Merge pull request #1 from FortyNorthSecurity/RemovePS

Started removing PS
RedSiege · May 25, 2021 · 86176a5 · 86176a5
2 parents 0c6f032 + 9bad71c
commit 86176a5
Show file tree

Hide file tree

Showing 14 changed files with 574 additions and 570 deletions.
diff --git a/CIMplant/CIMplant.csproj b/CIMplant/CIMplant.csproj
@@ -67,6 +67,7 @@
   <ItemGroup>
     <Compile Include="Commander.cs" />
     <Compile Include="Connector.cs" />
+    <Compile Include="EnvelopeSize.cs" />
     <Compile Include="ExceptionLogging.cs" />
     <Compile Include="ExecuteWMIwithProvider.cs" />
     <Compile Include="ExecuteCIM.cs" />
@@ -76,6 +77,7 @@
     <Compile Include="Planter.cs" />
     <Compile Include="Program.cs" />
     <Compile Include="Properties\AssemblyInfo.cs" />
+    <Compile Include="RegistryMod.cs" />
   </ItemGroup>
   <ItemGroup>
     <None Include="..\.editorconfig">

diff --git a/CIMplant/Commander.cs b/CIMplant/Commander.cs
@@ -1,5 +1,8 @@
 using System;
+using System.Collections.Generic;
 using System.Linq;
+using CommandLine;
+using CommandLine.Text;
 
 namespace CIMplant
 {
@@ -21,19 +24,19 @@ public class Commander
 
         public Commander()
         {
-            this.RegKey = Program.Options.Instance.RegistryKey;
-            this.RegSubKey = Program.Options.Instance.RegistrySubkey;
-            this.RegVal = Program.Options.Instance.RegistryValue;
-            this.Execute = Program.Options.Instance.Execute;
-            this.RegValType = Program.Options.Instance.RegistryValueType;
-            this.Service = Program.Options.Instance.Service;
-            this.ServiceBin = Program.Options.Instance.ServiceBin;
-            this.Cmdlet = Program.Options.Instance.Cmdlet;
-            this.File = Program.Options.Instance.File;
-            this.FileTo = Program.Options.Instance.FileTo;
-            this.Directory = Program.Options.Instance.Directory;
-            this.Reset = Program.Options.Instance.Reset;
-            this.Process = Program.Options.Instance.Process;
+            this.RegKey = Options.Instance.RegistryKey;
+            this.RegSubKey = Options.Instance.RegistrySubkey;
+            this.RegVal = Options.Instance.RegistryValue;
+            this.Execute = Options.Instance.Execute;
+            this.RegValType = Options.Instance.RegistryValueType;
+            this.Service = Options.Instance.Service;
+            this.ServiceBin = Options.Instance.ServiceBin;
+            this.Cmdlet = Options.Instance.Cmdlet;
+            this.File = Options.Instance.File;
+            this.FileTo = Options.Instance.FileTo;
+            this.Directory = Options.Instance.Directory;
+            this.Reset = Options.Instance.Reset;
+            this.Process = Options.Instance.Process;
             this.Method = null;
         }
 
