This commit introduces failover command execution

If a command or module fails to run using a certain execution method
(e.g wmiexec) it will automatically try another one.

This behavior can be overrided by using the --exec-method flag

Author: byt3bl33d3r

core/connection.py

@@ -1,3 +1,4 @@
+from traceback import format_exc
 from core.helpers import highlight
 from core.execmethods.mssqlexec import MSSQLEXEC
 from core.execmethods.wmiexec import WMIEXEC
@@ -211,17 +212,42 @@ def execute(self, payload, get_output=False, method=None):
 
         elif not self.args.mssql:
 
-            if not method:
-                method = self.args.exec_method
-
-            if method == 'wmiexec':
-                exec_method = WMIEXEC(self.host, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
-
-            elif method == 'smbexec':
-                exec_method = SMBEXEC(self.host, self.args.smb_port, self.username, self.password, self.domain, self.hash, self.args.share)
-
-            elif method == 'atexec':
-                exec_method = TSCH_EXEC(self.host, self.username, self.password, self.domain, self.hash) #self.args.share)
+            if not method and not self.args.exec_method:
+                try:
+                    exec_method = WMIEXEC(self.host, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
+                except:
+                    if self.args.verbose:
+                        self.logger.debug('Error executing command via wmiexec, traceback:')
+                        self.logger.debug(format_exc())
+
+                    try:
+                        exec_method = SMBEXEC(self.host, self.args.smb_port, self.username, self.password, self.domain, self.hash, self.args.share)
+                    except:
+                        if self.args.verbose:
+                            self.logger.debug('Error executing command via smbexec, traceback:')
+                            self.logger.debug(format_exc())
+
+                        try:
+                            exec_method = TSCH_EXEC(self.host, self.username, self.password, self.domain, self.hash) #self.args.share)
+                        except:
+                            if self.args.verbose:
+                                self.logger.debug('Error executing command via atexec, traceback:')
+                                self.logger.debug(format_exc())
+                            return
+
+            elif method or self.args.exec_method:
+
+                if not method:
+                    method = self.args.exec_method
+
+                if method == 'wmiexec':
+                    exec_method = WMIEXEC(self.host, self.username, self.password, self.domain, self.conn, self.hash, self.args.share)
+
+                elif method == 'smbexec':
+                    exec_method = SMBEXEC(self.host, self.args.smb_port, self.username, self.password, self.domain, self.hash, self.args.share)
+
+                elif method == 'atexec':
+                    exec_method = TSCH_EXEC(self.host, self.username, self.password, self.domain, self.hash) #self.args.share)
 
         if self.cmeserver:
             if hasattr(self.cmeserver.server.module, 'on_request') or hasattr(self.cmeserver.server.module, 'on_response'):

core/connector.py

@@ -127,7 +127,7 @@ def connector(target, args, db, module, context, cmeserver):
                         if args.pscommand:
                             output = connection.execute(create_ps_command(args.pscommand), get_output=get_output, method=args.exec_method)
 
-                        logger.success('Executed command via {}'.format(args.exec_method))
+                        logger.success('Executed command {}'.format('via {}'.format(args.exec_method) if args.exec_method else ''))
                         buf = StringIO(output).readlines()
                         for line in buf:
                             logger.highlight(line.strip())

core/execmethods/atexec.py

@@ -1,5 +1,3 @@
-import traceback
-
 from impacket.dcerpc.v5 import tsch, transport
 from impacket.dcerpc.v5.dtypes import NULL
 from core.helpers import gen_random_string
@@ -38,11 +36,8 @@ def __init__(self, target, username, password, domain, hashes=None):
 
     def execute(self, command, output=False):
         self.__retOutput = output
-        try:
-            self.doStuff(command)
-            return self.__outputBuffer
-        except Exception as e:
-            traceback.print_exc()
+        self.doStuff(command)
+        return self.__outputBuffer
 
     def doStuff(self, command):
 
@@ -113,33 +108,28 @@ def output_callback(data):
 
         #logging.info("Task XML: {}".format(xml))
         taskCreated = False
-        try:
-            #logging.info('Creating task \\%s' % tmpName)
-            tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
-            taskCreated = True
-
-            #logging.info('Running task \\%s' % tmpName)
-            tsch.hSchRpcRun(dce, '\\%s' % tmpName)
-
-            done = False
-            while not done:
-                #logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
-                resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
-                if resp['pLastRuntime']['wYear'] != 0:
-                    done = True
-                else:
-                    sleep(2)
-
-            #logging.info('Deleting task \\%s' % tmpName)
+        #logging.info('Creating task \\%s' % tmpName)
+        tsch.hSchRpcRegisterTask(dce, '\\%s' % tmpName, xml, tsch.TASK_CREATE, NULL, tsch.TASK_LOGON_NONE)
+        taskCreated = True
+
+        #logging.info('Running task \\%s' % tmpName)
+        tsch.hSchRpcRun(dce, '\\%s' % tmpName)
+
+        done = False
+        while not done:
+            #logging.debug('Calling SchRpcGetLastRunInfo for \\%s' % tmpName)
+            resp = tsch.hSchRpcGetLastRunInfo(dce, '\\%s' % tmpName)
+            if resp['pLastRuntime']['wYear'] != 0:
+                done = True
+            else:
+                sleep(2)
+
+        #logging.info('Deleting task \\%s' % tmpName)
+        tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
+        taskCreated = False
+
+        if taskCreated is True:
             tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
-            taskCreated = False
-        except tsch.DCERPCSessionError, e:
-            traceback.print_exc()
-            e.get_packet().dump()
-
-        finally:
-            if taskCreated is True:
-                tsch.hSchRpcDelete(dce, '\\%s' % tmpName)
 
         peer = ':'.join(map(str, self.__rpctransport.get_socket().getpeername()))
         #self.__logger.success('Executed command via ATEXEC')

core/execmethods/smbexec.py

@@ -1,5 +1,3 @@
-import traceback
-
 from gevent import sleep
 from impacket.dcerpc.v5 import transport, scmr
 from impacket.smbconnection import *
@@ -58,11 +56,7 @@ def __init__(self, host, protocol, username = '', password = '', domain = '', ha
         #rpctransport.set_kerberos(self.__doKerberos)
 
         self.__scmr = self.__rpctransport.get_dce_rpc()
-        try:
-            self.__scmr.connect()
-        except Exception as e:
-            traceback.print_exc()
-
+        self.__scmr.connect()
         s = self.__rpctransport.get_smb_connection()
         # We don't wanna deal with timeouts from now on.
         s.setTimeout(100000)
@@ -73,17 +67,14 @@ def __init__(self, host, protocol, username = '', password = '', domain = '', ha
         self.transferClient = self.__rpctransport.get_smb_connection()
 
     def execute(self, command, output=False):
-            self.__retOutput = output
-            try:
-                if self.__retOutput:
-                    self.cd('')
-
-                self.execute_remote(command)
-                self.finish()
-                return self.__outputBuffer
-            except Exception as e:
-                traceback.print_exc()
+        self.__retOutput = output
+        if self.__retOutput:
+            self.cd('')
 
+        self.execute_remote(command)
+        self.finish()
+        return self.__outputBuffer
+            
     def cd(self, s):
         self.execute_remote('cd ' )
 

core/execmethods/wmiexec.py

@@ -1,5 +1,4 @@
 import ntpath
-import traceback
 
 from gevent import sleep
 from core.helpers import gen_random_string
@@ -45,19 +44,14 @@ def __init__(self, target, username, password, domain, smbconnection, hashes=Non
 
     def execute(self, command, output=False):
         self.__retOutput = output
-        try:
-            if self.__retOutput:
-                self.__smbconnection.setTimeout(100000)
-                self.cd('\\')
+        if self.__retOutput:
+            self.__smbconnection.setTimeout(100000)
+            self.cd('\\')
 
-            self.execute_remote(command)
-            self.__dcom.disconnect()
-            return self.__outputBuffer
-        except Exception as e:
-            traceback.print_exc()
-            self.__dcom.disconnect()
+        self.execute_remote(command)
+        self.__dcom.disconnect()
+        return self.__outputBuffer
 
-        
     def cd(self, s):
         self.execute_remote('cd ' + s)
         if len(self.__outputBuffer.strip('\r\n')) > 0:

crackmapexec.py

@@ -107,7 +107,7 @@
 sgroup.add_argument("--depth", type=int, default=10, help='Spider recursion depth (default: 10)')
 
 cgroup = parser.add_argument_group("Command Execution", "Options for executing commands")
-cgroup.add_argument('--exec-method', choices={"wmiexec", "smbexec", "atexec"}, default="wmiexec", help="Method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
+cgroup.add_argument('--exec-method', choices={"wmiexec", "smbexec", "atexec"}, default=None, help="Method to execute the command. Ignored if in MSSQL mode (default: wmiexec)")
 cgroup.add_argument('--force-ps32', action='store_true', help='Force the PowerShell command to run in a 32-bit process')
 cgroup.add_argument('--no-output', action='store_true', dest='no_output', help='Do not retrieve command output')
 cgroup.add_argument("-x", metavar="COMMAND", dest='command', help="Execute the specified command")