Monday, June 9, 2014

Responder v2.0.9

Responder is an Active Directory/Windows environment takeover tool suite that can stealthily take over any default active directory environment (including Windows 2012) in minutes or hours. Most of the attacks in this tool are hard to detect and are highly successful.

Responder attacks 5 Windows core protocols:
 - LLMNR Poisoning (Windows >=vista).
 - Netbios Name Service Poisoning (NBT-NS poisoning, any by default).
 - WPAD (Any by default).
 - ICMP Redirect (Windows <=2003/XP).
 - DHCP INFORM (Windows <=2003/XP) and ability to perform normal DHCP attacks (Linux, OSX, Windows) [unicast answer].

An extra protocol has been added, for OSX and Linux distributions using avahi: MDNS (Linux, Apple, any .local)

When exploiting these protocol flaws, Responder has its own rogue servers listening:
- SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.

- MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.

- HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can also send your custom files to a victim.

- HTTPS Auth server. In order to redirect HTTPS Authentication to this tool, you will need  to set the -r option for Windows versions older than Vista (NBT-NS queries for HTTP server lookups are sent using the Workstation Service  name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari. The folder Cert/ was added. It containa 2 default keys, including a dummy private key. This is intentional. The purpose is to have Responder working out of the box. A script was added in case you need to generate your own self signed key pair.

- LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.

- FTP Auth server. This module will collect FTP clear text credentials.

- Kerberos v5 pre-auth server.

- Small DNS server. This server will answer type A queries. This is really handy when it's combined with ARP spoofing, ICMP Redirect, DHCP INFORM.

- WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is highly effective. You can send your custom PAC script to a victim and inject HTML into the server's responses. See Responder.conf.

- Analyze mode: This module allows you to see NBT-NS, BROWSER and LLMNR requests between systems without poisoning any requests. You can also map domains, MSSQL servers, workstations passively and also see if ICMP Redirects attacks are plausible on your subnet. No port scans.

- POP3 auth server. This module will collect POP3 plaintext credentials

- SMTP auth server. This module will collect PLAIN/LOGIN clear text credentials.

- IMAP auth server.

Responder also lets you:

- Customizes your penetration test via Responder.conf.
- Responds to specific in-scope Netbios/LLMNR names.
- Responds to specific in-scope ip addresses.
- Injects SMB share pictures into WPAD responses.
- Replaces requested .exe files with your own, but shown as the original one requested.
- Replaces any requested page with your custom html page, exe file, etc (S-E).
- Set you custom NETNTLM Challenge.

- Logs all its activity to a file: Responder-Session.log.
- All hashes are printed to stdout and dumped in an unique hashcat compliant file using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt. The file will be located in the current folder.
- When the option -f is set, Responder will fingerprint every host that issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.

Usage example:
./Responder.py -i Your_IP_Address -rvF
MUse NBT-NS workstation redirects, be verbose, force WPAD file retrieval authentication

./Responder.py -i Your_IP_Address -A
Analyze mode shows NBT-NS/LLMNR/MDNS queries without responding and finds all MSSQL servers, Workstations, Domains, prints if you can ICMP-Redirect on the subnet. Passive reconnaissance at its best. No port scan, map a network within minutes.

Github:
https://github.com/Spiderlabs/Responder

More info:
- https://github.com/SpiderLabs/Responder/blob/master/README.md
- http://blog.spiderlabs.com/2012/10/introducing-responder-10.html
- http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html
- http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html
- http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html

Twitter:
- https://twitter.com/PythonResponder

Saturday, June 7, 2014

More on PCredz..

Pcredz was designed to dump useful information on the fly, from a pcap file or from a pcap directory.
Unlike tools like, for example Breachprobe, Pcredz is highly effective and fast just to meet your pentest needs.

What Pcredz does right now from a live interface or pcap file: 
  • Identify Card Holder Data (CHD) on any port.
  • Dump NTLMv1/v2 (DCE-RPC,SMBv1/2,LDAP,MSSQL,HTTP,etc) hashes on any protocol and port.
  • Dump Kerberos (AS-REQ Pre-Auth etype 23) hashes (TCP/UDP 88).
  • Dump HTTP Basic (any port).
  • Dump POP credentials.
  • Dump SMTP credentials.
  • Dump IMAP credentials.
  • Dump SNMP community strings.
  • Dump FTP credentials.
All hashes are displayed in hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
All credentials are logged to a file (CredentialDump-Session.log).

Pcredz was designed to be highly efficient, specifically with ARP poisoning attacks.
More details and download link:
Github: https://github.com/lgandx/PCredz/

Wednesday, May 28, 2014

Microsoft DHCP INFORM Configuration Overwrite

Title:           Microsoft DHCP INFORM Configuration Overwrite
Version:         1.0
Issue type:      Protocol Security Flaw
Affected vendor: Microsoft
Release date:    28/05/2014
Discovered by:   Laurent Gaffié
Advisory by:     Laurent Gaffié
Issue status:    Patch not available
==============================
=================================================

Summary
-------

A vulnerability in Windows DHCP (http://www.ietf.org/rfc/rfc2131.txt) was found on Windows OS versions
ranging from Windows 2000 through to Windows server 2003.  This vulnerability allows an attacker to remotely
overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user
interaction. Successful exploitation of this issue will result in a remote network configuration
overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.


