So it turns out that Windows Firewall talks IP addresses just like any other firewall, so if you configure FakeNetBIOSNS to tell everyone that the IP address for whatever they looked up is YOUR IP, guess what, no need to bypass the spoof filters ;–) Happy Rob!
1 2 3 | |
Results in:
Game ON!
One of pen testers favorite attacks is NBNS spoofing. Now Wesley who I originally learned this attack from, traced this back to sid (http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/) . Wesley’s stuff can be found here: http://www.mcgrewsecurity.com/tools/nbnspoof/
Wesley’s stuff eventually lead to this awesome post on the Packetstan blog: http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
and in that post the Metasploit module to do it all is demoed. But there in lies the rub. With each degree of separation we have more and more solidified in into a “on-site” only attack. But if you read through Sid’s paper from 2007 this doesn’t have to be the case. He uses a tool written by “Patrick Chambet” back in 2005 for the Honeynet project: http://seclists.org/honeypots/2005/q4/46 called “FakeNetbiosDGM and FakeNetbiosNS”.
Finding the tools was no easy task though, googling for the file name, the author or the project just netted me this link:
http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip
Gotta love the Wayback Machine, I finally found it here: http://wayback.archive.org/web/*/http://honeynet.rstack.org/tools/FakeNetBIOS-0.91.zip
and eventually also here (on the author’s site of all places): http://www.chambet.com/tools.html
Question is, does it still work?? 2nd Question, how well does it work through/with Meterpreter?
(As a side note, I haven’t tried, but you might be able to use Py2Exe or PyInstaller to run nbnspoof.py on a windows box)
When running it on XP SP3 I get the following
Booooooooo, and on Windows 7 I get this:
Ok, error 10013 is a permissions issue, I can deal with that..
Run as Administrator it works! But something is wrong with the communication because the host doing the lookup doesn’t get the correct resolution back.
From what I can google it looks as though Windows Firewall has an ‘Anti-Spoofing’ outbound filter, so these “Bytes sent” don’t even make it to Wireshark.
I have created a Github repository, stuck the contents of the zip file in it and this is where I ask for help. If you know 1) how to disable the Windows Anti-spoofing filter or 2) How to circumvent it please leave a comment here, and issue on the repo or email me directly.
UPDATE (1&2 solved for this use case): /blog/2012/09/02/old-school-on-target-nbns-spoofing-part-2/
The other thing is, if you want to improve the code, that would be awesome too, submit a pull request, I’d love to get this thing going again and make it into something that we can solidly use over a Meterpreter session.
Github repo: https://github.com/mubix/FakeNetBIOS
And if the only commit to this repo 5 years from now is “Initial commit” then at the very least it will be some where the next blogger who picks up the trail can get it from.
P.S. If you know how to solve the issue on XP, that would be an awesome fix as well.
UPDATE 2: Looks like the XP issue ahas the Anti-spoofing too. (i.e it works great if you use the IP of the actual IP of the box with different hostnames)
I guess the only improvement I’d look for is for an .* (ALL HOSTS) ability
Watching Egypt’s talk at DEFCON 20 he mentioned the ability to jump on on a system when pageant (puTTY’s ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here is what I came up with:
1 2 3 4 5 6 7 8 9 10 | |
Awesome, this guy runs as root and we have the IP address. But it doesn’t have any public keys listed. That’s ok because Pageant is running.
1 2 3 4 5 6 7 8 9 10 11 12 13 | |
w00t! An extra shell for free!!
The post exploitation command lists:
Have been a weekly upkeep for me with so many… I don’t know what to call it, ‘undesirable edits’ to them. Bad copies, bad pastes, formatting issues and some times deletion or vandalism of the docs. Anyways, I have finally broken down and removed ‘world’ editable permissions. Anyone who has these links can still comment and copy the docs, but they can no longer edit them directly.
If you would like to contribute, please shoot me a tweet, a email, a .. anything and I will gladly add you to the permissions to edit. Honestly it just became so overwhelming that every time I thought to add something I would cringe away because I know I’d spend most of time fixing them.
Anyway enough of my crying, please if you have stuff to add or are just really good at fixing up formatting, let me know and I’ll add you to the editors list.
Thanks, mubix
In the previous post: http://www.room362.com/blog/2012/8/11/let-me-out-of-your-net-workndashintro.html I told you about letmeoutofyour.net, but how does it work?
