Nishang 0.2.5 Released: Get WLAN keys in plain, Remove update and bug fixes.

This is a short & quick post about Nishang 0.2.5. Two new payloads which are borrowed from other sources (and went unnoticed for months lying in one of my VMs) have been added:

1. Get-WLAN-Keys dumps WLAN keys in clear text, handy!!. The code is borrowed from this code by Jan Egil Ring. An elevated shell is required to dump the keys.

2. Remove-Update could be used to remove all updates, all security updates or a particular update from a target machine. The script calls wusa.exe to do so. This is based on this post by Trevor Sullivan. This payload could be useful to re-introduce a patched vulnerability (an easy way of backdooring a system). Administrator access is required to remove most updates.

Also, some stupid bugs with Credentials payload hav been fixed. This payload has been bugging me (or I am bugging it :P) from the first release of Nishang. I hope to bring some peace to it.

The Nishang repo has been updated. Please update your repos.

Changelog:
0.2.5
- Added Get-WLAN-Keys payload.
- Added Remove-Update payload.
- Fixed help in Credentials.ps1
- Minor changes in Donwload_Execute and Information_Gather.

Please send feedbacks and questions my way. Hope this would be useful.

Introducing Prasadhak: Check running processes for known malwares using PowerShell

Once during a pen test, I got a complete acess to a box. It was a Windows 2008 server in a really bad shape. So bad that I wanted to check it for malwares as I was not sure about the integrity of the anti virus of the server. The client was also not sure as the server was just one of "those" servers who no one cared about as the services it offered were no longer required by business (I later gave a lecture to the client on why this is bad etc. etc.)

So I was in a fix, installing an AV was not an option and as always there was not enough time to do a manual sanity check of the system for malwares. I though of using Virustotal for this. Virustotal provides a nice API which could be used for automating the process of analysis of files. But there was a catch, I could not upload files from the system to the interent, confidentiality issues! So I decided to use search function for running processes. I would search for executables of running processes for malwares using Virustotal API, looks good.

So behold world, I give you, Prasadhak. A powershll script which will check running processes (actually their executables) for malware by searching md5 their md5 hashes on virustotal database. For those curious, Prasadhak means purifier in Sanskrit.

PowerShell being quite powerful there was not much of a problem getting the current processes and their corresponding executable. Please note that some of the process do not report their path.
A little problem was with the limitations on request by the API. Using the normal public API, one could make only 4 requests in a minute. So I have to adjust the code this way.

Another problem was that Virustotal API responded with JSON objects and I was unable to parse the responses properly. I tried various methods including this. The code worked fine for a single request but failed for a batch request. I got lazy and wrote the script for PowerShell v3 instead which comes with a ready made ConverFrom-Json cmdlet. This is my first script which would require powershell v3.

Prasadhak reports one of the following for each process whose executable path was detected based on the response from Virustotal:

1. Not found in VT database for hashes which are not present in Virustotal Database.
2. Something malicious is found with the link to complete analysis.
3. This is reported clean for hashes which are reported clean.
4. File queued for analysis.

You need to register a free account on virustotal to get the apikey which is required for using the API.

A sample run of Prasadhak on my machine with Administrator privilege

So two malicious processes were found, the first one is a known one and I ran it just to test Prasadhak. Second one is new for me, lets have a look at it.

So hfs server is detected as malware by many AVs. Interestingly, a modified meterpreter payload was not found in database as its hash was different from a "normal" meterpreter. A huge limitation of hash based detection (Do I sound like an AV vendor?)

Two major limitations I know of Prasadhak are:

1. Results of each process are not labelled with the process name. You will see that I have left commented portions of code for labelling the results, this was a quick attempt before this post. Please let me know if you modify the script to improve that.

2. The approach of Prasadhak is very limited. As we saw above, a meterpreter binary was not detected just because slight modifications were made to it. Many malwares are better in stealth.

Please note that only section of script which requires PowerShellv3 is the function "check". If you need to use this script using PowerShell v2, try using this code at codeplex.

The code could be found below

#Requires -Version 3

<#
.SYNOPSIS
Nishang script which checks running processes for malwares.

