PuttyRider. With great power comes great responsibility. # Pivoting from Windows to Linux in a penetration test. Adrian Furtunã, PhD adif2k8@gmail.



Similar documents
Penetration Testing - a way for improving our cyber security

Penetration Testing in Romania

File Transfer Examples. Running commands on other computers and transferring files between computers

How to hack a website with Metasploit

Pen Test Tips 2. Shell vs. Terminal

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

Penetration Testing with Kali Linux

IDS and Penetration Testing Lab II

OLD WIN32 CODE FOR A MODERN, SUPER-STEALTH TROJAN

IDS and Penetration Testing Lab ISA 674

Author: Sumedt Jitpukdebodin. Organization: ACIS i-secure. ID: My Blog:

Web Application Security Payloads. Andrés Riancho Director of Web Security OWASP AppSec USA Minneapolis

TUNNA. A tool designed to bypass firewall restrictions on remote webservers. By: Rodrigo Marcos Nikos Vassakis

Security Testing. Vulnerability Assessment vs Penetration Testing. Gabriel Mihai Tanase, Director KPMG Romania. 29 October 2014

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Post Exploitation. n00bpentesting.com

This report is a detailed analysis of the dropper and the payload of the HIMAN malware.

Penetration Testing Using The Kill Chain Methodology

Building A Secure Microsoft Exchange Continuity Appliance

1. LAB SNIFFING LAB ID: 10

Exploiting Transparent User Identification Systems

OWASP Omaha. The Open Web Application Security Project Omaha Chapter

Automated Penetration Testing with the Metasploit Framework. NEO Information Security Forum March 19, 2008

Lab Configure Basic AP Security through IOS CLI

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

File transfer clients manual File Delivery Services

CSSIA CompTIA Security+ Domain. Network Security. Network Security. Network Security. Network Security. Network Security

visionapp Remote Desktop 2010 (vrd 2010)

Penetration Testing Workshop

Contents Who Should Read this Book... 3 Credits:... 3 Introduction and background... 3 Lab Setup... 3 A primer on windows user privileges...

Automation of Post-Exploitation

Defcon 20 Owning One To Rule Them All. Dave DeSimone Manager, Information Security Fortune 1000

How We're Getting Creamed

Make a folder named Lab3. We will be using Unix redirection commands to create several output files in that folder.

Turning your managed Anti-Virus

MobaXTerm: A good gnome-terminal like tabbed SSH client for Windows / Windows Putty Tabs Alternative

Metasploit ing the target machine is a fascinating subject to all security professionals. The rich list of exploit codes and other handy modules of

Audience. Pre-Requisites

Vulnerability Assessment and Penetration Testing

The Pen Test Perfect Storm: Combining Network, Web App, and Wireless Pen Test Techniques Part 2

The Pen Test Perfect Storm: Combining Network, Web App, and Wireless Pen Test Techniques Part 2

Kautilya: Teensy beyond shells

NETWORK PENETRATION TESTS FOR EHR MANAGEMENT SOLUTIONS PROVIDER

How to Backup XenServer VM with VirtualIQ

david d. rude Affiliated Computer Services Penetration Tester <bannedit0 [ at ] gmail.com> Develop Codes for stuff

Network Traffic Analysis

SAST, DAST and Vulnerability Assessments, = 4

BSIDES Las Vegas Secret Pentesting Techniques Shhh...

Next-Generation Penetration Testing. Benjamin Mossé, MD, Mossé Security

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Inside-Out Attacks. Covert Channel Attacks Inside-out Attacks Seite 1 GLÄRNISCHSTRASSE 7 POSTFACH 1671 CH-8640 RAPPERSWIL

Network Security In Linux: Scanning and Hacking

Click Studios. Passwordstate. Password Discovery, Reset and Validation. Requirements

How To Use Powerhell For Security Research

Common Security Vulnerabilities in Online Payment Systems

Network Penetration Testing and Ethical Hacking Scanning/Penetration Testing. SANS Security Sans Mentor: Daryl Fallin

Plunder Pillage & Print

Inside-Out Attacks. Security Event April 28, 2004 Page 1. Responses to the following questions

Hands-on Hacking Unlimited

Lab 10: Security Testing Linux Server

Tera Term Telnet. Introduction

Testing New Applications In The DMZ Using VMware ESX. Ivan Dell Era Software Engineer IBM

Learn Ethical Hacking, Become a Pentester

Practical exploitation of rounding vulnerabilities in internet banking applications

Network Attack Collaboration

RMAR Technologies Pvt. Ltd.

Metasploit The Elixir of Network Security

Thick Client Application Security

Security vulnerabilities in new web applications. Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

AUTHOR CONTACT DETAILS

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

I Hunt Penetration Testers!

How To Make A Backdoor On Windows Server From A Remote Computer From A Command Prompt On A Windows 2 Computer (Windows) On A Pc Or Ipad (Windows 2) On An Ipad Or Ipa (Windows 3) On Your Pc Or

Hijacking Arbitrary.NET Application Control Flow. Topher Timzen

Reverse Engineering and Computer Security

Security of IPv6 and DNSSEC for penetration testers

The Trivial Cisco IP Phones Compromise

More about Continuous Integration:

Comodo Endpoint Security Manager SME Software Version 2.1

A perspective to incident response or another set of recommendations for malware authors

Edit system files. Delete file. ObserveIT Highlights. Change OS settings. Change password. See exactly what users are doing!

Shell over what?! Naughty CDN manipulations. Roee Cnaan, Information Security Consultant

NCS 430 Penetration Testing Lab #2 Tuesday, February 10, 2015 John Salamy

The Open Cyber Challenge Platform *

A New Era. A New Edge. Phishing within your company

VCL Access. VCL provides access to Linux and Windows 7 Virtual Machines. Users will only see those images that they are authorized to access.

DiamondStream Data Security Policy Summary

Cyber Essentials. Test Specification

Using Nessus In Web Application Vulnerability Assessments

Welcome to BlackHat!

EMBnet Norway User introduction pack (instructions and services overview) George Magklaras Head Systems Engineer Version 3.

Experimental Techniques 8

ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity auditing.

CIT 480: Securing Computer Systems. Vulnerability Scanning and Exploitation Frameworks

Lab 1: Network Devices and Technologies - Capturing Network Traffic

InspecTView Highlights

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.

PowerShell for Penetration Testers

Vulnerability analysis

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Transcription:

PuttyRider # Pivoting from Windows to Linux in a penetration test With great power comes great responsibility Adrian Furtunã, PhD adif2k8@gmail.com

root@bt:~# Agenda # Idea origin and usage scenario # PuttyRider features # Technical details # Demo 2014 2

root@bt:~# Whoami # Technical Manager Security Services at KPMG Romania # Leading the penetration testers team # PhD, OSCP, CEH # Speaker at security events and conferences: > ZeroNights > Hack.lu > Hacktivity > Defcamp, OWASP Romania, etc 2014 3

root@bt:~# Whoami # Technical Manager Security Services at KPMG Romania # Leading the penetration testers team # PhD, OSCP, CEH # Speaker at security events and conferences: > ZeroNights > Hack.lu > Hacktivity > Defcamp, OWASP Romania, etc 2 x Penetration Tester 2014 4

root@bt:~# How come this idea? # Internal penetration test # Gained Domain Admin # Target data was located on Linux/Unix servers # No obvious vulnerabilities on target servers 2014 5

root@bt:~# How come this idea? # Internal penetration test # Gained Domain Admin # Target data was located on Linux/Unix servers # No obvious vulnerabilities on target servers # How to gain access to data? 2014 6

root@bt:~# How come this idea? # Internal penetration test # Gained Domain Admin # Target data was located on Linux/Unix servers # No obvious vulnerabilities on target servers # How to gain access to data? Target the sysadmins ;) 2014 7

root@bt:~# Get access to sysadmin s machine # Metasploit + Domain Admin credentials # meterpreter> screenshot 2014 8

root@bt:~# We re closer to the target # The admin is already connected to our target server with Putty # How to take advantage of this? 2014 9

root@bt:~# Something is missing Attacker Sysadmin Target server Metasploit psexec Explorer.exe putty.exe SSH server Users subnet IT subnet Servers subnet 2014 10

root@bt:~# Introducing PuttyRider # Ride the existing Putty connection: > Sniff all conversation between admin and server Passwords included > Inject shell commands in the existing session Run as the current user > Transparent to the victim user > Interactive with the attacker (ex. via remote shell) > Independent of connection protocol (SSH, Telnet, Rlogin) 2014 11

