Raising Zombies in Windows: Part 1 - Passwords
Tuesday, July 31, 2012 at 4:20PM

With the use of Mimikatz and WCE, clear text passwords are much more common. What isn't always there is the user. They take lunches, go home at a reasonable time and generally aren't really appreciative of a pentester's or red teamer's schedule.
A straightforward way, and one provided by Microsoft, to create a process as a user (and thereby have their token readily available) is 'runas.exe':

w00t, now the user is present; we can migrate our meterpreter session into that notepad and we're good, right? The problem is that you have to interactively input the password, so without a real cmd.exe or RDP session of your own (a VNC payload would work), you're generally SOL.
There are a ton of posted ways around this; most involve making a wrapper script that inputs the password for you, such as this one:

(this one was pretty unique in that it actually sent the keys to the keyboard buffer instead of directly to STDIN)
Another way, if you don't mind dropping / creating a custom binary, is AutoIt, which makes this REALLY simple:

This could be 2 lines if you really wanted it to be, but I like to make things a bit more universal. You could also execute this directly in memory with meterpreter's execute command and the "-m" argument after you've built the AutoIt script into an EXE.
But why go through all that trouble? Railgun can do this just as easily. Drop to IRB or create a script that does the following:
a = client.railgun.kernel32.GetStartupInfoW(56)["lpStartupInfo"]
client.railgun.advapi32.CreateProcessWithLogonW("USER","DOMAIN","PASSWORD","LOGON_WITH_PROFILE","notepad.exe",nil,0,nil,nil,a,32)
This will create a notepad.exe process as the defined user. But we can be a bit more stealthy: since we really only need their account token, we can just use LogonUser:
client.railgun.advapi32.LogonUserA("USER","DOMAIN","PASSWORD","LOGON32_LOGON_INTERACTIVE","LOGON32_PROVIDER_DEFAULT",4)
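From the defender's side, both paths described above leave a footprint in the Windows Security log: runas and CreateProcessWithLogonW go through an explicit-credential logon (Event ID 4648 on the calling side, followed by a 4624 for the target account), and a LogonUser call with LOGON32_LOGON_INTERACTIVE produces a 4624 with logon type 2 attributed to whatever process made the call. The Python script below is an added example, not code from the original post or from its author; it runs over a handful of constructed event records (not real logs) and flags both patterns, treating a preceding 4648 as corroboration rather than a requirement. The field names follow the 4624/4648 event schema, while the expected-process allowlist, host name, user names, paths and timestamps are assumptions made for the example.

```python
"""Spot runas / CreateProcessWithLogonW / LogonUser style logons in Windows
Security events.  Added example: the event records below are CONSTRUCTED,
not real logs, and the allowlist is an assumption to tune per environment."""
from datetime import datetime, timedelta

# Event 4624 logon types of interest: 2 = Interactive (LOGON32_LOGON_INTERACTIVE),
# 9 = NewCredentials (runas /netonly).
SUSPICIOUS_LOGON_TYPES = {2, 9}

# Processes that legitimately perform such logons on a workstation (assumption
# for this example: winlogon for console logons, svchost for the Secondary Logon
# service that backs runas).  Compared case-insensitively.
EXPECTED_LOGON_PROCESSES = {
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\svchost.exe",
}

# A 4648 this close before a 4624 for the same account is treated as related.
CORRELATION_WINDOW = timedelta(seconds=30)

# Constructed records, keyed like the fields of Event IDs 4624 and 4648.
CONSTRUCTED_EVENTS = [
    # Normal console logon: handled by winlogon, no explicit-credential event.
    {"EventID": 4624, "TimeCreated": "2012-07-31T09:00:00", "Computer": "WS01",
     "SubjectUserName": "WS01$", "TargetUserName": "alice", "LogonType": 2,
     "ProcessName": r"C:\Windows\System32\winlogon.exe"},
    # Network logon to a file share: ignored (logon type 3).
    {"EventID": 4624, "TimeCreated": "2012-07-31T09:05:00", "Computer": "WS01",
     "SubjectUserName": "-", "TargetUserName": "bob", "LogonType": 3,
     "ProcessName": "-"},
    # bob runs runas as alice: 4648 from runas.exe, then a 4624 via seclogon.
    {"EventID": 4648, "TimeCreated": "2012-07-31T16:20:00", "Computer": "WS01",
     "SubjectUserName": "bob", "TargetUserName": "alice",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
    {"EventID": 4624, "TimeCreated": "2012-07-31T16:20:02", "Computer": "WS01",
     "SubjectUserName": "bob", "TargetUserName": "alice", "LogonType": 2,
     "ProcessName": r"C:\Windows\System32\svchost.exe"},
    # Interactive logon performed directly by an unexpected binary, which is
    # what a LogonUser call from an arbitrary process looks like.
    {"EventID": 4624, "TimeCreated": "2012-07-31T16:40:00", "Computer": "WS01",
     "SubjectUserName": "bob", "TargetUserName": "alice", "LogonType": 2,
     "ProcessName": r"C:\Users\bob\AppData\Local\Temp\update.exe"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def _finding(rule, e):
    return {"rule": rule, "time": e["TimeCreated"], "host": e["Computer"],
            "actor": e["SubjectUserName"], "target": e["TargetUserName"],
            "process": e["ProcessName"]}


def _preceded_by_explicit_credentials(logon, explicit_events):
    """True if a 4648 for the same host and target account landed shortly before."""
    for attempt in explicit_events:
        same_host = attempt["Computer"] == logon["Computer"]
        same_target = attempt["TargetUserName"].lower() == logon["TargetUserName"].lower()
        gap = _when(logon) - _when(attempt)
        if same_host and same_target and timedelta(0) <= gap <= CORRELATION_WINDOW:
            return True
    return False


def find_explicit_credential_use(events):
    """Return findings in time order, one per suspicious event."""
    findings = []
    explicit = [e for e in events if e["EventID"] == 4648]
    for e in sorted(events, key=_when):
        if e["EventID"] == 4648:
            # A 4648 whose subject equals its target is routine noise; a
            # different target account is the runas pattern.
            if e["SubjectUserName"].lower() != e["TargetUserName"].lower():
                findings.append(_finding("explicit-credentials", e))
        elif e["EventID"] == 4624 and e["LogonType"] in SUSPICIOUS_LOGON_TYPES:
            if e["ProcessName"].lower() not in EXPECTED_LOGON_PROCESSES:
                findings.append(_finding("logon-from-unexpected-process", e))
            elif _preceded_by_explicit_credentials(e, explicit):
                findings.append(_finding("runas-style-logon", e))
    return findings


if __name__ == "__main__":
    for f in find_explicit_credential_use(CONSTRUCTED_EVENTS):
        print(f"{f['time']} {f['host']} {f['rule']}: "
              f"{f['actor']} -> {f['target']} via {f['process']}")
```

Run against the constructed records it reports three findings: the explicit-credential attempt from runas.exe, the matching interactive logon through the Secondary Logon service, and the interactive logon performed straight from a binary in a user's temp directory. The allowlist is the knob that matters in practice; the process-name check is what separates a LogonUser call made from an injected process from a console logon handled by winlogon.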
Rob Fuller | 1 Comment | metasploit, meterpreter, railgun
Reader Comments (1)
Could you please give a real use case for this? Since I didn't quite get what your intentions are.
Thanks.