
Wielding a cortana



These slides were presented at BSidesAustin 2014, and cover Cortana attack scripting, its background, and five implemented use cases.


  1. Wielding a Cortana
    Will @harmj0y, Veris Group
  2. $ whoami
    • Security researcher and penetration tester for Veris Group
    • Co-founder of the Veil-Framework #avlol
      o Shmoocon ‘14: AV Evasion with the Veil Framework
      o co-wrote Veil-Evasion, wrote Veil-Catapult and Veil-PowerView
  3. tl;dr
    • Cortana? wtf
    • OK that’s cool, what can I do
    • Cortana use cases:
      o grabcreds.cna - auto hash dumping
      o safetynet.cna - saving shells
      o veil_evasion.cna - #avlol :)
      o user_hunter.cna - find DAs
      o beacon.cna - graphical beacons*
  4. Cortana? wtf
    • Raphael Mudge’s DARPA Cyber Fast Track project
    • Allows for the scripting of Armitage and/or Metasploit itself
      o Some of this functionality is restricted to Cobalt Strike - marked by a *
    • Doesn’t seem to have publicly caught on
      o Which is dumb, since it’s incredibly useful
  5. Cortana: Why Use It
    • Allows for the easy customization of an already existing, powerful tool
    • Many standard pentest actions can be automated and manipulated in useful ways
    • Lets you minimize the time spent doing repetitive tasks
  6. Cortana Background
    • Cortana is a set of extensions to the Sleep language that allows for the control of Armitage/Metasploit
    • Sleep = Java-based scripting language heavily inspired by Perl and written by Raphael
      o na/cortana_tutorial.pdf
  7. Sleep 101
    • “Sleep is primarily a glue language and was designed from the ground up to be embedded in Java applications…[it] brings the power of Perl to the Java platform.”
    • Much of the backend of Armitage is actually written in Sleep
  8. Cortana 101
    • Interaction with Metasploit is baked in through utilization of MSF’s RPC interface
    • You can send commands to a Meterpreter session, interact with the backend database, launch modules, etc.
      o m_cmd($1, "sysinfo");
      o host_info($address);
      o exploit("windows/smb/ms08_067_netapi", $addr);
  9. Cortana 101
    • Triggers can be set up to asynchronously fire on various actions/events:
      o new sessions
      o meterpreter/shell commands
      o new hosts/services/routes/etc.
    • Lets you perform contextual actions and automate a lot of post-exploitation
  10. Cortana 101
  11. Cortana 101
    • The user interface for Armitage can be easily modified:
      o new program menus
      o new meterpreter action menus
      o changeable host icons
    • Lots of examples at:
  12. Cortana Use Cases
  13. Use Case #1
    • On each meterpreter session that comes in, we always like to grab all credentials we can from the box:
      o hashdump
      o run mimikatz
      o see if a user we want is logged in
    • ASPNET? Guest? SUPPORT_*? no thx
  14. How Can Cortana Help?
    • grabcreds.cna
      o on session_sync { … }
      o m_cmd($1, "wdigest");
      o on meterpreter_wdigest { … }
    • On each host that comes in:
      o run hashdump and mimikatz
      o filter out account names we don’t want
      o dump creds to the database
      o check users found against a designated list
      o announce results on the team chat*
  15. grabcreds.cna
  16. Use Case #2
    • Losing shells sucks
    • Our standard procedure is to inject additional sessions (or beacons*) for fallback in case our main working session dies
      o and not to just one C2 server
    • This becomes tedious when you’re dealing with A LOT of shells and various handlers
  17. How Can Cortana Help?
    • safetynet.cna
      o on session_sync { … }
      o launch("post", …)
    • automatically runs a payload inject module against each host
      o injects a “safetynet” payload
    • Problem:
      o we want to inject two payloads, one from the existing process context and one into explorer.exe
  18. Sidenote: smart_payload_inject.rb
    • Existing payload_inject.rb only allows for injection against predefined process IDs
    • smart_migrate.rb allows for “smart” migration into explorer.exe
    • Combine the two -> easy injection into a specific process name, explorer.exe default
  19. safetynet.cna - interface
  20. Adding From Existing Listeners*
  21. Custom Safetynet Payloads
  22. Installing Safetynets
  23. Use Case #3
    • Armitage/Cobalt Strike are great, but sometimes we want specific GUI modifications
    • Say we want to have a Cobalt Strike workspace containing only hosts with active beacons*
  24. How Can Cortana Help?
    • We can grab the active beacon list
      o @beacons = call('beacon.list');
    • We can set up ‘heartbeat’ callbacks to periodically perform actions
      o on heartbeat_5s {…}
    • We can modify our GUI in useful ways
      o filter host_image { …change a host’s GUI image …}
      o bind Ctrl+B { open_beacon_browser(); }
  25. Graphical Beacons
  26. Use Case #4
    • psexec in Metasploit is great, but the standard exe templates = no good
    • Veil-Evasion does a great job at generating AV-evading executables :)
    • But generating each time, reconfiguring paths, etc. is a pain
  27. How Can Cortana Help?
    • veil_evasion.cna
      o filter user_launch { … }
      o exec(SYSTEM COMMAND);
    • Invokes Veil-Evasion to generate a binary, intercepts psexec calls in Armitage, and substitutes this in for a custom EXE
    • No more caught payloads :)
  28. Sidenote: swing >_<
    • Exposed Cortana functions are great, but didn’t quite cover exactly what we wanted
    • Luckily, Cortana scripts can integrate various Java/Swing GUI manipulations
    • And guess what? Armitage has examples. And it’s BSD-licensed
  29. Armitage Backend
  30. Armitage Backend
  31. veil_evasion.cna - Main Menu
  32. veil_evasion.cna - Main Interface
  33. Use Case #5
    • What’s the usual goal for a smash-and-grab pentest?
    • Find out who the domain admins are
    • Find where they’re logged into
    • Find a set of credentials that gives us SYSTEM on their box
    • psexec, pop a box, mimikatz, profit
  34. Situational Awareness 101
    • Manual process on the domain side:
      o net user /domain
      o net group /domain
      o net view
      o net view <hostname>
      o net sessions <hostname>
  35. Netview.exe
    • Rob Fuller (@mubix) released a tool at Derbycon 2012 called Netview, which “enumerates systems using WinAPI calls”
    • Can find hosts, shares, and logged on users across a network
    • Two API calls really interest us:
      o NetServerEnum – enumerate (from the DC) domain systems of a certain type
      o NetWkstaUserEnum – get users logged onto a system
  36. Metasploit
    • Most of this type of functionality already exists in Metasploit (of course):
    • smb_enumusers_domain
      o uses NetWkstaUserEnum (through railgun) to get users logged into a particular machine
    • local_admin_search_enum
      o checks a range of IPs to see if the current user has admin access, and grabs the logged in users with NetWkstaUserEnum as well
  37. Metasploit
    • enum_domain_group_users
      o runs “net groups GROUP /domain” against a host and parses the results
    • computer_browser_discovery
      o queries the default domain controller for all hosts of a particular type using NetServerEnum
  38. user_hunter.rb
    • New Metasploit module, drawing from existing functionality
    • Takes a username, userlist, or domain group to query against the local DC
    • Takes a host list, or runs “net view” to try to enumerate all machines on a domain
  39. user_hunter.rb
    • Runs NetWkstaUserEnum against each target host to determine the users logged into the machine
    • Compares this against the target user list, throwing a specific user.hunter note into the database when it finds a match
    • point -> click -> be told where DAs are
  40. How Can Cortana Help?
    • We can interact fully with the MSF database
      o @notes = call("db.notes")["notes"];
    • We can set up ‘heartbeat’ callbacks to periodically perform actions
      o on heartbeat_5s {…}
    • We can modify our GUI in useful ways
      o filter host_image { …change a host’s GUI image …}
  41. Cortana – user_hunter.cna
    • Cortana script that periodically polls the MSF database for our user.hunter notes
    • Modifies the host icons of any systems with found users
      o i.e. any systems where a DA is logged in!
    • Also adds an option to launch the user_hunter.rb module from any meterpreter session
  42. Demo
  43. Recap
    • Cortana is awesome, contribute!
    • Many standard assessment actions can be automated and manipulated in useful ways
    • The less time you spend doing repetitive actions = the more you can spend pwning the client
  44. Questions?
    Will @harmj0y
    harmj0y on Freenode - #veil and #armitage
    Get the cortana pack-
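As an added illustration of the heartbeat-plus-host_image pattern from slides 40 and 41 (this is not the talk's user_hunter.cna, just a sketch written for this page): the script polls db.notes every five seconds, remembers hosts carrying a user.hunter note, and overlays an icon on them. Assumptions: notes come back as hashes with ntype/host/data keys as the MSF RPC returns them, the host_image filter receives the host list in $1 and the image list in $2 and must return both with @($1, $2) as in the Cortana tutorial, and hunter.png is a placeholder image file shipped next to the script.

```sleep
# Hosts that user_hunter.rb has flagged, keyed by address.
%hunted = %();

# Poll the Metasploit database on a 5 second heartbeat (slide 40).
on heartbeat_5s {
    local('@notes $note');
    @notes = call("db.notes")["notes"];
    foreach $note (@notes) {
        # assumed note layout: ntype / host / data keys from the MSF RPC
        if ($note['ntype'] eq "user.hunter") {
            %hunted[$note['host']] = $note['data'];
        }
    }
}

# Overlay an icon on any host where a target user was found (slide 41).
# $1 = list of addresses being drawn, $2 = list of images to layer on them.
filter host_image {
    local('$address');
    foreach $address ($1) {
        if (%hunted[$address] !is $null) {
            # hunter.png is a placeholder image assumed to sit beside the script
            push($2, script_resource("hunter.png"));
        }
    }
    return @($1, $2);
}
```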