Merge pull request Pennyw0rth#820 from Pennyw0rth/neff-fix-wmi

NeffIsBack · web-flow · commit 19a54d5abac7 · 2025-07-24T15:25:22.000+02:00
Refactor WMI protocol execution
diff --git a/nxc/protocols/wmi.py b/nxc/protocols/wmi.py
@@ -208,7 +208,7 @@ def kerberos_login(self, domain, username, password="", ntlm_hash="", aesKey="",
             username = ccache.credentials[0].header["client"].prettyPrint().decode().split("@")[0]
             self.username = username
         used_ccache = " from ccache" if useCache else f":{process_secret(kerb_pass)}"
-        
+
         try:
             self.logger.debug(f"Attempting to connect via WMI to {self.host}")
             self.conn.set_credentials(username=username, password=password, domain=domain, lmhash=lmhash, nthash=nthash, aesKey=self.aesKey)
@@ -369,7 +369,7 @@ def hash_login(self, domain, username, ntlm_hash):
     @requires_admin
     def wmi(self, wql=None, namespace=None):
         """Execute WQL syntax via WMI
-        
+
         This is done via the --wmi flag
         """
         records = []
@@ -409,7 +409,7 @@ def wmi(self, wql=None, namespace=None):
             return records
 
     @requires_admin
-    def execute(self, command=None, get_output=False):
+    def execute(self, command=None, get_output=False, use_powershell=False):
         output = ""
 
         # Execution via -x
@@ -428,21 +428,38 @@ def execute(self, command=None, get_output=False):
 
         if self.args.exec_method == "wmiexec":
             exec_method = wmiexec.WMIEXEC(self.remoteName, self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.host, self.aesKey, self.logger, self.args.exec_timeout, self.args.codec)
-            output = exec_method.execute(command, get_output)
+            output = exec_method.execute(command, get_output, use_powershell=use_powershell)
 
         elif self.args.exec_method == "wmiexec-event":
             exec_method = wmiexec_event.WMIEXEC_EVENT(self.remoteName, self.username, self.password, self.domain, self.lmhash, self.nthash, self.doKerberos, self.kdcHost, self.host, self.aesKey, self.logger, self.args.exec_timeout, self.args.codec)
-            output = exec_method.execute(command, get_output)
+            output = exec_method.execute(command, get_output, use_powershell=use_powershell)
 
         self.conn.disconnect()
-        if output == "" and get_output:
-            self.logger.fail("Execute command failed, probabaly got detection by AV.")
-            return ""
-        elif self.args.execute and get_output:
+        if self.args.execute and get_output:
             self.logger.success(f'Executed command: "{command}" via {self.args.exec_method}')
             buf = StringIO(output).readlines()
             for line in buf:
-                self.logger.highlight(line.strip())
+                if line.strip():
+                    self.logger.highlight(line.strip())
             return output
-        elif get_output:
+        else:
             return output
+
+    def execute_psh(self, command=None, get_output=False):
+        # Execution via -X
+        if not command and self.args.execute_psh:
+            command = self.args.execute_psh
+            if not self.args.no_output:
+                get_output = True
+
+        output = self.execute(command, get_output, use_powershell=True)
+
+        if self.args.execute_psh and get_output:
+            self.logger.success(f'Executed PowerShell command: "{command}" via {self.args.exec_method}')
+            buf = StringIO(output).readlines()
+            for line in buf:
+                if line.strip():
+                    self.logger.highlight(line.strip())
+            return output
+        else:
+            return output
diff --git a/nxc/protocols/wmi/proto_args.py b/nxc/protocols/wmi/proto_args.py
@@ -16,8 +16,9 @@ def proto_args(parser, parents):
     cgroup = wmi_parser.add_argument_group("Command Execution", "Options for executing commands")
     cgroup.add_argument("--no-output", action="store_true", help="do not retrieve command output")
     cgroup.add_argument("-x", metavar="COMMAND", dest="execute", type=str, help="Creates a new cmd process and executes the specified command with output")
+    cgroup.add_argument("-X", metavar="COMMAND", dest="execute_psh", type=str, help="Creates a new PowerShell process and executes the specified command with output")
     cgroup.add_argument("--exec-method", choices={"wmiexec", "wmiexec-event"}, default="wmiexec", help="method to execute the command. (default: wmiexec). [wmiexec (win32_process + StdRegProv)]: get command results over registry instead of using smb connection. [wmiexec-event (T1546.003)]: this method is not very stable, highly recommend use this method in single host, using on multiple hosts may crash (just try again if it crashed).")
-    cgroup.add_argument("--exec-timeout", default=3, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
+    cgroup.add_argument("--exec-timeout", default=2, metavar="exec_timeout", dest="exec_timeout", type=int, help="Set timeout (in seconds) when executing a command, minimum 5 seconds is recommended. Default: %(default)s")
     cgroup.add_argument("--codec", default="utf-8", help="Set encoding used (codec) from the target's output (default: utf-8). If errors are detected, run chcp.com at the target & map the result with https://docs.python.org/3/library/codecs.html#standard-encodings and then execute again with --codec and the corresponding codec")
     return parser
 
diff --git a/nxc/protocols/wmi/wmiexec.py b/nxc/protocols/wmi/wmiexec.py
@@ -51,9 +51,17 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         iWbemLevel1Login.RemRelease()
         self.__win32Process, _ = self.__iWbemServices.GetObject("Win32_Process")
 
