Sticky Keys To The Kingdom: Pre auth System RCE on Windows is more common than you think

Video thumbnail (Frame 0) Video thumbnail (Frame 9970) Video thumbnail (Frame 10414) Video thumbnail (Frame 11100) Video thumbnail (Frame 11626) Video thumbnail (Frame 12058) Video thumbnail (Frame 12555)
Video in TIB AV-Portal: Sticky Keys To The Kingdom: Pre auth System RCE on Windows is more common than you think

Formal Metadata

Sticky Keys To The Kingdom: Pre auth System RCE on Windows is more common than you think
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin’s innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue. Bio: Dennis Maldonado is a Security Consultant at LARES Consulting. His current work includes penetration testing, infrastructure assessments, red teaming, and security research. Dennis’ focus is encompassing all forms information security into an assessment in order to better simulate a real world attack against systems and infrastructure. As a security researcher and evangelist, Dennis spends his time sharing what he knows about Information Security with anyone willing to learn. Dennis is a returning speaker to DEF CON and has presented at numerous workshops and meet-ups in the Houston area. Dennis co-founded Houston Lockport in Houston, Texas where he shares his love for lock-picking physical security as well as Houston Area Hackers Anonymous (HAHA), a meet-up for hackers and InfoSec professionals in the Houston area. Tim was voted “most likely to be indicted” by his high school senior class, but has since gone on to gain the trust of large organizations and their executive management, which may or may not be a good thing. He holds a few industry certifications and is a member of a few security organizations, but considers his insomnia and attention deficit problems far more important to his career.
Group action Code Java applet Debugger System administrator Multiplication sign Range (statistics) IP address Information technology consulting Computer programming Area Neuroinformatik Medical imaging Mechanism design Mathematics Roundness (object) Blog Computer configuration File system Cuboid Software framework Website Error message Descriptive statistics Control system Scripting language Email Computer file Binary code Electronic mailing list Bit Digital signal Port scanner Flow separation Data management System programming Self-organization Website MiniDisc Right angle Quicksort Freeware Row (database) Windows Registry Web page Point (geometry) Computer file Link (knot theory) Dependent and independent variables Password Student's t-test Login Shift operator Event horizon 2 (number) Hacker (term) System programming Software testing Traffic reporting Booting Backdoor (computing) Authentication Shift operator Dependent and independent variables Key (cryptography) Debugger Information technology consulting Login Computer network Incidence algebra Line (geometry) Binary file Limit (category theory) System call Event horizon Integrated development environment Software Large eddy simulation Password Window
Key (cryptography) Login Window Vulnerability (computing) Neuroinformatik
Scripting language Shift operator Multiplication sign Energy level System programming Backdoor (computing) Neuroinformatik
Scripting language Vulnerability (computing)
Shift operator Pixel Thread (computing) Touchscreen Multiplication sign Keyboard shortcut Electronic mailing list Connected space
Asynchronous Transfer Mode Ewe language Pixel Range (statistics) Interior (topology) Mach's principle
Pixel System administrator Open set Neuroinformatik Connected space Roundness (object) Computer configuration Different (Kate Ryan album) Encryption Videoconferencing Office suite Error message Social class Touchscreen Keyboard shortcut Electronic mailing list Sound effect Windows Registry Rounding Data management Process (computing) Befehlsprozessor Phase transition Spacetime Windows Registry Point (geometry) Slide rule Computer file Robot Mathematical analysis Code Number Goodness of fit Latent heat Energy level Traffic reporting Metropolitan area network Authentication Default (computer science) Key (cryptography) Demo (music) Information Weight Physical law Content (media) Computer network Line (geometry) Limit (category theory) Exploit (computer security) Integrated development environment Software Personal digital assistant Finite difference Large eddy simulation Window Code INTEGRAL Multiplication sign 1 (number) Port scanner Function (mathematics) Parameter (computer programming) IP address Bit rate Cuboid Flag Position operator Scripting language Pattern recognition Point (geometry) Parallel port Price index Entire function In-System-Programmierung Hard disk drive MiniDisc Right angle Energy level Remote procedure call Video game console Freeware Laptop Domain name Dataflow Statistics Server (computing) Functional (mathematics) Login Theory 2 (number) Revision control Internetworking Gastropod shell System programming Utility software Software testing MiniDisc Backdoor (computing) Task (computing) Shift operator Validity (statistics) Debugger Mathematical analysis Local ring
