Hackin9

I recently had a client pose an interesting problem. They wanted to move all their thin clients to a separate VLAN. In order to do that, I needed to identify which switch port each was on. Since there were several device vendors involved, I couldnt use OUI portion of the MAC. Fortunately, they were using only a few patterns in their thin client hostnames, so that gives me an in.

Great you say, use nmap -sn, sweep for the names, get the MAC addresses and map those to switch ports - easy right? Yup, it would be, except that this wont tell me about any devices that are powered off at the time. Which got me to thinking about DNS and DHCP - and how you could use these methods to mine Microsoft DHCP and DNS databases for Recon info in a much stealthier (and more complete) way than sweeping the network would be.

DNS Approach

We can get part of what we need out of DNS - first, let">$dns = Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC01 -Filter DomainName = example.com -Credential (Get-Credential)

(the Get-Credential cmdlet will prompt you for credentials)

Yes, I know that there are get-dns cmdlets in the newest versions of powershell + OS combos (see references), but I haven">">Name MemberType Definition
---- ---------- ----------
PSComputerName AliasProperty PSComputerName = __SERVER
CreateInstanceFromTextRepresentation Method System.Management.ManagementBaseObject CreateInstanceFromTextRepresentation(System.String DnsServerName, System.Strin...
GetObjectByTextRepresentation Method System.Management.ManagementBaseObject GetObjectByTextRepresentation(System.String DnsServerName, System.String Conta...
Modify Method System.Management.ManagementBaseObject Modify(System.UInt32 TTL, System.String IPAddress)
Caption Property}
ContainerName Property}
Description Property}
DnsServerName Property}
DomainName Property}
InstallDate Property}
IPAddress Property}
Name Property}
OwnerName Property}
RecordClass Property}
RecordData Property}
Status Property}
TextRepresentation Property}
Timestamp Property}
TTL Property}
__CLASS Property}
__DERIVATION Property}
__DYNASTY Property}
__GENUS Property}
__NAMESPACE Property}
__PATH Property}
__PROPERTY_COUNT Property}
__RELPATH Property}
__SERVER Property}
__SUPERCLASS Property}
ConvertFromDateTime ScriptMethod
ConvertToDateTime ScriptMethod


Let">$dns2 = Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC01 -Filter DomainName = example.com -Credential (Get-Credential)">$ipsofinterest = $dns | where { ($_.Ownername -like *TP*) -or ($_.Ownername -like *THIN*) -or ($_.Ownername -like *THP*) }
$ipsofinterest

Ownername ipaddress
--------- ---------
THP-01.example.com 10.71.32.5
THP-02.example.com 10.71.32.13
THP-03.example.com 10.71.32.23
THP-05.example.com 10.71.32.21
THP-07.example.com 10.71.4.18
THP-08.example.com 10.71.4.17 ">
Finally, what we really want is the MAC addresses and switch ports. Ping the IPs, and while that">Ping statistics for 10.71.32.5:
Packets: Sent = 2, Received = 1, Lost = 1 (50% loss),
Approximate round trip times in milli-seconds:
Minimum = 44ms, Maximum = 44ms, Average = 44ms

This last thing is pretty cludgy though, you still need to get the ARP entry (from whatever subnet you are pinging), and relate that MAC back to the MACs on the switch - this started to sound like more work than I wanted to take on. Plus its totally counter to the stealthy approach we want to take in a penetration test. Lets look at the DHCP database instead:

DHCP Approach

DHCP is more attractive for hosts that use DHCP - you">ScopeId SubnetMask Name State StartRange EndRange LeaseDuration
------- ---------- ---- ----- ---------- -------- -------------
10.71.33.0 255.255.255.0 Scope1 Active 10.71.33.17 10.71.33.139 8.00:00:00
10.71.34.0 255.255.255.0 Workstations Active 10.71.34.10 10.71.34.250 01:00:00
10.71.35.0 255.255.255.0 Wireless Active 10.71.35.50 10.71.35.200">IPAddress ScopeId ClientId HostName AddressState LeaseExpiryTime
--------- ------- -------- -------- ------------ ---------------
10.71.33.1 10.71.33.0 68-b5-99-e8-22-94 W-HOF-A30.example.com ActiveReservation
10.71.33.2 10.71.33.0 b8-ac-6f-c9-9e-3b W-HOF-A18.example.com ActiveReservation
10.71.33.3 10.71.33.0 68-b5-99-e8-25-d2 w-hof-a12.example.com InactiveReservation
10.71.33.4 10.71.33.0 f0-4d-a2-ab-f2-2a W-HOF-A06.example.com ActiveReservation
10.71.33.5 10.71.33.0 f0-1f-af-66-46-7d W-HOF-A25.example.com ActiveReservation
10.71.33.19 10.71.33.0 f0-4d-a2-ae-30-50 TPC-L19.example.com Active 04 May 2016 4:29:16 PM
10.71.33.20 10.71.33.0 f0-4d-a2-ab-f2-20 W-HOF-L93.example.com Active">Get-DhcpServerv4Scope | foreach { get-dhcpserverv4lease $_.ScopeId -allleases } | where { ($_.hostname -like *TP*) -or ($_.hostname -like *THIN*) -or ($_.hostname -like *THP*) }

