Thursday, February 16, 2012

BREAKING INTO WINDOWS VIRTUAL MACHINE – A DIFFERENT APPROACH

So my friend posted an open hacking challenge and provided users with a pre-built virtual machine for which they were to install and then black box hack in order to capture the flag stored on the admin user's dekstop. I was trying to install the virtual machine when I couldn’t log in so I wasn’t sure how I was supposed to get the system setup to hack as no credentials were provided at all. I couldn't do any in depth scanning due to initial setup on sensitive network. I then thought, well how would one go about getting the damn system passwords for a Windows machine normally if they had physical access to the box. OK, normally I would boot up to a Linux OS of choice, probably BackTrack, and then mount the system hard drive and make a copy of the SAM file and SYSTEM files to then dump and crack offline at my leasure, but this was on a virtual machine so it would seem I could find no way to do this. A) – I could not find anyway to change the boot order with the free vmware options without first installing a boot loader type mini-linux os and then installing the other systems ontop of it that way, but this was overly complex and too time consuming. B) – even if I could boot swap I don’t know if linux would be able to read the virtual hard drive or not. This part got me thinking, and I figured well why cant I just mount the damn virtual drive and then go through it like that. I had a hard time finding a method to get this to actually work…I admit at this point I was now back on Windows and only testing from Windows point of view. OK so I searched around and I found a crappy shareware program called WinImage which does the trick nicely (it allows 30 day trial and easy enough to reset on your own, can purchase if you like it and find you might use this method a lot). You can download it here: http://www.winimage.com/download.htm. Simple install that works like anything else on Windows…

Install winimage:

Once installed you can simply double click to run and then use the standard Windows icon in upper left to open a file and then point it to the location of the virtual machine hard disk file (.vmdk in this case) you want to mount for reading (free version is only read only L).

Choose mount point:

Go through content of virtual machine file system as you like J

NOTE: this crap shareware only lets you extract with the free version, pro paid version supposedly allows re-writing which would have allowed one to simple copy the cmd.exe over the sethc.exe and use the old SHIFT+Sticky Keys trick to bypass login at startup and create new administrator account or password and then restart and login with new credentials. Perhaps when I re-test with Linux this will be the easier shortcut to take…

But let’s have some fun for now shall we and review the now mounted virtual machines hard drive which will now appear like a normal C:\ drive:
Navigate to the C:\WINDOWS\system32\config folder to get our hands on the juicy stuff – mostly the SAM file so we can dump the systems usernames and passwords that are stored J Highlight the /config folder, right click and choose to extract that puppy to wherever it is you want to review it when you’re done…


OK, at this point we now have the SAM file and SYSTEM file which means we have the entire user and password hash details but we need to find a way to extract them as they are encrypted. The SYSTEM file will be used to determine the SYS-KEY which is then used to decode the SAM file so we can dump it. There are a few options when it comes to getting this part of the job done, here are a few of your options for going about things…

OPTION 1 – Dumping SAM File with: PwDump7
The first method I will show involves the use of the PwDump tool, latest version I found available online was v7 but methodology and command syntax should remain largely the same if your using a older version. The download for the one I used is available here: http://www.tarasco.org/security/pwdump_7/pwdump7.zip.  This is a command line only tool which can be used to dump the local systems SAM & SYSTEM file if run with administrator privileges or can be used to perform offline attacks as well (convenient for our particular scenario).

If you want to dump the local systems credentials, run as admin and simply run the tool without any arguments passed and it will do its thing, here is an example (no arguments but I am redirecting output to a file):

If we want to perform an offline attack we use the ”-s” switch and point it to the SAM & SYSTEM files so we can perform an offline attack, which is what we used in this particular scenario, it works the same and looks like this:

Now you have your dumped Windows usernames and password hashes and can go start trying to crack with your favorite hash cracker tool. In case your tool doesn’t accept the default PwDump file format for input the returned output file of the hash format for Windows NTLM Hashes is:  

Username:RID:LMHash:NTLMHash:::

You can just extract manually as needed and work with it from there.

