Skip to content

Wmiexec task #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ghost-ng merged 11 commits into from
Oct 6, 2025
Merged

Wmiexec task #18

ghost-ng merged 11 commits into from
Oct 6, 2025

Conversation

@ghost-ng
Copy link
Owner

@ghost-ng ghost-ng commented Oct 6, 2025

No description provided.

ghost-ng and others added 11 commits October 5, 2025 07:30
@ghost-ng @claude
fix: correct SMB API calls in WMI named pipe execution
24c24d9 
- Fix Windows path to SMB share-root path conversion (C:\Windows -> \Windows)
- Update openFile/readFile/closeFile to use tree_id instead of share string
- Use correct SMB API signatures matching smblib implementation
- Import SMB constants (FILE_READ_DATA, FILE_SHARE_READ, FILE_SHARE_WRITE)
- Fix deleteFile to use tree_id parameter
- Remove placeholder return value in _read_remote_file error handling
- Remove unused imports (os, tempfile)

This ensures wmiexec task method properly reads output files via SMB.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ghost-ng
fix: implement all wmiexec task flags and path handling
bbf9d7f 
- Fix SMB path conversion (remove extra backslash: C:\path -> \path not \path)
- Implement --sp/--save-path flag for output file location
- Implement --sn/--save-name flag for custom output filename
- Implement --working-dir flag for process working directory
- Implement --shell flag (cmd/powershell) for command execution
- Implement --raw-command flag for direct executable launch
- Pass args object through execution chain for flag access
- Update _create_wmi_process_traditional to accept working_dir parameter
- All flags now properly extracted and used in command construction
- Fix escape sequence warning in docstring

Share-aware implementation:
- Output paths use share-root syntax (\Windows\Temp\ not C:\Windows\Temp\)
- SMB file operations use tree_id for proper share context
- Supports arbitrary shares through existing SMB connection

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com}
@ghost-ng @claude
fix: correct command redirection syntax for wmiexec task
fd25217 
- Move output redirection inside cmd.exe /c quotes for proper execution
- Add 2 second delay before reading output file to allow process to complete
- Add debug output for share and tree_id during file operations
- Escape quotes properly in redirected command path

The issue was that 'cmd.exe /c "command" > file' doesn't work because
redirection is outside the /c scope. It must be 'cmd.exe /c "command > file"'
for the redirection to be processed by the child cmd.exe instance.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@ghost-ng
fix: remove redundant time import causing variable shadowing in wmi_n…
c793eec 
…amedpipe.py
@ghost-ng
fix: simplify command quoting for WMI Win32_Process.Create redirection
b38fe03 
Remove complex quote escaping that was preventing output redirection from working.
WMI's Win32_Process.Create() needs simpler command syntax without escaped quotes.
@ghost-ng
feat: implement proper Task Scheduler execution for wmiexec task
433b4c4 
- Replaced DCOM Win32_Process.Create with Task Scheduler DCE/RPC
- Reuses existing schtasks infrastructure (_create_task, _run_task, _delete_task)
- Added three helper methods:
  - _create_task_scheduler_task(): Creates task with XML definition
  - _run_task_scheduler_task(): Executes the created task
  - _delete_task_scheduler_task(): Cleans up task after execution
- Supports all task flags: --tn, --sp, --sn, --working-dir, --shell, --raw-command, --no-cleanup
- Uses proper Task Scheduler interface instead of WMI DCOM
@ghost-ng
refactor: remove wmiexec task method (duplicate of atexec)
5b38fee 
Removed wmiexec task implementation as it duplicated atexec functionality:
- Both use Task Scheduler via atsvc DCE/RPC interface
- Both create → run → delete task workflow
- atexec already provides share-aware task execution

Removed methods:
- wmiexec_handler() - task routing handler
- execute_wmi_command_namedpipe() - named pipe execution
- _execute_single_command_namedpipe() - single command exec
- _execute_interactive_shell_namedpipe() - interactive shell
- _create_task_scheduler_task() - task creation
- _run_task_scheduler_task() - task execution
- _delete_task_scheduler_task() - task cleanup
- _execute_wmi_command_memory_capture() - memory capture method

Removed CLI:
- wmiexec task subparser with all flags
- Updated help text to show: dcom, event, query methods

Kept functionality:
- wmiexec --show-endpoints (uses discover_wmi_endpoints)
- wmiexec dcom, event, query methods
- All WMI named pipe discovery methods

Use 'atexec' for Task Scheduler-based execution instead.
@ghost-ng
chore: remove remaining wmiexec task references from error messages
5b53203 
- Updated error message to not reference 'wmiexec task'
- Removed suggestion to use 'wmiexec task -i' for interactive mode
- Cleaned up formatting (removed extra blank lines)
@ghost-ng
fix: set global SMB timeout to 24 hours with --timeout flag
3c8fc5d 
Changes:
- Fixed 'DCETransport' has no attribute 'set_timeout' error
- Set default global SMB timeout to 24 hours (86400 seconds)
- Added --timeout CLI flag to override default timeout
- Removed invalid set_timeout() call on DCETransport
- Timeout is properly applied to SMB connection via config.smb_conn_timeout

Usage:
  slinger --host 10.10.10.161 --user admin --ntlm :hash  # Uses 24hr timeout
  slinger --host 10.10.10.161 --user admin --ntlm :hash --timeout 3600  # 1hr timeout
@ghost-ng
fix: propagate timeout to all Impacket SMB and DCE/RPC connections
082bf85 
Ensures the global timeout setting is properly applied to:
- SMBConnection initial creation (was hardcoded to 15)
- SMBConnection._timeout attribute
- DCE/RPC transport connections via set_connect_timeout()

This ensures all underlying Impacket connections respect the --timeout flag.
@ghost-ng
refactor: use config_vars properly for smb_conn_timeout
2ac9801 
Simplified timeout configuration to use standard config system:
- Added smb_conn_timeout to config_vars list (86400s = 24hr default)
- Changed all code to use get_config_value("smb_conn_timeout")
- Removed redundant module variable and special handling
- Now timeout can be changed via 'set' command or --timeout flag

This is cleaner - no duplicate logic, single source of truth in config_vars.
@ghost-ng ghost-ng merged commit e33de1e into main Oct 6, 2025
1 check passed
@ghost-ng ghost-ng deleted the wmiexec_task branch October 6, 2025 11:32
@ghost-ng ghost-ng restored the wmiexec_task branch October 6, 2025 11:38
@ghost-ng ghost-ng deleted the wmiexec_task branch October 6, 2025 11:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ghost-ng