Using ADS, Symlinks, Junction points, and Windows Path tricks for security bypass:
INDEX_ALLOCATION windows stream can be used to bypass security checks:
“C:\temp” is the same as “C:\temp::$INDEX_ALLOCATION” and the same as “C:\temp:$I30:$INDEX_ALLOCATION”.
It can be used to bypass IIS 5 security and run any file on server even if you dont have access to it:
Using symlink and junction points and INDEX_ALLOCATION and FILE_FLAG_BACKUP_SEMANTICS in windows to get out of directories (creating symlink inside the c:\windows\tasks directory is nice):
Try running the following commands in command line (after doing cd into a temporary directory that you can delete afterwards):
Using symlinks tricks together with DCOM DCE/RPC local NTLM Reflection in order to write files to system directories:
Other than using index_allocation, files with special names can be created using:
- Using UNC path by starting the path with “\\?\”.
- Writing the file as a raw disk data.
Passthehash attack on ntlm uses hashed passwords which usually u need an admin to get them (from sam file or memory)…on the other hand NTLM-RELAY is another attack which doesnt needs admin! if someone, lets call him A, connects to you with NTLM or by using dns spoofing/arp spoofing to get the traffic, you can use NTLM-RELAY to connect to smb, http and other services that have ntlm-authentication with the user of A…what you could do is to relay the credentials to connect back to the user A computer (for example to his admin$) and then if he is local admin then u control his pc…in 2008 microsoft released patch that fixed relay back to A pc…however from around 2000 still to this day the general ntlm-relay attack is NOT fixed…so conclusion…if you dont have admin and you want to get the permissions/power/authorization of some other maybe stronger user then just use NTLM-RELAY…in a lan that uses NTLM combining this with arp-spoofing you can ALWAYS GET CONTROL OF ALL OF THE LAN basiclly by just waiting to admins to connect somewhere and arp spoof them and them ntlm-relay them.
Conclusion: if someone uses ntlm then you can hack him…ntlmv2 is vulnerable also
Metasploit module for Ntlm Relay attack: http://webstersprodigy.net/2012/07/22/metasploit-generic-ntlm-relay-module/
Video explaining what I wrote here: https://www.youtube.com/watch?v=N08r6cBfCVs , the guy in the video talks very well, not boring…(he is also a dj..). What the guy says is that all the usual tools relay http to http or http to smb and he wanted to make it wider for more protocols like mssql and ldap and rdp and more…so he built a tool: https://github.com/zfasel/ZackAttack . This tool knows: Relaying to LDAP (critical for relaying to Domain Controllers), Relaying to Exchange Web Services. The dc by default have smb signing (all packets signed with the hash of the password) thus smb relay not possible to dc however LDAP ntlm relay IS possible. The ZackAttack tool relaying to LDAP allows adding users to groups…so if domain admin is relayed then you can add yourself to be domain admin. Exchange web service relaying is good because by default the exachange web servers support ntlm so by this relaying you can send emails as the relayed user, read all their email and more.
As usual i left wireshark+fiddler open on the pc for a while and what i saw when i returned? the usual ssdp, dhcp, arp packets and….an interesting http packet! :
GET /ncsi.txt HTTP/1.1
User-Agent: Microsoft NCSI
HTTP/1.1 200 OK
Date: Sat, 29 Jun 2013 20:18:17 GMT
Cache-Control: max-age=30, must-revalidate
So i have done some research and its very interesting.
Here is the requested page: http://www.msftncsi.com/ncsii.txt
Basically this is the way of windows 7/vista wireless network to show you in the network connection icon if you have internet connectivity…it sends dns request and then http request and if dns returned and http returns 200 ok then it shows that there is network connectivity…if dns failes then no connectivity…and if dns suceed and http fail then it think that additional log in information is required for the wireless network.
First of all maybe if you send response 401 then automaticly there will be another request with credentials? this can be used for ntlm relay! all you need is register the http://www.msftncsi.com domain in the local dns or to do dns poisoning.
