![Sleep 101
• “Sleep is primarily a glue language and was
designed from the ground up to be
embedded in Java applications…[it] brings
the power of Perl to the Java platform.”
• Much of the backend of Armitage is actually
written in Sleep
https://today.java.net/pub/a/today/2005/07/14/sleep.html](https://image.slidesharecdn.com/wieldingacortana-140321164319-phpapp01/75/wielding-a-cortana-7-2048.jpg?cb=1668534536)
![How Can Cortana Help?
• We can interact fully with the msf database
o @notes = call("db.notes")["notes"];
• We can setup ‘heartbeat’ callbacks to
periodically perform actions
o on heartbeat_5s {…}
• We can modify our gui in useful ways
o filter host_image { …change a host’s gui image …}](https://image.slidesharecdn.com/wieldingacortana-140321164319-phpapp01/75/wielding-a-cortana-40-2048.jpg?cb=1668534536)
Wielding a cortana
•4 likes•2,833 views
Report
Share
Download to read offline
These slides were presented at BSidesAustin 2014, and cover Cortana attack scripting, its background, and five implemented use cases.
More Related Content
What's hot
What's hot(20)
Viewers also liked
Viewers also liked(16)
Similar to Wielding a cortana
Similar to Wielding a cortana(20)
![[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...](https://cdn.slidesharecdn.com/ss_thumbnails/day1-04-140412114404-phpapp02-thumbnail.jpg?width=768&fit=bounds)
More from Will Schroeder
More from Will Schroeder(9)
Recently uploaded
Recently uploaded(20)
Wielding a cortana
- 1. Will @harmj0y Veris Group Wielding a Cortana
- 2. $ whoami • Security researcher and penetration tester for Veris Group • Co-founder of the Veil-Framework #avlol o www.veil-framework.com o Shmoocon ‘14: AV Evasion with the Veil Framework o co-wrote Veil-Evasion, wrote Veil-Catapult and Veil- PowerView • https://github.com/HarmJ0y/ • http://harmj0y.net
- 3. tl;dr • Cortana? wtf • OK that’s cool, what can I do • Cortana use cases: o grabcreds.cna - auto hash dumping o safetynet.cna - saving shells o veil_evasion.cna - #avlol :) o user_hunter.cna - find DAs o beacon.cna - graphical beacons*
- 4. Cortana? wtf • Raphael Mudge’s DARPA cyber fast track project • Allows for the scripting of Armitage and/or Metasploit itself o Some of this functionality is restricted to Cobalt Strike - marked by a * • Doesn’t seem to have publically caught on o Which is dumb, since it’s incredibly useful
- 5. Cortana: Why Use It • Allows for the easy customization of an already existing, powerful tool • Many standard pentest actions can be automated and manipulated in useful ways • Lets you minimize the time spent doing repetitive tasks
- 6. Cortana Background • Cortana is a set of extensions to the Sleep language that allows for the control of Armitage/Metasploit • Sleep = Java-based scripting language heavily inspired by Perl and written by Raphael o http://sleep.dashnine.org/documentation.html o http://www.fastandeasyhacking.com/download/corta na/cortana_tutorial.pdf
- 7. Sleep 101 • “Sleep is primarily a glue language and was designed from the ground up to be embedded in Java applications…[it] brings the power of Perl to the Java platform.” • Much of the backend of Armitage is actually written in Sleep https://today.java.net/pub/a/today/2005/07/14/sleep.html
- 8. Cortana 101 • Interaction with Metasploit is baked in through utilization of MSF’s RPC interface • You can send commands to a Meterpreter session, interact with the backend database, launch modules, etc. • m_cmd($1, “sysinfo”); • host_info($address); • exploit("windows/smb/ms08_067_netapi", $addr);
- 9. Cortana 101 • Triggers can be set up to asynchronously fire on various actions/events: o new sessions o meterpreter/shell commands o new hosts/services/routes/etc. • Lets you perform contextual actions and automate a lot of post-exploitation
- 10. Cortana 101
- 11. Cortana 101 • The user interface for Armitage can be easily modified: o new program menus o new meterpreter action menus o changeable host icons • Lots of examples at: https://github.com/rsmudge/cortana-scripts https://github.com/HarmJ0y/cortana
- 13. Use Case #1 • On each meterpreter session that comes in, we always like to grab all credentials we can from the box: o hashdump o run mimikatz o see if a user we want is logged in • ASPNET? Guest? SUPPORT_*? no thx
- 14. How Can Cortana Help? • grabcreds.cna o on session_sync { … } o m_cmd($1, "wdigest"); o on meterpreter_wdigest { … } • On each host that comes in: o run hashdump and mimikatz o filter out account names we don’t want o dump creds to the database o check users found against a designated list o announce results on the team chat*
- 15. grabcreds.cna
- 16. Use Case #2 • Losing shells sucks • Our standard procedure is to inject additional sessions (or beacons*) for fallback in case our main working session dies o and not to just one C2 server ● This becomes tedious when you’re dealing with A LOT of shells and various handlers
