kevin-robertson / invoke-thehash
PowerShell Pass The Hash Utils
License: BSD 3-Clause "New" or "Revised" License
Hello!
I have a question concerning the Invoke-SMBExec module. When I run a command through it, the command is executed as System on the remote host.
Problem: something blocks Internet connections issued by the Local System account. Is there a means to execute the command directly on the remote host as the user used to launch SMBExec?
Hi Kevin,
Thanks for sharing your work; it really is a great tool.
I figured it would be interesting to tweak Invoke-WMIExec so it can also query stuff via WMI and not only execute. I had a look at the source code but I couldn't quite figure out where you define the actual WMI class you use for command execution ("Win32_Process" ?). Could you point me in the right direction?
Thanks in advance!
Christoph
Kevin,
Trying to recreate https://github.com/lgandx/Responder/blob/master/tools/RunFinger.py in powershell.
According to the SMBFinger function, I need to send command 0x72, flag1 0x18, flag2 0x53 0xC8. I think I got that, but I'm not sure how to send it and pull the data.
Here is what I got so far, but I could be way off:
function Get-SmbFinger()
{
    # Assumes the Invoke-TheHash scope already provides $SMB_client (a connected
    # TcpClient), $SMB_version and $process_ID_bytes, plus the Get-Packet* and
    # ConvertFrom-PacketOrderedDictionary helpers.
    $SMB_client_stream = $SMB_client.GetStream()
    $SMB_client_receive = New-Object System.Byte[] 81920
    # SMB1 header: command 0x72 (Negotiate Protocol), Flags 0x18, Flags2 0x53,0xC8,
    # TreeID 0xff,0xff, the process ID bytes and UserID 0x00,0x00
    $packet_SMB_header = Get-PacketSMBHeader 0x72 0x18 0x53,0xC8 0xff,0xff $process_ID_bytes[0,1] 0x00,0x00
    $packet_SMB_data = Get-PacketSMBNegotiateProtocolRequest $SMB_version
    $SMB_header = ConvertFrom-PacketOrderedDictionary $packet_SMB_header
    $SMB_data = ConvertFrom-PacketOrderedDictionary $packet_SMB_data
    # The NetBIOS session service header carries the length of header + data
    $packet_NetBIOS_session_service = Get-PacketNetBIOSSessionService $SMB_header.Length $SMB_data.Length
    $NetBIOS_session_service = ConvertFrom-PacketOrderedDictionary $packet_NetBIOS_session_service
    $SMB_client_send = $NetBIOS_session_service + $SMB_header + $SMB_data
    $SMB_client_stream.Write($SMB_client_send,0,$SMB_client_send.Length)
    $SMB_client_stream.Flush()
    # Read returns the number of bytes received; keep it instead of discarding it
    $bytes_read = $SMB_client_stream.Read($SMB_client_receive,0,$SMB_client_receive.Length)
    if ($bytes_read -le 0)
    {
        return @()
    }
    # Return only the bytes actually received so the caller can parse the negotiate response
    return $SMB_client_receive[0..($bytes_read - 1)]
}
Let me know what you think.
When I send it a command longer than 3847 characters, I'm getting this error.
Any idea how to fix this?
So it seems Invoke-SMBEnum fails when passed target inputs that are processed in Invoke-TheHash, but not when a single target is passed directly to Invoke-SMBEnum.
So when debugging I can see that in Get-TargetList the $target_list.Add($entry) line actually adds a string, which is the correct type.
However, when checking the target type later in the flow, it's an object array, which errors out when attempting to convert to String when passed to Invoke-SMBEnum.
I have no idea about this PowerShell voodoo, but a quick fix I found is to manually convert to string before passing to Invoke-SMBEnum.
Note I have not tested other functions (SMBClient, SMBExec, etc.), just needed this one to work on a pentest.
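An added example, not code from Invoke-TheHash or from the poster, that reproduces the symptom described in this post under one assumption: Get-TargetList fills a List[string] with .Add() and returns it, and the caller captures that output, which PowerShell unrolls into an Object[] (a single entry unrolls to a plain string, which is why one target works). Get-TargetListDemo and Invoke-EnumDemo are hypothetical names.

```powershell
# Added example (not Invoke-TheHash code). Assumption: the real Get-TargetList
# returns a List[string] filled with .Add(), and the caller captures its output.
function Get-TargetListDemo {
    param([string[]]$Entries)
    $target_list = New-Object System.Collections.Generic.List[string]
    foreach ($entry in $Entries) {
        $target_list.Add($entry)   # adds a [string], exactly as seen in the debugger
    }
    return $target_list            # enumerable output is unrolled by PowerShell
}

function Invoke-EnumDemo {
    param([string]$Target)         # a [string] parameter, like -Target on Invoke-SMBEnum
    return "enumerating $Target"
}

# Two entries: the captured result is System.Object[], although every element is a string.
$targets = Get-TargetListDemo -Entries @('host1', 'host2')
"captured type: $($targets.GetType().FullName)"

# One entry: the unrolled output is a plain System.String, so a single target binds fine.
$single = Get-TargetListDemo -Entries @('host1')
"single entry type: $($single.GetType().FullName)"
Invoke-EnumDemo -Target $single

# Binding the whole array to a [string] parameter is what fails: parameter binding
# refuses to convert System.Object[] to System.String.
try {
    Invoke-EnumDemo -Target $targets
}
catch {
    Write-Warning $_.Exception.Message
}

# The workaround from the post: convert each entry to a string before the call.
foreach ($t in $targets) {
    Invoke-EnumDemo -Target ([string]$t)
}
```

Checking `.GetType().FullName` at the point where the target is consumed is the quickest way to confirm whether the same unrolling is what Invoke-TheHash is hitting.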
How can I create a process or execute a command on the local computer (127.0.0.1) with another credential?
mimikatz:
sekurlsa::pth /user:admin /domain:workgroup /ntlm:3DBDE697D71690A769204BEB12283678 /run:"cmd.exe /c whoami"
Invoke-WMIExec:
Invoke-WMIExec -Target 127.0.0.1 -Domain workgroup -Username admin -Hash 3DBDE697D71690A769204BEB12283678 -Command 'whoami' -verbose
So I tried fussing around in the code to change the name of the pipe from \svcctl to a different value. My test target is SMB2, so I didn't fuss with the pipe name encoded in the SMB1 section. I put the nulls in to account for the UTF-16LE. However, when I run the script, I just get:
Hash being used: 79D6ED02F83D0E3862B2755AB5487933
user successfully authenticated on <machinename>
Something went wrong with <machinename>
I saw this $SMB_named_pipe_UUID value, but when I tried to decode it I just got binary-looking gibberish. Do I need to change this value as well? And if so, how do I derive the correct value?
Any pointers would be appreciated.
Hello Kevin,
I was looking at your SMBExec code and I realized that you have a constant offset (1002) in the WriteAndX part. I am confused about it. I think it is about the svcctl pipe, but I don't know the reason.
Can you explain the reason?
Hi Kevin,
Thanks for sharing your fantastic work. Been testing it successfully in my own lab environment, it's amazing.
I was wondering if there's any chance that your tools can be extended/modified to simply map a network share on a server that is not a Windows one but still uses Windows domain credentials and SMB/NTLM authentication, typically a Samba server integrated with Active Directory.
Thanks,
Regards,
Arno