Multiple Ways to Exploit Windows Systems using Macros

In this article, we will be exploring a total of 6 tools that can craft, encrypt and exploit a Windows Machine using malicious Macros.

Table of Content

  • Introduction
    • What are Macros?
    • Why Macros are Dangerous
  • Exploitation
    • Empire
    • Magic Unicorn
    • Metasploit
    • LuckyStrike
    • Macro_Pack
    • Evil Clipper
  • Mitigations

Introduction

What are Macros?

Whenever you are working with an Excel File or Word File for an instance and you want a certain repetitive task that you wish just got automated without your intervention. This was the issue that was faced by the users of the newly built Microsoft Office. Microsoft came to a solution for this by creating what we know as Macros. Macros are quite essentially just Visual Basic Scripts that can be crafted and shared and it works in the background without any knowledge of the user (if enabled.).

Why Macros are Dangerous?

 Now that you get what macros mean in a nutshell, it is not that difficult to wrap your head around the fact that running scripts in the background that can be crafted and altered and shared are bound to used as a way to exploit machines. What attacker does is that they generate a very harmless looking file in the Microsoft Office. Then they open up the Macros Editor and then craft a script that could generate a session form the target user to the attacker. The basic flow is the same for almost all tools. But the techniques that each tool uses in the background are quite different than another.

Exploitation

Now that we have established what are Macros and understood the risks, let’s see how it can affect the real-life scenarios. We have created a Lab Environment with Kali Linux, Windows 10 and other tools. We are going to exploit a Windows System using 5 different tools.

Empire

To use the Empire on Kali Linux, we need to install Empire Framework on your Attacker Machine. This is a pretty simple process. If you are facing some trouble, then refer to this article. After a successful installation, we will fire up the framework. We checked for the active listeners using the “listeners” command. As we can see that no listeners were running. Now, let’s create one. We created an HTTP Listener. After that, we need to create a stager for that listener that we just created. As our demonstration is based on Macros, we will be using the same for the stager. We will link the listener to the stager and just execute the config. This will create a stager in the “/tmp/macro”.

Moving on to the Target Machine, as we are doing this demonstration in a Lab Environment, it is easier to execute the following steps. We take a Normal Excel File and enter some data into it. Then we click on the “VIEW” Tab. In this tab, we will be selecting the Macros Option.

Clicking on the Macros will open up a small window as depicted in the image given below. Here, we are asked for the name of the Macro. This can be anything you want. After entering the name, click on the Create button to get started.

Here we have a blank module in which we can draft a Macro. We went back to our Kali Machine and copied the code that was generated by the Empire. Then Pasted the contents of that macro file into this blank module as shown in the image given below.

After pasting the code, we choose the Save As option from the menu. It opens up a window. In this window, we name the file and We choose Excel Macro-Enabled Workbook as shown in the image given below.  We click the Save button after filling in the necessary details.

Back in earlier days, this was all that is need to do. But seeing the rise in the Macro related attacks in the normal Office Environment, Microsoft has added some more verification on the User End to stop some attacks. Now we open a new Excel Workbook. We choose the “File” tab. In this tab, we Click the Options Section as shown in the image given below.

Clicking the Options Section will open a small window as shown in the image given below. Now the left-hand side menu of this window, there is a section called Trust Center. We opened it to find some privacy and security related settings. Here, we have a subsection called “Microsoft Excel Trust Center”, we open its settings by clicking the “Trust Center Settings” button

This opens up another window, Here we have a section called Macro Settings. We click on it. It gives us a total of 4 Macro policies each one against a radio button. We have the “Disable all macros with notification” policy selected by default. We change it to “Enable all macros” policy and close the window.

Now we open our Workbook that has the malicious macros injected in it. It opens up without any hindrance or warnings or prompts. We went back to our attacker machine and check the Empire to find that one of our agent is active. We used the agents command to take a look. Here we see that we have an agent. We tried to access the agent using the interact command. This was the procedure that needs to be followed if we want to exploit a target using the combination of Empire and Macros.

Magic Unicorn

It’s time to check another tool that could help us compromise the target using the macros. For this practical, we use the Unicorn Tool. For a more detailed guide on the Unicorn tool, check out this awesome guide. The payload creation in the unicorn is quite simple. We will have to state the payload as we would in crafting payload using MSFvenom. Then, we need to provide the IP Address and the port at which the session would generate and provide the macro keyword as depicted below.

This creates a text file and a “.rc” file with the same name and on the same destination.

We run the command shown by the unicorn to create a listener for our payload.

