Thursday, June 2, 2011

Using CAIN to read packet captures during a Penetration Test

There are many ways to leverage transitive trust relationships in an environment when performing Penetration Testing. Once privileged access is obtained on a single Windows system, hashes can usually be obtained, and it is often the case that shared credentials exist. In an environment that relies only on LANMAN/NTLMv1 challenge/response and fixed stored hashes, it is well known that access to other Windows systems can be trivially obtained with possession of the stored hash alone.

The Metasploit framework includes the 'windows/smb/psexec' module, which works in a similar fashion to the Microsoft Sysinternals PSEXEC command but can also "pass the hash" by setting the SMBPass variable to a LANMAN:NT hash rather than a plaintext password. This can be a useful way to pivot to other systems once a single set of hashes is obtained.

A feature of the Metasploit Meterpreter I found useful in a recent Penetration Test is the 'sniffer' module. This module allows you to capture up to 50,000 packets from an exploited system and download the captured data to a libpcap-compatible file.

meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces

1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )

meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_stats 2
[*] Capture statistics for interface 2
packets: 1849
bytes: 444042

meterpreter > sniffer_dump 2 myfile.pcap
meterpreter > sniffer_stop 2

During a recent Pen Test, I happened to gain access to a network monitoring system. This is the near-perfect scenario for leveraging the Meterpreter sniffer module.

CAIN is most often thought of as a layer 2 network interception and man-in-the-middle tool with an incredibly useful set of password hash analysis and cracking abilities. CAIN has the ability to perform cryptanalysis using traditional rcrack-style rainbow tables as well as ophcrack-format rainbow tables. Password cracking can also be done in dictionary or brute-force mode.

What is usually overlooked is that CAIN can read libpcap files and process the contents, parsing out all of the various useful application and O/S password hash formats. Parsing a libpcap file in CAIN takes a single click on the open-folder icon at the top left of the toolbar. It is easy to miss because the usual "open file" entry does not exist in the File menu.

I used this capability to parse through sniffer packet captures from compromised systems, and managed to further my intrusion into the environment significantly in the process. Cryptanalysis, dictionary and brute-force attacks can be leveraged against captured LANMAN/NT challenge/response transactions. Dictionary and brute-force attacks can be used against Oracle and MySQL database credentials, which are often weak. SNMP version 1 community strings are obviously plaintext and easy to capture. Older MSSQL versions use TDS (Unicode XOR with 0xa5), which is easily reversible. It is also quite interesting to see how much plaintext LDAP can be leveraged for access.
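To illustrate how little protection SNMPv1 traffic offers, here is an added example (not code from the original post, and not part of CAIN or Metasploit) that walks a libpcap file and lists every SNMPv1/v2c message with the community string it carries, so an operator can find where legacy SNMP is still in use and move it to SNMPv3. The capture, addresses and community value are constructed inside the block; only Ethernet/IPv4/UDP frames are handled.

```python
import struct

def _tlv(buf, off):
    """Decode one BER tag and length at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def snmp_communities(pcap):
    """Return (src_ip, dst_ip, version, community) per SNMP message (UDP/161-162)."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    off, found = 24, []
    while off + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        pkt, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(pkt) < 42 or pkt[12:14] != b"\x08\x00" or pkt[23] != 17:
            continue                                   # only IPv4/UDP frames
        udp = pkt[14 + (pkt[14] & 0x0F) * 4:]
        if struct.unpack(">H", udp[2:4])[0] not in (161, 162):
            continue                                   # not SNMP
        msg = udp[8:]
        tag, start, _ = _tlv(msg, 0)
        if tag != 0x30:                                # Message ::= SEQUENCE
            continue
        _, vs, ve = _tlv(msg, start)                   # version INTEGER
        _, cs, ce = _tlv(msg, ve)                      # community OCTET STRING
        found.append((".".join(map(str, pkt[26:30])), ".".join(map(str, pkt[30:34])),
                      int.from_bytes(msg[vs:ve], "big"), msg[cs:ce].decode("latin-1")))
    return found

def _udp_frame(src, dst, dport, payload):
    """Constructed Ethernet/IPv4/UDP framing for test traffic (checksums left zero)."""
    udp = struct.pack(">HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp

SNMPV1_GET = bytes.fromhex("302602010004067075626c6963a019020400000001"   # constructed
                           "020100020100300b300906052b060102010500")       # GetRequest
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
for _pkt in (_udp_frame("10.0.0.5", "10.0.0.1", 161, SNMPV1_GET),
             _udp_frame("10.0.0.5", "10.0.0.53", 53, b"\x00" * 12)):       # DNS, skipped
    SAMPLE_PCAP += struct.pack("<IIII", 0, 0, len(_pkt), len(_pkt)) + _pkt

if __name__ == "__main__":
    for src, dst, ver, community in snmp_communities(SAMPLE_PCAP):
        print(f"{src} -> {dst} SNMPv{ver + 1} community={community!r}")
```

Point it at a real capture with `snmp_communities(open("capture.pcap", "rb").read())`; every row returned is a device whose credential crosses the wire unencrypted.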

Within the Pen Testing context, obtaining access and obtaining passwords, with the associated cracking time, is a huge component. However, we cannot forget that demonstrating access to real data is important to show that real risk exists.

I find that the most interesting demonstration of this is to show that you can access database tables. However, one must tread carefully in this area. When demonstrating this access, try showing some table names, some column names and such without actually pulling the database rows themselves. The idea is to prove you own it and you're there, without putting sensitive data into your reports. Redacted screenshots can work well in this context also.

With regard to database client software, the most challenging area is getting a functional Oracle PL*SQL client working. The installation is a little tricky, but if you have access to a handy and friendly DBA, you can be up and running pretty quickly.

Microsoft SQL servers often have the command line utility OSQL.EXE on the server itself, and PWDUMPX is useful for pulling LSA secrets from the Windows registry, which often contain database credentials.

The MySQL command line client is a simple installation, especially on Linux distros like Ubuntu, so that should not present much of a challenge.
