swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
NetExec/cme/protocols/winrm.py

232 lines
10 KiB
Python
Raw Normal View History

Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
import requests
import logging
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
import configparser
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
from impacket.smbconnection import SMBConnection, SessionError
from cme.connection import *
from cme.helpers.logger import highlight
Add bloodhound core feature
2021-11-20 21:37:14 +00:00
from cme.helpers.bloodhound import add_user_bh
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
from cme.logger import CMEAdapter
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
from io import StringIO
from pypsrp.client import Client
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
# The following disables the InsecureRequests warning and the 'Starting new HTTPS connection' log message
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
Fix winrm warning from pywinrm
2020-04-28 11:24:01 +00:00
class SuppressFilter(logging.Filter):
# remove warning https://github.com/diyan/pywinrm/issues/269
def filter(self, record):
return 'wsman' not in record.getMessage()
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
class winrm(connection):
def __init__(self, args, db, host):
self.domain = None
Fix winrm uninitialized variable and hash auth option
2020-07-28 14:16:06 +00:00
self.server_os = None
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
connection.__init__(self, args, db, host)
@staticmethod
def proto_args(parser, std_parser, module_parser):
winrm_parser = parser.add_parser('winrm', help="own stuff using WINRM", parents=[std_parser, module_parser])
Update winrm.py Closes https://github.com/byt3bl33d3r/CrackMapExec/issues/310
2019-08-16 13:58:26 +00:00
winrm_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2
2020-04-30 14:06:57 +00:00
winrm_parser.add_argument("--no-bruteforce", action='store_true', help='No spray when using file for username and password (user1 => password1, user2 => password2')
winrm_parser.add_argument("--continue-on-success", action='store_true', help="continues authentication attempts even after successes")
Add port option to WinRM protocol #469
2021-05-30 20:49:12 +00:00
winrm_parser.add_argument("--port", type=int, default=0, help="Custom WinRM port")
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
dgroup = winrm_parser.add_mutually_exclusive_group()
dgroup.add_argument("-d", metavar="DOMAIN", dest='domain', type=str, default=None, help="domain to authenticate to")
dgroup.add_argument("--local-auth", action='store_true', help='authenticate locally to each target')
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2
2020-04-30 14:06:57 +00:00
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
cgroup = winrm_parser.add_argument_group("Command Execution", "Options for executing commands")
cgroup.add_argument('--no-output', action='store_true', help='do not retrieve command output')
cgroup.add_argument("-x", metavar="COMMAND", dest='execute', help="execute the specified command")
cgroup.add_argument("-X", metavar="PS_COMMAND", dest='ps_execute', help='execute the specified PowerShell command')
return parser
def proto_flow(self):
self.proto_logger()
if self.create_conn_obj():
self.enum_host_info()
self.print_host_info()
if self.login():
if hasattr(self.args, 'module') and self.args.module:
self.call_modules()
else:
self.call_cmd_args()
def proto_logger(self):
Add protocol and port regarding the protocol and port used
2021-10-16 19:37:06 +00:00
self.logger = CMEAdapter(extra={'protocol': 'SMB',
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
'host': self.host,
'port': 'NONE',
'hostname': 'NONE'})
def enum_host_info(self):
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
# smb no open, specify the domain
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
if self.args.domain:
self.domain = self.args.domain
self.logger.extra['hostname'] = self.hostname
else:
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
try:
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
smb_conn = SMBConnection(self.host, self.host, None)
try:
smb_conn.login('', '')
except SessionError as e:
if "STATUS_ACCESS_DENIED" in e.message:
pass
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Improve MSSQL login
2020-09-06 13:21:38 +00:00
self.domain = smb_conn.getServerDNSDomainName()
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
self.hostname = smb_conn.getServerName()
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
self.server_os = smb_conn.getServerOS()
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
self.logger.extra['hostname'] = self.hostname
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
try:
smb_conn.logoff()
except:
pass
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
except Exception as e:
logging.debug("Error retrieving host domain: {} specify one manually with the '-d' flag".format(e))
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
if self.args.domain:
self.domain = self.args.domain
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
Update WINRM authentication option If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 10:28:47 +00:00
if self.args.local_auth:
self.domain = self.hostname
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
def print_host_info(self):
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
if self.args.domain:
Add protocol and port regarding the protocol and port used
2021-10-16 19:37:06 +00:00
self.logger.extra['protocol'] = "HTTP"
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
self.logger.info(self.endpoint)
Add protocol and port regarding the protocol and port used
2021-10-16 19:37:06 +00:00
else:
self.logger.extra['protocol'] = "SMB"
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
self.logger.info(u"{} (name:{}) (domain:{})".format(self.server_os,
self.hostname,
self.domain))
Add protocol and port regarding the protocol and port used
2021-10-16 19:37:06 +00:00
self.logger.extra['protocol'] = "HTTP"
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
self.logger.info(self.endpoint)
Add protocol and port regarding the protocol and port used
2021-10-16 19:37:06 +00:00
self.logger.extra['protocol'] = "WINRM"