.DESCRIPTION
This script uses takes md5 hashes of running processes (the correspondibg executable) 
on the target system and search the hashes in the Virustotal database using the Public API.

.PARAMETER APIKEY
THe APIKEY provided when someone registers to virustotal

.EXAMPLE
PS > .\Prasadhak.ps1 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0

.LINK
http://labofapenetrationtester.blogspot.com/
http://code.google.com/p/nishang

.Notes
The word Prasadhak means purifier in Sanskrit language.
#>



Param( [Parameter(Position = 0, Mandatory = $True)] [String] $apikey)

function Prasadhak
{

    function post_http($url,$parameters) 
    { 
        $http_request = New-Object -ComObject Msxml2.XMLHTTP 
        $http_request.open("POST", $url, $false) 
        $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") 
        $http_request.setRequestHeader("Content-length", $parameters.length); 
        $http_request.setRequestHeader("Connection", "close") 
        $http_request.send($parameters) 
        $script:response = $http_request.responseText 
    } 
 


    function check
    {
        
        $res = $response | ConvertFrom-JSON
        foreach ($code in $res)
        {
            #$proc1[$track]                
            if ($code.response_code -eq 0)
                {
                    Write-Host "Not found in VT database. " #+ $proc1[$track]
                }

            elseif (($code.response_code -eq 1) -and ($code.positives -ne 0))
                {
                    Write-Host "Something malicious is found. " -ForegroundColor Red # $proc1[$track]
                    $code.Permalink
                }

            elseif (($code.response_code -eq 1))
                {
                    Write-Host "This is reported clean. " -ForegroundColor Green # $proc1[$track]
                    
                }

            elseif ($res.response_code -eq -2)
                {
                    "File queued for analysis. " #+ $proc1[$track]
                    $code.Permalink
                }
        #$track++
        }
    }


    $ErrorActionPreference = "SilentlyContinue"
    $iteration = 0
    $count = 0
    $reqcount = 0
    [String[]]$hash = @()
    #[String[]]$procname = @()
    "Reading Processes and determining executables."
    Start-Sleep -Seconds 3
    $procs = (Get-Process).path
    $procnumber = Get-Process | Measure-Object -line
    "Total Processes detected: " + $procnumber.lines
    "Total Processes for which executables were detected: " + $procs.length
    Start-Sleep -Seconds 3


    foreach ($proc in $procs)
    {
        $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell
        $hash = $hash + "," + [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($proc))).Replace("-", "").ToLower()
        #$procname = $procname + $proc
        if ((($count -eq 25) -and (($procs.length - 25) -ge 0)) -or ($procs.Length -lt 25) -or (($iteration -ge 1) -and ((($procs.length - (25 * $iteration)) - 1) -eq $count)))
        {
            Post_http "https://www.virustotal.com/vtapi/v2/file/report" "resource=$hash&apikey=$apikey"
            check
            $hash = 0
            $count = 0
            $reqcount++
            $iteration++
        }
        if ($reqcount -eq 4)
        {
            "Waiting for one minute as VT allows only 4 requests per minute."
            Start-Sleep -seconds 60
            $reqcount = 0
        }

        $count++
    }
}

Prasadhak

Prasadhak is available in Nishang's repository, please update your repos.

Hope this would be useful. There wold be a day when I will start writing non-ugly code.
Bugs, feedback and comments are welcome. 

Update - Minor changes  have been made to Prasadhak, the code above has been modified a bit.

P.S. - I planned to release Prasadhak later after some improvements but a similar blog post forced me to post this, now. Research collision anyone? Thanks to my friends who quickly consoled me when I was shocked after that post.. hee hee :)

(Quick Post) Check if your payload is running inside a VM using PowerShell

I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of Virtual Environment. I found this post module in msf by Carlos Perez which is easy to understand. I quickly ported the script to powershell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)

The script checks for a number of parameters like, registry keys and running services for Hyper-V, VMWare, Virtual PC, Virtual Box, Xen and QEMU.

A code snippet showing the logic for detection of Hyper-V.

