sneedmca/shadowbrokers-exploits
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
shadowbrokers-exploits/windows/payloads/Regdelete-1.1.1.0.xml
Donncha O'Cearbhaill 7f640a83d4 Inital commit of Shadowbrokers 'Lost in Translation' release
2017-04-14 11:45:07 +02:00

182 lines
8.3 KiB
XML
Raw Blame History

<?xml version="1.0"?>
<t:config id="4d6e05ddd130ec9b520bbee4d7f887b9db6595d5"
name="Regdelete"
version="1.1.1"
configversion="1.1.1.0"
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xmlns:t='tc0'>
<t:inputparameters>
<t:parameter name="NetworkTimeout"
description="Timeout for blocking network calls (in seconds)"
type="S16"
default="60"/>
<t:parameter name="TargetIp"
description="Target IP Address"
type="IPv4"
binding="//identifier"/>
<t:parameter name="TargetPort"
description="Port used by the atsvc service"
type="TcpPort"
binding="//service[name='smb']/port"
default="445"/>
<t:paramchoice name="RegHive"
description="Registry hive containing the key or value to be deleted">
<t:paramgroup name="HKLM"
description="Connect to HKEY_LOCAL_MACHINE" />
<t:paramgroup name="HKU"
description="Connect to HKEY_USERS" />
<t:paramgroup name="HKPD"
description="Connect to HKEY_PERFORMANCE_DATA"/>
<t:paramgroup name="HKCU"
description="Connect to HKEY_CURRENT_USER"/>
<t:paramgroup name="HKCR"
description="Connect to HKEY_CLASSES_ROOT"/>
</t:paramchoice>
<t:parameter name="RegKey"
description="The registry key containing the entity to be deleted"
type="UString"/>
<t:paramchoice name="TypeToDelete"
description="Specifies whether we want to delete a key or value">
<t:paramgroup name="Key"
description="Delete a key"/>
<t:paramgroup name="Value"
description="Delete a value"/>
</t:paramchoice>
<t:parameter name="EntityToDelete"
description="The thing (key or value) to delete, as a UString"
type="UString"/>
<t:paramchoice name="CredentialType"
description="Password, password hash, ticket, etc">
<t:paramgroup name="UnicodeCreds"
description="Unicode encoded credentials">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Unicode password entered as hex bytes (in Unicode)"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="PasswordHash"
description="NTLM password hash">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Hash of user/machine password entered as hex bytes"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosTicket"
description="Kerberos ticket for target machine">
<t:parameter name="Username"
description="Name of the user who owns the Kerberos ticket (in Unicode)"
type="UString"/>
<t:parameter name="DomainDns"
description="DNS name of the domain being exploited (in Unicode)"
type="UString"/>
<t:parameter name="KerberosTicket"
description="Kerberos ticket with necessary privileges"
type="UString"/>
<t:parameter name="SessionKey"
description="Encryption key used in the Kerberos ticket"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosFile"
description="Kerberos ticket from disk">
<t:parameter name="TicketFile"
description="Local file holding Kerberos ticket"
type="LocalFile"/>
</t:paramgroup>
<t:paramgroup name="MachineHash"
description="Credentials for the domain computer, obtained from lsadump">
<t:parameter name="Username"
description="Machine's name, with trailing '$' character, in UNICODE"
type="UString"/>
<t:parameter name="Credential"
description="Machine hash obtained from lsadump, entered as HEX bytes."
type="UString"/>
</t:paramgroup>
</t:paramchoice>
</t:inputparameters>
<t:outputparameters>
<t:paramchoice name="CredentialType"
description="Password, password hash, ticket, etc">
<t:paramgroup name="UnicodeCreds"
description="Unicode encoded credentials">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Unicode password entered as hex bytes (in Unicode)"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="PasswordHash"
description="NTLM password hash">
<t:parameter name="Username"
description="Username entered as hex bytes (in Unicode)"
type="UString"/>
<t:parameter name="Credential"
description="Hash of user/machine password entered as hex bytes"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="MachineHash"
description="Credentials for the domain computer, obtained from lsadump">
<t:parameter name="Username"
description="Machine's name, with trailing '$' character, in UNICODE"
type="UString"/>
<t:parameter name="Credential"
description="Machine hash obtained from lsadump, entered as HEX bytes."
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosTicket"
description="Kerberos ticket for target machine">
<t:parameter name="Username"
description="Name of the user who owns the Kerberos ticket (in Unicode)"
type="UString"/>
<t:parameter name="DomainDns"
description="DNS name of the domain being exploited (in Unicode)"
type="UString"/>
<t:parameter name="KerberosTicket"
description="Kerberos ticket with necessary privileges"
type="UString"/>
<t:parameter name="SessionKey"
description="Encryption key used in the Kerberos ticket"
type="UString"/>
</t:paramgroup>
<t:paramgroup name="KerberosFile"
description="Kerberos ticket from disk">
<t:parameter name="TicketFile"
description="Local file holding Kerberos ticket"
type="LocalFile"/>
</t:paramgroup>
</t:paramchoice>
</t:outputparameters>
<t:redirection>
<t:local protocol="TCP"
listenaddr="TargetIp"
listenport="TargetPort"
destaddr="//identifier"
destport="//service[name='smb']/port"
closeoncompletion="true"/>
</t:redirection>
<t:logic>
<t:or>
<t:os family="windows" name="Windows 2000"/>
<t:os family="windows" name="Windows XP"/>
<t:os family="windows" name="Windows 2003"/>
<t:os family="windows" name="Windows 2003 R2"/>
<t:os family="windows" name="Windows Vista"/>
<t:os family="windows" name="Windows 2008"/>
<t:os family="windows" name="Windows 7"/>
<t:os family="windows" name="Windows 2008 R2"/>
</t:or>
</t:logic>
</t:config>
Reference in a new issue View git blame Copy permalink