Rebootuser | Just another bunch of 1's and 0's

HackLAB: Challenges include Vulnix, VulnVoIP & VulnVPN

Tools: Brief overview here, but checkout https://github.com/rebootuser for the latest updates

Cheatsheets: Local Linux Enumeration & Privilege Escalation & IP, DNS and Domain Enumeration

Active Directory Delegation Dissected (Blackhat Webcast)

Posted on by

I was given the opportunity to deliver a presentation for the Blackhat Webcast series in May of this year. The topic chosen was Active Directory delegation, but with an emphasis on manual enumeration.

We start by taking a step by step walkthrough of aspects relating to the configuration of delegation with some useful background information into the whats and whys, all the way to the stages of blackbox enumeration and finally exploitation of inadequately designed and secured environments.

The presentation is split into theory and practical sections and includes a case study that brings all the theory into real life. This is where we discover how to locate and abuse interesting permissions as well as take a look into interesting delegation permissions that relate to LAPS and BitLocker within an environment.

The slides are linked below and the full presentation (including recording) can be found at the Blackhat website.

Active Directory Delegation Dissected

Active Directory Delegation Slides (@camsec)

Posted on by

I recently gave a brief talk on Active Directory Delegation @camsec (a group in Cambridge, UK with interests in IT Security – see the tab at the top of this blog 😉 ). This brief talk focused upon a poorly thought out and implemented AD environment in which a relatively uninteresting account led to big headaches.

The slides have been published (see below) but I’m afraid the live demo content/talk is obviously absent.

IP, DNS & Domain Enumeration Cheatsheet

Posted on by

A few commands/tools/resources that aid with host discovery and network enumeration – it’s always useful at the start of an engagement to know what you have to target 😉

Revision 1.0 (January 2017)

Registered IP’s:

Resource
 Result
http://dev.maxmind.com/geoip/legacy/geolite A nice resource serving files containing Autonomous System Numbers (ASN’s)
https://mxtoolbox.com/asn.aspx Online resource to locate ASN’s and associated IP ranges

 

DNS Enumeration:

Command Result
dig <domain_name> Perform a basic forward lookup
nslookup <domain_name> As above
host <domain_name> As Above
dig @<server> <domain_name> Use a specific name server to perform query
nslookup <domain_name> <server> As above
dig @<server> version.bind chaos txt BIND version details
dig @<server> <domain_name> axfr Attempt zone transfer
nslookup
server <server>
set type=any
ls -d <domain_name> > output
exit		 As above
fierce -dnsserver <server> -dns <domain_name> Basic Fierce scan (also attempts zone transfer – as above)
dig @<server> <domain_name> A
dig @<server> <domain_name> MX
dig @<server> <domain_name> NS
dig @<server> <domain_name> SOA		 View specific record type  (examples)
nslookup -type=A <domain_name> <server>
nslookup -type=MX <domain_name> <server>
nslookup -type=NS <domain_name> <server>
nslookup -type=SOA <domain_name> <server>		 As above
dig @<server> <domain_name> A <domain_name> AAAA +short Get IPv4 and IPv6 addresses for target host names (limit output)
dig @<server> <domain_name> $record_type +short View just domain and/or IP details (limit output)
dig @<server> <domain_name> any View all record types
nslookup -type=any <domain_name> As above
dig -x <IP> +short Simplified reverse lookup (limit output)
dig -f <domains.txt> Read names from a file and query each
fierce -range 192.168.0.0-255 -dnsserver <server> Use Fierce to brute-force a target range of IP’s i.e. 192.168.0.0-255
for i in {0..255}; do fierce -range 192.168.$i.0-255 -dnsserver <server>; done Run Fierce within a for loop to help enumerate multiple ranges
fierce -dnsserver <server> -wordlist <hostname_wordlist> -dns <domain_name> -traverse 255 Fierce scan with traverse set to 255 hosts instead of the default 5 up and 5 down. A nice feature that performs reverse lookups on IP addresses surrounding a valid record. For example if www.rebootuser.com is found on 192.168.0.110, reverse lookups will be performed on 192.168.105-115 with matches for *.rebootuser.com flagged. It’s worth noting that if valid records are found, this process begins again.

If you have a very sparsely populated network this large value (255) may be acceptable, otherwise you may chose to lower this.
dnsenum --file <wordlist> -dnsserver <server> -v <domain_name> An nice alternative to Fierce, although lacking the traverse ability there is some extra functionality available

 

Basic Host Discovery / OSINT:

Command / Resource
 Result
https://www.google.com/transparencyreport/https/ct/ Google’s certificate transparency report – “…Look up all certificates present in public Certificate Transparency logs that have been issued for a given hostname…”. Can also include subdomains (very useful)
www.google.com
site:<domain_name> -www		 Basic Google Dork to retrieve results for specific site excluding the hostname “www” – useful in identifying other hosts
www.bing.com
IP:<IP_address>		 Using Bing to view content on a specific IP address – useful to determine if a target has more than one application hosted on the same IP that could be targeted

 

Active Directory Delegation and Manual Analysis

Posted on by

I recently published this article on the NotSoSecure blog after doing some research in this area. Here comes the intro:

“…In many well secured environments you’ll probably find that the classic target groups of “Domain Admins” and “Enterprise Admins” are sparsely populated, and the accounts are used when only deemed necessary, or in dire emergencies. More often than not Active Directory delegation is utilised*. In this brief post, we’ll demonstrate some of the manual methods that can be used to enumerate such environments and why this is an important aspect of a Windows pentest….”

Read Full Post Here

Hashmash that hash!

Posted on by

Hashmash is a tool to aid in generating various hashes from user supplied values. Occasionally on a test you’ll see some dodgy looking functionality that you might look at and say ‘that looks vulnerable’. For example password reset functionality that returns an MD5 hash of something. Here’s where Hashmash comes in. Kudos to @mattclelland for the name 😉

Say you are assessing an application from an authenticated perspective and you have access to a user profile. You might perform a password reset from which you are emailed a link resembling www.vulnerablecompany.xyz/passwordreset=e23e4ae268f4ba432e74e625e6600e59. There are a number of attack vectors to explore here, but in this post we’ll assume (as pointed out by@exploresecurity this is generally, never a good thing to do) this IS a hash and just look at ways it may possibly have been constructed. How has this been generated? What might it be based on? Are these values predictable? Let’s see…

In this example we have access to the user account so we might know, or be in a position to make an educated guess, of some key values that could be used to generate this MD5 hash. Perhaps it’s a combination of all, some or none of; firstname, surname, ID, email address or even a Epoch value. Using Hashmash we can supply a list of variables in a file, choose the hashing algorithm (i.e. MD5, SHA1 etc.) select any delimiters that might have been used to separate the values, for example firstname:surname or firstname&surname, and then generate a hash for each combination. The aim is to try and get a match of the hash we have and therefore we can deduce that the password reset link might be constructed in the form of ID:firstname:emailaddress or Epoch:ID:name etc. With this knowledge we could then potentially change the password for another valid account as we have ‘cracked’ the construction!

In this release of Hashmash we can choose to add a Epoch value to the generated values that span a timerange. For example if we requested the password reset on 01/04/2016 at 10:25:06 (and we can validate/assume that the server time is roughly in the same ballpark) and we might think/test/cross fingers and press go, that perhaps the Epoch value has been used as part of the value? We can generate Epoch values for the range 01/04/2016 10:24:00 to 01/04/2016 10:26:00 (just to cover some irregularities and/or differences in time settings between systems) and then each of these timestamps can be tested with the user defined values in turn. There is the option to generate time since Epoch in milliseconds (using the –milli switch), but obviously this would generate a large number of Epoch values, and this script is built to just work and not for efficiency!

Basic usage is as follows…
hashmash_overview

Example run:

Let’s say our values.txt file contains the values 1, 2, 3. Running Hashmash in the most basic mode will generate the following combinations.

Cleartext Value: 1
c4ca4238a0b923820dcc509a6f75849b
Cleartext Value: 2
c81e728d9d4c2f636f067f89cc14862c
Cleartext Value: 3
eccbc87e4b5ce2fe28308fd9f2a7baf3
Cleartext Value: 12
c20ad4d76fe97759aa27a0c99bff6710
Cleartext Value: 13
c51ce410c124a10e0db5e4b97fc2af39
Cleartext Value: 21
3c59dc048e8850243be8079a5c74d079
Cleartext Value: 23
37693cfc748049e45d87b8c7d8b9aacd
Cleartext Value: 31
c16a5320fa475530d9583c34fd356ef5
Cleartext Value: 32
6364d3f0f495b6ab9dcf8d3b5c6e0b01
Cleartext Value: 123
202cb962ac59075b964b07152d234b70
Cleartext Value: 132
65ded5353c5ee48d0b7d48c591b8f430
Cleartext Value: 213
979d472a84804b9f647bc185a877a8b5
Cleartext Value: 231
9b04d152845ec0a378394003c96da594
Cleartext Value: 312
950a4152c2b4aa3ad78bdd6b366cc179
Cleartext Value: 321
caf1a3dfb505ffed0d024130f58c5cfa

OK, let’s generate a ‘test’ hash:

echo -n 1459970019:surname:email@rebootuser.com | md5sum

e23e4ae268f4ba432e74e625e6600e59 –

Run the script:

python hashmash.py --match e23e4ae268f4ba432e74e625e6600e59 --alg 1 --delim 2 --file values.txt    --st "2016-04-06 19:13:00" --et "2016-04-06 19:15:00" --sec

And…

[+] Gotya!
 1459970019:surname:email@rebootuser.com

Compatibility for v0.1:
Tested on Kali 2.0/Python 2.7.9 and Ubuntu 14.04/Python 2.7.6 platforms.

Disclaimer:

I’m not a developer! The code is rough, very very rough. I know this. But it works. Hopefully.

Feedback, improvement suggestions (and additions) are always welcome.

Find the project on Github at https://github.com/rebootuser/Hashmash

An Unexciting Intoduction to Services, Permissions and Misconfigurations

Posted on by

Service permissions are often an overlooked, yet easily exploitable if incorrectly configured, area of the Windows operating system. In this brief tutorial we take you through a simple scenario in which we identify a vulnerable service (purposely configured in an insecure manner) before explaining how we may use this to our advantage. It should be mentioned that here we are dealing with service permissions rather than the more commonly known service binary permissions, i.e. those assigned to the actual executable.
Firstly, there is nothing new here. However we hope this will shine some light to an otherwise uninteresting, just revealing topic.

Configuring Service Permissions:

An easy way to gain an overview of effective service permissions is to use the SysInternals utility AccessChk.

The following command will display a high level overview of the existing permissions of a service. Usage of this tool is as follows (example service used throughout this post is ‘MozillaMaintenance’):

AccessChk.exe –c MozillaMaintenance

Output from this command follows (please note that the service is deliberately configured insecurely and the verbose output option from AccessChk has not been used purposefully for ease of reference in this example):

 RW BUILTINAdministrators
 RW NT AUTHORITYAuthenticated Users
 RW PWNMEGuest
 R BUILTINPower Users
 RW NT AUTHORITYSYSTEM
 RW BUILTINUsers

From the above output it is obvious to see that a number of untrusted groups have privileged access to this service. By using the built-in tool sc we can extract more granular detail, as well as the data required in order to modify this service:

sc sdshow MozillaMaintenance

Output from this command is as follows:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LG)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)

The output from this command can be somewhat confusing. By consulting the this reference it is easier to understand the construction of the data descriptor.

