Friday, December 7, 2012

Command Execution on MS SQL Server using PowerShell

One of my favorite "vulnerabilities" during Pen Tests is easy/guessable password for "sa" on MS SQL server with mixed authentication enabled, it means instant pwnage. Though a bit hard to find nowadays (SQL server 2008 and later enforce password complexity) , still you would manage to get a couple of them in a large environment. This post is just one more method to exploit this misconfiguration.

I try to use PowerShell in my pen tests as far as I can and this method is the result of one such pen test. I wanted to execute commands on one of the production sql servers, with powershell :)

My search landed me to this blog post by Niklas. I have already included, with permission, the script discussed in the blog post in Nishang 0.2.0 as Get-SqlSysLogin.ps1. But there is more to that post, it discusses how to execute commands on the sql server using powershell. I implemented the technique in a new payload of Nishang, Execute-Command-MSSQL

Lets get started.

My lab setup was a SQL Server 2008 Express on a Windows 7 machine. I set weak password for "sa" as "sa1234", which I have seen in one of previous Pen Tests.

Execute-Command-MSSQL asks for three mandatory parameters, the IP address or ComputerName to connect to, the username of admin on sql server and password for the user.



If the connection is successful and credentials work, the payload will enable xp_cmdshell on the sql server.

Now, we can choose from one of the three "shells", a powershell shell, a sql shell or a cmd shell.




SQL Shell: This allows to run SQL commands on the server.




cmd shell: This is the plain old window cmd shell, for machines without powershell (not tested on old machines).




powershell shell: This provides with a powershell "shell".



These different "shells" provide us great opportunities to do some really effective post exploitation.

Note that though the shells appear to persistent, they are actually not. Each command is executed in a new process. The shell prompt is shown just for user friendliness :)

You can download Nishang 0.2.1 here or update your repositories.

Hope this would be helpful. I look forward for feedback, comments and feature requests.






Wednesday, November 21, 2012

Nishang 0.2.0 - More PowerShell awesomeness

Behold world, I give you a new and shiny version of Nishang after a long gap :) I have been using PowerShell more and more by each pen test so expect even more awesomeness.

This is a major release and all of the new payloads are courtesy Niklas Goude. Below is the changelog.

- Removed hard coded strings from DNS TXT Pwnage payload.
- Information Gather now pastes data base64 encoded, does not trigger pastebin spam filter anymore.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Base64ToString now asks for a file containing base64 string. To provide a string in place of file use "-IsString" parameter.
- Browse_Accept_Applet now handles prompts for both 32 bit and 64 bit Internet Explorer. The wait time for the applet to load has also been increased .
- Added Enable_DuplicateToken payload.
- Added Get-LSASecret payload.
- Added Get-SqlSysLogin payload.
- Added Invoke-Medusa payload.
- Added Invoke-PingSweep payload.

Check out the repository (http://code.google.com/p/nishang/source/browse/trunk) for the latest code.
The new payloads were discussed by Niklas on the awesome Hey, Scripting Guy! Blog.

I am working on many new payloads and you could expect frequent updates. Keep any eye on this blog :)

I would really like feedback, comments and feature requests :)

Saturday, October 27, 2012

Kautilya 0.4.0 - reliable payload execution and more

Kautilya 0.4.0 would be more reliable than ever (at least I intended so). There has been a major change in the architecture thanks to this awesome post by the Offensive Security guys. Large parts of code have been copied from the Peensy standalone.

Two major changes in how generated payloads will execute:

1. Now, whenever you connect a device with a payload from Kautilya, it will check for responsiveness to the Caps Lock key and will continue only when the drivers are loaded properly. The default 25 seconds delay gets out of the windows *phew*.

2. When the drivers are loaded (and is confirmed by step one), the next step is to open a command prompt. To make sure that it has a command prompt, the Teensy is made to press Caps Lock programmatically and then it senses the response. Only after a response it continues to send keystrokes for the rest of the payload. Life just got easier :)


A new payload for Windows, DNS TXT Backdoor has been added. This payload is a powershell script which keeps polling TXT records of a given domain and is capable of executing commands and powershell script based on the TXT record received. Have a look at the below screenshot



The subdomain "start.example.com" is one whose TXT records would be queried continuously for instructions. The payload will keep querying this subdomain.

