UPDATE: THIS ONLY WORKS WITH THE LOCAL ADMIN (RID 500) ACCOUNT AND PASSWORD (MY MISTAKE FOR NOT TESTING MORE). So the “-ish” is that you need to have the username and password of another account that has administrator rights, namely the local administrator account on that box. But other than that, the following image should speak for itself. (No UAC prompt occurred during the following actions.) I plan on writing a Metasploit module to do this, as all it really does is start a process as a different user, and that process executes ShellExecute’s ‘RunAs’ verb.
I read this article a while back: http://fuzzynop.blogspot.com/2012/09/pass-hash-without-metasploit.html by @FuzzyNop. Great article showing the use of WCE’s “-s” flag to Pass-The-Hash locally, and I highly recommend checking it out. Anywho, I was once in a similar scenario, where I had no Metasploit to back me up, but the box I was on did have one interesting thing: Ruby and an accessible source for relatively up-to-date Ruby gems. Since Metasploit’s powerhouse library ‘rex’ installed just fine, I was set.
If you follow the exact same steps you did for Netview (/blog/2012/10/07/compiling-and-release-of-netview/), then you already have the steps needed to create a compiled version of ditto from the repo here: https://github.com/mubix/ditto. And while the sheep icon is cute, and a nod to what ditto does, it comes at a pretty hefty cost: size. Now if you’re scoffing at 408 KB then you don’t have any issues, but I like not having to wait while a binary I am trying to push to a victim box is transferring.
If you haven’t caught Chris Gates’ (@carnal0wnage) and my talk at DerbyCon 2012: we released 2 tools, Netview and Ditto. Here I’ll walk you through compiling Netview yourself; in the next blog post we’ll go over compiling Ditto and how you can remove its icon to reduce the size if you want. But for Netview it’s pretty straightforward. First you pull a copy of the Git repository: https://github.com/mubix/netview
pfSense is an excellent free way of including a firewall / IDS / proxy in your lab or VMs. It runs small and fast, but even as simple as pfSense is, sometimes you need a bit less complexity and quicker configuration. Enter Peerblock and AnalogX’s proxy. Two free tools, one usually used to stop people who torrent from getting caught by the RIAA/MPAA and the other a drop-dead simple Windows-based proxy utility.
Once you’re done staring at the Star Trek deity above (it’s a staring contest you will lose, since you are such a simplistic race), I pull your attention to: https://github.com/mubix/q. This repository / exploit pack was created for the sole purpose of housing modules, scripts and resource files that would otherwise not be accepted into the Metasploit trunk. It will always be free, and anyone is free to submit pull requests for modules, scripts or resource files that they created or just found and that were not accepted into the trunk because it was just a script, it violates the TOS of a service, they did not author it, or any other possible reason.
Executing WCE.exe in memory as demoed by Egypt here: https://community.rapid7.com/community/metasploit/blog/2012/05/08/eternal-sunshine-of-the-spotless-ram has two issues with it. 1. You leave a file on disk with your hashes and clear text passwords. That just won’t do. 2. There is this DLL called WCEAUX.dll that gets written for the briefest second to disk: (yes, I realize I’m running this on disk as ‘wce32.exe’, but it exhibits the same DLL drop when run in-memory). Now, don’t get me wrong, I love WCE, and Hernan Ochoa does an amazing job with it, but when it comes down to it, it’s the best tool for the job.
So it turns out that Windows Firewall talks IP addresses just like any other firewall, so if you configure FakeNetBIOSNS to tell everyone that the IP address for whatever they looked up is YOUR IP, guess what, no need to bypass the spoof filters ;-) Happy Rob!
$ cat nbns.ini
PROJECTMENTOR WPAD 172.16.10.207
PROJECTMENTOR FILESHARE 188.8.131.52
Results in: Game ON!
One of pen testers’ favorite attacks is NBNS spoofing. Now Wesley, who I originally learned this attack from, traced this back to sid (http://www.notsosecure.com/folder2/2007/03/14/abusing-tcpip-name-resolution-in-windows-to-carry-out-phishing-attacks/). Wesley’s stuff can be found here: http://www.mcgrewsecurity.com/tools/nbnspoof/. Wesley’s stuff eventually led to this awesome post on the Packetstan blog: http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html, and in that post the Metasploit module to do it all is demoed. But therein lies the rub. With each degree of separation we have more and more solidified it into an “on-site” only attack.