SlideShare une entreprise Scribd logo

Sticky Keys to the Kingdom

Télécharger en tant que PPTX, PDF
Dennis Maldonado
Dennis Maldonado

The document discusses how replacing certain Windows accessibility tool binaries, like sethc.exe, with cmd.exe allows gaining command prompt access on Windows systems. The authors developed a tool called Sticky Key Slayer that scans networks for systems vulnerable to this issue by automating the process of connecting via RDP, triggering the accessibility tools, and checking for command prompts. When tested on a large network, over 500 vulnerable systems were found. The document recommends remediation steps and warns that this technique is a sign of potential compromise.

Technologie
1  sur  20
Sticky Keys to the Kingdom PRE-AUTH SYSTEM RCE ON WINDOWS IS MORE COMMON THAN YOU THINK DENNIS MALDONADO & TIM MCGUFFIN LARES
About Us • Dennis Maldonado • Adversarial Engineer – LARES Consulting • Founder • Houston Locksport • Houston Area Hackers Anonymous (HAHA) • Tim McGuffin • RedTeam Manager – LARES Consulting • 10-year DEFCON Goon • DEFCON CTF Participant • Former CCDCTeam Coach www.lares.com
History • “How to ResetWindows Passwords” websites • Replace sethc.exe or utilman.exe with cmd.exe • Reboot, Press Shift 5x orWIN+U • net user (username) (password) • Login! • Nobody ever cleans up after themselves • Can be used as a backdoor/persistence method • NoWindows Event Logs are generated when backdoor is executed
Implementation • Binary Replacement • Replace any of the accessibility tool binaries • Requires elevated rights • Registry (Debugger Method) • HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe • Debugger REG_SZ C:WindowsSystem32cmd.exe • Requires elevated rights
Windows Accessibility Tools Binary Description How to access C:WindowsSystem32sethc.exe Accessibility shortcut keys Shift 5 times C:WindowsSystem32Utilman.exe Utility Manager Windows Key + U C:WindowsSystem32osk.exe On-Screen Keyboard Locate the option on the screen using the mouse C:WindowsSystem32Magnify.exe Magnifier Windows Key + [Equal Sign] C:WindowsSystem32Narrator.exe Narrator Windows Key + Enter C:WindowsSystem32DisplaySwitch.exe Display Switcher Windows Key + P C:WindowsSystem32AtBroker.exe Manages switching of apps between desktops Have osk.exe, Magnify.exe, or Narrator.exe open then lock the computer. AtBroker.exe will be executed upon locking and unlocking
Limitations • Elevated access or offline system required • Replacing binary must be Digitally Signed • Replacing binary must exist in System32 • Replacing binary must exist inWindows “Protected File” list • You can’t use any old Binary, but you can cmd.exe /c file.bat
Background • While working with an Incident ResponseTeam: • Uncovered dozens of vulnerable hosts via file checks • Identification was done from the filesystem side • Missed the debugger method • Missed any unmanaged boxes • Needed a network-based scanner
Background • We wanted to write out own network-based tool • Started down the JavaRDP/Python Path • Ran across @ztgrace’s PoC script, Sticky Keys Hunter • It worked, and was a great starting point • Similar to “PeepingTom” • Opens a Remote Desktop connection • Sends keyboard presses • Saves screenshot to a file • To do list including automatic command prompt detection and multi-threading
Our Solution – Sticky Key Slayer • Parallelized scanning of multiple hosts • Automated command prompt detection • Detailed logging • Error handling • Performance improvements • Bash
DEMO VIDEO: HTTPS://WWW.YOUTUBE.COM/WATCH?V=JY4HG4A1FYI
Tools Usage • ./stickyKeysSlayer.sh -v -j 8 -t 10 targetlist.txt • -v • Verbose output • -j <num_of_jobs> • Jobs to run (defaults to 1) • -t <time_in_seconds> • Timeout in seconds (defaults to 30 seconds) • targetlist.txt • Hosts list delimited by line
Limitations • Ties up a LinuxVM while scanning • Needed for window focus and screenshotting • Will not alert on anything that is not cmd.exe • Ran across taskmgr.exe, mmc.exe, other custom applications
Statistics • On a large Business ISP: • Over 100,000 boxes scanned • About 571 Command Prompts • 1 out of 175 • All types of Institutions • Educational Institutions • Law Offices • Manufacturing Facilities • Gaming companies • Etc…
Recommendations • Remediation • Delete or replace the affected file (sethc.exe, utilman.exe, …) • sfc.exe /scannnow • Remove the affected registry entry • Treat this as an indicator of compromise • Prevention and Detection • Restrict local administrative access • Enable full disk encryption • Network LevelAuthentication for Remote Desktop Connection • End point monitoring • Netflow analysis
Tool Release • Code is on Github • https://github.com/linuz/Sticky-Keys-Slayer • Contribute • Report Issues • Send us feedback • Slides • http://www.slideshare.net/DennisMaldonado5/sticky-keys- to-the-kingdom • DemoVideo • https://www.youtube.com/watch?v=Jy4hg4a1FYI www.lares.com
Questions www.lares.com

Recommandé

The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
Orange Tsai
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 

Recommandé

The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
 
網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area網頁安全 Web security 入門 @ Study-Area
網頁安全 Web security 入門 @ Study-Area
Orange Tsai
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
Practical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-DisassemblyPractical Malware Analysis: Ch 15: Anti-Disassembly
Practical Malware Analysis: Ch 15: Anti-Disassembly
Sam Bowne
 
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24Six Degrees of Domain Admin - BloodHound at DEF CON 24
Six Degrees of Domain Admin - BloodHound at DEF CON 24
Andy Robbins
 
Derbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active DirectoryDerbycon - The Unintended Risks of Trusting Active Directory
Derbycon - The Unintended Risks of Trusting Active Directory
Will Schroeder
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016No Easy Breach DerbyCon 2016
No Easy Breach DerbyCon 2016
Matthew Dunwoody
 
Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
Jason Lang
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
Sam Bowne
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
DirkjanMollema
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force Attack
Ahmad karawash
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
Vibhor Kumar
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
zakieh alizadeh
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Andy Robbins
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder
 
Microsoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password SolutionMicrosoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password Solution
Int64 Software Ltd
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
Nikhil Mittal
 
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be Hacked
Howard Greenberg
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班
hugo lu
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
Frans Rosén
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
Howard Greenberg
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
Justin Bui
 
Hacking Access Control Systems
Hacking Access Control SystemsHacking Access Control Systems
Hacking Access Control Systems
Dennis Maldonado
 
Getting Started in Information Security
Getting Started in Information SecurityGetting Started in Information Security
Getting Started in Information Security
Dennis Maldonado
 

Contenu connexe

Tendances

Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
Ross Wolf
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
Shakacon
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
Vibhor Kumar
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
Howard Greenberg
 

Tendances (20)

Red Team Methodology - A Naked Look
Red Team Methodology - A Naked LookRed Team Methodology - A Naked Look
Red Team Methodology - A Naked Look
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static TechniquesCNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
 
aclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHoundaclpwn - Active Directory ACL exploitation with BloodHound
aclpwn - Active Directory ACL exploitation with BloodHound
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 
Brute Force Attack
Brute Force AttackBrute Force Attack
Brute Force Attack
 
AllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CIAllDayDevOps ZAP automation in CI
AllDayDevOps ZAP automation in CI
 
Social Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James ForshawSocial Engineering the Windows Kernel by James Forshaw
Social Engineering the Windows Kernel by James Forshaw
 
PGEncryption_Tutorial
PGEncryption_TutorialPGEncryption_Tutorial
PGEncryption_Tutorial
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Here Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLsHere Be Dragons: The Unexplored Land of Active Directory ACLs
Here Be Dragons: The Unexplored Land of Active Directory ACLs
 
DerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
 
Microsoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password SolutionMicrosoft LAPS - Local Administrator Password Solution
Microsoft LAPS - Local Administrator Password Solution
 
Hacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShellHacked? Pray that the Attacker used PowerShell
Hacked? Pray that the Attacker used PowerShell
 
Bp101-Can Domino Be Hacked
Bp101-Can Domino Be HackedBp101-Can Domino Be Hacked
Bp101-Can Domino Be Hacked
 
Sql injection 幼幼班
Sql injection 幼幼班Sql injection 幼幼班
Sql injection 幼幼班
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best PracticesApril, 2021 OpenNTF Webinar - Domino Administration Best Practices
April, 2021 OpenNTF Webinar - Domino Administration Best Practices
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 

En vedette

Hacking Access Control Systems
Hacking Access Control SystemsHacking Access Control Systems
Hacking Access Control Systems
Dennis Maldonado
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
kuza55
 

En vedette (13)

Hacking Access Control Systems
Hacking Access Control SystemsHacking Access Control Systems
Hacking Access Control Systems
 
Getting Started in Information Security
Getting Started in Information SecurityGetting Started in Information Security
Getting Started in Information Security
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
Zpusob Vyuky Marketingove Komunikace Na Pef Czu V Praze
Zpusob Vyuky Marketingove Komunikace Na Pef Czu V PrazeZpusob Vyuky Marketingove Komunikace Na Pef Czu V Praze
Zpusob Vyuky Marketingove Komunikace Na Pef Czu V Praze
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
Paměťové techniky
Paměťové technikyPaměťové techniky
Paměťové techniky
 
Techniky učení
Techniky učeníTechniky učení
Techniky učení
 
ePUB 3 and Publishing e-books
ePUB 3 and Publishing e-booksePUB 3 and Publishing e-books
ePUB 3 and Publishing e-books
 
Evaluating and Selecting a Learning Management System
Evaluating and Selecting a Learning Management SystemEvaluating and Selecting a Learning Management System
Evaluating and Selecting a Learning Management System
 
Windows 7 Security
Windows 7 SecurityWindows 7 Security
Windows 7 Security
 
Access Controls Attacks
Access Controls AttacksAccess Controls Attacks
Access Controls Attacks
 
Kali net hunter
Kali net hunterKali net hunter
Kali net hunter
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
 

Similaire à Sticky Keys to the Kingdom

Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
Joff Thyer
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
Positive Hack Days
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
Beau Bullock
 

Similaire à Sticky Keys to the Kingdom (20)

Ranger BSides-FINAL
Ranger BSides-FINALRanger BSides-FINAL
Ranger BSides-FINAL
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Windows Malware Techniques
Windows Malware TechniquesWindows Malware Techniques
Windows Malware Techniques
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Заполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не оконченаЗаполучили права администратора домена? Игра еще не окончена
Заполучили права администратора домена? Игра еще не окончена
 
Cleartext and PtH still alive
Cleartext and PtH still aliveCleartext and PtH still alive
Cleartext and PtH still alive
 
Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?Hogy jussunk ki lezárt hálózatokból?
Hogy jussunk ki lezárt hálózatokból?
 
Time tested php with libtimemachine
Time tested php with libtimemachineTime tested php with libtimemachine
Time tested php with libtimemachine
 
PowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue KidPowerShell - Be A Cool Blue Kid
PowerShell - Be A Cool Blue Kid
 
CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)CNIT 121: 12 Investigating Windows Systems (Part 3)
CNIT 121: 12 Investigating Windows Systems (Part 3)
 
Salt at school
Salt at schoolSalt at school
Salt at school
 
CNIT 152 12. Investigating Windows Systems (Part 3)
CNIT 152 12. Investigating Windows Systems (Part 3)CNIT 152 12. Investigating Windows Systems (Part 3)
CNIT 152 12. Investigating Windows Systems (Part 3)
 
CNIT 152: 12b Windows Registry
CNIT 152: 12b Windows RegistryCNIT 152: 12b Windows Registry
CNIT 152: 12b Windows Registry
 
Automate Thyself
Automate ThyselfAutomate Thyself
Automate Thyself
 
CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)CNIT 152 12 Investigating Windows Systems (Part 2)
CNIT 152 12 Investigating Windows Systems (Part 2)
 
CNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise ServiceCNIT 152 10 Enterprise Service
CNIT 152 10 Enterprise Service
 
On non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits andOn non existent 0-days, stable binary exploits and
On non existent 0-days, stable binary exploits and
 
Monitoring and Debugging your Live Applications
Monitoring and Debugging your Live ApplicationsMonitoring and Debugging your Live Applications
Monitoring and Debugging your Live Applications
 
Pentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 EditionPentest Apocalypse - SANSFIRE 2016 Edition
Pentest Apocalypse - SANSFIRE 2016 Edition
 

Dernier

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Sticky Keys to the Kingdom

  • 1. Sticky Keys to the Kingdom PRE-AUTH SYSTEM RCE ON WINDOWS IS MORE COMMON THAN YOU THINK DENNIS MALDONADO & TIM MCGUFFIN LARES
  • 2. About Us • Dennis Maldonado • Adversarial Engineer – LARES Consulting • Founder • Houston Locksport • Houston Area Hackers Anonymous (HAHA) • Tim McGuffin • RedTeam Manager – LARES Consulting • 10-year DEFCON Goon • DEFCON CTF Participant • Former CCDCTeam Coach www.lares.com
  • 3. History • “How to ResetWindows Passwords” websites • Replace sethc.exe or utilman.exe with cmd.exe • Reboot, Press Shift 5x orWIN+U • net user (username) (password) • Login! • Nobody ever cleans up after themselves • Can be used as a backdoor/persistence method • NoWindows Event Logs are generated when backdoor is executed
  • 4. Implementation • Binary Replacement • Replace any of the accessibility tool binaries • Requires elevated rights • Registry (Debugger Method) • HKLMSoftwareMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe • Debugger REG_SZ C:WindowsSystem32cmd.exe • Requires elevated rights
  • 5. Windows Accessibility Tools Binary Description How to access C:WindowsSystem32sethc.exe Accessibility shortcut keys Shift 5 times C:WindowsSystem32Utilman.exe Utility Manager Windows Key + U C:WindowsSystem32osk.exe On-Screen Keyboard Locate the option on the screen using the mouse C:WindowsSystem32Magnify.exe Magnifier Windows Key + [Equal Sign] C:WindowsSystem32Narrator.exe Narrator Windows Key + Enter C:WindowsSystem32DisplaySwitch.exe Display Switcher Windows Key + P C:WindowsSystem32AtBroker.exe Manages switching of apps between desktops Have osk.exe, Magnify.exe, or Narrator.exe open then lock the computer. AtBroker.exe will be executed upon locking and unlocking
  • 6. Limitations • Elevated access or offline system required • Replacing binary must be Digitally Signed • Replacing binary must exist in System32 • Replacing binary must exist inWindows “Protected File” list • You can’t use any old Binary, but you can cmd.exe /c file.bat
  • 7. Background • While working with an Incident ResponseTeam: • Uncovered dozens of vulnerable hosts via file checks • Identification was done from the filesystem side • Missed the debugger method • Missed any unmanaged boxes • Needed a network-based scanner
  • 8. Background • We wanted to write out own network-based tool • Started down the JavaRDP/Python Path • Ran across @ztgrace’s PoC script, Sticky Keys Hunter • It worked, and was a great starting point • Similar to “PeepingTom” • Opens a Remote Desktop connection • Sends keyboard presses • Saves screenshot to a file • To do list including automatic command prompt detection and multi-threading
  • 9. Our Solution – Sticky Key Slayer • Parallelized scanning of multiple hosts • Automated command prompt detection • Detailed logging • Error handling • Performance improvements • Bash
  • 11.
  • 12.
  • 13.
  • 14.
  • 15. Tools Usage • ./stickyKeysSlayer.sh -v -j 8 -t 10 targetlist.txt • -v • Verbose output • -j <num_of_jobs> • Jobs to run (defaults to 1) • -t <time_in_seconds> • Timeout in seconds (defaults to 30 seconds) • targetlist.txt • Hosts list delimited by line
  • 16. Limitations • Ties up a LinuxVM while scanning • Needed for window focus and screenshotting • Will not alert on anything that is not cmd.exe • Ran across taskmgr.exe, mmc.exe, other custom applications
  • 17. Statistics • On a large Business ISP: • Over 100,000 boxes scanned • About 571 Command Prompts • 1 out of 175 • All types of Institutions • Educational Institutions • Law Offices • Manufacturing Facilities • Gaming companies • Etc…
  • 18. Recommendations • Remediation • Delete or replace the affected file (sethc.exe, utilman.exe, …) • sfc.exe /scannnow • Remove the affected registry entry • Treat this as an indicator of compromise • Prevention and Detection • Restrict local administrative access • Enable full disk encryption • Network LevelAuthentication for Remote Desktop Connection • End point monitoring • Netflow analysis
  • 19. Tool Release • Code is on Github • https://github.com/linuz/Sticky-Keys-Slayer • Contribute • Report Issues • Send us feedback • Slides • http://www.slideshare.net/DennisMaldonado5/sticky-keys- to-the-kingdom • DemoVideo • https://www.youtube.com/watch?v=Jy4hg4a1FYI www.lares.com

Notes de l'éditeur

  1. Tim
  2. Tim
  3. Tim Find better top screenshot
  4. Tim
  5. Tim
  6. Tim
  7. Tim
  8. Tim
  9. Dennis
  10. Dennis
  11. Dennis
  12. Dennis
  13. Dennis
  14. Dennis Write this slide on tool usage. Help stuff
  15. Dennis
  16. Tim
  17. Dennis
  18. Dennis Write this slide
  19. Dennis