* Fixed instability issues based - the smb mode will now not crash on
SMB object not having _Connection
NetBIOSTimeout
UnsupportedFeature
* Forgotten return statement
* Improved logging logic
* Improved logging
When the remote server returns a STATUS_NO_SUCH_FILE message, cme
interprets the login credentials as wrong. However, impackets
smbserver.py proves that this can be wrong.
Update LDAP proto:
- can fetch a LDAP domain from an account from another domain (trust relation between forest)
- fix sizeLimit to unlimited on LDAP queries
- fix little mistake in LDAP modules
Update SMB proto:
- fix users function when DC is vulnerable to NULL SESSION
- add SAMRPC function to fetch users on the domain
- add option --computers to fetch all computers
Update CLI
- add function export, but it's not tested
- Replaced Gevent with AsyncIO
- Shares are now logged in the database and can be queried
- You can now press enter while a scan is being performed and CME will
give you a completion percentage and the number of hosts remaining to
scan
- decrease winrm timeout to 3 seconds so @IppSec 's videos
tlast less time :)
-- add ico to cme exe
-- add option smb-server-port to make cme compatible with windows
cme accept user file and password file and works like this:
user1 -> pass1
-> pass2
user2 -> pass1
-> pass2
Option --no-bruteforce works like this
user1 -> pass1
user2 -> pass2
The logger tell you LSA secrets are dump in a file named xxx.lsa
```
SMB x.x.x.x 445 FRSCWP0001 [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```
But in reality they are logged in xxx.screts.
So just fixing the extension showed by the logger.
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection. When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state. Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite. The latter contributed to many false positives in the --gen-relay-list output file. This is a hackish change that addressed the issue for me.
Fixes issue #236
Adds the ability to change the (Pwned!) label on CME output.
By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".
eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.
extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
(This is very much still not finished, lots of stuff missing)
- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
- Two new flags can be added to protocols that use powershell that can
clear cached obfuscated powershell scripts and obfuscate them if
powershell is installed
launcher obfuscation
- All powershell scripts are now obfuscated if powershell for linux is
installed using Invoke-Obfuscation
- All PS launchers are obfuscated using GreatSCT's python implementation
of launcher obfuscation (for now)
mpgn
zblurx
Wlayzz
Gianfranco Alongi
shoxxdj
Sam Frees1de
TNeitzel
Serizao
HynekPetrak
brightio
byt3bl33d3r
sw
byt3bl33d3r
Alexandre ZANNI
root
Harrison Neal
Korey McKinley
Markus Krell
aj-cgtech
byt3bl33d3r