
Owning Windows 7 - Double hack (physical access required)


Hi all, I finished my Windows 7 upgrade and decided to check an old trick that worked on XP and Vista. No foo required, it's an easy one:

If you have physical access to a Windows 7 box, you can still replace the binary c:\windows\system32\sethc.exe with your favourite backdoor (for example, the same binary with a meterpreter payload embedded) and trigger it by pressing the Shift key five times on the login screen. The trick also works by replacing c:\windows\system32\utilman.exe and pressing WIN-U on the login screen. (You must boot from a live CD in order to replace the binaries.)

I know, I know... if someone has access to your machine it's game over, but hey, this is still there, and it could have been improved to avoid the direct calling of two binaries by a key combination.

You can see the two cmd.exe windows popping up, one for sethc.exe and the other for utilman.exe, both with "nt authority\system" privileges.


If you don't have your disk encrypted, you should encrypt it... and if you have it encrypted, beware of the Evil Maid.
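As a defender-side check for the binary replacement described above (an added example, not part of the original post), this PowerShell script verifies that the two accessibility binaries the post names still carry a valid Microsoft Authenticode signature, and optionally compares their SHA-256 hashes against a baseline recorded from a known-good install. The baseline values are placeholders you fill in from your own golden image; the `-SystemRoot` parameter and the `Get-Sha256Hex` helper are this example's own, and the script only reads the files.

```powershell
# Added example: integrity check for the login-screen accessibility binaries
# named in the post. Run from an elevated PowerShell prompt on the host being
# checked, or point -SystemRoot at a mounted offline system drive.
param(
    [string]$SystemRoot = $env:SystemRoot,
    # Baseline SHA-256 values recorded from a known-good install of the same
    # build. Placeholders here; fill them in from your own golden image.
    [hashtable]$Baseline = @{
        'sethc.exe'   = '<sha256-from-known-good-install>'
        'utilman.exe' = '<sha256-from-known-good-install>'
    }
)

$targets = 'sethc.exe', 'utilman.exe'

function Get-Sha256Hex([string]$Path) {
    # SHA-256 via .NET so the check also works on PowerShell 2.0 (Windows 7),
    # which has no Get-FileHash cmdlet.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
    }
}

foreach ($name in $targets) {
    $path = Join-Path (Join-Path $SystemRoot 'System32') $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name is missing from $path"
        continue
    }

    # 1. Authenticode: a swapped binary shows up as unsigned, signed by a
    #    non-Microsoft subject, or with bytes that no longer match the signed
    #    hash (Status = HashMismatch).
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $sigOk = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    # 2. Hash against the baseline, when a real value was supplied for this file.
    $hash = Get-Sha256Hex $path
    $hashOk = $true
    if ($Baseline.ContainsKey($name) -and $Baseline[$name] -notlike '<*>') {
        $hashOk = ($hash -eq $Baseline[$name].ToLower())
    }

    $verdict = if ($sigOk -and $hashOk) { 'OK' } else { 'SUSPECT' }
    "{0,-12} {1,-8} sig={2,-12} signer={3} sha256={4}" -f $name, $verdict, $sig.Status, $signer, $hash
}
```

The check is only as trustworthy as the system it runs on: if the attacker has already been at the keyboard (the Evil Maid case the post mentions), run it from a clean boot environment against the offline drive rather than from the installed OS. It is also a point-in-time check, so it complements rather than replaces full-disk encryption, which is what actually prevents the offline swap in the first place.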

Enjoy,

Christian

Client-Side Exploit Delivery - Word files


Today I will do a brief post about how you can deliver an exploit URL to your target.
I was reading the SANS Storm Center post about the MS09-002 XML/DOC initial infection vector, and I wanted to try it. Here is the information from SANS:



After many failed attempts and some research, I stumbled on an old post about an XSS in Word documents, where the steps to accomplish the XSS were:



The html file content:


So if you replace the value with your exploit-serving URL, your exploit will be served when the target opens the Word document.

In this example I changed the value to "http://www.google.com", and these are the results when opening the Word file:


And on the next page is the little frame with the page loaded:


To do it in a cleaner way, your page would be blank, so there would be no trace in plain sight for a typical user. It's also possible to play with the object size and location. Depending on the configuration, the user will receive an alert saying that an ActiveX control is trying to run.

So for your next penetration test, when you need to perform a targeted client-side attack: fire up Metasploit, set up MS09-002, build a Word file, send emails with juicy subjects, leave some USB sticks around the building and wait :)

-CMM

L0phtCrack is back with L0pht

I read via Christien Rioux's Twitter that L0phtCrack is being reacquired by the original authors.

They are preparing a special information session at SOURCE Boston (Thursday, 10:15 am), where they will be releasing version 6. They will also explain the story of the product from the days of L0pht, @stake, Symantec and L0pht again.

Check this site for more info soon.

I will be there for this session!


-CMM

15 Minutes Penetration test

Here you have two interesting videos from Ryan Linn on EthicalHacker.net, reviewing a fast penetration test using Nmap, Nessus, Metasploit/Meterpreter and Ophcrack.

Video part 1: Nmap, Nessus, Metasploit
Video part 2: Meterpreter, Ophcrack, command-line users

This is a good time to say how much I like Meterpreter :)

Enjoy

-CMM

Fast-Track - Automated penetration testing suite


Fast-Track is "a compilation of custom developed tools that allow penetration testers the ease of advanced penetration techniques in a relatively easy manner".

Fast-Track has tools for MSSQL server, SQL Injection, Metasploit Autopwn Automation, Mass Client Side attacks, exploits and a Payload generator.

The idea is to provide easy and fast-to-use tools for tasks that would usually take you many steps, or some minor coding on top of existing tools. I liked the integration with Metasploit payloads.

It's like executing combos of scripts and tools :)

You can check a video of the SQLPwnage module in action:


Fast-Track SQLPwnage from David Kennedy on Vimeo

Presentation of Fast-Track at ShmooCon 2009, here
Download here

Enjoy

-CMM

DVL 1.5 - a hacking playground


A new version of the most vulnerable distribution was released yesterday. This Linux distribution is known for providing resources to learn security and hacking. It's loaded with training material, vulnerable software and tools.

It's a very interesting distribution to have in your lab, for testing your tools in a controlled environment.

The new version, 1.5 (Infectious Disease), is a 1.6 GB ISO image, and it's available to download here.

Happy hacking

-CMM