Now we need the macros enabled in Excel to accomplish this attack. In our lab environment, we enabled the macros in the previous practical when we were trying to exploit the target using Empire. So, After that, we open an Excel file and follow the steps to create a macro. After opening the macros editor module, we paste the data that was inside the text file that was created by Unicorn and then saves the Excel workbook as the Macros Enabled Excel on the Target System.

After saving the Malicious macros enabled Excel, we open the Excel on the Target System. It gives a Compatibility Error as shown in the image given below.

But when we move back to our attacker machine, we see that our payload has generated a meterpreter shell on the Target Machine. We can access this meterpreter session using the sessions command followed by the session id as shown in the image given below.

Metasploit

Let’s move on to a rather basic approach. This approach is quite detectable by almost all the Antivirus tools as the signature of the Metasploit Payload is quite common. Still to understand the basic attack and to perform in a lab environment, we will be using the Metasploit for exploiting our target via Marcos.  

To get started, we need to craft a payload. We will be using MSFvenom for crafting the payload. We used the reverse_http payload for this demonstration. We stated the Local IP Address of the Attacker Machine i.e., Kali Linux. We also need to provide a Local port for the session to get generated on. After generating the payload with the proper configuration for the vba payload, we copy the vba payload content and then move onto to the target machine.

LuckyStrike

Let’s move on to the next tool in our arsenal, Lucky Strike. It uses the “Invoke-Obfuscation” tool to obfuscate the payloads. So we downloaded it as well as LuckyStrike form GitHub.

In order for Invoke Obfuscation to work and get accessed by LuckyStrike, we need to move the Invoke Obfuscation tool to the PowerShell Modules directory as shown in the image given below.

Now that the initial configuration of LuckyStrike is done, we need to move on to the Installation Phase. In Windows 10 by default, there is a policy called Execution Policy which restricts the user to run scripts on the system. We need to alter that policy to run LuckyStrike. After making changes to the Execution Policy, we moved to the LuckyStrike directory. Here, we see that we have an install.ps1 script. We run the script. We are asked a bunch of Confirmations; we state Yes to all. After running the install script, we have the LuckyStrike in the System.

Now, before firing up our LuckyStrike, we need to have a payload that will generate the session. We used a one-line PowerShell script for the same. Save this file with the ps1 extension and then we will move on to obfuscate it using LuckyStrike.

Now that we have our payload, let’s run the LuckyStrike. As soon as we run the LuckyStrike, we have a beautiful banner and the Main Menu. In this menu we have multiple options like Payload, Catalog, File, etc., We choose the Catalog Options by entering the number 2. This gave us a sub-menu titled, “Catalog Options”. Here we have the configurations that can be done on the Payload and Templates. Before moving any further we need to add the payload that we just created in the LuckyStrike Catalog. Do this by entering number 1.

After the Selection of the payload, we were asked for the title for the payload. Then it asks us for the Target IP address and Port. These are optional parameters hence we skipped them by hitting enter. In the description, we state “netcat” for our reference. Next, we need to choose the payload type. Now we need to choose the payload type. As we created a PowerShell Script for the payload, we choose the same. Then LuckyStrike asks us for the path of the payload file. After doing it due diligence LuckyStrike adds the payload in its Catalog.  

Now in order to move ahead, we need to get to the Main Menu. This can be achieved using the number 99. In the Main Menu, we need to select the Payload Options. This can be achieved using number 1. This will give us a submenu of Payload Options. In this menu, we need to select the payload using the number 1. After getting inside the Select the payload option, we are asked for the type of file we want as an output. We choose the Excel File. This will send us the list of added payloads. Here we have the revshell payload that we added earlier. After choosing the payload, we are asked for the type of Infection. This is the method that LuckyStrike will use to Obfuscate. We choose the nonB64 method. You can choose any method of your preference as per your requirement.

Now that the payload is added. Then we get back to the Main Menu to generate the final malicious Excel File. In the Main Menu, we chose the File options by entering number 3. In the File Options menu, we choose the Generate the new file option by entering number 1. This will initiate the process of creating an Excel with malicious payload inside its macro. After creating the payload, LuckyStrike gives us the location of the payload.

We open the given location inside the Windows Explorer to find an Excel file by the name infected. Now we need to share this file with Target and encourage him/her to open the file and enable the macros.

We will do this while on the Kali Machine, we run the listener with the port that we mentioned in the payload during its creation. Now, as soon as the target enables the macros on the Excel File we will have its PowerShell Session as shown in the image given below.

