NFTF: Bypassing Group Policy Denied Command Prompt

This is an old trick but I ended up doing it the other day just for kicks, it will only work on 32bit systems at the moment (edit.exe is a 16bit editor and won’t run on a 64bit OS). Just to clarify – I had no internet access or access to any tools…

This is an old trick but I ended up doing it the other day just for kicks, it will only work on 32bit systems at the moment (edit.exe is a 16bit editor and won’t run on a 64bit OS).


Just to clarify – I had no internet access or access to any toolsets, so had to go with whatever I could find on the box hence the use of edit.exe and not winhex/hxd/hexeditorofyourchoice.


I think I vaguely recall a way to use debug.exe to edit binary files but it involved raw assembler and was more complicated than I could remember off of the top of my head with zero internet access at the time so this will do for now.


Right, so as before we have access to a basic command prompt using the VBS/VBA “Call FTP and ! prefix your commands” method.


But I want a full prompt that works without needing such a workaround.


Copy C:windowssystem32cmd.exe somewhere (unless you want to possibly break cmd.exe on your test system).


Using the VBS/VBA FTP method, call “Edit” (Don’t try this with notepad it will change all of the nulls to x20 and destroy the file such that you can no longer run it as an executable)


File -> Tick the “Open Binary” box (This is important), Navigate to C:windowssystem32cmd.exe and open the file.



Scroll down (I’ve tried searching and as there is no way of typing a null char, it won’t work) and you’re looking for the first references to “SoftwarePolicies…” Its the registry key that it is looking at to determine if it should allow you to run or not.


Change P O L I C I E S to B O L I C I E S (well whatever you want, keep the length the same though)


Save the file – Run the file – Voila! command prompt with no need to have to go through FTP.exe over and over. 

NFTF: Local Lockdown – Getting prompts, Fun with Macros and Scripting Help on Airgapped Systems

1. NFTF Quickie – VBS Funtimes – Run Scripts? Get Prompt This is probably a duplicate somewhere but wanted it noted for my own use anyway – here’s a very handy VBS that does the job nicely for accessing useful commands as a user on a locked down d…

Using VBS to fire up FTP as a local command shell

This is probably a duplicate somehwere but I wanted it noted for my own use anyway – here’s a very handy VBS that does the job nicely for accessing useful commands as a user on a locked down desktop.

In this example I choose to fire up FTP.exe as its well known that local commands can be run within the FTP.exe interface.

'run ftp

CreateObject("WScript.Shell").Run "cmd.exe /k ftp"

Using the above and the bang character, this will allow you to run commands on the host. For example: !cd or !c:\windows\system32\calc.exe

Odd Behaviour: On XP64 !cd did not appear to persist the path post it’s single command, however on windows 7 and 32bit XP it did so. Pretty noddy stuff but useful to remember.

No Macros Allowed?

Myself and a colleague were presented with a “Defect Fixed, macros are completely disabled on the host” statement from a long term pentest engagement, I was new to the project so decided to give it a good kicking.

At first glance, no access to the editor was possible and only trusted signed macros were capable of running. We could be forgiven at this point for even mistakenly “passing” the defect if we hadn’t been so determined.

After a bit of poking and managing to pop open the editor across the office suite, I was convinced I could get it to play ball all the way. My colleague thankfully indulged my inane ramblings about digitally signing and feeling like it’s so close to popping.

3 to 4 hours later and a fair few dead ends, we got macro editing and execution as a trusted signed macro across all the office apps available on the host (aside from outlook, that could probably fall too given more poking but we had proved our point).

What follows is a quick run through of what we did:

First problem, Creating the macro – we need an editor

If the macro menu is disabled and the buttons on the developer toolbar are greyed out (or even removed from the interface) try the following.

In Word: Right click the toolbar, select “customise quick access toolbar”, select “all commands” and add the buttons labelled “view code” and “design mode”. The view code button will be greyed out until the design mode button is pressed so press the design mode button, hit view code and voila the VB Editor pops open!

In Excel: Right click the sheet tab and select view code – it is also accessible through the same way it was in Word.

In Powerpoint: There should already be a view code option on the ribbon. Failing that activate it as you would in Word above.

Just sign here, here and here

Our second issue, accessing the security window and then the macro security window using the above toolbar button method (anything with the word macro in was disabled from a UI point of view in the ribbon menus, so you had to load the plain “security” window in order to get the macro security screen to pop). We could see that only signed macros were allowed to run. Nightmare, what can we do now?

