[winrm] Formatting output & add '--codec, --no-smb'

Signed-off-by: XiaoliChan <2209553467@qq.com>
2023-08-13 23:51:49 +08:00 · 2023-08-13 23:51:49 +08:00 · ec52633566
parent 4fd6efc2fc
commit ec52633566
2 changed files with 37 additions and 7 deletions
--- a/cme/protocols/winrm.py
+++ b/cme/protocols/winrm.py
@ -5,6 +5,7 @@ import hashlib
 import os
 import requests

+from io import StringIO
 from datetime import datetime
 from pypsrp.client import Client

@ -42,9 +43,8 @@ class winrm(connection):

    def enum_host_info(self):
        # smb no open, specify the domain
-        if self.args.domain:
+        if self.args.no_smb:
            self.domain = self.args.domain
-            self.logger.extra["hostname"] = self.hostname
        else:
            # try:
            smb_conn = SMBConnection(self.host, self.host, None, timeout=5)
@ -357,17 +357,22 @@ class winrm(connection):

    def execute(self, payload=None, get_output=False):
        try:
-            r = self.conn.execute_cmd(self.args.execute)
+            r = self.conn.execute_cmd(self.args.execute, encoding=self.args.codec)
        except:
            self.logger.info("Cannot execute command, probably because user is not local admin, but" " powershell command should be ok!")
            r = self.conn.execute_ps(self.args.execute)
        self.logger.success("Executed command")
-        self.logger.highlight(r[0])
+        buf = StringIO(r[0]).readlines()
+        for line in buf:
+            self.logger.highlight(line.strip())
+

    def ps_execute(self, payload=None, get_output=False):
        r = self.conn.execute_ps(self.args.ps_execute)
        self.logger.success("Executed command")
-        self.logger.highlight(r[0])
+        buf = StringIO(r[0]).readlines()
+        for line in buf:
+            self.logger.highlight(line.strip())

    def sam(self):
        self.conn.execute_cmd("reg save HKLM\SAM C:\\windows\\temp\\SAM && reg save HKLM\SYSTEM" " C:\\windows\\temp\\SYSTEM")
--- a/cme/protocols/winrm/proto_args.py
+++ b/cme/protocols/winrm/proto_args.py
@ -1,3 +1,5 @@
+from argparse import _StoreTrueAction
+
 def proto_args(parser, std_parser, module_parser):
    winrm_parser = parser.add_parser("winrm", help="own stuff using WINRM", parents=[std_parser, module_parser])
    winrm_parser.add_argument("-H", "--hash", metavar="HASH", dest="hash", nargs="+", default=[], help="NTLM hash(es) or file(s) containing NTLM hashes")
@ -6,9 +8,12 @@ def proto_args(parser, std_parser, module_parser):
    winrm_parser.add_argument("--ignore-ssl-cert", action="store_true", help="Ignore Certificate Verification")
    winrm_parser.add_argument("--laps", dest="laps", metavar="LAPS", type=str, help="LAPS authentification", nargs="?", const="administrator")
    winrm_parser.add_argument("--http-timeout", dest="http_timeout", type=int, default=10, help="HTTP timeout for WinRM connections")
+    no_smb_arg = winrm_parser.add_argument("--no-smb", action=get_conditional_action(_StoreTrueAction), make_required=[], help='No smb connection')
+
    dgroup = winrm_parser.add_mutually_exclusive_group()
-    dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
+    domain_arg = dgroup.add_argument("-d", metavar="DOMAIN", dest="domain", type=str, default=None, help="domain to authenticate to")
    dgroup.add_argument("--local-auth", action="store_true", help="authenticate locally to each target")
+    no_smb_arg.make_required = [domain_arg]

    cgroup = winrm_parser.add_argument_group("Credential Gathering", "Options for gathering credentials")
    cegroup = cgroup.add_mutually_exclusive_group()
@ -16,8 +21,28 @@ def proto_args(parser, std_parser, module_parser):
    cegroup.add_argument("--lsa", action="store_true", help="dump LSA secrets from target systems")

    cgroup = winrm_parser.add_argument_group("Command Execution", "Options for executing commands")
+    cgroup.add_argument("--codec", default="utf-8",
+                            help="Set encoding used (codec) from the target's output (default "
+                                 "\"utf-8\"). If errors are detected, run chcp.com at the target, "
+                                 "map the result with "
+                                 "https://docs.python.org/3/library/codecs.html#standard-encodings and then execute "
+                                 "again with --codec and the corresponding codec")
    cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
    cgroup.add_argument("-x", metavar="COMMAND", dest="execute", help="execute the specified command")
    cgroup.add_argument("-X", metavar="PS_COMMAND", dest="ps_execute", help="execute the specified PowerShell command")

-    return parser
+    return parser
+
+def get_conditional_action(baseAction):
+    class ConditionalAction(baseAction):
+        def __init__(self, option_strings, dest, **kwargs):
+            x = kwargs.pop('make_required', [])
+            super(ConditionalAction, self).__init__(option_strings, dest, **kwargs)
+            self.make_required = x
+
+        def __call__(self, parser, namespace, values, option_string=None):
+            for x in self.make_required:
+                x.required = True
+            super(ConditionalAction, self).__call__(parser, namespace, values, option_string)
+
+    return ConditionalAction