Commit Graph

370 Commits (b1308da93e12dc67c08ebb11e7de9d6af93479bb)

Author SHA1 Message Date
byt3bl33d3r 50a379dad4
Merge pull request #255 from FrankSpierings/patch-1
Update smbspider.py - Feature to use `--spider '*'` to spider all rea…
2018-08-28 19:55:54 +08:00
byt3bl33d3r 0128b589dc
Merge pull request #248 from kmackinley/kmackinley-cme-dev1
Flag to allow continuation while password spraying
2018-08-28 19:40:14 +08:00
root 1a7174137c Added remotehost in the spidering output. It is now //<remotehost>/<share>/<folder *>/<file> 2018-07-07 14:33:14 +00:00
Frank Spierings 2823452053
Update smbspider.py - Feature to use `--spider '*'` to spider all readable shares
I've added the option to allow spidering over all readable shares.
2018-07-07 16:00:59 +02:00
Dan McInerney dabdcf49ca updated amsi bypass 2018-05-29 17:47:54 -06:00
Korey McKinley 7034ab66d0
Flag to allow continuation while password spraying
Adds --continue-on-success flag when spraying passwords using smb. Allows for continuing of password spraying even after valid password is found. (Useful when password spraying with userlist.)

Usage example:
cme smb ipaddress -u users.txt -p password --continue-on-success

In response to:
https://github.com/byt3bl33d3r/CrackMapExec/issues/245
https://github.com/byt3bl33d3r/CrackMapExec/issues/247
2018-05-26 19:44:24 -06:00
byt3bl33d3r f3465ef008 Fixed up @aj-cgtech changes 2018-03-01 12:36:17 -07:00
byt3bl33d3r 5fd4aa716c Merge branch 'usersfix' of https://github.com/aj-cgtech/CrackMapExec into aj-cgtech-usersfix 2018-03-01 11:57:33 -07:00
byt3bl33d3r 12846a7e9e
Merge pull request #237 from friendlyintruder/master
fixes debug output error if exec method fails
2018-03-01 11:51:57 -07:00
Markus Krell 8dd4e95fe7 fixes debug output error if exec method fails 2018-02-23 14:55:05 +01:00
aj-cgtech fffc24ae46 Having worked out how the protocol object is created. Created config
object once, and set as an attr on each protocol.
More elegant, and allows for further config options in the future.
2018-02-23 10:13:46 +00:00
aj-cgtech b6a7028999 Typo, not l33t. 2018-02-22 21:18:31 +00:00
aj-cgtech 7e2a267328 Merging "Pwn3d!" label changes.
Fixes issue #236

Adds the ability to change the (Pwned!) label on CME output.

By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".

eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
2018-02-22 20:24:03 +00:00
aj-cgtech 6ee852387c Pwn3d label parameterised in config file. 2018-02-22 13:03:07 +00:00
aj-cgtech 8bba4b46f6 Changes to users() and groups()
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.

extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
2018-02-20 12:57:23 +00:00
aj-cgtech e1e68abe9a Added extra export options and command line feedback. 2018-02-19 14:47:12 +00:00
Daniel Lawson a908d64fc1 Added module for enumerating AD DNS via WMI. 2018-01-22 18:45:56 -06:00
byt3bl33d3r 4b35455997 Refactored Database Menu code
- Fixed some MSSQL DB interaction bugs
- Made MSSQL DB schema more consistent
- cmedb output now gets formatted using terminaltables (so perty)
- Made everything a bit more PEP8 compliant
2017-11-02 17:43:08 +08:00
ganapati 6b6a1b4de5 Fix errors from empire 2017-10-25 10:28:55 +02:00
byt3bl33d3r 2b00a795da Fixed Powershell execution using MSSQL 2017-10-25 00:45:58 -06:00
byt3bl33d3r f1c6858e55 Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-24 22:56:34 -06:00
byt3bl33d3r 03f8fc6503 Fixes #187 2017-10-24 21:52:41 -06:00
byt3bl33d3r 211e78314d Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-24 21:30:21 -06:00
byt3bl33d3r e74b0a7efc Fixes #204 2017-10-24 21:30:14 -06:00
byt3bl33d3r e80c911378 Merge pull request #181 from martindube/fix_for_smb_fr
Replacing characters when they cannot be converted (UTF-8)
2017-10-24 21:14:30 -06:00
byt3bl33d3r 009822707b Merge pull request #208 from hateshape/patch-1
Critical new video for list
2017-10-24 21:12:42 -06:00
byt3bl33d3r 1603ac4819 Added WINRM support, NMap XML and .Nessus parsing
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r 6a645d0176 Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-21 17:24:32 -06:00
byt3bl33d3r 6cce1483a4 Updated Submodules 2017-10-21 17:24:09 -06:00
hateshape 2ac8788dd8 Critical new video for list
Critical new video for list - Actual drrll here
2017-09-22 13:33:06 -06:00
byt3bl33d3r dc0a7d8fd7 Merge pull request #203 from Waffle-Wrath/master
Bloodhound module
2017-09-08 10:21:55 -06:00
Waffle-Wrath 03465e3c58 default csv path modification 2017-08-30 17:54:40 +02:00
Waffle-Wrath cacfdf2915 Added bloodhound module and BloodHound-modified.ps1 script 2017-08-30 17:54:23 +02:00
vani11a 8644137faa CME Module: SCUFFY
Similarly to LNK abuse except SCF abuse.
2017-08-23 09:35:06 +01:00
Louis Dion-Marcil 527b58d05c Don't make service auto-start (disable reboot persistance) 2017-08-04 14:19:06 -04:00
Louis Dion-Marcil b9aff9579c Debug message for service creation/modification 2017-08-04 14:18:39 -04:00
byt3bl33d3r 212f0c363b Updated mimipenguin module description, fixed #193 2017-07-10 08:27:45 -06:00
byt3bl33d3r 0b936def23 Takes care of issue #190 and #191, initial SSH protocol implementation
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
  (This is very much still not finished, lots of stuff missing)

- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
2017-07-09 23:44:58 -06:00
byt3bl33d3r e973e8c210 logger status change 2017-06-26 03:58:56 -06:00
byt3bl33d3r 7149b24524 Plugged in the Powershell obfuscation functionality
- Two new flags can be added to protocols that use powershell that can
clear cached obfuscated powershell scripts and obfuscate them if
powershell is installed
2017-06-26 03:49:04 -06:00
byt3bl33d3r d3a50afbfc Removed warning if powershell is not installed 2017-06-26 01:19:04 -06:00
byt3bl33d3r 11280c4ab0 Updated submodules, initial implementation of powershell script &
launcher obfuscation

- All powershell scripts are now obfuscated if powershell for linux is
installed using Invoke-Obfuscation

- All PS launchers are obfuscated using GreatSCT's python implementation
of launcher obfuscation (for now)
2017-06-26 01:03:43 -06:00
byt3bl33d3r 01c0b334a8 Updated impacket 2017-06-24 17:59:42 -06:00
byt3bl33d3r fd94502d48 Removed useless format param 2017-06-23 14:37:18 -06:00
byt3bl33d3r 92453cd7a9 Fixes #179 2017-06-23 14:29:36 -06:00
byt3bl33d3r f4dfddc89b Fixes #182 2017-06-23 12:15:09 -06:00
Martin Dubé 5eb275b55e Replacing characters when they cannot be converted (UTF-8) 2017-06-13 14:59:18 -04:00
byt3bl33d3r c9eec77cf8 Updated Impacket (resolves #173) 2017-05-21 22:37:01 -06:00
byt3bl33d3r e9cafb2fdb Updated the empire_exec module for Empire 2.0 (for realzies this time) 2017-05-16 17:52:43 -06:00
byt3bl33d3r 60ac9e249d Updated the empire_exec module for Empire 2.0 2017-05-16 17:51:51 -06:00
byt3bl33d3r e795197501 Added support for both SMBv1 and SMBv3 connections
- Host info output now shows if SMBv1 is supported
2017-05-14 22:44:49 -06:00
byt3bl33d3r f9385023ed Added web_delivery module 2017-05-08 00:24:01 -06:00
byt3bl33d3r 2d22cca3ab Added SessionGopher module 2017-05-07 23:19:04 -06:00
byt3bl33d3r 4ff034f366 Added enum_avproducts module, fixed module logging
- Modules now do not print output of commands called from their protocol
- Added the enum_avproducts module
- Fixed the mimikatz_enum_vault_creds to not display creds with invalid
passwords
- Added an export command to the SMB protocols DB navigator (as
suggested by @hatredshapedlikeaman)
- Misc output fixes
2017-05-07 21:16:18 -06:00
byt3bl33d3r 04907ceb29 Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-05-05 15:11:56 -06:00
byt3bl33d3r c71692e576 Fixed HTTP protocol exiting during setup and pass pol enumeration 2017-05-05 15:10:42 -06:00
hatredshapedlikeaman 1684d4988d Update videos_for_darrell.harambe 2017-05-05 13:38:59 -06:00
byt3bl33d3r c26d993db4 Added Slinky module, pylnk in requirements 2017-05-04 19:13:11 -06:00
byt3bl33d3r ee36665516 Fixed MSSQL protocol, refactored HTTP Protocol
- Fixed error in MSSQL protocol which would cause it to error out when
executing commands
- Fixed logic to deal with standard MSSQL auth instead of windows auth
- Refactored the HTTP protocol
2017-05-02 18:52:16 -06:00
byt3bl33d3r feb9f2f63e Adjusted logger formatting 2017-04-30 13:40:00 -06:00
byt3bl33d3r 450fc19cdf Added CME-Powershell-Scripts submodule 2017-04-30 13:28:09 -06:00
byt3bl33d3r 8f38025821 Some submodule crap 2017-04-30 13:19:53 -06:00
byt3bl33d3r f0752f61b7 Re-wrote the HTTP protocol to use splinter and phantomjs
- All http connections are now concurrent
- Added a flag to take screenshots of webpages
- Minor Code cleanup
2017-04-30 12:54:35 -06:00
byt3bl33d3r 3e27f30cb1 Added the RDP module to enable/disable RDP (Resolves #88) 2017-04-26 18:01:47 -06:00
byt3bl33d3r d9fb2a506a Fixes #168 and #167 2017-04-26 17:04:15 -06:00
byt3bl33d3r cada0fcbb4 Switched to gevents gethostbyname() function 2017-04-14 15:32:39 -06:00
byt3bl33d3r 3901ec4b13 Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-04-14 15:26:26 -06:00
byt3bl33d3r e8def0ad4c Fixes #165 2017-04-14 15:26:17 -06:00
byt3bl33d3r 63e4fb8f77 Update videos_for_darrell.harambe 2017-04-14 10:13:53 -06:00
byt3bl33d3r 0390529cf1 Added another video for darrell 2017-04-11 22:55:33 -06:00
byt3bl33d3r e98f798eb3 Forcing the SMB dialect to SMBv1 since it gives us prettier OS banners 2017-04-10 02:58:33 -06:00
byt3bl33d3r 6d9de77f4b Updated impacket and pywerview submodules 2017-04-10 01:27:45 -06:00
byt3bl33d3r 86273bdc27 Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-04-10 01:25:34 -06:00
byt3bl33d3r fc147ddac0 Fixed content spidering and password policy enumeration
- Added enumeration for password complexity (resolves #135)
2017-04-10 01:24:23 -06:00
byt3bl33d3r 8270e44ce9 Updated pywerview 2017-04-07 09:08:13 -06:00
caoimhinp 5bd238e9ae Fixed errors in on_request, options, and admin_login 2017-04-07 04:45:23 -05:00
byt3bl33d3r 57d5d7ca13 Y'all better be ready for this, initial 4.0 release
- Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
- Added the gpp_autologin module
- Added a workaround for the current impacket smb server bug in
get_keystrokes
- fixed formatting in the SMB database navigator
- fixed an error where DC would have there dc attribute overwritten
- Other stuff that i don't remember
2017-04-06 22:34:30 -06:00
byt3bl33d3r 602b7e13f0 Re-added most of the SMB protocol functionality
- Added new module gpp_decrypt
- Cleaned up the SMB spider as much as possible
- --wmi now uses pywerview
- Re-added the http protocol
2017-04-05 09:07:00 -06:00
byt3bl33d3r cae5ffb6ce Various fixes 2017-04-03 09:25:05 -06:00
byt3bl33d3r 5dc7c4ae62 Fixed logic errors when adding users and groups to the database
- Added debug logging to core db functions
- Fixed logging output
- Updated modules to use the new API
2017-03-29 18:03:04 -06:00
byt3bl33d3r 751f209cd7 Initial 4.0 pre-release 2017-03-27 15:09:36 -06:00
byt3bl33d3r f1346ad55f Added impacket and pywerview as submodules 2017-03-26 16:34:11 -06:00
byt3bl33d3r d2a1078c9a Added more powershell submodules 2017-03-26 12:20:39 -06:00
byt3bl33d3r d8d1bfc9cf Re-Added invoke-obfuscation submodule 2017-02-11 12:17:24 -07:00
byt3bl33d3r 0dff45983e Re-Added submodules 2017-02-11 12:09:17 -07:00
byt3bl33d3r 59b9891c0b Removed submodules 2017-02-11 12:04:01 -07:00
byt3bl33d3r 8e6cc4e899 DB schema for the smb protocol is now final!
- added two more attributes to use in modules:opsec_safe and multiple_hosts

