Post on 21-Jan-2017
Exploiting passwords for fun and profit with Metasploit
Don't Pick the Lock, Steal the Key
Who is this guy, anyways?
• David Maloney a.k.a. theLightCosine
• Core Developer for Metasploit Commercial Editions (Metasploit Pro, Metasploit Express)
• Before that: Community Contributor to the Metasploit Framework; Penetration Tester for Time Warner Cable
• Contact me: Twitter @thelightcosine, Email thelightcosine@metasploit.com
Application Password Storage
Clients:
• Convenience
• Keeps users from having to remember them
• Manages credentials for numerous systems in one place
• Totally avoidable
• Usually done poorly
Servers:
• Authentication purposes
• Must store them to compare against provided creds
• Unavoidable
• Getting better at doing this
Why we want passwords
• Who needs an exploit if we have the password?
• Looks like legitimate traffic/access
• Who audits successful logons?
• Shockingly easy to own all the things
• Case of the winscp.reg file
Password Storage Types: The Where
The Registry
• Often stored in one of two places:
• HKEY_LOCAL_MACHINE\SOFTWARE: available to all users all the time
• HKEY_USERS\<SID>\Software: available only to that user and Admins on the system
• Usually client apps
• CoreFTP is one example
INI files
• Old school way of storing data
• Still in use in some applications
• Mostly seems to be legacy support
• Usually client-side, not servers
• WinSCP is an example
XML Files
• Soooo much better than INI files </sarcasm>
• Still a flat file sitting on the file system
• Even easier to parse than INI files really
• Just grab your favorite XML parser
• Seen both on clients and servers
• FileZilla is an example of this
Binary File Format
• Usually some custom format
• Often breaks down into common blocks with header groupings
• Headers usually tell: type of data, length of data, name of field, etc.
• Can be a real pain to reverse engineer the format on these
The Windows Credential Store
• Windows started providing a Credential Store for saving certain types of credentials
• Managed by the Operating System
• Restricted by user access controls
• Bypass these controls by calling the API functions as our victim user thanks to Railgun
• See Kx499's enum_credstore Post module for specifics
Databases
• Passwords stored in a backend database
• How most webapps work these days
• Usually server apps
Password Obfuscation: How we keep you from just looking at the password… in theory
Cleartext Passwords
Pro:
• None. Never ever store passwords in plaintext
Con:
• Password is wide open to the world
• This happens more than you'd think!
• Same for every user
XOR Encoding
Pro:
• Not in plaintext
• Attacker has to figure out what the plaintext was XORed against
Con:
• Easily reversed
• Attacker finds the XOR value
• XOR cipher text against the same value to recover plaintext
• Same for every user
Custom Encoding
Pro:
• May be more difficult for attacker to figure out
• More complex than simple XOR encoding, usually
• Feel 1337 for writing your own 'encryption'
Con:
• Unless you are a cryptographer, your algorithm sucks (sorry, it's true)
• Not really encryption
• Easily defeated by reverse engineering
• Same for every user
Actual Encryption (AES, DES, etc.)
Pro:
• Real encryption
• Proven technology
• Not a simple reversible procedure
Con:
• Hardcoded static key used
• Reverse engineering can recover the key
• Still the same for every user
Microsoft CAPI
Pro:
• Real encryption
• Proven technology
• Encryption key is never given to userland
Con:
• We can call the same APIs as the user with Railgun
• Statically coded key material
• Same for every user
CryptProtectData
Pro:
• Real encryption
• Proven technology
• Entropy added on a user-by-user basis
• Different for every user!
Con:
• We can call the API as the user with Railgun
• Machine hands decrypted materials right over
• In Soviet Russia… passwords steal you!!!!
Hashing
Pro:
• One-way operation
• Not reversible (in theory)
• Great for servers
Con:
• Not an option for clients
• Some hashing algorithms have weaknesses
• Still always rainbow tables and bruteforcing
Master Password Encryption
Pro:
• Real encryption
• Proven technology
• No static keys!
• Different for every user
Con:
• Your users still have to remember 1 password
• Have to be careful about how master password is put into memory
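The "same for every user" con of a hardcoded key versus the per-user property of master-password encryption, as an added Ruby example (not code from the talk or from any of the applications it names). The key bytes, user names and passwords are constructed; the static-key scheme stands in for an app that embeds its AES-128-CBC key in the binary, the master-password scheme derives a per-user key with PBKDF2.

```ruby
require 'openssl'
require 'securerandom'

# Constructed comparison (not code from the talk or from mRemote):
# Scheme A: AES-128-CBC under a key hard-coded in the application binary.
# Scheme B: AES-128-CBC under a key derived per user from a master password.
STATIC_KEY = "0123456789abcdef".b # hypothetical embedded key, 16 bytes = AES-128

def aes_cbc_encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh IV per record, stored in front of the ciphertext
  iv + cipher.update(plaintext) + cipher.final
end

def aes_cbc_decrypt(key, blob)
  cipher = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  cipher.key = key
  cipher.iv = blob[0, 16]
  cipher.update(blob[16..-1]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # wrong key: the PKCS#7 padding check (almost always) fails
end

# Scheme B key derivation: PBKDF2-HMAC-SHA256 over the master password and a per-user salt.
def master_key(master_password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(master_password, salt, 100_000, 16, 'sha256')
end

# Scheme A: whoever reads STATIC_KEY out of the binary decrypts every user's store.
def static_key_scenario
  alice_store = aes_cbc_encrypt(STATIC_KEY, 'alice-ftp-secret')
  bob_store   = aes_cbc_encrypt(STATIC_KEY, 'bob-ftp-secret')
  recovered   = STATIC_KEY # reverse engineering yields the same bytes on every install
  [aes_cbc_decrypt(recovered, alice_store), aes_cbc_decrypt(recovered, bob_store)]
end

# Scheme B: Alice's key, however obtained, does not open Bob's store.
def master_password_scenario
  alice_key = master_key('alice master', SecureRandom.random_bytes(16))
  bob_key   = master_key('bob master', SecureRandom.random_bytes(16))
  bob_store = aes_cbc_encrypt(bob_key, 'bob-ftp-secret')
  [aes_cbc_decrypt(alice_key, bob_store), aes_cbc_decrypt(bob_key, bob_store)]
end
```

The first scenario returns both users' plaintexts from one recovered key; the second returns nil (or garbage) for Alice's key and Bob's plaintext only for Bob's own key, which is the "different for every user" property the slide is after.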
Examples
Filezilla FTP Client
•Saved Sites stored in XML File
•Passwords in Cleartext
•Filezilla offers 'kiosk mode' to prevent password storage
mRemote
•Saved Sites stored in XML File
•AES-128-CBC Encryption
•Weak static Encryption Key
•OpenSource means everyone can see the encryption key
WinSCP
•Saved Sessions stored either in the registry or an INI File
•Passwords stored with weak custom encoding routine
•OpenSource means everyone can see the routine for decryption
SmartFTP
•Saved Sites stored in XML File
•Encrypted with Microsoft CAPI
•Weak Static Encryption Key
•Called same CAPI Functions with Railgun
Where do we go next?
•Creds stored to database
•Known creds are prioritized in the Pro Bruteforcer
•Run Bruteforcer with all the stolen creds
•Give it a few hours….
…You get this! Let's see you exploit that many systems without setting off alarms