1 00:00:00,250 --> 00:00:03,167 ERIC MILAM: How's it going? 2 00:00:03,167 --> 00:00:04,709 First I want to say, holy shit, I'm speaking at DEF CON, 3 00:00:04,709 --> 00:00:06,459 and it's an honor. 4 00:00:06,709 --> 00:00:10,459 And second of all, holy shit, people showed up and that's 5 00:00:10,459 --> 00:00:12,792 an honor as well. 6 00:00:12,918 --> 00:00:16,751 I will talk to you about getting the goods with smbexec. 7 00:00:17,876 --> 00:00:24,167 Some of you may know me as brav0hax. 8 00:00:28,542 --> 00:00:30,876 I'm on the Accuvant LABS attack and pen team. 9 00:00:33,999 --> 00:00:37,250 I'm involved with some open source projects 10 00:00:37,250 --> 00:00:41,042 and maybe you have heard of Easy Creds and smbexec 11 00:00:41,042 --> 00:00:46,083 and Ettercap, and we're involved with the Kali Linux. 12 00:00:50,918 --> 00:00:55,334 We will go over what is smbexec and there's nothing 0day here. 13 00:00:58,999 --> 00:01:01,542 But automation is awesome. 14 00:01:04,417 --> 00:01:07,999 This is not that the sun and the moon have to align on a certain day. 15 00:01:08,584 --> 00:01:10,959 It makes post exploitation much easier. 16 00:01:10,959 --> 00:01:11,999 At least it has for me. 17 00:01:13,792 --> 00:01:16,083 So what is smbexec? 18 00:01:17,459 --> 00:01:19,167 It's a Bash script. 19 00:01:19,167 --> 00:01:20,083 Everybody who knows me, knows I don't know how 20 00:01:20,083 --> 00:01:21,876 to code for shit. 21 00:01:21,999 --> 00:01:23,999 I'm very good with the Googles and I put a bunch 22 00:01:23,999 --> 00:01:26,626 of shit together until works. 23 00:01:26,751 --> 00:01:30,083 It's about 1500 lines and a million different functions. 24 00:01:30,501 --> 00:01:33,918 Put it together in a week, about an hour's worth of time 25 00:01:33,918 --> 00:01:37,167 and a year's worth of Mountain Due. 26 00:01:40,334 --> 00:01:44,125 It relies on SMB client, and we have PAP system 27 00:01:44,125 --> 00:01:48,459 for hash passing and that works as well. 28 00:01:57,918 --> 00:01:59,999 Why would you need this? 29 00:01:59,999 --> 00:02:03,542 We are on a bunch of pen tests and we realized that 30 00:02:03,542 --> 00:02:06,999 the smbexec was getting popped. 31 00:02:11,250 --> 00:02:13,959 And we threw it out to the community and basically 32 00:02:13,959 --> 00:02:16,083 Mubix, wherever they are. 33 00:02:16,083 --> 00:02:18,959 They found out real quick for us that basically what it was 34 00:02:18,959 --> 00:02:23,417 triggering on was the injection and the service protection. 35 00:02:23,542 --> 00:02:27,083 So, you know, fuck you turn micro, but thank you for the motivation. 36 00:02:28,417 --> 00:02:34,209 After we ran into this, we found a blog post by Colonel Carnage 37 00:02:34,209 --> 00:02:39,083 and that's where the script was born from. 38 00:02:40,584 --> 00:02:45,709 So originally, right, we just wanted to get our shells. 39 00:02:45,709 --> 00:02:46,999 We wanted our shells. 40 00:02:46,999 --> 00:02:49,999 So we wrote it so it would create an obfuscated payload. 41 00:02:51,209 --> 00:02:56,334 The newer versions, you can enable Hyperion and encrypt it 42 00:02:56,334 --> 00:02:58,083 as well. 43 00:02:58,250 --> 00:03:02,417 We also had it so it would create a metasploit rc file, and 44 00:03:02,417 --> 00:03:07,667 if it doesn't recognize X is running, it will automatically launch 45 00:03:07,667 --> 00:03:10,709 the attacks in the screen. 