Public Facing LDAP Enumeration

May 24, 2013

This article is more for future reference than anything else, but here's the deal. While doing an assessment, I encountered a public facing LDAP server. Not a huge deal, except that this LDAP server allowed empty base objects and NULL BINDs. Basically, this means that any anonymous Internet user could extract information from the LDAP server. This LDAP server was also tied directly into the internal Windows Active Directory infrastructure. Oops.

I tried a bunch of tools to assist me in enumerating information from the server. LdapMiner, LDAP Explorer, ldapsearch, and JXplorer to name a few. The only tool that properly leveraged the empty base object and NULL BIND vulnerabilities to produce useful results was JXplorer.

The LDAP server administrator did do one thing right. He limited the responses to all LDAP queries to 25 results. Whether or not it was intentional, I don't know, but it made it painful to extract large chunks of data. Basically, it forced attackers to use many alphabetical queries with wildcards to enumerate all entries, much like exploiting a blind SQL Injection vulnerability.

ldapsearch -h <ldap_host> -p 389 -x -b "O=<known_dn>" "cn=aa*"
ldapsearch -h <ldap_host> -p 389 -x -b "O=<known_dn>" "cn=ab*"
ldapsearch -h <ldap_host> -p 389 -x -b "O=<known_dn>" "cn=ac*"
ldapsearch -h <ldap_host> -p 389 -x -b "O=<known_dn>" "cn=ad*"

Not even JXplorer could do this, and was restricted to extracting only the first 25 nodes in each identified node throughout the directory tree. The thing that set JXplorer apart was that while some of the other tools pulled the first 25 nodes from the directory using the empty base object and NULL BIND, JXplorer crawled the tree and continued to pull the first 25 nodes from each of the child nodes it discovered. This was a good start, but I would have liked to dump the entire directory, and getting data in a useful form was cumbersome. I didn't have time to write a tool (on my list of things to do), so instead of dumping the directory, I used the empty base object and NULL BIND vulnerabilities to validate email addresses harvested with Recon-ng. Here are the commands I used to do that using the ldapsearch utility.

Verify single email address:

ldapsearch -h <ldap_host> -p 389 -x -b "O=<known_dn>" "mail=<email_address>"

Verify list of email addresses:

for line in $(cat list.txt); do ldapsearch -h <ldap_host> -p 389 -x -b "O=<known_dn>" "mail=$line" | grep mail: | cut -d" " -f2; done

The danger of an Internet facing LDAP server configured like this should be fairly obvious. Spammers and attackers have access to the full name and email address of every person in your environment that has an account in Active Directory. This will drastically increase the amount of spam your organization receives and the likelihood of phishing attacks. In addition, if you have web facing VPNs or web applications, you are giving attackers part of what is required to authenticate. This is a very bad idea.
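As an added example that is not part of the original post, here is what the enumeration described above looks like from the server side and how to pick it out of logs: a small Python detector over constructed OpenLDAP slapd "stats" log lines (the log format, the 25-entry size limit and result code 4 for sizeLimitExceeded are assumptions; the original server was not identified) that flags anonymous connections walking the tree with wildcard filters or probing individual mail values.

```python
import re
from collections import defaultdict

# Constructed sample of OpenLDAP slapd "stats" log lines (syslog prefix omitted):
# conn 1001 is an anonymous bind walking the tree, conn 1002 an authenticated app account.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=203.0.113.7:51234 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 SRCH base="O=example" scope=2 deref=0 filter="(cn=aa*)"
conn=1001 op=1 SEARCH RESULT tag=101 err=4 nentries=25 text=
conn=1001 op=2 SRCH base="O=example" scope=2 deref=0 filter="(cn=ab*)"
conn=1001 op=2 SEARCH RESULT tag=101 err=4 nentries=25 text=
conn=1001 op=3 SRCH base="O=example" scope=2 deref=0 filter="(mail=alice@example.com)"
conn=1001 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=1002 fd=13 ACCEPT from IP=10.0.0.5:40000 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=app,O=example" method=128
conn=1002 op=1 SRCH base="O=example" scope=2 deref=0 filter="(mail=bob@example.com)"
conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
SIZE_LIMIT_EXCEEDED = 4  # LDAP result code sizeLimitExceeded: the query hit the server cap


def parse_connections(log_text):
    """Group bind and search activity by LDAP connection id."""
    conns = defaultdict(lambda: {"ip": None, "anonymous": False, "searches": {}})
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            conns[m.group(1)]["ip"] = m.group(2)
        elif m := BIND_RE.search(line):
            # An empty bind DN is an anonymous (NULL) bind.
            conns[m.group(1)]["anonymous"] = m.group(2) == ""
        elif m := SRCH_RE.search(line):
            conn, op, base, flt = m.groups()
            conns[conn]["searches"][op] = {"base": base, "filter": flt, "err": None, "n": 0}
        elif m := RESULT_RE.search(line):
            conn, op, err, n = m.groups()
            if (s := conns[conn]["searches"].get(op)):
                s["err"], s["n"] = int(err), int(n)
    return conns


def find_anonymous_enumeration(log_text, min_wildcard=2):
    """Return anonymous connections that walk the directory with wildcard filters
    (alphabetic enumeration around a size limit) or probe individual mail values."""
    findings = []
    for conn, info in parse_connections(log_text).items():
        if not info["anonymous"]:
            continue
        searches = list(info["searches"].values())
        wildcard = [s for s in searches if "*" in s["filter"]]
        capped = [s for s in wildcard if s["err"] == SIZE_LIMIT_EXCEEDED]
        mail_probes = [s for s in searches if s["filter"].lower().startswith("(mail=")]
        if len(wildcard) >= min_wildcard or mail_probes:
            findings.append({"conn": conn, "ip": info["ip"], "wildcard_searches": len(wildcard),
                             "hit_size_limit": len(capped), "mail_probes": len(mail_probes)})
    return findings
```

The cheapest fix remains on the server: disallow anonymous binds and searches against an empty base, so the detector only ever reports the attempts that were refused.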

Catching and Cleaning a Phish

May 23, 2013

This afternoon my wife looked up from her laptop and said to me, "You're gonna be proud of me. I just got phished (see image below). However, after clicking the link and seeing that it was asking me for my username and password, I logged into my Twitter account manually to see if the email was legit. It wasn't, so I deleted the email." While she thought that I should have been proud, I had obviously failed at explaining the risks of phishing attacks and it was time to dust off some incident response skills.

My wife helps run her father's company, so she handles most of the business email that the company receives. As a result, she received the following email.

Looks pretty legit, right? You can't see it here, but the "from" address seems legit, and the links go to exactly where they say they're going. The trick here is that the attacker is using a URL shortener to obfuscate the final destination of the link. This is a good technique, as Twitter users are accustomed to seeing shortened URLs.

My wife did the right thing by manually going to Twitter to see if she actually did receive a Direct Message, but not until after she clicked the link. Many people think that clicking links and visiting pages is okay as long as they don't enter credentials into untrusted pages. This is not the case. By merely visiting a web page, attacks can be launched against all sorts of client side technologies, such as Java, Flash, the browser itself, etc. How each of these attacks works is out of the scope of this article. The point is, if someone clicks a link or visits a page which is hosting malicious content, they could be in trouble. Here is what the phishing site my wife encountered looks like.

What's wrong with this picture?

As the defender of the network, I was glad that my user did not surrender credentials, but as I mentioned above, the possibility still exists that the site is hosting malware and my user's system could be infected. Is it too late? Has the damage already been done? Let's find out by taking some response actions.

The first step is safely acquiring a copy of the email. According to my good friend Jake Williams, the best way to do this is to extract the email directly from the mail server. If the email is stored on a 3rd party mail server, this can be done using the affected user's credentials. Otherwise, the mail server administrator should have the ability to extract a copy of the email from the mail store. I acquired a copy by having the user forward me the email. This is not the preferred method, as sometimes header information is lost when emails are forwarded.

The second step is to conduct an analysis of the email. Some questions that need to be answered are:

Since I'm dealing with a one user environment, getting these answers was simple.
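The email analysis step above, as an added example that is not part of the original post: a constructed message modelled on the phish is parsed with Python's email module to compare the claimed sender with the bounce address and relay chain, and to surface links whose visible text does not match where they point (the shortener host list and the sample headers are assumptions).

```python
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message modelled on the phish above: From claims twitter.com, the bounce
# address and relay belong to another domain, and the visible twitter.com link is shortened.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [198.51.100.9])
\tby mx.example.com with ESMTP id abc123
Received: from localhost (localhost [127.0.0.1])
\tby mailer.example.net with ESMTP id xyz789
From: Twitter <no-reply@twitter.com>
Subject: You have 1 new direct message
Content-Type: text/html; charset=utf-8

<html><body><p>You have a new direct message.</p>
<p><a href="http://bit.ly/EXAMPLE">https://twitter.com/messages</a></p>
<p><a href="https://twitter.com/settings">Unsubscribe</a></p></body></html>
"""
# Hosts of common public URL shorteners (assumed list; extend as needed).
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyze_phish(raw):
    """Who really sent it, which relays handled it, and where the links really go."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    bounce = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    # Each hop prepends a Received header, so the first one is the relay nearest to us.
    relays = [str(h).split()[1] for h in msg.get_all("Received", []) if str(h).startswith("from ")]
    findings = []
    if sender.rpartition("@")[2].lower() != bounce.rpartition("@")[2].lower():
        findings.append(f"From domain differs from Return-Path domain ({bounce})")
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortened link hides its destination: {href}")
        shown = urlparse(text).hostname
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return {"sender": sender, "bounce": bounce, "relays": relays, "findings": findings}
```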

The next step is to analyze the target site's invocation process and contents for signs of malicious activity. Website analysis in a safe manner used to be painful. One would have to build a customized sandboxed environment complete with IDS, exploitable client side technologies, etc. However, thanks to the fine folks at URLQuery.net, all of these things are now available to us pain free.

URLQuery.net is a malicious web page analysis tool. It runs the contents of the given page through the proverbial "wringer". URLQuery.net loads web pages through two different Intrusion Detection Systems with commercial rule sets (Suricata and Snort), executes the content intended for client side technologies such as JavaScript, Java and Adobe Reader, and provides a detailed report on the results, including traffic analysis. The results for the page in question can be found here. The level of information given is incredible. Take a few moments to analyze the report.

As you can see, there isn't much danger on this site other than the fact that someone from Russia is trying to harvest Twitter credentials. Granted, there could be 0-day exploits embedded, but as far as we can see as first responders, things seem clean for now. Disaster averted.

A Work in Progress

April 19, 2013

One of the most common questions asked by newcomers to our community is, "How do I get started in InfoSec?" This article shows it is not simply a matter of what you do (don't get me wrong, ability and aptitude are important), but also a matter of who you surround yourself with. In any profession, to create an environment for maximum professional development, you must surround yourself with people that are smarter and more experienced than you. If you're the smartest and most experienced guy in the room, the level of development you experience will be far less than that of those you are mentoring. That being said, I've been doing the infosec thing for a couple of years now, and I've always tried to surround myself with the smartest and most experienced people possible. While I've been personally gracious to some of those individuals who have helped me along the way, I would like to publicly thank the rest of them now. I'm sure I'll end up unintentionally leaving someone out, but this is closer to the beginning of my career than the end, so I'm sure there will be many more mentors and many more blog posts like this to make up for anyone I fail to mention here.

Jon Fox - Most of you have not had the pleasure of meeting this man, and probably never will, but this man is special. He gave me the opportunity to create and lead something that was above my skill set and out of my comfort zone. He saw potential in me that I simply didn't see, and through friendship and leadership, developed that potential into the canvas with which I entered the infosec industry. The rest of the individuals listed here helped me to paint that canvas.

Eric Bassel - Some of you may know Eric from the SANS Institute. However, my relationship with Eric goes much deeper. As a friend and mentor, Eric put the priorities of the organizations and people around our professional relationship aside to help me understand what is really important in life. During the most difficult of life decisions, similar to one that Eric had to make in his own life, Eric was there to provide me with sound advice. As a result of his advice, I am happier today than I have ever been.

Mark Baggett (@MarkBaggett) - What can I say, Mark is the absolute smartest man I know, and the best decision I made while working with the Army cyber training program. I am convinced that just being in the room with Mark will make anyone a smarter person, and it definitely did me. If it wasn't for Mark, I wouldn't be a part of the PaulDotCom team and I probably would have never started speaking at infosec conferences. Mark was all the brains behind the Volume Shadow Copy stuff we released at Hack3rCon a couple years ago, and I was little more than a cheerleader. Yet he graciously let me take part ownership of his amazing research and present alongside him. Even today Mark continues to mentor me and is always willing to extend a helping hand. Mark is much more than a mentor to me, he is an incredible friend.

Rob Dixon (@304geek) - Got writer's block? Looking for an idea? This guy's got 'em! So many times during the development of PushPin I leaned on Rob for testing and ideas. Each time, Rob came back with a list of things that totally rocked. The majority of the coolest features built into PushPin are a direct result of Rob's input. While every time I've talked about PushPin I've been sure to mention Rob's contributions, he deserves a larger stage, and I hope he gets it here. We made a great development team, and he was an invaluable asset. I would also be remiss if I didn't mention Rob's impact on my single largest achievement, Recon-ng. I mentioned the idea of building a recon framework out of the recon-ng script during my talk at DerbyCon in 2012. Rob approached me afterward and told me about a project that he and another friend, Vitomir Margetic (@NodeZero_Linux), were working on called TunnelRat. TunnelRat is a framework built for network tunneling. I'm not sure if they ever publicly released the project, but I look forward to when they do. They had some really innovative things going there. Rob and Vitomir invited me to be on the dev team for TunnelRat in hopes that we could build the functionality of the recon-ng script into the framework. Very early on in the project, I broke away from the team and created a separate framework because the core functionality of TunnelRat was not conducive to what I was trying to do, but I walked away with my first experience in what a true modular framework looks like in Python, and I have those gentlemen to thank. Anyone that is considering building a modular framework in Python should look at this article written by Vitomir. It explains the principal ideas behind TunnelRat's modular functionality and one way to do framework development in Python. Another way to create modular frameworks in Python, the technique used in the Recon-ng framework, is to use nested "cmd" class modules. That idea came courtesy of my good friend Mark Baggett (see above).

Chris Gates (@carnal0wnage) - Chris and I had some personality conflicts to work through when we first met many years ago, but we worked through those and Chris became the first person I went to for infosec mentoring. While I was still an Army officer, I watched Chris do his thing against DoD networks with a childlike wonder. It was pure awesomesauce watching him own network after network with grace and modesty. His work intrigued me so much that I couldn't help but to badger him with questions on how to be like him and grow a skill set like his. He was the first person I approached with the question, "How do I become an infosec professional?" Carnal0wnage is the reason I started blogging and why LaNMaSteR53.com even exists. Even today I lean on him for advice, and he continues to provide.

Former Fellow Red Teamers - When I was a member of the Army Red Team, I was responsible for taking documentation from each of the cells that operated within the team and creating the final deliverables. I absolutely loved my job. I learned so much about the methodology, tools, and techniques of penetration testing just by proofing their reports. Long before I was learning from reading Twitter feeds, blog posts, and magazine articles, I was learning by reading the carnage inflicted on target networks by the best Red Team operators in the biz.

Chris Campbell (@obscuresec) - I don't know what it is with the name "Chris", but I've had some personality conflicts with this one too. Go figure. At one time, not too long ago, Chris and I were pretty good friends. I can honestly say that most of what I know about owning Windows domains, I learned from Chris. Most of you know Chris by the work he does with PowerShell and Passing-the-Hash. That was a natural transition for Chris. He was our go-to-guy for everything Windows on the Army Red Team. Need a domain popped? This guy can do it. A truly gifted technician.

TJ O'Connor (@ViolentPython) - TJ humbled, and humbles, me. A brilliant man once asked me, "Can you outperform TJ O'Connor in a hacking competition?" I foolishly replied, "I don't know TJ O'Connor, but I imagine I could at least hang with him." Buzzer. Wrong answer. TJ whipped my arrogant tail and issued me one of my first lessons in infosec humility. But all the while, TJ never once claimed that he could beat me, or that he did beat me. He knew the lesson he had taught me. And it was an important one. Those that know TJ consider him one of the brightest minds in the industry, yet TJ would tell you that you are crazy for even thinking it. That kind of modesty is rare in our industry, and I look to TJ as an example of what right looks like.

Martin Bos (@purehate_) - Many of you are familiar with the verbal salvos that have taken place between Martin and I over the years on Twitter. While we are vastly different and disagree on just about everything, Martin has my utmost respect. Very few people have the passion and guts to be as honest and forthright as Martin is, and people like me who are equally passionate and stubborn need lessons in humility every now and again to keep our egos in check. Martin may not know it, because I've probably never said it, but he has taught me some valuable lessons about humility, and has helped me realize places in my personality where I need improvement. For that I am thankful.

My Father - He's old school, and not the best with computers, but I consider him to be the ultimate hardware hacker. I've never seen anyone with the level of ingenuity and creativity he has to take ordinary things and do extraordinary things with them. Watching him as I grew up set deep roots in me to want to be like him. To be able to think outside of a seemingly useless object and do something amazing with it. My father is also the one that recognized my aptitude in programming at a very young age. I remember him watching me create batch scripts on an old IBM XT and asking me if I wanted to do more. He got me started with QBasic, introduced me to a man named Ron Davidson who gave me my first lesson on object-oriented and event-driven programming, and bought a new family computer (Packard Bell) so I could begin developing Visual Basic applications. My father is the reason why I am so passionate about code. He has also become my biggest fan, and now looks at me the way I look at him. That is an amazing feeling.

John Strand (@strandjs) - While I've not known John all that long, John has become, without a doubt, my strongest mentor. I met John in a SEC560 class in 2010. John noticed something in me, grabbed me by the arm, pulled me aside, and never let go. John watched me as I struggled through 2 jobs that he knew weren't making me happy or leveraging my potential, providing mentorship and sound advice all along the way. John then took a huge chance on me by hiring me as his first employee as he ventured into company ownership, and I sincerely hope it wasn't a mistake. John has fostered creativity in me that has led to pretty much everything I've done. PushPin, Recon-ng, HoneyBadger... All of these tools were spawned from seeds that John planted in my mind. Whether or not he intended to, I'm not always certain, but in all cases, John has humbly stood aside and willfully offered me complete ownership of these creations.

Not all of the individuals listed here will read this, and not all of them maintain amicable relationships with me now. However, all of these people have played key roles in my development to this point and deserve recognition. None of my accomplishments have been achieved alone. I have each of these individuals to thank. Thank you.

As you browse away from this article, remember the importance of surrounding yourself with bright people and being gracious for the mentoring they provide. Look around you. Are you the smartest and most experienced person in the room? If so, it may behoove you to change settings. But never forget that mentoring goes both ways. The only way this industry thrives is by its members simultaneously mentoring and being mentored at all times. There is always someone else in the same position you were in several years ago. Reach out and lift that person up, as those mentioned here lifted me.

Taming the Stubborn Tomcat

March 4, 2013

Today I ran into a problem that most penetration testers will encounter at some point, and whose solution required a creative approach. Therefore, I'm writing this brief article as a reference for future encounters with stubborn Tomcat servers.

I found an up-to-date Tomcat 7 server with easily guessable credentials and was able to access the Tomcat management console. At this point, compromising the server is usually a done deal. Typically, I would deploy a meterpreter shell via the Remote WAR deployment panel and proceed to pillage and pivot through the server using the SYSTEM level access that Tomcat granted me. However, this Tomcat was running on a fully patched and protected Windows Server 2008 R2 system which made this a bit more challenging.

Once I gained access to a Tomcat management console, I took the standard approach and deployed a meterpreter WAR application to the Tomcat server, but something was preventing meterpreter from exfiltrating the network. Extensive analysis proved that the target network was filtering all egress traffic from the target web server and only allowing outbound traffic for stateful TCP connections. Ingress filtering was also in place, so neither bind nor reverse meterpreter shells were possible against this server.

Next, I attempted to deploy a server side JSP shell and access it via a browser. While a JSP shell is not nearly as powerful as meterpreter, it is a SYSTEM shell nonetheless. The deployment appeared to be successful according to Tomcat, however, all attempts to access the shell via a browser returned 404 errors. The JSP shell was not being created during the deployment process for unknown reasons. Most likely the work of Antivirus software.

I tweeted for suggestions and James Jardine pointed me to a great article and an open source WAR application called filebrowser.war. The technique described in the article worked perfectly. I don't want to replicate content, so please read the original article for details. Below is an attack summary of the actions I took to compromise the server and surrounding environment after the initial exploitation.

  1. Use the Tomcat management console to deploy the filebrowser.war application.
  2. Use the filebrowser application to upload a JSP shell to the filebrowser application directory.
  3. Browse directly to the JSP shell.
  4. Use the JSP shell to:
    • survey the system using various post exploitation commands;
    • list volume shadow copies;
    • create a volume shadow copy;
    • copy the SYSTEM and SAM files from the created shadow copy to the filebrowser application directory.
  5. Use the filebrowser application to:
    • download the SYSTEM and SAM files from the server for offline hash extraction with bkhive and samdump2;
    • upload mimikatz.exe and sekurlsa.dll to the server.
  6. Use the JSP shell to execute mimikatz and extract the clear text credentials from memory. This must be done in a single command as the mimikatz interactive shell will not work through a non-interactive web shell:
    • mimikatz.exe privilege::debug sekurlsa::logonPasswords exit
  7. Pivot and pwn...
  8. Use the Tomcat management console to "stop" and "undeploy" the filebrowser application, destroying all resources in the application's path.

Mission complete.
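From the defender's side, as an added example that is not part of the original post: detection logic over a constructed Tomcat access log for the sequence described above, a failed manager login, a deployment through the manager, the first requests into the newly created context, and the closing undeploy. The access log pattern, the manager URL paths and the flagging heuristics are assumptions about a Tomcat 7 default setup.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed Tomcat access log (default "%h %l %u %t \"%r\" %s %b" pattern): one client
# fails manager auth once, logs in, uploads a WAR through the manager, hits the new
# /filebrowser context and a JSP inside it, then undeploys it; 10.0.0.8 is normal traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [04/Mar/2013:10:15:02 -0500] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [04/Mar/2013:10:15:09 -0500] "GET /manager/html HTTP/1.1" 200 13211
203.0.113.7 - tomcat [04/Mar/2013:10:16:40 -0500] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC HTTP/1.1" 200 13500
203.0.113.7 - - [04/Mar/2013:10:17:01 -0500] "GET /filebrowser/ HTTP/1.1" 200 5120
203.0.113.7 - - [04/Mar/2013:10:19:30 -0500] "GET /filebrowser/cmd.jsp?cmd=whoami HTTP/1.1" 200 312
10.0.0.8 - - [04/Mar/2013:10:20:00 -0500] "GET /app/index.jsp?page=1 HTTP/1.1" 200 800
203.0.113.7 - tomcat [04/Mar/2013:10:45:12 -0500] "GET /manager/html/undeploy?path=/filebrowser HTTP/1.1" 200 12000
"""

CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
DEPLOY_PATHS = ("/manager/html/upload", "/manager/html/deploy", "/manager/text/deploy")
UNDEPLOY_PATHS = ("/manager/html/undeploy", "/manager/text/undeploy")


def parse_access_log(log_text):
    """Yield one dict per well-formed access log line."""
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m:
            ip, user, ts, method, target, status = m.groups()
            url = urlparse(target)
            yield {"ip": ip, "user": user, "time": ts, "method": method,
                   "path": url.path, "query": parse_qs(url.query), "status": int(status)}


def context_of(path):
    """Top-level Tomcat context of a request path: /filebrowser/cmd.jsp -> /filebrowser."""
    return "/" + path.split("/")[1] if "/" in path else "/"


def detect_manager_deploys(log_text):
    """Return (ip, description, time) findings around manager-driven deployments."""
    findings = []
    seen = defaultdict(set)        # ip -> contexts requested so far
    deployed = set()               # ips that completed a manager deploy
    new_ctx = defaultdict(set)     # ip -> contexts first touched after a deploy
    for r in parse_access_log(log_text):
        ctx = context_of(r["path"])
        if ctx == "/manager" and r["status"] == 401:
            findings.append((r["ip"], "manager authentication failure", r["time"]))
        elif r["path"].startswith(DEPLOY_PATHS) and r["status"] == 200:
            findings.append((r["ip"], "application deployed via manager", r["time"]))
            deployed.add(r["ip"])
        elif r["path"].startswith(UNDEPLOY_PATHS):
            target = r["query"].get("path", ["?"])[0]
            findings.append((r["ip"], f"undeploy of {target} (cleanup of deployed app)", r["time"]))
        elif r["ip"] in deployed and ctx != "/manager" and ctx not in seen[r["ip"]]:
            findings.append((r["ip"], f"first request to new context {ctx} after deploy", r["time"]))
            new_ctx[r["ip"]].add(ctx)
        elif ctx in new_ctx[r["ip"]] and r["path"].endswith(".jsp") and r["query"]:
            findings.append((r["ip"], f"parameterised JSP request in deployed context: {r['path']}", r["time"]))
        seen[r["ip"]].add(ctx)
    return findings
```

Pairing this with the manager being reachable only from administrative addresses and non-default credentials removes the first two findings before they can happen.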

The Recon-ng Framework - Official Release

January 23, 2013

http://pauldotcom.com/2013/01/the-recon-ng-framework---offic.html