wmiexec2.0 is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well known signatures from various AV engines. It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.
wmiexec2.0 is the same wmiexec that everyone knows and loves.
This 2.0 version is obfuscated to avoid well known signatures from various AV engines.
It also has a handful of additional built in modules to help automate some common tasks on Red team engagements.
This script is under active development and will improve with time.
If you find an issue or want a specific module throw me a PR.
Enjoy
Installation
Do notwget this file with GitHubs Raw feature, it will break the Ghost emoji. Git clone the repo and it will all work.
git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt
Modules
Tested on:
#Windows Server 2022 Updated Febuary Defender Sigs
All modules working, no module flags
#Windows 10 Pro Defender Virus + Spyware Definition Version: 1.381.3595.0 2/14/2023
All modules working, no module flags
#Windows 10 Pro Kaspersky Standard App Version 21.8.5.452, Definitions 2/15/23
All modules working, no module flags
#Windows 8 Defender Virus and Spyware Definition Version: 1.383.35.0 2/15/2023
All modules working, no module flags
#Windows 7 Pro Defender Antispyware Definitions: v1.95.191.0 11/18/2010
Reg module not working, no module flags
Help
To view the help and available modules:
C:\>help
Connection
You can still connect to the remote machine the exact same way.
You can specify whether you want a powershell shell or a cmd shell by adding the flag --shell-type powershell or --shell-type cmd
lput {src_file} {dst_file} upload local file to remote machine path
lget {file} download remote file to your local machine
! {cmd} execute local system command --> !ls lists your current directory on your local machine
Additional modules
Everything else from here and below is additional features added into wmiexec to make it wmiexec2.0
cat - just to make this more unix friendly simply uses type on the remote machine to view a file....just an alias you can use
ls || ls C:\Users - allows you to view your current target directory. Its executing the dir /a command so you will see hidden files by default without any other special options
View some well known security products running on the target system.
Enumerates the process list to see if they are running.
๐ป PS C:\> av
MsMpEng.exe
Defender
Check specific Defender settings
๐ป PS C:\> defender
[*] Defender Install Location
InstallLocation REG_SZ C:\Program Files\Windows Defender\
[*] Defender Service is Running
[*] Defender Process Exclusions
No Process Exclusions
[*] Defender Path Exclusions
[*] Tamper Protection is Disabled
VMcheck
Attempts to detect if you are in a virtual machine (So far works for ESXi/VMWare Workstation and QEMU)
Performs three checks
Looks for C:\Program Files\VMWare
Looks for common running executables in a proccess list
Pulls the System Manufactuer from host
๐ป PS C:\> vmcheck
[*] Common Processes:
[*] No VM Processes found
C:\Program Files\VMware Not Present
OS Manufacturer: Microsoft Corporation
System Manufacturer: QEMU
[*] Virtual Box Detection
[!] Found VBox Files:
File Not Found
File Not Found
unattend
There are 11 files (that I know of) part of the unattend group in Windows that have the potential to have base64 encoded credentials in them. Find them all in one command
๐ป PS C:\> unattend
[*] Looking for: C:\unattend.txt, C:\unattend.inf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features
TamperProtection REG_DWORD 0x1
End of search: 1 match(es) found.
[*] Looking for: C:\Windows\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\sysprep\sysprep.xml, C:\Windows\sysprep\sysprep.inf
Nothing Found
[*] Looking for: C:\Windows\Panther\Unattended.xml, C:\Windows\Panther\Unattend.xml
06/12/2024 04:33 PM 24,206 unattend.xml
[*] Looking for: C:\Windows\Panther\Unattend\Unattend.xml, C:\Windows\Panther\Unattend\Unattended.xml
Nothing Found
[*] Looking for: C:\Windows\System32\Sysprep\unattend.xml, C:\Windows\System32\Sysprep\unattended.xml
Nothing Found
Regrip
Save off the SAM, Security and System hives to your local machines. Defender blocks this by default, so I had to find a bypass working as of 6/7/24. Try to not get this signatured, thanks in advance.
Tunneling
Leverage Windows built in netsh tunneling without having to type the whole thing out
Input your own custom commands into survey.conf file seperated by a new line, or use the basic one that I have provided
There are two options with this module:
run module with survey which will print out the command you ran plus the output of that command
Or run with survey savethis will return none of the commands to stdout, but will save all commands run and their output into survey.txt located in your local pwd.
survey save
to run the survey module and save the output to your local station (No stdout)
๐ป PS C:\> survey save
[*] Saving all output from survey to survey.txt in your local pwd
[*] Starting Survey
[*] Survey Completed
๐ป PS C:\> !ls
av.py debug.log __pycache__ README.md remoteshell.py requirements.txt Security.evtx survey.conf survey.txt wmiexec2.py
๐ป PS C:\> !head survey.txt
[*] hostname
DOCKERW-VG85334
[*] whoami
dockerw-vg85334\administrator
[*] whoami /priv
PRIVILEGES INFORMATION
----------------------
๐ป PS C:\>
python3 wmiexec2.py Administrator:'abc123!!!'@172.17.0.2 -shell-type powershell
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[-] Can't find a valid stringBinding to connect
This is usually caused when a target system is NAT'ed in some way. A target behind a router, a cloud VPS, or a docker container are three good examples that will cause this error.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent