Tunnel snmp-check and other UDP traffic over SSH

Today I will be walking you through how to tunnel snmp-check and other UDP traffic over SSH.

In this example we are tunnelling UDP over SSH to circumvent firewall rules on the outside. Our firewall rules are only allowing access into the other side of the firewall to TCP port 22 on a Ubuntu server. We don’t have access to any other TCP or UDP ports. The only method of communication into the environment is via SSH to our Ubuntu server. We will use this server as jump/pivot point for other traffic. Imagine we have earlier identified through cdpsnarf using SSH dynamic port forwarding and proxychains another router, we want to enumerate this further. Our next goal in this case is to try and enumerate SNMP UDP port 161 on target router with a public community string. This example could also be applied to all sorts of UDP traffic such as DNS for example were we want to tunnel our local DNS requests to a server behind a firewall. Zone transfer maybe?tunnel snmp-check and other UDP over SSH

Attack machine: Kali Linux 192.168.200.2
Pivot Server: Ubuntu 192.168.100.10
Target: GNS3 Cisco Router 192.168.100.100

We are going to do this by sending our local UDP traffic through netcat (handling UDP) into a fifo process back into netcat (handling TCP), through the ssh tunnel then in reverse the other end. Yes I know bit of a brain teaser! You can read more about fifo files here, they are similar to pipe in linux. In essence we are sort of writing the output to a file (without actually writing anything) then sending it on its merry way through netcat via TCP then down the tunnel. Its best we see this in the flesh with an example.

We begin on the Attack machine by running up the ssh connection, here we are forwarding TCP port 6666 on localhost to TCP 6666 on the remote pivot server:

root@kali:~# ssh -L 6666:localhost:6666 user@192.168.100.10

Then on the Pivot Server we create a fifo file for netcat to talk too:

root@ubuntu:/home/user# mkfifo /tmp/fifo
root@ubuntu:/home/user# nc -l -p 6666 < /tmp/fifo | nc -u 192.168.100.100 161 > /tmp/fifo

On the Attack machine we do similar:

root@kali:~# mkfifo /tmp/fifo
root@kali:~# nc -l -u -p 161 < /tmp/fifo | nc localhost 6666 > /tmp/fifo

In second terminal on the attack machine:

Run up ‘netstat -au’ to verify snmp is listening on the local machine.

UDP netstat connections

We can then simple run snmp-check to localhost.

snmp-check 127.0.0.1

snmp-check over SSH

 

Looking further down the information we discover the following:
snmp-check over SSH another netowrk

 

Another network interface, is this possibly the internal network and route to DA..? Maybe in the next post…

Bingo UDP and snmp-check over an SSH tunnel, awesome!

Quick tip! Changing your MAC address in Windows, Linux and OSX is simple.

Changing your MAC address in Windows, Linux and OSX is simple. In this post I show you how:

For Windows:

In windows we can use PowerShell, to lookup the adapter name:

Get-NetAdapter

Then using the name of the interface we want to change specify:

Set-NetAdapter -Name "Wi-Fi" -MacAddress "1E:AT:DE:AD:BE:EF"

For Linux:

In Kali Linux we can simple run macchanger specifying the -r for random and the interface name as below:

machchanger -r wlan0

For OSX:

Open a terminal and type:

sudo ifconfig en0 1E:AT:DE:AD:BE:EF

Ace!

Avoiding AV detection when running mimikatz with sed!

In this post I will be talking about avoiding AV detection when running mimikatz with sed! I came across this on the BlackHills Information Security Website, link here. Props to Carrie Roberts for sharing this. The classic Invoke-Mimikatz.ps1 from the PowerSploit suite located here, does get detected by many Anti-Virus vendors. This really is a great for the Enterprise. However whats not so great is the way in which AV vendors are detecting it and how it can be easily bypassed! Yes AV can easily be bypassed by modifying the powershell file. Using ‘sed’ in bash we can swap out various text in the ps1 file. For example swapping out mimikatz for mimidogz as in line 1 below.