root@bt:~# PuttyRider - the missing piece Attacker Sysadmin Target server Metasploit psexec Explorer.exe PuttyRider putty.exe SSH server Users subnet IT subnet Servers subnet 2014 12

root@bt:~# PuttyRider - feature list # Operation modes: > List existing Putty processes > Inject PuttyRider DLL in a certain Putty process > Wait in backgroud for new Puttys and inject in those also > Automatically execute a shell command after injection > Eject DLL from all Putty processes # Output modes: > Write all conversation to a file on local machine > Initiate a reverse connection to attacker s machine and start an interactive session 2014 13

root@bt:~# Technical Details 2014 14

root@bt:~# Previous work # PuttyHijack [1] > Written by Brett Moore, Insomnia Security 2008 > Uses DLL injection to hijack the Putty process > Only works for Putty 0.60 (2007) Other Putty versions crash Latest Putty is 0.63 > Just a proof of concept with multiple limitations Cannot specify in which Putty process to inject No information about the connection endpoints Hard to maintain/extend code (C + ASM mixture) [1] https://www.insomniasec.com/downloads/tools/puttyhijackv1.0.rar 2014 15

root@bt:~# PuttyRider technical overview # Started from the PuttyHijack proof of concept > DLL injection > Function hooking # Written in C on Windows with Win32 API # Works on all recent versions of Putty # Works on recent operating systems (Windows 8, Windows 7, etc) # Does not require administrative privileges 2014 16

root@bt:~# PuttyRider architecture Attacker Sysadmin Target putty.exe Remote shell (ex. Meterpreter) ldisc_send() term_data() SSH SSH server PuttyRider.exe Pipe PuttyRider.dll Netcat listener = PuttyRider data flow 2014 17

root@bt:~# Interesting functions in Putty # ldisc_send() > Defined in ldisc.c > ldisc.c: PuTTY line discipline. Sits between the input coming from keypresses in the window, and the output channel leading to the back end. > void ldisc_send(void *handle, char *buf, int len, int interactive) # term_data() > Defined in terminal.c > This source file implements a terminal emulator > The function handles data to be sent to the terminal window > int term_data(terminal *term, int is_stderr, const char *data, int len) 2014 18

root@bt:~# Finding address of internal Putty function # Putty.exe does not export any function # Cannot use LoadLibrary & GetProcAddress 2014 19

root@bt:~# Finding address of internal Putty function # Putty.exe does not export any function # Cannot use LoadLibrary & GetProcAddress # Downloaded source code & binaries of all Putty versions # Extracted binary signatures that match the beginning of target functions > ldisc_send() - 1 signature 21 bytes - covers Putty 0.54.. 0.63 > term_data() - 3 signatures 18 bytes - cover Putty 0.54.. 0.63 # Memory search the.text section of putty.exe for the signatures 2014 20

root@bt:~# Function hooking Locate starting address of ldisc_send() and term_data() in.text section of putty.exe Define myldisc_send() Define myterm_data() Overwrite first bytes of ldisc_send() with JMP addr_of_myldisc_send Overwrite first bytes of term_data() with JMP addr_of_myterm_data (translated to opcode) 2014 21

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() reinsert_hook() 2014 22

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() reinsert_hook() 2014 23

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() Restore term_data() Modify return address Send data to attacker reinsert_hook() 2014 24

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() Restore term_data() Modify return address Send data to attacker Call original term_data() reinsert_hook() 2014 25

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() Restore term_data() Modify return address Send data to attacker Call original term_data() reinsert_hook() 2014 26

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() Restore term_data() Modify return address Send data to attacker Call original term_data() reinsert_hook() Overwrite beginning of term_data() with JMP to myterm_data() 2014 27

root@bt:~# Hooking in action Putty code PuttyRider.dll term_data() myterm_data() Restore term_data() Modify return address Send data to attacker Call original term_data() reinsert_hook() Overwrite beginning of term_data() with JMP to myterm_data() 2014 28

root@bt:~# Demo 2014 29

root@bt:~# Download PuttyRider # Will be available on https://github.com/ in a few days 2014 30

root@bt:~# Q & A Thank you! Adrian Furtunã, PhD adif2k8@gmail.com 2014 31

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information