winexe is a Linux application that you can use to execute commands remotely on Windows machines. It works much like a Meterpreter session or like psexec on Windows.
One reason for using it is that you want to script certain actions on remote machines, such as executing PowerShell scripts and gathering information for forensic purposes. I was interested in it because of the last example.
In this guide I will show you how to build it and walk through a scenario of using it to collect information from your endpoints remotely. As usual I use CentOS 7 with the latest updates as of the date of this post.
    [root@localhost ~]# cat /etc/redhat-release
    CentOS Linux release 7.1.1503 (Core)
    [root@localhost ~]# uname -a
    Linux localhost.localdomain 3.10.0-229.el7.x86_64 #1 SMP Fri Mar 6 11:36:42 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
1. Download winexe from here. If you download the current source (as of this date) it is called "winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab.zip" with sha1sum cbbebd80c935a8408448f3a92c04b85ea19a8b64.
Or, clone it using git:
    git clone http://git.code.sf.net/p/winexe/winexe-waf winexe
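The post gives a sha1sum for the archive but does not show how to check it. The following helper, an added example that is not part of the original post, compares a downloaded file against that published checksum and only unpacks it when they match, so a corrupted or altered archive is rejected before it is built and later run with administrative credentials. It assumes GNU coreutils `sha1sum` and `unzip` are installed; the file path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify the downloaded winexe
# archive against the sha1sum quoted in the post before unpacking it.
# Assumes sha1sum (coreutils) and unzip are available.

# Checksum the post gives for winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab.zip
WINEXE_ARCHIVE_SHA1=cbbebd80c935a8408448f3a92c04b85ea19a8b64

# verify_sha1 FILE EXPECTED_SHA1
# Returns 0 when FILE hashes to EXPECTED_SHA1, 1 on a mismatch, 2 when FILE
# cannot be read. Details of a mismatch go to stderr so they show up in logs.
verify_sha1() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "verify_sha1: cannot read $file" >&2; return 2; }
    actual=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "verify_sha1: checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# unpack_verified ARCHIVE EXPECTED_SHA1 DESTDIR
# Unzips ARCHIVE into DESTDIR only if the checksum check passes; otherwise
# nothing is written and verify_sha1's status is returned.
unpack_verified() {
    verify_sha1 "$1" "$2" || return $?
    mkdir -p "$3" && unzip -q "$1" -d "$3"
}

# Usage (not executed here):
#   unpack_verified /root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab.zip \
#       "$WINEXE_ARCHIVE_SHA1" /root
```

If the check fails, re-download from the project's own repository rather than building the mismatching archive; the git clone in step 1 is the alternative the post already offers.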
2. Make sure you have all the required packages installed. You will need the EPEL repository for some of them as well.
    yum install epel-release
    yum update -y
    yum install samba-client \
        gcc \
        perl \
        mingw-binutils-generic \
        mingw-filesystem-base \
        mingw32-binutils \
        mingw32-cpp \
        mingw32-crt \
        mingw32-filesystem \
        mingw32-gcc \
        mingw32-headers \
        mingw64-binutils \
        mingw64-cpp \
        mingw64-crt \
        mingw64-filesystem \
        mingw64-gcc \
        mingw64-headers \
        libcom_err-devel \
        popt-devel \
        zlib-devel \
        zlib-static \
        glibc-devel \
        glibc-static \
        python-devel \
        gnutls-devel \
        libacl-devel \
        openldap-devel \
        samba-devel
3. Unzip the package downloaded in step 1 (I downloaded it to /root/) and navigate into the source folder. Or, if you used git, simply go into the cloned folder and then into its source folder.
    [root@localhost source]# pwd
    /root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source
4. Build it:
    [root@localhost source]# ./waf configure build
5. If everything works you will get this output at the end:
    Waf: Leaving directory `/root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build'
    'build' finished successfully (1.819s)
6. Time for the fun stuff. You now have your winexe binary in the build directory. Navigate into the build folder and run it without arguments to see the options:
    [root@localhost build]# pwd
    /root/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build
    [root@localhost build]# ./winexe
    winexe version 1.1
    This program may be freely redistributed under the terms of the GNU GPLv3
    Usage: winexe [OPTION]... //HOST COMMAND
    Options:
      -h, --help                                Display help message
      -V, --version                             Display version number
      -U, --user=[DOMAIN/]USERNAME[%PASSWORD]   Set the network username
      -A, --authentication-file=FILE            Get the credentials from a file
      -N, --no-pass                             Do not ask for a password
      -k, --kerberos=STRING                     Use Kerberos, -k [yes|no]
      -d, --debuglevel=DEBUGLEVEL               Set debug level
      --uninstall                               Uninstall winexe service after remote execution
      --reinstall                               Reinstall winexe service before remote execution
      --system                                  Use SYSTEM account
      --profile                                 Load user profile
      --convert                                 Try to convert characters between local and remote code-pages
      --runas=[DOMAIN\]USERNAME%PASSWORD        Run as the given user (BEWARE: this password is sent in cleartext over the network!)
      --runas-file=FILE                         Run as user options defined in a file
      --interactive=0|1                         Desktop interaction: 0 - disallow, 1 - allow. If allow, also use the --system switch (Windows requirement). Vista does not support this option.
      --ostype=0|1|2                            OS type: 0 - 32-bit, 1 - 64-bit, 2 - winexe will decide. Determines which version (32-bit or 64-bit) of service will be installed.
    [root@localhost build]#
7. Before we continue, you need to set up the Windows machine. There are some issues with Windows 7 and later, as described here. I had to add this registry value to my machine to make it work:
    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\system" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
Start cmd as administrator and paste it in. That should be everything.
Note what this value does: LocalAccountTokenFilterPolicy=1 disables the UAC remote restrictions that normally give a local account a filtered, non-administrative token when it authenticates over the network. That is what lets winexe install its service using a local administrator account, and it also means every local administrator credential on that host now grants full remote administrative access, which is why hardening baselines generally want it left at the default of 0. Set it only on the hosts where you need it, and consider removing it again once the collection is done.
8. I have already uploaded a PowerShell script to my machine. It will run some commands and write the output to a text file locally on the system. The local user I have created is called "bob" with the password "secretpassword". The system I am targeting is called windows.domain.local. Note that it is not joined to an Active Directory domain; it is just a domain I use for testing. You could do it with Kerberos and an Active Directory account as well. The command line for executing the PowerShell script is:
    ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "powershell.exe -executionPolicy bypass -File C:\gather.ps1" & EXIT'
The --uninstall parameter removes the service that winexe installs on the remote host once the command has finished, so nothing is left running there.
You can read about the other parameters here.
To just run a simple ipconfig, do this:
    [root@localhost build]# ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "ipconfig" & EXIT'
Or maybe drop yourself into a shell:
    [root@localhost build]# ./winexe --user=\bob%secretpassword //windows.domain.local --interactive=1 --uninstall --system 'cmd /C "cmd" & EXIT'
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

    C:\Windows\system32>
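The commands above pass the password with --user on the command line, where it is visible to every local user through `ps` and ends up in the shell history. For the forensic collection scenario in step 8, where the same command is run against many endpoints, the wrapper below is an added example (not code from the original post or from the winexe project) that instead writes a credentials file for winexe's -A / --authentication-file option with mode 0600, runs the step 8 collection command against each host in a list, and stores each host's output and exit status under a timestamped directory. It assumes the -A file uses the "username = / password = / domain =" layout that Samba's smbclient -A accepts (winexe is built on the Samba libraries), that WINEXE points at the binary built in step 6, and that C:\gather.ps1 already exists on each endpoint as in the post; the host-list file and output directory names are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): run the step 8 collection
# command across a list of endpoints with the credentials kept in a file
# instead of on the command line. See the lead-in for the assumptions.

WINEXE=${WINEXE:-./winexe}   # assumption: binary built in step 6
# The exact remote command from step 8 of the post.
COLLECT_CMD='cmd /C "powershell.exe -executionPolicy bypass -File C:\gather.ps1" & EXIT'

# write_auth_file PATH USER PASSWORD [DOMAIN]
# Creates the -A credentials file readable only by the invoking user.
# Layout assumed to match smbclient -A: "username = ", "password = ", "domain = ".
write_auth_file() {
    (
        umask 077
        {
            printf 'username = %s\n' "$2"
            printf 'password = %s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain = %s\n' "$4"; fi
        } > "$1"
    )
    chmod 600 "$1"
}

# winexe_args AUTHFILE HOST
# Prints the argument list used for one host, one argument per line, so the
# exact command can be reviewed (or tested) without contacting any host.
winexe_args() {
    printf '%s\n' "--authentication-file=$1" "--interactive=1" "--uninstall" \
        "--system" "//$2" "$COLLECT_CMD"
}

# collect_host AUTHFILE HOST OUTDIR
# Runs the collection on HOST, keeping stdout and stderr in OUTDIR/HOST.out
# and OUTDIR/HOST.err, and records winexe's exit status in a summary file so a
# failure on one endpoint is visible rather than silently skipped.
collect_host() {
    authfile=$1; host=$2; outdir=$3
    "$WINEXE" "--authentication-file=$authfile" --interactive=1 --uninstall --system \
        "//$host" "$COLLECT_CMD" > "$outdir/$host.out" 2> "$outdir/$host.err"
    rc=$?
    echo "$host exit=$rc" >> "$outdir/summary.txt"
    return $rc
}

# collect_all AUTHFILE HOSTFILE
# HOSTFILE holds one hostname per line; blank lines and '#' comments are
# skipped. Prints the output directory it created.
collect_all() {
    outdir="winexe-collect-$(date -u +%Y%m%dT%H%M%SZ)"
    mkdir -p "$outdir"
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac
        collect_host "$1" "$host" "$outdir" || echo "warning: collection failed on $host" >&2
    done < "$2"
    echo "$outdir"
}

# Usage (only runs when invoked as: sh thisscript.sh run AUTHFILE HOSTFILE):
#   write_auth_file ~/.winexe-auth bob secretpassword
#   printf 'windows.domain.local\n' > hosts.txt
#   sh thisscript.sh run ~/.winexe-auth hosts.txt
if [ "${1:-}" = run ]; then
    collect_all "$2" "$3"
fi
```

Keeping --uninstall in the argument list means each endpoint is left without the winexe service after its run, and the per-host .err files plus summary.txt give you a record of which endpoints the collection actually reached.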
References
http://www.aldeid.com/wiki/Winexe#Common_options
http://sourceforge.net/p/winexe/winexe-waf/ci/master/tree/#
http://ss64.com/nt/cmd.html
    source]# ./waf configure build
    Setting top to : /root/winexe/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source
    Setting out to : /root/winexe/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build
    Checking for 'gcc' (c compiler) : /usr/bin/gcc
    Checking for program pkg-config : /usr/bin/pkg-config
    Checking for 'dcerpc' : not found
    The configuration failed
    (complete log in /root/winexe/winexe-winexe-waf-b787d2a2c4b1abc3653bad10aec943b8efcd7aab/source/build/config.log)