rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

[suggestions] three module suggestions #6931

Closed thesle3p closed 1 year ago

thesle3p commented 8 years ago

Just a few suggestions for easy-to-implement modules:

1: windows/local/invoke_tater: I know there was an interest in making a module for the Potato privilege escalation vulnerability in Windows, but rather than write it from scratch why not just make a module that invokes Tater, an existing PowerShell implementation: https://github.com/Kevin-Robertson/Tater?

2: post/windows/gather/invoke_inveigh: Similar to Tater, a PowerShell implementation of Responder exists called Inveigh. I would think a module that, using a SYSTEM shell, invokes Inveigh and stores captured credentials in the database would be useful and fairly easy to implement.

3: post/windows/gather/credentials/dc_sync: DCSync in Mimikatz and elsewhere is an incredibly useful post-exploitation tool in AD environments. I am not sure if this feature is in the version of Mimikatz used by kiwi yet or not, but if not, doing it via Invoke-DCSync.ps1 (https://gist.github.com/monoxgas/9d238accd969550136db) should not be too hard either.

Just my 3 cents as far as ideas for modules go.

mubix commented 8 years ago

With all of the extra options these days for modules, we really should have a way to add scripts and such that fall into the python, powershell and such category.

OJ commented 8 years ago

We still have an issue with the whole "long running process" thing as well. It's not just a matter of "plug it in and off it goes", there's management of the session and command that comes with it.

busterb commented 5 years ago

This reminds me of recent discussions around #11256 and #11259.

bcoles commented 2 years ago

> 1: windows/local/invoke_tater: I know there was an interest in making a module for the Potato privilege escalation vulnerability in Windows, but rather than write it from scratch why not just make a module that invokes Tater, an existing PowerShell implementation: https://github.com/Kevin-Robertson/Tater?

Tater has not been updated in 6 years. Metasploit now includes many potatoes, including those of the hot, juicy, lonely, and rotten varieties.

> 2: post/windows/gather/invoke_inveigh: Similar to Tater, a PowerShell implementation of Responder exists called Inveigh. I would think a module that, using a SYSTEM shell, invokes Inveigh and stores captured credentials in the database would be useful and fairly easy to implement.

Not yet implemented.

> 3: post/windows/gather/credentials/dc_sync: DCSync in Mimikatz and elsewhere is an incredibly useful post-exploitation tool in AD environments. I am not sure if this feature is in the version of Mimikatz used by kiwi yet or not, but if not, doing it via Invoke-DCSync.ps1 (https://gist.github.com/monoxgas/9d238accd969550136db) should not be too hard either.

kiwi has been updated to include dcsync.

msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > load kiwi 
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > kiwi -h
[-] Unknown command: kiwi
meterpreter > help kiwi

Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials (parsed)
    creds_kerberos         Retrieve Kerberos creds (parsed)
    creds_livessp          Retrieve Live SSP creds
    creds_msv              Retrieve LM/NTLM creds (parsed)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds (parsed)
    creds_wdigest          Retrieve WDigest creds (parsed)
    dcsync                 Retrieve user account information via DCSync (unparsed)
    dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets (unparsed)
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
    lsa_dump_sam           Dump LSA SAM (unparsed)
    lsa_dump_secrets       Dump LSA secrets (unparsed)
    password_change        Change the password/hash of a user
    wifi_list              List wifi profiles/creds for the current user
    wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)

meterpreter > 

smcintyre-r7 commented 1 year ago

invoke_inveigh sounds like it solves a similar problem to our new capture plugin so I'm going to close this ticket out.