Commit Graph

280 Commits (eb3342284a5731296522ae407db35f2f2f36ac9c)

Author SHA1 Message Date
mpgn 667faa0d7b Add catch for kerberos use-kcache option 2022-11-09 16:56:57 -05:00
Julio Ureña 47a92590a6
Remove @requires_admin flag for WMI queries
Although not common, it is possible for a user to be assigned WMI privileges. Removing @requires_admin in case we do not have privileges to make queries to WMI we will receive an access denied error, which makes it clearer what is happening.
2022-11-04 07:45:47 -04:00
mpgn b2bcbe0ade Fix issue #667 with use-kcache option 2022-11-03 16:04:46 -04:00
mpgn 49d68e0269 fix error with connection outside dc 2022-11-03 15:29:56 -04:00
Julio Ureña 3eb80ae534
Modify logging output when putting files
Added \\ to match the correct display of the file and path.
2022-11-01 08:10:55 -04:00
Julio Ureña cc72c6c868
Remove @requires_admin from get_file and put_file
The @requires_admin flag prevents non-admin users who have Read and Write access to a shared folder from performing any operations.
2022-11-01 07:29:56 -04:00
mpgn a36d3145e1
Merge pull request #655 from zblurx/master
Fix kerberos authentication and add kerbrute
2022-10-31 13:34:03 +01:00
mpgn 3942eab31b update a little bit 2022-10-31 08:33:41 -04:00
mpgn fedbfaf1f5 Change default order of exec method for smb 2022-10-27 15:40:34 -04:00
mpgn 132332a8fd add new color for asreproast account smb 2022-10-24 10:02:01 -04:00
mpgn d61d6f0339 add new color for asreproast account 2022-10-24 09:59:43 -04:00
mpgn b62bd670e0 Don't block if account not green 2022-10-24 09:11:45 -04:00
mpgn 70f8d973cf add KDC_ERR_PREAUTH_FAILED error 2022-10-24 09:01:30 -04:00
mpgn 5040ab6b40 ldap try catch + magenta 2022-10-24 08:55:48 -04:00
zblurx b9699ab078 fix output modifs on smb protocol 2022-10-24 14:55:07 +02:00
zblurx 53b612d317 adapt outputed creds 2022-10-24 14:12:32 +02:00
mpgn 0a218c534f add magenta color if user exist but connection KO 2022-10-24 05:43:52 -04:00
mpgn ef349a5309 refactor check if admin func to be comptatible with kerberos 2022-10-24 05:26:53 -04:00
mpgn 0a284bd2b0 remove message CCache file is not found + fix exec method with kerberos 2022-10-22 17:29:56 -04:00
mpgn ed2b2b261a fix for kerberoast function 2022-10-22 16:38:29 -04:00
mpgn 7e0613c883 fix username to send to bh 2022-10-20 17:18:22 -04:00
mpgn 53f5791e7c Fix a lot things but good pr 2022-10-20 15:40:53 -04:00
zblurx f4485ff279 fix kerberos authentication 2022-10-20 18:08:30 +02:00
mpgn 0fc010b0d5 Fix except error 2022-10-13 08:20:22 -04:00
mpgn 105ad97947 quick fix cmedb export share 2022-09-22 18:24:27 -04:00
mpgn 65796271c0 Merge branch 'export' 2022-09-22 18:06:37 -04:00
mpgn 018bd9608a Update cmedb for shares 2022-09-22 18:05:18 -04:00
mpgn fad860df43 Update ntds dump with option user and enabled #455 2022-09-11 12:49:28 -04:00
Wlayzz b57ba767f8 Adding shebang and encoding utf-8 for all python files 2022-07-19 01:59:14 +02:00
mpgn 94a28cd184 revert back to pywerview 0.3.3 for better compatibility 2022-07-06 09:52:53 -04:00
mpgn 75e19ae4b2
Merge pull request #545 from Serizao/master
Add smbv1 and signing into sqlite database
2022-06-18 23:50:18 +02:00
mpgn 708e76d17a
Merge pull request #572 from shoxxdj/master
🚀 add support for filter user when searching for loggedon
2022-06-18 22:47:53 +02:00
mpgn 055eb25c71
Merge pull request #570 from snovvcrash/codec
Add -codec execution option
2022-06-17 22:12:54 +02:00
Gianfranco Alongi def9d4a562
Fixed instability issues for SMB (no _Connection crash, NetBIOSTimeout crash, UnsupportedFeature-crash) (#560)
* Fixed instability issues based - the smb mode will now not crash on
 SMB object not having _Connection
 NetBIOSTimeout
 UnsupportedFeature

