add new security-questions module

Open Adamkadaban opened this issue 9 months ago • 4 comments

Description

This module will dump security questions and answers for all users on the machine, assuming it is run as administrator.

Requires this PR to work: https://github.com/fortra/impacket/pull/1743


Reference: https://hackback.zip/2024/05/08/Remotely-Dumping-Windows-Security-Questions-With-Impacket.html

Type of change

  • [x] New feature (non-breaking change which adds functionality)

How has this been tested?

Only tested against Windows 10 and Windows 11. Ran e2e tests.

Screenshots

[Image: example output shows <Username> - <Question>: <Answer> for each user]

Checklist

  • [x] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
  • [x] I have added or updated the tests/e2e_commands.txt file if necessary
  • [x] New and existing e2e tests pass locally with my changes
  • [x] My code follows the style guidelines of this project (should be covered by Ruff above)
  • [x] If reliant on third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki/pull/11)

Adamkadaban avatar May 08 '24 22:05 Adamkadaban

@Adamkadaban did you run Ruff against this? If you are using poetry: poetry run python -m ruff check . --preview

Marshall-Hallenbeck avatar May 10 '24 18:05 Marshall-Hallenbeck

> did you run Ruff against this?

@Marshall-Hallenbeck Oh sorry, I didn't - but I have now. Made the necessary changes and all checks are passing.

Adamkadaban avatar May 10 '24 19:05 Adamkadaban

Quick question, but since this information is dumped calling the SAMR RPC endpoint, can't we simply add this module in the code --sam option?

Dfte avatar May 12 '24 12:05 Dfte

@Dfte I considered this too. I would say yes, but afaik --sam currently only tries to dump passwords in the sam database. There are a ton of things we can dump with samr that currently aren't being dumped, so I assumed the best option would be a module

Adamkadaban avatar May 12 '24 15:05 Adamkadaban

@NeffIsBack

> Not sure what is happening here, but when I swap out the print() for the exception logging this is the traceback:

This looks like the ~very verbose~ logging that impacket provides when an information class doesn't exist.

I think this means your impacket is outdated

Adamkadaban avatar Jun 01 '24 23:06 Adamkadaban

> @NeffIsBack

> > Not sure what is happening here, but when I swap out the print() for the exception logging this is the traceback:

> This looks like the ~very verbose~ logging that impacket provides when an information class doesn't exist.

> I think this means your impacket is outdated

Oh yes, it's late, missed the fortra PR notice. Gonna update impacket and try again👍🏼

NeffIsBack avatar Jun 01 '24 23:06 NeffIsBack

Hmm okay, so with impacket being updated I get an error on the DC and no output at all on the Win11 machine. There should be a local account set up with sec questions. [image] [image]

The DC debug output: [image]

The Win11 debug output (looks like it's running fine, but doesn't find anything?): [image]

NeffIsBack avatar Jun 02 '24 11:06 NeffIsBack

Looks like on DC this object doesn't have the UserResetInformation block. I added a try/except block (with debug logging) just in case other servers have the same problem with some users. [image]

NeffIsBack avatar Jul 18 '24 22:07 NeffIsBack