I guess there's no goon introducing us so we'll have to do everything ourselves alright so um so I'm Dennis a lot of you guys know me yay for Houston I'll have you know me for my previous talk I talked about access control systems so this is my second time speaking I work for a large consulting I'm an adversarial engineer my best my most favorite title yet I am also a since I'm from Houston I'm a founder of Houston lock sport or lock-picking Club and Houston air and hackers anonymous just a bunch of us hanging out drinking beers and doing micro talks in Houston so ooh what do we got here thank you so much round of applause for Kyle all right and so I'm Tim I'm a Red Team Manager for Juarez which means I'm I don't know what to call Dennis employee but more of a team lead consultant that sort of thing this is my tenth year as a Def Con do so I'm eligible for retirement now which is always fun yeah woo I'm also a former CCDC team coach for a group of college students through CCDC I don't know if y'all are familiar with that program see you guys in the back it also and I'm also former CTF participant for a Def Con into that two years in a row I also ran the wireless contest for a couple of years so I've kind of been around I've done a little bit of everything this is also my second Def Con talk so what we're gonna talk about is sticky keys if I say sticky keys does everybody in here know what we're talking about that's how you get into your computer exactly right so if you google for how to reset windows passwords like eight of the top ten links on Google are pages that tell you reboot or your rescue CD go in copy cmd.exe over set HC turd exe reboot at the login prompt press shift five times using that user change your password close the window log in and you're done there's only one or two of those sites it actually says clean up after yourself when you're done so there's a lot of boxes out there that still have CMD replaced our CMD replacing said HC and these boxes are just kind of right for the picking so it was used as a persistence mechanism like there's a carnal owner's blog on it there's several different places that tell you how to do this and with this though so there's no event logs that are generated whenever you actually execute this back door so there's no trace that you press shift five times and you get a command prompt because it's pre authentication so there's two ways that you can go about backdooring a windows box with this method one of them is the binary replacement actually replacing any of the pre authentication accessibility tools with C and B or you can set the image file execution option registry debugger key to be cmd.exe and so whenever you access any of the accessibility tools from within Windows you get a command prompt running as system free authentication so here's a list of the accessibility tools that are available for authentication you've got the binary on the left the description of what the tool actually does in the middle and on the right you've got how you actually access that and so that's gonna come in important later whenever you actually start talking about the tool but Microsoft does have some limitations on what binaries you can replace any of the accessibility tools with so the first limitation is you have to have elevated access on the Box you're gonna have to have administrator err system to begin with so we're not actually exploiting the box and we're not actually placing a backdoor we're just taking advantage of a backdoor that somebody else has already put on the box the binary must be digitally signed this is Microsoft restriction for that the binary must exist in system 32 and it must be on the windows protected file list and so if you've ever ran system file checker and it goes back and says hey look these binaries have been replaced or there's something wrong with them and it fixes them that's the windows protected file list and you can get a list of those from microsoft's website but so you can't just use any old binary you have to use something that meets those criteria and cmd.exe meets all three of those criteria and so we were working with an incident response team in our organization and they had uncovered via the file system side of things several boxes that had this persistence mechanism put in place and so it was more than likely a systems administrator could have been a rogue admin could have been some apt group that was in the environment don't know how they actually got there but we wanted something to where we could scan for this from the network side so we started a let me back up a little bit the problem with looking for binaries that have been replaced on the disk is you don't actually catch the image file execution option unless you're sweeping the registry as well you're going to miss any unmanage boxes so boxes that the group doesn't have administrative us on you're gonna miss any boxes they don't have administrative privileges and so we had a need for a network-based scanner we started looking into writing our own using Java RDP or lookin at Python and had a bunch of problems and just a hate for Java that we couldn't get over so we ran across that graceless proof-of-concept strip script sticky key hunter sticky key header was a great starting point for us it gave us a decent framework for how we wanted to kind of implement our script but his script was similar to the peeping tom program if any of your pen testers and you've seen peeping tom it scrapes a bunch of websites and will take screenshots of them and then give you a page that you can just scroll through looking at them and so if you're talking about a large organization with you know anywhere from twenty to hundred thousand endpoints that's a lot of screenshots just to scroll through looking for a command prompt so we wanted a way to to automate some of that for us and so Zacks script also in the two do's had automatic command prompt detection and then multi-threading to make a script faster it took about 25 to 30 seconds per host and we did some optimizations