* Forgotten return statement

* Improved logging logic

* Improved logging
2022-06-17 22:11:28 +02:00
shoxxdj d3b88088fc 🚀 add support for filter user when searching for loggedon 2022-04-27 11:04:23 +02:00
Sam Frees1de f183b6bcc1 Add -codec execution option 2022-04-26 16:58:03 +03:00
mpgn 47e6521822 Merge branch 'master' of https://github.com/byt3bl33d3r/CrackMapExec 2022-03-06 11:07:19 -05:00
TNeitzel 4dc4fd72c2 Add STATUS_NO_SUCH_FILE to success status
When the remote server returns a STATUS_NO_SUCH_FILE message, cme
interprets the login credentials as wrong. However, impackets
smbserver.py proves that this can be wrong.
2022-03-03 21:52:37 +01:00
Serizao 998b6a4f36
Update smb.py 2022-03-02 08:04:35 +01:00
Serizao 955ff4e4d3
Update smb.py 2022-03-02 08:00:26 +01:00
mpgn e15ae44c81 Push from public repo 2022-02-27 08:08:30 -05:00
mpgn b713723269 Add laps function for WinRM 2022-02-11 16:38:39 -05:00
mpgn 8d665375a8 Improve laps core functon 2022-02-10 16:36:07 -05:00
mpgn c3dec653d4 Add check for audit mode #523 2022-02-07 16:19:46 -05:00
mpgn 47dd3cdfc2 Add audit mode #523 2022-02-06 17:56:41 -05:00
HynekPetrak fdc2aadf2b sanitize IPv6 in a file name 2022-02-06 16:44:06 -05:00
mpgn 19a5896c1e Fix issue when local account is used with bh #533 2022-02-06 07:33:49 -05:00
mpgn 766ee48328 Fix kerberos ntds dump 2022-01-19 13:13:05 -05:00
mpgn d90709bd97 Fix exception 2021-12-18 15:33:46 -05:00
mpgn 66621b9014 Merger master public to sponsor version 2021-12-17 15:45:21 -05:00
brightio 2628a427d8
Fix a number of unhandled expections in cme/protocols/smb.py 2021-12-11 14:57:37 +01:00
mpgn e979dfe4f9 Add bloodhound core feature 2021-11-20 16:37:14 -05:00
mpgn b31ffc1a64 Improve laps core function 2021-11-17 07:37:20 -05:00
mpgn 0f5fe00f9e Fix ldap kerberos login 2021-11-01 14:27:14 -04:00
mpgn 23b0ff2a0c Add parameter to laps option 2021-10-17 14:41:20 -04:00
mpgn fcddee656e Update laps core function 2021-10-17 11:50:29 -04:00
mpgn ef1e5d3fb1 Add laps option to smb proto first version 2021-10-16 18:08:07 -04:00
mpgn 0000854b82 Remove filess method 2021-09-21 11:21:40 -04:00
mpgn 2942be1188 Add timeout to smb connection to 2 sec by default, much much better 2021-09-21 11:21:16 -04:00
mpgn fdf6cd31db
Merge pull request #2 from mpgn/dev3
Push dev branch to master
2021-09-18 23:04:16 +02:00
mpgn 53a51a02f2 Fix #464 thanks Wil 2021-09-18 22:44:48 +02:00
mpgn a31d03a99a Fix #486 with ntds dump thx @b13bs 2021-09-18 22:44:48 +02:00
mpgn c3516fe9d5 Merge branch 'master' of https://github.com/Porchetta-Industries/CrackMapExec 2021-06-28 13:25:31 -04:00
mpgn 091915b990 Fix and add a lot, check commit message
Update LDAP proto:
	- can fetch a LDAP domain from an account from another domain (trust relation between forest)
	- fix sizeLimit to unlimited on LDAP queries
	- fix little mistake in LDAP modules

Update SMB proto:
	- fix users function when DC is vulnerable to NULL SESSION
	- add SAMRPC function to fetch users on the domain
	- add option --computers to fetch all computers

