Skip to content

Add ability to dcsync & hashdump via Powershell #284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 17, 2018
Merged

Add ability to dcsync & hashdump via Powershell #284

merged 3 commits into from
May 17, 2018

Conversation

@OJ
Copy link
Contributor

@OJ OJ commented May 7, 2018
edited by busterb
Loading

Description

This PR makes use of the fact that DCSync functionality is exposed via Kiwi, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This means that it's possible to remotely dump all the hashes in a target DC using DCsync instead of having to get onto the DC and use the typical methods.

This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.

I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.

I haven't exposed this feature in any other way just yet, for $REASONS. I will consider other options at some point, but for now this should be useful. Here's a demo of it running on a domain-joined machine that isn't a DC.

image

The addition of the following built-in functions should make interacting with the functionality much easier:

  • Invoke-DcSync
  • Invoke-DcSyncAll
  • Invoke-DcSyncHashDump

Note 1

This rework has juggled with how powershel_shell works. It now does the commands on a separate thread and let's the UI receive a response. This allows the work to be done behind the scenes and streamed back via the channel. This allows for long running processes to run. Woo!

Note 2

I've commented out the support for creds_all in both PSH and Python bindings because they don't work after the rejig of the Kiwi source to use the Mimikatz subrepo. I'll work on getting it going again in both cases. So watch this space.

Validation

  • Make sure that the classic usages still work (powershell_import, powershell_execute) with different session IDs.
  • Validate that powershell_shell behaves appropriately with short or single-shot commands.
  • Validate that powershell_shell doesn't hang when long running commands are run.
  • Validate that Get-ChildItem function:\ | Select Name | sls 'DcSync' shows the list of newly baked-in powershell scripts.
  • Validate that each script has appropriate documentation via the Get-Help commandlet.
  • Validate that each of the new scripts works as advertised.
  • Validate that x64 is fine.
  • Validate that x86 is fine.

@OJ OJ requested a review from busterb May 7, 2018 04:01
@OJ OJ force-pushed the powershell-add-hashdump-dcsync branch from d6cb38d to fbb8f6f Compare May 7, 2018 05:45
@OJ
Add ability to dcsync & hashdump via Powershell
f44877a 
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.

I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.
@OJ OJ force-pushed the powershell-add-hashdump-dcsync branch from fbb8f6f to f44877a Compare May 7, 2018 06:36
@OJ
Rework powershell_shell to work with "streaming"
90265c5 
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel.

This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
@OJ OJ force-pushed the powershell-add-hashdump-dcsync branch from 4f413dc to 90265c5 Compare May 7, 2018 11:13
@OJ
Copy link
Contributor Author

OJ commented May 14, 2018

cough BUMP! 😈

@OJ
Change hash output to use LM hash if present
1e175da 
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
@busterb busterb self-assigned this May 17, 2018
@busterb
Copy link
Contributor

busterb commented May 17, 2018

Code review spots nothing obviously wrong. Let's test this.

busterb
busterb reviewed May 17, 2018
View reviewed changes
c/meterpreter/source/extensions/powershell/powershell_bridge.cpp
return ERROR_SUCCESS;
}

DWORD channelise_session(wchar_t* sessionId, Channel* channel, LPVOID context)
Copy link
Contributor

@busterb busterb May 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you win this time channelise

Copy link
Contributor

@wvu wvu May 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clearly @OJ named this function.

Copy link
Contributor Author

@OJ OJ May 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't abuse our beloved language with unnecessary zzzzzz's!

busterb
busterb reviewed May 17, 2018
View reviewed changes
c/meterpreter/source/extensions/powershell/powershell_runner.cpp
0x80, 0x02, 0x33, 0x00, 0xa5, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x86, 0x08,
0x7e, 0x0b, 0x3a, 0x03, 0x34, 0x00, 0xad, 0x2c, 0x00, 0x00, 0x00, 0x00,
0x86, 0x08, 0x86, 0x0b, 0x3e, 0x03, 0x34, 0x00, 0xb6, 0x2c, 0x00, 0x00,
0x00, 0x00, 0x86, 0x08, 0x8e, 0x0b, 0x3a, 0x03, 0x35, 0x00, 0xbe, 0x2c
Copy link
Contributor

@busterb busterb May 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a wild hair earlier that maybe this could be reworked to use a resource file rather than converting to a C string in some future PR.

