Update LDAP proto:
- can fetch a LDAP domain from an account from another domain (trust relation between forest)
- fix sizeLimit to unlimited on LDAP queries
- fix little mistake in LDAP modules
Update SMB proto:
- fix users function when DC is vulnerable to NULL SESSION
- add SAMRPC function to fetch users on the domain
- add option --computers to fetch all computers
Update CLI
- add function export, but it's not tested
- Replaced Gevent with AsyncIO
- Shares are now logged in the database and can be queried
- You can now press enter while a scan is being performed and CME will
give you a completion percentage and the number of hosts remaining to
scan
- Got rid of netaddr in favor of built in ipaddress module
- cme/cmedb binaries are now built with shiv
- Removed http protocol as it was basically useless and added another
dependency
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
(This is very much still not finished, lots of stuff missing)
- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
- Modules now do not print output of commands called from their protocol
- Added the enum_avproducts module
- Fixed the mimikatz_enum_vault_creds to not display creds with invalid
passwords
- Added an export command to the SMB protocols DB navigator (as
suggested by @hatredshapedlikeaman)
- Misc output fixes
- Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
- Added the gpp_autologin module
- Added a workaround for the current impacket smb server bug in
get_keystrokes
- fixed formatting in the SMB database navigator
- fixed an error where DC would have there dc attribute overwritten
- Other stuff that i don't remember
- added two more attributes to use in modules:opsec_safe and multiple_hosts
- renamed db function names
- Added the python_injector module and it's necessary files as a reminder
Just fyi for anyone reading this, it's not even close to being
finished.
The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.
Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished
Oook, this commit is basicallu just so I can start tracking (and
testing) all of the changes made so far:
- All execution methods are now completely fileless, all output and/or batch
files get outputted/hosted locally on a SMB server that gets spun up on runtime
- Module structure has been modified for module chaining
- Module chaining implementation is currently very hacky, I definitly
have to figure out something more elegant but for now it
works. Module chaining is performed via the -MC flag and has it's own
mini syntax (will be adding it to the wiki)
- You can now specify credential ID ranges using the -id flag
- Added the eventvwr_bypass and rundll32_exec modules
- Renamed a lot of the modules for naming consistency
TODO:
- Launchers/Payloads need to be escaped before being generated when
module chaining
- Add check for modules 'required_server' attribute
- Finish modifying the functions in the Connection object so they return
the results
- @mattifestation's AMSI bypass now gets called before executing
powershell commands or scripts
- Squashed some bugs related to account bruteforcing, enumerating users
and creating/deleting the UseLogonCredential reg key
- Removed the mem_scraper module since the new mimikittenz module should
replace its functionalitu
- Fixed newline in enum_chrome output
- Version Bump
The modyle uses Mimikatz's new DPAPI Chrome module to decrypt saved
chrome credentials
Additionally a new version of Invoke-Mimikatz.ps1 script has been added
that contains the latest Mimikatz binaries and a patch for it to work
when injected
(https://github.com/PowerShellMafia/PowerSploit/issues/147)
connection.py
Additionally, since the smbexec execution method seems to be detected by
a number of AV HIPS'es, i've switched the default execution method order
to:
1. wmiexec
2. atexec
3. smbexec
Furthermore, the method argument in the execute function now accepts a
list of exec methods.
* For some reason the config file got lost in between version bumps, re-added it
* Improved the logic in first_run.py, it will now autodetect missing files and will copy/generate them accordinglu
* Code cleanup in cmedb.py and bug fixes in crackmapexec.py