Thursday, December 27, 2012

WTH is PTH

Since Microsoft did a number to confuse the issue of "Pass the hash" attacks in their whitepaper, I think it's time for a brief refresher on what exactly a "Pass the hash" attack is.

So, please bear with me whilst I go over a few definitions.  I'm going to gloss over some of the details and elaborate where I feel I must.  I include a link to wikipedia with tons more info...

Cryptographic Hash  Function (from Wikipedia)-  "... an algorithm that takes an arbitrary block of data and returns a fixed-size bit string, the (cryptographic) hash value, such that an (accidental or intentional) change to the data will (with very high probability) change the hash value"
In small words, this means that you take a block of text (for example, a password) and run it through some magic function, and if you made a small change to the password, you would end up with a completely different value.  Passwords are often stored using a hash function to make them more difficult to crack prevent the password from being stored in plain text.

NTLM (from wikipedia) - "... a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users".  For implementation details, read the page on NTLM from the Davenport Project.

NT hash - the 16 byte result of the Unicode password sent through the MD4 hash  function
LM hash - old (NT old) hash read about it on Wikipedia

Kerberos - Microsoft's default authentication mechanism  for Active Directory (originally from MIT). (Wikipedia)

Now that you have some background...


A "pass the hash" (PTH) attack can happen when just the password hash is sufficient to authenticate a user to a system.  NTLM is a good example.  For both NTLM version 1 and version 2, the password for the user requesting services is hashed and then that hash is used for the rest of the challenge-response based authentication process.   Note other platforms have suffered from a PTH attack (e.g. coldfusion) so Microsoft doesn't own the patent on this class of vulnerability.


What normal authentication looks like
Hash only authentication



So, what does this mean?  In essence, if an attacker has password hashes (multiple ways of obtaining hashes, more than likely another blog entry... ) and access to a service which allows NTLM to authenticate, the attacker can authenticate using a username and a hash with a modified client.  

What services can use NTLM to authenticate?  Well, IIS, Exchange (to include SMTP, POP3, IMAP), file and print services, MSSQL, and many other services related to gathering information from an Active Directory environment can use NTLM to authenticate.  There are even a couple of ways to obtain code execution using PTH with either winexe (psexec clone) or WMIC, depending on how you're feeling.  There are modified clients to do all of this from Linux and there are even ways to coax a Windows client to do it.  For more info, please see the rest of the blog entries, our Blackhat 2012 talk, or the demo vids ;-)

But, you may say, "We use Kerberos, your puny PTH won't work against us!". You would be incorrect. In order for Kerberos to work properly, several conditions need to be met.  Among the big ones 1) both ends of the connection need to be in the same Active Directory domain (or trusted) and 2) each end of the connection needs to refer to the other side by DNS name.  There are more conditions (read the NTLM wiki link above for all the conditions of when NTLM is used instead of Kerberos)

If Kerberos cannot be used, by default NTLM is used as the fail over.  Uh oh....

WAIT! I thought PTH meant....

The MS whitepaper confuses the meaning of PTH with a couple of different attacks than what I described earlier. 

One attack that MS calls "PTH" is using a local account hash from a computer to privilege escalate on that computer or move laterally to other machines.  So, let's decipher this a little bit.  

When a new Windows computer is stood up it is built with an account that has administrative privileges.  Then, at some point, the computer has to be added to the domain.  So what happens to the admin account on that machine after it gets added to the domain?

On older Windows systems (XP/2003) the local administrator account (also sometimes known as the 500 account) is created when the computer is stood up.  This account is used for administrative tasks, such as backups, patching, installing software, etc...  The hashes for this account are stored locally in the SAM database.  When the computer is added to a domain, this account remains and is still available for network logins.  Since admins are often lazy, many of these built-in admin accounts share the same password across multiple machines.  If one of these machines is compromised, and the local hashes are dumped out of the SAM, an attacker has now gained administrative access to potentially more machines on the network.  While  the attacker doesn't have privileged domain credentials, the local "system" account on these machines has access to the computer account for the domain.  This is sufficient to query the AD for more information, such as a list of users or groups.  This extra info leads to further attacks later.

