After seeing a Tweet about dumping password hashes from a live Windows 2008 Domain Controller, I was intrigued. Reading a post from Tim Tomes (LaNMaSteR53), I figured I’d give it a shot and, if successful, show my findings (with pictures). It’s an ingenious method of getting the hash values. This attack falls into the “post-exploitation” category, even more so seeing that administrative or system privileges are needed.

Firstly, we’ll need a few things to get this going. VSSOwn is a great script created by Tomes and Mark Baggett. In a nutshell, it will help us create a volume shadow copy of the Windows domain controller’s drive, from which the NTDS and SYSTEM files will be extracted. Yes, you read that right: we’ll be getting what we need from VSS. On Windows 2008 & 7 this feature is always on by default, periodically taking backups of our system drive, which also includes the NTDS, SYSTEM and SAM files. VSSOwn has other interesting features; I strongly recommend checking out Tomes’ and Baggett’s talk from Hack3rcon 2.

The second item on our list is another tool to retrieve the hashes once we’ve recovered our system files. Csaba Barta, a Hungarian researcher, has developed an open source tool to parse NTDS.dit files. Right now his tool only seems to work on NTDS files from 32-bit domain controllers. This is why our target is a Win2008 R1. Let’s hope he gets the 64-bit version soon. The tool runs on Linux and installs great on BackTrack 5. With our groceries finished, we can now move along and recover our password hashes.



Well, Hackfest third edition, Quebec’s largest and best Information Security Conference, has come to pass. Like previous years, this one was amazing. The talks were full of life and content that kept you glued to your seat. The CTF games at the end of each day were simply works of networking art (trying to get the network diagram atm). Unfortunately, due to a degenerative disease called “aging” I couldn’t participate in the events. Perhaps next year… who knows.

A major part of this conference was the people attending. Most, if not all, are hackers at heart willing to talk, share ideas and opinions. One could basically strike up a conversation with practically anyone. Same goes for the speakers. The beauty of these types of cons is that you can actually hear yourself (and others) speak. No need to text message the guy in front of you just to say “Hi…”.

For a second year in a row, Hackfest has exceeded all expectations, breaking every record they could think of. Attendance was up (300++), pre-registration was up, t-shirt sales were up and CTF participation was up. It showed too… You should’ve seen the organizers, zombies really do exist.

I have to thank all the sponsors such as Slow Cow, Offensive Security, The Laval University for helping these guys put up a great event. Leaving some important ones out I’m sure, but just going by memory from what I saw/heard over there…

With this all said and done, I unfortunately don’t have any pictures of the event and its memorable moments. Please take the time to visit the site and have a look around. This convention is worthy of your attention. And if you live near the Quebec border, say Ottawa, Vermont, Boston (yes, it’s not that far), consider doing the trip next year. Quebec City really is a beautiful place to visit…



Although I’m quite aware this subject has probably been blogged to death, this entry serves two purposes. For one, my memory is shot and I need to write this somewhere to help me not forget. The second is the simple fact that this site is, after all, for the beginner.

Imagine the following scenario: You’re at work (or at one of your clients) and you need to RDP out to your place. Then you remember port 3389, amongst others, is blocked from going outside the corporate network. What does a bored admin do…? What will he do? He organizes ahead of time so as to be able to connect home using an SSH tunnel.



Hackfest.ca, Quebec’s finest and largest Information Security conference (and according to statistics one of the bigger ones in Canada), is set for November 4th & 5th. This year promises to be as exciting as previous years. Great sponsors, a good roster of speakers in both English and French and some good prizes up for grabs during the evening events. Check their website (link provided above).

For those that are not familiar with Hackfest, I’ll do my best to describe the experience, the atmosphere and the overall “feeling” of the event. This is from my point of view and from comments made by others while I was there in past years. Although I have never attended any other InfoSec convention (Defcon, BlackHat, Brucon etc), I have been to many IT-related conventions and others.

The first thing that pops out when one sets foot at Hackfest is the crowd. Every year it just keeps getting bigger and yet still has that small personal feel. Everyone is open to discussion, nice and polite to each other. We are all there for a common purpose, to share and learn from one another. I’ve seen people that are normally so shy they have trouble talking to their own shadow. At Hackfest they open up and spark conversations with perfect strangers. That in my opinion is a strong point for any convention. The environment makes you feel invited and welcomed.

