Owning computers without shell access dark

Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.

Owning ComputersWithout Shell Access

Proprietary and Confidential. Do Not Distribute. © 2013 Accuvant, Inc. All Rights Reserved.

• Husband & Father

• Pentester: Accuvant LABS

• Cofounder: http://www.pentestgeek.com

• Author: jigsaw.rb

• Twitter: @R3dy__

WTF is Royce Davis?

http://www.pentestgeek.com/


• Uploading Binary Shells Is No Good

• Techniques To Avoid Shell Upload

• Metasploit Modules• Command Execution

• Local & Cached Hash Dumping

• Other Possibilities

• Demo Modules

Talk Synopsis


• Imagine that you’re on a pentest and discover a LHF vulnerability that gives you the local admin hash to all the boxes.

• You try to use the psexec exploit module to pop a meterpreter shell on multiple systems only to get flagged by AV and stopped dead in your tracks.

• What do you do now?

• Enter SMBExec (Eric Milam a.k.a @Brav0hax)• SMBExec is a great tool, however it still uploads a

binary to the target

Background Story


• We’ve been uploading shells to take control of remote hosts since the beginning of time so what’s the big deal?

• Shells contain binary signatures that can be recognized and blocked

• Obfuscation only creates a different signature that could still be recognized and blocked

• Shells can die leaving us with no way back into the target machine

• They can also leave remnants of themselves

Uploading Binary Shells Is No Good


If we’re going to bypass using shells on pentests we need to first identify what purpose they serve and what additional functions to they provide.

• Command execution• Search the file system• Create users• Enumerate network resources• Upload/download files• Etc…

• Grab local/cached password hashes• Dump all AD hashes from the DC

• Any others?

What Can We Do With A Shell?


Enter ‘psexec.rb’

• Metasploit already has several modules that use DCERPC to make direct authenticated requests to Windows APIs

• /exploit/windows/smb/psexec.rb• Creates & Uploads a binary payload to the target over SMB• Sends an RPC to the Service Control Manager (SCM)

• UUID: ‘367abb81-9844-35f1-ad32-98f038001003’• Creates a service, starts it, cleans up after…

• MSDN Documentation• http://

msdn.microsoft.com/en-us/library/windows/desktop/ms685942%28v=vs.85%29.aspx

Using Native Windows Functions

http://msdn.microsoft.com/en-us/library/windows/desktop/ms685942(v=vs.85).aspx




DCERPC Requests:The dcerpc.call instance method takes in two parameters. The first parameter is the opcode reference to the particular Windows function you wish to call. The second parameter is the function arguments in NDR (Network Data Representation) Format.

• dcerpc.call(0x0f, stubdata) – OpenSCManager

• dcerpc.call(0x0c, stubdata) – CreateService

• dcerpc.call(0x0, svc_handle) – CloseServiceHandle

• dcerpc.call(0x10, stubdata) – OpenService

• dcerpc.call(0x13, stubdata) – StartService

• dcerpc.call(0x02, stubdata) – DeleteService

• dcerpc.call(0x0, svc_handle) - CloseServiceHandle

Inside psexec.rb


• This is what it looks like inside Metasploit’s psexec exploit module written by HDM

Psexec.rb Cont.

exploit/windows/smb/psexec.rb (line 254)


• This is the format accepted by the CreateService function

• http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx

CreateService



• lpBinaryPathName [in, optional]

• The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:\\my share\\myservice.exe" should be specified as "\"d:\\my share\\myservice.exe\"".

• The path can also include arguments for an auto-start service. For example, "d:\\myshare\\myservice.exe arg1 arg2". These arguments are passed to the service entry point (typically the main function).

• If you specify a path on another computer, the share must be accessible by the computer account of the local computer because this is the security context used in the remote call. However, this requirement allows any potential vulnerabilities in the remote computer to affect the local computer. Therefore, it is best to use a local file.