Macro_Pack

The next tool on our list is the Macro_Pack. The working of this tool is quite similar to the working of the LuckyStrike. First, we need a payload in which we generate the session. For this, we will be using the MSFVenom tool. In our Kali Machine, we ran the MSFVenom tool and crafted a payload as shown in the image given below.

After the creation of payload, we will run a python one-liner and host the payload on the local port 80.

After this we will move to our Windows Machine, here we will download the tool and then use the macro_pack to create an Excel File that is embedded with the malicious payload. This can be achieved using the one-liner mentioned below.

We went to the location, where the Macro_packer created the payload and then use some of our social engineering skills to transfer the payload to the Target Victim.

We sent the payload to the Target and then opened the Excel Workbook. To find the Security Warning as shown in the image given below. Before doing any of this make sure that you have the listener running to capture the session generated by the payload. As everything set, as soon as the target user clicks on the Enable Content, we have the meterpreter session of the user.

We set up the listener for the same payload that we used while generation using the MSFVenom tool. We also provide the Local IP Address of our Kali Machine and the port that we mentioned during crafting the payload.

Evil Clipper

If you were a Windows XP user with the old version of Microsoft Office, there is a chance you must have come across the animated clip mascot that was used by Microsoft at that time. This tool is a remembrance to that tool, what would happen if that clipper went Evil and hide the macros details. How? Let’s find out.

As always we need to craft a payload that could give back a reverse HTTPS session. We provide the Local IP Address of the Kali Machine as well as the port that will capture the session generated by the said payload. We generate this payload in the VBA format. After the generation of the payload, we copy the contents of payload on our clipboard and move on to our Windows Machine.

Here, we used the git clone command to clone the Evil Clippy tool to our Windows Machine. For this particular step, we need to install git on Windows. Also, add git to PATH Variable as well.

After cloning the EvilClippy git and look for the files. In these files, we see that we don’t have an executable. We will build an executable using the csc from the Visual Studio C# Compiler. After the building, we see that we have an executable inside the same directory. We try to run the executable as shown in the image given below.   

Next, we open an Excel Workbook. And then create macros as we did earlier in this article. In the image given below, we name our macro “malicious” and click on the create button.

As soon as we click on the create button, we have the Microsoft Visual Basic for Applications to draft the macros. Here we paste the payload code in VBS that we create at the beginning of the practical.

Next, we need to save this malicious macro-enabled Excel in the xlsm format in the same directory as the EvilClippy with all its configuration files. Now we will use the EvilClippt to hide the modules in the malicious macro that could trigger any Antivirus alert or any manual inspection by the user.

After the EvilClippy worked with the malicious  Excel, we went back to open the file to check if the modules were really removed in Excel itself.

As we can observe from the above screenshot that the malicious macros cannot be found anywhere in the Macro Editor of the Excel File. This doesn’t mean that the macro is deleted from the file. All EvilClippy did was hide the macro inside the Excel File and when the macro gets executed and we have a listener created that have the same configurations as the payload. We can gain a meterpreter session as shown in the image given below.

Ok! Enough exploitation. We get it is a very serious threat to any organization. Let’s talk about how we can mitigate it?

Mitigations

  • Microsoft Office Macros should be disabled in the organization.
  • Enable the Feature to block the macros in the documents that originate from the internet. [Office 2016, Office 365]
  • If the usage of macros is unavoidable, only enable the users or groups that absolutely need to use the capabilities of the macro.
  • Allowing only signed macros can also reduce the number of attacks that could be successful.
  • Use the Trusted Locations feature of the Microsoft Office Trust Centre. This means only the settings configured at the Trusted Location will be in action regardless of the local configurations.

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn

Threat Hunting – A proactive Method to Identify Hidden Threat

According to ISO 27005, a threat is defined as a potential cause of an incident that may cause harm to systems and organization. Software attacks, theft of intellectual property, identity theft, sabotage, and information extortion are examples of information security threats. As a result, most of the organization chose active threat hunting practice to defend their organization from the network’s unknown threat.

Table of Content

What is Threat Hunting?

Why threat hunting is important?

Who is threat hunter?

What Are the IOCs?

Threat Hunting Plan

  • Design Your Network for Hunting
  • Get your Team Ready
  • Know your Enterprise
  • Collect Hunt Data
  • Know Your Adversary TTP
  • Threat Intelligence Feeds
  • Create a Hypothesis
  • Hunt Cycle
  • Measuring Success
  • Resources

What is threat hunting?

Threat hunting is a proactive offense approach that security professionals use with the aid of Intel Threat. It consists of iteratively scanning through networks to detect compromise indicators (IoCs) and threats such as Advanced Persistent Threats (APTs) which bypass your existing security framework.

