Add the scanner/smb/impacket/wmiexec module #10106

Merged
merged 1 commit into rapid7:master on Jun 5, 2018

zeroSteiner commented May 27, 2018

This adds Impacket's wmiexec as an external module. The basic options were kept and carried over to the module version. The different settings are noted in the markdown documentation. This information was carried over from the original tool. The primary advantage of this module is the support for SMBv3.

This uses the same _msf_impacket.py library introduced for the dcomexec module added in PR #9816.

Verification

List the steps needed to make sure this thing works

  • Install Impacket v0.9.17 from GitHub. The impacket package must be
    in Python's module path, so import impacket works from any directory.
  • Install pycrypto v2.7 (the experimental release). Impacket requires
    this specific version.
  • Start msfconsole
  • Do: use auxiliary/scanner/smb/impacket/wmiexec
  • Set: COMMAND, RHOSTS, SMBUser, SMBPass
  • Do: run, see the command result (if OUTPUT is enabled)
  • Do: info -d, see the module documentation and ensure it makes sense

Example Output

metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > show options 

Module options (auxiliary/scanner/smb/impacket/wmiexec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   COMMAND    ipconfig         yes       The command to execute
   OUTPUT     true             yes       Get the output of the executed command
   RHOSTS     192.168.90.11    yes       The target address range or CIDR identifier
   SMBDomain  .                no        The Windows domain to use for authentication
   SMBPass    wakawaka         yes       The password for the specified username
   SMBUser    spencer          yes       The username to authenticate as
   THREADS    1                yes       The number of concurrent threads

metasploit-framework (S:0 J:1) auxiliary(scanner/smb/impacket/wmiexec) > run

[*] [2018.04.04-17:10:47] Running for 192.168.90.11...
[*] [2018.04.04-17:10:47] 192.168.90.11 - SMBv3.0 dialect used
[*] [2018.04.04-17:10:47] 192.168.90.11 - Target system is 192.168.90.11 and isFDQN is False
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: \\\\WINDOWS8VM[\\PIPE\\atsvc]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: Windows8VM[49154]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: 10.0.3.15[49154]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding: 192.168.90.11[49154]
[*] [2018.04.04-17:10:47] 192.168.90.11 - StringBinding chosen: ncacn_ip_tcp:192.168.90.11[49154]
[*] [2018.04.04-17:10:49] 
Windows IP Configuration


Ethernet adapter Ethernet 5:

   Connection-specific DNS Suffix  . : foo.lan
   Link-local IPv6 Address . . . . . : fe80::9ceb:820e:7c6b:def9%17
   IPv4 Address. . . . . . . . . . . : 10.0.3.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.3.2

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Ethernet adapter Ethernet 3:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

Ethernet adapter Ethernet 4:

   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 192.168.90.11
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 

Tunnel adapter isatap.foo.lan:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : foo.lan

Tunnel adapter isatap.{70FE2ED7-E141-40A9-9CAF-E8556F6A4E80}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 

[*] [2018.04.04-17:10:49] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

@jrobles-r7 jrobles-r7 merged commit 9fab231 into rapid7:master Jun 5, 2018

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

jrobles-r7 added a commit that referenced this pull request Jun 5, 2018

msjenkins-r7 added a commit that referenced this pull request Jun 5, 2018

jrobles-r7 commented Jun 5, 2018

Release Notes

The auxiliary/scanner/smb/impacket/wmiexec module performs command execution on a target system through WMI. Output of the executed command can be retrieved by setting the OUTPUT argument to true.

@jrobles-r7 jrobles-r7 self-assigned this Jun 5, 2018