If it gets "begin" as the value of TXT record of "start.example.com", it will query "cmds.example.com" for commands to execute on the target machine.

If it gets "script7" in response. It will query 1.otherexample.com upto 7.otherexample.com for seven lines of powershell script, that is, in this string the last character should be equal to number of lines in your powershell script. Each line should be base64 encoded in a single TXT record :) The script is decoded on the target and executed. The payload dies afterwards. Ugly, but works ;)

Another nice thing added is credential validation by the Credentials payload. Now, whenever credentials are entered in the pop up asking for credentials, they will be validated against local accounts and default AD, if both are not validated the box appears again. Increased probability of getting credentials in plain :)

In other things,I removed two unstable (read unusable) payloads, Chrome RDP and Uninstall. The Chrome RDP payload is gone for good and Uninstall would be back in a future release after it is rewritten and made usable.


Here is the CHANGELOG

- Added Peensy functionality which means reliable execution of payloads and measured delays when the device is connected.
- Added "DNS TXT Backdoor" payload for Windows.
- Fixed a small bug in Rogue AP payload. The SSID key was not masked previously.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Fixed a major bug in Time Based Execution payload. Embarrassingly, "echo" was missing from various lines of the payload,  making it ineffective.
- Added osx_payloadgen.txt to the extras directory. It was somehow missed in 0.3.0
- Fixed a small bug in Information Gather payload.
- Added sniffer.ps1 to the extras directory.
- Minor changes in Tracking Target Connectivity payload.
- Removed Chrome RDP Payload. Was not really useful.
- Removed Uninstall payload till next release.

As always, I welcome feedback, bug reports, questions and feature requests.

Sunday, September 2, 2012

Teensy USB HID for Penetration Testers - Part 5 - Advanced Windows Payloads of Kautilya


This is the fifth post in the series of Teensy USB HID for Penetration Testers. Sorry for the gap between this and the last post (almost three months).  I was not sitting idle though, I released Nishang in between and there is a new and shiny version of Kautilya is out :)

Let us have a look at some advanced payloads in Kautilya.

Hashdump

This payload could be used to dump password hashes from Windows 7 machine. To use this payload, you have to upload powerdump meterpreter script from msf to a website (I used pastebin).  The script would then be downloaded on the victim machine later on.

On a Windows 7 machine, you must have SYSTEM privilege to dump hashes using powerdump script. This SYSTEM privilege could be gained by scheduling a task as an administrator to be run as system. The second option asked during payload generation is the name of this task.
Also, this payload pastes the hashes to pastebin as a private paste. To paste privately, you need a free account on pastebin. You need to provide username, password and api developer key (under the api link after you log in to pastebin) for your pastebin account. 



Compile the generated output to Teensy, connect to the victim and after few seconds you should see this in the private pastes of the pastebin account used with payload

 Neat!! Now we can crack or “pass” these in further attacks. (The hashes are from one of my test system).

Keylogger

This payload runs a keylogger written in powershell and pastes keys to pastebin as a private paste after a given interval. Here is how to use this:



Compile the output to Teensy, connect to the victim and you should see this in your pastebin account after few seconds (keep in mind the time interval you have given)


Download this and use parsekeys.ps1 script to get some meaningful data. The script requires data from this pastebin to be copied in a text file called data.txt in the same folder as the script and creates a file called Logged_keys.txt with the parsed keys. This is how parsed keys should look.


The keylogger is able to log keys typed in web forms and windows prompts. This payload works with a normal user privs (no admin required). While using this payload, please keep in mind that pastebin limits the number of posts per day and I think the limit is stricter for private pastes. You either need a pro account or ask me nicely for implementing some other paste service ;) In fact, I tested this on tinypaste and it worked cleanly. The reason I stuck with pastebin is that I have seen pastebin allowed in many restricted environments as compared to tinypaste.