Analysts monitor, detect and delete active opponents in a network. They do this as early as possible in order to minimize damage and to reduce the time needed to identify a suspected threat.

Threat hunting tools and techniques are used by researchers to monitor and detect hidden activities. An example of a threat hunting Framework is, implemented N-SOC as part of a next-generation SIEM framework.

The SANS Institute authors expand on the cyber threat hunting process, calling it an active defense strategy consisting of:

Intelligence: The process of collecting data, turning the data into usable information, analyzing the potentially competing sources of that information to produce a tactical defense strategy.

Offense: The countermeasures organizations may take to defend against cyberattacks, in particular Advanced Persistent Threats (APT).

Why threat hunting is Important?

Threat hunting’s main purpose is to reduce the time needed to find signs of threats who have already breached the IT infrastructure. Since zero-day and Advanced Persistent Threats (APT) continue to challenge security staff, researchers are implementing threat analysis tools and approach to discover threats more efficiently. Through discovering these imprints as soon as possible, the risk of breaches can be reduced on the enterprise.

Other benefits of threat hunting include:

  • Identification of gaps in visibility necessary to detect and respond to a specific attacker TTP.
  • Classification of gaps in finding.
  • Advancement of new monitoring use cases and detection analytics.
  • Exposing new threats and TTPs that response to the threat intelligence process.
  • Recommendations for new preventive measures.

Who is threat hunter?

A threat hunter is a security professional who is skilled to recognize, isolate and defuse APTs by using manual or AI-based techniques because such threats can not be detected by network monitoring tools. He may hunt for insider provocations or outside intruders to uncover risks posed by malicious actor typically employees, or outsiders, including a criminal organization.

Threat hunting activity is mainly related to the NSOC, which represents the Next-Generation Security Operations Center because the threat hunter reports to the threat hunting team manager for hidden threats, who reports to the Chief Information Security Officer (CISO) and is further reported to the SOC manager for integration with the Security Operations Center (SOC) 

What Are the IOCs?

Threat Intelligence feeds can aid in this phase by defining specific vulnerability identifying common indicators of Compromise (IOCs) and suggesting measures necessary to prevent threat or breach.

Some of the most common indicators of compromise include:

  • A case would be when the intrusion that attacks an organizational host that established a connection with attackers such as IP addresses, URLs and Domain names
  • An example will be a phishing campaign based on an unwilling user clicking on a connection or attachment and a harmful instruction being activated such as Email addresses, email subject, links and attachments.
  • An instance would be an attempt by an external host that has already been detected for malicious behaviours such as Registry keys, filenames and file hashes and DLLs.

Threat Hunting Plan

The cyber threat hunting team should be answerable to these questions before planning for the operation.

  1. What is it that you hunt? You have to select exactly which adversaries you’re chasing for.
    • Exploitation?
    • Lateral movement?
    • Exfiltration?
  2. Where are you going to find the opponent/adversaries/IOC?
  3. How would you consider an opponent/adversaries/IOC?
  4. When will you find it?

The Chief Information Security Officer (CISO) should prepare a complete checklist that would be required for effective threat hunting before beginning the threat hunting operation within the company. This helps the team define the resources and tools used in the project and create a parallel strategy as the backup plan if the primary process fails.

1. Design Your Network for Hunting

It is important to consider that the proactive threat hunting should be conduct in a well secure environment where Chief information Security Office arrange all network essential equipment required in the activity, such as given below.

  • Segmentation : Security Zones
  • NTP : Network Time Protocol
  • Protection/Detection : FW/IDS/IPS/DLP/Proxy
  • Tapping : Dump PCAP Data
  • Visibility : Enable Logging as required

2. Get your Team Ready

The officer should build a team of professionals that are spontaneous in doing their job as per the situation requirements and know the situational awareness.

The skill of a threat hunter:

Proactively hunts for known adversaries—He is capable to identify the pattern of malicious code used by famous attackers that match to threat intel feeds or blacklist of known program.

Prevent the attack by identifying unknown threats— Threat hunters evaluate the computer system by means of constant surveillance. They choose behavioural analysis to identify abnormalities that indicate a threat.

Implements the incident response proposal—Hunters collect as much information as possible when they identify a threat before conducting an incident response strategy to nullify it. This could be used to refine the response plan and prevent future attacks.

3. Know your Enterprise

Group members should be mindful of the organization’s jewel crown by knowing the valuable assets and recognizing threat carriers that might affect the company. They should be able to calculate the effect of risk by prioritizing the unknown threat within the network.

