Not Your Daddy s Winexe. THOTCON 0x9 May 4, 2018

Transcription

1 Not Your Daddy s Winexe ways to legitimately access a system THOTCON 0x9 May 4, 2018 ELEVATED SECURITY FOR MODERN ADVERSARIES.

2 WHO THE HELL ARE YOU? John Mocuta Principal Security Advisor Purveyor of fine cybers Josh Skorich Founder Dolos Group President - John Mocuta Fan Club

3 WHATCHA TALKIN BOUT? Administrators and attackers need to access systems remotely. We re going to discuss 15 technologies for Linux, OS X and Windows that can be leveraged to access systems. How/why they work Network port requirements Privileges Indicator of Compromise / signatures Public PoCs/Tools

4 REMOTE ACCESS TECHNOLOGIES GRAPHICAL Remote Desktop Protocol (RDP) Virtual Network Computing (VNC) Apple Remote Desktop (ARD) Xorg SCCM Remote Control CONSOLE / CODE-EX Telnet Rlogin/Rsh Secure Shell (SSH) Server Message Block (SMB) Windows Remote Management (WinRM) Windows Management Instrumentation (WMI) Scheduled Tasks MMC20 Class ShellBrowserWindow Class ShellWindows Class

5 REMOTE DESKTOP (RDP) Info TL;DR PORTS TCP 3389 AUTH TOOLS SIGNATURES Built-in Windows remote desktop solution Local Admin / Remote Desktop Users Group SeRemoteInteractiveLogonRight Microsoft Remote Desktop, rdesktop, xfreerdp Windows Auth Security Event ID: 528, LogonType: 10 (older versions of Windows) Security - Event ID: 4624, LogonType: 10 Successful Logon Security Event ID: 4624, LogonType: 7 (w/ remote IpAddress) Security - Event ID: 4625, LogonType: 10 Failed Logon Security Event ID: 4778 Session Reconnect TerminalServices-RemoteConnectionManager Log TerminalServices-LocalSessionManager Log EX. COMMAND rdesktop u JimmieBob

6 REMOTE DESKTOP (RDP) Netflow INITIATOR RDP connect / negotiate RDP auth RDP session RDP: 3389/TCP TPKT: 3389/TCP RECEIVER RDP options response RDP auth response Session

7 REMOTE DESKTOP (RDP) Examples Microsoft Remote Desktop Client:

8 REMOTE DESKTOP (RDP) Examples Linux: xfreerdp

9 VNC Info TL;DR Yet Another RDP PORTS TCP 5900+n AUTH TOOLS SIGNATURES None, Only Password, or LDAP vncconnect (xvnc), vncviewer Service specific RealVNC: Mac/Nix syslog Windows Application Specific EventLog EX. COMMAND vncviewer

10 VNC Netflow INITIATOR VNC Connect Security type enum Auth Client events VNC: 5900/TCP RECEIVER VNC protocol negotiation Security options sent Auth response Server response

11 VNC Examples

12 APPLE REMOTE DESKTOP Info TL;DR Rebranded VNC PORTS UDP 3283, TCP 5900 AUTH TOOLS SIGNATURES EX. COMMAND vncviewer Only specified authorized users, or everyone (if selected) Apple Screen Sharing, any VNC tool (if VNC Password enabled) /var/logs/secure.log

13 APPLE REMOTE DESKTOP Netflow INITIATOR ARD Connect Security type enum Auth Client events ARD: 5900/TCP RECEIVER ARD protocol negotiation Security options sent Auth response Server response

14 APPLE REMOTE DESKTOP Examples vncviewer

15 Xorg Info TL;DR The OG RDP PORTS TCP 22 (SSH X11Forwarding), TCP 6000+n AUTH TOOLS SIGNATURES EX. COMMAND Host/IP based auth xspy, xwatchwin, xwd, xvkbd, ssh, MSF, xrdp.py Kinda none? SSH - /var/log/auth /var/log/syslog ssh Y user@ xwatchwin u :0 root

16 Xorg Netflow INITIATOR Xorg Client Connect Xorg Features Client events Xorg: 6000/TCP RECEIVER MIT Magic Cookie Xorg Foundation Banner Server response

17 Xorg Examples

18 SCCM REMOTE CONTROL Info TL;DR PORTS TCP 2701 AUTH TOOLS SIGNATURES EX. COMMAND Microsoft System Center Configuration Manager (SCCM) includes the option to deploy a remote control service on managed clients. Only specified authorized users CmRcViewer.exe, SCCM Console Only Event ID 4672 Special Login, CmRcService.exe accepting remote connections N/A

