harmj0y / damp
The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification
License: BSD 3-Clause "New" or "Revised" License
Hi, RemoteHashRetrieval.ps1 & Add-RemoteRegBackdoor work perfectly, but the other 2 functions
Get-RemoteMachineAccountHash & Get-RemoteCachedCredential encountered some errors as shown below:
```
PS C:\Users\user1\Desktop\DAMP-master\DAMP-master> Get-RemoteMachineAccountHash -ComputerName mail.testdomain.com
Decrypt-AES : The parameter 'IV' cannot be specified because it conflicts with the parameter alias of the same name
for parameter 'InformationVariable'.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1282 char:30
$LSAKeyStructPlaintext = Decrypt-AES -Key $TmpKey -CipherText $LS ...
~~~~~~~~~~~
Cannot index into a null array.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1283 char:5
$LSAKey = $LSAKeyStructPlaintext[68..99]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exception calling "ToString" with "1" argument(s): "Value cannot be null.
Parameter name: value"
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1431 char:9
Write-Verbose ("LSA Key : " + ([System.BitConverter]:: ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Decrypt-AES : The parameter 'IV' cannot be specified because it conflicts with the parameter alias of the same name
for parameter 'InformationVariable'.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1465 char:39
$MachineHashStructPlaintext = Decrypt-AES -Key $TempKey -Ciph ...
~~~~~~~~~~~
Cannot index into a null array.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1466 char:9
$MachineHashBytes = $MachineHashStructPlaintext[16..255]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Multiple ambiguous overloads found for "ComputeHash" and the argument count: "1".
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1471 char:9
$Out = $MD4.ComputeHash($MachineHashBytes)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exception calling "ToString" with "1" argument(s): "Value cannot be null.
Parameter name: value"
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1472 char:9
$MachineAccountHash = ([System.BitConverter]::ToString($Out) ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PS C:\Users\user1\Desktop\DAMP-master\DAMP-master> Get-RemoteCachedCredential -ComputerName mail.testdomain.com
Decrypt-AES : The parameter 'IV' cannot be specified because it conflicts with the parameter alias of the same name
for parameter 'InformationVariable'.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1282 char:30
$LSAKeyStructPlaintext = Decrypt-AES -Key $TmpKey -CipherText $LS ...
~~~~~~~~~~~
Cannot index into a null array.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1283 char:5
$LSAKey = $LSAKeyStructPlaintext[68..99]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get-RemoteNLKMKey : Cannot validate argument on parameter 'LSAKey'. The argument is null or empty. Provide an argument
that is not null or empty, and then try the command again.
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1687 char:58
$NLKMKey = Get-RemoteNLKMKey -hKey $nKey -LSAKey $LSAKey
~~~~~~~
Exception calling "ToString" with "1" argument(s): "Value cannot be null.
Parameter name: value"
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1690 char:9
Write-Verbose ("LSA Key : " + ([System.BitConverter]:: ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exception calling "ToString" with "1" argument(s): "Value cannot be null.
Parameter name: value"
At C:\Users\user1\Desktop\DAMP-master\DAMP-master\RemoteHashRetrieval.ps1:1691 char:9
Write-Verbose ("NL`$KM Key : " + ([System.BitConverter]:: ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
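Added example, not code from DAMP or a reply by its author. The first error in each transcript above is the real failure and the rest are consequences: an advanced PowerShell function (one carrying `[CmdletBinding()]` or a `[Parameter()]` attribute) receives the common parameters, and from PowerShell 5.0 on the `-InformationVariable` common parameter has the alias `iv`, so a parameter named `IV` can no longer be bound. `Decrypt-AES` therefore returns nothing, the next statement indexes into `$null` ("Cannot index into a null array"), and `ComputeHash($null)` is ambiguous because a null argument matches both the `byte[]` and the `Stream` overload. The block below reproduces the collision and shows an AES-CBC decrypt helper whose IV parameter has a different name. The function names and the key, IV and plaintext in the self-test are this example's own constructed data; the only assumption about DAMP is that its `Decrypt-AES` takes `-Key`, `-CipherText` and `-IV`.

```powershell
# Added example, not part of DAMP. Shows why a "-IV" parameter fails on PowerShell 5.0+
# and a replacement decrypt helper that avoids the name. Function names are this
# example's own; the key, IV and plaintext in the self-test are constructed sample data.

# 1. Reproduce the collision. Any advanced function (one with [CmdletBinding()] or a
#    [Parameter()] attribute) gets the common parameters, and -InformationVariable has
#    the alias 'iv'. Defining this succeeds; calling it raises the error from the issue.
function Test-IVParameter {
    [CmdletBinding()]
    param([byte[]]$Key, [byte[]]$IV)
    return $IV.Length
}

function Show-IVCollision {
    # Returns $true when the call is rejected at parameter binding, as on PS 5.0+.
    try {
        Test-IVParameter -Key ([byte[]](1..32)) -IV ([byte[]](1..16)) | Out-Null
        return $false
    } catch {
        Write-Warning $_.Exception.Message   # "...conflicts with the parameter alias..."
        return $true
    }
}

# 2. Fix: rename the parameter. An [Alias()] may keep a friendlier name, but it must
#    not be 'IV' either, because the alias would collide in exactly the same way.
function Unprotect-AesCbc {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][byte[]]$Key,
        [Parameter(Mandatory)][byte[]]$CipherText,
        [Parameter(Mandatory)][Alias('InitializationVector')][byte[]]$InitVector,
        [System.Security.Cryptography.PaddingMode]$Padding = 'PKCS7'
    )
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = $Padding
        $aes.Key     = $Key
        $aes.IV      = $InitVector
        $decryptor = $aes.CreateDecryptor()
        try {
            # The leading comma keeps the byte[] from being unrolled into the pipeline.
            return ,$decryptor.TransformFinalBlock($CipherText, 0, $CipherText.Length)
        } finally { $decryptor.Dispose() }
    } finally { $aes.Dispose() }
}

# 3. Self-test: encrypt constructed data with the same parameters and round-trip it.
#    Returns $true when the decrypted bytes equal the original plaintext.
function Test-UnprotectAesCbc {
    $key   = [byte[]](1..32)      # constructed 256-bit key, not a real secret
    $iv    = [byte[]](101..116)   # constructed 16-byte IV
    $plain = [System.Text.Encoding]::ASCII.GetBytes('constructed sample plaintext')
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Mode = 'CBC'; $aes.Padding = 'PKCS7'; $aes.Key = $key; $aes.IV = $iv
        $enc = $aes.CreateEncryptor()
        try { $ct = $enc.TransformFinalBlock($plain, 0, $plain.Length) } finally { $enc.Dispose() }
    } finally { $aes.Dispose() }
    $out = Unprotect-AesCbc -Key $key -CipherText $ct -InitializationVector $iv
    return ([System.Text.Encoding]::ASCII.GetString($out) -eq 'constructed sample plaintext')
}

Show-IVCollision       # warns with the collision message and returns whether it occurred
Test-UnprotectAesCbc   # round-trips the constructed sample through the renamed parameter
```

Renaming the parameter is the whole fix; the later "null array" and "ambiguous overloads" errors disappear once `Decrypt-AES` actually returns bytes. The same collision affects any function with a parameter named `IV` when it is called from PowerShell 5.0 or later, including scripts written for earlier versions, so check for it wherever a block cipher helper stops binding after a PowerShell upgrade.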
Hi, I'm trying Add-RemoteRegBackdoor.ps1 on a domain joined windows 10 machine, and I get the following error on all registry keys:
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
Any idea on what might be wrong?
I'm attaching the output, but GitHub's markdown makes it difficult to read. Here's the paste just in case:
https://pastebin.com/sbZVfwmn
Thanks!
```
PS Microsoft.PowerShell.Core\FileSystem::\DAMP> Add-RemoteRegBackdoor -Trustee 'S-1-1-0' -ComputerName DESKTOP-13DT5NH -Verbose
VERBOSE: [DESKTOP-13DT5NH : ] Using trustee username 'Everyone'
Get-WMIObject : The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:185 char:36
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH] Remote registry is not running, attempting to start
Add-RemoteRegBackdoor : [DESKTOP-13DT5NH] Error interacting with the remote registry service: You cannot call a method on a null-valued expression.
At line:1 char:1
+ CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Add-RemoteRegBackdoor
PS Microsoft.PowerShell.Core\FileSystem::\vmware-host\Shared Folders\share\DAMP> Add-RemoteRegBackdoor -Trustee 'S-1-1-0' -ComputerName DESKTOP-13DT5NH -Verbose
VERBOSE: [DESKTOP-13DT5NH : ] Using trustee username 'Everyone'
VERBOSE: [DESKTOP-13DT5NH] Remote registry is not running, attempting to start
VERBOSE: [DESKTOP-13DT5NH] Attaching to remote registry through StdRegProv
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\JD] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Skew1] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\Data] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SYSTEM\CurrentControlSet\Control\Lsa\GBG] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SECURITY] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Backdooring started for key
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Creating ACE with Access Mask of 983103 (ALL_ACCESS) and AceFlags of 2 (CONTAINER_INHERIT_ACE)
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Creating the trustee WMI object with user 'Everyone'
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Applying Trustee to new Ace
The property 'DACL' cannot be found on this object. Verify that the property exists and can be set.
At \vmware-host\Shared Folders\share\DAMP\Add-RemoteRegBackdoor.ps1:246 char:13
$RegSD.DACL += $RegAce.PSObject.ImmediateBaseObject
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Calling SetSecurityDescriptor on the key with the newly created Ace
VERBOSE: [DESKTOP-13DT5NH : SAM\SAM\Domains\Account] Backdooring completed for key
VERBOSE: [DESKTOP-13DT5NH] Backdooring completed for system
ComputerName BackdoorTrustee
DESKTOP-13DT5NH S-1-1-0
```
Please add a 'remove' option to the Add-RemoteRegBackdoor.ps1 script, so that we can do cleanup when we are done abusing the feature (e.g. at the end of a red team mission).
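Added example, not DAMP code and not a reply from the project's author, covering the two posts above: the "The property 'DACL' cannot be found on this object" transcript and the request for a cleanup option. It reads the security descriptors of the same HKLM keys through the same StdRegProv WMI provider, checks the WMI return value before dereferencing the descriptor (that dereference is the step that fails when no descriptor came back, which is the message in the transcript), flattens every ACE so that a trustee such as Everyone (S-1-1-0) with mask 0xF003F (983103, KEY_ALL_ACCESS) and AceFlags 0x2 (CONTAINER_INHERIT_ACE) is visible, and adds a removal routine guarded by -WhatIf/-Confirm. The function names, the default baseline SID list and the sample calls at the end are this example's own assumptions; it does not claim to know why the poster's descriptor was empty.

```powershell
# Added example, not DAMP's code: audit (and optionally strip) ACEs on the registry
# keys that the Add-RemoteRegBackdoor transcript above modifies, using the same
# StdRegProv WMI provider. Function names, the baseline SID list and the sample
# calls at the bottom are this example's own choices, not DAMP's.

$HKEY_LOCAL_MACHINE = [uint32]2147483650   # hDefKey value StdRegProv expects for HKLM
$KEY_ALL_ACCESS     = 0xF003F              # 983103 in the transcript
$CONTAINER_INHERIT  = 0x2                  # AceFlags bit set by the backdoor ACE

# Keys touched in the transcript (all relative to HKLM).
$DampKeys = @(
    'SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'SYSTEM\CurrentControlSet\Control\Lsa\JD',
    'SYSTEM\CurrentControlSet\Control\Lsa\Skew1',
    'SYSTEM\CurrentControlSet\Control\Lsa\Data',
    'SYSTEM\CurrentControlSet\Control\Lsa\GBG',
    'SECURITY',
    'SAM\SAM\Domains\Account'
)

function Get-RegKeySecurityDescriptor {
    param([string]$ComputerName = $env:COMPUTERNAME, [Parameter(Mandatory)][string]$SubKey)
    $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    $res = $reg.GetSecurityDescriptor($HKEY_LOCAL_MACHINE, $SubKey)
    # Check the Win32 result before touching .Descriptor: on failure (5 = access denied,
    # 2 = key not found, ...) Descriptor is empty, and "$sd.DACL += ..." on an empty
    # descriptor produces exactly "The property 'DACL' cannot be found on this object".
    if ($res.ReturnValue -ne 0) {
        throw "GetSecurityDescriptor('$SubKey') on $ComputerName failed, Win32 error $($res.ReturnValue)"
    }
    return $res.Descriptor
}

function Get-RegKeyAce {
    # Flattens each Win32_ACE in the key's DACL into a reviewable record.
    param([string]$ComputerName = $env:COMPUTERNAME, [Parameter(Mandatory)][string]$SubKey)
    $sd = Get-RegKeySecurityDescriptor -ComputerName $ComputerName -SubKey $SubKey
    foreach ($ace in @($sd.DACL)) {
        [pscustomobject]@{
            Key         = $SubKey
            Sid         = $ace.Trustee.SIDString
            Trustee     = "$($ace.Trustee.Domain)\$($ace.Trustee.Name)".TrimStart('\')
            Type        = @{0 = 'Allow'; 1 = 'Deny'; 2 = 'Audit'}[[int]$ace.AceType]
            AccessMask  = '0x{0:X}' -f $ace.AccessMask
            FullControl = ($ace.AccessMask -band $KEY_ALL_ACCESS) -eq $KEY_ALL_ACCESS
            Inherits    = ($ace.AceFlags -band $CONTAINER_INHERIT) -ne 0
        }
    }
}

function Find-UnexpectedRegKeyAce {
    # Reports allow ACEs for any SID outside a baseline. The default baseline (SYSTEM,
    # Administrators) is an assumption for illustration: capture the real one from a
    # known-clean build of the same Windows version and pass it in.
    param([string]$ComputerName = $env:COMPUTERNAME,
          [string[]]$Keys = $DampKeys,
          [string[]]$BaselineSid = @('S-1-5-18', 'S-1-5-32-544'))
    foreach ($k in $Keys) {
        Get-RegKeyAce -ComputerName $ComputerName -SubKey $k |
            Where-Object { $_.Type -eq 'Allow' -and $_.Sid -notin $BaselineSid }
    }
}

function Remove-RegKeyAceForSid {
    # Cleanup counterpart to Add-RemoteRegBackdoor: drops every ACE held by -Sid and writes
    # the descriptor back. Supports -WhatIf/-Confirm; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = $env:COMPUTERNAME,
          [Parameter(Mandatory)][string]$SubKey,
          [Parameter(Mandatory)][string]$Sid)
    $reg  = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    $sd   = Get-RegKeySecurityDescriptor -ComputerName $ComputerName -SubKey $SubKey
    $all  = @($sd.DACL)
    $keep = @($all | Where-Object { $_.Trustee.SIDString -ne $Sid })
    if ($keep.Count -eq $all.Count) { Write-Verbose "No ACE for $Sid on $SubKey"; return }
    # An empty DACL denies everyone; never write one by accident.
    if ($keep.Count -eq 0) { throw "Refusing to write an empty DACL to $SubKey" }
    if ($PSCmdlet.ShouldProcess("$ComputerName : $SubKey", "Remove $($all.Count - $keep.Count) ACE(s) for $Sid")) {
        # Unwrap to the raw WMI objects, as DAMP itself does when it appends its ACE.
        $sd.DACL = [System.Management.ManagementBaseObject[]]@($keep | ForEach-Object { $_.PSObject.ImmediateBaseObject })
        $rv = $reg.SetSecurityDescriptor($HKEY_LOCAL_MACHINE, $SubKey, $sd).ReturnValue
        if ($rv -ne 0) { throw "SetSecurityDescriptor('$SubKey') failed, Win32 error $rv" }
    }
}

# Sample usage (local host; needs an elevated session that can read these keys):
Find-UnexpectedRegKeyAce | Format-Table Key, Sid, Trustee, AccessMask, FullControl, Inherits -AutoSize
# Dry run of the cleanup for the trustee used in the transcript (Everyone):
# foreach ($k in $DampKeys) { Remove-RegKeyAceForSid -SubKey $k -Sid 'S-1-1-0' -WhatIf }
```

Two caveats for anyone running this: `GetSecurityDescriptor` returning a non-zero value is the signal to investigate permissions or connectivity (the "RPC server is unavailable" error earlier in the transcript is the WMI-level form of the same problem), and the removal routine only strips explicit ACEs for the SID you name, so an access grant made through a different trustee, or through a group the SID belongs to, stays in place and will still show up in the audit output.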
Also just curious, for the SID can you use a computer account or would it only work for a user SID? I'd rather not tie the access to a domain account if I can help it (a computer account seems more stealthy and also easier to share).
Where are all the rest of the PowerShell scripts from the talk?