Hence, they should be able to classify the following checklist for their organization:

  • Identify Assets
  • Know Threats to Your Assets
  • Prioritize ( High Value / Critical Assets First )
  • Baselining – Know what is normal ?

4. Know Your Adversary TTP

The Threat Hunters team aims to evaluate Tactics, Techniques, and Procedures (TTPs) that are learned from the indicators with the help of a process known as “Attack Tree Analysis” that includes defining certain measures an attacker can take to break the networks of an organization (Schneier, 1999). “The Lockheed Martin Cyber Kill Chain,” which describes one way of determining where an adversary’s actions occurred in the attack chain. Intruders also follow these steps on the Cyber Kill Chain while striving to get into a network or web server.

A cyber kill chain is a ‘Lockheed Martin’ model that uncovers the phases of a cyber-attack from early reconnaissance to the objective of data exfiltration: Flow Data NetFlow PCAP DNS Proxy Logs FW/SW/Routers.

5. Collect Hunt Data

When conducting the threat hunting task, the collection of hunting data is a very valuable phase in which one must collect the malicious data from the logs created in the network by monitoring the security equipment installed in the network in order to filter packets. Indeed, this phase is the big contribution in providing threat Intel feeds.

Through analyzing logs at each grade, the specialist may recognize the unknown threat carriers that would be active over a long period of time in the network and may constitute a threat of zero-day.

6. Threat Intelligence Feeds

 CTI is focused on data collection and analysis to identify potential or current threats to an IT infrastructure. This helps organizations to proactively defend critical infrastructure or intellectual property of an entity from cyber-attacks by using open-source intelligence (OSINT), social media intelligence (SOCMINT), human intelligence (HUMINT), deep and dark web technological intelligence or intelligence Security teams look for Indicators of Compromise (IoCs) for persistent threats and zero-day (recently discovered) exploits.

The cyber threat intel Feeds can be categorized in two broad categories:

Free Available: Open Source, OSINT, Social Listing

Paid: Private, Government, commercial vender

The intelligence feeds are continual streams of credible information about existing or potential threats and bad actors. The researchers are collecting security data from several sources on IoCs such as abnormal behaviour and suspicious domains and IP addresses. They can then correlate the information and process it to generate reports of threat intelligence and management.

7. Create a Hypothesis

8. Hunting cycle

The team should follow a common framework at the time of threat hunting which defines the threat hunting cycle process. It is a closed-loop that forms a model process for effective hunting which defines four vital stages.

Hypothesis: – Cyber threat hunting is started by making informative beliefs, about the different types of adversarial effects or behaviours that exist in your business network.

Investigate via tools & technique: – Hypotheses are examined via multiple tools and techniques in Identifying the relationship between different data sets. An analyst can use these to discover new malicious patterns in their data and reconstruct complex attack paths to reveal an attacker’s Tactics, Techniques, and Procedures (TTPs).

Uncover new pattern & TTP: – A hunter often uses manual methods, tool-based workflows or analytics to discover the specific patterns or anomalies that may be detected in an investigation. What you will find in this phase is a critical part of a hunt’s success criteria. Even if an anomaly or intruder is not detected, you want to be able to rule out the existence of a particular strategy or compromise. Essentially, this step acts as the step of “proving or disproving the hypothesis.”

Inform Enrich & Analytic: – Lastly, effective hunts form the basis for guiding and empowering predictive analytics. Do not waste time doing the same hunts over and over with your squad. If you discover an indicator or pattern that may reoccur in your system, automate its monitoring to keep your team focused on the next new hunt. Hunting information can be used to upgrade existing monitoring systems, which could include modifying SIEM rules or signatures for analysis.

9. Measuring Success

Once the hunting operation cycle has been completed, it is important to evaluate the finding and the assign task KRA to measure the success matrix.

  • Number of Incidents by severity
  • Number of Compromised Hosts
  • Dwell Time of Incidents Discovered.
  • Logging Gaps Identified and Corrected
  • Vulnerabilities Identified
  • Insecure Practices Identified and Corrected
  • Hunts Transitioned to Analytics
  • New Visibilities Gained

Resources:

TaHiTI-Threat-Hunting-Methodology-whitepaper.pdf

D2 BSIDES – Hunting Threats in Your Enterprise

Sqrrl: A Framework for Cyber Threat Hunting

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

Evil SSDP: Spoofing the SSDP and UPnP Devices

TL; DR

Spoof SSDP replies and creates fake UPnP devices to phish for credentials and NetNTLM challenge/response.