Well, coming at this from a lockdown breakout just don’t save the document. Group Policy only applies in terms of macro execution to a saved word document. Writing a macro and executing it instantly is usually not blocked.

However this is a long term pentest engagement and sometimes the ability to save documents and have say your VBA port scanner or VBA based file downloading widget saved for later use on other engagements is a useful thing. We used to just copy paste from text files but that’s frustrating and doesn’t allow you to really go to down with forms and things to prettify your attack “docs” 🙂

So we need to sign our macros. While poking about the office program files folders I noted the following executable: selfcert.exe

Run it, and it’ll produce a lovely new certificate for you to sign your macros with, now granted it’s self signed but word doesn’t really care too much about that.

Tools -> Digital Signatures -> Choose Certificate -> Select your cert. Now it’s signed. You may need to reopen the document to get it to run.

This is all fantastic until…

But wait, mommy told me not to run macros from strangers…

Okay so we’ve got our macro signed, but due to the security settings they’ve hobbled it further and disabled any prompting for self-signed macros, allowing only trusted macros to run. So we need to find a way to explicitly trust our self-signed macro.

Open the VB Editor as before, Then… Tools -> Digital Signatures -> Choose -> View Certificate -> Details -> Copy To File

Navigate to the saved .cer file (just accept the defaults in the export wizard). Right click the file and select “install certificate”, select the location to install the certificate as “Trusted Publishers”

With the certificate installed successfully you just added your certificate to the trusted signatures that microsoft office will blindly accept without needing you to click on an “accept the risk” style dialog box.

Before: In our case this dialog was hidden and not shown to users, meaning we had no option of accepting anyway in this manner, so self-signed macros would never run.

After: No prompt, macro runs and certificate is trusted

So what can I do with these things anyway?

So the little example given at the top of this blog post will fail without the use of cscript/wscript.exe. Which is commonly locked down.

How about doing it in VBA?

Sub run_me    retVal = Shell("c:\windows\system32\cmd.exe /k ftp",1)End Sub

A quick F5 and you’re back running the commands you love.

retVal in the above will contain the PID of the process you just launched so the following will kill the process too.

Sub run_me_kill_me    Dim retVal as String    retVal = Shell("c:\windows\system32\calc.exe",1)    killCmd = "c:\windows\system32\cmd.exe /k taskkill /PID " + retVal    retVal2 = Shell(killCmd,1)End Sub

The ,1 part of the shell call, that’s describing what you want VB to do with the window. If you are doing calls to a script or a command/console based program, you can use vbHide instead and no window will appear on the screen.

Be careful doing this however on systems with cmd.exe disabled by group policy as you’ll find that they never show up and so persist within task manager waiting on an invisible but very real “This command has been disabled by your administrator, press any key to continue” prompt.

Help! No Web, No Hope? No Way!

So a final tidbit on the end of this blog post. Ever wanted to write some VBS or VBA but not sure of the exact syntax or even the functions you may have access to, you’re in a location with zero access to the internet and someone has helpfully disabled the “help and support” service, denying you any F1 action you may be looking for?

This is a little trick I picked up from previous work. Providing the host you’re playing with has Microsoft Office installed you will have access to all the scripting reference material you could want.

First lets make a new shortcut on the desktop or wherever is convenient for you.

Set the path to

"C:\program files (x86)\Microsoft office\office12\clview.exe" "MSE" "Microsoft Scripting Engine"

Double click your newly created shortcut and a blank help screen should appear.

Use the search bar to searfch for something “VBS” related for example and then click the “Microsoft scripting engine” (grey text top left) and then “Microsoft Scripting Engine Help”. You’ll have access to the help for VBScript and JScript language references along with information on all the juicy runtime objects you can access using them.

Need VBA help? Once again CLVIEW to the rescue…

Create a shortcut only this time it’s contents will be:

"C:\program files (x86)\Microsoft office\office12\clview.exe" "WINWORD" "Microsoft Office Word"

This looks like you’re calling for word help but in reality it is the word developer reference manual and in turn will give you the full VBA language reference too.

There are options too for Excel and Powerpoint references in case the word based help is not sufficient for your needs.

Happy local lockdown testing!

Cross-Post: Exploiting Windows 2008 Group Policy Preferences – Expanded

Cross posting some work of a friend of mine that I was helping with, I say “helping” in the lightest form of the word (I had a domain controller ready to test, he didn’t). Meatballs (over at: has been doing some work…

Cross posting some work of a friend of mine that I was helping with, I say “helping” in the lightest form of the word (I had a domain controller ready to test, he didn’t).

