How's it going? First of all, I want to say holy shit, I'm speaking at DEF CON and it's an honor. And second of all, holy shit, people actually showed up. So thank you very much. That's an honor as well. So I'm going to talk to you today about getting the goods with smbexec. And my name is Eric Milam. Some people might know me as brav0hax. Thank you very much. That's the end.

So, you know, of course, don't you know who I am? I'm on the attack and pen team for Accuvant Labs with a bunch of great people. My boy purehate. We do a lot of pen tests together. Involved with some open source projects. Maybe you guys have heard of easy-creds, smbexec, of course, Ettercap. We took over Ettercap a few years ago. And involved with the Kali Linux distribution.

So what is this all about? Right? Basically, we're going to go over: what is smbexec? What does it do? Why should you actually care? There's nothing zero-day here, so you can boo me if you want. But automation is awesome. This is a tool you can use immediately. It's not some weird exploit where, you know, the sun and the moon have to line up on a certain day. And it makes post-exploitation much easier. At least it has for me.

So what is smbexec? smbexec is a bash script. Because everybody who knows me knows I don't know how to code for shit. But I'm very good with the Googles. And I just put a bunch of shit together until it works. So it's about 1,500 lines and about a million different functions. Put it together in a week, about a hundred hours' worth of time, about, you know, a year's worth of Mountain Dew. The power of the tool really lies in smbclient to get and put files and winexe to execute those. And we have patched them for hash passing. So that works as well.

So why write smbexec? Right? I mean, there's awesome tools out there, right? Everybody has heard of the Metasploits? Right? Awesome tools. You know, why would you actually need this?
Well, we were on a bunch of pen tests and we started to realize that the psexec module was getting popped with our payloads. So we used the custom EXE option, but that was also getting popped. So we threw that to the community and basically Mubix, wherever Mubix is, found out real quick for us that what it was triggering on was the injection and service protection. So, you know, fuck you, Trend Micro, but thanks for the motivation. We appreciate it.

So after we ran into this a few times, purehate actually found a blog post by Carnal0wnage that was basically "upload and execute your payload." And that's kind of where the script was born from. So, originally, right, we just wanted to get our shells. We wanted our shells. So we wrote it so it would create an obfuscated payload that would bypass most AVs. In the newer versions, you can actually enable the Hyperion crypter and encrypt it as well. We also had it create a Metasploit .rc file for us and launch that. It would either launch it in xterm or screen depending on, you know, what you've commented out. If it doesn't recognize that X is running, it'll automatically launch it in screen. So that's kind of where it was at.

And then we started learning a little bit more about winexe and we're like, you know, hey, we can basically run native Windows commands. And there's a lot of cool stuff that we could probably end up doing. So I'm not a Windows guy. So again, I went to Google and Google told me what to do. And we started realizing some of the great things that we could do with it. Because what we really wanted the tool to do was to basically go undetected and just look like normal Windows traffic or normal network traffic to our victims.

So winexe, I don't know if anybody is familiar with it. I hope you guys are. It's awesome. It's similar to the Sysinternals PsExec modules. I'm sorry, the Sysinternals PsExec tools. And it also has a system flag.
It also has an uninstall flag, which is also awesome. And I'll explain those a little bit later. There's no, you know, quote-unquote payload necessary. You can basically run winexe and just issue cmd and it'll give you a command shell back from the victim computer without executing a binary. And it looks like normal Windows traffic to the victim. Basically, what they should end up seeing is a successful login over the network. There are some caveats, which I'll discuss later, that might be red flags.

So if you can execute commands as SYSTEM, right, the possibilities are virtually limitless. So you can dump hashes from a workstation or server, create a volume shadow copy, run other tools as SYSTEM, enable, disable, bypass UAC. You can also check systems for DA accounts logged in or running a process.

Is that some type of sign for me here? What? I'm not fucking with anybody. You all know the drill. What does every new speaker do? So I'm Mormon. Not really. I'm a recovering Mormon. That's a good one. As you were. Let's see him get back into it now. Is this better? All right, I apologize. Okay, so where are we at?

So basically we can execute as SYSTEM. Fuck it, we might as well. Is that the alcohol? So we're like, well, holy fuck, let's get some hashes, right? The old-school way was to get the registry keys out and do it. So fuck, let's automate that. So we wrote smbexec to dump the hashes from workstations and servers. And what it basically does is it just runs the Windows command reg.exe save. And it saves the registry key. So SYSTEM plus SAM is your local hashes, everybody probably knows that. SYSTEM plus SECURITY is your domain cached credentials. And then we run it through creddump, which converts the hashes into a John format. And of course we've got a hashcat format there as well.

So one of the other things that somebody brought up to me when I was on a pen test was WCE. Yes, I know about Mimikatz. I know it's awesome.
The integration that they've done with Metasploit is incredible. There's no political battle for me over this. It's just this was a tool I found. It's awesome. I worked with Hernan on it. He let me incorporate it into smbexec. And WCE basically with the -w flag will dump clear-text passwords out of memory. So it took me about five lines of code to code that in. That was another reason. It was super simple. And it runs automatically as part of the hash-grab functionality. If you want to turn that off, you can. You just comment out the code.

So smbexec, we're like shit, let's get stuff off the domain controller too while we're at it. So again, I went to my friend Google and Google told me how to go out and run everything from the command line. And so what this will actually do is it will log in over 445, create a volume shadow copy. It will save off the NTDS.dit, the SYSTEM hive. And when it's done, it will clean up after itself. It deletes the volume shadow copy it created. And it does all this. And I know there was a blog post in 2011 about this. But I don't know if most people know this. There was actually a blog post and forum post back in 2005 about doing this as well. So it's been around for a while. It's there. Once everything's good, it runs ntdsxtract and libesedb gets the hashes out for you. It also creates a tab-separated cred list for you for other functionality within smbexec.

So let's go ahead and see a demo. So I recorded the demo, so fuck it, we'll do it live. Does that look all right to you guys? All right, so that's smbexec. So the first thing you're going to do is you're going to just really quickly do system enumeration, create a quick host list. And basically what it's just doing is a quick nmap scan, looking for systems with 139/445 open, and it builds a list for you. Then we're going to go ahead and go into option three, which is obtain hashes, workstations and servers.
Please provide the username. I'm just going to spit it out here. This is Martin's password. So feel free, if you see purehate anywhere. That's how you log in as his accounts. Here it's a local account. Again, thanks to Mubix, local. This will give it a period or a dot, which is how developers recognize localhost. And then it recognizes that there was a host list created, so it's going to run against that. So this does take a little bit of time. You'll see basically what it's doing. It's going out, it's authenticating. It's logging into the box, pulling down the registry keys. And then when that's done it will basically upload my obfuscated WCE. It'll run that command, it'll pump it all out. So it does take a little bit, so let me hop over here and get this ready. I'm just getting rid of some of the stuff here that I know comes out of it and then sort. Can everybody see that? I made the font super big. So I'm a little hard up here, but I try. Is that a red card? Okay.

So there we go, right? So basically it's pretty much done. There's our local hashes. Here's our domain cached credentials. And I want to give a shout-out to Royce Davis, who's on our team, r3dy, who actually updated Carlos's cachedump and redid it so that it actually worked standalone. So that does include Vista as well as non-Vista versions. And then here's what I love the most. If I could spell right. Boom. Clear-text passwords. Right? So if you look at that, that's 20 characters. I mean, you're not going to crack that shit. There's no way. So it's awesome that you can just get it out of there. So here's one here. topdog. brav0hax's password. So I'm going to go ahead and use that one.

So let's go ahead and get the domain. Go after the domain controller. So again, three. Go after the domain controller. I'm going to authenticate as topdog. This was Martin's old password. And then I know that the domain controller, of course, is this.
But you know, there's simple dig commands or whatever you can use to look it up and find it. So it asks you for the path to the NTDS.dit. You can put any drive, any path. Oh. Oh, wait a second. It helps if I give it the correct IP address. Okay. Found the NTDS.dit. Now it says, where do you want to save this stuff off to, right? You can give it a different path if you want. I'm going to leave it the same: C:\Windows\Temp. So it checks to make sure that the path provided actually exists. It checks to make sure that there's disk space. It creates a volume shadow copy. It copies those files off to your local machine, the NTDS.dit and the SYSTEM hive. It then deletes those files that were created. It removes the volume shadow copy that it created. And then it runs libesedb to extract it and ntdsxtract to get the hashes out. And you can see it's running there. Takes a little bit. Dramatic pause here. And then success. Looks like we got what we came for. So let's make sure that's true. That's true. So there you go. That's all the hashes off the domain controller right there for you. And it was like you were never there.

So I have one other surprise for you. Might not be much of a surprise, but here's the domain controller. Oops. Did I spell something wrong? Oh. It's our desktop, right? Thank you. Thank you very much. Hey, it's Windows Server 2012. What do you know? So this is going to work for a while. So, hold on. Sorry. Okay.

So the caveats, right? There's always caveats, right? You're going to need credentials to start with. You're going to need something with local admin rights. It could be a domain account. It could be a local account. But administrator and password tends to work in nine out of the ten domains we pen-test. So go ahead and do that. Of course there's NBNS spoofing. I'm partial to Ettercap, but that's just me. And of course there's always MS08-067.
So when someone's actually caring or paying attention, winexe actually creates a service that could be stopped or become a red flag. It actually has a binary that it does install in, I believe it's either the Windows or the System32 or one of the paths. So that could be a red flag, could get caught. So it touches disk, basically. Sometimes AV doesn't like WCE, but what I've gone ahead and done, and the reason why it took a little bit longer to run, was I've actually obfuscated the resource DLLs that are within the WCE binary and the WCE binary itself. So it takes an extra couple of seconds, but I'm pretty sure AV is going to have a hard time with it. And that's just part of what I release. So authentication over ports 139/445 is required, right? If you can't do that, this doesn't work. And then Locard's exchange principle: any contact with something's going to leave a trace. Like I said, this touches disk. This will not stand up to a forensics investigation, but I can tell you that most admins are going to look at the server and think everything's just fine. It does have a lot of logins, that's the main thing. Since it's automated, it might log in three or four times. That might look bad if they're looking for that.

So where can I get smbexec? It's out on SourceForge or GitHub under brav0hax. Metasploit modules are created. There's actually six modules created by Royce Davis on our Accuvant team. He's also from pentestgeek.com. Two of them are actually in the framework. That's psexec command and NTDS grab. Impacket, it looks like they developed something in Python that was based on Royce's work. smbexec version 2.0. Like I said, I know bash. I don't know anything else, and I don't really know bash that well. So a couple of guys on our team ported it to Ruby, so it's multi-threaded, it works better, less hiccups that come along with a bash script. And that's Brandon McCann and Thomas McCarthy, also from pentestgeek. So credit where credit is due.
Of course WCE, Hernan Ochoa; the smbclient and winexe pass-the-hash patches, Joe McCunn; Emilio Escobar, who's also the lead developer of Ettercap. Skip Duckwall, of course, Mr. Duckwall. You know, the original vanish script. The Samba team, of course, winexe. Metasploit, HD, Egypt, everybody. Thank you so much. Appreciate it. Fyodor and the Nmap team, creddump, ntdsxtract. The list goes on and on. So basically smbexec really wouldn't work without that. So I don't know if I have time for questions, but please give to Hackers for Charity, go buy a t-shirt or something. We love those guys. On Twitter I'm brav0hax, on IRC I'm Johnny Bravo. Thank you very much.
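The caveats listed in the talk (a service and a dropped binary from winexe, reg.exe saving the SAM, SYSTEM and SECURITY hives, a shadow copy created and removed around the NTDS.dit copy, and three or four network logons per run) are exactly the host-side traces a defender can correlate. The following is an added example and not code from the talk or from the smbexec project: a small Python correlator run over constructed Windows event records. Event IDs 4624, 7045 and 4688 are the standard logon, service-installed and process-created events; the hostnames, users, addresses, timestamps, the service name, the vssadmin command lines and the 60-second logon window are all assumptions made for the example (the talk names none of them).

```python
"""Correlate the host-side traces described in the talk over constructed events.
Added example; not part of the talk or of smbexec."""
import re
from collections import defaultdict

# Constructed sample events. 4624 = logon, 7045 = service installed,
# 4688 = process created (standard Windows Security/System event IDs).
# Hosts, users, addresses, service name and timestamps are invented.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "user": "administrator", "src": "10.0.0.5", "logon_type": 3, "ts": 100},
    {"id": 7045, "host": "WS01", "service": "winexesvc", "image": r"C:\Windows\winexesvc.exe", "ts": 101},
    {"id": 4688, "host": "WS01", "cmd": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam", "ts": 102},
    {"id": 4688, "host": "WS01", "cmd": r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\sys", "ts": 103},
    {"id": 4688, "host": "WS01", "cmd": r"reg.exe save HKLM\SECURITY C:\Windows\Temp\sec", "ts": 104},
    {"id": 4624, "host": "WS01", "user": "administrator", "src": "10.0.0.5", "logon_type": 3, "ts": 106},
    {"id": 4624, "host": "WS01", "user": "administrator", "src": "10.0.0.5", "logon_type": 3, "ts": 111},
    {"id": 4624, "host": "DC01", "user": "topdog", "src": "10.0.0.5", "logon_type": 3, "ts": 200},
    {"id": 4688, "host": "DC01", "cmd": "vssadmin.exe create shadow /for=C:", "ts": 201},
    {"id": 4688, "host": "DC01", "cmd": r"cmd.exe /c copy <shadow path>\Windows\NTDS\ntds.dit C:\Windows\Temp\ntds.dit", "ts": 202},
    {"id": 4688, "host": "DC01", "cmd": "vssadmin.exe delete shadows /shadow=<id> /quiet", "ts": 205},
    # Benign noise: an interactive logon and an ordinary process on another host.
    {"id": 4624, "host": "WS02", "user": "alice", "src": "10.0.0.9", "logon_type": 2, "ts": 300},
    {"id": 4688, "host": "WS02", "cmd": r"notepad.exe C:\Users\alice\notes.txt", "ts": 301},
]

# reg.exe exporting a credential-bearing hive (the talk: "reg.exe save" of SAM/SYSTEM/SECURITY).
HIVE_SAVE = re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)
# Shadow copy lifecycle; vssadmin syntax is assumed, the talk only says "volume shadow copy".
SHADOW_CREATE = re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
NTDS = re.compile(r"ntds\.dit", re.I)
# A service binary dropped straight into Windows\ or System32\ (the talk: winexe installs one there).
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\(?:System32\\)?[^\\]+\.exe$", re.I)

LOGON_WINDOW = 60  # seconds; assumed tuning value
LOGON_BURST = 3    # the talk mentions three or four logons per automated run


def detect(events):
    """Return {host: [finding, ...]} for hosts showing the traces above."""
    findings = defaultdict(list)
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    for host, evs in by_host.items():
        hives, shadow_created, ntds_touched = set(), None, False
        for ev in evs:
            if ev["id"] == 4688:
                cmd = ev["cmd"]
                m = HIVE_SAVE.search(cmd)
                if m:
                    hives.add(m.group(1).upper())
                if SHADOW_CREATE.search(cmd):
                    shadow_created = ev["ts"]
                if NTDS.search(cmd):
                    ntds_touched = True
                if SHADOW_DELETE.search(cmd) and shadow_created is not None:
                    findings[host].append(
                        f"shadow copy created and deleted within {ev['ts'] - shadow_created}s"
                        + (" after NTDS.dit access" if ntds_touched else ""))
            elif ev["id"] == 7045 and WINDOWS_DIR.match(ev["image"]):
                findings[host].append(
                    f"service {ev['service']!r} installed with new binary {ev['image']}")
        # SYSTEM alone is not enough to decrypt anything; SYSTEM plus SAM or SECURITY is.
        if "SYSTEM" in hives and hives & {"SAM", "SECURITY"}:
            findings[host].append("registry hives exported: " + ", ".join(sorted(hives)))

        # Burst of network (type 3) logons by one account from one source.
        logons = defaultdict(list)
        for ev in evs:
            if ev["id"] == 4624 and ev["logon_type"] == 3:
                logons[(ev["user"], ev["src"])].append(ev["ts"])
        for (user, src), times in logons.items():
            for i in range(len(times) - LOGON_BURST + 1):
                if times[i + LOGON_BURST - 1] - times[i] <= LOGON_WINDOW:
                    findings[host].append(
                        f"{LOGON_BURST}+ network logons by {user} from {src} within {LOGON_WINDOW}s")
                    break
    return dict(findings)


if __name__ == "__main__":
    for host, notes in detect(SAMPLE_EVENTS).items():
        print(host)
        for note in notes:
            print("  -", note)
```

Each finding alone is noisy in a real estate (admins export hives and create shadow copies too); the point is that an automated run produces all of them on one host within seconds of a network logon, so a rule that scores per host over a short window separates this pattern from routine administration far better than any single signature.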