Newer versions of Windows (2008/Vista / 7 ) by default disable the built-in administrator account  and instead creates an account that is in the "Administrators" group local to the machine.  This account can also be used to administer the workstation and its information is also stored in the SAM.  When the computer is added to the domain, by default (assuming UAC is enabled) these accounts are NOT accessible from the network.   So while the hashes provided could be cracked or recycled for other accounts, this information isn't as useful as it would be on older versions of Windows.  However, it is worth noting that this behavior can be overridden by registry settings or GPO settings, so beware.

The MS whitepaper calls using these accounts a PTH attack. Meh.  I sorta see what they are going for, but aside from hashes being involved, this isn't really a separate attack vector...   More like an availability of hashes sort of issue... 

Tokens!

In either case, if an attacker could get to a point where they can dump the local hashes, then more than likely they'd be more interested in whatever security tokens are available. Tokens will be addressed in a later blog post about Windows authentication, however the gist is that a token gets created when a user logs in.  The token also contains the user's login name, the user hashes (NT / LM) and  the domain (if applicable) the user is authenticated to.  To keep things interesting, tokens often persist in memory for a long time, even after a user has disconnected from the computer.  If that wasn't enough, in many cases the plain text password (mimikatz) can be recovered as well.  

If that doesn't give you nightmares nothing else will... of course if I have a plain text password is it really a PTH attack now?  


Not to be confused with...

Another form of attack which is often confused with PTH is called SMB relaying.  Although, this is even a bit of a misnomer.  This attack deals with hashes, but not with the NT or LM hashes used by the traditional PTH tool suite.  The hashes involved are the response hashes to the challenge issued by a server when attempting to authenticate using one of the versions of NTLM.  

Because of a poor design in the NTLM protocols, if I can get an authenticated person to attempt to use NTLM authentication against a computer I control (say, via a web page requesting NTLM authentication) I can act as a Man-in-the-Middle for any other service using NTLM, such as file shares.  If I initiate a connection to the file server, I can feed the challenge I get from the file server back to the web page as my challenge and use the results to authenticate against the file server.  Essentially I'm using an already authenticated connection to authenticate to a different service.  So, without knowledge of the password, I am able to access additional services by "passing the hash".

There has been a lot of semi-recent conversations about SMB Relaying.  A couple of links:

In Summary...

I've tried to lay out the foundation to understanding what a PTH attack is.  I've also tried to explain what MS is calling a PTH attack and what other folks are calling PTH attacks.  Next post will be all about Windows authentication....  Questions? Comments? Feel I need clarification?  Hit me up on twitter or post comments to the blog and I'll try to answer as best I can...

Sunday, December 16, 2012

And we're back...

Sorry folks for the delay in getting the blog updated.  I'd meant to get back to the blog sooner, but I was on the road for a month, then I was trying to finish stuff up at work, then $excuse[0] and then $excuse[1]  and then $excuse[$i++] ...

So, what shook me out of my stupor?

This article and the associated PDF from Microsoft talking about Pass-the-Hash.

 My initial response after reading the blog post and the associated 81 page PDF?

"WTFITS?"

Chris (@obscuresec), my speaking partner at BHUSA 2012 and Derbycon 2.0, had a similar response...

Then Richard Bejtlich (@taosecurity) asked for comments on Twitter about the paper... that sorta opened up the floodgate for both me and Chris.  Long story short, I was asked to put some of my thoughts on the subject down, so here we go...

I've spent a couple days now re-reading the whitepaper.  I've read for detail and am trying to make sure I'm completely understanding what they are saying and where they're going.  I'm also trying (sometimes harder than others) to deliver a calm, rational response to the items in the whitepaper.

We'll see how that goes...

So, I'm going to have several blog entries about the whitepaper.  I'm not quite sure how it's all going to be split up at this point, but I am going to start with a few overall observations and then we will see.

I'm going to start with a quick aside, as I want to make sure we are all on the same sheet of music when it comes to terminology.  Please bear with me.

