Episode343

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security
BlackSquirrel
Onapsis

SANS Las Vegas from October 26-27th will debut a new course titled "Embedded Device Security Assessments for the Rest of Us" which will teach students how to assess embedded systems of all varieties on pen tests and in your duties as a security professional. Register Here


Episode Media

[MP3 pt1]

Announcements

PaulDotCom Security Weekly - Episode 343 for Thursday August 29th, 2013

  • We've released a book on Offensive Countermeasures! Visit tinyurl.com/OCM-Amazon to add this to your summer reading list.
  • We are looking for sponsors for our September webcast. Contact mike -at- hacknaked.tv for details!
  • The Stogie Geeks Show! - Kick some ash with the Stogie Geeks, Thursday nights at 9:00PM EST. Come have a cigar with us! If you are in the Rhode Island area please visit our sponsor the Havana Cigar Club, it's an awesome place to have a drink! Make sure you print out your $5.00 off coupon here!

Intro on BruCON with Matt

Matt is a long time volunteer of BruCON and is going to let us know all the great things in store for 2013.

Here are just a couple of those things:

BruCON 2013 Schedule

BruCON 2013 Training

Guest Interview: Ira Winkler


Biography:

Ira Winkler, CISSP is President of Secure Mentem. Ira is one of the foremost experts in the human elements of cyber security and is known for the extensive espionage and social engineering simulations that he has conducted for Fortune 500 companies globally, and has been named a “Modern Day James Bond” by the media.


  1. How did you get your start in information security?
  2. How do you recommend others get their start in the field?
  3. What was most attractive about the physical security and espionage aspect of our field?
  4. What is your opinion on certifications and education in the security field? What improvements would you make?
  5. In terms of severity, where do you rank insider threat? Do people often downplay the risk associated with insider threats?
  6. What are some of the most difficult companies to break into?
  7. What are the top mistakes companies make when it comes to physical security?
  8. What are the most important skills someone needs to be successful: technical skills? Social skills? Mindset? Or a combination of technical and interpersonal skills?
  9. Why are James Bond and Sydney Bristow terrible spies?
  10. What are some of the most successful techniques when you are looking to target and steal company information?
  11. Have you ever been confronted during a test and been told what you are doing is illegal?
  12. How do you combine the physical aspects of testing with more traditional types of hacking? Is it a blended threat?
  13. What can companies do to improve physical security? Preventing insider threats?


Five Questions:

  • Three words to describe yourself
  • If you were a serial killer, what would be your weapon of choice?
  • In a game of ass grabby-grabby do you prefer to go first or second?
  • If you wrote a book about yourself, what would the title be?
  • Stranded on a desert island, which tablet would you bring with you if you could choose only one: Android, iPad or Surface?

Tech Segment: Carlos Perez


Biography:

Also known as DarkOperator, he spends his time reverse engineering and practicing PowerShell Kung-Fu. Known by his motto "Shell is only the Beginning".


  1. Enumerating a Domain using ADSI in PowerShell

I got a call from a friend who, during a pentest, had gotten access to a command shell through a MS SQL Server using xp_cmdshell after brute forcing the SA account. Sadly, the SQL server was running as Network Service and it was fully patched, which meant that privilege escalation was very difficult. I recommended making the most of it and enumerating the network through the connection he had, but some ACLs were applied to binaries on the system, making this difficult. After thinking about it I asked him to test PowerShell. When we found out that we could execute it, I remembered that once on a machine joined to the domain one could enumerate the entire domain (computers, groups, users, etc.) using ADSI (Active Directory Services Interfaces), so I started to look at writing a simple script to achieve this. First I created an ADSI Searcher object with a filter for objects of type computer and set a limit of 100 items.

PS C:\Windows\system32> $adsisearcher = [adsisearcher]'objectcategory=computer'
$adsisearcher.SizeLimit = 100
$adsisearcher.FindAll()

Path                                                                                  Properties                                                                           
----                                                                                  ----------                                                                           
LDAP://CN=DC01,OU=Domain Controllers,DC=acmelabs,DC=com                               {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, ridsetrefe...
LDAP://CN=DC02,OU=Domain Controllers,DC=acmelabs,DC=com                               {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, ridsetrefe...
LDAP://CN=WIN701,OU=HR,DC=acmelabs,DC=com                                             {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN702,OU=HR,DC=acmelabs,DC=com                                             {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN801,CN=Computers,DC=acmelabs,DC=com                                      {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN2K01,CN=Computers,DC=acmelabs,DC=com                                     {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN2K301,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, displayname, codepage...}                   
LDAP://CN=WIN2K302,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, displayname, codepage...}                   
LDAP://CN=ALBEXCH01,CN=Computers,DC=acmelabs,DC=com                                   {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABSCCM,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=WIN802,CN=Computers,DC=acmelabs,DC=com                                      {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=LOGCOLLECTOR,CN=Computers,DC=acmelabs,DC=com                                {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABSQL2K51,CN=Computers,DC=acmelabs,DC=com                                 {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABSQL2K8R2-01,CN=Computers,DC=acmelabs,DC=com                             {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 
LDAP://CN=ALABFS01,CN=Computers,DC=acmelabs,DC=com                                    {primarygroupid, iscriticalsystemobject, msds-supportedencryptiontypes, codepage...} 

Once I saw I could pull the data, I re-wrote the script to pull the data, select only the information I wanted and, using .NET API calls, do a reverse lookup of each FQDN for each computer:

# DirectorySearcher bound to the current domain, filtering on computer objects
$adsisearcher = [adsisearcher]'objectcategory=computer'
# Cap the result set so the search stays quick and quiet
$adsisearcher.SizeLimit = 100
$adsisearcher.FindAll() | ForEach-Object {
    # Pick only the attributes we care about from each search result
    $CompProps = @{}
    $CompProps.Add('HostName', "$($_.properties.dnshostname)")
    $CompProps.Add('OperatingSystem', "$($_.properties.operatingsystem)")
    $CompProps.Add('ServicePack', "$($_.properties.operatingsystemservicepack)")
    $CompProps.Add('Version', "$($_.properties.operatingsystemversion)")
    # Resolve the FQDN to its address(es) through the .NET DNS API
    $CompProps.Add('IPAddress', [System.Net.Dns]::GetHostAddresses("$($_.properties.dnshostname)"))

    # Emit one object per computer so the output can be piped or formatted
    New-Object PSObject -Property $CompProps
}

Now the problem with PowerShell is that we cannot use it in a regular plain vanilla shell, because it will break our shell just like WMIC does. But we can get around this by encoding our script: inserting null characters in between the characters and Base64 encoding the result. In fact, PowerShell.exe gives an example of this in its help message:

C:\Windows\system32> powershell.exe -h

…

EXAMPLES
    PowerShell -PSConsoleFile SqlSnapIn.Psc1
    PowerShell -version 1.0 -NoLogo -InputFormat text -OutputFormat XML
    PowerShell -Command {Get-EventLog -LogName security}
    PowerShell -Command "& {Get-EventLog -LogName security}"

    # To use the -EncodedCommand parameter:
    $command = 'dir "c:\program files" '
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encodedCommand = [Convert]::ToBase64String($bytes)
    powershell.exe -encodedCommand $encodedCommand
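The same encoding in both directions, as an added Python example that is not part of the segment or of the ps_encoder.py script linked below: the encoder reproduces the help file's "write-host 'hello world'" string, and the decoder pulls the argument back out of a constructed process-creation command line, which is how a defender reads a -enc invocation found in 4688 or Sysmon Event ID 1 records. SAMPLE_CMDLINE and the WATCH_TERMS list are constructed for the example.

```python
import base64
import re

# powershell.exe -EncodedCommand takes the script as UTF-16LE text, Base64-encoded.
# The "null characters in between" the segment describes are the high bytes that
# UTF-16LE adds to every ASCII character.
PS_ENCODING = "utf-16-le"

# Matches -e, -ec, -en, -enc, -encoded, -encodedcommand (any prefix PowerShell
# accepts) and captures the Base64 argument. "-ex..." (-ExecutionPolicy) and "-ep"
# do not match because whitespace must follow the switch.
ENC_SWITCH = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Terms worth flagging in a decoded script (constructed watch-list for the
# example); "adsisearcher" is the domain-enumeration primitive this segment uses.
WATCH_TERMS = ("adsisearcher", "System.Net.Dns", "DownloadString", "IEX")

def encode_command(script):
    """Return the value passed to powershell.exe -EncodedCommand."""
    return base64.b64encode(script.encode(PS_ENCODING)).decode("ascii")

def decode_command(encoded):
    """Reverse the encoding. Tolerates line breaks (as in a pasted console
    session) and missing '=' padding, which log pipelines sometimes strip."""
    cleaned = re.sub(r"\s+", "", encoded)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned).decode(PS_ENCODING)

def decode_from_command_line(cmdline):
    """Extract and decode the encoded command from a process command line
    (the CommandLine field of a 4688 or Sysmon Event ID 1 record).
    Returns None when there is no encoded command or it does not decode."""
    match = ENC_SWITCH.search(cmdline)
    if not match:
        return None
    try:
        return decode_command(match.group(1))
    except ValueError:          # bad Base64 or an odd byte count for UTF-16LE
        return None

def flagged_terms(script):
    """Return the WATCH_TERMS that occur in a decoded script, case-insensitively."""
    lowered = script.lower()
    return [term for term in WATCH_TERMS if term.lower() in lowered]

# Constructed sample command line; the Base64 is the help-file example from the
# segment (write-host 'hello world').
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -WindowStyle Hidden -enc "
                  "dwByAGkAdABlAC0AaABvAHMAdAAgACcAaABlAGwAbABvACAAdwBvAHIAbABkACcA")

if __name__ == "__main__":
    print("decoded:", decode_from_command_line(SAMPLE_CMDLINE))
    enum = "([adsisearcher]'objectcategory=computer').FindAll()"
    print("flagged:", flagged_terms(decode_command(encode_command(enum))))
```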

If you are on OS X or Linux you could use a script I wrote for this in Python, in my GitHub repository:

https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.py

infidel02:Desktop carlos$ ./ps_encoder.py -h
Version: 0.1
Usage: ./ps_encoder.py <options>

Options:
   -h, --help                  Show this help message and exit
   -s, --script                PowerShell Script.


If you have no shame and you are running XP or 2k, there is also an exe you can use:

https://github.com/darkoperator/powershell_scripts/blob/master/ps_encoder.exe

Also, to make things easier, my Posh-SecMod PowerShell module (https://github.com/darkoperator/Posh-SecMod) has an encode function:

C:\Users\Carlos> gcm *post*

CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Compress-PostScript                                Posh-SecMod
Function        ConvertTo-PostBase64Command                        Posh-SecMod
Function        ConvertTo-PostFiletoHex                            Posh-SecMod
Function        ConvertTo-PostHextoFile                            Posh-SecMod
Function        Get-MSFPostCompatiblePayloads                      Posh-SecMod
Function        Get-MSFPostModule                                  Posh-SecMod
Function        Get-MSFSessionCompatPostModules                    Posh-SecMod
Function        Get-PostCopyNTDS                                   Posh-SecMod
Function        Get-PostHashdumpScript                             Posh-SecMod
Function        Get-PostReverTCPShell                              Posh-SecMod
Function        New-PostDownloadExecutePE                          Posh-SecMod
Function        New-PostDownloadExecuteScript                      Posh-SecMod
Function        Start-PostRemoteProcess                            Posh-SecMod
Application     RelPost.exe


C:\Users\Carlos> help ConvertTo-PostBase64Command

NAME
    ConvertTo-PostBase64Command

SYNOPSIS
    Converts a given PowerShell command string in to an Encoded Base64 command.

SYNTAX
    ConvertTo-PostBase64Command [-Command] <String> [<CommonParameters>]

    ConvertTo-PostBase64Command [-File] <String> [<CommonParameters>]

DESCRIPTION
    Converts a given PowerShell command string in to an Encoded Base64 command.

RELATED LINKS

REMARKS
    To see the examples, type: "get-help ConvertTo-PostBase64Command -examples".
    For more information, type: "get-help ConvertTo-PostBase64Command -detailed".
    For technical information, type: "get-help ConvertTo-PostBase64Command -full".


C:\Users\Carlos> help ConvertTo-PostBase64Command -full

NAME
    ConvertTo-PostBase64Command

SYNOPSIS
    Converts a given PowerShell command string in to an Encoded Base64 command.

SYNTAX
    ConvertTo-PostBase64Command [-Command] <String> [<CommonParameters>]

    ConvertTo-PostBase64Command [-File] <String> [<CommonParameters>]

DESCRIPTION
    Converts a given PowerShell command string in to an Encoded Base64 command.

PARAMETERS
    -Command <String>
        Command to Encode

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       true (ByPropertyName)
        Accept wildcard characters?  false

    -File <String>
        PowerShell Script to Encode

        Required?                    true
        Position?                    1
        Default value
        Accept pipeline input?       false
        Accept wildcard characters?  false

    <CommonParameters>
        This cmdlet supports the common parameters: Verbose, Debug,
        ErrorAction, ErrorVariable, WarningAction, WarningVariable,
        OutBuffer and OutVariable. For more information, see
        about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).

INPUTS

OUTPUTS

    -------------------------- EXAMPLE 1 --------------------------

    C:\PS>Encoding a command

    PS C:\> ConvertTo-Base64Command -command "write-host 'hello world'"
    dwByAGkAdABlAC0AaABvAHMAdAAgACcAaABlAGwAbABvACAAdwBvAHIAbABkACcA

    PS C:\> powershell.exe -encodedcommand
    dwByAGkAdABlAC0AaABvAHMAdAAgACcAaABlAGwAbABvACAAdwBvAHIAbABkACcA
    hello world

So now that we know how to encode the script, we can execute it:


C:\Windows\system32>whoami
nt authority\network service

C:\Windows\system32>powershell.exe -enc KABbAGEAZABzAGkAcwBlAGEAcgBjAGgAZQByAF0A
JwBvAGIAagBlAGMAdABjAGEAdABlAGcAbwByAHkAPQBjAG8AbQBwAHUAdABlAHIAJwApAC4AZgBpAG4A
ZABhAGwAbAAoACkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewANAAoAIAAgACAA
IAAgACAAIAAgACAAIAAgACAAJABDAG8AbQBwAFAAcgBvAHAAcwAgAD0AIABAAHsAfQANAAoAIAAgACAA
IAAgACAAIAAgACAAIAAgACAAJABDAG8AbQBwAFAAcgBvAHAAcwAuAEEAZABkACgAJwBIAG8AcwB0AE4A
YQBtAGUAJwAsACAAIgAkACgAJABfAC4AcAByAG8AcABlAHIAdABpAGUAcwAuAGQAbgBzAGgAbwBzAHQA
bgBhAG0AZQApACIAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAJABDAG8AbQBwAFAAcgBvAHAA
cwAuAEEAZABkACgAJwBPAHAAZQByAGEAdABpAG4AZwBTAHkAcwB0AGUAbQAnACwAIAAiACQAKAAkAF8A
LgBwAHIAbwBwAGUAcgB0AGkAZQBzAC4AbwBwAGUAcgBhAHQAaQBuAGcAcwB5AHMAdABlAG0AKQAiACkA
DQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AcABQAHIAbwBwAHMALgBBAGQAZAAoACcA
UwBlAHIAdgBpAGMAZQBQAGEAYwBrACcALAAgACIAJAAoACQAXwAuAHAAcgBvAHAAZQByAHQAaQBlAHMA
LgBvAHAAZQByAGEAdABpAG4AZwBzAHkAcwB0AGUAbQBzAGUAcgB2AGkAYwBlAHAAYQBjAGsAKQAiACkA
DQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACQAQwBvAG0AcABQAHIAbwBwAHMALgBBAGQAZAAoACcA
VgBlAHIAcwBpAG8AbgAnACwAIAAiACQAKAAkAF8ALgBwAHIAbwBwAGUAcgB0AGkAZQBzAC4AbwBwAGUA
cgBhAHQAaQBuAGcAcwB5AHMAdABlAG0AdgBlAHIAcwBpAG8AbgApACIAKQANAAoAIAAgACAAIAAgACAA
IAAgACAAIAAgACAAJABDAG8AbQBwAFAAcgBvAHAAcwAuAEEAZABkACgAJwBJAFAAQQBkAGQAcgBlAHMA
cwAnACwAWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4ARABuAHMAXQA6ADoARwBlAHQASABvAHMAdABBAGQA
ZAByAGUAcwBzAGUAcwAoACIAJAAoACQAXwAuAHAAcgBvAHAAZQByAHQAaQBlAHMALgBkAG4AcwBoAG8A
cwB0AG4AYQBtAGUAKQAiACkAKQANAAoADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAE4AZQB3AC0A
TwBiAGoAZQBjAHQAIABQAFMATwBiAGoAZQBjAHQAIAAtAFAAcgBvAHAAZQByAHQAeQAgACQAQwBvAG0A
cABQAHIAbwBwAHMADQAKACAAIAAgACAAfQA=


ServicePack     :
Version         : 6.2 (9200)
HostName        : DC01.acmelabs.com
IPAddress       : {fe80::10e9:a8b2:310:8fff%12, 192.168.10.10}
OperatingSystem : Windows Server 2012 Standard

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : DC02.acmelabs.com
IPAddress       : {192.168.10.12}
OperatingSystem : Windows Server 2008 R2 Enterprise

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : WIN701.acmelabs.com
IPAddress       : {192.168.10.20}
OperatingSystem : Windows 7 Enterprise

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : WIN702.acmelabs.com
IPAddress       : {192.168.10.21}
OperatingSystem : Windows 7 Ultimate

ServicePack     :
Version         : 6.2 (9200)
HostName        : WIN801.acmelabs.com
IPAddress       : {192.168.10.40}
OperatingSystem : Windows 8 Enterprise

ServicePack     :
Version         : 6.2 (9200)
HostName        : WIN2K01.acmelabs.com
IPAddress       : {192.168.10.2}
OperatingSystem : Windows Server 2012 Standard

ServicePack     : Service Pack 2
Version         : 5.2 (3790)
HostName        : win2k301.acmelabs.com
IPAddress       : {192.168.10.50}
OperatingSystem : Windows Server 2003

ServicePack     : Service Pack 2
Version         : 5.2 (3790)
HostName        : win2k302.acmelabs.com
IPAddress       : {192.168.10.51}
OperatingSystem : Windows Server 2003

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : ALBEXCH01.acmelabs.com
IPAddress       : {192.168.10.13}
OperatingSystem : Windows Server 2008 R2 Enterprise

ServicePack     :
Version         : 6.2 (9200)
HostName        : ALABSCCM.acmelabs.com
IPAddress       : {192.168.10.14}
OperatingSystem : Windows Server 2012 Standard

ServicePack     :
Version         : 6.2 (9200)
HostName        : WIN802.acmelabs.com
IPAddress       : {192.168.10.41}
OperatingSystem : Windows 8 Enterprise

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : LOGCOLLECTOR.acmelabs.com
IPAddress       : {192.168.10.16}
OperatingSystem : Windows Server 2008 R2 Standard

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : ALABSQL2K51.acmelabs.com
IPAddress       : {192.168.10.17}
OperatingSystem : Windows Server 2008 R2 Standard

ServicePack     : Service Pack 1
Version         : 6.1 (7601)
HostName        : ALABSQL2K8R2-01.acmelabs.com
IPAddress       : {192.168.10.18}
OperatingSystem : Windows Server 2008 R2 Standard

ServicePack     :
Version         : 6.2 (9200)
HostName        : ALABFS01.acmelabs.com
IPAddress       : {192.168.10.4}
OperatingSystem : Windows Server 2012 Standard


Some additional filters:

All security groups (local, global and universal):

   (groupType:1.2.840.113556.1.4.803:=2147483648)


All users:

   (&(objectCategory=person)(objectClass=user))

All users (more effective):

   (sAMAccountType=805306368)

All users with the account configuration 'Password never expires':

   (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

All domain controllers:

   (&(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
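What these filters actually select, in particular how the 1.2.840.113556.1.4.803 bit-AND matching rule works, as an added Python example that is not from the segment: a small parser for the filter subset used above plus an evaluator run over a constructed sample directory (account names, objectClass lists and the userAccountControl/groupType numbers are made up for the example; objectCategory is stored as a DN in AD and is compared by class name here). It also shows why the "all users" filter needs objectCategory=person: computer objects carry objectClass=user too.

```python
import re

# OID of the LDAP_MATCHING_RULE_BIT_AND extensible match used in the filters
# above: an integer attribute matches when every bit of the given mask is set.
BIT_AND = "1.2.840.113556.1.4.803"

def parse(text):
    """Parse the RFC 4515 subset used above (&, |, attr=value, attr:<oid>:=value)."""
    pos = 0
    def expr():
        nonlocal pos
        if text[pos] != "(": raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":                     # AND / OR over the nested filters
            op, pos, items = text[pos], pos + 1, []
            while text[pos] == "(":
                items.append(expr())
            node = (op, items)
        else:                                     # attr=value or attr:<oid>:=value
            end = text.index(")", pos)
            m = re.fullmatch(r"([^:=]+)(?::([\d.]+))?:?=(.*)", text[pos:end])
            if not m: raise ValueError("bad comparison: " + text[pos:end])
            attr, rule, value = m.groups()
            node = ("rule", attr.lower(), rule, value) if rule else ("eq", attr.lower(), value)
            pos = end
        if text[pos] != ")": raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return node
    tree = expr()
    if pos != len(text): raise ValueError("trailing characters after filter")
    return tree

def matches(node, obj):
    """Evaluate a parsed filter against one object given as {lowercase attr: value}."""
    kind = node[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(matches(n, obj) for n in node[1])
    values = obj.get(node[1])
    if values is None:                            # an absent attribute never matches
        return False
    if not isinstance(values, (list, tuple)):
        values = [values]
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in values)
    if node[2] != BIT_AND:
        raise ValueError("unsupported matching rule " + node[2])
    mask = int(node[3])
    # AD stores groupType/userAccountControl as signed 32-bit ints, so a security
    # group's 0x80000000 bit reads as a negative value: mask to 32 bits first.
    return any((int(v) & 0xFFFFFFFF) & mask == mask for v in values)

def select(filter_text, objects):
    """Names of the objects the filter selects, in input order."""
    tree = parse(filter_text)
    return [name for name, attrs in objects.items() if matches(tree, attrs)]

# Constructed sample directory (names and values invented; objectClass lists are
# abbreviated, but computers really do carry objectClass=user).
SAMPLE_OBJECTS = {
    "DC01":   {"objectclass": ["user", "computer"], "objectcategory": "computer", "useraccountcontrol": 532480},  # 8192 | 524288
    "WIN701": {"objectclass": ["user", "computer"], "objectcategory": "computer", "useraccountcontrol": 4096},
    "svc_backup": {"objectclass": ["person", "user"], "objectcategory": "person", "samaccounttype": 805306368, "useraccountcontrol": 66048},  # 512 | 65536
    "jdoe":   {"objectclass": ["person", "user"], "objectcategory": "person", "samaccounttype": 805306368, "useraccountcontrol": 512},
    "Domain Admins": {"objectclass": ["group"], "grouptype": -2147483646},  # 0x80000002, a global security group
    "Newsletter":    {"objectclass": ["group"], "grouptype": 2},            # a global distribution group
}
```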

Stories


Paul's Stories

  1. Java 6 0-Day Exploit in the Wild – Updated
  2. Webantix: Webshot: Screenshot every web server during your pen test
  3. BYOD – How much do you love your corporate laptop?
  4. Want to break some Android apps?
  5. ISPs scramble to explain mouse-sniffing tool
  6. Tesla Model S REST API Authentication Flaws
  7. Poison Ivy RAT Becoming The AK-47 Of Cyber-Espionage Attacks
  8. Cisco cracks down on security vulnerability
  9. Talking Threats with Senior Management

Larry’s Stories

  1. Geolocation hacks - [Larry] - an app to spoof geolocation via fake APs. Why? Apparently many mobile devices rely more heavily on the WiFi location than GPS, because it is significantly faster. Uses aircrack-ng suite and mdk3. I wish I had access to Apple's WiFi geolocation database, a la WiGLE
  2. Off grid internet - [Larry] - I love this. Great opportunities to use wireless mesh networking, and build new, infrastructure without prying eyes.
  3. OSX Sudo bypass - [Larry] - If a user has successfully used sudo on OSX in the past, set the date back to unix epoch and do sudo -k. Instant privileged access. Or use Dave's script
  4. Fake IDs? - [Larry] - Yup, the RI one is correct. Quahog anyone? Hm, the market for these is interesting. The student IDs might be good for social engineering and/or student discounts.
  5. Learn to break android apps - [Larry] - Some nice places to get started to learn how to break Android mobile apps.
  6. NY Times, Twitter - [Larry] - spear phishing FTW. Why? That is what allegedly led to the Syrian Electronic Army to gain control of domains for twitter and the NYT. People are and always will be the weakest link in the chain.
  7. Tesla hacks - [Larry] - According to a Dell engineer and Tesla owner, the Tesla API allows unauthenticated control of certain, limited functions of the automobile. Paging theKos…
  8. KALI of doom! - [Larry] - Based on the implementation of Kali via PXE, now they have a tutorial for you to build a remote pentest ISO, and the ability to turn that into a pentest drop box with auto connect back via OpenVPN.

Jack's Stories

Allison's Stories