swisskyrepo
/
NetExec
mirror of https://github.com/swisskyrepo/NetExec.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added option to perform WMI querys using WQL

main
byt3bl33d3r 2015-08-28 18:02:20 +02:00
parent 3c24c22f4c
commit 266e0077e3
2 changed files with 68 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -4,7 +4,7 @@ A swiss army knife for pentesting Windows/Active Directory environments
Powered by [Impacket](https://github.com/CoreSecurity/impacket)
This project was inspired by/based off of:
- @agsolino's [wmiexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py), [smbexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/smbexec.py), [samrdump.py](https://github.com/CoreSecurity/impacket/blob/master/examples/samrdump.py), [secretsdump.py](https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py) and [atexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/atexec.py) scripts (beyond awesome)
- @agsolino's [wmiexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/wmiexec.py), [wmiquery.py](https://github.com/CoreSecurity/impacket/blob/master/examples/wmiquery.py), [smbexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/smbexec.py), [samrdump.py](https://github.com/CoreSecurity/impacket/blob/master/examples/samrdump.py), [secretsdump.py](https://github.com/CoreSecurity/impacket/blob/master/examples/secretsdump.py) and [atexec.py](https://github.com/CoreSecurity/impacket/blob/master/examples/atexec.py) scripts (beyond awesome)
- @ShawnDEvans's [smbmap](https://github.com/ShawnDEvans/smbmap)
- @gojhonny's [CredCrack](https://github.com/gojhonny/CredCrack)
- @pentestgeek's [smbexec](https://github.com/pentestgeek/smbexec)
@ -145,4 +145,4 @@ Lets Spider the C$ share starting from the ```Users``` folder for the pattern ``
[+] 172.16.206.130:445 DESKTOP-QDVNP6B Done spidering (Completed in 38.6000130177)
```
For all available options, just run: ```python crackmapexec.py --help```
For all available options, just run: ```python crackmapexec.py --help```

66
crackmapexec.py
View File

@ -2165,6 +2165,57 @@ class WMIEXEC:
return result
class WMIQUERY:
def __init__(self, address, username, password, domain, hashes, namespace):
self.address = address
self.username = username
self.password = password
self.domain= domain
self.namespace = namespace
self.lmhash = ''
self.nthash = ''
if hashes:
self.lmhash, self.nthash = hashes.split(':')
def run(self, query):
record_dict = {}
dcom = DCOMConnection(self.address, self.username, self.password, self.domain, self.lmhash, self.nthash, None, oxidResolver = True, doKerberos=False)
iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login,wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
iWbemServices= iWbemLevel1Login.NTLMLogin(self.namespace, NULL, NULL)
iWbemLevel1Login.RemRelease()
query = query.strip('\n')
if query[-1:] == ';':
query = query[:-1]
iEnumWbemClassObject = iWbemServices.ExecQuery(query.strip('\n'))
printHeader = True
while True:
try:
pEnum = iEnumWbemClassObject.Next(0xffffffff,1)[0]
record = pEnum.getProperties()
if printHeader is True:
for col in record:
record_dict[col] = []
printHeader = False
for key in record:
record_dict[key].append(record[key]['value'])
except Exception as e:
if str(e).find('S_FALSE') < 0:
raise
else:
break
iEnumWbemClassObject.RemRelease()
dcom.disconnect()
return record_dict
class RPCENUM():
def __init__(self, username, password, domain='', hashes=None):
self.__username = username
@ -2392,6 +2443,19 @@ def connect(host):
spider(smb, host, args.share, args.spider, args.pattern, args.depth)
print "[+] {}:{} {} Done spidering (Completed in {})".format(host, args.port, s_name, time() - start_time)
if args.wmi_query:
query = WMIQUERY(host, args.user, args.passwd, domain, args.hash, args.namespace)
res = query.run(args.wmi_query)
print "[+] {}:{} {} Executed specified WMI query:".format(host, args.port, s_name)
print ','.join(res.keys())
if len(res.values()) > 1:
for v in map(None, *res.values()):
print ','.join(v)
else:
for k in res:
for v in res[k]:
print v
if args.enum_sessions:
rpcenum = RPCENUM(args.user, args.passwd, domain, args.hash)
sessions = rpcenum.enum_sessions(host)
@ -2527,6 +2591,7 @@ if __name__ == '__main__':
parser.add_argument("-u", metavar="USERNAME", dest='user', default=None, help="Username, if omitted null session assumed")
parser.add_argument("-p", metavar="PASSWORD", dest='passwd', default=None, help="Password")
parser.add_argument("-H", metavar="HASH", dest='hash', default=None, help='NTLM hash')
parser.add_argument("-n", metavar='NAMESPACE', dest='namespace', default='//./root/cimv2', help='Namespace name (default //./root/cimv2)')
parser.add_argument("-d", metavar="DOMAIN", dest='domain', default="WORKGROUP", help="Domain name (default: WORKGROUP)")
parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Specify a share (default: C$)")
parser.add_argument("-P", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
@ -2543,6 +2608,7 @@ if __name__ == '__main__':
egroup.add_argument("--sessions", action='store_true', dest='enum_sessions', help='Enumerate active sessions')
egroup.add_argument("--users", action='store_true', dest='enum_users', help='Enumerate users')
egroup.add_argument("--lusers", action='store_true', dest='enum_lusers', help='Enumerate logged on users')
egroup.add_argument("--wmi", metavar='QUERY', type=str, dest='wmi_query', help='Issues the specified WMI query')
dgroup = parser.add_argument_group("Account Bruteforcing", "Options for bruteforcing SMB accounts")
dgroup.add_argument("--bruteforce", nargs=2, metavar=('USER_FILE', 'PASS_FILE'), help="Your wordlists containing Usernames and Passwords")