Re: Module ideas for smb-psexec.nse?

[Ron <ron () skullsecurity net>]

On 10/06/2009 11:08 AM, DePriest, Jason R. wrote:
> I just want to say thank you for putting this together.  The
> documentation you provide in the script is incredible and the
> functionality is hard to beat.
Thanks! This has been a lot of work, but I'm really happy with how its 
turned out. I don't *think* there are any other tools with this 
functionality.

I spent a couple hours on the documentation last night, but I didn't go 
back and proofread it. Hopefully it's fairly coherent. :)

> First the easy ones, built-in commands.
>
> - - - - - -
>
> Microsoft Windows [Version 6.0.6002]
> Copyright (c) 2006 Microsoft Corporation.  All rights reserved.
>
> C:\Windows\system32>ver<---- ver command to see what this version of
> Windows thinks it is
>
> Microsoft Windows [Version 6.0.6002]
I'll definitely add that one.

> C:\Windows\system32>arp -a<---- arp to get the full arp table; know
> what IPs this system can match to MACs
>
> Interface: 192.168.1.2 --- 0xb
>    Internet Address      Physical Address      Type
>    192.168.1.1           00-21-e8-c4-42-6f     dynamic
>    192.168.1.255         ff-ff-ff-ff-ff-ff     static
>    224.0.0.22            01-00-5e-00-00-16     static
>    224.0.0.252           01-00-5e-00-00-fc     static
>    239.255.255.250       01-00-5e-7f-ff-fa     static
>    255.255.255.255       ff-ff-ff-ff-ff-ff     static
>
> Interface: 192.168.56.1 --- 0xf
>    Internet Address      Physical Address      Type
>    192.168.56.255        ff-ff-ff-ff-ff-ff     static
>    224.0.0.22            01-00-5e-00-00-16     static
>    224.0.0.252           01-00-5e-00-00-fc     static
>    239.255.255.250       01-00-5e-7f-ff-fa     static
Got it. :)

> C:\Windows\system32>netstat -nr<---- full routing table; useful to
> find secondary NICs on the box or find alternate paths to try wiggling
> around firewalls
> ===========================================================================
> Interface List
>   11 ...00 24 2c 6c 03 40 ...... Atheros AR9285 802.11b/g WiFi Adapter
>   10 ...00 23 8b c1 9c ff ...... Realtek PCIe GBE Family Controller
>   15 ...08 00 27 00 bc d4 ...... VirtualBox Host-Only Ethernet Adapter
>    1 ........................... Software Loopback Interface 1
>   17 ...00 00 00 00 00 00 00 e0  isatap.{88821758-ACEE-478B-9370-39C78253F4DA}
>   12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
>   16 ...00 00 00 00 00 00 00 e0  isatap.{75B79F26-E3B6-4343-81AA-06C8FC4F2B2C}
>   18 ...00 00 00 00 00 00 00 e0  isatap.{CF28DC74-4904-4CE7-8272-258D17BA936B}
> ===========================================================================
>
> IPv4 Route Table
> ===========================================================================
> Active Routes:
> Network Destination        Netmask          Gateway       Interface  Metric
>            0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.2     25
>          127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
>          127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
>    127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>        192.168.1.0    255.255.255.0         On-link       192.168.1.2    281
>        192.168.1.2  255.255.255.255         On-link       192.168.1.2    281
>      192.168.1.255  255.255.255.255         On-link       192.168.1.2    281
>       192.168.56.0    255.255.255.0         On-link      192.168.56.1    276
>       192.168.56.1  255.255.255.255         On-link      192.168.56.1    276
>     192.168.56.255  255.255.255.255         On-link      192.168.56.1    276
>          224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
>          224.0.0.0        240.0.0.0         On-link      192.168.56.1    276
>          224.0.0.0        240.0.0.0         On-link       192.168.1.2    281
>    255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
>    255.255.255.255  255.255.255.255         On-link      192.168.56.1    276
>    255.255.255.255  255.255.255.255         On-link       192.168.1.2    281
> ===========================================================================
> Persistent Routes:
>    None
>
> IPv6 Route Table
> ===========================================================================
> Active Routes:
>   If Metric Network Destination      Gateway
>    1    306 ::1/128                  On-link
>   15    276 fe80::/64                On-link
>   11    281 fe80::/64                On-link
>   11    281 fe80::1870:525c:80da:88a8/128
>                                      On-link
>   15    276 fe80::2c20:ca0e:54e8:7fd2/128
>                                      On-link
>    1    306 ff00::/8                 On-link
>   15    276 ff00::/8                 On-link
>   11    281 ff00::/8                 On-link
> ===========================================================================
> Persistent Routes:
>    None
Excellent, didn't know about those ones!

