Add support kerberos aesKey and kdcHost #22 add lssasy module kerberos support

add error when not credential foud on lsassy module #368

Author: mpgn

cme/cli.py

@@ -48,6 +48,9 @@ def gen_cli_args():
     std_parser.add_argument("-u", metavar="USERNAME", dest='username', nargs='+', default=[], help="username(s) or file(s) containing usernames")
     std_parser.add_argument("-p", metavar="PASSWORD", dest='password', nargs='+', default=[], help="password(s) or file(s) containing passwords")
     std_parser.add_argument("-k", "--kerberos", action='store_true', help="Use Kerberos authentication from ccache file (KRB5CCNAME)")
+    std_parser.add_argument("--aesKey", action='store_true', help="AES key to use for Kerberos Authentication (128 or 256 bits)")
+    std_parser.add_argument("--kdcHost", action='store_true', help="IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter")
+
     fail_group = std_parser.add_mutually_exclusive_group()
     fail_group.add_argument("--gfail-limit", metavar='LIMIT', type=int, help='max number of global failed login attempts')
     fail_group.add_argument("--ufail-limit", metavar='LIMIT', type=int, help='max number of failed login attempts per username')

cme/connection.py

@@ -31,8 +31,8 @@ def __init__(self, args, db, host):
         self.password = ''
         self.username = ''
         self.kerberos = True if self.args.kerberos else False
-        self.aesKey = None
-        self.dc_ip = None
+        self.aesKey = None if not self.args.aesKey else self.args.aesKey
+        self.kdcHost = None if not self.args.kdcHost else self.args.kdcHost
         self.failed_logins = 0
         self.local_ip = None
 
@@ -142,7 +142,7 @@ def over_fail_limit(self, username):
 
     def login(self):
         if self.args.kerberos:
-            if self.kerberos_login(): return True
+            if self.kerberos_login(self.aesKey, self.kdcHost): return True
         else:
             for cred_id in self.args.cred_id:
                 with sem:

cme/modules/lsassy.py

@@ -77,6 +77,7 @@ def on_admin_login(self, context, connection):
         password = getattr(connection, "password", "")
         lmhash = getattr(connection, "lmhash", "")
         nthash = getattr(connection, "nthash", "")
+        kerberos = getattr(connection, "kerberos", "")
 
         password = "" if password is None else password
         lmhash = "" if lmhash is None else lmhash
@@ -102,6 +103,7 @@ def on_admin_login(self, context, connection):
             dump_options.dumpert_path = self.dumpert_path
 
         lsassy = Lsassy(
+            kerberos=kerberos,
             hostname=host,
             username=username,
             domain=domain_name,
@@ -114,13 +116,14 @@ def on_admin_login(self, context, connection):
             write_options=write_option
         )
         credentials = lsassy.get_credentials()
-
         if not credentials['success']:
             context.log.error(credentials['error_msg'])
             if context.verbose and credentials['error_exception']:
                 context.log.error(credentials['error_exception'])
-        else:
+        elif json.loads(credentials['credentials']).items():
             self.process_credentials(context, connection, credentials["credentials"])
+        else:
+            context.log.highlight("No credential found :'(")
 
 
     def process_credentials(self, context, connection, credentials):

cme/protocols/smb.py

@@ -254,15 +254,22 @@ def print_host_info(self):
                                                                                       self.domain,
                                                                                       self.signing,
                                                                                       self.smbv1))
-    def kerberos_login(self):
-        self.conn.kerberosLogin('', '', self.domain, self.lmhash, self.nthash, self.aesKey, self.dc_ip)
-        # self.check_if_admin() # currently not working with kerberos so we set admin_privs to True
-        self.admin_privs = True
-        out = u'{}\\{} {}'.format(self.domain,
-                                self.conn.getCredentials()[0],
-                                highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
-        self.logger.success(out)
-        return True
+    def kerberos_login(self, aesKey, kdcHost):
+        try:
+            self.conn.kerberosLogin('', '', self.domain, self.lmhash, self.nthash, aesKey, kdcHost)
+            # self.check_if_admin() # currently not working with kerberos so we set admin_privs to True
+            self.admin_privs = True
+            out = u'{}\\{} {}'.format(self.domain,
+                                    self.conn.getCredentials()[0],
+                                    highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else ''))
+            self.logger.success(out)
+            return True
+        except SessionError as e:
+            error, desc = e.getErrorString()
+            self.logger.error(u'{} {} {}'.format(self.domain, 
+                                                 error, 
+                                                 '({})'.format(desc) if self.args.verbose else ''))
+            return False
 
     def plaintext_login(self, domain, username, password):
         try:
@@ -410,7 +417,7 @@ def execute(self, payload=None, get_output=False, methods=None):
 
             if method == 'wmiexec':
                 try:
-                    exec_method = WMIEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.kerberos, self.hash, self.args.share)
+                    exec_method = WMIEXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.conn, self.kerberos, self.aesKey, self.kdcHost, self.hash, self.args.share)
                     logging.debug('Executed command via wmiexec')
                     break
                 except:
@@ -430,7 +437,7 @@ def execute(self, payload=None, get_output=False, methods=None):
 
