MS-1195 minor grammatical edits to psexec kb
parent
d6742c4097
commit
4c42a74d48
|
@ -1,24 +1,21 @@
|
||||||
psexec is one of the most popular exploits against Microsoft Windows. It is a great way to test
|
psexec is one of the most popular exploits against Microsoft Windows. It is a great way to test password security and demonstrate how a stolen password could lead to a complete compromise of an entire corporate network.
|
||||||
password security, and demonstrate how a stolen password could lead to a complete compromise of an
|
|
||||||
entire corporate network.
|
|
||||||
|
|
||||||
The Metasploit Framework actually includes different module types of psexec for different
|
The Metasploit Framework actually includes different module types of psexec for different scenarios. exploit/windows/smb/psexec is the father of them all and is used the same way
|
||||||
scenarios. exploit/windows/smb/psexec is the father of them all, and is used the same way
|
|
||||||
you normally would with any Metasploit exploits.
|
you normally would with any Metasploit exploits.
|
||||||
|
|
||||||
|
|
||||||
## Vulnerable Application
|
## Vulnerable Application
|
||||||
|
|
||||||
To be able to use exploit/windows/smb/psexec, you must meet these requirements:
|
To be able to use exploit/windows/smb/psexec:
|
||||||
|
|
||||||
1. You have a valid username/password.
|
1. You must have a valid username/password.
|
||||||
2. Firewall allows SMB traffic.
|
2. The firewall must allow SMB traffic.
|
||||||
3. Target is using SMBv1.
|
3. The target must use SMBv1.
|
||||||
4. The remote Windows machine's network security policy allows it. If you see [one of these errors](https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex%3A%3AProto%3A%3ASMB-Error-mean%3F), it's an indication it doesn't.
|
4. The remote Windows machine's network security policy must allow it. If you see [one of these errors](https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex%3A%3AProto%3A%3ASMB-Error-mean%3F), then the Windows machine does not allow it.
|
||||||
|
|
||||||
## Verification Steps
|
## Verification Steps
|
||||||
|
|
||||||
At the minimum, you should be able use psexec to get a session with a valid credential:
|
At the minimum, you should be able use psexec to get a session with a valid credential using the following:
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use exploit/windows/smb/psexec
|
msf > use exploit/windows/smb/psexec
|
||||||
|
@ -46,34 +43,29 @@ meterpreter >
|
||||||
|
|
||||||
## Options
|
## Options
|
||||||
|
|
||||||
By default, exploit/windows/smb/psexec can be as simple as setting the RHOST option, and ready to
|
By default, using exploit/windows/smb/psexec can be as simple as setting the RHOST option, and you're ready to go. But in reality, you will probably need to at least configure:
|
||||||
go. But in reality, you will probably need to at least configure:
|
|
||||||
|
|
||||||
**The SMBUser Option**
|
**The SMBUser Option**
|
||||||
|
|
||||||
A valid Windows username.
|
This is a valid Windows username.
|
||||||
|
|
||||||
**The SMBPass option**
|
**The SMBPass option**
|
||||||
|
|
||||||
This can be either the plain text version, or the Windows hash.
|
This can be either the plain text version or the Windows hash.
|
||||||
|
|
||||||
## Scenarios
|
## Scenarios
|
||||||
|
|
||||||
|
|
||||||
**Pass the Hash**
|
**Pass the Hash**
|
||||||
|
|
||||||
One common penetration testing scenario with using psexec is that attackers usually begin by
|
One common penetration testing scenario using psexec is that attackers usually begin by breaking into a box, dumping the hashes, and using some of those hashes to log into other boxes on the network using psexec. So in that scenario, with the following stolen hash:
|
||||||
breaking into a box, manage to the dump the hashes, and use some of those hashes to log into
|
|
||||||
other boxes on the network using psexec. So let's say I'm in that scenario with the following
|
|
||||||
stolen hash:
|
|
||||||
|
|
||||||
```
|
```
|
||||||
meterpreter > hashdump
|
meterpreter > hashdump
|
||||||
Administrator:500:e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f:::
|
Administrator:500:e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f:::
|
||||||
```
|
```
|
||||||
|
|
||||||
Without the need to crack the hash, I can simply copy and paste it to the SMBPass option in
|
You can simply copy and paste it to the SMBPass option in psexec and get a session without needing to crack the hash:
|
||||||
psexec, and get a session:
|
|
||||||
|
|
||||||
```
|
```
|
||||||
msf > use exploit/windows/smb/psexec
|
msf > use exploit/windows/smb/psexec
|
||||||
|
@ -101,42 +93,28 @@ meterpreter >
|
||||||
|
|
||||||
**Automatic Target**
|
**Automatic Target**
|
||||||
|
|
||||||
exploit/windows/smb/psexec comes with multiple targets available, and Automatic is default. What
|
There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the natvie upload. Each target is explained below.
