Add possibility to use different sessions for execution and file interaction

DumpMethod now differs between execution and file interaction so that it is possible to use winrm as execution path but smb as file interaction or vise versa. When execution and file interactions are the same both sessions refer to the same session object.

Author: dotpy

lsassy/console.py

@@ -44,6 +44,8 @@ def main():
             ", ".join(Dumper.list_exec_methods())
         ),
     )
+    group_dump.add_argument("--file-interaction", action="store", help="Methods for file interaction, default is smb", choices=["smb", "winrm"], default="smb")
+
     group_dump.add_argument(
         "--no-powershell", action="store_true", help="Disable PowerShell"
     )
@@ -84,23 +86,34 @@ def main():
         help="Do not delete lsass dump on remote host",
     )
 
+# There might be cases for boxes where the user may have access to smb but not winrm or vise versa
     group_auth = parser.add_argument_group("authentication")
     group_auth.add_argument("-u", "--username", action="store", help="Username")
+    group_auth.add_argument("-fu", "--file-username", action="store", help="Username for file interaction (if file interaction and exec differ!)")
+
     group_auth.add_argument(
         "-p", "--password", action="store", help="Plaintext password"
     )
+    group_auth.add_argument(
+        "-fp", "--file-password", action="store", help="Plaintext password for file interaction (if file interaction and exec differ!)"
+    )
     group_auth.add_argument(
         "-d", "--domain", default="", action="store", help="Domain name"
     )
     group_auth.add_argument(
-        "--port", default=445, type=int, action="store", help="Port (Default: 445)"
+        "--port", default=0, type=int, action="store", help="Port (Default: 445)"
+    )
+    group_auth.add_argument(
+        "--file-port", default=0, type=int, action="store", help="Port for file interaction (if file interaction and exec differ!)"
     )
     group_auth.add_argument(
         "--no-pass",
         action="store_true",
         help="Do not provide password (Default: False)",
     )
     group_auth.add_argument("-H", "--hashes", action="store", help="[LM:]NT hash")
+    group_auth.add_argument("-FH", "--file-hashes", action="store", help="[LM:]NT hash for file interaction (if file interaction and exec differ!)")
+
     group_auth.add_argument(
         "-k",
         "--kerberos",

lsassy/core.py

@@ -102,7 +102,10 @@ def run(self):
 
         # Credential parsing
         username = self.args.username if self.args.username else ""
+        file_username = self.args.file_username if self.args.file_username else username
+
         password = self.args.password if self.args.password else ""
+        file_password = self.args.file_password if self.args.file_password else password
 
         lmhash, nthash = "", ""
         if not password and self.args.hashes:
@@ -111,11 +114,27 @@ def run(self):
             else:
                 lmhash, nthash = "aad3b435b51404eeaad3b435b51404ee", self.args.hashes
 
+        file_lmhash, file_nthash = "", ""
+        if not file_password and self.args.file_hashes:
+            if ":" in self.args.file_hashes:
+                file_lmhash, file_nthash = self.args.file_hashes.split(":")
+            else:
+                file_lmhash, file_nthash = "aad3b435b51404eeaad3b435b51404ee", self.args.file_hashes
+
+
+
+
         # Exec methods parsing
         exec_methods = self.args.exec.split(",") if self.args.exec else None
         if exec_methods and "winrm" in exec_methods and len(exec_methods)>1:
             lsassy_logger.error(f"Incompatible methods winrm and {exec_methods} - can only use either winrm or others")
 
+        # Ports parsing
+        if self.args.file_port == 0:
+            self.args.file_port = 5985 if self.args.file_interaction == "winrm" else 445
+        if self.args.port == 0:
+            self.args.port = 5985 if exec_methods and "winrm" in exec_methods else 445
+
         # Dump modules options parsing
         options = (
             {v.split("=")[0]: v.split("=")[1] for v in self.args.options.split(",")}
@@ -155,33 +174,57 @@ def run(self):
             return False
 
         try:
-            if exec_methods and "winrm" in exec_methods:
+            if self.args.file_interaction == "winrm":
                 session = WinrmSession()
-                self.args.port = 5985
             else:
                 session = Session()
             session.get_session(
                 address=self.target,
                 target_ip=self.target,
-                port=self.args.port,
-                lmhash=lmhash,
-                nthash=nthash,
-                username=username,
-                password=password,
+                port=self.args.file_port,
+                lmhash=file_lmhash,
+                nthash=file_nthash,
+                username=file_username,
+                password=file_password,
                 domain=self.args.domain,
                 aesKey=self.args.aesKey,
                 dc_ip=self.args.dc_ip,
                 kerberos=self.args.kerberos,
                 timeout=self.args.timeout,
             )
 
+            if exec_methods and "winrm" in exec_methods:
+                exec_session = WinrmSession()
+            else:
+                exec_session = Session()
+            # if the sessions are the same we dont want two sessions
+            if isinstance(exec_session, type(session)):
+                del exec_session
+                exec_session = session
+            else:
+                exec_session.get_session(
+                    address=self.target,
+                    target_ip=self.target,
+                    port=self.args.port,
+                    lmhash=lmhash,
+                    nthash=nthash,
+                    username=username,
+                    password=password,
+                    domain=self.args.domain,
+                    aesKey=self.args.aesKey,
+                    dc_ip=self.args.dc_ip,
+                    kerberos=self.args.kerberos,
+                    timeout=self.args.timeout,
+                )
+
+
             if session.smb_session is None:
                 lsassy_logger.warning("Couldn't connect to remote host")
                 return False
 
             if not parse_only:
                 dumper = Dumper(
-                    session, self.args.timeout, self.args.time_between_commands
+                    exec_session, session, self.args.timeout, self.args.time_between_commands
                 ).load(self.args.dump_method)
                 if dumper is None:
                     lsassy_logger.error("Unable to load dump module")
@@ -295,3 +338,11 @@ def run(self):
                 lsassy_logger.debug(
                     "Potential issue while closing SMB session: {}".format(str(e))
                 )
+            try:
+                # Im not gonna break up the whole try except block. If exec_session is unassigned we dont care.
+                exec_session.smb_session.close()
+                lsassy_logger.debug("SMB session closed")
+            except Exception as e:
+                lsassy_logger.debug(
+                    "Potential issue while closing SMB session: {}".format(str(e))
+                )

lsassy/dumper.py

@@ -13,8 +13,9 @@ class Dumper:
     Returns None if doesn't exist.
     """
 
