Sunday, July 29, 2012

Using PTH Firefox

Firefox is probably the easiest tool to use hashes with.  Use either the linux version or there is also a windows version available on the google code page here

1)  Start the pth firefox.  Note that the name of the browser will show up as "Nightly" because FF is unbranded at this point.  This was done deliberately to differentiate it from the built in Firefox package.

# /opt/pth/bin/firefox
2)  Enter "about:config" in the url window and accept the warning.

3)  Type "ntlm" in the filter window

4) Doubleclick on "network.auth.force-generic-ntlm" to toggle the setting from "false" to "true"

5)  Visit a URL that wants NTLM authentication.  When prompted use the username and the hash in either the 65 (LM:NT) or 68 (LM:NT:::) format as the password.  (I have a FF addon turned on to show the password, normally it would be obscured with dots)

Note:  Some sites will want a domain name specified while others won't.  Unfortunately, this will often require a little experimentation.   If the site wants a domain, specify the domain using @.  IE alice.jones@demo.local

6)  Profit!

Bonus:  Think you've got password cracking skillz?  Try cracking alice's password.   I'll give you a hint...  It's 16 characters with 2 upper, 2 lower, 2 symbols and 2 numbers.  It's also fairly trivial to crack :-)  Have fun...   

Saturday, July 28, 2012

Building the pth-suite / Post Install

Our first blog entry will discuss the process to build your very own .deb packages for Backtrack R2.

As of right now the build process is centered around Backtrack as the primary attack platform.  However, I've already received a request for assistance in building packages for RedHat / CentOS based distributions.  I will probably also modify the build process to do tarballs as well, as that might be better for some folks.

By default, all my scripts create the .deb packages to install into /opt/pth.  This way they don't overwrite or otherwise conflict with existing packages.  Also, most of the compiled binaries will automatically look in /opt/pth for their required libraries, which makes life easier.

1)  As root, you can checkout the items from google code by doing the following:

# svn checkout pth-suite
2)  Change directories into the build directory and install the precompilation dependencies.  I tested the scripts from a freshly installed version of Backtrack 5R2.  Hopefully none of the dependencies fail.

# cd pth-suite/build
# sh

 3)  Execute the script for the utility that you want to build.  In this case we'll go with building Samba 4 and Openchange.  Since Openchange versioning is so closely tied to a particular version of Samba 4, we take advantage of the Openchange Samba 4 build script to ensure that Samba is built the way Openchange wants.  Because of this, this particular build script builds both Samba and then Openchange.  The first step in the build process is to download the source for Openchange and Samba.  From there the script will build everything.  Final packages will be in the packages subdirectory.
# ./
5)  Repeat the build process for each of the utilities you want to install.  Keep in mind that during their build process they are installed into /opt/pth and then removed as part of creating a package.  Therefore, /opt/pth should not initially exist.  Note the packages will take a while to compile.  Most noteably, Firefox might take a couple of hours depending on your CPU.  You've been warned.

6)  After all the packages have been compiled, you can install the .deb packages using dpkg.

# dpkg -i packages/*.deb

7)  After the installation, you will need to create a file in /etc/ to reference the library path /opt/pth/lib.  This is done by:

# echo /opt/pth/lib > /etc/
# ldconfig

8)  Add /opt/pth/bin to your path either manually or by editing ~/.bashrc.

# export PATH=/opt/pth/bin:$PATH

# echo "export PATH=/opt/pth/bin:$PATH" > ~/.bashrc
# . ~/.bashrc

 9)  Have Fun!

Friday, July 27, 2012

Google Code updated with patches and downloads

Our google code page  has been updated with the following items:

  1. The svn repository contains all the patches and build stuff I used to build the packages from source.  I'll have a separate blog post about building all the utilities very soon.
  2. BT5 .deb packages for all of the pass-the-hash utilities mentioned in our talk yesterday plus a bonus package of the command line tool 'curl' that has been patched for PTH support.
  3. A Windows version of PTH Firefox from ESR 10.0.4.  I know that 10.0.5 is out, but I can't find my build of it.  I'll work on getting it built soon(tm) and uploaded to the website.

Soon to be here:

  • Slides / demo vids - I want to go back and do a more in depth demo of the various tools, so I will probably be re-recording the demos with voiceovers.  We'll see how my ambitions fare in a week or 2...
  • Blog entries on building and installing the packages - I've received interest in having the packages build on a different linux platform than BT5.  I don't think this is going to be a major challenge, but will require some retooling of VMs and scripts and whatnot...
  • Our PTH Rosetta stone which maps common Windows command line tasks to their Samba equivalents
  • Blog entries on the various tools detailing their common uses.

Thursday, July 26, 2012

Yup. That just happened...

It's 1115 BlackHat Standard Time and our talk just concluded.  Here's the high points:

  • WCE with password hashes can be used with pretty much any native windows app (IE / Outlook /  MSSQL studio, command line apps, AD management consoles, etc) from a Windows computer NOT IN THE DOMAIN to authenticate to windows services.  Just the way Bill intended...
  • We extented and enhanced JMK@foofus's  patch for Samba to allow password hashes to be passed on the command line in either "LM:NT" or "LM:NT:::" format to make it easier to script attacks.  This also made it so that when we patched Firefox, you wouldn't have to quit Firefox to reset the environmental variable.  You can just change the password after logging out.
  • We are releassing a suite of utilities where we patched in PTH support.  These packages include Firefox 10.0.5ESR, FreeTDS, Openchange, samba, winexe, and rudimentary WMI functionality including a blind command execution via WMI.
  • Patches to the actual packages and build scripts as well as precompiled binaries in .deb format for BackTrack R2 will be posted to the google code page within a day or so, or as soon as I can get a decent internet connection to upload the stuff.
Now, our surprise... Thanks to the tireless work of Pure_Hate (Martin Bos), our PTH suite will be available as a Backtrack repository package VERY soon..... "apt get install  pth-suite-1.0.0" FTW!

We will be posting blog entries talking about how to use the various utilities as well as instructions for building and installing the packages.

We will also be releasing our "Pass the Hash Rosetta Stone" with the various windows command lines and their associated samba command lines very soon....  Stay tuned to twitter and the blog for all the updates.

Sunday, July 22, 2012

On Our Way to Lost Wages

We're off to Vegas.  We've got some awesome pre-recorded demos in store and we'll get everything posted to our google code site shortly after our presentation...

Hope to see you there!

Wait, I Can Do That With Linux?

Did you know that there are open source tools available to access data saved in Microsoft applications such as MS SQL and Exchange?  Did you know that you can use password hashes to access the data instead of password hashes?

During our BH USA 2012 talk entitled "Still Passing the Hash 15 Years Later?" Chris and I will discuss this and more.  After our talk we'll upload the patches, build scripts/instructions and .deb packages for Backtrack to our google code site.

Future blog entries will go over the usage of the various utilities and the fun that can be had on a pentest with them.

Join us at Blackhat USA 2012 for our talk "Still Passing the Hash 15 Years Later" on Thursday July 26 at 10:00am!

Saturday, July 21, 2012

Using Hashes to Pentest Windows Using IE,Outlook,MSSQL Studio, etc...

As much as some of us want open source software to take over the world, the reality is that most businesses run on windows. Corporate intranets run Sharepoint, email is managed by Exchange, and data is stored in MS SQL databases. Microsoft provides a robust suite of tools to access all of this data with lots of pretty GUIs. Accessing corporate data in this environment can be challenging without a username and password.

Chris (@obscuresec) and I talk about a simple yet powerful technique to use password hashes and Microsoft tools to access a client's data from a Windows attack box without the need to join it to the domain.

Join us at Blackhat USA 2012 for our talk "Still Passing the Hash 15 Years Later" on Thursday July 26 at 10:00am!

Friday, July 20, 2012

Soon to be live from BlackHat USA 2012

Thanks for checking our blog out!

I'm Skip Duckwall and I wanted to take a moment to outline my future plans for this blog relating to our presentation "Still Passing the Hash 15 years Later?  Using the Keys to the Kingdom to Access All Your Data"

Over the next few days and weeks we plan on using the blog to document some of the features discussed during the BlackHat presentation.  Much of the documentation for the various suites of utilities is sparse and difficult to comprehend.

We will discuss how to build the utilities, how to use the utilities in a Windows environment during a penetration test, discuss how to set up a lab to experiment with the various utilities and hopefully point out some tips and pitfalls we've run into when using these utilities in the field.

Chris and I have also developed a spreadsheet that demonstrates how to use the various command line utilities in both Windows and Linux to perform common tasks.  We call this document "The Pass The Hash Rosetta Stone" and it will be available shortly after our presentation in Vegas.

We are also working with Purehate from the Backtrack team to possibly integrate the tools directly into Backtrack to make them much easier to use.

We will update with links when our project gets posted in the next few days.  Look forward to seeing you at Vegas!