46 00:03:10,999 --> 00:03:12,999 That's where it was at. 47 00:03:14,792 --> 00:03:18,459 And then we started learning a little bit more about winexe. 48 00:03:19,792 --> 00:03:22,959 We can run native Windows commands and there's a lot 49 00:03:22,959 --> 00:03:26,417 of cool stuff we can probably end up doing. 50 00:03:26,792 --> 00:03:29,999 I'm not a Windows guy and I went to Google and Google told me what 51 00:03:29,999 --> 00:03:35,375 to do and we started realizing some of the great things we could do with it. 52 00:03:35,375 --> 00:03:39,292 What we really wanted the tool to do is basically kind of go undetected 53 00:03:39,292 --> 00:03:42,292 and just look like normal Windows, you know, 54 00:03:42,292 --> 00:03:46,709 traffic or normal network traffic to our victims. 55 00:03:47,584 --> 00:03:52,999 So winexe, I don't know if anybody is familiar with it. 56 00:03:52,999 --> 00:03:53,999 I hope you guys are. 57 00:03:53,999 --> 00:03:54,999 It's awesome. 58 00:03:54,999 --> 00:03:58,334 It's similar to the system internal PSX I'm sorry, 59 00:03:58,334 --> 00:04:03,876 and it has systems flag and it has an uninstall flag and I 60 00:04:03,876 --> 00:04:07,999 will explain them in a little bit. 61 00:04:09,125 --> 00:04:12,125 There's no quote/unquote payload necessary. 62 00:04:12,125 --> 00:04:16,125 You can one winexe and just issue CMD and it will give you a shell back 63 00:04:16,125 --> 00:04:20,959 from the victim community without executing a binary. 64 00:04:21,918 --> 00:04:23,834 And it looks like normal windows traffic, 65 00:04:23,834 --> 00:04:26,375 basically you are getting what they should end up seeing 66 00:04:26,375 --> 00:04:29,250 is a successful log in over the network. 67 00:04:29,792 --> 00:04:32,501 There's some caveats that I will discuss later that might be 68 00:04:32,501 --> 00:04:33,999 red flags. 69 00:04:35,667 --> 00:04:38,125 So if you can execute commands as system, 70 00:04:38,125 --> 00:04:41,918 the possibilities are virtually limitless. 71 00:04:41,918 --> 00:04:45,083 So you can dump hashes from workstations and server, 72 00:04:45,083 --> 00:04:49,709 create volume shadow copy, run other tools as system, enable, 73 00:04:49,709 --> 00:04:53,334 disable UAC, bypass it, you can also check systems 74 00:04:53,334 --> 00:04:58,083 for DA/EA accounts logged in or running a process. 75 00:05:01,083 --> 00:05:05,959 Is that some type of sign for me or I'm not fucking 76 00:05:05,959 --> 00:05:07,999 with anybody! 77 00:05:08,542 --> 00:05:10,751 You all know the drill. 78 00:05:10,751 --> 00:05:12,209 What does every new speaker do? 79 00:05:12,209 --> 00:05:13,876 AUDIENCE MEMBER: Drink! 80 00:05:13,876 --> 00:05:16,125 ERIC MILAM: So I'm Mormon. 81 00:05:16,501 --> 00:05:18,083 Not really. 82 00:05:19,626 --> 00:05:25,792 (Laughter) I'm a recovering Mormon, so That's a good one. 83 00:05:25,792 --> 00:05:26,792 Cheers! 84 00:05:26,792 --> 00:05:27,792 Congratulations. 85 00:05:27,792 --> 00:05:28,999 ERIC MILAM: Thank you. 86 00:05:34,792 --> 00:05:36,999 (Applause) As you were. 87 00:05:41,626 --> 00:05:44,292 Let's see him get back into it now. 88 00:05:44,292 --> 00:05:47,999 ERIC MILAM: Oh, you can't hear me. 89 00:05:47,999 --> 00:05:48,999 Okay. 90 00:05:48,999 --> 00:05:49,999 I know. 91 00:05:50,626 --> 00:05:52,083 All right. 92 00:05:52,083 --> 00:05:53,083 Is this better? 93 00:05:53,083 --> 00:05:54,375 AUDIENCE MEMBER: Yes. 94 00:05:54,375 --> 00:05:55,709 ERIC MILAM: All right. 