[smb] Firewall checker in wmi query

Signed-off-by: XiaoliChan <2209553467@qq.com>
main
XiaoliChan 2023-08-23 12:23:28 +08:00
parent c968955643
commit f6b3c28b2b
3 changed files with 50 additions and 36 deletions


@ -28,11 +28,12 @@ class CMEModule:
def on_admin_login(self, context, connection): def on_admin_login(self, context, connection):
data = [] data = []
cards = connection.wmi(f"select DNSDomainSuffixSearchOrder, IPAddress from win32_networkadapterconfiguration") cards = connection.wmi(f"select DNSDomainSuffixSearchOrder, IPAddress from win32_networkadapterconfiguration")
for c in cards: if cards:
if c["IPAddress"].get("value"): for c in cards:
context.log.success(f"IP Address: {c['IPAddress']['value']}\tSearch Domain: {c['DNSDomainSuffixSearchOrder']['value']}") if c["IPAddress"].get("value"):
context.log.success(f"IP Address: {c['IPAddress']['value']}\tSearch Domain: {c['DNSDomainSuffixSearchOrder']['value']}")
data.append(cards) data.append(cards)
log_name = "network-connections-{}-{}.log".format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S")) log_name = "network-connections-{}-{}.log".format(connection.args.target[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
write_log(json.dumps(data), log_name) write_log(json.dumps(data), log_name)
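Review bot: `if cards:` treats the `False` that `connection.wmi` now returns on a failed DCOM/WMI connection exactly like an empty result set, and `write_log(...)` below it still runs, so a blocked query produces a log file with no useful content; with the indentation lost in this rendering it is unclear whether `data.append(cards)` sits inside the guard, and if it does not, the written JSON becomes `[false]`. An explicit check such as `if cards is False: return` before the loop, or skipping `write_log` when `data` is empty, keeps a connection failure distinguishable from a host with no adapters. The query on the `connection.wmi(...)` line is an f-string with no placeholders and reads more clearly as a plain string literal. The method may continue past the end of the hunk.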


@ -503,7 +503,7 @@ class HostChecker:
def check_last_successful_update(self): def check_last_successful_update(self):
records = self.connection.wmi(wmi_query='Select TimeGenerated FROM Win32_ReliabilityRecords Where EventIdentifier=19', namespace='root\\cimv2') records = self.connection.wmi(wmi_query='Select TimeGenerated FROM Win32_ReliabilityRecords Where EventIdentifier=19', namespace='root\\cimv2')
if len(records) == 0: if isinstance(records, bool) or len(records) == 0:
return False, ['No update found'] return False, ['No update found']
most_recent_update_date = records[0]['TimeGenerated']['value'] most_recent_update_date = records[0]['TimeGenerated']['value']
most_recent_update_date = most_recent_update_date.split('.')[0] most_recent_update_date = most_recent_update_date.split('.')[0]
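Review bot: `isinstance(records, bool)` folds a failed WMI connection (the `False` that `wmi()` now returns when the DCOM firewall check or the query fails) into the `'No update found'` result, so a host whose RPC port is filtered is reported as one that was never updated. `if not records:` covers both `False` and an empty list more idiomatically, but a separate branch such as `if records is False: return False, ['WMI query failed']` ahead of the existing check keeps the failure visible to the caller of check_last_successful_update. The rest of the method continues past the hunk.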


@ -56,7 +56,10 @@ from dploot.lib.target import Target
from dploot.lib.smb import DPLootSMBConnection from dploot.lib.smb import DPLootSMBConnection
from pywerview.cli.helpers import * from pywerview.cli.helpers import *
from pywerview.requester import RPCRequester
from impacket.dcerpc.v5.dtypes import NULL
from impacket.dcerpc.v5.dcomrt import DCOMConnection
from impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, WBEM_FLAG_FORWARD_ONLY, IWbemLevel1Login
from time import time from time import time
from datetime import datetime from datetime import datetime
@ -1208,45 +1211,55 @@ class smb(connection):
def pass_pol(self): def pass_pol(self):
return PassPolDump(self).dump() return PassPolDump(self).dump()
@requires_admin
def wmi(self, wmi_query=None, namespace=None): def wmi(self, wmi_query=None, namespace=None):
records = [] records = []
if not wmi_query:
wmi_query = self.args.wmi.strip('\n')
if not namespace: if not namespace:
namespace = self.args.wmi_namespace namespace = self.args.wmi_namespace
try: try:
rpc = RPCRequester( dcom = DCOMConnection(self.conn.getRemoteName(), self.username, self.password, self.domain, self.lmhash, self.nthash, oxidResolver=True, doKerberos=self.kerberos ,kdcHost=self.kdcHost, aesKey=self.aesKey)
self.host, iInterface = dcom.CoCreateInstanceEx(CLSID_WbemLevel1Login,IID_IWbemLevel1Login)
self.domain, flag, stringBinding = dcom_FirewallChecker(iInterface, self.args.dcom_timeout)
self.username, if not flag:
self.password, self.logger.fail(f'WMI Query: Dcom initialization failed on connection with stringbinding: "{stringBinding}", please increase the timeout with the option "--dcom-timeout". If it\'s still failing maybe something is blocking the RPC connection')
self.lmhash, # Make it force break function
self.nthash, dcom.disconnect()
) return False
rpc._create_wmi_connection(namespace=namespace) iWbemLevel1Login = IWbemLevel1Login(iInterface)
iWbemServices= iWbemLevel1Login.NTLMLogin(namespace , NULL, NULL)
if wmi_query: iWbemLevel1Login.RemRelease()
query = rpc._wmi_connection.ExecQuery(wmi_query, lFlags=WBEM_FLAG_FORWARD_ONLY) iEnumWbemClassObject = iWbemServices.ExecQuery(wmi_query)
else:
query = rpc._wmi_connection.ExecQuery(self.args.wmi, lFlags=WBEM_FLAG_FORWARD_ONLY)
except Exception as e: except Exception as e:
self.logger.fail(f"Error creating WMI connection: {e}") self.logger.fail('Execute WQL error: {}'.format(e))
return records iWbemServices.RemRelease()
dcom.disconnect()
while True: return False
else:
self.logger.info(f"Executing WQL syntax: {wmi_query}")
while True:
try:
wmi_results = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
record = wmi_results.getProperties()
records.append(record)
for k,v in record.items():
self.logger.highlight(f"{k} => {v['value']}")
except Exception as e:
if str(e).find('S_FALSE') < 0:
raise e
else:
break
try: try:
wmi_results = query.Next(0xFFFFFFFF, 1)[0] iEnumWbemClassObject.RemRelease()
record = wmi_results.getProperties() iWbemServices.RemRelease()
records.append(record) dcom.disconnect()
for k, v in record.items(): except:
self.logger.highlight(f"{k} => {v['value']}") pass
self.logger.highlight("")
except Exception as e:
if str(e).find("S_FALSE") < 0:
raise e
else:
break
return records return records
def spider( def spider(
self, self,