mpgn
1308bc30c8
Adding Kerberos support for CME #22
...
TODO
- aeskey
- dc-ip
- checkifadmin()
2020-05-03 14:30:41 -04:00
mpgn
72338026ff
Merge pull request #367 from byt3bl33d3r/v5-metasploit
...
Add Module metasploit
2020-05-03 18:01:20 +02:00
mpgn
47fe1e4772
Remove submodule and simplify metasploit module #357
2020-05-03 06:19:26 -04:00
mpgn
c3c9b2f04a
Remove useless code #364
2020-05-01 17:31:54 -04:00
mpgn
580018050c
Add better logic to MSSQL connection #364
2020-05-01 17:18:25 -04:00
mpgn
c5be1e5234
Add exception handler when login fails on MSSQL protocol #364
2020-05-01 17:11:54 -04:00
mpgn
ef934a7925
Rename options for module metasploit #357
2020-05-01 16:53:02 -04:00
mpgn
bfe1d5b7c3
Fix uninitialized variable #363
2020-05-01 14:33:18 -04:00
mpgn
062e312fd5
Add try catch for issue #363
2020-05-01 14:20:55 -04:00
mpgn
fd912c0b7d
Fix thread stop assert error #357
2020-05-01 14:02:12 -04:00
mpgn
73fb336040
Update module metasploit #357
...
As the old code with the shellcode was broken, we switch to a simple powershell solution with Invoke-MetasploitPayload.ps1
2020-05-01 13:12:01 -04:00
mpgn
4dc4892660
Check if output is byte before decoding
2020-04-30 13:56:34 -04:00
mpgn
74792ce712
Add option --no-bruteforce allowing credentials spraying without bruteforce
...
cme accept user file and password file and works like this:
user1 -> pass1
-> pass2
user2 -> pass1
-> pass2
Option --no-bruteforce works like this
user1 -> pass1
user2 -> pass2
2020-04-30 10:06:57 -04:00
mpgn
7b0f2e9bdb
Add multi domain support DOMAIN\user when passing file to -u option #243
2020-04-29 12:32:21 -04:00
mpgn
2ca377f3d8
Simplify command for wireless password #305
2020-04-29 11:09:44 -04:00
mpgn
b6a6e6a9bf
Add wireless module #305
2020-04-29 11:03:52 -04:00
mpgn
78c5d9ebd9
Update WINRM authentication option
...
If you want to avoind SMB connection use the flag -d DOMAIN
2020-04-29 06:28:47 -04:00
mpgn
479ae1f721
Update MSSQL protocol for windows authentication #306
...
If you want to use windows auth for MSSQL without SMB, add the flag -d DOMAIN
2020-04-29 05:56:11 -04:00
mpgn
f58a10124d
Update winrm method to allows code execution from normal user
...
User who can winrm but are not local admin can now use this method to exec command
more at https://github.com/diyan/pywinrm/issues/275
we switch from pywinrm to pypsrp
2020-04-28 15:30:18 -04:00
mpgn
a20d28a885
Update RID-Hijacking to latest version #353
2020-04-28 13:22:42 -04:00
mpgn
e9a5841731
Fix typo on put-file function
2020-04-28 12:28:25 -04:00
mpgn
f84035fa7a
Add function get-file and put-file
2020-04-28 12:22:30 -04:00
mpgn
1bbe1ac0cc
Clean output of mssql protocol
2020-04-28 09:39:33 -04:00
mpgn
af68773b6c
Fix #352 target using file
2020-04-28 08:42:25 -04:00
mpgn
356b020cb3
Fix winrm warning from pywinrm
2020-04-28 07:24:01 -04:00
mpgn
63cf5af003
Fix smbexec function #269
2020-04-28 06:19:33 -04:00
mpgn
18c438993c
Fix ssh connection #351
2020-04-28 06:11:16 -04:00
mpgn
ba04528738
Add feature: file as argument for -x and -X command #269
2020-04-27 16:38:30 -04:00
mpgn
f19f137b0d
Fix smbexec.py decode error
2020-04-22 11:04:22 -04:00
mpgn
84222eb001
Fix bytes error on gpp_autologin and gpp_password modules
2020-04-22 10:33:03 -04:00
mpgn
a13ec6c3d6
Fix gpp_password encoding error with python3 #350
2020-04-22 06:43:17 -04:00
mpgn
1e8cd73a26
Switch Invoke-VNC project to python3 branch #317
2020-04-21 09:12:43 -04:00
byt3bl33d3r
6c0228f403
Fixed dependency hell, added Github actions workflow
...
- Got rid of netaddr in favor of built in ipaddress module
- cme/cmedb binaries are now built with shiv
- Removed http protocol as it was basically useless and added another
dependency
2020-04-20 13:19:55 -03:00
mpgn
e294a72924
Fix mimikatz module decode error #308
2020-04-20 06:24:56 -04:00
sw
ed8c91ab60
changed comparison operators that generate syntax warnings
2020-04-20 03:22:03 +03:00
mpgn
9790c67620
Fix pylnk3 version from setup
...
fix warning with pylnk3 version
remove useless import and comment from lsassy module
2020-04-19 15:18:23 -04:00
pixis
47c83d90dc
Add lsassy module
2020-04-19 20:30:35 +02:00
mpgn
e2e976847b
Update module rid_hijack to python3
2020-04-19 14:09:32 -04:00
byt3bl33d3r
7bb0e4e4e6
Merge pull request #300 from hantwister/patch-1
...
