
BeRoot - Windows Privilege Escalation Tool


BeRoot(s) is a post-exploitation tool that checks common Windows misconfigurations to find a way to escalate our privileges.

A compiled version is available here.

It will be added to the pupy project as a post-exploitation module (so it will be executed entirely in memory without touching the disk).

Except for one method, this tool only detects; it does not exploit. If something is found, the templates can be used to exploit it. To use them, just create a test.bat file located next to the service / DLL used; it will be executed once the template is called. Depending on the Redistributable Packages installed on the target host, these binaries may not work.

Run it
|====================================================================|
| |
| Windows Privilege Escalation |
| |
| ! BANG BANG ! |
| |
|====================================================================|


usage: beRoot.exe [-h] [-l] [-w] [-c CMD]

Windows Privilege Escalation

optional arguments:
-h, --help show this help message and exit
-l, --list list all softwares installed (not run by default)
-w, --write write output
-c CMD, --cmd CMD cmd to execute for the webclient check (default: whoami)
All detection methods are described in the following document.

Path containing spaces without quotes
Consider the following file path:
C:\Program Files\Some Test\binary.exe
If the path contains spaces and is not quoted, Windows tries to locate and execute programs in the following order:
C:\Program.exe
C:\Program Files\Some.exe
C:\Program Files\Some Test\binary.exe
Following this example, if the "C:\" folder is writable, it would be possible to create a malicious executable called "Program.exe". If "binary.exe" runs with high privileges, this could be a good way to escalate our privileges.
Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.
How to exploit:

The vulnerable path runs as:
  • a service: create a malicious service (or compile the service template)
  • a classic executable: create your own executable.
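The search-order expansion described above, written as an added audit script (it is not BeRoot's own code): it enumerates the executables Windows would try for an unquoted ImagePath and flags those whose parent directory a low-privileged user could write to, so the path can be quoted or the ACL fixed. The `writable` predicate and `SAMPLE_SERVICES` are constructed stand-ins so the logic runs offline.

```python
import ntpath


def candidate_paths(image_path):
    """Return the paths Windows tries, in order, for an unquoted path
    containing spaces. A quoted path, or one without spaces, is not
    affected and yields no candidates. Expects the executable path only,
    without trailing arguments (assumption of this example)."""
    image_path = image_path.strip()
    if image_path.startswith('"') or " " not in image_path:
        return []
    parts = image_path.split(" ")
    # Each space-delimited prefix becomes a candidate "<prefix>.exe".
    candidates = [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]
    candidates.append(image_path)  # the real binary is tried last
    return candidates


def audit_service(name, image_path, writable):
    """Return (service, candidate) pairs where a low-privileged user could
    plant the candidate because its directory is writable. The genuine
    binary (last candidate) is excluded."""
    findings = []
    for cand in candidate_paths(image_path)[:-1]:
        if writable(ntpath.dirname(cand)):
            findings.append((name, cand))
    return findings


def audit_all(services, writable):
    findings = []
    for name, path in services.items():
        findings.extend(audit_service(name, path, writable))
    return findings


# Constructed sample: service name -> ImagePath (not taken from a real host).
SAMPLE_SERVICES = {
    "SomeTestSvc": r"C:\Program Files\Some Test\binary.exe",
    "QuotedSvc": r'"C:\Program Files\Some Test\binary.exe"',
    "NoSpaceSvc": r"C:\Tools\binary.exe",
}


def demo_writable(directory):
    """Constructed stand-in for a real ACL check: pretend only C:\ is
    writable. On a live host, replace with an ACL query for the directory."""
    return directory.rstrip("\\").lower() == "c:"


if __name__ == "__main__":
    for name, cand in audit_all(SAMPLE_SERVICES, demo_writable):
        print(f"[!] {name}: quote the ImagePath or restrict ACL; "
              f"an unprivileged user could create {cand}")
```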

Writable directory
Consider the following file path:
C:\Program Files\Some Test\binary.exe
If the directory containing "binary.exe" is writable ("C:\Program Files\Some Test") and the binary runs with high privileges, it could be used to elevate our privileges.
Note: BeRoot performs these checks on every service path, scheduled task and startup key located in HKLM.
How to exploit:
  • The service is not running:
    • Replace the legitimate service binary with our own, then restart it or check how it is triggered (at reboot, when another process is started, etc.).
  • The service is running and cannot be stopped:
    • Most exploitation will be like this: check for DLL hijacking and try to restart the service using the previous techniques.

Writable directory on %PATH%
This technique affects the following Windows versions:
6.0 => Windows Vista / Windows Server 2008
6.1 => Windows 7 / Windows Server 2008 R2
6.2 => Windows 8 / Windows Server 2012
On a classic Windows installation, when a binary loads a DLL, Windows tries to locate it in the following order:
- Directory where the binary is located
- C:\Windows\System32
- C:\Windows\System
- C:\Windows\
- Current directory from which the binary has been launched
- Directories present in the %PATH% environment variable
If a directory on the %PATH% variable is writable, it would be possible to perform DLL hijacking attacks. The goal is then to find a service which loads a DLL that is not present in any of these paths. This is the case for the default "IKEEXT" service, which loads the non-existent "wlbsctrl.dll".
How to exploit: create a malicious DLL called "wlbsctrl.dll" (use the DLL template) and add it to the writable directory listed on the %PATH% variable. Start the service "IKEEXT". To start the IKEEXT service without high privileges, a technique described in the French magazine MISC 90 explains the following method:
Create a file as follows:
C:\Users\bob\Desktop>type test.txt
[IKEEXTPOC]
MEDIA=rastapi
Port=VPN2-0
Device=Wan Miniport (IKEv2)
DEVICE=vpn
PhoneNumber=127.0.0.1
Use the "rasdial" binary to start the IKEEXT service. Even if the connection fails, the service should have been started.
C:\Users\bob\Desktop>rasdial IKEEXTPOC test test /PHONEBOOK:test.txt

MS16-075
For French users, I recommend the article in MISC 90, which explains in detail how it works.
This vulnerability has been corrected by Microsoft with MS16-075; however, many servers are still vulnerable to this kind of attack. I have been inspired by the C++ POC available here.
Here is some explanation (not in detail):
  1. Start the WebClient service (used to connect to some shares) using some magic tricks (using its UUID)
  2. Start an HTTP server locally
  3. Find a service which will be used to trigger a SYSTEM NTLM hash.
  4. Enable file tracing on this service by modifying its registry key to point to our web server (\\127.0.0.1@port\tracing)
  5. Start this service
  6. Our HTTP server starts a negotiation to get the SYSTEM NTLM hash
  7. Use this hash with SMB to execute our custom payload (SMBRelayx has been modified to perform this action)
  8. Clean everything (stop the service, clean the registry, etc.).
How to exploit: BeRoot performs this exploitation; use the "-c" option to execute a custom command on the vulnerable host.
beRoot.exe -c "net user Zapata LaLuchaSigue /add"
beRoot.exe -c "net localgroup Administrators Zapata /add"

AlwaysInstallElevated registry key
AlwaysInstallElevated is a setting that allows non-privileged users to run Microsoft Windows Installer packages (MSI) with elevated (SYSTEM) permissions. To enable it, two registry entries have to be set to 1:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
How to exploit: create a malicious MSI package and execute it.

Unattended Install files
These files contain all the configuration settings that were set during the installation process, some of which can include the configuration of local accounts, including Administrator accounts. They are found at the following paths:
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattended.xml
C:\Windows\Panther\Unattend\Unattended.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\System32\Sysprep\unattend.xml
C:\Windows\System32\Sysprep\Panther\unattend.xml
How to exploit: open the unattend.xml file to check whether passwords are present in it. It should look like:
<UserAccounts>
<LocalAccounts>
<LocalAccount>
<Password>
<Value>RmFrZVBhc3N3MHJk</Value>
<PlainText>false</PlainText>
</Password>
<Description>Local Administrator</Description>
<DisplayName>Administrator</DisplayName>
<Group>Administrators</Group>
<Name>Administrator</Name>
</LocalAccount>
</LocalAccounts>
</UserAccounts>
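An added audit script (not BeRoot's own code) that scans an unattend.xml for account passwords left behind, so the file can be scrubbed or removed: it reports only which accounts still carry a password value and never decodes it. The sample document is the snippet above with a default namespace added; SCRUBBED_MARKER is the value Windows setup writes once it has removed sensitive data.

```python
import xml.etree.ElementTree as ET

# Value Windows setup leaves in place of a password it has already removed.
SCRUBBED_MARKER = "*SENSITIVE*DATA*DELETED*"


def _local(tag):
    # Real unattend files carry a namespace: "{urn:...}Password" -> "Password".
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def find_leftover_passwords(xml_text):
    """Return one dict per account whose password element still holds data.
    Covers <LocalAccount><Password> (as in the text) and the schema's
    <AdministratorPassword> element under <UserAccounts>."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag not in ("Password", "AdministratorPassword"):
            continue
        value = _child_text(elem, "Value")
        if not value or value == SCRUBBED_MARKER:
            continue  # empty or already scrubbed by setup
        account = parents[elem]
        name = "Administrator" if tag == "AdministratorPassword" \
            else (_child_text(account, "Name") or _local(account.tag))
        findings.append({
            "account": name,
            "group": _child_text(account, "Group"),
            "plaintext": _child_text(elem, "PlainText").lower() == "true",
        })
    return findings


# Constructed sample: the snippet from the text plus a scrubbed admin entry.
SAMPLE_UNATTEND = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
<UserAccounts>
<AdministratorPassword><Value>*SENSITIVE*DATA*DELETED*</Value>
<PlainText>false</PlainText></AdministratorPassword>
<LocalAccounts><LocalAccount>
<Password><Value>RmFrZVBhc3N3MHJk</Value><PlainText>false</PlainText></Password>
<Group>Administrators</Group><Name>Administrator</Name>
</LocalAccount></LocalAccounts>
</UserAccounts></unattend>"""

if __name__ == "__main__":
    for f in find_leftover_passwords(SAMPLE_UNATTEND):
        print(f"[!] leftover password for {f['account']} ({f['group']}), "
              f"plaintext={f['plaintext']}: scrub or delete this file")
```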

Other possible misconfigurations
Other tests are performed to check whether it is possible to:
  • Modify an existing service
  • Create a new service
  • Modify a startup key (on HKLM)
  • Modify directory where all scheduled tasks are stored: "C:\Windows\system32\Tasks"

Special thanks

BrainDamage - A fully featured backdoor that uses Telegram as a C&C server


A python based backdoor which uses Telegram as C&C server.


--> Coded by: Mehul Jain(mehulj94@gmail.com)
--> Github: https://github.com/mehulj94
--> Twitter: https://twitter.com/wayfarermj
--> For windows only

Features

--> Persistence
--> USB spreading
--> Port Scanner
--> Router Finder
--> Run shell commands
--> Keylogger
--> Insert keystrokes
--> Record audio
--> Webserver
--> Screenshot logging
--> Download files in the host
--> Execute shutdown, restart, logoff, lock
--> Send drive tree structure
--> Set email template
--> Rename Files
--> Change wallpaper
--> Open website
--> Send passwords for
• Chrome
• Mozilla
• Filezilla
• Core FTP
• CyberDuck
• FTPNavigator
• WinSCP
• Outlook
• Putty
• Skype
• Generic Network
--> Cookie stealer
--> Send active windows
--> Gather system information
• Drives list
• Internal and External IP
• Ipconfig /all output
• Platform

Setup
  • Telegram setup:
    • Install the Telegram app and search for "BOTFATHER".
    • Type /help to see all possible commands.
    • Click on or type /newbot to create a new bot.
    • Name your bot.
    • You should see a new API token generated for it.
  • Dedicated Gmail account. Remember to check "allow connections from less secure apps" in Gmail settings.
  • Set access_token in eclipse.py to the token given by the BotFather.
  • Set CHAT_ID in eclipse.py. Send a message from the app and use the Telegram API to get this chat id.
bot.getMe() will give output {'first_name': 'Your Bot', 'username': 'YourBot', 'id': 123456789}
  • Set copied_startup_filename in Eclipse.py.
  • Set the Gmail password and username in /Breathe/SendData.py

Abilities
  • whoisonline - list active slaves
    This command lists all the active slaves.
  • destroy - delete & clean up
    This command removes the stub from the host and removes the registry entries.
  • cmd - execute command on CMD
    Run shell commands on the host
  • download - url (startup, desktop, default)
    This downloads files to the host computer.
  • execute - shutdown, restart, logoff, lock
    Execute the given command
  • screenshot - take screenshot
    Take a screenshot of the host computer.
  • send - passwords, drivetree, driveslist, keystrokes, openwindows
    This command sends passwords (saved browser passwords, FTP, PuTTY...), the directory tree of the host (up to level 2), logged keystrokes and the windows which are currently open
  • set - email (0: Default, 1: URL, 2: Update), filename (0: Itself, 1: Others), keystrokes (text)
    This command can set the email template (default, download from URL, update the current template with text you send), rename files or insert keystrokes on the host.
  • start - website (URL), keylogger, recaudio (time), webserver (Port), spread
    This command can open a website, start the keylogger, record audio, start the webserver or start USB spreading
  • stop - keylogger, webserver
    This command stops the keylogger or the webserver
  • wallpaper - change wallpaper (URL)
    Changes the wallpaper of the host computer
  • find - openports (host, threads, ports), router
    This command finds open ports and the router the host is using
  • help- print this usage

Requirements

Screenshots
For educational purposes only, use at your own responsibility.


Stitch - Python Remote Administration Tool (RAT)


This is a cross-platform Python framework which allows you to build custom payloads for Windows, Mac OSX and Linux. You can select whether the payload binds to a specific IP and port or listens for a connection on a port, whether to send an email of system info when the system boots, and whether to start the keylogger on boot. Payloads created can only run on the OS that they were created on.

Features

Cross Platform Support
  • Command and file auto-completion
  • Antivirus detection
  • Able to turn off/on display monitors
  • Hide/unhide files and directories
  • View/edit the hosts file
  • View all the systems environment variables
  • Keylogger with options to view status, start, stop and dump the logs onto your host system
  • View the location and other information of the target machine
  • Execute custom python scripts which return whatever you print to screen
  • Screenshots
  • Virtual machine detection
  • Download/Upload files to and from the target system
  • Attempt to dump the systems password hashes
  • Payloads' properties are "disguised" as other known programs

Windows Specific
  • Display a user/password dialog box to obtain user password
  • Dump passwords saved via Chrome
  • Clear the System, Security, and Application logs
  • Enable/Disable services such as RDP,UAC, and Windows Defender
  • Edit the accessed, created, and modified properties of files
  • Create a custom popup box
  • View connected webcam and take snapshots
  • View past connected wifi connections along with their passwords
  • View information about drives connected
  • View summary of registry values such as DEP

Mac OSX Specific
  • Display a user/password dialog box to obtain user password
  • Change the login text at the user's login screen
  • Webcam snapshots

Mac OSX/Linux Specific
  • SSH from the target machine into another host
  • Run sudo commands
  • Attempt to brute-force the user's password using the password list found in Tools/
  • Webcam snapshots? (untested on Linux)

Implemented Transports
All communication between the host and target is AES encrypted. Every Stitch program generates an AES key which is then put into all payloads. To access a payload the AES keys must match. To connect from a different system running Stitch you must add the key by using the showkey command from the original system and the addkey command on the new system.

Implemented Payload Installers
The "stitchgen" command gives the user the option to create NSIS installers on Windows and Makeself installers on POSIX machines. For Windows, the installer packages the payload together with an elevation exe, which prevents the firewall prompt and adds persistence, and places the payload on the system. For Mac OSX and Linux, the installer places the payload and attempts to add persistence. To create NSIS installers you must download and install NSIS.

Wiki

Requirements
For easy installation run the following command that corresponds to your OS:
# for Windows
pip install -r win_requirements.txt

# for Mac OSX
pip install -r osx_requirements.txt

# for Linux
pip install -r lnx_requirements.txt

Windows Specific

Mac OSX Specific

Mac OSX/Linux Specific

To Run
python main.py
or
./main.py

Motivation
My motivation behind this was to advance my knowledge of Python and hacking, and just to see what I could accomplish. I was somewhat discouraged and almost abandoned this project when I found the amazing work done by n1nj4sec, but still decided to put this up since I had already come so far.

Other open-source Python RATs for Reference

Screenshots
[Password Sniffer Spy v2.0] Tool to Sniff and Capture HTTP/FTP/POP3/SMTP/IMAP Passwords


Password Sniffer Spy is an all-in-one password sniffing tool to capture email, web and FTP login passwords passing through the network.


It automatically detects the login packets on the network for various protocols and instantly decodes the passwords. Here is the list of supported protocols:
  • HTTP (BASIC authentication)
  • FTP
  • POP3
  • IMAP
  • SMTP
In addition to recovering your own lost passwords, you can use this tool in the following scenarios:
  • Run it on the gateway system through which all of your network's traffic passes.
  • In a MITM attack, run it on the middle system to capture the passwords from the target system.
  • On a multi-user system, run it under an Administrator account to silently capture passwords for all users.
It includes an installer which installs WinPcap, the network capture driver required for sniffing. For Windows 8, you first have to manually install the WinPcap driver (in Windows 7 compatibility mode) and then run our installer to install only Password Sniffer Spy.

[Social Password Dump] Command-line Tool to Recover Social Network Password from Browsers and Messengers


Social Password Dump is a free command-line, all-in-one tool to recover your lost passwords for social networks such as Facebook, Twitter, Pinterest, etc.

Currently it can recover passwords for the following popular social networks:

  • Facebook
  • Twitter
  • Google Plus
  • LinkedIn
  • Pinterest
  • Myspace
  • Badoo

It can instantly find and decrypt your stored passwords from all the popular web browsers and messengers.
Here is the complete list of supported applications:
  • Firefox
  • Internet Explorer (v6.x - v10.x)
  • Google Chrome
  • Chrome Canary/SXS
  • CoolNovo Browser
  • Opera Browser
  • Apple Safari
  • Flock Browser
  • SeaMonkey Browser
  • Comodo Dragon Browser
  • Paltalk Messenger
  • Miranda Messenger

It automatically discovers all of these installed applications on your system and recovers all the stored social network login passwords within seconds.