Room362.com

Blatherings of a security addict.

Setting SYSTEM’s Proxy Settings With Metasploit


One of the great things about the reverse_http(s) payloads is that they are proxy aware. However, one of the pitfalls is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered). The problem arises when you are trying to do anything as SYSTEM, and PSEXEC only gives you the option of a SYSTEM shell (so you’re done for right out of the door).

Now, there is a stub in Metasploit that I have been unable to complete due to my lack of knowledge in the shellcode world. The stub would allow you to create payloads that have static proxies, which would remove the need for the following. Until then, here are a few ways to set / read the proxy settings for SYSTEM, or any other user for that matter.

It’s here if you want to take a whack at it: external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm

One of the ways @carnal0wnage and I demoed @DerbyCon was using the bitsadmin binary. Windows 7/Vista/2008 come with version 2.0+, which has this great ability to run the following:

bitsadmin /util /setieproxy localsystem MANUAL_PROXY 192.168.1.55:3128 ";"

(On 2000, XP and 2003 you could upload a copy of bitsadmin that is new enough, and that would still work.)

That command sets the proxy settings for the SYSTEM account. I was able to jump through hoops and do this remotely by using the windows/exec payload via psexec; after that, reverse_http(s) would work.

But I wanted a better way to do this. I watched the execution of bitsadmin to see what it was doing, and all it actually does is set a registry key. Awesome, I can do that.

Enter enum_proxy:

And…

If you’ve noticed the RHOST option: Metasploit has the ability to do remote registry calls as well (this module will attempt to start the RemoteRegistry service if the user has the privilege to do so):

Output from it finding a disabled RemoteRegistry:

msf post(enum_proxy) > run

[-] Unable to contact remote registry service on 172.16.10.217
[*] Attempting to start service remotely...
[*] Proxy Counter = 9
[*] Setting: WPAD and AutoConfigure script
[*] AutoConfigURL: http://anotherproxyserver/pac.pac
[*] Post module execution completed
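Since bitsadmin and enum_proxy both boil down to that one registry value, here is an added example (my own Ruby, not the module’s code) that builds and decodes the DefaultConnectionSettings blob the module reads. The field layout and the HKU\S-1-5-18 path are assumptions taken from the documented format, and the sample data is constructed to match the output above.

```ruby
# Added example, not enum_proxy's own code: parse and build the
# DefaultConnectionSettings binary value that bitsadmin /setieproxy writes.
# For SYSTEM it is assumed to live under
# HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
# Assumed layout (little-endian DWORDs): version, change counter, flags,
# then three length-prefixed ASCII strings: proxy server, bypass list, PAC URL.
FLAG_DIRECT = 0x01   # always set
FLAG_PROXY  = 0x02   # static proxy server in use
FLAG_PAC    = 0x04   # AutoConfigURL (PAC script) in use
FLAG_WPAD   = 0x08   # automatically detect settings (WPAD)

# Build a blob so the parser can be exercised offline on constructed input.
def build_connection_settings(counter, proxy: '', bypass: '', pac_url: '', wpad: false)
  flags = FLAG_DIRECT
  flags |= FLAG_PROXY unless proxy.empty?
  flags |= FLAG_PAC   unless pac_url.empty?
  flags |= FLAG_WPAD  if wpad
  blob = [0x46, counter, flags].pack('V3')
  [proxy, bypass, pac_url].each { |s| blob << [s.bytesize].pack('V') << s.b }
  blob << ("\x00" * 32).b   # reserved trailing bytes
end

# Decode the blob into what enum_proxy prints: counter, setting type, strings.
def parse_connection_settings(blob)
  raise ArgumentError, 'blob too short' if blob.bytesize < 24
  version, counter, flags = blob.unpack('V3')
  offset = 12
  fields = Array.new(3) do
    len = blob[offset, 4].unpack('V').first
    offset += 4
    str = blob[offset, len]
    raise ArgumentError, 'truncated string field' if str.nil? || str.bytesize != len
    offset += len
    str.force_encoding('ASCII-8BIT')
  end
  modes = []
  modes << 'WPAD'                 if (flags & FLAG_WPAD)  != 0
  modes << 'Proxy server'         if (flags & FLAG_PROXY) != 0
  modes << 'AutoConfigure script' if (flags & FLAG_PAC)   != 0
  { version: version, counter: counter, flags: flags,
    setting: modes.empty? ? 'No proxy settings' : modes.join(' and '),
    proxy: fields[0], bypass: fields[1], autoconfig_url: fields[2] }
end

if __FILE__ == $0
  # Constructed sample matching the module output above: counter 9, WPAD + PAC.
  blob = build_connection_settings(9, pac_url: 'http://anotherproxyserver/pac.pac', wpad: true)
  r = parse_connection_settings(blob)
  puts "Proxy Counter = #{r[:counter]}"
  puts "Setting: #{r[:setting]}"
  puts "AutoConfigURL: #{r[:autoconfig_url]}" unless r[:autoconfig_url].empty?
end
```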

“Awesome but you promised setting the proxy settings”, well right now all I can give you is a cloner ;–)

Enter clone_proxy_settings module:

And that’s it. I’m still working on an actual “set_proxy” module, but this should do for now, and it’s a lot less to type.

As of this post both are currently pull requests:

Mounting SMB Shares Over Meterpreter


OK, this is pretty straightforward, no magic:

Got a shell, doesn’t have to be SYSTEM

Add a route to the internal range or directly to the host you want over the session you want

Mosey on over to the socks4a module. And in another terminal we need to make sure our proxychains.conf file in /etc/ (or wherever you store your conf) is correct.

It defaults to 9050 on 127.0.0.1 for Tor; that’s pretty easy to cope with, and there’s no reason to mess with it if you actually use it for Tor for other things.

Run the socks proxy with the Tor-like settings. (Remember to shut down Tor first.)

And the rest is gravy. The % (percent sign if blog software mangles it) is a delimiter that smbclient and other samba tools recognize between user and password (so it doesn’t prompt you for it).

And just to prove it’s working:

Yay, files. Yes, I know I didn’t use smbmount, but it works the same, as does rpcclient.

A side note here is if you are using the pth-tools from:

https://code.google.com/p/passing-the-hash/

You can use hashes instead of passwords for stuff like this. But who are we kidding? Who doesn’t get clear text passwords anymore ;–)


UAC AlwaysNotify Bypass-ish


UPDATE: THIS ONLY WORKS WITH THE LOCAL ADMIN (ID 500) ACCOUNT AND PASSWORD

(MY MISTAKE FOR NOT TESTING MORE)

So the “-ish” is that you need to have the username and password of the local administrator account on that box (see the update above). But other than that, the following image should speak for itself. (No UAC prompt occurred during the following actions.)

I plan on writing a Metasploit module to do this, as all it really does is start a process as a different user, and that process executes ShellExecute’s ‘RunAs’ verb. But until then, get CPAU here:

http://www.joeware.net/freetools/tools/cpau/

and Elevate here: http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

and doing it manually with built-in Windows Kung-Fu:


Pass the Hash Without Metasploit - Part 2


I read this article a while back:

http://fuzzynop.blogspot.com/2012/09/pass-hash-without-metasploit.html

by @FuzzyNop

Great article showing the use of WCE’s “-s” flag to Pass-The-Hash locally; I highly recommend checking it out.

Anywho, I was once in a similar scenario, where I had no Metasploit to back me up, but the box I was on did have one interesting thing: Ruby, and access to a source of relatively up-to-date Ruby gems. Since Metasploit’s powerhouse library ‘rex’ installed just fine, I was set.

Notice: this is now ‘gem install librex’.

Then copy the following to the machine:

https://github.com/rapid7/metasploit-framework/blob/master/tools/psexec.rb

That’s a standalone version of the psexec module (minus any advanced options). Once you have it down, make two quick edits (removing the requires for fastlib and msfenv):

And then you should see this:

Now, I elected to use the windows/adduser Metasploit single for my purposes; you can just as well use any executable you want, depending on what you are trying to accomplish. So this is the user list beforehand:

And then I executed this:

Which resulted in:

w00t. Game over. But wait, there’s more…

There is another gem that makes things even easier to continue if your next hop doesn’t have Ruby:

http://ocra.rubyforge.org

OCRA (One-Click Ruby Application): you just need to ‘gem install ocra’ and you can then compile Ruby into Windows executables (it does this the same way as Py2Exe, packaging an interpreter in with the script).

Building the executable (once the gem is installed) is pretty straightforward:

And as you can see, we have a ~5.5 meg file:

The output without options looks like this:

You can plainly see the Temp directory it’s being extracted to. It does a very good job of cleaning up the temp directory after it has run the Ruby script, which is nice, but not forensically clean (obviously), just a heads up.

But, the result is the same:

Now you can take your 5.5 meg bin anywhere you want and psexec with a hash to your heart’s content.

(As a side note, this works REALLY well to bypass UAC if you have a username and password/hash for a local admin. Just don’t forget that it runs the EXE as SYSTEM, which normally doesn’t have proxy settings.)

Compiling and Release of Ditto


If you follow the exact same steps you did for Netview (/blog/2012/10/07/compiling-and-release-of-netview/),

then you already have the steps needed to create a compiled version of ditto from the repo here:

https://github.com/mubix/ditto

And while the sheep icon is cute, and a nod to what ditto does, it comes at a pretty hefty cost:

Size. Now, if you’re scoffing at 408 KB then you don’t have any issues, but I like not having to wait while a binary I am trying to push to a victim box is transferring. Removing the icon is pretty straightforward. Once you’ve loaded the .SLN file up in Visual Studio C++, just expand the “Resource Files” folder in the “Solution Explorer”:

And summarily delete both files (right-click and go to Remove, or just press the Del key).

(Side note: don’t forget to rename or copy the one with the icon somewhere first if you want to keep that version.)

Then “Build Solution” again, and voilà! A much smaller, less witty but highly functional Ditto:

And of course, like last time, you could go through all that, or just download them here:

Without the icon: /projects/ditto_noicon.exe

With the icon: /projects/ditto_withicon.exe


Compiling and Release of Netview


If you haven’t caught Chris Gates’ (@carnal0wnage) and my talk at DerbyCon 2012: we released two tools, Netview and Ditto. Here I’ll walk you through compiling Netview yourself; in the next blog post we’ll go over compiling Ditto and how you can remove its icon to reduce the size if you want. But for Netview it’s pretty straightforward. First you pull a copy of the Git repository:

https://github.com/mubix/netview

Once you’ve done that, you’ve got a directory looking like this:

You will also need Visual Studio C++ (the Express version is free here: http://www.microsoft.com/visualstudio/eng/downloads#d-2010-express ).

Once you have both, double-click the .sln file (Solution File).

And you get an ugly blue and purple box like this:

There you switch the compile option from “Debug” to “Release” and click “Build Solution”:

Sounds much more grandiose than it really is. If all goes well, you’ll get the box at the bottom to say “Build: 1 succeeded”.

You’ll have a new folder:

and inside is your wonderful prize:

You could go through all of that… or just download it here: /projects/netview.exe

Lab Setup - Windows Proxy and Egress Filtering


pfSense is an excellent free way of including a firewall / IDS / proxy in your lab or VMs. It runs small and fast, but as simple as pfSense is, sometimes you need even less complexity and faster configuration.

Enter PeerBlock and AnalogX’s Proxy. Two free tools: one usually used to stop people who torrent from getting caught by the RIAA/MPAA, and the other a drop-dead simple Windows-based proxy utility.

First we’ll talk about AnalogX’s proxy, you can get it here: 

http://www.analogx.com/contents/download/Network/proxy/Freeware.htm

A simple next->next->finish install gets you this:

With the following ports listening:

  • HTTP (web browsers) (port 6588)
  • HTTPS (secure web browsers) (port 6588)
  • SOCKS4 (TCP proxying) (port 1080)
  • SOCKS4a (TCP proxying w/ DNS lookups) (port 1080)
  • SOCKS5 (only partial support, no UDP) (port 1080)
  • NNTP (usenet newsgroups) (port 119)
  • POP3 (receiving email) (port 110)
  • SMTP (sending email) (port 25)
  • FTP (file transfers) (port 21)

So you can test to your heart’s content that everything goes through a proxy, using basically any proxy type you want.

(I will assume here that you know how to set up your own proxy settings for your OS.)

The problem is that if your code / application misbehaves, it will still get out. You could go to the trouble of fiddling with the Windows firewall if you are running Windows 7 (not sure if XP can block egress, probably can). But I like simple and straightforward solutions.

PeerBlock can be found here: http://www.peerblock.com

And it is simple to set up as well (next->next->finish applies).

Go into List Manager once you have it installed and “Create a List”.

Give it a description and a place to save the file:

You’ll get this window automatically popping up, but if you don’t, just click ‘Add’ with your custom list selected in the List Manager:

Feel free to block everything but one IP, a range, or whatever meets your needs; nothing in or out, to or from that IP/range will be allowed.

One of the things I use it for is blocking the whole Internet except for my internal ranges, for stuff like my personal Virus Total lab where I run bins to test stuff out. That way the AntiVirus services can’t ship my bin off to who knows where to be analyzed before I even get to use it.

Here is an example of my “All the Internet” block list:

That’s everything for now, hope some of it was useful in your setup and experiments ;–)

Meet “q” – Free Metasploit Exploit Pack


Once you’re done staring at the Star Trek deity above (it’s a staring contest you will lose, since you are such a simplistic race), I pull your attention to: https://github.com/mubix/q

This repository / exploit pack was created for the sole purpose of housing modules, scripts and resource files that would otherwise not be accepted into the Metasploit trunk. It will always be free, and anyone is free to submit pull requests for modules, scripts or resource files that they created or just found and that were not accepted into the trunk because it was just a script, it violates the TOS of a service, they did not author it, or any other possible reason. (Like the fear of @egyp7’s coding red pen.)

While I completely understand the reason and possible backlash Metasploit and subsequently Rapid7 might get for housing modules that were not submitted by their original owners, or violate some TOS, I feel that those modules should not simply disappear into time.

With that said, if a module gets added to this repo by another person and the original author contacts me to take it down, I certainly will.

So if you have modules, scripts, resource files or anything else that you would like to share, please submit a pull request, and we’ll see about getting it shared out for other people to use.

P.S. I am, as evident by this blog, a friend of the framework, so I would do my best to remove the blockage that is stopping the item from being in the Metasploit trunk if at all possible. This repo / exploit pack is meant to support the framework, not subjugate it in any way.

Completely In-memory Mimikatz With Metasploit


Executing WCE.exe in memory, as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram, has two issues. 1. You leave a file on disk with your hashes and clear text passwords. That just won’t do. 2. There is this DLL called WCEAUX.dll that gets written to disk for the briefest second:

(yes I realize I’m running this on disk ‘wce32.exe’, but it exhibits the same DLL drop when doing in-memory)

Now, don’t get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, what matters is the best tool for the job. And today, that’s Mimikatz.

Just like with WCE, to execute it in memory you use the -m flag of execute:

meterpreter> execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

Mimikatz commands passed on the command line require double quotes, so we use single quotes in Meterpreter to wrap the execute arguments (-a). This runs “sekurlsa::logonPasswords full” first, then ‘exit’ to leave the mimikatz console automatically. Like so:

And all you get forensically is calc.exe loading a ton of DLLs it has no business loading, but no new files touch disk ;–)

The downloads for Mimikatz are where they always are: http://blog.gentilkiwi.com/mimikatz

Oh, did I mention that Mimikatz is open source, and the in-memory goodness has been uploaded to SVN: https://code.google.com/p/mimikatz/

Awesome work, @gentilkiwi.

If you want to check out the fix that was implemented to work with Meterpreter’s in-memory goodness, check here: https://code.google.com/p/mimikatz/source/detail?r=33