Commit Graph

240 Commits (359dac91738312cc5acde126dcd6026b5671301b)

Author SHA1 Message Date
mpgn 1308bc30c8 Adding Kerberos support for CME #22
TODO
- aeskey
- dc-ip
- checkifadmin()
2020-05-03 14:30:41 -04:00
mpgn 72338026ff
Merge pull request #367 from byt3bl33d3r/v5-metasploit
Add Module metasploit
2020-05-03 18:01:20 +02:00
mpgn 47fe1e4772 Remove submodule and simplify metasploit module #357 2020-05-03 06:19:26 -04:00
mpgn c3c9b2f04a Remove useless code #364 2020-05-01 17:31:54 -04:00
mpgn 580018050c Add better logic to MSSQL connection #364 2020-05-01 17:18:25 -04:00
mpgn c5be1e5234 Add exception handler when login fails on MSSQL protocol #364 2020-05-01 17:11:54 -04:00
mpgn ef934a7925 Rename options for module metasploit #357 2020-05-01 16:53:02 -04:00
mpgn bfe1d5b7c3 Fix uninitialized variable #363 2020-05-01 14:33:18 -04:00
mpgn 062e312fd5 Add try catch for issue #363 2020-05-01 14:20:55 -04:00
mpgn fd912c0b7d Fix thread stop assert error #357 2020-05-01 14:02:12 -04:00
mpgn 73fb336040 Update module metasploit #357
As the old code with the shellcode was broken, we switch to a simple powershell solution with Invoke-MetasploitPayload.ps1
2020-05-01 13:12:01 -04:00
mpgn 4dc4892660 Check if output is byte before decoding 2020-04-30 13:56:34 -04:00
mpgn 74792ce712 Add option --no-bruteforce allowing credentials spraying without bruteforce
cme accept user file and password file and works like this:
user1 -> pass1
      -> pass2
user2 -> pass1
      -> pass2

Option --no-bruteforce works like this
user1 -> pass1
user2 -> pass2
2020-04-30 10:06:57 -04:00
mpgn 7b0f2e9bdb Add multi domain support DOMAIN\user when passing file to -u option #243 2020-04-29 12:32:21 -04:00
mpgn 2ca377f3d8 Simplify command for wireless password #305 2020-04-29 11:09:44 -04:00
mpgn b6a6e6a9bf Add wireless module #305 2020-04-29 11:03:52 -04:00
mpgn 78c5d9ebd9 Update WINRM authentication option
If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 06:28:47 -04:00
mpgn 479ae1f721 Update MSSQL protocol for windows authentication #306
If you want to use windows auth for MSSQL without SMB, add the flag -d DOMAIN
2020-04-29 05:56:11 -04:00
mpgn f58a10124d Update winrm method to allows code execution from normal user
User who can winrm but are not local admin can now use this method to exec command
more at https://github.com/diyan/pywinrm/issues/275

we switch from pywinrm to pypsrp
2020-04-28 15:30:18 -04:00
mpgn a20d28a885 Update RID-Hijacking to latest version #353 2020-04-28 13:22:42 -04:00
mpgn e9a5841731 Fix typo on put-file function 2020-04-28 12:28:25 -04:00
mpgn f84035fa7a Add function get-file and put-file 2020-04-28 12:22:30 -04:00
mpgn 1bbe1ac0cc Clean output of mssql protocol 2020-04-28 09:39:33 -04:00
mpgn af68773b6c Fix #352 target using file 2020-04-28 08:42:25 -04:00
mpgn 356b020cb3 Fix winrm warning from pywinrm 2020-04-28 07:24:01 -04:00
mpgn 63cf5af003 Fix smbexec function #269 2020-04-28 06:19:33 -04:00
mpgn 18c438993c Fix ssh connection #351 2020-04-28 06:11:16 -04:00
mpgn ba04528738 Add feature: file as argument for -x and -X command #269 2020-04-27 16:38:30 -04:00
mpgn f19f137b0d Fix smbexec.py decode error 2020-04-22 11:04:22 -04:00
mpgn 84222eb001 Fix bytes error on gpp_autologin and gpp_password modules 2020-04-22 10:33:03 -04:00
mpgn a13ec6c3d6 Fix gpp_password encoding error with python3 #350 2020-04-22 06:43:17 -04:00
mpgn 1e8cd73a26 Switch Invoke-VNC project to python3 branch #317 2020-04-21 09:12:43 -04:00
byt3bl33d3r 6c0228f403 Fixed dependency hell, added Github actions workflow
- Got rid of netaddr in favor of built in ipaddress module
- cme/cmedb binaries are now built with shiv
- Removed http protocol as it was basically useless and added another
  dependency
2020-04-20 13:19:55 -03:00
mpgn e294a72924 Fix mimikatz module decode error #308 2020-04-20 06:24:56 -04:00
sw ed8c91ab60 changed comparison operators that generate syntax warnings 2020-04-20 03:22:03 +03:00
mpgn 9790c67620 Fix pylnk3 version from setup
fix warning with pylnk3 version
remove useless import and comment from lsassy module
2020-04-19 15:18:23 -04:00
pixis 47c83d90dc Add lsassy module 2020-04-19 20:30:35 +02:00
mpgn e2e976847b Update module rid_hijack to python3 2020-04-19 14:09:32 -04:00
byt3bl33d3r 7bb0e4e4e6
Merge pull request #300 from hantwister/patch-1
Fix false positive signing disabled with SMB2/3
