Computer$ in Domain Admins

The other day I came across a situation I have not seen before. One of the guys I work with gained access to a Windows 2008 box that was joined to a domain. The LSA secrets did not reveal anything useful, no domain users were currently logged on, and password reuse wasn’t the case here. However, and this is the interesting part, it turned out that the computer itself was part of the “Domain Admins” group. A quick migrate to a system process and “net user /add /domain” worked! Domain compromised and I am now looking into reasons for adding a host to administrative groups. I imagine it must be some lazy fix…

Blogging sequentially using Writeroom, TextMate and ecto or MarsEdita

I’ve been looking into various tools for use in OSX and came across this article. The biggest idea I got out of it was:

The key to better productivity: separate writing, coding and publishing into clearly distinct sequences and find the best tools for doing each

I realized that I’ve been trying to do all of it at the same time and it usually got too frustrated to write more or better.

Blogging sequentially using Writeroom, TextMate and ecto or MarsEdita

Similar projects to PastebinDorks

I haven’t really done any research into what’s available out there prior to creating PastebinDorks, but now I’m coming across more and more projects with similar ideas in mind. I thought I’d list them here (in no particular order):

I’m sure there’s more out there and I will post links as I find them.

PastebinDorks

One of my little projects I’ve been working on lately is PastebinDorks. The idea is simple: scan pastebin for potentially interesting information. More specifically, password dumps and releases of current hacking groups such as Anonymous. Writing the tool wasn’t hard (it’s just a few hundred lines of code right now); the actual challenge was and still is in differentiating valid data and junk such as debug logs. So far I’ve been working with just identifying false positives, but have not done anything about finding false negatives. That bit would require quite a bit of effort since I would have to go through each paste to verify it (and there are a lot of pastes).

What are the benefits of such a tool? From a security analyst/researcher perspective, it is important to stay current with user trends to provide valuable, up to date service. A dictionary attack is not very useful if it is not fine tuned. The bad guys already have these real world passwords since they are the ones who did the hacking in the first place. They are a step a head and I feel we need to catch up. Another reason is that one might want to monitor for leaks of their personal information, compromises of websites he is a member of, leaks from one’s organization, etc.

Anyway, just wanted to make this quick note. The tool is fairly stable right now (as in it’s been able to handle errors gracefully), but I’m still getting too many false positives. Also, it seems I’m missing some of the posts and need to play around with timing requests, although pastebin.com gets upset if I make them too frequently.

A Note on Hacking Citrix

During one of my pentests recently I was able to gain access to a Citrix server with user-level privileges. The user had access to some client-specific applications and read/write access to a share. Changing .ica shortcuts to point to other programs did not work out; access to cmd.exe was disabled by the administrators. So, what to do? Why, create a .bat file on that writable share, of course! It’s not cmd.exe that’s important, it’s running commands such as “net user” what really matters. But, just a “net user” by itself won’t do — the window closes right after execution. Not a big deal, throw a “pause” in there which will make it wait for user input before exiting. Editing and saving the .batch file to run new commands each time is tiresome, though. That is why I created a tiny script that simply loops and keeps asking for new commands to execute:

@echo off
:awesome
echo %CD%^>
set /p cmd=
%cmd%
goto awesome

With this I was able to easily enumerate the domain. Unfortunately that’s where I had to stop due to time constraints. What would I have done if I could have kept going? Probably enumerate all the users and do some sweeps for weak passwords using command to map network drives. Perhaps enumerate the network and scan for misconfigured hosts that have domain users in their local administrators group. Maybe TFTP out and download a malicious tool or document to leave for the user to open. Maybe all of the above and more! I wish I had more time because that would have been a lot of fun!

Edit: updated the script slightly (%CD% is to show current working directory and ^ is to escape greater than sign).