Eternalblue, DoublePulsar NSA Exploit

This is going to be series of articles about building NSA/ShadowBrokers exploit kit . We will cover the followings  (Eternalblue, EternalRomance, DoublePulsar ) exploits against windows server 2003,2008,2012 and of course why not with 2016 J


I’m not going to cover the background history lessons here for more information, please read  here

Ok so eternalblue & externalromance are 2 fantastic bufferoverflow exploits that exploits SMBv1  in memmove operation Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt with simple mathematical mists where a DWORD is substracted into a WORD . The kernel pool is groomed that overwrites an SMbv1 buffer. The actual Return address pointer (RIP) hijack is later completed in srvnet!SrvNetWskReveComplete.

We will not use NSA backdoor dll instead we generate our own DLL with MSFvenom  and execute against our target machine


Attacker IP (Kali Linux)

Target IP ( Lab domain joined Windows server 2008 r2 with Smbv1 unpatched)

Ok so i decided to port the NSA exploit kit on to my kali system


Figure  1 NSA exploit kit widows based to linux


Figure 2 exploit kit python  nice graphical NSA interface 🙂


Figure  3 Set target IP address and Callback IP address


Figure 4 we use doublepulsar exploit to check if the system is already infected 🙂


Figure  5 we choice function backdoor and set path /tmp/win2008.bin shellcode to binary on the target system


Figure 6 final validation and we execute the exploit against


Figure 7 successful execution and shellcode is written to the output file


Figure 8 we use eternalblue SMBv1 exploit code and msfvenom reverse shell DLL to execute code on the target system


Figure 9 we select 1 tradtional exploit deploymenet using FUZZBUNCH NSA framework


Figure 10 we execute the eternalblue with our custom DLL


Figure 11 Recerse shell from to our kali machine


So let’s  summarize

  • Smbv1 is bad and easy to exploit
  • The externalblue exploit runs with SYSTEM priv

ShadowBrokers Exploit Network Analysis

So I decided to spend some time investigate shadowBrokers EternalBlue exploit attack against windows on my favourite port TCP 445  and so I analysed 2 particular unique awesome remote execution exploits EternalRomance and DoublePulsar .

I personally find the NSA exploit naming convention absolutely/incredibly amazing

A bit of background history lesson

NSA has tons of money and best hackers out there ,yeah people hack for money and NSA willing to pay a lot for zero day exploits and hacking techniques but hey that’s how security industry work

EternalBlue is the a weaponised exploit kit with number of zero day exploit codes for windows/linux operating systems, one of the exploits EternalRomance is exactly the same as MS08-067 SMB exploit but the only difference is the year 2017 O.0

So we created wireshark PCAP(s)  and run EternalRomance exploit against unpatched windows system (successful compromise with NT/Authority System Level Privilege)  and second objective was to reconnect to the compromised system using (DoublePulsar) which is a very impressive backdoor listens on TCP 445 and RDP 3389 to connect back to the target machine ( EternalBlue installs DoublePulsar)


Eternal blue exploit documented here the exploit is against windows 7 unpatched windows system

One of the interesting observation we made is that when run the eternalblue exploit against unpatched windows 7 it sent a Trans2  stands for Transaction 2 Subcommand Extension (highlited in yellow)  This particular request is send just before the exploit is sent the intent/idea is to check if the target windows system already exploited or not .  The response from the system returns with  SESSION_SETUP, ERROR: STATUS_NOT_IMPLEMENTED however when we look at the packet we see the Multiplex ID is returned with 65 (0x41) for not compromised system and  Multiplex ID 81 for compromised infected system  .

Trans2 Request, SESSION_SETUP  Initial request
Figure 1 Transe Response SESSION_SETUP, Error: Status_NOT_IMPLEMNTED

BufferOverflow payload sent to target system

Figure 2 packet contains large number of buffer sent to  target windows server
smb.mid==65 (0x41) confirms Trans2 as initial check request


Figure 3  Trans2 request is sent to check if system infected or not
EternalBlue PCAP exploit network analysis
DoublePulsar PCAP exploit network analysis
  Wireshark filters

EternalBlue exploit  smb.mid == 65   ( Initial exploit)

DoublePulsar back door exploit smb.mid==81  ( Stealthy backdoor)

So we can conclude that the EternalBlue exploit used for initial bufferoveflow attack and foot hold on the network with NT/Authority SYSTEM privilege – highest privilege one can have and the DoublePulsar used for connecting back to the infected system


Go check your entire network and find all smbv1 and turn it off ( Smbv1 is bad)

DKIM Office 365 & DNS change GoDaddy :

Configuring DKIM  on Office 365 and GoDaddy

What is DKIM

DomainKeys Identified Mail is an email authentication method designed implemented to detect email spoofing . It enable the receiver to check that an email claamied to have cam e from a specific “domain “ for example how do you know if you received an email and it’s not spoofed?

It is intended to prevent forged sender address in emails, a very common and affective technique to harvest credentials or drop a malicious attached file to the target system

Read on phishing and email spam here


Ok so you bored by now and like to jump to configuration with Office 365 and your DNS provider?  Ok in my case I will be configuring Office 365 demo tenant I created for 30 day trail and my Go phishing service provider sorry I meant GoDaddy

Please note you should always use SPF/DMARC in addition to DKIM to prevent spoofers from sending you malicious emails looks like they are coming from your domain .

Does this sound complicated at all ? DKIM is simple especially with office 365 its almost no technical skill required but I still see people struggle with this concept

Step one 

Go to office 365 and exchange online protection and click DKIM ( By default the first DKIM and SPF already enabled for you but any other site you add you need to configure and enable dkim.



Figure  1 DKIM configuration

If you decide to add new site In my example is my domain and registered for office 365 domain demo tenant and now I want to enable  DKIM for

Add your domain if and click on enable button  and you will get an error like this?

CNAME record does not exist for this config. Please publish the following two CNAME records first.



Figure 2 CNAME selectors for DKIM –

You need these selectors to be added to your external DNS service e.g Go Daddy or any other provider, it could be your own DNS service so that you can prove own the domain – I use Go Daddy because it’s cheap and easy to make dns changes

GoDaddy DNS portal


Figure 3 add your selector1 to GoDaddy


Now we have configured the DNS and point CNAME to office 365 DKIM we test it by sending myself an email and capture the header


Figure 4 DLKIM header is pass and SPF already generated

Nslookup for testing ?


Figure 4 nslookup with type=txt to check if DKIM work

Final word Remember Microsoft has the private key and you no longer have control of your own keys? Maybe secure maybe not but hey it’s easy to enable DKIM  J

NTDS.DIT Active Directory Passwords & Decryption

Windows Server 2008 Active Directory

We know local user accounts are stored in SAM file and we have previously demonstrated on PASS THE HASH article how to dump/extract use abuse these password equivalent hashes.

In this article we demonstrate/describe some of the attack techniques to gain access to a windows domain controller the techniques to copy NTDS.dit database using built-in tools “living off the land “ the use of WMI, VSSADMIN , PowerShell. A.KA Microsoft post exploitation framework  J

Active directory data is stored in the Ntds.dit ESE database file.  Two copies of Ntds.dit present in separate location on a given domain controller  %SystmRoot%\NTDS\ Ntds.dit  &  %SystemRoot%\System32\Ntds.dit .

These are exclusive locked file meaning they cannot be copied simply using click right and copy to the destination will not work as these files have in use with set of permissions  attribute on.

This of course doesn’t mean we can’t using Build-in tools VSSADMIN or PowerShell to make a copy of the Ntds.dit file locally and infiltrate to our attacking machine for closer offline analysis and password extraction. But of course we need to gain access to the domain controller with local administrative privilege or domain admin in order be able to copy the AD server crown jewels .

