Thursday, 24 March 2011

Dumping on UAC with Metasploit

Before the likes of Vista, Server 2008 and Windows 7, dumping hashes under meterpreter used to be a trivial process of running getsystem and hashdump. Since then, Microsoft came up with UAC. As you know, this basically requires the user to click a pop-up prompt whenever they wish to perform a function that requires admin level privs, regardless of whether they are an admin on the machine anyway. This prevents us from running many of the regular post-exploit scripts within meterpreter - in particular, hashdump.

Luckily for us, Dave Kennedy and Kevin Mitnic put their heads together and created a module to get around this issue...

The secret to getting this to work is the migrate after running getsystem.
In this video I demonstrate the process from start to finish. I hope you find it useful.

Friday, 11 March 2011

Farewell OSCP :0(

So... It's all over. After three months spent in the offsec labs, this week I passed the OSCP exam.

I have endured many exams over my career, and I usually get a relieved feeling when I walk out of an exam with a pass. However, this time around I felt different - almost disappointed.

I had spent the last three months in what I can only describe as a hacker's Disney Land: a virtual lab with around 60 or so vulnerable servers just waiting to get owned. With every OS you can think of this side of the millennium, along with simulated users eager to open whatever payload you decide to email them, you can begin to get an idea of just how much fun is to be had here.

Time quickly came for the fun to stop though. I had root on almost all the lab machines in the student network and one or two on the other networks. It was now my chance to prove that I have been "trying harder", and take on the dreaded 24 hour exam.

I knew the course material cover-to-cover and had completed 90% of the extra mile challenges, so I was confident this was enough to tame this beast. How wrong I was!

24 hours went by like 24 minutes. 8 hours in, and I was still on the first of the five servers! Panic sets in, and you start to feel really demoralised at this point. "I shouldn't be a pentester", I told myself, "I havent even got the first server yet... throw in the towel now - this is not for you - go back to being a sys admin...".

Time out, let's get another coffee. Damn - I wish I still smoked!

Then suddenly things seemed clearer and exploits started working; the time was after midnight and tiredness was now long past. The first hurdle was cleared and I felt good again. So good, in fact, that I breezed throught the second server also. "That's 45 points and I still have 10 hours left. I'm going to make it easily", I thought. "I might even grab some sleep".

10 hours later, no sleep was had and I was still on the third box! I needed this (and another) to get the 70 points required to pass. I had shell, but could not escalate. It was then that I ran out of time (I can now understand why they give you 24 hours).

There aren't any single steps to root in this exam; you need to fight for a limited shell, then fight harder to escalate to admin, before grabbing the trophy from  the admin's desktop.

I picked up my sorry ass and re-booked the exam right away. This time I passed, but it was still a 12 hour battle, despite having the knowledge from the first exam.

Anyway, if you're reading this and are considering the course for yourself, then please do. It is not like any other you will take. By the time you  finish the exam, you will have earned the right to deservingly call yourself a security professional.

Okay, so now what? Well, other courses just don't do it for me anymore - they are all the same:-

Listen to the instructor, read the book, try a few excersises and pick an answer from a to e.

I am missing the offsec labs already, after only a week! All I can think about now is how to get my next offsec fix.

OSCE maybe ??!

Anyway, I'd like to say thanks, first to offensive security for such a well designed course and lab environment, and secondly to B0nd from for the support and encouragement throughout the course.

My only gripe I guess with the course, is that the trademark term "Try Harder!" is often overused when you need help within the labs. It can be rather fustrating sometimes when you are really stuck, to not be given even a point in the right direction, especially if you cannot afford to spend months on end playing around in the labs, and need that little help to get the most out of the course on a limited budget.
That said, some of the offsec admins DID help me out a couple of times with a few tips to help me focus in the right direction, so it would be worth trying a few of them before giving up, you may catch one having a really good day.