Page 1:

Paul Asadoorian
Founder & CEO, PaulDotCom Enterprises
http://pauldotcom.com
paul@pauldotcom.com

POST Exploitation: Going Beyond The Happy Dance

Carlos Perez
HP / PaulDotCom
[email protected]

Note: Special happy dance outfits are optional

Page 2:

http://pauldotcom.com June 2010

Who am I?

• I had this really boring slide about who I am

• Then I realized that’s not really who I am

• What follows is the “Powerpoint” version of “a little about me”...

Page 3:

Podcast

• 2005 - Present

• ~ 200 episodes

• Awards, blah

• Thursdays 7PM EST

Page 4:

Hack Naked

Why Hack Naked?

Page 5:

Beer

Page 6:

Computer Destruction

Page 7:

PaulDotCom

John “Father John” Strand

Paul “Salad Shooter” Asadoorian

Larry “Dirty Uncle” Pesce

Mick “Jr. Salad Shooter” Douglas

Carlos “Dark0perator” Perez

Mike “The Original Intern” Perez

Darren “Girly Mustache” Wigley

?“Byte_Bucket”

Mark Baggett

Page 8:

“Hail Nessus!”

• My day job: I work for Tenable Network Security as a “Product Evangelist”

• I use Tenable products and write blogs, publish podcasts, teach courses, and produce videos

• http://blog.tenablesecurity.com


Page 9:

Carlos “dark0perator” Perez

• Carlos works as a Solution Architect for HP Infrastructure Consulting on the Security, Networking and Consolidation Practices

• He covers Central America, Caribbean and PR

• He is a Metasploit junkie!!

Page 10:

I Hacked The Gibson!

• Do the happy dance!

• Hacking the Gibson is quite the accomplishment

• Congratulations, your penetration test has begun

• Like ___, the importance is on what happens after you get in

You can fill in the blanks. I’m going with “burglary”.

Page 11:

“POST-Exploitation”

• This is actually a really bad term as it doesn’t accurately describe the process

• “Exploitation” - Getting “shell” or remote command execution on the system

- But doesn’t necessarily require an “exploit”

• “POST” - What happens after

- Should be: “things that must be done in order to make it worth your while and your client’s money!”

Page 12:

• Some say they don’t need exploits, let alone “POST-Exploitation”

• In general, these are the exceptions and likely have an advanced and well-defined security program (Ha!)

• In every test, you should:

- Tell your client something they didn’t know about their network

- Make them reconsider risk-based decisions

Page 13:

“POST-Exploitation”

• Network Enumeration - Using the network interface to sniff and/or scan (even WiFi)

• Privilege Escalation - Got root?

• Pivoting - Attacking other systems

• MiTM Attacks - ARP cache poisoning, collect credentials

• Hiding - We need to do more of this on pen tests

Page 14:

More “POST-Exploitation”

1. Local Enumeration - Collecting information from the host

2. Re-configuration & changing settings - Manipulation, not just for relationships anymore

Page 15:

Focus

• We will focus on the local and network enumeration

• Re-configuring stuff is largely ignored, except by attackers

- This is where Paul comes in :)

• Automation in this space needs some work

- This is where Carlos comes in :)

Page 16:

Local Enumeration: “Stuff We Can Automate”

• Accounts & Passwords

• List defenses

- Firewall, A/V, etc.

• General System Information

- Screen capture, video screen capture

- Open ports, file shares, running processes

- Registry / configuration data

- Device data - Mic, webcam, USB, Wireless

You are being watched

We MUST Automate

Page 17:

Local Enumeration - Manual

• Even with advanced Cylon technology, the following is still done manually:

- Go through the file system and shares looking for good stuff

- Backup files, configuration files, clear-text password files

Page 18:

Re-Configure The System

• Change settings - DNS, hosts file

• Disable defenses - Drop shields, disable anti-virus

• Add file shares

• Add access methods (RDP, VNC, Telnet)

• Grab the print queue

I find the above methods apply nicely to embedded device exploitation!

Page 19:

Finding Vulnerabilities In Embedded Routers

• Linksys WAP54Gv3 Remote Debug Root Shell

• http://www.icysilence.org/?p=268

• Found by reverse engineering the firmware, and digging through open-source code

• User: gemtek / Pass: gemtekswd

• Great, now we can pwn routers!

Page 20:

There are a few out there...

Page 21:

But what do we do with them?

Changing the DNS server to ones that you own, pwn

Several embedded routers have poor security and weak authentication

Page 22:

Hacking Printer Example

• “Fun With Printers” by Matt

- http://www.attackvector.org/?p=110

• Printers are fun, and so is changing the display

• But there are more evil things...

Page 23:

Hacking Printer Example

• Tell printers to store jobs:

- @PJL DEFAULT HOLD=STORE

• Download stored jobs:

- 0:\savedevice\savedjobs\heldjobs

• Simple, yet effective POST-Exploitation that will retrieve information stealthily

• Notice there is no “exploit”

• You may need to customize your “POST-Exploitation” activities
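The defensive counterpart to the PJL trick above, as an added example that is not code from the talk: read a printer's persistent HOLD default back over the raw-print port and flag it when jobs are being kept on the device. It assumes an HP-style PJL implementation that answers DINQUIRE for the HOLD variable; the reply used for the offline check is constructed.

```powershell
# Added example, not code from the talk: read back a printer's default job-hold
# setting over the raw-print port (9100) and flag it when jobs are being kept.
# Assumes an HP-style PJL implementation that understands the HOLD variable.

$UEL = [char]27 + '%-12345X'   # PJL Universal Exit Language sequence

function ConvertFrom-PjlInquireReply {
    param([string] $Reply)
    # A PJL read-back looks like:  @PJL DINQUIRE HOLD<CR><LF>STORE<CR><LF><FF>
    # The value is the first non-empty line after the echoed command; an
    # unsupported variable comes back as "?" (quoted).
    $lines = @((($Reply -replace "`f", '') -split "`r?`n") |
               ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
    if ($lines.Count -lt 2 -or $lines[0] -notmatch '^@PJL D?INQUIRE HOLD') {
        return $null
    }
    $lines[1].Trim('"').ToUpperInvariant()
}

function Get-PjlHoldSetting {
    param(
        [Parameter(Mandatory=$true)] [string] $Printer,
        [int] $Port = 9100,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.Connect($Printer, $Port)
    $stream = $client.GetStream()
    try {
        # DINQUIRE asks for the persistent default, i.e. the value that
        # "@PJL DEFAULT HOLD=STORE" changes (INQUIRE would give the current job's).
        $query = $UEL + "@PJL DINQUIRE HOLD`r`n" + $UEL
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($query)
        $stream.Write($bytes, 0, $bytes.Length)
        $buf = New-Object byte[] 1024
        $n = $stream.Read($buf, 0, $buf.Length)
        ConvertFrom-PjlInquireReply ([System.Text.Encoding]::ASCII.GetString($buf, 0, $n))
    } finally {
        $stream.Dispose()
        $client.Dispose()
    }
}

# Offline check against a constructed reply, i.e. what a printer that has been
# told to keep jobs answers:
$sample = "@PJL DINQUIRE HOLD`r`nSTORE`r`n`f"
if ((ConvertFrom-PjlInquireReply $sample) -eq 'STORE') {
    Write-Warning 'Default HOLD is STORE: print jobs are being retained on the device'
}
```

Run `Get-PjlHoldSetting -Printer <host>` against your own fleet; anything other than OFF deserves a look at the held-jobs directory and at who changed the default.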

Page 24:

The Trick

• Being able to do “POST-Exploitation” across multiple platforms

• Windows - Has great coverage, especially in Metasploit thanks to Carlos

• Linux - Tons of stuff exists to automate

• OS X - Seems to want to behave differently than Linux/UNIX

- Each release changes the commands!

Page 25:

Windows

• Microsoft, in the latest versions of Windows, has worked hard to provide layers to secure the system.

- Windows Vista

- Windows 7

- Windows 2008

- Windows 2008 R2

• New management tools have been added

Page 26:

Windows

• Access to Registry has been limited

• Access to Operating System files is more limited

- %SYSTEMDRIVE%

- %PROGRAMFILES%

- %WINDIR%

• For compatibility some of this access is now Virtualized

Page 27:

Windows

• Sadly the data is not secured too well

• We can read application data and configuration even without “Administrator” on Vista/7/2k8 R2

- HKCU\

- %APPDATA%

- %HOMEPATH%

- %LOCALAPPDATA%\VirtualStore (Virtualized FS)

- HKCU\Software\Classes\VirtualStore (Virtualized Reg)

Page 28:

Windows: What Can We Find?

Page 29:

Windows

Page 30:

Windows Powershell

• Powershell is now the foundation for all future MS Enterprise Products

- Exchange

- SQL Server

- System Manager

- Hyper-V

- Windows 2008 and beyond

Page 31:

Windows Powershell

• Powershell is in use by third parties other than Microsoft

- VMware

- Citrix

- F5

- Others….

• Access to .NET, a multitude of cmdlets and OS commands

Page 32:

Windows Powershell

• Not too shell friendly since it breaks regular shells like ncat, nc and even Meterpreter

• But there are other ways to use it

Page 33:

Windows Powershell

Page 34:

Windows Powershell

• We can identify Snap-Ins, including their version

• We can identify the execution policy of scripts

• We can tell if the default profile is loading any libraries by default for a user.

• If running as SYSTEM we will enumerate all users in the host

Page 35:

Page 36:

Windows Powershell

• Works with WMIC also

• On Meterpreter just

- execute -H -f cmd.exe -a "/c powershell Get-Service > out.txt"

• Thankfully most third-party and some MS Snap-Ins require an execution policy of RemoteSigned

* Yes, a Meterpreter script is on its way ;)
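The four checks listed two slides back (snap-ins and versions, execution policy, profile scripts that load libraries, local users when elevated), as an added example that is not the Meterpreter script the talk announces. It is written for Windows PowerShell; on PowerShell 7, where `Get-PSSnapin` no longer exists, the snap-in section simply comes back empty.

```powershell
# Added example, not the Meterpreter script from the talk: report the PowerShell
# environment the slide lists. Windows PowerShell only; Get-PSSnapin is gone in
# PowerShell 7, so that section returns nothing there.

function Get-PowerShellEnvironmentReport {
    # 1. Registered snap-ins with their versions (installed, not just loaded).
    $snapins = Get-PSSnapin -Registered -ErrorAction SilentlyContinue |
               Select-Object Name, Version, PSVersion

    # 2. Execution policy per scope; MachinePolicy/UserPolicy come from GPO
    #    and win over anything set locally.
    $policies = Get-ExecutionPolicy -List | Select-Object Scope, ExecutionPolicy

    # 3. Profile scripts that run automatically, and whether they pull in
    #    libraries (dot-sourcing, snap-ins, modules, .NET assemblies).
    $loader = '^\s*(\.\s|Add-PSSnapin|Import-Module|Add-Type|\[Reflection\.Assembly\])'
    $profiles = foreach ($path in @($PROFILE.AllUsersAllHosts,
                                    $PROFILE.AllUsersCurrentHost,
                                    $PROFILE.CurrentUserAllHosts,
                                    $PROFILE.CurrentUserCurrentHost)) {
        if (Test-Path -LiteralPath $path) {
            $hits = @(Select-String -LiteralPath $path -Pattern $loader |
                      ForEach-Object { $_.Line.Trim() })
            [pscustomobject]@{ Path = $path; LoadsLibraries = ($hits.Count -gt 0); Lines = $hits }
        }
    }

    # 4. Local users: the full list is only reliable when elevated or SYSTEM,
    #    so record the context the report was produced in.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $identity.IsSystem -or
                 $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $users = if ($elevated) {
        Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" |
            Select-Object Name, Disabled, SID
    }

    [pscustomobject]@{
        RunAs           = $identity.Name
        IsSystem        = $identity.IsSystem
        Elevated        = $elevated
        SnapIns         = @($snapins)
        ExecutionPolicy = @($policies)
        Profiles        = @($profiles)
        LocalUsers      = @($users)
    }
}

$report = Get-PowerShellEnvironmentReport
$report.ExecutionPolicy | Format-Table -AutoSize
$report.Profiles | Where-Object { $_.LoadsLibraries } | Format-List
```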

Page 37:

Windows Persistence with UAC

• Most tools and scripts for Persistence fail with UAC

• But UAC protects the system, not the user

- %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
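An audit of the two user-level autostart locations just named, as an added example that is not code from the talk: nothing in it needs elevation, which is the slide's point about UAC, and each entry is resolved to its executable, signature status and whether it lives under the user's own (writable) profile.

```powershell
# Added example, not code from the talk: list the two user-writable autostart
# locations above and describe what each entry points at. No elevation needed.

function Get-UserAutostartEntries {
    $entries = @()
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        foreach ($prop in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... noise
            $entries += [pscustomobject]@{ Source = 'HKCU Run'; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
    # Resolves to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    $startup = [Environment]::GetFolderPath('Startup')
    $files = Get-ChildItem -Path $startup -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    foreach ($file in $files) {
        $entries += [pscustomobject]@{ Source = 'Startup folder'; Name = $file.Name; Command = $file.FullName }
    }
    $entries
}

function Resolve-AutostartEntry {
    param([Parameter(Mandatory=$true)] $Entry)
    # The executable is the quoted first token, or the first whitespace-delimited one.
    $exe = if ($Entry.Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Entry.Command -split '\s+', 2)[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $signature = if (Test-Path -LiteralPath $exe) {
        (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
    } else { 'FileMissing' }
    [pscustomobject]@{
        Source        = $Entry.Source
        Name          = $Entry.Name
        Path          = $exe
        Signature     = $signature                        # Valid / NotSigned / HashMismatch / ...
        InUserProfile = ($exe -like "$env:USERPROFILE\*")  # user-writable location
    }
}

Get-UserAutostartEntries | ForEach-Object { Resolve-AutostartEntry $_ } |
    Sort-Object InUserProfile -Descending | Format-Table -AutoSize
```

Unsigned binaries under the user profile are the rows to investigate first; a baseline taken per user makes new rows stand out.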

Page 38:

Windows Virtualization

• More and more companies are virtualizing

• VDI is being pushed by all vendors (Citrix, VMware and MS)

• Most solutions have a centralized system for management

“One system to rule them all, one system to find them, one system to bring them all and in the darkness bind them”

Page 39:

Page 40:

Windows Virtualization

• When attacking virtual environments, getting all the info on the management systems is critical

- Products

- Databases

- Scripting environments

- Managed Systems

Page 41:

Page 42:

Windows Virtualization

• When attacking client systems, look for management products and interfaces

• Also look for desktop virtualization products and VDI clients

• In many clients the data is shifting to virtual systems

• Knowing how to get to it and work in these environments is crucial

Page 43:

Windows: VMware Local Tools

• When VIX is installed, vmrun is your new-found friend

• Control VM state, manage files, take screenshots and execute commands

• Works against ESX, Workstation and Server

• CD to the VIX Program Files folder to run

- 32 bit - %PROGRAMFILES%\Vmware VIX\

- 64 bit - %PROGRAMFILES(x86)%\Vmware VIX\

Page 44:

Page 45:

Final Notes

• All Meterpreter scripts will be available in the coming weeks in Metasploit

• Additional scripts that we were not able to cover due to time will also be released and discussed on our blog

• If we know the VM password we can copy files from and to the VM

• We need more people to help work on OS X and Linux “POST-Exploitation”

Page 46:

Don’t Forget: http://www.securityfail.com

• Presentations: http://pauldotcom.com/presentations.html

• Radio: http://pauldotcom.com/radio

• Live Stream: http://pauldotcom.com/live

• Forum: http://forum.pauldotcom.com/

• Mailing List: http://mail.pauldotcom.com

• Webcasts: http://pauldotcom.com/webcasts

• Insider: http://pauldotcom.com/insider

• Email: [email protected]