- renamed db function names

- Added the python_injector module and it's necessary files as a reminder
2016-12-20 00:23:40 -07:00
byt3bl33d3r 9fefd167b0 Initial commit for v4.0
Just fyi for anyone reading this, it's not even close to being
finished.

The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.

Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished
2016-12-15 00:28:00 -07:00
byt3bl33d3r b1e8322704 changed var names in token_rider module 2016-09-26 13:47:36 -06:00
byt3bl33d3r 3d50982bfa fixed powerview module again 2016-09-22 22:30:01 -06:00
byt3bl33d3r b6e8690757 fixed powerview module 2016-09-22 22:27:31 -06:00
byt3bl33d3r 07872985d7 This commit addresses a number of issues including #130 and #126 2016-09-21 13:40:59 -06:00
byt3bl33d3r 1468e258ee removed wrong import 2016-09-13 15:57:36 -06:00
byt3bl33d3r 9bda755de4 Added SessionError handling 2016-09-13 15:55:34 -06:00
byt3bl33d3r 2121503ffe Removed some debug code and dependency_link in setup.py 2016-09-12 01:10:08 -06:00
byt3bl33d3r db056d1ab4 Initial implementation of module chaining
Oook, this commit is basicallu just so I can start tracking (and
testing) all of the changes made so far:

- All execution methods are now completely fileless, all output and/or batch
  files get outputted/hosted locally on a SMB server that gets spun up on runtime

- Module structure has been modified for module chaining

- Module chaining implementation is currently very hacky, I definitly
  have to figure out something more elegant but for now it
  works. Module chaining is performed via the -MC flag and has it's own
  mini syntax (will be adding it to the wiki)

- You can now specify credential ID ranges using the -id flag
- Added the eventvwr_bypass and rundll32_exec modules
- Renamed a lot of the modules for naming consistency

TODO:

- Launchers/Payloads need to be escaped before being generated when
  module chaining

- Add check for modules 'required_server' attribute
- Finish modifying the functions in the Connection object so they return
  the results
2016-09-12 00:52:50 -06:00
byt3bl33d3r 90f1f3ad54 Some extensive code refactoring
- The whole connector function has been removed finally (was there since
  v1.0)
- Functions now get called dynamically based on parsed arguments
- All of CME's functionality can now be accessed through the modules
  (W00t!), just have finish modifing the code so the results will get
  returned
2016-08-12 00:36:38 -06:00
byt3bl33d3r 6f2596902c Implemented @mattifestation's AMSI bypass and multiple bugfixes
- @mattifestation's AMSI bypass now gets called before executing
  powershell commands or scripts

- Squashed some bugs related to account bruteforcing, enumerating users
  and creating/deleting the UseLogonCredential reg key
2016-08-06 10:28:16 -06:00
byt3bl33d3r 6876761cfe Added the --ufail-limit flag to limit failed login attempts per username 2016-08-02 08:49:30 -06:00
byt3bl33d3r 022671d039 Re-implemented the --gfail-limit and --fail-limit options (Properly this
time) to limit failed login attemptes

- The logic responsible for SMB bruteforcing/login has been modified
  to sync between the concurrent threads: this allows us to limit failed login
  attemptes with the two new flags. However this does cause the threads
  to lock so there is a minor reduction in speed but IMHO this is a good
  middle ground.

- You can now specify multiple DB credential IDs, CME will then
  bruteforce using the specifspecified cred set

- Version bump
2016-08-01 22:23:27 -06:00
byt3bl33d3r 6472937773 Updated execution methods and user enumeration for better
non-standard smb port support

- Fixed bug where current path was included in command output when using
  the smbexec exec method

- Batch file name generation is now randomized on every command executed
  rather than on object initialization
2016-08-01 03:36:58 -06:00
byt3bl33d3r 9af1ab56cf Added the mimikittenz module
- Removed the mem_scraper module since the new mimikittenz module should
  replace its functionalitu

- Fixed newline in enum_chrome output
- Version Bump
2016-08-01 02:23:17 -06:00
byt3bl33d3r cb3c39beb8 Fixed logic bug with password file if brute forcing 2016-07-21 05:40:10 -06:00
byt3bl33d3r 2e102130b1 Fixed unhandled traceback occurring when an invalid WMI namespace is
specified
2016-07-02 23:12:51 -06:00
byt3bl33d3r 9c1259b60f Fixed a bunch errors in the SMB Spider (closes #117)
Additionally, regexes are now pre-compiled before starting the spider
2016-07-02 22:47:03 -06:00
byt3bl33d3r 74f746592a Initial commit of the enum_chrome module (resolves half of #112)
The modyle uses Mimikatz's new DPAPI Chrome module to decrypt saved
chrome credentials

Additionally a new version of Invoke-Mimikatz.ps1 script has been added
that contains the latest Mimikatz binaries and a patch for it to work
when injected
(https://github.com/PowerShellMafia/PowerSploit/issues/147)
2016-06-29 00:53:41 -06:00
byt3bl33d3r 928c9af721 Fixed if statement in msf credential import code 2016-06-25 11:11:29 -06:00
byt3bl33d3r 53b49a7c3a Added support for importing Metasploit credentials (closes issue #89) 2016-06-17 21:44:40 -06:00
byt3bl33d3r d44d927372 Initial commit for the mem_scraper and powerview modules 2016-06-17 20:31:31 -06:00
byt3bl33d3r 6056ce83db Initial commit for the powerview and memscraper modules
The powerview module will replace all of the get_net* modules
Memscraper module stil has a bug which i'm working on
2016-06-17 01:34:38 -06:00
byt3bl33d3r 58edfe18f3 Code cleanup of the execute method in the Connection class in
connection.py

Additionally, since the smbexec execution method seems to be detected by
a number of AV HIPS'es, i've switched the default execution method order
to:
1. wmiexec
2. atexec
3. smbexec

Furthermore, the method argument in the execute function now accepts a
list of exec methods.
2016-06-14 18:58:19 -06:00
byt3bl33d3r 7b0b06af39 Fixed log creation in tokens.py module 2016-06-14 17:49:20 -06:00
byt3bl33d3r db223b583a Some code cleanup, bug fixes and re-added the config file
* For some reason the config file got lost in between version bumps, re-added it
* Improved the logic in first_run.py, it will now autodetect missing files and will copy/generate them accordinglu
* Code cleanup in cmedb.py and bug fixes in crackmapexec.py
2016-06-08 21:44:45 -06:00
byt3bl33d3r 18e3914731 Cleaned up the module loading code 2016-06-05 14:43:51 -06:00
byt3bl33d3r 1e281bd638 Got rid of some left over merger cruft 2016-06-04 02:18:17 -06:00
byt3bl33d3r ca9e272f26 Resolved merge conflict 2016-06-04 01:21:18 -06:00
byt3bl33d3r 838cc29634 Merged changes 2016-06-04 01:18:20 -06:00
byt3bl33d3r 23d8a6517f Refactoring for packiging is now complete! 2016-06-04 01:13:38 -06:00
byt3bl33d3r 68a908562a Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00
byt3bl33d3r d5a7af9858 goddammit, git add bro 2016-05-16 17:48:31 -06:00