Example #1
0
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string[] computernames, string domainController, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
        {
            var secrets = hashes != null ? hashes : passwords;

            if (hashes != null)
            {
                foreach (string user in users)
                {
                    foreach (string password in secrets)
                    {
                        Console.WriteLine("------------------");
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] secret: {0}", password));
                        Console.WriteLine();
                        SetThreadToken(user, domain, password);
                        if (protocol.ToLower() == "smb")
                        {
                            Scan.SMB(computernames, module);
                        }
                        else if (protocol.ToLower() == "winrm")
                        {
                            Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                        }
                        else if (protocol.ToLower() == "reg32")
                        {
                            Scan.REG32(computernames, module);
                        }
                        else if (protocol.ToLower() == "domain")
                        {
                            Scan.LDAP(module, domain, domainController);
                        }
                    }
                }
            }
            else
            {
                foreach (string user in users)
                {
                    foreach (string password in secrets)
                    {
                        Console.WriteLine("------------------");
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] secret: {0}", password));
                        Console.WriteLine();
                        using (new Impersonator.Impersonation(domain, user, password))
                        {
                            if (protocol.ToLower() == "smb")
                            {
                                Scan.SMB(computernames, module);
                            }
                            else if (protocol.ToLower() == "winrm")
                            {
                                Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                            }
                            else if (protocol.ToLower() == "cim")
                            {
                                foreach (string computername in computernames)
                                {
                                    CimSession cimSession;
                                    cimSession = Cim.newSession(computername, domain, user, password, flags.Contains("impersonate"));
                                    Scan.CIM(cimSession, module);
                                }
                            }
                            else if (protocol.ToLower() == "reg32")
                            {
                                Scan.REG32(computernames, module);
                            }
                            else if (protocol.ToLower() == "domain")
                            {
                                Scan.LDAP(module, domain, domainController);
                            }
                        }
                    }
                }
            }
        }
Example #2
0
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
        {
            AToken.MakeToken("Fake", "Fake", "Fake");
            Console.WriteLine("------------------");

            if (String.IsNullOrEmpty(ticket))
            {
                var secrets = hashes.Length > 0 ? hashes : passwords;
                foreach (string user in users)
                {
                    foreach (string secret in secrets)
                    {
                        string hash;
                        if (passwords.Length > 0)
                        {
                            string salt = String.Format("{0}{1}", domain.ToUpper(), user);
                            hash = Crypto.KerberosPasswordHash(encType, secret, salt);
                        }
                        else
                        {
                            hash = secret;
                        }
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] Domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] Secret: {0}", secret));
                        string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                        if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                        {
                            Console.WriteLine("[+] Ticket successfully imported!");
                        }
                        else
                        {
                            Console.WriteLine("[-] Could not request TGT");
                            continue;
                        }
                        if (protocol.ToLower() == "smb")
                        {
                            Scan.SMB(computernames, module);
                        }
                        else if (protocol.ToLower() == "winrm")
                        {
                            Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                        }
                        else if (protocol.ToLower() == "reg32")
                        {
                            Scan.REG32(computernames, module);
                        }
                        else if (protocol.ToLower() == "ldap")
                        {
                            Scan.LDAP(module, domain, dc);
                        }
                    }
                }
            }
            else
            {
                Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
                string ticketoutput = SecurityContext.ImportTicket(ticket);
                if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                {
                    Console.WriteLine("[+] TGT imported successfully!");
                }
                else
                {
                    Console.WriteLine("[-] Could not import TGT");
                    return;
                }
                if (protocol.ToLower() == "smb")
                {
                    Scan.SMB(computernames, module);
                }
                else if (protocol.ToLower() == "winrm")
                {
                    Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                }
                else if (protocol.ToLower() == "reg32")
                {
                    Scan.REG32(computernames, module);
                }
                else if (protocol.ToLower() == "ldap")
                {
                    Scan.LDAP(module, domain, dc);
                }
            }

            AToken.RevertFromToken();
        }
Example #3
0
 public static void StartJob <T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
 {
     string[] passwords;
     if (typeof(T) == typeof(NTHash))
     {
         passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Nthash").GetValue(secrets, null);
         foreach (string user in users)
         {
             foreach (string password in passwords)
             {
                 Console.WriteLine("------------------");
                 Console.WriteLine(string.Format("[*] User:   {0}", user));
                 Console.WriteLine(string.Format("[*] domain: {0}", domain));
                 Console.WriteLine(string.Format("[*] secret: {0}", password));
                 Console.WriteLine();
                 SetThreadToken(user, domain, password);
                 if (protocol.ToLower() == "smb")
                 {
                     Scan.SMB(computernames, module);
                 }
                 else if (protocol.ToLower() == "winrm")
                 {
                     Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                 }
                 else if (protocol.ToLower() == "reg32")
                 {
                     Scan.REG32(computernames, module);
                 }
             }
         }
     }
     else if (typeof(T) == typeof(ClearText))
     {
         passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Cleartext").GetValue(secrets, null);
         foreach (string user in users)
         {
             foreach (string password in passwords)
             {
                 Console.WriteLine("------------------");
                 Console.WriteLine(string.Format("[*] User:   {0}", user));
                 Console.WriteLine(string.Format("[*] domain: {0}", domain));
                 Console.WriteLine(string.Format("[*] secret: {0}", password));
                 Console.WriteLine();
                 using (new Impersonator.Impersonation(domain, user, password))
                 {
                     if (protocol.ToLower() == "smb")
                     {
                         Scan.SMB(computernames, module);
                     }
                     else if (protocol.ToLower() == "winrm")
                     {
                         Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                     }
                     else if (protocol.ToLower() == "cim")
                     {
                         foreach (string computername in computernames)
                         {
                             CimSession cimSession;
                             cimSession = Cim.newSession(computername, domain, user, password, flags.Contains("impersonate"));
                             Scan.CIM(cimSession, module);
                         }
                     }
                     else if (protocol.ToLower() == "reg32")
                     {
                         Scan.REG32(computernames, module);
                     }
                 }
             }
         }
     }
 }