Should You Trust Your Admin Tools?


Introduction

Today I thought it would be interesting to take a look at some of these tools, to highlight the “danger” of using such tools and their features, and to show how easily they can be “abused”.

Let’s get started.

MobaXterm

MobaXterm is your ultimate toolbox for remote computing. In a single Windows application, it provides loads of functions that are tailored for programmers, webmasters, IT administrators, and pretty much all users who need to handle their remote jobs in a more simple fashion.

MobaXterm provides all the important remote network tools (SSH, X11, RDP, VNC, FTP, MOSH, …) and Unix commands (bash, ls, cat, sed, grep, awk, rsync, …) to Windows desktop, in a single portable exe file which works out of the box — [MobaXterm]

Basically, MobaXterm is a do-it-all tool. For this, I’m only going to focus on some of these features.

Password Manager

HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P

Anyone with the right privileges can enumerate usernames and brute force passwords offline by reading this key. (There is already a freely available tool to help with this.)

Command History

C:\Users\[username]\AppData\Roaming\MobaXterm\home\.bash_history

Bookmarks

C:\Users\[username]\AppData\Roaming\MobaXterm\MobaXterm.ini

Using this we can enumerate saved users and servers.

Tools, Tools, and More Tools

C:\Users\[username]\AppData\Roaming\MobaXterm\slash\bin
  • BusyBox
  • git.exe
  • ftp.exe
  • regtool.exe — A tool to view or edit the Win32 registry
  • wget.exe
  • telnet.exe
  • TurboVNC.exe

And many more.

Radmin (Server)

It's a remote control program that lets you work on another computer through your own.

Similar to MobaXterm, the password and user information is stored in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security

The stored information can be cracked using the following tool by Synacktiv.

Radmin (Viewer)

C:\Users\[username]\AppData\Roaming\Radmin\radmin.rpb

Putty

History

C:\Program Files\PuTTY\putty.log

The bravest of the administrators may enable this feature for the sake of “easiness”.

Saved Sessions

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\[Sessions Name]

We can easily enumerate the servers that a particular admin has access to.

FileZilla (Client)

C:\Users\[username]\AppData\Roaming\FileZilla\recentservers.xml

Text Editors

Sublime Text

C:\Users\[username]\AppData\Roaming\Sublime Text 3\Local\Session.sublime_session

Visual Studio Code

C:\Users\[username]\AppData\Roaming\Code\Backups

Notepad++

C:\Users\[username]\AppData\Roaming\Notepad++\backup

All these “hidden” files can be used to extract information that could be considered “sensitive”.

Conclusion

Know your tools, what they generate, baseline and monitor, monitor, monitor.
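As an added example that is not part of the original post, here is a PowerShell audit script that checks a Windows host for the artifact locations listed above, so their presence can be baselined and monitored. It assumes profiles live under C:\Users and that per-user hives of interest are loaded under HKEY_USERS (logged-on users); everything else is taken from the paths and keys in this post.

```powershell
# Added example, not from the original post: inventory the artifacts listed above on a
# Windows host so their presence can be baselined and monitored. Run elevated; per-user
# registry keys are only visible for hives currently loaded under HKEY_USERS.
$userFiles = @(
    'AppData\Roaming\MobaXterm\home\.bash_history',
    'AppData\Roaming\MobaXterm\MobaXterm.ini',
    'AppData\Roaming\MobaXterm\slash\bin',
    'AppData\Roaming\Radmin\radmin.rpb',
    'AppData\Roaming\FileZilla\recentservers.xml',
    'AppData\Roaming\Sublime Text 3\Local\Session.sublime_session',
    'AppData\Roaming\Code\Backups',
    'AppData\Roaming\Notepad++\backup'
)
$userKeys = @('Software\Mobatek\MobaXterm\P', 'Software\SimonTatham\PuTTY\Sessions')
$machineItems = @(
    'C:\Program Files\PuTTY\putty.log',
    'HKLM:\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security'
)
$report = @()

# Files and folders in every profile under C:\Users (assumed default profile root)
foreach ($dir in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($rel in $userFiles) {
        $p = Join-Path $dir.FullName $rel
        if (Test-Path -LiteralPath $p) {
            $report += [pscustomobject]@{ Scope = $dir.Name; Kind = 'File'; Path = $p
                                          LastWrite = (Get-Item -LiteralPath $p).LastWriteTime }
        }
    }
}
# Per-user registry keys for every loaded account hive (SIDs only, not *_Classes)
$hives = Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' }
foreach ($hive in $hives) {
    foreach ($rel in $userKeys) {
        $k = "Registry::HKEY_USERS\$($hive.PSChildName)\$rel"
        if (Test-Path -LiteralPath $k) {
            $report += [pscustomobject]@{ Scope = $hive.PSChildName; Kind = 'Registry'; Path = $k; LastWrite = $null }
        }
    }
}
# Machine-wide items (PuTTY log file and the Radmin server key)
foreach ($p in $machineItems) {
    if (Test-Path -LiteralPath $p) {
        $kind = if ($p -like 'HKLM:*') { 'Registry' } else { 'File' }
        $report += [pscustomobject]@{ Scope = 'Machine'; Kind = $kind; Path = $p; LastWrite = $null }
    }
}
$report | Sort-Object Scope, Kind, Path | Format-Table -AutoSize
```

Running it periodically and diffing the output against a known-good baseline flags newly appearing artifacts (a fresh PuTTY log, a new MobaXterm password entry) on hosts where those tools should not be in use.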

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.