After fighting with my VMWare install under Ubuntu 10.04 (yes, I know…. it’s Alpha, why is that on your main box!!!) last night after the release, I finally got a chance to play a little with the exploit today in a test environment. As you can imagine the exploit is simple to use and works like a charm (at least in the testing I’ve done). I’ve put together a quick video of the exploit for those that want to show their management types why this is such a serious issue.

I particularly like the addition of the migrate -f automatically into the exploit (see ’show advanced’). This spawns a new notepad process and migrates to it so that if the victim closes/kills IE, the meterpreter session won’t be automatically killed along with the process. You learn something new everyday!

Microsoft have now posted a number of workarounds (most centered around disabling or limiting access to the peer class). For more information checkout KB981374 and CVE-2010-0806

All credit for the exploit goes to Tracer, All credit to HD Moore and the Metasploit team for producing such a great tool, for people like me (another tool), to rely on so much.

Keep up the good work.

1. Standard mode – The account is created and added to the hardcoded ‘Administrators’ local group
2. Custome mode – The account is created and added to the local group specified by the cust parameter
3. WMIC mode – The account is created and added to the local administrators group regardless of name, based on the SID.

This last option is, as HD pointed out, supported only on Windows XP / 2003 and later systems. However it does offer a larger degree of flexibility by discovering the local administrators account without relying on the name. This can help bypass the language issue, as well as the issue of renamed local groups. I’ll leave it up to you if you find it useful.

Some of the commands I used on the video are below for your reference .:

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG X > adduser_std.exe

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG cust=Admingroup X > adduser_cust_admingroup.exe

./msfpayload windows/adduser_wmic pass=Re@llyStr0nG X wmic=true > adduser_wmic.exe

A number of small issues did appear in testing. The issue of a password greater than 14 chars prompting the target user to accept (due to backwards compatability reasons). As well as the issue of password complexity (the payload will fail if complexity rules on the target system aren’t met). I’ll be looking at those issues to see what can be done within the payload when I have a chance. Until then please feel free to download the current version of adduser_wmic.rb and give it a whirl.

As always, feel free to leave any comments if you encounter problems or would like to suggest any possible changes.

After many (many) months of procrastination, I’ve finally put the first couple of pieces together for an idea I’ve had going round in my head since the beginning of the year. What finally made me get things rolling ? well, it’s a number of things really. I managed to sit and chat with Carlos “Darkoperator” Perez before his talk at Defcon, and his enthusiasm for Metasploit and what the project was trying to achieve really made me want to be a bigger part of that. Still, I’m rambling and not getting to the point. So what is this idea I had, and why is it important enough to write about it.

To most people who read my blog, this isn’t going to be something that effects your everyday life, but you have to remember that not everybody using Metasploit comes from the US/UK. There’s a whole world of people out their using Metasploit on machines that are installed  in different languages. Most people wouldn’t think twice about it. After all it’s just the system language, why would that have an effect on anything we want to exploit. Well here’s the problem. Different language versions of Windows have a range of differences that might break, or limit your use of Metasploit. That’s bad right ? Nobody wants to have to say they could exploit an unpatched system just because it’s running an Italian version of Windows 2003.

Coming from the UK, and speaking English, I never considered this could be a problem. That is, until I started preparing for a class on Metasploit last year. None of the testing I was doing on my Windows 2003 VM was working, even though I’d not patched it against MS08-067, I couldn’t exploit the box. It was just crashing, every time. Sure 1 or 2 crashes can happen, but every time without fail. Something was wrong. Why was this happening ? Because the memory offsets are different between the language versions of Windows. It’s not only that… when looking through the payloads the adduser.rb payload defaults to a hard-coded net localgroup command, which although it’ll work on 75% of systems (lots of languages use the Administrators group after all) there were specific languages that would just fail (German being one of them).

After looking a little further I came up with a few other scripts (mostly meterpreter POST exploitation scripts) that used hard-coded group names, service names, and screen scraping to do their magic (and yes, some of them are real magic). They served the purpose and they did the job great, but not for me.

So where to start. First off I took at at the MS08-067 exploit. I wanted to get a feel for how the exploits were written in Ruby (a new language for me) and wanted to see if I could replicate the exploit and get it working on a German version of Windows 2003 (language support for Windows XP is much better owing to the widespread use of it, and ease of finding testers). After some testing with msfpscan I found some alternative memory addresses that worked for the German version of 2003 sp1/sp2 (without NX enabled). After playing about a little more I even managed to find addresses that worked for both the English and the German versions. That however was the easy part. Finding the NO-NX memory addresses was pretty simple (child’s play for most probably). The challenge of the NX exploits is something I need to work more on. My Fu is weak in that area.

This last weekend I finally had some time to sit down and concentrate on understanding the way that the adduser.rb payload works. Once you look at the code things are pretty straight forward. I’m surprised more people don’t read the code, as it’s pretty simple once you get started. I guess some people are scared of coding. After some thoughts on how to proceed, I came to the realization that whatever I did should be language neutral, after all whats the point in me adding in 5 language options into the payload and letting the user pick the one they want. That’s not much of a move towards being language neutral is it. I also realized that the command for finding the language (and the name of the local Administrators group) needs to run on the client-side. After all, it needs to work with msfpayload and that runs a command completely on the client. For maximum effect it needs to adapt to the language used on the fly.