95 00:05:55,709 --> 00:05:56,709 I apologize. 96 00:05:57,250 --> 00:05:58,459 Okay. 97 00:05:58,459 --> 00:05:59,542 So where were we at? 98 00:05:59,542 --> 00:06:02,999 So basically we can execute shit as system, fuck it, we might as well. 99 00:06:05,999 --> 00:06:10,667 Man, is that the alcohol or what? 100 00:06:10,667 --> 00:06:11,667 (Laughter). 101 00:06:11,667 --> 00:06:15,209 So we're like holy fuck, let's get some hashing right? 102 00:06:15,209 --> 00:06:19,999 You know, old school way was to get the registry keys out and do it. 103 00:06:19,999 --> 00:06:21,375 So fuck, let's automate that. 104 00:06:21,375 --> 00:06:24,209 So we wrote smbexec to dump the hashes from work stations 105 00:06:24,209 --> 00:06:29,459 and servers and what it basically does is runs Windows com regularsec. 106 00:06:33,999 --> 00:06:36,792 And sys plus sam, and then we run it 107 00:06:36,792 --> 00:06:40,876 through cred dump which converts it into the hashes and 108 00:06:40,876 --> 00:06:46,999 the John format and then we have our high quality hash there as well. 109 00:06:48,751 --> 00:06:52,459 So one of the other things that I was on a pen test, somebody brought 110 00:06:52,459 --> 00:06:55,918 up to me was WCE, yes, I know about memi cats, the stuff that 111 00:06:55,918 --> 00:06:58,542 they have done with minisploit. 112 00:07:02,834 --> 00:07:04,959 I found this and it's awesome. 113 00:07:08,999 --> 00:07:12,083 And WCE, basically with the minus w flag 114 00:07:12,083 --> 00:07:16,709 will dump clear text passwords out of memory. 115 00:07:16,709 --> 00:07:19,959 So it took me about five lines of code to code that in it. 116 00:07:19,999 --> 00:07:22,999 It was super simple. 117 00:07:22,999 --> 00:07:24,167 It runs automagically. 118 00:07:25,375 --> 00:07:27,667 If you want to turn that off, you can. 119 00:07:27,667 --> 00:07:29,501 You can comment out the code. 120 00:07:30,083 --> 00:07:32,834 So smbexec, we're like, shit, let's get stuff 121 00:07:32,834 --> 00:07:36,626 off the domain controller too while we're at it. 122 00:07:37,083 --> 00:07:41,209 Again, I went to my friend Google and Google told me how to go 123 00:07:41,209 --> 00:07:44,083 out and run everything from the command line 124 00:07:44,083 --> 00:07:48,125 and so what this will actually do is it will log in over 445, 125 00:07:48,125 --> 00:07:52,667 and create a volume shadow copy, and it will save off the NTDS.dit, 126 00:07:52,667 --> 00:07:54,417 the sys key. 127 00:07:54,542 --> 00:07:57,626 When it's done, it will clean up after itself. 128 00:07:57,626 --> 00:07:59,876 It will delete stuff it does on shadow copy. 129 00:08:00,083 --> 00:08:02,999 And I know there was a blog post in 2011 about this. 130 00:08:03,999 --> 00:08:07,292 There was actually a blog post and forum post back in 2005 131 00:08:07,292 --> 00:08:09,876 about doing this as well. 132 00:08:09,876 --> 00:08:12,125 So it's been around for a while. 133 00:08:12,125 --> 00:08:13,125 It's there. 134 00:08:13,751 --> 00:08:17,501 Once everything is good, it runs NTDS extractor and Libby SDB 135 00:08:17,501 --> 00:08:20,459 and gets the hashes out for you. 136 00:08:20,459 --> 00:08:22,501 It creates a tab separated, cred list for you 137 00:08:22,501 --> 00:08:25,584 for other functions within smbexec. 