network, wifi and av evasion


Thursday 27 August 2015

The Penetration Testers Framework (PTF)

Started contributing to Dave Kennedy's

Looks like a very useful framework / toolset there. I'll be submitting source built tools that I've been using in my own toolset.

So far my pulls are not integrated but you can find my pull requests at

UPDATE: Well, that was a bit involved...

I've got a build of medusa 2.2_rc2 successfully built with all modules active including freerdp v1.2 with pass the hash support on Ubuntu 14.04-LTS server.

Yes, Apple Filing Protocol (AFP) is enabled, and yes RDP support is enabled.

I'll get a more detailed post written detailing how to build all of this with medusa on its own, but for now you can check out my git branch of PTF and it builds all modules currently.

Within PTF it is as simple as:

ptf> use modules/vulnerability-analysis/medusa

Standalone is a little bit more involved.

# ./configure excerpt showing freerdp lib 
# version & module summary

configure:  *** Checking for FreeRDP libraries. ***
checking for main in -lfreerdp-channels... no
checking for main in -lfreerdp-client... yes
checking for main in -lfreerdp-core... no   
checking for main in -lfreerdp-gdi... no
configure: checking for FreeRDP library version 1.2...
checking for library containing WLog_CallbackAppender_SetCallbacks... -lwinpr
configure:  *** Detected FreeRDP library version 1.2. ***
checking whether to enable RDP module... yes

configure: *******************************************************
configure:     Medusa Module Build Summary  
configure:     AFP             Enabled
configure:     CVS             Enabled
configure:     FTP             Enabled
configure:     HTTP            Enabled
configure:     IMAP            Enabled
configure:     MSSQL           Enabled
configure:     MYSQL           Enabled
configure:     NCP             Enabled
configure:     NNTP            Enabled
configure:     PCANYWHERE      Enabled
configure:     POP3            Enabled
configure:     POSTGRES        Enabled
configure:     RDP             Enabled
configure:     REXEC           Enabled
configure:     RLOGIN          Enabled
configure:     RSH             Enabled
configure:     SMBNT           Enabled
configure:     SMTP            Enabled
configure:     SMTP-VRFY       Enabled
configure:     SNMP            Enabled
configure:     SSH             Enabled
configure:     SVN             Enabled
configure:     TELNET          Enabled
configure:     VMAUTHD         Enabled
configure:     VNC             Enabled
configure:     WRAPPER         Enabled
configure:     WEB-FORM        Enabled
configure:  If a module is unexpectedly marked as disabled, check
configure:  above output and verify dependancies were satisfied.
configure:  It should also be noted that, by default, not all of
configure:  the modules are built. Incomplete modules or modules
configure:  which have not been sufficiently tested may be
configure:  disabled. To enable non-default modules, use the
configure:  "--enable-module-MODULE_NAME" configure option.
configure: *******************************************************

$ medusa -d
Medusa v2.2_rc2 [] (C) JoMo-Kun / Foofus Networks <>

  Available modules in "." :

  Available modules in "/usr/local/lib/medusa/modules" :
    + afp.mod : Brute force module for AFP sessions : version 2.0
    + cvs.mod : Brute force module for CVS sessions : version 2.0
    + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
    + http.mod : Brute force module for HTTP : version 2.1
    + imap.mod : Brute force module for IMAP sessions : version 2.0
    + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
    + mysql.mod : Brute force module for MySQL sessions : version 2.0
    + ncp.mod : Brute force module for NCP sessions : version 2.0
    + nntp.mod : Brute force module for NNTP sessions : version 2.0
    + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
    + pop3.mod : Brute force module for POP3 sessions : version 2.0
    + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
    + rdp.mod : Brute force module for RDP (Microsoft Terminal Server) sessions : version 0.1
    + rexec.mod : Brute force module for REXEC sessions : version 2.0
    + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
    + rsh.mod : Brute force module for RSH sessions : version 2.0
    + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
    + smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
    + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
    + snmp.mod : Brute force module for SNMP Community Strings : version 2.1
    + ssh.mod : Brute force module for SSH v2 sessions : version 2.1
    + svn.mod : Brute force module for Subversion sessions : version 2.1
    + telnet.mod : Brute force module for telnet sessions : version 2.0
    + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
    + vnc.mod : Brute force module for VNC sessions : version 2.1
    + web-form.mod : Brute force module for web forms : version 2.1
    + wrapper.mod : Generic Wrapper Module : version 2.0

# example output from an rdp module run (host, user and NT hash replaced with placeholders)
ACCOUNT CHECK: [rdp] Host: SERVER_NAME_HERE (1 of 1, 0 complete) User: USER_NAME_HERE (1 of 1, 0 complete) Password: NT_HASH_HERE (1 of 1 complete)

Monday 29 September 2014

Dumping AD Hashes Without Process Injection

A BSidesLA talk in which I explore methods of dumping Active Directory password hashes from a domain controller by using the Volume Shadow Copy Service or direct disk access to make a copy of the NTDS.dit, SYSTEM and SAM files from a running DC.

I give a history of old methods and detail new methods and ideas for detecting them.

  • evolution of getting password hashes
  • non-injection methods
  • getting your tools onto the dc
  • vss & psh
  • volume shadow copy service
  • powersploit ninjacopy direct disk access
  • export and extract
  • crack them
  • pass them
  • detect vssown / ninjacopy activity
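As an added example, not part of the original post or the talk, here is a small Python detector for the shadow-copy and direct-disk collection the outline above describes, run over constructed process-creation records. The record layout (`EventID`, `Computer`, `SubjectUserName` and `CommandLine` joined with ` | `) is an assumption standing in for an exported Windows 4688 process-creation event; the command patterns it looks for are the real invocations of the tools the outline names (vssadmin shadow creation, the vssown.vbs WMI helper, a read through a shadow-copy device path, PowerSploit's Invoke-NinjaCopy).

```python
import re
from dataclasses import dataclass

# Patterns for the collection techniques the talk outline names.  The
# command strings are real tool invocations; which of them is normal in
# a given environment (backup agents create shadow copies all day) is
# something to baseline rather than assume.
RULES = [
    ("shadow-copy-create", re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("vssown-script", re.compile(r"vssown\.vbs", re.I)),
    ("ntds-from-shadow", re.compile(r"HarddiskVolumeShadowCopy\d+.*?\bntds\.dit\b", re.I)),
    ("ninjacopy", re.compile(r"Invoke-NinjaCopy", re.I)),
]


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    command: str


def parse_record(line: str) -> dict:
    """Split one constructed 'key=value | key=value' record into a dict.

    The field names are an assumption for this example; a real 4688
    export would be parsed from XML or JSON instead.
    """
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def scan(lines, allowed_shadow_creators=frozenset()):
    """Return one Alert per process-creation record that matches a rule.

    allowed_shadow_creators: accounts (e.g. a backup service) for which
    plain shadow-copy creation is expected and not alerted.  Reading
    NTDS.dit out of a shadow copy is alerted for every account.
    """
    alerts = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "4688":      # only process-creation events
            continue
        cmd = rec.get("CommandLine", "")
        user = rec.get("SubjectUserName", "")
        for rule, pattern in RULES:
            if not pattern.search(cmd):
                continue
            if rule == "shadow-copy-create" and user in allowed_shadow_creators:
                break                         # expected for this account
            alerts.append(Alert(rule, rec.get("Computer", ""), user, cmd))
            break                             # one alert per record
    return alerts


# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    r"EventID=4688 | Computer=DC01 | SubjectUserName=svc_backup | CommandLine=vssadmin.exe create shadow /for=C:",
    r"EventID=4688 | Computer=DC01 | SubjectUserName=jdoe | CommandLine=cscript.exe C:\Temp\vssown.vbs /create C",
    r"EventID=4688 | Computer=DC01 | SubjectUserName=jdoe | CommandLine=cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit",
    r"EventID=4688 | Computer=DC01 | SubjectUserName=jdoe | CommandLine=notepad.exe C:\Temp\notes.txt",
    r"EventID=4624 | Computer=DC01 | SubjectUserName=jdoe | CommandLine=",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command}")
```

Shadow-copy creation on its own is routine for backup software, which is why the allowlist only suppresses that rule; a copy of NTDS.dit through a `HarddiskVolumeShadowCopy` path has no routine explanation on a DC and is always raised. NinjaCopy reads the raw volume rather than opening the file, so file-access auditing will not see it; process-creation and PowerShell script-block logging are the telemetry that catches it.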