Mimikatz is now built into Metasploit's Meterpreter: you can run "load mimikatz" from the Meterpreter prompt. But if you don't want to go through the hassle of dealing with AV, reverse or bind payloads and Meterpreter binaries, and you already have clear-text credentials for an admin, you can just use Mimikatz's alpha release, which lets you run Mimikatz on your own machine against a process memory dump of LSASS. The great thing about this technique is that the only thing that ever touches disk on the target is a Microsoft tool.
This is how I did it (note that the delimiter for the "for" loop is a backslash, so that the fifth token is the service name):

for /f "tokens=5 delims=\" %A in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do sc qc %A

Let me know if you know of a better way. If you don't know why this could be important, read here: http://www.ihtb.org/security/program.exe-privilege_escalation.txt If you are on a Win7 box or otherwise have the option to use WMI, you can use the following command:

wmic service get pathname
Mimikatz is awesome, right? So is WCE. But both have one fatal flaw: even though you can execute them in memory {link}, you still have to have the binaries, remember the command to execute them in memory, and ultimately transfer the entire binary over so that Metasploit can do its thing. Then along came SessionDump. I only noticed this because someone was tweeting congratulations to someone on writing it:
Just a quick post to say that egypt and I will be giving Metasploit Mastery twice (2 x 2-day sessions) at BlackHat USA 2013. Come out and get your Metasploit on in Vegas w/ us. Linky: http://www.blackhat.com/us-13/training/metasploit-mastery.html

Current fill rate of July 27-28 session:

Current fill rate of July 29-30 session:

EOM
This is one of those stupid simple things that are easy to forget, so I'm posting it here. Wordlists and dictionaries are awesome for cracking password hashes, and although, thanks to things like Mimikatz and WCE, I usually don't have to, there are times when it's important. Now, having John, Hashcat, or Cain go through a dictionary is a 1-for-1 hit: no time is wasted no matter how it's sorted, and it is usually best to sort the words by most common first so you get earlier hits.
You've found an NFS share on a pentest. It's sharing out your target's home directories (/home) and some SAN with all of the Windows AD users' "home" directories under /volumes/users/. You only have a Meterpreter session, though... enough back story. The problem is that Metasploit doesn't really have any auxiliary modules or otherwise to access the things on those shares. Please correct me if I'm wrong, but there also aren't any tools for talking to NFS shares over TCP-only proxies.
It seems like every week there is a new compromise of some service or another. But as a user, what are you supposed to do with this knowledge? Here are some suggestions on things to do or think about when reacting: Do you use the password you use there anywhere else? Think about starting to use a password manager like LastPass, 1Password, or KeePass, or a product like Yubico. This way you can very easily use different passwords for different sites.
The following has been a concept for me for a long time, and recently I tweeted the idea, which really put me under fire to prove it (re: the justanidea hashtag). A few people came up with some very valid points:

1) Doesn't work so well with HTTPS sites

He's right, but that forces the attack to use SSL, and doing so can yield the defender more information about the attacker and offer other avenues of defense.
This is here because I always forget how to do it:

sudo apt-get install libtirpc-dev libncurses-dev
wget http://www.cs.vu.nl/pub/leendert/nfsshell.tar.gz
tar zxvf nfsshell.tar.gz
cd nfs
ln -s /usr/include/tirpc/rpc/clnt_soc.h /usr/include/rpc/clnt_soc.h
perl -p -i.orig -e 's/getline/getline_nfs/' nfs.c

The next part I don't have a good way to automate. You need to go in and comment out (w/ #) the 4 lines following "uncomment the following 4 lines for Solaris 2.x" and uncomment the 2 lines following "For GNU readline support you need to add".
Thanks to @spatial_d for the tweet here: https://twitter.com/spatial_d/status/302253050725298176 I'm capturing it here more as a bookmark for myself:

Build It: http://www.ustream.tv/channel/build-it-2013
Belay It: http://www.ustream.tv/channel/belay-it-2013
Bring It On: http://www.ustream.tv/channel/bring-it-2013