OPTION 2 – Dumping SAM File with: Cain & Abel
If you don’t feel comfortable at the command line you can also get things done with the forever oldie but goodie Can & Abel. We start by launching Cain and using the Syskey Decoder tool from the tools menu:

Point it at the SECURITY file so it can determine the sys-key which we will use to decrypt the content of the SAM file in next steps, so make sure you take note or write it down…

NOTE: You need to provide the full path to where your SAM & SYSTEM files are stored on winblows.
Now we use the Cracker tab and choose the LM & NTLM Hashes options. Click on the blue “+” sign up top to launch the Add NT Hashes loader tool. We need to use the last option to load from SAM database file.

Point it at our extracted SAM file and use the sys-key we found using the decoder in the previous steps and together they will be used by Cain to extract the user password hash details. Once properly configured and loaded, just hit next and you will see the credentials loaded into Cain’s main hash window of the cracker tool. Voila we have dumped it again!

Now you can crack them with Cain or extract them now that they are in cleaner format and crack in your tool of choice, but Cain is perfectly capable if you have no other options (or just have time to wait). Now in order to crack the hashed passwords we need to go about things in a strategic order to ensure we have the best and fastest results possible. We first want to start by cracking the LM Hash by itself. In most cases you can simply right click and choose to Bruteforce the LM Hash. You might notice the max length allowed is 7, this is due to how Windows hashing algorithms break the password down for LM hashes (see Google for details on this particular subject – it is worth looking into as it will help in understanding why this approach works).

Once the LM hash is cracked you can put this in your dictionary file as it will be some portion of the NTLM password and will greatly increase your chances of cracking the NTLM hashed password which is a MD4 algorithm of sorts. Continue attacking NTLM with dictionary, bruteforce, or rainbow tables if you have them and eventually you will find the decrypted password you seek. I have a bonus at the end which will show you how you can build your own rainbow tables to perform super quick hash lookups enabling super-fast hash cracking.  The particular hash in this scenario was set to take ages running bruteforce attacks when I turned to rainbow tables for help and the password hashes were decrypted in mere seconds! A HUGE thanks to my friends over at http://www.md5decrypter.co.uk/ for some assistance they give me with rainbow tables, thanks again guys!

And voila, we have again managed to dump the SAM file so we can now perform offline dictionary and/or bruteforce attacks against the found hashed system user passwords. Once hashes are cracked you can simply pair up your username and password and login into the system as if it was meant to be J

I hope you have enjoyed this fun tutorial on how you can steal password hashes from Windows systems, and in this case even on a Virtual Machine hosted Windows platform. Physical or Admin access is the key in the end, but persistent is also the key and dominating every box in the network is the end goal so keep no rock unturned during your adventures out there in the wild. Hope you have enjoyed this one as much as I have, and as always and until next time – Enjoy!


BONUS – RAINBOW TABLES:
Building Rainbow Tables with RCRACK:
We can download the rcrack tool set from the Rainbow Tables Project homepage. We can use the tools included to build our rainbow tables, sort them (convert formats if needed) and then finally to search to see if we can quickly find our hashed passwords from our found SAM file. We first create our tables using the basic documentation provided by Rainbow Crack Team:

Note: This part may take some time so take it in strides, as you need to process the full charset into all possibilities. If you need system resources just hit CNTRL+C to stop and then re-issue the same commands to build again and the RCRACK tool will pick back up where it previously left off J

The syntax starts easy by you passing arguments for the hash type to use, followed by the charset to use (see charset.txt file if you need reference for what’s available), then you provide the minimum and maximum length you require. In this case I was building LM tables so the max allowed is 7 which kept this project relatively short in nature as opposed to generating a longer password length (longer pass, more possibilities, requires more tables, equals more time). Then the syntax gets weird, you need to pass the index (for keeping track if you break it into multiple files), the chain_len, then chain_num, and last the part_index which is just an identifier you can give that gets postfixed to the file names when generated. As I could not find any clear definition of the chain_leng or chain_num I can’t provide full clarification on how you can write you own custom runs from scratch as I don’t understand fully why or how you determine the number of times to loop the commands for a full set…perhaps it will come to me in the future, in which case I will update this article…but in the meantime I found this site: http://wired.s6n.com/files/jathias/ which provides a great tool for calculating this and in process creates a batch file with the proper commands needed to create the desired tables you need. You can run the batch file or open it up and run the commands one by one and simply use the batch file as a reference. It is up to you, but I highly recommend this tool as without it I would have been lost, and you might be too (you’re probably smarter than me so you probably figure it out :p ). If you just want the direct download, its available here: http://wired.s6n.com/files/jathias/RainCalc.zip. Once you download that you simple run it like any other program, this one has a GUI, and then you identify the charset, hash type, min and max length you want and then hit the generate batch file button.

