Atexec-pro: Next-Gen Pentesting Tool Leveraging Task Scheduler (No Port 445)

by ddos · Published July 18, 2024 · Updated July 18, 2024

Atexec-pro

Modified based on atexec.py (ATSVC example for some functions implemented, creates, enums, runs and deletes jobs. This example executes a command on the target machine through the Task Scheduler service. Returns the output of such command.)

The TSCH service is used by default(need port 135 a dynamic high port), port 445 is no longer required. The technology is mainly based on this article by zcgonvh.

Feature

CMD command execute

PS command execute
File Upload
File Download

.Net assembly execute
Support ATSVC and TSCH interface.

Note: functions upload, download, and execute-assembly currently only support files up to 1MB in size. All functions do not bypass AMSI.

Download

git clone https://github.com/Ridter/atexec-pro.git

Use

usage: atexec-pro.py [-h] [-i {TSCH,ATSVC}] [-session-id SESSION_ID] [-ts] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address] [-keytab KEYTAB]
                     target

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

options:
  -h, --help            show this help message and exit
  -i {TSCH,ATSVC}, --interface {TSCH,ATSVC}
                        Interface to use.
  -session-id SESSION_ID
                        an existed logon session to use (no output, no cmd.exe)
  -ts                   adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -codec CODEC          Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target, map the result with
                        https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found,
                        it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -keytab KEYTAB        Read keys for SPN from keytab file

Example

GetShell

python atexec-pro.py localhost/administrator:123@10.211.55.3

Command

.Net assembly

Upload/Download

Source: https://github.com/Ridter/

Atexec-pro: Next-Gen Pentesting Tool Leveraging Task Scheduler (No Port 445)

Search

Brilliantly

Content & Links