Added the tspkg module
Description
This PR introduces a new module that enables the AllowDefaultCredentials registry key so cleartext creds can be dumped with tspkg.
The module supports three actions:
- enable: Creates/sets the registry key and values required for TSPKG/CredSSP credential delegation, enabling credential dumping
- disable: Removes the registry key and subkeys associated with AllowDefaultCredentials
- check: Queries the registry to confirm whether the key is present and enabled
Type of change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Deprecation of feature or functionality
- [ ] This change requires a documentation update
- [ ] This requires a third party update (such as Impacket, Dploot, lsassy, etc)
Setup guide for the review
Get administrative access to a Windows machine over SMB. Run the tspkg module with the ACTION option:
- enable - Creates/sets the AllowDefaultCredentials registry key and values.
- disable - Deletes the registry entries created by the module.
- check - Confirms whether the registry key is enabled and logs any SPN values.
- dump lsass with lsassy (see screenshot)
Tested against Windows Server 2019. Confirmed that enabling adds the correct DWORD and SPN subkey, disabling removes them, and check accurately returns the expected registry state.
Screenshots (if appropriate):
Ignore prox its, something with proxychains in my GOAD setup
Checklist:
- [X] I have run Ruff against my changes (via poetry: poetry run python -m ruff check . --preview, use --fix to automatically fix what it can)
- [X] I have added or updated the tests/e2e_commands.txt file if necessary (new modules or features are required to be added to the e2e tests)
- [X] New and existing e2e tests pass locally with my changes
- [X] If reliant on changes of third party dependencies, such as Impacket, dploot, lsassy, etc, I have linked the relevant PRs in those projects
- [X] I have performed a self-review of my own code
- [X] I have commented my code, particularly in hard-to-understand areas
- [x] I have made corresponding changes to the documentation (PR here: https://github.com/Pennyw0rth/NetExec-Wiki)
*Some parts are copied from the wdigest module; both modules achieve the same results.
Wow that's hot and definitely something I wasn't aware of! Will take a look :)! Thanks for the PR! One thing I'd already do is make "check" the default behaviour tho. @NeffIsBack I believe we should do the same for each and every "registry keys" related modules
Just looked at it, there are two things ruff complains about:
- White dash here: [screenshot]
- Missing newline at the end of the module: [screenshot]
With tspkg enabled: [screenshot]
Without tspkg enabled: [screenshot]
So the code works.
About the structure of the module, I guess you can make it quite a bit simpler by factorizing it. Have a generic:
remote_ops = RemoteOperations(smbconnection, False)
remote_ops.enableRegistry()
...
And a:
if self.action == "check":
    ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
    ReadSubKey....
elif self.action == "add":
    ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
    CreateSubkey....
elif self.action == "remove":
    ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
    RemoveSubKeys....
Because right now you are duplicating code, and that's not necessary.
Thanks for the PR!
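The shape the reviewer is asking for (one backend handle, one dispatch over the three actions the PR description lists, with check as the default the first comment requested) is easier to see in a self-contained sketch. The block below is an added example written for this thread; it is not the PR's code and not NetExec's. The remote RRP handle is replaced by an in-memory registry stand-in so the dispatch can be exercised offline, and the policy path (HKLM\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation, DWORD AllowDefaultCredentials plus a subkey of the same name holding SPN patterns) is an assumption about where Windows keeps this CredSSP setting, not something the PR states.

```python
"""Factorised action dispatch for a registry-key module (added example).

Assumptions (not from the PR): the CredSSP delegation policy lives under
HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\CredentialsDelegation, with a
DWORD AllowDefaultCredentials and a subkey of the same name whose values are
SPN patterns. The impacket rrp calls a real module would make
(hBaseRegCreateKey, hBaseRegSetValue, hBaseRegQueryValue, hBaseRegDeleteKey,
hBaseRegEnumValue) are stood in for by InMemoryRegistry so this runs offline.
"""
from dataclasses import dataclass, field

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
VALUE_NAME = "AllowDefaultCredentials"
SPN_SUBKEY = POLICY_KEY + "\\" + VALUE_NAME


@dataclass
class InMemoryRegistry:
    """Constructed stand-in for the remote registry: path -> {value: data}."""
    keys: dict = field(default_factory=dict)

    def create_key(self, path):            # ~ hBaseRegCreateKey
        self.keys.setdefault(path, {})

    def set_value(self, path, name, data): # ~ hBaseRegSetValue
        self.keys[path][name] = data

    def query_value(self, path, name):     # ~ hBaseRegQueryValue
        return self.keys.get(path, {}).get(name)

    def delete_value(self, path, name):    # ~ hBaseRegDeleteValue
        self.keys.get(path, {}).pop(name, None)

    def delete_key(self, path):            # ~ hBaseRegDeleteKey
        self.keys.pop(path, None)

    def list_values(self, path):           # ~ hBaseRegEnumValue loop
        return dict(self.keys.get(path, {}))


def check(reg):
    """Audit view: is delegation of default credentials switched on, and to what SPNs?"""
    dword = reg.query_value(POLICY_KEY, VALUE_NAME)
    spns = reg.list_values(SPN_SUBKEY)
    enabled = dword == 1 and len(spns) > 0
    return {"enabled": enabled, "dword": dword, "spns": list(spns.values())}


def enable(reg, spn="*"):
    """The PR's 'enable' arm: DWORD plus one SPN entry, then re-check."""
    reg.create_key(POLICY_KEY)
    reg.set_value(POLICY_KEY, VALUE_NAME, 1)
    reg.create_key(SPN_SUBKEY)
    reg.set_value(SPN_SUBKEY, "1", spn)
    return check(reg)


def disable(reg):
    """The PR's 'disable' arm: remove the SPN subkey and the DWORD, then re-check."""
    reg.delete_key(SPN_SUBKEY)
    reg.delete_value(POLICY_KEY, VALUE_NAME)
    return check(reg)


# One table instead of three copies of the open-handle boilerplate.
ACTIONS = {"check": check, "enable": enable, "disable": disable}


def run(reg, action="check"):
    """Single entry point: validate the action once, dispatch once. 'check' is the default."""
    handler = ACTIONS.get(action.lower())
    if handler is None:
        raise ValueError(f"unknown action {action!r}; expected one of {sorted(ACTIONS)}")
    return handler(reg)


if __name__ == "__main__":
    reg = InMemoryRegistry()
    for act in ("check", "enable", "check", "disable"):
        print(act, run(reg, act))
```

With the real module, `reg` would be the RemoteOperations/rrp handle opened once at the top, and each action function would receive it; the per-action `hOpenLocalMachine` call in the original moves into that single setup step.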
@NeffIsBack I believe we should do the same for each and every "registry keys" related modules
Yep, definitely a good idea, but actually I don't think there are thaaat many that simply change reg keys.
Can this be merged?
Can this be merged?
Unfortunately my time at the moment is very limited. We'll have to wait until I have had time to review it, but there are still quite a lot of other PRs waiting in the queue.