HackLAB: Challenges include Vulnix, VulnVoIP & VulnVPN
Tools: Brief overview here, but checkout https://github.com/rebootuser for the latest updates
Cheatsheets: Local Linux Enumeration & Privilege Escalation & IP, DNS and Domain Enumeration
I was recently fortunate enough to speak at the BSides London Rookie Track. The slot was just 15 minutes, so just enough to get the content in and not too much to get too anxious about speaking! The slides have been published on the @camsec Slideshare and are linked here for anyone that’s interested.
I recently gave a brief talk on Active Directory Delegation @camsec (a group in Cambridge, UK with interests in IT Security – see the tab at the top of this blog 😉 ). This brief talk focused upon a poorly thought out and implemented AD environment in which a relatively uninteresting account led to big headaches.
The slides have been published (see below) but I’m afraid the live demo content/talk is obviously absent.
A few commands/tools/resources that aid with host discovery and network enumeration – it’s always useful at the start of an engagement to know what you have to target 😉
Revision 1.0 (January 2017)
Registered IP’s:
| Resource |
Result |
http://dev.maxmind.com/geoip/legacy/geolite |
A nice resource serving files containing Autonomous System Numbers (ASN’s) |
https://mxtoolbox.com/asn.aspx |
Online resource to locate ASN’s and associated IP ranges |
DNS Enumeration:
| Command | Result |
dig <domain_name> |
Perform a basic forward lookup |
nslookup <domain_name> |
As above |
host <domain_name> |
As Above |
dig @<server> <domain_name> |
Use a specific name server to perform query |
nslookup <domain_name> <server> |
As above |
dig @<server> version.bind chaos txt |
BIND version details |
dig @<server> <domain_name> axfr |
Attempt zone transfer |
nslookupserver <server>set type=anyls -d <domain_name> > outputexit |
As above |
fierce -dnsserver <server> -dns <domain_name> |
Basic Fierce scan (also attempts zone transfer – as above) |
dig @<server> <domain_name> Adig @<server> <domain_name> MXdig @<server> <domain_name> NSdig @<server> <domain_name> SOA |
View specific record type (examples) |
nslookup -type=A <domain_name> <server>nslookup -type=MX <domain_name> <server>nslookup -type=NS <domain_name> <server>nslookup -type=SOA <domain_name> <server> |
As above |
dig @<server> <domain_name> A <domain_name> AAAA +short |
Get IPv4 and IPv6 addresses for target host names (limit output) |
dig @<server> <domain_name> $record_type +short |
View just domain and/or IP details (limit output) |
dig @<server> <domain_name> any |
View all record types |
nslookup -type=any <domain_name> |
As above |
dig -x <IP> +short |
Simplified reverse lookup (limit output) |
dig -f <domains.txt> |
Read names from a file and query each |
fierce -range 192.168.0.0-255 -dnsserver <server> |
Use Fierce to brute-force a target range of IP’s i.e. 192.168.0.0-255 |
for i in {0..255}; do fierce -range 192.168.$i.0-255 -dnsserver <server>; done |
Run Fierce within a for loop to help enumerate multiple ranges |
fierce -dnsserver <server> -wordlist <hostname_wordlist> -dns <domain_name> -traverse 255 |
Fierce scan with traverse set to 255 hosts instead of the default 5 up and 5 down. A nice feature that performs reverse lookups on IP addresses surrounding a valid record. For example if www.rebootuser.com is found on 192.168.0.110, reverse lookups will be performed on 192.168.105-115 with matches for *.rebootuser.com flagged. It’s worth noting that if valid records are found, this process begins again.
If you have a very sparsely populated network this large value (255) may be acceptable, otherwise you may chose to lower this. |
dnsenum --file <wordlist> -dnsserver <server> -v <domain_name> |
An nice alternative to Fierce, although lacking the traverse ability there is some extra functionality available |
Basic Host Discovery / OSINT:
| Command / Resource |
Result |
https://www.google.com/transparencyreport/https/ct/ |
Google’s certificate transparency report – “…Look up all certificates present in public Certificate Transparency logs that have been issued for a given hostname…”. Can also include subdomains (very useful) |
www.google.comsite:<domain_name> -www |
Basic Google Dork to retrieve results for specific site excluding the hostname “www” – useful in identifying other hosts |
www.bing.comIP:<IP_address> |
Using Bing to view content on a specific IP address – useful to determine if a target has more than one application hosted on the same IP that could be targeted |
I recently published this article on the NotSoSecure blog after doing some research in this area. Here comes the intro:
“…In many well secured environments you’ll probably find that the classic target groups of “Domain Admins” and “Enterprise Admins” are sparsely populated, and the accounts are used when only deemed necessary, or in dire emergencies. More often than not Active Directory delegation is utilised*. In this brief post, we’ll demonstrate some of the manual methods that can be used to enumerate such environments and why this is an important aspect of a Windows pentest….”