-    def execute(self, command, output=False):
-        if output:
+    def execute(self, command, output=False, use_powershell=False):
+        """Execute a command on the remote host using WMI.
+        Options:
+        - No output
+        - Output with bash (limited to ~1MB)
+        - Output with PowerShell (recommended for larger outputs)
+        """
+        if output and not use_powershell:
             self.execute_WithOutput(command)
+        elif output and use_powershell:
+            self.execute_WithOutput_psh(command)
         else:
             command = self.__shell + command
             self.execute_remote(command)
@@ -73,35 +81,112 @@ def execute_WithOutput(self, command):
         result_output = f"C:\\windows\\temp\\{uuid.uuid4()!s}.txt"
         result_output_b64 = f"C:\\windows\\temp\\{uuid.uuid4()!s}.txt"
         keyName = str(uuid.uuid4())
-        self.__registry_Path = f"Software\\Classes\\{gen_random_string(6)}"
-
-        commands = [
-            f"{self.__shell} {command} 1> {result_output} 2>&1",
-            f"{self.__shell} certutil -encodehex -f {result_output} {result_output_b64} 0x40000001",
-            f'{self.__shell} for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f',
-            f"{self.__shell} del /q /f /s {result_output} {result_output_b64}",
-        ]
-
-        for cmd in commands:
-            self.execute_remote(cmd)
-            time.sleep(0.5)
-        self.logger.info(f"Waiting {self.__exec_timeout}s for command completely executed.")
+        self.__registry_Path = f"Software\\Classes\\{gen_random_string(8)}"
+
+        # 1. Run the command and write output to file
+        self.execute_remote(f'{self.__shell} {command} 1> "{result_output}" 2>&1')
+        self.logger.info(f"Waiting {self.__exec_timeout}s for command to complete.")
         time.sleep(self.__exec_timeout)
 
+        # 2. Base64 encode the file
+        self.execute_remote(f"{self.__shell} certutil -encodehex -f {result_output} {result_output_b64} 0x40000001")
+        time.sleep(0.5)
+
+        # 3. Store content in registry
+        self.execute_remote(f'{self.__shell} for /F "usebackq" %G in ("{result_output_b64}") do reg add HKLM\\{self.__registry_Path} /v {keyName} /t REG_SZ /d "%G" /f')
+        time.sleep(0.1)
+
         self.queryRegistry(keyName)
+        self.clean_up(result_output, result_output_b64)
 
