• This repository has been archived on 04/Apr/2023
  • Stars
    star
    265
  • Rank 154,577 (Top 4 %)
  • Language
    Python
  • Created about 3 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Modify version of impacket wmiexec.py, get output(data,response) from registry, don't need SMB connection, also bypassing antivirus-software in lateral movement like WMIHACKER.

β›” [DEPRECATED] Active at https://github.com/XiaoliChan/wmiexec-Pro

wmiexec-RegOut

Modify version of impacket wmiexec.py,wmipersist.py. Got output(data,response) from registry, don't need SMB connection, but I'm in the bad code :(

Table of content

Specially Thanks to:

Overview

In original wmiexec.py, it get response from smb connection (port 445,139). Unfortunately, some antivirus software are monitoring these ports as high risk.
In this case, I drop smb connection function and use others method to execute command.

  • wmiexec-reg-sch-UnderNT6-wip.py: Executed command by using win32-scheduledjob class. According to xiangshan, win32-scheduledjob class only works under windows NT6 (windows-server 2003).
    BTW, win32_scheduledjob has been disabled by default after windows NT6. Here is the way how to enable it.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration 
Name: EnableAt 
Type: REG_DWORD
Value: 1
  • wmipersist-wip.py (Highly recommend, !!!only works on impacket v0.9.24!!!): A Python version of WMIHACKER, which I picked the vbs template from it. Attacker can use it to do lateral movement safety under antivirus-software running.

  • wmiexec-regOut.py: Just a simple Win32_Process.create method example .

How it works?

  • wmiexec-wip.py workflow:

    Step 1:

    • WMIC authenticated remotly

    Step 2:

    • Use win32process class and call create method to execute command. Then, write down the result into C:\windows\temp directory named [uuid].txt

    Step 3:

    • Encode the file content to base64 strings (need to wait a few seconds)

    Step 4:

    • Add the converted base64 string into registry, and key name call [uuid]

    Step 5:

    • Get the base64 strings remotly and decode it locally.
  • wmipersist-wip.py workflow:

    Step 1:

    • Add custom vbs script into ActiveScriptEventConsumer class.

    Step 2:

    • Creating an Event Filter.

    Step 3:

    • Trigger FilterToConsumerBinding class to PWNED!

Requirements

Generally, you just need to install official impacket.

Usage

  • wmiexec-wip.py usage:

    With cleartext password

    python3 wmiexec-reg.py administrator:[email protected] 'whoami'

    image

    With NTLM hashes

    python3 wmiexec-reg.py -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 [email protected] 'whoami'

    image

  • wmipersist-wip.py usage (Default is no output):

    With cleartext password (without output)

    python3 wmipersist-wip.py administrator:[email protected] 'command'

    image

    With NTLM hashes

    python3 wmipersist-wip.py -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 [email protected] 'whoami'

    image

    With output

    python3 wmipersist-wip.py administrator:[email protected] "whoami /priv" -with-output
    python3 wmipersist-wip.py [email protected] "whoami /priv" -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 -with-output

    image image

    Under Huorong antivirus-software (Using WMIHACKER VBS template!!!) 2ef86c8d934dc45498478aa9aedd91c

Cheatsheet

  • Do not forget to clean up temp directory after run command with out put.
    Command: del /q /f /s C:\windows\temp\*
    image

  • Command include double quotes.
    Make double quotes inside single quotes wevtutil cl '"security"'
    image

Todo

  • New version of wmi toolkit, Comming sonn :)

References