fortra / impacket

Impacket is a collection of Python classes for working with network protocols.
https://www.coresecurity.com

Delete() method on CIM_Datafile not working #1672

Closed massimiliano-dalcero closed 5 months ago

massimiliano-dalcero commented 6 months ago

Hello, I'm trying to delete a file on a remote host using WMI, but when I invoke the Delete() method nothing happens. No errors come back, everything seems to have gone well, but it doesn't delete the file.

Below I report the core of the code that I simplified to a minimum for testing:

```python
from impacket.dcerpc.v5.dcomrt import DCOMConnection
from impacket.dcerpc.v5.dcom import wmi
from impacket.dcerpc.v5.dtypes import NULL

myquery = "SELECT * FROM CIM_DataFile WHERE Name = 'C:\\\\Users\\\\pippo\\\\ciao.txt'"

dcom = DCOMConnection(address, username, password, domain, lmhash, nthash, aesKey, oxidResolver=True, doKerberos=k, kdcHost=dc_ip)
Interface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(Interface)
iWbemServices = iWbemLevel1Login.NTLMLogin(namespace, NULL, NULL)
iEnumWbemClassObject = iWbemServices.ExecQuery(myquery)
pEnum = iEnumWbemClassObject.Next(0xffffffff, 1)[0]
pEnum.Delete()  # no errors, seems to have worked correctly (but not)
print(pEnum.Caption)  # print correctly the file path
dcom.disconnect()
```

Replicating the code above in PowerShell on a remote machine on the network and connecting remotely to the target host, everything works fine:

```powershell
$username = "<username>"
$password = '<password>' | ConvertTo-SecureString -AsPlainText -Force
$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username, $password
$f = Get-WmiObject -Query "Select * from CIM_Datafile Where Name='C:\\Users\\pippo\\ciao.txt'" -Credential $cred -ComputerName 192.168.0.1
$f.Delete()
```

The following is the impacket version installed via pip:

```
# pip show impacket
Name: impacket
Version: 0.11.0
Summary: Network protocols Constructors and Dissectors
Home-page: https://www.coresecurity.com
Author: SecureAuth Corporation
Author-email:
License: Apache modified
Location: /usr/local/lib/python3.10/dist-packages
```

Best regards :)

NtAlexio2 commented 5 months ago

You cannot delete an enumerable object directly. You should call the DeleteInstance() function of wbemservices and specify your instance path, as shown below:

```python
from impacket.dcerpc.v5.dcomrt import DCOMConnection
from impacket.dcerpc.v5.dcom import wmi
from impacket.dcerpc.v5.dtypes import NULL

dcom = DCOMConnection(address, username, password, domain, lmhash, nthash, aesKey, oxidResolver=True, doKerberos=k, kdcHost=dc_ip)
Interface = dcom.CoCreateInstanceEx(wmi.CLSID_WbemLevel1Login, wmi.IID_IWbemLevel1Login)
iWbemLevel1Login = wmi.IWbemLevel1Login(Interface)
iWbemServices = iWbemLevel1Login.NTLMLogin('//./root/cimv2', NULL, NULL)
iWbemServices.DeleteInstance("CIM_DataFile.Name='C:\\\\Users\\\\pippo\\\\ciao.txt'")
dcom.disconnect()
```

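
The instance path passed to DeleteInstance() in the reply above, and the WQL query in the question, both need the file name escaped for WMI before it goes between the single quotes. The following is an added example, not part of the thread or of impacket: the helper names (`wmi_quote`, `datafile_query`, `datafile_object_path`, `delete_datafile`) are hypothetical, and it assumes backslash escaping of backslashes and quotes, so a file name containing a quote cannot change the query.

```python
import re

# Constructed sample: the file name used in the thread, as a raw string.
SAMPLE_PATH = r"C:\Users\pippo\ciao.txt"

# Accept only absolute drive paths without control characters.
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\[^\x00-\x1f]+$")


def wmi_quote(value: str) -> str:
    """Escape a value for a single-quoted WQL / object-path string.

    Backslash is the escape character, so every literal backslash and
    quote gets one in front of it. Assumption: the same rule is applied
    to quotes in object paths as in WQL string literals.
    """
    return re.sub(r"([\\'\"])", r"\\\1", value)


def _checked(path: str) -> str:
    # Reject anything that is not a plain absolute path before quoting it.
    if not _DRIVE_PATH.match(path):
        raise ValueError(f"not an absolute drive path: {path!r}")
    return wmi_quote(path)


def datafile_query(path: str) -> str:
    """WQL query selecting one CIM_DataFile instance by name."""
    return f"SELECT * FROM CIM_DataFile WHERE Name = '{_checked(path)}'"


def datafile_object_path(path: str) -> str:
    """Instance path in the form DeleteInstance() is given in the reply."""
    return f"CIM_DataFile.Name='{_checked(path)}'"


def delete_datafile(services, path: str) -> str:
    """Call DeleteInstance() on an IWbemServices object obtained as in
    the reply above; returns the object path that was sent."""
    object_path = datafile_object_path(path)
    services.DeleteInstance(object_path)
    return object_path
```

With a raw-string path as input, the helpers produce the same strings the thread writes by hand with four backslashes in a non-raw Python literal.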
massimiliano-dalcero commented 5 months ago

Thanks 🙏 works perfectly 😊

Only (and last) question: Where could I have found documentation related to this aspect? I have searched extensively around the web, but without success.

NtAlexio2 commented 5 months ago

You can find the WMI specification in the MS-WMI document.

massimiliano-dalcero commented 5 months ago

Hello no, that's not what I meant 😊 I meant in packet documentation or code examples.
Using the Microsoft documentation and powershell I had found the solution but it didn't work with impacket 😉