     def queryRegistry(self, keyName):
         try:
-            self.logger.debug(f"Querying registry key: HKLM\\{self.__registry_Path}")
+            # Spawn an instance of StdRegProv to access the registry
+            self.logger.debug(f"Retrieving output from: HKLM\\{self.__registry_Path}")
             descriptor, _ = self.__iWbemServices.GetObject("StdRegProv")
             descriptor = descriptor.SpawnInstance()
-            retVal = descriptor.GetStringValue(0x80000002, self.__registry_Path, keyName)
-            self.__outputBuffer = base64.b64decode(retVal.sValue).decode(self.__codec, errors="replace").rstrip("\r\n")
+
+            # Retrieve the base64 content from the registry
+            for _ in range(10):
+                self.logger.debug(f"Retrieving key: {keyName}")
+                outputBuffer_b64 = descriptor.GetStringValue(0x80000002, self.__registry_Path, keyName).sValue
+                if outputBuffer_b64 is not None:
+                    break
+                time.sleep(1)
+            self.__outputBuffer = base64.b64decode(outputBuffer_b64).decode(self.__codec, errors="replace").rstrip("\r\n")
         except Exception:
-            self.logger.fail("WMIEXEC: Could not retrieve output file, it may have been detected by AV. Please try increasing the timeout with the '--exec-timeout' option. If it is still failing, try the 'smb' protocol or another exec method")
+            self.logger.fail("WMIEXEC: Could not retrieve output file! Either command timed out or AV killed the process. Please try increasing the timeout: '--exec-timeout 10'")
+
+    def execute_WithOutput_psh(self, command):
+        """Same functionality as execute_WithOutput, but uses PowerShell to handle larger outputs by splitting the base64 content into chunks and storing it in the registry."""
+        result_output = f"C:\\windows\\temp\\{uuid.uuid4()!s}.txt"
+        result_output_b64 = f"C:\\windows\\temp\\{uuid.uuid4()!s}.txt"
+        keyName = str(uuid.uuid4())
+        self.__registry_Path = f"Software\\Classes\\{gen_random_string(8)}"
+
+        # 1. Run the command and write output to file
+        if not command.lower().startswith("powershell"):
+            command = f"powershell -Command {command}"
+        self.execute_remote(f'{command} > "{result_output}" 2>&1')
+        self.logger.info(f"Waiting {self.__exec_timeout}s for command to complete.")
+        time.sleep(self.__exec_timeout)
+
+        # 2. Base64 encode the file using PowerShell
+        self.execute_remote(f'powershell -Command "[Convert]::ToBase64String([IO.File]::ReadAllBytes(\'{result_output}\')) | Out-File -Encoding ASCII \'{result_output_b64}\'"')
+        time.sleep(0.5)
+
+        # 3. Use PowerShell to split base64 content into 16KB chunks and store in registry
+        self.execute_remote(
+            f'powershell -Command "$b64 = Get-Content -Raw \'{result_output_b64}\'; '
+            f'$chunksize = 16000; '
+            f'$count = [math]::Ceiling($b64.Length / $chunksize); '
+            f'for ($i = 0; $i -lt $count; $i++) {{ '
+            f'  $chunk = $b64.Substring($i * $chunksize, [math]::Min($chunksize, $b64.Length - ($i * $chunksize))); '
+            f'  $name = \\"{keyName}_chunk_$i\\"; '
+            f'  reg add \\"HKLM\\{self.__registry_Path}\\" /v $name /t REG_SZ /d $chunk /f }}; '
+            f'reg add \\"HKLM\\{self.__registry_Path}\\" /v \\"{keyName}\\" /t REG_DWORD /d $count /f"'
+        )
+        time.sleep(0.1)
+
+        self.queryRegistry_psh(keyName)
+        self.clean_up(result_output, result_output_b64)
+
+    def queryRegistry_psh(self, keyName):
+        try:
+            # Spawn an instance of StdRegProv to access the registry
+            self.logger.debug(f"Retrieving output from: HKLM\\{self.__registry_Path}")
+            descriptor, _ = self.__iWbemServices.GetObject("StdRegProv")
+            descriptor = descriptor.SpawnInstance()
+
+            # Get the number of chunks stored in the registry
+            num_chunks = None
+            for _ in range(10):
+                self.logger.debug(f"Retrieving number of chunks for key: {keyName}")
+                num_chunks = descriptor.GetDWORDValue(0x80000002, self.__registry_Path, keyName).uValue
+                if num_chunks is not None:
+                    break
+                time.sleep(1)
+
+            self.logger.debug(f"Number of chunks: {num_chunks}")
+
+            # Retrieve each chunk and decode the base64 content
+            outputBuffer_b64 = ""
+            for i in range(num_chunks):
+                chunk_name = f"{keyName}_chunk_{i}"
+                self.logger.debug(f"Retrieving chunk: {chunk_name}")
+                outputBuffer_b64 += descriptor.GetStringValue(0x80000002, self.__registry_Path, chunk_name).sValue
+            self.__outputBuffer = base64.b64decode(outputBuffer_b64).decode("utf-16le", errors="replace").rstrip("\r\n").lstrip("\ufeff")  # Remove BOM if present
+        except Exception:
+            self.logger.fail("WMIEXEC: Could not retrieve output file! Either command timed out or AV killed the process. Please try increasing the timeout: '--exec-timeout 10'")
+
+    def clean_up(self, result_output, result_output_b64):
+        """Deletes the output file, the base64 output file, and the registry path where the base64 content was stored."""
+        self.execute_remote(f'{self.__shell} del /q /f "{result_output}" "{result_output_b64}"')
 
         try:
             self.logger.debug(f"Removing temporary registry path: HKLM\\{self.__registry_Path}")
-            retVal = descriptor.DeleteKey(0x80000002, self.__registry_Path)
+            descriptor, _ = self.__iWbemServices.GetObject("StdRegProv")
+            descriptor = descriptor.SpawnInstance()
+            descriptor.DeleteKey(0x80000002, self.__registry_Path)
         except Exception as e:
-            self.logger.debug(f"Target: {self.__target} removing temporary registry path error: {e!s}")
+            self.logger.fail(f"Target: {self.__target} removing temporary registry path error: {e!s}")
diff --git a/nxc/protocols/wmi/wmiexec_event.py b/nxc/protocols/wmi/wmiexec_event.py
@@ -57,9 +57,11 @@ def __init__(self, target, username, password, domain, lmhash, nthash, doKerbero
         self.__iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/subscription", NULL, NULL)
         iWbemLevel1Login.RemRelease()
 
-    def execute(self, command, output=False):
+    def execute(self, command, output=False, use_powershell=False):
         if "'" in command:
             command = command.replace("'", r'"')
+        if use_powershell:
+            command = f"powershell.exe -Command {command}"
         self.__retOutput = output
         self.execute_handler(command)
 
