Add ability to dcsync & hashdump via Powershell #284
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host. I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel. This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
cough BUMP!
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
Code review spots nothing obviously wrong. Let's test this.
@@ -538,6 +569,151 @@ DWORD powershell_channel_close(Channel* channel, Packet* request, LPVOID context | |||
return ERROR_SUCCESS; | |||
} | |||
|
|||
DWORD channelise_session(wchar_t* sessionId, Channel* channel, LPVOID context) |
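Review bot: channelise_session is introduced with no header comment, and the name (already flagged in the thread) does not say that it binds a PowerShell session to a channel, unlike the neighbouring powershell_channel_close which follows the file's `powershell_` prefix convention. Suggest a short comment above `DWORD channelise_session(wchar_t* sessionId, Channel* channel, LPVOID context)` stating what sessionId must refer to, who owns `channel` and `context`, and which DWORD codes it returns (the surrounding code returns ERROR_SUCCESS), and consider a `powershell_`-prefixed name for consistency.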
busterb
May 17, 2018
Member
you win this time channelise
OJ
May 17, 2018
Author
Contributor
Don't abuse our beloved language with unnecessary zzzzzz's!
0x80, 0x02, 0x33, 0x00, 0xa5, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x86, 0x08, | ||
0x7e, 0x0b, 0x3a, 0x03, 0x34, 0x00, 0xad, 0x2c, 0x00, 0x00, 0x00, 0x00, | ||
0x86, 0x08, 0x86, 0x0b, 0x3e, 0x03, 0x34, 0x00, 0xb6, 0x2c, 0x00, 0x00, | ||
0x00, 0x00, 0x86, 0x08, 0x8e, 0x0b, 0x3a, 0x03, 0x35, 0x00, 0xbe, 0x2c |
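Review bot: the embedded byte array carries no comment saying what it encodes or how it was produced, so a reviewer cannot tell which assembly build these bytes correspond to or regenerate them. Since the description mentions a build command that generates the source for the PowerShell assembly wiring, a header comment naming that generator and the source it was run against would keep this blob reproducible when the assembly is next updated.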
busterb
May 17, 2018
Member
I had a wild hair earlier that maybe this could be reworked to use a resource file rather than converting to a C string in some future PR.
OJ
May 17, 2018
Author
Contributor
Resources come with a diff set of issues, esp when reflectively loading DLLs. This was "simpler". :)
Seems fine enough to get a gem going.
Much
Well, I found a post-landing bug in the light of the morning (Windows 10 latest) with metasploit-framework head.
It's not in framework yet as a gem bump, so not a big deal. Taking a look to see what needs to be done to fix it up.
Was that x64?
32-bit windows/meterpreter/reverse_tcp
Did you end up looking at this again @busterb or do I need to jump in and figure it out?
Hi. I just refreshed to ask the same question :) I have not, other than to have reviewed some of the memory allocations for obvious faults.
I've just fixed it :) PR coming!
This does a few things:
1. Updates the kiwi plugin to mimikatz 2.1.1 20180502
2. Adds ability to dcsync & hashdump via Powershell
3. Adds streaming support to powershell commands (no more timeouts)
It also adds the following powershell functions to make things more convenient:
* Invoke-DcSync
* Invoke-DcSyncAll
* Invoke-DcSyncHashDump
See rapid7/metasploit-payloads#284 for details
Description
This PR makes use of the fact that DCSync functionality is exposed via Kiwi, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This means that it's possible to remotely dump all the hashes in a target DC using DCSync instead of having to get onto the DC and use the typical methods.
This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.
I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.
I haven't exposed this feature in any other way just yet, for $REASONS. I will consider other options at some point, but for now this should be useful. Here's a demo of it running on a domain-joined machine that isn't a DC.
The addition of the following built-in functions should make interacting with the functionality much easier:
Invoke-DcSync
Invoke-DcSyncAll
Invoke-DcSyncHashDump
Note 1
This rework has juggled with how `powershell_shell` works. It now does the commands on a separate thread and lets the UI receive a response. This allows the work to be done behind the scenes and streamed back via the channel. This allows for long running processes to run. Woo!

Note 2
I've commented out the support for `creds_all` in both PSH and Python bindings because they don't work after the rejig of the Kiwi source to use the Mimikatz subrepo. I'll work on getting it going again in both cases. So watch this space.

Validation
* `powershell_import`, `powershell_execute`) with different session IDs.
* `powershell_shell` behaves appropriately with short or single-shot commands.
* `powershell_shell` doesn't hang when long running commands are run.
* `Get-ChildItem function:\ | Select Name | sls 'DcSync'` shows the list of newly baked-in powershell scripts.
* `Get-Help` commandlet.