So you want to be a security expert

Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
So, You Want To Be A “Security Expert”
Fun Tools For Penetration Testing

Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.
• Husband & Father
• Accuvant LABS: Senior Consultant
• (A.K.A Pen Tester)
• Cofounder: http://www.pentestgeek.com
• Author: jigsaw.rb
• Twitter: @R3dy__
Who Is Royce Davis?

• Penetration Testing == Offensive Security
• Uploading Shells Is No Good
• Techniques to avoid shell upload
• Metasploit Modules
• Command execution
• Local & Cached hash dumping
• Fun With Domain Controllers
What Are You Talking About?

• Wikipedia Definition:
• “a method of evaluating computer and network
security by simulating an attack on a computer
system or network from external and internal
threats.”
What Is A Pen Test?
Not that kind of pen…

The All Powerful Shell
• What is a shell exactly?

• We‟ve been uploading shells to take control of
remote hosts since the beginning of time so
what‟s the big deal?
• Shells contain binary signatures that can be
recognized and blocked
• Obfuscation only creates a different
signature
• Shells can die leaving us with no way back in
• They can also leave remnants of themselves
Uploading Shells Is No Good

Why bother with a shell in the first place?
• Command execution
• Search the file system
• Create users
• Enumerate network resources
• Upload/download files
• Etc…
• Grab local/cached password hashes
• Dump all AD hashes from the DC
• “password” = 8846f7eaee8fb117ad06bdd830b7586c
• How can we do stuff without a shell???
What Can We Do With A Shell?

The Answer Is DCE/RPC
Distributed Computing Environment / Remote Procedure Calls
Book: DCE/RPC Over SMB – SAMBA and Windows NT* Domain Internals
Author: Luke Kenneth Casson Leighton
• Remotely interact with Windows API
• Supported by all versions of Windows
• Often left unsecured

Enter ‘psexec.rb’
• /exploit/windows/smb/psexec.rb
• Creates & Uploads a binary payload to the target over SMB
• Sends an RPC to the Service Control Manager
(SCM)
• UUID: „367abb81-9844-35f1-ad32-98f038001003‟
• Creates a service, starts it, cleans up after…
• MSDN Documentation
• http://msdn.microsoft.com/en-
us/library/windows/desktop/ms685942%28v=vs.85%29.aspx
Using Native Windows Functions

DCERPC Requests:
The dcerpc.call instance method takes in two parameters. The first parameter is the
opcode reference to the particular Windows function you wish to call. The second
parameter is the function arguments in NDR (Network Data Representation) Format.
• dcerpc.call(0x0f, stubdata) – OpenSCManager
• dcerpc.call(0x0c, stubdata) – CreateService
• dcerpc.call(0x0, svc_handle) – CloseServiceHandle
• dcerpc.call(0x10, stubdata) – OpenService
• dcerpc.call(0x13, stubdata) – StartService
• dcerpc.call(0x02, stubdata) – DeleteService
• dcerpc.call(0x0, svc_handle) - CloseServiceHandle
Inside psexec.rb

• This is what it looks like inside Metasploit‟s
psexec exploit module written by HDM
Psexec.rb Cont.
exploit/windows/smb/psexec.rb (line 254)

• This is the format accepted by the
CreateService function
• http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx
CreateService Windows Func.

• lpBinaryPathName [in, optional]
• The fully qualified path to the service binary file. If the path contains a space, it must be
quoted so that it is correctly interpreted. For example, "d:my sharemyservice.exe"
should be specified as ""d:my sharemyservice.exe"".
• The path can also include arguments for an auto-start service. For
example, "d:mysharemyservice.exe arg1 arg2". These arguments are passed to the
service entry point (typically the main function).
• If you specify a path on another computer, the share must be accessible by the computer
account of the local computer because this is the security context used in the remote call.
However, this requirement allows any potential vulnerabilities in the remote computer to
affect the local computer. Therefore, it is best to use a local file.
• psexec.rb looks like this:
• C:HjeKOplsYutVmBWn.exe  Probably a Meterpreter payload
• What if we tried this instead:
• C:windowssystem32cmd.exe /C echo dir C: ^> outputfile.txt > launchfile.bat &
C:windowssystem32cmd.exe /C launchfile.bat”
lpBinaryPathName MSDN Definition