Disclaimer

Table of Content

  • Introduction
    • What is SSDP?
    • What are UPnP devices?
  • Installation
  • Spoofing Scanner SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Office365 SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Password Vault SSDP
    • Template Configuration
    • Manipulating User
    • Grabbing the Credentials
  • Spoofing Microsoft Azure SSDP
    • Template Configuration
    • Manipulating User
  • Mitigation

Introduction

What is SSDP?

SSDP or Simple Service Discovery Protocol is a network protocol designed for advertisement and discovery of network services. It can work without any DHCP or DNS Configuration. It was designed to be used in residential or small office environments. It uses UDP as the underlying transport protocol on port 1900. It uses the HTTP method NOTIFY to announce the establishment or withdrawal of services to a multicast group. It is the basis of the discovery protocol UPnP.

What are UPnP devices?

UPnP or Universal Plug and Play is a set of networking protocols that allows networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points, and mobile devices to discover each other’s availability on the network and establish network services for communications, data sharing, and entertainment. The UPnP architecture supports zero-configuration networking. A UPnP compatible device from any vendor can dynamically join a network, obtain an IP address, announce its name, advertise or convey its capabilities upon request, and learn about the presence and capabilities of other devices.

Now that we understood the basic functions of SSDP or UPnP, let’s use it to manipulate the target user in order to steal their credentials.

Installation

The Evil SSDP too was developed by initstring. This tool is hosted on the GitHub. We will be using the git clone command to clone all the contents of the git onto our attacker machine. The git clone command will create a directory with the same name as on GitHub. Since the tool is developed in Python version 3, we will have to use the python3 followed by the name of the .py file in order to run the program. Here we can see a basic help screen of the tool.

In the cloned directory, we will find a directory named templates. It contains all the pre complied templates that can be used to phish the target user.

Spoofing Scanner SSDP

Now, that we ran the tool without any issues, let’s use it to gain some sweet credentials. In this first Practical, we will be spoofing a Scanner as a reliable UPnP device. To begin, we will have to configure the template.

Template Configuration

To use the tool, we will have to provide the network interface. Here, on our attacker machine, we have the “eth0” as our interface, you can find your interface using the “ifconfig” command.

After providing the interface, we will use the “–template” parameter to pass a template that we found earlier in the templates directory. To spoof a scanner, we will be running the following command. As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888. We also have the SMB pointer hosted as well.

Manipulating User

The next logical step is to manipulate the user to click on the application. Being on the same network as the target will show our fake scanner on its explorer. This is where the UPnP is in works. The Evil SSDP tool creates this genuine-looking scanner on the system on the target without any kind of forced interaction with the target.

Upon clicking the icon inside the Explorer, we will be redirected to the default Web Browser, opening our hosted link. The templates that we used are in play here. The user is now aware he/she is indeed connected to a genuine scanner or a fake UPnP device that we generated. Unaware target having no clue enters the valid credentials on this template as shown in the image given below.

Grabbing the Credentials

As soon as the target user enters the credentials, we check our terminal on the attacker machine to find that we have the credentials entered by the user. As there is no conversation required for each target device, our fake scanner is visible to each and every user in the network. This means the scope of this kind of attack is limitless.

Spoofing Office365 SSDP

In the previous practical, we spoofed the scanner to the target user. Now, ongoing through the template directory, we found the Office365 template. Let’s use it.

Template Configuration

As we did previously, let’s begin with the configuration of the template as well as the tool. We are going to use the python3 to run the tool followed by the name of the python file. Then providing the network interface which indeed will be followed by the template parameter with the office365.

As we can see that the tool has done its job and hosted multiple template files on our attacker machine at port 8888.

Manipulating User

As soon as we run the tool, we have a UPnP device named Office365 Backups. This was done by the tool without having to send any file, payload or any other type of interaction to the target user. All that’s left is the user to click on the icon.

Upon being clicked by the user, the target user is redirected to our fake template page through their default browser. This is a very genuine looking Microsoft webpage. The clueless user enters their valid credentials onto this page.

Grabbing the Credentials

As soon as the user enters the credentials and they get passed as the post request to the server, which is our target machine, we see that on our terminal, we have the credentials.

Diverting User to a Password Vault SSDP

Until now, we successfully spoofed the target user to gain some scanner credentials and some Office365 backup credentials. But now we go for the most important thing that is used as a UPnP, The Password Vault.

Template Configuration

As we did in our previous practices, we will have to set up the template for the password-vault. In no time, the tool hosts the password-vault template onto the port 8888.

