Thursday, November 18, 2010

Doing penetration testing with a minimal footprint

This presentation from  hack3rcon shows how to perform a penetration test that will leave a minimal footprint, thanks to the Metasploit Meterpreter.

It describes techniques to avoid leaving footprints in:  the Eventlog, the Windows Registry, the Windows Prefetch and  the File System.

Below you can read my notes (almost a copy of the slides)

Operating in the Shadows Carlos Perez a.k.a Darkoperator from Adrian Crenshaw on Vimeo.

 - Runs in memory ( no disk access)
 - Memory scrubbing. Not easy to understand what meterpreter did when analizing a memory image.
 - Windows API access
 - Encrypted traffic (man in the middle, self-generated keys)
 - Can be automated and extended

Why leaving a minimal footprint?
- Test Incident Response
- Tests monitoring systems
- Real world attacks.

- list of targets and goals (business and technical point of views)
   * Interview the client and information gathering
- Enumarate target capabilities
- Physical, SE and network
- Design an initial plan
- Modify your plan as you keep advancing
  * Gather information from the hosts (data and configuration)
  * Modify your plan if something looks out of place

Know your enemy
- First go for the easy targets
  * They will check the processes running, connections, registry keys,
     event logs and they may dump the memory
- Not all companies have an IR team
- In some companies, the system administrators are also doing security.
- We can predict what the defenders are going to do

- Their questions:
  * Process list: Time of creation, Parent PID, owned and command line
  * Connections: Why is a process like 'notepad' connecting to Internet?
  * Why is Internet Explorer connecting to a not standard port?
  * etc.
- They will create a timeline to investigate the incident.

Event log
- Command and capabilities differ among Windows versions
  (they also do not record the same data and they use different formats)
- Event log: binary format  up to windows XP.  XML format to Vista, 7 and 2008
- The IDs also changed with the new formats
- We can read from the registry without leaving footprints.
- We can get the file location, name and configuration out of the registry
- Script 'event_manager' works with the Eventlog from memory: query, clear, etc. It saves the data localy in a csv file.
- Windows 7 and Windows 2008 can send event logs to other servers by using winrm (ssl and self-generated certificates)
- A server can collect remote event logs if the Wecsvc service is running
- Wecsvc can be queried by using wecutil command es  (enum subscriptions)  and gs (enum configurations)
- Most interesting entries: Scheduled tasks, new/change/remove accounts, stop/start service, logon/logoff, failed logon, add/remove user from a group

Windows Registry
- OS settings
- Group policy settings
- Application settins
- Read access is available on most of it
- With the UAC enabled in Windows 7/2008R2, administrators may not be able to modify registry keys
- It can be configured to log access to it and the modifications (not set by default and rarely used)
- ACLs can be placed on registry keys (not set by default and rarely used)
- Metadata only shows Write an Creation Time, but not Access Time
- We need special tools to get the Write time: F-Response, EnCase and Open Source (

Windows Prefetch
- Saves a list of the most commonly executed binaries to speed up the booting process. Enabled by default on client operative systems since XP .
- It shows how many times a file has been executed since it first appeared in the prefetch.
- %windir%\prefetch and can only be deleted by the administrator
- Configuratio saved in the registry
- Anything we do on the computer will create a file there.

User Assist
- Registry key that saves a counter of the programs executed by Explorer.exe
- HCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- Each key name is the name of the executable/shortcut encrypted in ROT-13 (can be easily decrypted)
- Only the commands executed through the GUI

File System
- 2000,XP and 2003 record the last access time by default
- Vista, 7 and 2008 do not do that (performance)
- Cleaning a File MACE will not help since only $STDINFO is modified. The data will remain there.
- Deleted files and directories can be saved in a Volume Shadow (VSS or snapshots) that is enabled by default
- Some folders and file types are excluded from the snapshots and this information can be queried.

How To Operate
- Use Meterpreter commands
- Understand the scripts. Are they uploading/creating files or directories?
- check if prefetch and Volume Shadows are enabled
- Do not forget the User Assist key if the GUI is used

Know your Environment
- check your privileges
- What is running?
- What is being logged by EventLog?
- Is VSS enabled?
- What tools are they using?
- Is last Access Time logged?

Clear the Tracks
- Sometimes is better to clear the security log even if it is a dead gateway
- Delete the files and then wipe with  cipher.exe
- Delete the Volume Shadows after whiping the files
- Delete prefetch entries in client computers

Execution of Commands
- Execute from Explorer
- Use Incognito or Tokens if you are System
- If you are placing tools, stream them under system executables and execute them from there
- Use Railgun instead of executables if possible (no write to disk is done because it is injecting DLLs)

Hide your Connections
- The connections must look 'normal'. Try to behave like a ligitimate user/server would do.
- Use IPv6 when it is available because people is not looking at it.

Where to Take a Dump
- The files in the temporary folders have weird names.
- If not able to delete the VSS, check the file extensions and temporary folders.
- Be carefull what you are writting to disk, because the Antivirus will check the files (vbs,payloads)
- The duplicate and multi_meter_inject scripts can inject a meterpreter payload onto the memory of a running executable.

No comments:

Post a Comment