Metasploit: Dumping Microsoft SQL Server Hashes

New module just committed today: auxiliary/scanner/mssql/mssql_hashdump

This modules takes given credentials and a port and attempts to log into one or more MSSQL Servers. Once it has logged in it will check to make sure it has sysadmin permissions. Assuming it has the needed permissions it will then grab all of the Database Username and Hashes. While it is in there, it will also grab all the Database and Table names. It reports all of this back into the Database for later cracking. Support will be added in the future to the John the Ripper functions to include support for these database hashes. When it does, the database, table names, and instance names will also be sued to seed the JtR wordlists to enhance cracking efforts.



msf  auxiliary(mssql_hashdump) > info

       Name: MSSQL Password Hashdump
     Module: auxiliary/scanner/mssql/mssql_hashdump
    Version: 13435
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  TheLightCosine

Basic options:
  Name                 Current Setting          Required  Description
  ----                 ---------------          --------  -----------
  PASSWORD             reallybadpassword        no        The password for the specified username
  RHOSTS               192.168.1.1,192.168.1.2  yes       The target address range or CIDR identifier
  RPORT                1433                     yes       The target port
  THREADS              1                        yes       The number of concurrent threads
  USERNAME             sa                       no        The username to authenticate as
  USE_WINDOWS_AUTHENT  false                    yes       Use windows authentification

Description:
  This module extracts the usernames and encrypted password hashes
  from a MSSQL server and stores them for later cracking. This module
  also saves information about the server version and table names,
  which can be used to seed the wordlist.

msf  auxiliary(mssql_hashdump) >

Metasploit Development Environment In Ubuntu

I have spent some time today getting a new Metasploit Development Environment in place. With a lot of help from DarkOperator and egyp7 I think I have succeeded.

Step 1: Installing some Pre-Reqs

sudo aptitude install build-essential libssl-dev zlib1g zlib1g-dev subversion openssh-server screen bison flex jam exuberant-ctags libreadline-dev libxml2-dev libxslt-dev libpcap-dev libmysqlclient-dev libpq-dev curl git libsqlite3-dev
Step 2 Installing RVM

sudo bash < <(curl -s https://rvm.beginrescueend.com/install/rvm)
Edit your .bashrc file for each user that will be using RVM:
And add the following lines to the end of it:
# Load RVM source if [[ -s "/usr/local/rvm/scripts/rvm" ]] ; then source "/usr/local/rvm/scripts/rvm" ; fi # Enable Tab Completion in RVM [[ -r /usr/local/rvm//scripts/completion ]] && source /usr/local/rvm/scripts/completion

Then from bash run: source /usr/local/rvm/scripts/rvm


Next we install some necessary packages for rvm:

rvm pkg install zlib
rvm pkg install openssl
rvm pkg install readline

Then we install the ruby versions we want


rvm install 1.9.2 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr 


rvm 1.9.2 --default

rvm install 1.9.1 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr

rvm install 1.8.7 --with-zlib-dir=$rvm_path/usr --with-openssl-dir=$rvm_path/usr --with-readline-path=$rvm_path/usr

Then we install some needed Gems:


rvm gem install --no-rdoc --no-ri wirble pry pg nokogiri mysql sdoc msgpack hpricot sqlite3-ruby

Step 3: Adding DarkOperator's IRB customizations:

Create a file ~/.irbrc

The file should look like this:

puts "Loaded ~/.irbrc"
# Load Lobraries
require 'rubygems'
require 'wirble'
require 'irb/completion' 
# Enable Indentation in irb
IRB.conf[:AUTO_INDENT] = true 
# Enable Syntax Coloring 
Wirble.init
Wirble.colorize 
# get all the methods for an object that aren't basic methods from Object
class Object
def local_methods
(methods - Object.instance_methods).sort
end
end 

This customizes irb to give us syntax highlighting, tab completion, auto-indentation, and simple method enumeration.

Step 4: Installing Metasploit:

Metasploit install documentation

Step 5: Running Metasploit:

If you want to run msfconsole with the packaged Ruby, just run 'msfconsole' from bash.

