
invoke-thehash's Issues

Run command in the context of User

Hello!

I have a question concerning the Invoke-SMBExec module. When I run a command through it, the command is executed as System on the remote host.

Problem: some block Internet connections issued by the Local System account. Is there a way to execute the command as the user used to launch SMBExec directly on the remote host?

Question: use Invoke-WMIExec to query stuff

Hi Kevin,

thanks for sharing your work, it really is a great tool.

I figured it would be interesting to tweak Invoke-WMIExec so it can also query stuff via WMI and not only execute. I had a look at the source code but I couldn't quite figure out where you define the actual WMI class you use for command execution ("Win32_Process" ?). Could you point me in the right direction?

Thanks in advance!

Christoph

SMB-Finger in powershell

Kevin,
Trying to recreate https://github.com/lgandx/Responder/blob/master/tools/RunFinger.py in powershell.
According to the SMBFinger function, I need to send command 72, flag1 x18, flag2 x53 xC8. I think I got that, but I'm not sure how to send and pull the data.
Here is what I got so far, but I could be way off:

function Get-SmbFinger
{
    param
    (
        [Parameter(Mandatory = $true)][System.Net.Sockets.TcpClient]$SMB_client,   # TCP client already connected to the target's SMB port
        [Parameter(Mandatory = $true)][Byte[]]$process_ID_bytes,                   # process ID bytes placed in the SMB header
        [Parameter(Mandatory = $true)][String]$SMB_version
    )

    # Get-PacketSMBHeader, Get-PacketSMBNegotiateProtocolRequest, ConvertFrom-PacketOrderedDictionary
    # and Get-PacketNetBIOSSessionService are the packet helpers from Invoke-TheHash and must be loaded
    $SMB_client_stream = $SMB_client.GetStream()
    $SMB_client_receive = New-Object System.Byte[] 81920
    # SMB1 header: command 0x72 (Negotiate Protocol), flags 0x18, flags2 0x53,0xC8
    $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x53,0xC8 0xff,0xff $process_ID_bytes[0,1] 0x00,0x00
    $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version
    $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
    $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
    # NetBIOS session service header carries the length of header + data
    $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
    $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
    $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
    $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
    $SMB_client_stream.Flush()
    # Read returns only the byte count, so return the bytes actually received rather than that integer
    $bytes_read = $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
    if ($bytes_read -gt 0)
    {
        return $SMB_client_receive[0..($bytes_read - 1)]
    }
    return $null
}

Let me know what you think.

User is not local administrator

Hey, I added user X on 2012 R2.

I added the local administrator groups too.

But when I try to pass the hash with SMB, I get "X user not local administrator on x.x.x.x".

But Kali PTH is working fine.

SMB enumeration exception when run with Invoke-TheHash

So it seems Invoke-SMBEnum fails when passing target inputs that are processed in Invoke-TheHash, but not when a single target is passed directly to Invoke-SMBEnum.


So when debugging I can see in Get-TargetList the $target_list.Add($entry) line actually adds a string, which is the correct type.

However, when checking the target type later in the flow, it's an object array, which errors out when attempting to convert to String when passed to Invoke-SMBEnum.

I have no idea about this PowerShell voodoo, but a quick fix I found is to manually convert to string before passing to Invoke-SMBEnum.

Note I have not tested other functions (SMBClient, SMBExec, etc.), just needed this one to work on a pentest.
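An added PowerShell example, not Invoke-TheHash's own code, that reproduces the type change reported above: a List[string] built in a helper is unrolled into an Object[] on return, binding that array to a single [string] parameter fails, and converting each element before the call works. Get-TargetListDemo, Invoke-ConsumerDemo and Get-TargetListWrapped are hypothetical stand-ins for Get-TargetList and Invoke-SMBEnum, and the addresses are constructed.

```powershell
# Added example, not Invoke-TheHash's own code. Get-TargetListDemo and Invoke-ConsumerDemo are
# hypothetical stand-ins for Get-TargetList and Invoke-SMBEnum; the addresses are constructed.
function Get-TargetListDemo
{
    param([string[]]$Targets)
    $target_list = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $Targets)
    {
        $target_list.Add($entry)   # each element is a [string] here, as seen in the debugger
    }
    return $target_list            # the pipeline unrolls the list: two or more entries arrive
                                   # at the caller as Object[], a single entry as a bare string
}

function Invoke-ConsumerDemo
{
    param([Parameter(Mandatory = $true)][string]$Target)   # one host, like Invoke-SMBEnum takes
    return "enumerating $Target"
}

$targets = Get-TargetListDemo -Targets '192.0.2.10','192.0.2.11'
Write-Host "Caller received type: $($targets.GetType().FullName)"

# Failure mode from the issue: binding the whole Object[] to a [string] parameter is a
# terminating parameter-binding error, not a silent join
try
{
    Invoke-ConsumerDemo -Target $targets
}
catch
{
    Write-Host "Binding failed: $($_.Exception.Message)"
}

# The reporter's workaround: convert each element to [string] and call once per target
foreach ($t in $targets)
{
    Write-Host (Invoke-ConsumerDemo -Target ([string]$t))
}

# Alternative at the source: the unary comma wraps the list so it is not unrolled and the
# caller receives the List[string] intact, whatever its element count
function Get-TargetListWrapped
{
    param([string[]]$Targets)
    $target_list = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $Targets) { $target_list.Add($entry) }
    return ,$target_list
}
Write-Host "Wrapped type: $((Get-TargetListWrapped -Targets '192.0.2.10').GetType().FullName)"
```

The single-entry case explains why a target passed directly to Invoke-SMBEnum worked: one element unrolls to a plain string, so only multi-target lists hit the Object[] binding error.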

local Pass The Hash

How can I create a process or execute a command on the local computer (127.0.0.1) with another credential?

mimikatz:

sekurlsa::pth /user:admin /domain:workgroup /ntlm:3DBDE697D71690A769204BEB12283678 /run:"cmd.exe /c whoami"

Invoke-WMIExec:

Invoke-WMIExec -Target 127.0.0.1 -Domain workgroup -Username admin -Hash 3DBDE697D71690A769204BEB12283678 -Command 'whoami' -verbose

Customize the pipe name

So I tried fussing around in the code to change the name of the pipe from \svcctl to a different value. My test target is SMB2, so I didn't fuss with the pipe name encoded in the SMB1 section. I put the nulls in to account for the UTF-16LE. However, when I run the script, I just get:

Hash being used: 79D6ED02F83D0E3862B2755AB5487933
user successfully authenticated on <machinename>
Something went wrong with <machinename>

I saw this $SMB_named_pipe_UUID value, but when I tried to decode it I just got binary-looking gibberish. Do I need to change this value as well? And if so, how do I derive the correct value?

Any pointers would be appreciated.

WriteAndX Offset

Hello Kevin,
I was looking at your SMBExec code and I realized that you have a constant offset (1002) in the WriteAndX part. I am confused about it. I think it is related to the svcctl pipe, but I don't know the reason.
Can you explain the reason?

Question: Mapping an SMB drive

Hi Kevin,

Thanks for sharing your fantastic work. Been testing it successfully in my own lab environment, it's amazing.

I was wondering if there's any chance that your tools can be extended/modified to simply map a network share on a server that is not a Windows one, but still uses Windows domain credentials and SMB/NTLM authentication, typically a Samba server integrated with Active Directory.

Thanks,
Regards,
Arno