Meatballs (over at: has been doing some work attempting to put together a metasploit module to decrypt passwords found within the sysvol folder on win2k8 domains.

However rather than just settle for the disclosed “local users and groups are vulnerable…” he dug a little deeper after realising that datasources and other such things that have user credentials associated with them were also stored in the same manner.

What follows is a snippet from his blog, visit his site for the full article.


This follows on from the disclosure which discussed how Group Policy Preferences can be used to create Local Users on machines and the resulting passwords easily decrypted. (Expect a metasploit post module to gather these details soon…)

Browsing the MSDN documentation I noticed that there were many other preferences that could be set that, and delving further they also allow a password to be stored. For example Services.xml specifies services to run on end machines, and can specify a specific user and password for that service to run under.

Whilst these preferences may not be used as commonly as local users preferences (to set local administrator passwords), they may lead to current valid domain credentials rather than just local users accounts – for example specifying a domain user to connect to a network share in Drives.xml… (read more)

The finished result when run against my little 2k8 test domain.


Adding Google Authenticator 2-Factor Auth to an OpenVZ VPS

…running Centos 6.2 After seeing a great little tutorial courtesy of @hak5darren I decided to implement this on my VPS box to provide a little extra security while removing the need for private keys. Granted I can still use private keys at home …

…running Centos 6.2

After seeing a great little tutorial courtesy of @hak5darren I decided to implement this on my VPS box to provide a little extra security while removing the need for private keys.

Granted I can still use private keys at home but it’d be nice to have access to my box when I maybe don’t have access to my private key or using it via an internet cafe.

Step One: Make sure your time is set correctly

Everything we will end up doing is to set up a time sensitive token. If your server is not running on the same time as your mobile phone/authenticator then you’re going to find yourself unable to log into your machine.

In OpenVZ you are unable to use NTP to sync up time or manage timeservers and so you’re stuck to what your physical host is using. Providing your provider is decent enough and is ensuring his physical hosts are kept up to date you shouldn’t have a problem.

If you follow these next steps and your time is still out of sync, you’ve got a problem that I can’t solve. Contact your provider and get him to sort out NTP on his physical hosts.

As you can’t use NTP yourself to set the time, you have to set the correct “offset”. You do this by:

  1. rm /etc/localtime && ln -s /usr/share/zoneinfo/Europe/London /etc/localtime && date

Make sure you set the timezone appropriately for your area. The output should be in sync with your local time now.

Step Two: Get hold of the Google Authenticator PAM

The Pluggable Authentication Module (PAM for short) is available from:

wget and extract the source tarball:

  1. wget && tar jxvf libpam-google-authenticator-1.0-source.tar.bz2
  2. Ensure you have the development tools installed: sudo yum groupinstall “Development Tools”
  3. Ensure you have the pam development libraries installed: sudo yum install pam-devel
  4. cd libpam-google-authenticator-1.0
  5. sudo make install

With no errors you should now have two files contained within /lib64/security and /usr/local/bin

  • google-authenticator

Step Three: Lets start configuring it

First the system authentication…

Copy the following line into your /etc/pam.d/sshd configuration file.

  • auth    required              

You can add the above to the system-auth file if you wish but expect problems if you’re running X. I only have a single service I want to protect so I’ve added it as per Darren’s instructions to the service’s configuration file.

Note that each stack (auth, account, session, etc…) is executed in line order. So if you place the above line after the line within the auth stack that deals with “password”, it’ll request a password first, if you place it above the password line, it’ll request a verification code first.

Any references to “include” means that it defers that point of the stack to another file under /etc/pam.d/ so if you want to fine tune where the google authenticator module is called, you’ll need to follow the stack.

Once you’ve added the above line edit your /etc/ssh/sshd_config file to make use of challenge_response authentication.

  • Ensure “usepam” is set to yes
  • Ensure “ChallengeResponse Authentication” is set to yes – This is the “Something I have” factor
  • Enable Password Authentication – This would be the second “something I know” factor.

Another thing to note is make sure that your login grace time is set to something sufficiently large enough for you to type in both the authenticator code and your password. I had mine set to 10s to allow me to type in a keyphrase for my private key, but kept finding my login timing out after submitting a verification code but before I could finish typing my password when using 2FA.

With all the above done you’re now ready for step 4.

