Wednesday, April 9, 2014

Breaking MSFT Kerberos With Responder

I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically with no user interaction on a given network.

Often you see these requests in Wireshark on an internal penetration test:

So I came up with a tool that automates the Kerberos connection for these:

Which shows up like this in Wireshark:
Here's how the attack works:
1) Poison a NBT-NS lookup for the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX, then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.
2) Set up an SMB server which responds to a NegotiateProtocolRequest with the supported mech list set to Kerberos only, and wait for the Kerberos AS-REQ on UDP 88.
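Step 1 only works because a host on the segment answers NBT-NS queries for names it does not own. The following is an added, defender-side example (it is not Responder's code and not from this post): it broadcasts an NBT-NS name query for a canary name that cannot exist on the network, so on a clean segment nobody answers and any positive response identifies a poisoner. The canary name, the transaction id and the assumption that IPv4 broadcast and UDP/137 reach the segment are mine; the sample response builder is a constructed stand-in used only for offline checking.

```python
"""NBT-NS poisoning canary: an added, defender-side example (not Responder's
code). Step 1 above relies on someone answering NBT-NS queries they do not
own, so we broadcast a query for a name that cannot exist and treat any
positive answer as a poisoner. Assumes IPv4 broadcast reaches the segment.
"""
import socket
import struct

NBNS_PORT = 137
NB_TYPE = 0x0020      # NetBIOS general name service resource record
CLASS_IN = 0x0001


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001 first-level encoding: pad to 15 chars, append the suffix byte,
    split each byte into two nibbles and add them to 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + enc + b"\x00"          # one 32-byte label, then terminator


def build_nbns_query(name: str, txid: int = 0x1234) -> bytes:
    """NAME QUERY REQUEST: flags 0x0110 = opcode query, broadcast, recursion."""
    header = struct.pack(">HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_nbns_name(name) + struct.pack(">HH", NB_TYPE, CLASS_IN)


def parse_nbns_response(data: bytes, txid: int = 0x1234) -> list:
    """IPv4 addresses claimed by a positive NAME QUERY RESPONSE for txid;
    empty list for non-responses, errors, or unrelated transactions."""
    if len(data) < 12:
        return []
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    pos = 12                                # skip the answer name (labels or pointer)
    while True:
        if pos >= len(data):
            return []
        label = data[pos]
        if label == 0:
            pos += 1
            break
        if label & 0xC0 == 0xC0:
            pos += 2
            break
        pos += 1 + label
    if pos + 10 > len(data):
        return []
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
    pos += 10
    if rtype != NB_TYPE or rclass != CLASS_IN:
        return []
    rdata = data[pos:pos + rdlen]           # entries of 2 flag bytes + IPv4
    return [socket.inet_ntoa(rdata[i + 2:i + 6]) for i in range(0, len(rdata) - 5, 6)]


def sample_positive_response(name: str, ip: str, txid: int = 0x1234) -> bytes:
    """Constructed sample shaped like a poisoner's answer, for offline testing."""
    header = struct.pack(">HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rr = struct.pack(">HHIH", NB_TYPE, CLASS_IN, 300, 6) + b"\x00\x00" + socket.inet_aton(ip)
    return header + encode_nbns_name(name) + rr


def probe(canary: str = "CANARY-NOEXIST", timeout: float = 2.0) -> list:
    """Broadcast the canary query; return [(answering_host, claimed_ips), ...]."""
    txid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_nbns_query(canary, txid), ("255.255.255.255", NBNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(1024)
            claimed = parse_nbns_response(data, txid)
            if claimed:
                hits.append((src, claimed))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    for src, claimed in probe():
        print(f"ALERT: {src} answered NBT-NS for a nonexistent name, claiming {claimed}")
```

Run it periodically from a host on each broadcast domain; the source address of any hit is the machine to investigate, and the claimed address is where victims would have been sent. Because the canary name never resolves legitimately, there are no false positives from real NetBIOS name owners.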

Responder will then take care of the hash parsing and formatting:

And will make it ready for hashcat (-m 7500):

This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder).

Game over MSKerberosV5.


Tuesday, April 8, 2014

Introducing PCredz

PCredz was built to extract credentials from large pcap files or from a live interface.

Stats on juicy pcap files:
- 30 MB pcap file: 15 s
- 500 MB pcap file: 1.5 minutes
- 2 GB pcap file: 7 minutes

Features:

  • Extract from a pcap file or from a live interface:
    • Credit card numbers
    • POP
    • SMTP
    • IMAP
    • SNMP community string
    • FTP
    • HTTP Basic
    • NTLMv1/v2 (DCE-RPC, SMBv1/2, LDAP, MSSQL, HTTP, etc.)
    • Kerberos (AS-REQ Pre-Auth etype 23) hashes
  • All hashes are displayed in hashcat format (use -m 7500 for Kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).
  • Log all credentials to a file (CredentialDump-Session.log).
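Every protocol in that list carries credentials in a form that a passive listener can recover, so a defender wants to know where such traffic still exists on the network before an attacker does. The following is an added example, not PCredz's code: a minimal libpcap reader that counts packets on the ports of the protocols listed above and flags HTTP Basic authorization headers by presence only, without decoding or logging any secret. The port-to-protocol tables, the Ethernet/IPv4 assumption and the constructed sample capture (which carries the RFC 7617 example Basic header and a UDP/88 datagram standing in for an AS-REQ) are mine.

```python
"""Cleartext-credential protocol inventory over a libpcap file: an added
defender-side example, not PCredz's code. It counts packets on the ports of
the credential-bearing protocols PCredz parses and flags HTTP Basic headers,
without decoding or logging any secret. Assumes Ethernet (DLT_EN10MB), IPv4.
"""
import struct
import sys
from collections import Counter

DLT_EN10MB = 1
TCP_PORTS = {21: "FTP", 25: "SMTP", 80: "HTTP", 88: "Kerberos", 110: "POP3",
             143: "IMAP", 389: "LDAP", 445: "SMB", 1433: "MSSQL"}
UDP_PORTS = {88: "Kerberos", 161: "SNMP"}


def iter_pcap_frames(blob: bytes):
    """Yield raw link-layer frames from a libpcap byte string (either endianness)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(blob[:4])
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", blob[20:24])[0] != DLT_EN10MB:
        raise ValueError("only Ethernet link type is handled")
    pos = 24
    while pos + 16 <= len(blob):
        incl_len = struct.unpack(endian + "IIII", blob[pos:pos + 16])[2]
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len


def classify_frame(frame: bytes):
    """(protocol label, L4 payload) for IPv4 TCP/UDP on a listed port, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    l4 = 14 + (frame[14] & 0x0F) * 4          # Ethernet header + IHL
    proto = frame[23]
    if proto == 6 and len(frame) >= l4 + 20:  # TCP: data offset in the 13th byte
        table, hdr_len = TCP_PORTS, (frame[l4 + 12] >> 4) * 4
    elif proto == 17 and len(frame) >= l4 + 8:  # UDP: fixed 8-byte header
        table, hdr_len = UDP_PORTS, 8
    else:
        return None
    sport, dport = struct.unpack(">HH", frame[l4:l4 + 4])
    label = table.get(dport) or table.get(sport)
    return (label, frame[l4 + hdr_len:]) if label else None


def inventory(blob: bytes) -> dict:
    """Per-protocol packet counts plus a count of HTTP Basic headers seen."""
    counts, basic = Counter(), 0
    for frame in iter_pcap_frames(blob):
        hit = classify_frame(frame)
        if hit is None:
            continue
        label, payload = hit
        counts[label] += 1
        if label == "HTTP" and b"\r\nAuthorization: Basic " in payload:
            basic += 1                        # presence only; never decode it
    return {"protocols": dict(counts), "http_basic_headers": basic}


def _frame(proto: int, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/{TCP,UDP} frame for the sample; checksums left zero."""
    if proto == 6:
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0)
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + l4 + payload


def sample_pcap() -> bytes:
    """Constructed capture: an HTTP request carrying the RFC 7617 example Basic
    header, a UDP/88 datagram standing in for an AS-REQ, and one DNS packet."""
    frames = [
        _frame(6, 40000, 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n"
                             b"Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n\r\n"),
        _frame(17, 50000, 88, b"\x6a\x81\x00" + b"\x00" * 40),
        _frame(17, 50001, 53, b"\x00" * 30),
    ]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_EN10MB)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pcap()
    print(inventory(data))
```

Pass a capture path as the first argument to run it over a real file; with no argument it runs over the constructed sample and reports one HTTP packet carrying a Basic header and one Kerberos datagram. Port-based classification is deliberately coarse: it is an inventory of where cleartext or crackable authentication still flows, not a credential extractor.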

Install:

  • Linux:
On a Debian-based OS: apt-get install python-libpcap
  • OS X and other distributions:
wget http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.g
tar xvf pylibpcap-0.6.4.tar.gz
cd pylibpcap-0.6.4
python setup.py install

Usage:

./Pcredz -f file-to-parse.pcap
./Pcredz -d /tmp/pcap-directory-to-parse/
./Pcredz -i eth0
Options:
-h, --help show this help message and exit
-f capture.pcap Pcap file to parse
-d /home/pnt/pcap/ Pcap directory to parse recursively
-i eth0 interface for live capture
-v More verbose.


You can download PCredz here:
https://github.com/lgandx/PCredz

 

Sunday, January 5, 2014

thoughts on NSA and our future

The recent NSA disclosures make the paranoid not so paranoid after all.

We confirmed that they will listen to your calls, your internet sessions, etc., particularly if you're a foreigner; me and you.

The whole current B.S. is about "So, is what you're doing U.S. constitutionally compliant?" and everyone knows that if you're asking the question in the first place, it's probably because it is not, and so people focus on getting the U.S. intelligence community to stop doing this. This might take a while though...

What will happen after restrictions apply (if they do):

- The NSA will act upon their new interpretation of the word "spying" and will gather the same kind of data in a different way, since it is presented in a different way.
- If they can't, they will reach out to their CSEC friends or any Five Eyes friends and get that data, since it was collected as a normal spying operation by a foreign government; but since they are friendly, they share the info, and then it is not collected by the NSA but acquired.

Oath Of Office:

Oaths of office are a statement of loyalty to a constitution or other legal text or to a person or other office-holder (e.g., an oath to support the constitution of the state, or of loyalty to the king). Under the laws of a state it may be considered treason or a high crime to betray a sworn oath of office.
If you expose wrongdoing by your government that is against the constitution, it should be seen as an Oath right of disclosure, in order to protect the constitution.
See: http://en.wikipedia.org/wiki/Oath_of_office

 
So what are your options?
You should encrypt everything you do.

That simple. Don't wait for the U.S. Congress to say "The way you defined it, it is illegal".
Move on and encrypt your communications right now.
The justice system, in the U.S. and mostly around the world, works on a double standard, and when it's time to have privacy you don't have a word to say; or, if you prefer, your words will be listened to.
It's your pick how you want to behave online.

Monday, December 30, 2013

Responder 2.0 is out

A quick blog post to let you know that Responder 2.0 Beta is out:
 - https://github.com/Spiderlabs/Responder

This version includes several new rogue auth servers, SMB Relay and much much more.

If you enjoy internal pentests, stay tuned to http://blog.spiderlabs.com; a complete blog post will detail all the new functionality and some actual Responder wushu.

Happy new year all.

Wednesday, February 6, 2013

Some fun with Responder 1.8

I've made a short video on Responder 1.8 usage and examples.

This video can be found here: http://www.youtube.com/watch?v=nkpK5lIPHg8

Note that on the latest version, when you open IE you won't get any password prompt for WPAD (unlike in this video) and your browser will send your NTLM hashes along transparently.

As always, latest version can be found here: https://github.com/SpiderLabs/Responder/

Cheers

Thursday, January 24, 2013

Owning Windows Networks with Responder 1.7

Full post and download link can be found here:

http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html

Wednesday, October 24, 2012

Introducing Responder 1.0

I recently released a LLMNR/NBT-NS responder with several rogue auth servers.

Full details about this tool and the download link can be found here: http://blog.spiderlabs.com/2012/10/introducing-responder-10.html