January 10, 2016

GHR 104 – Windows Hacking

OBJECTIVES:

There are 4 main objectives in this section:

  • Topic 104.01 – Windows System Information
  • Topic 104.02 – File Manipulation
  • Topic 104.03 – Scheduling Tasks
  • Topic 104.11 – Windows Enumeration
  • Topic 104.12 – Hacking Windows Passwords
  • Topic 104.13 – Windows Privilege Escalation and Exploiting Vulnerabilities
  • Topic 104.14 – Covering Tracks
  • Topic 104.15 – Kerberos

Topic 104.01 – Windows System Information

  • RULE : Get the system information
    • C:\> systeminfo
    • C:\> systeminfo /S 10.20.30.97 /U mydomain\superdude /P p@$$word7
  • RULE : Show services
    • C:\> sc query state=all
  • RULE : Show processes and services
    • C:\> tasklist /svc
  • RULE : Show all processes and DLLs
    • C:\> tasklist /m
  • RULE : Show a list of remote processing
    • C:\> tasklist /S 10.20.30.144 /v
    • C:\> tasklist /S 10.16.4.110 /v /U CDI\superdude /P p@$$word7
  • RULE : Kill a process with force
    • C:\> taskkill /PID 1260 /F
  • RULE : List drives on the machine
    • C:\> fsutil fsinfo drives
  • RULE : See current user
    • C:\> echo %USERNAME%

Topic 104.02 – File Manipulation

  • RULE : Search file types for a string, like grep in linux
    • C:\> findstr /si password *.txt
    • C:\> find /i "password" somefile.txt
  • RULE : Display the contents of a file, like cat in linux
    • C:\> type somestuff.txt
  • RULE : Delete all files in the entire path with force
    • C:\> del c:\temp\*.* /a /s /q /f

Topic 104.03 – Scheduling Tasks

  • RULE : The old way to schedule tasks was with the at command
    • C:\> at 09:40 cmd /c
  • RULE : The new way to schedule tasks is with the schtasks command
    • C:\> schtasks /create /tn pwnedtask /tr cmd.exe /sc once /st 09:46