#Hyper-V
$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
    {
        $hypervm = $true
    }

if (!$hypervm)
    {
        $hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
        if ($hyperv -match "vrtual")
            {
                $hypervm = $true
            }
    }
    
if (!$hypervm)
    {
        $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
        if ($hyperv -match "vrtual")
            {
                $hypervm = $true
            }
    }
            
if (!$hypervm)
    {
        $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
        if ($hyperv -match "vrtual")
            {
                $hypervm = $true
            }
    }

if (!$hypervm)
    {
        $hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
        if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
            {
                $hypervm = $true
            }
    }
   
if ($hypervm)
    {
    
        "This is a Hyper-V machine."
    
    }

This is how it looks like when ran inside a Windows 7 on VMWare.

I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)

UPDATE: Thomas hac confirmed that the script detected a Hyper-V machine.

The script has been added to Nishang repo, please update your repo to get the script.

Hope this would be useful. Comments and suggestions are welcome.

Command Execution on MS SQL Server using PowerShell

One of my favorite "vulnerabilities" during Pen Tests is easy/guessable password for "sa" on MS SQL server with mixed authentication enabled, it means instant pwnage. Though a bit hard to find nowadays (SQL server 2008 and later enforce password complexity) , still you would manage to get a couple of them in a large environment. This post is just one more method to exploit this misconfiguration.

I try to use PowerShell in my pen tests as far as I can and this method is the result of one such pen test. I wanted to execute commands on one of the production sql servers, with powershell :)

My search landed me to this blog post by Niklas. I have already included, with permission, the script discussed in the blog post in Nishang 0.2.0 as Get-SqlSysLogin.ps1. But there is more to that post, it discusses how to execute commands on the sql server using powershell. I implemented the technique in a new payload of Nishang, Execute-Command-MSSQL

Lets get started.

My lab setup was a SQL Server 2008 Express on a Windows 7 machine. I set weak password for "sa" as "sa1234", which I have seen in one of previous Pen Tests.

Execute-Command-MSSQL asks for three mandatory parameters, the IP address or ComputerName to connect to, the username of admin on sql server and password for the user.

If the connection is successful and credentials work, the payload will enable xp_cmdshell on the sql server.

Now, we can choose from one of the three "shells", a powershell shell, a sql shell or a cmd shell.

SQL Shell: This allows to run SQL commands on the server.

cmd shell: This is the plain old window cmd shell, for machines without powershell (not tested on old machines).

powershell shell: This provides with a powershell "shell".

These different "shells" provide us great opportunities to do some really effective post exploitation.

Note that though the shells appear to persistent, they are actually not. Each command is executed in a new process. The shell prompt is shown just for user friendliness :)

You can download Nishang 0.2.1 here or update your repositories.

Hope this would be helpful. I look forward for feedback, comments and feature requests.

Nishang 0.2.0 - More PowerShell awesomeness

Behold world, I give you a new and shiny version of Nishang after a long gap :) I have been using PowerShell more and more by each pen test so expect even more awesomeness.

This is a major release and all of the new payloads are courtesy Niklas Goude. Below is the changelog.

- Removed hard coded strings from DNS TXT Pwnage payload.
- Information Gather now pastes data base64 encoded, does not trigger pastebin spam filter anymore.
- Credentials payload now validates both local and AD crdentials. If creds entered could not be validated locally or at AD, credential prompt is shown again.
- Base64ToString now asks for a file containing base64 string. To provide a string in place of file use "-IsString" parameter.
- Browse_Accept_Applet now handles prompts for both 32 bit and 64 bit Internet Explorer. The wait time for the applet to load has also been increased .
- Added Enable_DuplicateToken payload.
- Added Get-LSASecret payload.
- Added Get-SqlSysLogin payload.
- Added Invoke-Medusa payload.
- Added Invoke-PingSweep payload.

Check out the repository (http://code.google.com/p/nishang/source/browse/trunk) for the latest code.
The new payloads were discussed by Niklas on the awesome Hey, Scripting Guy! Blog.

I am working on many new payloads and you could expect frequent updates. Keep any eye on this blog :)

I would really like feedback, comments and feature requests :)