Sunday, September 2, 2012

Teensy USB HID for Penetration Testers - Part 5 - Advanced Windows Payloads of Kautilya


This is the fifth post in the series of Teensy USB HID for Penetration Testers. Sorry for the gap between this and the last post (almost three months).  I was not sitting idle though, I released Nishang in between and there is a new and shiny version of Kautilya is out :)

Let us have a look at some advanced payloads in Kautilya.

Hashdump

This payload could be used to dump password hashes from Windows 7 machine. To use this payload, you have to upload powerdump meterpreter script from msf to a website (I used pastebin).  The script would then be downloaded on the victim machine later on.

On a Windows 7 machine, you must have SYSTEM privilege to dump hashes using powerdump script. This SYSTEM privilege could be gained by scheduling a task as an administrator to be run as system. The second option asked during payload generation is the name of this task.
Also, this payload pastes the hashes to pastebin as a private paste. To paste privately, you need a free account on pastebin. You need to provide username, password and api developer key (under the api link after you log in to pastebin) for your pastebin account. 



Compile the generated output to Teensy, connect to the victim and after few seconds you should see this in the private pastes of the pastebin account used with payload

 Neat!! Now we can crack or “pass” these in further attacks. (The hashes are from one of my test system).

Keylogger

This payload runs a keylogger written in powershell and pastes keys to pastebin as a private paste after a given interval. Here is how to use this:



Compile the output to Teensy, connect to the victim and you should see this in your pastebin account after few seconds (keep in mind the time interval you have given)


Download this and use parsekeys.ps1 script to get some meaningful data. The script requires data from this pastebin to be copied in a text file called data.txt in the same folder as the script and creates a file called Logged_keys.txt with the parsed keys. This is how parsed keys should look.


The keylogger is able to log keys typed in web forms and windows prompts. This payload works with a normal user privs (no admin required). While using this payload, please keep in mind that pastebin limits the number of posts per day and I think the limit is stricter for private pastes. You either need a pro account or ask me nicely for implementing some other paste service ;) In fact, I tested this on tinypaste and it worked cleanly. The reason I stuck with pastebin is that I have seen pastebin allowed in many restricted environments as compared to tinypaste.

Wireless Rogue AP

Windows 7 has a nice feature called Hosted Network. This is meant for sharing your wireless network with other devices. This feature could be used as a backdoor. This payload adds and starts a wireless hosted network on the victim. Then a meterpreter bind is executed in the memory using powershell. This technique is being used from this awesome post by Matt (used in many more payloads in Kautilya). Administrative access is required for this payload.

You need to generate bind meterpreter payload using the command in payloadgen.txt in extras directory. The generated payload is to be copied to rogue_ap.txt in src directory. After that, create a payload using Kautilya





You should be able to see a  wireless network called “wifibdoor” after the output is compiled to Teensy and attached to the victim. After successfully connecting to the network you would like to connect to the bind payload but what would be the IP address to connect to? Open up command prompt and look at the gateway for this wireless connection. As this is hosted on the victim the default gateway would be the IP of victim.


Connect to the port you used for msf bind payload on the default gateway using msf listener and bingo you have a meterpreter session. But wait, this is a bind shell what about Windows Firewall? If you look at the source,an exception is added to Windows Firewall exception list with program name as "PowerShell Update".

Connect to Hotspot and Execute Code

I got idea of this payload during an internal pen test. In case of that client, there was no internet access from the employees’ laptops barring few (almost 20) websites. In such a scenario, I use this technique which I call Injecting the Internet…hee hee.  

This payload forces the target to connect to a hot spot controlled by you thus effectively bypassing any restrictions on the internet connectivity. This forceful connection is achieved by "typing" a wlan profile on the victim, the profile is then used to make a connection. Administrative access is required for thisaction.
An ideal use case is using a hot spot hosted on a Smartphone within the wireless range of the target machine ;) In the third option (URL where the payload is hosted), you can use either a URL hosted on a web server running on your phone (I use kWS) or a URL from the internet. The Kautilya payload expects an executble in text format at this URL.


After connecting the Teensy to a victim, we get this :)


WLAN Keys Dump

This payload dumps information for all wlan profiles on the target system, including the in clear text and uploads them to pastebin as a private paste. A user with admin privs must be logged in for this payload to work.

Code Execution using DNS TXT queries

This payload pulls first stage of a meterpreter from a DNS TXT record and executes it in memory using powershell. The payload makes two queries to differnt subdomains for a 32bit and 64 bit shellcode, the architecture is detected during the payload execution and the appropriate shellcode is executed. The meterpreter needs to be generated using the command in payloadgen.txt in extras directory in Kautilya.



The result is same as some of the payloads above. A nice meterpreter shell !

Obviously, you should have control of TXT records of a domain to use this. I used a domain with zoneedit.com. It is easy and effective to use.You can fit first stage of a meterpreter inside a single TXT record.

Wait for Command

This payload continuously queries a pastebin url for specific content. As soon as the content matches, another URL is opened looking for powershell script. The powershell script is downloaded and executed on the target.



 In the above example, the content of first URL is queried continuously (with an interval of 5 seconds). Whenever you want to execute powershell script on the target, change its content to that of the magicstring (which is "balwant_rai_ke_kutte" in this case ;) ) and the payload will download and execute powershell script from the second URL .

This post covered many interesting payloads for Windows in Kautilya. In the next post in this series we will have a look at payloads for Linux (Ubuntu) and OS X. Please leave comments and feedback. I would be glad to implement (almost) any feature request.

21 comments:

  1. I'm loving all of this. I'm getting my teensy ++ tomorrow and I'm quite excited to try all of this out. Keep up the good work! The wait for command is an ingenious idea :D

    ReplyDelete
  2. Please post a way to get admin rights from limited account :)

    ReplyDelete
  3. Hi Nikhil, it's the same person that commented first on this post ;)

    Anyways, for the keylogger module, is it persistent? Or does the effect terminate once the computer is turned off?

    ReplyDelete
    Replies
    1. Not now. It would be persistent in the next update or one after that. You can achieve some persistent by using it is a start-up/logon script or scheduling it as task. Perhaps I should do a blog post on this :)

      Delete
    2. Ahhhhh I see. But still a useful module nonetheless. And you can make an option to kill the persistence and clean up by querying a pastebin script every day or so!

      Delete
  4. Hi Nikhil,

    I'm following your teensy posts now for a while and have ordered some devices for security awareness trainings here in my company. They are really awesome because they create a "Wow-effect".
    I also checked the Peensy post and I have to say, it's becoming better and better.

    Last weekend I was playing a bit with powershell as I was a little bit unhappy with the cmd.exe. (You can see what is entered on the screen).
    I found this very cool:
    Just try WINDOWS+R and then type the following:
    powershell.exe -WindowStyle Hidden powershell.exe

    The opened powershell window is shown for about a second and then disapears. After that you can keep on typing (just try something like notepad.exe), because the window is still in the foreground, but invisible. It appears in the task manager but not in the task list (ALT+TAB).

    I'm currently on trying some things. I'd like to do the following:

    1. Plug in Teensy
    2. Teensy starts hidden powershell
    3. Hidden powershell checks if a script is running (one liner, typed by teensy, if yes --> sleep n seconds, if no goto 4 ). So the hidden powershell becomes the root handler.
    4. Type script lines >> scriptfile
    5. execute scriptfile (again with the hidden option)

    The scriptfile itself should do the following things:
    - do some state handling (running 1 or 0)
    - act as Handler for different attack-scriptfiles (like download scriptfile posted on pastebin or others)
    - start different scriptfiles


    In the end the teensy would just start a handler if it is not running. The handler itself would then start the attack scripts.
    This could reduce some side effects if the teensy is plugged in and tries to do some typings.

    Regards
    Andy

    ReplyDelete
    Replies
    1. Thanks for your comments.

      The powershell hidden window thing looks cool. I did a quick check and facing some issues with it.

      For a "normal" powershell window this seems to work fine. But when I try to start an elevated powershell window, the hidden window is not focused anymore. Anything typed by Teensy is not being sent to the screen. Have you tried doing that?

      Delete
    2. Well I tested around a bit and didn't find a direct way to "re-focus".

      But I found another way how to bypass that issue (from here: http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/23/a-self-elevating-powershell-script.aspx).

      The powershell script below ist some kind of "sudo". You can run a unprivileged powershell (in background), then echo the lines of the script to a "elevate.ps1" script that starts the argumented script in elevated mode. That said it opens the UAC message, after clicking "OK" the script is executed with administrator privileges.


      -------------- powershell sudo ----------------
      # Get the ID and security principal of the current user account
      $myWindowsID=[System.Security.Principal.WindowsIdentity]::GetCurrent()
      $myWindowsPrincipal=new-object System.Security.Principal.WindowsPrincipal($myWindowsID)

      # Get the security principal for the Administrator role
      $adminRole=[System.Security.Principal.WindowsBuiltInRole]::Administrator

      # Check to see if we are currently running "as Administrator"
      if ($myWindowsPrincipal.IsInRole($adminRole))
      {
      # We are running "as Administrator" - so change the title and background color to indicate this
      $Host.UI.RawUI.WindowTitle = $myInvocation.MyCommand.Definition + "(Elevated)"
      $Host.UI.RawUI.BackgroundColor = "DarkBlue"
      clear-host
      }
      else
      {
      # We are not running "as Administrator" - so relaunch as administrator
      # Create a new process object that starts PowerShell
      $newProcess = new-object System.Diagnostics.ProcessStartInfo "PowerShell";
      # Specify the current script path and name as a parameter
      $newProcess.Arguments = $myInvocation.MyCommand.Definition;
      # Indicate that the process should be elevated
      $newProcess.Verb = "runas";
      # Start the new process
      [System.Diagnostics.Process]::Start($newProcess);
      # Exit from the current, unelevated, process
      exit
      }
      # Run your code that needs to be elevated here
      Write-Host -NoNewLine "Press any key to continue..."
      $null = $Host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

      Delete
  5. ok, formatting got lost.
    better check for the original link here:
    tp://blogs.msdn.com/b/virtual_pc_guy/archive/2010/09/23/a-self-elevating-powershell-script.aspx

    Or you could also try this one:
    http://jeffwouters.nl/index.php/2011/11/having-some-fun-with-uac-and-powershell/

    Regards
    Andy

    ReplyDelete
  6. Thanks Andy, this looks nice. I will do some testing on this soon. Lets see how it goes.

    ReplyDelete
  7. Hi,

    really great work. i have some issues with a german keyboard, which is allready described here:

    https://groups.google.com/forum/?fromgroups#!topic/kautilya-users/ZWXX989w2LY

    i hope it will be solved soon.


    some questions: what about an offline-version without going to the internet and downloading the script from pastebin or whatever?

    and, 1+ for the Post from Andy: i would like to see a universal teensy which dumps every kind of passwords from the local machine and put them to a sd on the teensy or something. why? sometimes local clients are not allowed to use the internet.....

    ReplyDelete
    Replies
    1. Hi,

      Thanks for your nice words. I need to do some teting for ascii support, hopefuly this would be addressed in next major release.

      Most of the payloads are offline. Only those payloads download scripts from the internet which are big (like hashdump and sniffer) and take considerable time for typing. I will see if it would be feasible to type them locally.

      Regarding the "universal teensy", I have not implemented any SD card method to keep the "learning curve" simple for new users. I want to support a Teensy (or other HID) out of the box, that is, without a need to attach a SD card etc.

      Other than that, all the payloads of Kautilya are designed so that the device need not be connected to the target for more than 30-40 seconds. More functionality in a single payload means more time required for typing, thus more time on the target.

      Although given there is a demand I will introduce an option or seperate payloads which make use of SD card in future.

      Thanks,
      Nikhil

      Delete
    2. One more thing, many environments block a storage device, even if the internal storage is used it may get blocked. Anyway, I will look to what extent storage could be supported while maintaing an ease of usage.

      Delete
  8. Hi Nikhil,

    this sound really awesome. What about the following, the sdcard could be optionally, means, if no sd is attached, online-version, if and sd is attached and mountable, offline version.

    let me know when you need some support, i really love your project.

    ReplyDelete
    Replies
    1. Thank you. Yes that is what I was thinking of. Kautilya will support the SD card in a near future release.

      Delete
    2. Also, code contributions are always welcoe. Please let me know if you want to contribute.

      Delete
  9. Hi again,

    Could you possibly provide a link or a screenshot of the options/payloads for OS X?

    Thanks.

    ReplyDelete
  10. Sure, payloads for OS X are:

    1. Download and Execute
    2. DNS TXT Code Execution
    3. Perl Reverse Shell (MSF)
    4. Ruby Reverse Shell (MSF)

    ReplyDelete
  11. Nikhil,

    Awesome work man!! Just awesome. I want to work with you to build a new product, (really an improvement to an existing) a peensy. I want to add a Fram memory module to a Teensy 3.1 and create different versions for specific OS/Systems.

    ReplyDelete