The Bag Of Tricks: 5 (most common) ways to discover vulnerabilities
1.) Scanning with MBSA
Tuesdays, 11:30 in pentests: it's MBSA time. MBSA is a mighty tool from Microsoft for finding out whether you missed an important update. It creates a short report, but of course doesn't patch automatically, because of business continuity, you name it. But, and that's what's very interesting: it reports based on Microsoft's own recommendations.


As you can see, this is a command-line based scan. The report is available in a GUI way, too. I used an updated catalog and my VM. By the way: the Evilgrade way doesn't work for Windows Update as far as I'm concerned, and this includes Office, of course. So if you've got a lot of e-mail, PDFs, Office docs and the like around, you know where to look now.
2.) DumpSec stuff
Even CISSPs know DumpSec.
It uses null sessions, like:
net use \\192.168.2.12\ipc$ "*" /user:""
There's no magic behind this, and if there's a restriction in place (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 2), well... this won't work. By default even Windows Vista allows null sessions.
3.) Use the new stuff: WMI and PowerShell
Because DumpSec is kind of lame, here's something newer with a future: in future you won't pop Windows command lines. I guess you'll start PowerShell instead, because it's included by default and offers many more options.
Get computer name and OS
gwmi win32_operatingsystem -ComputerName localhost
Example output:
SystemDirectory : C:\WINDOWS\system32
Organization :
BuildNumber : 2600
RegisteredUser : wishi
SerialNumber : deleted for reasons
Version : 5.1.2600
Get Services
gwmi win32_service -ComputerName localhost
Note: this is case-sensitive.
Example output:
ExitCode : 1077
Name : Alerter
ProcessId : 0
StartMode : Disabled
State : Stopped
Status : OK
ExitCode : 1077
Name : ALG
ProcessId : 0
StartMode : Manual
State : Stopped
Status : OK
ExitCode : 1077
Name : AppMgmt
ProcessId : 0
StartMode : Manual
State : Stopped
Status : OK
[...]
Get Processes
gwmi win32_process -ComputerName localhost
Output example:
[...]
Caption : gvim.exe
CommandLine : "C:\Program Files\vim\vim71\gvim.exe" "-u" "C:\Program Files\vim\vim71\cream\creamrc" "-U" "NONE" "--servername" "CREAM"
CreationClassName : Win32_Process
CreationDate : 20090227121608.738750+060
CSCreationClassName : Win32_ComputerSystem
CSName : DAWMVM
Description : gvim.exe
ExecutablePath : C:\Program Files\vim\vim71\gvim.exe
ExecutionState :
Handle : 3408
HandleCount : 80
InstallDate :
KernelModeTime : 20468750
MaximumWorkingSetSize : 1413120
MinimumWorkingSetSize : 204800
Name : gvim.exe
OSCreationClassName : Win32_OperatingSystem
OSName : Microsoft Windows XP Professional|C:\WINDOWS|\Device\Harddisk0\Partition1
[...]
This is huge... you get everything!
Get Users
gwmi Win32_UserAccount -ComputerName localhost
Example output:
AccountType : 512
Caption : DAWMVM\Administrator
Domain : DAWMVM
SID : S-1-5-21-1292428093-1606980848-1801674531-500
FullName :
Name : Administrator
Get Groups
gwmi Win32_Group -ComputerName localhost
Caption Domain Name SID
------- ------ ---- ---
DAWMVM\Administrators DAWMVM Administrators S-1-5-32-544
DAWMVM\Backup Operators DAWMVM Backup Operators S-1-5-32-551
DAWMVM\Guests DAWMVM Guests S-1-5-32-546
DAWMVM\Network Configurat... DAWMVM Network Configuration Ope... S-1-5-32-556
DAWMVM\Power Users DAWMVM Power Users S-1-5-32-547
DAWMVM\Remote Desktop Users DAWMVM Remote Desktop Users S-1-5-32-555
DAWMVM\Replicator DAWMVM Replicator S-1-5-32-552
DAWMVM\Users DAWMVM Users S-1-5-32-545
DAWMVM\HelpServicesGroup DAWMVM HelpServicesGroup S-1-5-21-1292428093-16069...
You see, it's always a lot of information. Writing a parser to highlight the critical stuff may be a nice idea...
More...
gwmi win32_share -ComputerName localhost
gwmi Win32_NTDomain -ComputerName localhost
gwmi win32_quickfixengineering -ComputerName localhost
You can find forgotten user-accounts, private shares, outdated system setups...
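Here is what such a "highlight the critical stuff" script could look like, built on the same gwmi queries as above. This is an added example, not code from the post; the script name is made up, and the thresholds (90 days without a hotfix, the list of built-in service identities) are my own assumptions.

```powershell
# WmiAudit.ps1 (hypothetical name, not from the post): run the post's gwmi queries and
# keep only the lines worth a second look instead of dumping every property.
param([string]$ComputerName = "localhost")
$findings = @()

# Users: no password required, password never expires, or the built-in Guest (RID 501) enabled
$users = gwmi Win32_UserAccount -ComputerName $ComputerName -Filter "LocalAccount=True"
foreach ($u in @($users)) {
    if (-not $u.PasswordRequired) { $findings += "USER  $($u.Caption): no password required" }
    if (-not $u.PasswordExpires -and -not $u.Disabled) { $findings += "USER  $($u.Caption): password never expires" }
    if ($u.SID -like "*-501" -and -not $u.Disabled) { $findings += "USER  $($u.Caption): Guest account is enabled" }
}

# Shares: Type 0 is a plain disk share; the admin shares (C$, ADMIN$, IPC$) carry the 0x80000000 flag
foreach ($s in @(gwmi Win32_Share -ComputerName $ComputerName)) {
    if ($s.Type -eq 0) { $findings += "SHARE $($s.Name) -> $($s.Path) '$($s.Description)'" }
}

# Services: running under a named user account rather than a built-in identity
# (a good place to find forgotten accounts), or set to Auto but not running
foreach ($svc in @(gwmi Win32_Service -ComputerName $ComputerName)) {
    if ($svc.StartName -and $svc.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
        $findings += "SVC   $($svc.Name) runs as $($svc.StartName)"
    }
    if ($svc.StartMode -eq "Auto" -and $svc.State -ne "Running") {
        $findings += "SVC   $($svc.Name) is Auto but $($svc.State)"
    }
}

# Patches: how many hotfixes are listed and when the last one went on
# (InstalledOn is a string whose format varies by Windows version, so parse defensively)
$fixes = @(gwmi Win32_QuickFixEngineering -ComputerName $ComputerName)
$dates = foreach ($f in $fixes) { try { [datetime]$f.InstalledOn } catch { } }
$last  = $dates | Sort-Object | Select-Object -Last 1
$findings += "PATCH $($fixes.Count) hotfixes listed, last installed: $last"
if ($last -and $last -lt (Get-Date).AddDays(-90)) { $findings += "PATCH last hotfix is older than 90 days (assumed threshold)" }

$findings
```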
4.) Changed files - the pressure of change
This is funny sometimes. Announced audits: you hold a small meeting, there's some coffee, and the CIO tells his team: "Alright, these are our ... " NEW ENEMIES. I personally work with people, not against them, but that's another thing. Most often administrators tend to change stuff some days before the audit takes place. Maybe they'll change it back afterwards because the policy is a pain in the butt...
# Find-Files.ps1: list all files under a path whose last write time falls between two dates
$startInput = Read-Host "Enter start date e.g. yyyy/mm/dd"
$endInput   = Read-Host "Enter finish date e.g. yyyy/mm/dd"
$path       = Read-Host "Enter path of target e.g. \\server\c$\windows\"
$results    = Read-Host "Where do you want the results saved to? e.g. c:\temp\changed.txt"
$start = [datetime]$startInput
$end   = [datetime]$endInput
# Files only (skip directories), modified inside the period, written out as a plain list
Get-ChildItem $path -Recurse |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $start -and $_.LastWriteTime -lt $end } |
    Out-File -Width 255 $results
(Source: synjunkie's blog)
So I don't use it for incident response... It searches for modified files, and you can define the period. This sometimes has funny side-effects: "Oh, you changed all admin passwords yesterday so that the normal tools don't flag them as outdated? Why yesterday?"
Of course in case of a compromised system this is far more useful.
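To make the "why yesterday?" question jump out, the same search can be grouped per day so a burst of changes right before the audit is visible at a glance. This is an added example, not from the post or from synjunkie's blog; the script name, the 30-day window and the "3x the median" spike rule are my own assumptions.

```powershell
# ChangeSpike.ps1 (hypothetical name, not from the post): same file search as Find-Files.ps1,
# but counted per calendar day so an unusual burst of modifications stands out.
param([string]$Path = "C:\Windows", [int]$Days = 30, [int]$Factor = 3)

$start = (Get-Date).Date.AddDays(-$Days)
$files = Get-ChildItem $Path -Recurse -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -ge $start }

# One group per day (yyyy-MM-dd), oldest first
$perDay = @($files | Group-Object { $_.LastWriteTime.ToString("yyyy-MM-dd") } | Sort-Object Name)
if ($perDay.Count -eq 0) { "no files modified in the last $Days days under $Path"; return }

# A day is a "spike" when it has more than $Factor times the median daily count (assumed rule)
$counts = @($perDay | ForEach-Object { $_.Count } | Sort-Object)
$median = $counts[[int][math]::Floor($counts.Count / 2)]

foreach ($day in $perDay) {
    $flag = if ($day.Count -gt $Factor * $median) { "  <-- spike" } else { "" }
    # Top three extensions changed that day, e.g. .exe(12) .dll(9) .log(3)
    $exts = ($day.Group | Group-Object Extension | Sort-Object Count -Descending |
             Select-Object -First 3 | ForEach-Object { "$($_.Name)($($_.Count))" }) -join " "
    "{0}  {1,5} files  {2}{3}" -f $day.Name, $day.Count, $exts, $flag
}
```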
5.) We all know... tactical exploitation
WebApp pentests, network audits, system pentests, source audits and beyond. Going through testing. And it's always similar:
- scanning with NStalker, Wikto/nikto, w3af, Grendel, WebScarab, proxying with Burp... there's countless stuff. Intercepting http(s) in a webshop and changing the prices. Wait until someone manually checks back, and report it if no one does. [...]
- auditing a network by going through ACLs on Ciscos and other routers with nipper, trying some old-skool ARP poisoning/IP spoofing with Ettercap, sniffing for cleartext passwords with dsniff, middling traffic by abusing the Windows WPAD auto-proxy config in IE, stealing cookies, starting BeEF or browser_autopwn [...]
- using nessus, metasploit, Core Impact and exploiting some vulnerabilities. Using Nmap to discover services and map the network [...]
- going through code with a static code scanner or reversing the binary with a disassembler. Looking for large buffers, input validation issues, possible flaws for buffer overruns [...]
I don't want to focus on this. You can do the hard work. It takes hours and days. That's where the money is, but what if you analyze a situation tactically? Most often you can simply mail the malware and social-engineer people. It's fairly easy:
Dear Mr. IKNOWYOURNAME,
As a long-term customer and investor I hereby want to ask you about something that lies in your expertise. Yesterday you sent me an eMail, and the attachment was quite interesting. I found out that [blablabla] and want to ask whether you could do me the favor and check this back.
Kind regards,
MRS. IMPORTANT
And you can apply some dirty magic with the binary in the attachment. The point is to target the weakest point: the employees. They may fear MRS. IMPORTANT or see this as an opportunity.
This isn't personalized spam, this is a direct social attack via e-mail or anything else the company offers to communicate. You don't even need to attach a file. A simple link is often enough. Give it some kind of trustworthy-looking domain name, apply some tricks to the site you're linking to. This can save hours of scanning and searching, and of going through false positives.
Find an employee who doesn't know why the policy says "No attachments" or "No ActiveX" or "No JavaScript". That's a vulnerability, too. Your malware could simply report back: "Was opened by User!"
Have fun,
wishi