Don't Pick the lock

Posted on 21-Jan-2017



Don't Pick the lock, Steal the Key

Exploiting passwords for fun and profit with Metasploit

Who is this guy, anyways?

David Maloney a.k.a. theLightCosine
• Core Developer for Metasploit Commercial Editions (Metasploit Pro, Metasploit Express)
• Before that: Community Contributor to the Metasploit Framework; Penetration Tester for Time Warner Cable

Contact me: Twitter @thelightcosine, Email thelightcosine@metasploit.com

Application Password Storage

Clients
• Convenience: keeps users from having to remember passwords; manages credentials for numerous systems in one place
• Totally avoidable
• Usually done poorly

Servers
• Authentication purposes: must store them to compare against provided creds
• Unavoidable
• Getting better at doing this

Why we want passwords

• Who needs an exploit if we have the password?
• Looks like legitimate traffic/access. Who audits successful logons?
• Shockingly easy to own all the things (the case of the winscp.reg file)

Password Storage Types: The Where

The Registry
• Often stored in one of two places:
  HKEY_LOCAL_MACHINE\SOFTWARE: available to all users all the time
  HKEY_USERS\<SID>\Software: available only to that user and Admins on the system
• Usually client apps
• CoreFTP is one example

INI files
• Old school way of storing data
• Still in use in some applications; mostly seems to be legacy support
• Usually client-side, not servers
• WinSCP is an example

XML Files
• Soooo much better than INI files </sarcasm>
• Still a flat file sitting on the file system
• Even easier to parse than INI files really: just grab your favorite XML parser
• Seen on both clients and servers
• FileZilla is an example of this
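Added example (not from the talk): a small Ruby extractor for the two flat-file layouts above, a WinSCP-style INI with one `[Sessions\name]` section per saved site and a FileZilla-style XML site manager. Both sample files, their section and element names and every value in them are constructed for this example and are not the real products' schemas; the INI `Password` value is carried through as stored (still encoded, as the WinSCP slide describes), while the XML `Pass` is cleartext, as the FileZilla slide describes.

```ruby
# Added example: extract saved sessions from INI and XML session stores.
# The INI/XML layouts below are constructed; they are not WinSCP's or
# FileZilla's real file formats.
require 'rexml/document'

# Constructed sample: one [Sessions\<name>] section per saved site.
SAMPLE_INI = <<~INI
  [Configuration]
  RandomSeedFile=%APPDATA%\\winscp.rnd

  [Sessions\\prod-ftp]
  HostName=ftp.example.test
  UserName=deploy
  Password=A35C3A5C3A5C3A5C
  ; comment line that must be ignored

  [Sessions\\backup box]
  HostName=10.0.0.5
  PortNumber=2222
  UserName=backup
INI

# Constructed sample: site manager with cleartext passwords, one <Server> per site.
SAMPLE_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <FileZilla3>
    <Servers>
      <Server>
        <Host>ftp.example.test</Host>
        <Port>21</Port>
        <User>deploy</User>
        <Pass>Summer2012!</Pass>
        <Name>prod-ftp</Name>
      </Server>
      <Server>
        <Host>10.0.0.5</Host>
        <Port>21</Port>
        <User>anonymous</User>
        <Name>mirror</Name>
      </Server>
    </Servers>
  </FileZilla3>
XML

# Minimal INI parser: returns {section_name => {key => value}}.
# Handles ';' and '#' comments, blank lines and CRLF endings.
def parse_ini(text)
  sections = {}
  current = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?(';', '#')
    if (m = line.match(/\A\[(.+)\]\z/))
      current = m[1]
      sections[current] = {}
    elsif current && (m = line.match(/\A([^=]+?)\s*=\s*(.*)\z/))
      sections[current][m[1]] = m[2]
    end
  end
  sections
end

# Keep only the session sections and normalise them into credential records.
# The password is returned exactly as stored (still encoded at this point).
def ini_sessions(text)
  parse_ini(text).select { |name, _| name.start_with?('Sessions\\') }.map do |name, kv|
    { name: name.sub('Sessions\\', ''),
      host: kv['HostName'], port: (kv['PortNumber'] || '22').to_i,
      user: kv['UserName'], pass: kv['Password'] }
  end
end

# XML: visit each <Server> element; a site without <Pass> yields pass: nil.
def xml_sessions(text)
  doc = REXML::Document.new(text)
  doc.elements.collect('//Server') do |srv|
    get = ->(tag) { (e = srv.elements[tag]) && e.text }
    { name: get.('Name'), host: get.('Host'), port: get.('Port').to_i,
      user: get.('User'), pass: get.('Pass') }
  end
end

if __FILE__ == $PROGRAM_NAME
  (ini_sessions(SAMPLE_INI) + xml_sessions(SAMPLE_XML)).each do |s|
    puts format('%-12s %-18s %-5d %-10s %s', s[:name], s[:host], s[:port], s[:user], s[:pass] || '(none)')
  end
end
```

The INI side needs a hand-written parser because Ruby's standard library has none; the XML side is a dozen lines of REXML, which is the "just grab your favorite XML parser" point of the slide. On a real target these files would be read off disk (or out of the registry, for the WinSCP registry mode) from a session running as the victim user.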

Binary File Format
• Usually some custom format
• Often breaks down into common blocks with header groupings
• Headers usually tell type of data, length of data, name of field, etc.
• Can be a real pain to reverse engineer the format on these

The Windows Credential Store
• Windows started providing a Credential Store for saving certain types of credentials
• Managed by the operating system, restricted by user access controls
• Get past these controls by calling the API functions as the victim user, thanks to Railgun (from a Meterpreter session running as that user, the calls are perfectly legitimate as far as the OS is concerned)
• See Kx499's enum_credstore post module for specifics

Databases
• Passwords stored in a backend database
• How most webapps work these days
• Usually server apps

Password Obfuscation: How we keep you from just looking at the password… in theory

Cleartext Passwords
Pro:
• None. Never ever store passwords in plaintext.
Con:
• Password is wide open to the world
• This happens more than you'd think!
• Same for every user

XOR Encoding
Pro:
• Not in plaintext: attacker has to figure out what the plaintext was XORed against
Con:
• Easily reversed: attacker finds the XOR value, XORs the ciphertext against the same value to recover the plaintext
• Same for every user

Custom Encoding
Pro:
• May be more difficult for an attacker to figure out
• More complex than simple XOR encoding, usually
• Feel 1337 for writing your own 'encryption'
Con:
• Unless you are a cryptographer, your algorithm sucks (sorry, it's true)
• Not really encryption
• Easily defeated by reverse engineering
• Same for every user
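Added example (not from the talk) covering both the XOR slide and the custom-encoding slide: a constructed "obfuscation" of the kind they describe, and the two ways it falls. Either reverse the steps once you have read them out of the binary, or skip the reverse engineering and recover the key from one account whose password you already know (your own, or a default), which then decodes every other account because the key is the same for every user. The scheme, `STATIC_KEY`, the account names and the passwords are all invented for this example and do not correspond to any real product.

```ruby
# Added example: a constructed static-key "custom encoding" and two attacks on it.
# Nothing here is a real product's algorithm or key.

STATIC_KEY = [0x5A, 0x13, 0xC7, 0x2E, 0x90, 0x04, 0xF1, 0x6B].freeze # constructed

# The "custom" encoder: add the byte position, XOR with a repeating static key,
# then swap nibbles. Every step is a fixed, invertible transform, so this is
# encoding, not encryption. Output is a hex string as a config file would hold it.
def custom_encode(plain, key = STATIC_KEY)
  plain.bytes.each_with_index.map do |b, i|
    x = ((b + i) & 0xFF) ^ key[i % key.length]
    ((x << 4) | (x >> 4)) & 0xFF
  end.pack('C*').unpack1('H*')
end

# Attack 1: reverse engineering. Once the three steps are known, run them
# backwards. A nil key byte (not recovered yet) decodes to '?'.
def custom_decode(hex, key)
  [hex].pack('H*').bytes.each_with_index.map do |b, i|
    k = key[i % key.length]
    next '?'.ord unless k
    x = ((b << 4) | (b >> 4)) & 0xFF       # nibble swap is its own inverse
    ((x ^ k) - i) & 0xFF
  end.pack('C*')
end

# Attack 2: known plaintext. One account whose password we know gives us the
# key byte for every position it covers; with a repeating key, a password at
# least key_len bytes long recovers the whole key. Unrecovered bytes stay nil.
def recover_key(hex, known_plain, key_len)
  stored = [hex].pack('H*').bytes
  key = Array.new(key_len)
  known_plain.bytes.each_with_index do |p, i|
    break if i >= stored.length
    x = ((stored[i] << 4) | (stored[i] >> 4)) & 0xFF
    key[i % key_len] = x ^ ((p + i) & 0xFF)
  end
  key
end

# Constructed saved-session store: many users, one static key.
STORE = {
  'svc-backup' => custom_encode('Winter2012!'),
  'dba'        => custom_encode('correct horse battery'),
  'pentester'  => custom_encode('mytestpass1'), # the one account we control
}.freeze

def decrypt_store(store, key)
  store.transform_values { |hex| custom_decode(hex, key) }
end

if __FILE__ == $PROGRAM_NAME
  key = recover_key(STORE['pentester'], 'mytestpass1', STATIC_KEY.length)
  puts "recovered key: #{key.map { |k| format('%02x', k) }.join}"
  decrypt_store(STORE, key).each { |user, pass| puts "#{user}: #{pass}" }
end
```

The known-plaintext route is the one worth remembering: it needs no disassembler, only the observation that every user's secret is protected with the same value, which is exactly the "same for every user" line on both slides. When the known password is shorter than the key, the decode shows which positions are still missing rather than silently producing garbage.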

Actual Encryption (AES, DES, etc.)
Pro:
• Real encryption, proven technology
• Not a simple reversible procedure
Con:
• Hardcoded static key used
• Reverse engineering can recover the key
• Still the same for every user

Microsoft CAPI
Pro:
• Real encryption, proven technology
• Encryption key is never given to userland
Con:
• We can call the same APIs as the user with Railgun
• Statically coded key material
• Same for every user

CryptProtectData
Pro:
• Real encryption, proven technology
• Entropy added on a user-by-user basis: different for every user!
Con:
• We can call the API (CryptUnprotectData) as the user with Railgun
• Machine hands the decrypted material right over
• In Soviet Russia… passwords steal you!!!!

Hashing
Pro:
• One-way operation, not reversible (in theory)
• Great for servers
Con:
• Not an option for clients
• Some hashing algorithms have weaknesses
• Still always rainbow tables and bruteforcing
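Added example (not from the talk) for the "rainbow tables and bruteforcing" line: a constructed server-side table of unsalted SHA-256 hashes, cracked with a precomputed lookup table (the rainbow-table idea in its simplest form), beside the same users stored with a per-user random salt and an iterated hash, where the precomputation no longer transfers between users and the work multiplies by the iteration count. The wordlist, user names and passwords are constructed; iterated SHA-256 stands in for a real password hash (bcrypt, scrypt, PBKDF2 or Argon2) so that the cost accounting stays visible in plain Ruby.

```ruby
# Added example: why unsalted fast hashes are "the same for every user" and
# what salting plus iteration buys. All users, passwords and the wordlist are constructed.
require 'digest'
require 'securerandom'

WORDLIST = %w[password 123456 letmein Winter2012! Summer2012! qwerty hunter2 admin].freeze # constructed

# Weak: one fast hash, no salt. Two users with the same password get the same hash.
def unsalted_hash(password)
  Digest::SHA256.hexdigest(password)
end

# Constructed "server" table: alice and bob share a password.
USERS_UNSALTED = {
  'alice' => unsalted_hash('Winter2012!'),
  'bob'   => unsalted_hash('Winter2012!'),
  'carol' => unsalted_hash('Tr0ub4dor&3'),
}.freeze

# Attack on the weak table: hash the wordlist ONCE, then every user on every
# server that uses the same scheme is a dictionary lookup.
# Returns [{user => cracked_password_or_nil}, number_of_hash_operations].
def crack_unsalted(table)
  lookup = WORDLIST.to_h { |w| [unsalted_hash(w), w] }
  [table.transform_values { |h| lookup[h] }, WORDLIST.length]
end

# Better: per-user random salt and an iterated hash (stand-in for bcrypt/scrypt/
# PBKDF2/Argon2, which are what a real server should use).
ROUNDS = 10_000

def salted_hash(password, salt, rounds = ROUNDS)
  h = password
  rounds.times { h = Digest::SHA256.digest(salt + h) }
  h.unpack1('H*')
end

def make_salted_store(creds)
  creds.to_h do |user, password|
    salt = SecureRandom.hex(8)
    [user, { salt: salt, hash: salted_hash(password, salt) }]
  end
end

# Attack on the salted store: the table cannot be precomputed, so each user
# costs a fresh pass over the wordlist, and each candidate costs ROUNDS hashes.
def crack_salted(store)
  ops = 0
  found = store.transform_values do |rec|
    WORDLIST.find do |w|
      ops += ROUNDS
      salted_hash(w, rec[:salt]) == rec[:hash]
    end
  end
  [found, ops]
end

if __FILE__ == $PROGRAM_NAME
  found, ops = crack_unsalted(USERS_UNSALTED)
  puts "unsalted: #{found.inspect} (#{ops} hash operations, reusable everywhere)"
  store = make_salted_store('alice' => 'Winter2012!', 'bob' => 'Winter2012!', 'carol' => 'Tr0ub4dor&3')
  found, ops = crack_salted(store)
  puts "salted+iterated: #{found.inspect} (#{ops} hash operations, for this store only)"
end
```

The weak password still falls in both cases, which is the slide's point about bruteforcing; what changes is that the precomputed table stops being portable and the per-guess cost goes up by a factor you control, so the hashing algorithm choice decides whether "give it a few hours" is enough.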

Master Password Encryption
Pro:
• Real encryption, proven technology
• No static keys! Different for every user
Con:
• Your users still have to remember 1 password
• Have to be careful about how the master password is put into memory
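Added example (not from the talk): the hardcoded-key pattern from the "Actual Encryption" slide, which is also the shape of the mRemote example later in the deck (AES-128-CBC under a static key), beside the master-password pattern from this slide. The static key, master password and saved passwords are constructed for the example and are not any product's real key or code. The hardened half goes a little beyond the slide: the key is derived from the master password with PBKDF2 and a per-user random salt, and AES-GCM is used so that a wrong master password or a tampered blob fails cleanly instead of yielding garbage.

```ruby
# Added example: AES under a static key (weak) versus AES under a key derived
# from a master password (no static key, different for every user).
# STATIC_KEY, the master password and all plaintexts are constructed.
require 'openssl'
require 'securerandom'

# --- Weak pattern: the key lives in the binary, so one reverse-engineering job
# --- decrypts every user's config everywhere. (Constructed value.)
STATIC_KEY = OpenSSL::Digest::MD5.digest('app-secret-2012') # 16 bytes => AES-128

def aes_cbc_encrypt(key, plaintext)
  c = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  c.key = key
  iv = c.random_iv
  iv + c.update(plaintext) + c.final            # blob = IV || ciphertext
end

def aes_cbc_decrypt(key, blob)
  c = OpenSSL::Cipher.new('aes-128-cbc').decrypt
  c.key = key
  c.iv = blob[0, 16]
  c.update(blob[16..-1]) + c.final
end

def static_key_store(passwords)
  passwords.transform_values { |p| aes_cbc_encrypt(STATIC_KEY, p) }
end

# What the attacker does after pulling STATIC_KEY out of the program.
def attacker_with_recovered_key(store)
  store.transform_values { |blob| aes_cbc_decrypt(STATIC_KEY, blob) }
end

# --- Hardened pattern: key derived from the master password per user.
PBKDF2_ITERATIONS = 100_000  # tune upward for real use

def derive_key(master, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(master, salt, PBKDF2_ITERATIONS, 16, 'sha256')
end

# blob = salt(16) || iv(12) || tag(16) || ciphertext
def master_password_encrypt(master, plaintext)
  salt = SecureRandom.random_bytes(16)
  c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
  c.key = derive_key(master, salt)
  iv = c.random_iv
  c.auth_data = ''
  ct = c.update(plaintext) + c.final
  salt + iv + c.auth_tag + ct
end

# Returns the plaintext, or nil when the master password is wrong or the blob
# was modified (GCM tag check fails in both cases).
def master_password_decrypt(master, blob)
  salt, iv, tag, ct = blob[0, 16], blob[16, 12], blob[28, 16], blob[44..-1]
  c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
  c.key = derive_key(master, salt)
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = ''
  c.update(ct) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  store = static_key_store('alice' => 'Alice#1', 'bob' => 'B0bSecret')
  puts "static key, attacker reads: #{attacker_with_recovered_key(store).inspect}"
  blob = master_password_encrypt('hunter2', 'B0bSecret')
  puts "master password, right:  #{master_password_decrypt('hunter2', blob).inspect}"
  puts "master password, wrong:  #{master_password_decrypt('wrong', blob).inspect}"
end
```

The encryption primitive is the same in both halves; the only thing that changed is where the key comes from, which is the whole difference between the two slides. The remaining exposure is the one the slide lists: the master password (and the derived key) sit in the client's memory while the program runs, which is where a Meterpreter session as that user would go next.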

Examples

FileZilla FTP Client
•Saved sites stored in an XML file
•Passwords in cleartext
•FileZilla offers 'kiosk mode' to prevent password storage

mRemote
•Saved sites stored in an XML file
•AES-128-CBC encryption
•Weak static encryption key
•Open source means everyone can see the encryption key

WinSCP
•Saved sessions stored either in the registry or an INI file
•Passwords stored with a weak custom encoding routine
•Open source means everyone can see the routine for decryption

SmartFTP
•Saved sites stored in an XML file
•Encrypted with Microsoft CAPI
•Weak static encryption key
•Called the same CAPI functions with Railgun

Where do we go next?

•Creds stored to database
•Known creds are prioritized in the Pro Bruteforcer
•Run Bruteforcer with all the stolen creds
•Give it a few hours…

…You get this! Let's see you exploit that many systems without setting off alarms.