I have talked about slowing down attackers who are using mimikatz in this post. This is where we can deny access to the clear text credentials in early versions of Windows (up to windows 7). In later versions of windows (8 and above) we can deny access to the hash and the clear text credentials. This will only slow attackers down though as the OS can be modified, however this will make noise on the network. This is really is a must for slowing down attackers. Harden your systems!

Below are the sed commands:

sed -i -e 's/Invoke-Mimikatz/Invoke-Mimidogz/g' Invoke-Mimikatz.ps1
sed -i -e '/<#/,/#>/c\\' Invoke-Mimikatz.ps1
sed -i -e 's/^[[:space:]]*#.*$//g' Invoke-Mimikatz.ps1
sed -i -e 's/DumpCreds/DumpCred/g' Invoke-Mimikatz.ps1
sed -i -e 's/ArgumentPtr/NotTodayPal/g' Invoke-Mimikatz.ps1
sed -i -e 's/CallDllMainSC1/ThisIsNotTheStringYouAreLookingFor/g' Invoke-Mimikatz.ps1
sed -i -e "s/\-Win32Functions \$Win32Functions$/\-Win32Functions \$Win32Functions #\-/g" Invoke-Mimikatz.ps1

 

The Shadow Brokers dump – Eternalblue, DoublePulsar – Hello SYSTEM!

Well The Shadow Brokers dump certainly tied up a proportion of time of the Easter weekend for myself and I suspect many infosec bods. It turns out the exploit framework known as fuzzbunch which was released as part of the dump is tied to the ‘Equation Group’ threat actor,  the NSA’s Tailored Access Operations (TAO) according to Wikipedia. From my testing, this is the real deal and pretty effective at allow one to gain SYSTEM level access over an an unpatched supported operating system. It should be noted that many of the exploits have been patched by Microsoft in this months patch Tuesday, most notable MS17-010.  Interestingly there is no attribution from Microsoft in terms of who tipped MS off about the vulnerabilities, one would question whether this was the reason why MS skipped the previous months patch Tuesday.

Utilising the exploit module Eternalblue and doublepulsar from fuzzbunch coupled with Empire or Metasploit is a quick win for gaining SYSTEM level access on any unpatched systems.  If this is not patched in my view this is the next MS08-067 it terms of exploit-ability. The MS08-067 vulnerability was a classic RCE (remote code execution) and easy exploit for 9 times out 10 gaining SYSTEM level access in minutes on a pentest. In my view from my testing that I have completed in the lab with Windows 7 Professional 64bit this new vulnerability in SMB v1.0 is no different, requiring only a few extra steps. Ultimately allowing system level access in a reverse shell… yes those words should make your shudder at the thought. Ensure your systems are patched.

fuzzbunch exploit framework

What is also interesting is that these tools are from 2011-2013, as they require early python versions. One can’t help but think there are a whole raft of new tools being used in the wild potentially by the other nation state threat actor groups. This point simply emphasises the need for secure configuration in addition to mandatory patching. If indeed tools like this are out in the wild we need to ensure secure configuration in the enterprise, ie segmentation, tightening host based firewalls (yes removing access to 445 on your clients), effective monitoring, to name just a few.

How can we detect Double Pulsar?

There are a couple of ways we can detect if double pulsar has been used. Using a vulnerability scanner such as Nessus we can firstly detect whether the Critical patch MS17-010 is missing:

Nessus MS17-010

Nessus will also detect whether double pulsar has been used on a machine by sending an SMBv1 Trans2 request  .

Nessus Doublepulsar detection

In addition to this we can also use nmap’s scripting engine and invoke the smb-double-pulsar-backdoor to check if the target machine is running the Double Pulsar SMB backdoor:

smb-double-pulsar-backdoor

There are also some other specific detection scripts available on github by Luke Jennings available here and a auxiliary scanning module in Metasploit for detecting MS17-010 auxiliary/scanner/smb/smb_ms17_010.

How can we mitigate this threat?

  • Patch Patch and Patch some more, can’t emphasis this enough.
  • Stop using SMB1 as describing and advised by Microsoft in this blog post.
  • If you have SMB port 445 exposed on any systems review why and ensure only systems that need to access this port have access. Do your windows 7 clients really need this port?
  • Ensure your Firewalls are switched on and appropriate firewall configuration is in place. ie don’t just switch it on and allow everything through in any case.
  • Migrate your out of support systems XP and 2003 to new supported versions of MS Operating Systems.

