
Abusing Windows with PowerShell and Microsoft debuggers

BSides DC · 2016 · 49:52 · 800 views · Published 2016-10
Category: Technical · Team: Red · Style: Talk
About this talk
PowerMemory is a post-exploitation tool and an Active Directory reconnaissance tool. It can bypass antivirus programs by its internal functioning (using only trusted tools), it can retrieve credential information and manipulate memory to get shellcode executed and to modify processes in memory. Today, PowerShell is everywhere and, just as this tool is useful for system administrators to accomplish their tasks, it can also be a very useful tool for attackers when it is time to exploit things in a corporate environment. The other component for attacking a corporate environment could be another innocent tool like a Microsoft debugger. The debugger allows us to access everything in user land and kernel land. To abuse Windows, a lot of tools provide access to memory through Windows APIs and, where necessary, use kernel drivers to access it. But when it is time to abuse user land and kernel land, it doesn't stop there, as the operating system can be abused by reading and writing its memory with simple trusted tools: debuggers. Why use a debugger to do the abuses? Because we chose Microsoft debuggers, which are trusted with SHA-1/SHA-256 certificates. To automate the attacks, we will use PowerShell because it is installed on every corporate computer. As our method doesn't need Windows API reflection, this kind of attack could become very hard to detect and mitigate. With such simple tools, we will demonstrate that we can do a lot. As far as I know, my attack approach is different because it only uses Microsoft debugger and PowerShell tools to succeed. Mimikatz and WCE already reveal passwords, but I was not able to find tools using my approach. Also, the Pass-The-Token attack approach is not documented and could be a very easy and effective attack, simply using a Microsoft debugger to be able to impersonate any process identity. How "deep" can we dig into the memory without any other help than the debugger?
Keywords: debugger attack, offensive PowerShell automation, Pass-The-Token attack, kernel security, process injection

Pierre-Alexandre Braeken (Senior Consultant / Security Architect at Deloitte)

Mr. Braeken is an accomplished and highly experienced Security Architect with over 12 years of experience in engineering and system architecture. In his career he has focused specifically on security (MCSE, MCSA, MCITP), specializing in the implementation of large projects for businesses relying on the Microsoft infrastructure and alternative platforms. He is a Microsoft Certified Solutions Expert in Server Infrastructure. He has an excellent command and understanding of information security, security architecture and secure application development, and strong analytical skills pertaining to enterprise situations, risk and contingency plans. Mr. Braeken works for Deloitte as a Senior Consultant in Cyber Risks (Enterprise Risk Services). He does unique Windows security research and speaks about it at international conferences (HackFest 2015 - Québec, Canada; Infosecurity Europe - London, UK).

Thanks to our video sponsors: Antietam Technologies http://antietamtechnologies.com, ClearedJobs.Net http://www.clearedjobs.net, CyberSecJobs.Com http://www.cybersecjobs.com

Transcript [en]

The BSides DC 2016 videos are brought to you by ClearedJobs.Net and CyberSecJobs.com, tools for your next career move, and Antietam Technologies, focusing on advanced cyber detection, analysis and mitigation.

Hi everybody, thank you very much for being here. So normally it worked when I checked, like two minutes ago. I'm Pierre-Alexandre Braeken, I come from Montreal; I flew this morning. I'm Belgian and I will present to you how to abuse Windows with tools that are installed and signed already in Windows. Yeah, sorry, like that. So like I said, I'm from Belgium, I'm working at Deloitte in Montreal. I do incident response, compromise assessment and red team. I have 13 years of experience in information technology and security, and I already talked at several security conferences like HackFest, Infosecurity Europe in London, UK, SecTor just two days ago, and I will talk about my tools at Black Hat Arsenal Europe this year. And also I'm a StarCraft 2 player, so if people like this game, come and we will speak about that after the conference.

Why PowerMemory? Because I wanted to create something with PowerShell and using Microsoft tools, Microsoft tools which are signed by Microsoft, so associated with a certificate delivered by Microsoft, so it's very cool. And yes, get a lot of money, but it doesn't work. So I did that, I had a lot of fun with that.

The agenda: what is PowerMemory, and then I will show you what PowerMemory uses, so the binaries. Actually it is a debugger, so the debuggers of Microsoft, which are WinDbg and cdb for the command line tool. Then we will be a bit more technical and I will show you exactly what I do in memory and what bytes I change. I will talk about Empire, if people know about Empire; I made pull requests for PowerMemory into Empire. And mitigations.

So what is PowerMemory? PowerMemory is a Minesweeper solver. That's all, thank you. That's a troll, but it's true, and I will show you how we can solve it. I never played this game, you know, with all this kind of bomb, I never played before. But the goal was to illustrate, to show how you can modify the memory directly during the execution of the operating system with a tool like a debugger, and automate it. And so imagine some other scenarios like financial software or something like that. So with PowerShell and a Microsoft tool, which is a signed debugger, PowerMemory can do what you want in user land, kernel land and Wonderland. So if you know Cheshire and Alice and all that.

So basically what I do with PowerShell: the tool and the debugger are sending and receiving text and bytes, that's all. I don't use APIs, I let the debugger do it for me, so all the calls to the operating system will be done by this debugger, and with that you can do everything you want on the operating system. So PowerMemory, used in an attack, as I said, you can get Windows passwords from the memory. It's not the same thing as Mimikatz, because Mimikatz will call the API; here I just use the debugger. You can inject and execute shellcode in a remote process, you can modify the memory of a process, then you can do kernel land stuff too, so you will have some screen like that. But it's very useful because you can do all that advanced malware can do, so for example DKOM, direct kernel object manipulation, and with this kind of technique you can hide a process from Task Manager, for example, and from the kernel structures. You can protect a process, which is very interesting because it gives you access to special processes like LSASS. If you cannot see very well on the screen: if you try, on several recent operating systems, to dump this process, you will have this kind of error message. So by protecting your process like LSASS, you will be able to dump it as usual. You can inject your privilege into a process with the SYSTEM identity, just by sending bytes into the process, and then you will have all the operating rights, I don't know, all the rights, you know, it's pretty a lot, but I'm sure I have all the rights, you know. And you can do a Pass-The-Token attack. So these are all proofs of concept; you can do a lot more if you want.

PowerMemory, on top of that, is also an Active Directory recognition tool, so you can use it to make a scan of an Active Directory domain, and passively, because it's with the SPN technique, which is service principal name in Active Directory. So if you want to have, I don't know, all the SQL servers, you can do it by just asking the domain controller. You can have files of everything you want. You can get GPP passwords, but for all connected forests, so this tool will detect all the forests and connected forests and will try to retrieve all the GPP passwords of all the domains and connected forests. So you can also assess the server shares of all connected forests, looking for shares accessible by authenticated users, because it's often the case in the domain, so when it's not very well configured you will have this kind of behavior on the network. So you can assess that, and you can draw the AD topology like in Visio. Also you can try to elevate rights, because if you are not an administrator on the workstation you cannot do a lot of things, so you have Escalate that can be launched and it will try to elevate your rights on this workstation. It reads the McAfee passwords, which are stored in XML files; so I did that, someone did that, I did it the other way. You can provoke a BSOD, and why I did this proof of concept is because if the computer is configured to crash and dump the crash on the operating system, you can collect that crash and then give it to PowerMemory and get the password. Bypass UAC. And something very funny on very old software that I saw at a different client, so it's actually, I think it's something from '94 or something like that, and it's actually still installed on several electronic lines, so it's interesting. So if you launch the tool directly on the computer you will have a menu like that and you can try all the things; like I said, it's very easy to use.

Okay, so what debugger does PowerMemory use? It leverages the sentence of Jeffrey Snover, who created PowerShell: he said to us to automate all the things. So I said to myself, okay, I will automate something like the debugger to do things like that, to abuse Windows, but you can do everything you want, as I said. Why I wanted to use that: because it's signed, and as it's signed, never will an antivirus catch that by default, and I don't know a lot of them that are well developed enough to detect that behavior, because if you have to try to detect all the signed binaries it will be very difficult. But you have to do that, because as I show you, it can be a big problem; so it's trusted everywhere.

First step: when you are in front of the console of the debugger, you can ask it to display bytes, so on the screen I put db and you will have the bytes. So it's like 51 D1, something like that, I don't know if you can see that, I'm not sure. So when you type that you will have this kind of information, so you see just letters and numbers. You can do that: display word to display two bytes, display double word for four bytes, etc. And if you type du you will have the ASCII representation, so it's the clear text. I just type du and an address in memory and I get my email, so PA Braeken at blah blah blah. If you do that on an address where a password is contained you will have something like not in the ASCII table, so you won't see anything. So you have to do other things to get a password, it's not as easy.

Also, when you try to display information: when you compile a program, in almost all cases it will generate a PDB file, and the PDB file contains some information very important for the program to run, and Microsoft is very cool with us because it hosts a special symbol server on the internet that you can access, and every developer will access that to debug kernel things. So they host all the symbols that are generated with the programs. So if I just try to display something with a symbol, so it's wdigest etc., and I didn't load the symbols, I will have quotation marks, not the content of the bytes. If I load the symbols I will have the bytes. I'm sorry that you cannot look very well at the screen; these slides will be on the internet so you will be able to look at that more clearly. So symbols are free, you can really easily put that in the debugger and it will manage all the things for you; you don't have to know anything about symbols to load that. So you indicate this URL in your debugger and you will be able to get all the symbols.

So to get the passwords in memory we will need to have different symbols, which I will give you now. So the first one is the symbol which represents the list entry, because all the passwords in the memory are contained in a list, a circular list, and so you will need to go through the list to get all the accounts that are stored in memory, because if you are on, I don't know, a terminal server with a lot of users, I don't know, 10 users for example, you will need to get to all these 10 users to get all the passwords. So the first one is the list entry and the symbol is l_LogSessList, I don't know how to say that in English. Okay, so you type db and the symbol and you will get the bytes representing the first list entry; I will show you the list entry just after this slide. Then you will need the key, because the password is encrypted; since it's symmetric encryption you need this symbol. So, I don't know, it's not very interesting, but DES, because NT 5 is for older operating systems, XP for example, so the information is encrypted in DES-X, which is created by Microsoft and not documented, so it was very difficult to crack this one. And 2008 etc., NT 6, this was very easy because it's a standard protocol, 3DES. And for NT 6 and NT 10 you need a 3DES key, not DES-X, and AES if it's encrypted with this protocol, but I never saw the second one used. Also AES, and the initialization vector.

But we need to go deeper now, so let's get technical, because it was, you know, just for now. So to really understand where to get the password I will show you: it's not in the kernel, it's in user land, so you don't have to be in the kernel to do that. We will attack the wdigest security support provider, which is very interesting because if you disable that, and Microsoft proposed as a solution to disable that in companies, you won't have SSO, so no SharePoint, no nothing. So nobody disables this feature, because if you disable that your company won't work normally. So, how to do that, to steal the bytes: you can dump the LSASS process, you can do it locally or remotely, and PowerMemory will do it locally or remotely. You can convert a file like hiberfil.sys; I prefer NotMyFault, you ask it to dump the information. You can provoke a BSOD and get the crash dump file. So you are maybe not an administrator of the computer: you can leverage the hypervisor, because imagine that you are an operator, not an administrator, an operator of VMware or Hyper-V, but you don't have any rights on the target, so on the Windows installed inside the hypervisor. So as an operator, if I have the right to get, you know, the special file which contains the memory of the virtual machine inside the hypervisor, I will get all the passwords. So I did it, and you can get the passwords as an operator in Hyper-V and in VMware, and Microsoft said to me, no, it's not a problem because you are in front of the hypervisor. So okay, you can also access the LSASS process directly if you have kernel mode access; if you have kernel mode access you don't need to dump that, you can directly steal the bytes.

Okay, so PowerMemory, what it does: it calls the debugger, it sends to it a command to execute, then you retrieve the bytes, it parses them very basically, and when you have them, okay, you need something else, you send another command, to inject and launch it, and you can write to an address thanks to the debugger. So okay, can you see the password? The password is over there. I'll show you, but if I show that it would be like I asked you to find Waldo, you know; I don't know, I never found Waldo, and it's even more difficult on the screen. I think, I hope you will see that because it's very interesting. So it's the list entry, you know, I gave you the symbol to get the list entry, so it's a list entry dumped from a 2008 R2 Windows Server. Okay, the first green element is the next entry in the list, okay, it's an address; you type this address, you will get the next entry in the list. The red one is the previous one, because it's circular like I said. This address, as you can see, is this address. The LUID address, which is not at all interesting to get the password, but which is a unique identifier on a Windows computer which is guaranteed to be unique until the next reboot. Then you have the user name address, and it's in clear text, so if you type du with this address you will have the username. The NetBIOS domain name address. The encrypted password, so if you try du you will get nothing. The domain name address and the user-name-at-domain address. So it's true for 2008 R2 on a 64-bit architecture; if you have a 32-bit 2003 it will be different, if you have a 2012 it will be different. So I had to parse all the things regarding the target operating system, the max length of the field and the min length.

So you have the password, because you have the address of the password; it's not enough, you need the key and the initialization vector. On a 2008 R2, so okay, I type dd lsasrv!h3DesKey and I get this kind of thing. So the green address is the next entry, so okay, I type that, I get in red, I get the size of the block; it's empirical, so I figured it out, but I'm not sure, it's a thing, but I reviewed a lot of them, really, so I think it's the size. The tag KSSM, which is also always the same. Next information: you type dd on this address and you will get in red the size, in purple another tag, which is MSSK, and the key, and if you type db it will do the little-endian transformation for you, so it's interesting. So in blue you have the key represented in bytes for you. So you have the password, you have the key, you need the initialization vector. Ah, and there we will be very technical now, because to get that, it's very difficult to get that: you have to type db and the symbol and you have directly the initialization vector. So it's the more difficult part of all the other things. So you have got the three pieces of information, and with these three pieces of information you will be able to decrypt that very easily by a standard algorithm, nothing else. Okay, I have some demos, so first demo to get the password.

Okay, so it's PowerShell. I see nothing, okay. So you just launch it locally on the computer, it shows you a menu, you type, okay, I want the password, so I type 1. It figures out your rights level etc., so it launched another console, and then you can do different things. The first thing is, okay, if you are in a Windows domain, do you want that, if I find something, do you want that I match it with, you know, is it a domain administrator, is it an enterprise one, is it a backup operator, or what it is? But if you do that it will make an LDAP request to the domain controller, so maybe you don't want to do that. To get the password locally you type 1; you can do it remotely, you can do it from an LSASS process you collected, I don't know, when you go to a friend's house, like that; you can do it with a VM snapshot, you can do it in kernel mode. So I will type 1, and no, I don't want to send it to Pastebin, but if you just type Enter it won't send it, you know; I'll show you, you can look into the code, I have nothing to add. So okay, and do you want to, I don't know, do you want to clear the event log on this computer? So yes, we can. The technique is just to stop everything that holds the event log, so I do that first, and then I replace the log with another log that contains nothing, or information completely useless, you know. So yes, getting valuable information, and okay, I have the password, and I put a very secure one because I put, you know, Password2, because 1 is very insecure, so I prefer, you know. And the non-understandable characters are because it's a key associated with the machine, with the computer. Okay.

Okay, you can inject shellcode into a remote process and execute it, and the goal is not just to do what you can already do, but do it and never use an API, okay, so just manipulating bytes in the memory, and I would like to call it without calling an API. So to do that you need to get an executable memory zone somewhere, you need a null padding zone in this executable memory zone that you got, and you need the address of the null padding to execute it, because, I give you the hint, to execute it we will just modify the register instruction pointer, and so the next instruction sent to the operating system will be your shellcode. So we will need to parse the portable executable loaded into the memory, and it's not very difficult. The first thing you have to get is the address of the module loaded into the memory, so for the target that you try to parse. From this module address you get the PE header address, which is located at the module address plus 3C. From this PE address, which is always 24 bytes, you have the size of the optional header in bytes. From the optional header you can add the section table structure, because it follows immediately the previous information you got, and from the section table you will have the virtual size, the virtual address and the raw data pointer that you need to calculate your things, etc. And then these are the commands that I... so I write the bytes. I take a shellcode, I write the bytes into the memory and I just ask the debugger to modify the register instruction pointer with the module address that I found, and it will launch my shellcode in the process that I attacked, with the rights level of this process, and you will have a calculator. Demo. A friend of mine prays actually to the god of demos, because I have like four demos, you know. So okay.

Okay, oh yeah, I can show you the Minesweeper solver, because it shows something about modifying memory directly, you know. I don't know, if an accountant modifies financial information in the memory, it could be very insecure, you know, to see that modified, and the accountant could see the things normally, and the data sent won't be what he tried to input into the screen. So okay, so the minefield, okay, so it launched something; so it's, you know, there's a grid where you have to click, etc. Okay, yeah, it's not easy, but maybe I will just for that modify my settings.

Okay, so you have, you know, you have the Minesweeper, you have a menu, because it asks you, okay, how do you want to solve the grid of the Minesweeper? You can flag the bombs if you want, like the normal game, but it's a very bad game, I don't like, you know, putting all the flags, it's not very interesting. You can demine the bombs directly if you want, you can reveal the bombs, you can explode the bombs and still win, you can make a 42 option which is a special one, and you can clean the board. If I try, I don't know, to explode the bombs: so it works with my phone in tethering, so maybe it won't be very fast. So it looks in the kernel, sorry, user land, it's not kernel, and it will try to figure out which is the size of the grid and then parse it in the memory, because in the memory you have the exact structure that you can see on the screen, but not exactly like, you know, the grid perfectly aligned, it's not like that. Normally it's very quick, but... okay, so it shows the icon here; it will work, it's just because of the internet connection, I think, of my phone. Okay, so 13 times 16, so it found the grid in the memory and it says, okay, it has been secured, so I will try to display that. Oh wow, interesting, so I have exploded all the mines and I cannot lose now. So it's, you know, okay, you can do that, it's not very interesting because it's not fast to win, so I prefer to select, you know, the option of clean the board, and I just click one and then I win directly and I have the maximum score. Yeah, so it's fun, but the goal is to show you the impact.

So for the rest: injection into a remote process. No, it's not better. So I will... wow, okay, I don't know if I have a process. Okay, I have a cmd, okay, command prompt; I will close it, okay, so I launched another one. So I want to inject something, not all the privileges, not this time, but a process, something, so I parse all the things, and normally you have to see... I don't see that because my... is calculating. Okay. I don't know why it does not work, okay. Okay, actually it worked, but as we cannot see all the screen I will try to just relaunch it, sorry. Yes, I don't know what it is, but normally you see it. I can try to inject, because in fact if I try to put exit, you know, I don't exit because my process is already injected into. But if you want to see the calculator I will try to inject another process, like Notepad. Okay, I have the calculator, and if I show you in the memory with the tools of Mark Russinovich, working at Microsoft and who created the Sysinternals suite, it's injected into the Notepad, okay, the calculator is in the notepad.exe process. Okay, yes.

But okay, kernel stuff: so now we are going to kernel land because it's more fun. You can do everything in the kernel, all that you can do in user land, but also a lot of things that you cannot, and just to make an easy proof of concept that is easy to understand, I will show you how to hide a process. It's not a new technique to hide a process; advanced malware already did that, but maybe not with the debugger and PowerShell like that. So if you want to hide a process in the memory: a process is contained in an EPROCESS structure; if you type on Google EPROCESS structure you will find it and you have this kind of information. So each little square is a process, and yes, FLINK and BLINK is for forward link and backward link; you can see that all is linked to each other, and in a circular way. So the first thing to do is to unlink, you know, a process, because it's more fun if it's unlinked, because the kernel won't be able to see that. But if you just do that, it just BSODs, so blue screen of death immediately. So you have to give the kernel the illusion that all is okay. So okay, in PowerShell you send a command to the debugger and you create this link from the previous process to the next one, and you do the same thing for the backward link. But if you do just that, same thing, BSOD, because the operating system will figure out that you have done something with its structure, its internal structure, because one of the processes, which is actually a process, is not linked to anything, so it's not normal. So you simulate it, you create that and this, and all will be very good for the kernel, and you can continue to work normally with a process which is hidden.

So yes, sorry, so demo, my last demo. So demo: you want to hide something from the kernel and from the operating system, sorry. So okay, we have the cmd that we had just before; I will type, hide my process, which is cmd.exe, and I will try to hide. Okay, okay. Maybe I will have the same problem with the internet connection, because why I need the internet connection: I don't really need it absolutely, but as I said, first I connect to Microsoft, it checks if it found the address, and if it did not, I have to connect to the Microsoft servers, the Microsoft symbol servers, to get the symbols and then be able to, you know, type all the things. I could preload all the symbols on my computer and not need to do that, but I don't want to, you know, put all the symbols of all the operating systems on my computer, because it's not a targeted attack, it's just a demonstration. If I need to make something targeted I will target a specific operating system on a specific architecture. So yes, it's sorted by name, so yes, it's not that, but it's easy, because if I... yes, yes, I have cmd, you know, I can type whoami, yes, like that, and yes, it works, because in Windows we have processes and threads, and the threads continue to work as usual and normally. But I like to, you know, do things correctly, so if you have this address, which is the current address of this process, yes, it appears, so it works too. Okay.

Yeah, I did a thing to weaponize these tools, so if you know Empire, which is a very cool tool, I did a pull request on it to be able to do this kind of thing with the debugger on the target, so it's not in Wonderland, it's the real world. So normally I have music with, you know... I don't have that for you, sorry. So Empire is a very cool tool; if you don't know it you have to look at that on the internet. So it was developed by three people but also helped by other people, so harmj0y, sixdub, enigma0x3, but you have also Matt Graeber, who is a very awesome guy, and Sean Metcalf, who was the speaker just before. So if you want to do that, you have to target something, I don't know what; you force the target to load your Empire agent and, through the package, you load PowerMemory into the target memory, you drop the signed tool, because it's a concept, and you make profit. And I have a demo for you. So you have a basic Kali, and here maybe the password is not as secure, you know, because it's 1. So you have Empire. Okay, I have listeners, no, but no agents, and you can do different things here. I will try to show you something, but I'm not sure it will work, but it's something that Casey Smith, I don't know if you know him, Casey Smith, subTee, illustrated: different techniques to bypass whitelisting, to try to bypass Microsoft whitelisting with Microsoft tools. So he showed that with a software called msbuild.exe you should be able to launch, I don't know, PowerShell code for example. So as soon as I saw that I tried to do something, and the thing is, yeah, okay, the thing is to launch PowerShell but without having PowerShell in memory. Okay. So it's in... okay. Okay.

And you have... yeah, so you have MSBuild, which is pre-installed by Microsoft, and I prepared something which is BSidesDC.xml. So if you are able to cross, for example, by something like a rule, an AppLocker rule, a client rule, for the client to launch software which is already installed in the operating system with just something not very dangerous, like an XML file, you should be able to provoke something like that. Okay, I have an agent, you saw, so initial agent blah blah blah, it just came from that, and if I check my memory just with that, I see PowerShell ISE, which is my IDE, but I don't see PowerShell as a console, because if PowerShell was launched I would have something like that, and it's actually loaded in msbuild.exe. So it's on my GitHub if you want to take a look at that. But the objective was not that; it is to look at PowerMemory through Empire. So you can interact with this agent, usemodule, and my module is... it's really easy to say: it's RWMCRS, but it actually means something: it's Reveal Windows Memory Credentials Remote Shell. So info: you don't need anything else, you just need an active agent on your target and you type run, and normally it will work, yes, or debug. So you have, I don't know, okay, follow the white rabbit, obviously, in Wonderland, and normally we will have a password. So you have this machine, yes, so Password2, you know, etc., and this machine is maybe, I don't know, on the internet or something like that.

Okay, mitigation: how to mitigate that kind of attack. The first thing is: don't trust the trusted tools. Sorry, that's the first answer to that. You have to look at behavior, so it's more difficult; it's not just, okay, this tool is not signed, because people say, okay, I will just take a look at all the, I don't know, autoruns, for example, which are installed on the operating system, and just look at those which are not signed. But yes, look also at the ones which are signed, because if you have a debugger on your workstations it may be a problem. You have to look for dumping activities, and Microsoft doesn't provide something to do that; you have to code it yourself. I did it, it's not on my GitHub yet but maybe I will. It's really simple: you have to try to detect if something is being attacked, not to... to suspend, okay, the process, because when you try to dump a process you will see a very quick suspend state on this process. So if you are able to detect that a process is suspended, it's not very normal on something like LSASS. You have to look for bcdedit, that we use, because this tool, which is a Microsoft tool and which is installed on your computer, allows an attacker, if the computer is not protected by a BIOS password or something like that, to launch your computer next time in kernel mode, and a way to detect if your computer is in kernel mode is to try to take a screenshot: if you do that you will provoke a break, you know, in the kernel, so it will just do something like that. Don't reinvent, it's not new, and look for behavior.

And yes, I work at Deloitte, I don't know if I already said that, but we have a methodology: secure, vigilant and resilient, and the major point, the first thing, is you have to know your crown jewels, and to, you know, link that with behavior. So if you know what your crown jewels are you will be able to protect this information, and you have the different steps that you can read on this slide and that you can read after. We do actually a lot of things: we do red team, we do compromise assessment, and we also do things like architecture, and so all, you know, all the loop is taken into account. And yes, something that we say a lot is: if you have a company, you will be hacked; the goal is not to avoid all the attacks but to be able to respond to that. So maybe add, I don't know, an incident response program to develop in your company, and if you don't have that you maybe need to put it in place.

Other thing, the summary: so PowerMemory leverages PowerShell and a signed Microsoft debugger to hack the Microsoft operating system. It's difficult to detect because it just sends text and bytes to the debugger, so if you look at the activity it's not very obvious, you know, to detect: ah, it just sent 01, and then it just sent AF, I don't know; so you know, if you see that it won't be very easy to detect. You can also make reconnaissance, I don't know how to say that, of an Active Directory domain, and you can also try to escalate on a workstation. And that's it, thank you very much.
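The section-table walk the speaker describes for the injection demo (e_lfanew at 0x3C, 24 bytes of signature plus file header, SizeOfOptionalHeader, then the section headers with VirtualSize, VirtualAddress and PointerToRawData) as an added example; this is not PowerMemory's code. It parses a constructed minimal PE header and adds two reviewer-side checks, flagging writable-and-executable sections and measuring the zero padding at the end of a section's raw data, which is the kind of null padding the talk refers to.

```python
import struct

# Section Characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def parse_sections(image):
    """Return the section table of a PE image using the offset walk from the talk:
    e_lfanew at 0x3C, then 4 bytes of signature and a 20-byte file header (24 bytes),
    whose SizeOfOptionalHeader field says where the section table begins."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    pe = u32(image, 0x3C)
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad signature at e_lfanew")
    nsections = u16(image, pe + 6)     # IMAGE_FILE_HEADER.NumberOfSections
    size_opt = u16(image, pe + 20)     # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = pe + 24 + size_opt         # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        hdr = image[off:off + SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("section table runs past the end of the image")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", hdr, 0)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "size_of_raw_data": rawsize,
            "pointer_to_raw_data": rawptr,
            "characteristics": u32(hdr, 36),
        })
    return sections


def executable_sections(sections):
    """Sections the loader maps as executable; where code could run from."""
    return [s for s in sections if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE]


def writable_executable_sections(sections):
    """Defender check: W+X sections are unusual in Microsoft-built binaries."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s for s in sections if s["characteristics"] & wx == wx]


def raw_slack(section):
    """Zero padding between the end of a section's content (VirtualSize) and the
    end of its file-aligned raw data; this is the null padding the talk mentions."""
    return max(0, section["size_of_raw_data"] - section["virtual_size"])


def build_sample_image():
    """Constructed minimal PE32+ header with two sections (not a real binary)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE signature
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    fmt = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, PointerToRelocations, PointerToLinenumbers,
    # NumberOfRelocations, NumberOfLinenumbers, Characteristics
    text = struct.pack(fmt, b".text", 0x1A20, 0x1000, 0x1C00, 0x400,
                       0, 0, 0, 0, 0x60000020)       # CODE | EXECUTE | READ
    data = struct.pack(fmt, b".data", 0x200, 0x3000, 0x200, 0x2000,
                       0, 0, 0, 0, 0xC0000040)       # INITIALIZED_DATA | READ | WRITE
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data


if __name__ == "__main__":
    for s in parse_sections(build_sample_image()):
        print("%-8s va=0x%05x raw=0x%05x slack=%d bytes chars=0x%08x" % (
            s["name"], s["virtual_address"], s["pointer_to_raw_data"],
            raw_slack(s), s["characteristics"]))
```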
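The detection side of the process-hiding technique the speaker describes, as an added example (not from the talk or from PowerMemory): a cross-view check over a constructed toy buffer whose 32-byte record layout is made up for the example and is not the real EPROCESS layout. It carves every process record by its tag and compares that with what a walk of the FLINK chain from the list head sees, also verifying the FLINK/BLINK consistency the kernel relies on; `unlink_record` reproduces the unlink-and-relink step the talk describes only so the check has something to find.

```python
import struct

RECORD_SIZE = 32              # constructed toy layout, not the real EPROCESS
PID_OFF, FLINK_OFF, BLINK_OFF, NAME_OFF = 4, 8, 12, 16
PROC_TAG = b"Proc"            # tag that marks a process record in the toy buffer
HEAD = 0                      # offset of the list head (stands in for PsActiveProcessHead)


def rd32(mem, off):
    return struct.unpack_from("<I", mem, off)[0]


def wr32(mem, off, val):
    struct.pack_into("<I", mem, off, val)


def flink(mem, rec):
    return rd32(mem, rec + FLINK_OFF)


def blink(mem, rec):
    return rd32(mem, rec + BLINK_OFF)


def build_sample_memory(procs):
    """Construct a circular doubly-linked list of fake process records."""
    mem = bytearray(RECORD_SIZE * (len(procs) + 1))
    mem[HEAD:HEAD + 4] = b"HEAD"
    offs = [HEAD] + [RECORD_SIZE * (i + 1) for i in range(len(procs))]
    for off, (pid, name) in zip(offs[1:], procs):
        mem[off:off + 4] = PROC_TAG
        wr32(mem, off + PID_OFF, pid)
        mem[off + NAME_OFF:off + NAME_OFF + 16] = name.encode().ljust(16, b"\0")
    n = len(offs)
    for i, off in enumerate(offs):
        wr32(mem, off + FLINK_OFF, offs[(i + 1) % n])
        wr32(mem, off + BLINK_OFF, offs[(i - 1) % n])
    return mem


def unlink_record(mem, rec):
    """The DKOM step from the talk on the toy buffer: bridge the neighbours and
    point the record at itself so nothing dereferences a dangling link."""
    prev, nxt = blink(mem, rec), flink(mem, rec)
    wr32(mem, prev + FLINK_OFF, nxt)
    wr32(mem, nxt + BLINK_OFF, prev)
    wr32(mem, rec + FLINK_OFF, rec)
    wr32(mem, rec + BLINK_OFF, rec)


def walk_active_list(mem):
    """What list-based enumeration (Task Manager style) sees: follow FLINK from
    the head until it returns, checking that each FLINK's BLINK points back."""
    pids, cur, hops = [], flink(mem, HEAD), 0
    while cur != HEAD:
        if hops > len(mem) // RECORD_SIZE:
            raise ValueError("list never returns to the head (corrupted)")
        if blink(mem, flink(mem, cur)) != cur:
            raise ValueError("FLINK/BLINK mismatch at offset 0x%x" % cur)
        pids.append(rd32(mem, cur + PID_OFF))
        cur, hops = flink(mem, cur), hops + 1
    return pids


def scan_records(mem):
    """Carve every record by its tag regardless of list membership (psscan style)."""
    return sorted(rd32(mem, off + PID_OFF)
                  for off in range(0, len(mem), RECORD_SIZE)
                  if mem[off:off + 4] == PROC_TAG)


def hidden_pids(mem):
    """Cross-view check: carved records not reachable from the head are hidden."""
    return sorted(set(scan_records(mem)) - set(walk_active_list(mem)))


if __name__ == "__main__":
    # Constructed sample: four fake processes, then cmd.exe (offset 96) is unlinked.
    mem = build_sample_memory([(4, "System"), (400, "services.exe"),
                               (612, "cmd.exe"), (2024, "notepad.exe")])
    print("before:", walk_active_list(mem), "hidden:", hidden_pids(mem))
    unlink_record(mem, 96)
    print("after: ", walk_active_list(mem), "hidden:", hidden_pids(mem))
```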