2020-04-19 14:36:59 -03:00
byt3bl33d3r 02a62b027c
Merge pull request #295 from r4wd3r/rid_hijacking
Add RID Hijacking Persistence Module
2020-04-19 14:36:47 -03:00
byt3bl33d3r 498f3fc197
Merge pull request #327 from noraj/patch-1
lsa secrets: dump file extension
2020-04-19 14:32:48 -03:00
mpgn ff167fa152
Fix typo response module mimikatz #334 2020-03-09 10:26:48 +01:00
mpgn f34820939f Remove impacket and pywinrm thirdparty
impacket and pywinrm are pip package, no need to have them in the
thirdparty folder anymore
2020-01-24 03:40:02 -05:00
mpgn 83c8e5b5a3 Add module compatibility for Python3
Mimikatz, Bloodhound etc
2020-01-18 07:20:10 -05:00
mpgn 545b59054b Fix Pipfile python version and submodile version 2020-01-16 04:34:21 -05:00
Alexandre ZANNI 18634423f3
lsa secrets: dump file extension
The logger tell you LSA secrets are dump in a file named xxx.lsa

```
SMB        x.x.x.x 445    FRSCWP0001       [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```

But in reality they are logged in xxx.screts.

So just fixing the extension showed by the  logger.
2019-12-19 10:12:17 +01:00
mpgn 2cf0c0fb90 Migrate cmedb to python3 2019-11-12 16:39:26 -05:00
mpgn c2698ba8ed Fix HTTP server for module Mimikatz 2019-11-12 14:42:52 -05:00
mpgn 38acbbead5 Fix option --pass-pol in python3
error due to :
	python2 => 1 / 2 = 0
	python3 => 1 / 2 = 0.5
	python3 => 1 // 2 = 0
2019-11-12 13:33:14 -05:00
mpgn 179dfef811 Fix mimikatz range issue 2019-11-11 06:26:38 -05:00
mpgn d2c477aafb Migrate file option input
* -u user.txt
* -p password.txt
* -H hashntlm
2019-11-11 05:39:44 -05:00
mpgn 73ab379acc Migrate function to python3
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
2019-11-11 05:06:39 -05:00
mpgn a29cf6760c update python3 2019-11-10 18:39:00 -05:00
mpgn c3c4b3192d start python3 migration 2019-11-10 22:42:04 +01:00
byt3bl33d3r 48fd338d22
Merge pull request #304 from gustavi/master
Fix encoding in smb --sam
2019-08-16 10:57:11 -06:00
byt3bl33d3r 44fd121dce
Merge pull request #309 from shadowgatt/master
Fixing SMB encoding error
2019-08-16 10:56:39 -06:00
Ryan f1228174cd
Update winrm.py
Closes https://github.com/byt3bl33d3r/CrackMapExec/issues/310
2019-08-16 08:58:26 -05:00
root 12443285e9 Fix SMB encode 2019-07-13 17:52:00 +02:00
root e435a4f87b Fix SMB encode 2019-07-13 17:50:24 +02:00
Augustin Laville fdb41c0125 Fix encoding in smb --sam 2019-04-12 13:32:38 +02:00
Harrison Neal 85e4de988b
Fix false positive signing disabled with SMB2/3
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection.  When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state.  Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite.  The latter contributed to many false positives in the --gen-relay-list output file.  This is a hackish change that addressed the issue for me.
2019-03-26 15:45:02 -04:00
Sebastián Castro 49a002fcd4
Merge branch 'master' into rid_hijacking 2019-03-23 16:10:44 -05:00
byt3bl33d3r 333f1c4e06 Updated all submodules, replace pycrypto with pycryptodomex 2019-03-13 21:51:25 -06:00
r4wd3r 56ed25b621
Add rid_hijack.py module 2019-02-24 20:51:16 -05:00
r4wd3r d472bdb004
Add RID-Hijacking submodule 2019-02-24 20:50:03 -05:00
byt3bl33d3r dbe142c1ae
Merge pull request #280 from awsmhacks/master
update to powershell.py
2018-12-10 16:03:12 -07:00
Ryan 304836d702
update powershell.py
Adding [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' to fix a SSL/TLS error
2018-12-06 14:07:40 -06:00
Dhiraj Mishra b4fb22f6fe
Get-ComputerDetails.py 2018-11-04 14:22:17 +05:30
byt3bl33d3r 224c24a0a4 Updated all submodules and packages 2018-08-29 15:33:02 +08:00
byt3bl33d3r f61cb7e3f0
Merge pull request #256 from FrankSpierings/patch-2
Modified logging in spider.py
2018-08-28 19:57:55 +08:00
byt3bl33d3r 50a379dad4
Merge pull request #255 from FrankSpierings/patch-1
Update smbspider.py - Feature to use `--spider '*'` to spider all rea…
2018-08-28 19:55:54 +08:00
byt3bl33d3r 0128b589dc
Merge pull request #248 from kmackinley/kmackinley-cme-dev1
Flag to allow continuation while password spraying
2018-08-28 19:40:14 +08:00
root 1a7174137c Added remotehost in the spidering output. It is now //<remotehost>/<share>/<folder *>/<file> 2018-07-07 14:33:14 +00:00
Frank Spierings 2823452053
Update smbspider.py - Feature to use `--spider '*'` to spider all readable shares
I've added the option to allow spidering over all readable shares.
