Scripting Metasploit for a Real-Life Pentest

During a recent internal penetration test, we got to the point where we had to search a lot of Windows machines for Domain Admin tokens. Of course, our objective was to impersonate such a (delegation) token with Metasploit and create our own Domain Admin user.

Since the search space was quite large, we had to automate this task by creating a custom Metasploit script. In this post we describe the process of creating and running such a script.

A bit of context

During our penetration test we managed to obtain the credentials of a privileged user. This user, let’s call him Robert, had local administrative rights on multiple workstations in the Windows domain.

Using Robert’s credentials, we managed to create a low-privileged domain user, which we’ll further denote by OurUser, but we were not able to add it to the Domain Admins group.


Upgrade your DLL to Reflective DLL

If you want to execute code stealthily on a machine and the antivirus stands in your way, you should think about avoiding the disk, because this is the place where the antivirus reigns.

In this scenario, you might find it useful to execute a DLL directly inside the address space of a running process without touching the disk. This will bypass the AV in a stealthy and powerful way.

To achieve this, all you need to do is upgrade your DLL to Reflective DLL.

Introduction

The antivirus can sometimes be a significant problem in the post-exploitation phase of a penetration test. To deal with this issue, several strategies have been proposed:

  • making use of the command line / PowerShell
  • executing a program (EXE) from memory
  • executing a DLL from memory

Sometimes the command line interface is severely limited.

Also, by executing a program from memory you may still run into problems with the antivirus. You might get away with it by making use of a crypter (a tool that encrypts an executable, decrypts it during execution and runs it from memory), but most of them are detectable.

Thus, you may find it useful to use a DLL instead of an EXE to do your job.
