Kerberos Attack Surface

There are different ways of attacking active directory and the attack surface/vectors change all the time. I do like to use built-in tools and my own Linux box to interact with the windows infrastructure environment for few good reasons:

  • Not every environment use NTLM authentication
  • Hacker/Security tools fails to work in Kerberos only environment
  • Stealth – Kerberos less monitored protocol
  • Kerberos is less understood protocol
  • Majority of SIEM services fails to identify
  • Kerberos is difficult to monitor and identify anomalies
  • My ridiculous ego,unconscious aspect of the personality is happier with kerberos
Assumptions:
  • Gained initial foothold e.g phishing, web app exploit, client side attack etc.
  • Gained physical access and connected to target network Wired/WiFi.
  • You have no credentials to begin but you are connected to target network.
Reconnaissance Phase:

Domain Name Server (DNS) to look up for particular Active Directory Resource using  dig linux command line utility

dig  -t SRV _ldap._tcp.pri-dc-01.cryotoambient.com ( LDAP  AD server discovery)

dig -t  SRV  _gc._tcp.pri-dc-01.cryotoambient.com   ( Global Catalog  LDAP recon for entire active directory forest)

dig -t _kerberos._tcp.pri-dc-01.cryotoambient.com  ( Identify Key distribution center KDC)

dig -t  SRV  _kpasswd.tcp._tcp.pri-dc-01.cryotoambient.com  ( Kerberos Password changer server)

Example dig command to identify kerberos (KDC Servers)

dig

Figure 1 dig Linux utility to identify  KDC (Kerberos Key Distribution Center)

 

Similarly we can conduct reconnaissance using NSLOOKUP utility

Nslookup-Kerberos

Figure 2 identifying KDC using nslookup command line utility

LDAP –  We can identify domain controller  and request few details with no authentication:

  •  Functionality level  e.g.  Is the target server 2003,2008/2012 domain controller
  • Identify KDC Kerberos Distribution Center
  • Limited objectclass information e.g. Domain metadata

unauthenticated ldap query

Domain-Meta-Data-Through-LDAP

Figure 3  ldapsearch to list juicy useful metadata

Domain functionality level is 4 indicating the target server is Windows 2008 R2

functionality-levelFigure 4 unauthenticated ldap query to identify target server functionality level.

Functional-Level-Windows

Figure 5  -Ref Microsoft MSDN

You can also use Netbios to identify  hosts in a network  (NBT) still in use for legacy system. I leave this to the reader for unsupervised reading investigate how an attacker abuse NBT (nbtscan & responder)

Imagine that we obtained an unprivileged AD user with no remote desktop/no special privilege with most basic active directory rights e.g. simple basic active directory authentication.

NTLM SessionErro (NTLM Not Supported)

NTLM-Stopped

Figure 6 standard penetration tools fails to work with valid credentials

CME  Fails to with correct credentials. (Sky is falling – Target infrastructure is Kerberos only)

sme

Figure 7 CME and other pen test tools fails due to NTLM authentication is disabled

Under the hood at the packet level we see the see NTLMSSP_Auth Plinux user request failed due to the NTLM is not supported.

NTLMSSP

Figure 8 Attempt to establish NTLM session fails no session created.

Quick look at the Active Security Policy shows the  NTLM Authentication in this domain set to deny all ( Do not apply this to your production environment it will break legacy system communicating with the active directory server )

Kerberos-Only-DenyAll

Figure 9  Deny all to NTLM authentication. Very difficult to implement/apply deny all, due to the legacy products and still list of major network devices doesn’t support Kerberos authentication.

Sky is falling none of our standard security tools no longer work? So maybe the target system is SECURE?  Not so easy…  Kerberos (Hound of Hades)  Multi-Headed dog that guards the gates of the windows environment ( Dead from leaving )

Ok lets utilize MIT Kerberos V5 to operate in secure kerberos environment:

  • Configure /etc/krb5.conf and specify  default_realm to your AD
  • Set the relams at the bottom of configuration file to Active directory FQDN

5

Figure 10 we setup/configure kerberos KRB5 client and set the relam to our target domain controller to communicate target windows environment via Kerberos authentication.