Manipulating User

Moving onto the target machine, we see that the Password Vault UPnP is visible in the Explorer. Now lies that the user clicks on the device and gets trapped into our attack. Seeing something like Password Vault, the user will be tempted to click on the icon.

As the clueless user thinks that he/she has achieved far most important stuff with the fake keys and passwords. This works as a distraction for the user, as this will lead the user to try this exhaustive list of credentials with no success.

Spoofing Microsoft Azure SSDP

While working with Spoofing, one of the most important tasks is to not let the target user know that he/she has been a victim of Spoofing.  This can be achieved by redirecting the user after we grab the credentials or cookies or anything that the attacker wanted to acquire. The evil_ssdp tool has a parameter (-u) which redirects the targeted user to any URL of the attacker’s choice. Let’s take a look at the working of this parameter in action.

To start, we will use the python3 for loading the tool. Followed by we mention the Network Interface that should be used. Now for this practical, we will be using the Microsoft Azure Storage Template. After selecting the template, we put the (-u) parameter and then mention any URL where we want to redirect the user. Here we are using the Microsoft official Link. But this can be any malicious site.

Manipulating User

Now that we have started the tool, it will create a UPnP device on the Target Machine as shown in the image given below. For the attack to be successful, the target needs to click on the device.

After clicking the icon, we see that the user is redirected to the Microsoft Official Page. This can be whatever the attacker wants it to be.

This concludes our practical of this awesome spoofing tool.

Mitigation

  • Disable UPnP devices.
  • Educate Users to prevent phishing attacks
  • Monitor the network for the password travel in cleartext.

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here

Windows Persistence using Application Shimming

In this article, we are going to describe the persistence of the Application Shimming and how vital it is in Windows Penetration Testing.

TL; DR

Application Shimming is a technique used on Windows OS that can be used to make the applications developed for the earlier versions of Windows OS still work on the latest version of Windows

Table of Content

  • Introduction
    • What is Application Shimming?
    • How does Application Shimming work?
  • Configurations used in Practical
  • Persistence using Application Shimming
    • Malicious DLL Creation
    • Injecting Malicious DLL
    • Installing Infected Executable
    • Gaining Persistent Shell
  • Detection
  • Mitigation
  • Conclusion

Introduction

What is Application Shimming?

Ever since the early stages of Microsoft Windows, there have been some fundamental features that have been part of the Windows basic Functionalities. One of them is their “Backward Compatibility”. What it means is that if your Software was developed earlier like at the time of Windows XP. But now we have Windows 10 and you are worried that if the Windows will able to run that piece of software as it has updated. Here, the Backward Compatibility comes into play. It gives us the ability to run the software on the Windows OS that was not developed on that particular OS.

The “Shim Infrastructure” or how they like to call it at the big house “Microsoft Windows Application Compatibility Infrastructure” helped its user get that backward compatibility. Now the thing to keep in mind is that during all those years of development, Windows kept its basic Architecture the same. They developed around the same framework that they started to work in the early nineties. This means that there are still some bits of code in the Windows 10 that has been there since the times of Windows 95.

How does Application Shimming Work?

The Shim Infrastructure applies a method of Application Programming Interface (API) hooking. Explicitly, it forces the nature of linking to redirect API calls from Windows itself to alternative code – the shim itself. The Windows Portable Executable (PE) and Common Object Format (COFF) Specification includes several headers, and the data directories in this header provide a layer of indirection between the application and the linked file. Calls to external binary files take place through the Import Address Table (IAT). Consequently, a call into Windows looks like the image shown below to the system.

We can modify the address of the Windows function fixed in the import table, and then replace it with a pointer to a function into the alternate shim code, as shown in the image given below.

This indirection happens statically linked .dll files when the application is loaded. You can also shim dynamically linked .dll files by hooking it with an API.

Configurations used in Practical

Attacker:

OS: Kali Linux 2019.4

Tools: MSFVenom, Metasploit Framework

Target:

OS: Windows 10 (Build 1909)

Tools: Windows Assessment and Deployment Kit (Windows ADK), PuTTY.exe

You can download the Tools by clicking on Their Name.

Persistence using Application Shimming

Application Shimming can perform many functions but we will be focusing on gaining a persistence shell on the Target System for now. This practical was tested in a lab-controlled environment where we have the configurations set for minimum interference. The actual real-life scenario can differ.

Malicious DLL Creation

To begin the exploitation, we decided to create a payload using the MSFVenom tool. We used the reverse_tcp payload with the target to be Windows System and gaining a shell. We defined the LHOST for the IP Address for the Attacker Machine followed by the subsequent LPORT on which we will be receiving the session from the target machine. We created this payload in the form of a Dynamic Link Library or DLL and named it inject.dll

As discussed in the Configurations used section we need the Windows Assessment and Deployment Kit. After downloading and installing it, we have service inside it. Its called Compatibility Administrator. We are going to need it to proceed further.