Without further ado let’s get to hacking into breaking windows 2008 active directory

Our attacker IP address is set to   

Our target is windows 2008 active directory installed

We already have an administrative account (Credential theft or MS14-068 Kerberos prive escalation

Windows Built-in tools – Welcome to VSSADMIN  .

VSSADMIN is essentially shadow volume copy feature since windows Vista that allows an administrator or “hackers” to take friendly snapshot backups files even when the files are currently in use J  J J  that’s how I feel when I login to a Domain controller…

You already figured out my next move – Yes I will use VSSADMIN built-in tool to copy NTDS.dit and SYSYEM file from the domain controller save it to the disk for remote exfiltration.  You may ask why we need SYSTEM file. Great question, SYSTEM file contains what knows as Boot secret key which used at the windows boot startup for decryption

Quick Scan against domain controller identified port SMB on 445 and Port 88 kerberos authentication protocl .

server_2008_nmapFigure 1 Port scan identified number of open ports from our attacking machine

Credential theft – We use Rdesktop to login to the remote server 2008 AD.

rdesktop_02Figure 2 with administrative access we login to the remote Target windows 2008 server

vssadmin create shadow /for=c:  to creaate a light snapshot

vssadmin-create-copy-03Figure 2 vssadmin built-in windows tool to create a fast snapshot

Next we  use copy command and copy the ntds.dit file to our \windows\ntds\ntds.dit location

copy-ntds-dit-04Figure 3 snapshot of ntds.dit now successfully copied to the c:\ drive

We also need a copy of SYSTEM File to decrypt the NTDS.dit objects

copy-system-dir-04Figure 3 SYSTEM file is copied to c:\ location we need that file to decrypt the ntds file

Now that we have a copy of NTDS.dit and SYSTEM file waiting for final exfiltration to our attacking machine for offline decryption

We use Mount -t cifs to connect the target remote machine specefying the username and password and associate /mnt/

mnt-copiedFigure 4 C$ is mounted to /mnt drive to copy ntds.dit and SYSTEM file for extraction

We use to look at certain table and grep particular hashes from the NTDS.dit file

bFigure 5 we use esentuil to grep datatable contains hash objects

Next we we use extract datatable from the ntds.dit and pipe it to the output.txt file

ntds-dirFigure 6 we point SYSTEM file and output extract and pipe it to the hashes.txt file

Password equivalent hash extracted from windows active directory server

hashes-textFigure 7 Windows NTLM password hashes

So there we are , NTLM password hashes for PTH & offline decryption





Pass The Hash …

We got hacked and yes this was sophistictaed attack


Long live pass the hash.

In cryptanalysis and computer security PASS THE HASH is security hacking technique that allows an attacker or researcher to authenticate to a windows remote service or service by using underlying LM LanMan or NTLM of the users password, instead of requiring  the associated correct plaintext password as is normally the case  .


Microsoft Windows Operating Systems store hashed user password in SAM Security Account Manager. In order to stop and deter offline password attacks against the database, Microsoft Introduced SYSKEY which will partially encrypts the SAM file. An attacker will not be able to decrypt SAM file without SYSKEY and SYSTEM File.

Microsoft based operating system up to windows 2003 store two separate authentication password hashes; LAN MANAGER (LM) which is based on DES DATA ENCRYPTION STANDARD based on symmetric block key and NTLM NT LAN MANAGER based on MD4 yes Message digest 4 hashing.

LM LAN MANAGER provide little or no security and known to be extremely weak for the following reasons:

Passwords that are longer than seven characters are split into two strings each is hashed separately .The password is converted to upper case before begin hashed. The LM/NTLM hashing system does not include salts making brute force rainbow table attacks possible.


From windows Vista on , Windows operating system by default disables LAN MANAGER LM and uses NTLM which supports all Unicode characters, and does not limit stored passwords to two 7 character but of course NTLM hashes stored in SAM database are not salted.

