Ever since MS17-010 made headlines and the Metasploit exploit came out, it has been mostly good news for penetration testers and corporate red teams. I'm not going to cover the vulnerability or how it came about as that has been beat to death by hundreds of people since March. The purpose of this post is to share some tricks that I have used to get this exploit to be more reliable. For those not aware, you can view the metasploit exploit via Rapid7 at the following link.

https://www.rapid7.com/db/modules/exploit/windows/smb/ms17_010_eternalblue

 Being a penetration tester, I've encountered numerous instances of the vulnerability across many different networks. From my experience, this is what I have found. 

• Sometimes the exploit will work
• Sometimes the exploit will cause the machine to BSOD (blue screen of death)
• Sometimes the exploit will execute, but nothing will happen.

I have tried using both meterpreter and native bind and reverse shells, tcp, http, https, etc. It has been very flaky for me over the course of the last 5 or so months. 

I have, however, found that using the following method/killchain to be the fastest and most reliable method to leverage this vulnerability and metasploit exploit. First, you are going to need to use the exploit. To do this, type

use exploit/windows/smb/ms17_010_eternablue

If this doesn't work, chances are you need to update your metasploit instance. I usually just run an apt-get update && upgrade to get everything upgraded if that happens. The more the merrier!

Now, instead of using the default meterpreter/reverse_tcp payload, you are going to set your payload to something that is a little less popular and often overlooked. The exec payload. What this payload does is execute a command on the machine. This can be anything from a reverse shell via powershell, launchng the calculator, killing minesweeper...you get the drift.

set payload windows/x64/exec

What I use this payload for is to add a local administrator to the machine. This is a two part process. I know you can chain the command in Windows, however, I have found limited success in doing that. I use this as the first part of the command.

set cmd net user NewAdmin SuperDuperPass1 /add

set rhost 192.168.1.1

Where:

• NewAdmin is the name of the new local administrative account we are adding to the machine. 
• SuperDuperPass1 is the password to the new local admin account we are adding to the machine. 
• RHOST is the machine being targeted

When you run this exploit, it will appear to fail (what metasploit tells you), however, you can try logging into the machine using msf login_scanner or other methods, and what you will often find is your new account has been added to the machine! Awesome. Now, all you have to do is re-run the exploit but use the following as the CMD argument.

set cmd net localgroup "administrators" NewAdmin /add

When you run this exploit, the account will be added to the local administrative group, which will allow you to use psexec to gain administrative access to the machine and get the goods!

So about a month back I started posting what we thought would be "weekly" security tutorials/thoughts/ideas, however the last month has been insane for us at SNT. I finally had time to break away and even more time to think about what I wanted my "comeback post" to be about. I stumbled across this little lightweight tool some time ago and thought this would be the perfect opportunity to explain how I use it in a penetration test how it helps get the goods. 

So first off, credit where credit is due, this tool is an awesome little project by byt3bl33d3r who has some great tools and programs under his belt. I suggest you take a look at his Github page and play around with some of his projects. They are a godsend to penetration testers. https://github.com/byt3bl33d3r

Okay, now that that is out of our system, it's time to dig in with CrackMapExec (CME). Installing the tool could not be simpler. Run the following on your kali linux command line. If this fails, i suggest pulling it from Github and installing it that way. 

apt-get install crackmapexec

If it doesn't install using the above command, I recommend doing an "apt-get update && apt-get upgrade" to make sure you have the latest and greatest packages from OffSec and the Kali squad.

I've found this tool incredibly useful for the following areas. 

Finding Local Admin Rights Across A Network - So, the "old" way I was doing this was using metasploits auxiliary/scanner/smb/smb_login script once I obtained local administrator username/hashes. Although this script has worked wonderfully for as long as I can remember, all it can do is scan where the user might have local administrator rights. CrackMapExec is like MSF's smb_login, but on steroids. 

Running Mimikatz on an entire range - So, once I had local admin rights to numerous machines on the network due to shared local admin accounts, the next challenge I had was finding that elusive logged in domain administrator or stealing the juicy password from memory. There a ton of different ways you finagle this in metsploit or some other framework, however, I always found every way to be somewhat clunky and not incredible reliable. Sure, SMBexec is one tool that can do "similar" things, however, installing that and having it work has become cumbersome lately. SMBexec is not the most lightweight tool in the world and if I'm on a pentest with a new VM or don't have the time (probably more of a patience than time thing) it can ruin your day and pentesting momentum. Sometimes that can be hard to come by. 

Also, like others have said before me, bombing mimikatz on a /24 is the most satisfying thing in the world.  CME can do this - and then some!

The Database

One of the coolest things about this tool is that it logs everything to a database. This is insanely helpful when you stumble across numerous credentials/hashes or have a ton of shell windows open at once and you accidentally close out of that *one* window. It logs everything to a nice database which you can access by typing "cmedb". It's reminiscent of a core impact-esque database that houses these username and password combinations during a penetration test. 

