Exercise 6

This is the report for the sixth series of exercises for my penetration testing course, taught by Tero Karvinen
http://terokarvinen.com/2018/penetration-testing-course-autumn-2018
The sixth assignment consists of six parts, as follows:

h6

1) Find a recent (less than 1-2 years old) article on Google Scholar that relates to the course topic. Suitable ones are peer-reviewed journal articles or conference papers (which are of a slightly lower standing than journal articles). Remember to adjust the settings: English. Library links: Haaga-Helia. No citations, no patents. Since 2017. Full texts (full text PDF) are on the right-hand side. What practical thing applicable to pentesting did you learn from the article?

2) Do a Google Scholar search on an interesting topic that you want to follow. What do the 5 most recent or most cited articles say? You can skim the articles; you don't need to summarize them comprehensively. Subscribe to the search by email (alerts). This way you stay up to date with new scientific research in your field, and perhaps you will already have a grasp of the area when you start your thesis.

3) Package a trojan horse yourself. You can build the installer with, for example, Inno Setup. You can also try packing a hostile program and a normal program into the same installer, so that you don't have to modify the normal program's binary. Name the programs so that the malicious purpose is evident: MALWARE-installer.exe. Do not make self-spreading programs.

4) OSINT. Where and with what techniques can you look up information about people from open sources? You can also try applications, e.g. maltego (closed) or recon-ng (free), as well as websites (e.g. inteltechniques.com) and guides (e.g. email). You can also make use of offline sources. (This item covers techniques, tools and websites; do not put your partner's information here)

5) Search for information about your partner from open sources. Try to compile a comprehensive profile of the person: history, interests, political opinions, close circle, financial situation, place of residence… Do not publish the results, not even anonymized, not even behind a password, and do not tell outsiders amusing anecdotes about them. Give the results to your partner (the one the information is about). Ask your partner in advance which information we can discuss in class and at what level of detail. Use only legal techniques and public sources. In this assignment you may not break into anything or impersonate another person. Be worthy of the trust of the client (your partner); your pentest clients also require confidentiality.

6) Optional: Code your own trojan horse. It can, for example, exfiltrate confidential files (browser passwords, secret keys), record the keyboard (will probably trigger antivirus/IDS) or secretly install more programs.

1)

Before I started the search, I set the preliminary options for this assignment. From the settings tab I set the languages to English, unchecked the include patents box and added Haaga-Helia to the library links. On each search I specified that the search results should be from 2017 or newer.

I spent quite a while looking for an interesting article. First I thought about reading on ethical hacking, but the papers that I reviewed contained pretty much the same material we have already discussed in class. I started a search on malware and stumbled upon a review on BadUSB.

In my opinion, the text could have been more precise and technical, but in a general sense it gives an idea of the topic.

I already knew about infected USB flash drives and made one myself during this course, but in my case antivirus programs blocked it, and so did Windows 10 natively. This method of infecting general-purpose USB devices, such as keyboards and mice, at the firmware level is truly interesting, and I’m quite surprised that operating systems and therefore also antivirus software lack the capability of detecting devices infected in this manner.

This of course offers a new attack vector option when conducting penetration testing. People and companies are aware to some extent of the danger of handling unknown USB flash drives and are discouraged or banned from using them in their computers. What if the malicious payload was carried by something as everyday as a keyboard or a mouse? These also have to be found by the would-be victim, who then has to be led to use them; I would imagine that the ideal way of doing this is vanity. Infect a cooler-looking or technically better device than those usually in use, leave it lying around in the target area or a place where you know the target would find it, and then just wait. The logic in this is that most people are not honest, not completely. We tend to always want something better than we already have, and usually in lost & found cases, if we see benefit for ourselves in what we have found, we tend to keep it or just “borrow it” until the owner comes looking for it. The weak point in this kind of approach is that the person might see more benefit to himself in displaying honesty and returning the found device.

In an office environment this could be an ideal way of spreading an infected device, since in most cases the peripherals are ordered in bulk and everyone has the same set of them. There is always someone with the need to stand out in a crowd or express their individuality. This gives an opening for a possible exploit, since these kinds of people should be the primary target, as they are more likely to use the cool-looking or better device that is just lying around with no owner in sight.

This only has to work once to work. Like our teacher says, “once you are penetrated, you are fucked”.

In class we have already discussed how to prevent the use of USB devices. One way is to manually prevent the USB ports from working; this is usually done from BIOS/UEFI. The other, more permanent solution is gluing the ports shut. This way it’s not possible to insert a USB device into the computer.

What I have learned from this article is that every USB device should be treated like USB storage media. If you don’t know the origin, don’t use it.

2)

Let’s be honest, I love modding and tweaking computers. I like having the freedom to change the construction of computer hardware and software to better suit my needs, or just for the fun of it. A while ago a friend mentioned Coreboot (https://www.coreboot.org/) to me, an open source firmware to replace the proprietary BIOS/UEFI in computers. I have used Linux for some time now, so I found this really intriguing and worth taking a look at. It has only one function: to initialize the computer’s bare hardware and pass the boot sequence forward. The last phase is actually running a payload, but “boot sequence” gives a more general idea of the process. As the payload, you can add a bootloader like GRUB, or install an open source BIOS like SeaBIOS to give access to and control of the computer’s hardware.

The only problem is that this is a technical challenge for me, since I have never reprogrammed BIOS chips at the physical level before. So this is something I would consider a hard project.

So why would I want to do this? For the freedom to control my own device. Since the project is open source, the source code is also public, which means that with proper technical understanding one would be able to interpret the code, unlike today’s commercial BIOS/UEFI firmware, which is closed source.

This solution is also secure, since after the firmware has initialized the bare hardware, it stops running. If you are a security freak, this could be important to you.  Especially since there seems to be a UEFI rootkit found in the wild (https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf).

Last but not least, the boot sequence is fast. Much faster than current BIOS/UEFI platforms.

I have been planning on implementing this solution on one of my computers, but first I need to study it a bit more so I don’t cause permanent physical damage to my computer.

I don’t know if I should be surprised that Google Scholar doesn’t offer that much free (or in Haaga-Helia’s range) info on this subject from the year 2018. OK, let’s admit that this is a specific subject, but as I understood, some computer companies (like Google and Intel) have begun to add compatibility for this firmware in their systems. So I had to enlarge the search timeline a bit.

The papers that I did find range from the years 2015 to 2018. The technical level of these papers is beyond me in some cases, so I will try to make sense of them in some respect.
Here is a short explanation of their general content, as I understood it.

Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms (2018).
By Marcus Botacin, Paulo Lício de Geus and André Grégio

The paper discusses recent research on how malware developers have been using a wide range of anti-analysis and evasion techniques, in-memory attacks and system subversion; the targets also include the BIOS and the hypervisor. The paper surveys the techniques for detecting such an attack and attempting to mitigate it. The paper is quite extensive, so I focused on the part relating to Coreboot. Coreboot is referred to in connection with System Management Mode (SMM); it seems that SMM presents a threat since it can communicate directly with the CPU and access the memory. The SMM is initialized by the BIOS, so their recommendation is to replace the BIOS with Coreboot to prevent this.

Towards Transparent Debugging (2015)
By Fengwei Zhang, Kevin Leach, Angelos Stavrou, and Haining Wang

The study focuses on analysing malware in a debugging framework called MALT. The problem with analysing modern malware in virtual environments is that it tends to be aware of the environment it is in and thus doesn’t work the same way it would in a non-virtual environment. MALT offers a secure way of testing the malware without using virtualization. In this study, they use Coreboot for the bare hardware initialization and then run a SeaBIOS payload that MALT uses.

Professionalizing hardware-based memory acquisition for incident response scenarios (2017)
By N. van Heijningen

The paper discusses forensic investigation on VRAM. The information that volatile memory contains can sometimes be crucial in an investigation, but sometimes the acquisition methods have to be quite innovative. In this study, they combine a cold boot attack with Coreboot to retrieve information from the system RAM. The method is to use a Coreboot payload called RAM-dumper, so that right after the RAM has been initialized they can utilize a trick called Cache as RAM (as I understood, this is using the processor cache as RAM) so they can extract every byte of data that would be located in RAM. The study uses Coreboot since it’s open source and add-ons such as the previously mentioned one can be programmed and added.

Hashing Hardware: Identifying Hardware During Boot-Time System Verification (2017)
By Berj Krikor Chilingirian

This one is actually a bit of a surprising paper. The study centers on their technique for measuring computer hardware components. The idea is that modern system measurements load software to ensure that the machine is in a trusted state, but this leaves the possibility of a DRAM-based attack open since the hardware is not properly measured at boot. The study uses Coreboot on the motherboard, which enables them to measure the DRAM at system boot.

Scotch: Combining Software Guard Extensions and System Management Mode to Monitor Cloud Resource Usage (2017)
By Kevin Leach, Fengwei Zhang, and Westley Weimer

The study discusses the possible threats to cloud-based services concerning the system hardware and also the hypervisor used. The approach is quite similar to that in the Who watches the watchmen study, and it also mentions Coreboot to prevent the same kind of attacks against the SMM. Coreboot is only discussed in relation to this particular weakness.

All in all I’m pleased with the material I found; the methods and goals they discuss relating to Coreboot are new to me. I’m certain that the knowledge from these studies might come in handy some day, when I have gotten over the initial terror of the actual successful Coreboot installation.

I set an alert on this subject, so new information regarding it can be sent to my email.

3)

For this exercise I will be using two computers, with two operating systems.

Target/victim computer =
Lenovo T470P
i7 7700k processor
16gb DDR4
512gb m.2 SATA SSD
Windows 10 pro

Attacker / inno setup =
Asus x99m-we motherboard
i7 5820k processor
16gb DDR4
250gb m.2 ssd x2 (one for each operating system)
Kali linux 2018.3a  / Windows 10

In the last class I assembled a VLC media player installation that had the application .exe file (the one that starts the player after the install) infected with a Windows reverse TCP meterpreter. The only problem was that even after it had been encoded a few times, Windows Defender detected the application. This is not that practical if the idea is to stay hidden. In this assignment I will try to come up with a more elegant solution.

I will be using three different programs for this attack =
Metasploit (Kali linux)
Unicorn (https://github.com/trustedsec/unicorn) (Kali linux)
Inno setup (windows 10)

The idea is to repackage the VLC installation with the attack payload included. I use VLC installation because it needs administrator rights for the installation. Basically any software installation will do, as long as it needs the same rights as above.

I’ll start by using Kali Linux, downloading Unicorn and creating a Windows meterpreter reverse HTTPS attack payload. This attack is called a PowerShell attack, since the payload contains a PowerShell command that opens the meterpreter connection. Why reverse HTTPS? Well, port 443 is usually allowed on computers, so that is a safe bet when attempting this.

The creation didn’t take that long, about ten seconds. The result was two files: the PowerShell command in .txt format and a unicorn.rc, which I can use when launching msfconsole to start the listener straight away. You can always configure the listener yourself, but this is a bit quicker method.

Here is the actual PowerShell code that will be issued on the target computer. This has to be done in a console, so the actual attack payload will be a .bat file.

Before I can actually start the repackaging, I need to test the payload. Firstly that it actually works, secondly if it’s detectable by windows 10 or AV software.

I’ll start the meterpreter listener before trying out the payload.

Now to test it on the target computer.

So far so good, Windows 10 didn’t detect any funny business, and when I double-click on the .bat file the connection is made without a hiccup.

(ok, a small typo in the command sequence..)

The target computer’s Windows is without a proper AV program (I use it only for test purposes), so I have to test the payload on the Inno Setup computer. It has F-Secure, so it should be able to detect a viral payload. Thus far, all of my attack payloads have been detected by it.

This is actually going better than expected. Since the payload doesn’t contain any strings like “meterpreter”, “reverse_tcp” or “super_malware” and since I’m fairly certain that this has not been loaded to any AV library, I should be on the safe side for the time being.

Now that everything checks out, I will start the repackaging of the VLC installation media.

For this, I need the latest installation software, 7zip to extract the .exe file and Inno setup to repackage the installation.

VLC media player = https://www.videolan.org/vlc/index.html
7zip = https://www.7-zip.org/
Inno setup = http://jrsoftware.org/isdl.php (I installed the quick start pack)

First I start off by downloading the VLC installation file. I’ll copy that and also the attack payload to a project folder (just to keep things neat and tidy). Then I’ll unpack the VLC installation .exe file with 7zip. Choose the “extract file…” option so it creates a folder for it.

Now I will start Inno Setup. I’ll be using the Inno Setup Script Wizard, since it’s quite convenient for this purpose.

Let’s add a bit of authenticity to this installation file.

Choose vlc.exe as the main executable file, so the program actually works when installed. Add the unpacked installation file folder. To make the magic work, I added the .bat file separately.

To have persistence in this attack I need to add the file to the Windows startup folder, so it will be run at startup. In this case I add the file so it runs for every user, not just the current user doing the installation.

The rest of the procedure is quite straightforward. I don’t have the installation licence files (they come up during the installation) but I think I will manage without them.

NOTE!! The custom icon must be in .ico format. The script found an error with the .png image, so I had to change it. When asked to confirm, just say “yes”.
To abide by the given course rules, I added the MW (Malware) in the file name.

Once the compiling is done, I have a new and shiny installation file.

Here is a video of the actual installation process. The main goal is to get the .bat file to windows startup.

Ok, let’s admit that if you have installed this software recently, you can see the difference but all in all it seems almost legit.

The reason why I test run the installation on the Inno Setup system is that it has F-Secure installed. This is probably the last phase in which it would detect it, and as you can see, all goes quite nicely.

The only “flaw” of this attack is that the victim computer has to restart to make the meterpreter connection, but this way I have persistence in the attack and it is undetected by Windows 10 or F-Secure (please read the EDIT comment below). There is another problem also: at startup the console window pops up to execute the command. It’s only visible for about half a second or less and in my eyes looks like a system process, but still this attack is not completely invisible to the user.

I was unable to get privilege elevation through meterpreter, the “getsystem” command raised the virus detection alarm in the victim system. Oddly the connection was not cut.
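The persistence step described above leaves a PowerShell-launching .bat file in the all-users Startup folder, which is something a defender can check for directly. The following Python script is an added example, not part of the original report: it scores script files in the Startup folders for PowerShell launcher indicators. The indicator list, weights, threshold and sample file contents are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Standard Windows 10 Startup folders: all users first, then the current user.
STARTUP_DIRS = [
    Path(r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"),
    Path.home() / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",
]
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Indicator name -> (pattern, weight). Weights and threshold are assumptions
# chosen for this example, not values from any product.
INDICATORS = {
    "launches_powershell": (re.compile(r"\bpowershell(?:\.exe)?\b", re.I), 1),
    # -w / -WindowStyle hidden; 1 is the numeric value of Hidden
    "hidden_window": (re.compile(r"[-/]w[a-z]*\s+(?:hidden|1)\b", re.I), 2),
    # -e / -enc / -EncodedCommand followed by a base64 argument
    "encoded_command": (re.compile(r"[-/]e[a-z]*\s+[A-Za-z0-9+/=]{40,}", re.I), 3),
    "long_base64_blob": (re.compile(r"[A-Za-z0-9+/=]{200,}"), 2),
    "decode_or_eval": (
        re.compile(r"\b(?:iex|invoke-expression|frombase64string)\b", re.I), 2),
}


def score_script(text):
    """Return (score, matched indicator names) for one script's contents."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[name][1] for name in hits), hits


def scan_startup(dirs=STARTUP_DIRS, threshold=3):
    """List (path, score, hits) for Startup scripts scoring >= threshold."""
    findings = []
    for folder in map(Path, dirs):
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if not entry.is_file() or entry.suffix.lower() not in SCRIPT_EXTS:
                continue
            score, hits = score_script(entry.read_text(errors="replace"))
            if score >= threshold:
                findings.append((str(entry), score, hits))
    return findings


# Constructed samples (not taken from the report). The base64 argument
# decodes to the harmless bytes "ABC" repeated.
SAMPLE_SUSPICIOUS = "@echo off\npowershell -w hidden -nop -enc " + "QUJD" * 20
SAMPLE_LOGON_SCRIPT = (
    "@echo off\n"
    r"powershell -ExecutionPolicy Bypass -File C:\Scripts\map-drives.ps1"
)

if __name__ == "__main__":
    print(score_script(SAMPLE_SUSPICIOUS))
    print(score_script(SAMPLE_LOGON_SCRIPT))
    for path, score, hits in scan_startup():
        print(f"{score:2d}  {path}  {', '.join(hits)}")
```

Startup folders can also hold .lnk shortcuts, and Run registry keys serve the same purpose, so this check covers only the script-file case the report uses.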

References
https://blog.rapid7.com/2011/06/29/meterpreter-httphttps-communication/

 

EDIT.

For some reason, when I started the computer on the next day to test the connection, it would not connect through meterpreter. Actually none of the Unicorn payloads (reverse_https, reverse_tcp) I made worked with the computer. I managed to get the connection up again with a new Kali Linux installation (not deleting the old one). For the time being, I haven’t located the reason for this problem on the old setup.

After some more tryouts, it seems that at least F-Secure blocks this when you try to run it. The virus scan shows no threats, but the meterpreter connection only works when the AV is turned off. For some reason, there still was no warning when the connection attempt was made.

4)

If one is searching for information about another person, by legal means that is, a good place to start is the person’s full name (first, last). With that I can search social media (Facebook, LinkedIn, Instagram, Twitter) for clues and ideas about what the person might be like (relations, work, social status, hobbies etc). In Finland you can use the official state offices that give information on a person. GDPR of course restricts this, but there are places like the tax office (tax information) and väestökeskus (current home address). If you are willing to pay a little for information, there are services that can provide address info and also a telephone number.

5)

This will not be reported or published anywhere, since the information about the target person is private.