@@ -185,5 +188,145 @@ private void ParseCommands()
                 }
             }
         }
+
+        public static readonly string[] CommandArray =
+        {
+            "cat", "copy", "download", "ls", "search", "upload", "command_exec", "process_kill", "process_start",
+            "ps", "active_users", "basic_info", "drive_list", "ifconfig", "installed_programs", "logoff", "reboot",
+            "restart", "power_off", "shutdown",
+            "vacant_system", "logon_events", "command_exec", "disable_wdigest", "enable_wdigest", "disable_winrm",
+            "enable_winrm",
+            "reg_mod", "reg_create", "reg_delete", "remote_posh", "sched_job", "service_mod"
+        };
+
+        public static void DisplayHelp<T>(ParserResult<T> result, IEnumerable<Error> errs)
+        {
+            HelpText helpText = HelpText.AutoBuild(result, h =>
+            {
+                h.AdditionalNewLineAfterOption = false;
+                h.Heading = "WMI C# Version 0.1"; //change header
+                h.Copyright = ""; //change copyright text
+                h.AutoVersion = false;
+                return HelpText.DefaultParsingErrorsHandler(result, h);
+            }, e => e);
+            Console.WriteLine(helpText);
+            System.Environment.Exit(1);
+        }
+
+        public class Options
+        {
+            public static Options Instance { get; set; }
+
+            // Command line options
+            [Option('v', "verbose", Required = false, HelpText = "Set output to verbose")]
+            public bool Verbose { get; set; }
+
+            [Option('u', "username", Required = false, HelpText = "Specify a username to use")]
+            public string Username { get; set; }
+
+            [Option('p', "password", Required = false, HelpText = "Specify a password to use", Default = null)]
+            public string Password { get; set; }
+
+            [Option('d', "domain", Required = false, HelpText = "Specify a domain", Default = "WORKGROUP")]
+            public string Domain { get; set; }
+
+            [Option('s', "system", Group = "Required", Required = true, HelpText = "Specify a system to target",
+                Default = "localhost")]
+            public string System { get; set; }
+
+            [Option('n', "namespace", Required = false, HelpText = "Specify a namespace to use",
+                Default = "root\\cimv2")]
+            public string NameSpace { get; set; }
+
+            [Option('c', "command", Group = "Command", Required = true,
+                HelpText = "Specify a command to run, run program with just '--show-commands' for a list of commands")]
+            public string Command { get; set; }
+
+            [Option('r', "reset", Group = "Command", Required = true,
+                HelpText =
+                    "Reset the DebugFilePath property back to the Windows default in the event of any execution errors")]
+            public bool Reset { get; set; }
+
+            [Option('e', "execute", Required = false,
+                HelpText =
+                    "Specify a command-line command to execute and receive the output for (use double quotes \"command\" for complex commands)")]
+            public string Execute { get; set; }
+
+            [Option('f', "file", Group = "Required", Required = true,
+                HelpText = "Specify a remote or local file to cat/download/copy/search for/execute ps1/etc.",
+                Default = null)]
+            public string File { get; set; }
+
+            [Option("cmdlet", Group = "Required", Required = true,
+                HelpText = "Specify a cmdlet to run and obtain the results for", Default = null)]
+            public string Cmdlet { get; set; }
+
+            [Option("fileto", Group = "Required", Required = true, HelpText = "Specify a name to copy the file to",
+                Default = null)]
+            public string FileTo { get; set; }
+
+            [Option("directory", Group = "Required", Required = true, HelpText = "Specify a directory to list/search",
+                Default = null)]
+            public string Directory { get; set; }
+
+            [Option("regkey", Group = "Required", Required = true,
+                HelpText =
+                    "Specify a registry key to create/delete/modify (ex: HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest)",
+                Default = null)]
+            public string RegistryKey { get; set; }
+
+            [Option("regsubkey", Group = "Required", Required = true,
+                HelpText = "Specify a registry subkey to create/delete/modify (ex: UseLogonCredential)",
+                Default = null)]
+            public string RegistrySubkey { get; set; }
+
+            [Option("regval", Group = "Required", Required = true,
+                HelpText = "Specify a registry data value to create/delete/modify (ex: \"1\" for REG_DWORD)",
+                Default = null)]
+            public string RegistryValue { get; set; }
+
+            [Option("regvaltype", Group = "Required", Required = true,
+                HelpText =
+                    "Specify a registry data type to create/delete/modify (case insensitive, ex: REG_DWORD, reg_binary, or reg_sz)",
+                Default = null)]
+            public string RegistryValueType { get; set; }