Update CLI
	- add function export, but it's not tested
2021-06-24 14:38:24 -04:00
mpgn 215c479957 Fix spelling mistake 2021-05-30 16:28:37 -04:00
mpgn 3ade69abed
Fix missing try catch on --shares option
Thx to @0xdf report !
2021-04-02 19:25:06 +02:00
mpgn d2f0b66ae4 Add option --amsi-bypass allowing you to pass a custom amsi bypass when using option -X 2021-02-28 09:48:50 -05:00
mpgn ba91408c74 Fix smb error not correctly catched 2021-01-29 11:30:05 -05:00
mpgn b2a53dc896 Better null session handle 2021-01-29 05:53:40 -05:00
mpgn d53343369b Fix function name sessions option 2021-01-27 05:49:23 -05:00
mpgn 7210bc1eae Add better error management for --shares 2020-12-09 17:12:58 -05:00
byt3bl33d3r cb5c8855ed Version 5.1.3 🔥
- Replaced Gevent with AsyncIO
- Shares are now logged in the database and can be queried
- You can now press enter while a scan is being performed and CME will
  give you a completion percentage and the number of hosts remaining to
  scan
2020-11-15 16:42:28 -07:00
mpgn 8785f5d3f4
option --ntds doesn't require to be admin anymore check #408 2020-08-12 17:27:53 +02:00
mpgn ce8094045d Add more compatibility for windows exe
- decrease winrm timeout to 3 seconds so @IppSec 's videos
 tlast less time :)
 -- add ico to cme exe
 -- add option smb-server-port to make cme compatible with windows
2020-07-30 15:14:31 +02:00
mpgn 56f1f9dd93 Login return False only if NT_STATUS_LOGON_FAILURE 2020-06-21 15:21:07 -04:00
mpgn 280d497b0d Add conditional check on the func login()
- modules, options will no longer be loaded if authentication fails
- add some try catch and fix some problem with the debug on the passpolicy class
2020-06-20 18:16:37 -04:00
mpgn 8f2ef3fdaf Add color when smb status is not ACCESS_DENIED #391 2020-06-20 13:20:27 -04:00
mpgn e5d1942251 Add kerberoasting and asrepoast attack with LDAP protocol 2020-06-19 09:20:22 -04:00
mpgn b796000343 Fix issue #321 option --continue-on-success 2020-05-09 09:36:31 -04:00
mpgn 3e1fa0f258 Fix local-auth authentication 2020-05-09 08:20:53 -04:00
mpgn b778306cc1 Always print FQDN 2020-05-05 12:13:32 -04:00
mpgn 3b57fb0869 Add checkifadmin() for Kerberos auth #22 2020-05-05 12:11:18 -04:00
mpgn 1820cc1ffb Show FQDN instead of domain name 2020-05-04 15:30:56 -04:00
mpgn 622245dcfa Add support kerberos aesKey and kdcHost #22 add lssasy module kerberos support
add error when not credential foud on lsassy module #368
2020-05-04 13:23:41 -04:00
mpgn 1308bc30c8 Adding Kerberos support for CME #22
TODO
- aeskey
- dc-ip
- checkifadmin()
2020-05-03 14:30:41 -04:00
mpgn 74792ce712 Add option --no-bruteforce allowing credentials spraying without bruteforce
cme accept user file and password file and works like this:
user1 -> pass1
      -> pass2
user2 -> pass1
      -> pass2

Option --no-bruteforce works like this
user1 -> pass1
user2 -> pass2
2020-04-30 10:06:57 -04:00
mpgn e9a5841731 Fix typo on put-file function 2020-04-28 12:28:25 -04:00
mpgn f84035fa7a Add function get-file and put-file 2020-04-28 12:22:30 -04:00
mpgn ba04528738 Add feature: file as argument for -x and -X command #269 2020-04-27 16:38:30 -04:00
sw ed8c91ab60 changed comparison operators that generate syntax warnings 2020-04-20 03:22:03 +03:00
byt3bl33d3r 7bb0e4e4e6
Merge pull request #300 from hantwister/patch-1
Fix false positive signing disabled with SMB2/3
2020-04-19 14:36:59 -03:00
byt3bl33d3r 498f3fc197
Merge pull request #327 from noraj/patch-1
lsa secrets: dump file extension
2020-04-19 14:32:48 -03:00
Alexandre ZANNI 18634423f3
lsa secrets: dump file extension
The logger tell you LSA secrets are dump in a file named xxx.lsa

```
SMB        x.x.x.x 445    FRSCWP0001       [+] Dumped 22 LSA secrets to /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.lsa and /home/noraj/.cme/logs/host_x.x.x.x_2019-12-19_095552.cached
```

But in reality they are logged in xxx.screts.