Otherwise select your version like this: rvm 1.8.7

Then call msfconsole with the full path: /opt/metasploit/msf3/msfconsole

That's all there is to it. You are now ready to test your metasploit modules in various different versions of ruby all from the same box.

Once again, thanks to egypt and DarkOperator who provided a lot of this guidance to me.

Book Review: Metasploit a Penetration Tester's Guide

Earlier this month I picked up Metasploit: A Penetration Tester's Guide. I have, on multiple occasions, had the distinct pleasure to talk with two of the authours, Devon Kearns and Dave Kennedy. These two are shining examples of everything that is right with our industry. They are constantly giving back to the community at large and on an individual basis. They help others and share their knowledge and experience freely without any judgement. This book is just an extension of that behaviour. So enough about them, let's talk about the book.

The book seeks to give a complete overview of the Metasploit framework. This is a herculean task. They no doubt had to make hard decisions about what topics to cover as the most important. All things considered, I think they did an amazing job covering the most important facets. They start off with the basics of the framework: how it's laid out, auxiliary modules, scanners, exploits, getting shell, and what to do once you get a meterpreter session. Then we get to see some of the more advanced aspects, including writing custom fuzzers, developing exploits form scratch, and porting existing exploits into the framework. The book finishes up with a small example penetration test from start to finish. The only topic that they really seemed to skip was the Metasploit WMAP web scanning functionality. Although some Web Application topics were covered through the use of FastTrack.

The way the authours cover the subject matter is excellent. They show you each step, and call your attention to the most improtant parts along the way. It's as close as you can get to demonstration in a book, and it works very well in my opinion. They truly highlight what makes Metasploit great: it's flexibility. they show you how to modify existing modules or write your own. They show how you can use Metasploit in the actual exploit development process as well. Allowing you to birth new exploits completely in the Framework.

I have been using Metasploit since version 2, and I learned new things from this book. Whether it was small things like the SETG command, to some of the more advanced features I have never used before like msfpescan. Whether you are just starting to learn about Penetration Testing or you have been doing it from years, this book is a must read. Unless you are H.D. Moore you will be hard pressed not to get value from this book.

UPDATE: On a note of fairness, Metasploit Unleashed does cover WMAP functionality, even if it did not make it into the book.

Metasploit: Windows User Profile Data

The Metasploit team as added one of my latest submissions. It is a Mixin for Post modules that allows you to enumerate the user profile information on a windows machine. A lot of the psot modules that I and others have written relied on static values for determining paths for things like the AppData folder. While this worked, it was hardcoded for the English language and didn't account for other possible changes to the system.

The new Msf::Post::Windows::UserProfiles mixin seeks to address this issue by using the registry. Two new Registry functions were added into every layer of Meterpreter: RegLoadKey() and RegUnloadKey(). These two functions, incidentally, should also work from a windows shell session.

The first step is to look in the Registry under HKLM/Software/Microsoft/WindowsNT/CurrentVersion/ProfileList
There are a series of subkeys here for the different SIDs that exist on the machine. When we look at each SID's subkey we will see a value called ProfileImagePath which is the user's root profile directory.

The first function in the mixin is read_profile_list(). This parses this key and all of it's subkeys. While it's doing that it reads through HKU to see which of these hives are already loaded and marks them appropriately.


This lets us know what users we should expect to see on the system, and where we can find their NTUSER.DAT file. If we look at the HKU key in our example, we see only the Administrator hive is currently loaded.

So, next the load_missing_hives() function takes all of the hives not currently loaded, and the paths to their registry hives, and loads each one that it can. Below we see the additional Hives loaded into HKU.

We then call parse_profiles(), which takes each hive and calls parse_profile() on it. This pulls the locations of directories like AppData, My Documents, Local Settingsd etc, and assembles it all. We can see the reg key under the user (HKU//Software/Microsoft/WindowsNT/CurrentVersion/Explorer/ShellFolders)

When we are done parsing this data, we may be done with the registry hives themselves, assuming we were only after filesystem data. Since we are done with the hives, we will want to unload them again to minimize our impact on the system. To do that we call unload_our_hives() This function unloads only the hives that we specifically loaded.