+
+            [Option("service", Group = "Required", Required = true,
+                HelpText = "Specify a service name to create/delete/start/stop", Default = null)]
+            public string Service { get; set; }
+
+            [Option("servicebin", Group = "Required", Required = true,
+                HelpText = "Specify a service binary while creating a new service", Default = null)]
+            public string ServiceBin { get; set; }
+
+            [Option("process", Group = "Required", Required = true,
+                HelpText = "Specify a process name or handle to kill or start (wildcards accepted for name)",
+                Default = null)]
+            public string Process { get; set; }
+
+            [Option("wmi", Required = false, HelpText = "Use WMI (DCOM) to connect to the remote system instead of CIM/MI (WSMan)",
+                Default = false)]
+            public bool Wmi { get; set; }
+
+            [Option("provider", Required = false, HelpText = "Use InstallUtil to register a WMI provider (Not Currently Working)",
+                Default = false)]
+            public bool Provider { get; set; }
+
+            [Option("show-commands", Group = "Command", Required = true,
+                HelpText = "Displays a list of available commands")]
+            public bool ShowCommands { get; set; }
+
+            [Option("show-examples", Group = "Command", Required = true,
+                HelpText = "Displays examples for all available commands")]
+            public bool ShowExamples { get; set; }
+
+            [Option("no-banner", Group = "Command", Required = false,
+                HelpText = "Disables that gorgeous ASCII art (probably should never use this)", Default = false)]
+            public bool NoBanner { get; set; }
+
+            [Option("test", Group = "Command", Required = false,
+                HelpText = "Tests all commands with a specified username/password/system (or against the localhost)")]
+            public bool Test { get; set; }
+        }
     }
 }
diff --git a/CIMplant/EnvelopeSize.cs b/CIMplant/EnvelopeSize.cs
@@ -0,0 +1,79 @@
+using System;
+using Microsoft.Management.Infrastructure;
+using Microsoft.Win32;
+
+namespace CIMplant
+{
+    public class EnvelopeSize
+    {
+        // Let's get the maxEnvelopeSize if it's set something other than default
+        public static string GetLocalMaxEnvelopeSize()
+        {
+            //Messenger.WarningMessage("[*] Getting the MaxEnvelopeSizeKB on the local system to reset later");
+            try
+            {
+                using (RegistryKey key = Registry.CurrentUser.OpenSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client"))
+                {
+                    return key.GetValue("maxEnvelopeSize").ToString();
+                }
+            }
+            catch (Exception e)
+            {
+                Messenger.ErrorMessage(
+                    $"[-] Error: Unable to create local runspace to change maxEnvelopeSizeKB.\n");
+                Console.WriteLine(e);
+                return "0";
+            }
+        }
+
+        public static string GetMaxEnvelopeSize(CimSession cimSession)
+        {
+            CimMethodResult result = RegistryMod.CheckRegistryCim(regMethod: "GetDWORDValue", defKey: 0x80000002,
+                regSubKey: @"SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client",
+                regSubKeyValue: "maxEnvelopeSize", cimSession);
+            if (Convert.ToUInt32(result.ReturnValue.Value.ToString()) == 0)
+            {
+                return result.OutParameters["uValue"].Value.ToString();
+            }
+
+            Console.WriteLine("Issues getting maxEnvelopeSize");
+            return "0";
+        }
+
+        public static void SetLocalMaxEnvelopeSize(int envelopeSize)
+        {
+            Messenger.WarningMessage("[*] Setting the MaxEnvelopeSizeKB on the local system to " + envelopeSize);
+
+            try
+            {
+                using (RegistryKey key =
+                    Registry.CurrentUser.CreateSubKey(@"SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client"))
+                {
+                    key.SetValue("maxEnvelopeSize", Convert.ToUInt32(envelopeSize), RegistryValueKind.DWord);
+                }
+            }
+            catch (Exception e)
+            {
+                Messenger.ErrorMessage(
+                    $"[-] Error: Unable to create local runspace to change maxEnvelopeSizeKB.\n");
+                Console.WriteLine(e);
+            }
+        }
+
+        public static void SetMaxEnvelopeSize(string envelopeSize, CimSession cimSession)
+        {
+            Messenger.WarningMessage("[*] Setting the MaxEnvelopeSizeKB on the remote system to " + envelopeSize);
+
+            CimMethodResult result = RegistryMod.SetRegistryCim(regMethod: "SetDWORDValue", defKey: 0x80000002,
+                regSubKey: @"SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client",
+                regSubKeyValue: "maxEnvelopeSize", data: envelopeSize, cimSession);
+            if (Convert.ToUInt32(result.ReturnValue.Value.ToString()) == 0)
+            {
+            }
+            else
+            {
+                Console.WriteLine("Issues setting maxEnvelopeSize");
+            }
+        }
+    }
+}