Nov 03 2014

PowerShell for Pentesters

PowerShell is extremely useful for admins. This power is also extremely useful for attackers.

There are several PowerShell tools specifically for increasing access on a network:

PowerSploit

PowerSploit – PowerShell based pentest tool set developed by Mattifestation.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.

PowerSploit is comprised of the following major components:

CodeExecution
ScriptModification
Persistence
PETools
Capstone
ReverseEngineering
AntivirusBypass
Recon
Exfiltration

The last one listed, Exfiltration, includes the following useful PowerShell pentest scripts.

Invoke-TokenManipulation
Invoke-CredentialInjection
Invoke-Mimikatz
Get-GPPPassword
Get-VaultCredential

Continue reading

Nov 02 2014

Domain Controller Virtual Cloning

One of the best new features of Windows Server 2012 is virtual cloning.

The ASKPFE blog has an excellent article covering this new feature:

Tom Moser here with a post on one of the new ADDS features in Windows Server 2012; Virtual Domain Controller Cloning.

Until now, cloning, snapshotting, copying, or pretty much doing anything but rebuilding from scratch to a virtual domain controller wasn’t just unsupported; it had the potential to be really bad for your directory. Cloning or restoring snapshots of DCs could result in USN rollbacks or lingering objects, just to name a couple of problems.

Starting in Windows Server 2012, we now support DC cloning as well as snapshot restoration of domain controllers. With the RTM bits available, I found myself rebuilding my lab and took the opportunity to document the process to demonstrate just how easy it is to clone virtual domain controllers with Windows Server 2012.

Requirements

There are a few base infrastructure requirements to take advantage of DC cloning.

  • The hypervisor must support VM-GenerationID. Hyper-V running on Windows Server 2012 supports this feature. Other virtualization vendors will have the ability to implement this as well, so check with your vendor to see if it’s supported.
  • The source virtual DC must be running Windows Server 2012.
  • The PDC emulator role holder must be online and available to the cloned DC and must be running Windows Server 2012.

There are a few other steps and requirements and I’ll take you through those now.

Read the rest of the article here.

Nov 02 2014

Windows 8: Using PowerShell to Decrypt Wireless SSID Passwords with NetSH

Show the saved password for SSID named “SSID_NAME” in Windows 8.

((netsh wlan show profiles name="SSID_NAME" key=clear | select-string "Key Content" ) -split(" Key Content : "))[1]

 

 

 

Nov 01 2014

Active Directory Domain Trusts & Trust Password Management

Recently a customer asked me about Active Directory Domain Trusts and how the passwords were managed. I replied with some educated guesses based on how AD manages a variety of passwords. After stating how I thought it worked (and mentioned that I wasn’t sure), I decided to look it up. I was mostly correct.

Every trust a domain maintains is represented by a Trusted Domain Object (TDO) in the Domain partition’s System container. The TDO contains the following attributes for a domain trust:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name

Forest trusts store the following attributes:

  • DNS domain name
  • Domain SID
  • Trust type
  • Trust transitivity
  • Reciprocal domain name
  • Domain tree names
  • User Principal Name (UPN) suffixes
  • Service Principal Name (SPN) suffixes
  • Security ID (SID) namespaces

Since trust information is stored in Active Directory, all domains in the forest know about all of the trusts in place with all forest domains. External NT 4 trusts are not stored as TDOs and therefore are not in Active Directory.

Continue reading

Oct 31 2014

PowerShell Data Types

Useful table with Powershell’s data types and descriptions:

[string]  Fixed-length string of Unicode characters
 [array] Array of values
 [xml] Xml object
 [int] 32-bit signed integer
 [DateTime] Date and Time
 [long] 64-bit signed integer
 [decimal] 128-bit decimal value
 [single]  Single-precision 32-bit floating point number
 [double] Double-precision 64-bit floating point number
 [char] A Unicode 16-bit character
 [byte] An 8-bit unsigned character
 [bool] Boolean True/False value
 [hashtable]  Hashtable object
[void] Sends the datat to Null (same as piping to out-Null)

Oct 30 2014

BlueHat 2014 Slides: Reality Bites – The Attacker’s View of Windows Authentication and Post-exploitation

Each year, Microsoft invites security researchers (aka hackers) to speak to Microsoft employees about security issues.

One of the most interesting talks listed at “BlueHat” 2014 was the one by the “Pass-the-Hash” experts, Chris Campbell, Bejamin Delpy, and Skip Duckwall.

This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

BlueHat 2014 Slides: Reality Bites: The Attacker’s View of Windows Authentication and Post-exploitation – Chris Campbell, Benjamin Delpy, & Skip Duckwall

 

Oct 29 2014

Active Directory (and other) Security Resources

I just posted a “Security Resources” page that is a tab at the top of the site. This page contains useful security resources I have found over the years and plan on updating the content as needed.

