I posted recently about calculating subnets and CIDR notation quickly, but I didn’t mention in that post host to quickly get the Network ID, first host and Broadcast address for a subnet given an awkward address. This is another easy trick that covers that!
Metasploit is a suite of tools built into a framework which automates and tracks many of the tasks of a penetration test, plus it integrates nicely with other common Penetration Testing tools like Nessus and Nmap. Metasploit was acquired by Rapid-7 in 2009 and there are now commercial variants however the free framework does provide everything you need for a successful Penetration Test from a command-line interface. If you’re curious of the differences Rapid-7 has a page where you can compare the free version against the commercial version here. Metasploit includes port scanners, exploit code, post-exploitation modules – all sorts!#
The Metasploit database is great for tracking a Penetration Testing engagement, the biggest the engagement the more that the database can offer you. It tracks alive hosts, pwned boxes and stolen loot – plus it timestamps actions too just in case you need to track what happened when.
/I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s pretty simple issue really, generally speaking it’s simply a matter of altering the service so that it runs the executable and parameters you want it to, instead the default configuration allowing you to supply a command and privilege level for the execution. So you can simply run the add user command as local system and create your own local administrator account!
During Penetration Tests I often gain access to a selection of domain user accounts on my path to compromising a domain admin account. This is often a requirement these days for enumerating domain policy and also it’s quite common to find standard user accounts that have access to interesting information, such as HR or Finance accounts with access to staff and payroll information or a user with VPN access. During the post-engagement meeting with clients they’re often shocked at how I could launch online brute-force attacks against accounts without locking them out.
Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials).
GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSLVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy.
This essentially means that a share exists on the domain controller which any domain user can access which contains other user account credentials, possible including a local administrator password which is reused across the network. This can mean that privilege escalation from a domain user to domain administrator becomes incredibly easy, as I’ve described before.
Portmapper is a registry of Remote Procedure Call services including RPC Services number, version number, TCP/UDP port and protocol. It generally runs on port 111 TCP/UDP.
When a client wishes to connect to a service they first connect to the Portmapper, an administrator may filter this port beliving that it will prevent an attacker connecting to services offered, however this is not the case as an attacker may replicate the portmapper locally and proxy requests to the target machine.
Several interesting unix daemons, such as Network Information Service+, Network File System, and Common Desktop Environment, run as RPC services on dynamically assigned high ports. Theportmapper service (aka rpcbind) runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port number.
The nmap documentation states that if portmapper is filtered, services can be identified directly using an nmap scan of high port ranges (TCP/UDP 32771-34000). RPC Grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR.
Attempting to connect to an RPC service when portmapper is filtered will result in an error similar to “RPC: Port mapper failure RPC: Unable to receive.” To work around this issue it is possible to create a local RPC portmapper and proxy the RPC endpoint connections through to the remote server
If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine then it may be possible for the attacker to simply read the administrator’s access token in memory and steal it to allow them to impersonate that account. There’s a tool available to do this, it’s called Incognito.
Why not copy and paste the following into your /etc/john.conf and try them out! Got a suggestion for a rule? Leave a comment! They can then be called with ‐‐rules=Try, ‐‐rules=TryHarder and ‐‐rules=BeBrutal! You can find an explanation of how these rules are built here.