Wireless Rogue AP

Windows 7 has a nice feature called Hosted Network. This is meant for sharing your wireless network with other devices. This feature could be used as a backdoor. This payload adds and starts a wireless hosted network on the victim. Then a meterpreter bind is executed in the memory using powershell. This technique is being used from this awesome post by Matt (used in many more payloads in Kautilya). Administrative access is required for this payload.

You need to generate bind meterpreter payload using the command in payloadgen.txt in extras directory. The generated payload is to be copied to rogue_ap.txt in src directory. After that, create a payload using Kautilya





You should be able to see a  wireless network called “wifibdoor” after the output is compiled to Teensy and attached to the victim. After successfully connecting to the network you would like to connect to the bind payload but what would be the IP address to connect to? Open up command prompt and look at the gateway for this wireless connection. As this is hosted on the victim the default gateway would be the IP of victim.


Connect to the port you used for msf bind payload on the default gateway using msf listener and bingo you have a meterpreter session. But wait, this is a bind shell what about Windows Firewall? If you look at the source,an exception is added to Windows Firewall exception list with program name as "PowerShell Update".

Connect to Hotspot and Execute Code

I got idea of this payload during an internal pen test. In case of that client, there was no internet access from the employees’ laptops barring few (almost 20) websites. In such a scenario, I use this technique which I call Injecting the Internet…hee hee.  

This payload forces the target to connect to a hot spot controlled by you thus effectively bypassing any restrictions on the internet connectivity. This forceful connection is achieved by "typing" a wlan profile on the victim, the profile is then used to make a connection. Administrative access is required for thisaction.
An ideal use case is using a hot spot hosted on a Smartphone within the wireless range of the target machine ;) In the third option (URL where the payload is hosted), you can use either a URL hosted on a web server running on your phone (I use kWS) or a URL from the internet. The Kautilya payload expects an executble in text format at this URL.


After connecting the Teensy to a victim, we get this :)


WLAN Keys Dump

This payload dumps information for all wlan profiles on the target system, including the in clear text and uploads them to pastebin as a private paste. A user with admin privs must be logged in for this payload to work.

Code Execution using DNS TXT queries

This payload pulls first stage of a meterpreter from a DNS TXT record and executes it in memory using powershell. The payload makes two queries to differnt subdomains for a 32bit and 64 bit shellcode, the architecture is detected during the payload execution and the appropriate shellcode is executed. The meterpreter needs to be generated using the command in payloadgen.txt in extras directory in Kautilya.



The result is same as some of the payloads above. A nice meterpreter shell !

Obviously, you should have control of TXT records of a domain to use this. I used a domain with zoneedit.com. It is easy and effective to use.You can fit first stage of a meterpreter inside a single TXT record.

Wait for Command

This payload continuously queries a pastebin url for specific content. As soon as the content matches, another URL is opened looking for powershell script. The powershell script is downloaded and executed on the target.



 In the above example, the content of first URL is queried continuously (with an interval of 5 seconds). Whenever you want to execute powershell script on the target, change its content to that of the magicstring (which is "balwant_rai_ke_kutte" in this case ;) ) and the payload will download and execute powershell script from the second URL .

This post covered many interesting payloads for Windows in Kautilya. In the next post in this series we will have a look at payloads for Linux (Ubuntu) and OS X. Please leave comments and feedback. I would be glad to implement (almost) any feature request.

Wednesday, August 22, 2012

Kautilya 0.3.0 Released - Breaking Mac OS X with USB HID and much more

Previous update of Kautilya was a couple of months back. I was travelling a lot and working on Nishang in spare time. Only a trickle of effort was given to Kautilya.  Anyway, I invested the past weekend working on Kautilya and the result is Kautilya 0.3.0. This is an important update and one of the largest since Kautilya was released. I was jumping in excitement while coding this, so much so, that I jumped some version numbers too :)

This version adds "support" for Mac OS X pwange (tested on Lion running on VMWare virtual machine) and many new payloads for Windows and Linux. Update your repositories and enjoy!!