Fix false positive signing disabled with SMB2/3
2020-04-19 14:36:59 -03:00
byt3bl33d3r
02a62b027c
Merge pull request #295 from r4wd3r/rid_hijacking
...
Add RID Hijacking Persistence Module
2020-04-19 14:36:47 -03:00
byt3bl33d3r
498f3fc197
Merge pull request #327 from noraj/patch-1
...
lsa secrets: dump file extension
2020-04-19 14:32:48 -03:00
mpgn
ff167fa152
Fix typo response module mimikatz #334
2020-03-09 10:26:48 +01:00
mpgn
f34820939f
Remove impacket and pywinrm thirdparty
...
impacket and pywinrm are pip package, no need to have them in the
thirdparty folder anymore
2020-01-24 03:40:02 -05:00
mpgn
83c8e5b5a3
Add module compatibility for Python3
...
Mimikatz, Bloodhound etc
2020-01-18 07:20:10 -05:00
mpgn
545b59054b
Fix Pipfile python version and submodile version
2020-01-16 04:34:21 -05:00
Alexandre ZANNI
18634423f3
lsa secrets: dump file extension
...
The logger tell you LSA secrets are dump in a file named xxx.lsa
```
SMB x.x.x.x 445 FRSCWP0001 [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```
But in reality they are logged in xxx.screts.
So just fixing the extension showed by the logger.
2019-12-19 10:12:17 +01:00
mpgn
2cf0c0fb90
Migrate cmedb to python3
2019-11-12 16:39:26 -05:00
mpgn
c2698ba8ed
Fix HTTP server for module Mimikatz
2019-11-12 14:42:52 -05:00
mpgn
38acbbead5
Fix option --pass-pol in python3
...
error due to :
python2 => 1 / 2 = 0
python3 => 1 / 2 = 0.5
python3 => 1 // 2 = 0
2019-11-12 13:33:14 -05:00
mpgn
179dfef811
Fix mimikatz range issue
2019-11-11 06:26:38 -05:00
mpgn
d2c477aafb
Migrate file option input
...
* -u user.txt
* -p password.txt
* -H hashntlm
2019-11-11 05:39:44 -05:00
mpgn
73ab379acc
Migrate function to python3
...
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
2019-11-11 05:06:39 -05:00
mpgn
a29cf6760c
update python3
2019-11-10 18:39:00 -05:00
mpgn
c3c4b3192d
start python3 migration
2019-11-10 22:42:04 +01:00
byt3bl33d3r
48fd338d22
Merge pull request #304 from gustavi/master
...
Fix encoding in smb --sam
2019-08-16 10:57:11 -06:00
byt3bl33d3r
44fd121dce
Merge pull request #309 from shadowgatt/master
...
Fixing SMB encoding error
2019-08-16 10:56:39 -06:00
Ryan
f1228174cd
Update winrm.py
...
Closes https://github.com/byt3bl33d3r/CrackMapExec/issues/310
2019-08-16 08:58:26 -05:00
root
12443285e9
Fix SMB encode
2019-07-13 17:52:00 +02:00
root
e435a4f87b
Fix SMB encode
2019-07-13 17:50:24 +02:00
Augustin Laville
fdb41c0125
Fix encoding in smb --sam
2019-04-12 13:32:38 +02:00
Harrison Neal
85e4de988b
Fix false positive signing disabled with SMB2/3
...
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection. When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state. Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite. The latter contributed to many false positives in the --gen-relay-list output file. This is a hackish change that addressed the issue for me.
2019-03-26 15:45:02 -04:00
Sebastián Castro
49a002fcd4
Merge branch 'master' into rid_hijacking
2019-03-23 16:10:44 -05:00
byt3bl33d3r
333f1c4e06
Updated all submodules, replace pycrypto with pycryptodomex
2019-03-13 21:51:25 -06:00
r4wd3r
56ed25b621
Add rid_hijack.py module
2019-02-24 20:51:16 -05:00
r4wd3r
d472bdb004
Add RID-Hijacking submodule
2019-02-24 20:50:03 -05:00
byt3bl33d3r
dbe142c1ae
Merge pull request #280 from awsmhacks/master
...
update to powershell.py
2018-12-10 16:03:12 -07:00
Ryan
304836d702
update powershell.py
...
Adding [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12' to fix a SSL/TLS error
2018-12-06 14:07:40 -06:00
Dhiraj Mishra
b4fb22f6fe
Get-ComputerDetails.py
2018-11-04 14:22:17 +05:30
byt3bl33d3r
224c24a0a4
Updated all submodules and packages
2018-08-29 15:33:02 +08:00
byt3bl33d3r
f61cb7e3f0
Merge pull request #256 from FrankSpierings/patch-2
...
