One of the great things about the reverse_http(s) payloads is that it is proxy aware. However one of the pitfalls to this is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered). The problem here arrises when you are trying to do anything as SYSTEM, also the PSEXEC only has the option of getting you a SYSTEM shell (so you’re done for right out of the door)
Ok, this is pretty straight forward no magic: Got a shell, doesn’t have to be SYSTEM Add a route to the internal range or directly to the host you want over the session you want Mosy on over to the Socks4a module. And in another terminal we need to make sure our proxychains.conf file in /etc/ or where ever you store your conf is correct. It defaults to 9050 on 127.
UPDATE: THIS IS ONLY WORKS WITH THE LOCAL ADMIN (ID 500) ACCOUNT AND PASSWORD (MY MISTAKE FOR NOT TESTING MORE) So the “-ish” is you need to have the username and pass of another account that has administrator rights the local administrator account on that box. But other than that, the following image should speak for itself. (no UAC prompt occurred during the following actions) I plan on writing a Metasploit module to do this as all it really does is starts a process as a different user and that process executes ShellExecute’s ‘RunAs’ verb.
I read this article a while back: http://fuzzynop.blogspot.com/2012/09/pass-hash-without-metasploit.html by @FuzzyNop Great article showing the use of WCE’s “-s” flag to Pass-The-Hash locally and I highly recommend checking it out. Anywho, I was once in a similar scenario, where I had no Metasploit to back me up, but the box I was on did have one interesting thing, ruby and an accessible target for relatively up-to-date ruby gems. Since Metasploit’s powerhouse library ‘rex’ installed just fine I was set.
If you follow the exact same steps you did for Netview: /blog/2012/10/07/compiling-and-release-of-netview/ then you already have the steps needed to create a compiled version of ditto from the repo here: https://github.com/mubix/ditto And while the sheep icon is cute, and a nod to what ditto does, it comes at a pretty hefty cost: Size. Now if you’re scoffing at 408 KB then you don’t have any issues, but I like not having to wait while a binary I am trying to push to a victim box is transferring.
If you haven’t caught Chris Gates (@carnal0wnage) and my talk at DerbyCon 2012 - we released 2 tools, Netview, and Ditto. Here I’ll walk you through compiling Netview yourself, in the next blog post we’ll go over compiling Ditto and how you can remove it’s icon to reduce the size if you want. But for Netview it’s pretty straight forward. First you pull a copy of the GIT repository: https://github.com/mubix/netview
pfSense is an excellent free way of including a firewall / ids / proxy in your lab or VMs. It runs small and fast, but even as simple as pfsense is sometimes you need a bit less complexity and speed of configuration. Enter Peerblock and AnalogX’s proxy. Two free tools, one usually used to stop people who torrent from getting caught by the RIAA/MPAA and the other a drop dead simple windows based proxy utility.
Once you’re done staring at the Star Trek deity above (it’s a staring contest you will loose since you a such a simplistic race). I pull your attention to: https://github.com/mubix/q This repository / exploit pack was created for the sole purpose to house modules, scripts and resource files that would otherwise not be accepted into the Metasploit trunk. It will always be free and anyone is free to submit pulls of modules, scripts or resource files that they created or just found and were not accepted to the trunk because it was just a script, it violates TOS of a service, they did not author it, or any other possible reason.
Executing WCE.exe in memory as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram has two issues with it. 1, you leave a file on disk with your hashes and clear text passwords. That just won’t do. 2. There is this DLL called WCEAUX.dll that gets written for the briefest second to disk: (yes I realize I’m running this on disk ‘wce32.exe’, but it exhibits the same DLL drop when doing in-memory) Now, don’t get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, it’s the best tool for the job.