+Proxy support +Dockerfile

3 files changed, 114 insertions, 83 deletions

diff --git a/cmd/root.go b/cmd/root.go
index f596c75..b44c50e 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,104 +1,125 @@
 package cmd
 
 import (
-	"context"
-	"fmt"
-	"github.com/RedTeamPentesting/adauth"
-	"github.com/rs/zerolog"
-	"github.com/spf13/cobra"
-	"os"
-	"regexp"
-	"strings"
+  "context"
+  "fmt"
+  "github.com/RedTeamPentesting/adauth"
+  "github.com/rs/zerolog"
+  "github.com/spf13/cobra"
+  "net/url"
+  "os"
+  "regexp"
+  "strings"
 )
 
 var (
-	//logFile string
-	log      zerolog.Logger
-	ctx      context.Context
-	authOpts *adauth.Options
+  //logFile string
+  log      zerolog.Logger
+  ctx      context.Context
+  authOpts *adauth.Options
 
-	hostname string
+  hostname string
+  proxyStr string
+  proxyUrl *url.URL
 
-	// Root flags
-	debug bool
+  // Root flags
+  debug bool
 
-	// Generic flags
-	command          string
-	executable       string
-	executablePath   string
-	executableArgs   string
-	workingDirectory string
-	windowState      string
+  // Generic flags
+  command          string
+  executable       string
+  executablePath   string
+  executableArgs   string
+  workingDirectory string
+  windowState      string
 
-	rootCmd = &cobra.Command{
-		Use: "goexec",
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) {
-			// For modules that require a full executable path
-			if executablePath != "" && !regexp.MustCompile(`^([a-zA-Z]:)?\\`).MatchString(executablePath) {
-				return fmt.Errorf("executable path (-e) must be an absolute Windows path, i.e. C:\\Windows\\System32\\cmd.exe")
-			}
-			if command != "" {
-				p := strings.SplitN(command, " ", 2)
-				executable = p[0]
-				if len(p) > 1 {
-					executableArgs = p[1]
-				}
-			}
-			log = zerolog.New(zerolog.ConsoleWriter{Out: os.Stderr}).Level(zerolog.InfoLevel).With().Timestamp().Logger()
-			if debug {
-				log = log.Level(zerolog.DebugLevel)
-			}
-			return
-		},
-	}
+  rootCmd = &cobra.Command{
+    Use: "goexec",
+    PersistentPreRunE: func(cmd *cobra.Command, args []string) (err error) {
+      // For modules that require a full executable path
+      if executablePath != "" && !regexp.MustCompile(`^([a-zA-Z]:)?\\`).MatchString(executablePath) {
+        return fmt.Errorf("executable path (-e) must be an absolute Windows path, i.e. C:\\Windows\\System32\\cmd.exe")
+      }
+      if command != "" {
+        p := strings.SplitN(command, " ", 2)
+        executable = p[0]
+        if len(p) > 1 {
+          executableArgs = p[1]
+        }
+      }
+      log = zerolog.New(zerolog.ConsoleWriter{Out: os.Stderr}).Level(zerolog.InfoLevel).With().Timestamp().Logger()
+      if debug {
+        log = log.Level(zerolog.DebugLevel)
+      }
+      return
+    },
+  }
 )
 
+func needs(reqs ...func(*cobra.Command, []string) error) (fn func(*cobra.Command, []string) error) {
+  return func(cmd *cobra.Command, args []string) (err error) {
+    for _, req := range reqs {
+      if err = req(cmd, args); err != nil {
+        return
+      }
+    }
+    return
+  }
+}
+
 func needsTarget(proto string) func(cmd *cobra.Command, args []string) error {
-	return func(cmd *cobra.Command, args []string) (err error) {
-		if len(args) != 1 {
-			return fmt.Errorf("command require exactly one positional argument: [target]")
-		}
-		if creds, target, err = authOpts.WithTarget(ctx, proto, args[0]); err != nil {
-			return fmt.Errorf("failed to parse target: %w", err)
-		}
-		if creds == nil {
-			return fmt.Errorf("no credentials supplied")
-		}
-		if target == nil {
-			return fmt.Errorf("no target supplied")
-		}
-		if hostname, err = target.Hostname(ctx); err != nil {
-			log.Debug().Err(err).Msg("Could not get target hostname")
-		}
-		return
-	}
+
+  return func(cmd *cobra.Command, args []string) (err error) {
+    if proxyStr != "" {
+      if proxyUrl, err = url.Parse(proxyStr); err != nil {
+        return fmt.Errorf("failed to parse proxy URL %q: %w", proxyStr, err)
+      }
+    }
+    if len(args) != 1 {
+      return fmt.Errorf("command require exactly one positional argument: [target]")
+    }
+    if creds, target, err = authOpts.WithTarget(ctx, proto, args[0]); err != nil {
+      return fmt.Errorf("failed to parse target: %w", err)
+    }
+    if creds == nil {
+      return fmt.Errorf("no credentials supplied")
+    }
+    if target == nil {
+      return fmt.Errorf("no target supplied")
+    }
+    if hostname, err = target.Hostname(ctx); err != nil {
+      log.Debug().Err(err).Msg("Could not get target hostname")
+    }
+    return
+  }
 }
 
 func init() {
-	ctx = context.Background()
+  ctx = context.Background()
 
