Commit Graph

288 Commits (b9f0b259380aa9eb4c01b28f25f04763f4cca8fc)

Author SHA1 Message Date
mpgn b9986a12ac
Add spooler service module
Add spooler service module to detect if the service is enabled or not using RCP call from https://raw.githubusercontent.com/SecureAuthCorp/impacket/master/examples/rpcdump.py
2021-07-05 21:02:15 +02:00
mpgn 091915b990 Fix and add a lot, check commit message
Update LDAP proto:
	- can fetch a LDAP domain from an account from another domain (trust relation between forest)
	- fix sizeLimit to unlimited on LDAP queries
	- fix little mistake in LDAP modules

Update SMB proto:
	- fix users function when DC is vulnerable to NULL SESSION
	- add SAMRPC function to fetch users on the domain
	- add option --computers to fetch all computers

Update CLI
	- add function export, but it's not tested
2021-06-24 14:38:24 -04:00
mpgn 8b05967bad
Merge branch 'master' into master 2021-05-30 22:17:08 +02:00
mpgn de5837b48c
Merge pull request #458 from sokaRepo/modules-mssql from @sokaRepo
Add privilege escalation MSSQL module
2021-05-30 22:09:44 +02:00
soka f6130ee2bb Add rollback action and fix IMPERSONATE filter 2021-05-30 18:28:14 +02:00
Podalirius 708e8e65ab
Added MachineAccountQuota LDAP module
Retrieves the MachineAccountQuota domain-level attribute
2021-05-28 10:07:50 +02:00
soka 2aaba52578 Add privilege escalation MSSQL module 2021-03-26 12:45:13 +01:00
mpgn 872cbb3d5f Update lsassy to version 2.1.4 to use latest version of pypykatz 2021-03-08 13:10:23 -05:00
mpgn 23a4e55ba8 Add LAPS module thx to @T3KX 2021-01-29 18:57:12 -05:00
mpgn 2250e5ab36 Fix grammar 2021-01-21 05:29:17 -05:00
nodauf fffb5d4532 Add module get_description 2020-12-11 18:48:35 +01:00
byt3bl33d3r cb5c8855ed Version 5.1.3 🔥
- Replaced Gevent with AsyncIO
- Shares are now logged in the database and can be queried
- You can now press enter while a scan is being performed and CME will
  give you a completion percentage and the number of hosts remaining to
  scan
2020-11-15 16:42:28 -07:00
mpgn 395a466bf7
Update spider_plus.py 2020-10-07 23:11:37 +02:00
mpgn 79e57eaa20
Fix spider_plus module options 2020-09-20 15:09:51 +02:00
mpgn 14d12fba1e Fix wireless module not showing all cleartext password 2020-09-12 15:54:51 -04:00
dev bf5b4486fc Fixed GPP filename typo and print 2020-08-26 22:47:43 -04:00
mpgn 4e444b68db Update spider_plus module with readable datetime 2020-07-30 10:30:29 -04:00
mpgn 97c92ffcdd Fix os import and add the dump optional using READ_ONLY option 2020-07-05 16:58:09 -04:00
mpgn ccb8e67e7b
Update spider_plus module
Change default output folder to TMP
Add import to fix error in try catch since os.errno does not exist anymore in python3.7
2020-07-05 21:53:07 +02:00
Vincent D 584c926af7 Add spider_plus module
Module to spider and dump small files from SMB servers.
2020-07-02 09:10:43 +02:00
pixis 4069cb7290 Add module - Set as owned in BloodHound 2020-05-05 09:59:30 +02:00
Pixis c75d7abebf
Update fix about no credentials 2020-05-04 19:32:58 +02:00
mpgn 622245dcfa Add support kerberos aesKey and kdcHost #22 add lssasy module kerberos support
add error when not credential foud on lsassy module #368
2020-05-04 13:23:41 -04:00
mpgn 47fe1e4772 Remove submodule and simplify metasploit module #357 2020-05-03 06:19:26 -04:00
mpgn ef934a7925 Rename options for module metasploit #357 2020-05-01 16:53:02 -04:00
