************************************************************
smbexec
A rapid psexec style attack with samba tools
Original Concept and Script by Brav0Hax & PureHate
Ported to ruby and modified by Smilingraccoon and Zeknox
Codename - Machiavellian
************************************************************
Written because we got sick of Metasploit PSExec getting popped
Special thanks to Carnal0wnage who's blog inspired us to go this route.
http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html
v2.0 - 10/17/2013
UPDATED - Rubified ;)
v1.2.9.1 - 07/31/2013
ADDED - r3dy (pentestgeek.com) created a custom cachedump.rb that is a standalone tool to extract dcc's. This tool extracts non-vista and vista style cached creds. Built based off the cachedump metasploit module create by Carlos Perez (DarkOperator)
v1.2.9 - 07/15/2013
UPDATED - wce has been updated with a universal binary with new version released by the developer (v1.41) as usual its obfuscated ;)
FIXED - on occasion when a Ctrl-C is inititated, if the smbexec proj folder is empty it will delete it and not recreate
FIXED - Typo in the f_dsusers function for sys file path
Windows Credentials Editor v1.41beta
(c) 2010, 2011, 2012, 2013 Amplia Security, Hernan Ochoa
written by: hernan@ampliasecurity.com
http://www.ampliasecurity.com
v1.2.8.1 - 06/24/2013
UPDATED - Added 'make' install check since libesedb and nmap rely on it for compile
UPDATED - DA/EA checker still not working as I wanted, ugly grep hacks to make it perform better.
v1.2.8 - 05/22/2013
ADDED - If you have crypter.exe installed on your system it will encrypt your payload after obfuscation. (uncomment line 46)
ADDED - Will prompt you if you'd like to execute payload as user or SYSTEM
ADDED - Option to gain a command shell from a remote system without a payload
FIXED - DA check gives system error 5 "Access Denied" changed it to complete the tasks as SYSTEM -> Thx Craig Freyman for bug report and fix
UPDATED - Fix payload creation issues, triggered DEP when combined with crypter.exe option. Thx to Hostess for the code!
v1.2.7 - 04/01/2013
FIXED - False positives from Admin check option
FIXED - Domain cached creds logic I brok in last release
UPDATED - The whole look and feel is less gaudy and borrow heavily from msfconsole
v1.2.6 - 02/25/2013
ADDED - wce.exe for 64 Bit systems
FIXED - DA/EA checker did not check for any errors and would falsely state users were on the system that did not exist
FIXED - Option to just create payload and RC file would continue by launching attack. Now operating as expected
UPDATE - Now checks the target systems processor architecture in order to use the proper wce.exe (wce-32.exe or wce-64.exe)
UPDATE - dcc hash file & cleartext password file is only moved into logfolder if not empty (common errors grep'd out)
UPDATE - source code for samba is now v3.6.12 for compiling smbexeclient binary
UPDATE - Installer now installs nmap verision 6.25 (Only if nmap is not found on the system. It does not version check)
v1.2.5 - 02/19/2013
FIXED - Issues with proper mingw identification, especially for 64 Bit systems - Bug reported by Jim Broome
UPDATE - Installer was updated with extra prereqs for winexe compilation.
TESTING - Install and execution of smbexec was tested again on Ubuntu 12.04 and Fedora 17 64Bit systems
v1.2.4 - 02/04/2013
UPDATE - Added UAC functionality. Now you can check systems to see if they have UAC enabled. In addition, you can disable or enable UAC on systems
v1.2.3 - 01/20/2013
UPDATE - Changed menu layout, was getting crowded on the main page. Combined like tasks.
FIXED - Hash folder creation wasn't checking for existing folder before trying to create. Resulted in error message.
v1.2.2 - 01/17/2013
UPDATE - Check credentials for remote login capabilities
UPDATE - Checks systems for DA/EA users logged in or running processes
UPDATE - If wce.exe is place in the smbexec/progs/ directory it will upload and execute on the target to obtain cleartext credentials from memory during hash grab
NOTE: The wce.exe file that exists in the progs directory has been obfuscated and is included in smbexec with written permission from the copyright owner Hernan Ochoa.
Hernan retains all rights to the Windows Credential Editor and can ask to have the program removed from smbexec distribution at any time. We'd like to than Hernan for letting us include his incredibly awesome tool for distribution.
Windows Credentials Editor v1.3beta
(c) 2010, 2011, 2012 Amplia Security, Hernan Ochoa
written by: hernan@ampliasecurity.com
http://www.ampliasecurity.com
v1.2.0 - 11/30/2012
FIXED - Script now checks to ensure exe's are compiled before running. Alerts user to use installer to compile.
UPDATE - Added drive and path variables to ntds hash grab function. (No longer hardcoded to C:\Windows\NTDS or C:\Windows\Temp)
UPDATE - Checks for available diskspace before copying ntds.dit and sys files to the path provided
UPDATE - Deletes the volume shadow copy created by the ntds hash grab function
v1.1.1 - 11/11/2012
FIXED - Sometimes the IP validation fails even though it is a proper IP address
UPDATE - Installer updated with Samba-3.6.9 source
UPDATE - libesedb project moved to Google Code, installer updated with proper path
Includes
- smbexec.sh
- installer.sh
- patches to compile binaries
- source for samba-3.6.9 and winexe-1.00
Just run the installer and you should be good to go! If not email me... jbrav.hax@gmail.com
Credit where credit is due:
* wce.exe - Hernan Ochoa - An incredible tool that mimikatz CANNOT touch! - http://www.ampliasecurity.com
* smbclient & winexe Hash Passing patch - JoMo-kun -> http://www.foofus.net/~jmk/passhash.html
- Patch updated for Samba 3.6.12 by exfil (Emilio Escobar)
* vanish.sh - Original concept Astr0baby stable version edits Vanish3r -> http://www.securitylabs.in/2011/12/easy-bypass-av-and-firewall.html
* www.samba.org
* winexe - ahajda -> http://sourceforge.net/users/ahajda
* Metasploit - www.metasploit.com (Thank you HD and team!)
* Nmap - nmap.org (Thank you Fydor!)
* Creddump - Brendan Dolan-Gavitt - http://code.google.com/p/creddump/
* NTDSXtract - Csaba Barta - http://www.ntdsxtract.com/
* libesedb - Joachim Metz - http://libesedb.googlecode.com/
Happy Hunting!