- Got rid of netaddr in favor of built in ipaddress module
- cme/cmedb binaries are now built with shiv
- Removed http protocol as it was basically useless and added another
dependency
The logger tell you LSA secrets are dump in a file named xxx.lsa
```
SMB x.x.x.x 445 FRSCWP0001 [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```
But in reality they are logged in xxx.screts.
So just fixing the extension showed by the logger.
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection. When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state. Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite. The latter contributed to many false positives in the --gen-relay-list output file. This is a hackish change that addressed the issue for me.
Fixes issue #236
Adds the ability to change the (Pwned!) label on CME output.
By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".
eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.
extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
- Fixed some MSSQL DB interaction bugs
- Made MSSQL DB schema more consistent
- cmedb output now gets formatted using terminaltables (so perty)
- Made everything a bit more PEP8 compliant
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
(This is very much still not finished, lots of stuff missing)
- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
- Two new flags can be added to protocols that use powershell that can
clear cached obfuscated powershell scripts and obfuscate them if
powershell is installed
launcher obfuscation
- All powershell scripts are now obfuscated if powershell for linux is
installed using Invoke-Obfuscation
- All PS launchers are obfuscated using GreatSCT's python implementation
of launcher obfuscation (for now)
- Modules now do not print output of commands called from their protocol
- Added the enum_avproducts module
- Fixed the mimikatz_enum_vault_creds to not display creds with invalid
passwords
- Added an export command to the SMB protocols DB navigator (as
suggested by @hatredshapedlikeaman)
- Misc output fixes
- Fixed error in MSSQL protocol which would cause it to error out when
executing commands
- Fixed logic to deal with standard MSSQL auth instead of windows auth
- Refactored the HTTP protocol
- Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
- Added the gpp_autologin module
- Added a workaround for the current impacket smb server bug in
get_keystrokes
- fixed formatting in the SMB database navigator
- fixed an error where DC would have there dc attribute overwritten
- Other stuff that i don't remember
- added two more attributes to use in modules:opsec_safe and multiple_hosts
- renamed db function names
- Added the python_injector module and it's necessary files as a reminder
Just fyi for anyone reading this, it's not even close to being
finished.
The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.
Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished