Commit Graph

123 Commits (2250e5ab3682719bb5a4dc0059c465dbcc4b1859)

Author SHA1 Message Date
mpgn f58a10124d Update winrm method to allows code execution from normal user
User who can winrm but are not local admin can now use this method to exec command
more at https://github.com/diyan/pywinrm/issues/275

we switch from pywinrm to pypsrp
2020-04-28 15:30:18 -04:00
mpgn e9a5841731 Fix typo on put-file function 2020-04-28 12:28:25 -04:00
mpgn f84035fa7a Add function get-file and put-file 2020-04-28 12:22:30 -04:00
mpgn 356b020cb3 Fix winrm warning from pywinrm 2020-04-28 07:24:01 -04:00
mpgn 63cf5af003 Fix smbexec function #269 2020-04-28 06:19:33 -04:00
mpgn 18c438993c Fix ssh connection #351 2020-04-28 06:11:16 -04:00
mpgn ba04528738 Add feature: file as argument for -x and -X command #269 2020-04-27 16:38:30 -04:00
mpgn f19f137b0d Fix smbexec.py decode error 2020-04-22 11:04:22 -04:00
byt3bl33d3r 6c0228f403 Fixed dependency hell, added Github actions workflow
- Got rid of netaddr in favor of built in ipaddress module
- cme/cmedb binaries are now built with shiv
- Removed http protocol as it was basically useless and added another
  dependency
2020-04-20 13:19:55 -03:00
sw ed8c91ab60 changed comparison operators that generate syntax warnings 2020-04-20 03:22:03 +03:00
byt3bl33d3r 7bb0e4e4e6
Merge pull request #300 from hantwister/patch-1
Fix false positive signing disabled with SMB2/3
2020-04-19 14:36:59 -03:00
byt3bl33d3r 498f3fc197
Merge pull request #327 from noraj/patch-1
lsa secrets: dump file extension
2020-04-19 14:32:48 -03:00
Alexandre ZANNI 18634423f3
lsa secrets: dump file extension
The logger tell you LSA secrets are dump in a file named xxx.lsa

```
SMB        x.x.x.x 445    FRSCWP0001       [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```

But in reality they are logged in xxx.screts.

So just fixing the extension showed by the  logger.
2019-12-19 10:12:17 +01:00
mpgn 2cf0c0fb90 Migrate cmedb to python3 2019-11-12 16:39:26 -05:00
mpgn 38acbbead5 Fix option --pass-pol in python3
error due to :
	python2 => 1 / 2 = 0
	python3 => 1 / 2 = 0.5
	python3 => 1 // 2 = 0
2019-11-12 13:33:14 -05:00
mpgn 73ab379acc Migrate function to python3
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
2019-11-11 05:06:39 -05:00
mpgn a29cf6760c update python3 2019-11-10 18:39:00 -05:00
mpgn c3c4b3192d start python3 migration 2019-11-10 22:42:04 +01:00
byt3bl33d3r 48fd338d22
Merge pull request #304 from gustavi/master
Fix encoding in smb --sam
2019-08-16 10:57:11 -06:00
byt3bl33d3r 44fd121dce
Merge pull request #309 from shadowgatt/master
Fixing SMB encoding error
2019-08-16 10:56:39 -06:00
Ryan f1228174cd
Update winrm.py
Closes https://github.com/byt3bl33d3r/CrackMapExec/issues/310
2019-08-16 08:58:26 -05:00
root 12443285e9 Fix SMB encode 2019-07-13 17:52:00 +02:00
root e435a4f87b Fix SMB encode 2019-07-13 17:50:24 +02:00
Augustin Laville fdb41c0125 Fix encoding in smb --sam 2019-04-12 13:32:38 +02:00
Harrison Neal 85e4de988b
Fix false positive signing disabled with SMB2/3
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection.  When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state.  Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite.  The latter contributed to many false positives in the --gen-relay-list output file.  This is a hackish change that addressed the issue for me.
