WRITING OFFENSIVE .NET TOOLS
OR HOW I GOT CONTINUOUSLY SIDETRACKED FOR A YEAR
2 Confidential & Proprietary
Alexander Polce Leary
Name: Alexander Polce Leary
Job: Network & Application Pentester @ NetSPI
Red Team Lead
Twitter: @0xbadjuju
Slides: On their way
Blogs: https://blog.netspi.com/author/aleary/
Code: https://github.com/0xbadjuju/
Overview
- Why develop in .Net
- Tools
  - WheresMyImplant
  - Tokenvator
  - RunDotNetDll32
  - MonkeyWorks
- Issues presented with .Net Toolkits
WHY DEVELOP IN .NET?
Why develop in .Net?
Low barrier to entry
1. Familiarity
2. Documentation
3. Resources
4. Visual Studio
5. Reflection (Late Binding)
TOOLING
WheresMyImplant
Introduced at DerbyCon & ArcticCon 2017
- C# WMI provider for persistence
- Picking up where I left off
- Problem: Not useful enough
- Solution: Make it not dependent on other toolkits
- To Do: Too long to list here
https://www.irongeek.com/i.php?page=videos/derbycon7/s01-building-better-backdoors-with-wmi-alexander-leary
WheresMyImplant
- First list item – SAM Hash Dumping
- Problems:
  - How to do this?
  - Requires SYSTEM access
  - How to get SYSTEM?
Tokenvator
- Started as the GetSystem portion
- Released June 19
- Picked up on Twitter March 18
- Before it was released it was more popular than all other projects on my GitHub combined
Ooo Shiny Goals!?
Core Goal:
- GetSystem
Stretch Goals?
- GetTrustedInstaller
- Steal_Token
- ByPassUAC
- List_Privileges
- Enable_Privilege
- WhoAmI
- RevertToSelf
Ooo Shiny Goals!?
- Disable_Privilege
- Remove_Privilege
- Nuke_Privileges
- Steal_Pipe_Token
- Sample_Processes
- Sample_Processes_WMI
- Find_User_Processes
- Find_User_Processes_WMI
- List_Filters
- List_Filter_Instances
- Detach_Filter
- Unload_Filter
- …
Tokenvator
- So what happened?
  - Ooo shiny factor (Scope Creep)
  - Caused it to grow in size to be its own tool
- I made the mistake of asking for suggestions
  - Tab completion?
  - Context Specific Help Menu?
  - Wiki?
WheresMyImplant
- Got SYSTEM
- Now where were we?
- Adding modules
- Problem:
  - Testing modules in a .Net DLL
  - There's no easy way of running methods
  - PowerShell gets tedious
RunDotNetDll32
- Simple way to run a .Net library
- List the Namespaces, Classes, Methods, and Parameters without a reflector
- Released April 24
RunDotNetDll32
- Kept to a limited scope
- ...until I started using it on engagements
RunDotNetDll32
- Initial Release
  - Assembly.LoadFile()
  - Ran into issues with EDR
  - Keeps the DLL in memory
- Second Release
  - AssemblyName.GetAssemblyName() -> Type.GetType()
  - Avoids Assembly.LoadFile()
  - Doesn't keep the DLL in memory
- Third Release
  - Interactive Mode
  - Limited utility with one-off commands
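An added example in C# (the editor's, not RunDotNetDll32's or the author's code) of the listing the slides describe: it enumerates a managed DLL's namespaces, classes, methods and parameters through reflection, handles the partial-load case that GetTypes() raises when a dependency is missing, and shows the AssemblyName.GetAssemblyName() -> Type.GetType() lookup from the second release. The DLL path and an optional type name come from the command line; the class and method names are assumed.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

// Added example, not RunDotNetDll32's own code: a minimal reflection-based
// lister for a managed DLL. Class and method names here are the editor's.
class AssemblyLister
{
    // Enumerate every namespace, class, method and parameter in the DLL.
    // Assembly.LoadFile is the initial-release approach from the slide; it maps
    // the file into this process, which is the "keeps the DLL in memory" point.
    static void ListAssembly(string dllPath)
    {
        Assembly asm = Assembly.LoadFile(Path.GetFullPath(dllPath));

        Type[] types;
        try
        {
            types = asm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // A missing dependency makes GetTypes() throw; the types that did
            // load are still in ex.Types (with nulls for the failures).
            types = ex.Types.Where(t => t != null).ToArray();
        }

        // DeclaredOnly skips inherited members such as Object.ToString().
        const BindingFlags declared = BindingFlags.Public | BindingFlags.NonPublic
            | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly;

        foreach (string ns in types.Select(t => t.Namespace ?? "<global>").Distinct().OrderBy(n => n))
        {
            Console.WriteLine(ns);
            foreach (Type t in types.Where(t => (t.Namespace ?? "<global>") == ns && t.IsClass).OrderBy(t => t.Name))
            {
                Console.WriteLine("  " + t.Name);
                foreach (MethodInfo m in t.GetMethods(declared))
                {
                    string parms = string.Join(", ", m.GetParameters()
                        .Select(p => p.ParameterType.Name + " " + p.Name).ToArray());
                    Console.WriteLine("    " + (m.IsStatic ? "static " : "")
                        + m.ReturnType.Name + " " + m.Name + "(" + parms + ")");
                }
            }
        }
    }

    // The second-release lookup from the slide: read the assembly's identity
    // from its manifest with AssemblyName.GetAssemblyName (the file is opened
    // and closed but not added to the AppDomain), then ask the runtime for the
    // type by its assembly-qualified name. Type.GetType resolves the assembly
    // through the normal probing path (application base directory or GAC), so
    // it returns null when the DLL is not somewhere the runtime finds on its own.
    static Type ResolveByName(string dllPath, string fullTypeName)
    {
        AssemblyName name = AssemblyName.GetAssemblyName(Path.GetFullPath(dllPath));
        return Type.GetType(fullTypeName + ", " + name.FullName, false);
    }

    static void Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.WriteLine("usage: AssemblyLister <path-to-dll> [Namespace.TypeName]");
            return;
        }
        ListAssembly(args[0]);
        if (args.Length > 1)
        {
            Type t = ResolveByName(args[0], args[1]);
            Console.WriteLine(t == null
                ? "type not resolvable through the probing path"
                : "resolved: " + t.AssemblyQualifiedName);
        }
    }
}
```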
WheresMyImplant
- Welp, that just happened again
- Back to building modules
Starting Point
- MiniDump
- Clipboard Monitoring
- KeyLogger
- Lateral Movement
  - WMI Method Execution
  - WMI Query
  - SMB Exec (PsExec)
  - PTH SMB Client - Get, Put, Del, List
  - PTH SMB Exec (PsExec)
  - PTH WMI Exec (Win32_Process)
  - DCOM – DDE, MMC, ShellWindows, ShellBrowserWindow, ShellAutomation, and more
- ShellCode Injection
- DLL Injection
- Reflective PE Injection
- Run Command
- Run PowerShell
- Run XP_CmdShell
- C# Empire Agent
- WMI Provider
- WMI for file storage
New Stuff
- Injection
  - Process Hollowing
  - Thread Hijacking
- Credentials
  - SAM Dump
  - LSA Secrets
  - Domain Cached Credentials
  - Credential Vault + CLI
  - Wireless Profiles PSK
- Collection
  - Browser History
  - Memory Scraper
- Persistence
  - Add Local User + Add Local Admin
  - Add Domain User
  - Add User to Domain Group
  - Delete Domain User
  - Remove Domain User From Group
  - WMI Self Install
- Recon
  - LDAP Queries
    - LDAP – Domain Controllers
    - LDAP – Domain Groups
    - LDAP – Domain Users
    - LDAP – Domain Group Members
    - LDAP – Domain Protected Users
    - LDAP – Kerberos PreAuth
    - LDAP – Password Never Expires
    - LDAP – Password Not Required
    - LDAP – ServicePrincipalNames
    - LDAP – LAPS Password
  - Local – ComputerName
  - Local – Domain Name
  - Local – LogonServer
  - Local – AntiVirus Product
  - Local – OS Info
  - Local – Mapped Network Drives
  - Local – Tasklist
- Misc
  - Base64 Encode File
  - Generate NTLM Hash
  - And More
WheresMyImplant + Tokenvator
- Problem: Large Shared Codebase
  - Maintaining consistency between the two
  - Did it by hand for too long
- Solution:
  - Git Submodules
  - Tokenvator is a submodule of WheresMyImplant
MonkeyWorks
- This is a library of P/Invokes and SMB Client Methods
- P/Invokes are organized by library and header file
  - MonkeyWorks.Unmanaged.Libraries.Advapi32
  - MonkeyWorks.Unmanaged.Headers.Winnt
- SMB Client is organized by method
  - Port of Invoke-TheHash
  - MonkeyWorks.SMB.SMB2.SMB2IoctlRequest
https://github.com/NetSPI/MonkeyWorks/
MonkeyWorks.Unmanaged.Headers:
- FltUserStructures
- MinWinBase
- Minidumpapiset
- Ntifs
- Ntpsapi
- Ntsecapi
- ProcessThreadsApi
- Rpcdce
- Subauth
- TlHelp32
- WinCred
- Winbase
- Wincon
- Wincrypt
- Windef
- Winnt
- Winsvc
- Winternl
- Winuser
- wudfwdm
MonkeyWorks.Unmanaged.Libraries:
- advapi32
- crypt32
- dbghelp
- fltlib
- kernel32
- ntdll
- secur32
- user32
- vaultcli
- wlanapi
- wtsapi32
MonkeyWorks SMB client classes:
- DCERPCAUTH3
- DCERPCAlterContext
- DCERPCBind
- DCERPCRequest
- DCOMRemQueryInterface
- DCOMRemRelease
- DCOMRemoteCreateInstance
- NTLMSSPVerifier
- NetBIOSSessionService
- SVCCTLSCMCloseServiceHandle
- SVCCTLSCMCreateServiceW
- SVCCTLSCMDeleteServiceW
- SVCCTLSCMOpenSCManagerW
- SVCCTLSCMStartServiceW
- SMB2CloseRequest
- SMB2CreateRequest
- SMB2FindFileRequestFile
- SMB2GetInfo
- SMB2Header
- SMB2IoctlRequest
- SMB2NTLMSSPAuth
- SMB2NTLMSSPNegotiate
- SMB2NegotiateProtocolRequest
- SMB2ReadRequest
- SMB2SessionLogoffRequest
- SMB2SessionSetupRequest
- SMB2SetInfo
- SMB2TreeConnectRequest
- SMB2TreeDisconnectRequest
- SMB2WriteRequest
- SMBCloseRequest
- SMBHeader
- SMBLogoffAndXRequest
- SMBNTCreateAndXRequest
- SMBNegotiateProtocolRequest
- SMBReadAndXRequest
- SMBSessionSetupAndXRequest
- SMBTreeConnectAndXRequest
- SMBTreeDisconnectRequest
- SMBWriteAndXRequest
ISSUES WITH .NET
Problems
- Framework Versions
  - Windows 7 – .Net 3.5 – CLR 2.0 (Default)
  - Windows 10 – CLR 4.0 (Default)
- More Framework Problems
  - .Net Framework 4.8 will be the final "Framework" release
  - .Net Core will be taking over
- Trivial to Reverse Engineer
- AMSI inevitability
  - Seems to be partially implemented in Defender
QUESTIONS?
http://slideshare.net/0xbadjuju/
@0xbadjuju
https://github.com/0xbadjuju/WheresMyImplant
https://github.com/0xbadjuju/Tokenvator
https://github.com/0xbadjuju/rundotnetdll32
https://github.com/NetSPI/MonkeyWorks
MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
Empowering enterprises to scale & operationalize their
security programs, globally.

More Related Content

What's hot

Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShellWill Schroeder
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2Chris Gates
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsChris Gates
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Alexander Polce Leary
 
Puppetconf2016 Puppet on Windows
Puppetconf2016 Puppet on WindowsPuppetconf2016 Puppet on Windows
Puppetconf2016 Puppet on WindowsNicolas Corrarello
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterMike Felch
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, PowershellRoo7break
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Rob Fuller
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
 
[UniteKorea2013] Protecting your Android content
[UniteKorea2013] Protecting your Android content[UniteKorea2013] Protecting your Android content
[UniteKorea2013] Protecting your Android contentWilliam Hugo Yang
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Eviljaredhaight
 

What's hot (20)

Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
hackcon2013-Dirty Little Secrets They Didn't Teach You In Pentesting Class v2
 
DevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps ToolchainsDevOOPS: Attacks and Defenses for DevOps Toolchains
DevOOPS: Attacks and Defenses for DevOps Toolchains
 
Windows Attacks AT is the new black
Windows Attacks   AT is the new blackWindows Attacks   AT is the new black
Windows Attacks AT is the new black
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
 
Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'Codetainer: a Docker-based browser code 'sandbox'
Codetainer: a Docker-based browser code 'sandbox'
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 
Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017Building Better Backdoors with WMI - DerbyCon 2017
Building Better Backdoors with WMI - DerbyCon 2017
 
Puppetconf2016 Puppet on Windows
Puppetconf2016 Puppet on WindowsPuppetconf2016 Puppet on Windows
Puppetconf2016 Puppet on Windows
 
I Hunt Sys Admins
I Hunt Sys AdminsI Hunt Sys Admins
I Hunt Sys Admins
 
Red Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite PerimeterRed Team Tactics for Cracking the GSuite Perimeter
Red Team Tactics for Cracking the GSuite Perimeter
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
Attacker Ghost Stories (CarolinaCon / Area41 / RVASec)
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoBreaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin Vigo
 
[UniteKorea2013] Protecting your Android content
[UniteKorea2013] Protecting your Android content[UniteKorea2013] Protecting your Android content
[UniteKorea2013] Protecting your Android content
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Injection flaw teaser
Injection flaw teaserInjection flaw teaser
Injection flaw teaser
 

Similar to 2018 Writing Offensive .Net Tools

Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingAsep Sopyan
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversOllie Whitehouse
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxYasserOuda2
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of themRoberto Suggi Liverani
 
TIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepTIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepThe Incredible Automation Day
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017Alexander Polce Leary
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?Graham Charters
 
Oracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with Terraform
Oracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with TerraformOracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with Terraform
Oracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with TerraformFrederic Descamps
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNEDChris Gates
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - FalconerTony Godfrey
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfprithaaash
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidMatthew Johnson
 
Introduction to hacking
Introduction to hackingIntroduction to hacking
Introduction to hackingnitish mehta
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriDocker, Inc.
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Adam Pennington
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdfGabriel Mathenge
 

Similar to 2018 Writing Offensive .Net Tools (20)

Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
 
CEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptxCEHv10 M0 Introduction.pptx
CEHv10 M0 Introduction.pptx
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
TIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by stepTIAD - DYI: A simple orchestrator built step by step
TIAD - DYI: A simple orchestrator built step by step
 
WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017WMI for Penetration Testers - Arcticcon 2017
WMI for Penetration Testers - Arcticcon 2017
 
How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?How to get along with HATEOAS without letting the bad guys steal your lunch?
How to get along with HATEOAS without letting the bad guys steal your lunch?
 
Oracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with Terraform
Oracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with TerraformOracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with Terraform
Oracle Developer Live: Deploying MySQL InnoDB Cluster on OCI with Terraform
 
Lares from LOW to PWNED
Lares from LOW to PWNEDLares from LOW to PWNED
Lares from LOW to PWNED
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Kali Linux - Falconer
Kali Linux - FalconerKali Linux - Falconer
Kali Linux - Falconer
 
The Pivot
The PivotThe Pivot
The Pivot
 
Purple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdfPurple Teaming With Adversary Emulation.pdf
Purple Teaming With Adversary Emulation.pdf
 
Bettercap
BettercapBettercap
Bettercap
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
Introduction to hacking
Introduction to hackingIntroduction to hacking
Introduction to hacking
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
 
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
Anomali Detect 19 - Nickels & Pennington - Turning Intelligence into Action w...
 
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdftheVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
theVIVI-AD-Security-Workshop_AfricaHackon2019.pdf
 

Recently uploaded

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April  Automation LPDGAPIForce Zurich 5 April  Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

2018 Writing Offensive .Net Tools

  • 1. WRITING OFFENSIVE .NET TOOLS OR HOW I GOT CONTINUOUSLY SIDETRACKED FOR A YEAR
  • 2. Confidential & Proprietary. WRITING OFFENSIVE .NET TOOLS. Alexander Polce Leary
     Name: Alexander Polce Leary
     Job: Network & Application Pentester @ NetSPI; Red Team Lead
     Twitter: @0xbadjuju
     Slides: On their way
     Blogs: https://blog.netspi.com/author/aleary/
     Code: https://github.com/0xbadjuju/
  • 3. Overview
     Why develop in .Net
     Tools
        WheresMyImplant
        Tokenvator
        RunDotNetDll32
        MonkeyWorks
     Issues presented with .Net Toolkits
  • 4. WHY DEVELOP IN .NET?
  • 5. Why develop in .Net? Low barrier to entry:
     1. Familiarity
     2. Documentation
     3. Resources
     4. Visual Studio
     5. Reflection (Late Binding)
  • 6. TOOLING
  • 7. WheresMyImplant. Introduced at DerbyCon & ArcticCon 2017
     C# WMI provider for persistence
     Picking up where I left off
     Problem: Not useful enough
     Solution: Make it not dependent on other toolkits
     To Do: Too long to list here
    https://www.irongeek.com/i.php?page=videos/derbycon7/s01-building-better-backdoors-with-wmi-alexander-leary
  • 8. WheresMyImplant
     First list item: SAM Hash Dumping
     Problems:
        How to do this?
        Requires SYSTEM access
        How to get SYSTEM?
  • 9. Tokenvator
     Started as the GetSystem portion
     Released June 19
     Picked up on Twitter March 18
     Before it was released it was more popular than all other projects on my GitHub combined
  • 10. Ooo Shiny Goals!?
    Core Goal:
     GetSystem
    Stretch Goals?
     GetTrustedInstaller
     Steal_Token
     ByPassUAC
     List_Privileges
     Enable_Privilege
     WhoAmI
     RevertToSelf
     Disable_Privilege
     Remove_Privilege
     Nuke_Privileges
     Steal_Pipe_Token
     Sample_Processes
     Sample_Processes_WMI
     Find_User_Processes
     Find_User_Processes_WMI
     List_Filters
     List_Filter_Instances
     Detach_Filter
     Unload_Filter
     …
  • 11. (image slide, no text)
  • 12. Tokenvator
     So what happened?
     Ooo shiny factor (Scope Creep)
     Caused it to grow in size to be its own tool
     I made the mistake of asking for suggestions
        Tab completion?
        Context Specific Help Menu?
        Wiki?
  • 13. WheresMyImplant
     Got SYSTEM
     Now where were we?
     Adding modules
     Problem:
        Testing modules in a .Net DLL
        There’s no easy way of running methods
        PowerShell gets tedious
  • 14. RunDotNetDll32
     Simple way to run a .Net library
     List the Namespaces, Classes, Methods, and Parameters without a reflector
     Released April 24
  • 15. RunDotNetDll32
     Kept to a limited scope
     ...until I started using it on engagements
  • 16. RunDotNetDll32
     Initial Release
        Assembly.LoadFile()
        Run into issues with EDR
        Keeps the DLL in memory
     Second Release
        AssemblyName.GetAssemblyName() -> Type.GetType()
        Avoids Assembly.LoadFile()
        Doesn’t keep the DLL in memory
     Third Release
        Interactive Mode
        Limited utility with one-off commands
  • 17. WheresMyImplant
     Welp, that just happened again
     Back to building modules
  • 18. WheresMyImplant modules
    Starting Point:
     MiniDump
     Clipboard Monitoring
     KeyLogger
     Lateral Movement
        WMI Method Execution
        WMI Query
        SMB Exec (PsExec)
        PTH SMB Client: Get, Put, Del, List
        PTH SMB Exec (PsExec)
        PTH WMI Exec (Win32_Process)
        DCOM: DDE, MMC, ShellWindows, ShellBrowserWindow, ShellAutomation, and more
     ShellCode Injection
     DLL Injection
     Reflective PE Injection
     Run Command
     Run PowerShell
     Run XP_CmdShell
     C# Empire Agent
     WMI Provider
     WMI for file storage
    New Stuff:
     Injection
        Process Hollowing
        Thread Hijacking
     Credentials
        SAM Dump
        LSA Secrets
        Domain Cached Credentials
        Credential Vault + CLI
        Wireless Profiles PSK
     Collection
        Browser History
        Memory Scraper
  • 19. WheresMyImplant modules (continued)
     Recon
        LDAP Queries
        LDAP: Domain Controllers
        LDAP: Domain Groups
        LDAP: Domain Users
        LDAP: Domain Group Members
        LDAP: Domain Protected Users
        LDAP: Kerberos PreAuth
        LDAP: Password Never Expires
        LDAP: Password Not Required
        LDAP: ServicePrincipalNames
        LDAP: LAPS Password
        Local: ComputerName
        Local: Domain Name
        Local: LogonServer
        Local: AntiVirus Product
        Local: OS Info
        Local: Mapped Network Drives
        Local: Tasklist
     Misc
        Base64 Encode File
        Generate NTLM Hash
        And More
     Persistence
        Add Local User + Add Local Admin
        Add Domain User
        Add User to Domain Group
        Delete Domain User
        Remove Domain User From Group
        WMI Self Install
  • 20. WheresMyImplant + Tokenvator
     Problem: Large Shared Codebase
        Maintaining consistency between the two
        Did it by hand for too long
     Solution:
        Git Submodules
        Tokenvator is a submodule of WheresMyImplant
  • 21. MonkeyWorks
     This is a library of P/Invokes and SMB Client Methods
     P/Invokes are organized by library and header file
        MonkeyWorks.Unmanaged.Libraries.Advapi32
        MonkeyWorks.Unmanaged.Headers.Winnt
     SMB Client is organized by method
        Port of Invoke-TheHash
        MonkeyWorks.SMB.SMB2.SMB2IoctlRequest
    https://github.com/NetSPI/MonkeyWorks/
  • 22. MonkeyWorks P/Invoke coverage
    Headers:
     FltUserStructures
     MinWinBase
     Minidumpapiset
     Ntifs
     Ntpsapi
     Ntsecapi
     ProcessThreadsApi
     Rpcdce
     Subauth
     TlHelp32
     WinCred
     Winbase
     Wincon
     Wincrypt
     Windef
     Winnt
     Winsvc
     Winternl
     Winuser
     wudfwdm
    Libraries:
     advapi32
     crypt32
     dbghelp
     fltlib
     kernel32
     ntdll
     secur32
     user32
     vaultcli
     wlanapi
     wtsapi32
  • 23. MonkeyWorks SMB client methods
     DCERPCAUTH3
     DCERPCAlterContext
     DCERPCBind
     DCERPCRequest
     DCOMRemQueryInterface
     DCOMRemRelease
     DCOMRemoteCreateInstance
     NTLMSSPVerifier
     NetBIOSSessionService
     SVCCTLSCMCloseServiceHandle
     SVCCTLSCMCreateServiceW
     SVCCTLSCMDeleteServiceW
     SVCCTLSCMOpenSCManagerW
     SVCCTLSCMStartServiceW
     SMB2CloseRequest
     SMB2CreateRequest
     SMB2FindFileRequestFile
     SMB2GetInfo
     SMB2Header
     SMB2IoctlRequest
     SMB2NTLMSSPAuth
     SMB2NTLMSSPNegotiate
     SMB2NegotiateProtocolRequest
     SMB2ReadRequest
     SMB2SessionLogoffRequest
     SMB2SessionSetupRequest
     SMB2SetInfo
     SMB2TreeConnectRequest
     SMB2TreeDisconnectRequest
     SMB2WriteRequest
     SMBCloseRequest
     SMBHeader
     SMBLogoffAndXRequest
     SMBNTCreateAndXRequest
     SMBNegotiateProtocolRequest
     SMBReadAndXRequest
     SMBSessionSetupAndXRequest
     SMBTreeConnectAndXRequest
     SMBTreeDisconnectRequest
     SMBWriteAndXRequest
  • 24. ISSUES WITH .NET
  • 25. Problems
     Framework Versions
        Windows 7: .Net 3.5, CLR 2.0 (Default)
        Windows 10: CLR 4.0 (Default)
     More Framework Problems
        .Net Framework 4.8 will be the final “Framework” release
        .Net Core will be taking over
     Trivial to Reverse Engineer
     AMSI inevitability
        Seems to be partially implemented in Defender
  • 26. QUESTIONS?
    http://slideshare.net/0xbadjuju/
    @0xbadjuju
    https://github.com/0xbadjuju/WheresMyImplant
    https://github.com/0xbadjuju/Tokenvator
    https://github.com/0xbadjuju/rundotnetdll32
    https://github.com/NetSPI/MonkeyWorks
  • 27. MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS. Empowering enterprises to scale & operationalize their security programs, globally.
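The listing that slides 14 and 16 describe (namespaces, classes, methods and parameters of a .Net DLL, without a reflector), written here as an added example that is not RunDotNetDll32's code. It uses .NET Framework's reflection-only load context, which reads the assembly's metadata without executing anything in it; the DLL path is assumed to come from the command line, and dependencies beyond mscorlib would need a ReflectionOnlyAssemblyResolve handler that is left out here.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Reflection;

// Added example, not the RunDotNetDll32 source. Targets .NET Framework:
// ReflectionOnlyLoadFrom inspects metadata only, so no code in the
// inspected DLL (static constructors, module initializers) is run.
static class AssemblyInventory
{
    static void Main(string[] args)
    {
        string path = Path.GetFullPath(args[0]);   // assumed: path to a managed DLL
        Assembly asm = Assembly.ReflectionOnlyLoadFrom(path);

        Type[] types;
        try
        {
            types = asm.GetTypes();
        }
        catch (ReflectionTypeLoadException ex)
        {
            // Types whose dependencies could not be resolved come back as null;
            // keep the ones that loaded instead of aborting the whole listing.
            types = ex.Types.Where(t => t != null).ToArray();
        }

        // DeclaredOnly skips inherited members such as Object.ToString().
        const BindingFlags flags = BindingFlags.Public | BindingFlags.NonPublic
            | BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly;

        foreach (var ns in types.GroupBy(t => t.Namespace ?? "<global>").OrderBy(g => g.Key))
        {
            Console.WriteLine("Namespace: " + ns.Key);
            foreach (Type t in ns.Where(t => t.IsClass).OrderBy(t => t.Name))
            {
                Console.WriteLine("  Class: " + t.Name);
                foreach (MethodInfo m in t.GetMethods(flags).OrderBy(m => m.Name))
                {
                    string parameters = string.Join(", ",
                        m.GetParameters().Select(p => p.ParameterType.Name + " " + p.Name));
                    Console.WriteLine("    " + (m.IsStatic ? "static " : "")
                        + m.ReturnType.Name + " " + m.Name + "(" + parameters + ")");
                }
            }
        }
    }
}
```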

Editor's Notes

  1. Familiarity: similar to Java and PowerShell. Documentation: MSDN is massive. Resources: Stack Overflow; if you have a question, it’s already been answered somewhere (p/invoke). Visual Studio: seems small, but small things like IntelliSense lower the barrier to entry.
  2. Reaction was well… Muted
  3. How to do this? This is a recurring theme.
  4. There are people out there that creep on repos.
  5. Reaction was well… Muted
  6. I should mention that even my wife is a project manager. Well, it turned into a cool project.
  7. …So why is it its own tool?
  8. Reaction was well… Muted
  9. Reaction was well… Muted
  10. Similar to the PSReflect project
  11. Reaction was well… Muted
  12. Reaction was well… Muted