It will generate a batch file with the needed commands to create your desired rainbow tables based on the input you provided it. If you open the batch file up, it will look something similar to this:

Now we know the proper commands to run, how many times to loop, etc. We run this which takes some serious time depending on your setup and what not.

You can find downloads available on the internet in various formats but I decided to make my own to become familiar with the whole process. Once you have rainbow tables built you can use rcrack.exe or the rcrack-GUI application to search the rainbow tables for you hash and find passwords in mere seconds in most cases. You can also look into the Free Rainbow Tables project and there new alternative tools for creating and reading of rainbow tables. It is compatible with rcrack so you an re-use your tables or convert to their format, but they have Terabytes worth of rainbow tables available for free to download here: http://www.freerainbowtables.com/

This may take a long amount of time to package in some people’s eyes but once it is done you have them to use for all cracking attempts going forward which makes the time trade off start to come out and is why rainbow tables have been popular for so long, very much a real Return on Investment (ROI) over time. Today newer methods leveraging GPU power is really starting to bring other avenues of attack to the table which are equally as impressive as I have outlined in some of my earlier articles. The folks at http://www.md5decrypter.co.uk/ also play a huge role in bringing the ability for the average user to use their online database for easy and quick hash lookups.

#EOF
NOTE: You could just take the SAM and SYSTEM files but I took the whole thing just to be safe and get it all intact…  

Wednesday, February 1, 2012

INTRODUCTION TO SYMBOLIC LINKS OR SYMLINKING

OK so you shelled a site but don’t have much access or you just want to try out symlinking because you heard it was what the cool guys do. Well today I am going to show you a few methods we can use to accomplish this. Here goes nothing…

Assumptions & Pre-requisites:
-          Assume you already have Shell on site
-          Assume you either have permission or we are performing black box test scenario
o   Either way I am in no way responsible for anything you do with this information and am surely not responsible for any damages or destruction you might cause as a result of any misunderstandings of this material. Tread at your own risk.
-          Assume you have a brain and some basic prior experience with *nix environments or aren’t afraid of using Google to fill in the gaps as I will not be providing a lot of hand holding following this tut
               
OK so we have shell uploaded in the /images folder and we want to symlink to read the content of some other files. I will start simple and then build up from there…

PART I: SIMPLE SYMLINKING TO TARGET FILES
We create a new folder to have a clean start and controlled environment, name it whatever you want although you might consider something inconspicuous if you don’t want it to stand out and set off any bell sand whistles:

I created folder “01” at location:  /home/pwnduser/public_html/images/01

COMMAND: mkdir /path/to/location/NewDirName


Now we are currently sitting in some image folder where we were able to upload our shell, but we don’t have much access. We will use Symlink method to bypass these restrictions and access files on other sites which we would otherwise be unable to access. We will now issue another set of commands to create the symlink between the file we want to read and the local file we actually have access to. In order to do this we issue this command:

COMMAND:
ln -s /home/targetuser/public_html/path/to/file/you/want.file /home/pwnduser/public_html/images/01/sym-test.txt

You will need to replace targetuser with the username of your environment and the path to the file you want will obviously be up to you and will potentially vary from one site to the next. Here is an example so you can better understand:

EXAMPLE:
ln -s /home/targetuser/public_html/includes/config.php /home/pwnduser/images/01/sym-test.txt

Now we check our file to see if it worked…




If we are lucky we will see a file created in our “01” directory called “sym-test.txt”. You should now be able to open it up and view the content of the remote file we linked to via the Symlink (in this case the “connect.inc” file). When you open the sym-test.txt file on your controlled site it should be as if you were opening the target file directly (as if you were on the site it exists on):


