portia's Introduction

⚠️ NOTE: This tool is no longer under active maintenance.

portia

Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low-privileged account has been compromised:

  • Privilege escalation
  • Lateral movement
  • Convenience modules

Portia is a genus of jumping spider that feeds on other spiders. It is known for intelligent hunting behaviour and problem-solving capabilities usually only found in larger animals.

New functionality has been added in the script 'hopandhack.py'.
The 'hopandhack' script can be used by attackers to automatically find and hunt hosts that are not directly accessible from the attacker's machine. In some organizations, IT administrators have to use a 'jump box' or VPN to access the secure data centre or PCI network where sensitive data is stored.

The 'hopandhack' script automates the process of finding hosts with the necessary routes to these secure networks and compromising them. The functionality of hopandhack will be incorporated into Portia in the next week or so.
More details about the hopandhack script can be found at https://milo2012.wordpress.com/2017/09/21/jumping-from-corporate-to-compromising-semi-isolated-network/

Slides

https://www.slideshare.net/secret/tkQFhYeFY3zEi4

Videos (Will be adding more soon)

Video that shows privilege escalation via impersonation tokens and running of post exploitation modules
https://asciinema.org/a/45ry3g26devqcabpugwyz4to5

Dependencies

apt-get update
apt-get install -y autoconf automake autopoint libtool pkg-config freetds-dev
pip install pysmb tabulate termcolor xmltodict pyasn1 pycrypto pyOpenSSL dnspython netaddr python-nmap
cd /opt
git clone https://github.com/CoreSecurity/impacket && cd impacket
python setup.py install
cd /opt
git clone https://github.com/libyal/libesedb.git && cd libesedb
./synclibs.sh
./autogen.sh
./configure 
make
make install
ldconfig
cd /opt
git clone https://github.com/csababarta/ntdsxtract && cd ntdsxtract
python setup.py install
pip install git+https://github.com/pymssql/pymssql.git
cd /opt
git clone https://github.com/volatilityfoundation/volatility && cd volatility
python setup.py install
cd /opt
git clone https://github.com/SpiderLabs/portia

How Portia Works


                        #7 Use Impersonation Token
                +------Run Mimikatz on DC---------------+   +---------------------------------------------------------+
                |      Dump Password Hashes from DC     |   |                                                         |
                |                                       |   |                                                         |
+------------+  |     +-------------+                +--v---v-----+                                                   |
|Workstation |  |     | Workstation |                | Domain     |        #3 Checks if Account                       |
|(Workgroup) |  |     | (Domain)    |                | Controller | <------is in Domain Admin Group                   |
++---+-------+  |     +-+----+------+                +------+-----+                           |                       |
 ^   ^          |       ^    ^                              ^                                 |                       |
 |   |          |       |    |                              |                                 |                       |
 |   |          |       |    |                          #4 Check SYSVOL                   #2 Enumerate Users          |
 |   |          |       |    |                          for Passwords                     in Domain Admin Group       |
 |   |#6 Checks for     | #5 Checks if account              |                                 |                       |
 |   |Impersonation     | has admin rights          +-------+------+                          |                       |
 |   +Tokens--------------on host-------------------+  Hacker      +-------#1 Checks----------+                       |
 |                      |                           +----+---+-----+       credentials                                |
 |                      |                                |   |                                                        |
 |                      |                                |   |                                                        |
 |                      |                                |   |                                                        |
 |           #8 Use New Hashes / Passwords               |   +--------------------------------------------------------+
 +-----------to Compromise Other Hosts-------------------+

portia's People

Contributors

afoxdavidi, eightbit-io, emphazer, milo2012

portia's Issues

IndexError: list index out of range

When running the tool against my own Windows machine I get the following error:

Traceback (most recent call last):
  File "portia.py", line 4626, in <module>
    mountSysvol(username,password)
  File "portia.py", line 3382, in mountSysvol
    status,foundAdmin=testDomainCredentials(username,password,None,dcList[0],'WORKGROUP',True)
IndexError: list index out of range

Am I missing a dependency or something?

Error importing module

Looks very useful. After installing I unfortunately am receiving the following:

Traceback (most recent call last):
  File "portia.py", line 9, in <module>
    from deps.secretsdump import *
  File "/root/portia/deps/secretsdump.py", line 56, in <module>
    from impacket.examples.secretsdump import LocalOperations, RemoteOperations, SAMHashes, LSASecrets, NTDSHashes
ImportError: No module named secretsdump

Any thoughts? Thanks

Eliminate the list of dependencies or make it optional at least

My first impression was: a great tool. But after I saw the list of dependencies I started to wonder.

Do you really expect it to be installed on a compromised machine??
First of all, there might be no internet in the intranet. Second, you will not be allowed to install all these on a client's machine (unless you developed a tool for hackers, which is totally illegal).

Is there any solution for this problem?

ImportError: No module named xmltodict

Hello,

My Kali system has some errors.

I have installed all dependencies.

When I opened portia:

username@system:/opt/portia# ./portia.py
Traceback (most recent call last):
  File "./portia.py", line 40, in <module>
    import xmltodict
ImportError: No module named xmltodict

When I used the ./setup.sh

./install.sh
Holen:1 http://ftp.halifax.rwth-aachen.de/kali kali-rolling InRelease [30,5 kB]
Holen:2 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/main i386 Packages [15,4 MB]
Holen:3 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/main amd64 Packages [15,4 MB]
Holen:4 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/non-free amd64 Packages [162 kB]
Holen:5 http://ftp.halifax.rwth-aachen.de/kali kali-rolling/non-free i386 Packages [144 kB]
Es wurden 31,1 MB in 2 min 13 s geholt (234 kB/s).
Paketlisten werden gelesen... Fertig
Paketlisten werden gelesen... Fertig
Abhängigkeitsbaum wird aufgebaut.
Statusinformationen werden eingelesen.... Fertig
autoconf ist schon die neueste Version (2.69-10).
automake ist schon die neueste Version (1:1.15.1-2).
autopoint ist schon die neueste Version (0.19.8.1-2).
freetds-dev ist schon die neueste Version (0.91-6.1+b4).
libtool ist schon die neueste Version (2.4.6-2).
pkg-config ist schon die neueste Version (0.29-4+b1).
0 aktualisiert, 0 neu installiert, 0 zu entfernen und 30 nicht aktualisiert.
Running virtualenv with interpreter /usr/bin/python2
New python executable in /opt/portia/portia/bin/python2
Also creating executable in /opt/portia/portia/bin/python
Installing setuptools, pkg_resources, pip, wheel...done.
./install.sh: 8: ./install.sh: source: not found
Requirement already satisfied: pysmb in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: tabulate in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: termcolor in /usr/lib/python3/dist-packages
Requirement already satisfied: xmltodict in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: pyasn1 in /usr/lib/python3/dist-packages
Requirement already satisfied: pycrypto in /usr/lib/python3/dist-packages
Requirement already satisfied: pyOpenSSL in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: dnspython in /usr/lib/python3/dist-packages
Requirement already satisfied: netaddr in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: python-nmap in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: cryptography>=1.9 in /usr/local/lib/python3.5/dist-packages (from pyOpenSSL)
Requirement already satisfied: six>=1.5.2 in /usr/lib/python3/dist-packages (from pyOpenSSL)
Requirement already satisfied: idna>=2.1 in /root/.local/lib/python3.5/site-packages/idna-2.5-py3.5.egg (from cryptography>=1.9->pyOpenSSL)
Requirement already satisfied: cffi>=1.7 in /usr/local/lib/python3.5/dist-packages (from cryptography>=1.9->pyOpenSSL)
Requirement already satisfied: asn1crypto>=0.21.0 in /usr/local/lib/python3.5/dist-packages (from cryptography>=1.9->pyOpenSSL)
Requirement already satisfied: pycparser in /usr/local/lib/python3.5/dist-packages (from cffi>=1.7->cryptography>=1.9->pyOpenSSL)
fatal: Zielpfad 'impacket' existiert bereits und ist kein leeres Verzeichnis.
python: can't open file 'setup.py': [Errno 2] No such file or directory
fatal: Zielpfad 'libesedb' existiert bereits und ist kein leeres Verzeichnis.
./install.sh: 19: ./install.sh: ./synclibs.sh: not found
./install.sh: 20: ./install.sh: ./autogen.sh: not found
fatal: Zielpfad 'ntdsxtract' existiert bereits und ist kein leeres Verzeichnis.
python: can't open file 'setup.py': [Errno 2] No such file or directory
Collecting git+https://github.com/pymssql/pymssql.git
Cloning https://github.com/pymssql/pymssql.git to /tmp/pip-v25e3sm_-build
Requirement already satisfied (use --upgrade to upgrade): pymssql==2.2.0.dev0 from git+https://github.com/pymssql/pymssql.git in /usr/local/lib/python3.5/dist-packages
fatal: Zielpfad 'volatility' existiert bereits und ist kein leeres Verzeichnis.
python: can't open file 'setup.py': [Errno 2] No such file or directory
fatal: Zielpfad 'portia' existiert bereits und ist kein leeres Verzeichnis.
./install.sh: 34: ./install.sh: ./portia.py: not found
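
The log above can be read mechanically. The following is an added example, not part of the issue or of the Portia project: a small parser that flags the three patterns visible in this log. It rests on assumptions: that `source: not found` means the script ran under a POSIX `sh` such as dash, so the virtualenv was never activated; that a package reported as satisfied under a different Python major version than the virtualenv interpreter is not importable by the tool; and that a failed clone followed by a missing `setup.py` means that dependency was not installed. The finding names are hypothetical.

```python
import re

# Constructed sample: six lines copied from the install log quoted in the issue.
SAMPLE_LOG = """\
Running virtualenv with interpreter /usr/bin/python2
./install.sh: 8: ./install.sh: source: not found
Requirement already satisfied: xmltodict in /usr/local/lib/python3.5/dist-packages
Requirement already satisfied: termcolor in /usr/lib/python3/dist-packages
fatal: Zielpfad 'impacket' existiert bereits und ist kein leeres Verzeichnis.
python: can't open file 'setup.py': [Errno 2] No such file or directory
"""

VENV = re.compile(r"^Running virtualenv with interpreter \S*?/python(\d)")
SATISFIED = re.compile(r"^Requirement already satisfied: ([\w.\-]+)\S* in \S*/python(\d)")
NO_SOURCE = re.compile(r"^\S+: \d+: \S+: source: not found")
CLONE_FAIL = re.compile(r"^fatal: .*?'([^']+)'")  # locale-independent: only the quoted path
NO_SETUP = re.compile(r"can't open file 'setup\.py'")


def diagnose(log):
    """Return (finding, subject) pairs explaining why imports fail after install."""
    venv_major, last_clone, findings = None, None, []
    for line in log.splitlines():
        if (m := VENV.match(line)):
            venv_major = m.group(1)            # Python major version the tool will run under
        elif NO_SOURCE.match(line):
            findings.append(("venv-not-activated", "source"))
        elif (m := SATISFIED.match(line)):
            # pip found the package, but under a different interpreter's site-packages
            if venv_major and m.group(2) != venv_major:
                findings.append(("wrong-interpreter", m.group(1)))
        elif (m := CLONE_FAIL.match(line)):
            last_clone = m.group(1)            # remember which checkout was skipped
        elif NO_SETUP.search(line):
            findings.append(("setup-not-run", last_clone or "unknown"))
            last_clone = None
    return findings


if __name__ == "__main__":
    for kind, subject in diagnose(SAMPLE_LOG):
        print(f"{kind:20} {subject}")
```
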

Obfuscated cmd powershell

Hi,

I think it would be interesting to add the possibility to obfuscate the PowerShell cmd executed on the remote host.
I've tested your script on a host protected by Kaspersky, and all the cmd executed on the remote host are dropped by the AV.

I've tested some manually obfuscated cmd and they are not dropped by the AV.

Thank you.

import failures

This is one of the few errors I'm getting after install. I have gotten

root@kali:/opt/portia# ./portia.py
Traceback (most recent call last):
  File "./portia.py", line 16, in <module>
    import nmap
ImportError: No module named nmap

I installed python-nmap and I believe I fixed that, as it hasn't reappeared.

As well as

root@kali:/opt/portia# ./portia.py
Traceback (most recent call last):
  File "./portia.py", line 9, in <module>
    from deps.secretsdump import *
  File "/opt/portia/deps/secretsdump.py", line 56, in <module>
    from impacket.examples.secretsdump import LocalOperations, RemoteOperations, SAMHashes, LSASecrets, NTDSHashes
ImportError: No module named secretsdump

Specify Admin Group

Hi !

I think it will be cool to add an option to specify the group admin.
In French Windows, the domain admin group is named "Admins du domaine".

Thank you !

Domain is not set [WORKGROUP by default]

Portia fails to verify credentials because it does not parse the -d parameter and instead uses the default WORKGROUP.

I made a temporary validation check on line 2342 by printing my inputs (username, password, domain).

After editing the portia.py file and manually specifying the domain value, it seems to work only for the account verification function; the rest of the code keeps using the WORKGROUP value.

I have also identified that on lines 2720 and 2730 the domain value is assigned WORKGROUP instead of taking the user's input.

Maybe domain="WORKGROUP" parameters also exist on multiple lines in the .py file.
