Commit Graph

728 Commits (6919d477b7caa067b7f4240c9eff83e56fd717a4)

Author SHA1 Message Date
byt3bl33d3r 1468e258ee removed wrong import 2016-09-13 15:57:36 -06:00
byt3bl33d3r 9bda755de4 Added SessionError handling 2016-09-13 15:55:34 -06:00
byt3bl33d3r 2121503ffe Removed some debug code and dependency_link in setup.py 2016-09-12 01:10:08 -06:00
byt3bl33d3r db056d1ab4 Initial implementation of module chaining
Oook, this commit is basically just so I can start tracking (and
testing) all of the changes made so far:

- All execution methods are now completely fileless, all output and/or batch
  files get outputted/hosted locally on a SMB server that gets spun up on runtime

- Module structure has been modified for module chaining

- Module chaining implementation is currently very hacky, I definitely
  have to figure out something more elegant but for now it
  works. Module chaining is performed via the -MC flag and has its own
  mini syntax (will be adding it to the wiki)

- You can now specify credential ID ranges using the -id flag
- Added the eventvwr_bypass and rundll32_exec modules
- Renamed a lot of the modules for naming consistency

TODO:

- Launchers/Payloads need to be escaped before being generated when
  module chaining

- Add check for modules 'required_server' attribute
- Finish modifying the functions in the Connection object so they return
  the results
2016-09-12 00:52:50 -06:00
byt3bl33d3r 90f1f3ad54 Some extensive code refactoring
- The whole connector function has been removed finally (was there since
  v1.0)
- Functions now get called dynamically based on parsed arguments
- All of CME's functionality can now be accessed through the modules
  (W00t!), just have to finish modifying the code so the results will get
  returned
2016-08-12 00:36:38 -06:00
byt3bl33d3r 6f2596902c Implemented @mattifestation's AMSI bypass and multiple bugfixes
- @mattifestation's AMSI bypass now gets called before executing
  powershell commands or scripts

- Squashed some bugs related to account bruteforcing, enumerating users
  and creating/deleting the UseLogonCredential reg key
2016-08-06 10:28:16 -06:00
byt3bl33d3r 6876761cfe Added the --ufail-limit flag to limit failed login attempts per username 2016-08-02 08:49:30 -06:00
byt3bl33d3r 022671d039 Re-implemented the --gfail-limit and --fail-limit options (Properly this
time) to limit failed login attempts

- The logic responsible for SMB bruteforcing/login has been modified
  to sync between the concurrent threads: this allows us to limit failed login
  attempts with the two new flags. However this does cause the threads
  to lock so there is a minor reduction in speed but IMHO this is a good
  middle ground.

- You can now specify multiple DB credential IDs, CME will then
  bruteforce using the specified cred set

- Version bump
2016-08-01 22:23:27 -06:00
byt3bl33d3r 6472937773 Updated execution methods and user enumeration for better
non-standard smb port support

- Fixed bug where current path was included in command output when using
  the smbexec exec method

- Batch file name generation is now randomized on every command executed
  rather than on object initialization
2016-08-01 03:36:58 -06:00
byt3bl33d3r 9af1ab56cf Added the mimikittenz module
- Removed the mem_scraper module since the new mimikittenz module should
  replace its functionality

- Fixed newline in enum_chrome output
- Version Bump
2016-08-01 02:23:17 -06:00
byt3bl33d3r cb3c39beb8 Fixed logic bug with password file if brute forcing 2016-07-21 05:40:10 -06:00
byt3bl33d3r 2e102130b1 Fixed unhandled traceback occurring when an invalid WMI namespace is
specified
2016-07-02 23:12:51 -06:00
byt3bl33d3r 9c1259b60f Fixed a bunch of errors in the SMB Spider (closes #117)
Additionally, regexes are now pre-compiled before starting the spider
2016-07-02 22:47:03 -06:00
byt3bl33d3r 74f746592a Initial commit of the enum_chrome module (resolves half of #112)
The module uses Mimikatz's new DPAPI Chrome module to decrypt saved
chrome credentials

Additionally a new version of Invoke-Mimikatz.ps1 script has been added
that contains the latest Mimikatz binaries and a patch for it to work
when injected
(https://github.com/PowerShellMafia/PowerSploit/issues/147)
2016-06-29 00:53:41 -06:00
byt3bl33d3r 928c9af721 Fixed if statement in msf credential import code 2016-06-25 11:11:29 -06:00
byt3bl33d3r 53b49a7c3a Added support for importing Metasploit credentials (closes issue #89) 2016-06-17 21:44:40 -06:00
byt3bl33d3r d44d927372 Initial commit for the mem_scraper and powerview modules 2016-06-17 20:31:31 -06:00
byt3bl33d3r 6056ce83db Initial commit for the powerview and memscraper modules
The powerview module will replace all of the get_net* modules
Memscraper module still has a bug which I'm working on
2016-06-17 01:34:38 -06:00
byt3bl33d3r 58edfe18f3 Code cleanup of the execute method in the Connection class in
connection.py

Additionally, since the smbexec execution method seems to be detected by
a number of AV HIPS'es, I've switched the default execution method order
to:
1. wmiexec
2. atexec
3. smbexec

Furthermore, the method argument in the execute function now accepts a
list of exec methods.
2016-06-14 18:58:19 -06:00
byt3bl33d3r 7b0b06af39 Fixed log creation in tokens.py module 2016-06-14 17:49:20 -06:00
byt3bl33d3r db223b583a Some code cleanup, bug fixes and re-added the config file
* For some reason the config file got lost in between version bumps, re-added it
* Improved the logic in first_run.py, it will now autodetect missing files and will copy/generate them accordingly
* Code cleanup in cmedb.py and bug fixes in crackmapexec.py
2016-06-08 21:44:45 -06:00
byt3bl33d3r 18e3914731 Cleaned up the module loading code 2016-06-05 14:43:51 -06:00
byt3bl33d3r 1e281bd638 Got rid of some left over merger cruft 2016-06-04 02:18:17 -06:00
byt3bl33d3r ca9e272f26 Resolved merge conflict 2016-06-04 01:21:18 -06:00
byt3bl33d3r 838cc29634 Merged changes 2016-06-04 01:18:20 -06:00
byt3bl33d3r 23d8a6517f Refactoring for packaging is now complete! 2016-06-04 01:13:38 -06:00
byt3bl33d3r 68a908562a Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00
byt3bl33d3r d5a7af9858 goddammit, git add bro 2016-05-16 17:48:31 -06:00