19 SCCM REMOTE CONTROL Netflow INITIATOR SCCM connect Auth Remote Graphical Control SCCM: 2701/TCP RECEIVER Session setup Auth success/fail Remote Viewer

20 SCCM REMOTE CONTROL Examples

21 TELNET Info TL;DR PORTS TCP 23 AUTH TOOLS SIGNATURES Remote Command Prompt Only specified authorized users Telnet.exe, nc, ncat /var/log/auth EX. COMMAND telnet

22 TELNET Netflow INITIATOR Telnet connect Telnet: 23/TCP RECEIVER Session setup / connect

23 TELNET Examples

24 RLOGIN / RSH Info TL;DR PORT AUTH TOOLS SIGNATURES Slightly different Telnet TCP 512 (rexec), 513 (rlogin), 514 (rsh, rcp) Only specified authorized users,.rhost files rlogin, rsh, remsh, rexec, rcp (if enabled) log files in /var/log EX. COMMAND rlogin l root

25 RLOGIN / RSH Netflow INITIATOR Rlogin connect Rlogin: 513/TCP RECEIVER Session setup / connect

26 RLOGIN / RSH Examples

27 SECURE SHELL (SSH) Info TL;DR PORTS TCP 22 AUTH TOOLS SIGNATURES EX. COMMAND Encrypted Telnet Any user on the system by default, modified by sshd_config ssh, putty.exe /var/log/auth (distro dependent) ssh

28 SECURE SHELL (SSH) Netflow INITIATOR SSH connect SSH algorithm negotiation Key exchange Auth Interactive shell (read/write) SSH: 22/TCP RECEIVER Session setup Algorithm supported response Secure session established Auth success/fail Shell

29 SECURE SHELL (SSH) Examples

30 SMB/Psexec Info TL;DR PORT AUTH TOOLS Remote cmd.exe TCP 445 (SMB), 135 (RPC) Local Administrator Access winexe, psexec, smbexec, etc SIGNATURES Service binaries left behind, Windows Event #5145 EX. COMMAND Win> PsExec.exe \\ u josh p Password1 cmd.exe Nix> winexe --system --uninstall U testlab/josh%password1 // cmd.exe

31 TEAR- DOWN SHELL SETUP SMB/Psexec PsExec Netflow INITIATOR RECEIVER SMB Tree connect: ADMIN$ SMB: 445/TCP Session setup / connect Create Request File: PSEXESVC.exe RPC Bind SVCCTL StartServiceW SMB Create Named Pipes: FSCTL_PIPE_TRANSCEIVE: PSEXESVC RPC: 135/TCP RPC/SVCCTL: <high_port>/tcp SMB: 445/TCP Write: %SystemRoot%\PSEXESVC.exe EndPoint Mapper (SVCCTL Port) PSEXESVC Start PSEXESVC-stdin PSEXESVC-stdout Write Request: IPC$\PSEXESVC-stdin Read Request: IPC$\PSEXESVC-stdout Write Request Read Response SVCCTL ControlService SVCCTL DeleteService RPC/SVCCTL: <high_port>/tcp PSEXESVC Stop PSEXESVC Service Removed

32 SMB/Psexec Examples

33 SMB/Psexec Examples

34 WINRM Info TL;DR PORT AUTH TOOLS SIGNATURES EX. COMMAND SOAP based WMI-like protocol TCP 5985, 5986 (SSL) Only specified authorized users winrm, winrs, PowerShell Invoke-Command, Enter-PSSession, auxiliary/scanner/winrm/winrm_cmd Listed under Windows Remote Management Application Log in Event Viewer winrm get wmicimv2/win32_service r: winrs /r:win-dehib5froc2 /u:josh /p:password1 ipconfig PS> Invoke-Command {Get-Service *} msfconsole -x 'use auxiliary/scanner/winrm/winrm_cmd; set rhosts ; set DOMAIN CORP; set username Administrator; set password Password1; set cmd ipconfig; run'

35 WINRM Netflow INITIATOR WinRM connect POST /wsman HTTP/1.1 WS-Man: 5985/TCP RECEIVER Session setup / connect HTTP/1.1 Response Code

36 WINRM Examples

37 WINRM Examples

38 WINRM Examples

39 WMI Info TL;DR PORT AUTH TOOLS SIGNATURES EX. COMMAND Remote info/management protocol for Windows TCP 135 (RPCPortmapper) + Random high number port (DCOM) Only specified authorized users wmic.exe, wmis.exe, wmic, PowerShell, native.net calls Enable WMI tracing in event viewer to see WMI-Activity wmic.exe /USER:"testlab\josh" /PASSWORD:"Password1" /NODE: service get "startname,pathname PS> Get-WMIObject -ComputerName query "Select * from Win32_Service"

