Added the tspkg module #940
*Some parts are copied from the wdigest module, both modules achieve the same results
Signed-off-by: E1A <57531297+E1A@users.noreply.github.com>
Wow that's hot and definitely something I wasn't aware of! Will take a look :)! Thanks for the PR! One thing I'd already do is make "check" the default behaviour tho. @NeffIsBack I believe we should do the same for each and every "registry keys" related modules
…default behaviour
Thanks for the PR!
Yep, definitely a good idea, but actually I don't think there are thaaat many that simply change reg keys.
Can this be merged?
Unfortunately my time at the moment is very limited. We'll have to wait until I've had time to review it, but there are still quite a lot of other PRs that are waiting in queue.
No rush but have you been able to look at the module?
Not yet. There are still a ton of PRs that will come first because they waited even longer. Bear with me, we will get to it one day :D
| name = "tspkg" | ||
| description = ( | ||
| "Creates, removes or inspects the AllowDefaultCredentials registry entry" |
Please add a space between the two description strings (or use a single string)
| def on_admin_login(self, context, connection): | ||
| self._manage_allow_default_credentials(context, connection.conn) | ||
| def _parse_dword(self, data): |
Please remove _parse_dword and use int(data) like wdigest.py, unless you have a repro where impacket returns non-int DWORDs on your targets
| rrp.hBaseRegSetValue(remote_ops._RemoteOperations__rrp, key_handle, "ConcatenateDefaults_AllowDefault\x00", rrp.REG_DWORD, 1) | ||
| # create (or open) subkey and add SPN entry as value "1" | ||
| try: |
For consistency, swap the try/except order: try hBaseRegOpenKey first, then hBaseRegCreateKey on DCERPCException (mirror L65–70).
| subkey_handle = ans["phkResult"] | ||
| rrp.hBaseRegSetValue(remote_ops._RemoteOperations__rrp, subkey_handle, "1\x00", rrp.REG_SZ, "*\x00") | ||
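Review bot: the value written here is the wildcard SPN `*`, so default credentials become delegable to every server, not only the target under test; log this explicitly (for example with context.log.highlight, matching the debug line the delete path emits, "Deleted subkey value '1'") so the operator's output and the session record show the scope of the change.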
You must initialize data = None before the try
| else: | ||
| if module_options["ACTION"].lower() not in ["enable", "disable", "check"]: | ||
| context.log.fail("Invalid value for ACTION option! (allowed: enable, disable, check)") | ||
| exit(1) |
Please return instead of exit(1)
| try: | ||
| rrp.hBaseRegDeleteValue(remote_ops._RemoteOperations__rrp, sub_handle, "1\x00") | ||
| context.log.debug("Deleted subkey value '1'") | ||
| except Exception: |
Please catch DCERPCException instead of bare Exception here (and in the other delete blocks) to stay consistent with the rest of the module and avoid swallowing unrelated errors
| try: | ||
| rrp.hBaseRegDeleteKey(remote_ops._RemoteOperations__rrp, key_handle, "AllowDefaultCredentials") | ||
| context.log.debug("Deleted AllowDefaultCredentials subkey") | ||
| except Exception: |
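Review bot: hBaseRegDeleteKey here removes the whole AllowDefaultCredentials subkey, not just the value "1" that the enable path wrote and that the preceding block already deletes; if an administrator had configured their own SPN entries under that key, disable would wipe them too. Delete the key only when no other values remain, or state in the module description that disable resets the entire policy key.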
| @@ -0,0 +1,171 @@ | |||
| from impacket.dcerpc.v5.rpcrt import DCERPCException | |||
| from impacket.dcerpc.v5 import rrp | |||
| from impacket.examples.secretsdump import RemoteOperations | |||
Please don't use RemoteOperations. We already have a dedicated helper, NXCRPCConnection (rpc.py), which is the standard way to do remote registry in NetExec
| return None | ||
| def _manage_allow_default_credentials(self, context, smbconnection): | ||
| remote_ops = RemoteOperations(smbconnection, False) |
See above and please switch to :
connection.trigger_winreg()
dce = NXCRPCConnection(connection).connect(r"\winreg", rrp.MSRPC_UUID_RRP)
| self.action = module_options["ACTION"].lower() | ||
| def on_admin_login(self, context, connection): | ||
| self._manage_allow_default_credentials(context, connection.conn) |
To use NXCRPCConnection, please pass connection instead of connection.conn
Description
This PR introduces a new module that enables the AllowDefaultCredentials registry key so cleartext creds can be dumped with tspkg
The module supports three actions:
Type of change
Setup guide for the review
Get administrative access to a Windows machine over SMB.
Run the tspkg module with the ACTION option:
Tested against Windows Server 2019. Confirmed that enabling adds the correct DWORD and SPN subkey, disabling removes them, and check accurately returns the expected registry state
Screenshots (if appropriate):
Ignore

proxits, something with proxychains in my GOAD setup
Checklist:
poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
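The PR description names the DWORD and the SPN subkey the module writes; the following is an added defender-side audit script, not part of the PR or of NetExec, that reads that same registry state back on a host. It assumes the parent key is the CredSSP delegation policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation` (the PR only names the AllowDefaultCredentials subkey), and the function name is my own.

```powershell
# Added example (not from the PR): report whether default credential delegation
# has been switched on via the registry, which is what the tspkg module toggles.
# Assumption: the parent policy key is CredentialsDelegation; the PR names only the subkey.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$SubKey    = Join-Path $PolicyKey 'AllowDefaultCredentials'

function Get-DefaultCredentialDelegationState {
    $result = [ordered]@{
        PolicyKeyPresent      = Test-Path $PolicyKey
        ConcatenateDefaults   = $null   # DWORD the module sets to 1 on enable
        AllowDefaultCredsFlag = $null   # policy flag that usually accompanies it
        SpnEntries            = @()     # numbered values under the subkey ("1" = "*" in the PR)
        WildcardSpn           = $false
    }
    if ($result.PolicyKeyPresent) {
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $result.ConcatenateDefaults   = $props.ConcatenateDefaults_AllowDefault
        $result.AllowDefaultCredsFlag = $props.AllowDefaultCredentials
    }
    if (Test-Path $SubKey) {
        $item = Get-Item -Path $SubKey
        # Each value name is a counter ("1", "2", ...) and its data is an SPN pattern.
        $result.SpnEntries = foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Name = $name; Spn = $item.GetValue($name) }
        }
        $result.WildcardSpn = [bool]($result.SpnEntries | Where-Object Spn -eq '*')
    }
    [pscustomobject]$result
}

$state = Get-DefaultCredentialDelegationState
$state | Format-List
if ($state.WildcardSpn -or $state.ConcatenateDefaults -eq 1) {
    Write-Warning 'Default credential delegation is enabled (wildcard SPN and/or ConcatenateDefaults set); find out who changed it.'
}
```

Pair the check with a SACL on the CredentialsDelegation key so that future writes raise Security event 4657 (registry value modified) and the change is captured at the time it happens rather than at the next audit.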