wmiexec-RegOut

Modify version of impacket wmiexec.py,wmipersist.py. Got output(data,response) from registry, don't need SMB connection, but I'm in the bad code :(

Table of content

• Overview
• Requirements
• Usage
• Todo
• References

Specially Thanks to:

• @rootclay, wechat: _xiangshan

Overview

In original wmiexec.py, it get response from smb connection (port 445,139). Unfortunately, some antivirus software monitoring these ports as high risk.
In this case, I drop smb connection function and use others method to execute command.

• wmiexec-reg-sch-UnderNT6-wip.py: Executed command by using win32-scheduledjob class. According to xiangshan, win32-scheduledjob class only works under windows NT6 (windows-server 2003).
  BTW, win32_scheduledjob has been disabled by default after windows NT6. Here is the way how to enable it.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Configuration 
Name: EnableAt 
Type: REG_DWORD
Value: 1

• wmipersist-wip.py (Recommend, !!!only works on linux platform!!!): A Python version of WMIHACKER, which I picked the vbs template from it. Attacker can use it to do lateral movement safety under antivirus-software running.

• wmiexec-regOut.py: Just a simple Win32_Process.create method example .

How it works?

• wmiexec-wip.py workflow:

  Step 1:

  • WMIC authenticated remotly

  Step 2:

  • Use win32process class and call create method to execute command. Then, write down the result into C:\windows\temp directory named [uuid].txt

  Step 3:

  • Encode the file content to base64 strings (need to wait a few seconds)

  Step 4:

  • Add the converted base64 string into registry, and key name call [uuid]

  Step 5:

  • Get the base64 strings remotly and decode it locally.

• wmipersist-wip.py workflow:

  Step 1:

  • Add custom vbs script into ActiveScriptEventConsumer class.

  Step 2:

  • Creating an Event Filter.

  Step 3:

  • Trigger FilterToConsumerBinding class to PWNED!

Requirements

Generally, you just need to install official impacket.

• Portal

Usage

• wmiexec-wip.py usage:

  With cleartext password

  python3 wmiexec-reg.py administrator:[email protected] 'whoami'

  

  With NTLM hashes

  python3 wmiexec-reg.py -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 [email protected] 'whoami'

  

• wmipersist-wip.py usage (Default is no output):

  With cleartext password (without output)

  python3 wmipersist-wip.py administrator:[email protected] 'command'

  

  With NTLM hashes

  python3 wmipersist-wip.py -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 [email protected] 'whoami'

  

  With output

  python3 wmipersist-wip.py administrator:[email protected] "whoami /priv" -with-output
  python3 wmipersist-wip.py [email protected] "whoami /priv" -hashes e91d2eafde47de62c6c49a012b3a6af1:e91d2eafde47de62c6c49a012b3a6af1 -with-output

  

  Under Huorong antivirus-software (Using WMIHACKER VBS template!!!)

Todo

• Optimize code (In bad code now.)
• Add more functions

References

• https://github.com/SecureAuthCorp/impacket/blob/master/examples/wmiexec.py
• https://github.com/360-Linton-Lab/WMIHACKER
• https://github.com/FortyNorthSecurity/WMIOps
• https://docs.microsoft.com/en-us/windows/win32/cimwin32prov/operating-system-classes