40 SHELL SETUP WMI Netflow INITIATOR RECEIVER RPC Bind RPC: 135/TCP Session setup / connect Authentication Authorization DCOM Request RemoteCreateInstance(DCOM) WMI Query RPC/DCOM: <random_high>/tcp Execution/Response

41 WMI Examples

42 WMI Examples

43 WMI Examples

44 SCHEDULED TASKS Info TL;DR PORT AUTH TOOLS SIGNATURES EX. COMMAND Schedule jobs to run on Windows, but remotely TCP 135 (RPCPortmapper) + TCP (typically) Only specified authorized users Schtasks.exe, at.exe, Scheduleme MSF Post Module Windows Security Event ID 4698 (task creation), MEOW schtasks.exe /Create /S /U testlab\josh /P Password1 /TR "C:\Windows\System32\win32calc.exe" /TN "pwnd" /SC ONCE /ST 20:05

45 SHELL SETUP SCHEDULED TASKS Netflow INITIATOR RECEIVER RPC Bind RPC: 135/TCP Session setup / connect Authentication Authorization DCOM Request Endpoint Mapper(DCOM) Schedule Task RPC/DCOM: <random_high>/tcp Execution/Response

46 SCHEDULED TASKS Examples Client: Server:

47 MMC20 CLASS Info TL;DR PORT AUTH TOOLS SIGNATURES.NET API call on another machine to execute commands TCP 135 (RPCPortmapper) + Random high number port (DCOM) Local Administrators / privileged accounts PowerShell / direct.net calls mmc.exe spawning child process, MEOW EX. COMMAND PS> $com = [activator]::createinstance([type]::gettypefromprogid("mmc20.application"," ")) PS> $com.document.activeview.executeshellcommand("c:\windows\system32\calc. exe",$null,$null,"7")

48 SHELL SETUP MMC20 CLASS Netflow INITIATOR RECEIVER RPC Bind RPC: 135/TCP Session setup / connect Authentication Authorization Remote Class Object Request RemoteGetClassObject(MMC20) RPC/DCOM Bind RPC/DCOM: <random_high>/tcp DCOM Session setup Authentication Authorization DCOM context shift (MMC) Alter_context ExecuteShellCommand Code Execution

49 MMC20 CLASS Examples

50 MMC20 CLASS Examples

51 SHELLBROWSERWINDOW Info TL;DR PORT AUTH TOOLS SIGNATURES EX. COMMAND Yet another.net command execution TCP 135 (RPCPortmapper) + Random high number port (DCOM) Authenticated users PowerShell, direct.net calls MEOW PS> $com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D A0C91F3880'," ") PS> $obj = [System.Activator]::CreateInstance($com) PS> $obj.document.application.shellexecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

52 SHELL SETUP SHELLBROWSERWINDOW Netflow INITIATOR RECEIVER RPC Bind RPC: 135/TCP Session setup / connect Authentication Authorization Remote Class Object Request RemoteGetClassObject RPC/DCOM Bind RPC/DCOM: <random_high>/tcp DCOM Session setup ShellExecute Code Execution

53 SHELLBROWSERWINDOW Examples

54 SHELLBROWSERWINDOW Examples

55 SHELLWINDOWS Info TL;DR PORT AUTH TOOLS SIGNATURES EX. COMMAND Yet another.net command execution TCP 135 (RPCPortmapper) + Random high number port (DCOM) Only specified authorized users PowerShell, direct.net calls MEOW PS> $com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39'," ") PS> $obj = [System.Activator]::CreateInstance($com) PS> $item = $obj.item() PS> $item.document.application.shellexecute("cmd.exe","/c calc.exe","c:\windows\system32",$null,0)

56 SHELL SETUP SHELLWINDOWS Netflow INITIATOR RECEIVER RPC Bind RPC: 135/TCP Session setup / connect Authentication Authorization Remote Class Object Request RemoteGetClassObject RPC/DCOM Bind RPC/DCOM: <random_high>/tcp DCOM Session setup ShellExecute Code Execution

57 SHELLWINDOWS Examples

58 SHELLWINDOWS Examples

59 MEOW Signature

60 INBOUND PORT: / (U) / HIGH RDP X ARD X X VNC X X-Server Forwarding X SCCM Remote Control X Telnet X SSH X Rlogin/Rsh X SMB X X - WMI X X WinRM X Schtasks X X MMC20 X X ShellBrowserWindow X X ShellWindows X X