public void NTHash_String_TestVector1()
{
string result = NTHash.ComputeHash("Pa$$w0rd").ToHex(true);
string expected = "92937945B518814341DE3F726500D4FF";
Assert.AreEqual(expected, result);
}
protected override void ProcessRecord()
{
this.WriteVerbose("Calculating OrgId hash.");
try
{
byte[] binarySalt = null;
if (Salt != null)
{
binarySalt = Salt.HexToBinary();
}
string orgIdHash;
// TODO: Switch by parametersetname
if (NTHash != null)
{
// Calculate OrgId hash from NT Hash:
byte[] binaryNTHash = NTHash.HexToBinary();
orgIdHash = OrgIdHash.ComputeFormattedHash(binaryNTHash, binarySalt);
}
else
{
// Calculate OrgId hash from password:
orgIdHash = OrgIdHash.ComputeFormattedHash(Password, binarySalt);
}
this.WriteObject(orgIdHash);
}
catch (Exception ex)
{
ErrorRecord error = new ErrorRecord(ex, "Error1", ErrorCategory.NotSpecified, this.Password);
this.WriteError(error);
}
}
protected bool SetAccountPassword(DatastoreObject targetObject, object targetObjectIdentifier, SecureString newPassword, byte[] bootKey, bool skipMetaUpdate)
{
// Validate input
Validator.AssertNotNull(newPassword, "newPassword");
// Calculate NT hash
byte[] ntHash = NTHash.ComputeHash(newPassword);
// TODO TODO TODO: Change parameter to DSAccount from DatastoreObject
var account = this.GetAccount(targetObject, targetObjectIdentifier, bootKey);
var supplementalCredentials = new SupplementalCredentials(
newPassword,
account.SamAccountName,
account.UserPrincipalName,
this.context.DomainController.NetBIOSDomainName,
this.context.DomainController.Domain);
return(this.SetAccountPasswordHash(
targetObject,
targetObjectIdentifier,
ntHash,
supplementalCredentials,
bootKey,
skipMetaUpdate));
}
protected bool SetAccountPassword(DatastoreObject targetObject, object targetObjectIdentifier, SecureString newPassword, byte[] bootKey, bool skipMetaUpdate)
{
// Validate input
Validator.AssertNotNull(newPassword, "newPassword");
// Calculate NT hash
byte[] ntHash = NTHash.ComputeHash(newPassword);
// We need to read sAMAccountName and userPrincipalName to be able to generate the supplementalCredentials.
string samAccountName;
targetObject.ReadAttribute(CommonDirectoryAttributes.SAMAccountName, out samAccountName);
string userPrincipalName;
targetObject.ReadAttribute(CommonDirectoryAttributes.UserPrincipalName, out userPrincipalName);
var supplementalCredentials = new SupplementalCredentials(
newPassword,
samAccountName,
userPrincipalName,
this.context.DomainController.NetBIOSDomainName,
this.context.DomainController.DomainName);
return(this.SetAccountPasswordHash(
targetObject,
targetObjectIdentifier,
ntHash,
supplementalCredentials,
bootKey,
skipMetaUpdate));
}
public void NTHash_String_EmptyInput()
{
string result = NTHash.ComputeHash(string.Empty).ToHex(true);
string expected = "31D6CFE0D16AE931B73C59D7E0C089C0";
Assert.AreEqual(expected, result);
}
protected override void ProcessRecord()
{
// TODO: Extract as resource
this.WriteVerbose("Calculating NT hash.");
try
{
byte[] hashBytes = NTHash.ComputeHash(Password);
string hashHex = hashBytes.ToHex();
this.WriteObject(hashHex);
}
catch (ArgumentException ex)
{
ErrorRecord error = new ErrorRecord(ex, "Error1", ErrorCategory.InvalidArgument, this.Password);
this.WriteError(error);
}
catch (Win32Exception ex)
{
ErrorCategory category = ((Win32ErrorCode)ex.NativeErrorCode).ToPSCategory();
ErrorRecord error = new ErrorRecord(ex, "Error2", category, this.Password);
// Allow the processing to continue on this error:
