Should You Trust Your Admin Tools?

Photo by Cesar Carlevarino Aragon on Unsplash

Introduction

Often time sysadmins are managing multiple servers and machines at once or doing some other shenanigans. So they tend to download and use tools that ease their process. These utilities sometimes offer a plethora of features such as the ability to save usernames and passwords, connect automatically to a specific machine once opened, save the history of commands…etc.

Today I thought it would interesting to take a look at some of these tools to highlight the “danger” of using such tools and their features and how can they be easily “abused”.

Let’s get started.

MobaXterm

The first tool that we’re gonna look at is “MobaXterm”. Here is a description from their website.

MobaXterm is your ultimate toolbox for remote computing. In a single Windows application, it provides loads of functions that are tailored for programmers, webmasters, IT administrators, and pretty much all users who need to handle their remote jobs in a more simple fashion.

MobaXterm provides all the important remote network tools (SSH, X11, RDP, VNC, FTP, MOSH, …) and Unix commands (bash, ls, cat, sed, grep, awk, rsync, …) to Windows desktop, in a single portable exe file which works out of the box — [MobaXterm]

Basically, MobaXterm is a do-it-all tool. For this, I’m only going to focus on some of these features.

Password Manager

One of the features is the ability to save usernames/passwords combination for SSH servers. These usernames/passwords are stored in the following registry.

HKEY_CURRENT_USER\Software\Mobatek\MobaXterm\P

Anyone with the right privileges can enumerate usernames and brute force passwords offline by reading this key. (There is already a freely available tool to help with this)

Command History

Another “useful” feature is the ability to have all the previously typed commands available via a “history”. If MobaXterm is installed then all the commands are stored in a “.bash_history” file located in the following path:

C:\Users\[username]\AppData\Roaming\MobaXterm\home\.bash_history

Bookmarks

MobaXterm also allows the user to save servers as bookmarks. The list containing these are stored inside the “MobaXterm.ini” file which is located here:

C:\Users\[username]\AppData\Roaming\MobaXterm\MobaXterm.ini

Using this we can enumerate saved users and servers.

Tools, Tools, and More Tools

When installed (even in portable mode), MobaXterm drops a bunch of tools to be able to achieve what it claims. These tools are located here

C:\Users\[username]\AppData\Roaming\MobaXterm\slash\bin
  • BusyBox
  • git.exe
  • ftp.exe
  • regtool.exe — A tool to view or edit the Win32 registry
  • wget.exe
  • telnet.exe
  • TurboVNC.exe

And many more.

Radmin (Server)

This is another tool used by admin to access their servers through RDP.

It's a remote control program that lets you work on another computer through your own

Similar to MobaXterm the passwords and users information is stored inside of the registry

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin Security

And the information stored can be cracked using the following tool by synacktiv.

Radmin (Viewer)

Similar to the server. If an admin has Radmin viewer installed, the list of the servers that he usually accesses is stored inside of a “.rpb” file that we can easily read.

C:\Users\[username]\AppData\Roaming\Radmin\radmin.rpb

Putty

Another famous tool is “putty” an SSH and telnet client, which is used by administrators. Not as feature extensive as MobaXterm but the following is worth noting.

History

While this feature is not enabled by default. When it is, a history file is created. By default, it’ll be named “putty.log” and will be located in the installation folder

C:\Program Files\PuTTY\putty.log

The bravest of the administrators may enable this feature for “easiness” sake.

Saved Sessions

Putty offers the ability to save sessions to make it easy to access those servers. Once a session is saved a registry key is created that’ll contain all the config information including the hostname

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\[Sessions Name]

We can easily enumerate the servers that a particular admin has access to.

FileZilla (Client)

In the case of FileZilla a free FTP solution. Administrators use this to connect to different FTP servers and by default, every server an admin has tried to connect to is stored inside of a file on disk (sort of a history file).

C:\Users\[username]\AppData\Roaming\FileZilla\recentservers.xml

Text Editors

Whilst they are not admin tools per se, but often time administrators use text editors to copy stuff or create files without saving them. These files are actually written to disk often time in a temp directory which makes it an easy target to grab “sensitive” information.

Sublime Text

The first example for this is “Sublime Text” which stores its “unsaved” files in the following directory/file

C:\Users\[username]\AppData\Roaming\Sublime Text 3\Local\Session.sublime_session

Visual Studio Code

C:\Users\[username]\AppData\Roaming\Code\Backups

Notepad++

Credit — @mcbazza

C:\Users\[username]\AppData\Roaming\Notepad++\backup

All these “hidden” files can be used to extract information that could be considered “sensitive”.

Conclusion

The utilities shown here are but a very small set of what’s out there but the idea is still the same.

Know your tools, what they generate, baseline and monitor, monitor, monitor.

--

--

--

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

XSS Stored- Cross Site Scripting

🔍WATCH OUT for our Airdrop rewards transfer is about to START!!!  Mark your calendars NOW!

An analysis of the current cyber threat landscape

Failing to Revive AUTOEXEC.BAT on Windows 7 & 10

How Invoca is Fighting Call Fraud and Robocalls in 2020

Axie Infinity Announced Builders Program with Awards for Creators and Developers

Axie Infinity Announced Builders Program with Awards for Creators and Developers

CEZO Completes 2nd Token Burn

How Email Risk Assessment Can Help Your Business Grow Safely

email risk assessment cover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nasreddine Bencherchali

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

More from Medium

Methodology for Malware Static analysis : Portable Executable (PE) files

Modelling ATT&CK, CAPEC and CWE as STIX 2.1 Domain Objects to represent CVEs

Analysis of a trojanized anydesk

Threat Analysis | T-Pot Multi- Platform Honeypot | AWS EC2 | Cowrie