How to send a command with needed password in a shell script?


In Part 1, I listed some common tools and techniques to use domain credentials to execute commands on Windows machines from Kali Linux. In this post, I'm going to delve a little bit into how those tools actually work by re-creating the techniques from a Windows machine. All of the tools mentioned in the previous post (psexec, wmiexec, etc.) are essentially re-implementations of core Windows functionality, and every technique can be used natively from within Windows.

A lot of pentesters, myself included, have used the psexec techniques extensively, but until recently I never fully understood what was going on under the hood. Hopefully this post will shed some light on PsExec by manually re-creating the technique using native Windows tools.

It is not domain joined, it just sits on the same network. And as a reminder, we have recovered or cracked a single domain user's account:

There's a few ways you can test credentials against a machine from Windows, but for demonstration purposes I'm gonna use the basic net commands. This isn't the best or stealthiest way to do it, but it's easy to follow and understand.

An easy way to test credentials is to try to establish an SMB connection to the machine.

This is essentially what Metasploit's module does. In Windows, you can utilize the net use command with credentials to establish an SMB connection with a host:

We can see it completes successfully, so the credentials are good.

If we weren't an admin, we'd get an access denied:

Now one of the problems with this technique is we have established connections with the Windows hosts that can be detected. If an administrator on ordws01 ran a net session command, he or she would see a connection open from our attacking box:

The other problem is that we can't use all the net commands and other Windows tools by passing a username and password. But we can bypass that limitation. The Windows runas command lets us execute commands in the context of another user. We can launch an interactive command prompt by running "cmd. The beauty of this technique is that our LogonId changes, and we can actually start using Kerberos auth on the domain. Note how the whoami output is the same but our LogonId changes in the new command prompt after doing a runas:

In this new command prompt, we don't need to run the net use command to open connections with specified credentials.

We can just use normal commands and Windows will use our LogonId with Kerberos authentication:

From this command prompt we are essentially "on the domain" and can start running native Windows commands with the privileges of jarrieta. In the last post, I used Metasploit's "psexec" module and Impacket's "psexec. Both of these tools are based on a classic Windows utility named, shockingly, psexec.

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It's a standalone binary that's included in the Sysinternals suite.

You can pass credentials to it and remotely execute commands or drop into an interactive command prompt:

If you run it from the "runas" command prompt which has a Kerberos TGT, you don't even need to specify credentials. This might clue you in a little bit as to how PsExec actually operates. In fact, if we go on the target machine and view services while the command prompt is open, we can see it:

The service starts the binary C: So PsExec performs a few steps to get you a shell:

This is precisely how the Metasploit module and the Impacket script operate as well. We can also manually recreate the steps to remotely start any other binary of our choice e.

First let's assume we have a payload executable we generated with msfvenom and obfuscated with Veil so AV doesn't flag it. Really though, it could be copied and hidden anywhere on the filesystem. The Windows sc command is used to query, create, delete, etc. Windows services and can be used remotely. Read more about it here.

From our command prompt, we'll remotely create a service called "meterpreter" that points to our uploaded binary:

The last step is to start the service and execute the binary. That's because our meterpreter binary isn't an actual service binary and won't return the expected response code. That's fine because we just need it to execute once to fire:

After getting the meterpreter session, I'd migrate out of the met

Why the sudden privilege escalation?

It has to do with how services are created and started. If we really wanted to run the service with different credentials, we could have specified them when we created it, but if we can just jump straight to SYSTEM why would we want to? One of the Impacket tools I used last post to get a semi-interactive shell is "smbexec.

This makes use of a clever technique to execute commands and get output through SMB without needing to drop a binary on the system.

Let's see what happens when smbexec runs by looking at it from the target's side. Obviously we could look at the source code, but this is more fun. As a reminder, let's see what smbexec looks like when it's fired up:

But that service isn't present on the target machine when we do an sc query.

The system logs reveal a clue to what happened:

It echoes the command to be executed to a bat file, redirects the stdout and stderr to a Temp file, then executes the bat file and deletes it. Back on Kali, the Python script then pulls the output file via SMB and displays the contents in our "pseudo-shell". For every command we type into our "shell", a new service is created and the process is repeated.

This is why it doesn't need to drop a binary; it just executes each desired command as a new service. Definitely more stealthy, but as we saw, an event log is created for every command executed. Still a very clever way to get a non-interactive "shell"!

As smbexec demonstrated, it's possible to execute commands directly from service binPaths instead of needing a binary.

This can be a useful trick to keep in your back pocket if you need to just execute one arbitrary command on a target Windows machine. As a quick example, let's get a Meterpreter shell using a remote service without a binary. The listener is set up and it tells us the command to execute on the target machine:

From our Windows attack box, we create a remote service "metpsh" and set the binPath to execute cmd.

It errors out because the service doesn't respond, but if we look at our Metasploit listener we see that the callback was made and the payload executed:

And we just launched a meterpreter payload remotely through a Windows service without dropping a binary. Which, by the way, is nothing revolutionary. This is exactly how Metasploit tries to execute payloads through the psexec module now. Only if PowerShell is not available or you manually specify it will Metasploit actually drop a binary on the target system, which is good, since most AV detects Metasploit binaries now.
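The flip side of everything above is what the target's System log shows: every psexec-style service and every smbexec command leaves a "service installed" record. As an added example (not from the original post or from the Metasploit/Impacket tools it describes), here is defender-side triage logic in Python over constructed service-installation records. It flags the smbexec-style binPath chain described earlier (echo into a .bat, redirect output to Temp, run it, delete it), a binPath that is an interpreter rather than a service executable (the "metpsh" trick), and a psexec-style service pointing at a binary outside the usual system directories. The record shape, service names and paths are assumptions modelled on the Service Control Manager "service installed" event (ID 7045).

```python
import re

# Constructed sample records shaped like Windows System-log "service installed"
# events (Service Control Manager event ID 7045). Names and paths are made up.
SAMPLE_EVENTS = [
    {"ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"ServiceName": "meterpreter", "ImagePath": r"C:\Windows\Temp\update.exe"},
    {"ServiceName": "svc_tmp",
     "ImagePath": r"cmd.exe /Q /c echo whoami ^> C:\Windows\Temp\__out 2^>^&1 "
                  r"> C:\Windows\Temp\run.bat & cmd.exe /Q /c C:\Windows\Temp\run.bat "
                  r"& del C:\Windows\Temp\run.bat"},
    {"ServiceName": "metpsh",
     "ImagePath": r"cmd.exe /c powershell -nop -w hidden -e <placeholder-base64>"},
]

# binPath begins with a command interpreter instead of a service executable
INTERPRETER_RE = re.compile(r"^\s*(%COMSPEC%|cmd(\.exe)?|powershell(\.exe)?)\b", re.I)
# smbexec-style chain: echo ... into a .bat, run it, then delete it
BAT_CHAIN_RE = re.compile(r"echo\b.*>\s*\S+\.bat\b.*\bdel\b", re.I)
# stdout/stderr redirected into a Temp location so the output can be fetched over SMB
OUTPUT_REDIRECT_RE = re.compile(r"\^?>.*\\Temp\\|2\^?>\^?&1", re.I)
# service binary living in one of the usual system/program directories
TRUSTED_DIR_RE = re.compile(
    r"^[A-Z]:\\(Windows\\System32|Windows\\SysWOW64|Program Files)", re.I)


def classify(event):
    """Return the list of suspicious traits found in one service-install record."""
    path = event["ImagePath"]
    traits = []
    if INTERPRETER_RE.search(path):
        traits.append("interpreter_binpath")
        if BAT_CHAIN_RE.search(path) and OUTPUT_REDIRECT_RE.search(path):
            traits.append("smbexec_pattern")
    elif not TRUSTED_DIR_RE.match(path):
        traits.append("untrusted_binary_dir")
    return traits


def triage(events):
    """Map every flagged ServiceName to its traits; clean services are omitted."""
    return {e["ServiceName"]: t for e in events if (t := classify(e))}


if __name__ == "__main__":
    for name, traits in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(traits)}")
```

In a real deployment the records would come from the System log (for example via the Windows event export of your SIEM) rather than the inline list, and "untrusted_binary_dir" is a weak signal on its own that needs the usual allow-listing of legitimate installers.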

In this post I walked through how Windows services can be used to remotely execute commands when you have credentials. Hopefully this exposed some of the "magic" behind Metasploit's psexec module and Impacket's psexec and smbexec scripts. If you're ever on a pentest and don't have access to Kali, now you know how to use native Windows tools to replicate some of the behavior.

Hope this helped someone. Writing it and exploring these tools certainly helped me. Feel free to comment with questions or tell me where I'm wrong.

Generates a self-signed SSL certificate. Dumps all files and databases into a zip file. Outputs into a file like gitea-dump Generates random values and tokens for usage in configuration file.

Useful for generating values for automatic deployments. Command Line Usage gitea [global options] command [command options] [arguments Show help text and exit. This can be used with any of the subcommands to see help text for it. Show version and exit. Commands web Starts the server: Gitea configuration file path. Gitea should not be run as root. To bind to a port below , you can use setcap on Linux: This will need to be redone every time you update Gitea.

If provided, this makes the user an admin. Comma separated hostnames and IPs which this certificate is valid for. ECDSA curve to use to generate a key. Valid options are P, P, P, P Size of RSA key to generate.

Ignored if --ecdsa-curve is set. Duration which the certificate is valid for. Path to the temporary directory used. If provided, shows additional details. Token used for an internal API call authentication.