Monday, Oct 15 2012

UAC AlwaysNotify Bypass-ish

UPDATE: THIS ONLY WORKS WITH THE LOCAL ADMIN (ID 500) ACCOUNT AND PASSWORD

(MY MISTAKE FOR NOT TESTING MORE)

So the "-ish" is that you need the username and password of another account that has administrator rights, specifically the local administrator account on that box. Other than that, the following image should speak for itself (no UAC prompt occurred during the following actions).

Screen Shot 2012 10 15 at 10 52 33 PM

I plan on writing a Metasploit module to do this, as all it really does is start a process as a different user and have that process execute ShellExecute's 'RunAs' verb. But until then, get CPAU here:

http://www.joeware.net/freetools/tools/cpau/

and Elevate here:

http://jpassing.com/2007/12/08/launch-elevated-processes-from-the-command-line/

And here is how to do it manually with built-in Windows Kung-Fu:

Screen Shot 2012 10 15 at 11 52 45 PM


Monday, Oct 15 2012

Pass the Hash w/o Metasploit - Part 2

I read this article a while back:

http://fuzzynop.blogspot.com/2012/09/pass-hash-without-metasploit.html

by @FuzzyNop

Great article showing the use of WCE's "-s" flag to Pass-The-Hash locally, and I highly recommend checking it out.

Anywho, I was once in a similar scenario where I had no Metasploit to back me up, but the box I was on did have one interesting thing: Ruby, and an accessible target for relatively up-to-date Ruby gems. Since Metasploit's powerhouse library 'rex' installed just fine, I was set.

Screen Shot 2012 10 14 at 11 44 05 PM

Then copy the following to the machine:

https://github.com/rapid7/metasploit-framework/blob/master/tools/psexec.rb

That's a standalone version of the psexec module (minus any advanced options). Once you have it down, make two quick edits (removing the requires for fastlib and msfenv):

Screen Shot 2012 10 14 at 11 26 20 PM

And then you should see this:

Screen Shot 2012 10 15 at 12 01 32 AM

Now, I elected to use the windows/adduser Metasploit single for my purposes; you can just as well use any executable you want, depending on what you are trying to accomplish. So this is the user list beforehand:

Screen Shot 2012 10 14 at 11 58 31 PM

And then I executed this:

Screen Shot 2012 10 15 at 12 00 17 AM

Which resulted in:

Screen Shot 2012 10 15 at 12 00 56 AM

w00t. Game over. But wait, there's more...
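As an added example (not code from the original post or from the Metasploit project), here is what the "hash" in pass-the-hash actually is and what the LM:NT credential string handed to psexec.rb looks like. The NT hash is an unsalted, single-round MD4 over the UTF-16LE bytes of the password, which is exactly why holding the hash is as good as holding the password and why exposed hashes must be treated as exposed credentials. MD4 is implemented in pure Ruby below so the script runs without OpenSSL's legacy provider; the assumption about the credential format is that SMBPass takes the same colon-separated "LM:NT" hex form the Metasploit psexec module uses.

```ruby
# Added example, not part of the original post.
MASK32 = 0xffffffff

# Reference MD4 (RFC 1320) over a binary string; returns lowercase hex.
def md4(message)
  f = ->(x, y, z) { (x & y) | (~x & z) }
  g = ->(x, y, z) { (x & y) | (x & z) | (y & z) }
  h = ->(x, y, z) { x ^ y ^ z }
  rotl = ->(x, s) { ((x << s) | (x >> (32 - s))) & MASK32 }

  data = message.b
  bit_len = data.bytesize * 8
  data += "\x80".b
  data << "\x00".b until data.bytesize % 64 == 56
  data << [bit_len & MASK32, bit_len >> 32].pack('V2') # 64-bit little-endian length

  a, b, c, d = 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476
  data.unpack('V*').each_slice(16) do |x|
    aa, bb, cc, dd = a, b, c, d
    # Round 1: words in order, shifts 3 7 11 19
    16.times do |i|
      t = rotl.((a + f.(b, c, d) + x[i]) & MASK32, [3, 7, 11, 19][i % 4])
      a, b, c, d = d, t, b, c
    end
    # Round 2: column order, shifts 3 5 9 13, constant 0x5a827999
    [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15].each_with_index do |k, i|
      t = rotl.((a + g.(b, c, d) + x[k] + 0x5a827999) & MASK32, [3, 5, 9, 13][i % 4])
      a, b, c, d = d, t, b, c
    end
    # Round 3: bit-reversed order, shifts 3 9 11 15, constant 0x6ed9eba1
    [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15].each_with_index do |k, i|
      t = rotl.((a + h.(b, c, d) + x[k] + 0x6ed9eba1) & MASK32, [3, 9, 11, 15][i % 4])
      a, b, c, d = d, t, b, c
    end
    a = (a + aa) & MASK32
    b = (b + bb) & MASK32
    c = (c + cc) & MASK32
    d = (d + dd) & MASK32
  end
  [a, b, c, d].pack('V4').unpack1('H*')
end

# LM hash of an empty password: what a host that no longer stores LM hashes reports.
EMPTY_LM_HASH = 'aad3b435b51404eeaad3b435b51404ee'

# NT hash: MD4 over the UTF-16LE bytes of the password. No salt, no iteration,
# so two users with the same password have the same hash.
def nt_hash(password)
  md4(password.encode('UTF-16LE'))
end

# The "LM:NT" string form (assumed format, see lead-in) a psexec-style tool accepts
# in place of a password.
def smb_pass_for(password)
  "#{EMPTY_LM_HASH}:#{nt_hash(password)}"
end

# Classify a credential value: returns a hash describing an LM:NT pair, or nil
# when the value is not a hash pair (i.e. it is a plaintext password).
def parse_smb_pass(value)
  m = value.match(/\A([0-9a-f]{32}):([0-9a-f]{32})\z/i)
  return nil unless m
  { lm: m[1].downcase, nt: m[2].downcase, lm_blank: m[1].downcase == EMPTY_LM_HASH }
end

if $PROGRAM_NAME == __FILE__
  puts "NT hash of 'password': #{nt_hash('password')}"
  puts "SMBPass form:          #{smb_pass_for('password')}"
  p parse_smb_pass(smb_pass_for('password'))
end
```

The `parse_smb_pass` helper is the kind of check a defender can put in front of any tooling or log pipeline that accepts credentials: a 32-hex:32-hex value is a hash pair, not a password, and a blank LM half tells you the source host only had the NT hash to give.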

There is another GEM that makes things even easier to continue if your next hop doesn't have Ruby:

http://ocra.rubyforge.org

OCRA (One-Click Ruby Application): you just need to 'gem install ocra' and you can then compile Ruby into Windows executables (it does this the same way as Py2Exe, packaging an interpreter in with the script).

Building the executable (once the gem is installed) is pretty straightforward:

Screen Shot 2012 10 15 at 12 06 21 AM

And as you can see, we have a ~5.5 meg file:

Screen Shot 2012 10 15 at 12 06 46 AM

The output without options looks like this:

Screen Shot 2012 10 15 at 12 08 32 AM

You can plainly see the Temp directory it's being extracted to. It does a very good job of cleaning up the temp directory after it has run the Ruby script, which is nice, but that cleanup is not forensically sound (obviously), so just a heads up.

But, the result is the same:

Screen Shot 2012 10 15 at 12 09 58 AM

Now you can take your 5.5 meg bin anywhere you want and psexec with a hash to your heart's content.

(As a side note, this works REALLY well to bypass UAC if you have a username and password/hash for a local admin. Just don't forget that it runs the EXE as SYSTEM, which normally doesn't have proxy settings.)

Monday, Oct 8 2012

Compiling and Release of Ditto

If you follow the exact same steps you did for Netview: http://www.room362.com/blog/2012/10/8/compiling-and-release-of-netview.html

then you already have the steps needed to create a compiled version of Ditto from the repo here:

https://github.com/mubix/ditto

And while the sheep icon is cute, and a nod to what ditto does, it comes at a pretty hefty cost:

Capture 42

Size. Now if you're scoffing at 408 KB then you don't have any issues, but I like not having to wait while a binary I am trying to push to a victim box is transferring. Removing the icon is pretty straightforward. Once you've loaded the .SLN file up in Visual Studio C++, just expand the "Resource Files" folder in the "Solution Explorer":

Capture 43

And summarily delete both files (right click and go to Remove, or just press the Del key).

(Side note, don't forget to rename or copy the one with the icon somewhere first if you want to keep that version)

Then "Build Solution" again, and voilà! A much smaller, less witty but highly functional Ditto:

Capture 44 

And of course, like last time, you could go through all that, or just download them here:

Without the icon: http://www.room362.com/storage/ditto_noicon.exe

With the icon: http://www.room362.com/storage/ditto_withicon.exe


Monday, Oct 8 2012

Compiling and Release of Netview

If you haven't caught Chris Gates' (@carnal0wnage) and my talk at DerbyCon 2012: we released 2 tools, Netview and Ditto. Here I'll walk you through compiling Netview yourself; in the next blog post we'll go over compiling Ditto and how you can remove its icon to reduce the size if you want. But for Netview it's pretty straightforward. First you pull a copy of the GIT repository:

https://github.com/mubix/netview

Once you've done that, you've got a directory looking like this:

Capture 36

You will also need Visual Studio C++ (the Express version is free here: http://www.microsoft.com/visualstudio/eng/downloads#d-2010-express )

Once you have both, double click the .sln file (Solution File).

And you get an ugly blue and purple box like this:

Capture 37

There you switch the compile option from "Debug" to "Release" and click "Build Solution":

Capture 38

Sounds much more grandiose than it really is. If all goes well, the box at the bottom will say "Build: 1 succeeded":

Capture 39 

You'll have a new folder:

Capture 40

and inside is your wonderful prize:

Capture 41

You could go through all of that… or just download it here:

http://www.room362.com/storage/netview.exe

Friday, Oct 5 2012

Lab Setup - Windows Proxy and Egress Filtering

pfSense is an excellent free way of including a firewall / IDS / proxy in your lab or VMs. It runs small and fast, but as simple as pfSense is, sometimes you need even less complexity and faster configuration.

Enter PeerBlock and AnalogX's Proxy: two free tools, one usually used by people who torrent to avoid getting caught by the RIAA/MPAA, the other a drop-dead simple Windows-based proxy utility.

First we'll talk about AnalogX's Proxy, which you can get here:

http://www.analogx.com/contents/download/Network/proxy/Freeware.htm

Capture 29

A simple next->next->finish install gets you this:

Capture 30

With the following ports listening:

  • HTTP (web browsers) (port 6588)
  • HTTPS (secure web browsers) (port 6588)
  • SOCKS4 (TCP proxying) (port 1080)
  • SOCKS4a (TCP proxying w/ DNS lookups) (port 1080)
  • SOCKS5 (only partial support, no UDP) (port 1080)
  • NNTP (usenet newsgroups) (port 119)
  • POP3 (receiving email) (port 110)
  • SMTP (sending email) (port 25)
  • FTP (file transfers) (port 21)

So you can test to your heart's content that everything goes through a proxy, using basically any proxy type you want.

(I will assume here that you know how to setup your own proxy settings for your OS)

But the problem is that if your code / application misbehaves, it will still get out. You could go to the trouble of fiddling with the Windows firewall if you are running Windows 7 (not sure if XP's firewall can block egress, but it probably can). But I like simple and straightforward solutions.

PeerBlock can be found here:

http://www.peerblock.com

Capture 31

It is simple to set up as well (next->next->finish applies).

Go into List Manager once you have it installed and "Create a List":

Capture 32

Give it a description and a place to save the file:

Capture 33

You'll get this window popping up automatically, but if you don't, just click 'Add' with your custom list selected in the List Manager:

Capture 34

Feel free to block everything but one IP, a range, or whatever meets your needs; nothing in or out from or to that IP/range will be allowed.

One of the things I use it for is blocking the whole Internet except for my internal ranges, for stuff like my personal VirusTotal lab where I run bins to test stuff out; that way the antivirus services can't ship my bin off to who knows where to be analyzed before I even get to use it.

Here is an example of my "All the Internet" block list:

Capture 35
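Rather than typing an "All the Internet except my lab" list by hand, it can be generated: take the ranges you want to keep reachable, merge them, and emit every gap between them over the whole IPv4 space. The script below is an added example, not code from the original post or from the PeerBlock project; it assumes the list file uses the PeerGuardian/PeerBlock plain-text "description:first-last" line format, and the lab subnets in it are constructed sample values.

```ruby
# Added example, not part of the original post.
require 'socket'
require 'ipaddr'

ALL_IPV4 = [0, 0xffffffff].freeze

# Convert "10.10.0.0/16" or a single host "192.168.56.5" into [first, last] integers.
def cidr_to_range(cidr)
  range = IPAddr.new(cidr).to_range
  [range.first.to_i, range.last.to_i]
end

# Merge overlapping or adjacent allow ranges, then return the gaps between them,
# i.e. everything in the universe that is NOT allowed.
def complement_ranges(allowed, universe = ALL_IPV4)
  merged = []
  allowed.map { |c| cidr_to_range(c) }.sort_by(&:first).each do |lo, hi|
    if merged.any? && lo <= merged.last[1] + 1
      merged.last[1] = [merged.last[1], hi].max   # overlap/adjacent: extend previous
    else
      merged << [lo, hi]
    end
  end

  blocks = []
  cursor = universe[0]
  merged.each do |lo, hi|
    blocks << [cursor, lo - 1] if lo > cursor      # gap before this allowed range
    cursor = hi + 1
  end
  blocks << [cursor, universe[1]] if cursor <= universe[1]
  blocks
end

def int_to_ip(i)
  IPAddr.new(i, Socket::AF_INET).to_s
end

# One "description:first-last" line per blocked range (assumed PeerBlock list format).
def block_list(allowed, label = 'All the Internet')
  complement_ranges(allowed).map { |lo, hi| "#{label}:#{int_to_ip(lo)}-#{int_to_ip(hi)}" }
end

if $PROGRAM_NAME == __FILE__
  # Constructed lab ranges: the host-only VM network and an internal test subnet.
  puts block_list(['192.168.56.0/24', '10.10.0.0/16'])
end
```

Because the output is the complement of the allow set, anything you forget to list (a DNS resolver, the proxy box itself if it lives elsewhere) is blocked too, which is the behaviour you want in a detonation lab: fail closed, then add ranges deliberately.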

That's everything for now; hope some of it was useful in your setup and experiments ;-)
