Академический Документы
Профессиональный Документы
Культура Документы
ta
IMAGE21
Alternatively this can be done using the hotbar once a connection is made:
IMAGE22
Device pass-through (RS232 / Serial):
Allowing devices such as serial ports to be connected via the device pass-throug
h feature could allow an easy method of transferring data between the host and t
he server. The serial port can be emulated locally on the attacker s machine and u
sed to stream data over to the server. Data can be received on the server side u
sing a terminal application such as Windows HyperTerminal or a custom built rece
iver built in assembly using debug.exe if available.
Device pass-through (Firewire):
Firewire is notorious in the security community for being potentially vulnerable
to physical memory attacks. This exploits a feature within the Firewire specifica
tion that allows Direct Memory Access (DMA) to external devices connected via Fi
rewire. Theoretically, it may be possible to pass-through an emulated Firewire d
evice that would allow DMA, such as an Apple iPod. It may then be possible to ha
ve full read/write access of the remote memory. This would carry serious implica
tions as the memory most likely will store all manner of sensitive data, includi
ng user credentials, encryption keys, etc.
Useful System / Administrative Tools
Back To Index?
Many of the default tools built into Windows for admin purposes can be overlooke
d when hardening takes place and as a result can be available to us. The vast ma
jority of these can be ran using methods covered earlier in the article:
MMC.exe
Microsoft Management Console, allows a large degree of control over the
system using snap-ins
Mstsc.exe
Microsoft Terminal Services, can allow remote desktop connection to an
other host
Regedit.exe Registry control
Taskmgr.exe Task Manager
Control.exe Control Panel shortcut
Rundll32.exe An alternative method of accessing areas of the OS that may be hidd
en via native API calls
Dxdiag.exe DirectX diagnostic tool, useful for enumerating system information
Msconfig.exe System configuration, shows verbose system information and has link
s to system tools
Eventvwr.exe
Local events viewer
Systeminfo.exe Command line system info collector
Msinfo32.exe System Information
Osk.exe
On Screen Keyboard, can be useful in Kiosk style environments where no k
eyboard is available
At.exe Task Scheduler
Taskschd.msc
Task Scheduler GUI
Explorer.exe Brings up a new instance of Windows Explorer
WMIC.exe
Qwinsta.exe
Displays information about RDP sessions
Tasklist.exe / qprocess.exe
List process information
It is often worth hunting for other local Microsoft and 3rd Party executables th
at you have access to, e.g:
dir /s %WINDIR% *.exe
Rundll32:
There is a vast array of commands that can be run via Rundll32, we have included
a few examples that could come in useful:
Stored Usernames and Passwords:
RunDll32.exe keymgr.dll,KRShowKeyMgrControl Panel:
RunDll32.exe shell32.dll,Control_RunDLL
Date and Time Properties:
RunDll32.exe shell32.dll,Control_RunDLL timedate.cpl
Device Manager:
RunDll32.exe devmgr.dll DeviceManager_Execute
Folder Options
General:
RunDll32.exe shell32.dll,Options_RunDLL 0
Forgotten Password Wizard:
RunDll32.exe keymgr.dll,PRShowSaveWizardExW
Keyboard Properties:
RunDll32.exe shell32.dll,Control_RunDLL main.cpl @1
Lock Screen:
RunDll32.exe user32.dll,LockWorkStation
Network Connections:
RunDll32.exe shell32.dll,Control_RunDLL ncpa.cpl
Open With Dialog Box:
Rundll32 Shell32.dll,OpenAs_RunDLL FILE.ext
Printer User Interface:
Rundll32 Printui.dll,PrintUIEntry /?
System Properties Box:
Rundll32 Shell32.dll,Control_RunDLL Sysdm.cpl,,3
Windows Firewall:
RunDll32.exe shell32.dll,Control_RunDLL firewall.cpl
Windows About:
RunDll32.exe SHELL32.DLL,ShellAboutW
WMIC.exe:
WINDOWS+E
Launch Windows Explorer
WINDOWS+R Run
WINDOWS+U Ease of Access Centre
WINDOWS+F Search
SHIFT+F10 Context Menu
CTRL+SHIFT+ESC Task Manager
CTRL+ALT+DEL Splash screen on newer Windows versions
F1 Help
F3 Search
F6 Address Bar
F11 Toggle full screen within Internet Explorer
CTRL+H Internet Explorer History
CTRL+T Internet Explorer
New Tab
CTRL+N Internet Explorer
New Page
CTRL+O Open File
CTRL+S Save
CTRL+N New
RDP / Citrix Shortcuts
Back To Index?
Citrix and Microsoft Remote Desktop Protocol (RDP) have their own set of shortcu
ts or hotkeys that correspond to Operating system functions or other unique action
s.
Remote Desktop Hotkeys:
CTRL+ALT+END Opens Windows Security dialog box
CTRL+ALT+BREAK Switches between windowed and full-screen
ALT+INSERT Cycles through windows
ALT+HOME Displays start menu
ALT+DELETE Displays control / context menu
CTRL+ALT+NUMBER PAD MINUS
Takes screenshot of active window onto RDP clipboard
CTRL+ALT+NUMBER PAD PLUS Takes screenshot of entire RDP session onto RDP clipboa
rd
Citrix ICA Hotkeys:
SHIFT+F1 Displays Windows Task List
SHIFT+F2 Toggles title bar
SHIFT+F3 Closes remote application / Citrix connection
CTRL+F1
Displays Windows NT Security desktop
CTRL+F2 Displays remote task list or Start Menu
CTRL+F3 Displays task manager
ALT+F2 Cycles through maximised and minimised windows
ALT+PLUS Cycles through open windows
ALT+MINUS
Cycles through open windows (reverse)
Batch Files and Scripts
Back To Index?
Batch files such as .BAT and .CMD can be an alternative for executing system com
mands when an interactive shell isn t permitted. Whilst .BAT files can be disabled
, the lesser known .CMD equivalent can sometimes be allowed.
Windows Script Hosts (WSH):
Providing access hasn t been disabled and we can run either the cscript.exe or wscrip
t.exe executables, we can use WSH to run a variety of different scripting languag
es, including VBScript, VBA and JScript by default.
As an example, we can execute the following VBScript snippet by saving the conte
nts within a .VBS file. Using this code, it may be possible to launch a CMD shel
l:
other languages that the system has support for can also be potentially abus
e.g. Python, Perl, PHP, etc. It is worth checking for these. Java, for examp
is commonly installed on a lot of hosts. The javac.exe and java.exe executab
can be used in a similar fashion to the example above.
If we can place our malicious DLL earlier along the path, then the application w
ill quite likely load our malicious code.
Conclusion
Back To Index?
It s probably obvious by now that these types of environments are very tricky to h
arden, and even trickier to harden properly.
Where a full Desktop Environment is available to a user, this can be an especial
ly challenging task. Operating Systems are designed by default to be feature-ric
h and as user friendly as possible. Unfortunately, these two attributes are not
synonymous with security.
We would recommend that any remote environment is configured in a pragmatic fash
ion, where the bare minimum of functionality is offered to users to enable them
to carry out their tasks. This serves the purpose of reducing the overall attack
surface that is available.
All default configurations should be tweaked and hardened to minimise any possib
le routes that an attacker may use to break out or escalate their privileges.
Verbose logging measures should also be in place, with events being reported to
a central monitoring / reporting system. This can allow administrators to monito
r any potential attacks that occur, often in