
Darryn Cull and Thomas Underhay - SensePost XRDP Tool

BSides Cape Town · 31:36 · 243 views · Published 2016-12
About this talk
In this talk we cover how an X server functions, how one becomes vulnerable, previous methods of exploitation, and finally the tool we developed: how it works and what it provides.

In 1997 a vulnerability in X11 was published that allowed unauthenticated access to the X server because access controls had been disabled [1]. It gives an attacker full control of the target host using the default X toolset built on the protocol. Despite its age, this vulnerability is still found on internal penetration tests and even on the Internet. Since its release there have been no significant changes in exploitation, only in methods of scanning for it. An auxiliary scanner called X11 No-Auth Scanner was added to the Metasploit framework, allowing an IP range to be scanned for vulnerable hosts [2], and Nmap ships with a script called x11-access that efficiently finds vulnerable hosts in an IP range [3]. These scanners only determine whether the X server accepts an unauthenticated connection; they do not check for active displays that can be exploited. Exploiting the vulnerability means chaining several tools, such as xwininfo, xdotool, xwd and xwatchwin, to take remote control of the host. This is seen as tedious and time consuming, so the issue is often only reported on and not exploited.

Our approach is to automate the use of the default X toolset in an easy-to-use tool for exploiting unauthenticated X11 access. It provides a streamlined way to connect to an X server, send commands and receive output, hijacking the remote host. The user interface is designed to resemble a remote desktop connection, apart from the added user input fields. Before using the tool, a vulnerable host needs to be found using the available scanners or the Nmap script we developed, which finds vulnerable hosts with currently active displays that can be hijacked.

At the time of writing, more testing is required for exploiting an X server running on Windows or Mac. Our hope is to shine some light on an old vulnerability that is still found in the wild, and to show the full impact of successfully exploiting it.
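The check the scanners above perform, and the gap they leave, comes down to the X11 connection-setup exchange. The following added example walks through it in Python; it is not code from the talk or from the XRDP tool. It maps a DISPLAY string to the TCP port, builds the client setup request with empty authorization fields (what a client without a cookie sends), and classifies the server's reply; the sample replies are constructed inline, not captured from any host.

```python
import struct

X11_BASE_PORT = 6000  # display :N listens on TCP 6000 + N when TCP listening is enabled

def display_to_endpoint(display):
    """Turn an X DISPLAY string such as '10.0.2.15:0.0' into (host, tcp_port, screen)."""
    host, _, rest = display.rpartition(":")
    number, _, screen = rest.partition(".")
    return (host or "localhost", X11_BASE_PORT + int(number), int(screen or 0))

def _pad(n):
    return (4 - n % 4) % 4

def build_setup_request(auth_name=b"", auth_data=b""):
    """Client half of the X11 connection setup (little-endian, protocol 11.0).
    Empty auth fields are what a client without a cookie sends; a server with
    access control disabled (xhost +) accepts exactly this."""
    header = struct.pack("<BxHHHHxx", 0x6C, 11, 0, len(auth_name), len(auth_data))
    return (header + auth_name + b"\0" * _pad(len(auth_name))
            + auth_data + b"\0" * _pad(len(auth_data)))

def parse_setup_reply(reply):
    """Server half: byte 0 is 0 Failed, 1 Success, 2 Authenticate.
    Success only proves the server took an unauthenticated connection; it does
    not prove there is a live desktop behind it, the gap the talk's Nmap script fills."""
    status = reply[0]
    if status == 0:
        reason_len = reply[1]                          # bytes 2..7: versions, extra length
        reason = reply[8:8 + reason_len].decode(errors="replace")
        return {"status": "failed", "reason": reason, "screens": 0}
    if status == 2:
        units = struct.unpack_from("<H", reply, 6)[0]  # reason length in 4-byte units
        reason = reply[8:8 + 4 * units].rstrip(b"\0").decode(errors="replace")
        return {"status": "authenticate", "reason": reason, "screens": 0}
    if status == 1:
        # fixed part: release, id base/mask, motion buffer (8..23), vendor length (24),
        # max request length (26), screen count (28); vendor string starts at byte 40
        vendor_len, nscreens = struct.unpack_from("<HxxB", reply, 24)
        vendor = reply[40:40 + vendor_len].decode(errors="replace")
        return {"status": "success", "vendor": vendor, "screens": nscreens}
    raise ValueError("not an X11 setup reply: status byte %d" % status)

# Constructed sample replies (not captured from any host), little-endian like the request.
def _success_reply(vendor, nscreens):
    fixed = struct.pack("<BxHHHIIIIHHBBBBBBBB4x", 1, 11, 0, (32 + len(vendor)) // 4,
                        12000000, 0x00400000, 0x003FFFFF, 256, len(vendor), 65535,
                        nscreens, 0, 0, 0, 32, 32, 8, 255)
    return fixed + vendor + b"\0" * _pad(len(vendor))

def _failed_reply(reason):
    hdr = struct.pack("<BBHHH", 0, len(reason), 11, 0, (len(reason) + _pad(len(reason))) // 4)
    return hdr + reason + b"\0" * _pad(len(reason))

SAMPLE_OPEN = _success_reply(b"The X.Org Foundation", 1)     # access control disabled
SAMPLE_DENIED = _failed_reply(b"No protocol specified")       # cookie required, none given

if __name__ == "__main__":
    print(display_to_endpoint("10.0.2.15:0.0"), build_setup_request().hex())
    for sample in (SAMPLE_OPEN, SAMPLE_DENIED):
        print(parse_setup_reply(sample))
```

A "success" reply is what x11-access reports as open; deciding whether a usable desktop sits behind it still needs the window and screenshot steps the talk goes on to describe.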
Transcript [en]

[Applause] Okay, hello people. So this is our tool, it's called XRDP, and its main focus is on exploiting unauthenticated X11 sessions. So my name is Thomas, this is my colleague Darryn, we both work at SensePost as security analysts. And just a little bit about myself: so before I was doing the security stuff I was a civil engineer. One day I was sitting in a meeting, looking around me, seeing all these old people, and I decided, well, that's not me, I want to be a rock star. So then I joined SensePost. Okay, so Darryn. Everyone, I went to university, studied computer science, I was originally planning to become a coder, but then I found security

and so much more interesting, so I joined SensePost as well. Okay, cool, so XRDP. In the beginning of this year we did the SensePost training, and after three or four months we got the time to do some research. Since we were both new to the field we didn't really know what to do, so we asked the analysts for some ideas, and the one guy, Dane, is he here today? Make some noise. You didn't hear anything, okay. So Dane told us he had this problem on assessments. Okay, basically he got this vulnerability and he didn't really feel that exploiting this manually was really working for him, so we decided to take on

this problem. We were really excited about this, so we got started. So the first thing: you might know what X is, but for those who don't, I'll simply give you a short description. Basically, if you are using a Unix or Linux type of system then you are making use of X. So X is currently in the 11th version, so it's called X11, mainly you might know it by that name, and basically it just plays a central role in displaying graphics on your screen. It originated from MIT, where back in the days computers were really expensive, so they had this one main computer and they needed a way for students just to connect to this computer and just share

the resources. For instance, if they want to write a report, I can connect to this machine, have like a text editor or whatever display on their screen, and they could do their work. Okay, so looking at the basic architecture: on the top left you can see there's keyboard and mouse, so that's basically your inputs, and the top right, that's the screen, that's where X will display the windows. And here, if you're on the top of the dotted line, that's basically your local machine; if you go below the dotted line, that can be some remote client. Okay, so X is basically a mediator between the user and clients, for example a browser on your machine, maybe an xterm on a remote

machine, anything like that. Okay, so you can imagine when there's lots of users using one resource, authentication must play a role somewhere. Okay, so we can imagine we have our remote server there for the resources. The first method of authentication is just by host: so the administrator can type in a command, he says xhost + and gives it an IP, so if you connect from that IP you can authenticate. Okay, the next method is a cookie, an MIT-generated MIT cookie: if your computer or terminal or whatever you use can prove that you have knowledge of this cookie, then you can authenticate as well. The last method is a little bit more difficult: this is where the server and the user

both need to put trust in a third-party machine, through something like Kerberos, that's just another authentication method. Okay, so one other method you can connect with that's also authenticated is simply through SSH. So, it will update now. Okay, so what you do is you can just type ssh, include the -X option, the target machine, and when you're connected you can type xterm and then you can see your little terminal that will actually pop up on your local machine. Okay, so that's all good and fine, everything is secure. Looking at an unauthenticated session, there's quite a few ways to mess this up. One of the ways is

where the administrator allows the TCP traffic on port 6000. Also you can maybe mistype something, or if he is like just not in the mood, struggling with authentication, he can run xhost +, so anyone on that network can simply just connect to that server. Okay, so the main problem here, or what we have now, is an unauthenticated session. We are hackers, what do we love most? Okay, second most, we love shells. Okay, so our aim for this was we needed some kind of reverse shell, maybe a graphical shell, anything like that. Okay, so just one more thing on this unauthenticated session: you can export your DISPLAY, run that command, and that IP will typically be

the IP of the remote server, and at the end you can just type your command. Okay, so we have our remote server, we want to exploit it, what do we do? Okay, so this process is not just straightforward, there's a lot of different tools you can use, every tool just gives you some output, you have to chain that into another tool and you go forth like that, there's no fluency throughout the process, so it's really frustrating. Okay, so the first tool we looked at was xwininfo, that just targets a display or window on the remote machine and it displays some information. So looking at the command, it's just xwininfo (the screen will update now), -

root simply says that you want to look at the root window, that will typically be exactly what the user on the remote machine will see. So -display, that just says you're targeting display 10-dot-whatever is running on there. Okay, so another important piece of information is the window ID, you need that for some of the other tools. Okay, so like we had some information about the remote window, we needed to see what's on that machine, can we get any output, anything like that. So the first tool we came across was xwd, it stands for X Window Dump, so you can run the command, it's xwd -display, that's the

remote display you're targeting, the root window again, and you put that out to some file. Now you can't just read this file, you need to convert it into, say for example, a JPEG, and then you can see what's going on. So this process is very kind of blocky, you do one thing at a time. So we did some more research and we came across xwatchwin. So this is a little GIF, this is typically what you'll see when looking at xwatchwin, so you can see what's happening on that server, it updates as quickly as possible, it's basically a bunch of screenshots stitched together, and this is where you

include your window ID. So at this point in time you can see what's happening on the remote machine, you can just see what the user is doing, and we want to take this further, either just a reverse shell, remote, or some graphical shell, since we really do love shells as hackers. Okay, and the last thing we looked at was xdotool. So what this enabled us to do is you can send some commands, you can for example open a terminal, you can open a file browser, but this is not... it looks easier than it is, because if you, say for instance, export DISPLAY and you run your xdotool, if

after that you type something like xterm in your terminal, then your terminal will actually be displayed on the remote machine. So that's rule one of hacking: never hack yourself, that's just stupid. Okay, so in the second command you can for instance send mouse movements, but say you opened this second, then you need to find a way to select your first screen. Typing, if you want to just type like echo hello world or whatever, then it's got to be like character, space, character, space, character, space, so it makes the whole process really tedious. So basically we were looking at some form of like a graphical shell, remote shell, something very easy to use and

that's not frustrating. Okay, so I'll hand over to Darryn and he'll tell you more about our implementation. Cool, so we know what tools are available, and so what we need to do is take those tools and wrap them up in a nice bow so that they all work together and give us something awesome. So what we did was we decided to write a Python script, and we started off by running xwininfo using Python, grabbing the window ID and passing that to xwatchwin, creating the screens, that updating GIF that you saw earlier. Now we had the output, so now we needed to figure out how to take input from the

user and send it to the remote machine. We did some research and we had to brainstorm a bit, like how we're going to do this, and really finally sort of just using a transparent overlay, so creating another window that's completely transparent, allowing you to click, and with like text inputs and buttons, and making it all look pretty. And so we looked online, how can we do this, we found PyGTK and we decided to use that. The main reason for that was, with xwininfo, xwatchwin and xdotool, there's already a lot of dependencies to this tool, so PyGTK ships with Python, so that simplifies the

installation process and whatnot. But in hindsight that was a terrible idea: PyGTK is horrible, never use it. Like getting the buttons and... oh, there was just making a transparent window, it took us ages, it was horrible. But we eventually got it to work, and then PyGTK allows you to take the user input, and then you use xdotool to send those inputs to the remote machine, obviously doing some processing like taking a sentence, splitting it up into characters and whatnot. But once we had the tool we decided we needed a fast and easy way to find vulnerable hosts that would be fun to attack, so we

created an Nmap script using the Nmap Scripting Engine, obviously. And there already exists the x11-access script that ships default with Nmap, but all that does is it checks whether the host is vulnerable to unauthenticated X11, which tells you, okay, it's vulnerable, but it doesn't give you a good enough idea of whether it's worth even looking at. And if you come across an internal network or something and every box is vulnerable, which one do you go for? So we realised that there are four main options. Option one, the box is invulnerable: either the port is closed, the port is open but nothing is running, or it's authenticated, but that's not very

interesting or important. The second option is there's no active display, so the box is running X11, it's unauthenticated, but it doesn't respond to any of the X commands. We only actually found out about this after writing the tool and writing the script and using the script, when the script would keep failing and we were like, what's going on? So we ran xwininfo against that box and it just bombs, but according to the output from the auth check it's unauthenticated. We did some research into this and we really still have no idea why that happens, so that's some further work for us later. The third option is it's vulnerable but

there's no desktop environment. So this happens generally when you run an X server without an operating system or anything like that; when you get a screenshot back it's literally just a black image with the default resolution, so that's not very interesting either. And the final option is jackpot: you find a vulnerable box, that's the one you're looking for. What the script actually does is it generates a screenshot and saves it to your directory, so once you've run the script you can just look at all the pictures, and the pictures are named nicely with IP addresses and whatnot, so you can see, oh no, this one sucks,

this one sucks, that one, let's go for that one. Once we created the scripts it was time to take it for a test drive. Okay, so as you can see, this is South Africa. Now imagine that you are the two interns, like, just finished the training, you have this opportunity to write a nice script, do you think this will be your main target? Well, this was not our main target, but we just started here, we thought we were going to take over like probably the whole internet with our new tool. Okay, so we got some IPs from our scanning team and these are the results. So just in South Africa we scanned about 27 million IPs, we did that

with masscan, since we were just checking for port 6000, X11 ports, and then after that we ran it through our Nmap script. Okay, so looking at the whole of South Africa, we found four vulnerable hosts, now not vulnerable like in every case you could see a desktop, we could see only one desktop. Okay, so this was really pretty disappointing, so we scanned the whole of South Africa, found one desktop environment, and we just thought that was really just lame. So we also asked internally whether people see any of these X11 vulnerabilities on internals, and they confirmed it, they said they are not that common but they do see them on internals, so the tool, if it was

not in vain. Okay, so the conclusion is that our scanning stopped right there, we did not scan the whole internet or whatever, but that's okay. So this picture will always remind us about this whole exercise: this is the one guy in South Africa that was vulnerable. Okay, so Darryn will quickly show you a demo of our tool, and I'll try to speak you through it, or he'll speak you through it as it goes along. Sorry, I talk very loud. Okay, so I'm currently on a private network and I know that there's a vulnerable host, so the first thing you have to do is find it. We're going to run an Nmap scan, let me do that.

Is that big enough, everyone? First let me get the subnet.

I'm going to Nmap my current network looking for port 6000. I'm going to make sure it's only finding open ports, and just to be doubly sure, use the default x11-access script. What I

Our scan's done. Did I find a vulnerable host? Yes, I did.

and mr. just that I did

with our custom script, and it produces a screenshot, it saves it to my [directory] because I didn't provide it with... this is a little teething issue, later we want to change the script so it saves to the current working directory, or the user supplies it with a directory of your choosing. If you check out the screenshots

streets is great look at just

yeah that's why the game

hand against Pedro... once you have this you go, well, that's vulnerable. Now we can run our tool, providing it with the IP address and the display; this is generally port 6000, so this is :0 for 6000. I'll run it as a reference tool on my other screen, the Greater Los considering we may collect little easy regards your mind to change settings

There, so now we're going to grab yourself basically the... it's as close to a remote desktop as you can... Obviously you can see this text box and all the buttons, so it doesn't want to capture your keyboard, but it still allows you to do things like this: I can hit Control-Alt-[unclear], type T, hit enter, since it's Ubuntu it will eventually, when xwatchwin updates, show a shell. I can then type [a command], hit enter, hit enter again, itself in turkey drumstick man and Gia. It also allows for clicking, it doesn't do much trapped in Omaha, but wherever you click, that's where it sends the click, so I can get the X goes away with

the menu eventually. It's a bit slow, but it's better than doing it with one of those multiple tools, giving you a shell. One of the other features we added: in the bottom right corner you can see my

If I can show my box, set up a netcat listener on port 4444, I reckon my teachers and my IP address

I put that in: attacker IP address, the port number, and I hit the [button]. If you're getting annoyed with the laggy desktop on the laptop, what this will do is it will open a shell on the remote machine, run where we can pre-call bash magic, spawning a reverse shell to your host and port, and then minimizing the shell to try and hide the evidence, and then happen easily can I see the time like this, there you go, a professional you're under a high. And just to prove that this isn't the actual wish I just magically I got a box behind some overlay, there's no paradox, that's the terminal

and you can see this is coming through the overlay. I move the front of the happiest and roots of this to me: originally when you clicked the exit button on my other tool, xwatchwin would stay, and it would, when you click xwininfo at urbana some areas in my heart. Yeah, that's the tool. And then there's be bitter and sour, hola, we took with Tina's horrible task, you think, and every time you want to do that you have to search long large, figure out all the usual tools, because xdotool open the light music and drumming ramen shop

[Question] How long did it take in total? About two to three days to recover very old, and then on top of that, like coding here and there over like a month to make it pretty, to add some features, but the main bulk of it was two or three days. First, figuring out: at that point we were new to hacking, and like I had some knowledge on X, so the first day was just figuring out what X was and how to use it, all that stuff, and then the piping came quite quickly. [Question] What's the bandwidth usage of it? It doesn't really use that much, as far as

far as I'm aware, but Graham Nash eternity n Carter. I... but the screenshots, you take a screen dump, it's usually not very long, the X persons

little access, so you can... so you know you can't export the remote display to your machine? So if you run, for example, xterm on the right there and have the title of here, indoor ones? The only way to do that would be through SSH or the proper means, but they make themselves vulnerable like this: it's generally the vulnerable box, it's generally the one that the admin was trying to get connections from other machines, so they're trying to run, like, an X display right on another box, and several years from now on a machinist Olivia, is it, it's what the thickness alarm cotton, and we're still really confused about which way the

communication is happening. Yeah, so when we do export DISPLAY, we are exporting the remote's, and then we run the next virtual or I'm not done, and it does that, sends keyboard, it works to the river, and then you export the remote display terminal and you run, ga ga, we're launching a display over there. So that box, it could be serving on the same box, theoretically it could be X running on a separate machine. Yes, one machine can run multiple X servers; if you're running X servers within X servers it gets complicated, but in this scenario this will generally be fine. Although there is one caveat to our tool, and that is... we saw

I've tried to create a large this because we came across vulnerable Windows machines, a Windows box running X unauthenticated, and I have no idea how they got that in the first place, making a sauce vulnerable using the Unix-based widow

This is bleh, but I found it when I came to use that one, for the tools I found was paid for one thing, but this tool doesn't work against Windows boxes, so if you come across a vulnerable Windows box, this to export all the default tools like xwd, xwininfo, xdotool, alerts d west xbox-green point. Also, that's another to look at later, as Christmas egg, which is to probably manually do X bar instead of life, which seems... Thank you. [Applause]