Wielding a Cortana
Will (@harmj0y), Veris Group
Dec 13, 2014
$ whoami
• Security researcher and penetration tester for Veris Group
• Co-founder of the Veil-Framework #avlol
o www.veil-framework.com
o Shmoocon ‘14: AV Evasion with the Veil Framework
o co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
• https://github.com/HarmJ0y/
• http://harmj0y.net
tl;dr
• Cortana? wtf
• OK that’s cool, what can I do
• Cortana use cases:
o grabcreds.cna - auto hash dumping
o safetynet.cna - saving shells
o veil_evasion.cna - #avlol :)
o user_hunter.cna - find DAs
o beacon.cna - graphical beacons*
Cortana? wtf
• Raphael Mudge’s DARPA cyber fast track project
• Allows for the scripting of Armitage and/or Metasploit itself
o Some of this functionality is restricted to Cobalt Strike - marked by a *
• Doesn’t seem to have publicly caught on
o Which is dumb, since it’s incredibly useful
Cortana: Why Use It
• Allows for the easy customization of an already existing, powerful tool
• Many standard pentest actions can be automated and manipulated in useful ways
• Lets you minimize the time spent doing repetitive tasks
Cortana Background
• Cortana is a set of extensions to the Sleep language that allows for the control of Armitage/Metasploit
• Sleep = Java-based scripting language heavily inspired by Perl and written by Raphael
o http://sleep.dashnine.org/documentation.html
o http://www.fastandeasyhacking.com/download/cortana/cortana_tutorial.pdf
Sleep 101
• “Sleep is primarily a glue language and was designed from the ground up to be embedded in Java applications…[it] brings the power of Perl to the Java platform.”
• Much of the backend of Armitage is actually written in Sleep
https://today.java.net/pub/a/today/2005/07/14/sleep.html
Cortana 101
• Interaction with Metasploit is baked in through utilization of MSF’s RPC interface
• You can send commands to a Meterpreter session, interact with the backend database, launch modules, etc.
• m_cmd($1, "sysinfo");
• host_info($address);
• exploit("windows/smb/ms08_067_netapi", $addr);
Cortana 101
• Triggers can be set up to asynchronously fire on various actions/events:
o new sessions
o meterpreter/shell commands
o new hosts/services/routes/etc.
• Lets you perform contextual actions and automate a lot of post-exploitation
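As an added illustration of the trigger model (not a script from the talk), the snippet below chains two events: a new session triggers a command, and the command's output arrives later in its own event. It assumes the Cortana events and functions named on these slides (session_sync, m_cmd, meterpreter_<command> handlers); the two regexes for the sysinfo output lines are my assumption about its format.

```sleep
# fires once for every new session; $1 is the session id
on session_sync {
    println("[*] new session $1 - requesting sysinfo");
    # asynchronous: the reply shows up in meterpreter_sysinfo, not here
    m_cmd($1, "sysinfo");
}

# fires when the output of a "sysinfo" command comes back:
# $1 = session id, $2 = the command that was sent, $3 = raw output text
on meterpreter_sysinfo {
    local('$line $host $os');
    foreach $line (split("\n", $3)) {
        # assumed output layout: "Computer : NAME" / "OS : description"
        if ($line ismatch 'Computer\s*:\s*(.*)') {
            ($host) = matched();
        }
        else if ($line ismatch 'OS\s*:\s*(.*)') {
            ($os) = matched();
        }
    }
    println("[*] session $1 is on $host running $os");
}
```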
Cortana 101
• The user interface for Armitage can be easily modified:
o new program menus
o new meterpreter action menus
o changeable host icons
• Lots of examples at:
https://github.com/rsmudge/cortana-scripts
https://github.com/HarmJ0y/cortana
Cortana Use Cases
Use Case #1
• On each meterpreter session that comes in, we always like to grab all credentials we can from the box:
o hashdump
o run mimikatz
o see if a user we want is logged in
• ASPNET? Guest? SUPPORT_*? no thx
How Can Cortana Help?
• grabcreds.cna
o on session_sync { … }
o m_cmd($1, "wdigest");
o on meterpreter_wdigest { … }
• On each host that comes in:
o run hashdump and mimikatz
o filter out account names we don’t want
o dump creds to the database
o check users found against a designated list
o announce results on the team chat*
grabcreds.cna
Use Case #2
• Losing shells sucks
• Our standard procedure is to inject additional sessions (or beacons*) for fallback in case our main working session dies
o and not to just one C2 server
• This becomes tedious when you’re dealing with A LOT of shells and various handlers
How Can Cortana Help?
• safetynet.cna
o on session_sync { … }
o launch("post", …)
• automatically runs a payload inject module against each host
o injects a “safetynet” payload
• Problem:
o we want to inject two payloads, one from the existing process context and one into explorer.exe
Sidenote: smart_payload_inject.rb
• Existing payload_inject.rb only allows for injection against predefined process IDs
• smart_migrate.rb allows for “smart” migration into explorer.exe
• Combine the two -> easy injection into a specific process name, explorer.exe default
safetynet.cna - interface
Adding From Existing Listeners*
Custom Safetynet Payloads
Installing Safetynets
Use Case #3
• Armitage/Cobalt Strike are great, but sometimes we want specific gui modifications
• Say we want to have a Cobalt Strike workspace containing only hosts with active beacons*
*http://www.advancedpentest.com/help-beacon
How Can Cortana Help?
• We can grab the active beacon list
o @beacons = call('beacon.list');
• We can set up ‘heartbeat’ callbacks to periodically perform actions
o on heartbeat_5s { … }
• We can modify our gui in useful ways
o filter host_image { …change a host’s gui image… }
o bind Ctrl+B { open_beacon_browser(); }
Graphical Beacons
Use Case #4
• psexec in Metasploit is great, but the standard exe templates = no good
• Veil-Evasion does a great job at generating AV-evading executables :)
• But generating each time, reconfiguring paths, etc. is a pain
How Can Cortana Help?
• veil_evasion.cna
o filter user_launch { … }
o exec(SYSTEM COMMAND);
• Invokes Veil-Evasion to generate a binary, intercepts psexec calls in Armitage, and substitutes this in for a custom EXE
• No more caught payloads :)
Sidenote: swing >_<
• Exposed Cortana functions are great, but didn’t quite cover exactly what we wanted
• Luckily, Cortana scripts can integrate various java/swing GUI manipulations
• And guess what? Armitage has examples. And it’s BSD-licensed
Armitage Backend
veil_evasion.cna - Main Menu
veil_evasion.cna - Main Interface
Use case #5
• What’s the usual goal for a smash-and-grab pentest?
• Find out who the domain admins are
• Find where they’re logged into
• Find a set of credentials that gives us SYSTEM on their box
• psexec, pop a box, mimikatz, profit
Situational Awareness 101
• Manual process on the domain side:
• net user /domain
• net group /domain
• net view
• net view \\<hostname>
• net sessions \\<hostname>
Netview.exe
• Rob Fuller (@mubix) released a tool at Derbycon 2012 called Netview, which “enumerates systems using WinAPI calls”
• Can find hosts, shares, and logged on users across a network
• Two API calls really interest us:
o NetServerEnum – enumerate (from the DC) domain systems of a certain type
o NetWkstaUserEnum – get users logged onto a system
Metasploit
• Most of this type of functionality already exists in Metasploit (of course):
• smb_enumusers_domain
o uses NetWkstaUserEnum (through railgun) to get users logged into a particular machine
• local_admin_search_enum
o checks a range of IPs to see if the current user has admin access, and grabs the logged in users with NetWkstaUserEnum as well
Metasploit
• enum_domain_group_users
o runs “net groups GROUP /domain” against a host and parses the results
• computer_browser_discovery
o queries the default domain controller for all hosts of a particular type using NetServerEnum
user_hunter.rb
• New Metasploit module, drawing from existing functionality
• Takes a username, userlist, or domain group to query against the local DC
• Takes a host list, or runs “net view” to try to enumerate all machines on a domain
user_hunter.rb
• Runs NetWkstaUserEnum against each target host to determine the users logged into the machine
• Compares this against the target user list, throwing a specific user.hunter note into the database when it finds a match
• point -> click -> be told where DA’s are
How Can Cortana Help?
• We can interact fully with the msf database
o @notes = call("db.notes")["notes"];
• We can set up ‘heartbeat’ callbacks to periodically perform actions
o on heartbeat_5s { … }
• We can modify our gui in useful ways
o filter host_image { …change a host’s gui image… }
Cortana – user_hunter.cna
• Cortana script that periodically polls the MSF database for our user.hunter notes
• Modifies the host icons of any systems with found users
o i.e. any systems where a DA is logged into!
• Also adds an option to launch the user_hunter.rb module from any meterpreter session
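The polling-and-icon part of this pattern, written out as an added example rather than the talk's own user_hunter.cna: a heartbeat refreshes the set of hosts carrying a user.hunter note, and a host_image filter draws an extra icon for them. It relies on the Cortana calls shown above (heartbeat_5s, call("db.notes"), filter host_image); the note field names "type", "host" and "data", the filter's argument layout, and the image file flag.png are assumptions.

```sleep
# hosts that currently have a user.hunter note, keyed by address
global('%flagged');

# every 5 seconds: rebuild the set from the MSF database
on heartbeat_5s {
    local('$note');
    %flagged = %();
    # assumed RPC result shape: each note has "type", "host", "data"
    foreach $note (call("db.notes")["notes"]) {
        if ($note["type"] eq "user.hunter") {
            %flagged[$note["host"]] = $note["data"];
        }
    }
}

# assumed filter arguments: $1 = list of images drawn for the host,
# $2 = host record with an "address" key. Returning @_ keeps the
# (possibly modified) arguments flowing to the GUI.
filter host_image {
    if ($2["address"] in %flagged) {
        # flag.png is a hypothetical icon stored next to this script
        push($1, script_resource("flag.png"));
    }
    return @_;
}
```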
Demo
Recap
• Cortana is awesome, contribute!
o https://github.com/rsmudge/cortana-scripts
o https://github.com/HarmJ0y/cortana
• Many standard assessment actions can be automated and manipulated in useful ways
• The less time you spend doing repetitive actions = the more you can spend pwning the client
Questions?
Will
@harmj0y
harmj0y on Freenode - #veil and #armitage
Get the cortana pack: https://github.com/HarmJ0y/cortana