Hashmash is a tool to aid in generating various hashes from user supplied values. Occasionally on a test you’ll see some dodgy looking functionality that you might look at and say ‘that looks vulnerable’. For example password reset functionality that returns an MD5 hash of something. Here’s where Hashmash comes in. Kudos to @mattclelland for the name 😉
Say you are assessing an application from an authenticated perspective and you have access to a user profile. You might perform a password reset from which you are emailed a link resembling www.vulnerablecompany.xyz/passwordreset=e23e4ae268f4ba432e74e625e6600e59. There are a number of attack vectors to explore here, but in this post we’ll assume (as pointed out by@exploresecurity this is generally, never a good thing to do) this IS a hash and just look at ways it may possibly have been constructed. How has this been generated? What might it be based on? Are these values predictable? Let’s see…
In this example we have access to the user account so we might know, or be in a position to make an educated guess, of some key values that could be used to generate this MD5 hash. Perhaps it’s a combination of all, some or none of; firstname, surname, ID, email address or even a Epoch value. Using Hashmash we can supply a list of variables in a file, choose the hashing algorithm (i.e. MD5, SHA1 etc.) select any delimiters that might have been used to separate the values, for example firstname:surname or firstname&surname, and then generate a hash for each combination. The aim is to try and get a match of the hash we have and therefore we can deduce that the password reset link might be constructed in the form of ID:firstname:emailaddress or Epoch:ID:name etc. With this knowledge we could then potentially change the password for another valid account as we have ‘cracked’ the construction!
In this release of Hashmash we can choose to add a Epoch value to the generated values that span a timerange. For example if we requested the password reset on 01/04/2016 at 10:25:06 (and we can validate/assume that the server time is roughly in the same ballpark) and we might think/test/cross fingers and press go, that perhaps the Epoch value has been used as part of the value? We can generate Epoch values for the range 01/04/2016 10:24:00 to 01/04/2016 10:26:00 (just to cover some irregularities and/or differences in time settings between systems) and then each of these timestamps can be tested with the user defined values in turn. There is the option to generate time since Epoch in milliseconds (using the –milli switch), but obviously this would generate a large number of Epoch values, and this script is built to just work and not for efficiency!
Basic usage is as follows…
Example run:
Let’s say our values.txt file contains the values 1, 2, 3. Running Hashmash in the most basic mode will generate the following combinations.
Cleartext Value: 1 c4ca4238a0b923820dcc509a6f75849b Cleartext Value: 2 c81e728d9d4c2f636f067f89cc14862c Cleartext Value: 3 eccbc87e4b5ce2fe28308fd9f2a7baf3 Cleartext Value: 12 c20ad4d76fe97759aa27a0c99bff6710 Cleartext Value: 13 c51ce410c124a10e0db5e4b97fc2af39 Cleartext Value: 21 3c59dc048e8850243be8079a5c74d079 Cleartext Value: 23 37693cfc748049e45d87b8c7d8b9aacd Cleartext Value: 31 c16a5320fa475530d9583c34fd356ef5 Cleartext Value: 32 6364d3f0f495b6ab9dcf8d3b5c6e0b01 Cleartext Value: 123 202cb962ac59075b964b07152d234b70 Cleartext Value: 132 65ded5353c5ee48d0b7d48c591b8f430 Cleartext Value: 213 979d472a84804b9f647bc185a877a8b5 Cleartext Value: 231 9b04d152845ec0a378394003c96da594 Cleartext Value: 312 950a4152c2b4aa3ad78bdd6b366cc179 Cleartext Value: 321 caf1a3dfb505ffed0d024130f58c5cfa
OK, let’s generate a ‘test’ hash:
echo -n 1459970019:surname:email@rebootuser.com | md5sum
e23e4ae268f4ba432e74e625e6600e59 –
Run the script:
python hashmash.py --match e23e4ae268f4ba432e74e625e6600e59 --alg 1 --delim 2 --file values.txt --st "2016-04-06 19:13:00" --et "2016-04-06 19:15:00" --sec
And…
[+] Gotya! 1459970019:surname:email@rebootuser.com
Compatibility for v0.1:
Tested on Kali 2.0/Python 2.7.9 and Ubuntu 14.04/Python 2.7.6 platforms.
