Drink!! So I’ve been working on a training package that takes a bit of a different approach than what I’ve normally done. The training breaks down like this:
Day 1: Local LAN based exploit (Windows)
Day 2: Remote Web based exploit (Linux)
Day 3: Client side exploit (Windows)
Day 4: Local exploit (FreeBSD)
Day 5: Network of the Seven Bells Test
Each day (save for the 5th) will focus on a single exploit: explaining it, running it on virtual machines, and spending 8 hours diving into as many of the detectable changes that exploit makes on a system as possible.
Not very security related, but something I don’t want to forget how to do. It was a PITA. So I had an old WINDOWS directory that I needed to get rid of, and the following commands gave me the oomph needed to get the job done.
1) Get a SYSTEM shell so all modding of permissions will be good:
psexec /accepteula -i -s cmd
2) Grant Administrators FULL rights to the directory and all sub directories and files
Let me say first off that this isn’t the most elegant way to accomplish it. It is in the “it works for me” stage. A quick primer on EXE::Custom: this is a setting, just like RHOST in Metasploit, available wherever an EXE is built for Windows payloads, such as PSEXEC, BypassUAC, etc. It tells Metasploit to ignore all of your payload settings and just use the EXE you have specified. Now this does come at a bit of a cost.
Looking through network shares can be slow, and waiting for individual searches to finish looking through the whole “drive” is redundant. It is easier to just use some Windows voodoo to get a good list to look through offline:
start /b cmd /c dir /b /s \\nas\users_home_share$ ^> shareinfo.txt
Breaking that down: start /b - starts a process that won’t hang up our current one, with the “b” flag meaning “background” (yay, not visible to the user!).
You’ve got shell and a set of credentials, but you’re coming up empty on what you can do with those credentials. This is especially problematic when you can’t get past UAC because you are either in an AlwaysNotify situation or not a local admin. (I’m not trying to pull some “insert magic here” on the assumption of credentials; at the time of this writing I have only just started working (created a blank file) on a post module to do this as your current user, so until then you need credentials.)
Dave Kennedy and Kevin Mitnick submitted the “bypassuac” post module to Metasploit a while back (last DerbyCon?), which is awesome, and they did some fantastic work, but I had a few complaints, as probably anyone did who used the module on a somewhat modern network.
“Old” module post/windows/escalate/bypassuac:
I decided to give it a bit of a face lift:
“New” local exploit module exploit/windows/local/bypassuac:
All of the credit for the availability of this module goes to @egyp7 though; without his epic addition of local exploits to Metasploit the majority of the updates to this module wouldn’t be possible.
Since I didn’t see any documentation bringing together in one place how to take an LM hash that you’ve cracked and convert it to the NTLM equivalent, and I google how to do it almost every time, I wanted to put all these links in one place and remember how to do it for john. Go-go-gadget blog-notes. So there is this:
https://github.com/snarez/rcracki/blob/master/lm2ntlm.cpp
And this:
https://github.com/rapid7/metasploit-framework/blob/master/tools/lm2ntcrack.rb
And this:
http://www.securityfocus.com/tools/6696
And the edited version of the above:
http://atenlabs.
TL;DR – DNSSEC Walker traverses a domain’s DNSSEC records to locate its regular DNS records. I like to go through the slides of cons I can’t make it to, and Hack-in-the-Box (HITB) Kul (Malaysia) was one such, as they were very quick to release slides: http://conference.hitb.org/hitbsecconf2011kul/materials/ One that I came across is Marc “van Hauser” Heuse’s talk on IPv6 titled “IPv6 Insecurity Revolutions” (direct link to the PDF on the aforementioned materials page).
One of the great things about the reverse_http(s) payloads is that they are proxy aware. However, one of the pitfalls of this is that SYSTEM doesn’t have proxy settings, nor do users who have never logged into a system (unless profile loading is triggered). The problem here arises when you are trying to do anything as SYSTEM; also, PSEXEC only has the option of getting you a SYSTEM shell (so you’re done for right out of the door).
Ok, this is pretty straightforward, no magic:
Got a shell; doesn’t have to be SYSTEM.
Add a route to the internal range, or directly to the host you want, over the session you want.
Mosey on over to the Socks4a module.
And in another terminal we need to make sure our proxychains.conf file in /etc/, or wherever you store your conf, is correct. It defaults to 9050 on 127.