예제 #1
0
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
        {
            AToken.MakeToken("Fake", "Fake", "Fake");
            Console.WriteLine("------------------");

            if (String.IsNullOrEmpty(ticket))
            {
                var secrets = hashes.Length > 0 ? hashes : passwords;
                foreach (string user in users)
                {
                    foreach (string secret in secrets)
                    {
                        string hash;
                        if (passwords.Length > 0)
                        {
                            string salt = String.Format("{0}{1}", domain.ToUpper(), user);
                            hash = Crypto.KerberosPasswordHash(encType, secret, salt);
                        }
                        else
                        {
                            hash = secret;
                        }
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] Domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] Secret: {0}", secret));
                        string ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
                        if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                        {
                            Console.WriteLine("[+] Ticket successfully imported!");
                        }
                        else
                        {
                            Console.WriteLine("[-] Could not request TGT");
                            continue;
                        }
                        if (protocol.ToLower() == "smb")
                        {
                            Scan.SMB(computernames, module);
                        }
                        else if (protocol.ToLower() == "winrm")
                        {
                            Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                        }
                        else if (protocol.ToLower() == "reg32")
                        {
                            Scan.REG32(computernames, module);
                        }
                        else if (protocol.ToLower() == "ldap")
                        {
                            Scan.LDAP(module, domain, dc);
                        }
                    }
                }
            }
            else
            {
                Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
                string ticketoutput = SecurityContext.ImportTicket(ticket);
                if (ticketoutput.Contains("[+] Ticket successfully imported!"))
                {
                    Console.WriteLine("[+] TGT imported successfully!");
                }
                else
                {
                    Console.WriteLine("[-] Could not import TGT");
                    return;
                }
                if (protocol.ToLower() == "smb")
                {
                    Scan.SMB(computernames, module);
                }
                else if (protocol.ToLower() == "winrm")
                {
                    Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                }
                else if (protocol.ToLower() == "reg32")
                {
                    Scan.REG32(computernames, module);
                }
                else if (protocol.ToLower() == "ldap")
                {
                    Scan.LDAP(module, domain, dc);
                }
            }

            AToken.RevertFromToken();
        }
예제 #2
0
        public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string[] computernames, string domainController, string module, string moduleargument, string path, string destination, List <string> flags, string protocol)
        {
            var secrets = hashes != null ? hashes : passwords;

            if (hashes != null)
            {
                foreach (string user in users)
                {
                    foreach (string password in secrets)
                    {
                        Console.WriteLine("------------------");
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] secret: {0}", password));
                        Console.WriteLine();
                        SetThreadToken(user, domain, password);
                        if (protocol.ToLower() == "smb")
                        {
                            Scan.SMB(computernames, module);
                        }
                        else if (protocol.ToLower() == "winrm")
                        {
                            Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                        }
                        else if (protocol.ToLower() == "reg32")
                        {
                            Scan.REG32(computernames, module);
                        }
                        else if (protocol.ToLower() == "domain")
                        {
                            Scan.LDAP(module, domain, domainController);
                        }
                    }
                }
            }
            else
            {
                foreach (string user in users)
                {
                    foreach (string password in secrets)
                    {
                        Console.WriteLine("------------------");
                        Console.WriteLine(string.Format("[*] User:   {0}", user));
                        Console.WriteLine(string.Format("[*] domain: {0}", domain));
                        Console.WriteLine(string.Format("[*] secret: {0}", password));
                        Console.WriteLine();
                        using (new Impersonator.Impersonation(domain, user, password))
                        {
                            if (protocol.ToLower() == "smb")
                            {
                                Scan.SMB(computernames, module);
                            }
                            else if (protocol.ToLower() == "winrm")
                            {
                                Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
                            }
                            else if (protocol.ToLower() == "cim")
                            {
                                foreach (string computername in computernames)
                                {
                                    CimSession cimSession;
                                    cimSession = Cim.newSession(computername, domain, user, password, flags.Contains("impersonate"));
                                    Scan.CIM(cimSession, module);
                                }
                            }
                            else if (protocol.ToLower() == "reg32")
                            {
                                Scan.REG32(computernames, module);
                            }
                            else if (protocol.ToLower() == "domain")
                            {
                                Scan.LDAP(module, domain, domainController);
                            }
                        }
                    }
                }
            }
        }