Owning computers without shell access 2

These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.

Abstract:

For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seems to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut

  • Transition into uploading shells is no good.
  • Transition into what can we do with a shell, why upload one in the first place?

    1. OWNING COMPUTERS WITHOUT SHELL ACCESS
    2. Who Am I?
       • Royce Davis
       • Senior Consultant – Accuvant LABS
       • Cofounder: http://www.pentestgeek.com
       • Author jigsaw.rb
       • Twitter: @R3dy__
    3. Talk Synopsis
       • Uploading Binary Shells Is No Good
       • Techniques To Avoid Shell Upload
       • Metasploit Modules
       • Command Execution
       • Local & Cached Hash Dumping
       • Other Possibilities
       • Demo Modules
    4. Background Story
       • Imagine that you're on a pentest and discover a LHF vulnerability that gives you the local admin hash to all the boxes.
       • You try to use the psexec exploit module to pop a meterpreter shell on multiple systems only to get flagged by AV and stopped dead in your tracks.
       • What do you do now?
       • Enter SMBExec (Eric Milam a.k.a @Brav0hax)
       • SMBExec is a great tool, however it still uploads a binary to the target
    5. Uploading Binary Shells Is No Good
       • We've been uploading shells to take control of remote hosts since the beginning of time so what's the big deal?
       • Shells contain binary signatures that can be recognized and blocked
       • Obfuscation only creates a different signature that could still be recognized and blocked
       • Shells can die leaving us with no way back into the target machine
       • They can also leave remnants of themselves
    6. What Can We Do With A Shell?
       If we're going to bypass using shells on pentests we need to first identify what purpose they serve and what additional functions they provide.
       • Command execution
       • Search the file system
       • Create users
       • Enumerate network resources
       • Upload/download files
       • Etc…
       • Grab local/cached password hashes
       • Dump all AD hashes from the DC
       • Any others?
    7. Using Native Windows Functions
       Enter 'psexec.rb'
       • Metasploit already has several modules that use DCERPC to make direct authenticated requests to Windows APIs
       • /exploit/windows/smb/psexec.rb
       • Creates & uploads a binary payload to the target over SMB
       • Sends an RPC to the Service Control Manager (SCM)
       • UUID: '367abb81-9844-35f1-ad32-98f038001003'
       • Creates a service, starts it, cleans up after…
       • MSDN Documentation
       • http://msdn.microsoft.com/en-us/library/windows/desktop/ms685942%28v=vs.85%29.aspx
    8. Inside psexec.rb
       DCERPC Requests:
       The dcerpc.call instance method takes two parameters. The first parameter is the opcode reference to the particular Windows function you wish to call. The second parameter is the function arguments in NDR (Network Data Representation) format.
       • dcerpc.call(0x0f, stubdata) – OpenSCManager
       • dcerpc.call(0x0c, stubdata) – CreateService
       • dcerpc.call(0x0, svc_handle) – CloseServiceHandle
       • dcerpc.call(0x10, stubdata) – OpenService
       • dcerpc.call(0x13, stubdata) – StartService
       • dcerpc.call(0x02, stubdata) – DeleteService
       • dcerpc.call(0x0, svc_handle) – CloseServiceHandle
    9. Psexec.rb Cont.
       • This is what it looks like inside Metasploit's psexec exploit module written by HDM
       • exploit/windows/smb/psexec.rb (line 254)
    10. CreateService
       • This is the format accepted by the CreateService function
       • http://msdn.microsoft.com/en-us/library/windows/desktop/ms682450%28v=vs.85%29.aspx
    11. lpBinaryPathName MSDN Definition
       • lpBinaryPathName [in, optional]
       • The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:\my share\myservice.exe" should be specified as "\"d:\my share\myservice.exe\"".
       • The path can also include arguments for an auto-start service. For example, "d:\myshare\myservice.exe arg1 arg2". These arguments are passed to the service entry point (typically the main function).
       • If you specify a path on another computer, the share must be accessible by the computer account of the local computer because this is the security context used in the remote call. However, this requirement allows any potential vulnerabilities in the remote computer to affect the local computer. Therefore, it is best to use a local file.
       • psexec.rb looks like this:
       • C:\HjeKOplsYutVmBWn.exe  (probably a Meterpreter payload)
       • What if we tried this instead:
       • C:\windows\system32\cmd.exe /C echo dir C:\ ^> outputfile.txt > launchfile.bat & C:\windows\system32\cmd.exe /C launchfile.bat
    12. The Psexec Mixin
       In order to provide accessibility to this functionality for other modules we created a mixin which has been graciously accepted into the MSF.
       lib/msf/core/exploit/smb/psexec.rb
       • Slightly modified version of the original psexec.rb code wrapped in a function which accepts a Windows command in the following format:
       • [PATH TO cmd.exe] [/C] [INSERT WINDOWS COMMAND]
       • The method is called like so: 'return psexec(command)'
       • Returns 'true' if execution was successful
       • Major difference is it does not try to delete cmd.exe after execution
       • Also contains a 'smb_read_file(smbshare, host, file)' method for convenient retrieval of command output
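Slides 11 and 12 describe two shapes of service binary path: a freshly dropped binary in the drive root, and a cmd.exe /C launch that chains commands and redirects output. From the defender's side that string is exactly what a "service installed" event (System log, Event ID 7045) records as the image path, so it is a natural detection input. The following is an added example written for this page, not code from the talk, from psexec.rb or from the Metasploit mixin: it splits an lpBinaryPathName value according to the MSDN quoting rule quoted above and tags the two shapes. The function names and the flag names are mine; the sample paths are constructed from the strings on the slides, the MSDN example and one ordinary service for contrast.

```python
import re

# Constructed sample inputs: the two lpBinaryPathName strings the slides show
# (the psexec.rb style drop and the cmd.exe /C alternative), the MSDN quoting
# example, and an ordinary service for contrast.
SAMPLE_PATHS = [
    r"C:\HjeKOplsYutVmBWn.exe",
    (r"C:\windows\system32\cmd.exe /C echo dir C:\ ^> outputfile.txt > launchfile.bat"
     r" & C:\windows\system32\cmd.exe /C launchfile.bat"),
    r'"d:\my share\myservice.exe" arg1 arg2',
    r"C:\Windows\System32\svchost.exe -k netsvcs",
]


def split_binary_path(binary_path):
    """Split an lpBinaryPathName value into (executable, argument string).

    Follows the MSDN rule quoted on the slide: a path containing spaces is
    wrapped in double quotes, and whatever follows the executable is passed
    to the service entry point as arguments."""
    s = binary_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quoted service path")
        exe, args = s[1:end], s[end + 1:]
    else:
        exe, _, args = s.partition(" ")
    return exe, args.strip()


def classify_service_path(binary_path):
    """Tag a service path with the shapes a detection rule for
    'service installed' events (System log, Event ID 7045) would care about.
    Flag names are this example's own."""
    exe, args = split_binary_path(binary_path)
    normalized = exe.replace("/", "\\")
    parent, _, base = normalized.rpartition("\\")
    flags = []
    # cmd.exe /C <command>: the living-off-the-land launch the talk proposes
    if base.lower() == "cmd.exe" and re.match(r"/c\b", args, re.IGNORECASE):
        flags.append("cmd_c_launch")
        if "&" in args:
            flags.append("chained_commands")
        if ">" in args:
            flags.append("output_redirect")
    # a binary sitting directly in the drive root (C:\name.exe), as psexec.rb drops it
    if re.fullmatch(r"[A-Za-z]:", parent):
        flags.append("drive_root_binary")
    return {"executable": exe, "arguments": args, "flags": flags}


def scan_service_paths(paths):
    """Classify every path; a caller alerts on any entry whose flags are non-empty."""
    return [classify_service_path(p) for p in paths]


if __name__ == "__main__":
    for result in scan_service_paths(SAMPLE_PATHS):
        print(result)
```

The quoted-path branch matters for correctness: without it, "d:\my share\myservice.exe" would be split at the space and the second half of the path would be mistaken for arguments, which is the same ambiguity the MSDN text warns about.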
    13. Demo psexec_command.rb
       • Review the source code
       • Explain some of my favorite uses related to pentesting
       • Demo the module
    14. Dumping Password Hashes
       • Current methods for dumping password hashes
       • Post modules that require a meterpreter shell
       • Upload a standalone binary like pwdump/fgdump…
       • These methods extract specific registry key values from the SYSTEM, SECURITY, and/or SAM registry hive
       • This process can flag antivirus
       • We need to somehow retrieve a copy of the registry hives and extract the hashes from them offline on our attacking system
       • We can look at the code from pwdump.py from the creddump suite.
    15. Offline Password Hash Dumping
       1. Authenticate to the system using a password/hash
       2. Use the psexec mixin to execute the following Windows commands:
          • reg.exe save HKLM\SAM c:\windows\temp\sam
          • reg.exe save HKLM\SYSTEM c:\windows\temp\sys
          • reg.exe save HKLM\SECURITY c:\windows\temp\sec
       3. Download the registry hive copies to our attacking machine
       4. Remove the registry hive copies from the target
       5. Open the registry hive copies on our attacking machine and extract the password hashes
    16. Demo hashgrab.rb & cachegrab.rb
       • Thank you to:
       • Brendan Dolan-Gavitt, author of 'creddump'.
       • Carlos Perez – smart_hashdump.rb and other modules
       • Brandon Perry – tools/reg.rb
       • Review the source code
       • Demo the module
    17. Dumping All the Hashes
       • The holy grail of most network pentests can be found inside an ESE (Extensible Storage Engine) database called NTDS.dit located on the Domain Controller
       • Protected by the operating system
       • Requires injecting into lsass and/or other black magics
       • Contains a BOAT LOAD of information about the system
       • Including password hashes and usernames for all AD accounts!
    18. Enter psexec_ntdsgrab.rb
       We can use the psexec_ntdsgrab module to create or target an existing VSC (Volume Shadow Copy) and safely pull down a copy of NTDS.dit to our attacking machine.
       auxiliary/admin/smb/psexec_ntdsgrab.rb
       1. Use the psexec mixin to execute Windows commands for creating a VSC
          • vssadmin create shadow /For=%SYSTEMDRIVE%
       2. Query vssadmin for the path to the newly created VSC
          • vssadmin list shadows
       3. Copy NTDS.dit from the VSC to the WINDOWS\Temp directory
          • copy /Y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds
       4. Use reg.exe to make a copy of the SYSTEM registry hive
       5. Download the 'ntds' and 'sys' files to the attacking machine
       6. Clean up after ourselves
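Both procedures above, the reg.exe save of the SAM, SYSTEM and SECURITY hives on slide 15 and the vssadmin / copy / reg.exe sequence of psexec_ntdsgrab on slide 18, run as plain command lines under cmd.exe, so they are visible in process-creation telemetry even though no payload binary ever lands on disk. As an added example, not part of the talk or of the Metasploit modules, the block below tags those command lines in a constructed process-creation log and correlates them per host into two findings: the three-hive export, and a shadow copy creation followed by a copy of NTDS.dit out of it plus a SYSTEM hive export. The log line format, the rule and finding names, the ten-minute window and every host name are assumptions made for this example; the command lines are taken from the slides.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation log (not real telemetry; the line format is an
# assumption made for this example). The command lines mirror the ones the
# slides show for hive saving and for psexec_ntdsgrab's shadow-copy steps, plus
# a benign editor launch and a lone backup-agent shadow copy for contrast.
SAMPLE_LOG = r"""
2013-04-23T10:00:01 host=WS07 parent=explorer.exe cmd=notepad.exe C:\notes.txt
2013-04-23T10:02:10 host=WS07 parent=services.exe cmd=C:\windows\system32\cmd.exe /C reg.exe save HKLM\SAM c:\windows\temp\sam
2013-04-23T10:02:11 host=WS07 parent=services.exe cmd=C:\windows\system32\cmd.exe /C reg.exe save HKLM\SYSTEM c:\windows\temp\sys
2013-04-23T10:02:12 host=WS07 parent=services.exe cmd=C:\windows\system32\cmd.exe /C reg.exe save HKLM\SECURITY c:\windows\temp\sec
2013-04-23T11:30:00 host=DC01 parent=services.exe cmd=C:\windows\system32\cmd.exe /C vssadmin create shadow /For=%SYSTEMDRIVE%
2013-04-23T11:30:05 host=DC01 parent=services.exe cmd=C:\windows\system32\cmd.exe /C vssadmin list shadows
2013-04-23T11:30:09 host=DC01 parent=services.exe cmd=C:\windows\system32\cmd.exe /C copy /Y \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\WINDOWS\NTDS\NTDS.dit C:\WINDOWS\Temp\ntds
2013-04-23T11:30:12 host=DC01 parent=services.exe cmd=C:\windows\system32\cmd.exe /C reg.exe save HKLM\SYSTEM c:\windows\temp\sys
2013-04-23T12:00:00 host=BACKUP1 parent=backupagent.exe cmd=vssadmin create shadow /For=C:
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$")

# Each rule names the command-line shape the slides describe (tag names are mine).
RULES = [
    ("hive_export", re.compile(r"\breg(?:\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.I)),
    ("vss_create", re.compile(r"\bvssadmin(?:\.exe)?\s+create\s+shadow\b", re.I)),
    ("vss_list", re.compile(r"\bvssadmin(?:\.exe)?\s+list\s+shadows\b", re.I)),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\NTDS\.dit\b", re.I)),
]


def tag_command(cmd):
    """Return [(tag, detail)] for every rule the command line matches; the
    detail is the hive name for hive_export and empty otherwise."""
    tags = []
    for tag, rx in RULES:
        m = rx.search(cmd)
        if m:
            tags.append((tag, m.group(1).upper() if m.groups() else ""))
    return tags


def parse_log(text):
    """Parse the assumed log format into event dicts with a datetime and tags."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["tags"] = tag_command(ev["cmd"])
        events.append(ev)
    return events


def correlate(events, window=timedelta(minutes=10)):
    """Raise a finding when the tagged commands of one host, inside `window`,
    form one of the two sequences from the slides. Each sequence is reported
    once per host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    findings, seen = [], set()
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            tags, hives = set(), set()
            for later in evs[i:]:
                if later["ts"] - anchor["ts"] > window:
                    break
                for tag, detail in later["tags"]:
                    tags.add(tag)
                    if tag == "hive_export":
                        hives.add(detail)
            names = []
            if {"SAM", "SYSTEM", "SECURITY"} <= hives:
                names.append("offline_local_hash_dump")
            if "vss_create" in tags and "ntds_from_shadow" in tags and "SYSTEM" in hives:
                names.append("ntds_shadow_copy_grab")
            for name in names:
                if (host, name) not in seen:
                    seen.add((host, name))
                    findings.append({"host": host, "name": name,
                                     "first_seen": anchor["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_log(SAMPLE_LOG)):
        print(finding)
```

The correlation step is what keeps the rule useful: a single vssadmin create shadow (the BACKUP1 line) or a lone SYSTEM hive save is routine administration and produces nothing, while the combination of a shadow copy and a copy of NTDS.dit out of its GLOBALROOT path, or all three hives saved within minutes of each other, matches the procedures on the slides and nothing else.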
    19. Getting What We Want From NTDS.dit
       • We'll need to use the 'libesedb' C library to extract the right tables from NTDS.dit
       • $ wget https://libesedb.googlecode.com/files/libesedb-alpha-20120102.tar.gz
       • $ tar xvzf libesedb-alpha-20120102.tar.gz
       • $ cd libesedb-20120102/
       • $ ./configure
       • $ make && make install
       • Once libesedb is compiled we will use esedbexport, located in the 'libesedb-20120102/esedbtools' directory, to export the datatable which contains the user account password hashes for AD
       • http://www.pentestgeek.com/2012/11/16/dumping-domain-password-hashes-using-metasploit-ntds_hashextract-rb/
    20. Demo psexec_ntdsgrab.rb
       • Grab NTDS.dit using MSF module
       • Export tables from NTDS.dit using libesedb
       • Extract hashes from exported datatable using ntds_hashextract.rb
    21. Closing
       • Uploading a binary shell to the target can be harmful to a penetration test
       • DCERPC allows us to do a lot of the functions we would ask of a binary shell without uploading one to the target
       • Metasploit modules already exist to achieve remote command execution, grab local/cached password hashes and dump AD hashes from a DC
       • The sky is the limit as to what else we could do if we all chose to adapt this style of thinking
    22. Questions & Answers
       4/23/2013
    23. Owning Computers Without Shell Access
       4/23/2013
       Thank You!
       Royce Davis
       Accuvant LABS
       Senior Consultant – Attack & Pen Team
       royce.e.davis@gmail.com
       http://www.pentestgeek.com
       @R3dy__