So just fixing the extension showed by the  logger.
2019-12-19 10:12:17 +01:00
mpgn 73ab379acc Migrate function to python3
* --shares -> OK
* --sessions -> OK
* --disks -> OK
* --loggedon-users -> OK
* --users -> Not tested
* --rid-brute -> OK
* --groups -> Not tested
* --local-groups -> OK
* --pass-pol -> OK
2019-11-11 05:06:39 -05:00
mpgn a29cf6760c update python3 2019-11-10 18:39:00 -05:00
mpgn c3c4b3192d start python3 migration 2019-11-10 22:42:04 +01:00
root 12443285e9 Fix SMB encode 2019-07-13 17:52:00 +02:00
root e435a4f87b Fix SMB encode 2019-07-13 17:50:24 +02:00
Harrison Neal 85e4de988b
Fix false positive signing disabled with SMB2/3
Currently, the SMBConnection.isSigningRequired and SMB3.is_signing_required methods in Impacket reflect the state of the session as opposed to the state of the connection.  When using CME with the --gen-relay-list option, the login method would encounter an exception near the end, and would reset the session state.  Afterwards, the connection state correctly showed that signing was required, but the session state claimed the opposite.  The latter contributed to many false positives in the --gen-relay-list output file.  This is a hackish change that addressed the issue for me.
2019-03-26 15:45:02 -04:00
Korey McKinley 7034ab66d0
Flag to allow continuation while password spraying
Adds --continue-on-success flag when spraying passwords using smb. Allows for continuing of password spraying even after valid password is found. (Useful when password spraying with userlist.)

Usage example:
cme smb ipaddress -u users.txt -p password --continue-on-success

In response to:
https://github.com/byt3bl33d3r/CrackMapExec/issues/245
https://github.com/byt3bl33d3r/CrackMapExec/issues/247
2018-05-26 19:44:24 -06:00
byt3bl33d3r f3465ef008 Fixed up @aj-cgtech changes 2018-03-01 12:36:17 -07:00
byt3bl33d3r 5fd4aa716c Merge branch 'usersfix' of https://github.com/aj-cgtech/CrackMapExec into aj-cgtech-usersfix 2018-03-01 11:57:33 -07:00
Markus Krell 8dd4e95fe7 fixes debug output error if exec method fails 2018-02-23 14:55:05 +01:00
aj-cgtech fffc24ae46 Having worked out how the protocol object is created. Created config
object once, and set as an attr on each protocol.
More elegant, and allows for further config options in the future.
2018-02-23 10:13:46 +00:00
aj-cgtech b6a7028999 Typo, not l33t. 2018-02-22 21:18:31 +00:00
aj-cgtech 7e2a267328 Merging "Pwn3d!" label changes.
Fixes issue #236

Adds the ability to change the (Pwned!) label on CME output.

By default, nothing changes, but if required, to keep suits happy, you
can change the output of CME by adding a property to ~/.cme/cme.conf, in
the [CME] section, property "pwn3d_label".

eg:
[CME]
workspace = default
last_used_db = smb
pwn3d_label = Woot!
2018-02-22 20:24:03 +00:00
aj-cgtech 6ee852387c Pwn3d label parameterised in config file. 2018-02-22 13:03:07 +00:00
aj-cgtech 8bba4b46f6 Changes to users() and groups()
users() was failing on a bad attribute, changed code to use getattr
instead. If attribute is missing, it no longer throws exception.

extraction of domain from distinguished name was not working in all
circumstances. FOO.COM would work, but FOO.CO.UK or even FOO.BAR.CO.UK
would extract CO incorrectly. function now extracts fully qualified
domain, which then gets shortened by db_add_user() function.
2018-02-20 12:57:23 +00:00
byt3bl33d3r 2b00a795da Fixed Powershell execution using MSSQL 2017-10-25 00:45:58 -06:00
byt3bl33d3r 211e78314d Merge branch 'master' of github.com:byt3bl33d3r/CrackMapExec 2017-10-24 21:30:21 -06:00
byt3bl33d3r e74b0a7efc Fixes #204 2017-10-24 21:30:14 -06:00
byt3bl33d3r e80c911378 Merge pull request #181 from martindube/fix_for_smb_fr
Replacing characters when they cannot be converted (UTF-8)
2017-10-24 21:14:30 -06:00
byt3bl33d3r 1603ac4819 Added WINRM support, NMap XML and .Nessus parsing
- Added the WINRM protocol, CME now supports executing commands through WinRM (Powershell Remoting)
- Added support for NMap XML and .Nessus files if given as targets
- Fixed a bug in the MSSQL protocol which caused it to not retrieve host info
- Version Bump
2017-10-24 20:08:19 -06:00
byt3bl33d3r 0b936def23 Takes care of issue #190 and #191, initial SSH protocol implementation
- Passing --ntds will automatically use the drsuapi method (DCSync)
- Initial implementation of the SSH protocol and the mimipenguin module
  (This is very much still not finished, lots of stuff missing)

