-
The first 15 days of a password honeypot
A couple of days ago I started running a password honeypot based on heralding. Here is a first analysis and some wordlists. Time frame of this analysis From: $ head heralding_activity.log -n 2 | cut -d "," -f1 timestamp 2016-10-07 19:33:32.291966 To: $ tail heralding_activity.log -n 1 | cut -d "," -f1 2016-10-22 16:51:06.616767 Password attacks…
-
NTDS Cracking with Kali
During a pentest it might be possible to gain access to the DC of a Windows network. The ntds.dit file is interesting, because all kinds of AD information are stored there, for example the user hashes. When looking for a how-to on cracking NTDS databases I found: https://gist.github.com/ddouhine/018ac4a8c95498101e7f Not everything worked for me, so…
-
Memdumps, Volatility, Mimikatz, VMs – Part 9: Logging & Monitoring ESXi
So why might this be relevant anyway? All management consoles should be in your separated management network anyway, right? Well, unfortunately that is not always the case: As you can see, about 85.000 ports from the VMware Authentication Daemon are open over the internet. And you can even brute-force accounts: https://www.rapid7.com/db/modules/auxiliary/scanner/vmware/vmauthd_login Further, during an onsite…
-
Memdumps, Volatility, Mimikatz, VMs – Part 8: ESXi Attacking Scenario – Volatility on ESXi
How cool is that: volatility standalone is running on ESXi… (http://www.volatilityfoundation.org/#!releases/component_71401) This scenario only applies if you have access to the ESXi server via ssh. [root@localhost:/tmp] wget http://downloads.volatilityfoundation.org/releases/2.5/volatility_2.5.linux.standalone.zip Connecting to downloads.volatilityfoundation.org (173.61.222.9:80) volatility_2.5.linux 100% |*******************************| 32039k 0:00:00 ETA [root@localhost:/tmp] unzip volatility_2.5.linux.standalone.zip Archive: volatility_2.5.linux.standalone.zip creating: volatility_2.5.linux.standalone/ inflating: volatility_2.5.linux.standalone/AUTHORS.txt inflating: volatility_2.5.linux.standalone/CREDITS.txt inflating: volatility_2.5.linux.standalone/LEGAL.txt…
-
Memdumps, Volatility, Mimikatz, VMs – Part 7: ESXi Server
– I installed ESXi 6 in VMware Workstation 12 – for this, download the ESXi image – choose “typical installation” when creating a new VM in VMware Workstation – for learning and testing this is awesome Screenshot of ESXi running in VMware Workstation. – I copied my Windows 7 VM from Workstation to ESXi. –…
-
Memdumps, Volatility, Mimikatz, VMs – Part 6: VMWare Workstation
The VM is running Windows 7. From the running machine take the snapshot: Now it is possible to perform the volatility stuff directly with the .vmem file from the snapshot: C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f "C:\Users\dax\Documents\Virtual Machines\Windows 7 x64\Windows 7 x64-Snapshot1.vmem" imageinfo Volatility Foundation Volatility Framework 2.5 INFO : volatility.debug : Determining profile based on KDBG…
-
Windows Credentials and Memory Dumps – Part 5: Virtualbox & LM/NTLM Hashes
For this part I’m using the standalone version of volatility for Windows. The goal is dumping LM/NTLM hashes from a Windows memory image. When you have access to a host where virtual machines are running, but you do not have access to the VMs themselves, one possibility is to reboot the VM but starting an…
-
Windows Credentials and Memory Dumps – Part 4: Volatility & Mimikatz
For this test I installed everything in a WinXP VM. I followed these instructions: http://michlstechblog.info/blog/security-install-mimikatz-offline-plugin-to-volatility-draft/ … with only small changes, because I had a win32 machine. First things first: The plugin seems to be a PoC and supports Windows Vista & 7 with 32 & 64 Bit (Maybe works for Win Server 2008 too?). Here are…
-
Memdumps, Volatility, Mimikatz, VMs – Part 3: WinDBG Mimikatz Extension
Now this is interesting. It is possible to load a full memory dump into WinDBG, load mimikatz and dump the credentials in cleartext. For this I used the dump of the Windows 7 machine from part 2. For this: – Download & install WinDBG – Download MoonSols Windows Memory Toolkit (http://www.moonsols.com/windows-memory-toolkit/) Convert the memory image: C:\Users\dax\Downloads\MWMT-v1.4>bin2dmp.exe…
-
Memdumps, Volatility, Mimikatz, VMs – Part 2: Windows 7 Full Memory Dump & Get Hashes
For this part we first make a memory dump with the MoonSols DumpIt.exe tool (using my physical Windows 7 x64 machine): http://www.moonsols.com/2011/07/18/moonsols-dumpit-goes-mainstream/ The next steps are simple volatility calls, like getting the basic image information: C:\Users\dax\Downloads\volatility_2.5.win.standalone>volatility-2.5.standalone.exe -f DAXAMD-20160124-111555.raw imageinfo Volatility Foundation Volatility Framework 2.5 INFO : volatility.debug : Determining profile based on KDBG…