Wednesday, June 30, 2010

more with rpcclient


Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]


rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]


Now you would think that doing a querygroup would give you the right output, but actually you get a:

rpcclient $> querygroup 0x220
result was NT_STATUS_NO_SUCH_GROUP


Honestly I have no idea why this doesn't work, it *should*. If anyone knows why it doesn't I know more than one person who would like to know.

Anyway it takes one more step but you can do it this way:

rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]


rpcclient $> queryaliasmem builtin 0x220
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]


Then you can look up who those SIDs belong to:

rpcclient $> lookupsids
Usage: lookupsids [sid1 [sid2 [...]]]


rpcclient $> lookupsids S-1-5-21-1214440339-1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PC\Administrator (1)


rpcclient $> lookupsids S-1-5-21-1214440339-1383384898-839522115-1003
S-1-5-21-1214440339-1383384898-839522115-1003 PC\user (1)


rpcclient $> lookupsids S-1-5-21-2392188729-2485841371-4291725810-512
rpc_api_pipe: Remote machine 192.168.242.128 pipe \lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds
result was NT_STATUS_IO_TIMEOUT


Not sure about the 512 (it's a MS built-in account I think) but the 1003 was the user I added to the local admins group.
CG
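
For auditing local Administrators membership from output like the above, the SIDs can be sorted by who issued them before any lookupsids call is made. The following is an added example, not code from the original post: it parses queryaliasmem output, splits each SID into issuing authority and RID, and labels well-known RIDs. The sample text and the machine SID are the values shown in the post; the function names and the RID table (a subset of Microsoft's well-known RIDs) are this example's own.

```python
import re

# Constructed sample: the queryaliasmem output shown in the post above.
SAMPLE = """\
sid:[S-1-5-21-1214440339-1383384898-839522115-500]

sid:[S-1-5-21-1214440339-1383384898-839522115-1003]

sid:[S-1-5-21-2392188729-2485841371-4291725810-512]
"""
# Machine SID, taken from the post's lookupsids result for PC\Administrator.
LOCAL_AUTHORITY = "S-1-5-21-1214440339-1383384898-839522115"

# Subset of Microsoft's well-known relative IDs.
WELL_KNOWN_RIDS = {
    500: "built-in Administrator account",
    501: "built-in Guest account",
    512: "Domain Admins group",
    513: "Domain Users group",
    519: "Enterprise Admins group",
}
SID_RE = re.compile(r"sid:\[(S-1-\d+(?:-\d+)+)\]")


def classify(sid, local_authority):
    """Describe one member SID: who issued it and what its RID means."""
    authority, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)
    if not authority.startswith("S-1-5-21-"):
        return {"sid": sid, "origin": "well-known", "rid": rid,
                "note": "well-known SID (not under an S-1-5-21 authority)"}
    origin = "local" if authority == local_authority else "foreign"
    if rid in WELL_KNOWN_RIDS:
        note = WELL_KNOWN_RIDS[rid]
    elif rid >= 1000:
        note = "account or group created after installation"
    else:
        note = "reserved RID"
    return {"sid": sid, "origin": origin, "rid": rid, "note": note}


def audit_members(output, local_authority=LOCAL_AUTHORITY):
    """Parse queryaliasmem output and classify every member it lists."""
    return [classify(m.group(1), local_authority) for m in SID_RE.finditer(output)]


if __name__ == "__main__":
    for row in audit_members(SAMPLE):
        print(f"{row['sid']:<50} {row['origin']:<10} {row['note']}")
```

Members marked "foreign" were issued by a different authority than the machine's own SAM, so the machine being queried may need to reach that authority to resolve them.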

Monday, June 28, 2010

Firefox Saved Passwords


Nothing earth shattering, but since this is a place for my notes...

Sometimes when you are on a box and pilfering through all the documents doesn't yield anything useful for moving laterally, you can grab the Firefox saved passwords. Lots of times someone will save their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if it doesn't give you a *great* lead you'll at least get an idea if they are a password re-user or not.

So how to do it?

Actually it's simple. Inside the mozilla\firefox directory will be somethingrandom.default. Inside that folder you'll find:

key3.db
signons.sqlite

If there is no master password set, all you have to do is replace the files on your test VM with the two files you downloaded, open Firefox, go to preferences, security, and do a view saved passwords.

I think there are some fancy Firefox plug-ins that can pull this info out and I'm sure there are some binaries you can push up that will dump this for you as well. But this is quick and easy and you're probably already downloading files (at least you probably *should* be) anyway...

-thanks to Mubix for telling me about this.
CG

Friday, June 25, 2010

Android and another use for XSS


This morning I saw a tweet by @dinodaizovi. Dino posted a comment regarding an article by Google (you can find it Here) responding to an interesting method of gaining root via "RootStrap" (link: Here).

To summarize, Google sort of dismissed the idea that this application (and research, by @jonoberheide) was damaging because the application he created didn't have "root" permissions; it simply had network permissions to download rootkits and install them in areas of the device not meant for normal applications.

Google/Android removed the application with an over the air update. We are saved! .....okay {sarcasm}

It got me thinking, I remembered something I touched on during a presentation at a recent NoVAH Hackers meeting. The idea was basically using something like XSS to redirect an Android user to download an attacker's application(s).

Here is the video, stick around to the end, you may get a chuckle.


Android and another use for XSS from cktricky on Vimeo.

Happy Hacking!

~cktricky
cktricky

Tuesday, June 22, 2010

wxruby on Ubuntu


Thank you to Mario Steele for creating a wxruby gem compatible with the more recent versions of Ubuntu's G++ compiler.

You can download the gem Here.

Install by.....

sudo gem install --local wxruby-2.0.1-x86-linux.gem

If you've tried to run DirChex or DirSnatch you'll notice problems. The above tip should help to resolve.

~Happy Hacking
cktricky