• psexec.rb looks like this:• C:\HjeKOplsYutVmBWn.exe Probably a Meterpreter payload

• What if we tried this instead:• C:\windows\system32\cmd.exe /C echo dir C:\ ^> outputfile.txt > launchfile.bat & C:\

windows\system32\cmd.exe /C launchfile.bat”

lpBinaryPathName MSDN Definition


In order to provide accessibility to this functionality for other modules we created a mixin which has been graciously accepted into the MSF.

lib/msf/core/exploit/smb/psexec.rb

• Slightly modified version of the original psexec.rb code wrapped in a function which excepts a Windows command in the following format:

• [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND]

• The method is called like so ‘return psexec(command)’

• Returns ‘true’ if execution was successful

• Major difference is it does not try to delete cmd.exe after execution

• Also contains a ‘smb_read_file(smbshare, host, file)’ method for convenient retrieval of command output

The Psexec Mixin


• Review the source code

• Explain some of my favorite uses related to pentesting

• Demo the module

Demo psexec_command.rb


• Current methods for dumping password hashes

• Post modules that require a meterpreter shell• Upload a standalone binary like pwdump/fgdump…• These methods extract specific registry key values

from the SYSTEM, SECURITY, and/or SAM registry hive

• This process can flag antivirus

• We need to somehow retrieve a copy of the registry hives and extract the hashes from them offline on our attacking system• We can look at the code from pwdump.py from the

creddump suite.

Dumping Password Hashes


1. Authenticate to the system using a password/hash

2. Use the psexec mixin to execute the following Windows Commands:

• reg.exe save HKLM\SAM c:\windows\temp\sam

• reg.exe save HKLM\SYSTEM c:\windows\temp\sys

• reg.exe save HKLM\SECURITY c:\windows\temp\sec

3. Download the registry hive copies to our attacking machine

4. Remove the registry hive copies from the target

5. Open the registry hive copies on our attacking machine and extract the password hashes

Offline Password Hash Dumping


• Thank you to:

• Brendan Dolan-Gavitt author of ‘creddump’.

• Carlos Perez – smart_hashdump.rb and other modules

• Brandon Perry – tools/reg.rb

• Review the source code

• Demo the module

Demo hashgrab.rb & cachegrab.rb


• The holy grail of most network pentests can be found inside an ESE (Extensible Storage Engine) database called NTDS.dit located on the Domain Controller

• Protected by operating system

• Requires inject into lsass and/or other black magics

• Contains a BOAT LOAD of information about the system

• Including password hashes and usernames for all AD accounts!

Dumping All the Hashes


We can use the psexec_ntdsgrab module to create or target an existing VSC (Volume Shadow Copy) and safely pull down a copy of NTDS.dit to our attacking machine.

auxiliary/admin/smb/psexec_ntdsgrab.rb1. Use psexec mixin to execute windows commands for creating a VSC

• vssadmin create shadow /For=%SYSTEMDRIVE%

2. Query vssadmin for the path to the newly created VSC

• vssadmin list shadows

3. Copy NTDS.dit from the VSC to the WINDOWS\Temp directory

• copy /Y \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds

4. Use reg.exe to make a copy of the SYSTEM registry hive

5. Download the ‘ntds’ and ‘sys’ files to attacking machine

6. Cleanup after ourselves

Enter psexec_ntdsgrab.rb


• We’ll need to use the ‘libesedb’ C library to extract the right tables from NTDS.dit

• $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz$

• $ tar xvzf libesedb-alpha-20120102.tar.gz

• $ cd libesedb-20120102/

• $ ./configure

• $ make && make install

• Once libesedb is compiled we will use esedbexport located in the ‘libesedb-20120102/esedbtools’ to export the datatable which contains the user account password hashes for AD

• http://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/

Getting What We Want From NTDS.dit

https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz$

https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz$

http://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/




• Grab NTDS.dit using MSF module

• Export tables from NTDS.dit using libesedb

• Extract hashes from exported datatable using ntds_hashextract.rb

Demo psexec_ntdsgrab.rb


• Uploading a binary shell to the target can be harmful to a penetration test

• DCERPC allows us to do a lot of the functions we would ask of a binary shell without uploading one to the target

• Metasploit modules already exist to achieve remote command execution, grab local/cached password hashes and dump AD hashes from a DC

• The sky is the limit as to what else we could do if we all chose to adapt this style of thinking

Closing


Questions & Answers

9/12/1322


Owning Computers Without Shell Access

9/12/1323

Thank You!Royce DavisAccuvant LABSSenior Consultant – Attack & Pen [email protected]://www.pentestgeek.com@R3dy__

mailto:[email protected]

http://www.pentestgeek.com/

Owning computers without shell access dark

Technology

stubdata createservice

dcerpc requests

binary shells

stubdata startservice

stubdata openservice

stubdata deleteservice

stubdata openscmanager

accuvant labs cofounder