138 00:08:26,751 --> 00:08:29,918 So let's go ahead and see a demo. 139 00:08:29,918 --> 00:08:31,250 So I recorded the demo. 140 00:08:31,250 --> 00:08:32,751 So fuck it, we'll do it live! 141 00:08:37,999 --> 00:08:39,250 Okay. 142 00:08:44,626 --> 00:08:46,999 Does that look all right to you guys? 143 00:08:47,999 --> 00:08:51,876 All right. 144 00:08:51,876 --> 00:08:52,876 So that's smbexec. 145 00:08:52,876 --> 00:08:54,667 So first thing you are going to do, you are just going 146 00:08:54,667 --> 00:08:59,999 to really quickly just do system enumeration, create a quick host list. 147 00:09:05,626 --> 00:09:09,709 And basically what it's just doing is doing a quick Nmap scan 148 00:09:09,709 --> 00:09:12,792 and it builds the list for you. 149 00:09:12,792 --> 00:09:15,083 And then we'll go ahead and go into option three, which 150 00:09:15,083 --> 00:09:18,501 is obtain hashes, work stations and servers. 151 00:09:18,542 --> 00:09:19,999 Please provide the user name. 152 00:09:19,999 --> 00:09:21,834 I'm just going to spit it out here. 153 00:09:22,083 --> 00:09:23,959 This is Martin's password. 154 00:09:23,959 --> 00:09:24,959 (Laughter). 155 00:09:31,375 --> 00:09:33,709 So feel free, if you see pure hate anywhere, 156 00:09:33,709 --> 00:09:36,542 that's how you log into his accounts. 157 00:09:36,876 --> 00:09:42,334 Here's a local being, thanks to mimbix, it will give it a period or a dot, which 158 00:09:42,334 --> 00:09:46,375 is how developers recognize local hosts. 159 00:09:46,375 --> 00:09:49,709 And it recognizes that there was a host list created. 160 00:09:50,167 --> 00:09:54,667 This takes a little bit of time, you will see, it's basically what it's doing 161 00:09:54,667 --> 00:09:57,334 is it's going out and authenticating and logging 162 00:09:57,334 --> 00:10:01,000 into the box and pulling down the registry keys. 163 00:10:01,000 --> 00:10:03,999 And then when that's done, it will basically upload my 164 00:10:03,999 --> 00:10:05,918 obfuscated WCE. 165 00:10:07,334 --> 00:10:09,292 It does take a little bit. 166 00:10:09,292 --> 00:10:38,876 Let he had hop over here and get this ready. 167 00:10:38,876 --> 00:10:41,751 I'm just getting rid of some of this stuff here that I know comes 168 00:10:41,751 --> 00:10:44,083 out of it, and then sort. 169 00:10:44,083 --> 00:10:45,542 Can everybody see that? 170 00:10:45,542 --> 00:10:47,918 I made the font super big so okay. 171 00:10:47,918 --> 00:10:48,918 Cool. 172 00:10:48,918 --> 00:10:51,876 AUDIENCE MEMBER: It's a little hard from the back. 173 00:10:51,876 --> 00:10:54,417 ERIC MILAM: I'm a little hard up here, 174 00:10:54,417 --> 00:10:58,751 but (Laughter) ERIC MILAM: But I try. 175 00:11:01,999 --> 00:11:03,834 Is that a red card? 176 00:11:04,083 --> 00:11:05,209 Okay. 177 00:11:05,209 --> 00:11:08,209 So there we go, right/so basically, it's pretty much done. 178 00:11:08,209 --> 00:11:15,542 There's local hashes. 179 00:11:16,501 --> 00:11:20,125 I want to give a shout out to Royce Davis on our team, 180 00:11:20,125 --> 00:11:25,417 who updated our team and took Carlos' cash grab and redid it so it's actually 181 00:11:25,417 --> 00:11:29,999 a work standalone and it does include vista and non vista versions 182 00:11:29,999 --> 00:11:35,083 and then here's what I love the most, if I could spell right. 183 00:11:36,999 --> 00:11:39,417 Boom, clear text passwords, right? 184 00:11:39,417 --> 00:11:42,876 So if you look at that, that's 20 characters. 