-	cobra.EnableCommandSorting = false
+  cobra.EnableCommandSorting = false
 
-	rootCmd.InitDefaultVersionFlag()
-	rootCmd.InitDefaultHelpCmd()
-	rootCmd.PersistentFlags().BoolVar(&debug, "debug", false, "Enable debug logging")
+  rootCmd.InitDefaultVersionFlag()
+  rootCmd.InitDefaultHelpCmd()
+  rootCmd.PersistentFlags().BoolVar(&debug, "debug", false, "Enable debug logging")
+  rootCmd.PersistentFlags().StringVarP(&proxyStr, "proxy", "x", "", "Proxy URL")
 
-	authOpts = &adauth.Options{Debug: log.Debug().Msgf}
-	authOpts.RegisterFlags(rootCmd.PersistentFlags())
+  authOpts = &adauth.Options{Debug: log.Debug().Msgf}
+  authOpts.RegisterFlags(rootCmd.PersistentFlags())
 
-	scmrCmdInit()
-	rootCmd.AddCommand(scmrCmd)
-	tschCmdInit()
-	rootCmd.AddCommand(tschCmd)
-	wmiCmdInit()
-	rootCmd.AddCommand(wmiCmd)
-	dcomCmdInit()
-	rootCmd.AddCommand(dcomCmd)
+  scmrCmdInit()
+  rootCmd.AddCommand(scmrCmd)
+  tschCmdInit()
+  rootCmd.AddCommand(tschCmd)
+  wmiCmdInit()
+  rootCmd.AddCommand(wmiCmd)
+  dcomCmdInit()
+  rootCmd.AddCommand(dcomCmd)
 }
 
 func Execute() {
-	if err := rootCmd.Execute(); err != nil {
-		fmt.Println(err)
-		os.Exit(1)
-	}
+  if err := rootCmd.Execute(); err != nil {
+    fmt.Println(err)
+    os.Exit(1)
+  }
 }
diff --git a/cmd/rpc.go b/cmd/rpc.go
index d539400..cfc7a9d 100644
--- a/cmd/rpc.go
+++ b/cmd/rpc.go
@@ -6,6 +6,7 @@ import (
   "github.com/oiweiwei/go-msrpc/dcerpc"
   "github.com/spf13/cobra"
   "github.com/spf13/pflag"
+  "golang.org/x/net/proxy"
   "regexp"
 )
 
@@ -15,6 +16,15 @@ func needsRpcTarget(proto string) func(cmd *cobra.Command, args []string) error
     if err = needsTarget(proto)(cmd, args); err != nil {
       return err
     }
+    if proxyUrl != nil {
+      if netDialer, err := proxy.FromURL(proxyUrl, nil); err != nil {
+        return fmt.Errorf("proxy dialer from URL: %w", err)
+      } else if dceDialer, ok := netDialer.(dcerpc.Dialer); !ok {
+        return fmt.Errorf("failed to cast %T to dcerpc.Dialer", netDialer)
+      } else {
+        dceConfig.Options = append(dceConfig.Options, dcerpc.WithDialer(dceDialer))
+      }
+    }
     if argDceStringBinding != "" {
       dceConfig.Endpoint, err = dcerpc.ParseStringBinding(argDceStringBinding)
       if err != nil {
diff --git a/cmd/scmr.go b/cmd/scmr.go
index 9df9ef1..ee2e9dc 100644
--- a/cmd/scmr.go
+++ b/cmd/scmr.go
@@ -77,7 +77,7 @@ var (
 References:
   https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-scmr/6a8ca926-9477-4dd4-b766-692fab07227e
 `,
-    Args: needsRpcTarget("cifs"),
+    Args: needs(needsTarget("host"), needsRpcTarget("host")),
     Run: func(cmd *cobra.Command, args []string) {
 
       if scmrServiceName == "" {
@@ -137,7 +137,7 @@ References:
   scmrChangeCmd = &cobra.Command{
     Use:   "change [target]",
     Short: "Change an existing Windows service to gain execution",
-    Args:  needsRpcTarget("cifs"),
+    Args:  needs(needsTarget("host"), needsRpcTarget("host")),
     Run: func(cmd *cobra.Command, args []string) {
 
       executor := scmrexec.Module{}
@@ -185,7 +185,7 @@ References:
     Long: `Description:
 TODO
 `,
-    Args: needsRpcTarget("cifs"),
+    Args: needs(needsTarget("host"), needsRpcTarget("host")),
     Run: func(cmd *cobra.Command, args []string) {
       dceConfig.DceOptions = append(dceConfig.DceOptions, dcerpc.WithInsecure())