196 lines
8.9 KiB
XML
196 lines
8.9 KiB
XML
|
<?xml version="1.0"?>
|
||
|
|
<t:config id="f08d49ac41d1023d9d462d58af51414daff95a6a"
|
||
|
|
name="Regread"
|
||
|
|
version="1.1.1"
|
||
|
|
configversion="1.1.1.0"
|
||
|
|
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
|
||
|
|
xmlns:t='tc0'>
|
||
|
|
|
||
|
|
<t:inputparameters>
|
||
|
|
<t:parameter name="NetworkTimeout"
|
||
|
|
description="Timeout for blocking network calls (in seconds)"
|
||
|
|
type="S16"
|
||
|
|
default="60"/>
|
||
|
|
<t:parameter name="TargetIp"
|
||
|
|
description="Target IP Address"
|
||
|
|
type="IPv4"
|
||
|
|
binding="//identifier"/>
|
||
|
|
<t:parameter name="TargetPort"
|
||
|
|
description="Port used by the winreg service"
|
||
|
|
type="TcpPort"
|
||
|
|
binding="//service[name='smb']/port"
|
||
|
|
default="445"/>
|
||
|
|
|
||
|
|
<t:paramchoice name="RegHive"
|
||
|
|
description="Registry hive to read">
|
||
|
|
<t:paramgroup name="HKLM"
|
||
|
|
description="Connect to HKEY_LOCAL_MACHINE"/>
|
||
|
|
<t:paramgroup name="HKU"
|
||
|
|
description="Connect to HKEY_USERS"/>
|
||
|
|
<t:paramgroup name="HKPD"
|
||
|
|
description="Connect to HKEY_PERFORMANCE_DATA"/>
|
||
|
|
<t:paramgroup name="HKCU"
|
||
|
|
description="Connect to HKEY_CURRENT_USER"/>
|
||
|
|
<t:paramgroup name="HKCR"
|
||
|
|
description="Connect to HKEY_CLASSES_ROOT"/>
|
||
|
|
</t:paramchoice>
|
||
|
|
|
||
|
|
<t:parameter name="RegKey"
|
||
|
|
description="The registry key to read, as string or hex bytes"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="RegValue"
|
||
|
|
description="The registry value to read, as string or hex bytes"
|
||
|
|
type="UString"/>
|
||
|
|
|
||
|
|
<t:paramchoice name="AuthLevel"
|
||
|
|
description="RPC authentication level"
|
||
|
|
default="None">
|
||
|
|
<t:paramgroup name="Default"
|
||
|
|
description="Default level for RPC service"/>
|
||
|
|
<t:paramgroup name="None"
|
||
|
|
description="No authentication"/>
|
||
|
|
<t:paramgroup name="Connect"
|
||
|
|
description="Authenticates connection setup only"/>
|
||
|
|
<t:paramgroup name="Call"
|
||
|
|
description="Authenticates RPC call only"/>
|
||
|
|
<t:paramgroup name="Packet"
|
||
|
|
description="Validate packet sender"/>
|
||
|
|
<t:paramgroup name="Integrity"
|
||
|
|
description="Packet level integrity"/>
|
||
|
|
<t:paramgroup name="Privacy"
|
||
|
|
description="Packet level encryption"/>
|
||
|
|
</t:paramchoice>
|
||
|
|
|
||
|
|
<t:paramchoice name="CredentialType"
|
||
|
|
description="Password, password hash, ticket, etc">
|
||
|
|
<t:paramgroup name="UnicodeCreds"
|
||
|
|
description="Unicode encoded credentials">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Username entered as hex bytes (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="Credential"
|
||
|
|
description="Unicode password entered as hex bytes (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="PasswordHash"
|
||
|
|
description="NTLM password hash">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Username entered as hex bytes (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="Credential"
|
||
|
|
description="Hash of user/machine password entered as hex bytes"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="MachineHash"
|
||
|
|
description="Machine credentials, obtained from LSADump">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Machine name, including the '$' character, in UNICODE"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="Credential"
|
||
|
|
description="Hash of machine password entered as HEX BYTES. This can be obtained from lsadump"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="KerberosTicket"
|
||
|
|
description="Kerberos ticket for target machine">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Name of the user who owns the Kerberos ticket (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="DomainDns"
