[wmi] Finished todo list after PR #114

Signed-off-by: XiaoliChan <2209553467@qq.com>

cme/modules/enum_dns.py

@@ -13,7 +13,7 @@ class CMEModule:
 
     name = "enum_dns"
     description = "Uses WMI to dump DNS from an AD DNS Server"
-    supported_protocols = ["smb"]
+    supported_protocols = ["wmi"]
     opsec_safe = True
     multiple_hosts = True
 
@@ -72,4 +72,4 @@ class CMEModule:
 
         log_name = "DNS-Enum-{}-{}.log".format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
         write_log(data, log_name)
-        context.log.display(f"Saved raw output to {log_name}")
+        context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")

cme/modules/get_netconnections.py

@@ -15,7 +15,7 @@ class CMEModule:
 
     name = "get_netconnections"
     description = "Uses WMI to query network connections."
-    supported_protocols = ["smb"]
+    supported_protocols = ["wmi"]
     opsec_safe = True
     multiple_hosts = True
 
@@ -37,4 +37,4 @@ class CMEModule:
 
         log_name = "network-connections-{}-{}.log".format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
         write_log(json.dumps(data), log_name)
-        context.log.display("Saved raw output to {}".format(log_name))
+        context.log.display(f"Saved raw output to ~/.cme/logs/{log_name}")

cme/modules/rdp.py

@@ -16,7 +16,6 @@ from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
 class CMEModule:
     name = "rdp"
     description = "Enables/Disables RDP"
-    #supported_protocols = ["smb"]
     supported_protocols = ["smb" ,"wmi"]
     opsec_safe = True
     multiple_hosts = True

cme/protocols/wmi.py

@@ -175,19 +175,22 @@ class wmi(connection):
         try:
             dcom = DCOMConnection(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, oxidResolver=True, doKerberos=self.doKerberos ,kdcHost=self.kdcHost, aesKey=self.aesKey)
             iInterface = dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login, IID_IWbemLevel1Login)
-            self.firewall_check(iInterface, self.args.rpc_timeout)
+            flag, self.stringBinding = dcom_FirewallChecker(iInterface, self.args.rpc_timeout)
         except Exception as e:
             try:
                 dcom.disconnect()
             except:
                 pass
 
-            if str(e).lower().find("connect") > 0:
+            if not str(e).find("access_denied") > 0:
-                self.logger.fail(f'Check admin error: dcom initialization failed with stringbinding: "{self.stringBinding}", please try "--rpc-timeout" option. (probably is admin)')
-            elif str(e).find("access_denied") > 0:
-                pass
-            else:
                 self.logger.fail(str(e))
+        else:
+            if not flag:
+                self.logger.fail(f'Check admin error: dcom initialization failed with stringbinding: "{self.stringBinding}", please try "--rpc-timeout" option. (probably is admin)')
+                try:
+                    dcom.disconnect()
+                except:
+                    pass
             else:
                 try:
                     iWbemLevel1Login = IWbemLevel1Login(iInterface)
@@ -198,9 +201,7 @@ class wmi(connection):
                     except:
                         pass
 
-                if str(e).find("access_denied") > 0:
+                    if not str(e).find("access_denied") > 0:
-                    pass
-                else:
                         self.logger.fail(str(e))
                 else:
                     dcom.disconnect()
@@ -208,29 +209,6 @@ class wmi(connection):
                     self.admin_privs = True
         return
 
-    def firewall_check(self, iInterface ,timeout):
-        stringBindings = iInterface.get_cinstance().get_string_bindings()
-        for strBinding in stringBindings:
-            if strBinding['wTowerId'] == 7:
-                if strBinding['aNetworkAddr'].find('[') >= 0:
-                    binding, _, bindingPort = strBinding['aNetworkAddr'].partition('[')
-                    bindingPort = '[' + bindingPort
-                else:
-                    binding = strBinding['aNetworkAddr']
-                    bindingPort = ''
-
-                if binding.upper().find(iInterface.get_target().upper()) >= 0:
-                    stringBinding = 'ncacn_ip_tcp:' + strBinding['aNetworkAddr'][:-1]
-                    break
-                elif iInterface.is_fqdn() and binding.upper().find(iInterface.get_target().upper().partition('.')[0]) >= 0:
-                    stringBinding = 'ncacn_ip_tcp:%s%s' % (iInterface.get_target(), bindingPort)
-
-        self.stringBinding = stringBinding
-        rpctransport = transport.DCERPCTransportFactory(stringBinding)
-        rpctransport.set_connect_timeout(timeout)
-        rpctransport.connect()
-        rpctransport.disconnect()
-
     def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="", kdcHost="", useCache=False):
         logging.getLogger("impacket").disabled = True
         lmhash = ''
@@ -417,7 +395,7 @@ class wmi(connection):
             WQL = self.args.wmi.strip('\n')
 
         if not namespace:
-            namespace = self.args.namespace
+            namespace = self.args.wmi_namespace
 
         try:
             dcom = DCOMConnection(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, oxidResolver=True, doKerberos=self.doKerberos ,kdcHost=self.kdcHost, aesKey=self.aesKey)
@@ -428,7 +406,6 @@ class wmi(connection):
             iEnumWbemClassObject = iWbemServices.ExecQuery(WQL)
         except Exception as e:
             self.logger.fail('Execute WQL error: {}'.format(e))
-            iWbemServices.RemRelease()
             dcom.disconnect()
             return False
         else:
@@ -447,7 +424,6 @@ class wmi(connection):
                         break
             try:
                 iEnumWbemClassObject.RemRelease()
-                iWbemServices.RemRelease()
                 dcom.disconnect()
             except:
                 pass

cme/protocols/wmi/proto_args.py

@@ -4,7 +4,7 @@ def proto_args(parser, std_parser, module_parser):
     wmi_parser = parser.add_parser('wmi', help="own stuff using WMI", parents=[std_parser, module_parser], conflict_handler='resolve')
     wmi_parser.add_argument("-H", '--hash', metavar="HASH", dest='hash', nargs='+', default=[], help='NTLM hash(es) or file(s) containing NTLM hashes')
     wmi_parser.add_argument("--port", type=int, choices={135}, default=135, help="WMI port (default: 135)")
-    wmi_parser.add_argument("--rpc-timeout", help="RPC connection timeout, default 2 secondes", type=int, default=2)
+    wmi_parser.add_argument("--rpc-timeout", help="RPC/DCOM(WMI) connection timeout, default is %(default)s secondes", type=int, default=2)
 
     # For domain options
     dgroup = wmi_parser.add_mutually_exclusive_group()
@@ -12,8 +12,8 @@ def proto_args(parser, std_parser, module_parser):
     dgroup.add_argument("--local-auth", action='store_true', help='Authenticate locally to each target')
 
     egroup = wmi_parser.add_argument_group("Mapping/Enumeration", "Options for Mapping/Enumerating")
-    egroup.add_argument("-q", metavar='QUERY', dest='wmi',type=str, help='Issues the specified WMI query')
+    egroup.add_argument("--wmi", metavar='QUERY', dest='wmi',type=str, help='Issues the specified WMI query')
-    egroup.add_argument("--namespace", metavar='NAMESPACE', type=str, default='root\\cimv2', help='WMI Namespace (default: root\\cimv2)')
+    egroup.add_argument("--wmi-namespace", metavar='NAMESPACE', type=str, default='root\\cimv2', help='WMI Namespace (default: root\\cimv2)')
 
     cgroup = wmi_parser.add_argument_group("Command Execution", "Options for executing commands")
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")