Sunday, January 17, 2016

Enumerating Excluded AntiVirus Locations

Recently I submitted a PR to Metasploit for a Windows post module that was improved and landed with the help of @jhart-r7. The goal of this post module was to add the ability to quickly enumerate the "excluded" locations that are saved by AntiVirus software. These locations are sometimes created due to defaults within the product itself or are manually added by an admin of the machine. Excluded locations can be very useful places to upload/store files that you know are likely to get caught by AV as they will not be scanned/removed from the system. The module supports file, directory, process, and extension-based exclusions for the following products (so far):

Microsoft Defender
Microsoft Security Essentials/Antimalware
Symantec Endpoint Protection

Example usage:

Once you have a shell, run the post module.


The module indicates that Microsoft Security Essentials is installed and there are a few excluded locations configured. Let's try to upload a known malicious binary to this machine in a non-excluded location.


We can see that we successfully uploaded WCE, but when trying to execute it, AV flags and deletes it.

Now when we try to upload and execute the same binary from one of the excluded locations...


AV leaves us alone.

I suppose this could also be useful to admins who want to audit these configurations as well ;)
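For the audit angle, here is an added example (my own code, not the Metasploit module or anything from the post): a small Python script that reads a regedit .reg export of the Defender-family exclusion keys (Microsoft Defender under "Windows Defender\Exclusions", Microsoft Security Essentials under "Microsoft Antimalware\Exclusions", each with Paths, Extensions and Processes subkeys), lists every exclusion per product and category, and flags the ones an auditor should question. The key paths are the ones those products use and should be verified on your own builds; the "risky" heuristics and the sample export are constructed for this example.

```python
import re
from collections import defaultdict

# Registry roots where the Defender-family products keep their exclusion lists.
# Each root has Paths, Extensions and Processes subkeys; MSE uses "Microsoft Antimalware".
# Assumption: these are the key paths on the builds being audited; verify on your own images.
EXCLUSION_ROOTS = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions": "Microsoft Defender",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions": "Microsoft Security Essentials",
}

# Constructed audit heuristics: exclusions that widen the unscanned surface the most.
RISKY_DIR_MARKERS = ("\\users\\", "\\temp\\", "\\public\\", "\\downloads\\", "\\programdata\\")
RISKY_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr"}
RISKY_PROCESSES = {"powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg_export(text):
    """Parse a regedit .reg export into {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        key = KEY_LINE.match(line)
        if key:
            current = key.group("key")
            keys.setdefault(current, {})
            continue
        value = VALUE_LINE.match(line)
        if value and current is not None:
            # .reg files escape backslashes and quotes inside value names.
            name = value.group("name").replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = value.group("data")
    return keys


def audit_exclusions(reg_text):
    """Return {product: {category: [excluded entry, ...]}} for recognised AV products."""
    found = defaultdict(lambda: defaultdict(list))
    for key_path, values in parse_reg_export(reg_text).items():
        for root, product in EXCLUSION_ROOTS.items():
            if key_path.lower().startswith(root.lower() + "\\"):
                category = key_path[len(root) + 1:]  # Paths, Extensions or Processes
                found[product][category].extend(values)
    return {product: dict(cats) for product, cats in found.items()}


def flag_risky(exclusions):
    """List (product, category, entry, reason) tuples an auditor should question."""
    flagged = []
    for product, cats in exclusions.items():
        for category, entries in cats.items():
            for entry in entries:
                low = entry.lower()
                reason = None
                if category == "Paths":
                    if re.fullmatch(r"[a-z]:\\?", low):
                        reason = "entire drive excluded"
                    elif any(marker in low + "\\" for marker in RISKY_DIR_MARKERS):
                        reason = "user-writable location excluded"
                elif category == "Extensions":
                    if ("." + low.lstrip(".")) in RISKY_EXTENSIONS:
                        reason = "executable content type excluded"
                elif category == "Processes":
                    if low.rsplit("\\", 1)[-1] in RISKY_PROCESSES:
                        reason = "interpreter or script host excluded"
                if reason:
                    flagged.append((product, category, entry, reason))
    return flagged


# Constructed sample export (not taken from a real host) so the script runs stand-alone.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths]
"C:\\Program Files\\LOB App"=dword:00000000
"C:\\Users\\Public\\Tools"=dword:00000000
"D:\\"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Extensions]
"log"=dword:00000000
"exe"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Processes]
"C:\\Program Files\\LOB App\\lob.exe"=dword:00000000
"powershell.exe"=dword:00000000
"""

if __name__ == "__main__":
    import sys
    # regedit writes exports as UTF-16 with a BOM; fall back to the constructed sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG_EXPORT
    exclusions = audit_exclusions(text)
    for product, cats in exclusions.items():
        for category, entries in cats.items():
            for entry in entries:
                print(f"[{product}] {category}: {entry}")
    for product, category, entry, reason in flag_risky(exclusions):
        print(f"REVIEW [{product}] {category} {entry!r}: {reason}")
```

Export the two roots with `reg export` (one file per product) and pass the file to the script; anything it prints with REVIEW is an exclusion that gives unscanned write access to a location or file type an ordinary user can reach, which is exactly the kind of gap the post module surfaces from the attacker side.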

Cheers

https://www.rapid7.com/db/modules/post/windows/gather/enum_av_excluded

Friday, March 27, 2015

IPMI and BMC Exploitation

A quick brain dump of resources/vulns/techniques for pwning IPMI devices:

Awesome work in this area by Rapid7, Dan Farmer, etc.

Educate yo-self

https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi

Discovery

http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_version

Vulns

https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities

Exploits (MSF)

http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_dumphashes
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner
http://www.rapid7.com/db/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero
http://www.rapid7.com/db/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure
http://server:49152/PSBlock

Other resources

http://fish2.com/ipmi/
https://community.rapid7.com/community/metasploit/blog/2013/11/15/exploiting-the-supermicro-onboard-ipmi-controller
blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras
https://pedromadias.wordpress.com/2012/06/25/all-your-asus-servers-ikvmipmi-may-belong-to-other/
http://blog.devicenull.org/2014/02/02/supermicro-ipmi-firmware-x8sil-f-analysis.html


I will update with more coherence when I get more time...

Thursday, January 8, 2015

Password Hash Identifier

So I recently saw KoreLogic post a link to a password hash dump on pastebin located here: http://pastebin.com/A3JSbdzm

It was not a typical hash dump, as it was not a list of cracked or uncracked hashes but hash types followed by examples. When faced with a funky password hash, I typically call upon john the ripper to do identification for me; however, I have been in multiple scenarios where it is either unclear or john cannot identify the hash(es) I have. This pastebin dump was the kick in the pants I needed to write a tool of my own that attempts to identify the hash type of a given hash.

If an exact match cannot be found, the script will give you "possible" matches. I have incorporated the hash types mentioned above as well as the list from the hashcat site here: http://hashcat.net/wiki/doku.php?id=example_hashes
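As an added example, written for this page and not the post's hashes.py, here is a minimal identifier in the same spirit: a constructed table of hash-shape regexes (a small subset of what a hashes.txt list would hold) and an identify() that reports an exact match when exactly one shape fits and "possible" matches when several do, which is what happens with any bare 32-hex string (MD5, NTLM and LM look identical). It also goes slightly beyond the post by checking each field of a user:hash or pwdump-style line. Signature labels, patterns and sample inputs are all constructed for the example.

```python
import re
import sys

# Constructed signature table: (label, regex). Formats that look identical on the wire
# (e.g. 32 hex characters) deliberately share a shape so they surface as "possible" matches.
HASH_SIGNATURES = [
    ("MD5", r"^[0-9a-f]{32}$"),
    ("NTLM", r"^[0-9a-f]{32}$"),
    ("LM", r"^[0-9a-f]{32}$"),
    ("SHA-1", r"^[0-9a-f]{40}$"),
    ("RIPEMD-160", r"^[0-9a-f]{40}$"),
    ("SHA-256", r"^[0-9a-f]{64}$"),
    ("SHA-512", r"^[0-9a-f]{128}$"),
    ("MySQL 4.1+", r"^\*[0-9A-F]{40}$"),
    ("md5crypt", r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    ("Apache apr1", r"^\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$"),
    ("sha256crypt", r"^\$5\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{43}$"),
    ("sha512crypt", r"^\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}$"),
    ("bcrypt", r"^\$2[abxy]?\$\d{2}\$[./0-9A-Za-z]{53}$"),
    ("Domain Cached Credentials 2", r"^\$DCC2\$\d+#[^#:]+#[0-9a-f]{32}$"),
]
COMPILED = [(label, re.compile(pattern, re.IGNORECASE)) for label, pattern in HASH_SIGNATURES]


def identify(candidate):
    """Return {'exact': label or None, 'possible': [labels]} for one hash string.

    Exactly one matching shape is reported as exact; several are reported as possible;
    none leaves both empty, which is the case john would also struggle with.
    """
    candidate = candidate.strip()
    matches = [label for label, rx in COMPILED if rx.match(candidate)]
    if len(matches) == 1:
        return {"exact": matches[0], "possible": []}
    return {"exact": None, "possible": matches}


def identify_fields(line, sep=":"):
    """Identify every hash-looking field of a 'user:hash' or pwdump-style
    'user:rid:lm:nt:::' line; returns [(field_index, result)] and skips fields
    that match no known shape."""
    results = []
    for index, field in enumerate(line.split(sep)):
        result = identify(field)
        if result["exact"] or result["possible"]:
            results.append((index, result))
    return results


# Constructed inputs (shapes only, not real credentials) for a stand-alone run.
SAMPLES = [
    "0123456789abcdef0123456789abcdef",  # 32 hex: ambiguous between MD5, NTLM and LM
    "$6$saltsalt$" + "b" * 86,           # sha512crypt shape
    "$2a$05$" + "A" * 53,                # bcrypt shape
    "*" + "A" * 40,                      # MySQL 4.1+ shape
    "not-a-hash",                        # matches nothing
]

if __name__ == "__main__":
    # Mirrors the post's usage: python hashes.py '[hash]' (several hashes may be given).
    for item in sys.argv[1:] or SAMPLES:
        print(f"{item[:40]:<42} {identify(item)}")
```

The ambiguity handling is the useful part: a bare 32-hex string is never reported as "MD5" outright, because the same bytes could be an NTLM or LM hash and mislabelling it sends the cracking run down the wrong mode.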

To use it you will need to download the python script and the associated hash list.

https://github.com/jakxx/Scripts/blob/master/hashes.py
https://github.com/jakxx/Scripts/blob/master/hashes.txt

Once you have them, usage is simple:

python hashes.py '[hash]'

An example can be seen below.


Cheers.