Step 4: Configuring your user account

As your normal user enter the following command:

  • google-authenticator

The following exchange will take place. Answers are down to your preferences except for where I’ve marked it in bold.

[[email protected] libpam-google-authenticator-1.0]$ google-authenticator
Do you want authentication tokens to be time-based (y/n) y….
Your new secret key is: AAAAAAAAAAAAAAAAAAAAAA
Your verification code is 111111111111111111111
Your emergency scratch codes are:
Do you want me to update your “/home/user/.google_authenticator” file (y/n) y

Do you want to disallow multiple uses of the same authentication token?
This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks (y/n)

By default, tokens are good for 30 seconds and in order to compensate for possible time-skew between the client and the server, we allow an extra token before and after the current time. If you experience problems with poor time synchronization, you can increase the window from its default size of 1:30min to about 4min.

Do you want to do so (y/n)

If the computer that you are logging into isn’t hardened against brute-force login attempts, you can enable rate-limiting for the authentication module. By default, this limits attackers to no more than 3 login attempts every 30s.

Do you want to enable rate-limiting (y/n)

Navigate to the URL given to you within the output.

  • Using the Google Authenticator app on your phone, add an account and select “scan barcode”
  • Position camera to view the QR code presented to you at the above URL

The Google Authenticator Application will automatically add an account with a value which will update every 30 seconds or so.


Now restart your sshd server using:

  • sudo service sshd restart


  • sudo /etc/init.d/sshd restart

And before you log out of your current session. Open up a secondary putty window and attempt to login using your google verification code and a password (obviously having set one for your user).

Step Five: …now you’re auth’n with google

Providing the last step worked, you’re all sorted. Google authenticator is working for you.


Otherwise, undo the above changes and give up as I have no idea what went wrong and if you logout you’ll likely lock yourself out of your machine.

Mini Rant – Security that makes no sense…

In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII. However it’s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects shoul…

In my line of work we encourage encrypted communications and securing sensitive data especially when it comes to PII.

However it’s increasingly common to see systems put into place that are obviously only there to mitigate litigation aspects should anything go wrong.

Take American Express for example:

An email from them asking you to send a copy of your passport/driving licence/etc… to confirm your identity suggests that you may reply via email however:

Please note that the internet can be insecure. You must use a secure encryption method when sending personal data and/or documentation to us via email to safeguard your personal data

Great… you encourage your customers to encrypt their personal data.

So I’ll just send over a truecrypt volume encrypted with twofish-aes-serpent shall I?

Or perhaps a PGP encrypted volume, whats your public key?

What about just an AES256 encrypted zip?

Okay so that’s point 1.

  • They’ve suggested that it is on the customers own head to protect their data. However they have not listed the accepted formats of encryption that they use.

So we’re assuming because they’ve not provided us with a public key they don’t want pgp or gpg encryption. They want something simple that doesn’t require too much infrastructure in place so we’ll go with the AES256 encrypted zip, which providing they have winzip/7zip/*ziprarace client means they can enter in a password and decrypt the contents.

Great, so how do I get the password to you?

AMEX are right, internet communication via email is all in the clear, so if someone was in the middle of my traffic (i’m on a corporate network, chances are they’re monitoring it at least so files could be logged or archived in an antivirus mail gateway for example) they could intercept the cleartext data and have my passport details.

So I encrypt it and send it via email, attacker or corporate network now only has an encrypted zip file.

How do AMEX suggest I send a password to them? I call their customer service desk, expecting them to give me a number to SMS it to or a voice service that instead reads me a password when I dial the number and enter my reference code?

Oh you just send it via email. I think you’re meant to send it all together

…I explain my concerns..

Erm, I’ve never been asked that before I guess I could give you another email address to send it to

Point 2:

  • Sending encrypted data along with the password in the same email is as good as sending cleartext data.
  • Sending encrypted data along with the password via the same mechanism is as good as sending cleartext data.

So despite all of AMEX’s good advice above “You must use a secure encryption method…” actually there is no way to use a secure encryption method to keep your data safe when dealing with them.

Extra Note:Along the same lines, as I mention above I regularly get asked to encrypt reports that are deemed commercially sensitive. So I email out the encrypted zip file, and they request that I SMS them the password.

2 minutes later, their blackberry chirps… twice*.

*Did you guess what just happened?

Their blackberry received both the encrypted zip and the plain text password. Loss/Theft of the blackberry once again could result in the loss of commercially sensitive data.