on that all right so we started with the sticky key hunter script that we you know Tim talked about and we went into it just what we wanted to help improve it and help kind of complete its to do items and what ended up happening is I bent way too much time on it just seeing things that I want to do differently and so we ended up more than double the lines of code what what originally was and we implemented a lot of performance improvements some error handling to help with you know when if hosts go down or whatever lots of detail logging to help with reporting and as well as it's now parallelized so you it'll scan more than one host at a time and that dramatically improves the time it takes to scan a list a range of host or IPs and it also automatically alerts on command prompts or on host it thinks that actually found a command prompt on and so you don't have to scroll through thousands of thousands of screenshots and of course it's in bash so it's tailored towards Linux we programmed this on kali linux all the tools you'll need is available for Kelly so that's our script so let me demo this for you I'm gonna start I'm gonna start by demoing
what Tim talked about what's the stick
what the what the sticky keys vulnerability it so I'm going to remote
desktop into a computer and just show you what happens is you're gonna see a Windows login prompt and we're not gonna put in any credentials we're just going to be presented with that login prompt and this this computer is vulnerable to
the sticky key backdoor so all we do is press shift 5 times I'm gonna do this there you go and then now you see we
have a command prompt and because this is spawning from when logon DXE you can see who am i we our system the highest level access you can get on that computer and so that's just a method of persistence a backdoor that lots of people do and so our script let's go back to the
PowerPoint here our script to automate
searching for that automates actually scanning for that vulnerability you'll see here let's press play carefully is that does that work ok so that's going so you'll see its name banana that Sh when we recorded this I had no idea what to name it so Tim and I've settled on banana but uh now it's sticky key Slayer so but you can see I've told to do a
threads at a time it's doing a host of
like twenty-something hosts a list of 20-something hosts and it's going through each one it's establishing a
connection to it it's taking screenshot
hitting shift five times as well as other keyboard shortcuts taking another screen shot and then comparing the amount of black pixels that are on the screen and it alert okay I found a lot
of black pixels it's within this range of this percentage and this percentage I
think you have a command prompt and once
it's done you can see the logging there I hope the text is not too small you can look through the screenshots and you see
the screenshots of all the coasts that don't have a command prompt and in that discovered folder that I'm gonna click
on in a second you'll see all the hosts
that actually have a command prompt and you can see them in there there's one of
them so to reiterate there's there's a sticky key Slayer that's the real name specify - JH for the number of jobs demo host is just a list of targets line by line and then you get the screenshots for all the computers and in a discover folder there's the ones that actually have command and there it is and those are computers we have full system level remote code execution on without any work using someone else's backdoor so free free money so tool usage so that I mean that's the tool that's that's the gist of it it's like 360 lines of code but that's all it does stick to stick Achille excuse me tool usage sticky key Slayer Sh so there's a few parameters that you can choose you can do - V for verbose it does output some information to you but you can make it more verbose if you want to maybe something's wrong or you just want more information you can specify the number of jobs it defaults one job at a time but you can give it as much as you want as much as you CPU can handle don't try a thousand because it will crash but I have I've had success on a Kali BM running on a MacBook Pro about 24 and that'll scan about 22,000 hosts in about three hours so that's pretty good time out you guys put me with the concept of time out it'll it'll try a certain job for a certain amount of time before it just errors out you can specify that time out it defaults to 30 seconds and on target list you can either give it a single target an IP or a host or fqdn or you can give it a list of hosts and that's that's the money right there you you can give it a list of 20,000 hosts let it run go home come back and get all these get hundreds of sorry 20,000 screenshots when you come back so some limitations to the tool it does tie up the computer you're using as you can see it was popping up a bunch of remote desktop windows so it's kind of hard to use it when you're when you're it's hard to use the computer when you're using the script so have a VM dedicated just to that for for that time and as well as we went in and I were doing some scans on some other IP addresses with their permission wink we found that the majority of them majority of the back doors were CMD dot exe however there were a few that were something else like task manager or MMC or something you know custom and our script of course doesn't detect those because it's looking for a certain amount of black pixels so maybe in the future where Tim and I are kind of working on how we're gonna engineer that