In order to provide accessibility to this functionality for other modules we
created a mixin which has been graciously accepted into the MSF.
lib/msf/core/exploit/smb/psexec.rb
• Slightly modified version of the original psexec.rb code wrapped in a
function which excepts a Windows command in the following format:
• [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND]
• The method is called like so „return psexec(command)‟
• Returns „true‟ if execution was successful
• Major difference is it does not try to delete cmd.exe after execution
• Also contains a „smb_read_file(smbshare, host, file)‟ method for
convenient retrieval of command output
The Psexec Mixin

Command Execution

• Current methods for dumping password hashes
• Post modules that require a meterpreter shell
• Upload a standalone binary like
pwdump/fgdump…
• These methods extract specific registry key
values from the SYSTEM, SECURITY, and/or
SAM registry hive (This process can flag
antivirus)
• We need to somehow retrieve a copy of the registry
hives and extract the hashes from them offline
Dumping Password Hashes

1. Authenticate to the system using a password/hash
2. Use the psexec mixin to execute the following Windows
Commands:
• reg.exe save HKLMSAM c:windowstempsam
• reg.exe save HKLMSYSTEM c:windowstempsys
• reg.exe save HKLMSECURITY c:windowstempsec
3. Download the registry hive copies to our attacking machine
4. Remove the registry hive copies from the target
5. Open the registry hive copies on our attacking machine and
extract the password hashes
Offline Password Hash Dumping

Local & Cached Hash Extraction
• Local Hashes
• Domain Cached Hashes

• The holy grail of most network pentests can be found
inside an ESE (Extensible Storage Engine) database
called NTDS.dit located on the Domain Controller
• Protected by operating system
• Requires inject into lsass and/or other black magics
• Contains a BOAT LOAD of information about the
system
• Including password hashes and usernames for all
AD accounts!
Dumping All the Hashes

We can use the psexec_ntdsgrab module to create or target an existing VSC
(Volume Shadow Copy) and safely pull down a copy of NTDS.dit to our attacking
machine.
auxiliary/admin/smb/psexec_ntdsgrab.rb
1. Use psexec mixin to execute windows commands for creating a VSC
• vssadmin create shadow /For=%SYSTEMDRIVE%
2. Query vssadmin for the path to the newly created VSC
• vssadmin list shadows
3. Copy NTDS.dit from the VSC to the WINDOWSTemp directory
• copy /Y ?GLOBALROOTDeviceHarddiskVolumeShadowCopy1WINDOWSNTDSNTDS.dit
C:WINDOWSTempntds
4. Use reg.exe to make a copy of the SYSTEM registry hive
5. Download the „ntds‟ and „sys‟ files to attacking machine
6. Cleanup after ourselves
Enter psexec_ntdsgrab.rb

• We‟ll need to use the „libesedb‟ C library to extract
the right tables from NTDS.dit
• $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz$
• $ tar xvzf libesedb-alpha-20120102.tar.gz
• $ cd libesedb-20120102/
• $ ./configure
• $ make && make install
• Once libesedb is compiled we will use esedbexport located in the
„libesedb-20120102/esedbtools‟ to export the datatable which contains
the user account password hashes for AD
• http://www.pentestgeek.com/2012/11/16/dumping-domain-
password-hashes-using-metasploit-ntds_hashextract-rb/
Getting What We Want From NTDS.dit

• Uploading a binary shell to the target can be
harmful to a penetration test
• DCERPC allows us to do a lot of the functions we
would ask of a binary shell without uploading one to
the target
• Metasploit modules already exist to achieve remote
command execution, grab local/cached password
hashes and dump AD hashes from a DC
• The sky is the limit as to what else we could do if
we all chose to adapt this style of thinking
Closing

Any Questions?
10/9/201322

So, You Want To Be A “Security Expert”
10/9/201323
Thank You!
Royce Davis
Accuvant LABS
Senior Consultant – Attack & Pen Team
royce.e.davis@gmail.com
http://www.pentestgeek.com
@R3dy__

So you want to be a security expert

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

Similaire à So you want to be a security expert

Similaire à So you want to be a security expert (20)

Dernier

Dernier (20)

So you want to be a security expert

Notes de l'éditeur