Commit Graph

35 Commits (14d12fba1e66665013ec6140346f8e66d43bc913)

Author SHA1 Message Date
mpgn 3cc0b00f0b Remove conditional auth for modules and options 2020-08-11 07:39:16 -04:00
mpgn 1aa2f8cc0f Fix winrm uninitialized variable and hash auth option 2020-07-28 10:16:06 -04:00
mpgn d13042f637 Fix missing user.seek when using file as username with several hosts
this commit maybe break something but it solve this `cme smb file -u file -p file`
2020-06-20 18:43:34 -04:00
mpgn 280d497b0d Add conditional check on the func login()
- modules, options will no longer be loaded if authentication fails
- add some try catch and fix some problem with the debug on the passpolicy class
2020-06-20 18:16:37 -04:00
mpgn fb9d6fbc59 Fix cme action build 2020-05-10 20:16:34 +02:00
mpgn 8931ec2300 Add Windows spec file to compile CME for Windows 2020-05-10 20:06:08 +02:00
mpgn d3a7effb86 Fix ssh issue #375 2020-05-09 07:59:53 -04:00
mpgn 622245dcfa Add support kerberos aesKey and kdcHost #22 add lssasy module kerberos support
add error when not credential foud on lsassy module #368
2020-05-04 13:23:41 -04:00
mpgn 1308bc30c8 Adding Kerberos support for CME #22
TODO
- aeskey
- dc-ip
- checkifadmin()
2020-05-03 14:30:41 -04:00
mpgn 74792ce712 Add option --no-bruteforce allowing credentials spraying without bruteforce
cme accept user file and password file and works like this:
user1 -> pass1
      -> pass2
user2 -> pass1
      -> pass2

Option --no-bruteforce works like this
user1 -> pass1
user2 -> pass2
2020-04-30 10:06:57 -04:00
mpgn 7b0f2e9bdb Add multi domain support DOMAIN\user when passing file to -u option #243 2020-04-29 12:32:21 -04:00
mpgn d2c477aafb Migrate file option input
* -u user.txt
* -p password.txt
* -H hashntlm
2019-11-11 05:39:44 -05:00
mpgn a29cf6760c update python3 2019-11-10 18:39:00 -05:00
byt3bl33d3r 1603ac4819 Added WINRM support, NMap XML and .Nessus parsing
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r 0b936def23 Takes care of issue #190 and #191, initial SSH protocol implementation
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
  (This is very much still not finished, lots of stuff missing)

- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
2017-07-09 23:44:58 -06:00
byt3bl33d3r ee36665516 Fixed MSSQL protocol, refactored HTTP Protocol
- Fixed error in MSSQL protocol which would cause it to error out when
executing commands
- Fixed logic to deal with standard MSSQL auth instead of windows auth
- Refactored the HTTP protocol
2017-05-02 18:52:16 -06:00
byt3bl33d3r f0752f61b7 Re-wrote the HTTP protocol to use splinter and phantomjs
- All http connections are now concurrent
- Added a flag to take screenshots of webpages
- Minor Code cleanup
2017-04-30 12:54:35 -06:00
byt3bl33d3r cada0fcbb4 Switched to gevents gethostbyname() function 2017-04-14 15:32:39 -06:00
byt3bl33d3r e8def0ad4c Fixes #165 2017-04-14 15:26:17 -06:00
byt3bl33d3r 602b7e13f0 Re-added most of the SMB protocol functionality
- Added new module gpp_decrypt
- Cleaned up the SMB spider as much as possible
- --wmi now uses pywerview
- Re-added the http protocol
2017-04-05 09:07:00 -06:00
byt3bl33d3r 5dc7c4ae62 Fixed logic errors when adding users and groups to the database
- Added debug logging to core db functions
- Fixed logging output
- Updated modules to use the new API
2017-03-29 18:03:04 -06:00
byt3bl33d3r 751f209cd7 Initial 4.0 pre-release 2017-03-27 15:09:36 -06:00
byt3bl33d3r 9fefd167b0 Initial commit for v4.0
Just fyi for anyone reading this, it's not even close to being
finished.

The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.

Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished
2016-12-15 00:28:00 -07:00
byt3bl33d3r 07872985d7 This commit addresses a number of issues including #130 and #126 2016-09-21 13:40:59 -06:00
byt3bl33d3r 1468e258ee removed wrong import 2016-09-13 15:57:36 -06:00
byt3bl33d3r 9bda755de4 Added SessionError handling 2016-09-13 15:55:34 -06:00
byt3bl33d3r db056d1ab4 Initial implementation of module chaining
Oook, this commit is basicallu just so I can start tracking (and
testing) all of the changes made so far:

- All execution methods are now completely fileless, all output and/or batch
  files get outputted/hosted locally on a SMB server that gets spun up on runtime

- Module structure has been modified for module chaining

- Module chaining implementation is currently very hacky, I definitly
  have to figure out something more elegant but for now it
  works. Module chaining is performed via the -MC flag and has it's own
  mini syntax (will be adding it to the wiki)

- You can now specify credential ID ranges using the -id flag
- Added the eventvwr_bypass and rundll32_exec modules
- Renamed a lot of the modules for naming consistency

TODO:

- Launchers/Payloads need to be escaped before being generated when
  module chaining

- Add check for modules 'required_server' attribute
- Finish modifying the functions in the Connection object so they return
  the results
2016-09-12 00:52:50 -06:00
byt3bl33d3r 90f1f3ad54 Some extensive code refactoring
- The whole connector function has been removed finally (was there since
  v1.0)
- Functions now get called dynamically based on parsed arguments
- All of CME's functionality can now be accessed through the modules
  (W00t!), just have finish modifing the code so the results will get
  returned
2016-08-12 00:36:38 -06:00
byt3bl33d3r 6f2596902c Implemented @mattifestation's AMSI bypass and multiple bugfixes
- @mattifestation's AMSI bypass now gets called before executing
  powershell commands or scripts

- Squashed some bugs related to account bruteforcing, enumerating users
  and creating/deleting the UseLogonCredential reg key
2016-08-06 10:28:16 -06:00
byt3bl33d3r 6876761cfe Added the --ufail-limit flag to limit failed login attempts per username 2016-08-02 08:49:30 -06:00
byt3bl33d3r 022671d039 Re-implemented the --gfail-limit and --fail-limit options (Properly this
time) to limit failed login attemptes

- The logic responsible for SMB bruteforcing/login has been modified
  to sync between the concurrent threads: this allows us to limit failed login
  attemptes with the two new flags. However this does cause the threads
  to lock so there is a minor reduction in speed but IMHO this is a good
  middle ground.

- You can now specify multiple DB credential IDs, CME will then
  bruteforce using the specifspecified cred set

- Version bump
2016-08-01 22:23:27 -06:00
byt3bl33d3r cb3c39beb8 Fixed logic bug with password file if brute forcing 2016-07-21 05:40:10 -06:00
byt3bl33d3r 58edfe18f3 Code cleanup of the execute method in the Connection class in
connection.py

Additionally, since the smbexec execution method seems to be detected by
a number of AV HIPS'es, i've switched the default execution method order
to:
1. wmiexec
2. atexec
3. smbexec

Furthermore, the method argument in the execute function now accepts a
list of exec methods.
2016-06-14 18:58:19 -06:00
byt3bl33d3r 68a908562a Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00
byt3bl33d3r d5a7af9858 goddammit, git add bro 2016-05-16 17:48:31 -06:00