Monday, December 10, 2018

I C(Sharp) Your Clipboard Contents

Clipboard Monitoring



Have you ever wondered what occurs when you push Ctrl+C or right click some highlighted text/image and click copy on Windows?

We're going to look into detecting changes to the clipboard, clipboard events, and reading the data copied to the clipboard. Additionally, we'll read the user's current active window for additional context on where the user was copying data from. We will achieve this with a Windows form and .NET's Platform Invoke (P/Invoke) functionality. The ability to P/Invoke provides interoperability and allows us to call unmanaged DLLs within our managed C# code.

Clipboard data can be useful during a penetration test to defeat some password managers or can provide additional context about your target in conjunction with screenshots and keyloggers.

Detecting Clipboard Events

Anytime the clipboard is updated, a WM_CLIPBOARDUPDATE message is sent to all windows registered in the clipboard format list. A window can be added to the clipboard format list using AddClipboardFormatListener(). Additionally, the WndProc() method processes all messages for any given Windows form.

Knowing this, we are able to use AddClipboardFormatListener() to add our Windows form to the clipboard format list. Once it is part of the clipboard format list, our Windows form will receive WM_CLIPBOARDUPDATE messages which we can listen for by overriding the WndProc() method. When a WM_CLIPBOARDUPDATE message is received, we can read the data from the clipboard or perform any other actions when the contents of the clipboard are changed.

SharpClipboard

Most of the code I will be showing is not original work. I've simply moved things around, added some functionality and added additional comments. I'd like to preface this section with the following links:

The NativeMethods class holds various constants and native Windows functions that we are calling through P/Invoke.

Originally, I assigned the STAThread attribute to the Main() method. However, when using execute-assembly in Cobalt Strike I ran into the following error.


It seemed that the STAThread attribute was not being assigned to the Main() method when using execute-assembly. The Clipboard class serves to override the Clipboard.GetText() method so that we can assign the STAThread attribute to our thread and retrieve the clipboard contents.

The ClipboardNotification class adds  our window to the clipboard format listeners list and overrides the WndProc() method.  When our window receives the WM_CLIPBOARDUPDATE message, the user's current active window is sent to standard output as well as the contents of the clipboard.

Below is an example of the output from testing:


Below is some testing against common password managers such as Keepass and 1Password:











































As you can see, we were able to identify when the clipboard is updated in order to read the clipboard contents and the current active windows. Thanks for reading! You can find my code at https://github.com/justinbui/SharpClipboard. I hope you learned a little about the Windows clipboard or C# today. If you spot any errors, please let me know by Twitter (@slyd0g) or by e-mail (justin.bui.ee@gmail.com).

Considerations / Future Work

  • If using this with Cobalt Strike, it will keep a post-exploitation process spawned (as set by spawnto) which could lead to detection. You will have to manually kill the job using jobkill.
  • I plan to create a small aggressor script to start/stop the clipboard monitoring. Eventually, I want to create a copy event store similar to the credential store already in Cobalt Strike.

References










Friday, September 28, 2018

LyncSniper: Kicking Out The Garbage!

LyncSniper



LyncSniper is an essential tool for any external penetration test or red team engagement. It performs brute-force and password spraying attacks against Skype for Business to obtain valid credentials. LyncSniper was written by @domchell of the MDSec ActiveBreach Team. MDSec put out an awesome blogpost detailing exactly how LyncSniper works and what you can do with valid Skype for Business credentials here. Big thanks to everyone who has contributed to the tool!

LyncSniper's Invoke-LyncSpray function will take a list of e-mail addresses and attempt to authenticate to Skype For Business with a single password (e.g. Summer2018). Based on the response, LyncSniper is able to determine whether an authentication attempt was successful as well as if the username provided was a valid username (when using the -Office365 flag).

What's the fuss about obtaining Skype for Business credentials? In the past, I've been able to log-in to Office 365 e-mails and even log-in directly to a company's VPN to gain direct access to the internal network.

I added a couple lines of PowerShell that will save all invalid usernames and cross-check this with the initial list of e-mails and output a clean list of e-mails. This saves time in future LyncSniper attempts as well as lets you know which e-mails are valid for future social engineering attempts.

I'll walk you through how I have used LyncSniper on previous pen tests and then introduce the small changes I made.

Open-Source Intelligence (OSINT)

Open-source intelligence is essentially any data about a company or its employees that is publicly available through websites such as Google or LinkedIn.

In the case of LyncSniper, we're looking to obtain a list of employee e-mail addresses. This can be done by researching current employees at the company and the format in which a company turns names into e-mails. Below are a few tools or techniques I like to use:
  1. theharvester is a tool that ships default on Kali Linux 2 and scrapes various search engines for e-mail addresses and other interesting information.
  2. LinkedIn
  3. Data.com is a Salesforce product that can help identify employee names. They're removing this service come May 4, 2019 so use it while you can!
    • Note: You're supposed to pay to export data. However, you can search up employees of a company and then copy the table into Excel, then grab the names and copy them into a text document.
Once you have a large list of employees, you have to research how the company formats employee e-mails. Some formats I have seen: johndoe@domain.com, jdoe@domain.com, doej@domain.com, jdoe001@domain.com, john.doe@domain.com. Search around and you should be able to find an example. Often times, the company's executive team publicizes their contact information in conferences/talks/events which you can find on Google ;)

LyncSniper Usage

LyncSniper has two main modules: Invoke-LyncSpray and Invoke-LyncBrute.