Additional info from Microsoft on the Shadow Brokers was released here.

Linux Host Enumeration (Authenticated Post-Exploitation)

Linux Host Enumeration On a pentest once you have compromised a Linux host there stands a good chance you will want to go through further ‘Linux Host Enumeration’ from an authenticated position. If you have gained an unprivileged user shell such as a web user you are most likely also going to want to escalate your privileges to root or a higher privileged account and gather as much info as possible. The first stages of this are situational awareness and information gathering based on what you have right in front of you, ie starting with host enumeration. Now whether you have grown up with a Windows or a Linux background, you will probably be more au fait with one or the other. I tend to find as with myself people tend to fall into one camp or the other, probably simple due to the exposure and experience you have had with one or the other in the past. And the need to practice with the other, not so au fait side, is essential. For me I was more exposed to windows boxes.

This post will hopefully guide you through some of what I have learned with host enumeration for Linux operating systems, in this instance Debian Ubuntu. Commands will vary from distro to distro, however, this will give you a taste. Of course please feel free to comment on this particular post with what I have missed and I will be sure to update the post.

Starting on a Ubuntu 14.04 machine as root we would be looking to run the following, (some may seem obvious) however; this isn’t meant to be an exhaustive list more of a top commands:

System Information:

hostname
uname -a
cat /etc/*-release
cat /proc/version
route
arp
ifconfig
netstat -antp
netstat -anup
iptables -L
mount
dpkg -l
apache2 -v
mysql –version
cat /etc/resolv.conf
cat /etc/network/interfaces

User Information:

id
who
last
cat /etc/passwd (you will need a privilege account for this one!)
cat /etc/sudoers
cat history

Sensitive Files:

cat /etc/passwd
cat /etc/group
cat /etc/shadow

Potential SSH information:

cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

 

Searching for password files in PowerShell on a Penetration test!

Searching for password files in PowerShell

Searching for Password files in PowerShellSearching for password files in PowerShell, can be particularly useful especially for post exploitation recon phase of an engagement. PowerShell is great tool for a penetration tester. Its post exploitation capabilities has grown exceptionally over the last few years. During the course of a penetration test once you have compromised a windows host there is a good chance that you will want to enumerate the host system further and gather as much information as possible. If you have access to a low privilege user you are likely going to want to escalation your privileges to higher account. This being known as post-exploitation. This will almost always likely include searching the local system for passwords. We will want to search for xlsx, docx are classics.  Sure we can use the windows built-in gui however we can also use PowerShell. We can use the following syntax in PowerShell to search for files with the text ‘password’ in the filename, just like below. We use the wildcard ‘*’ either end of the ‘passwords’ so we can search for variations in the file name. Ace!

Get-ChildItem "C:\Users\" -recurse -filter *passwords*.txt

Searching for Password files in PowerShell

Simple, quick and very effective, this needs to be in your cheetsheet!

Conducting a PowerShell Port Scan – Post Exploitation

How to conduct a PowerShell Port Scan. Using PowerShell to conduct a simple port scan is very useful. If you have compromised a Windows server on a pentest and want to conduct a quick port scan you can use PowerShell. This might be to verify open ports on a neighboring system or to check egress filtering outbound to the internet using a public IP.

Using this simple one liner will produce a port scan of all ports 1-65536, the code snippet will also ask you for the IP address you want to port scan. Of course you can swap out the port range or simply substitute the ‘1..65536’ for something shorter like ’80, 445, 3389′ just like in the second example:

$Server = Read-Host -Prompt 'Input your target IP/host' ; 1..65536 | % {$test= new-object system.Net.Sockets.TcpClient; $wait = $test.beginConnect("$Server",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if ($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "
$Server = Read-Host -Prompt 'Input your target IP/host' ; 80, 445, 3389 | % {$test= new-object system.Net.Sockets.TcpClient; $wait = $test.beginConnect("$Server",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if ($test.Connected){echo "$_ open"}else{echo "$_ closed"}} | select-string " "