We must make changes  to /etc/resolv.conf and point our attacking Linux machine to active directory domain name server (DNS) in our case the active directory runs  as DNS  and the IP is 192.168.1.100.

6

Figure 11 pointed our attacking Linux machine to the active directory

KRB5 configuration is complete we can now authenticate to Active Directory account.

7

Figure 12 kinit ambientuser user with valid password to create TGT Ticket Granting Ticket. The ticket issued by KRBTGT kerberos master key. Klist shows valid Principal.

smbclient with kerberos to authenticate the target victim server

8Figure 13 kerberos authentication used to connect the target server

rpcclient with  -k flag initiated to connect the target victim server

9

Figure 14 authenticated to the target server with TGT ticket

Shell? gaining shell via kerberos using wmiexec

10

Figure 15 limited shell with kerberos authentication on target victim machine

psexec with kerberos authentication against target server

11

Figure 16 psexec to authenticate target victim server

Golden ticket:
  • KRBTGT NTLM Hash
  • Domain Sid
  • Target Domain
  • Impersonated user

12

Figure 17 forged kerberos ticket user notadministraor to authenticate as domain admin target domain controller server.

Set export KRB5CCNAME variable to the forged kerberos notadministrator.cacche ticket

13

Figure 18 set KRB5CCNAME to our impersonated notadministrator.ccache

Mitigation:
  • Least privilege principle
  • Remove the use of NTLM authentication as much as possible and rely on Kerberos
  • Enable kerberos auditing
  • Monitor Kerberos authentication TGT & TGS tickets

 

 

Playing with Kerberos, Kerberoasting, Kinit, Ticket Granting Ticket (TGT)

There has been a number of technical blog posts, demonstrations  about Kerberoasting/SPNs and how widely abused attack vector against windows enterprise network infrastructure (AD) i will try to minimize background info on SPNs and kerberoating as much as possible and provide links at the end to all that i know about.

My focus on this post is to demonstrate how to perform all your attack on a Linux OS as opposed to windows based operating system, the advantages with this approach is your attacking system do not require to be domain joined, all you need is basic (AD) username and password to perform a successful attack.

Attack advantages:

  • Linux OS as attacking machine
  • No windows domain join hassle and permissions etc
  • Can use majority of red team and penetration tools
  • Stealth avoid detection

GetUserSPNs.py specify DC IP address and the user authenticate with.

1
Figure 1  List Services Accounts IIS_003 and IIS_002 assigned to servers.

 

GetUserSPNs.py   -request parameter and the DC IP address to request Kerb TGT service tickets.

2

Figure 2  -request parameter to capture kerberos ticket granting ticket on IIS_002, IIS_003 in hashcat format.

Hashcat password cracking tool to crack the TGT response on the IIS_002 and IIS_003 service accounts.   (Hashcat -m  130100  tgtkerberosticket.txt  dictionaryword.txt)

3

Figure 3  IIS_002 TGT Response ticket password successfully cracked.

Now that we know the domain controller FQDN we send 2 pings to the host.

4

Figure 4  sec-pr1-01 DC Netbios name identified.

In order to reduce and avoid detection (Red team)  in the target network we can utilize the use of Heimdal implementation of Kerberos 5 client to receive valid TGT session ticket and use Kerberos post exploitation as opposed password equivalent NTLM hash. The idea is to blend in to the target network and reduce the risk of been identified by security operation team (SOC) and security conscious system administrators.

Steps to configure Heimdal clients on Linux OS:

Vi /etc/krb5.conf 

  • default_relam set that  to a target domain controller CRYPTOAMBIENT.COM
  •  realms set that to a target KDC to Fully qualified domain controller e.g. my target domain controller is set to sec-pri-01.crytoambeint.com and the admin_server and default_domain to FQDN target server.

5

Figure 5 Heimdal Krb5 client configuration

We also must add the following entries in to the /etc/resolv.conf and point our nameserver to the domain controller. Almost 99% of time DNS is the root cause of kerberos authentications problems/issue. “My own personal experience”

6

Figure 6 resolve configuration file added with the target domain entries.

Kinit obtains and caches an initial ticket-granting ticket for ambientuser and klist is used to list the valid ticket issued by domain controller KRBTGT. Armed with valid TGT ticket we can tools from our Linux attacking machine and interact with accessible hosts within the domain controller forest.