NOTE: In order to get started if this is totally unfamiliar and completely alien to you; I suggest you try linking to a known file first. If this means simply linking to an index file a directory below you just to see how it works than do this until you get the gist of things and then move forward with the next steps as everything builds upon abusing this simple shortcut or link feature. If linking to unknown directories a little trial and error may be needed…

ALSO NOTE: in most cases, you can access the newly created symlink via URL as well if you care to share the find with a friend or just want to navigate to it outside of your immediate shell for the clear visual:


Once you have found a juicy file we can now try to gain DB access with the credentials just gathered from our symlink and in most cases it will be successful – then you can try to login direct to target site with the newly found credentials OR maybe update them using SQL if you can’t crack them - w00t!  


You can use built in SQL connectors in most shells or you may use an independent script its really up to you and what preferences you have or what features you like to have available for MySQL activities. In most cases shell tools will do but sometimes it is nice to have a specialized shell available for working a little SQL magic so either make your own or search the web for a good one…

You can continue creating symlink(s) to additional files as needed, although it does take a little trial and error to get things right if you’re guessing the remote system’s infrastructure. It also helps to know what type of CMS is in use as it can help to narrow down the search for juicy files which contain critical data which can be used for further escalation (Google and specialized dork searches can be your best friend for finding out what sites are on a given IP and what types of CMS software they are using).

Some common files to check (especially if using a blind approach):
Flashchat room: /includes/config.php or /chatbd/includes/config.php
vBulletin: /includes/config.php
IPB: /conf_global.php
MyBB:  /inc/config.php
Phpbb:  /config.php
Php Nuke: /config.php
Php-Fusion: config.php
SMF: /Settings.php
Joomla: configuration.php , configuration.php-dist
WordPress: /wp-config.php
Drupal: /sites/default/settings.php
OScommerce: /includes/configure.php
e107: /e107_config.php
Seditio: /datas/config.php

Examples:
JOOMLA:  /home/target/public_html/configuration.php
WordPress: /home/target/public_html/wp-config.php




vB type of configuration file: /home/target/public_html/includes/config.php


SOME OTHER PLACES TO LOOK FOR IF UNKNOWN OR UNFOUND ABOVE:
/config/config.php
/config/system.php
/config/connect.php
/connect.php
/config/mysql.php
/db.php
/mysql.php
/config/db.php
/includes/db.php
/sql.php
/security.php
/UseSomeLogicAndGuessForTheObviousLocationsTrialAndErrorDoPayOffForThePatientJ

If you want to remove the symlink you created you can’t simply delete it (in most cases), you need to actually do a hard deletion of the symbolic link itself. You can accomplish this by treating it like a directory instead of a file when using the “rm” command. Here is an example of how to remove the above so I can create a new link to a new file using the same name without any issues.

COMMAND (to remove): rm –r /path/to/folder/01/sym-test.txt
COMMAND (to create another symlink): ln -s /home/targetuser/path/NextFileName /home/pwnduser/public_html/images/01/sym-test.txt

PART II: FINDING USERNAMES SO WE CAN LINK TO OTHER SITES (AND THEIR FILES)
Part I is a nice introduction to the basic principles of symlinking, but you may be asking how can I do this blind it will take forever or how to find those juicy files. You are right it can take a while, but let’s go over a few tricks we can use to help speed the whole process up a bit as  this method is not limited to our local site/user; we potentially can use and abuse it to also read files from ALL other sites located on the server. We can use reverse lookup or SameIP.com to check for other sites hosted on the same IP address as our hacked site to start things out (a few minutes up front can save you hours on the backend so always do your homework and lay out a plan of sorts).