this.WriteError(error);
}
catch (Exception ex)
{
ErrorRecord error = new ErrorRecord(ex, "Error3", ErrorCategory.NotSpecified, this.Password);
this.WriteError(error);
}
}
public void NTHash_EmptyInput()
{
SecureString password = string.Empty.ToSecureString();
string result = NTHash.ComputeHash(password).ToHex(true);
string expected = "31D6CFE0D16AE931B73C59D7E0C089C0";
Assert.AreEqual(expected, result);
}
public void NTHash_TestVector1()
{
SecureString password = "******".ToSecureString();
string result = NTHash.ComputeHash(password).ToHex(true);
string expected = "92937945B518814341DE3F726500D4FF";
Assert.AreEqual(expected, result);
}
private void TestWeakPassword(string weakPassword)
{
// Windows has a hard limit on password length, so we ignore long ones
if (weakPassword.Length <= NTHash.MaxInputLength)
{
byte[] weakHash = NTHash.ComputeHash(weakPassword);
this.TestWeakNTHash(weakHash);
}
}
private void TestComputerDefaultPassword()
{
string defaultPassword = this.Account.SamAccountName.TrimEnd('$').ToLower();
byte[] defaultHash = NTHash.ComputeHash(defaultPassword);
if (HashEqualityComparer.GetInstance().Equals(this.Account.NTHash, defaultHash))
{
// The computer has the default password.
this.result.DefaultComputerPassword.Add(this.Account.LogonName);
}
}
public void NTHash_GenerateRandom()
{
byte[] randomHash1 = NTHash.GetRandom();
byte[] randomHash2 = NTHash.GetRandom();
// Check hash size
Assert.AreEqual(NTHash.HashSize, randomHash1.Length);
// Check that the hashes are not the same
Assert.AreNotEqual(randomHash1.ToHex(), randomHash2.ToHex());
}
public void ManagedPassword_Vector1()
{
// Sample value taken from a GMSA in AD
byte[] blob = "01000000220100001000000012011a011609f270f541c315ffee9fcd22a98447b5c6e6fb7151cb020a2b017bb4e003647949967fc96f7c9ec3426b80901bb9c162867cbc68c520c4d7a431c3d9a670f8aa41d2ae5c0c08f27f8698b90c18a5a576e9933fb0cadaf8e661be2f58308c580866b1ae582ee50a9aa7c5d65a312dbbc3542c51c7e0b2d4c61e9763de481d9963367273aa72b53c2e402e31c6cd38e7785ad06639cdfa07738d19ae20c370e06787ad2f600823c505fc9dd32b3f06505da37b86b298d3650140af83c1f01c907964d182ea0efb19e74c949f58123fdecb41f78ed0eabbde31bb46afd3134da82550380ed36038d100f71095404a97e52d661dbe4f74deef4122a102dca698960000864973f96017000086eba24660170000".HexToBinary();
// Its corresponding NT hash, also taken from AD
string expectedHash = "1fe07f47bfa7f511d902ed5cfb79cc4d";
// Try parsing the blob
ManagedPassword pwd = new ManagedPassword(blob);
string actualHash = NTHash.ComputeHash(pwd.CurrentPassword.ToSecureString()).ToHex(false);
Assert.AreEqual(expectedHash, actualHash);
}
private void crackPasses()
{
FileStream passList = new FileStream(passwordList, FileMode.Open);
StreamReader passStream = new StreamReader(passList, System.Text.Encoding.ASCII, true, 128);
string currPass;
while ((currPass = passStream.ReadLine()) != null)
{
currPass = currPass.TrimEnd();
if (currPass.Length < 4)
{
continue;
}
string currHash = NTHash.ComputeHash(currPass).ToHex();
if (currHash != null && currHash.Length > 0 && hashDict.ContainsKey(currHash))
{
cracked.Add(currPass, new List <DSAccount>(hashDict[currHash]));
}
}
}
public SupplementalCredentials(SecureString password, string samAccountName, string userPrincipalName, string netBiosDomainName, string dnsDomainName)
{
// Input validation
Validator.AssertNotNull(password, "password");
Validator.AssertNotNull(samAccountName, "samAccountName");
// Note that UPN can be NULL, as it is an optional user attribute.