             elif method == 'atexec':
                 try:
-                    exec_method = TSCH_EXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.kerberos, self.hash) #self.args.share)
+                    exec_method = TSCH_EXEC(self.host, self.smb_share_name, self.username, self.password, self.domain, self.kerberos, self.aesKey, self.kdcHost, self.hash) #self.args.share)
                     logging.debug('Executed command via atexec')
                     break
                 except:
@@ -440,7 +447,7 @@ def execute(self, payload=None, get_output=False, methods=None):
 
             elif method == 'smbexec':
                 try:
-                    exec_method = SMBEXEC(self.host, self.smb_share_name, self.args.port, self.username, self.password, self.domain, self.kerberos, self.hash, self.args.share)
+                    exec_method = SMBEXEC(self.host, self.smb_share_name, self.args.port, self.username, self.password, self.domain, self.kerberos, self.aesKey, self.kdcHost, self.hash, self.args.share)
                     logging.debug('Executed command via smbexec')
                     break
                 except:

cme/protocols/smb/atexec.py

@@ -7,7 +7,7 @@
 from gevent import sleep
 
 class TSCH_EXEC:
-    def __init__(self, target, share_name, username, password, domain, doKerberos=False, hashes=None):
+    def __init__(self, target, share_name, username, password, domain, doKerberos=False, aesKey=None, kdcHost=None, hashes=None):
         self.__target = target
         self.__username = username
         self.__password = password
@@ -17,9 +17,9 @@ def __init__(self, target, share_name, username, password, domain, doKerberos=Fa
         self.__nthash = ''
         self.__outputBuffer = b''
         self.__retOutput = False
-        # self.__aesKey = aesKey
+        self.__aesKey = aesKey
         self.__doKerberos = doKerberos
-        self.__kdcHost = None
+        self.__kdcHost = kdcHost
 
         if hashes is not None:
         #This checks to see if we didn't provide the LM Hash
@@ -36,7 +36,7 @@ def __init__(self, target, share_name, username, password, domain, doKerberos=Fa
 
         if hasattr(self.__rpctransport, 'set_credentials'):
             # This method exists only for selected protocol sequences.
-            self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
+            self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey)
             self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
 
     def execute(self, command, output=False):

cme/protocols/smb/smbexec.py

@@ -8,7 +8,7 @@
 
 class SMBEXEC:
 
-    def __init__(self, host, share_name, protocol, username = '', password = '', domain = '', doKerberos=False, hashes = None, share = None, port=445):
+    def __init__(self, host, share_name, protocol, username = '', password = '', domain = '', doKerberos=False, aesKey=None, kdcHost=None, hashes = None, share = None, port=445):
         self.__host = host
         self.__share_name = share_name
         self.__port = port
@@ -28,9 +28,9 @@ def __init__(self, host, share_name, protocol, username = '', password = '', dom
         self.__scmr = None
         self.__conn = None
         # self.__mode  = mode
-        # self.__aesKey = aesKey
+        self.__aesKey = aesKey
         self.__doKerberos = doKerberos
-        self.__kdcHost = None
+        self.__kdcHost = kdcHost
 
         if hashes is not None:
         #This checks to see if we didn't provide the LM Hash
@@ -51,7 +51,7 @@ def __init__(self, host, share_name, protocol, username = '', password = '', dom
             self.__rpctransport.setRemoteHost(self.__host)
         if hasattr(self.__rpctransport, 'set_credentials'):
             # This method exists only for selected protocol sequences.
-            self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
+            self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash,self.__aesKey)
             self.__rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
 
         self.__scmr = self.__rpctransport.get_dce_rpc()

cme/protocols/smb/wmiexec.py

@@ -8,7 +8,7 @@
 from impacket.dcerpc.v5.dtypes import NULL
 
 class WMIEXEC:
-    def __init__(self, target, share_name, username, password, domain, smbconnection, doKerberos=False, hashes=None, share=None):
+    def __init__(self, target, share_name, username, password, domain, smbconnection, doKerberos=False, aesKey=None, kdcHost=None, hashes=None, share=None):
         self.__target = target
         self.__username = username
         self.__password = password
@@ -22,7 +22,8 @@ def __init__(self, target, share_name, username, password, domain, smbconnection
         self.__share_name = share_name
         self.__shell = 'cmd.exe /Q /c '
         self.__pwd = 'C:\\'
-        self.__aesKey = None
+        self.__aesKey = aesKey
+        self.__kdcHost = kdcHost
         self.__doKerberos = doKerberos
         self.__retOutput = True
 
@@ -35,7 +36,7 @@ def __init__(self, target, share_name, username, password, domain, smbconnection
 
         if self.__password is None:
             self.__password = ''
-        self.__dcom = DCOMConnection(self.__target, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos)
+        self.__dcom = DCOMConnection(self.__target, self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, oxidResolver=True, doKerberos=self.__doKerberos, kdcHost=self.__kdcHost)
         iInterface = self.__dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
         iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
         iWbemServices= iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)