2019-03-26 15:45:02 -04:00
byt3bl33d3r f61cb7e3f0
Merge pull request #256 from FrankSpierings/patch-2
Modified logging in spider.py
2018-08-28 19:57:55 +08:00
byt3bl33d3r 50a379dad4
Merge pull request #255 from FrankSpierings/patch-1
Update smbspider.py - Feature to use `--spider '*'` to spider all rea…
2018-08-28 19:55:54 +08:00
root 1a7174137c Added remotehost in the spidering output. It is now //<remotehost>/<share>/<folder *>/<file> 2018-07-07 14:33:14 +00:00
Frank Spierings 2823452053
Update smbspider.py - Feature to use `--spider '*'` to spider all readable shares
I've added the option to allow spidering over all readable shares.
2018-07-07 16:00:59 +02:00
Korey McKinley 7034ab66d0
Flag to allow continuation while password spraying
Adds --continue-on-success flag when spraying passwords using smb. Allows for continuing of password spraying even after valid password is found. (Useful when password spraying with userlist.)

Usage example:
cme smb ipaddress -u users.txt -p password --continue-on-success

In response to:
https://github.com/byt3bl33d3r/CrackMapExec/issues/245
https://github.com/byt3bl33d3r/CrackMapExec/issues/247
2018-05-26 19:44:24 -06:00
byt3bl33d3r f3465ef008 Fixed up @aj-cgtech changes 2018-03-01 12:36:17 -07:00
byt3bl33d3r 5fd4aa716c Merge branch 'usersfix' of https://github.com/aj-cgtech/CrackMapExec into aj-cgtech-usersfix 2018-03-01 11:57:33 -07:00
Markus Krell 8dd4e95fe7 fixes debug output error if exec method fails 2018-02-23 14:55:05 +01:00
aj-cgtech fffc24ae46 Having worked out how the protocol object is created. Created config
object once, and set as an attr on each protocol.
More elegant, and allows for further config options in the future.
2018-02-23 10:13:46 +00:00
aj-cgtech b6a7028999 Typo, not l33t. 2018-02-22 21:18:31 +00:00
aj-cgtech 7e2a267328 Merging "Pwn3d!" label changes.
Fixes issue #236

Adds the ability to change the (Pwned!) label on CME output.

By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".

eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
2018-02-22 20:24:03 +00:00
aj-cgtech 6ee852387c Pwn3d label parameterised in config file. 2018-02-22 13:03:07 +00:00
aj-cgtech 8bba4b46f6 Changes to users() and groups()
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.

extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
2018-02-20 12:57:23 +00:00
byt3bl33d3r 4b35455997 Refactored Database Menu code
- Fixed some MSSQL DB interaction bugs
- Made MSSQL DB schema more consistent
- cmedb output now gets formatted using terminaltables (so perty)
- Made everything a bit more PEP8 compliant
2017-11-02 17:43:08 +08:00
byt3bl33d3r 2b00a795da Fixed Powershell execution using MSSQL 2017-10-25 00:45:58 -06:00
byt3bl33d3r f1c6858e55 Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-24 22:56:34 -06:00
byt3bl33d3r 03f8fc6503 Fixes #187 2017-10-24 21:52:41 -06:00
byt3bl33d3r 211e78314d Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-24 21:30:21 -06:00
byt3bl33d3r e74b0a7efc Fixes #204 2017-10-24 21:30:14 -06:00
byt3bl33d3r e80c911378 Merge pull request #181 from martindube/fix_for_smb_fr
Replacing characters when they cannot be converted (UTF-8)
2017-10-24 21:14:30 -06:00
byt3bl33d3r 1603ac4819 Added WINRM support, NMap XML and .Nessus parsing
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r 6a645d0176 Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-21 17:24:32 -06:00
byt3bl33d3r 6cce1483a4 Updated Submodules 2017-10-21 17:24:09 -06:00
Louis Dion-Marcil 527b58d05c Don't make service auto-start (disable reboot persistance) 2017-08-04 14:19:06 -04:00
Louis Dion-Marcil b9aff9579c Debug message for service creation/modification 2017-08-04 14:18:39 -04:00
byt3bl33d3r 212f0c363b Updated mimipenguin module description, fixed #193 2017-07-10 08:27:45 -06:00
byt3bl33d3r 0b936def23 Takes care of issue #190 and #191, initial SSH protocol implementation
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
  (This is very much still not finished, lots of stuff missing)

- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