|
||
|
|
description="DNS name of the domain being exploited (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="KerberosTicket"
|
||
|
|
description="Kerberos ticket with necessary privileges"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="SessionKey"
|
||
|
|
description="Encryption key used in the Kerberos ticket"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="KerberosFile"
|
||
|
|
description="Kerberos ticket from disk">
|
||
|
|
<t:parameter name="TicketFile"
|
||
|
|
description="Local file holding Kerberos ticket"
|
||
|
|
type="LocalFile"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
|
||
|
|
</t:paramchoice>
|
||
|
|
</t:inputparameters>
|
||
|
|
|
||
|
|
<t:outputparameters>
|
||
|
|
<t:paramchoice name="CredentialType"
|
||
|
|
description="Password, password hash, ticket, etc">
|
||
|
|
<t:paramgroup name="UnicodeCreds"
|
||
|
|
description="Unicode encoded credentials">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Username entered as hex bytes (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="Credential"
|
||
|
|
description="Unicode password entered as hex bytes (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="PasswordHash"
|
||
|
|
description="NTLM password hash">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Username entered as hex bytes (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="Credential"
|
||
|
|
description="Hash of user/machine password entered as hex bytes"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="MachineHash"
|
||
|
|
description="Machine credentials, obtained from LSADump">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Machine name, including the '$' character, in UNICODE"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="Credential"
|
||
|
|
description="Hash of machine password entered as HEX BYTES. This can be obtained from lsadump"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
|
||
|
|
<t:paramgroup name="KerberosTicket"
|
||
|
|
description="Kerberos ticket for target machine">
|
||
|
|
<t:parameter name="Username"
|
||
|
|
description="Name of the user who owns the Kerberos ticket (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="DomainDns"
|
||
|
|
description="DNS name of the domain being exploited (in Unicode)"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="KerberosTicket"
|
||
|
|
description="Kerberos ticket with necessary privileges"
|
||
|
|
type="UString"/>
|
||
|
|
<t:parameter name="SessionKey"
|
||
|
|
description="Encryption key used in the Kerberos ticket"
|
||
|
|
type="UString"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
<t:paramgroup name="KerberosFile"
|
||
|
|
description="Kerberos ticket from disk">
|
||
|
|
<t:parameter name="TicketFile"
|
||
|
|
description="Local file holding Kerberos ticket"
|
||
|
|
type="LocalFile"/>
|
||
|
|
</t:paramgroup>
|
||
|
|
</t:paramchoice>
|
||
|
|
|
||
|
|
</t:outputparameters>
|
||
|
|
|
||
|
|
<t:redirection>
|
||
|
|
<t:local protocol="TCP"
|
||
|
|
listenaddr="TargetIp"
|
||
|
|
listenport="TargetPort"
|
||
|
|
destaddr="//identifier"
|
||
|
|
destport="//service[name='smb']/port"
|
||
|
|
closeoncompletion="true"/>
|
||
|
|
</t:redirection>
|
||
|
|
|
||
|
|
<t:logic>
|
||
|
|
<t:or>
|
||
|
|
<t:os family="windows" name="Windows 2000"/>
|
||
|
|
<t:os family="windows" name="Windows XP"/>
|
||
|
|
<t:os family="windows" name="Windows 2003"/>
|
||
|
|
<t:os family="windows" name="Windows 2003 R2"/>
|
||
|
|
<t:os family="windows" name="Windows Vista"/>
|
||
|
|
<t:os family="windows" name="Windows 2008"/>
|
||
|
|
<t:os family="windows" name="Windows 7"/>
|
||
|
|
<t:os family="windows" name="Windows 2008 R2"/>
|
||
|
|
</t:or>
|
||
|
|
</t:logic>
|
||
|
|
</t:config>
|