From d0c97ddad1638974431bf72cdb546594a5c26b28 Mon Sep 17 00:00:00 2001
From: OscarAkaElvis
Date: Mon, 30 Sep 2019 23:57:34 +0200
Subject: [PATCH 01/19] Updated changelog with v1.7 stuff
---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f1a6319..2b91888 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+### 1.7
+ - Added x64 compatibility to use Donut payloads
+
 ### 1.6
 - Added SSL and certificates support
 - Upload/download messages improved
From 4e783f5185ae704eaa42d5f24d81b00377887f5c Mon Sep 17 00:00:00 2001
From: jarilaos
Date: Wed, 2 Oct 2019 01:29:09 +0200
Subject: [PATCH 02/19] Add pass-the-hash
---
 evil-winrm.rb | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/evil-winrm.rb b/evil-winrm.rb
index 69b7633..aa1e86a 100755
--- a/evil-winrm.rb
+++ b/evil-winrm.rb
@@ -68,6 +68,13 @@ def arguments()
 opts.on("-U", "--url URL", "Remote url endpoint (default /wsman)") { |val| options[:url] = val }
 opts.on("-u", "--user USER", "Username (required)") { |val| options[:user] = val }
 opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
+ opts.on("-H", "--hash HASH", "NTLM hash") do |val|
+ if !val.match /^[a-fA-F0-9]{32}$/
+ puts("Invalid hash format")
+ custom_exit(0, false)
+ end
+ options[:password] = "00000000000000000000000000000000:"+val
+ end
 opts.on("-P", "--port PORT", "Remote host port (default 5985)") { |val| options[:port] = val }
 opts.on("-V", "--version", "Show version") do |val|
 puts("v" + VERSION)
From 78b2da9d259278a25cf2962c11072c7acba06a1d Mon Sep 17 00:00:00 2001
From: jarilaos
Date: Wed, 2 Oct 2019 01:33:04 +0200
Subject: [PATCH 03/19] Update usage
---
 evil-winrm.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/evil-winrm.rb b/evil-winrm.rb
index aa1e86a..f1b5b68 100755
--- a/evil-winrm.rb
+++ b/evil-winrm.rb
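Review bot: The validation in the new `-H` handler anchors with `^`/`$`, which Ruby treats as line anchors, so a value made of 32 hex digits followed by a newline and further text passes the check and the whole string is spliced into `options[:password]`; anchor the whole string instead, `if !val.match(/\A[a-fA-F0-9]{32}\z/)`, which also removes the "ambiguous first argument" warning Ruby emits for the paren-less `val.match /…/` (`match?` would be tidier but needs Ruby 2.4, while the README states 2.3 or higher). The same regex line is carried unchanged through patches 08, 09, 10, 11 and 16 of this series. The enclosing `arguments()` method starts before and continues past this hunk.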
@@ -55,7 +55,7 @@ class EvilWinRM
 def arguments()
 options = { port:$port, url:$url }
 optparse = OptionParser.new do |opts|
- opts.banner = "Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]"
+ opts.banner = "Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]"
 opts.on("-S", "--ssl", "Enable ssl") do |val|
 $ssl = true
 options[:port] = "5986"
From 4edf3fc70e82fdfb124e15f9e714bae2b721b0e2 Mon Sep 17 00:00:00 2001
From: jarilaos <32414258+jarilaos@users.noreply.github.com>
Date: Wed, 2 Oct 2019 01:35:21 +0200
Subject: [PATCH 04/19] Update readme
---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 847e05a..38f133b 100644
--- a/README.md
+++ b/README.md
@@ -27,12 +27,13 @@ purposes by system administrators as well but the most of its features are focus
 - Load x64 payloads generated with awesome [donut] technique
 - Colorization on output messages (can be disabled optionally)
 - SSL and certificates support
+ - Pass-the-hash support
 ## Help
 ```
-Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]
- -S, --ssl Enable SSL
+Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]
+ -S, --ssl Enable ssl
 -c, --pub-key PUBLIC_KEY_PATH Local path to public key certificate
 -k, --priv-key PRIVATE_KEY_PATH Local path to private key certificate
 -s, --scripts PS_SCRIPTS_PATH Powershell scripts local path
@@ -41,6 +42,7 @@ Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p P -U, --url URL Remote url endpoint (default /wsman) -u, --user USER Username (required) -p, --password PASS Password + -H, --hash HASH NTLM hash -P, --port PORT Remote host port (default 5985) -V, --version Show version -h, --help Display this help message From 394f3021a80a7e7764736615b3bb42d6cd8bd742 Mon Sep 17 00:00:00 2001 From: OscarAkaElvis Date: Wed, 2 Oct 2019 08:20:19 +0200 Subject: [PATCH 05/19] Preparing 1.8 version number --- README.md | 2 +- evil-winrm.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 38f133b..94da18d 100644 --- a/README.md +++ b/README.md @@ -161,7 +161,7 @@ Use it at your own servers and/or with the server owner's permission. [WinRb]: https://github.com/WinRb/WinRM/graphs/contributors [TheWover]: https://github.com/TheWover -[Version-shield]: https://img.shields.io/badge/version-1.7-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version" +[Version-shield]: https://img.shields.io/badge/version-1.8-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version" [Ruby2.3-shield]: https://img.shields.io/badge/ruby-2.3%2B-blue.svg?style=flat-square&colorA=273133&colorB=ff0000 "Ruby 2.3 or later" [License-shield]: https://img.shields.io/badge/license-LGPL%20v3%2B-blue.svg?style=flat-square&colorA=273133&colorB=bd0000 "LGPL v3+" [Gem-Version]: https://badge.fury.io/rb/evil-winrm.svg "Ruby gem" diff --git a/evil-winrm.rb b/evil-winrm.rb index f1b5b68..e00ebc5 100755 --- a/evil-winrm.rb +++ b/evil-winrm.rb @@ -17,7 +17,7 @@ # Constants # Version -VERSION = '1.7' +VERSION = '1.8' # Msg types TYPE_INFO = 0 From c3cae8caf1ec824e1b13fbf9bc5aafce52e0370f Mon Sep 17 00:00:00 2001 From: OscarAkaElvis Date: Wed, 2 Oct 2019 08:26:11 +0200 Subject: [PATCH 06/19] Added pass-the-hash feature to changelog --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index 2b91888..86e80bd 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +### 1.8 + - Added pass-the-hash feature + ### 1.7 - Added x64 compatibility to use Donut payloads From eb4f488a44b82dbe2136e273a5c54f08c1698b34 Mon Sep 17 00:00:00 2001 From: OscarAkaElvis Date: Wed, 2 Oct 2019 08:31:07 +0200 Subject: [PATCH 07/19] Updated Readme, minor changes --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 94da18d..a8473ca 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,7 @@ Hat tip to: - [WinRb] All contributors of ruby library. - [TheWover] for his awesome donut tool. - [byt3bl33d3r] for his python library to create donut payloads. + - [Sh11td0wn] for inspiration about new features. ## Disclaimer & License This script is licensed under LGPLv3+. Direct link to [License](LICENSE). @@ -160,6 +161,7 @@ Use it at your own servers and/or with the server owner's permission. [byt3bl33d3r]: https://twitter.com/byt3bl33d3r [WinRb]: https://github.com/WinRb/WinRM/graphs/contributors [TheWover]: https://github.com/TheWover +[Sh11td0wn]: https://github.com/Sh11td0wn [Version-shield]: https://img.shields.io/badge/version-1.8-blue.svg?style=flat-square&colorA=273133&colorB=0093ee "Latest version" [Ruby2.3-shield]: https://img.shields.io/badge/ruby-2.3%2B-blue.svg?style=flat-square&colorA=273133&colorB=ff0000 "Ruby 2.3 or later" From 3d105bbb07adc4f8002970fc6a414a5981266272 Mon Sep 17 00:00:00 2001 From: OscarAkaElvis Date: Wed, 2 Oct 2019 08:39:01 +0200 Subject: [PATCH 08/19] Fixed exit code in pth feature --- evil-winrm.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/evil-winrm.rb b/evil-winrm.rb index e00ebc5..5f81315 100755 --- a/evil-winrm.rb +++ b/evil-winrm.rb 
@@ -68,24 +68,24 @@ def arguments()
 opts.on("-U", "--url URL", "Remote url endpoint (default /wsman)") { |val| options[:url] = val }
 opts.on("-u", "--user USER", "Username (required)") { |val| options[:user] = val }
 opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
- opts.on("-H", "--hash HASH", "NTLM hash") do |val|
+ opts.on("-H", "--hash HASH", "NTLM hash") do |val|
 if !val.match /^[a-fA-F0-9]{32}$/
 puts("Invalid hash format")
- custom_exit(0, false)
+ self.custom_exit(1)
 end
- options[:password] = "00000000000000000000000000000000:"+val
+ options[:password] = "00000000000000000000000000000000:" + val
 end
 opts.on("-P", "--port PORT", "Remote host port (default 5985)") { |val| options[:port] = val }
 opts.on("-V", "--version", "Show version") do |val|
 puts("v" + VERSION)
- custom_exit(0, false)
+ self.custom_exit(0, false)
 end
 opts.on('-h', '--help', 'Display this help message') do
 puts()
 self.print_message("Evil-WinRM shell v" + VERSION, TYPE_INFO, false)
 puts(opts)
 puts()
- custom_exit(0, false)
+ self.custom_exit(0, false)
 end
 end
From 16741ebb864b9796d8c565debaed549bb0160689 Mon Sep 17 00:00:00 2001
From: OscarAkaElvis
Date: Wed, 2 Oct 2019 08:49:10 +0200
Subject: [PATCH 09/19] Added print_header function. Modified invalid hash error message.
---
 evil-winrm.rb | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/evil-winrm.rb b/evil-winrm.rb
index 5f81315..98fde11 100755
--- a/evil-winrm.rb
+++ b/evil-winrm.rb
@@ -69,9 +69,10 @@ def arguments()
 opts.on("-u", "--user USER", "Username (required)") { |val| options[:user] = val }
 opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
 opts.on("-H", "--hash HASH", "NTLM hash") do |val|
+ self.print_header()
 if !val.match /^[a-fA-F0-9]{32}$/
- puts("Invalid hash format")
- self.custom_exit(1)
+ self.print_message("Invalid hash format", TYPE_ERROR)
+ self.custom_exit(1, false)
 end
 options[:password] = "00000000000000000000000000000000:" + val
 end
@@ -81,8 +82,7 @@ def arguments()
 self.custom_exit(0, false)
 end
 opts.on('-h', '--help', 'Display this help message') do
- puts()
- self.print_message("Evil-WinRM shell v" + VERSION, TYPE_INFO, false)
+ self.print_header()
 puts(opts)
 puts()
 self.custom_exit(0, false)
@@ -97,8 +97,7 @@ def arguments()
 raise OptionParser::MissingArgument.new(missing.join(', '))
 end
 rescue OptionParser::InvalidOption, OptionParser::MissingArgument
- puts()
- self.print_message("Evil-WinRM shell v" + VERSION, TYPE_INFO, false)
+ self.print_header()
 self.print_message($!.to_s, TYPE_ERROR)
 puts(optparse)
 puts()
@@ -119,6 +118,12 @@ def arguments()
 $priv_key = options[:priv_key]
 end
+ # Print script header
+ def print_header()
+ puts()
+ self.print_message("Evil-WinRM shell v" + VERSION, TYPE_INFO, false)
+ end
+
 # Generate connection object
 def connection_initialization()
 if $ssl then
@@ -284,8 +289,7 @@ def main
 self.arguments()
 self.connection_initialization()
 file_manager = WinRM::FS::FileManager.new($conn)
- puts()
- self.print_message("Starting Evil-WinRM shell v" + VERSION, TYPE_INFO)
+ self.print_header()
 if !$ssl and ($pub_key or $priv_key) then
 self.print_message("Useless cert/s provided, SSL is not enabled", TYPE_WARNING)
From f34dbf76dcafec400130856b02e2db6cef361496 Mon Sep 17 00:00:00 2001
From: OscarAkaElvis
Date: Wed, 2 Oct 2019 09:52:48 +0200
Subject: [PATCH 10/19] Added password and hash validation
---
 evil-winrm.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/evil-winrm.rb b/evil-winrm.rb
index 98fde11..712b5ff 100755
--- a/evil-winrm.rb
+++ b/evil-winrm.rb
@@ -70,6 +70,10 @@ def arguments()
 opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
 opts.on("-H", "--hash HASH", "NTLM hash") do |val|
 self.print_header()
+ if options[:password] != nil and val != nil
+ self.print_message("You must choose either password or hash auth. Both at the same time are not allowed", TYPE_ERROR)
+ self.custom_exit(1, false)
+ end
 if !val.match /^[a-fA-F0-9]{32}$/
 self.print_message("Invalid hash format", TYPE_ERROR)
 self.custom_exit(1, false)
From 7533fca6a4ff478e36d5c48d9ce0aaa45c766cd2 Mon Sep 17 00:00:00 2001
From: OscarAkaElvis
Date: Sun, 13 Oct 2019 11:55:57 +0200
Subject: [PATCH 11/19] Fix header printed twice for pth auth
---
 evil-winrm.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/evil-winrm.rb b/evil-winrm.rb
index 712b5ff..7276abf 100755
--- a/evil-winrm.rb
+++ b/evil-winrm.rb
@@ -69,12 +69,13 @@ def arguments()
 opts.on("-u", "--user USER", "Username (required)") { |val| options[:user] = val }
 opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
 opts.on("-H", "--hash HASH", "NTLM hash") do |val|
- self.print_header()
 if options[:password] != nil and val != nil
+ self.print_header()
 self.print_message("You must choose either password or hash auth. Both at the same time are not allowed", TYPE_ERROR)
 self.custom_exit(1, false)
 end
 if !val.match /^[a-fA-F0-9]{32}$/
+ self.print_header()
 self.print_message("Invalid hash format", TYPE_ERROR)
 self.custom_exit(1, false)
 end
From 137b14b5db73bd472e781ce1de16b9325afcfa4e Mon Sep 17 00:00:00 2001
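Review bot: The exclusivity check added in the `-H` handler only fires when `-p` appears before `-H`; with `-H` first and `-p` later the plaintext silently overwrites the hash-derived `options[:password]` and no error is raised, and `val != nil` is always true because OptionParser only runs this block once the required HASH argument is present. Make the check independent of argument order by recording the hash in the block (`options[:hash] = val`) and rejecting the combination after `optparse.parse!` (outside this hunk) when both `options[:password]` and `options[:hash]` are set, deriving the password only at that point. Prefer `&&` over `and` and `if options[:password]` over the `!= nil` comparison. Patch 11 on this same line keeps the identical condition. The enclosing `arguments()` method starts before and continues past this hunk.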
From: Paul Nittmann Date: Fri, 18 Oct 2019 18:53:47 +0200 Subject: [PATCH 12/19] add Gemfile and usage of bundler --- Gemfile | 6 ++++++ Gemfile.lock | 47 +++++++++++++++++++++++++++++++++++++++++++++++ README.md | 5 ++++- 3 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 Gemfile create mode 100644 Gemfile.lock diff --git a/Gemfile b/Gemfile new file mode 100644 index 0000000..1d6ed7d --- /dev/null +++ b/Gemfile @@ -0,0 +1,6 @@ +source 'https://rubygems.org' + +gem 'winrm' +gem 'winrm-fs' +gem 'colorize' +gem 'stringio' diff --git a/Gemfile.lock b/Gemfile.lock new file mode 100644 index 0000000..239dcfc --- /dev/null +++ b/Gemfile.lock @@ -0,0 +1,47 @@ +GEM + remote: https://rubygems.org/ + specs: + builder (3.2.3) + colorize (0.8.1) + erubis (2.7.0) + ffi (1.11.1) + gssapi (1.3.0) + ffi (>= 1.0.1) + gyoku (1.3.1) + builder (>= 2.1.2) + httpclient (2.8.3) + little-plugger (1.1.4) + logging (2.2.2) + little-plugger (~> 1.1) + multi_json (~> 1.10) + multi_json (1.14.1) + nori (2.6.0) + rubyntlm (0.6.2) + rubyzip (1.3.0) + stringio (0.0.2) + winrm (2.3.2) + builder (>= 2.1.2) + erubis (~> 2.7) + gssapi (~> 1.2) + gyoku (~> 1.0) + httpclient (~> 2.2, >= 2.2.0.2) + logging (>= 1.6.1, < 3.0) + nori (~> 2.0) + rubyntlm (~> 0.6.0, >= 0.6.1) + winrm-fs (1.3.2) + erubis (~> 2.7) + logging (>= 1.6.1, < 3.0) + rubyzip (~> 1.1) + winrm (~> 2.0) + +PLATFORMS + ruby + +DEPENDENCIES + colorize + stringio + winrm + winrm-fs + +BUNDLED WITH + 2.0.2 diff --git a/README.md b/README.md index a8473ca..78baa7f 100644 --- a/README.md +++ b/README.md 
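Review bot: The new Gemfile lists `winrm`, `winrm-fs`, `colorize` and `stringio` without version constraints, while the README's Requirements section states minimums (`winrm >=2.3.2`, `winrm-fs >=1.3.2`, `stringio >=0.0.2`, `colorize >=0.8.1`), so anyone who regenerates Gemfile.lock can resolve to older releases the script was not written against. Carry the minimums into the Gemfile: `gem 'winrm', '>= 2.3.2'`, `gem 'winrm-fs', '>= 1.3.2'`, `gem 'colorize', '>= 0.8.1'`, and likewise for stringio. Installs that honour the Gemfile.lock added in this commit are unaffected, since it pins exact versions.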
@@ -53,9 +53,12 @@ Ruby 2.3 or higher is needed. Some ruby gems are needed as well: `winrm >=2.3.2` `~$ sudo gem install winrm winrm-fs colorize stringio` +or using bundler with the Gemfile (Installation & Quick Start - Step 2) + ## Installation & Quick Start - Step 1. Clone the repo: `git clone https://github.com/Hackplayers/evil-winrm.git` - - Step 2. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` + - Step 2 (optional if using bundler): `cd evil-winrm && bundle install --path vendor/bundle` + - Step 3. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` If you don't want to put the password in clear text, you can optionally avoid to set `-p` argument and the password will be prompted preventing to be shown. From d3052a70ef2459b6cb7708625963c2c9bd2d099f Mon Sep 17 00:00:00 2001 From: Paul Nittmann Date: Sat, 19 Oct 2019 19:19:58 +0200 Subject: [PATCH 13/19] add bundler to gitignore & readme usage --- .gitignore | 4 +++- README.md | 10 +++++++--- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/.gitignore b/.gitignore index ed756a2..6484f85 100644 --- a/.gitignore +++ b/.gitignore @@ -6,4 +6,6 @@ ehthumbs.db Thumbs.db desktop.ini .dropbox* -.idea \ No newline at end of file +.idea +vendor/ +.bundle/ \ No newline at end of file diff --git a/README.md b/README.md index 78baa7f..9907436 100644 --- a/README.md +++ b/README.md 
@@ -53,12 +53,16 @@ Ruby 2.3 or higher is needed. Some ruby gems are needed as well: `winrm >=2.3.2` `~$ sudo gem install winrm winrm-fs colorize stringio` -or using bundler with the Gemfile (Installation & Quick Start - Step 2) +or using bundler with the Gemfile (Installation & Quick Start - Using bundler) ## Installation & Quick Start - Step 1. Clone the repo: `git clone https://github.com/Hackplayers/evil-winrm.git` - - Step 2 (optional if using bundler): `cd evil-winrm && bundle install --path vendor/bundle` - - Step 3. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` + - Step 2. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` + +### Using bundler + - Step 1: `cd evil-winrm && bundle install --path vendor/bundle` + - Step 2: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` + If you don't want to put the password in clear text, you can optionally avoid to set `-p` argument and the password will be prompted preventing to be shown. From 66679cc7d38d26e1243caaed8312583a581c66f2 Mon Sep 17 00:00:00 2001 From: Paul Nittmann Date: Sat, 19 Oct 2019 19:22:09 +0200 Subject: [PATCH 14/19] add some desc to readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9907436..03fdd9e 100644 --- a/README.md +++ b/README.md 
@@ -60,8 +60,8 @@ or using bundler with the Gemfile (Installation & Quick Start - Using bundler) - Step 2. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` ### Using bundler - - Step 1: `cd evil-winrm && bundle install --path vendor/bundle` - - Step 2: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` + - Step 1. Install dependencies with bundler: `cd evil-winrm && bundle install --path vendor/bundle` + - Step 2. Launch it with bundler: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` If you don't want to put the password in clear text, you can optionally avoid to set `-p` argument and the password will be prompted preventing to be shown. From 85b0090e9818600ef7fe9d968fc6c2f483e2cec2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=93scar=20Alfonso=20D=C3=ADaz?= Date: Sun, 20 Oct 2019 13:17:17 +0200 Subject: [PATCH 15/19] Create CONTRIBUTING.md --- CONTRIBUTING.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 CONTRIBUTING.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..73cddf8 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,22 @@
+# Contributing
+
+Hello, thank you for your interest into contributing to this project. Your help is really appreciated.
+
+Please note we have a [Code of Conduct], please follow it in all your interactions with the project.
+
+---
+
+## Git Workflow Policy
+
+1. Direct push to [Master] is not allowed.
+2. Pull Requests to [Master] are not allowed.
+3. Usually, commits and pull requests should be done on [Dev] branch. If you have any doubt, don't hesitate to ask first.
+4. Temporary branches may be existing for specific features, be pretty sure that the branch you are going to commit on is the right one. Ask first if you have any doubt.
+5. Any branch will be finally merged to [Dev], there it will be reviewed and tested deeply before being merged to [Master].
+6. All merges from [Dev] to [Master] are a new `evil-winrm` release. This merges to [Master] will be performed and reviewed exclusively by the staff.
+
+---
+
+[Code of Conduct]: CODE_OF_CONDUCT.md
+[Master]: https://github.com/Hackplayers/evil-winrm/tree/master
+[Dev]: https://github.com/Hackplayers/evil-winrm/tree/dev
From dd23ab6006961e72522af60fe564391ead39ad8f Mon Sep 17 00:00:00 2001
From: OscarAkaElvis
Date: Sun, 20 Oct 2019 13:19:28 +0200
Subject: [PATCH 16/19] Fix typo and remove not needed space
---
 evil-winrm.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/evil-winrm.rb b/evil-winrm.rb
index 7276abf..2019df8 100755
--- a/evil-winrm.rb
+++ b/evil-winrm.rb
@@ -69,7 +69,7 @@ def arguments()
 opts.on("-u", "--user USER", "Username (required)") { |val| options[:user] = val }
 opts.on("-p", "--password PASS", "Password") { |val| options[:password] = val }
 opts.on("-H", "--hash HASH", "NTLM hash") do |val|
- if options[:password] != nil and val != nil
+ if options[:password] != nil and val != nil
 self.print_header()
 self.print_message("You must choose either password or hash auth. Both at the same time are not allowed", TYPE_ERROR)
 self.custom_exit(1, false)
@@ -410,7 +410,7 @@ def main
 end
 print(output.output)
 rescue
- self.print_message("Check file names", TYPE_ERROR)
+ self.print_message("Check filenames", TYPE_ERROR)
 end
 elsif command.start_with?('Donut-Loader') then
@@ -428,7 +428,7 @@ def main
 end
 print(output.output)
 rescue
- self.print_message("Check file names", TYPE_ERROR)
+ self.print_message("Check filenames", TYPE_ERROR)
 end
 elsif command.start_with?('services') then
From d038a46c4fea6ab8294d8f74e107c2f05f31d5c5 Mon Sep 17 00:00:00 2001
From: OscarAkaElvis
Date: Sun, 20 Oct 2019 13:48:16 +0200
Subject: [PATCH 17/19] Better explanation of installation methods on README file
---
 README.md | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/README.md b/README.md
index 03fdd9e..3e1ea4f 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,6 @@ purposes by system administrators as well but the most of its features are focus
 - Pass-the-hash support
 ## Help
-
 ```
 Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p PASS] [-H HASH] [-U URL] [-S] [-c PUBLIC_KEY_PATH ] [-k PRIVATE_KEY_PATH ]
 -S, --ssl Enable ssl
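Review bot: Both reworded messages sit inside a bare `rescue` that discards the exception, so any failure in these two branches is reported only as `Check filenames` even when the cause has nothing to do with a file name; the option-parsing rescue earlier in the file already prints `$!.to_s`, and doing the same here (`self.print_message("Check filenames: " + $!.to_s, TYPE_ERROR)`) would let the operator see the real error. The enclosing `main` method starts and ends outside both hunks.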
@@ -50,30 +49,31 @@ Usage: evil-winrm -i IP -u USER [-s SCRIPTS_PATH] [-e EXES_PATH] [-P PORT] [-p P ## Requirements Ruby 2.3 or higher is needed. Some ruby gems are needed as well: `winrm >=2.3.2`, `winrm-fs >=1.3.2`, `stringio >=0.0.2` and `colorize >=0.8.1`. +Depending of your installation method (3 availables) the installation of them could be required to be done manually. -`~$ sudo gem install winrm winrm-fs colorize stringio` +## Installation & Quick Start (3 methods) -or using bundler with the Gemfile (Installation & Quick Start - Using bundler) +### Method 1. Git clone and install dependencies on your system manually + - Step 1. Install dependencies manually: `~$ sudo gem install winrm winrm-fs colorize stringio` + - Step 2. Clone the repo: `git clone https://github.com/Hackplayers/evil-winrm.git` + - Step 3. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` -## Installation & Quick Start - - Step 1. Clone the repo: `git clone https://github.com/Hackplayers/evil-winrm.git` - - Step 2. Ready. Just launch it! `~$ cd evil-winrm && ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` +### Method 2. Using bundler (dependencies will not be installed on your system, just to use evil-winrm) + - Step 1. Install bundler: `gem install bundler:2.0.2` + - Step 2. Install dependencies with bundler: `cd evil-winrm && bundle install --path vendor/bundle` + - Step 3. Launch it with bundler: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` -### Using bundler - - Step 1. Install dependencies with bundler: `cd evil-winrm && bundle install --path vendor/bundle` - - Step 2. 
Launch it with bundler: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` +## Method 3. Installation directly as ruby gem (dependencies will be installed automatically on your system) + - Step 1. Install it (it will install automatically dependencies): `gem install evil-winrm` + - Step 2. Ready. Just launch it! `~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` +## Documentation +#### Clear text password If you don't want to put the password in clear text, you can optionally avoid to set `-p` argument and the password will be prompted preventing to be shown. -To use IPv6, the address must be added to /etc/hosts. - -##### Alternative installation method as ruby gem - - - Step 1. Install it: `gem install evil-winrm` - - Step 2. Ready. Just launch it! `~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` - -## Documentation +#### Ipv6 +To use IPv6, the address must be added to /etc/hosts. Just put the already set name of the host after `-i` argument instead of an IP address. #### Basic commands - **upload**: local files can be auto-completed using tab key. It is recommended to use absolute path for destination to avoid errors. Otherwise you could get uncontrolled errors due Winrm-fs limitations. @@ -97,7 +97,6 @@ To use IPv6, the address must be added to /etc/hosts. ![ps1](resources/image7.png) #### Advanced commands - - Invoke-Binary: allows exes compiled from c# to be executed in memory. The name can be auto-completed using tab key and allows up to 3 parameters. The executables must be in the path set at `-e` argument. ![Invoke-Binary](resources/image3.png) From 278b1f23976afc362b0de79a447a00c3ddd4873d Mon Sep 17 00:00:00 2001 
From: OscarAkaElvis Date: Sun, 20 Oct 2019 13:49:21 +0200 Subject: [PATCH 18/19] Added bundler installation method to CHANGELOG --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86e80bd..f6fbb65 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,6 @@ ### 1.8 - Added pass-the-hash feature + - Added bundler installation method ### 1.7 - Added x64 compatibility to use Donut payloads From d465cd198ea15c9f8c71790c7aa6bd7dfec0f28f Mon Sep 17 00:00:00 2001 From: jarilaos <32414258+jarilaos@users.noreply.github.com> Date: Sun, 20 Oct 2019 13:52:28 +0200 Subject: [PATCH 19/19] tittle size --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3e1ea4f..20504ce 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ Depending of your installation method (3 availables) the installation of them co - Step 2. Install dependencies with bundler: `cd evil-winrm && bundle install --path vendor/bundle` - Step 3. Launch it with bundler: `bundle exec evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'` -## Method 3. Installation directly as ruby gem (dependencies will be installed automatically on your system) +### Method 3. Installation directly as ruby gem (dependencies will be installed automatically on your system) - Step 1. Install it (it will install automatically dependencies): `gem install evil-winrm` - Step 2. Ready. Just launch it! `~$ evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'`