Should You Trust Your Admin Tools?

Nasreddine Bencherchali
Dec 18, 2021

Introduction

Sysadmins are often managing multiple servers and machines at once or doing some other shenanigans, so they tend to download and use tools that make their work easier. These utilities sometimes offer a plethora of features, such as the ability to save usernames and passwords, connect automatically to a specific machine once opened, save the history of commands, etc.

Today I thought it would be interesting to take a look at some of these tools to highlight the “danger” of using such tools and their features, and how easily they can be “abused”.

Let’s get started.

MobaXterm

The first tool that we’re gonna look at is “MobaXterm”. Here is a description from their website.

MobaXterm is your ultimate toolbox for remote computing. In a single Windows application, it provides loads of functions that are tailored for programmers, webmasters, IT administrators, and pretty much all users who need to handle their remote jobs in a more simple fashion.

MobaXterm provides all the important remote network tools (SSH, X11, RDP, VNC, FTP, MOSH, …) and Unix commands (bash, ls, cat, sed, grep, awk, rsync, …) to Windows desktop, in a single portable exe file which works out of the box — [MobaXterm]

Basically, MobaXterm is a do-it-all tool. For this, I’m only going to focus on some of these features.

Password Manager

One of the features is the ability to save username/password combinations for SSH servers. These usernames and passwords are stored in the following registry key.

HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P

Anyone with the right privileges can enumerate usernames and brute force passwords offline by reading this key. (There is already a freely available tool to help with this)

Command History

Another “useful” feature is the ability to have all the previously typed commands available via a “history”. If MobaXterm is installed then all the commands are stored in a “.bash_history” file located in the following path:

C:\Users\[username]\AppData\Roaming\MobaXterm\home\.bash_history

Bookmarks

MobaXterm also allows the user to save servers as bookmarks. The list containing these is stored inside the “MobaXterm.ini” file, which is located here:

C:\Users\[username]\AppData\Roaming\MobaXterm\MobaXterm.ini

Using this we can enumerate saved users and servers.

Tools, Tools, and More Tools

When installed (even in portable mode), MobaXterm drops a bunch of tools that it needs to achieve what it claims. These tools are located here:

C:\Users\[username]\AppData\Roaming\MobaXterm\slash\bin
  • BusyBox
  • git.exe
  • ftp.exe
  • regtool.exe — A tool to view or edit the Win32 registry
  • wget.exe
  • telnet.exe
  • TurboVNC.exe

And many more.

Radmin (Server)

This is another tool used by admins to access their servers through RDP.

It's a remote control program that lets you work on another computer through your own

Similar to MobaXterm, the password and user information is stored inside the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security

And the information stored can be cracked using the following tool by synacktiv.

Radmin (Viewer)

Similar to the server, if an admin has Radmin Viewer installed, the list of servers that he usually accesses is stored inside a “.rpb” file that we can easily read.

C:\Users\[username]\AppData\Roaming\Radmin\radmin.rpb

Putty

Another famous tool is “putty”, an SSH and telnet client used by administrators. It is not as feature-rich as MobaXterm, but the following is worth noting.

History

This feature is not enabled by default, but when it is, a history file is created. By default, it’ll be named “putty.log” and will be located in the installation folder:

C:\Program Files\PuTTY\putty.log

The bravest of the administrators may enable this feature for “easiness” sake.

Saved Sessions

Putty offers the ability to save sessions to make it easy to access those servers. Once a session is saved, a registry key is created that’ll contain all the config information, including the hostname:

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\[Sessions Name]

We can easily enumerate the servers that a particular admin has access to.

FileZilla (Client)

FileZilla is a free FTP solution. Administrators use it to connect to different FTP servers, and by default every server an admin has tried to connect to is stored inside a file on disk (sort of a history file).

C:\Users\[username]\AppData\Roaming\FileZilla\recentservers.xml

Text Editors

Whilst they are not admin tools per se, administrators often use text editors to copy stuff or create files without saving them. These files are actually written to disk, often in a temp directory, which makes them an easy target for grabbing “sensitive” information.

Sublime Text

The first example of this is “Sublime Text”, which stores its “unsaved” files in the following directory/file:

C:\Users\[username]\AppData\Roaming\Sublime Text 3\Local\Session.sublime_session

Visual Studio Code

C:\Users\[username]\AppData\Roaming\Code\Backups

Notepad++

Credit — @mcbazza

C:\Users\[username]\AppData\Roaming\Notepad++\backup

All these “hidden” files can be used to extract information that could be considered “sensitive”.

Conclusion

The utilities shown here are only a very small set of what’s out there, but the idea is still the same.

Know your tools, what they generate, baseline and monitor, monitor, monitor.
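One way to turn "baseline and monitor" into a check, as an added example that is not part of the original post: it flags object-access events in which one of the artifacts listed above is opened by a process other than the application that owns it. It assumes object-access auditing is enabled on these keys and files and that events carry the `ProcessName` and `ObjectName` fields of Windows Event ID 4663; the owning image names and all sample events are constructed assumptions.

```python
import re

# (artifact pattern, owning process image). Artifact locations come from this
# article; the image names are assumptions to replace with your own baseline.
WATCHLIST = [
    (r"\\Software\\Mobatek\\MobaXterm\\P$", r"mobaxterm[^\\]*\.exe"),
    (r"\\AppData\\Roaming\\MobaXterm\\(home\\\.bash_history|MobaXterm\.ini)$",
     r"mobaxterm[^\\]*\.exe"),
    (r"\\Radmin\\v3\.0\\Server\\Parameters\\Radmin Security(\\|$)", r"rserver3\.exe"),
    (r"\\AppData\\Roaming\\Radmin\\radmin\.rpb$", r"radmin\.exe"),
    (r"\\Software\\SimonTatham\\PuTTY\\Sessions(\\|$)", r"(putty|plink|pscp|psftp)\.exe"),
    (r"\\Program Files\\PuTTY\\putty\.log$", r"putty\.exe"),
    (r"\\AppData\\Roaming\\FileZilla\\recentservers\.xml$", r"filezilla\.exe"),
    (r"\\Sublime Text 3\\Local\\Session\.sublime_session$", r"sublime_text\.exe"),
    (r"\\AppData\\Roaming\\Code\\Backups(\\|$)", r"code\.exe"),
    (r"\\AppData\\Roaming\\Notepad\+\+\\backup(\\|$)", r"notepad\+\+\.exe"),
]
# Anchor the image pattern on a path separator so "notputty.exe" does not pass.
RULES = [(re.compile(obj, re.I), re.compile(r"\\" + img + "$", re.I))
         for obj, img in WATCHLIST]

def unexpected_access(events):
    """Return events where a watched artifact is opened by a non-owning process."""
    hits = []
    for ev in events:
        for obj_re, img_re in RULES:
            if obj_re.search(ev["ObjectName"]):
                if not img_re.search(ev["ProcessName"]):
                    hits.append(ev)
                break  # first matching rule decides
    return hits

# Constructed sample events (not real telemetry). HKCU shows up under
# \REGISTRY\USER\<SID> in object-access events, hence the suffix matching.
SID = r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [{"ProcessName": p, "ObjectName": o} for p, o in [
    (r"C:\Program Files\PuTTY\putty.exe", SID + r"\Software\SimonTatham\PuTTY\Sessions\prod-db"),
    (r"C:\Windows\System32\reg.exe", SID + r"\Software\Mobatek\MobaXterm\P"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Users\alice\AppData\Roaming\FileZilla\recentservers.xml"),
    (r"C:\Program Files\Notepad++\notepad++.exe",
     r"C:\Users\alice\AppData\Roaming\Notepad++\backup\new 1@2021-12-18_101500"),
    (r"C:\Windows\explorer.exe", r"C:\Users\alice\Documents\report.docx"),
]]

if __name__ == "__main__":
    for ev in unexpected_access(SAMPLE_EVENTS):
        print("ALERT", ev["ProcessName"], "->", ev["ObjectName"])
```

Matching on the image name alone is weak against a renamed binary, so a production rule should also pin the full image path or the signer.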


I write about #Detection and #WindowsInternals. Follow https://github.com/nasbench/Misc-Research for interesting Windows tidbits.