PoshC2 – New Payloads, New Folder Layout

Since the release of PoshC2 we’ve been hard at work improving the tool, and we’ve recently added some more payloads to it.

[Image: the new implant payloads]

[Image: the revised engagement folder layout]

In addition to the original payloads we’ve added new weaponised Excel, Word and PowerPoint documents. These are blank documents that have the implant embedded into them, ready for you to add content to.

We’ve added a payload that exploits the MS16-051 Internet Explorer vulnerability (CVE-2016-0189, the VBScript “godmode” bug). Credit for the exploit goes to http://theori.io/research/cve-2016-0189. The HTML payload can be copied directly to a web server to which victims can then be directed in a red team or social engineering attack; it only works against browsers that have not received the MS16-051 update.

As can be seen above, the engagement folders have a revised and much cleaner layout.

Further work to improve the whole tool is ongoing, and more new features are planned.

Get PoshC2 here – https://github.com/nettitude/PoshC2, and check out the wiki for detailed information on the features and usage of PoshC2.

PoshC2 – Powershell C2

PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen as the base language as it provides all of the functionality and rich features required without needing to introduce multiple languages to the framework.

More information on:

https://www.github.com/Nettitude/PoshC2/wiki

https://www.github.com/Nettitude/PoshC2

https://labs.nettitude.com/tools/poshc2/ 

Finding Exposed Http(s) Admin Pages

This post is a small fix for a really great series of posts by Chris Gates (@carnal0wnage). He wrote a blog post about finding exposed web admin pages on a network using Metasploit’s database, Firefox and a plugin called Linky; read it here: http://carnal0wnage.attackresearch.com/2012/04/from-low-to-pwned-1-exposed-services.html

Since the article was written, the Rapid7/Metasploit developers changed the way web services are named in the Metasploit database: from ‘http’ and ‘https’ to just plain ‘www’.

Edit: the http and https labels have reappeared! The script should still work; just alter the services command to include http and https as well as www.

I was on an internal network test this week and wanted to look for exposed web admin pages, so I had to modify the Ruby script that Chris wrote. Not rocket science, but it works now.
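The URL list that this workflow hands to Firefox and Linky can be built from the database records with a few lines of Ruby. The block below is an added example, not the modified script from the post: it takes Metasploit-style service records (the sample records are constructed here for illustration; inside a real resource script you would iterate framework.db.workspace.services within a <ruby> block instead), keeps open TCP services named http, https or www, picks a scheme, and emits the URLs plus a simple HTML page of links for Linky to open. The list of ports assumed to speak TLS and the ssl/tls heuristic on the service banner are my own assumptions.

```ruby
# Added example (not the blog's own script): build the URL list for Linky from
# Metasploit-style service records. SAMPLE_SERVICES is constructed test data.
require 'cgi'

WEB_NAMES = %w[www http https].freeze     # names msf has used for web services over time
TLS_PORTS = [443, 8443, 4443].freeze      # assumption: treat these as TLS when the name is just 'www'

# The fields of a service record that we rely on (as the msf db exposes them).
Service = Struct.new(:address, :port, :proto, :name, :state, :info)

SAMPLE_SERVICES = [
  Service.new('192.168.0.10', 80,   'tcp', 'http',  'open',   'Apache httpd 2.2.22'),
  Service.new('192.168.0.10', 443,  'tcp', 'https', 'open',   'Apache httpd 2.2.22'),
  Service.new('192.168.0.20', 8080, 'tcp', 'www',   'open',   'Jetty'),
  Service.new('192.168.0.21', 8443, 'tcp', 'www',   'open',   'Tomcat (ssl)'),
  Service.new('192.168.0.30', 80,   'tcp', 'www',   'closed', nil),   # closed: skipped
  Service.new('192.168.0.40', 445,  'tcp', 'smb',   'open',   'Windows 7'), # not web: skipped
  Service.new('192.168.0.50', 161,  'udp', 'www',   'open',   nil),   # udp: skipped
].freeze

# Open TCP service whose name is one of the web labels msf uses.
def web_service?(s)
  s.state == 'open' && s.proto == 'tcp' && WEB_NAMES.include?(s.name.to_s)
end

# Pick http or https: explicit name, well-known TLS port, or an ssl/tls hint in the banner.
def scheme_for(s)
  return 'https' if s.name == 'https' || TLS_PORTS.include?(s.port)
  return 'https' if s.info.to_s =~ /\bssl\b|\btls\b/i
  'http'
end

# Build the URL, omitting the port when it is the scheme's default.
def url_for(s)
  scheme    = scheme_for(s)
  default   = scheme == 'https' ? 443 : 80
  port_part = s.port == default ? '' : ":#{s.port}"
  "#{scheme}://#{s.address}#{port_part}/"
end

# Deduplicated list of candidate admin-page URLs.
def web_urls(services)
  services.select { |s| web_service?(s) }.map { |s| url_for(s) }.uniq
end

# A minimal HTML page of links, escaped, for Linky to open in tabs.
def links_html(urls)
  items = urls.map { |u| "<li><a href=\"#{CGI.escapeHTML(u)}\">#{CGI.escapeHTML(u)}</a></li>" }
  "<html><body><ul>\n#{items.join("\n")}\n</ul></body></html>\n"
end

if __FILE__ == $0
  urls = web_urls(SAMPLE_SERVICES)
  puts urls
  puts links_html(urls)
end
```

To use it from msfconsole, drop the functions into a <ruby> block of a resource script, replace SAMPLE_SERVICES with framework.db.workspace.services, and write the result of links_html to a file that Firefox can open.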

Continue reading “Finding Exposed Http(s) Admin Pages”

Metasploit MS08_067 Scanner Version 2

Following on from the previous post, I’ve improved the MS08_067 scanner by moving from the sledgehammer approach (scan everything) to a more defined and controlled one: find some hosts, work out whether they might be Windows boxes, and only then run the check.

Here is the script:

<ruby>
###########################################################
# Must set global RHOSTS via: setg RHOSTS xxx.xxx.xxx.xxx/xx
###########################################################
# Check to see if RHOSTS is set globally; bail out if not
if framework.datastore['RHOSTS'].nil?
  print_line("Please set RHOSTS globally with this command: setg RHOSTS xxx.xxx.xxx.xxx/xx ...exiting")
  return
end

# Populate the database with some hosts
#######################################

# nmap options: -O needs root for OS detection; -T 5 is the most aggressive timing
nmapopts = "-O -T 5"
run_single("db_nmap #{nmapopts} #{framework.datastore['RHOSTS']}")

# Remove the global RHOSTS so it does not leak into modules used later
run_single("unsetg RHOSTS")

# Walk every host/service pair in the current workspace
framework.db.workspace.hosts.each do |host|
  host.services.each do |serv|
    next if not serv.host
    next if serv.state != ServiceState::Open
    # Anything that looks like Windows file sharing or NetBIOS
    if serv.name =~ /smb/ or serv.name =~ /microsoft-ds/ or serv.name =~ /netbios/ or serv.port == 445 or serv.port == 139 or serv.port == 137
      # The netapi check only needs SMB on TCP/445, so run it once per host on that port
      if serv.port == 445
        run_single("use exploit/windows/smb/ms08_067_netapi")
        run_single("set RHOST #{host.address}")
        run_single("check")
      end
    end
  end
end
</ruby>

There are some changes to the way the resource script works: first we need to set the global variable RHOSTS, via the ‘setg RHOSTS xxx.xxx.xxx.xxx/xx’ command.

Then we fire up the resource script as before, but this time you will get a bunch of nmap output first.

I used a db_nmap scan to populate the database.

Then, if there are any Windows hosts on the network with the correct services listening, you will see this:

And the rest is down to you… Enjoy.

Credit to the MSF guys, as a couple of lines of code were taken from the default resource scripts that ship with the framework, and of course to @mubix for the initial rapid psexec script that this was based upon.

Metasploit MS08_067 Scanner Resource Script

Today I’ve been messing around with Metasploit and came up with this. It’s not rocket science and uses a bit of code from another resource script written by @mubix; you can find it here: http://www.room362.com/blog/2010/9/12/rapid-fire-psexec-for-metasploit.html

Anyway, I thought: why not write some resource scripts that look for ‘low hanging fruit’ to speed up the pwnage on big network penetration tests?

The ms08_067 exploit module supports the ‘check’ function, which we use to find vulnerable hosts without actually exploiting them; other exploit modules support it too, but not all of them.

Here’s the code. It’s pretty self-explanatory; just set the rhosts variable in the script to the range you want to check.

################################################
# MS08_067 Vulnerability Checker Resource Script
################################################
use exploit/windows/smb/ms08_067_netapi

<ruby>
require 'rex/socket/range_walker'
#################################################
# Set rhosts to the network range you want to check
#################################################
rhosts = "192.168.0.0/24"
iplist = Rex::Socket::RangeWalker.new(rhosts)
# Point the module at each address in turn and run its check
iplist.each do |rhost|
  self.run_single("set RHOST #{rhost}")
  self.run_single("check")
end
</ruby>

Copy the code into a file called ms08_067_checker.rc and save it in /root/.msf4/scripts/resource (or ~/.msf4/scripts/resource for your own user) to be able to run it directly from msfconsole with the resource command. The Ruby part must sit between the <ruby> and </ruby> tags, as above; the ‘use’ line is a normal console command and goes before them.
The resource script output is as below:

Unlucky…

Woot, we’re in luck.

The rest is simple. Happy hunting.

Active Directory KungFu – Messing With Users & Computers

Recently, on an internal pentest, I needed to get a new user into the Domain Admins group, which I couldn’t manage to accomplish with the usual net localgroup group username /add /domain command. I had managed to add a user to the domain – daveisahacker – using net user daveisahacker Password123 /add /domain.

I really needed to get a user into Domain Admins, and although I had a token impersonation of a domain admin, I couldn’t sign on to a DC because I had no password.

So I thought: what about the Directory Services commands – DSQUERY, DSMOD and all of the other DS commands? I might be able to add a user to the Domain Admins group that way.

DSQUERY Command @ Technet

http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx

DSMOD Command @ Technet

http://technet.microsoft.com/en-us/library/cc732406(WS.10).aspx

So, OK, let’s have a look at these commands and what to do with them.

Continue reading “Active Directory KungFu – Messing With Users & Computers”

Intrusion Detection Using PFSense Firewall

Recently I needed to revisit IDS/IPS systems, mainly to refresh my knowledge and bring myself up to date with new developments.

I decided to use this opportunity to build myself a ‘proper’ firewall for my home network, and give my trusty Netgear DG834 a well-earned rest.

I already had an old Compaq PC to run this firewall on, nothing special, just an old desktop PC with a 2GHz Celeron CPU and 2GB RAM – small and quiet.

I had to get an ADSL modem to allow me to use the PC as a firewall, so I bought a Netgear DM111P ADSL2+ modem; this is just an ADSL bridge and connects to the WAN side of the firewall.

Anyway, I first had to find a firewall distro. After what seemed like an age trawling the net, downloading ISOs and running them up in VirtualBox to check them out and see whether they had the required functionality, I found this absolute gem of a firewall distro: pfSense.

Continue reading “Intrusion Detection Using PFSense Firewall”