Psexec Python Rocks!

[Editor’s Note: Last week, we posted an article about the many faces of psexec functionality from Sysinternals, Metasploit, and the Nmap Scripting Engine, with some tips for using it, along with a Penetration Tester’s Pledge.  Continuing in that vein, Mark Baggett describes another way to do psexec, and to do it very flexibly: via Python.  With psexec.py, penetration testers and ethical hackers can incorporate psexec functionality into their own code, giving huge new avenues of increased flexibility and automation.  Sweet!  –Ed.]

By Mark Baggett

Python rocks! PSEXEC rocks! So, what could be better than psexec written in Python?  The psexec.py script is one of many examples of super useful penetration testing scripts that are distributed with the IMPACKET Python module available from Core Labs.  Kudos and many thanks to Core Security for their lab tools and the great features of IMPACKET.

After downloading and installing IMPACKET, running the Python version of psexec is pretty intuitive. You provide the script with credentials along with a target, and it does exactly what you would expect it to do. The following image illustrates how you would run cmd.exe on target 10.10.11.9 with a username of demoadmin and a password of demopass.

Now, you may be saying to yourself, “SO WHAT?  I can do that with the psexec tool from Microsoft Sysinternals.”  You’re right.  But this is a Python script! That means if I want to use all of that psexec awesomeness in my own programs, all I need to do is import psexec.py into my own script, or into the Python shell.  Then, I can build features on top of it, and make something even more powerful.

In the next image, you can see it only requires three lines of code to make use of the psexec feature from within your own script.  In the first line, we “import psexec”, making all the functionality in the original script available in the shell. In the second line, we create an object called “psobject” that is of type “PSEXEC”.  When we create the object, we initialize it with a command (cmd.exe), the path to that program on the remote machine (c:\windows\system32\), the port and protocol (445/SMB), and the login credentials.  Because the backslash is an escape character in Python strings, each backslash in the path (c:\windows\system32\) has to be doubled, so it becomes (c:\\windows\\system32\\). Now, to execute the code, all we have to do is provide psobject with a target IP address. In the third line, we provide the target IP address to the psobject’s run method.

Running that same command against multiple hosts is just a matter of passing different IP addresses to the run method, so finding targets in a range where these are valid credentials is a trivial process. A simple “for” loop can go through all the targets in a given IP range as follows:

# run the same command against every host in 10.10.11.1 through 10.10.11.255
for lastoctet in range(1, 256):
    ip = "10.10.11.%s" % str(lastoctet)
    psobject.run(ip)

You can also try a list of usernames and passwords on all those same target hosts like this:

Okay, but who uses passwords anymore?  More often than not, I’m passing the hash to access a target.   That is not a problem with psexec.py!  Instead of setting the “password” parameter, we set the “hashes” parameter, and login with a hash.  Nice!

That is the power of Python, my friends! With an import and a few lines of your own code, you can do some really lethal stuff.  You don’t have to be a coding expert to create some really great tools by tying together features of already existing, really powerful libraries and modules.

Follow me on twitter : @MarkBaggett
–Mark Baggett


Upcoming SANS Special Event – 2018 Holiday Hack Challenge

KringleCon

SANS Holiday Hack Challenge – KringleCon 2018

  • Free SANS Online Capture-the-Flag Challenge
  • Our annual gift to the entire Information Security Industry
  • Designed for novice to advanced InfoSec professionals
  • Fun for the whole family!!
  • Build and hone your skills in a fun and festive roleplaying-style video game, by the makers of SANS NetWars
  • Learn more: www.kringlecon.com
  • Play previous versions for free 24/7/365: www.holidayhackchallenge.com

Player Feedback!

  • “On to level 4 of the #holidayhackchallenge. Thanks again @edskoudis / @SANSPenTest team.” – @mikehodges
  • “#SANSHolidayHack Confession – I have never used python or scapy before. I got started with both today because of this game! Yay!” – @tww2b
  • “Happiness is watching my 12 yo meet @edskoudis at the end of #SANSHolidayHack quest. Now the gnomes #ProudHackerPapa” – @dnlongen

Coinage: The SANS Pen Testing Coins Backstory

[Editor’s Note: Some things I work on are the result of ten, thirty, or one-hundred minutes of effort.  Others are the result of six months or a year of work (such as my office tour).  This blog is the result of over a year’s work by not only me, but also John Strand, Josh Wright, Kevin Johnson, Steve Sims, and many others.  

In each of the seven SANS Penetration Testing Curriculum courses, Day 6 is a Capture the Flag (CtF) event, allowing students to pull together their experiences from the previous five days into a full-day exercise that models real-world penetration test activities.  For about a year now, we’ve been rolling out course-specific CtF challenge coins as a prize for the noteworthy accomplishment of coming in the Top five winners in each class.  But, only a few people know the backstory of the SANS Pen Test Curriculum coins… until now. You see, there is a cipher embedded in each coin, and here’s the story of how that came to be.
–Ed.]

Several years ago, Rob Lee started giving away challenge coins to people he calls “Forensicators” (Given my delicate virgin ears, I blush every time I hear that word, by the way).  Rob awards these really beautiful coins to people who do something special — write a blog post, ask a great question in class, write a tool, win a challenge in a class, and more.  I’ve always thought his coins were a fantastic idea, and a wonderful reward for people who do great stuff.  Rob was pushing me for years to create a pen test coin.  “Where’s _your_ coin, Ed?” he’d sometimes taunt, in that precious way only Rob Lee can muster.

But, while I loved what Rob did with the coins, I didn’t want to just copy Rob’s coin plan.  So I thought about the situation for months, and how we could tie some sort of coin thing into the SANS Pen Test courses.

On Day 6, each Pen Test course has a Capture the Flag competition, and, for my courses, I’d always given out an autographed copy of my book as a prize.  My publisher generously sent those books to me for free, as a marketing thing.  I was really happy to get them.  About 18 months ago, there was a staffing change at my publisher, and they told me “No more free books” (kinda like the “No free bugs” movement, only completely different).  Buying books at the author’s price was still a bit pricey ($30 each), so I bought some books myself as prizes while I started brainstorming other options.

During one of my morning walks, it hit me… my two problems (getting a coin for the Pen Test Curriculum to address Rob’s taunting challenge, plus being kicked off of the free book gravy train for CtF prizes) could be used to solve each other, and we could add some fun and whimsy to the whole thing.  The idea was to have a different prize coin for each SANS Pen Test class.  Money-wise, we could give five prize coins away in each class for about the same price as the book.

And, instead of just 504, we’d have a different coin for each of the pen test classes, so people could collect them all!  We’d give each course’s coin a different theme, such as super heroes, ninjas, and spiders.  The course’s author could impart their own personality, wisdom, and humor into each coin.  And, best yet, the coin imagery could be taken as a course icon.  SANS has course icons for some of the other (non-pen-test) courses, but none for pen test courses.  I didn’t want a clip-art or stock image look for the course icons, so at that time I was working on a small project to try to come up with special course icons.  That project was fail fail fail, as the artists were only creating garbage.  But, the coin project also solved the logo problem too!  Win-win-win.

In early 2012, I set about having an artist work on the 504 coin.  We spent about a month going through ideas and drafts.  Then, at RSA in Feb 2012, we had our final draft ready to send.  I showed it to my friends and colleagues at the RSA conference, and they loved it!  I was excited.

But, at that same RSA conference, when I showed the 504 coin image to John Strand, he said, “Really cool… and what is the challenge?”

I replied (and this quote is 100% accurate), “Wha???”  Strand said back, “Well, this is a Skoudis thing so there must be some kind of challenge or puzzle built into the coin.”  Me: “Oh…uh… yeah.  I’m working on that.”  I panicked.  Strand was right, and I hadn’t thought this through enough.  It could be a hundred times better the way he suggested.

The coins were already in fabrication, and I needed to retrofit a challenge into the coin.  Walking the streets of San Francisco, I thought long and hard.  Then, it hit me — we could have a single phrase that weaves its way throughout each pen test course coin.  Each coin would have a unique cipher for part of the phrase.  People would have to solve all kinds of ancient, modern, and custom-created twisted ciphers from all of the coins to get the final phrase that pays.  Then, we’d give the first person to win and decode all the coins a really exciting prize.  I ran it by SANS management, and they were on board.  This would be a big undertaking, rolling out eight coins over the space of a year, but lots of fun — with the ultimate embedded mystery in the coins themselves.

But, there remained the problem of the 504 coin not having an encoded message.  I continued to think — and then, “Heeeeeey!  We could bootstrap this by using the text on the back of the 504 coin as a reference to decode something.”  I don’t want to give away how it works, but it is a little like a one-time pad based on a historical cipher.

With that problem solved and our plan in place, we got our first batch of 504 coins in Orlando in March 2012.  They were a hit.

We got our first batch of 560 coins in Baltimore in April 2012.  More excitement.

The 575 coin came in May 2012 in San Diego.  Josh hired his own artist to do it, and it was AWESOME with a cool cipher, great theme (Gamera, the flying turtle monster that battled Godzilla), and inspired artwork.  Next, the 542 coin arrived in June 2012 in Denver, with my artist working on spider ideas provided by Kevin Johnson and Lara Dawson.  Then, the 660 coin appeared in DC at SANS FIRE in July 2012, done by Steve Sims’ artist using a Conan the Barbarian theme.

We hit a snag.  Our artists were pretty tapped for ideas, as were we.  There were three more coins needed: 617, 642, and NetWars.  It took a few months, but we finally got the NetWars coins done in the nick of time for the Tournament of Champions in December 2012.  The Counter Hack Challenges guys and I created a custom cipher over Thanksgiving (at the same time we were working on the Miser Brothers’ Holiday Hacking challenge) for that one.  Then, the 617 coin debuted in January 2013 featuring another movie monster (that knife-headed monster Guiron from another Godzilla movie, via Josh’s artist).

We are almost there with our final coin: the one for 642, which we just finished last week and will pass out starting in one month.  That’ll make 8 coins total, with the following themes (please click on the theme for a full view of the face of each coin):

504: Super Heroes (with a nod to Batman, Spider Man, and the Incredibles)
542: Spider & Fly
560: Ninja
575: Reptile Monster Movie (Gamera)
617: Another Reptile Monster Movie (Guiron)
642: Samurai and Dragon
660: Conan the Barbarian
NetWars: The World


Each coin includes on its face the course name, number, and logo, as well as some words about what the course is about.  On the back, there’s an inspirational quote congratulating the winner and challenging him or her to do great things.  And, of course, there is a different cipher on each coin’s back.  I must say, it has been TREMENDOUSLY fun adapting historical ciphers and encodings to the coins, as well as creating our own fun ciphers from scratch.

But, not everyone wins a coin, and some people really like the images from the course and wanted something to take home.  Even the people who won the coin wanted another way to represent their victory.  So, we tried another experiment at SANS Vegas in September 2012 — we had little stickers made up with the coin images on them, to distribute to folks who took the course.  When we went to pass them out, students went CRAZY for them.  We gave them all away in a matter of minutes.  We’ve been passing them out at selected conferences ever since.  Oh, but the stickers DO NOT have the ciphers on them.  If you want the ciphers, you have to win the coin (or use your wiles, wit, persuasion, and other more nefarious tactics) to determine those.

And, that’s the story of the coins.

The story does continue, though — we’re having T-shirts made up that show all 8 coins on the front (two rows of four coins), and then a mysterious coin-shaped silhouette lit from behind underneath.  We hope to have those T-Shirts later in 2013.  That way, students can wear the shirt and point to the coins they’ve won, and also point to the next one they plan to conquer.  What’s that 9th coin, in silhouette, you ask?  Well, that’s another mystery (our funk is multi-layered).

Oh, and we have one more thing up our sleeves for people who have taken our courses in the past, but perhaps didn’t win a coin (either because we didn’t have the coins at the time, or because they didn’t win the CtF).  I call this idea and event “Coin-A-Palooza”.  Just at two special events, if you have taken a given SANS Pen Test course before, your NetWars performance will allow you to earn coins for those courses you’ve taken before.  People who get from Level 1 to Level 2 of NetWars will get a 504 coin (if you’ve taken 504 before… and we will be checking).  If you go from Level 2 to Level 3, you can get a 542, 560, 573, or 575 coin of your choosing if you’ve taken those courses.  If you go from Level 3 to Level 4, you’ll get your choice of a 617, 642, or 660 coin.  And, if you come in the top 5 spots of NetWars at the event, you get a NetWars coin.  So, people will be able to pick up between one and five extra coins at the event.

I’d like to close by congratulating the victors of the various SANS Pen Test Courses.  You folks have done something very special, and, as an instructor, it has been an honor working with you as you develop and apply your incredible skills.  On behalf of all the SANS Pen Test Curriculum instructors, we’d like to thank you for your hard work, diligence, and achievement of excellence!

–Ed Skoudis.
SANS Penetration Testing Curriculum Lead
Director, SANS NetWars & CyberCity Projects
Founder, Counter Hack Challenges


Mobile App Analysis with NetworkMiner

[Editor’s Note:  Josh Wright provides some really useful insight in how penetration testers and vulnerability assessors can use tools traditionally associated with digital forensics to look for information leakage flaws from mobile applications.  The techniques he describes below are powerful yet pretty easy to implement — That’s awesome.  Check out the interesting issue Josh discovered in Dropbox using the technique! –Ed.]

By Joshua Wright

As a penetration tester and author of the SANS Mobile Device Security and Ethical Hacking (SEC575) course, I get this kind of question a lot:

“My organization is looking at deploying the XYZ app company-wide.  Is the app secure? Any significant flaws I should know about?”

With the Apple and Google Play stores each adding nearly 1,000 new apps per day, it’s hard to keep up.  Analyzing the security of mobile device applications can be time-consuming and cumbersome, but there are some easy tools that we can use to get quick results.

In this short series of articles, I’ll present tips and techniques for evaluating the security of mobile device applications for both Apple iOS and Android.  First, we’ll start with network traffic analysis with NetworkMiner.

NetworkMiner

NetworkMiner is described as a Network Forensics Analysis Tool (NFAT).  This is both an unfortunate acronym and a shortcoming since NetworkMiner is useful for many tasks beyond the scope of forensic analysis.

NetworkMiner evaluates live or stored network traffic, summarizing the data in a useful and easy-to-browse manner.  Unlike Wireshark (a tool I love dearly), NetworkMiner doesn’t try to give you all the information.  Rather, NetworkMiner summarizes the network traffic into several tabs of information that can be quickly assessed without digging into the minutia of network protocols.  Personally, I love the minutia of network protocols, but there are only so many hours in the day.

Dropbox for Android

For this article, we’ll look at the security of the Dropbox application (version 2.1.10) since it is a popular application used by many mobile device users for transferring and synchronizing potentially sensitive documents.  I installed the Dropbox application from the Google Play store on my Samsung Galaxy S3 running Android 4.1.1 (Jelly Bean).

After installing Dropbox, I created a new Dropbox account, and uploaded some images, a PDF file and an MPEG movie file to my account through the web interface.  Next, I started a packet capture using tcpdump on a hub connected to the WiFi AP my Android device is connected to (you could use a network tap, or a span port, as appropriate).  My Android device is using a local IP address of 172.16.0.134.

With my packet capture running, I performed several actions using Dropbox:

  • Logged in to the Dropbox application
  • Downloaded three different image files
  • Opened a PDF file, invoking the default Galaxy PDF viewer (Polaris Office)
  • Streamed a video file

Next, I ran the packet capture through NetworkMiner to assess the results.

Network Activity Analysis

After opening the packet capture with NetworkMiner, I have a populated list of 25 unique hosts.  Of these identified hosts, only the bold lines represent hosts where network traffic was sent or received (the remainder are extracted from HREF links or other host references).  In the Hosts tab, we can quickly change the sort order to identify the hosts that sent or received the most packets, the greatest number of listening TCP ports, or even the Time To Live (TTL) distance.  For me, the best summary data is available on the Sessions tab.

The Sessions tab summarizes the unique session traffic, sorted by the frame number that initiated the session.  For TCP-based protocols, this view gives us a mostly-chronological list of hosts and protocols that were used.

In the previous figure, we see two TCP/443 (SSL) sessions from my Galaxy S3 (starting with frames 2 and 28).  These likely correspond to the authentication exchange from the Android Dropbox software to the Dropbox servers.

Immediately afterward, we see three more SSL sessions, pointing to dl-balancer.blah.dropbox.com (with an alias indicating that Dropbox uses Amazon AWS services).  This likely corresponds to my three image open operations, each one retrieving the selected image from the Dropbox server.  So far so good; authentication appears to happen over SSL, and file transfers happen over SSL as well.

At the TCP session starting with frame 996 there is another request, corresponding to my selecting and opening a PDF file from Dropbox.  This leads to some different host activity, including HTTP requests to www.google.com and usermgr1.polarisoffice.com.  The www.google.com request is inconsequential here (further inspection in Wireshark indicates that the Android client opens the TCP connection and then closes it without sending any data), but the second request corresponds to the startup of the Polaris Office PDF viewer on my Galaxy S3 device.

After closing Polaris Office and returning to Dropbox, I opened a movie file.  This causes Dropbox to stream the content to my Android device within the Dropbox application.  In the NetworkMiner view, we can see that the initial connection establishment process starts over SSL, but then reverts later to HTTP.

From this analysis, we can determine that the Dropbox for Android application encrypts file transfer activity for image and PDF files.  Invoking Polaris Office and seeing the HTTP request that was sent may indicate to an attacker that the document opened is one that is not natively supported by Dropbox (such as a PDF, MS Office file, or other formats supported by Polaris Office), but otherwise does not disclose the content of the files themselves.  However, the use of SSL does not extend to the streaming video content.

Extracting Files from Network Data

Perhaps the most significant feature of NetworkMiner is the ability to extract file content from network traffic, recreating the files on the filesystem in the NetworkMiner “AssembledFiles” directory.  Clicking on the “Files” tab lists the extracted file content along with the associated protocol and server IP addresses.  Where possible, NetworkMiner will also identify the file type and filename.

Many of the files listed here are “.cer” files, corresponding to certificate data exchanged in the SSL connection setup process.  Right-clicking and selecting “open file” on any of these lines will open the associated file handler as shown below.

Navigating to the filename associated with the Polaris Office HTTP traffic reveals an XML file that was transferred at application startup as shown below.  These URLs are used in the Polaris Office application as part of application screen content, potentially creating an opportunity for a man-in-the-middle attacker to exploit cross-site request forgery or client-side injection vulnerabilities.  I’m sure one of our faithful readers will investigate this issue in more depth at some point in the future.

Scrolling further down in the NetworkMiner files tab indicates that several “MP2T” files were also extracted from the packet capture, corresponding to 8-10 second clips of the movie file I transferred in Dropbox.  Opening these files in a media playback tool such as Windows Media Player displays the content of the video (with audio) as shown below.

Not only is Dropbox streaming video content in an unencrypted fashion, but NetworkMiner is ready and able to extract and recreate that content for us.  Although the content is stored in shorter segments than the original video, it is easy to put the entire video back together with an M3U playlist file that identifies each filename to play in sequence.  Additional analysis is needed to determine if this is the only file type that Dropbox for Android delivers in an unencrypted format, or if other file content is similarly disclosed.

NetworkMiner FTW!

NetworkMiner is not trying to take the place of Wireshark, but it is an easy tool to use to quickly assess the hosts and protocols in a packet capture, and to extract and recreate file content.  I’ve given it a special place of honor in my C:\TOOLS directory on my Windows boxes, and will certainly return to it on future mobile application security assessments.

– Joshua Wright

[If you are interested in detailed penetration testing and analysis of mobile applications and environments, you should definitely check out Josh’s SANS Security 575 course, which provides a treasure trove of information, tools, and techniques for securing and testing mobile environments.  There are several upcoming sessions in cities around the world, including Monterey CA, Reston VA, San Diego CA, Berlin Germany, Washington DC, and Canberra Australia.  The full schedule is here.]

iPillaging – Snarfing Useful Data from iOS Images

[Editor’s Note: Tim Medin has taken the SANS Security 575 course on Mobile Device Security and Penetration Testing more than any other human.  His frequent stints as a teaching assistant for Josh Wright (yes, mandatory back rubs) have ensured that unique distinction.  In the course, they look at all kinds of cool ways to analyze and exploit security weaknesses in iOS, Android, Blackberry, and Windows Phone environments.  In the article below, Tim provides practical information on extracting useful goodies from iOS devices, specifically finding and extracting relevant info from plist files and sqlite databases.  It’s all wrapped up in a bizarre super-hero fantasy too.  Enjoy!  –Ed.]

After taking the new SANS 575: Mobile Device Security and Ethical Hacking class, I was really excited to play with some of the techniques I learned. When I got home, I started rooting all of my devices and looking for interesting information leaked by applications.

Sometimes when I’m working at home, I like to pretend that I’m fighting comic book criminals. Naturally, I’m wearing my underwear^h^h^h^h^h^h^h^h^h^h^h^h a cape and fighting crime. I’m not one of those superheroes everyone knows about, but instead, I’m the nerdy super hero with an all-too-small cape and uncomfortable tights. Welcome to my mind, where I apply practical knowledge of analyzing mobile devices in my own nerdy super-hero fantasies…

Department X is trying to track down and stop the evil Dr. Loki. An iPhone was taken from one of the not-so-good Dr.’s minions after he was captured trying to steal large quantities of trout from a hatchery. My tiny cape and I need a quick way to rip through the file system of an iPhone and look for clues. We aren’t sure of Dr. Loki’s plans, and our department has little funding (we can’t even afford a longer department name or a properly sized cape), so I needed to do it cheap…and fast! (These tights are starting to constrict blood flow.)

I need a way to quickly rip through the file system and search for data related to Dr. Loki’s evil plan. Fortunately, the minion rooted his phone and didn’t change the default credentials of root/alpine, which allowed Department X to quickly copy the iPhone’s file system. Now that I have the file system, what should I look for? If you aren’t familiar with the iOS platform, most of the important data exists in plist files or sqlite database files. We need to find these files and search inside them for specific keywords. Let’s start with plist files.

Plist files come in two flavors, the regular vanilla XML text flavor and the Apple-flavored binary format. Parsing the regular text XML format is easy, but the Apple proprietary format is a different story. Ideally, we would like to use the same tools to read each, but the built-in tools on a Mac don’t exist on the other platforms. To quickly extract the data from a plist file via a Mac, I can use this command:

$ plutil -convert xml1 -o - somefile.plist

The plutil command allows for all sorts of interaction with plist files. This command will read a plist file (binary or text) and output it as text XML. The “-convert xml1” does the conversion and “-o -” outputs the results, where the dash (-) means send the output to STDOUT.

We can read plist files, but we need to find them first. To find plist files we can use the aptly named find command. The find command’s -exec option allows another command to be executed based on the found files. The combined search and execute looks like this:

$ find . -name '*.plist' -exec plutil -convert xml1 -o - {} \;

This command will find the plist files and then output them in text format. Some good ol’ grep fu can be appended to find interesting data in the files. We may need to run this more than once, so a script format like this is handy.

#!/bin/sh
# plistsearch.sh: dump every plist under the current directory as XML, then grep the output;
# every argument given to the script is passed straight through to grep (pattern and any options)
find . -name '*.plist' -exec plutil -convert xml1 -o - {} \; | grep "$@"

The first portion of the command is the same as earlier; the only difference is the grep command and the extra parameters. That way, we can pass extra grep options to grep in addition to the required search string. For example, this command will highlight our matching string and display four lines of context after a case-insensitive match (-i) of the word “plan”:

$ ./plistsearch.sh --color=always -A 4 -i plan

Step 1 of the plan is to get large quantities of trout
Step 2 of the plan is <redacted>
Step <redacted> of the plan is get some pizza
Step 4 of the plan is TBD
Step 5 profit

Searching in plist files on other platforms isn’t as easy. I encountered some issues with Python’s libplist and it, much like my cape, proved to be useless. Fortunately, the biplist library works well with both text and binary formats. YEAH!

I created a python script called plistdump.py (which you can get here) to find plist files and dump them to STDOUT. You can run this script on any machine where you have a python interpreter installed, thus freeing you from the plist prison of the Mac and allowing you to adventure forth on Linux or Windows machines.  The output of the script can be used with grep for filtering/searching. The script includes features that will find plist files (Windows people may need this) and functionality to search inside the found plist files. If the search string is not specified, then plist files are dumped to STDOUT where OS-specific tools can be used to find the strings (grep on Linux, Find and FindStr on Windows).

We found some interesting information in the plist files, but there must be more. Time to check the sqlite3 databases.

Searching in sqlite3 database files is pretty simple. The sqlite3 executable allows SQL commands to be executed right from the command line. To dump the contents of a database file we can use this simple command:

$ sqlite3 sms.db .dump

The hard part is that the sqlite files can be named whatever the developer wants to call them. To find the files we need to do a little extra fu with the find command.

$ find . \( -name '*.db' -or -name '*.sqlite' -or -name '*.sqlite3' -or -name '*.sqlitedb' -or -name '*.sqlite3db' -or -name '*.mddb' \) -exec sqlite3 {} .dump \;

This command will search for files that end in .db, .sqlite, .sqlite3, .sqlitedb, .sqlite3db, or .mddb (the patterns are quoted so the shell does not expand them before find sees them). We then use the -exec option with the find command to execute sqlite3 and dump the contents. We can then use grep to search the output.

Sorry, but this only works on OSX and Linux. On Windows you can use PowerShell thusly:

PS C:\DrLoki_Image> ls -r | ? { ".db", ".sqlite", ".sqlite3", ".sqlitedb", ".sqlite3db", ".mddb" -contains $_.Extension } | % { C:\bin\sqlite3.exe $_.FullName .dump } | Select-String trout -Context 0, 4

where r we going 2 get the machin guns 4 all the troutz

we'll unleash the trout <redacted> with <redacted> and <redacted> sauce
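As an added, cross-platform example (not Tim’s plistdump.py and not code from the original article), the plist and sqlite sweeps above combined into one Python script: it walks a copied file system, identifies plist and SQLite files by their leading bytes rather than by file extension (so a database the developer named something unexpected is still found), parses both XML and binary plists with the standard library’s plistlib, and searches plist keys and values and every table row for a keyword. The sample files, their names and the search term are constructed here for illustration.

```python
import os
import pathlib
import plistlib
import sqlite3
import tempfile

# Content signatures: binary plists start with "bplist00", SQLite files with this 16-byte header.
BPLIST_MAGIC = b"bplist00"
SQLITE_MAGIC = b"SQLite format 3\x00"


def classify(path):
    """Identify a file as 'plist', 'sqlite' or None from its leading bytes, not its name."""
    with open(path, "rb") as fh:
        head = fh.read(256)
    if head.startswith(SQLITE_MAGIC):
        return "sqlite"
    if head.startswith(BPLIST_MAGIC) or b"<plist" in head or path.endswith(".plist"):
        return "plist"
    return None


def flatten(obj, prefix=""):
    """Yield (keypath, value) for every scalar inside a parsed plist structure."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}/{key}")
    elif isinstance(obj, (list, tuple)):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{prefix}[{idx}]")
    else:
        yield prefix, obj


def search_plist(path, needle):
    """Case-insensitive search of keys and values in an XML or binary plist."""
    with open(path, "rb") as fh:
        data = plistlib.load(fh)  # fmt=None: plistlib sniffs XML vs. binary by itself
    needle = needle.lower()
    return [f"{path}:{kp}: {val}" for kp, val in flatten(data)
            if needle in kp.lower() or needle in str(val).lower()]


def search_sqlite(path, needle):
    """Case-insensitive search of every column of every table; the file is opened read-only."""
    needle = needle.lower()
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")]
        hits = []
        for table in tables:
            # the table name comes from the file itself, so it is quoted as an identifier
            for row in con.execute(f'SELECT * FROM "{table}"'):
                if any(needle in str(col).lower() for col in row):
                    hits.append(f"{path}:{table}: {row}")
        return hits
    finally:
        con.close()


def search_tree(root, needle):
    """Walk a copied file system; return (hits, files that could not be parsed)."""
    hits, errors = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                kind = classify(path)
                if kind == "plist":
                    hits.extend(search_plist(path, needle))
                elif kind == "sqlite":
                    hits.extend(search_sqlite(path, needle))
            except Exception as exc:  # a corrupt or truncated file must not abort the sweep
                errors.append(f"{path}: {exc}")
    return hits, errors


def build_sample_image(root):
    """Constructed sample data (not from any real device) covering all three file kinds."""
    prefs = os.path.join(root, "Library", "Preferences")
    os.makedirs(prefs)
    with open(os.path.join(prefs, "com.example.minion.plist"), "wb") as fh:  # binary plist
        plistlib.dump({"Owner": "minion", "Plan": ["Step 1: get lots of trout", "Step 2: TBD"]},
                      fh, fmt=plistlib.FMT_BINARY)
    with open(os.path.join(prefs, "com.example.notes.plist"), "wb") as fh:  # XML plist
        plistlib.dump({"Note": "deliver the trout by Friday"}, fh, fmt=plistlib.FMT_XML)
    # a SQLite database whose extension no "-name *.db" style pattern would ever match
    con = sqlite3.connect(os.path.join(root, "Library", "cache.dat"))
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    con.executemany("INSERT INTO messages (body) VALUES (?)",
                    [("where is the trout truck",), ("nothing to see here",)])
    con.commit()
    con.close()
    with open(os.path.join(root, "readme.txt"), "w") as fh:  # decoy: neither format, skipped
        fh.write("trout\n")


def demo(needle="trout"):
    """Build the sample image in a temp dir and search it; returns (hits, errors)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return search_tree(root, needle)
```

Running demo() yields one hit each from the binary plist, the XML plist and the oddly named database, while the plain-text decoy is ignored; point search_tree at the root of a copied file system to use it on a real image.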

This quick and dirty technique is useful for quickly looking through the iOS file system, and here we used it to prevent a catastrophe! While I’m not able to disclose the details of what happened in my head for security reasons, I can say that you should be happy that St. Patrick’s Day wasn’t interrupted by machine gun toting armies of stinky fish.

By the way, if you are interested in signing up for the AWESOME 575 course, there are several upcoming sessions in cities around the world, including Monterey CA, Reston VA, San Diego CA, Berlin Germany, Washington DC, and Canberra Australia.  Check them all out here: https://www.sans.org/course/mobile-device-security-ethical-hacking.  The course really provides a huge amount of useful information about attacking (and defending) mobile devices and the infrastructures that support them!

-Tim Medin
Counter Hack Challenges

A Penetration Tester’s Pledge

by Ed Skoudis

Over the weekend, I was thinking about the wonderful psexec capabilities of tools like Metasploit, the Nmap Scripting Engine smb-psexec script, and the psexec tool itself from Microsoft Sysinternals.  It’s my go-to exploit on Windows targets, once I have gained SMB access and admin credentials (username and password, or username and hash for pass-the-hash attacks).  It works on a fully patched Windows environment, giving you code execution with local system privileges of a program or Metasploit payload of your choice.  That’s especially helpful in a penetration test once you gain access to an internal network that is relatively well patched.  We talk a lot about how to leverage this capability creatively and effectively in my SANS SEC560 course on Network Penetration Testing and Ethical Hacking.

During my class, this lesson sinks in with some students faster than others.  Where it doesn’t sink in, target crashing inevitably ensues as people try other service-side exploits to hammer a target.  To help make the lesson of the usefulness of psexec a little more memorable, I’ve created the following Despair-like poster, titled “A Penetration Tester’s Pledge”:

*Photo credit: Wiki Commons, User Grj23

Don’t get me wrong: I love service-side exploits as much as the next guy.  But, some of them could crash target processes or even entire systems.  Further, psexec is so wonderful because it comes in handy once you’ve compromised one target (perhaps with a client-side exploit), escalated privileges, grabbed some juicy-licious admin credentials, and are looking to spread to more prey.   Now, you can target other fully patched Windows systems in the environment with psexec, your new besty-best friend forever.

The psexec capability just completely rocks, and we have several different variants to choose from:

  • If you want super flexibility in making the target machine run a Metasploit payload of your choosing, such as the mighty Meterpreter, use Metasploit’s psexec module (windows/smb/psexec), which also supports pass-the-hash for authentication (no need to know what the password is; instead, just set SMBPass to the LM:NT hashes). You can also choose a custom RPORT besides TCP 445, so you can port-forward pivot other ports through to your ultimate target’s TCP port 445.
  • If you want to run something at scale across a large number of machines you’ve scanned, consider using Ron Bowes’ psexec Nmap Scripting Engine script on targets where you’ve found TCP port 445 open, which also supports pass-the-hash sweetness.
  • If you are in an environment that prohibits you from running third-party attack tools like Metasploit or Nmap (oucha, I know), you might want to use Microsoft SysInternals’ own psexec program, which typically doesn’t flag anti-virus tools because it comes from Microsoft itself and is regularly used for system administration.  This version doesn’t explicitly support pass-the-hash, but you can use Hernan Ochoa’s excellent Windows Credentials Editor (WCE) to inject your hashes into your Windows machine’s memory, and then use Sysinternals psexec with the new credentials.

Regardless of the variant you use, psexec leverages your credentials to make an SMB connection to the target machine, writes into its file system some code you want to execute, creates a service on the box, and uses the service to execute your code. If you use the Metasploit or NSE versions of psexec, it then cleans up after itself, by deleting the service and removing the code from the file system (both the service and code have a pseudo-random name in Metasploit and NSE).  Yaaaayyyy, Metasploit and NSE!  Thanks for doing it right.

Important note: the Microsoft Sysinternals psexec program doesn’t remove the service that it creates.  Thus, as a penetration tester, you’ll either leave behind an installed service on the machine, or you’ll need to remove it after you are done.  I like to remove it, restoring the environment to what it was like before I was there, lest I slightly increase the attack surface of the target machine by leaving behind the psexec service and its related code.  You can remove it using the Microsoft service control (sc) command, as follows:

C:\> sc \\<RemoteTarget> stop psexesvc

C:\> del \\<RemoteTarget>\admin$\psexesvc.exe

C:\> del \\<RemoteTarget>\admin$\system32\psexesvc.exe

C:\> sc \\<RemoteTarget> delete psexesvc

And, one more SUPER IMPORTANT NOTE: The Sysinternals psexec has an option to allow you to specify a different user and password other than your current credentials (the -u <user> and -p <password> command flags).  If you don’t use the -u <user> and -p <password> option with the Sysinternals psexec, the tool uses whatever Microsoft Windows authentication your client and the target support (such as NTLMv2), passing through your existing credentials via a challenge/response protocol.  However, if you use -u and -p with Sysinternals psexec, it will PASS THROUGH THESE CREDENTIALS IN CLEAR TEXT (as described brilliantly by Mike Pilkington here and in Section 4 of this article by Jean-Baptiste Marchand here).  That’s why I recommend you NEVER use -u and -p with psexec, unless you are comfortable passing through admin-level creds in cleartext.  Your best bet is to use it without the -u and -p options.

So, there you have it. Psexec… a great capability and trusted friend, along with a few notes on its safe usage.

Thanks!

–Ed Skoudis

SANS Institute Fellow
Counter Hack Challenges Founder
