parent
e1991e3446
commit
d4aa81bc2e
@ -13,7 +13,7 @@ class CMEModule:
name = "enum_dns"
description = "Uses WMI to dump DNS from an AD DNS Server"
supported_protocols = ["smb"]
supported_protocols = ["wmi"]
opsec_safe = True
multiple_hosts = True
@ -72,4 +72,4 @@ class CMEModule:
log_name = "DNS-Enum-{}-{}.log".format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(data, log_name)
context.log.display(f"Saved raw output to {log_name}")
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")
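Review bot: The `log_name = "DNS-Enum-{}-{}.log".format(connection.args.target[0], ...)` line names the file after the first target on the command line, not the host this connection dumped, so with `multiple_hosts = True` every host in a sweep gets the same prefix and two hosts finishing within the same second can overwrite each other; if targets may be given as CIDR ranges the `/` would also end up in the filename. If the connection object exposes the current host (not visible here), something like `log_name = f"DNS-Enum-{connection.host}-{datetime.now().strftime('%Y-%m-%d_%H%M%S')}.log"` names each file after the host it came from. The new display line also hard-codes `~/.cme/logs/` although the path is decided inside `write_log`; having `write_log` return the path it wrote and printing that keeps the message truthful. The enclosing method starts before the hunk.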
@ -15,7 +15,7 @@ class CMEModule:
name = "get_netconnections"
description = "Uses WMI to query network connections."
supported_protocols = ["smb"]
supported_protocols = ["wmi"]
opsec_safe = True
multiple_hosts = True
@ -37,4 +37,4 @@ class CMEModule:
log_name = "network-connections-{}-{}.log".format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(json.dumps(data), log_name)
context.log.display("Saved raw output to {}".format(log_name))
context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")
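Review bot: The new `context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")` asserts a directory the module never computes; it only hands `log_name` to `write_log`, so the message goes stale the moment the log directory becomes configurable or is relocated. The identical pattern is introduced in the `enum_dns` module in this same commit, so one change in `write_log` covers both: have it return the absolute path it wrote, then `path = write_log(json.dumps(data), log_name)` and `context.log.display(f"Saved raw output to {path}")`. The timestamp is also a naive local `datetime.now()`, which is ambiguous across a DST change; if the file already has `timezone` in scope, `datetime.now(timezone.utc)` makes the names sort by one clock. The enclosing method starts before the hunk.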
@ -16,7 +16,6 @@ from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
class CMEModule:
name = "rdp"
description = "Enables/Disables RDP"
#supported_protocols = ["smb"]
supported_protocols = ["smb" ,"wmi"]
opsec_safe = True
multiple_hosts = True
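Review bot: `supported_protocols = ["smb" ,"wmi"]` has a stray space before the comma; write `supported_protocols = ["smb", "wmi"]`, and if the commented-out `#supported_protocols = ["smb"]` line survives on the new side it should be deleted rather than kept as dead code. Separately, this module keeps `opsec_safe = True` while its description says it enables or disables RDP, which presumably writes configuration on the target; that flag is context rather than part of this change, but exposing a host-modifying module over a second protocol is a good moment to confirm the flag is deliberate, since operators filter on it. The remainder of the class is outside the hunk.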
@ -175,61 +175,39 @@ class wmi(connection):
try:
dcom = DCOMConnection(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, oxidResolver=True, doKerberos=self.doKerberos ,kdcHost=self.kdcHost, aesKey=self.aesKey)
iInterface = dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login, IID_IWbemLevel1Login)
self.firewall_check(iInterface, self.args.rpc_timeout)
flag, self.stringBinding = dcom_FirewallChecker(iInterface, self.args.rpc_timeout)
except Exception as e:
try:
dcom.disconnect()
except:
pass
if str(e).lower().find("connect") > 0:
self.logger.fail(f'Check admin error: dcom initialization failed with stringbinding: "{self.stringBinding}", please try "--rpc-timeout" option. (probably is admin)')
elif str(e).find("access_denied") > 0:
pass
else:
if not str(e).find("access_denied") > 0:
self.logger.fail(str(e))
else:
try:
iWbemLevel1Login = IWbemLevel1Login(iInterface)
iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
except Exception as e:
if not flag:
self.logger.fail(f'Check admin error: dcom initialization failed with stringbinding: "{self.stringBinding}", please try "--rpc-timeout" option. (probably is admin)')
try:
dcom.disconnect()
except:
pass
if str(e).find("access_denied") > 0:
pass
else:
self.logger.fail(str(e))
else:
dcom.disconnect()
self.logger.extra['protocol'] = "WMI"
self.admin_privs = True
return
try:
iWbemLevel1Login = IWbemLevel1Login(iInterface)
iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
except Exception as e:
try:
dcom.disconnect()
except:
pass
def firewall_check(self, iInterface ,timeout):
stringBindings = iInterface.get_cinstance().get_string_bindings()
for strBinding in stringBindings:
if strBinding['wTowerId'] == 7:
if strBinding['aNetworkAddr'].find('[') >= 0:
binding, _, bindingPort = strBinding['aNetworkAddr'].partition('[')
bindingPort = '[' + bindingPort
if not str(e).find("access_denied") > 0:
self.logger.fail(str(e))
else:
binding = strBinding['aNetworkAddr']
bindingPort = ''
if binding.upper().find(iInterface.get_target().upper()) >= 0:
stringBinding = 'ncacn_ip_tcp:' + strBinding['aNetworkAddr'][:-1]
break
elif iInterface.is_fqdn() and binding.upper().find(iInterface.get_target().upper().partition('.')[0]) >= 0:
stringBinding = 'ncacn_ip_tcp:%s%s' % (iInterface.get_target(), bindingPort)
self.stringBinding = stringBinding
rpctransport = transport.DCERPCTransportFactory(stringBinding)
rpctransport.set_connect_timeout(timeout)
rpctransport.connect()
rpctransport.disconnect()
dcom.disconnect()
self.logger.extra['protocol'] = "WMI"
self.admin_privs = True
return
def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
logging.getLogger("impacket").disabled = True
@ -417,7 +395,7 @@ class wmi(connection):
WQL = self.args.wmi.strip('\n')
if not namespace:
namespace = self.args.namespace
namespace = self.args.wmi_namespace
try:
dcom = DCOMConnection(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, oxidResolver=True, doKerberos=self.doKerberos ,kdcHost=self.kdcHost, aesKey=self.aesKey)
@ -428,7 +406,6 @@ class wmi(connection):
iEnumWbemClassObject = iWbemServices.ExecQuery(WQL)
except Exception as e:
self.logger.fail('Execute WQL error: {}'.format(e))
iWbemServices.RemRelease()
dcom.disconnect()
return False
else:
@ -447,7 +424,6 @@ class wmi(connection):
break
try:
iEnumWbemClassObject.RemRelease()
iWbemServices.RemRelease()
dcom.disconnect()
except:
pass
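Review bot: In the check-admin block of this file's first hunk, the `except Exception as e:` handler calls `dcom.disconnect()` inside a bare `try/except: pass`, but when `DCOMConnection(...)` is what raised, `dcom` is unbound and the NameError is exactly what that bare except swallows; set `dcom = None` before the `try`, guard with `if dcom is not None:` and narrow the handler to `except Exception:` so a genuine disconnect failure is not hidden as well. The access-denied test `str(e).find("access_denied") > 0` misses a match at offset 0 and is case-sensitive; `"access_denied" in str(e).lower()` is the check that was meant. In the NTLMLogin failure path the `if not flag:` "probably is admin" message and the later generic `self.logger.fail(str(e))` both fire for a non-access-denied error, so a timeout is reported twice — returning after the flag message avoids that, though the exact branch layout is partly obscured by the rendering. Finally, `self.admin_privs = True` is set on a successful `NTLMLogin('//./root/cimv2', ...)`, which proves remote WMI access but not necessarily membership in Administrators (remote-enable on the namespace plus DCOM launch/activate rights can suffice), so a short comment there would keep the resulting admin marker from being over-read. The enclosing method begins before the hunk.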
@ -4,7 +4,7 @@ def proto_args(parser, std_parser, module_parser):
wmi_parser = parser.add_parser('wmi', help="own stuff using WMI", parents=[std_parser, module_parser], conflict_handler='resolve')
wmi_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
wmi_parser.add_argument("--port", type=int, choices={135}, default=135, help="WMI port (default: 135)")
wmi_parser.add_argument("--rpc-timeout", help="RPC connection timeout, default 2 secondes", type=int, default=2)
wmi_parser.add_argument("--rpc-timeout", help="RPC/DCOM(WMI) connection timeout, default is %(default)s secondes", type=int, default=2)
# For domain options
dgroup = wmi_parser.add_mutually_exclusive_group()
@ -12,8 +12,8 @@ def proto_args(parser, std_parser, module_parser):
dgroup.add_argument("--local-auth", action='store_true', help='Authenticate locally to each target')
egroup = wmi_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
egroup.add_argument("-q", metavar='QUERY', dest='wmi',type=str, help='Issues the specified WMI query')
egroup.add_argument("--namespace", metavar='NAMESPACE', type=str, default='root\\cimv2', help='WMI Namespace (default: root\\cimv2)')
egroup.add_argument("--wmi", metavar='QUERY', dest='wmi',type=str, help='Issues the specified WMI query')
egroup.add_argument("--wmi-namespace", metavar='NAMESPACE', type=str, default='root\\cimv2', help='WMI Namespace (default: root\\cimv2)')
cgroup = wmi_parser.add_argument_group("Command Execution", "Options for executing commands")
cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
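Review bot: The reworded `--rpc-timeout` help in the first hunk still carries the typo "secondes"; `help="RPC/DCOM(WMI) connection timeout, default is %(default)s seconds"`. In the second hunk the query and namespace options appear as `--wmi`/`--wmi-namespace` alongside `-q`/`--namespace`; if the short spellings are the ones being dropped, existing command lines and wrapper scripts fail with an argparse error, and `egroup.add_argument("-q", "--wmi", metavar='QUERY', dest='wmi', type=str, ...)` keeps both at no cost. `--port` only admits 135, which is the endpoint mapper; the WMI session then moves to the dynamic port advertised in the string binding, which is what `--rpc-timeout` actually governs, so the `--port` help could say so to pre-empt firewall confusion. The rest of `proto_args` is outside the hunks.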