2018-07-07 16:00:59 +02:00
Dan McInerney dabdcf49ca updated amsi bypass 2018-05-29 17:47:54 -06:00
Korey McKinley 7034ab66d0
Flag to allow continuation while password spraying
Adds --continue-on-success flag when spraying passwords using smb. Allows for continuing of password spraying even after valid password is found. (Useful when password spraying with userlist.)

Usage example:
cme smb ipaddress -u users.txt -p password --continue-on-success

In response to:
https://github.com/byt3bl33d3r/CrackMapExec/issues/245
https://github.com/byt3bl33d3r/CrackMapExec/issues/247
2018-05-26 19:44:24 -06:00
byt3bl33d3r f3465ef008 Fixed up @aj-cgtech changes 2018-03-01 12:36:17 -07:00
byt3bl33d3r 5fd4aa716c Merge branch 'usersfix' of https://github.com/aj-cgtech/CrackMapExec into aj-cgtech-usersfix 2018-03-01 11:57:33 -07:00
byt3bl33d3r 12846a7e9e
Merge pull request #237 from friendlyintruder/master
fixes debug output error if exec method fails
2018-03-01 11:51:57 -07:00
Markus Krell 8dd4e95fe7 fixes debug output error if exec method fails 2018-02-23 14:55:05 +01:00
aj-cgtech fffc24ae46 Having worked out how the protocol object is created. Created config
object once, and set as an attr on each protocol.
More elegant, and allows for further config options in the future.
2018-02-23 10:13:46 +00:00
aj-cgtech b6a7028999 Typo, not l33t. 2018-02-22 21:18:31 +00:00
aj-cgtech 7e2a267328 Merging "Pwn3d!" label changes.
Fixes issue #236

Adds the ability to change the (Pwned!) label on CME output.

By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".

eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
2018-02-22 20:24:03 +00:00
aj-cgtech 6ee852387c Pwn3d label parameterised in config file. 2018-02-22 13:03:07 +00:00
aj-cgtech 8bba4b46f6 Changes to users() and groups()
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.

extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
2018-02-20 12:57:23 +00:00
aj-cgtech e1e68abe9a Added extra export options and command line feedback. 2018-02-19 14:47:12 +00:00
Daniel Lawson a908d64fc1 Added module for enumerating AD DNS via WMI. 2018-01-22 18:45:56 -06:00
byt3bl33d3r 4b35455997 Refactored Database Menu code
- Fixed some MSSQL DB interaction bugs
- Made MSSQL DB schema more consistent
- cmedb output now gets formatted using terminaltables (so perty)
- Made everything a bit more PEP8 compliant
2017-11-02 17:43:08 +08:00
ganapati 6b6a1b4de5 Fix errors from empire 2017-10-25 10:28:55 +02:00
byt3bl33d3r 2b00a795da Fixed Powershell execution using MSSQL 2017-10-25 00:45:58 -06:00
byt3bl33d3r f1c6858e55 Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-24 22:56:34 -06:00
byt3bl33d3r 03f8fc6503 Fixes #187 2017-10-24 21:52:41 -06:00
byt3bl33d3r 211e78314d Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-24 21:30:21 -06:00
byt3bl33d3r e74b0a7efc Fixes #204 2017-10-24 21:30:14 -06:00
byt3bl33d3r e80c911378 Merge pull request #181 from martindube/fix_for_smb_fr
Replacing characters when they cannot be converted (UTF-8)
2017-10-24 21:14:30 -06:00
byt3bl33d3r 009822707b Merge pull request #208 from hateshape/patch-1
Critical new video for list
2017-10-24 21:12:42 -06:00
byt3bl33d3r 1603ac4819 Added WINRM support, NMap XML and .Nessus parsing
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r 6a645d0176 Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-21 17:24:32 -06:00
byt3bl33d3r 6cce1483a4 Updated Submodules 2017-10-21 17:24:09 -06:00
hateshape 2ac8788dd8 Critical new video for list
Critical new video for list - Actual drrll here
2017-09-22 13:33:06 -06:00