For example the first extract D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA can be broken down as follows:

The prefix ‘D’ states that were are dealing with a Discretionary Access Control List (DCAL) – these control permissions. The second variety ‘S’ tells us that we would be dealing with a System Access Control List (SACL) – these control auditing (of which we are not concerned with in this post). The remaining are detailed below:

(A) Allow
(CC) SERVICE_QUERY_CONFIG
(DC) Delete All Child Objects
(LC) SERVICE_QUERY_STATUS
(SW) SERVICE_ENUMERATE_DEPENDENTS
(RP) SERVICE_START
(WP) SERVICE_STOP
(DT) SERVICE_PAUSE_CONTINUE
(LO) SERVICE_INTERROGATE
(CR) SERVICE_USER_DEFINED_CONTROL
(SD) Delete
(RC) READ_CONTROL
(WD) Modify Permissions
(WO) Modify Owner

Finally (after the three semi-colons) we’re told which account these permissions affect:

(BA) Built-in administrators

As is evident from the first extract, this particular service allows a number of groups privileged access. In this following example we will remove the ‘Authenticated Users’ group entirely from the service permissions:

sc sdset “MozillaMaintenance” D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;LG)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)

Again, using the AccessChk tool, it is obvious to see that the ‘Authenticated Users’ group has been successfully removed.

RW BUILTINAdministrators
RW PWNMEGuest
R BUILTINPower Users
RW NT AUTHORITYSYSTEM
RW BUILTINUsers

It is also possible have finer control/permission assignment over the service permissions. In the following example we will use the same service and reassign the guest account (reference LG within the access descriptor) just the ‘SERVICE_QUERY_CONFIG’ permission.

Firstly, we require the SID (or the descriptor, i.e. LG for Local Guest) of the user. Tools can be found online to gain access to this; including using PowerShell. In this example the SID of the guest user is S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-501 (note the local guest will always have the RID of 501). To modify the access descriptor the SID can be supplied along with the relevant permissions:

D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CC;;;S-1-5-21-XXXXXXXXXX-XXXXXXXXX-XXXXXXXXX-501)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BU)

To verify the changes have been successful you can again use the sc sdshow command or, easier still, use AccessChk with greater verbosity.

What’s the issue?

Consider this. As it stands, prior to any modification of service permissions, the ‘Authenticated Users’ group has quite a number of permissions. What happens if an authenticated, yet unprivileged user has a malicious payload located at C:tempmalicious.exe.

Perhaps this may enlighten:

sc config MozillaMaintenance binPath= "C:tempmalicious.exe"

We have now modified the legitimate MozillaMaintenance service to call our payload when executed. You may be thinking great, but what use is this? I can call the malicious payload myself! You can but you will be limited by the permissions of your account. Here we’re looking for privilege escalation vulnerabilities. Let’s query the MozillaMaintenance service to see which account this runs as.

sc qc MozillaMaintenance

***output redacted for ease of reference***
SERVICE_START_NAME : LocalSystem

In summary any malicious payload that we have managed to ‘inject’ will run under the context of the LocalSystem account. Game over.

LinEnum Overhaul!

Posted on by

Well it’s been a while, but the latest (0.5 experimental) release of LinEnum is now available.

A few more scans have been added, which include password policy checks, reading of the umask setting and checking the ownership of binaries associated with inetd.conf (and variants). There will be plenty more additions in this area in the *very* near future.

However, the biggest changes have been made in the functionality of the script. The reporting functionality has been altered so it should work on legacy systems (although, admittedly ‘tee’ is a dependency). Additionally, by default, the script now runs just basic/quick checks. A ‘thorough’ tests switch (-t) has been added, which allows the user to choose if they wish to run lengthy scans (such as file permission checks, SUID/GUID file searches and so on).

The biggest addition is the introduction of ‘export’ functionality (experimental stages). If a scan is run with this switch (-e) all ‘interesting’ files (/etc/password, user history, SSH files etc.) will be copied to a location of the users choosing. Essentially these files, along with the LinEnum report (-r), should allow for easier offline analysis.