Validator.AssertNotNull(netBiosDomainName, "netBiosDomainName");
Validator.AssertNotNull(dnsDomainName, "dnsDomainName");
// Generate Kerberos keys
this.Kerberos = new KerberosCredential(password, samAccountName, dnsDomainName);
this.KerberosNew = new KerberosCredentialNew(password, samAccountName, dnsDomainName);
// Generate WDigest hashes
this.WDigest = WDigestHash.ComputeHash(password, userPrincipalName, samAccountName, netBiosDomainName, dnsDomainName);
// Generate a random NTLM strong hash that is definitely not based on a password.
this.NTLMStrongHash = NTHash.GetRandom();
// Note that we do not want to store the password in cleartext.
}
protected override void ProcessRecord()
{
foreach (string password in this.Input)
{
if (string.IsNullOrEmpty(password))
{
// Skip empty lines from the input.
continue;
}
try
{
byte[] hash = NTHash.ComputeHash(password);
if (!this.hashDictionary.ContainsKey(hash))
{
// Do not try to add duplicate hashes, because the Add method would throw an ArgumentException.
this.hashDictionary.Add(hash, password);
}
}
catch (ArgumentException ex)
{
ErrorRecord error = new ErrorRecord(ex, "Error1", ErrorCategory.InvalidArgument, password);
this.WriteError(error);
}
catch (Win32Exception ex)
{
ErrorCategory category = ((Win32ErrorCode)ex.NativeErrorCode).ToPSCategory();
ErrorRecord error = new ErrorRecord(ex, "Error2", category, password);
this.WriteError(error);
}
catch (Exception ex)
{
ErrorRecord error = new ErrorRecord(ex, "Error3", ErrorCategory.NotSpecified, password);
this.WriteError(error);
}
}
}
public void Execute(Dictionary <string, string> arguments)
{
string[] user;
string domain = "";
string[] computernames;
var hash = new NTHash();
var password = new ClearText();
string module = "";
string moduleargument = "";
List <string> flags = new List <string>();
if (arguments.ContainsKey("/m"))
{
module = arguments["/m"];
}
if (arguments.ContainsKey("/module"))
{
module = arguments["/module"];
}
if (arguments.ContainsKey("/a"))
{
moduleargument = arguments["/a"];
}
if (arguments.ContainsKey("/argument"))
{
moduleargument = arguments["/argument"];
}
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
else
{
domain = ".";
}
if (arguments.ContainsKey("/user"))
{
if (File.Exists(arguments["/user"]))
{
user = File.ReadAllLines(arguments["/user"]);
}
else
{
string[] parts = arguments["/user"].Split('\\');
if (parts.Length == 2)
{
domain = parts[0];
user = parts[1].Split(',');
}
else
{
user = arguments["/user"].Split(',');
}
}
}
else
{
Console.WriteLine("[-] /user must be supplied!");
return;
}
if (arguments.ContainsKey("/computername"))
{
if (File.Exists(arguments["/computername"]))
{
computernames = File.ReadAllLines(arguments["/computername"]);
}
else
{
computernames = arguments["/computername"].Split(',');
}
}
else
{
Console.WriteLine("[-] /computername must be supplied!");
return;
}
if (arguments.ContainsKey("/password"))
{
if (File.Exists(arguments["/password"]))
{
password.Cleartext = File.ReadAllLines(arguments["/password"]);
}
else
{
password.Cleartext = arguments["/password"].Split(',');
}
}
else if (arguments.ContainsKey("/ntlm"))
{
if (File.Exists(arguments["/ntlm"]))
{
hash.Nthash = File.ReadAllLines(arguments["/ntlm"]);
}
else
{
hash.Nthash = arguments["/ntlm"].Split(',');
}
}
else
{
Console.WriteLine("[-] /password or /ntlm must be supplied");