- Added check to make sure existing config file is in the 4.x format
- Added splinter and paramiko to dep requirements
- Updated Impacket to latest commit
- HTTP protocol now also returns server version in output
2017-07-09 23:44:58 -06:00
byt3bl33d3r 7149b24524 Plugged in the Powershell obfuscation functionality
- Two new flags can be added to protocols that use powershell that can
clear cached obfuscated powershell scripts and obfuscate them if
powershell is installed
2017-06-26 03:49:04 -06:00
byt3bl33d3r d3a50afbfc Removed warning if powershell is not installed 2017-06-26 01:19:04 -06:00
byt3bl33d3r 11280c4ab0 Updated submodules, initial implementation of powershell script &
launcher obfuscation

- All powershell scripts are now obfuscated if powershell for linux is
installed using Invoke-Obfuscation

- All PS launchers are obfuscated using GreatSCT's python implementation
of launcher obfuscation (for now)
2017-06-26 01:03:43 -06:00
byt3bl33d3r f4dfddc89b Fixes #182 2017-06-23 12:15:09 -06:00
Martin Dubé 5eb275b55e Replacing characters when they cannot be converted (UTF-8) 2017-06-13 14:59:18 -04:00
byt3bl33d3r e795197501 Added support for both SMBv1 and SMBv3 connections
- Host info output now shows if SMBv1 is supported
2017-05-14 22:44:49 -06:00
byt3bl33d3r ee36665516 Fixed MSSQL protocol, refactored HTTP Protocol
- Fixed error in MSSQL protocol which would cause it to error out when
executing commands
- Fixed logic to deal with standard MSSQL auth instead of windows auth
- Refactored the HTTP protocol
2017-05-02 18:52:16 -06:00
byt3bl33d3r f0752f61b7 Re-wrote the HTTP protocol to use splinter and phantomjs
- All http connections are now concurrent
- Added a flag to take screenshots of webpages
- Minor Code cleanup
2017-04-30 12:54:35 -06:00
byt3bl33d3r e98f798eb3 Forcing the SMB dialect to SMBv1 since it gives us prettier OS banners 2017-04-10 02:58:33 -06:00
byt3bl33d3r fc147ddac0 Fixed content spidering and password policy enumeration
- Added enumeration for password complexity (resolves #135)
2017-04-10 01:24:23 -06:00
byt3bl33d3r 57d5d7ca13 Y'all better be ready for this, initial 4.0 release
- Fixed an edge case in gpp_decrypt.py also renamed to gpp_password
- Added the gpp_autologin module
- Added a workaround for the current impacket smb server bug in
get_keystrokes
- fixed formatting in the SMB database navigator
- fixed an error where DC would have there dc attribute overwritten
- Other stuff that i don't remember
2017-04-06 22:34:30 -06:00
byt3bl33d3r 602b7e13f0 Re-added most of the SMB protocol functionality
- Added new module gpp_decrypt
- Cleaned up the SMB spider as much as possible
- --wmi now uses pywerview
- Re-added the http protocol
2017-04-05 09:07:00 -06:00
byt3bl33d3r 5dc7c4ae62 Fixed logic errors when adding users and groups to the database
- Added debug logging to core db functions
- Fixed logging output
- Updated modules to use the new API
2017-03-29 18:03:04 -06:00
byt3bl33d3r 751f209cd7 Initial 4.0 pre-release 2017-03-27 15:09:36 -06:00
byt3bl33d3r 8e6cc4e899 DB schema for the smb protocol is now final!
- added two more attributes to use in modules:opsec_safe and multiple_hosts

- renamed db function names

- Added the python_injector module and it's necessary files as a reminder
2016-12-20 00:23:40 -07:00
byt3bl33d3r 9fefd167b0 Initial commit for v4.0
Just fyi for anyone reading this, it's not even close to being
finished.

The amount of changes are pretty insane, this commit is to serve as a
refrence point for myself.

Highlights for v4.0:
- The whole codebase has been re-written from scratch
- Codebase has been cut around 2/4
- Protocols are now modular! In theory we could use CME for everything
- Module chaining has been removed for now, still trying to figure out a
more elegant solution
- Workspaces have implemented in cmedb
- The smb protocol's database schema has been changed to support storing users,
groups and computers with their respective memberships and relations.
- I'm in the process of re-writing most of the modules, will re-add them
once i've finished
2016-12-15 00:28:00 -07:00