Closed thesle3p closed 1 year ago
With all of the extra options these days for modules, we really should have a way to add scripts and such that fall into the python, powershell and such category.
We still have an issue with the whole "long running process" thing as well. It's not just a matter of "plug it in and off it goes", there's management of the session and command that comes with it.
this reminds me of recent discussions around #11256 #11259
1: windows/local/invoke_tater: I know there was an interest in making a module for the potato privilege escalation vulnerability in Windows, but rather than write it from scratch, why not just make a module that invokes Tater, an existing PowerShell implementation: https://github.com/Kevin-Robertson/Tater?
Tater has not been updated in 6 years. Metasploit now includes many potatoes, including those of the hot, juicy, lonely, and rotten varieties.
2: post/windows/gather/invoke_inveigh: Similar to Tater, a PowerShell implementation of Responder exists called Inveigh; I would think a module that, using a SYSTEM shell, invokes Inveigh and stores captured credentials in the database would be useful and fairly easy to implement.
Not yet implemented.
3: post/windows/gather/credentials/dc_sync: DCSync in Mimikatz and elsewhere is an incredibly useful post-exploitation tool in AD environments. I am not sure if this feature is in the version of Mimikatz used by kiwi yet or not, but if not, doing it via Invoke-DCSync.ps1 (https://gist.github.com/monoxgas/9d238accd969550136db) should not be too hard either.
kiwi has been updated to include dcsync.
msf6 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > load kiwi
Loading extension kiwi...
.#####. mimikatz 2.2.0 20191125 (x64/windows)
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/
Success.
meterpreter > kiwi -h
[-] Unknown command: kiwi
meterpreter > help kiwi
Kiwi Commands
=============
Command                Description
-------                -----------
creds_all              Retrieve all credentials (parsed)
creds_kerberos         Retrieve Kerberos creds (parsed)
creds_livessp          Retrieve Live SSP creds
creds_msv              Retrieve LM/NTLM creds (parsed)
creds_ssp              Retrieve SSP creds
creds_tspkg            Retrieve TsPkg creds (parsed)
creds_wdigest          Retrieve WDigest creds (parsed)
dcsync                 Retrieve user account information via DCSync (unparsed)
dcsync_ntlm            Retrieve user account NTLM hash, SID and RID via DCSync
golden_ticket_create   Create a golden kerberos ticket
kerberos_ticket_list   List all kerberos tickets (unparsed)
kerberos_ticket_purge  Purge any in-use kerberos tickets
kerberos_ticket_use    Use a kerberos ticket
kiwi_cmd               Execute an arbitary mimikatz command (unparsed)
lsa_dump_sam           Dump LSA SAM (unparsed)
lsa_dump_secrets       Dump LSA secrets (unparsed)
password_change        Change the password/hash of a user
wifi_list              List wifi profiles/creds for the current user
wifi_list_shared       List shared wifi profiles/creds (requires SYSTEM)
meterpreter >
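The dcsync and dcsync_ntlm commands in the kiwi help above are exactly the activity a domain defender wants to see in the domain controller's Security log. As an added example that is not part of this issue, of kiwi or of Metasploit, here is a small Python detector over constructed Windows Security event 4662 records: a DCSync request appears as a Control Access (0x100) on the domainDNS object whose Properties carry the well-known replication extended-right GUIDs, and the signal is that the requesting subject is not a known domain controller computer account. The key=value record layout, the KNOWN_DC_ACCOUNTS allowlist and every sample line are assumptions constructed for the example.

```python
"""Added example: flag DCSync-style replication requests in Windows Security
event 4662 records. Not part of the Metasploit issue or kiwi; all sample
records below are constructed, not captured logs."""

# Extended-rights GUIDs a DCSync caller needs on the domain naming context.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {
    DS_REPLICATION_GET_CHANGES,
    DS_REPLICATION_GET_CHANGES_ALL,
    DS_REPLICATION_GET_CHANGES_IN_FILTERED_SET,
}

# Control Access bit of the 4662 AccessMask field (ADS_RIGHT_DS_CONTROL_ACCESS).
CONTROL_ACCESS = 0x100

# Constructed sample records (key=value pairs, one event per line); not real logs.
SAMPLE_EVENTS = """\
EventID=4662;SubjectUserName=DC02$;ObjectType=domainDNS;AccessMask=0x100;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662;SubjectUserName=jdoe;ObjectType=domainDNS;AccessMask=0x100;Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2,1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
EventID=4662;SubjectUserName=jdoe;ObjectType=user;AccessMask=0x20;Properties=bf967aba-0de6-11d0-a285-00aa003049e2
EventID=4662;SubjectUserName=svc-backup;ObjectType=domainDNS;AccessMask=0x100;Properties=89e95b76-444d-4c62-991a-0facbeda640c
EventID=4624;SubjectUserName=jdoe;LogonType=3
"""

# Assumed allowlist: computer accounts of the real domain controllers, which
# legitimately replicate with each other all day long.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}


def parse_event(line):
    """Split one 'k=v;k=v' record into a dict; Properties becomes a set of GUIDs."""
    event = {}
    for field in line.strip().split(";"):
        if "=" not in field:
            continue
        key, value = field.split("=", 1)
        event[key] = value
    event["Properties"] = set(filter(None, event.get("Properties", "").split(",")))
    return event


def is_dcsync(event, dc_accounts=KNOWN_DC_ACCOUNTS):
    """True when a principal outside the DC allowlist exercised a replication right."""
    if event.get("EventID") != "4662":
        return False
    if event.get("ObjectType") != "domainDNS":
        return False
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    if not mask & CONTROL_ACCESS:
        return False
    if not event["Properties"] & REPLICATION_GUIDS:
        return False
    return event.get("SubjectUserName") not in dc_accounts


def find_dcsync_subjects(text, dc_accounts=KNOWN_DC_ACCOUNTS):
    """Return (subject, replication GUIDs) for every suspicious record, in log order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_dcsync(event, dc_accounts):
            hits.append((event["SubjectUserName"],
                         sorted(event["Properties"] & REPLICATION_GUIDS)))
    return hits


if __name__ == "__main__":
    for subject, guids in find_dcsync_subjects(SAMPLE_EVENTS):
        print(f"possible DCSync by {subject}: {', '.join(guids)}")
```

Run against the constructed sample, the detector flags jdoe and svc-backup and stays quiet on DC02$ and on the unrelated 4662 against a user object. The allowlist is the part that needs care in a real environment: maintaining it from the Domain Controllers OU rather than from a naming convention avoids a workstation account named like a DC slipping through, and the directory audit policy must actually emit 4662 for directory service access or there is nothing to parse.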
invoke_inveigh sounds like it solves a similar problem to our new capture plugin, so I'm going to close this ticket out.
Just a few suggestions for easy-to-implement modules:
1: windows/local/invoke_tater: I know there was an interest in making a module for the potato privilege escalation vulnerability in Windows, but rather than write it from scratch, why not just make a module that invokes Tater, an existing PowerShell implementation: https://github.com/Kevin-Robertson/Tater?
2: post/windows/gather/invoke_inveigh: Similar to Tater, a PowerShell implementation of Responder exists called Inveigh; I would think a module that, using a SYSTEM shell, invokes Inveigh and stores captured credentials in the database would be useful and fairly easy to implement.
3: post/windows/gather/credentials/dc_sync: DCSync in Mimikatz and elsewhere is an incredibly useful post-exploitation tool in AD environments. I am not sure if this feature is in the version of Mimikatz used by kiwi yet or not, but if not, doing it via Invoke-DCSync.ps1 (https://gist.github.com/monoxgas/9d238accd969550136db) should not be too hard either.
Just my 3 cents as far as ideas for modules go.