Secondly, i searched and didnt find anything about it in google…but if you return good dns response and bad http response then the log in information required icon appears and its very interesting to check what happens when you press on it…it is supposed to open the browser for you to enter login credentials….interesting to check what happens and where does it try to send the credentials.
Anybody know/heard of attacks on this mechanism?
Cracking c# random:
The default seed when someone use Random() in c# is Environment.Tickcount which “Gets the number of milliseconds elapsed since the system started”…using nmap on a pc you can get a very good approximitation of the pc starting time and using this time the random creates array of size 56 and initializes 2 indexes and each time u get next number, it substructs the numbers in the array corresponding to the indexes and multiplies it by a constant and then moves the indexes …so once you do nmap and get the TickCount, you know all the random numbers that are going to be generated.
The following link talks about java but i put it because it shows how to get the system starting time with nmap:
WPAD and ISATAP (you maybe heard of WPAD, but did you hear of ISATAP?):
They are both defaultly enabled in windows machines) “The Microsoft Windows WINS Server is prone to an access-validation vulnerability because the software fails to properly restrict access when defining WPAD (Web Proxy Autodiscovery Protocol) and ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) entries. An authenticated attacker may exploit this issue to create a WPAD or ISATAP WINS entry. This may aid in man-in-the-middle and spoofing attacks. Other attacks are also possible.”
“CVE-2009-0093 describes an issue with how the Web Proxy Auto-Discovery, or WPAD, and the Intra-Site Automatic Tunnel Addressing Protocol, or ISATAP, can be abused by an attacker.
This is typically a local domain attack where there is a degree of trust between the domain members. The Windows DNS server can allow clients to register their own hostname in the DNS server using dynamic updates. In the most common scenario, this takes place using secure dynamic updates, where a client authenticated against the domain can update its own name on the DNS server. If the WPAD or ISATAP names have not yet been registered, a domain-authenticated user could register his own machine as either of these two names.
The reason why ISATAP and WPAD are so interesting for an attacker to register, is because they are default names a client will resolve to obtain specific functionality. In the case of WPAD, the name tells the host where to connect for proxy configuration information. In the case of ISATAP, it points to a tunneling server that connects IPv6 hosts over IPv4 networks.”
You can also use dns poisoning to make the poisoned computers think you are ISATAP/WPAD.
WPAD has authentication and can be used for ntlm-relay.
ISATAP rfc: http://tools.ietf.org/html/rfc5214#section-7
DOS to isatap routers using a packet with similar idea to LAND attack: http://resources.infosecinstitute.com/security-vulnerabilities-ipv6-tunnels/
ipv6 flaws+isatap: https://espix.net/~wildcat/ipv6/IPv6-flaws-by-design-fropert-packetfault.txt
ISATAP has basicly no acl validation and no authentication.
ISATAP is used for tunning ipv6 over ipv4…if you make pc think you are ISATAP router (dns or wins name isatap) then packets will go through you.
It can be used to send packet from internet to a pc in internal network…you send to ISATAP router with public ipv6 ip and internal network ipv4 ip (192.168… for example).
In 2009 microsoft made a fix that made a blacklist of registering the name ISATAP or WPAD in a dns/wins server but this still doesnt protect from dns/wins poisoning
You heard of dns poisoning? What about wins/netbios poisoning? I will write about it shortly.
Send packets to a series of ports on the server to trigger the opening of some port.
can be used to let a server have all ports closed, thus server scans always returning 0 open ports…while the true clients authenticate using portknocking and have a dynamic temporary rule opened only for them.
Unquoted Service Paths:
Easy way to get privelege escalation to system if you have write access.
Can find vulnerable services by simply running the following command in command line:
wmic service get name,displayname,pathname,startmode |findstr /i “auto” |findstr /i /v “c:\windows\\” |findstr /i /v “””
Services which don’t have quotes in their path are vulnerable. Many services such as intel services, mcafee services and others are vulnerable.
By creating “Program.exe” file under C:\ you will get your exe to execute in the priveleges of vulnerable service located in Program Files. However you will need write permissions to C:\ to exploit this, and in most cases you will not have those permissions.