Active Directory (and other) Security Resources

Oct 29 2014

Windows Server 2012 R2 deprecates FRS (File Replication Service)

Microsoft’s Tip of the Day has the following useful information on Domain Controller File Replication Service (FRS) depercation:

FRS (File Replication Service) has been deprecated in Windows Server 2012 R2.  The deprecation of FRS has been accomplished by enforcing a minimum domain functional level of Windows Server 2008.  This enforcement is present only if the new domain is created using Server Manager or PowerShell.  DCPromo still exists and is used by unattended installations.  Such domains can still be created at a lower domain functional level.

 

 

Oct 28 2014

PowerShell Code: Convert Integer8 to Date

There are several Active Directory attributes where the value is stored as an Integer8 value.
These include:

  • accountExpires
  • badPasswordTime
  • lastlogon
  • lastlogontimestamp
  • pwdLastSet

Here’s information on what Integer8 is:

Many attributes in Active Directory have a data type (syntax) called Integer8. These 64-bit numbers (8 bytes) often represent time in 100-nanosecond intervals. If the Integer8 attribute is a date, the value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601. Any leap seconds are ignored.

In .NET Framework (and PowerShell) these 100-nanosecond intervals are called ticks, equal to one ten-millionth of a second. There are 10,000 ticks per millisecond. In addition, .NET Framework and PowerShell DateTime values represent dates as the number of ticks since 12:00 AM January 1, 0001.

Quick PowerShell code for converting Integer8 into a date/time value:

$Integer8 = “130567517440984934”
[datetime]::FromFileTimeUTC($Integer8)

Oct 25 2014

Microsoft EMET 5 Configuration to Mitigate PowerPoint Zero Day

Microsoft Security Advisory 3010060: Vulnerability in Microsoft OLE Could Allow Remote Code Execution (Published: October 21, 2014)

PowerPoint Zero Day Vulnerability Executive Summary:

Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.

At this time, we are aware of limited, targeted attacks that attempt to exploit the vulnerability through Microsoft PowerPoint.

PowerPoint Zero Day Mitigating Factors:

 

  • n observed attacks, User Account Control (UAC) displays a consent prompt or an elevation prompt, depending on the privileges of the current user, before a file containing the exploit is executed. UAC is enabled by default on Windows Vista and newer releases of Microsoft Windows.
  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
  • In a web-based attack scenario, an attacker could host a website that contains a webpage that contains a specially crafted Office file that is used to attempt to exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.
  • Files from the Internet and from other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer. To help protect your computer, files from these potentially unsafe locations are opened in Protected View. By using Protected View, you can read a file and see its contents while reducing the risks. Protected View is enabled by default.

 

EMET 5 Mitigation:

Deploy the Enhanced Mitigation Experience Toolkit 5.0 and configure Attack Surface Reduction
The Attack Surface Reduction feature in EMET 5.0 can help block current attacks. You need to add configuration to the standard one in order to be protected.

  1. Create a new file with the content below: 
    <EMET Version="5.0.5324.31801">
  <Settings />
  <EMET_Apps>
    <AppConfig Path="*" Executable="dllhost.exe">
      <Mitigation Name="DEP" Enabled="false" />
      <Mitigation Name="SEHOP" Enabled="false" />
      <Mitigation Name="NullPage" Enabled="false" />
      <Mitigation Name="HeapSpray" Enabled="false" />
      <Mitigation Name="EAF" Enabled="false" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="false" />
      <Mitigation Name="BottomUpASLR" Enabled="false" />
      <Mitigation Name="LoadLib" Enabled="false" />
      <Mitigation Name="MemProt" Enabled="false" />
      <Mitigation Name="Caller" Enabled="false" />
      <Mitigation Name="SimExecFlow" Enabled="false" />
      <Mitigation Name="StackPivot" Enabled="false" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
    <AppConfig Path="*\OFFICE1*" Executable="POWERPNT.EXE">
      <Mitigation Name="DEP" Enabled="true" />
      <Mitigation Name="SEHOP" Enabled="true" />
      <Mitigation Name="NullPage" Enabled="true" />
      <Mitigation Name="HeapSpray" Enabled="true" />
      <Mitigation Name="EAF" Enabled="true" />
      <Mitigation Name="EAF+" Enabled="false" />
      <Mitigation Name="MandatoryASLR" Enabled="true" />
      <Mitigation Name="BottomUpASLR" Enabled="true" />
      <Mitigation Name="LoadLib" Enabled="true" />
      <Mitigation Name="MemProt" Enabled="true" />
      <Mitigation Name="Caller" Enabled="true" />
      <Mitigation Name="SimExecFlow" Enabled="true" />
      <Mitigation Name="StackPivot" Enabled="true" />
      <Mitigation Name="ASR" Enabled="true">
        <asr_modules>flash*.ocx;packager.dll</asr_modules>
      </Mitigation>
    </AppConfig>
  </EMET_Apps>
</EMET>
  2. Save this file as EMET_CVE-2014-6352.xml.
  3. From the EMET user interface, click Import from the File ribbon.
  4. Select the EMET_CVE-2014-6352.xml file and click Open.
  5. Alternatively, run this command from a Command Prompt with elevated privileges to import the saved script “EMET_CVE-2014-6532.xml” into EMET: 
    EMET_Conf.exe  --import EMET_CVE-2014-6352.xml

 

Microsoft : https://technet.microsoft.com/library/security/3010060