NOTE: if the server is configured with multiple interfaces you may only get a partial finding of what is actually hosted on the server due to interfaces being configured with different IP addresses (very common), but this will certainly give you more than enough to stay busy for a while in most cases J

Once we have some potential targets to link to, we then use some more *nix commands to find out which users are linked to what sites. In order to do this we check the /etc/valiases by using this command:

COMMAND: ls –la /etc/valiases/YourTargetSite.com
NOTE: replace YourTargetSite.com with the domain name of your site (i.e. Site.com, site.info, etc). DO NOT include the http:// or www




ACTUAL: ls -la /etc/valiases/ukpussytalk.com
-rw-r----- 1 ukpussyt mail DATE:TIME /etc/valiases/ukpussytalk.com

This method also needs to be combined with a quick viewing of the /etc/passwd file contents which contains a list of all users on the system as well as a showing of the path to their home directory. We can use this combined with the /etc/valiases results to determine the username and full path to our target site(s).

COMMAND: cat /etc/passwd


The /etc/valiases is a nice way to speed things up in a targeted attack although you can use just the /etc/passwd, some logic on the naming convention in use (gained from our site we already have access to), and a little trial and error if /etc/valias is not available to you. Either way the goal is to determine the path to the target site and knowing the username helps to speed things up and allow us to get started. If neither of these tricks work you can simply issue a “ls /hsphere/local/home/” or whatever is needed to fire at your base location listing all users directories (typically a directory below your current user base location). Another long reach is to use the “locate” command to try and enumerate locations and user names from information gleemed from the results (but this is long shot). We can then use these as potential lists for targets to symlink to.

Once we have a path to use for a target site we could start repeating the steps outlined in PART I: SIMPLE SYMLINKING, but instead of having to use trial and error to find a needle in a hay stack (i.e. config file) we will see if we can use another neat trick tied to symlinking. We will instead of linking to a single file try to create a folder link between a folder we control and the remote target site we want to now access from our already hacked site location. A folder to folder link! In order to do these we use very similar syntax was introduced in PART I but we leave it open-ended. The link will be created from wherever we execute the command so keep this in mind. Basically we give the command to create a symbolic link and then we give that link a name rather than pointing it to anything in particular.

COMMAND:
ln -s /home/VictimUserName/public_html/ Gotcha

The above will create a symlink (ln –s) to the VictimUserName’s websites base directory (/home/VictimUserName/public_html/ ) and the link created will be labeled or called “Gotcha”. Once created we can open Gotcha and we will be staring at the VictimUserName’s site instead of a file located on our controlled site.


NOTE: You can also test it out with a simple “ln –s / root” which will create a link to the base directory of the server and label the link “root”

Once you know the full and direct path to specific files you can then easily create another symlink using Part I method to directly link or you can simply view them using the Gotcha link.



NOTE: If you can’t seem to access the link directly from your shell, try accessing the link as a URL and you might find better results. You may also need to upload an .htaccess file into your controlled /01/ directory to allow proper following of symlinks and indexing (in addition to anything else you might want to do in this folder). You can use Google to search and learn more about .htaccess as it is an entire subject which I can’t go into here. The short explanation is we can abuse .htaccess file to control the behavior for our directory and any “sub-directories” within it, in many cases overriding system wide global settings established in the apache config file (depends on options and overrides being allowed of course). This can be the key to bypassing 403 forbidden errors when you’re trying to link or view links so be weary this can make or break your attempts, especially if you try to use some of the famous CGI scripts which can automate this whole process – I HIGHLY RECOMMEND YOU SPEND TIME RESEARCHING THIS SUB-TOPIC ON YOUR OWN!

Now this concludes my introduction to symlinking and how to do it manually. There are indeed other ways to go about doing this as it can also be done with the assistance of Perl, CGI, and PHP scripts but if they don’t work now you know how to go about at least attempting things yourself manually. I hope you found this to be informative as I have not seen very many tutorials on this subject which have been clear in nature. If time permits and my knowledge can catch up I may do a follow up article on .htaccess techniques as well as some hints or highlights on other methods to use to get the job done, like doing the same thing we have done here with *nix commands with PHP. Going to end it now though and keep it simple so as to not take away from this being an introduction level tutorial. If you need further assistance you can find a wealth of help by searching on symlinking or symbolic links on the *nix forums and you can find more about .htaccess files in the Apache forums - I can’t recommend this part enough as it will save you from countless headaches when repeatedly encountering 403 and 500 error messages during your adventures :p

Until next time, Enjoy!