Episode130

From Security Weekly Wiki
Revision as of 20:30, 13 November 2008

Tech Segment: Pass The Hash, Hold The Salt

We've mentioned it on the show before, referenced it several times in various publications, SANS covers it in many courses (SEC560 has almost an entire day on password cracking), but here's a little tutorial on how to put it all together. What am I talking about? Windows hashes, either LANMAN or NTLM, they are literally the keys to the kingdom. First, you need to collect them by:

  • Sniffing them off of the network
  • Gaining SYSTEM level access to a system and grabbing the SAM database
  • Gaining user level privileges to a system and grabbing the backup

I won't go into a lot of detail about the above, because well, we've been there before. So, let's say for example you compromise a system on the internal (or external) network. The first thing you should do (after your happy dance of pwnage) is to grab the SAM database. You can do that with:

  • Metasploit - Meterpreter.dll "hashdump" command
  • Core IMPACT - "Dump Passwords From SAM"
  • fgdump - Excellent tool for dumping passwords (I upload it to NT 4.0 systems because Core doesn't support them for password dumping)

So, you go along and try to crack those hashes with john, which can have sexy results most of the time. However, remember you can also pass the hash too! But first, you must choose which hashes to pass. I try to determine if there is a shared local administrator password amongst systems. If I've compromised a bunch of systems I will review the hashes and look for similarities. Remember, no salt, so if some systems have a username of "administrator" and others a username of "tom", one can deduce that an admin may have gotten sneaky and changed the local administrator username. So, grep, sort, and uniq are your friends, do some analysis of the hashes. To pass the hash, I've had great success using Core IMPACT's module "Install Agent Using SMB", as shown below:


You will need both the LANMAN and NTLM hashes which will serve as the password. I take this module and run it against all of the hosts on a particular subnet, and really make a point that you should never use the same local admin password on several different systems!
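As an added example (not from the show notes and not part of any tool named above), here is a small Python audit that does the grep/sort/uniq analysis from the segment on pwdump-style output: because LANMAN and NTLM hashes are unsalted, grouping by hash shows which hosts share a local administrator password even when the built-in account has been renamed, and it also flags hosts that still store LM hashes. The host addresses and hash values are constructed.

```python
from collections import defaultdict

# pwdump's LM field when no LM hash is stored (LM storage disabled); a
# well-known constant. RID 500 is the built-in Administrator, renamed or not.
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
ADMIN_RID = "500"

# Constructed sample dumps, one list of pwdump lines (user:rid:lm:nt:::) per
# host. The hash values are invented placeholders, not real password hashes.
SAMPLE_DUMPS = {
    "10.0.0.5": ["Administrator:500:a1a1a1a1a1a1a1a1b2b2b2b2b2b2b2b2:"
                 "0123456789abcdef0123456789abcdef:::"],
    "10.0.0.6": ["tom:500:aad3b435b51404eeaad3b435b51404ee:"
                 "0123456789abcdef0123456789abcdef:::"],
    "10.0.0.7": ["Administrator:500:aad3b435b51404eeaad3b435b51404ee:"
                 "fedcba9876543210fedcba9876543210:::"],
}

def parse_pwdump(lines):
    """Yield (user, rid, lm, nt) from pwdump-style lines, skipping junk."""
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) >= 4 and len(parts[3]) == 32:
            yield parts[0], parts[1], parts[2].lower(), parts[3].lower()

def shared_hashes(dumps, min_hosts=2):
    """NT hashes seen on >= min_hosts hosts -> set of (host, user).
    No salt means identical hash == identical password, so a renamed
    Administrator sharing the same password is still grouped together."""
    by_hash = defaultdict(set)
    for host, lines in dumps.items():
        for user, _rid, _lm, nt in parse_pwdump(lines):
            by_hash[nt].add((host, user))
    return {nt: accts for nt, accts in by_hash.items()
            if len({h for h, _ in accts}) >= min_hosts}

def renamed_admins(dumps):
    """(host, user) where the RID 500 account is not named Administrator."""
    return sorted((host, user) for host, lines in dumps.items()
                  for user, rid, _lm, _nt in parse_pwdump(lines)
                  if rid == ADMIN_RID and user.lower() != "administrator")

def hosts_storing_lm(dumps):
    """Hosts that still store a real LM hash for some account."""
    return sorted(host for host, lines in dumps.items()
                  if any(lm != LM_EMPTY for _, _, lm, _ in parse_pwdump(lines)))

if __name__ == "__main__":
    print("shared passwords:", shared_hashes(SAMPLE_DUMPS))
    print("renamed admins:", renamed_admins(SAMPLE_DUMPS))
    print("hosts still storing LM:", hosts_storing_lm(SAMPLE_DUMPS))
```

Any hash that shows up on more than one host is a shared local admin password to rotate; any host in the LM list still stores the weaker LANMAN hash alongside NTLM.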

Stories For Discussion

Stephen Northcutt's Security Predictions Page - [PaulDotCom] - Experts from the field weigh in on security predictions. You know, I've changed my mind about predictions. I've decided that they are fun to make because you can think big and outlandish, and hey, it's just a prediction. I make some more serious predictions, as do Josh Wright, Eric Cole, Rob Lee, and several others.

Tcpdump and Libpcap Updates - [PaulDotCom] - I have to tell you, while wireshark is all sexy, gui, and pretty, I MUCH prefer tcpdump. There is something just so familiar to me and comfortable about the command line (in fact, I have been actually enjoying windows by using more of the command line). I also found it interesting in the release notes when it mentions "Add support for Bluetooth Sniffing", really?

Metadata, PDF files, and watching attackers - [PaulDotCom] - I don't recommend actually watching hackers. For one, most are not super models (nor are many of them actually females), second, it's pretty boring to watch someone type, even if they are doing cool, sexy hacking things. But here is a way to look into how an attacker created a malicious PDF, how long it took, what version he used to create it, etc... I like this idea, using metadata techniques against the attackers!

SOHO Router Wireless Security Report - [PaulDotCom] - This paper details some attacks against SOHO routers. First, they go over the DHCP name XSS vulnerability, which can execute XSS against an administrator. Another attack, which I thought was neat, was that they registered their hostname with DHCP as "www.google.com", and got the router to update its DNS cache accordingly so that www.google.com resolved to a local IP address. So, if you have a Linksys WRT160N, D-Link DIR-615, Belkin F5D8233-4v3, or ActionTec MI424-WR you want to read this paper :)

Caller-ID Spoofing = Voicemail access - [PaulDotCom] - Voicemail can contain sensitive information (never leave passwords on someone's voicemail). Also, information gathering potential is huge. Set a pin!

I <3 Protocol Attacks - [PaulDotCom] - The main reason I love design flaws is that they stick around a lot longer than software vulnerabilities. Simply because they are harder to fix :) SMBrelay was great, and let me tell ya, you can have a FIELD DAY with it :)

Campaign Computers For Obama and McCain Hacked - [PaulDotCom] - I wanted to weigh in on this one and say that targeted attacks will most often be successful.

Tech Tip: Scan For MS08-067 With Nmap!

Note: You must use the current svn version to make this work (svn co --username guest --password "" svn://svn.insecure.org/nmap/)

nmap -oA 114subnet-08-067 -sS -p445 --script smb-check-vulns.nse

It's freaking fast too:

Nmap done: 256 IP addresses (156 hosts up) scanned in 83.53 seconds