Topic 104.11 – Windows Enumeration

  • RULE : Enumeration is the process of actively querying or making connections to the target system to gain intelligence on services running on the target.
  • RULE : Windows enumeration is used to identify user accounts or system accounts that can be used during an attack.
  • RULE : Because of privilege escalation, you don’t need to focus on the administrator account.
  • RULE : Service accounts typically have static passwords that don’t change.
  • RULE : All Windows operating systems share a similar kernel.
  • RULE : The Windows kernel is the most trusted part of the operating system.
  • RULE : The kernel uses rings of protection to figure out what it can trust.
  • RULE : Ring 0 is the most trusted and is where the kernel runs.
  • RULE : Ring 3 is restricted and is where user applications typically reside.
  • RULE : Ring 3 is also where antivirus and analysis tools are run, so if the attacker runs any code in user mode on ring 3, it can be detected.
  • RULE : The goal for the attacker is to run code in kernel mode on ring 0, where it can’t be detected easily.
  • RULE : All code that runs on a Windows system must run in the context of an account.  Which means the attacker must find the accounts that can execute commands in ring 0.
  • RULE : Windows uses 2 identifiers to figure out what accounts run in which ring or mode (user or kernel):
    • Security Identifiers (SIDs).
    • Relative Identiers (RIDs).
  • RULE : SIDs are of variable length that identify computer, user, and group accounts.
  • RULE : Here is an example of a SID entry and then broken down into it’s parts:
    • S-1-5-21-1606870939-4928911556-1202000629-500
      • S = The security id.  (‘S-1′ is a literal prefix).
      • 1 = The revision level.  (‘S-1‘ is a literal prefix).
      • 5 = The Identifier Authority.
      • 21 = The Sub-authority.
      • 1606870939 = The Sub Authority 1.
      • 4928911556 = The Sub Authority 2.
      • 1202000629 = The Sub Authority 3.
      • 500 = The RID.  This is the juicy target here.
  • RULE : The Relative ID (RID) part of the SID is the important part.  If left unchanged the Administrator username, has the RID of 500.
  • RULE : The 500 account is the one that allows you to own the box, because it has all of the privileges.
  • RULE : The RID with a value of 501, is the Guest account by default.
  • RULE : The 501 account has the least privileges.
  • RULE : A common tactic among security-minded SysAdmins is to reverse the username of the 500 and 501 accounts.  So when SIDs aren’t checked.  Attackers will go after the ‘Administrator’ account, only to be bogged down trying to figure out why it can’t do anything significant.
  • RULE : The RID with a value of 502, is Kerberos.
  • RULE : The RIDs for User accounts and for Groups start as 1000 and increment by 1, when they are added.
  • RULE : The system account has the capability to run in kernel mode on ring 0.
  • RULE : On a single standalone Windows system, the user accounts and passwords are stored in the Security Account Manager (SAM) database.
  • RULE : The SAM database is stored in c:\Windows\System32\config directory.
  • RULE : The SAM database is controller by a protected area in the registry at HKEY_LOCAL_MACHINE\SAM\SAM.
  • RULE : On Windows systems that are part of a domain, the Active Directory (AD) user accounts and passwords are stored on the server acting as a Domain Controller.
  • RULE : Windows AD is compatible with Lightweight Directory Access Protocol (LDAP).
  • RULE : The Windows Local Security Authority Subsystem Service (LSASS) is responsible for enforcing the security policy on the host it runs on.
  • RULE : LSASS does things like:
    • Verifies users logging on the Windows system.
    • Manages password policies.
    • Password changes.
    • Creates access tokens.
    • Sending security audit messages to the event log.
  • RULE : NetBIOS is a legacy non-routeable protocol created by IBM and used by Windows systems to communicate.
  • RULE : Microsoft adapted NetBIOS to run over TCP/IP in order to make it routeable.
  • RULE : NetBIOS is used with Server Message Blocks (SMB).
  • RULE : SMB is an application layer protocol which allows 2 computers to share files, printers, serial ports, etc.
  • RULE : Windows uses these TCP/UDP ports:
    • TCP 135 for MS-RPC endpoint mapper.
    • UDP 137 for NetBIOS name service.
    • UDP 138 for NetBIOS datagram service.
    • TCP 139 for NetBIOS session service.
    • TCP 445 for SMB over TCP.
  • RULE : Inter-Process Communication (IPC) offers a default share on Windows systems.  The ipc$ supports named pipes and was meant to be used for process to process communications.
  • RULE : A null session is when you connect to a Windows system with no username or password using the net use \\servername\ipc$ "" /u:"" .  This only works with operating systems before Windows 7, it was secured then and after.
