Wednesday, July 30, 2014

Kautilya 0.5.0 - Passwords in Plain, Exfiltrate SAM, Code Exec and more

Kautilya 0.5.0 is out. This version adds six more exciting payloads for Windows and supports Ruby bundler! I tried to do away with the menus and make the Kautilya UI interactive-shell based, just like MSF, but my Ruby skills failed me. I would be glad if some Ruby expert could help me with that.

Anyway, let's have a look at what is new.

Using the artii gem, Kautilya now shows different ASCII art banners :)

Also, you no longer need to install each gem individually; just run 'bundler install' from Kautilya's root directory.

Coming to the payloads, the new ones are:

Add a user and Enable Powershell Remoting
Simple and effective, this payload adds an administrative user on the target and enables PowerShell Remoting from any subnet. A Windows Firewall exception is also added.



Just compile this to your HID and plug in the device.

Dump passwords in plain
This payload dumps the passwords of users on the target system in plain text. It uses the excellent Invoke-Mimikatz by Joseph Bialek. You need to host Invoke-Mimikatz.ps1 on a web server; it is downloaded and executed in memory from there. The script can be found in the extras directory.

Let's use it from a local server. Also, let's choose Gmail to exfiltrate the results.

And what we get is:

Great! There is nothing better for getting hold of plain-text credentials.
You could also pass any Mimikatz command with "Invoke-Mimikatz -command  "

Copy SAM
This payload copies the SAM file with the help of the Volume Shadow Copy Service (VSS). The SAM file can be exfiltrated ONLY using Gmail right now.

I understand that using Gmail only means you need to leave the credentials of a Gmail account on a target. I tested converting the SAM file to hex and exfiltrating it using other options, but the size of the hex file is too big to make it practical; the compression and encoding built into Kautilya (the compress_encode function in the exfilmethoddefs file) didn't work either.

Execute Shellcode
Use this to execute shellcode in memory. This is based on the awesome Invoke-Shellcode from PowerSploit by Matt Graeber. You need to host Invoke-Shellcode.ps1 on a web server; it is downloaded and executed in memory from there. The script can be found in the extras directory.

After compiling it to a HID and connecting the HID to a target, we can see the following on the listener:

Nice!
The default is set to Metasploit's windows/meterpreter/reverse_https, which works for both 32-bit and 64-bit machines.

Dump Process Memory
This payload takes a full minidump of a process. The dump file can then be exfiltrated using Gmail ONLY (for the same reasons as Copy SAM). The payload uses logic from the Out-MiniDump.ps1 script of PowerSploit. By default, the lsass process memory is dumped, but you can specify another process too.

And we receive the dump at the specified Gmail ID.
Great! Now this dump file can be used to extract juicy information using any tool of choice.
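
Seen from the defending side, the "Add a user" payload and the PowerShell scripts named above leave traces in Windows event logs. The Python sketch below is an added example, not part of Kautilya or of the original post; it assumes account-management auditing (Security events 4720 and 4732) and PowerShell script block logging (event 4104) are enabled, and the sample events, the dictionary layout and the 300-second window are constructed for illustration.

```python
import re

# Script names this post mentions. Name matching is brittle (a renamed script
# evades it), so treat a hit as a lead, not as full coverage.
SCRIPT_NAMES = re.compile(r"Invoke-Mimikatz|Invoke-Shellcode|Out-MiniDump", re.I)
ADMINS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
WINDOW = 300                  # assumed max seconds between creation and group add

def detect(events):
    """Return (time, finding) tuples in time order for the given event dicts."""
    findings = []
    created = {}  # account SID -> (time, name), filled from 4720 events
    for ev in sorted(events, key=lambda e: e["time"]):
        eid = ev["EventID"]
        if eid == 4720:    # a user account was created
            created[ev["TargetSid"]] = (ev["time"], ev["TargetUserName"])
        elif eid == 4732 and ev["TargetSid"] == ADMINS_SID:
            # a member was added to a security-enabled local group
            hit = created.get(ev["MemberSid"])
            if hit and ev["time"] - hit[0] <= WINDOW:
                findings.append(
                    (ev["time"], f"new account '{hit[1]}' added to Administrators"))
        elif eid == 4104:  # PowerShell script block logging
            m = SCRIPT_NAMES.search(ev["ScriptBlockText"])
            if m:
                findings.append((ev["time"], f"script block references {m.group(0)}"))
    return findings

# Constructed sample events (not captured from a real host).
SAMPLE = [
    {"EventID": 4720, "time": 1000, "TargetSid": "S-1-5-21-1-2-3-1105",
     "TargetUserName": "svc_backup"},
    {"EventID": 4732, "time": 1004, "TargetSid": ADMINS_SID,
     "MemberSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4732, "time": 9000, "TargetSid": ADMINS_SID,
     "MemberSid": "S-1-5-21-1-2-3-1001"},   # long-standing account: no finding
    {"EventID": 4104, "time": 1200,
     "ScriptBlockText": "function Invoke-Mimikatz { <body elided> }"},
    {"EventID": 4104, "time": 1300, "ScriptBlockText": "Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    for when, finding in detect(SAMPLE):
        print(when, finding)
```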

Kautilya could be found here:
https://github.com/samratashok/Kautilya

The complete changelog is below:
----------------------------------------------------------------------------------------------------------------------------
CHANGELOG:
0.5.0
- Added Execute Shellcode for Windows (under Execution menu).
- Added "Dump passwords in plain" for Windows (under Gather menu).
- Added "Copy SAM (VSS)" for Windows (under Gather menu).
- Added "Dump Process Memory" for Windows (under Gather menu).
- Added "Dump Windows Vault Credentials" for Windows (under Gather menu).
- Added "Add a user and Enable Powershell Remoting" for Windows (under Manage menu).
- Added support for Gems bundler.
- Added more banners of Kautilya.
----------------------------------------------------------------------------------------------------------------------------

I hope this will be useful to you. I await feedback, comments and bugs.

8 comments:

  1. Hello SamratAshok, hope you are doing well, friend.
    Please, I read your post and I would like to congratulate you on very good material, but I didn't understand whether in the plain-text password screen I will find the password for the wireless network, because looking at the screenshot I didn't see this information.
    Thanks for taking the time to read this message,

    1. I did not include the part of the screenshot which was showing my password, as it was run on my actual machine and not a test machine. If you try it, you will get the passwords in plain text.

  2. Hello SamratAshok, my friend, I downloaded it from GitHub but I really don't know how to get your program running. Please could you give some hints on how to execute it under Debian or W$ XP?

    Thank you once again for help.

    1. Please see earlier posts on Kautilya
      http://www.labofapenetrationtester.com/2012/05/teensy-usb-hid-for-penetration-testers.html
      http://www.labofapenetrationtester.com/search/label/Kautilya

      Please let me know if it helps.

  3. Hello Nikhil, I cannot compile the sketch in Arduino 1.6.3 (Windows), Teensy 2, from Kautilya (I tried 0.5.0 and 0.4.4); the problem is in Keyboard.print(filename); variable filename

    dump_passwords1.ino:286:20: warning: missing terminating " character [enabled by default]
    dump_passwords1:286: error: missing terminating " character
    dump_passwords1.ino: In function 'void setup()':
    dump_passwords1.ino:28:19: warning: comparison with string literal results in unspecified behaviour [-Waddress]
    dump_passwords1.ino:32:23: warning: comparison with string literal results in unspecified behaviour [-Waddress]
    dump_passwords1.ino:43:23: warning: comparison with string literal results in unspecified behaviour [-Waddress]
    dump_passwords1.ino:47:23: warning: comparison with string literal results in unspecified behaviour [-Waddress]
    dump_passwords1.ino: In function 'void wait_for_drivers(int)':
    dump_passwords1.ino:70:32: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:79:32: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino: In function 'bool cmd_admin(int, int)':
    dump_passwords1.ino:97:44: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:104:39: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:106:59: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:108:28: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:120:1: warning: no return statement in function returning non-void [-Wreturn-type]
    dump_passwords1.ino: In function 'bool cmd(int, int, char*)':
    dump_passwords1.ino:126:44: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:127:24: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:136:28: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:145:1: warning: no return statement in function returning non-void [-Wreturn-type]
    dump_passwords1.ino: In function 'void make_sure_capslock_is_off()':
    dump_passwords1.ino:152:32: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino: In function 'bool check_for_capslock_success_teensy(int, int)':
    dump_passwords1.ino:186:28: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    dump_passwords1.ino: In function 'void minimise_windows()':
    dump_passwords1.ino:192:44: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:193:24: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino: In function 'void send_left_enter()':
    dump_passwords1.ino:216:29: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino:222:30: warning: large integer implicitly truncated to unsigned type [-Woverflow]
    dump_passwords1.ino: In function 'void pastebin(String)':
    dump_passwords1:287: error: expected ')' before ';' token
    expected ')' before ';' token

    1. Hi,

      This is a bug in Arduino IDE. Try using Arduino 1.0.6 or earlier. See the below issue:
      https://github.com/samratashok/Kautilya/issues/12

  4. Are you actually exfiltrating and storing authentication data in plain-text during live engagements? Your blog is a good resource, and it would be cool of you to advise new pen testers to be responsible with their exfil - encrypt! :)