Disclaimer:
I’m not a developer! The code is rough, very very rough. I know this. But it works. Hopefully.
Feedback, improvement suggestions (and additions) are always welcome.
Service permissions are often an overlooked, yet easily exploitable if incorrectly configured, area of the Windows operating system. In this brief tutorial we take you through a simple scenario in which we identify a vulnerable service (purposely configured in an insecure manner) before explaining how we may use this to our advantage. It should be mentioned that here we are dealing with service permissions rather than the more commonly known service binary permissions, i.e. those assigned to the actual executable.
Firstly, there is nothing new here. However we hope this will shine some light to an otherwise uninteresting, just revealing topic.
Configuring Service Permissions:
An easy way to gain an overview of effective service permissions is to use the SysInternals utility AccessChk.
The following command will display a high level overview of the existing permissions of a service. Usage of this tool is as follows (example service used throughout this post is ‘MozillaMaintenance’):
AccessChk.exe –c MozillaMaintenance
Output from this command follows (please note that the service is deliberately configured insecurely and the verbose output option from AccessChk has not been used purposefully for ease of reference in this example):
RW BUILTINAdministrators RW NT AUTHORITYAuthenticated Users RW PWNMEGuest R BUILTINPower Users RW NT AUTHORITYSYSTEM RW BUILTINUsers
From the above output it is obvious to see that a number of untrusted groups have privileged access to this service. By using the built-in tool sc we can extract more granular detail, as well as the data required in order to modify this service:
sc sdshow MozillaMaintenance
Output from this command is as follows:
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LG)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)
The output from this command can be somewhat confusing. By consulting the this reference it is easier to understand the construction of the data descriptor.
For example the first extract D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA can be broken down as follows:
The prefix ‘D’ states that were are dealing with a Discretionary Access Control List (DCAL) – these control permissions. The second variety ‘S’ tells us that we would be dealing with a System Access Control List (SACL) – these control auditing (of which we are not concerned with in this post). The remaining are detailed below:
(A) Allow (CC) SERVICE_QUERY_CONFIG (DC) Delete All Child Objects (LC) SERVICE_QUERY_STATUS (SW) SERVICE_ENUMERATE_DEPENDENTS (RP) SERVICE_START (WP) SERVICE_STOP (DT) SERVICE_PAUSE_CONTINUE (LO) SERVICE_INTERROGATE (CR) SERVICE_USER_DEFINED_CONTROL (SD) Delete (RC) READ_CONTROL (WD) Modify Permissions (WO) Modify Owner
Finally (after the three semi-colons) we’re told which account these permissions affect:
(BA) Built-in administrators
As is evident from the first extract, this particular service allows a number of groups privileged access. In this following example we will remove the ‘Authenticated Users’ group entirely from the service permissions:
sc sdset “MozillaMaintenance” D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LG)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)
Again, using the AccessChk tool, it is obvious to see that the ‘Authenticated Users’ group has been successfully removed.
RW BUILTINAdministrators RW PWNMEGuest R BUILTINPower Users RW NT AUTHORITYSYSTEM RW BUILTINUsers
It is also possible have finer control/permission assignment over the service permissions. In the following example we will use the same service and reassign the guest account (reference LG within the access descriptor) just the ‘SERVICE_QUERY_CONFIG’ permission.
Firstly, we require the SID (or the descriptor, i.e. LG for Local Guest) of the user. Tools can be found online to gain access to this; including using PowerShell. In this example the SID of the guest user is S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-501 (note the local guest will always have the RID of 501). To modify the access descriptor the SID can be supplied along with the relevant permissions:
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CC;;;S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXX-501)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)
To verify the changes have been successful you can again use the sc sdshow command or, easier still, use AccessChk with greater verbosity.
What’s the issue?
Consider this. As it stands, prior to any modification of service permissions, the ‘Authenticated Users’ group has quite a number of permissions. What happens if an authenticated, yet unprivileged user has a malicious payload located at C:tempmalicious.exe.
