Tuesday, Oct 30 2012

BypassUAC got a facelift

Dave Kennedy and Kevin Mitnick submitted the "bypassuac" post module to Metasploit a while back (last DerbyCon?), which is awesome, and they did some fantastic work, but I had a few complaints, as probably anyone did who used the module on a somewhat modern network.

"Old" module (post/windows/escalate/bypassuac):

[Screenshot]

I decided to give it a bit of a facelift:

"New" local exploit module (exploit/windows/local/bypassuac):

[Screenshot]

All of the credit for the availability of this module goes to @egyp7 though; without his epic addition of local exploits to Metasploit the majority of the updates to this module wouldn't be possible.

Anywho, on to the new features:

1) You can set any Windows payload you want to use now:

[Screenshot]

and yes, it supports EXE::Custom.

2) It lets you know whether it will be able to bypass the current UAC setting or not:

[Screenshot]

Even when you're going overkill with it:

[Screenshot]

(The ASK module will just elevate without any kind of user prompt if UAC is disabled.)

And of course it works as expected if UAC needs bypassing:

[Screenshot]

One thing I have yet to add is a simple check to make sure you are an admin who can actually bypass UAC. If you aren't, you'll be leaving this lovely calling card behind for the user:

[Screenshot]


Wednesday, Oct 24 2012

lm2ntlm with John the Ripper

Since I didn't see any documentation that brings together, all in one place, how to take an LM hash that you've cracked and convert it to the NTLM equivalent, and since I google how to do it almost every time, I wanted to put all these links in one place and remember how to do it for John. Go-go-gadget blog-notes.

So there is this: https://github.com/snarez/rcracki/blob/master/lm2ntlm.cpp

And this: https://github.com/rapid7/metasploit-framework/blob/master/tools/lm2ntcrack.rb

And this: http://www.securityfocus.com/tools/6696

And the edited version of the above: http://atenlabs.com/blog/so-you-pillaged-a-domain-controllers-hashes/

But Metasploit's is currently borked (Update: this is now fixed), I don't want to compile cpp, and perl sucks. One thing I did find was that someone submitted it to the JtR dev mailing list here:

http://www.openwall.com/lists/john-dev/2011/03/29/7

And I asked on that same list what had become of it:

http://www.openwall.com/lists/john-dev/2012/10/24/2

The result is as follows:

Given this hash: Administrator:500:AA1AB12D9BE8C0D18F900ABF62624751:A2855453E8F6E555E5F22956F7DAA398:::

which are the LM and NTLM equivalents of SUPERPASSWORD and SuPerPaSsWord respectively. So, just so I don't have to make a screenshot of a text file, assume that hash exactly as-is is in pwdump.txt.

[Screenshot]

That cracked the LM side in 16 seconds. You don't need to use John to get the LM side (rainbow tables work better at times).

Solar Designer (JtR's main dev) suggested the following path:

[Screenshot]

A bit hard to read but here are the commands:

./john -show pwdump.txt | cut -d: -f2 > cracked
./john -w=cracked -rules:nt -format=nt pwdump.txt

As you can see (if you squint), that works well. Rich Rumble suggested:

http://www.openwall.com/lists/john-dev/2012/10/24/3

using the loopback like so:
./john pwdump.txt -format=nt -loopback=john.pot -rules=nt

The loopback has been an amazing addition that is, as Solar Designer put it, “not in core JtR, it is a fairly recent addition to jumbo”. The loopback allows you to use previously cracked passwords as a dictionary without doing any cut/awk/sed voodoo. The problem with the suggested method for going from LM to NTLM with the loopback option is that it (rightly so) identifies LM hashes by their halves. When it tries to use those halves to crack the NTLM, even with the NT rule-set, it sees each half as a separate password to try, so it fails.

Sunday, Oct 21 2012

AXFR for DNSSEC: DNSSEC Walker

TL;DR – DNSSEC Walker traverses a domain’s DNSSEC records to locate its regular DNS records.

I like to go through slides of cons I can’t make it out to, and Hack-in-the-Box (HITB) KUL (Malaysia) was one such, as they were very quick to release slides:

http://conference.hitb.org/hitbsecconf2011kul/materials/

One that I came across is Marc “van Hauser” Heuse’s talk on IPv6 titled “IPv6 Insecurity Revolutions” (linked directly as a PDF from the aforementioned materials link). I definitely recommend checking it out, as well as the IPv6 tools THC / Marc released (v2) here:

http://www.thc.org/thc-ipv6/

Amazing tools, but one I could not locate in their batch was dnssecwalk (slide 41 for those following along).

I found something that looks very similar here:

http://josefsson.org/walker/

It was released originally in 2001 by Simon Josefsson. If you read the TL;DR at the top you pretty much know what the tool does, so I’ll take you through an example:

To get this bad boy working (since it’s Perl) you need to use CPAN to install Net::DNS and Net::DNS::SEC:

cpan Net::DNS (hit enter for defaults)
cpan Net::DNS::SEC (same deal)

Using the slide’s example of ripe.net (ARIN’s Euro brother), you simply point it at a domain:

./walker ripe.net
;; Walker by Simon Josefsson
;; $Id: walker,v 1.31 2005/09/20 10:16:30 jas Exp $
;; Net::DNS 0.68
;; Net::DNS::SEC 0.16

Then it just starts going. Unlike the tool in the slides it’s very verbose and doesn’t have any “write output to file” option, so piping to a file is recommended:

$ ./walker ripe.net > output.txt &
[1] 32623

Then just run greps on it, removing all of the DNS commentary (anything with a semicolon in it):

$ cat output.txt | grep -v ';' | grep IN
ripe.net.       273     IN      SOA     pri.authdns.ripe.net. dns.ripe.net. (
ripe.net.       17146   IN      A       193.0.6.139
ripe.net.       300     IN      AAAA    2001:67c:2e8:22:0:0:c100:68b
ripe.net.       2814    IN      DNSKEY  256  3  5 (
ripe.net.       2814    IN      DNSKEY  257  3  5 (
ripe.net.       2814    IN      DNSKEY  257  3  5 (
ripe.net.       2814    IN      DNSKEY  256  3  5 (
ripe.net.       183     IN      MX      200 postgirl.ripe.net.
ripe.net.       183     IN      MX      250 postlady.ripe.net.
ripe.net.       2017    IN      NS      tinnie.arin.net.
ripe.net.       2017    IN      NS      ns3.nic.fr.
ripe.net.       2017    IN      NS      sns-pb.isc.org.
ripe.net.       2017    IN      NS      pri.authdns.ripe.net.
ripe.net.       2017    IN      NS      sec3.apnic.net.
ripe.net.       2017    IN      NS      sec1.apnic.net.
ripe.net.       2723    IN      NSEC    256cns.ripe.net.  A AAAA DNSKEY MX NS NSEC RRSIG SOA
ripe.net.       21510   IN      RRSIG   A  5  2  21600  20121120100104 (
ripe.net.       210     IN      RRSIG   AAAA  5  2  300  20121120100104 (
ripe.net.       3510    IN      RRSIG   NS  5  2  3600  20121120100104 (
ripe.net.       210     IN      RRSIG   MX  5  2  300  20121120100104 (
                        7Te5Hfqh79JcJO4m94PLZ/GXnm3OVuKW1GINiNToNnTbz
ripe.net.       3510    IN      RRSIG   NSEC  5  2  3600  20121120100104 (
ripe.net.       3510    IN      RRSIG   SOA  5  2  3600  20121120100104 (
                        bfTSOsob1qYKrv3MrTrxDcr0dQJMjEUuKvWJINbFsCDDp
ripe.net.       3510    IN      RRSIG   DNSKEY  5  2  3600  20121120100104 (
                        ILjTJkBEsfhSs/7RKpoS+rLVOINoQXOtGgBhl5Ex5aAip
256cns.ripe.net.        20814   IN      CNAME   pip.ripe.net.
256cns.ripe.net.        2793    IN      NSEC    _jabber._tcp.ripe.net.  CNAME NSEC RRSIG
_jabber._tcp.ripe.net.  2804    IN      NSEC    _xmpp-client._tcp.ripe.net.  NSEC RRSIG SRV
_jabber._tcp.ripe.net.  2814    IN      RRSIG   NSEC  5  4  3600  20121120100104 (
_jabber._tcp.ripe.net.  114     IN      RRSIG   SRV  5  4  900  20121120100104 (
_jabber._tcp.ripe.net.  114     IN      SRV     30 30 5269 chat.ripe.net.
_xmpp-client._tcp.ripe.net.     2804    IN      NSEC    _xmpp-server._tcp.ripe.net.  NSEC RRSIG SRV
_xmpp-client._tcp.ripe.net.     115     IN      RRSIG   SRV  5  4  900  20121120100104 (
_xmpp-client._tcp.ripe.net.     2815    IN      RRSIG   NSEC  5  4  3600  20121120100104 (
_xmpp-client._tcp.ripe.net.     115     IN      SRV     30 30 5222 chat.ripe.net.
_xmpp-server._tcp.ripe.net.     2805    IN      NSEC    access.ripe.net.  NSEC RRSIG SRV
_xmpp-server._tcp.ripe.net.     115     IN      RRSIG   SRV  5  4  900  20121120100104 (
                        NJpdcDaytdKNINLVCFYUJWRnXiTRFrXSi2cL4nJLGLQlt
_xmpp-server._tcp.ripe.net.     2815    IN      RRSIG   NSEC  5
(snipped)

But of course slide 40 shows that you can simply zone transfer ripe.net anyway. But for those that aren’t so forthcoming with their zones, this can be a nice thing to try.
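To make the mechanism concrete, here is an added Python example (not part of the post and not walker's code) that does offline what walker does on the wire: it pulls the NSEC records out of output like the one above and follows each record's next-owner-name pointer from the apex, so every name the chain touches is known to exist in the zone. The sample input is constructed from the NSEC lines quoted above and is incomplete, so the walk reports an open chain.

```python
# Constructed from the walker output quoted above; the ";;" line mimics the tool's
# comment chatter, which the parser skips just like the grep -v ';' in the post.
SAMPLE_OUTPUT = """\
;; Walker by Simon Josefsson
ripe.net.       2723    IN      NSEC    256cns.ripe.net.  A AAAA DNSKEY MX NS NSEC RRSIG SOA
256cns.ripe.net.        2793    IN      NSEC    _jabber._tcp.ripe.net.  CNAME NSEC RRSIG
_jabber._tcp.ripe.net.  2804    IN      NSEC    _xmpp-client._tcp.ripe.net.  NSEC RRSIG SRV
_xmpp-client._tcp.ripe.net.     2804    IN      NSEC    _xmpp-server._tcp.ripe.net.  NSEC RRSIG SRV
_xmpp-server._tcp.ripe.net.     2805    IN      NSEC    access.ripe.net.  NSEC RRSIG SRV
"""

def parse_nsec(text):
    """Map each NSEC owner name to (next owner name, RR types present at the owner)."""
    chain = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        # presentation format: owner ttl class type next-name type-bitmap...
        if len(fields) >= 5 and fields[3] == "NSEC":
            chain[fields[0].lower()] = (fields[4].lower(), fields[5:])
    return chain

def walk_nsec_chain(text, apex):
    """Follow next-owner pointers from the apex; return (names in order, chain closed?).

    NSEC sorts the zone and each record names its successor, so the walk enumerates
    every name in the zone without a zone transfer. The chain is closed when the last
    record points back at the apex; otherwise we ran out of records (snipped output).
    """
    chain = parse_nsec(text)
    apex = apex.lower()
    names, seen, cur = [apex], {apex}, apex
    while cur in chain:
        nxt, _types = chain[cur]
        if nxt == apex:
            return names, True
        if nxt in seen:          # a loop that never reaches the apex: malformed chain
            break
        names.append(nxt)
        seen.add(nxt)
        cur = nxt
    return names, False

if __name__ == "__main__":
    names, closed = walk_nsec_chain(SAMPLE_OUTPUT, "ripe.net.")
    for n in names:
        print(n)
    print("chain closed:", closed)
```

Note that access.ripe.net. is reported even though its own NSEC record is missing from the snipped output: being named as a successor is enough to prove the name exists.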

Sunday, Oct 21 2012

Setting SYSTEM's proxy settings with Metasploit

One of the great things about the reverse_http(s) payloads is that they are proxy aware. However, one of the pitfalls to this is that SYSTEM doesn't have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered). The problem arises when you are trying to do anything as SYSTEM; also, PSEXEC only has the option of getting you a SYSTEM shell (so you're done for right out of the door).

Now, there is a stub in Metasploit that I have been unable to complete due to my lack of knowledge in the shellcode world. The stub allows you to create payloads that have static proxies, which basically removes the need for the following. Until then, here are a few ways to set / read the proxy settings for SYSTEM, or any other user for that matter.

(It's here if you want to take a whack at it: external/source/shellcode/windows/x86/src/block/block_reverse_https_proxy.asm )

One of the ways @carnal0wnage and I demoed at DerbyCon was using the bitsadmin binary. Windows 7/Vista/2008 come with version 2.0+, which has this great ability to run the following:

bitsadmin /util /setieproxy localsystem MANUAL_PROXY 192.168.1.55:3128 ";"

(On 2000, XP and 2003 you could upload a copy of bitsadmin that was new enough and that would still work.)

That command sets the proxy settings for the SYSTEM account. I was able to jump through hoops and do this remotely by using the windows/exec payload via psexec; then reverse_http(s) would work.

But I wanted a better way to do this. I watched the execution of bitsadmin to see what it was doing, and all it was actually doing was setting a registry key. Awesome, I can do that.

Enter enum_proxy:

[Screenshot]

And...

[Screenshot]

If you noticed that RHOST option: Metasploit has the ability to do remote registry calls as well (this module will attempt to start the RemoteRegistry service if the user has the privilege to do so):

[Screenshot]

Output from it finding a disabled RemoteRegistry:

msf post(enum_proxy) > run
[-] Unable to contact remote registry service on 172.16.10.217
[*] Attempting to start service remotely...
[*] Proxy Counter = 9
[*] Setting: WPAD and AutoConfigure script
[*] AutoConfigURL: http://anotherproxyserver/pac.pac
[*] Post module execution completed

"Awesome, but you promised setting the proxy settings." Well, right now all I can give you is a cloner ;-)

Enter clone_proxy_settings module:

[Screenshot]

And that's it. Still working on an actual "set_proxy" module, but this should do for now, and it's a lot less to type.

As of this post both are currently pull requests:

https://github.com/rapid7/metasploit-framework/pull/942

https://github.com/rapid7/metasploit-framework/pull/943

Wednesday, Oct 17 2012

Mounting SMB shares over Meterpreter

OK, this is pretty straightforward, no magic:

[Screenshot]

Got a shell; it doesn't have to be SYSTEM.

[Screenshot]

Add a route to the internal range, or directly to the host you want, over the session you want.

[Screenshot]

Mosey on over to the Socks4a module. And in another terminal we need to make sure our proxychains.conf file in /etc/ (or wherever you store your conf) is correct.

[Screenshot]

It defaults to 9050 on 127.0.0.1 for Tor; that's pretty easy to cope with, and there's no reason to mess with it if you actually use it for Tor for other things.

[Screenshot]

Run the socks proxy with the Tor-like settings. (Remember to shut down Tor first.)

[Screenshot]

And the rest is gravy. The % (percent sign, if blog software mangles it) is the delimiter that smbclient and other Samba tools recognize between user and password (so it doesn't prompt you for it).

And just to see it working:

[Screenshot]

Yay, files. Yes, I know I didn't use smbmount, but it works the same, as does rpcclient.

A side note here is if you are using the pth-tools from:

https://code.google.com/p/passing-the-hash/

You can use hashes instead of passwords for stuff like this. But who are we kidding? Who doesn't get clear-text passwords anymore ;-)
