search

rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/
Other
32.92k stars 13.72k forks source link

Module to read/write registry key security descriptor remotely #19115

Closed cdelafuente-r7 closed 3 days ago

cdelafuente-r7 commented 3 weeks ago

This module reads or writes a Windows registry security descriptor remotely.

In READ mode, the FILE option can be set to specify where the security descriptor should be written to.

The following format is used:

key: <registry key>
security_info: <security information>
sd: <security descriptor as a hex string>

In WRITE mode, the FILE option can be used to specify the information needed to write the security descriptor to the remote registry. The file must follow the same format as described above.

:warning: Important :warning: DO NOT MERGE YET. This module is based on this branch will need this PR landed first. This PR only adds two files:

Verification Steps

  1. Start msfconsole
  2. Do: use auxiliary/admin/registry_security_descriptor
  3. Do: run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key>
  4. Verify the registry key security descriptor is displayed
  5. Do: run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> file=<file path>
  6. Verify the registry key security descriptor is saved to the file
  7. Do: run verbose=true rhost=<host> smbuser=<username> smbpass=<password> key=<registry key> action=write sd=<security descriptor as a hex string>
  8. Verify the security descriptor is correctly set on the given registry key
  9. Do: run verbose=true rhost=<host> smbuser=<username> smbpass=<password> file=<file path>
  10. Verify the security descriptor taken from the file is correctly set on the given registry key

Scenarios

Read against Windows Server 2019

msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=READ key='HKLM\SECURITY\Policy\PolEKList'
[*] Running module against 192.168.101.124

[+] 192.168.101.124:445 - Raw security descriptor for HKLM\SECURITY\Policy\PolEKList: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
[*] Auxiliary module execution completed

Write against Windows Server 2019

Note that the information security has been set to 4 (DACL_SECURITY_INFORMATION) to avoid an access denied error.

msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 key='HKLM\SECURITY\Policy\PolEKList' action=WRITE sd=01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000 security_information=4
[*] Running module against 192.168.101.124

[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
[*] Auxiliary module execution completed

Write against Windows Server 2019 (from file)

msf6 auxiliary(admin/registry_security_descriptor) > run verbose=true rhost=192.168.101.124 smbuser=Administrator smbpass=123456 action=WRITE file=/tmp/remote_registry_sd_backup.yml
[*] Running module against 192.168.101.124

[*] 192.168.101.124:445 - Getting security descriptor info from file /tmp/remote_registry_sd_backup.yml
  key: HKLM\SECURITY\Policy\PolEKList
  security information: 4
  security descriptor: 01000480480000005800000000000000140000000200340002000000000214003f000f0001010000000000051200000000021800000006000102000000000005200000002002000001020000000000052000000020020000010100000000000512000000
[+] 192.168.101.124:445 - Security descriptor set for HKLM\SECURITY\Policy\PolEKList
[*] Auxiliary module execution completed
smcintyre-r7 commented 3 days ago

Release Notes

This adds a module to read and write the security descriptor of Windows registry keys.