Forewarning, this is going to be a quick and dirty post. I’ll publish code to github once there is something worthwhile to post, until then, you can find the code below.
So you’re admin, you’ve bypassed UAC, it’s time to run hashdump and/or mimikatz but nothing happens, what gives?
It could be a number of issues: bitness of the session, the inability to impersonate or become SYSTEM, and so on (see Rob’s post which discusses it further). Usually my go to is to spawn a new SYSTEM session via psexec or getsystem, both of which will probably end up creating a new service (see Raphael’s post about getsystem). So what’s the problem? Well I’ve found that Endpoint Protection Platforms (EPP) have begun to either block or flag this activity as suspicious.
Enter Windows update standalone installer, or wusa.exe, which executes in an interesting manner. When called from a low or medium integrity process it will spawn as a high integrity elevated process, perfect for bypassing UAC, a technique which can be seen in TokenMagic and TokenDuplication. Additionally, it can be used to run SYSTEM tasks without spawning a service. As a quick and dirty PoC I used a reflective DLL to spin up a hidden instance of wusa.exe which needs to be run from a low or medium integrity process.
Continue reading “Dude, Where’s My Hashes”
Lately I’ve been playing around with MSI files as an all-in-one phishing package. I feel that MSIs are moderately trusted when it comes to downloadable files. Couple this with the ability to introduce some logic and I think MSIs can be a great way to avoid common security controls while shooting for that initial foothold during an engagement.
Personally, I feel when targeting users of high infosec awareness it’s best to bring the target to you and make them want to download your software. I like to bundle a bunch of publicly available legitimate tools with one or two of my custom written files … never embed cleartext shellcode, always grab it from a web server, dns, or whatever. This post follows ThunderMSI, a faux CISSP study guide that performs a series of actions depending on the user’s privilege level.
Recommended Read – Wixsharp Managed Setup
How to Defend
- Be skeptical when downloading software. It might be a good idea to have an auditing VM dedicated to vet software before installing on your primary machine.
- A good HIDS should be able to flag or detect several of the suspicious actions in this PoC. For example, a well written MSI shouldn’t be writing an exe to system32 or creating scheduled tasks in Windows sub-directories.
- Monitor processes for network IO. It’s not a good thing if cmd.exe or powershell.exe is consistently generating unexpected network traffic.
ThunderMSI is a C# program using wix and wixsharp that builds into a single .MSI file. It contains nothing that should be flagged as malicious; however, there are some WINAPI calls (createremotethread) that might trigger advanced endpoint solutions.
Continue reading “Phishing with Smart-ish MSIs”
Lately I’ve been playing around with Visual Studio Tools for Office (VSTO) as a persistent foothold. VSTOs are Microsoft Office add-ins that can enhance the user’s experience or automate tasks. Enabled add-ins are run every time the target Office application is started, a perfect persistence point. VSTOs can be written in C# or VB, and if done correctly, do not require administrative privileges to install.
Because of this event driven nature and the non-admin installation, I think VSTOs could be a decent addition to a phishing installation package. I’ve put together a proof of concept which can be found at https://github.com/ThunderGunExpress/ThunderVSTO
What This is Not
A complete installation package. This persistent VSTO would need to be included in some sort of a larger installation package. Fortunately, I plan on posting about this at a later date.
How to Defend
Sysinternals Autoruns checks for Office add-ins; however, unless I’m missing something, it only displays the HKLM\Software\Microsoft\Office\**Office App**\Addins. Personally, I would target HKU instead (non-admin) which is not tracked by Autoruns.
Continue reading “Persistent VSTO”
This really isn’t much of a post; instead, I wanted to show some love for https://www.hackthebox.eu/ which a friend recently introduced me to. I just started to work my way through some of the challenges and I think it’s very well done.
We all know that UAC is not a security boundary. That being said, it can be super annoying, and sometimes difficult, when you just want to spawn a window-less high integrity session so you can continue with funtimes.
Recently I came across the technique described on Tyranid’s Lair to bypass UAC, but I could only find Powershell implementations like UAC-TokenMagic and Invoke-TokenDuplication. So to take a different route, I put together a reflective DLL that uses this technique and an Aggressor script to make everything easy.