Perhaps this may enlighten:
sc config MozillaMaintenance binPath= "C:tempmalicious.exe"
We have now modified the legitimate MozillaMaintenance service to call our payload when executed. You may be thinking great, but what use is this? I can call the malicious payload myself! You can but you will be limited by the permissions of your account. Here we’re looking for privilege escalation vulnerabilities. Let’s query the MozillaMaintenance service to see which account this runs as.
sc qc MozillaMaintenance ***output redacted for ease of reference*** SERVICE_START_NAME : LocalSystem
In summary any malicious payload that we have managed to ‘inject’ will run under the context of the LocalSystem account. Game over.
I’ve added a few more commands/one-liners that may be of use (many of which were recently included within the latest version of LinEnum).
Well it’s been a while, but the latest (0.5 experimental) release of LinEnum is now available.
A few more scans have been added, which include password policy checks, reading of the umask setting and checking the ownership of binaries associated with inetd.conf (and variants). There will be plenty more additions in this area in the *very* near future.
However, the biggest changes have been made in the functionality of the script. The reporting functionality has been altered so it should work on legacy systems (although, admittedly ‘tee’ is a dependency). Additionally, by default, the script now runs just basic/quick checks. A ‘thorough’ tests switch (-t) has been added, which allows the user to choose if they wish to run lengthy scans (such as file permission checks, SUID/GUID file searches and so on).
The biggest addition is the introduction of ‘export’ functionality (experimental stages). If a scan is run with this switch (-e) all ‘interesting’ files (/etc/password, user history, SSH files etc.) will be copied to a location of the users choosing. Essentially these files, along with the LinEnum report (-r), should allow for easier offline analysis.
A quick peek at the help menu highlights the changes/additions:
The Github repository has been updated with this latest addition and is available from here.
A more detailed version of the changelog can be found here and the associated ‘readme’ file here.
If you have any suggestions/improvements/criticisms re LinEnm please do contact me and I’ll try to address these in the next release – otherwise please feel free to contribute to the project!
LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.
An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.
After the scan has completed (please be aware that it make take some time) you’ll be presented with (possibly quite extensive) output, to which any key findings will be highlighted in yellow with everything else documented under the relevant headings.
Example output is shown in the following screenshot:
I’m afraid from hereon in it’s a manual task to check over the results.
Below is a high-level summary of the checks/tasks performed by LinEnum:
Some of the above commands are privileged/and or the related task may be nonexistent and will therefore most likely fail. The user shouldn’t be alerted to failed results, just the output from successful commands should be displayed.
To date I’ve tested LinEnum on Ubuntu, Debian, Redhat and CentOS. If you feel that there are some additional checks that you’d like to see added to the script and/or you find any bugs etc. please post within the below comments section (or feel free to contribute towards the project).
Please note that I realise that my scripting ability is limited and there may well be better/easier/quicker ways of performing some of the tasks. However, all that said, hopefully you’ll find this a useful tool.
###########################################
LinEnum can be downloaded from Github
###########################################
Finally, I’d like to say thanks to @pentestmonkey for his inspirational unix-privesc-check tool that I’ll continue to use on a very regular basis!
The following post lists a few Linux commands that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits and I realise these are just the tip of the iceberg in terms of what’s available.
Revision 1.2 (Minor January 2017 update)
Kernel, Operating System & Device Information:
| Command | Result |
uname -a |
Print all available system information |
uname -r |
Kernel release |
uname -n |
System hostname |
hostname |
As above |
uname -m |
Linux kernel architecture (32 or 64 bit) |
cat /proc/version |
Kernel information |
cat /etc/*-release |
Distribution information |
cat /etc/issue |
As above |
cat /proc/cpuinfo |
CPU information |
df -a |
File system information |
Users & Groups:
| Command | Result |
cat /etc/passwd |
List all users on the system |
cat /etc/group |
List all groups on the system |
for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null |
List all uid’s and respective group memberships |
cat /etc/shadow |
Show user hashes – Privileged command |
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' |
List all super user accounts |
finger |
Users currently logged in |
pinky |
As above |
users |
As above |
who -a |
As above |
w |
Who is currently logged in and what they’re doing |
last |
Listing of last logged on users |
lastlog |
Information on when all users last logged in |
lastlog –u %username% |
Information on when the specified user last logged in |
lastlog |grep -v "Never" |
Entire list of previously logged on users |