
psexec_command improvements #2134

Merged
merged 7 commits into from Oct 26, 2014

@webstersprodigy
Contributor

webstersprodigy commented Jul 19, 2013

There were a couple issues with psexec_command (at least the way I was trying to use it). You couldn't execute things that took a long time to run (it would give an error). Also, large or binary output didn't work.

This pull request addresses these. It waits until the output file is not blocked before downloading output, using configurable retry and delay options. Also it outputs to a logfile by default rather than just to the prompt.
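The wait-until-unlocked loop this pull request describes, written here as an added Ruby example rather than the module's own code: `wait_for_output` is a hypothetical helper, the `fetch` block stands in for the SMB download and returns `:locked` while the remote process still holds the output file, `retries` plays the role of RETRY and `delay` of DELAY. The simulation and its output string are constructed so the block runs offline.

```ruby
# Added example, not code from the psexec_command module.
# Raised when the output file is still locked after the retry budget is spent.
class OutputFetchError < StandardError; end

# Poll for the output file up to (retries + 1) times, pausing `delay`
# seconds between attempts. `fetch` returns the output String, or :locked
# while the remote process still has the file open. `sleeper` is injectable
# so the loop can be exercised without real sleeps.
def wait_for_output(retries:, delay:, sleeper: ->(s) { sleep(s) }, &fetch)
  raise ArgumentError, 'retries must be >= 0' if retries < 0
  attempts = retries + 1 # first try plus RETRY retries (not RETRY + 1 retries)
  attempts.times do |i|
    result = fetch.call
    return result unless result == :locked
    # No pause after the final attempt; nothing follows it.
    sleeper.call(delay) if i < attempts - 1 && delay > 0
  end
  raise OutputFetchError, "output still locked after #{attempts} attempt(s)"
end

# Constructed simulation (hypothetical): the remote process keeps the output
# file locked for `locked_for` polls, then releases it. Returns the output and
# the number of pauses taken so the retry/delay budget can be checked.
def simulate(locked_for:, retries:, delay:)
  polls = 0
  sleeps = []
  out = wait_for_output(retries: retries, delay: delay,
                        sleeper: ->(s) { sleeps << s }) do
    polls += 1
    polls <= locked_for ? :locked : "constructed command output\r\n"
  end
  [out, sleeps.size]
end
```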

@wchen-r7

Contributor

wchen-r7 commented Jul 21, 2013

For your get_output() method, is it not desirable to log your stuff using store_loot() or report_note()?

@webstersprodigy

Contributor

webstersprodigy commented Jul 21, 2013

It could be. I was using the module to grab binary data, so for me the actual files were more convenient, but how I was using it might be an edge case for executing commands. fwiw the exec_powershell module does it with log files also.

I was on the fence logging to a file or database, so I'm not tied to either way.

@todb-r7 todb-r7 referenced this pull request Sep 5, 2013

Merged

Retab/pr/2134 #1

@webstersprodigy

Contributor

webstersprodigy commented Sep 28, 2013

Bringing this back up. It would be nice to merge this because the old psexec_command breaks a few resource scripts I'm using.

@wchen-r7, logging to a file made the most sense for my use case. The old module just prints to the screen, and like I mentioned the way I ended up doing it is the same thing the exec_powershell module does. But I'm happy with whatever - I don't want the logging to be a blocker because it's not a piece I care much about and I want to follow metasploit conventions :)

@jvazquez-r7

Contributor

jvazquez-r7 commented Oct 30, 2013

@webstersprodigy: as proposed by @wchen-r7 I think report_note or store_loot makes more sense to log the command output. If there hasn't been a mind change on the @wchen-r7 side I think it's the best way of proceeding.

if execute_command(text, bat)
res = execute_command(text, bat)
for i in 0..(datastore['RETRY'])
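Review bot: execute_command(text, bat) is called twice in this hunk, once as the `if` condition and again to assign `res`, so the command is executed twice on the target; call it once, assign the result to `res`, and branch on `res`.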

@jvazquez-r7

jvazquez-r7 Oct 30, 2013

Contributor

Looks like all this stuff doesn't make sense if res is false, does it?

res = execute_command(text, bat)
for i in 0..(datastore['RETRY'])
sleep datastore['DELAY']
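Review bot: `for i in 0..(datastore['RETRY'])` is an inclusive range, so the body (and `sleep datastore['DELAY']`) runs RETRY+1 times and the loop still sleeps once when RETRY is 0; use an exclusive range such as `0...datastore['RETRY']` (or `datastore['RETRY'].times`) if RETRY is meant to bound the number of retries.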

@jvazquez-r7

jvazquez-r7 Oct 30, 2013

Contributor

Use Rex::Sleep

@@ -53,6 +53,9 @@ def initialize(info = {})
register_advanced_options([
OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),
OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 1]),

@jvazquez-r7

jvazquez-r7 Oct 30, 2013

Contributor

Don't delay by default

@@ -53,6 +53,9 @@ def initialize(info = {})
register_advanced_options([
OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),
OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 1]),
OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 10]),
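Review bot: the descriptions of DELAY and RETRY do not say how they interact; DELAY is slept on every pass of the retry loop, so the worst-case wait before output is read is DELAY multiplied by the number of loop iterations, and the RETRY description should state that (and whether RETRY counts attempts or retries).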

@jvazquez-r7

jvazquez-r7 Oct 30, 2013

Contributor

Not retrying by default makes more sense to me

rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
print_status("#{peer} - Unable to get handle: #{accesserror}")
return false
end
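Review bot: the failure to obtain a handle is reported with print_status, which renders as an informational [*] line; use print_error so the message shows as [-] alongside the module's other failures, and the `return false` out of the rescue should still release the SMB session opened before it.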

@jvazquez-r7

jvazquez-r7 Oct 30, 2013

Contributor

Looks like an ensure simple.disconnect is needed.

@jvazquez-r7

jvazquez-r7 May 29, 2014

Contributor

^^^

@webstersprodigy

Contributor

webstersprodigy commented Oct 31, 2013

Thanks for the feedback @jvazquez-r7 - I took it all.

end
report_note(
:host => datastore['RHOSTS'],
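Review bot: `:host => datastore['RHOSTS']` stores the raw RHOSTS string, which the option description says may be an address range or CIDR identifier, so the note would be attached to the range rather than to the host the command actually ran on; use the per-target `rhost` (and `rport`) instead.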

@jvazquez-r7

jvazquez-r7 Oct 31, 2013

Contributor

:host => rhost,
:port => rport,

print_line("#{output}")
log_dir = ::File.join(Msf::Config.log_directory,'scripts', 'psexec_command')
::FileUtils.mkdir_p(log_dir)
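Review bot: `print_line("#{output}")` writes the whole command output to the console unconditionally, which for the large or binary output this PR sets out to support will flood or garble the terminal; keep the full content in the log or loot and print only under verbose output. `"#{output}"` is also just `output.to_s`.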

@jvazquez-r7

jvazquez-r7 Oct 31, 2013

Contributor

Are you still using log_dir? Can these two lines be deleted?

@@ -53,6 +53,9 @@ def initialize(info = {})
register_advanced_options([
OptString.new('FILEPREFIX', [false, 'Add a custom prefix to the temporary files','']),
OptInt.new('DELAY', [true, 'Wait this many seconds before reading output and cleaning up', 0]),
OptInt.new('RETRY', [true, 'Retry this many times to check if the process is complete', 0]),
OptPath.new('LOGDIR', [false, 'File to log output', nil]),
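Review bot: LOGDIR is described as 'File to log output' while its name (and the mkdir_p call elsewhere in the change) indicate a directory; align the description. Note also that OptPath validates that the path exists, so a log directory the module creates itself cannot be set as LOGDIR until it already exists.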

@jvazquez-r7

jvazquez-r7 Oct 31, 2013

Contributor

Looks like it isn't used. Can it be deleted?

@jvazquez-r7

Contributor

jvazquez-r7 commented May 29, 2014

Reviewing!

@jvazquez-r7

Contributor

jvazquez-r7 commented May 29, 2014

I get ACCESS denied when testing this module, but from the same branch I get authentication successful with smb_login? Is it just me, or a known thing?

msf auxiliary(psexec_command) > rexploit
[*] Reloading module...

[-] 172.16.158.160:445 - Unable to authenticate with given credentials: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > show options

Module options (auxiliary/admin/smb/psexec_command):

   Name       Current Setting                    Required  Description
   ----       ---------------                    --------  -----------
   COMMAND    net group "Domain Admins" /domain  yes       The command you want to execute on the remote host
   RHOSTS     172.16.158.160                     yes       The target address range or CIDR identifier
   RPORT      445                                yes       The Target port
   SMBDomain  SMALLBUSINESS                      no        The Windows domain to use for authentication
   SMBPass    juan                               no        The password for the specified username
   SMBSHARE   C$                                 yes       The name of a writeable share on the server
   SMBUser    Administrator                      no        The username to authenticate as
   THREADS    1                                  yes       The number of concurrent threads
   WINPATH    WINDOWS                            yes       The name of the remote Windows directory

msf auxiliary(psexec_command) > rexploit
[*] Reloading module...

[-] 172.16.158.160:445 - Unable to authenticate with given credentials: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(psexec_command) > use auxiliary/scanner/smb/smb_login
msf auxiliary(smb_login) > rexploit
[*] Reloading module...

[*] 172.16.158.160:445 SMB - Starting SMB login bruteforce
[-] 172.16.158.160:445 SMB - [1/3] - \\SMALLBUSINESS - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator :  [STATUS_LOGON_FAILURE]
[-] 172.16.158.160:445 SMB - [2/3] - \\SMALLBUSINESS - FAILED LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : Administrator [STATUS_LOGON_FAILURE]
[+] 172.16.158.160:445 \\SMALLBUSINESS - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2) Administrator : juan [STATUS_SUCCESS]
[*] Username is case insensitive
[*] Domain is ignored
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(smb_login) >

# Report output
print_good("#{peer} - Command completed successfuly!")
if datastore['VERBOSE']
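Review bot: the success message string has a typo, 'successfuly' should be 'successfully'; and the `if datastore['VERBOSE']` guard duplicates what the vprint_good/vprint_status helpers already do, so the verbose output below it can use those directly.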

@jvazquez-r7

jvazquez-r7 May 29, 2014

Contributor

Use vprint_* instead of check for datastore['VERBOSE']

@jvazquez-r7

Contributor

jvazquez-r7 commented May 29, 2014

This pull request looks good to me to land, I'm just a bit concerned about the STATUS_LOGON_FAILURE when smb_login shows a successful login with the same credentials.

@webstersprodigy

Contributor

webstersprodigy commented May 29, 2014

Not dismissing that getting the failed login might be a bug, but IIRC this pull request shouldn't touch any auth stuff or change how psexec executes code. So if there's a bug there I think it should repro with common psexec stuff that uses Msf::Exploit::Remote::SMB::Psexec (which this doesn't touch).

Just a shot in the dark, but psexec can be locked down (i.e. I don't think you can psexec by default on recent windows domain controllers?). So even if you're an admin you could get access denied.

@jvazquez-r7

Contributor

jvazquez-r7 commented May 29, 2014

@webstersprodigy right, because of that I'm concerned about the failed login; I would like someone else to test / try before modifying further a module which may be having unexpected behaviour.

About the shot in the dark, I'm using a 2003 Domain Controller, so I think psexec should work. Maybe there is something weird in my testing, because of that I'm asking someone else to check / verify.

@todb-r7 todb-r7 added the module label May 30, 2014

@scriptjunkie

Contributor

scriptjunkie commented Oct 26, 2014

I can verify that it works. You might get a failed login if the target box requires NTLMv2, but that's a limitation of underlying metasploit libraries, not this module.

@scriptjunkie

Contributor

scriptjunkie commented Oct 26, 2014

So it looks good to me.

@scriptjunkie scriptjunkie merged commit c3113f7 into rapid7:master Oct 26, 2014

scriptjunkie added a commit that referenced this pull request Oct 26, 2014

@Meatballs1 Meatballs1 referenced this pull request Oct 28, 2014

Merged

Psexec Refactor Round 2 #3144

9 of 9 tasks complete