Merge pull request EmpireProject#29 from PowerShellEmpire/mimikatz_8_…

…15_update2 Mimikatz 8 15 update2
jinverar · Aug 24, 2015 · e1b1898 · e1b1898
2 parents cf935db + 32e95b4
commit e1b1898
Show file tree

Hide file tree

Showing 23 changed files with 166 additions and 44 deletions.
diff --git a/changelog b/changelog
@@ -1,3 +1,12 @@
+8/24/2015
+---------
+-Added credentials/mimikatz/dcsync for remote DC credential extraction
+-Added situational_awareness/network/get_domaintrusts
+-Added /sids argument for credentials/mimikatz/golden_ticket
+-Added credential parsing for dcsync output
+-updated links for PowerTools
+-Fixed bug in credential parsing with ":" inside of the password,username, or domain
+
 8/20/2015
 ---------
 -Continued porting native shell commands to WMI replacents in agent core

diff --git a/lib/common/helpers.py b/lib/common/helpers.py
@@ -244,11 +244,12 @@ def parse_mimikatz(data):
             for line in lines2:
                 try:
                     if "Username" in line:
-                        username = line.split(":")[1].strip()
+                        username = line.split(":",1)[1].strip()
                     elif "Domain" in line:
-                        domain = line.split(":")[1].strip()
+                        domain = line.split(":",1)[1].strip()
                     elif "NTLM" in line or "Password" in line:
-                        password = line.split(":")[1].strip()
+                        print line.split(":")
+                        password = line.split(":",1)[1].strip()
                 except:
                     pass
 
@@ -271,32 +272,56 @@ def parse_mimikatz(data):
                 if not (credType == "plaintext" and username.endswith("$")):
                     creds.append((credType, domain, username, password, hostName, sid))
 
-    # check if we have lsadump output to check for krbtgt
-    #   happens on domain controller hashdumps
-    for x in xrange(8,13):
-        if lines[x].startswith("Domain :"):
+    if len(creds) == 0:
+        # check if we have lsadump output to check for krbtgt
+        #   happens on domain controller hashdumps
+        for x in xrange(8,13):
+            if lines[x].startswith("Domain :"):
 
-            domain, sid, krbtgtHash = "", "", ""
+                domain, sid, krbtgtHash = "", "", ""
 
-            try:
-                domainParts = lines[x].split(":")[1]
-                domain = domainParts.split("/")[0].strip()
-                sid = domainParts.split("/")[1].strip()
-
-                # substitute the FQDN in if it matches
-                if hostDomain.startswith(domain.lower()):
-                    domain = hostDomain
-                    sid = domainSid
+                try:
+                    domainParts = lines[x].split(":")[1]
+                    domain = domainParts.split("/")[0].strip()
+                    sid = domainParts.split("/")[1].strip()
+
+                    # substitute the FQDN in if it matches
+                    if hostDomain.startswith(domain.lower()):
+                        domain = hostDomain
+                        sid = domainSid
+
+                    for x in xrange(0, len(lines)):
+                        if lines[x].startswith("User : krbtgt"):
+                            krbtgtHash = lines[x+2].split(":")[1].strip()
+                            break
+
+                    if krbtgtHash != "":
+                        creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))
+                except Exception as e:
+                    pass
 
-                for x in xrange(0, len(lines)):
-                    if lines[x].startswith("User : krbtgt"):
-                        krbtgtHash = lines[x+2].split(":")[1].strip()
-                        break
+    if len(creds) == 0:
+        # check if we get lsadump::dcsync output
+        if '** SAM ACCOUNT **' in lines:
+            domain, user, userHash, dcName, sid = "", "", "", "", ""
+            for line in lines:
+                try:
+                    if line.strip().endswith("will be the domain"):
+                        domain = line.split("'")[1]
+                    elif line.strip().endswith("will be the DC server"):
+                        dcName = line.split("'")[1].split(".")[0]
+                    elif line.strip().startswith("SAM Username"):
+                        user = line.split(":")[1].strip()
+                    elif line.strip().startswith("Object Security ID"):
+                        parts = line.split(":")[1].strip().split("-")
+                        sid = "-".join(parts[0:-1])
+                    elif line.strip().startswith("Hash NTLM:"):
+                        userHash = line.split(":")[1].strip()
+                except:
+                    pass
 
-                if krbtgtHash != "":
-                    creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))
-            except Exception as e:
-                pass
+            if domain != "" and userHash != "":
+                creds.append(("hash", domain, user, userHash, dcName, sid))
 
     return uniquify_tuples(creds)
 

diff --git a/lib/modules/collection/filefinder.py b/lib/modules/collection/filefinder.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/collection/filesearch.py b/lib/modules/collection/filesearch.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/credentials/mimikatz/dcsync.py b/lib/modules/credentials/mimikatz/dcsync.py
@@ -19,7 +19,7 @@ def __init__(self, mainMenu, params=[]):
 
             'OutputExtension' : None,
 
-            'NeedsAdmin' : True,
+            'NeedsAdmin' : False,
 
             'OpsecSafe' : True,
 

diff --git a/lib/modules/credentials/mimikatz/golden_ticket.py b/lib/modules/credentials/mimikatz/golden_ticket.py
@@ -58,6 +58,11 @@ def __init__(self, mainMenu, params=[]):
                 'Required'      :   False,
                 'Value'         :   ''
             },
+            'sids' : {
+                'Description'   :   'External SIDs to add as sidhistory to the ticket.',
+                'Required'      :   False,
+                'Value'         :   ''
+            },
             'id' : {
                 'Description'   :   'id to impersonate, defaults to 500.',
                 'Required'      :   False,

diff --git a/lib/modules/privesc/powerup/allchecks.py b/lib/modules/privesc/powerup/allchecks.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/privesc/powerup/find_dllhijack.py b/lib/modules/privesc/powerup/find_dllhijack.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/privesc/powerup/service_exe_stager.py b/lib/modules/privesc/powerup/service_exe_stager.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/privesc/powerup/service_exe_useradd.py b/lib/modules/privesc/powerup/service_exe_useradd.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/privesc/powerup/service_stager.py b/lib/modules/privesc/powerup/service_stager.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/privesc/powerup/service_useradd.py b/lib/modules/privesc/powerup/service_useradd.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/privesc/powerup/write_dllhijacker.py b/lib/modules/privesc/powerup/write_dllhijacker.py
@@ -25,7 +25,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerUp'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/find_localadmin_access.py b/lib/modules/situational_awareness/network/find_localadmin_access.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/get_computer.py b/lib/modules/situational_awareness/network/get_computer.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/get_domaincontroller.py b/lib/modules/situational_awareness/network/get_domaincontroller.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/get_domaintrusts.py b/lib/modules/situational_awareness/network/get_domaintrusts.py
@@ -0,0 +1,83 @@
+from lib.common import helpers
+
+class Module:
+
+    def __init__(self, mainMenu, params=[]):
+
+        self.info = {
+            'Name': 'Get-NetDomainTrusts',
+
+            'Author': ['@harmj0y'],
+
+            'Description': ('Return all domain trusts for the current domain or '
+                            'a specified domain. Part of PowerView.'),
+
+            'Background' : True,
+
+            'OutputExtension' : None,
+
+            'NeedsAdmin' : False,
+
+            'OpsecSafe' : True,
+
+            'MinPSVersion' : '2',
+
+            'Comments': [
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
+            ]
+        }
+
+        # any options needed by the module, settable during runtime
+        self.options = {
+            # format:
+            #   value_name : {description, required, default_value}
+            'Agent' : {
+                'Description'   :   'Agent to run module on.',
+                'Required'      :   True,
+                'Value'         :   ''
+            },
+            'Domain' : {
+                'Description'   :   'Specific domain to query for trusts, defaults to current.',
+                'Required'      :   False,
+                'Value'         :   ''
+            },
+            'LDAP' : {
+                'Description'   :   'Switch. Use LDAP for domain queries (less accurate).',
+                'Required'      :   False,
+                'Value'         :   ''
+            }
+        }
+
+        # save off a copy of the mainMenu object to access external functionality
+        #   like listeners/agent handlers/etc.
+        self.mainMenu = mainMenu
+
+        for param in params:
+            # parameter format is [Name, Value]
+            option, value = param
+            if option in self.options:
+                self.options[option]['Value'] = value
+
+
+    def generate(self):
+
+        # read in the common module source code
+        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/network/Invoke-MapDomainTrusts.ps1"
+
+        try:
+            f = open(moduleSource, 'r')
+        except:
+            print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
+            return ""
+
+        moduleCode = f.read()
+        f.close()
+
+        script = moduleCode
+
+        if self.options['LDAP']['Value'].lower() == "true":
+            script += "Get-NetDomainTrustsLDAP | Out-String | %{$_ + \"`n\"};"
+        else:
+            script += "Get-NetDomainTrusts | Out-String | %{$_ + \"`n\"};"
+
+        return script
diff --git a/lib/modules/situational_awareness/network/get_user.py b/lib/modules/situational_awareness/network/get_user.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/mapdomaintrusts.py b/lib/modules/situational_awareness/network/mapdomaintrusts.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/netview.py b/lib/modules/situational_awareness/network/netview.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView',
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView',
                 'https://github.com/mubix/netview'
             ]
         }

diff --git a/lib/modules/situational_awareness/network/sharefinder.py b/lib/modules/situational_awareness/network/sharefinder.py
@@ -22,7 +22,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/stealth_userhunter.py b/lib/modules/situational_awareness/network/stealth_userhunter.py
@@ -24,7 +24,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }
 

diff --git a/lib/modules/situational_awareness/network/userhunter.py b/lib/modules/situational_awareness/network/userhunter.py
@@ -23,7 +23,7 @@ def __init__(self, mainMenu, params=[]):
             'MinPSVersion' : '2',
 
             'Comments': [
-                'https://github.com/Veil-Framework/PowerTools/tree/master/PowerView'
+                'https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView'
             ]
         }