Definition :
  Mitigation - The action of reducing the severity, seriousness, or painfulness of something
Synonyms : cure, alleviate
 
So, I would expect a "PTH Mitigation" to lessen the impact of PTH attacks.  Makes sense, eh?

Ok, what's PTH (Pass-the-Hash)?

Short version: Microsoft treats the password hash as being equivalent to a password with NTLM.  This means that you don't need the plaintext password to log into a service.  With a modified client, you can simply substitute the hashed password and it will still work.

Longer version: For our BHUSA 2012 talk, Chris and I wrote a whitepaper.  You can read it here.

What PTH attacks are talked about in the MS whitepaper?

Microsoft in their whitepaper lists 2 specific examples of PTH attack:
.
1) Using password hashes to move laterally from computer to computer.  In this case the computers are of the same "value".  This means that an attacker is moving from workstation to workstation instead of workstation to server.

2) Using password hashes to "privilege escalate", or to move from a lower valued computer to a higher valued computer.  For example, moving from a workstation to a web server.

All of Microsoft's "mitigations" are meant to defend one or both of these "attacks"

Quick Observations
  • It's obvious (aside from 2 pages of writing credits) that this paper was written by many different hands.  This becomes even more obvious when parts of the whitepaper contradict itself.  I don't envy the job of the person who was supposed to cull everything together into some sort of semi-coherent beast.
  • The paper tries to do too much.  It tries to be all things to all people.  I realize that MS has been under pressure to deliver some sort of response to the 15 year old PTH problem, but releasing a long, confusing whitepaper really doesn't solve anything and could possibly compound the issue by being easy to misread or misunderstand. God help us when people implement the "mitigations" and are still attacked with PTH.  Microsoft better be ready for the pitchforks and torches...
  • This is a complex subject.  Windows authentication is a quagmire of backwards compatibility built on hacked solutions to hard problems (like SSO, single sign on).  You can't have a frank and complete conversation about Windows auth without talking about ALL of Windows auth, and the paper doesn't cover everything.
  • Pro Tip: You probably shouldn't have a "recommendation" for a mitigation that says "don't do this mitigation, instead do something else" (Read mitigation 2, p14.)
  • There are a lot of useful nuggets in the whitepaper.  However, they're either buried or poorly worded 
  • Many of the mitigations seem redundant and could be summarized as "Don't be stupid"
  • The tone of the whitepaper is a weird combination of spin control, defeatism, and over-generalizations.
And Finally....

If somebody is already in your network and has your hashes none of the mitigations in the whitepaper will have any positive effect.  None of the mitigations will give the attacker any pause, make life difficult, pester or bother them in any way.

 

I'm sorry, don't shoot the non-Microsoft messenger...

 

The only glimmer of hope is that some of these mitigations might make it more difficult for an attacker to obtain administrative hashes if they don't already have them.  However, it's usually just a matter of time.



So, moving forward I plan on several blog entries.  I think the first one is going to be an in-depth refresher on PTH.  I'm also going to have to do a post on Windows authentication mechanisms and talk about the stuff the whitepaper glossed over... I'm also going to do a post on hash collection methods... and also on the "mitigation" techniques and what MS was shooting for and what the actual effects would be if implemented...

and all I wanted for XMAS was a vacation.... :/

Sunday, September 9, 2012

Samba Part 2 - The Net Command

Sorry for the delay, but I was on assessment for a month straight and out of the country.

Samba's 'net' command is similar to its Windows counterpart, yet incorporates additional functionality from other Windows commands, such as 'sc'.

The 'net' command uses the '-U' , the 'W' and the '-n' command line options from my previous post on Samba.  The server we're querying is '-S <server ip/name>'

The 'net' command has a large amount of built in documentation.  I'll summarize some of the more useful features here.  We will be releasing our "PTH Rosetta Stone" hopefully in the next few weeks that will detail how to accomplish various tasks using both the native Windows command line utilities and the associated Samba utilities.

The basic format is:
net [rap|rpc|ads] <command> [options]

"net rap" commands are primarily used for old SMB servers (think IBM / OS2).