mpgn 73fb336040 Update module metasploit #357
As the old code with the shellcode was broken, we switch to a simple powershell solution with Invoke-MetasploitPayload.ps1
2020-05-01 13:12:01 -04:00
mpgn 2ca377f3d8 Simplify command for wireless password #305 2020-04-29 11:09:44 -04:00
mpgn b6a6e6a9bf Add wireless module #305 2020-04-29 11:03:52 -04:00
mpgn 84222eb001 Fix bytes error on gpp_autologin and gpp_password modules 2020-04-22 10:33:03 -04:00
mpgn a13ec6c3d6 Fix gpp_password encoding error with python3 #350 2020-04-22 06:43:17 -04:00
byt3bl33d3r 6c0228f403 Fixed dependency hell, added Github actions workflow
- Got rid of netaddr in favor of built in ipaddress module
- cme/cmedb binaries are now built with shiv
- Removed http protocol as it was basically useless and added another
  dependency
2020-04-20 13:19:55 -03:00
mpgn e294a72924 Fix mimikatz module decode error #308 2020-04-20 06:24:56 -04:00
mpgn 9790c67620 Fix pylnk3 version from setup
fix warning with pylnk3 version
remove useless import and comment from lsassy module
2020-04-19 15:18:23 -04:00
pixis 47c83d90dc Add lsassy module 2020-04-19 20:30:35 +02:00
mpgn e2e976847b Update module rid_hijack to python3 2020-04-19 14:09:32 -04:00
byt3bl33d3r 02a62b027c
Merge pull request #295 from r4wd3r/rid_hijacking
Add RID Hijacking Persistence Module
2020-04-19 14:36:47 -03:00
mpgn ff167fa152
Fix typo response module mimikatz #334 2020-03-09 10:26:48 +01:00
mpgn 83c8e5b5a3 Add module compatibility for Python3
Mimikatz, Bloodhound etc
2020-01-18 07:20:10 -05:00
mpgn c2698ba8ed Fix HTTP server for module Mimikatz 2019-11-12 14:42:52 -05:00
mpgn 179dfef811 Fix mimikatz range issue 2019-11-11 06:26:38 -05:00
mpgn a29cf6760c update python3 2019-11-10 18:39:00 -05:00
Sebastián Castro 49a002fcd4
Merge branch 'master' into rid_hijacking 2019-03-23 16:10:44 -05:00
byt3bl33d3r 333f1c4e06 Updated all submodules, replace pycrypto with pycryptodomex 2019-03-13 21:51:25 -06:00
r4wd3r 56ed25b621
Add rid_hijack.py module 2019-02-24 20:51:16 -05:00
Dhiraj Mishra b4fb22f6fe
Get-ComputerDetails.py 2018-11-04 14:22:17 +05:30
Daniel Lawson a908d64fc1 Added module for enumerating AD DNS via WMI. 2018-01-22 18:45:56 -06:00
ganapati 6b6a1b4de5 Fix errors from empire 2017-10-25 10:28:55 +02:00
byt3bl33d3r 2b00a795da Fixed Powershell execution using MSSQL 2017-10-25 00:45:58 -06:00
byt3bl33d3r f1c6858e55 Fixed bug where creds dumped via mimikatz wouldn't be added to the database 2017-10-24 22:56:34 -06:00
byt3bl33d3r 1603ac4819 Added WINRM support, NMap XML and .Nessus parsing
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r dc0a7d8fd7 Merge pull request #203 from Waffle-Wrath/master
Bloodhound module
2017-09-08 10:21:55 -06:00
Waffle-Wrath 03465e3c58 default csv path modification 2017-08-30 17:54:40 +02:00
Waffle-Wrath cacfdf2915 Added bloodhound module and BloodHound-modified.ps1 script 2017-08-30 17:54:23 +02:00
vani11a 8644137faa CME Module: SCUFFY
Similarly to LNK abuse except SCF abuse.
2017-08-23 09:35:06 +01:00
byt3bl33d3r 212f0c363b Updated mimipenguin module description, fixed #193 2017-07-10 08:27:45 -06:00
byt3bl33d3r 0b936def23 Takes care of issue #190 and #191, initial SSH protocol implementation
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
  (This is very much still not finished, lots of stuff missing)

- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
2017-07-09 23:44:58 -06:00
byt3bl33d3r e9cafb2fdb Updated the empire_exec module for Empire 2.0 (for realzies this time) 2017-05-16 17:52:43 -06:00
byt3bl33d3r 60ac9e249d Updated the empire_exec module for Empire 2.0 2017-05-16 17:51:51 -06:00
byt3bl33d3r f9385023ed Added web_delivery module 2017-05-08 00:24:01 -06:00
byt3bl33d3r 2d22cca3ab Added SessionGopher module 2017-05-07 23:19:04 -06:00
byt3bl33d3r 4ff034f366 Added enum_avproducts module, fixed module logging
- Modules now do not print output of commands called from their protocol
- Added the enum_avproducts module
- Fixed the mimikatz_enum_vault_creds to not display creds with invalid
passwords
- Added an export command to the SMB protocols DB navigator (as
suggested by @hatredshapedlikeaman)
- Misc output fixes
2017-05-07 21:16:18 -06:00
byt3bl33d3r c26d993db4 Added Slinky module, pylnk in requirements 2017-05-04 19:13:11 -06:00
byt3bl33d3r 450fc19cdf Added CME-Powershell-Scripts submodule 2017-04-30 13:28:09 -06:00
byt3bl33d3r 3e27f30cb1 Added the RDP module to enable/disable RDP (Resolves #88) 2017-04-26 18:01:47 -06:00
byt3bl33d3r d9fb2a506a Fixes #168 and #167 2017-04-26 17:04:15 -06:00
caoimhinp 5bd238e9ae Fixed errors in on_request, options, and admin_login 2017-04-07 04:45:23 -05:00
byt3bl33d3r 57d5d7ca13 Y'all better be ready for this, initial 4.0 release
- Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
- Added the gpp_autologin module
- Added a workaround for the current impacket smb server bug in
get_keystrokes
- fixed formatting in the SMB database navigator
- fixed an error where DC would have there dc attribute overwritten
- Other stuff that i don't remember
2017-04-06 22:34:30 -06:00
byt3bl33d3r 602b7e13f0 Re-added most of the SMB protocol functionality
- Added new module gpp_decrypt
- Cleaned up the SMB spider as much as possible
- --wmi now uses pywerview
- Re-added the http protocol
2017-04-05 09:07:00 -06:00
byt3bl33d3r cae5ffb6ce Various fixes 2017-04-03 09:25:05 -06:00
byt3bl33d3r 5dc7c4ae62 Fixed logic errors when adding users and groups to the database
- Added debug logging to core db functions
- Fixed logging output
- Updated modules to use the new API
2017-03-29 18:03:04 -06:00
byt3bl33d3r 751f209cd7 Initial 4.0 pre-release 2017-03-27 15:09:36 -06:00
byt3bl33d3r 8e6cc4e899 DB schema for the smb protocol is now final!
- added two more attributes to use in modules:opsec_safe and multiple_hosts

- renamed db function names

- Added the python_injector module and it's necessary files as a reminder
2016-12-20 00:23:40 -07:00
byt3bl33d3r 9fefd167b0 Initial commit for v4.0
Just fyi for anyone reading this, it's not even close to being
finished.

The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.

Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished
2016-12-15 00:28:00 -07:00
byt3bl33d3r b1e8322704 changed var names in token_rider module 2016-09-26 13:47:36 -06:00
byt3bl33d3r 3d50982bfa fixed powerview module again 2016-09-22 22:30:01 -06:00
byt3bl33d3r b6e8690757 fixed powerview module 2016-09-22 22:27:31 -06:00
byt3bl33d3r 07872985d7 This commit addresses a number of issues including #130 and #126 2016-09-21 13:40:59 -06:00
byt3bl33d3r db056d1ab4 Initial implementation of module chaining
Oook, this commit is basicallu just so I can start tracking (and
testing) all of the changes made so far:

- All execution methods are now completely fileless, all output and/or batch
  files get outputted/hosted locally on a SMB server that gets spun up on runtime

- Module structure has been modified for module chaining

- Module chaining implementation is currently very hacky, I definitly
  have to figure out something more elegant but for now it
  works. Module chaining is performed via the -MC flag and has it's own
  mini syntax (will be adding it to the wiki)

- You can now specify credential ID ranges using the -id flag
- Added the eventvwr_bypass and rundll32_exec modules
- Renamed a lot of the modules for naming consistency

TODO:

- Launchers/Payloads need to be escaped before being generated when
  module chaining

- Add check for modules 'required_server' attribute
- Finish modifying the functions in the Connection object so they return
  the results
2016-09-12 00:52:50 -06:00
byt3bl33d3r 6f2596902c Implemented @mattifestation's AMSI bypass and multiple bugfixes
- @mattifestation's AMSI bypass now gets called before executing
  powershell commands or scripts

- Squashed some bugs related to account bruteforcing, enumerating users
  and creating/deleting the UseLogonCredential reg key
2016-08-06 10:28:16 -06:00
byt3bl33d3r 9af1ab56cf Added the mimikittenz module
- Removed the mem_scraper module since the new mimikittenz module should
  replace its functionalitu

- Fixed newline in enum_chrome output
- Version Bump
2016-08-01 02:23:17 -06:00
byt3bl33d3r 74f746592a Initial commit of the enum_chrome module (resolves half of #112)
The modyle uses Mimikatz's new DPAPI Chrome module to decrypt saved
chrome credentials

Additionally a new version of Invoke-Mimikatz.ps1 script has been added
that contains the latest Mimikatz binaries and a patch for it to work
when injected
(https://github.com/PowerShellMafia/PowerSploit/issues/147)
2016-06-29 00:53:41 -06:00
byt3bl33d3r d44d927372 Initial commit for the mem_scraper and powerview modules 2016-06-17 20:31:31 -06:00
byt3bl33d3r 6056ce83db Initial commit for the powerview and memscraper modules
The powerview module will replace all of the get_net* modules
Memscraper module stil has a bug which i'm working on
2016-06-17 01:34:38 -06:00
byt3bl33d3r 58edfe18f3 Code cleanup of the execute method in the Connection class in
connection.py

Additionally, since the smbexec execution method seems to be detected by
a number of AV HIPS'es, i've switched the default execution method order
to:
1. wmiexec
2. atexec
3. smbexec

Furthermore, the method argument in the execute function now accepts a
list of exec methods.
2016-06-14 18:58:19 -06:00
byt3bl33d3r 7b0b06af39 Fixed log creation in tokens.py module 2016-06-14 17:49:20 -06:00
byt3bl33d3r db223b583a Some code cleanup, bug fixes and re-added the config file
* For some reason the config file got lost in between version bumps, re-added it
* Improved the logic in first_run.py, it will now autodetect missing files and will copy/generate them accordinglu
* Code cleanup in cmedb.py and bug fixes in crackmapexec.py
2016-06-08 21:44:45 -06:00
byt3bl33d3r 23d8a6517f Refactoring for packiging is now complete! 2016-06-04 01:13:38 -06:00
byt3bl33d3r 68a908562a Second round of refactoring for packaging 2016-06-03 23:42:26 -06:00