Technical details
-----------------

Windows 2003/XP machines are sending periodic DHCP INFORM requests and are not checking if the DHCP INFORM answer (DHCP ACK) is from the registered DHCP server/relay-server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.

Impact
------

Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.

Affected products
-----------------

Windows:
- 2000
- XP
- 2003

Proof of concept
----------------
The DHCP.py utility found within the Responder toolkit can be used to exploit this vulnerability.

git clone https://github.com/Spiderlabs/Responder

Solution
--------
Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\Interfaces\

Response timeline
-----------------
* 18/04/2014 - Vendor notified.
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 )
* 18/04/2014 - Suggested to vendor to run Responder on a A-D environment while looking at the DHCP issue for education purposes. Since multiple attempts were
               made to have them be aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was asked what
               code change made this DHCP INFORM issue different on Windows Vista than Windows Server 2003.
* 21/04/2014 - MSRC answers with an automated response.
* 08/05/2014 - Request for a reply.
* 14/05/2014 - MSRC reply and refuses to share their view on the code change, however they mention that 'The product team is investigating whether the RFC for
               a DHCPINFORM message is properly implemented'.
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with
               Responder.
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on if they were successful with Responder in their environment.


References
----------
* Responder: https://github.com/Spiderlabs/Responder
* https://twitter.com/PythonResponder
* http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html

Wednesday, April 9, 2014

Breaking MSFT Kerberos With Responder

I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.
(click on the pics if they don't display correctly).

Often you see these requests in wireshark on an internal penetration test:


So I came up with a tool that automates kerberos' connection for these:


Which shows up like this in Wireshark:


Here's how the attack works :
1) Poison a NBT-NS lookup on the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.
2) Setup a smb server which responds to a NegotiateProtocolRequest with the supported mech list set as kerberos:
 
and wait for the Kerberos AS-REQ on UDP 88.

Responder will then take care of the hash parsing and formating:




 And will make it ready for hashcat (-m 7500):

This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder)

Game over MSKerberosV5.


Tuesday, April 8, 2014

Introducing PCredz

PCredz was built to extract credentials from large pcap files or from a live interface.

Stats:

Stats on juicy pcap files:
- 30 mo pcap file : 15s
- 500mo pcap file: 1.5 minutes
- 2 Go pcap file: 7 minutes.

Features:

  • Extract from a pcap file or from a live interface:
    • Credit card numbers
    • POP
    • SMTP
    • IMAP
    • SNMP community string
    • FTP
    • HTTP Basic
    • NTLMv1/v2 (DCE-RPC,SMBv1/2,LDAP, MSSQL, HTTP, etc)
    • Kerberos (AS-REQ Pre-Auth etype 2#) hashes.
  • All hashes are displayed in a hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
  • Log all credentials to a file (CredentialDump-Session.log).

Install:

  • Linux:
On a debian based OS: apt-get install python-libpcap
  • Os X and other distributions:
wget http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.g
tar xvf pylibpcap-0.6.4.tar.gz
cd pylibpcap-0.6.4
python setup.py install

Usage:

./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0
Options:
-h, --help show this help message and exit
-f capture.pcap Pcap file to parse
-d /home/pnt/pcap/ Pcap directory to parse recursivly
-i eth0 interface for live capture
-v More verbose.


You can download PCredz here:
https://github.com/lgandx/PCredz

 

Sunday, January 5, 2014

thoughts on NSA and our future

NSA recent disclosures, makes the paranoid not so paranoid after all.

We confirmed, that they will listen on your call, your internet session, etc, particularly if you're a foreigner; me and you.

The whole current B.S is about "So what you're doing, is U.S constitutionally compliant ?" and everyone knows, if you're asking the question at the first place, it's probably because it is not and so people focus on having the U.S intelligence community to stop doing this. This might take a while doh...

What will happens after restriction applies (if it does) :

- NSA will act upon their new interpretation on the word "Spying" and will gather the same kind of data, in a different way, since it is presented in a different way.
- If they can't, they will reach and use their CSEC friends or any five eyes friends and get that data since it was collected as normal spying operation from a foreign gov, but since they are friendly, they share the info and then it is not collected by the NSA but acquired.

Oath Of Office:

Oaths of office are a statement of loyalty to a constitution or other legal text or to a person or other office-holder (e.g., an oath to support the constitution of the state, or of loyalty to the king). Under the laws of a state it may be considered treason or a high crime to betray a sworn oath of office.
If you expose wrongdoing done by your gov, which is against the constitution, it should be seeing as Oath right of disclosure, in order to protect the constitution.
See : http://en.wikipedia.org/wiki/Oath_of_office 

 
So what are your options ?
You should encrypt everything you do.

That simple. Don't wait for U.S congress to say "The way you defined it, it is illegal".
Move on and encrypt your communications right now.
The justice system, in the US and mostly around the world, works on a double standard and when it's time to have privacy, you don't have a word to say, or if you prefer your words will be listen.
Your pick on how you want to behave online.

Monday, December 30, 2013

Responder 2.0 is out

A quick blog post to let you know that Responder 2.0 Beta is out:
 - https://github.com/Spiderlabs/Responder

This version includes several new rogue auth servers, SMB Relay and much much more.

If you enjoy internal pentests, stay tuned on http://blog.spiderlabs.com, a complete blog post will be detailing all new functionalities and some actual Responder wushu.

Happy new year all.