The SAM database cannot be copied while the operation system is running even though the windows kernel keeps an exclusive file system lock on the file, however PowerShell allow direct interactions with exclusive locked privileged files. There are many other techniques to extract windows password hashes , such as DLL injection against  LSASS Local Security Authority Subsystem Service which is core windows authentication package.

Windows Authentication

After a user logs on to windows operating system, a variety of the account credentials are generated and stored in the LSASS Local Security Authority Subsystem Service, Process in memory. This meant to allow the SSO (Single Sign On) ensuring a user isn’t prompted each time resource or services is requested. The credential data depends on the environment and configurations. This may include Kerberos TGT Ticket Granting Ticket, NTLM password hash, LM password hashes, in some instances if the user password is less than 15 characters, depending OS version and Patches level it might be possible to extract clear-text passwords (WDigest and SSP Authentications)

While it’s you can stop/prevent windows system from creating LM hash in local SAM file however this doesn’t prevent system from generating LM hash in memory. From windows vista and windows server 2008 LM is no longer generated for users unless explicitly enabled by users.

WDigest & Clear-Text Password?

Microsoft introduced Wdigest.dll in the windows XP operating system, the protocol is designed for HTTP Hypertext Transfer Protocol and Simple Authentication Security Layer (SASL) which mean passwords are not encrypted when sent to a server leaving them vulnerable to man in middle attack, at the same time windows stores the password in memory for convenience of the user when they login to their local workstation.

When Microsoft release windows 8.1 they added a security features that mitigated ability of tools like WCE , mimikatz to dump/extract clear text credentials from LSA memory .

In 2014 Microsoft backported those security fixed (  for windows operating system prior to 8.1 however because of legacy OS and WDigest is used by many products (IIS) Microsoft left the Wdiget providers enabled which is why it’s still possible to use mimikataz module to obtain clear-text passwords prior to windows 8.1

After you install this security update, you can control how installed WDigest credentials can be saved by using a registry setting. To prevent WDigest credentials from being stored in memory, a Group Policy setting can be applied to the UseLogonCredential registry entry under the following subkey:


  • If the UseLogonCredential value is set to 0, WDigest will not store credentials in memory.

  • If the UseLogonCredential value is set to 1, WDigest will store credentials in memory.

Windows 10 enterprise , Security Provider registry doesn’t contain UseLogonCredential entry



Figure 1 Default to windows 10 with no UserLogonCredential entry

We simply force UseLogonCredential entry set to 1 forcing registry to store clear text password in the memory  ( NT/Authority credentials required)

2Figure 2 creating UseLogonCredential in order to force user credentials stored in clear text.


UseLogonCredential entry created in SP Security Providers registry Under WDiges . The value is set to 1 stores the credentials as clear text in memeory


Figure 3 UseLogonCredential set to 1 which allows an attacker to extract clear text password direcrly from memory

Mimikatz powershell password dump with WDigest set to 1 allows clear text password


Figure 4 WDigest UseLogonCredential set to 1 allowing credential to be extracted

Mimikatz PowerShell password dump with WDigest set to 0 prevents clear-text password extraction


Figure 5 UseLogonCrdential set to 0 prevents user not to store password in memeory

WDigest Provider UserLogonCredential Registry REG_DWORD set to 0X0 mitigate against clear-text password extraction


Figure 6 corroborating UseLogonCredential is not set to  1 to fix the issue

Pass the hash (Local System)

PTH requires local administrators’ privilege that’s because local admin has Debug privilege assigned to it. Below we demonstrate PTH and open two cmd.exe consoles, one as an administrator and the other one as normal user

Cmd.exe run as Administrator has debug Privilege permission


Figure 7 Whoami /all shows administrator as part of Debug priv permission

Authenticated user with no administrator privilge


Figure 8 authenticated none privileged user with no debug privilege

There are different techniques and ways to extract password hashes from local windows operating system. We use Mimikatz for password extractions

Privilege debug is set to ok however the Lsadump::sam failed to work as mimikatz requires to have NT/Authority SYSTEM privilege to extract password hashes from the system


Figure 9 token::whoami shows Zane as normal authenticated user

How do we elevate NT/Authority SYSTEM user in order to have appropriate permissions to access windows secret hives . We  use SysInternls tools to elevate permission Local System

psexec -s -i -d cmd.exe

System internal tools to elevate local system


Figure 10  nt authority\System priv

Alternatively we can elevate within the mimikatz request nt authority/system


Figure 11 token::elevate delegation

lsadump:sam to dump NTLM password hash from SAM file


Figure 12 Mimikatz to extract the SAM hash database

sekurlsa::pth /user:Administrator /domain:locahost  /ntlm:9cf1735cff285fdcc130125cee


Figure 13 Sekurlsa obtained new cmd.exe prompt with admin token  (Mimikatz)

Dumping windows live memory

One of the tools i like to use during security pentest engagement is  ProDump a command-line utility who’s primary purpose is monitoring an application for CPU spikes and investigating crash dumps but we obviously  we interested to perform the memory dump of the core windows authentication process LSASS.exe in order to do some offline analysis using mimikatzzzz

But first we need to move ProcDump to the target victim workstation?

There are number of techniques to transfer files to the victim target workstation, but my preferred way PowerShell since the target is windows workstation

Basic PowerShell script to copy ProcDump.exe from our attacking machine and rename it on the disk hacker.exe using  System.Net.WebClient cmdlet to do clean transfer to our target destination


Figure 14 System.Net.WebClient cmdlet powershell file transfer

Next we attach the ProcDump to the lsass.exe in order to dump extract clear text password hashes.The -accepteula parameter is to accept EULA ,this its necessary to use it other wise you will get stuck in the remote console. We perform the memory dump for offline clear text and password hash extractions

hacker.exe -accepteula -ma lsass.exe


Figure 15 we use ProcDump to dump live memeory  .

Next we use mimikatz module to dump the hashes from ProcDump lssas.dmp file which contains the administrator password hashes and clear text passwords.


Figure 16  Password hash dumped from procdump .dmp file


  • Use LAPS Local Administrators Password Solutions to mitigate Lateral movements
  • Switch off Privilege debug permissions – You don’t need it
  • Upgrade to windows 10 with device guard enabled


Encryption & OpenPGP

The  is more of comprehensive post detailing how to setup and use PGP encryption on any Linux machine using the most widely used GnuPGP, as the name describes PGP Is free open source. i will describe and explain core concepts the following ,

  1. Why encryption & core concept of the OpenPGP
  2. Generating encryption
  3. Revocation certificate
  4. Backup configuration and data



Generally there are two types of encryption: Symmetric and asymmetric. In symmetric encryption shared key is used to encrypt document and decrypt from clear text to cipher text  example of symmetric tools 7zip widely used or HDD hard disk drive encryption, Bitlocker, Becrypt. Clearly the use of symmetric is only worth anything if both sender and receiver know the secret.  Asymmetric.

Asymmetric encryption much more secure , in total two keys are used throughout the encryption process The way asymmetric key works is that if document encrypted with one key only be decrypted with using the other key a.k.a Public and Private keys, this form of encryption also known as trapdoor algorithms  “Consider a padlock and its key. It is trivial to change the padlock from open to closed without using the key, by pushing the shackle into the lock mechanism. Opening the padlock easily, however, requires the key to be used. Here the key is the trapdoor and the padlock is the trapdoor function”

So what does encryption provide ?


Asymmetric encryption is used to maintain the confidentiality i.e  the privacy of your data, documents , this formation of encryption involves generating a “keypair” i.e if document is encrypted with one can only be decrypted by the other (public, private)  you share your public key with other and keep your private keys for yourself. People who want to communicate with you via encrypted e-mail will use public key to encrypt the clear text to cipher-text and read it.

Asymmetric encryption  has security advantages with a few drawbacks. It’s computationally intensive, in actual fact Asymmetric uses hybrid encryption rather than just public keys

Installing and using OpenPGP

This just a basic guides to get started with installing and running OpenPGP on Centos 7. I;m not running Windows or other GNU/Linux flavours but you can probably find some good guides installing PGP online elsewhere.

Install GnuPG2

Almost all linux operating system have GnuPGP but if not for some reason it should be pretty easy to install

 sudo yum install gnupgp2 pinentry-gtk 


Figure 1 installing gnupgp2 locally

Below gpg –version  for successful installation

Screenshot from 2017-05-29 09-26-49

Figure 2 gpg version with successful installation


Generate A Keypair

This involve using your favourite command launch terminal app and type

gpg –gen-key

you will this this

Screenshot from 2017-05-29 09-40-06
Figure 3  – just choice the default version 1 to select RSA

Next we select the key size i like to have 4096  but that a decision yo need to make. remember the the loner key the more security however they can also take very long to generate on the older hardware especially old legacy embedded system

RSA as selection and the key size is 4096

Screenshot from 2017-05-29 09-43-11

Figure 4  –  The key size and how long the key should be valid is your decision. if somehow your private key becomes compromised you will be able to revoke it using the revocation certificate just hit y and enter again.

0 valid and the key does not expire

Screenshot from 2017-05-29 10-12-50

Figure 5 Email address must be your valid email


Your User ID constructed

Screenshot from 2017-05-29 10-16-22

Figure 6 Just type O  to confirm a dialog box will appear asking for a passphrases. this is crucial to make sure that even if an attacker gain access to your private key , they might not be able to use it. Make sure this is a strong password. Complex password at least 18 characters long i.e mixture of upper, and lower case letters, numbers, special characters

Screenshot from 2017-05-29 10-55-43

Figure 7 The initial 8 character  F6ACBB42  key ID on the line beginning with pub is the unique public master id which is used for identity and signing. The one line beginning with sub is that of your public subkey ( key used for encryption)  and your primary user ID is on the line beginning with uid .. Read on  more man gpg2

Key servers

How do you publish or let people know about your public key ? That’s where key servers comes to help.  a key server is a computer that receives and then serves existing cryptographic keys to users of other programs.

To publish your public key to a keyserver, run:   gpg2  –send-keys Public_ID

Screenshot from 2017-05-29 11-11-55

Figure 8 Sending keys to key servers


Public key export

To be able to receive encrypted files you need the export public key and share with others via email attachment or via usb memory

Lists the existing keys

Screenshot from 2017-05-29 11-58-18

Figure 9 listing the keys i.e you need username demo for generating key

Exporting key to “key.txt” specified key name demo

Screenshot from 2017-05-29 11-58-46Figure 10 export of demo public key demo

Key.txt contains the public key

Screenshot from 2017-05-29 11-59-27

Figure 10 public key contains public demo key

Revocation Certificates

if the key becomes a compromised somehow you should revoke it i.e declare the key is no longer is safe, you still require to type in the Passphrase

gpg2 –gen-revoke “publicid”  creates a revocation .asc format

Screenshot from 2017-05-29 19-30-36

Figure 11 revoke certificate

Just follow the instruction and press 1 to revoke the key

Screenshot from 2017-05-29 19-32-53

Figure 12 – press 1 for key has been compromised

Next import the key to be revoked locally

Screenshot from 2017-05-29 20-07-01

Figure 13 key locally revoked

In order to let the key server know, just send the key ID to it using

Screenshot from 2017-05-29 20-09-37

Figure 14 sending the revoked key to the keyserver


Web of Trust  / Key signing ?

Web of trust is very interesting security concept with GnuPGP, let say an attacker decide to generate a keypair using your identify i.e your name and email . How are people to know which belongs to who  ? This is where Web of Trust comes into help  which is basically is key signing , the more people sign key the more likely becomes trusted.

Fortunately key signing is very simple task.  You need the user’s key if it is stored on key server simply run

Receive key_ID

Screenshot from 2017-05-29 20-47-43

Figure 15 receive key from the keyserver

Signing key

Screenshot from 2017-05-29 20-59-11

Figure 16  we sign the key we imported from the key server

It’ll ask you to confirm the signature operation, and then it’ll ask you to input your passphrase. Once this is done you have added your signature to the key is now modified,

you need to send it back to the keyserver

Screenshot from 2017-05-29 21-14-50

Figure 17 sending the signed key back to the key server  (Web of trusted created)

Encrypting document

gpg --encrypt --recipient ambientcrypto secret.txt


Screenshot from 2017-05-29 23-05-43

Figure 18 is encrypting a document locally secret.txt.gpg  

Decrypt the secret.txt.gpg

Screenshot from 2017-05-29 23-11-21

Figure 19 decrypted secret.txt.gpg – you need pass phrase to decrypt the key

What if you want to encrypt files for others ?  That’s the cool thing about GnuPGP using public available keys

gpg --import key.asc

Screenshot from 2017-05-30 21-14-09

Figure 20  importing keys to encrypt document for someone else

Alternatively, you will be able to find key on public keyserver. Here’s what it look like when someone searcher for key

Screenshot from 2017-05-30 21-19-49

Figure 21 search for a key with name ‘security’ from the pool key servers


Further Reading

Why you should be using Azure and move on premise infrastructure to cloud ?

Microsoft Azure cloud computing services for deploying managing application and service through ta global network of Microsoft managed data centres. T provide software as a service , platform as service and infrastructure as service with large number of services , tools and framework including both Microsoft specific and third party software systems .

But really why should you move to cloud? Well next couple of paragraph explains,

After my introduction to Azure cloud implementing azure infrastructure solution decided to look at the one of the core Azure cloud service Azure Security centre Prevent, detect and to threats with increased visibility and control over resource groups , essentially Virtual machines,  NSG Network security groups, network anomalies e.g. external/network attacks especially windows attack vector.

What did I really found.. Next step is to test the underlying Security operation centre security identify how it respond to determined sophisticated PowerShell based on memory/disk attack ,

We created a resource group under the name of and deployed a windows server 2012 R2 with domain active directory installed and a SQL Server 2016 as joined server to the domain.

The new ARM template when deploy a VM by default doesn’t allow any incoming connection, in another word port 3389 Remote Desktop Protocol is not allowed. We created a new NSG Network security group and allowed port 3389 for remote management. Of course you should never allow direct access to RDP over the public network but still very common very mistake administrator make.

Next we enabled Security centre and added a policy to monitor our resource group containing the Domain controller active directory and domain joined SQL Server 2016. Now that we have configured virtual machines and security centre monitoring.. You probably figured out our next step… The attack

In this scenario I use the following attacks and tools,

  1. RDP Remote Protocol attack using a dictionary attack with most common used passwords
  2. –         Custom designed PowerShell/Python command and control framework
  3. –         Persistence and lateral movement using pass the hash attack
  4. –         Forensic network analysis and anomaly detection

On our kail attacking host we used medusa with dictionary file containing the password attacked the which is the SRV01 domain controller listening on port 3389. Of course for sake of demonstration we added the correct password to the list as highlighted the password found “ReallySecure$$” Success .


Figure 1 Medusa conducted controlled dictionary attack from Kali Linux attacking machine

Next we logged on to the SRV01 using Rdesktop from kali machine using the credentials we found in previous initial RDP attack


Figure 2 RDP session with the target SRV01 domain controller server

Custom powershell agent created and base64 encoded to copy over the target machine in order to maintain a persistence on target machine and ensure the agent payload lives in memory only after self-destruct.


Figure 3 powershell agent runs and on target machine and self-destruct itself and lives in memory

Custom Namlook framework python/powershell command control uses public key infrastructure for command and control so the idea is to encrypt the traffic between the target victim machine and my attacking command and control machine

4Figure 4 we have connection back from the target azure SRV01 to our python powershell command and control the payload. The payload as you see it spawn the powershell on PID 3632 and we also have internal IP address, machine name, user logged on, ad the last seen is based on 5 second interval to check if the server still sending the heartbeats .

Next step we decided to deploy a persistence stager to our target machine the idea is to force the target SRV01 server to send cmd.exe shell back to our command control every day at 8:00am or simply at startup. So whenever a use logins we get nice shell back from the SRV01


Figure 5 Stager but with high detection ratio as this would touch the disk and lives in HKLM:\Software\Microsoft\Network\debug registry . we encode the payload to be base64

The agent now lives inside registry debug file whenever the user logins to the SRV01 server the persistence module trigger happens and sends encrypted shell back to the command  control


Figure 6 debug embedded with base64 encoded powershell agent.

Next step we decided to conduct situational awareness to check what other host is reachable within from compromised target, this module simply uses nmap network mapper to identify hosts and the port numbers


Figure 7 SQLSRV01 identified with the open ports 445 SMB , 3389 ?

Next we used another module to extract password hashes directly from SYSTEM/SAM file. System file is required as it contains the windows secret bootkey to extract the password hashes from SAM file


Figure 8 USER Private and RID 500 indicates the user is local administrator account and user Guest RID 501 is guest but disabled by default.

Another fantastic we used is the mimikatz by benjamin DEPLY a.k.a gentilkiwi written in C but ported to powershell to make the use of extracted password hashes and use that as way gaining access to the connecting SQLSRV2 host with the PTH Pass the hash attack, which essentially is to inject the NTLMv2 hash into the process PID 1240 and call the cmd.exe on target server.


Figure 9 now is just a matter of running another PS module to steal the token to give us full administrative access on target SQLSRV02 box.

One last demo was to check how security centre identify malicious executables land on the disk with up to date AV. Of course it’s simple to bypass AV. As you see I recompiled the mimikatz simply by replacing all mimimkatz strings in code with Kikitaz to bypass Anti-virus..


Figure 10 extracted password hashes from SRV01 Server 2012 KIKTAZZZ

Azure Security centre and on disk analysis

process explore is one of the top windows system internal tool we use for security/troubleshooting investigations , it lists all the process and one can easily identify malicious process, schedule tasks, TCP/IP connections and most importantly file signature and many more ..

Process explore identified the PID 3632 Powershell v.1.0 and command line containing the agent PowerShell code runs under the user private context. Base64 encoded code to send the shell back to the command and control.


Figure 10 Process explore identifies the PowerShell malicious code

Closer dynamic analysis we can see winhttp.dll dynamic link library establishes makes 5 minutes interval to our command and control


Figure 11 winhttp.dll used for establishing the C2 connection

Azure security centre main dashboard resource security health with recommendations on vulnerabilities such as open NSG network security  groups, Patching as well as container encryption


Figure 12 azure security centre

Azure Security Centre Security Alert with description of each suspicious activities and severity level


Figure 13 dates and individual attack type with severity level Medium to High

Closer analysis shows our dictionary attack from my attacking machine against SRV01 Server 2012 has been identified as network anomaly, good indication of brute force attack


Figure 14 RDP network anomaly brute force  detection

Powershell agent identified as malicious with decoded script showing the command and control IP address


Figure 15 Agent identified as malicious powershell

In conclusion it’s clear how Microsoft raised security bar against the sophisticated attacks especially identifying network anomaly and memory based attacks as we demonstrated using PowerShell as command and control. As these types of attacks on premises difficult to identify almost impossible but with Azure the response time is almost 2 ~ 3 hours

The future is here, so time to accept and adopt to cloud services  🙂

Hit me up for security related projects or 5 minutes of CLI ? 🙂

Version: GnuPG v2.0.22 (GNU/Linux)