Sunday, May 27, 2012

Fun with Sticky Keys, Utilman and Powershell

Recently, carnal0wnage and mubix blogged about sticky keys. I have implemented this in Kautilya and found this usefult during many internal penetration tests.

I thought of playing more with this and using this is as something more useful and powerful. I started using powershell as debugger for sethc.exe and no points for guessing this is what I get when I pressed shift 5 times (or Left Alt + Left Shift + PrntScr for that matter).

So powershell is getting executed but there is no interactive prompt (I have not looked into the reason for this). I tried executing a simple script (which calls calc.exe) by setting it as a debuuger to sethc.exe. I have to call powershell from cmd as without cmd powershell was throwing some errors.

and the result was

Wow the legendary calc is here!! Keep in mind that if you use any environment variable for path of your powershell script, it would not be same for different user profile. For example, in the above if you use %temp%\calc.ps1 as path of the script, on an unlocked system that would be Temp directory of currently logged in user "C:\Users\\AppData\Local\Temp\calc.ps1". But when the machine is locked %temp% would be "C:\Windows\Temp", because of SYSTEM profile will access it. Keep that in mind while testing.

So, I was able to call the powershell script. This means if you are able to drop a script on victim and set powershell with proper arguments as a debugger to sethc.exe (or utilman.exe), you can execute the script with SYSTEM privilege.

What if I can somehow download and execute a meterpreter executable on the victim? Yes it is quite easy using this powershell one liner.

This looks good, a meterpreter executable downloaded and executed on a locked machine! But pulling a meterpreter executable on a machine is not a good idea for obvious reasons. Why not pulling a powershell script which can execute code in memory? Yes I am talking about Matt's work from his blog Exploit Monday.

So what we have now? A powershell command which executes meterpreter from memory, set as debugger to sethc.exe which gets executed with SYSTEM level privilege. Wow!!

But is this over yet? Let's play more :) How to maintain access to the machine? Using persistence and other methods available with meterpreter is one option. I would like to use a little more powershell here.

Let's do this. Our powershell one liner will download another script (let's say payload.ps1). Payload.ps1 will keep polling a tinypaste id in an interval of one hour (or less) and would download and execute whatever powershell script is present there. So let's set our sethc.exe or Utilman.exe Debugger to below.

using this

and now the result is

So what we have now is a payload which uses tinypaste as its C&C thingy and executes powershell scripts there with SYSTEM privilege :D

This is quite similar to my unpublished work called Maareech which is a sort of automated domain takeover tool in powershell.

payload.ps1 is the following powershell script. I know its ugly, I am still learning to write clean powershell scripts.

The payload, which polls tinypaste after given interval is very similar to "Time based execution" payload of Kautilya (just one line is different) but still for sake of usage, will be added as "Externally controlled payload" in some upcoming version of Kautilya.

Hope you enjoyed this. Feedback and suggestions are welcome.

Wednesday, May 23, 2012

Teensy USB HID for Penetration Testers - Part 4 - Kautilya

In third part of this series, we discussed how to write sketches using Arduino and Teensyduino. In this part, let's have a look at Kautilya. Kautilya is a toolkit written by me which helps in easing usage of Teensy in a penetration test. It is named after the famous Indian strategist, economist and political scientist Chankaya (Kautilya is one of his alias).  I will touch some less complex payload of Kautilya in this post.

Kautilya has a menu driven UI which could be used to generate sketches without a need of knowing how to program a Teensy device. The toolkit is written in Ruby and is free and open source. It currently contains payloads for Windows 7 and Linux (tested on Ubuntu 11). Kautilya is specifically designed to support Teensy out of the box, there is absolutely no modification required to the hardware.My motive behind writing Kautilya is to bring Teensy to masses. During my talks about Kautilya and Teensy I observed that often Pen Testers do not have enough time to program a device for their usage. Payloads in Kautilya could be used for pre exploitation and post exploitation tasks other than the “usual” popping of shells. 

The process of writing payloads for a Windows 7 machine could be summed up as:

  1. Understand the operating system in terms of USB buffer.
  2. Understand the commands supported and learn to write powershell or/and vbs.
  3. Recognize the built-in security measures (like UAC and powershell script execution policy) which may check privileged commands and then learn how to bypass them.
  4. Understand the time taken by operating system in completing various commands.
  5. Write the commands and scripts on Teensy.
  6. Understand more quirks of the command line when Teensy types out thing on victim.
  7. Try not to be too noisy on the victim.
  8. Test the payload and reach to final reasonable sketch.
  9. Compile the sketch to Teensy device.
  10. Attach it to the victim machine actively or using Social Engineering.
  11. Enjoy the pwnage!
(Next few lines may look like self promotion ;) )

Kautilya automates steps 1-8 for you. Using Kautilya you just need to:
  1. Select a payload and select your options. A sketch (a .ino or .pde file) would be generated for you.
  2. Compile the sketch to Teensy device.
  3. Attach it to the victim machine actively or using Social Engineering.
  4. Enjoy the pwnage!
A screenshot of Kautilya 0.2.2
Kautilya is tested on Ruby 1.9.2. It requires ruby gems "colored" and "highline".

Let's have a look at some of the payloads for Windows in Kautilya. All the payloads are tested on a default install of Windows 7.

Add a user and Enable RDP
This payload adds an admin user to the victim. It also, enables and starts Terminal Service on the victim. An exception to Windows firewall is also added. This payload requires a user to be logged in with admin privileges.

The generated payload just needs to be compiled to a Teensy++. The device could then be connected to the victim. The victim will see start menu open up, some cmd being type and then a very small cmd window which type dark blue on black will do evil stuff for us...muhahaha

Let's have a look at the source code for better understanding. Many payloads in Kautilya are similar in structure to this one.

Download and Execute
This payload downloads an executable stored in text format from pastebin (or any other service which allows hosting of text without formatting), converts it back to exe on the victim and executes it in background. The exe must be converted into hex format using script exetotext.ps1 in extras folder of Kautilya. This script is originally an idea of Matt of Exploit-Monday blog.

In the above example, a windows reverse meterpreter is pasted to pastebin and the url is provided in the option.This payload could be used even with a low privilege user.

Forceful Browsing
This payload opens up a hidden instance of Internet Explorer using a COM obbject of Internet Explorer and browses to the provided URL. An ideal use case could be hosting an exploit of msf  or a hook of BeEF  on the given URL. This payload is one of my favorites as it is able to get executed on a normal user (non administrative) privilege and is very silent.

Sethc and Utilman Backdoor
This payload utilizes a useful hack in the Windows OS family. On a locked system, if you press Shift key five times (or Left Ctrl + Left Shift + Prnt Scr) i.e. sticky keys, sethc.exe is executed with SYSTEM level privileges. In a similar way, if Window key +U is pressed, utilmanager (which is utilman.exe ) is launched with SYSTEM privs. This payload attaches a an executable present on the machine as a debugger to sethc.exe and utilman.exe. The attahced executables can then be executed with SYSTEM level privileges on a locked Windows machine.

We had a look at some less complex payloads of Kautilya. In the next post (or posts) I will explain some more complex and powerful payloads. At least one post will cover breaking Linux (Ubuntu11) too.

I am thinking of creating some small videos demonstrating few payloads but only if some people ask for it ;) Please let me know if the length of blog posts is ok. Feedback and comments are welcome.