Improve output of protocol winrm
2020-06-20 10:20:53 +00:00
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
def create_conn_obj(self):
Add port option to WinRM protocol #469
2021-05-30 20:49:12 +00:00
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
endpoints = [
Add port option to WinRM protocol #469
2021-05-30 20:49:12 +00:00
'https://{}:{}/wsman'.format(self.host, self.args.port if self.args.port else 5986),
'http://{}:{}/wsman'.format(self.host, self.args.port if self.args.port else 5985)
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
]
for url in endpoints:
try:
Add more compatibility for windows exe - decrease winrm timeout to 3 seconds so @IppSec 's videos tlast less time :) -- add ico to cme exe -- add option smb-server-port to make cme compatible with windows
2020-07-30 13:14:31 +00:00
requests.get(url, verify=False, timeout=3)
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
self.endpoint = url
if self.endpoint.startswith('https://'):
Add port option to WinRM protocol #469
2021-05-30 20:49:12 +00:00
self.port = self.args.port if self.args.port else 5986
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
else:
Add port option to WinRM protocol #469
2021-05-30 20:49:12 +00:00
self.port = self.args.port if self.args.port else 5985
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
self.logger.extra['port'] = self.port
return True
except Exception as e:
if 'Max retries exceeded with url' not in str(e):
logging.debug('Error in WinRM create_conn_obj:' + str(e))
return False
def plaintext_login(self, domain, username, password):
try:
Fix winrm warning from pywinrm
2020-04-28 11:24:01 +00:00
from urllib3.connectionpool import log
log.addFilter(SuppressFilter())
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
self.conn = Client(self.host,
auth='ntlm',
Fix winrm login failed
2021-11-09 12:19:06 +00:00
username=u'{}\\{}'.format(domain, username),
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
password=password,
ssl=False)
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
# TO DO: right now we're just running the hostname command to make the winrm library auth to the server
# we could just authenticate without running a command :) (probably)
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
self.conn.execute_ps("hostname")
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
self.admin_privs = True
update python3
2019-11-10 23:12:35 +00:00
self.logger.success(u'{}\\{}:{} {}'.format(self.domain,
username,
password,
Fixed up @aj-cgtech changes
2018-03-01 19:36:17 +00:00
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')))
Add bloodhound core feature
2021-11-20 21:37:14 +00:00
add_user_bh(self.username, self.domain, self.logger, self.config)
Add option --no-bruteforce allowing credentials spraying without bruteforce cme accept user file and password file and works like this: user1 -> pass1 -> pass2 user2 -> pass1 -> pass2 Option --no-bruteforce works like this user1 -> pass1 user2 -> pass2
2020-04-30 14:06:57 +00:00
if not self.args.continue_on_success:
return True
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
except Exception as e:
Clean authentication fail message on winrm protocol when ntlm error
2020-06-20 10:26:32 +00:00
if "with ntlm" in str(e):
self.logger.error(u'{}\\{}:{}'.format(self.domain,
username,
password))
else:
self.logger.error(u'{}\\{}:{} "{}"'.format(self.domain,
username,
password,
e))
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
return False
Add hash auth with winrm protocol
2020-06-22 10:25:00 +00:00
def hash_login(self, domain, username, ntlm_hash):
try:
from urllib3.connectionpool import log
log.addFilter(SuppressFilter())
lmhash = '00000000000000000000000000000000:'
nthash = ''
#This checks to see if we didn't provide the LM Hash
if ntlm_hash.find(':') != -1:
lmhash, nthash = ntlm_hash.split(':')
else:
nthash = ntlm_hash
ntlm_hash = lmhash + nthash
self.hash = nthash
if lmhash: self.lmhash = lmhash
if nthash: self.nthash = nthash
self.conn = Client(self.host,
auth='ntlm',
Fix winrm login failed
2021-11-09 12:19:06 +00:00
username=u'{}\\{}'.format(domain, username),
Add hash auth with winrm protocol
2020-06-22 10:25:00 +00:00
password=ntlm_hash,
ssl=False)
# TO DO: right now we're just running the hostname command to make the winrm library auth to the server
# we could just authenticate without running a command :) (probably)
self.conn.execute_ps("hostname")
self.admin_privs = True
self.logger.success(u'{}\\{}:{} {}'.format(self.domain,
username,
self.hash,
highlight('({})'.format(self.config.get('CME', 'pwn3d_label')) if self.admin_privs else '')))
Add bloodhound core feature
2021-11-20 21:37:14 +00:00
add_user_bh(self.username, self.domain, self.logger, self.config)
Add hash auth with winrm protocol
2020-06-22 10:25:00 +00:00
if not self.args.continue_on_success:
return True
except Exception as e:
if "with ntlm" in str(e):
self.logger.error(u'{}\\{}:{}'.format(self.domain,
username,
self.hash))
else:
self.logger.error(u'{}\\{}:{} "{}"'.format(self.domain,
username,
self.hash,
e))
return False
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
def execute(self, payload=None, get_output=False):
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
try:
r = self.conn.execute_cmd(self.args.execute)
except:
self.logger.debug('Cannot execute cmd command, probably because user is not local admin, but powershell command should be ok !')
r = self.conn.execute_ps(self.args.execute)
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
self.logger.success('Executed command')
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
self.logger.highlight(r[0])
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
def ps_execute(self, payload=None, get_output=False):
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
r = self.conn.execute_ps(self.args.ps_execute)
Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump
2017-10-25 02:08:19 +00:00
self.logger.success('Executed command')
Update winrm method to allows code execution from normal user User who can winrm but are not local admin can now use this method to exec command more at https://github.com/diyan/pywinrm/issues/275 we switch from pywinrm to pypsrp
2020-04-28 19:30:18 +00:00
self.logger.highlight(r[0])