Things we need to accomplish on the server:
ONE: Listen on all ports
(I used Linux, so this guide is for such, modifications to other OSs is up to the reader)
First you have to get rid of all other services. That’s harder than you would first assume, because you have to admin the box some how. You could toss SSH on a really high port, or have some kind of backend management, or just remove things from running on a multi-IP’d box. It would be impossible in this post to describe every way this is done so I’ll leave it to you to research.
Once you have everything gone, install and start Apache or your favorite web server for Linux. Then run this very simple command that I stole from a commenter on the “Forcing Payloads Through Restrictive Firewalls” post:
iptables -t nat -I PREROUTING -p tcp -m state --state NEW -d 192.168.1.1 -j DNAT --to 192.168.1.1:80
Where ‘192.168.1.1’ is the IP address of your box. IPv4 NATing just allowed you to listen on every single port by forwarding them all to port 80. That simple. Don’t make the mistake I did and forget to set up alternative management before you set that rule, because if you don’t you’ll be forced to find one.
TWO: Answer for all hostnames and subdomains
This is pretty easy, DNS has the concept of a wildcard hostname. You simply put an asterisk * in the place of where you would normally put a WWW however you manage your DNS and you’re good. You will also want to add a second record, an ‘@’ is used to reference the domain without a host or subdomain. So the first records makes it answer for things like http://blah.letmeoutofyour.net and the second for http://letmeoutofyour.net/ – Pretty simple ya?
THREE: Answer for all HTTP verbs, file and folder requests
This is pretty simple as well. Apache’s mod_rewrite to the rescue. Here are the rules:
1 2 3 4 5 | |
You can either apply this in an .htaccess file or directly in the site configs, up to you.
And that’s it. It all seems really simple, but took me a good amount of time putting it all together. Next up, binaries and call backs that use this to wriggle their way out of networks.
P.S.
This setup throws web scanners through a loop, and if you wanted to be REALLY nasty you could have a bit of php make the index page be an endless 302 or have w00w00t linked to a random page / folder which is generated each time it’s requested.
Something that is often useful is a known-good. Something out of the control of your adversary or outside modifiers. But back to that in a sec, egress ‘busting’ or getting your payload/backdoor/trojan/c2 out of someone’s network once you’ve gotten that ever elusive “CODE EXECUTION HAPPY DANCE” going on isn’t always easy. There is even a Metasploit payload for it called ‘allports’:
There is also ‘Egress Buster’ by the guys over at TrustedSec which can do 1000 ports in just a few seconds:
https://www.trustedsec.com/july-2012/egress-buster-reverse-bypassav/
The problem I find with these tools is that they are still straight TCP. *(Yes, yes I know most networks still allow some ports directly outbound) and these tools are still quite valid. During the span between these two tools being released, MrB released a site that listens on all 65k ports: http://open.zorinaq.com/about/
Figured I should merge these ideas and add a few more capabilities (and show you how I did it so you can do so yourself), and so LetMeOutOfYour.net was born.
You can hit any subdomain or hostname of letmeoutofyour.net on any port with any HTTP Verb for any resource (web page or folder) and you will always receive a ‘w00tw00t’ back.
For example this request (removed the unimportant headers on the request to save space):
1 2 3 4 | |
Will result in this:
1 2 3 4 5 6 7 8 9 10 11 12 | |
All of those headers are standard Apache headers with the content being just ‘w00tw00t’. Making the connection an HTTP one opens a few doors to things like proxies. It’s ok to cackle at this point.
In the following parts I’ll show you how to build the server itself and a binary to find it’s way out of networks. Feel free to point your own domains at the IP it’s hosted on, it can handle it. Have a try, I know you want to:
http://youshouldreally.letmeoutofyour.net/before/i/get/angry/and/youwouldntlikemewhenimangry.asp
Egypt and I have decided to give away a spot in our training event at DerbyCon. This won’t come easy though, you have to submit an essay to us with one of the following topics:
Essay Topic Options:
1. Why I deserve a free training class
2. How I would social engineer Egypt and Mubix out of a ticket to their class
Maximum Length: ~1000 words / 3 pages. (We’re lazy)
Submissions sent in direct email, PDF, or Doc(x) (extra points for zero day!) format to: derbyessay@room362.com
The due date for a valid submission is 2359 GMT on August 15th, decisions will be made that weekend (August 18th & 19th) and the winner will be announced (and emailed direction how to obtain class info) on the 20th. **
Good luck!
