Merge pull request #451 from Dfte/SMB]-Rework-the-runasppl-module

[SMB] Rework the runasppl module
Pennyw0rth · Dec 17, 2024 · 278124f · 278124f
2 parents 0ff19ac + aa68664
commit 278124f
Showing 1 changed file with 37 additions and 7 deletions.
diff --git a/nxc/modules/runasppl.py b/nxc/modules/runasppl.py
@@ -1,5 +1,10 @@
+from impacket.dcerpc.v5 import rrp
+from impacket.examples.secretsdump import RemoteOperations
+from impacket.dcerpc.v5.rrp import DCERPCSessionError
+
 
 class NXCModule:
+    # Reworked by @Defte_ 13/10/2024 to remove unecessary execute operation
     name = "runasppl"
     description = "Check if the registry value RunAsPPL is set or not"
     supported_protocols = ["smb"]
@@ -14,10 +19,35 @@ def options(self, context, module_options):
         """"""
 
     def on_admin_login(self, context, connection):
-        command = r"reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ /v RunAsPPL"
-        context.log.debug(f"Executing command: {command}")
-        p = connection.execute(command, True)
-        if not p or "The system was unable to find the specified registry key or value" in p:
-            context.log.debug("Unable to find RunAsPPL Registry Key")
-        else:
-            context.log.highlight(p)
+        try:
+            remote_ops = RemoteOperations(connection.conn, False)
+            remote_ops.enableRegistry()
+
+            if remote_ops._RemoteOperations__rrp:
+                ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
+                reg_handle = ans["phKey"]
+                ans = rrp.hBaseRegOpenKey(
+                    remote_ops._RemoteOperations__rrp,
+                    reg_handle,
+                    "SYSTEM\\CurrentControlSet\\Control\\Lsa"
+                )
+                key_handle = ans["phkResult"]
+                _ = data = None
+                try:
+                    _, data = rrp.hBaseRegQueryValue(
+                        remote_ops._RemoteOperations__rrp,
+                        key_handle,
+                        "RunAsPPL\x00",
+                    )
+                except rrp.DCERPCSessionError as e:
+                    context.log.debug(f"RunAsPPL error {e} on host {connection.host}")
+
+                if data is None or data not in [1, 2]:
+                    context.log.highlight("RunAsPPL disabled")
+                else:
+                    context.log.highlight("RunAsPPL enabled")
+
+        except DCERPCSessionError as e:
+            context.log.debug(f"Error connecting to RemoteRegistry {e} on host {connection.host}")
+        finally:
+            remote_ops.finish()