2017-07-09 23:44:58 -06:00
byt3bl33d3r 7149b24524 Plugged in the Powershell obfuscation functionality
- Two new flags can be added to protocols that use powershell that can
clear cached obfuscated powershell scripts and obfuscate them if
powershell is installed
2017-06-26 03:49:04 -06:00
byt3bl33d3r d3a50afbfc Removed warning if powershell is not installed 2017-06-26 01:19:04 -06:00
byt3bl33d3r 11280c4ab0 Updated submodules, initial implementation of powershell script &
launcher obfuscation

- All powershell scripts are now obfuscated if powershell for linux is
installed using Invoke-Obfuscation

- All PS launchers are obfuscated using GreatSCT's python implementation
of launcher obfuscation (for now)
2017-06-26 01:03:43 -06:00
byt3bl33d3r f4dfddc89b Fixes #182 2017-06-23 12:15:09 -06:00
Martin Dubé 5eb275b55e Replacing characters when they cannot be converted (UTF-8) 2017-06-13 14:59:18 -04:00
byt3bl33d3r e795197501 Added support for both SMBv1 and SMBv3 connections
- Host info output now shows if SMBv1 is supported
2017-05-14 22:44:49 -06:00
byt3bl33d3r 4ff034f366 Added enum_avproducts module, fixed module logging
- Modules now do not print output of commands called from their protocol
- Added the enum_avproducts module
- Fixed the mimikatz_enum_vault_creds to not display creds with invalid
passwords
- Added an export command to the SMB protocols DB navigator (as
suggested by @hatredshapedlikeaman)
- Misc output fixes
2017-05-07 21:16:18 -06:00
byt3bl33d3r c71692e576 Fixed HTTP protocol exiting during setup and pass pol enumeration 2017-05-05 15:10:42 -06:00
byt3bl33d3r ee36665516 Fixed MSSQL protocol, refactored HTTP Protocol
- Fixed error in MSSQL protocol which would cause it to error out when
executing commands
- Fixed logic to deal with standard MSSQL auth instead of windows auth
- Refactored the HTTP protocol
2017-05-02 18:52:16 -06:00
byt3bl33d3r 8f38025821 Some submodule crap 2017-04-30 13:19:53 -06:00
byt3bl33d3r f0752f61b7 Re-wrote the HTTP protocol to use splinter and phantomjs
- All http connections are now concurrent
- Added a flag to take screenshots of webpages
- Minor Code cleanup
2017-04-30 12:54:35 -06:00
byt3bl33d3r d9fb2a506a Fixes #168 and #167 2017-04-26 17:04:15 -06:00
byt3bl33d3r e98f798eb3 Forcing the SMB dialect to SMBv1 since it gives us prettier OS banners 2017-04-10 02:58:33 -06:00
byt3bl33d3r fc147ddac0 Fixed content spidering and password policy enumeration
- Added enumeration for password complexity (resolves #135)
2017-04-10 01:24:23 -06:00
byt3bl33d3r 57d5d7ca13 Y'all better be ready for this, initial 4.0 release
- Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
- Added the gpp_autologin module
- Added a workaround for the current impacket smb server bug in
get_keystrokes
- fixed formatting in the SMB database navigator
- fixed an error where DC would have there dc attribute overwritten
- Other stuff that i don't remember
2017-04-06 22:34:30 -06:00
byt3bl33d3r 602b7e13f0 Re-added most of the SMB protocol functionality
- Added new module gpp_decrypt
- Cleaned up the SMB spider as much as possible
- --wmi now uses pywerview
- Re-added the http protocol
2017-04-05 09:07:00 -06:00
byt3bl33d3r cae5ffb6ce Various fixes 2017-04-03 09:25:05 -06:00
byt3bl33d3r 5dc7c4ae62 Fixed logic errors when adding users and groups to the database
- Added debug logging to core db functions
- Fixed logging output
- Updated modules to use the new API
2017-03-29 18:03:04 -06:00
byt3bl33d3r 751f209cd7 Initial 4.0 pre-release 2017-03-27 15:09:36 -06:00
byt3bl33d3r 8e6cc4e899 DB schema for the smb protocol is now final!
- added two more attributes to use in modules:opsec_safe and multiple_hosts

- renamed db function names

- Added the python_injector module and it's necessary files as a reminder
2016-12-20 00:23:40 -07:00
byt3bl33d3r 9fefd167b0 Initial commit for v4.0
Just fyi for anyone reading this, it's not even close to being
finished.

The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.

Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished
2016-12-15 00:28:00 -07:00