engineer like detecting and any anomalous behavior not just CMD sits a six alright so based on Dennis and i's assessments and then based on some assessments from some other friends other things we've probably scanned about half a million boxes we've turned these over to some large organizations for internal scanning and there's a pretty decent success rate internally for some of the bots some of the environment that we were in but we decided to turn around and look at a large business class isp I went to show Dan did a search for business is P and then port 3389 got a list of boxes that were exposed that were exposing RDP to the Internet and there were about a hundred thousand or so roughly in that list we had five hundred and seventy system shells by the time the scan was done it took about six or eight hours to scan that large of an IP space so that was one out of the real statistic was like one out of every 100 and seventy three boxes wanted every 175 makes a great round number for it but that was far more boxes than we thought were actually going to be vulnerable to a backdoor that's been around for years I mean our first step into this was this is going to be stupid nobody's ever going to do this and it turns out this is happening all over the place so by looking at the domain names on the login screen there's educational institutions there's law offices manufacturing facilities hospitals pretty much any vertical that you can think of have free system shells on their boxes so if you step into an assessment and environment if you're doing actually an external test and they have already been able to paid take a shot it may work if your internal that's even better because you may find one or two servers but there's one or two servers you've got a system shell on that you can now run me me cats or go from there with absolutely no logging by the way that's five hundred seventy plus shells we got like with no work required how is that not worth a round of applause all right so now we got to talk about what matters most right the recommendations the remediation the prevention detection so we have a lot of we've worked a lot on on the remediation side of this so we came up with a few techniques a few uh just just ways so we helped mitigate this so if you do find one of these one of your boxes in your environment are vulnerable to this back door there are a few things you can do you can delete the executable if there's if if CMD was replaced as said HDC or any one of those other accessibility tools you can just simply delete them they're not totally necessary to make a computer function and your computer will eventually in an update or when it does an integrity check it'll it'll replace those files back to order B if you don't want to delete them you can force an integrity check you can use SFCC which is system file checker that's built into Windows and what that'll do is that'll scan all the windows protected files in which all of these are windows protected files and it'll check are these the files that they're supposed to be if not it'll replace them back to what they're supposed to be so you can run f2c scan now you can specify to do the your entire drive or specific files if if this was done through the registry method using the debugger to make it run you can simply delete that registry key that key does not need to be there delete the whole key for set htw or util man or whatever and one thing I like to to inform people's that I really feel that they should treat this as an indicator of compromise if they find if you guys find this backdoor in your environment it's going to be one of two things it's gonna be someone subverted processes and put this backdoor in for whatever reason maybe that maybe it's just a simple reason they want to get in in case something goes wrong or maybe it's they want it to get in when they get fired so there's that and then there's also it if it's not that reason it's an indicator of compromise maybe there is a an intrusion in your network previously some malware or apt as they call it or some threat actor okay someone laughed at abt I laughed too every time someone someone did this this this is a known method of persistence I mean this is my top method when I go to see CDC I played against that guy over there we we I mean we wrecked them with just cmd.exe back door because you know they took a snapshot of their VMs before you know after we already put them fill into this back door so we were able to get in every time so treat this as an indicator compromise because it's serious it's not it doesn't just happen now going into the prevention detection phase ok the simple protection simple way to protect against Isis restrict local admin of course you need to be local admin to replace these files so restricting that is important it helps resolve a lot of issues including this full disk encryption that will help prevent with someone were to steal a laptop and get content access the concepts of hard drive and replace the files that way full disk encryption will help protect against that my favorite method of put it doesn't really protect against it it protects against an exploitation of it is network live authentication for remote desktop network level authentication if when that's enabled it requires valid credentials before a console is ever presented to the user so our script wouldn't work unless we had valid credentials so enabling NLA across the entire environment is a valid protection against exploitation of this against remote exploitation endpoint monitoring we've seen a lot of success with the