This can be used if you have a traversal that gives you write permissions anywhere and you want to create persistency.
SMB Relay using LNK vulnerability (MS08_068 + MS10_046):
“In 2010, Microsoft released MS10_046 which patched the Stuxnet LNK vulnerability where a malicious DLL could be loaded (locally or remotely over WebDAV) using the path of the shortcut’s icon reference. LNK files are Windows shortcut files that allow the icons of the files to be changed much more dynamically than any other file type (Right click a shortcut, go to Properties, and just simply click the ‘Change Icon’ button). I could certainly be wrong here, but I believe all Microsoft patched was the ability to use this feature to load the DLLs via a certain Control Panel object. Which leaves the ability to load shortcut (LNK) icons from wherever we wish. ”
SMB Relay using XPath injection?
Interesting Anonimity Technique:
The article gives a technique for anonymity: to set up VM on your PC and use a VPN from the PC to some vpn server and then turn on the vm and use VPN from the vm to another VPN server (I guess as far as the vm knows, the host is the first VPN server)…or u can look at this article as good tutorial for setting up connection to vpns on windows/Linux https://www.cyberguerrilla.org/a/2012/?p=6766
Man In The Browser Attack:
in the attack you create your browser extension and install it on the attacked computer and then each request the client makes can be intercepted by your extension and changed to whatever you want and you can run any code you want at this point like stealing the form data or changing it and then sending it so that the client will not even notice he was attacked.
Http Verb Tunneling:
“To work with clients that do not support HTTP verbs like DELETE, PUT, or MERGE, OData protocol offers a technique called “verb tunneling.” In this technique, PUT, DELETE, and MERGE requests are submitted as a POST request, and an X-HTTP-Method header specifies the actual verb that the recipient should apply to the request.
Penetration testers must test for DELETE, PUT, or MERGE methods with “verb tunneling” to ensure that consistent access mechanisms are implemented. It is possible that direct invocation of DELETE or PUT methods may be prohibited on some resources but can be executed via X-HTTP-Method header ”
Software Distribution\Deployment Techniques to Windows Machines:
A couple of links related to windows update:
[MS-WSUSSS]: Windows Update Services: Server-Server Protocol
A diagram: https://msdn.microsoft.com/en-us/library/dd341409.aspx
[MS-WUSP]: Windows Update Services: Client-Server Protocol
[MC-BUP]: Background Intelligent Transfer Service (BITS) Upload Protocol
A diagram: https://msdn.microsoft.com/en-us/library/cc216524.aspx
(By the way microsoft published info of many of its protocols here:https://msdn.microsoft.com/en-us/library/cc216517.aspx )
For the automatic windows updates BITS (Background Intelligent Transfer Service) is used, info about it:
Turns out you can use the windows update process and WSUS to update third party programs as well, detailed info here:
If you know of some interesting info about windows update or any of the following stuff then please share in the comments.
Policy Software Installation (GPSI)
Distribution using GPO.
Recently a couple of vulnerabilities related to GPO were published.
The previous link has the following info:
“Using WSUS to deploy third-party software and updates has many advantages over GPSI, including the following:
– In addition to .msi packages, command-line executables and drivers can be deployed natively without requiring users to have administrative privileges.
– The Background Intelligent Transfer Service (BITS) is used to throttle the transfer of installation files to clients by using idle bandwidth. This is ideal for slow network links.
– WSUS is designed to be part of an enterprise-wide distributed architecture.
– WSUS includes basic reporting features.”
How to distribute msi using gpo ( by the way this site has many good tutorials and practical how-tos):
Creating msi file from exe can be done using the following tool or other tools:
SCCM – System Center Configuration Manager
Explains how to deploy internet explorer using the methods above:
(By the way unrelated interesting thing in the link is the fact that you can create a custom internet explorer using the IEAK https://technet.microsoft.com/en-us/library/jj822322.aspx )
Anybody know of other software deployment methods?
Windows PATHEXT environment variable vulnerability:
I reported this to microsoft and they don’t consider this a vulnerability:
Windows uses the environment variable called PATHEXT to decide what is the extension of files that are being run without extension.