"net ads" commands are used for Active Directory integration, meaning the linux box has been added to an AD environment.  Suffice it to say that this is rarely the case for pen tests ;-) (that and I can't remember if I had all the bits and pieces compiled in for that to work...)

"net rpc" is the series of commands we will primarily deal with.


So, a typical example of the net command to view a list of all users in a domain "demo" would be:

net rpc user -S 172.16.1.1 -U demo/user%pw -n dummy1 -W demo

To list all groups in the domain, use the following command:

net rpc group -S 172.16.1.1 -U demo/user%pw -n dummy1 -W demo

List all the members of the "domain admins" group :

net rpc group members "domain admins" -S 172.16.1.1 -U demo/user%pw -n dummy1 -W demo 

Here's a complete list of commands available.  Note that some of the net commands only apply if the Linux box is joined to a domain.  Usually to get more info on the subcommand just tack a "help" on the end to get a listing of subcommands.

Tuesday, August 14, 2012

Breaking News! PTH Suite Now in Backtrack!!

Thanks to the tireless efforts of @purehate_, the PTH suite is now available in the Backtrack repositories.  I had a minor issue installing, so I'll walk through the steps I went through to debug the issue.  YMMV.

To install:

1) run "apt-get update" to update the package list on your local computer.
2) run "apt-cache search pth-suite".   If you see something similar to :








   then all you need to do is "apt-get install pth-suite" and it will install.

3) If you do NOT see the listing for it, then you will probably need to add the testing repository as a  source for apt.  Edit your /etc/apt/sources.list to look like this:

On my backtrack dev machine, the line beginning with "deb http://source" was commented out.  In that case simply uncomment out the line, save the file, and rerun steps 1 and 2.  If you have additional problems, lemme know and I'll see how I can help out.

To Utilize the New Tools:

The executables are located in /pentest/passwords/pth/bin.  If you want to use then automagically, then consider modifying your PATH to put this path first.  Consider appending the following line to /root/.bashrc if you find yourself using these utilities consistently.  IE:
# export PATH=/pentest/passwords/pth/bin:$PATH

Keep in mind that there could be Samba executables in your normal path.  Use the 'which' command to see what path is being used for a particular binary.



Sunday, August 12, 2012

Samba Stuff PT 1 - basics / smbclient

Several of the tools I demonstrated the pass-the-hash technique with are either part of Samba or use its libraries to access Windows DCE/RPC functionality and build from there.

Many of the Samba tools use many of the same command line arguments, which I will cover a couple of the commonly used ones briefly.  After that, I'll introduce you to smbclient, one of the staples of the Samba suite of utilities.

Common useful options:

-U domain/user%password

IE
-U demo/alice000000000000000000000000000000:12345678912345678912345678912345
or
-U demo/alice000000000000000000000000000000:12345678912345678912345678912345:::

(Capital) U then the target user's domain followed by a '/' followed by '%' and the password or hash.
I like specifying everything for the user I'm impersonating in one complete blob.



----------

-n <netbios name to use>


IE
-n exch01



(Lowercase n) By default Samba will use the computer's host name as its client-side netbios name when issuing requests. In the case of Backtrack, this will probably be "BT5". Use of this option can make it more stealthy on the network and in the event logs.

----------

-W <workgroup / domain name>

IE
-W demo

(Capital W) Specify the domain to use in the client side request.  Usually set to "workgroup" if not otherwise specified in the smb.conf or on the command line.  Another option to set to be more stealthy on the wire.


----------

Smbclient is a client that allows you to mount a windows file share and maneuver around in a very similar manner to the venerable 'ftp' client.  It also allows you to list shares available on a remote server.

