+ # any options needed by the module, settable during runtime
+ self.options = {
+ # format:
+ # value_name : {description, required, default_value}
+ 'Agent' : {
+ 'Description' : 'Agent to run module on.',
+ 'Required' : True,
+ 'Value' : ''
+ },
+ 'Domain' : {
+ 'Description' : 'Specific domain to query for trusts, defaults to current.',
+ 'Required' : False,
+ 'Value' : ''
+ },
+ 'LDAP' : {
+ 'Description' : 'Switch. Use LDAP for domain queries (less accurate).',
+ 'Required' : False,
+ 'Value' : ''
+ }
+ }
+
+ # save off a copy of the mainMenu object to access external functionality
+ # like listeners/agent handlers/etc.
+ self.mainMenu = mainMenu
+
+ for param in params:
+ # parameter format is [Name, Value]
+ option, value = param
+ if option in self.options:
+ self.options[option]['Value'] = value
+
+
+ def generate(self):
+
+ # read in the common module source code
+ moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-MapDomainTrusts.ps1"
+
+ try:
+ f = open(moduleSource, 'r')
+ except:
+ print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
+ return ""
+
+ moduleCode = f.read()
+ f.close()
+
+ script = moduleCode
+
+ if self.options['LDAP']['Value'].lower() == "true":
+ script += "Get-NetDomainTrustsLDAP | Out-String | %{$_ + \"`n\"};"
+ else:
+ script += "Get-NetDomainTrusts | Out-String | %{$_ + \"`n\"};"
+
+ return script
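Review bot: In `generate`, `f = open(moduleSource, 'r')` is guarded by the `try`, but `f.read()` and `f.close()` run outside it, so a failure while reading leaks the handle and bypasses the error message and `return ""`; the bare `except:` around `open` also catches KeyboardInterrupt and SystemExit. Reading inside a `with` block and catching `IOError` keeps the same message and return value while closing the file on every path. `params=[]` in `__init__` is a mutable default; it is only iterated here, so `params=None` with a `params = params or []` guard is a style point rather than a bug.
```python
    def generate(self):

        # read in the common module source code
        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-MapDomainTrusts.ps1"

        try:
            with open(moduleSource, 'r') as f:
                moduleCode = f.read()
        except IOError:
            print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
            return ""

        # … unchanged: script assembly from moduleCode and the LDAP switch, then return script …
```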
diff --git a/lib/modules/situational_awareness/network/get_user.py b/lib/modules/situational_awareness/network/get_user.py
index 9db38474a..15fe8ddb4 100644
--- a/lib/modules/situational_awareness/network/get_user.py
+++ b/lib/modules/situational_awareness/network/get_user.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/mapdomaintrusts.py b/lib/modules/situational_awareness/network/mapdomaintrusts.py
index 4a750d88d..ff97a2826 100644
--- a/lib/modules/situational_awareness/network/mapdomaintrusts.py
+++ b/lib/modules/situational_awareness/network/mapdomaintrusts.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/netview.py b/lib/modules/situational_awareness/network/netview.py
index d053a1271..14ddcfeaf 100644
--- a/lib/modules/situational_awareness/network/netview.py
+++ b/lib/modules/situational_awareness/network/netview.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView',
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView',
 'https://github.com/mubix/netview'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/sharefinder.py b/lib/modules/situational_awareness/network/sharefinder.py
index f4dc22608..cafe83e33 100644
--- a/lib/modules/situational_awareness/network/sharefinder.py
+++ b/lib/modules/situational_awareness/network/sharefinder.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/stealth_userhunter.py b/lib/modules/situational_awareness/network/stealth_userhunter.py
index 63c24479c..40e94981b 100644
--- a/lib/modules/situational_awareness/network/stealth_userhunter.py
+++ b/lib/modules/situational_awareness/network/stealth_userhunter.py
@@ -24,7 +24,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }
diff --git a/lib/modules/situational_awareness/network/userhunter.py b/lib/modules/situational_awareness/network/userhunter.py
index e1d8c5f1b..760e30b60 100644
--- a/lib/modules/situational_awareness/network/userhunter.py
+++ b/lib/modules/situational_awareness/network/userhunter.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
 'MinPSVersion' : '2',
 'Comments': [
- 'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+ 'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
 ]
 }