Nov 16, 2012

Dumping Domain Password Hashes Using Metasploit (ntds_hashextract.rb) By Pentest Geek

Step 1 – Install Libesedb
Libesedb is an open source C library developed to forensically extract information from Extensible Storage Engine (ESE) database files. In order to get what we need out of NTDS.dit we will first have to download and install the library from the following URL

Next we will need to extract the tarball, configure, make and install the library using the command line.
  • $ tar xvzf libesedb-alpha-20120102.tar.gz
  • $ cd libesedb-20120102
  • $ ./configure
  • $ make && make install
This is what the finished output looked like for me after everything was done on a fresh copy of Backtrack 5.

Step 2 – Export Tables From NTDS.dit
Now that you have a working install of the Libesedb library, make sure you’ve got a proper copy of the NTDS.dit database as well as the SYSTEM registry hive file on your machine. In case you weren’t already aware, you can use another one of my modules, ntdsgrab.rb, to obtain these items from a Windows Domain Controller, provided you have proper credentials of course. Here is what they look like on my system after downloading them via the Metasploit Framework.

Change into whatever directory contains your loot, in my case the /tmp/NTDS_Grab directory and run esedbexport from the libesedb/esedbtools directory against your NTDS.dit database. It will export all of the tables and store them in a newly created directory called ntds.export.

Step 3 – Dump All The Hashes
At this point you’re ready to run ntds_hashextract.rb against the datatable (Table #4) and the SYSTEM registry hive file in order to grab all of the domain password hashes. If the domain is large enough (several thousand unique users) the command might take a few minutes to finish on your system so go grab a cup of coffee. When it’s done it should look something like this.


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Nov 14, 2012

VMInjector - DLL Injection tool to unlock guest VMs

Overview: VMInjector is a tool designed to bypass OS login authentication screens of major operating systems running on VMware Workstation/Player, by using direct memory manipulation.
VMInjector is a tool which manipulates the memory of VMware guests in order to bypass the operating system authentication screen.
VMware handles the resources allocated to guest operating systems, including RAM memory. VMInjector injects a DLL library into the VMware process to gain access to the mapped resources. The DLL library works by parsing the memory space owned by the VMware process and locating the memory-mapped RAM file, which corresponds to the guest’s RAM image. By manipulating the allocated RAM file and patching the function in charge of the authentication, an attacker gains unauthorised access to the underlying virtual host.
VMInjector can currently bypass locked Windows, Ubuntu and Mac OS X operating systems.
The in-memory patching is non-persistent, and rebooting the guest virtual machine will restore the normal password functionality.
Attacking Scenarios:
VMInjector can be used if the password of a virtual host is forgotten and requires reset.
More usually, this tool can be used during penetration testing activities, when access to a VMware host is achieved and the attacker is looking to gain additional access to the guests running on that host.
Requirements:
  • Windows machine (with administrative access);
  • VMware Workstation or Player edition;
  • A locked guest VM;
VMInjector consists of 2 parts:
  • The DLL injection application (python script or provided converted executable)
  • DLL library (x86 and x64)
The tool supports both x86 and x64 bit architectures by providing both DLLs. One may use his own DLL injector to select the guest virtual machine running on the host.
In order to run the tool, execute the VMInjector (32 or 64) executable provided from the command line as shown in figure 1.
Figure 1: List of running guest machines.
VMWare runs each guest in a different process. VMInjector needs to be pointed to the process running the guest which requires bypass. Once the user chooses a process, it will inject the DLL into the chosen target.
Once the DLL is injected, the user will need to specify the OS, so that the memory patching can be accomplished, as shown in Figure 2.
Figure 2: Searching for OS signature in memory and patching.
Tool and Source Code:
The tool executable and source code can be found on GitHub (


Use X-Forwarded-For header to get the admin access

If you want to get full story, please visit the Source.

The Attack

So I was hanging out on StackOverflow's chat fairly frequently at that point. At that time, it was still very new, and still had a bug or two. One day I started noticing stack traces on the main site. I didn't think anything of it at that point, because I'd been used to seeing them all over the internet. In fact, almost every time I got an error page on an ASP.NET site, I'd see a stack trace. But at this point, I didn't put 2+2 together. 

It wasn't until I noticed a new menu item in the chat application that it really clicked. This new menu item was named "Admin". Curious, I clicked the link, figuring I'd be immediately denied access. What happened next surprised me. Not only was I not denied access, but I was granted full access to everything. I had the developer console to see what people were doing. I had a database query interface where I could directly query any database that I wanted. I had admin access to chat.

The Vulnerability

If you're clever, you should be able to figure out what happened. But in case you didn't, here's how it went down. When I had my connection proxied through Squid, it added an X-Forwarded-For header. The value of this header was the IP of my source browser which made the request. But because of the SSH tunnel, the IP was localhost. To Squid, there was no difference between my browser and local. So it added X-Forwarded-For:

The really interesting part was what ASP was reporting. When they configured a page which would dump the raw request headers, my requests came through as Remote_Addr:!!! In their application, they were checking the correct header value. But IIS was misconfigured to rewrite Remote_Addr from X-Forwarded-For if it existed. So thanks to a misconfiguration, I was able to get admin access as easily as using my proxy.

The Takeaway

There are a few takeaways from this that I think are important to point out. The first is the simple one. Never rely upon X-Forwarded-For for anything with respect to security. Always use Remote_Addr. And given that, I think it's worth asking the question if you need IP based security in the first place. Or at least don't rely on IP based security, and just use it as a defense-in-depth tool. But don't rely on it.

Applying This To PHP

The interesting thing here is that PHP applications may have the same style of vulnerability. Check out Symfony2's Request class. On the surface it looks great. Until you notice that it uses a static variable to determine if it should use the proxy information. That means that if ANY part of your application wants proxy information (such as a logging class), all of your application after that will get the proxied information. So to see if you're vulnerable to this style of attack, grep your code for $request->trustProxy(). Also note that there's no in-built mechanism to untrust the proxy. Once it switches to true, it will stay true. Sounds like a major design flaw to me...

It's worth noting that Zend Framework 2 does not have this functionality. They have an IP session validator, which behaves similarly to Symfony's Request class (in terms of getting the IP). However, Zend Framework 1 did have functionality to get the IP address. And in my opinion, this is the right way to do it. Don't rely on brittle state or even global state. Have the requestor explicitly choose what they want, defaulting to the secure alternative.
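The two points above, never trusting X-Forwarded-For from an arbitrary peer and making the caller choose explicitly rather than flipping global state, can be shown side by side. The following is an added example, not code from the original post or from Symfony or Zend: the naive lookup that the misconfigured IIS effectively performed, beside a hardened lookup that honours the header only when the TCP peer is a proxy the operator runs, and takes that trusted set as a per-call argument. The proxy address, the localhost admin allowlist and the request values are constructed for the example.

```python
import ipaddress
from typing import Mapping, Sequence

# Constructed addresses for this example (assumptions, not taken from the original post).
TRUSTED_PROXIES = ("10.0.0.5",)      # the reverse proxy we operate in front of the app
ADMIN_ALLOWLIST = ("127.0.0.1",)     # "admin if the request arrives from localhost"


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The misconfiguration described above: if X-Forwarded-For is present it
    silently replaces the transport address, no matter who sent it."""
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted_proxies: Sequence[str] = ()) -> str:
    """Address to use for access decisions.

    X-Forwarded-For is honoured only when the TCP peer (remote_addr) is a proxy
    we operate; from anyone else the header is attacker-controlled text and is
    ignored. The caller passes the trusted set explicitly on every call, so there
    is no global "trust proxy" flag that one component can flip for everyone.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Our proxy appends the address it saw, so the real client is the last hop
    # that is not one of our own proxies. Earlier entries may be fabricated.
    for hop in reversed(hops):
        try:
            if ipaddress.ip_address(hop) not in trusted:
                return hop
        except ValueError:
            return remote_addr   # malformed header: fall back to the peer address
    return remote_addr


def is_admin_request(remote_addr: str, headers: Mapping[str, str],
                     hardened: bool = True) -> bool:
    """IP-allowlist check, in the naive and the hardened variant."""
    if hardened:
        ip = client_ip(remote_addr, headers, TRUSTED_PROXIES)
    else:
        ip = naive_client_ip(remote_addr, headers)
    return ip in ADMIN_ALLOWLIST


if __name__ == "__main__":
    # Constructed requests: a direct client that supplies its own header, and a
    # legitimate request relayed through the trusted proxy.
    direct = ("203.0.113.9", {"X-Forwarded-For": "127.0.0.1"})
    proxied = ("10.0.0.5", {"X-Forwarded-For": "127.0.0.1, 198.51.100.7"})
    print("naive check grants admin:   ", is_admin_request(*direct, hardened=False))  # True
    print("hardened check grants admin:", is_admin_request(*direct))                  # False
    print("client behind our proxy:    ", client_ip(*proxied, TRUSTED_PROXIES))       # 198.51.100.7
```

Walking the header from the right is what matters: the proxy you operate appends the peer it actually saw, while everything to the left of that arrived as text from the outside. If no proxy sits in front of the application at all, pass an empty trusted set and the function reduces to Remote_Addr, which is the post's first recommendation.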



XSS In the famous website.

XSS In Apple website.

XSS In the eBay website.


Nov 12, 2012

NetSleuth - Realtime & PCAP Analyzer

NetSleuth features:

  • A realtime overview of devices connected to a network.
  • No requirement for hardware or reconfiguration of networks.
  • “Silent portscanning” and undetectable network monitoring.
  • Offline analysis of pcap files to aid in intrusion response and network forensics.
  • Automatic identification of a vast array of device types, including smartphones, tablets, gaming consoles, printers, routers, desktops and more

Silent PortScanning

Many network devices broadcast various information across the network. Often this is for ‘zero configuration’ style services, for example Apple’s Bonjour protocol. These broadcasts often carry details about the machine and the services running on that device – great information for fingerprinting.
For this reason, it is possible to obtain port scanning style information completely silently. NetSleuth also does not put the network adapters into promiscuous mode, mitigating some techniques to detect sniffing network adapters.

No Configuration

NetSleuth is a 100% software solution, and will monitor traffic on switched or hubbed networks. Any Windows machine on the network can be used.

Offline Analysis

A network capture from any network with consumer devices will contain a huge amount of rich broadcast traffic for analysis. NetSleuth can analyse and extract this data from .pcap files produced by Snort, Wireshark or other tools. It can also analyse data intercepted by Kismet (the .pcapdump files).


NetSleuth can extract, analyse and fingerprint devices from the following protocols:
  • Apple MDNS / Bonjour
  • SMB / CIFS / NetBios
  • DHCP (using the resource)
  • SSDP (as used in Microsoft Zero Config)
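To make concrete what the "silent portscanning" section and the protocol list above mean, here is an added example that is not NetSleuth's code and not from the original post: a minimal parser for one Apple mDNS / Bonjour response, the first protocol in the list. The packet is constructed inline (an assumed AirPlay advertisement, not a real capture) and nothing is ever sent, which is the point: the service name, the host name, the port and the device model all arrive in a single multicast frame that any host on the segment receives without asking, and a passive inventory tool only has to decode it. The parser handles DNS name compression and rejects the forward and self-referencing pointers that a malformed frame could use to loop a naive decoder.

```python
import struct
from typing import Dict, List, Tuple

# --- constructed sample packet (an assumption for this example, not a real capture) ---

def _name(dotted: str) -> bytes:
    """Encode a dotted name as DNS labels, uncompressed."""
    return b"".join(bytes([len(l)]) + l.encode() for l in dotted.split(".")) + b"\x00"


def _rr(name: bytes, rtype: int, rdata: bytes, ttl: int = 4500) -> bytes:
    # class 0x8001 = IN with the mDNS cache-flush bit set
    return name + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata


def build_sample_packet() -> bytes:
    """One unsolicited mDNS response advertising an AirPlay service."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)  # response flags, 3 answers
    service = _name("_airplay._tcp.local")
    instance = _name("Living Room._airplay._tcp.local")
    ptr = _rr(service, 12, instance)
    # Later records refer to the instance name with a compression pointer to its
    # first occurrence (inside the PTR rdata), as real responders do.
    pointer = struct.pack("!H", 0xC000 | (len(header) + len(service) + 10))
    srv = _rr(pointer, 33, struct.pack("!HHH", 0, 0, 7000) + _name("appletv.local"))
    txt_items = (b"model=AppleTV3,2", b"srcvers=150.33")
    txt = _rr(pointer, 16, b"".join(bytes([len(i)]) + i for i in txt_items))
    return header + ptr + srv + txt


# --- passive decoder --------------------------------------------------------------

def read_name(pkt: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels: List[str] = []
    end, jumped = off, False
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            target = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2
            if target >= off:                           # only backward pointers are legal
                raise ValueError("illegal compression pointer")
            off, jumped = target, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(pkt[off:off + length].decode("utf-8", "replace"))
        off += length


def parse_mdns(pkt: bytes) -> List[Dict]:
    """Return every resource record in a DNS/mDNS message as a dict."""
    _, _flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = read_name(pkt, off)
        off += 4
    records: List[Dict] = []
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        rstart, rdata = off, pkt[off:off + rdlen]
        off += rdlen
        rec: Dict = {"name": name, "type": rtype}
        if rtype == 12:                                 # PTR: service -> instance
            rec["target"], _ = read_name(pkt, rstart)
        elif rtype == 33:                               # SRV: instance -> host, port
            _prio, _weight, rec["port"] = struct.unpack_from("!HHH", pkt, rstart)
            rec["target"], _ = read_name(pkt, rstart + 6)
        elif rtype == 16:                               # TXT: key=value strings
            kvs, i = {}, 0
            while i < len(rdata):
                n = rdata[i]
                key, _, value = rdata[i + 1:i + 1 + n].decode("utf-8", "replace").partition("=")
                kvs[key] = value
                i += 1 + n
            rec["txt"] = kvs
        records.append(rec)
    return records


def fingerprint(records: List[Dict]) -> Dict:
    """Collapse the records into what a passive inventory would display."""
    info: Dict = {"services": [], "hosts": {}, "model": None}
    for r in records:
        if r["type"] == 12:
            info["services"].append(r["target"])
        elif r["type"] == 33:
            info["hosts"][r["target"]] = r["port"]
        elif r["type"] == 16 and "model" in r["txt"]:
            info["model"] = r["txt"]["model"]
    return info


if __name__ == "__main__":
    print(fingerprint(parse_mdns(build_sample_packet())))
```

For the defender this is the asset-inventory side of the same observation: the same frames that let a passive tool fingerprint a device without sending a packet are visible to anyone on the segment, so the TXT records a device publishes (model, firmware version) deserve the same review as a banner on an open port.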