All of these functions are exposed in the mixin, meaning that module writers can use as much or as little of it as they want. However, if the module writer just wants to grab the profile directory data, they can just call grab_user_profiles() . This function will walk through the entire process for them, returning an array of hashes containing all of this data. Below we see an example/test module to demonstrate the UserProfile functionality.

-------------------------------------------

require 'msf/core'
require 'rex'
require 'msf/core/post/windows/user_profiles'


class Metasploit3 < Msf::Post
include Msf::Post::Windows::Registry
include Msf::Post::Windows::UserProfiles

def initialize(info={})
super( update_info( info,
'Name'          => 'Windows Load Reg Hive Test',
'Description'   => %q{ This module exists simply to test
the user profile enuemration mixin},
'License'       => MSF_LICENSE,
'Author'        => [ 'TheLightCosine '],
'Platform'      => [ 'windows' ],
'SessionTypes'  => [ 'meterpreter' ]
))

end

def run

grab_user_profiles().each do |user|
print_status("***Username: #{user['UserName']} SID: #{user['SID']}***")
print_status("Profile dir: #{user['ProfileDir']} LocalSettings dir: #{user['LocalSettings']}")
print_status("AppData: #{user['AppData']} LocalAppData: #{user['LocalAppData']}")
print_status("History: #{user['History']} Cookies: #{user['Cookies']} Favorites:  #{user['Favorites']} ")
print_status("MyDocs: #{user['MyDocs']} Desktop: #{user['Desktop']}")
end


end

end

-------------------------------

Here is what the output of running this test module would look like:

-------------------------------------------------------

meterpreter > run post/windows/gather/hive_test

[*] ***Username: Testuser1 SID: S-1-5-21-1462624396-1657036728-2537704546-1009***
[*] Profile dir: C:\Documents and Settings\Testuser1 LocalSettings dir: C:\Documents and Settings\Testuser1\Local Settings
[*] AppData: C:\Documents and Settings\Testuser1\Application Data LocalAppData: C:\Documents and Settings\Testuser1\Local Settings\Application Data
[*] History: C:\Documents and Settings\Testuser1\Local Settings\History Cookies: C:\Documents and Settings\Testuser1\Cookies Favorites:  C:\Documents and Settings\Testuser1\Favorites
[*] MyDocs: C:\Documents and Settings\Testuser1\My Documents Desktop: C:\Documents and Settings\Testuser1\Desktop
[*] ***Username: Testuser2 SID: S-1-5-21-1462624396-1657036728-2537704546-1010***
[*] Profile dir: C:\Documents and Settings\Testuser2 LocalSettings dir: C:\Documents and Settings\Testuser2\Local Settings
[*] AppData: C:\Documents and Settings\Testuser2\Application Data LocalAppData: C:\Documents and Settings\Testuser2\Local Settings\Application Data
[*] History: C:\Documents and Settings\Testuser2\Local Settings\History Cookies: C:\Documents and Settings\Testuser2\Cookies Favorites:  C:\Documents and Settings\Testuser2\Favorites
[*] MyDocs: C:\Documents and Settings\Testuser2\My Documents Desktop: C:\Documents and Settings\Testuser2\Desktop
[*] ***Username: Administrator SID: S-1-5-21-1462624396-1657036728-2537704546-500***
[*] Profile dir: C:\Documents and Settings\Administrator LocalSettings dir: C:\Documents and Settings\Administrator\Local Settings
[*] AppData: C:\Documents and Settings\Administrator\Application Data LocalAppData: C:\Documents and Settings\Administrator\Local Settings\Application Data
[*] History: C:\Documents and Settings\Administrator\Local Settings\History Cookies: C:\Documents and Settings\Administrator\Cookies Favorites:  C:\Documents and Settings\Administrator\Favorites
[*] MyDocs: C:\Documents and Settings\Administrator\My Documents Desktop: C:\Documents and Settings\Administrator\Desktop

-------------------------------------------------

My latest password extraction module for the SmartFTP client uses this new functionality. I have submitted a patch, that is still pending to implement this functionality across numerous other post modules. Using it to discover profile directories, and in some cases more thoroughly search the registry by loading missing userhives and then unloading them again when done. 

All told this should help make these modules able to function more completely on non-English language pack machines, as well as be more thorough in their searching for critical data in the system.

