As promised in my previous post, I am back for an overview of the Troopers19 – Active Directory related talks… Videos have been published and it’s popcorn time… So if you are into stories about Kingdoms and Crown Jewels, grab your loved one [or a drink…] and turn the lights down low, ’cause tonight it’s “Troopers & Chill…”Continue reading
Windows 10 is one of the most commonly deployed operating systems at this time. Knowledge about its components and internal working principles is highly beneficial. Among other things, such a knowledge enables:
- in-depth studies of undocumented, or poorly documented, system functionalities;
- development of performant and compatible software to monitor or extend the activities of the operating system itself; and
- analysis of security-related issues, such as persistent malware.
Generally speaking, I’m more of a Cat type of guy, but I have to say I really love BloodHound. And if you do too, you are in for a treat…
Last week, the ERNW Insight Active Directory Security Summit took place in Heidelberg. (More Info)
For this occasion, @Enno_Insinuator asked me if I would like to deliver a BloodHound Workshop, and of course I accepted the challenge…
This blogpost contains summaries of talks from this year’s TROOPERS18 Defense & Management Track.Continue reading
In various scenarios it might be helpful or even required to have a statically compiled version of Nmap available. This applies to e.g. scenarios where only limited user privileges are available and installing anything to the system might not be desirable.Continue reading
A new ERNW whitepaper was just published. I wrote this whitepaper in the course of my bachelor thesis and it examines multi-factor authentication in Microsoft Windows environments: Continue reading “White Paper on Multi-Factor Authentication in Microsoft Windows Environments”Continue reading
In this post we’ll take a detailed look at the properties of the Windows Server 2016 IPv6 stack.
I perform(ed) this exercise for several reasons:
Last week, we decided to take a look onto the EMET library provided by Microsoft. This library is intended to introduce several security features to applications which are not explicitly compiled to use them.
It also adds an additional layer to protect against typical exploiting techniques by filtering library calls, preventing usage of dangerous functions/components and inserting mitigation technologies.
As EMET is already a target for many researchers, we currently only started to get an overview of it’s structure and how the different components are interacting with each other. Today we would like to share some of our results with you.Continue reading
In a recent assessment, we had to evaluate how Microsoft’s System Management Server (SMS) certificate management solution (CMS) stores and handles certificates. This question came up because sensitive, encrypted user certificates were to be stored in the SMS CMS. Due to the sensitivity of the handled certificates, we assessed the protection capabilities of the certificate management solution against extraction attempts from a local attacker with administrative privileges.Continue reading
Ever got a backdoor installed on your computer by your beloved mouse? Here’s the story of a poor mouse that got really, really sick.
Do you remember the times where people put Teensy-boards and USB hubs in their mouses? [Chris? ;)] Their aim was to attach an additional Human Interface Device (HID, like keyboards or mouses) with some payload in kind of e.g. keystrokes or mouse movements. Also, there are devices available like the USB Rubber Ducky in the housing of a USB thumb drive.
The principle is easy: The tools are using a programmable microcontroller with the capability to emulate USB HID. That’s it. Just program your board of choice with the payload fitting your needs and plug it in at the target computer. The latter will recognize it as a keyboard/mouse and the payload-keystrokes will be entered.
But why should external hardware be used? Many modern gaming peripherals provide functions to store macros on them, including enough onboard memory for little payloads.
While we were working on the layout of this years’ Troopers-Badge, I felt uncomfortable using my touchpad, so I switched over to a Logitech G-series gaming mouse. This one worked like a charm – many buttons and the feature to store personal profiles on the mouse itself, which is perfect when you work on more than one machine.
But wait – macros and profiles stored on the mouse? Recall the lines above concerning the HID story.
Could it be possible to store a macro big enough to drop a reverse shell on a Windows target?
Actually – it could.
It’s just as simple as using the Logitech Gaming Software’s Command Editor. Choose a button, put a macro on it, fit the timings and go!
The only thing you should consider, that you’re limited to about 100 keystrokes. If there should be something dropped on the target, like an executable or a script, you should think about using FTP or Powershell to download it externally, like I did here.
In this Proof of Concept the marco opens the Windows Command Line and downloads Netcat via Windows’ own ftp.exe from an external FTP server. Afterwards, it launches Netcat in background mode, while a Netcat listener already is waiting on the remote machine.
I think this kind of attack is dangerous due to its minimal effort and people trusting their mouses. Who would be afraid of a manipulated mouse, while being away for just 2 minutes to grab a cold Mate drink in the kitchen? The mouse’s software in this example offers the option to delay the keystrokes. Consider, the mouse acts like usual and after 30 or 60 seconds the bad magic happens, and it would take only a few seconds, so you might even miss the chance to see the windows popping up.
Live long and prosper,