185 00:11:42,876 --> 00:11:44,999 I mean, you are not going to crack that shit. 186 00:11:44,999 --> 00:11:45,999 There's no way. 187 00:11:45,999 --> 00:11:48,999 So it's awesome that, you know, you can just get out of there. 188 00:11:48,999 --> 00:11:51,083 So here's one here, top dog, brav0hax. 189 00:11:52,709 --> 00:11:55,667 So let's go off the domain controller. 190 00:11:55,667 --> 00:11:57,209 Go after the domain controller. 191 00:12:00,999 --> 00:12:03,751 I'm going to authenticate as top dog. 192 00:12:05,292 --> 00:12:08,167 This was Martin's old password. 193 00:12:11,459 --> 00:12:15,918 And then I know that the domain controller, of course, is this, 194 00:12:15,918 --> 00:12:19,292 but, you know, there's simple dit commands that you 195 00:12:19,292 --> 00:12:21,999 can look up and find it. 196 00:12:21,999 --> 00:12:23,999 It asks you for the path to the NTDS.dit. 197 00:12:23,999 --> 00:12:25,626 You can put any path or any drive. 198 00:12:25,626 --> 00:12:26,626 Oh! 199 00:12:26,626 --> 00:12:28,751 Oh, wait a second. 200 00:12:36,999 --> 00:12:42,417 It helps if I give it the correct IP address. 201 00:12:47,584 --> 00:12:48,959 Okay. 202 00:12:48,959 --> 00:12:50,083 Found the NTDS.dit and now it says where do you want 203 00:12:50,083 --> 00:12:52,167 to save this stuff off to. 204 00:12:52,167 --> 00:12:53,959 You can give it a different path. 205 00:12:55,584 --> 00:12:59,999 So it checks to make sure that the path provided actually exists 206 00:12:59,999 --> 00:13:03,250 and it checks to make sure that there's disk space 207 00:13:03,250 --> 00:13:05,626 and creates the volume shadow copy 208 00:13:05,626 --> 00:13:08,999 and copies them off to your machine and it deletes 209 00:13:08,999 --> 00:13:11,709 the files that were created and removes 210 00:13:11,709 --> 00:13:16,417 the volume shadow copy that it was created and then it runs Libya ESDB 211 00:13:16,417 --> 00:13:20,125 to extract it and it gets the hashes out. 212 00:13:20,125 --> 00:13:21,999 And you can see it's running there. 213 00:13:25,501 --> 00:13:27,751 It takes a little bit. 214 00:13:27,792 --> 00:13:31,083 Dramatic pause here and then success. 215 00:13:31,083 --> 00:13:33,167 It looks like what we got what we came for. 216 00:13:33,167 --> 00:13:34,876 So let's make sure that's true. 217 00:13:34,999 --> 00:13:46,501 So there you go. 218 00:13:46,501 --> 00:13:47,999 That's all the hashes off the domain controller right there 219 00:13:47,999 --> 00:13:49,375 for you. 220 00:13:49,375 --> 00:13:50,375 (Applause). 221 00:13:50,375 --> 00:13:52,125 And it was like you were never there! 222 00:13:56,083 --> 00:13:59,999 So I have one other surprise for you. 223 00:14:04,626 --> 00:14:06,999 Might not be much of a surprise. 224 00:14:18,667 --> 00:14:21,709 That's our desktop, right? 225 00:14:21,999 --> 00:14:23,542 Oh, thank you. 226 00:14:23,584 --> 00:14:25,250 Thank you very much. 227 00:14:26,959 --> 00:14:30,250 Hey, it's Windows Server 2012, what do you know? 228 00:14:30,375 --> 00:14:32,083 So this is going to work for a while! 229 00:14:32,083 --> 00:14:33,083 (Applause). 230 00:14:33,083 --> 00:14:34,083 All right. 231 00:14:43,083 --> 00:14:44,751 So hold on. 232 00:14:44,751 --> 00:14:45,751 Sorry. 233 00:14:52,459 --> 00:14:53,626 Okay. 234 00:14:53,792 --> 00:14:56,626 So caveats, right, there's always caveats being right? 