For example if you run “calc” in the windows command line then in the background window will query all the directories in the PATH environment variable for the names of the files in the directories. Then it checks if the directory has a file with a filename that when you remove the extension from it you get calc. For example if the directory has a file called calc.txt then this check will pass successfully.
In the case that this check passed successfully, Windows (in this case the command line) tries to combine the directory path together with the command entered “calc” and together with the extensions from the PATHEXT and run the combines resulted path. THE VULNERABILITY is that this path combination\concatanation is VULNERABLE TO DIRECTORY TRAVERSAL, resulted from an evil value in the PATHEXT variable, which is an unexpected and undesired behaviour of dealing with the PATHEXT environment variable. The following proof of concept shows the result.
Proof of concept:
My default PATHEXT value is:
I add an evil value to it so that the new evil PATHEXT is: “a\..\..\..\..\..\..\..\windows\system32\notepad.exe;.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC”
Now (after the new PATHEXT is changed and saved) open a new command line (cmd.exe)
Run in the command line the command: “cmd”.
You will see a notepad opened!! (of course the correct behaviour should be that cmd.exe will be opened and not notepad.exe).
Note: From the explanation above this proof of concept will open notepad not only for cmd but for any command “xxx” (xxx is any word) such that in one of the directories in the PATH environment variable there is a file named “xxx.zzz” where zzz is the extension which can take any value but must not contain ‘.’
Attacking Asp.Net Website Hosted On IIS (Of course only for whitehat testing purposes 🙂 ):
- Scan the server ports to find out what is accessible (both tcp and udp and different icmp types)
- Map all the technologies, and their versions, used by the website by:
- Looking at the client side code.
- Looking at Http headers.
- Running active and passive webserver and os fingerprinting using tools such as httprint.
- Search for known vulnerabilities for the technologies versions used by the website, for example WINSHOCK.
- Turn on a proxy such as fiddler or ZAP with some passive vulnerability detecting extensions such as fiddler Watcher and slide to the website. Check out the client side code and the server responses and map the website services and features.
- Search for detailed errors and directory listings. On new IIS you will probably not find directory listings.
- Send Http OPTIONS request and check out if WEBDAV is turned on and in particular if sensitive Http methods such as PUT or TRACE\TRACK are turned on. Note: If PUT is turned on then you should try upload aspx file to execute server side code by sliding to your file, however the aspx extension might be blocked for PUT, there is a trick to bypass that protection: upload aaa.txt using PUT and then change its name to aaa.aspx using MOVE. On IIS 5 the aspx extension is blocked for PUT but not for MOVE.
- Search for XSS\SQLI\File upload\Xpath injections\LDAP injections, reflective file download, etc. Modern libraries such as LINQ, NHibernate, Entity Framework give automatic protection from SQLI unless misused, the razor engine gives automatic protection from xss unless misused. So if you should put more efforts on attacks that got more chance of success againts the technologies the website you are attacking uses.
- Search for another accessible server on the LAN of the website you are attacking. If there is another, weaker, server which you can take control of, then it will be easier to take over the website while attacking it from its LAN from the server you took control of.
A google search led me to the following link: http://18.104.22.168/~ipaudit/cgi-bin/SearchIpauditData?date=2015-09-22-13%3A30&ip=192.168.103.058&sort=0 which looks like a system that allows to search in recorded network traffic http://22.214.171.124/~ipaudit/ . Its an open source system called IPAudit: http://ipaudit.sourceforge.net/
Conclusion: If you want network traffic data for your analysis and as datasets for anomaly detection algorithms then you can do the following google search: https://www.google.co.il/search?q=inurl:~ipaudit and find many sites which allow you to search their network traffic data.
Web Applications Race Conditions
A race condition is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data. Race conditions, by their very nature, are difficult to test for. https://www.owasp.org/index.php/Testing_for_Race_Conditions_(OWASP-AT-010)
Tool to help with the exploitation of web application race conditions: https://github.com/andresriancho/race-condition-exploit
To be continued.