Take away the Tools

Indi303 recently had a post on twitter

Dear pentester: Throw away metasploit.... are u still a hacker? If you make excuses about why u are,but need it.. you aren't

It seems like a lot of people did not understand what he was saying, which rather proves the point I think.  He is not saying that Pen Tester should not use Metasploit, or that tools are bad. What he is saying here is that knowing how to use tools does not make you a good pentester. It makes you a script kiddie. We have been interviewing candidates for two new PenTest positions at my work, and I can tell you I feel this keenly.

During our in-person panel interview we ask a long series of questions designed to gauge depth. We ask a number of basic questions. These first sets of questions we are jsut looking for typical responses. These questions can range from simple things like: "how does traceroute actually work" or "What is ring0" to more complex questions like "How do you exploit Blind SQL Injection on Oracle" or "Name two places besides the saved return pointer that you could overwrite to control program execution". The results we have seen on these questions alone are somewhat disappointing and very mixed.

Then we get to where the wheels always seem to come off. This is where we ask the candidates to actually demonstrate the things they have claimed knowledge of. We ask things like "Write out an HTTP GET request on the whiteboard". Some of you are probably saying to yourselves "That is simple". I would agree, and yet no candidate has done it correctly yet. We draw out a URL with GET parameters and ask them "Rewrite this request with a blind SQL injection attack".

The fact is that when asked to demonstrate these skills and knowledge disciplines outside the context of any sort of tool or crutch. One of my colleagues across the wall, in Incident Response land, has suggested that I am being too harsh. That people who can only use tools still have some value. He is right, as far as it goes. what happens though, when you have secured the environment past the point where you can just run metasploit modules and pop boxes. When you need to find design flaws, or 0days to exploit systems. A click-monkey is of no real value there, except maybe fetching coffee.


none of this means you should throw your tools away. Metasploit is a valuable tool and a framework for pentesting.  Those of you who know me, of course know, that when i find something Metasploit doesn't do that I want it to, i try and add it.  So while I can operate without Metasploit, and have to often, i try and continually reduce those occurrence by submitting enhancements to Metasploit. In this way I am also giving back to the community. Something i would encourage EVERY pentester to do: If you see something Metasploit should do, but doesn't, write it and submit it!

Or at least open up a feature request on their Redmine interface.

Information Security: Why we Fail

The very first word seems to be our downfall. Information. If we don't have all of it, we have already failed. So suppose you are in a sizable organisation. Suppose that this organisation has grown inorganically over the years.  You have a problem, and that problem is that there is no single authoritative source of information about your environment.

Now as a Security Engineer or Penetration Test how can you protect that environment from compromise? The answer: you can't.  At least not until you rectify this problem first. The simple fact that is often overlooked is this: it takes only 1 machine being compromised for the situation to spin out of control.  If your knowledge of your environment is incomplete and there are systems your security team is not covering because they don't know it exists, you have failed. It is a matter of when, not if, you suffer a serious breach.  you can secure all of those other hosts on the perimeter, and it will amount to nothing. The host with SQLi in that subnet you never knew about will let the attackers in. Then they are on a trusted machine somewhere in your environment, and their possible avenues of attack are countless.  Hgiher ups within the organisation will demand answers "Why didn't we catch this problem before? Why are we paying you people".

So here's the point of my rant: If you are an org that is attempting a major Information Security initiative, make sure you equip your security people with the Information they need. If it isn't available, then you need to apply some breaks and fix that problem before anything else.

1.  Identify all of the systems in your environment and where they are. Chances are you're going to find systems that should have been decommed years ago. There is an instant monetary savings for you when you shut them off, as well as a positive step for Security.  
2. Document all of these systems. What they are, who owns them, etc. Keep this documentation up to date going forward
3. Identify roles and responsibilities of those systems, and segregate portions of your network appropriately. Implement proper access controls between these segregated environments. If you worry about PCI compliance, this is a MUST.
4. Now set your Security people to work. Deploy Vulnerability Scanning solutions, arrange Penetration Test Engagements, implement an SDLC, etc.

If you try to skip these first three steps, you will fail. I guarantee it.