  • RULE : To see what domains are available for you to connect to on a Windows system use net view /domain.
  • RULE : To see what servers are available in a domain (e.g. darkblueteam) use net view /domain:darkblueteam.
  • RULE : To see what shares are available on a server use net view \\dbtserver01 /all.
  • RULE : To see what the password policies are use net accounts.
  • RULE : To add or remove a computer to a domain, run these commands on a domain controller:
    • net computer \\newpc0122 /add.
    • net computer \\oldpc0007 /del.
  • RULE : To get details about the workstation or server including what account you are connected with use net config workstation.
  • RULE :net file
  • RULE : To add, display, or modify global groups in domains use net group on a domain controller.
  • RULE : net session, manages server computer connections. When used with no parameters, net session displays information about all sessions with the local computer.
  • RULE : net share, displays information about all of the resources that are shared on the Windows system.
  • RULE : To see the activities of a Windows server regarding sessions, files accessed, system errors, print jobs spooled use net statistics server.
  • RULE : To see the activities of a Windows workstation regarding SMBs, Bytes sent and received, network errors use net statistics workstation.
  • RULE : To set the NTP server for the Windows system use net time <ntp-server>.
  • RULE : To connect to a Windows share use net use.
  • RULE : To see what user accounts are on a Windows system use net user.
  • RULE : The net command can control the services on the Windows systems:
    • net stop <service>
    • net start <service>
    • net pause <service>
    • net continue <service>
  • RULE : DumpSec, is a NetBIOS enumeration tool that connects to Windows systems and dumps account information and share permissions, but it requires a null session to be established first.
  • RULE : GetAcct, is a NetBIOS enumeration tool to extract SIDs and more importantly the RID.  With it you can identify the RID 500 account.
  • RULE : SuperScan, is an old NetBIOS enumeration tool developed by Foundstone, grabs information about known users.  This tool was last updated in 2003
  • RULE : GetUserInfo, is a NetBIOS enumeration tool grabs information from a domain or single Windows system.
  • RULE : Ldp, is a NetBIOS enumeration tool works with Active Directory services.  You can connect using the guest account and see all of the user accounts and default groups.
  • RULE : User2sid, is a NetBIOS enumeration tool that can grab the SID from the SAM database.
  • RULE : Get the NetBIOS Remote Machine Table and the MAC address of a remote machine by using nbtstat -a drtsrv01 or nbtstat -A 10.122.3.44.
  • RULE : Get the NetBIOS Remote Cache Name Table by using nbtstat -c.
  • RULE : Get the NetBIOS Local Name Table by using nbtstat -n.
  • RULE : The important thing to look for with the nbtstat tables is the hex code next to the name.
  • RULE : These are the hex codes from nbtstat that are in reference to a computer name:
    • Code 00 type UNIQUE = Workstation service.
    • Code 01 type UNIQUE = Messenger service.
    • Code 01 type GROUP = Master Browser.
    • Code 03 type UNIQUE = Messenger service again.
    • Code 06 type UNIQUE = RAS service, server.
    • Code 1F type UNIQUE = NetDDE service.
    • Code 20 type UNIQUE = File server service.
    • Code 21 type UNIQUE = RAS service, client.
    • Code 22 type UNIQUE = Interchange for MSMail connector.
    • Code 23 type UNIQUE = Exchange Store.
    • Code 24 type UNIQUE = Exchange Directory.
    • Code 30 type UNIQUE = Modem sharing service, server.
    • Code 31 type UNIQUE = Modem sharing service, client.
    • Code 43 type UNIQUE = SMS Clients Remote Control.
    • Code 44 type UNIQUE = SMS Administrators Remote Control Tool.
    • Code 45 type UNIQUE = SMS Clients Remote Chat.
    • Code 46 type UNIQUE = SMS Clients Remote Transfer.
    • Code 6A type UNIQUE = Exchange IMC.
    • Code 87 type UNIQUE = Exchange MTA.
    • Code BE type UNIQUE = Network Monitor Agent.
    • Code BF type UNIQUE = Network Monitor Application.
  • RULE : These are the hex codes from nbtstat that are in reference to a domain:
    • Code 00 type GROUP = Domain name.
    • Code 1B type UNIQUE = Domain Master Browser.
    • Code 1C type GROUP = Domain Controllers.
    • Code 1D type UNIQUE = Master Browser.
    • Code 1E type GROUP = Browser service elections.
  • RULE : The hex codes from nbtstat that is in reference to a username is code 03 type UNIQUE.
  • RULE : Windows implementation of SNMP for version 1 and version 2 uses default community strings of public and private.
  • RULE : Some SNMP enumeration tools include snmpwalk, IP Network Browser, SNScan.
  • RULE : Best defense against SNMP attacks is to use version 3 or don’t use it at all.
  • RULE : If SNMP version 1 and version 2 must be used for whatever reason, at least change the community string from the defaults.

