Thanks to the tireless efforts of @purehate_, the PTH suite is now available in the Backtrack repositories. I had a minor issue installing, so I'll walk through the steps I went through to debug the issue. YMMV.
To install:
1) run "apt-get update" to update the package list on your local computer.
2) run "apt-cache search pth-suite". If you see something similar to :
then all you need to do is "apt-get install pth-suite" and it will install.
3) If you do NOT see the listing for it, then you will probably need to add the testing repository as a source for apt. Edit your /etc/apt/sources.list to look like this:
On my backtrack dev machine, the line beginning with "deb http://source" was commented out. In that case simply uncomment out the line, save the file, and rerun steps 1 and 2. If you have additional problems, lemme know and I'll see how I can help out.
To Utilize the New Tools:
The executables are located in /pentest/passwords/pth/bin. If you want to use them automagically, consider modifying your PATH to put this path first. Consider appending the following line to /root/.bashrc if you find yourself using these utilities consistently, i.e.:
export PATH=/pentest/passwords/pth/bin:$PATH
Keep in mind that there could be Samba executables in your normal path. Use the 'which' command to see what path is being used for a particular binary.
Providing all the extra info that didn't make it into the BlackHat 2012 USA Presentation "Still Passing the Hash 15 Years Later? Using the Keys to the Kingdom to Access All Your Data" by Alva Lease 'Skip' Duckwall IV and Christopher Campbell.
Tuesday, August 14, 2012
Sunday, August 12, 2012
Samba Stuff PT 1 - basics / smbclient
Several of the tools I demonstrated the pass-the-hash technique with are either part of Samba or use its libraries to access Windows DCE/RPC functionality and build from there.
Many of the Samba tools share the same command line arguments, so I will briefly cover a couple of the commonly used ones. After that, I'll introduce you to smbclient, one of the staples of the Samba suite of utilities.
Common useful options:
-U domain/user%password
IE
-U demo/alice%00000000000000000000000000000000:12345678912345678912345678912345
or
-U demo/alice%00000000000000000000000000000000:12345678912345678912345678912345:::
(Capital U) The target user's domain, followed by a '/', the username, a '%', and then the password or hash.
I like specifying everything for the user I'm impersonating in one complete blob.
----------
-n <netbios name to use>
IE
-n exch01
(Lowercase n) By default Samba will use the computer's host name as its client-side netbios name when issuing requests. In the case of Backtrack, this will probably be "BT5". Use of this option can make it more stealthy on the network and in the event logs.
----------
-W <workgroup / domain name>
IE
-W demo
(Capital W) Specify the domain to use in the client side request. Usually set to "workgroup" if not otherwise specified in the smb.conf or on the command line. Another option to set to be more stealthy on the wire.
----------
Smbclient is a client that allows you to mount a windows file share and maneuver around in a very similar manner to the venerable 'ftp' client. It also allows you to list shares available on a remote server.
To list the shares on a remote machine:
smbclient -L <IP>
To mount a share, specify the machine and share:
smbclient -U <user info> //<machine>/<share>
So, to bring it all together:
We attach to the C$ share on 172.16.1.1 as the admin user. We also specify that our domain is "demo" and that our name is "2k864-svr", which happens to be the exchange server. :-)
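The post notes that the client-side NetBIOS name shows up in the event logs, which gives defenders a check: a claimed name that does not belong to the source address. The following is an added example, not part of the original post; it assumes the name is logged as the WorkstationName field of Windows Security event 4624, and the inventory, addresses and event records are constructed sample data.

```python
# Added example (not from the original post). All data below is constructed.
# Hypothetical asset inventory: NetBIOS name -> addresses that host really uses.
INVENTORY = {
    "2K864-SVR": {"172.16.1.20"},
    "EXCH01": {"172.16.1.21"},
}

# Constructed records, keyed by Security event 4624 field names.
EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "admin", "WorkstationName": "2k864-svr",
     "IpAddress": "172.16.1.50"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "EXCH01",
     "IpAddress": "172.16.1.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "alice", "WorkstationName": "BT5",
     "IpAddress": "172.16.1.50"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "bob", "WorkstationName": "-",
     "IpAddress": "172.16.1.30"},
]

def classify(event, inventory=INVENTORY):
    """Return None (out of scope), 'ok', 'unknown-host' or 'name-ip-mismatch'."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 3:
        return None  # only successful network logons are examined
    if event.get("AuthenticationPackageName") != "NTLM":
        return None  # this check targets NTLM logons only
    name = (event.get("WorkstationName") or "").strip().upper()
    known = inventory.get(name)
    if known is None:
        return "unknown-host"  # e.g. an unchanged default such as "BT5"
    return "ok" if event.get("IpAddress") in known else "name-ip-mismatch"

def findings(events, inventory=INVENTORY):
    """List (verdict, user, claimed name, source IP) for each suspicious logon."""
    out = []
    for e in events:
        verdict = classify(e, inventory)
        if verdict not in (None, "ok"):
            out.append((verdict, e["TargetUserName"],
                        e["WorkstationName"], e["IpAddress"]))
    return out

if __name__ == "__main__":
    for row in findings(EVENTS):
        print("\t".join(row))
```

In practice the inventory would come from DHCP/DNS or a CMDB export, and the events from a SIEM query rather than an inline list.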
Friday, August 3, 2012
PTH with MSSQL and FreeTDS/SQSH
FreeTDS (TDS == Tabular Data Stream, the protocol used by MSSQL and Sybase) and SQSH provide a method for connecting to Microsoft SQL servers under Linux. Since FreeTDS is a protocol implementation library, sqsh (SQL Shell) is used to actually interact with the MS SQL servers. Assuming that the MS SQL servers are configured to allow Windows Integrated Authentication, we can pass the hash to log in and interact with them.
The first step is to configure the .conf file to use with FreeTDS.
A sample snippet follows:
# A typical Microsoft server
[mssql]
host = 10.2.2.19
port = 1433
tds version = 7.0
In this example, "mssql" is the name of the server we will pass to sqsh.
The hostname / IP is 10.2.2.19 and the port is 1433.
The TDS version is 7.0 and will work on SQL servers from SQL 2000 until the latest.
Typically the file will be stored in /etc, or in our case /opt/pth/etc/freetds.conf. A good habit to get into is to specify the location of the file using the FREETDSCONF environmental variable, to prevent having to chase down which file is being referenced as FreeTDS could be installed in a couple of different places.
For our example, we'll add the text above into /root/freetds.conf and set the FREETDSCONF variable to point to it:
# export FREETDSCONF=/root/freetds.conf
Now, we use sqsh to interact with the database.
The command line for sqsh looks like:
sqsh -S<config file name> -D <database name> -U <domain>\\<user> -P <password / hash>
so, as an example:
sqsh -S mssql -D master -U demo\\mssql -P 00000000000000000000000000000000:DDF5EB5351C272CB8CC4EAE015F14E3A
Where the profile name is "mssql", the domain is "demo", the username is "mssql" and we want to connect to the "master" database, with the hash "00000000000000000000000000000000:DDF5EB5351C272CB8CC4EAE015F14E3A".
As with all the modified tools, the hash can also be specified as "00000000000000000000000000000000:DDF5EB5351C272CB8CC4EAE015F14E3A:::".
Assuming everything worked properly, you will end up with a prompt. To issue queries, type in the query and put "go" on a separate line.
From here, the database is your oyster....
If you see the following screen when you log in, verify the IP addresses in the configuration and validate that the credentials you are using are correct. You might also want to verify that the account is enabled / isn't locked out, etc...
More information on SQSH can be found here:
http://www.sqsh.org/
Wednesday, August 1, 2012
Demo Vids Online
Our demo videos are uploaded with added voiceovers.
Windows Video:
http://youtu.be/nElrc04LBGc
Linux Video:
http://www.youtube.com/watch?v=XUn8u9iMDtY
Slides:
http://code.google.com/p/passing-the-hash/downloads/detail?name=BH%202012%20duckwall-campbell%20slides.pdf&can=2&q=
In addition, we'll release some more documentation of the tools soon.
Enjoy and share!
Questions or comments? Please ask!