Wednesday, August 26, 2015

Abusing Web Query (.iqy) files for effective phishing

Few days back I saw tweets from awesome Casey Smith about IQY files.
Like any penetration tester or red teamer worth his salt, I always try to use built in functionality of the target for my job. So this was obviously very interesting. Ability to make a web request using native/trusted tools is something no attacker would like to miss.

Casey soon tweeted a simple PoC.

I shared the grin! It is indeed easy yet effective phishing and much more. IQY files could be used for SMB relay attacks as well. Lets have a look at few possibilities.

Phishing for clear text credentials

I have created a PowerShell script which can generate an IQY file. I give you Out-WebQuery.ps1 which could be find in the Client directory of Nishang. Below is an example of using it:


For listener, lets use Start-CaptureServer.ps1. This script starts a HTTP listener and is capable of logging Basic and NTLM authentication requests made to it. It must be run from an elevated shell on the attacker's machine. For clear text credentials we must choose AuthType Basic, it could be used this way.

Now, the IQY file generated in the first step could be sent to a victim as an email attachment or trick a user in opening it from a URL or drop it on target's machine using a Human Interface Device. Anyways, the file is opened in MS Excel and the user gets a security warning.
 So, after clicking on enable, our target will see a prompt asking for credentials:
After the target user enter his credentials (they almost always do), we can see this on the listener and the log file:
Woohoo! User credentials in clear text.

Phishing for NTLM Hashes

Out-WebQuery and Start-CaptureServer can also be used to capture NTMLv2 hashes in the netntlm format from a target. There are less chances of getting caught while using hashes as compared to Basic authentication. The credential prompt user gets is less suspicious as well. We just need to use AuthType NTLM2.

And the hashes could be cracked using John the ripper. The hashes captured above should be used in hashes.txt in the below format
nikhil::PFPTLAB:00000000000000000000000000000000060380250000000F:970170524E4B2A0D00000000020000000000000000000000:1122334455667788
and
john --format=netntlm hashes.txt

We can also use Inveigh (https://github.com/Kevin-Robertson/Inveigh) for capturing hashes using PowerShell. It is much more versatile than Start-CaptureServer and has many more capabilities.

SMB Relay

We can use IQY files for SMB relaying as well. IQY files support UNC paths as well. In such a case, the user need not enter his credentials.
Unfortunately, there is no PowerShell code which is able to Relay hashes. Lets use smbrelayx from the Impacket library. Lets replay SMB captures from 192.168.230.111, a Windows 7 machine to 192.168.230.112 which is a Windows 8 machine in my lab.
The runps.exe above is a .Net Console application which runs an encoded PowerShell script on the target by calling powershell.exe. The encoded PowerShell script is the Invoke-PowerShellTcpOneLine from Nishang.

There are of course much better and stealthier methods of using calling PowerShell code from .Net but lets not discuss that.
Now, as soon as the target opens the IQY file sent to it:
Yay! An interactive PowerShell session. If you want, this can be easily upgraded to a meterpreter session as well. PowerShell payloads of msfvenom will be your friends.

Please note that there are tonnes of existing ways to perform the above attacks. See this nice blog post by Karl  https://blog.netspi.com/10-places-to-stick-your-unc-path/. In fact, the methods listed there could be used with Start-CaptureServer or Inveigh as well.

Out-WebQuery and Start-CaptureServer could be found in the Nishang repository: https://github.com/samratashok/nishang

I've never heard about abusing IQY files earlier and this is one more trick added to my and hopefully your collection of phishing tricks. Hope this would be useful to some of you.

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:

DeepSec, Vienna (November 17-18th, 2015) - https://deepsec.net/speaker.html#WSLOT192


Wednesday, August 19, 2015

Executing SQL Queries from Antak Webshell

I have recently made some changes to Antak. The first one implementation of an authentication mechanism to check its misuse. It was also part of a feature request raised in Nishang's GitHub repository: https://github.com/samratashok/nishang/issues/17. Antak now asks for Username and Password before you would be able to use it on a target. The username/password are hardcoded in the the antak.aspx itself.  Unless correct credentials are entered, all the controls in the webshell remain invisible and disabled. This is not secure but that is the only way I could implement some sort of restriction on antak's access and still keep it in a single file. Default Username is "Disclaimer" and Password is "ForLegitUseOnly" without quotes and case-sensitive. This is how Antak looks like without authentication. 
After authentication, we will be able to access Antak. Because Antak has the ability to execute PowerShell commands and scripts, upload and download files we can use it for many things.  I have already done a post earlier on other functionalities of Antak: http://www.labofapenetrationtester.com/2014/06/introducing-antak.html. In this post lets focus on the new functionality of ability to execute SQL Queries from Antak. The code has been largely taken from cmdsql (https://github.com/NetSPI/cmdsql) from Antti and Scott at NetSPI.