— egypt and mubix
Also check out corelanc0der’s contest for a spot in his class here: https://www.corelan.be/index.php/2012/08/05/corelan-t-shirt-contest-derbycon-2012/
P.S. Dont’ know what DerbyCon is or the training we are providing? Here are some #lazyweb links:
Derbycon: https://www.derbycon.com/
Our training at Derbycon: https://www.derbycon.com/training-courses/#metasploit
Outline of the training (it’s changed a bit but generally right): /blog/2012/05/22/derbycon-training-sep-27-28-2012/
With the use of Mimikatz and WCE, clear text passwords are much more common. What isn’t always there is the user. They take lunches, go home at a reasonable time and generally aren’t really appreciative of our (pentester/red teamer)’s schedule.
A straight forward way, and provided by Microsoft to create a process as a user (whereby having their token readily available is using ‘runas.exe’:
w00t, we the user is present, we can migrate our meterepreter session into that notepad and we’re good right? Problem there is you have to interactively input the password, so without a real cmd.exe or RDP session of your own, (VNC payload would work), you’re generally SOL.
There are a ton of posted ways around this, most involve make a wrapper script to input the password for you such as this one:
(this was pretty unique as it actually sent the keys to the key buffer instead of directly to STDIN)
Another way if you don’t mind dropping / creating a custom bin, AutoIT makes this REALLY simple:
This could be 2 lines if you really wanted it to be but I like to make things a bit more universal. You could also execute this directly in memory with meterepreter’s execute command with the “-m” argument after you’ve built the AutoIT script into a EXE.
But what go through all that trouble? Railgun can do this just as easily. Drop to IRB or create a script that does the following:
1 2 | |
This will create a notepad.exe process with the defined user. But we can go a bit more stealthy, since we really only need their account token we can just user LogonUser:
1
| |
List the tokens available with Incognito, your new user will be there, steal it and you’re done. You now have the ability to user that account/domain token on any of the hosts you’ve compromised on the network, not just the ones they happen to have left themselves logged in. This gets really fun on servers where the admin hasn’t logged in but you wanna grab all of their IE saved passwords ;–)
Every so often someone writes a Metasploit Module that is pretty epic. Today is one such day:
Twitter Link: https://twitter.com/webstersprodigy/status/222529916783169536
Which has a link to here: https://github.com/rapid7/metasploit-framework/pull/589
Demo / Example resource files: https://skydrive.live.com/?cid=19794fac33285fd5&resid=19794FAC33285FD5!170&id=19794FAC33285FD5%21170
You can pull the fork w/ branch from here: https://github.com/webstersprodigy/metasploit-framework/tree/module-http-ntlmrelay
And as soon as you do you can start doing this (using the example resource file to put a file, cat it out, enum shares available, list files on a share, then psexec all from a single URL being loaded):
163 address is the Victim I tricked into loading a URL and 182 is the system I want to get onto. This is an HTTP request resulting in a SMB Relay’d auth. It looks as though multiple targets can be used as relay targets but I haven’t tested this out yet.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | |
Let the fun begin…
@jabjorkhaug posed the following question on Twitter today:
I figured I could solve this and it would be an interesting challenge. Here is what it gets detected as:
The service binary that is used as part of PSEXEC is located here:
MSF Directory/data/templates/src/pe/exe/service/service.c
The important part to look at starts at line 57:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 | |
It’s injecting our payload into the service binary and tossing our payload into “rundll32.exe” at run time on the victim (side note: you can change which bin it goes into ;). Lets change this so it doesn’t do any injection and just executes a binary. That removes the ‘injection’ piece and hopefully lets us get our shell. We are loosing a bit of stealth because instead of just one (the service binary) we are writing two binaries.
To make this change you replace the above with just this:
1 2 3 4 | |
Compiling this on OSX using mingw is very easy and is very similar on Ubuntu if you have mingw installed:
1
| |
Then just copy it to replace the current one:
1
| |
No other changes are needed. Only problem is, how do we get the “evil.exe” up onto the box for it to execute? That’s where the auxiliary module “auxiliary/admin/smb/upload_file” comes in :–) I built a resource file to demo the timeline of getting execution with this new service binary (broken up with comments to explain, remove the comments for it to work):
Start Multi Handler
1 2 3 4 5 6 | |
Upload file to evil.exe on the C$ share (C$ is default for this module so no reason to set it)
1 2 3 4 5 6 7 | |
Execute PSEXEC using the new service binary that simply executes
1 2 3 4 5 6 7 8 9 | |
The passwords could have just as easily been hashes, and the end result is:
Well I can’t really show you that nothing was detected… so I guess you just have to believe me when I say:
1
| |
w00t!