My Usage

During a penetration test, I use numerous tools to map the network in various ways. Some can be using active directory or null sessions, others can be using masscan/nmap to see whats alive, etc. I've found CME to be useful because it can map the network rather quickly and also saves it to a database. To do this, I generally perform the following command.

crackmapexec smb 192.168.1.1/24

*Note: Depending on how you installed CME, you may have to type "cme" or "crackmapexec" to run the tool. YMMV.

The output of the command should looks something like the following.

The above results were on my lab network, which I have a HP printer and a windows workstation. 

The next step is to start feeding CME some username and password/hash combinations so that it can work its magic and do the dirty work for us. To do this, you are going to want to use the following commands. 

crackmapexec smb 192.168.1.1/24 -u CoolAdmin -p ARealGoodPassword 

Sweet. We found that CoolAdmin can log into the device at 192.168.1.188! But it looks like he can just login, and he doesn't have any local admin rights on the machine. What a bummer.

Lucky for us, we happen to have the local administrative username and password for the local admin "Administrator". We will run the command above again, except this time we are going to use the local hash. In this case, I have included both the LM and NTLM values, you can of course skate by with just the NTLM value. The usage for a username and hash combination is shown below.

crackmapexec smb 192.168.1.1/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B

Now, you will know you have local administrative rights to the machine(s) because CME has possibly the greatest way of telling you. Pwn3d!

Ideally, from a penetration testing point of view and what makes me excited is running this tool on a network range and seeing hundreds of those little yellow words of decimation.

The next thing you are going to want to do is run mimikatz across that whole range to extract any passwords that may be hanging out in memory. To do this with CME, you run the following command. Note that I'm switching back to -p for a plaintext password, if you have a hash, just substitute it for the -H value as shown above. 

crackmapexec smb 192.168.1.1/24 -u Administrator -p Password1 -M mimikatz

By default, this should run the equivalent to "sekurlsa::logonpasswords" via mimikatz. The results are shown below.

I suggest you read the CME documentation and look at some of the other amazing things this tool can do and automate penetration testing. Hope you enjoyed this!

Just this week multiple media outlets reported over 129 million LinkedIn passwords being sold on the darkweb, stemming from a breach that occurred in 2012.  Although LinkedIn has implemented automated security precautions, such as blocking login attempts from a suspicious locations, e-mailing PINS, etc. - this breach is still a huge deal. The passwords are very easily accessible in plaintext through various sources that don’t require the dark web (I won’t share them here, if you are curious do a quick google search). Just yesterday, Forbes.com reported that LinkedIn has began resetting users passwords that haven’t been changed since 2012 to help thwart potential account compromises. The problem is that – this is only the tip of the iceberg.

One thing I know and many security professionals know for a fact is that users HATE passwords. Therefore, users will re-use the same password for multiple services. Let’s say your name is Ray Reddington (I do love the blacklist), you were involved in the great LinkedIn data breach of 2012, and your account credentials are now plastered all over the dark web for the pickings. Roman and his hacking buddies have targeted you (or your organization), and the data looks something like this.

Username: Ray.Reddington@blacklist.com

password: IL0veLiz

Because of LinkedIn’s diligent efforts to protect your security, they have conveniently reset your password, which you have changed by now. Good game, uber hackers!

Not so fast.

The hackers have located Blacklist Enterprises email portal, located at webmail.blacklist.com, which you use the same password for! Sure – you changed your LinkedIn password, but did you change your company email password? Your remote access or VPN password? If I breached your email account, how many changed passwords could I reset? Well, you use that e-mail for you LinkedIn account, banking account, online payment and benefits portal..you get my point.

Now, your account and possibly your corporate network has been owned because of LinkedIn, a classic example of some pwnage-by-proxy! So, what can you as a user do to help prevent this?

• Use complex passwords (or passphrases)
  • The more complex, generally the harder to break. If an attacker does compromise a site such as LinkedIn, and your account is protected with a strong password, it will not be cracked, therefore your account is not in immediate danger.
• Use different passwords for each service
  • Re-using passwords is something that has plagued and will continue to plague the security industry. By using different passwords for each service, it ensures that if one service is breached (such as LinkedIn), an attacker will not be able to access services such as your webmail with the same username/password combination.
• Really..make that password different
  • Using the example above, changing the password to IL0veLiz1 will not cut it, and a motivated attacker will step right through it. Maybe something like Liz1sN0TD3AD!LOL?. 

A good resource to bench how secure your password may be can be found at www.howsecureismypassword.net. According to howsecureismypassword, IL0veLiz1 will be cracked in about 4 days, whereas Liz1sN0TD3AD!LOL? Will take about 4 Quadrillion Years (yes, that’s the actual metric).