I am way late to the game on this, but if you have a blog, a twitter handle, or even better (in this specific case) a CISSP, please support Wim Remes (@wimremes), as he has submitted to become a member of the (ISC)2 Board of Directors.
Update 1: No this doesn’t need to be in memory since you control the system but it was a fun challenge
Update 2: The info from the ‘adduser’ payload says ‘Create a new user and add them to local administration group’ – I’m guessing I didn’t notice this because I ran it on a DC, but it is something to keep in mind when running this script.
Adding users to a domain that you create for learning, training, or just for testing things out on can be quite tedious. Most of the time I just put in a few users to simulate the different ‘levels’ I need for my testing. However, that doesn’t really give someone you’re training much to think about, i.e. it’s really easy to identify the ‘interesting’ users when there are only a couple to pick from.
I am certainly not the first one to solve this problem:
These work perfectly and are all really easy. The problem for me is that with some of them the usernames are too similar and/or the passwords are the same or similar.
Well, of course I had to do it in Metasploit. (No, not everything has to be in Metasploit, but in this instance it actually helps a lot and you’ll see why in a sec)
Easiest way to get a bunch of random users is to download a list of names, I used this one:
The ‘usercount’ variable will be used for our loop on how many users to create. Next, just to shake things up, we create another array of common suffixes:
Now to loop through the account creation, and since I’m not a big fan of running cmd.exe (staying in memory is one of the staples of Meterpreter), we’ll do it by injecting $usercount copies of the windows/adduser payload into our current process.
For usernames I take a random name and use its first letter, and then another random selection for the rest. This makes it look like a first initial + last name username scheme.
For passwords I throw a bit of a twist in there: I randomly select whether to generate a ‘bad/ok/good’ password and use, respectively, just a random selection, a random selection + a date or number we generated earlier, or two random selections put together.
```ruby
# names, passwords, datesnum and usercount are the arrays/count built in the
# setup steps above. usercount.times (rather than 0..usercount, which ran one
# extra iteration) creates exactly $usercount users.
usercount.times do
  fname = names[rand(names.size)]
  lname = names[rand(names.size)]
  goodpass = rand(3)   # 0 = bad, 1 = ok, 2 = good password
  password = case goodpass
             when 0 then passwords[rand(passwords.size)]
             when 1 then "#{passwords[rand(passwords.size)]}#{datesnum[rand(datesnum.size)]}"
             when 2 then "#{passwords[rand(passwords.size)]}#{passwords[rand(passwords.size)]}"
             end
  # first initial + random "last name"
  username = "#{fname[0].chr}#{lname}"
  case goodpass
  when 0 then puts "#{username} has a bad password of #{password}"
  when 1 then puts "#{username} has an ok password of #{password}"
  when 2 then puts "#{username} has a good password of #{password}"
  end

  # Generate a windows/adduser payload and run it inside the current process
  # instead of spawning cmd.exe
  pay = client.framework.payloads.create('windows/adduser')
  pay.datastore['USER'] = username
  pay.datastore['PASS'] = password
  raw = pay.generate
  host_process = client.sys.process.open(client.sys.process.getpid, PROCESS_ALL_ACCESS)
  mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
  host_process.memory.write(mem, raw)
  host_process.thread.create(mem, 0)
  print_status("#{username} created with password: #{password}")
end
```
Know what’s great about this? With just a few changed lines you can slam all of the user creation payloads into one binary and have something you can run any time you want to generate a bunch of users quickly. (Good to mess with CCDC blue teams too!)
It looked like a lot of hard work to set that up and I’m really lazy. I didn’t want to have to go through all that every time I got onto a new network. So, I made a very simple Meterpreter post module to just call a Windows API function called ‘gethostbyaddr’ using Railgun.
TL;DR: You can download the post module here: ipresolver.rb
(There were a bunch more lines of error correcting, but I just wanted to show these as the actual methods used on a successful run.)
But on other hosts the 12th byte came back with a pointer to all 0s, so there was no way to jump again (hostnameptr) to the actual hostname.
What I missed while trying to do things the “C” way was that the hostname was always prefixed with the IP address in network byte order… Hold up, I know it begins with something I already know, and ends in the standard “C” string terminator of a null byte. So all of that plus the crazy error correction became:
That’s it, you can check out the download for the post module above.
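The trick described above, as an added example that is not the ipresolver.rb module's own code: given the raw bytes read back from the memory gethostbyaddr returned (assumed here to have been read through the Meterpreter memory API), locate the queried IP in network byte order and take the NUL-terminated string that follows it.

```ruby
# Added example, not the post module's code. 'blob' is assumed to be the bytes
# read back from the hostent area; 'ip' is the dotted-quad that was looked up.
MAX_HOSTNAME = 255   # RFC 1035 limit; anything longer means we matched garbage

def hostname_from_hostent_blob(blob, ip)
  raise ArgumentError, "bad IPv4 address #{ip}" unless ip =~ /\A(\d{1,3}\.){3}\d{1,3}\z/
  octets = ip.split('.').map(&:to_i)
  raise ArgumentError, "bad IPv4 address #{ip}" unless octets.all? { |o| (0..255).include?(o) }

  blob   = blob.b                        # work on raw bytes regardless of source encoding
  marker = octets.pack('C4')             # the 4 bytes gethostbyaddr was handed
  start  = blob.index(marker)
  return nil if start.nil?               # IP never appears: lookup failed or wrong read
  start += marker.bytesize
  stop = blob.index("\x00".b, start)     # the C string terminator
  # no terminator, empty name, or an implausibly long run: treat as a failed lookup
  return nil if stop.nil? || stop == start || stop - start > MAX_HOSTNAME
  blob[start...stop]
end

# Constructed sample: 12 bytes standing in for the hostent pointers, then the
# IP in network order, the name, and NUL padding.
SAMPLE_BLOB = ("\x00" * 12).b + [192, 168, 0, 102].pack('C4') + "dc01.lab.local\x00\x00".b
puts hostname_from_hostent_blob(SAMPLE_BLOB, "192.168.0.102")
```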
I do however have one disadvantage compared to how the guys at SecurityArtWork did things: you can’t thread it. For whatever reason the API call I am using uses the exact same memory space for each lookup. I tried adding threading and what I got was a bunch of systems that resolved to the exact same thing.
If anyone knows a way to fix this I am all ears because right now the module is slow.
One important thing to note about Railgun is that you are querying the API directly, and just as if you were using C++, the API you are calling might not be there on the system you are calling it on. So here is a quick trick to find out if the function (API) you are trying to call is available to you:
For my example I’m using ‘getaddrinfo’ since its life in Windows is somewhat odd. If a user has installed Windows 2000’s IPv6 package it’s there; if not, it’s not. So if you run up on a WinNT box or a Win2k box that doesn’t have an updated stack, this function isn’t going to work for you.
(Just as a side note, this is not dependent on the function being defined in Railgun already.)
getaddrinfo is in ws2_32.dll (WinSock), so we get a handle from that DLL first:
If that returns an error in the form of a Ruby hash with “GetLastError” being ‘127’, that means that ws2_32.dll is not loaded in the process. You will need to get it loaded into the process by calling client.railgun.ws2_32 (or whatever DLL you are going for). If it is not defined in Railgun this will fail and you’ll have to add the DLL like I’ve talked about in previous posts.
So it’s pretty easy to handle that. If modhandle[“return”] == 0 something went wrong and we need to handle it; else we got a handle address and we can continue.
Same deal: if procaddr[“return”] == 0 then we have an issue (probably the function doesn’t exist in that version of the DLL); else we are good to go to call the function on the Meterpreter session we are in and the system we are on.
Easy stuff, doing this on any of the Railgun scripts/post modules you have will greatly increase both the reliability and the user’s ability to know why it didn’t work.
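The GetModuleHandle / GetProcAddress check above wrapped into one helper, as an added example rather than code from the post or from the ipresolver module. It assumes railgun is client.railgun from a Meterpreter session and that the kernel32 wrappers it calls (GetModuleHandleA, LoadLibraryA, GetProcAddress) return the usual Railgun hash with 'return' and 'GetLastError' keys; the fallback when the DLL is not mapped uses LoadLibraryA rather than touching client.railgun.ws2_32.

```ruby
# Added example, not the post module's own code.
# Returns [true, address] when the export exists, else [false, reason].
def railgun_api_available?(railgun, dll, func)
  mod = railgun.kernel32.GetModuleHandleA(dll)
  handle = mod['return']
  if handle == 0
    # DLL is not mapped in this process yet: try to load it before giving up
    loaded = railgun.kernel32.LoadLibraryA(dll)
    handle = loaded['return']
    if handle == 0
      return [false, "#{dll}: not loaded and LoadLibrary failed " \
                     "(GetLastError=#{loaded['GetLastError']})"]
    end
  end
  addr = railgun.kernel32.GetProcAddress(handle, func)
  if addr['return'] == 0
    # the handle is fine, so this DLL version simply does not export the function
    return [false, "#{func}: not exported by #{dll} on this host " \
                   "(GetLastError=#{addr['GetLastError']})"]
  end
  [true, addr['return']]
end

# Inside a post module you would use it like this (assumed names, client is the session):
#   ok, info = railgun_api_available?(client.railgun, 'ws2_32.dll', 'getaddrinfo')
#   ok ? print_status("getaddrinfo at 0x#{info.to_s(16)}") : print_error(info)
```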
Also known as “How to practice what we preach”. I don’t know how long I’ve been telling clients that they need to have a minimum password length of 15 characters so there is no chance LM will be stored (and as a side bonus that their password won’t be close to their original). But I’ve never tried setting it myself. Well, a client called me out. You can’t! (Well, at least not through the UI.)
and set “MinimumPasswordLength” to whatever you want it to be. (You need to replace any part of the path starting with a $ with the value applicable to your domain and group policy object.)
I tested this out myself, and sure enough, once you get up to 14 on the iterator, it jumps back down to 0:
After some googling I came up pretty empty handed (hence the highly SEO’d title of this post). I asked the question on Twitter and got a bunch of different answers, but @RizzyRong’s was the first one in that I could try out: (THANK YOU to everyone who shot me answers, I really appreciate it, and to those who shared my curiosity I hope this helps you out)
ADMod is a Joeware tool. Any Windows sysadmin should at the very least know of these tools, as penetration testers use them to great effect:
RizzyRong’s instructions are straight forward and so was the tool:
For copy-paste purposes that’s: admod -default minpwdlength::15
w00t, done right? Let’s check:
We have a winner! Testing out a user:
14 characters…
Cool. This applied to the Default Domain Policy. That’s a problem if I want to move this setting around or I don’t actually apply the default policy to any objects. I also ran into some file permission errors when trying to set other GPO settings after I ran ADMod: (If anyone knows a better way to operate ADMod to this end please leave a comment below)
Alright, we definitely need a cleaner and more repeatable / flexible solution. After fixing the file permission issues I noticed that my setting was in that file. I wonder if I can set this manually and have it actually stick. Let’s try. We need the GUID, so let’s make a policy that we can apply anywhere we want, as many times as we want, with JUST that minimum password length setting.
GUID acquired. To make Microsoft do most of the work we set the minimum password length in that policy to 14 (or whatever), just so that we don’t have to remember the file and folder structure for the GPO. Next we go to the location where the policy setting is stored:
(replacing the 2 $DOMAIN instances with our domain name and $PolicyGUID with the GUID we copied from the policy page). If we set the policy to 14 there should be a line in the GptTmpl.inf file (you can open it with Notepad) that says ‘MinimumPasswordLength = 14’; change that to 15 or whatever you wish, like so:
We check back or simply refresh our GPO settings:
Sweet, it’s there, again, just to be thorough we test and sure enough it works.
A few quick notes: Your users might complain about a few popups:
Not much you can do about this one, and I doubt your users will care, but this next one might get you a few support calls:
I haven’t found a way to make that say anything other than 14 characters (for that matter the 24 previous passwords number is incorrect as well)
If anyone knows how to fix this dialog or disable the previous one I am all ears. Please leave a comment so others can know how as well.
Update on 2011-07-26 17:10 by Rob Fuller
Jason mentioned that if you don’t increment the policy version in
which basically says that you can have it in a separate policy but it needs to supersede the default group policy at the domain level (making it essentially pointless to do so for anything other than ease of administration and beautification of the GPO list) (which is a valid reason for doing so).
If you need to apply the policy at the OU level it needs to be in a Windows 2008 functional level domain.
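The GptTmpl.inf edit from the walkthrough above, plus the policy version increment the update mentions, as an added example that is not from the post. It works on the file contents as strings and assumes the ‘[System Access]’ section holds ‘MinimumPasswordLength = N’, that gpt.ini’s ‘Version=N’ packs the user version in the high 16 bits and the machine version in the low 16 bits, and that a password-policy edit counts as a machine-side change (so only the low half is bumped).

```ruby
# Added example, not from the post. GptTmpl.inf on disk is UTF-16LE with a BOM
# ([Unicode] Unicode=yes), so read and write it with that encoding, e.g.
# File.read(path, mode: 'rb:BOM|UTF-16LE:UTF-8'); gpt.ini is plain ANSI text.
def raise_min_pwd_length(inf_text, gptini_text, new_len)
  raise ArgumentError, "length must be a positive integer" unless new_len.is_a?(Integer) && new_len > 0

  # Only touch the key inside [System Access]; other sections are left alone
  section = inf_text[/^\[System Access\].*?(?=^\[|\z)/m]
  raise "no [System Access] section in GptTmpl.inf" if section.nil?
  key = /^(MinimumPasswordLength[ \t]*=[ \t]*)(\d+)/
  raise "MinimumPasswordLength not set in [System Access]" unless section =~ key
  new_section = section.sub(key) { "#{$1}#{new_len}" }
  new_inf = inf_text.sub(section, new_section)

  # Clients compare this number with the version they last applied, so an
  # unchanged Version means an unchanged password policy on the machines
  ver = /^(Version[ \t]*=[ \t]*)(\d+)/
  raise "no Version in gpt.ini" unless gptini_text =~ ver
  old_version = $2.to_i
  user_ver    = old_version >> 16
  machine_ver = (old_version & 0xFFFF) + 1
  new_version = (user_ver << 16) | (machine_ver & 0xFFFF)
  new_gptini  = gptini_text.sub(ver) { "#{$1}#{new_version}" }

  [new_inf, new_gptini, new_version]
end
```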
This series was interrupted a bit by the new Metasploit HTTP/HTTPS payloads (more info). Definitely not complaining though, as the new features (as will be discussed in part 2) are some epic new additions to the payloads list. However, an important change happened while the craziness over the new payloads was going on. ScriptJunkie snuck in an awesome change to msfvenom (a.k.a. msffsm).
Here is the link to the ticket about the change (link) and the revision (r13057)
TL;DR version: This change allows you to put multiple payloads into one binary… ya.. awesomesauce.
In this example, when ‘rev102msgbox.exe’ is run it will pop up a message box with the default options (Hello, from MSF!) and throw a reverse_tcp connection to 192.168.0.102 over the default port of 4444.
This is great as an example and a good way to test to see if things are working, but I don’t normally like to inform my victims that I’m there by saying hello (especially if I’m not there to see their faces).
So I thought that this would be a great way of throwing a bunch of payloads together to try a few of the tried and true ways of getting past restrictive networks all in one binary. I started off with 3 payloads:
reverse_tcp_dns to port 7815
reverse_tcp_dns to port 80
reverse_https to port 443
I chose those because I can change the DNS to point to a new IP address in future without having to regenerate my binary and size really isn’t a concern since I won’t be using it in an exploit.
(SIDE NOTE: The motive for the port 7815 one is because sometimes there are proxy settings for port 80 and 443 which the new HTTP/HTTPS payloads can handle (‘cept for Auth proxies) but for some reason quite regularly companies will still allow odd ports to fly through unencumbered)
Luckily (and you’ll see why in a second) I forgot to set up a multi/handler on port 7815, which caused me to notice an issue. When one of the payloads failed to connect, ‘ExitProcess’ was called, causing all of my payloads to die prematurely (even if they had already gotten the second stage).
I tried setting AutoRunScript to ‘migrate -f’ so that the payloads would migrate out into a new Notepad process. But the connection died too quickly and none of the payloads were fast enough at jumping ship.
ReverseConnectRetries to the rescue. This is an advanced setting for the reverse_tcp family (ipv6_tcp, nonx_tcp, ord_tcp, tcp, tcp_allports, tcp_dns) which tells the payload how many times to loop through the initial connection. It defaults to 5 but can be anything between 1 and 255. The 255 setting is special since it actually sets an infinite loop. Sweet, now our binary should never call ExitProcess, right? Not quite: reverse_https and reverse_http don’t have this setting. We are still in a bit of a race condition if we want to use those payloads, but it is a race we can win now at least.
I wrote a very simple batch file to generate my new binary when I need it (also so I don’t have to remember all the commands):
Plus it tells you what’s going on and does a bit of clean up, leaving you with just your hydra-binary. One of the things I thought about adding was the cmd/windows/adduser payload, just so if the user is an admin we can start our day off without having to add ourselves a user, but I decided against it for clean up and “noise” purposes.
(You’ll also notice that one of the payloads is going somewhere else.. no reason to not give your payloads every chance of getting out) Sharing is caring right?
I’ve been cracking passwords for a while and use a myriad of tools in a certain order to get the job done. I find that Cain is still my go-to for allowing me to visualize the process and do some basic sorting (really wish I could search in-app). But I’ve been asking around on Twitter questions like “Why is GPU cracking for 50k hashes faster than Rainbow Tables?” (most say the bottleneck is the HDD read style and speed), and many asked what all of my complaints are, so I figured this would be the best place (vice multiple emails).
DISCLAIMER: I have very little crypto knowledge and even less GPU programming knowledge so I only get to complain as a user and not as someone who can actually fix the things I complain about.
Lack of LM support. I get that this is a complicated hashing algorithm, but 90% of companies still have it turned on, and cracking any more than a few LM hashes with Rainbow Tables is impractical unless you have an SSD RAID with a GPU-based cracker ($$$$$).
Lack of dictionary support. Right now the best way to crack passwords is with oclhashcat-plus since it is GPU based and supports rules, multiple hashes (hash files) and directories of hashes. However, it has a very limited list of hashes it supports (No LM, SHA1, etc..) and it doesn’t support dump formats, so you need to strip the file so it just has the hash (this is more of just a bother than a gripe).
I say ‘The best way’ because anything that has a key space larger than upper-alpha-numeric-32symbol (LM) is just a bit nuts to try and brute force out of the gate unless your goal is to ‘crack them all’. Me as a pentester, I want to get as many as possible, as quick as possible, so this means dictionaries are the smarter option. (Maybe later I can do the straight brute if I really need / want to)
Lack of POT. For some reason every cracking app on the planet, save for JtR, thinks it’s a good idea to crack the same hash multiple times. I wish even Cain would keep a secret store of all the hashes it’s cracked stripped of anything unimportant (need the salt (username) sometimes) and store it in the background so that if it comes across the same hash it can say “oo oo I know this one” and auto populate it even before I start cracking. Why more cracking software writers don’t do this I’ll never know (would make their software seem a ton faster the more it is used)
Lack of formatting documentation (#ripshairout). Rare is the time I’ve found a cracking program that shows you how it wants to consume a hash. JtR is the most egregious offender at this, but they all do it. One would think people would try and make it easy for people to use their software (give examples of what shit is supposed to look like, at least if you don’t support standard formats).
Those are my biggest gripes at the moment. If I am wrong on any account, let me know, I would love to know of a better way to do things.
I missed the 3 year anniversary of NoVA Hackers but I did want to make a post about it since we are still going strong and are now at ~150 active members.
Chris Gates and I started this thing together back in October of 2008. It spawned off of Chris’ idea to start an AHA (Austin Hackers Association)-like group in NoVA. Its ideals merged with the already-running NoVA Security Luncheons that I was throwing in Reston VA and DC, and that was where it all started.
The only rules we have are participation and mutual respect. We wanted to have a place where people could present anything from awesome new ideas and pre-conference test-runs to the security settings on a Mac. Accessible, so that people could learn how to speak and get in front of people, and trusting enough that people could do those pre-con / crazy idea talks and not worry that it’s going to get tweeted/blogged about.
With that said Georgia is awesome enough to record the presentations of members who do wish to be recorded and posts them regularly to the interwebs here:
We now have 5-10 speakers every month (2nd Monday of the month unless moved for other reasons); we have pizza, beer, snacks and an awesome location (thanks to Lucas Lyon). Our next meeting is July 11th actually, so get invited quick!
or if you know someone in the group you can simply ask them to invite you.
Just a word of warning, we do take the participation rule seriously, lurkers and non-participants are cut from the list.
(Our definition of participation means asking questions (think instant access to industry experts), starting discussions, responding to the questions on the mailing list, or showing up for meetings. But the best and easiest way to be able to slack a bit on the mailing list or attendance side is to present. That is the main reason for the group/meetings.)
Nick Harbour wrote a post on Mandiant’s blog about some malware that was using a DLL called ‘fxsst.dll’ to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a fax server (anyone still do that?). He mentions some very interesting points:
The DLL gets loaded at login by Explorer
The DLL exists in System32 but is looked for in Windows first
Explorer doesn’t try to use anything inside of it via exports unless the system is acting as a fax server (aka safe to put a pretty bland DLL there)
I thought… no, it couldn’t be that simple… let’s see:
We have our victim in a session and are going to make a DLL that points back to our reverse_https multi/handler over port 443.
Ok, we’ve got our super evil fxsst.dll, now let’s put it in place.
Let’s test it out just to make sure it works. I will use the PID of explorer.exe (because that’s where it’s going to be normally) and I’m going to use the method I talked about in the Remote DLL Injection post.
Woot! Ok, so the DLL works, but does it load when a user logs in… (drop out of our 2 sessions first)
That’s me logging in 2 times because I couldn’t believe that it worked. System was fine, and I had a shell. These tests were performed on XP. On Win7 x64 it made the system freeze up. Right now the DLL payload generation in Metasploit for 64-bit systems isn’t set up. So stay away from doing this on x64 systems, at least with the Metasploit DLL: since it’s run at login, you’ll have to use psexec or another session to actually remove the file while everyone is logged out. TEST PRIOR TO USE as always.