Room362.com

Blatherings of a security addict.

Metasploit Mastery Meets CanSecWest

In 2012 @egypt and I taught Metasploit Mastery for a day and a half at @DerbyCon. This was a lot of fun, but we had to cram a TON of slides into that short period of time. PLUS we had a CTF at the end where people had to break into a (virtualized) corporate network and sell their shells, data, passwords, or flags to us (egypt and I were acting as opposing countries). You could sell low to one and high to another, or whatever. Most money at the end wins. (We used a score card with ranges to keep it even.)

We are doubling down on the content being provided and doing 3 full days at @CanSecWest. You get to learn the nooks and crannies of Metasploit’s guts from egypt himself, and operational use from me, with a ton mixed in between. I mean, just getting in the room with egypt’s beard is worth the price of admission.

See you there!

Link: http://cansecwest.com/dojos/2013/meta_mastery.html

Intro to White Chapel

I made a slide deck to kind of explain my latest project. Basically I got fed up with having dictionaries, passwords, and cracking tools but no way to really do better collaboration in a team format as well as just better management for myself. 

Please feel free to submit pull requests, issues if you think something is broken or want features, or whatever on the Github repo here:

https://github.com/mubix/WhiteChapel/

Here is the slide deck:

[SlideShare embed: 16064224]

Cyber Pickpocketing

Drink!!

So I’ve been working on a training package that takes a bit of a different approach than what I’ve normally done. The training breaks down like this:

  • Day 1: Local LAN based exploit (Windows)
  • Day 2: Remote Web based exploit (Linux)
  • Day 3: Client side exploit (Windows)
  • Day 4: Local exploit (FreeBSD)
  • Day 5: Network of the Seven Bells Test

Each day (save for the 5th) will focus on a single exploit: explaining it, running it on virtual machines, and spending 8 hours diving into as many of the detectable changes that exploit makes on a system as we can, and how to avoid making them or make them vanish.

Day 5 will be a lot like a CTF where you know all the answers. First one to get all 7 exploits completed without being detected wins.

Venue is TBD, but I’ve been putting a lot of time into making the VMs, slides and such, and I just need some feedback on what you guys think.

Let me know in the comments (something more valuable than “great idea!” or “that’s stupid”, please).

Delete TrustedInstaller-only Files and Folders

Not very security related, but something I don’t want to forget how to do. It was a PITA. I had an old WINDOWS directory that I needed to get rid of, and the following commands gave me the oomph needed to get the job done.

1) Get a SYSTEM shell so that all the permission changes will go through.

psexec /accepteula -i -s cmd

2) Grant Administrators FULL rights to the directory and all subdirectories and files.

icacls C:\Windows\* /grant Administrators:F /C /T

3) Finish the job: delete the folder and everything below it.

rmdir /s /q C:\Windows\

All done. Weeeeeeeee!

If you have a better way to do this via commands or programs please let me know, always looking to learn more.

EXE::Custom in Metasploit’s Java Exploits

Let me say first off that this isn’t the most elegant of ways to accomplish it. It is in the “it works for me” stage.

A quick primer on EXE::Custom: this is a setting, just like RHOST, that appears in Metasploit wherever an EXE is built for Windows payloads, such as PSEXEC, BypassUAC, etc. It tells Metasploit to ignore all of your payload settings and just use the EXE you have specified. Now, this does come at a bit of a cost. If you don’t have a handler set up to catch whatever is in your EXE and you have bogus information in the payload settings for your module, Metasploit won’t be able to magically determine what you want it to do. So make sure that you either have the payload settings correct (even though it won’t use them for the exploit) or set the option “DisablePayloadHandler” to true and start your own handler somewhere else.

With that said, the Java Signed Applet attack is one of the most widely used. One problem with the Metasploit module version is that you have no external control (such as EXE::Custom) over the binary that is dropped if you are using a Windows native payload. (I do highly recommend trying out Java Meterpreter, but that is for another post.)

Here is the hack that gets me by until a more elegant solution is thought up by smarter people than I:

We are going to use the Java Rhino exploit, and this story starts with an undetectable.exe sitting in /tmp/. How you bypass the AV you are up against is up to you. The first thing we need to do is make a core library change. Yes, this is as scary as it sounds, and you should document any time you do so that you can revert as needed.

In your MSF directory open up lib/msf/util/exe.rb – should look something like this:

Scroll down or search for self.to_jar – should look something like this:

Now add exe = File.read('/path/to/your/evil.exe') as demonstrated below:

Cool. We’ve made our change; now we have to pull down a JAR generated with our evil binary and the Rhino exploit. We can do that by spinning up Metasploit with our newly edited core library. Load up the Rhino exploit via use exploit/multi/browser/java_rhino.

One trip-up that got me even while creating this blog post (and a constant headache in the #Metasploit channel on Freenode) is forgetting to set the TARGET variable in Java exploits; the default payload type is Java. Since we are using a native Windows binary, we need to specify Windows by setting TARGET to 1.

Run the exploit with any settings, since we’ll be just pulling out what we need. Then pull down the exploit JAR file with wget:

(Most java exploits are set to answer ANY .jar extension request with the payload.)

The HTML to load the JAR is pretty straightforward, but if you’ve never seen it before, here it is:

That’s it. A very blank page with an exploit in it. We can do better than that:

Obviously you can do whatever you want with the HTML: mirror a site or what have you. Notice that I’ve also changed the name of the JAR. (You can’t change the class unless you start making changes to the exploit directly, and I wanted to keep this as generically applicable as possible.)

Move Applet.jar to SuperMario.jar and start up a web server (for the demo I’m using Python’s awesome SimpleHTTPServer, but Apache will serve just as well):

Don’t forget to start up a handler for our now-external exploit:

Victim views the site:

And WA-LA! we haz shell:

Yay… Game over..

Smash and Grab: Windows Dir Lists

Looking through network shares can be slow, and waiting for individual searches to finish looking through the whole “drive” is redundant. Easier to just use some Windows voodoo to get a good list to look through offline:

start /b cmd /c dir /b /s \\nas\users_home_share$ ^> shareinfo.txt

Breaking that down:

  • start /b – starts a process that won’t hang up our current one; the “b” flag means “background”, yay, not visible to the user! (unless your process forces it back)
  • cmd /c – not much to explain here, it runs something (since dir isn’t an executable but a command built into cmd, this is needed)
  • dir /b /s – the “s” means subdirectories and is pretty widely known. The one that isn’t as well known is the “b”, which means “bare” format, also known as “puts-path-on-every-line-to-make-it-easy-to-find-and-grep-stuff” mode.

The path is arbitrary; if you didn’t know you could dir-list a UNC path, now ya do.

The ^> is the cool trick. If you use “start” to create a process in the background, redirecting its output to a file (instead of just capturing the fact that start began, which is the only thing start outputs) is made possible by this lowly caret before the greater-than: the caret escapes the >, so the redirection is handed to the new cmd process rather than applied to start itself.

And that’s it. With big drives, come back in an hour or two and you’ll have a perfectly grep-able file waiting for you to grep through for file names and extensions to your heart’s content.

One caveat: don’t freak out if it’s been 30 minutes and the file size is still ZERO. It doesn’t write the output until the end; it writes buffered in the process, and then “start” pulls it back out at the end with the caret.

Finding Admin Access

You’ve got a shell and a set of credentials, but you’re coming up empty on what you can do with those credentials. This is especially problematic when you can’t get past UAC, because you are either in an AlwaysNotify situation or not a local admin.

(I’m not trying to pull some “insert magic here” with the assumption of credentials; at the time of this writing I have only just started working (created a blank file) on a post module to do this as your current user, so until then, you need credentials.)

Enter the auxiliary module: auxiliary/admin/smb/check_dir_file

First we set up a route as aux modules don’t have a “SESSION” parameter:

Use the module and set our credentials:

Next, set ADMIN$, as we can’t guarantee C$ is the primary drive, but ADMIN$ will definitely be the WINDOWS directory. Our RHOSTS is our target range:

A simple ‘run’ and away it goes:

So we can see that our lowly user, who doesn’t have any chance of bypassing UAC on his current system, can pivot to these other systems (172.16.10.10 and 172.16.10.150) quite easily.

=============================================================================

The rest of this has nothing to do with admin access, just some tricks to do it better.

=============================================================================

As many of you know, I’m not a huge fan of sending packets I don’t need to, so instead of just spraying a range (which I doubt would be seen, but why take the chance?):

[Update: While computer_browser_discovery does look up all the hosts and sends -more- packets than check_dir_file would, those extra packets are sent to DNS resolvers, not into empty space where they can be detected by network sensors.]

Enter computer_browser_discovery:

This module does the equivalent of ‘net view’ to get a list of computers on the domain. You can change LTYPE to “SQL” to just get MSSQL boxes, but we’re going for everything:

As you can see, WIN7X86 (the box we are on) came up with 0.0.0.0, as expected, and the .150 address didn’t show up at all, as it’s not on the domain. So the benefit is that it’s quieter on the wire and you will probably find hosts that aren’t in your immediate IP range (not the case here, simply because I don’t have a big enough test network). The disadvantage is that, as with the .150 address, you may miss hosts.

Next we add the found hosts’ IP addresses to a text file (targethosts.txt)

[because at the time of this writing the computer_browser_discovery module doesn’t add the hosts to the MSF database]

Then use the smb_version module, which does a couple of things: it verifies that the hosts are there and alive, adds them to the MSF database, and reports what version of Windows (or Samba) they are running:

(We still have our route set up, so this module is still going through our low-privilege user.)

And now we have info in the DB for better targeting:

Then, back in our check_dir_file module, we just use hosts -R to have the database automatically set RHOSTS to the hosts in the database that match your search, or alternatively use services -p 445 -R to add all the hosts on which you’ve found port 445 open (everything smb_version finds will be shown in services).

One more way you can get hosts is doing reverse lookups of ranges. You can just hit a range you know of, or guess ranges based on the computer_browser_discovery results. You can do this with the resolve_ip module (this can be pretty slow on ranges that don’t have many hosts):

I used the range this blog is hosted on 1) because for some reason my stupid VM wasn’t resolving internal stuff, and 2) to demonstrate that you can use the module to resolve anything, not just internal ranges.

So, to wrap up, we have a ton of ways to find hosts that don’t involve traditional scanning (smb_version is the only thing that comes close). And we’ve located two hosts that we have the ability to administer, one of which, oddly enough, is the domain controller, so don’t ever discount the access you already have. Tunnel vision is the pentester’s worst enemy.

BypassUAC Got a Facelift

Dave Kennedy and Kevin Mitnick submitted the “bypassuac” post module to Metasploit a while back (last DerbyCon?), which is awesome, and they did some fantastic work, but I had a few complaints, as probably anyone did who used the module on a somewhat modern network.

“Old” module post/windows/escalate/bypassuac:

I decided to give it a bit of a facelift:

“New” local exploit module exploit/windows/local/bypassuac:

All of the credit for the availability of this module goes to @egyp7 though, without his epic addition of local exploits to Metasploit the majority of the updates to this module wouldn’t be possible.

Anywho, on to the new features:

1) You can now set any Windows payload you want to use:

and yes it supports EXE::Custom.

2) It lets you know if it will be able to bypass the current setting of UAC or not:

Even when you’re going overkill with it:

(The ASK module, if UAC is disabled, will just elevate without any kind of user prompt.)

And of course it works as expected if UAC needs bypassing:

One thing I have yet to add is a simple check to make sure you are an admin who can actually bypass UAC. If you aren’t, you’ll be leaving this lovely calling card behind for the user:

Lm2ntlm With John the Ripper

Since I didn’t see any documentation bringing together in one place how to take an LM hash that you’ve cracked and convert it to the NTLM equivalent, and I google how to do it almost every time, I wanted to put all these links in one place and remember how to do it for john. Go-go-gadget blog-notes.

So there is this: https://github.com/snarez/rcracki/blob/master/lm2ntlm.cpp

And this: https://github.com/rapid7/metasploit-framework/blob/master/tools/lm2ntcrack.rb

And this: http://www.securityfocus.com/tools/6696

And the edited version of the above: http://atenlabs.com/blog/so-you-pillaged-a-domain-controllers-hashes/

But Metasploit’s is currently borked (Update: this is now fixed), I don’t want to compile cpp, and perl sucks. One thing I did find was that someone submitted it to the JtR dev mailing list here:

http://www.openwall.com/lists/john-dev/2011/03/29/7

And I asked on that same list what had become of it:

http://www.openwall.com/lists/john-dev/2012/10/24/2

The result is as follows:

Given this hash:

Administrator:500:AA1AB12D9BE8C0D18F900ABF62624751:A2855453E8F6E555E5F22956F7DAA398:::

which are the LM and NTLM equivalents of SUPERPASSWORD/SuPerPaSsWord respectively. So, just so I don’t have to make a screenshot of a text file, assume that hash exactly as-is is in pwdump.txt.

John cracked the LM side in 16 seconds. You don’t need to use John to get the LM side (rainbow tables work better at times).

Solar Designer (JtR’s main dev) suggested the following path:

A bit hard to read, but here are the commands:

./john -show pwdump.txt | cut -d: -f2 > cracked
./john -w=cracked -rules:nt -format=nt pwdump.txt

As you can see (if you squint), that works well. Rich Rumble suggested:

http://www.openwall.com/lists/john-dev/2012/10/24/3

using the loopback like so: ./john pwdump.txt -format=nt -loopback=john.pot -rules=nt

The loopback has been an amazing addition that is, as Solar Designer put it, “not in core JtR, it is a fairly recent addition to jumbo”. The loopback allows you to use previously cracked passwords as a dictionary without doing any cut/awk/sed voodoo. The problem with using the loopback option for the suggested LM-to-NTLM method is that it (rightly so) identifies LM hashes by their halves. When it tries to use those halves to crack the NTLM, even with the NT rule-set, it sees each half as a separate password to try, so it fails.

AXFR for DNSSEC: DNSSEC Walker

TL;DR – DNSSEC Walker traverses a domain’s DNSSEC records to locate its regular DNS records.

I like to go through slides of cons I can’t make it out to, and Hack in the Box (HITB) KUL (Malaysia) was one such, as they were very quick to release slides:

http://conference.hitb.org/hitbsecconf2011kul/materials/

One that I came across is Marc “van Hauser” Heuse’s talk on IPv6, titled “IPv6 Insecurity Revolutions” (linked directly as a PDF on the aforementioned materials page). I definitely recommend checking it out, as well as the IPv6 tools THC/Marc released (v2) here:

http://www.thc.org/thc-ipv6/

Amazing tools, but one I could not locate in the batch was dnssecwalk (slide 41 for those following along).

I found something that looks very similar here: http://josefsson.org/walker/

Released originally in 2001 by Simon Josefsson. If you read the TL;DR at the top, you pretty much know what the tool does, so I’ll take you through an example:

To get this bad boy working (since it’s Perl), you need to use CPAN to install Net::DNS and Net::DNS::SEC:

cpan Net::DNS (hit enter for defaults)
cpan Net::DNS::SEC (same deal)

Using the slide’s example of ripe.net (ARIN’s Euro brother), you simply point it at a domain:

./walker ripe.net
;; Walker by Simon Josefsson
;; $Id: walker,v 1.31 2005/09/20 10:16:30 jas Exp $
;; Net::DNS 0.68
;; Net::DNS::SEC 0.16

Then it just starts going. Unlike the tool in the slides, it’s a very verbose tool and doesn’t have any “write output to file” option, so piping to a file is recommended.

$ ./walker ripe.net > output.txt &
[1] 32623

Then just run greps on it, removing all of the DNS commentary (anything with a semicolon in it):

$ cat output.txt | grep -v ';' | grep IN
ripe.net.       273     IN      SOA     pri.authdns.ripe.net. dns.ripe.net. (
ripe.net.       17146   IN      A       193.0.6.139
ripe.net.       300     IN      AAAA    2001:67c:2e8:22:0:0:c100:68b
ripe.net.       2814    IN      DNSKEY  256  3  5 (
ripe.net.       2814    IN      DNSKEY  257  3  5 (
ripe.net.       2814    IN      DNSKEY  257  3  5 (
ripe.net.       2814    IN      DNSKEY  256  3  5 (
ripe.net.       183     IN      MX      200 postgirl.ripe.net.
ripe.net.       183     IN      MX      250 postlady.ripe.net.
ripe.net.       2017    IN      NS      tinnie.arin.net.
ripe.net.       2017    IN      NS      ns3.nic.fr.
ripe.net.       2017    IN      NS      sns-pb.isc.org.
ripe.net.       2017    IN      NS      pri.authdns.ripe.net.
ripe.net.       2017    IN      NS      sec3.apnic.net.
ripe.net.       2017    IN      NS      sec1.apnic.net.
ripe.net.       2723    IN      NSEC    256cns.ripe.net.  A AAAA DNSKEY MX NS NSEC RRSIG SOA
ripe.net.       21510   IN      RRSIG   A  5  2  21600  20121120100104 (
ripe.net.       210     IN      RRSIG   AAAA  5  2  300  20121120100104 (
ripe.net.       3510    IN      RRSIG   NS  5  2  3600  20121120100104 (
ripe.net.       210     IN      RRSIG   MX  5  2  300  20121120100104 (
                        7Te5Hfqh79JcJO4m94PLZ/GXnm3OVuKW1GINiNToNnTbz
ripe.net.       3510    IN      RRSIG   NSEC  5  2  3600  20121120100104 (
ripe.net.       3510    IN      RRSIG   SOA  5  2  3600  20121120100104 (
                        bfTSOsob1qYKrv3MrTrxDcr0dQJMjEUuKvWJINbFsCDDp
ripe.net.       3510    IN      RRSIG   DNSKEY  5  2  3600  20121120100104 (
                        ILjTJkBEsfhSs/7RKpoS+rLVOINoQXOtGgBhl5Ex5aAip
256cns.ripe.net.        20814   IN      CNAME   pip.ripe.net.
256cns.ripe.net.        2793    IN      NSEC    _jabber._tcp.ripe.net.  CNAME NSEC RRSIG
_jabber._tcp.ripe.net.  2804    IN      NSEC    _xmpp-client._tcp.ripe.net.  NSEC RRSIG SRV
_jabber._tcp.ripe.net.  2814    IN      RRSIG   NSEC  5  4  3600  20121120100104 (
_jabber._tcp.ripe.net.  114     IN      RRSIG   SRV  5  4  900  20121120100104 (
_jabber._tcp.ripe.net.  114     IN      SRV     30 30 5269 chat.ripe.net.
_xmpp-client._tcp.ripe.net.     2804    IN      NSEC    _xmpp-server._tcp.ripe.net.  NSEC RRSIG SRV
_xmpp-client._tcp.ripe.net.     115     IN      RRSIG   SRV  5  4  900  20121120100104 (
_xmpp-client._tcp.ripe.net.     2815    IN      RRSIG   NSEC  5  4  3600  20121120100104 (
_xmpp-client._tcp.ripe.net.     115     IN      SRV     30 30 5222 chat.ripe.net.
_xmpp-server._tcp.ripe.net.     2805    IN      NSEC    access.ripe.net.  NSEC RRSIG SRV
_xmpp-server._tcp.ripe.net.     115     IN      RRSIG   SRV  5  4  900  20121120100104 (
                        NJpdcDaytdKNINLVCFYUJWRnXiTRFrXSi2cL4nJLGLQlt
_xmpp-server._tcp.ripe.net.     2815    IN      RRSIG   NSEC  5
(snipped)

But of course slide 40 shows that you can simply zone transfer ripe.net anyway. For those that aren’t so forthcoming with their zones, though, this can be a nice thing to try.
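As an added example (mine, not part of the post or of Josefsson’s walker), here is the property the walker relies on, worked in Python over the NSEC lines from the ripe.net output above: each NSEC record names the next owner in canonical order and lists the record types present at its owner, so following the pointers enumerates the zone without a zone transfer. A walk that gets back to the apex means the whole zone was covered; stopping at a name missing from the captured records shows where the walker would have to query next. This enumeration property is why NSEC3 (RFC 5155) was introduced.

```python
"""NSEC chain walk: the trick DNSSEC Walker relies on (added example)."""
from typing import Dict, List, Tuple

# Constructed from the NSEC lines in the ripe.net output above, copied verbatim.
SAMPLE_NSEC_LINES = """\
ripe.net.       2723    IN      NSEC    256cns.ripe.net.  A AAAA DNSKEY MX NS NSEC RRSIG SOA
256cns.ripe.net.        2793    IN      NSEC    _jabber._tcp.ripe.net.  CNAME NSEC RRSIG
_jabber._tcp.ripe.net.  2804    IN      NSEC    _xmpp-client._tcp.ripe.net.  NSEC RRSIG SRV
_xmpp-client._tcp.ripe.net.     2804    IN      NSEC    _xmpp-server._tcp.ripe.net.  NSEC RRSIG SRV
_xmpp-server._tcp.ripe.net.     2805    IN      NSEC    access.ripe.net.  NSEC RRSIG SRV
"""

Chain = Dict[str, Tuple[str, List[str]]]  # owner -> (next owner, type bitmap)


def parse_nsec(text: str) -> Chain:
    """Build the chain from zone-file style NSEC lines.
    Other record types and the walker's ';;' commentary are ignored."""
    chain: Chain = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "NSEC":
            continue
        owner, nxt, types = fields[0].lower(), fields[4].lower(), fields[5:]
        chain[owner] = (nxt, types)
    return chain


def walk_nsec(chain: Chain, apex: str) -> Tuple[List[str], str]:
    """Follow next-owner pointers from the apex.
    Returns (owner names in zone order, name where the walk stopped). Stopping at
    the apex again means the whole zone was enumerated; any other name is a gap,
    i.e. an NSEC the walker would still have to query for."""
    names: List[str] = []
    cur = apex.lower()
    while cur in chain and cur not in names:
        names.append(cur)
        cur = chain[cur][0]
    return names, cur


def names_with_type(chain: Chain, rtype: str) -> List[str]:
    """Owners whose NSEC bitmap says an rtype record exists, without querying it."""
    return sorted(owner for owner, (_, types) in chain.items() if rtype in types)


if __name__ == "__main__":
    chain = parse_nsec(SAMPLE_NSEC_LINES)
    names, stopped = walk_nsec(chain, "ripe.net.")
    for name in names:
        print(name, " ".join(chain[name][1]))
    print("walk stopped at", stopped, "(complete)" if stopped == "ripe.net." else "(gap)")
    print("SRV names:", names_with_type(chain, "SRV"))
```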