Skip to content
A standalone WMI protocol for CrackMapExec
Python
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
slides adding slides conf RTFM Feb 3, 2020
wmi Create __init__.py Nov 30, 2019
LICENSE
README.md Update README.md Feb 3, 2020
example.png
wmi.py wmi protocol v1.0 Nov 30, 2019

README.md

cme-wmi

Experimental plugin for CrackMapExec that adds a new protocol based on pure WMI : all of CrackMapExec's traffic passes via DCOM (TCP/135 and dynamic ports).

Remote WMI access must be configured on the target. No SMB services are needed. CrackMapExec's HTTP server is not used. All command output is obtained exclusively using the WMI access, through storage in the WMI repository.

Currently only tested with CrackMapExec's Mimikatz module.

Usage

cme wmi targets.txt -d <DOMAIN> -u <USER> -p <PASS> [-H <HASH>] -M mimikatz

usage

As shown, commands are sent only via DCOM (TCP/135).

Install

git clone https://github.com/byt3bl33d3r/CrackMapExec.git
git clone https://github.com/Orange-Cyberdefense/cme-wmi.git
cp -r cme-wmi/wmi CrackMapExec/cme/protocols
cp cme-wmi/wmi.py CrackMapExec/cme/protocols
sed -ri "s/supported_protocols = \[(.*)\]/supported_protocols = \[\1, 'wmi'\]/" CrackMapExec/cme/modules/mimikatz.py #adding the new 'wmi' protocol manually to the list of supported protocols of the mimikatz.py module

Rebuild CrackMapExec afterwards.

TODO

  • add --sam and --lsa options (for secrets an idea is using nishang's Get-LsaSecret as a new module instead of Invoke-Mimikatz)
  • fix loggging error that makes mimikatz fail when using options -o COMMAND (works if manually modified in the mimikatz.py)
  • add enum_host() function
  • port to Python3 ;)
You can’t perform that action at this time.