Updated execution methods and user enumeration for better

non-standard smb port support

- Fixed bug where current path was included in command output when using
  the smbexec exec method

- Batch file name generation is now randomized on every command executed
  rather than on object initialization

Author: byt3bl33d3r

cme/enum/users.py

@@ -19,20 +19,18 @@
 from impacket.nt_errors import STATUS_MORE_ENTRIES
 from impacket.dcerpc.v5 import transport, samr
 from impacket.dcerpc.v5.rpcrt import DCERPCException
+from impacket.smb import SMB_DIALECT
 
 class ListUsersException(Exception):
     pass
 
 class SAMRDump:
-    KNOWN_PROTOCOLS = {
-        '139/SMB': (r'ncacn_np:%s[\pipe\samr]', 139),
-        '445/SMB': (r'ncacn_np:%s[\pipe\samr]', 445),
-        }
 
-    def __init__(self, logger, protocol, connection):
+    def __init__(self, logger, protocol, connection, port=445):
 
         self.__username = connection.username
         self.__addr = connection.host
+        self.__port = port
         self.__password = connection.password
         self.__domain = connection.domain
         self.__hash = connection.hash
@@ -51,19 +49,26 @@ def __init__(self, logger, protocol, connection):
 
     def enum(self):
         """Dumps the list of users and shares registered present at
-        addr. Addr is a valid host name or IP address.
+        remoteName. remoteName is a valid host name or IP address.
         """
 
-        logging.info('Retrieving endpoint list from %s' % self.__addr)
-
-        # Try all requested protocols until one works.
         entries = []
 
-        protodef = SAMRDump.KNOWN_PROTOCOLS['{}/SMB'.format(self.__protocol)]
-        port = protodef[1]
+        logging.info('Retrieving endpoint list from %s' % self.__addr)
 
-        logging.info("Trying protocol %s..." % self.__protocol)
-        rpctransport = transport.SMBTransport(self.__addr, port, r'\samr', self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash, self.__aesKey, doKerberos = self.__doKerberos)
+        stringbinding = 'ncacn_np:%s[\pipe\samr]' % self.__addr
+        logging.debug('StringBinding %s'%stringbinding)
+        rpctransport = transport.DCERPCTransportFactory(stringbinding)
+        rpctransport.set_dport(self.__port)
+        #rpctransport.setRemoteHost(self.__addr)
+
+        if hasattr(rpctransport,'preferred_dialect'):
+            rpctransport.preferred_dialect(SMB_DIALECT)
+        if hasattr(rpctransport, 'set_credentials'):
+            # This method exists only for selected protocol sequences.
+            rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash,
+                                         self.__nthash)# self.__aesKey)
+        #rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
 
         try:
             entries = self.__fetchList(rpctransport)

cme/execmethods/smbexec.py

@@ -1,25 +1,24 @@
+import logging
 from gevent import sleep
 from impacket.dcerpc.v5 import transport, scmr
 from impacket.smbconnection import *
+from impacket.smb import SMB_DIALECT
 from cme.helpers import gen_random_string
 
 class SMBEXEC:
-    KNOWN_PROTOCOLS = {
-        '139/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 139),
-        '445/SMB': (r'ncacn_np:%s[\pipe\svcctl]', 445),
-        }
 
-    def __init__(self, host, protocol, username = '', password = '', domain = '', hashes = None, share = None):
+    def __init__(self, host, protocol, username = '', password = '', domain = '', hashes = None, share = None, port=445):
         self.__host = host
+        self.__port = port
         self.__username = username
         self.__password = password
         self.__serviceName = gen_random_string()
         self.__domain = domain
         self.__lmhash = ''
         self.__nthash = ''
         self.__share = share
-        self.__output = '\\Windows\\Temp\\' + gen_random_string() 
-        self.__batchFile = '%TEMP%\\' + gen_random_string() + '.bat'
+        self.__output = None
+        self.__batchFile = None
         self.__outputBuffer = ''
         self.__shell = '%COMSPEC% /Q /c '
         self.__retOutput = False
@@ -40,20 +39,17 @@ def __init__(self, host, protocol, username = '', password = '', domain = '', ha
         if self.__password is None:
             self.__password = ''
 
-        protodef = SMBEXEC.KNOWN_PROTOCOLS['{}/SMB'.format(protocol)]
-        port = protodef[1]
-
-        stringbinding = protodef[0] % self.__host
-
+        stringbinding = 'ncacn_np:%s[\pipe\svcctl]' % self.__host
+        logging.debug('StringBinding %s'%stringbinding)
         self.__rpctransport = transport.DCERPCTransportFactory(stringbinding)
-        self.__rpctransport.set_dport(port)
-
+        self.__rpctransport.set_dport(self.__port)
+        #self.__rpctransport.setRemoteHost(self.__host)
         if hasattr(self.__rpctransport,'preferred_dialect'):
             self.__rpctransport.preferred_dialect(SMB_DIALECT)
         if hasattr(self.__rpctransport, 'set_credentials'):
             # This method exists only for selected protocol sequences.
             self.__rpctransport.set_credentials(self.__username, self.__password, self.__domain, self.__lmhash, self.__nthash)
-        #rpctransport.set_kerberos(self.__doKerberos)
+        #rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
 
         self.__scmr = self.__rpctransport.get_dce_rpc()
         self.__scmr.connect()
@@ -76,7 +72,10 @@ def execute(self, command, output=False):
         return self.__outputBuffer
 
     def cd(self, s):
+        ret_state = self.__retOutput
+        self.__retOutput = False
         self.execute_remote('cd ' )
+        self.__retOutput = ret_state
 
     def get_output(self):
 
@@ -96,13 +95,18 @@ def output_callback(data):
                 sleep(2)
 
     def execute_remote(self, data):
+        self.__output = '\\Windows\\Temp\\' + gen_random_string() 
+        self.__batchFile = '%TEMP%\\' + gen_random_string() + '.bat'
+
         if self.__retOutput:
             command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' 2^>^&1 > ' + self.__batchFile + ' & ' + self.__shell + self.__batchFile 
         else:
             command = self.__shell + 'echo ' + data + ' 2^>^&1 > ' + self.__batchFile + ' & ' + self.__shell + self.__batchFile 
 
         command += ' & ' + 'del ' + self.__batchFile 
 
+        logging.debug('Executing command: ' + command)
+
         resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command)
         service = resp['lpServiceHandle']
 

cme/execmethods/wmiexec.py

@@ -1,4 +1,4 @@
-import ntpath
+import ntpath, logging
 
 from gevent import sleep
 from cme.helpers import gen_random_string
@@ -16,7 +16,7 @@ def __init__(self, target, username, password, domain, smbconnection, hashes=Non
         self.__nthash = ''
         self.__share = share
         self.__smbconnection = smbconnection
-        self.__output = '\\' + gen_random_string(6)
+        self.__output = None
         self.__outputBuffer = ''
         self.__shell = 'cmd.exe /Q /c '
         self.__pwd = 'C:\\'
@@ -61,13 +61,16 @@ def cd(self, s):
             self.__pwd = ntpath.normpath(ntpath.join(self.__pwd, s))
             self.execute_remote('cd ')
             self.__pwd = self.__outputBuffer.strip('\r\n')
-            self.prompt = self.__pwd + '>'
             self.__outputBuffer = ''
 
     def execute_remote(self, data):
+        self.__output = '\\Windows\\Temp\\' + gen_random_string(6)
+
         command = self.__shell + data 
         if self.__retOutput:
             command += ' 1> ' + '\\\\127.0.0.1\\%s' % self.__share + self.__output  + ' 2>&1'
+
+        logging.debug('Executing command: ' + command)
         self.__win32Process.Create(command, self.__pwd, None)
         self.get_output()