Or, even better, do that and">$targethosts = Get-DhcpServerv4Scope | foreach { get-dhcpserverv4lease $_.ScopeId -allleases } | where { ($_.hostname -like *TP*) -or ($_.hostname -like *THIN*) -or ($_.hostname -like *THP*">Hostname IPAddress Clientid
-------- --------- --------
TPC-L08.example.com 10.71.33.17 00-25-64-79-28-49
W-HOF-THINPC20.example.com 10.71.33.18 64-31-50-41-41-fc
TPC-L19.example.com 10.71.33.19 f0-4d-a2-ae-30-50

Now we have the hostname, the IP and the MAC

For my ops problem, Id pull the switch ports using some python fun or an SNMP tool

However, in a penetration test, youd have much different uses for this data:

  • umm... the reason that we were moving these thin clients to another vlan is because Thin Clients often have IOT CLass operating systems - in other words, linux OSs or embedded Windows OS, with much slower (or nonexistent) patch cycles. So you could use exactly this to target thin clients.
  • Or .. if you are perhaps targeting VMs, you could look for MAC addresses starting in 00-50
  • If you were looking for something else with a known vulnerability, like say a printer or access point, you could look for the affected OUI(s)
  • Maybe target hosts with names like DC - maybe look for an older one, maybe win2k3, maybe on a subnet you dont know about yet
  • Other fun target strings? SQL COUCHDB NOSQL, log or syslog - you really can mine this database and only engage a single host.
  • How about hostnames that include the names of system admins, or network admins? Company Execs? Social media is a great place to get this target data, or often you can find an our executive team page on the target company website.

How could you go one better? I have found new target subnets using this approach (*everything* is in DNS!). If you have an especially forward-thinking client, the DHCP cmdlets will work on IPv6 scopes by changing the 4 in the cmdlet to a 6.

Have you used an approach like this? If so, did you find anything good? Or do you have a better cmdlet to get the DNS info? Please, use our comment form to share your experiences ..

===========
references:
https://technet.microsoft.com/en-us/library/jj590751%28v=wps.630%29.aspx
https://technet.microsoft.com/en-us/library/jj649850.aspx

===============
Rob VandenBrink
Compugen

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Softpedia News

American Samoa Domain Registry Was Exposing Client Data Since the mid-1990s
Softpedia News
A British security researcher that goes online only by the name of InfoSec Guy revealed today that American Samoa domain registry ASNIC was using an outdated domain name management system that contained a bug allowing anyone to view the personal ...

 

This breach was likely not caused by a default password. But too many data breaches in 2015 were. (credit: Jim Barton)

The number of reported breaches of organizations' data has been growing hyperbolically over the past few years, based on data in Verizon's 2016 Data Breach Investigations Report (DBIR). And a major reason for that is that many organizations are still doing security like they were decades ago. The leading cause of reported data breaches, as documented by Verizon, is "miscellaneous errors"—mistakes made by employees—that open the door to attackers.

For those who've followed the recent chain of crypto-ransomware attacks at hospitals around the country, this finding will come as no surprise. Issues such as system misconfiguration, end users sending sensitive data out of the network by mistake, or users clicking on stuff they shouldn't be clicking on were among the errors made by organizations that led to about 18 percent of the data breaches documented in 2015—and were likely the leading contributor to the many incidents that went unreported.

In 63 percent of "confirmed" breaches, attackers took advantage of weak password credentials, default passwords left in place, or passwords that were stolen through phishing attacks or other means. In other words, if organizations were using something other than just usernames and passwords as credentials to gain access to systems, more than half of the data breaches that happened in 2015 would not have occurred.