> - - - - - -
>
> Another useful command is part of some resource kit tools
> (http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en),
> but it is built in to Windows Server 2008 and maybe Vista.
>
> - - - - - -
>
> C:\Windows\system32>whoami /priv<---- find out what privileges your
> user account has on this box
>
> PRIVILEGES INFORMATION
> ----------------------
>
> Privilege Name                  Description                               State
> ===============================
> ========================================= ========
> SeLockMemoryPrivilege           Lock pages in memory
>     Disabled
> SeIncreaseQuotaPrivilege        Adjust memory quotas for a process
>     Disabled
> SeSecurityPrivilege             Manage auditing and security log
>     Disabled
> SeTakeOwnershipPrivilege        Take ownership of files or other
> objects  Disabled
> SeLoadDriverPrivilege           Load and unload device drivers
>     Disabled
> SeSystemProfilePrivilege        Profile system performance
>     Disabled
> SeSystemtimePrivilege           Change the system time
>     Disabled
> SeProfileSingleProcessPrivilege Profile single process
>     Disabled
> SeIncreaseBasePriorityPrivilege Increase scheduling priority
>     Disabled
> SeCreatePagefilePrivilege       Create a pagefile
>     Disabled
> SeBackupPrivilege               Back up files and directories
>     Disabled
> SeRestorePrivilege              Restore files and directories
>     Disabled
> SeShutdownPrivilege             Shut down the system
>     Disabled
> SeDebugPrivilege                Debug programs
>     Disabled
> SeSystemEnvironmentPrivilege    Modify firmware environment values
>     Disabled
> SeChangeNotifyPrivilege         Bypass traverse checking
>     Enabled
> SeRemoteShutdownPrivilege       Force shutdown from a remote system
>     Disabled
> SeUndockPrivilege               Remove computer from docking station
>     Disabled
> SeManageVolumePrivilege         Perform volume maintenance tasks
>     Disabled
> SeImpersonatePrivilege          Impersonate a client after
> authentication Enabled
> SeCreateGlobalPrivilege         Create global objects
>     Enabled
> SeIncreaseWorkingSetPrivilege   Increase a process working set
>     Disabled
> SeTimeZonePrivilege             Change the time zone
>     Disabled
> SeCreateSymbolicLinkPrivilege   Create symbolic links
>     Disabled
>
> - - - - - -
>
> You could also use 'whoami /all' to get even more information, but the
> privilege information is most useful.  A quick way to determine if you
> have an elevated account.
I'll definitely have a look at them for sure.

You'll definitely have an elevated account, though -- to actually run 
remote processes, an elevated account is required (you have to access 
the service control service).

By that same token, running this against Windows Vista/7/2008 is tricky, 
because they disable the service control service by default. You also 
don't get elevated privileges if UAC is enabled. That being said, if UAC 
is disabled and the service control service is running, everything works 
fine. :)

Thanks for your comments!
Ron

> When I come up with more, I'll send them in.
>
> -Jason
>
> On Mon, Oct 5, 2009 at 8:27 PM, Ron<>  wrote:
> > Hey all,
> >
> > After a lot of hard work, my development on smb-psexec.nse is finally
> > reaching its conclusion! But before that happens, I'm trying to include some
> > awesome defaults. I'm not really an expert on the Windows commandline,
> > though, so I'm hoping to get some help or ideas.
> >
> > I'm attaching the script itself, for reference, which has a ton of
> > documentation at the top. I'm also attaching the three modules I've made so
> > far, which should be enough to give you some idea how this is supposed to
> > work (backdoor.lua isn't done yet, obviously, but the others work pretty
> > well).
> >
> > I'm hoping to get some really cool default modules! If somebody gives me
> > ideas for commands whose output would be useful, go ahead and mention it, I
> > can take care of writing the actual commands.
> >
> > Looking forward to seeing your ideas!
> > Ron
> >
> > --
> > Ron Bowes
> > http://www.skullsecurity.org/
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org