Raising Zombies in Windows: Passwords

Thursday, September 13, 2012

Rob Fuller

D8853ae281be8cfdfa18ab73608e8c3f

With the use of Mimikatz and WCE, clear text passwords are much more common. What isn't always there is the user.

They take lunches, go home at a reasonable time and generally aren't really appreciative of our (pentester/red teamer)'s schedule.

A straight forward way, and provided by Microsoft to create a process as a user (whereby having their token readily available is using 'runas.exe':

Screen Shot 2012 07 31 at 4 04 41 PM

w00t, we the user is present, we can migrate our meterepreter session into that notepad and we're good right? Problem there is you have to interactively input the password, so without a real cmd.exe or RDP session of your own, (VNC payload would work), you're generally SOL.

There are a ton of posted ways around this, most involve make a wrapper script to input the password for you such as this one:

Screen Shot 2012 07 31 at 3 24 11 PM

(this was pretty unique as it actually sent the keys to the key buffer instead of directly to STDIN)

Another way if you don't mind dropping / creating a custom bin, AutoIT makes this REALLY simple:

Screen Shot 2012 07 31 at 3 57 42 PM

This could be 2 lines if you really wanted it to be but I like to make things a bit more universal. You could also execute this directly in memory with meterepreter's execute command with the "-m" argument after you've built the AutoIT script into a EXE.

But what go through all that trouble? Railgun can do this just as easily. Drop to IRB or create a script that does the following:

a = client.railgun.kernel32.GetStartupInfoW(56)["lpStartupInfo"]

client.railgun.advapi32.CreateProcessWithLogonW("USER","DOMAIN","PASSWORD","LOGON_WITH_PROFILE","notepad.exe",nil,0,nil,nil,a,32)

This will create a notepad.exe process with the defined user. But we can go a bit more stealthy, since we really only need their account token we can just user LogonUser:

client.railgun.advapi32.LogonUserA("USER","DOMAIN","PASSWORD","LOGON32_LOGON_INTERACTIVE","LOGON32_PROVIDER_DEFAULT",4)

List the tokens available with Incognito, your new user will be there, steal it and you're done. You now have the ability to user that account/domain token on any of the hosts you've compromised on the network, not just the ones they happen to have left themselves logged in.

This gets really fun on servers where the admin hasn't logged in but you wanna grab all of their IE saved passwords.

Cross-posted from Room362

Possibly Related Articles:
9082
Network Access Control
Information Security
Passwords Windows Hacking Tools Penetration Testing Network Security Meterpreter Railgun Tutorial Mimikatz
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.