And in action this looks like the below:

PowerShell Port Scan

PowerShell Port Scan

Conducting a PowerShell Ping Sweep

In this post we will look to see how we can conduct a PowerShell Ping Sweep. So you are on a pentest engagment and have just owned a box and can see an alternative subnet or have just pivoted into a new subnet. You know want to know what else is in that new subnet but can’t access it from your attack machine. You will want to see what is alive and so a quick ping sweep of the subnet is in order to see how many targets are in the range. Why not use PowerShell. This is pretty straightforward, we can use the following syntax to perform a ping sweep of a /24 subnet:

1..255 | % {echo "10.0.2.$_"; ping -n 1 -w 100 10.0.2.$_ | Select-String ttl }

This should look like this in action:

PowerShell Ping Sweep

Pivoting with netsh in Windows – post exploitation goodness!

Move across a network by pivoting with netsh in windows!

Just a quick post to demonstrating pivoting with netsh in Windows. More specifically port forwarding with netsh in Windows (Windows 7 and above). This really is great as your not having to upload any tools to the target system. It is limited in its functionality however, is a great option for say a single port such as 445 or 3389.

netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

Now if you don’t have interactive logon rights but you have a PSEXEC, PTH or even a meterpreter session you can add a port forward on you target system and pivot to your next target with SMB/445. This is especially great when you think of tools like PSEXEC module in Metasploit or the main other remote CMD tools available. Now you could use the autoroute or route add function in Metasploit but its nice to have a backup plan if you didn’t have Metasploit!

You can use the below to display your port forwarding rules:

netsh interface portproxy show all

Just remember to clear down your port forwarding rules when your finished with:

netsh interface portproxy reset

This all comes together like the below: (you can see here i have just used random ports just to give you an example how it looks).

Pivoting with netsh in Windows

Enjoy!

VLAN tagging in Kali Linux 2.0

Connecting to Trunked Ports!

Just a quick post on how to configure VLAN tagging in Kali Linux 2.0. If we have a trunk port presented to us, how do we utilise it?

To setup vlan tagging in Kali Linux 2.0 is pretty straight forward, to set the scene and demonstrate this further we need a lab. The below lab is our ‘test.local’ environment set up in GNS3. There are 3 vlans, 10 20 and 30. 10 and 20 are routable, vlan 30 is isolated from 10 and 20. In the lab we have a ‘router on stick’ configured  at R4, fa0/1 is sub interfaced with vlans 10 and 20. utilising DHCP, vlan 10 for servers and vlan 20 for clients. All devices in vlan 30 are statically assigned IP addresses and not routable to the 10 and 20 vlan networks.  In all switches there are a variety of 802.1q trunked and access ports.

The idea of the lab is that vlan 30 can’t talk to vlan 10 or 20. However as a trunked port is presented to the Kali vm, it will be able to communicate to all vlans.

This is how it looks:

VLAN tagging in Kali Linux 2.0 - switch configuration

Lets look at how we would configure Kali to test all hosts in the different vlans, first via CLI and then via GUI in Network Manager:

As you can see with the current trunk connection we can’t access any of the networks, however a quick Wireshark does reveal we can see traffic and the different vlans…

First lets open up ‘/etc/network/interfaces’ in nano and add our interfaces. The idea is very similar to a cisco router we are essentially sub interfacing our network connection in the interfaces file:

An alternative configuration for the interfaces file which I have used as well is the following, both work just as well:

Save our file  restart the networking service and then simply bring up the sub-interfaces with ‘ifconfig XXX up’ where XXX is our subinterface so:

‘ifconfig vlan10 up’ or ‘ifconfig eth0.10 up’ as below:

We can now access all of our vlans in question.

Further to this, if we set off a ping to each network and Wireshark the trunk connection we can see our tagged packets. Hooray.

The Gui is even easier, lets configure it via the Network Manager. We will do this via opening up our network connections/Network Manager, simple click on the ‘+’ sign, select ‘VLAN’ fill in the details on the vlan tab as well as the ‘IPv4Settings’ tab:

And there you have it.

I hope this helps someone!