
All right, so it used to be... we'll just take this, because if you think about it from a corporate environment, RDP files are used all the time, right? You've got some remote desktop that you've shared for Terminal Services. (My mic just quit working, though, hold on one second. The mic's working but my mouse is not working now. All right, let me just try this one more time, let's see if that works. Yeah, it's not working, let me see... there we go, sweet.)

So, remote desktop. Looking at remote desktop, the things that I've noticed were that RDP files are not blocked by email clients. Why? Because business continuity says that sometimes we need to send RDP files to our employees so that they can access the remote workstation, and so that's a really good indicator for us, because that means we could email RDP files to our targets. They're not blocked by security providers, so if you're using Proofpoint or any of the security mail gateways, they'll fly right through by default. I mean, you could obviously configure these rules up to block these. And then Outlook, Office 365, all of these mail providers are also permitting RDP files by default. This was just kind of me generating a bunch of the extensions and randomly clicking, and then bam, RDP pops up. So RDP files are a really good indicator that we could leverage that.

But when you start thinking about this, what does RDP provide to an attacker in the event where an RDP file was sent in? The thing that we can actually do is... there's a lot of stuff that comes with features within this. RDP can be configured with the RDP file to actually pass through network file shares, for instance. So let's just say that there's a mounted network file share, as you know, a Z drive or something that you automatically provision with a Group Policy for all your employees. Those mapped network drives are available through a session of RDP. Then you have read/write over the client drive, so on the C drive you can do binary planting. If you think about that from the aspect of dropping a beacon in the startup folder or some other sort of persistence, you could just drop it there. The other cool thing is it actually forwards the local printers of that network, so if there's printers there, it'll mount it and become available on the Terminal Services client, because Microsoft really wants to be able to enable this remote workspace so that it's seamless with the clients that are connecting to it, and it creates a massive vector for that. With that you also get the clipboard contents, and this is actually really cool, because in my research I was in a virtual machine launching the remote desktop in order to connect to my rogue server, which we'll talk about in a minute, and the actual clipboard content from my host computer outside my virtual machine was forwarded to my remote server. So now you have this other problem where network files or shares that are mounted on the host computer that are forwarded to a VM become available as well, because the clipboard is usually there by default. You could also look at the audio devices, so think about audio and video or any sort of USB components that are plugged into the machine. You could actually set RDP up by default to forward all of the devices from that local machine, from your target, to the remote session, and we'll talk about why that gets really bad in a little bit. You can do cameras. The other cool thing is, in some cases, you can do remote code execution directly, so as soon as that client connects to your rogue server there's ways that you could actually execute code on that computer. We'll talk about that a little bit in the conditions that are required around it. But if you look, I mean, Microsoft Terminal Services has a wide variety of attack vectors that we could leverage.

So the cool thing with that is we can actually configure mstsc, or the RDP file, on our own machine and then just send it as a file attachment, and we could send it to any mail client, because it passes through all the mail gateways and it bypasses all the mail providers and all the security gateways and everything else. So we're basically evading everything from end to end. It's a really great initial access vector to kind of consider. The only problem with this is we need a really good ruse. So when you're sending somebody an RDP file in the corporate environment, what do you typically see, right? You think about this from outside the box, because you're going to need to tailor the attack vector to your targets in something that they're familiar with, and the way that we do that is using a really good ruse. The cool thing is, you know, with social engineering attacks and all this moving to other verticals and not necessarily having to stay on email anymore, we can go back to email now, because these RDP files pass through and we don't have to worry about security gateways. So what we're going to try to do is entice a user to connect to us, and it needs to look legit, because obviously we want them to be able to open the RDP file connection and then do some cool stuff. And then in the email ruse, if we provide some sort of out, right, if there's concerns or questions like "I'm not expecting this," we need to be able to provide them a decent way to get out of that without reporting back to their security teams, and then we could forward them on after they're done. We kind of want to think about all this because you don't want to leave red flags and you don't want to leave anybody concerned that they just opened something, because then the security team is going to be on you, and when they're on there you've got a limited time and you've got to move quick, and lateral movement and pivots and everything else has to be done really quickly rather than go low and slow like we would all like to do. This works really good if you're on an internal network, because if you have it on an internal network already you could plant RDP files on network file shares, and it just makes it really valuable.

So the way that we're going to do this is we're going to set up a fake remote shared workspace. I tend to go to LinkedIn, look at what jobs are hiring for or look at what engineers they have on their teams already, and then find out what technologies they're well versed in.
In a lot of cases... this was a real one that I used, from Citrix Workspace, and if you'll notice, I template the email, because I usually send these in bulk. I'll send like ten at a time or something, and I'm basically spear phishing like five or ten people at a time, but I want to be able to search and replace the target, the sender, and all that. "We're testing a new shared recruitment environment, need your help. Please verify your access as soon as possible to avoid service disruption. The attached connection file will automatically connect you to the workspace." So we're telling them what they can expect; that way there's no red flags. "It will automatically connect you to the workspace. The invitation is going to expire," and because it's expiring it creates that urgency that we're trying to get them to act on before something else happens. We don't want to interfere with business, so they're going to want to click on it. And this is a real Citrix Workspace email; I just swapped it out with my own stuff. Then you'll see the workspace RDP file, there's an attachment on there, and it looks really nice. The cool thing is, at the bottom I put "in the event you're unable to connect to the remote workspace..." We don't want them going to the security team, or if I'm phishing them from another employee we don't want them to go to that employee, so what we'll do is we'll say "if you're having any problems, please fill out this form using this link." That way they just report it to us and it just goes to /dev/null, we don't care. So that's how we kind of let them down from the ruse.

So now the ruse delivery is really interesting, because we're once again back on email, but it doesn't have to be email. You could do this through LinkedIn; lots of social networks and team collaboration tools will pass RDP files through flawlessly. So start thinking outside the box whenever you're starting to send these RDP files; you can plant them anywhere. The other cool thing is, when I was mentioning the network file share replacement, we'll talk about how that's going to work, but if you're on an internal network and you find an RDP file that's there, this technique that I'm going to show you will give you the ability to replace theirs with yours and not interfere with their normal connection. So it'll pass right through, they'll still connect to their normal resources, and we'll talk about how we do that with man-in-the-middle proxying of the RDP protocol. That's basically what we're going to be looking for; this is what we're going to deliver.

The cool thing is I have a bonus here. This is a new one, relatively new. I'm not really sure exactly where I learned it from; I learned it from a friend who learned it from someone else, so I don't know where the original came from. It hasn't been talked about really publicly, I think. Steve Borosh from Black Hills is doing a blog post on it this week, so you'll be able to see more about it. The cool thing with this is we can actually spoof from Office 365 to Office 365. The reason why this is valuable is, you can imagine, back in the day you used to be able to spoof emails and it was this big thing, and now you've got DMARC, or you've got SPF records that are set, or DKIM, you know, encryption certificates. But we could bypass all of that by going directly to the mail connector for Office 365. It's enabled by default for Office 365; it's using this thing called Direct Send, and it's a way of being able to send bulk mail, but it bypasses everything, all the mail gateways and security controls that are in place. You go directly to the Microsoft connector. A smart host is what it's technically called. The reason why it works is because they don't want to route the domain that you're sending email to as a spam domain, so it just automatically goes through. I don't know what Microsoft's deal is, but if you look over here on the image in the middle, there's a pink box that says "your MX endpoint," so it's your domain-com, or whatever TLD you have, .mail.protection.outlook.com. The real beauty behind this is there's no authentication; you literally just connect to that mail connector on port 25 and send SMTP as you normally would. There's only a few caveats with it. You need to be able to get the MX record. This is the way that I do it: I just use nslookup, I query the MX record for my target domain, so whoever the target is, target.com, and then I'm able to connect to the SMTP server on port 25, and it's usually always the name of the domain, dash, the TLD, .mail.protection.outlook.com. One of the only caveats is you have to be able to send from and to a real user that's on there, so you want to do some user enumeration before you're actually using it for your ruse. And then the other thing is you basically have to know that the smart host of the domain is the right host. Outside of that, you're really good. Once you have the recipient account and the one that you're spoofing, you could just send it directly to it, and it works on a lot of O365 domains. I mean, we've used this on pretty much most of the targets and it goes directly into the inbox. So you're basically spoofing whatever you want to spoof: you can spoof another user, you could spoof a distribution group, and as long as that user account is enabled and it's not just an alias you should be good to go. So it's just a little bonus slide.

So let's talk about bringing our own server, because this is probably the most
important part, right? I mean, we could send RDP files all day, but if we're not sending them somewhere to connect to... We need to make sure that we nailed this part more than anything, because this is where the code is going to be running, right? So think about running your own Windows server. You know, you can put it in the cloud, you could expose it if you want. I'm going to show you how you can do it without exposing it, but the idea is you're running your own RDP server. You spin up a Windows Server, you configure RDP, and bear in mind that RDP file is going to auto-connect to your server. So there's some logistical issues that I had with researching how to pass in authentication, and how do I do it where I'm not exposing my RDP server to the internet, because, you know, Russia and China are going to be there beating down your door within minutes if you have exposed port 3389. You could change the local port; there's a quick way to do it down there at the bottom. But the idea is that you're going to want to open RDP in the firewall, set up your server, set up a new user that has RDP permissions. Now bear in mind your malicious code is going to be running on your own server, but what happens is, when the client connects to the server, you're actually able to access the hard drives and all the devices on the connected clients. This is where the beauty comes in.

So now we're looking at RDP. There's lots of protocols with RDP that we'll talk about, but the hard part about this was really on the credential loading. If you're familiar with DPAPI within Windows, anytime you're storing your encrypted credentials, it's based on the DPAPI of the computer that encrypted the credentials. So if I encrypted them and then put them in an RDP file and saved it and then sent that RDP file to someone else, the person that opens it is not able to actually decrypt the credentials to use them for the connection. So I was like, okay, what if we just use a blank account? Which is super bad, don't ever really think that's a good idea, but I wanted to try, because this is progressing through how to force the client to automatically connect to us. It does require a little bit more interaction. You also get this really ugly yellow banner, which is always scary whenever somebody clicks on it. You want blue, right? Windows: yellow is bad, blue is good. So we need to be able to get rid of that yellow banner. Blank account passwords are going to expose the server to the internet, which means anybody can connect in, and while we're running malicious code... so that's not that big of a deal, but we don't want to accidentally hack someone outside of our scope, so we want to make sure we stay in scope. So it's super risky. And then there's also the unverified banner that we're going to get rid of here in a second, and then if the publisher is unknown, now we have another issue, right? Because it's sketch: it says "publisher unknown," and you see that and you're like, "I'm not clicking on this, I'm not connecting." And then outbound 3389 might also be blocked, right? You're like, "Oh, well, you know what, outbound RDP over the internet, we're not going to allow that, we will never, we block that at the firewall." Okay, well, that's great, but we can set whatever port we want, and we can pre-configure the RDP file to use colon port, and it'll just automatically connect over that other port instead. So that's kind of the catches that we have.

And so the solution that we have is nice and blue. The way that we do this is we're going to man-in-the-middle the client. They're going to connect to our proxy server, and our proxy server is going to connect to our real server. The reason why that's really good is because, first, we could firewall off only our proxy to be able to connect to our RDP server, and we don't have to worry about anybody connecting in. The other thing that it really does is it gives you the ability to create whatever username you want for the RDP file; it doesn't even matter. So what I try to do is tailor that for my target: if it's a department that I'm targeting, then I'm going to use the department name for my username. You just want to make it look as legit as possible. But the other really good thing is you could just generate a real SSL certificate. Now there's some funkiness that you have to do, like if you're wanting to use Let's Encrypt, for instance: you could convert the Let's Encrypt certificate to a PEM, and then import the PEM into Windows and use the thumbprint to sign the RDP. We'll talk about that in a minute, but we're going to sign these RDP files with our own SSL certificate that matches some doppelganger domain of the company that we're targeting, and make it look nice and pretty, and then we're going to sign it using a built-in tool within Microsoft called rdpsign. How novel. So we do that, it's signed, there's no Mark of the Web, we're sending this over the wire, we're good, everything was great, it'll pass through, and then when they open it it's just going to look like that, nice and blue. They click connect and it's game over. The other really cool thing with this is we can set our proxy server to listen on whatever port you want to listen on, so if you wanted to set it for 443 or 80 you could certainly do that, and you're basically connecting RDP over those ports, but I mean, who cares, it's just a client connecting into you anyway.

So that's the way that you can do Let's Encrypt. I put this in the slide deck in case you wanted to go back and reference the slides later, because it was a little tricky to kind of convert this stuff, especially on a Windows machine. You had to install choco and OpenSSL in order to get the Python 3 certbot to actually work properly. Once you do that, you just generate your doppelganger domain and then you could actually use OpenSSL to convert that certificate and that key into a PFX, which imports directly into the cert store within Windows. Once it's imported into the cert store it'll provide you with a nice little thumbprint; you take that thumbprint ID and you pass it to rdpsign and point it at your RDP file, and it signs it, and everything is super great. There's probably a much easier way to do this; this is just me kind of hacking the solution through, because I have no clue what I'm talking about with this kind of stuff, I just have to figure it out as I go. So there's probably a better way, and if you do know, feel free to reach out and I will update this; I'd love to find a better way to do it.

So the proxy. Let's talk about the proxy. The proxy is really interesting, because in order to proxy RDP traffic you have to do all kinds of protocols. There's fast protocols and short protocols, and there's these fast paths and slow paths, and encryption protocols and communication protocols. There's lots of binding for the GUI,
so there's lots of protocol binding to be able to get the user interface from the Windows server to pass through your proxy into the client so they can render properly. There's all kinds of specifications, and this rabbit hole goes really deep. So I started looking at FreeRDP, I started looking at xfreerdp, all these different protocols, or these software packages that were open source that kind of already implemented it, so I could try to avoid this part of it. And then I came across a tool called PyRDP. Now PyRDP implemented all of the protocols, so it's the TCP, the segmentation, all of the encryption, the security stack, everything. They did all of it in Python. It's already put together; you don't have to do anything, you just tie it together, and they put it in a really cool tool. So they built all of this, and the hard part about this is you have to remember we're proxying the redirectors for the file access, for the drives, for the audio devices, for the USB devices. There's lots of communication between the client and the server that we have to account for if we're going to leverage this in a ruse. So PyRDP is amazing. It wasn't built for this; it was actually built for honeypots, like an RDP honeypot. But PyRDP actually monitors the clipboard content for you, so I don't have to do it on the server. I could do it on the server, but it actually implemented it in the Python library already. It does actually hijack any of the host clipboards, so in the event where there is something on the clipboard, you could either write to that clipboard of your target, or you could just monitor it and then copy off and save stuff. It has a built-in crawler. This is super cool; I have a demo at the end of it. It will actually enumerate all of the files and all of the drives against a list that you're looking for, so you could set up a list, pass it to the crawler, and it'll look for all those extensions. So like .configs, or AWS or Azure, if you're looking for some sort of cloud credentials on the machine, it'll enumerate all of them, and any of those files that it finds it'll download directly to the proxy server, so you don't have to worry about writing it. I had written it all in C# and did it on the server, but this had it in there, so I have kind of built them out. It does actually implement most of the specifications, but one of the big things is all of the GUI bindings; it's already there, so we're good on that side. The cool thing with PyRDP, too, is you can actually replay that entire session, so if you wanted to replay the user interface aspect of it, it has that built in. You could pass in the certificate and the key and the listening port, and it'll basically just listen on that port. So if you want to listen on 443, pass in your certificate and your key, it'll listen on that; that way everything looks good. And the beauty part in this is it actually solved my credential issues. Having to log into the server without exposing the server meant that I could pass in on the command line the real RDP server, the real username, and the real password, and the proxy will connect to my rogue server. Now it doesn't even matter: whenever they click connect on the RDP file, it's just automatically going to log them in and map all the drives and take everything that it needs to take. So it's super good.

And then the cool thing with this is, you're thinking, okay, well, my client's going to have some sort of EDR, maybe they have the latest and greatest secret sauce stuff, right? We're running server-side code, so that server-side code is not running on the actual target. It's interacting with the devices of the target, but it's not actually running in a memory space on the target, which means no EDR, and so we get to bypass kind of all of that.

So when you're thinking about this, we need to be able to run some sort of payloads on these machines, right? Our malware that's running on our server is running at login. The way that I usually do it is I just throw it in the startup, but you can set up a GPO policy that kicks off a file, you can do whatever you want, but once that session is established with the server it's game over. It literally will immediately start attacking it. So what I like to do is plant an LNK file on the desktop. I'll do an LNK with a spacebar shortcut, right? So every time they hit spacebar it's going to launch my LNK, and I'm going to plant my binary somewhere. So yeah, there's a lot of payloads that get executed, or you could execute it and then delete the payload immediately so it doesn't run again. You could do some side loading, so if you're familiar with any of the DLL side loading stuff, you could drop dbghelp.dll in the Microsoft Teams folder, so that whenever Microsoft Teams starts up you have your persistence, and it's in user land, so you don't have to worry about having elevated permissions. You could do some of the AppDomain injections, if you're familiar with .NET, where you can update the .NET configuration file, plant your DLL or plant your executable, and basically hijack the AppDomain for .NET. All kinds of cool ways you can actually execute code on startup for persistence within user land. And then the other thing that I want to do is be able to look for any of the sensitive files. I'm looking for credentials, I'm looking for GPP stuff on the network file shares if they're mapped, and we want to be able to do all that, because when we compromise the target machine we're going to use that target machine to pivot to the network file shares and search those for stuff as well. And then obviously, because it's not running on the client, lots of cool detections.

So, server-side payload. I have a little section on this, even though PyRDP kind of happened to implement a lot of this. So the client interaction: I did most of this stuff in C#, and the idea is there's a library called Cassia. It's really cool, and it gives you the ability to interact with the Terminal Services client that's connected to your server. So it's basically server-side code, a little tricky to write, because you're having to install Visual Studio on your RDP server and then debug it, step through the debugging sessions and stuff that way. But in a nutshell, if you remember anything, this is all you really have to remember in order to do it: if a client connects to your terminal server and you have code that accesses \\tsclient\C, then it's going to interact with the connected client's machine rather than the actual server's machine. This is where it gets really fun, because now we can start leveraging this in all kinds of different cool, unique ways. We can generate the user folders and start looking for which users are there and their startup folders and plant binaries for startup. And then there's all kinds of other stuff, too. I've tested with RD Gateway; RD Gateway works, but it doesn't work with PyRDP, if you're familiar with the RDP gateways. We're looking for something like a low-level privilege escalation or code execution, so I have one that I'll talk about here in a second, but we're looking for ways to execute code without having to wait for the computer to restart. Right now it's not that big of a deal, because if you're on a red team and you're using this then they're going to eventually restart the machine anyway, but that waiting game is where we get burned, because if we're on a one-month red team engagement and we have to wait two weeks for them to restart the computer, well, then we've got a problem. And then anything from that mapped VM host, like I was mentioning earlier: if you have a mapped drive that's shared with your virtual machine and they're running that RDP file from a virtual machine, it's game over, it's a VM escape on your client computer. So we're good there.

This is just some of the code. I threw this in there just so you can kind of have it in case you wanted to interact with it and play with some C#. I have some code that I haven't released yet, just for other reasons, but yeah, it's pretty cool. It gives you some deep information about the IP addresses, it'll give you some of the client information, the Windows station name, it'll give you the username of the target's machine, the local machine that they're connecting from, so you know kind of who's there. You can get the display information and resolution and all that. You can get other stuff like the printers and whatnot, if you could do that and enumerate those. So there's a lot of valuable stuff that you can get from that library. Super powerful.

So this is our attack path. The red teamer over here on the left: I'm going to send my RDP phish to my victim's workstation. They're going to execute that RDP file. I'm going to be able to access the mounted network shares using tsclient on the server. It's also going to connect them directly to the PyRDP session; the PyRDP proxy is going to connect to our rogue RDP server, and then we're going to plant a binary back on that workstation so that we can get C2. And then just imagine our command and control system kind of
working, and that's kind of the way that we... that's the attack. So hopefully this is going to work. Let me see if I can figure out how to share this with this tool here. We want to see if I can get this demo; I don't know if it's going to work, but we'll see.

[Crosstalk while the speaker tries to share the pre-recorded demo; the sharing does not work.]

Okay, well, that ain't gonna work. So it was a demo, but there's some recording software that's not letting me share the demo. I did pre-record it, but this is why I bring my own laptop normally. So the demo basically was going to walk through all of that. I'll tell you what it does. The concept is, once that RDP file gets executed, it connects to the proxy server and the proxy server is going to connect to the rogue RDP server. Once it does that, the binary planting actually creates an LNK file on the desktop with the spacebar, and then writes another payload to the startup folder just for a
second form of persistence. Now, the interesting thing with RDP files, writing the LNK file to the desktop, is that the shortcut doesn't actually take effect until the computer restarts again. This is with the exception of, unless you have Hyper-V installed. This is an interesting little excerpt on executing code on the endpoint target without having to worry about restarting the machine. Hyper-V actually will create a process that runs if you print to the machine. So think about it from the computer's perspective: you have Hyper-V installed and you're wanting to print within a Hyper-V environment. It runs a program called wfs.exe within the Hyper-V folder. Remember that the printers are actually forwarded to the rogue server. So what we do is we create a symbolic link, we write the file to the wfs.exe in Hyper-V with our payload, this is our beacon or C2 or whatever it is, and then what we do is we create a print job on the local printer that's being shared with our server. When that happens, that print job in Hyper-V actually kicks off our beacon, and we get remote code execution without having to worry about a machine restarting. So it's super valuable; it gives us some really cool stuff. But we're looking for new ways to do that as well; there's probably other audio or USB, camera, or certain models of laptops that will give us the ability to execute stuff, but the goal is we don't want to have to wait for the computer to restart. Once that rogue RDP server is interacting with our victim, we want that victim machine to run our beacon immediately so we can have our C2 channel established.

That's pretty much the nuts and bolts of the demo. There was some other cool stuff where I was going to show you the clipboard, and then in the demo I actually had a mounted USB drive that was in the host computer, and what happened was I was able to look for a specific file extension on that USB drive and actually exfil it off across the network without even worrying about it. That could have been anything; it could have been a credential file. It was just a demo file, but just to kind of show the impact of this. So that's RDP in a nutshell.

So some closing thoughts, because we're getting short now. The remediations for this are that you want to really set a GPP or a Group Policy setting for the Remote Desktop Session Host, because you don't want that host to be able to share their local drives with the external connection, right? You want to make sure that that's locked down. There's a lot of device and resource redirection that you could disable, like in the screenshot right there. So there's everything from USB to network file shares, all of that, where you could actually restrict that from being shared out. This is the best way to do it, but you have to do it in a policy that's going to spread across the network; otherwise, if nobody has this enabled, then they're prone to be a victim. You can block 3389, but you'll notice that it's still only going to make it more difficult, just routing around 3389 and using another port. But it's not a bad idea to block outbound 3389.

And then the other interesting thing is, if you're familiar with COM objects: COM gives an object interface to remote desktop sessions. Obviously I created this initial access technique in order to get around using macros, because if you didn't know, macros are dead, or they're going to be dead here in a very short time. Microsoft finally decided to say that macros downloaded from the internet are bad, right? Like, we should have known that, but they're bad now, if you didn't know, so they're going to be disabled by default. You're not going to be able to run macros, and so this came out of that. But in the event where you still found a way to get a Word document or something with a macro into the target's network, you could actually use the macro to create a COM object for RDP, so you could do all of this from a Word doc without actually having to send an RDP file. Now obviously the whole idea was to send an RDP file because it's not being blocked, but in the event where you wanted to use a COM object, or use something like that for persistence or for executing code, you can instantiate the COM object. You can even set it where it's invisible, where it's not even going to pop open the GUI interface for Microsoft Terminal Services. So the idea behind that is it's going to do the exact same stuff: it's going to share the network, it's going to do everything you would normally do, just run in the background, and, you know, COM is COM. So there's some really cool stuff you could do with COM objects. So yeah, that's what I would say watch out for.

So that's pretty much everything that I had. I had a demo, but obviously the demo shortened this. But yeah, I have some time, I guess, for questions, if anybody has any questions.

[Audience question:] Is this running through a perimeter network?

Correct, yes. And so that's the beauty behind being able to change the port, right? So you're going over the internet, you can go through the cloud if you
wanted to but it's basically creating that connection outside the network whether it's through because it's connecting out right it's not we're not connecting into the network so they're connecting to us so the cool thing with that is wherever they're at as long as they have internet activity they can connect into our server so great question
[Audience: what is your mechanism?] Yeah, so great question as well. So the question was, you know, once we get that established C2 and we're connected to our target, how are we doing it? And that's all going to be based on the actual engagement type and the scope of the engagement. So typically I use this on red team engagements, right, where it's a little bit more low and slow, and so a lot of that is really situational awareness at first. Once I establish that connection I want to know: where did I land? What process am I running as? Who's logged into the machine that I'm logged into? Where's that machine? And you want to do that really, really slow, right, because the moment you start hitting stuff and running BloodHound is the moment you're going to get the SOC beating down your door. So you want to be able to blend in; you want to tell a story, right? So what I try to do is I try to have my Beacon, or the binary that I'm planting, tell that story. And so think about it from when IR comes running and they're going to triage that machine: what are they looking for? They're looking for certain processes; they're looking for, you know, "this is a weird process," or "this is a child process of a really weird parent process that's phoning home to the internet, but it's like Notepad." Like, they're looking for weird stuff. So if you tell that story and you blend in, and you do, you know, your parent ID spoofing, and you set up your payloads properly, then you could just... yeah, you can do your BloodHound and lateral movement and escalations. But it all depends on the scope of the objective, really. But that's usually what I do; I do use BloodHound and SharpHound.

[Audience: so is there a password collection opportunity in that proxy?] So when you say password, you mean... Yes. So the cool thing with it: it does capture it if there is a password, but because once they click connect there is no logging in, it's automatic, because we're logging in for them. But in the event where, like with your example, let's say you found an RDP file on the network file share that, you know, they needed to type their login and password in, what we can do is we could point our proxy to the real server, change their RDP file to our proxy, and then when they do log in we capture credentials as well. So that's already built into the proxy, yeah.

So that's more manual, because I think, you know, when you're planting a binary only, or any file for that matter, only you would know where you planted it. And so what we do at Black Hills, on our red team, is we keep track of our artifacts. So any changes that we make, any... you know, if we make a change to a password or add a user for whatever reason or write a file somewhere, we always keep track of that, because at the end of the engagement somebody has to clean this up. And so we want to make sure that we're doing our due diligence to make sure that whatever organization we're testing has the ability to see what we did and be able to take those artifacts and delete them. Sometimes I'll delete them, if they want me to. But yeah, so that's the best way to do it. I don't know another way to do it, like, manually... I mean, I don't know, like, a tool or anything, but I would definitely... I think I would do it manually no matter what, because it's more important to make sure that you get all the artifacts properly.

It's a great question. So I didn't spend a lot of time on all of them, but most of the default ones that are within Windows I opened up. There's some graph programs for, like, performance and weird stuff, but I didn't see anything that I could leverage for an attack vector. There's probably a lot of unexplored attack vectors in some of these default programs, though; I just haven't... I didn't spend a lot of time. I did also look at... there's some, I think it's MSIX or something; it's like, it's the new... it's some new Windows remote thing. I don't know, it's like on the new app, the new app.net, whatever it is, what is it, I forget. There's some new framework within Windows that gives you the ability to do stuff, but it was like ClickOnce. It's like the new ClickOnce is what it is. Remember ClickOnce from, like, a couple of years ago, where you could install it and it'll, like, download it through Edge and just run your code? It's like a new version of that, but it's for, like, the new modern Windows through the App Store and everything. I did play with that a little bit, but there's some really good safeguards with those vectors, because they need to be signed or in the certificate store already, so you kind of have to figure out how to do that. But yeah.

[Audience: so how often do you have time to... installed on the routines? Because I can't imagine...] That's a great question, yeah, that's a good question. So you'll notice that when I talk about Hyper-V, it's always just been in theory. I've seen it, and I'll even be on Twitter and I'll say I've never seen it in the real world. I haven't found it, but I haven't also looked for it, so I don't know how often it's really there. Some of these times you don't really know what you compromise either. So, like, you might not... like, I go after security engineers, I'll go after the IT administration, like I'll go after anybody with any sort of elevated privileges. That's usually who I target, because in your mind you're thinking, well, they would never do that, but the reality is that we all will do that with the right ruse. So I just kind of go that way.

[Audience: ...overly generous, treats, like this, like this drive?] That's correct, yeah. And so by default, in the Microsoft Terminal Services Client, remember we're creating the connection file, so we just enable all disks, and then when we save it and send an RDP file, that's still persisting in that RDP file. Yeah, so it just forwards all of their disks, so it's just pretty much game over. So I've got time for one more, I think... probably not, the kids.

Yeah, it's a great question. So the question is: what do you have access to once that Terminal Services client is connected? Is that what you're saying? So it really depends. Most of the time it's all the local printers. So I enable all the options in the RDP file when I'm targeting someone, and what that means is you get the local printers, you get the audio devices, you get the camera, you get the video devices, you get any of the Plug and Play devices, you get any of the mapped network drives. So if, like, they have a network file share that's mapped by default through, like, a policy, you'll get that; you'll get access to that. And you can read and write within their permissions, right? So their ACLs on those network file shares, that's what you're restricted to. But yeah, you can write to pretty much anything across the network, clipboard, and then anything that's forwarded. So if they're running it in a VM, anything that's forwarded to the VM as well, so shared folders, clipboard again. Yeah, thank you.

See, now you're thinking. That's exactly where I went: can I access the HKLM, you know, the actual registry, because everything's a file? I haven't figured that part out yet, because I'm limited to, like, back to tsclient and then whatever's mounted. But that's where this research should be going. I think there's lots of really cool stuff that we could do, especially if it's elevated; if they're running from local admin, then, you know, there's a lot of stuff you could potentially do. So, cool. All right, that's it. I think I'm up for time, but yeah, appreciate it. [Applause]
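As an added example for the remediation discussion in the talk (this is not code from the talk or from Black Hills), here is a small Python checker a mail gateway or analyst could run over an inbound .rdp attachment to flag the redirection settings the speaker describes enabling, plus a non-default port and a disabled server-authentication warning. The sample .rdp content and the 203.0.113.10 address are constructed for the example.

```python
import re

# Constructed sample .rdp file (not a real capture), modelled on the
# "enable every redirection option" connection file the talk describes.
SAMPLE_RDP = """\
full address:s:203.0.113.10:443
drivestoredirect:s:*
redirectprinters:i:1
redirectclipboard:i:1
usbdevicestoredirect:s:*
camerastoredirect:s:*
audiocapturemode:i:1
authentication level:i:0
"""

# Integer keys where non-zero, and string keys where non-empty (e.g. "*"),
# hand a local resource of the connecting client to the remote host.
RISKY_INT = ("redirectclipboard", "redirectcomports", "redirectposdevices",
             "redirectprinters", "redirectsmartcards", "audiocapturemode")
RISKY_STR = ("drivestoredirect", "devicestoredirect", "usbdevicestoredirect",
             "camerastoredirect")

def parse_rdp(text):
    """Parse 'key:type:value' lines (type i, s or b) into {key: (type, value)}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([isb]):(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3).strip())
    return settings

def rdp_findings(text):
    """Reasons a mail gateway or analyst should hold this .rdp file for review."""
    s = parse_rdp(text)
    findings = []
    for key in RISKY_INT:
        if key in s and s[key][1] not in ("", "0"):
            findings.append(f"{key}={s[key][1]}: local resource redirected to remote host")
    for key in RISKY_STR:
        if key in s and s[key][1]:
            findings.append(f"{key}={s[key][1]}: local drives/devices redirected to remote host")
    # The talk's point about routing around 3389: an explicit non-default port stands out.
    host_port = s.get("full address", ("s", ""))[1]
    port = host_port.rsplit(":", 1)[1] if ":" in host_port else ""
    if port.isdigit() and port != "3389":
        findings.append(f"full address={host_port}: non-default RDP port")
    # authentication level 0 = connect with no warning when server authentication fails
    if s.get("authentication level", ("i", ""))[1] == "0":
        findings.append("authentication level=0: no warning on server authentication failure")
    return findings
```

A clean file, with no redirection keys set and the default port, produces an empty list, so the check can gate delivery without blocking the legitimate RDP files business continuity depends on.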
I'm not a huge fan of not using my laptop, just because I prepare everything on my laptop, so, like, I know that it's going to work.
So, right, guys.