To list the shares on a remote machine:

smbclient -L <IP>






to mount  a share , specify the machine and share :

smbclient -U <user info> //<machine>/<share>






so, to bring it all together :











We attach to the C$ share on 172.16.1.1 as the admin user.  We also specify that our domain is "demo" and that our name is "2k864-svr", which happens to be the exchange server. :-)

Friday, August 3, 2012

PTH with MSSQL and FreeTDS/SQSH

FreeTDS (TDS == Tabular Data Stream and is the protocol used by MSSQL and Sybase) and SQSH provide a method for connecting to Microsoft SQL servers under Linux.  Since FreeTDS is a protocol implememntation library, sqsh (SQL Shell) is used to actually interact with the MS SQL servers.  Assuming that the MS SQL servers are configured to allow Windows Integrated Authentication, we can pass the hash to login and interact with them.

The first step is to configure the .conf file to use with FreeTDS.

A sample snippet follows:
# A typical Microsoft server
[mssql]
        host = 10.2.2.19
        port = 1433
        tds version = 7.0

In this example, "mssql" is the name of the server we will pass to sqsh.
The hostname / IP is 10.2.2.19 and the port is 1433.
The TDS version is 7.0 and will work on SQL servers from SQL 2000 until the latest.

Typically the file will be stored in /etc, or in our case /opt/pth/etc/freetds.conf.  A good habit to get into is to specify the location of the file using the FREETDSCONF environmental variable, to prevent having to chase down which file is being referenced as FreeTDS could be installed in a couple of different places.

For our example, we'll add the text above into /root/freetds.conf and set the FREETDSCONF variable to point to it:

# export FREETDSCONF=/root/freetds.conf
 Now, we use sqsh to interact with the database.

The command line for sqsh looks like:

sqsh -S<config file name> -D <database name> -U <domain>\\<user> -P <password / hash>
so, as an example:

sqsh -S mssql -D master -U demo\\mssql -P 00000000000000000000000000000000:DDF5EB5351C272CB8CC4EAE015F14E3A

Where the profile name is "mssql", the domain is "demo", the username is "mssql" and we want to connect to the "master" database, with the hash "00000000000000000000000000000000:DDF5EB5351C272CB8CC4EAE015F14E3A". 

As with all the modified tools, the hash can also be specified as "00000000000000000000000000000000:DDF5EB5351C272CB8CC4EAE015F14E3A:::".


Assuming everything worked properly, you will end up with a prompt.  To issue queries, type in the query and put "go" on a separate line. 

From here, the database is your oyster....




If you see the following screen when you log in, verify the IP addresses in the configuration and validate that the credentials you are using are correct.  You might also want to verify that the account is enabled / isn't locked out, etc...




More information on SQSH can be found here: 
http://www.sqsh.org/

Wednesday, August 1, 2012

Demo Vids Online

Our demo videos are upload with added voiceovers. 

Windows Video:
http://youtu.be/nElrc04LBGc

Linux Video:
http://www.youtube.com/watch?v=XUn8u9iMDtY

Slides:
http://code.google.com/p/passing-the-hash/downloads/detail?name=BH%202012%20duckwall-campbell%20slides.pdf&can=2&q=

In addition, we'll release some more documentation of the tools soon.

Enjoy and share!

Questions or comments? Please ask!

Sunday, July 29, 2012

Using PTH Firefox

Firefox is probably the easiest tool to use hashes with.  Use either the linux version or there is also a windows version available on the google code page here

1)  Start the pth firefox.  Note that the name of the browser will show up as "Nightly" because FF is unbranded at this point.  This was done deliberately to differentiate it from the built in Firefox package.

# /opt/pth/bin/firefox
2)  Enter "about:config" in the url window and accept the warning.




3)  Type "ntlm" in the filter window




4) Doubleclick on "network.auth.force-generic-ntlm" to toggle the setting from "false" to "true"




5)  Visit a URL that wants NTLM authentication.  When prompted use the username and the hash in either the 65 (LM:NT) or 68 (LM:NT:::) format as the password.  (I have a FF addon turned on to show the password, normally it would be obscured with dots)




Note:  Some sites will want a domain name specified while others won't.  Unfortunately, this will often require a little experimentation.   If the site wants a domain, specify the domain using @.  IE alice.jones@demo.local



6)  Profit!