Here is how to use it:
Click om "Parse Web.Config". We should be able to see the connection string. By default, Antak looks for web.config in the C:\Inetpub directory. We can specify a full path in the command box to look for web.config in other directory.
Paste that connection string in the textbox besides the "Execute SQL Query" button. Enter the SQL Query in the command box and click the "Execute SQL Query" button.
Great! We can now execute SQL queries. This opens up so many opportunities to play with. Feel free to play around with SQL Queries, look here to begin with: http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

Hope you enjoyed this! I welcome suggestions and feedback.

Friday, May 15, 2015

Week of PowerShell Shells - Day 5 - DNS, ICMP Shells and Wrap up

Welcome to the Day 5 of Week of PowerShell Shells. Today we will see interactive PowerShell shells using ICMP and DNS. Both ICMP and DNS are generally allowed through firewalls and are not as commonly used for shells as TCP or UDP. That makes both of them useful for attackers. Lets see how both could be used to serve our purpose. 

For using DNS, lets use Ron Bowes' awesome dnscat2 (https://github.com/iagox86/dnscat2) as a server. On the target Windows machine, we can use, once again, powercat (https://github.com/besimorhino/powercat). We have used powercat earlier as well and it is of great use.

Use below command to start a dnscat2 server:
Use below command on the target to connect back:
And the result is:
Brilliant! We have an interactive PowerShell shell over legit DNS traffic. 

While dnscat2 supports an indirect connection as well, we used a direct connection to the dns server started by dnscat2.

If we ask Wireshark, it has no complaints:

While we are on this, Nishang has couple of interesting scripts which make use of DNS for command, script and msf shellcode execution. But there is no interactive shell. Please see this blog post for more details: http://www.labofapenetrationtester.com/2015/01/fun-with-dns-txt-records-and-powershell.html

Now, lets move on to ICMP. For server/listener part, we will use icmpsh (https://github.com/inquisb/icmpsh) by Bernardo Damele (@inquisb). I have written a client/connect-back in PowerShell. I give you Invoke-PowerShellIcmp.

The current source code without help and credtis documentation:

Invoke-PowerShellIcmp is available in the Nishang repo here: https://github.com/samratashok/nishang/tree/master/Shells

Use below command to disable ping replies (IPv4) and start a listener:
Use below command on the target:
Aaand:
Awesome! An interactive PowerShell session over ICMP.

Wireshark looks like this:

A video showing DNS shell and Invoke-PowerShellIcmp in action:


Those who wanted to know what to do after we get access to a target using these shells, please refer to my earlier blogposts.
For any of the Shells discussed in these five days, a PowerShell script could be executed with the help of the -EncodedCommand or -e parameter of powershell.exe.

For example, to execute Get-WLANKeys, encode it with the help of Invoke-Encode from Nishang. Make sure to remove the function declaration and help section.
which looks like this:

Then use the encodedscript in encodedcommand.txt with any of the shells:

or you can use the below one line to execute scripts from a local web server:


Please note that I encountered error in some of the shells if the encoded script is too long. I need more testing on this problem, so please provide feedback and report bugs.

The best way to pass parameters to modules or scripts when using -EncodedCommand is to include the parameter passing within the script.


To transfer files, the best way is to use following one line downloader. You can use a local web server like Apache/HFS.

Wrap up of the Week of PowerShell Shells

We have reached the end of Week of PowerShell shells. It was a wonderful yet tiresome experience. I learned a lot while writing these posts and hope you learned something as well. The goal was to keep the posts concise and usable without going into too much details. In fact, to achive this goal, no protocol level details were discussed. I would like to believe that through this series, I am able to spread awareness about the capabilities of PowerShell to more folks in the Infosec community.

Continuing with the shameless self promotion :), I would ask you to consider joining one of my upcoming two days training "PowerShell for Penetration Testers" at:
NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/

I hope you enjoyed reading the posts as much as I enjoyed writing them. Please leave comments, feedback and report bugs.