235 00:14:56,626 --> 00:14:58,876 You will need credentials to start with. 236 00:14:58,876 --> 00:15:00,792 You are going to need something with local admin rights, 237 00:15:00,792 --> 00:15:03,999 it could be a domain account or a local account. 238 00:15:04,375 --> 00:15:06,167 But administrator and password tends to work in nine 239 00:15:06,167 --> 00:15:08,876 out of the ten domains we pen test. 240 00:15:08,876 --> 00:15:09,999 So go and do that. 241 00:15:10,083 --> 00:15:14,083 Of course, there's NBNS spoofing and there's Ettercap. 242 00:15:19,999 --> 00:15:22,999 And so when someone is caring or paying attention, 243 00:15:22,999 --> 00:15:25,709 winexe creates a server that could be stopped 244 00:15:25,709 --> 00:15:27,999 or creates a red flag. 245 00:15:27,999 --> 00:15:35,083 It has a binary that could be installed in the system 32 or one of the paths. 246 00:15:35,125 --> 00:15:38,999 So that could be a red flag and get caught it. 247 00:15:38,999 --> 00:15:42,792 Touches disk, sometimes AV doesn't like WEC. 248 00:15:43,417 --> 00:15:46,834 And the reason it took longer to run, obfuscated 249 00:15:46,834 --> 00:15:50,792 the resource DSLs that are in the WCE binary and it takes 250 00:15:50,792 --> 00:15:54,501 an extra couple of seconds but I'm pretty sure that AV 251 00:15:54,501 --> 00:15:57,584 will have a hard time with it. 252 00:15:57,792 --> 00:16:00,751 That's part of what I release. 253 00:16:01,501 --> 00:16:04,999 Authentication over port 139 or 445 is required. 254 00:16:04,999 --> 00:16:06,999 If you can't do that, this doesn't work. 255 00:16:06,999 --> 00:16:08,999 And then locard exchange principles. 256 00:16:10,250 --> 00:16:12,167 This touches disk. 257 00:16:12,167 --> 00:16:14,959 It will not stand up to a forensics administration. 258 00:16:16,292 --> 00:16:20,083 The admins will look at the server and think everything is just fine. 259 00:16:20,417 --> 00:16:22,709 It has a lot of log ins. 260 00:16:23,584 --> 00:16:26,083 It might log in three or four times, and that might look bad 261 00:16:26,083 --> 00:16:28,375 if they are looking for that. 262 00:16:29,626 --> 00:16:31,584 So where can I get smbexec? 263 00:16:31,667 --> 00:16:35,083 It's out on sourceforge or git hub under brav0hax. 264 00:16:38,626 --> 00:16:40,999 And Royce creates one. 265 00:16:47,792 --> 00:16:49,709 Impact it looks like they developed something 266 00:16:49,709 --> 00:16:52,626 in python that was developed on Royce's work. 267 00:16:54,417 --> 00:16:55,999 I know bash, I don't know anything else 268 00:16:55,999 --> 00:16:58,626 and I don't really know bash that well. 269 00:16:58,626 --> 00:17:00,999 So a couple of our guys on team ported it to Ruby. 270 00:17:00,999 --> 00:17:07,250 So it's multi threaded and less hiccups and that's Brandon McCann. 271 00:17:10,375 --> 00:17:12,417 So credit where credit is due. 272 00:17:19,250 --> 00:17:22,999 Of course, WCE, Herman Ochoa, and smbclient, and winexe, 273 00:17:22,999 --> 00:17:27,459 and Skip Duckwall, you know, the original vanish script. 274 00:17:32,959 --> 00:17:36,292 The samba team, and winexe, and metasploit team, and 275 00:17:36,292 --> 00:17:38,999 the list goes on and on. 276 00:17:38,999 --> 00:17:43,834 Basically I couldn't smbexec really wouldn't work without that. 277 00:17:43,999 --> 00:17:46,375 So I don't know if I have time for questions, but please give 278 00:17:46,375 --> 00:17:49,709 the hackers for charity, go buy a T shirt or something. 279 00:17:53,083 --> 00:17:55,083 Thank you very much.