Read 7 remaining paragraphs | Comments

 

Techworm

$4000 custom build PC trounces a $4000 iMac in a photography showdown
Techworm
For years running, we have always pitted an Apple's iMac against numerous custom built PCs, and the comments have been fueled that the separate machine are better in their own ways. Now, thanks to the efforts of SLR Lounge, we finally have real-world ...

and more »
 

High-Tech Bridge Launches Malicious Domain Discovery Service
Newswire Today (press release)
The continuous and very positive reaction of the infosec community to our SSL and web security testing services inspired us to create the domain security radar aimed to help fight such grave problems as domain squatting and phishing. We want to make ...

 
[SECURITY] [DSA 3559-1] iceweasel security update
 

Fortuately, the computer systems at the Gundremmingen nuclear power facility in Germany don't have Internet access, because they certainly weren't secure. (credit: Felix König)

A nuclear power plant 75 miles from Munich has been harboring malware—including remote-access trojans and file-stealing malware—on the computer system that is used to monitor the plant's fuel rods. Fortunately, as Reuters reported, the computer isn't connected to the Internet, and the malware was never able to be activated.

The malware was discovered on computer systems at the Gundremmingen nuclear power facility by employees of the German electrical utility company RWE. It included Conficker, a worm first detected in 2008 designed to steal user credentials and personal financial data and turn infected computers into "bots" to carry out distributed denial of service (DDoS) attacks. W32.Ramnit, a worm that provides attackers with a remote access tool and allows them to steal files and inject code into webpages to capture banking data, was also discovered on the system.

In addition to the infected computer system, last upgraded in 2008, malware was discovered on 18 USB removable storage devices. Both Conficker and W32.Ramnit spread themselves through USB drives. The malware did no harm because it required Internet access to contact a command-and-control network, and it appears that the plant was not specifically targeted by attackers since the malware was focused largely on financial fraud.

Read 2 remaining paragraphs | Comments

 
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
 

(credit: Lifeboat)

As security breaches go, they don't get more vexing than this: 7 million compromised accounts that protected passwords using woefully weak unsalted MD5 hashes, and the outfit responsible, still hadn't disclosed the hack three months after it came to light. And as if that wasn't enough, the service recommended the use of short passwords. That's what Motherboard reported Tuesday about Lifeboat, a service that provides custom multiplayer environments to gamers who use the Minecraft mobile app.

The data circulating online included the e-mail addresses and hashed passwords for 7 million Lifeboat accounts. The mass compromise was discovered by Troy Hunt, the security researcher behind the Have I been pwned? breach notification site. Hunt said he had acquired the data from someone actively involved in trading hacked login credentials who has provided similar data in the past.

Hunt reported that some of the plaintext passwords users had chosen were so weak that he was able to discover them simply by posting the corresponding MD5 hash into Google. As if many users' approach to password selection weren't lackadaisical enough, Lifeboat's own Getting started guide recommended "short, but difficult to guess passwords" because "This is not online banking."

Read 3 remaining paragraphs | Comments

 

The Register

Linux infosec outfit does a Torvalds, rageblocks innocent vuln spotter
The Register
An open source security firm has blocked a security researcher who reported flaws in a recently issued patch in an apparent fit of pique. Hector Martin took to Twitter on Tuesday to note a trivial crashing vulnerability in a recently issued patch by ...

 
Oracle Discoverer Viewer BI - Open Redirect Vulnerability
 
[slackware-security] mozilla-firefox (SSA:2016-117-01)
 

The News Lens (press release) (registration)

Hackers Bolstering Cyber Security in Taiwan
The News Lens (press release) (registration)
In recent years, HIT has developed new talents, honed hackers' skills, and improved Taiwan's information security by organizing a wide array of activities and forums, which the government is willing to support and invest in, according to Duh. Duh said ...

 

Waterbury Republican American

That USB drive you found has more than just spring break photos
Waterbury Republican American
... has more than just spring break photos. By Ally Marotti TRIBUNE NEWS SERVICE ... Jack Koziol, president and founder of InfoSec Institute, an Elmwood Park-based information security training company, agreed. "I don't think most people realize that ...

 

Gossip Monthly Magazine

Millions of Mexican voter records leaked to Amazon's cloud, says infosec expert
Gossip Monthly Magazine
... date of birth, addresses, occupations, and unique voting numbers for every single registered Mexican voter. However, good news is that the data has been removed from the servers. Companies must ensure proper security of their own data in the cloud.

 
Internet Storm Center Infocon Status