Update LDAP proto:
- can fetch an LDAP domain from an account from another domain (trust relation between forests)
- fix sizeLimit to unlimited on LDAP queries
- fix little mistake in LDAP modules
Update SMB proto:
- fix users function when DC is vulnerable to NULL SESSION
- add SAMRPC function to fetch users on the domain
- add option --computers to fetch all computers
Update CLI
- add function export, but it's not tested
- Replaced Gevent with AsyncIO
- Shares are now logged in the database and can be queried
- You can now press enter while a scan is being performed and CME will
give you a completion percentage and the number of hosts remaining to
scan
Before this commit, file objects for the username, password or NTLM hash
files were all shared between target jobs for different hosts. This
could cause numerous different errors in password or hash spraying jobs
with multiple targets. Sometimes some lines in input files were skipped
for some targets, and sometimes CME even ended up in an infinite loop
due to seeking in a file that is currently also being iterated on.
There have been attempts to fix some of these errors with file.seek(0)
in some places, such as with d13042f637.
This almost works because of the BoundedSemaphore sem that effectively
keeps CME attacks single-threaded. However, there were still corner
cases with shared file object accesses not protected by the semaphore.
To fix this in a reliable way, this commit shifts the responsibility of
open()ing a file object to every job instead of globally at the start.
While this does mean that the application will open the same files a
bunch of times, it also ensures correctness in regard to concurrency.
This should also allow relaxing the semaphore in the future in case no
global or username limit across all targets is required.
cme accepts a user file and a password file and works like this:
user1 -> pass1
      -> pass2
user2 -> pass1
      -> pass2
Option --no-bruteforce works like this:
user1 -> pass1
user2 -> pass2
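The two commit messages above describe behaviour rather than show it. The following is an added example, not CME's own code, that models both points in plain Python: the pre-fix bug where one shared file object is iterated by every target job (so lines are skipped per target), the fix where each job open()s its own file object, and the default versus --no-bruteforce pairing order. The word lists, the target names and the round-robin interleaving that stands in for concurrent I/O are all constructed for the example.

```python
"""Per-job word-list handling and credential pairing (added example)."""
import itertools
import tempfile
from pathlib import Path

# Constructed sample word lists; nothing here comes from a real engagement.
USERS = ["user1", "user2"]
PASSWORDS = ["pass1", "pass2"]
# Constructed placeholder names standing in for the hosts each job runs against.
TARGETS = ["host-a", "host-b"]


def write_wordlists(directory):
    """Write the constructed USERS/PASSWORDS lists to files under `directory`."""
    user_path = Path(directory) / "users.txt"
    pass_path = Path(directory) / "passwords.txt"
    user_path.write_text("\n".join(USERS) + "\n")
    pass_path.write_text("\n".join(PASSWORDS) + "\n")
    return user_path, pass_path


def read_lines(path):
    """open() the file inside the job and read it fully: no handle is shared."""
    with open(path) as fh:
        return [line.rstrip("\n") for line in fh if line.strip()]


def credential_pairs(user_path, pass_path, no_bruteforce=False):
    """Return (user, password) pairs in the order the commit message describes.

    Default: every user is tried against every password (cartesian product).
    --no-bruteforce: the n-th user is paired only with the n-th password (zip).
    """
    users = read_lines(user_path)
    passwords = read_lines(pass_path)
    if no_bruteforce:
        return list(zip(users, passwords))
    return list(itertools.product(users, passwords))


def shared_handle_reads(targets, path):
    """Model the pre-fix bug: one file object is opened once and every target's
    job pulls lines from it. Round-robin consumption stands in for the
    interleaved I/O of concurrent jobs: each target only sees the lines the
    others did not consume first, so input lines are skipped per target."""
    seen = {target: [] for target in targets}
    with open(path) as fh:
        for target in itertools.cycle(targets):
            line = fh.readline()
            if not line:  # EOF, reached by whichever job happened to get there
                break
            seen[target].append(line.rstrip("\n"))
    return seen


def per_job_reads(targets, path):
    """Model the fix: each job open()s its own file object, so every target
    sees every line regardless of how the jobs are scheduled."""
    return {target: read_lines(path) for target in targets}


def demo():
    """Run both behaviours against the constructed lists and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        user_path, pass_path = write_wordlists(tmp)
        return {
            "bruteforce": credential_pairs(user_path, pass_path),
            "no_bruteforce": credential_pairs(user_path, pass_path, no_bruteforce=True),
            "shared": shared_handle_reads(TARGETS, user_path),
            "per_job": per_job_reads(TARGETS, user_path),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

With two targets and two users, the shared handle hands `user1` to one target and `user2` to the other, which is exactly the "some lines were skipped for some targets" symptom; the per-job version gives both targets the full list. The pairing functions show why `--no-bruteforce` produces two attempts here instead of four.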
- Added the WINRM protocol, CME now supports executing commands through WinRM (PowerShell Remoting)
- Added support for Nmap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
(This is very much still not finished, lots of stuff missing)
- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
- Fixed error in MSSQL protocol which would cause it to error out when
executing commands
- Fixed logic to deal with standard MSSQL auth instead of windows auth
- Refactored the HTTP protocol
Just FYI for anyone reading this, it's not even close to being
finished.
The amount of changes is pretty insane, this commit is to serve as a
reference point for myself.
Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have been implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once I've finished