This is something I wrote up a while back. Not that great, but I wanted to document it before I lost it.
---
Background: Gaining local admin on a Windows box is great, but then you are limited to that box.
It is much more useful to get a domain user, or even a Domain Admin or Enterprise Admin.
Assuming the box is joined to a domain: most Windows domains have credential caching turned on (the default keeps the last 10 interactive domain logons).
That means whenever a domain user logs into the box, a hash derived from that password (the mscash, or "domain cached credential") is stored in the registry under HKLM\SECURITY, which only SYSTEM can read.
Now let's see how we can grab these and crack them.
Note: I only did this from Linux; I have no idea if it works in Windows.
Also, I will not go into much technical detail on the caching. Google it if you want to learn more.
The info is out there.
Tools:
1. John The Ripper (1.6.37) - http://www.openwall.com/john/ (you will need the source; we will patch it)
2. CacheDump - http://www.off-by-one.net/misc/cachedump.html
3. John The Ripper patch - http://www.banquise.net/misc/patch-john.html (get "the big patch")
Steps:
1. Patch and compile John (the john tarball and the patch must be in the same directory):
- tar xfz john-1.6.37.tar.gz
- gunzip -c john-1.6.37-bigpatch-13.diff.gz | patch -p0 (you should see it patching files)
- cd john-1.6.37/src/
- make (a bare make lists the build targets; then build the one for your platform, e.g. make linux-x86-any)
Note: Now that John is patched, it accepts many more hash formats, such as mscash. Another favorite
of mine is Lotus Notes; it's pretty easy to get anyone's Notes hash without even being a user.
I'll save that for a different doc; we'll stick with mscash.
2. Get the cached credentials from the Windows box (you must be local admin):
- cmd.exe
- cachedump.exe -v (it first installs a temporary service so it can run as SYSTEM, dumps the cache, then removes the service)
- The output should look like the following:
CacheDump service successfully installed.
Service started.
user1:5E9092870891234FEF30940952359045633456:domain:
domainadmin:D938458093490BF9035649095CC334:domain:
user2:8982390FAB93099EF30940945745:domain:
Service successfully removed.
- Copy and paste the hash lines into a text file for John (keep the user:hash:domain: format as printed).
3. Now we get to crack it. Your choice of wordlist or brute force (John's -wordlist:FILE or -incremental modes):
- ./john -format:mscash ./mshashes.txt
Note: Now you just have to wait; how long depends on how good the passwords are. ./john -show -format:mscash ./mshashes.txt lists what has been cracked so far.
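To see what John is actually working against, here is an added example (not part of the original write-up, and not code from John or CacheDump) that computes the mscash value for a given user and password: MD4 over the NT hash of the password followed by the UTF-16LE lowercase username. Because the username is the only salt and each guess costs two MD4s, this format cracks roughly as fast as plain NT hashes, which is why step 3 is worth the wait. The user names and passwords in main() are constructed, and ASCII-only input is assumed for the UTF-16 conversion.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static uint32_t rotl32(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }

/* Single-shot RFC 1320 MD4 (plenty for password-sized inputs). */
void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    static const int S[3][4] = {{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}};
    static const int K2[16] = {0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15};
    static const int K3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    size_t padded = ((len + 8) / 64 + 1) * 64;   /* room for 0x80 and the 8-byte length */
    uint64_t bits = (uint64_t)len * 8;
    uint8_t *buf = calloc(padded, 1);
    if (!buf) { memset(out, 0, 16); return; }

    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++)                    /* little-endian bit count */
        buf[padded - 8 + i] = (uint8_t)(bits >> (8 * i));

    for (size_t off = 0; off < padded; off += 64) {
        uint32_t X[16], a = h[0], b = h[1], c = h[2], d = h[3];
        for (int i = 0; i < 16; i++)
            X[i] = (uint32_t)buf[off + 4*i] | (uint32_t)buf[off + 4*i + 1] << 8 |
                   (uint32_t)buf[off + 4*i + 2] << 16 | (uint32_t)buf[off + 4*i + 3] << 24;
        for (int i = 0; i < 48; i++) {             /* 3 rounds of 16 steps */
            int r = i / 16, k;
            uint32_t f;
            if (r == 0)      { f = (b & c) | (~b & d);                        k = i; }
            else if (r == 1) { f = ((b & c) | (b & d) | (c & d)) + 0x5a827999; k = K2[i - 16]; }
            else             { f = (b ^ c ^ d) + 0x6ed9eba1;                  k = K3[i - 32]; }
            uint32_t t = rotl32(a + f + X[k], S[r][i % 4]);
            a = d; d = c; c = b; b = t;            /* rotate the A,B,C,D roles */
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    }
    free(buf);
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(h[i / 4] >> (8 * (i % 4)));
}

/* Windows hashes UTF-16LE strings; ASCII input is assumed here, so every
 * byte is followed by 0x00. Returns the number of bytes written. */
static size_t utf16le(const char *s, uint8_t *out, size_t max)
{
    size_t n = 0;
    for (; *s && n + 2 <= max; s++) { out[n++] = (uint8_t)*s; out[n++] = 0; }
    return n;
}

/* NT hash = MD4(UTF16LE(password)) */
void nt_hash(const char *password, uint8_t out[16])
{
    uint8_t w[512];
    md4(w, utf16le(password, w, sizeof w), out);
}

/* mscash (DCC v1), the value cachedump prints and -format:mscash cracks:
 * MD4( NT_hash(password) || UTF16LE(lowercase(username)) ). The username is
 * the only "salt", so one guess costs two MD4 computations. */
void mscash(const char *username, const char *password, uint8_t out[16])
{
    uint8_t buf[16 + 512];
    char lower[256];
    size_t i;
    for (i = 0; username[i] && i < sizeof lower - 1; i++)
        lower[i] = (char)tolower((unsigned char)username[i]);
    lower[i] = 0;
    nt_hash(password, buf);
    md4(buf, 16 + utf16le(lower, buf + 16, sizeof buf - 16), out);
}

void to_hex(const uint8_t *d, size_t n, char *out)   /* out needs 2n+1 bytes */
{
    for (size_t i = 0; i < n; i++) sprintf(out + 2 * i, "%02x", d[i]);
}

int main(void)
{
    /* constructed accounts, printed in cachedump's user:hash:domain: layout */
    const char *users[] = {"user1", "domainadmin", "user2"};
    const char *pws[]   = {"Summer2005", "P@ssw0rd", "password"};
    uint8_t h[16];
    char hex[33];
    for (int i = 0; i < 3; i++) {
        mscash(users[i], pws[i], h);
        to_hex(h, 16, hex);
        printf("%s:%s:domain:\n", users[i], hex);
    }
    return 0;
}
```

The lines main() prints have the same user:hash:domain: shape as the cachedump output above, so they can go straight into a file for john -format:mscash as a sanity check that the patched build handles the format before you point it at real dumps.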
And that's it. Have fun.
References:
http://www.off-by-one.net/misc/cachedump.html
http://www.banquise.net/misc/patch-john.html
Friday, October 28, 2005
All Your File Are Belong To Us
Been testing a neat little app called tcpxtract.
http://tcpxtract.sourceforge.net/
What it does is grab files out of sniffed traffic through "carving": it scans the reassembled data for known file headers and footers (JPEG, PDF, ZIP and so on) and writes out whatever sits between them. It can be used on a live interface or against a pcap file.
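Carving is the whole trick here, so as an added example (my own code, not tcpxtract's) this is the core of a signature carver in C: a header/footer table, a scan over a reassembled byte stream, and a cut of each hit up to its footer or a size cap. The JPEG (FF D8 FF / FF D9) and PDF (%PDF- / %%EOF) signatures are real, but the table and the sample stream in build_sample_stream() are constructed for the example; tcpxtract loads its own rules from its configuration file and runs them over the TCP streams it reassembles.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One carving rule: header bytes, footer bytes, size cap. A footer_len of 0
 * means "no footer, just cap at max_len". Table constructed for this example. */
typedef struct {
    const char *name;
    const uint8_t *header; size_t header_len;
    const uint8_t *footer; size_t footer_len;
    size_t max_len;
} carve_sig;

typedef struct { const char *name; size_t offset; size_t length; } carve_hit;

static const uint8_t JPG_HDR[] = {0xFF, 0xD8, 0xFF};
static const uint8_t JPG_FTR[] = {0xFF, 0xD9};
static const uint8_t PDF_HDR[] = "%PDF-";
static const uint8_t PDF_FTR[] = "%%EOF";

static const carve_sig SIGS[] = {
    {"jpg", JPG_HDR, 3, JPG_FTR, 2, 2 * 1024 * 1024},
    {"pdf", PDF_HDR, 5, PDF_FTR, 5, 4 * 1024 * 1024},
};

/* Offset of the first occurrence of needle in hay[0..n), or -1. */
static long find_bytes(const uint8_t *hay, size_t n, const uint8_t *needle, size_t m)
{
    if (m == 0 || n < m) return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return (long)i;
    return -1;
}

/* Carve files out of a reassembled stream: take the earliest header match,
 * cut through its footer (or max_len bytes if the footer is missing or too
 * far away), then resume scanning after the cut. Returns the number of hits. */
size_t carve(const uint8_t *stream, size_t n, carve_hit *out, size_t max_hits)
{
    size_t hits = 0, pos = 0;
    while (pos < n && hits < max_hits) {
        long best = -1;
        const carve_sig *sig = NULL;
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
            long off = find_bytes(stream + pos, n - pos, SIGS[s].header, SIGS[s].header_len);
            if (off >= 0 && (best < 0 || off < best)) { best = off; sig = &SIGS[s]; }
        }
        if (best < 0) break;                      /* no more headers */
        size_t start = pos + (size_t)best;
        size_t body = start + sig->header_len;
        size_t len;
        long f = find_bytes(stream + body, n - body, sig->footer, sig->footer_len);
        if (f >= 0 && sig->header_len + (size_t)f + sig->footer_len <= sig->max_len)
            len = sig->header_len + (size_t)f + sig->footer_len;
        else
            len = (n - start < sig->max_len) ? n - start : sig->max_len;
        out[hits].name = sig->name; out[hits].offset = start; out[hits].length = len;
        hits++;
        pos = start + len;
    }
    return hits;
}

/* Constructed sample: two HTTP responses carrying a tiny JPEG and a tiny PDF,
 * as a TCP reassembler would hand them over. Returns the stream length. */
size_t build_sample_stream(uint8_t *out)
{
    static const char http1[] = "HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n";
    static const uint8_t jpg[] = {0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F',
                                  0x00, 0x01, 0x02, 0x03, 0xFF, 0xD9};
    static const char http2[] = "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\n\r\n";
    static const char pdf[] = "%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF";
    size_t n = 0;
    memcpy(out + n, http1, sizeof http1 - 1); n += sizeof http1 - 1;
    memcpy(out + n, jpg, sizeof jpg);         n += sizeof jpg;
    memcpy(out + n, http2, sizeof http2 - 1); n += sizeof http2 - 1;
    memcpy(out + n, pdf, sizeof pdf - 1);     n += sizeof pdf - 1;
    return n;
}

int main(void)
{
    uint8_t stream[512];
    carve_hit hits[8];
    size_t n = build_sample_stream(stream);
    size_t count = carve(stream, n, hits, 8);
    for (size_t i = 0; i < count; i++)
        printf("%zu: %s at offset %zu, %zu bytes\n", i, hits[i].name, hits[i].offset, hits[i].length);
    return 0;
}
```

The size cap matters in practice: a header with no matching footer (SCP traffic, a truncated transfer, a false-positive header inside random bytes) would otherwise swallow the rest of the capture, which is also why carvers produce junk files that you have to triage by hand.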
Findings so far:
First, I thought I would run it against a Kismet pcap file I had lying around.
It turned up a couple of images; must have been people browsing the web.
I would assume other files would work no problem, since wireless is not a switched network and anyone can see all the traffic.
1. FILES OWNED
Second, I thought I would fire up Ethereal http://www.ethereal.com/ and bind it to my local Ethernet card to sniff.
I did a few file transfers during the sniff: SCP, FTP, and a Windows SMB share (AD Kerberos).
I saved the sniff to a pcap file and ran tcpxtract against it.
- SCP: obviously I did not grab the file I transferred.
- FTP: do I even have to tell?
- SMB: yep, grabbed that file too.
2. FILES OWNED
Third, I was thinking this isn't that useful. Why do I want to see my own files being transferred? And on a wireless network, for anyone to transfer anything useful is just plain stupid.
So I got to thinking: how about a man-in-the-middle attack? I fired up the handy ettercap http://ettercap.sourceforge.net/
and poisoned the ARP cache on the switch to route all traffic to my local Ethernet card and then on to its final destination.
Now, since all the switch traffic was running through my Ethernet device, I bound tcpxtract to my local Ethernet device, and the files started to pour in (mpg, mp3, doc, pdf, etc.), a lot of them.
3. FILES OWNED
Now, I'm sure people see the danger here. For security testers/auditors it's a way to get your company to stop using FTP and other non-secure protocols: run that attack against some highly sensitive servers, and then show your manager all the nice sensitive documents you mined!
I will be looking into other methods of using tcpxtract.
Tuesday, October 18, 2005
Snort Back Orifice Preprocessor Buffer Overflow
While looking into US-CERT TA05-291A, this is what I found.
Snort's Back Orifice preprocessor does not only review traffic on port 31337; it also looks at any UDP traffic for Back Orifice's magic cookie, brute-forcing the XOR key to find it.
* spp_bo.c comments
*
* Purpose: Detects Back Orifice traffic by brute forcing the weak encryption
* of the program's network protocol and detects the magic cookie
* that it's servers and clients require to communicate with each
* other.
*
* Back Orifice magic cookie is "*!*QWTY?", which is located in the first
* eight bytes of the packet. But it is encrypted using an XOR.
To exploit this we want this path of the preprocessor to run, and since the preprocessor inspects every UDP packet, the packet does not have to be on port 31337 to reach it.
Below is where the fun happens: len is taken from the packet header, and the decrypt loop writes len bytes into buf1/buf2 (1024 bytes each, on the stack) with nothing comparing len against that size.
//snippet from spp_bo.c
static int BoGetDirection(Packet *p, char *pkt_data)
{
    u_int32_t len = 0;
    u_int32_t id = 0;
    u_int32_t l, i;
    char type;
    char buf1[1024]; /* Interesting... a fixed-size stack array. Is this checked? hehe */
    char buf2[1024]; /* Interesting... a fixed-size stack array. Is this checked? hehe */
    char *buf_ptr;
    char plaintext;
//snippet from spp_bo.c
I don't see any checks.
//snippet from spp_bo.c
    /* Only examine data if this a ping request or response */
    if ( type == BO_TYPE_PING )
    {
        i = 0;
        buf_ptr = buf1;
        *buf1 = 0;
        *buf2 = 0;
        /* Decrypt data */
        while ( i < len )
        {
            plaintext = (char) (*pkt_data ^ (BoRand()%256));
            *buf_ptr = plaintext;
            i++;
            pkt_data++;
            buf_ptr++;
            if ( plaintext == 0 )
                buf_ptr = buf2;
        }
        /* null-terminate string */
        *buf_ptr = 0;
        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf1 = %s\n", buf1););
        if ( *buf2 != 0 )
        {
            DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "buf2 = %s\n",buf2););
        }
        DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN, "crc = 0x%x\n", (char) (*pkt_data ^ (BoRand()%256))););
        if ( len > 4 && !strncasecmp((buf1+3), "PONG", 4) )
        {
            return BO_FROM_SERVER;
        }
        else
        {
            return BO_FROM_CLIENT;
        }
    }
//snippet from spp_bo.c
To validate it a bit more I ran the code through flawfinder. This is the output:
Examining spp_bo.c
spp_bo.c:430: [2] (buffer) char:
  Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
spp_bo.c:431: [2] (buffer) char:
  Statically-sized arrays can be overflowed. Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length.
Just my findings.
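For comparison, here is an added example (my own code, not Snort's source and not the patch the Snort team shipped) with the decrypt loop of BoGetDirection() rebuilt around the check the snippet above lacks: len comes from the packet header, so anything at or above the 1024-byte buffer size is rejected before the copy. bo_make_ping() builds constructed, encrypted ping payloads so the decode path can be exercised offline. Assumptions: the keystream is the Back Orifice LCG that Snort's BoRand() reproduces (holdrand * 214013 + 2531011, bits 16..30), computed here in 32 bits; the BO_TYPE_PING value is a placeholder; and the header parsing that sets len and type in the real preprocessor is omitted, with both passed in directly.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp, as in the original */

#define BO_BUF_SIZE     1024  /* size of buf1/buf2 in BoGetDirection() */
#define BO_TYPE_PING    0x01  /* placeholder value; only selects the ping path */
#define BO_FROM_UNKNOWN 0
#define BO_FROM_CLIENT  1
#define BO_FROM_SERVER  2

/* Back Orifice keystream, assumed to be the 32-bit LCG that Snort's BoRand()
 * reproduces. The same stream both encrypts and decrypts (plain XOR). */
static uint32_t bo_holdrand;

static int bo_rand(void)
{
    bo_holdrand = bo_holdrand * 214013u + 2531011u;
    return (int)((bo_holdrand >> 16) & 0x7fff);
}

/* Build a constructed, encrypted ping payload "s1\0s2" under the given seed.
 * Returns the payload length; out must hold strlen(s1) + 1 + strlen(s2) bytes. */
size_t bo_make_ping(uint8_t *out, const char *s1, const char *s2, uint32_t seed)
{
    size_t n1 = strlen(s1), n = n1 + 1 + strlen(s2);
    memcpy(out, s1, n1);
    out[n1] = 0;
    memcpy(out + n1 + 1, s2, n - n1 - 1);
    bo_holdrand = seed;
    for (size_t i = 0; i < n; i++)
        out[i] ^= (uint8_t)(bo_rand() % 256);
    return n;
}

/* The decrypt loop of BoGetDirection() with the missing length check.
 * len is the attacker-controlled length taken from the packet header. */
int bo_get_direction(const uint8_t *pkt_data, uint32_t len, uint8_t type,
                     uint32_t seed)
{
    char buf1[BO_BUF_SIZE], buf2[BO_BUF_SIZE];
    char *buf_ptr = buf1;

    if (type != BO_TYPE_PING)
        return BO_FROM_UNKNOWN;

    /* Missing in the original: without this, a payload with len > 1024 walks
     * buf_ptr past the end of buf1 (or buf2) and over the rest of the frame. */
    if (len >= BO_BUF_SIZE)
        return BO_FROM_UNKNOWN;

    memset(buf1, 0, sizeof buf1);   /* also keeps strncasecmp() below from */
    memset(buf2, 0, sizeof buf2);   /* reading uninitialised bytes past a short buf1 */

    bo_holdrand = seed;
    for (uint32_t i = 0; i < len; i++) {
        char plaintext = (char)(pkt_data[i] ^ (bo_rand() % 256));
        *buf_ptr++ = plaintext;
        if (plaintext == 0)         /* first string done: continue into buf2 */
            buf_ptr = buf2;
    }
    *buf_ptr = 0;                   /* in bounds: fewer than BO_BUF_SIZE bytes were written */

    if (len > 4 && strncasecmp(buf1 + 3, "PONG", 4) == 0)
        return BO_FROM_SERVER;
    return BO_FROM_CLIENT;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = bo_make_ping(pkt, "xyzPONG", "victim-host", 0x4f);
    printf("direction(len=%zu) = %d\n", n,
           bo_get_direction(pkt, (uint32_t)n, BO_TYPE_PING, 0x4f));
    printf("direction(len=2000) = %d (rejected)\n",
           bo_get_direction(pkt, 2000, BO_TYPE_PING, 0x4f));
    return 0;
}
```

Without the check, a single UDP datagram can carry roughly 65,500 bytes of payload, so the attacker picks len freely; and since the attacker also chose the seed and the ciphertext, every byte the loop writes past buf1 and buf2 is under their control, which is what turns a detection preprocessor into a remote code execution target.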
Friday, October 7, 2005
kPan1c.dc414.org
Just added a masked redirect for this blog at http://kPan1c.dc414.org, so you can always just hit that.
Thursday, October 6, 2005
GoogleDork SysPrep Hack
Not sure if you guys know what googledorks are. Basically, they are custom Google
queries that find some interesting stuff. Johnny Long talks a lot more
about them and has a whole database of them on his site
http://johnny.ihackstuff.com/.
Now to the fun stuff. Not sure if this has been done or not, but here it
goes.
I was talking to someone about sysprep (things it does, options you can
set, etc.), which got me thinking of my next idea.
GoogleDork:
+"AdminPassword" | "DomainAdmin" | "DomainAdminPassword" inurl:sysprep.inf
Why it works: sysprep.inf carries the local Administrator password in its [GuiUnattended] section (AdminPassword=, stored in plaintext unless EncryptedAdminPassword=Yes) and often the domain-join account in [Identification] (DomainAdmin= and DomainAdminPassword=), so an answer file left on a web-reachable server hands both over.
I know this is a pretty simple googledork (but you would be amazed at
the findings). If anyone has a better way of doing it or expanding it,
I would love to see it.