|
||||||
happens under the hood is if Powershell is detected on the remote machine, it will try Powershell,
|
|
||||||
otherwise it uses the natvie upload. Each target is explained below.
|
|
||||||
|
|
||||||
**Powershell Target**
|
**Powershell Target**
|
||||||
|
|
||||||
The Powershell target forces the psexec module to run a Powershell command with a payload embedded
|
The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
|
||||||
in it. Since this approach does not leave anything on disk, it is a very powerful way to evade
|
|
||||||
antivirus. However, older Windows machines might not support Powershell by default.
|
|
||||||
|
|
||||||
Ideally, you probably want to use the Automatic target setting instead of this. Because the
|
Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
|
||||||
automatic mode will check if the target supports Powershell or not before it tries, but the
|
|
||||||
manually set Powershell target won't do that.
|
|
||||||
|
|
||||||
**Native Upload Target**
|
**Native Upload Target**
|
||||||
|
|
||||||
The Native target will attempt to upload the payload (executable) to SYSTEM32 (modifiable with the
|
The Native target will attempt to upload the payload (executable) to SYSTEM32 (which can be modified with the
|
||||||
SHARE datastore option) , and then execute it with psexec.
|
SHARE datastore option), and then execute it with psexec.
|
||||||
|
|
||||||
This approach is rather reliable, but has a high chance of getting caught by antivirus on the
|
This approach is generally reliable, but has a high chance of getting caught by antivirus on the target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
|
||||||
target. To counter this, you can try to use a template by setting the EXE::Path and EXE::Template
|
|
||||||
datastore options. Or, you can supply your own custom EXE by setting the EXE::Custom option.
|
|
||||||
|
|
||||||
**MOF Upload Target**
|
**MOF Upload Target**
|
||||||
|
|
||||||
The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec: it does not explicitly tell Windows to execute
|
The [MOF](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-WbemExec-for-a-write-privilege-attack-on-Windows) target technically does not use psexec; it does not explicitly tell Windows to execute anything. All it does is upload two files: the payload (exe) in SYSTEM32 and a managed object
|
||||||
anything. All it does is uploading two files: the payload (exe) in SYSTEM32, and a managed object
|
format file in SYSTEM32\wbem\mof\ directory. When Windows sees the MOF file in that directory, it automatically runs it. Once executed, the code inside the MOF file basically tells Windows to execute our payload in SYSTEM32, and you get a session.
|
||||||
format file in SYSTEM32\wbem\mof\ directory. When Windows sees the mof file in that directory, it
|
|
||||||
automatically runs it. Once executed, the code inside the mof file basically tells Windows to
|
|
||||||
execute our payload in SYSTEM32, and we get a session.
|
|
||||||
|
|
||||||
Although a neat trick, Metasploit's MOF library only works against Windows XP and
|
Although it's a neat trick, Metasploit's MOF library only works against Windows XP and Windows Server 2003. And since it writes files to disk, there is also a high chance of getting
|
||||||
Windows Server 2003. And since it does write files to disk, there is also a high chance of getting
|
|
||||||
caught by antivirus on the target.
|
caught by antivirus on the target.
|
||||||
|
|
||||||
The way to counter antivirus is still the same. You can either use a different template by setting
|
The best way to counter antivirus is still the same. You can either use a different template by setting the EXE::Path and EXE::Template datastore options or you can supply your own custom EXE by setting the EXE::Custom option.
|
||||||
the EXE::Path and EXE::Template datastore options. Or you can supply your own custom EXE by setting
|
|
||||||
the EXE::Custom option.
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue