Wednesday, April 30, 2014

Egress Testing using PowerShell

Imagine that you pwned a box during a pen test. You want to know if it is possible to acess the internet/other network on any port. This is what egress testing is, for me. I am happy to give you Firebuster and Firelistener, a pair of powershell scripts which could be used for the purpose. The scripts are written by Nikhil Sreekumar(@roo7break) and me (yes we have the same first name :P). He blogged about it sometime back. You can read about it here. The code has been updated and improved for Nishang.

We can use the scripts this way.

1. Run the Firelistener on our machine (we are the attacker/listener)

2. Run the FireBuster on the target machine.

3. You can see the open ports on FireListener console.


While using FireListener for more than 100-150 ports, it overwhelms the listening machine (the attacker's machine). I am trying to improve on this. I would really love if someone can improve it. Also, FireListener sometimes "misses" restarting a job for a port to which a connection has been made. This is due to the delay introduced before restarting the jobs.

With this blog post, some more updates have been pushed to Nishang. The CHANGELOG
- Download_Execute_PS.ps1 can now download and execute a Powershell script without writing it to disk.
- Execute_OnTime.ps1 and HTTP-Backdoor.ps1 executed the payload without downloading a file to disk.
- Fixed help in Brute-Force function in Powerpreter.
- Execute-OnTime, HTTP-Backdoor and Download-Execute-PS in Powerpreter now execute powershell scripts without downloading a file to disk.
- Added Firebuster.ps1 and Firelistener.ps1

Firebuster and Firelistener are available in Nishang repository.

I would love to hear feedback and bugs on this. Please leave comments.

Friday, April 25, 2014

Kautilya 0.4.5 - Reboot Persistence, DNS TXT exfiltration and more

This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged in five categories making the menu clearer.

Another major improvement has been the addition of DNS TXT exfiltration and HTTP POST exfiltration to your own website. That means, your need not leave credentials of your pastebin/gmail on target.  Note that in case of gmail, you can use application specific passwords. Both of these exfiltration methods were suggested by users.

So, please keep the feature requests and suggestions coming :)

WMI permanent event consumer is included in the code for persistence, But actually, it is not being used by any payload! Why? Because, it requires administrative privileges and both the backdoors run with non-admin privileges. In the case of Keylogger too, only Run registry key is used. Besides the above reason, there is one more catch, the WMI permanenet event consumer we are using, executes the payload with SYSTEM privileges on system reboot while the Keylogger logs keys in the context of the user it runs. This makes it necesarry to run the Keylogger with the privileges of current user and not SYSTEM.

So persistence using WMI is included for future use. Do leave a comment if you think additional payloads needs persistence. It is trivial to do but needs little code changes in .ino or .pde file of that payload.

A powershell script Remove-Persistence.ps1 has been added in the extras directory which could be used to remove persistence added by various payloads in Kautilya.


DNS TXT Exfiltration

In my lab, is running a BIND DNS Server with querylogging enabled. I used these tutorials for setting it up:

Lets use the DNS exfiltration with the "Get Target Credentials" payload (and I am running Kautilya on Windows)

After compiling and uploading the generated payload to a HID, lets connect it a VM, we see this:

The exfiltration method could also be used for bigger data, it simply divides the data and sends multiple queries. I will soon write a separate blog post to cover that.

Now, this data is compressed and encoded using the method found here. To decode it, use Decode.ps1 which has been added to the extras directory.

Great! We were able to exfiltrate data using only DNS TXT queries.

HTTP POST Exfiltration

A VM in my lab is running a simple code, which I got from stackoverflow.

Now, lets try this with the WLAN Keys Dump payload.

And we can see this on the web server:

Decoding it using Decode.ps1

Size of the payloads
Those who take interest in source code of Kautilya may notice that all the payloads have been made more modular. It means, if you chose not to do exfiltration the payload would be much smaller now, unlike earlier. Same goes for persistemce. This makes it easier to use payloads of Kautilya on various devices.

Here is the full CHANGELOG

- Bug fixes and improvements in Time Based Exec. It now supports exfiltration and could be stopped remotely.
- Less lines of code for HTTP Backdoor and Download Execute PS.
- HTTP Backdoor, Download Execute PS, Hashdump and Exfiltrate and Dump LSA Secrets now execute the downloaded script in memory.
- Shortened parameters passed to powershell.exe when the scripts are called. Thus, saving the time in "typing" by HID.
- Added two new exfiltration options, POST requests and DNS TXT records.
- Username and password for exfiltration would be asked only if you select gmail or pastebin.
- Tinypaste as an option for exfiltration has been removed.
- Payloads have been made more modular which results in smaller size.
- Reboot Persistence has been added to HTTP Backdoor and DNS TXT Backdoor.
- Menu redesign.
- Bug fix in Dump LSA Secrets payload.
- Added ./extras/Decode.ps1. Use this to decode data exfiltrated by HTTP Backdoor and DNS TXT Backdoor.
- Added ./extras/Remove-Persistence.ps1. Use this to remove persistence by Keylogger, HTTP Backdoor and DNS TXT Backdoor.
- Kautilya could be run on Windows if win32console gem is installed.

You can find kautilya here:

As always, I welcome feedback, bugs and feature requests.