- 17. How Can Cortana Help? • safetynet.cna o on session_sync { … } o launch("post", …) • automatically runs a payload inject module against each host o injects a “safetynet” payload • Problem: o we want to inject two payloads, one from the existing process context and one into explorer.exe
- 18. Sidenote: smart_payload_inject.rb • Existing payload_inject.rb only allows for injection against predefined process IDs • smart_migrate.rb allows for “smart” migration into explorer.exe • Combine the two -> easy injection into a specific process name, explorer.exe default
- 20. Adding From Existing Listeners*
- 23. Use Case #3 • Armitage/Cobalt Strike are great, but sometimes we want specific gui modifications • Say we want to have a Cobalt Strike workspace containing only hosts with active beacons* *http://www.advancedpentest.com/help-beacon
- 24. How Can Cortana Help? • We can grab the active beacon list o @beacons = call('beacon.list'); • We can setup ‘heartbeat’ callbacks to periodically perform actions o on heartbeat_5s {…} • We can modify our gui in useful ways o filter host_image { …change a host’s gui image …} o bind Ctrl+B { open_beacon_browser(); }
- 26. Use Case #4 • psexec in Metasploit is great, but the standard exe templates = no good • Veil-Evasion does a great job at generating AV-evading executables :) • But generating each time, reconfiguring paths, etc. is a pain
- 27. How Can Cortana Help? • veil_evasion.cna o filter user_launch { … } o exec(SYSTEM COMMAND); • Invokes Veil-Evasion to generate a binary, intercepts psexec calls in Armitage, and substitutes this in for a custom EXE • No more caught payloads :)
- 28. Sidenote: swing >_< • Exposed Cortana functions are great, but didn’t quite cover exactly what we wanted • Luckily, Cortana scripts can integrate various java/swing GUI manipulations • And guess what? Armitage has examples. And it’s BSD-licensed
- 29. Armitage Backend
- 30. Armitage Backend
- 31. veil_evasion.cna - Main Menu
- 32. veil_evasion.cna - Main Interface
- 33. Use case #5 • What’s the usual goal for a smash-and-grab pentest? • Find out who the domain admins are • Find where they’re logged into • Find a set of credentials that gives us SYSTEM on their box • psexec, pop a box, mimikatz, profit
- 34. Situational Awareness 101 • Manual process on the domain side: • net user /domain • net group /domain • net view • net view <hostname> • net sessions <hostname>
- 35. Netview.exe • Rub Fuller (@mubix) released a tool at Derbycon 2012 called Netview, which “enumerates systems using WinAPI calls” • Can find hosts, shares, and logged on users across a network • Two API calls really interest us: o NetServerEnum – enumerate (from the DC) domain systems of a certain type o NetWkstaUserEnum – get users logged onto a system
- 36. Metasploit • Most of this type of functionality already exists in Metasploit (of course): • smb_enumusers_domain o uses NetWkstaUserEnum (through railgun) to get users logged into a particular machine • local_admin_search_enum o checks a range of IPs to see if the current user has admin access, and grabs the logged in users with NetWkstaUserEnum as well
- 37. Metasploit • • enum_domain_group_users o runs “net groups GROUP /domain” against a host and parses the results • computer_browser_discovery o queries the default domain controller for all hosts of a particular type using NetServerEnum
- 38. user_hunter.rb • New Metasploit module, drawing from existing functionality • Takes a username, userlist, or domain group to query against the local DC • Takes a host list, or runs “net view” to try to enumerate all machines on a domain
- 39. user_hunter.rb • Runs NetWkstaUserEnum against each target host to determine the users logged into the machine • Compares this against the target user list, throwing a specific user.hunter note into the database when it finds a match • point -> click -> be told where DA’s are
- 40. How Can Cortana Help? • We can interact fully with the msf database o @notes = call("db.notes")["notes"]; • We can setup ‘heartbeat’ callbacks to periodically perform actions o on heartbeat_5s {…} • We can modify our gui in useful ways o filter host_image { …change a host’s gui image …}
- 41. Cortana – user_hunter.cna • Cortana script that periodically polls the MSF database for our user.hunter notes • Modifies the host icons of any systems with found users o i.e. any systems where a DA is logged into! • Also adds an option to launch the user_hunter.rb module from any meterpreter session
- 42. Demo
- 43. Recap • Cortana is awesome, contribute! o https://github.com/rsmudge/cortana-scripts o https://github.com/HarmJ0y/cortana • Many standard assessment actions can be automated and manipulated in useful ways • The less time you spend doing repetitive actions = the more you can spend pwning the client
- 44. Questions? Will @harmj0y will@harmj0y.net harmj0y on Freenode - #veil and #armitage Get the cortana pack- https://github.com/HarmJ0y/cortana