Owning Computers Without Shell Access

Discussion in 'other security issues & news' started by Hungry Man, Nov 14, 2012.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    http://www.accuvant.com/blog/2012/11/13/owning-computers-without-shell-access

    Really cool. You can see how much they pull - SAM/SECURITY hives for example.
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Wouldn't work on my XP/SP2 as cmd.exe/regedit.exe/vssadmin.exe are governed by ProcessGuard :D I agree though it does seem Very clever & Noiseless too :)

    Some interesting links if you search for NTDS.dit file. You might like to have a look at this one http://www.ntdsxtract.com/downloads/ntdsxtract/ntds_forensics.pdf as it also mentions utilising Volume Shadow Copy Services to help extract NTDS.DIT

    Amongst other things in there is this.

     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Is reg.exe? Just curious.

    A sandbox would prevent this from working depending on how it's configured. A default Sandboxie wouldn't stop this from what I can tell, but you could easily configure it to do so.
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Yes :)

    reg.png
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Nice, that should stop this attack cold then.
     
  6. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Correct me if I'm wrong. Does this attack assume that port 445 is open and accessible?
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This particular attack does, or rather it relies on the SMB protocol, which runs over a few ports including 445. The attack in general shouldn't though, I can't see why it would be specific to that port or even that protocol but I'm not sure.
     
  8. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    OK. If I'm understanding it correctly, SMB is a lot like NETBIOS and is used for many of the same purposes, primarily on the local network. Like NETBIOS, the simplest way to defend against this attack is closing the port and disabling the service behind it unless you actually use it.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Right. But the idea of using Windows executables to attack the system should be independent of the initial exploit. I think the psexec.rb may require the port. It is unclear.
     
  10. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Using Windows' own components maliciously isn't exactly new. I seem to recall something a lot like this that used NETBIOS ports to gain access to a command prompt. There have been attacks similar to this dating back to the 9X days. That said, if an attacker can gain access to a command prompt, it's game over no matter what OS you have.

    That's one problem I have with some of the "whitelisting" tools. Executables like cmd.exe, reg.exe, etc. might be legitimate system files, but they shouldn't be permitted for anyone but the system administrator. Preventing these and others from running in user mode is one of the first rules I make for SSM.

    No matter how much Windows changes, some things never do when you think about it, starting with leaving ports open by default that give an attacker this kind of access.
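The two defensive ideas that run through this thread are (a) the SAM/SECURITY hive pull that Hungry Man points out in the first post, and (b) noone_particular's rule that cmd.exe, reg.exe and friends should never run for anyone but an administrator. The following is an added example, not code from the thread or from the Accuvant write-up, that applies both ideas as detection logic over a handful of constructed process-creation records. The record format (`User=... | Image=... | CommandLine=...`), the administrator allow-list and the sample lines are all assumptions made up for the example; on a real host you would feed it Sysmon event ID 1 or Security 4688 data instead.

```python
"""Added example: flag process-creation events that match the hardening
rules discussed in the thread. Event format and samples are constructed."""
import re
from dataclasses import dataclass

# Executables the thread proposes restricting to administrators only.
RESTRICTED_IMAGES = {"cmd.exe", "reg.exe", "regedit.exe", "vssadmin.exe"}

# Assumed allow-list of accounts permitted to run the restricted images.
ADMIN_USERS = {"NT AUTHORITY\\SYSTEM", "CORP\\itadmin"}

# Credential-bearing hives mentioned in the thread (SAM/SECURITY, plus SYSTEM
# because it holds the key needed to decrypt the other two).
HIVE_RE = re.compile(r"\bhklm\\(sam|security|system)\b", re.IGNORECASE)
REG_EXPORT_RE = re.compile(r"\b(save|export)\b", re.IGNORECASE)
VSS_CREATE_RE = re.compile(r"\bcreate\s+shadow\b", re.IGNORECASE)


@dataclass
class Event:
    user: str
    image: str      # basename of the executable, lower-cased
    cmdline: str


def parse_event(line: str) -> Event:
    """Parse one constructed record of the form 'Key=value | Key=value'."""
    fields = dict(part.split("=", 1) for part in line.split(" | "))
    image = fields["Image"].rsplit("\\", 1)[-1].lower()
    return Event(fields["User"], image, fields["CommandLine"])


def evaluate(ev: Event) -> list[str]:
    """Return a list of reasons this event should be alerted on (empty if none)."""
    reasons = []
    # Rule 1: restricted system executables launched by a non-admin account.
    if ev.image in RESTRICTED_IMAGES and ev.user not in ADMIN_USERS:
        reasons.append(f"{ev.image} launched by non-admin account {ev.user}")
    # Rule 2: reg.exe writing out a credential-bearing hive, whoever runs it.
    if ev.image == "reg.exe" and REG_EXPORT_RE.search(ev.cmdline) and HIVE_RE.search(ev.cmdline):
        reasons.append("reg.exe exporting SAM/SECURITY/SYSTEM hive")
    # Rule 3: a new shadow copy, which makes locked hive files readable.
    if ev.image == "vssadmin.exe" and VSS_CREATE_RE.search(ev.cmdline):
        reasons.append("vssadmin.exe creating a volume shadow copy")
    return reasons


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Evaluate every record; return (user, image, reason) tuples for hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for reason in evaluate(ev):
            hits.append((ev.user, ev.image, reason))
    return hits


# Constructed sample records: one suspicious hive export by a standard user,
# one benign admin use of cmd.exe, one benign SYSTEM vssadmin query, one
# unrelated user process.
SAMPLE_EVENTS = [
    "User=CORP\\alice | Image=C:\\Windows\\System32\\reg.exe | "
    "CommandLine=reg save HKLM\\SECURITY C:\\Users\\alice\\sec.hiv",
    "User=CORP\\itadmin | Image=C:\\Windows\\System32\\cmd.exe | CommandLine=cmd.exe /c dir",
    "User=NT AUTHORITY\\SYSTEM | Image=C:\\Windows\\System32\\vssadmin.exe | "
    "CommandLine=vssadmin list shadows",
    "User=CORP\\bob | Image=C:\\Windows\\System32\\notepad.exe | CommandLine=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for user, image, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {user} {image}: {reason}")
```

Rule 1 alone implements the SSM-style policy from the post above; rule 2 fires regardless of who runs reg.exe, because an administrator exporting SAM or SECURITY to a file is rare enough on a workstation to be worth a look every time.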
     