endpoint monitoring you can monitor a few things one of them being monitor when the file is replaced if the file is something what it's not supposed to be alert on that you can also alert on if CMD ever spawns from the win logon process as a child of the win logon process that's not normal I mean in my in my experience it's usually not normal so you can flag on that as well and a net flow analysis simply look at are their hosts is there one host or a few host environment that are just spraying RDP port 3389 everywhere if so maybe you should look into that so oh by the way Tim made this for me it's great this is what do you call it the the what what do you call it conquest the years of your enemies the ears of my enemy the rumor has it these are all the shift keys that we've broken overtime from exploiting them so we just took them up and made them into a necklace so I'm gonna wear it so a little treat for you guys the code is has been released as of an hour ago so it's on my github sticky cute excuse me sticky key Slayer what are you laughing at sticky key Slayer it's up there it spit the I put a lot of documentation hopefully it's it's easy to read and easy to use I recommend if you guys work for a big company or a small company download it look at the code so you know I'm not doing anything malicious don't just download any code and run it but uh I mean you can if you want run this in your environment uh and just see you know you'll be surprised how many you'll see out there we there's there hasn't been any environment yet that we've scanned and haven't at least found one so try it you know look into it and see what you can get so yeah my codes I gave up I encourage you guys to contribute to it or at least report any issues you see because I always like to make my stuff work for everyone so report issues send us feedback whatever you want slides are also online demo videos online if you care about it that's that's pretty much it questions so we're we've also got a weaponized version in the works that you can just say execute this code as soon as you find a command prompt so you just set it and forget it and watch the shells rain in so that's uh I call it raining shells that Sh question question over there oh you will repeat the question yeah yeah okay all right all right yeah that's a good idea okay we'll do that okay questions go up here so we have three minutes for questions and the loudmouth in the back yeah I'm sure you have questions all right go ahead is it on oh yeah just tell me I'll repeat it all right so if if you use black pixels to determine if you got a command prompt what did you do to account for the different operating systems for example Windows XP has a pure black background and other operating systems might use dark background we take a screen shot and whenever we make a actually send all the accessibility options we take a difference take a second screen shot and it's the difference between the two it's not just looking for black pixels it's looking for the difference the difference between them so if you look it like Dell has their default Windows install has the front end of the Dell bezel on it that's got a lot of black in it whenever you actually pop a sticky key shell on it it it there's more black on the screen than there was before and so we're just looking for the difference it's very simple its rudimentary there's been some work out there and like OpenCV trying to do screenshot detection other stuff for it we looked into using OCR on the screen but we found a lot of boxes and non-native English and I don't know how to do OCR recognition in English and non English so the about half a million IP addresses that we've scanned with it from us and then other people's engagements it's great it's like ninety-nine point nine six percent effective in detecting the screen shot every time there were a couple of false positives but those false positives were due to broken consoles to where like the top two thirds of the screen was the actual console the bottom third of the screen would just be black thank you whoo yeah I mean so it's due to paralyse this we do use a new parallel that's it right canoe parallel we use the tool canoe parallel and that just allows the script to spawn itself in multiple processes and just run really really fast so it's really cool looking set tool question thank you thirst um do you have a list of all of the other ones that work as you said there are other ones but you only talked about set HC there you go haha thank you okay so yes so just to reiterate this is the not so shift five times it's only one of the one two three four five six seven seven executables that will work with this window key you will open util man on screen keyboard there's a there's no keyboard stroker for that but there's an option for that and so they're saying we're done we have one more minute question one more minute yeah sure so if you can programmatically skin and detect these things and you can programmatically send keys you could also in theory programmatically add an option to remove the back door yes or add - - evil and add your own implant and then remove that back door so so my goal is a troll was if you just downloaded our cold and red coat and ran it and said hey go ahead and just do this is to run sfc /scannow as the actual webinars code and then drop us something in the log file to say hey there this box had this backdoor enabled on it but sorry you just cleaned it thanks read the paid x time thank you guys so much questions will we'll be out there and let's go the move to the bar thank you guys