7

Figure 7 TGT Ticket Granting Ticket for valid ambientuser received.

smbclient with –kerberos flag to use ambinetuser ticket to authenticate a hosts IPC$.

8

Figure 8 smbclient to use kerberos ticket as opposed to traditional clear text/NTLM authentication hash.

rpcclient  -k flag is to use kerberos to authenticate windows host joined cryoptoambient.com domain forest.

9

Figure 9 rpclient can be used to enumerate SID,RID Password policy etc.

wmiexec with -k flag and –nopass used to gain remote shell against the domain joined host using kerberos ticket – user must be part of local admin or domain admin group to be able spawn a cmd.exe process. WMI is still widely used/abused and difficult challenge for good guys to identify slow planned WMI attack.

10

Figure 10 wmiexec to gain remote administrative level shell on the target host.

psexec i will not and never will use it in real engagement but just for demonstration  i thought it’s a good idea to show different attack tool(s) that supports kerberos to interact with target domain joined hosts.

11

Figure 11 psexe to gain code execution with the SYSTEM privilege the disadvantages with psexec creates a service executable, writes to a share and finally execute/start the service.

Moral of the story:  Kerberos is the way to go in a locked down enterprise network to avoid detection and operate without the use of NTLM hash in windows environment.

Remediation:

  • Use Group managed security groups for service accounts
  • Use 28 or more password character for service accounts
  • Make sure service accounts are not delegated rights to domain admin or any other groups in fact.
  • Monitor and enable kerberos auditing
  • Investigate incidents do not just assume

Links:

What is SPNs

https://docs.microsoft.com/en-us/windows/desktop/AD/service-principal-names

kerberoasting

https://adsecurity.org/?p=2293

Hemidal Kerberos

https://www.h5l.org/

Windows Service Privilege Escalation

Now you have gained initial foot hold on the network and you almost certain the end user is low privilege user. Yes, you need to elevate the privilege to local administrator or maybe to system level or if you in luck domain admin.

 
So what we talk about here you may ask? Privilege escalation; a privilege escalation happens when a low level user requires access to a user or a service to increase privilege on compromised workstation/server etc.

Hacker thoughts and Post exploitation Assumptions:

  • Initial intrusion could start from anywhere, a phishing attack, a guest account a local authenticated user?
  • Living of the land, build in windows tools such as windows binary and PowerShell to come rescue?
  • Windows Services & Third party applications leverage and exploit it to our advantage and escalate low user to admin and or system.
  • Exploiting Weak Folder Permissions and mount and redirect  folder.
  • Classic dll hijacking and gain elevated privilege.

Steps to exploit weak services and binary implants

Assume we compromised an end user windows 10 fully patched workstation and the compromised user is as expected low level user (Authenticated user) no special permissions or rights.

There are different and easy ways to elevate privilige from low level user to all the way to  domain admins in less security conscious environment e.g The GPP Vulnerability  extracting cpassword filed in SYSVOL Groups.xml file etc

Here, we will be looking at different attack vector often overlooked  (Windows and third party services) often windows/third party service binary run under the System or high integrity level, any vulnerability in a service could result in privilege escalation.

Windows Services is  vast subject link for your further unsupervised read  here

Naturally, i go for quick powershell one liner to list all the potential vulnerable services in C:\ drive.  Get-WMIobject win32_service to look for services running outside of c:\windows folder   and the -eq “auto” is to check if the services out started, finally we check the  if the services running under the localsystem privilege account and we output the path is located.

 

service_02

Figure 1 we identified  c:\Users\lowuser\Desktop\AwesomeService\Secure.exe  path sits on user desktop with localsystem intergity level.

Icacls Microsoft  native binary to list  security descriptors on folders and files –  (F) indicates lowuser has full control over the Secure.exe binary. Obvious fail but this does happen all the time.

Service_1Figure 2    Lowuser has full control of the folder

Security descriptor definition language (SDDL) in windows world used to define access and protect objects for example, folders, shares, active directory objects, windows event logs etc.   SC sdshow lists access list against AwesomeService a.k.a to identify which user groups have access and make etc

service_03Figure 3 AwesomeService a.k.a Secure.exe SDDL

Brilliant description with SDDL breakdown here:

You might have notices you from SDDL output Authenticated User is not part of the SDDL,we can add our lowuser account to specific access.

