#!/usr/bin/env python # -*- Coding: UTF-8 -*- import sys import binascii import logging from ZIBE import logs, zbutil from ZIBE.context_mgr import ContextManager, ZIBEException from ZIBE.shell import ZIBEShell from optparse import OptionParser import os if os.name == "nt": sep = ';' else: sep = ":" for v in os.environ['PATH'].split(sep): sys.path.append(v) __logo__ = ''' .sssssssss. .ssssssssssssssssss sssssssssssssssssssssss sssssssssssssssssssssssssss @@sssssssssssssssssssssss@ss |s@@@@sssssssssssssss@@@@s|s _____|sssss@@@@@sssss@@@@@sssss|s / sssssssss@sssss@sssssssss|s / .----+.ssssssss@sssss@ssssssss.| / / |...sssssss@sss@sssssss...| | | |.......sss@sss@ssss......| | | |..........s@ss@sss.......| | | |...........@ss@..........| \ \ |............ss@..........| \ , +...........ss@...........| \______ .........................| | ........................| /...........................\\ |.............................| |.......................| |...............| ''' class ZIBEOptionParser(OptionParser): def __init__(self): OptionParser.__init__(self) self.add_option('--TargetIp', help='IP Address of Target Machine', dest="TargetIp") self.add_option('--TargetPort', help='Port of Target Machine', dest="TargetPort", default=445, type='int') self.add_option('--NetworkTimeout', help='Timeout for networking calls', dest="NetworkTimeout", default=60, type='int') self.add_option('--TargetEPMPort', help='Port of Target Machine', dest="TargetEPMPort", default=135, type='int') self.add_option('--CredentialType', help='Type of credential provided', dest="CredentialType", default="UsernamePassword") self.add_option('--Username', help='Account Username', dest="Username") self.add_option('--Credential', help='Account Password', dest="Credential") self.add_option('--Domain', help='Account Domain', dest="Domain", default=None) # Kerberos options self.add_option("--UseESRO", action="store_true", dest="UseESRO") self.add_option('--KerbCredentialType', help="The type of credential to use when performing the kerberos authentication", dest='KerbCredentialType') self.add_option('--TargetNetbiosName', help="NETBIOS name of the target computer", dest='TargetNetbiosName') self.add_option('--TargetDcIp', help="Domain Controller's IP address", dest='TargetDcIp') self.add_option('--TargetDcKerberosPort', help="Port used by the Kerberos service", dest='TargetDcKerberosPort', default=88, type='int') self.add_option('--TargetDcSMBPort', help="Port used by the Kerberos service", dest='TargetDcSMBPort', default=445, type='int') # DAPU Options self.add_option('--PrivateKey', help='DAPU Private Key', dest="PrivateKey") # Usability options self.add_option('--TabCompletion', help='Disable tab completion, which uses more network traffic, and may be painful over slow networks', dest="TabCompletion") try: sys.path.append(os.path.abspath(os.path.join(os.environ['FBDIR'], "fuzzbunch"))) from coli import CommandlineWrapper except Exception as e: print "Fuzzbunch directory not registered. Using command line arguments" class CommandlineWrapper(object): def __call__(self, args): print "Called local commandlinewrapper" d = {} context = {} self.processParams(args, None, d, context, logs.get_logger('debug.log')) class ZIBE(CommandlineWrapper): def __init__(self): CommandlineWrapper.__init__(self) self.parser = ZIBEOptionParser() self.opts = None self.args = None def __del__(self): pass def validateParams(self, params): return True def cleanup(self, flags, context, logConfig): return def getID(self): return "b7bc209584db8d06d97dd5a6fa8b2453a93aa94a" def processParams(self, inputs, constants, outputs, context, logConfig): # As a bi-product of the way we do things, we need to remove # the StreamHandler from the logConfig we receive for l in logConfig.handlers: if not isinstance(l, logging.FileHandler): logConfig.removeHandler(l) try: options, args = self.parser.parse_args(inputs) if options.TargetIp == "" or options.TargetPort > 65535: print("IP/port are invalid") return if options.CredentialType not in ['UsernamePassword', 'PasswordHash', 'Kerberos', 'DAPU']: print("Invalid credential type. ") return except: self.parser.print_usage() return print "[+] TargetIp: %s" % (options.TargetIp) print "[+] TargetPort: %d" % (options.TargetPort) mgr = ContextManager() ctx = mgr.create_context("UselessContextName", options.TargetIp, options.TargetPort, options.TargetEPMPort) print "[+] CredentialType: %s" % (options.CredentialType) try: if options.CredentialType in ['UsernamePassword', 'PasswordHash']: domain = options.Domain or '\\' in options.Username try: if options.CredentialType == 'UsernamePassword' and domain: ctx.provider( ctx.PROVIDER_NTLM_DOMAIN ) if options.Domain: ctx.domain(options.Domain) ctx.username( zbutil.arg_to_utf8(options.Username) ) ctx.password( zbutil.arg_to_utf8(options.Credential) ) print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username)) print "[+] Credential: %s" % (zbutil.arg_to_utf8(options.Credential)) elif options.CredentialType == 'UsernamePassword' and not domain: ctx.provider( ctx.PROVIDER_NTLM_PLAINTEXT ) ctx.username( zbutil.arg_to_utf8(options.Username) ) ctx.password( zbutil.arg_to_utf8(options.Credential) ) print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username)) print "[+] Credential: %s" % (zbutil.arg_to_utf8(options.Credential)) elif options.CredentialType == 'PasswordHash' and domain: ctx.provider( ctx.PROVIDER_NTLM_DOMAIN_HASH ) if options.Domain: ctx.domain(options.Domain) ctx.username( zbutil.arg_to_utf8(options.Username) ) ctx.password_hash(binascii.unhexlify(options.Credential)) print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username)) print "[+] Password Hash: %s" % (options.Credential) elif options.CredentialType == 'PasswordHash' and not domain: ctx.provider( ctx.PROVIDER_NTLM_PWHASH ) ctx.username( zbutil.arg_to_utf8(options.Username) ) ctx.password_hash(binascii.unhexlify(options.Credential)) print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username)) print "[+] Password Hash: %s" % (options.Credential) except Exception as e: print("Unable to parse username or password: %s" % (e)) return elif options.CredentialType == 'Kerberos': if options.KerbCredentialType not in ['Password', 'PasswordHash']: print("Invalid Kerberos credential type (--KerbCredentialType)") return if not options.TargetDcIp or options.TargetDcIp == "": print("Invalid domain controller IP address") return if not options.TargetNetbiosName or options.TargetNetbiosName == "": print("TargetNetbiosName is required") return print "[+] TargetDcIp: %s" % (options.TargetDcIp) print "[+] TargetDcPort: %s" % (options.TargetDcKerberosPort) print "[+] TargetDcSMBPort: %s" % (options.TargetDcSMBPort) print "[+] TargetNetbiosName: %s" % (zbutil.arg_to_utf8(options.TargetNetbiosName)) print "[+] KerbCredentialType: %s" % (options.KerbCredentialType) print "[+] Username: %s" % (zbutil.arg_to_utf8(options.Username)) if options.KerbCredentialType == 'Password': if options.UseESRO: ctx.provider( ctx.PROVIDER_ESRO_PLAINTEXT ) else: ctx.provider( ctx.PROVIDER_KERB_PLAINTEXT ) ctx.password(zbutil.arg_to_utf8(options.Credential)) print "[+] Password: %s" % (zbutil.arg_to_utf8(options.Credential)) else: # Password Hash if options.UseESRO: ctx.provider( ctx.PROVIDER_ESRO_HASH ) else: ctx.provider( ctx.PROVIDER_KERB_HASH ) try: ctx.password_hash(binascii.unhexlify( options.Credential )) print "[+] PasswordHash: %s" % (options.Credential) except TypeError as e: print("Invalid password hash. Password must be encoded using binhex representation") print(str(e)) ctx.kdc_location( options.TargetDcIp, options.TargetDcKerberosPort, options.TargetDcSMBPort ) ctx.target_name( zbutil.arg_to_utf8(options.TargetNetbiosName)) ctx.username(zbutil.arg_to_utf8(options.Username)) elif options.CredentialType == 'DAPU': ctx.provider( ctx.PROVIDER_DAPU ) ctx.dp_key( binascii.unhexlify( options.PrivateKey)) else: print("Invalid Authentication mechanism") return except Exception, e: print("Error when parsing parameters: " + str(e) ) import traceback print(traceback.format_exc()) return try: ctx.start_session() except ZIBEException, err: print("Failed to start ZIBE session: " + str(err) ) return print(__logo__) if options.TabCompletion: shell = ZIBEShell(context=ctx, logger=logConfig) else: shell = ZIBEShell(context=ctx, completekey=None, logger=logConfig) shell.cmdloop(intro="ZIBE Interactive Shell") mgr.release_context(ctx) if __name__ == "__main__": z = ZIBE() z(sys.argv[1:])