A quick peek at the help menu highlights the changes/additions:

linenum05

The Github repository has been updated with this latest addition and is available from here.

A more detailed version of the changelog can be found here and the associated ‘readme’ file here.

If you have any suggestions/improvements/criticisms re LinEnm please do contact me and I’ll try to address these in the next release – otherwise please feel free to contribute to the project!

Introducing LinEnum – Scripted Local Linux Enumeration & Privilege Escalation Checks

Posted on by

LinEnum will automate many of the checks that I’ve documented in the Local Linux Enumeration & Privilege Escalation Cheatsheet. It’s a very basic shell script that performs over 65 checks, getting anything from kernel information to locating possible escalation points such as potentially useful SUID/GUID files and Sudo/rhost mis-configurations and more.

An additional ‘extra’ feature is that the script will also use a provided keyword to search through *.conf and *.log files. Any matches will be displayed along with the full file path and line number on which the keyword was identified.

linenum

After the scan has completed (please be aware that it make take some time) you’ll be presented with (possibly quite extensive) output, to which any key findings will be highlighted in yellow with everything else documented under the relevant headings.

Example output is shown in the following screenshot:

linenum-out-example-001

I’m afraid from hereon in it’s a manual task to check over the results.

Below is a high-level summary of the checks/tasks performed by LinEnum:

  • Kernel and distribution release details
  • System Information:
    • Hostname
    • Networking details:
      • Current IP
      • Default route details
      • DNS server information
  • User Information:
    • Current user details
    • Last logged on users
    • Llist all users including uid/gid information
    • List root accounts
    • Extract full details for ‘default’ uid’s such as 0, 1000, 1001 etc
    • Attempt to read restricted files i.e. /etc/shadow
    • List current users history files (i.e .bash_history, .nano_history etc.)
  • Privileged access:
    • Determine if /etc/sudoers is accessible
    • Determine if the current user has Sudo access without a password
    • Are known ‘good’ breakout binaries available via Sudo (i.e. nmap, vim etc.)
    • Is root’s home directory accessible
    • List permissions for /home/
  • Environmental:
    • Display current $PATH
  • Jobs/Tasks:
    • List all cron jobs
    • Locate all world-writable cron jobs
    • Locate cron jobs owned by other users of the system
  • Services:
    • List network connections (TCP & UDP)
    • List running processes
    • Lookup and list process binaries and associated permissions
    • List inetd.conf/xined.conf contents and associated binary file permissions
    • List init.d binary permissions
  • Version Information (of the following):
    • Sudo
    • MYSQL
    • Postgres
    • Apache
  • Default/Weak Credentials:
    • Checks for default/weak Postgres accounts
    • Checks for default root/root access to local MYSQL services
  • Searches:
    • Locate all SUID/GUID files
    • Locate all world-writable SUID/GUID files
    • Locate all SUID/GUID files owned by root
    • Locate ‘interesting’ SUID/GUID files (i.e. nmap, vim etc)
    • List all world-writable files
    • Find/list all accessible *.plan files and display contents
    • Find/list all accesible *.rhosts files and display contents
    • Show NFS server details
    • Locate *.conf and *.log files containing keyword supplied at script runtime
    • List all *.conf files located in /etc
    • Locate mail

Some of the above commands are privileged/and or the related task may be nonexistent and will therefore most likely fail. The user shouldn’t be alerted to failed results, just the output from successful commands should be displayed.

To date I’ve tested LinEnum on Ubuntu, Debian, Redhat and CentOS. If you feel that there are some additional checks that you’d like to see added to the script and/or you find any bugs etc. please post within the below comments section (or feel free to contribute towards the project).

Please note that I realise that my scripting ability is limited and there may well be better/easier/quicker ways of performing some of the tasks. However, all that said, hopefully you’ll find this a useful tool.

###########################################

LinEnum can be downloaded from Github

###########################################

Finally, I’d like to say thanks to @pentestmonkey for his inspirational unix-privesc-check tool that I’ll continue to use on a very regular basis!