Topic 104.12 – Hacking Windows Passwords

  • RULE : To acquire passwords without touching a keyboard, you can use dumpster diving, social engineering, or shoulder surfing.
  • RULE : Human’s are predictable so some accounts are susceptible to password guessing.  If you know the person’s hobbies, favorite movie, favorite band, favorite sports team, or famously their pet’s name then you can try variations of these to guess their password.
  • RULE : If you don’t know anyone at the target organization, there are a few accounts to try:
    • Look for accounts that show the user has never logged in.
    • Look for accounts that have never changed the password, or haven’t changed for a long time.
    • Look for comments on the account, it might give clues to what the password is.
    • Look for service accounts, try the organization’s name and other variations of it.
  • RULE : To attempt passwords on Windows systems, an easy way is to try mapping a drive with net use * \\dbtserver07\c$ * /u:chris.chelios.  Then you will be prompted for your password guess.
  • RULE : Before making password guesses, you need to see how many guesses you can try before locking out the account.
  • RULE : Windows has little know FOR loop command that you can use to automate your guesses.  Try FOR /F %variable in (guesses.txt) DO net use \\dbtserver03\ipc$ %guesspassword /u:%guessuser.
  • RULE : There are a few programs that automate the password guessing for you, but they require a password dictionary file as well:
    • Brutus.
    • THC Hydra
    • Venom
    • NetBIOS Auditing Tool (NAT)
  • RULE : If password guess doesn’t work you and you can move on to password sniffing.
  • RULE : Pass-The-Hash uses the concept of sniffing the LM/NTLM hash and just replaying it to gain access.  This bypasses the need to crack it at all.
  • RULE : ScoopLM sniffs and captures password hashes then uses a built-in dictionary and brute-force cracking tool.
  • RULE : The current Windows authentication protocols is Kerberos V5.  Kerberos was first seen in Windows 2000 and can still be used by Windows 8 and Windows Servers 2012.
  • RULE : KerberosV5 is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services.
  • RULE : Kerberos on port 88 is another attack vector you can use besides Windows authentication.  KerbSniff and KerbCrack are part of the KerbCrack tool from around 2002 (Windows XP and Windows Server 2000) that sniffs, conducts dictionary guessing, and brute-force attacks against Kerberos.
  • RULE : The password cracking tool, L0phtCrack 6 (aka “LC6”) is a powerful features such as scheduling, hash extraction from 64-bit and 32-bit Windows versions from as late as Windows 2008R2 as well as most BSD and Linux flavors with an SSH daemon.
  • RULE : A newer approach to cracking password makes use of rainbow tables.
  • RULE : A rainbow table is a precomputed table for reverse engineering crypto hash functions such a passwords.  The tables are huge in regards to disk space, but the benefit is very little computation to compare the captured value to each one in the table.  Speeding up the process of brute forcing the passwords.
  • RULE : If password guessing and password sniffing aren’t possible, the attacker can move onto to keystroke loggers if you have physical access.
  • RULE : A hardware keystroke logger is typically in the form of a USB extension cable or some kind other USB device or adapter.  While the target user is gone, the hardware keyboard logger is installed.
  • RULE : Depending on the target organization, it might be risky returning to retrieve the device with webcams everywhere after the target finds it.  The better hardware keystroke loggers uses wifi and/or bluetooth to send the keystrokes so the attacker can distance himself from the potential crime scene.
  • RULE : A software keystroke logger can be installed on the target system if you can log into the target system also, which seems risky.
  • RULE : Some software keystroke loggers include:
    • ISpyNow.
    • PC Activity Monitor.
    • RemoteSpy.
    • Spector.
    • KeyStrokeSpy.

Topic 104.13 – Windows Privilege Escalation and Exploiting Vulnerabilities

  • RULE : Once you have compromised a limited privilege user account, like the receptionist for instance.  You won’t be able to do much with it other than view their emails, pictures, documents, and the like.
  • RULE : Use the receptionist’s system to escalate your privileges by:
    • Tricking the user into executing an application.
    • Get a privilege escalation tool onto the receptionist’s system, then use a scheduled task to get it to run.
    • Use Remote Desktop, Terminal Server client, or VNC client from the receptionist’s system since it maybe configured with privileged credentials already.
  • RULE : Use the receptionist’s system to exploit a vulnerability by:
    • Replace the sticky keys exe file, sethc.exe with cmd.exe then hold down a key until it executes as LocalSystem.
  • RULE : Use a buffer overflow to spray the heap with and use some shellcode as the payload, so it pukes and executes.  IE 6 was an easy target for the old Aurora exploit which did this back in the day.
  • RULE : Java is a target rich environment that has been exploited many times over.  Some of the better known privilege escalation tools that exploited Java in older Windows systems such as Windows XP, Vista, 2000, ad 2003 are:
    • ANI Exploit.
    • Billybastard.c.
    • ERunAs2X.exe.
    • Getad.exe.
  • <Too be continued>

Topic 104.14 – Covering Tracks

  • RULE : Sloppy hackers (typically script kiddies) will leave a trail of destruction in the form of log files pointing back toward their direction.
  • RULE : To cover tracks, disabling logging during and attack and reenabling after the attack will make it less obvious.  There will be a hole in the data, but they will have to look for it.
  • RULE : Auditpol.exe, which was introduced in the NT Resource Kit, can be used to disable logging:
    • C:\> auditpol \\192.168.1.77 /disable
  • RULE : If disabling the logs won’t work, clear them tools with such as:
    • ElSave.
    • Evidence Eliminator.
    • WinZapper.
  • RULE : If files must be left behind you need to hide them.
  • RULE : File can be hidden using the attributes of the files themselves, with the attrib command.  However, this can also be found by the sysadmin using the attrib command.
  • RULE : The Hierarchical File System (HFS) is an alternate data stream that can be used to hide file.
  • RULE : To create an alternative data stream:
    • Stream one file behind the other, C:\> somefile.zip > grantsnotes.txt:somefile.zip.
    • Erase the original attack, C:\> del somefile.zip.
    • To access the hidden file, C:\> start grantsnotes.txt:somefile.zip.