-    def __init__(self, session, timeout, time_between_commands):
-        self._session = session
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        self._session = file_session
+        self._exec_session = exec_session
         self._timeout = timeout
         self._time_between_commands = time_between_commands
 
@@ -27,7 +28,7 @@ def load(self, dump_module):
         try:
             return importlib.import_module(
                 "lsassy.dumpmethod.{}".format(dump_module.lower()), "DumpMethod"
-            ).DumpMethod(self._session, self._timeout, self._time_between_commands)
+            ).DumpMethod(self._exec_session, self._session,  self._timeout, self._time_between_commands)
         except ModuleNotFoundError:
             lsassy_logger.warning("Dump module '{}' doesn't exist".format(dump_module))
             return None

lsassy/dumpmethod/__init__.py

@@ -157,9 +157,10 @@ class IDumpMethod:
         "vmrs",
     ]
 
-    def __init__(self, session, timeout, time_between_commands, *args, **kwargs):
-        self._session = session
-        self._file = session.correct_file_handler()(self._session)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands, *args, **kwargs):
+        self._session = file_session
+        self._exec_session = exec_session
+        self._file = file_session.correct_file_handler()(self._session)
         self._file_handle = None
         self._executor_name = ""
         self._executor_path = ""
@@ -171,7 +172,7 @@ def get_exec_method(self, exec_method, no_powershell=False):
         try:
             exec_method = importlib.import_module(
                 f"lsassy.exec.{exec_method.lower()}", "Exec"
-            ).Exec(self._session)
+            ).Exec(self._exec_session)
         except ModuleNotFoundError:
             lsassy_logger.error(
                 f"Exec module '{exec_method.lower()}' doesn't exist",
@@ -394,6 +395,7 @@ def dump(
             )
             return None
 
+        # why is this whole block unreachable??
         for e, exec_method in valid_exec_methods.items():
             lsassy_logger.info(f"Trying {e} method")
             exec_commands = self.build_exec_command(

lsassy/dumpmethod/comsvcs_stealth.py

@@ -9,8 +9,8 @@
 class DumpMethod(IDumpMethod):
     need_debug_privilege = True
 
-    def __init__(self, session, timeout, time_between_commands):
-        super().__init__(session, timeout, time_between_commands)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        super().__init__(exec_session, file_session, timeout, time_between_commands)
 
         # If default, set to 7. Otherwise, keep custom time
         if self._time_between_commands == 1:

lsassy/dumpmethod/dllinject.py

@@ -9,8 +9,8 @@ class DumpMethod(IDumpMethod):
     dump_share = "C$"
     dump_path = "\\Windows\\Temp\\"
 
-    def __init__(self, session, timeout, time_between_commands):
-        super().__init__(session, timeout, time_between_commands)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        super().__init__(exec_session, file_session, timeout, time_between_commands)
         self.loader = Dependency("loader", "loader.exe")
         self.dll = Dependency("dll", "calc.dll")
 

lsassy/dumpmethod/dumpert.py

@@ -13,8 +13,8 @@ class DumpMethod(IDumpMethod):
     dump_share = "C$"
     dump_path = "\\Windows\\Temp\\"
 
-    def __init__(self, session, timeout, time_between_commands):
-        super().__init__(session, timeout, time_between_commands)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        super().__init__(exec_session, file_session, timeout, time_between_commands)
         self.dumpert = Dependency("dumpert", "dumpert.exe")
 
     def prepare(self, options):

lsassy/dumpmethod/dumpertdll.py

@@ -13,8 +13,8 @@ class DumpMethod(IDumpMethod):
     dump_share = "C$"
     dump_path = "\\Windows\\Temp\\"
 
-    def __init__(self, session, timeout, time_between_commands):
-        super().__init__(session, timeout, time_between_commands)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        super().__init__(exec_session, file_session, timeout, time_between_commands)
         self.dumpertdll = Dependency("dumpertdll", "dumpert.dll")
 
     def prepare(self, options):

lsassy/dumpmethod/edrsandblast.py

@@ -20,8 +20,8 @@
 
 
 class DumpMethod(IDumpMethod):
-    def __init__(self, session, timeout, time_between_commands):
-        super().__init__(session, timeout, time_between_commands)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        super().__init__(exec_session, file_session, timeout, time_between_commands)
         self.edrsandblast = Dependency("edrsandblast", "EDRSandBlast.exe")
         self.RTCore64 = Dependency("RTCore64", "RTCore64.sys")
         self.ntoskrnl = Dependency("ntoskrnl", "NtoskrnlOffsets.csv")

lsassy/dumpmethod/mirrordump.py

@@ -9,8 +9,8 @@
 
 
 class DumpMethod(IDumpMethod):
-    def __init__(self, session, timeout, time_between_commands):
-        super().__init__(session, timeout, time_between_commands)
+    def __init__(self, exec_session, file_session, timeout, time_between_commands):
+        super().__init__(exec_session, file_session, timeout, time_between_commands)
         self.mirrordump = Dependency("mirrordump", "Mirrordump.exe")
 
     def prepare(self, options):