Warn user if they are using PowerShell with impersonation #20180
Thinking of the error message to show: here's some text I think we could put somewhere, and link to it in the error message. What would be the best way of hosting this? Add the below to the metasploit-framework.wiki directory?

When using the PowerShell extension, if another user is being impersonated (e.g. To run PowerShell with the impersonated token, either:

Note that the latter will be at the mercy of any security mitigations on the system, such as AMSI, Constrained Language Mode, and logging. Discussion at rapid7/metasploit-payloads#737
@@ -53,10 +53,10 @@ def import_file(opts={}) | |||
request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE, binary.length) | |||
request.add_tlv(TLV_TYPE_POWERSHELL_ASSEMBLY, binary) | |||
client.send_request(request) | |||
return true |
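Review bot: the tail of `import_file` calls `client.send_request(request)` and then returns a literal `true`, so the response from the server is discarded and callers cannot distinguish an import that ran under the expected token from one where impersonation did not apply; if the return type of `import_file` is being changed, derive the returned value from the response to `send_request` rather than hard-coding `true`, and document the new return type in the method's comment so the updated callers know what to check.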
As this is an API change, have all the callers of this API been updated to support this result type?
Yes, as far as I could find, the only calls were:
lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb (Updated)
modules/exploits/windows/local/tokenmagic.rb (Didn't use the return value in the first place)
modules/exploits/windows/local/cve_2020_1337_printerdemon.rb (Likewise, didn't use the return value in the first place)
Changes look good to me and from my testing are behaving in the way that we'd expect. Thanks for your work on this, smashery! I'm going to start by landing the payloads side of things.
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > getsystem
WARNING: Local file /home/smcintyre/Repositories/metasploit-framework.pr/data/meterpreter/elevator.x64.dll is being used
...got system via technique 4 (Named Pipe Impersonation (RPCSS variant)).
meterpreter > load powershell
Loading extension powershell...WARNING: Local file /home/smcintyre/Repositories/metasploit-framework.pr/data/meterpreter/ext_server_powershell.x64.dll is being used
Success.
meterpreter > powershell_execute -h
Usage: powershell_execute <powershell code> [-s session-id]
Runs the given Powershell string on the target.
OPTIONS:
-h Help banner
-s Specify the id/name of the Powershell session to run the command in.
meterpreter > powershell_execute "Write-Output 'Hello, World'"
[!] Impersonation will not apply to PowerShell.
[+] Command execution completed:
Hello, World
meterpreter > powershell_shell
[!] Impersonation will not apply to PowerShell.
PS >
Release Notes
This adds a warning to PowerShell use when an impersonation token is active.
As per the discussion in rapid7/metasploit-payloads#737, the PowerShell extension doesn't easily deal with impersonation. So at least we can warn the user when this situation occurs.
This PR relies on rapid7/metasploit-payloads#747
Verification
load powershell
getsystem
powershell_execute, powershell_shell, powershell_import
rev2self
impersonate_token
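The verification sequence above exercises one rule: the warning must appear while an impersonation token is active (after getsystem or impersonate_token) and must disappear after rev2self. The Ruby model below, an added illustration and not Metasploit's code, captures that rule with a constructed stand-in session; Metasploit's real API for detecting an active impersonation token is not shown on this page, so the ToySession class, its method names and the user strings are all assumptions.

```ruby
# Added illustration, not Metasploit's code. Models the warning logic this PR
# describes using a constructed session object; the page states that
# impersonation does not apply to the PowerShell extension, so commands here
# always run as the primary identity regardless of any impersonated token.
class ToySession
  # Warning text as shown in the PR's verification transcript.
  IMPERSONATION_WARNING = "[!] Impersonation will not apply to PowerShell."

  attr_reader :primary_user, :impersonated_user

  def initialize(primary_user)
    @primary_user = primary_user
    @impersonated_user = nil
  end

  # getuid reports the effective identity: the impersonated one if present.
  def getuid
    @impersonated_user || @primary_user
  end

  # Stand-in for getsystem / impersonate_token: activates an impersonation token.
  def impersonate(user)
    @impersonated_user = user
  end

  # Stand-in for rev2self: drops the impersonation token.
  def rev2self
    @impersonated_user = nil
  end

  def impersonating?
    !@impersonated_user.nil?
  end

  # Stand-in for powershell_execute: returns the console lines the user would
  # see. The warning is emitted only when an impersonation token is active,
  # because the command still runs under the primary identity.
  def powershell_execute(command)
    lines = []
    lines << IMPERSONATION_WARNING if impersonating?
    lines << "[+] Command execution completed:"
    lines << run_as_primary(command)
    lines
  end

  private

  # Constructed stand-in for the hosted PowerShell runspace: 'whoami' echoes
  # the identity the command actually runs under (always the primary token).
  def run_as_primary(command)
    command == 'whoami' ? @primary_user : "ran: #{command}"
  end
end

# Walk through the PR's verification steps with constructed identities.
def verification_walkthrough
  s = ToySession.new('NT AUTHORITY\\NETWORK SERVICE')
  before = s.powershell_execute('whoami')        # no warning yet
  s.impersonate('NT AUTHORITY\\SYSTEM')           # getsystem / impersonate_token
  during = s.powershell_execute('whoami')        # warning, still runs as primary
  s.rev2self                                     # drop the token
  after = s.powershell_execute('whoami')         # warning gone again
  { before: before, during: during, after: after, final_uid: s.getuid }
end

if __FILE__ == $PROGRAM_NAME
  verification_walkthrough.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The point the model makes explicit is the one the transcript only implies: `getuid` reports the impersonated identity while the PowerShell command's own `whoami` still reports the primary one, which is exactly the mismatch the warning exists to flag.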