Bonus:  Think you've got password cracking skillz?  Try cracking alice's password.   I'll give you a hint...  It's 16 characters with 2 upper, 2 lower, 2 symbols and 2 numbers.  It's also fairly trivial to crack :-)  Have fun...   

Saturday, July 28, 2012

Building the pth-suite / Post Install

Our first blog entry will discuss the process to build your very own .deb packages for Backtrack R2.

As of right now the build process is centered around Backtrack as the primary attack platform.  However, I've already received a request for assistance in building packages for RedHat / CentOS based distributions.  I will probably also modify the build process to do tarballs as well, as that might be better for some folks.

By default, all my scripts create the .deb packages to install into /opt/pth.  This way they don't overwrite or otherwise conflict with existing packages.  Also, most of the compiled binaries will automatically look in /opt/pth for their required libraries, which makes life easier.

1)  As root, you can checkout the items from google code by doing the following:

# svn checkout http://passing-the-hash.googlecode.com/svn/trunk/ pth-suite
2)  Change directories into the build directory and install the precompilation dependencies.  I tested the scripts from a freshly installed version of Backtrack 5R2.  Hopefully none of the dependencies fail.

# cd pth-suite/build
# sh all-deps.sh


 3)  Execute the script for the utility that you want to build.  In this case we'll go with building Samba 4 and Openchange.  Since Openchange versioning is so closely tied to a particular version of Samba 4, we take advantage of the Openchange Samba 4 build script to ensure that Samba is built the way Openchange wants.  Because of this, this particular build script builds both Samba and then Openchange.  The first step in the build process is to download the source for Openchange and Samba.  From there the script will build everything.  Final packages will be in the packages subdirectory.
# ./build-samba4-openchange.sh
5)  Repeat the build process for each of the utilities you want to install.  Keep in mind that during their build process they are installed into /opt/pth and then removed as part of creating a package.  Therefore, /opt/pth should not initially exist.  Note the packages will take a while to compile.  Most noteably, Firefox might take a couple of hours depending on your CPU.  You've been warned.

6)  After all the packages have been compiled, you can install the .deb packages using dpkg.

# dpkg -i packages/*.deb

7)  After the installation, you will need to create a file in /etc/ld.so.conf.d to reference the library path /opt/pth/lib.  This is done by:

# echo /opt/pth/lib > /etc/ld.so.conf.d/pth.conf
# ldconfig

8)  Add /opt/pth/bin to your path either manually or by editing ~/.bashrc.

# export PATH=/opt/pth/bin:$PATH

or
# echo "export PATH=/opt/pth/bin:$PATH" > ~/.bashrc
# . ~/.bashrc

 9)  Have Fun!

Friday, July 27, 2012

Google Code updated with patches and downloads

Our google code page  has been updated with the following items:

  1. The svn repository contains all the patches and build stuff I used to build the packages from source.  I'll have a separate blog post about building all the utilities very soon.
  2. BT5 .deb packages for all of the pass-the-hash utilities mentioned in our talk yesterday plus a bonus package of the command line tool 'curl' that has been patched for PTH support.
  3. A Windows version of PTH Firefox from ESR 10.0.4.  I know that 10.0.5 is out, but I can't find my build of it.  I'll work on getting it built soon(tm) and uploaded to the website.

Soon to be here:

  • Slides / demo vids - I want to go back and do a more in depth demo of the various tools, so I will probably be re-recording the demos with voiceovers.  We'll see how my ambitions fare in a week or 2...
  • Blog entries on building and installing the packages - I've received interest in having the packages build on a different linux platform than BT5.  I don't think this is going to be a major challenge, but will require some retooling of VMs and scripts and whatnot...
  • Our PTH Rosetta stone which maps common Windows command line tasks to their Samba equivalents
  • Blog entries on the various tools detailing their common uses.

Thursday, July 26, 2012

Yup. That just happened...