Modified logging in spider.py
2018-08-28 19:57:55 +08:00
byt3bl33d3r
50a379dad4
Merge pull request #255 from FrankSpierings/patch-1
...
Update smbspider.py - Feature to use `--spider '*'` to spider all rea…
2018-08-28 19:55:54 +08:00
byt3bl33d3r
0128b589dc
Merge pull request #248 from kmackinley/kmackinley-cme-dev1
...
Flag to allow continuation while password spraying
2018-08-28 19:40:14 +08:00
root
1a7174137c
Added remotehost in the spidering output. It is now //<remotehost>/<share>/<folder *>/<file>
2018-07-07 14:33:14 +00:00
Frank Spierings
2823452053
Update smbspider.py - Feature to use `--spider '*'` to spider all readable shares
...
I've added the option to allow spidering over all readable shares.
2018-07-07 16:00:59 +02:00
Dan McInerney
dabdcf49ca
updated amsi bypass
2018-05-29 17:47:54 -06:00
Korey McKinley
7034ab66d0
Flag to allow continuation while password spraying
...
Adds --continue-on-success flag when spraying passwords using smb. Allows for continuing of password spraying even after valid password is found. (Useful when password spraying with userlist.)
Usage example:
cme smb ipaddress -u users.txt -p password --continue-on-success
In response to:
https://github.com/byt3bl33d3r/CrackMapExec/issues/245
https://github.com/byt3bl33d3r/CrackMapExec/issues/247
2018-05-26 19:44:24 -06:00
byt3bl33d3r
f3465ef008
Fixed up @aj-cgtech changes
2018-03-01 12:36:17 -07:00
byt3bl33d3r
5fd4aa716c
Merge branch 'usersfix' of https://github.com/aj-cgtech/CrackMapExec into aj-cgtech-usersfix
2018-03-01 11:57:33 -07:00
byt3bl33d3r
12846a7e9e
Merge pull request #237 from friendlyintruder/master
...
fixes debug output error if exec method fails
2018-03-01 11:51:57 -07:00
Markus Krell
8dd4e95fe7
fixes debug output error if exec method fails
2018-02-23 14:55:05 +01:00
aj-cgtech
fffc24ae46
Having worked out how the protocol object is created. Created config
...
object once, and set as an attr on each protocol.
More elegant, and allows for further config options in the future.
2018-02-23 10:13:46 +00:00
aj-cgtech
b6a7028999
Typo, not l33t.
2018-02-22 21:18:31 +00:00
aj-cgtech
7e2a267328
Merging "Pwn3d!" label changes.
...
Fixes issue #236
Adds the ability to change the (Pwned!) label on CME output.
By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".
eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
2018-02-22 20:24:03 +00:00
aj-cgtech
6ee852387c
Pwn3d label parameterised in config file.
2018-02-22 13:03:07 +00:00
aj-cgtech
8bba4b46f6
Changes to users() and groups()
...
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.
extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
2018-02-20 12:57:23 +00:00
aj-cgtech
e1e68abe9a
Added extra export options and command line feedback.
2018-02-19 14:47:12 +00:00
Daniel Lawson
a908d64fc1
Added module for enumerating AD DNS via WMI.
2018-01-22 18:45:56 -06:00
byt3bl33d3r
4b35455997
Refactored Database Menu code
...
- Fixed some MSSQL DB interaction bugs
- Made MSSQL DB schema more consistent
- cmedb output now gets formatted using terminaltables (so perty)
- Made everything a bit more PEP8 compliant
2017-11-02 17:43:08 +08:00
ganapati
6b6a1b4de5
Fix errors from empire
2017-10-25 10:28:55 +02:00
byt3bl33d3r
2b00a795da
Fixed Powershell execution using MSSQL
2017-10-25 00:45:58 -06:00
byt3bl33d3r
f1c6858e55
Fixed bug where creds dumped via mimikatz wouldn't be added to the database
2017-10-24 22:56:34 -06:00
byt3bl33d3r
03f8fc6503
Fixes #187
2017-10-24 21:52:41 -06:00
byt3bl33d3r
211e78314d
Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec
2017-10-24 21:30:21 -06:00
byt3bl33d3r
e74b0a7efc
Fixes #204
2017-10-24 21:30:14 -06:00
byt3bl33d3r
e80c911378
Merge pull request #181 from martindube/fix_for_smb_fr
...
Replacing characters when they cannot be converted (UTF-8)
2017-10-24 21:14:30 -06:00
byt3bl33d3r
009822707b
Merge pull request #208 from hateshape/patch-1
...
Critical new video for list
2017-10-24 21:12:42 -06:00
byt3bl33d3r
1603ac4819
Added WINRM support, NMap XML and .Nessus parsing
...
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r
6a645d0176
Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec
2017-10-21 17:24:32 -06:00
byt3bl33d3r
6cce1483a4
Updated Submodules
2017-10-21 17:24:09 -06:00
hateshape
2ac8788dd8
Critical new video for list
...
Critical new video for list - Actual drrll here
2017-09-22 13:33:06 -06:00