XSS and bypassing an Imperva WAF with JSFuck
Grumpy Admin here. You know when someone says something and you’re like… are you serious… Typically they say these things out of a lack of understanding. So here is a very, very quick blog to start the day off!!!
Maybe I was just grumpy and tired… but when I was told… just use “Password1!” as a service account password for a secure customer service, I was like…. are you serious…
“Yeah, it’s secure enough, it has a capital and a number and punctuation.”…. Shaking my head in disbelief, I did it anyway. I’m not the boss… I do as I am told… I can only advise. But hopefully I can think of a way to change his mind and get a decent password on that service account.
But then I came into the office at 7:30 this morning, and after making coffee, starting the machine up and doing the normal health checks on the customer systems, I had a cunning plan: I would do a quick hacking demo to show how insecure the password was. By 08:10, still filled with rage from yesterday’s stupid statement, I had demonstrated to my disbelieving boss how insecure “Password1!” was and how trivial it was to break! Guess he is one of those have-to-see-it-to-believe-it types!
This isn’t smart or clever and is a very script-kiddie method, but needs must, as it is just to quickly prove to my boss that “Password1!” should not be used for anything other than simple testing! The fact is that “Password1!” would be in most dictionary attacks anyway, but I wanted to point out that the password wasn’t actually strong by cracking it!
So in order to crack this password like a horrible nasty person, we need to do a few things:
1) We need to get the password hash off a machine
2) We then need to crack the password hash
The method of grabbing the hash I am going to use today is Out-Minidump.ps1, part of the PowerSploit kit, written by a Mr Matthew Graeber. Remember, this is a very quick demo just to prove a point, not to be technical!
I am going to use this to dump the LSASS process; the result will be a dump file. If you wish to learn more about how the logon process works, check this link out!
After I have this dump of the LSASS service, I am going to use another “hacking tool”, typically detected by AV; you might want to put an exclusion in your AV for it if you want to try this at home – even my System Center Endpoint Protection picked it up.
The hacking tool I will use will be mimikatz – written by some random French dude! Again, a very simple and very common tool. Use Google to find it! Grumpy Admin is too lazy to post a link!
So, I fired up my test lab, made sure my test1 user had the correct password, and that it had logged in to the machine. If a user is not logged in, then the LSASS service won’t have its password in its memory cache.
Next I download the out-minidump.ps1 script.
This can be found here, if you don’t have the PowerSploit kit installed.
The next step is to dump the LSASS service… this is very simple: I am going to use the Get-Process cmdlet and pipe it to the Out-Minidump script!
Get-Process lsass | Out-Minidump
Now let’s move to mimikatz and have a look at this. The first thing I like to do is set up a log file to capture the output to a text/log file. This makes it easier to cut and paste, and also gives you a record of what you typed and received back, so it can be presented as evidence in your security reports.
To configure logging in mimikatz, just type log followed by the path to the log file.
Now I need to load the LSASS dump file into mimikatz so the froggy program can work its magic. The command to do this is:
sekurlsa::minidump <dump file>
Now, to extract the passwords, you can use the following command. There are others like MSV, and you can use this tool for things like Pass the Hash. It’s worth looking at and playing with!
As you can see from the output, it enumerates all the NTLM hashes as well as tokens etc. All I want to do is quickly grab the NTLM hash of my test1 user. Don’t forget it will only enumerate a user if that user has logged on to that machine! I think terminal servers might be an amazing place to harvest many hashes.
We have the output in our log file for easy cut and paste, don’t forget.
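The dump step above is the part a defender can actually see: whatever tool writes a minidump of LSASS first has to open a handle to the process with memory-read access. Sysmon records such handle opens as Event ID 10 (ProcessAccess) with the source image, target image and granted access mask. The following is an added example, not code from the post or from PowerSploit: it scans constructed, simplified key=value renderings of such events (the paths, process names and allow list are made up for the example) and flags any non-allowlisted process that obtains PROCESS_VM_READ on lsass.exe, which covers both the PowerShell route used in the post and a direct mimikatz run.

```python
"""Flag suspicious handle opens on lsass.exe in Sysmon-style ProcessAccess events.

Added example (not from the original post). The log lines below are CONSTRUCTED
to resemble the fields Sysmon Event ID 10 records, flattened to key=value pairs;
the image paths are made up.
"""
import re
from typing import Dict, List

# Windows process access rights from winnt.h. Reading another process's memory
# (which any LSASS dump must do) needs PROCESS_VM_READ on the handle.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Hypothetical allow list of processes expected to touch lsass on this host.
# Tune per environment; EDR/AV engines and core system processes usually belong here.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\test1\\Downloads\\mimikatz.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TargetImage=C:\\Windows\\System32\\notepad.exe GrantedAccess=0x1FFFFF",
    "EventID=1 Image=C:\\Windows\\System32\\notepad.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=value Key=value' into a dict; values may contain spaces
    (e.g. 'Program Files'), so a value runs until the next ' Key=' or end of line."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def is_suspicious_lsass_access(event: Dict[str, str]) -> bool:
    """True for a ProcessAccess event where a non-allowlisted process gets
    memory-read access to lsass.exe."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    # 0x1FFFFF (full access) also has the VM_READ bit set, so it is caught too.
    return bool(granted & PROCESS_VM_READ)


def scan(lines: List[str]) -> List[str]:
    """Return the SourceImage of every event that should raise an alert, in order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious_lsass_access(ev):
            hits.append(ev["SourceImage"])
    return hits


if __name__ == "__main__":
    for src in scan(SAMPLE_EVENTS):
        print("ALERT: lsass memory read by", src)
```

Of the constructed events, only the PowerShell and mimikatz opens are flagged: csrss.exe is allowlisted, svchost.exe only obtained 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION, no memory read), and the PowerShell open of notepad.exe is not against LSASS at all. In practice you would feed this the real Sysmon XML or your SIEM's normalised fields rather than these key=value lines.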
Now that we have the hash, we can use whatever method we like to break it and try to get the password out of it! Cain & Abel, etc.
As this is my demo lab for MCSE work, not ethical hacking, I don’t have my large hash tables here! So I will use a “free” online hash cracking/lookup service. Use at your own risk, of course!
As you can see, in no time at all it was able to decode the NTLM hash, which we took from the memory of a running computer, and reverse it to its password, proving that “Password1!” is well known and very insecure.
So this quick 3 min demo (the blog took longer to write!) proved without doubt that we should NEVER use “Password1!” as a service account password! Especially on a customer’s system! There ends my moaning session this morning… And a generated, unique, 17+ character complex password was used in place of “Password1!” and will be used in future! Good!!! Why did I have to do a demo to prove this… god only knows….