The DLL creates a duplicate token for wusa.exe, crafts a new restricted token, spawns an elevated hidden instance of cmd.exe, and proceeds to inject shellcode into cmd.exe via RTLCreateUserThread. I’ve tested it on Windows 7, 10, 2008, and 2012 on both x64 and x86 architectures.
Lately I’ve been neglecting my CTF posts so I could put some time into OutlookToolbox, a C# DLL that uses COM to target Outlook in the background. Additionally, I put together a Cobalt Strike Aggressor script to assist with the execution of OutlookToolbox, both of which can be found at the repository here – https://github.com/ThunderGunExpress/OutlookToolbox.
This is a quick and dirty post which will cover the features. Later, I plan on creating another post which further explores potential use cases of OutlookToolbox.
- Only use for good.
- I have not done extensive testing with this tool, use at your own risk. I recommend testing OutlookToolbox on a replica of your target first.
- The Aggressor script uses several brm (file and/or directory remove) function calls which can bulldoze entire directories if input is not sanitized correctly. I’ve tried to iron out all the issues, but still, I would put OutlookToolbox in a non-critical directory like C:\Users\Public\Documents just to be safe.
What it Does
- Lists folders in Outlook (Inbox, Sent Items, Conversation History, Joe’s Custom Folder … )
- Exports target folder to a CSV File
- Enumerate targets using the GAL
- Download specific messages
- Sends an email on behalf of the target user
How to Prevent
Configure Outlook’s programmatic access security to report on suspicious activity – MS link. Email encryption will cause several of these functions not to work, not a bad idea.
Continue reading “OutlookToolbox”
Lately, I’ve been dedicating my spare time to Pentestit v11, a terrific pentest lab which is great to hone those skills. If you have the spare time, I highly recommend participating – lab.pentestit.ru.
Version 11 is named “Who is Mr. Hacker?”. To start, we are given a network diagram and two target IP addresses: 192.168.101.10 and 192.168.101.11. For this post, I’ve created my own network diagram so I can mark it up along the way.
Obviously there are spoilers ahead.
Continue reading “Pentestit v11”
Just a FYI, this is more or less a placeholder post with little content until I upload a walk-through.
While surfing reddit/netsec someone posted a link of a walk-through of some targets in a virtual pentest lab called practicalpentestlabs, naturally I decided to give it a go.
To join the game, it’s as simple as registering and establishing a VPN session into the lab environment via openvpn. Target IP addresses are provided, and depending on the difficulty, a little hint giving potential avenues of attack. The goal is to hack into each of the targets and grab the contents of secret.txt, which usually resides in /root or the administrator’s desktop. The contents of secret can then be submitted for points, the amount awarded is based on the difficulty of the target. Accumulated points are tracked on a pretty slick dashboard … sorry I couldn’t help myself :S
At the moment, I’ve worked through the web application and scenario based targets with the exception of “X”. I thought the targets were challenging but not insanely difficult. Practical pentest labs was a great walk-through of various vulnerabilities while not obscuring them to a point where it’s less an exploitation exercise, and more a game of hide and seek. Continue reading “Practical Pentest Labs”
In the previous post we discussed using Responder with Snarf, this post will be doing the same but through a pivot. To pivot in we’ll be using Simpletun and a layer 2 pivoting client, this will give the ability to assign an IP address to an interface on our attacking VM, listen for broadcasts, and where available, respond. Commercial products Metasploit Pro and Cobalt Strike have this feature built-in and perform the pivot via encrypted channels, if you are not intentionally looking to get caught by Blue Teams, use them. Another option is Inveigh, a powershell LLMNR/NBNS spoofer with relay capabilities that is included in Empire and available for pivot poisoning without the layer 2 tunnel.
Continue reading “Responder and Layer 2 Pivots”
This post is about using Responder and Snarf to poison broadcasts, SMB relay, enumerate privileges and files, and when we choose, spawn a shell. Bonus post includes doing all of the above through a pivot.
I would imagine the majority of the offsec crew can appreciate Responder and all that it can do. Using in UNION with SMB relay, it can be a great way to get that first shell or enumerating sensitive files. The good old days where we can relay back to the source are long past us (well I hope), but that doesn’t mean we should dismiss this as a potential wedge point.
Continue reading “Responder and Snarf”