Update LDAP proto:
- can fetch an LDAP domain from an account in another domain (trust relationship between forests)
- fix sizeLimit to unlimited on LDAP queries
- fix a small mistake in the LDAP modules
Update SMB proto:
- fix users function when DC is vulnerable to NULL SESSION
- add a SAMRPC function to fetch users on the domain
- add option --computers to fetch all computers
Update CLI
- add an export function, but it's not tested
- Replaced Gevent with AsyncIO
- Shares are now logged in the database and can be queried
- You can now press Enter while a scan is being performed and CME will give you a completion percentage and the number of hosts remaining to scan
- decrease the winrm timeout to 3 seconds so @IppSec's videos last less time :)
- add an ico to the cme exe
- add option smb-server-port to make cme compatible with Windows
cme accepts a user file and a password file and works like this:
```
user1 -> pass1
      -> pass2
user2 -> pass1
      -> pass2
```
Option --no-bruteforce works like this:
```
user1 -> pass1
user2 -> pass2
```
The logger tells you LSA secrets are dumped to a file named xxx.lsa:
```
SMB x.x.x.x 445 FRSCWP0001 [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```
But in reality they are logged to xxx.secrets.
So this just fixes the extension shown by the logger.
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection. When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state. Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite. The latter contributed to many false positives in the --gen-relay-list output file. This is a hackish change that addressed the issue for me.
Fixes issue #236
Adds the ability to change the (Pwned!) label on CME output.
By default, nothing changes, but if required, to keep suits happy, you can change the output of CME by adding a property to ~/.cme/cme.conf, in the [CME] section, property "pwn3d_label".
e.g.:
```
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
```
users() was failing on a bad attribute; changed the code to use getattr instead. If the attribute is missing, it no longer throws an exception.
Extraction of the domain from the distinguished name was not working in all circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK would incorrectly extract CO. The function now extracts the fully qualified domain, which then gets shortened by the db_add_user() function.
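The fully-qualified extraction described in that fix, as an added example (not the project's own code): walk the DN's RDNs, keep every DC= component in order, and join them, so FOO.CO.UK and FOO.BAR.CO.UK come out whole instead of as CO. The scanner honours backslash-escaped commas, which appear in CN= values such as "Smith\, John" and would otherwise split the DN in the wrong place. The short-name helper that takes the first label is an assumption about what "shortened" means; the changelog does not say how db_add_user() shortens the name.

```python
def split_rdns(dn):
    """Split a DN into (ATTR, value) pairs, honouring backslash escapes.

    A plain split(',') breaks on values like CN=Smith\, John, so the DN is
    scanned character by character and an escaped comma is kept literal.
    """
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])      # escaped char, keep it literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def fqdn_from_dn(dn):
    """Return the fully qualified domain from all DC= components, in order."""
    labels = [value for attr, value in split_rdns(dn) if attr == "DC"]
    if not labels:
        raise ValueError("no DC= component in DN: %r" % dn)
    return ".".join(labels).lower()


def short_domain(fqdn):
    """Assumed shortening rule: the first label, upper-cased (FOO.CO.UK -> FOO)."""
    return fqdn.split(".")[0].upper()


if __name__ == "__main__":
    # Constructed sample DNs, including the multi-label TLD cases from the fix.
    for dn in (
        "CN=Alice,OU=Users,DC=FOO,DC=COM",
        "CN=Bob,OU=Users,DC=FOO,DC=CO,DC=UK",
        "CN=Smith\\, John,OU=Users,DC=FOO,DC=BAR,DC=CO,DC=UK",
    ):
        fq = fqdn_from_dn(dn)
        print("%-55s -> %s (%s)" % (dn, fq, short_domain(fq)))
```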