return;
}
if (password.Cleartext != null)
{
NtlmSmb(user, domain, password, computernames, module, moduleargument);
}
else
{
NtlmSmb(user, domain, hash, computernames, module, moduleargument);
}
}
public void NTHash_String_LongInput()
{
string password = "******";
string result = NTHash.ComputeHash(password).ToHex(true);
}
public void NTHash_LongInput()
{
SecureString password = "******".ToSecureString();
string result = NTHash.ComputeHash(password).ToHex(true);
}
public void NTHash_NullInput()
{
NTHash.ComputeHash(null);
}
public void NTHash_String_NullInput()
{
NTHash.ComputeHash((string)null);
}
public void Execute(Dictionary <string, string> arguments)
{
string[] user;
string domain = "";
string path = "";
string destination = "";
string[] computernames;
var hash = new NTHash();
var password = new ClearText();
string module = "";
string moduleargument = "";
List <string> flags = new List <string>();
if (arguments.ContainsKey("/module"))
{
module = arguments["/module"];
}
if (arguments.ContainsKey("/m"))
{
module = arguments["/m"];
}
if (arguments.ContainsKey("/impersonate") || arguments.ContainsKey("/imprs"))
{
flags.Add("impersonate");
}
//
if (arguments.ContainsKey("/domain"))
{
domain = arguments["/domain"];
}
else
{
domain = ".";
}
if (arguments.ContainsKey("/user"))
{
if (File.Exists(arguments["/user"]))
{
user = File.ReadAllLines(arguments["/user"]);
}
else
{
string[] parts = arguments["/user"].Split('\\');
if (parts.Length == 2)
{
domain = parts[0];
user = parts[1].Split(',');
}
else
{
user = arguments["/user"].Split(',');
}
}
}
else
{
Console.WriteLine("[-] /user must be supplied!");
return;
}
if (arguments.ContainsKey("/computername"))
{
if (File.Exists(arguments["/computername"]))
{
computernames = File.ReadAllLines(arguments["/computername"]);
}
else
{
computernames = arguments["/computername"].Split(',');
}
}
else
{
Console.WriteLine("[-] /computername must be supplied!");
return;
}
if (arguments.ContainsKey("/password"))
{
if (File.Exists(arguments["/password"]))
{
password.Cleartext = File.ReadAllLines(arguments["/password"]);
}
else
{
password.Cleartext = arguments["/password"].Split(',');
}
}
else if (arguments.ContainsKey("/ntlm"))
{
if (File.Exists(arguments["/ntlm"]))
{
hash.Nthash = File.ReadAllLines(arguments["/ntlm"]);
}
else
{
hash.Nthash = arguments["/ntlm"].Split(',');
}
}
else
{
Console.WriteLine("[-] /password or /ntlm must be supplied");
return;
}
if (module.Contains("exec") && moduleargument.Length == 0)
{
Console.WriteLine("[-] Missing exec argument");
return;
}
if (module.Contains("assembly") && !File.Exists(path))
{
Console.WriteLine("[-] Missing assembly path");
return;
}
if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
{
Console.WriteLine("[-] Need path and destination");
return;
}
if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
{
Console.WriteLine("[-] Need path and destination");
return;
}
if (flags.Contains("impersonate"))
{
foreach (string computername in computernames)
{
CimSession cimSession;
cimSession = Cim.newSession(computername, "", "", "", true);
Scan.CIM(cimSession, module);
}
}
else if (password.Cleartext != null)
{
Lib.ntlm.Ntlm(user, domain, password, computernames, module, moduleargument, path, destination, flags, "cim");
}
else
{
Console.WriteLine("[-] Need plaintext password or /impersonate for cim");
return;
}
}