Copy link
Contributor Author

@OJ OJ May 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resources come with a diff set of issues, esp when reflectively loading DLLs. This was "simpler". :)

@busterb
Copy link
Contributor

busterb commented May 17, 2018

Seems fine enough to get a gem going.

@busterb busterb merged commit 1e175da into rapid7:master May 17, 2018
busterb added a commit that referenced this pull request May 17, 2018
@busterb
Land #284, Add ability to dcsync & hashdump via Powershell
f23186a
@OJ
Copy link
Contributor Author

OJ commented May 17, 2018

Much ❤️ to both of you!

@OJ OJ deleted the powershell-add-hashdump-dcsync branch May 17, 2018 07:38
@busterb
Copy link
Contributor

busterb commented May 17, 2018
edited
Loading

Well, I found a post-landing beug in the light of the morning (Windows 10 latest) with metasploit-framework head.

./msfconsole -qx 'use multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.56.1; run'
...
meterpreter > powershell_shell 
PS > ls

[*] 10.0.2.15 - Meterpreter session 1 closed.  Reason: Died

It's not in framework yet as a gem bump, so not a big deal. Taking a look to see what needs to be done to fix it up.

@busterb
Copy link
Contributor

busterb commented May 17, 2018 

[584] [1b70] [COMMAND] Calling completion handlers... 
[584] [1b70] [COMMAND] Completion handlers finished for core_channel_write. 
[584] [1b70] [COMMAND] Packet is not local, destroying 
[584] [1b70] [COMMAND] Packet destroyed 
[584] [1b70] [COMMAND] Command processing finishing. Returning: TRUE 
[584] [1b70] [COMMAND] Executed inline -> Commands: 02822AB8 Command1: 00A74020 Command2: 00000000 
[584] [1b70] [COMMAND] Cleaning up commands 
[584] CLR: Managed code called FailFast, saying "
[584] Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
[584] "

@OJ
Copy link
Contributor Author

OJ commented May 17, 2018

Was that x64?

@busterb
Copy link
Contributor

busterb commented May 17, 2018

32-bit windows/meterpreter/reverse_tcp

@OJ
Copy link
Contributor Author

OJ commented May 21, 2018

Did you end up looking at this again @busterb or do I need to jump in and figure it out?

@busterb
Copy link
Contributor

busterb commented May 21, 2018

Hi. I just refreshed to ask the same question :) I have not other than to have reviewed some of the memory allocations for obvious faults.

@OJ
Copy link
Contributor Author

OJ commented May 21, 2018

I've just fixed it :) PR coming!

@busterb
Copy link
Contributor

busterb commented May 21, 2018

🥇 thanks!

busterb added a commit to busterb/metasploit-framework that referenced this pull request May 21, 2018
@busterb
update kiwi plugin, add dcshadow and powershell streaming support
134ed38 
This does a few things:

 1. Updates the kiwi plugin to mimikatz 2.1.1 20180502
 2. Adds ability to dcsync & hashdump via Powershell
 3. Adds streaming support to powershell commands (no more timeouts)

It also adds the following powershell functions to make things more
convenient:

 * Invoke-DcSync
 * Invoke-DcSyncAll
 * Invoke-DcSyncHashDump

See rapid7/metasploit-payloads#284 for details
@busterb busterb mentioned this pull request May 21, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@busterb busterb busterb left review comments

@wvu wvu wvu left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@busterb busterb

Labels

enhancement windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@OJ @busterb @wvu