After spending some time mulling over the possible solutions, I zoned in on the use of WMIC to output the information. I know this is going to cut-off Windows NT/2000 systems, but this was the most elegant solution available. With a little help from trust Google (and Ed Skoudis) and a lot of trial and error, I managed to output the information I needed in a format that was usable based on the common local Administrators group SID number. The good thing about this solution is that it will not only be language neutral, but will also allow me to still add a user to the Administrators group even if the crafty Admin has renamed it to something else. After all the SID remains the same (S-1-5-32-544). The wmic command for people who want to play is .:

wmic group where sid=”S-1-5-32-544″ get name

The adduser_wmic.rb payload is still in testing, but for those that want to take a look, you can grab a copy here. Just let me know if you encounter any problems. I know there are currently some issues with the windows/adduser/bind_tcp payload, but once these are fixed in the SVN, I’ll resume testing with the wmic version.

Hopefully I’ll be working more in this project in the coming months (maybe even talk about it briefly at a conference). Let me know if you want to help with testing, as I could always use testers with access to Windows systems of different languages.

Until I read the post I’d been using the SMB_relay attack to load up a meterpreter shell onto the remote target, but seeing as Microsoft have finally decided this is a bug worth patching, it’s time to move on to other attack vectors. SMB_relay will still be a good attack vector for some attacks, but the patch against reflective relays means it’s not going to always be available.

All was going well with the walkthrough, I’d captured the hash from the target machine and had the HALFLM tables downloaded (halflmchall _alphanumeric #1-7_x_2400_ 1122334455667788). So after running the rcracki_mt_0.5.exe *.rti -h <First16Chars> was depressed to see that the first half wasn’t found (the tables are only alpha numeric after all). Not a problem I thought, and went back to Chris’ walkthrough to see the next step. That’s where it all went wrong. If you can’t find the first part of the hash, then the rest of the walkthrough isn’t going to help. I had a little hunt around the big WWW and like any good Googler I found some hints on what other tools could do a brute force or password guessing attack aginst the HALFLM format. I picked CAIN and set about trying to manually tell it what the username, LM hash and challenge were, without much luck. Cain can sometimes be stubborn on the input formats and you can’t manually tell it what should go where. I went back to the Metasploit smb capture module and had a closer look at the set options to see what I could do. Here I found the option to output captured the hashes straight into a format readable by Cain&Able (set PWFILE cain_hashdump.txt) instead of to the screen in a generic format.

After performing the SMB capture again, the file cain_hashdump.txt was created, allowing me to directly import it into CAIN (along with the challenge this time).

For those that may have already captured the HALFLM hash and need to import this into CAIN, the format of the dump output from Metasploit is as follows .:

USERNAME:DOMAIN:1122334455667788:LMHASH:NTHASH

The 1122334455667788 in the middle tells Cain what challenge was used by the Metasploit module. In this case Metasploit is hard coded to use \x11\x22\x33\x44\x55\x66\x77\x88 as the challenge string.

Hope you find this useful, and remember to checkout the Carnal0wnage blog for the RainbowTable method, as well as lots of other Metasploit hints, tips and examples.

As a penetration tester, I can breath a sigh of relief and know that this attack vector is still open. As a defender, the chance that Microsoft had changed the way this functionality works to block the attack was a welcome update to protect our systems. Still, you can’t expect Microsoft to repair something they see as a feature and the way things should work. Some things aren’t meant to be repaired I guess.

Testing

Just to make sure that Microsoft hadn’t broken the Incognito functionality while messing with the way tokens work, I ran a couple of tests against a Windows XP service pack 2 machine.

I started off with an unpatched version and ran the trusty MS08-067 exploit to get a meterpreter shell.

./msfcli exploit/windows/smb/ms08_067_netapi payload=windows/meterpreter/bind_tcp LHOST=192.168.0.104 RHOST=192.168.0.103 E

This functioned as you’d expect and resulted in a meterpreter shell running under the Local System Account. After running the “use incognito” command I listed the tokens using “list_tokens -u”.

Taking the local account “pentestuser” as the token to impersonate, I ran “impersonate_token PENTEST-3C73D9Cpentestuser”

Success, as expected on the unpatched system. Next up, I patched the system, rebooted and repeated the same msfcli exploit (MS08-067). This time however the exploit failed on the first run as it couldn’t isolate the exact service pack version. Metasploit listed it as Service Pack 2+ (which is technically correct). Re-running the command completed the exploit however.

Even after the patch everything seems fine in the token list.

The final test, impersonation of the PENTEST-3C73D9Cpentestuser user. As before this went off without a hitch, giving us access to the local user without error.

Conclusion

Microsoft have patched the flaws listed in KB952004 without effecting the Incognito tool (or the implementation of the tool within Metasploit). Good for attackers, bad for defenders. But you can’t always have it both ways can you. I doubt that we’ll be seeing a patch against the token impersonation flaw used in incognito anytime soon, if at all.

I’m heading to Blackhat Europe in a few hours (courtesy of a last minute press registration). If you’re there feel free to drop me a line and buy me a drink — > contact [at] c22 [dot] cc