Atexec-pro: Next-Gen Pentesting Tool Leveraging Task Scheduler (No Port 445)

by ddos · Published · Updated

Atexec-pro

Modified based on atexec.py (ATSVC example for some functions implemented, creates, enums, runs and deletes jobs. This example executes a command on the target machine through the Task Scheduler service. Returns the output of such command.)

The TSCH service is used by default(need port 135 a dynamic high port), port 445 is no longer required. The technology is mainly based on this article by zcgonvh.

Feature

  • CMD command execute
  • PS command execute
  • File Upload
  • File Download
  • .Net assembly execute
  • Support ATSVC and TSCH interface.

Note: functions upload, download, and execute-assembly currently only support files up to 1MB in size. All functions do not bypass AMSI.

Download

git clone https://github.com/Ridter/atexec-pro.git

Use

usage: atexec-pro.py [-h] [-i {TSCH,ATSVC}] [-session-id SESSION_ID] [-ts] [-debug] [-codec CODEC] [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                     [-dc-ip ip address] [-keytab KEYTAB]
                     target

positional arguments:
  target                [[domain/]username[:password]@]<targetName or address>

options:
  -h, --help            show this help message and exit
  -i {TSCH,ATSVC}, --interface {TSCH,ATSVC}
                        Interface to use.
  -session-id SESSION_ID
                        an existed logon session to use (no output, no cmd.exe)
  -ts                   adds timestamp to every logging output
  -debug                Turn DEBUG output ON
  -codec CODEC          Sets encoding used (codec) from the target's output (default "utf-8"). If errors are detected, run chcp.com at the target, map the result with
                        https://docs.python.org/3/library/codecs.html#standard-encodings and then execute wmiexec.py again with -codec and the corresponding codec

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
  -no-pass              don't ask for password (useful for -k)
  -k                    Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found,
                        it will use the ones specified in the command line
  -aesKey hex key       AES key to use for Kerberos Authentication (128 or 256 bits)
  -dc-ip ip address     IP Address of the domain controller. If omitted it will use the domain part (FQDN) specified in the target parameter
  -keytab KEYTAB        Read keys for SPN from keytab file

Example

GetShell

python atexec-pro.py localhost/administrator:123@10.211.55.3

Command

.Net assembly

Upload/Download

Source: https://github.com/Ridter/