 

 

service_04

Figure 4 Interactive user but not Authenticated User e.g. lowuser account

In order to add lowuser account to the list of SDDL we need the user Security Descriptor, we can identify user SID in the following locations:

C:\Users\lowuser\AppData\Roaming\Microsoft\Protect

5_service

Figure 5 low user sid

Whoami /all is also another way to list user SID

6_services

Figure 6  whoami /all cmd.exe

SC sdset to set the Authenticated User Read Property and Write Property

sdset

Figure 6 SetServiceObjectSecurity successfully set.

set

Figure 7 authenticated user is set and part of sddl.

Privilge escalation steps:

  • Lowuser has full control of the t C:\Users\lowuser\Desktop\AwesomeService\ folder
  • We can modify ,change, delete, replace
  • Build empire executable and replace the Secure.exe with our own call back agent
  • Reboot the service
  • Elevate Privillige from lowuser to SYSTEM integrity level

 

Compiled Empire agent executable and named it Secure.exe and copied to our Target Service location ( Replaced the legitimate Secure.exe service with our own executable)

service_07

Figure 8 compiled Empire callback and named it Exactly the same as Secure.exe

 

As expected we got shell from the victim machine with SYSTEM privilege successfully elevated from lowuser to SYSTEM user.

08_Service

Figure 9 Secure Process Shell with integrity level SYSTEM.

 

Final couple of words,  log log log everything from your end user workstations, ensure third party services not running under HIGH/SYSTEM integrity.

I hope this has been informative

LSA Secrets, Service Account Password Extraction, NT/SYSTEM Privilege Account, gMSAs

In this article we talk about one of the most common vulnerability exist in modern  enterprise windows network infrastructure. We demonstrate how an attacker elevate privilege from administrator account to NT/ SYSTEM Authority privilege which is highest privilege in local windows system. The idea is to use NT authority system privilege to interact with LSA secrets and extract passwords from services account. Often these services accounts misconfigured in modern windows enterprise, which likely enable low privilege user to gain higher privileges.

Technical assumptions:

  • Attacker has an elevated privilege (Local Admin)
  • Attacker identified a service account AwesomeService.exe installed locally and runs under the local administrator privilege

 

Regedit Registry editor permission with SAM hive file requires NT/Authority SYSTEM Privilege, we  can not access the SAM File hive with windows local administrative permission.

SYSTEMPerm

Figure 1 SAM Hive set to full control permission

 

We Launch registry editor under the local administrative privilege – we are not able to read/write and modify SAM files.

4

Figure 2 Regedit under the windows administrator privilege account.

 

We elevate the local administrator privilege to NT/Authority SYSTEM privilege using the SysInternals PsExec Mark Russinovich copy of the PsExec Here   with the -i interactive, -s run remote process in the system account and -d  dot wait for process to terminate.

1

Figure 3 PsExec elevated privilege from local admin to NT/Authority SYSTEM

 

NT Authority\SYSTEM has access to SAM hive files

NT-Authority-Sam-file-5

Figure 4 Corroborates the SAM hive access via SYSTEM privilege

 

We not really interested in SAM/SYSTEM contents – We are after LSA Secrets and Service Account password extraction, however we need to create and compile a windows 10 compatible service and install it locally on our windows 10.

2

Figure 5 –  We created AwesomeService.exe with DisplayName “Windows Update” using SC Service Control to install and set the run time to auto start.

 

Display Name set as Windows Update

3

Figure 6 AwesomeService.exe runs as service under the local administrator privilege.

 

AwesomeService current value is in binary mode

currentValue

Figure 7  AwesomeService in binary value

 

lsasecret.exe /service AwesomeService command to dump clear text password from the registry.

AwesomeService-OpenSSHd

Figure 8   extracted openSSHd and AwesomeService accounts from registry.

Link to github lsasecre.exe the original source code from “Timothy D.Morgan”

 

Mitigation:

There are couple of solutions to mitigate against this particular vulnerability – the easiest and Microsoft recommended approach is the use of native windows feature,  Managed Service Account (MSA) and Group Managed Service Account (gMSA) .

Switch to your Server 2012 domain controller generate KDS root key for use with managed MSA and Group Managed Service Accounts (gMSA)   New-KdsRootKey Powershell cmdlet to initialize the key. The reason that we need to generate this once because this will be used in generating passwords for the Group Managed Service Accounts.

Add-KdsRootKey –EffectiveImmediately

Run this under the windows administrator Powershell console; The  -EffectiveImmeditely takes 10 hours from the time of creation to allow all domain controllers to replicate before allowing the creation of a gMSA. The idea behind 10 hours delay is a safety measure to prevent password generation from occurring before all domain controller are capable of responding to gMSA requests.

Perhaps yo may want to run this over the weekend over the night in production environment?

 

Service Account Creation

It’s straightforward to create gMSAs (Group Managed Service Account) Switch to the server you want to add service account, you need active directory Powershell module part of the RSAT for this to work.

New-ADServiceAccount -Name svc_Secure -DNSHostName cryptoambient.local -PrincipalsAllowedToRetriveManagedPassword  WIN-12-AV$

Command Breakdown :

-Name    service name of your choice

-DNSHostName   –  FQDN for our domain controller that holds KDS root key in my case ambientcrypto.local

PrincipalsAllowedToRetriveManagedPassword     –  This parameter allows you to specify the server(s) that you are going to be running particular (gMSA) on.

 

That’s it, simple and extremely reliable to manage service accounts. Good luck 🙂

 

 

 

 

 

Windows Task Scheduler Privilege Escalation ALPC exploit

Quick Description:

Hacker goes by name SandboxEscaper decide to upload 0day exploit in the windows 10 32-64 bit & Server 2016 x64 task scheduler, SchRpcSetSecurity API contains a privilege escalation vulnerability which can allow authenticated low privilege user to overwrite content of certain files protected by ACLs in filesystem. This is big, a local user authenticated can elevate their privilege to NT Authority /SYSTEM, which is highest privilege in windows operating system.

Maybe this new trend to release 0days ?

Hey I link to the code here,hopefully SanboxEscaper doesn’t mind me doing that.

Exploit prerequisite:

-Windows 10 32/64 or server 2016 system
-Exploit code link here
-CFF PE resource editor link here
-Your own malicious dll e.g msfvenom or empire powershell post exploitation framework etc

Process explore tool to see existing/new running process.Cmd.exe then launched notepad.exe to create a new process id PID  so that we can use PID to call hijack DDL as system privilege.

lpp1

Figure 1  notepad process associated with PID 1356 run under the cmd.exe.

Windows CFF explore  to edit ALPC_Tasksched-LPE.dll  then  RCData 101, Click right to Replace Resource Raw  then poc.dll which we used empire C2 for dll generation . CFF

Figure 2 CFF explore edit the ALPC_Tasksched-LPE.dll and replaced the existing dll with our empire C2 for reverse during execution.

 

InjectDll.exe 3508 notepad PID and our modified ALP-TaskSched-LPE.PoC.dll

F

Figure 3  we execute InjectDll.exe with modified empire dll

Local copy of empire agent call back “whoami” command shows session runs under the NT Authority\SYTEM

NT-Authority-lpe-access

Figure 4  Agent runs under the NT AUTHORITY\SYSTEM privilege context

 

Quick Video session here to demonstrate steps taken to corroborate the  ALPC privilege escalation  https://youtu.be/t50v8zGIwWE

Remediation

Wait for Microsoft to release security patch next few weeks…

 

 

 

 

Playing and Hacking Active Directory Certificate Authority

Brief Active Directory Certificate Authority

Microsoft Active Directory Certificate Services provide a platform for generating and issuing and managing PKI Public Key Infrastructure certificates. In short AD CS provides certificates for securing HTTP traffic and also supports other authentication mechanism such as computer, user or device accounts on a network.
No point for me to describe what the certificate authority is used for as Microsoft has covered this here in details  here and here.

The objective with this brief technical article is to demonstrate common mis-configuration with the certificate generation and issuing keys to domain joined end users. The idea is to show an attacker can enumerate certificate authority using built-in windows MMC managed certificate Snap-in in windows 10 and export private keys to our attacking machine for offline PKCS12 PFX password recovery.
You probably ask why do you want to extract private key and recover the password? Well that depends on the type o certificate but generally speaking certificate used for encrypting traffic or perhaps use machine authentication to a domain controller or can be used as internal code signing certificate.
In my personal opinion I think CA Certificate Authority is significant attack vector and often overlooked by system administrators and security professionals, for years’ bad actors utilized and abused certificate authority to circumvent external/internal technical controls and security operations, often these attacks go undetected by third part and built-in signature based anti-virus products.

So let’s assume breach scenario here and an attacker managed to gain foothold on your end user windows 10 workstation and we also assume the workstation is domain joined, and there is a single tier domain joined active directory certificate authority installed on server that issues automated client machine/user certificates to the workstations once  joined the domain controller (AutoEnrollment Group Policy Configured)

LAB Setup and Break down:

Cryotoambient.com SEC-PRI-DC-1 (Primary Lab Domain Controller)

SEC-PRI-DC-02 (Secondary Domain Controller – Certificate Authority installed

Windows10 Domain Joined with active directory low privilege user ambient10

Let’s assume the attacker is on post exploitation phase and enumerating the workstation for vulnerabilities weakness to elevate higher privilege access from zero to hero domain administrator privilege. There are different methodology and techniques to elevate privilege from windows environment, unpatched vulnerabilities, powershell, vulnerable services, pass the hash,  credential theft and the list goes on.

Let’s focus on how an attacker abuse exportable certificates and reuse the certificate for other malicious use cases.

Certificate authority  we replicated an exiting template and named it User_V2.

1

Figure 1  Notice Private Key is to be exported ticked.

 

Enabled Certificate Templates we created.

2

Figure 2 Published User/Workstation authentication template.

 

Group Policy change to enable automatic enrollment.

comes just after 2 with commens

Figure 3  PKI Group Policy created to allow AutoEnrollement to end user workstations.

Joined our target windows10 to the domain controller.

comes before 2

Figure 4 DESKTOP-BOB1 Windows 10 Joined to the domain controller and waiting for the certificate to be pushed to the user workstation upon first login.

 

Issued Certificates to workstations.

3

Figure 5 User/Machine certificate issued to newly joined window10 with the user ambient10 as low privileged user.

 

Next we check newly joined Windows 10 MMC console under the Personal  Certificate we see ambient10 user been issued a certificate.

4

Figure 6 We use export wizard to export the private key in PKCS12 PFX format.

 

Certificate Export Wizard.

5

Figure 7 we select the export private key from abmient10 user personal certificate

 

ExportPrivateKey certificate saved on the ambient10 user desktop.

6

Figure 8  private key saved on to the ambient user workstation desktop

 

Next we move the file to the c:\cert folder on the target workstation 192.168.1.73 for quick certificate transfer to our attacking machine.

7

Figure 9 from our lab kali machine we use mount -t cifs to mount the remote folder to our /mnt folder on our attacking machine with the user ambient10 credential.

 

Now that we have copy of the private key in pfx format we github crackpkcs12 source code here and compile it on our kali machine.  Crackpkcs12 -b  certificatefile.pfx or pkc12 format.

8

Figure 10  Successful Brute force attack and recovered the Password “123”

 

When was the last time did you review/audit your internal Certificate Authority published certificates ? Do you know if the keys are exportable?

 

 

ETERNALROMANCE/SYNERGY EXPLOITATION ON WINDOWS 2012R2

MS10-010 vulnerability patched by Microsoft affecting from windows 7 to a windows server 2016 (Eternalromance/synergy published by shadow brokers the exploits are very unstable if tried against the windows 2012, 2016 server causing 100% of the target machine BSOD

This is not a comprehensive article but we will demonstrate how we can leverage and make necessary changes to the Sleepys code and make minimal code change in order to obtain a privileged windows meterepreter reverse on the target system

Virtual Environment & prerequisites

Kali Ubuntu Machine  IP address 192.168.1.14

Python v.2.7

Ps1Encode   – Used to generate PowerShell metasploit types revershell

https://github.com/CroweCybersecurity/ps1encode

Windows Server 2012 R2 target IP   192.168.1.30 ( Not patched with MS17_010 )

Ok so without further ado let’s compromise windows 2012R2 server

The exploit has been published by sleepya https://www.exploit-db.com/exploits/42315/  the exploit is working properly without doing any modification if we execute the exploit against the windows 2012r2 server it will create a file  in C:\pawned.txt  on the target disk .

But you might already think hm but that doesn’t give me meterpreter shell on the target box , that’s very much true but we make couple of modification to get the desired shell

We now enabled guest account on our windows server R2 windows machine

guest-account

Figure 1  we set the authentication to “guest”  with minimal privilege

Parameters

The exploit code requires two parameters  the actual Target IP address windows server 2012R2 in our case and the PIPE name  – windows named pipe is not in the scope of this article. SMB protocol supports three different types of shares  File share which is a directory tree, Print: print share  which is access to print shares on the server,   PIPE inter communication between the process that uses FIFO model essentially first in first out  a.k.a  named pipes .

What other pipe types you can potentially exploits on a windows server box ?

  • Netlogon, samr, lsarpc,spoolss,browser

Ok it’s very straightforward to identify which named pipe are available on a target server – I wrote a python scrip which compares the UID to identify if the named pipe exist is so then just check access if allowed or denied

Script identify named pipes on the target windows server 2012 R2

named-pipes

Figure 2 allows identify named pipe Browser, Spools, Netlogon, LSARPC, SAMR

If we decide to execute the exploit it will create c:\\namlook.txt on the target .

2

Figure 3  executed code without reverse shell created c:\namlook.txt

Code snippet creates namlook.txt on the target server

1Figure 4 CreateFile function adds pwned.txt on the target server but no reverse shell code.

Executing code with our SCT reverse shell code ( SCT File Extension ) Windows script component

This is an affective approach to evade security controls using the SCT extension with embedded powershell reverse shell code. We wil l use PS1encode  that allows us to generate encoded metasploit codes in different/several format

Exploit Modification/Reverse shell

Executing code with our SCT reverse shell code ( SCT File Extension ) Windows script component. This is an affective approach to evade security controls using the SCT extension with embedded powershell reverse shell code. We wil l use PS1encode  that allows us to generate encoded metasploit codes in different/several format

We can download the ps1encode here  from github   https://github.com/CroweCybersecurity/ps1encode

SCT Reverse Shell code

3Figure 5 reverse shell code windows/meterepreter/reverse_tcp

Armed with .SCT reverse shell file we simply move the to our python web server on kali machine  /var/www/html  or any machine that can be reach from the target server. The idea is that when we execute the exploit against the target server to use regsvr32 (Microsoft Register Server) command line utility for registering and  DLLs in the windows registry

Reverse shell code

regsrc32-http-connection

Figure 6  – We modified code to execute our malicious revershell code .SCT  on our target machine

Meterpreter session

We now configrured the metasplot’s exploit/multi/handler to receive reverse shell

pingping

Figure 7 handler configured with windows/meterpreter/reverse_tcp

After executing modified MS17_010 exploit get clean meterpreter reverse shell

sysinfo

Figure 8 sysinfo with  NT/Authority priv ….

 

Go and patch please … https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Eternalblue, DoublePulsar NSA Exploit

This is going to be series of articles about building NSA/ShadowBrokers exploit kit . We will cover the followings  (Eternalblue, EternalRomance, DoublePulsar ) exploits against windows server 2003,2008,2012 and of course why not with 2016 J

 

I’m not going to cover the background history lessons here for more information, please read  here

Ok so eternalblue & externalromance are 2 fantastic bufferoverflow exploits that exploits SMBv1  in memmove operation Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt with simple mathematical mists where a DWORD is substracted into a WORD . The kernel pool is groomed that overwrites an SMbv1 buffer. The actual Return address pointer (RIP) hijack is later completed in srvnet!SrvNetWskReveComplete.

We will not use NSA backdoor dll instead we generate our own DLL with MSFvenom  and execute against our target machine

 

Attacker IP 192.168.1.14 (Kali Linux)

Target IP   192.168.1.28 ( Lab domain joined Windows server 2008 r2 with Smbv1 unpatched)

Ok so i decided to port the NSA exploit kit on to my kali system

1

Figure  1 NSA exploit kit widows based to linux

2

Figure 2 exploit kit python fb.py  nice graphical NSA interface 🙂

3

Figure  3 Set target IP address 192.168.1.26 and Callback IP address 192.168.1.14

5

Figure 4 we use doublepulsar exploit to check if the system is already infected 🙂

6

Figure  5 we choice function backdoor and set path /tmp/win2008.bin shellcode to binary on the target system

7

Figure 6 final validation and we execute the exploit against 192.168.1.26

8

Figure 7 successful execution and shellcode is written to the output file

9

Figure 8 we use eternalblue SMBv1 exploit code and msfvenom reverse shell DLL to execute code on the target system

10

Figure 9 we select 1 tradtional exploit deploymenet using FUZZBUNCH NSA framework

12

Figure 10 we execute the eternalblue with our custom DLL

13

Figure 11 Recerse shell from 192.168.1.26 to our kali machine 192.168.1.26

 

So let’s  summarize

  • Smbv1 is bad and easy to exploit
  • The externalblue exploit runs with SYSTEM priv

ShadowBrokers Exploit Network Analysis

So I decided to spend some time investigate shadowBrokers EternalBlue exploit attack against windows on my favourite port TCP 445  and so I analysed 2 particular unique awesome remote execution exploits EternalRomance and DoublePulsar .

I personally find the NSA exploit naming convention absolutely/incredibly amazing

A bit of background history lesson

NSA has tons of money and best hackers out there ,yeah people hack for money and NSA willing to pay a lot for zero day exploits and hacking techniques but hey that’s how security industry work

EternalBlue is the a weaponised exploit kit with number of zero day exploit codes for windows/linux operating systems, one of the exploits EternalRomance is exactly the same as MS08-067 SMB exploit but the only difference is the year 2017 O.0

So we created wireshark PCAP(s)  and run EternalRomance exploit against unpatched windows system (successful compromise with NT/Authority System Level Privilege)  and second objective was to reconnect to the compromised system using (DoublePulsar) which is a very impressive backdoor listens on TCP 445 and RDP 3389 to connect back to the target machine ( EternalBlue installs DoublePulsar)

 

Eternal blue exploit documented here the exploit is against windows 7 unpatched windows system

One of the interesting observation we made is that when run the eternalblue exploit against unpatched windows 7 it sent a Trans2  stands for Transaction 2 Subcommand Extension (highlited in yellow)  This particular request is send just before the exploit is sent the intent/idea is to check if the target windows system already exploited or not .  The response from the system returns with  SESSION_SETUP, ERROR: STATUS_NOT_IMPLEMENTED however when we look at the packet we see the Multiplex ID is returned with 65 (0x41) for not compromised system and  Multiplex ID 81 for compromised infected system  .

Trans2 Request, SESSION_SETUP  Initial request
TCP-1
Figure 1 Transe Response SESSION_SETUP, Error: Status_NOT_IMPLEMNTED

BufferOverflow payload sent to target system

tcp-02
Figure 2 packet contains large number of buffer sent to  target windows server
smb.mid==65 (0x41) confirms Trans2 as initial check request

tcp-02-02

Figure 3  Trans2 request is sent to check if system infected or not
EternalBlue PCAP exploit network analysis
https://www.dropbox.com/s/dp64m5ay5xo75li/EternalBlue-Unpatched-Windows7-Exploit.pcap?dl=0
DoublePulsar PCAP exploit network analysis
https://www.dropbox.com/s/kujlk8p0oi7ych6/DoublePulsar-Exploit-mid-81.pcap?dl=0
  Wireshark filters

EternalBlue exploit  smb.mid == 65   ( Initial exploit)

DoublePulsar back door exploit smb.mid==81  ( Stealthy backdoor)

So we can conclude that the EternalBlue exploit used for initial bufferoveflow attack and foot hold on the network with NT/Authority SYSTEM privilege – highest privilege one can have and the DoublePulsar used for connecting back to the infected system

Mitigation

Go check your entire network and find all smbv1 and turn it off ( Smbv1 is bad)