It's 1115 BlackHat Standard Time and our talk just concluded.  Here's the high points:

  • WCE with password hashes can be used with pretty much any native windows app (IE / Outlook /  MSSQL studio, command line apps, AD management consoles, etc) from a Windows computer NOT IN THE DOMAIN to authenticate to windows services.  Just the way Bill intended...
  • We extented and enhanced JMK@foofus's  patch for Samba to allow password hashes to be passed on the command line in either "LM:NT" or "LM:NT:::" format to make it easier to script attacks.  This also made it so that when we patched Firefox, you wouldn't have to quit Firefox to reset the environmental variable.  You can just change the password after logging out.
  • We are releassing a suite of utilities where we patched in PTH support.  These packages include Firefox 10.0.5ESR, FreeTDS, Openchange, samba, winexe, and rudimentary WMI functionality including a blind command execution via WMI.
  • Patches to the actual packages and build scripts as well as precompiled binaries in .deb format for BackTrack R2 will be posted to the google code page within a day or so, or as soon as I can get a decent internet connection to upload the stuff.
Now, our surprise... Thanks to the tireless work of Pure_Hate (Martin Bos), our PTH suite will be available as a Backtrack repository package VERY soon..... "apt get install  pth-suite-1.0.0" FTW!

We will be posting blog entries talking about how to use the various utilities as well as instructions for building and installing the packages.

We will also be releasing our "Pass the Hash Rosetta Stone" with the various windows command lines and their associated samba command lines very soon....  Stay tuned to twitter and the blog for all the updates.

Sunday, July 22, 2012

On Our Way to Lost Wages

We're off to Vegas.  We've got some awesome pre-recorded demos in store and we'll get everything posted to our google code site shortly after our presentation...

Hope to see you there!

Wait, I Can Do That With Linux?

Did you know that there are open source tools available to access data saved in Microsoft applications such as MS SQL and Exchange?  Did you know that you can use password hashes to access the data instead of password hashes?

During our BH USA 2012 talk entitled "Still Passing the Hash 15 Years Later?" Chris and I will discuss this and more.  After our talk we'll upload the patches, build scripts/instructions and .deb packages for Backtrack to our google code site.

Future blog entries will go over the usage of the various utilities and the fun that can be had on a pentest with them.

Join us at Blackhat USA 2012 for our talk "Still Passing the Hash 15 Years Later" on Thursday July 26 at 10:00am!


Saturday, July 21, 2012

Using Hashes to Pentest Windows Using IE,Outlook,MSSQL Studio, etc...

As much as some of us want open source software to take over the world, the reality is that most businesses run on windows. Corporate intranets run Sharepoint, email is managed by Exchange, and data is stored in MS SQL databases. Microsoft provides a robust suite of tools to access all of this data with lots of pretty GUIs. Accessing corporate data in this environment can be challenging without a username and password.

Chris (@obscuresec) and I talk about a simple yet powerful technique to use password hashes and Microsoft tools to access a client's data from a Windows attack box without the need to join it to the domain.

Join us at Blackhat USA 2012 for our talk "Still Passing the Hash 15 Years Later" on Thursday July 26 at 10:00am!

Friday, July 20, 2012

Soon to be live from BlackHat USA 2012

Thanks for checking our blog out!

I'm Skip Duckwall and I wanted to take a moment to outline my future plans for this blog relating to our presentation "Still Passing the Hash 15 years Later?  Using the Keys to the Kingdom to Access All Your Data"

Over the next few days and weeks we plan on using the blog to document some of the features discussed during the BlackHat presentation.  Much of the documentation for the various suites of utilities is sparse and difficult to comprehend.

We will discuss how to build the utilities, how to use the utilities in a Windows environment during a penetration test, discuss how to set up a lab to experiment with the various utilities and hopefully point out some tips and pitfalls we've run into when using these utilities in the field.

Chris and I have also developed a spreadsheet that demonstrates how to use the various command line utilities in both Windows and Linux to perform common tasks.  We call this document "The Pass The Hash Rosetta Stone" and it will be available shortly after our presentation in Vegas.

We are also working with Purehate from the Backtrack team to possibly integrate the tools directly into Backtrack to make them much easier to use.

We will update with links when our project gets posted in the next few days.  Look forward to seeing you at Vegas!