
https://github.com/ice-wzl/wmiexec2

wmiexec2.0 is the same wmiexec that everyone knows and loves (debatable). This 2.0 version is obfuscated to avoid well-known signatures from various AV engines. It also has a handful of additional built-in modules to help automate some common tasks on red team engagements.

# ⚡ wmiexec2.0 ⚡

> **The stealthy upgrade to everyone's favorite `wmiexec`: obfuscated, enhanced, and red team ready.**
> 💀 *Bypass AV. Automate engagements. Dominate.*

---

## 🚀 Features

- 🎭 Obfuscated to evade signature-based AV detection
- 🛠️ Built-in red team modules for rapid automation
- 🐚 Supports `cmd` and `powershell` shell types
- 📁 Local and remote file transfer (`lput`, `lget`)
- 📡 Netsh tunneling, token abuse, VM detection, and more

---

## 📦 Installation

```bash
git clone https://github.com/ice-wzl/wmiexec2.git
cd wmiexec2/
pip3 install -r requirements.txt
```

> โš ๏ธ **Do NOT use `wget` on GitHub Raw** โ€” it will break emoji characters. Always use `git clone`.

---

## 🧪 AV / EDR Compatibility

| Environment | Result |
|-----------------------------------------------------|----------------------------|
| Windows Server 2022 (Feb 2024 updates) | ✅ All modules working |
| Windows 10 Pro, Defender v1.381.3595.0 | ✅ All modules working |
| Windows 10 Pro, Kaspersky Standard 21.8.5 | ✅ All modules working |
| Windows 8, Defender v1.383.35.0 | ✅ All modules working |
| Windows 7 Pro, Defender v1.95.191.0 (2010) | ⚠️ Reg module not working |

---

## 🔧 Usage

```bash
python3 wmiexec2.py DOMAIN/USERNAME:PASSWORD@10.0.0.2 --shell-type powershell
python3 wmiexec2.py WORKGROUP/Administrator:'Password123!@#'@10.0.0.4 --shell-type cmd
```

> Supports both password and NTLM hash authentication
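wmiexec2.0 drives a `cmd` or `powershell` shell on the target through WMI (the impacket `dcomrt.py` dependency noted below), so the process tree it leaves is the thing a defender can watch for. The following is an added example, not code from the wmiexec2 project: a classifier over constructed process-creation records (Sysmon Event ID 1 / Security 4688 field names) that flags shells spawned by `WmiPrvSE.exe`, and grades the hit higher when the stock impacket `\\127.0.0.1\ADMIN$\__` output redirection is present. The field names, the sample records, the inclusion of `pwsh.exe` and the assumption that an obfuscated build may drop that redirection are mine.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}  # --shell-type cmd|powershell; pwsh.exe is my addition
WMI_HOST = "wmiprvse.exe"  # WMI provider host that services Win32_Process.Create
# Stock impacket wmiexec redirects output to ADMIN$, e.g. "1> \\127.0.0.1\ADMIN$\__<ts> 2>&1".
# Assumption: an obfuscated build may change this, so it is a strong hint, not a requirement.
ADMIN_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)

@dataclass
class Finding:
    pid: int
    verdict: str  # "wmiexec-pattern" or "wmi-spawned-shell"
    reason: str

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[Finding]:
    """Classify one process-creation record (Sysmon EID 1 / Security 4688 fields)."""
    if _basename(event.get("ParentImage", "")) != WMI_HOST:
        return None
    child = _basename(event.get("Image", ""))
    if child not in SHELL_IMAGES:
        return None  # other WmiPrvSE children (management agents etc.) are out of scope here
    if ADMIN_REDIRECT.search(event.get("CommandLine", "")):
        return Finding(event["ProcessId"], "wmiexec-pattern",
                       f"WmiPrvSE.exe spawned {child} with ADMIN$ output redirection")
    return Finding(event["ProcessId"], "wmi-spawned-shell",
                   f"WmiPrvSE.exe spawned {child}; correlate with inbound DCOM/WMI logons")

def scan(events: Iterable[dict]) -> list:
    return [f for f in (classify(e) for e in events) if f is not None]

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessId": 4012, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1717776000.12 2>&1"},
    {"ProcessId": 4020, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -Command hostname"},
    {"ProcessId": 4033, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.pid, f.verdict, f.reason)
```

The two WmiPrvSE-spawned shells are reported (the first with the stronger verdict) and the explorer-spawned shell is ignored.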

---

## 📚 Commands

| Command | Description |
|--------------------------|-------------------------------------------------------|
| `help` | Show available modules |
| `lcd ` | Change local working directory |
| `exit` | Exit shell |
| `lput ` | Upload file to target |
| `lget ` | Download file from target |
| `!` | Run a command locally (e.g., `!ls`) |
| `ls [path]` | List target directory (uses `dir /a`) |
| `cat ` | Show remote file contents (alias for `type`) |

---

## 🧠 Modules

### `sysinfo`
Display target user, hostname, IP, and architecture.

```bash
sysinfo
```

---

### `av`
Lists common AV product processes via remote enumeration.

```bash
av
```

---

### `defender`
Checks Defender installation, service status, exclusions, and tamper protection.

```bash
defender
```

---

### `vmcheck`
Detects ESXi, VMware, QEMU, and VirtualBox environments.

```bash
vmcheck
```

---

### `unattend`
Searches for unattended install config files that may contain credentials.

```bash
unattend
```

---

### `regrip`
Dumps `SAM`, `SECURITY`, and `SYSTEM` hives (bypasses Defender as of 6/7/24).

```bash
regrip
```

---

### `loggrab`
Download `.evtx` logs from remote system.

```bash
loggrab Security.evtx
```

---

### `tokens`
Enumerates active tokens and suggests privesc paths.

```bash
tokens
```

---

### `survey` / `survey save`
Run custom recon commands listed in `survey.conf`.

```bash
survey
survey save
```

---

### Netsh Tunneling

```bash
addtun 10000 10.0.0.5 443
showtun
deltun 10000
```

---

## 🛠 Known impacket NAT Fix

If you get this error:

```
[-] Can't find a valid stringBinding to connect
```

### ➤ Fix

1. Locate your `dcomrt.py`:
```bash
find / -type f -name "dcomrt.py" 2>/dev/null
```

2. Edit and replace:
```python
# raise Exception("Can't find a valid stringBinding to connect")
stringBinding = 'ncacn_ip_tcp:%s%s' % (self.get_target(), bindingPort)
LOG.info("Can't find a valid stringBinding to connect, using default!")
```

✅ Done!

---

## 💡 Notes

- This tool is **under active development**; submit PRs or issues.
- All modules built for stealth and speed.
- Use responsibly in authorized engagements.

---

## โญ If This Helped You

If `wmiexec2.0` saved you time or helped your ops:
> 🧠 Spread the knowledge. 🌍 Share the repo. ⭐ Star it.

---

## 👻 Author

**ice-wzl**
๐Ÿ™ GitHub: [ice-wzl](https://github.com/ice-wzl)
๐Ÿ› ๏ธ Built with โค๏ธ for red teams.

---