I'll be focusing on Invoke-LyncSpray as this is less likely to lock out accounts and generally what I use. You can run Invoke-LyncSpray as follows:

Invoke-LyncSpray -UserList C:\Users\path\to\userlist.txt -Password Summer2018 -Office365 -Verbose -Delay 5000

This will attempt to authenticate to Skype for Business with the e-mails in the user list provided with a single password, in our case 'Summer2018'. Some common passwords I will use in spray attempts can be found here: https://github.com/SpiderLabs/Spray/blob/master/passwords-English.txt. The output will return successful authentication attempts and tell us which e-mail addresses were invalid.

Kicking Out The Garbage!

To remove invalid usernames from the user list I used to go through one-by-one and delete e-mails that LyncSniper told me were invalid. I had enough and figured I could save myself a couple minutes every pen test if I automated this!

First, I created an ArrayList to store the invalid usernames in the Invoke-LyncSpray function.


Invoke-LyncSpray calls the Invoke-AuthenticateO365 function when the -Office365 flag is used. Invoke-AuthenticateO365 is able to determine when a username does not exist. Thanks to @cobbr for adding this feature! I added all invalid usernames to $InvalidUsernames with the following.


Lastly, I check if the user specified the -Office365 flag and compare $UserList to $InvalidUsernames and output all valid usernames to <original user list>_validusers.txt.


That's it! We removed all the invalid usernames and have a clean list of valid users to work with in the future. You can find my edits to LyncSniper here: https://github.com/justinbui/LyncSniper

Thanks for reading! I hope you learned a little something about LyncSniper, performing OSINT, password spraying or PowerShell today. Thanks again to @domchell for the amazing tool! Thanks @dotslashpeaches for showing me the song that inspired the title of this post. If you spot any errors, please let me know by Twitter @youslydawg or e-mail justin.bui.ee@gmail.com.

References

Saturday, August 18, 2018

Kerberoasting and SharpRoast output parsing!

Hey everyone, so harmj0y released a bunch of cool C# tools about a month ago here: https://www.harmj0y.net/blog/redteaming/ghostpack/.

Today, I used SharpRoast from the released tool set which is a C# implementation of Kerberoasting and wrote a crappy bash one-liner that will parse the output into hashcat format for you to crack!

Kerberos

In a nutshell, Kerberos is used to authenticate to services on the Windows domain using a ticketing system. When a user authenticated to the domain wants to access a service, the user requests a service ticket from the domain controller. The domain controller does not control authentication to the service. This responsibility is given to the service itself. Once the user has a service ticket, it presents the ticket to the service and the service will determine if the user can access the service. 

Kerberoasting is an attack on this authentication protocol. The service ticket granted by the domain controller is encrypted with the service account's NTLM hash (ding ding!). If we can crack the NTLM hash we can authenticate as the service account. This is important because service accounts generally have administrative access on the server providing the service.  Based on the nature of service accounts, they can even be given administrative access to machines that interact with the service. All in all, compromising service accounts can give additional access that one previously didn't have leading to full compromise of a domain.

Some key things that make Kerberoasting so effective:
1. Any user on the domain can request these tickets.
2. You do not need to be a local admin on your machine.
3. Offline cracking so you don't have to worry about locking accounts out.
3. People use shitty passwords.

SharpRoast

SharpRoast is a C# implementation of Kerberoasting released by harmj0y about a month ago!

The output of SharpRoast gives you the SamAccountName, DistinguishedName, ServicePrincipalName and the Hash (in hashcat cracking format). The only issue is the hash is broken across multiple lines with a ton of whitespace that you have to delete before you can throw it in your cracker.

Demo


This is an example of the output of a single hash from SharpRoast. Now imagine manually parsing multiple of these into one lined hashes! That'd be a nightmare.


I know this isn't the prettiest or most efficient way to do this, but hey it works! Here's the one-liner:

cat kerberoast.txt | grep Hash -A 29 | sed 's/\<Hash\>//g' | sed s/://g | sed s/--//g | sed -r 's/\s+//g' | tr '\n' ' ' | sed 's/\s//g' | sed 's/$k\{1,\}/\'$'\n&/g' > kerb_hashes_hashcat.txt

Some shortcomings:
1. There's a newline at the beginning of the file, you can just manually delete this.
2. The part where you 'grep Hash -A 29', 29 lines may truncate or capture too many lines depending on your ServicePrincipalName and DistinguishedName. Play around with this number to make sure you're capturing the entire hash.

And just like that you're ready to fire up your cracker and hopefully crack the hashes for some plaintext passwords :)

Thanks for reading! Hope you learned a little something about Kerberoasting and how it can be used to further your access on a Windows domain. If you spot any errors, please let me know on twitter or by email!

References