Now in our Attacker Machine, we transferred the recently created DLL to the Target Machine. We use the python one-liner for it. There are lots of ways this can be done. We start a Multi/Handler on the Attacker Machine with the proper configuration to receive the session that will be generated soon.

Injecting Malicious DLL

Now we will divert our attention to the Target Machine. After browsing the IP Address of the Attacker Machine and downloading the Malicious DLL file, we open the Compatibility Administrator as shown in the image given below. Here we are using the 32-bit version as it is easier to bind the DLL to it. We also created a new custom Database.

Now we begin the process of binding the safe and original Executable without malicious DLL file. We right-clicked on our newly created Database and choose the First option in the Dropdown Menu called Create New. This leads to opening a sub-drop-down menu. We choose the Application Fix option as shown in the image given below. We can also use the Shortcut by pressing the Ctrl key and P key simultaneously.

As soon as we click on that Application Fix option, we have ourselves a Config Window Titled “Create New Application Fix”. We enter the name of the Program to be fixed as “putty”. And we provide the path of the executable to the program we want to inject our malicious DLL into. In this case, we provide the path of the PuTTY.exe and hit Next.

Now we are asked the compatibility modes. This would have been important if we were fixing a genuine executable. Or using the Shimming for genuine purposes. As we are not doing any of that, we will skip this step and straight-up hit the “Next” button and move on.

Now we are at an important step. We are asked the compatibility fix that we want to apply to the executable. We choose the “InjectDll” option from the list as shown in the image given below. After checking the box we hit the “Parameters” button to provide the path of out malicious DLL that we created at the start of the exploitation.

This opens up a new small window asking the Command-Line. Here we provide the path of our malicious DLL and click OK button.

Back to out config window, we click the Next Button and now we have the Matching Information panel in front of us. We click on “Unselect All” Button as we don’t want to add any more additional configurations to out payload. At last, we hit the Finish Button.

This closes the config window. We are back to our Compatibility Administrator window. We click the Save button as shown in the image below to inject our DLL in the PuTTY executable.

We are asked to name the database, we name it puttyshim. This can be whatever you want. In real life attacking situations choose the name that is less conspicuous.

After naming the database we are asked the location, where we want to save the AppCompat Database or the .sdb file of the complete configuration.

Installing Infected Executable

Now that this is done, we will now install the now infected Executable on the Target Machine. This can be done by right-clicking on the name of the database and choosing the Install option from the drop-down button.

This initiates an installation process that will installed our infected executable as a service. We can see that in the Programs and Features section inside the Control Panel as shown in the image below. If we had added the Publisher or Vendor Information at the earlier stage it would have appeared here.

 

Gaining Persistent Shell

Now when we execute the service that we just shimmed and installed. As soon as we have the program executed on the target machine, we will receive a shell on our attacker machine as shown in the image below. We can add the infected service in the startup service list to receive the shell every time the Target system reboots.

This concluded the exploitation. Now let’s talk defense mechanisms.

Detection

There are many tools available that can detect the applications that have been shimmed.

  • Shim-File-Scanner: Scans Files/Folders for non-default shims and checks registry for installed shims
  • Shim-Process-Scanner: Will search all process for shim flags and also check for the Shim App Helper

Other than that the process of shimming creates a bloody trail that leads right to the smoking gun aka the shimmed application. Shimming creates a trial inside the Registry at the following locations.

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

Apart from the registry, we have some locations on the Drives where we can find evidence for the Application Shimming.

  • C:\Windows\AppPatch\Custom\
  • C:\Windows\AppPatch\Custom\Custom64\

We can also create custom Yara Rules and snort rules that could detect Application Shimming.

Mitigation

As always, the first line of defense against any kind of attack is keeping our infrastructure and devices updated. Microsoft released this patch for restricting the Shim Application to bypass the UAC.

Some tools like the one in the Detection section can be used for mitigating the Applications Shimming.

Shim-Guard: Detects and alert on newly installed shims

We can also implement strict UAC policies to notify when a user is getting elevated privileges.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different environments where the large scale compromise was done using the Applications Shimming.

Stay Tuned!

MITRE|ATT&CK

Black Hat USA

FireEye

Author: Kavish Tyagi is a Cybersecurity enthusiast and Researcher in the field of WebApp Penetration testing. Contact here