The talks are, of course, interesting. A wide range of topics is always on the table, from the legal perspective to the actual demonstrations and theories displayed on large screens. Having a broad selection of topics makes the convention accessible not only to the IT guy or gal, but also to management that may want to understand more about what’s going on behind the scenes when it comes to IT security. Another good thing is the talks’ languages. Being in Quebec, Canada, the predominant language up here is French. I must add to this: a good percentage of French-speaking Quebec is either bilingual or has an excellent understanding of the English language. So this opens up the convention to foreign speakers (either from the US or UK) without any trouble. And let’s face it, if one is going to work in IT you really have no choice but to understand English in the first place. I have to mention the language issue, seeing the widespread misconception that Canada and/or Quebec is French speaking only… it is not. One last thing about the speakers and the way the convention is set up: they are available to the public after their talk… And usually available at the bar during the evening’s event.

A few comments from past speakers range from (paraphrasing here) “Great little con not too crowded so we can actually hear ourselves speak” -Mick Douglas 2009 to Mike Kemp’s comment (2010) “This is like Defcon’s little brother much better than the one in Toronto…” Many speakers actually participate in the events, so that alone shows they enjoy it. They wouldn’t stay otherwise, no?

For the atmosphere and setting, well, the convention is held in the beautiful city of Quebec. Although in November it is on the cooler side of the thermometer, it’s nothing a heavy sweater won’t fix. The city has many attractions such as historical monuments and great restaurants if one wishes to go out for some sightseeing.

Finally, the glue that holds this event together and makes it possible is, of course, the organizers. The hard work these guys put into this thing is impressive… probably obsessive. Sharing information about information security is their primary motivation. They don’t do it for fame and fortune and it shows. They accept suggestions and help from anyone willing to put in some time. They are open and very accessible outside the event as well. In a word, “human”. Very nice humans at that, I must add. I’ve had the privilege to meet them on several occasions, and contribute (in my own small way) to this event.

In a nutshell, everyone can/will/would enjoy this convention. It may not be 10,000 strong like Defcon, but one must remember it had humble beginnings as well. Everything starts small and as long as the quality is present the quantity will eventually follow.

I really do hope that more people outside the Quebec InfoSec community will come this year and in future years. Hackfest deserves to be on the map alongside its US counterparts. Pretty sure there’s enough room to share.

Hope to see you there.

-Steven McElrea
aka loneferret


Metasploit Penetration Tester’s Guide

A few weeks ago, I ordered the MSF pentest guide mostly authored by the Offsec crew (www.offsec.com). Hailed as the best MSF guide, and highly praised by the project’s founder H.D. Moore, this guide does live up to the hype. I rarely find an IT book that can be read cover-to-cover, especially one that is as specific as this one.

The book covers the framework’s basic functions as well as more advanced ones. It does this by taking the reader through a mock penetration test on vulnerable systems; Windows XP SP2 & Ubuntu 9.04 for example. Some may criticize the OS selection, saying “what’s the point”, but they need to keep in mind the object of the book is the tool and not “how to hack”.

New and old users of Metasploit will appreciate this work. It covers the basics in such a way as to not lose the newcomer’s interest, and for the veterans it may serve as a good refresher on certain auxiliary modules.

The guide starts off with basic setup of the tool, including setting up a database for record keeping. It moves on to the scanning capabilities: features such as using Nmap straight from the application’s console, and scanning for MySQL or MSSQL databases from the console using MSF’s built-in features. Then come loading and running exploits against found targets, encoding payloads to avoid anti-virus detection, pass-the-hash attacks and so on.

It also covers porting existing exploits to Metasploit and Meterpreter scripting. Fast-Track and SET (www.social-engineer.org) are covered as well in later chapters.

Even if this guide is a shade under 300 pages, I must say it covers Metasploit very well. It could have easily been a few hundred pages longer, but then how good a read that would have been is unsure. For new users to the framework, this book coupled with Offsec’s Metasploit Unleashed wiki is great and provides enough material to have a firm understanding. As for the veterans, they may skip a few chapters but I’m convinced some of the pages will hold their interest.

The book is published by No Starch Press, and can also be purchased from their web site directly.

One last note on the authors and the work they have done. Lots of time and effort was put into this. Seeing they are not professional writers (people that make a living off writing books), I must say they did a great job. Pretty sure writing and compiling such a book together is no small feat. Hats off to them…