Kautilya could be found here https://code.google.com/p/kautilya/

Below is the CHANGELOG for 0.3.0

- Added "Get Target Credentials" payload for Windows.
- Added "DNS TXT Code Execution" payload for Windows.
- Added "Tracking Target Connectivity" payload for Windows.
- Added "Speak" payload for Windows.
- Added "Wait for Command" payload for Windows.
- Added "DNS TXT Code Execution" for Linux.
- Added "Perl Reverse Shell (MSF)" for Linux.
- Added payloads for Mac OS X, tested on OS X Lion runnning on a VMWare.
- Added "Download and Execute" for  OS X.
- Added "DNS TXT Code Execution" for  OS X.
- Added "Perl Reverse Shell (MSF)" from OS X
- Added "Ruby Reverse Shell (MSF)" for OS X
- Fixed a minor bug in "code execution using powershell" payload.
- An exception is added to Windows firewall for bind shell in "Rogue AP" payload
- Fixed a major bug in "Connect to Hotspot and Execute code". The SSID key was being stored in encrypted format which doesn't work (Windows seem to encrypt WLAN keys using some machine specific key). Now the key is stored in plain and WLAN profile import works on other systems too.
- Fixed a bug in "Hashdump and upload to pastebin" payload. The powershell command was being called from the dumpaste.vbs script without bypassing executionpolicy. This means password hashes were being dumped but not pasted to pastebin..
- Removed TYPESPEED from every payload which was being used as good luck mark and was borrowed from SET :)
- Implemented Left + Enter as a method to say yes to UAC prompt, previously it was Alt + Y. Thanks to Paul who commented this on my blog.
- Increased the delay at the beginning to 25 seconds.
- Replaced the older "linux_codeexec.ino" (which had hardcoded shellcode) with proper file.
- Minor improvements in some lonux payload. Files written to disk are now written in /tmp.


 I would love feedback, bug reports and feature requests. 

Tuesday, August 14, 2012

(Introducing) Nishang : PowerShell for Penetration Testing

I have been using PowerShell in penetration tests for some time now. It is a really powerful shell and scripting language which gives you access to interesting things on a Windows machine. There are many PowerShell scripts involved in Kautilya. In fact, these PowerShell scripts are the reason behind power of Windows payloads in Kautilya.

At some of my talks many nice folks have asked me about the availability of PowerShell scripts for use in Penetration Tests. I started writing new scripts and collecting older ones. After working on this for a while I had some useful collection of payloads and scripts. I call it Nishang. It is available on google code here http://code.google.com/p/nishang/

Nishang means quiver (container for arrows) in Sanskrit. Apt for a collection of payloads and scripts.

It is a collection of scripts and post exploitation framework in PowerShell. The aim is to increase the usage of PowerShell in offensive security and penetration test. Nishang is a result of my own requirements during real life pen tests. Since it is a post exploitation thingy it is assumed that you have a shell access on the machine or using a HID like Teensy to drop the script on the victim.

Why PowerShell? It is easy to learn and powerful (think of Bash in Unix ported to Windows) and is present on every modern Windows macine. If you use PowerShell "properly", most of the times you would need practically nothing for post exploitation other than powershell.

Currently, Nishang includes only those payloads and scripts which do not require you to be an administrator on the machine. That is, no priv shell is required. The payloads are of varied complexity (for the user), while there are simpler ones like Download, Keylogger and Information Gatherer to complex ones like DNS_TXT_Pwnage and Wait_For_Command. All the payloads and scripts come with help. Use

PS> Get-Help [payloadname.ps1] -full

for help on executing a script or payload.

How to use it? The scripts can be used either if you have access to powershell prompt (when you have vnc or rdp etc) or if you have a windows command shell on the target. You must download the script on the target machine.

Below screenshots shows a quick example of the Information_Gather payload being downloaded and executed on a target machine.

One liner to download a script on the target


Execute the script. Note the parameters being passed ot the script.

The result of this payload (info uploaded to pastebin)

That was easy. All the scripts could be executed this way. Yay!

A word of caution, it may appear that your session has stuck after you execute the script. But you can eventually make your way out by repeatedly pressing enter. I am unaware of the reason behind this.

What's next? More scripts are in the development pipeline. Many of them require privileged shell on the target. Also, Niklas Goude has allowed me to add his powershell scripts to Nishang. They should be available with next release, thanks Niklas !

Also, the scripts are Tab ugly right now, that would be clean in next release.

I am looking forward for feedbacks, contributions and feature requests. I hope this would be useful.

Sunday, July 1, 2012

PowerShell Web Access: What could possibly go wrong?

I recently started playing with PowerShell Web Access. It is a nice feature of PowerShell 3.0 and could be really useful in enterprise environments. This post is result of my experiments with this feature from a Penetration Tester's point of view (may be as a backdoor). So let's get started.

For setting up of PowerShell Web Access, I used a virtual machine (a Windows Server 8 (2012?) Developer Preview) running on virtualbox. This Technet document explains it all. So AFAIU from the technet document, following cmdlets could be used to setup PSWA up and running.

  1. Install-WindowsFeature –Name WindowsPowerShellWebAccess
  2. Install-PswaWebApplication -UseTestCertificate
  3. Add-PswaAuthorizationRule UserName -ComputerName -ConfigurationName
PSWA also requires PS remoting to be enabled. "Enable-PSRemoting -force" could be used to enable that.


So let us consider a post exploitation scenario where we can run commands on a Windows Server 8 (2012?). Following commands could be used to setup PWSA assuming that it is not already installed.



Above command will install a PWSA web app with name "pentest" which will use a self signed certificate. Obviously, you would like to change the name during a Pen Test.


Above command adds an Authorization rule which governs the access control for PWSA.
The cmdlet takes three arguments:
  1. Username is username of the user which would be used for authenticating.
  2. Computername is name of the computer to which the user would have access.
  3. ConfigurationName is name of the session configuration.

During a Pen Test you may like access to all of the computers accessible to a user. There is a nice "tip" (with warning) in the technet document which says that you can use wildcards for all the options in Add-PswaAuthorizationRule cmdlet. That is what we have used in above example.

A * in all of the three fields indicate, "allow all authorized network users access to all computers on the network to which they typically have access, with access to all session configurations to which they typically have access."

What does this mean? This means that if you are able to have access to credentials of a user which is present on large number of machines in a network, you can use PWSA as a secure, encrypted and native method of accessing the systems (with its own set of restrictions). Of course, there are other ways too of accessing systems if you have credentials of such a user.

Be mindful while using wildcard on a client's machine as this will open up the network for everyone. A better option could be


Enable PSRemoting


So now we have a PowerShell web session open in front of us.



Now what? Let us try to do some nasty things with it. I am using credentials of an Administrative user.

Elevate to meterpreter
Well not "elevate" exactly :P. Many pentesters can't go without having a meterpreter on target. Using a simple PowerShell script we can download and execute a meterpreter binary.


And the result is


Have a look at my previous blog post for doing this more effectively and stealthily.

Persistent Jobs
In the above example, if you do not use any persistance available with meterpreter, your meterpreter session will close as soon as you logout of web session. To keep it running, you can schedule it as job. Remember, you can schedule only a PowerShell script as job. A quick dirty trick could be



This can be used for many post exploitation tasks which require scripts to be running on target machine.

Elevation to SYSTEM
Now, let us try for SYSTEM level access to the machine. Why? For fun and password hashes :)

Let us use the technique implemented in Kautilya. We will schedule a batch file as a task which will run with SYSTEM privilege. The batch file will call the powerdump script (available in msf) and the hashes will be dumped. Sounds easy? Yes it is.

We will download the powerdump script and batch file using script used in the above example. The batch file should look like this.


Now let's scehdule it as a task which will run as SYSTEM

I am using harcoded paths as the batch will be running with SYSTEM priv and its TEMP directory is different (C:\Windows\Temp).

Let us run the task


Now if we check the contents of "C:\Users\<currentuser>\AppData\Local\Temp\dump.txt" we will find hashes :D


If you already have access to password of an Administrative user, why would you need to dump hashes? To gain access to more systems or similar stuff.

Many more things could be done using PSWA specially post exploitation activities. Look at it as one of the best web shell ever !!

Lastly, I have not seen any enterpise deployment of PSWA (as the OS itself is in review phase) so few things in this post could be wrong or based out of pure assumption. I hope the administrators will take care while deploying and users will be more careful while using this.

I will keep working on this and will write more posts about anything interesting. Also, if PSWA is ported to a Desktop OS ever, an implementation of this in Kautilya will be definitely done with a blog post detailing that.

Hope this would be useful and fun. Please leave comments and feedback.



Sunday, May 27, 2012

Fun with Sticky Keys, Utilman and Powershell

Recently, carnal0wnage and mubix blogged about sticky keys. I have implemented this in Kautilya and found this usefult during many internal penetration tests.

I thought of playing more with this and using this is as something more useful and powerful. I started using powershell as debugger for sethc.exe and no points for guessing this is what I get when I pressed shift 5 times (or Left Alt + Left Shift + PrntScr for that matter).


So powershell is getting executed but there is no interactive prompt (I have not looked into the reason for this). I tried executing a simple script (which calls calc.exe) by setting it as a debuuger to sethc.exe. I have to call powershell from cmd as without cmd powershell was throwing some errors.


and the result was


Wow the legendary calc is here!! Keep in mind that if you use any environment variable for path of your powershell script, it would not be same for different user profile. For example, in the above if you use %temp%\calc.ps1 as path of the script, on an unlocked system that would be Temp directory of currently logged in user "C:\Users\\AppData\Local\Temp\calc.ps1". But when the machine is locked %temp% would be "C:\Windows\Temp", because of SYSTEM profile will access it. Keep that in mind while testing.

So, I was able to call the powershell script. This means if you are able to drop a script on victim and set powershell with proper arguments as a debugger to sethc.exe (or utilman.exe), you can execute the script with SYSTEM privilege.

What if I can somehow download and execute a meterpreter executable on the victim? Yes it is quite easy using this powershell one liner.



This looks good, a meterpreter executable downloaded and executed on a locked machine! But pulling a meterpreter executable on a machine is not a good idea for obvious reasons. Why not pulling a powershell script which can execute code in memory? Yes I am talking about Matt's work from his blog Exploit Monday.


So what we have now? A powershell command which executes meterpreter from memory, set as debugger to sethc.exe which gets executed with SYSTEM level privilege. Wow!!

But is this over yet? Let's play more :) How to maintain access to the machine? Using persistence and other methods available with meterpreter is one option. I would like to use a little more powershell here.

Let's do this. Our powershell one liner will download another script (let's say payload.ps1). Payload.ps1 will keep polling a tinypaste id in an interval of one hour (or less) and would download and execute whatever powershell script is present there. So let's set our sethc.exe or Utilman.exe Debugger to below.

using this


and now the result is


So what we have now is a payload which uses tinypaste as its C&C thingy and executes powershell scripts there with SYSTEM privilege :D

This is quite similar to my unpublished work called Maareech which is a sort of automated domain takeover tool in powershell.

payload.ps1 is the following powershell script. I know its ugly, I am still learning to write clean powershell scripts.


The payload, which polls tinypaste after given interval is very similar to "Time based execution" payload of Kautilya (just one line is different) but still for sake of usage, will be added as "Externally controlled payload" in some upcoming version of Kautilya.

Hope you enjoyed this. Feedback and suggestions are welcome.

Wednesday, May 23, 2012

Teensy USB HID for Penetration Testers - Part 4 - Kautilya

In third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let's have a look at Kautilya. Kautilya is a toolkit written by me which helps in easing usage of Teensy in a penetration test. It is named after the famous Indian strategist, economist and political scientist Chankaya (Kautilya is one of his alias).  I will touch some less complex payload of Kautilya in this post.

Kautilya has a menu driven UI which could be used to generate sketches without a need of knowing how to program a Teensy device. The toolkit is written in Ruby and is free and open source. It currently contains payloads for Windows 7 and Linux (tested on Ubuntu 11). Kautilya is specifically designed to support Teensy out of the box, there is absolutely no modification required to the hardware.My motive behind writing Kautilya is to bring Teensy to masses. During my talks about Kautilya and Teensy I observed that often Pen Testers do not have enough time to program a device for their usage. Payloads in Kautilya could be used for pre exploitation and post exploitation tasks other than the “usual” popping of shells. 

The process of writing payloads for a Windows 7 machine could be summed up as:

  1. Understand the operating system in terms of USB buffer.
  2. Understand the commands supported and learn to write powershell or/and vbs.
  3. Recognize the built-in security measures (like UAC and powershell script execution policy) which may check privileged commands and then learn how to bypass them.
  4. Understand the time taken by operating system in completing various commands.
  5. Write the commands and scripts on Teensy.
  6. Understand more quirks of the command line when Teensy types out thing on victim.
  7. Try not to be too noisy on the victim.
  8. Test the payload and reach to final reasonable sketch.
  9. Compile the sketch to Teensy device.
  10. Attach it to the victim machine actively or using Social Engineering.
  11. Enjoy the pwnage!
(Next few lines may look like self promotion ;) )

Kautilya automates steps 1-8 for you. Using Kautilya you just need to:
  1. Select a payload and select your options. A sketch (a .ino or .pde file) would be generated for you.
  2. Compile the sketch to Teensy device.
  3. Attach it to the victim machine actively or using Social Engineering.
  4. Enjoy the pwnage!
A screenshot of Kautilya 0.2.2
Kautilya is tested on Ruby 1.9.2. It requires ruby gems "colored" and "highline".

Let's have a look at some of the payloads for Windows in Kautilya. All the payloads are tested on a default install of Windows 7.

Add a user and Enable RDP
This payload adds an admin user to the victim. It also, enables and starts Terminal Service on the victim. An exception to Windows firewall is also added. This payload requires a user to be logged in with admin privileges.


The generated payload just needs to be compiled to a Teensy++. The device could then be connected to the victim. The victim will see start menu open up, some cmd being type and then a very small cmd window which type dark blue on black will do evil stuff for us...muhahaha



Let's have a look at the source code for better understanding. Many payloads in Kautilya are similar in structure to this one.


Download and Execute
This payload downloads an executable stored in text format from pastebin (or any other service which allows hosting of text without formatting), converts it back to exe on the victim and executes it in background. The exe must be converted into hex format using script exetotext.ps1 in extras folder of Kautilya. This script is originally an idea of Matt of Exploit-Monday blog.



In the above example, a windows reverse meterpreter is pasted to pastebin and the url is provided in the option.This payload could be used even with a low privilege user.

Forceful Browsing
This payload opens up a hidden instance of Internet Explorer using a COM obbject of Internet Explorer and browses to the provided URL. An ideal use case could be hosting an exploit of msf  or a hook of BeEF  on the given URL. This payload is one of my favorites as it is able to get executed on a normal user (non administrative) privilege and is very silent.

Sethc and Utilman Backdoor
This payload utilizes a useful hack in the Windows OS family. On a locked system, if you press Shift key five times (or Left Ctrl + Left Shift + Prnt Scr) i.e. sticky keys, sethc.exe is executed with SYSTEM level privileges. In a similar way, if Window key +U is pressed, utilmanager (which is utilman.exe ) is launched with SYSTEM privs. This payload attaches a an executable present on the machine as a debugger to sethc.exe and utilman.exe. The attahced executables can then be executed with SYSTEM level privileges on a locked Windows machine.


We had a look at some less complex payloads of Kautilya. In the next post (or posts) I will explain some more complex and powerful payloads. At least one post will cover breaking Linux (Ubuntu11) too.

I am thinking of creating some small videos demonstrating few payloads but only if some people ask for it ;) Please let me know if the length of blog posts is ok. Feedback and comments are welcome.

Wednesday, April 25, 2012

Teensy USB HID for Penetration Testers - Part 3 - Programming sketches in Arduino

In previous post we saw very basic usage of Arduino Development Environment (ADE) and ran our Hello World using Teensy. Let's have a look at doing something more with Teensy and ADE.

You know that there are two bare minimum functions called setup and loop in a sketch. But there are many more functions which are very useful while programming complex sketches. Have a look at the below sketch, which opens up notepad and types "Hello World" in it.

void setup()
{
delay(5000);
Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
Keyboard.set_key1(KEY_R);
Keyboard.send_now();

delay(500);
Keyboard.set_modifier(0);
Keyboard.set_key1(0);
Keyboard.send_now();

Keyboard.print("notepad");
Keyboard.set_key1(KEY_ENTER);
Keyboard.send_now();

Keyboard.set_key1(0);
Keyboard.send_now();
delay(2000);
Keyboard.print("Hello World");
}

void loop()
{
}

In a minute we will have a step by step look how the sketch is executed by Teensy. But before that, just recall how you open a notepad using "Run" prompt in Windows. These are the steps:

1. Press "Windows key + R"

2. Release "Windows key + R"

2. Type "notepad" when the run prompt opens up.

3. Press Enter.

4. Release Enter

Easy one. Now, if you map these steps to the sketch above you will find that the sketch is doing nothing but "simulating" your keystrokes. Let's have a look at the sketch again with comments

void setup()
{
  delay(5000); //Delay required for OS to connect the device properly
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI); //Tell Teensy to press Windows key
  Keyboard.set_key1(KEY_R); //Tell Teensy to press R
  Keyboard.send_now(); //Press "Windows key + R"
 
  delay(500); //Wait for half second
  Keyboard.set_modifier(0); //Tell Teensy to release Windows key
  Keyboard.set_key1(0); //Tell Teensy to release R
  Keyboard.send_now(); //Release "Windows key + R"
  //Teensy should open a run prompt now
  Keyboard.print("notepad"); //Type notepad in the run prompt
  Keyboard.set_key1(KEY_ENTER); //Tell Teensy to press Enter key
  Keyboard.send_now(); //Press Enter

  Keyboard.set_key1(0); //Tell Teensy to release Enter
  Keyboard.send_now(); //Release Enter
  delay(2000); //Wait for notepad to open
  Keyboard.print("Hello World"); //Type Hello World in notepad
}

void loop()
{
}
So the sketch makes more sense now. We used a number of new functions. Let's have a look at those:

delay() delays the execution of sketch by Teensy for given milliseconds. delay(5000) means delaying the execution for 5 seconds.

Keyboard.set_modifier sets a modifier key. There are four modifier keys

NameFunction
MODIFIERKEY_CTRLControl Key
MODIFIERKEY_SHIFTShift Key
MODIFIERKEY_ALTAlt Key
MODIFIERKEY_GUIWindows (PC) or Clover (Mac)
 Table Courtesy: http://www.pjrc.com/teensy/td_keyboard.html

Note that I said it "sets" the modifier key. To send the key you need Keyboard.send_now() which sends all the "set" keys. We used Keyboard.setkey1 for setting the "R" key and then sent those together using Keyboard.send_now().

As per great documentation here at pjrc.com USB keyboard can have up-to 6 normal keys and 4 modifier keys. A complete table of codes for all normal keys could be found on the same page.

So we pressed the "Windows keys + R" by setting and sending the keys. Now to release these we need to set these to 0 and send these again. That is what we have done in above sketch by using Keyboard.set_modifier(0), Keyboard.setkey1(0) and Keyboard.send_now().

Rest of the sketch is easy to understand and needs no explanation. 

In the next post we will have a look at Kautilya. Please leave comments and feedback.