Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: Module ideas for smb-psexec.nse?
From: Ron <ron () skullsecurity net>
Date: Tue, 06 Oct 2009 11:23:20 -0500

On 10/06/2009 11:08 AM, DePriest, Jason R. wrote:
I just want to say thank you for putting this together.  The
documentation you provide in the script is incredible and the
functionality is hard to beat.
Thanks! This has been a lot of work, but I'm really happy with how its turned out. I don't *think* there are any other tools with this functionality.

I spent a couple hours on the documentation last night, but I didn't go back and proofread it. Hopefully it's fairly coherent. :)

First the easy ones, built-in commands.

- - - - - -

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>ver<---- ver command to see what this version of
Windows thinks it is

Microsoft Windows [Version 6.0.6002]
I'll definitely add that one.

C:\Windows\system32>arp -a<---- arp to get the full arp table; know
what IPs this system can match to MACs

Interface: 192.168.1.2 --- 0xb
   Internet Address      Physical Address      Type
   192.168.1.1           00-21-e8-c4-42-6f     dynamic
   192.168.1.255         ff-ff-ff-ff-ff-ff     static
   224.0.0.22            01-00-5e-00-00-16     static
   224.0.0.252           01-00-5e-00-00-fc     static
   239.255.255.250       01-00-5e-7f-ff-fa     static
   255.255.255.255       ff-ff-ff-ff-ff-ff     static

Interface: 192.168.56.1 --- 0xf
   Internet Address      Physical Address      Type
   192.168.56.255        ff-ff-ff-ff-ff-ff     static
   224.0.0.22            01-00-5e-00-00-16     static
   224.0.0.252           01-00-5e-00-00-fc     static
   239.255.255.250       01-00-5e-7f-ff-fa     static
Got it. :)

C:\Windows\system32>netstat -nr<---- full routing table; useful to
find secondary NICs on the box or find alternate paths to try wiggling
around firewalls
===========================================================================
Interface List
  11 ...00 24 2c 6c 03 40 ...... Atheros AR9285 802.11b/g WiFi Adapter
  10 ...00 23 8b c1 9c ff ...... Realtek PCIe GBE Family Controller
  15 ...08 00 27 00 bc d4 ...... VirtualBox Host-Only Ethernet Adapter
   1 ........................... Software Loopback Interface 1
  17 ...00 00 00 00 00 00 00 e0  isatap.{88821758-ACEE-478B-9370-39C78253F4DA}
  12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
  16 ...00 00 00 00 00 00 00 e0  isatap.{75B79F26-E3B6-4343-81AA-06C8FC4F2B2C}
  18 ...00 00 00 00 00 00 00 e0  isatap.{CF28DC74-4904-4CE7-8272-258D17BA936B}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
           0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
         127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
         127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
   127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
       192.168.1.0    255.255.255.0         On-link       192.168.1.2    281
       192.168.1.2  255.255.255.255         On-link       192.168.1.2    281
     192.168.1.255  255.255.255.255         On-link       192.168.1.2    281
      192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
      192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
    192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
         224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
         224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
         224.0.0.0        240.0.0.0         On-link       192.168.1.2    281
   255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
   255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
   255.255.255.255  255.255.255.255         On-link       192.168.1.2    281
===========================================================================
Persistent Routes:
   None

IPv6 Route Table
===========================================================================
Active Routes:
  If Metric Network Destination      Gateway
   1    306 ::1/128                  On-link
  15    276 fe80::/64                On-link
  11    281 fe80::/64                On-link
  11    281 fe80::1870:525c:80da:88a8/128
                                     On-link
  15    276 fe80::2c20:ca0e:54e8:7fd2/128
                                     On-link
   1    306 ff00::/8                 On-link
  15    276 ff00::/8                 On-link
  11    281 ff00::/8                 On-link
===========================================================================
Persistent Routes:
   None

Excellent, didn't know about those ones!

- - - - - -

Another useful command is part of some resource kit tools
(http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en),
but it is built in to Windows Server 2008 and maybe Vista.

- - - - - -

C:\Windows\system32>whoami /priv<---- find out what privileges your
user account has on this box

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
===============================
========================================= ========
SeLockMemoryPrivilege           Lock pages in memory
    Disabled
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process
    Disabled
SeSecurityPrivilege             Manage auditing and security log
    Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other
objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers
    Disabled
SeSystemProfilePrivilege        Profile system performance
    Disabled
SeSystemtimePrivilege           Change the system time
    Disabled
SeProfileSingleProcessPrivilege Profile single process
    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority
    Disabled
SeCreatePagefilePrivilege       Create a pagefile
    Disabled
SeBackupPrivilege               Back up files and directories
    Disabled
SeRestorePrivilege              Restore files and directories
    Disabled
SeShutdownPrivilege             Shut down the system
    Disabled
SeDebugPrivilege                Debug programs
    Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values
    Disabled
SeChangeNotifyPrivilege         Bypass traverse checking
    Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system
    Disabled
SeUndockPrivilege               Remove computer from docking station
    Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks
    Disabled
SeImpersonatePrivilege          Impersonate a client after
authentication Enabled
SeCreateGlobalPrivilege         Create global objects
    Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set
    Disabled
SeTimeZonePrivilege             Change the time zone
    Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links
    Disabled

- - - - - -

You could also use 'whoami /all' to get even more information, but the
privilege information is most useful.  A quick way to determine if you
have an elevated account.
I'll definitely have a look at them for sure.

You'll definitely have an elevated account, though -- to actually run remote processes, an elevated account is required (you have to access the service control service).

By that same token, running this against Windows Vista/7/2008 is tricky, because they disable the service control service by default. You also don't get elevated privileges if UAC is enabled. That being said, if UAC is disabled and the service control service is running, everything works fine. :)

Thanks for your comments!
Ron


When I come up with more, I'll send them in.

-Jason

On Mon, Oct 5, 2009 at 8:27 PM, Ron<>  wrote:
Hey all,

After a lot of hard work, my development on smb-psexec.nse is finally
reaching its conclusion! But before that happens, I'm trying to include some
awesome defaults. I'm not really an expert on the Windows commandline,
though, so I'm hoping to get some help or ideas.

I'm attaching the script itself, for reference, which has a ton of
documentation at the top. I'm also attaching the three modules I've made so
far, which should be enough to give you some idea how this is supposed to
work (backdoor.lua isn't done yet, obviously, but the others work pretty
well).

I'm hoping to get some really cool default modules! If somebody gives me
ideas for commands whose output would be useful, go ahead and mention it, I
can take care of writing the actual commands.

Looking forward to seeing your ideas!
Ron

--
Ron Bowes
http://www.skullsecurity.org/



_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault